SMB.CONF(5)

NAME
smb.conf - The configuration file for the Samba suite

SYNOPSIS
The smb.conf file is a configuration file for the Samba suite. smb.conf contains runtime configuration information for the Samba programs. The smb.conf file is designed to be configured and administered by the swat(8) program. The complete description of the file format and possible parameters held within are here for reference purposes.

FILE FORMAT
The file consists of sections and parameters. A section begins with the name of the section in square brackets and continues until the next section begins. Sections contain parameters of the form:

    name = value

The file is line-based: each newline-terminated line represents either a comment, a section name or a parameter.

Section and parameter names are not case sensitive.

Only the first equals sign in a parameter is significant. Whitespace before or after the first equals sign is discarded. Leading, trailing and internal whitespace in section and parameter names is irrelevant. Leading and trailing whitespace in a parameter value is discarded. Internal whitespace within a parameter value is retained verbatim.

Any line beginning with a semicolon (;) or a hash (#) character is ignored, as are lines containing only whitespace. A comment is only recognised at the start of a line: a ; or # that follows a value is part of that value.

Any line ending in a \ is continued on the next line in the customary UNIX fashion.

The values following the equals sign in parameters are all either a string (no quotes needed) or a boolean, which may be given as yes/no, 0/1 or true/false. Case is not significant in boolean values, but is preserved in string values. Some items such as create masks are numeric.
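The rules above are enough to write a reader for the format. The following Python parser is an added example for this page, not part of Samba: it treats only the first equals sign as significant, ignores case and whitespace in names, skips ;/# comment lines and blank lines, joins backslash-continued lines, and keeps internal whitespace in values. One choice the text leaves open is made explicitly: internal whitespace in a section name is collapsed to a single space rather than dropped, so a share such as [Public Docs] keeps a usable name. lookup() also applies the rule, stated under PARAMETERS below, that a parameter missing from a share falls back to its [global] value. The SAMPLE configuration is constructed for the example.

```python
"""Minimal smb.conf reader following the FILE FORMAT rules (added example)."""

SAMPLE = """\
# constructed sample configuration for this example
[Global]
   Workgroup = EXAMPLE
   read only = Yes
; a value continued onto the next line
   comment = Public \\
files
[ Public  Docs ]
   path = /srv/public
   Read Only = no
   comment = x = y
"""


def _param_key(name):
    # Parameter names: case-insensitive, and all whitespace is irrelevant,
    # so "Read Only" and "readonly" name the same parameter.
    return "".join(name.split()).lower()


def _section_key(name):
    # Section names: case-insensitive; runs of whitespace collapse to one
    # space (example's choice) so "[ Public  Docs ]" becomes "public docs".
    return " ".join(name.split()).lower()


def _logical_lines(text):
    # A line ending in a backslash continues on the next line.
    pending = ""
    for raw in text.splitlines():
        if raw.endswith("\\"):
            pending += raw[:-1]
            continue
        yield pending + raw
        pending = ""
    if pending:
        yield pending


def parse_smb_conf(text):
    """Return {section: {parameter: value}} with canonicalised keys."""
    sections = {}
    current = None
    for line in _logical_lines(text):
        stripped = line.strip()
        # Comments are recognised only at the start of a line.
        if not stripped or stripped[0] in ";#":
            continue
        if stripped.startswith("[") and stripped.endswith("]"):
            current = _section_key(stripped[1:-1])
            sections.setdefault(current, {})
            continue
        if "=" not in stripped:
            raise ValueError("not a section or parameter: %r" % line)
        if current is None:
            raise ValueError("parameter before any section: %r" % line)
        # Only the first '=' is significant; internal whitespace in the
        # value is kept verbatim, leading/trailing whitespace is dropped.
        name, value = stripped.split("=", 1)
        sections[current][_param_key(name)] = value.strip()
    return sections


def as_bool(value):
    """Booleans may be yes/no, 0/1 or true/false, case-insensitively."""
    v = value.strip().lower()
    if v in ("yes", "1", "true"):
        return True
    if v in ("no", "0", "false"):
        return False
    raise ValueError("not a boolean: %r" % value)


def lookup(sections, share, name, default=None):
    """Value of a parameter for a share, falling back to [global]."""
    key = _param_key(name)
    for section in (_section_key(share), "global"):
        if key in sections.get(section, {}):
            return sections[section][key]
    return default


if __name__ == "__main__":
    cfg = parse_smb_conf(SAMPLE)
    for share in cfg:
        if share != "global":
            print(share, "read only:", as_bool(lookup(cfg, share, "read only")))
```

Note that the sample's "comment = x = y" parses to the value "x = y" and the continued comment line to "Public files", which is the behaviour the rules above prescribe.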
49
SECTION DESCRIPTIONS
Each section in the configuration file (except for the [global] section) describes a shared resource (known as a share). The section name is the name of the shared resource and the parameters within the section define the share's attributes.

There are three special sections, [global], [homes] and [printers], which are described under SPECIAL SECTIONS. The following notes apply to ordinary section descriptions.

A share consists of a directory to which access is being given plus a description of the access rights which are granted to the user of the service. Some housekeeping options are also specifiable.

Sections are either file share services (used by the client as an extension of their native file systems) or printable services (used by the client to access print services on the host running the server).

Sections may be designated guest services, in which case no password is required to access them. A specified UNIX guest account is used to define access privileges in this case.

Sections other than guest services will require a password to access them. The client provides the username. As older clients only provide passwords and not usernames, you may specify a list of usernames to check against the password using the user = option in the share definition. For modern clients such as Windows 95/98/ME/NT/2000, this should not be necessary.

The access rights granted by the server are masked by the access rights granted to the specified or guest UNIX user by the host system. The server does not grant more access than the host system grants.

The following sample section defines a file space share. The user has write access to the path /home/bar. The share is accessed via the share name foo:

    [foo]
    path = /home/bar
    read only = no

The following sample section defines a printable share. The share is read-only, but printable. That is, the only write access permitted is via calls to open, write to and close a spool file. The guest ok parameter means access will be permitted as the default guest user (specified elsewhere):

    [aprinter]
    path = /usr/spool/public
    read only = yes
    printable = yes
    guest ok = yes
SPECIAL SECTIONS

The [global] section
Parameters in this section apply to the server as a whole, or are defaults for sections that do not specifically define certain items. See the notes under PARAMETERS for more information.

The [homes] section
If a section called [homes] is included in the configuration file, services connecting clients to their home directories can be created on the fly by the server.

When the connection request is made, the existing sections are scanned. If a match is found, it is used. If no match is found, the requested section name is treated as a username and looked up in the local password file. If the name exists and the correct password has been given, a share is created by cloning the [homes] section.

Some modifications are then made to the newly created share:

· The share name is changed from homes to the located username.

· If no path was given, the path is set to the user's home directory.

If you decide to use a path = line in your [homes] section, it may be useful to use the %S macro. For example:

    path = /data/pchome/%S

is useful if you have different home directories for your PCs than for UNIX access.

This is a fast and simple way to give a large number of clients access to their home directories with a minimum of fuss.

A similar process occurs if the requested section name is homes, except that the share name is not changed to that of the requesting user. This method of using the [homes] section works well if different users share a client PC.

The [homes] section can specify all the parameters a normal service section can specify, though some make more sense than others. The following is a typical and suitable [homes] section:

    [homes]
    read only = no

An important point is that if guest access is specified in the [homes] section, all home directories will be visible to all clients without a password. In the very unlikely event that this is actually desirable, it is wise to also specify read only access.

The browseable flag for auto home directories will be inherited from the global browseable flag, not the [homes] browseable flag. This is useful as it means setting browseable = no in the [homes] section will hide the [homes] share but make any auto home directories visible.

The [printers] section
This section works like [homes], but for printers.

If a [printers] section occurs in the configuration file, users are able to connect to any printer specified in the local host's printcap file.

When a connection request is made, the existing sections are scanned. If a match is found, it is used. If no match is found, but a [homes] section exists, it is used as described above. Otherwise, the requested section name is treated as a printer name and the appropriate printcap file is scanned to see if the requested section name is a valid printer share name. If a match is found, a new printer share is created by cloning the [printers] section.

A few modifications are then made to the newly created share:

· The share name is set to the located printer name.

· If no printer name was given, the printer name is set to the located printer name.

· If the share does not permit guest access and no username was given, the username is set to the located printer name.

The [printers] service MUST be printable: if you specify otherwise, the server will refuse to load the configuration file.

Typically the path specified is that of a world-writeable spool directory with the sticky bit set on it. A typical [printers] entry looks like this:

    [printers]
    path = /usr/spool/public
    guest ok = yes
    printable = yes

All aliases given for a printer in the printcap file are legitimate printer names as far as the server is concerned. If your printing subsystem doesn't work like that, you will have to set up a pseudo-printcap. This is a file consisting of one or more lines like this:

    alias|alias|alias|alias...

Each alias should be an acceptable printer name for your printing subsystem. In the [global] section, specify the new file as your printcap. The server will only recognize names found in your pseudo-printcap, which of course can contain whatever aliases you like. The same technique could be used simply to limit access to a subset of your local printers.

An alias, by the way, is defined as any component of the first entry of a printcap record. Records are separated by newlines, components (if there are more than one) are separated by vertical bar symbols (|).

Note
On SYSV systems which use lpstat to determine what printers are defined on the system you may be able to use printcap name = lpstat to automatically obtain a list of printers. See the printcap name option for more details.
247
USERSHARES
Starting with Samba version 3.0.23 the capability for non-root users to add, modify, and delete their own share definitions has been added. This capability is called usershares and is controlled by a set of parameters in the [global] section of the smb.conf. The relevant parameters are:

usershare allow guests
Controls if usershares can permit guest access.

usershare max shares
Maximum number of user defined shares allowed.

usershare owner only
If set only directories owned by the sharing user can be shared.

usershare path
Points to the directory containing the user defined share definitions. The filesystem permissions on this directory control who can create user defined shares.

usershare prefix allow list
Comma-separated list of absolute pathnames restricting what directories can be shared. Only directories below the pathnames in this list are permitted.

usershare prefix deny list
Comma-separated list of absolute pathnames restricting what directories can be shared. Directories below the pathnames in this list are prohibited.

usershare template share
Names a pre-existing share used as a template for creating new usershares. All other share parameters not specified in the user defined share definition are copied from this named share.

To allow members of the UNIX group foo to create user defined shares, create the directory to contain the share definitions as follows:

Become root:

    mkdir /usr/local/samba/lib/usershares
    chgrp foo /usr/local/samba/lib/usershares
    chmod 1770 /usr/local/samba/lib/usershares

Mode 1770 gives the group write access so its members can create definitions, gives other users no access at all, and sets the sticky bit so that a member can only remove their own definition files.

Then add the parameters

    usershare path = /usr/local/samba/lib/usershares
    # or the desired number of shares:
    usershare max shares = 10

to the global section of your smb.conf. (Keep the comment on its own line; a # after the value would become part of the value.) Members of the group foo may then manipulate the user defined shares using the following commands.

net usershare add sharename path [comment] [acl] [guest_ok=[y|n]]
To create or modify (overwrite) a user defined share.

net usershare delete sharename
To delete a user defined share.

net usershare list wildcard-sharename
To list user defined shares.

net usershare info wildcard-sharename
To print information about user defined shares.
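As an added example (not Samba code), the following Python models the three usershare restrictions above so their effect can be checked offline: the deny and allow prefix lists, usershare owner only, and the 1770 permissions of the definitions directory. The example resolves the requested path with realpath before comparing prefixes so that ".." segments and symlinks cannot escape an allowed tree, checks the deny list before the allow list (an assumption, chosen to fail closed), and treats an empty allow list as no restriction. The uids, gids and paths are constructed for the example.

```python
"""Checks modelling the usershare restrictions on this page (added example)."""
import os
import stat


def _split_list(value):
    # These smb.conf lists are comma-separated; tolerate surrounding spaces.
    return [p.strip() for p in value.split(",") if p.strip()]


def _below(path, prefix):
    # True if path is the prefix directory itself or lies underneath it.
    prefix = os.path.realpath(prefix)
    if prefix == "/":
        return True
    return path == prefix or path.startswith(prefix + "/")


def path_permitted(path, allow_list="", deny_list=""):
    """Apply 'usershare prefix deny list' then 'usershare prefix allow list'.

    The path is resolved with realpath first, so '..' segments and symlinks
    cannot move it outside an allowed prefix. Deny is evaluated before allow
    (assumption: fail closed); an empty allow list means no restriction.
    """
    real = os.path.realpath(path)
    if any(_below(real, p) for p in _split_list(deny_list)):
        return False
    allow = _split_list(allow_list)
    return not allow or any(_below(real, p) for p in allow)


def usershare_allowed(path, requester_uid, dir_owner_uid,
                      allow_list="", deny_list="", owner_only=True):
    """'usershare owner only' plus the prefix lists; True if the request may proceed."""
    if owner_only and requester_uid != dir_owner_uid:
        return False
    return path_permitted(path, allow_list, deny_list)


def usershare_dir_mode_ok(mode, dir_gid, share_group_gid):
    """Validate the definitions directory against the recipe above
    (chgrp <group>; chmod 1770): group-owned, group rwx, no world access,
    sticky bit so members can only delete their own definition files."""
    if not stat.S_ISDIR(mode) or dir_gid != share_group_gid:
        return False
    perm = stat.S_IMODE(mode)
    return bool(perm & stat.S_ISVTX) and (perm & 0o070) == 0o070 and (perm & 0o007) == 0


def check_usershare_dir(path, share_group_gid):
    """The same check run against a real directory on disk."""
    st = os.stat(path)
    return usershare_dir_mode_ok(st.st_mode, st.st_gid, share_group_gid)


if __name__ == "__main__":
    allow = "/export, /srv"          # constructed values for the example
    deny = "/export/restricted"
    for p in ("/export/team", "/export/../etc", "/export/restricted/x", "/srv/data"):
        print(p, "->", path_permitted(p, allow, deny))
```

check_usershare_dir() is the call to run against the directory created by the recipe above; the mode constants in the test below (0o041770 is a directory with mode 1770) show what it accepts and rejects.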
317
PARAMETERS
Parameters define the specific attributes of sections.

Some parameters are specific to the [global] section (e.g., security). Some parameters are usable in all sections (e.g., create mask). All others are permissible only in normal sections. For the purposes of the following descriptions the [homes] and [printers] sections will be considered normal. The letter G in parentheses indicates that a parameter is specific to the [global] section. The letter S indicates that a parameter can be specified in a service specific section. All S parameters can also be specified in the [global] section, in which case they will define the default behavior for all services.

Parameters are arranged here in alphabetical order; this may not create best bedfellows, but at least you can find them! Where there are synonyms, the preferred synonym is described, others refer to the preferred synonym.
335
VARIABLE SUBSTITUTIONS
Many of the strings that are settable in the config file can take substitutions. For example the option path = /tmp/%u is interpreted as path = /tmp/john if the user connected with the username john.

These substitutions are mostly noted in the descriptions below, but there are some general substitutions which apply whenever they might be relevant. These are:

%U
session username (the username that the client wanted, not necessarily the same as the one they got).

%G
primary group name of %U.

%h
the Internet hostname that Samba is running on.

%m
the NetBIOS name of the client machine (very useful).

This parameter is not available when Samba listens on port 445, as clients no longer send this information. If you use this macro in an include statement on a domain that has a Samba domain controller be sure to set in the [global] section smb ports = 139. This will cause Samba to not listen on port 445 and will permit include functionality to function as it did with Samba 2.x.

%L
the NetBIOS name of the server. This allows you to change your config based on what the client calls you. Your server can have a dual personality.

%M
the Internet name of the client machine.

%R
the selected protocol level after protocol negotiation. It can be one of CORE, COREPLUS, LANMAN1, LANMAN2 or NT1.

%d
the process id of the current server process.

%a
the architecture of the remote machine. It currently recognizes Samba (Samba), the Linux CIFS file system (CIFSFS), OS/2 (OS2), Windows for Workgroups (WfWg), Windows 9x/ME (Win95), Windows NT (WinNT), Windows 2000 (Win2K), Windows XP (WinXP), and Windows 2003 (Win2K3). Anything else will be known as UNKNOWN.

%I
the IP address of the client machine.

%i
the local IP address to which a client connected.

%T
the current date and time.

%D
name of the domain or workgroup of the current user.

%w
the winbind separator.

%$(envvar)
the value of the environment variable envvar.

The following substitutes apply only to some configuration options (only those that are used when a connection has been established):

%S
the name of the current service, if any.

%P
the root directory of the current service, if any.

%u
username of the current service, if any.

%g
primary group name of %u.

%H
the home directory of the user given by %u.

%N
the name of your NIS home directory server. This is obtained from your NIS auto.map entry. If you have not compiled Samba with the --with-automount option, this value will be the same as %L.

%p
the path of the service's home directory, obtained from your NIS auto.map entry. The NIS auto.map entry is split up as %N:%p.

There are some quite creative things that can be done with these substitutions and other smb.conf options. Bear in mind that %U, %m, %M, %I and %a are derived from what the client sends or how it behaves, so any string built from them is partly under client control.
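The following Python is an added example, not part of Samba, that expands the macros above from a constructed connection context; %$(NAME) is read from an environment mapping. Macros with no value in the context are left unexpanded (the example's choice). Because the values behind %U, %m and similar macros originate with the client, the example also includes is_safe_component(), the kind of check a script should apply before using such a value as a single path component or command argument, for instance the %u argument that add user script (documented below) receives.

```python
"""Expansion of smb.conf %-substitutions from a connection context (added example)."""
import os
import re

# %X for a single-letter macro, or %$(NAME) for an environment variable.
_MACRO = re.compile(r"%(?:\$\((?P<env>[^)]*)\)|(?P<key>.))")

# Constructed context for one connection; keys are the macro letters above.
CONTEXT = {
    "U": "alice",            # username the client asked for
    "u": "alice",            # UNIX username of the service
    "G": "users", "g": "users",
    "h": "fs1", "L": "FS1",
    "m": "WS-ALICE",         # client NetBIOS name (absent on port 445)
    "M": "ws-alice.example.org",
    "I": "192.0.2.10", "i": "192.0.2.1",
    "S": "alice",            # current service name
    "H": "/home/alice",
    "D": "EXAMPLE",
}


def expand(template, ctx, env=None):
    """Replace %-macros using ctx; %$(NAME) comes from env (os.environ by default).
    Macros without a value in ctx are left untouched (example's choice)."""
    env = os.environ if env is None else env

    def repl(m):
        if m.group("env") is not None:
            return env.get(m.group("env"), "")
        return ctx.get(m.group("key"), m.group(0))

    return _MACRO.sub(repl, template)


_SAFE = re.compile(r"^[A-Za-z0-9_.$-]+$")


def is_safe_component(value):
    """True if a client-derived value (%U, %m, ...) may be embedded in a path
    or handed to a script as one path component: no separators, no '.' or
    '..', no shell-significant characters. '$' is allowed because machine
    account names end with one."""
    return bool(_SAFE.match(value)) and value not in (".", "..")


if __name__ == "__main__":
    for t in ("/data/pchome/%S", "/tmp/%u", "%L-%m.conf", "%$(HOME)/%U"):
        print(t, "->", expand(t, CONTEXT))
    for v in ("alice", "WS-ALICE$", "../alice", "a;rm -rf"):
        print(repr(v), "safe:", is_safe_component(v))
```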
434
NAME MANGLING
Samba supports name mangling so that DOS and Windows clients can use files that don't conform to the 8.3 format. It can also be set to adjust the case of 8.3 format filenames.

There are several options that control the way mangling is performed, and they are grouped here rather than listed separately. For the defaults look at the output of the testparm program.

These options can be set separately for each service.

The options are:

case sensitive = yes/no/auto
controls whether filenames are case sensitive. If they aren't, Samba must do a filename search and match on passed names. The default setting of auto allows clients that support case sensitive filenames (Linux CIFSVFS and smbclient 3.0.5 and above currently) to tell the Samba server on a per-packet basis that they wish to access the file system in a case-sensitive manner (to support UNIX case sensitive semantics). No Windows or DOS system supports case-sensitive filenames, so setting this option to auto is the same as setting it to no for them. Default auto.

default case = upper/lower
controls what the default case is for new filenames (ie. files that don't currently exist in the filesystem). Default lower. IMPORTANT NOTE: This option will be used to modify the case of all incoming client filenames, not just new filenames, if the options case sensitive = yes, preserve case = no, short preserve case = no are set. This change is needed as part of the optimisations for directories containing large numbers of files.

preserve case = yes/no
controls whether new files (ie. files that don't currently exist in the filesystem) are created with the case that the client passes, or if they are forced to be the default case. Default yes.

short preserve case = yes/no
controls if new files (ie. files that don't currently exist in the filesystem) which conform to 8.3 syntax, that is all in upper case and of suitable length, are created upper case, or if they are forced to be the default case. This option can be used with preserve case = yes to permit long filenames to retain their case, while short names are lowercased. Default yes.

By default, Samba 3.0 has the same semantics as a Windows NT server, in that it is case insensitive but case preserving. As a special case for directories with large numbers of files, if the case options are set as follows, "case sensitive = yes", "preserve case = no", "short preserve case = no", then the "default case" option will be applied and will modify all filenames sent from the client when accessing this share.
487
NOTE ABOUT USERNAME/PASSWORD VALIDATION
There are a number of ways in which a user can connect to a service. The server uses the following steps in determining if it will allow a connection to a specified service. If all the steps fail, the connection request is rejected. However, if one of the steps succeeds, the following steps are not checked.

If the service is marked guest only = yes and the server is running with share-level security (security = share), steps 1 to 5 are skipped.

1. If the client has passed a username/password pair and that username/password pair is validated by the UNIX system's password programs, the connection is made as that username. This includes the \\server\service%username method of passing a username.

2. If the client has previously registered a username with the system and now supplies a correct password for that username, the connection is allowed.

3. The client's NetBIOS name and any previously used usernames are checked against the supplied password. If they match, the connection is allowed as the corresponding user.

4. If the client has previously validated a username/password pair with the server and the client has passed the validation token, that username is used.

5. If a user = field is given in the smb.conf file for the service and the client has supplied a password, and that password matches (according to the UNIX system's password checking) with one of the usernames from the user = field, the connection is made as the username in the user = line. If one of the usernames in the user = list begins with a @, that name expands to a list of names in the group of the same name.

6. If the service is a guest service, a connection is made as the username given in the guest account = for the service, irrespective of the supplied password.
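The following Python is an added example, not smbd code, that walks the six steps above in order against a constructed password database: check_password stands in for the UNIX password check, group_members for the @group expansion, and the client dictionary holds the session state the steps refer to (registered and previously used usernames, the NetBIOS name and a validation token). It makes the two security-relevant consequences visible: a guest service accepts any password, and a user = list turns the share into a password-only check across every listed name.

```python
"""Model of the six connection steps above (added example, not smbd code)."""

# Constructed UNIX password database and group file for the example.
PASSWORDS = {"alice": "s3cret", "bob": "hunter2", "lp": "lp"}
GROUPS = {"staff": ["alice", "bob"]}


def check_password(username, password):
    """Stand-in for the UNIX system's password check."""
    return password is not None and PASSWORDS.get(username) == password


def group_members(group):
    """Stand-in for expanding @group to the members of that UNIX group."""
    return GROUPS.get(group, [])


def split_service_user(requested):
    r"""'\\server\service%username' delivers the username after a '%'."""
    service, sep, user = requested.partition("%")
    return service, (user if sep else None)


def resolve_user(service, client, check_password=check_password,
                 group_members=group_members):
    """Return the UNIX username the connection is made as, or None if rejected.

    service: the share's parameters ('guest only', 'guest ok', 'user',
             'guest account') plus the global 'security' value.
    client:  what the server knows about the session: 'username', 'password',
             'registered' (earlier usernames), 'netbios', 'previous'
             (previously used usernames) and 'token_user' (an already
             validated username).
    The first step that succeeds wins; later steps are not tried.
    """
    pw = client.get("password")
    skip_1_to_5 = service.get("guest only") and service.get("security") == "share"
    if not skip_1_to_5:
        # 1. username/password pair supplied by the client
        name = client.get("username")
        if name and check_password(name, pw):
            return name
        # 2. a username registered earlier, now with the correct password
        for name in client.get("registered", ()):
            if check_password(name, pw):
                return name
        # 3. the client's NetBIOS name and previously used usernames
        for name in [client.get("netbios")] + list(client.get("previous", ())):
            if name and check_password(name, pw):
                return name
        # 4. a validation token from an earlier successful logon
        if client.get("token_user"):
            return client["token_user"]
        # 5. the share's user = list, with @group expanded to its members
        for entry in service.get("user", ()):
            names = group_members(entry[1:]) if entry.startswith("@") else [entry]
            for name in names:
                if check_password(name, pw):
                    return name
    # 6. guest service: guest account, irrespective of the supplied password
    if service.get("guest ok"):
        return service.get("guest account", "nobody")
    return None


if __name__ == "__main__":
    print(resolve_user({}, {"username": "alice", "password": "s3cret"}))
    print(resolve_user({"user": ["@staff"]}, {"password": "hunter2"}))
    print(resolve_user({"guest ok": True, "guest account": "nobody"},
                       {"username": "alice", "password": "wrong"}))
```

The third call in the usage block returns the guest account even though the password for alice was wrong, which is exactly what step 6 prescribes; a share that is guest ok therefore never authenticates anyone who fails steps 1 to 5.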
526
528 abort shutdown script (G)
529 This a full path name to a script called by smbd(8) that should stop
530 a shutdown procedure issued by the shutdown script.
531
532 If the connected user posseses the SeRemoteShutdownPrivilege, right,
533 this command will be run as user.
534
535 Default: abort shutdown script = ""
536
537 Example: abort shutdown script = /sbin/shutdown -c
538
539 acl check permissions (S)
540 This boolean parameter controls what smbd(8)does on receiving a pro‐
541 tocol request of "open for delete" from a Windows client. If a Win‐
542 dows client doesn't have permissions to delete a file then they
543 expect this to be denied at open time. POSIX systems normally only
544 detect restrictions on delete by actually attempting to delete the
545 file or directory. As Windows clients can (and do) "back out" a
546 delete request by unsetting the "delete on close" bit Samba cannot
547 delete the file immediately on "open for delete" request as we can‐
548 not restore such a deleted file. With this parameter set to true
549 (the default) then smbd checks the file system permissions directly
550 on "open for delete" and denies the request without actually delet‐
551 ing the file if the file system permissions would seem to deny it.
552 This is not perfect, as it's possible a user could have deleted a
553 file without Samba being able to check the permissions correctly,
554 but it is close enough to Windows semantics for mostly correct be‐
555 haviour. Samba will correctly check POSIX ACL semantics in this
556 case.
557
558 If this parameter is set to "false" Samba doesn't check permissions
559 on "open for delete" and allows the open. If the user doesn't have
560 permission to delete the file this will only be discovered at close
561 time, which is too late for the Windows user tools to display an
562 error message to the user. The symptom of this is files that appear
563 to have been deleted "magically" re-appearing on a Windows explorer
564 refersh. This is an extremely advanced protocol option which should
565 not need to be changed. This parameter was introduced in its final
566 form in 3.0.21, an earlier version with slightly different semantics
567 was introduced in 3.0.20. That older version is not documented here.
568
569 Default: acl check permissions = True
570
571 acl compatibility (S)
572 This parameter specifies what OS ACL semantics should be compatible
573 with. Possible values are winnt for Windows NT 4, win2k for Windows
574 2000 and above and auto. If you specify auto, the value for this
575 parameter will be based upon the version of the client. There should
576 be no reason to change this parameter from the default.
577
578 Default: acl compatibility = Auto
579
580 Example: acl compatibility = win2k
581
582 acl group control (S)
583 In a POSIX filesystem, only the owner of a file or directory and the
584 superuser can modify the permissions and ACLs on a file. If this
585 parameter is set, then Samba overrides this restriction, and also
586 allows the primary group owner of a file or directory to modify the
587 permissions and ACLs on that file.
588
589 On a Windows server, groups may be the owner of a file or directory
590 - thus allowing anyone in that group to modify the permissions on
591 it. This allows the delegation of security controls on a point in
592 the filesystem to the group owner of a directory and anything below
593 it also owned by that group. This means there are multiple people
594 with permissions to modify ACLs on a file or directory, easing man‐
595 agability.
596
597 This parameter allows Samba to also permit delegation of the control
598 over a point in the exported directory hierarchy in much the same
599 was as Windows. This allows all members of a UNIX group to control
600 the permissions on a file or directory they have group ownership on.
601
602 This parameter is best used with the inherit owner option and also
603 on on a share containing directories with the UNIX setgid bit bit
604 set on them, which causes new files and directories created within
605 it to inherit the group ownership from the containing directory.
606
607 This is parameter has been marked deprecated in Samba 3.0.23. The
608 same behavior is now implemented by the dos filemode option.
609
610 Default: acl group control = no
611
612 acl map full control (S)
613 This boolean parameter controls whether smbd(8)maps a POSIX ACE
614 entry of "rwx" (read/write/execute), the maximum allowed POSIX per‐
615 mission set, into a Windows ACL of "FULL CONTROL". If this parameter
616 is set to true any POSIX ACE entry of "rwx" will be returned in a
617 Windows ACL as "FULL CONTROL", is this parameter is set to false any
618 POSIX ACE entry of "rwx" will be returned as the specific Windows
619 ACL bits representing read, write and execute.
620
621 Default: acl map full control = True
622
623 add group script (G)
624 This is the full pathname to a script that will be run AS ROOT by
625 smbd(8) when a new group is requested. It will expand any %g to the
626 group name passed. This script is only useful for installations
627 using the Windows NT domain administration tools. The script is free
628 to create a group with an arbitrary name to circumvent unix group
629 name restrictions. In that case the script must print the numeric
630 gid of the created group on stdout.
631
632 Default: add group script =
633
634 Example: add group script = /usr/sbin/groupadd %g
635
636 add machine script (G)
637 This is the full pathname to a script that will be run by smbd(8)
638 when a machine is added to Samba's domain and a Unix account match‐
639 ing the machine's name appended with a "$" does not already exist.
640
641 This option is very similar to the add user script, and likewise
642 uses the %u substitution for the account name. Do not use the %m
643 substitution.
644
645 Default: add machine script =
646
647 Example: add machine script = /usr/sbin/adduser -n -g machines -c
648 Machine -d /var/lib/nobody -s /bin/false %u
649
650 add port command (G)
651 Samba 3.0.23 introduces support for adding printer ports remotely
652 using the Windows "Add Standard TCP/IP Port Wizard". This option
653 defines an external program to be executed when smbd receives a
654 request to add a new Port to the system. he script is passed two
655 parameters:
656
657 · port name
658
659 · device URI
660
661 The deviceURI is in the for of socket://<hostname>[:<portnumber>]
662 or lpd://<hostname>/<queuename>.
663
664 Default: add port command =
665
666 Example: add port command = /etc/samba/scripts/addport.sh
667
668 add printer command (G)
669 With the introduction of MS-RPC based printing support for Windows
670 NT/2000 clients in Samba 2.2, The MS Add Printer Wizard (APW) icon
671 is now also available in the "Printers..." folder displayed a share
672 listing. The APW allows for printers to be add remotely to a Samba
673 or Windows NT/2000 print server.
674
675 For a Samba host this means that the printer must be physically
676 added to the underlying printing system. The add printer command
677 defines a script to be run which will perform the necessary opera‐
678 tions for adding the printer to the print system and to add the
679 appropriate service definition to the smb.conf file in order that it
680 can be shared by smbd(8).
681
682 The addprinter command is automatically invoked with the following
683 parameter (in order):
684
685 · printer name
686
687 · share name
688
689 · port name
690
691 · driver name
692
693 · location
694
695 · Windows 9x driver location
696
697 All parameters are filled in from the PRINTER_INFO_2 structure
698 sent by the Windows NT/2000 client with one exception. The "Win‐
699 dows 9x driver location" parameter is included for backwards com‐
700 patibility only. The remaining fields in the structure are gener‐
701 ated from answers to the APW questions.
702
703 Once the addprinter command has been executed, smbd will reparse
704 the
705 smb.conf to determine if the share defined by the APW exists. If
706 the sharename is still invalid, then smbd will return an
707 ACCESS_DENIED error to the client.
708
709 The "add printer command" program can output a single line of
710 text, which Samba will set as the port the new printer is con‐
711 nected to. If this line isn't output, Samba won't reload its
712 printer shares.
713
714 Default: add printer command =
715
716 Example: add printer command = /usr/bin/addprinter
717
718 add share command (G)
719 Samba 2.2.0 introduced the ability to dynamically add and delete
720 shares via the Windows NT 4.0 Server Manager. The add share command
721 is used to define an external program or script which will add a new
722 service definition to smb.conf. In order to successfully execute the
723 add share command, smbd requires that the administrator be connected
724 using a root account (i.e. uid == 0).
725
726 When executed, smbd will automatically invoke the add share command
727 with five parameters.
728
729 · configFile - the location of the global smb.conf file.
730
731 · shareName - the name of the new share.
732
733 · pathName - path to an **existing** directory on disk.
734
735 · comment - comment string to associate with the new share.
736
737 · max connections Number of maximum simultaneous connections to
738 this share.
739
740 This parameter is only used for add file shares. To add printer
741 shares, see the addprinter command.
742
743 Default: add share command =
744
745 Example: add share command = /usr/local/bin/addshare
746
747 add user script (G)
748 This is the full pathname to a script that will be run AS ROOT by
749 smbd(8) under special circumstances described below.
750
751 Normally, a Samba server requires that UNIX users are created for
752 all users accessing files on this server. For sites that use Windows
753 NT account databases as their primary user database creating these
754 users and keeping the user list in sync with the Windows NT PDC is
755 an onerous task. This option allows smbd to create the required UNIX
756 users ON DEMAND when a user accesses the Samba server.
757
758 In order to use this option, smbd(8) must NOT be set to security =
759 share and add user script must be set to a full pathname for a
760 script that will create a UNIX user given one argument of %u, which
761 expands into the UNIX user name to create.
762
763 When the Windows user attempts to access the Samba server, at login
764 (session setup in the SMB protocol) time, smbd(8) contacts the pass‐
765 word server and attempts to authenticate the given user with the
766 given password. If the authentication succeeds then smbd attempts to
767 find a UNIX user in the UNIX password database to map the Windows
768 user into. If this lookup fails, and add user script is set then
769 smbd will call the specified script AS ROOT, expanding any %u argu‐
770 ment to be the user name to create.
771
772 If this script successfully creates the user then smbd will continue
773 on as though the UNIX user already existed. In this way, UNIX users
774 are dynamically created to match existing Windows NT accounts.
775
776 See also security, password server, delete user script.
777
778 Default: add user script =
779
780 Example: add user script = /usr/local/samba/bin/add_user %u
781
add user to group script (G)
Full path to the script that will be called when a user is added to a group using the Windows NT domain administration tools. It will be run by smbd(8) AS ROOT. Any %g will be replaced with the group name and any %u will be replaced with the user name.

Note that the adduser command used in the example below does not support the syntax used here on all systems.

Default: add user to group script =

Example: add user to group script = /usr/sbin/adduser %u %g

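Both add user script and add user to group script (and the delete user / delete user from group scripts later in this page) hand a name taken from the client (%u, %g) to a script that smbd runs as root. The following POSIX shell script is an added example, not Samba's own code and not the add_user or adduser programs named in the examples above: it validates those arguments before any privileged command sees them, and dispatches on the name it is installed as so one file can serve both parameters. The account policy (home directory created, no-login shell), the 32-character limit and the installed names are assumptions to adjust per site.

```shell
#!/bin/sh
# Added example: input-validating wrapper for
#   add user script          = /usr/local/samba/bin/add_user %u
#   add user to group script = /usr/local/samba/bin/add_user_to_group %u %g
# smbd runs these AS ROOT with a client-supplied name, so the name is checked
# before useradd/usermod are invoked. Not Samba's code; policy is assumed.

# valid_name NAME -> exit 0 if NAME is an acceptable UNIX account or group name.
# Assumed policy: 1-32 characters, first is a lowercase letter or '_', the rest
# lowercase letters, digits, '_' or '-'. A leading '-' is never accepted, so the
# name can never be parsed as an option by useradd/usermod.
valid_name() {
    case $1 in
        '' | -*)                      return 1 ;;   # empty or option-like
        *[![:lower:][:digit:]_-]*)    return 1 ;;   # any character outside the set
    esac
    [ "${#1}" -le 32 ] || return 1
    case $1 in
        [[:lower:]_]*) return 0 ;;
        *)             return 1 ;;
    esac
}

# log_reject WHAT -> leave a trace for the operator (syslog when available).
log_reject() {
    logger -t samba-add_user "rejected $1 argument from smbd: invalid name" 2>/dev/null || :
}

# add_unix_user NAME -> create NAME if it does not exist yet. Idempotent, so a
# repeated call from smbd for an existing account is harmless.
add_unix_user() {
    valid_name "$1" || { log_reject user; return 1; }
    if id "$1" >/dev/null 2>&1; then
        return 0
    fi
    # Assumed policy: create the home directory, no interactive login shell.
    useradd -m -s /usr/sbin/nologin "$1"
}

# add_user_to_group USER GROUP -> append USER to GROUP's supplementary groups.
add_user_to_group() {
    valid_name "$1" || { log_reject user; return 1; }
    valid_name "$2" || { log_reject group; return 1; }
    usermod -a -G "$2" "$1"
}

# Dispatch on the name this file is installed (or symlinked) as. Under any
# other name, e.g. when sourced for testing, only the functions are defined.
case ${0##*/} in
    add_user)          add_unix_user "$1" ;;
    add_user_to_group) add_user_to_group "$1" "$2" ;;
esac
```

The validation is deliberately stricter than what useradd itself accepts; anything smbd could pass that does not look like a plain account name is refused and logged rather than forwarded.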
admin users (S)
This is a list of users who will be granted administrative privileges on the share. This means that they will do all file operations as the super-user (root).

You should use this option very carefully, as any user in this list will be able to do anything they like on the share, irrespective of file permissions.

This parameter will not work with security = share in Samba 3.0. This is by design.

Default: admin users =

Example: admin users = jason

afs share (S)
This parameter controls whether special AFS features are enabled for this share. If enabled, it assumes that the directory exported via the path parameter is a local AFS import. The special AFS features include the attempt to hand-craft an AFS token if you enabled --with-fake-kaserver in configure.

Default: afs share = no

afs username map (G)
If you are using the fake kaserver AFS feature, you might want to hand-craft the usernames you are creating tokens for. For example, this is necessary if you have users from several domains in your AFS Protection Database. One possible scheme is to code users as DOMAIN+User, as winbind does, with the + as a separator.

The mapped user name must contain the cell name to log into, so without setting this parameter there will be no token.

Default: afs username map =

Example: afs username map = %u@afs.samba.org

aio read size (S)
If Samba has been built with asynchronous I/O support and this integer parameter is set to a non-zero value, Samba will read from the file asynchronously when the size of the request is bigger than this value. Note that this happens only for non-chained and non-chaining reads and when not using the write cache.

The current implementation of asynchronous I/O in Samba 3.0 supports only up to 10 outstanding asynchronous requests, read and write combined.

See also: write cache size, aio write size.

Default: aio read size = 0

Example: aio read size = 16384 # Use asynchronous I/O for reads bigger than a 16KB request size

aio write size (S)
If Samba has been built with asynchronous I/O support and this integer parameter is set to a non-zero value, Samba will write to the file asynchronously when the size of the request is bigger than this value. Note that this happens only for non-chained and non-chaining reads and when not using the write cache.

The current implementation of asynchronous I/O in Samba 3.0 supports only up to 10 outstanding asynchronous requests, read and write combined.

See also: write cache size, aio read size.

Default: aio write size = 0

Example: aio write size = 16384 # Use asynchronous I/O for writes bigger than a 16KB request size

algorithmic rid base (G)
This determines how Samba will use its algorithmic mapping from uids/gids to the RIDs needed to construct NT Security Identifiers.

Setting this option to a larger value could be useful to sites transitioning from WinNT and Win2k, as existing user and group RIDs would otherwise clash with system users etc.

All UIDs and GIDs must be able to be resolved into SIDs for the correct operation of ACLs on the server. As such the algorithmic mapping can't be 'turned off', but pushing it 'out of the way' should resolve the issues. Users and groups can then be assigned 'low' RIDs in backends that support arbitrary RIDs.

Default: algorithmic rid base = 1000

Example: algorithmic rid base = 100000

allocation roundup size (S)
This parameter allows an administrator to tune the allocation size reported to Windows clients. The default size of 1Mb generally results in improved Windows client performance. However, rounding the allocation size may cause difficulties for some applications, e.g. MS Visual Studio. If the MS Visual Studio compiler starts to crash with an internal error, set this parameter to zero for this share.

The integer parameter specifies the roundup size in bytes.

Default: allocation roundup size = 1048576

Example: allocation roundup size = 0 # (to disable roundups)

allow trusted domains (G)
This option only takes effect when the security option is set to server, domain or ads. If it is set to no, then attempts to connect to a resource from a domain or workgroup other than the one which smbd is running in will fail, even if that domain is trusted by the remote server doing the authentication.

This is useful if you only want your Samba server to serve resources to users in the domain it is a member of. As an example, suppose that there are two domains DOMA and DOMB. DOMB is trusted by DOMA, which contains the Samba server. Under normal circumstances, a user with an account in DOMB can then access the resources of a UNIX account with the same account name on the Samba server even if they do not have an account in DOMA. This can make implementing a security boundary difficult.

Default: allow trusted domains = yes

announce as (G)
This specifies what type of server nmbd(8) will announce itself as to a network neighborhood browse list. By default this is set to Windows NT. The valid options are: "NT Server" (which can also be written as "NT"), "NT Workstation", "Win95" or "WfW", meaning Windows NT Server, Windows NT Workstation, Windows 95 and Windows for Workgroups respectively. Do not change this parameter unless you have a specific need to stop Samba appearing as an NT server, as this may prevent Samba servers from participating as browser servers correctly.

Default: announce as = NT Server

Example: announce as = Win95

announce version (G)
This specifies the major and minor version numbers that nmbd will use when announcing itself as a server. The default is 4.9. Do not change this parameter unless you have a specific need to set a Samba server to be a downlevel server.

Default: announce version = 4.9

Example: announce version = 2.0

auth methods (G)
This option allows the administrator to choose what authentication methods smbd will use when authenticating a user. This option defaults to sensible values based on security. This should be considered a developer option and used only in rare circumstances. In the majority (if not all) of production servers, the default setting should be adequate.

Each entry in the list attempts to authenticate the user in turn, until the user authenticates. In practice only one method will ever actually be able to complete the authentication.

Possible options include guest (anonymous access), sam (lookups in the local list of accounts based on netbios name or domain name), winbind (relay authentication requests for remote users through winbindd), ntdomain (pre-winbindd method of authentication for remote domain users; deprecated in favour of the winbind method), trustdomain (authenticate trusted users by contacting the remote DC directly from smbd; deprecated in favour of the winbind method).

Default: auth methods =

Example: auth methods = guest sam winbind

available (S)
This parameter lets you "turn off" a service. If available = no, then ALL attempts to connect to the service will fail. Such failures are logged.

Default: available = yes

bind interfaces only (G)
This global parameter allows the Samba admin to limit which interfaces on a machine will serve SMB requests. It affects the file service smbd(8) and the name service nmbd(8) in slightly different ways.

For name service it causes nmbd to bind to ports 137 and 138 on the interfaces listed in the interfaces parameter. nmbd also binds to the "all addresses" interface (0.0.0.0) on ports 137 and 138 for the purpose of reading broadcast messages. If this option is not set then nmbd will service name requests on all of these sockets. If bind interfaces only is set then nmbd will check the source address of any packets coming in on the broadcast sockets and discard any that don't match the broadcast addresses of the interfaces in the interfaces parameter list. As unicast packets are received on the other sockets, this allows nmbd to refuse to serve names to machines that send packets arriving through any interface not listed in the interfaces list. IP source address spoofing does defeat this simple check, however, so it must not be relied on as a security feature for nmbd.

For file service it causes smbd(8) to bind only to the interface list given in the interfaces parameter. This restricts the networks that smbd will serve to packets coming in on those interfaces. Note that you should not use this parameter for machines that are serving PPP or other intermittent or non-broadcast network interfaces, as it will not cope with non-permanent interfaces.

If bind interfaces only is set then, unless the network address 127.0.0.1 is added to the interfaces parameter list, smbpasswd(8) and swat(8) may not work as expected for the reasons covered below.

To change a user's SMB password, smbpasswd by default connects to the localhost (127.0.0.1) address as an SMB client to issue the password change request. If bind interfaces only is set then, unless the network address 127.0.0.1 is added to the interfaces parameter list, smbpasswd will fail to connect in its default mode. smbpasswd can be forced to use the primary IP interface of the local host by using its smbpasswd(8) -r remote machine parameter, with remote machine set to the IP name of the primary interface of the local host.

The swat status page tries to connect with smbd and nmbd at the address 127.0.0.1 to determine if they are running. Not adding 127.0.0.1 will cause smbd and nmbd to always show "not running" even if they really are. This can prevent swat from starting/stopping/restarting smbd and nmbd.

Default: bind interfaces only = no

blocking locks (S)
This parameter controls the behavior of smbd(8) when given a request by a client to obtain a byte range lock on a region of an open file, and the request has a time limit associated with it.

If this parameter is set and the lock range requested cannot be immediately satisfied, samba will internally queue the lock request, and periodically attempt to obtain the lock until the timeout period expires.

If this parameter is set to no, then samba will behave as previous versions of Samba would and will fail the lock request immediately if the lock range cannot be obtained.

Default: blocking locks = yes

block size (S)
This parameter controls the behavior of smbd(8) when reporting disk free sizes. By default, this reports a disk block size of 1024 bytes.

Changing this parameter may have some effect on the efficiency of client writes; this is not yet confirmed. This parameter was added to allow advanced administrators to change it (usually to a higher value) and test the effect it has on client write performance without re-compiling the code. As this is an experimental option it may be removed in a future release.

Changing this option does not change the disk free reporting size, just the block size unit reported to the client.

Default: block size = 1024

Example: block size = 4096

browsable
This parameter is a synonym for browseable.

browseable (S)
This controls whether this share is seen in the list of available shares in a net view and in the browse list.

Default: browseable = yes

browse list (G)
This controls whether smbd(8) will serve a browse list to a client doing a NetServerEnum call. Normally set to yes. You should never need to change this.

Default: browse list = yes

casesignames
This parameter is a synonym for case sensitive.

case sensitive (S)
See the discussion in the section name mangling.

Default: case sensitive = no

change notify (S)
This parameter specifies whether Samba should reply to a client's file change notify requests.

You should never need to change this parameter.

Default: change notify = no

change share command (G)
Samba 2.2.0 introduced the ability to dynamically add and delete shares via the Windows NT 4.0 Server Manager. The change share command is used to define an external program or script which will modify an existing service definition in smb.conf. In order to successfully execute the change share command, smbd requires that the administrator be connected using a root account (i.e. uid == 0).

When executed, smbd will automatically invoke the change share command with five parameters.

· configFile - the location of the global smb.conf file.

· shareName - the name of the new share.

· pathName - path to an **existing** directory on disk.

· comment - comment string to associate with the new share.

· max connections - the maximum number of simultaneous connections to this share.

This parameter is only used to modify existing file share definitions. To modify printer shares, use the "Printers..." folder as seen when browsing the Samba host.

Default: change share command =

Example: change share command = /usr/local/bin/addshare

check password script (G)
The name of a program that can be used to check password complexity. The password is sent to the program's standard input.

The program must return 0 for a good password and any other value otherwise. In case the password is considered weak (the program does not return 0) the user will be notified and the password change will fail.

Note: In the examples directory there is a sample program called crackcheck that uses cracklib to check password quality.

Default: check password script = Disabled

Example: check password script = /usr/local/sbin/crackcheck

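The contract described above is small: read the candidate password from standard input, exit 0 to accept it, anything else to reject it. The following POSIX shell script is an added example of such a program; it is not the crackcheck sample from the Samba examples directory, and the policy it enforces (minimum length, character-class mix, a tiny constructed deny-list) and the installed name /usr/local/sbin/samba-checkpw are assumptions.

```shell
#!/bin/sh
# Added example of a "check password script". smbd writes the candidate
# password to stdin and treats exit status 0 as "acceptable". Not Samba's
# crackcheck; the policy below is an assumption to adapt per site.

MIN_LEN=12   # assumed site policy

# A tiny constructed deny-list; a real deployment would use cracklib or a
# much larger list. Matched case-insensitively as a substring.
rejected_words='password passw0rd letmein qwerty123 welcome1 samba'

# check_password: reads the password from stdin, returns 0 if it passes.
# The password itself is never echoed, logged or written to a file; only the
# reason for a rejection is printed.
check_password() {
    pw=$(cat)                       # $(...) strips the trailing newline, if any
    if [ "${#pw}" -lt "$MIN_LEN" ]; then
        echo "password too short (minimum $MIN_LEN characters)"
        return 1
    fi
    classes=0
    case $pw in *[[:lower:]]*) classes=$((classes + 1)) ;; esac
    case $pw in *[[:upper:]]*) classes=$((classes + 1)) ;; esac
    case $pw in *[[:digit:]]*) classes=$((classes + 1)) ;; esac
    case $pw in *[[:punct:]]*) classes=$((classes + 1)) ;; esac
    if [ "$classes" -lt 3 ]; then
        echo "password must mix at least three of: lower case, upper case, digits, punctuation"
        return 1
    fi
    lower=$(printf '%s' "$pw" | tr '[:upper:]' '[:lower:]')
    for w in $rejected_words; do
        case $lower in *"$w"*)
            echo "password contains a commonly guessed word"
            return 1 ;;
        esac
    done
    return 0
}

# Run the check only when executed under the installed name (assumed:
#   check password script = /usr/local/sbin/samba-checkpw
# ); under any other name the function is merely defined, e.g. for testing.
if [ "${0##*/}" = samba-checkpw ]; then
    check_password
    exit $?
fi
```

Because smbd only looks at the exit status, the messages go to standard output purely as an operator aid; keeping the password out of every diagnostic path is the one property worth preserving when adapting the policy.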
client lanman auth (G)
This parameter determines whether or not smbclient(8) and other samba client tools will attempt to authenticate themselves to servers using the weaker LANMAN password hash. If disabled, only servers which support NT password hashes (e.g. Windows NT/2000, Samba, etc., but not Windows 95/98) will be able to be connected to from the Samba client.

The LANMAN encrypted response is easily broken, due to its case-insensitive nature and the choice of algorithm. Clients without Windows 95/98 servers are advised to disable this option.

Disabling this option will also disable the client plaintext auth option.

Likewise, if the client ntlmv2 auth parameter is enabled, then only NTLMv2 logins will be attempted.

Default: client lanman auth = yes

client ntlmv2 auth (G)
This parameter determines whether or not smbclient(8) will attempt to authenticate itself to servers using the NTLMv2 encrypted password response.

If enabled, only an NTLMv2 and LMv2 response (both much more secure than earlier versions) will be sent. Many servers (including NT4 < SP4, Win9x and Samba 2.2) are not compatible with NTLMv2.

Similarly, if enabled, NTLMv1, client lanman auth and client plaintext auth authentication will be disabled. This also disables share-level authentication.

If disabled, an NTLM response (and possibly a LANMAN response) will be sent by the client, depending on the value of client lanman auth.

Note that some sites (particularly those following 'best practice' security policies) only allow NTLMv2 responses, and not the weaker LM or NTLM.

Default: client ntlmv2 auth = no

client plaintext auth (G)
Specifies whether a client should send a plaintext password if the server does not support encrypted passwords.

Default: client plaintext auth = yes

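The bind interfaces only entry and the three client auth entries above each describe a default that is convenient rather than safe (no 127.0.0.1 in interfaces, LANMAN on, NTLMv2 off, plaintext on). As an added example, not Samba's testparm and not code from this manual page, the following POSIX shell script reads an smb.conf using the file format rules given at the top of this page (sections in square brackets, only the first = significant, ; and # comments, case- and whitespace-insensitive names, last occurrence wins) and reports those four conditions. The two sample configurations are constructed for the demonstration; the findings it prints apply the defaults documented on this page when a parameter is absent.

```shell
#!/bin/sh
# Added example: a read-only lint for the smb.conf settings discussed above.
# Not Samba's code; parsing follows the smb.conf format described in this page.

# smbconf_get FILE SECTION KEY -> print the effective value (last occurrence
# wins) or nothing if unset. Names are compared ignoring case and whitespace.
smbconf_get() {
    awk -v ws="$2" -v wk="$3" '
        function norm(s) { gsub(/[ \t]+/, "", s); return tolower(s) }
        BEGIN { ws = norm(ws); wk = norm(wk) }
        /^[ \t]*[;#]/ || /^[ \t]*$/ { next }            # comment or blank line
        /^[ \t]*\[/ {                                    # [section] header
            sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
            sec = norm(sec); next
        }
        {
            eq = index($0, "=")                          # only the first = counts
            if (eq == 0) next
            key = norm(substr($0, 1, eq - 1))
            val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", val)             # trim, keep inner spaces
            if (sec == ws && key == wk) { last = val; seen = 1 }
        }
        END { if (seen) print last }
    ' "$1"
}

# smbconf_true VALUE -> exit 0 for yes/1/true in any case, 1 otherwise.
smbconf_true() {
    case $(printf '%s' "$1" | tr '[:upper:]' '[:lower:]') in
        yes|1|true) return 0 ;;
        *)          return 1 ;;
    esac
}

# lint_smbconf FILE -> print one finding per line; exit 0 only when clean.
# The ${var:-default} fallbacks are the defaults documented on this page.
lint_smbconf() {
    n=0
    bio=$(smbconf_get "$1" global 'bind interfaces only')
    if smbconf_true "${bio:-no}"; then
        case " $(smbconf_get "$1" global interfaces) " in
            *127.0.0.1*|*' lo '*) ;;
            *) echo 'bind interfaces only = yes but interfaces lacks 127.0.0.1: smbpasswd and swat cannot reach smbd'
               n=$((n + 1)) ;;
        esac
    fi
    lm=$(smbconf_get "$1" global 'client lanman auth')
    if smbconf_true "${lm:-yes}"; then
        echo 'client lanman auth is on (the default): the LANMAN response is easily broken'; n=$((n + 1))
    fi
    v2=$(smbconf_get "$1" global 'client ntlmv2 auth')
    if ! smbconf_true "${v2:-no}"; then
        echo 'client ntlmv2 auth is off (the default): the client falls back to NTLM/LM responses'; n=$((n + 1))
    fi
    pt=$(smbconf_get "$1" global 'client plaintext auth')
    if smbconf_true "${pt:-yes}"; then
        echo 'client plaintext auth is on (the default): the password can be sent in clear to old servers'; n=$((n + 1))
    fi
    [ "$n" -eq 0 ]
}

# Two constructed sample configurations (not taken from any real site).
WEAK_CONF=$(mktemp); HARD_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$HARD_CONF"' EXIT
cat > "$WEAK_CONF" <<'EOF'
; constructed sample: bind interfaces only set without 127.0.0.1, auth defaults
[global]
   workgroup = EXAMPLE
   Bind Interfaces Only = Yes
   interfaces = 192.0.2.10/24
   client lanman auth = no
[homes]
   browseable = no
EOF
cat > "$HARD_CONF" <<'EOF'
# constructed sample: the same site after applying the notes on this page
[global]
   workgroup = EXAMPLE
   bind interfaces only = yes
   interfaces = 192.0.2.10/24 127.0.0.1
   client lanman auth = no
   client ntlmv2 auth = yes
   client plaintext auth = no
EOF

if lint_smbconf "$WEAK_CONF"; then echo "weak sample: clean"; else echo "weak sample: see findings above"; fi
if lint_smbconf "$HARD_CONF"; then echo "hardened sample: clean"; fi
```

smbconf_get is reusable on its own for any parameter in this page; lint_smbconf only encodes the four conditions the surrounding entries describe, so the weak sample yields exactly three findings (127.0.0.1 missing, NTLMv2 off, plaintext on) and the hardened one none.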
client schannel (G)
This controls whether the client offers or even demands the use of the netlogon schannel. client schannel = no does not offer the schannel, client schannel = auto offers the schannel but does not enforce it, and client schannel = yes denies access if the server is not able to speak netlogon schannel.

Default: client schannel = auto

Example: client schannel = yes

client signing (G)
This controls whether the client offers or requires the server it talks to to use SMB signing. Possible values are auto, mandatory and disabled.

When set to auto, SMB signing is offered, but not enforced. When set to mandatory, SMB signing is required, and if set to disabled, SMB signing is not offered either.

Default: client signing = auto

client use spnego (G)
This variable controls whether Samba clients will try to use Simple and Protected Negotiation (SPNEGO, as specified by RFC 2478) with supporting servers (including Windows XP, Windows 2000 and Samba 3.0) to agree upon an authentication mechanism. This enables Kerberos authentication in particular.

Default: client use spnego = yes

comment (S)
This is a text field that is seen next to a share when a client queries the server, either via the network neighborhood or via net view, to list what shares are available.

If you want to set the string that is displayed next to the machine name then see the server string parameter.

Default: comment = # No comment

Example: comment = Fred's Files

config file (G)
This allows you to override the config file to use, instead of the default (usually smb.conf). There is a chicken and egg problem here as this option is set in the config file!

For this reason, if the name of the config file has changed when the parameters are loaded then it will reload them from the new config file.

This option takes the usual substitutions, which can be very useful.

If the config file doesn't exist then it won't be loaded (allowing you to special case the config files of just a few clients).

No default

Example: config file = /usr/local/samba/lib/smb.conf.%m

copy (S)
This parameter allows you to "clone" service entries. The specified service is simply duplicated under the current service's name. Any parameters specified in the current section will override those in the section being copied.

This feature lets you set up a 'template' service and create similar services easily. Note that the service being copied must occur earlier in the configuration file than the service doing the copying.

Default: copy =

Example: copy = otherservice

create mode
This parameter is a synonym for create mask.

create mask (S)
When a file is created, the necessary permissions are calculated according to the mapping from DOS modes to UNIX permissions, and the resulting UNIX mode is then bit-wise 'AND'ed with this parameter. This parameter may be thought of as a bit-wise MASK for the UNIX modes of a file. Any bit not set here will be removed from the modes set on a file when it is created.

The default value of this parameter removes the group and other write and execute bits from the UNIX modes.

Following this, Samba will bit-wise 'OR' the UNIX mode created from this parameter with the value of the force create mode parameter, which is set to 000 by default.

This parameter does not affect directory masks. See the parameter directory mask for details.

Note that this parameter does not apply to permissions set by Windows NT/2000 ACL editors. If the administrator wishes to enforce a mask on access control lists also, they need to set the security mask.

Default: create mask = 0744

Example: create mask = 0775

csc policy (S)
This stands for client-side caching policy, and specifies how clients capable of offline caching will cache the files in the share. The valid values are: manual, documents, programs, disable.

These values correspond to those used on Windows servers.

For example, shares containing roaming profiles can have offline caching disabled using csc policy = disable.

Default: csc policy = manual

Example: csc policy = programs

cups options (S)
This parameter is only applicable if printing is set to cups. Its value is a free form string of options passed directly to the cups library.

You can pass any generic print option known to CUPS (as listed in the CUPS "Software Users' Manual"). You can also pass any printer specific option (as listed in "lpoptions -d printername -l") valid for the target queue.

You should set this parameter to raw if your CUPS server error_log file contains messages such as "Unsupported format 'application/octet-stream'" when printing from a Windows client through Samba. It is no longer necessary to enable system wide raw printing in /etc/cups/mime.{convs,types}.

Default: cups options = ""

Example: cups options = "raw,media=a4,job-sheets=secret,secret"

cups server (G)
This parameter is only applicable if printing is set to cups.

If set, this option overrides the ServerName option in the CUPS client.conf. This is necessary if you have virtual samba servers that connect to different CUPS daemons.

Optionally, a port can be specified by separating the server name and port number with a colon. If no port was specified, the default port for IPP (631) will be used.

Default: cups server = ""

Example: cups server = mycupsserver

Example: cups server = mycupsserver:1631

deadtime (G)
The value of the parameter (a decimal integer) represents the number of minutes of inactivity before a connection is considered dead, and it is disconnected. The deadtime only takes effect if the number of open files is zero.

This is useful to stop a server's resources being exhausted by a large number of inactive connections.

Most clients have an auto-reconnect feature when a connection is broken, so in most cases this parameter should be transparent to users.

Using this parameter with a timeout of a few minutes is recommended for most systems.

A deadtime of zero indicates that no auto-disconnection should be performed.

Default: deadtime = 0

Example: deadtime = 15

debug hires timestamp (G)
Sometimes the timestamps in the log messages are needed with a resolution higher than seconds; this boolean parameter adds microsecond resolution to the timestamp message header when turned on.

Note that the parameter debug timestamp must be on for this to have an effect.

Default: debug hires timestamp = no

debug pid (G)
When using only one log file for more than one forked smbd(8) process, it may be hard to follow which process outputs which message. This boolean parameter adds the process-id to the timestamp message headers in the logfile when turned on.

Note that the parameter debug timestamp must be on for this to have an effect.

Default: debug pid = no

debug prefix timestamp (G)
With this option enabled, the timestamp message header is prefixed to the debug message without the filename and function information that is included with the debug timestamp parameter. This gives timestamps to the messages without adding an additional line.

Note that this parameter overrides the debug timestamp parameter.

Default: debug prefix timestamp = no

timestamp logs
This parameter is a synonym for debug timestamp.

debug timestamp (G)
Samba debug log messages are timestamped by default. If you are running at a high debug level these timestamps can be distracting. This boolean parameter allows timestamping to be turned off.

Default: debug timestamp = yes

debug uid (G)
Samba is sometimes run as root and sometimes run as the connected user; this boolean parameter inserts the current euid, egid, uid and gid into the timestamp message headers in the log file if turned on.

Note that the parameter debug timestamp must be on for this to have an effect.

Default: debug uid = no

default case (S)
See the section on name mangling. Also note the short preserve case parameter.

Default: default case = lower

default devmode (S)
This parameter is only applicable to printable services. When smbd is serving Printer Drivers to Windows NT/2k/XP clients, each printer on the Samba server has a Device Mode which defines things such as paper size and orientation and duplex settings. The device mode can only correctly be generated by the printer driver itself (which can only be executed on a Win32 platform). Because smbd is unable to execute the driver code to generate the device mode, the default behavior is to set this field to NULL.

Most problems with serving printer drivers to Windows NT/2k/XP clients can be traced to a problem with the generated device mode. Certain drivers will do things such as crashing the client's Explorer.exe with a NULL devmode. However, other printer drivers can cause the client's spooler service (spoolsv.exe) to die if the devmode was not created by the driver itself (i.e. smbd generates a default devmode).

This parameter should be used with care and tested with the printer driver in question. It is better to leave the device mode to NULL and let the Windows client set the correct values. Because drivers do not do this all the time, setting default devmode = yes will instruct smbd to generate a default one.

For more information on Windows NT/2k printing and Device Modes, see the MSDN documentation.

Default: default devmode = yes

default
This parameter is a synonym for default service.

default service (G)
This parameter specifies the name of a service which will be connected to if the service actually requested cannot be found. Note that the square brackets are NOT given in the parameter value (see example below).

There is no default value for this parameter. If this parameter is not given, attempting to connect to a nonexistent service results in an error.

Typically the default service would be a guest ok, read-only service.

Also note that the apparent service name will be changed to equal that of the requested service; this is very useful as it allows you to use macros like %S to make a wildcard service.

Note also that any "_" characters in the name of the service used in the default service will get mapped to a "/". This allows for interesting things.

Default: default service =

Example: default service = pub

defer sharing violations (G)
Windows allows specifying how a file will be shared with other processes when it is opened. Sharing violations occur when a file is opened by a different process using options that violate the share settings specified by other processes. This parameter causes smbd to act as a Windows server does, and defer returning a "sharing violation" error message for up to one second, allowing the client to close the file causing the violation in the meantime.

UNIX by default does not have this behaviour.

There should be no reason to turn off this parameter, as it is designed to enable Samba to more correctly emulate Windows.

Default: defer sharing violations = True

delete group script (G)
This is the full pathname to a script that will be run AS ROOT by smbd(8) when a group is requested to be deleted. It will expand any %g to the group name passed. This script is only useful for installations using the Windows NT domain administration tools.

Default: delete group script =

deleteprinter command (G)
With the introduction of MS-RPC based printer support for Windows NT/2000 clients in Samba 2.2, it is now possible to delete a printer at run time by issuing the DeletePrinter() RPC call.

For a Samba host this means that the printer must be physically deleted from the underlying printing system. The deleteprinter command defines a script to be run which will perform the necessary operations for removing the printer from the print system and from smb.conf.

The deleteprinter command is automatically called with only one parameter: printer name.

Once the deleteprinter command has been executed, smbd will reparse the smb.conf to check that the associated printer no longer exists. If the sharename is still valid, then smbd will return an ACCESS_DENIED error to the client.

Default: deleteprinter command =

Example: deleteprinter command = /usr/bin/removeprinter

delete readonly (S)
This parameter allows readonly files to be deleted. This is not normal DOS semantics, but is allowed by UNIX.

This option may be useful for running applications such as rcs, where UNIX file ownership prevents changing file permissions, and DOS semantics prevent deletion of a read only file.

Default: delete readonly = no

1547 delete share command (G)
1548 Samba 2.2.0 introduced the ability to dynamically add and delete
1549 shares via the Windows NT 4.0 Server Manager. The delete share com‐
1550 mand is used to define an external program or script which will
1551 remove an existing service definition from smb.conf. In order to
1552 successfully execute the delete share command, smbd requires that
1553 the administrator be connected using a root account (i.e. uid == 0).
1554
1555 When executed, smbd will automatically invoke the delete share com‐
1556 mand with two parameters.
1557
1558 · configFile - the location of the global smb.conf file.
1559
1560 · shareName - the name of the existing service.
1561
1562 This parameter is only used to remove file shares. To delete
1563 printer shares, see the deleteprinter command.
1564
1565 Default: delete share command =
1566
1567 Example: delete share command = /usr/local/bin/delshare
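     The following is an added example of what a delete share command
     hook could be built around; it is not part of this man page and not
     Samba's own code. It takes the two arguments smbd passes (configFile
     and shareName), refuses share names that are not plain identifiers,
     since the hook runs with uid 0 and the name is chosen by a remote
     administrator, and strips the matching section up to the next section
     header. The function name remove_share_section and the temporary file
     naming are this example's own choices.

```sh
#!/bin/sh
# Hypothetical "delete share command" hook (example, not Samba's code):
#   remove_share_section CONFIGFILE SHARENAME
# smbd runs this as root, so the client-supplied share name is validated
# before it is used anywhere.
remove_share_section() {
    conf=$1
    share=$2

    # Accept only plain share names: anything that could act as a path,
    # regex or shell metacharacter is rejected, and [global] is never removed.
    case "$share" in
        '' | *[!A-Za-z0-9._-]*) echo "refusing share name: $share" >&2; return 2 ;;
    esac
    case "$(printf '%s' "$share" | tr 'A-Z' 'a-z')" in
        global) echo "refusing to remove [global]" >&2; return 2 ;;
    esac
    [ -f "$conf" ] || { echo "no such config file: $conf" >&2; return 1; }

    tmp="$conf.delshare.$$"
    # cp -p keeps the mode of smb.conf on the replacement file.
    cp -p -- "$conf" "$tmp" || return 1
    # Section names are not case sensitive, so compare them lower-cased.
    # A section runs from its [name] header up to the next header;
    # everything in between is dropped.
    awk -v name="$share" '
        /^[ \t]*\[/ {
            sec = $0
            sub(/^[ \t]*\[/, "", sec)
            sub(/\].*$/, "", sec)
            skipping = (tolower(sec) == tolower(name))
        }
        !skipping { print }
    ' "$conf" > "$tmp" || { rm -f -- "$tmp"; return 1; }
    mv -- "$tmp" "$conf"
}

# When invoked by smbd: argv[1] is configFile, argv[2] is shareName.
if [ "$#" -eq 2 ]; then
    remove_share_section "$1" "$2"
fi
```

     The rename at the end replaces smb.conf atomically, so a concurrent
     reparse by smbd sees either the old or the new file, never a
     half-written one.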
1568
1569 delete user from group script (G)
1570 Full path to the script that will be called when a user is removed
1571 from a group using the Windows NT domain administration tools. It
1572 will be run by smbd(8) AS ROOT. Any %g will be replaced with the
1573 group name and any %u will be replaced with the user name.
1574
1575 Default: delete user from group script =
1576
1577 Example: delete user from group script = /usr/sbin/deluser %u %g
1578
1579 delete user script (G)
1580 This is the full pathname to a script that will be run by smbd(8)
1581 when managing users with remote RPC (NT) tools.
1582
1583 This script is called when a remote client removes a user from the
1584 server, normally using 'User Manager for Domains' or rpcclient.
1585
1586 This script should delete the given UNIX username.
1587
1588 Default: delete user script =
1589
1590 Example: delete user script = /usr/local/samba/bin/del_user %u
1591
1592 delete veto files (S)
1593 This option is used when Samba is attempting to delete a directory
1594 that contains one or more vetoed directories (see the veto files
1595 option). If this option is set to no (the default) then if a vetoed
1596 directory contains any non-vetoed files or directories then the
1597 directory delete will fail. This is usually what you want.
1598
1599 If this option is set to yes, then Samba will attempt to recursively
1600 delete any files and directories within the vetoed directory. This
1601 can be useful for integration with file serving systems such as
1602 NetAtalk which create meta-files within directories you might nor‐
1603 mally veto DOS/Windows users from seeing (e.g. .AppleDouble)
1604
1605 Setting delete veto files = yes allows these directories to be
1606 transparently deleted when the parent directory is deleted (so long
1607 as the user has permissions to do so).
1608
1609 Default: delete veto files = no
1610
1611 dfree cache time (S)
1612 The dfree cache time should only be used on systems where a problem
1613 occurs with the internal disk space calculations. This has been
1614 known to happen with Ultrix, but may occur with other operating sys‐
1615 tems. The symptom that was seen was an error of "Abort Retry Ignore"
1616 at the end of each directory listing.
1617
     This is a new parameter introduced in Samba version 3.0.21. It
     specifies in seconds the time that smbd will cache the output of a
     disk free query. If set to zero (the default) no caching is done.
     This allows a heavily loaded server to prevent rapid spawning of
     dfree command scripts from increasing the load.

     Default: dfree cache time = 0

     Example: dfree cache time = 60
1629
1630 dfree command (S)
1631 The dfree command setting should only be used on systems where a
1632 problem occurs with the internal disk space calculations. This has
1633 been known to happen with Ultrix, but may occur with other operating
1634 systems. The symptom that was seen was an error of "Abort Retry
1635 Ignore" at the end of each directory listing.
1636
1637 This setting allows the replacement of the internal routines to cal‐
1638 culate the total disk space and amount available with an external
1639 routine. The example below gives a possible script that might ful‐
1640 fill this function.
1641
1642 In Samba version 3.0.21 this parameter has been changed to be a per-
1643 share parameter, and in addition the parameter dfree cache time was
1644 added to allow the output of this script to be cached for systems
1645 under heavy load.
1646
1647 The external program will be passed a single parameter indicating a
1648 directory in the filesystem being queried. This will typically con‐
1649 sist of the string ./. The script should return two integers in
1650 ASCII. The first should be the total disk space in blocks, and the
1651 second should be the number of available blocks. An optional third
1652 return value can give the block size in bytes. The default blocksize
1653 is 1024 bytes.
1654
1655 Note: Your script should NOT be setuid or setgid and should be owned
1656 by (and writeable only by) root!
1657
1658 Where the script dfree (which must be made executable) could be:
1659
1660
1661
1662
     #!/bin/sh
     # print total blocks, then available blocks, from the last df line
     df "$1" | tail -1 | awk '{print $2" "$4}'
1665
1666 or perhaps (on Sys V based systems):
1667
1668
1669
1670
     #!/bin/sh
     # Sys V df -k: total blocks are field 3, available blocks field 5
     /usr/bin/df -k "$1" | tail -1 | awk '{print $3" "$5}'
1673
1674 Note that you may have to replace the command names with full path
1675 names on some systems.
1676
1677 By default internal routines for determining the disk capacity and
1678 remaining space will be used.
1679
1680 No default
1681
1682 Example: dfree command = /usr/local/samba/bin/dfree
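     The following is an added example, not part of this man page and
     not Samba's own code, of a dfree script that returns all three values
     smbd accepts, together with the ownership and permission check that
     the note above asks for. It uses df -P, the POSIX form that prints one
     line per filesystem, so a long device name cannot push the numbers
     onto a second line. The function names dfree_report and
     hook_script_is_safe are this example's own.

```sh
#!/bin/sh
# Added example of a "dfree command" script plus a safety check for any
# script smbd executes. Function names are this example's own.

# dfree_report DIR: print "<total blocks> <available blocks> <block size>"
# in the form smbd expects. df -P (POSIX) guarantees one output line per
# filesystem; -k makes the unit 1024-byte blocks, which is reported as the
# optional third value.
dfree_report() {
    dir=${1:-.}
    [ -d "$dir" ] || return 1
    df -P -k "$dir" | awk 'NR == 2 && NF >= 6 { print $2, $4, 1024 }'
}

# hook_script_is_safe FILE: true only if FILE is owned by uid 0, is not
# writable by group or others, and carries no setuid/setgid bit, which is
# the state the note above requires for anything smbd runs.
hook_script_is_safe() {
    [ -f "$1" ] || return 1
    # ls -ldn: field 1 is the mode string, field 3 the numeric owner uid.
    # Mode string positions: 4 = user x/s, 6 = group w, 7 = group x/s,
    # 9 = other w.
    ls -ldn -- "$1" | awk '
        {
            mode = $1; uid = $3
            ok = (uid == 0)
            if (substr(mode, 6, 1) == "w" || substr(mode, 9, 1) == "w") ok = 0
            if (substr(mode, 4, 1) ~ /[sS]/ || substr(mode, 7, 1) ~ /[sS]/) ok = 0
            exit !ok
        }'
}

# When invoked by smbd: the directory is the only argument (usually "./").
if [ "$#" -eq 1 ]; then
    dfree_report "$1"
fi
```

     Run hook_script_is_safe against every script named in a *command or
     *script parameter before pointing smb.conf at it; a script writable by
     an unprivileged user is a direct route to code execution as root.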
1683
1684 directory mode
1685 This parameter is a synonym for directory mask.
1686
1687 directory mask (S)
1688 This parameter is the octal modes which are used when converting DOS
1689 modes to UNIX modes when creating UNIX directories.
1690
1691 When a directory is created, the necessary permissions are calcu‐
1692 lated according to the mapping from DOS modes to UNIX permissions,
1693 and the resulting UNIX mode is then bit-wise 'AND'ed with this
1694 parameter. This parameter may be thought of as a bit-wise MASK for
1695 the UNIX modes of a directory. Any bit not set here will be removed
1696 from the modes set on a directory when it is created.
1697
1698 The default value of this parameter removes the 'group' and 'other'
1699 write bits from the UNIX mode, allowing only the user who owns the
1700 directory to modify it.
1701
     Following this Samba will bit-wise 'OR' the UNIX mode created from
     this parameter with the value of the force directory mode parameter.
     The force directory mode parameter is set to 000 by default (i.e. no
     extra mode bits are added).
1706
1707 Note that this parameter does not apply to permissions set by Win‐
1708 dows NT/2000 ACL editors. If the administrator wishes to enforce a
1709 mask on access control lists also, they need to set the directory
1710 security mask.
1711
1712 Default: directory mask = 0755
1713
1714 Example: directory mask = 0775
1715
1716 directory security mask (S)
1717 This parameter controls what UNIX permission bits can be modified
1718 when a Windows NT client is manipulating the UNIX permission on a
1719 directory using the native NT security dialog box.
1720
     This parameter is applied as a mask (AND'ed with) to the changed
     permission bits, thus preventing any bits not in this mask from
     being modified. Make sure not to mix up this parameter with force
     directory security mode, which works similarly to this one but uses
     logical OR instead of AND. Essentially, zero bits in this mask may
     be treated as a set of bits the user is not allowed to change.
1727
1728 If not set explicitly this parameter is set to 0777 meaning a user
1729 is allowed to modify all the user/group/world permissions on a
1730 directory.
1731
1732 Note that users who can access the Samba server through other means
1733 can easily bypass this restriction, so it is primarily useful for
1734 standalone "appliance" systems. Administrators of most normal sys‐
1735 tems will probably want to leave it as the default of 0777.
1736
1737 Default: directory security mask = 0777
1738
1739 Example: directory security mask = 0700
1740
1741 disable netbios (G)
1742 Enabling this parameter will disable netbios support in Samba. Net‐
1743 bios is the only available form of browsing in all windows versions
1744 except for 2000 and XP.
1745
     Note
     Clients that only support netbios won't be able to see your samba
     server when netbios support is disabled.

     Default: disable netbios = no
1750
1751 disable spoolss (G)
1752 Enabling this parameter will disable Samba's support for the SPOOLSS
1753 set of MS-RPC's and will yield identical behavior as Samba 2.0.x.
1754 Windows NT/2000 clients will downgrade to using Lanman style print‐
1755 ing commands. Windows 9x/ME will be unaffected by the parameter.
1756 However, this will also disable the ability to upload printer driv‐
1757 ers to a Samba server via the Windows NT Add Printer Wizard or by
1758 using the NT printer properties dialog window. It will also disable
1759 the capability of Windows NT/2000 clients to download print drivers
1760 from the Samba host upon demand. Be very careful about enabling
1761 this parameter.
1762
1763 Default: disable spoolss = no
1764
1765 display charset (G)
1766 Specifies the charset that samba will use to print messages to std‐
1767 out and stderr. The default value is "LOCALE", which means automati‐
1768 cally set, depending on the current locale. The value should gener‐
1769 ally be the same as the value of the parameter unix charset.
1770
1771 Default: display charset = "LOCALE" or "ASCII" (depending on the
1772 system)
1773
1774 Example: display charset = UTF8
1775
1776 dmapi support (S)
1777 This parameter specifies whether Samba should use DMAPI to determine
1778 whether a file is offline or not. This would typically be used in
1779 conjunction with a hierarchical storage system that automatically
1780 migrates files to tape.
1781
     Note that Samba infers the status of a file by examining the events
     that a DMAPI application has registered interest in. This heuristic
     is satisfactory for a number of hierarchical storage systems, but
     there may be systems for which it will fail. In this case, Samba may
     erroneously report files to be offline.

     This parameter is only available if a supported DMAPI implementation
     was found at compilation time. It will only be used if DMAPI is
     found to be enabled on the system at run time.

     Default: dmapi support = no
1795
1796 dns proxy (G)
1797 Specifies that nmbd(8) when acting as a WINS server and finding that
1798 a NetBIOS name has not been registered, should treat the NetBIOS
1799 name word-for-word as a DNS name and do a lookup with the DNS server
1800 for that name on behalf of the name-querying client.
1801
1802 Note that the maximum length for a NetBIOS name is 15 characters, so
1803 the DNS name (or DNS alias) can likewise only be 15 characters, max‐
1804 imum.
1805
1806 nmbd spawns a second copy of itself to do the DNS name lookup
1807 requests, as doing a name lookup is a blocking action.
1808
1809 Default: dns proxy = yes
1810
1811 domain logons (G)
1812 If set to yes, the Samba server will provide the netlogon service
1813 for Windows 9X network logons for the workgroup it is in. This will
1814 also cause the Samba server to act as a domain controller for NT4
1815 style domain services. For more details on setting up this feature
1816 see the Domain Control chapter of the Samba HOWTO Collection.
1817
1818 Default: domain logons = no
1819
1820 domain master (G)
1821 Tell smbd(8) to enable WAN-wide browse list collation. Setting this
1822 option causes nmbd to claim a special domain specific NetBIOS name
1823 that identifies it as a domain master browser for its given work‐
1824 group. Local master browsers in the same workgroup on broadcast-iso‐
1825 lated subnets will give this nmbd their local browse lists, and then
1826 ask smbd(8) for a complete copy of the browse list for the whole
1827 wide area network. Browser clients will then contact their local
1828 master browser, and will receive the domain-wide browse list,
1829 instead of just the list for their broadcast-isolated subnet.
1830
1831 Note that Windows NT Primary Domain Controllers expect to be able to
1832 claim this workgroup specific special NetBIOS name that identifies
1833 them as domain master browsers for that workgroup by default (i.e.
1834 there is no way to prevent a Windows NT PDC from attempting to do
1835 this). This means that if this parameter is set and nmbd claims the
1836 special name for a workgroup before a Windows NT PDC is able to do
1837 so then cross subnet browsing will behave strangely and may fail.
1838
1839 If domain logons = yes, then the default behavior is to enable the
1840 domain master parameter. If domain logons is not enabled (the
1841 default setting), then neither will domain master be enabled by
1842 default.
1843
1844 When domain logons = Yes the default setting for this parameter is
1845 Yes, with the result that Samba will be a PDC. If domain master =
1846 No, Samba will function as a BDC. In general, this parameter should
1847 be set to 'No' only on a BDC.
1848
1849 Default: domain master = auto
1850
1851 dont descend (S)
1852 There are certain directories on some systems (e.g., the /proc tree
1853 under Linux) that are either not of interest to clients or are in‐
1854 finitely deep (recursive). This parameter allows you to specify a
1855 comma-delimited list of directories that the server should always
1856 show as empty.
1857
     Note that Samba can be very fussy about the exact format of the
     "dont descend" entries. For example you may need ./proc instead of
     just /proc. Experimentation is the best policy :-)
1862
1863 Default: dont descend =
1864
1865 Example: dont descend = /proc,/dev
1866
1867 dos charset (G)
1868 DOS SMB clients assume the server has the same charset as they do.
1869 This option specifies which charset Samba should talk to DOS
1870 clients.
1871
1872 The default depends on which charsets you have installed. Samba
1873 tries to use charset 850 but falls back to ASCII in case it is not
1874 available. Run testparm(1) to check the default on your system.
1875
1876 No default
1877
1878 dos filemode (S)
1879 The default behavior in Samba is to provide UNIX-like behavior where
1880 only the owner of a file/directory is able to change the permissions
1881 on it. However, this behavior is often confusing to DOS/Windows
1882 users. Enabling this parameter allows a user who has write access to
1883 the file (by whatever means) to modify the permissions (including
1884 ACL) on it. Note that a user belonging to the group owning the file
1885 will not be allowed to change permissions if the group is only
1886 granted read access. Ownership of the file/directory may also be
1887 changed.
1888
1889 Default: dos filemode = no
1890
1891 dos filetime resolution (S)
1892 Under the DOS and Windows FAT filesystem, the finest granularity on
1893 time resolution is two seconds. Setting this parameter for a share
1894 causes Samba to round the reported time down to the nearest two sec‐
1895 ond boundary when a query call that requires one second resolution
1896 is made to smbd(8).
1897
1898 This option is mainly used as a compatibility option for Visual C++
1899 when used against Samba shares. If oplocks are enabled on a share,
1900 Visual C++ uses two different time reading calls to check if a file
1901 has changed since it was last read. One of these calls uses a one-
1902 second granularity, the other uses a two second granularity. As the
1903 two second call rounds any odd second down, then if the file has a
1904 timestamp of an odd number of seconds then the two timestamps will
1905 not match and Visual C++ will keep reporting the file has changed.
1906 Setting this option causes the two timestamps to match, and Visual
1907 C++ is happy.
1908
1909 Default: dos filetime resolution = no
1910
1911 dos filetimes (S)
1912 Under DOS and Windows, if a user can write to a file they can change
1913 the timestamp on it. Under POSIX semantics, only the owner of the
1914 file or root may change the timestamp. By default, Samba runs with
1915 POSIX semantics and refuses to change the timestamp on a file if the
     user smbd is acting on behalf of is not the file owner. Setting this
     option to yes allows DOS semantics and smbd(8) will change the file
     timestamp as DOS requires. Due to changes in Microsoft Office 2000
     and beyond, the default for this parameter has been changed from "no"
     to "yes" in Samba 3.0.14 and above. Microsoft Excel will display
     dialog box warnings about the file being changed by another user if
     this parameter is not set to "yes" and files are being shared
     between users.
1924
1925 Default: dos filetimes = yes
1926
1927 ea support (S)
1928 This boolean parameter controls whether smbd(8) will allow clients
1929 to attempt to store OS/2 style Extended attributes on a share. In
1930 order to enable this parameter the underlying filesystem exported by
1931 the share must support extended attributes (such as provided on XFS
1932 and EXT3 on Linux, with the correct kernel patches). On Linux the
1933 filesystem must have been mounted with the mount option user_xattr
1934 in order for extended attributes to work, also extended attributes
1935 must be compiled into the Linux kernel.
1936
1937 Default: ea support = no
1938
1939 enable asu support (G)
     Hosts running the "Advanced Server for Unix (ASU)" product require
     some special accommodations such as creating a builtin [ADMIN$]
     share that only supports IPC connections. This has been the default
     behavior in smbd for many years. However, certain Microsoft
     applications such as the Print Migrator tool require that the remote
     server support an [ADMIN$] file share. Disabling this parameter
     allows for creating an [ADMIN$] file share in smb.conf.
1947
1948 Default: enable asu support = no
1949
1950 enable privileges (G)
1951 This parameter controls whether or not smbd will honor privileges
1952 assigned to specific SIDs via either net rpc rights or one of the
1953 Windows user and group manager tools. This parameter is enabled by
1954 default. It can be disabled to prevent members of the Domain Admins
1955 group from being able to assign privileges to users or groups which
1956 can then result in certain smbd operations running as root that
1957 would normally run under the context of the connected user.
1958
1959 An example of how privileges can be used is to assign the right to
1960 join clients to a Samba controlled domain without providing root
1961 access to the server via smbd.
1962
1963 Please read the extended description provided in the Samba HOWTO
1964 documentation.
1965
1966 Default: enable privileges = yes
1967
1968 encrypt passwords (G)
1969 This boolean controls whether encrypted passwords will be negotiated
1970 with the client. Note that Windows NT 4.0 SP3 and above and also
1971 Windows 98 will by default expect encrypted passwords unless a reg‐
1972 istry entry is changed. To use encrypted passwords in Samba see the
1973 chapter "User Database" in the Samba HOWTO Collection.
1974
1975 MS Windows clients that expect Microsoft encrypted passwords and
1976 that do not have plain text password support enabled will be able to
1977 connect only to a Samba server that has encrypted password support
1978 enabled and for which the user accounts have a valid encrypted pass‐
1979 word. Refer to the smbpasswd command man page for information
1980 regarding the creation of encrypted passwords for user accounts.
1981
1982 The use of plain text passwords is NOT advised as support for this
1983 feature is no longer maintained in Microsoft Windows products. If
1984 you want to use plain text passwords you must set this parameter to
1985 no.
1986
1987 In order for encrypted passwords to work correctly smbd(8) must
1988 either have access to a local smbpasswd(5) file (see the smb‐
1989 passwd(8) program for information on how to set up and maintain this
1990 file), or set the security = [server|domain|ads] parameter which
1991 causes smbd to authenticate against another server.
1992
1993 Default: encrypt passwords = yes
1994
1995 enhanced browsing (G)
1996 This option enables a couple of enhancements to cross-subnet browse
1997 propagation that have been added in Samba but which are not standard
1998 in Microsoft implementations.
1999
2000 The first enhancement to browse propagation consists of a regular
2001 wildcard query to a Samba WINS server for all Domain Master
2002 Browsers, followed by a browse synchronization with each of the
2003 returned DMBs. The second enhancement consists of a regular ran‐
2004 domised browse synchronization with all currently known DMBs.
2005
2006 You may wish to disable this option if you have a problem with empty
2007 workgroups not disappearing from browse lists. Due to the restric‐
2008 tions of the browse protocols these enhancements can cause a empty
2009 workgroup to stay around forever which can be annoying.
2010
2011 In general you should leave this option enabled as it makes cross-
2012 subnet browse propagation much more reliable.
2013
2014 Default: enhanced browsing = yes
2015
2016 enumports command (G)
2017 The concept of a "port" is fairly foreign to UNIX hosts. Under Win‐
2018 dows NT/2000 print servers, a port is associated with a port monitor
2019 and generally takes the form of a local port (i.e. LPT1:, COM1:,
2020 FILE:) or a remote port (i.e. LPD Port Monitor, etc...). By default,
2021 Samba has only one port defined--"Samba Printer Port". Under Windows
2022 NT/2000, all printers must have a valid port name. If you wish to
2023 have a list of ports displayed (smbd does not use a port name for
2024 anything) other than the default "Samba Printer Port", you can
2025 define enumports command to point to a program which should generate
2026 a list of ports, one per line, to standard output. This listing will
2027 then be used in response to the level 1 and 2 EnumPorts() RPC.
2028
2029 Default: enumports command =
2030
2031 Example: enumports command = /usr/bin/listports
2032
2033 eventlog list (G)
2034 This option defines a list of log names that Samba will report to
2035 the Microsoft EventViewer utility. The listed eventlogs will be
2036 associated with tdb file on disk in the $(lockdir)/eventlog.
2037
     The administrator must use an external process to parse the normal
     Unix logs such as /var/log/messages and write the entries to the
     eventlog tdb files. Refer to the eventlogadm(8) utility for how to
     write eventlog entries.
2042
2043 Default: eventlog list =
2044
2045 Example: eventlog list = Security Application Syslog Apache
2046
2047 fake directory create times (S)
2048 NTFS and Windows VFAT file systems keep a create time for all files
2049 and directories. This is not the same as the ctime - status change
2050 time - that Unix keeps, so Samba by default reports the earliest of
2051 the various times Unix does keep. Setting this parameter for a share
2052 causes Samba to always report midnight 1-1-1980 as the create time
2053 for directories.
2054
2055 This option is mainly used as a compatibility option for Visual C++
2056 when used against Samba shares. Visual C++ generated makefiles have
2057 the object directory as a dependency for each object file, and a
2058 make rule to create the directory. Also, when NMAKE compares time‐
2059 stamps it uses the creation time when examining a directory. Thus
2060 the object directory will be created if it does not exist, but once
2061 it does exist it will always have an earlier timestamp than the
2062 object files it contains.
2063
     However, Unix time semantics mean that the create time reported by
     Samba will be updated whenever a file is created or deleted in the
     directory. NMAKE finds all object files in the object directory. The
     timestamp of the last one built is then compared to the timestamp of
     the object directory. If the directory's timestamp is newer, then
     all object files will be rebuilt. Enabling this option ensures
     directories always predate their contents and an NMAKE build will
     proceed as expected.
2072
2073 Default: fake directory create times = no
2074
2075 fake oplocks (S)
2076 Oplocks are the way that SMB clients get permission from a server to
2077 locally cache file operations. If a server grants an oplock (oppor‐
2078 tunistic lock) then the client is free to assume that it is the only
2079 one accessing the file and it will aggressively cache file data.
2080 With some oplock types the client may even cache file open/close
2081 operations. This can give enormous performance benefits.
2082
2083 When you set fake oplocks = yes, smbd(8) will always grant oplock
2084 requests no matter how many clients are using the file.
2085
2086 It is generally much better to use the real oplocks support rather
2087 than this parameter.
2088
2089 If you enable this option on all read-only shares or shares that you
2090 know will only be accessed from one client at a time such as physi‐
2091 cally read-only media like CDROMs, you will see a big performance
2092 improvement on many operations. If you enable this option on shares
2093 where multiple clients may be accessing the files read-write at the
2094 same time you can get data corruption. Use this option carefully!
2095
2096 Default: fake oplocks = no
2097
2098 follow symlinks (S)
2099 This parameter allows the Samba administrator to stop smbd(8) from
2100 following symbolic links in a particular share. Setting this parame‐
2101 ter to no prevents any file or directory that is a symbolic link
2102 from being followed (the user will get an error). This option is
2103 very useful to stop users from adding a symbolic link to /etc/passwd
2104 in their home directory for instance. However it will slow filename
2105 lookups down slightly.
2106
2107 This option is enabled (i.e. smbd will follow symbolic links) by
2108 default.
2109
2110 Default: follow symlinks = yes
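     The following is an added example, not part of this man page and
     not Samba's own code, of the audit a practitioner runs before
     deciding whether a share can keep follow symlinks = yes: it lists
     every symbolic link under a share root whose fully resolved target
     lies outside that root, which is exactly the /etc/passwd case
     described above. It assumes a readlink that supports -f (GNU or
     BSD); the function name find_escaping_symlinks is this example's own.

```sh
#!/bin/sh
# Added example: audit a share tree for symbolic links that resolve to
# paths outside it. With follow symlinks = yes (the default) such a link
# lets a client read or write the target through the share.

# find_escaping_symlinks SHAREROOT: print "link -> resolved target" for
# every symlink under SHAREROOT whose resolved target is not inside
# SHAREROOT. Dangling links are reported too, since they can be pointed
# at a real target later. Exit status is 0 when nothing escapes, 1 when at
# least one link does, 2 when SHAREROOT is not a directory.
find_escaping_symlinks() {
    root=$(readlink -f -- "$1") || return 2
    [ -d "$root" ] || return 2
    find "$root" -type l -print | while IFS= read -r link; do
        # readlink -f follows every component, so a link that reaches
        # outside via an intermediate link is still caught.
        target=$(readlink -f -- "$link") || target=""
        case "$target" in
            "$root" | "$root"/*) ;;     # resolves inside the share: fine
            *) printf '%s -> %s\n' "$link" "${target:-<dangling>}" ;;
        esac
    done | awk '{ print; n++ } END { exit (n > 0) }'
}

# When run as a script: audit the directory given on the command line.
if [ "$#" -eq 1 ]; then
    find_escaping_symlinks "$1"
fi
```

     A non-zero exit from this audit on a share that users can write to
     is the signal to set follow symlinks = no for that share.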
2111
2112 force create mode (S)
2113 This parameter specifies a set of UNIX mode bit permissions that
2114 will always be set on a file created by Samba. This is done by bit‐
2115 wise 'OR'ing these bits onto the mode bits of a file that is being
2116 created or having its permissions changed. The default for this
2117 parameter is (in octal) 000. The modes in this parameter are bitwise
2118 'OR'ed onto the file mode after the mask set in the create mask
2119 parameter is applied.
2120
2121 The example below would force all created files to have read and
2122 execute permissions set for 'group' and 'other' as well as the
2123 read/write/execute bits set for the 'user'.
2124
2125 Default: force create mode = 000
2126
2127 Example: force create mode = 0755
2128
2129 force directory mode (S)
2130 This parameter specifies a set of UNIX mode bit permissions that
2131 will always be set on a directory created by Samba. This is done by
2132 bitwise 'OR'ing these bits onto the mode bits of a directory that is
2133 being created. The default for this parameter is (in octal) 0000
2134 which will not add any extra permission bits to a created directory.
2135 This operation is done after the mode mask in the parameter direc‐
2136 tory mask is applied.
2137
2138 The example below would force all created directories to have read
2139 and execute permissions set for 'group' and 'other' as well as the
2140 read/write/execute bits set for the 'user'.
2141
2142 Default: force directory mode = 000
2143
2144 Example: force directory mode = 0755
2145
2146 force directory security mode (S)
2147 This parameter controls what UNIX permission bits can be modified
2148 when a Windows NT client is manipulating the UNIX permission on a
2149 directory using the native NT security dialog box.
2150
2151 This parameter is applied as a mask (OR'ed with) to the changed per‐
2152 mission bits, thus forcing any bits in this mask that the user may
2153 have modified to be on. Make sure not to mix up this parameter with
2154 directory security mask, which works in a similar manner to this
2155 one, but uses a logical AND instead of an OR.
2156
     Essentially, the bits set to one in this mask may be treated as a set
     of bits that, when modifying security on a directory, are always
     turned on (1), even where the user's change left them off (0).

     If not set explicitly this parameter is 0000, which allows a user to
     modify all the user/group/world permissions on a directory without
     restrictions.
2164
     Note
     Users who can access the Samba server through other means can easily
     bypass this restriction, so it is primarily useful for standalone
     "appliance" systems. Administrators of most normal systems will
     probably want to leave it set as 0000.

     Default: force directory security mode = 0
2171
2172 Example: force directory security mode = 700
2173
2174 group
2175 This parameter is a synonym for force group.
2176
2177 force group (S)
2178 This specifies a UNIX group name that will be assigned as the
2179 default primary group for all users connecting to this service. This
2180 is useful for sharing files by ensuring that all access to files on
2181 service will use the named group for their permissions checking.
2182 Thus, by assigning permissions for this group to the files and
2183 directories within this service the Samba administrator can restrict
2184 or allow sharing of these files.
2185
2186 In Samba 2.0.5 and above this parameter has extended functionality
2187 in the following way. If the group name listed here has a '+' char‐
2188 acter prepended to it then the current user accessing the share only
2189 has the primary group default assigned to this group if they are
2190 already assigned as a member of that group. This allows an adminis‐
2191 trator to decide that only users who are already in a particular
2192 group will create files with group ownership set to that group. This
2193 gives a finer granularity of ownership assignment. For example, the
2194 setting force group = +sys means that only users who are already in
2195 group sys will have their default primary group assigned to sys when
2196 accessing this Samba share. All other users will retain their ordi‐
2197 nary primary group.
2198
2199 If the force user parameter is also set the group specified in force
2200 group will override the primary group set in force user.
2201
2202 Default: force group =
2203
2204 Example: force group = agroup
2205
2206 force printername (S)
2207 When printing from Windows NT (or later), each printer in smb.conf
2208 has two associated names which can be used by the client. The first
2209 is the sharename (or shortname) defined in smb.conf. This is the
2210 only printername available for use by Windows 9x clients. The second
2211 name associated with a printer can be seen when browsing to the
2212 "Printers" (or "Printers and Faxes") folder on the Samba server.
2213 This is referred to simply as the printername (not to be confused
2214 with the printer name option).
2215
2216 When assigning a new driver to a printer on a remote Windows compat‐
2217 ible print server such as Samba, the Windows client will rename the
2218 printer to match the driver name just uploaded. This can result in
2219 confusion for users when multiple printers are bound to the same
2220 driver. To prevent Samba from allowing the printer's printername to
2221 differ from the sharename defined in smb.conf, set force printername
2222 = yes.
2223
2224 Be aware that enabling this parameter may affect migrating printers
2225 from a Windows server to Samba since Windows has no way to force the
2226 sharename and printername to match.
2227
     It is recommended that this parameter's value not be changed once
     the printer is in use by clients as this could cause a user not to
     be able to delete printer connections from their local Printers
     folder.
2231
2232 Default: force printername = no
2233
2234 force security mode (S)
2235 This parameter controls what UNIX permission bits can be modified
2236 when a Windows NT client is manipulating the UNIX permission on a
2237 file using the native NT security dialog box.
2238
2239 This parameter is applied as a mask (OR'ed with) to the changed per‐
2240 mission bits, thus forcing any bits in this mask that the user may
     have modified to be on. Make sure not to mix up this parameter with
     security mask, which works similarly to this one but uses logical
     AND instead of OR.

     Essentially, the bits set to one in this mask may be treated as a set
     of bits that, when modifying security on a file, the user has always
     set to be on.
2248
2249 If not set explicitly this parameter is set to 0, and allows a user
2250 to modify all the user/group/world permissions on a file, with no
2251 restrictions.
2252
2253 Note that users who can access the Samba server through other means
2254 can easily bypass this restriction, so it is primarily useful for
2255 standalone "appliance" systems. Administrators of most normal sys‐
2256 tems will probably want to leave this set to 0000.
2257
2258 Default: force security mode = 0
2259
2260 Example: force security mode = 700
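As an added example (not Samba's code), the following Python models how the two masks combine with the permission bits a client sends through the NT security dialog: security mask is AND'ed first, then force security mode is OR'ed, so a bit set in force security mode wins even where security mask would clear it. The AND-then-OR order and the 0777 default for security mask are assumptions about smbd, not something this page states.

```python
# Added example, not Samba's code: a model of how smbd combines the
# 'security mask' (logical AND) and 'force security mode' (logical OR)
# parameters with the UNIX permission bits a Windows NT client sets
# through the native NT security dialog.  The AND-then-OR order and
# the 0777 default for 'security mask' are assumptions.

PERM_BITS = 0o777  # user/group/world rwx bits, the only bits these masks touch


def apply_security_masks(requested_mode, security_mask=0o777,
                         force_security_mode=0):
    """Return the mode bits that end up on the file.

    requested_mode:      the user/group/world bits the client asked for
    security_mask:       bits the client is permitted to set (AND)
    force_security_mode: bits that are always turned on (OR)
    """
    requested_mode &= PERM_BITS
    # Bits outside the security mask are dropped before anything else.
    mode = requested_mode & security_mask
    # Bits in force security mode are switched on regardless of the client.
    return mode | force_security_mode


def classify_bits(security_mask=0o777, force_security_mode=0):
    """Describe which of the 0777 bits the client can still control.

    Returns a dict with three disjoint bit masks:
      always_on  - set whatever the client does (force security mode)
      always_off - cleared by security mask and not forced back on
      client     - left entirely to the client's choice
    """
    always_on = force_security_mode & PERM_BITS
    always_off = PERM_BITS & ~security_mask & ~always_on
    client = security_mask & PERM_BITS & ~always_on
    return {"always_on": always_on, "always_off": always_off,
            "client": client}


def policy_summary(security_mask=0o777, force_security_mode=0):
    """Human-readable summary, e.g. for an audit of a share's settings."""
    bits = classify_bits(security_mask, force_security_mode)
    return ("always on: {:04o}, always off: {:04o}, "
            "client controlled: {:04o}").format(
                bits["always_on"], bits["always_off"], bits["client"])


if __name__ == "__main__":
    # The page's own example: force security mode = 700 with the assumed
    # default security mask.  A client that tries to strip all owner
    # bits still ends up with rwx------ for the owner.
    print(oct(apply_security_masks(0o000, 0o777, 0o700)))   # 0o700
    print(oct(apply_security_masks(0o644, 0o777, 0o700)))   # 0o744
    # Default settings (mask 0777, force 0): the client gets exactly what
    # it asked for, with no restrictions.
    print(oct(apply_security_masks(0o644)))                  # 0o644
    print(policy_summary(0o770, 0o700))
```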
2261
2262 force unknown acl user (S)
2263 If this parameter is set, a Windows NT ACL that contains an unknown
2264 SID (security identifier, the representation of a user or group id)
2265 as the owner or group owner of the file will be silently mapped into
2266 the current UNIX uid or gid of the currently connected user.
2267
2268 This is designed to allow Windows NT clients to copy files and fold‐
2269 ers containing ACLs that were created locally on the client machine
2270 and contain users local to that machine only (no domain users) to be
2271 copied to a Samba server (usually with XCOPY /O) and have the
2272 unknown userid and groupid of the file owner map to the current con‐
2273 nected user. This can only be fixed correctly when winbindd allows
2274 arbitrary mapping from any Windows NT SID to a UNIX uid or gid.
2275
2276 Try using this parameter when XCOPY /O gives an ACCESS_DENIED error.
2277
2278 Default: force unknown acl user = no
2279
2280 force user (S)
2281 This specifies a UNIX user name that will be assigned as the default
2282 user for all users connecting to this service. This is useful for
2283 sharing files. You should also use it carefully as using it incor‐
2284 rectly can cause security problems.
2285
2286 This user name only gets used once a connection is established. Thus
2287 clients still need to connect as a valid user and supply a valid
2288 password. Once connected, all file operations will be performed as
2289 the "forced user", no matter what username the client connected as.
2290 This can be very useful.
2291
2292 In Samba 2.0.5 and above this parameter also causes the primary
2293 group of the forced user to be used as the primary group for all
2294 file activity. Prior to 2.0.5 the primary group was left as the pri‐
2295 mary group of the connecting user (this was a bug).
2296
2297 Default: force user =
2298
2299 Example: force user = auser
2300
2301 fstype (S)
2302 This parameter allows the administrator to configure the string that
2303 specifies the type of filesystem a share is using that is reported
2304 by smbd(8) when a client queries the filesystem type for a share.
2305 The default type is NTFS for compatibility with Windows NT but this
2306 can be changed to other strings such as Samba or FAT if required.
2307
2308 Default: fstype = NTFS
2309
2310 Example: fstype = Samba
2311
2312 get quota command (G)
2313 The get quota command should only be used when there is no operat‐
2314 ing system API available that samba can use.
2315
2316 This option is only available if Samba was built with quota support
2317 and a working quota API was found on the system.
2318
2319 This parameter should specify the path to a script that queries the
2320 quota information for the specified user/group for the partition
2321 that the specified directory is on.
2322
2323 Such a script should take 3 arguments:
2324
2325 · directory
2326
2327 · type of query
2328
2329 · uid of user or gid of group
2330
2331 The type of query can be one of :
2332
2333 · 1 - user quotas
2334
2335 · 2 - user default quotas (uid = -1)
2336
2337 · 3 - group quotas
2338
2339 · 4 - group default quotas (gid = -1)
2340
2341 This script should print one line as output with spaces between
2342 the arguments. The arguments are:
2343
2344 · Arg 1 - quota flags (0 = no quotas, 1 = quotas enabled, 2 =
2345 quotas enabled and enforced)
2346
2347 · Arg 2 - number of currently used blocks
2348
2349 · Arg 3 - the softlimit number of blocks
2350
2351 · Arg 4 - the hardlimit number of blocks
2352
2353 · Arg 5 - currently used number of inodes
2354
2355 · Arg 6 - the softlimit number of inodes
2356
2357 · Arg 7 - the hardlimit number of inodes
2358
2359 · Arg 8 (optional) - the number of bytes in a block (default is
2360 1024)
2361
2362 Default: get quota command =
2363
2364 Example: get quota command = /usr/local/sbin/query_quota
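The contract between smbd and the script described above, as an added example that is not part of Samba: a Python script that parses the three arguments, validates the query type (including the uid/gid = -1 rule for default quotas), and prints the one-line reply in the field order listed. The quota table, directory and ids are constructed stand-ins for a real OS quota lookup.

```python
#!/usr/bin/env python3
"""Skeleton 'get quota command' script (added example, not part of Samba).

smbd calls it as:   script <directory> <type> <uid-or-gid>
and reads back one line:
   flags used_blocks soft_blocks hard_blocks used_inodes soft_inodes hard_inodes [blocksize]
"""
import sys

# Constructed sample data standing in for the OS quota API.  Keys are
# (directory, query type, id); a real script would map the directory to
# its partition and call the system's quota tool or API instead.
SAMPLE_QUOTAS = {
    ("/srv/share", 1, 1001): (2, 5120, 10240, 12288, 300, 1000, 1200),
    ("/srv/share", 2, -1):   (1, 0, 20480, 24576, 0, 2000, 2400),
    ("/srv/share", 3, 2001): (2, 800, 4096, 8192, 40, 500, 600),
}
BLOCK_SIZE = 1024          # bytes per block reported in the optional 8th field

QUERY_TYPES = {1: "user quotas", 2: "user default quotas",
               3: "group quotas", 4: "group default quotas"}


def parse_args(argv):
    """Validate the three arguments smbd passes; raise ValueError on bad input."""
    if len(argv) != 3:
        raise ValueError("expected: directory type id")
    directory = argv[0]
    qtype = int(argv[1])
    qid = int(argv[2])
    if qtype not in QUERY_TYPES:
        raise ValueError("type must be 1-4, got %d" % qtype)
    # Default-quota queries (types 2 and 4) are made with uid/gid = -1.
    if qtype in (2, 4) and qid != -1:
        raise ValueError("default quota queries use id -1")
    if qtype in (1, 3) and qid < 0:
        raise ValueError("user/group quota queries need a non-negative id")
    return directory, qtype, qid


def format_quota_line(flags, used_blocks, soft_blocks, hard_blocks,
                      used_inodes, soft_inodes, hard_inodes, block_size=None):
    """Build the single output line in the order smbd expects."""
    if flags not in (0, 1, 2):
        raise ValueError("flags must be 0, 1 or 2")
    fields = [flags, used_blocks, soft_blocks, hard_blocks,
              used_inodes, soft_inodes, hard_inodes]
    if any(f < 0 for f in fields):
        raise ValueError("quota values cannot be negative")
    if block_size is not None:
        fields.append(block_size)   # optional Arg 8; smbd assumes 1024 if omitted
    return " ".join(str(f) for f in fields)


def query(argv, table=SAMPLE_QUOTAS):
    """Answer one smbd query from the table; unknown entries mean 'no quotas'."""
    directory, qtype, qid = parse_args(argv)
    entry = table.get((directory, qtype, qid))
    if entry is None:
        return format_quota_line(0, 0, 0, 0, 0, 0, 0)
    return format_quota_line(*entry, block_size=BLOCK_SIZE)


if __name__ == "__main__":
    try:
        print(query(sys.argv[1:]))
    except ValueError as err:
        sys.stderr.write("query_quota: %s\n" % err)
        sys.exit(1)
```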
2365
2366 getwd cache (G)
2367 This is a tuning option. When this is enabled a caching algorithm
2368 will be used to reduce the time taken for getwd() calls. This can
2369 have a significant impact on performance, especially when the wide
2370 links parameter is set to no.
2371
2372 Default: getwd cache = yes
2373
2374 guest account (G)
2375 This is a username which will be used for access to services which
2376 are specified as guest ok (see below). Whatever privileges this user
2377 has will be available to any client connecting to the guest service.
2378 This user must exist in the password file, but does not require a
2379 valid login. The user account "ftp" is often a good choice for this
2380 parameter.
2381
2382 On some systems the default guest account "nobody" may not be able
2383 to print. Use another account in this case. You should test this by
2384 trying to log in as your guest user (perhaps by using the su - com‐
2385 mand) and trying to print using the system print command such as
2386 lpr(1) or lp(1).
2387
2388 This parameter does not accept % macros, because many parts of the
2389 system require this value to be constant for correct operation.
2390
2391 Default: guest account = nobody # default can be changed at compile-
2392 time
2393
2394 Example: guest account = ftp
2395
2396 public
2397 This parameter is a synonym for guest ok.
2398
2399 guest ok (S)
2400 If this parameter is yes for a service, then no password is required
2401 to connect to the service. Privileges will be those of the guest
2402 account.
2403
2404 This parameter nullifies the benefits of setting restrict anonymous
2405 = 2.
2406
2407 See the section below on security for more information about this
2408 option.
2409
2410 Default: guest ok = no
2411
2412 only guest
2413 This parameter is a synonym for guest only.
2414
2415 guest only (S)
2416 If this parameter is yes for a service, then only guest connections
2417 to the service are permitted. This parameter will have no effect if
2418 guest ok is not set for the service.
2419
2420 See the section below on security for more information about this
2421 option.
2422
2423 Default: guest only = no
2424
2425 hide dot files (S)
2426 This is a boolean parameter that controls whether files starting
2427 with a dot appear as hidden files.
2428
2429 Default: hide dot files = yes
2430
2431 hide files (S)
2432 This is a list of files or directories that are not visible but are
2433 accessible. The DOS 'hidden' attribute is applied to any files or
2434 directories that match.
2435
2436 Each entry in the list must be separated by a '/', which allows spa‐
2437 ces to be included in the entry. '*' and '?' can be used to specify
2438 multiple files or directories as in DOS wildcards.
2439
2440 Each entry must be a Unix path, not a DOS path and must not include
2441 the Unix directory separator '/'.
2442
2443 Note that the case sensitivity option is applicable in hiding files.
2444
2445 Setting this parameter will affect the performance of Samba, as it
2446 will be forced to check all files and directories for a match as
2447 they are scanned.
2448
2449 An example of use of this parameter is:
2450
2451
2452
2453
2454 hide files = /.*/DesktopFolderDB/TrashFor%m/resource.frk/
2455
2456 The example shown above is based on files that the Macintosh SMB
2457 client (DAVE) available from Thursby creates for internal use, and
2458 also still hides all files beginning with a dot.
2459
2460
2461
2462 Default: hide files = # no files are hidden
2463
2464 hide special files (S)
2465 This parameter prevents clients from seeing special files such as
2466 sockets, devices and fifo's in directory listings.
2467
2468 Default: hide special files = no
2469
2470 hide unreadable (S)
2471 This parameter prevents clients from seeing the existence of files
2472 that cannot be read. Defaults to off.
2473
2474 Default: hide unreadable = no
2475
2476 hide unwriteable files (S)
2477 This parameter prevents clients from seeing the existence of files
2478 that cannot be written to. Defaults to off. Note that unwriteable
2479 directories are shown as usual.
2480
2481 Default: hide unwriteable files = no
2482
2483 homedir map (G)
2484 If nis homedir is yes, and smbd(8) is also acting as a Win95/98
2485 logon server then this parameter specifies the NIS (or YP) map from
2486 which the server for the user's home directory should be extracted.
2487 At present, only the Sun auto.home map format is understood. The
2488 form of the map is:
2489
2490
2491
2492
2493 username server:/some/file/system
2494
2495 and the program will extract the servername from before the first
2496 ':'. There should probably be a better parsing system that copes
2497 with different map formats and also Amd (another automounter) maps.
2498
2499 Note
2500 A working NIS client is required on the system for this option to
2501 work.
2501
2501 Default: homedir map =
2502
2503 Example: homedir map = amd.homedir
2504
2505 host msdfs (G)
2506 If set to yes, Samba will act as a Dfs server, and allow Dfs-aware
2507 clients to browse Dfs trees hosted on the server.
2508
2509 See also the msdfs root share level parameter. For more information
2510 on setting up a Dfs tree on Samba, refer to the MSDFS chapter in the
2511 book Samba3-HOWTO.
2512
2513 Default: host msdfs = yes
2514
2515 hostname lookups (G)
2516 Specifies whether samba should use (expensive) hostname lookups or
2517 use the IP addresses instead. One place where hostname lookups are
2518 currently used is when checking the hosts deny and hosts allow
2519 lists.
2520
2521 Default: hostname lookups = no
2522
2523 Example: hostname lookups = yes
2524
2525 allow hosts
2526 This parameter is a synonym for hosts allow.
2527
2528 hosts allow (S)
2529 A synonym for this parameter is allow hosts.
2530
2531 This parameter is a comma, space, or tab delimited set of hosts
2532 which are permitted to access a service.
2533
2534 If specified in the [global] section then it will apply to all ser‐
2535 vices, regardless of whether the individual service has a different
2536 setting.
2537
2538 You can specify the hosts by name or IP number. For example, you
2539 could restrict access to only the hosts on a Class C subnet with
2540 something like allow hosts = 150.203.5. (note the trailing dot). The
2541 full syntax of the list is described in the man page
2542 hosts_access(5). Note that this man page may not be present on your
2543 system, so a brief description will be given here also.
2544
2545 Note that the localhost address 127.0.0.1 will always be allowed
2546 access unless specifically denied by a hosts deny option.
2547
2548 You can also specify hosts by network/netmask pairs and by netgroup
2549 names if your system supports netgroups. The EXCEPT keyword can also
2550 be used to limit a wildcard list. The following examples may provide
2551 some help:
2552
2553 Example 1: allow all IPs in 150.203.*.*; except one
2554
2555 hosts allow = 150.203. EXCEPT 150.203.6.66
2556
2557 Example 2: allow hosts that match the given network/netmask
2558
2559 hosts allow = 150.203.15.0/255.255.255.0
2560
2561 Example 3: allow a couple of hosts
2562
2563 hosts allow = lapland, arvidsjaur
2564
2565 Example 4: allow only hosts in NIS netgroup "foonet", but deny
2566 access from one particular host
2567
2568 hosts allow = @foonet
2569
2570 hosts deny = pirate
2571
2572 Note
2573 Note that access still requires suitable user-level passwords. See
2574 testparm(1) for a way of testing your host access to see if it does
2575 what you expect.
2576
2577 Default: hosts allow = # none (i.e., all hosts permitted access)
2578
2579 Example: hosts allow = 150.203.5. myhost.mynet.edu.au
2580
2581 deny hosts
2582 This parameter is a synonym for hosts deny.
2583
2584 hosts deny (S)
2585 The opposite of hosts allow - hosts listed here are NOT permitted
2586 access to services unless the specific services have their own lists
2587 to override this one. Where the lists conflict, the allow list takes
2588 precedence.
2589
2590 In the event that it is necessary to deny all by default, use the
2591 keyword ALL (or the netmask 0.0.0.0/0) and then explicitly specify
2592 in the hosts allow parameter those hosts that should be permitted
2593 access.
2594
2595 Default: hosts deny = # none (i.e., no hosts specifically excluded)
2596
2597 Example: hosts deny = 150.203.4. badhost.mynet.edu.au
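The evaluation described in the hosts allow and hosts deny entries above, as an added example rather than Samba's own code: a Python checker that handles dotted prefixes, network/netmask pairs (dotted or bit-length mask), hostnames, @netgroups, the EXCEPT keyword, ALL, the localhost rule, and allow-over-deny precedence. The netgroup table is constructed, and the case where both lists are set but neither matches is assumed to fall through to allow.

```python
# Added example, not Samba's code: a model of the hosts allow / hosts deny
# decision for one client.  NETGROUPS is a constructed stand-in for NIS.
import ipaddress

NETGROUPS = {"foonet": {"lapland", "arvidsjaur", "150.203.7.9"}}


def split_host_list(value):
    """hosts allow/deny values are comma, space or tab delimited."""
    return [tok for tok in value.replace(",", " ").split() if tok]


def entry_matches(entry, client_ip, client_name=None, netgroups=NETGROUPS):
    """Does one list entry match this client (by address or by name)?"""
    lowered = entry.lower()
    if lowered == "all":
        return True
    if entry.startswith("@"):
        # netgroup: match the client's name or address against its members
        members = {m.lower() for m in netgroups.get(entry[1:], ())}
        return client_ip in members or (client_name or "").lower() in members
    if "/" in entry:
        # network/netmask pair; the mask may be dotted or a bit length
        try:
            network = ipaddress.ip_network(entry, strict=False)
            return ipaddress.ip_address(client_ip) in network
        except ValueError:
            return False
    if entry.endswith("."):
        # "150.203." matches every address starting with that dotted prefix
        return client_ip.startswith(entry)
    if client_name and lowered == client_name.lower():
        return True
    return entry == client_ip


def list_matches(value, client_ip, client_name=None, netgroups=NETGROUPS):
    """True if the client matches the list, honouring 'a b EXCEPT c d'."""
    tokens = split_host_list(value or "")
    lowered = [t.lower() for t in tokens]
    if "except" in lowered:
        cut = lowered.index("except")
        included, excluded = tokens[:cut], tokens[cut + 1:]
    else:
        included, excluded = tokens, []
    hit = any(entry_matches(e, client_ip, client_name, netgroups)
              for e in included)
    if hit and any(entry_matches(e, client_ip, client_name, netgroups)
                   for e in excluded):
        return False  # matched the wildcard part but is explicitly excepted
    return hit


def allow_access(hosts_allow, hosts_deny, client_ip, client_name=None,
                 netgroups=NETGROUPS):
    """Decide access for one client from the two lists."""
    in_allow = list_matches(hosts_allow, client_ip, client_name, netgroups)
    in_deny = list_matches(hosts_deny, client_ip, client_name, netgroups)
    has_allow = bool(split_host_list(hosts_allow or ""))
    has_deny = bool(split_host_list(hosts_deny or ""))
    # localhost is always allowed unless specifically denied
    if client_ip == "127.0.0.1":
        return not in_deny
    if not has_allow and not has_deny:
        return True            # no lists: all hosts permitted
    if has_allow and not has_deny:
        return in_allow        # only listed hosts get in
    if has_deny and not has_allow:
        return not in_deny     # everyone except the listed hosts
    # both lists set: the allow list takes precedence over the deny list;
    # a client on neither list is assumed to fall through to allow
    if in_allow:
        return True
    return not in_deny


if __name__ == "__main__":
    # The page's Example 4: NIS netgroup allowed, one host denied.
    print(allow_access("@foonet", "pirate", "10.1.1.2", "lapland"))  # True
    print(allow_access("@foonet", "pirate", "10.1.1.3", "pirate"))   # False
    # Deny-all-by-default with an explicit allow list.
    print(allow_access("192.168.1.10", "ALL", "192.168.1.11"))       # False
```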
2598
2599 idmap alloc backend (G)
2600 The idmap alloc backend provides a plugin interface for Winbind to
2601 use when allocating Unix uids/gids for Windows SIDs. This option is
2602 to be used in conjunction with the idmap domains parameter and
2603 refers to the name of the idmap module which will provide the id
2604 allocation functionality. Please refer to the man page for each
2605 idmap plugin to determine whether or not the module implements the
2606 allocation feature. The most common plugins are the tdb
2607 (idmap_tdb(8)) and ldap (idmap_ldap(8)) libraries.
2608
2609 Also refer to the idmap alloc config option.
2610
2611 No default
2612
2613 Example: idmap alloc backend = tdb
2614
2615 idmap alloc config (G)
2616 The idmap alloc config prefix provides a means of managing settings
2617 for the backend defined by the idmap alloc backend parameter. Refer
2618 to the man page for each idmap plugin regarding specific configura‐
2619 tion details.
2620
2621 No default
2622
2623 idmap backend (G)
2624 The idmap backend provides a plugin interface for Winbind to use
2625 varying backends to store SID/uid/gid mapping tables. This option is
2626 mutually exclusive with the newer and more flexible idmap domains
2627 parameter. The main difference between the "idmap backend" and the
2628 "idmap domains" is that the former only allows one backend for all
2629 domains while the latter supports configuring backends on a per
2630 domain basis.
2631
2632 Examples of SID/uid/gid backends include tdb (idmap_tdb(8)), ldap
2633 (idmap_ldap(8)), rid (idmap_rid(8)), and ad (idmap_ad(8)).
2634
2635 Default: idmap backend = tdb
2636
2637 idmap cache time (G)
2638 This parameter specifies the number of seconds that Winbind's idmap
2639 interface will cache positive SID/uid/gid query results.
2640
2641 Default: idmap cache time = 900
2642
2643 idmap config (G)
2644 The idmap config prefix provides a means of managing each domain
2645 defined by the idmap domains option using Samba's parametric option
2646 support. The idmap config prefix should be followed by the name of
2647 the domain, a colon, and a setting specific to the chosen backend.
2648 There are three options available for all domains:
2649
2650
2651 backend = backend_name
2652 Specifies the name of the idmap plugin to use as the
2653 SID/uid/gid backend for this domain.
2654
2655 default = [yes|no]
2656 The default domain/backend will be used for searching for
2657 users and groups not belonging to one of the explicitly listed
2658 domains (matched by comparing the account SID and the domain
2659 SID).
2660
2661 readonly = [yes|no]
2662 Mark the domain as readonly which means that no attempts to
2663 allocate a uid or gid (by the idmap alloc backend) for any
2664 user or group in that domain will be attempted.
2665
2666 The following example illustrates how to configure the
2667 idmap_ad(8) for the CORP domain and the idmap_tdb(8) backend for
2668 all other domains. The TRUSTEDDOMAINS string is simply a key used
2669 to reference the "idmap config" settings and does not represent
2670 the actual name of a domain.
2671
2672
2673 idmap domains = CORP TRUSTEDDOMAINS
2674
2675 idmap config CORP:backend = ad
2676 idmap config CORP:readonly = yes
2677
2678 idmap config TRUSTEDDOMAINS:backend = tdb
2679 idmap config TRUSTEDDOMAINS:default = yes
2680 idmap config TRUSTEDDOMAINS:range = 1000 - 9999
2681
2682 No default
2683
2684 idmap domains (G)
2685 The idmap domains option defines a list of Windows domains which
2686 will each have a separately configured backend for managing Win‐
2687 bind's SID/uid/gid tables. This parameter is mutually exclusive with
2688 the older idmap backend option.
2689
2690 Values consist of the short domain name for Winbind's primary or
2691 collection of trusted domains. You may also use an arbitrary string
2692 to represent a catchall domain backend for any domain not explicitly
2693 listed.
2694
2695 Refer to the idmap config for details about managing the SID/uid/gid
2696 backend for each domain.
2697
2698 No default
2699
2700 Example: idmap domains = default AD CORP
2701
2702 winbind gid
2703 This parameter is a synonym for idmap gid.
2704
2705 idmap gid (G)
2706 The idmap gid parameter specifies the range of group ids that are
2707 allocated for the purpose of mapping UNIX groups to NT group SIDs.
2708 This range of group ids should have no existing local or NIS groups
2709 within it as strange conflicts can occur otherwise.
2710
2711 See also the idmap backend, idmap domains, and idmap config options.
2712
2713 Default: idmap gid =
2714
2715 Example: idmap gid = 10000-20000
2716
2717 idmap negative cache time (G)
2718 This parameter specifies the number of seconds that Winbind's idmap
2719 interface will cache negative SID/uid/gid query results.
2720
2721 Default: idmap negative cache time = 120
2722
2723 winbind uid
2724 This parameter is a synonym for idmap uid.
2725
2726 idmap uid (G)
2727 The idmap uid parameter specifies the range of user ids that are
2728 allocated for use in mapping UNIX users to NT user SIDs. This range
2729 of ids should have no existing local or NIS users within it as
2730 strange conflicts can occur otherwise.
2731
2732 See also the idmap backend, idmap domains, and idmap config options.
2733
2734 Default: idmap uid =
2735
2736 Example: idmap uid = 10000-20000
2737
2738 include (G)
2739 This allows you to include one config file inside another. The file
2740 is included literally, as though typed in place.
2741
2742 It takes the standard substitutions, except %u, %P and %S.
2743
2744 Default: include =
2745
2746 Example: include = /usr/local/samba/lib/admin_smb.conf
2747
2748 inherit acls (S)
2749 This parameter can be used to ensure that if default acls exist on
2750 parent directories, they are always honored when creating a new file
2751 or subdirectory in these parent directories. The default behavior is
2752 to use the unix mode specified when creating the directory. Enabling
2753 this option sets the unix mode to 0777, thus guaranteeing that
2754 default directory acls are propagated.
2755
2756 Default: inherit acls = no
2757
2758 inherit owner (S)
2759 The ownership of new files and directories is normally governed by
2760 effective uid of the connected user. This option allows the Samba
2761 administrator to specify that the ownership for new files and direc‐
2762 tories should be controlled by the ownership of the parent direc‐
2763 tory.
2764
2765 Common scenarios where this behavior is useful are implementing
2766 drop-boxes where users can create and edit files but not delete them
2767 and ensuring that newly created files in a user's roaming profile
2768 directory are actually owned by the user.
2769
2770 Default: inherit owner = no
2771
2772 inherit permissions (S)
2773 The permissions on new files and directories are normally governed
2774 by create mask, directory mask, force create mode and force direc‐
2775 tory mode but the boolean inherit permissions parameter overrides
2776 this.
2777
2778 New directories inherit the mode of the parent directory, including
2779 bits such as setgid.
2780
2781 New files inherit their read/write bits from the parent directory.
2782 Their execute bits continue to be determined by map archive, map
2783 hidden and map system as usual.
2784
2785 Note that the setuid bit is never set via inheritance (the code
2786 explicitly prohibits this).
2787
2788 This can be particularly useful on large systems with many users,
2789 perhaps several thousand, to allow a single [homes] share to be used
2790 flexibly by each user.
2791
2792 Default: inherit permissions = no
2793
2794 interfaces (G)
2795 This option allows you to override the default network interfaces
2796 list that Samba will use for browsing, name registration and other
2797 NBT traffic. By default Samba will query the kernel for the list of
2798 all active interfaces and use any interfaces except 127.0.0.1 that
2799 are broadcast capable.
2800
2801 The option takes a list of interface strings. Each string can be in
2802 any of the following forms:
2803
2804 · a network interface name (such as eth0). This may include
2805 shell-like wildcards so eth* will match any interface starting
2806 with the substring "eth"
2807
2808 · an IP address. In this case the netmask is determined from the
2809 list of interfaces obtained from the kernel
2810
2811 · an IP/mask pair.
2812
2813 · a broadcast/mask pair.
2814
2815 The "mask" parameters can either be a bit length (such as 24 for
2816 a class C network) or a full netmask in dotted decimal form.
2817
2818 The "IP" parameters above can either be a full dotted decimal IP
2819 address or a hostname which will be looked up via the OS's normal
2820 hostname resolution mechanisms.
2821
2822 By default Samba enables all active interfaces that are broadcast
2823 capable except the loopback adaptor (IP address 127.0.0.1).
2824
2825 The example below configures three network interfaces correspond‐
2826 ing to the eth0 device and IP addresses 192.168.2.10 and
2827 192.168.3.10. The netmasks of the latter two interfaces would be
2828 set to 255.255.255.0.
2829
2830 Default: interfaces =
2831
2832 Example: interfaces = eth0 192.168.2.10/24
2833 192.168.3.10/255.255.255.0
2834
2835 invalid users (S)
2836 This is a list of users that should not be allowed to login to this
2837 service. This is really a paranoid check to absolutely ensure an
2838 improper setting does not breach your security.
2839
2840 A name starting with a '@' is interpreted as an NIS netgroup first
2841 (if your system supports NIS), and then as a UNIX group if the name
2842 was not found in the NIS netgroup database.
2843
2844 A name starting with '+' is interpreted only by looking in the UNIX
2845 group database via the NSS getgrnam() interface. A name starting
2846 with '&' is interpreted only by looking in the NIS netgroup database
2847 (this requires NIS to be working on your system). The characters '+'
2848 and '&' may be used at the start of the name in either order so the
2849 value +&group means check the UNIX group database, followed by the
2850 NIS netgroup database, and the value &+group means check the NIS
2851 netgroup database, followed by the UNIX group database (the same as
2852 the '@' prefix).
2853
2854 The current servicename is substituted for %S. This is useful in the
2855 [homes] section.
2856
2857 Default: invalid users = # no invalid users
2858
2859 Example: invalid users = root fred admin @wheel
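The name-prefix rules above, as an added example (not Samba's code): a Python resolver that expands each invalid users entry according to its '@', '+', '&', '+&' or '&+' prefix, substitutes %S, and answers whether a given user is rejected. The UNIX group and NIS netgroup tables are constructed stand-ins for getgrnam() and the netgroup database; the name 'wheel' deliberately exists in both so that the effect of the lookup order is visible.

```python
# Added example, not Samba's code: how the prefixes on an 'invalid users'
# entry choose between the UNIX group database and the NIS netgroup
# database.  Both tables below are constructed stand-ins.
UNIX_GROUPS = {"wheel": {"alice", "bob"}, "staff": {"dave"}}
NIS_NETGROUPS = {"wheel": {"carol"}, "ops": {"erin"}}

# prefix -> order in which the databases are consulted
LOOKUP_ORDER = {
    "@":  ("netgroup", "group"),   # netgroup first, then UNIX group
    "&+": ("netgroup", "group"),   # same as '@'
    "+":  ("group",),              # UNIX group only (NSS getgrnam())
    "&":  ("netgroup",),           # NIS netgroup only
    "+&": ("group", "netgroup"),   # UNIX group first, then netgroup
}


def expand_entry(entry, unix_groups=UNIX_GROUPS, netgroups=NIS_NETGROUPS):
    """Return the set of usernames one entry denotes.

    A bare name is a single user.  A prefixed name is resolved in the
    database order its prefix selects; the first database that knows the
    name wins, and a name found nowhere denotes nobody.
    """
    prefix = ""
    while entry and entry[0] in "@+&":
        prefix += entry[0]
        entry = entry[1:]
    if not prefix:
        return {entry} if entry else set()
    if prefix not in LOOKUP_ORDER:
        raise ValueError("unsupported prefix %r" % prefix)
    for source in LOOKUP_ORDER[prefix]:
        table = netgroups if source == "netgroup" else unix_groups
        if entry in table:
            return set(table[entry])
    return set()


def invalid_users_for(value, service, unix_groups=UNIX_GROUPS,
                      netgroups=NIS_NETGROUPS):
    """Expand a whole 'invalid users' value for the named service."""
    denied = set()
    for entry in value.replace("%S", service).split():
        denied |= expand_entry(entry, unix_groups, netgroups)
    return denied


def is_rejected(username, value, service, unix_groups=UNIX_GROUPS,
                netgroups=NIS_NETGROUPS):
    """True if 'username' may not log in to 'service'."""
    return username in invalid_users_for(value, service, unix_groups,
                                         netgroups)


if __name__ == "__main__":
    # The page's own example: '@wheel' finds the NIS netgroup first, so
    # the members of the UNIX group 'wheel' (alice, bob) are NOT covered.
    print(sorted(invalid_users_for("root fred admin @wheel", "public")))
    # '+wheel' consults only the UNIX group database.
    print(sorted(invalid_users_for("+wheel", "public")))
```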
2860
2861 iprint server (G)
2862 This parameter is only applicable if printing is set to iprint.
2863
2864 If set, this option overrides the ServerName option in the CUPS
2865 client.conf. This is necessary if you have virtual samba servers
2866 that connect to different CUPS daemons.
2867
2868 Default: iprint server = ""
2869
2870 Example: iprint server = MYCUPSSERVER
2871
2872 keepalive (G)
2873 The value of the parameter (an integer) represents the number of
2874 seconds between keepalive packets. If this parameter is zero, no
2875 keepalive packets will be sent. Keepalive packets, if sent, allow
2876 the server to tell whether a client is still present and responding.
2877
2878 Keepalives should, in general, not be needed if the socket has the
2879 SO_KEEPALIVE attribute set on it by default. (see socket options).
2880 Basically you should only use this option if you strike difficul‐
2881 ties.
2882
2883 Default: keepalive = 300
2884
2885 Example: keepalive = 600
2886
2887 kernel change notify (S)
2888 This parameter specifies whether Samba should ask the kernel for
2889 change notifications in directories so that SMB clients can refresh
2890 whenever the data on the server changes.
2891
2892 This parameter is only used when your kernel supports change notifi‐
2893 cation to user programs using the inotify interface.
2894
2895 Default: kernel change notify = yes
2896
2897 kernel oplocks (G)
2898 For UNIXes that support kernel based oplocks (currently only IRIX
2899 and the Linux 2.4 kernel), this parameter allows the use of them to
2900 be turned on or off.
2901
2902 Kernel oplocks support allows Samba oplocks to be broken whenever a
2903 local UNIX process or NFS operation accesses a file that smbd(8) has
2904 oplocked. This allows complete data consistency between SMB/CIFS,
2905 NFS and local file access (and is a very cool feature :-).
2906
2907 This parameter defaults to on, but is translated to a no-op on sys‐
2908 tems that do not have the necessary kernel support. You should never
2909 need to touch this parameter.
2910
2911 Default: kernel oplocks = yes
2912
2913 lanman auth (G)
2914 This parameter determines whether or not smbd(8) will attempt to
2915 authenticate users or permit password changes using the LANMAN pass‐
2916 word hash. If disabled, only clients which support NT password
2917 hashes (e.g. Windows NT/2000 clients, smbclient, but not Windows
2918 95/98 or the MS DOS network client) will be able to connect to the
2919 Samba host.
2920
2921 The LANMAN encrypted response is easily broken, due to its case-
2922 insensitive nature, and the choice of algorithm. Servers without
2923 Windows 95/98/ME or MS DOS clients are advised to disable this
2924 option.
2925
2926 Unlike the encrypt passwords option, this parameter cannot alter
2927 client behaviour, and the LANMAN response will still be sent over
2928 the network. See the client lanman auth option to disable this for
2929 Samba's clients (such as smbclient).
2930
2931 If this option and ntlm auth are both disabled, then only NTLMv2
2932 logins will be permitted. Not all clients support NTLMv2, and most
2933 will require special configuration to use it.
2934
2935 Default: lanman auth = yes
2936
2937 large readwrite (G)
2938 This parameter determines whether or not smbd(8) supports the new
2939 64k streaming read and write variant SMB requests introduced with
2940 Windows 2000. Note that due to Windows 2000 client redirector bugs
2941 this requires Samba to be running on a 64-bit capable operating sys‐
2942 tem such as IRIX, Solaris or a Linux 2.4 kernel. Can improve perfor‐
2943 mance by 10% with Windows 2000 clients. Defaults to on. Not as
2944 tested as some other Samba code paths.
2945
2946 Default: large readwrite = yes
2947
2948 ldap admin dn (G)
2949 The ldap admin dn defines the Distinguished Name (DN) name used by
2950 Samba to contact the ldap server when retrieving user account infor‐
2951 mation. The ldap admin dn is used in conjunction with the admin dn
2952 password stored in the private/secrets.tdb file. See the smb‐
2953 passwd(8) man page for more information on how to accomplish this.
2954
2955 The ldap admin dn requires a fully specified DN. The ldap suffix is
2956 not appended to the ldap admin dn.
2957
2958 No default
2959
2960 ldap delete dn (G)
2961 This parameter specifies whether a delete operation in the ldapsam
2962 deletes the complete entry or only the attributes specific to Samba.
2963
2964 Default: ldap delete dn = no
2965
2966 ldap group suffix (G)
2967 This parameter specifies the suffix that is used for groups when
2968 these are added to the LDAP directory. If this parameter is unset,
2969 the value of ldap suffix will be used instead. The suffix string is
2970 pre-pended to the ldap suffix string so use a partial DN.
2971
2972 Default: ldap group suffix =
2973
2974 Example: ldap group suffix = ou=Groups
2975
2976 ldap idmap suffix (G)
2977 This parameter specifies the suffix that is used when storing idmap
2978 mappings. If this parameter is unset, the value of ldap suffix will
2979 be used instead. The suffix string is pre-pended to the ldap suffix
2980 string so use a partial DN.
2981
2982 Default: ldap idmap suffix =
2983
2984 Example: ldap idmap suffix = ou=Idmap
2985
2986 ldap machine suffix (G)
2987 It specifies where machines should be added to the ldap tree. If
2988 this parameter is unset, the value of ldap suffix will be used
2989 instead. The suffix string is pre-pended to the ldap suffix string
2990 so use a partial DN.
2991
2992 Default: ldap machine suffix =
2993
2994 Example: ldap machine suffix = ou=Computers
2995
2996 ldap passwd sync (G)
2997 This option is used to define whether or not Samba should sync the
2998 LDAP password with the NT and LM hashes for normal accounts (NOT for
2999 workstation, server or domain trusts) on a password change via
3000 SAMBA.
3001
3002 The ldap passwd sync can be set to one of three values:
3003
3004 · Yes = Try to update the LDAP, NT and LM passwords and update
3005 the pwdLastSet time.
3006
3007 · No = Update NT and LM passwords and update the pwdLastSet
3008 time.
3009
3010 · Only = Only update the LDAP password and let the LDAP server
3011 do the rest.
3012
3013 Default: ldap passwd sync = no
3014
3015 ldap replication sleep (G)
3016 When Samba is asked to write to a read-only LDAP replica, we are
3017 redirected to talk to the read-write master server. This server then
3018 replicates our changes back to the 'local' server, however the
3019 replication might take some seconds, especially over slow links.
3020 Certain client activities, particularly domain joins, can become
3021 confused by the 'success' that does not immediately change the LDAP
3022 back-end's data.
3023
3024 This option simply causes Samba to wait a short time, to allow the
3025 LDAP server to catch up. If you have a particularly high-latency
3026 network, you may wish to time the LDAP replication with a network
3027 sniffer, and increase this value accordingly. Be aware that no
3028 checking is performed that the data has actually replicated.
3029
3030 The value is specified in milliseconds, the maximum value is 5000 (5
3031 seconds).
3032
3033 Default: ldap replication sleep = 1000
3034
3035 ldapsam:editposix (G)
3036 Editposix is an option that leverages ldapsam:trusted to make it
3037 simpler to manage a domain controller eliminating the need to set up
3038 custom scripts to add and manage the posix users and groups. This
3039 option will instead directly manipulate the ldap tree to create,
3040 remove and modify user and group entries. This option also requires
3041 a running winbindd as it is used to allocate new uids/gids on
3042 user/group creation. The allocation range must therefore be config‐
3043 ured.
3044
3045 To use this option, a basic ldap tree must be provided and the ldap
3046 suffix parameters must be properly configured. On virgin servers the
3047 default users and groups (Administrator, Guest, Domain Users, Domain
3048 Admins, Domain Guests) can be precreated with the command net sam
3049 provision. To run this command the ldap server must be running,
3050 Winbindd must be running and the smb.conf ldap options must be prop‐
3051 erly configured. The typical ldap setup used with the ldap‐
3052 sam:trusted = yes option is usually sufficient to use ldapsam:edit‐
3053 posix = yes as well.
3054
3055 An example configuration can be the following:
3056
3057
3058
3059
3060 encrypt passwords = true
3061 passdb backend = ldapsam
3062
3063 ldapsam:trusted=yes
3064 ldapsam:editposix=yes
3065
3066 ldap admin dn = cn=admin,dc=samba,dc=org
3067 ldap delete dn = yes
3068 ldap group suffix = ou=groups
3069 ldap idmap suffix = ou=idmap
3070 ldap machine suffix = ou=computers
3071 ldap user suffix = ou=users
3072 ldap suffix = dc=samba,dc=org
3073
3074 idmap backend = ldap:"ldap://localhost"
3075
3076 idmap uid = 5000-50000
3077 idmap gid = 5000-50000
3078
 3079 This configuration assumes the ldap server has been loaded with a
 3080 base tree like the one described in the following ldif. The
 3081 userPassword shown is a placeholder; store a hashed value instead:
3082
3083
3084
3085 dn: dc=samba,dc=org
3086 objectClass: top
3087 objectClass: dcObject
3088 objectClass: organization
3089 o: samba.org
3090 dc: samba
3091
3092 dn: cn=admin,dc=samba,dc=org
3093 objectClass: simpleSecurityObject
3094 objectClass: organizationalRole
3095 cn: admin
3096 description: LDAP administrator
3097 userPassword: secret
3098
3099 dn: ou=users,dc=samba,dc=org
3100 objectClass: top
3101 objectClass: organizationalUnit
3102 ou: users
3103
3104 dn: ou=groups,dc=samba,dc=org
3105 objectClass: top
3106 objectClass: organizationalUnit
3107 ou: groups
3108
3109 dn: ou=idmap,dc=samba,dc=org
3110 objectClass: top
3111 objectClass: organizationalUnit
3112 ou: idmap
3113
3114 dn: ou=computers,dc=samba,dc=org
3115 objectClass: top
3116 objectClass: organizationalUnit
3117 ou: computers
3118
3119
3120
3121 Default: ldapsam:editposix = no
3122
3123 ldapsam:trusted (G)
3124 By default, Samba as a Domain Controller with an LDAP backend needs
3125 to use the Unix-style NSS subsystem to access user and group infor‐
 3126 mation. Due to the way Unix stores user information in /etc/passwd
 3127 and /etc/group this inevitably leads to inefficiencies. One impor‐
 3128 tant question that must be answered for every user is the list of
 3129 groups that user is a member of. The plain UNIX model answers it by
 3130 enumerating the whole of /etc/group and its NSS counterparts in
 3131 LDAP. UNIX has optimized functions to enumerate group membership,
 3132 but the other functions used to deal with user and group attributes
 3133 lack such optimization.
3134
3135 To make Samba scale well in large environments, the ldapsam:trusted
3136 = yes option assumes that the complete user and group database that
3137 is relevant to Samba is stored in LDAP with the standard posixAc‐
3138 count/posixGroup attributes. It further assumes that the Samba aux‐
3139 iliary object classes are stored together with the POSIX data in the
3140 same LDAP object. If these assumptions are met, ldapsam:trusted =
3141 yes can be activated and Samba can bypass the NSS system to query
3142 user group memberships. Optimized LDAP queries can greatly speed up
3143 domain logon and administration tasks. Depending on the size of the
3144 LDAP database a factor of 100 or more for common queries is easily
3145 achieved.
3146
3147 Default: ldapsam:trusted = no
3148
3149 ldap ssl (G)
3150 This option is used to define whether or not Samba should use SSL
 3151 when connecting to the ldap server. This is NOT related to Samba's
 3152 previous SSL support, which was enabled by specifying the --with-ssl
3153 option to the configure script.
3154
3155 The ldap ssl can be set to one of three values:
3156
 3157 · Off = Never use SSL when querying the directory. The bind with
 3158 the ldap admin dn password, and every query result, then cross
 3159 the network in the clear.
 3160
 3161 · Start_tls = Use the LDAPv3 StartTLS extended operation
 3162 (RFC2830) for communicating with the directory server.
 3163
 3164 · On = Use SSL on the ldaps port when contacting the ldap
 3165 server. Only available when the backwards-compatibility --with-
 3166 ldapsam option is specified to configure. See passdb backend.
3167 Default: ldap ssl = start_tls
3168
3169 ldap suffix (G)
3170 Specifies the base for all ldap suffixes and for storing the sam‐
3171 baDomain object.
3172
3173 The ldap suffix will be appended to the values specified for the
3174 ldap user suffix, ldap group suffix, ldap machine suffix, and the
3175 ldap idmap suffix. Each of these should be given only a DN rela‐
3176 tive to the ldap suffix.
3177
3178 Default: ldap suffix =
3179
3180 Example: ldap suffix = dc=samba,dc=org
3181
3182 ldap timeout (G)
 3183 When Samba connects to an ldap server that server may be down or
3184 unreachable. To prevent Samba from hanging whilst waiting for the
3185 connection this parameter specifies in seconds how long Samba
3186 should wait before failing the connect. The default is to only
3187 wait fifteen seconds for the ldap server to respond to the con‐
3188 nect request.
3189
3190 Default: ldap timeout = 15
3191
3192 ldap user suffix (G)
3193 This parameter specifies where users are added to the tree. If
3194 this parameter is unset, the value of ldap suffix will be used
3195 instead. The suffix string is pre-pended to the ldap suffix
3196 string so use a partial DN.
3197
3198 Default: ldap user suffix =
3199
3200 Example: ldap user suffix = ou=people
3201
3202 level2 oplocks (S)
3203 This parameter controls whether Samba supports level2 (read-only)
3204 oplocks on a share.
3205
3206 Level2, or read-only oplocks allow Windows NT clients that have
3207 an oplock on a file to downgrade from a read-write oplock to a
3208 read-only oplock once a second client opens the file (instead of
3209 releasing all oplocks on a second open, as in traditional, exclu‐
3210 sive oplocks). This allows all openers of the file that support
 3211 level2 oplocks to cache the file for read-ahead only (i.e. they
3212 may not cache writes or lock requests) and increases performance
3213 for many accesses of files that are not commonly written (such as
3214 application .EXE files).
3215
3216 Once one of the clients which have a read-only oplock writes to
3217 the file all clients are notified (no reply is needed or waited
3218 for) and told to break their oplocks to "none" and delete any
3219 read-ahead caches.
3220
3221 It is recommended that this parameter be turned on to speed
3222 access to shared executables.
3223
3224 For more discussions on level2 oplocks see the CIFS spec.
3225
3226 Currently, if kernel oplocks are supported then level2 oplocks
3227 are not granted (even if this parameter is set to yes). Note
3228 also, the oplocks parameter must be set to yes on this share in
3229 order for this parameter to have any effect.
3230
3231 Default: level2 oplocks = yes
3232
3233 lm announce (G)
3234 This parameter determines if nmbd(8) will produce Lanman announce
3235 broadcasts that are needed by OS/2 clients in order for them to
3236 see the Samba server in their browse list. This parameter can
3237 have three values, yes, no, or auto. The default is auto. If set
3238 to no Samba will never produce these broadcasts. If set to yes
3239 Samba will produce Lanman announce broadcasts at a frequency set
3240 by the parameter lm interval. If set to auto Samba will not send
3241 Lanman announce broadcasts by default but will listen for them.
3242 If it hears such a broadcast on the wire it will then start send‐
3243 ing them at a frequency set by the parameter lm interval.
3244
3245 Default: lm announce = auto
3246
3247 Example: lm announce = yes
3248
3249 lm interval (G)
3250 If Samba is set to produce Lanman announce broadcasts needed by
3251 OS/2 clients (see the lm announce parameter) then this parameter
3252 defines the frequency in seconds with which they will be made. If
3253 this is set to zero then no Lanman announcements will be made
3254 despite the setting of the lm announce parameter.
3255
3256 Default: lm interval = 60
3257
3258 Example: lm interval = 120
3259
3260 load printers (G)
3261 A boolean variable that controls whether all printers in the
3262 printcap will be loaded for browsing by default. See the printers
3263 section for more details.
3264
3265 Default: load printers = yes
3266
3267 local master (G)
3268 This option allows nmbd(8) to try and become a local master
3269 browser on a subnet. If set to no then nmbd will not attempt to
3270 become a local master browser on a subnet and will also lose in
3271 all browsing elections. By default this value is set to yes. Set‐
3272 ting this value to yes doesn't mean that Samba will become the
3273 local master browser on a subnet, just that nmbd will participate
3274 in elections for local master browser.
3275
3276 Setting this value to no will cause nmbd never to become a local
3277 master browser.
3278
3279 Default: local master = yes
3280
3281 lock dir
3282 This parameter is a synonym for lock directory.
3283
3284 lock directory (G)
3285 This option specifies the directory where lock files will be
3286 placed. The lock files are used to implement the max connections
3287 option.
3288
3289 Default: lock directory = ${prefix}/var/locks
3290
3291 Example: lock directory = /var/run/samba/locks
3292
3293 locking (S)
3294 This controls whether or not locking will be performed by the
3295 server in response to lock requests from the client.
3296
3297 If locking = no, all lock and unlock requests will appear to suc‐
3298 ceed and all lock queries will report that the file in question
3299 is available for locking.
3300
3301 If locking = yes, real locking will be performed by the server.
3302
3303 This option may be useful for read-only filesystems which may not
3304 need locking (such as CDROM drives), although setting this param‐
3305 eter of no is not really recommended even in this case.
3306
3307 Be careful about disabling locking either globally or in a spe‐
3308 cific service, as lack of locking may result in data corruption.
3309 You should never need to set this parameter.
3310
3311 No default
3312
3313 lock spin count (G)
 3314 This parameter has been made inoperative in Samba 3.0.24. The
 3315 functionality it controlled is now controlled by the parameter
3316 lock spin time.
3317
3318 Default: lock spin count = 0
3319
3320 lock spin time (G)
3321 The time in microseconds that smbd should keep waiting to see if
3322 a failed lock request can be granted. This parameter has changed
3323 in default value from Samba 3.0.23 from 10 to 200. The associated
3324 lock spin count parameter is no longer used in Samba 3.0.24. You
3325 should not need to change the value of this parameter.
3326
3327 Default: lock spin time = 200
3328
3329 log file (G)
3330 This option allows you to override the name of the Samba log file
3331 (also known as the debug file).
3332
3333 This option takes the standard substitutions, allowing you to
3334 have separate log files for each user or machine.
3335
3336 No default
3337
3338 Example: log file = /usr/local/samba/var/log.%m
3339
3340 debuglevel
3341 This parameter is a synonym for log level.
3342
3343 log level (G)
 3344 The value of the parameter (a string) allows the debug level
 3345 (logging level) to be specified in the smb.conf file. This param‐
 3346 eter has been extended since the 2.2.x series; it now allows the
 3347 debug level to be specified per debug class. This gives greater
 3348 flexibility in the configuration of the system.
3349
3350 The default will be the log level specified on the command line
3351 or level zero if none was specified.
3352
3353 No default
3354
3355 Example: log level = 3 passdb:5 auth:10 winbind:2
3356
3357 logon drive (G)
3358 This parameter specifies the local path to which the home direc‐
3359 tory will be connected (see logon home) and is only used by NT
3360 Workstations.
3361
3362 Note that this option is only useful if Samba is set up as a
3363 logon server.
3364
3365 Default: logon drive =
3366
3367 Example: logon drive = h:
3368
3369 logon home (G)
3370 This parameter specifies the home directory location when a
3371 Win95/98 or NT Workstation logs into a Samba PDC. It allows you
3372 to do
3373
3374
 3375 C:\>NET USE H: /HOME
3376
3377 from a command prompt, for example.
3378
3379 This option takes the standard substitutions, allowing you to
3380 have separate logon scripts for each user or machine.
3381
3382 This parameter can be used with Win9X workstations to ensure that
3383 roaming profiles are stored in a subdirectory of the user's home
3384 directory. This is done in the following way:
3385
3386
3387 logon home = \\%N\%U\profile
3388
3389 This tells Samba to return the above string, with substitutions
 3390 made when a client requests the info, generally in a NetUserGet‐
 3391 Info request. Win9X clients truncate the info to \\server\share
 3392 when a user does net use /home but use the whole string when
 3393 dealing with profiles.
3394
3395 Note that in prior versions of Samba, the logon path was returned
3396 rather than logon home. This broke net use /home but allowed pro‐
3397 files outside the home directory. The current implementation is
3398 correct, and can be used for profiles if you use the above trick.
3399
3400 Disable this feature by setting logon home = "" - using the empty
3401 string.
3402
3403 This option is only useful if Samba is set up as a logon server.
3404
3405 Default: logon home = \\%N\%U
3406
3407 Example: logon home = \\remote_smb_server\%U
3408
3409 logon path (G)
3410 This parameter specifies the directory where roaming profiles
3411 (Desktop, NTuser.dat, etc) are stored. Contrary to previous ver‐
3412 sions of these manual pages, it has nothing to do with Win 9X
3413 roaming profiles. To find out how to handle roaming profiles for
3414 Win 9X system, see the logon home parameter.
3415
3416 This option takes the standard substitutions, allowing you to
3417 have separate logon scripts for each user or machine. It also
3418 specifies the directory from which the "Application Data", desk‐
3419 top, start menu, network neighborhood, programs and other fold‐
3420 ers, and their contents, are loaded and displayed on your Windows
3421 NT client.
3422
3423 The share and the path must be readable by the user for the pref‐
3424 erences and directories to be loaded onto the Windows NT client.
3425 The share must be writeable when the user logs in for the first
3426 time, in order that the Windows NT client can create the
3427 NTuser.dat and other directories. Thereafter, the directories and
3428 any of the contents can, if required, be made read-only. It is
3429 not advisable that the NTuser.dat file be made read-only - rename
3430 it to NTuser.man to achieve the desired effect (a MANdatory pro‐
3431 file).
3432
3433 Windows clients can sometimes maintain a connection to the
3434 [homes] share, even though there is no user logged in. Therefore,
3435 it is vital that the logon path does not include a reference to
 3436 the homes share (i.e. setting this parameter to
 3437 \\%N\homes\profile_path will cause problems).
3438
3442 Warning
 3443 Do not quote the value. Setting this as "\\%N\profile\%U"
 3444 will break profile handling. Where the tdbsam or ldapsam passdb
 3445 backend is used, at the time the user account is created the
 3446 value configured for this parameter is written to the passdb
 3447 backend and that value will over-ride the parameter value present
 3448 in the smb.conf file. Any error present in the passdb backend
 3449 account record must be edited using the appropriate tool (pdbe‐
 3450 dit on the command-line, or any other locally provided system
3451 tool). Note that this option is only useful if Samba is set up
3452 as a domain controller.
3453
3454 Disable the use of roaming profiles by setting the value of this
3455 parameter to the empty string. For example, logon path = "". Take
3456 note that even if the default setting in the smb.conf file is the
3457 empty string, any value specified in the user account settings in
3458 the passdb backend will over-ride the effect of setting this
3459 parameter to null. Disabling of all roaming profile use requires
3460 that the user account settings must also be blank.
3461
3462 An example of use is:
3463
3464
3465
3466
 3467 logon path = \\PROFILESERVER\PROFILE\%U
3468
3469
3470
3471 Default: logon path = \\%N\%U\profile
3472
3473 logon script (G)
3474 This parameter specifies the batch file (.bat) or NT command file
3475 (.cmd) to be downloaded and run on a machine when a user success‐
3476 fully logs in. The file must contain the DOS style CR/LF line
3477 endings. Using a DOS-style editor to create the file is recom‐
3478 mended.
3479
3480 The script must be a relative path to the [netlogon] service. If
3481 the [netlogon] service specifies a path of /usr/local/samba/netl‐
3482 ogon, and logon script = STARTUP.BAT, then the file that will be
3483 downloaded is:
3484
3485
3486
3487
3488 /usr/local/samba/netlogon/STARTUP.BAT
3489
3490
3491
3492 The contents of the batch file are entirely your choice. A sug‐
3493 gested command would be to add NET TIME \\SERVER /SET /YES, to
3494 force every machine to synchronize clocks with the same time
3495 server. Another use would be to add NET USE U: \\SERVER\UTILS for
3496 commonly used utilities, or
3497
3498
3499
3500
 3501 NET USE Q: \\SERVER\ISO9001_QA
3502
3503 for example.
3504
3505 Note that it is particularly important not to allow write access
3506 to the [netlogon] share, or to grant users write permission on
3507 the batch files in a secure environment, as this would allow the
3508 batch files to be arbitrarily modified and security to be
3509 breached.
3510
3511 This option takes the standard substitutions, allowing you to
3512 have separate logon scripts for each user or machine.
3513
3514 This option is only useful if Samba is set up as a logon server.
3515
3516 Default: logon script =
3517
3518 Example: logon script = scripts\%U.bat
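The warnings scattered through these parameters (ldap ssl = off, map to
guest = Bad Password, a logon path that goes through [homes], a writable
[netlogon] share, locking = no) are the kind of thing worth checking
mechanically before a configuration is deployed. What follows is an added
example, not Samba code: a minimal reader for the smb.conf format
(sections in square brackets, name = value with only the first equals
sign significant, ';' and '#' comments, backslash continuation,
case-insensitive names) with a short list of checks drawn from those
warnings. The sample configuration is constructed for the example; the
share parameters writable, writeable, write ok and write list are Samba's
standard ways of granting write access and are not described on this
page, and the check list itself is ours.

```python
import re

TRUE_WORDS = {"yes", "1", "true"}
FALSE_WORDS = {"no", "0", "false"}

# Constructed sample for this example, not taken from a real host.
SAMPLE_CONF = r"""
[global]
   security = user
   passdb backend = ldapsam
   ldap admin dn = cn=admin,dc=samba,dc=org
   ldap suffix = dc=samba,dc=org
   ldap ssl = off
   map to guest = Bad Password
   logon path = \\%N\homes\profile
   log level = 3 passdb:5 \
               auth:10

[netlogon]
   path = /usr/local/samba/netlogon
   read only = yes
   write list = @staff

[public]
   path = /srv/public
   locking = no
"""


def _key(name):
    # Names are case-insensitive and whitespace inside them is irrelevant.
    return re.sub(r"\s+", "", name).lower()


def parse_smb_conf(text):
    """Return {section: {parameter: value}} with keys normalised by _key()."""
    conf, section, pending = {}, None, ""
    for raw in text.splitlines():
        if raw.rstrip().endswith("\\"):          # a trailing '\' continues the line
            pending += raw.rstrip()[:-1]
            continue
        line, pending = (pending + raw).strip(), ""
        if not line or line[0] in ";#":         # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = _key(line[1:-1])
            conf.setdefault(section, {})
            continue
        if section is None or "=" not in line:  # parameter before any section, or junk
            continue
        name, value = line.split("=", 1)        # only the first '=' is significant
        conf[section][_key(name)] = value.strip()
    return conf


def get_param(conf, section, name, default=None):
    return conf.get(_key(section), {}).get(_key(name), default)


def as_bool(value, default):
    v = (value or "").strip().lower()
    return True if v in TRUE_WORDS else False if v in FALSE_WORDS else default


def write_access_reason(conf, share):
    """Return the parameter that makes 'share' writable, or None. 'read only'
    defaults to yes; writable/writeable/write ok are its inverted synonyms;
    'write list' grants write access to the listed users regardless."""
    if not as_bool(get_param(conf, share, "read only"), True):
        return "read only"
    for syn in ("writable", "writeable", "write ok"):
        if as_bool(get_param(conf, share, syn), False):
            return syn
    if (get_param(conf, share, "write list") or "").strip():
        return "write list"
    return None


def lint(conf):
    """(section, parameter, message) for settings this page cautions against."""
    found = []
    if (get_param(conf, "global", "ldap ssl") or "").strip().lower() == "off":
        found.append(("global", "ldap ssl",
                      "ldap admin dn bind and all queries travel in the clear"))
    if (get_param(conf, "global", "map to guest") or "").strip().lower() == "bad password":
        found.append(("global", "map to guest",
                      "mistyped passwords silently become guest logons"))
    if re.search(r"\\homes\\", get_param(conf, "global", "logon path") or "", re.I):
        found.append(("global", "logon path", "profile path goes through [homes]"))
    reason = write_access_reason(conf, "netlogon") if "netlogon" in conf else None
    if reason:
        found.append(("netlogon", reason, "clients can modify logon scripts"))
    for share, params in conf.items():
        if share != "global" and not as_bool(params.get("locking"), True):
            found.append((share, "locking", "lock requests faked; data corruption risk"))
    return found


if __name__ == "__main__":
    for section, param, msg in lint(parse_smb_conf(SAMPLE_CONF)):
        print(f"[{section}] {param}: {msg}")
```

Samba's own testparm remains the authority on how a file will actually be
interpreted (it knows every parameter, synonym and default); a reader like
this is only a pre-commit check on the text.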
3519
3520 lppause command (S)
3521 This parameter specifies the command to be executed on the server
3522 host in order to stop printing or spooling a specific print job.
3523
3524 This command should be a program or script which takes a printer
3525 name and job number to pause the print job. One way of implement‐
3526 ing this is by using job priorities, where jobs having a too low
3527 priority won't be sent to the printer.
3528
3529 If a %p is given then the printer name is put in its place. A %j
3530 is replaced with the job number (an integer). On HPUX (see print‐
3531 ing=hpux ), if the -p%p option is added to the lpq command, the
3532 job will show up with the correct status, i.e. if the job prior‐
3533 ity is lower than the set fence priority it will have the PAUSED
3534 status, whereas if the priority is equal or higher it will have
3535 the SPOOLED or PRINTING status.
3536
3537 Note that it is good practice to include the absolute path in the
3538 lppause command as the PATH may not be available to the server.
3539
 3540 Default: lppause command = # Currently no default value is given
 3541 to this string, unless the value of the printing parameter is
 3542 SYSV, in which case the default is : lp -i %p-%j -H hold or
 3543 if the value of the printing parameter is SOFTQ, then
 3544 the default is: qstat -s -j%j -h.
3545
3546 Example: lppause command = /usr/bin/lpalt %p-%j -p0
3547
3548 lpq cache time (G)
3549 This controls how long lpq info will be cached for to prevent the
3550 lpq command being called too often. A separate cache is kept for
3551 each variation of the lpq command used by the system, so if you
3552 use different lpq commands for different users then they won't
3553 share cache information.
3554
3555 The cache files are stored in /tmp/lpq.xxxx where xxxx is a hash
3556 of the lpq command in use.
3557
3558 The default is 30 seconds, meaning that the cached results of a
3559 previous identical lpq command will be used if the cached data is
3560 less than 30 seconds old. A large value may be advisable if your
3561 lpq command is very slow.
3562
3563 A value of 0 will disable caching completely.
3564
3565 Default: lpq cache time = 30
3566
3567 Example: lpq cache time = 10
3568
3569 lpq command (S)
3570 This parameter specifies the command to be executed on the server
3571 host in order to obtain lpq-style printer status information.
3572
3573 This command should be a program or script which takes a printer
3574 name as its only parameter and outputs printer status informa‐
3575 tion.
3576
3577 Currently nine styles of printer status information are sup‐
3578 ported; BSD, AIX, LPRNG, PLP, SYSV, HPUX, QNX, CUPS, and SOFTQ.
3579 This covers most UNIX systems. You control which type is expected
3580 using the printing = option.
3581
3582 Some clients (notably Windows for Workgroups) may not correctly
3583 send the connection number for the printer they are requesting
3584 status information about. To get around this, the server reports
3585 on the first printer service connected to by the client. This
3586 only happens if the connection number sent is invalid.
3587
3588 If a %p is given then the printer name is put in its place. Oth‐
3589 erwise it is placed at the end of the command.
3590
3591 Note that it is good practice to include the absolute path in the
3592 lpq command as the $PATH may not be available to the server. When
3593 compiled with the CUPS libraries, no lpq command is needed
3594 because smbd will make a library call to obtain the print queue
3595 listing.
3596
3597 Default: lpq command =
3598
3599 Example: lpq command = /usr/bin/lpq -P%p
3600
3601 lpresume command (S)
3602 This parameter specifies the command to be executed on the server
3603 host in order to restart or continue printing or spooling a spe‐
3604 cific print job.
3605
3606 This command should be a program or script which takes a printer
3607 name and job number to resume the print job. See also the lppause
3608 command parameter.
3609
3610 If a %p is given then the printer name is put in its place. A %j
3611 is replaced with the job number (an integer).
3612
3613 Note that it is good practice to include the absolute path in the
3614 lpresume command as the PATH may not be available to the server.
3615
3616 See also the printing parameter.
3617
3618 Default: Currently no default value is given to this string,
3619 unless the value of the printing parameter is SYSV, in which case
3620 the default is :
3621
3622 lp -i %p-%j -H resume
3623
3624 or if the value of the printing parameter is SOFTQ, then the
3625 default is:
3626
3627 qstat -s -j%j -r
3628
 3629 Example: lpresume command = /usr/bin/lpalt %p-%j -p2
 3630
3631
3632 lprm command (S)
3633 This parameter specifies the command to be executed on the server
3634 host in order to delete a print job.
3635
3636 This command should be a program or script which takes a printer
3637 name and job number, and deletes the print job.
3638
3639 If a %p is given then the printer name is put in its place. A %j
3640 is replaced with the job number (an integer).
3641
3642 Note that it is good practice to include the absolute path in the
3643 lprm command as the PATH may not be available to the server.
3644
3645 Examples of use are:
3646
3647
3648
3649
3650 lprm command = /usr/bin/lprm -P%p %j
3651
3652 or
3653
3654 lprm command = /usr/bin/cancel %p-%j
3655
3656
3657
3658 Default: lprm command = determined by printing parameter
3659
3660 machine password timeout (G)
3661 If a Samba server is a member of a Windows NT Domain (see the
3662 security = domain parameter) then periodically a running smbd
3663 process will try and change the MACHINE ACCOUNT PASSWORD stored
3664 in the TDB called private/secrets.tdb . This parameter specifies
3665 how often this password will be changed, in seconds. The default
3666 is one week (expressed in seconds), the same as a Windows NT
3667 Domain member server.
3668
3669 See also smbpasswd(8), and the security = domain parameter.
3670
3671 Default: machine password timeout = 604800
3672
3673 magic output (S)
3674 This parameter specifies the name of a file which will contain
3675 output created by a magic script (see the magic script parameter
3676 below).
3677
 3678 Warning
 3679 If two clients use the same magic script in the same directory
 3680 the output file content is undefined.
 3681
 3682 Default: magic output = <magic script name>.out
3682
3683 Example: magic output = myfile.txt
3684
3685 magic script (S)
3686 This parameter specifies the name of a file which, if opened,
3687 will be executed by the server when the file is closed. This
3688 allows a UNIX script to be sent to the Samba host and executed on
3689 behalf of the connected user.
3690
3691 Scripts executed in this way will be deleted upon completion
3692 assuming that the user has the appropriate level of privilege and
3693 the file permissions allow the deletion.
3694
3695 If the script generates output, output will be sent to the file
3696 specified by the magic output parameter (see above).
3697
 3699 Note that some shells are unable to interpret scripts containing
 3700 CR/LF instead of LF as the end-of-line marker. Magic scripts must
3700 be executable as is on the host, which for some hosts and some
3701 shells will require filtering at the DOS end.
3702
 3704 Magic scripts are EXPERIMENTAL and should NOT be relied upon. As
 3705 any file of this name written to the share is executed as the
 3706 connected user, enable them only where every writer is trusted.
3704
3705 Default: magic script =
3706
3707 Example: magic script = user.csh
3708
3709 mangled map (S)
3710 This is for those who want to directly map UNIX file names which
3711 cannot be represented on Windows/DOS. The mangling of names is
3712 not always what is needed. In particular you may have documents
3713 with file extensions that differ between DOS and UNIX. For exam‐
3714 ple, under UNIX it is common to use .html for HTML files, whereas
3715 under Windows/DOS .htm is more commonly used.
3716
3717 So to map html to htm you would use:
3718
3719
3720 mangled map = (*.html *.htm).
3721
3722 One very useful case is to remove the annoying ;1 off the ends of
3723 filenames on some CDROMs (only visible under some UNIXes). To do
3724 this use a map of (*;1 *;).
3725
3726 Default: mangled map = # no mangled map
3727
3728 Example: mangled map = (*;1 *;)
3729
3730 mangled names (S)
3731 This controls whether non-DOS names under UNIX should be mapped
3732 to DOS-compatible names ("mangled") and made visible, or whether
3733 non-DOS names should simply be ignored.
3734
3735 See the section on name mangling for details on how to control
3736 the mangling process.
3737
3738 If mangling is used then the mangling algorithm is as follows:
3739
3740 · The first (up to) five alphanumeric characters before the
3741 rightmost dot of the filename are preserved, forced to
3742 upper case, and appear as the first (up to) five characters
3743 of the mangled name.
3744
3745 · A tilde "~" is appended to the first part of the mangled
3746 name, followed by a two-character unique sequence, based on
3747 the original root name (i.e., the original filename minus
3748 its final extension). The final extension is included in
3749 the hash calculation only if it contains any upper case
3750 characters or is longer than three characters.
3751
3752 Note that the character to use may be specified using the
3753 mangling char option, if you don't like '~'.
3754
3755 · Files whose UNIX name begins with a dot will be presented
3756 as DOS hidden files. The mangled name will be created as
3757 for other filenames, but with the leading dot removed and
3758 "___" as its extension regardless of actual original exten‐
3759 sion (that's three underscores).
3760
3761 The two-digit hash value consists of upper case alphanumeric
3762 characters.
3763
3764 This algorithm can cause name collisions only if files in a
3765 directory share the same first five alphanumeric characters.
3766 The probability of such a clash is 1/1300.
3767
3768 The name mangling (if enabled) allows a file to be copied
3769 between UNIX directories from Windows/DOS while retaining the
3770 long UNIX filename. UNIX files can be renamed to a new exten‐
3771 sion from Windows/DOS and will retain the same basename. Man‐
3772 gled names do not change between sessions.
3773
3774 Default: mangled names = yes
3775
3776 mangle prefix (G)
3777 controls the number of prefix characters from the original name
3778 used when generating the mangled names. A larger value will give
3779 a weaker hash and therefore more name collisions. The minimum
3780 value is 1 and the maximum value is 6.
3781
3782 mangle prefix is effective only when mangling method is hash2.
3783
3784 Default: mangle prefix = 1
3785
3786 Example: mangle prefix = 4
3787
3788 mangling char (S)
3789 This controls what character is used as the magic character in
3790 name mangling. The default is a '~' but this may interfere with
3791 some software. Use this option to set it to whatever you prefer.
3792 This is effective only when mangling method is hash.
3793
3794 Default: mangling char = ~
3795
3796 Example: mangling char = ^
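The algorithm described under mangled names above, with the mangling
char as a parameter, as an added example (not Samba's code). Samba's
two-character hash function is not given on this page, so two_char_hash()
is a stand-in that reproduces only its shape (two symbols from the
36-character upper-case alphanumeric alphabet); how the visible extension
is shortened to three characters is likewise an assumption. The prefix,
tilde, dot-file and extension-in-hash rules follow the text, and
collision_probability() shows where the quoted 1/1300 comes from.

```python
import string
import zlib

MANGLE_ALPHABET = string.ascii_uppercase + string.digits   # 36 upper-case alphanumerics
PREFIX_LEN = 5                                             # the "hash" method keeps five


def split_name(name):
    """(hidden, root, ext): a leading dot marks a DOS hidden file and is
    dropped; the extension is whatever follows the rightmost remaining dot."""
    hidden = name.startswith(".")
    if hidden:
        name = name[1:]
    root, dot, ext = name.rpartition(".")
    if not dot:                      # no extension at all
        root, ext = name, ""
    return hidden, root, ext


def hash_input(name):
    """Text the two-character sequence is derived from: the root name, plus
    the extension only if it has upper-case characters or is longer than
    three characters."""
    _, root, ext = split_name(name)
    if any(c.isupper() for c in ext) or len(ext) > 3:
        return root + ext
    return root


def two_char_hash(text):
    # ASSUMPTION: stand-in for Samba's own function. CRC-32 folded into two
    # symbols of the alphabet; deterministic, so a mangled name does not
    # change between sessions, as the page requires.
    h = zlib.crc32(text.encode("utf-8"))
    return MANGLE_ALPHABET[(h // 36) % 36] + MANGLE_ALPHABET[h % 36]


def mangle(name, mangling_char="~"):
    hidden, root, ext = split_name(name)
    # first (up to) five alphanumerics before the rightmost dot, upper-cased
    prefix = "".join(c for c in root if c.isalnum())[:PREFIX_LEN].upper()
    base = prefix + mangling_char + two_char_hash(hash_input(name))
    if hidden:
        return base + ".___"         # three underscores, whatever the real extension
    # ASSUMPTION: the visible extension is the first three alphanumerics, upper-cased
    ext3 = "".join(c for c in ext if c.isalnum())[:3].upper()
    return base + ("." + ext3 if ext3 else "")


def collision_probability():
    """Files sharing a five-character prefix (and extension) clash only when
    the two hash characters also match: 1 in 36**2 = 1296, the page's 1/1300."""
    return 1 / len(MANGLE_ALPHABET) ** 2


def mangle_directory(names, mangling_char="~"):
    """Mangle a whole listing; any value with more than one entry is a clash."""
    table = {}
    for n in names:
        table.setdefault(mangle(n, mangling_char), []).append(n)
    return table


if __name__ == "__main__":
    for n in ["longfilename.txt", "index.html", "index.htm", ".bashrc", "Makefile"]:
        print(f"{n:20} -> {mangle(n)}")
    print(f"clash probability 1/{round(1 / collision_probability())}")
```

Note that index.html and index.htm share the same prefix and visible
extension and are told apart only by the hash, which is why the extension
joins the hash input when it is longer than three characters.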
3797
3798 mangling method (G)
 3799 controls the algorithm used for generating the mangled names.
 3800 Can take two different values, "hash" and "hash2". "hash" is the
 3801 algorithm that was used in Samba for many years and was the
 3802 default in Samba 2.2.x. "hash2" is now the default and is newer
 3803 and considered a better algorithm (it generates fewer collisions
 3804 in the names). Many Win32 applications store the mangled names, so
 3805 changing algorithms must not be done lightly, as these applica‐
 3806 tions may break unless reinstalled.
3807
3808 Default: mangling method = hash2
3809
3810 Example: mangling method = hash
3811
3812 map acl inherit (S)
3813 This boolean parameter controls whether smbd(8) will attempt to
3814 map the 'inherit' and 'protected' access control entry flags
3815 stored in Windows ACLs into an extended attribute called
3816 user.SAMBA_PAI. This parameter only takes effect if Samba is
3817 being run on a platform that supports extended attributes (Linux
3818 and IRIX so far) and allows the Windows 2000 ACL editor to cor‐
3819 rectly use inheritance with the Samba POSIX ACL mapping code.
3820
3821 Default: map acl inherit = no
3822
3823 map archive (S)
3824 This controls whether the DOS archive attribute should be mapped
3825 to the UNIX owner execute bit. The DOS archive bit is set when a
3826 file has been modified since its last backup. One motivation for
3827 this option is to keep Samba/your PC from making any file it
3828 touches from becoming executable under UNIX. This can be quite
3829 annoying for shared source code, documents, etc...
3830
3831 Note that this requires the create mask parameter to be set such
3832 that owner execute bit is not masked out (i.e. it must include
3833 100). See the parameter create mask for details.
3834
3835 Default: map archive = yes
3836
3837 map hidden (S)
3838 This controls whether DOS style hidden files should be mapped to
3839 the UNIX world execute bit.
3840
3841 Note that this requires the create mask to be set such that the
3842 world execute bit is not masked out (i.e. it must include 001).
3843 See the parameter create mask for details.
3844
3845 No default
3846
3847 map read only (S)
3848 This controls how the DOS read only attribute should be mapped
3849 from a UNIX filesystem.
3850
3851 This parameter can take three different values, which tell
3852 smbd(8) how to display the read only attribute on files, where
3853 either store dos attributes is set to No, or no extended
3854 attribute is present. If store dos attributes is set to yes then
3855 this parameter is ignored. This is a new parameter introduced in
3856 Samba version 3.0.21.
3857
3858 The three settings are :
3859
 3860 · Yes - The read only DOS attribute is mapped to the inverse
 3861 of the user or owner write bit in the unix permission mode
 3862 set. If the owner write bit is not set, the read only
 3863 attribute is reported as being set on the file.
 3864
 3865 · Permissions - The read only DOS attribute is mapped to the
 3866 effective permissions of the connecting user, as evaluated
 3867 by smbd(8) by reading the unix permissions and POSIX ACL
 3868 (if present). If the connecting user does not have permis‐
 3869 sion to modify the file, the read only attribute is
 3870 reported as being set on the file.
 3871
 3872 · No - The read only DOS attribute is unaffected by permis‐
 3873 sions, and can only be set by the store dos attributes
 3874 method. This may be useful for exporting mounted CDs.
3881
3882 Default: map read only = yes
3883
3884 map system (S)
3885 This controls whether DOS style system files should be mapped to
3886 the UNIX group execute bit.
3887
3888 Note that this requires the create mask to be set such that the
3889 group execute bit is not masked out (i.e. it must include 010).
3890 See the parameter create mask for details.
3891
3892 Default: map system = no
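The bit mapping described for map archive, map system, map hidden and map read only, worked through as an added example in Python (this is not Samba code and is not taken from this manual page): dos_attributes() derives the DOS attribute letters from a UNIX mode under the four parameters, stored_mode() shows what a new file ends up with once create mask is applied, and lost_attributes() is the check the "must include 100 / 010 / 001" notes ask for. The function names are this example's own, and the user_can_write argument stands in for the effective-permission evaluation that map read only = permissions relies on.

```python
"""Added example (not Samba code): the DOS attribute <-> UNIX mode bit
mapping described for map archive, map system, map hidden and map read
only, and the create mask interaction the notes above warn about."""

# Mode bits named in the parameter descriptions (octal)
OWNER_EXEC = 0o100   # map archive  -> DOS archive (A)
GROUP_EXEC = 0o010   # map system   -> DOS system (S)
WORLD_EXEC = 0o001   # map hidden   -> DOS hidden (H)
OWNER_WRITE = 0o200  # map read only = yes reports R when this bit is clear


def dos_attributes(mode, map_archive=True, map_system=False, map_hidden=False,
                   map_read_only="yes", user_can_write=None):
    """DOS attribute letters reported for a file with this UNIX mode when no
    stored DOS attribute is present. user_can_write stands in for the
    effective-permission evaluation that map read only = permissions needs
    (an argument of this example, supplied by the caller)."""
    attrs = set()
    if map_archive and mode & OWNER_EXEC:
        attrs.add("A")
    if map_system and mode & GROUP_EXEC:
        attrs.add("S")
    if map_hidden and mode & WORLD_EXEC:
        attrs.add("H")
    if map_read_only == "yes" and not mode & OWNER_WRITE:
        attrs.add("R")
    elif map_read_only == "permissions" and user_can_write is False:
        attrs.add("R")
    # map read only = no: R can only come from stored DOS attributes
    return attrs


def stored_mode(dos_attrs, base_mode, create_mask, map_archive=True,
                map_system=False, map_hidden=False):
    """Mode a new file ends up with when a client sets these DOS attributes:
    the mapped bits are added to base_mode, then create mask is applied.
    A bit the mask removes cannot be stored, so that attribute is lost."""
    mode = base_mode
    if "A" in dos_attrs and map_archive:
        mode |= OWNER_EXEC
    if "S" in dos_attrs and map_system:
        mode |= GROUP_EXEC
    if "H" in dos_attrs and map_hidden:
        mode |= WORLD_EXEC
    if "R" in dos_attrs:
        mode &= ~OWNER_WRITE
    return mode & create_mask


def lost_attributes(create_mask, map_archive=True, map_system=False,
                    map_hidden=False):
    """Configuration check: enabled mappings whose bit create mask removes
    (the 'must include 100 / 010 / 001' requirement stated above)."""
    lost = []
    for enabled, bit, letter in ((map_archive, OWNER_EXEC, "A"),
                                 (map_system, GROUP_EXEC, "S"),
                                 (map_hidden, WORLD_EXEC, "H")):
        if enabled and not create_mask & bit:
            lost.append(letter)
    return lost


if __name__ == "__main__":
    # create mask = 0744 keeps owner execute but masks group/world execute,
    # so system and hidden can never be stored even though they are mapped
    print(lost_attributes(0o744, map_system=True, map_hidden=True))  # ['S', 'H']
    m = stored_mode({"A", "H"}, 0o644, 0o744, map_hidden=True)
    print(oct(m), dos_attributes(m, map_hidden=True))                # 0o744 {'A'}
```

The round trip in the last two lines is the practical point: a client sets the hidden attribute, the world execute bit is masked out on creation, and the attribute is silently gone the next time the file is listed.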
3893
3894 map to guest (G)
3895 This parameter is only useful in security modes other than
3896 security = share and security = server - i.e. security = user
3897 and security = domain.
3898
3899 This parameter can take four different values, which tell smbd(8)
3900 what to do with user login requests that don't match a valid UNIX
3901 user in some way.
3902
3903 The four settings are :
3904
3905 · Never - Means user login requests with an invalid password
3906 are rejected. This is the default.
3907
3908 · Bad User - Means user logins with an invalid password are
3909 rejected, unless the username does not exist, in which case
3910 it is treated as a guest login and mapped into the guest
3911 account.
3912
3913 · Bad Password - Means user logins with an invalid password
3914 are treated as a guest login and mapped into the guest
3915 account. Note that this can cause problems as it means that
3916 any user incorrectly typing their password will be silently
3917 logged on as "guest" - and will not know the reason they
3918 cannot access files they think they should - there will
3919 have been no message given to them that they got their
3920 password wrong. Helpdesk services will hate you if you set
3921 the map to guest parameter this way :-).
3922
3923 · Bad Uid - Is only applicable when Samba is configured in
3924 some type of domain mode security (security = {domain|ads})
3925 and means that user logins which are successfully authenti‐
3926 cated but which have no valid Unix user account (and smbd
3927 is unable to create one) should be mapped to the defined
3928 guest account. This was the default behavior of Samba 2.x
3929 releases. Note that if a member server is running winbindd,
3930 this option should never be required because the nss_win‐
3931 bind library will export the Windows domain users and
3932 groups to the underlying OS via the Name Service Switch
3933 interface.
3934
3935 Note that this parameter is needed to set up "Guest" share
3936 services when using security modes other than share and
3937 server. This is because in these modes the name of the
3938 resource being requested is not sent to the server until after
3939 the server has successfully authenticated the client so the
3940 server cannot make authentication decisions at the correct
3941 time (connection to the share) for "Guest" shares. This param‐
3942 eter is not useful with security = server as in this security
3943 mode no information is returned about whether a user logon
3944 failed due to a bad username or bad password, the same error
3945 is returned from a modern server in both cases.
3946
3947 For people familiar with the older Samba releases, this param‐
3948 eter maps to the old compile-time setting of the
3949 GUEST_SESSSETUP value in local.h.
3950
3951 Default: map to guest = Never
3952
3953 Example: map to guest = Bad User
3954
3955 max connections (S)
3956 This option allows the number of simultaneous connections to a
3957 service to be limited. If max connections is greater than 0 then
3958 connections will be refused if this number of connections to the
3959 service are already open. A value of zero means an unlimited
3960 number of connections may be made.
3961
3962 Record lock files are used to implement this feature. The lock
3963 files will be stored in the directory specified by the lock
3964 directory option.
3965
3966 Default: max connections = 0
3967
3968 Example: max connections = 10
3969
3970 max disk size (G)
3971 This option allows you to put an upper limit on the apparent size
3972 of disks. If you set this option to 100 then all shares will
3973 appear to be not larger than 100 MB in size.
3974
3975 Note that this option does not limit the amount of data you can
3976 put on the disk. In the above case you could still store much
3977 more than 100 MB on the disk, but if a client ever asks for the
3978 amount of free disk space or the total disk size then the result
3979 will be bounded by the amount specified in max disk size.
3980
3981 This option is primarily useful to work around bugs in some
3982 pieces of software that can't handle very large disks, particu‐
3983 larly disks over 1GB in size.
3984
3985 A max disk size of 0 means no limit.
3986
3987 Default: max disk size = 0
3988
3989 Example: max disk size = 1000
3990
3991 max log size (G)
3992 This option (an integer in kilobytes) specifies the max size the
3993 log file should grow to. Samba periodically checks the size and
3994 if it is exceeded it will rename the file, adding a .old exten‐
3995 sion.
3996
3997 A size of 0 means no limit.
3998
3999 Default: max log size = 5000
4000
4001 Example: max log size = 1000
4002
4003 max mux (G)
4004 This option controls the maximum number of outstanding simultane‐
4005 ous SMB operations that Samba tells the client it will allow. You
4006 should never need to set this parameter.
4007
4008 Default: max mux = 50
4009
4010 max open files (G)
4011 This parameter limits the maximum number of open files that one
4012 smbd(8) file serving process may have open for a client at any
4013 one time. The default for this parameter is set very high
4014 (10,000) as Samba uses only one bit per unopened file.
4015
4016 The limit of the number of open files is usually set by the UNIX
4017 per-process file descriptor limit rather than this parameter so
4018 you should never need to touch this parameter.
4019
4020 Default: max open files = 10000
4021
4022 max print jobs (S)
4023 This parameter limits the maximum number of jobs allowable in a
4024 Samba printer queue at any given moment. If this number is
4025 exceeded, smbd(8) will report "Out of Space" to the client.
4026
4027 Default: max print jobs = 1000
4028
4029 Example: max print jobs = 5000
4030
4031 protocol
4032 This parameter is a synonym for max protocol.
4033
4034 max protocol (G)
4035 The value of the parameter (a string) is the highest protocol
4036 level that will be supported by the server.
4037
4038 Possible values are :
4039
4040 · CORE: Earliest version. No concept of user names.
4041
4042 · COREPLUS: Slight improvements on CORE for efficiency.
4043
4044 · LANMAN1: First modern version of the protocol. Long filename
4045 support.
4046
4047 · LANMAN2: Updates to Lanman1 protocol.
4048
4049 · NT1: Current up to date version of the protocol. Used by
4050 Windows NT. Known as CIFS.
4051
4052 Normally this option should not be set as the automatic nego‐
4053 tiation phase in the SMB protocol takes care of choosing the
4054 appropriate protocol.
4055
4056 Default: max protocol = NT1
4057
4058 Example: max protocol = LANMAN1
4059
4060 max reported print jobs (S)
4061 This parameter limits the maximum number of jobs displayed in a
4062 port monitor for Samba printer queue at any given moment. If this
4063 number is exceeded, the excess jobs will not be shown. A value of
4064 zero means there is no limit on the number of print jobs
4065 reported.
4066
4067 Default: max reported print jobs = 0
4068
4069 Example: max reported print jobs = 1000
4070
4071 max smbd processes (G)
4072 This parameter limits the maximum number of smbd(8) processes
4073 concurrently running on a system and is intended as a stopgap to
4074 prevent degrading service to clients in the event that the server
4075 has insufficient resources to handle more than this number of
4076 connections. Remember that under normal operating conditions,
4077 each user will have an smbd(8) associated with him or her to han‐
4078 dle connections to all shares from a given host.
4079
4080 Default: max smbd processes = 0
4081
4082 Example: max smbd processes = 1000
4083
4084 max stat cache size (G)
4085 This parameter limits the size in memory of any stat cache being
4086 used to speed up case insensitive name mappings. This parameter
4087 is the number of kilobyte (1024) units the stat cache can use. A
4088 value of zero means unlimited which is not advised as it
4089 can use a lot of memory. You should not need to change this
4090 parameter.
4091
4092 Default: max stat cache size = 1024
4093
4094 Example: max stat cache size = 100
4095
4096 max ttl (G)
4097 This option tells nmbd(8) what the default 'time to live' of Net‐
4098 BIOS names should be (in seconds) when nmbd is requesting a name
4099 using either a broadcast packet or from a WINS server. You should
4100 never need to change this parameter. The default is 3 days.
4101
4102 Default: max ttl = 259200
4103
4104 max wins ttl (G)
4105 This option tells nmbd(8) when acting as a WINS server (wins
4106 support = yes) what the maximum 'time to live' of NetBIOS names that
4107 nmbd will grant will be (in seconds). You should never need to
4108 change this parameter. The default is 6 days (518400 seconds).
4109
4110 Default: max wins ttl = 518400
4111
4112 max xmit (G)
4113 This option controls the maximum packet size that will be negoti‐
4114 ated by Samba. The default is 16644, which matches the behavior
4115 of Windows 2000. A value below 2048 is likely to cause problems.
4116 You should never need to change this parameter from its default
4117 value.
4118
4119 Default: max xmit = 16644
4120
4121 Example: max xmit = 8192
4122
4123 message command (G)
4124 This specifies what command to run when the server receives a
4125 WinPopup style message.
4126
4127 This would normally be a command that would deliver the message
4128 somehow. How this is to be done is up to your imagination.
4129
4130 An example is:
4131
4132
4133
4134
4135 message command = csh -c 'xedit %s;rm %s' &
4136
4137
4138
4139 This delivers the message using xedit, then removes it after‐
4140 wards. NOTE THAT IT IS VERY IMPORTANT THAT THIS COMMAND RETURN
4141 IMMEDIATELY. That's why I have the '&' on the end. If it doesn't
4142 return immediately then your PCs may freeze when sending messages
4143 (they should recover after 30 seconds, hopefully).
4144
4145 All messages are delivered as the global guest user. The command
4146 takes the standard substitutions, although
4147 %u won't work (%U may be better in this case).
4148
4149 Apart from the standard substitutions, some additional ones
4150 apply. In particular:
4151
4152 · %s = the filename containing the message.
4153
4154 · %t = the destination that the message was sent to (probably
4155 the server name).
4156
4157 · %f = who the message is from.
4158
4159 You could make this command send mail, or whatever else takes
4160 your fancy. Please let us know of any really interesting ideas
4161 you have.
4162
4163 Here's a way of sending the messages as mail to root:
4164
4165
4166
4167
4168 message command = /bin/mail -s 'message from %f on %m' root < %s; rm %s
4169
4170
4171
4172 If you don't have a message command then the message won't be
4173 delivered and Samba will tell the sender there was an error.
4174 Unfortunately WfWg totally ignores the error code and carries
4175 on regardless, saying that the message was delivered.
4176
4177 If you want to silently delete it then try:
4178
4179
4180
4181
4182 message command = rm %s
4183
4184
4185
4186 Default: message command =
4187
4188 Example: message command = csh -c 'xedit %s; rm %s' &
4189
4190 min print space (S)
4191 This sets the minimum amount of free disk space that must be
4192 available before a user will be able to spool a print job. It is
4193 specified in kilobytes. The default is 0, which means a user can
4194 always spool a print job.
4195
4196 Default: min print space = 0
4197
4198 Example: min print space = 2000
4199
4200 min protocol (G)
4201 The value of the parameter (a string) is the lowest SMB protocol
4202 dialect that Samba will support. Please refer to the max protocol
4203 parameter for a list of valid protocol names and a brief descrip‐
4204 tion of each. You may also wish to refer to the C source code in
4205 source/smbd/negprot.c for a listing of known protocol dialects
4206 supported by clients.
4207
4208 If you are viewing this parameter as a security measure, you
4209 should also refer to the lanman auth parameter. Otherwise, you
4210 should never need to change this parameter.
4211
4212 Default: min protocol = CORE
4213
4214 Example: min protocol = NT1
4215
4216 min wins ttl (G)
4217 This option tells nmbd(8) when acting as a WINS server (wins sup‐
4218 port = yes) what the minimum 'time to live' of NetBIOS names that
4219 nmbd will grant will be (in seconds). You should never need to
4220 change this parameter. The default is 6 hours (21600 seconds).
4221
4222 Default: min wins ttl = 21600
4223
4224 msdfs proxy (S)
4225 This parameter indicates that the share is a stand-in for another
4226 CIFS share whose location is specified by the value of the param‐
4227 eter. When clients attempt to connect to this share, they are
4228 redirected to the proxied share using the SMB-Dfs protocol.
4229
4230 Only Dfs roots can act as proxy shares. Take a look at the msdfs
4231 root and host msdfs options to find out how to set up a Dfs root
4232 share.
4233
4234 No default
4235
4236 Example: msdfs proxy = \\otherserver\someshare
4237
4238 msdfs root (S)
4239 If set to yes, Samba treats the share as a Dfs root and allows
4240 clients to browse the distributed file system tree rooted at the
4241 share directory. Dfs links are specified in the share directory
4242 by symbolic links of the form msdfs:serverA\shareA,serverB\shareB
4243 and so on. For more information on setting up a Dfs tree on
4244 Samba, refer to the MSDFS chapter in the Samba3-HOWTO book.
4245
4246 Default: msdfs root = no
4247
4248 name cache timeout (G)
4249 Specifies the number of seconds it takes before entries in
4250 Samba's hostname resolve cache time out. If the timeout is set to
4251 0, caching is disabled.
4252
4253 Default: name cache timeout = 660
4254
4255 Example: name cache timeout = 0
4256
4257 name resolve order (G)
4258 This option is used by the programs in the Samba suite to deter‐
4259 mine what naming services to use and in what order to resolve
4260 host names to IP addresses. Its main purpose is to control how
4261 netbios name resolution is performed. The option takes a space
4262 separated string of name resolution options.
4263
4264 The options are: "lmhosts", "host", "wins" and "bcast". They
4265 cause names to be resolved as follows:
4266
4267 ·
4268
4269 lmhosts : Lookup an IP address in the Samba lmhosts file.
4270 If the line in lmhosts has no name type attached to the
4271 NetBIOS name (see the manpage for lmhosts for details) then
4272 any name type matches for lookup.
4273
4274 ·
4275
4276 host : Do a standard host name to IP address resolution,
4277 using the system /etc/hosts , NIS, or DNS lookups. This
4278 method of name resolution is operating system dependent; for
4279 instance on IRIX or Solaris this may be controlled by the
4280 /etc/nsswitch.conf file. Note that this method is used only
4281 if the NetBIOS name type being queried is the 0x20 (server)
4282 name type or 0x1c (domain controllers). The latter case is
4283 only useful for active directory domains and results in a
4284 DNS query for the SRV RR entry matching _ldap._tcp.domain.
4285
4286 · wins : Query a name with the IP address listed in the
4287 wins server parameter. If no WINS server has been specified
4288 this method will be ignored.
4289
4290 · bcast : Do a broadcast on each of the known local inter‐
4291 faces listed in the interfaces parameter. This is the least
4292 reliable of the name resolution methods as it depends on
4293 the target host being on a locally connected subnet.
4294
4295 The example below will cause the local lmhosts file to be
4296 examined first, followed by a broadcast attempt, followed by a
4297 normal system hostname lookup.
4298
4299 When Samba is functioning in ADS security mode (security =
4300 ads) it is advised to use following settings for name resolve
4301 order:
4302
4303 name resolve order = wins bcast
4304
4305 DC lookups will still be done via DNS, but fallbacks to
4306 NetBIOS names will not inundate your DNS servers with needless
4307 queries for DOMAIN<0x1c> lookups.
4308
4309 Default: name resolve order = lmhosts host wins bcast
4310
4311 Example: name resolve order = lmhosts bcast host
4312
4313 netbios aliases (G)
4314 This is a list of NetBIOS names that nmbd will advertise as addi‐
4315 tional names by which the Samba server is known. This allows one
4316 machine to appear in browse lists under multiple names. If a
4317 machine is acting as a browse server or logon server none of
4318 these names will be advertised as either browse server or logon
4319 servers, only the primary name of the machine will be advertised
4320 with these capabilities.
4321
4322 Default: netbios aliases = # empty string (no additional names)
4323
4324 Example: netbios aliases = TEST TEST1 TEST2
4325
4326 netbios name (G)
4327 This sets the NetBIOS name by which a Samba server is known. By
4328 default it is the same as the first component of the host's DNS
4329 name. If a machine is a browse server or logon server this name
4330 (or the first component of the hosts DNS name) will be the name
4331 that these services are advertised under.
4332
4333 There is a bug in Samba-3 that breaks operation of browsing and
4334 access to shares if the netbios name is set to the literal name
4335 PIPE. To avoid this problem, do not name your Samba-3 server
4336 PIPE.
4337
4338 Default: netbios name = # machine DNS name
4339
4340 Example: netbios name = MYNAME
4341
4342 netbios scope (G)
4343 This sets the NetBIOS scope that Samba will operate under. This
4344 should not be set unless every machine on your LAN also sets this
4345 value.
4346
4347 Default: netbios scope =
4348
4349 nis homedir (G)
4350 Get the home share server from a NIS map. For UNIX systems that
4351 use an automounter, the user's home directory will often be
4352 mounted on a workstation on demand from a remote server.
4353
4354 When the Samba logon server is not the actual home directory
4355 server, but is mounting the home directories via NFS then two
4356 network hops would be required to access the user's home directory
4357 if the logon server told the client to use itself as the SMB
4358 server for home directories (one over SMB and one over NFS). This
4359 can be very slow.
4360
4361 This option allows Samba to return the home share as being on a
4362 different server to the logon server and as long as a Samba dae‐
4363 mon is running on the home directory server, it will be mounted
4364 on the Samba client directly from the directory server. When
4365 Samba is returning the home share to the client, it will consult
4366 the NIS map specified in homedir map and return the server listed
4367 there.
4368
4369 Note that for this option to work there must be a working NIS
4370 system and the Samba server with this option must also be a logon
4371 server.
4372
4373 Default: nis homedir = no
4374
4375 nt acl support (S)
4376 This boolean parameter controls whether smbd(8) will attempt to
4377 map UNIX permissions into Windows NT access control lists. The
4378 UNIX permissions considered are the traditional UNIX owner
4379 and group permissions, as well as POSIX ACLs set on any files or
4380 directories. This parameter was formerly a global parameter in
4381 releases prior to 2.2.2.
4382
4383 Default: nt acl support = yes
4384
4385 ntlm auth (G)
4386 This parameter determines whether or not smbd(8) will attempt to
4387 authenticate users using the NTLM encrypted password response. If
4388 disabled, either the lanman password hash or an NTLMv2 response
4389 will need to be sent by the client.
4390
4391 If this option and lanman auth are both disabled, then only
4392 NTLMv2 logins will be permitted. Not all clients support NTLMv2,
4393 and most will require special configuration to use it.
4394
4395 Default: ntlm auth = yes
4396
4397 nt pipe support (G)
4398 This boolean parameter controls whether smbd(8) will allow Win‐
4399 dows NT clients to connect to the NT SMB specific IPC$ pipes.
4400 This is a developer debugging option and can be left alone.
4401
4402 Default: nt pipe support = yes
4403
4404 nt status support (G)
4405 This boolean parameter controls whether smbd(8) will negotiate NT
4406 specific status support with Windows NT/2k/XP clients. This is a
4407 developer debugging option and should be left alone. If this
4408 option is set to no then Samba offers exactly the same DOS error
4409 codes that versions prior to Samba 2.2.3 reported.
4410
4411 You should not need to ever disable this parameter.
4412
4413 Default: nt status support = yes
4414
4415 null passwords (G)
4416 Allow or disallow client access to accounts that have null pass‐
4417 words.
4418
4419 See also smbpasswd(5).
4420
4421 Default: null passwords = no
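A small configuration check, added here as an example (not Samba code and not part of this manual page): it reads an smb.conf fragment with the file-format rules given at the top of this page and flags the settings from this section that weaken authentication: map to guest = Bad Password, map to guest = Bad Uid outside security = domain or ads, ntlm auth and lanman auth not both disabled (so NTLMv2 is not enforced), and null passwords = yes. The function names, the two sample configurations and the defaults assumed for absent parameters (security = user, lanman auth = yes) are this example's own.

```python
"""Added example (not Samba code): read an smb.conf fragment with the file
format rules from the top of this page, then flag the authentication
settings described in this section that weaken a server."""
import re


def _logical_lines(text):
    """Join any line ending in a backslash with the line that follows it."""
    buf = ""
    for line in text.splitlines():
        if line.rstrip().endswith("\\"):
            buf += line.rstrip()[:-1]
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf


def _norm(name):
    """Case and whitespace are irrelevant in section and parameter names."""
    return re.sub(r"\s+", "", name).lower()


def parse_smb_conf(text):
    """Return {section: {parameter: value}}; values keep case and internal
    whitespace verbatim, and only the first '=' on a line is significant."""
    conf, section = {}, None
    for line in _logical_lines(text):
        s = line.strip()
        if not s or s[0] in ";#":
            continue
        if s.startswith("[") and s.endswith("]"):
            section = _norm(s[1:-1])
            conf.setdefault(section, {})
        elif section is not None and "=" in s:
            name, value = s.split("=", 1)
            conf[section][_norm(name)] = value.strip()
    return conf


def as_bool(value, default):
    """yes/no, 1/0, true/false in any case; default when the parameter is absent."""
    if value is None:
        return default
    v = value.strip().lower()
    if v in ("yes", "1", "true"):
        return True
    if v in ("no", "0", "false"):
        return False
    raise ValueError("not a boolean: %r" % value)


def audit_auth_settings(conf):
    """Findings against [global]. Defaults for absent parameters: map to guest
    = Never and ntlm auth = yes (stated on this page); security = user and
    lanman auth = yes are assumptions of this example."""
    g = conf.get("global", {})
    guest = g.get("maptoguest", "Never").lower()
    security = g.get("security", "user").lower()
    findings = []
    if guest == "bad password":
        findings.append("map to guest = Bad Password: a mistyped password is "
                        "silently logged on as the guest account")
    if guest == "bad uid" and security not in ("domain", "ads"):
        findings.append("map to guest = Bad Uid only applies with security = "
                        "domain or ads (here: %s)" % security)
    if as_bool(g.get("ntlmauth"), True) or as_bool(g.get("lanmanauth"), True):
        findings.append("NTLMv2-only logins not enforced: set ntlm auth = no "
                        "and lanman auth = no")
    if as_bool(g.get("nullpasswords"), False):
        findings.append("null passwords = yes: accounts with empty passwords "
                        "are usable")
    return findings


# Constructed sample configurations (not taken from a real host)
WEAK_CONF = """
[global]
   workgroup = EXAMPLE
   security = user
   map to guest = Bad Password
   null passwords = yes
   ; ntlm auth and lanman auth left at their defaults

[public]
   path = /srv/samba/public
   max connections = 10
   comment = public share, \\
             limited to ten connections
"""

HARDENED_CONF = """
[global]
   security = user
   Map To Guest = Never
   ntlm auth = no
   lanman auth = no
   null passwords = no
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_auth_settings(parse_smb_conf(text)))
```

The parser deliberately keeps the value text verbatim (as the file format section requires) and only normalises names, so "Map To Guest" and "map to guest" are the same key while "Bad Password" keeps its case for reporting.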
4422
4423 obey pam restrictions (G)
4424 When Samba 3.0 is configured to enable PAM support (i.e. --with-
4425 pam), this parameter will control whether or not Samba should
4426 obey PAM's account and session management directives. The default
4427 behavior is to use PAM for clear text authentication only and to
4428 ignore any account or session management. Note that Samba always
4429 ignores PAM for authentication in the case of encrypt passwords =
4430 yes. The reason is that PAM modules cannot support the chal‐
4431 lenge/response authentication mechanism needed in the presence of
4432 SMB password encryption.
4433
4434 Default: obey pam restrictions = no
4435
4436 only user (S)
4437 This is a boolean option that controls whether connections with
4438 usernames not in the user list will be allowed. By default this
4439 option is disabled so that a client can supply a username to be
4440 used by the server. Enabling this parameter will force the server
4441 to only use the login names from the user list and is only really
4442 useful in security = share level security.
4443
4444 Note that this also means Samba won't try to deduce usernames
4445 from the service name. This can be annoying for the [homes] sec‐
4446 tion. To get around this you could use user = %S which means your
4447 user list will be just the service name, which for home directo‐
4448 ries is the name of the user.
4449
4450 Default: only user = no
4451
4452 open files database hash size (G)
4453 This parameter was added in Samba 3.0.23. This is an internal
4454 tuning parameter that sets the hash size of the tdb used for the
4455 open file databases. The presence of this parameter allows tuning
4456 of the system for very large (thousands of concurrent users)
4457 Samba setups. The default setting of this parameter should be
4458 sufficient for most normal environments. It is advised not to
4459 change this parameter unless advised to by a Samba Team member.
4460
4461 Default: open files database hash size = 10007
4462
4463 Example: open files database hash size = 1338457
4464
4465 oplock break wait time (G)
4466 This is a tuning parameter added due to bugs in both Windows 9x
4467 and WinNT. If Samba responds to a client too quickly when that
4468 client issues an SMB that can cause an oplock break request, then
4469 the network client can fail and not respond to the break request.
4470 This tuning parameter (which is set in milliseconds) is the
4471 amount of time Samba will wait before sending an oplock break
4472 request to such (broken) clients.
4473
4474 Warning
4475 DO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ AND UNDERSTOOD
4476 THE SAMBA OPLOCK CODE.

     Default: oplock break wait time = 0
4477
4478 oplock contention limit (S)
4479 This is a very advanced smbd(8) tuning option to improve the
4480 efficiency of the granting of oplocks under multiple client con‐
4481 tention for the same file.
4482
4483 In brief, it specifies a number which causes smbd(8) not to grant
4484 an oplock even when requested if the approximate number of
4485 clients contending for an oplock on the same file goes over this
4486 limit. This causes smbd to behave in a similar way to Windows NT.
4487
4488 Warning
4489 DO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ AND UNDERSTOOD
4490 THE SAMBA OPLOCK CODE.

     Default: oplock contention limit = 2
4491
4492 oplocks (S)
4493 This boolean option tells smbd whether to issue oplocks (oppor‐
4494 tunistic locks) to file open requests on this share. The oplock
4495 code can dramatically (approx. 30% or more) improve the speed of
4496 access to files on Samba servers. It allows the clients to
4497 aggressively cache files locally and you may want to disable this
4498 option for unreliable network environments (it is turned on by
4499 default in Windows NT Servers). For more information see the file
4500 Speed.txt in the Samba docs/ directory.
4501
4502 Oplocks may be selectively turned off on certain files within a
4503 share. See the veto oplock files parameter. On some systems
4504 oplocks are recognized by the underlying operating system. This
4505 allows data synchronization between all access to oplocked files,
4506 whether it be via Samba or NFS or a local UNIX process. See the
4507 kernel oplocks parameter for details.
4508
4509 Default: oplocks = yes
4510
4511 os2 driver map (G)
4512 The parameter is used to define the absolute path to a file con‐
4513 taining a mapping of Windows NT printer driver names to OS/2
4514 printer driver names. The format is:
4515
4516 <nt driver name> = <os2 driver name>.<device name>
4517
4518 For example, a valid entry using the HP LaserJet 5 printer driver
4519 would appear as HP LaserJet 5L = LASERJET.HP LaserJet 5L.
4520
4521 The need for the file is due to the printer driver namespace
4522 problem described in the chapter on Classical Printing in the
4523 Samba3-HOWTO book. For more details on OS/2 clients, please refer
4524 to chapter on other clients in the Samba3-HOWTO book.
4525
4526 Default: os2 driver map =
4527
4528 os level (G)
4529 This integer value controls what level Samba advertises itself as
4530 for browse elections. The value of this parameter determines
4531 whether nmbd(8) has a chance of becoming a local master browser
4532 for the workgroup in the local broadcast area.
4533
4534 Note: By default, Samba will win a local master browsing
4535 election over all Microsoft operating systems except a Windows NT
4536 4.0/2000 Domain Controller. This means that a misconfigured Samba
4537 host can effectively isolate a subnet for browsing purposes. This
4538 parameter is largely auto-configured in the Samba-3 release
4539 series and it is seldom necessary to manually over-ride the
4540 default setting. Please refer to chapter 9 of the Samba-3 HOWTO
4541 document for further information regarding the use of this param‐
4542 eter.
4543
4544 Default: os level = 20
4545
4546 Example: os level = 65
4547
4548 pam password change (G)
4549 With the addition of better PAM support in Samba 2.2, this
4550 parameter makes it possible to use PAM's password change control
4551 flag for Samba. If enabled, PAM will be used for password changes
4552 when requested by an SMB client instead of the program listed in
4553 passwd program. It should be possible to enable this without
4554 changing your passwd chat parameter for most setups.
4555
4556 Default: pam password change = no
4557
4558 panic action (G)
4559 This is a Samba developer option that allows a system command to
4560 be called when either smbd(8) or nmbd(8) crashes. This is usually
4561 used to draw attention to the fact that a problem occurred.
4562
4563 Default: panic action =
4564
4565 Example: panic action = "/bin/sleep 90000"
4566
4567 paranoid server security (G)
4568 Some versions of NT 4.x allow non-guest users with a bad password.
4569 When this option is enabled, samba will not use a broken NT 4.x
4570 server as password server, but instead complain to the logs and
4571 exit.
4572
4573 Disabling this option prevents Samba from making this check,
4574 which involves deliberately attempting a bad logon to the remote
4575 server.
4576
4577 Default: paranoid server security = yes
4578
4579 passdb backend (G)
4580 This option allows the administrator to choose which backend will
4581 be used for storing user and possibly group information. This
4582 allows you to swap between different storage mechanisms without
4583 recompiling.
4584
4585 The parameter value is divided into two parts, the backend's
4586 name and a 'location' string that has meaning only to that
4587 particular backend. These are separated by a : character.
4588
4589 Available backends can include:
4590
4591 · smbpasswd - The default smbpasswd backend. Takes a path to
4592 the smbpasswd file as an optional argument.
4593
4594 · tdbsam - The TDB based password storage backend. Takes a
4595 path to the TDB as an optional argument (defaults to
4596 passdb.tdb in the private dir directory).
4597
4598 · ldapsam - The LDAP based passdb backend. Takes an LDAP URL
4599 as an optional argument (defaults to ldap://localhost)
4600
4601 LDAP connections should be secured where possible. This may
4602 be done using either Start-TLS (see ldap ssl) or by speci‐
4603 fying ldaps:// in the URL argument.
4604
4605 Multiple servers may also be specified in double-quotes, if
4606 your LDAP libraries support the LDAP URL notation. (OpenLDAP
4607 does).
4608
4609
4610
4611
4612 Examples of use are:
4613
4614
4615 passdb backend = tdbsam:/etc/samba/private/passdb.tdb
4616
4617 or
4618
4619 passdb backend = ldapsam:"ldap://ldap-1.example.com ldap://ldap-2.example.com"
4620
4621 Default: passdb backend = smbpasswd
4622
4623 passdb expand explicit (G)
4624 This parameter controls whether Samba substitutes %-macros in the
4625 passdb fields if they are explicitly set. We used to expand
4626 macros here, but this turned out to be a bug because the Windows
4627 client can expand a variable %G_osver% in which %G would have
4628 been substituted by the user's primary group.
4629
4630 Default: passdb expand explicit = no
4631
4632 passwd chat (G)
4633 This string controls the "chat" conversation that takes place
4634 between smbd(8) and the local password changing program to change
4635 the user's password. The string describes a sequence of response-
4636 receive pairs that smbd(8) uses to determine what to send to the
4637 passwd program and what to expect back. If the expected output is
4638 not received then the password is not changed.
4639
4640 This chat sequence is often quite site specific, depending on
4641 what local methods are used for password control (such as NIS
4642 etc).
4643
4644 Note that this parameter is only used if the unix password
4645 sync parameter is set to yes. This sequence is then called AS
4646 ROOT when the SMB password in the smbpasswd file is being
4647 changed, without access to the old password cleartext. This means
4648 that root must be able to reset the user's password without know‐
4649 ing the text of the previous password. In the presence of NIS/YP,
4650 this means that the passwd program must be executed on the NIS
4651 master.
4652
4653 The string can contain the macro %n which is substituted for the
4654 new password. The chat sequence can also contain the standard
4655 macros \n, \r, \t and \s to give line-feed, carriage-return, tab
4656 and space. The chat sequence string can also contain a '*' which
4657 matches any sequence of characters. Double quotes can be used to
4658 collect strings with spaces in them into a single string.
4659
4660 If the send string in any part of the chat sequence is a full
4661 stop ".", then no string is sent. Similarly, if the expect string
4662 is a full stop then no string is expected.
4663
4664 If the pam password change parameter is set to yes, the chat
4665 pairs may be matched in any order, and success is determined by
4666 the PAM result, not any particular output. The macro is ignored
4667 for PAM conversions.
4668
4669 Default: passwd chat = *new*password* %n\n*new*password* %n\n
4670 *changed*
4671
4672 Example: passwd chat = "*Enter OLD password*" %o\n "*Enter NEW
4673 password*" %n\n "*Reenter NEW password*" %n\n "*Password
4674 changed*"
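
The following Python program is added here as an illustration and is not part of Samba. It reads a passwd chat string the way the description above specifies (whitespace-separated expect/send pairs, double-quoted tokens, the '*' wildcard, the '.' placeholder, and the %n, %o, \n, \r, \t and \s macros) and drives it against a constructed password program, reporting whether the password would have been changed. The chat string and the program's prompts are constructed for the example; %o is taken, as in the Example above, to stand for the old password. The pam password change mode, in which pairs may match in any order, is not modelled.

```python
import re

# Tokens are whitespace separated; a double-quoted token may contain spaces.
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')
# Macros described above: %n (new password), %o (old password, as in the
# Example) and the \n \r \t \s whitespace macros.
_MACRO = re.compile(r"%n|%o|\\[nrts]")


def parse_chat(chat):
    """Split a passwd chat string into (expect, send) pairs.

    A trailing expect with no send (as in the default, which ends with
    '*changed*') gets '.' as its send, meaning 'send nothing'."""
    tokens = [m.group(1) if m.group(1) is not None else m.group(2)
              for m in _TOKEN.finditer(chat)]
    expects, sends = tokens[0::2], tokens[1::2]
    if len(sends) < len(expects):
        sends.append(".")
    return list(zip(expects, sends))


def expand(token, new_password, old_password):
    """Substitute the macros in one chat token in a single pass, so that
    characters inside a password are never themselves re-expanded."""
    table = {"%n": new_password, "%o": old_password,
             "\\n": "\n", "\\r": "\r", "\\t": "\t", "\\s": " "}
    return _MACRO.sub(lambda m: table[m.group(0)], token)


def matches(expect, output):
    """An expect string of '.' matches anything; '*' matches any run of
    characters; every other character is literal."""
    if expect == ".":
        return True
    pattern = ".*".join(re.escape(part) for part in expect.split("*"))
    return re.fullmatch(pattern, output, re.DOTALL) is not None


def run_chat(chat, program_outputs, new_password, old_password=""):
    """Drive a scripted (constructed) password program through the chat.

    program_outputs[i] is the text the program has printed when the i-th
    expect string is checked. Returns (changed, transcript); `changed` is
    False as soon as an expect string fails to match, which is the point
    at which smbd would refuse to change the SMB password."""
    transcript = []
    for i, (expect, send) in enumerate(parse_chat(chat)):
        output = program_outputs[i] if i < len(program_outputs) else ""
        transcript.append(("recv", output))
        if not matches(expand(expect, new_password, old_password), output):
            transcript.append(("fail", expect))
            return False, transcript
        if send != ".":
            transcript.append(("send", expand(send, new_password, old_password)))
    return True, transcript


def sent_strings(transcript):
    """The strings smbd would have written to the password program."""
    return [text for kind, text in transcript if kind == "send"]


# Constructed chat string modelled on the Example above, and constructed
# prompts of a fictitious password program for both possible outcomes.
CHAT = ('"*Enter OLD password*" %o\\n "*Enter NEW password*" %n\\n '
        '"*Reenter NEW password*" %n\\n "*Password changed*"')
PROMPTS_OK = ["Enter OLD password: ", "Enter NEW password: ",
              "Reenter NEW password: ", "Password changed.\n"]
PROMPTS_REJECTED = PROMPTS_OK[:3] + ["Sorry, passwords do not match.\n"]


if __name__ == "__main__":
    ok, log = run_chat(CHAT, PROMPTS_OK, "n3wPass", "0ldPass")
    print("changed:", ok, "sent:", sent_strings(log))
    ok, log = run_chat(CHAT, PROMPTS_REJECTED, "n3wPass", "0ldPass")
    print("changed:", ok, "failed at:", log[-1])
```

Running it shows the old password sent once and the new one twice for the successful run, and a failure at the final "*Password changed*" expect when the program rejects the change, which is exactly the case in which the SMB password is left untouched.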
4675
4676 passwd chat debug (G)
4677 This boolean specifies if the passwd chat script parameter is run
4678 in debug mode. In this mode the strings passed to and received
4679 from the passwd chat are printed in the smbd(8) log with a debug
4680 level of 100. This is a dangerous option as it will allow plain‐
4681 text passwords to be seen in the smbd log. It is available to
4682 help Samba admins debug their passwd chat scripts when calling
4683 the passwd program and should be turned off after this has been
4684 done. This option has no effect if the pam password change
4685 parameter is set. This parameter is off by default.
4686
4687 Default: passwd chat debug = no
4688
4689 passwd chat timeout (G)
4690 This integer specifies the number of seconds smbd will wait for
4691 an initial answer from a passwd chat script being run. Once the
4692 initial answer is received the subsequent answers must be
4693 received in one tenth of this time. The default is two seconds.
4694
4695 Default: passwd chat timeout = 2
4696
4697 passwd program (G)
4698 The name of a program that can be used to set UNIX user pass‐
4699 words. Any occurrences of %u will be replaced with the user name.
4700 The user name is checked for existence before calling the pass‐
4701 word changing program.
4702
4703 Also note that many passwd programs insist on reasonable
4704 passwords, such as a minimum length, or the inclusion of mixed case
4705 chars and digits. This can pose a problem as some clients (such
4706 as Windows for Workgroups) uppercase the password before sending
4707 it.
4708
4709 Note that if the unix password sync parameter is set to yes then
4710 this program is called AS ROOT before the SMB password in the
4711 smbpasswd file is changed. If this UNIX password change fails,
4712 then smbd will fail to change the SMB password also (this is by
4713 design).
4714
4715 If the unix password sync parameter is set this parameter MUST
4716 USE ABSOLUTE PATHS for ALL programs called, and must be examined
4717 for security implications. Note that by default unix password
4718 sync is set to no.
4719
4720 Default: passwd program =
4721
4722 Example: passwd program = /bin/passwd %u
4723
4724 password level (G)
4725 Some client/server combinations have difficulty with mixed-case
4726 passwords. One offending client is Windows for Workgroups, which
4727 for some reason forces passwords to upper case when using the
4728 LANMAN1 protocol, but leaves them alone when using COREPLUS!
4729 Another problem child is the Windows 95/98 family of operating
4730 systems. These clients upper case clear text passwords even when
4731 NT LM 0.12 selected by the protocol negotiation request/response.
4732
4733 This parameter defines the maximum number of characters that may
4734 be upper case in passwords.
4735
4736 For example, say the password given was "FRED". If
4737 password level is set to 1, the following combinations would be
4738 tried if "FRED" failed:
4739
4740 "Fred", "fred", "fRed", "frEd","freD"
4741
4742 If password level was set to 2, the following combinations would
4743 also be tried:
4744
4745 "FRed", "FrEd", "FreD", "fREd", "fReD", "frED", ..
4746
4747 And so on.
4748
4749 The higher value this parameter is set to the more likely it is
4750 that a mixed case password will be matched against a single case
4751 password. However, you should be aware that use of this parameter
4752 reduces security and increases the time taken to process a new
4753 connection.
4754
4755 A value of zero will cause only two attempts to be made - the
4756 password as is and the password in all-lower case.
4757
4758 This parameter is used only when using plain-text passwords. It
4759 is not at all used when encrypted passwords are in use (that is
4760 the default since samba-3.0.0). Use this only when encrypt
4761 passwords = No.
4762
4763 Default: password level = 0
4764
4765 Example: password level = 4
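
As an added illustration (not Samba's own code), the Python below enumerates the spellings smbd would try for a given password level, following the description above, and answers whether a client's upper-cased password would match a mixed-case stored one. For a password with n letters the number of attempts is 2 + C(n,1) + ... + C(n,level), which is why raising the level both slows each new connection and widens the set of strings the server will accept as the password.

```python
from itertools import combinations


def password_level_candidates(password, level):
    """Return the strings smbd would try for a clear-text password at the
    given password level: the password as sent, its all-lower-case form,
    then every variant with exactly 1, 2, ... `level` of its letters in
    upper case. Digits and punctuation have no case and are left alone."""
    lower = password.lower()
    seen = []

    def add(candidate):
        if candidate not in seen:      # a level of n regenerates the original
            seen.append(candidate)

    add(password)
    add(lower)
    letters = [i for i, ch in enumerate(lower) if ch.lower() != ch.upper()]
    for k in range(1, level + 1):
        for upper_at in combinations(letters, k):
            add("".join(ch.upper() if i in upper_at else ch
                        for i, ch in enumerate(lower)))
    return seen


def would_authenticate(sent, stored, level):
    """True if a client that sent `sent` (for example, upper-cased by
    Windows for Workgroups) would be accepted against the stored
    clear-text password `stored` at this password level."""
    return stored in password_level_candidates(sent, level)


if __name__ == "__main__":
    for level in range(0, 5):
        tried = password_level_candidates("FRED", level)
        print(level, len(tried), tried)
    print(would_authenticate("FRED", "fRed", 0), would_authenticate("FRED", "fRed", 1))
```

With "FRED" the counts are 2, 6, 12, 16 and 16 for levels 0 to 4, and a client that upper-cases "fRed" to "FRED" only logs in once the level is at least 1.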
4766
4767 password server (G)
4768 By specifying the name of another SMB server or Active Directory
4769 domain controller with this option, and using security =
4770 [ads|domain|server] it is possible to get Samba to do all its
4771 username/password validation using a specific remote server.
4772
4773 This option sets the name or IP address of the password server to
4774 use. New syntax has been added to support defining the port to
4775 use when connecting to the server in the case of an ADS realm. To
4776 define a port other than the default LDAP port of 389, add the
4777 port number using a colon after the name or IP address (e.g.
4778 192.168.1.100:389). If you do not specify a port, Samba will use
4779 the standard LDAP port of tcp/389. Note that port numbers have no
4780 effect on password servers for Windows NT 4.0 domains or netbios
4781 connections.
4782
4783 If the parameter is a name, it is looked up using the name
4784 resolve order parameter and so may be resolved by any method and
4785 order described in that parameter.
4786
4787 The password server must be a machine capable of using the
4788 "LM1.2X002" or the "NT LM 0.12" protocol, and it must be in user
4789 level security mode.
4790
4791 Note
4792 Using a password server means your UNIX box (running Samba) is
4793 only as secure as your password server. DO NOT CHOOSE A PASSWORD
4794 SERVER THAT YOU DON'T COMPLETELY TRUST. Never point a Samba
4795 server at itself for password serving. This will cause a loop and
4796 could lock up your Samba server!
4797
4798 The name of the password server takes the standard substitutions,
4799 but probably the only useful one is %m , which means the Samba
4800 server will use the incoming client as the password server. If
4801 you use this then you better trust your clients, and you had bet‐
4802 ter restrict them with hosts allow!
4803
4804 If the security parameter is set to domain or ads, then the list
4805 of machines in this option must be a list of Primary or Backup
4806 Domain controllers for the Domain or the character '*', as the
4807 Samba server is effectively in that domain, and will use crypto‐
4808 graphically authenticated RPC calls to authenticate the user log‐
4809 ging on. The advantage of using security = domain is that if you
4810 list several hosts in the password server option then smbd will
4811 try each in turn till it finds one that responds. This is useful
4812 in case your primary server goes down.
4813
4814 If the password server option is set to the character '*', then
4815 Samba will attempt to auto-locate the Primary or Backup Domain
4816 controllers to authenticate against by doing a query for the name
4817 WORKGROUP<1C> and then contacting each server returned in the
4818 list of IP addresses from the name resolution source.
4819
4820 If the list of servers contains both names/IP's and the '*' char‐
4821 acter, the list is treated as a list of preferred domain con‐
4822 trollers, but an auto lookup of all remaining DC's will be added
4823 to the list as well. Samba will not attempt to optimize this list
4824 by locating the closest DC.
4825
4826 If the security parameter is set to server, then there are dif‐
4827 ferent restrictions that security = domain doesn't suffer from:
4828
4829 · You may list several password servers in the password
4830 server parameter, however if an smbd makes a connection to
4831 a password server, and then the password server fails, no
4832 more users will be able to be authenticated from this smbd.
4833 This is a restriction of the SMB/CIFS protocol when in
4834 security = server mode and cannot be fixed in Samba.
4835
4836 · If you are using a Windows NT server as your password
4837 server then you will have to ensure that your users are
4838 able to login from the Samba server, as when in security =
4839 server mode the network logon will appear to come from
4840 there rather than from the users workstation.
4841
4842 Default: password server =
4843
4844 Example: password server = NT-PDC, NT-BDC1, NT-BDC2, *
4845
4846 Example: password server = windc.mydomain.com:389
4847 192.168.1.101 *
4848
4849 Example: password server = *
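
The Python below is an added example, not Samba's parser, of how a password server value is read according to the rules above: names or addresses separated by spaces or commas, an optional :port (recorded as 389 when absent, which only matters for an ADS realm), and the '*' auto-locate entry, which when mixed with names turns the names into a preferred list with the remaining domain controllers appended by lookup. It also includes the check the Note above calls for, that the list never names the Samba server itself; the set of local names is supplied by the caller and the values in the tests are constructed.

```python
DEFAULT_LDAP_PORT = 389


def parse_password_server(value):
    """Parse a `password server` value into ordered entries.

    Each entry is {"host", "port", "auto"}. 'host:port' records the given
    port, a bare name or address records the default LDAP port, and '*'
    becomes an auto-locate entry. Order is kept because smbd tries the
    servers in turn."""
    entries = []
    for token in value.replace(",", " ").split():
        if token == "*":
            entries.append({"host": "*", "port": None, "auto": True})
            continue
        host, sep, port = token.rpartition(":")
        if sep and port.isdigit():
            entries.append({"host": host, "port": int(port), "auto": False})
        else:
            entries.append({"host": token, "port": DEFAULT_LDAP_PORT,
                            "auto": False})
    return entries


def lookup_plan(entries):
    """Return (preferred, auto_lookup): the explicitly listed servers in
    the order smbd tries them, and whether the remaining domain
    controllers are to be added by a WORKGROUP<1C> name query."""
    preferred = [e["host"] for e in entries if not e["auto"]]
    return preferred, any(e["auto"] for e in entries)


def points_at_self(entries, local_names):
    """Return the listed servers that are this machine itself, which the
    Note above says must never happen (it causes a loop). `local_names`
    holds this host's own NetBIOS name, hostnames and addresses."""
    local = {n.lower() for n in local_names}
    return [e["host"] for e in entries
            if not e["auto"] and e["host"].lower() in local]


if __name__ == "__main__":
    for value in ("NT-PDC, NT-BDC1, NT-BDC2, *",
                  "windc.mydomain.com:389 192.168.1.101 *", "*"):
        entries = parse_password_server(value)
        print(value, "->", lookup_plan(entries))
    # constructed local names for the self-reference check
    print(points_at_self(parse_password_server("NT-PDC, *"), {"nt-pdc"}))
```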
4850
4851 directory
4852 This parameter is a synonym for path.
4853
4854 path (S)
4855 This parameter specifies a directory to which the user of the
4856 service is to be given access. In the case of printable services,
4857 this is where print data will spool prior to being submitted to
4858 the host for printing.
4859
4860 For a printable service offering guest access, the service should
4861 be readonly and the path should be world-writeable and have the
4862 sticky bit set. This is not mandatory of course, but you probably
4863 won't get the results you expect if you do otherwise.
4864
4865 Any occurrences of %u in the path will be replaced with the UNIX
4866 username that the client is using on this connection. Any occur‐
4867 rences of %m will be replaced by the NetBIOS name of the machine
4868 they are connecting from. These replacements are very useful for
4869 setting up pseudo home directories for users.
4870
4871 Note that this path will be based on root dir if one was speci‐
4872 fied.
4873
4874 Default: path =
4875
4876 Example: path = /home/fred
4877
4878 pid directory (G)
4879 This option specifies the directory where pid files will be
4880 placed.
4881
4882 Default: pid directory = ${prefix}/var/locks
4883
4884 Example: pid directory = /var/run/
4885
4886 posix locking (S)
4887 The smbd(8) daemon maintains a database of file locks obtained
4888 by SMB clients. The default behavior is to map this internal
4889 database to POSIX locks. This means that file locks obtained by
4890 SMB clients are consistent with those seen by POSIX compliant
4891 applications accessing the files via a non-SMB method (e.g. NFS
4892 or local file access). You should never need to disable this
4893 parameter.
4894
4895 Default: posix locking = yes
4896
4897 postexec (S)
4898 This option specifies a command to be run whenever the service is
4899 disconnected. It takes the usual substitutions. The command may
4900 be run as root on some systems.
4901
4902 An interesting example may be to unmount server resources:
4903
4904 postexec = /etc/umount /cdrom
4905
4906 Default: postexec =
4907
4908 Example: postexec = echo \"%u disconnected from %S from %m (%I)\"
4909 >> /tmp/log
4910
4911 exec
4912 This parameter is a synonym for preexec.
4913
4914 preexec (S)
4915 This option specifies a command to be run whenever the service is
4916 connected to. It takes the usual substitutions.
4917
4918 An interesting example is to send the users a welcome message
4919 every time they log in. Maybe a message of the day? Here is an
4920 example:
4921
4922
4923 preexec = csh -c 'echo \"Welcome to %S!\" |
4924 /usr/local/samba/bin/smbclient -M %m -I %I' &
4925
4926 Of course, this could get annoying after a while :-)
4927
4928 See also preexec close and postexec.
4929
4930 Default: preexec =
4931
4932 Example: preexec = echo \"%u connected to %S from %m (%I)\" >>
4933 /tmp/log
4934
4935 preexec close (S)
4936 This boolean option controls whether a non-zero return code from
4937 preexec should close the service being connected to.
4938
4939 Default: preexec close = no
4940
4941 prefered master
4942 This parameter is a synonym for preferred master.
4943
4944 preferred master (G)
4945 This boolean parameter controls if nmbd(8) is a preferred master
4946 browser for its workgroup.
4947
4948 If this is set to yes, on startup, nmbd will force an election,
4949 and it will have a slight advantage in winning the election. It
4950 is recommended that this parameter is used in conjunction with
4951 domain master = yes, so that nmbd can guarantee becoming a domain
4952 master.
4953
4954 Use this option with caution, because if there are several hosts
4955 (whether Samba servers, Windows 95 or NT) that are preferred mas‐
4956 ter browsers on the same subnet, they will each periodically and
4957 continuously attempt to become the local master browser. This
4958 will result in unnecessary broadcast traffic and reduced browsing
4959 capabilities.
4960
4961 Default: preferred master = auto
4962
4963 auto services
4964 This parameter is a synonym for preload.
4965
4966 preload (G)
4967 This is a list of services that you want to be automatically
4968 added to the browse lists. This is most useful for homes and
4969 printers services that would otherwise not be visible.
4970
4971 Note that if you just want all printers in your printcap file
4972 loaded then the load printers option is easier.
4973
4974 Default: preload =
4975
4976 Example: preload = fred lp colorlp
4977
4978 preload modules (G)
4979 This is a list of paths to modules that should be loaded into
4980 smbd before a client connects. This improves the speed of smbd
4981 when reacting to new connections somewhat.
4982
4983 Default: preload modules =
4984
4985 Example: preload modules = /usr/lib/samba/passdb/mysql.so
4986
4987 preserve case (S)
4988 This controls if new filenames are created with the case that the
4989 client passes, or if they are forced to be the default case.
4990
4991 See the section on NAME MANGLING for a fuller discussion.
4992
4993 Default: preserve case = yes
4994
4995 print ok
4996 This parameter is a synonym for printable.
4997
4998 printable (S)
4999 If this parameter is yes, then clients may open, write to and
5000 submit spool files on the directory specified for the service.
5001
5002 Note that a printable service will ALWAYS allow writing to the
5003 service path (user privileges permitting) via the spooling of
5004 print data. The read only parameter controls only non-printing
5005 access to the resource.
5006
5007 Default: printable = no
5008
5009 printcap cache time (G)
5010 This option specifies the number of seconds before the printing
5011 subsystem is again asked for the known printers. If the value is
5012 greater than 60 the initial waiting time is set to 60 seconds to
5013 allow an earlier first rescan of the printing subsystem.
5014
5015 Setting this parameter to 0 disables any rescanning for new or
5016 removed printers after the initial startup.
5017
5018 Default: printcap cache time = 750
5019
5020 Example: printcap cache time = 600
5021
5022 printcap
5023 This parameter is a synonym for printcap name.
5024
5025 printcap name (S)
5026 This parameter may be used to override the compiled-in default
5027 printcap name used by the server (usually
5028 /etc/printcap). See the discussion of the [printers] section
5029 above for reasons why you might want to do this.
5030
5031 To use the CUPS printing interface set printcap name = cups. This
5032 should be supplemented by an additional setting printing = cups in
5033 the [global] section. printcap name = cups will use the "dummy"
5034 printcap created by CUPS, as specified in your CUPS configuration
5035 file.
5036
5037 On System V systems that use lpstat to list available printers
5038 you can use printcap name = lpstat to automatically obtain lists
5039 of available printers. This is the default for systems that
5040 define SYSV at configure time in Samba (this includes most System
5041 V based systems). If
5042 printcap name is set to lpstat on these systems then Samba will
5043 launch lpstat -v and attempt to parse the output to obtain a
5044 printer list.
5045
5046 A minimal printcap file would look something like this:
5047
5048
5049
5050
5051 print1|My Printer 1
5052 print2|My Printer 2
5053 print3|My Printer 3
5054 print4|My Printer 4
5055 print5|My Printer 5
5056
5057 where the '|' separates aliases of a printer. The fact that the
5058 second alias has a space in it gives a hint to Samba that it's a
5059 comment.
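
As an added example (not Samba's own printcap reader), the Python below parses a printcap file of the minimal form shown above: each entry is a '|'-separated list of aliases, the first alias is the printer name, and the first alias containing a space is taken as the printer's comment. Two assumptions go beyond the man page and follow standard printcap syntax: a ':' ends the alias list and starts the capability fields, and a trailing backslash continues an entry on the next line. The sample file is constructed.

```python
def parse_printcap(text):
    """Return a list of {"name", "comment", "aliases"} for each printer
    entry in `text`. Blank lines and '#' comments are skipped."""
    # First join backslash-continued lines (assumed printcap convention).
    joined, pending = [], ""
    for raw in text.splitlines():
        if raw.rstrip().endswith("\\"):
            pending += raw.rstrip()[:-1]
            continue
        joined.append(pending + raw)
        pending = ""
    if pending:
        joined.append(pending)

    printers = []
    for line in joined:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        names = line.split(":", 1)[0]          # aliases precede capabilities
        aliases = [a.strip() for a in names.split("|") if a.strip()]
        if not aliases:
            continue
        comment = next((a for a in aliases[1:] if " " in a), "")
        printers.append({"name": aliases[0], "comment": comment,
                         "aliases": aliases})
    return printers


# Constructed sample in the layout shown in the man page.
SAMPLE_PRINTCAP = """\
# printers offered by this host
print1|My Printer 1
print2|My Printer 2
print3|lp3|My Printer 3
"""


if __name__ == "__main__":
    for printer in parse_printcap(SAMPLE_PRINTCAP):
        print(printer["name"], "-", printer["comment"], printer["aliases"])
```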
5060
5061 Note
5062 Under AIX the default printcap name is /etc/qconfig. Samba will
5063 assume the file is in AIX qconfig format if the string qconfig
5064 appears in the printcap filename.

5065 Default: printcap name = /etc/printcap
5066
5067 Example: printcap name = /etc/myprintcap
5068
5069 print command (S)
5070 After a print job has finished spooling to a service, this com‐
5071 mand will be used via a system() call to process the spool file.
5072 Typically the command specified will submit the spool file to the
5073 host's printing subsystem, but there is no requirement that this
5074 be the case. The server will not remove the spool file, so what‐
5075 ever command you specify should remove the spool file when it has
5076 been processed, otherwise you will need to manually remove old
5077 spool files.
5078
5079 The print command is simply a text string. It will be used verba‐
5080 tim after macro substitutions have been made:
5081
5082 %s, %f - the path to the spool file name
5083
5084 %p - the appropriate printer name
5085
5086 %J - the job name as transmitted by the client.
5087
5088 %c - The number of printed pages of the spooled job (if known).
5089
5090 %z - the size of the spooled print job (in bytes)
5091
5092 The print command MUST contain at least one occurrence of %s or
5093 %f - the %p is optional. At the time a job is submitted, if no
5094 printer name is supplied the %p will be silently removed from the
5095 printer command.
5096
5097 If specified in the [global] section, the print command given
5098 will be used for any printable service that does not have its own
5099 print command specified.
5100
5101 If there is neither a specified print command for a printable
5102 service nor a global print command, spool files will be created
5103 but not processed and (most importantly) not removed.
5104
5105 Note that printing may fail on some UNIXes from the nobody
5106 account. If this happens then create an alternative guest account
5107 that can print and set the guest account in the [global] section.
5108
5109 You can form quite complex print commands by realizing that they
5110 are just passed to a shell. For example the following will log a
5111 print job, print the file, then remove it. Note that ';' is the
5112 usual separator for command in shell scripts.
5113
5114 print command = echo Printing %s >> /tmp/print.log; lpr -P %p %s;
5115 rm %s
5116
5117 You may have to vary this command considerably depending on how
5118 you normally print files on your system. The default for the
5119 parameter varies depending on the setting of the printing parame‐
5120 ter.
5121
5122 Default: For printing = BSD, AIX, QNX, LPRNG or PLP :
5123
5124 print command = lpr -r -P%p %s
5125
5126 For printing = SYSV or HPUX :
5127
5128 print command = lp -c -d%p %s; rm %s
5129
5130 For printing = SOFTQ :
5131
5132 print command = lp -d%p -s %s; rm %s
5133
5134 For printing = CUPS : If SAMBA is compiled against libcups, then
5135 printcap = cups uses the CUPS API to submit jobs, etc. Otherwise
5136 it maps to the System V commands with the -oraw option for print‐
5137 ing, i.e. it uses lp -c -d%p -oraw; rm %s. With printing = cups,
5138 and if SAMBA is compiled against libcups, any manually set print
5139 command will be ignored.
5140
5141 No default
5142
5143 Example: print command = /usr/local/samba/bin/myprintscript %p %s
5144
5145 printer admin (S)
5146 This lists users who can do anything to printers via the remote
5147 administration interfaces offered by MS-RPC (usually using a NT
5148 workstation). This parameter can be set per-share or globally.
5149 Note: The root user always has admin rights. Use caution with use
5150 in the global stanza as this can cause side effects.
5151
5152 This parameter has been marked deprecated in favor of using the
5153 SePrintOperatorPrivilege and individual print security descrip‐
5154 tors. It will be removed in a future release.
5155
5156 Default: printer admin =
5157
5158 Example: printer admin = admin, @staff
5159
5160 printer
5161 This parameter is a synonym for printer name.
5162
5163 printer name (S)
5164 This parameter specifies the name of the printer to which print
5165 jobs spooled through a printable service will be sent.
5166
5167 If specified in the [global] section, the printer name given will
5168 be used for any printable service that does not have its own
5169 printer name specified.
5170
5171 The default value of the printer name may be lp on many systems.
5172
5173 Default: printer name = none
5174
5175 Example: printer name = laserwriter
5176
5177 printing (S)
5178 This parameter controls how printer status information is inter‐
5179 preted on your system. It also affects the default values for the
5180 print command, lpq command, lppause command , lpresume command,
5181 and lprm command if specified in the [global] section.
5182
5183 Currently nine printing styles are supported. They are BSD, AIX,
5184 LPRNG, PLP, SYSV, HPUX, QNX, SOFTQ, and CUPS.
5185
5186 To see what the defaults are for the other print commands when
5187 using the various options use the testparm(1) program.
5188
5189 This option can be set on a per printer basis. Please be aware
5190 however, that you must place any of the various printing commands
5191 (e.g. print command, lpq command, etc...) after defining the
5192 value for the printing option since it will reset the printing
5193 commands to default values.
5194
5195 See also the discussion in the [printers] section.
5196
5197 No default
5198
5199 printjob username (S)
5200 This parameter specifies which user information will be passed to
5201 the printing system. Usually, the username is sent, but in some
5202 cases, e.g. the domain prefix is useful, too.
5203
5204 Default: printjob username = %U
5205
5206 Example: printjob username = %D\%U
5207
5208 private dir (G)
5209 This parameter defines the directory smbd will use for storing
5210 such files as smbpasswd and secrets.tdb.
5211
5212 Default: private dir = ${prefix}/private
5213
5214 profile acls (S)
5215 This boolean parameter was added to fix the problems that people
5216 have been having with storing user profiles on Samba shares from
5217 Windows 2000 or Windows XP clients. New versions of Windows 2000
5218 or Windows XP service packs do security ACL checking on the owner
5219 and ability to write of the profile directory stored on a local
5220 workstation when copied from a Samba share.
5221
5222 When not in domain mode with winbindd then the security info
5223 copied onto the local workstation has no meaning to the logged in
5224 user (SID) on that workstation so the profile storing fails.
5225 Adding this parameter onto a share used for profile storage
5226 changes two things about the returned Windows ACL. Firstly it
5227 changes the owner and group owner of all reported files and
5228 directories to be BUILTIN\Administrators, BUILTIN\Users respec‐
5229 tively (SIDs S-1-5-32-544, S-1-5-32-545). Secondly it adds an ACE
5230 entry of "Full Control" to the SID BUILTIN\Users to every
5231 returned ACL. This will allow any Windows 2000 or XP workstation
5232 user to access the profile.
5233
5234 Note that if you have multiple users logging on to a workstation
5235 then in order to prevent them from being able to access each oth‐
5236 ers profiles you must remove the "Bypass traverse checking"
5237 advanced user right. This will prevent access to other users pro‐
5238 file directories as the top level profile directory (named after
5239 the user) is created by the workstation profile code and has an
5240 ACL restricting entry to the directory tree to the owning user.
5241
5242 Default: profile acls = no
5243
5244 queuepause command (S)
5245 This parameter specifies the command to be executed on the server
5246 host in order to pause the printer queue.
5247
5248 This command should be a program or script which takes a printer
5249 name as its only parameter and stops the printer queue, such that
5250 no further jobs are submitted to the printer.
5251
5252 This command is not supported by Windows for Workgroups, but can
5253 be issued from the Printers window under Windows 95 and NT.
5254
5255 If a %p is given then the printer name is put in its place. Oth‐
5256 erwise it is placed at the end of the command.
5257
5258 Note that it is good practice to include the absolute path in the
5259 command as the PATH may not be available to the server.
5260
5261 No default
5262
5263 Example: queuepause command = disable %p
5264
5265 queueresume command (S)
5266 This parameter specifies the command to be executed on the server
5267 host in order to resume the printer queue. It is the command to
5268 undo the behavior that is caused by the previous parameter
5269 (queuepause command).
5270
5271 This command should be a program or script which takes a printer
5272 name as its only parameter and resumes the printer queue, such
5273 that queued jobs are resubmitted to the printer.
5274
5275 This command is not supported by Windows for Workgroups, but can
5276 be issued from the Printers window under Windows 95 and NT.
5277
5278 If a %p is given then the printer name is put in its place. Oth‐
5279 erwise it is placed at the end of the command.
5280
5281 Note that it is good practice to include the absolute path in the
5282 command as the PATH may not be available to the server.
5283
5284 Default: queueresume command =
5285
5286 Example: queueresume command = enable %p
5287
5288 read bmpx (G)
5289 This boolean parameter controls whether smbd(8) will support the
5290 "Read Block Multiplex" SMB. This is now rarely used and defaults
5291 to no. You should never need to set this parameter.
5292
5293 Default: read bmpx = no
5294
5295 read list (S)
5296 This is a list of users that are given read-only access to a ser‐
5297 vice. If the connecting user is in this list then they will not
5298 be given write access, no matter what the read only option is set
5299 to. The list can include group names using the syntax described
5300 in the invalid users parameter.
5301
5302 This parameter will not work with the security = share in Samba
5303 3.0. This is by design.
5304
5305 Default: read list =
5306
5307 Example: read list = mary, @students
5308
5309 read only (S)
5310 An inverted synonym is writeable.
5311
5312 If this parameter is yes, then users of a service may not create
5313 or modify files in the service's directory.
5314
5315 Note that a printable service (printable = yes) will ALWAYS allow
5316 writing to the directory (user privileges permitting), but only
5317 via spooling operations.
5318
5319 Default: read only = yes
5320
5321 read raw (G)
5322 This parameter controls whether or not the server will support
5323 the raw read SMB requests when transferring data to clients.
5324
5325 If enabled, raw reads allow reads of 65535 bytes in one packet.
5326 This typically provides a major performance benefit.
5327
5328 However, some clients either negotiate the allowable block size
5329 incorrectly or are incapable of supporting larger block sizes,
5330 and for these clients you may need to disable raw reads.
5331
5332 In general this parameter should be viewed as a system tuning
5333 tool and left severely alone.
5334
5335 Default: read raw = yes
5336
5337 realm (G)
5338 This option specifies the kerberos realm to use. The realm is
5339 used as the ADS equivalent of the NT4 domain. It is usually set
5340 to the DNS name of the kerberos server.
5341
5342 Default: realm =
5343
5344 Example: realm = mysambabox.mycompany.com
5345
5346 remote announce (G)
5347 This option allows you to set up nmbd(8) to periodically announce
5348 itself to arbitrary IP addresses with an arbitrary workgroup
5349 name.
5350
5351 This is useful if you want your Samba server to appear in a
5352 remote workgroup for which the normal browse propagation rules
5353 don't work. The remote workgroup can be anywhere that you can
5354 send IP packets to.
5355
5356 For example:
5357
5358
5359
5360
5361 remote announce = 192.168.2.255/SERVERS 192.168.4.255/STAFF
5362
5363 the above line would cause nmbd to announce itself to the two
5364 given IP addresses using the given workgroup names. If you leave
5365 out the workgroup name then the one given in the workgroup param‐
5366 eter is used instead.
5367
5368 The IP addresses you choose would normally be the broadcast
5369 addresses of the remote networks, but can also be the IP
5370 addresses of known browse masters if your network config is that
5371 stable.
5372
5373 See the chapter on Network Browsing in the Samba-HOWTO book.
5374
5375 Default: remote announce =
5376
5377 remote browse sync (G)
5378 This option allows you to set up nmbd(8) to periodically request
5379 synchronization of browse lists with the master browser of a
5380 Samba server that is on a remote segment. This option will allow
5381 you to gain browse lists for multiple workgroups across routed
5382 networks. This is done in a manner that does not work with any
5383 non-Samba servers.
5384
5385 This is useful if you want your Samba server and all local
5386 clients to appear in a remote workgroup for which the normal
5387 browse propagation rules don't work. The remote workgroup can be
5388 anywhere that you can send IP packets to.
5389
5390 For example:
5391
5392
5393
5394
5395 remote browse sync = 192.168.2.255 192.168.4.255
5396
5397 the above line would cause nmbd to request the master browser on
5398 the specified subnets or addresses to synchronize their browse
5399 lists with the local server.
5400
5401 The IP addresses you choose would normally be the broadcast
5402 addresses of the remote networks, but can also be the IP
5403 addresses of known browse masters if your network config is that
5404 stable. If a machine IP address is given Samba makes NO attempt
5405 to validate that the remote machine is available, is listening,
5406 nor that it is in fact the browse master on its segment.
5407
5408 The remote browse sync may be used on networks where there is no
5409 WINS server, and may be used on disjoint networks where each net‐
5410 work has its own WINS server.
5411
5412 Default: remote browse sync =
5413
5414 rename user script (G)
5415 This is the full pathname to a script that will be run as root by
5416 smbd(8) under special circumstances described below.
5417
5418 When a user with admin authority or SeAddUserPrivilege rights
5419 renames a user (e.g.: from the NT4 User Manager for Domains),
5420 this script will be run to rename the POSIX user. Two variables,
5421 %uold and %unew, will be substituted with the old and new user‐
5422 names, respectively. The script should return 0 upon successful
5423 completion, and nonzero otherwise.
5424
5425 Note
5426 The script is responsible for renaming all the necessary data
5427 that is accessible by this POSIX method. This can mean different
5428 requirements for different backends. The tdbsam and smbpasswd
5429 backends will take care of the contents of their respective
5430 files, so the script is responsible only for changing the POSIX
5431 username, and other data that may be required for your
5432 circumstances, such as the home directory. Please also consider
5433 whether or not you need to rename the actual home directories
5434 themselves. The ldapsam backend will not make any changes,
5435 because of the potential issues with renaming the LDAP naming
5436 attribute. In this case the script is responsible for changing
5437 the attribute that samba uses (uid) for locating users, as well
5438 as any data that needs to change for other applications using
5438 the same directory.

5439 Default: rename user script = no
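
Because this script runs as root with two values that came from a remote client (%uold and %unew), the one check a practitioner wants in it is validation of those names before any command sees them. The Python script below is an added example, not part of Samba: it accepts the two names as arguments, refuses anything that is not a plain login name (the character set and the 32-character limit are this example's own policy, not something the man page mandates), runs usermod -l with an argument list so that no shell ever interprets the names, and exits nonzero on any failure, as the description above requires. The installation path in the usage note is hypothetical.

```python
import re
import subprocess
import sys

# Policy enforced by this example (an assumption, not a Samba rule): a
# portable login name of at most 32 characters with no whitespace or
# shell metacharacters, so a name can never alter the command executed.
_USERNAME = re.compile(r"^[A-Za-z_][A-Za-z0-9._-]{0,31}$")


def build_rename_command(old, new):
    """Return the argv that renames `old` to `new`, or raise ValueError.

    The command is built as an argument list, never as a shell string."""
    for name in (old, new):
        if not _USERNAME.match(name):
            raise ValueError("refusing to rename: bad username %r" % name)
    if old == new:
        raise ValueError("old and new usernames are identical")
    return ["/usr/sbin/usermod", "-l", new, old]


def rejects(old, new):
    """True when build_rename_command refuses this pair of names."""
    try:
        build_rename_command(old, new)
    except ValueError:
        return True
    return False


def main(argv):
    """Exit status 0 only when usermod succeeded, nonzero otherwise,
    which is what smbd expects from a rename user script."""
    if len(argv) != 3:
        print("usage: rename-user OLDNAME NEWNAME", file=sys.stderr)
        return 1
    try:
        cmd = build_rename_command(argv[1], argv[2])
    except ValueError as exc:
        print("rename-user: %s" % exc, file=sys.stderr)
        return 1
    return subprocess.call(cmd)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Installed as, say, /usr/local/sbin/rename-user (a hypothetical path), it would be wired up with rename user script = /usr/local/sbin/rename-user %uold %unew. If the home directory is to follow the user, as the Note above asks you to consider, the usermod call would additionally pass -m -d with the new home path.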
5440
5441 reset on zero vc (G)
5442 This boolean option controls whether an incoming session setup
5443 should kill other connections coming from the same IP. This
5444 matches the default Windows 2003 behaviour. Setting this parame‐
5445 ter to yes becomes necessary when you have a flaky network and
5446 Windows decides to reconnect while the old connection still has
5447 files with share modes open. These files become inaccessible over
5448 the new connection. The client sends a zero VC on the new connec‐
5449 tion, and Windows 2003 kills all other connections coming from
5450 the same IP. This way the locked files are accessible again.
5451 Please be aware that enabling this option will kill connections
5452 behind a masquerading (NAT) router: all clients behind it share
5453 one source IP, so a new session from any of them terminates the
5454 others' connections.
5453
5454 Default: reset on zero vc = no
5455
5456 restrict anonymous (G)
5457 The setting of this parameter determines whether user and group
5458 list information is returned for an anonymous connection, and
5459 mirrors the effects of the
5460
5461 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous
5462
5463 registry key in Windows 2000 and Windows NT. When set to 0, user
5464 and group list information is returned to anyone who asks. When
5465 set to 1, only an authenticated user can retrieve user and group
5466 list information. For the value 2, supported by Windows 2000/XP
5467 and Samba, no anonymous connections are allowed at all. This can
5468 break third party and Microsoft applications which expect to be
5469 allowed to perform operations anonymously.
5470
5471 The security advantage of using restrict anonymous = 1 is
5472 dubious, as user and group list information can be obtained
5473 using other means.
5474
5475 Note
5476 The security advantage of using restrict anonymous = 2 is removed
5477 by setting guest ok = yes on any share.
5478
5479 Default: restrict anonymous = 0
5481
5482 root
5483 This parameter is a synonym for root directory.
5484
5485 root dir
5486 This parameter is a synonym for root directory.
5487
5488 root directory (G)
5489 The server will chroot() (i.e. Change its root directory) to this
5490 directory on startup. This is not strictly necessary for secure
5491 operation. Even without it the server will deny access to files
5492 not in one of the service entries. It may also check for, and
5493 deny access to, soft links to other parts of the filesystem, or
5494 attempts to use ".." in file names to access other directories
5495 (depending on the setting of the wide links parameter).
5496
5497 Adding a root directory entry other than "/" adds an extra level
5498 of security, but at a price. It absolutely ensures that no access
5499 is given to files not in the sub-tree specified in the root
5500 directory option, including some files needed for complete opera‐
5501 tion of the server. To maintain full operability of the server
5502 you will need to mirror some system files into the root directory
5503 tree. In particular you will need to mirror /etc/passwd (or a
5504 subset of it), and any binaries or configuration files needed for
5505 printing (if required). The set of files that must be mirrored is
5506 operating system dependent.
5507
5508 Default: root directory = /
5509
5510 Example: root directory = /homes/smb
5511
5512 root postexec (S)
5513 This is the same as the postexec parameter except that the com‐
5514 mand is run as root. This is useful for unmounting filesystems
5515 (such as CDROMs) after a connection is closed.
5516
5517 Default: root postexec =
5518
5519 root preexec (S)
5520 This is the same as the preexec parameter except that the command
5521 is run as root. This is useful for mounting filesystems (such as
5522 CDROMs) when a connection is opened.
5523
5524 Default: root preexec =
5525
5526 root preexec close (S)
5527 This is the same as the preexec close parameter except that the
5528 command is run as root.
5529
5530 Default: root preexec close = no
5531
5532 security (G)
5533 This option affects how clients respond to Samba and is one of
5534 the most important settings in the
5535 smb.conf file.
5536
5537 The option sets the "security mode bit" in replies to protocol
5538 negotiations with smbd(8) to turn share level security on or off.
5539 Clients decide based on this bit whether (and how) to transfer
5540 user and password information to the server.
5541
5542 The default is security = user, as this is the most common set‐
5543 ting needed when talking to Windows 98 and Windows NT.
5544
5545 The alternatives are security = share, security = server or secu‐
5546 rity = domain.
5547
5548 In versions of Samba prior to 2.0.0, the default was security =
5549 share mainly because that was the only option at one stage.
5550
5551 There is a bug in WfWg that has relevance to this setting. When
5552 in user or server level security a WfWg client will totally
5553 ignore the username and password you type in the "connect drive"
5554 dialog box. This makes it very difficult (if not impossible) to
5555 connect to a Samba service as anyone except the user that you are
5556 logged into WfWg as.
5557
5558 If your PCs use usernames that are the same as their usernames on
5559 the UNIX machine then you will want to use security = user. If
5560 you mostly use usernames that don't exist on the UNIX box then
5561 use security = share.
5562
5563 You should also use security = share if you want to mainly setup
5564 shares without a password (guest shares). This is commonly used
5565 for a shared printer server. It is more difficult to setup guest
5566 shares with security = user, see the map to guest parameter for
5567 details.
5568
5569 It is possible to use smbd in a hybrid mode where it offers
5570 both user and share level security under different NetBIOS
5571 aliases.
5572
5573 The different settings will now be explained.
5574
5575 SECURITY = SHARE
5576
5577 When clients connect to a share level security server they need
5578 not log onto the server with a valid username and password before
5579 attempting to connect to a shared resource (although modern
5580 clients such as Windows 95/98 and Windows NT will send a logon
5581 request with a username but no password when talking to a secu‐
5582 rity = share server). Instead, the clients send authentication
5583 information (passwords) on a per-share basis, at the time they
5584 attempt to connect to that share.
5585
5586 Note that smbd ALWAYS uses a valid UNIX user to act on behalf of
5587 the client, even in security = share level security.
5588
5589 As clients are not required to send a username to the server in
5590 share level security, smbd uses several techniques to determine
5591 the correct UNIX user to use on behalf of the client.
5592
5593 A list of possible UNIX usernames to match with the given client
5594 password is constructed using the following methods :
5595
5596 · If the guest only parameter is set, then all the other
5597 stages are missed and only the guest account username is
5598 checked.
5599
5600 · If a username is sent with the share connection request,
5601 then this username (after mapping - see username map) is
5602 added as a potential username.
5603
5604 · If the client did a previous logon request (the Session‐
5605 Setup SMB call) then the username sent in this SMB will be
5606 added as a potential username.
5607
5608 · The name of the service the client requested is added as a
5609 potential username.
5610
5611 · The NetBIOS name of the client is added to the list as a
5612 potential username.
5613
5614 · Any users on the user list are added as potential user‐
5615 names.
5616
5617 If the guest only parameter is not set, then this list is then
5618 tried with the supplied password. The first user for whom the
5619 password matches will be used as the UNIX user.
5620
5621 If the guest only parameter is set, or no username can be
5622 determined then if the share is marked as available to the
5623 guest account, then this guest user will be used, otherwise
5624 access is denied.
5625
5626 Note that it can be very confusing in share-level security as
5627 to which UNIX username will eventually be used in granting
5628 access.
5629
5630 See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION.
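
The candidate-list procedure above, as an added example (a shell simulation, not Samba's code): it builds the list in the same order, stops at the first password match, and falls back to the guest account only when the share is guest-accessible. The password database and all names are constructed for the demonstration. Note which inputs the client controls: the service name and the client's own NetBIOS name both become candidate usernames, so a client that knows one user's password can have the connection run as that UNIX account simply by naming itself after the user, whatever share it asked for.

```shell
#!/bin/bash
# Simulation of the candidate-username search smbd performs for a share
# connection under "security = share". Added example, not Samba code.
# Constructed password "database" (user:password) for the demonstration.
PWDB='alice:s3cret
bob:hunter2
public:public'

# check_password USER PASSWORD -> 0 when the pair is in PWDB
check_password() {
    printf '%s\n' "$PWDB" | grep -qxF -- "$1:$2"
}

# resolve_share_user GUEST_ONLY GUEST_OK GUEST_ACCOUNT PASSWORD \
#     SENT_USER SESSION_USER SERVICE NETBIOS_NAME [USER_LIST...]
# Prints the UNIX user smbd would act as; returns 1 for "access denied".
# Empty strings stand for "not supplied".
resolve_share_user() {
    local guest_only=$1 guest_ok=$2 guest_account=$3 password=$4
    local sent=$5 session=$6 service=$7 netbios=$8
    shift 8
    local u
    if [ "$guest_only" != yes ]; then
        # Candidates are tried in this order and the first password match
        # wins. SERVICE and NETBIOS_NAME are chosen by the client, so a
        # client holding one user's password can steer the match to that
        # account regardless of which share it named.
        for u in "$sent" "$session" "$service" "$netbios" "$@"; do
            [ -n "$u" ] || continue
            if check_password "$u" "$password"; then
                echo "$u"
                return 0
            fi
        done
    fi
    # "guest only" set, or nothing matched: the guest account is used only
    # when the share allows guest access.
    if [ "$guest_ok" = yes ]; then
        echo "$guest_account"
        return 0
    fi
    return 1
}

# Demo: no username sent, share named "alice", client calls itself "bob",
# password is bob's: the connection runs as bob.   # prints: bob
resolve_share_user no no nobody hunter2 '' '' alice bob
```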
5631
5632 SECURITY = USER
5633
5634 This is the default security setting in Samba 3.0. With user-
5635 level security a client must first "log-on" with a valid user‐
5636 name and password (which can be mapped using the username map
5637 parameter). Encrypted passwords (see the encrypted passwords
5638 parameter) can also be used in this security mode. Parameters
5639 such as user and guest only if set are then applied and may
5640 change the UNIX user to use on this connection, but only after
5641 the user has been successfully authenticated.
5642
5643 Note that the name of the resource being requested is not sent
5644 to the server until after the server has successfully authen‐
5645 ticated the client. This is why guest shares don't work in
5646 user level security without allowing the server to automati‐
5647 cally map unknown users into the guest account. See the map to
5648 guest parameter for details on doing this.
5649
5650 See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION.
5651
5652 SECURITY = DOMAIN
5653
5654 This mode will only work correctly if net(8) has been used to
5655 add this machine into a Windows NT Domain. It expects the
5656 encrypted passwords parameter to be set to yes. In this mode
5657 Samba will try to validate the username/password by passing it
5658 to a Windows NT Primary or Backup Domain Controller, in
5659 exactly the same way that a Windows NT Server would do.
5660
5661 Note that a valid UNIX user must still exist as well as the
5662 account on the Domain Controller to allow Samba to have a
5663 valid UNIX account to map file access to.
5664
5665 Note that from the client's point of view security = domain is
5666 the same as security = user. It only affects how the server
5667 deals with the authentication, it does not in any way affect
5668 what the client sees.
5669
5670 Note that the name of the resource being requested is not sent
5671 to the server until after the server has successfully authen‐
5672 ticated the client. This is why guest shares don't work in
5673 user level security without allowing the server to automati‐
5674 cally map unknown users into the guest account. See the map to
5675 guest parameter for details on doing this.
5676
5677 See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION.
5678
5679 See also the password server parameter and the encrypted pass‐
5680 words parameter.
5681
5682 SECURITY = SERVER
5683
5684 In this mode Samba will try to validate the username/password
5685 by passing it to another SMB server, such as an NT box. If
5686 this fails it will revert to security = user. It expects the
5687 encrypted passwords parameter to be set to yes, unless the
5688 remote server does not support them. However note that if
5689 encrypted passwords have been negotiated then Samba cannot
5690 revert back to checking the UNIX password file, it must have a
5691 valid smbpasswd file to check users against. See the chapter
5692 about the User Database in the Samba HOWTO Collection for
5693 details on how to set this up.
5694
5695 Note
5696 This mode of operation has significant pitfalls since it is
5697 more vulnerable to man-in-the-middle attacks and server imper‐
5698 sonation. In particular, this mode of operation can cause sig‐
5699 nificant resource consumption on the PDC, as it must maintain
5700 an active connection for the duration of the user's session.
5701 Furthermore, if this connection is lost, there is no way to
5702 reestablish it, and further authentications to the Samba server
5703 may fail (from a single client, till it disconnects).
5704
5705 Note
5706 From the client's point of view security = server is the same
5707 as security = user. It only affects how the server deals with
5708 the authentication, it does not in any way affect what the
5709 client sees. Note that the name of the resource being
5710 requested is not sent to the server until after the server has
5711 successfully authenticated the client. This is why guest
5712 shares don't work in user level security without allowing the
5713 server to automatically map unknown users into the guest
5714 account. See the map to guest parameter for details on doing
5715 this.
5716
5717 See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION.
5718
5719 See also the password server parameter and the encrypted pass‐
5720 words parameter.
5721
5722 SECURITY = ADS
5723
5724 In this mode, Samba will act as a domain member in an ADS
5725 realm. To operate in this mode, the machine running Samba will
5726 need to have Kerberos installed and configured and Samba will
5727 need to be joined to the ADS realm using the net utility.
5728
5729 Note that this mode does NOT make Samba operate as an Active
5730 Directory Domain Controller.
5731
5732 Read the chapter about Domain Membership in the HOWTO for
5733 details.
5734
5735 Default: security = USER
5736
5737 Example: security = DOMAIN
5738
5739 security mask (S)
5740 This parameter controls what UNIX permission bits can be modified
5741 when a Windows NT client is manipulating the UNIX permission on a
5742 file using the native NT security dialog box.
5743
5744 This parameter is applied as a mask (AND'ed with) to the changed
5745 permission bits, thus preventing any bits not in this mask from
5746 being modified. Make sure not to mix up this parameter with force
5747 security mode, which works in a manner similar to this one but
5748 uses a logical OR instead of an AND.
5749
5750 Essentially, zero bits in this mask may be treated as a set of
5751 bits the user is not allowed to change.
5752
5753 If not set explicitly this parameter is 0777, allowing a user to
5754 modify all the user/group/world permissions on a file.
5755
5756 Note that users who can access the Samba server through other
5757 means can easily bypass this restriction, so it is primarily use‐
5758 ful for standalone "appliance" systems. Administrators of most
5759 normal systems will probably want to leave it set to 0777.
5760
5761 Default: security mask = 0777
5762
5763 Example: security mask = 0770
5764
5765 server schannel (G)
5766 This controls whether the server offers or even demands the use
5767 of the netlogon schannel. server schannel = no does not offer
5768 the schannel, server schannel = auto offers the schannel but does
5769 not enforce it, and server schannel = yes denies access if the
5770 client is not able to speak netlogon schannel. The only clients
5771 that cannot are Windows NT4 before SP4.
5772
5773 Please note that with this set to no you will have to apply the
5774 WindowsXP WinXP_SignOrSeal.reg registry patch found in the
5775 docs/registry subdirectory of the Samba distribution tarball.
5776
5777 Default: server schannel = auto
5778
5779 Example: server schannel = yes
5780
5781 server signing (G)
5782 This controls whether the server offers or requires the client it
5783 talks to to use SMB signing. Possible values are auto, mandatory
5784 and disabled.
5785
5786 When set to auto, SMB signing is offered, but not enforced. When
5787 set to mandatory, SMB signing is required and if set to disabled,
5788 SMB signing is not offered either.
5789
5790 Default: server signing = Disabled
5791
5792 server string (G)
5793 This controls what string will show up in the printer comment box
5794 in print manager and next to the IPC connection in net view. It
5795 can be any string that you wish to show to your users.
5796
5797 It also sets what will appear in browse lists next to the machine
5798 name.
5799
5800 A %v will be replaced with the Samba version number.
5801
5802 A %h will be replaced with the hostname.
5803
5804 Default: server string = Samba %v
5805
5806 Example: server string = University of GNUs Samba Server
5807
5808 set directory (S)
5809 If set directory = no, then users of the service may not use the
5810 setdir command to change directory.
5811
5812 The setdir command is only implemented in the Digital Pathworks
5813 client. See the Pathworks documentation for details.
5814
5815 Default: set directory = no
5816
5817 set primary group script (G)
5818 Thanks to the POSIX subsystem in NT a Windows user has a primary
5819 group in addition to the auxiliary groups. This script sets the
5820 primary group in the UNIX user database when an administrator
5821 sets the primary group from the Windows user manager or when
5822 fetching a SAM with net rpc vampire. %u will be replaced with the
5823 user whose primary group is to be set. %g will be replaced with
5824 the group to set.
5825
5826 Default: set primary group script =
5827
5828 Example: set primary group script = /usr/sbin/usermod -g '%g'
5829 '%u'
5830
5831 set quota command (G)
5832 The set quota command should only be used whenever there is no
5833 operating system API available from the OS that samba can use.
5834
5835 This option is only available if Samba was configured with the
5836 argument --with-sys-quotas or, on Linux, when ./configure
5837 --with-quotas was used and a working quota API was found in the
5838 system. Most packages are configured with these options already.
5839
5840 This parameter should specify the path to a script that can set
5841 quota for the specified arguments.
5842
5843 The specified script should take the following arguments:
5844
5845 · 1 - quota type
5846
5847 · 1 - user quotas
5848
5849 · 2 - user default quotas (uid = -1)
5850
5851 · 3 - group quotas
5852
5853 · 4 - group default quotas (gid = -1)
5854
5858 · 2 - id (uid for user, gid for group, -1 if N/A)
5859
5860 · 3 - quota state (0 = disable, 1 = enable, 2 = enable and
5861 enforce)
5862
5863 · 4 - block softlimit
5864
5865 · 5 - block hardlimit
5866
5867 · 6 - inode softlimit
5868
5869 · 7 - inode hardlimit
5870
5871 · 8(optional) - block size, defaults to 1024
5872
5873 The script should output at least one line of data on success,
5874 and nothing on failure.
5875
5876 Default: set quota command =
5877
5878 Example: set quota command = /usr/local/sbin/set_quota
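
An added example of a set quota command script (not part of Samba) that turns the argument list above into a setquota(8) call; the filesystem path and the use of setquota from the quota tools are assumptions. Block limits are converted from the block-size units smbd passes into the kilobytes setquota expects, every value is checked to be a plain integer before it reaches a root command line, and a line is printed only when setquota succeeded, matching the success/failure convention above.

```shell
#!/bin/bash
# Hypothetical "set quota command" script (added example, not Samba's own).
# smbd invokes:  <script> TYPE ID STATE BSOFT BHARD ISOFT IHARD [BSIZE]
# and treats at least one line of output as success, no output as failure.
# Assumptions: setquota(8) from the quota tools, and one fixed filesystem.
FILESYSTEM=/srv/samba

# build_setquota_cmd TYPE ID STATE BSOFT BHARD ISOFT IHARD [BSIZE]
# Prints the setquota command line for these arguments, or returns 1 when
# they are unsupported or malformed. Nothing is executed here.
build_setquota_cmd() {
    local type=$1 id=$2 state=$3 bsoft=$4 bhard=$5 isoft=$6 ihard=$7
    local bsize=${8:-1024} flag v
    case $type in
        1) flag=-u ;;          # user quota
        3) flag=-g ;;          # group quota
        *) return 1 ;;         # 2 and 4 (default quotas) are not handled here
    esac
    # Every remaining value must be a plain non-negative integer. This
    # script runs as root, so nothing else may reach the command line (the
    # check also rejects the "-1" smbd sends for default quotas).
    for v in "$id" "$state" "$bsoft" "$bhard" "$isoft" "$ihard" "$bsize"; do
        case $v in ''|*[!0-9]*) return 1 ;; esac
    done
    # A non-zero hard limit below the soft limit is a misconfiguration.
    [ "$bhard" -eq 0 ] || [ "$bhard" -ge "$bsoft" ] || return 1
    [ "$ihard" -eq 0 ] || [ "$ihard" -ge "$isoft" ] || return 1
    # state 0 = disable: clear all limits instead of setting them
    if [ "$state" -eq 0 ]; then
        bsoft=0 bhard=0 isoft=0 ihard=0
    fi
    # smbd passes block limits in BSIZE units; setquota wants 1 KiB blocks.
    echo "setquota $flag $id $((bsoft * bsize / 1024)) $((bhard * bsize / 1024)) $isoft $ihard $FILESYSTEM"
}

# Entry point used by smbd: run setquota and print one line only on success.
if [ $# -ge 7 ]; then
    cmd=$(build_setquota_cmd "$@") && $cmd && echo "ok: $cmd"
fi
```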
5879
5880 share modes (S)
5881 This enables or disables the honoring of the share modes during a
5882 file open. These modes are used by clients to gain exclusive read
5883 or write access to a file.
5884
5885 These open modes are not directly supported by UNIX, so they are
5886 simulated using shared memory, or lock files if your UNIX doesn't
5887 support shared memory (almost all do).
5888
5889 The share modes that are enabled by this option are DENY_DOS,
5890 DENY_ALL, DENY_READ, DENY_WRITE, DENY_NONE and DENY_FCB.
5891
5892 This option gives full share compatibility and is enabled by
5893 default.
5894
5895 You should NEVER turn this parameter off as many Windows applica‐
5896 tions will break if you do so.
5897
5898 Default: share modes = yes
5899
5900 short preserve case (S)
5901 This boolean parameter controls if new files which conform to 8.3
5902 syntax, that is all in upper case and of suitable length, are
5903 created upper case, or if they are forced to be the default case.
5904 This option can be used with preserve case = yes to permit long
5905 filenames to retain their case, while short names are lowered.
5906
5907 See the section on NAME MANGLING.
5908
5909 Default: short preserve case = yes
5910
5911 show add printer wizard (G)
5912 With the introduction of MS-RPC based printing support for Win‐
5913 dows NT/2000 client in Samba 2.2, a "Printers..." folder will
5914 appear on Samba hosts in the share listing. Normally this folder
5915 will contain an icon for the MS Add Printer Wizard (APW). How‐
5916 ever, it is possible to disable this feature regardless of the
5917 level of privilege of the connected user.
5918
5919 Under normal circumstances, the Windows NT/2000 client will open
5920 a handle on the printer server with OpenPrinterEx() asking for
5921 Administrator privileges. If the user does not have administra‐
5922 tive access on the print server (i.e is not root or a member of
5923 the printer admin group), the OpenPrinterEx() call fails and the
5924 client makes another open call with a request for a lower privi‐
5925 lege level. This should succeed, however the APW icon will not be
5926 displayed.
5927
5928 Disabling the show add printer wizard parameter will always cause
5929 the OpenPrinterEx() on the server to fail. Thus the APW icon will
5930 never be displayed.
5931
5932 Note
5933 This does not prevent the same user from having administrative
5934 privilege on an individual printer.
5935
5936 Default: show add printer wizard = yes
5936
5937 shutdown script (G)
5938 This a full path name to a script called by smbd(8) that should
5939 start a shutdown procedure.
5940
5941 If the connected user possesses the SeRemoteShutdownPrivilege
5942 right, this command will be run as root.
5943
5944 The %z %t %r %f variables are expanded as follows:
5945
5946 · %z will be substituted with the shutdown message sent to
5947 the server.
5948
5949 · %t will be substituted with the number of seconds to wait
5950 before effectively starting the shutdown procedure.
5951
5952 · %r will be substituted with the switch -r. It means reboot
5953 after shutdown for NT.
5954
5955 · %f will be substituted with the switch -f. It means force
5956 the shutdown even if applications do not respond for NT.
5957
5958 Shutdown script example:
5959

#!/bin/bash
# Arguments as passed by smbd: $1 = message (%z), $2 = seconds to
# wait (%t), $3 = "-r" or empty (%r), $4 = "-f" or empty (%f).

# shutdown(8) takes its delay in minutes: convert and round up.
time=$(( $2 / 60 + 1 ))

# The message comes from the client and this script runs as root,
# so pass it on as a single quoted argument.
/sbin/shutdown $3 $4 +$time "$1" &

5971 Shutdown does not return so we need to launch it in back‐
5972 ground.
5973
5974 Default: shutdown script =
5975
5976 Example: shutdown script = /usr/local/samba/sbin/shutdown %z
5977 %t %r %f
5978
5979 smb passwd file (G)
5980 This option sets the path to the encrypted smbpasswd file. By
5981 default the path to the smbpasswd file is compiled into Samba.
5982
5983 An example of use is:
5984
5985
5986
5987
5988 smb passwd file = /etc/samba/smbpasswd
5989
5990
5991
5992 Default: smb passwd file = ${prefix}/private/smbpasswd
5993
5994 smb ports (G)
5995 Specifies which ports the server should listen on for SMB traf‐
5996 fic.
5997
5998 Default: smb ports = 445 139
5999
6000 socket address (G)
6001 This option allows you to control what address Samba will listen
6002 for connections on. This is used to support multiple virtual
6003 interfaces on the one server, each with a different configura‐
6004 tion.
6005
6006 By default Samba will accept connections on any address.
6007
6008 Default: socket address =
6009
6010 Example: socket address = 192.168.2.20
6011
6012 socket options (G)
6013 This option allows you to set socket options to be used when
6014 talking with the client.
6015
6016 Socket options are controls on the networking layer of the oper‐
6017 ating systems which allow the connection to be tuned.
6018
6019 This option will typically be used to tune your Samba server for
6020 optimal performance for your local network. There is no way that
6021 Samba can know what the optimal parameters are for your net, so
6022 you must experiment and choose them yourself. We strongly suggest
6023 you read the appropriate documentation for your operating system
6024 first (perhaps man setsockopt will help).
6025
6026 You may find that on some systems Samba will say "Unknown socket
6027 option" when you supply an option. This means you either incor‐
6028 rectly typed it or you need to add an include file to includes.h
6029 for your OS. If the latter is the case please send the patch to
6030 samba-technical@samba.org.
6031
6032 Any of the supported socket options may be combined in any way
6033 you like, as long as your OS allows it.
6034
6035 This is the list of socket options currently settable using this
6036 option:
6037
6038 · SO_KEEPALIVE
6039
6040 · SO_REUSEADDR
6041
6042 · SO_BROADCAST
6043
6044 · TCP_NODELAY
6045
6046 · IPTOS_LOWDELAY
6047
6048 · IPTOS_THROUGHPUT
6049
6050 · SO_SNDBUF *
6051
6052 · SO_RCVBUF *
6053
6054 · SO_SNDLOWAT *
6055
6056 · SO_RCVLOWAT *
6057
6058 Those marked with a '*' take an integer argument. The others
6059 can optionally take a 1 or 0 argument to enable or disable the
6060 option, by default they will be enabled if you don't specify 1
6061 or 0.
6062
6063 To specify an argument use the syntax SOME_OPTION = VALUE for
6064 example SO_SNDBUF = 8192. Note that you must not have any spa‐
6065 ces before or after the = sign.
6066
6067 If you are on a local network then a sensible option might be:
6068
6069 socket options = IPTOS_LOWDELAY
6070
6071 If you have a local network then you could try:
6072
6073 socket options = IPTOS_LOWDELAY TCP_NODELAY
6074
6075 If you are on a wide area network then perhaps try setting
6076 IPTOS_THROUGHPUT.
6077
6078 Note that several of the options may cause your Samba server
6079 to fail completely. Use these options with caution!
6080
6081 Default: socket options = TCP_NODELAY
6082
6083 Example: socket options = IPTOS_LOWDELAY
6084
6085 stat cache (G)
6086 This parameter determines if smbd(8) will use a cache in order to
6087 speed up case insensitive name mappings. You should never need to
6088 change this parameter.
6089
6090 Default: stat cache = yes
6091
6092 store dos attributes (S)
6093 If this parameter is set Samba attempts to first read DOS
6094 attributes (SYSTEM, HIDDEN, ARCHIVE or READ-ONLY) from a filesys‐
6095 tem extended attribute, before mapping DOS attributes to UNIX
6096 permission bits (such as occurs with map hidden and map read‐
6097 only). When set, DOS attributes will be stored onto an extended
6098 attribute in the UNIX filesystem, associated with the file or
6099 directory. For no other mapping to occur as a fall-back, the
6100 parameters map hidden, map system, map archive and map readonly
6101 must be set to off. This parameter writes the DOS attributes as a
6102 string into the extended attribute named "user.DOSATTRIB". This
6103 extended attribute is explicitly hidden from smbd clients
6104 requesting an EA list. On Linux the filesystem must have been
6105 mounted with the mount option user_xattr in order for extended
6106 attributes to work, also extended attributes must be compiled
6107 into the Linux kernel.
6108
6109 Default: store dos attributes = no
6110
6111 strict allocate (S)
6112 This is a boolean that controls the handling of disk space allo‐
6113 cation in the server. When this is set to yes the server will
6114 change from UNIX behaviour of not committing real disk storage
6115 blocks when a file is extended to the Windows behaviour of actu‐
6116 ally forcing the disk system to allocate real storage blocks when
6117 a file is created or extended to be a given size. In UNIX termi‐
6118 nology this means that Samba will stop creating sparse files.
6119 This can be slow on some systems.
6120
6121 When strict allocate is no the server does sparse disk block
6122 allocation when a file is extended.
6123
6124 Setting this to yes can help Samba return out of quota messages
6125 on systems that are restricting the disk quota of users.
6126
6127 Default: strict allocate = no
6128
6129 strict locking (S)
6130 This is an enumerated type that controls the handling of file
6131 locking in the server. When this is set to yes, the server will
6132 check every read and write access for file locks, and deny access
6133 if locks exist. This can be slow on some systems.
6134
6135 When strict locking is set to Auto (the default), the server per‐
6136 forms file lock checks only on non-oplocked files. As most Win‐
6137 dows redirectors perform file locking checks locally on oplocked
6138 files this is a good trade off for improved performance.
6139
6140 When strict locking is disabled, the server performs file lock
6141 checks only when the client explicitly asks for them.
6142
6143 Well-behaved clients always ask for lock checks when it is impor‐
6144 tant. So in the vast majority of cases, strict locking = Auto or
6145 strict locking = no is acceptable.
6146
6147 Default: strict locking = Auto
6148
6149 strict sync (S)
6150 Many Windows applications (including the Windows 98 explorer
6151 shell) seem to confuse flushing buffer contents to disk with
6152 doing a sync to disk. Under UNIX, a sync call forces the process
6153 to be suspended until the kernel has ensured that all outstanding
6154 data in kernel disk buffers has been safely stored onto stable
6155 storage. This is very slow and should only be done rarely. Set‐
6156 ting this parameter to no (the default) means that smbd(8)
6157 ignores the Windows applications requests for a sync call. There
6158 is only a possibility of losing data if the operating system
6159 itself that Samba is running on crashes, so there is little dan‐
6160 ger in this default setting. In addition, this fixes many perfor‐
6161 mance problems that people have reported with the new Windows98
6162 explorer shell file copies.
6163
6164 Default: strict sync = no
6165
6166 svcctl list (G)
6167 This option defines a list of init scripts that smbd will use for
6168 starting and stopping Unix services via the Win32 ServiceControl
6169 API. This allows Windows administrators to utilize the MS Manage‐
6170 ment Console plug-ins to manage a Unix server running Samba.
6171
6172 The administrator must create a directory named svcctl in Samba's
6173 $(libdir) and create symbolic links to the init scripts in
6174 /etc/init.d/. The name of the links must match the names given as
6175 part of the svcctl list.
6176
6177 Default: svcctl list =
6178
6179 Example: svcctl list = cups postfix portmap httpd
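
An added example (not Samba's own code) that creates the links for an svcctl list and refuses targets that a Windows administrator should not be able to start or stop through Samba as root: names that are not plain tokens, missing or non-executable files, and init scripts writable by group or world. The library and init directories are parameters so it can be tried in a scratch directory before touching $(libdir).

```shell
#!/bin/bash
# Added example (not Samba's own code): create the $(libdir)/svcctl links
# that "svcctl list" requires. Each link makes an init script startable and
# stoppable as root by any Windows administrator of this server, so every
# target is checked before it is linked.
#   setup_svcctl_links LIBDIR INITDIR NAME...
#   e.g. setup_svcctl_links /usr/lib/samba /etc/init.d cups postfix
setup_svcctl_links() {
    local libdir=$1 initdir=$2
    shift 2
    local name target rc=0
    mkdir -p "$libdir/svcctl" || return 1
    for name in "$@"; do
        # The name becomes a path component under libdir: plain tokens only.
        case $name in
            ''|.*|*[!a-zA-Z0-9_.-]*)
                echo "skipping '$name': not a valid service name" >&2
                rc=1; continue ;;
        esac
        target=$initdir/$name
        if [ ! -f "$target" ] || [ ! -x "$target" ]; then
            echo "skipping $name: $target is not an executable file" >&2
            rc=1; continue
        fi
        # A group- or world-writable init script would let a local user run
        # code as root through the service control pipe.
        if [ -n "$(find "$target" \( -perm -g+w -o -perm -o+w \) -print)" ]; then
            echo "skipping $name: $target is group/world writable" >&2
            rc=1; continue
        fi
        ln -sfn "$target" "$libdir/svcctl/$name" || rc=1
    done
    return $rc
}
```

The function returns non-zero if any name was skipped, so a deployment script can stop rather than silently expose a partial service list.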
6180
6181 sync always (S)
6182 This is a boolean parameter that controls whether writes will
6183 always be written to stable storage before the write call
6184 returns. If this is no then the server will be guided by the
6185 client's request in each write call (clients can set a bit indi‐
6186 cating that a particular write should be synchronous). If this is
6187 yes then every write will be followed by a fsync() call to ensure
6188 the data is written to disk. Note that the strict sync parameter
6189 must be set to yes in order for this parameter to have any
6190 effect.
6191
6192 Default: sync always = no
6193
6194 syslog (G)
6195 This parameter maps how Samba debug messages are logged onto the
6196 system syslog logging levels. Samba debug level zero maps onto
6197 syslog LOG_ERR, debug level one maps onto LOG_WARNING, debug
6198 level two maps onto LOG_NOTICE, debug level three maps onto
6199 LOG_INFO. All higher levels are mapped to LOG_DEBUG.
6200
6201 This parameter sets the threshold for sending messages to syslog.
6202 Only messages with debug level less than this value will be sent
6203 to syslog.
6204
6205 Default: syslog = 1
6206
6207 syslog only (G)
6208 If this parameter is set then Samba debug messages are logged
6209 into the system syslog only, and not to the debug log files.
6210
6211 Default: syslog only = no
6212
6213 template homedir (G)
6214 When filling out the user information for a Windows NT user, the
6215 winbindd(8) daemon uses this parameter to fill in the home direc‐
6216 tory for that user. If the string %D is present it is substituted
6217 with the user's Windows NT domain name. If the string %U is
6218 present it is substituted with the user's Windows NT user name.
6219
6220 Default: template homedir = /home/%D/%U
6221
6222 template shell (G)
6223 When filling out the user information for a Windows NT user, the
6224 winbindd(8) daemon uses this parameter to fill in the login shell
6225 for that user.
6226
6227 No default
6228
6229 time offset (G)
6230 This parameter is a setting in minutes to add to the normal GMT
6231 to local time conversion. This is useful if you are serving a lot
6232 of PCs that have incorrect daylight saving time handling.
6233
6234 Default: time offset = 0
6235
6236 Example: time offset = 60
6237
6238 time server (G)
6239 This parameter determines if nmbd(8) advertises itself as a time
6240 server to Windows clients.
6241
6242 Default: time server = no
6243
6244 unix charset (G)
6245 Specifies the charset used by the UNIX machine Samba runs on. Samba
6246 needs to know this in order to be able to convert text to the
6247 charsets other SMB clients use.
6248
6249 This is also the charset Samba will use when specifying arguments
6250 to scripts that it invokes.
6251
6252 Default: unix charset = UTF8
6253
6254 Example: unix charset = ASCII
6255
6256 unix extensions (G)
6257 This boolean parameter controls whether Samba implements the CIFS
6258 UNIX extensions, as defined by HP. These extensions enable Samba
6259 to better serve UNIX CIFS clients by supporting features such as
6260 symbolic links, hard links, etc. These extensions require a
6261 similarly enabled client, and are of no current use to Windows
6262 clients.
6263
6264 Default: unix extensions = yes
6265
6266 unix password sync (G)
6267 This boolean parameter controls whether Samba attempts to syn‐
6268 chronize the UNIX password with the SMB password when the
6269 encrypted SMB password in the smbpasswd file is changed. If this
6270 is set to yes the program specified in the passwd program parame‐
6271 ter is called AS ROOT - to allow the new UNIX password to be set
6272 without access to the old UNIX password (as the SMB password
6273 change code has no access to the old password cleartext, only the
6274 new).
6275
6276 Default: unix password sync = no
6277
6278 update encrypted (G)
6279 This boolean parameter allows a user logging on with a plaintext
6280 password to have their encrypted (hashed) password in the smb‐
6281 passwd file to be updated automatically as they log on. This
6282 option allows a site to migrate from plaintext password authenti‐
6283 cation (users authenticate with plaintext password over the wire,
6284 and are checked against a UNIX account database) to encrypted
6285 password authentication (the SMB challenge/response authentica‐
6286 tion mechanism) without forcing all users to re-enter their pass‐
6287 words via smbpasswd at the time the change is made. This is a
6288 convenience option to allow the change over to encrypted pass‐
6289 words to be made over a longer period. Once all users have
6290 encrypted representations of their passwords in the smbpasswd
6291 file this parameter should be set to no.
6292
6293 In order for this parameter to be operative the encrypt passwords
6294 parameter must be set to no. Since the default is encrypt pass‐
6295 words = yes, it must be changed explicitly for update encrypted
6296 to work.
6297
6298 Note that even when this parameter is set a user authenticating
6299 to smbd must still enter a valid password in order to connect
6300 correctly, and to update their hashed (smbpasswd) passwords.
6301
6302 Default: update encrypted = no
6303
6304 use client driver (S)
6305 This parameter applies only to Windows NT/2000 clients. It has no
6306 effect on Windows 95/98/ME clients. When serving a printer to
6307 Windows NT/2000 clients without first installing a valid printer
6308 driver on the Samba host, the client will be required to install
6309 a local printer driver. From this point on, the client will treat
6310 the printer as a local printer and not a network printer connec‐
6311 tion. This is much the same behavior that will occur when disable
6312 spoolss = yes.
6313
6314 The differentiating factor is that under normal circumstances,
6315 the NT/2000 client will attempt to open the network printer using
6316 MS-RPC. The problem is that because the client considers the
6317 printer to be local, it will attempt to issue the OpenPrinterEx()
6318 call requesting access rights associated with the logged on user.
6319 If the user possesses local administrator rights but not root
6320 privilege on the Samba host (often the case), the OpenPrinterEx()
6321 call will fail. The result is that the client will now display an
6322 "Access Denied; Unable to connect" message in the printer queue
6323 window (even though jobs may successfully be printed).
6324
6325 If this parameter is enabled for a printer, then any attempt to
6326 open the printer with the PRINTER_ACCESS_ADMINISTER right is
6327 mapped to PRINTER_ACCESS_USE instead, allowing the OpenPrinterEx()
6328 call to succeed. This parameter MUST NOT be enabled on a print
6329 share which has a valid print driver installed on the Samba
6330 server.
6331
6332 Default: use client driver = no
6333
6334 use kerberos keytab (G)
6335 Specifies whether Samba should attempt to maintain service prin‐
6336 cipals in the system's keytab file for host/FQDN and cifs/FQDN.
6337
6338 When you are using the Heimdal Kerberos libraries, you must also
6339 specify the following in /etc/krb5.conf:
6340
6341
6342
6343
6344 [libdefaults]
6345 default_keytab_name = FILE:/etc/krb5.keytab
6346
6347
6348
6349 Default: use kerberos keytab = False
6350
6351 use mmap (G)
6352 This global parameter determines if the tdb internals of Samba
6353 can depend on mmap working correctly on the running system. Samba
6354 requires a coherent mmap/read-write system memory cache. Cur‐
6355 rently only HPUX does not have such a coherent cache, and so this
6356 parameter is set to no by default on HPUX. On all other systems
6357 this parameter should be left alone. This parameter is provided
6358 to help the Samba developers track down problems with the tdb
6359 internal code.
6360
6361 Default: use mmap = yes
6362
6363 user
6364 This parameter is a synonym for username.
6365
6366 users
6367 This parameter is a synonym for username.
6368
6369 username (S)
6370 Multiple users may be specified in a comma-delimited list, in
6371 which case the supplied password will be tested against each
6372 username in turn (left to right).
6373
6374 The username line is needed only when the PC is unable to supply
6375 its own username. This is the case for the COREPLUS protocol or
6376 where your users have different WfWg usernames to UNIX usernames.
6377 In both these cases you may also be better using the
6378 \\server\share%user syntax instead.
6379
6380 The username line is not a great solution in many cases as it
6381 means Samba will try to validate the supplied password against
6382 each of the usernames in the username line in turn. This is slow
6383 and a bad idea for lots of users in case of duplicate passwords.
6384 You may get timeouts or security breaches using this parameter
6385 unwisely.
6386
6387 Samba relies on the underlying UNIX security. This parameter does
6388 not restrict who can login, it just offers hints to the Samba
6389 server as to what usernames might correspond to the supplied
6390 password. Users can login as whoever they please and they will be
6391 able to do no more damage than if they started a telnet session.
6392 The daemon runs as the user that they log in as, so they cannot
6393 do anything that user cannot do.
6394
6395 To restrict a service to a particular set of users you can use
6396 the valid users parameter.
6397
6398 If any of the usernames begin with a '@' then the name will be
6399 looked up first in the NIS netgroups list (if Samba is compiled
6400 with netgroup support), followed by a lookup in the UNIX groups
6401 database and will expand to a list of all users in the group of
6402 that name.
6403
6404 If any of the usernames begin with a '+' then the name will be
6405 looked up only in the UNIX groups database and will expand to a
6406 list of all users in the group of that name.
6407
6408 If any of the usernames begin with a '&' then the name will be
6409 looked up only in the NIS netgroups database (if Samba is com‐
6410 piled with netgroup support) and will expand to a list of all
6411 users in the netgroup group of that name.
6412
6413 Note that searching through a groups database can take quite some
6414 time, and some clients may time out during the search.
6415
6416 See the section NOTE ABOUT USERNAME/PASSWORD VALIDATION for more
6417 information on how this parameter determines access to the ser‐
6418 vices.
6419
6420 Default: username = # The guest account if a guest service, else
6421 <empty string>.
6422
6423 Example: username = fred, mary, jack, jane, @users, @pcgroup
6424
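The '@', '+' and '&' prefix rules above (the same rules that valid users and invalid users refer to) as an added example; this is not Samba's own code. The UNIX group and NIS netgroup tables are constructed sample data standing in for getgrnam() and netgroup lookups, and listing each candidate only once is a choice made here, not something the man page specifies. The last function models the left-to-right password trial the man page warns about.

```python
"""Added example (not Samba code): expand a user list of the kind taken
by the username and valid users parameters, applying the '@', '+' and
'&' prefix rules described in smb.conf(5).

The UNIX group and NIS netgroup tables below are constructed sample
data standing in for getgrnam() and netgroup lookups.
"""
from typing import Callable, Dict, Iterable, List, Optional, Set

# Constructed sample UNIX group database: group name -> members.
UNIX_GROUPS: Dict[str, Set[str]] = {
    "users": {"fred", "mary"},
    "pcgroup": {"jack", "jane"},
}

# Constructed sample NIS netgroup database: netgroup name -> members.
# "pcgroup" deliberately exists in both databases to show the ordering.
NIS_NETGROUPS: Dict[str, Set[str]] = {
    "pcgroup": {"jane", "nisuser"},
    "labs": {"alice", "bob"},
}


def split_user_list(value: str) -> List[str]:
    """Split the comma-delimited parameter value into its entries."""
    return [item.strip() for item in value.split(",") if item.strip()]


def expand_user_list(value: str,
                     unix_groups: Dict[str, Set[str]],
                     netgroups: Dict[str, Set[str]],
                     netgroup_support: bool = True) -> List[str]:
    """Return the usernames Samba would try, left to right.

    '@name' -> NIS netgroup first (when compiled in), then UNIX group
    '+name' -> UNIX group only
    '&name' -> NIS netgroup only (when compiled in)
    other   -> the literal username

    Each name is kept in first-seen order and listed once; the
    de-duplication is a choice made in this example, not something the
    man page specifies.
    """
    result: List[str] = []
    seen: Set[str] = set()

    def add(names: Iterable[str]) -> None:
        for n in names:
            if n not in seen:
                seen.add(n)
                result.append(n)

    for entry in split_user_list(value):
        prefix, name = entry[0], entry[1:]
        if prefix == "@":
            if netgroup_support:
                add(sorted(netgroups.get(name, ())))
            add(sorted(unix_groups.get(name, ())))
        elif prefix == "+":
            add(sorted(unix_groups.get(name, ())))
        elif prefix == "&":
            if netgroup_support:
                add(sorted(netgroups.get(name, ())))
        else:
            add([entry])
    return result


def first_matching_user(candidates: List[str],
                        password_ok: Callable[[str], bool]) -> Optional[str]:
    """Model the left-to-right trial the man page warns about: the first
    account whose password verifies wins, so two accounts sharing a
    password make the outcome depend purely on list order."""
    for user in candidates:
        if password_ok(user):
            return user
    return None
```

With the sample tables, the man page's own example value expands to fred, mary, jack, jane and nisuser; the netgroup member comes first for `@pcgroup` because netgroups are consulted before /etc/group.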
6425 username level (G)
6426 This option helps Samba to try and 'guess' at the real UNIX user‐
6427 name, as many DOS clients send an all-uppercase username. By
6428 default Samba tries all lowercase, followed by the username with
6429 the first letter capitalized, and fails if the username is not
6430 found on the UNIX machine.
6431
6432 If this parameter is set to non-zero the behavior changes. This
6433 parameter is a number that specifies the number of uppercase com‐
6434 binations to try while trying to determine the UNIX user name.
6435 The higher the number the more combinations will be tried, but
6436 the slower the discovery of usernames will be. Use this parameter
6437 when you have strange usernames on your UNIX machine, such as
6438 AstrangeUser.
6439
6440 This parameter is needed only on UNIX systems that have case sen‐
6441 sitive usernames.
6442
6443 Default: username level = 0
6444
6445 Example: username level = 5
6446
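The case search described above, written out as an added example (not Samba's own implementation). It reads "number of uppercase combinations" as every spelling with up to that many uppercase letters, tried after the all-lowercase and first-letter-capitalised forms; the passwd names used to demonstrate it are constructed.

```python
"""Added example (not Samba code): the username case search controlled
by the username level parameter, as smb.conf(5) describes it.

Order tried: all lowercase, then first letter capitalised, then (when
level > 0) every spelling with up to `level` uppercase letters. The
reading of "level" as a cap on the number of uppercase letters is an
assumption made here.
"""
from itertools import combinations
from typing import Callable, List, Optional


def candidate_usernames(name: str, level: int) -> List[str]:
    """Return the spellings of `name` to look up, in order, without repeats."""
    lower = name.lower()
    out: List[str] = []
    seen = set()

    def add(s: str) -> None:
        if s not in seen:
            seen.add(s)
            out.append(s)

    add(lower)
    add(lower[:1].upper() + lower[1:])
    # Only positions that change when uppercased are candidates, so digits
    # and punctuation do not inflate the number of combinations.
    letters = [i for i, ch in enumerate(lower) if ch.upper() != ch]
    for k in range(1, min(level, len(letters)) + 1):
        for positions in combinations(letters, k):
            chars = list(lower)
            for i in positions:
                chars[i] = chars[i].upper()
            add("".join(chars))
    return out


def find_unix_user(name: str, level: int,
                   exists: Callable[[str], bool]) -> Optional[str]:
    """Return the first candidate spelling present on the UNIX host, else None.

    `exists` stands in for a getpwnam() lookup.
    """
    for candidate in candidate_usernames(name, level):
        if exists(candidate):
            return candidate
    return None


# Constructed sample passwd names used by the demonstration.
SAMPLE_PASSWD = {"fred", "AstrangeUser", "Mary"}
```

The candidate count grows combinatorially: for a twelve-letter name, level 1 adds eleven new spellings but level 2 adds sixty-six more, which is the slowdown the man page warns about.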
6447 username map (G)
6448 This option allows you to specify a file containing a mapping of
6449 usernames from the clients to the server. This can be used for
6450 several purposes. The most common is to map usernames that users
6451 use on DOS or Windows machines to those that the UNIX box uses.
6452 The other is to map multiple users to a single username so that
6453 they can more easily share files.
6454
6455 Please note that for user or share mode security, the username
6456 map is applied prior to validating the user credentials. Domain
6457 member servers (domain or ads) apply the username map after the
6458 user has been successfully authenticated by the domain controller
6459 and require fully qualified entries in the map table (e.g. biddle
6460 = DOMAIN\foo).
6461
6462 The map file is parsed line by line. Each line should contain a
6463 single UNIX username on the left then a '=' followed by a list of
6464 usernames on the right. The list of usernames on the right may
6465 contain names of the form @group in which case they will match
6466 any UNIX username in that group. The special client name '*' is a
6467 wildcard and matches any name. Each line of the map file may be
6468 up to 1023 characters long.
6469
6470 The file is processed on each line by taking the supplied user‐
6471 name and comparing it with each username on the right hand side
6472 of the '=' signs. If the supplied name matches any of the names
6473 on the right hand side then it is replaced with the name on the
6474 left. Processing then continues with the next line.
6475
6476 If any line begins with a '#' or a ';' then it is ignored.
6477
6478 If any line begins with an '!' then the processing will stop
6479 after that line if a mapping was done by the line. Otherwise map‐
6480 ping continues with every line being processed. Using '!' is most
6481 useful when you have a wildcard mapping line later in the file.
6482
6483 For example, to map from the name admin or administrator to the
6484 UNIX name root you would use:
6486
6487
6488
6489
6490 root = admin administrator
6491
6492 Or to map anyone in the UNIX group system to the UNIX name sys
6493 you would use:
6494
6495
6496
6497
6498 sys = @system
6499
6500
6501
6502 You can have as many mappings as you like in a username map file.
6503
6504 If your system supports the NIS NETGROUP option then the netgroup
6505 database is checked before the /etc/group database for matching
6506 groups.
6507
6508 You can map Windows usernames that have spaces in them by using
6509 double quotes around the name. For example:
6510
6511
6512
6513
6514 tridge = "Andrew Tridgell"
6515
6516 would map the Windows username "Andrew Tridgell" to the UNIX
6517 username "tridge".
6518
6519 The following example would map mary and fred to the UNIX user
6520 sys, and map the rest to guest. Note the use of the '!' to tell
6521 Samba to stop processing if it gets a match on that line:
6522
6523
6524
6525
6526 !sys = mary fred
6527 guest = *
6528
6529
6530
6531 Note that the remapping is applied to all occurrences of user‐
6532 names. Thus if you connect to \\server\fred and fred is remapped to
6533 mary then you will actually be connecting to \\server\mary and will
6534 need to supply a password suitable for mary not fred. The only
6535 exception to this is the username passed to the password server
6536 (if you have one). The password server will receive whatever
6537 username the client supplies without modification.
6538
6539 Also note that no reverse mapping is done. The main effect this
6540 has is with printing. Users who have been mapped may have trouble
6541 deleting print jobs as PrintManager under WfWg will think they
6542 don't own the print job.
6543
6544 Samba versions prior to 3.0.8 would only support reading the
6545 fully qualified username (e.g.: DOMAIN\user) from the username map
6546 when performing a Kerberos login from a client. However, when
6547 looking up a map entry for a user authenticated by NTLM[SSP],
6548 only the login name would be used for matches. This resulted in
6549 inconsistent behavior sometimes even on the same server.
6550
6551 The following functionality is obeyed in version 3.0.8 and later:
6552
6553 When performing local authentication, the username map is applied
6554 to the login name before attempting to authenticate the connec‐
6555 tion.
6556
6557 When relying upon an external domain controller for validating
6558 authentication requests, smbd will apply the username map to the
6559 fully qualified username (i.e. DOMAIN\user) only after the user has
6560 been successfully authenticated.
6561
6562 An example of use is:
6563
6564
6565
6566
6567 username map = /usr/local/samba/lib/users.map
6568
6569
6570
6571 Default: username map = # no username map
6572
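A parser for the map file format described above, run over the man page's own examples, as an added illustration; it is not Samba's code. Where the man page is silent this example makes its own choices and labels them: names are compared case-insensitively, a line over 1023 characters is rejected rather than truncated, and group membership comes from constructed tables in place of NIS netgroups and getgrnam().

```python
"""Added example (not Samba code): a parser and evaluator for the
username map file format described in smb.conf(5).

Assumptions made here (the man page does not specify them): names are
compared case-insensitively and a line longer than 1023 characters is
rejected. Group membership comes from constructed sample tables.
"""
import re
from typing import Dict, List, NamedTuple, Optional, Set

MAX_LINE = 1023
# A right-hand-side token is either "quoted text" or a bare word.
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


class MapRule(NamedTuple):
    unix_name: str        # left-hand side of '='
    clients: List[str]    # right-hand side; '@group' and '*' allowed
    stop_on_match: bool   # line began with '!'


def parse_username_map(text: str) -> List[MapRule]:
    """Parse map file text; '#' and ';' lines are comments."""
    rules: List[MapRule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if len(raw) > MAX_LINE:
            raise ValueError(f"line {lineno}: longer than {MAX_LINE} characters")
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        stop = line.startswith("!")
        if stop:
            line = line[1:].lstrip()
        if "=" not in line:
            raise ValueError(f"line {lineno}: missing '='")
        left, right = line.split("=", 1)
        clients = [quoted or bare for quoted, bare in _TOKEN.findall(right)]
        if not left.strip() or not clients:
            raise ValueError(f"line {lineno}: empty side of '='")
        rules.append(MapRule(left.strip(), clients, stop))
    return rules


def _in_group(user: str, group: str,
              unix_groups: Dict[str, Set[str]],
              netgroups: Dict[str, Set[str]]) -> bool:
    # NIS netgroups are consulted before /etc/group, as the man page states;
    # for a membership test the union of both is what matters.
    members = set(netgroups.get(group, ())) | set(unix_groups.get(group, ()))
    return user.lower() in {m.lower() for m in members}


def map_username(name: str, rules: List[MapRule],
                 unix_groups: Dict[str, Set[str]],
                 netgroups: Optional[Dict[str, Set[str]]] = None) -> str:
    """Apply the rules top to bottom. A matched name is replaced by the
    left-hand side and that new name is what later lines see, unless the
    matching line began with '!'."""
    netgroups = netgroups or {}
    for rule in rules:
        matched = False
        for client in rule.clients:
            if client == "*":
                matched = True
            elif client.startswith("@"):
                matched = _in_group(name, client[1:], unix_groups, netgroups)
            else:
                matched = client.lower() == name.lower()
            if matched:
                break
        if matched:
            name = rule.unix_name
            if rule.stop_on_match:
                break
    return name


# Constructed sample map and group table built from the man page's examples.
SAMPLE_MAP = """\
# constructed example map; comment lines start with # or ;
root = admin administrator
sys = @system
tridge = "Andrew Tridgell"
"""
SAMPLE_GROUPS: Dict[str, Set[str]] = {"system": {"bin", "daemon"}}
STOP_MAP = "!sys = mary fred\nguest = *\n"
NO_STOP_MAP = "sys = mary fred\nguest = *\n"
```

The STOP_MAP / NO_STOP_MAP pair shows why the man page stresses the '!': without it, mary is first mapped to sys and then swallowed by the wildcard line, ending up as guest.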
6573 username map script (G)
6574 This script is a mutually exclusive alternative to the username
6575 map parameter. This parameter specifies an external program or
6576 script that must accept a single command line option (the user‐
6577 name transmitted in the authentication request) and return a sin‐
6578 gle line on standard output (the name to which the account should
6579 be mapped). In this way, it is possible to store username map
6580 tables in LDAP or NIS directory services.
6581
6582 Default: username map script =
6583
6584 Example: username map script = /etc/samba/scripts/mapusers.sh
6585
6586 usershare allow guests (G)
6587 This parameter controls whether user defined shares are allowed
6588 to be accessed by non-authenticated users or not. It is the
6589 equivalent of allowing people who can create a share the option
6590 of setting guest ok = yes in a share definition. Due to the secu‐
6591 rity sensitive nature of this the default is set to off.
6592
6593 Default: usershare allow guests = no
6594
6595 usershare max shares (G)
6596 This parameter specifies the number of user defined shares that
6597 are allowed to be created by users belonging to the group owning
6598 the usershare directory. If set to zero (the default) user
6599 defined shares are ignored.
6600
6601 Default: usershare max shares = 0
6602
6603 usershare owner only (G)
6604 This parameter controls whether the pathname exported by a user
6605 defined share must be owned by the user creating the user
6606 defined share or not. If set to True (the default) then smbd
6607 checks that the directory path being shared is owned by the user
6608 who owns the usershare file defining this share and refuses to
6609 create the share if not. If set to False then no such check is
6610 performed and any directory path may be exported regardless of
6611 who owns it.
6612
6613 Default: usershare owner only = True
6614
6615 usershare path (G)
6616 This parameter specifies the absolute path of the directory on
6617 the filesystem used to store the user defined share definition
6618 files. This directory must be owned by root, and have no access
6619 for other, and be writable only by the group owner. In addition
6620 the "sticky" bit must also be set, restricting rename and delete
6621 to owners of a file (in the same way the /tmp directory is usu‐
6622 ally configured). Members of the group owner of this directory
6623 are the users allowed to create usershares. If this parameter is
6624 undefined then no user defined shares are allowed.
6625
6626 For example, a valid usershare directory might be
6627 /usr/local/samba/lib/usershares, set up as follows.
6628
6629
6630
6631
6632
6633
6634 ls -ld /usr/local/samba/lib/usershares/
6635 drwxrwx--T 2 root power_users 4096 2006-05-05 12:27 /usr/local/samba/lib/usershares/
6636
6637
6638
6639 In this case, only members of the group "power_users" can create
6640 user defined shares.
6641
6642 Default: usershare path = NULL
6643
6644 usershare prefix allow list (G)
6645 This parameter specifies a list of absolute pathnames the root of
6646 which are allowed to be exported by user defined share defini‐
6647 tions. If the pathname exported doesn't start with one of the
6648 strings in this list the user defined share will not be allowed.
6649 This allows the Samba administrator to restrict the directories
6650 on the system that can be exported by user defined shares.
6651
6652 If there is a "usershare prefix deny list" and also a "usershare
6653 prefix allow list" the deny list is processed first, followed by
6654 the allow list, thus leading to the most restrictive interpreta‐
6655 tion.
6656
6657 Default: usershare prefix allow list = NULL
6658
6659 Example: usershare prefix allow list = /home /data /space
6660
6661 usershare prefix deny list (G)
6662 This parameter specifies a list of absolute pathnames the root of
6663 which are NOT allowed to be exported by user defined share defi‐
6664 nitions. If the pathname exported starts with one of the strings
6665 in this list the user defined share will not be allowed. Any
6666 pathname not starting with one of these strings will be allowed
6667 to be exported as a usershare. This allows the Samba administra‐
6668 tor to restrict the directories on the system that can be
6669 exported by user defined shares.
6670
6671 If there is a "usershare prefix deny list" and also a "usershare
6672 prefix allow list" the deny list is processed first, followed by
6673 the allow list, thus leading to the most restrictive interpreta‐
6674 tion.
6675
6676 Default: usershare prefix deny list = NULL
6677
6678 Example: usershare prefix deny list = /etc /dev /private
6679
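Two checks an administrator can run against the usershare settings described above, as an added example that is not Samba's code: whether the usershare directory has the layout the man page requires (root-owned, no access for other, group-writable, sticky bit), and whether a path would pass the prefix deny and allow lists with the deny list evaluated first. One deliberate deviation is labelled in the code: the prefix test matches whole path components, which is stricter than the plain "starts with" wording of the man page, and the path is normalised before the test.

```python
"""Added example (not Samba code): checks for the usershare path
directory layout and the usershare prefix deny/allow lists described
in smb.conf(5).

Assumption: prefixes are matched on whole path components here (so
/home does not cover /homeless), which is stricter than the man page's
"starts with" wording.
"""
import os
import posixpath
import stat
from typing import List, Sequence, Tuple

# Permission bits in ls -l order: user rwx, group rwx, other rwx.
_PERM_BITS = (
    stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR,
    stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP,
    stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH,
)


def parse_ls_mode(text: str) -> int:
    """Turn an ls -l mode string such as 'drwxrwx--T' into st_mode bits."""
    if len(text) != 10:
        raise ValueError("mode string must be 10 characters")
    mode = stat.S_IFDIR if text[0] == "d" else stat.S_IFREG
    for ch, bit in zip(text[1:], _PERM_BITS):
        if ch in "rwx":
            mode |= bit
        elif ch in "sS":            # setuid/setgid shown in an x position
            mode |= stat.S_ISUID if bit == stat.S_IXUSR else stat.S_ISGID
            if ch == "s":
                mode |= bit
        elif ch in "tT":            # sticky bit shown in the 'other' x position
            mode |= stat.S_ISVTX
            if ch == "t":
                mode |= bit
        elif ch != "-":
            raise ValueError(f"unexpected mode character {ch!r}")
    return mode


def check_usershare_dir(uid: int, mode: int) -> List[str]:
    """Return the man page requirements the directory violates (empty if none)."""
    problems: List[str] = []
    if not stat.S_ISDIR(mode):
        problems.append("not a directory")
    if uid != 0:
        problems.append("not owned by root")
    if mode & stat.S_IRWXO:
        problems.append("accessible by other")
    if not mode & stat.S_IWGRP:
        problems.append("not writable by the owning group")
    if not mode & stat.S_ISVTX:
        problems.append("sticky bit not set")
    return problems


def check_usershare_path(path: str) -> List[str]:
    """Stat a real directory and apply check_usershare_dir to it."""
    st = os.lstat(path)
    return check_usershare_dir(st.st_uid, st.st_mode)


def _under(path: str, prefix: str) -> bool:
    """True when `path` is `prefix` itself or lies below it (component-aware)."""
    prefix = prefix.rstrip("/")
    return path == prefix or path.startswith(prefix + "/")


def usershare_path_allowed(path: str, deny_list: Sequence[str],
                           allow_list: Sequence[str]) -> Tuple[bool, str]:
    """Deny list first, then allow list (when non-empty); returns (ok, reason)."""
    norm = posixpath.normpath(path)
    if not norm.startswith("/"):
        return False, "path is not absolute"
    for prefix in deny_list:
        if _under(norm, prefix):
            return False, f"denied by prefix {prefix}"
    if allow_list and not any(_under(norm, p) for p in allow_list):
        return False, "not under any allowed prefix"
    return True, "allowed"
```

Fed the man page's example lists (deny /etc /dev /private, allow /home /data /space), a path such as /home/alice/share passes, /etc/samba is refused by the deny list before the allow list is consulted, and /home/../etc/passwd is refused because normalisation resolves it to /etc/passwd.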
6680 usershare template share (G)
6681 User defined shares only have limited possible parameters such as
6682 path, guest ok etc. This parameter allows usershares to be "cloned"
6683 from an existing share. If "usershare template share" is set to
6684 the name of an existing share, then all usershares created have
6685 their defaults set from the parameters set on this share.
6686
6687 The target share may be set to be invalid for real file sharing
6688 by setting the parameter "-valid = False" on the template share
6689 definition. This causes it not to be seen as a real exported
6690 share but to be able to be used as a template for usershares.
6691
6692 Default: usershare template share = NULL
6693
6694 Example: usershare template share = template_share
6695
6696 use sendfile (S)
6697 If this parameter is yes, and the sendfile() system call is sup‐
6698 ported by the underlying operating system, then some SMB read
6699 calls (mainly ReadAndX and ReadRaw) will use the more efficient
6700 sendfile system call for files that are exclusively oplocked.
6701 This may make more efficient use of the system CPUs and cause
6702 Samba to be faster. Samba automatically turns this off for
6703 clients that use protocol levels lower than NT LM 0.12 and when
6704 it detects a client is Windows 9x (using sendfile from Linux will
6705 cause these clients to fail).
6706
6707 Default: use sendfile = false
6708
6709 use spnego (G)
6710 This variable controls whether Samba will try to use Simple and
6711 Protected Negotiation (SPNEGO, as specified by RFC 2478) with
6712 Windows XP and Windows 2000 clients to agree upon an authentication
6713 mechanism.
6714
6715 Unless further issues are discovered with our SPNEGO implementa‐
6716 tion, there is no reason this should ever be disabled.
6717
6718 Default: use spnego = yes
6719
6720 utmp (G)
6721 This boolean parameter is only available if Samba has been con‐
6722 figured and compiled with the option --with-utmp. If set to yes
6723 then Samba will attempt to add utmp or utmpx records (depending
6724 on the UNIX system) whenever a connection is made to a Samba
6725 server. Sites may use this to record the user connecting to a
6726 Samba share.
6727
6728 Due to the requirements of the utmp record, we are required to
6729 create a unique identifier for the incoming user. Enabling this
6730 option creates an n^2 algorithm to find this number. This may
6731 impede performance on large installations.
6732
6733 Default: utmp = no
6734
6735 utmp directory (G)
6736 This parameter is only available if Samba has been configured and
6737 compiled with the option --with-utmp. It specifies a directory
6738 pathname that is used to store the utmp or utmpx files (depending
6739 on the UNIX system) that record user connections to a Samba
6740 server. By default this is not set, meaning the system will use
6741 whatever utmp file the native system is set to use (usually
6742 /var/run/utmp on Linux).
6743
6744 Default: utmp directory = # Determined automatically
6745
6746 Example: utmp directory = /var/run/utmp
6747
6748 -valid (S)
6749 This parameter indicates whether a share is valid and thus can be
6750 used. When this parameter is set to false, the share will be in
6751 no way visible nor accessible.
6752
6753 This option should not be used by regular users but might be of
6754 help to developers. Samba uses this option internally to mark
6755 shares as deleted.
6756
6757 Default: -valid = yes
6758
6759 valid users (S)
6760 This is a list of users that should be allowed to login to this
6761 service. Names starting with '@', '+' and '&' are interpreted
6762 using the same rules as described in the invalid users parameter.
6763
6764 If this is empty (the default) then any user can login. If a
6765 username is in both this list and the invalid users list then
6766 access is denied for that user.
6767
6768 The current servicename is substituted for %S. This is useful in
6769 the [homes] section.
6770
6771 Default: valid users = # No valid users list (anyone can login)
6772
6773 Example: valid users = greg, @pcusers
6774
6775 veto files (S)
6776 This is a list of files and directories that are neither visible
6777 nor accessible. Each entry in the list must be separated by a
6778 '/', which allows spaces to be included in the entry. '*' and '?'
6779 can be used to specify multiple files or directories as in DOS
6780 wildcards.
6781
6783 Each entry must be a UNIX path, not a DOS path, and must not
6784 include the UNIX directory separator '/'.
6784
6785 Note that the case sensitive option is applicable in vetoing
6786 files.
6787
6788 One feature of the veto files parameter that it is important to
6789 be aware of is Samba's behaviour when trying to delete a direc‐
6790 tory. If a directory that is to be deleted contains nothing but
6791 veto files this deletion will fail unless you also set the delete
6792 veto files parameter to yes.
6793
6794 Setting this parameter will affect the performance of Samba, as
6795 it will be forced to check all files and directories for a match
6796 as they are scanned.
6797
6798 Examples of use include:
6799
6800
6801
6802
6803 ; Veto any files containing the word Security,
6804 ; any ending in .tmp, and any directory containing the
6805 ; word root.
6806 veto files = /*Security*/*.tmp/*root*/
6807
6808 ; Veto the Apple specific files that a NetAtalk server
6809 ; creates.
6810 veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/
6811
6812
6813
6814 Default: veto files = No files or directories are vetoed.
6815
6816 veto oplock files (S)
6817 This parameter is only valid when the oplocks parameter is turned
6818 on for a share. It allows the Samba administrator to selectively
6819 turn off the granting of oplocks on selected files that match a
6820 wildcarded list, similar to the wildcarded list used in the veto
6821 files parameter.
6822
6823 You might want to do this on files that you know will be heavily
6824 contended for by clients. A good example of this is in the Net‐
6825 Bench SMB benchmark program, which causes heavy client contention
6826 for files ending in .SEM. To cause Samba not to grant oplocks on
6827 these files you would use the line below (either in the [global]
6828 section or in the section for the particular NetBench share).
6829
6830 An example of use is:
6831
6832
6833
6834
6835 veto oplock files = /.*SEM/
6836
6837
6838
6839 Default: veto oplock files = # No files are vetoed for oplock
6840 grants
6841
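The '/'-separated pattern lists shared by veto files and veto oplock files, parsed and matched as an added example (not Samba's own matcher), including the directory-deletion behaviour that depends on delete veto files. Wildcards are matched with Python's fnmatch, which is an approximation of Samba's matcher: '*' and '?' behave as in DOS and every other character is literal.

```python
"""Added example (not Samba code): parse the '/'-separated lists used by
veto files and veto oplock files, match single path components against
them with DOS-style wildcards, and decide whether a directory holding
only vetoed entries may be removed (the delete veto files interaction).

fnmatch is used as an approximation of Samba's own wildcard matcher.
"""
import fnmatch
from typing import Iterable, List, Sequence


def parse_veto_list(value: str) -> List[str]:
    """'/a/b c/*.tmp/' -> ['a', 'b c', '*.tmp']; entries may contain spaces."""
    return [entry for entry in value.split("/") if entry]


def is_vetoed(name: str, patterns: Iterable[str],
              case_sensitive: bool = True) -> bool:
    """Match one path component (no '/') against the veto patterns.

    `case_sensitive` mirrors the share's case sensitive option.
    """
    if "/" in name:
        raise ValueError("veto matching applies to a single path component")
    for pat in patterns:
        if case_sensitive:
            if fnmatch.fnmatchcase(name, pat):
                return True
        elif fnmatch.fnmatchcase(name.lower(), pat.lower()):
            return True
    return False


def visible_entries(entries: Sequence[str], patterns: Iterable[str],
                    case_sensitive: bool = True) -> List[str]:
    """What a client sees in a directory listing once vetoes are applied."""
    pats = list(patterns)
    return [e for e in entries if not is_vetoed(e, pats, case_sensitive)]


def can_delete_dir(entries: Sequence[str], patterns: Iterable[str],
                   delete_veto_files: bool,
                   case_sensitive: bool = True) -> bool:
    """Whether removing the directory succeeds.

    A non-vetoed entry means the directory is simply not empty. When only
    vetoed entries remain, they can be removed along with the directory
    only if delete veto files = yes; otherwise the deletion fails.
    """
    pats = list(patterns)
    if visible_entries(entries, pats, case_sensitive):
        return False
    return not entries or delete_veto_files


# The man page's own example values, kept here as constructed test input.
EXAMPLE_VETO = "/*Security*/*.tmp/*root*/"
EXAMPLE_NETATALK = "/.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/"
EXAMPLE_OPLOCK = "/.*SEM/"
```

One detail worth knowing about this matcher: because '.' is literal in DOS-style wildcards, the `/.*SEM/` example only matches names that begin with a dot; `*.SEM` is the pattern that catches every name ending in .SEM.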
6842 vfs object
6843 This parameter is a synonym for vfs objects.
6844
6845 vfs objects (S)
6846 This parameter specifies the backend names which are used for
6847 Samba VFS I/O operations. By default, normal disk I/O operations
6848 are used but these can be overloaded with one or more VFS
6849 objects.
6850
6851 Default: vfs objects =
6852
6853 Example: vfs objects = extd_audit recycle
6854
6855 volume (S)
6856 This allows you to override the volume label returned for a
6857 share. Useful for CDROMs with installation programs that insist
6858 on a particular volume label.
6859
6860 Default: volume = # the name of the share
6861
6862 wide links (S)
6863 This parameter controls whether or not links in the UNIX file
6864 system may be followed by the server. Links that point to areas
6865 within the directory tree exported by the server are always
6866 allowed; this parameter controls access only to areas that are
6867 outside the directory tree being exported.
6868
6869 Note that setting this parameter can have a negative effect on
6870 your server performance due to the extra system calls that Samba
6871 has to do in order to perform the link checks.
6872
6873 Default: wide links = yes
6874
6875 winbind cache time (G)
6876 This parameter specifies the number of seconds the winbindd(8)
6877 daemon will cache user and group information before querying a
6878 Windows NT server again.
6879
6880 This does not apply to authentication requests; these are always
6881 evaluated in real time unless the winbind offline logon option
6882 has been enabled.
6883
6884 Default: winbind cache time = 300
6885
6886 winbind enum groups (G)
6887 On large installations using winbindd(8) it may be necessary to
6888 suppress the enumeration of groups through the setgrent(), get‐
6889 grent() and endgrent() group of system calls. If the winbind enum
6890 groups parameter is no, calls to the getgrent() system call will
6891 not return any data.
6892
6893 Warning
6894 Turning off group enumeration may cause some programs to behave
6895 oddly.

6896 Default: winbind enum groups = no

6897 winbind enum users (G)
6898 On large installations using winbindd(8) it may be necessary to
6899 suppress the enumeration of users through the setpwent(), getp‐
6900 went() and endpwent() group of system calls. If the winbind enum
6901 users parameter is no, calls to the getpwent system call will not
6902 return any data.
6903
6904 Warning
6905 Turning off user enumeration may cause some programs to behave
6906 oddly. For example, the finger program relies on having access to
6907 the full user list when searching for matching usernames.

6908 Default: winbind enum users = no
6909
6910 winbind expand groups (G)
6911 This option controls the maximum depth that winbindd will tra‐
6912 verse when flattening nested group memberships of Windows domain
6913 groups. This is different from the winbind nested groups option
6914 which implements the Windows NT4 model of local group nesting.
6915 The "winbind expand groups" parameter specifically applies to the
6916 membership of domain groups.
6917
6918 Be aware that a high value for this parameter can result in sys‐
6919 tem slowdown as the main parent winbindd daemon must perform the
6920 group unrolling and will be unable to answer incoming NSS or
6921 authentication requests during this time.
6922
6923 Default: winbind expand groups = 1
6924
6925 winbind nested groups (G)
6926 If set to yes, this parameter activates the support for nested
6927 groups. Nested groups are also called local groups or aliases.
6928 They work like their counterparts in Windows: Nested groups are
6929 defined locally on any machine (they are shared between DCs
6930 through their SAM) and can contain users and global groups from
6931 any trusted SAM. To be able to use nested groups, you need to run
6932 nss_winbind.
6933
6934 Default: winbind nested groups = yes
6935
6936 winbind normalize names (G)
6937 This parameter controls whether winbindd will replace whitespace
6938 in user and group names with an underscore (_) character. For
6939 example, whether the name "Space Kadet" should be replaced with
6940 the string "space_kadet". Frequently UNIX shell scripts will have
6941 difficulty with usernames containing whitespace due to the default
6942 field separator in the shell. Do not enable this option if the
6943 underscore character is used in account names within your domain.
6944
6945 Default: winbind normalize names = no
6946
6947 Example: winbind normalize names = yes
6948
6949 winbind nss info (G)
6950 This parameter is designed to control how Winbind retrieves Name
6951 Service Information to construct a user's home directory and
6952 login shell. Currently the following settings are available:
6953
6954 · template - The default, using the parameters of template
6955 shell and template homedir.
6956
6957 · sfu - When Samba is running in security = ads and your
6958 Active Directory Domain Controller supports the Micro‐
6959 soft "Services for Unix" (SFU) LDAP schema, winbind can
6960 retrieve the login shell and the home directory attributes
6961 directly from your Directory Server. Note that retrieving
6962 UID and GID from your ADS server requires the use of idmap
6963 backend = idmap_ad as well.
6964
6965
6966
6967
6968 Default: winbind nss info = template
6969
6970 Example: winbind nss info = template sfu
6971
6972 winbind offline logon (G)
6973 This parameter is designed to control whether Winbind should
6974 allow logins through the pam_winbind module using cached creden‐
6975 tials. If enabled, winbindd will store user credentials from suc‐
6976 cessful logins encrypted in a local cache.
6977
6978 Default: winbind offline logon = false
6979
6980 Example: winbind offline logon = true
6981
6982 winbind refresh tickets (G)
6983 This parameter is designed to control whether Winbind should
6984 refresh Kerberos Tickets retrieved using the pam_winbind module.
6985
6986 Default: winbind refresh tickets = false
6987
6988 Example: winbind refresh tickets = true
6989
6990 winbind rpc only (G)
6991 Setting this parameter to yes forces winbindd to use RPC instead
6992 of LDAP to retrieve information from Domain Controllers.
6993
6994 Default: winbind rpc only = no
6995
6996 winbind separator (G)
6997 This parameter allows an admin to define the character used when
6998 listing a username of the form DOMAIN\user. This parameter
6999 is only applicable when using the pam_winbind.so and nss_win‐
7000 bind.so modules for UNIX services.
7001
7002 Please note that setting this parameter to + causes problems with
7003 group membership at least on glibc systems, as the character + is
7004 used as a special character for NIS in /etc/group.
7005
7006 Default: winbind separator = '\'
7007
7008 Example: winbind separator = +
7009
winbind trusted domains only (G)
This parameter allows Samba servers that are members of a Samba
controlled domain to use UNIX accounts distributed via NIS, rsync,
or LDAP as the uids for winbindd users in the host's primary
domain. Therefore, the user DOMAIN\user1 would be mapped to the
account user1 in /etc/passwd instead of allocating a new uid for
him or her.

This parameter is now deprecated in favor of the newer idmap_nss
backend. Refer to the idmap domains smb.conf option and the
idmap_nss(8) man page for more information.

Default: winbind trusted domains only = no

winbind use default domain (G)
This parameter specifies whether the winbindd(8) daemon should
operate on users without a domain component in their username.
Users without a domain component are treated as part of the
winbindd server's own domain. While this does not benefit Windows
users, it makes SSH, FTP and e-mail function in a way much closer
to the way they would on a native UNIX system.

Default: winbind use default domain = no

Example: winbind use default domain = yes
wins hook (G)
When Samba is running as a WINS server this allows you to call an
external program for all changes to the WINS database. The primary
use for this option is to allow the dynamic update of external
name resolution databases such as dynamic DNS.

The wins hook parameter specifies the name of a script or
executable that will be called as follows:

wins_hook operation name nametype ttl IP_list

· The first argument is the operation and is one of "add",
"delete", or "refresh". In most cases the operation can be
ignored as the rest of the parameters provide sufficient
information. Note that "refresh" may sometimes be called when
the name has not previously been added; in that case it should
be treated as an add.

· The second argument is the NetBIOS name. If the name is not a
legal name then the wins hook is not called. Legal names
contain only letters, digits, hyphens, underscores and periods.

· The third argument is the NetBIOS name type as a 2 digit
hexadecimal number.

· The fourth argument is the TTL (time to live) for the name in
seconds.

· The fifth and subsequent arguments are the IP addresses
currently registered for that name. If this list is empty then
the name should be deleted.

An example script that calls the BIND dynamic DNS update program
nsupdate is provided in the examples directory of the Samba source
code.

No default

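As an added example (it is not the script shipped in the Samba examples
directory), the POSIX sh hook below turns each call described above into
an nsupdate(8) batch. It goes slightly beyond the list: it also ignores
name types other than 00 and 20, so group and special-service names never
reach DNS, and it re-checks the name against the legal character set
before the name is passed on. The zone name and DNS server address are
placeholders, not values from the Samba documentation.

```shell
#!/bin/sh
# Added example wins hook: maps nmbd's WINS callbacks onto nsupdate(8).
# ZONE and DNS_SERVER are hypothetical placeholders.
ZONE="example.internal"
DNS_SERVER="192.0.2.53"

# wins_hook_to_nsupdate OPERATION NAME NAMETYPE TTL [IP ...]
# Prints the nsupdate commands for one WINS change to stdout.
wins_hook_to_nsupdate() {
    [ $# -ge 4 ] || return 2
    op="$1"; name="$2"; nametype="$3"; ttl="$4"
    shift 4

    # Only workstation (0x20) and server (0x00) names map to host records;
    # group names and special services are silently skipped.
    case "$nametype" in
        00|20) ;;
        *) return 0 ;;
    esac

    # nmbd already refuses illegal names, but re-check before anything is
    # written to the DNS update channel.
    case "$name" in
        ""|*[!A-Za-z0-9._-]*) echo "wins hook: illegal NetBIOS name" >&2; return 1 ;;
    esac

    # An empty IP list means the name is gone, whatever the operation says;
    # "refresh" is treated exactly like "add".
    if [ "$op" = "delete" ] || [ $# -eq 0 ]; then
        op="delete"
    else
        op="add"
    fi

    fqdn="$(printf '%s' "$name" | tr 'A-Z' 'a-z').$ZONE"

    printf 'server %s\n' "$DNS_SERVER"
    # Replace the whole A record set so stale addresses do not linger.
    printf 'update delete %s A\n' "$fqdn"
    if [ "$op" = "add" ]; then
        for ip in "$@"; do
            printf 'update add %s %s A %s\n' "$fqdn" "$ttl" "$ip"
        done
    fi
    printf 'send\n'
}

# When nmbd executes this file it passes at least four arguments; feed the
# generated batch to nsupdate. Sourcing the file for tests passes none.
if [ $# -ge 4 ]; then
    wins_hook_to_nsupdate "$@" | nsupdate
fi
```

Install it with wins hook = /path/to/this-script (the path is your
choice) and make sure the file is executable only by the user nmbd runs
as; the zone should be updatable only from the WINS server's address or
with a TSIG key, since any name nmbd accepts will be pushed into DNS.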
wins proxy (G)
This is a boolean that controls whether nmbd(8) will respond to
broadcast name queries on behalf of other hosts. You may need to
set this to yes for some older clients.

Default: wins proxy = no

wins server (G)
This specifies the IP address (or DNS name; an IP address is
preferred) of the WINS server that nmbd(8) should register with.
If you have a WINS server on your network then you should set this
to the WINS server's IP.

You should point this at your WINS server if you have a
multi-subnetted network.

If you want to work in multiple namespaces, you can give every
WINS server a 'tag'. For each tag, only one (working) server will
be queried for a name. The tag should be separated from the IP
address by a colon.

Note
You need to set up Samba to point to a WINS server if you have
multiple subnets and wish cross-subnet browsing to work correctly.
See the chapter in the Samba3-HOWTO on Network Browsing.

Default: wins server =

Example: wins server = mary:192.9.200.1 fred:192.168.3.199
mary:192.168.2.61 # For this example, when querying a certain
name, 192.9.200.1 will be asked first and, if that doesn't
respond, 192.168.2.61. If neither of those knows the name,
192.168.3.199 will be queried.

Example: wins server = 192.9.200.1 192.168.2.61

wins support (G)
This boolean controls whether the nmbd(8) process in Samba will
act as a WINS server. You should not set this to yes unless you
have a multi-subnetted network and you wish a particular nmbd to
be your WINS server. Note that you should NEVER set this to yes on
more than one machine in your network.

Default: wins support = no
workgroup (G)
This controls what workgroup your server will appear to be in when
queried by clients. Note that this parameter also controls the
Domain name used with the security = domain setting.

Default: workgroup = WORKGROUP

Example: workgroup = MYGROUP

writable
This parameter is a synonym for writeable.

writeable (S)
Inverted synonym for read only.

No default
write cache size (S)
If this integer parameter is set to a non-zero value, Samba will
create an in-memory cache for each oplocked file (it does not do
this for non-oplocked files). All writes that the client does not
request to be flushed directly to disk will be stored in this
cache if possible. The cache is flushed onto disk when a write
comes in whose offset would not fit into the cache or when the
file is closed by the client. Reads for the file are also served
from this cache if the data is stored within it.

This cache allows Samba to batch client writes into a more
efficient write size for RAID disks (i.e. writes may be tuned to
be the RAID stripe size) and can improve performance on systems
where the disk subsystem is a bottleneck but there is free memory
for userspace programs.

The integer parameter specifies the size of this cache (per
oplocked file) in bytes.

Default: write cache size = 0

Example: write cache size = 262144 # for a 256k cache size per
file

write list (S)
This is a list of users that are given read-write access to a
service. If the connecting user is in this list then they will be
given write access, no matter what the read only option is set
to. The list can include group names using the @group syntax.

Note that if a user is in both the read list and the write list
then they will be given write access.

By design, this parameter will not work with security = share in
Samba 3.0.

Default: write list =

Example: write list = admin, root, @staff

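As an added illustration, not taken from the Samba documentation, the
two shares below contrast a share that is writeable for every connecting
user with one that is read-only by default and grants write access only
through write list; the path and the group names are placeholders.

```ini
; Added example, not part of the smb.conf man page.
; /srv/samba/projects, @auditors and @staff are placeholders.

; Every authenticated user may write here: the share itself is the
; only boundary, and any compromised account can modify the files.
[projects-open]
   path = /srv/samba/projects
   writeable = yes

; Read-only by default; only members of @staff get write access,
; regardless of the read only setting. A user who is a member of both
; @auditors and @staff still gets write access, as described above.
[projects]
   path = /srv/samba/projects
   read only = yes
   read list = @auditors
   write list = @staff
```

Run testparm(1) after editing to confirm the parsed values, and note that
write list has no effect under security = share in Samba 3.0.
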
7177 write raw (G)
7178 This parameter controls whether or not the server will support
7179 raw write SMB's when transferring data from clients. You should
7180 never need to change this parameter.
7181
7182 Default: write raw = yes
7183
wtmp directory (G)
This parameter is only available if Samba has been configured and
compiled with the option --with-utmp. It specifies a directory
pathname that is used to store the wtmp or wtmpx files (depending
on the UNIX system) that record user connections to a Samba
server. The difference from the utmp directory is that the user
info is kept after a user has logged out.

By default this is not set, meaning the system will use whatever
wtmp file the native system is set to use (usually /var/run/wtmp
on Linux).

Default: wtmp directory =

Example: wtmp directory = /var/log/wtmp
WARNINGS
Although the configuration file permits service names to contain
spaces, your client software may not. Spaces will be ignored in
comparisons anyway, so it shouldn't be a problem - but be aware of
the possibility.

On a similar note, many clients - especially DOS clients - limit
service names to eight characters. smbd(8) has no such limitation,
but attempts to connect from such clients will fail if they
truncate the service names. For this reason you should probably
keep your service names down to eight characters in length.

Use of the [homes] and [printers] special sections makes life for
an administrator easy, but the various combinations of default
attributes can be tricky. Take extreme care when designing these
sections. In particular, ensure that the permissions on spool
directories are correct.

VERSION
This man page is correct for version 3.0 of the Samba suite.

SEE ALSO
samba(7), smbpasswd(8), swat(8), smbd(8), nmbd(8), smbclient(1),
nmblookup(1), testparm(1), testprns(1).

AUTHOR
The original Samba software and related utilities were created by
Andrew Tridgell. Samba is now developed by the Samba Team as an
Open Source project similar to the way the Linux kernel is
developed.

The original Samba man pages were written by Karl Auer. The man
page sources were converted to YODL format (another excellent
piece of Open Source software, available at
ftp://ftp.icce.rug.nl/pub/unix/) and updated for the Samba 2.0
release by Jeremy Allison. The conversion to DocBook for Samba 2.2
was done by Gerald Carter. The conversion to DocBook XML 4.2 for
Samba 3.0 was done by Alexander Bokovoy.