htmldocs/using_samba/ch06.html

<html>
<body bgcolor="#ffffff">

<img src="samba2_xs.gif" border="0" alt=" " height="100" width="76"
hspace="10" align="left" />

<h1 class="head0">Chapter 6. The Samba Configuration File</h1>


<p><a name="INDEX-1"/>In
previous chapters, we showed you how to install Samba on a Unix
server and set up Windows clients to use a simple disk share. This
chapter will show you how Samba can assume more productive roles on
your network.</p>

<p>Samba's daemons, <em class="emphasis">smbd</em> and
<em class="emphasis">nmbd</em>, are controlled through a single ASCII
file, <em class="filename">smb.conf</em>, that can contain over 300 unique
options (also called parameters). Some of these options you will use
and change frequently; others you might never use, depending on how
much functionality you want Samba to offer its clients.</p>

<p>This chapter introduces the structure of the Samba configuration file
and shows you how to use options to create and modify disk shares.
Subsequent chapters will discuss browsing, how to configure users,
security, printing, and other topics related to implementing Samba on
your network.</p>


<div class="sect1"><a name="samba2-CHP-6-SECT-1"/>

<h2 class="head1">The Samba Configuration File</h2>

<p>The Samba configuration file, called <em class="filename">smb.conf</em> by
default, uses the same format as Windows
<em class="filename">.ini</em><a name="INDEX-2"/><a name="INDEX-3"/> files. If you have ever worked with a
<em class="filename">.ini</em> file, you will find
<em class="filename">smb.conf</em> easy to create and modify. Even if you
haven't, you will find the format to be simple and
easy to learn. Here is an example of a Samba
<a name="INDEX-4"/>configuration
file:</p>

<blockquote><pre class="code">[global]
    workgroup = METRAN
    encrypt passwords = yes
    wins support = yes
    log level = 1
    max log size = 1000
    read only = no
[homes]
    browsable = no
    map archive = yes
[printers]
    path = /var/tmp
    printable = yes
    min print space = 2000
[test]
    browsable = yes
    read only = yes
    path = /usr/local/samba/tmp</pre></blockquote>

<p>This configuration file is based on the one we created in <a href="ch02.html">Chapter 2</a> and sets up a workgroup in which Samba
authenticates users using encrypted passwords and the default
user-level security method. Samba is providing WINS name server
support. We've configured very basic event logging
to use a log file not to exceed 1MB in size. The
<tt class="literal">[homes]</tt> share has been added to allow Samba to
create a disk share for the home directory of each user who has a
standard Unix account on the server. In addition, each printer
registered on the server will be publicly available, as will a single
read-only share that maps to the
<em class="filename">/usr/local/samba/tmp</em> directory.</p>


<div class="sect2"><a name="samba2-CHP-6-SECT-1.1"/>

<h3 class="head2">Configuration File Structure</h3>

<p><a name="INDEX-5"/>Let's take another
look at this configuration file, this time from a higher level:</p>

<blockquote><pre class="code">[global]
    ...
[homes]
    ...
[printers]
    ...
[test]
    ...</pre></blockquote>

<p><a name="INDEX-6"/><a name="INDEX-7"/>The
names inside the square brackets delineate unique
<em class="firstterm">sections</em> of the <em class="filename">smb.conf</em>
file; each section names the share (or service) to which the section
refers. For example, the <tt class="literal">[test]</tt> and
<tt class="literal">[homes]</tt> sections are unique disk shares; they
contain options that map to specific directories on the Samba server.
The <tt class="literal">[printers]</tt> share contains options that map to
various printers on the server. All the sections defined in the
<em class="filename">smb.conf</em> file, with the exception of the
<tt class="literal">[global]</tt> section, will be available as a disk or
printer share to clients connecting to the Samba server.</p>

<p>The remaining lines are individual configuration options for that
share. These options will continue until a new section is encountered
or until the end of the file is reached. Each configuration option
follows a simple format:</p>

<blockquote><pre class="code"><em class="replaceable">option</em> = <em class="replaceable">value</em></pre></blockquote>

<p><a name="INDEX-8"/>Options in
the <em class="filename">smb.conf</em> file are set by assigning a value
to them. We should warn you up front that some of the option names in
Samba are poorly chosen. For example, <tt class="literal">read</tt>
<tt class="literal">only</tt> is self-explanatory and is typical of many
recent Samba options. The <tt class="literal">public</tt> option is an
older option and is vague. It now has a less-confusing synonym
<tt class="literal">guest</tt> <tt class="literal">ok</tt> (meaning it can be
accessed by guests). <em class="emphasis">Appendix B</em> contains an
alphabetical index of all the configuration options and their
meanings.</p>


<div class="sect3"><a name="samba2-CHP-6-SECT-1.1.1"/>

<h3 class="head3">Whitespace, quotes, and commas</h3>

<p>An important item to remember about configuration options is that all
whitespace within the <em class="replaceable">value</em> is
significant. For example, consider the following option:</p>

<blockquote><pre class="code">volume = The Big Bad Hard Drive Number 3543</pre></blockquote>

<p>Samba strips away the spaces up to the first <tt class="literal">T</tt> in
<tt class="literal">The</tt>. These whitespaces are insignificant. The rest
of the whitespaces are significant and will be recognized and
preserved by Samba when reading in the file. Space is not significant
in option names (such as <tt class="literal">read</tt>
<tt class="literal">only</tt>), but we recommend you follow convention and
keep spaces between the words of options.</p>

<p>If you feel safer including quotation marks at the beginning and end
of a configuration option's value, you can do so.
Samba will ignore these quotation marks when it encounters them.
Never use quotation marks around an option name; Samba will treat
this as an error.</p>

<p>Usually, you can use whitespaces or commas to separate a series of
values in a list. These two options are equivalent:</p>

<blockquote><pre class="code">netbios aliases = sales, accounting, payroll
netbios aliases = sales accounting payroll</pre></blockquote>

<p>In some cases, you must use one form of separation&mdash;sometimes
spaces are required, and sometimes commas.</p>


</div>


<div class="sect3"><a name="samba2-CHP-6-SECT-1.1.2"/>

<h3 class="head3">Capitalization</h3>

<p><a name="INDEX-9"/>Capitalization
is not important in the Samba configuration file except in locations
where it would confuse the underlying operating system. For example,
let's assume that you included the following option
in a share that pointed to <em class="filename">/export/samba/simple
</em>:</p>

<blockquote><pre class="code">PATH = /EXPORT/SAMBA/SIMPLE</pre></blockquote>

<p>Samba would have no problem with the <tt class="literal">path</tt>
configuration option appearing entirely in capital letters. However,
when it tries to connect to the given directory, it would be
unsuccessful because the Unix filesystem <em class="emphasis">is</em>
case-sensitive. Consequently, the path listed would not be found, and
clients could not connect to the share.</p>


</div>


<div class="sect3"><a name="samba2-CHP-6-SECT-1.1.3"/>

<h3 class="head3">Line continuation</h3>

<p><a name="INDEX-10"/>You can continue a line in the
Samba configuration file using the backslash, like this:</p>

<blockquote><pre class="code">comment = The first share that has the primary copies \
          of the new Teamworks software product.</pre></blockquote>

<p>Because of the backslash, these two lines will be treated as one line
by Samba. The second line begins at the first nonwhitespace character
that Samba encounters; in this case, the <tt class="literal">o</tt> in
<tt class="literal">of</tt>.</p>


</div>


<div class="sect3"><a name="samba2-CHP-6-SECT-1.1.4"/>

<h3 class="head3">Comments</h3>

<p><a name="INDEX-11"/>You can
insert comments in the <em class="filename">smb.conf</em> configuration
file by starting a line with either a hash (<tt class="literal">#</tt>) or
a semicolon ( <tt class="literal">;</tt> ). For this purpose, both
characters are equivalent. For example, the first three lines in the
following example would be considered comments:</p>

<blockquote><pre class="code">#  This is the printers section. We have given a minimum print
;  space of 2000 to prevent some errors that we've seen when
;  the spooler runs out of space.

[printers]
    public = yes
    min print space = 2000</pre></blockquote>

<p>Samba will ignore all comment lines in its configuration file; there
are no limitations to what can be placed on a comment line after the
initial hash mark or semicolon. Note that the line continuation
character (<tt class="literal">\</tt>) will <em class="emphasis">not</em> be
honored on a commented line. Like the rest of the line, it is
ignored.</p>
<a name="samba2-CHP-6-NOTE-128"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
<p>Samba does not allow mixing of comment lines and parameters. Be
careful not to put comments on the same line as anything else, such
as:</p>


<blockquote><pre class="code">path = /d # server's data partition</pre></blockquote>


<p>Errors such as this, where the parameter value is defined with a
string, can be tricky to notice. The <em class="emphasis">testparm</em>
program won't complain, and the only clues
you'll receive are that
<em class="emphasis">testparm</em> reports the <tt class="literal">path</tt>
parameter set to <tt class="literal">/d # server's data partition</tt>, and
the failures that result when clients attempt to access the share.</p>
</blockquote>


</div>


<div class="sect3"><a name="samba2-CHP-6-SECT-1.1.5"/>

<h3 class="head3">Changes at runtime</h3>

<p><a name="INDEX-12"/>You can modify the
<em class="filename">smb.conf</em> configuration file and any of its
options at any time while the Samba daemons are running. By default,
Samba checks the configuration file every 60 seconds. If it finds any
changes, they are immediately put into effect.</p>

<a name="samba2-CHP-6-NOTE-129"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
<p>Having Samba check the configuration file automatically can be
convenient, but it also means that if you edit
<em class="filename">smb.conf</em> directly, you might be immediately
changing your network's <a name="INDEX-13"/>configuration every time you save the
file. If you're making anything more than a minor
change, it may be wiser to copy <em class="filename">smb.conf</em> to a
temporary file, edit that, run <tt class="literal">testparm</tt>
<em class="replaceable">filename</em> to check it, and then copy the
temporary file back to <em class="filename">smb.conf</em>. That way, you
can be sure to put all your changes into effect at once, and only
after you are confident that you have created the exact configuration
you wish to implement.</p>
</blockquote>

<p>If you don't want to wait for the configuration file
to be reloaded automatically, you can force a reload either by
sending a hangup signal to the <em class="emphasis">smbd</em> and
<em class="emphasis">nmbd</em> processes or simply by restarting the
daemons. Actually, it can be a good idea to restart the daemons
because it forces the clients to disconnect and reconnect, ensuring
that the new configuration is applied to all clients. We showed you
how to restart the daemons in <a href="ch02.html">Chapter 2</a>, and
sending them a hangup (HUP) signal is very similar. On Linux, it can
be done with the command:</p>

<blockquote><pre class="code"># <tt class="userinput"><b>killall -HUP smbd nmbd</b></tt></pre></blockquote>

<p>In this case, not all changes will be immediately recognized by
clients. For example, changes to a share that is currently in use
will not be registered until the client disconnects and reconnects to
that share. In addition, server-specific parameters such as the
workgroup or NetBIOS name of the server will not go into effect
immediately either. (This behavior was implemented intentionally
because it keeps active clients from being suddenly disconnected or
encountering unexpected access problems while a session is open.)
<a name="INDEX-14"/></p>


</div>


</div>


<div class="sect2"><a name="samba2-CHP-6-SECT-1.2"/>

<h3 class="head2">Variables</h3>

<p><a name="INDEX-15"/>Because a
new copy of the<em class="filename"> </em><em class="emphasis">smbd</em> daemon
is created for each connecting client, it is possible for each client
to have its own customized configuration file. Samba allows a
limited, yet useful, form of variable substitution in the
configuration file to allow information about the Samba server and
the client to be included in the configuration at the time the client
connects. Inside the configuration file, a variable begins with a
percent sign (<tt class="literal">%</tt>), followed by a single upper- or
lowercase letter, and can be used only on the right side of a
configuration option (i.e., after the equal sign). An example is:</p>

<blockquote><pre class="code">[pub]
    path = /home/ftp/pub/%a</pre></blockquote>

<p>The <tt class="literal">%a</tt><a name="INDEX-16"/> stands for the client
system's architecture and will be replaced as shown
in <a href="ch06.html#samba2-CHP-6-TABLE-1">Table 6-1</a>.</p>

<a name="samba2-CHP-6-TABLE-1"/><h4 class="head4">Table 6-1. %a substitution</h4><table border="1">


<tr>
<th>
<p>Client operating system
(&quot;architecture&quot;)</p>
</th>
<th>
<p>Replacement string</p>
</th>
</tr>


<tr>
<td>
<p>Windows for Workgroups</p>
</td>
<td>
<p><tt class="literal">WfWg</tt></p>
</td>
</tr>
<tr>
<td>
<p>Windows 95 and Windows 98</p>
</td>
<td>
<p><tt class="literal">Win95</tt></p>
</td>
</tr>
<tr>
<td>
<p>Windows NT</p>
</td>
<td>
<p><tt class="literal">WinNT</tt></p>
</td>
</tr>
<tr>
<td>
<p>Windows 2000 and Windows XP</p>
</td>
<td>
<p><tt class="literal">Win2K</tt></p>
</td>
</tr>
<tr>
<td>
<p>Samba</p>
</td>
<td>
<p><tt class="literal">Samba</tt></p>
</td>
</tr>
<tr>
<td>
<p>Any OS not listed earlier</p>
</td>
<td>
<p><tt class="literal">UNKNOWN</tt></p>
</td>
</tr>

</table>

<p>In this example, Samba will assign a unique path for the
<tt class="literal">[pub]</tt> share to client systems based on what
operating system they are running. The paths that each client would
see as its share differ according to the client's
architecture:</p>

<blockquote><pre class="code">/home/ftp/pub/WfwG
/home/ftp/pub/Win95
/home/ftp/pub/WinNT
/home/ftp/pub/Win2K
/home/ftp/pub/Samba
/home/ftp/pub/UNKNOWN</pre></blockquote>

<p>Using variables in this manner comes in handy if you wish to have
different users run custom configurations based on their own unique
characteristics or conditions.
<a name="INDEX-17"/><a name="INDEX-18"/>Samba
has 20 variables, as shown in <a href="ch06.html#samba2-CHP-6-TABLE-2">Table 6-2</a>.</p>

<a name="samba2-CHP-6-TABLE-2"/><h4 class="head4">Table 6-2. Samba variables</h4><table border="1">


<tr>
<th>
<p>Variable</p>
</th>
<th>
<p>Definition</p>
</th>
</tr>


<tr>
<td>
<p><b class="emphasis-bold">Client variables</b></p>
</td>
</tr>
<tr>
<td>
<p><tt class="literal">%a</tt><a name="INDEX-19"/></p>
</td>
<td>
<p>Client's architecture (see <a href="ch06.html#samba2-CHP-6-TABLE-1">Table 6-1</a>)</p>
</td>
</tr>
<tr>
<td>
<p><tt class="literal">%I</tt><a name="INDEX-20"/></p>
</td>
<td>
<p>Client's IP address (e.g., 172.16.1.2)</p>
</td>
</tr>
<tr>
<td>
<p><tt class="literal">%m</tt><a name="INDEX-21"/></p>
</td>
<td>
<p>Client's NetBIOS name</p>
</td>
</tr>
<tr>
<td>
<p><tt class="literal">%M</tt><a name="INDEX-22"/></p>
</td>
<td>
<p>Client's DNS name</p>
</td>
</tr>
<tr>
<td>
<p><b class="emphasis-bold">User variables</b></p>
</td>
</tr>
<tr>
<td>
<p><tt class="literal">%u</tt><a name="INDEX-23"/></p>
</td>
<td>
<p>Current Unix username</p>
</td>
</tr>
<tr>
<td>
<p><tt class="literal">%U</tt><a name="INDEX-24"/></p>
</td>
<td>
<p>Requested client username (not always used by Samba)</p>
</td>
</tr>
<tr>
<td>
<p><tt class="literal">%H</tt><a name="INDEX-25"/></p>
</td>
<td>
<p>Home directory of <tt class="literal">%u</tt></p>
</td>
</tr>
<tr>
<td>
<p><tt class="literal">%g</tt><a name="INDEX-26"/></p>
</td>
<td>
<p>Primary group of <tt class="literal">%u</tt></p>
</td>
</tr>
<tr>
<td>
<p><tt class="literal">%G</tt><a name="INDEX-27"/></p>
</td>
<td>
<p>Primary group of <tt class="literal">%U</tt></p>
</td>
</tr>
<tr>
<td>
<p><b class="emphasis-bold">Share variables</b></p>
</td>
</tr>
<tr>
<td>
<p><tt class="literal">%S</tt><a name="INDEX-28"/></p>
</td>
<td>
<p>Current share's name</p>
</td>
</tr>
<tr>
<td>
<p><tt class="literal">%P</tt><a name="INDEX-29"/></p>
</td>
<td>
<p>Current share's root directory</p>
</td>
</tr>
<tr>
<td>
<p><tt class="literal">%p</tt><a name="INDEX-30"/></p>
</td>
<td>
<p>Automounter's path to the share's
root directory, if different from <tt class="literal">%P</tt></p>
</td>
</tr>
<tr>
<td>
<p><b class="emphasis-bold">Server variables</b></p>
</td>
</tr>
<tr>
<td>
<p><tt class="literal">%d</tt><a name="INDEX-31"/></p>
</td>
<td>
<p>Current server process ID</p>
</td>
</tr>
<tr>
<td>
<p><tt class="literal">%h</tt><a name="INDEX-32"/></p>
</td>
<td>
<p>Samba server's DNS hostname</p>
</td>
</tr>
<tr>
<td>
<p><tt class="literal">%L</tt><a name="INDEX-33"/></p>
</td>
<td>
<p>Samba server's NetBIOS name</p>
</td>
</tr>
<tr>
<td>
<p><tt class="literal">%N</tt><a name="INDEX-34"/></p>
</td>
<td>
<p>Home directory server, from the automount map</p>
</td>
</tr>
<tr>
<td>
<p><tt class="literal">%v</tt><a name="INDEX-35"/></p>
</td>
<td>
<p>Samba version</p>
</td>
</tr>
<tr>
<td>
<p><b class="emphasis-bold">Miscellaneous variables</b></p>
</td>
</tr>
<tr>
<td>
<p><tt class="literal">%R</tt><a name="INDEX-36"/></p>
</td>
<td>
<p>The SMB protocol level that was negotiated</p>
</td>
</tr>
<tr>
<td>
<p><tt class="literal">%T</tt><a name="INDEX-37"/></p>
</td>
<td>
<p>The current date and time</p>
</td>
</tr>
<tr>
<td>
<p><a name="INDEX-38"/>%$<em class="replaceable">var</em></p>
</td>
<td>
<p>The value of environment variable <tt class="literal">var</tt></p>
</td>
</tr>

</table>

<p>Here's another example of using
<a name="INDEX-39"/><a name="INDEX-40"/><a name="INDEX-41"/>variables: let's say there
are five clients on your network, but one client,
<tt class="literal">maya</tt>, requires a slightly different
<tt class="literal">[homes]</tt> configuration. With Samba,
it's simple to handle this:</p>

<blockquote><pre class="code">[homes]
    ...
    include = /usr/local/samba/lib/smb.conf.%m
    ...</pre></blockquote>

<p>The <tt class="literal">include</tt> option here causes a separate
configuration file for each particular NetBIOS machine
(<tt class="literal">%m</tt>) to be read in addition to the current file.
If the hostname of the client system is <tt class="literal">maya</tt>, and
if a <em class="filename">smb.conf.maya</em> file exists in the
<em class="filename">/usr/local/samba/lib</em> directory, Samba will
insert that configuration file into the default one. If any
configuration options are restated in
<em class="filename">smb.conf.maya</em>, those values will override any
options previously encountered in that share. Note that we say
&quot;previously.&quot; If any options are
restated in the main configuration file after the
<tt class="literal">include</tt> option, Samba will honor those restated
values for the share in which they are defined.</p>

<p>If the file specified by the <tt class="literal">include</tt> parameter
does not exist, Samba will not generate an error. In fact, it
won't do anything at all. This allows you to create
only one extra configuration file for <tt class="literal">maya</tt> when
using this strategy, instead of one for each client that is on the
network.</p>

<p>Client-specific configuration files can be used to customize
particular clients. They also can be used to make debugging Samba
easier. For example, if we have one client with a problem, we can use
this approach to give it a private log file with a more verbose
logging level. This allows us to see what Samba is doing without
slowing down all the other clients or overflowing the disk with
useless logs.</p>

<p>You can use the variables in <a href="ch06.html#samba2-CHP-6-TABLE-2">Table 6-2</a> to give
custom values to a variety of Samba options. We will highlight
several of these options as we move through the next few chapters.
<a name="INDEX-42"/></p>


</div>


</div>


<div class="sect1"><a name="samba2-CHP-6-SECT-2"/>

<h2 class="head1">Special Sections</h2>

<p>Now that we've gotten our feet wet with variables,
there are a few special sections of the Samba configuration file that
we should talk about. Again, don't worry if you do
not understand every configuration option listed here;
we'll go over each of them in the upcoming chapters.</p>


<div class="sect2"><a name="samba2-CHP-6-SECT-2.1"/>

<h3 class="head2">The [ global] Section</h3>

<p>The <tt class="literal">[global]</tt><a name="INDEX-43"/><a name="INDEX-44"/> section appears in virtually
every Samba configuration file, even though it is not mandatory.
There are two purposes for the <tt class="literal">[global]</tt> section.
Server-wide settings are defined here, and any options that apply to
shares will be used as a default in all share definitions, unless
overridden within the share definition.</p>

<p>To illustrate this, let's again look at the example
at the beginning of the chapter:</p>

<blockquote><pre class="code">[global]
    workgroup = METRAN
    encrypt passwords = yes
    wins support = yes
    log level = 1
    max log size = 1000
    read only = no
[homes]
    browsable = no
    map archive = yes
[printers]
    path = /var/tmp
    printable = yes
    min print space = 2000
[test]
    browsable = yes
    read only = yes
    path = /usr/local/samba/tmp</pre></blockquote>

<p>When a client connects to the <tt class="literal">[test]</tt> share, Samba
first reads the <tt class="literal">[global]</tt> section and sets the
option <tt class="literal">read</tt> <tt class="literal">only</tt>
<tt class="literal">=</tt> <tt class="literal">no</tt> as the global default for
each share it encounters throughout the configuration file. This
includes the <tt class="literal">[homes]</tt> and <tt class="literal">[test]</tt>
shares. When it reads the definition of the <tt class="literal">[test]</tt>
share, it then finds the configuration option <tt class="literal">read</tt>
<tt class="literal">only</tt> <tt class="literal">=</tt> <tt class="literal">yes</tt>
and overrides the default from the <tt class="literal">[global]</tt>
section with the value <tt class="literal">yes</tt>.</p>

<p>Any option that appears before the first marked section is assumed to
be a global option. This means that the <tt class="literal">[global]</tt>
section heading is not absolutely required; however, we suggest you
always include it for clarity and to ensure future compatibility.</p>


</div>


<div class="sect2"><a name="samba2-CHP-6-SECT-2.2"/>

<h3 class="head2">The [ homes] Section</h3>

<p>If a client attempts to connect to a share that
doesn't appear in the <em class="filename">smb.conf</em>
file, Samba will search for a
<tt class="literal">[homes]</tt><a name="INDEX-45"/><a name="INDEX-46"/> share in the
configuration file. If a <tt class="literal">[homes]</tt> share exists, the
unresolved share name is assumed to be a Unix username. If that
username appears in the password database on the Samba server, Samba
assumes the client is a Unix user trying to connect to her home
directory on the server.</p>

<p>For example, assume a client system is connecting to the Samba server
<tt class="literal">toltec</tt> for the first time and tries to connect to
a share named <tt class="literal">[alice]</tt>. There is no
<tt class="literal">[alice]</tt> share defined in the
<em class="filename">smb.conf</em> file, but there is a
<tt class="literal">[homes]</tt>, so Samba searches the password database
file and finds an <tt class="literal">alice</tt> user account is present on
the system. Samba then checks the password provided by the client
against user <tt class="literal">alice</tt>'s Unix
password&mdash;either with the password database file if
it's using nonencrypted passwords or with
Samba's <em class="filename">smbpasswd</em> file if
encrypted passwords are in use. If the passwords match, Samba knows
it has guessed right: the user <tt class="literal">alice</tt> is trying to
connect to her home directory. Samba will then create a share called
<tt class="literal">[alice]</tt> for her, with the share's
path set to <tt class="literal">alice</tt>'s home
directory.</p>

<p>The process of using the <tt class="literal">[homes]</tt> section to create
users (and dealing with their passwords) is discussed in more detail
in <a href="ch09.html">Chapter 9</a>.</p>


</div>


<div class="sect2"><a name="samba2-CHP-6-SECT-2.3"/>

<h3 class="head2">The [printers] Section</h3>

<p>The third special section is called
<tt class="literal">[printers]</tt><a name="INDEX-47"/><a name="INDEX-48"/> and is similar to
<tt class="literal">[homes]</tt>. If a client attempts to connect to a
share that isn't in the
<em class="filename">smb.conf</em> file and its name
can't be found in the password file, Samba will
check to see if it is a printer share. Samba does this by reading the
printer capabilities file (usually
<em class="filename">/etc/printcap</em>) to see if the share name appears
there.<a name="FNPTR-1"/><a href="#FOOTNOTE-1">[1]</a> If it does, Samba creates a share named after the
printer.</p>

<p>This means that as with <tt class="literal">[homes]</tt>, you
don't have to maintain a share for each system
printer in the <em class="filename">smb.conf</em> file. Instead, Samba
honors the Unix printer registry if you ask it to, and it provides
the registered printers to the client systems. However, there is a
potential difficulty: if you have an account named
<tt class="literal">fred</tt> and a printer named <tt class="literal">fred</tt>,
Samba will always find the user account first, even if the client
really needed to connect to the printer.</p>

<p>The process of setting up the <tt class="literal">[printers]</tt> share is
discussed in more detail in <a href="ch10.html">Chapter 10</a>.</p>


</div>


</div>


<div class="sect1"><a name="samba2-CHP-6-SECT-3"/>

<h2 class="head1">Configuration Options</h2>

<p><a name="INDEX-49"/>Options in
the Samba configuration files fall into one of two categories:
<em class="firstterm">global</em> options or <em class="firstterm">share</em>
options. Each category dictates where an option can appear in the
configuration file.</p>

<dl>
<dt><b>Global options</b></dt>
<dd>
<p>Global options must appear in the <tt class="literal">[global]</tt> section
and nowhere else. These are options that typically apply to the
behavior of the Samba server itself and not to any of its shares.</p>
</dd>


<dt><b>Share options</b></dt>
<dd>
<p>Share options can appear in share definitions, the
<tt class="literal">[global]</tt> section, or both. If they appear in the
<tt class="literal">[global]</tt> section, they will define a default
behavior for all shares unless a share overrides the option with a
value of its own.</p>
</dd>

</dl>

<p>In addition, configuration options can take three kinds of values.
They are as follows:</p>

<dl>
<dt><b>Boolean</b></dt>
<dd>
<p>These are simply yes or no values, but can be represented by any of
the following: <tt class="literal">yes</tt>, <tt class="literal">no</tt>,
<tt class="literal">true</tt>, <tt class="literal">false</tt>,
<tt class="literal">1</tt>, or <tt class="literal">0</tt>. The values are
case-insensitive: <tt class="literal">YES</tt> is the same as
<tt class="literal">yes</tt>.</p>
</dd>


<dt><b>Numeric</b></dt>
<dd>
<p>This is a decimal, hexadecimal, or octal number. The standard
<tt class="literal">0x</tt><em class="emphasis">nn</em> syntax is used for
hexadecimal and <tt class="literal">0</tt><em class="emphasis">nnn</em> for
octal.</p>
</dd>


<dt><b>String</b></dt>
<dd>
<p>This is a string of case-sensitive characters, such as a filename or
a username.</p>
</dd>

</dl>


<div class="sect2"><a name="samba2-CHP-6-SECT-3.1"/>

<h3 class="head2">Configuration File Options</h3>

<p>You can instruct Samba to include or replace configuration options as
it is processing them. The options to do this are summarized in <a href="ch06.html#samba2-CHP-6-TABLE-3">Table 6-3</a>.</p>

<a name="samba2-CHP-6-TABLE-3"/><h4 class="head4">Table 6-3. Configuration file options</h4><table border="1">


<tr>
<th>
<p>Option</p>
</th>
<th>
<p>Parameters</p>
</th>
<th>
<p>Function</p>
</th>
<th>
<p>Default</p>
</th>
<th>
<p>Scope</p>
</th>
</tr>


<tr>
<td>
<p><tt class="literal">config</tt> <tt class="literal">file</tt></p>
</td>
<td>
<p>string (name of file)</p>
</td>
<td>
<p>Sets the location of a configuration file to use instead of the
current one</p>
</td>
<td>
<p>None</p>
</td>
<td>
<p>Global</p>
</td>
</tr>
<tr>
<td>
<p><tt class="literal">include</tt></p>
</td>
<td>
<p>string (name of file)</p>
</td>
<td>
<p>Specifies an additional set of configuration options to be included
in the configuration file</p>
</td>
<td>
<p>None</p>
</td>
<td>
<p>Global</p>
</td>
</tr>
<tr>
<td>
<p><tt class="literal">copy</tt></p>
</td>
<td>
<p>string (name of share)</p>
</td>
<td>
<p>Allows you to clone the configuration options of another share in the
current share</p>
</td>
<td>
<p>None</p>
</td>
<td>
<p>Share</p>
</td>
</tr>

</table>


<div class="sect3"><a name="samba2-CHP-6-SECT-3.1.1"/>

<h3 class="head3">config file</h3>

<p>The global <tt class="literal">config</tt><a name="INDEX-50"/> <tt class="literal">file</tt>
option specifies a replacement configuration file that will be loaded
when the option is encountered. If the target file exists, the
remainder of the current configuration file, as well as the options
encountered so far, will be discarded, and Samba will configure
itself entirely with the options in the new file. Variables can be
used with the <tt class="literal">config</tt> <tt class="literal">file</tt>
option, which is useful in the event that you want to use a special
configuration file based on the NetBIOS machine name or user of the
client that is connecting.</p>

<p>For example, the following line instructs Samba to use a
configuration file specified by the NetBIOS name of the client
connecting, if such a file exists. If it does, options specified in
the original configuration file are ignored:</p>

<blockquote><pre class="code">[global]
    config file = /usr/local/samba/lib/smb.conf.%m</pre></blockquote>

<p>If the configuration file specified does not exist, the option is
ignored, and Samba will continue to configure itself based on the
current file. This allows a default configuration file to serve most
clients, while providing for exceptions with customized configuration
files.</p>


</div>


<div class="sect3"><a name="samba2-CHP-6-SECT-3.1.2"/>

<h3 class="head3">include</h3>

<p>This <a name="INDEX-51"/>option, discussed in greater detail
earlier, copies the target file into the current configuration file
at the point specified, as shown in <a href="ch06.html#samba2-CHP-6-FIG-1">Figure 6-1</a>.
This option also can be used with variables. You can use this option
as follows:</p>

<blockquote><pre class="code">[global]
    include = /usr/local/samba/lib/smb.conf.%m</pre></blockquote>

<p>If the configuration file specified does not exist, the option is
ignored. Options in the include file override any option specified
previously, but not options that are specified later. In <a href="ch06.html#samba2-CHP-6-FIG-1">Figure 6-1</a>, all three options will override their
previous values.</p>

<div class="figure"><a name="samba2-CHP-6-FIG-1"/><img src="figs/sam2_0601.gif"/></div><h4 class="head4">Figure 6-1. The include option in a Samba configuration file</h4>

<p>The <tt class="literal">include</tt> option does not work with the
variables <tt class="literal">%u</tt> (user), <tt class="literal">%P</tt>
(current share's root directory), or
<tt class="literal">%S</tt> (current share's name) because
they are not set at the time the <tt class="literal">include</tt> parameter
is processed.</p>


</div>


<div class="sect3"><a name="samba2-CHP-6-SECT-3.1.3"/>

<h3 class="head3">copy</h3>

<p>The <tt class="literal">copy</tt><a name="INDEX-52"/> configuration option allows you to clone
the configuration options of the share name that you specify in the
current share. The target share must appear earlier in the
configuration file than the share that is performing the copy. For
example:</p>

<blockquote><pre class="code">[template]
    writable = yes
    browsable = yes
    valid users = andy, dave, jay

[data]
    path = /usr/local/samba
    copy = template</pre></blockquote>

<p>Note that any options in the share that invoked the
<tt class="literal">copy</tt> directive will override those in the cloned
share; it does not matter whether they appear before or after the
<tt class="literal">copy</tt> directive. <a name="INDEX-53"/></p>


</div>


</div>


</div>


<div class="sect1"><a name="samba2-CHP-6-SECT-4"/>

<h2 class="head1">Server Configuration</h2>

<p><a name="INDEX-54"/>We will now start from
scratch and build a configuration file for our Samba server. First we
will introduce three basic configuration options that can appear in
the <tt class="literal">[global]</tt> section of the
<em class="filename">smb.conf</em> file:</p>

<blockquote><pre class="code">[global]
    #  Server configuration parameters
    netbios name = toltec
    server string = Samba %v on %L
    workgroup = METRAN
    encrypt passwords = yes</pre></blockquote>

<p>This configuration file is pretty simple; it advertises the Samba
server under the NetBIOS name <tt class="literal">toltec</tt>. In addition,
it places the system in the METRAN workgroup and displays a
description to clients that includes the Samba version number, as
well as the NetBIOS name of the Samba server.</p>

<a name="samba2-CHP-6-NOTE-130"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
<p>If you used the line <tt class="literal">encrypt passwords = yes</tt> in
your earlier configuration file, you should do so here as well.</p>
</blockquote>

<p>If you like, you can go ahead and try this configuration file. Create
a file named <em class="filename">smb.conf</em> under the
<em class="filename">/usr/local/samba/lib</em> directory with the text
listed earlier. Then restart the Samba server and use a Windows
client to verify the results. Be sure that your Windows clients are
in the METRAN workgroup as well. After double-clicking the Network
Neighborhood on a Windows client, you should see a window similar to
<a href="ch06.html#samba2-CHP-6-FIG-2">Figure 6-2</a>. (In this figure,
<tt class="literal">Mixtec</tt> is another Samba server,
<tt class="literal">a</tt>nd <tt class="literal">Zapotec</tt> is a Windows
client.)</p>

<div class="figure"><a name="samba2-CHP-6-FIG-2"/><img src="figs/sam2_0602.gif"/></div><h4 class="head4">Figure 6-2. Network Neighborhood showing Toltec, the Samba server</h4>

<p>You can verify the <tt class="literal">server</tt>
<tt class="literal">string</tt> by listing the details of the Network
Neighborhood window (select Details in the View menu). You should see
a window similar to <a href="ch06.html#samba2-CHP-6-FIG-3">Figure 6-3</a>.</p>

<div class="figure"><a name="samba2-CHP-6-FIG-3"/><img src="figs/sam2_0603.gif"/></div><h4 class="head4">Figure 6-3. Network Neighborhood details listing</h4>

<p>If you were to click the <em class="filename">toltec</em> icon, a window
should appear that shows the services that it provides. In this case,
the window would be completely empty because there are no shares on
the server yet.</p>


<div class="sect2"><a name="samba2-CHP-6-SECT-4.1"/>

<h3 class="head2">Server Configuration Options</h3>

<p><a href="ch06.html#samba2-CHP-6-TABLE-4">Table 6-4</a> summarizes the server configuration
options introduced previously. All three of these options are global
in scope, so they must appear in the <tt class="literal">[global]</tt>
section of the configuration file.<a name="INDEX-55"/></p>

<a name="samba2-CHP-6-TABLE-4"/><h4 class="head4">Table 6-4. Server configuration options</h4><table border="1">


<tr>
<th>
<p>Option</p>
</th>
<th>
<p>Parameters</p>
</th>
<th>
<p>Function</p>
</th>
<th>
<p>Default</p>
</th>
<th>
<p>Scope</p>
</th>
</tr>


<tr>
<td>
<p><tt class="literal">netbios</tt> <tt class="literal">name</tt></p>
</td>
<td>
<p>string</p>
</td>
<td>
<p>NetBIOS name of the Samba server</p>
</td>
<td>
<p>Server's unqualified DNS hostname</p>
</td>
<td>
<p>Global</p>
</td>
</tr>
<tr>
<td>
<p><tt class="literal">workgroup</tt></p>
</td>
<td>
<p>string</p>
</td>
<td>
<p>NetBIOS group to which the server belongs</p>
</td>
<td>
<p>Defined at compile time</p>
</td>
<td>
<p>Global</p>
</td>
</tr>
<tr>
<td>
<p><tt class="literal">server</tt> <tt class="literal">string</tt></p>
</td>
<td>
<p>string</p>
</td>
<td>
<p>Descriptive string for the Samba server</p>
</td>
<td>
<p><tt class="literal">Samba %v</tt></p>
</td>
<td>
<p>Global</p>
</td>
</tr>

</table>


<div class="sect3"><a name="samba2-CHP-6-SECT-4.1.1"/>

<h3 class="head3">netbios name</h3>

<p>The <tt class="literal">netbios</tt><a name="INDEX-56"/> <tt class="literal">name</tt> option
allows you to set the NetBIOS name of the server. For example:</p>

<blockquote><pre class="code">netbios name = YORKVM1</pre></blockquote>

<p>The default value for this configuration option is the
server's hostname&mdash;that is, the first part of
its fully qualified domain name. For example, a system with the DNS
name <tt class="literal">ruby.ora.com</tt> would be given the NetBIOS name
<tt class="literal">RUBY</tt> by default. While you can use this option to
restate the system's NetBIOS name in the
configuration file (as we did previously), it is more commonly used
to assign the Samba server a NetBIOS name other than its current DNS
name. Remember that the name given must follow the rules for valid
NetBIOS machine names as outlined in <a href="ch01.html">Chapter 1</a>.</p>

<p>Changing the NetBIOS name of the server is not recommended unless you
have a good reason. One such reason might be if the hostname of the
system is not unique because the LAN is divided over two or more DNS
domains. For example, YORKVM1 is a good NetBIOS candidate for
<tt class="literal">vm1.york.example.com</tt> to differentiate it from
<tt class="literal">vm1.falkirk.example.com</tt>, which has the same
hostname but resides in a different DNS domain.</p>

<p>Another use of this option is for relocating SMB services from a dead
or retired system. For example, if <tt class="literal">SALES</tt> is the
SMB server for the department and it suddenly dies, you could
immediately reset <tt class="literal">netbios</tt> <tt class="literal">name</tt>
<tt class="literal">=</tt> <tt class="literal">SALES</tt> on a backup Samba
server that's taking over for it. Users
won't have to change their drive mappings to a
different server; new connections to <tt class="literal">SALES</tt> will
simply go to the new server.</p>


</div>


<div class="sect3"><a name="samba2-CHP-6-SECT-4.1.2"/>

<h3 class="head3">workgroup</h3>

<p>The <tt class="literal">workgroup</tt><a name="INDEX-57"/> parameter sets the
current workgroup (or domain) in which the Samba server will
advertise itself. Clients that wish to access shares on the Samba
server should be in the same NetBIOS group. Remember that workgroups
are really just NetBIOS group names and must follow the standard
NetBIOS naming conventions outlined in <a href="ch01.html">Chapter 1</a>.</p>

<p>The default option for this parameter is set at compile time to
<tt class="literal">WORKGROUP</tt>. Because this is the default workgroup
name of every unconfigured Windows and Samba system, we recommend
that you always set your workgroup name in the Samba configuration
file. When choosing your workgroup name, try to avoid making it the
same name as a server or user. This will avoid possible problems with
WINS name resolution.</p>


</div>


<div class="sect3"><a name="samba2-CHP-6-SECT-4.1.3"/>

<h3 class="head3">server string</h3>

<p>The <tt class="literal">server</tt><a name="INDEX-58"/> <tt class="literal">string</tt>
parameter defines a comment string that will appear next to the
server name in both the Network Neighborhood (when shown with the
Details view) and the comment entry of the Microsoft Windows printer
manager.<a name="FNPTR-2"/><a href="#FOOTNOTE-2">[2]</a> </p>

<p>You can use variables to provide
information in the description. For example, our entry earlier was:</p>

<blockquote><pre class="code">[global]
    server string = Samba %v on (%h)</pre></blockquote>

<p>The default for this option simply presents the current version of
Samba and is equivalent to:</p>

<a name="INDEX-59"/><blockquote><pre class="code">server string = Samba %v</pre></blockquote>


</div>


</div>


</div>


<div class="sect1"><a name="samba2-CHP-6-SECT-5"/>

<h2 class="head1">Disk Share Configuration</h2>

<p><a name="INDEX-60"/><a name="INDEX-61"/>We mentioned in the previous section that
there were no disk shares on the <tt class="literal">toltec</tt> server.
Let's continue building the configuration file and
create an empty disk share called <tt class="literal">[data]</tt>. Here are
the additions that will do it:</p>

<blockquote><pre class="code">[data]
    path = /export/samba/data
    comment = Data Drive
    volume = Sample-Data-Drive
    writable = yes</pre></blockquote>

<p>The <tt class="literal">[data]</tt> share is typical for a Samba disk
share. The share maps to the directory <em class="filename">/export/samba/data
</em>on the Samba server. We've also provided
a comment that describes the share as a <tt class="literal">Data</tt>
<tt class="literal">Drive</tt>, as well as a volume name for the share
itself.</p>

<p>Samba's default is to create a read-only share. As a
result, the <tt class="literal">writable</tt> option needs to be explicitly
set for each disk share you wish to make writable.</p>

<p>We will also need to create the
<em class="filename">/export/samba/data</em> directory on the Samba server
with the following commands:</p>

<blockquote><pre class="code"># <tt class="userinput"><b>mkdir /export/samba/data</b></tt>
# <tt class="userinput"><b>chmod 777 /export/samba/data</b></tt></pre></blockquote>

<p>Now, if we connect to the <tt class="literal">toltec</tt> server again by
double-clicking its icon in the Windows Network Neighborhood, we will
see a single share entitled <tt class="literal">data</tt>, as shown in
<a href="ch06.html#samba2-CHP-6-FIG-4">Figure 6-4</a>. This share has read/write access, so
files can be copied to or from it.</p>

<div class="figure"><a name="samba2-CHP-6-FIG-4"/><img src="figs/sam2_0604.gif"/></div><h4 class="head4">Figure 6-4. The initial data share on the Samba server</h4>


<div class="sect2"><a name="samba2-CHP-6-SECT-5.1"/>

<h3 class="head2">Disk Share Configuration Options</h3>

<p>The basic Samba configuration options for disk shares previously
introduced are listed in <a href="ch06.html#samba2-CHP-6-TABLE-5">Table 6-5</a>.</p>

<a name="samba2-CHP-6-TABLE-5"/><h4 class="head4">Table 6-5. Basic share configuration options</h4><table border="1">


<tr>
<th>
<p>Option</p>
</th>
<th>
<p>Parameters</p>
</th>
<th>
<p>Function</p>
</th>
<th>
<p>Default</p>
</th>
<th>
<p>Scope</p>
</th>
</tr>


<tr>
<td>
<p><tt class="literal">path</tt> <tt class="literal">(directory)</tt></p>
</td>
<td>
<p>string (directory name)</p>
</td>
<td>
<p>Sets the Unix directory that will be provided for a disk share or
used for spooling by a printer share.</p>
</td>
<td>
<p><tt class="literal">/tmp</tt></p>
</td>
<td>
<p>Share</p>
</td>
</tr>
<tr>
<td>
<p><tt class="literal">comment</tt></p>
</td>
<td>
<p>string</p>
</td>
<td>
<p>Sets the comment that appears with the share.</p>
</td>
<td>
<p>None</p>
</td>
<td>
<p>Share</p>
</td>
</tr>
<tr>
<td>
<p><tt class="literal">volume</tt></p>
</td>
<td>
<p>string</p>
</td>
<td>
<p>Sets the MS-DOS volume name for the share.</p>
</td>
<td>
<p>Share name</p>
</td>
<td>
<p>Share</p>
</td>
</tr>
<tr>
<td>
<p><tt class="literal">read only</tt></p>
</td>
<td>
<p>boolean</p>
</td>
<td>
<p>If <tt class="literal">yes</tt>, allows read-only access to a share.</p>
</td>
<td>
<p><tt class="literal">yes</tt></p>
</td>
<td>
<p>Share</p>
</td>
</tr>
<tr>
<td>
<p><tt class="literal">writable</tt> <tt class="literal">(write ok or writeable)</tt></p>
</td>
<td>
<p>boolean</p>
</td>
<td>
<p>If <tt class="literal">no</tt>, allows read-only access to a share. If
<tt class="literal">yes</tt>, both reading and writing are allowed.</p>
</td>
<td>
<p><tt class="literal">no</tt></p>
</td>
<td>
<p>Share</p>
</td>
</tr>

</table>


<div class="sect3"><a name="samba2-CHP-6-SECT-5.1.1"/>

<h3 class="head3">path</h3>

<p>This <a name="INDEX-63"/>option, which has the synonym
<tt class="literal">directory</tt>, indicates the pathname for the root of
the shared directory or printer. You can choose any directory on the
Samba server, so long as the owner of the Samba process that is
connecting has read and write access to that directory. If the path
is for a printing share, it should point to a temporary directory
where files can be written on the server before being spooled to the
target printer ( <em class="filename"> /tmp</em> and
<em class="filename">/var/spool</em> are popular choices). If this path is
for a disk share, the contents of the folder representing the share
name on the client will match the contents of the directory on the
Samba server.</p>

<p>The directory specified as the value for <tt class="literal">path</tt> can
be given as a relative path, in which case it will be relative to the
directory specified by the <tt class="literal">root</tt>
<tt class="literal">directory</tt> parameter. Because
<tt class="literal">root</tt> <tt class="literal">directory</tt> defaults to root
(<em class="filename">/</em> ), it is generally a good idea to use
absolute paths for the <tt class="literal">path</tt> parameter, unless
<tt class="literal">root</tt> <tt class="literal">directory</tt> has been set to
something other than the default.</p>


</div>


<div class="sect3"><a name="samba2-CHP-6-SECT-5.1.2"/>

<h3 class="head3">comment</h3>

<p>The <tt class="literal">comment</tt><a name="INDEX-64"/> option allows you to enter a
comment that will be sent to the client when it attempts to browse
the share. The user can see the comment by using the Details view on
the share folder or with the <em class="emphasis">net view</em> command at
an MS-DOS prompt. For example, here is how you might insert a comment
for a share:</p>

<blockquote><pre class="code">[network]
    comment = Network Drive
    path = /export/samba/network</pre></blockquote>

<p>Be sure not to confuse the <tt class="literal">comment</tt> option, which
documents a Samba server's shares, with the
<tt class="literal">server</tt> <tt class="literal">string</tt> option, which
documents the server itself.</p>


</div>


<div class="sect3"><a name="samba2-CHP-6-SECT-5.1.3"/>

<h3 class="head3">volume</h3>

<p>This <a name="INDEX-65"/>option allows you to specify the volume
name of the share, which would otherwise default to the name of the
share given in the <em class="filename">smb.conf</em> file.</p>

<p>Some software installation programs check the volume name of the
distribution CD-ROM to make sure the correct CD-ROM is in the drive
before attempting to install from it. If you copy the contents of the
CD-ROM into a network share and wish to install from there, you can
use this option to make sure the installation program sees the
correct volume name:</p>

<blockquote><pre class="code">[network]
    comment = Network Drive
    volume = ASVP-102-RTYUIKA
    path = /home/samba/network</pre></blockquote>


</div>


<div class="sect3"><a name="samba2-CHP-6-SECT-5.1.4"/>

<h3 class="head3">read only, writable</h3>

<p>The options <tt class="literal">read</tt><a name="INDEX-66"/> <tt class="literal">only</tt>
and <tt class="literal">writable</tt><a name="INDEX-67"/> (also called
<tt class="literal">writeable</tt><a name="INDEX-68"/> or
<tt class="literal">write</tt><a name="INDEX-69"/> <tt class="literal">ok</tt> ) are really two
ways of saying the same thing, but they are approached from opposite
ends. For example, you can set either of the following options in the
<tt class="literal">[global]</tt> section or in an individual share:</p>

<blockquote><pre class="code">read only = yes
writable = no</pre></blockquote>

<p>If either option is set as shown, data can be read from a share, but
cannot be written to it. You might think you would need this option
only if you were creating a read-only share. However, note that this
read-only behavior is the <em class="emphasis">default</em> action for
shares; if you want to be able to write data to a share, you must
explicitly specify one of the following options in the configuration
file for each share:</p>

<blockquote><pre class="code">read only = no
writable = yes</pre></blockquote>

<p>If you specify more than one occurrence of either option, Samba will
adhere to the last value it encounters for the share. <a name="INDEX-70"/><a name="INDEX-71"/></p>


</div>


</div>


</div>


<div class="sect1"><a name="samba2-CHP-6-SECT-6"/>

<h2 class="head1">Networking Options with Samba</h2>

<p><a name="INDEX-72"/><a name="INDEX-73"/>If
you're running <a name="INDEX-74"/><a name="INDEX-75"/>Samba on a multihomed
system (on multiple subnets), you will need to configure Samba to use
all the network interfaces. Another use for the options presented in
this section is to implement better security by allowing or
disallowing connections on the specified interfaces.</p>

<p>Let's assume that our Samba server can access both
the subnets 192.168.220.* and 134.213.233.*. Here are our additions
to the configuration file to add the networking configuration
options:</p>

<blockquote><pre class="code">[global]
    #  Networking configuration options
    hosts allow = 192.168.220. 134.213.233.
    hosts deny = 192.168.220.102
    interfaces = 192.168.220.100/255.255.255.0 \
                    134.213.233.110/255.255.255.0
    bind interfaces only = yes</pre></blockquote>

<p>Take a look at the <tt class="literal">hosts</tt><a name="INDEX-76"/> <tt class="literal">allow</tt>
and <tt class="literal">hosts</tt><a name="INDEX-77"/> <tt class="literal">deny</tt> options. If these
options sound familiar, you're probably thinking of
the <em class="filename">hosts.allow</em> and
<em class="filename">hosts.deny</em> files that are found in the
<em class="filename">/etc</em> directories of many Unix systems. The
purpose of these options is identical to those files; they provide a
means of security by allowing or denying the connections of other
hosts based on their IP addresses. We could use the
<em class="filename">hosts.allow</em> and <em class="filename">hosts.deny</em>
files, but we are using this method instead because there might be
services on the server that we want others to access without also
giving them access to Samba's disk or printer
shares.</p>

<p>With the <tt class="literal">hosts</tt> <tt class="literal">allow</tt> option,
we've specified a 192.168.220 IP address, which is
equivalent to saying: &quot;All hosts on the 192.168.220
subnet.&quot; However, we've explicitly
specified in a <tt class="literal">hosts</tt> <tt class="literal">deny</tt> line
that 192.168.220.102 is not to be allowed access.</p>

<p>You might be wondering why 192.168.220.102 will be denied even though
it is still in the subnet matched by the <tt class="literal">hosts</tt>
<tt class="literal">allow</tt> option. It is important to understand how
Samba sorts out the rules specified by <tt class="literal">hosts</tt>
<tt class="literal">allow</tt> and <tt class="literal">hosts</tt> <tt class="literal">deny</tt>
:</p>

<ol><li>
<p>If no <tt class="literal">allow</tt> or <tt class="literal">deny</tt> options are
defined anywhere in <em class="filename">smb.conf</em>, Samba will allow
connections from any system.</p>
</li><li>
<p>If <tt class="literal">hosts</tt> <tt class="literal">allow</tt> or
<tt class="literal">hosts</tt> <tt class="literal">deny</tt> options are defined
in the <tt class="literal">[global]</tt> section of
<em class="filename">smb.conf</em>, they will apply to all shares, even if
either option is defined in one or more of the shares.</p>
</li><li>
<p>If only a <tt class="literal">hosts</tt> <tt class="literal">allow</tt> option is
defined for a share, only the hosts listed will be allowed to use the
share. All others will be denied.</p>
</li><li>
<p>If only a <tt class="literal">hosts</tt> <tt class="literal">deny</tt> option is
defined for a share, any client which is not on the list will be able
to use the share.</p>
</li><li>
<p>If both a <tt class="literal">hosts</tt> <tt class="literal">allow</tt> and
<tt class="literal">hosts</tt> <tt class="literal">deny</tt> option are defined,
a host must appear in the allow list and not appear in the deny list
(in any form) to access the share. Otherwise, the host will not be
allowed.</p>
</li></ol><a name="samba2-CHP-6-NOTE-131"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
<p>Take care that you don't explicitly allow a host to
access a share, but then deny access to the entire subnet of which
the host is part.</p>
</blockquote>

<p>Let's look at another example of that final item.
Consider the following options:</p>

<blockquote><pre class="code">hosts allow = 111.222.
hosts deny = 111.222.333.</pre></blockquote>

<p>In this case, only the hosts that belong to the subnet 111.222.*.*
will be allowed access to the Samba shares. However, if a client
belongs to the 111.222.333.* subnet, it will be denied access, even
though it still matches the qualifications outlined by
<tt class="literal">hosts</tt> <tt class="literal">allow</tt>. The client must
appear on the <tt class="literal">hosts</tt> <tt class="literal">allow</tt> list
and <em class="emphasis">must not</em> appear on the
<tt class="literal">hosts</tt> <tt class="literal">deny</tt> list to gain access
to a Samba share.</p>

<p>The other two options that we've specified are
<tt class="literal">interfaces</tt> and <tt class="literal">bind</tt>
<tt class="literal">interface</tt> <tt class="literal">only</tt>.
Let's look at the <tt class="literal">interfaces</tt>
option first. Samba, by default, sends data only from the primary
network interface, which in our example is the 192.168.220.100
subnet. If we would like it to send data to more than that one
interface, we need to specify the complete list with the
<tt class="literal">interfaces</tt> option. In the previous example,
we've bound Samba to interface with both subnets
(192.168.220 and 134.213.233) on which the system is operating by
specifying the other network interface address: 134.213.233.100. If
you have more than one interface on your computer, you should always
set this option, as there is no guarantee that the primary interface
that Samba chooses will be the right one.</p>

<p>Finally, the <tt class="literal">bind</tt> <tt class="literal">interfaces</tt>
<tt class="literal">only</tt> option instructs the
<em class="filename">nmbd</em> process not to accept any broadcast
messages other than on the subnets specified with the
<tt class="literal">interfaces</tt> option. This is different from the
<tt class="literal">hosts</tt> <tt class="literal">allow</tt> and
<tt class="literal">hosts</tt> <tt class="literal">deny</tt> options, which
prevent clients from making connections to services, but not from
receiving broadcast messages. Using the <tt class="literal">bind</tt>
<tt class="literal">interfaces</tt> <tt class="literal">only</tt> option is a way
to shut out all datagrams from foreign subnets. In addition, it
instructs the <em class="emphasis">smbd</em> process to bind to only the
interface list given by the <em class="emphasis">interfaces</em> option.
This restricts the networks that Samba will serve.</p>


<div class="sect2"><a name="samba2-CHP-6-SECT-6.1"/>

<h3 class="head2">Networking Options</h3>

<p>The networking options we introduced earlier are summarized in <a href="ch06.html#samba2-CHP-6-TABLE-6">Table 6-6</a>.</p>

<a name="samba2-CHP-6-TABLE-6"/><h4 class="head4">Table 6-6. Networking configuration options</h4><table border="1">


<tr>
<th>
<p>Option</p>
</th>
<th>
<p>Parameters</p>
</th>
<th>
<p>Function</p>
</th>
<th>
<p>Default</p>
</th>
<th>
<p>Scope</p>
</th>
</tr>


<tr>
<td>
<p><tt class="literal">hosts allow (allow</tt> <tt class="literal">hosts)</tt></p>
</td>
<td>
<p>string (list of hostnames)</p>
</td>
<td>
<p>Client systems that can connect to Samba.</p>
</td>
<td>
<p>None</p>
</td>
<td>
<p>Share</p>
</td>
</tr>
<tr>
<td>
<p><tt class="literal">hosts deny (deny</tt> <tt class="literal">hosts)</tt></p>
</td>
<td>
<p>string (list of hostnames)</p>
</td>
<td>
<p>Client systems that cannot connect to Samba.</p>
</td>
<td>
<p>None</p>
</td>
<td>
<p>Share</p>
</td>
</tr>
<tr>
<td>
<p><tt class="literal">interfaces</tt></p>
</td>
<td>
<p>string (list of IP/netmask combinations)</p>
</td>
<td>
<p>Network interfaces Samba will respond to. Allows correcting defaults.</p>
</td>
<td>
<p>System-dependent</p>
</td>
<td>
<p>Global</p>
</td>
</tr>
<tr>
<td>
<p><tt class="literal">bind</tt></p>

<p><tt class="literal">interfaces only</tt></p>
</td>
<td>
<p>boolean</p>
</td>
<td>
<p>If set to <tt class="literal">yes</tt>, Samba will bind only to those
interfaces specified by the <tt class="literal">interfaces</tt> option.</p>
</td>
<td>
<p><tt class="literal">no</tt></p>
</td>
<td>
<p>Global</p>
</td>
</tr>

</table>


<div class="sect3"><a name="samba2-CHP-6-SECT-6.1.1"/>

<h3 class="head3">hosts allow</h3>

<p>The <tt class="literal">hosts</tt> <tt class="literal">allow</tt> option
(sometimes written as <tt class="literal">allow</tt>
<tt class="literal">hosts</tt>) specifies the clients that have permission
to access shares on the Samba server, written as a comma- or
space-separated list of hostnames of systems or their IP addresses.
You can gain quite a bit of security by simply placing your
LAN's subnet address in this option.</p>

<p>You can specify any of the following formats for this option:</p>

<ul><li>
<p>Hostnames, such as <tt class="literal">ftp.example.com</tt> .</p>
</li><li>
<p>IP addresses, such as <tt class="literal">130.63.9.252</tt>.</p>
</li><li>
<p>Domain names, which can be differentiated from individual hostnames
because they start with a dot. For example,
<tt class="literal">.ora.com</tt> represents all systems within the
<em class="emphasis">ora.com</em> domain.</p>
</li><li>
<p>Netgroups, which start with an at sign (<tt class="literal">@</tt>), such
as <tt class="literal">@printerhosts</tt>. Netgroups are usually available
only on systems running NIS or NIS+. If netgroups are supported on
your system, there should be a <tt class="literal">netgroups</tt> manual
page that describes them in more detail.</p>
</li><li>
<p>Subnets, which end with a dot. For example,
<tt class="literal">130.63.9</tt>. means all the systems whose IP addresses
begin with 130.63.9.</p>
</li><li>
<p>The keyword <tt class="literal">ALL</tt>, which allows any client access.</p>
</li><li>
<p>The keyword <tt class="literal">EXCEPT</tt> followed by one or more names,
IP addresses, domain names, netgroups, or subnets. For example, you
could specify that Samba allow all hosts except those on the
192.168.110 subnet with <tt class="literal">hosts</tt>
<tt class="literal">allow</tt> <tt class="literal">=</tt> <tt class="literal">ALL</tt>
<tt class="literal">EXCEPT</tt> <tt class="literal">192.168.110</tt>. (remember
to include the trailing dot).</p>
</li></ul>
<p>Using the <tt class="literal">ALL</tt> keyword by itself is almost always a
bad idea because it means that crackers on any network can access
your Samba server.</p>

<p>The hostname <tt class="literal">localhost</tt>, for the loopback address
127.0.0.1, is included in the <tt class="literal">hosts</tt>
<tt class="literal">allow</tt> list by default and does not need to be
listed explicitly unless you have specified the
<tt class="literal">bind</tt> <tt class="literal">interfaces</tt>
<tt class="literal">only</tt> parameter. This address is required for Samba
to work properly.</p>

<p>Other than that, there is no default value for the
<tt class="literal">hosts</tt> <tt class="literal">allow</tt> configuration
option. The default course of action in the event that neither the
<tt class="literal">hosts</tt> <tt class="literal">allow</tt> or
<tt class="literal">hosts</tt> <tt class="literal">deny</tt> option is specified
in <em class="filename">smb.conf</em> is to allow access from all sources.</p>

<a name="samba2-CHP-6-NOTE-132"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
<p>If you specify <tt class="literal">hosts allow</tt> in the
<tt class="literal">[global]</tt> section, that definition will override
any <tt class="literal">hosts allow</tt> lines in the share definitions.
This is the opposite of the usual behavior, which is for parameters
set in share definitions to override default values set in the
<tt class="literal">[global]</tt> section.<a name="INDEX-78"/></p>
</blockquote>


</div>


<div class="sect3"><a name="samba2-CHP-6-SECT-6.1.2"/>

<h3 class="head3">hosts deny</h3>

<p>The <tt class="literal">hosts</tt> <tt class="literal">deny</tt> option
(synonymous with <tt class="literal">deny</tt> <tt class="literal">hosts</tt>)
specifies client systems that do not have permission to access a
share, written as a comma- or space-separated list of hostnames or
their IP addresses. Use the same format for specifying clients as the
<tt class="literal">hosts</tt> <tt class="literal">allow</tt> option earlier. For
example, to restrict access to the server from everywhere but
<tt class="literal">example.com</tt>, you could write:</p>

<blockquote><pre class="code">hosts deny = ALL EXCEPT .example.com</pre></blockquote>

<p>There is no default value for the <tt class="literal">hosts</tt>
<tt class="literal">deny</tt> configuration option, although the default
course of action in the event that neither option is specified is to
allow access from all sources. Also, if you specify this option in
the <tt class="literal">[global]</tt> section of the configuration file, it
will override any <tt class="literal">hosts</tt> <tt class="literal">deny</tt>
options defined in shares. If you wish to deny access to specific
shares, omit both the <tt class="literal">hosts</tt>
<tt class="literal">allow</tt> and <tt class="literal">hosts</tt>
<tt class="literal">deny</tt> options from the <tt class="literal">[global]</tt>
section of the configuration file.</p>

<a name="samba2-CHP-6-NOTE-133"/><blockquote class="note"><h4 class="objtitle">NOTE</h4>
<p>Never include the loopback address (<tt class="literal">localhost</tt> at
IP address 127.0.0.1) in the <tt class="literal">hosts deny</tt> list. The
<em class="filename">smbpasswd</em> program needs to connect through the
loopback address to the Samba server as a client to change a
user's encrypted password. If the loopback address
is disabled, the locally generated packets requesting the change of
the encrypted password will be discarded by Samba.</p>


<p>In addition, both local browsing propagation and some functions of
SWAT require access to the Samba server through the loopback address
and will not work correctly if this address is disabled.
<a name="INDEX-79"/></p>
</blockquote>


</div>


<div class="sect3"><a name="samba2-CHP-6-SECT-6.1.3"/>

<h3 class="head3">interfaces</h3>

<p>The <tt class="literal">interfaces</tt><a name="INDEX-80"/> option specifies the
networks that you want the Samba server to recognize and respond to.
This option is handy if you have a computer that resides on more than
one network subnet. If this option is not set, Samba searches for the
primary network interface of the server (typically the first Ethernet
card) upon startup and configures itself to operate on only that
subnet. If the server is configured for more than one subnet and you
do not specify this option, Samba will only work on the first subnet
it encounters. You must use this option to force Samba to serve the
other subnets on your network.</p>

<p>The value of this option is one or more sets of IP address/netmask
pairs, as in the following:</p>

<blockquote><pre class="code">interfaces = 192.168.220.100/255.255.255.0 192.168.210.30/255.255.255.0</pre></blockquote>

<p>You can optionally specify a
<a name="INDEX-81"/><a name="INDEX-82"/>CIDR format bitmask, like this:</p>

<blockquote><pre class="code">interfaces = 192.168.220.100/24 192.168.210.30/24</pre></blockquote>

<p>The number after the slash specifies the number of bits that will be
set in the netmask. For example, the number 24 means that the first
24 (of 32) bits will be set in the bitmask, which is the same as
specifying 255.255.255.0 as the netmask. Likewise, 16 would be
equivalent to a netmask of 255.255.0.0, and 8 would be the same as a
netmask of 255.0.0.0.</p>
<a name="samba2-CHP-6-NOTE-135"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
<p>This option might not work correctly if you are using DHCP.</p>
</blockquote>


</div>


<div class="sect3"><a name="samba2-CHP-6-SECT-6.1.4"/>

<h3 class="head3">bind interfaces only</h3>

<p>The <tt class="literal">bind</tt><a name="INDEX-83"/>
<tt class="literal">interfaces</tt> <tt class="literal">only</tt> option can be
used to force the <em class="emphasis">smbd</em> and
<em class="emphasis">nmbd</em> processes to respond only to those
addresses specified by the <tt class="literal">interfaces</tt> option. The
<em class="emphasis">nmbd</em> process normally binds to the all-addresses
interface (0.0.0.0.) on ports 137 and 138, allowing it to receive
broadcasts from anywhere. However, you can override this behavior
with the following:</p>

<blockquote><pre class="code">bind interfaces only = yes</pre></blockquote>

<p>This will cause Samba to ignore any packets (including broadcast
packets) whose source address does not correspond to any of the
network interfaces specified by the <tt class="literal">interfaces</tt>
option. You should avoid using this option if you want to allow
temporary network connections, such as those created through SLIP or
PPP. It's very rare that this option is needed, and
it should be used only by experts.</p>

<a name="samba2-CHP-6-NOTE-136"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
<p>If you set <tt class="literal">bind interfaces only</tt> to <tt class="literal">yes</tt>
, add the <a name="INDEX-84"/><a name="INDEX-85"/><a name="INDEX-86"/>local host
address (127.0.01) to the
&quot;interfaces&quot; list. Otherwise,
<em class="emphasis">smbpasswd</em> will be unable to connect to the
server using its default mode in order to change a password, local
browse list propagation will fail, and some functions of swat will
not work properly. <a name="INDEX-87"/><a name="INDEX-88"/></p>
</blockquote>


</div>


</div>


</div>


<div class="sect1"><a name="samba2-CHP-6-SECT-7"/>

<h2 class="head1">Virtual Servers</h2>

<p><a name="INDEX-89"/>Virtual
servers can be used to create the illusion of having multiple servers
on the network, when in reality there is only one. The technique is
simple to implement: a system simply registers more than one NetBIOS
name in association with its IP address. There are tangible benefits
to doing this.</p>

<p>For example, the accounting department might have an
<tt class="literal">accounting</tt> server, and clients of it would see
just the accounting disks and printers. The marketing department
could have its own server, <tt class="literal">marketing</tt>, with its own
reports, and so on. However, all the services would be provided by
one medium-size Unix server (and one relaxed administrator) instead
of having one small server per department.</p>


<div class="sect2"><a name="samba2-CHP-6-SECT-7.1"/>

<h3 class="head2">Virtual Server Configuration Options</h3>

<p><a name="INDEX-90"/><a name="INDEX-91"/>Samba will allow a server to use more
than one NetBIOS name with the <tt class="literal">netbios</tt>
<tt class="literal">aliases</tt> option. See <a href="ch06.html#samba2-CHP-6-TABLE-7">Table 6-7</a>.</p>

<a name="samba2-CHP-6-TABLE-7"/><h4 class="head4">Table 6-7. Virtual server configuration options</h4><table border="1">


<tr>
<th>
<p>Option</p>
</th>
<th>
<p>Parameters</p>
</th>
<th>
<p>Function</p>
</th>
<th>
<p>Default</p>
</th>
<th>
<p>Scope</p>
</th>
</tr>


<tr>
<td>
<p><tt class="literal">netbios</tt> <tt class="literal">aliases</tt></p>
</td>
<td>
<p>string (list of NetBIOS names)</p>
</td>
<td>
<p>Additional NetBIOS names to respond to, for use with multiple
&quot;virtual&quot; Samba servers</p>
</td>
<td>
<p>None</p>
</td>
<td>
<p>Global</p>
</td>
</tr>

</table>


<div class="sect3"><a name="samba2-CHP-6-SECT-7.1.1"/>

<h3 class="head3">netbios aliases</h3>

<p>The <tt class="literal">netbios</tt><a name="INDEX-92"/>
<tt class="literal">aliases</tt> option can be used to give the Samba
server more than one NetBIOS name. Each NetBIOS name listed as a
value will be displayed in the Network Neighborhood of Windows
clients. When a connection is requested to any of the servers, it
will connect to the same Samba server.</p>

<p>This might come in handy, for example, if you're
transferring three departments' data to a single
Unix server with larger and faster disks and are retiring or
reallocating the old Windows NT/2000 servers. If the three servers
are called <tt class="literal">sales</tt>, <tt class="literal">accounting</tt>,
and <tt class="literal">admin</tt>, you can have Samba represent all three
servers with the following options:</p>

<blockquote><pre class="code">[global]
    netbios aliases = sales accounting admin
    include = /usr/local/samba/lib/smb.conf.%L</pre></blockquote>

<p>See <a href="ch06.html#samba2-CHP-6-FIG-5">Figure 6-5</a> for what the Network Neighborhood
would display from a client. When a client attempts to connect to
Samba, it will specify the name of the server to which
it's trying to connect, which is made available in
the configuration file through the <tt class="literal">%L</tt> variable. If
the requested server is <tt class="literal">sales</tt>, Samba will include
the file <em class="filename">/usr/local/samba/lib/smb.conf.sales</em>.
This file might contain global and share declarations exclusively for
the sales team, such as the following:</p>

<blockquote><pre class="code">[global]
    workgroup = SALES
    hosts allow = 192.168.10.255

[sales2003]
    path = /usr/local/samba/sales/sales2003/
...</pre></blockquote>

<p>This particular example would set the workgroup to SALES as well and
set the IP address to allow connections only from the SALES subnet
(192.168.10). In addition, it would offer shares specific to the
sales department.</p>

<div class="figure"><a name="samba2-CHP-6-FIG-5"/><img src="figs/sam2_0605.gif"/></div><h4 class="head4">Figure 6-5. Using NetBIOS aliases for a Samba server</h4>


</div>


</div>


</div>


<div class="sect1"><a name="samba2-CHP-6-SECT-8"/>

<h2 class="head1">Logging Configuration Options</h2>

<p><a name="INDEX-93"/><a name="INDEX-94"/>Occasionally,
we need to find out what Samba is up to. This is especially true when
Samba is performing an unexpected action or is not performing at all.
To find out this information, we need to check
Samba's log files to see exactly why it did what it
did.</p>

<p>Samba <a name="INDEX-95"/>log files
can be as brief or verbose as you like. Here is an example of what a
Samba log file looks like:</p>

<blockquote><pre class="code">[2002/07/21 13:23:25, 3] smbd/service.c:close_cnum(514)
  maya (172.16.1.6) closed connection to service IPC$
[2002/07/21 13:23:25, 3] smbd/connection.c:yield_connection(40)
  Yielding connection to IPC$
[2002/07/21 13:23:25, 3] smbd/process.c:process_smb(615)
  Transaction 923 of length 49
[2002/07/21 13:23:25, 3] smbd/process.c:switch_message(448)
  switch message SMBread (pid 467)
[2002/07/21 13:23:25, 3] lib/doscalls.c:dos_ChDir(336)
  dos_ChDir to /home/samba
[2002/07/21 13:23:25, 3] smbd/reply.c:reply_read(2199)
  read fnum=4207 num=2820 nread=2820
[2002/07/21 13:23:25, 3] smbd/process.c:process_smb(615)
  Transaction 924 of length 55
[2002/07/21 13:23:25, 3] smbd/process.c:switch_message(448)
  switch message SMBreadbraw (pid 467)
[2002/07/21 13:23:25, 3] smbd/reply.c:reply_readbraw(2053)
  readbraw fnum=4207 start=130820 max=1276 min=0 nread=1276
[2002/07/21 13:23:25, 3] smbd/process.c:process_smb(615)
  Transaction 925 of length 55
[2002/07/21 13:23:25, 3] smbd/process.c:switch_message(448)
  switch message SMBreadbraw (pid 467)</pre></blockquote>

<p>Much of this information is of use only to Samba programmers.
However, we will go over the meaning of some of these entries in more
detail in <a href="ch12.html">Chapter 12</a>.</p>

<p>Samba contains six options that allow users to describe how and where
logging information should be written. Each of these are global
options and cannot appear inside a share definition. Here is an
example of some logging options that we are adding to our
configuration file:</p>

<blockquote><pre class="code">[global]
    log level = 2
    log file = /var/log/samba.log.%m
    max log size = 50
    debug timestamp = yes</pre></blockquote>

<p>Here, we've added a custom log file that reports
information up to debug level 2. This is a relatively light debugging
level. The logging level ranges from 1 to 10, where level 1 provides
only a small amount of information and level 10 provides a plethora
of low-level information. Levels 2 or 3 will provide us with useful
debugging information without wasting disk space on our server. In
practice, you should avoid using log levels greater than 3 unless you
are working on the Samba source code.</p>

<p>The logging file is located in the <em class="filename">/var/log</em>
directory thanks to the <tt class="literal">log</tt>
<tt class="literal">file</tt> configuration option. However, we can use
variable substitution to create log files specifically for individual
users or clients, such as with the <tt class="literal">%m</tt> variable in
the following line:</p>

<blockquote><pre class="code">log file = /usr/local/logs/samba.log.%m</pre></blockquote>

<p>Isolating the log messages can be invaluable in tracking down a
network error if you know the problem is coming from a specific
client system or user.</p>

<p>We've added a precaution to the log files: no one
log file can exceed 50 KB in size, as specified by the
<tt class="literal">max</tt> <tt class="literal">log</tt> <tt class="literal">size</tt>
option. If a log file exceeds this size, the contents are moved to a
file with the same name but with the suffix <em class="emphasis">.old</em>
appended. If the <em class="emphasis">.old</em> file already exists, it is
overwritten and its contents are lost. The original file is cleared,
waiting to receive new logging information. This prevents the hard
drive from being overwhelmed with Samba log files during the life of
the Samba daemons.</p>

<p>We have decided to write the timestamps of the messages in the logs
with the <tt class="literal">debug</tt> <tt class="literal">timestamp</tt>
option, which is the default behavior. This will place a timestamp in
each message written to the logging file. If we were not interested
in this information, we could specify <tt class="literal">no</tt> for this
option instead.</p>


<div class="sect2"><a name="samba2-CHP-6-SECT-8.1"/>

<h3 class="head2">Using syslog</h3>

<p>If you wish to use the system logger
(<a name="INDEX-96"/>syslog<em class="filename">
</em>) in addition to or in place of the standard Samba logging
file, Samba provides options for this as well. However, to use
syslog, the first thing you will have to do is make sure that Samba
was built with the <tt class="literal">configure</tt>
<tt class="literal">--with-syslog</tt> option. See <a href="ch02.html">Chapter 2</a> for more information on configuring and
compiling Samba. See <a href="appe.html">Appendix E</a> for more
information about the <tt class="literal">--with-syslog</tt> option.</p>

<p>Once that is done, you will need to configure your
<em class="filename">/etc/syslog.conf</em><a name="INDEX-97"/> to accept logging information from Samba.
If there is not already a <tt class="literal">daemon.*</tt> entry in the
<em class="filename">/etc/syslog.conf</em> file, add the following:</p>

<blockquote><pre class="code">daemon.*        /var/log/daemon.log</pre></blockquote>

<p>This specifies that any logging information from system daemons will
be stored in the <em class="filename">/var/log/daemon.log</em> file. This
is where the Samba information will be stored as well. From there,
you can set a value for the <tt class="literal">syslog</tt> parameter in
your Samba configuration file to specify which logging messages are
to be sent to syslog. Only messages that have debug levels lower than
the value of the <tt class="literal">syslog</tt> parameter will be sent to
syslog. For example, setting the following:</p>

<blockquote><pre class="code">syslog = 3</pre></blockquote>

<p>specifies that any logging messages with a level of 2 or below will
be sent to both syslog and the Samba logging files. (The mappings to
<em class="filename">syslog</em> priorities are described in the upcoming
section &quot;syslog.&quot;) To continue the
example, let's assume that we have set the
<tt class="literal">log</tt> <tt class="literal">level</tt> option to 4. Logging
messages with levels of 2 and 1 will be sent to both syslog and the
Samba logging files, and messages with a level of 3 or 4 will be sent
to the Samba logging files, but not to syslog. If the
<tt class="literal">syslog</tt> value exceeds the <tt class="literal">log</tt>
<tt class="literal">level</tt> value, nothing will be sent to syslog.</p>

<p>If you want to specify that messages be sent only to syslog&mdash;and
not to the standard Samba logging files&mdash;you can place this
option in the configuration file:</p>

<blockquote><pre class="code">syslog only = yes</pre></blockquote>

<p>If this is the case, any logging information above the number
specified in the <tt class="literal">syslog</tt> option will be discarded,
as with the <tt class="literal">log</tt> <tt class="literal">level</tt> option.</p>


</div>


<div class="sect2"><a name="samba2-CHP-6-SECT-8.2"/>

<h3 class="head2">Logging Configuration Options</h3>

<p><a href="ch06.html#samba2-CHP-6-TABLE-8">Table 6-8</a> lists each logging configuration option
that Samba can use.</p>

<a name="samba2-CHP-6-TABLE-8"/><h4 class="head4">Table 6-8. Logging configuration options</h4><table border="1">


<tr>
<th>
<p>Option</p>
</th>
<th>
<p>Parameters</p>
</th>
<th>
<p>Function</p>
</th>
<th>
<p>Default</p>
</th>
<th>
<p>Scope</p>
</th>
</tr>


<tr>
<td>
<p><tt class="literal">log file</tt></p>
</td>
<td>
<p>string (name of file)</p>
</td>
<td>
<p>Name of the log file that Samba is to use. Works with all variables.</p>
</td>
<td>
<p>Specified in Samba makefile</p>
</td>
<td>
<p>Global</p>
</td>
</tr>
<tr>
<td>
<p><tt class="literal">log level</tt></p>

<p><tt class="literal">(debug level)</tt></p>
</td>
<td>
<p>numeric (0-10)</p>
</td>
<td>
<p>Amount of log/debug messages that are sent to the log file. 0 is
none; 3 is considerable.</p>
</td>
<td>
<p><tt class="literal">1</tt></p>
</td>
<td>
<p>Global</p>
</td>
</tr>
<tr>
<td>
<p><tt class="literal">max log size</tt></p>
</td>
<td>
<p>numeric (size in KB)</p>
</td>
<td>
<p>Maximum size of log file.</p>
</td>
<td>
<p><tt class="literal">5000</tt></p>
</td>
<td>
<p>Global</p>
</td>
</tr>
<tr>
<td>
<p><tt class="literal">debug timestamp</tt> <tt class="literal">(timestamp logs)</tt></p>
</td>
<td>
<p>boolean</p>
</td>
<td>
<p>If <tt class="literal">no</tt>, doesn't timestamp logs,
making them easier to read during heavy debugging.</p>
</td>
<td>
<p><tt class="literal">yes</tt></p>
</td>
<td>
<p>Global</p>
</td>
</tr>
<tr>
<td>
<p><tt class="literal">syslog</tt></p>
</td>
<td>
<p>numeric (0-10)</p>
</td>
<td>
<p>Level of messages sent to <em class="emphasis">syslog</em>. Those levels
below <tt class="literal">syslog</tt> <tt class="literal">level</tt> will be sent
to the system logger.</p>
</td>
<td>
<p><tt class="literal">1</tt></p>
</td>
<td>
<p>Global</p>
</td>
</tr>
<tr>
<td>
<p><tt class="literal">syslog only</tt></p>
</td>
<td>
<p>boolean</p>
</td>
<td>
<p>If <tt class="literal">yes</tt>, uses <em class="emphasis">syslog</em> entirely
and sends no output to the Samba log files.</p>
</td>
<td>
<p><tt class="literal">no</tt></p>
</td>
<td>
<p>Global</p>
</td>
</tr>

</table>


<div class="sect3"><a name="samba2-CHP-6-SECT-8.2.1"/>

<h3 class="head3">log file</h3>

<p>By default, Samba writes log information to text files in the
<em class="filename">/usr/local/samba/var</em> directory. The
<tt class="literal">log</tt><a name="INDEX-98"/> <tt class="literal">file</tt> option can be
used to set the name of the log file to another location. For
example, to put the Samba log information in
<em class="filename">/usr/local/logs/samba.log</em>, you could use the
following:</p>

<blockquote><pre class="code">[global]
    log file = /usr/local/logs/samba.log</pre></blockquote>

<p>You can use variable substitution to create log files specifically
for individual users or clients.</p>

<p>You can override the default log file location using the
<em class="emphasis">-l</em> command-line switch when either daemon is
started. However, this does not override the <tt class="literal">log</tt>
<tt class="literal">file</tt> option. If you do specify this parameter,
initial logging information will be sent to the file specified after
<em class="emphasis">-l</em> (or the default specified in the Samba
makefile) until the daemons have processed the
<em class="filename">smb.conf</em> file and know to redirect it to a new
log file.</p>


</div>


<div class="sect3"><a name="samba2-CHP-6-SECT-8.2.2"/>

<h3 class="head3">log level</h3>

<p>The <tt class="literal">log</tt><a name="INDEX-99"/> <tt class="literal">level</tt> option
sets the amount of data to be logged. Normally this is set to 0 or 1.
However, if you have a specific problem, you might want to set it at
3, which provides the most useful debugging information you would
need to track down a problem. Levels above 3 provide information
that's primarily for the developers to use for
chasing internal bugs, and it slows down the server considerably.
Therefore, we recommend that for normal day-to-day operation, you
avoid setting this option to anything above 3.</p>


</div>


<div class="sect3"><a name="samba2-CHP-6-SECT-8.2.3"/>

<h3 class="head3">max log size</h3>

<p>The <tt class="literal">max</tt><a name="INDEX-100"/> <tt class="literal">log</tt>
<tt class="literal">size</tt> option sets the maximum size, in kilobytes,
of the debugging log file that Samba keeps. When the log file exceeds
this size, the current log file is renamed to add a
<em class="filename">.old</em> extension (erasing any previous file with
that name) and a new debugging log file is started with the original
name. For example:</p>

<blockquote><pre class="code">[global]
    log file = /usr/local/logs/samba.log.%m
    max log size = 1000</pre></blockquote>

<p>Here, if the size of any log file exceeds 1MB, Samba renames the log
file <em class="emphasis">samba.log</em>.
<em class="replaceable">machine-name</em><em class="emphasis">.old</em>,
and a new log file is generated. If there is already a file with the
<em class="emphasis">.old</em> extension, Samba deletes it. We highly
recommend setting this option in your configuration files because
debug logging (even at lower levels) can quietly eat away at your
available disk space. Using this option protects unwary
administrators from suddenly discovering that most of the space on a
disk or partition has been swallowed up by a single Samba log file.</p>


</div>


<div class="sect3"><a name="samba2-CHP-6-SECT-8.2.4"/>

<h3 class="head3">debug timestamp or timestamp logs</h3>

<p>If you happen to be debugging a network problem and you find that the
timestamp information within the Samba log lines gets in the way, you
can turn it off by giving either the
<tt class="literal">timestamp</tt><a name="INDEX-101"/> <tt class="literal">logs</tt> or the
synonymous <tt class="literal">debug</tt><a name="INDEX-102"/>
<tt class="literal">timestamp</tt> option a value of <tt class="literal">no</tt>.
For example, a regular Samba log file presents its output in the
following form:</p>

<blockquote><pre class="code">12/31/01 12:03:34 toltec (172.16.1.1) connect to server network as user jay</pre></blockquote>

<p>With a <tt class="literal">no</tt> value for this option, the output would
appear without the timestamp:</p>

<blockquote><pre class="code">toltec (172.16.1.1) connect to server network as user jay</pre></blockquote>


</div>


<div class="sect3"><a name="samba2-CHP-6-SECT-8.2.5"/>

<h3 class="head3">syslog</h3>

<p>The <tt class="literal">syslog</tt><a name="INDEX-103"/> option causes Samba log
messages to be sent to the Unix system logger. The type of log
information to be sent is specified as a numeric value. Like the
<tt class="literal">log</tt> <tt class="literal">level</tt> option, it can be a
number from 0 to 10. Logging information with a level less than the
number specified will be sent to the system logger. Debug logs
greater than or equal to the <tt class="literal">syslog</tt> level, but
less than log level, will still be sent to the standard Samba log
files. For example:</p>

<blockquote><pre class="code">[global]
    log level = 3
    syslog = 1</pre></blockquote>

<p>With this, all logging information with a level of 0 would be sent to
the standard Samba logs and the system logger, while information with
levels 1, 2, and 3 would be sent only to the standard Samba logs.
Levels above 3 are not logged at all. All messages sent to the system
logger are mapped to a priority level that the syslogd daemon
understands, as shown in <a href="ch06.html#samba2-CHP-6-TABLE-9">Table 6-9</a>. The default
level is 1.</p>

<a name="samba2-CHP-6-TABLE-9"/><h4 class="head4">Table 6-9. syslog priority conversion</h4><table border="1">


<tr>
<th>
<p>Log level</p>
</th>
<th>
<p>syslog priority</p>
</th>
</tr>


<tr>
<td>
<p>0</p>
</td>
<td>
<p><tt class="literal">LOG_ERR</tt></p>
</td>
</tr>
<tr>
<td>
<p>1</p>
</td>
<td>
<p><tt class="literal">LOG_WARNING</tt></p>
</td>
</tr>
<tr>
<td>
<p>2</p>
</td>
<td>
<p><tt class="literal">LOG_NOTICE</tt></p>
</td>
</tr>
<tr>
<td>
<p>3</p>
</td>
<td>
<p><tt class="literal">LOG_INFO</tt></p>
</td>
</tr>
<tr>
<td>
<p>4 and above</p>
</td>
<td>
<p><tt class="literal">LOG_DEBUG</tt></p>
</td>
</tr>

</table>

<p>If you wish to use <em class="emphasis">syslog</em>, you will have to run
<tt class="literal">configure</tt> <tt class="literal">--with-syslog</tt> when
compiling Samba, and you will need to configure your
<em class="filename">/etc/syslog.conf</em> to suit. (See <a href="ch06.html#samba2-CHP-6-SECT-8.1">Section 6.8.1</a>, earlier in this chapter.)</p>


</div>


<div class="sect3"><a name="samba2-CHP-6-SECT-8.2.6"/>

<h3 class="head3">syslog only</h3>

<p>The <tt class="literal">syslog</tt><a name="INDEX-104"/> <tt class="literal">only</tt> option
tells Samba not to use its own logging files at all and to use only
the system logger. To enable this, specify the following option in
the global section of the Samba configuration file:</p>

<a name="INDEX-105"/><a name="INDEX-106"/><a name="INDEX-107"/><blockquote><pre class="code">[global]
    syslog only = yes</pre></blockquote>


</div>


</div>


</div>

<hr/><h4 class="head4">Footnotes</h4><blockquote><a name="FOOTNOTE-1"/> <p><a href="#FNPTR-1">[1]</a> Depending on your system, this file might not
be <em class="emphasis">/etc/printcap</em>. You can use the
<em class="emphasis">testparm</em> command that comes with Samba to dump
the parameter definitions and determine the value of the
<tt class="literal">printcap</tt> <tt class="literal">name</tt> configuration
option. The value assigned to it is the default value chosen when
Samba was configured and compiled, which should be correct.</p>
<a name="FOOTNOTE-2"/> <p><a href="#FNPTR-2">[2]</a> We are referring here to the window that
opens when a printer icon in the Printers control panel is
double-clicked.</p> </blockquote><hr/><h4 class="head4"><a href="toc.html">TOC</a></h4></body></html>