<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>smb.conf</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.71.0"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"><a name="smb.conf.5"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>smb.conf — The configuration file for the Samba suite</p></div><div class="refsect1" lang="en"><a name="id291806"></a><h2>SYNOPSIS</h2><p>
The <code class="filename">smb.conf</code> file is a configuration file for the Samba suite. <code class="filename">smb.conf</code> contains runtime configuration information for the Samba programs. The
<code class="filename">smb.conf</code> file is designed to be configured and administered by the
<a href="swat.8.html"><span class="citerefentry"><span class="refentrytitle">swat</span>(8)</span></a> program. The
complete description of the file format and possible parameters held within are here for reference purposes.
</p></div><div class="refsect1" lang="en"><a name="FILEFORMATSECT"></a><h2>FILE FORMAT</h2><p>
The file consists of sections and parameters. A section begins with the name of the section in square brackets
and continues until the next section begins. Sections contain parameters of the form:
</p><pre class="programlisting">
<em class="replaceable"><code>name</code></em> = <em class="replaceable"><code>value </code></em>
</pre><p>
</p><p>
The file is line-based - that is, each newline-terminated line represents either a comment, a section name or
a parameter.
</p><p>Section and parameter names are not case sensitive.</p><p>
Only the first equals sign in a parameter is significant. Whitespace before or after the first equals sign is
discarded. Leading, trailing and internal whitespace in section and parameter names is irrelevant.
Leading
and trailing whitespace in a parameter value is discarded. Internal whitespace within a parameter value is
retained verbatim.
</p><p>
Any line beginning with a semicolon (“<span class="quote">;</span>”) or a hash (“<span class="quote">#</span>”)
character is ignored, as are lines containing only whitespace.
</p><p>
Any line ending in a “<span class="quote"><code class="literal">\</code></span>” is continued on the next line in the customary UNIX fashion.
</p><p>
The values following the equals sign in parameters are all either a string (no quotes needed) or a boolean,
which may be given as yes/no, 0/1 or true/false. Case is not significant in boolean values, but is preserved
in string values. Some items such as create masks are numeric.
</p></div><div class="refsect1" lang="en"><a name="id259596"></a><h2>SECTION DESCRIPTIONS</h2><p>
Each section in the configuration file (except for the [global] section) describes a shared resource (known as
a “<span class="quote">share</span>”). The section name is the name of the shared resource and the parameters within the
section define the share's attributes.
</p><p>
There are three special sections, [global], [homes] and [printers], which are described under
<span class="emphasis"><em>special sections</em></span>. The following notes apply to ordinary section descriptions.
</p><p>
A share consists of a directory to which access is being given plus a description of the access rights
which are granted to the user of the service. Some housekeeping options are also specifiable.
</p><p>
Sections are either file share services (used by the client as an extension of their native file systems)
or printable services (used by the client to access print services on the host running the server).
</p><p>
Sections may be designated <span class="emphasis"><em>guest</em></span> services, in which case no password is required to
access them.
A specified UNIX <span class="emphasis"><em>guest account</em></span> is used to define access privileges in this
case.
</p><p>
Sections other than guest services will require a password to access them. The client provides the
username. As older clients only provide passwords and not usernames, you may specify a list of usernames to
check against the password using the <code class="literal">user =</code> option in the share definition. For modern clients
such as Windows 95/98/ME/NT/2000, this should not be necessary.
</p><p>
The access rights granted by the server are masked by the access rights granted to the specified or guest
UNIX user by the host system. The server does not grant more access than the host system grants.
</p><p>
The following sample section defines a file space share. The user has write access to the path <code class="filename">/home/bar</code>. The share is accessed via the share name <code class="literal">foo</code>:
</p><pre class="programlisting">
	<em class="parameter"><code>[foo]</code></em>
	<a class="indexterm" name="id259433"></a>path = /home/bar
	<a class="indexterm" name="id260355"></a>read only = no
</pre><p>
</p><p>
The following sample section defines a printable share. The share is read-only, but printable. That is,
the only write access permitted is via calls to open, write to and close a spool file.
The <span class="emphasis"><em>guest ok</em></span> parameter means access will be permitted as the default guest user (specified elsewhere):
</p><pre class="programlisting">
	<em class="parameter"><code>[aprinter]</code></em>
	<a class="indexterm" name="id260383"></a>path = /usr/spool/public
	<a class="indexterm" name="id260390"></a>read only = yes
	<a class="indexterm" name="id260397"></a>printable = yes
	<a class="indexterm" name="id260404"></a>guest ok = yes
</pre><p>
</p></div><div class="refsect1" lang="en"><a name="id260415"></a><h2>SPECIAL SECTIONS</h2><div class="refsect2" lang="en"><a name="id260420"></a><h3>The [global] section</h3><p>
Parameters in this section apply to the server as a whole, or are defaults for sections that do not
specifically define certain items. See the notes under PARAMETERS for more information.
</p></div><div class="refsect2" lang="en"><a name="HOMESECT"></a><h3>The [homes] section</h3><p>
If a section called [homes] is included in the configuration file, services connecting clients
to their home directories can be created on the fly by the server.
</p><p>
When the connection request is made, the existing sections are scanned. If a match is found, it is
used. If no match is found, the requested section name is treated as a username and looked up in the local
password file. If the name exists and the correct password has been given, a share is created by cloning the
[homes] section.
</p><p>
Some modifications are then made to the newly created share:
</p><div class="itemizedlist"><ul type="disc"><li><p>
The share name is changed from homes to the located username.
</p></li><li><p>
If no path was given, the path is set to the user's home directory.
</p></li></ul></div><p>
If you decide to use a <span class="emphasis"><em>path =</em></span> line in your [homes] section, it may be useful
to use the %S macro.
For example:
</p><pre class="programlisting">
<strong class="userinput"><code>path = /data/pchome/%S</code></strong>
</pre><p>
is useful if you have different home directories for your PCs than for UNIX access.
</p><p>
This is a fast and simple way to give a large number of clients access to their home directories with a minimum
of fuss.
</p><p>
A similar process occurs if the requested section name is “<span class="quote">homes</span>”, except that the share
name is not changed to that of the requesting user. This method of using the [homes] section works well if
different users share a client PC.
</p><p>
The [homes] section can specify all the parameters a normal service section can specify, though some make more sense
than others. The following is a typical and suitable [homes] section:
</p><pre class="programlisting">
<em class="parameter"><code>[homes]</code></em>
<a class="indexterm" name="id260157"></a>read only = no
</pre><p>
</p><p>
An important point is that if guest access is specified in the [homes] section, all home directories will be
visible to all clients <span class="emphasis"><em>without a password</em></span>. In the very unlikely event that this is actually
desirable, it is wise to also specify <span class="emphasis"><em>read only access</em></span>.
</p><p>
The <span class="emphasis"><em>browseable</em></span> flag for auto home directories will be inherited from the global browseable
flag, not the [homes] browseable flag. This is useful as it means setting <span class="emphasis"><em>browseable = no</em></span> in
the [homes] section will hide the [homes] share but make any auto home directories visible.
</p></div><div class="refsect2" lang="en"><a name="PRINTERSSECT"></a><h3>The [printers] section</h3><p>
This section works like [homes], but for printers.
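The FILE FORMAT rules and the [homes] guest-access caveat above, as an added Python example that is not part of the Samba documentation: it parses smb.conf text by those rules and flags a [homes] section that ends up guest-accessible, including through a [global] default. The sample configuration is constructed, and the fallback defaults (guest ok = no, guest only = no, read only = yes) are assumed to match Samba's built-in defaults.

```python
"""Parse smb.conf text by the FILE FORMAT rules and audit [homes] guest access."""

# Assumption: built-in defaults used when a parameter is set nowhere.
DEFAULTS = {"guestok": "no", "guestonly": "no", "readonly": "yes"}
TRUE_WORDS = {"yes", "1", "true"}
FALSE_WORDS = {"no", "0", "false"}

# Constructed sample, not taken from a real server.
SAMPLE = """\
; constructed sample
[global]
   Guest OK = Yes
[ Homes ]
   comment = Home \\
directories
   READ ONLY = 0
   path = /data/pchome/%S
[foo]
   path = /home/bar
   comment = ratio = 2:1
"""


def norm(name):
    """Names are case-insensitive and whitespace inside them is irrelevant."""
    return "".join(name.split()).lower()


def logical_lines(text):
    """Yield section/parameter lines: join trailing-backslash continuations,
    drop ';' and '#' comment lines and whitespace-only lines."""
    pending = None
    for raw in text.splitlines():
        if pending is None:
            stripped = raw.strip()
            if not stripped or stripped[0] in ";#":
                continue
            line = raw
        else:
            line = pending + raw
            pending = None
        if line.rstrip().endswith("\\"):
            pending = line.rstrip()[:-1]  # keep text before the backslash
            continue
        yield line.strip()
    if pending is not None and pending.strip():
        yield pending.strip()


def parse(text):
    """Return {section: {parameter: value}} with normalised names."""
    conf, current = {}, None
    for line in logical_lines(text):
        if line.startswith("[") and line.endswith("]"):
            current = conf.setdefault(norm(line[1:-1]), {})
        elif "=" in line and current is not None:
            name, value = line.split("=", 1)  # only the first '=' is significant
            current[norm(name)] = value.strip()  # internal whitespace is kept
    return conf


def as_bool(value):
    """Booleans may be yes/no, 0/1 or true/false, in any case."""
    word = value.strip().lower()
    if word in TRUE_WORDS:
        return True
    if word in FALSE_WORDS:
        return False
    raise ValueError("not a boolean: %r" % value)


def effective(conf, section, param):
    """Value set in the share, else the [global] default, else the built-in one."""
    key = norm(param)
    for scope in (norm(section), "global"):
        if key in conf.get(scope, {}):
            return conf[scope][key]
    return DEFAULTS[key]


def audit_homes(conf):
    """Return findings for a [homes] section that permits guest access."""
    findings = []
    if "homes" not in conf:
        return findings
    guest = any(as_bool(effective(conf, "homes", p))
                for p in ("guest ok", "guest only"))
    if guest:
        findings.append("[homes] permits guest access: all home directories "
                        "are visible without a password")
        if not as_bool(effective(conf, "homes", "read only")):
            findings.append("[homes] is guest-accessible and writable: "
                            "set read only = yes")
    return findings


if __name__ == "__main__":
    for finding in audit_homes(parse(SAMPLE)):
        print(finding)
```

In the sample, [homes] never mentions guest access itself; the finding comes from the <code>Guest OK = Yes</code> line in [global], which becomes the default for every section.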
</p><p>
If a [printers] section occurs in the configuration file, users are able to connect to any printer
specified in the local host's printcap file.
</p><p>
When a connection request is made, the existing sections are scanned. If a match is found, it is used.
If no match is found, but a [homes] section exists, it is used as described above. Otherwise, the requested
section name is treated as a printer name and the appropriate printcap file is scanned to see if the requested
section name is a valid printer share name. If a match is found, a new printer share is created by cloning the
[printers] section.
</p><p>
A few modifications are then made to the newly created share:
</p><div class="itemizedlist"><ul type="disc"><li><p>The share name is set to the located printer name</p></li><li><p>If no printer name was given, the printer name is set to the located printer name</p></li><li><p>If the share does not permit guest access and no username was given, the username is set
to the located printer name.</p></li></ul></div><p>
The [printers] service MUST be printable - if you specify otherwise, the server will refuse
to load the configuration file.
</p><p>
Typically the path specified is that of a world-writeable spool directory with the sticky bit set on
it. A typical [printers] entry looks like this:
</p><pre class="programlisting">
<em class="parameter"><code>[printers]</code></em>
<a class="indexterm" name="id300481"></a>path = /usr/spool/public
<a class="indexterm" name="id300488"></a>guest ok = yes
<a class="indexterm" name="id300495"></a>printable = yes
</pre><p>
</p><p>
All aliases given for a printer in the printcap file are legitimate printer names as far as the server is concerned.
If your printing subsystem doesn't work like that, you will have to set up a pseudo-printcap.
This is a file
consisting of one or more lines like this:
</p><pre class="programlisting">
alias|alias|alias|alias...
</pre><p>
</p><p>
Each alias should be an acceptable printer name for your printing subsystem. In the [global] section,
specify the new file as your printcap. The server will only recognize names found in your pseudo-printcap,
which of course can contain whatever aliases you like. The same technique could be used simply to limit access
to a subset of your local printers.
</p><p>
An alias, by the way, is defined as any component of the first entry of a printcap record. Records are separated by newlines;
components (if there is more than one) are separated by vertical bar symbols (<code class="literal">|</code>).
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
On SYSV systems which use lpstat to determine what printers are defined on the system you may be able to use
<code class="literal">printcap name = lpstat</code> to automatically obtain a list of printers. See the
<code class="literal">printcap name</code> option for more details.
</p></div></div></div><div class="refsect1" lang="en"><a name="id300553"></a><h2>USERSHARES</h2><p>Starting with Samba version 3.0.23 the capability for non-root users to add, modify, and delete
their own share definitions has been added. This capability is called <span class="emphasis"><em>usershares</em></span> and
is controlled by a set of parameters in the [global] section of the smb.conf.
The relevant parameters are:
</p><div class="variablelist"><dl><dt><span class="term">usershare allow guests</span></dt><dd><p>Controls if usershares can permit guest access.</p></dd><dt><span class="term">usershare max shares</span></dt><dd><p>Maximum number of user defined shares allowed.</p></dd><dt><span class="term">usershare owner only</span></dt><dd><p>If set, only directories owned by the sharing user can be shared.</p></dd><dt><span class="term">usershare path</span></dt><dd><p>Points to the directory containing the user defined share definitions.
The filesystem permissions on this directory control who can create user defined shares.</p></dd><dt><span class="term">usershare prefix allow list</span></dt><dd><p>Comma-separated list of absolute pathnames restricting what directories
can be shared. Only directories below the pathnames in this list are permitted.</p></dd><dt><span class="term">usershare prefix deny list</span></dt><dd><p>Comma-separated list of absolute pathnames restricting what directories
can be shared. Directories below the pathnames in this list are prohibited.</p></dd><dt><span class="term">usershare template share</span></dt><dd><p>Names a pre-existing share used as a template for creating new usershares.
All other share parameters not specified in the user defined share definition
are copied from this named share.</p></dd></dl></div><p>To allow members of the UNIX group <code class="literal">foo</code> to create user defined
shares, create the directory to contain the share definitions as follows:
</p><p>Become root:</p><pre class="programlisting">
mkdir /usr/local/samba/lib/usershares
chgrp foo /usr/local/samba/lib/usershares
chmod 1770 /usr/local/samba/lib/usershares
</pre><p>Then add the parameters

</p><pre class="programlisting">
	<a class="indexterm" name="id300682"></a>usershare path = /usr/local/samba/lib/usershares
	# 10, or the desired number of shares
	<a class="indexterm" name="id300690"></a>usershare max shares = 10
</pre><p>

to the global
section of your <code class="filename">smb.conf</code>. Members of the group foo may then manipulate the user defined shares
using the following commands.</p><div class="variablelist"><dl><dt><span class="term">net usershare add sharename path [comment] [acl] [guest_ok=[y|n]]</span></dt><dd><p>To create or modify (overwrite) a user defined share.</p></dd><dt><span class="term">net usershare delete sharename</span></dt><dd><p>To delete a user defined share.</p></dd><dt><span class="term">net usershare list wildcard-sharename</span></dt><dd><p>To list user defined shares.</p></dd><dt><span class="term">net usershare info wildcard-sharename</span></dt><dd><p>To print information about user defined shares.</p></dd></dl></div></div><div class="refsect1" lang="en"><a name="id300757"></a><h2>PARAMETERS</h2><p>Parameters define the specific attributes of sections.</p><p>
Some parameters are specific to the [global] section (e.g., <span class="emphasis"><em>security</em></span>). Some parameters
are usable in all sections (e.g., <span class="emphasis"><em>create mask</em></span>). All others are permissible only in normal
sections.
For the purposes of the following descriptions the [homes] and [printers] sections will be
considered normal. The letter <span class="emphasis"><em>G</em></span> in parentheses indicates that a parameter is specific to
the [global] section. The letter <span class="emphasis"><em>S</em></span> indicates that a parameter can be specified in a
service specific section. All <span class="emphasis"><em>S</em></span> parameters can also be specified in the [global] section
- in which case they will define the default behavior for all services.
</p><p>
Parameters are arranged here in alphabetical order - this may not create best bedfellows, but at least you can
find them! Where there are synonyms, the preferred synonym is described, others refer to the preferred
synonym.
</p></div><div class="refsect1" lang="en"><a name="id300798"></a><h2>VARIABLE SUBSTITUTIONS</h2><p>
Many of the strings that are settable in the config file can take substitutions. For example the option
“<span class="quote">path = /tmp/%u</span>” is interpreted as “<span class="quote">path = /tmp/john</span>” if the user connected with the
username john.
</p><p>
These substitutions are mostly noted in the descriptions below, but there are some general substitutions
which apply whenever they might be relevant. These are:
</p><div class="variablelist"><dl><dt><span class="term">%U</span></dt><dd><p>session username (the username that the client wanted, not
necessarily the same as the one they got).</p></dd><dt><span class="term">%G</span></dt><dd><p>primary group name of %U.</p></dd><dt><span class="term">%h</span></dt><dd><p>the Internet hostname that Samba is running on.</p></dd><dt><span class="term">%m</span></dt><dd><p>the NetBIOS name of the client machine (very useful).</p><p>This parameter is not available when Samba listens on port 445, as clients no longer
send this information.
If you use this macro in an include statement on a domain that has
a Samba domain controller, be sure to set <em class="parameter"><code>smb ports = 139</code></em> in the [global] section. This will cause Samba to not listen on port 445 and will permit include
functionality to function as it did with Samba 2.x.
</p></dd><dt><span class="term">%L</span></dt><dd><p>the NetBIOS name of the server. This allows you to change your config based on what
the client calls you. Your server can have a “<span class="quote">dual personality</span>”.
</p></dd><dt><span class="term">%M</span></dt><dd><p>the Internet name of the client machine.
</p></dd><dt><span class="term">%R</span></dt><dd><p>the selected protocol level after protocol negotiation. It can be one of CORE, COREPLUS,
LANMAN1, LANMAN2 or NT1.</p></dd><dt><span class="term">%d</span></dt><dd><p>the process id of the current server
process.</p></dd><dt><span class="term">%a</span></dt><dd><p>the architecture of the remote
machine. It currently recognizes Samba (<code class="constant">Samba</code>),
the Linux CIFS file system (<code class="constant">CIFSFS</code>), OS/2 (<code class="constant">OS2</code>),
Windows for Workgroups (<code class="constant">WfWg</code>), Windows 9x/ME
(<code class="constant">Win95</code>), Windows NT (<code class="constant">WinNT</code>),
Windows 2000 (<code class="constant">Win2K</code>), Windows XP (<code class="constant">WinXP</code>),
and Windows 2003 (<code class="constant">Win2K3</code>).
Anything else will be known as
<code class="constant">UNKNOWN</code>.</p></dd><dt><span class="term">%I</span></dt><dd><p>the IP address of the client machine.</p></dd><dt><span class="term">%i</span></dt><dd><p>the local IP address to which a client connected.</p></dd><dt><span class="term">%T</span></dt><dd><p>the current date and time.</p></dd><dt><span class="term">%D</span></dt><dd><p>name of the domain or workgroup of the current user.</p></dd><dt><span class="term">%w</span></dt><dd><p>the winbind separator.</p></dd><dt><span class="term">%$(<em class="replaceable"><code>envvar</code></em>)</span></dt><dd><p>the value of the environment variable
<em class="replaceable"><code>envvar</code></em>.</p></dd></dl></div><p>
The following substitutions apply only to some configuration options (only those that are
used when a connection has been established):
</p><div class="variablelist"><dl><dt><span class="term">%S</span></dt><dd><p>the name of the current service, if any.</p></dd><dt><span class="term">%P</span></dt><dd><p>the root directory of the current service, if any.</p></dd><dt><span class="term">%u</span></dt><dd><p>username of the current service, if any.</p></dd><dt><span class="term">%g</span></dt><dd><p>primary group name of %u.</p></dd><dt><span class="term">%H</span></dt><dd><p>the home directory of the user given by %u.</p></dd><dt><span class="term">%N</span></dt><dd><p>
the name of your NIS home directory server. This is obtained from your NIS auto.map entry.
If you have not compiled Samba with the <span class="emphasis"><em>--with-automount</em></span> option, this
value will be the same as %L.</p></dd><dt><span class="term">%p</span></dt><dd><p>
the path of the service's home directory, obtained from your NIS auto.map entry. The NIS
The NIS 233 auto.map entry is split up as <code class="literal">%N:%p</code>.</p></dd></dl></div><p> 234 There are some quite creative things that can be done with these substitutions and other 235 <code class="filename">smb.conf</code> options. 236 </p></div><div class="refsect1" lang="en"><a name="NAMEMANGLINGSECT"></a><h2>NAME MANGLING</h2><p> 237 Samba supports <code class="literal">name mangling</code> so that DOS and Windows clients can use files that don't 238 conform to the 8.3 format. It can also be set to adjust the case of 8.3 format filenames. 239 </p><p> 240 There are several options that control the way mangling is performed, and they are grouped here rather 241 than listed separately. For the defaults look at the output of the testparm program. 242 </p><p> 243 These options can be set separately for each service. 244 </p><p> 245 The options are: 246 </p><div class="variablelist"><dl><dt><span class="term">case sensitive = yes/no/auto</span></dt><dd><p> 247 controls whether filenames are case sensitive. If they aren't, Samba must do a filename search and match on 248 passed names. The default setting of auto allows clients that support case sensitive filenames (Linux CIFSVFS 249 and smbclient 3.0.5 and above currently) to tell the Samba server on a per-packet basis that they wish to 250 access the file system in a case-sensitive manner (to support UNIX case sensitive semantics). No Windows or 251 DOS system supports case-sensitive filename so setting this option to auto is that same as setting it to no 252 for them. Default <span class="emphasis"><em>auto</em></span>. 253 </p></dd><dt><span class="term">default case = upper/lower</span></dt><dd><p> 254 controls what the default case is for new filenames (ie. files that don't currently exist in the filesystem). 255 Default <span class="emphasis"><em>lower</em></span>. 
IMPORTANT NOTE: This option will be used to modify the case of
<span class="emphasis"><em>all</em></span> incoming client filenames, not just new filenames, if the options <a class="indexterm" name="id301239"></a>case sensitive = yes, <a class="indexterm" name="id301246"></a>preserve case = No,
<a class="indexterm" name="id301253"></a>short preserve case = No are set. This change is needed as part of the
optimisations for directories containing large numbers of files.
</p></dd><dt><span class="term">preserve case = yes/no</span></dt><dd><p>
controls whether new files (i.e. files that don't currently exist in the filesystem) are created with the case
that the client passes, or if they are forced to be the <code class="literal">default</code> case. Default
<span class="emphasis"><em>yes</em></span>.
</p></dd><dt><span class="term">short preserve case = yes/no</span></dt><dd><p>
controls if new files (i.e. files that don't currently exist in the filesystem) which conform to 8.3 syntax,
that is all in upper case and of suitable length, are created upper case, or if they are forced to be the
<code class="literal">default</code> case. This option can be used with <code class="literal">preserve case = yes</code> to permit
long filenames to retain their case, while short names are lowercased. Default <span class="emphasis"><em>yes</em></span>.
</p></dd></dl></div><p>
By default, Samba 3.0 has the same semantics as a Windows NT server, in that it is case insensitive
but case preserving. As a special case for directories with large numbers of files, if the case
options are set as follows, "case sensitive = yes", "preserve case = no", "short preserve case = no"
then the "default case" option will be applied and will modify all filenames sent from the client
when accessing this share.
</p></div><div class="refsect1" lang="en"><a name="VALIDATIONSECT"></a><h2>NOTE ABOUT USERNAME/PASSWORD VALIDATION</h2><p>
There are a number of ways in which a user can connect to a service. The server uses the following steps
in determining if it will allow a connection to a specified service. If all the steps fail, the connection
request is rejected. However, if one of the steps succeeds, the following steps are not checked.
</p><p>
If the service is marked “<span class="quote">guest only = yes</span>” and the server is running with share-level
security (“<span class="quote">security = share</span>”), steps 1 to 5 are skipped.
</p><div class="orderedlist"><ol type="1"><li><p>
If the client has passed a username/password pair and that username/password pair is validated by the UNIX
system's password programs, the connection is made as that username. This includes the
<code class="literal">\\server\service</code>%<em class="replaceable"><code>username</code></em> method of passing a username.
</p></li><li><p>
If the client has previously registered a username with the system and now supplies a correct password for that
username, the connection is allowed.
</p></li><li><p>
The client's NetBIOS name and any previously used usernames are checked against the supplied password. If
they match, the connection is allowed as the corresponding user.
</p></li><li><p>
If the client has previously validated a username/password pair with the server and the client has passed
the validation token, that username is used.
</p></li><li><p>
If a <code class="literal">user = </code> field is given in the <code class="filename">smb.conf</code> file for the
service and the client has supplied a password, and that password matches (according to the UNIX system's
password checking) with one of the usernames from the <code class="literal">user =</code> field, the connection is made as
the username in the <code class="literal">user =</code> line. If one of the usernames in the <code class="literal">user =</code> list
begins with a <code class="literal">@</code>, that name expands to a list of names in the group of the same name.
</p></li><li><p>
If the service is a guest service, a connection is made as the username given in the <code class="literal">guest account =</code> for the service, irrespective of the supplied password.
</p></li></ol></div></div><div class="refsect1" lang="en"><a name="id301448"></a><h2>EXPLANATION OF EACH PARAMETER</h2><div class="variablelist"><dl><dt><span class="term"><a name="ABORTSHUTDOWNSCRIPT"></a>abort shutdown script (G)</span></dt><dd><p>This is a full path name to a script called by <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> that
should stop a shutdown procedure issued by the <a class="indexterm" name="id301488"></a>shutdown script.</p><p>If the connected user possesses the <code class="constant">SeRemoteShutdownPrivilege</code>
right, this command will be run as user.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>abort shutdown script</code></em> = <code class="literal">""</code>
</em></span>
</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>abort shutdown script</code></em> = <code class="literal">/sbin/shutdown -c</code>
</em></span>
</p></dd><dt><span class="term"><a name="ACLCHECKPERMISSIONS"></a>acl check permissions (S)</span></dt><dd><p>This boolean parameter controls what <a
href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> does on receiving a protocol request of "open for delete"
from a Windows client. If a Windows client doesn't have permissions to delete a file then they
expect this to be denied at open time. POSIX systems normally only detect restrictions on delete by
actually attempting to delete the file or directory. As Windows clients can (and do) "back out" a
delete request by unsetting the "delete on close" bit, Samba cannot delete the file immediately
on an "open for delete" request as we cannot restore such a deleted file. With this parameter set to
true (the default), smbd checks the file system permissions directly on "open for delete" and denies the
request without actually deleting the file if the file system permissions would seem to deny it.
This is not perfect, as it's possible a user could have deleted a file without Samba being able to
check the permissions correctly, but it is close enough to Windows semantics for mostly correct
behaviour. Samba will correctly check POSIX ACL semantics in this case.
</p><p>If this parameter is set to "false" Samba doesn't check permissions on "open for delete"
and allows the open. If the user doesn't have permission to delete the file this will only be
discovered at close time, which is too late for the Windows user tools to display an error message
to the user. The symptom of this is files that appear to have been deleted "magically" re-appearing
on a Windows explorer refresh. This is an extremely advanced protocol option which should not
need to be changed. This parameter was introduced in its final form in 3.0.21; an earlier version
with slightly different semantics was introduced in 3.0.20. That older version is not documented here.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>acl check permissions</code></em> = <code class="literal">True</code>
</em></span>
</p></dd><dt><span class="term"><a name="ACLCOMPATIBILITY"></a>acl compatibility (S)</span></dt><dd><p>This parameter specifies what OS ACL semantics should
be compatible with. Possible values are <span class="emphasis"><em>winnt</em></span> for Windows NT 4,
<span class="emphasis"><em>win2k</em></span> for Windows 2000 and above and <span class="emphasis"><em>auto</em></span>.
If you specify <span class="emphasis"><em>auto</em></span>, the value for this parameter
will be based upon the version of the client. There should
be no reason to change this parameter from the default.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>acl compatibility</code></em> = <code class="literal">Auto</code>
</em></span>
</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>acl compatibility</code></em> = <code class="literal">win2k</code>
</em></span>
</p></dd><dt><span class="term"><a name="ACLGROUPCONTROL"></a>acl group control (S)</span></dt><dd><p>
In a POSIX filesystem, only the owner of a file or directory and the superuser can modify the permissions
and ACLs on a file. If this parameter is set, then Samba overrides this restriction, and also allows the
<span class="emphasis"><em>primary group owner</em></span> of a file or directory to modify the permissions and ACLs
on that file.
</p><p>
On a Windows server, groups may be the owner of a file or directory - thus allowing anyone in
that group to modify the permissions on it. This allows the delegation of security controls
on a point in the filesystem to the group owner of a directory and anything below it also owned
by that group. This means there are multiple people with permissions to modify ACLs on a file
or directory, easing manageability.
</p><p>This parameter allows Samba to also permit delegation of the control over a point in the exported directory hierarchy in much the same way as Windows. This allows all members of a UNIX group to control the permissions on a file or directory they have group ownership on.</p><p>This parameter is best used with the <a class="indexterm" name="id301716"></a>inherit owner option and also on a share containing directories with the UNIX <span class="emphasis"><em>setgid bit</em></span> set on them, which causes new files and directories created within it to inherit the group ownership from the containing directory.</p><p>This parameter has been marked deprecated in Samba 3.0.23. The same behavior is now implemented by the <em class="parameter"><code>dos filemode</code></em> option.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>acl group control</code></em> = <code class="literal">no</code></em></span></p></dd>
<dt><span class="term"><a name="ACLMAPFULLCONTROL"></a>acl map full control (S)</span></dt><dd><p>This boolean parameter controls whether <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> maps a POSIX ACE entry of "rwx" (read/write/execute), the maximum allowed POSIX permission set, into a Windows ACL of "FULL CONTROL". If this parameter is set to true any POSIX ACE entry of "rwx" will be returned in a Windows ACL as "FULL CONTROL"; if this parameter is set to false any POSIX ACE entry of "rwx" will be returned as the specific Windows ACL bits representing read, write and execute.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>acl map full control</code></em> = <code class="literal">True</code></em></span></p></dd>
<dt><span class="term"><a name="ADDGROUPSCRIPT"></a>add group script (G)</span></dt><dd><p>This is the full pathname to a script that will be run <span class="emphasis"><em>AS ROOT</em></span> by <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> when a new group is requested. It will expand any <em class="parameter"><code>%g</code></em> to the group name passed. This script is only useful for installations using the Windows NT domain administration tools. The script is free to create a group with an arbitrary name to circumvent unix group name restrictions. In that case the script must print the numeric gid of the created group on stdout.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>add group script</code></em> = <code class="literal"></code></em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>add group script</code></em> = <code class="literal">/usr/sbin/groupadd %g</code></em></span></p></dd>
<dt><span class="term"><a name="ADDMACHINESCRIPT"></a>add machine script (G)</span></dt><dd><p>This is the full pathname to a script that will be run by <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> when a machine is added to Samba's domain and a Unix account matching the machine's name appended with a "$" does not already exist.</p><p>This option is very similar to the <a class="indexterm" name="id301914"></a>add user script, and likewise uses the %u substitution for the account name. Do not use the %m substitution.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>add machine script</code></em> = <code class="literal"></code></em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>add machine script</code></em> = <code class="literal">/usr/sbin/adduser -n -g machines -c Machine -d /var/lib/nobody -s /bin/false %u</code></em></span></p></dd>
<dt><span class="term"><a name="ADDPORTCOMMAND"></a>add port command (G)</span></dt><dd><p>Samba 3.0.23 introduces support for adding printer ports remotely using the Windows "Add Standard TCP/IP Port Wizard". This option defines an external program to be executed when smbd receives a request to add a new port to the system. The script is passed two parameters:</p><div class="itemizedlist"><ul type="disc"><li><p><em class="parameter"><code>port name</code></em></p></li><li><p><em class="parameter"><code>device URI</code></em></p></li></ul></div><p>The device URI is in the form of socket://&lt;hostname&gt;[:&lt;portnumber&gt;] or lpd://&lt;hostname&gt;/&lt;queuename&gt;.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>add port command</code></em> = <code class="literal"></code></em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>add port command</code></em> = <code class="literal">/etc/samba/scripts/addport.sh</code></em></span></p></dd>
<dt><span class="term"><a name="ADDPRINTERCOMMAND"></a>add printer command (G)</span></dt><dd><p>With the introduction of MS-RPC based printing support for Windows NT/2000 clients in Samba 2.2, the MS Add Printer Wizard (APW) icon is now also available in the "Printers..." folder displayed in a share listing. The APW allows for printers to be added remotely to a Samba or Windows NT/2000 print server.</p><p>For a Samba host this means that the printer must be physically added to the underlying printing system.
The <em class="parameter"><code>add printer command</code></em> defines a script to be run which will perform the necessary operations for adding the printer to the print system and to add the appropriate service definition to the <code class="filename">smb.conf</code> file in order that it can be shared by <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a>.</p><p>The <em class="parameter"><code>addprinter command</code></em> is automatically invoked with the following parameters (in order):</p><div class="itemizedlist"><ul type="disc"><li><p><em class="parameter"><code>printer name</code></em></p></li><li><p><em class="parameter"><code>share name</code></em></p></li><li><p><em class="parameter"><code>port name</code></em></p></li><li><p><em class="parameter"><code>driver name</code></em></p></li><li><p><em class="parameter"><code>location</code></em></p></li><li><p><em class="parameter"><code>Windows 9x driver location</code></em></p></li></ul></div><p>All parameters are filled in from the PRINTER_INFO_2 structure sent by the Windows NT/2000 client with one exception. The "Windows 9x driver location" parameter is included for backwards compatibility only. The remaining fields in the structure are generated from answers to the APW questions.</p><p>Once the <em class="parameter"><code>addprinter command</code></em> has been executed, <code class="literal">smbd</code> will reparse the <code class="filename">smb.conf</code> to determine if the share defined by the APW exists. If the sharename is still invalid, then <code class="literal">smbd</code> will return an ACCESS_DENIED error to the client.</p><p>The "add printer command" program can output a single line of text, which Samba will set as the port the new printer is connected to. If this line isn't output, Samba won't reload its printer shares.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>add printer command</code></em> = <code class="literal"></code></em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>add printer command</code></em> = <code class="literal">/usr/bin/addprinter</code></em></span></p></dd>
<dt><span class="term"><a name="ADDSHARECOMMAND"></a>add share command (G)</span></dt><dd><p>Samba 2.2.0 introduced the ability to dynamically add and delete shares via the Windows NT 4.0 Server Manager. The <em class="parameter"><code>add share command</code></em> is used to define an external program or script which will add a new service definition to <code class="filename">smb.conf</code>. In order to successfully execute the <em class="parameter"><code>add share command</code></em>, <code class="literal">smbd</code> requires that the administrator be connected using a root account (i.e. uid == 0).</p><p>When executed, <code class="literal">smbd</code> will automatically invoke the <em class="parameter"><code>add share command</code></em> with five parameters.</p><div class="itemizedlist"><ul type="disc"><li><p><em class="parameter"><code>configFile</code></em> - the location of the global <code class="filename">smb.conf</code> file.</p></li><li><p><em class="parameter"><code>shareName</code></em> - the name of the new share.</p></li><li><p><em class="parameter"><code>pathName</code></em> - path to an <span class="emphasis"><em>existing</em></span> directory on disk.</p></li><li><p><em class="parameter"><code>comment</code></em> - comment string to associate with the new share.</p></li><li><p><em class="parameter"><code>max connections</code></em> - Number of maximum simultaneous connections to this share.</p></li></ul></div><p>This parameter is only used to add file shares.
To add printer shares, see the <a class="indexterm" name="id302354"></a>addprinter command.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>add share command</code></em> = <code class="literal"></code></em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>add share command</code></em> = <code class="literal">/usr/local/bin/addshare</code></em></span></p></dd>
<dt><span class="term"><a name="ADDUSERSCRIPT"></a>add user script (G)</span></dt><dd><p>This is the full pathname to a script that will be run <span class="emphasis"><em>AS ROOT</em></span> by <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> under special circumstances described below.</p><p>Normally, a Samba server requires that UNIX users are created for all users accessing files on this server. For sites that use Windows NT account databases as their primary user database, creating these users and keeping the user list in sync with the Windows NT PDC is an onerous task. This option allows smbd to create the required UNIX users <span class="emphasis"><em>ON DEMAND</em></span> when a user accesses the Samba server.</p><p>In order to use this option, <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> must <span class="emphasis"><em>NOT</em></span> be set to <a class="indexterm" name="id302456"></a>security = share and <a class="indexterm" name="id302463"></a>add user script must be set to a full pathname for a script that will create a UNIX user given one argument of <em class="parameter"><code>%u</code></em>, which expands into the UNIX user name to create.
</p><p>When the Windows user attempts to access the Samba server, at login (session setup in the SMB protocol) time, <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> contacts the <a class="indexterm" name="id302489"></a>password server and attempts to authenticate the given user with the given password. If the authentication succeeds then <code class="literal">smbd</code> attempts to find a UNIX user in the UNIX password database to map the Windows user into. If this lookup fails, and <a class="indexterm" name="id302504"></a>add user script is set then <code class="literal">smbd</code> will call the specified script <span class="emphasis"><em>AS ROOT</em></span>, expanding any <em class="parameter"><code>%u</code></em> argument to be the user name to create.</p><p>If this script successfully creates the user then <code class="literal">smbd</code> will continue on as though the UNIX user already existed. In this way, UNIX users are dynamically created to match existing Windows NT accounts.</p><p>See also <a class="indexterm" name="id302541"></a>security, <a class="indexterm" name="id302548"></a>password server, <a class="indexterm" name="id302555"></a>delete user script.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>add user script</code></em> = <code class="literal"></code></em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>add user script</code></em> = <code class="literal">/usr/local/samba/bin/add_user %u</code></em></span></p></dd>
<dt><span class="term"><a name="ADDUSERTOGROUPSCRIPT"></a>add user to group script (G)</span></dt><dd><p>Full path to the script that will be called when a user is added to a group using the Windows NT domain administration tools.
It will be run by <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> <span class="emphasis"><em>AS ROOT</em></span>. Any <em class="parameter"><code>%g</code></em> will be replaced with the group name and any <em class="parameter"><code>%u</code></em> will be replaced with the user name.</p><p>Note that the <code class="literal">adduser</code> command used in the example below does not support the syntax used here on all systems.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>add user to group script</code></em> = <code class="literal"></code></em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>add user to group script</code></em> = <code class="literal">/usr/sbin/adduser %u %g</code></em></span></p></dd>
<dt><span class="term"><a name="ADMINUSERS"></a>admin users (S)</span></dt><dd><p>This is a list of users who will be granted administrative privileges on the share. This means that they will do all file operations as the super-user (root).</p><p>You should use this option very carefully, as any user in this list will be able to do anything they like on the share, irrespective of file permissions.</p><p>This parameter will not work with <a class="indexterm" name="id302715"></a>security = share in Samba 3.0. This is by design.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>admin users</code></em> = <code class="literal"></code></em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>admin users</code></em> = <code class="literal">jason</code></em></span></p></dd>
<dt><span class="term"><a name="AFSSHARE"></a>afs share (S)</span></dt><dd><p>This parameter controls whether special AFS features are enabled for this share.
If enabled, it assumes that the directory exported via the <em class="parameter"><code>path</code></em> parameter is a local AFS import. The special AFS features include the attempt to hand-craft an AFS token if you enabled --with-fake-kaserver in configure.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>afs share</code></em> = <code class="literal">no</code></em></span></p></dd>
<dt><span class="term"><a name="AFSUSERNAMEMAP"></a>afs username map (G)</span></dt><dd><p>If you are using the fake kaserver AFS feature, you might want to hand-craft the usernames you are creating tokens for. For example this is necessary if you have users from several domains in your AFS Protection Database. One possible scheme is to code users as DOMAIN+User, as is done by winbind with the + as a separator.</p><p>The mapped user name must contain the cell name to log into, so without setting this parameter there will be no token.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>afs username map</code></em> = <code class="literal"></code></em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>afs username map</code></em> = <code class="literal">%u@afs.samba.org</code></em></span></p></dd>
<dt><span class="term"><a name="AIOREADSIZE"></a>aio read size (S)</span></dt><dd><p>If Samba has been built with asynchronous I/O support and this integer parameter is set to a non-zero value, Samba will read from file asynchronously when the size of the request is bigger than this value.
Note that it happens only for non-chained and non-chaining reads and when not using write cache.</p><p>The current implementation of asynchronous I/O in Samba 3.0 supports only up to 10 outstanding asynchronous requests, read and write combined.</p><p>See also write cache size, aio write size.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>aio read size</code></em> = <code class="literal">0</code></em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>aio read size</code></em> = <code class="literal">16384 # Use asynchronous I/O for reads bigger than 16KB request size</code></em></span></p></dd>
<dt><span class="term"><a name="AIOWRITESIZE"></a>aio write size (S)</span></dt><dd><p>If Samba has been built with asynchronous I/O support and this integer parameter is set to a non-zero value, Samba will write to file asynchronously when the size of the request is bigger than this value. Note that it happens only for non-chained and non-chaining reads and when not using write cache.</p><p>The current implementation of asynchronous I/O in Samba 3.0 supports only up to 10 outstanding asynchronous requests, read and write combined.</p><p>See also write cache size, aio read size.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>aio write size</code></em> = <code class="literal">0</code></em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>aio write size</code></em> = <code class="literal">16384 # Use asynchronous I/O for writes bigger than 16KB request size</code></em></span></p></dd>
<dt><span class="term"><a name="ALGORITHMICRIDBASE"></a>algorithmic rid base (G)</span></dt><dd><p>This determines how Samba will use its algorithmic mapping from uids/gids to the RIDs needed to construct NT Security Identifiers.
</p><p>Setting this option to a larger value could be useful to sites transitioning from WinNT and Win2k, as existing user and group rids would otherwise clash with system users etc.</p><p>All UIDs and GIDs must be able to be resolved into SIDs for the correct operation of ACLs on the server. As such the algorithmic mapping can't be 'turned off', but pushing it 'out of the way' should resolve the issues. Users and groups can then be assigned 'low' RIDs in arbitrary-rid supporting backends.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>algorithmic rid base</code></em> = <code class="literal">1000</code></em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>algorithmic rid base</code></em> = <code class="literal">100000</code></em></span></p></dd>
<dt><span class="term"><a name="ALLOCATIONROUNDUPSIZE"></a>allocation roundup size (S)</span></dt><dd><p>This parameter allows an administrator to tune the allocation size reported to Windows clients. The default size of 1Mb generally results in improved Windows client performance. However, rounding the allocation size may cause difficulties for some applications, e.g. MS Visual Studio. If the MS Visual Studio compiler starts to crash with an internal error, set this parameter to zero for this share.
</p><p>The integer parameter specifies the roundup size in bytes.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>allocation roundup size</code></em> = <code class="literal">1048576</code></em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>allocation roundup size</code></em> = <code class="literal">0 # (to disable roundups)</code></em></span></p></dd>
<dt><span class="term"><a name="ALLOWTRUSTEDDOMAINS"></a>allow trusted domains (G)</span></dt><dd><p>This option only takes effect when the <a class="indexterm" name="id303140"></a>security option is set to <code class="constant">server</code>, <code class="constant">domain</code> or <code class="constant">ads</code>. If it is set to no, then attempts to connect to a resource from a domain or workgroup other than the one which smbd is running in will fail, even if that domain is trusted by the remote server doing the authentication.</p><p>This is useful if you only want your Samba server to serve resources to users in the domain it is a member of. As an example, suppose that there are two domains DOMA and DOMB. DOMB is trusted by DOMA, which contains the Samba server. Under normal circumstances, a user with an account in DOMB can then access the resources of a UNIX account with the same account name on the Samba server even if they do not have an account in DOMA. This can make implementing a security boundary difficult.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>allow trusted domains</code></em> = <code class="literal">yes</code></em></span></p></dd>
<dt><span class="term"><a name="ANNOUNCEAS"></a>announce as (G)</span></dt><dd><p>This specifies what type of server <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a> will announce itself as, to a network neighborhood browse list.
By default this is set to Windows NT. The valid options are: "NT Server" (which can also be written as "NT"), "NT Workstation", "Win95" or "WfW" meaning Windows NT Server, Windows NT Workstation, Windows 95 and Windows for Workgroups respectively. Do not change this parameter unless you have a specific need to stop Samba appearing as an NT server as this may prevent Samba servers from participating as browser servers correctly.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>announce as</code></em> = <code class="literal">NT Server</code></em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>announce as</code></em> = <code class="literal">Win95</code></em></span></p></dd>
<dt><span class="term"><a name="ANNOUNCEVERSION"></a>announce version (G)</span></dt><dd><p>This specifies the major and minor version numbers that nmbd will use when announcing itself as a server. The default is 4.9. Do not change this parameter unless you have a specific need to set a Samba server to be a downlevel server.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>announce version</code></em> = <code class="literal">4.9</code></em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>announce version</code></em> = <code class="literal">2.0</code></em></span></p></dd>
<dt><span class="term"><a name="AUTHMETHODS"></a>auth methods (G)</span></dt><dd><p>This option allows the administrator to choose what authentication methods <code class="literal">smbd</code> will use when authenticating a user. This option defaults to sensible values based on <a class="indexterm" name="id303341"></a>security. This should be considered a developer option and used only in rare circumstances. In the majority (if not all) of production servers, the default setting should be adequate.
</p><p>Each entry in the list attempts to authenticate the user in turn, until the user authenticates. In practice only one method will ever actually be able to complete the authentication.</p><p>Possible options include <code class="constant">guest</code> (anonymous access), <code class="constant">sam</code> (lookups in local list of accounts based on netbios name or domain name), <code class="constant">winbind</code> (relay authentication requests for remote users through winbindd), <code class="constant">ntdomain</code> (pre-winbindd method of authentication for remote domain users; deprecated in favour of winbind method), <code class="constant">trustdomain</code> (authenticate trusted users by contacting the remote DC directly from smbd; deprecated in favour of winbind method).</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>auth methods</code></em> = <code class="literal"></code></em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>auth methods</code></em> = <code class="literal">guest sam winbind</code></em></span></p></dd>
<dt><span class="term"><a name="AVAILABLE"></a>available (S)</span></dt><dd><p>This parameter lets you "turn off" a service. If <em class="parameter"><code>available = no</code></em>, then <span class="emphasis"><em>ALL</em></span> attempts to connect to the service will fail. Such failures are logged.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>available</code></em> = <code class="literal">yes</code></em></span></p></dd>
<dt><span class="term"><a name="BINDINTERFACESONLY"></a>bind interfaces only (G)</span></dt><dd><p>This global parameter allows the Samba admin to limit what interfaces on a machine will serve SMB requests.
It affects file service <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> and name service <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a> in slightly different ways.</p><p>For name service it causes <code class="literal">nmbd</code> to bind to ports 137 and 138 on the interfaces listed in the <a class="indexterm" name="id303510"></a>interfaces parameter. <code class="literal">nmbd</code> also binds to the "all addresses" interface (0.0.0.0) on ports 137 and 138 for the purposes of reading broadcast messages. If this option is not set then <code class="literal">nmbd</code> will service name requests on all of these sockets. If <a class="indexterm" name="id303531"></a>bind interfaces only is set then <code class="literal">nmbd</code> will check the source address of any packets coming in on the broadcast sockets and discard any that don't match the broadcast addresses of the interfaces in the <a class="indexterm" name="id303545"></a>interfaces parameter list. As unicast packets are received on the other sockets it allows <code class="literal">nmbd</code> to refuse to serve names to machines that send packets that arrive through any interfaces not listed in the <a class="indexterm" name="id303560"></a>interfaces list. IP Source address spoofing does defeat this simple check, however, so it must not be used seriously as a security feature for <code class="literal">nmbd</code>.</p><p>For file service it causes <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> to bind only to the interface list given in the <a class="indexterm" name="id303585"></a>interfaces parameter. This restricts the networks that <code class="literal">smbd</code> will serve to packets coming in those interfaces.
Note that you should not use this parameter for machines that are serving PPP or other intermittent or non-broadcast network interfaces as it will not cope with non-permanent interfaces.</p><p>If <a class="indexterm" name="id303604"></a>bind interfaces only is set then unless the network address <span class="emphasis"><em>127.0.0.1</em></span> is added to the <a class="indexterm" name="id303615"></a>interfaces parameter list <a href="smbpasswd.8.html"><span class="citerefentry"><span class="refentrytitle">smbpasswd</span>(8)</span></a> and <a href="swat.8.html"><span class="citerefentry"><span class="refentrytitle">swat</span>(8)</span></a> may not work as expected due to the reasons covered below.</p><p>To change a user's SMB password, <code class="literal">smbpasswd</code> by default connects to the <span class="emphasis"><em>localhost - 127.0.0.1</em></span> address as an SMB client to issue the password change request. If <a class="indexterm" name="id303653"></a>bind interfaces only is set then unless the network address <span class="emphasis"><em>127.0.0.1</em></span> is added to the <a class="indexterm" name="id303664"></a>interfaces parameter list <code class="literal">smbpasswd</code> will fail to connect in its default mode. <code class="literal">smbpasswd</code> can be forced to use the primary IP interface of the local host by using its <a href="smbpasswd.8.html"><span class="citerefentry"><span class="refentrytitle">smbpasswd</span>(8)</span></a> <em class="parameter"><code>-r <em class="replaceable"><code>remote machine</code></em></code></em> parameter, with <em class="replaceable"><code>remote machine</code></em> set to the IP name of the primary interface of the local host.
</p><p>The <code class="literal">swat</code> status page tries to connect with <code class="literal">smbd</code> and <code class="literal">nmbd</code> at the address <span class="emphasis"><em>127.0.0.1</em></span> to determine if they are running. Not adding <span class="emphasis"><em>127.0.0.1</em></span> will cause <code class="literal">smbd</code> and <code class="literal">nmbd</code> to always show "not running" even if they really are. This can prevent <code class="literal">swat</code> from starting/stopping/restarting <code class="literal">smbd</code> and <code class="literal">nmbd</code>.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>bind interfaces only</code></em> = <code class="literal">no</code></em></span></p></dd>
<dt><span class="term"><a name="BLOCKINGLOCKS"></a>blocking locks (S)</span></dt><dd><p>This parameter controls the behavior of <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> when given a request by a client to obtain a byte range lock on a region of an open file, and the request has a time limit associated with it.</p><p>If this parameter is set and the lock range requested cannot be immediately satisfied, Samba will internally queue the lock request, and periodically attempt to obtain the lock until the timeout period expires.</p><p>If this parameter is set to <code class="constant">no</code>, then Samba will behave as previous versions of Samba would and will fail the lock request immediately if the lock range cannot be obtained.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>blocking locks</code></em> = <code class="literal">yes</code></em></span></p></dd>
<dt><span class="term"><a name="BLOCKSIZE"></a>block size (S)</span></dt><dd><p>This parameter controls the behavior of <a href="smbd.8.html"><span class="citerefentry"><span
class="refentrytitle">smbd</span>(8)</span></a> when reporting disk free sizes. By default, this reports a disk block size of 1024 bytes.</p><p>Changing this parameter may have some effect on the efficiency of client writes; this is not yet confirmed. This parameter was added to allow advanced administrators to change it (usually to a higher value) and test the effect it has on client write performance without re-compiling the code. As this is an experimental option it may be removed in a future release.</p><p>Changing this option does not change the disk free reporting size, just the block size unit reported to the client.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>block size</code></em> = <code class="literal">1024</code></em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>block size</code></em> = <code class="literal">4096</code></em></span></p></dd>
<dt><span class="term"><a name="BROWSABLE"></a>browsable</span></dt><dd><p>This parameter is a synonym for browseable.</p></dd>
<dt><span class="term"><a name="BROWSEABLE"></a>browseable (S)</span></dt><dd><p>This controls whether this share is seen in the list of available shares in a net view and in the browse list.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>browseable</code></em> = <code class="literal">yes</code></em></span></p></dd>
<dt><span class="term"><a name="BROWSELIST"></a>browse list (G)</span></dt><dd><p>This controls whether <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> will serve a browse list to a client doing a <code class="literal">NetServerEnum</code> call. Normally set to <code class="constant">yes</code>.
You should never need to change
this.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>browse list</code></em> = <code class="literal">yes</code></em></span></p></dd><dt><span class="term"><a name="CASESIGNAMES"></a>casesignames</span></dt><dd><p>This parameter is a synonym for case sensitive.</p></dd><dt><span class="term"><a name="CASESENSITIVE"></a>case sensitive (S)</span></dt><dd><p>See the discussion in the section <a class="indexterm" name="id304074"></a>name mangling.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>case sensitive</code></em> = <code class="literal">no</code></em></span></p></dd><dt><span class="term"><a name="CHANGENOTIFY"></a>change notify (S)</span></dt><dd><p>This parameter specifies whether Samba should reply
to a client's file change notify requests.
</p><p>You should never need to change this parameter.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>change notify</code></em> = <code class="literal">no</code></em></span></p></dd><dt><span class="term"><a name="CHANGESHARECOMMAND"></a>change share command (G)</span></dt><dd><p>Samba 2.2.0 introduced the ability to dynamically
add and delete shares via the Windows NT 4.0 Server Manager. The
<em class="parameter"><code>change share command</code></em> is used to define an
external program or script which will modify an existing service definition
in <code class="filename">smb.conf</code>. In order to successfully
execute the <em class="parameter"><code>change share command</code></em>, <code class="literal">smbd</code>
requires that the administrator be connected using a root account (i.e.
uid == 0).
</p><p>
When executed, <code class="literal">smbd</code> will automatically invoke the
<em class="parameter"><code>change share command</code></em> with five parameters.
</p><div class="itemizedlist"><ul type="disc"><li><p><em class="parameter"><code>configFile</code></em> - the location
of the global <code class="filename">smb.conf</code> file.
</p></li><li><p><em class="parameter"><code>shareName</code></em> - the name of the new
share.
</p></li><li><p><em class="parameter"><code>pathName</code></em> - path to an <span class="emphasis"><em>existing</em></span>
directory on disk.
</p></li><li><p><em class="parameter"><code>comment</code></em> - comment string to associate
with the new share.
</p></li><li><p><em class="parameter"><code>max connections</code></em> - maximum number of simultaneous connections to this
share.
</p></li></ul></div><p>
This parameter is only used to modify existing file share definitions. To modify
printer shares, use the "Printers..." folder as seen when browsing the Samba host.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>change share command</code></em> = <code class="literal"></code></em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>change share command</code></em> = <code class="literal">/usr/local/bin/addshare</code></em></span></p></dd><dt><span class="term"><a name="CHECKPASSWORDSCRIPT"></a>check password script (G)</span></dt><dd><p>The name of a program that can be used to check password
complexity. The password is sent to the program's standard input.</p><p>The program must return 0 for a good password and any other value otherwise.
In case the password is considered weak (the program does not return 0) the
user will be notified and the password change will fail.</p><p>Note: In the example directory there is a sample program called crackcheck
that uses cracklib to check password quality.</p>
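<p>A program that meets the contract described above (password on standard input, exit status 0 to accept), added here as an example; it is not the crackcheck sample and not part of Samba. The policy thresholds, the deny list, and the assumption that the password arrives as UTF-8 with at most one trailing newline are choices made for this example.</p>

```python
#!/usr/bin/env python3
"""Example "check password script": password on stdin, exit status 0 = accept."""
import re
import sys
import unicodedata

# Policy values are assumptions for this example, not Samba defaults.
MIN_LENGTH = 12
MIN_CLASSES = 3      # of: lower, upper, digit, other
MAX_REPEAT = 3       # longest allowed run of one character
# Constructed sample deny list; a deployment would load a much larger one.
DENYLIST = {"password", "letmein", "welcome", "qwerty", "samba", "changeme"}
# Undo common character substitutions before the deny-list lookup.
LEET = str.maketrans("0134578@$", "oieastbas")


def char_classes(pw):
    """Number of character classes (lower, upper, digit, other) present."""
    return sum((
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ))


def longest_run(pw):
    """Length of the longest run of one repeated character."""
    best = run = 0
    prev = None
    for c in pw:
        run = run + 1 if c == prev else 1
        best = max(best, run)
        prev = c
    return best


def base_word(pw):
    """Reduce e.g. 'P@ssw0rd!2024' to 'password' for the deny-list lookup."""
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())  # drop padding at the ends
    return "".join(c for c in core.translate(LEET) if c.isalpha())


def evaluate(pw):
    """Return a list of policy violations; an empty list means acceptable."""
    problems = []
    if any(unicodedata.category(c) == "Cc" for c in pw):
        problems.append("control-char")
    if len(pw) < MIN_LENGTH:
        problems.append("too-short")
    if char_classes(pw) < MIN_CLASSES:
        problems.append("few-classes")
    if longest_run(pw) > MAX_REPEAT:
        problems.append("repeated-char")
    if base_word(pw) in DENYLIST:
        problems.append("denied-word")
    return problems


def run_check(raw):
    """Map the bytes read from stdin to an exit status (0 accept, 1 reject)."""
    if raw.endswith(b"\n"):            # tolerate one trailing newline
        raw = raw[:-1]
    try:
        pw = unicodedata.normalize("NFKC", raw.decode("utf-8"))
    except UnicodeDecodeError:
        print("rejected: undecodable input", file=sys.stderr)
        return 1                       # fail closed
    problems = evaluate(pw)
    if problems:
        # Report only the rule names; never write the password itself to a log.
        print("rejected: " + ", ".join(problems), file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(run_check(sys.stdin.buffer.read()))
```

<p>The deny-list step is what rejects a value such as P@ssw0rd!2024, which satisfies the length and character-class rules on its own.</p>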
<p>Default: <span class="emphasis"><em><em class="parameter"><code>check password script</code></em> = <code class="literal">Disabled</code></em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>check password script</code></em> = <code class="literal">/usr/local/sbin/crackcheck</code></em></span></p></dd><dt><span class="term"><a name="CLIENTLANMANAUTH"></a>client lanman auth (G)</span></dt><dd><p>This parameter determines whether or not <a href="smbclient.8.html"><span class="citerefentry"><span class="refentrytitle">smbclient</span>(8)</span></a> and other Samba client
tools will attempt to authenticate themselves to servers using the
weaker LANMAN password hash. If disabled, only servers which support NT
password hashes (e.g. Windows NT/2000, Samba, etc... but not
Windows 95/98) can be connected to from the Samba client.</p><p>The LANMAN encrypted response is easily broken, due to its
case-insensitive nature, and the choice of algorithm. Clients
without Windows 95/98 servers are advised to disable
this option.
</p><p>Disabling this option will also disable the <code class="literal">client plaintext auth</code> option.</p><p>Likewise, if the <code class="literal">client ntlmv2 auth</code> parameter is enabled, then only NTLMv2 logins will be
attempted.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>client lanman auth</code></em> = <code class="literal">yes</code></em></span></p></dd><dt><span class="term"><a name="CLIENTNTLMV2AUTH"></a>client ntlmv2 auth (G)</span></dt><dd><p>This parameter determines whether or not <a href="smbclient.8.html"><span class="citerefentry"><span class="refentrytitle">smbclient</span>(8)</span></a> will attempt to
authenticate itself to servers using the NTLMv2 encrypted password
response.</p><p>If enabled, only an NTLMv2 and LMv2 response (both much more
secure than earlier versions) will be sent. Many servers
(including NT4 &lt; SP4, Win9x and Samba 2.2) are not compatible with
NTLMv2. </p><p>Similarly, if enabled, NTLMv1, <code class="literal">client lanman auth</code> and <code class="literal">client plaintext auth</code>
authentication will be disabled. This also disables share-level
authentication. </p><p>If disabled, an NTLM response (and possibly a LANMAN response)
will be sent by the client, depending on the value of <code class="literal">client lanman auth</code>.
</p><p>Note that some sites (particularly
those following 'best practice' security policies) only allow NTLMv2
responses, and not the weaker LM or NTLM.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>client ntlmv2 auth</code></em> = <code class="literal">no</code></em></span></p></dd><dt><span class="term"><a name="CLIENTPLAINTEXTAUTH"></a>client plaintext auth (G)</span></dt><dd><p>Specifies whether a client should send a plaintext
password if the server does not support encrypted passwords.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>client plaintext auth</code></em> = <code class="literal">yes</code></em></span></p></dd><dt><span class="term"><a name="CLIENTSCHANNEL"></a>client schannel (G)</span></dt><dd><p>
This controls whether the client offers or even demands the use of the netlogon schannel.
<a class="indexterm" name="id304593"></a>client schannel = no does not offer the schannel,
<a class="indexterm" name="id304601"></a>client schannel = auto offers the schannel but does not
enforce it, and <a class="indexterm" name="id304608"></a>client schannel = yes denies access
if the server is not able to speak netlogon schannel.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>client schannel</code></em> = <code class="literal">auto</code></em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>client schannel</code></em> = <code class="literal">yes</code></em></span></p></dd><dt><span class="term"><a name="CLIENTSIGNING"></a>client signing (G)</span></dt><dd><p>This controls whether the client offers or requires
the server it talks to to use SMB signing. Possible values
are <span class="emphasis"><em>auto</em></span>, <span class="emphasis"><em>mandatory</em></span>
and <span class="emphasis"><em>disabled</em></span>.
</p><p>When set to auto, SMB signing is offered, but not enforced.
When set to mandatory, SMB signing is required and if set
to disabled, SMB signing is not offered either.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>client signing</code></em> = <code class="literal">auto</code></em></span></p></dd><dt><span class="term"><a name="CLIENTUSESPNEGO"></a>client use spnego (G)</span></dt><dd><p> This variable controls whether Samba clients will try
to use Simple and Protected NEGOciation (as specified by RFC 2478) with
supporting servers (including WindowsXP, Windows2000 and Samba
3.0) to agree upon an authentication
mechanism. This enables Kerberos authentication in particular.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>client use spnego</code></em> = <code class="literal">yes</code></em></span></p></dd><dt><span class="term"><a name="COMMENT"></a>comment (S)</span></dt><dd><p>This is a text field that is seen next to a share
when a client queries the server, either via the network
neighborhood or via <code class="literal">net view</code> to list what shares
are available.</p><p>If you want to set the string that is displayed next to the
machine name then see the <a class="indexterm" name="id304778"></a>server string parameter.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>comment</code></em> = <code class="literal"># No comment</code></em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>comment</code></em> = <code class="literal">Fred's Files</code></em></span></p></dd><dt><span class="term"><a name="CONFIGFILE"></a>config file (G)</span></dt><dd><p>This allows you to override the config file
to use, instead of the default (usually <code class="filename">smb.conf</code>).
There is a chicken and egg problem here as this option is set
in the config file!</p><p>For this reason, if the name of the config file has changed
when the parameters are loaded then it will reload them from
the new config file.</p><p>This option takes the usual substitutions, which can
be very useful.</p><p>If the config file doesn't exist then it won't be loaded
(allowing you to special case the config files of just a few
clients).</p><p><span class="emphasis"><em>No default</em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>config file</code></em> = <code class="literal">/usr/local/samba/lib/smb.conf.%m</code></em></span></p></dd><dt><span class="term"><a name="COPY"></a>copy (S)</span></dt><dd><p>This parameter allows you to "clone" service
entries. The specified service is simply duplicated under the
current service's name. Any parameters specified in the current
section will override those in the section being copied.</p><p>This feature lets you set up a 'template' service and
create similar services easily. Note that the service being
copied must occur earlier in the configuration file than the
service doing the copying.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>copy</code></em> = <code class="literal"></code></em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>copy</code></em> = <code class="literal">otherservice</code></em></span></p></dd><dt><span class="term"><a name="CREATEMODE"></a>create mode</span></dt><dd><p>This parameter is a synonym for create mask.</p></dd><dt><span class="term"><a name="CREATEMASK"></a>create mask (S)</span></dt><dd><p>
When a file is created, the necessary permissions are calculated according to the mapping from DOS modes to
UNIX permissions, and the resulting UNIX mode is then bit-wise 'AND'ed with this parameter.
This parameter may
be thought of as a bit-wise MASK for the UNIX modes of a file. Any bit <span class="emphasis"><em>not</em></span> set here will
be removed from the modes set on a file when it is created.
</p><p>
The default value of this parameter removes the <code class="literal">group</code> and <code class="literal">other</code>
write and execute bits from the UNIX modes.
</p><p>
Following this Samba will bit-wise 'OR' the UNIX mode created from this parameter with the value of the
<a class="indexterm" name="id305012"></a>force create mode parameter which is set to 000 by default.
</p><p>
This parameter does not affect directory masks. See the parameter <a class="indexterm" name="id305023"></a>directory mask
for details.
</p><p>
Note that this parameter does not apply to permissions set by Windows NT/2000 ACL editors. If the
administrator wishes to enforce a mask on access control lists also, they need to set the <a class="indexterm" name="id305036"></a>security mask.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>create mask</code></em> = <code class="literal">0744</code></em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>create mask</code></em> = <code class="literal">0775</code></em></span></p></dd><dt><span class="term"><a name="CSCPOLICY"></a>csc policy (S)</span></dt><dd><p>
This stands for <span class="emphasis"><em>client-side caching policy</em></span>, and specifies how clients capable of offline
caching will cache the files in the share. The valid values are: manual, documents, programs, disable.
</p><p>
These values correspond to those used on Windows servers.
</p><p>
For example, shares containing roaming profiles can have offline caching disabled using
<a class="indexterm" name="id305112"></a>csc policy = disable.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>csc policy</code></em> = <code class="literal">manual</code></em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>csc policy</code></em> = <code class="literal">programs</code></em></span></p></dd><dt><span class="term"><a name="CUPSOPTIONS"></a>cups options (S)</span></dt><dd><p>
This parameter is only applicable if <a class="indexterm" name="id305175"></a>printing is
set to <code class="constant">cups</code>. Its value is a free form string of options
passed directly to the cups library.
</p><p>
You can pass any generic print option known to CUPS (as listed
in the CUPS "Software Users' Manual"). You can also pass any printer
specific option (as listed in "lpoptions -d printername -l")
valid for the target queue.
</p><p>
You should set this parameter to <code class="constant">raw</code> if your CUPS server
<code class="filename">error_log</code> file contains messages such as
"Unsupported format 'application/octet-stream'" when printing from a Windows client
through Samba. It is no longer necessary to enable
system wide raw printing in <code class="filename">/etc/cups/mime.{convs,types}</code>.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>cups options</code></em> = <code class="literal">""</code></em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>cups options</code></em> = <code class="literal">"raw,media=a4,job-sheets=secret,secret"</code></em></span></p></dd><dt><span class="term"><a name="CUPSSERVER"></a>cups server (G)</span></dt><dd><p>
This parameter is only applicable if <a class="indexterm" name="id305268"></a>printing is set to <code class="constant">cups</code>.
</p><p>
If set, this option overrides the ServerName option in the CUPS <code class="filename">client.conf</code>.
This is
necessary if you have virtual samba servers that connect to different CUPS daemons.
</p><p>Optionally, a port can be specified by separating the server name
and port number with a colon. If no port was specified,
the default port for IPP (631) will be used.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>cups server</code></em> = <code class="literal">""</code></em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>cups server</code></em> = <code class="literal">mycupsserver</code></em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>cups server</code></em> = <code class="literal">mycupsserver:1631</code></em></span></p></dd><dt><span class="term"><a name="DEADTIME"></a>deadtime (G)</span></dt><dd><p>The value of the parameter (a decimal integer)
represents the number of minutes of inactivity before a connection
is considered dead, and it is disconnected.
The deadtime only takes
effect if the number of open files is zero.</p><p>This is useful to stop a server's resources being
exhausted by a large number of inactive connections.</p><p>Most clients have an auto-reconnect feature when a
connection is broken so in most cases this parameter should be
transparent to users.</p><p>Using this parameter with a timeout of a few minutes
is recommended for most systems.</p><p>A deadtime of zero indicates that no auto-disconnection
should be performed.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>deadtime</code></em> = <code class="literal">0</code></em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>deadtime</code></em> = <code class="literal">15</code></em></span></p></dd><dt><span class="term"><a name="DEBUGHIRESTIMESTAMP"></a>debug hires timestamp (G)</span></dt><dd><p>
Sometimes the timestamps in the log messages are needed with a resolution higher than seconds. This
boolean parameter adds microsecond resolution to the timestamp message header when turned on.
</p><p>
Note that the parameter <a class="indexterm" name="id305445"></a>debug timestamp must be on for this to have an effect.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>debug hires timestamp</code></em> = <code class="literal">no</code></em></span></p></dd><dt><span class="term"><a name="DEBUGPID"></a>debug pid (G)</span></dt><dd><p>
When using only one log file for more than one forked <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a>-process it may be hard to follow which process outputs which
message. This boolean parameter adds the process-id to the timestamp message headers in the
logfile when turned on.
</p><p>
Note that the parameter <a class="indexterm" name="id305504"></a>debug timestamp must be on for this to have an effect.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>debug pid</code></em> = <code class="literal">no</code></em></span></p></dd><dt><span class="term"><a name="DEBUGPREFIXTIMESTAMP"></a>debug prefix timestamp (G)</span></dt><dd><p>
With this option enabled, the timestamp message header is prefixed to the debug message without the
filename and function information that is included with the <a class="indexterm" name="id305552"></a>debug timestamp
parameter. This gives timestamps to the messages without adding an additional line.
</p><p>
Note that this parameter overrides the <a class="indexterm" name="id305563"></a>debug timestamp parameter.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>debug prefix timestamp</code></em> = <code class="literal">no</code></em></span></p></dd><dt><span class="term"><a name="TIMESTAMPLOGS"></a>timestamp logs</span></dt><dd><p>This parameter is a synonym for debug timestamp.</p></dd><dt><span class="term"><a name="DEBUGTIMESTAMP"></a>debug timestamp (G)</span></dt><dd><p>
Samba debug log messages are timestamped by default. If you are running at a high
<a class="indexterm" name="id305630"></a>debug level these timestamps can be distracting. This
boolean parameter allows timestamping to be turned off.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>debug timestamp</code></em> = <code class="literal">yes</code></em></span></p></dd><dt><span class="term"><a name="DEBUGUID"></a>debug uid (G)</span></dt><dd><p>
Samba is sometimes run as root and sometimes run as the connected user. This boolean parameter inserts the
current euid, egid, uid and gid into the timestamp message headers in the log file if turned on.
</p><p>
Note that the parameter <a class="indexterm" name="id305681"></a>debug timestamp must be on for this to have an effect.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>debug uid</code></em> = <code class="literal">no</code></em></span></p></dd><dt><span class="term"><a name="DEFAULTCASE"></a>default case (S)</span></dt><dd><p>See the section on <a class="indexterm" name="id305726"></a>name mangling.
Also note the <a class="indexterm" name="id305734"></a>short preserve case parameter.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>default case</code></em> = <code class="literal">lower</code></em></span></p></dd><dt><span class="term"><a name="DEFAULTDEVMODE"></a>default devmode (S)</span></dt><dd><p>This parameter is only applicable to <a class="indexterm" name="id305779"></a>printable services.
When smbd is serving Printer Drivers to Windows NT/2k/XP clients, each printer on the Samba
server has a Device Mode which defines things such as paper size and
orientation and duplex settings. The device mode can only correctly be
generated by the printer driver itself (which can only be executed on a
Win32 platform). Because smbd is unable to execute the driver code
to generate the device mode, the default behavior is to set this field
to NULL.
</p><p>Most problems with serving printer drivers to Windows NT/2k/XP clients
can be traced to a problem with the generated device mode. Certain drivers
will do things such as crashing the client's Explorer.exe with a NULL devmode.
However, other printer drivers can cause the client's spooler service
(spoolsv.exe) to die if the devmode was not created by the driver itself
(i.e. smbd generates a default devmode).
</p><p>This parameter should be used with care and tested with the printer
driver in question. It is better to leave the device mode to NULL
and let the Windows client set the correct values.
Because drivers do not
do this all the time, setting <code class="literal">default devmode = yes</code>
will instruct smbd to generate a default one.
</p><p>For more information on Windows NT/2k printing and Device Modes,
see the <a href="http://msdn.microsoft.com/" target="_top">MSDN documentation</a>.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>default devmode</code></em> = <code class="literal">yes</code></em></span></p></dd><dt><span class="term"><a name="DEFAULT"></a>default</span></dt><dd><p>This parameter is a synonym for default service.</p></dd><dt><span class="term"><a name="DEFAULTSERVICE"></a>default service (G)</span></dt><dd><p>This parameter specifies the name of a service
which will be connected to if the service actually requested cannot
be found. Note that the square brackets are <span class="emphasis"><em>NOT</em></span>
given in the parameter value (see example below).</p><p>There is no default value for this parameter. If this
parameter is not given, attempting to connect to a nonexistent
service results in an error.</p><p>
Typically the default service would be a <a class="indexterm" name="id305892"></a>guest ok, <a class="indexterm" name="id305899"></a>read-only service.</p><p>Also note that the apparent service name will be changed to equal
that of the requested service; this is very useful as it allows you to use macros like <em class="parameter"><code>%S</code></em> to make a wildcard service.
</p><p>Note also that any "_" characters in the name of the service
used in the default service will get mapped to a "/".
This allows for
interesting things.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>default service</code></em> = <code class="literal"></code></em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>default service</code></em> = <code class="literal">pub</code></em></span></p></dd><dt><span class="term"><a name="DEFERSHARINGVIOLATIONS"></a>defer sharing violations (G)</span></dt><dd><p>
Windows allows specifying how a file will be shared with
other processes when it is opened. Sharing violations occur when
a file is opened by a different process using options that violate
the share settings specified by other processes. This parameter causes
smbd to act as a Windows server does, and defer returning a "sharing
violation" error message for up to one second, allowing the client
to close the file causing the violation in the meantime.
</p><p>UNIX by default does not have this behaviour.</p><p>
There should be no reason to turn off this parameter, as it is
designed to enable Samba to more correctly emulate Windows.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>defer sharing violations</code></em> = <code class="literal">True</code></em></span></p></dd><dt><span class="term"><a name="DELETEGROUPSCRIPT"></a>delete group script (G)</span></dt><dd><p>This is the full pathname to a script that will
be run <span class="emphasis"><em>AS ROOT</em></span> by <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> when a group is requested to be deleted.
It will expand any <em class="parameter"><code>%g</code></em> to the group name passed.
This script is only useful for installations using the Windows NT domain administration tools.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>delete group script</code></em> = <code class="literal"></code></em></span></p></dd><dt><span class="term"><a name="DELETEPRINTERCOMMAND"></a>deleteprinter command (G)</span></dt><dd><p>With the introduction of MS-RPC based printer
support for Windows NT/2000 clients in Samba 2.2, it is now
possible to delete a printer at run time by issuing the
DeletePrinter() RPC call.</p><p>For a Samba host this means that the printer must be
physically deleted from the underlying printing system. The
<a class="indexterm" name="id306089"></a>deleteprinter command defines a script to be run which
will perform the necessary operations for removing the printer
from the print system and from <code class="filename">smb.conf</code>.
</p><p>The <a class="indexterm" name="id306106"></a>deleteprinter command is
automatically called with only one parameter: <a class="indexterm" name="id306114"></a>printer name.
</p><p>Once the <a class="indexterm" name="id306124"></a>deleteprinter command has
been executed, <code class="literal">smbd</code> will reparse the <code class="filename">smb.conf</code> to check that the associated printer no longer exists.
If the sharename is still valid, then <code class="literal">smbd</code> will return an ACCESS_DENIED error to the client.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>deleteprinter command</code></em> = <code class="literal"></code></em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>deleteprinter command</code></em> = <code class="literal">/usr/bin/removeprinter</code></em></span></p></dd><dt><span class="term"><a name="DELETEREADONLY"></a>delete readonly (S)</span></dt><dd><p>This parameter allows readonly files to be deleted.
This is not normal DOS semantics, but is allowed by UNIX.</p><p>This option may be useful for running applications such
as rcs, where UNIX file ownership prevents changing file
permissions, and DOS semantics prevent deletion of a read only file.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>delete readonly</code></em> = <code class="literal">no</code></em></span></p></dd><dt><span class="term"><a name="DELETESHARECOMMAND"></a>delete share command (G)</span></dt><dd><p>Samba 2.2.0 introduced the ability to dynamically
add and delete shares via the Windows NT 4.0 Server Manager. The
<em class="parameter"><code>delete share command</code></em> is used to define an
external program or script which will remove an existing service
definition from <code class="filename">smb.conf</code>. In order to successfully
execute the <em class="parameter"><code>delete share command</code></em>, <code class="literal">smbd</code>
requires that the administrator be connected using a root account (i.e.
uid == 0).
</p><p>
When executed, <code class="literal">smbd</code> will automatically invoke the
<em class="parameter"><code>delete share command</code></em> with two parameters.
</p><div class="itemizedlist"><ul type="disc"><li><p><em class="parameter"><code>configFile</code></em> - the location
of the global <code class="filename">smb.conf</code> file.
</p></li><li><p><em class="parameter"><code>shareName</code></em> - the name of
the existing service.
</p></li></ul></div><p>
This parameter is only used to remove file shares. To delete printer shares,
see the <a class="indexterm" name="id306327"></a>deleteprinter command.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>delete share command</code></em> = <code class="literal"></code></em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>delete share command</code></em> = <code class="literal">/usr/local/bin/delshare</code></em></span></p></dd><dt><span class="term"><a name="DELETEUSERFROMGROUPSCRIPT"></a>delete user from group script (G)</span></dt><dd><p>Full path to the script that will be called when
a user is removed from a group using the Windows NT domain administration
tools. It will be run by <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> <span class="emphasis"><em>AS ROOT</em></span>.
Any <em class="parameter"><code>%g</code></em> will be replaced with the group name and
any <em class="parameter"><code>%u</code></em> will be replaced with the user name.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>delete user from group script</code></em> = <code class="literal"></code></em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>delete user from group script</code></em> = <code class="literal">/usr/sbin/deluser %u %g</code></em></span></p></dd><dt><span class="term"><a name="DELETEUSERSCRIPT"></a>delete user script (G)</span></dt><dd><p>This is the full pathname to a script that will
be run by <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> when managing users
with remote RPC (NT) tools.
</p><p>This script is called when a remote client removes a user
from the server, normally using 'User Manager for Domains' or
<code class="literal">rpcclient</code>.</p><p>This script should delete the given UNIX username.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>delete user script</code></em> = <code class="literal"></code></em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>delete user script</code></em> = <code class="literal">/usr/local/samba/bin/del_user %u</code></em></span></p></dd><dt><span class="term"><a name="DELETEVETOFILES"></a>delete veto files (S)</span></dt><dd><p>This option is used when Samba is attempting to
delete a directory that contains one or more vetoed directories
(see the <a class="indexterm" name="id306545"></a>veto files
option). If this option is set to <code class="constant">no</code> (the default) then if a vetoed
directory contains any non-vetoed files or directories then the
directory delete will fail. This is usually what you want.</p><p>If this option is set to <code class="constant">yes</code>, then Samba
will attempt to recursively delete any files and directories within
the vetoed directory. This can be useful for integration with file
serving systems such as NetAtalk which create meta-files within
directories you might normally veto DOS/Windows users from seeing
(e.g.
<code class="filename">.AppleDouble</code>).</p><p>Setting <a class="indexterm" name="id306576"></a>delete veto files = yes allows these
directories to be transparently deleted when the parent directory
is deleted (so long as the user has permissions to do so).</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>delete veto files</code></em> = <code class="literal">no</code>
</em></span>
</p></dd><dt><span class="term"><a name="DFREECACHETIME"></a>dfree cache time (S)</span></dt><dd><p>
The <em class="parameter"><code>dfree cache time</code></em> should only be used on systems where a problem
occurs with the internal disk space calculations. This has been known to happen with Ultrix, but may occur
with other operating systems. The symptom that was seen was an error of "Abort Retry Ignore" at the
end of each directory listing.
</p><p>
This is a new parameter introduced in Samba version 3.0.21. It specifies in seconds the time that smbd will
cache the output of a disk free query. If set to zero (the default) no caching is done. This allows a heavily
loaded server to prevent rapid spawning of <a class="indexterm" name="id306636"></a>dfree command scripts increasing the load.
</p><p>
By default this parameter is zero, meaning no caching will be done.
</p><p><span class="emphasis"><em>No default</em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>dfree cache time</code></em> = <code class="literal">60</code>
</em></span>
</p></dd><dt><span class="term"><a name="DFREECOMMAND"></a>dfree command (S)</span></dt><dd><p>
The <em class="parameter"><code>dfree command</code></em> setting should only be used on systems where a
problem occurs with the internal disk space calculations. This has been known to happen with Ultrix, but may
occur with other operating systems.
The symptom that was seen was an error of "Abort Retry Ignore"
at the end of each directory listing.
</p><p>
This setting allows the replacement of the internal routines to calculate the total disk space and amount
available with an external routine. The example below gives a possible script that might fulfill this
function.
</p><p>
In Samba version 3.0.21 this parameter has been changed to be a per-share parameter, and in addition the
parameter <a class="indexterm" name="id306708"></a>dfree cache time was added to allow the output of this script to be cached
for systems under heavy load.
</p><p>
The external program will be passed a single parameter indicating a directory in the filesystem being queried.
This will typically consist of the string <code class="filename">./</code>. The script should return
two integers in ASCII. The first should be the total disk space in blocks, and the second should be the number
of available blocks. An optional third return value can give the block size in bytes. The default blocksize is
1024 bytes.
</p><p>
Note: Your script should <span class="emphasis"><em>NOT</em></span> be setuid or setgid and should be owned by (and writeable
only by) root!
</p><p>
Where the script dfree (which must be made executable) could be:
</p><pre class="programlisting">
#!/bin/sh
# $1 is the directory being queried; print total and available blocks
df "$1" | tail -1 | awk '{print $2" "$4}'
</pre><p>
or perhaps (on Sys V based systems):
</p><pre class="programlisting">
#!/bin/sh
# $1 is the directory being queried; print total and available blocks
/usr/bin/df -k "$1" | tail -1 | awk '{print $3" "$5}'
</pre><p>
Note that you may have to replace the command names with full path names on some systems.
</p><p>
By default internal routines for determining the disk capacity and remaining space will be used.
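</p><p>The ownership and permission requirements in the note above can be checked mechanically. The following Python script is an added example, not part of the Samba suite: it reads an smb.conf using the FILE FORMAT rules and applies the note's criteria (owned by root, not writable by group or other, not setuid or setgid) to <code class="literal">dfree command</code> and, as a generalization, to the other script and command parameters described in this section. The function names, the <code class="literal">HOOK_PARAMS</code> list and the sample configuration are constructed for illustration.</p>

```python
import os
import stat
import tempfile

# Parameters in this section whose value names an external program, written
# without whitespace and in lower case (illustrative list, extend as needed).
HOOK_PARAMS = {
    "deletesharecommand", "deleteuserfromgroupscript", "deleteuserscript",
    "dfreecommand", "enumportscommand",
}


def parse_hooks(conf_text):
    """Return [(section, parameter, program)] for the hook parameters.

    Applies the FILE FORMAT rules: ';' and '#' comment lines, a trailing
    backslash continues the line, only the first '=' is significant, and
    parameter names ignore case and whitespace.
    """
    hooks, section, pending = [], None, ""
    for raw in conf_text.splitlines() + [""]:  # final "" flushes a continuation
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        name, sep, value = line.partition("=")
        if sep and "".join(name.split()).lower() in HOOK_PARAMS and value.strip():
            # The first word is the program; the rest are arguments such as %u.
            hooks.append((section, " ".join(name.split()).lower(), value.split()[0]))
    return hooks


def audit_program(path, owner_uid=0):
    """Return a list of findings for one hook program (empty list = passes)."""
    if not os.path.isabs(path):
        return ["not an absolute path"]
    try:
        st = os.stat(path)  # follows symlinks: the target is what gets run
    except OSError as exc:
        return ["cannot stat: %s" % exc.strerror]
    findings = []
    if st.st_uid != owner_uid:
        findings.append("owner uid %d, expected %d" % (st.st_uid, owner_uid))
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by group or other (mode %04o)"
                        % stat.S_IMODE(st.st_mode))
    if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
        findings.append("setuid or setgid bit set")
    if not st.st_mode & stat.S_IXUSR:
        findings.append("not executable by owner")
    return findings


def audit_conf(conf_text, owner_uid=0):
    """Map (section, parameter, program) to findings for every failing hook."""
    report = {}
    for hook in parse_hooks(conf_text):
        findings = audit_program(hook[2], owner_uid)
        if findings:
            report[hook] = findings
    return report


def demo():
    """Audit a constructed smb.conf that points at two constructed scripts."""
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "dfree")
        bad = os.path.join(tmp, "del_user")
        for path, mode in ((good, 0o755), (bad, 0o4775)):
            with open(path, "w") as fh:
                fh.write("#!/bin/sh\nexit 0\n")
            os.chmod(path, mode)
        conf = (
            "[global]\n"
            "  Delete User Script = %s %%u\n"
            "; dfree command = /commented/out\n"
            "[data]\n"
            "  dfree  command = \\\n"
            "      %s\n"
        ) % (bad, good)
        # The constructed files belong to the current user, so that uid stands
        # in for root here; against a real server leave owner_uid at 0.
        return audit_conf(conf, owner_uid=os.getuid())


if __name__ == "__main__":
    for hook, findings in demo().items():
        print(hook, findings)
```

<p>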
</p><p><span class="emphasis"><em>No default</em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>dfree command</code></em> = <code class="literal">/usr/local/samba/bin/dfree</code>
</em></span>
</p></dd><dt><span class="term"><a name="DIRECTORYMODE"></a>directory mode</span></dt><dd><p>This parameter is a synonym for directory mask.</p></dd><dt><span class="term"><a name="DIRECTORYMASK"></a>directory mask (S)</span></dt><dd><p>This parameter specifies the octal modes that are
used when converting DOS modes to UNIX modes when creating UNIX
directories.</p><p>When a directory is created, the necessary permissions are
calculated according to the mapping from DOS modes to UNIX permissions,
and the resulting UNIX mode is then bit-wise 'AND'ed with this
parameter. This parameter may be thought of as a bit-wise MASK for
the UNIX modes of a directory. Any bit <span class="emphasis"><em>not</em></span> set
here will be removed from the modes set on a directory when it is
created.</p><p>The default value of this parameter removes the 'group'
and 'other' write bits from the UNIX mode, allowing only the
user who owns the directory to modify it.</p><p>Following this Samba will bit-wise 'OR' the UNIX mode
created from this parameter with the value of the <a class="indexterm" name="id306842"></a>force directory mode parameter.
This parameter is set to 000 by default (i.e. no extra mode bits are added).</p><p>Note that this parameter does not apply to permissions
set by Windows NT/2000 ACL editors.
If the administrator wishes to enforce
a mask on access control lists also, they need to set the <a class="indexterm" name="id306854"></a>directory security mask.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>directory mask</code></em> = <code class="literal">0755</code>
</em></span>
</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>directory mask</code></em> = <code class="literal">0775</code>
</em></span>
</p></dd><dt><span class="term"><a name="DIRECTORYSECURITYMASK"></a>directory security mask (S)</span></dt><dd><p>This parameter controls what UNIX permission bits
can be modified when a Windows NT client is manipulating the UNIX
permission on a directory using the native NT security dialog
box.</p><p>
This parameter is applied as a mask (AND'ed with) to the changed permission bits, thus preventing any bits not
in this mask from being modified. Make sure not to mix up this parameter with <a class="indexterm" name="id306924"></a>force directory security mode, which works in a similar manner to this one but uses a logical OR instead of an AND.
Essentially, zero bits in this mask may be treated as a set of bits the user is not allowed to change.
</p><p>If not set explicitly this parameter is set to 0777
meaning a user is allowed to modify all the user/group/world
permissions on a directory.</p><p><span class="emphasis"><em>Note</em></span> that users who can access the
Samba server through other means can easily bypass this restriction,
so it is primarily useful for standalone "appliance" systems.
Administrators of most normal systems will probably want to leave
it as the default of <code class="constant">0777</code>.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>directory security mask</code></em> = <code class="literal">0777</code>
</em></span>
</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>directory security mask</code></em> = <code class="literal">0700</code>
</em></span>
</p></dd><dt><span class="term"><a name="DISABLENETBIOS"></a>disable netbios (G)</span></dt><dd><p>Enabling this parameter will disable netbios support
in Samba. Netbios is the only available form of browsing in
all Windows versions except for 2000 and XP. </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>Clients that only support netbios won't be able to
see your Samba server when netbios support is disabled.
</p></div><p>Default: <span class="emphasis"><em><em class="parameter"><code>disable netbios</code></em> = <code class="literal">no</code>
</em></span>
</p></dd><dt><span class="term"><a name="DISABLESPOOLSS"></a>disable spoolss (G)</span></dt><dd><p>Enabling this parameter will disable Samba's support
for the SPOOLSS set of MS-RPC's and will yield identical behavior
as Samba 2.0.x. Windows NT/2000 clients will downgrade to using
Lanman style printing commands. Windows 9x/ME will be unaffected by
the parameter. However, this will also disable the ability to upload
printer drivers to a Samba server via the Windows NT Add Printer
Wizard or by using the NT printer properties dialog window. It will
also disable the capability of Windows NT/2000 clients to download
print drivers from the Samba host upon demand.
<span class="emphasis"><em>Be very careful about enabling this parameter.</em></span>
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>disable spoolss</code></em> = <code class="literal">no</code>
</em></span>
</p></dd><dt><span class="term"><a name="DISPLAYCHARSET"></a>display charset (G)</span></dt><dd><p>
Specifies the charset that Samba will use to print messages to stdout and stderr.
The default value is "LOCALE", which means automatically set, depending on the
current locale. The value should generally be the same as the value of the parameter
<a class="indexterm" name="id258203"></a>unix charset.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>display charset</code></em> = <code class="literal">"LOCALE" or "ASCII" (depending on the system)</code>
</em></span>
</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>display charset</code></em> = <code class="literal">UTF8</code>
</em></span>
</p></dd><dt><span class="term"><a name="DMAPISUPPORT"></a>dmapi support (S)</span></dt><dd><p>This parameter specifies whether Samba should use DMAPI to
determine whether a file is offline or not. This would typically
be used in conjunction with a hierarchical storage system that
automatically migrates files to tape.
</p><p>Note that Samba infers the status of a file by examining the
events that a DMAPI application has registered interest in. This
heuristic is satisfactory for a number of hierarchical storage
systems, but there may be systems for which it will fail. In this
case, Samba may erroneously report files to be offline.
</p><p>This parameter is only available if a supported DMAPI
implementation was found at compilation time. It will only be used
if DMAPI is found to be enabled on the system at run time.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>dmapi support</code></em> = <code class="literal">no</code>
</em></span>
</p></dd><dt><span class="term"><a name="DNSPROXY"></a>dns proxy (G)</span></dt><dd><p>Specifies that <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a> when acting as a WINS server and
finding that a NetBIOS name has not been registered, should treat the
NetBIOS name word-for-word as a DNS name and do a lookup with the DNS server
for that name on behalf of the name-querying client.</p><p>Note that the maximum length for a NetBIOS name is 15
characters, so the DNS name (or DNS alias) can likewise only be
15 characters, maximum.</p><p><code class="literal">nmbd</code> spawns a second copy of itself to do the
DNS name lookup requests, as doing a name lookup is a blocking
action.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>dns proxy</code></em> = <code class="literal">yes</code>
</em></span>
</p></dd><dt><span class="term"><a name="DOMAINLOGONS"></a>domain logons (G)</span></dt><dd><p>
If set to <code class="constant">yes</code>, the Samba server will
provide the netlogon service for Windows 9X network logons for the
<a class="indexterm" name="id307348"></a>workgroup it is in.
This will also cause the Samba server to act as a domain
controller for NT4 style domain services. For more details on
setting up this feature see the Domain Control chapter of the
Samba HOWTO Collection.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>domain logons</code></em> = <code class="literal">no</code>
</em></span>
</p></dd><dt><span class="term"><a name="DOMAINMASTER"></a>domain master (G)</span></dt><dd><p>
Tell <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> to enable
WAN-wide browse list collation. Setting this option causes <code class="literal">nmbd</code> to claim a
special domain specific NetBIOS name that identifies it as a domain master browser for its given
<a class="indexterm" name="id307410"></a>workgroup. Local master browsers in the same <a class="indexterm" name="id307417"></a>workgroup on
broadcast-isolated subnets will give this <code class="literal">nmbd</code> their local browse lists,
and then ask <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> for a
complete copy of the browse list for the whole wide area network. Browser clients will then contact their
local master browser, and will receive the domain-wide browse list, instead of just the list for their
broadcast-isolated subnet.
</p><p>
Note that Windows NT Primary Domain Controllers expect to be able to claim this <a class="indexterm" name="id307445"></a>workgroup specific special NetBIOS name that identifies them as domain master browsers for that
<a class="indexterm" name="id307453"></a>workgroup by default (i.e. there is no way to prevent a Windows NT PDC from attempting
to do this). This means that if this parameter is set and <code class="literal">nmbd</code> claims the
special name for a <a class="indexterm" name="id307467"></a>workgroup before a Windows NT PDC is able to do so then cross
subnet browsing will behave strangely and may fail.
</p><p>
If <a class="indexterm" name="id307478"></a>domain logons = yes, then the default behavior is to enable the
<a class="indexterm" name="id307486"></a>domain master parameter. If <a class="indexterm" name="id307493"></a>domain logons is not enabled (the
default setting), then neither will <a class="indexterm" name="id307501"></a>domain master be enabled by default.
</p><p>
When <a class="indexterm" name="id307511"></a>domain logons = Yes the default setting for this parameter is
Yes, with the result that Samba will be a PDC. If <a class="indexterm" name="id307519"></a>domain master = No,
Samba will function as a BDC. In general, this parameter should be set to 'No' only on a BDC.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>domain master</code></em> = <code class="literal">auto</code>
</em></span>
</p></dd><dt><span class="term"><a name="DONTDESCEND"></a>dont descend (S)</span></dt><dd><p>There are certain directories on some systems
(e.g., the <code class="filename">/proc</code> tree under Linux) that are either not
of interest to clients or are infinitely deep (recursive). This
parameter allows you to specify a comma-delimited list of directories
that the server should always show as empty.</p><p>Note that Samba can be very fussy about the exact format
of the "dont descend" entries. For example you may need <code class="filename">./proc</code> instead of just <code class="filename">/proc</code>.
Experimentation is the best policy :-) </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>dont descend</code></em> = <code class="literal"></code>
</em></span>
</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>dont descend</code></em> = <code class="literal">/proc,/dev</code>
</em></span>
</p></dd><dt><span class="term"><a name="DOSCHARSET"></a>dos charset (G)</span></dt><dd><p>DOS SMB clients assume the server has
the same charset as they do. This option specifies which
charset Samba should use when talking to DOS clients.
</p><p>The default depends on which charsets you have installed.
Samba tries to use charset 850 but falls back to ASCII in
case it is not available. Run <a href="testparm.1.html"><span class="citerefentry"><span class="refentrytitle">testparm</span>(1)</span></a> to check the default on your system.</p><p><span class="emphasis"><em>No default</em></span></p></dd><dt><span class="term"><a name="DOSFILEMODE"></a>dos filemode (S)</span></dt><dd><p> The default behavior in Samba is to provide
UNIX-like behavior where only the owner of a file/directory is
able to change the permissions on it. However, this behavior
is often confusing to DOS/Windows users. Enabling this parameter
allows a user who has write access to the file (by whatever
means) to modify the permissions (including ACL) on it. Note that a user
belonging to the group owning the file will not be allowed to
change permissions if the group is only granted read access.
Ownership of the file/directory may also be changed.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>dos filemode</code></em> = <code class="literal">no</code>
</em></span>
</p></dd><dt><span class="term"><a name="DOSFILETIMERESOLUTION"></a>dos filetime resolution (S)</span></dt><dd><p>Under the DOS and Windows FAT filesystem, the finest
granularity on time resolution is two seconds. Setting this parameter
for a share causes Samba to round the reported time down to the
nearest two second boundary when a query call that requires one second
resolution is made to <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a>.</p><p>This option is mainly used as a compatibility option for Visual
C++ when used against Samba shares. If oplocks are enabled on a
share, Visual C++ uses two different time reading calls to check if a
file has changed since it was last read. One of these calls uses a
one-second granularity, the other uses a two second granularity. As
the two second call rounds any odd second down, then if the file has a
timestamp of an odd number of seconds then the two timestamps will not
match and Visual C++ will keep reporting the file has changed. Setting
this option causes the two timestamps to match, and Visual C++ is
happy.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>dos filetime resolution</code></em> = <code class="literal">no</code>
</em></span>
</p></dd><dt><span class="term"><a name="DOSFILETIMES"></a>dos filetimes (S)</span></dt><dd><p>Under DOS and Windows, if a user can write to a
file they can change the timestamp on it. Under POSIX semantics,
only the owner of the file or root may change the timestamp.
By default, Samba runs with POSIX semantics and refuses to change the
timestamp on a file if the user <code class="literal">smbd</code> is acting
on behalf of is not the file owner. Setting this option to <code class="constant">yes</code> allows DOS semantics and <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> will change the file
timestamp as DOS requires. Due to changes in Microsoft Office 2000 and beyond,
the default for this parameter has been changed from "no" to "yes" in Samba 3.0.14
and above. Microsoft Excel will display dialog box warnings about the file being
changed by another user if this parameter is not set to "yes" and files are being
shared between users.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>dos filetimes</code></em> = <code class="literal">yes</code>
</em></span>
</p></dd><dt><span class="term"><a name="EASUPPORT"></a>ea support (S)</span></dt><dd><p>This boolean parameter controls whether <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> will allow clients to attempt to store OS/2 style Extended
attributes on a share. In order to enable this parameter the underlying filesystem exported by
the share must support extended attributes (such as provided on XFS and EXT3 on Linux, with the
correct kernel patches).
On Linux the filesystem must have been mounted with the mount
option user_xattr in order for extended attributes to work; extended
attributes must also be compiled into the Linux kernel.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>ea support</code></em> = <code class="literal">no</code>
</em></span>
</p></dd><dt><span class="term"><a name="ENABLEASUSUPPORT"></a>enable asu support (G)</span></dt><dd><p>Hosts running the "Advanced Server for Unix (ASU)" product
require some special accommodations such as creating a built-in [ADMIN$]
share that only supports IPC connections. This has been the default
behavior in smbd for many years. However, certain Microsoft applications
such as the Print Migrator tool require that the remote server support
an [ADMIN$] file share. Disabling this parameter allows for creating
an [ADMIN$] file share in smb.conf.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>enable asu support</code></em> = <code class="literal">no</code>
</em></span>
</p></dd><dt><span class="term"><a name="ENABLEPRIVILEGES"></a>enable privileges (G)</span></dt><dd><p>
This parameter controls whether or not smbd will honor privileges assigned to specific SIDs via either
<code class="literal">net rpc rights</code> or one of the Windows user and group manager tools. This parameter is
enabled by default. It can be disabled to prevent members of the Domain Admins group from being able to
assign privileges to users or groups which can then result in certain smbd operations running as root that
would normally run under the context of the connected user.
</p><p>
An example of how privileges can be used is to assign the right to join clients to a Samba controlled
domain without providing root access to the server via smbd.
</p><p>
Please read the extended description provided in the Samba HOWTO documentation.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>enable privileges</code></em> = <code class="literal">yes</code>
</em></span>
</p></dd><dt><span class="term"><a name="ENCRYPTPASSWORDS"></a>encrypt passwords (G)</span></dt><dd><p>This boolean controls whether encrypted passwords
will be negotiated with the client. Note that Windows NT 4.0 SP3 and
above and also Windows 98 will by default expect encrypted passwords
unless a registry entry is changed. To use encrypted passwords in
Samba see the chapter "User Database" in the Samba HOWTO Collection.
</p><p>
MS Windows clients that expect Microsoft encrypted passwords and that
do not have plain text password support enabled will be able to
connect only to a Samba server that has encrypted password support
enabled and for which the user accounts have a valid encrypted password.
Refer to the smbpasswd command man page for information regarding the
creation of encrypted passwords for user accounts.
</p><p>
The use of plain text passwords is NOT advised as support for this feature
is no longer maintained in Microsoft Windows products. If you want to use
plain text passwords you must set this parameter to no.
</p><p>In order for encrypted passwords to work correctly
<a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> must either
have access to a local <a href="smbpasswd.5.html"><span class="citerefentry"><span class="refentrytitle">smbpasswd</span>(5)</span></a> file (see the <a href="smbpasswd.8.html"><span class="citerefentry"><span class="refentrytitle">smbpasswd</span>(8)</span></a> program for information on how to set up
and maintain this file), or set the <a class="indexterm" name="id308038"></a>security = [server|domain|ads] parameter which
causes <code class="literal">smbd</code> to authenticate against another
server.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>encrypt passwords</code></em> = <code class="literal">yes</code>
</em></span>
</p></dd><dt><span class="term"><a name="ENHANCEDBROWSING"></a>enhanced browsing (G)</span></dt><dd><p>This option enables a couple of enhancements to
cross-subnet browse propagation that have been added in Samba
but which are not standard in Microsoft implementations.
</p><p>The first enhancement to browse propagation consists of a regular
wildcard query to a Samba WINS server for all Domain Master Browsers,
followed by a browse synchronization with each of the returned
DMBs. The second enhancement consists of a regular randomised browse
synchronization with all currently known DMBs.</p><p>You may wish to disable this option if you have a problem with empty
workgroups not disappearing from browse lists.
Due to the restrictions
of the browse protocols these enhancements can cause an empty workgroup
to stay around forever which can be annoying.</p><p>In general you should leave this option enabled as it makes
cross-subnet browse propagation much more reliable.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>enhanced browsing</code></em> = <code class="literal">yes</code>
</em></span>
</p></dd><dt><span class="term"><a name="ENUMPORTSCOMMAND"></a>enumports command (G)</span></dt><dd><p>The concept of a "port" is fairly foreign
to UNIX hosts. Under Windows NT/2000 print servers, a port
is associated with a port monitor and generally takes the form of
a local port (i.e. LPT1:, COM1:, FILE:) or a remote port
(i.e. LPD Port Monitor, etc...). By default, Samba has only one
port defined--<code class="constant">"Samba Printer Port"</code>. Under
Windows NT/2000, all printers must have a valid port name.
If you wish to have a list of ports displayed (<code class="literal">smbd</code> does not use a port name for anything) other than
the default <code class="constant">"Samba Printer Port"</code>, you
can define <em class="parameter"><code>enumports command</code></em> to point to
a program which should generate a list of ports, one per line,
to standard output. This listing will then be used in response
to the level 1 and 2 EnumPorts() RPC.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>enumports command</code></em> = <code class="literal"></code>
</em></span>
</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>enumports command</code></em> = <code class="literal">/usr/bin/listports</code>
</em></span>
</p></dd><dt><span class="term"><a name="EVENTLOGLIST"></a>eventlog list (G)</span></dt><dd><p>This option defines a list of log names that Samba will
report to the Microsoft EventViewer utility.
The listed
eventlogs will be associated with a tdb file on disk in
<code class="filename">$(lockdir)/eventlog</code>.
</p><p>
The administrator must use an external process to parse the normal
Unix logs such as <code class="filename">/var/log/messages</code>
and write the entries to the eventlog tdb files. Refer to the
eventlogadm(8) utility for how to write eventlog entries.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>eventlog list</code></em> = <code class="literal"></code>
</em></span>
</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>eventlog list</code></em> = <code class="literal">Security Application Syslog Apache</code>
</em></span>
</p></dd><dt><span class="term"><a name="FAKEDIRECTORYCREATETIMES"></a>fake directory create times (S)</span></dt><dd><p>NTFS and Windows VFAT file systems keep a create
time for all files and directories. This is not the same as the
ctime - status change time - that Unix keeps, so Samba by default
reports the earliest of the various times Unix does keep. Setting
this parameter for a share causes Samba to always report midnight
1-1-1980 as the create time for directories.</p><p>This option is mainly used as a compatibility option for
Visual C++ when used against Samba shares. Visual C++ generated
makefiles have the object directory as a dependency for each object
file, and a make rule to create the directory. Also, when NMAKE
compares timestamps it uses the creation time when examining a
directory. Thus the object directory will be created if it does not
exist, but once it does exist it will always have an earlier
timestamp than the object files it contains.</p><p>However, Unix time semantics mean that the create time
reported by Samba will be updated whenever a file is created
or deleted in the directory.
NMAKE finds all object files in
the object directory. The timestamp of the last one built is then
compared to the timestamp of the object directory. If the
directory's timestamp is newer, then all object files
will be rebuilt. Enabling this option
ensures directories always predate their contents and an NMAKE build
will proceed as expected.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>fake directory create times</code></em> = <code class="literal">no</code>
</em></span>
</p></dd><dt><span class="term"><a name="FAKEOPLOCKS"></a>fake oplocks (S)</span></dt><dd><p>Oplocks are the way that SMB clients get permission
from a server to locally cache file operations. If a server grants
an oplock (opportunistic lock) then the client is free to assume
that it is the only one accessing the file and it will aggressively
cache file data. With some oplock types the client may even cache
file open/close operations. This can give enormous performance benefits.
</p><p>When you set <code class="literal">fake oplocks = yes</code>, <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> will
always grant oplock requests no matter how many clients are using the file.</p><p>It is generally much better to use the real <a class="indexterm" name="id308378"></a>oplocks support rather
than this parameter.</p><p>If you enable this option on all read-only shares or
shares that you know will only be accessed from one client at a
time such as physically read-only media like CDROMs, you will see
a big performance improvement on many operations. If you enable
this option on shares where multiple clients may be accessing the
files read-write at the same time you can get data corruption.
Use
this option carefully!</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>fake oplocks</code></em> = <code class="literal">no</code>
</em></span>
</p></dd><dt><span class="term"><a name="FOLLOWSYMLINKS"></a>follow symlinks (S)</span></dt><dd><p>
This parameter allows the Samba administrator to stop <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> from following symbolic links in a particular share. Setting this
parameter to <code class="constant">no</code> prevents any file or directory that is a symbolic link from being
followed (the user will get an error). This option is very useful to stop users from adding a symbolic
link to <code class="filename">/etc/passwd</code> in their home directory for instance. However
it will slow filename lookups down slightly.
</p><p>
This option is enabled (i.e. <code class="literal">smbd</code> will follow symbolic links) by default.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>follow symlinks</code></em> = <code class="literal">yes</code>
</em></span>
</p></dd><dt><span class="term"><a name="FORCECREATEMODE"></a>force create mode (S)</span></dt><dd><p>This parameter specifies a set of UNIX mode bit
permissions that will <span class="emphasis"><em>always</em></span> be set on a
file created by Samba. This is done by bitwise 'OR'ing these bits onto
the mode bits of a file that is being created or having its
permissions changed. The default for this parameter is (in octal)
000.
The modes in this parameter are bitwise 'OR'ed onto the file mode after the mask set in the <em class="parameter"><code>create mask</code></em> parameter is applied.</p><p>The example below would force all created files to have read and execute permissions set for 'group' and 'other' as well as the read/write/execute bits set for the 'user'.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>force create mode</code></em> = <code class="literal">000</code></em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>force create mode</code></em> = <code class="literal">0755</code></em></span></p></dd>
<dt><span class="term"><a name="FORCEDIRECTORYMODE"></a>force directory mode (S)</span></dt><dd><p>This parameter specifies a set of UNIX mode bit permissions that will <span class="emphasis"><em>always</em></span> be set on a directory created by Samba. This is done by bitwise 'OR'ing these bits onto the mode bits of a directory that is being created. The default for this parameter is (in octal) 0000 which will not add any extra permission bits to a created directory. 
This operation is done after the mode mask in the parameter <em class="parameter"><code>directory mask</code></em> is applied.</p><p>The example below would force all created directories to have read and execute permissions set for 'group' and 'other' as well as the read/write/execute bits set for the 'user'.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>force directory mode</code></em> = <code class="literal">000</code></em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>force directory mode</code></em> = <code class="literal">0755</code></em></span></p></dd>
<dt><span class="term"><a name="FORCEDIRECTORYSECURITYMODE"></a>force directory security mode (S)</span></dt><dd><p>This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating the UNIX permission on a directory using the native NT security dialog box.</p><p>This parameter is applied as a mask (OR'ed with) to the changed permission bits, thus forcing any bits in this mask that the user may have modified to be on. Make sure not to mix up this parameter with <a class="indexterm" name="id308652"></a>directory security mask, which works in a similar manner to this one, but uses a logical AND instead of an OR.</p><p>Essentially, this mask may be treated as a set of bits that, when modifying security on a directory, will enable (1) any flags that are off (0) but which the mask has set to on (1).</p><p>If not set explicitly this parameter is 0000, which allows a user to modify all the user/group/world permissions on a directory without restrictions. 
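The effect of the force mode parameters described above can be worked through in code. The following Python example is added here and is not Samba's own code: it applies the create mask with AND and then the force create mode with OR, as the text states, and lists what a force value always grants. The function names and the create mask value 0744 are assumptions made for illustration; 0755 is the example value from this page.

```python
from typing import List

FILE_PARAMS = {"force create mode", "force security mode"}
DIR_PARAMS = {"force directory mode", "force directory security mode"}


def parse_octal(value: str) -> int:
    """Mode values in smb.conf are octal strings such as '0755' or '700'."""
    return int(value.strip(), 8)


def effective_mode(requested: int, mask: int, force: int) -> int:
    """AND the requested bits with the mask, then OR the force bits on."""
    return (requested & mask) | force


def rwx(mode: int) -> str:
    """Render the nine user/group/other bits, e.g. 0o755 -> 'rwxr-xr-x'."""
    out = ""
    for shift in (6, 3, 0):
        bits = (mode >> shift) & 0o7
        out += "r" if bits & 4 else "-"
        out += "w" if bits & 2 else "-"
        out += "x" if bits & 1 else "-"
    return out


def audit_force_mode(param: str, value: str) -> List[str]:
    """List the access a force value grants that no mask can take away."""
    name = " ".join(param.lower().split())
    if name not in FILE_PARAMS | DIR_PARAMS:
        raise ValueError("not a force mode parameter: %r" % param)
    mode = parse_octal(value)
    findings = []
    if mode & 0o002:
        findings.append("write for 'other' is always set")
    if name in FILE_PARAMS and mode & 0o111:
        # Execute (search) bits are normal on directories, not on plain files.
        findings.append("execute is always set on plain files")
    if name in FILE_PARAMS and mode & 0o6000:
        findings.append("setuid/setgid bits are always set on plain files")
    return findings


def created_modes(create_mask: str, force_create_mode: str) -> List[str]:
    """Show what three typical client-requested file modes end up as."""
    mask, force = parse_octal(create_mask), parse_octal(force_create_mode)
    rows = []
    for requested in (0o600, 0o644, 0o666):
        final = effective_mode(requested, mask, force)
        rows.append("%s -> %s" % (rwx(requested), rwx(final)))
    return rows


if __name__ == "__main__":
    # create mask 0744 is a constructed value; 0755 is the page's example.
    for row in created_modes("0744", "0755"):
        print(row)
    for p, v in [("force create mode", "0755"),
                 ("force directory mode", "0755"),
                 ("force directory security mode", "700")]:
        print(p, "=", v, "->", audit_force_mode(p, v) or "nothing flagged")
```

With force create mode = 0755 even a file requested as rw------- ends up rwxr-xr-x, because the forced bits are applied after the mask.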
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>Users who can access the Samba server through other means can easily bypass this restriction, so it is primarily useful for standalone "appliance" systems. Administrators of most normal systems will probably want to leave it set as 0000.</p></div><p>Default: <span class="emphasis"><em><em class="parameter"><code>force directory security mode</code></em> = <code class="literal">0</code></em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>force directory security mode</code></em> = <code class="literal">700</code></em></span></p></dd>
<dt><span class="term"><a name="GROUP"></a>group</span></dt><dd><p>This parameter is a synonym for force group.</p></dd>
<dt><span class="term"><a name="FORCEGROUP"></a>force group (S)</span></dt><dd><p>This specifies a UNIX group name that will be assigned as the default primary group for all users connecting to this service. This is useful for sharing files by ensuring that all access to files on service will use the named group for their permissions checking. Thus, by assigning permissions for this group to the files and directories within this service the Samba administrator can restrict or allow sharing of these files.</p><p>In Samba 2.0.5 and above this parameter has extended functionality in the following way. If the group name listed here has a '+' character prepended to it then the current user accessing the share only has the primary group default assigned to this group if they are already assigned as a member of that group. This allows an administrator to decide that only users who are already in a particular group will create files with group ownership set to that group. This gives a finer granularity of ownership assignment. 
For example, the setting <code class="filename">force group = +sys</code> means that only users who are already in group sys will have their default primary group assigned to sys when accessing this Samba share. All other users will retain their ordinary primary group.</p><p>If the <a class="indexterm" name="id308775"></a>force user parameter is also set the group specified in <em class="parameter"><code>force group</code></em> will override the primary group set in <em class="parameter"><code>force user</code></em>.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>force group</code></em> = <code class="literal"></code></em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>force group</code></em> = <code class="literal">agroup</code></em></span></p></dd>
<dt><span class="term"><a name="FORCEPRINTERNAME"></a>force printername (S)</span></dt><dd><p>When printing from Windows NT (or later), each printer in <code class="filename">smb.conf</code> has two associated names which can be used by the client. The first is the sharename (or shortname) defined in smb.conf. This is the only printername available for use by Windows 9x clients. The second name associated with a printer can be seen when browsing to the "Printers" (or "Printers and Faxes") folder on the Samba server. This is referred to simply as the printername (not to be confused with the <em class="parameter"><code>printer name</code></em> option).</p><p>When assigning a new driver to a printer on a remote Windows compatible print server such as Samba, the Windows client will rename the printer to match the driver name just uploaded. This can result in confusion for users when multiple printers are bound to the same driver. 
To prevent Samba from allowing the printer's printername to differ from the sharename defined in smb.conf, set <em class="parameter"><code>force printername = yes</code></em>.</p><p>Be aware that enabling this parameter may affect migrating printers from a Windows server to Samba since Windows has no way to force the sharename and printername to match.</p><p>It is recommended that this parameter's value not be changed once the printer is in use by clients as this could cause a user not to be able to delete printer connections from their local Printers folder.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>force printername</code></em> = <code class="literal">no</code></em></span></p></dd>
<dt><span class="term"><a name="FORCESECURITYMODE"></a>force security mode (S)</span></dt><dd><p>This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating the UNIX permission on a file using the native NT security dialog box.</p><p>This parameter is applied as a mask (OR'ed with) to the changed permission bits, thus forcing any bits in this mask that the user may have modified to be on. Make sure not to mix up this parameter with <a class="indexterm" name="id308932"></a>security mask, which works in a similar manner to this one but uses a logical AND instead of an OR.</p><p>Essentially, the one bits in this mask may be treated as a set of bits that, when modifying security on a file, the user has always set to be on.</p><p>If not set explicitly this parameter is set to 0, and allows a user to modify all the user/group/world permissions on a file, with no restrictions.</p><p><span class="emphasis"><em>Note</em></span> that users who can access the Samba server through other means can easily bypass this restriction, so it is primarily useful for standalone "appliance" systems. 
Administrators of most normal systems will probably want to leave this set to 0000.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>force security mode</code></em> = <code class="literal">0</code></em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>force security mode</code></em> = <code class="literal">700</code></em></span></p></dd>
<dt><span class="term"><a name="FORCEUNKNOWNACLUSER"></a>force unknown acl user (S)</span></dt><dd><p>If this parameter is set, a Windows NT ACL that contains an unknown SID (security descriptor, or representation of a user or group id) as the owner or group owner of the file will be silently mapped into the current UNIX uid or gid of the currently connected user.</p><p>This is designed to allow Windows NT clients to copy files and folders containing ACLs that were created locally on the client machine and contain users local to that machine only (no domain users) to a Samba server (usually with XCOPY /O) and have the unknown userid and groupid of the file owner map to the current connected user. This can only be fixed correctly when winbindd allows arbitrary mapping from any Windows NT SID to a UNIX uid or gid.</p><p>Try using this parameter when XCOPY /O gives an ACCESS_DENIED error.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>force unknown acl user</code></em> = <code class="literal">no</code></em></span></p></dd>
<dt><span class="term"><a name="FORCEUSER"></a>force user (S)</span></dt><dd><p>This specifies a UNIX user name that will be assigned as the default user for all users connecting to this service. This is useful for sharing files. You should also use it carefully as using it incorrectly can cause security problems.</p><p>This user name only gets used once a connection is established. 
Thus clients still need to connect as a valid user and supply a valid password. Once connected, all file operations will be performed as the "forced user", no matter what username the client connected as. This can be very useful.</p><p>In Samba 2.0.5 and above this parameter also causes the primary group of the forced user to be used as the primary group for all file activity. Prior to 2.0.5 the primary group was left as the primary group of the connecting user (this was a bug).</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>force user</code></em> = <code class="literal"></code></em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>force user</code></em> = <code class="literal">auser</code></em></span></p></dd>
<dt><span class="term"><a name="FSTYPE"></a>fstype (S)</span></dt><dd><p>This parameter allows the administrator to configure the string that specifies the type of filesystem a share is using that is reported by <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> when a client queries the filesystem type for a share. The default type is <code class="constant">NTFS</code> for compatibility with Windows NT but this can be changed to other strings such as <code class="constant">Samba</code> or <code class="constant">FAT</code> if required. 
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>fstype</code></em> = <code class="literal">NTFS</code></em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>fstype</code></em> = <code class="literal">Samba</code></em></span></p></dd>
<dt><span class="term"><a name="GETQUOTACOMMAND"></a>get quota command (G)</span></dt><dd><p>The <code class="literal">get quota command</code> should only be used whenever there is no operating system API available from the OS that Samba can use.</p><p>This option is only available with <code class="literal">./configure --with-sys-quotas</code>, or on Linux when <code class="literal">./configure --with-quotas</code> was used and a working quota API was found in the system.</p><p>This parameter should specify the path to a script that queries the quota information for the specified user/group for the partition that the specified directory is on.</p><p>Such a script should take 3 arguments:</p><div class="itemizedlist"><ul type="disc"><li><p>directory</p></li><li><p>type of query</p></li><li><p>uid of user or gid of group</p></li></ul></div><p>The type of query can be one of:</p><div class="itemizedlist"><ul type="disc"><li><p>1 - user quotas</p></li><li><p>2 - user default quotas (uid = -1)</p></li><li><p>3 - group quotas</p></li><li><p>4 - group default quotas (gid = -1)</p></li></ul></div><p>This script should print one line as output with spaces between the arguments. 
The arguments are:</p><div class="itemizedlist"><ul type="disc"><li><p>Arg 1 - quota flags (0 = no quotas, 1 = quotas enabled, 2 = quotas enabled and enforced)</p></li><li><p>Arg 2 - number of currently used blocks</p></li><li><p>Arg 3 - the softlimit number of blocks</p></li><li><p>Arg 4 - the hardlimit number of blocks</p></li><li><p>Arg 5 - currently used number of inodes</p></li><li><p>Arg 6 - the softlimit number of inodes</p></li><li><p>Arg 7 - the hardlimit number of inodes</p></li><li><p>Arg 8 (optional) - the number of bytes in a block (default is 1024)</p></li></ul></div><p>Default: <span class="emphasis"><em><em class="parameter"><code>get quota command</code></em> = <code class="literal"></code></em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>get quota command</code></em> = <code class="literal">/usr/local/sbin/query_quota</code></em></span></p></dd>
<dt><span class="term"><a name="GETWDCACHE"></a>getwd cache (G)</span></dt><dd><p>This is a tuning option. When this is enabled a caching algorithm will be used to reduce the time taken for getwd() calls. This can have a significant impact on performance, especially when the <a class="indexterm" name="id309382"></a>wide links parameter is set to <code class="constant">no</code>.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>getwd cache</code></em> = <code class="literal">yes</code></em></span></p></dd>
<dt><span class="term"><a name="GUESTACCOUNT"></a>guest account (G)</span></dt><dd><p>This is a username which will be used for access to services which are specified as <a class="indexterm" name="id309432"></a>guest ok (see below). Whatever privileges this user has will be available to any client connecting to the guest service. This user must exist in the password file, but does not require a valid login. The user account "ftp" is often a good choice for this parameter. 
</p><p>On some systems the default guest account "nobody" may not be able to print. Use another account in this case. You should test this by trying to log in as your guest user (perhaps by using the <code class="literal">su -</code> command) and trying to print using the system print command such as <code class="literal">lpr(1)</code> or <code class="literal">lp(1)</code>.</p><p>This parameter does not accept % macros, because many parts of the system require this value to be constant for correct operation.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>guest account</code></em> = <code class="literal">nobody # default can be changed at compile-time</code></em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>guest account</code></em> = <code class="literal">ftp</code></em></span></p></dd>
<dt><span class="term"><a name="PUBLIC"></a>public</span></dt><dd><p>This parameter is a synonym for guest ok.</p></dd>
<dt><span class="term"><a name="GUESTOK"></a>guest ok (S)</span></dt><dd><p>If this parameter is <code class="constant">yes</code> for a service, then no password is required to connect to the service. Privileges will be those of the <a class="indexterm" name="id309550"></a>guest account.</p><p>This parameter nullifies the benefits of setting <a class="indexterm" name="id309561"></a>restrict anonymous = 2.</p><p>See the section below on <a class="indexterm" name="id309572"></a>security for more information about this option. 
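The share-level risks described up to this point (guest ok and its synonym public, fake oplocks on read-write shares, follow symlinks, force user) can be reviewed mechanically. The following Python example is added here and is not part of Samba: it parses configuration text by the FILE FORMAT rules of this page and reports those settings per share. The rule names and the sample configuration are constructed, and the read only parameter with its inverted synonyms writable, writeable and write ok is taken from elsewhere in smb.conf(5).

```python
import re
from typing import Dict, List, Tuple

SAMPLE = r"""
; constructed sample, not taken from a real server
[global]
   restrict anonymous = 2
   Guest Account = ftp
[Scratch]
   PUBLIC = Yes
   writeable = yes
   fake oplocks = TRUE
[media]
   fake oplocks = yes
[homes]
   read only = no
   follow symlinks = no
   comment = home \
      directories
[build]
   read only = no
   force user = root
"""

SYNONYMS = {"public": "guestok"}                 # synonym named on this page
INVERTED = {"writable", "writeable", "writeok"}  # inverted synonyms of "read only"
DEFAULTS = {"guestok": "no", "fakeoplocks": "no", "followsymlinks": "yes",
            "readonly": "yes", "forceuser": ""}


def norm(name: str) -> str:
    """Section and parameter names ignore case and all whitespace."""
    return re.sub(r"\s+", "", name).lower()


def as_bool(value: str) -> bool:
    """Booleans may be yes/no, 0/1 or true/false in any case."""
    v = value.strip().lower()
    if v not in ("yes", "true", "1", "no", "false", "0"):
        raise ValueError("not a boolean: %r" % value)
    return v in ("yes", "true", "1")


def parse(text: str) -> Dict[str, Dict[str, str]]:
    """Parse smb.conf text into {section: {parameter: value}}."""
    sections: Dict[str, Dict[str, str]] = {}
    current, pending = None, ""
    for raw in text.splitlines():
        line, pending = pending + raw, ""
        if line.endswith("\\"):             # continued on the next line
            pending = line[:-1]
            continue
        line = line.strip()
        if not line or line[0] in ";#":     # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(norm(line[1:-1]), {})
            continue
        if current is None or "=" not in line:
            continue
        name, value = line.split("=", 1)    # only the first '=' is significant
        key = SYNONYMS.get(norm(name), norm(name))
        value = value.strip()
        if key in INVERTED:
            key, value = "readonly", "no" if as_bool(value) else "yes"
        current[key] = value
    return sections


def audit(text: str) -> List[Tuple[str, str, str]]:
    """Return (share, rule, message) findings; [global] supplies defaults."""
    sections = parse(text)
    glob = sections.get("global", {})
    account = glob.get("guestaccount", "nobody")
    findings: List[Tuple[str, str, str]] = []
    for share, params in sections.items():
        if share == "global":
            continue
        val = {k: params.get(k, glob.get(k, d)) for k, d in DEFAULTS.items()}
        writable = not as_bool(val["readonly"])
        guest = as_bool(val["guestok"])
        checks = [
            ("guest-ok", guest,
             "no password required; access runs as %r" % account),
            ("restrict-anonymous-nullified",
             guest and glob.get("restrictanonymous") == "2",
             "guest ok nullifies restrict anonymous = 2"),
            ("fake-oplocks-rw", writable and as_bool(val["fakeoplocks"]),
             "fake oplocks on a read-write share can corrupt data"),
            ("follow-symlinks", writable and as_bool(val["followsymlinks"]),
             "symlinks placed in this writable share are followed"),
            ("force-user-root", val["forceuser"] == "root",
             "all file operations run as root"),
        ]
        findings += [(share, rule, msg) for rule, hit, msg in checks if hit]
    return findings
```

Calling audit(SAMPLE) reports four findings for the scratch share and two for build; media and homes produce none because one is read-only and the other disables follow symlinks.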
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>guest ok</code></em> = <code class="literal">no</code></em></span></p></dd>
<dt><span class="term"><a name="ONLYGUEST"></a>only guest</span></dt><dd><p>This parameter is a synonym for guest only.</p></dd>
<dt><span class="term"><a name="GUESTONLY"></a>guest only (S)</span></dt><dd><p>If this parameter is <code class="constant">yes</code> for a service, then only guest connections to the service are permitted. This parameter will have no effect if <a class="indexterm" name="id309642"></a>guest ok is not set for the service.</p><p>See the section below on <a class="indexterm" name="id309653"></a>security for more information about this option.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>guest only</code></em> = <code class="literal">no</code></em></span></p></dd>
<dt><span class="term"><a name="HIDEDOTFILES"></a>hide dot files (S)</span></dt><dd><p>This is a boolean parameter that controls whether files starting with a dot appear as hidden files.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>hide dot files</code></em> = <code class="literal">yes</code></em></span></p></dd>
<dt><span class="term"><a name="HIDEFILES"></a>hide files (S)</span></dt><dd><p>This is a list of files or directories that are not visible but are accessible. The DOS 'hidden' attribute is applied to any files or directories that match.</p><p>Each entry in the list must be separated by a '/', which allows spaces to be included in the entry. '*' and '?' 
can be used to specify multiple files or directories as in DOS wildcards.</p><p>Each entry must be a Unix path, not a DOS path and must not include the Unix directory separator '/'.</p><p>Note that the case sensitivity option is applicable in hiding files.</p><p>Setting this parameter will affect the performance of Samba, as it will be forced to check all files and directories for a match as they are scanned.</p><p>The example shown below is based on files that the Macintosh SMB client (DAVE) available from <a href="http://www.thursby.com" target="_top">Thursby</a> creates for internal use, and also still hides all files beginning with a dot.</p><p>An example of use of this parameter is:</p>
<pre class="programlisting">
hide files = /.*/DesktopFolderDB/TrashFor%m/resource.frk/
</pre>
<p></p><p>Default: <span class="emphasis"><em><em class="parameter"><code>hide files</code></em> = <code class="literal"># no files are hidden</code></em></span></p></dd>
<dt><span class="term"><a name="HIDESPECIALFILES"></a>hide special files (S)</span></dt><dd><p>This parameter prevents clients from seeing special files such as sockets, devices and fifos in directory listings.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>hide special files</code></em> = <code class="literal">no</code></em></span></p></dd>
<dt><span class="term"><a name="HIDEUNREADABLE"></a>hide unreadable (S)</span></dt><dd><p>This parameter prevents clients from seeing the existence of files that cannot be read. 
Defaults to off.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>hide unreadable</code></em> = <code class="literal">no</code></em></span></p></dd>
<dt><span class="term"><a name="HIDEUNWRITEABLEFILES"></a>hide unwriteable files (S)</span></dt><dd><p>This parameter prevents clients from seeing the existence of files that cannot be written to. Defaults to off. Note that unwriteable directories are shown as usual.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>hide unwriteable files</code></em> = <code class="literal">no</code></em></span></p></dd>
<dt><span class="term"><a name="HOMEDIRMAP"></a>homedir map (G)</span></dt><dd><p>If <a class="indexterm" name="id309932"></a>nis homedir is <code class="constant">yes</code>, and <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> is also acting as a Win95/98 <em class="parameter"><code>logon server</code></em> then this parameter specifies the NIS (or YP) map from which the server for the user's home directory should be extracted. At present, only the Sun auto.home map format is understood. The form of the map is:</p>
<pre class="programlisting">
<code class="literal">username server:/some/file/system</code>
</pre>
<p>and the program will extract the servername from before the first ':'. There should probably be a better parsing system that copes with different map formats and also Amd (another automounter) maps.</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>A working NIS client is required on the system for this option to work. 
</p></div><p>Default: <span class="emphasis"><em><em class="parameter"><code>homedir map</code></em> = <code class="literal"></code></em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>homedir map</code></em> = <code class="literal">amd.homedir</code></em></span></p></dd>
<dt><span class="term"><a name="HOSTMSDFS"></a>host msdfs (G)</span></dt><dd><p>If set to <code class="constant">yes</code>, Samba will act as a Dfs server, and allow Dfs-aware clients to browse Dfs trees hosted on the server.</p><p>See also the <a class="indexterm" name="id310039"></a>msdfs root share level parameter. For more information on setting up a Dfs tree on Samba, refer to the MSDFS chapter in the book Samba3-HOWTO.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>host msdfs</code></em> = <code class="literal">yes</code></em></span></p></dd>
<dt><span class="term"><a name="HOSTNAMELOOKUPS"></a>hostname lookups (G)</span></dt><dd><p>Specifies whether Samba should use (expensive) hostname lookups or use the IP addresses instead. An example place where hostname lookups are currently used is when checking the <code class="literal">hosts deny</code> and <code class="literal">hosts allow</code>. 
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>hostname lookups</code></em> = <code class="literal">no</code></em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>hostname lookups</code></em> = <code class="literal">yes</code></em></span></p></dd>
<dt><span class="term"><a name="ALLOWHOSTS"></a>allow hosts</span></dt><dd><p>This parameter is a synonym for hosts allow.</p></dd>
<dt><span class="term"><a name="HOSTSALLOW"></a>hosts allow (S)</span></dt><dd><p>A synonym for this parameter is <a class="indexterm" name="id310176"></a>allow hosts.</p><p>This parameter is a comma, space, or tab delimited set of hosts which are permitted to access a service.</p><p>If specified in the [global] section then it will apply to all services, regardless of whether the individual service has a different setting.</p><p>You can specify the hosts by name or IP number. For example, you could restrict access to only the hosts on a Class C subnet with something like <code class="literal">allow hosts = 150.203.5.</code>. The full syntax of the list is described in the man page <code class="filename">hosts_access(5)</code>. Note that this man page may not be present on your system, so a brief description will be given here also.</p><p>Note that the localhost address 127.0.0.1 will always be allowed access unless specifically denied by a <a class="indexterm" name="id310214"></a>hosts deny option.</p><p>You can also specify hosts by network/netmask pairs and by netgroup names if your system supports netgroups. The <span class="emphasis"><em>EXCEPT</em></span> keyword can also be used to limit a wildcard list. The following examples may provide some help:</p><p>Example 1: allow all IPs in 150.203.*.*; except one</p><p><code class="literal">hosts allow = 150.203. 
EXCEPT 150.203.6.66</code></p><p>Example 2: allow hosts that match the given network/netmask</p><p><code class="literal">hosts allow = 150.203.15.0/255.255.255.0</code></p><p>Example 3: allow a couple of hosts</p><p><code class="literal">hosts allow = lapland, arvidsjaur</code></p><p>Example 4: allow only hosts in NIS netgroup "foonet", but deny access from one particular host</p><p><code class="literal">hosts allow = @foonet</code></p><p><code class="literal">hosts deny = pirate</code></p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>Note that access still requires suitable user-level passwords.</p></div><p>See <a href="testparm.1.html"><span class="citerefentry"><span class="refentrytitle">testparm</span>(1)</span></a> for a way of testing your host access to see if it does what you expect.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>hosts allow</code></em> = <code class="literal"># none (i.e., all hosts permitted access)</code></em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>hosts allow</code></em> = <code class="literal">150.203.5. myhost.mynet.edu.au</code></em></span></p></dd>
<dt><span class="term"><a name="DENYHOSTS"></a>deny hosts</span></dt><dd><p>This parameter is a synonym for hosts deny.</p></dd>
<dt><span class="term"><a name="HOSTSDENY"></a>hosts deny (S)</span></dt><dd><p>The opposite of <em class="parameter"><code>hosts allow</code></em> - hosts listed here are <span class="emphasis"><em>NOT</em></span> permitted access to services unless the specific services have their own lists to override this one. 
Where the lists conflict, the <em class="parameter"><code>allow</code></em> list takes precedence.</p><p>In the event that it is necessary to deny all by default, use the keyword ALL (or the netmask <code class="literal">0.0.0.0/0</code>) and then explicitly list in the <a class="indexterm" name="id310401"></a>hosts allow parameter those hosts that should be permitted access.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>hosts deny</code></em> = <code class="literal"># none (i.e., no hosts specifically excluded)</code></em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>hosts deny</code></em> = <code class="literal">150.203.4. badhost.mynet.edu.au</code></em></span></p></dd>
<dt><span class="term"><a name="IDMAPALLOCBACKEND"></a>idmap alloc backend (G)</span></dt><dd><p>The idmap alloc backend provides a plugin interface for Winbind to use when allocating Unix uids/gids for Windows SIDs. This option is to be used in conjunction with the <a class="indexterm" name="id310466"></a>idmap domains parameter and refers to the name of the idmap module which will provide the id allocation functionality. Please refer to the man page for each idmap plugin to determine whether or not the module implements the allocation feature. The most common plugins are the tdb (<a href="idmap_tdb.8.html"><span class="citerefentry"><span class="refentrytitle">idmap_tdb</span>(8)</span></a>) and ldap (<a href="idmap_ldap.8.html"><span class="citerefentry"><span class="refentrytitle">idmap_ldap</span>(8)</span></a>) libraries.</p><p>Also refer to the <a class="indexterm" name="id310495"></a>idmap alloc config option. 
</p><p><span class="emphasis"><em>No default</em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>idmap alloc backend</code></em> = <code class="literal">tdb</code></em></span></p></dd>
<dt><span class="term"><a name="IDMAPALLOCCONFIG"></a>idmap alloc config (G)</span></dt><dd><p>The idmap alloc config prefix provides a means of managing settings for the backend defined by the <a class="indexterm" name="id310546"></a>idmap alloc backend parameter. Refer to the man page for each idmap plugin regarding specific configuration details.</p><p><span class="emphasis"><em>No default</em></span></p></dd>
<dt><span class="term"><a name="IDMAPBACKEND"></a>idmap backend (G)</span></dt><dd><p>The idmap backend provides a plugin interface for Winbind to use varying backends to store SID/uid/gid mapping tables. This option is mutually exclusive with the newer and more flexible <a class="indexterm" name="id310581"></a>idmap domains parameter. The main difference between the "idmap backend" and the "idmap domains" is that the former only allows one backend for all domains while the latter supports configuring backends on a per domain basis.</p><p>Examples of SID/uid/gid backends include tdb (<a href="idmap_tdb.8.html"><span class="citerefentry"><span class="refentrytitle">idmap_tdb</span>(8)</span></a>), ldap (<a href="idmap_ldap.8.html"><span class="citerefentry"><span class="refentrytitle">idmap_ldap</span>(8)</span></a>), rid (<a href="idmap_rid.8.html"><span class="citerefentry"><span class="refentrytitle">idmap_rid</span>(8)</span></a>), and ad (<a href="idmap_tdb.8.html"><span class="citerefentry"><span class="refentrytitle">idmap_tdb</span>(8)</span></a>). 
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>idmap backend</code></em> = <code class="literal">tdb</code></em></span></p></dd>
<dt><span class="term"><a name="IDMAPCACHETIME"></a>idmap cache time (G)</span></dt><dd><p>This parameter specifies the number of seconds that Winbind's idmap interface will cache positive SID/uid/gid query results.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>idmap cache time</code></em> = <code class="literal">900</code></em></span></p></dd>
<dt><span class="term"><a name="IDMAPCONFIG"></a>idmap config (G)</span></dt><dd><p>The idmap config prefix provides a means of managing each domain defined by the <a class="indexterm" name="id310703"></a>idmap domains option using Samba's parametric option support. The idmap config prefix should be followed by the name of the domain, a colon, and a setting specific to the chosen backend. There are three options available for all domains:</p><div class="variablelist"><dl><dt><span class="term">backend = backend_name</span></dt><dd><p>Specifies the name of the idmap plugin to use as the SID/uid/gid backend for this domain.</p></dd><dt><span class="term">default = [yes|no]</span></dt><dd><p>The default domain/backend will be used for searching for users and groups not belonging to one of the explicitly listed domains (matched by comparing the account SID and the domain SID).</p></dd><dt><span class="term">readonly = [yes|no]</span></dt><dd><p>Mark the domain as readonly, which means that no attempt will be made to allocate a uid or gid (by the <a class="indexterm" name="id310750"></a>idmap alloc backend) for any user or group in that domain. 
</p></dd></dl></div><p>
The following example illustrates how to configure the <a href="idmap_ad.8.html"><span class="citerefentry"><span class="refentrytitle">idmap_ad</span>(8)</span></a>
backend for the CORP domain and the <a href="idmap_tdb.8.html"><span class="citerefentry"><span class="refentrytitle">idmap_tdb</span>(8)</span></a> backend for all other domains. The
TRUSTEDDOMAINS string is simply a key used to reference the "idmap
config" settings and does not represent the actual name of a domain.
</p><pre class="programlisting">
        idmap domains = CORP TRUSTEDDOMAINS

        idmap config CORP:backend = ad
        idmap config CORP:readonly = yes

        idmap config TRUSTEDDOMAINS:backend = tdb
        idmap config TRUSTEDDOMAINS:default = yes
        idmap config TRUSTEDDOMAINS:range = 1000 - 9999
</pre><p><span class="emphasis"><em>No default</em></span></p></dd><dt><span class="term"><a name="IDMAPDOMAINS"></a>idmap domains (G)</span></dt><dd><p>
The idmap domains option defines a list of Windows domains which will each
have a separately configured backend for managing Winbind's SID/uid/gid
tables. This parameter is mutually exclusive with the older <a class="indexterm" name="id310818"></a>idmap backend option.
</p><p>
Values consist of the short domain name for Winbind's primary or collection
of trusted domains. You may also use an arbitrary string to represent a catchall
domain backend for any domain not explicitly listed.
</p><p>
Refer to the <a class="indexterm" name="id310834"></a>idmap config for details about
managing the SID/uid/gid backend for each domain.
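</p><p>The rules stated in the idmap backend, idmap config and idmap domains entries above can be checked mechanically before winbindd is restarted. The following is an added example, not Samba code: the function names, the case-insensitive matching of domain keys and the "more than one default" check are assumptions made for illustration, and the second sample configuration is constructed.</p>

```python
import re

# "idmap config KEY:option = value"; KEY is the name used in "idmap domains".
CONFIG_RE = re.compile(r"^idmap\s+config\s+([^:\s]+)\s*:\s*(.+?)\s*=\s*(.*)$", re.I)
YES = {"yes", "true", "1"}


def parse_idmap(text):
    """Return (domains, per_domain, legacy_backend) read from smb.conf text."""
    domains, per_domain, legacy = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue  # blank line or comment
        m = CONFIG_RE.match(line)
        if m:
            # Assumption: domain keys are compared without regard to case.
            key, option = m.group(1).upper(), m.group(2).lower()
            per_domain.setdefault(key, {})[option] = m.group(3).strip()
            continue
        name, _, value = line.partition("=")
        name = " ".join(name.lower().split())
        if name == "idmap domains":
            domains = [d.upper() for d in value.split()]
        elif name == "idmap backend":
            legacy = value.strip()
    return domains, per_domain, legacy


def is_yes(cfg, option):
    return cfg.get(option, "no").lower() in YES


def lint_idmap(text):
    """Return a list of findings; an empty list means the rules are met."""
    domains, per_domain, legacy = parse_idmap(text)
    findings = []
    if domains and legacy is not None:
        findings.append("idmap backend and idmap domains are mutually exclusive")
    for key in domains:
        if "backend" not in per_domain.get(key, {}):
            findings.append(f"{key}: listed in idmap domains but no backend configured")
    for key in per_domain:
        if key not in domains:
            findings.append(f"{key}: idmap config present but not listed in idmap domains")
    defaults = [k for k in domains if is_yes(per_domain.get(k, {}), "default")]
    if len(defaults) > 1:  # assumption: a single catchall is intended
        findings.append("more than one default domain: " + " ".join(defaults))
    return findings


def backend_for(account_domain, text):
    """Return (key, backend, may_allocate) for an account's domain, or None.

    Samba matches on SIDs; the short domain name stands in for that here.
    """
    domains, per_domain, _ = parse_idmap(text)
    key = account_domain.upper()
    if key not in domains:
        # Not explicitly listed: the entry marked default = yes handles it.
        key = next((k for k in domains if is_yes(per_domain.get(k, {}), "default")), None)
    if key is None:
        return None
    cfg = per_domain.get(key, {})
    # readonly = yes means no uid or gid is ever allocated for this domain.
    return key, cfg.get("backend"), not is_yes(cfg, "readonly")


# The example configuration from the idmap config entry.
PAGE_EXAMPLE = """
    idmap domains = CORP TRUSTEDDOMAINS
    idmap config CORP:backend = ad
    idmap config CORP:readonly = yes
    idmap config TRUSTEDDOMAINS:backend = tdb
    idmap config TRUSTEDDOMAINS:default = yes
    idmap config TRUSTEDDOMAINS:range = 1000 - 9999
"""

# Constructed sample that breaks three of the rules and has no catchall.
BROKEN_EXAMPLE = """
    idmap backend = tdb
    idmap domains = CORP TRUSTEDDOMAINS
    idmap config CORP:backend = ad
    idmap config LEGACY:backend = rid
"""

if __name__ == "__main__":
    for finding in lint_idmap(BROKEN_EXAMPLE):
        print("finding:", finding)
    print(backend_for("CORP", PAGE_EXAMPLE), backend_for("PARTNER", PAGE_EXAMPLE))
```
<p>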
</p><p><span class="emphasis"><em>No default</em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>idmap domains</code></em> = <code class="literal">default AD CORP</code>
</em></span>
</p></dd><dt><span class="term"><a name="WINBINDGID"></a>winbind gid</span></dt><dd><p>This parameter is a synonym for idmap gid.</p></dd><dt><span class="term"><a name="IDMAPGID"></a>idmap gid (G)</span></dt><dd><p>The idmap gid parameter specifies the range of group ids
that are allocated for the purpose of mapping UNIX groups to NT group
SIDs. This range of group ids should have no
existing local or NIS groups within it as strange conflicts can
occur otherwise.</p><p>See also the <a class="indexterm" name="id310911"></a>idmap backend, <a class="indexterm" name="id310918"></a>idmap domains, and <a class="indexterm" name="id310925"></a>idmap config options.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>idmap gid</code></em> = <code class="literal"></code>
</em></span>
</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>idmap gid</code></em> = <code class="literal">10000-20000</code>
</em></span>
</p></dd><dt><span class="term"><a name="IDMAPNEGATIVECACHETIME"></a>idmap negative cache time (G)</span></dt><dd><p>This parameter specifies the number of seconds that Winbind's
idmap interface will cache negative SID/uid/gid query results.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>idmap negative cache time</code></em> = <code class="literal">120</code>
</em></span>
</p></dd><dt><span class="term"><a name="WINBINDUID"></a>winbind uid</span></dt><dd><p>This parameter is a synonym for idmap uid.</p></dd><dt><span class="term"><a name="IDMAPUID"></a>idmap uid (G)</span></dt><dd><p>
The idmap uid parameter specifies the range of user ids that are
allocated for use in mapping UNIX users to NT user SIDs.
This
range of ids should have no existing local
or NIS users within it as strange conflicts can occur otherwise.</p><p>See also the <a class="indexterm" name="id311053"></a>idmap backend, <a class="indexterm" name="id311060"></a>idmap domains, and <a class="indexterm" name="id311067"></a>idmap config options.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>idmap uid</code></em> = <code class="literal"></code>
</em></span>
</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>idmap uid</code></em> = <code class="literal">10000-20000</code>
</em></span>
</p></dd><dt><span class="term"><a name="INCLUDE"></a>include (G)</span></dt><dd><p>
This allows you to include one config file inside another. The file is included literally, as though typed
in place.
</p><p>
It takes the standard substitutions, except <em class="parameter"><code>%u</code></em>,
<em class="parameter"><code>%P</code></em> and <em class="parameter"><code>%S</code></em>.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>include</code></em> = <code class="literal"></code>
</em></span>
</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>include</code></em> = <code class="literal">/usr/local/samba/lib/admin_smb.conf</code>
</em></span>
</p></dd><dt><span class="term"><a name="INHERITACLS"></a>inherit acls (S)</span></dt><dd><p>This parameter can be used to ensure that if default acls
exist on parent directories, they are always honored when creating a
new file or subdirectory in these parent directories. The default
behavior is to use the unix mode specified when creating the directory.
Enabling this option sets the unix mode to 0777, thus guaranteeing that
default directory acls are propagated.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>inherit acls</code></em> = <code class="literal">no</code>
</em></span>
</p></dd><dt><span class="term"><a name="INHERITOWNER"></a>inherit owner (S)</span></dt><dd><p>The ownership of new files and directories
is normally governed by the effective uid of the connected user.
This option allows the Samba administrator to specify that
the ownership for new files and directories should be controlled
by the ownership of the parent directory.</p><p>Common scenarios where this behavior is useful are
implementing drop-boxes where users can create and edit files but not
delete them, and ensuring that newly created files in a user's
roaming profile directory are actually owned by the user.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>inherit owner</code></em> = <code class="literal">no</code>
</em></span>
</p></dd><dt><span class="term"><a name="INHERITPERMISSIONS"></a>inherit permissions (S)</span></dt><dd><p>
The permissions on new files and directories are normally governed by <a class="indexterm" name="id311291"></a>create mask,
<a class="indexterm" name="id311298"></a>directory mask, <a class="indexterm" name="id311305"></a>force create mode and <a class="indexterm" name="id311312"></a>force directory mode but the boolean inherit permissions parameter overrides this.
</p><p>New directories inherit the mode of the parent directory,
including bits such as setgid.</p><p>
New files inherit their read/write bits from the parent directory. Their execute bits continue to be
determined by <a class="indexterm" name="id311328"></a>map archive, <a class="indexterm" name="id311335"></a>map hidden and <a class="indexterm" name="id311342"></a>map system as usual.
</p><p>Note that the setuid bit is <span class="emphasis"><em>never</em></span> set via
inheritance (the code explicitly prohibits this).</p><p>This can be particularly useful on large systems with
many users, perhaps several thousand, to allow a single [homes]
share to be used flexibly by each user.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>inherit permissions</code></em> = <code class="literal">no</code>
</em></span>
</p></dd><dt><span class="term"><a name="INTERFACES"></a>interfaces (G)</span></dt><dd><p>This option allows you to override the default
network interfaces list that Samba will use for browsing, name
registration and other NBT traffic. By default Samba will query
the kernel for the list of all active interfaces and use any
interfaces except 127.0.0.1 that are broadcast capable.</p><p>The option takes a list of interface strings. Each string
can be in any of the following forms:</p><div class="itemizedlist"><ul type="disc"><li><p>a network interface name (such as eth0).
This may include shell-like wildcards so eth* will match
any interface starting with the substring "eth"</p></li><li><p>an IP address. In this case the netmask is
determined from the list of interfaces obtained from the
kernel</p></li><li><p>an IP/mask pair. </p></li><li><p>a broadcast/mask pair.</p></li></ul></div><p>The "mask" parameters can either be a bit length (such
as 24 for a C class network) or a full netmask in dotted
decimal form.</p><p>The "IP" parameters above can either be a full dotted
decimal IP address or a hostname which will be looked up via
the OS's normal hostname resolution mechanisms.</p><p>
By default Samba enables all active interfaces that are broadcast capable
except the loopback adaptor (IP address 127.0.0.1).
</p><p>
The example below configures three network interfaces corresponding
to the eth0 device and IP addresses 192.168.2.10 and 192.168.3.10.
The netmasks of the latter two interfaces would be set to 255.255.255.0.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>interfaces</code></em> = <code class="literal"></code>
</em></span>
</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>interfaces</code></em> = <code class="literal">eth0 192.168.2.10/24 192.168.3.10/255.255.255.0</code>
</em></span>
</p></dd><dt><span class="term"><a name="INVALIDUSERS"></a>invalid users (S)</span></dt><dd><p>This is a list of users that should not be allowed
to login to this service. This is really a <span class="emphasis"><em>paranoid</em></span>
check to absolutely ensure an improper setting does not breach
your security.</p><p>A name starting with a '@' is interpreted as an NIS
netgroup first (if your system supports NIS), and then as a UNIX
group if the name was not found in the NIS netgroup database.</p><p>A name starting with '+' is interpreted only
by looking in the UNIX group database via the NSS getgrnam() interface. A name starting with
'&' is interpreted only by looking in the NIS netgroup database
(this requires NIS to be working on your system). The characters
'+' and '&' may be used at the start of the name in either order
so the value <em class="parameter"><code>+&group</code></em> means check the
UNIX group database, followed by the NIS netgroup database, and
the value <em class="parameter"><code>&+group</code></em> means check the NIS
netgroup database, followed by the UNIX group database (the
same as the '@' prefix).</p><p>The current servicename is substituted for <em class="parameter"><code>%S</code></em>.
This is useful in the [homes] section.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>invalid users</code></em> = <code class="literal">
# no invalid users</code>
</em></span>
</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>invalid users</code></em> = <code class="literal">root fred admin @wheel</code>
</em></span>
</p></dd><dt><span class="term"><a name="IPRINTSERVER"></a>iprint server (G)</span></dt><dd><p>
This parameter is only applicable if <a class="indexterm" name="id311602"></a>printing is set to <code class="constant">iprint</code>.
</p><p>
If set, this option overrides the ServerName option in the CUPS <code class="filename">client.conf</code>. This is
necessary if you have virtual samba servers that connect to different CUPS daemons.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>iprint server</code></em> = <code class="literal">""</code>
</em></span>
</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>iprint server</code></em> = <code class="literal">MYCUPSSERVER</code>
</em></span>
</p></dd><dt><span class="term"><a name="KEEPALIVE"></a>keepalive (G)</span></dt><dd><p>The value of the parameter (an integer) represents
the number of seconds between <em class="parameter"><code>keepalive</code></em>
packets. If this parameter is zero, no keepalive packets will be
sent. Keepalive packets, if sent, allow the server to tell whether
a client is still present and responding.</p><p>Keepalives should, in general, not be needed if the socket
has the SO_KEEPALIVE attribute set on it by default. (see <a class="indexterm" name="id311691"></a>socket options).
Basically you should only use this option if you strike difficulties.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>keepalive</code></em> = <code class="literal">300</code>
</em></span>
</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>keepalive</code></em> = <code class="literal">600</code>
</em></span>
</p></dd><dt><span class="term"><a name="KERNELCHANGENOTIFY"></a>kernel change notify (S)</span></dt><dd><p>This parameter specifies whether Samba should ask the
kernel for change notifications in directories so that
SMB clients can refresh whenever the data on the server changes.
</p><p>This parameter is only used when your kernel supports
change notification to user programs using the inotify interface.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>kernel change notify</code></em> = <code class="literal">yes</code>
</em></span>
</p></dd><dt><span class="term"><a name="KERNELOPLOCKS"></a>kernel oplocks (G)</span></dt><dd><p>For UNIXes that support kernel based <a class="indexterm" name="id311797"></a>oplocks
(currently only IRIX and the Linux 2.4 kernel), this parameter
allows the use of them to be turned on or off.</p><p>Kernel oplocks support allows Samba <em class="parameter"><code>oplocks</code></em>
to be broken whenever a local UNIX process or NFS operation
accesses a file that <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> has oplocked. This allows complete
data consistency between SMB/CIFS, NFS and local file access (and is
a <span class="emphasis"><em>very</em></span> cool feature :-).</p><p>This parameter defaults to <code class="constant">on</code>, but is translated
to a no-op on systems that do not have the necessary kernel support.
You should never need to touch this parameter.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>kernel oplocks</code></em> = <code class="literal">yes</code>
</em></span>
</p></dd><dt><span class="term"><a name="LANMANAUTH"></a>lanman auth (G)</span></dt><dd><p>This parameter determines whether or not <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> will attempt to
authenticate users or permit password changes
using the LANMAN password hash. If disabled, only clients which support NT
password hashes (e.g. Windows NT/2000 clients, smbclient, but not
Windows 95/98 or the MS DOS network client) will be able to
connect to the Samba host.</p><p>The LANMAN encrypted response is easily broken, due to its
case-insensitive nature, and the choice of algorithm. Servers
without Windows 95/98/ME or MS DOS clients are advised to disable
this option. </p><p>Unlike the <code class="literal">encrypt passwords</code> option, this parameter cannot alter client
behaviour, and the LANMAN response will still be sent over the
network. See the <code class="literal">client lanman auth</code> option to disable this for Samba's clients (such as smbclient).</p><p>If this option, and <code class="literal">ntlm auth</code> are both disabled, then only NTLMv2 logins will be
permitted.
Not all clients support NTLMv2, and most will require
special configuration to use it.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>lanman auth</code></em> = <code class="literal">yes</code>
</em></span>
</p></dd><dt><span class="term"><a name="LARGEREADWRITE"></a>large readwrite (G)</span></dt><dd><p>This parameter determines whether or not
<a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> supports the new 64k
streaming read and write variant SMB requests introduced with
Windows 2000. Note that due to Windows 2000 client redirector bugs
this requires Samba to be running on a 64-bit capable operating
system such as IRIX, Solaris or a Linux 2.4 kernel. Can improve
performance by 10% with Windows 2000 clients. Defaults to on. Not as
tested as some other Samba code paths.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>large readwrite</code></em> = <code class="literal">yes</code>
</em></span>
</p></dd><dt><span class="term"><a name="LDAPADMINDN"></a>ldap admin dn (G)</span></dt><dd><p>
The <a class="indexterm" name="id312005"></a>ldap admin dn defines the Distinguished Name (DN) used by Samba to contact
the ldap server when retrieving user account information. The <a class="indexterm" name="id312013"></a>ldap admin dn is used
in conjunction with the admin dn password stored in the <code class="filename">private/secrets.tdb</code>
file. See the <a href="smbpasswd.8.html"><span class="citerefentry"><span class="refentrytitle">smbpasswd</span>(8)</span></a>
man page for more information on how to accomplish this.
</p><p>
The <a class="indexterm" name="id312038"></a>ldap admin dn requires a fully specified DN. The <a class="indexterm" name="id312046"></a>ldap suffix is not appended to the <a class="indexterm" name="id312053"></a>ldap admin dn.
</p><p><span class="emphasis"><em>No default</em></span></p></dd><dt><span class="term"><a name="LDAPDELETEDN"></a>ldap delete dn (G)</span></dt><dd><p> This parameter specifies whether a delete
operation in the ldapsam deletes the complete entry or only the attributes
specific to Samba.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>ldap delete dn</code></em> = <code class="literal">no</code>
</em></span>
</p></dd><dt><span class="term"><a name="LDAPGROUPSUFFIX"></a>ldap group suffix (G)</span></dt><dd><p>This parameter specifies the suffix that is
used for groups when these are added to the LDAP directory.
If this parameter is unset, the value of <a class="indexterm" name="id312126"></a>ldap suffix will be used instead. The suffix string is pre-pended to the
<a class="indexterm" name="id312134"></a>ldap suffix string so use a partial DN.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>ldap group suffix</code></em> = <code class="literal"></code>
</em></span>
</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>ldap group suffix</code></em> = <code class="literal">ou=Groups</code>
</em></span>
</p></dd><dt><span class="term"><a name="LDAPIDMAPSUFFIX"></a>ldap idmap suffix (G)</span></dt><dd><p>
This parameter specifies the suffix that is used when storing idmap mappings. If this parameter
is unset, the value of <a class="indexterm" name="id312196"></a>ldap suffix will be used instead. The suffix
string is pre-pended to the <a class="indexterm" name="id312204"></a>ldap suffix string so use a partial DN.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>ldap idmap suffix</code></em> = <code class="literal"></code>
</em></span>
</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>ldap idmap suffix</code></em> = <code class="literal">ou=Idmap</code>
</em></span>
</p></dd><dt><span class="term"><a name="LDAPMACHINESUFFIX"></a>ldap machine suffix (G)</span></dt><dd><p>
It specifies where machines should be added to the ldap tree. If this parameter is unset, the value of
<a class="indexterm" name="id312266"></a>ldap suffix will be used instead. The suffix string is pre-pended to the
<a class="indexterm" name="id312274"></a>ldap suffix string so use a partial DN.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>ldap machine suffix</code></em> = <code class="literal"></code>
</em></span>
</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>ldap machine suffix</code></em> = <code class="literal">ou=Computers</code>
</em></span>
</p></dd><dt><span class="term"><a name="LDAPPASSWDSYNC"></a>ldap passwd sync (G)</span></dt><dd><p>
This option is used to define whether or not Samba should sync the LDAP password with the NT
and LM hashes for normal accounts (NOT for workstation, server or domain trusts) on a password
change via SAMBA.
</p><p>
The <a class="indexterm" name="id312340"></a>ldap passwd sync can be set to one of three values:
</p><div class="itemizedlist"><ul type="disc"><li><p><em class="parameter"><code>Yes</code></em> = Try
to update the LDAP, NT and LM passwords and update the pwdLastSet time.</p></li><li><p><em class="parameter"><code>No</code></em> = Update NT and
LM passwords and update the pwdLastSet time.</p></li><li><p><em class="parameter"><code>Only</code></em> = Only update
the LDAP password and let the LDAP server do the rest.</p></li></ul></div><p>Default: <span class="emphasis"><em><em class="parameter"><code>ldap passwd sync</code></em> = <code class="literal">no</code>
</em></span>
</p></dd><dt><span class="term"><a name="LDAPREPLICATIONSLEEP"></a>ldap replication sleep (G)</span></dt><dd><p>
When Samba is asked to write to a read-only LDAP replica, we are redirected to talk to the read-write master server.
This server then replicates our changes back to the 'local' server, however the replication might take some seconds,
especially over slow links. Certain client activities, particularly domain joins, can become confused by the 'success'
that does not immediately change the LDAP back-end's data.
</p><p>
This option simply causes Samba to wait a short time, to allow the LDAP server to catch up. If you have a particularly
high-latency network, you may wish to time the LDAP replication with a network sniffer, and increase this value accordingly.
Be aware that no checking is performed that the data has actually replicated.
</p><p>
The value is specified in milliseconds, the maximum value is 5000 (5 seconds).
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>ldap replication sleep</code></em> = <code class="literal">1000</code>
</em></span>
</p></dd><dt><span class="term"><a name="LDAPSAM:EDITPOSIX"></a>ldapsam:editposix (G)</span></dt><dd><p>
Editposix is an option that leverages ldapsam:trusted to make it simpler to manage a domain controller,
eliminating the need to set up custom scripts to add and manage the posix users and groups. This option
will instead directly manipulate the ldap tree to create, remove and modify user and group entries.
This option also requires a running winbindd as it is used to allocate new uids/gids on user/group
creation. The allocation range must therefore be configured.
</p><p>
To use this option, a basic ldap tree must be provided and the ldap suffix parameters must be properly
configured. On virgin servers the default users and groups (Administrator, Guest, Domain Users,
Domain Admins, Domain Guests) can be precreated with the command <code class="literal">net sam provision</code>.
To run this command the ldap server must be running, Winbindd must be running and
the smb.conf ldap options must be properly configured.

The typical ldap setup used with the <a class="indexterm" name="id312494"></a>ldapsam:trusted = yes option
is usually sufficient to use <a class="indexterm" name="id312501"></a>ldapsam:editposix = yes as well.
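</p><p>The prerequisites listed in this entry, together with the suffix rules from the ldap suffix entries and the warning about id ranges in the idmap uid and idmap gid entries, can be verified before <code class="literal">net sam provision</code> is run. The following is an added example, not Samba code: the function names are hypothetical, treating ldapsam:trusted as required is this example's reading of the entry, the first configuration is copied from this entry's own example, and the second configuration and the passwd lines are constructed.</p>

```python
import re

YES = {"yes", "true", "1"}
# winbind uid / winbind gid are documented synonyms for idmap uid / idmap gid.
SYNONYMS = {"winbinduid": "idmapuid", "winbindgid": "idmapgid"}
SUFFIXES = ("ldap user suffix", "ldap group suffix",
            "ldap machine suffix", "ldap idmap suffix")


def key_of(name):
    """Fold a parameter name: case and all whitespace are irrelevant."""
    folded = "".join(name.lower().split())
    return SYNONYMS.get(folded, folded)


def parse_global(text):
    """Return {folded name: value} for the parameter lines in smb.conf text."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#[" or "=" not in line:
            continue  # blank line, comment or section header
        name, value = line.split("=", 1)  # only the first '=' is significant
        params[key_of(name)] = value.strip()
    return params


def parse_range(value):
    """Parse 'LOW-HIGH' into (low, high); None if missing or malformed."""
    m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", value.strip())
    if not m or int(m.group(1)) > int(m.group(2)):
        return None
    return int(m.group(1)), int(m.group(2))


def container_dns(params):
    """Full DN of each container: the partial suffix prepended to ldap suffix."""
    base = params.get(key_of("ldap suffix"), "")
    dns = {}
    for name in SUFFIXES:
        partial = params.get(key_of(name), "")
        dns[name] = f"{partial},{base}" if partial else base  # unset: base is used
    return dns


def editposix_findings(params):
    """List unmet prerequisites when ldapsam:editposix is enabled."""
    if params.get("ldapsam:editposix", "no").lower() not in YES:
        return []
    findings = []
    if params.get("ldapsam:trusted", "no").lower() not in YES:
        findings.append("ldapsam:trusted is not enabled")
    if not params.get(key_of("ldap suffix")):
        findings.append("ldap suffix is unset")
    for name in ("idmap uid", "idmap gid"):
        if parse_range(params.get(key_of(name), "")) is None:
            findings.append(f"{name}: allocation range missing or malformed")
    return findings


def local_ids_in_range(db_text, id_range):
    """Names in passwd- or group-format text whose id lies inside id_range."""
    low, high = id_range
    hits = []
    for line in db_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit() and low <= int(fields[2]) <= high:
            hits.append(fields[0])
    return hits


# The example configuration from this entry.
PAGE_CONFIG = """
    passdb backend = ldapsam
    ldapsam:trusted=yes
    ldapsam:editposix=yes
    ldap admin dn = cn=admin,dc=samba,dc=org
    ldap group suffix = ou=groups
    ldap idmap suffix = ou=idmap
    ldap machine suffix = ou=computers
    ldap user suffix = ou=users
    ldap suffix = dc=samba,dc=org
    idmap backend = ldap:"ldap://localhost"
    idmap uid = 5000-50000
    idmap gid = 5000-50000
"""

# Constructed: ldapsam:trusted missing, gid range missing, uid via the synonym.
BROKEN_CONFIG = """
    ldapsam:editposix = yes
    ldap suffix = dc=samba,dc=org
    Winbind UID = 5000-50000
"""

# Constructed passwd lines; "backup" sits inside the 5000-50000 range.
PASSWD_SAMPLE = """root:x:0:0:root:/root:/bin/sh
alice:x:1000:1000::/home/alice:/bin/sh
backup:x:5001:5001::/var/backup:/bin/sh"""

if __name__ == "__main__":
    print(editposix_findings(parse_global(BROKEN_CONFIG)))
    print(container_dns(parse_global(PAGE_CONFIG)))
    print(local_ids_in_range(PASSWD_SAMPLE, (5000, 50000)))
```
<p>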
</p><p>
An example configuration can be the following:

</p><pre class="programlisting">
        encrypt passwords = true
        passdb backend = ldapsam

        ldapsam:trusted=yes
        ldapsam:editposix=yes

        ldap admin dn = cn=admin,dc=samba,dc=org
        ldap delete dn = yes
        ldap group suffix = ou=groups
        ldap idmap suffix = ou=idmap
        ldap machine suffix = ou=computers
        ldap user suffix = ou=users
        ldap suffix = dc=samba,dc=org

        idmap backend = ldap:"ldap://localhost"

        idmap uid = 5000-50000
        idmap gid = 5000-50000
</pre><p>

This configuration assumes the ldap server has been loaded with a base tree like the one described
in the following ldif:

</p><pre class="programlisting">
        dn: dc=samba,dc=org
        objectClass: top
        objectClass: dcObject
        objectClass: organization
        o: samba.org
        dc: samba

        dn: cn=admin,dc=samba,dc=org
        objectClass: simpleSecurityObject
        objectClass: organizationalRole
        cn: admin
        description: LDAP administrator
        userPassword: secret

        dn: ou=users,dc=samba,dc=org
        objectClass: top
        objectClass: organizationalUnit
        ou: users

        dn: ou=groups,dc=samba,dc=org
        objectClass: top
        objectClass: organizationalUnit
        ou: groups

        dn: ou=idmap,dc=samba,dc=org
        objectClass: top
        objectClass: organizationalUnit
        ou: idmap

        dn: ou=computers,dc=samba,dc=org
        objectClass: top
        objectClass: organizationalUnit
        ou: computers
</pre><p>
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>ldapsam:editposix</code></em> = <code class="literal">no</code>
</em></span>
</p></dd><dt><span class="term"><a name="LDAPSAM:TRUSTED"></a>ldapsam:trusted (G)</span></dt><dd><p>
By default, Samba as a Domain Controller with an LDAP backend needs to use the Unix-style NSS subsystem to
access user and group information.
Due to the way Unix stores user information in /etc/passwd and /etc/group
this inevitably leads to inefficiencies. One important piece of information a user needs to know is the list of groups he
is a member of. The plain UNIX model involves a complete enumeration of the file /etc/group and its NSS
counterparts in LDAP. UNIX has optimized functions to enumerate group membership. Sadly, other functions that
are used to deal with user and group attributes lack such optimization.
</p><p>
To make Samba scale well in large environments, the <a class="indexterm" name="id312581"></a>ldapsam:trusted = yes
option assumes that the complete user and group database that is relevant to Samba is stored in LDAP with the
standard posixAccount/posixGroup attributes. It further assumes that the Samba auxiliary object classes are
stored together with the POSIX data in the same LDAP object. If these assumptions are met,
<a class="indexterm" name="id312590"></a>ldapsam:trusted = yes can be activated and Samba can bypass the
NSS system to query user group memberships. Optimized LDAP queries can greatly speed up domain logon and
administration tasks. Depending on the size of the LDAP database a factor of 100 or more for common queries
is easily achieved.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>ldapsam:trusted</code></em> = <code class="literal">no</code>
</em></span>
</p></dd><dt><span class="term"><a name="LDAPSSL"></a>ldap ssl (G)</span></dt><dd><p>This option is used to define whether or not Samba should
use SSL when connecting to the ldap server.
This is <span class="emphasis"><em>NOT</em></span> related to
Samba's previous SSL support which was enabled by specifying the
<code class="literal">--with-ssl</code> option to the <code class="filename">configure</code>
script.</p><p>The <a class="indexterm" name="id312659"></a>ldap ssl can be set to one of three values:</p><div class="itemizedlist"><ul type="disc"><li><p><em class="parameter"><code>Off</code></em> = Never
use SSL when querying the directory.</p></li><li><p><em class="parameter"><code>Start_tls</code></em> = Use
the LDAPv3 StartTLS extended operation (RFC2830) for
communicating with the directory server.</p></li><li><p><em class="parameter"><code>On</code></em> = Use SSL
on the ldaps port when contacting the <em class="parameter"><code>ldap server</code></em>. Only available when the
backwards-compatibility <code class="literal">--with-ldapsam</code> option is specified
to configure. See <a class="indexterm" name="id312714"></a>passdb backend.</p>
</li></ul></div><p>Default: <span class="emphasis"><em><em class="parameter"><code>ldap ssl</code></em> = <code class="literal">start_tls</code>
</em></span>
</p></dd><dt><span class="term"><a name="LDAPSUFFIX"></a>ldap suffix (G)</span></dt><dd><p>Specifies the base for all ldap suffixes and for storing the sambaDomain object.</p><p>
The ldap suffix will be appended to the values specified for the <a class="indexterm" name="id312767"></a>ldap user suffix,
<a class="indexterm" name="id312774"></a>ldap group suffix, <a class="indexterm" name="id312781"></a>ldap machine suffix, and the
<a class="indexterm" name="id312788"></a>ldap idmap suffix. Each of these should be given only a DN relative to the
<a class="indexterm" name="id312796"></a>ldap suffix.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>ldap suffix</code></em> = <code class="literal"></code>
</em></span>
</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>ldap suffix</code></em> = <code class="literal">dc=samba,dc=org</code>
</em></span>
</p></dd><dt><span class="term"><a name="LDAPTIMEOUT"></a>ldap timeout (G)</span></dt><dd><p>
When Samba connects to an ldap server, that server may be down or unreachable. To prevent Samba from hanging whilst
waiting for the connection this parameter specifies in seconds how long Samba should wait before failing the
connect. The default is to only wait fifteen seconds for the ldap server to respond to the connect request.
The suffix 2210 string is pre-pended to the <a class="indexterm" name="id312906"></a>ldap suffix string so use a partial DN. 2211 </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>ldap user suffix</code></em> = <code class="literal"></code> 2212</em></span> 2213</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>ldap user suffix</code></em> = <code class="literal">ou=people</code> 2214</em></span> 2215</p></dd><dt><span class="term"><a name="LEVEL2OPLOCKS"></a>level2 oplocks (S)</span></dt><dd><p>This parameter controls whether Samba supports 2216 level2 (read-only) oplocks on a share.</p><p>Level2, or read-only oplocks allow Windows NT clients 2217 that have an oplock on a file to downgrade from a read-write oplock 2218 to a read-only oplock once a second client opens the file (instead 2219 of releasing all oplocks on a second open, as in traditional, 2220 exclusive oplocks). This allows all openers of the file that 2221 support level2 oplocks to cache the file for read-ahead only (ie. 2222 they may not cache writes or lock requests) and increases performance 2223 for many accesses of files that are not commonly written (such as 2224 application .EXE files).</p><p>Once one of the clients which have a read-only oplock 2225 writes to the file all clients are notified (no reply is needed 2226 or waited for) and told to break their oplocks to "none" and 2227 delete any read-ahead caches.</p><p>It is recommended that this parameter be turned on to 2228 speed access to shared executables.</p><p>For more discussions on level2 oplocks see the CIFS spec.</p><p> 2229 Currently, if <a class="indexterm" name="id312993"></a>kernel oplocks are supported then 2230 level2 oplocks are not granted (even if this parameter is set to 2231 <code class="constant">yes</code>). 
Note also, the <a class="indexterm" name="id313004"></a>oplocks parameter must be set to <code class="constant">yes</code> on this share in order for this parameter to have any effect.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>level2 oplocks</code></em> = <code class="literal">yes</code></em></span></p></dd>
<dt><span class="term"><a name="LMANNOUNCE"></a>lm announce (G)</span></dt><dd><p>This parameter determines if <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a> will produce Lanman announce broadcasts that are needed by OS/2 clients in order for them to see the Samba server in their browse list. This parameter can have three values, <code class="constant">yes</code>, <code class="constant">no</code>, or <code class="constant">auto</code>. The default is <code class="constant">auto</code>. If set to <code class="constant">no</code> Samba will never produce these broadcasts. If set to <code class="constant">yes</code> Samba will produce Lanman announce broadcasts at a frequency set by the parameter <a class="indexterm" name="id313085"></a>lm interval. If set to <code class="constant">auto</code> Samba will not send Lanman announce broadcasts by default but will listen for them.
If it hears such a broadcast on the wire it will then start sending them at a frequency set by the parameter <a class="indexterm" name="id313097"></a>lm interval.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>lm announce</code></em> = <code class="literal">auto</code></em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>lm announce</code></em> = <code class="literal">yes</code></em></span></p></dd>
<dt><span class="term"><a name="LMINTERVAL"></a>lm interval (G)</span></dt><dd><p>If Samba is set to produce Lanman announce broadcasts needed by OS/2 clients (see the <a class="indexterm" name="id313160"></a>lm announce parameter) then this parameter defines the frequency in seconds with which they will be made. If this is set to zero then no Lanman announcements will be made despite the setting of the <a class="indexterm" name="id313168"></a>lm announce parameter.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>lm interval</code></em> = <code class="literal">60</code></em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>lm interval</code></em> = <code class="literal">120</code></em></span></p></dd>
<dt><span class="term"><a name="LOADPRINTERS"></a>load printers (G)</span></dt><dd><p>A boolean variable that controls whether all printers in the printcap will be loaded for browsing by default.
See the <a class="indexterm" name="id313232"></a>printers section for more details.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>load printers</code></em> = <code class="literal">yes</code></em></span></p></dd>
<dt><span class="term"><a name="LOCALMASTER"></a>local master (G)</span></dt><dd><p>This option allows <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a> to try and become a local master browser on a subnet. If set to <code class="constant">no</code> then <code class="literal">nmbd</code> will not attempt to become a local master browser on a subnet and will also lose in all browsing elections. By default this value is set to <code class="constant">yes</code>. Setting this value to <code class="constant">yes</code> doesn't mean that Samba will <span class="emphasis"><em>become</em></span> the local master browser on a subnet, just that <code class="literal">nmbd</code> will <span class="emphasis"><em>participate</em></span> in elections for local master browser.</p><p>Setting this value to <code class="constant">no</code> will cause <code class="literal">nmbd</code> <span class="emphasis"><em>never</em></span> to become a local master browser.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>local master</code></em> = <code class="literal">yes</code></em></span></p></dd>
<dt><span class="term"><a name="LOCKDIR"></a>lock dir</span></dt><dd><p>This parameter is a synonym for lock directory.</p></dd>
<dt><span class="term"><a name="LOCKDIRECTORY"></a>lock directory (G)</span></dt><dd><p>This option specifies the directory where lock files will be placed. The lock files are used to implement the <a class="indexterm" name="id313394"></a>max connections option.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>lock directory</code></em> = <code class="literal">${prefix}/var/locks</code></em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>lock directory</code></em> = <code class="literal">/var/run/samba/locks</code></em></span></p></dd>
<dt><span class="term"><a name="LOCKING"></a>locking (S)</span></dt><dd><p>This controls whether or not locking will be performed by the server in response to lock requests from the client.</p><p>If <code class="literal">locking = no</code>, all lock and unlock requests will appear to succeed and all lock queries will report that the file in question is available for locking.</p><p>If <code class="literal">locking = yes</code>, real locking will be performed by the server.</p><p>This option <span class="emphasis"><em>may</em></span> be useful for read-only filesystems which <span class="emphasis"><em>may</em></span> not need locking (such as CDROM drives), although setting this parameter to <code class="constant">no</code> is not really recommended even in this case.</p><p>Be careful about disabling locking either globally or in a specific service, as lack of locking may result in data corruption. You should never need to set this parameter.</p><p><span class="emphasis"><em>No default</em></span></p></dd>
<dt><span class="term"><a name="LOCKSPINCOUNT"></a>lock spin count (G)</span></dt><dd><p>This parameter has been made inoperative in Samba 3.0.24. The functionality it controlled is now controlled by the parameter <a class="indexterm" name="id313524"></a>lock spin time.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>lock spin count</code></em> = <code class="literal">0</code></em></span></p></dd>
<dt><span class="term"><a name="LOCKSPINTIME"></a>lock spin time (G)</span></dt><dd><p>The time in microseconds that smbd should keep waiting to see if a failed lock request can be granted. This parameter has changed in default value from Samba 3.0.23 from 10 to 200. The associated <a class="indexterm" name="id313571"></a>lock spin count parameter is no longer used in Samba 3.0.24. You should not need to change the value of this parameter.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>lock spin time</code></em> = <code class="literal">200</code></em></span></p></dd>
<dt><span class="term"><a name="LOGFILE"></a>log file (G)</span></dt><dd><p>This option allows you to override the name of the Samba log file (also known as the debug file).</p><p>This option takes the standard substitutions, allowing you to have separate log files for each user or machine.</p><p><span class="emphasis"><em>No default</em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>log file</code></em> = <code class="literal">/usr/local/samba/var/log.%m</code></em></span></p></dd>
<dt><span class="term"><a name="DEBUGLEVEL"></a>debuglevel</span></dt><dd><p>This parameter is a synonym for log level.</p></dd>
<dt><span class="term"><a name="LOGLEVEL"></a>log level (G)</span></dt><dd><p>The value of the parameter (a string) allows the debug level (logging level) to be specified in the <code class="filename">smb.conf</code> file. This parameter has been extended since the 2.2.x series; it now allows the debug level to be specified for multiple debug classes. This is to give greater flexibility in the configuration of the system.
</p><p>The default will be the log level specified on the command line or level zero if none was specified.</p><p><span class="emphasis"><em>No default</em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>log level</code></em> = <code class="literal">3 passdb:5 auth:10 winbind:2</code></em></span></p></dd>
<dt><span class="term"><a name="LOGONDRIVE"></a>logon drive (G)</span></dt><dd><p>This parameter specifies the local path to which the home directory will be connected (see <a class="indexterm" name="id313742"></a>logon home) and is only used by NT Workstations.</p><p>Note that this option is only useful if Samba is set up as a logon server.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>logon drive</code></em> = <code class="literal"></code></em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>logon drive</code></em> = <code class="literal">h:</code></em></span></p></dd>
<dt><span class="term"><a name="LOGONHOME"></a>logon home (G)</span></dt><dd><p>This parameter specifies the home directory location when a Win95/98 or NT Workstation logs into a Samba PDC. It allows you to do</p><p><code class="prompt">C:\></code><strong class="userinput"><code>NET USE H: /HOME</code></strong></p><p>from a command prompt, for example.</p><p>This option takes the standard substitutions, allowing you to have separate logon scripts for each user or machine.</p><p>This parameter can be used with Win9X workstations to ensure that roaming profiles are stored in a subdirectory of the user's home directory.
This is done in the following way:</p><p><code class="literal">logon home = \\%N\%U\profile</code></p><p>This tells Samba to return the above string, with substitutions made when a client requests the info, generally in a NetUserGetInfo request. Win9X clients truncate the info to \\server\share when a user does <code class="literal">net use /home</code> but use the whole string when dealing with profiles.</p><p>Note that in prior versions of Samba, the <a class="indexterm" name="id313860"></a>logon path was returned rather than <em class="parameter"><code>logon home</code></em>. This broke <code class="literal">net use /home</code> but allowed profiles outside the home directory. The current implementation is correct, and can be used for profiles if you use the above trick.</p><p>Disable this feature by setting <a class="indexterm" name="id313884"></a>logon home = "" - using the empty string.</p><p>This option is only useful if Samba is set up as a logon server.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>logon home</code></em> = <code class="literal">\\%N\%U</code></em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>logon home</code></em> = <code class="literal">\\remote_smb_server\%U</code></em></span></p></dd>
<dt><span class="term"><a name="LOGONPATH"></a>logon path (G)</span></dt><dd><p>This parameter specifies the directory where roaming profiles (Desktop, NTuser.dat, etc) are stored. Contrary to previous versions of these manual pages, it has nothing to do with Win 9X roaming profiles. To find out how to handle roaming profiles for Win 9X system, see the <a class="indexterm" name="id313953"></a>logon home parameter.</p><p>This option takes the standard substitutions, allowing you to have separate logon scripts for each user or machine.
It also specifies the directory from which the "Application Data", <code class="filename">desktop</code>, <code class="filename">start menu</code>, <code class="filename">network neighborhood</code>, <code class="filename">programs</code> and other folders, and their contents, are loaded and displayed on your Windows NT client.</p><p>The share and the path must be readable by the user for the preferences and directories to be loaded onto the Windows NT client. The share must be writeable when the user logs in for the first time, in order that the Windows NT client can create the NTuser.dat and other directories. Thereafter, the directories and any of the contents can, if required, be made read-only. It is not advisable that the NTuser.dat file be made read-only - rename it to NTuser.man to achieve the desired effect (a <span class="emphasis"><em>MAN</em></span>datory profile).</p><p>Windows clients can sometimes maintain a connection to the [homes] share, even though there is no user logged in. Therefore, it is vital that the logon path does not include a reference to the homes share (i.e. setting this parameter to \\%N\homes\profile_path will cause problems).</p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>Do not quote the value. Setting this as “<span class="quote">\\%N\profile\%U</span>” will break profile handling. Where the tdbsam or ldapsam passdb backend is used, at the time the user account is created the value configured for this parameter is written to the passdb backend and that value will over-ride the parameter value present in the smb.conf file.
Any error present in the passdb backend account record must be edited using the appropriate tool (pdbedit on the command-line, or any other locally provided system tool).</p></div><p>Note that this option is only useful if Samba is set up as a domain controller.</p><p>Disable the use of roaming profiles by setting the value of this parameter to the empty string. For example, <a class="indexterm" name="id314030"></a>logon path = "". Take note that even if the default setting in the smb.conf file is the empty string, any value specified in the user account settings in the passdb backend will over-ride the effect of setting this parameter to null. Disabling of all roaming profile use requires that the user account settings must also be blank.</p><p>An example of use is:</p><pre class="programlisting">
logon path = \\PROFILESERVER\PROFILE\%U
</pre><p></p><p>Default: <span class="emphasis"><em><em class="parameter"><code>logon path</code></em> = <code class="literal">\\%N\%U\profile</code></em></span></p></dd>
<dt><span class="term"><a name="LOGONSCRIPT"></a>logon script (G)</span></dt><dd><p>This parameter specifies the batch file (<code class="filename">.bat</code>) or NT command file (<code class="filename">.cmd</code>) to be downloaded and run on a machine when a user successfully logs in. The file must contain the DOS style CR/LF line endings. Using a DOS-style editor to create the file is recommended.</p><p>The script must be a relative path to the <em class="parameter"><code>[netlogon]</code></em> service.
If the [netlogon] service specifies a <a class="indexterm" name="id314112"></a>path of <code class="filename">/usr/local/samba/netlogon</code>, and <a class="indexterm" name="id314125"></a>logon script = STARTUP.BAT, then the file that will be downloaded is:</p><pre class="programlisting">
/usr/local/samba/netlogon/STARTUP.BAT
</pre><p></p><p>The contents of the batch file are entirely your choice. A suggested command would be to add <code class="literal">NET TIME \\SERVER /SET /YES</code>, to force every machine to synchronize clocks with the same time server. Another use would be to add <code class="literal">NET USE U: \\SERVER\UTILS</code> for commonly used utilities, or</p><pre class="programlisting">
<strong class="userinput"><code>NET USE Q: \\SERVER\ISO9001_QA</code></strong>
</pre><p>for example.</p><p>Note that it is particularly important not to allow write access to the [netlogon] share, or to grant users write permission on the batch files in a secure environment, as this would allow the batch files to be arbitrarily modified and security to be breached.</p><p>This option takes the standard substitutions, allowing you to have separate logon scripts for each user or machine.</p><p>This option is only useful if Samba is set up as a logon server.
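</p><p>Added example (not part of the Samba documentation or source): a small Python audit that parses smb.conf text by the FILE FORMAT rules and reports settings this page warns about: a writable [netlogon] share, a quoted logon path or one that points at the homes share, and locking = no. The parameters read only (with its inverted synonyms writeable, writable and write ok) and write list are documented elsewhere in smb.conf(5); the finding names and both sample configurations are constructed for this example.</p>

```python
import re

# Constructed sample configurations (not taken from a real server).
SAMPLE = r"""
; constructed sample
[global]
   Logon Path = "\\%N\homes\profile"
   logon script = scripts\%U.bat
   LOCKING = No

[NetLogon]
   path = /usr/local/samba/netlogon
   read only = yes
   write list = @staff, \
       alice
   writeable = TRUE
"""

HARDENED = r"""
[global]
   logon path = \\PROFILESERVER\PROFILE\%U
   logon script = scripts\%U.bat

[netlogon]
   path = /usr/local/samba/netlogon
   read only = yes
"""

WRITE_SYNONYMS = {"writeable", "writable", "writeok"}  # inverted "read only"
TRUE_WORDS = {"yes", "true", "1"}
FALSE_WORDS = {"no", "false", "0"}


def norm(name):
    """Names are case-insensitive and whitespace inside them is irrelevant."""
    return re.sub(r"\s+", "", name).lower()


def is_true(value):
    return value.strip().lower() in TRUE_WORDS


def is_false(value):
    return value.strip().lower() in FALSE_WORDS


def parse_smb_conf(text):
    """Return {section: {parameter: value}} following the FILE FORMAT rules."""
    logical, pending = [], ""
    for raw in text.splitlines():
        if raw.endswith("\\"):            # trailing backslash: line continues
            pending += raw[:-1]
            continue
        logical.append(pending + raw)
        pending = ""
    if pending:
        logical.append(pending)
    conf, section = {}, None
    for line in logical:
        line = line.strip()
        if not line or line[0] in ";#":   # blank lines and comments
            continue
        if line[0] == "[" and line[-1] == "]":
            section = norm(line[1:-1])
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            name, value = line.split("=", 1)    # only the first '=' counts
            key, value = norm(name), value.strip()
            if key in WRITE_SYNONYMS:           # fold into canonical "read only"
                key, value = "readonly", ("no" if is_true(value) else "yes")
            conf[section][key] = value          # a later setting wins
    return conf


def audit(text):
    """Return (section, finding) pairs; finding names are this example's own."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    findings = []
    netlogon = conf.get("netlogon")
    if netlogon is not None:
        # [global] supplies share defaults; "read only" itself defaults to yes.
        if is_false(netlogon.get("readonly", glob.get("readonly", "yes"))):
            findings.append(("netlogon", "share-writable"))
        if netlogon.get("writelist", glob.get("writelist", "")).strip():
            findings.append(("netlogon", "write-list-set"))
    logon_path = glob.get("logonpath", "")
    inner = logon_path.strip('"')
    if inner and inner != logon_path:           # quoted, and not the empty ""
        findings.append(("global", "logon-path-quoted"))
    if re.match(r"\\\\[^\\]+\\homes(\\|$)", inner, re.IGNORECASE):
        findings.append(("global", "logon-path-uses-homes"))
    for name, params in conf.items():
        if is_false(params.get("locking", "yes")):
            findings.append((name, "locking-disabled"))
    return findings


if __name__ == "__main__":
    for section, finding in audit(SAMPLE):
        print(f"[{section}] {finding}")
```

<p>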
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>logon script</code></em> = <code class="literal"></code></em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>logon script</code></em> = <code class="literal">scripts\%U.bat</code></em></span></p></dd>
<dt><span class="term"><a name="LPPAUSECOMMAND"></a>lppause command (S)</span></dt><dd><p>This parameter specifies the command to be executed on the server host in order to stop printing or spooling a specific print job.</p><p>This command should be a program or script which takes a printer name and job number to pause the print job. One way of implementing this is by using job priorities, where jobs having too low a priority won't be sent to the printer.</p><p>If a <em class="parameter"><code>%p</code></em> is given then the printer name is put in its place. A <em class="parameter"><code>%j</code></em> is replaced with the job number (an integer). On HPUX (see <em class="parameter"><code>printing=hpux</code></em>), if the <em class="parameter"><code>-p%p</code></em> option is added to the lpq command, the job will show up with the correct status, i.e.
if the job priority is lower than the set fence priority it will have the PAUSED status, whereas if the priority is equal or higher it will have the SPOOLED or PRINTING status.</p><p>Note that it is good practice to include the absolute path in the lppause command as the PATH may not be available to the server.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>lppause command</code></em> = <code class="literal"># Currently no default value is given to this string, unless the value of the <a class="indexterm" name="id314292"></a>printing parameter is <code class="constant">SYSV</code>, in which case the default is: <code class="literal">lp -i %p-%j -H hold</code> or if the value of the <em class="parameter"><code>printing</code></em> parameter is <code class="constant">SOFTQ</code>, then the default is: <code class="literal">qstat -s -j%j -h</code>. </code></em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>lppause command</code></em> = <code class="literal">/usr/bin/lpalt %p-%j -p0</code></em></span></p></dd>
<dt><span class="term"><a name="LPQCACHETIME"></a>lpq cache time (G)</span></dt><dd><p>This controls how long lpq info will be cached for to prevent the <code class="literal">lpq</code> command being called too often. A separate cache is kept for each variation of the <code class="literal">lpq</code> command used by the system, so if you use different <code class="literal">lpq</code> commands for different users then they won't share cache information.</p><p>The cache files are stored in <code class="filename">/tmp/lpq.xxxx</code> where xxxx is a hash of the <code class="literal">lpq</code> command in use.</p><p>The default is 30 seconds, meaning that the cached results of a previous identical <code class="literal">lpq</code> command will be used if the cached data is less than 30 seconds old.
A large value may be advisable if your <code class="literal">lpq</code> command is very slow.</p><p>A value of 0 will disable caching completely.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>lpq cache time</code></em> = <code class="literal">30</code></em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>lpq cache time</code></em> = <code class="literal">10</code></em></span></p></dd>
<dt><span class="term"><a name="LPQCOMMAND"></a>lpq command (S)</span></dt><dd><p>This parameter specifies the command to be executed on the server host in order to obtain <code class="literal">lpq</code>-style printer status information.</p><p>This command should be a program or script which takes a printer name as its only parameter and outputs printer status information.</p><p>Currently nine styles of printer status information are supported; BSD, AIX, LPRNG, PLP, SYSV, HPUX, QNX, CUPS, and SOFTQ. This covers most UNIX systems. You control which type is expected using the <em class="parameter"><code>printing =</code></em> option.</p><p>Some clients (notably Windows for Workgroups) may not correctly send the connection number for the printer they are requesting status information about. To get around this, the server reports on the first printer service connected to by the client. This only happens if the connection number sent is invalid.</p><p>If a <em class="parameter"><code>%p</code></em> is given then the printer name is put in its place. Otherwise it is placed at the end of the command.</p><p>Note that it is good practice to include the absolute path in the <em class="parameter"><code>lpq command</code></em> as the <code class="envar">$PATH</code> may not be available to the server.
When compiled with the CUPS libraries, no <em class="parameter"><code>lpq command</code></em> is needed because smbd will make a library call to obtain the print queue listing.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>lpq command</code></em> = <code class="literal"></code></em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>lpq command</code></em> = <code class="literal">/usr/bin/lpq -P%p</code></em></span></p></dd>
<dt><span class="term"><a name="LPRESUMECOMMAND"></a>lpresume command (S)</span></dt><dd><p>This parameter specifies the command to be executed on the server host in order to restart or continue printing or spooling a specific print job.</p><p>This command should be a program or script which takes a printer name and job number to resume the print job. See also the <a class="indexterm" name="id314599"></a>lppause command parameter.</p><p>If a <em class="parameter"><code>%p</code></em> is given then the printer name is put in its place.
A <em class="parameter"><code>%j</code></em> is replaced with the job number (an integer).</p><p>Note that it is good practice to include the absolute path in the <em class="parameter"><code>lpresume command</code></em> as the PATH may not be available to the server.</p><p>See also the <a class="indexterm" name="id314635"></a>printing parameter.</p><p>Default: Currently no default value is given to this string, unless the value of the <em class="parameter"><code>printing</code></em> parameter is <code class="constant">SYSV</code>, in which case the default is:</p><p><code class="literal">lp -i %p-%j -H resume</code></p><p>or if the value of the <em class="parameter"><code>printing</code></em> parameter is <code class="constant">SOFTQ</code>, then the default is:</p><p><code class="literal">qstat -s -j%j -r</code></p><p>Default: <span class="emphasis"><em><em class="parameter"><code>lpresume command</code></em> = <code class="literal">lpresume command = /usr/bin/lpalt %p-%j -p2</code></em></span></p></dd>
<dt><span class="term"><a name="LPRMCOMMAND"></a>lprm command (S)</span></dt><dd><p>This parameter specifies the command to be executed on the server host in order to delete a print job.</p><p>This command should be a program or script which takes a printer name and job number, and deletes the print job.</p><p>If a <em class="parameter"><code>%p</code></em> is given then the printer name is put in its place.
A <em class="parameter"><code>%j</code></em> is replaced with the job number (an integer).</p><p>Note that it is good practice to include the absolute path in the <em class="parameter"><code>lprm command</code></em> as the PATH may not be available to the server.</p><p>Examples of use are:</p><pre class="programlisting">
lprm command = /usr/bin/lprm -P%p %j

or

lprm command = /usr/bin/cancel %p-%j
</pre><p></p><p>Default: <span class="emphasis"><em><em class="parameter"><code>lprm command</code></em> = <code class="literal"> determined by printing parameter</code></em></span></p></dd>
<dt><span class="term"><a name="MACHINEPASSWORDTIMEOUT"></a>machine password timeout (G)</span></dt><dd><p>If a Samba server is a member of a Windows NT Domain (see the <a class="indexterm" name="id314802"></a>security = domain parameter) then periodically a running smbd process will try and change the MACHINE ACCOUNT PASSWORD stored in the TDB called <code class="filename">private/secrets.tdb</code>. This parameter specifies how often this password will be changed, in seconds. The default is one week (expressed in seconds), the same as a Windows NT Domain member server.</p><p>See also <a href="smbpasswd.8.html"><span class="citerefentry"><span class="refentrytitle">smbpasswd</span>(8)</span></a>, and the <a class="indexterm" name="id314828"></a>security = domain parameter.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>machine password timeout</code></em> = <code class="literal">604800</code></em></span></p></dd>
<dt><span class="term"><a name="MAGICOUTPUT"></a>magic output (S)</span></dt><dd><p>This parameter specifies the name of a file which will contain output created by a magic script (see the <a class="indexterm" name="id314875"></a>magic script parameter below).
</p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>If two clients use the same <em class="parameter"><code>magic script</code></em> in the same directory the output file content is undefined.</p></div><p>Default: <span class="emphasis"><em><em class="parameter"><code>magic output</code></em> = <code class="literal">&lt;magic script name&gt;.out</code></em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>magic output</code></em> = <code class="literal">myfile.txt</code></em></span></p></dd>
<dt><span class="term"><a name="MAGICSCRIPT"></a>magic script (S)</span></dt><dd><p>This parameter specifies the name of a file which, if opened, will be executed by the server when the file is closed. This allows a UNIX script to be sent to the Samba host and executed on behalf of the connected user.</p><p>Scripts executed in this way will be deleted upon completion assuming that the user has the appropriate level of privilege and the file permissions allow the deletion.</p><p>If the script generates output, output will be sent to the file specified by the <a class="indexterm" name="id314959"></a>magic output parameter (see above).</p><p>Note that some shells are unable to interpret scripts containing CR/LF instead of CR as the end-of-line marker.
Magic scripts must be executable <span class="emphasis"><em>as is</em></span> on the host, which for some hosts and some shells will require filtering at the DOS end.</p><p>Magic scripts are <span class="emphasis"><em>EXPERIMENTAL</em></span> and should <span class="emphasis"><em>NOT</em></span> be relied upon.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>magic script</code></em> = <code class="literal"></code></em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>magic script</code></em> = <code class="literal">user.csh</code></em></span></p></dd>
<dt><span class="term"><a name="MANGLEDMAP"></a>mangled map (S)</span></dt><dd><p>This is for those who want to directly map UNIX file names which cannot be represented on Windows/DOS. The mangling of names is not always what is needed. In particular you may have documents with file extensions that differ between DOS and UNIX. For example, under UNIX it is common to use <code class="filename">.html</code> for HTML files, whereas under Windows/DOS <code class="filename">.htm</code> is more commonly used.</p><p>So to map <code class="filename">html</code> to <code class="filename">htm</code> you would use:</p><p><a class="indexterm" name="id315073"></a>mangled map = (*.html *.htm).</p><p>One very useful case is to remove the annoying <code class="filename">;1</code> off the ends of filenames on some CDROMs (only visible under some UNIXes). To do this use a map of (*;1 *;).
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>mangled map</code></em> = <code class="literal"># no mangled map</code></em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>mangled map</code></em> = <code class="literal">(*;1 *;)</code></em></span></p></dd>
<dt><span class="term"><a name="MANGLEDNAMES"></a>mangled names (S)</span></dt><dd><p>This controls whether non-DOS names under UNIX should be mapped to DOS-compatible names ("mangled") and made visible, or whether non-DOS names should simply be ignored.</p><p>See the section on <a class="indexterm" name="id315151"></a>name mangling for details on how to control the mangling process.</p><p>If mangling is used then the mangling algorithm is as follows:</p><div class="itemizedlist"><ul type="disc"><li><p>The first (up to) five alphanumeric characters before the rightmost dot of the filename are preserved, forced to upper case, and appear as the first (up to) five characters of the mangled name.</p></li><li><p>A tilde "~" is appended to the first part of the mangled name, followed by a two-character unique sequence, based on the original root name (i.e., the original filename minus its final extension). The final extension is included in the hash calculation only if it contains any upper case characters or is longer than three characters.</p><p>Note that the character to use may be specified using the <a class="indexterm" name="id315185"></a>mangling char option, if you don't like '~'.</p></li><li><p>Files whose UNIX name begins with a dot will be presented as DOS hidden files.
The mangled name will be created as for other filenames, but with the leading dot removed and "___" as its extension regardless of actual original extension (that's three underscores).</p></li></ul></div><p>The two-digit hash value consists of upper case alphanumeric characters.</p><p>This algorithm can cause name collisions only if files in a directory share the same first five alphanumeric characters. The probability of such a clash is 1/1300.</p><p>The name mangling (if enabled) allows a file to be copied between UNIX directories from Windows/DOS while retaining the long UNIX filename. UNIX files can be renamed to a new extension from Windows/DOS and will retain the same basename. Mangled names do not change between sessions.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>mangled names</code></em> = <code class="literal">yes</code></em></span></p></dd>
<dt><span class="term"><a name="MANGLEPREFIX"></a>mangle prefix (G)</span></dt><dd><p>Controls the number of prefix characters from the original name used when generating the mangled names. A larger value will give a weaker hash and therefore more name collisions. The minimum value is 1 and the maximum value is 6.</p><p>mangle prefix is effective only when mangling method is hash2.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>mangle prefix</code></em> = <code class="literal">1</code></em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>mangle prefix</code></em> = <code class="literal">4</code></em></span></p></dd>
<dt><span class="term"><a name="MANGLINGCHAR"></a>mangling char (S)</span></dt><dd><p>This controls what character is used as the <span class="emphasis"><em>magic</em></span> character in <a class="indexterm" name="id315321"></a>name mangling. The default is a '~' but this may interfere with some software.
Use this option to set
it to whatever you prefer. This is effective only when mangling method is hash.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>mangling char</code></em> = <code class="literal">~</code></em></span>
</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>mangling char</code></em> = <code class="literal">^</code></em></span>
</p></dd><dt><span class="term"><a name="MANGLINGMETHOD"></a>mangling method (G)</span></dt><dd><p>This parameter controls the algorithm used for generating
the mangled names. It can take two different values, "hash" and
"hash2". "hash" is the algorithm that was
used in Samba for many years and was the default in Samba 2.2.x. "hash2" is
now the default; it is newer and considered a better algorithm (it generates fewer collisions in
the names). Many Win32 applications store the mangled names, so
changing algorithms must not be done lightly, as these applications
may break unless reinstalled.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>mangling method</code></em> = <code class="literal">hash2</code></em></span>
</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>mangling method</code></em> = <code class="literal">hash</code></em></span>
</p></dd><dt><span class="term"><a name="MAPACLINHERIT"></a>map acl inherit (S)</span></dt><dd><p>This boolean parameter controls whether <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> will attempt to map the 'inherit' and 'protected'
access control entry flags stored in Windows ACLs into an extended attribute
called user.SAMBA_PAI. This parameter only takes effect if Samba is being run
on a platform that supports extended attributes (Linux and IRIX so far) and
allows the Windows 2000 ACL editor to correctly use inheritance with the Samba
POSIX ACL mapping code.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>map acl inherit</code></em> = <code class="literal">no</code></em></span>
</p></dd><dt><span class="term"><a name="MAPARCHIVE"></a>map archive (S)</span></dt><dd><p>
This controls whether the DOS archive attribute
should be mapped to the UNIX owner execute bit. The DOS archive bit
is set when a file has been modified since its last backup. One
motivation for this option is to keep Samba/your PC from making
any file it touches executable under UNIX. This can
be quite annoying for shared source code, documents, etc...
</p><p>
Note that this requires the <a class="indexterm" name="id315501"></a>create mask parameter to be set such that the owner
execute bit is not masked out (i.e. it must include 100). See the parameter
<a class="indexterm" name="id315509"></a>create mask for details.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>map archive</code></em> = <code class="literal">yes</code></em></span>
</p></dd><dt><span class="term"><a name="MAPHIDDEN"></a>map hidden (S)</span></dt><dd><p>
This controls whether DOS style hidden files should be mapped to the UNIX world execute bit.
</p><p>
Note that this requires the <a class="indexterm" name="id315559"></a>create mask to be set such that the world execute
bit is not masked out (i.e. it must include 001). See the parameter <a class="indexterm" name="id315567"></a>create mask
for details.
</p><p><span class="emphasis"><em>No default</em></span></p></dd><dt><span class="term"><a name="MAPREADONLY"></a>map read only (S)</span></dt><dd><p>
This controls how the DOS read only attribute should be mapped from a UNIX filesystem.
</p><p>
This parameter can take three different values, which tell <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> how to display the read only attribute on files, where either
<a class="indexterm" name="id315613"></a>store dos attributes is set to <code class="constant">No</code>, or no extended attribute is
present. If <a class="indexterm" name="id315624"></a>store dos attributes is set to <code class="constant">yes</code> then this
parameter is <span class="emphasis"><em>ignored</em></span>. This is a new parameter introduced in Samba version 3.0.21.
</p><p>The three settings are:</p><div class="itemizedlist"><ul type="disc"><li><p>
<code class="constant">Yes</code> - The read only DOS attribute is mapped to the inverse of the user
or owner write bit in the unix permission mode set. If the owner write bit is not set, the
read only attribute is reported as being set on the file.
</p></li><li><p>
<code class="constant">Permissions</code> - The read only DOS attribute is mapped to the effective permissions of
the connecting user, as evaluated by <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> by reading the unix permissions and POSIX ACL (if present).
If the connecting user does not have permission to modify the file, the read only attribute
is reported as being set on the file.
</p></li><li><p>
<code class="constant">No</code> - The read only DOS attribute is unaffected by permissions, and can only be set by
the <a class="indexterm" name="id315681"></a>store dos attributes method. This may be useful for exporting mounted CDs.
</p></li></ul></div><p>Default: <span class="emphasis"><em><em class="parameter"><code>map read only</code></em> = <code class="literal">yes</code></em></span>
</p></dd><dt><span class="term"><a name="MAPSYSTEM"></a>map system (S)</span></dt><dd><p>
This controls whether DOS style system files should be mapped to the UNIX group execute bit.
</p><p>
Note that this requires the <a class="indexterm" name="id315731"></a>create mask to be set such that the group
execute bit is not masked out (i.e. it must include 010). See the parameter
<a class="indexterm" name="id315739"></a>create mask for details.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>map system</code></em> = <code class="literal">no</code></em></span>
</p></dd><dt><span class="term"><a name="MAPTOGUEST"></a>map to guest (G)</span></dt><dd><p>This parameter is only useful in <a class="indexterm" name="id315785"></a>security
modes other than <em class="parameter"><code>security = share</code></em>
and <em class="parameter"><code>security = server</code></em>
- i.e. <code class="constant">user</code>, and <code class="constant">domain</code>.</p><p>This parameter can take four different values, which tell
<a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> what to do with user
login requests that don't match a valid UNIX user in some way.</p><p>The four settings are:</p><div class="itemizedlist"><ul type="disc"><li><p><code class="constant">Never</code> - Means user login
requests with an invalid password are rejected.
This is the
default.</p></li><li><p><code class="constant">Bad User</code> - Means user
logins with an invalid password are rejected, unless the username
does not exist, in which case it is treated as a guest login and
mapped into the <a class="indexterm" name="id315849"></a>guest account.</p></li><li><p><code class="constant">Bad Password</code> - Means user logins
with an invalid password are treated as a guest login and mapped
into the <a class="indexterm" name="id315866"></a>guest account. Note that
this can cause problems as it means that any user incorrectly typing
their password will be silently logged on as "guest" - and
will not know the reason they cannot access files they think
they should - there will have been no message given to them
that they got their password wrong. Helpdesk services will
<span class="emphasis"><em>hate</em></span> you if you set the <em class="parameter"><code>map to guest</code></em> parameter this way :-).</p></li><li><p><code class="constant">Bad Uid</code> - Is only applicable when Samba is configured
in some type of domain mode security (security = {domain|ads}) and means that
user logins which are successfully authenticated but which have no valid Unix
user account (and smbd is unable to create one) should be mapped to the defined
guest account. This was the default behavior of Samba 2.x releases. Note that
if a member server is running winbindd, this option should never be required
because the nss_winbind library will export the Windows domain users and groups
to the underlying OS via the Name Service Switch interface.</p></li></ul></div><p>Note that this parameter is needed to set up "Guest"
share services when using <em class="parameter"><code>security</code></em> modes other than
share and server.
This is because in these modes the name of the resource being
requested is <span class="emphasis"><em>not</em></span> sent to the server until after
the server has successfully authenticated the client so the server
cannot make authentication decisions at the correct time (connection
to the share) for "Guest" shares. This parameter is not useful with
<em class="parameter"><code>security = server</code></em> as in this security mode
no information is returned about whether a user logon failed due to
a bad username or bad password; the same error is returned from a modern server
in both cases.</p><p>For people familiar with the older Samba releases, this
parameter maps to the old compile-time setting of the <code class="constant">GUEST_SESSSETUP</code> value in local.h.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>map to guest</code></em> = <code class="literal">Never</code></em></span>
</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>map to guest</code></em> = <code class="literal">Bad User</code></em></span>
</p></dd><dt><span class="term"><a name="MAXCONNECTIONS"></a>max connections (S)</span></dt><dd><p>This option allows the number of simultaneous connections to a service to be limited.
If <em class="parameter"><code>max connections</code></em> is greater than 0 then connections
will be refused if this number of connections to the service are already open. A value
of zero means an unlimited number of connections may be made.</p><p>Record lock files are used to implement this feature.
The lock files will be stored in
the directory specified by the <a class="indexterm" name="id316002"></a>lock directory option.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>max connections</code></em> = <code class="literal">0</code></em></span>
</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>max connections</code></em> = <code class="literal">10</code></em></span>
</p></dd><dt><span class="term"><a name="MAXDISKSIZE"></a>max disk size (G)</span></dt><dd><p>This option allows you to put an upper limit
on the apparent size of disks. If you set this option to 100
then all shares will appear to be not larger than 100 MB in
size.</p><p>Note that this option does not limit the amount of
data you can put on the disk. In the above case you could still
store much more than 100 MB on the disk, but if a client ever asks
for the amount of free disk space or the total disk size then the
result will be bounded by the amount specified in <em class="parameter"><code>max disk size</code></em>.</p><p>This option is primarily useful to work around bugs
in some pieces of software that can't handle very large disks,
particularly disks over 1GB in size.</p><p>A <em class="parameter"><code>max disk size</code></em> of 0 means no limit.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>max disk size</code></em> = <code class="literal">0</code></em></span>
</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>max disk size</code></em> = <code class="literal">1000</code></em></span>
</p></dd><dt><span class="term"><a name="MAXLOGSIZE"></a>max log size (G)</span></dt><dd><p>
This option (an integer in kilobytes) specifies the max size the log file should grow to.
Samba periodically checks the size and if it is exceeded it will rename the file, adding
a <code class="filename">.old</code> extension.
</p><p>A size of 0 means no limit.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>max log size</code></em> = <code class="literal">5000</code></em></span>
</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>max log size</code></em> = <code class="literal">1000</code></em></span>
</p></dd><dt><span class="term"><a name="MAXMUX"></a>max mux (G)</span></dt><dd><p>This option controls the maximum number of
outstanding simultaneous SMB operations that Samba tells the client
it will allow. You should never need to set this parameter.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>max mux</code></em> = <code class="literal">50</code></em></span>
</p></dd><dt><span class="term"><a name="MAXOPENFILES"></a>max open files (G)</span></dt><dd><p>This parameter limits the maximum number of
open files that one <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> file
serving process may have open for a client at any one time. The
default for this parameter is set very high (10,000) as Samba uses
only one bit per unopened file.</p><p>The limit of the number of open files is usually set
by the UNIX per-process file descriptor limit rather than
this parameter so you should never need to touch this parameter.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>max open files</code></em> = <code class="literal">10000</code></em></span>
</p></dd><dt><span class="term"><a name="MAXPRINTJOBS"></a>max print jobs (S)</span></dt><dd><p>This parameter limits the maximum number of
jobs allowable in a Samba printer queue at any given moment.
If this number is exceeded, <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> will report "Out of Space" to the client.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>max print jobs</code></em> = <code class="literal">1000</code></em></span>
</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>max print jobs</code></em> = <code class="literal">5000</code></em></span>
</p></dd><dt><span class="term"><a name="PROTOCOL"></a>protocol</span></dt><dd><p>This parameter is a synonym for max protocol.</p></dd><dt><span class="term"><a name="MAXPROTOCOL"></a>max protocol (G)</span></dt><dd><p>The value of the parameter (a string) is the highest
protocol level that will be supported by the server.</p><p>Possible values are:</p><div class="itemizedlist"><ul type="disc"><li><p><code class="constant">CORE</code>: Earliest version. No
concept of user names.</p></li><li><p><code class="constant">COREPLUS</code>: Slight improvements on
CORE for efficiency.</p></li><li><p><code class="constant">LANMAN1</code>: First <span class="emphasis"><em>modern</em></span> version of the protocol. Long filename
support.</p></li><li><p><code class="constant">LANMAN2</code>: Updates to Lanman1 protocol.</p></li><li><p><code class="constant">NT1</code>: Current up to date version of the protocol.
Used by Windows NT.
Known as CIFS.</p></li></ul></div><p>Normally this option should not be set as the automatic
negotiation phase in the SMB protocol takes care of choosing
the appropriate protocol.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>max protocol</code></em> = <code class="literal">NT1</code></em></span>
</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>max protocol</code></em> = <code class="literal">LANMAN1</code></em></span>
</p></dd><dt><span class="term"><a name="MAXREPORTEDPRINTJOBS"></a>max reported print jobs (S)</span></dt><dd><p>
This parameter limits the maximum number of jobs displayed in a port monitor for
a Samba printer queue at any given moment. If this number is exceeded, the excess
jobs will not be shown. A value of zero means there is no limit on the number of
print jobs reported.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>max reported print jobs</code></em> = <code class="literal">0</code></em></span>
</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>max reported print jobs</code></em> = <code class="literal">1000</code></em></span>
</p></dd><dt><span class="term"><a name="MAXSMBDPROCESSES"></a>max smbd processes (G)</span></dt><dd><p>This parameter limits the maximum number of <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> processes concurrently running on a system and is intended
as a stopgap to prevent degrading service to clients in the event that the server has insufficient
resources to handle more than this number of connections.
Remember that under normal operating
conditions, each user will have an <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> associated with him or her to handle connections to all
shares from a given host.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>max smbd processes</code></em> = <code class="literal">0</code></em></span>
</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>max smbd processes</code></em> = <code class="literal">1000</code></em></span>
</p></dd><dt><span class="term"><a name="MAXSTATCACHESIZE"></a>max stat cache size (G)</span></dt><dd><p>This parameter limits the size in memory of any
<em class="parameter"><code>stat cache</code></em> being used
to speed up case insensitive name mappings. This parameter is
the number of kilobyte (1024) units the stat cache can use.
A value of zero means unlimited which is not advised as it can
use a lot of memory.
You should not need to change this parameter.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>max stat cache size</code></em> = <code class="literal">1024</code></em></span>
</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>max stat cache size</code></em> = <code class="literal">100</code></em></span>
</p></dd><dt><span class="term"><a name="MAXTTL"></a>max ttl (G)</span></dt><dd><p>This option tells <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a> what the default 'time to live'
of NetBIOS names should be (in seconds) when <code class="literal">nmbd</code> is
requesting a name using either a broadcast packet or from a WINS server. You should
never need to change this parameter.
The default is 3 days.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>max ttl</code></em> = <code class="literal">259200</code></em></span>
</p></dd><dt><span class="term"><a name="MAXWINSTTL"></a>max wins ttl (G)</span></dt><dd><p>This option tells <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> when acting as a WINS server
(<a class="indexterm" name="id316771"></a>wins support = yes) what the maximum
'time to live' of NetBIOS names that <code class="literal">nmbd</code>
will grant will be (in seconds). You should never need to change this
parameter. The default is 6 days (518400 seconds).</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>max wins ttl</code></em> = <code class="literal">518400</code></em></span>
</p></dd><dt><span class="term"><a name="MAXXMIT"></a>max xmit (G)</span></dt><dd><p>This option controls the maximum packet size
that will be negotiated by Samba. The default is 16644, which
matches the behavior of Windows 2000. A value below 2048 is likely to cause problems.
You should never need to change this parameter from its default value.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>max xmit</code></em> = <code class="literal">16644</code></em></span>
</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>max xmit</code></em> = <code class="literal">8192</code></em></span>
</p></dd><dt><span class="term"><a name="MESSAGECOMMAND"></a>message command (G)</span></dt><dd><p>This specifies what command to run when the
server receives a WinPopup style message.</p><p>This would normally be a command that would
deliver the message somehow.
How this is to be done is
up to your imagination.</p><p>An example is:
</p><pre class="programlisting">
<code class="literal">message command = csh -c 'xedit %s;rm %s' &amp;</code>
</pre><p>
</p><p>This delivers the message using <code class="literal">xedit</code>, then
removes it afterwards. <span class="emphasis"><em>NOTE THAT IT IS VERY IMPORTANT
THAT THIS COMMAND RETURN IMMEDIATELY</em></span>. That's why I
have the '&amp;' on the end. If it doesn't return immediately then
your PCs may freeze when sending messages (they should recover
after 30 seconds, hopefully).</p><p>All messages are delivered as the global guest user.
The command takes the standard substitutions, although <em class="parameter"><code>%u</code></em> won't work (<em class="parameter"><code>%U</code></em> may be better
in this case).</p><p>Apart from the standard substitutions, some additional
ones apply. In particular:</p><div class="itemizedlist"><ul type="disc"><li><p><em class="parameter"><code>%s</code></em> = the filename containing
the message.</p></li><li><p><em class="parameter"><code>%t</code></em> = the destination that
the message was sent to (probably the server name).</p></li><li><p><em class="parameter"><code>%f</code></em> = who the message
is from.</p></li></ul></div><p>You could make this command send mail, or whatever else
takes your fancy. Please let us know of any really interesting
ideas you have.</p><p>
Here's a way of sending the messages as mail to root:
</p><pre class="programlisting">
<code class="literal">message command = /bin/mail -s 'message from %f on %m' root &lt; %s; rm %s</code>
</pre><p>
</p><p>If you don't have a message command then the message
won't be delivered and Samba will tell the sender there was
an error. Unfortunately WfWg totally ignores the error code
and carries on regardless, saying that the message was delivered.
</p><p>
If you want to silently delete it then try:
</p><pre class="programlisting">
<code class="literal">message command = rm %s</code>
</pre><p>
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>message command</code></em> = <code class="literal"></code></em></span>
</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>message command</code></em> = <code class="literal">csh -c 'xedit %s; rm %s' &amp;</code></em></span>
</p></dd><dt><span class="term"><a name="MINPRINTSPACE"></a>min print space (S)</span></dt><dd><p>This sets the minimum amount of free disk
space that must be available before a user will be able to spool
a print job. It is specified in kilobytes. The default is 0, which
means a user can always spool a print job.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>min print space</code></em> = <code class="literal">0</code></em></span>
</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>min print space</code></em> = <code class="literal">2000</code></em></span>
</p></dd><dt><span class="term"><a name="MINPROTOCOL"></a>min protocol (G)</span></dt><dd><p>The value of the parameter (a string) is the
lowest SMB protocol dialect that Samba will support. Please refer
to the <a class="indexterm" name="id317130"></a>max protocol
parameter for a list of valid protocol names and a brief description
of each. You may also wish to refer to the C source code in
<code class="filename">source/smbd/negprot.c</code> for a listing of known protocol
dialects supported by clients.</p><p>If you are viewing this parameter as a security measure, you should
also refer to the <a class="indexterm" name="id317149"></a>lanman auth parameter.
Otherwise, you should never need
to change this parameter.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>min protocol</code></em> = <code class="literal">CORE</code></em></span>
</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>min protocol</code></em> = <code class="literal">NT1</code></em></span>
</p></dd><dt><span class="term"><a name="MINWINSTTL"></a>min wins ttl (G)</span></dt><dd><p>This option tells <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a>
when acting as a WINS server (<a class="indexterm" name="id317220"></a>wins support = yes) what the minimum 'time to live'
of NetBIOS names that <code class="literal">nmbd</code> will grant will be (in
seconds). You should never need to change this parameter. The default
is 6 hours (21600 seconds).</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>min wins ttl</code></em> = <code class="literal">21600</code></em></span>
</p></dd><dt><span class="term"><a name="MSDFSPROXY"></a>msdfs proxy (S)</span></dt><dd><p>This parameter indicates that the share is a
stand-in for another CIFS share whose location is specified by
the value of the parameter. When clients attempt to connect to
this share, they are redirected to the proxied share using
the SMB-Dfs protocol.</p><p>Only Dfs roots can act as proxy shares.
Take a look at the
<a class="indexterm" name="id317279"></a>msdfs root and <a class="indexterm" name="id317286"></a>host msdfs
options to find out how to set up a Dfs root share.</p><p><span class="emphasis"><em>No default</em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>msdfs proxy</code></em> = <code class="literal">\\otherserver\someshare</code></em></span>
</p></dd><dt><span class="term"><a name="MSDFSROOT"></a>msdfs root (S)</span></dt><dd><p>If set to <code class="constant">yes</code>, Samba treats the
share as a Dfs root and allows clients to browse the
distributed file system tree rooted at the share directory.
Dfs links are specified in the share directory by symbolic
links of the form <code class="filename">msdfs:serverA\\shareA,serverB\\shareB</code>
and so on. For more information on setting up a Dfs tree on
Samba, refer to the MSDFS chapter in the Samba3-HOWTO book.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>msdfs root</code></em> = <code class="literal">no</code></em></span>
</p></dd><dt><span class="term"><a name="NAMECACHETIMEOUT"></a>name cache timeout (G)</span></dt><dd><p>Specifies the number of seconds it takes before
entries in Samba's hostname resolve cache time out. If
the timeout is set to 0, the caching is disabled.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>name cache timeout</code></em> = <code class="literal">660</code></em></span>
</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>name cache timeout</code></em> = <code class="literal">0</code></em></span>
</p></dd><dt><span class="term"><a name="NAMERESOLVEORDER"></a>name resolve order (G)</span></dt><dd><p>This option is used by the programs in the Samba
suite to determine what naming services to use and in what order
to resolve host names to IP addresses.
Its main purpose is to
control how netbios name resolution is performed. The option takes a space
separated string of name resolution options.</p><p>The options are: "lmhosts", "host",
"wins" and "bcast". They cause names to be
resolved as follows:</p><div class="itemizedlist"><ul type="disc"><li><p>
<code class="constant">lmhosts</code> : Look up an IP address in the Samba lmhosts file. If the line in lmhosts has
no name type attached to the NetBIOS name (see the manpage for lmhosts for details) then
any name type matches for lookup.
</p></li><li><p>
<code class="constant">host</code> : Do a standard host name to IP address resolution, using the system
<code class="filename">/etc/hosts</code>, NIS, or DNS lookups. This method of name resolution is
operating system dependent; for instance, on IRIX or Solaris this may be controlled by the <code class="filename">/etc/nsswitch.conf</code> file. Note that this method is used only if the NetBIOS name
type being queried is the 0x20 (server) name type or 0x1c (domain controllers). The latter case is only
useful for active directory domains and results in a DNS query for the SRV RR entry matching
_ldap._tcp.domain.
</p></li><li><p><code class="constant">wins</code> : Query a name with
the IP address listed in the <a class="indexterm" name="id317498"></a>WINSSERVER parameter. If no WINS server has
been specified this method will be ignored.</p></li><li><p><code class="constant">bcast</code> : Do a broadcast on
each of the known local interfaces listed in the <a class="indexterm" name="id317515"></a>interfaces
parameter.
This is the least reliable of the name resolution
methods as it depends on the target host being on a locally
connected subnet.</p></li></ul></div><p>The example below will cause the local lmhosts file to be examined
first, followed by a broadcast attempt, followed by a normal
system hostname lookup.</p><p>When Samba is functioning in ADS security mode (<code class="literal">security = ads</code>)
it is advised to use the following settings for <em class="parameter"><code>name resolve order</code></em>:</p><p><code class="literal">name resolve order = wins bcast</code></p><p>DC lookups will still be done via DNS, but fallbacks to netbios names will
not inundate your DNS servers with needless queries for DOMAIN&lt;0x1c&gt; lookups.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>name resolve order</code></em> = <code class="literal">lmhosts host wins bcast</code></em></span>
</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>name resolve order</code></em> = <code class="literal">lmhosts bcast host</code></em></span>
</p></dd><dt><span class="term"><a name="NETBIOSALIASES"></a>netbios aliases (G)</span></dt><dd><p>This is a list of NetBIOS names that nmbd will
advertise as additional names by which the Samba server is known. This allows one machine
to appear in browse lists under multiple names. If a machine is acting as a browse server
or logon server none of these names will be advertised as either browse server or logon
servers, only the primary name of the machine will be advertised with these capabilities.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>netbios aliases</code></em> = <code class="literal"># empty string (no additional names)</code></em></span>
</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>netbios aliases</code></em> = <code class="literal">TEST TEST1 TEST2</code></em></span>
</p></dd><dt><span class="term"><a name="NETBIOSNAME"></a>netbios name (G)</span></dt><dd><p>
This sets the NetBIOS name by which a Samba server is known. By default it is the same as the first component
of the host's DNS name. If a machine is a browse server or logon server this name (or the first component of
the host's DNS name) will be the name that these services are advertised under.
</p><p>
There is a bug in Samba-3 that breaks operation of browsing and access to shares if the netbios name
is set to the literal name <code class="literal">PIPE</code>. To avoid this problem, do not name your Samba-3
server <code class="literal">PIPE</code>.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>netbios name</code></em> = <code class="literal"># machine DNS name</code></em></span>
</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>netbios name</code></em> = <code class="literal">MYNAME</code></em></span>
</p></dd><dt><span class="term"><a name="NETBIOSSCOPE"></a>netbios scope (G)</span></dt><dd><p>This sets the NetBIOS scope that Samba will
operate under. This should not be set unless every machine
on your LAN also sets this value.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>netbios scope</code></em> = <code class="literal"></code></em></span>
</p></dd><dt><span class="term"><a name="NISHOMEDIR"></a>nis homedir (G)</span></dt><dd><p>Get the home share server from a NIS map.
For UNIX systems that use an automounter, the user's home directory will often be mounted on a workstation on demand from a remote server. </p><p>When the Samba logon server is not the actual home directory server, but is mounting the home directories via NFS, then two network hops would be required to access the user's home directory if the logon server told the client to use itself as the SMB server for home directories (one over SMB and one over NFS). This can be very slow.</p><p>This option allows Samba to return the home share as being on a different server to the logon server and as long as a Samba daemon is running on the home directory server, it will be mounted on the Samba client directly from the directory server. When Samba is returning the home share to the client, it will consult the NIS map specified in <a class="indexterm" name="id317804"></a>homedir map and return the server listed there.</p><p>Note that for this option to work there must be a working NIS system and the Samba server with this option must also be a logon server.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>nis homedir</code></em> = <code class="literal">no</code></em></span></p></dd><dt><span class="term"><a name="NTACLSUPPORT"></a>nt acl support (S)</span></dt><dd><p>This boolean parameter controls whether <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> will attempt to map UNIX permissions into Windows NT access control lists. The UNIX permissions considered are the traditional UNIX owner and group permissions, as well as POSIX ACLs set on any files or directories. 
This parameter was formerly a global parameter in releases prior to 2.2.2.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>nt acl support</code></em> = <code class="literal">yes</code></em></span></p></dd><dt><span class="term"><a name="NTLMAUTH"></a>ntlm auth (G)</span></dt><dd><p>This parameter determines whether or not <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> will attempt to authenticate users using the NTLM encrypted password response. If disabled, either the lanman password hash or an NTLMv2 response will need to be sent by the client.</p><p>If this option and <code class="literal">lanman auth</code> are both disabled, then only NTLMv2 logins will be permitted. Not all clients support NTLMv2, and most will require special configuration to use it.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>ntlm auth</code></em> = <code class="literal">yes</code></em></span></p></dd><dt><span class="term"><a name="NTPIPESUPPORT"></a>nt pipe support (G)</span></dt><dd><p>This boolean parameter controls whether <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> will allow Windows NT clients to connect to the NT SMB specific <code class="constant">IPC$</code> pipes. This is a developer debugging option and can be left alone.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>nt pipe support</code></em> = <code class="literal">yes</code></em></span></p></dd><dt><span class="term"><a name="NTSTATUSSUPPORT"></a>nt status support (G)</span></dt><dd><p>This boolean parameter controls whether <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> will negotiate NT specific status support with Windows NT/2k/XP clients. 
This is a developer debugging option and should be left alone. If this option is set to <code class="constant">no</code> then Samba offers exactly the same DOS error codes that versions prior to Samba 2.2.3 reported.</p><p>You should not need to ever disable this parameter.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>nt status support</code></em> = <code class="literal">yes</code></em></span></p></dd><dt><span class="term"><a name="NULLPASSWORDS"></a>null passwords (G)</span></dt><dd><p>Allow or disallow client access to accounts that have null passwords. </p><p>See also <a href="smbpasswd.5.html"><span class="citerefentry"><span class="refentrytitle">smbpasswd</span>(5)</span></a>.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>null passwords</code></em> = <code class="literal">no</code></em></span></p></dd><dt><span class="term"><a name="OBEYPAMRESTRICTIONS"></a>obey pam restrictions (G)</span></dt><dd><p>When Samba 3.0 is configured to enable PAM support (i.e. --with-pam), this parameter will control whether or not Samba should obey PAM's account and session management directives. The default behavior is to use PAM for clear text authentication only and to ignore any account or session management. Note that Samba always ignores PAM for authentication in the case of <a class="indexterm" name="id318122"></a>encrypt passwords = yes. The reason is that PAM modules cannot support the challenge/response authentication mechanism needed in the presence of SMB password encryption. 
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>obey pam restrictions</code></em> = <code class="literal">no</code></em></span></p></dd><dt><span class="term"><a name="ONLYUSER"></a>only user (S)</span></dt><dd><p>This is a boolean option that controls whether connections with usernames not in the <em class="parameter"><code>user</code></em> list will be allowed. By default this option is disabled so that a client can supply a username to be used by the server. Enabling this parameter will force the server to only use the login names from the <em class="parameter"><code>user</code></em> list and is only really useful in <a class="indexterm" name="id318183"></a>security = share level security.</p><p>Note that this also means Samba won't try to deduce usernames from the service name. This can be annoying for the [homes] section. To get around this you could use <code class="literal">user = %S</code> which means your <em class="parameter"><code>user</code></em> list will be just the service name, which for home directories is the name of the user.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>only user</code></em> = <code class="literal">no</code></em></span></p></dd><dt><span class="term"><a name="OPENFILESDATABASEHASHSIZE"></a>open files database hash size (G)</span></dt><dd><p>This parameter was added in Samba 3.0.23. This is an internal tuning parameter that sets the hash size of the tdb used for the open file databases. The presence of this parameter allows tuning of the system for very large (thousands of concurrent users) Samba setups. The default setting of this parameter should be sufficient for most normal environments. 
It is advised not to change this parameter unless advised to by a Samba Team member.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>open files database hash size</code></em> = <code class="literal">10007</code></em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>open files database hash size</code></em> = <code class="literal">1338457</code></em></span></p></dd><dt><span class="term"><a name="OPLOCKBREAKWAITTIME"></a>oplock break wait time (G)</span></dt><dd><p>This is a tuning parameter added due to bugs in both Windows 9x and WinNT. If Samba responds to a client too quickly when that client issues an SMB that can cause an oplock break request, then the network client can fail and not respond to the break request. This tuning parameter (which is set in milliseconds) is the amount of time Samba will wait before sending an oplock break request to such (broken) clients.</p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>DO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ AND UNDERSTOOD THE SAMBA OPLOCK CODE.</p></div><p>Default: <span class="emphasis"><em><em class="parameter"><code>oplock break wait time</code></em> = <code class="literal">0</code></em></span></p></dd><dt><span class="term"><a name="OPLOCKCONTENTIONLIMIT"></a>oplock contention limit (S)</span></dt><dd><p>This is a <span class="emphasis"><em>very</em></span> advanced <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> tuning option to improve the efficiency of the granting of oplocks under multiple client contention for the same file. 
</p><p>In brief it specifies a number, which causes <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> not to grant an oplock even when requested if the approximate number of clients contending for an oplock on the same file goes over this limit. This causes <code class="literal">smbd</code> to behave in a similar way to Windows NT.</p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>DO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ AND UNDERSTOOD THE SAMBA OPLOCK CODE.</p></div><p>Default: <span class="emphasis"><em><em class="parameter"><code>oplock contention limit</code></em> = <code class="literal">2</code></em></span></p></dd><dt><span class="term"><a name="OPLOCKS"></a>oplocks (S)</span></dt><dd><p>This boolean option tells <code class="literal">smbd</code> whether to issue oplocks (opportunistic locks) to file open requests on this share. The oplock code can dramatically (approx. 30% or more) improve the speed of access to files on Samba servers. It allows the clients to aggressively cache files locally and you may want to disable this option for unreliable network environments (it is turned on by default in Windows NT Servers). For more information see the file <code class="filename">Speed.txt</code> in the Samba <code class="filename">docs/</code> directory.</p><p>Oplocks may be selectively turned off on certain files within a share. See the <a class="indexterm" name="id318454"></a>veto oplock files parameter. On some systems oplocks are recognized by the underlying operating system. This allows data synchronization between all access to oplocked files, whether it be via Samba or NFS or a local UNIX process. See the <a class="indexterm" name="id318463"></a>kernel oplocks parameter for details. 
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>oplocks</code></em> = <code class="literal">yes</code></em></span></p></dd><dt><span class="term"><a name="OS2DRIVERMAP"></a>os2 driver map (G)</span></dt><dd><p>The parameter is used to define the absolute path to a file containing a mapping of Windows NT printer driver names to OS/2 printer driver names. The format is:</p><p>&lt;nt driver name&gt; = &lt;os2 driver name&gt;.&lt;device name&gt;</p><p>For example, a valid entry using the HP LaserJet 5 printer driver would appear as <code class="literal">HP LaserJet 5L = LASERJET.HP LaserJet 5L</code>.</p><p>The need for the file is due to the printer driver namespace problem described in the chapter on Classical Printing in the Samba3-HOWTO book. For more details on OS/2 clients, please refer to the chapter on other clients in the Samba3-HOWTO book.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>os2 driver map</code></em> = <code class="literal"></code></em></span></p></dd><dt><span class="term"><a name="OSLEVEL"></a>os level (G)</span></dt><dd><p>This integer value controls what level Samba advertises itself as for browse elections. The value of this parameter determines whether <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a> has a chance of becoming a local master browser for the <a class="indexterm" name="id318576"></a>workgroup in the local broadcast area.</p><p><span class="emphasis"><em>Note:</em></span> By default, Samba will win a local master browsing election over all Microsoft operating systems except a Windows NT 4.0/2000 Domain Controller. This means that a misconfigured Samba host can effectively isolate a subnet for browsing purposes. This parameter is largely auto-configured in the Samba-3 release series and it is seldom necessary to manually override the default setting. 
Please refer to chapter 9 of the Samba-3 HOWTO document for further information regarding the use of this parameter.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>os level</code></em> = <code class="literal">20</code></em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>os level</code></em> = <code class="literal">65</code></em></span></p></dd><dt><span class="term"><a name="PAMPASSWORDCHANGE"></a>pam password change (G)</span></dt><dd><p>With the addition of better PAM support in Samba 2.2, this parameter makes it possible to use PAM's password change control flag for Samba. If enabled, then PAM will be used for password changes when requested by an SMB client instead of the program listed in <a class="indexterm" name="id318651"></a>passwd program. It should be possible to enable this without changing your <a class="indexterm" name="id318658"></a>passwd chat parameter for most setups.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>pam password change</code></em> = <code class="literal">no</code></em></span></p></dd><dt><span class="term"><a name="PANICACTION"></a>panic action (G)</span></dt><dd><p>This is a Samba developer option that allows a system command to be called when either <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> or <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> crashes. This is usually used to draw attention to the fact that a problem occurred. 
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>panic action</code></em> = <code class="literal"></code></em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>panic action</code></em> = <code class="literal">"/bin/sleep 90000"</code></em></span></p></dd><dt><span class="term"><a name="PARANOIDSERVERSECURITY"></a>paranoid server security (G)</span></dt><dd><p>Some versions of NT 4.x allow non-guest users with a bad password. When this option is enabled, Samba will not use a broken NT 4.x server as password server, but instead complain to the logs and exit.</p><p>Disabling this option prevents Samba from making this check, which involves deliberately attempting a bad logon to the remote server.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>paranoid server security</code></em> = <code class="literal">yes</code></em></span></p></dd><dt><span class="term"><a name="PASSDBBACKEND"></a>passdb backend (G)</span></dt><dd><p>This option allows the administrator to choose which backend will be used for storing user and possibly group information. This allows you to swap between different storage mechanisms without recompiling. </p><p>The parameter value is divided into two parts, the backend's name, and a 'location' string that has meaning only to that particular backend. These are separated by a : character.</p><p>Available backends can include:</p><div class="itemizedlist"><ul type="disc"><li><p><code class="literal">smbpasswd</code> - The default smbpasswd backend. Takes a path to the smbpasswd file as an optional argument.</p></li><li><p><code class="literal">tdbsam</code> - The TDB based password storage backend. 
Takes a path to the TDB as an optional argument (defaults to passdb.tdb in the <a class="indexterm" name="id318855"></a>private dir directory).</p></li><li><p><code class="literal">ldapsam</code> - The LDAP based passdb backend. Takes an LDAP URL as an optional argument (defaults to <code class="literal">ldap://localhost</code>)</p><p>LDAP connections should be secured where possible. This may be done using either Start-TLS (see <a class="indexterm" name="id318885"></a>ldap ssl) or by specifying <em class="parameter"><code>ldaps://</code></em> in the URL argument. </p><p>Multiple servers may also be specified in double-quotes, if your LDAP libraries support the LDAP URL notation. (OpenLDAP does.)</p></li></ul></div><p>Examples of use are:</p>
<pre class="programlisting">
passdb backend = tdbsam:/etc/samba/private/passdb.tdb

or

passdb backend = ldapsam:"ldap://ldap-1.example.com ldap://ldap-2.example.com"
</pre><p>Default: <span class="emphasis"><em><em class="parameter"><code>passdb backend</code></em> = <code class="literal">smbpasswd</code></em></span></p></dd><dt><span class="term"><a name="PASSDBEXPANDEXPLICIT"></a>passdb expand explicit (G)</span></dt><dd><p>This parameter controls whether Samba substitutes %-macros in the passdb fields if they are explicitly set. We used to expand macros here, but this turned out to be a bug because the Windows client can expand a variable %G_osver% in which %G would have been substituted by the user's primary group. 
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>passdb expand explicit</code></em> = <code class="literal">no</code></em></span></p></dd><dt><span class="term"><a name="PASSWDCHAT"></a>passwd chat (G)</span></dt><dd><p>This string controls the <span class="emphasis"><em>"chat"</em></span> conversation that takes place between <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> and the local password changing program to change the user's password. The string describes a sequence of response-receive pairs that <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> uses to determine what to send to the <a class="indexterm" name="id319013"></a>passwd program and what to expect back. If the expected output is not received then the password is not changed.</p><p>This chat sequence is often quite site specific, depending on what local methods are used for password control (such as NIS etc).</p><p>Note that this parameter is only used if the <a class="indexterm" name="id319030"></a>unix password sync parameter is set to <code class="constant">yes</code>. This sequence is then called <span class="emphasis"><em>AS ROOT</em></span> when the SMB password in the smbpasswd file is being changed, without access to the old password cleartext. This means that root must be able to reset the user's password without knowing the text of the previous password. In the presence of NIS/YP, this means that the <a class="indexterm" name="id319046"></a>passwd program must be executed on the NIS master.</p><p>The string can contain the macro <em class="parameter"><code>%n</code></em> which is substituted for the new password. The chat sequence can also contain the standard macros \n, \r, \t and \s to give line-feed, carriage-return, tab and space. 
The chat sequence string can also contain a '*' which matches any sequence of characters. Double quotes can be used to collect strings with spaces in them into a single string.</p><p>If the send string in any part of the chat sequence is a full stop ".", then no string is sent. Similarly, if the expect string is a full stop then no string is expected.</p><p>If the <a class="indexterm" name="id319074"></a>pam password change parameter is set to <code class="constant">yes</code>, the chat pairs may be matched in any order, and success is determined by the PAM result, not any particular output. The \n macro is ignored for PAM conversions.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>passwd chat</code></em> = <code class="literal">*new*password* %n\n*new*password* %n\n *changed*</code></em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>passwd chat</code></em> = <code class="literal">"*Enter OLD password*" %o\n "*Enter NEW password*" %n\n "*Reenter NEW password*" %n\n "*Password changed*"</code></em></span></p></dd><dt><span class="term"><a name="PASSWDCHATDEBUG"></a>passwd chat debug (G)</span></dt><dd><p>This boolean specifies if the passwd chat script parameter is run in <span class="emphasis"><em>debug</em></span> mode. In this mode the strings passed to and received from the passwd chat are printed in the <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> log with a <a class="indexterm" name="id319156"></a>debug level of 100. This is a dangerous option as it will allow plaintext passwords to be seen in the <code class="literal">smbd</code> log. 
It is available to help Samba admins debug their <em class="parameter"><code>passwd chat</code></em> scripts when calling the <em class="parameter"><code>passwd program</code></em> and should be turned off after this has been done. This option has no effect if the <a class="indexterm" name="id319184"></a>pam password change parameter is set. This parameter is off by default.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>passwd chat debug</code></em> = <code class="literal">no</code></em></span></p></dd><dt><span class="term"><a name="PASSWDCHATTIMEOUT"></a>passwd chat timeout (G)</span></dt><dd><p>This integer specifies the number of seconds smbd will wait for an initial answer from a passwd chat script being run. Once the initial answer is received the subsequent answers must be received in one tenth of this time. The default is two seconds.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>passwd chat timeout</code></em> = <code class="literal">2</code></em></span></p></dd><dt><span class="term"><a name="PASSWDPROGRAM"></a>passwd program (G)</span></dt><dd><p>The name of a program that can be used to set UNIX user passwords. Any occurrences of <em class="parameter"><code>%u</code></em> will be replaced with the user name. The user name is checked for existence before calling the password changing program.</p><p>Also note that many passwd programs insist on <span class="emphasis"><em>reasonable</em></span> passwords, such as a minimum length, or the inclusion of mixed case chars and digits. 
This can pose a problem as some clients (such as Windows for Workgroups) uppercase the password before sending it.</p><p><span class="emphasis"><em>Note</em></span> that if the <em class="parameter"><code>unix password sync</code></em> parameter is set to <code class="constant">yes</code> then this program is called <span class="emphasis"><em>AS ROOT</em></span> before the SMB password in the smbpasswd file is changed. If this UNIX password change fails, then <code class="literal">smbd</code> will fail to change the SMB password also (this is by design).</p><p>If the <em class="parameter"><code>unix password sync</code></em> parameter is set this parameter <span class="emphasis"><em>MUST USE ABSOLUTE PATHS</em></span> for <span class="emphasis"><em>ALL</em></span> programs called, and must be examined for security implications. Note that by default <em class="parameter"><code>unix password sync</code></em> is set to <code class="constant">no</code>.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>passwd program</code></em> = <code class="literal"></code></em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>passwd program</code></em> = <code class="literal">/bin/passwd %u</code></em></span></p></dd><dt><span class="term"><a name="PASSWORDLEVEL"></a>password level (G)</span></dt><dd><p>Some client/server combinations have difficulty with mixed-case passwords. One offending client is Windows for Workgroups, which for some reason forces passwords to upper case when using the LANMAN1 protocol, but leaves them alone when using COREPLUS! Another problem child is the Windows 95/98 family of operating systems. 
These clients upper case clear text passwords even when NT LM 0.12 is selected by the protocol negotiation request/response.</p><p>This parameter defines the maximum number of characters that may be upper case in passwords.</p><p>For example, say the password given was "FRED". If <em class="parameter"><code>password level</code></em> is set to 1, the following combinations would be tried if "FRED" failed:</p><p>"Fred", "fred", "fRed", "frEd", "freD"</p><p>If <em class="parameter"><code>password level</code></em> was set to 2, the following combinations would also be tried: </p><p>"FRed", "FrEd", "FreD", "fREd", "fReD", "frED", ..</p><p>And so on.</p><p>The higher the value this parameter is set to, the more likely it is that a mixed case password will be matched against a single case password. However, you should be aware that use of this parameter reduces security and increases the time taken to process a new connection.</p><p>A value of zero will cause only two attempts to be made - the password as is and the password in all-lower case.</p><p>This parameter is used only when using plain-text passwords. It is not used at all when encrypted passwords are in use (that is the default since samba-3.0.0). 
Use this only when <a class="indexterm" name="id319448"></a>encrypt passwords = No.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>password level</code></em> = <code class="literal">0</code></em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>password level</code></em> = <code class="literal">4</code></em></span></p></dd><dt><span class="term"><a name="PASSWORDSERVER"></a>password server (G)</span></dt><dd><p>By specifying the name of another SMB server or Active Directory domain controller with this option, and using <code class="literal">security = [ads|domain|server]</code> it is possible to get Samba to do all its username/password validation using a specific remote server.</p><p>This option sets the name or IP address of the password server to use. New syntax has been added to support defining the port to use when connecting to the server in the case of an ADS realm. To define a port other than the default LDAP port of 389, add the port number using a colon after the name or IP address (e.g. 192.168.1.100:389). If you do not specify a port, Samba will use the standard LDAP port of tcp/389. Note that port numbers have no effect on password servers for Windows NT 4.0 domains or netbios connections.</p><p>If the parameter is a name, it is looked up using the parameter <a class="indexterm" name="id319530"></a>name resolve order and so may be resolved by any method and order described in that parameter.</p><p>The password server must be a machine capable of using the "LM1.2X002" or the "NT LM 0.12" protocol, and it must be in user level security mode.</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>Using a password server means your UNIX box (running Samba) is only as secure as your password server. 
<span class="emphasis"><em>DO NOT CHOOSE A PASSWORD SERVER THAT YOU DON'T COMPLETELY TRUST</em></span>.</p></div><p>Never point a Samba server at itself for password serving. This will cause a loop and could lock up your Samba server!</p><p>The name of the password server takes the standard substitutions, but probably the only useful one is <em class="parameter"><code>%m</code></em>, which means the Samba server will use the incoming client as the password server. If you use this then you had better trust your clients, and you had better restrict them with hosts allow!</p><p>If the <em class="parameter"><code>security</code></em> parameter is set to <code class="constant">domain</code> or <code class="constant">ads</code>, then the list of machines in this option must be a list of Primary or Backup Domain controllers for the Domain or the character '*', as the Samba server is effectively in that domain, and will use cryptographically authenticated RPC calls to authenticate the user logging on. The advantage of using <code class="literal">security = domain</code> is that if you list several hosts in the <em class="parameter"><code>password server</code></em> option then <code class="literal">smbd</code> will try each in turn till it finds one that responds. This is useful in case your primary server goes down.</p><p>If the <em class="parameter"><code>password server</code></em> option is set to the character '*', then Samba will attempt to auto-locate the Primary or Backup Domain controllers to authenticate against by doing a query for the name <code class="constant">WORKGROUP&lt;1C&gt;</code> and then contacting each server returned in the list of IP addresses from the name resolution source. 
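</p><p>The trust caveat above (<code class="literal">password server = %m</code>) and the other authentication parameters in this section (<code class="literal">ntlm auth</code>, <code class="literal">null passwords</code>, <code class="literal">passwd chat debug</code>, <code class="literal">password level</code>, <code class="literal">passdb backend</code>, <code class="literal">passwd program</code>) can be checked mechanically. The Python script below is an added example, not part of Samba or of this manual page: it parses a configuration according to the FILE FORMAT rules and reports risky [global] settings. The function names and the sample configuration are constructed for illustration, an unset <code class="literal">lanman auth</code> is treated as not disabled, and <code class="literal">off</code> as a value of <code class="literal">ldap ssl</code> is an assumption taken from that parameter's own entry.</p>

```python
import re

TRUE, FALSE = {"yes", "true", "1"}, {"no", "false", "0"}

def norm(name):
    """Section and parameter names ignore case and all whitespace."""
    return re.sub(r"\s+", "", name).lower()

def parse_smb_conf(text):
    """Parse smb.conf text into {section: {parameter: value}}."""
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in ";#"):
            continue                          # blank line or comment
        if line.endswith("\\"):               # continued on the next line
            pending += line[:-1]
            continue
        line, pending = pending + line, ""
        if line.startswith("[") and line.endswith("]"):
            current = norm(line[1:-1])
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            name, value = line.split("=", 1)  # only the first '=' is significant
            sections[current][norm(name)] = value.strip()
    return sections

def as_bool(value, default):
    """Booleans may be yes/no, true/false or 1/0 in any case."""
    v = value.lower()
    return True if v in TRUE else False if v in FALSE else default

def audit(text):
    """Return [(parameter, reason)] for risky [global] settings."""
    g = parse_smb_conf(text).get("global", {})
    get = lambda name: g.get(norm(name), "")
    findings = []
    # NTLMv2-only logins need both older response types disabled.
    # "ntlm auth" defaults to yes; an unset "lanman auth" is treated as
    # not disabled (assumption: its default is not stated in this section).
    if as_bool(get("ntlm auth"), True) or as_bool(get("lanman auth"), True):
        findings.append(("ntlm auth", "NTLMv2-only logins are not enforced"))
    if as_bool(get("null passwords"), False):
        findings.append(("null passwords", "accounts with null passwords are reachable"))
    if as_bool(get("passwd chat debug"), False):
        findings.append(("passwd chat debug", "plaintext passwords reach the smbd log"))
    level = get("password level")
    if level.isdigit() and int(level) > 0:
        findings.append(("password level", "case permutations of each password are tried"))
    backend = get("passdb backend").lower()
    # Assumption: "off" is the value of "ldap ssl" that disables Start-TLS.
    if backend.startswith("ldapsam") and "ldap://" in backend \
            and get("ldap ssl").lower() == "off":
        findings.append(("passdb backend", "ldapsam over ldap:// with ldap ssl = off"))
    if "%m" in get("password server"):
        note = "" if get("hosts allow") else "; hosts allow is unset"
        findings.append(("password server", "%m makes the connecting client the password server" + note))
    program = get("passwd program")
    # Only the first program named is checked here; the manual requires
    # absolute paths for ALL programs called.
    if as_bool(get("unix password sync"), False) and program and not program.startswith("/"):
        findings.append(("passwd program", "called as root without an absolute path"))
    return findings

# Constructed sample configuration (not taken from a real host).
SAMPLE = r"""
[global]
   NTLM Auth = No
   lanman auth = no
   null passwords = YES
   passwd chat debug = true
   password level = 4
   ldap ssl = off
   passdb backend = ldapsam:"ldap://ldap-1.example.com \
        ldap://ldap-2.example.com"
   password server = %m
   unix password sync = yes
   passwd program = passwd %u
; hosts allow = 192.0.2.
[homes]
   null passwords = no
"""

if __name__ == "__main__":
    for parameter, reason in audit(SAMPLE):
        print(f"{parameter}: {reason}")
```

<p>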
</p><p>If the list of servers contains both names/IP's and the '*' character, the list is treated as a list of preferred domain controllers, but an auto lookup of all remaining DC's will be added to the list as well. Samba will not attempt to optimize this list by locating the closest DC.</p><p>If the <em class="parameter"><code>security</code></em> parameter is set to <code class="constant">server</code>, then there are different restrictions that <code class="literal">security = domain</code> doesn't suffer from:</p><div class="itemizedlist"><ul type="disc"><li><p>You may list several password servers in the <em class="parameter"><code>password server</code></em> parameter, however if an <code class="literal">smbd</code> makes a connection to a password server, and then the password server fails, no more users will be able to be authenticated from this <code class="literal">smbd</code>. This is a restriction of the SMB/CIFS protocol when in <code class="literal">security = server</code> mode and cannot be fixed in Samba.</p></li><li><p>If you are using a Windows NT server as your password server then you will have to ensure that your users are able to login from the Samba server, as when in <code class="literal">security = server</code> mode the network logon will appear to come from there rather than from the user's workstation.</p></li></ul></div><p>Default: <span class="emphasis"><em><em class="parameter"><code>password server</code></em> = <code class="literal"></code></em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>password server</code></em> = <code class="literal">NT-PDC, NT-BDC1, NT-BDC2, *</code></em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>password server</code></em> = <code class="literal">windc.mydomain.com:389 192.168.1.101 *</code></em></span></p><p>Example: <span 
class="emphasis"><em><em class="parameter"><code>password server</code></em> = <code class="literal">*</code></em></span></p></dd>
<dt><span class="term"><a name="DIRECTORY"></a>directory</span></dt><dd><p>This parameter is a synonym for path.</p></dd>
<dt><span class="term"><a name="PATH"></a>path (S)</span></dt><dd><p>This parameter specifies a directory to which the user of the service is to be given access. In the case of printable services, this is where print data will spool prior to being submitted to the host for printing.</p>
<p>For a printable service offering guest access, the service should be readonly and the path should be world-writeable and have the sticky bit set. This is not mandatory of course, but you probably won't get the results you expect if you do otherwise.</p>
<p>Any occurrences of <em class="parameter"><code>%u</code></em> in the path will be replaced with the UNIX username that the client is using on this connection. Any occurrences of <em class="parameter"><code>%m</code></em> will be replaced by the NetBIOS name of the machine they are connecting from. These replacements are very useful for setting up pseudo home directories for users.</p>
<p>Note that this path will be based on <a class="indexterm" name="id319834"></a>root dir if one was specified.</p>
<p>Default: <span class="emphasis"><em><em class="parameter"><code>path</code></em> = <code class="literal"></code></em></span></p>
<p>Example: <span class="emphasis"><em><em class="parameter"><code>path</code></em> = <code class="literal">/home/fred</code></em></span></p></dd>
<dt><span class="term"><a name="PIDDIRECTORY"></a>pid directory (G)</span></dt><dd><p>
This option specifies the directory where pid files will be placed.
</p>
<p>Default: <span class="emphasis"><em><em class="parameter"><code>pid directory</code></em> = <code class="literal">${prefix}/var/locks</code></em></span></p>
<p>Example: <span class="emphasis"><em><em class="parameter"><code>pid directory</code></em> = <code class="literal">/var/run/</code></em></span></p></dd>
<dt><span class="term"><a name="POSIXLOCKING"></a>posix locking (S)</span></dt><dd><p>
The <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> daemon maintains a database of file locks obtained by SMB clients. The default behavior is to map this internal database to POSIX locks. This means that file locks obtained by SMB clients are consistent with those seen by POSIX compliant applications accessing the files via a non-SMB method (e.g. NFS or local file access). You should never need to disable this parameter.
</p>
<p>Default: <span class="emphasis"><em><em class="parameter"><code>posix locking</code></em> = <code class="literal">yes</code></em></span></p></dd>
<dt><span class="term"><a name="POSTEXEC"></a>postexec (S)</span></dt><dd><p>This option specifies a command to be run whenever the service is disconnected. It takes the usual substitutions.
The command may be run as root on some systems.</p>
<p>An interesting example may be to unmount server resources:</p>
<p><code class="literal">postexec = /etc/umount /cdrom</code></p>
<p>Default: <span class="emphasis"><em><em class="parameter"><code>postexec</code></em> = <code class="literal"></code></em></span></p>
<p>Example: <span class="emphasis"><em><em class="parameter"><code>postexec</code></em> = <code class="literal">echo \"%u disconnected from %S from %m (%I)\" >> /tmp/log</code></em></span></p></dd>
<dt><span class="term"><a name="EXEC"></a>exec</span></dt><dd><p>This parameter is a synonym for preexec.</p></dd>
<dt><span class="term"><a name="PREEXEC"></a>preexec (S)</span></dt><dd><p>This option specifies a command to be run whenever the service is connected to. It takes the usual substitutions.</p>
<p>An interesting example is to send the users a welcome message every time they log in. Maybe a message of the day? Here is an example:</p>
<p><code class="literal">preexec = csh -c 'echo \"Welcome to %S!\" | /usr/local/samba/bin/smbclient -M %m -I %I' & </code></p>
<p>Of course, this could get annoying after a while :-)</p>
<p>See also <a class="indexterm" name="id320111"></a>preexec close and <a class="indexterm" name="id320118"></a>postexec.</p>
<p>Default: <span class="emphasis"><em><em class="parameter"><code>preexec</code></em> = <code class="literal"></code></em></span></p>
<p>Example: <span class="emphasis"><em><em class="parameter"><code>preexec</code></em> = <code class="literal">echo \"%u connected to %S from %m (%I)\" >> /tmp/log</code></em></span></p></dd>
<dt><span class="term"><a name="PREEXECCLOSE"></a>preexec close (S)</span></dt><dd><p>
This boolean option controls whether a non-zero return code from <a class="indexterm" name="id320180"></a>preexec should close the service being connected to.
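</p>
<p>The warnings given above for <code class="literal">password server</code>, <code class="literal">postexec</code>, <code class="literal">preexec</code> and <code class="literal">preexec close</code> can be checked mechanically. The following Python audit is an added example, not part of Samba or of this manual page: it parses a file according to the FILE FORMAT rules and reports the settings the text cautions about. The sample configuration, the wording of the findings and the <code class="filename">/tmp</code> redirection heuristic are assumptions of this example.</p>

```python
import re

# Constructed sample configuration (not taken from the manual page).
SAMPLE_CONF = r"""
; constructed sample
[global]
   security = server
   Password Server = NT-PDC, %m, \
      127.0.0.1
[public]
   path = /srv/public
   preexec = /usr/local/sbin/check-client %m %I
   PostExec = echo "%u left %S" >> /tmp/log
"""

EXEC_PARAMS = {"preexec", "exec", "postexec"}   # exec is a synonym for preexec
HOSTS_ALLOW = {"hostsallow", "allowhosts"}      # allow hosts is a synonym
LOOPBACK = {"localhost", "127.0.0.1"}


def norm(name):
    """Names are case-insensitive and whitespace inside them is irrelevant."""
    return re.sub(r"\s+", "", name).lower()


def as_bool(value):
    """Booleans may be given as yes/no, 1/0 or true/false in any case."""
    return value.strip().lower() in {"yes", "1", "true"}


def parse_smb_conf(text):
    """Return {section: {parameter: value}} following the FILE FORMAT rules."""
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):                 # continued on the next line
            pending = line[:-1].rstrip() + " "
            continue
        if not line or line[0] in ";#":         # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(norm(line[1:-1]), {})
        elif "=" in line and current is not None:
            name, value = line.split("=", 1)    # only the first '=' is significant
            current[norm(name)] = value.strip()
    return sections


def audit(text):
    """Return a sorted list of (section, parameter, finding) tuples."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    findings = []
    servers = [s for s in re.split(r"[,\s]+", glob.get("passwordserver", "")) if s]
    if "%m" in servers and not (HOSTS_ALLOW & glob.keys()):
        findings.append(("global", "password server",
                         "%m makes each client its own password server and hosts allow is unset"))
    for server in servers:
        if server.split(":")[0].lower() in LOOPBACK:
            findings.append(("global", "password server",
                             "list points back at this host: " + server))
    if glob.get("security", "").lower() == "server" and len(servers) > 1:
        findings.append(("global", "security",
                         "security = server: once the connected password server fails, "
                         "no further users are authenticated"))
    for section, params in conf.items():
        for key in EXEC_PARAMS & params.keys():
            # Heuristic of this example: the command runs on the server, possibly
            # as root, so output appended to a fixed name in /tmp deserves review.
            if re.search(r">>?\s*/tmp/", params[key]):
                findings.append((section, key, "redirects output to a fixed /tmp path"))
            if key != "postexec" and not as_bool(params.get("preexecclose", "no")):
                findings.append((section, key,
                                 "preexec close is off: a failing command still allows the connection"))
    return sorted(findings)


if __name__ == "__main__":
    for section, key, finding in audit(SAMPLE_CONF):
        print("[%s] %s: %s" % (section, key, finding))
```

<p>Pass the text of the live file to <code class="literal">audit()</code>; on a host with Samba installed, <a href="testparm.1.html"><span class="citerefentry"><span class="refentrytitle">testparm</span>(1)</span></a> remains the reference for how the file is actually parsed.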
</p>
<p>Default: <span class="emphasis"><em><em class="parameter"><code>preexec close</code></em> = <code class="literal">no</code></em></span></p></dd>
<dt><span class="term"><a name="PREFEREDMASTER"></a>prefered master</span></dt><dd><p>This parameter is a synonym for preferred master.</p></dd>
<dt><span class="term"><a name="PREFERREDMASTER"></a>preferred master (G)</span></dt><dd><p>
This boolean parameter controls if <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a> is a preferred master browser for its workgroup.
</p>
<p>If this is set to <code class="constant">yes</code>, on startup, <code class="literal">nmbd</code> will force an election, and it will have a slight advantage in winning the election. It is recommended that this parameter is used in conjunction with <a class="indexterm" name="id320270"></a>domain master = yes, so that <code class="literal">nmbd</code> can guarantee becoming a domain master.
</p>
<p>Use this option with caution, because if there are several hosts (whether Samba servers, Windows 95 or NT) that are preferred master browsers on the same subnet, they will each periodically and continuously attempt to become the local master browser. This will result in unnecessary broadcast traffic and reduced browsing capabilities.
</p>
<p>Default: <span class="emphasis"><em><em class="parameter"><code>preferred master</code></em> = <code class="literal">auto</code></em></span></p></dd>
<dt><span class="term"><a name="AUTOSERVICES"></a>auto services</span></dt><dd><p>This parameter is a synonym for preload.</p></dd>
<dt><span class="term"><a name="PRELOAD"></a>preload (G)</span></dt><dd><p>This is a list of services that you want to be automatically added to the browse lists.
This is most useful for homes and printers services that would otherwise not be visible.</p>
<p>Note that if you just want all printers in your printcap file loaded then the <a class="indexterm" name="id320355"></a>load printers option is easier.
</p>
<p>Default: <span class="emphasis"><em><em class="parameter"><code>preload</code></em> = <code class="literal"></code></em></span></p>
<p>Example: <span class="emphasis"><em><em class="parameter"><code>preload</code></em> = <code class="literal">fred lp colorlp</code></em></span></p></dd>
<dt><span class="term"><a name="PRELOADMODULES"></a>preload modules (G)</span></dt><dd><p>This is a list of paths to modules that should be loaded into smbd before a client connects. This improves the speed of smbd when reacting to new connections somewhat.</p>
<p>Default: <span class="emphasis"><em><em class="parameter"><code>preload modules</code></em> = <code class="literal"></code></em></span></p>
<p>Example: <span class="emphasis"><em><em class="parameter"><code>preload modules</code></em> = <code class="literal">/usr/lib/samba/passdb/mysql.so</code></em></span></p></dd>
<dt><span class="term"><a name="PRESERVECASE"></a>preserve case (S)</span></dt><dd><p>
This controls if new filenames are created with the case that the client passes, or if they are forced to be the <a class="indexterm" name="id320472"></a>default case.
</p>
<p>See the section on <a href="#NAMEMANGLINGSECT" title="NAME MANGLING">NAME MANGLING</a> for a fuller discussion.
</p>
<p>Default: <span class="emphasis"><em><em class="parameter"><code>preserve case</code></em> = <code class="literal">yes</code></em></span></p></dd>
<dt><span class="term"><a name="PRINTOK"></a>print ok</span></dt><dd><p>This parameter is a synonym for printable.</p></dd>
<dt><span class="term"><a name="PRINTABLE"></a>printable (S)</span></dt><dd><p>If this parameter is <code class="constant">yes</code>, then clients may open, write to and submit spool files on the directory specified for the service.</p>
<p>Note that a printable service will ALWAYS allow writing to the service path (user privileges permitting) via the spooling of print data. The <a class="indexterm" name="id320662"></a>read only parameter controls only non-printing access to the resource.</p>
<p>Default: <span class="emphasis"><em><em class="parameter"><code>printable</code></em> = <code class="literal">no</code></em></span></p></dd>
<dt><span class="term"><a name="PRINTCAPCACHETIME"></a>printcap cache time (G)</span></dt><dd><p>This option specifies the number of seconds before the printing subsystem is again asked for the known printers. If the value is greater than 60 the initial waiting time is set to 60 seconds to allow an earlier first rescan of the printing subsystem.
</p>
<p>Setting this parameter to 0 disables any rescanning for new or removed printers after the initial startup.
</p>
<p>Default: <span class="emphasis"><em><em class="parameter"><code>printcap cache time</code></em> = <code class="literal">750</code></em></span></p>
<p>Example: <span class="emphasis"><em><em class="parameter"><code>printcap cache time</code></em> = <code class="literal">600</code></em></span></p></dd>
<dt><span class="term"><a name="PRINTCAP"></a>printcap</span></dt><dd><p>This parameter is a synonym for printcap name.</p></dd>
<dt><span class="term"><a name="PRINTCAPNAME"></a>printcap name (S)</span></dt><dd><p>
This parameter may be used to override the compiled-in default printcap name used by the server (usually <code class="filename">/etc/printcap</code>). See the discussion of the <a href="#PRINTERSSECT" title="The [printers] section">[printers]</a> section above for reasons why you might want to do this.
</p>
<p>To use the CUPS printing interface set <code class="literal">printcap name = cups</code>. This should be supplemented by an additional setting <a class="indexterm" name="id320815"></a>printing = cups in the [global] section. <code class="literal">printcap name = cups</code> will use the "dummy" printcap created by CUPS, as specified in your CUPS configuration file.
</p>
<p>On System V systems that use <code class="literal">lpstat</code> to list available printers you can use <code class="literal">printcap name = lpstat</code> to automatically obtain lists of available printers. This is the default for systems that define SYSV at configure time in Samba (this includes most System V based systems). If <em class="parameter"><code>printcap name</code></em> is set to <code class="literal">lpstat</code> on these systems then Samba will launch <code class="literal">lpstat -v</code> and attempt to parse the output to obtain a printer list.
</p>
<p>A minimal printcap file would look something like this:</p>
<pre class="programlisting">
print1|My Printer 1
print2|My Printer 2
print3|My Printer 3
print4|My Printer 4
print5|My Printer 5
</pre>
<p>where the '|' separates aliases of a printer. The fact that the second alias has a space in it gives a hint to Samba that it's a comment.
</p>
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
Under AIX the default printcap name is <code class="filename">/etc/qconfig</code>. Samba will assume the file is in AIX <code class="filename">qconfig</code> format if the string <code class="filename">qconfig</code> appears in the printcap filename.
</p></div>
<p>Default: <span class="emphasis"><em><em class="parameter"><code>printcap name</code></em> = <code class="literal">/etc/printcap</code></em></span></p>
<p>Example: <span class="emphasis"><em><em class="parameter"><code>printcap name</code></em> = <code class="literal">/etc/myprintcap</code></em></span></p></dd>
<dt><span class="term"><a name="PRINTCOMMAND"></a>print command (S)</span></dt><dd><p>After a print job has finished spooling to a service, this command will be used via a <code class="literal">system()</code> call to process the spool file. Typically the command specified will submit the spool file to the host's printing subsystem, but there is no requirement that this be the case. The server will not remove the spool file, so whatever command you specify should remove the spool file when it has been processed, otherwise you will need to manually remove old spool files.</p>
<p>The print command is simply a text string.
It will be used verbatim after macro substitutions have been made:</p>
<p>%s, %f - the path to the spool file name</p>
<p>%p - the appropriate printer name</p>
<p>%J - the job name as transmitted by the client.</p>
<p>%c - The number of printed pages of the spooled job (if known).</p>
<p>%z - the size of the spooled print job (in bytes)</p>
<p>The print command <span class="emphasis"><em>MUST</em></span> contain at least one occurrence of <em class="parameter"><code>%s</code></em> or <em class="parameter"><code>%f</code></em> - the <em class="parameter"><code>%p</code></em> is optional. At the time a job is submitted, if no printer name is supplied the <em class="parameter"><code>%p</code></em> will be silently removed from the printer command.</p>
<p>If specified in the [global] section, the print command given will be used for any printable service that does not have its own print command specified.</p>
<p>If there is neither a specified print command for a printable service nor a global print command, spool files will be created but not processed and (most importantly) not removed.</p>
<p>Note that printing may fail on some UNIXes from the <code class="constant">nobody</code> account. If this happens then create an alternative guest account that can print and set the <a class="indexterm" name="id321038"></a>guest account in the [global] section.</p>
<p>You can form quite complex print commands by realizing that they are just passed to a shell. For example the following will log a print job, print the file, then remove it. Note that ';' is the usual separator for commands in shell scripts.</p>
<p><code class="literal">print command = echo Printing %s >> /tmp/print.log; lpr -P %p %s; rm %s</code></p>
<p>You may have to vary this command considerably depending on how you normally print files on your system.
The default for the parameter varies depending on the setting of the <a class="indexterm" name="id321064"></a>printing parameter.</p>
<p>Default: For <code class="literal">printing = BSD, AIX, QNX, LPRNG or PLP :</code></p>
<p><code class="literal">print command = lpr -r -P%p %s</code></p>
<p>For <code class="literal">printing = SYSV or HPUX :</code></p>
<p><code class="literal">print command = lp -c -d%p %s; rm %s</code></p>
<p>For <code class="literal">printing = SOFTQ :</code></p>
<p><code class="literal">print command = lp -d%p -s %s; rm %s</code></p>
<p>For printing = CUPS : If SAMBA is compiled against libcups, then <a class="indexterm" name="id321121"></a>printcap = cups uses the CUPS API to submit jobs, etc. Otherwise it maps to the System V commands with the -oraw option for printing, i.e. it uses <code class="literal">lp -c -d%p -oraw; rm %s</code>. With <code class="literal">printing = cups</code>, and if SAMBA is compiled against libcups, any manually set print command will be ignored.</p>
<p><span class="emphasis"><em>No default</em></span></p>
<p>Example: <span class="emphasis"><em><em class="parameter"><code>print command</code></em> = <code class="literal">/usr/local/samba/bin/myprintscript %p %s</code></em></span></p></dd>
<dt><span class="term"><a name="PRINTERADMIN"></a>printer admin (S)</span></dt><dd><p>
This lists users who can do anything to printers via the remote administration interfaces offered by MS-RPC (usually using an NT workstation). This parameter can be set per-share or globally. Note: The root user always has admin rights. Use caution with use in the global stanza as this can cause side effects.
</p>
<p>This parameter has been marked deprecated in favor of using the SePrintOperatorPrivilege and individual print security descriptors. It will be removed in a future release.
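</p>
<p>The <code class="literal">print command</code> example above names a script, <code class="filename">myprintscript</code>, without showing one. The following Python script is an added example of what such a script could do, not code from Samba or from this manual page: it re-validates the <em class="parameter"><code>%p</code></em> and <em class="parameter"><code>%s</code></em> values it receives as arguments, submits the job without a further shell, and removes the spool file because the server never does. <code class="literal">SPOOL_DIR</code>, the printer-name pattern and the exit codes are assumptions of this example.</p>

```python
import os
import re
import subprocess
import sys

SPOOL_DIR = "/var/spool/samba"                     # assumption: the printable share's path
PRINTER_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")   # assumption: local printer naming policy


def lpr_submit(argv):
    """Run the print client directly, with no shell; return its exit status."""
    return subprocess.run(argv, check=False).returncode


def handle_job(printer, spool_file, spool_dir=SPOOL_DIR, submit=lpr_submit):
    """Validate %p and %s, submit the job, then remove the spool file.

    Returns 0 on success, 2-4 for rejected input, or the print client's
    own non-zero status when submission fails.
    """
    if not PRINTER_RE.fullmatch(printer) or printer.startswith("-"):
        return 2                       # unexpected characters or option-like name
    root = os.path.realpath(spool_dir)
    real = os.path.realpath(spool_file)
    if os.path.commonpath([root, real]) != root:
        return 3                       # resolves outside the spool directory
    if os.path.islink(spool_file) or not os.path.isfile(real):
        return 4                       # symlink, directory or missing file
    status = submit(["lpr", "-P", printer, real])
    if status != 0:
        return status                  # keep the spool file for inspection
    os.remove(real)                    # smbd does not remove spool files itself
    return 0


if __name__ == "__main__":
    # Invoked as: print command = /usr/local/samba/bin/myprintscript %p %s
    if len(sys.argv) != 3:
        sys.exit(64)
    sys.exit(handle_job(sys.argv[1], sys.argv[2]))
```

<p>A job that is rejected or fails to submit leaves its spool file in place, so the spool directory still needs periodic cleanup.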
</p>
<p>Default: <span class="emphasis"><em><em class="parameter"><code>printer admin</code></em> = <code class="literal"></code></em></span></p>
<p>Example: <span class="emphasis"><em><em class="parameter"><code>printer admin</code></em> = <code class="literal">admin, @staff</code></em></span></p></dd>
<dt><span class="term"><a name="PRINTER"></a>printer</span></dt><dd><p>This parameter is a synonym for printer name.</p></dd>
<dt><span class="term"><a name="PRINTERNAME"></a>printer name (S)</span></dt><dd><p>
This parameter specifies the name of the printer to which print jobs spooled through a printable service will be sent.
</p>
<p>If specified in the [global] section, the printer name given will be used for any printable service that does not have its own printer name specified.
</p>
<p>The default value of the <a class="indexterm" name="id321277"></a>printer name may be <code class="literal">lp</code> on many systems.
</p>
<p>Default: <span class="emphasis"><em><em class="parameter"><code>printer name</code></em> = <code class="literal">none</code></em></span></p>
<p>Example: <span class="emphasis"><em><em class="parameter"><code>printer name</code></em> = <code class="literal">laserwriter</code></em></span></p></dd>
<dt><span class="term"><a name="PRINTING"></a>printing (S)</span></dt><dd><p>This parameter controls how printer status information is interpreted on your system. It also affects the default values for the <em class="parameter"><code>print command</code></em>, <em class="parameter"><code>lpq command</code></em>, <em class="parameter"><code>lppause command</code></em>, <em class="parameter"><code>lpresume command</code></em>, and <em class="parameter"><code>lprm command</code></em> if specified in the [global] section.</p>
<p>Currently nine printing styles are supported.
They are <code class="constant">BSD</code>, <code class="constant">AIX</code>, <code class="constant">LPRNG</code>, <code class="constant">PLP</code>, <code class="constant">SYSV</code>, <code class="constant">HPUX</code>, <code class="constant">QNX</code>, <code class="constant">SOFTQ</code>, and <code class="constant">CUPS</code>.</p>
<p>To see what the defaults are for the other print commands when using the various options use the <a href="testparm.1.html"><span class="citerefentry"><span class="refentrytitle">testparm</span>(1)</span></a> program.</p>
<p>This option can be set on a per printer basis. Please be aware however, that you must place any of the various printing commands (e.g. print command, lpq command, etc...) after defining the value for the <em class="parameter"><code>printing</code></em> option since it will reset the printing commands to default values.</p>
<p>See also the discussion in the <a href="#PRINTERSSECT" title="The [printers] section">[printers]</a> section.</p>
<p><span class="emphasis"><em>No default</em></span></p></dd>
<dt><span class="term"><a name="PRINTJOBUSERNAME"></a>printjob username (S)</span></dt><dd><p>This parameter specifies which user information will be passed to the printing system. Usually, the username is sent, but in some cases the domain prefix, for example, is useful too.</p>
<p>Default: <span class="emphasis"><em><em class="parameter"><code>printjob username</code></em> = <code class="literal">%U</code></em></span></p>
<p>Example: <span class="emphasis"><em><em class="parameter"><code>printjob username</code></em> = <code class="literal">%D\%U</code></em></span></p></dd>
<dt><span class="term"><a name="PRIVATEDIR"></a>private dir (G)</span></dt><dd><p>This parameter defines the directory smbd will use for storing such files as <code class="filename">smbpasswd</code> and <code class="filename">secrets.tdb</code>.
</p>
<p>Default: <span class="emphasis"><em><em class="parameter"><code>private dir</code></em> = <code class="literal">${prefix}/private</code></em></span></p></dd>
<dt><span class="term"><a name="PROFILEACLS"></a>profile acls (S)</span></dt><dd><p>
This boolean parameter was added to fix the problems that people have been having with storing user profiles on Samba shares from Windows 2000 or Windows XP clients. New versions of Windows 2000 or Windows XP service packs do security ACL checking on the owner and ability to write of the profile directory stored on a local workstation when copied from a Samba share.
</p>
<p>When not in domain mode with winbindd then the security info copied onto the local workstation has no meaning to the logged in user (SID) on that workstation so the profile storing fails. Adding this parameter onto a share used for profile storage changes two things about the returned Windows ACL. Firstly it changes the owner and group owner of all reported files and directories to be BUILTIN\\Administrators, BUILTIN\\Users respectively (SIDs S-1-5-32-544, S-1-5-32-545). Secondly it adds an ACE entry of "Full Control" to the SID BUILTIN\\Users to every returned ACL. This will allow any Windows 2000 or XP workstation user to access the profile.
</p>
<p>Note that if you have multiple users logging on to a workstation then in order to prevent them from being able to access each other's profiles you must remove the "Bypass traverse checking" advanced user right. This will prevent access to other users' profile directories as the top level profile directory (named after the user) is created by the workstation profile code and has an ACL restricting entry to the directory tree to the owning user.
</p>
<p>Default: <span class="emphasis"><em><em class="parameter"><code>profile acls</code></em> = <code class="literal">no</code></em></span></p></dd>
<dt><span class="term"><a name="QUEUEPAUSECOMMAND"></a>queuepause command (S)</span></dt><dd><p>This parameter specifies the command to be executed on the server host in order to pause the printer queue.</p>
<p>This command should be a program or script which takes a printer name as its only parameter and stops the printer queue, such that jobs are no longer submitted to the printer.</p>
<p>This command is not supported by Windows for Workgroups, but can be issued from the Printers window under Windows 95 and NT.</p>
<p>If a <em class="parameter"><code>%p</code></em> is given then the printer name is put in its place. Otherwise it is placed at the end of the command.
</p>
<p>Note that it is good practice to include the absolute path in the command as the PATH may not be available to the server.</p>
<p><span class="emphasis"><em>No default</em></span></p>
<p>Example: <span class="emphasis"><em><em class="parameter"><code>queuepause command</code></em> = <code class="literal">disable %p</code></em></span></p></dd>
<dt><span class="term"><a name="QUEUERESUMECOMMAND"></a>queueresume command (S)</span></dt><dd><p>This parameter specifies the command to be executed on the server host in order to resume the printer queue.
It is the command to undo the behavior that is caused by the previous parameter (<a class="indexterm" name="id321707"></a>queuepause command).</p>
<p>This command should be a program or script which takes a printer name as its only parameter and resumes the printer queue, such that queued jobs are resubmitted to the printer.</p>
<p>This command is not supported by Windows for Workgroups, but can be issued from the Printers window under Windows 95 and NT.</p>
<p>If a <em class="parameter"><code>%p</code></em> is given then the printer name is put in its place. Otherwise it is placed at the end of the command.</p>
<p>Note that it is good practice to include the absolute path in the command as the PATH may not be available to the server.</p>
<p>Default: <span class="emphasis"><em><em class="parameter"><code>queueresume command</code></em> = <code class="literal"></code></em></span></p>
<p>Example: <span class="emphasis"><em><em class="parameter"><code>queueresume command</code></em> = <code class="literal">enable %p</code></em></span></p></dd>
<dt><span class="term"><a name="READBMPX"></a>read bmpx (G)</span></dt><dd><p>This boolean parameter controls whether <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> will support the "Read Block Multiplex" SMB. This is now rarely used and defaults to <code class="constant">no</code>. You should never need to set this parameter.</p>
<p>Default: <span class="emphasis"><em><em class="parameter"><code>read bmpx</code></em> = <code class="literal">no</code></em></span></p></dd>
<dt><span class="term"><a name="READLIST"></a>read list (S)</span></dt><dd><p>
This is a list of users that are given read-only access to a service.
If the connecting user is in this list then they will not be given write access, no matter what the <a class="indexterm" name="id321844"></a>read only option is set to. The list can include group names using the syntax described in the <a class="indexterm" name="id321852"></a>invalid users parameter.
</p>
<p>This parameter will not work with the <a class="indexterm" name="id321862"></a>security = share in Samba 3.0. This is by design.</p>
<p>Default: <span class="emphasis"><em><em class="parameter"><code>read list</code></em> = <code class="literal"></code></em></span></p>
<p>Example: <span class="emphasis"><em><em class="parameter"><code>read list</code></em> = <code class="literal">mary, @students</code></em></span></p></dd>
<dt><span class="term"><a name="READONLY"></a>read only (S)</span></dt><dd><p>An inverted synonym is <a class="indexterm" name="id321924"></a>writeable.</p>
<p>If this parameter is <code class="constant">yes</code>, then users of a service may not create or modify files in the service's directory.</p>
<p>Note that a printable service (<code class="literal">printable = yes</code>) will <span class="emphasis"><em>ALWAYS</em></span> allow writing to the directory (user privileges permitting), but only via spooling operations.</p>
<p>Default: <span class="emphasis"><em><em class="parameter"><code>read only</code></em> = <code class="literal">yes</code></em></span></p></dd>
<dt><span class="term"><a name="READRAW"></a>read raw (G)</span></dt><dd><p>This parameter controls whether or not the server will support the raw read SMB requests when transferring data to clients.</p>
<p>If enabled, raw reads allow reads of 65535 bytes in one packet. This typically provides a major performance benefit.
</p>
<p>However, some clients either negotiate the allowable block size incorrectly or are incapable of supporting larger block sizes, and for these clients you may need to disable raw reads.</p>
<p>In general this parameter should be viewed as a system tuning tool and left severely alone.</p>
<p>Default: <span class="emphasis"><em><em class="parameter"><code>read raw</code></em> = <code class="literal">yes</code></em></span></p></dd>
<dt><span class="term"><a name="REALM"></a>realm (G)</span></dt><dd><p>This option specifies the Kerberos realm to use. The realm is used as the ADS equivalent of the NT4 <code class="literal">domain</code>. It is usually set to the DNS name of the Kerberos server.
</p>
<p>Default: <span class="emphasis"><em><em class="parameter"><code>realm</code></em> = <code class="literal"></code></em></span></p>
<p>Example: <span class="emphasis"><em><em class="parameter"><code>realm</code></em> = <code class="literal">mysambabox.mycompany.com</code></em></span></p></dd>
<dt><span class="term"><a name="REMOTEANNOUNCE"></a>remote announce (G)</span></dt><dd><p>
This option allows you to set up <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a> to periodically announce itself to arbitrary IP addresses with an arbitrary workgroup name.
</p>
<p>This is useful if you want your Samba server to appear in a remote workgroup for which the normal browse propagation rules don't work. The remote workgroup can be anywhere that you can send IP packets to.
</p>
<p>For example:</p>
<pre class="programlisting">
<code class="literal">remote announce = 192.168.2.255/SERVERS 192.168.4.255/STAFF</code>
</pre>
<p>the above line would cause <code class="literal">nmbd</code> to announce itself to the two given IP addresses using the given workgroup names.
If you leave out the workgroup name then the one given in the <a class="indexterm" name="id322141"></a>workgroup parameter is used instead.
</p>
<p>The IP addresses you choose would normally be the broadcast addresses of the remote networks, but can also be the IP addresses of known browse masters if your network config is that stable.
</p>
<p>See the chapter on Network Browsing in the Samba-HOWTO book.
</p>
<p>Default: <span class="emphasis"><em><em class="parameter"><code>remote announce</code></em> = <code class="literal"></code></em></span></p></dd>
<dt><span class="term"><a name="REMOTEBROWSESYNC"></a>remote browse sync (G)</span></dt><dd><p>
This option allows you to set up <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a> to periodically request synchronization of browse lists with the master browser of a Samba server that is on a remote segment. This option will allow you to gain browse lists for multiple workgroups across routed networks. This is done in a manner that does not work with any non-Samba servers.
</p>
<p>This is useful if you want your Samba server and all local clients to appear in a remote workgroup for which the normal browse propagation rules don't work. The remote workgroup can be anywhere that you can send IP packets to.
</p>
<p>For example:</p>
<pre class="programlisting">
<em class="parameter"><code>remote browse sync = 192.168.2.255 192.168.4.255</code></em>
</pre>
<p>the above line would cause <code class="literal">nmbd</code> to request the master browser on the specified subnets or addresses to synchronize their browse lists with the local server.
</p><p>
The IP addresses you choose would normally be the broadcast
addresses of the remote networks, but can also be the IP addresses
of known browse masters if your network config is that stable. If
a machine IP address is given Samba makes NO attempt to validate
that the remote machine is available, is listening, nor that it
is in fact the browse master on its segment.
</p><p>
The <a class="indexterm" name="id322243"></a>remote browse sync parameter may be used on networks
where there is no WINS server, and may be used on disjoint networks where
each network has its own WINS server.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>remote browse sync</code></em> = <code class="literal"></code>
</em></span>
</p></dd><dt><span class="term"><a name="RENAMEUSERSCRIPT"></a>rename user script (G)</span></dt><dd><p>
This is the full pathname to a script that will be run as root by <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> under special circumstances described below.
</p><p>
When a user with admin authority or SeAddUserPrivilege rights renames a user (e.g.: from the NT4 User Manager
for Domains), this script will be run to rename the POSIX user. Two variables, <code class="literal">%uold</code> and
<code class="literal">%unew</code>, will be substituted with the old and new usernames, respectively. The script should
return 0 upon successful completion, and nonzero otherwise.
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
The script has all responsibility to rename all the necessary data that is accessible in this POSIX method.
This can mean different requirements for different backends.
The tdbsam and smbpasswd backends will take care
of the contents of their respective files, so the script is responsible only for changing the POSIX username, and
other data that may be required for your circumstances, such as home directory. Please also consider whether or
not you need to rename the actual home directories themselves. The ldapsam backend will not make any changes,
because of the potential issues with renaming the LDAP naming attribute. In this case the script is
responsible for changing the attribute that Samba uses (uid) for locating users, as well as any data that
needs to change for other applications using the same directory.
</p></div><p>Default: <span class="emphasis"><em><em class="parameter"><code>rename user script</code></em> = <code class="literal">no</code>
</em></span>
</p></dd><dt><span class="term"><a name="RESETONZEROVC"></a>reset on zero vc (G)</span></dt><dd><p>
This boolean option controls whether an incoming session setup
should kill other connections coming from the same IP. This matches
the default Windows 2003 behaviour.

Setting this parameter to yes becomes necessary when you have a flaky
network and Windows decides to reconnect while the old connection
still has files with share modes open. These files become inaccessible
over the new connection.

The client sends a zero VC on the new connection, and Windows 2003
kills all other connections coming from the same IP. This way the
locked files are accessible again.

Please be aware that enabling this option will kill connections behind
a masquerading router.

</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>reset on zero vc</code></em> = <code class="literal">no</code>
</em></span>
</p></dd><dt><span class="term"><a name="RESTRICTANONYMOUS"></a>restrict anonymous (G)</span></dt><dd><p>The setting of this parameter determines whether user and
group list information is returned for an anonymous connection,
and mirrors the effects of the
</p><pre class="programlisting">
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
           Control\LSA\RestrictAnonymous
</pre><p>
registry key in Windows 2000 and Windows NT. When set to 0, user
and group list information is returned to anyone who asks. When set
to 1, only an authenticated user can retrieve user and
group list information. For the value 2, supported by
Windows 2000/XP and Samba, no anonymous connections are allowed at
all. This can break third party and Microsoft
applications which expect to be allowed to perform
operations anonymously.</p><p>
The security advantage of using restrict anonymous = 1 is dubious,
as user and group list information can be obtained using other
means.
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
The security advantage of using restrict anonymous = 2 is removed
by setting <a class="indexterm" name="id322431"></a>guest ok = yes on any share.
</p></div><p>Default: <span class="emphasis"><em><em class="parameter"><code>restrict anonymous</code></em> = <code class="literal">0</code>
</em></span>
</p></dd><dt><span class="term"><a name="ROOT"></a>root</span></dt><dd><p>This parameter is a synonym for root directory.</p></dd><dt><span class="term"><a name="ROOTDIR"></a>root dir</span></dt><dd><p>This parameter is a synonym for root directory.</p></dd><dt><span class="term"><a name="ROOTDIRECTORY"></a>root directory (G)</span></dt><dd><p>The server will <code class="literal">chroot()</code> (i.e.
change its root directory) to this directory on startup. This is
not strictly necessary for secure operation. Even without it the
server will deny access to files not in one of the service entries.
It may also check for, and deny access to, soft links to other
parts of the filesystem, or attempts to use ".." in file names
to access other directories (depending on the setting of the
<a class="indexterm" name="id322529"></a>wide links parameter).
</p><p>Adding a <em class="parameter"><code>root directory</code></em> entry other
than "/" adds an extra level of security, but at a price. It
absolutely ensures that no access is given to files not in the
sub-tree specified in the <em class="parameter"><code>root directory</code></em>
option, <span class="emphasis"><em>including</em></span> some files needed for
complete operation of the server. To maintain full operability
of the server you will need to mirror some system files
into the <em class="parameter"><code>root directory</code></em> tree. In particular
you will need to mirror <code class="filename">/etc/passwd</code> (or a
subset of it), and any binaries or configuration files needed for
printing (if required).
The set of files that must be mirrored is
operating system dependent.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>root directory</code></em> = <code class="literal">/</code>
</em></span>
</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>root directory</code></em> = <code class="literal">/homes/smb</code>
</em></span>
</p></dd><dt><span class="term"><a name="ROOTPOSTEXEC"></a>root postexec (S)</span></dt><dd><p>
This is the same as the <em class="parameter"><code>postexec</code></em>
parameter except that the command is run as root. This is useful for
unmounting filesystems (such as CDROMs) after a connection is closed.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>root postexec</code></em> = <code class="literal"></code>
</em></span>
</p></dd><dt><span class="term"><a name="ROOTPREEXEC"></a>root preexec (S)</span></dt><dd><p>
This is the same as the <em class="parameter"><code>preexec</code></em>
parameter except that the command is run as root. This is useful for
mounting filesystems (such as CDROMs) when a connection is opened.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>root preexec</code></em> = <code class="literal"></code>
</em></span>
</p></dd><dt><span class="term"><a name="ROOTPREEXECCLOSE"></a>root preexec close (S)</span></dt><dd><p>This is the same as the <em class="parameter"><code>preexec close</code></em> parameter except that the command is run as root.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>root preexec close</code></em> = <code class="literal">no</code>
</em></span>
</p></dd><dt><span class="term"><a name="SECURITY"></a>security (G)</span></dt><dd><p>This option affects how clients respond to
Samba and is one of the most important settings in the <code class="filename">smb.conf</code> file.</p><p>The option sets the "security mode bit" in replies to
protocol negotiations with <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> to turn share level security on or off. Clients decide
based on this bit whether (and how) to transfer user and password
information to the server.</p><p>The default is <code class="literal">security = user</code>, as this is
the most common setting needed when talking to Windows 98 and
Windows NT.</p><p>The alternatives are <code class="literal">security = share</code>,
<code class="literal">security = server</code> or <code class="literal">security = domain</code>.</p><p>In versions of Samba prior to 2.0.0, the default was
<code class="literal">security = share</code> mainly because that was
the only option at one stage.</p><p>There is a bug in WfWg that has relevance to this
setting. When in user or server level security a WfWg client
will totally ignore the username and password you type in the "connect
drive" dialog box.
This makes it very difficult (if not impossible)
to connect to a Samba service as anyone except the user that
you are logged into WfWg as.</p><p>If your PCs use usernames that are the same as their
usernames on the UNIX machine then you will want to use
<code class="literal">security = user</code>. If you mostly use usernames
that don't exist on the UNIX box then use <code class="literal">security = share</code>.</p><p>You should also use <code class="literal">security = share</code> if you
mainly want to set up shares without a password (guest shares). This
is commonly used for a shared printer server. It is more difficult
to set up guest shares with <code class="literal">security = user</code>, see
the <a class="indexterm" name="id322862"></a>map to guest parameter for details.</p><p>It is possible to use <code class="literal">smbd</code> in a <span class="emphasis"><em>hybrid mode</em></span> where it offers both user and share
level security under different <a class="indexterm" name="id322883"></a>NetBIOS aliases. </p><p>The different settings will now be explained.</p><p><a name="SECURITYEQUALSSHARE"></a><span class="emphasis"><em>SECURITY = SHARE</em></span></p><p>When clients connect to a share level security server they
need not log onto the server with a valid username and password before
attempting to connect to a shared resource (although modern clients
such as Windows 95/98 and Windows NT will send a logon request with
a username but no password when talking to a <code class="literal">security = share</code> server).
Instead, the clients send authentication information
(passwords) on a per-share basis, at the time they attempt to connect
to that share.</p><p>Note that <code class="literal">smbd</code> <span class="emphasis"><em>ALWAYS</em></span>
uses a valid UNIX user to act on behalf of the client, even in
<code class="literal">security = share</code> level security.</p><p>As clients are not required to send a username to the server
in share level security, <code class="literal">smbd</code> uses several
techniques to determine the correct UNIX user to use on behalf
of the client.</p><p>A list of possible UNIX usernames to match with the given
client password is constructed using the following methods:</p><div class="itemizedlist"><ul type="disc"><li><p>If the <a class="indexterm" name="id322959"></a>guest only parameter is set, then all the other
stages are skipped and only the <a class="indexterm" name="id322966"></a>guest account username is checked.
</p></li><li><p>If a username is sent with the share connection
request, then this username (after mapping - see <a class="indexterm" name="id322981"></a>username map),
is added as a potential username.
</p></li><li><p>If the client did a previous <span class="emphasis"><em>logon</em></span> request (the SessionSetup SMB call) then the
username sent in this SMB will be added as a potential username.
</p></li><li><p>The name of the service the client requested is
added as a potential username.
</p></li><li><p>The NetBIOS name of the client is added to
the list as a potential username.
</p></li><li><p>Any users on the <a class="indexterm" name="id323021"></a>user list are added as potential usernames.
</p></li></ul></div><p>If the <em class="parameter"><code>guest only</code></em> parameter is
not set, this list is then tried with the supplied password.
The first user for whom the password matches will be used as the
UNIX user.</p><p>If the <em class="parameter"><code>guest only</code></em> parameter is
set, or no username can be determined then if the share is marked
as available to the <em class="parameter"><code>guest account</code></em>, then this
guest user will be used, otherwise access is denied.</p><p>Note that it can be <span class="emphasis"><em>very</em></span> confusing
in share-level security as to which UNIX username will eventually
be used in granting access.</p><p>See also the section <a href="#VALIDATIONSECT" title="NOTE ABOUT USERNAME/PASSWORD VALIDATION">NOTE ABOUT USERNAME/PASSWORD VALIDATION</a>.</p><p><a name="SECURITYEQUALSUSER"></a><span class="emphasis"><em>SECURITY = USER</em></span></p><p>This is the default security setting in Samba 3.0.
With user-level security a client must first "log-on" with a
valid username and password (which can be mapped using the <a class="indexterm" name="id323090"></a>username map
parameter). Encrypted passwords (see the <a class="indexterm" name="id323098"></a>encrypted passwords parameter) can also
be used in this security mode. Parameters such as <a class="indexterm" name="id323106"></a>user and <a class="indexterm" name="id323113"></a>guest only if set are then applied and
may change the UNIX user to use on this connection, but only after
the user has been successfully authenticated.</p><p><span class="emphasis"><em>Note</em></span> that the name of the resource being
requested is <span class="emphasis"><em>not</em></span> sent to the server until after
the server has successfully authenticated the client. This is why
guest shares don't work in user level security without allowing
the server to automatically map unknown users into the <a class="indexterm" name="id323132"></a>guest account.
See the <a class="indexterm" name="id323140"></a>map to guest parameter for details on doing this.</p><p>See also the section <a href="#VALIDATIONSECT" title="NOTE ABOUT USERNAME/PASSWORD VALIDATION">NOTE ABOUT USERNAME/PASSWORD VALIDATION</a>.</p><p><a name="SECURITYEQUALSDOMAIN"></a><span class="emphasis"><em>SECURITY = DOMAIN</em></span></p><p>This mode will only work correctly if <a href="net.8.html"><span class="citerefentry"><span class="refentrytitle">net</span>(8)</span></a> has been used to add this
machine into a Windows NT Domain. It expects the <a class="indexterm" name="id323178"></a>encrypted passwords
parameter to be set to <code class="constant">yes</code>. In this
mode Samba will try to validate the username/password by passing
it to a Windows NT Primary or Backup Domain Controller, in exactly
the same way that a Windows NT Server would do.</p><p><span class="emphasis"><em>Note</em></span> that a valid UNIX user must still
exist as well as the account on the Domain Controller to allow
Samba to have a valid UNIX account to map file access to.</p><p><span class="emphasis"><em>Note</em></span> that from the client's point
of view <code class="literal">security = domain</code> is the same
as <code class="literal">security = user</code>. It only
affects how the server deals with the authentication,
it does not in any way affect what the client sees.</p><p><span class="emphasis"><em>Note</em></span> that the name of the resource being
requested is <span class="emphasis"><em>not</em></span> sent to the server until after
the server has successfully authenticated the client. This is why
guest shares don't work in user level security without allowing
the server to automatically map unknown users into the <a class="indexterm" name="id323228"></a>guest account.
See the <a class="indexterm" name="id323235"></a>map to guest parameter for details on doing this.</p><p>See also the section <a href="#VALIDATIONSECT" title="NOTE ABOUT USERNAME/PASSWORD VALIDATION">NOTE ABOUT USERNAME/PASSWORD VALIDATION</a>.</p><p>See also the <a class="indexterm" name="id323256"></a>password server parameter and
the <a class="indexterm" name="id323264"></a>encrypted passwords parameter.</p><p><a name="SECURITYEQUALSSERVER"></a><span class="emphasis"><em>SECURITY = SERVER</em></span></p><p>
In this mode Samba will try to validate the username/password by passing it to another SMB server, such as an
NT box. If this fails it will revert to <code class="literal">security = user</code>. It expects the
<a class="indexterm" name="id323290"></a>encrypted passwords parameter to be set to <code class="constant">yes</code>, unless the remote
server does not support them. However note that if encrypted passwords have been negotiated then Samba cannot
revert back to checking the UNIX password file, it must have a valid <code class="filename">smbpasswd</code> file to check users against. See the chapter about the User Database in
the Samba HOWTO Collection for details on how to set this up.
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>This mode of operation has
significant pitfalls since it is more vulnerable to
man-in-the-middle attacks and server impersonation. In particular,
this mode of operation can cause significant resource consumption on
the PDC, as it must maintain an active connection for the duration
of the user's session. Furthermore, if this connection is lost,
there is no way to reestablish it, and further authentications to the
Samba server may fail (from a single client, till it disconnects).
</p></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>From the client's point of
view <code class="literal">security = server</code> is the
same as <code class="literal">security = user</code>. It
only affects how the server deals with the authentication, it does
not in any way affect what the client sees.</p></div><p><span class="emphasis"><em>Note</em></span> that the name of the resource being
requested is <span class="emphasis"><em>not</em></span> sent to the server until after
the server has successfully authenticated the client. This is why
guest shares don't work in user level security without allowing
the server to automatically map unknown users into the <a class="indexterm" name="id323348"></a>guest account.
See the <a class="indexterm" name="id323355"></a>map to guest parameter for details on doing this.</p><p>See also the section <a href="#VALIDATIONSECT" title="NOTE ABOUT USERNAME/PASSWORD VALIDATION">NOTE ABOUT USERNAME/PASSWORD VALIDATION</a>.</p><p>See also the <a class="indexterm" name="id323376"></a>password server parameter and the
<a class="indexterm" name="id323383"></a>encrypted passwords parameter.</p><p><a name="SECURITYEQUALSADS"></a><span class="emphasis"><em>SECURITY = ADS</em></span></p><p>In this mode, Samba will act as a domain member in an ADS realm. To operate
in this mode, the machine running Samba will need to have Kerberos installed
and configured and Samba will need to be joined to the ADS realm using the
net utility. </p><p>Note that this mode does NOT make Samba operate as an Active Directory Domain
Controller.
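</p><p>The interactions described above for <code class="literal">restrict anonymous</code>, <code class="literal">guest ok</code> and the <code class="literal">security</code> modes can be checked mechanically. The following Python code is an added example, not part of the Samba distribution: it parses a configuration using the rules from the FILE FORMAT section and reports those combinations. The function names, finding codes and sample configuration are constructed for illustration, and it assumes that <code class="literal">guest ok</code> defaults to <code class="literal">no</code> and has <code class="literal">public</code> as a synonym.</p>

```python
import re

# Constructed sample configuration for this example (not from a real host).
SAMPLE = r"""
; comment lines start with ';' or '#'
[Global]
   Restrict  Anonymous = 2
   security = SERVER
   server string = Files \
      and printers

[scans]
   path = /srv/scans
   Guest OK = Yes

[payroll]
   path = /srv/payroll
   public = no
"""

SYNONYMS = {"public": "guestok"}   # assumption: "public" is a synonym of "guest ok"
TRUE, FALSE = {"yes", "true", "1"}, {"no", "false", "0"}


def squash(name):
    """Section and parameter names ignore case and all whitespace."""
    return re.sub(r"\s+", "", name).lower()


def logical_lines(text):
    """Yield stripped lines, dropping comments and blanks, joining '\\' continuations."""
    buf = None
    for raw in text.splitlines():
        if buf is None:
            first = raw.strip()
            if not first or first[0] in ";#":
                continue
            buf = ""
        buf += raw
        if buf.rstrip().endswith("\\"):
            buf = buf.rstrip()[:-1]        # drop the backslash, keep reading
            continue
        yield buf.strip()
        buf = None
    if buf is not None and buf.strip():
        yield buf.strip()                  # file ended on a continuation


def parse_smb_conf(text):
    """Return {section: {parameter: value}} with normalised names."""
    sections, current = {}, None
    for line in logical_lines(text):
        if line.startswith("["):
            end = line.find("]")
            if end == -1:
                raise ValueError(f"unterminated section header: {line!r}")
            current = sections.setdefault(squash(line[1:end]), {})
            continue
        name, sep, value = line.partition("=")   # only the first '=' is significant
        if sep and current is not None:
            key = squash(name)
            current[SYNONYMS.get(key, key)] = value.strip()
    return sections


def as_bool(value):
    """Booleans may be yes/no, true/false or 1/0, in any case."""
    v = value.strip().lower()
    if v in TRUE:
        return True
    if v in FALSE:
        return False
    raise ValueError(f"not a boolean: {value!r}")


def audit(text):
    """Return a list of (code, detail) findings for the settings discussed above."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    findings = []

    # A share-level parameter set in [global] is the default for every share.
    guest_default = glob.get("guestok", "no")
    guest_shares = sorted(
        name for name, params in conf.items()
        if name != "global" and as_bool(params.get("guestok", guest_default))
    )

    restrict = int(glob.get("restrictanonymous", "0"))
    if restrict == 2 and guest_shares:
        findings.append(("RESTRICT_ANON_NEGATED",
                         "restrict anonymous = 2 loses its security advantage while "
                         "guest ok = yes on: " + ", ".join(guest_shares)))
    elif restrict == 1:
        findings.append(("RESTRICT_ANON_WEAK",
                         "user and group lists can still be obtained by other means"))

    mode = glob.get("security", "user").lower()
    if mode == "server":
        findings.append(("SECURITY_SERVER",
                         "pass-through authentication is more vulnerable to "
                         "man-in-the-middle attacks and server impersonation"))
    elif mode == "share":
        findings.append(("SECURITY_SHARE",
                         "the UNIX user finally used for a connection is hard to predict"))
    return findings


if __name__ == "__main__":
    for code, detail in audit(SAMPLE):
        print(f"{code}: {detail}")
```

<p>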
</p><p>Read the chapter about Domain Membership in the HOWTO for details.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>security</code></em> = <code class="literal">USER</code>
</em></span>
</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>security</code></em> = <code class="literal">DOMAIN</code>
</em></span>
</p></dd><dt><span class="term"><a name="SECURITYMASK"></a>security mask (S)</span></dt><dd><p>
This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating the
UNIX permission on a file using the native NT security dialog box.
</p><p>
This parameter is applied as a mask (AND'ed with) to the changed permission bits, thus preventing any bits not
in this mask from being modified. Make sure not to mix up this parameter with <a class="indexterm" name="id323475"></a>force security mode, which works in a manner similar to this one but uses a logical OR instead of an AND.
</p><p>
Essentially, zero bits in this mask may be treated as a set of bits the user is not allowed to change.
</p><p>
If not set explicitly this parameter is 0777, allowing a user to modify all the user/group/world permissions on a file.
</p><p><span class="emphasis"><em>
Note</em></span> that users who can access the Samba server through other means can easily bypass this
restriction, so it is primarily useful for standalone "appliance" systems. Administrators of
most normal systems will probably want to leave it set to <code class="constant">0777</code>.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>security mask</code></em> = <code class="literal">0777</code>
</em></span>
</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>security mask</code></em> = <code class="literal">0770</code>
</em></span>
</p></dd><dt><span class="term"><a name="SERVERSCHANNEL"></a>server schannel (G)</span></dt><dd><p>
This controls whether the server offers or even demands the use of the netlogon schannel.
<a class="indexterm" name="id323559"></a>server schannel = no does not offer the schannel, <a class="indexterm" name="id323566"></a>server schannel = auto offers the schannel but does not enforce it, and <a class="indexterm" name="id323574"></a>server schannel = yes denies access if the client is not able to speak netlogon schannel.
This is only the case for Windows NT4 before SP4.
</p><p>
Please note that with this set to <code class="literal">no</code> you will have to apply the Windows XP
<code class="filename">WinXP_SignOrSeal.reg</code> registry patch found in the docs/registry subdirectory of the Samba distribution tarball.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>server schannel</code></em> = <code class="literal">auto</code>
</em></span>
</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>server schannel</code></em> = <code class="literal">yes</code>
</em></span>
</p></dd><dt><span class="term"><a name="SERVERSIGNING"></a>server signing (G)</span></dt><dd><p>This controls whether the server offers or requires
the client it talks to to use SMB signing. Possible values
are <span class="emphasis"><em>auto</em></span>, <span class="emphasis"><em>mandatory</em></span>
and <span class="emphasis"><em>disabled</em></span>.
</p><p>When set to auto, SMB signing is offered, but not enforced.
When set to mandatory, SMB signing is required and if set
to disabled, SMB signing is not offered either.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>server signing</code></em> = <code class="literal">Disabled</code>
</em></span>
</p></dd><dt><span class="term"><a name="SERVERSTRING"></a>server string (G)</span></dt><dd><p>This controls what string will show up in the printer comment box in print
manager and next to the IPC connection in <code class="literal">net view</code>. It
can be any string that you wish to show to your users.</p><p>It also sets what will appear in browse lists next
to the machine name.</p><p>A <em class="parameter"><code>%v</code></em> will be replaced with the Samba
version number.</p><p>A <em class="parameter"><code>%h</code></em> will be replaced with the
hostname.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>server string</code></em> = <code class="literal">Samba %v</code>
</em></span>
</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>server string</code></em> = <code class="literal">University of GNUs Samba Server</code>
</em></span>
</p></dd><dt><span class="term"><a name="SETDIRECTORY"></a>set directory (S)</span></dt><dd><p>
If <code class="literal">set directory = no</code>, then users of the
service may not use the setdir command to change directory.
</p><p>
The <code class="literal">setdir</code> command is only implemented
in the Digital Pathworks client. See the Pathworks documentation
for details.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>set directory</code></em> = <code class="literal">no</code>
</em></span>
</p></dd><dt><span class="term"><a name="SETPRIMARYGROUPSCRIPT"></a>set primary group script (G)</span></dt><dd><p>Thanks to the Posix subsystem in NT a Windows User has a
primary group in addition to the auxiliary groups. This script
sets the primary group in the UNIX user database when an
administrator sets the primary group from the Windows User
Manager or when fetching a SAM with <code class="literal">net rpc
vampire</code>. <em class="parameter"><code>%u</code></em> will be replaced
with the user whose primary group is to be set.
<em class="parameter"><code>%g</code></em> will be replaced with the group to
set.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>set primary group script</code></em> = <code class="literal"></code>
</em></span>
</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>set primary group script</code></em> = <code class="literal">/usr/sbin/usermod -g '%g' '%u'</code>
</em></span>
</p></dd><dt><span class="term"><a name="SETQUOTACOMMAND"></a>set quota command (G)</span></dt><dd><p>The <code class="literal">set quota command</code> should only be used
whenever there is no operating system API available from the OS that
Samba can use.</p><p>This option is only available if Samba was configured with the argument <code class="literal">--with-sys-quotas</code> or
on Linux when <code class="literal">./configure --with-quotas</code> was used and a working quota API
was found in the system.
Most packages are configured with these options already.</p><p>This parameter should specify the path to a script that
can set quota for the specified arguments.</p><p>The specified script should take the following arguments:</p><div class="itemizedlist"><ul type="disc"><li><p>1 - quota type
</p><div class="itemizedlist"><ul type="circle"><li><p>1 - user quotas</p></li><li><p>2 - user default quotas (uid = -1)</p></li><li><p>3 - group quotas</p></li><li><p>4 - group default quotas (gid = -1)</p></li></ul></div><p>
</p></li><li><p>2 - id (uid for user, gid for group, -1 if N/A)</p></li><li><p>3 - quota state (0 = disable, 1 = enable, 2 = enable and enforce)</p></li><li><p>4 - block softlimit</p></li><li><p>5 - block hardlimit</p></li><li><p>6 - inode softlimit</p></li><li><p>7 - inode hardlimit</p></li><li><p>8 (optional) - block size, defaults to 1024</p></li></ul></div><p>The script should output at least one line of data on success, and nothing on failure.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>set quota command</code></em> = <code class="literal"></code>
</em></span>
</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>set quota command</code></em> = <code class="literal">/usr/local/sbin/set_quota</code>
</em></span>
</p></dd><dt><span class="term"><a name="SHAREMODES"></a>share modes (S)</span></dt><dd><p>This enables or disables the honoring of
the <em class="parameter"><code>share modes</code></em> during a file open.
These
modes are used by clients to gain exclusive read or write access
to a file.</p><p>These open modes are not directly supported by UNIX, so
they are simulated using shared memory, or lock files if your
UNIX doesn't support shared memory (almost all do).</p><p>The share modes that are enabled by this option are
<code class="constant">DENY_DOS</code>, <code class="constant">DENY_ALL</code>,
<code class="constant">DENY_READ</code>, <code class="constant">DENY_WRITE</code>,
<code class="constant">DENY_NONE</code> and <code class="constant">DENY_FCB</code>.
</p><p>This option gives full share compatibility and is enabled
by default.</p><p>You should <span class="emphasis"><em>NEVER</em></span> turn this parameter
off as many Windows applications will break if you do so.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>share modes</code></em> = <code class="literal">yes</code>
</em></span>
</p></dd><dt><span class="term"><a name="SHORTPRESERVECASE"></a>short preserve case (S)</span></dt><dd><p>
This boolean parameter controls if new files which conform to 8.3 syntax, that is all in upper case and of
suitable length, are created upper case, or if they are forced to be the <a class="indexterm" name="id324165"></a>default case.
This option can be used with <a class="indexterm" name="id324172"></a>preserve case = yes to permit long filenames
to retain their case, while short names are lowered.
</p><p>See the section on <a href="#NAMEMANGLINGSECT" title="NAME MANGLING">NAME MANGLING</a>.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>short preserve case</code></em> = <code class="literal">yes</code>
</em></span>
</p></dd><dt><span class="term"><a name="SHOWADDPRINTERWIZARD"></a>show add printer wizard (G)</span></dt><dd><p>With the introduction of MS-RPC based printing support
for Windows NT/2000 client in Samba 2.2, a "Printers..."
folder will
appear on Samba hosts in the share listing. Normally this folder will
contain an icon for the MS Add Printer Wizard (APW). However, it is
possible to disable this feature regardless of the level of privilege
of the connected user.</p><p>Under normal circumstances, the Windows NT/2000 client will
open a handle on the printer server with OpenPrinterEx() asking for
Administrator privileges. If the user does not have administrative
access on the print server (i.e. is not root or a member of the
<em class="parameter"><code>printer admin</code></em> group), the OpenPrinterEx()
call fails and the client makes another open call with a request for
a lower privilege level. This should succeed, however the APW
icon will not be displayed.</p><p>Disabling the <em class="parameter"><code>show add printer wizard</code></em>
parameter will always cause the OpenPrinterEx() on the server
to fail. Thus the APW icon will never be displayed.
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>This does not prevent the same user from having administrative privilege on an individual printer.</p></div><p>Default: <span class="emphasis"><em><em class="parameter"><code>show add printer wizard</code></em> = <code class="literal">yes</code></em></span></p></dd><dt><span class="term"><a name="SHUTDOWNSCRIPT"></a>shutdown script (G)</span></dt><dd><p>This is a full path name to a script called by <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> that should start a shutdown procedure.</p><p>If the connected user possesses the <code class="constant">SeRemoteShutdownPrivilege</code> right, this command will be run as user.</p><p>The %z %t %r %f variables are expanded as follows:</p><div class="itemizedlist"><ul type="disc"><li><p><em class="parameter"><code>%z</code></em> will be substituted with the shutdown message sent to the server.</p></li><li><p><em class="parameter"><code>%t</code></em> will be substituted with the number of seconds to wait before effectively starting the shutdown procedure.</p></li><li><p><em class="parameter"><code>%r</code></em> will be substituted with the switch <span class="emphasis"><em>-r</em></span>. It means reboot after shutdown for NT.</p></li><li><p><em class="parameter"><code>%f</code></em> will be substituted with the switch <span class="emphasis"><em>-f</em></span>. It means force the shutdown even if applications do not respond for NT.</p></li></ul></div><p>Shutdown script example:</p><pre class="programlisting">
#!/bin/bash

# $2 is the delay in seconds; shutdown(8) expects minutes
time=$2
let "time/=60"
let "time++"

# $3 and $4 stay unquoted so an absent -r or -f switch disappears
/sbin/shutdown $3 $4 +$time "$1" &
</pre><p> Shutdown does not return so we need to launch it in background. 
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>shutdown script</code></em> = <code class="literal"></code></em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>shutdown script</code></em> = <code class="literal">/usr/local/samba/sbin/shutdown %m %t %r %f</code></em></span></p></dd><dt><span class="term"><a name="SMBPASSWDFILE"></a>smb passwd file (G)</span></dt><dd><p>This option sets the path to the encrypted smbpasswd file. By default the path to the smbpasswd file is compiled into Samba.</p><p> An example of use is:</p><pre class="programlisting">
smb passwd file = /etc/samba/smbpasswd
</pre><p> </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>smb passwd file</code></em> = <code class="literal">${prefix}/private/smbpasswd</code></em></span></p></dd><dt><span class="term"><a name="SMBPORTS"></a>smb ports (G)</span></dt><dd><p>Specifies which ports the server should listen on for SMB traffic.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>smb ports</code></em> = <code class="literal">445 139</code></em></span></p></dd><dt><span class="term"><a name="SOCKETADDRESS"></a>socket address (G)</span></dt><dd><p>This option allows you to control what address Samba will listen for connections on. 
This is used to support multiple virtual interfaces on the one server, each with a different configuration.</p><p>By default Samba will accept connections on any address.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>socket address</code></em> = <code class="literal"></code></em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>socket address</code></em> = <code class="literal">192.168.2.20</code></em></span></p></dd><dt><span class="term"><a name="SOCKETOPTIONS"></a>socket options (G)</span></dt><dd><p>This option allows you to set socket options to be used when talking with the client.</p><p>Socket options are controls on the networking layer of the operating systems which allow the connection to be tuned.</p><p>This option will typically be used to tune your Samba server for optimal performance for your local network. There is no way that Samba can know what the optimal parameters are for your net, so you must experiment and choose them yourself. We strongly suggest you read the appropriate documentation for your operating system first (perhaps <code class="literal">man setsockopt</code> will help).</p><p>You may find that on some systems Samba will say "Unknown socket option" when you supply an option. This means you either incorrectly typed it or you need to add an include file to includes.h for your OS. 
If the latter is the case please send the patch to <a href="mailto:samba-technical@samba.org" target="_top">samba-technical@samba.org</a>.</p><p>Any of the supported socket options may be combined in any way you like, as long as your OS allows it.</p><p>This is the list of socket options currently settable using this option:</p><div class="itemizedlist"><ul type="disc"><li><p>SO_KEEPALIVE</p></li><li><p>SO_REUSEADDR</p></li><li><p>SO_BROADCAST</p></li><li><p>TCP_NODELAY</p></li><li><p>IPTOS_LOWDELAY</p></li><li><p>IPTOS_THROUGHPUT</p></li><li><p>SO_SNDBUF *</p></li><li><p>SO_RCVBUF *</p></li><li><p>SO_SNDLOWAT *</p></li><li><p>SO_RCVLOWAT *</p></li></ul></div><p>Those marked with a <span class="emphasis"><em>'*'</em></span> take an integer argument. The others can optionally take a 1 or 0 argument to enable or disable the option; by default they will be enabled if you don't specify 1 or 0.</p><p>To specify an argument use the syntax SOME_OPTION=VALUE, for example <code class="literal">SO_SNDBUF=8192</code>. Note that you must not have any spaces before or after the = sign.</p><p>If you are on a local network then a sensible option might be:</p><p><code class="literal">socket options = IPTOS_LOWDELAY</code></p><p>If you have a local network then you could try:</p><p><code class="literal">socket options = IPTOS_LOWDELAY TCP_NODELAY</code></p><p>If you are on a wide area network then perhaps try setting IPTOS_THROUGHPUT. </p><p>Note that several of the options may cause your Samba server to fail completely. 
Use these options with caution!</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>socket options</code></em> = <code class="literal">TCP_NODELAY</code></em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>socket options</code></em> = <code class="literal">IPTOS_LOWDELAY</code></em></span></p></dd><dt><span class="term"><a name="STATCACHE"></a>stat cache (G)</span></dt><dd><p>This parameter determines if <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> will use a cache in order to speed up case insensitive name mappings. You should never need to change this parameter.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>stat cache</code></em> = <code class="literal">yes</code></em></span></p></dd><dt><span class="term"><a name="STOREDOSATTRIBUTES"></a>store dos attributes (S)</span></dt><dd><p> If this parameter is set Samba attempts to first read DOS attributes (SYSTEM, HIDDEN, ARCHIVE or READ-ONLY) from a filesystem extended attribute, before mapping DOS attributes to UNIX permission bits (such as occurs with <a class="indexterm" name="id324831"></a>map hidden and <a class="indexterm" name="id324838"></a>map readonly). When set, DOS attributes will be stored onto an extended attribute in the UNIX filesystem, associated with the file or directory. For no other mapping to occur as a fall-back, the parameters <a class="indexterm" name="id324846"></a>map hidden, <a class="indexterm" name="id324854"></a>map system, <a class="indexterm" name="id324861"></a>map archive and <a class="indexterm" name="id324868"></a>map readonly must be set to off. This parameter writes the DOS attributes as a string into the extended attribute named "user.DOSATTRIB". This extended attribute is explicitly hidden from smbd clients requesting an EA list. 
On Linux the filesystem must have been mounted with the mount option user_xattr in order for extended attributes to work, also extended attributes must be compiled into the Linux kernel. </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>store dos attributes</code></em> = <code class="literal">no</code></em></span></p></dd><dt><span class="term"><a name="STRICTALLOCATE"></a>strict allocate (S)</span></dt><dd><p>This is a boolean that controls the handling of disk space allocation in the server. When this is set to <code class="constant">yes</code> the server will change from UNIX behaviour of not committing real disk storage blocks when a file is extended to the Windows behaviour of actually forcing the disk system to allocate real storage blocks when a file is created or extended to be a given size. In UNIX terminology this means that Samba will stop creating sparse files. This can be slow on some systems.</p><p>When strict allocate is <code class="constant">no</code> the server does sparse disk block allocation when a file is extended.</p><p>Setting this to <code class="constant">yes</code> can help Samba return out of quota messages on systems that are restricting the disk quota of users.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>strict allocate</code></em> = <code class="literal">no</code></em></span></p></dd><dt><span class="term"><a name="STRICTLOCKING"></a>strict locking (S)</span></dt><dd><p> This is an enumerated type that controls the handling of file locking in the server. When this is set to <code class="constant">yes</code>, the server will check every read and write access for file locks, and deny access if locks exist. This can be slow on some systems. </p><p> When strict locking is set to Auto (the default), the server performs file lock checks only on non-oplocked files. 
As most Windows redirectors perform file locking checks locally on oplocked files this is a good trade off for improved performance. </p><p> When strict locking is disabled, the server performs file lock checks only when the client explicitly asks for them. </p><p> Well-behaved clients always ask for lock checks when it is important. So in the vast majority of cases, <code class="literal">strict locking = Auto</code> or <code class="literal">strict locking = no</code> is acceptable. </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>strict locking</code></em> = <code class="literal">Auto</code></em></span></p></dd><dt><span class="term"><a name="STRICTSYNC"></a>strict sync (S)</span></dt><dd><p>Many Windows applications (including the Windows 98 explorer shell) seem to confuse flushing buffer contents to disk with doing a sync to disk. Under UNIX, a sync call forces the process to be suspended until the kernel has ensured that all outstanding data in kernel disk buffers has been safely stored onto stable storage. This is very slow and should only be done rarely. Setting this parameter to <code class="constant">no</code> (the default) means that <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> ignores the Windows applications' requests for a sync call. There is only a possibility of losing data if the operating system itself that Samba is running on crashes, so there is little danger in this default setting. 
In addition, this fixes many performance problems that people have reported with the new Windows98 explorer shell file copies.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>strict sync</code></em> = <code class="literal">no</code></em></span></p></dd><dt><span class="term"><a name="SVCCTLLIST"></a>svcctl list (G)</span></dt><dd><p>This option defines a list of init scripts that smbd will use for starting and stopping Unix services via the Win32 ServiceControl API. This allows Windows administrators to utilize the MS Management Console plug-ins to manage a Unix server running Samba.</p><p>The administrator must create a directory named <code class="filename">svcctl</code> in Samba's $(libdir) and create symbolic links to the init scripts in <code class="filename">/etc/init.d/</code>. The name of the links must match the names given as part of the <em class="parameter"><code>svcctl list</code></em>. </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>svcctl list</code></em> = <code class="literal"></code></em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>svcctl list</code></em> = <code class="literal">cups postfix portmap httpd</code></em></span></p></dd><dt><span class="term"><a name="SYNCALWAYS"></a>sync always (S)</span></dt><dd><p>This is a boolean parameter that controls whether writes will always be written to stable storage before the write call returns. If this is <code class="constant">no</code> then the server will be guided by the client's request in each write call (clients can set a bit indicating that a particular write should be synchronous). If this is <code class="constant">yes</code> then every write will be followed by a <code class="literal">fsync()</code> call to ensure the data is written to disk. 
Note that the <em class="parameter"><code>strict sync</code></em> parameter must be set to <code class="constant">yes</code> in order for this parameter to have any effect.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>sync always</code></em> = <code class="literal">no</code></em></span></p></dd><dt><span class="term"><a name="SYSLOG"></a>syslog (G)</span></dt><dd><p> This parameter maps how Samba debug messages are logged onto the system syslog logging levels. Samba debug level zero maps onto syslog <code class="constant">LOG_ERR</code>, debug level one maps onto <code class="constant">LOG_WARNING</code>, debug level two maps onto <code class="constant">LOG_NOTICE</code>, debug level three maps onto LOG_INFO. All higher levels are mapped to <code class="constant">LOG_DEBUG</code>. </p><p> This parameter sets the threshold for sending messages to syslog. Only messages with debug level less than this value will be sent to syslog. </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>syslog</code></em> = <code class="literal">1</code></em></span></p></dd><dt><span class="term"><a name="SYSLOGONLY"></a>syslog only (G)</span></dt><dd><p> If this parameter is set then Samba debug messages are logged into the system syslog only, and not to the debug log files. </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>syslog only</code></em> = <code class="literal">no</code></em></span></p></dd><dt><span class="term"><a name="TEMPLATEHOMEDIR"></a>template homedir (G)</span></dt><dd><p>When filling out the user information for a Windows NT user, the <a href="winbindd.8.html"><span class="citerefentry"><span class="refentrytitle">winbindd</span>(8)</span></a> daemon uses this parameter to fill in the home directory for that user. 
If the string <em class="parameter"><code>%D</code></em> is present it is substituted with the user's Windows NT domain name. If the string <em class="parameter"><code>%U</code></em> is present it is substituted with the user's Windows NT user name.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>template homedir</code></em> = <code class="literal">/home/%D/%U</code></em></span></p></dd><dt><span class="term"><a name="TEMPLATESHELL"></a>template shell (G)</span></dt><dd><p>When filling out the user information for a Windows NT user, the <a href="winbindd.8.html"><span class="citerefentry"><span class="refentrytitle">winbindd</span>(8)</span></a> daemon uses this parameter to fill in the login shell for that user.</p><p><span class="emphasis"><em>No default</em></span></p></dd><dt><span class="term"><a name="TIMEOFFSET"></a>time offset (G)</span></dt><dd><p>This parameter is a setting in minutes to add to the normal GMT to local time conversion. 
This is useful if you are serving a lot of PCs that have incorrect daylight saving time handling.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>time offset</code></em> = <code class="literal">0</code></em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>time offset</code></em> = <code class="literal">60</code></em></span></p></dd><dt><span class="term"><a name="TIMESERVER"></a>time server (G)</span></dt><dd><p>This parameter determines if <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a> advertises itself as a time server to Windows clients.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>time server</code></em> = <code class="literal">no</code></em></span></p></dd><dt><span class="term"><a name="UNIXCHARSET"></a>unix charset (G)</span></dt><dd><p>Specifies the charset the unix machine Samba runs on uses. Samba needs to know this in order to be able to convert text to the charsets other SMB clients use. </p><p>This is also the charset Samba will use when specifying arguments to scripts that it invokes. </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>unix charset</code></em> = <code class="literal">UTF8</code></em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>unix charset</code></em> = <code class="literal">ASCII</code></em></span></p></dd><dt><span class="term"><a name="UNIXEXTENSIONS"></a>unix extensions (G)</span></dt><dd><p>This boolean parameter controls whether Samba implements the CIFS UNIX extensions, as defined by HP. These extensions enable Samba to better serve UNIX CIFS clients by supporting features such as symbolic links, hard links, etc... 
These extensions require a similarly enabled client, and are of no current use to Windows clients.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>unix extensions</code></em> = <code class="literal">yes</code></em></span></p></dd><dt><span class="term"><a name="UNIXPASSWORDSYNC"></a>unix password sync (G)</span></dt><dd><p>This boolean parameter controls whether Samba attempts to synchronize the UNIX password with the SMB password when the encrypted SMB password in the smbpasswd file is changed. If this is set to <code class="constant">yes</code> the program specified in the <em class="parameter"><code>passwd program</code></em> parameter is called <span class="emphasis"><em>AS ROOT</em></span> - to allow the new UNIX password to be set without access to the old UNIX password (as the SMB password change code has no access to the old password cleartext, only the new).</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>unix password sync</code></em> = <code class="literal">no</code></em></span></p></dd><dt><span class="term"><a name="UPDATEENCRYPTED"></a>update encrypted (G)</span></dt><dd><p> This boolean parameter allows a user logging on with a plaintext password to have their encrypted (hashed) password in the smbpasswd file updated automatically as they log on. This option allows a site to migrate from plaintext password authentication (users authenticate with plaintext password over the wire, and are checked against a UNIX account database) to encrypted password authentication (the SMB challenge/response authentication mechanism) without forcing all users to re-enter their passwords via smbpasswd at the time the change is made. This is a convenience option to allow the change over to encrypted passwords to be made over a longer period. 
Once all users have encrypted representations of their passwords in the smbpasswd file this parameter should be set to <code class="constant">no</code>. </p><p> In order for this parameter to be operative the <a class="indexterm" name="id325719"></a>encrypt passwords parameter must be set to <code class="constant">no</code>. The default value of <a class="indexterm" name="id325730"></a>encrypt passwords = Yes. Note: This must be set to <code class="constant">no</code> for this <a class="indexterm" name="id325741"></a>update encrypted to work. </p><p> Note that even when this parameter is set a user authenticating to <code class="literal">smbd</code> must still enter a valid password in order to connect correctly, and to update their hashed (smbpasswd) passwords. </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>update encrypted</code></em> = <code class="literal">no</code></em></span></p></dd><dt><span class="term"><a name="USECLIENTDRIVER"></a>use client driver (S)</span></dt><dd><p>This parameter applies only to Windows NT/2000 clients. It has no effect on Windows 95/98/ME clients. When serving a printer to Windows NT/2000 clients without first installing a valid printer driver on the Samba host, the client will be required to install a local printer driver. From this point on, the client will treat the printer as a local printer and not a network printer connection. This is much the same behavior that will occur when <code class="literal">disable spoolss = yes</code>. </p><p>The differentiating factor is that under normal circumstances, the NT/2000 client will attempt to open the network printer using MS-RPC. The problem is that because the client considers the printer to be local, it will attempt to issue the OpenPrinterEx() call requesting access rights associated with the logged on user. 
If the user possesses local administrator rights but not root privilege on the Samba host (often the case), the OpenPrinterEx() call will fail. The result is that the client will now display an "Access Denied; Unable to connect" message in the printer queue window (even though jobs may successfully be printed). </p><p>If this parameter is enabled for a printer, then any attempt to open the printer with the PRINTER_ACCESS_ADMINISTER right is mapped to PRINTER_ACCESS_USE instead, thus allowing the OpenPrinterEx() call to succeed. <span class="emphasis"><em>This parameter MUST not be enabled on a print share which has a valid print driver installed on the Samba server.</em></span></p><p>Default: <span class="emphasis"><em><em class="parameter"><code>use client driver</code></em> = <code class="literal">no</code></em></span></p></dd><dt><span class="term"><a name="USEKERBEROSKEYTAB"></a>use kerberos keytab (G)</span></dt><dd><p> Specifies whether Samba should attempt to maintain service principals in the system's keytab file for <code class="constant">host/FQDN</code> and <code class="constant">cifs/FQDN</code>. </p><p> When you are using the heimdal Kerberos libraries, you must also specify the following in <code class="filename">/etc/krb5.conf</code>:</p><pre class="programlisting">
[libdefaults]
default_keytab_name = FILE:/etc/krb5.keytab
</pre><p> </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>use kerberos keytab</code></em> = <code class="literal">False</code></em></span></p></dd><dt><span class="term"><a name="USEMMAP"></a>use mmap (G)</span></dt><dd><p>This global parameter determines if the tdb internals of Samba can depend on mmap working correctly on the running system. Samba requires a coherent mmap/read-write system memory cache. 
Currently only HPUX does not have such a coherent cache, and so this parameter is set to <code class="constant">no</code> by default on HPUX. On all other systems this parameter should be left alone. This parameter is provided to help the Samba developers track down problems with the tdb internal code. </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>use mmap</code></em> = <code class="literal">yes</code></em></span></p></dd><dt><span class="term"><a name="USER"></a>user</span></dt><dd><p>This parameter is a synonym for username.</p></dd><dt><span class="term"><a name="USERS"></a>users</span></dt><dd><p>This parameter is a synonym for username.</p></dd><dt><span class="term"><a name="USERNAME"></a>username (S)</span></dt><dd><p>Multiple users may be specified in a comma-delimited list, in which case the supplied password will be tested against each username in turn (left to right).</p><p>The <em class="parameter"><code>username</code></em> line is needed only when the PC is unable to supply its own username. This is the case for the COREPLUS protocol or where your users have different WfWg usernames to UNIX usernames. In both these cases you may also be better using the \\server\share%user syntax instead.</p><p>The <em class="parameter"><code>username</code></em> line is not a great solution in many cases as it means Samba will try to validate the supplied password against each of the usernames in the <em class="parameter"><code>username</code></em> line in turn. This is slow and a bad idea for lots of users in case of duplicate passwords. You may get timeouts or security breaches using this parameter unwisely.</p><p>Samba relies on the underlying UNIX security. This parameter does not restrict who can login, it just offers hints to the Samba server as to what usernames might correspond to the supplied password. 
Users can login as whoever they please and they will be able to do no more damage than if they started a telnet session. The daemon runs as the user that they log in as, so they cannot do anything that user cannot do.</p><p>To restrict a service to a particular set of users you can use the <a class="indexterm" name="id326066"></a>valid users parameter.</p><p>If any of the usernames begin with a '@' then the name will be looked up first in the NIS netgroups list (if Samba is compiled with netgroup support), followed by a lookup in the UNIX groups database and will expand to a list of all users in the group of that name.</p><p>If any of the usernames begin with a '+' then the name will be looked up only in the UNIX groups database and will expand to a list of all users in the group of that name.</p><p>If any of the usernames begin with a '&' then the name will be looked up only in the NIS netgroups database (if Samba is compiled with netgroup support) and will expand to a list of all users in the netgroup group of that name.</p><p>Note that searching through a groups database can take quite some time, and some clients may time out during the search.</p><p>See the section <a href="#VALIDATIONSECT" title="NOTE ABOUT USERNAME/PASSWORD VALIDATION">NOTE ABOUT USERNAME/PASSWORD VALIDATION</a> for more information on how this parameter determines access to the services.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>username</code></em> = <code class="literal"># The guest account if a guest service, else <empty string>.</code></em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>username</code></em> = <code class="literal">fred, mary, jack, jane, @users, @pcgroup</code></em></span></p></dd><dt><span class="term"><a name="USERNAMELEVEL"></a>username level (G)</span></dt><dd><p>This option helps Samba to try and 
'guess' at the real UNIX username, as many DOS clients send an all-uppercase username. By default Samba tries all lowercase, followed by the username with the first letter capitalized, and fails if the username is not found on the UNIX machine.</p><p>If this parameter is set to non-zero the behavior changes. This parameter is a number that specifies the number of uppercase combinations to try while trying to determine the UNIX user name. The higher the number the more combinations will be tried, but the slower the discovery of usernames will be. Use this parameter when you have strange usernames on your UNIX machine, such as <code class="constant">AstrangeUser</code>.</p><p>This parameter is needed only on UNIX systems that have case sensitive usernames.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>username level</code></em> = <code class="literal">0</code></em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>username level</code></em> = <code class="literal">5</code></em></span></p></dd><dt><span class="term"><a name="USERNAMEMAP"></a>username map (G)</span></dt><dd><p> This option allows you to specify a file containing a mapping of usernames from the clients to the server. This can be used for several purposes. The most common is to map usernames that users use on DOS or Windows machines to those that the UNIX box uses. The other is to map multiple users to a single username so that they can more easily share files. </p><p> Please note that for user or share mode security, the username map is applied prior to validating the user credentials. Domain member servers (domain or ads) apply the username map after the user has been successfully authenticated by the domain controller and require fully qualified entries in the map table (e.g. biddle = DOMAIN\foo). 
</p><p> The map file is parsed line by line. Each line should contain a single UNIX username on the left then a '=' followed by a list of usernames on the right. The list of usernames on the right may contain names of the form @group in which case they will match any UNIX username in that group. The special client name '*' is a wildcard and matches any name. Each line of the map file may be up to 1023 characters long. </p><p> The file is processed on each line by taking the supplied username and comparing it with each username on the right hand side of the '=' signs. If the supplied name matches any of the names on the right hand side then it is replaced with the name on the left. Processing then continues with the next line. </p><p> If any line begins with a '#' or a ';' then it is ignored. </p><p> If any line begins with an '!' then the processing will stop after that line if a mapping was done by the line. Otherwise mapping continues with every line being processed. Using '!' is most useful when you have a wildcard mapping line later in the file. </p><p> For example to map from the name <code class="constant">admin</code> or <code class="constant">administrator</code> to the UNIX name <code class="constant">root</code> you would use:</p><pre class="programlisting">
<code class="literal">root = admin administrator</code>
</pre><p> Or to map anyone in the UNIX group <code class="constant">system</code> to the UNIX name <code class="constant">sys</code> you would use:</p><pre class="programlisting">
<code class="literal">sys = @system</code>
</pre><p> </p><p> You can have as many mappings as you like in a username map file. </p><p> If your system supports the NIS NETGROUP option then the netgroup database is checked before the <code class="filename">/etc/group</code> database for matching groups. 
</p><p>
You can map Windows usernames that have spaces in them by using double quotes around the name. For example:
</p><pre class="programlisting">
<code class="literal">tridge = "Andrew Tridgell"</code>
</pre><p>
would map the Windows username "Andrew Tridgell" to the UNIX username "tridge".
</p><p>
The following example would map mary and fred to the UNIX user sys, and map the rest to guest. Note the use of the
'!' to tell Samba to stop processing if it gets a match on that line:
</p><pre class="programlisting">
!sys = mary fred
guest = *
</pre><p>
</p><p>
Note that the remapping is applied to all occurrences of usernames. Thus if you connect to \\server\fred and
<code class="constant">fred</code> is remapped to <code class="constant">mary</code> then you will actually be connecting to
\\server\mary and will need to supply a password suitable for <code class="constant">mary</code> not
<code class="constant">fred</code>. The only exception to this is the username passed to the <a class="indexterm" name="id326373"></a>password server (if you have one). The password server will receive whatever username the client
supplies without modification.
</p><p>
Also note that no reverse mapping is done. The main effect this has is with printing. Users who have been
mapped may have trouble deleting print jobs as PrintManager under WfWg will think they don't own the print
job.
</p><p>
Samba versions prior to 3.0.8 would only support reading the fully qualified username (e.g.: DOMAIN\user) from
the username map when performing a Kerberos login from a client. However, when looking up a map entry for a
user authenticated by NTLM[SSP], only the login name would be used for matches. This resulted in inconsistent
behavior sometimes even on the same server.
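</p><p>
The map-file rules described above (quoted names, @group, the '*' wildcard and the '!' stop marker) written out as a small evaluator with a review check. This is an added example, not Samba's code: the function names, the group table supplied by the caller and the case-insensitive comparison are assumptions, and the sample map is constructed from the lines shown on this page.
</p>

```python
import re

# Right-hand side tokens: a double-quoted name (may contain spaces) or a bare word.
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')

# Constructed sample, assembled from the example lines on this page.
SAMPLE_MAP = """\
# constructed sample map
root = admin administrator
tridge = "Andrew Tridgell"
!sys = mary fred
guest = *
"""


def parse_map(text):
    """Return rules as (line_no, stop_on_match, unix_name, client_names)."""
    rules = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                        # comment or blank line
        stop = line.startswith("!")         # '!': stop here if this line mapped
        if stop:
            line = line[1:]
        unix_name, sep, rhs = line.partition("=")
        if not sep or not unix_name.strip():
            continue                        # not a mapping line
        names = [quoted or bare for quoted, bare in _TOKEN.findall(rhs)]
        rules.append((line_no, stop, unix_name.strip(), names))
    return rules


def _matches(name, pattern, groups):
    if pattern == "*":
        return True                         # wildcard matches any name
    if pattern.startswith("@"):
        members = groups.get(pattern[1:], ())
        return name.casefold() in {m.casefold() for m in members}
    # Assumption: names are compared without regard to case.
    return name.casefold() == pattern.casefold()


def map_username(name, rules, groups=None):
    """Apply every rule top to bottom; a match rewrites the name for later lines."""
    groups = groups or {}
    for _line_no, stop, unix_name, patterns in rules:
        if any(_matches(name, p, groups) for p in patterns):
            name = unix_name
            if stop:
                break
    return name


def audit(rules, privileged=("root",)):
    """List the lines a reviewer should look at before the map is deployed."""
    findings = []
    for idx, (line_no, _stop, unix_name, patterns) in enumerate(rules):
        if unix_name in privileged:
            findings.append(f"line {line_no}: {patterns} are mapped to {unix_name}")
        if "*" in patterns:
            unguarded = [u for _n, s, u, _p in rules[:idx] if not s]
            if unguarded:
                findings.append(
                    f"line {line_no}: wildcard also rewrites results of earlier "
                    f"lines that lack '!': {unguarded}")
    return findings


if __name__ == "__main__":
    rules = parse_map(SAMPLE_MAP)
    for client in ("mary", "admin", "Andrew Tridgell", "someone"):
        print(f"{client!r} -> {map_username(client, rules)!r}")
    for finding in audit(rules):
        print("review:", finding)
```

<p>
In the constructed map only the sys line carries '!', so admin and "Andrew Tridgell" are first mapped and then rewritten to guest by the wildcard line; the audit reports both that and the mapping to root.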
</p><p>
The following functionality is obeyed in version 3.0.8 and later:
</p><p>
When performing local authentication, the username map is applied to the login name before attempting to authenticate
the connection.
</p><p>
When relying upon an external domain controller for validating authentication requests, smbd will apply the username map
to the fully qualified username (i.e. DOMAIN\user) only after the user has been successfully authenticated.
</p><p>
An example of use is:
</p><pre class="programlisting">
username map = /usr/local/samba/lib/users.map
</pre><p>
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>username map</code></em> = <code class="literal">
# no username map</code>
</em></span>
</p></dd><dt><span class="term"><a name="USERNAMEMAPSCRIPT"></a>username map script (G)</span></dt><dd><p>This script is a mutually exclusive alternative to the
<a class="indexterm" name="id326456"></a>username map parameter. This parameter
specifies an external program or script that must accept a single
command line option (the username transmitted in the authentication
request) and return a line on standard output (the name to which
the account should be mapped). In this way, it is possible to store
username map tables in an LDAP or NIS directory service.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>username map script</code></em> = <code class="literal"></code>
</em></span>
</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>username map script</code></em> = <code class="literal">/etc/samba/scripts/mapusers.sh</code>
</em></span>
</p></dd><dt><span class="term"><a name="USERSHAREALLOWGUESTS"></a>usershare allow guests (G)</span></dt><dd><p>This parameter controls whether user defined shares are allowed
to be accessed by non-authenticated users or not.
It is the equivalent
of allowing people who can create a share the option of setting
<em class="parameter"><code>guest ok = yes</code></em> in a share
definition. Due to the security sensitive nature of this the default
is set to off.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>usershare allow guests</code></em> = <code class="literal">no</code>
</em></span>
</p></dd><dt><span class="term"><a name="USERSHAREMAXSHARES"></a>usershare max shares (G)</span></dt><dd><p>This parameter specifies the number of user defined shares
that are allowed to be created by users belonging to the group owning the
usershare directory. If set to zero (the default) user defined shares are ignored.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>usershare max shares</code></em> = <code class="literal">0</code>
</em></span>
</p></dd><dt><span class="term"><a name="USERSHAREOWNERONLY"></a>usershare owner only (G)</span></dt><dd><p>This parameter controls whether the pathname exported by
a user defined share must be owned by the user creating the
user defined share or not. If set to True (the default) then
smbd checks that the directory path being shared is owned by
the user who owns the usershare file defining this share and
refuses to create the share if not. If set to False then no
such check is performed and any directory path may be exported
regardless of who owns it.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>usershare owner only</code></em> = <code class="literal">True</code>
</em></span>
</p></dd><dt><span class="term"><a name="USERSHAREPATH"></a>usershare path (G)</span></dt><dd><p>This parameter specifies the absolute path of the directory on the
filesystem used to store the user defined share definition files.
This directory must be owned by root, and have no access for
other, and be writable only by the group owner. In addition the
"sticky" bit must also be set, restricting rename and delete to
owners of a file (in the same way the /tmp directory is usually configured).
Members of the group owner of this directory are the users allowed to create
usershares. If this parameter is undefined then no user defined
shares are allowed.
</p><p>
For example, a valid usershare directory might be /usr/local/samba/lib/usershares,
set up as follows.
</p><p>
</p><pre class="programlisting">
ls -ld /usr/local/samba/lib/usershares/
drwxrwx--T  2 root power_users 4096 2006-05-05 12:27 /usr/local/samba/lib/usershares/
</pre><p>
</p><p>
In this case, only members of the group "power_users" can create user defined shares.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>usershare path</code></em> = <code class="literal">NULL</code>
</em></span>
</p></dd><dt><span class="term"><a name="USERSHAREPREFIXALLOWLIST"></a>usershare prefix allow list (G)</span></dt><dd><p>This parameter specifies a list of absolute pathnames
the root of which are allowed to be exported by user defined share definitions.
If the pathname exported doesn't start with one of the strings in this
list the user defined share will not be allowed. This allows the Samba
administrator to restrict the directories on the system that can be
exported by user defined shares.
</p><p>
If there is a "usershare prefix deny list" and also a
"usershare prefix allow list" the deny list is processed
first, followed by the allow list, thus leading to the most
restrictive interpretation.
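</p><p>
A check of the usershare directory rules stated under usershare path, together with the deny-then-allow prefix test, as an added example that is not Samba's code. The function names are assumptions, the prefix test takes "start with one of the strings" literally as a string comparison, and the list values are the example values this page gives for the two prefix lists.
</p>

```python
import os
import stat


def usershare_dir_issues(st_mode, st_uid):
    """Compare a directory's mode and owner with the rules for 'usershare path'."""
    issues = []
    if not stat.S_ISDIR(st_mode):
        issues.append("not a directory")
    if st_uid != 0:
        issues.append("not owned by root")
    if st_mode & stat.S_IRWXO:
        issues.append("accessible by other")
    if not st_mode & stat.S_ISVTX:
        issues.append("sticky bit not set")
    if not st_mode & stat.S_IWGRP:
        issues.append("not writable by the owning group")
    return issues


def check_usershare_dir(path):
    """Run the check on a real path; lstat so that a symlink is reported as such."""
    st = os.lstat(path)
    return usershare_dir_issues(st.st_mode, st.st_uid)


def export_allowed(path, deny_list=(), allow_list=()):
    """Deny list first, then allow list; an empty allow list allows the rest."""
    if any(path.startswith(prefix) for prefix in deny_list):
        return False
    if allow_list and not any(path.startswith(prefix) for prefix in allow_list):
        return False
    return True


# Example values from this page.
DENY = ["/etc", "/dev", "/private"]
ALLOW = ["/home", "/data", "/space"]

if __name__ == "__main__":
    mode = stat.S_IFDIR | 0o1770            # the drwxrwx--T mode shown above
    print(stat.filemode(mode), usershare_dir_issues(mode, 0))
    bad = stat.S_IFDIR | 0o0777             # world-writable, no sticky bit
    print(stat.filemode(bad), usershare_dir_issues(bad, 1000))
    for candidate in ("/home/alice/pub", "/etc/samba", "/srv/www", "/homework"):
        print(candidate, export_allowed(candidate, DENY, ALLOW))
    # A literal prefix test also accepts sibling names such as /homework;
    # writing the entry with a trailing slash narrows it to the directory.
    print("/homework", export_allowed("/homework", DENY, ["/home/"]))
```

<p>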
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>usershare prefix allow list</code></em> = <code class="literal">NULL</code>
</em></span>
</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>usershare prefix allow list</code></em> = <code class="literal">/home /data /space</code>
</em></span>
</p></dd><dt><span class="term"><a name="USERSHAREPREFIXDENYLIST"></a>usershare prefix deny list (G)</span></dt><dd><p>This parameter specifies a list of absolute pathnames
the root of which are NOT allowed to be exported by user defined share definitions.
If the pathname exported starts with one of the strings in this
list the user defined share will not be allowed. Any pathname not
starting with one of these strings will be allowed to be exported
as a usershare. This allows the Samba administrator to restrict the
directories on the system that can be exported by user defined shares.
</p><p>
If there is a "usershare prefix deny list" and also a
"usershare prefix allow list" the deny list is processed
first, followed by the allow list, thus leading to the most
restrictive interpretation.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>usershare prefix deny list</code></em> = <code class="literal">NULL</code>
</em></span>
</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>usershare prefix deny list</code></em> = <code class="literal">/etc /dev /private</code>
</em></span>
</p></dd><dt><span class="term"><a name="USERSHARETEMPLATESHARE"></a>usershare template share (G)</span></dt><dd><p>User defined shares only have limited possible parameters
such as path, guest ok etc. This parameter allows usershares to be
"cloned" from an existing share.
If "usershare template share"
is set to the name of an existing share, then all usershares
created have their defaults set from the parameters set on this
share.
</p><p>
The target share may be set to be invalid for real file
sharing by setting the parameter "-valid = False" on the template
share definition. This causes it not to be seen as a real exported
share but to be able to be used as a template for usershares.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>usershare template share</code></em> = <code class="literal">NULL</code>
</em></span>
</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>usershare template share</code></em> = <code class="literal">template_share</code>
</em></span>
</p></dd><dt><span class="term"><a name="USESENDFILE"></a>use sendfile (S)</span></dt><dd><p>If this parameter is <code class="constant">yes</code>, and the <code class="constant">sendfile()</code>
system call is supported by the underlying operating system, then some SMB read calls
(mainly ReadAndX and ReadRaw) will use the more efficient sendfile system call for files that
are exclusively oplocked. This may make more efficient use of the system CPUs
and cause Samba to be faster. Samba automatically turns this off for clients
that use protocol levels lower than NT LM 0.12 and when it detects a client is
Windows 9x (using sendfile from Linux will cause these clients to fail).
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>use sendfile</code></em> = <code class="literal">false</code>
</em></span>
</p></dd><dt><span class="term"><a name="USESPNEGO"></a>use spnego (G)</span></dt><dd><p>This variable controls whether Samba will try
to use Simple and Protected NEGOciation (as specified by RFC 2478) with
Windows XP and Windows 2000 clients to agree upon an authentication mechanism.
</p><p>
Unless further issues are discovered with our SPNEGO
implementation, there is no reason this should ever be
disabled.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>use spnego</code></em> = <code class="literal">yes</code>
</em></span>
</p></dd><dt><span class="term"><a name="UTMP"></a>utmp (G)</span></dt><dd><p>
This boolean parameter is only available if Samba has been configured and compiled
with the option <code class="literal">--with-utmp</code>. If set to
<code class="constant">yes</code> then Samba will attempt to add utmp or utmpx records
(depending on the UNIX system) whenever a connection is made to a Samba server.
Sites may use this to record the user connecting to a Samba share.
</p><p>
Due to the requirements of the utmp record, we are required to create a unique
identifier for the incoming user. Enabling this option creates an n^2 algorithm
to find this number. This may impede performance on large installations.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>utmp</code></em> = <code class="literal">no</code>
</em></span>
</p></dd><dt><span class="term"><a name="UTMPDIRECTORY"></a>utmp directory (G)</span></dt><dd><p>This parameter is only available if Samba has
been configured and compiled with the option <code class="literal">--with-utmp</code>. It specifies a directory pathname that is
used to store the utmp or utmpx files (depending on the UNIX system) that
record user connections to a Samba server.
By default this is
not set, meaning the system will use whatever utmp file the
native system is set to use (usually
<code class="filename">/var/run/utmp</code> on Linux).</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>utmp directory</code></em> = <code class="literal">
# Determined automatically</code>
</em></span>
</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>utmp directory</code></em> = <code class="literal">/var/run/utmp</code>
</em></span>
</p></dd><dt><span class="term"><a name="-VALID"></a>-valid (S)</span></dt><dd><p> This parameter indicates whether a share is
valid and thus can be used. When this parameter is set to false,
the share will be in no way visible nor accessible.
</p><p>
This option should not be
used by regular users but might be of help to developers.
Samba uses this option internally to mark shares as deleted.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>-valid</code></em> = <code class="literal">yes</code>
</em></span>
</p></dd><dt><span class="term"><a name="VALIDUSERS"></a>valid users (S)</span></dt><dd><p>
This is a list of users that should be allowed to log in to this service. Names starting with
'@', '+' and '&' are interpreted using the same rules as described in the
<em class="parameter"><code>invalid users</code></em> parameter.
</p><p>
If this is empty (the default) then any user can log in. If a username is in both this list
and the <em class="parameter"><code>invalid users</code></em> list then access is denied
for that user.
</p><p>
The current servicename is substituted for <em class="parameter"><code>%S</code></em>.
This is useful in the [homes] section.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>valid users</code></em> = <code class="literal">
# No valid users list (anyone can login) </code>
</em></span>
</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>valid users</code></em> = <code class="literal">greg, @pcusers</code>
</em></span>
</p></dd><dt><span class="term"><a name="VETOFILES"></a>veto files (S)</span></dt><dd><p>
This is a list of files and directories that are neither visible nor accessible. Each entry in
the list must be separated by a '/', which allows spaces to be included in the entry. '*' and '?'
can be used to specify multiple files or directories as in DOS wildcards.
</p><p>
Each entry must be a unix path, not a DOS path and must <span class="emphasis"><em>not</em></span> include the
unix directory separator '/'.
</p><p>
Note that the <a class="indexterm" name="id327272"></a>case sensitive option is applicable in vetoing files.
</p><p>
One feature of the veto files parameter that it is important to be aware of is Samba's behaviour when
trying to delete a directory. If a directory that is to be deleted contains nothing but veto files this
deletion will <span class="emphasis"><em>fail</em></span> unless you also set the <a class="indexterm" name="id327288"></a>delete veto files
parameter to <em class="parameter"><code>yes</code></em>.
</p><p>
Setting this parameter will affect the performance of Samba, as it will be forced to check all files
and directories for a match as they are scanned.
</p><p>
Examples of use include:
</p><pre class="programlisting">
; Veto any files containing the word Security,
; any ending in .tmp, and any directory containing the
; word root.
veto files = /*Security*/*.tmp/*root*/

; Veto the Apple specific files that a NetAtalk server
; creates.
veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/
</pre><p>
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>veto files</code></em> = <code class="literal">No files or directories are vetoed.</code>
</em></span>
</p></dd><dt><span class="term"><a name="VETOOPLOCKFILES"></a>veto oplock files (S)</span></dt><dd><p>
This parameter is only valid when the <a class="indexterm" name="id327357"></a>oplocks
parameter is turned on for a share. It allows the Samba administrator
to selectively turn off the granting of oplocks on selected files that
match a wildcarded list, similar to the wildcarded list used in the
<a class="indexterm" name="id327366"></a>veto files parameter.
</p><p>
You might want to do this on files that you know will be heavily contended
for by clients. A good example of this is in the NetBench SMB benchmark
program, which causes heavy client contention for files ending in
<code class="filename">.SEM</code>. To cause Samba not to grant
oplocks on these files you would use the line (either in the [global]
section or in the section for the particular NetBench share).
</p><p>
An example of use is:
</p><pre class="programlisting">
veto oplock files = /.*SEM/
</pre><p>
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>veto oplock files</code></em> = <code class="literal">
# No files are vetoed for oplock grants</code>
</em></span>
</p></dd><dt><span class="term"><a name="VFSOBJECT"></a>vfs object</span></dt><dd><p>This parameter is a synonym for vfs objects.</p></dd><dt><span class="term"><a name="VFSOBJECTS"></a>vfs objects (S)</span></dt><dd><p>This parameter specifies the backend names which
are used for Samba VFS I/O operations. By default, normal
disk I/O operations are used but these can be overloaded
with one or more VFS objects.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>vfs objects</code></em> = <code class="literal"></code>
</em></span>
</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>vfs objects</code></em> = <code class="literal">extd_audit recycle</code>
</em></span>
</p></dd><dt><span class="term"><a name="VOLUME"></a>volume (S)</span></dt><dd><p>This allows you to override the volume label
returned for a share. Useful for CDROMs with installation programs
that insist on a particular volume label.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>volume</code></em> = <code class="literal">
# the name of the share</code>
</em></span>
</p></dd><dt><span class="term"><a name="WIDELINKS"></a>wide links (S)</span></dt><dd><p>This parameter controls whether or not links
in the UNIX file system may be followed by the server. Links
that point to areas within the directory tree exported by the
server are always allowed; this parameter controls access only
to areas that are outside the directory tree being exported.</p><p>Note that setting this parameter can have a negative
effect on your server performance due to the extra system calls
that Samba has to do in order to perform the link checks.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>wide links</code></em> = <code class="literal">yes</code>
</em></span>
</p></dd><dt><span class="term"><a name="WINBINDCACHETIME"></a>winbind cache time (G)</span></dt><dd><p>This parameter specifies the number of
seconds the <a href="winbindd.8.html"><span class="citerefentry"><span class="refentrytitle">winbindd</span>(8)</span></a> daemon will cache
user and group information before querying a Windows NT server
again.</p><p>
This does not apply to authentication requests; these are always
evaluated in real time unless the <a class="indexterm"
name="id327609"></a>winbind offline logon option has been enabled.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>winbind cache time</code></em> = <code class="literal">300</code>
</em></span>
</p></dd><dt><span class="term"><a name="WINBINDENUMGROUPS"></a>winbind enum groups (G)</span></dt><dd><p>On large installations using <a href="winbindd.8.html"><span class="citerefentry"><span class="refentrytitle">winbindd</span>(8)</span></a> it may be necessary to suppress
the enumeration of groups through the <code class="literal">setgrent()</code>,
<code class="literal">getgrent()</code> and
<code class="literal">endgrent()</code> group of system calls. If
the <em class="parameter"><code>winbind enum groups</code></em> parameter is
<code class="constant">no</code>, calls to the <code class="literal">getgrent()</code> system
call will not return any data. </p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>Turning off group enumeration may cause some programs to behave oddly. </p></div><p>Default: <span class="emphasis"><em><em class="parameter"><code>winbind enum groups</code></em> = <code class="literal">no</code>
</em></span>
</p></dd><dt><span class="term"><a name="WINBINDENUMUSERS"></a>winbind enum users (G)</span></dt><dd><p>On large installations using <a href="winbindd.8.html"><span class="citerefentry"><span class="refentrytitle">winbindd</span>(8)</span></a> it may be
necessary to suppress the enumeration of users through the <code class="literal">setpwent()</code>,
<code class="literal">getpwent()</code> and
<code class="literal">endpwent()</code> group of system calls. If
the <em class="parameter"><code>winbind enum users</code></em> parameter is
<code class="constant">no</code>, calls to the <code class="literal">getpwent</code> system call
will not return any data.
</p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>Turning off user
enumeration may cause some programs to behave oddly. For
example, the finger program relies on having access to the
full user list when searching for matching
usernames. </p></div><p>Default: <span class="emphasis"><em><em class="parameter"><code>winbind enum users</code></em> = <code class="literal">no</code>
</em></span>
</p></dd><dt><span class="term"><a name="WINBINDEXPANDGROUPS"></a>winbind expand groups (G)</span></dt><dd><p>This option controls the maximum depth that winbindd
will traverse when flattening nested group memberships
of Windows domain groups. This is different from the
<a class="indexterm" name="id327830"></a>winbind nested groups option
which implements the Windows NT4 model of local group
nesting. The "winbind expand groups"
parameter specifically applies to the membership of
domain groups.</p><p>Be aware that a high value for this parameter can
result in system slowdown as the main parent winbindd daemon
must perform the group unrolling and will be unable to answer
incoming NSS or authentication requests during this time.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>winbind expand groups</code></em> = <code class="literal">1</code>
</em></span>
</p></dd><dt><span class="term"><a name="WINBINDNESTEDGROUPS"></a>winbind nested groups (G)</span></dt><dd><p>If set to yes, this parameter activates the support for nested
groups. Nested groups are also called local groups or
aliases. They work like their counterparts in Windows: Nested
groups are defined locally on any machine (they are shared
between DCs through their SAM) and can contain users and
global groups from any trusted SAM.
To be able to use nested
groups, you need to run nss_winbind.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>winbind nested groups</code></em> = <code class="literal">yes</code>
</em></span>
</p></dd><dt><span class="term"><a name="WINBINDNORMALIZENAMES"></a>winbind normalize names (G)</span></dt><dd><p>This parameter controls whether winbindd will replace
whitespace in user and group names with an underscore (_) character.
For example, whether the name "Space Kadet" should be
replaced with the string "space_kadet".
Frequently Unix shell scripts will have difficulty with usernames
that contain whitespace due to the default field separator in the shell.
Do not enable this option if the underscore character is used in
account names within your domain.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>winbind normalize names</code></em> = <code class="literal">no</code>
</em></span>
</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>winbind normalize names</code></em> = <code class="literal">yes</code>
</em></span>
</p></dd><dt><span class="term"><a name="WINBINDNSSINFO"></a>winbind nss info (G)</span></dt><dd><p>This parameter is designed to control how Winbind retrieves Name
Service Information to construct a user's home directory and login shell.
Currently the following settings are available:

</p><div class="itemizedlist"><ul type="disc"><li><p><em class="parameter"><code>template</code></em>
- The default, using the parameters of <em class="parameter"><code>template shell</code></em> and <em class="parameter"><code>template homedir</code></em>
</p></li><li><p><em class="parameter"><code>sfu</code></em>
- When Samba is running in security = ads and your Active Directory
Domain Controller supports the Microsoft "Services for Unix" (SFU)
LDAP schema, winbind can retrieve the login shell and the home
directory attributes directly from your Directory Server. Note that
retrieving UID and GID from your ADS-Server requires using
<em class="parameter"><code>idmap backend</code></em> = idmap_ad as well.
</p></li></ul></div><p>

</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>winbind nss info</code></em> = <code class="literal">template</code>
</em></span>
</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>winbind nss info</code></em> = <code class="literal">template sfu</code>
</em></span>
</p></dd><dt><span class="term"><a name="WINBINDOFFLINELOGON"></a>winbind offline logon (G)</span></dt><dd><p>This parameter is designed to control whether Winbind should
allow logins through the <em class="parameter"><code>pam_winbind</code></em>
module using cached credentials. If enabled, winbindd will store user credentials
from successful logins encrypted in a local cache.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>winbind offline logon</code></em> = <code class="literal">false</code>
</em></span>
</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>winbind offline logon</code></em> = <code class="literal">true</code>
</em></span>
</p></dd><dt><span class="term"><a name="WINBINDREFRESHTICKETS"></a>winbind refresh tickets (G)</span></dt><dd><p>This parameter is designed to control whether Winbind should refresh Kerberos Tickets
retrieved using the <em class="parameter"><code>pam_winbind</code></em> module.

</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>winbind refresh tickets</code></em> = <code class="literal">false</code>
</em></span>
</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>winbind refresh tickets</code></em> = <code class="literal">true</code>
</em></span>
</p></dd><dt><span class="term"><a name="WINBINDRPCONLY"></a>winbind rpc only (G)</span></dt><dd><p>
Setting this parameter to <code class="literal">yes</code> forces
winbindd to use RPC instead of LDAP to retrieve information from Domain
Controllers.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>winbind rpc only</code></em> = <code class="literal">no</code>
</em></span>
</p></dd><dt><span class="term"><a name="WINBINDSEPARATOR"></a>winbind separator (G)</span></dt><dd><p>This parameter allows an admin to define the character
used when listing a username of the form <em class="replaceable"><code>DOMAIN</code></em>\<em class="replaceable"><code>user</code></em>. This parameter
is only applicable when using the <code class="filename">pam_winbind.so</code>
and <code class="filename">nss_winbind.so</code> modules for UNIX services.
</p><p>Please note that setting this parameter to + causes problems
with group membership at least on glibc systems, as the character +
is used as a special character for NIS in /etc/group.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>winbind separator</code></em> = <code class="literal">'\'</code>
</em></span>
</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>winbind separator</code></em> = <code class="literal">+</code>
</em></span>
</p></dd><dt><span class="term"><a name="WINBINDTRUSTEDDOMAINSONLY"></a>winbind trusted domains only (G)</span></dt><dd><p>
This parameter is designed to allow Samba servers that are members
of a Samba controlled domain to use UNIX accounts distributed via NIS,
rsync, or LDAP as the uids for winbindd users in the host's primary domain.
Therefore, the user <code class="literal">DOMAIN\user1</code> would be mapped to
the account user1 in /etc/passwd instead of allocating a new uid for him or her.
</p><p>
This parameter is now deprecated in favor of the newer idmap_nss backend.
Refer to the <a class="indexterm" name="id328357"></a>idmap domains smb.conf option and
the <a href="idmap_nss.8.html"><span class="citerefentry"><span class="refentrytitle">idmap_nss</span>(8)</span></a> man page for more information.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>winbind trusted domains only</code></em> = <code class="literal">no</code>
</em></span>
</p></dd><dt><span class="term"><a name="WINBINDUSEDEFAULTDOMAIN"></a>winbind use default domain (G)</span></dt><dd><p>This parameter specifies whether the
<a href="winbindd.8.html"><span class="citerefentry"><span class="refentrytitle">winbindd</span>(8)</span></a> daemon should operate on users
without a domain component in their username.
Users without a domain
component are treated as part of the winbindd server's own
domain. While this does not benefit Windows users, it makes SSH, FTP and
e-mail function in a way much closer to the way they
would in a native unix system.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>winbind use default domain</code></em> = <code class="literal">no</code>
</em></span>
</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>winbind use default domain</code></em> = <code class="literal">yes</code>
</em></span>
</p></dd><dt><span class="term"><a name="WINSHOOK"></a>wins hook (G)</span></dt><dd><p>When Samba is running as a WINS server this
allows you to call an external program for all changes to the
WINS database. The primary use for this option is to allow the
dynamic update of external name resolution databases such as
dynamic DNS.</p><p>The wins hook parameter specifies the name of a script
or executable that will be called as follows:</p><p><code class="literal">wins_hook operation name nametype ttl IP_list</code></p><div class="itemizedlist"><ul type="disc"><li><p>The first argument is the operation and is
one of "add", "delete", or
"refresh". In most cases the operation
can be ignored as the rest of the parameters
provide sufficient information. Note that
"refresh" may sometimes be called when
the name has not previously been added; in that
case it should be treated as an add.</p></li><li><p>The second argument is the NetBIOS name. If the
name is not a legal name then the wins hook is not called.
Legal names contain only letters, digits, hyphens, underscores
and periods.</p></li><li><p>The third argument is the NetBIOS name
type as a 2 digit hexadecimal number.
</p></li><li><p>The fourth argument is the TTL (time to live)
for the name in seconds.</p></li><li><p>The fifth and subsequent arguments are the IP
addresses currently registered for that name. If this list is
empty then the name should be deleted.</p></li></ul></div><p>An example script that calls the BIND dynamic DNS update
program <code class="literal">nsupdate</code> is provided in the examples
directory of the Samba source code. </p><p><span class="emphasis"><em>No default</em></span></p></dd><dt><span class="term"><a name="WINSPROXY"></a>wins proxy (G)</span></dt><dd><p>This is a boolean that controls if <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a> will respond to broadcast name
queries on behalf of other hosts. You may need to set this
to <code class="constant">yes</code> for some older clients.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>wins proxy</code></em> = <code class="literal">no</code>
</em></span>
</p></dd><dt><span class="term"><a name="WINSSERVER"></a>wins server (G)</span></dt><dd><p>This specifies the IP address (or DNS name: IP
address for preference) of the WINS server that <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a> should register with. If you have a WINS server on
your network then you should set this to the WINS server's IP.</p><p>You should point this at your WINS server if you have a
multi-subnetted network.</p><p>If you want to work in multiple namespaces, you can
give every wins server a 'tag'. For each tag, only one
(working) server will be queried for a name. The tag should be
separated from the IP address by a colon.
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>You need to set up Samba to point
to a WINS server if you have multiple subnets and wish cross-subnet
browsing to work correctly.</p></div><p>See the chapter in the Samba3-HOWTO on Network Browsing.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>wins server</code></em> = <code class="literal"></code>
</em></span>
</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>wins server</code></em> = <code class="literal">mary:192.9.200.1 fred:192.168.3.199 mary:192.168.2.61

# For this example when querying a certain name, 192.9.200.1 will
be asked first and if that doesn't respond 192.168.2.61. If either
of those doesn't know the name 192.168.3.199 will be queried.</code>
</em></span>
</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>wins server</code></em> = <code class="literal">192.9.200.1 192.168.2.61</code>
</em></span>
</p></dd><dt><span class="term"><a name="WINSSUPPORT"></a>wins support (G)</span></dt><dd><p>This boolean controls if the <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a> process in Samba will act as a WINS server. You should
not set this to <code class="constant">yes</code> unless you have a multi-subnetted network and
you wish a particular <code class="literal">nmbd</code> to be your WINS server.
Note that you should <span class="emphasis"><em>NEVER</em></span> set this to <code class="constant">yes</code>
on more than one machine in your network.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>wins support</code></em> = <code class="literal">no</code>
</em></span>
</p></dd><dt><span class="term"><a name="WORKGROUP"></a>workgroup (G)</span></dt><dd><p>This controls what workgroup your server will
appear to be in when queried by clients. Note that this parameter
also controls the Domain name used with
the <a class="indexterm" name="id328788"></a>security = domain
setting.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>workgroup</code></em> = <code class="literal">WORKGROUP</code>
</em></span>
</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>workgroup</code></em> = <code class="literal">MYGROUP</code>
</em></span>
</p></dd><dt><span class="term"><a name="WRITABLE"></a>writable</span></dt><dd><p>This parameter is a synonym for writeable.</p></dd><dt><span class="term"><a name="WRITEABLE"></a>writeable (S)</span></dt><dd><p>Inverted synonym for <a class="indexterm" name="id328872"></a>read only.</p><p><span class="emphasis"><em>No default</em></span></p></dd><dt><span class="term"><a name="WRITECACHESIZE"></a>write cache size (S)</span></dt><dd><p>If this integer parameter is set to a non-zero value,
Samba will create an in-memory cache for each oplocked file
(it does <span class="emphasis"><em>not</em></span> do this for
non-oplocked files). All writes that the client does not request
to be flushed directly to disk will be stored in this cache if possible.
The cache is flushed onto disk when a write comes in whose offset
would not fit into the cache or when the file is closed by the client.
Reads for the file are also served from this cache if the data is stored
within it.</p><p>This cache allows Samba to batch client writes into a more
efficient write size for RAID disks (i.e. writes may be tuned to
be the RAID stripe size) and can improve performance on systems
where the disk subsystem is a bottleneck but there is free
memory for userspace programs.</p><p>The integer parameter specifies the size of this cache
(per oplocked file) in bytes.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>write cache size</code></em> = <code class="literal">0</code>
</em></span>
</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>write cache size</code></em> = <code class="literal">262144
# for a 256k cache size per file</code>
</em></span>
</p></dd><dt><span class="term"><a name="WRITELIST"></a>write list (S)</span></dt><dd><p>
This is a list of users that are given read-write access to a service. If the
connecting user is in this list then they will be given write access, no matter
what the <a class="indexterm" name="id328980"></a>read only option is set to. The list can
include group names using the @group syntax.
</p><p>
Note that if a user is in both the read list and the write list then they will be
given write access.
</p><p>
By design, this parameter will not work with
<a class="indexterm" name="id328995"></a>security = share in Samba 3.0.
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>write list</code></em> = <code class="literal"></code>
</em></span>
</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>write list</code></em> = <code class="literal">admin, root, @staff</code>
</em></span>
</p></dd><dt><span class="term"><a name="WRITERAW"></a>write raw (G)</span></dt><dd><p>This parameter controls whether or not the server
will support raw write SMBs when transferring data from clients.
You should never need to change this parameter.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>write raw</code></em> = <code class="literal">yes</code>
</em></span>
</p></dd><dt><span class="term"><a name="WTMPDIRECTORY"></a>wtmp directory (G)</span></dt><dd><p>
This parameter is only available if Samba has been configured and compiled with the option <code class="literal">
--with-utmp</code>. It specifies a directory pathname that is used to store the wtmp or wtmpx files (depending on
the UNIX system) that record user connections to a Samba server. It differs from the utmp directory in
that user info is kept after a user has logged out.
</p><p>
By default this is not set, meaning the system will use whatever utmp file the native system is set to use (usually
<code class="filename">/var/run/wtmp</code> on Linux).
</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>wtmp directory</code></em> = <code class="literal"></code>
</em></span>
</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>wtmp directory</code></em> = <code class="literal">/var/log/wtmp</code>
</em></span>
</p></dd></dl></div></div><div class="refsect1" lang="en"><a name="id329153"></a><h2>WARNINGS</h2><p>
Although the configuration file permits service names to contain spaces, your client software may not.
Spaces will be ignored in comparisons anyway, so it shouldn't be a problem - but be aware of the possibility.
</p><p>
On a similar note, many clients - especially DOS clients - limit service names to eight characters.
<a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> has no such
limitation, but attempts to connect from such clients will fail if they truncate the service names. For this
reason you should probably keep your service names down to eight characters in length.
</p><p>
Use of the <code class="literal">[homes]</code> and <code class="literal">[printers]</code> special sections makes life
for an administrator easy, but the various combinations of default attributes can be tricky. Take extreme
care when designing these sections. In particular, ensure that the permissions on spool directories are
correct.
</p></div><div class="refsect1" lang="en"><a name="id329196"></a><h2>VERSION</h2><p>This man page is correct for version 3.0 of the Samba suite.</p></div><div class="refsect1" lang="en"><a name="id329207"></a><h2>SEE ALSO</h2><p>
<a href="samba.7.html"><span class="citerefentry"><span class="refentrytitle">samba</span>(7)</span></a>, <a href="smbpasswd.8.html"><span class="citerefentry"><span class="refentrytitle">smbpasswd</span>(8)</span></a>, <a href="swat.8.html"><span class="citerefentry"><span class="refentrytitle">swat</span>(8)</span></a>, <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a>, <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a>, <a href="smbclient.1.html"><span class="citerefentry"><span class="refentrytitle">smbclient</span>(1)</span></a>, <a href="nmblookup.1.html"><span class="citerefentry"><span class="refentrytitle">nmblookup</span>(1)</span></a>, <a href="testparm.1.html"><span class="citerefentry"><span
class="refentrytitle">testparm</span>(1)</span></a>, <a href="testprns.1.html"><span class="citerefentry"><span class="refentrytitle">testprns</span>(1)</span></a>.</p></div><div class="refsect1" lang="en"><a name="id329286"></a><h2>AUTHOR</h2><p>
The original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed
by the Samba Team as an Open Source project similar to the way the Linux kernel is developed.
</p><p>
The original Samba man pages were written by Karl Auer. The man page sources were converted to YODL format (another
excellent piece of Open Source software, available at <a href="ftp://ftp.icce.rug.nl/pub/unix/" target="_top">
ftp://ftp.icce.rug.nl/pub/unix/</a>) and updated for the Samba 2.0 release by Jeremy Allison. The conversion
to DocBook for Samba 2.2 was done by Gerald Carter. The conversion to DocBook XML 4.2 for Samba 3.0 was done by
Alexander Bokovoy.
</p></div></div></body></html>
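The wins hook calling convention described in the parameter list above (operation, name, name type, TTL, IP list), as an added shell example that is not the script shipped in the Samba examples directory: it re-checks every argument against the documented format before emitting nsupdate commands. The zone name wins.example.internal and the function name wins_hook_to_nsupdate are assumptions, and the sample addresses are constructed.

```shell
#!/bin/sh
# Added example (not Samba's own script): a defensive wins hook.
# Called as: wins_hook operation name nametype ttl IP_list
LC_ALL=C; export LC_ALL              # keep character ranges ASCII-only
DNS_ZONE="wins.example.internal"     # assumption: zone receiving the updates

# Print nsupdate input for one WINS change on stdout; return 2 if any
# argument does not match the format the hook is documented to receive.
wins_hook_to_nsupdate() {
    [ "$#" -ge 4 ] || return 2
    op=$1; name=$2; nametype=$3; ttl=$4
    shift 4                          # "$@" is now the IP list (may be empty)

    case "$op" in add|delete|refresh) ;; *) return 2 ;; esac
    # Legal names: letters, digits, hyphens, underscores and periods only.
    case "$name" in ''|*[!A-Za-z0-9._-]*) return 2 ;; esac
    # Name type: exactly two hexadecimal digits.
    case "$nametype" in [0-9A-Fa-f][0-9A-Fa-f]) ;; *) return 2 ;; esac
    # TTL: seconds, decimal digits only.
    case "$ttl" in ''|*[!0-9]*) return 2 ;; esac
    # IPs: dotted-quad shape check (octet ranges are not checked here).
    for ip in "$@"; do
        case "$ip" in
            *[!0-9.]*|*..*|.*|*.|*.*.*.*.*) return 2 ;;
            *.*.*.*) ;;
            *) return 2 ;;
        esac
    done

    # The operation is otherwise ignored: the IP list is authoritative, so a
    # "refresh" for an unknown name acts as an add, and an empty list deletes.
    fqdn="$name.$DNS_ZONE"
    printf 'update delete %s A\n' "$fqdn"
    for ip in "$@"; do
        printf 'update add %s %s A %s\n' "$fqdn" "$ttl" "$ip"
    done
    printf 'send\n'
}

# Constructed sample invocation; a real hook would end with:
#   wins_hook_to_nsupdate "$@" | nsupdate
wins_hook_to_nsupdate refresh FILESRV1 20 3600 192.0.2.10 192.0.2.11
```

Replacing all A records on every call keeps the DNS view equal to the IP list nmbd passes, which is why the operation argument needs no separate handling.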