mirror of
https://github.com/samba-team/samba.git
synced 2025-01-14 19:24:43 +03:00
847506a755
Jeremy.
-
4026 lines
123 KiB
Groff
4026 lines
123 KiB
Groff
.TH SMB.CONF 5 "28 Nov 1997" "smb.conf 1.9.18alpha12"
|
|
.SH NAME
|
|
smb.conf \- configuration file for smbd
|
|
.SH SYNOPSIS
|
|
.B smb.conf
|
|
.SH DESCRIPTION
|
|
The
|
|
.B smb.conf
|
|
file is a configuration file for the Samba suite.
|
|
|
|
.B smb.conf
|
|
contains runtime configuration information for the
|
|
.B smbd
|
|
program. The
|
|
.B smbd
|
|
program provides LanManager-like services to clients
|
|
using the SMB protocol.
|
|
.SH FILE FORMAT
|
|
The file consists of sections and parameters. A section begins with the
|
|
name of the section in square brackets and continues until the next
|
|
section begins. Sections contain parameters of the form 'name = value'.
|
|
|
|
The file is line-based - that is, each newline-terminated line represents
|
|
either a comment, a section name or a parameter.
|
|
|
|
Section and parameter names are not case sensitive.
|
|
|
|
Only the first equals sign in a parameter is significant. Whitespace before
|
|
or after the first equals sign is discarded. Leading, trailing and internal
|
|
whitespace in section and parameter names is irrelevant. Leading and
|
|
trailing whitespace in a parameter value is discarded. Internal whitespace
|
|
within a parameter value is retained verbatim.
|
|
|
|
Any line beginning with a semicolon is ignored, as are lines containing
|
|
only whitespace.
|
|
|
|
Any line ending in a \e is "continued" on the next line in the
|
|
customary UNIX fashion.
|
|
|
|
The values following the equals sign in parameters are all either a string
|
|
(no quotes needed) or a boolean, which may be given as yes/no, 0/1 or
|
|
true/false. Case is not significant in boolean values, but is preserved
|
|
in string values. Some items such as create modes are numeric.
|
|
.SH SERVICE DESCRIPTIONS
|
|
Each section in the configuration file describes a service. The section name
|
|
is the service name and the parameters within the section define the service's
|
|
attributes.
|
|
|
|
There are three special sections, [global], [homes] and [printers], which are
|
|
described under 'special sections'. The following notes apply to ordinary
|
|
service descriptions.
|
|
|
|
A service consists of a directory to which access is being given plus a
|
|
description of the access rights which are granted to the user of the
|
|
service. Some housekeeping options are also specifiable.
|
|
|
|
Services are either filespace services (used by the client as an extension of
|
|
their native file systems) or printable services (used by the client to access
|
|
print services on the host running the server).
|
|
|
|
Services may be guest services, in which case no password is required to
|
|
access them. A specified guest account is used to define access privileges
|
|
in this case.
|
|
|
|
Services other than guest services will require a password to access
|
|
them. The client provides the username. As many clients only provide
|
|
passwords and not usernames, you may specify a list of usernames to
|
|
check against the password using the "user=" option in the service
|
|
definition.
|
|
|
|
Note that the access rights granted by the server are masked by the access
|
|
rights granted to the specified or guest user by the host system. The
|
|
server does not grant more access than the host system grants.
|
|
|
|
The following sample section defines a file space service. The user has write
|
|
access to the path /home/bar. The service is accessed via the service name
|
|
"foo":
|
|
|
|
[foo]
|
|
path = /home/bar
|
|
writable = true
|
|
|
|
The following sample section defines a printable service. The service is
|
|
readonly, but printable. That is, the only write access permitted is via
|
|
calls to open, write to and close a spool file. The 'guest ok' parameter
|
|
means access will be permitted as the default guest user (specified elsewhere):
|
|
|
|
[aprinter]
|
|
path = /usr/spool/public
|
|
read only = true
|
|
printable = true
|
|
public = true
|
|
.SH SPECIAL SECTIONS
|
|
|
|
.SS The [global] section
|
|
.RS 3
|
|
Parameters in this section apply to the server as a whole, or are defaults
|
|
for services which do not specifically define certain items. See the notes
|
|
under 'Parameters' for more information.
|
|
.RE
|
|
|
|
.SS The [homes] section
|
|
.RS 3
|
|
If a section called 'homes' is included in the configuration file, services
|
|
connecting clients to their home directories can be created on the fly by the
|
|
server.
|
|
|
|
When the connection request is made, the existing services are scanned. If a
|
|
match is found, it is used. If no match is found, the requested service name is
|
|
treated as a user name and looked up in the local passwords file. If the
|
|
name exists and the correct password has been given, a service is created
|
|
by cloning the [homes] section.
|
|
|
|
Some modifications are then made to the newly created section:
|
|
|
|
.RS 3
|
|
The service name is changed from 'homes' to the located username
|
|
|
|
If no path was given, the path is set to the user's home directory.
|
|
.RE
|
|
|
|
If you decide to use a path= line in your [homes] section then you may
|
|
find it useful to use the %S macro. For example path=/data/pchome/%S
|
|
would be useful if you have different home directories for your PCs
|
|
than for UNIX access.
|
|
|
|
This is a fast and simple way to give a large number of clients access to
|
|
their home directories with a minimum of fuss.
|
|
|
|
A similar process occurs if the requested service name is "homes", except that
|
|
the service name is not changed to that of the requesting user. This method
|
|
of using the [homes] section works well if different users share a client PC.
|
|
|
|
The [homes] section can specify all the parameters a normal service section
|
|
can specify, though some make more sense than others. The following is a
|
|
typical and suitable [homes] section:
|
|
|
|
[homes]
|
|
writable = yes
|
|
|
|
An important point:
|
|
|
|
.RS 3
|
|
If guest access is specified in the [homes] section, all home directories will
|
|
be accessible to all clients
|
|
.B without a password.
|
|
In the very unlikely event
|
|
that this is actually desirable, it would be wise to also specify read only
|
|
access.
|
|
.RE
|
|
.RE
|
|
|
|
Note that the browseable flag for auto home directories will be
|
|
inherited from the global browseable flag, not the [homes] browseable
|
|
flag. This is useful as it means setting browseable=no in the [homes]
|
|
section will hide the [homes] service but make any auto home
|
|
directories visible.
|
|
|
|
.SS The [printers] section
|
|
.RS 3
|
|
This section works like [homes], but for printers.
|
|
|
|
If a [printers] section occurs in the configuration file, users are able
|
|
to connect to any printer specified in the local host's printcap file.
|
|
|
|
When a connection request is made, the existing services are scanned. If a
|
|
match is found, it is used. If no match is found, but a [homes] section
|
|
exists, it is used as described above. Otherwise, the requested service name is
|
|
treated as a printer name and the appropriate printcap file is scanned to
|
|
see if the requested service name is a valid printer name. If a match is
|
|
found, a new service is created by cloning the [printers] section.
|
|
|
|
A few modifications are then made to the newly created section:
|
|
|
|
.RS 3
|
|
The service name is set to the located printer name
|
|
|
|
If no printer name was given, the printer name is set to the located printer
|
|
name
|
|
|
|
If the service does not permit guest access and no username was given, the
|
|
username is set to the located printer name.
|
|
.RE
|
|
|
|
Note that the [printers] service MUST be printable - if you specify otherwise,
|
|
the server will refuse to load the configuration file.
|
|
|
|
Typically the path specified would be that of a world-writable spool directory
|
|
with the sticky bit set on it. A typical [printers] entry would look like this:
|
|
|
|
[printers]
|
|
path = /usr/spool/public
|
|
writable = no
|
|
public = yes
|
|
printable = yes
|
|
|
|
All aliases given for a printer in the printcap file are legitimate printer
|
|
names as far as the server is concerned. If your printing subsystem doesn't
|
|
work like that, you will have to set up a pseudo-printcap. This is a file
|
|
consisting of one or more lines like this:
|
|
|
|
alias|alias|alias|alias...
|
|
|
|
Each alias should be an acceptable printer name for your printing
|
|
subsystem. In the [global] section, specify the new file as your printcap.
|
|
The server will then only recognise names found in your pseudo-printcap,
|
|
which of course can contain whatever aliases you like. The same technique
|
|
could be used simply to limit access to a subset of your local printers.
|
|
|
|
An alias, by the way, is defined as any component of the first entry of a
|
|
printcap record. Records are separated by newlines, components (if there are
|
|
more than one) are separated by vertical bar symbols ("|").
|
|
|
|
NOTE: On SYSV systems which use lpstat to determine what printers are
|
|
defined on the system you may be able to use "printcap name = lpstat"
|
|
to automatically obtain a list of printers. See the "printcap name"
|
|
option for more detils.
|
|
|
|
.RE
|
|
.SH PARAMETERS
|
|
Parameters define the specific attributes of services.
|
|
|
|
Some parameters are specific to the [global] section (eg., security).
|
|
Some parameters are usable in all sections (eg., create mode). All others are
|
|
permissible only in normal sections. For the purposes of the following
|
|
descriptions the [homes] and [printers] sections will be considered normal.
|
|
The letter 'G' in parentheses indicates that a parameter is specific to the
|
|
[global] section. The letter 'S' indicates that a parameter can be
|
|
specified in a service specific section. Note that all S parameters
|
|
can also be specified in the [global] section - in which case they
|
|
will define the default behaviour for all services.
|
|
|
|
Parameters are arranged here in alphabetical order - this may not create
|
|
best bedfellows, but at least you can find them! Where there are synonyms,
|
|
the preferred synonym is described, others refer to the preferred synonym.
|
|
|
|
.SS VARIABLE SUBSTITUTIONS
|
|
|
|
Many of the strings that are settable in the config file can take
|
|
substitutions. For example the option "path = /tmp/%u" would be
|
|
interpreted as "path = /tmp/john" if the user connected with the
|
|
username john.
|
|
|
|
These substitutions are mostly noted in the descriptions below, but
|
|
there are some general substitutions which apply whenever they might be
|
|
relevant. These are:
|
|
|
|
%S = the name of the current service, if any
|
|
|
|
%P = the root directory of the current service, if any
|
|
|
|
%u = user name of the current service, if any
|
|
|
|
%g = primary group name of %u
|
|
|
|
%U = session user name (the user name that the client wanted, not
|
|
necessarily the same as the one they got)
|
|
|
|
%G = primary group name of %U
|
|
|
|
%H = the home directory of the user given by %u
|
|
|
|
%v = the Samba version
|
|
|
|
%h = the hostname that Samba is running on
|
|
|
|
%m = the netbios name of the client machine (very useful)
|
|
|
|
%L = the netbios name of the server. This allows you to change your
|
|
config based on what the client calls you. Your server can have a "dual
|
|
personality".
|
|
|
|
%M = the internet name of the client machine
|
|
|
|
%N = the name of your NIS home directory server. This is obtained from
|
|
your NIS auto.map entry. If you have not compiled Samba with -DAUTOMOUNT
|
|
then this value will be the same as %L.
|
|
|
|
%R = the selected protocol level after protocol negotiation. As of
|
|
Samba 1.9.18 it can be one of CORE, COREPLUS, LANMAN1, LANMAN2 or NT1.
|
|
|
|
%d = The process id of the current server process
|
|
|
|
%a = the architecture of the remote machine. Only some are recognised,
|
|
and those may not be 100% reliable. It currently recognises Samba,
|
|
WfWg, WinNT and Win95. Anything else will be known as "UNKNOWN". If it
|
|
gets it wrong then sending me a level 3 log should allow me to fix it.
|
|
|
|
%I = The IP address of the client machine
|
|
|
|
%T = the current date and time
|
|
|
|
There are some quite creative things that can be done with these
|
|
substitutions and other smb.conf options.
|
|
|
|
.SS NAME MANGLING
|
|
|
|
Samba supports "name mangling" so that DOS and Windows clients can use
|
|
files that don't conform to the 8.3 format. It can also be set to adjust
|
|
the case of 8.3 format filenames.
|
|
|
|
There are several options that control the way mangling is performed,
|
|
and they are grouped here rather than listed separately. For the
|
|
defaults look at the output of the testparm program.
|
|
|
|
All of these options can be set separately for each service (or
|
|
globally, of course).
|
|
|
|
The options are:
|
|
|
|
"mangle case = yes/no" controls if names that have characters that
|
|
aren't of the "default" case are mangled. For example, if this is yes
|
|
then a name like "Mail" would be mangled. Default no.
|
|
|
|
"case sensitive = yes/no" controls whether filenames are case
|
|
sensitive. If they aren't then Samba must do a filename search and
|
|
match on passed names. Default no.
|
|
|
|
"default case = upper/lower" controls what the default case is for new
|
|
filenames. Default lower.
|
|
|
|
"preserve case = yes/no" controls if new files are created with the
|
|
case that the client passes, or if they are forced to be the "default"
|
|
case. Default no.
|
|
|
|
"short preserve case = yes/no" controls if new files which conform to 8.3
|
|
syntax, that is all in upper case and of suitable length, are created
|
|
upper case, or if they are forced to be the "default" case. This option can
|
|
be use with "preserve case = yes" to permit long filenames to retain their
|
|
case, while short names are lowered. Default no.
|
|
|
|
.SS COMPLETE LIST OF GLOBAL PARAMETERS
|
|
|
|
Here is a list of all global parameters. See the section of each
|
|
parameter for details. Note that some are synonyms.
|
|
|
|
announce as
|
|
|
|
announce version
|
|
|
|
auto services
|
|
|
|
bind interfaces only
|
|
|
|
browse list
|
|
|
|
character set
|
|
|
|
client code page
|
|
|
|
config file
|
|
|
|
deadtime
|
|
|
|
debuglevel
|
|
|
|
default
|
|
|
|
default service
|
|
|
|
dfree command
|
|
|
|
dns proxy
|
|
|
|
domain allow hosts
|
|
|
|
domain controller
|
|
|
|
domain deny hosts
|
|
|
|
domain group
|
|
|
|
domain hosts allow
|
|
|
|
domain hosts deny
|
|
|
|
domain logons
|
|
|
|
domain master
|
|
|
|
domain sid
|
|
|
|
encrypt passwords
|
|
|
|
getwd cache
|
|
|
|
hide files
|
|
|
|
hide dot files
|
|
|
|
homedir map
|
|
|
|
hosts equiv
|
|
|
|
include
|
|
|
|
interfaces
|
|
|
|
keepalive
|
|
|
|
lm announce
|
|
|
|
lm interval
|
|
|
|
lock dir
|
|
|
|
load printers
|
|
|
|
local master
|
|
|
|
lock directory
|
|
|
|
log file
|
|
|
|
log level
|
|
|
|
logon drive
|
|
|
|
logon home
|
|
|
|
logon path
|
|
|
|
logon script
|
|
|
|
lpq cache time
|
|
|
|
mangled stack
|
|
|
|
max log size
|
|
|
|
max mux
|
|
|
|
max packet
|
|
|
|
max ttl
|
|
|
|
max xmit
|
|
|
|
max wins ttl
|
|
|
|
message command
|
|
|
|
min wins ttl
|
|
|
|
netbios aliases
|
|
|
|
netbios name
|
|
|
|
nis homedir
|
|
|
|
null passwords
|
|
|
|
os level
|
|
|
|
packet size
|
|
|
|
passwd chat
|
|
|
|
passwd program
|
|
|
|
password level
|
|
|
|
password server
|
|
|
|
preferred master
|
|
|
|
preload
|
|
|
|
printcap name
|
|
|
|
printer driver file
|
|
|
|
protocol
|
|
|
|
read bmpx
|
|
|
|
read prediction
|
|
|
|
read raw
|
|
|
|
read size
|
|
|
|
remote announce
|
|
|
|
remote browse sync
|
|
|
|
root
|
|
|
|
root dir
|
|
|
|
root directory
|
|
|
|
security
|
|
|
|
server string
|
|
|
|
shared file entries
|
|
|
|
shared mem size
|
|
|
|
smb passwd file
|
|
|
|
smbrun
|
|
|
|
socket address
|
|
|
|
socket options
|
|
|
|
status
|
|
|
|
strip dot
|
|
|
|
syslog
|
|
|
|
syslog only
|
|
|
|
time offset
|
|
|
|
time server
|
|
|
|
unix realname
|
|
|
|
username level
|
|
|
|
username map
|
|
|
|
use rhosts
|
|
|
|
valid chars
|
|
|
|
veto files
|
|
|
|
workgroup
|
|
|
|
write raw
|
|
|
|
.SS COMPLETE LIST OF SERVICE PARAMETERS
|
|
|
|
Here is a list of all service parameters. See the section of each
|
|
parameter for details. Note that some are synonyms.
|
|
|
|
admin users
|
|
|
|
allow hosts
|
|
|
|
alternate permissions
|
|
|
|
available
|
|
|
|
browseable
|
|
|
|
case sensitive
|
|
|
|
case sig names
|
|
|
|
copy
|
|
|
|
create mask
|
|
|
|
create mode
|
|
|
|
comment
|
|
|
|
default case
|
|
|
|
delete readonly
|
|
|
|
delete veto files
|
|
|
|
deny hosts
|
|
|
|
directory
|
|
|
|
directory mask
|
|
|
|
directory mode
|
|
|
|
dont descend
|
|
|
|
dos filetimes
|
|
|
|
exec
|
|
|
|
fake oplocks
|
|
|
|
follow symlinks
|
|
|
|
force create mode
|
|
|
|
force directory mode
|
|
|
|
force group
|
|
|
|
force user
|
|
|
|
guest account
|
|
|
|
guest ok
|
|
|
|
guest only
|
|
|
|
hide dot files
|
|
|
|
hosts allow
|
|
|
|
hosts deny
|
|
|
|
invalid users
|
|
|
|
locking
|
|
|
|
lppause command
|
|
|
|
lpq command
|
|
|
|
lpresume command
|
|
|
|
lprm command
|
|
|
|
magic output
|
|
|
|
magic script
|
|
|
|
mangle case
|
|
|
|
mangled names
|
|
|
|
mangling char
|
|
|
|
map archive
|
|
|
|
map hidden
|
|
|
|
map system
|
|
|
|
max connections
|
|
|
|
min print space
|
|
|
|
only guest
|
|
|
|
only user
|
|
|
|
oplocks
|
|
|
|
path
|
|
|
|
postexec
|
|
|
|
postscript
|
|
|
|
preserve case
|
|
|
|
print command
|
|
|
|
printer driver
|
|
|
|
printer driver location
|
|
|
|
printing
|
|
|
|
print ok
|
|
|
|
printable
|
|
|
|
printer
|
|
|
|
printer name
|
|
|
|
public
|
|
|
|
read only
|
|
|
|
read list
|
|
|
|
revalidate
|
|
|
|
root postexec
|
|
|
|
root preexec
|
|
|
|
set directory
|
|
|
|
share modes
|
|
|
|
short preserve case
|
|
|
|
strict locking
|
|
|
|
sync always
|
|
|
|
user
|
|
|
|
username
|
|
|
|
users
|
|
|
|
valid users
|
|
|
|
veto oplock files
|
|
|
|
volume
|
|
|
|
wide links
|
|
|
|
writable
|
|
|
|
write ok
|
|
|
|
writeable
|
|
|
|
write list
|
|
|
|
.SS EXPLANATION OF EACH PARAMETER
|
|
.RS 3
|
|
|
|
.SS admin users (S)
|
|
|
|
This is a list of users who will be granted administrative privileges
|
|
on the share. This means that they will do all file operations as the
|
|
super-user (root).
|
|
|
|
You should use this option very carefully, as any user in this list
|
|
will be able to do anything they like on the share, irrespective of
|
|
file permissions.
|
|
|
|
.B Default:
|
|
no admin users
|
|
|
|
.B Example:
|
|
admin users = jason
|
|
|
|
.SS announce as (G)
|
|
|
|
This specifies what type of server nmbd will announce itself as in
|
|
browse lists. By default this is set to Windows NT. The valid options
|
|
are "NT", "Win95" or "WfW" meaining Windows NT, Windows 95 and
|
|
Windows for Workgroups respectively. Do not change this parameter
|
|
unless you have a specific need to stop Samba appearing as an NT
|
|
server as this may prevent Samba servers from participating as
|
|
browser servers correctly.
|
|
|
|
.B Default:
|
|
announce as = NT
|
|
|
|
.B Example
|
|
announce as = Win95
|
|
|
|
.SS announce version (G)
|
|
|
|
This specifies the major and minor version numbers that nmbd
|
|
will use when announcing itself as a server. The default is 4.2.
|
|
Do not change this parameter unless you have a specific need to
|
|
set a Samba server to be a downlevel server.
|
|
|
|
.B Default:
|
|
announce version = 4.2
|
|
|
|
.B Example:
|
|
announce version = 2.0
|
|
|
|
.SS auto services (G)
|
|
This is a list of services that you want to be automatically added to
|
|
the browse lists. This is most useful for homes and printers services
|
|
that would otherwise not be visible.
|
|
|
|
Note that if you just want all printers in your printcap file loaded
|
|
then the "load printers" option is easier.
|
|
|
|
.B Default:
|
|
no auto services
|
|
|
|
.B Example:
|
|
auto services = fred lp colorlp
|
|
|
|
.SS allow hosts (S)
|
|
A synonym for this parameter is 'hosts allow'.
|
|
|
|
This parameter is a comma delimited set of hosts which are permitted to access
|
|
a service.
|
|
|
|
If specified in the [global] section then it will apply to all
|
|
services, regardless of whether the individual service has a different
|
|
setting.
|
|
|
|
You can specify the hosts by name or IP number. For example, you could
|
|
restrict access to only the hosts on a Class C subnet with something like
|
|
"allow hosts = 150.203.5.". The full syntax of the list is described in
|
|
the man page
|
|
.BR hosts_access (5).
|
|
|
|
You can also specify hosts by network/netmask pairs and by netgroup
|
|
names if your system supports netgroups. The EXCEPT keyword can also
|
|
be used to limit a wildcard list. The following examples may provide
|
|
some help:
|
|
|
|
Example 1: allow all IPs in 150.203.*.* except one
|
|
|
|
hosts allow = 150.203. EXCEPT 150.203.6.66
|
|
|
|
Example 2: allow hosts that match the given network/netmask
|
|
|
|
hosts allow = 150.203.15.0/255.255.255.0
|
|
|
|
Example 3: allow a couple of hosts
|
|
|
|
hosts allow = lapland, arvidsjaur
|
|
|
|
Example 4: allow only hosts in netgroup "foonet" or localhost, but
|
|
deny access from one particular host
|
|
|
|
hosts allow = @foonet, localhost
|
|
hosts deny = pirate
|
|
|
|
Note that access still requires suitable user-level passwords.
|
|
|
|
See
|
|
.BR testparm (1)
|
|
for a way of testing your host access to see if it
|
|
does what you expect.
|
|
|
|
.B Default:
|
|
none (i.e., all hosts permitted access)
|
|
|
|
.B Example:
|
|
allow hosts = 150.203.5. myhost.mynet.edu.au
|
|
|
|
.SS alternate permissions (S)
|
|
|
|
This option affects the way the "read only" DOS attribute is produced
|
|
for UNIX files. If this is false then the read only bit is set for
|
|
files on writeable shares which the user cannot write to.
|
|
|
|
If this is true then it is set for files whos user write bit is not set.
|
|
|
|
The latter behaviour is useful for when users copy files from each
|
|
others directories, and use a file manager that preserves
|
|
permissions. Without this option they may get annoyed as all copied
|
|
files will have the "read only" bit set.
|
|
|
|
.B Default:
|
|
alternate permissions = no
|
|
|
|
.B Example:
|
|
alternate permissions = yes
|
|
|
|
.SS available (S)
|
|
This parameter lets you 'turn off' a service. If 'available = no', then
|
|
ALL attempts to connect to the service will fail. Such failures are logged.
|
|
|
|
.B Default:
|
|
available = yes
|
|
|
|
.B Example:
|
|
available = no
|
|
|
|
.SS bind interfaces only (G)
|
|
This global parameter (new for 1.9.18) allows the Samba admin to limit
|
|
what interfaces on a machine will serve smb requests. If affects file service
|
|
(smbd) and name service (nmbd) in slightly different ways.
|
|
|
|
For name service it causes nmbd to bind to ports 137 and 138 on
|
|
the interfaces listed in the 'interfaces' parameter. nmbd also binds
|
|
to the 'all addresses' interface (0.0.0.0) on ports 137 and 138
|
|
for the purposes of reading broadcast messages. If this option is
|
|
not set then nmbd will service name requests on all of these
|
|
sockets. If "bind interfaces only" is set then nmbd will check
|
|
the source address of any packets coming in on the broadcast
|
|
sockets and discard any that don't match the broadcast addresses
|
|
of the interfaces in the 'interfaces' parameter list. As unicast
|
|
packets are received on the other sockets it allows nmbd to
|
|
refuse to serve names to machines that send packets that arrive
|
|
through any interfaces not listed in the 'interfaces' list.
|
|
IP Source address spoofing does defeat this simple check, however
|
|
so it must not be used seriously as a security feature for nmbd.
|
|
|
|
For file service it causes smbd to bind only to the interface
|
|
list given in the 'interfaces' parameter. This restricts the
|
|
networks that smbd will serve to packets coming in those interfaces.
|
|
Note that you should not use this parameter for machines that
|
|
are serving ppp or other intermittant or non-broadcast network
|
|
interfaces as it will not cope with non-permanent interfaces.
|
|
|
|
.B Default:
|
|
bind interfaces only = False
|
|
|
|
.B Example:
|
|
bind interfaces only = True
|
|
|
|
.SS browseable (S)
|
|
This controls whether this share is seen in the list of available
|
|
shares in a net view and in the browse list.
|
|
|
|
.B Default:
|
|
browseable = Yes
|
|
|
|
.B Example:
|
|
browseable = No
|
|
.SS browse list(G)
|
|
This controls whether the smbd will serve a browse list to a client
|
|
doing a NetServerEnum call. Normally set to true. You should never
|
|
need to change this.
|
|
|
|
.B Default:
|
|
browse list = Yes
|
|
|
|
.SS case sensitive (G)
|
|
See the discussion on NAME MANGLING.
|
|
|
|
.SS case sig names (G)
|
|
See "case sensitive"
|
|
|
|
.SS character set (G)
|
|
This allows a smbd to map incoming characters from a DOS 850 Code page
|
|
to either a Western European (ISO8859-1) or Easter European (ISO8859-2)
|
|
code page. Normally not set, meaning no filename translation is done.
|
|
|
|
.B Default
|
|
|
|
character set =
|
|
|
|
.B Example
|
|
|
|
character set = iso8859-1
|
|
|
|
.SS client code page (G)
|
|
Currently (Samba 1.9.17 and above) this may be set to one of two
|
|
values, 850 or 437. It specifies the base DOS code page that the
|
|
clients accessing Samba are using. To determine this, open a DOS
|
|
command prompt and type the command "chcp". This will output the
|
|
code page. The default for USA MS-DOS, Windows 95, and Windows NT
|
|
releases is code page 437. The default for western european
|
|
releases of the above operating systems is code page 850.
|
|
|
|
This parameter co-operates with the "valid chars" parameter in
|
|
determining what characters are valid in filenames and how
|
|
capitalization is done. It has been added as a convenience for
|
|
clients whose code page is either 437 or 850 so a convoluted
|
|
"valid chars" string does not have to be determined. If you
|
|
set both this parameter and the "valid chars" parameter the
|
|
"client code page" parameter MUST be set before the "valid chars"
|
|
in the smb.conf file. The "valid chars" string will then augment
|
|
the character settings in the "client code page" parameter.
|
|
|
|
If "client code page" is set to a value other than 850 or 437
|
|
it will default to 850.
|
|
|
|
See also : "valid chars".
|
|
|
|
.B Default
|
|
|
|
client code page = 850
|
|
|
|
.B Example
|
|
|
|
client code page = 437
|
|
|
|
.SS comment (S)
|
|
This is a text field that is seen next to a share when a client does a
|
|
net view to list what shares are available.
|
|
|
|
If you want to set the string that is displayed next to the machine
|
|
name then see the server string command.
|
|
|
|
.B Default:
|
|
No comment string
|
|
|
|
.B Example:
|
|
comment = Fred's Files
|
|
|
|
.SS config file (G)
|
|
|
|
This allows you to override the config file to use, instead of the
|
|
default (usually smb.conf). There is a chicken and egg problem here as
|
|
this option is set in the config file!
|
|
|
|
For this reason, if the name of the config file has changed when the
|
|
parameters are loaded then it will reload them from the new config
|
|
file.
|
|
|
|
This option takes the usual substitutions, which can be very useful.
|
|
|
|
If the config file doesn't exist then it won't be loaded (allowing
|
|
you to special case the config files of just a few clients).
|
|
|
|
.B Example:
|
|
config file = /usr/local/samba/lib/smb.conf.%m
|
|
|
|
.SS copy (S)
|
|
This parameter allows you to 'clone' service entries. The specified
|
|
service is simply duplicated under the current service's name. Any
|
|
parameters specified in the current section will override those in the
|
|
section being copied.
|
|
|
|
This feature lets you set up a 'template' service and create similar
|
|
services easily. Note that the service being copied must occur earlier
|
|
in the configuration file than the service doing the copying.
|
|
|
|
.B Default:
|
|
none
|
|
|
|
.B Example:
|
|
copy = otherservice
|
|
.SS create mask (S)
|
|
A synonym for this parameter is 'create mode'.
|
|
|
|
When a file is created, the neccessary permissions are calculated
|
|
according to the mapping from DOS modes to UNIX permissions, and
|
|
the resulting UNIX mode is then bit-wise 'AND'ed with this parameter.
|
|
This parameter may be thought of as a bit-wise MASK for the UNIX
|
|
modes of a file. Any bit *not* set here will be removed from the
|
|
modes set on a file when it is created.
|
|
|
|
The default value of this parameter removes the 'group' and 'other'
|
|
write and execute bits from the UNIX modes.
|
|
|
|
Following this Samba will bit-wise 'OR' the UNIX mode created from
|
|
this parameter with the value of the "force create mode" parameter
|
|
which is set to 000 by default.
|
|
|
|
For Samba 1.9.17 and above this parameter no longer affects directory
|
|
modes. See the parameter 'directory mode' for details.
|
|
|
|
See also the "force create mode" parameter for forcing particular
|
|
mode bits to be set on created files.
|
|
See also the "directory mode" parameter for masking mode bits on created
|
|
directories.
|
|
|
|
.B Default:
|
|
create mask = 0744
|
|
|
|
.B Example:
|
|
create mask = 0775
|
|
.SS create mode (S)
|
|
See
|
|
.B create mask.
|
|
|
|
.SS dead time (G)
|
|
The value of the parameter (a decimal integer) represents the number of
|
|
minutes of inactivity before a connection is considered dead, and it
|
|
is disconnected. The deadtime only takes effect if the number of open files
|
|
is zero.
|
|
|
|
This is useful to stop a server's resources being exhausted by a large
|
|
number of inactive connections.
|
|
|
|
Most clients have an auto-reconnect feature when a connection is broken so
|
|
in most cases this parameter should be transparent to users.
|
|
|
|
Using this parameter with a timeout of a few minutes is recommended
|
|
for most systems.
|
|
|
|
A deadtime of zero indicates that no auto-disconnection should be performed.
|
|
|
|
.B Default:
|
|
dead time = 0
|
|
|
|
.B Example:
|
|
dead time = 15
|
|
.SS debug level (G)
|
|
The value of the parameter (an integer) allows the debug level
|
|
(logging level) to be specified in the
|
|
.B smb.conf
|
|
file. This is to give
|
|
greater flexibility in the configuration of the system.
|
|
|
|
The default will be the debug level specified on the command line.
|
|
|
|
.B Example:
|
|
debug level = 3
|
|
.SS default (G)
|
|
See
|
|
.B default service.
|
|
.SS default case (S)
|
|
|
|
See the section on "NAME MANGLING" Also note the addition of "short
|
|
preserve case"
|
|
|
|
.SS default service (G)
|
|
A synonym for this parameter is 'default'.
|
|
|
|
This parameter specifies the name of a service which will be connected to
|
|
if the service actually requested cannot be found. Note that the square
|
|
brackets are NOT given in the parameter value (see example below).
|
|
|
|
There is no default value for this parameter. If this parameter is not given,
|
|
attempting to connect to a nonexistent service results in an error.
|
|
|
|
Typically the default service would be a public, read-only service.
|
|
|
|
Also note that as of 1.9.14 the apparent service name will be changed to
|
|
equal that of the requested service, this is very useful as it allows
|
|
you to use macros like %S to make a wildcard service.
|
|
|
|
Note also that any _ characters in the name of the service used in the
|
|
default service will get mapped to a /. This allows for interesting
|
|
things.
|
|
|
|
|
|
.B Example:
|
|
default service = pub
|
|
|
|
[pub]
|
|
path = /%S
|
|
|
|
|
|
.SS delete readonly (S)
|
|
This parameter allows readonly files to be deleted. This is not normal DOS
|
|
semantics, but is allowed by UNIX.
|
|
|
|
This option may be useful for running applications such as rcs, where UNIX
|
|
file ownership prevents changing file permissions, and DOS semantics prevent
|
|
deletion of a read only file.
|
|
|
|
.B Default:
|
|
delete readonly = No
|
|
|
|
.B Example:
|
|
delete readonly = Yes
|
|
.SS deny hosts (S)
|
|
A synonym for this parameter is 'hosts deny'.
|
|
|
|
The opposite of 'allow hosts' - hosts listed here are NOT permitted
|
|
access to services unless the specific services have their own lists to
|
|
override this one. Where the lists conflict, the 'allow' list takes precedence.
|
|
|
|
.B Default:
|
|
none (i.e., no hosts specifically excluded)
|
|
|
|
.B Example:
|
|
deny hosts = 150.203.4. badhost.mynet.edu.au
|
|
|
|
.SS delete veto files (S)
|
|
|
|
This option is used when Samba is attempting to delete a directory
|
|
that contains one or more vetoed directories (see the 'veto files' option).
|
|
If this option is set to False (the default) then if a vetoed directory
|
|
contains any non-vetoed files or directories then the directory delete
|
|
will fail. This is usually what you want.
|
|
|
|
If this option is set to True, then Samba will attempt
|
|
to recursively delete any files and directories within the vetoed
|
|
directory. This can be useful for integration with file serving
|
|
systems such as Netatalk, which create meta-files within directories
|
|
you might normally veto DOS/Windows users from seeing (eg. .AppleDouble)
|
|
|
|
Setting 'delete veto files = True' allows these directories to be
|
|
transparently deleted when the parent directory is deleted (so long
|
|
as the user has permissions to do so).
|
|
|
|
.B Default:
|
|
delete veto files = False
|
|
|
|
.B Example:
|
|
delete veto files = True
|
|
|
|
See
|
|
.B veto files
|
|
|
|
.SS dfree command (G)
|
|
The dfree command setting should only be used on systems where a
|
|
problem occurs with the internal disk space calculations. This has
|
|
been known to happen with Ultrix, but may occur with other operating
|
|
systems. The symptom that was seen was an error of "Abort Retry
|
|
Ignore" at the end of each directory listing.
|
|
|
|
This setting allows the replacement of the internal routines to
|
|
calculate the total disk space and amount available with an external
|
|
routine. The example below gives a possible script that might fulfill
|
|
this function.
|
|
|
|
The external program will be passed a single parameter indicating a
|
|
directory in the filesystem being queried. This will typically consist
|
|
of the string "./". The script should return two integers in ascii. The
|
|
first should be the total disk space in blocks, and the second should
|
|
be the number of available blocks. An optional third return value
|
|
can give the block size in bytes. The default blocksize is 1024 bytes.
|
|
|
|
Note: Your script should NOT be setuid or setgid and should be owned by
|
|
(and writable only by) root!
|
|
|
|
.B Default:
|
|
By default internal routines for determining the disk capacity
|
|
and remaining space will be used.
|
|
|
|
.B Example:
|
|
dfree command = /usr/local/samba/bin/dfree
|
|
|
|
Where the script dfree (which must be made executable) could be
|
|
|
|
.nf
|
|
#!/bin/sh
|
|
df $1 | tail -1 | awk '{print $2" "$4}'
|
|
.fi
|
|
|
|
or perhaps (on Sys V)
|
|
|
|
.nf
|
|
#!/bin/sh
|
|
/usr/bin/df -k $1 | tail -1 | awk '{print $3" "$5}'
|
|
.fi
|
|
|
|
Note that you may have to replace the command names with full
|
|
path names on some systems.
|
|
.SS directory (S)
|
|
See
|
|
.B path.
|
|
|
|
.SS directory mask (S)
|
|
A synonym for this parameter is 'directory mode'.
|
|
|
|
This parameter is the octal modes which are used when converting DOS modes
|
|
to UNIX modes when creating UNIX directories.
|
|
|
|
When a directory is created, the neccessary permissions are calculated
|
|
according to the mapping from DOS modes to UNIX permissions, and
|
|
the resulting UNIX mode is then bit-wise 'AND'ed with this parameter.
|
|
This parameter may be thought of as a bit-wise MASK for the UNIX
|
|
modes of a directory. Any bit *not* set here will be removed from the
|
|
modes set on a directory when it is created.
|
|
|
|
The default value of this parameter removes the 'group' and 'other'
|
|
write bits from the UNIX mode, allowing only the user who owns the
|
|
directory to modify it.
|
|
|
|
Following this Samba will bit-wise 'OR' the UNIX mode created from
|
|
this parameter with the value of the "force directory mode" parameter.
|
|
This parameter is set to 000 by default (ie. no extra mode bits are added).
|
|
|
|
See the "force directory mode" parameter to cause particular mode
|
|
bits to always be set on created directories.
|
|
|
|
See also the "create mode" parameter for masking mode bits on created
|
|
files.
|
|
|
|
.B Default:
|
|
directory mask = 0755
|
|
|
|
.B Example:
|
|
directory mask = 0775
|
|
|
|
.SS directory mode (S)
|
|
See
|
|
.B directory mask.
|
|
|
|
.SS dns proxy (G)
|
|
|
|
Specifies that nmbd should (as a WINS server), on finding that a NetBIOS
|
|
name has not been registered, treat the NetBIOS name word-for-word as
|
|
a DNS name.
|
|
|
|
Note that the maximum length for a NetBIOS name is 15
|
|
characters, so the DNS name (or DNS alias) can likewise only be 15
|
|
characters, maximum.
|
|
|
|
Note also that nmbd will block completely until the DNS name is resolved.
|
|
This will result in temporary loss of browsing and WINS services.
|
|
Enable this option only if you are certain that DNS resolution is fast,
|
|
or you can live with the consequences of periodic pauses in nmbd service.
|
|
|
|
.B Default:
|
|
dns proxy = yes
|
|
|
|
.SS domain controller (G)
|
|
|
|
Specifies the DNS name or IP address of the machine to refer domain
|
|
logons from Win95 machines to. You should never need to set this parameter.
|
|
|
|
.B Default:
|
|
domain controller = no
|
|
|
|
.SS domain groups (G)
|
|
|
|
Specifies the NT Domain groups that the user belongs to, and the attributes
|
|
associated with that group. This parameter is a white-space separated list
|
|
of group ids (in decimal), followed by an option attribute (in decimal) which
|
|
defaults to a value of 7 if not specified. A group id and the user attributes
|
|
associated with it are separated by "/".
|
|
|
|
.B
|
|
It is known that attributes are ignored by NT 4.0 Workstation, but not by
|
|
NT 3.51 Workstation. Furthermore, no information on the exact meaning of
|
|
NT Domain groups is presently known.
|
|
|
|
.B Default:
|
|
domain groups = 776/7
|
|
|
|
.B Example:
|
|
domain groups = 776 1024/7 777
|
|
|
|
.SS domain hosts allow (G)
|
|
A synonym for this parameter is 'domain allow hosts'.
|
|
|
|
This parameter is a comma delimited set of hosts which are permitted to access
|
|
a Domain.
|
|
|
|
Note that access still requires suitable user-level passwords for the Domain.
|
|
See 'allow hosts' for a description of the syntax of this parameter.
|
|
|
|
.B Default:
|
|
none (i.e., all hosts permitted login access to the domain)
|
|
|
|
.B Example:
|
|
domain hosts allow = 150.203.5. myhost.mynet.edu.au
|
|
|
|
.SS domain hosts deny (G)
|
|
A synonym for this parameter is 'domain deny hosts'.
|
|
|
|
The opposite of 'domain hosts deny' - hosts listed here are NOT permitted
|
|
to Login to the Domain from those NT Workstations. Where the lists conflict,
|
|
the 'allow' list takes precedence.
|
|
|
|
.B Default:
|
|
none (i.e., no hosts specifically excluded login access to the domain)
|
|
|
|
.B Example:
|
|
domain hosts deny = guest_wksta 150.203.4. badhost.mynet.edu.au
|
|
|
|
.SS domain logons (G)
|
|
|
|
If set to true, the Samba server will serve Windows 95 domain logons
|
|
for the workgroup it is in. For more details on setting up this feature
|
|
see the file DOMAINS.txt in the Samba source documentation directory.
|
|
|
|
.B Default:
|
|
domain logons = no
|
|
|
|
.SS domain master (G)
|
|
|
|
Enable WAN-wide browse list collation. Local master browsers on
|
|
broadcast-isolated subnets will give samba their local browse lists, and
|
|
ask for a complete copy of the browse list for the whole wide area network.
|
|
Browser clients will then contact their local master browser, and will
|
|
receive the domain-wide browse list, instead of just the list for their
|
|
broadcast-isolated subnet.
|
|
|
|
.B Default:
|
|
domain master = no
|
|
|
|
.SS domain sid (G)
|
|
|
|
Specifies the SID when using Samba as a Logon Server for NT Workstations.
|
|
The format of SIDs supported by samba at present is S-1-N-nnn-nnn-nnn-nnn-nnn.
|
|
The number N indicates the number of sub-authorities (nnn).
|
|
|
|
.B Default:
|
|
domain sid = none
|
|
|
|
.B Example:
|
|
domain sid = S-1-5-21-123-456-789-123
|
|
|
|
.SS dont descend (S)
|
|
There are certain directories on some systems (eg., the /proc tree under
|
|
Linux) that are either not of interest to clients or are infinitely deep
|
|
(recursive). This parameter allows you to specify a comma-delimited list
|
|
of directories that the server should always show as empty.
|
|
|
|
Note that Samba can be very fussy about the exact format of the "dont
|
|
descend" entries. For example you may need "./proc" instead of just
|
|
"/proc". Experimentation is the best policy :-)
|
|
|
|
.B Default:
|
|
none (i.e., all directories are OK to descend)
|
|
|
|
.B Example:
|
|
dont descend = /proc,/dev
|
|
|
|
.SS dos filetimes (S)
|
|
Under DOS and Windows, if a user can write to a file they can change
|
|
the timestamp on it. Under POSIX semantics, only the owner of the file
|
|
or root may change the timestamp. By default, Samba runs with POSIX
|
|
semantics and refuses to change the timestamp on a file if the user
|
|
smbd is acting on behalf of is not the file owner. Setting this option
|
|
to True allows DOS semantics and smbd will change the file timstamp as
|
|
DOS requires. This is a correct implementation of a previous compile-time
|
|
options (UTIME_WORKAROUND) which was broken and is now removed.
|
|
|
|
.B Default:
|
|
dos filetimes = False
|
|
|
|
.B Example:
|
|
dos filetimes = True
|
|
|
|
.SS encrypt passwords (G)
|
|
|
|
This boolean controls whether encrypted passwords will be negotiated
|
|
with the client. Note that this option has no effect if you haven't
|
|
compiled in the necessary des libraries and encryption code. It
|
|
defaults to no.
|
|
|
|
.SS exec (S)
|
|
|
|
This is an alias for preexec
|
|
|
|
.SS fake oplocks (S)
|
|
|
|
Oplocks are the way that SMB clients get permission from a server to
|
|
locally cache file operations. If a server grants an oplock
|
|
(opportunistic lock) then the client is free to assume that it is the
|
|
only one accessing the file and it will aggressively cache file
|
|
data. With some oplock types the client may even cache file open/close
|
|
operations. This can give enormous performance benefits.
|
|
|
|
When you set "fake oplocks = yes" Samba will always grant oplock
|
|
requests no matter how many clients are using the file.
|
|
|
|
By enabling this option on all read-only shares or shares that you know
|
|
will only be accessed from one client at a time you will see a big
|
|
performance improvement on many operations. If you enable this option
|
|
on shares where multiple clients may be accessing the files read-write
|
|
at the same time you can get data corruption. Use this option
|
|
carefully!
|
|
|
|
It is generally much better to use the real oplock support except for
|
|
physically read-only media such as CDROMs.
|
|
|
|
This option is disabled by default.
|
|
|
|
.SS follow symlinks (S)
|
|
|
|
This parameter allows the Samba administrator to stop smbd from
|
|
following symbolic links in a particular share. Setting this
|
|
parameter to "No" prevents any file or directory that is a
|
|
symbolic link from being followed (the user will get an error).
|
|
This option is very useful to stop users from adding a symbolic
|
|
link to /etc/pasword in their home directory for instance.
|
|
However it will slow filename lookups down slightly.
|
|
|
|
This option is enabled (ie. smbd will follow symbolic links)
|
|
by default.
|
|
|
|
.SS force create mode (S)
|
|
This parameter specifies a set of UNIX mode bit permissions that
|
|
will *always* be set on a file created by Samba. This is done
|
|
by bitwise 'OR'ing these bits onto the mode bits of a file that
|
|
is being created. The default for this parameter is (in octel)
|
|
000. The modes in this parameter are bitwise 'OR'ed onto the
|
|
file mode after the mask set in the "create mask" parameter
|
|
is applied.
|
|
|
|
See also the parameter "create mask" for details on masking mode
|
|
bits on created files.
|
|
|
|
.B Default:
|
|
force create mode = 000
|
|
|
|
.B Example:
|
|
force create mode = 0755
|
|
|
|
would force all created files to have read and execute permissions
|
|
set for 'group' and 'other' as well as the read/write/execute bits
|
|
set for the 'user'.
|
|
|
|
.SS force directory mode (S)
|
|
This parameter specifies a set of UNIX mode bit permissions that
|
|
will *always* be set on a directory created by Samba. This is done
|
|
by bitwise 'OR'ing these bits onto the mode bits of a directory that
|
|
is being created. The default for this parameter is (in octel)
|
|
0000 which will not add any extra permission bits to a created
|
|
directory. This operation is done after the mode mask in the parameter
|
|
"directory mask" is applied.
|
|
|
|
See also the parameter "directory mask" for details on masking mode
|
|
bits on created directories.
|
|
|
|
.B Default:
|
|
force directory mode = 000
|
|
|
|
.B Example:
|
|
force directory mode = 0755
|
|
|
|
would force all created directories to have read and execute permissions
|
|
set for 'group' and 'other' as well as the read/write/execute bits
|
|
set for the 'user'.
|
|
|
|
.SS force group (S)
|
|
This specifies a group name that all connections to this service
|
|
should be made as. This may be useful for sharing files.
|
|
|
|
.B Default:
|
|
no forced group
|
|
|
|
.B Example:
|
|
force group = agroup
|
|
|
|
.SS force user (S)
|
|
This specifies a user name that all connections to this service
|
|
should be made as. This may be useful for sharing files. You should
|
|
also use it carefully as using it incorrectly can cause security
|
|
problems.
|
|
|
|
This user name only gets used once a connection is established. Thus
|
|
clients still need to connect as a valid user and supply a valid
|
|
password. Once connected, all file operations will be performed as the
|
|
"forced user", not matter what username the client connected as.
|
|
|
|
.B Default:
|
|
no forced user
|
|
|
|
.B Example:
|
|
force user = auser
|
|
|
|
.SS getwd cache (G)
|
|
This is a tuning option. When this is enabled a cacheing algorithm will
|
|
be used to reduce the time taken for getwd() calls. This can have a
|
|
significant impact on performance, especially when widelinks is False.
|
|
|
|
.B Default:
|
|
getwd cache = No
|
|
|
|
.B Example:
|
|
getwd cache = Yes
|
|
|
|
.SS group (S)
|
|
This is an alias for "force group" and is only kept for compatibility
|
|
with old versions of Samba. It may be removed in future versions.
|
|
|
|
.SS guest account (S)
|
|
This is a username which will be used for access to services which are
|
|
specified as 'guest ok' (see below). Whatever privileges this user has
|
|
will be available to any client connecting to the guest
|
|
service. Typically this user will exist in the password file, but will
|
|
not have a valid login. If a username is specified in a given service,
|
|
the specified username overrides this one.
|
|
|
|
One some systems the account "nobody" may not be able to print. Use
|
|
another account in this case. You should test this by trying to log in
|
|
as your guest user (perhaps by using the "su \-" command) and trying to
|
|
print using
|
|
.BR lpr .
|
|
|
|
Note that as of version 1.9 of Samba this option may be set
|
|
differently for each service.
|
|
|
|
.B Default:
|
|
specified at compile time
|
|
|
|
.B Example:
|
|
guest account = nobody
|
|
.SS guest ok (S)
|
|
See
|
|
.B public.
|
|
.SS guest only (S)
|
|
If this parameter is 'yes' for a service, then only guest connections to the
|
|
service are permitted. This parameter will have no affect if "guest ok" or
|
|
"public" is not set for the service.
|
|
|
|
See the section below on user/password validation for more information about
|
|
this option.
|
|
|
|
.B Default:
|
|
guest only = no
|
|
|
|
.B Example:
|
|
guest only = yes
|
|
.SS hide dot files (S)
|
|
This is a boolean parameter that controls whether files starting with
|
|
a dot appear as hidden files.
|
|
|
|
.B Default:
|
|
hide dot files = yes
|
|
|
|
.B Example:
|
|
hide dot files = no
|
|
|
|
|
|
.SS hide files(S)
|
|
This is a list of files or directories that are not visible but are
|
|
accessible. The DOS 'hidden' attribute is applied to any files or
|
|
directories that match.
|
|
|
|
Each entry in the list must be separated by a "/", which allows spaces
|
|
to be included in the entry. '*' and '?' can be used to specify multiple
|
|
files or directories as in DOS wildcards.
|
|
|
|
Each entry must be a unix path, not a DOS path and must not include the
|
|
unix directory separator "/".
|
|
|
|
Note that the case sensitivity option is applicable in hiding files.
|
|
|
|
Setting this parameter will affect the performance of Samba, as
|
|
it will be forced to check all files and directories for a match
|
|
as they are scanned.
|
|
|
|
See also "hide dot files", "veto files" and "case sensitive"
|
|
|
|
.B Default
|
|
No files or directories are hidden by this option (dot files are
|
|
hidden by default because of the "hide dot files" option).
|
|
|
|
.B Example
|
|
hide files = /.*/DesktopFolderDB/TrashFor%m/resource.frk/
|
|
|
|
The above example is based on files that the Macintosh client (DAVE)
|
|
creates for internal use, and also still hides all files beginning with
|
|
a dot.
|
|
|
|
.SS homedir map (G)
|
|
If "nis homedir" is true, this parameter specifies the NIS (or YP) map
|
|
from which the server for the user's home directory should be extracted.
|
|
At present, only the Sun auto.home map format is understood. The form of
|
|
the map is:
|
|
|
|
username server:/some/file/system
|
|
|
|
and the program will extract the servername from before the first ':'.
|
|
There should probably be a better parsing system that copes with different
|
|
map formats and also Amd (another automounter) maps.
|
|
|
|
NB: The -DNETGROUP option is required in the Makefile for option to work
|
|
and on some architectures the line -lrpcsvc needs to be added to the
|
|
LIBSM variable. This is required for Solaris 2, FreeBSD and HPUX.
|
|
|
|
See also "nis homedir"
|
|
|
|
.B Default:
|
|
homedir map = auto.home
|
|
|
|
.B Example:
|
|
homedir map = amd.homedir
|
|
.SS hosts allow (S)
|
|
See
|
|
.B allow hosts.
|
|
.SS hosts deny (S)
|
|
See
|
|
.B deny hosts.
|
|
|
|
.SS hosts equiv (G)
|
|
If this global parameter is a non-null string, it specifies the name of
|
|
a file to read for the names of hosts and users who will be allowed access
|
|
without specifying a password.
|
|
|
|
This is not be confused with
|
|
.B allow hosts
|
|
which is about hosts access to services and is more useful for guest services.
|
|
.B hosts equiv
|
|
may be useful for NT clients which will not supply passwords to samba.
|
|
|
|
NOTE: The use of hosts.equiv can be a major security hole. This is
|
|
because you are trusting the PC to supply the correct username. It is
|
|
very easy to get a PC to supply a false username. I recommend that the
|
|
hosts.equiv option be only used if you really know what you are doing,
|
|
or perhaps on a home network where you trust your wife and kids :-)
|
|
|
|
.B Default
|
|
No host equivalences
|
|
|
|
.B Example
|
|
hosts equiv = /etc/hosts.equiv
|
|
|
|
.SS include (G)
|
|
|
|
This allows you to include one config file inside another. The file is
|
|
included literally, as though typed in place.
|
|
|
|
It takes the standard substitutions, except %u, %P and %S
|
|
|
|
.SS interfaces (G)
|
|
|
|
This option allows you to setup multiple network interfaces, so that
|
|
Samba can properly handle browsing on all interfaces.
|
|
|
|
The option takes a list of ip/netmask pairs. The netmask may either be
|
|
a bitmask, or a bitlength.
|
|
|
|
For example, the following line:
|
|
|
|
interfaces = 192.168.2.10/24 192.168.3.10/24
|
|
|
|
would configure two network interfaces with IP addresses 192.168.2.10
|
|
and 192.168.3.10. The netmasks of both interfaces would be set to
|
|
255.255.255.0.
|
|
|
|
You could produce an equivalent result by using:
|
|
|
|
interfaces = 192.168.2.10/255.255.255.0 192.168.3.10/255.255.255.0
|
|
|
|
if you prefer that format.
|
|
|
|
If this option is not set then Samba will attempt to find a primary
|
|
interface, but won't attempt to configure more than one interface.
|
|
|
|
.SS invalid users (S)
|
|
This is a list of users that should not be allowed to login to this
|
|
service. This is really a "paranoid" check to absolutely ensure an
|
|
improper setting does not breach your security.
|
|
|
|
A name starting with @ is interpreted as a UNIX group.
|
|
|
|
The current servicename is substituted for %S. This is useful in the
|
|
[homes] section.
|
|
|
|
See also "valid users"
|
|
|
|
.B Default
|
|
No invalid users
|
|
|
|
.B Example
|
|
invalid users = root fred admin @wheel
|
|
|
|
.SS keep alive (G)
|
|
The value of the parameter (an integer) represents the number of seconds
|
|
between 'keepalive' packets. If this parameter is zero, no keepalive packets
|
|
will be sent. Keepalive packets, if sent, allow the server to tell whether a
|
|
client is still present and responding.
|
|
|
|
Keepalives should, in general, not be needed if the socket being used
|
|
has the SO_KEEPALIVE attribute set on it (see "socket
|
|
options"). Basically you should only use this option if you strike
|
|
difficulties.
|
|
|
|
.B Default:
|
|
keep alive = 0
|
|
|
|
.B Example:
|
|
keep alive = 60
|
|
|
|
.SS lm announce (G)
|
|
|
|
This parameter determines if Samba will produce Lanman announce
|
|
broadcasts that are needed by OS/2 clients in order for them to
|
|
see the Samba server in their browse list. This parameter can
|
|
have three values, true, false, or auto. The default is auto.
|
|
If set to False Samba will never produce these broadcasts. If
|
|
set to true Samba will produce Lanman announce broadcasts at
|
|
a frequency set by the parameter 'lm interval'. If set to auto
|
|
Samba will not send Lanman announce broadcasts by default but
|
|
will listen for them. If it hears such a broadcast on the wire
|
|
it will then start sending them at a frequency set by the parameter
|
|
'lm interval'.
|
|
|
|
See also "lm interval".
|
|
|
|
.B Default:
|
|
lm announce = auto
|
|
|
|
.B Example:
|
|
lm announce = true
|
|
|
|
.SS lm interval (G)
|
|
|
|
If Samba is set to produce Lanman announce broadcasts needed
|
|
by OS/2 clients (see the "lm announce" parameter) this parameter
|
|
defines the frequency in seconds with which they will be made.
|
|
If this is set to zero then no Lanman announcements will be
|
|
made despite the setting of the "lm announce" parameter.
|
|
|
|
See also "lm announce".
|
|
|
|
.B Default:
|
|
lm interval = 60
|
|
|
|
.B Example:
|
|
lm interval = 120
|
|
|
|
.SS load printers (G)
|
|
A boolean variable that controls whether all printers in the printcap
|
|
will be loaded for browsing by default.
|
|
|
|
.B Default:
|
|
load printers = yes
|
|
|
|
.B Example:
|
|
load printers = no
|
|
|
|
.SS local master (G)
|
|
This option allows the nmbd to become a local master browser on a
|
|
subnet. If set to False then nmbd will not attempt to become a local
|
|
master browser on a subnet and will also lose in all browsing elections.
|
|
By default this value is set to true. Setting this value to true doesn't
|
|
mean that Samba will become the local master browser on a subnet, just
|
|
that the nmbd will participate in elections for local master browser.
|
|
|
|
.B Default:
|
|
local master = yes
|
|
|
|
.SS lock directory (G)
|
|
This option specifies the directory where lock files will be placed.
|
|
The lock files are used to implement the "max connections" option.
|
|
|
|
.B Default:
|
|
lock directory = /tmp/samba
|
|
|
|
.B Example:
|
|
lock directory = /usr/local/samba/var/locks
|
|
|
|
.SS locking (S)
|
|
This controls whether or not locking will be performed by the server in
|
|
response to lock requests from the client.
|
|
|
|
If "locking = no", all lock and unlock requests will appear to succeed and
|
|
all lock queries will indicate that the queried lock is clear.
|
|
|
|
If "locking = yes", real locking will be performed by the server.
|
|
|
|
This option may be particularly useful for read-only filesystems which
|
|
do not need locking (such as cdrom drives).
|
|
|
|
Be careful about disabling locking either globally or in a specific
|
|
service, as lack of locking may result in data corruption.
|
|
|
|
.B Default:
|
|
locking = yes
|
|
|
|
.B Example:
|
|
locking = no
|
|
|
|
.SS log file (G)
|
|
|
|
This options allows you to override the name of the Samba log file
|
|
(also known as the debug file).
|
|
|
|
This option takes the standard substitutions, allowing you to have
|
|
separate log files for each user or machine.
|
|
|
|
.B Example:
|
|
log file = /usr/local/samba/var/log.%m
|
|
|
|
.SS log level (G)
|
|
see "debug level"
|
|
|
|
.SS logon drive (G)
|
|
|
|
This parameter specifies the local path to which the home directory
|
|
will be connected (see "logon home") and is only used by NT Workstations.
|
|
|
|
.B Example:
|
|
logon drive = h:
|
|
|
|
.SS logon home (G)
|
|
|
|
This parameter specifies the home directory location when a Win95 or
|
|
NT Workstation logs into a Samba PDC. It allows you to do "NET USE
|
|
H: /HOME" from a command prompt, for example.
|
|
|
|
.B
|
|
This option takes the standard substitutions, allowing you to have
|
|
separate logon scripts for each user or machine.
|
|
|
|
.B Example:
|
|
logon home = "\\\\remote_smb_server\\%U"
|
|
|
|
.B Default:
|
|
logon home = "\\\\%N\\%U"
|
|
|
|
.SS logon path (G)
|
|
|
|
This parameter specifies the home directory where roaming profiles
|
|
(USER.DAT / USER.MAN files for Windows 95) are stored.
|
|
|
|
This option takes the standard substitutions, allowing you to have
|
|
separate logon scripts for each user or machine. It also specifies
|
|
the directory from which the "desktop", "start menu", "nethood" and
|
|
"programs" folders, and their contents, are loaded and displayed
|
|
on your Windows 95 client.
|
|
|
|
The share and the path must be readable by the user for the preferences
|
|
and directories to be loaded onto the Windows 95 client. The share
|
|
must be writeable when the logs in for the first time, in order that
|
|
the Windows 95 client can create the user.dat and other directories.
|
|
|
|
Thereafter, the directories and any of contents can, if required,
|
|
be made read-only. It is not adviseable that the USER.DAT file be made
|
|
read-only - rename it to USER.MAN to achieve the desired effect
|
|
(a MANdatory profile).
|
|
|
|
Windows clients can sometimes maintain a connection to the [homes]
|
|
share, even though there is no user logged in. Therefore, it is
|
|
vital that the logon path does not include a reference to the
|
|
homes share (i.e \\\\%N\\HOMES\profile_path will cause problems).
|
|
|
|
.B
|
|
This option takes the standard substitutions, allowing you to have
|
|
separate logon scripts for each user or machine.
|
|
|
|
.B Default:
|
|
logon path = \\\\%N\\%U\\profile
|
|
|
|
.B Example:
|
|
logon path = \\\\PROFILESERVER\\HOME_DIR\\%U\\PROFILE
|
|
|
|
.SS logon script (G)
|
|
|
|
This parameter specifies the batch file (.bat) or NT command file (.cmd)
|
|
to be downloaded and run on a machine when a user successfully logs in.
|
|
The file must contain the DOS style cr/lf line endings. Using a DOS-style
|
|
editor to create the file is recommended.
|
|
|
|
The script must be a relative path to the [netlogon] service. If the
|
|
[netlogon] service specifies a path of /usr/local/samba/netlogon, and
|
|
logon script = STARTUP.BAT, then file that will be downloaded is:
|
|
|
|
.B /usr/local/samba/netlogon/STARTUP.BAT
|
|
|
|
The contents of the batch file is entirely your choice. A suggested
|
|
command would be to add NET TIME \\\\SERVER /SET /YES, to force every
|
|
machine to synchronise clocks with the same time server. Another use
|
|
would be to add NET USE U: \\\\SERVER\\UTILS for commonly used utilities,
|
|
or NET USE Q: \\\\SERVER\\ISO9001_QA.
|
|
|
|
Note that it is particularly important not to allow write access to
|
|
the [netlogon] share, or to grant users write permission on the
|
|
batch files in a secure environment, as this would allow the batch
|
|
files to be arbitrarily modified.
|
|
|
|
.B
|
|
This option takes the standard substitutions, allowing you to have
|
|
separate logon scripts for each user or machine.
|
|
|
|
.B Example:
|
|
logon script = scripts/%U.bat
|
|
|
|
.SS lppause command (S)
|
|
This parameter specifies the command to be executed on the server host in
|
|
order to stop printing or spooling a specific print job.
|
|
|
|
This command should be a program or script which takes a printer name and
|
|
job number to pause the print job. Currently I don't know of any print
|
|
spooler system that can do this with a simple option, except for the PPR
|
|
system from Trinity College (ppr\-dist.trincoll.edu/pub/ppr). One way
|
|
of implementing this is by using job priorities, where jobs having a too
|
|
low priority won't be sent to the printer. See also the
|
|
.B lppause
|
|
command.
|
|
|
|
If a %p is given then the printername is put in its place. A %j is
|
|
replaced with the job number (an integer).
|
|
On HPUX (see printing=hpux), if the -p%p option is added to the lpq
|
|
command, the job will show up with the correct status, i.e. if the job
|
|
priority is lower than the set fence priority it will have the PAUSED
|
|
status, whereas if the priority is equal or higher it will have the
|
|
SPOOLED or PRINTING status.
|
|
|
|
Note that it is good practice to include the absolute path in the lppause
|
|
command as the PATH may not be available to the server.
|
|
|
|
.B Default:
|
|
Currently no default value is given to this string
|
|
|
|
.B Example for HPUX:
|
|
lppause command = /usr/bin/lpalt %p-%j -p0
|
|
|
|
.SS lpq cache time (G)
|
|
|
|
This controls how long lpq info will be cached for to prevent the lpq
|
|
command being called too often. A separate cache is kept for each
|
|
variation of the lpq command used by the system, so if you use
|
|
different lpq commands for different users then they won't share cache
|
|
information.
|
|
|
|
The cache files are stored in /tmp/lpq.xxxx where xxxx is a hash
|
|
of the lpq command in use.
|
|
|
|
The default is 10 seconds, meaning that the cached results of a
|
|
previous identical lpq command will be used if the cached data is less
|
|
than 10 seconds old. A large value may be advisable if your lpq
|
|
command is very slow.
|
|
|
|
A value of 0 will disable cacheing completely.
|
|
|
|
.B Default:
|
|
lpq cache time = 10
|
|
|
|
.B Example:
|
|
lpq cache time = 30
|
|
|
|
.SS lpq command (S)
|
|
This parameter specifies the command to be executed on the server host in
|
|
order to obtain "lpq"-style printer status information.
|
|
|
|
This command should be a program or script which takes a printer name
|
|
as its only parameter and outputs printer status information.
|
|
|
|
Currently six styles of printer status information are supported; BSD,
|
|
SYSV, AIX, HPUX, QNX, LPRNG and PLP. This covers most UNIX systems. You
|
|
control which type is expected using the "printing =" option.
|
|
|
|
Some clients (notably Windows for Workgroups) may not correctly send the
|
|
connection number for the printer they are requesting status information
|
|
about. To get around this, the server reports on the first printer service
|
|
connected to by the client. This only happens if the connection number sent
|
|
is invalid.
|
|
|
|
If a %p is given then the printername is put in its place. Otherwise
|
|
it is placed at the end of the command.
|
|
|
|
Note that it is good practice to include the absolute path in the lpq
|
|
command as the PATH may not be available to the server.
|
|
|
|
.B Default:
|
|
depends on the setting of "printing ="
|
|
|
|
.B Example:
|
|
lpq command = /usr/bin/lpq %p
|
|
|
|
.SS lpresume command (S)
|
|
This parameter specifies the command to be executed on the server host in
|
|
order to restart or continue printing or spooling a specific print job.
|
|
|
|
This command should be a program or script which takes a printer name and
|
|
job number to resume the print job. See also the lppause command.
|
|
|
|
If a %p is given then the printername is put in its place. A %j is
|
|
replaced with the job number (an integer).
|
|
|
|
Note that it is good practice to include the absolute path in the lpresume
|
|
command as the PATH may not be available to the server.
|
|
|
|
.B Default:
|
|
Currently no default value is given to this string
|
|
|
|
.B Example for HPUX:
|
|
lpresume command = /usr/bin/lpalt %p-%j -p2
|
|
|
|
.SS lprm command (S)
|
|
This parameter specifies the command to be executed on the server host in
|
|
order to delete a print job.
|
|
|
|
This command should be a program or script which takes a printer name
|
|
and job number, and deletes the print job.
|
|
|
|
Currently seven styles of printer control are supported; BSD, SYSV, AIX
|
|
HPUX, QNX, LPRNG and PLP. This covers most UNIX systems. You control
|
|
which type is expected using the "printing =" option.
|
|
|
|
If a %p is given then the printername is put in its place. A %j is
|
|
replaced with the job number (an integer).
|
|
|
|
Note that it is good practice to include the absolute path in the lprm
|
|
command as the PATH may not be available to the server.
|
|
|
|
.B Default:
|
|
depends on the setting of "printing ="
|
|
|
|
.B Example 1:
|
|
lprm command = /usr/bin/lprm -P%p %j
|
|
|
|
.B Example 2:
|
|
lprm command = /usr/bin/cancel %p-%j
|
|
|
|
.SS magic output (S)
|
|
This parameter specifies the name of a file which will contain output
|
|
created by a magic script (see
|
|
.I magic script
|
|
below).
|
|
|
|
Warning: If two clients use the same magic script in the same directory the
|
|
output file content is undefined.
|
|
.B Default:
|
|
magic output = <magic script name>.out
|
|
|
|
.B Example:
|
|
magic output = myfile.txt
|
|
.SS magic script (S)
|
|
This parameter specifies the name of a file which, if opened, will be
|
|
executed by the server when the file is closed. This allows a UNIX script
|
|
to be sent to the Samba host and executed on behalf of the connected user.
|
|
|
|
Scripts executed in this way will be deleted upon completion, permissions
|
|
permitting.
|
|
|
|
If the script generates output, output will be sent to the file specified by
|
|
the
|
|
.I magic output
|
|
parameter (see above).
|
|
|
|
Note that some shells are unable to interpret scripts containing
|
|
carriage-return-linefeed instead of linefeed as the end-of-line
|
|
marker. Magic scripts must be executable "as is" on the host, which
|
|
for some hosts and some shells will require filtering at the DOS end.
|
|
|
|
Magic scripts are EXPERIMENTAL and should NOT be relied upon.
|
|
|
|
.B Default:
|
|
None. Magic scripts disabled.
|
|
|
|
.B Example:
|
|
magic script = user.csh
|
|
|
|
.SS mangle case (S)
|
|
|
|
See the section on "NAME MANGLING"
|
|
|
|
.SS mangled map (S)
|
|
This is for those who want to directly map UNIX file names which are
|
|
not representable on DOS. The mangling of names is not always what is
|
|
needed. In particular you may have documents with file extensions
|
|
that differ between DOS and UNIX. For example, under UNIX it is common
|
|
to use .html for HTML files, whereas under DOS .htm is more commonly
|
|
used.
|
|
|
|
So to map 'html' to 'htm' you put:
|
|
|
|
mangled map = (*.html *.htm)
|
|
|
|
One very useful case is to remove the annoying ;1 off the ends of
|
|
filenames on some CDROMS (only visible under some UNIXes). To do this
|
|
use a map of (*;1 *)
|
|
|
|
.B default:
|
|
no mangled map
|
|
|
|
.B Example:
|
|
mangled map = (*;1 *)
|
|
|
|
.SS mangled names (S)
|
|
This controls whether non-DOS names under UNIX should be mapped to
|
|
DOS-compatible names ("mangled") and made visible, or whether non-DOS names
|
|
should simply be ignored.
|
|
|
|
See the section on "NAME MANGLING" for details on how to control the
|
|
mangling process.
|
|
|
|
If mangling is used then the mangling algorithm is as follows:
|
|
.RS
|
|
- the first (up to) five alphanumeric characters before the rightmost dot of
|
|
the filename are preserved, forced to upper case, and appear as the first (up
|
|
to) five characters of the mangled name.
|
|
|
|
- a tilde ("~") is appended to the first part of the mangled name, followed
|
|
by a two-character unique sequence, based on the original root name
|
|
(i.e., the original filename minus its final extension). The final
|
|
extension is included in the hash calculation only if it contains any upper
|
|
case characters or is longer than three characters.
|
|
|
|
Note that the character to use may be specified using the "mangling
|
|
char" option, if you don't like ~.
|
|
|
|
- the first three alphanumeric characters of the final extension are preserved,
|
|
forced to upper case and appear as the extension of the mangled name. The
|
|
final extension is defined as that part of the original filename after the
|
|
rightmost dot. If there are no dots in the filename, the mangled name will
|
|
have no extension (except in the case of hidden files - see below).
|
|
|
|
- files whose UNIX name begins with a dot will be presented as DOS hidden
|
|
files. The mangled name will be created as for other filenames, but with the
|
|
leading dot removed and "___" as its extension regardless of actual original
|
|
extension (that's three underscores).
|
|
.RE
|
|
|
|
The two-digit hash value consists of upper case alphanumeric characters.
|
|
|
|
This algorithm can cause name collisions only if files in a directory share
|
|
the same first five alphanumeric characters. The probability of such a clash
|
|
is 1/1300.
|
|
|
|
The name mangling (if enabled) allows a file to be copied between UNIX
|
|
directories from DOS while retaining the long UNIX filename. UNIX files can
|
|
be renamed to a new extension from DOS and will retain the same basename.
|
|
Mangled names do not change between sessions.
|
|
|
|
.B Default:
|
|
mangled names = yes
|
|
|
|
.B Example:
|
|
mangled names = no
|
|
.SS mangling char (S)
|
|
This controls what character is used as the "magic" character in name
|
|
mangling. The default is a ~ but this may interfere with some
|
|
software. Use this option to set it to whatever you prefer.
|
|
|
|
.B Default:
|
|
mangling char = ~
|
|
|
|
.B Example:
|
|
mangling char = ^
|
|
|
|
.SS mangled stack (G)
|
|
This parameter controls the number of mangled names that should be cached in
|
|
the Samba server.
|
|
|
|
This stack is a list of recently mangled base names (extensions are only
|
|
maintained if they are longer than 3 characters or contains upper case
|
|
characters).
|
|
|
|
The larger this value, the more likely it is that mangled names can be
|
|
successfully converted to correct long UNIX names. However, large stack
|
|
sizes will slow most directory access. Smaller stacks save memory in the
|
|
server (each stack element costs 256 bytes).
|
|
|
|
It is not possible to absolutely guarantee correct long file names, so
|
|
be prepared for some surprises!
|
|
|
|
.B Default:
|
|
mangled stack = 50
|
|
|
|
.B Example:
|
|
mangled stack = 100
|
|
|
|
.SS map archive (S)
|
|
This controls whether the DOS archive attribute should be mapped to the
|
|
UNIX owner execute bit. The DOS archive bit is set when a file has been modified
|
|
since its last backup. One motivation for this option it to keep Samba/your
|
|
PC from making any file it touches from becoming executable under UNIX.
|
|
This can be quite annoying for shared source code, documents, etc...
|
|
|
|
Note that this requires the 'create mask' to be set such that owner
|
|
execute bit is not masked out (ie. it must include 100). See the
|
|
parameter "create mask" for details.
|
|
|
|
.B Default:
|
|
map archive = yes
|
|
|
|
.B Example:
|
|
map archive = no
|
|
|
|
.SS map hidden (S)
|
|
This controls whether DOS style hidden files should be mapped to the
|
|
UNIX world execute bit.
|
|
|
|
Note that this requires the 'create mask' to be set such that the world
|
|
execute bit is not masked out (ie. it must include 001).
|
|
See the parameter "create mask" for details.
|
|
|
|
.B Default:
|
|
map hidden = no
|
|
|
|
.B Example:
|
|
map hidden = yes
|
|
.SS map system (S)
|
|
This controls whether DOS style system files should be mapped to the
|
|
UNIX group execute bit.
|
|
|
|
Note that this requires the 'create mask' to be set such that the group
|
|
execute bit is not masked out (ie. it must include 010). See the parameter
|
|
"create mask" for details.
|
|
|
|
.B Default:
|
|
map system = no
|
|
|
|
.B Example:
|
|
map system = yes
|
|
.SS max connections (S)
|
|
This option allows the number of simultaneous connections to a
|
|
service to be limited. If "max connections" is greater than 0 then
|
|
connections will be refused if this number of connections to the
|
|
service are already open. A value of zero mean an unlimited number of
|
|
connections may be made.
|
|
|
|
Record lock files are used to implement this feature. The lock files
|
|
will be stored in the directory specified by the "lock directory" option.
|
|
|
|
.B Default:
|
|
max connections = 0
|
|
|
|
.B Example:
|
|
max connections = 10
|
|
|
|
.SS max disk size (G)
|
|
This option allows you to put an upper limit on the apparent size of
|
|
disks. If you set this option to 100 then all shares will appear to be
|
|
not larger than 100 MB in size.
|
|
|
|
Note that this option does not limit the amount of data you can put on
|
|
the disk. In the above case you could still store much more than 100
|
|
MB on the disk, but if a client ever asks for the amount of free disk
|
|
space or the total disk size then the result will be bounded by the
|
|
amount specified in "max disk size".
|
|
|
|
This option is primarily useful to work around bugs in some pieces of
|
|
software that can't handle very large disks, particularly disks over
|
|
1GB in size.
|
|
|
|
A "max disk size" of 0 means no limit.
|
|
|
|
.B Default:
|
|
max disk size = 0
|
|
|
|
.B Example:
|
|
max disk size = 1000
|
|
|
|
.SS max log size (G)
|
|
|
|
This option (an integer in kilobytes) specifies the max size the log
|
|
file should grow to. Samba periodically checks the size and if it is
|
|
exceeded it will rename the file, adding a .old extension.
|
|
|
|
A size of 0 means no limit.
|
|
|
|
.B Default:
|
|
max log size = 5000
|
|
|
|
.B Example:
|
|
max log size = 1000
|
|
|
|
.SS max mux (G)
|
|
|
|
This option controls the maximum number of outstanding simultaneous SMB
|
|
operations that samba tells the client it will allow. You should never need
|
|
to set this parameter.
|
|
|
|
.B Default:
|
|
max mux = 50
|
|
|
|
.SS max packet (G)
|
|
|
|
A synonym for this parameter is 'packet size'.
|
|
|
|
.SS max ttl (G)
|
|
|
|
This option tells nmbd what the default 'time to live' of NetBIOS
|
|
names should be (in seconds) when nmbd is requesting a name using
|
|
either a broadcast or from a WINS server. You should never need to
|
|
change this parameter.
|
|
|
|
.B Default:
|
|
max ttl = 14400
|
|
|
|
.SS max wins ttl (G)
|
|
|
|
This option tells nmbd when acting as a WINS server (wins support = true)
|
|
what the maximum 'time to live' of NetBIOS names that nmbd will grant will
|
|
be (in seconds). You should never need to change this parameter.
|
|
The default is 3 days (259200 seconds).
|
|
|
|
.B Default:
|
|
max wins ttl = 259200
|
|
|
|
.SS max xmit (G)
|
|
|
|
This option controls the maximum packet size that will be negotiated
|
|
by Samba. The default is 65535, which is the maximum. In some cases
|
|
you may find you get better performance with a smaller value. A value
|
|
below 2048 is likely to cause problems.
|
|
|
|
.B Default:
|
|
max xmit = 65535
|
|
|
|
.B Example:
|
|
max xmit = 8192
|
|
|
|
.SS message command (G)
|
|
|
|
This specifies what command to run when the server receives a WinPopup
|
|
style message.
|
|
|
|
This would normally be a command that would deliver the message
|
|
somehow. How this is to be done is up to your imagination.
|
|
|
|
What I use is:
|
|
|
|
message command = csh -c 'xedit %s;rm %s' &
|
|
|
|
This delivers the message using xedit, then removes it
|
|
afterwards. NOTE THAT IT IS VERY IMPORTANT THAT THIS COMMAND RETURN
|
|
IMMEDIATELY. That's why I have the & on the end. If it doesn't return
|
|
immediately then your PCs may freeze when sending messages (they
|
|
should recover after 30secs, hopefully).
|
|
|
|
All messages are delivered as the global guest user. The command takes
|
|
the standard substitutions, although %u won't work (%U may be better
|
|
in this case).
|
|
|
|
Apart from the standard substitutions, some additional ones apply. In
|
|
particular:
|
|
|
|
%s = the filename containing the message
|
|
|
|
%t = the destination that the message was sent to (probably the server
|
|
name)
|
|
|
|
%f = who the message is from
|
|
|
|
You could make this command send mail, or whatever else takes your
|
|
fancy. Please let me know of any really interesting ideas you have.
|
|
|
|
Here's a way of sending the messages as mail to root:
|
|
|
|
message command = /bin/mail -s 'message from %f on %m' root < %s; rm %s
|
|
|
|
If you don't have a message command then the message won't be
|
|
delivered and Samba will tell the sender there was an
|
|
error. Unfortunately WfWg totally ignores the error code and carries
|
|
on regardless, saying that the message was delivered.
|
|
|
|
If you want to silently delete it then try "message command = rm %s".
|
|
|
|
For the really adventurous, try something like this:
|
|
|
|
message command = csh -c 'csh < %s |& /usr/local/samba/bin/smbclient \e
|
|
-M %m; rm %s' &
|
|
|
|
this would execute the command as a script on the server, then give
|
|
them the result in a WinPopup message. Note that this could cause a
|
|
loop if you send a message from the server using smbclient! You better
|
|
wrap the above in a script that checks for this :-)
|
|
|
|
.B Default:
|
|
no message command
|
|
|
|
.B Example:
|
|
message command = csh -c 'xedit %s;rm %s' &
|
|
|
|
.SS min print space (S)
|
|
|
|
This sets the minimum amount of free disk space that must be available
|
|
before a user will be able to spool a print job. It is specified in
|
|
kilobytes. The default is 0, which means no limit.
|
|
|
|
.B Default:
|
|
min print space = 0
|
|
|
|
.B Example:
|
|
min print space = 2000
|
|
|
|
.SS min wins ttl (G)
|
|
|
|
This option tells nmbd when acting as a WINS server (wins support = true)
|
|
what the minimum 'time to live' of NetBIOS names that nmbd will grant will
|
|
be (in seconds). You should never need to change this parameter.
|
|
The default is 6 hours (21600 seconds).
|
|
|
|
.B Default:
|
|
min wins ttl = 21600
|
|
|
|
|
|
.SS netbios aliases (G)
|
|
|
|
This is a list of names that nmbd will advertise as additional
|
|
names by which the Samba server is known. This allows one machine
|
|
to appear in browse lists under multiple names. If a machine is
|
|
acting as a browse server or logon server none of these names
|
|
will be advertised as either browse server or logon servers, only
|
|
the primary name of the machine will be advertised with these
|
|
capabilities.
|
|
|
|
See also 'netbios name'.
|
|
|
|
.B Example:
|
|
netbios aliases = TEST TEST1 TEST2
|
|
|
|
.SS netbios name (G)
|
|
|
|
This sets the NetBIOS name by which a Samba server is known. By
|
|
default it is the same as the first component of the host's DNS name.
|
|
If a machine is a browse server or logon server this name (or the
|
|
first component of the hosts DNS name) will be the name that these
|
|
services are advertised under.
|
|
|
|
See also 'netbios aliases'.
|
|
|
|
.B Example:
|
|
netbios name = MYNAME
|
|
|
|
.SS nis homedir (G)
|
|
Get the home share server from a NIS (or YP) map. For unix systems that
|
|
use an automounter, the user's home directory will often be mounted on
|
|
a workstation on demand from a remote server. When the Samba logon server
|
|
is not the actual home directory server, two network hops are required
|
|
to access the home directory and this can be very slow especially with
|
|
writing via Samba to an NFS mounted directory. This option allows samba
|
|
to return the home share as being on a different server to the logon
|
|
server and as long as a samba daemon is running on the home directory
|
|
server, it will be mounted on the Samba client directly from the directory
|
|
server. When Samba is returning the home share to the client, it will
|
|
consult the NIS (or YP) map specified in "homedir map" and return the
|
|
server listed there.
|
|
|
|
.B Default:
|
|
nis homedir = false
|
|
|
|
.B Example:
|
|
nis homedir = true
|
|
|
|
.SS null passwords (G)
|
|
Allow or disallow access to accounts that have null passwords.
|
|
|
|
.B Default:
|
|
null passwords = no
|
|
|
|
.B Example:
|
|
null passwords = yes
|
|
|
|
.SS only guest (S)
|
|
A synonym for this command is 'guest only'.
|
|
|
|
.SS only user (S)
|
|
This is a boolean option that controls whether connections with
|
|
usernames not in the user= list will be allowed. By default this
|
|
option is disabled so a client can supply a username to be used by
|
|
the server.
|
|
|
|
Note that this also means Samba won't try to deduce usernames from the
|
|
service name. This can be annoying for the [homes] section. To get
|
|
around this you could use "user = %S" which means your "user" list
|
|
will be just the service name, which for home directories is the name
|
|
of the user.
|
|
|
|
.B Default:
|
|
only user = False
|
|
|
|
.B Example:
|
|
only user = True
|
|
|
|
.SS oplocks (S)
|
|
This boolean option tells smbd whether to issue oplocks (opportunistic
|
|
locks) to file open requests on this share. The oplock code was introduced in
|
|
Samba 1.9.18 and can dramatically (approx 30% or more) improve the speed
|
|
of access to files on Samba servers. It allows the clients to agressively
|
|
cache files locally and you may want to disable this option for unreliable
|
|
network environments (it is turned on by default in Windows NT Servers).
|
|
For more information see the file Speed.txt in the Samba docs/ directory.
|
|
|
|
Oplocks may be selectively turned off on certain files on a per share basis.
|
|
See the 'veto oplock files' parameter.
|
|
|
|
.B Default:
|
|
oplocks = True
|
|
|
|
.B Example:
|
|
oplocks = False
|
|
|
|
|
|
.SS os level (G)
|
|
This integer value controls what level Samba advertises itself as for
|
|
browse elections. See BROWSING.txt for details.
|
|
|
|
.SS packet size (G)
|
|
The maximum transmit packet size during a raw read. This option is no
|
|
longer implemented as of version 1.7.00, and is kept only so old
|
|
configuration files do not become invalid.
|
|
|
|
.SS passwd chat (G)
|
|
This string controls the "chat" conversation that takes places
|
|
between smbd and the local password changing program to change the
|
|
users password. The string describes a sequence of response-receive
|
|
pairs that smbd uses to determine what to send to the passwd program
|
|
and what to expect back. If the expected output is not received then
|
|
the password is not changed.
|
|
|
|
This chat sequence is often quite site specific, depending on what
|
|
local methods are used for password control (such as NIS+ etc).
|
|
|
|
The string can contain the macros %o and %n which are substituted for
|
|
the old and new passwords respectively. It can also contain the
|
|
standard macros \en \er \et and \es to give line-feed, carriage-return,
|
|
tab and space.
|
|
|
|
The string can also contain a * which matches any sequence of
|
|
characters.
|
|
|
|
Double quotes can be used to collect strings with spaces in them into
|
|
a single string.
|
|
|
|
If the send string in any part of the chat sequence is a fullstop "."
|
|
then no string is sent. Similarly, is the expect string is a fullstop
|
|
then no string is expected.
|
|
|
|
.B Example:
|
|
passwd chat = "*Enter OLD password*" %o\en "*Enter NEW password*" %n\en \e
|
|
"*Reenter NEW password*" %n\en "*Password changed*"
|
|
|
|
|
|
.B Default:
|
|
passwd chat = *old*password* %o\en *new*password* %n\en *new*password* %n\en *changed*
|
|
|
|
.SS passwd program (G)
|
|
The name of a program that can be used to set user passwords.
|
|
|
|
This is only necessary if you have enabled remote password changing at
|
|
compile time. Any occurrences of %u will be replaced with the user
|
|
name.
|
|
|
|
Also note that many passwd programs insist in "reasonable" passwords,
|
|
such as a minimum length, or the inclusion of mixed case chars and
|
|
digits. This can pose a problem as some clients (such as Windows for
|
|
Workgroups) uppercase the password before sending it.
|
|
|
|
.B Default:
|
|
passwd program = /bin/passwd
|
|
|
|
.B Example:
|
|
passwd program = /sbin/passwd %u
|
|
|
|
.SS password level (G)
|
|
Some client/server combinations have difficulty with mixed-case passwords.
|
|
One offending client is Windows for Workgroups, which for some reason forces
|
|
passwords to upper case when using the LANMAN1 protocol, but leaves them alone
|
|
when using COREPLUS!
|
|
|
|
This parameter defines the maximum number of characters that may be upper case
|
|
in passwords.
|
|
|
|
For example, say the password given was "FRED". If
|
|
.B password level
|
|
is set to 1 (one), the following combinations would be tried if "FRED" failed:
|
|
"Fred", "fred", "fRed", "frEd", "freD". If
|
|
.B password level was set to 2 (two), the following combinations would also be
|
|
tried: "FRed", "FrEd", "FreD", "fREd", "fReD", "frED". And so on.
|
|
|
|
The higher value this parameter is set to the more likely it is that a mixed
|
|
case password will be matched against a single case password. However, you
|
|
should be aware that use of this parameter reduces security and increases the
|
|
time taken to process a new connection.
|
|
|
|
A value of zero will cause only two attempts to be made - the password as is
|
|
and the password in all-lower case.
|
|
|
|
If you find the connections are taking too long with this option then
|
|
you probably have a slow crypt() routine. Samba now comes with a fast
|
|
"ufc crypt" that you can select in the Makefile. You should also make
|
|
sure the PASSWORD_LENGTH option is correct for your system in local.h
|
|
and includes.h. On most systems only the first 8 chars of a password
|
|
are significant so PASSWORD_LENGTH should be 8, but on some longer
|
|
passwords are significant. The includes.h file tries to select the
|
|
right length for your system.
|
|
|
|
.B Default:
|
|
password level = 0
|
|
|
|
.B Example:
|
|
password level = 4
|
|
|
|
.SS password server (G)
|
|
|
|
By specifying the name of another SMB server (such as a WinNT box)
|
|
with this option, and using "security = server" you can get Samba to
|
|
do all its username/password validation via a remote server.
|
|
|
|
This options sets the name of the password server to use. It must be a
|
|
netbios name, so if the machine's netbios name is different from its
|
|
internet name then you may have to add its netbios name to
|
|
/etc/hosts.
|
|
|
|
The password server much be a machine capable of using the "LM1.2X002"
|
|
or the "LM NT 0.12" protocol, and it must be in user level security
|
|
mode.
|
|
|
|
NOTE: Using a password server means your UNIX box (running Samba) is
|
|
only as secure as your password server. DO NOT CHOOSE A PASSWORD
|
|
SERVER THAT YOU DON'T COMPLETELY TRUST.
|
|
|
|
Never point a Samba server at itself for password serving. This will
|
|
cause a loop and could lock up your Samba server!
|
|
|
|
The name of the password server takes the standard substitutions, but
|
|
probably the only useful one is %m, which means the Samba server will
|
|
use the incoming client as the password server. If you use this then
|
|
you better trust your clients, and you better restrict them with hosts
|
|
allow!
|
|
|
|
If you list several hosts in the "password server" option then smbd
|
|
will try each in turn till it finds one that responds. This is useful
|
|
in case your primary server goes down.
|
|
|
|
If you are using a WindowsNT server as your password server then you
|
|
will have to ensure that your users are able to login from the Samba
|
|
server, as the network logon will appear to come from there rather
|
|
than from the users workstation.
|
|
|
|
.SS path (S)
|
|
A synonym for this parameter is 'directory'.
|
|
|
|
This parameter specifies a directory to which the user of the service is to
|
|
be given access. In the case of printable services, this is where print data
|
|
will spool prior to being submitted to the host for printing.
|
|
|
|
For a printable service offering guest access, the service should be readonly
|
|
and the path should be world-writable and have the sticky bit set. This is not
|
|
mandatory of course, but you probably won't get the results you expect if you
|
|
do otherwise.
|
|
|
|
Any occurrences of %u in the path will be replaced with the username
|
|
that the client is connecting as. Any occurrences of %m will be
|
|
replaced by the name of the machine they are connecting from. These
|
|
replacements are very useful for setting up pseudo home directories
|
|
for users.
|
|
|
|
Note that this path will be based on 'root dir' if one was specified.
|
|
.B Default:
|
|
none
|
|
|
|
.B Example:
|
|
path = /home/fred+
|
|
|
|
.SS postexec (S)
|
|
|
|
This option specifies a command to be run whenever the service is
|
|
disconnected. It takes the usual substitutions. The command may be run
|
|
as the root on some systems.
|
|
|
|
An interesting example may be do unmount server resources:
|
|
|
|
postexec = /etc/umount /cdrom
|
|
|
|
See also preexec
|
|
|
|
.B Default:
|
|
none (no command executed)
|
|
|
|
.B Example:
|
|
postexec = echo \e"%u disconnected from %S from %m (%I)\e" >> /tmp/log
|
|
|
|
.SS postscript (S)
|
|
This parameter forces a printer to interpret the print files as
|
|
postscript. This is done by adding a %! to the start of print output.
|
|
|
|
This is most useful when you have lots of PCs that persist in putting
|
|
a control-D at the start of print jobs, which then confuses your
|
|
printer.
|
|
|
|
.B Default:
|
|
postscript = False
|
|
|
|
.B Example:
|
|
postscript = True
|
|
|
|
.SS preexec (S)
|
|
|
|
This option specifies a command to be run whenever the service is
|
|
connected to. It takes the usual substitutions.
|
|
|
|
An interesting example is to send the users a welcome message every
|
|
time they log in. Maybe a message of the day? Here is an example:
|
|
|
|
preexec = csh -c 'echo \e"Welcome to %S!\e" | \e
|
|
/usr/local/samba/bin/smbclient -M %m -I %I' &
|
|
|
|
Of course, this could get annoying after a while :-)
|
|
|
|
See also postexec
|
|
|
|
.B Default:
|
|
none (no command executed)
|
|
|
|
.B Example:
|
|
preexec = echo \e"%u connected to %S from %m (%I)\e" >> /tmp/log
|
|
|
|
.SS preferred master (G)
|
|
This boolean parameter controls if Samba is a preferred master browser
|
|
for its workgroup.
|
|
If this is set to true, on startup, samba will force an election,
|
|
and it will have a slight advantage in winning the election.
|
|
It is recommended that this parameter is used in conjunction
|
|
with domain master = yes, so that samba can guarantee becoming
|
|
a domain master.
|
|
|
|
Use this option with caution, because if there are several hosts
|
|
(whether samba servers, Windows 95 or NT) that are preferred master
|
|
browsers on the same subnet, they will each periodically and continuously
|
|
attempt to become the local master browser. This will result in
|
|
unnecessary broadcast traffic and reduced browsing capabilities.
|
|
|
|
See
|
|
.B os level = nn
|
|
|
|
.B Default:
|
|
preferred master = no
|
|
|
|
.SS preload
|
|
This is an alias for "auto services"
|
|
|
|
.SS preserve case (S)
|
|
|
|
This controls if new filenames are created with the case that the
|
|
client passes, or if they are forced to be the "default" case.
|
|
|
|
.B Default:
|
|
preserve case = no
|
|
|
|
See the section on "NAME MANGLING" for a fuller discussion.
|
|
|
|
.SS print command (S)
|
|
After a print job has finished spooling to a service, this command will be
|
|
used via a system() call to process the spool file. Typically the command
|
|
specified will submit the spool file to the host's printing subsystem, but
|
|
there is no requirement that this be the case. The server will not remove the
|
|
spool file, so whatever command you specify should remove the spool file when
|
|
it has been processed, otherwise you will need to manually remove old spool
|
|
files.
|
|
|
|
The print command is simply a text string. It will be used verbatim,
|
|
with two exceptions: All occurrences of "%s" will be replaced by the
|
|
appropriate spool file name, and all occurrences of "%p" will be
|
|
replaced by the appropriate printer name. The spool file name is
|
|
generated automatically by the server, the printer name is discussed
|
|
below.
|
|
|
|
The full path name will be used for the filename if %s is not preceded
|
|
by a /. If you don't like this (it can stuff up some lpq output) then
|
|
use %f instead. Any occurrences of %f get replaced by the spool
|
|
filename without the full path at the front.
|
|
|
|
The print command MUST contain at least one occurrence of "%s" or %f -
|
|
the "%p" is optional. At the time a job is submitted, if no printer
|
|
name is supplied the "%p" will be silently removed from the printer
|
|
command.
|
|
|
|
If specified in the [global] section, the print command given will be used
|
|
for any printable service that does not have its own print command specified.
|
|
|
|
If there is neither a specified print command for a printable service nor a
|
|
global print command, spool files will be created but not processed and (most
|
|
importantly) not removed.
|
|
|
|
Note that printing may fail on some UNIXes from the "nobody"
|
|
account. If this happens then create an alternative guest account that
|
|
can print and set the "guest account" in the [global] section.
|
|
|
|
You can form quite complex print commands by realising that they are
|
|
just passed to a shell. For example the following will log a print
|
|
job, print the file, then remove it. Note that ; is the usual
|
|
separator for command in shell scripts.
|
|
|
|
print command = echo Printing %s >> /tmp/print.log; lpr -P %p %s; rm %s
|
|
|
|
You may have to vary this command considerably depending on how you
|
|
normally print files on your system.
|
|
|
|
.B Default:
|
|
print command = lpr -r -P %p %s
|
|
|
|
.B Example:
|
|
print command = /usr/local/samba/bin/myprintscript %p %s
|
|
.SS print ok (S)
|
|
See
|
|
.B printable.
|
|
.SS printable (S)
|
|
A synonym for this parameter is 'print ok'.
|
|
|
|
If this parameter is 'yes', then clients may open, write to and submit spool
|
|
files on the directory specified for the service.
|
|
|
|
Note that a printable service will ALWAYS allow writing to the service path
|
|
(user privileges permitting) via the spooling of print data. The 'read only'
|
|
parameter controls only non-printing access to the resource.
|
|
|
|
.B Default:
|
|
printable = no
|
|
|
|
.B Example:
|
|
printable = yes
|
|
|
|
.SS printcap name (G)
|
|
This parameter may be used to override the compiled-in default printcap
|
|
name used by the server (usually /etc/printcap). See the discussion of the
|
|
[printers] section above for reasons why you might want to do this.
|
|
|
|
On SystemV systems that use lpstat to list available printers you
|
|
can use "printcap name = lpstat" to automatically obtain lists of
|
|
available printers. This is the default for systems that define
|
|
SYSV at compile time in Samba (this includes most SystemV based
|
|
systems). If "printcap name" is set to lpstat on these systems then
|
|
Samba will launch "lpstat -v" and attempt to parse the output to
|
|
obtain a printer list.
|
|
|
|
A minimal printcap file would look something like this:
|
|
|
|
print1|My Printer 1
|
|
.br
|
|
print2|My Printer 2
|
|
.br
|
|
print3|My Printer 3
|
|
.br
|
|
print4|My Printer 4
|
|
.br
|
|
print5|My Printer 5
|
|
|
|
where the | separates aliases of a printer. The fact that the second
|
|
alias has a space in it gives a hint to Samba that it's a comment.
|
|
|
|
NOTE: Under AIX the default printcap name is "/etc/qconfig". Samba
|
|
will assume the file is in AIX "qconfig" format if the string
|
|
"/qconfig" appears in the printcap filename.
|
|
|
|
.B Default:
|
|
printcap name = /etc/printcap
|
|
|
|
.B Example:
|
|
printcap name = /etc/myprintcap
|
|
|
|
.SS printer (S)
|
|
A synonym for this parameter is 'printer name'.
|
|
|
|
This parameter specifies the name of the printer to which print jobs spooled
|
|
through a printable service will be sent.
|
|
|
|
If specified in the [global] section, the printer name given will be used
|
|
for any printable service that does not have its own printer name specified.
|
|
|
|
.B Default:
|
|
none (but may be 'lp' on many systems)
|
|
|
|
.B Example:
|
|
printer name = laserwriter
|
|
|
|
.SS printer driver (S)
|
|
This option allows you to control the string that clients receive when
|
|
they ask the server for the printer driver associated with a
|
|
printer. If you are using Windows95 or WindowsNT then you can use this
|
|
to automate the setup of printers on your system.
|
|
|
|
You need to set this parameter to the exact string (case sensitive)
|
|
that describes the appropriate printer driver for your system.
|
|
If you don't know the exact string to use then you should first try
|
|
with no "printer driver" option set and the client will give you a
|
|
list of printer drivers. The appropriate strings are shown in a
|
|
scrollbox after you have chosen the printer manufacturer.
|
|
|
|
.B Example:
|
|
printer driver = HP LaserJet 4L
|
|
|
|
.SS printer name (S)
|
|
See
|
|
.B printer.
|
|
|
|
.SS printer driver file (G)
|
|
This parameter tells Samba where the printer driver definition file,
|
|
used when serving drivers to Windows 95 clients, is to be found. If
|
|
this is not set, the default is :
|
|
|
|
SAMBA_INSTALL_DIRECTORY/lib/printers.def
|
|
|
|
This file is created from Windows 95 'msprint.def' files found on the
|
|
Windows 95 client system. For more details on setting up serving of
|
|
printer drivers to Windows 95 clients, see the documentation file
|
|
docs/PRINTER_DRIVER.txt.
|
|
|
|
.B Default:
|
|
None (set in compile).
|
|
|
|
.B Example:
|
|
printer driver file = /usr/local/samba/printers/drivers.def
|
|
|
|
Related parameters.
|
|
.B printer driver location
|
|
|
|
.SS printer driver location (S)
|
|
This parameter tells clients of a particular printer share where
|
|
to find the printer driver files for the automatic installation
|
|
of drivers for Windows 95 machines. If Samba is set up to serve
|
|
printer drivers to Windows 95 machines, this should be set to
|
|
|
|
\e\eMACHINE\ePRINTER$
|
|
|
|
Where MACHINE is the NetBIOS name of your Samba server, and PRINTER$
|
|
is a share you set up for serving printer driver files. For more
|
|
details on setting this up see the documentation file
|
|
docs/PRINTER_DRIVER.txt.
|
|
|
|
.B Default:
|
|
None
|
|
|
|
.B Example:
|
|
printer driver location = \e\eMACHINE\ePRINTER$
|
|
|
|
Related paramerers.
|
|
.B printer driver file
|
|
|
|
|
|
.SS printing (S)
|
|
This parameters controls how printer status information is interpreted
|
|
on your system, and also affects the default values for the "print
|
|
command", "lpq command" and "lprm command".
|
|
|
|
Currently six printing styles are supported. They are "printing =
|
|
bsd", "printing = sysv", "printing = hpux", "printing = aix",
|
|
"printing = qnx" and "printing = plp".
|
|
|
|
To see what the defaults are for the other print commands when using
|
|
these three options use the "testparm" program.
|
|
|
|
As of version 1.9.18 of Samba this option can be set on a per printer basis
|
|
|
|
.SS protocol (G)
|
|
The value of the parameter (a string) is the highest protocol level that will
|
|
be supported by the server.
|
|
|
|
Possible values are CORE, COREPLUS, LANMAN1, LANMAN2 and NT1. The relative
|
|
merits of each are discussed in the README file.
|
|
|
|
Normally this option should not be set as the automatic negotiation
|
|
phase in the SMB protocol takes care of choosing the appropriate protocol.
|
|
|
|
.B Default:
|
|
protocol = NT1
|
|
|
|
.B Example:
|
|
protocol = LANMAN1
|
|
.SS public (S)
|
|
A synonym for this parameter is 'guest ok'.
|
|
|
|
If this parameter is 'yes' for a service, then no password is required
|
|
to connect to the service. Privileges will be those of the guest
|
|
account.
|
|
|
|
See the section below on user/password validation for more information about
|
|
this option.
|
|
|
|
.B Default:
|
|
public = no
|
|
|
|
.B Example:
|
|
public = yes
|
|
.SS read list (S)
|
|
This is a list of users that are given read-only access to a
|
|
service. If the connecting user is in this list then they will
|
|
not be given write access, no matter what the "read only" option
|
|
is set to. The list can include group names using the @group syntax.
|
|
|
|
See also the "write list" option
|
|
|
|
.B Default:
|
|
read list =
|
|
|
|
.B Example:
|
|
read list = mary, @students
|
|
|
|
.SS read only (S)
|
|
See
|
|
.B writable
|
|
and
|
|
.B write ok.
|
|
Note that this is an inverted synonym for writable and write ok.
|
|
.SS read prediction (G)
|
|
This options enables or disables the read prediction code used to
|
|
speed up reads from the server. When enabled the server will try to
|
|
pre-read data from the last accessed file that was opened read-only
|
|
while waiting for packets.
|
|
|
|
.SS Default:
|
|
read prediction = False
|
|
|
|
.SS Example:
|
|
read prediction = True
|
|
.SS read raw (G)
|
|
This parameter controls whether or not the server will support raw reads when
|
|
transferring data to clients.
|
|
|
|
If enabled, raw reads allow reads of 65535 bytes in one packet. This
|
|
typically provides a major performance benefit.
|
|
|
|
However, some clients either negotiate the allowable block size incorrectly
|
|
or are incapable of supporting larger block sizes, and for these clients you
|
|
may need to disable raw reads.
|
|
|
|
In general this parameter should be viewed as a system tuning tool and left
|
|
severely alone. See also
|
|
.B write raw.
|
|
|
|
.B Default:
|
|
read raw = yes
|
|
|
|
.B Example:
|
|
read raw = no
|
|
.SS read size (G)
|
|
|
|
The option "read size" affects the overlap of disk reads/writes with
|
|
network reads/writes. If the amount of data being transferred in
|
|
several of the SMB commands (currently SMBwrite, SMBwriteX and
|
|
SMBreadbraw) is larger than this value then the server begins writing
|
|
the data before it has received the whole packet from the network, or
|
|
in the case of SMBreadbraw, it begins writing to the network before
|
|
all the data has been read from disk.
|
|
|
|
This overlapping works best when the speeds of disk and network access
|
|
are similar, having very little effect when the speed of one is much
|
|
greater than the other.
|
|
|
|
The default value is 2048, but very little experimentation has been
|
|
done yet to determine the optimal value, and it is likely that the best
|
|
value will vary greatly between systems anyway. A value over 65536 is
|
|
pointless and will cause you to allocate memory unnecessarily.
|
|
|
|
.B Default:
|
|
read size = 2048
|
|
|
|
.B Example:
|
|
read size = 8192
|
|
|
|
.SS remote announce (G)
|
|
|
|
This option allows you to setup nmbd to periodically announce itself
|
|
to arbitrary IP addresses with an arbitrary workgroup name.
|
|
|
|
This is useful if you want your Samba server to appear in a remote
|
|
workgroup for which the normal browse propagation rules don't
|
|
work. The remote workgroup can be anywhere that you can send IP
|
|
packets to.
|
|
|
|
For example:
|
|
|
|
remote announce = 192.168.2.255/SERVERS 192.168.4.255/STAFF
|
|
|
|
the above line would cause nmbd to announce itself to the two given IP
|
|
addresses using the given workgroup names. If you leave out the
|
|
workgroup name then the one given in the "workgroup" option is used
|
|
instead.
|
|
|
|
The IP addresses you choose would normally be the broadcast addresses
|
|
of the remote networks, but can also be the IP addresses of known
|
|
browse masters if your network config is that stable.
|
|
|
|
This option replaces similar functionality from the nmbd lmhosts file.
|
|
|
|
.SS remote browse sync (G)
|
|
|
|
This option allows you to setup nmbd to periodically request synchronisation
|
|
of browse lists with the master browser of a samba server that is on a remote
|
|
segment. This option will allow you to gain browse lists for multiple
|
|
workgroups across routed networks. This is done in a manner that does not work
|
|
with any non-samba servers.
|
|
|
|
This is useful if you want your Samba server and all local clients
|
|
to appear in a remote workgroup for which the normal browse propagation
|
|
rules don't work. The remote workgroup can be anywhere that you can send IP
|
|
packets to.
|
|
|
|
For example:
|
|
|
|
remote browse sync = 192.168.2.255 192.168.4.255
|
|
|
|
the above line would cause nmbd to request the master browser on the
|
|
specified subnets or addresses to synchronise their browse lists with
|
|
the local server.
|
|
|
|
The IP addresses you choose would normally be the broadcast addresses
|
|
of the remote networks, but can also be the IP addresses of known
|
|
browse masters if your network config is that stable. If a machine IP
|
|
address is given Samba makes NO attempt to validate that the remote
|
|
machine is available, is listening, nor that it is in fact the browse
|
|
master on it's segment.
|
|
|
|
|
|
.SS revalidate (S)
|
|
|
|
This options controls whether Samba will allow a previously validated
|
|
username/password pair to be used to attach to a share. Thus if you
|
|
connect to \e\eserver\eshare1 then to \e\eserver\eshare2 it won't
|
|
automatically allow the client to request connection to the second
|
|
share as the same username as the first without a password.
|
|
|
|
If "revalidate" is True then the client will be denied automatic
|
|
access as the same username.
|
|
|
|
.B Default:
|
|
revalidate = False
|
|
|
|
.B Example:
|
|
revalidate = True
|
|
|
|
.SS root (G)
|
|
See
|
|
.B root directory.
|
|
.SS root dir (G)
|
|
See
|
|
.B root directory.
|
|
.SS root directory (G)
|
|
Synonyms for this parameter are 'root dir' and 'root'.
|
|
|
|
The server will chroot() to this directory on startup. This is not
|
|
strictly necessary for secure operation. Even without it the server
|
|
will deny access to files not in one of the service entries. It may
|
|
also check for, and deny access to, soft links to other parts of the
|
|
filesystem, or attempts to use .. in file names to access other
|
|
directories (depending on the setting of the "wide links" parameter).
|
|
|
|
Adding a "root dir" entry other than "/" adds an extra level of security,
|
|
but at a price. It absolutely ensures that no access is given to files not
|
|
in the sub-tree specified in the "root dir" option, *including* some files
|
|
needed for complete operation of the server. To maintain full operability
|
|
of the server you will need to mirror some system files into the "root dir"
|
|
tree. In particular you will need to mirror /etc/passwd (or a subset of it),
|
|
and any binaries or configuration files needed for printing (if required).
|
|
The set of files that must be mirrored is operating system dependent.
|
|
|
|
.B Default:
|
|
root directory = /
|
|
|
|
.B Example:
|
|
root directory = /homes/smb
|
|
.SS root postexec (S)
|
|
|
|
This is the same as postexec except that the command is run as
|
|
root. This is useful for unmounting filesystems (such as cdroms) after
|
|
a connection is closed.
|
|
|
|
.SS root preexec (S)
|
|
|
|
This is the same as preexec except that the command is run as
|
|
root. This is useful for mounting filesystems (such as cdroms) before
|
|
a connection is finalised.
|
|
|
|
.SS security (G)
|
|
This option affects how clients respond to Samba.
|
|
|
|
The option sets the "security mode bit" in replies to protocol negotiations
|
|
to turn share level security on or off. Clients decide based on this bit
|
|
whether (and how) to transfer user and password information to the server.
|
|
|
|
The default is "security=SHARE", mainly because that was the only
|
|
option at one stage.
|
|
|
|
The alternatives are "security = user" or "security = server".
|
|
|
|
If your PCs use usernames that are the same as their usernames on the
|
|
UNIX machine then you will want to use "security = user". If you
|
|
mostly use usernames that don't exist on the UNIX box then use
|
|
"security = share".
|
|
|
|
There is a bug in WfWg that may affect your decision. When in user
|
|
level security a WfWg client will totally ignore the password you type
|
|
in the "connect drive" dialog box. This makes it very difficult (if
|
|
not impossible) to connect to a Samba service as anyone except the
|
|
user that you are logged into WfWg as.
|
|
|
|
If you use "security = server" then Samba will try to validate the
|
|
username/password by passing it to another SMB server, such as an NT
|
|
box. If this fails it will revert to "security = USER".
|
|
|
|
See the "password server" option for more details.
|
|
|
|
.B Default:
|
|
security = SHARE
|
|
|
|
.B Example:
|
|
security = USER
|
|
.SS server string (G)
|
|
This controls what string will show up in the printer comment box in
|
|
print manager and next to the IPC connection in "net view". It can be
|
|
any string that you wish to show to your users.
|
|
|
|
It also sets what will appear in browse lists next to the machine name.
|
|
|
|
A %v will be replaced with the Samba version number.
|
|
|
|
A %h will be replaced with the hostname.
|
|
|
|
.B Default:
|
|
server string = Samba %v
|
|
|
|
.B Example:
|
|
server string = University of GNUs Samba Server
|
|
|
|
.SS set directory (S)
|
|
If 'set directory = no', then users of the service may not use the setdir
|
|
command to change directory.
|
|
|
|
The setdir command is only implemented in the Digital Pathworks client. See the
|
|
Pathworks documentation for details.
|
|
|
|
.B Default:
|
|
set directory = no
|
|
|
|
.B Example:
|
|
set directory = yes
|
|
|
|
.SS shared file entries (G)
|
|
This parameter is only useful when Samba has been compiled with FAST_SHARE_MODES.
|
|
It specifies the number of hash bucket entries used for share file locking.
|
|
You should never change this parameter unless you have studied the source
|
|
and know what you are doing.
|
|
|
|
.B Default
|
|
shared file entries = 113
|
|
|
|
.SS shared mem size (G)
|
|
This parameter is only useful when Samba has been compiled with FAST_SHARE_MODES.
|
|
It specifies the size of the shared memory (in bytes) to use between smbd
|
|
processes. You should never change this parameter unless you have studied
|
|
the source and know what you are doing.
|
|
|
|
.B Default
|
|
shared mem size = 102400
|
|
|
|
.SS smb passwd file (G)
|
|
This option sets the path to the encrypted smbpasswd file. This is a *VERY
|
|
DANGEROUS OPTION* if the smb.conf is user writable. By default the path
|
|
to the smbpasswd file is compiled into Samba.
|
|
|
|
.SS smbrun (G)
|
|
This sets the full path to the smbrun binary. This defaults to the
|
|
value in the Makefile.
|
|
|
|
You must get this path right for many services to work correctly.
|
|
|
|
.B Default:
|
|
taken from Makefile
|
|
|
|
.B Example:
|
|
smbrun = /usr/local/samba/bin/smbrun
|
|
|
|
.SS share modes (S)
|
|
|
|
This enables or disables the honouring of the "share modes" during a
|
|
file open. These modes are used by clients to gain exclusive read or
|
|
write access to a file.
|
|
|
|
These open modes are not directly supported by UNIX, so they are
|
|
simulated using lock files in the "lock directory". The "lock
|
|
directory" specified in smb.conf must be readable by all users.
|
|
|
|
The share modes that are enabled by this option are DENY_DOS,
|
|
DENY_ALL, DENY_READ, DENY_WRITE, DENY_NONE and DENY_FCB.
|
|
|
|
Enabling this option gives full share compatibility but may cost a bit
|
|
of processing time on the UNIX server. They are enabled by default.
|
|
|
|
.B Default:
|
|
share modes = yes
|
|
|
|
.B Example:
|
|
share modes = no
|
|
|
|
.SS short preserve case (S)
|
|
|
|
This controls if new short filenames are created with the case that
|
|
the client passes, or if they are forced to be the "default" case.
|
|
|
|
.B Default:
|
|
short preserve case = no
|
|
|
|
See the section on "NAME MANGLING" for a fuller discussion.
|
|
|
|
.SS socket address (G)
|
|
|
|
This option allows you to control what address Samba will listen for
|
|
connections on. This is used to support multiple virtual interfaces on
|
|
the one server, each with a different configuration.
|
|
|
|
By default samba will accept connections on any address.
|
|
|
|
.B Example:
|
|
socket address = 192.168.2.20
|
|
|
|
.SS socket options (G)
|
|
This option (which can also be invoked with the -O command line
|
|
option) allows you to set socket options to be used when talking with
|
|
the client.
|
|
|
|
Socket options are controls on the networking layer of the operating
|
|
systems which allow the connection to be tuned.
|
|
|
|
This option will typically be used to tune your Samba server for
|
|
optimal performance for your local network. There is no way that Samba
|
|
can know what the optimal parameters are for your net, so you must
|
|
experiment and choose them yourself. I strongly suggest you read the
|
|
appropriate documentation for your operating system first (perhaps
|
|
"man setsockopt" will help).
|
|
|
|
You may find that on some systems Samba will say "Unknown socket
|
|
option" when you supply an option. This means you either mis-typed it
|
|
or you need to add an include file to includes.h for your OS. If the
|
|
latter is the case please send the patch to me
|
|
(samba-bugs@samba.anu.edu.au).
|
|
|
|
Any of the supported socket options may be combined in any way you
|
|
like, as long as your OS allows it.
|
|
|
|
This is the list of socket options currently settable using this
|
|
option:
|
|
|
|
SO_KEEPALIVE
|
|
|
|
SO_REUSEADDR
|
|
|
|
SO_BROADCAST
|
|
|
|
TCP_NODELAY
|
|
|
|
IPTOS_LOWDELAY
|
|
|
|
IPTOS_THROUGHPUT
|
|
|
|
SO_SNDBUF *
|
|
|
|
SO_RCVBUF *
|
|
|
|
SO_SNDLOWAT *
|
|
|
|
SO_RCVLOWAT *
|
|
|
|
Those marked with a * take an integer argument. The others can
|
|
optionally take a 1 or 0 argument to enable or disable the option, by
|
|
default they will be enabled if you don't specify 1 or 0.
|
|
|
|
To specify an argument use the syntax SOME_OPTION=VALUE for example
|
|
SO_SNDBUF=8192. Note that you must not have any spaces before or after
|
|
the = sign.
|
|
|
|
If you are on a local network then a sensible option might be
|
|
|
|
socket options = IPTOS_LOWDELAY
|
|
|
|
If you have an almost unloaded local network and you don't mind a lot
|
|
of extra CPU usage in the server then you could try
|
|
|
|
socket options = IPTOS_LOWDELAY TCP_NODELAY
|
|
|
|
If you are on a wide area network then perhaps try setting
|
|
IPTOS_THROUGHPUT.
|
|
|
|
Note that several of the options may cause your Samba server to fail
|
|
completely. Use these options with caution!
|
|
|
|
.B Default:
|
|
no socket options
|
|
|
|
.B Example:
|
|
socket options = IPTOS_LOWDELAY
|
|
|
|
|
|
|
|
|
|
.SS status (G)
|
|
This enables or disables logging of connections to a status file that
|
|
.B smbstatus
|
|
can read.
|
|
|
|
With this disabled
|
|
.B smbstatus
|
|
won't be able to tell you what
|
|
connections are active.
|
|
|
|
.B Default:
|
|
status = yes
|
|
|
|
.B Example:
|
|
status = no
|
|
|
|
.SS strict locking (S)
|
|
This is a boolean that controls the handling of file locking in the
|
|
server. When this is set to yes the server will check every read and
|
|
write access for file locks, and deny access if locks exist. This can
|
|
be slow on some systems.
|
|
|
|
When strict locking is "no" the server does file lock checks only when
|
|
the client explicitly asks for them.
|
|
|
|
Well behaved clients always ask for lock checks when it is important,
|
|
so in the vast majority of cases "strict locking = no" is preferable.
|
|
|
|
.B Default:
|
|
strict locking = no
|
|
|
|
.B Example:
|
|
strict locking = yes
|
|
|
|
.SS strip dot (G)
|
|
This is a boolean that controls whether to strip trailing dots off
|
|
UNIX filenames. This helps with some CDROMs that have filenames ending in a
|
|
single dot.
|
|
|
|
.B Default:
|
|
strip dot = no
|
|
|
|
.B Example:
|
|
strip dot = yes
|
|
|
|
.SS syslog (G)
|
|
This parameter maps how Samba debug messages are logged onto the
|
|
system syslog logging levels. Samba debug level zero maps onto
|
|
syslog LOG_ERR, debug level one maps onto LOG_WARNING, debug
|
|
level two maps to LOG_NOTICE, debug level three maps onto LOG_INFO.
|
|
The paramter sets the threshold for doing the mapping, all Samba
|
|
debug messages above this threashold are mapped to syslog LOG_DEBUG
|
|
messages.
|
|
|
|
.B Default:
|
|
|
|
syslog = 1
|
|
|
|
.SS syslog only (G)
|
|
If this parameter is set then Samba debug messages are logged into
|
|
the system syslog only, and not to the debug log files.
|
|
|
|
.B Default:
|
|
syslog only = no
|
|
|
|
.SS sync always (S)
|
|
|
|
This is a boolean parameter that controls whether writes will always
|
|
be written to stable storage before the write call returns. If this is
|
|
false then the server will be guided by the client's request in each
|
|
write call (clients can set a bit indicating that a particular write
|
|
should be synchronous). If this is true then every write will be
|
|
followed by a fsync() call to ensure the data is written to disk.
|
|
|
|
.B Default:
|
|
sync always = no
|
|
|
|
.B Example:
|
|
sync always = yes
|
|
|
|
.SS time offset (G)
|
|
This parameter is a setting in minutes to add to the normal GMT to
|
|
local time conversion. This is useful if you are serving a lot of PCs
|
|
that have incorrect daylight saving time handling.
|
|
|
|
.B Default:
|
|
time offset = 0
|
|
|
|
.B Example:
|
|
time offset = 60
|
|
|
|
.SS time server (G)
|
|
This parameter determines if nmbd advertises itself as a time server
|
|
to Windows clients. The default is False.
|
|
|
|
.B Default:
|
|
time server = False
|
|
|
|
.B Example:
|
|
time server = True
|
|
|
|
.SS unix realname (G)
|
|
This boolean parameter when set causes samba to supply the real name field
|
|
from the unix password file to the client. This is useful for setting up
|
|
mail clients and WWW browsers on systems used by more than one person.
|
|
|
|
.B Default:
|
|
unix realname = no
|
|
|
|
.B Example:
|
|
unix realname = yes
|
|
|
|
.SS user (S)
|
|
See
|
|
.B username.
|
|
.SS username (S)
|
|
A synonym for this parameter is 'user'.
|
|
|
|
Multiple users may be specified in a comma-delimited list, in which case the
|
|
supplied password will be tested against each username in turn (left to right).
|
|
|
|
The username= line is needed only when the PC is unable to supply its own
|
|
username. This is the case for the coreplus protocol or where your
|
|
users have different WfWg usernames to UNIX usernames. In both these
|
|
cases you may also be better using the \e\eserver\eshare%user syntax
|
|
instead.
|
|
|
|
The username= line is not a great solution in many cases as it means Samba
|
|
will try to validate the supplied password against each of the
|
|
usernames in the username= line in turn. This is slow and a bad idea for
|
|
lots of users in case of duplicate passwords. You may get timeouts or
|
|
security breaches using this parameter unwisely.
|
|
|
|
Samba relies on the underlying UNIX security. This parameter does not
|
|
restrict who can login, it just offers hints to the Samba server as to
|
|
what usernames might correspond to the supplied password. Users can
|
|
login as whoever they please and they will be able to do no more
|
|
damage than if they started a telnet session. The daemon runs as the
|
|
user that they log in as, so they cannot do anything that user cannot
|
|
do.
|
|
|
|
To restrict a service to a particular set of users you can use the
|
|
"valid users=" line.
|
|
|
|
If any of the usernames begin with a @ then the name will be looked up
|
|
in the groups file and will expand to a list of all users in the group
|
|
of that name. Note that searching though a groups file can take quite
|
|
some time, and some clients may time out during the search.
|
|
|
|
See the section below on username/password validation for more information
|
|
on how this parameter determines access to the services.
|
|
|
|
.B Default:
|
|
The guest account if a guest service, else the name of the service.
|
|
|
|
.B Examples:
|
|
username = fred
|
|
username = fred, mary, jack, jane, @users, @pcgroup
|
|
|
|
.SS username level (G)
|
|
|
|
This option helps Samba to try and 'guess' at the real UNIX username,
|
|
as many DOS clients send an all-uppercase username. By default Samba
|
|
tries all lowercase, followed by the username with the first letter
|
|
capitalized, and fails if the username is not found on the UNIX machine.
|
|
|
|
If this parameter is set to non-zero the behaviour changes. This
|
|
parameter is a number that specifies the number of uppercase combinations
|
|
to try whilst trying to determine the UNIX user name. The higher the number
|
|
the more combinations will be tried, but the slower the discovery
|
|
of usernames will be. Use this parameter when you have strange
|
|
usernames on your UNIX machine, such as 'AstrangeUser'.
|
|
|
|
.B Default:
|
|
username level = 0
|
|
|
|
.B Example:
|
|
username level = 5
|
|
|
|
.SS username map (G)
|
|
|
|
This option allows you to to specify a file containing a mapping of
|
|
usernames from the clients to the server. This can be used for several
|
|
purposes. The most common is to map usernames that users use on DOS or
|
|
Windows machines to those that the UNIX box uses. The other is to map
|
|
multiple users to a single username so that they can more easily share
|
|
files.
|
|
|
|
The map file is parsed line by line. Each line should contain a single
|
|
UNIX username on the left then a '=' followed by a list of usernames
|
|
on the right. The list of usernames on the right may contain names of
|
|
the form @group in which case they will match any UNIX username in
|
|
that group. The special client name '*' is a wildcard and matches any
|
|
name.
|
|
|
|
The file is processed on each line by taking the supplied username and
|
|
comparing it with each username on the right hand side of the '='
|
|
signs. If the supplied name matches any of the names on the right
|
|
hand side then it is replaced with the name on the left. Processing
|
|
then continues with the next line.
|
|
|
|
If any line begins with a '#' or a ';' then it is ignored
|
|
|
|
If any line begins with an ! then the processing will stop after that
|
|
line if a mapping was done by the line. Otherwise mapping continues
|
|
with every line being processed. Using ! is most useful when you have
|
|
a wildcard mapping line later in the file.
|
|
|
|
For example to map from the name "admin" or "administrator" to the UNIX
|
|
name "root" you would use
|
|
|
|
root = admin administrator
|
|
|
|
Or to map anyone in the UNIX group "system" to the UNIX name "sys" you
|
|
would use
|
|
|
|
sys = @system
|
|
|
|
You can have as many mappings as you like in a username map file.
|
|
|
|
You can map Windows usernames that have spaces in them by using double
|
|
quotes around the name. For example:
|
|
|
|
tridge = "Andrew Tridgell"
|
|
|
|
would map the windows username "Andrew Tridgell" to the unix username
|
|
tridge.
|
|
|
|
The following example would map mary and fred to the unix user sys,
|
|
and map the rest to guest. Note the use of the ! to tell Samba to stop
|
|
processing if it gets a match on that line.
|
|
|
|
!sys = mary fred
|
|
guest = *
|
|
|
|
|
|
Note that the remapping is applied to all occurrences of
|
|
usernames. Thus if you connect to "\e\eserver\efred" and "fred" is
|
|
remapped to "mary" then you will actually be connecting to
|
|
"\e\eserver\emary" and will need to supply a password suitable for
|
|
"mary" not "fred". The only exception to this is the username passed
|
|
to the "password server" (if you have one). The password server will
|
|
receive whatever username the client supplies without modification.
|
|
|
|
Also note that no reverse mapping is done. The main effect this has is
|
|
with printing. Users who have been mapped may have trouble deleting
|
|
print jobs as PrintManager under WfWg will think they don't own the
|
|
print job.
|
|
|
|
.B Default
|
|
no username map
|
|
|
|
.B Example
|
|
username map = /usr/local/samba/lib/users.map
|
|
|
|
.SS valid chars (S)
|
|
|
|
The option allows you to specify additional characters that should be
|
|
considered valid by the server in filenames. This is particularly
|
|
useful for national character sets, such as adding u-umlaut or a-ring.
|
|
|
|
The option takes a list of characters in either integer or character
|
|
form with spaces between them. If you give two characters with a colon
|
|
between them then it will be taken as an lowercase:uppercase pair.
|
|
|
|
If you have an editor capable of entering the characters into the
|
|
config file then it is probably easiest to use this method. Otherwise
|
|
you can specify the characters in octal, decimal or hexadecimal form
|
|
using the usual C notation.
|
|
|
|
For example to add the single character 'Z' to the charset (which is a
|
|
pointless thing to do as it's already there) you could do one of the
|
|
following
|
|
|
|
valid chars = Z
|
|
valid chars = z:Z
|
|
valid chars = 0132:0172
|
|
|
|
The last two examples above actually add two characters, and alter
|
|
the uppercase and lowercase mappings appropriately.
|
|
|
|
Note that you MUST specify this parameter after the "client code page"
|
|
parameter if you have both set. If "client code page" is set after
|
|
the "valid chars" parameter the "valid chars" settings will be
|
|
overwritten.
|
|
|
|
See also the "client code page" parameter.
|
|
|
|
.B Default
|
|
.br
|
|
Samba defaults to using a reasonable set of valid characters
|
|
.br
|
|
for english systems
|
|
|
|
.B Example
|
|
valid chars = 0345:0305 0366:0326 0344:0304
|
|
|
|
The above example allows filenames to have the swedish characters in
|
|
them.
|
|
|
|
NOTE: It is actually quite difficult to correctly produce a "valid
|
|
chars" line for a particular system. To automate the process
|
|
tino@augsburg.net has written a package called "validchars" which will
|
|
automatically produce a complete "valid chars" line for a given client
|
|
system. Look in the examples subdirectory for this package.
|
|
|
|
.SS valid users (S)
|
|
This is a list of users that should be allowed to login to this
|
|
service. A name starting with @ is interpreted as a UNIX group.
|
|
|
|
If this is empty (the default) then any user can login. If a username
|
|
is in both this list and the "invalid users" list then access is
|
|
denied for that user.
|
|
|
|
The current servicename is substituted for %S. This is useful in the
|
|
[homes] section.
|
|
|
|
See also "invalid users"
|
|
|
|
.B Default
|
|
No valid users list. (anyone can login)
|
|
|
|
.B Example
|
|
valid users = greg, @pcusers
|
|
|
|
|
|
.SS veto files(S)
|
|
This is a list of files and directories that are neither visible nor
|
|
accessible. Each entry in the list must be separated by a "/", which
|
|
allows spaces to be included in the entry. '*' and '?' can be used to
|
|
specify multiple files or directories as in DOS wildcards.
|
|
|
|
Each entry must be a unix path, not a DOS path and must not include the
|
|
unix directory separator "/".
|
|
|
|
Note that the case sensitivity option is applicable in vetoing files.
|
|
|
|
One feature of the veto files parameter that it is important to be
|
|
aware of, is that if a directory contains nothing but files that
|
|
match the veto files parameter (which means that Windows/DOS clients
|
|
cannot ever see them) is deleted, the veto files within that directory
|
|
*are automatically deleted* along with it, if the user has UNIX permissions
|
|
to do so.
|
|
|
|
Setting this parameter will affect the performance of Samba, as
|
|
it will be forced to check all files and directories for a match
|
|
as they are scanned.
|
|
|
|
See also "hide files" and "case sensitive"
|
|
|
|
.B Default
|
|
No files or directories are vetoed.
|
|
|
|
.B Examples
|
|
Example 1.
|
|
Veto any files containing the word Security,
|
|
any ending in .tmp, and any directory containing the
|
|
word root.
|
|
|
|
veto files = /*Security*/*.tmp/*root*/
|
|
|
|
Example 2.
|
|
Veto the Apple specific files that a NetAtalk server
|
|
creates.
|
|
|
|
veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/
|
|
|
|
.SS veto oplock files (S)
|
|
This parameter is only valid when the 'oplocks' parameter is turned on
|
|
for a share. It allows the Samba administrator to selectively turn off
|
|
the granting of oplocks on selected files that match a wildcarded list,
|
|
similar to the wildcarded list used in the 'veto files' parameter.
|
|
|
|
.B Default
|
|
No files are vetoed for oplock grants.
|
|
|
|
.B Examples
|
|
You might want to do this on files that you know will be heavily
|
|
contended for by clients. A good example of this is in the NetBench
|
|
SMB benchmark program, which causes heavy client contention for files
|
|
ending in .SEM. To cause Samba not to grant oplocks on these files
|
|
you would use the line (either in the [global] section or in the section
|
|
for the particular NetBench share :
|
|
|
|
veto oplock files = /*.SEM/
|
|
|
|
.SS volume (S)
|
|
This allows you to override the volume label returned for a
|
|
share. Useful for CDROMs with installation programs that insist on a
|
|
particular volume label.
|
|
|
|
The default is the name of the share
|
|
|
|
.SS wide links (S)
|
|
This parameter controls whether or not links in the UNIX file system may be
|
|
followed by the server. Links that point to areas within the directory tree
|
|
exported by the server are always allowed; this parameter controls access
|
|
only to areas that are outside the directory tree being exported.
|
|
|
|
.B Default:
|
|
wide links = yes
|
|
|
|
.B Example:
|
|
wide links = no
|
|
|
|
.SS wins proxy (G)
|
|
|
|
This is a boolean that controls if nmbd will respond to broadcast name
|
|
queries on behalf of other hosts. You may need to set this to no for
|
|
some older clients.
|
|
|
|
.B Default:
|
|
wins proxy = no
|
|
.SS wins server (G)
|
|
|
|
This specifies the DNS name (or IP address) of the WINS server that Samba
|
|
should register with. If you have a WINS server on your network then you
|
|
should set this to the WINS servers name.
|
|
|
|
You should point this at your WINS server if you have a multi-subnetted
|
|
network.
|
|
.B Default:
|
|
wins server =
|
|
|
|
.SS wins support (G)
|
|
|
|
This boolean controls if Samba will act as a WINS server. You should
|
|
not set this to true unless you have a multi-subnetted network and
|
|
you wish a particular nmbd to be your WINS server. Note that you
|
|
should *NEVER* set this to true on more than one machine in your
|
|
network.
|
|
|
|
.B Default:
|
|
wins support = no
|
|
|
|
.SS workgroup (G)
|
|
|
|
This controls what workgroup your server will appear to be in when
|
|
queried by clients.
|
|
|
|
.B Default:
|
|
set in the Makefile
|
|
|
|
.B Example:
|
|
workgroup = MYGROUP
|
|
|
|
.SS writable (S)
|
|
A synonym for this parameter is 'write ok'. An inverted synonym is 'read only'.
|
|
|
|
If this parameter is 'no', then users of a service may not create or modify
|
|
files in the service's directory.
|
|
|
|
Note that a printable service ('printable = yes') will ALWAYS allow
|
|
writing to the directory (user privileges permitting), but only via
|
|
spooling operations.
|
|
|
|
.B Default:
|
|
writable = no
|
|
|
|
.B Examples:
|
|
read only = no
|
|
writable = yes
|
|
write ok = yes
|
|
.SS write list (S)
|
|
This is a list of users that are given read-write access to a
|
|
service. If the connecting user is in this list then they will be
|
|
given write access, no matter what the "read only" option is set
|
|
to. The list can include group names using the @group syntax.
|
|
|
|
Note that if a user is in both the read list and the write list then
|
|
they will be given write access.
|
|
|
|
See also the "read list" option
|
|
|
|
.B Default:
|
|
write list =
|
|
|
|
.B Example:
|
|
write list = admin, root, @staff
|
|
|
|
.SS write ok (S)
|
|
See
|
|
.B writable
|
|
and
|
|
.B read only.
|
|
.SS write raw (G)
|
|
This parameter controls whether or not the server will support raw writes when
|
|
transferring data from clients.
|
|
|
|
.B Default:
|
|
write raw = yes
|
|
|
|
.B Example:
|
|
write raw = no
|
|
.SH NOTE ABOUT USERNAME/PASSWORD VALIDATION
|
|
There are a number of ways in which a user can connect to a
|
|
service. The server follows the following steps in determining if it
|
|
will allow a connection to a specified service. If all the steps fail
|
|
then the connection request is rejected. If one of the steps pass then
|
|
the following steps are not checked.
|
|
|
|
If the service is marked "guest only = yes" then steps 1 to 5 are skipped
|
|
|
|
Step 1: If the client has passed a username/password pair and that
|
|
username/password pair is validated by the UNIX system's password
|
|
programs then the connection is made as that username. Note that this
|
|
includes the \e\eserver\eservice%username method of passing a username.
|
|
|
|
Step 2: If the client has previously registered a username with the
|
|
system and now supplies a correct password for that username then the
|
|
connection is allowed.
|
|
|
|
Step 3: The client's netbios name and any previously used user names
|
|
are checked against the supplied password, if they match then the
|
|
connection is allowed as the corresponding user.
|
|
|
|
Step 4: If the client has previously validated a username/password
|
|
pair with the server and the client has passed the validation token
|
|
then that username is used. This step is skipped if "revalidate = yes"
|
|
for this service.
|
|
|
|
Step 5: If a "user = " field is given in the smb.conf file for the
|
|
service and the client has supplied a password, and that password
|
|
matches (according to the UNIX system's password checking) with one of
|
|
the usernames from the user= field then the connection is made as the
|
|
username in the "user=" line. If one of the username in the user= list
|
|
begins with a @ then that name expands to a list of names in the group
|
|
of the same name.
|
|
|
|
Step 6: If the service is a guest service then a connection is made as
|
|
the username given in the "guest account =" for the service,
|
|
irrespective of the supplied password.
|
|
.SH WARNINGS
|
|
Although the configuration file permits service names to contain spaces,
|
|
your client software may not. Spaces will be ignored in comparisons anyway,
|
|
so it shouldn't be a problem - but be aware of the possibility.
|
|
|
|
On a similar note, many clients - especially DOS clients - limit service
|
|
names to eight characters. Smbd has no such limitation, but attempts
|
|
to connect from such clients will fail if they truncate the service names.
|
|
For this reason you should probably keep your service names down to eight
|
|
characters in length.
|
|
|
|
Use of the [homes] and [printers] special sections make life for an
|
|
administrator easy, but the various combinations of default attributes can be
|
|
tricky. Take extreme care when designing these sections. In particular,
|
|
ensure that the permissions on spool directories are correct.
|
|
.SH VERSION
|
|
This man page is (mostly) correct for version 1.9.18 of the Samba suite, plus some
|
|
of the recent patches to it. These notes will necessarily lag behind
|
|
development of the software, so it is possible that your version of
|
|
the server has extensions or parameter semantics that differ from or are not
|
|
covered by this man page. Please notify these to the address below for
|
|
rectification.
|
|
|
|
Prior to version 1.5.21 of the Samba suite, the configuration file was
|
|
radically different (more primitive). If you are using a version earlier than
|
|
1.8.05, it is STRONGLY recommended that you upgrade.
|
|
.SH OPTIONS
|
|
Not applicable.
|
|
.SH FILES
|
|
Not applicable.
|
|
.SH ENVIRONMENT VARIABLES
|
|
Not applicable.
|
|
.SH SEE ALSO
|
|
.BR smbd (8),
|
|
.BR smbclient (1),
|
|
.BR nmbd (8),
|
|
.BR testparm (1),
|
|
.BR testprns (1),
|
|
.BR lpq (1),
|
|
.BR hosts_access (5)
|
|
.SH DIAGNOSTICS
|
|
[This section under construction]
|
|
|
|
Most diagnostics issued by the server are logged in a specified log file. The
|
|
log file name is specified at compile time, but may be overridden on the
|
|
smbd command line (see
|
|
.BR smbd (8)).
|
|
|
|
The number and nature of diagnostics available depends on the debug level used
|
|
by the server. If you have problems, set the debug level to 3 and peruse the
|
|
log files.
|
|
|
|
Most messages are reasonably self-explanatory. Unfortunately, at time of
|
|
creation of this man page the source code is still too fluid to warrant
|
|
describing each and every diagnostic. At this stage your best bet is still
|
|
to grep the source code and inspect the conditions that gave rise to the
|
|
diagnostics you are seeing.
|
|
.SH BUGS
|
|
None known.
|
|
|
|
Please send bug reports, comments and so on to:
|
|
|
|
.RS 3
|
|
.B samba-bugs@samba.anu.edu.au (Andrew Tridgell)
|
|
|
|
.RS 3
|
|
or to the mailing list:
|
|
.RE
|
|
|
|
.B samba@listproc.anu.edu.au
|
|
|
|
.RE
|
|
You may also like to subscribe to the announcement channel:
|
|
|
|
.RS 3
|
|
.B samba-announce@listproc.anu.edu.au
|
|
.RE
|
|
|
|
To subscribe to these lists send a message to
|
|
listproc@listproc.anu.edu.au with a body of "subscribe samba Your
|
|
Name" or "subscribe samba-announce Your Name".
|
|
|
|
Errors or suggestions for improvements to the Samba man pages should be
|
|
mailed to:
|
|
|
|
.RS 3
|
|
.B samba-bugs@samba.anu.edu.au (Andrew Tridgell)
|
|
.RE
|
|
|