SMB.CONF(5)                                                        SMB.CONF(5)

NAME

       smb.conf - The configuration file for the Samba suite

SYNOPSIS

       The smb.conf file is a configuration file for the Samba suite.
       smb.conf contains runtime configuration information for the Samba programs.
       The smb.conf file is designed to be configured and administered
       by the swat(8) program. The complete description of the file format and
       possible parameters held within are here for reference purposes.

FILE FORMAT

       The file consists of sections and parameters. A section begins with the
       name of the section in square brackets and continues until the next
       section begins. Sections contain parameters of the form:

            name = value

       The file is line-based - that is, each newline-terminated line represents
       either a comment, a section name or a parameter.

       Section and parameter names are not case sensitive.

       Only the first equals sign in a parameter is significant. Whitespace
       before or after the first equals sign is discarded. Leading, trailing
       and internal whitespace in section and parameter names is irrelevant.
       Leading and trailing whitespace in a parameter value is discarded.
       Internal whitespace within a parameter value is retained verbatim.

       Any line beginning with a semicolon (;) or a hash (#) character is
       ignored, as are lines containing only whitespace.

       Any line ending in a \ is continued on the next line in the customary
       UNIX fashion.

       The values following the equals sign in parameters are all either a
       string (no quotes needed) or a boolean, which may be given as yes/no,
       0/1 or true/false. Case is not significant in boolean values, but is
       preserved in string values. Some items such as create masks are
       numeric.

SECTION DESCRIPTIONS

       Each section in the configuration file (except for the [global] section)
       describes a shared resource (known as a share). The section name
       is the name of the shared resource and the parameters within the section
       define the share's attributes.

       There are three special sections, [global], [homes] and [printers],
       which are described under special sections. The following notes apply
       to ordinary section descriptions.

       A share consists of a directory to which access is being given plus a
       description of the access rights which are granted to the user of the
       service. Some housekeeping options are also specifiable.

       Sections are either file share services (used by the client as an
       extension of their native file systems) or printable services (used by
       the client to access print services on the host running the server).

       Sections may be designated guest services, in which case no password is
       required to access them. A specified UNIX guest account is used to
       define access privileges in this case.

       Sections other than guest services will require a password to access
       them. The client provides the username. As older clients only provide
       passwords and not usernames, you may specify a list of usernames to
       check against the password using the user = option in the share definition.
       For modern clients such as Windows 95/98/ME/NT/2000, this should
       not be necessary.

       The access rights granted by the server are masked by the access rights
       granted to the specified or guest UNIX user by the host system. The
       server does not grant more access than the host system grants.

       The following sample section defines a file space share. The user has
       write access to the path /home/bar. The share is accessed via the share
       name foo:

            [foo]
            path = /home/bar
            read only = no

       The following sample section defines a printable share. The share is
       read-only, but printable. That is, the only write access permitted is
       via calls to open, write to and close a spool file. The guest ok parameter
       means access will be permitted as the default guest user (specified
       elsewhere):

            [aprinter]
            path = /usr/spool/public
            read only = yes
            printable = yes
            guest ok = yes

SPECIAL SECTIONS

   The [global] section
       Parameters in this section apply to the server as a whole, or are
       defaults for sections that do not specifically define certain items.
       See the notes under PARAMETERS for more information.

   The [homes] section
       If a section called [homes] is included in the configuration file, services
       connecting clients to their home directories can be created on
       the fly by the server.

       When the connection request is made, the existing sections are scanned.
       If a match is found, it is used. If no match is found, the requested
       section name is treated as a username and looked up in the local password
       file. If the name exists and the correct password has been given,
       a share is created by cloning the [homes] section.

       Some modifications are then made to the newly created share:

       ·  The share name is changed from homes to the located username.

       ·  If no path was given, the path is set to the user's home directory.

       If you decide to use a path = line in your [homes] section, it may be
       useful to use the %S macro. For example:

            path = /data/pchome/%S

       is useful if you have different home directories for your PCs than for
       UNIX access.

       This is a fast and simple way to give a large number of clients access
       to their home directories with a minimum of fuss.

       A similar process occurs if the requested section name is homes, except
       that the share name is not changed to that of the requesting user. This
       method of using the [homes] section works well if different users share
       a client PC.

       The [homes] section can specify all the parameters a normal service
       section can specify, though some make more sense than others. The following
       is a typical and suitable [homes] section:

            [homes]
            read only = no

       An important point is that if guest access is specified in the [homes]
       section, all home directories will be visible to all clients without a
       password. In the very unlikely event that this is actually desirable,
       it is wise to also specify read only access.

       The browseable flag for auto home directories will be inherited from
       the global browseable flag, not the [homes] browseable flag. This is
       useful as it means setting browseable = no in the [homes] section will
       hide the [homes] share but make any auto home directories visible.

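       The FILE FORMAT rules and the [homes] guest-access warning above, combined
       in one added example (not part of the original man page or of Samba): a
       small parser for the line rules, plus an audit that resolves [global]
       defaults. The sample configuration is constructed, and the synonym names
       and error handling are assumptions noted in the comments.

```python
import re

TRUE, FALSE = {"yes", "true", "1"}, {"no", "false", "0"}
# Synonyms taken from the wider smb.conf parameter list (not this excerpt):
# "public" means "guest ok"; the writable spellings invert "read only".
GUEST = ("guestok", "public")
WRITABLE = ("writeable", "writable", "writeok")


def norm(name):
    """Names ignore case and all whitespace: 'Read  Only' == 'readonly'."""
    return re.sub(r"\s+", "", name).lower()


def logical_lines(text):
    """Skip comments and blank lines; join lines that end in a backslash."""
    it = iter(text.splitlines())
    for line in it:
        if not line.strip() or line.lstrip()[0] in ";#":
            continue
        while line.rstrip().endswith("\\"):
            # Assumption: the continuation's leading whitespace is dropped.
            line = line.rstrip()[:-1] + next(it, "").lstrip()
        yield line.strip()


def parse(text):
    """Return {section: {parameter: value}} with normalised names."""
    conf, current = {}, None
    for line in logical_lines(text):
        if line.startswith("[") and line.endswith("]"):
            current = conf.setdefault(norm(line[1:-1]), {})
        elif "=" in line and current is not None:
            name, value = line.split("=", 1)  # only the first '=' is significant
            current[norm(name)] = value.strip()
        else:
            # Choice made for this sketch: reject instead of silently skipping.
            raise ValueError(f"not a section or parameter: {line!r}")
    return conf


def as_bool(value):
    v = value.lower()
    if v in TRUE:
        return True
    if v in FALSE:
        return False
    raise ValueError(f"not a boolean: {value!r}")


def effective(conf, share, keys, inverted=(), default=False):
    """Share setting first, then the [global] default, then the built-in one."""
    for scope in (conf.get(share, {}), conf.get("global", {})):
        for key in keys:
            if key in scope:
                return as_bool(scope[key])
        for key in inverted:
            if key in scope:
                return not as_bool(scope[key])
    return default


def audit_homes(conf):
    """Report the [homes] guest-access condition the man page warns about."""
    if "homes" not in conf:
        return []
    findings = []
    if effective(conf, "homes", GUEST):
        findings.append("[homes] allows guest access: every home directory "
                        "is visible without a password")
        if not effective(conf, "homes", ("readonly",), WRITABLE, default=True):
            findings.append("[homes] is guest-accessible and not read only")
    return findings


# Constructed sample: guest access arrives through a [global] default.
WEAK = r"""
; constructed sample, not from the man page
[global]
   Guest OK = Yes
[ Homes ]
   comment = home dirs for \
             all users
   READ ONLY = no
   preexec = /bin/echo user=%u
"""
FIXED = WEAK.replace("Guest OK = Yes", "guest ok = no")

if __name__ == "__main__":
    for label, text in (("weak", WEAK), ("fixed", FIXED)):
        print(label, audit_homes(parse(text)))
```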
   The [printers] section
       This section works like [homes], but for printers.

       If a [printers] section occurs in the configuration file, users are
       able to connect to any printer specified in the local host's printcap
       file.

       When a connection request is made, the existing sections are scanned.
       If a match is found, it is used. If no match is found, but a [homes]
       section exists, it is used as described above. Otherwise, the requested
       section name is treated as a printer name and the appropriate printcap
       file is scanned to see if the requested section name is a valid printer
       share name. If a match is found, a new printer share is created by
       cloning the [printers] section.

       A few modifications are then made to the newly created share:

       ·  The share name is set to the located printer name

       ·  If no printer name was given, the printer name is set to the located
          printer name

       ·  If the share does not permit guest access and no username was given,
          the username is set to the located printer name.

       The [printers] service MUST be printable - if you specify otherwise,
       the server will refuse to load the configuration file.

       Typically the path specified is that of a world-writeable spool directory
       with the sticky bit set on it. A typical [printers] entry looks
       like this:

            [printers]
            path = /usr/spool/public
            guest ok = yes
            printable = yes

       All aliases given for a printer in the printcap file are legitimate
       printer names as far as the server is concerned. If your printing subsystem
       doesn't work like that, you will have to set up a pseudo-printcap.
       This is a file consisting of one or more lines like this:

            alias|alias|alias|alias...

       Each alias should be an acceptable printer name for your printing subsystem.
       In the [global] section, specify the new file as your printcap.
       The server will only recognize names found in your pseudo-printcap,
       which of course can contain whatever aliases you like. The same technique
       could be used simply to limit access to a subset of your local
       printers.

       An alias, by the way, is defined as any component of the first entry of
       a printcap record. Records are separated by newlines, components (if
       there are more than one) are separated by vertical bar symbols (|).

       Note
       On SYSV systems which use lpstat to determine what printers are defined
       on the system you may be able to use printcap name = lpstat to automatically
       obtain a list of printers. See the printcap name option for more
       details.

USERSHARES

       Starting with Samba version 3.0.23 the capability for non-root users to
       add, modify, and delete their own share definitions has been added.
       This capability is called usershares and is controlled by a set of
       parameters in the [global] section of the smb.conf. The relevant parameters
       are:

       usershare allow guests
          Controls if usershares can permit guest access.

       usershare max shares
          Maximum number of user defined shares allowed.

       usershare owner only
          If set only directories owned by the sharing user can be shared.

       usershare path
          Points to the directory containing the user defined share definitions.
          The filesystem permissions on this directory control who can
          create user defined shares.

       usershare prefix allow list
          Comma-separated list of absolute pathnames restricting what directories
          can be shared. Only directories below the pathnames in this
          list are permitted.

       usershare prefix deny list
          Comma-separated list of absolute pathnames restricting what directories
          can be shared. Directories below the pathnames in this list are
          prohibited.

       usershare template share
          Names a pre-existing share used as a template for creating new usershares.
          All other share parameters not specified in the user defined
          share definition are copied from this named share.

       To allow members of the UNIX group foo to create user defined shares,
       create the directory to contain the share definitions as follows:

       Become root:

            mkdir /usr/local/samba/lib/usershares
            chgrp foo /usr/local/samba/lib/usershares
            chmod 1770 /usr/local/samba/lib/usershares

       Then add the parameters

            usershare path = /usr/local/samba/lib/usershares
            ; 10, or the desired number of shares
            usershare max shares = 10

       to the global section of your smb.conf. Members of the group foo may
       then manipulate the user defined shares using the following commands.

       net usershare add sharename path [comment] [acl] [guest_ok=[y|n]]
          To create or modify (overwrite) a user defined share.

       net usershare delete sharename
          To delete a user defined share.

       net usershare list wildcard-sharename
          To list user defined shares.

       net usershare info wildcard-sharename
          To print information about user defined shares.

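       A pre-flight check for the usershare setup described above, as an added
       example (not part of the original man page, and not Samba's own matching
       code). It tests a directory mode against the 1770 layout and evaluates a
       candidate path against the prefix lists component by component. The
       function names are hypothetical, and processing the deny list before the
       allow list follows the full parameter descriptions rather than this excerpt.

```python
import posixpath
import stat
from pathlib import PurePosixPath


def usershare_dir_findings(mode, uid=0):
    """Compare a usershare directory's st_mode/st_uid with the 1770 layout."""
    if not stat.S_ISDIR(mode):
        return ["not a directory"]
    findings = []
    if uid != 0:
        # The man page creates the directory as root.
        findings.append("not owned by root")
    if not mode & stat.S_ISVTX:
        findings.append("sticky bit missing: group members can remove "
                        "each other's share definitions")
    if mode & stat.S_IRWXO:
        findings.append("permissions granted to 'other': creation is no "
                        "longer limited to the chosen group")
    if not mode & stat.S_IWGRP:
        findings.append("group cannot write: no member can add a usershare")
    return findings


def split_list(value):
    """Split a comma-separated smb.conf list value into clean entries."""
    return [item.strip() for item in value.split(",") if item.strip()]


def below(path, prefix):
    """True if path equals prefix or lies below it, compared per component.

    A plain string prefix test would wrongly treat /homework as below /home.
    normpath is lexical only; a check on the server should also resolve
    symbolic links before comparing.
    """
    p = PurePosixPath(posixpath.normpath(path))
    q = PurePosixPath(posixpath.normpath(prefix))
    return p == q or q in p.parents


def share_path_permitted(path, allow=(), deny=()):
    """Deny list first, then allow list: the most restrictive reading."""
    if not posixpath.isabs(path):
        return False
    if any(below(path, d) for d in deny):
        return False
    return not allow or any(below(path, a) for a in allow)


if __name__ == "__main__":
    # Constructed values for illustration.
    allow = split_list("/home, /srv/projects")
    deny = split_list("/home/secret")
    print(usershare_dir_findings(stat.S_IFDIR | 0o1770))
    print(usershare_dir_findings(stat.S_IFDIR | 0o777))
    for candidate in ("/home/alice/pub", "/home/secret/x",
                      "/homework/x", "/home/alice/../../etc"):
        print(candidate, share_path_permitted(candidate, allow, deny))
```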

PARAMETERS

       Parameters define the specific attributes of sections.

       Some parameters are specific to the [global] section (e.g., security).
       Some parameters are usable in all sections (e.g., create mask). All
       others are permissible only in normal sections. For the purposes of the
       following descriptions the [homes] and [printers] sections will be considered
       normal. The letter G in parentheses indicates that a parameter
       is specific to the [global] section. The letter S indicates that a
       parameter can be specified in a service specific section. All S parameters
       can also be specified in the [global] section - in which case they
       will define the default behavior for all services.

       Parameters are arranged here in alphabetical order - this may not create
       best bedfellows, but at least you can find them! Where there are
       synonyms, the preferred synonym is described, others refer to the preferred
       synonym.

VARIABLE SUBSTITUTIONS

       Many of the strings that are settable in the config file can take substitutions.
       For example the option path = /tmp/%u is interpreted as
       path = /tmp/john if the user connected with the username john.

       These substitutions are mostly noted in the descriptions below, but
       there are some general substitutions which apply whenever they might be
       relevant. These are:

       %U
          session username (the username that the client wanted, not necessarily
          the same as the one they got).

       %G
          primary group name of %U.

       %h
          the Internet hostname that Samba is running on.

       %m
          the NetBIOS name of the client machine (very useful).

          This parameter is not available when Samba listens on port 445, as
          clients no longer send this information. If you use this macro in an
          include statement on a domain that has a Samba domain controller be
          sure to set in the [global] section smb ports = 139. This will cause
          Samba to not listen on port 445 and will permit include functionality
          to function as it did with Samba 2.x.

       %L
          the NetBIOS name of the server. This allows you to change your config
          based on what the client calls you. Your server can have a dual
          personality.

       %M
          the Internet name of the client machine.

       %R
          the selected protocol level after protocol negotiation. It can be
          one of CORE, COREPLUS, LANMAN1, LANMAN2 or NT1.

       %d
          the process id of the current server process.

       %a
          the architecture of the remote machine. It currently recognizes
          Samba (Samba), the Linux CIFS file system (CIFSFS), OS/2 (OS2),
          Windows for Workgroups (WfWg), Windows 9x/ME (Win95), Windows NT
          (WinNT), Windows 2000 (Win2K), Windows XP (WinXP), and Windows 2003
          (Win2K3). Anything else will be known as UNKNOWN.

       %I
          the IP address of the client machine.

       %i
          the local IP address to which a client connected.

       %T
          the current date and time.

       %D
          name of the domain or workgroup of the current user.

       %w
          the winbind separator.

       %$(envvar)
          the value of the environment variable envvar.

       The following substitutions apply only to some configuration options
       (only those that are used when a connection has been established):

       %S
          the name of the current service, if any.

       %P
          the root directory of the current service, if any.

       %u
          username of the current service, if any.

       %g
          primary group name of %u.

       %H
          the home directory of the user given by %u.

       %N
          the name of your NIS home directory server. This is obtained from
          your NIS auto.map entry. If you have not compiled Samba with the
          --with-automount option, this value will be the same as %L.

       %p
          the path of the service's home directory, obtained from your NIS
          auto.map entry. The NIS auto.map entry is split up as %N:%p.

       There are some quite creative things that can be done with these substitutions
       and other smb.conf options.

NAME MANGLING

       Samba supports name mangling so that DOS and Windows clients can use
       files that don't conform to the 8.3 format. It can also be set to
       adjust the case of 8.3 format filenames.

       There are several options that control the way mangling is performed,
       and they are grouped here rather than listed separately. For the
       defaults look at the output of the testparm program.

       These options can be set separately for each service.

       The options are:

       case sensitive = yes/no/auto
          controls whether filenames are case sensitive. If they aren't, Samba
          must do a filename search and match on passed names. The default
          setting of auto allows clients that support case sensitive filenames
          (Linux CIFSVFS and smbclient 3.0.5 and above currently) to tell the
          Samba server on a per-packet basis that they wish to access the file
          system in a case-sensitive manner (to support UNIX case sensitive
          semantics). No Windows or DOS system supports case-sensitive filenames,
          so setting this option to auto is the same as setting it to no
          for them. Default auto.

       default case = upper/lower
          controls what the default case is for new filenames (i.e. files that
          don't currently exist in the filesystem). Default lower. IMPORTANT
          NOTE: This option will be used to modify the case of all incoming
          client filenames, not just new filenames, if the options case sensitive
          = yes, preserve case = No, short preserve case = No are set.
          This change is needed as part of the optimisations for directories
          containing large numbers of files.

       preserve case = yes/no
          controls whether new files (i.e. files that don't currently exist in
          the filesystem) are created with the case that the client passes, or
          if they are forced to be the default case. Default yes.

       short preserve case = yes/no
          controls if new files (i.e. files that don't currently exist in the
          filesystem) which conform to 8.3 syntax, that is all in upper case
          and of suitable length, are created upper case, or if they are
          forced to be the default case. This option can be used with preserve
          case = yes to permit long filenames to retain their case, while
          short names are lowercased. Default yes.

       By default, Samba 3.0 has the same semantics as a Windows NT server, in
       that it is case insensitive but case preserving. As a special case for
       directories with large numbers of files, if the case options are set as
       follows, "case sensitive = yes", "preserve case = no", "short preserve
       case = no" then the "default case" option will be applied and will modify
       all filenames sent from the client when accessing this share.

NOTE ABOUT USERNAME/PASSWORD VALIDATION

       There are a number of ways in which a user can connect to a service.
       The server uses the following steps in determining if it will allow a
       connection to a specified service. If all the steps fail, the connection
       request is rejected. However, if one of the steps succeeds, the
       following steps are not checked.

       If the service is marked guest only = yes and the server is running
       with share-level security (security = share), steps 1 to 5 are skipped.

       1. If the client has passed a username/password pair and that
          username/password pair is validated by the UNIX system's password programs,
          the connection is made as that username. This includes the
          \\server\service%username method of passing a username.

       2. If the client has previously registered a username with the system
          and now supplies a correct password for that username, the connection
          is allowed.

       3. The client's NetBIOS name and any previously used usernames are
          checked against the supplied password. If they match, the connection
          is allowed as the corresponding user.

       4. If the client has previously validated a username/password pair with
          the server and the client has passed the validation token, that
          username is used.

       5. If a user = field is given in the smb.conf file for the service and
          the client has supplied a password, and that password matches
          (according to the UNIX system's password checking) with one of the
          usernames from the user = field, the connection is made as the username
          in the user = line. If one of the usernames in the user = list
          begins with a @, that name expands to a list of names in the group
          of the same name.

       6. If the service is a guest service, a connection is made as the username
          given in the guest account = for the service, irrespective of
          the supplied password.

EXPLANATION OF EACH PARAMETER

       abort shutdown script (G)
          This is a full path name to a script called by smbd(8) that should stop
          a shutdown procedure issued by the shutdown script.

          If the connected user possesses the SeRemoteShutdownPrivilege right,
          this command will be run as user.

          Default: abort shutdown script = ""

          Example: abort shutdown script = /sbin/shutdown -c

       acl check permissions (S)
          This boolean parameter controls what smbd(8) does on receiving a protocol
          request of "open for delete" from a Windows client. If a Windows
          client doesn't have permissions to delete a file then they
          expect this to be denied at open time. POSIX systems normally only
          detect restrictions on delete by actually attempting to delete the
          file or directory. As Windows clients can (and do) "back out" a
          delete request by unsetting the "delete on close" bit, Samba cannot
          delete the file immediately on "open for delete" request as we cannot
          restore such a deleted file. With this parameter set to true
          (the default) then smbd checks the file system permissions directly
          on "open for delete" and denies the request without actually deleting
          the file if the file system permissions would seem to deny it.
          This is not perfect, as it's possible a user could have deleted a
          file without Samba being able to check the permissions correctly,
          but it is close enough to Windows semantics for mostly correct behaviour.
          Samba will correctly check POSIX ACL semantics in this
          case.

          If this parameter is set to "false" Samba doesn't check permissions
          on "open for delete" and allows the open. If the user doesn't have
          permission to delete the file this will only be discovered at close
          time, which is too late for the Windows user tools to display an
          error message to the user. The symptom of this is files that appear
          to have been deleted "magically" re-appearing on a Windows explorer
          refresh. This is an extremely advanced protocol option which should
          not need to be changed. This parameter was introduced in its final
          form in 3.0.21, an earlier version with slightly different semantics
          was introduced in 3.0.20. That older version is not documented here.

          Default: acl check permissions = True

       acl compatibility (S)
          This parameter specifies what OS ACL semantics should be compatible
          with. Possible values are winnt for Windows NT 4, win2k for Windows
          2000 and above and auto. If you specify auto, the value for this
          parameter will be based upon the version of the client. There should
          be no reason to change this parameter from the default.

          Default: acl compatibility = Auto

          Example: acl compatibility = win2k
       acl group control (S)
          In a POSIX filesystem, only the owner of a file or directory and the
          superuser can modify the permissions and ACLs on a file. If this
          parameter is set, then Samba overrides this restriction, and also
          allows the primary group owner of a file or directory to modify the
          permissions and ACLs on that file.

          On a Windows server, groups may be the owner of a file or directory
          - thus allowing anyone in that group to modify the permissions on
          it. This allows the delegation of security controls on a point in
          the filesystem to the group owner of a directory and anything below
          it also owned by that group. This means there are multiple people
          with permissions to modify ACLs on a file or directory, easing manageability.

          This parameter allows Samba to also permit delegation of the control
          over a point in the exported directory hierarchy in much the same
          way as Windows. This allows all members of a UNIX group to control
          the permissions on a file or directory they have group ownership on.

          This parameter is best used with the inherit owner option and also
          on a share containing directories with the UNIX setgid bit
          set on them, which causes new files and directories created within
          it to inherit the group ownership from the containing directory.

          This parameter has been marked deprecated in Samba 3.0.23. The
          same behavior is now implemented by the dos filemode option.

          Default: acl group control = no

       acl map full control (S)
          This boolean parameter controls whether smbd(8) maps a POSIX ACE
          entry of "rwx" (read/write/execute), the maximum allowed POSIX permission
          set, into a Windows ACL of "FULL CONTROL". If this parameter
          is set to true any POSIX ACE entry of "rwx" will be returned in a
          Windows ACL as "FULL CONTROL", if this parameter is set to false any
          POSIX ACE entry of "rwx" will be returned as the specific Windows
          ACL bits representing read, write and execute.

          Default: acl map full control = True
       add group script (G)
          This is the full pathname to a script that will be run AS ROOT by
          smbd(8) when a new group is requested. It will expand any %g to the
          group name passed. This script is only useful for installations
          using the Windows NT domain administration tools. The script is free
          to create a group with an arbitrary name to circumvent unix group
          name restrictions. In that case the script must print the numeric
          gid of the created group on stdout.

          Default: add group script =

          Example: add group script = /usr/sbin/groupadd %g

       add machine script (G)
          This is the full pathname to a script that will be run by smbd(8)
          when a machine is added to Samba's domain and a Unix account matching
          the machine's name appended with a "$" does not already exist.

          This option is very similar to the add user script, and likewise
          uses the %u substitution for the account name. Do not use the %m
          substitution.

          Default: add machine script =

          Example: add machine script = /usr/sbin/adduser -n -g machines -c Machine -d /var/lib/nobody -s /bin/false %u

       add port command (G)
          Samba 3.0.23 introduces support for adding printer ports remotely
          using the Windows "Add Standard TCP/IP Port Wizard". This option
          defines an external program to be executed when smbd receives a
          request to add a new Port to the system. The script is passed two
          parameters:

             ·  port name

             ·  device URI

          The deviceURI is in the form of socket://<hostname>[:<portnumber>]
          or lpd://<hostname>/<queuename>.

          Default: add port command =

          Example: add port command = /etc/samba/scripts/addport.sh

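       Both arguments handed to the add port command originate from the remote
       client, so the program should validate them before acting. The following
       is an added example (not part of the original man page or of Samba) that
       accepts only the two device URI forms listed above. The character sets,
       length limits and function names are assumptions of this sketch, and IPv6
       literals are not handled.

```python
import re
import sys

# Assumed input policy: ASCII host names or IPv4 literals, short queue and
# port names, and nothing a shell or a config file could misread.
HOST = r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?"
SOCKET_RE = re.compile(rf"socket://(?P<host>{HOST})(?::(?P<port>[0-9]{{1,5}}))?")
LPD_RE = re.compile(rf"lpd://(?P<host>{HOST})/(?P<queue>[A-Za-z0-9_.-]{{1,64}})")
PORT_NAME_RE = re.compile(r"[A-Za-z0-9_.:-]{1,64}")


def parse_device_uri(uri):
    """Parse socket://host[:port] or lpd://host/queue; reject everything else."""
    m = SOCKET_RE.fullmatch(uri)
    if m:
        port = int(m["port"]) if m["port"] else None
        if port is not None and not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
        return {"scheme": "socket", "host": m["host"], "port": port, "queue": None}
    m = LPD_RE.fullmatch(uri)
    if m:
        return {"scheme": "lpd", "host": m["host"], "port": None, "queue": m["queue"]}
    raise ValueError(f"unsupported device URI: {uri!r}")


def validate_request(argv):
    """Check the two arguments smbd passes: port name, then device URI."""
    if len(argv) != 2:
        raise ValueError("expected exactly two arguments: port name, device URI")
    name, uri = argv
    if not PORT_NAME_RE.fullmatch(name):
        raise ValueError(f"unacceptable port name: {name!r}")
    return name, parse_device_uri(uri)


def main(argv):
    try:
        name, device = validate_request(argv)
    except ValueError as exc:
        print(f"addport: request rejected: {exc}", file=sys.stderr)
        return 1
    # Only validated values reach the step that registers the port with the
    # local print system; that step is site-specific and not shown here.
    print(f"addport: accepted {name} -> {device}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```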
668       add printer command (G)
669          With  the  introduction of MS-RPC based printing support for Windows
670          NT/2000 clients in Samba 2.2, The MS Add Printer Wizard  (APW)  icon
671          is  now also available in the "Printers..." folder displayed a share
672          listing. The APW allows for printers to be add remotely to  a  Samba
673          or Windows NT/2000 print server.
674
675          For  a  Samba  host  this  means that the printer must be physically
676          added to the underlying printing system.  The  add  printer  command
677          defines  a  script to be run which will perform the necessary opera‐
678          tions for adding the printer to the print  system  and  to  add  the
679          appropriate service definition to the smb.conf file in order that it
680          can be shared by smbd(8).
681
682          The addprinter command is automatically invoked with  the  following
683          parameters (in order):
684
685             ·  printer name
686
687             ·  share name
688
689             ·  port name
690
691             ·  driver name
692
693             ·  location
694
695             ·  Windows 9x driver location
696
697             All  parameters  are  filled in from the PRINTER_INFO_2 structure
698             sent by the Windows NT/2000 client with one exception. The  "Win‐
699             dows 9x driver location" parameter is included for backwards com‐
700             patibility only. The remaining fields in the structure are gener‐
701             ated from answers to the APW questions.
702
703             Once  the addprinter command has been executed, smbd will reparse
704             the smb.conf to determine if the share defined by the APW
705             exists. If
706             the  sharename  is  still  invalid,  then  smbd  will  return  an
707             ACCESS_DENIED error to the client.
708
709             The "add printer command" program can output  a  single  line  of
710             text,  which  Samba  will set as the port the new printer is con‐
711             nected to. If this line isn't  output,  Samba  won't  reload  its
712             printer shares.
713
714             Default: add printer command =
715
716             Example: add printer command = /usr/bin/addprinter
717
718       add share command (G)
719          Samba  2.2.0  introduced  the  ability to dynamically add and delete
720          shares via the Windows NT 4.0 Server Manager. The add share  command
721          is used to define an external program or script which will add a new
722          service definition to smb.conf. In order to successfully execute the
723          add share command, smbd requires that the administrator be connected
724          using a root account (i.e. uid == 0).
725
726          When executed, smbd will automatically invoke the add share  command
727          with five parameters.
728
729             ·  configFile - the location of the global smb.conf file.
730
731             ·  shareName - the name of the new share.
732
733             ·  pathName - path to an **existing** directory on disk.
734
735             ·  comment - comment string to associate with the new share.
736
737             ·  max connections - number of maximum simultaneous connections to
738                this share.
739
740             This parameter is only used to add file shares. To add printer
741             shares, see the addprinter command.
742
743             Default: add share command =
744
745             Example: add share command = /usr/local/bin/addshare
746
747       add user script (G)
748          This  is  the  full pathname to a script that will be run AS ROOT by
749          smbd(8) under special circumstances described below.
750
751          Normally, a Samba server requires that UNIX users  are  created  for
752          all users accessing files on this server. For sites that use Windows
753          NT account databases as their primary user database  creating  these
754          users  and  keeping the user list in sync with the Windows NT PDC is
755          an onerous task. This option allows smbd to create the required UNIX
756          users ON DEMAND when a user accesses the Samba server.
757
758          In  order  to use this option, smbd(8) must NOT be set to security =
759          share and add user script must be set  to  a  full  pathname  for  a
760          script  that will create a UNIX user given one argument of %u, which
761          expands into the UNIX user name to create.
762
763          When the Windows user attempts to access the Samba server, at  login
764          (session setup in the SMB protocol) time, smbd(8) contacts the pass‐
765          word server and attempts to authenticate the  given  user  with  the
766          given password. If the authentication succeeds then smbd attempts to
767          find a UNIX user in the UNIX password database to  map  the  Windows
768          user  into.  If  this  lookup fails, and add user script is set then
769          smbd will call the specified script AS ROOT, expanding any %u  argu‐
770          ment to be the user name to create.
771
772          If this script successfully creates the user then smbd will continue
773          on as though the UNIX user already existed. In this way, UNIX  users
774          are dynamically created to match existing Windows NT accounts.
775
776          See also security, password server, delete user script.
777
778          Default: add user script =
779
780          Example: add user script = /usr/local/samba/bin/add_user %u
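
          The add machine script and add user script entries above both pass a
          client-influenced account name (%u) to a program that smbd runs as
          root. The wrapper below is an added example, not part of the Samba
          distribution; the install name smb-add-account, the naming policy
          and the use of useradd(8) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not shipped with Samba): wrapper for "add user script" and
# "add machine script". Hypothetical install name: smb-add-account.
# smbd runs it AS ROOT with %u expanded to the account name, so the name is
# checked before it reaches any account-management tool.
LC_ALL=C; export LC_ALL          # make [a-z] ranges byte-exact

# valid_account NAME: succeed only for names this example's policy accepts:
# first char a-z or '_', then a-z 0-9 '_' '-', optional trailing '$'
# (machine account), at most 32 characters in total.
valid_account() {
    va_name=$1
    [ -n "$va_name" ] && [ "${#va_name}" -le 32 ] || return 1
    va_body=${va_name%\$}                 # drop one trailing '$', if any
    case $va_body in
        '')            return 1 ;;       # name was just "$"
        [!a-z_]*)      return 1 ;;       # also rejects a leading '-' (option injection)
        *[!a-z0-9_-]*) return 1 ;;       # whitespace, '/', quotes, newlines, ...
    esac
    return 0
}

# account_kind NAME: print "machine" for names ending in '$', else "user".
account_kind() {
    case $1 in
        *\$) echo machine ;;
        *)   echo user ;;
    esac
}

main() {
    if [ "$#" -ne 1 ] || ! valid_account "$1"; then
        # Log the length only; the raw value is untrusted.
        logger -t smb-add-account -p auth.warning \
            "rejected account name (argc=$#, length=${#1})"
        exit 1
    fi
    case $(account_kind "$1") in
        machine)
            # Group, comment, home and shell follow the "add machine script"
            # Example on this page; group "machines" must already exist.
            exec /usr/sbin/useradd -M -g machines -c Machine \
                -d /var/lib/nobody -s /bin/false "$1" ;;
        user)
            exec /usr/sbin/useradd -m -s /bin/false "$1" ;;
    esac
}

# Run only when invoked under the installed name, so the functions can be
# loaded and tested without creating accounts.
if [ "${0##*/}" = smb-add-account ]; then
    main "$@"
fi
```

          It would be referenced the same way as the Example lines on this
          page, with %u as the only argument.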
781
782       add user to group script (G)
783          Full  path to the script that will be called when a user is added to
784          a group using the Windows NT domain administration tools. It will be
785          run  by smbd(8) AS ROOT. Any %g will be replaced with the group name
786          and any %u will be replaced with the user name.
787
788          Note that the adduser command used in the example below does not
789          support this syntax on all systems.
790
791          Default: add user to group script =
792
793          Example: add user to group script = /usr/sbin/adduser %u %g
794
795       admin users (S)
796          This  is  a  list of users who will be granted administrative privi‐
797          leges on the share. This means that they will do all file operations
798          as the super-user (root).
799
800          You  should use this option very carefully, as any user in this list
801          will be able to do anything they like on the share, irrespective  of
802          file permissions.
803
804          This parameter will not work with security = share in Samba 3.0.
805          This is by design.
806
807          Default: admin users =
808
809          Example: admin users = jason
810
811       afs share (S)
812          This parameter controls whether special AFS features are enabled for
813          this  share.  If enabled, it assumes that the directory exported via
814          the path parameter is a local AFS import. The special  AFS  features
815          include  the  attempt  to  hand-craft  an  AFS  token if you enabled
816          --with-fake-kaserver in configure.
817
818          Default: afs share = no
819
820       afs username map (G)
821          If you are using the fake kaserver AFS feature, you  might  want  to
822          hand-craft  the  usernames  you are creating tokens for. For example
823          this is necessary if you have users from several domains in your AFS
824          Protection Database. One possible scheme is to code users as
825          DOMAIN+User, as is done by winbind with the + as a separator.
826
827          The mapped user name must contain the cell  name  to  log  into,  so
828          without setting this parameter there will be no token.
829
830          Default: afs username map =
831
832          Example: afs username map = %u@afs.samba.org
833
834       aio read size (S)
835          If Samba has been built with asynchronous I/O support and this
836          integer parameter is set to a non-zero value, Samba will read from
837          the file asynchronously when the size of the request is bigger than
838          this value. Note that this happens only for non-chained and
839          non-chaining reads and when not using the write cache.
840
841          The current implementation of asynchronous I/O in Samba 3.0 supports
842          only up to 10 outstanding asynchronous requests, read and write
843          combined.
844
845          Related parameters:
846
847            write cache size
848            aio write size
849
850          Default: aio read size = 0
851
852          Example: aio read size = 16384 # Use asynchronous I/O for reads big‐
853          ger than 16KB request size
854
855       aio write size (S)
856          If Samba has been built with asynchronous I/O support and this
857          integer parameter is set to a non-zero value, Samba will write to
858          the file asynchronously when the size of the request is bigger than
859          this value. Note that this happens only for non-chained and
860          non-chaining reads and when not using the write cache.
861
862          The current implementation of asynchronous I/O in Samba 3.0 supports
863          only up to 10 outstanding asynchronous requests, read and write
864          combined.
865
866          Related parameters:
867
868            write cache size
869            aio read size
870
871          Default: aio write size = 0
872
873          Example: aio write size = 16384 # Use asynchronous  I/O  for  writes
874          bigger than 16KB request size
875
876       algorithmic rid base (G)
877          This  determines  how  Samba  will  use its algorithmic mapping from
878          uids/gids to the RIDs needed to construct NT Security Identifiers.
879
880          Setting this option to a larger value could be useful to sites tran‐
881          sitioning  from  WinNT  and  Win2k,  as existing user and group rids
882          would otherwise clash with system users etc.
883
884          All UIDs and GIDs must be able to be resolved into SIDs for the cor‐
885          rect  operation  of ACLs on the server. As such the algorithmic map‐
886          ping can't be 'turned off', but pushing it 'out of the  way'  should
887          resolve the issues. Users and groups can then be assigned 'low' RIDs
888          in arbitrary-rid supporting backends.
889
890          Default: algorithmic rid base = 1000
891
892          Example: algorithmic rid base = 100000
893
894       allocation roundup size (S)
895          This parameter allows an administrator to tune the  allocation  size
896          reported  to  Windows  clients.  The  default  size of 1Mb generally
897          results in improved Windows client  performance.  However,  rounding
898          the  allocation  size  may cause difficulties for some applications,
899          e.g. MS Visual Studio. If the MS Visual Studio  compiler  starts  to
900          crash  with  an  internal error, set this parameter to zero for this
901          share.
902
903          The integer parameter specifies the roundup size in bytes.
904
905          Default: allocation roundup size = 1048576
906
907          Example: allocation roundup size = 0 # (to disable roundups)
908
909       allow trusted domains (G)
910          This option only takes effect when the security  option  is  set  to
911          server,  domain or ads. If it is set to no, then attempts to connect
912          to a resource from a domain or workgroup other than  the  one  which
913          smbd  is running in will fail, even if that domain is trusted by the
914          remote server doing the authentication.
915
916          This is useful if you only want your Samba server to serve resources
917          to  users  in  the  domain it is a member of. As an example, suppose
918          that there are two domains DOMA and DOMB. DOMB is trusted  by  DOMA,
919          which  contains the Samba server. Under normal circumstances, a user
920          with an account in DOMB can then access  the  resources  of  a  UNIX
921          account  with the same account name on the Samba server even if they
922          do not have an account in DOMA. This can make implementing  a  secu‐
923          rity boundary difficult.
924
925          Default: allow trusted domains = yes
926
927       announce as (G)
928          This  specifies what type of server nmbd(8) will announce itself as,
929          to a network neighborhood browse list. By default  this  is  set  to
930          Windows NT. The valid options are: "NT Server" (which can also be
931          written as "NT"), "NT Workstation", "Win95" or "WfW" meaning Windows
932          NT  Server, Windows NT Workstation, Windows 95 and Windows for Work‐
933          groups respectively. Do not change this parameter unless you have  a
934          specific  need  to  stop Samba appearing as an NT server as this may
935          prevent Samba servers from participating  as  browser  servers  cor‐
936          rectly.
937
938          Default: announce as = NT Server
939
940          Example: announce as = Win95
941
942       announce version (G)
943          This  specifies  the  major and minor version numbers that nmbd will
944          use when announcing itself as a server. The default is 4.9.  Do  not
945          change this parameter unless you have a specific need to set a Samba
946          server to be a downlevel server.
947
948          Default: announce version = 4.9
949
950          Example: announce version = 2.0
951
952       auth methods (G)
953          This option allows the administrator to choose what authentication
954          methods  smbd  will  use  when  authenticating  a  user. This option
955          defaults to sensible values based on security. This should  be  con‐
956          sidered  a  developer option and used only in rare circumstances. In
957          the majority (if not all) of production servers, the default setting
958          should be adequate.
959
960          Each  entry  in  the list attempts to authenticate the user in turn,
961          until the user authenticates. In practice only one method will  ever
962          actually be able to complete the authentication.
963
964          Possible  options  include guest (anonymous access), sam (lookups in
965          local list of accounts based on netbios name or domain  name),  win‐
966          bind  (relay  authentication  requests for remote users through win‐
967          bindd), ntdomain (pre-winbindd method of authentication  for  remote
968          domain  users;  deprecated in favour of winbind method), trustdomain
969          (authenticate trusted users by contacting  the  remote  DC  directly
970          from smbd; deprecated in favour of winbind method).
971
972          Default: auth methods =
973
974          Example: auth methods = guest sam winbind
975
976       available (S)
977          This  parameter  lets  you  "turn off" a service. If available = no,
978          then ALL attempts to connect to the service will fail. Such failures
979          are logged.
980
981          Default: available = yes
982
983       bind interfaces only (G)
984          This  global  parameter  allows the Samba admin to limit what inter‐
985          faces on a machine will serve SMB requests. It affects file  service
986          smbd(8) and name service nmbd(8) in slightly different ways.
987
988          For  name service it causes nmbd to bind to ports 137 and 138 on the
989          interfaces listed in the interfaces parameter.  nmbd also  binds  to
990          the "all addresses" interface (0.0.0.0) on ports 137 and 138 for the
991          purposes of reading broadcast messages. If this option  is  not  set
992          then  nmbd  will  service  name requests on all of these sockets. If
993          bind interfaces only is set then nmbd will check the source  address
994          of  any  packets  coming in on the broadcast sockets and discard any
995          that don't match the broadcast addresses of the  interfaces  in  the
996          interfaces  parameter  list.  As unicast packets are received on the
997          other sockets it allows nmbd to refuse to serve  names  to  machines
998          that  send  packets that arrive through any interfaces not listed in
999          the interfaces list. IP Source address  spoofing  does  defeat  this
1000          simple  check,  however, so it must not be used seriously as a secu‐
1001          rity feature for nmbd.
1002
1003          For file service it causes smbd(8) to bind  only  to  the  interface
1004          list  given in the interfaces parameter. This restricts the networks
1005          that smbd will serve to packets coming  in  those  interfaces.  Note
1006          that you should not use this parameter for machines that are serving
1007          PPP or other intermittent or non-broadcast network interfaces as  it
1008          will not cope with non-permanent interfaces.
1009
1010          If  bind  interfaces  only  is  set  then unless the network address
1011          127.0.0.1 is added to the interfaces parameter list smbpasswd(8) and
1012          swat(8) may not work as expected due to the reasons covered below.
1013
1014          To change a user's SMB password, smbpasswd by default connects to
1015          the localhost - 127.0.0.1 address as an  SMB  client  to  issue  the
1016          password  change request. If bind interfaces only is set then unless
1017          the network address 127.0.0.1 is added to the  interfaces  parameter
1018          list then smbpasswd will fail to connect in its default mode.
1019          smbpasswd can be forced to use the primary IP interface of the local
1020          host  by  using  its  smbpasswd(8) -r remote machine parameter, with
1021          remote machine set to the IP name of the primary  interface  of  the
1022          local host.
1023
1024          The  swat  status  page  tries  to connect with smbd and nmbd at the
1025          address 127.0.0.1 to determine  if  they  are  running.  Not  adding
1026          127.0.0.1 will cause smbd and nmbd to always show "not running" even
1027          if they really  are.  This  can  prevent  swat  from  starting/stop‐
1028          ping/restarting smbd and nmbd.
1029
1030          Default: bind interfaces only = no
1031
1032       blocking locks (S)
1033          This parameter controls the behavior of smbd(8) when given a request
1034          by a client to obtain a byte range lock on a region of an open file,
1035          and the request has a time limit associated with it.
1036
1037          If  this  parameter  is  set  and the lock range requested cannot be
1038          immediately satisfied, samba will internally queue the lock request,
1039          and periodically attempt to obtain the lock until the timeout period
1040          expires.
1041
1042          If this parameter is set to no, then samba will behave  as  previous
1043          versions  of  Samba would and will fail the lock request immediately
1044          if the lock range cannot be obtained.
1045
1046          Default: blocking locks = yes
1047
1048       block size (S)
1049          This parameter controls the behavior of smbd(8) when reporting  disk
1050          free  sizes.  By  default,  this  reports  a disk block size of 1024
1051          bytes.
1052
1053          Changing this parameter may have some effect on the efficiency of
1054          client writes, but this is not yet confirmed. This parameter was added
1055          to allow advanced administrators to change it (usually to  a  higher
1056          value)  and test the effect it has on client write performance with‐
1057          out re-compiling the code. As this is an experimental option it  may
1058          be removed in a future release.
1059
1060          Changing  this  option does not change the disk free reporting size,
1061          just the block size unit reported to the client.
1062
1063          Default: block size = 1024
1064
1065          Example: block size = 4096
1066
1067       browsable
1068          This parameter is a synonym for browseable.
1069
1070       browseable (S)
1071          This controls whether this share is seen in the  list  of  available
1072          shares in a net view and in the browse list.
1073
1074          Default: browseable = yes
1075
1076       browse list (G)
1077          This  controls  whether smbd(8) will serve a browse list to a client
1078          doing a NetServerEnum call. Normally set to yes.  You  should  never
1079          need to change this.
1080
1081          Default: browse list = yes
1082
1083       casesignames
1084          This parameter is a synonym for case sensitive.
1085
1086       case sensitive (S)
1087          See the discussion in the section name mangling.
1088
1089          Default: case sensitive = no
1090
1091       change notify (S)
1092          This  parameter  specifies  whether Samba should reply to a client's
1093          file change notify requests.
1094
1095          You should never need to change this parameter.
1096
1097          Default: change notify = no
1098
1099       change share command (G)
1100          Samba 2.2.0 introduced the ability to  dynamically  add  and  delete
1101          shares  via the Windows NT 4.0 Server Manager. The change share com‐
1102          mand is used to define an external program or script which will mod‐
1103          ify an existing service definition in smb.conf. In order to success‐
1104          fully execute the change  share  command,  smbd  requires  that  the
1105          administrator be connected using a root account (i.e. uid == 0).
1106
1107          When  executed, smbd will automatically invoke the change share com‐
1108          mand with five parameters.
1109
1110             ·  configFile - the location of the global smb.conf file.
1111
1112             ·  shareName - the name of the new share.
1113
1114             ·  pathName - path to an **existing** directory on disk.
1115
1116             ·  comment - comment string to associate with the new share.
1117
1118             ·  max connections - number of maximum simultaneous connections to
1119                this share.
1120
1121             This parameter is only used to modify existing file share
1122             definitions. To modify printer shares, use the "Printers..." folder
1123             as seen when browsing the Samba host.
1124
1125             Default: change share command =
1126
1127             Example: change share command = /usr/local/bin/addshare
1128
1129       check password script (G)
1130          The name of a program that can be used to check password complexity.
1131          The password is sent to the program's standard input.
1132
1133          The program must return 0 for a good password and any other value
1134          otherwise. If the password is considered weak (the program does not
1135          return 0), the user will be notified and the password change will
1136          fail.
1137
1138          Note: In the example directory there is a sample program called
1139          crackcheck that uses cracklib to check password quality.
1140
1141
1142
1143          Default: check password script = Disabled
1144
1145          Example: check password script = /usr/local/sbin/crackcheck
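
          The contract described above (password on standard input, exit
          status 0 to accept) can be met by a small program such as the one
          below. It is an added example, not the crackcheck sample and not
          shipped with Samba; the install name smb-checkpw, the length and
          character-class thresholds and the word list are assumptions.

```shell
#!/bin/sh
# Added example (not shipped with Samba): a "check password script" program.
# Hypothetical install name: smb-checkpw. Contract taken from this page:
# the candidate password arrives on standard input, exit status 0 accepts it,
# any other status makes the password change fail.
LC_ALL=C; export LC_ALL

MIN_LENGTH=12        # assumption of this example
MIN_CLASSES=3        # of: lowercase, uppercase, digit, other

# password_ok PW: succeed if PW meets the example policy.
password_ok() {
    po_pw=$1
    [ "${#po_pw}" -ge "$MIN_LENGTH" ] || return 1
    po_classes=0
    case $po_pw in *[a-z]*) po_classes=$((po_classes + 1)) ;; esac
    case $po_pw in *[A-Z]*) po_classes=$((po_classes + 1)) ;; esac
    case $po_pw in *[0-9]*) po_classes=$((po_classes + 1)) ;; esac
    case $po_pw in *[!a-zA-Z0-9]*) po_classes=$((po_classes + 1)) ;; esac
    [ "$po_classes" -ge "$MIN_CLASSES" ] || return 1
    # Constructed denylist of base words, matched case-insensitively.
    # printf is a builtin in dash and bash, so the password never appears
    # in a process argument list.
    po_lower=$(printf '%s' "$po_pw" | tr 'A-Z' 'a-z')
    case $po_lower in
        *password*|*samba*|*qwerty*|*letmein*) return 1 ;;
    esac
    return 0
}

# check_stdin: read one password from stdin (with or without a trailing
# newline) and return the verdict as the exit status.
check_stdin() {
    cs_pw=
    IFS= read -r cs_pw || [ -n "$cs_pw" ] || return 1
    password_ok "$cs_pw"
}

# Run only when invoked under the installed name, so the functions can be
# loaded and tested without consuming stdin.
if [ "${0##*/}" = smb-checkpw ]; then
    check_stdin
    exit $?
fi
```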
1147
1148       client lanman auth (G)
1149          This parameter determines whether or not smbclient(8) and other
1150          samba client tools will attempt to authenticate themselves to servers
1151          using the weaker LANMAN password hash. If disabled, only servers
1152          which support NT password hashes (e.g. Windows NT/2000, Samba,
1153          etc... but not Windows 95/98) can be connected to from the
1154          Samba client.
1155
1156          The LANMAN encrypted response is easily broken, due to its case-
1157          insensitive nature, and the choice of algorithm. Clients without
1158          Windows 95/98 servers are advised to disable this option.
1159
1160          Disabling this option will also disable the client plaintext auth
1161          option.
1162
1163          Likewise,  if the client ntlmv2 auth parameter is enabled, then only
1164          NTLMv2 logins will be attempted.
1165
1166          Default: client lanman auth = yes
1167
1168       client ntlmv2 auth (G)
1169          This parameter determines whether or not smbclient(8)  will  attempt
1170          to  authenticate  itself to servers using the NTLMv2 encrypted pass‐
1171          word response.
1172
1173          If enabled, only an NTLMv2 and LMv2 response (both much more  secure
1174          than  earlier  versions) will be sent. Many servers (including NT4 <
1175          SP4, Win9x and Samba 2.2) are not compatible with NTLMv2.
1176
1177          Similarly, if enabled, NTLMv1, client lanman auth and client  plain‐
1178          text auth authentication will be disabled. This also disables share-
1179          level authentication.
1180
1181          If disabled, an NTLM response (and possibly a LANMAN response)  will
1182          be sent by the client, depending on the value of client lanman auth.
1183
1184          Note  that  some sites (particularly those following 'best practice'
1185          security policies) only allow NTLMv2 responses, and not the weaker LM
1186          or NTLM.
1187
1188          Default: client ntlmv2 auth = no
1189
1190       client plaintext auth (G)
1191          Specifies  whether  a client should send a plaintext password if the
1192          server does not support encrypted passwords.
1193
1194          Default: client plaintext auth = yes
1195
1196       client schannel (G)
1197          This controls whether the client offers or even demands the  use  of
1198          the  netlogon  schannel.   client  schannel  = no does not offer the
1199          schannel, client schannel = auto offers the schannel  but  does  not
1200          enforce it, and client schannel = yes denies access if the server is
1201          not able to speak netlogon schannel.
1202
1203          Default: client schannel = auto
1204
1205          Example: client schannel = yes
1206
1207       client signing (G)
1208          This controls whether the client offers or requires  the  server  it
1209          talks to to use SMB signing. Possible values are auto, mandatory and
1210          disabled.
1211
1212          When set to auto, SMB signing is offered, but not enforced. When set
1213          to  mandatory,  SMB  signing is required and if set to disabled, SMB
1214          signing is not offered either.
1215
1216          Default: client signing = auto
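
          The client lanman auth, client ntlmv2 auth, client plaintext auth,
          client schannel and client signing entries above interact, so the
          effective posture is easier to read from a script than from the
          file. The audit below is an added example, not a Samba tool; it
          applies the FILE FORMAT rules and the defaults stated on this page
          to the [global] section, and the function name and WEAK/NOTE labels
          are this example's own.

```shell
#!/bin/sh
# Added example (not a Samba tool): report the effective client-side
# authentication posture of an smb.conf. Defaults and interactions are the
# ones stated on this page; the WEAK/NOTE wording belongs to this example.

# audit_client_auth FILE: print one finding per line; no output means NTLMv2
# only, signing mandatory and schannel enforced.
audit_client_auth() {
    awk '
    # Parameter and section names: case and whitespace are irrelevant.
    function norm(s) { gsub(/[ \t]+/, "", s); return tolower(s) }
    # Booleans may be yes/no, true/false or 1/0 in any case.
    function bool(v) {
        v = tolower(v)
        if (v == "true" || v == "1") return "yes"
        if (v == "false" || v == "0") return "no"
        return v
    }
    BEGIN {
        # Documented defaults.
        val["clientlanmanauth"]    = "yes"
        val["clientntlmv2auth"]    = "no"
        val["clientplaintextauth"] = "yes"
        val["clientschannel"]      = "auto"
        val["clientsigning"]       = "auto"
    }
    {
        line = $0
        sub(/\r$/, "", line)
        # A trailing backslash continues the line.
        while (line ~ /\\$/) {
            sub(/\\$/, "", line)
            if ((getline more) > 0) { sub(/\r$/, "", more); line = line more }
            else break
        }
        sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
        if (line == "" || line ~ /^[;#]/) next
        if (line ~ /^\[.*\]$/) {
            section = norm(substr(line, 2, length(line) - 2)); next
        }
        eq = index(line, "=")          # only the first "=" is significant
        if (eq == 0 || section != "global") next
        key = norm(substr(line, 1, eq - 1))
        value = substr(line, eq + 1)
        sub(/^[ \t]+/, "", value)
        if (key in val) val[key] = bool(value)
    }
    END {
        ntlmv2 = val["clientntlmv2auth"]
        lanman = val["clientlanmanauth"]
        plain  = val["clientplaintextauth"]
        # Enabling NTLMv2 disables NTLMv1, LANMAN and plaintext;
        # disabling LANMAN also disables plaintext.
        if (ntlmv2 == "yes") { lanman = "no"; plain = "no" }
        else if (lanman == "no") plain = "no"
        if (ntlmv2 != "yes")
            print "WEAK client ntlmv2 auth: NTLM response is sent instead of NTLMv2"
        if (lanman == "yes")
            print "WEAK client lanman auth: LANMAN response may be sent"
        if (plain == "yes")
            print "WEAK client plaintext auth: plaintext password sent if server lacks encrypted passwords"
        if (val["clientsigning"] != "mandatory")
            print "NOTE client signing = " val["clientsigning"] ": SMB signing is not required"
        if (val["clientschannel"] != "yes")
            print "NOTE client schannel = " val["clientschannel"] ": netlogon schannel is not enforced"
    }' "$1"
}
```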
1217
1218       client use spnego (G)
1219          This variable controls whether Samba clients will try to use  Simple
1220          and  Protected NEGOciation (as specified by rfc2478) with supporting
1221          servers (including WindowsXP, Windows2000 and Samba  3.0)  to  agree
1222          upon  an authentication mechanism. This enables Kerberos authentica‐
1223          tion in particular.
1224
1225          Default: client use spnego = yes
1226
1227       comment (S)
1228          This is a text field that is seen next to a share when a client
1229          queries the server, either via the network neighborhood or via net
1230          view to list what shares are available.
1231
1232          If you want to set the string that is displayed next to the  machine
1233          name then see the server string parameter.
1234
1235          Default: comment = # No comment
1236
1237          Example: comment = Fred's Files
1238
1239       config file (G)
1240          This  allows  you to override the config file to use, instead of the
1241          default (usually smb.conf). There is a chicken and egg problem  here
1242          as this option is set in the config file!
1243
1244          For this reason, if the name of the config file has changed when the
1245          parameters are loaded then it will reload them from the  new  config
1246          file.
1247
1248          This option takes the usual substitutions, which can be very useful.
1249
1250          If  the  config file doesn't exist then it won't be loaded (allowing
1251          you to special case the config files of just a few clients).
1252
1253          No default
1254
1255          Example: config file = /usr/local/samba/lib/smb.conf.%m
1256
1257       copy (S)
1258          This parameter allows you to "clone" service entries. The  specified
1259          service  is  simply duplicated under the current service's name. Any
1260          parameters specified in the current section will override  those  in
1261          the section being copied.
1262
1263          This feature lets you set up a 'template' service and create similar
1264          services easily. Note that the service being copied must occur  ear‐
1265          lier in the configuration file than the service doing the copying.
1266
1267          Default: copy =
1268
1269          Example: copy = otherservice
1270
1271       create mode
1272          This parameter is a synonym for create mask.
1273
1274       create mask (S)
1275          When  a  file  is  created, the necessary permissions are calculated
1276          according to the mapping from DOS modes to UNIX permissions, and the
1277          resulting  UNIX  mode  is then bit-wise 'AND'ed with this parameter.
1278          This parameter may be thought of as a bit-wise  MASK  for  the  UNIX
1279          modes of a file. Any bit not set here will be removed from the modes
1280          set on a file when it is created.
1281
1282          The default value of this parameter  removes  the  group  and  other
1283          write and execute bits from the UNIX modes.
1284
1285          Following  this  Samba will bit-wise 'OR' the UNIX mode created from
1286          this parameter with the value of the  force  create  mode  parameter
1287          which is set to 000 by default.
1288
1289          This  parameter  does  not affect directory masks. See the parameter
1290          directory mask for details.
1291
1292          Note that this parameter does not apply to permissions set  by  Win‐
1293          dows  NT/2000  ACL editors. If the administrator wishes to enforce a
1294          mask on access control lists also, they need  to  set  the  security
1295          mask.
1296
1297          Default: create mask = 0744
1298
1299          Example: create mask = 0775
1300
1301       csc policy (S)
1302          This  stands  for  client-side  caching  policy,  and  specifies how
1303          clients capable of offline caching  will  cache  the  files  in  the
1304          share. The valid values are: manual, documents, programs, disable.
1305
1306          These values correspond to those used on Windows servers.
1307
1308          For  example,  shares  containing  roaming profiles can have offline
1309          caching disabled using csc policy = disable.
1310
1311          Default: csc policy = manual
1312
1313          Example: csc policy = programs
1314
1315       cups options (S)
1316          This parameter is only applicable if printing is set  to  cups.  Its
1317          value  is  a free form string of options passed directly to the cups
1318          library.
1319
1320          You can pass any generic print option known to CUPS  (as  listed  in
1321          the  CUPS  "Software  Users' Manual"). You can also pass any printer
1322          specific option (as listed in "lpoptions -d printername  -l")  valid
1323          for the target queue.
1324
1325          You  should  set this parameter to raw if your CUPS server error_log
1326          file  contains  messages  such  as  "Unsupported  format   'applica‐
1327          tion/octet-stream'"  when  printing  from  a  Windows client through
1328          Samba. It is no longer necessary to enable system wide raw  printing
1329          in /etc/cups/mime.{convs,types}.
1330
1331          Default: cups options = ""
1332
1333          Example: cups options = "raw,media=a4,job-sheets=secret,secret"
1334
1335       cups server (G)
1336          This parameter is only applicable if printing is set to cups.
1337
1338          If  set,  this  option  overrides  the ServerName option in the CUPS
1339          client.conf. This is necessary if you  have  virtual  samba  servers
1340          that connect to different CUPS daemons.
1341
1342          Optionally,  a  port  can be specified by separating the server name
1343          and port number with a colon. If no port was specified, the  default
1344          port for IPP (631) will be used.
1345
1346          Default: cups server = ""
1347
1348          Example: cups server = mycupsserver
1349
1350          Example: cups server = mycupsserver:1631
1351
1352       deadtime (G)
1353          The value of the parameter (a decimal integer) represents the number
1354          of minutes of inactivity before a connection is considered dead, and
1355          it  is disconnected. The deadtime only takes effect if the number of
1356          open files is zero.
1357
1358          This is useful to stop a server's resources  being  exhausted  by  a
1359          large number of inactive connections.
1360
1361          Most  clients  have  an  auto-reconnect feature when a connection is
1362          broken so in most cases this  parameter  should  be  transparent  to
1363          users.
1364
1365          Using  this parameter with a timeout of a few minutes is recommended
1366          for most systems.
1367
1368          A deadtime of zero indicates that no  auto-disconnection  should  be
1369          performed.
1370
1371          Default: deadtime = 0
1372
1373          Example: deadtime = 15
1374
1375       debug hires timestamp (G)
1376          Sometimes the timestamps in the log messages are needed with a reso‐
1377          lution higher than seconds. This boolean parameter  adds  microsec‐
1378          ond resolution to the timestamp message header when turned on.
1379
1380          Note  that the parameter debug timestamp must be on for this to have
1381          an effect.
1382
1383          Default: debug hires timestamp = no
1384
1385       debug pid (G)
1386          When  using  only  one  log  file   for   more   than   one   forked
1387          smbd(8) process it may be hard to  follow  which  process  outputs
1388          which message. This boolean parameter adds the  process-id  to  the
1389          timestamp message headers in the logfile when turned on.
1390
1391          Note  that the parameter debug timestamp must be on for this to have
1392          an effect.
1393
1394          Default: debug pid = no
1395
1396       debug prefix timestamp (G)
1397          With this option enabled, the timestamp message header  is  prefixed
1398          to  the  debug message without the filename and function information
1399          that is included with the  debug  timestamp  parameter.  This  gives
1400          timestamps to the messages without adding an additional line.
1401
1402          Note that this parameter overrides the debug timestamp parameter.
1403
1404          Default: debug prefix timestamp = no
1405
1406       timestamp logs
1407          This parameter is a synonym for debug timestamp.
1408
1409       debug timestamp (G)
1410          Samba debug log messages are timestamped by default. If you are run‐
1411          ning at a high debug level these timestamps can be distracting. This
1412          boolean parameter allows timestamping to be turned off.
1413
1414          Default: debug timestamp = yes
1415
1416       debug uid (G)
1417          Samba is sometimes run as root and sometimes run as  the  connected
1418          user. This boolean parameter inserts the current euid, egid, uid and
1419          gid to the timestamp message headers in the log file if turned on.
1420
1421          Note  that the parameter debug timestamp must be on for this to have
1422          an effect.
1423
1424          Default: debug uid = no
1425
1426       default case (S)
1427          See the section on name mangling. Also note the short preserve  case
1428          parameter.
1429
1430          Default: default case = lower
1431
1432       default devmode (S)
1433          This  parameter  is only applicable to printable services. When smbd
1434          is serving Printer Drivers to Windows NT/2k/XP clients, each printer
1435          on  the  Samba server has a Device Mode which defines things such as
1436          paper size and orientation and duplex settings. The device mode  can
1437          only  correctly be generated by the printer driver itself (which can
1438          only be executed on a Win32 platform). Because  smbd  is  unable  to
1439          execute  the  driver  code  to generate the device mode, the default
1440          behavior is to set this field to NULL.
1441
1442          Most problems with  serving  printer  drivers  to  Windows  NT/2k/XP
1443          clients  can  be traced to a problem with the generated device mode.
1444          Certain drivers  will  do  things  such  as  crashing  the  client's
1445          Explorer.exe with a NULL devmode. However, other printer drivers can
1446          cause the client's spooler service (spoolsv.exe) to die if the  dev‐
1447          mode  was  not  created  by the driver itself (i.e. smbd generates a
1448          default devmode).
1449
1450          This parameter should be used with care and tested with the  printer
1451          driver  in  question.  It is better to leave the device mode to NULL
1452          and let the Windows client set the correct values.  Because  drivers
1453          do  not  do  this  all  the time, setting default devmode = yes will
1454          instruct smbd to generate a default one.
1455
1456          For more information on Windows NT/2k printing and Device Modes, see
1457          the MSDN documentation.
1458
1459          Default: default devmode = yes
1460
1461       default
1462          This parameter is a synonym for default service.
1463
1464       default service (G)
1465          This  parameter  specifies  the name of a service which will be con‐
1466          nected to if the service actually requested cannot  be  found.  Note
1467          that  the  square brackets are NOT given in the parameter value (see
1468          example below).
1469
1470          There is no default value for this parameter. If this  parameter  is
1471          not given, attempting to connect to a nonexistent service results in
1472          an error.
1473
1474          Typically the default service would be a guest  ok,  read-only  ser‐
1475          vice.
1476
1477          Also  note  that  the apparent service name will be changed to equal
1478          that of the requested service, this is very useful as it allows  you
1479          to use macros like %S to make a wildcard service.
1480
1481          Note also that any "_" characters in the name of the service used in
1482          the default service will get mapped to a "/". This allows for inter‐
1483          esting things.
1484
1485          Default: default service =
1486
1487          Example: default service = pub
1488
1489       defer sharing violations (G)
1490          Windows  allows specifying how a file will be shared with other pro‐
1491          cesses when it is opened. Sharing violations occur when  a  file  is
1492          opened  by  a different process using options that violate the share
1493          settings specified by other processes. This parameter causes smbd to
1494          act  as a Windows server does, and defer returning a "sharing viola‐
1495          tion" error message for up to one second,  allowing  the  client  to
1496          close the file causing the violation in the meantime.
1497
1498          UNIX by default does not have this behaviour.
1499
1500          There  should  be  no  reason  to  turn off this parameter, as it is
1501          designed to enable Samba to more correctly emulate Windows.
1502
1503          Default: defer sharing violations = True
1504
1505       delete group script (G)
1506          This is the full pathname to a script that will be run AS  ROOT  by
1507          smbd(8)  when a group is requested to be deleted. It will expand any
1508          %g to the group name passed. This script is only useful for  instal‐
1509          lations using the Windows NT domain administration tools.
1510
1511          Default: delete group script =
1512
1513       deleteprinter command (G)
1514          With  the  introduction  of MS-RPC based printer support for Windows
1515          NT/2000 clients in Samba 2.2, it is now possible to delete a printer
1516          at run time by issuing the DeletePrinter() RPC call.
1517
1518          For  a  Samba  host  this  means that the printer must be physically
1519          deleted from underlying printing system. The  deleteprinter  command
1520          defines  a  script to be run which will perform the necessary opera‐
1521          tions for removing the  printer  from  the  print  system  and  from
1522          smb.conf.
1523
1524          The  deleteprinter  command  is  automatically  called with only one
1525          parameter: printer name.
1526
1527          Once the deleteprinter command has been executed, smbd will  reparse
1528          the smb.conf to check that the associated printer no longer exists.
1529          If the sharename
1530          is still valid, then smbd will return an ACCESS_DENIED error to  the
1531          client.
1532
1533          Default: deleteprinter command =
1534
1535          Example: deleteprinter command = /usr/bin/removeprinter
1536
1537       delete readonly (S)
1538          This parameter allows readonly files to be deleted. This is not nor‐
1539          mal DOS semantics, but is allowed by UNIX.
1540
1541          This option may be useful for  running  applications  such  as  rcs,
1542          where  UNIX  file  ownership prevents changing file permissions, and
1543          DOS semantics prevent deletion of a read only file.
1544
1545          Default: delete readonly = no
1546
1547       delete share command (G)
1548          Samba 2.2.0 introduced the ability to  dynamically  add  and  delete
1549          shares  via the Windows NT 4.0 Server Manager. The delete share com‐
1550          mand is used to define an external  program  or  script  which  will
1551          remove  an  existing  service  definition from smb.conf. In order to
1552          successfully execute the delete share command,  smbd  requires  that
1553          the administrator be connected using a root account (i.e. uid == 0).
1554
1555          When  executed, smbd will automatically invoke the delete share com‐
1556          mand with two parameters.
1557
1558             ·  configFile - the location of the global smb.conf file.
1559
1560             ·  shareName - the name of the existing service.
1561
1562          This parameter is only used to  remove  file  shares.  To  delete
1563          printer shares, see the deleteprinter command.
1564
1565          Default: delete share command =
1566
1567          Example: delete share command = /usr/local/bin/delshare
1568
1569       delete user from group script (G)
1570          Full  path  to the script that will be called when a user is removed
1571          from a group using the Windows NT domain  administration  tools.  It
1572          will  be  run  by  smbd(8) AS ROOT. Any %g will be replaced with the
1573          group name and any %u will be replaced with the user name.
1574
1575          Default: delete user from group script =
1576
1577          Example: delete user from group script = /usr/sbin/deluser %u %g
1578
1579       delete user script (G)
1580          This is the full pathname to a script that will be  run  by  smbd(8)
1581          when managing users with remote RPC (NT) tools.
1582
1583          This  script  is called when a remote client removes a user from the
1584          server, normally using 'User Manager for Domains' or rpcclient.
1585
1586          This script should delete the given UNIX username.
1587
1588          Default: delete user script =
1589
1590          Example: delete user script = /usr/local/samba/bin/del_user %u
1591
1592       delete veto files (S)
1593          This option is used when Samba is attempting to delete  a  directory
1594          that  contains  one  or  more vetoed directories (see the veto files
1595          option). If this option is set to no (the default) then if a  vetoed
1596          directory  contains  any  non-vetoed  files  or directories then the
1597          directory delete will fail. This is usually what you want.
1598
1599          If this option is set to yes, then Samba will attempt to recursively
1600          delete  any  files and directories within the vetoed directory. This
1601          can be useful for integration with  file  serving  systems  such  as
1602          NetAtalk  which  create meta-files within directories you might nor‐
1603          mally veto DOS/Windows users from seeing (e.g.  .AppleDouble)
1604
1605          Setting delete veto files =  yes  allows  these  directories  to  be
1606          transparently  deleted when the parent directory is deleted (so long
1607          as the user has permissions to do so).
1608
1609          Default: delete veto files = no
1610
1611       dfree cache time (S)
1612          The dfree cache time should only be used on systems where a  problem
1613          occurs  with  the  internal  disk  space calculations. This has been
1614          known to happen with Ultrix, but may occur with other operating sys‐
1615          tems. The symptom that was seen was an error of "Abort Retry Ignore"
1616          at the end of each directory listing.
1617
1618          This is a new parameter introduced in Samba version 3.0.21. It spec‐
1619          ifies  in seconds the time that smbd will cache the output of a disk
1620          free query. If set to zero (the default) no caching  is  done.  This
1621          allows  a  heavily  loaded server to prevent rapid spawning of dfree
1622          command scripts increasing the load.
1623
1624          By default this parameter is zero, meaning no caching will be done.
1625
1626          No default
1627
1628          Example: dfree cache time = 60
1629
1630       dfree command (S)
1631          The dfree command setting should only be used  on  systems  where  a
1632          problem  occurs  with the internal disk space calculations. This has
1633          been known to happen with Ultrix, but may occur with other operating
1634          systems.  The  symptom  that  was  seen was an error of "Abort Retry
1635          Ignore" at the end of each directory listing.
1636
1637          This setting allows the replacement of the internal routines to cal‐
1638          culate  the  total  disk space and amount available with an external
1639          routine. The example below gives a possible script that  might  ful‐
1640          fill this function.
1641
1642          In Samba version 3.0.21 this parameter has been changed to be a per-
1643          share parameter, and in addition the parameter dfree cache time  was
1644          added  to  allow  the output of this script to be cached for systems
1645          under heavy load.
1646
1647          The external program will be passed a single parameter indicating  a
1648          directory  in the filesystem being queried. This will typically con‐
1649          sist of the string ./. The script  should  return  two  integers  in
1650          ASCII.  The  first should be the total disk space in blocks, and the
1651          second should be the number of available blocks. An  optional  third
1652          return value can give the block size in bytes. The default blocksize
1653          is 1024 bytes.
1654
1655          Note: Your script should NOT be setuid or setgid and should be owned
1656          by (and writeable only by) root!
1657
1658          Where the script dfree (which must be made executable) could be:
1659
1660
1661
1662
1663          #!/bin/sh
1664          df "$1" | tail -1 | awk '{print $2" "$4}'
1665
1666          or perhaps (on Sys V based systems):
1667
1668
1669
1670
1671          #!/bin/sh
1672          /usr/bin/df -k "$1" | tail -1 | awk '{print $3" "$5}'
1673
1674          Note  that  you may have to replace the command names with full path
1675          names on some systems.
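
A more defensive form of the dfree script, as an added example that is not shipped with Samba: it requests POSIX output (df -P -k) so a long device name cannot wrap the data line, quotes the directory argument, rejects non-numeric fields, and returns the optional third value (block size). The function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the Samba distribution: a helper for
# "dfree command" that prints "total available blocksize".

# Convert `df -P -k` output read from stdin into the three integers smbd
# expects. With -P each filesystem is reported on a single line, so field 2
# is the total size and field 4 the available space, both in 1024-byte units.
parse_df_pk() {
    awk 'NR > 1 { total = $2; avail = $4 }
         END {
             # Refuse to print anything unless both values are plain integers.
             if (total !~ /^[0-9]+$/ || avail !~ /^[0-9]+$/) exit 1
             print total, avail, 1024
         }'
}

# smbd passes the directory being queried as the only argument.
dfree_main() {
    df -P -k -- "${1:-.}" 2>/dev/null | parse_df_pk
}

# Run only when a directory argument was supplied, as smbd does.
if [ "$#" -ge 1 ]; then
    dfree_main "$1"
fi
```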
1676
1677          By default internal routines for determining the disk  capacity  and
1678          remaining space will be used.
1679
1680          No default
1681
1682          Example: dfree command = /usr/local/samba/bin/dfree
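
The delete group script, delete user from group script, delete user script, deleteprinter command, delete share command and dfree command parameters all name programs that smbd executes, and the dfree note above requires such a script to be owned by root, writable only by root, and neither setuid nor setgid. The audit below is an added example, not part of Samba; it lists those programs from an smb.conf and applies that check to each. Applying the dfree rule to the other helpers, and all function names, are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of Samba): audit helper programs named in smb.conf.

# Parameters from this section whose value is a program that smbd executes.
SCRIPT_PARAMS='delete group script,deleteprinter command,delete share command,delete user from group script,delete user script,dfree command'

# Read an smb.conf on stdin and print "parameter=program" for each listed
# parameter that is set. Follows the file format rules: names ignore case and
# whitespace, only the first "=" counts, ";" and "#" start comments, and a
# trailing "\" continues the line. Only the first word of the value is kept.
list_script_programs() {
    awk -v params="$SCRIPT_PARAMS" '
        BEGIN {
            n = split(params, p, ",")
            for (i = 1; i <= n; i++) {
                key = p[i]; gsub(/ /, "", key); want[key] = p[i]
            }
        }
        {
            line = pending $0; pending = ""
            if (line ~ /\\$/) { sub(/\\$/, "", line); pending = line; next }
            if (line ~ /^[ \t]*[;#]/) next
            eq = index(line, "=")
            if (eq == 0) next
            name = tolower(substr(line, 1, eq - 1)); gsub(/[ \t]/, "", name)
            value = substr(line, eq + 1); sub(/^[ \t]+/, "", value)
            split(value, word, /[ \t]+/)
            if ((name in want) && word[1] != "") print want[name] "=" word[1]
        }'
}

# True if TARGET satisfies the find(1) expression given in the other arguments.
matches() {
    target=$1; shift
    [ -n "$(find -H "$target" -prune "$@" -print 2>/dev/null)" ]
}

# Return 0 if FILE is an absolute path to a regular file owned by OWNER
# (default root) with no setuid/setgid bit and no group/other write bit.
# Otherwise print the reason and return 1.
check_program() {
    cp_file=$1 cp_owner=${2:-root} cp_bad=
    case $cp_file in
        /*) ;;
        *) printf '%s\n' "not an absolute path: $cp_file"; return 1 ;;
    esac
    [ -f "$cp_file" ] || { printf '%s\n' "not a regular file: $cp_file"; return 1; }
    matches "$cp_file" ! -user "$cp_owner" && cp_bad="$cp_bad not-owned-by-$cp_owner"
    matches "$cp_file" \( -perm -4000 -o -perm -2000 \) && cp_bad="$cp_bad setuid/setgid"
    matches "$cp_file" \( -perm -0020 -o -perm -0002 \) && cp_bad="$cp_bad group/other-writable"
    [ -z "$cp_bad" ] && return 0
    printf '%s\n' "$cp_file:$cp_bad"
    return 1
}

# Audit the smb.conf on stdin: print one line per finding, return 1 if any.
audit_config() {
    ac_owner=${1:-root}
    ac_findings=$(list_script_programs | while IFS='=' read -r ac_param ac_prog; do
        ac_why=$(check_program "$ac_prog" "$ac_owner") ||
            printf '%s: %s\n' "$ac_param" "$ac_why"
    done)
    [ -z "$ac_findings" ] && return 0
    printf '%s\n' "$ac_findings"
    return 1
}

# Usage: audit.sh /path/to/smb.conf
if [ "$#" -ge 1 ]; then
    audit_config root < "$1"
fi
```

The check covers the program file itself; the directories leading to it need the same ownership and write restrictions for the result to mean anything.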
1683
1684       directory mode
1685          This parameter is a synonym for directory mask.
1686
1687       directory mask (S)
1688          This parameter is the octal modes which are used when converting DOS
1689          modes to UNIX modes when creating UNIX directories.
1690
1691          When a directory is created, the necessary  permissions  are  calcu‐
1692          lated  according  to the mapping from DOS modes to UNIX permissions,
1693          and the resulting UNIX mode  is  then  bit-wise  'AND'ed  with  this
1694          parameter.  This  parameter may be thought of as a bit-wise MASK for
1695          the UNIX modes of a directory. Any bit not set here will be  removed
1696          from the modes set on a directory when it is created.
1697
1698          The  default value of this parameter removes the 'group' and 'other'
1699          write bits from the UNIX mode, allowing only the user who  owns  the
1700          directory to modify it.
1701
1702          Following  this  Samba will bit-wise 'OR' the UNIX mode created from
1703          this parameter with the value of the force directory mode parameter.
1704          That parameter is set to 000 by default (i.e. no extra mode bits are
1705          added).
1706
1707          Note that this parameter does not apply to permissions set  by  Win‐
1708          dows  NT/2000  ACL editors. If the administrator wishes to enforce a
1709          mask on access control lists also, they need to  set  the  directory
1710          security mask.
1711
1712          Default: directory mask = 0755
1713
1714          Example: directory mask = 0775
1715
1716       directory security mask (S)
1717          This  parameter  controls  what UNIX permission bits can be modified
1718          when a Windows NT client is manipulating the UNIX  permission  on  a
1719          directory using the native NT security dialog box.
1720
1721          This  parameter  is  applied  as a mask (AND'ed with) to the changed
1722          permission bits, thus preventing any bits  not  in  this  mask  from
1723          being  modified.  Make  sure not to mix up this parameter with force
1724          directory security mode, which works similarly to this one but  uses
1725          logical  OR  instead of AND. Essentially, zero bits in this mask may
1726          be treated as a set of bits the user is not allowed to change.
1727
1728          If not set explicitly this parameter is set to 0777 meaning  a  user
1729          is  allowed  to  modify  all  the  user/group/world permissions on a
1730          directory.
1731
1732          Note that users who can access the Samba server through other  means
1733          can  easily  bypass  this restriction, so it is primarily useful for
1734          standalone "appliance" systems. Administrators of most  normal  sys‐
1735          tems will probably want to leave it as the default of 0777.
1736
1737          Default: directory security mask = 0777
1738
1739          Example: directory security mask = 0700
1740
1741       disable netbios (G)
1742          Enabling  this parameter will disable netbios support in Samba. Net‐
1743          bios is the only available form of browsing in all windows  versions
1744          except for 2000 and XP.
1745
1746          Note: Clients that only support netbios won't be able  to  see  your
1747          samba server when netbios support is disabled.
1748
1749          Default: disable netbios = no
1750
1751       disable spoolss (G)
1752          Enabling this parameter will disable Samba's support for the SPOOLSS
1753          set of MS-RPC's and will yield identical behavior  as  Samba  2.0.x.
1754          Windows  NT/2000 clients will downgrade to using Lanman style print‐
1755          ing commands. Windows 9x/ME will be  unaffected  by  the  parameter.
1756          However,  this will also disable the ability to upload printer driv‐
1757          ers to a Samba server via the Windows NT Add Printer  Wizard  or  by
1758          using  the NT printer properties dialog window. It will also disable
1759          the capability of Windows NT/2000 clients to download print  drivers
1760          from  the  Samba  host  upon demand.  Be very careful about enabling
1761          this parameter.
1762
1763          Default: disable spoolss = no
1764
1765       display charset (G)
1766          Specifies the charset that samba will use to print messages to  std‐
1767          out and stderr. The default value is "LOCALE", which means automati‐
1768          cally set, depending on the current locale. The value should  gener‐
1769          ally be the same as the value of the parameter unix charset.
1770
1771          Default:  display  charset  =  "LOCALE" or "ASCII" (depending on the
1772          system)
1773
1774          Example: display charset = UTF8
1775
1776       dmapi support (S)
1777          This parameter specifies whether Samba should use DMAPI to determine
1778          whether  a  file  is offline or not. This would typically be used in
1779          conjunction with a hierarchical storage  system  that  automatically
1780          migrates files to tape.
1781
1782          Note  that Samba infers the status of a file by examining the events
1783          that a DMAPI application has registered interest in. This  heuristic
1784          is  satisfactory  for  a number of hierarchical storage systems, but
1785          there may be systems for which it will fail. In this case, Samba may
1786          erroneously report files to be offline.
1787
1788          This parameter is only available if a supported DMAPI implementation
1789          was found at compilation time. It will only  be  used  if  DMAPI  is
1790          found to be enabled on the system at run time.
1791
1792
1793
1794          Default: dmapi support = no
1795
1796       dns proxy (G)
1797          Specifies that nmbd(8) when acting as a WINS server and finding that
1798          a NetBIOS name has not been registered,  should  treat  the  NetBIOS
1799          name word-for-word as a DNS name and do a lookup with the DNS server
1800          for that name on behalf of the name-querying client.
1801
1802          Note that the maximum length for a NetBIOS name is 15 characters, so
1803          the DNS name (or DNS alias) can likewise only be 15 characters, max‐
1804          imum.
1805
1806          nmbd spawns a second copy of  itself  to  do  the  DNS  name  lookup
1807          requests, as doing a name lookup is a blocking action.
1808
1809          Default: dns proxy = yes
1810
1811       domain logons (G)
1812          If  set  to  yes, the Samba server will provide the netlogon service
1813          for Windows 9X network logons for the workgroup it is in. This  will
1814          also  cause  the  Samba server to act as a domain controller for NT4
1815          style domain services. For more details on setting up  this  feature
1816          see the Domain Control chapter of the Samba HOWTO Collection.
1817
1818          Default: domain logons = no
1819
1820       domain master (G)
1821          Tell  smbd(8) to enable WAN-wide browse list collation. Setting this
1822          option causes nmbd to claim a special domain specific  NetBIOS  name
1823          that  identifies  it  as a domain master browser for its given work‐
1824          group. Local master browsers in the same workgroup on broadcast-iso‐
1825          lated subnets will give this nmbd their local browse lists, and then
1826          ask smbd(8) for a complete copy of the browse  list  for  the  whole
1827          wide  area  network.  Browser  clients will then contact their local
1828          master browser,  and  will  receive  the  domain-wide  browse  list,
1829          instead of just the list for their broadcast-isolated subnet.
1830
1831          Note that Windows NT Primary Domain Controllers expect to be able to
1832          claim this workgroup specific special NetBIOS name  that  identifies
1833          them  as  domain master browsers for that workgroup by default (i.e.
1834          there is no way to prevent a Windows NT PDC from  attempting  to  do
1835          this).  This means that if this parameter is set and nmbd claims the
1836          special name for a workgroup before a Windows NT PDC is able  to  do
1837          so then cross subnet browsing will behave strangely and may fail.
1838
1839          If  domain  logons = yes, then the default behavior is to enable the
1840          domain master parameter.  If  domain  logons  is  not  enabled  (the
1841          default  setting),  then  neither  will  domain master be enabled by
1842          default.
1843
1844          When domain logons = Yes the default setting for this  parameter  is
1845          Yes,  with  the  result that Samba will be a PDC. If domain master =
1846          No, Samba will function as a BDC. In general, this parameter  should
1847          be set to 'No' only on a BDC.
1848
1849          Default: domain master = auto
1850
1851       dont descend (S)
1852          There  are certain directories on some systems (e.g., the /proc tree
1853          under Linux) that are either not of interest to clients or  are  in‐
1854          finitely  deep  (recursive).  This parameter allows you to specify a
1855          comma-delimited list of directories that the  server  should  always
1856          show as empty.
1857
1858          Note  that  Samba  can  be  very fussy about the exact format of the
1859          "dont descend" entries. For example you may need
1860          ./proc instead of just /proc. Experimentation is  the  best  policy
1861          :-)
1862
1863          Default: dont descend =
1864
1865          Example: dont descend = /proc,/dev
1866
1867       dos charset (G)
1868          DOS  SMB  clients assume the server has the same charset as they do.
1869          This option  specifies  which  charset  Samba  should  talk  to  DOS
1870          clients.
1871
1872          The  default  depends  on  which  charsets you have installed. Samba
1873          tries to use charset 850 but falls back to ASCII in case it  is  not
1874          available. Run testparm(1) to check the default on your system.
1875
1876          No default
1877
1878       dos filemode (S)
1879          The default behavior in Samba is to provide UNIX-like behavior where
1880          only the owner of a file/directory is able to change the permissions
1881          on  it.  However,  this  behavior  is often confusing to DOS/Windows
1882          users. Enabling this parameter allows a user who has write access to
1883          the  file  (by  whatever means) to modify the permissions (including
1884          ACL) on it. Note that a user belonging to the group owning the  file
1885          will  not  be  allowed  to  change  permissions if the group is only
1886          granted read access. Ownership of the  file/directory  may  also  be
1887          changed.
1888
1889          Default: dos filemode = no
1890
1891       dos filetime resolution (S)
1892          Under  the DOS and Windows FAT filesystem, the finest granularity on
1893          time resolution is two seconds. Setting this parameter for  a  share
1894          causes Samba to round the reported time down to the nearest two sec‐
1895          ond boundary when a query call that requires one  second  resolution
1896          is made to smbd(8).
1897
1898          This  option is mainly used as a compatibility option for Visual C++
1899          when used against Samba shares. If oplocks are enabled on  a  share,
1900          Visual  C++ uses two different time reading calls to check if a file
1901          has changed since it was last read. One of these calls uses  a  one-
1902          second  granularity, the other uses a two second granularity. As the
1903          two second call rounds any odd second down, then if the file  has  a
1904          timestamp  of  an odd number of seconds then the two timestamps will
1905          not match and Visual C++ will keep reporting the file  has  changed.
1906          Setting  this  option causes the two timestamps to match, and Visual
1907          C++ is happy.
1908
1909          Default: dos filetime resolution = no
1910
1911       dos filetimes (S)
1912          Under DOS and Windows, if a user can write to a file they can change
1913          the  timestamp  on  it. Under POSIX semantics, only the owner of the
1914          file or root may change the timestamp. By default, Samba  runs  with
1915          POSIX semantics and refuses to change the timestamp on a file if the
1916          user smbd is acting on behalf of is not the file owner. Setting this
1917          option to
1918          yes allows DOS semantics and smbd(8) will change the file  timestamp
1919          as DOS requires. Due to changes in Microsoft Office 2000 and beyond,
1920          the  default  for this parameter has been changed from "no" to "yes"
1921          in Samba 3.0.14 and above. Microsoft Excel will display  dialog  box
1922          warnings about the file being changed by another user if this param‐
1923          eter is not set to "yes" and files are being shared between users.
1924
1925          Default: dos filetimes = yes
1926
1927       ea support (S)
1928          This boolean parameter controls whether smbd(8) will  allow  clients
1929          to  attempt  to  store OS/2 style Extended attributes on a share. In
1930          order to enable this parameter the underlying filesystem exported by
1931          the  share must support extended attributes (such as provided on XFS
1932          and EXT3 on Linux, with the correct kernel patches).  On  Linux  the
1933          filesystem  must  have been mounted with the mount option user_xattr
1934          in order for extended attributes to work, also  extended  attributes
1935          must be compiled into the Linux kernel.
1936
1937          Default: ea support = no
1938
1939       enable asu support (G)
1940          Hosts  running  the "Advanced Server for Unix (ASU)" product require
1941          some special accommodations such as  creating  a  builtin  [ADMIN$]
1942          share that only supports IPC connections. This has been the  default
1943          behavior in smbd for many years. However, certain Microsoft applica‐
1944          tions such as the Print Migrator tool require that the remote server
1945          support an [ADMIN$] file share. Disabling this parameter allows  for
1946          creating an [ADMIN$] file share in smb.conf.
1947
1948          Default: enable asu support = no
1949
1950       enable privileges (G)
1951          This  parameter  controls  whether or not smbd will honor privileges
1952          assigned to specific SIDs via either net rpc rights or  one  of  the
1953          Windows  user  and group manager tools. This parameter is enabled by
1954          default. It can be disabled to prevent members of the Domain  Admins
1955          group  from being able to assign privileges to users or groups which
1956          can then result in certain smbd  operations  running  as  root  that
1957          would normally run under the context of the connected user.
1958
1959          An  example  of how privileges can be used is to assign the right to
1960          join clients to a Samba controlled  domain  without  providing  root
1961          access to the server via smbd.
1962
1963          Please  read  the  extended  description provided in the Samba HOWTO
1964          documentation.
1965
1966          Default: enable privileges = yes
1967
1968       encrypt passwords (G)
1969          This boolean controls whether encrypted passwords will be negotiated
1970          with  the  client.  Note  that Windows NT 4.0 SP3 and above and also
1971          Windows 98 will by default expect encrypted passwords unless a  reg‐
1972          istry  entry is changed. To use encrypted passwords in Samba see the
1973          chapter "User Database" in the Samba HOWTO Collection.
1974
1975          MS Windows clients that expect  Microsoft  encrypted  passwords  and
1976          that do not have plain text password support enabled will be able to
1977          connect only to a Samba server that has encrypted  password  support
1978          enabled and for which the user accounts have a valid encrypted pass‐
1979          word. Refer to  the  smbpasswd  command  man  page  for  information
1980          regarding the creation of encrypted passwords for user accounts.
1981
1982          The  use  of plain text passwords is NOT advised as support for this
1983          feature is no longer maintained in Microsoft  Windows  products.  If
1984          you  want to use plain text passwords you must set this parameter to
1985          no.
1986
1987          In order for encrypted passwords  to  work  correctly  smbd(8)  must
1988          either  have  access  to  a  local  smbpasswd(5)  file (see the smb‐
1989          passwd(8) program for information on how to set up and maintain this
1990          file),  or  set  the  security = [server|domain|ads] parameter which
1991          causes smbd to authenticate against another server.
1992
1993          Default: encrypt passwords = yes
1994
1995       enhanced browsing (G)
1996          This option enables a couple of enhancements to cross-subnet  browse
1997          propagation that have been added in Samba but which are not standard
1998          in Microsoft implementations.
1999
2000          The first enhancement to browse propagation consists  of  a  regular
2001          wildcard  query  to  a  Samba  WINS  server  for  all  Domain Master
2002          Browsers, followed by a browse  synchronization  with  each  of  the
2003          returned  DMBs.  The  second  enhancement consists of a regular ran‐
2004          domised browse synchronization with all currently known DMBs.
2005
2006          You may wish to disable this option if you have a problem with empty
2007          workgroups  not  disappearing from browse lists. Due to the restric‐
2008          tions of the browse protocols these enhancements can cause an  empty
2009          workgroup to stay around forever which can be annoying.
2010
2011          In  general  you should leave this option enabled as it makes cross-
2012          subnet browse propagation much more reliable.
2013
2014          Default: enhanced browsing = yes
2015
2016       enumports command (G)
2017          The concept of a "port" is fairly foreign to UNIX hosts. Under  Win‐
2018          dows NT/2000 print servers, a port is associated with a port monitor
2019          and generally takes the form of a local  port  (i.e.  LPT1:,  COM1:,
2020          FILE:) or a remote port (i.e. LPD Port Monitor, etc...). By default,
2021          Samba has only one port defined--"Samba Printer Port". Under Windows
2022          NT/2000,  all  printers  must have a valid port name. If you wish to
2023          have a list of ports displayed (smbd does not use a  port  name  for
2024          anything)  other  than  the  default  "Samba  Printer Port", you can
2025          define enumports command to point to a program which should generate
2026          a list of ports, one per line, to standard output. This listing will
2027          then be used in response to the level 1 and 2 EnumPorts() RPC.
2028
2029          Default: enumports command =
2030
2031          Example: enumports command = /usr/bin/listports
2032
2033       eventlog list (G)
2034          This option defines a list of log names that Samba  will  report  to
2035          the  Microsoft  EventViewer  utility.  The  listed eventlogs will be
2036          associated with tdb files on disk in the $(lockdir)/eventlog directory.
2037
2038          The administrator must use an external process to parse  the  normal
2039          Unix  logs  such  as /var/log/messages and write the entries to the
2040          eventlog tdb files. Refer to the eventlogadm(8) utility for  how  to
2041          write eventlog entries.
2042
2043          Default: eventlog list =
2044
2045          Example: eventlog list = Security Application Syslog Apache
2046
2047       fake directory create times (S)
2048          NTFS  and Windows VFAT file systems keep a create time for all files
2049          and directories. This is not the same as the ctime -  status  change
2050          time  - that Unix keeps, so Samba by default reports the earliest of
2051          the various times Unix does keep. Setting this parameter for a share
2052          causes  Samba  to always report midnight 1-1-1980 as the create time
2053          for directories.
2054
2055          This option is mainly used as a compatibility option for Visual  C++
2056          when  used against Samba shares. Visual C++ generated makefiles have
2057          the object directory as a dependency for each  object  file,  and  a
2058          make  rule  to create the directory. Also, when NMAKE compares time‐
2059          stamps it uses the creation time when examining  a  directory.  Thus
2060          the  object directory will be created if it does not exist, but once
2061          it does exist it will always have  an  earlier  timestamp  than  the
2062          object files it contains.
2063
2064          However,  Unix  time semantics mean that the create time reported by
2065          Samba will be updated whenever a file is created or deleted in
2066          the directory. NMAKE finds all object files in the object directory.
2067          The timestamp of the last one built is then compared  to  the  time‐
2068          stamp  of  the  object  directory.  If  the directory's timestamp is
2069          newer, then all object files will be rebuilt. Enabling  this  option
2070          ensures directories always predate their contents and an NMAKE build
2071          will proceed as expected.
2072
2073          Default: fake directory create times = no
2074
2075       fake oplocks (S)
2076          Oplocks are the way that SMB clients get permission from a server to
2077          locally  cache file operations. If a server grants an oplock (oppor‐
2078          tunistic lock) then the client is free to assume that it is the only
2079          one  accessing  the  file  and it will aggressively cache file data.
2080          With some oplock types the client may  even  cache  file  open/close
2081          operations. This can give enormous performance benefits.
2082
2083          When  you  set  fake oplocks = yes, smbd(8) will always grant oplock
2084          requests no matter how many clients are using the file.
2085
2086          It is generally much better to use the real oplocks  support  rather
2087          than this parameter.
2088
2089          If you enable this option on all read-only shares or shares that you
2090          know will only be accessed from one client at a time such as  physi‐
2091          cally  read-only  media  like CDROMs, you will see a big performance
2092          improvement on many operations. If you enable this option on  shares
2093          where  multiple clients may be accessing the files read-write at the
2094          same time you can get data corruption. Use this option carefully!
2095
2096          Default: fake oplocks = no
2097
2098       follow symlinks (S)
2099          This parameter allows the Samba administrator to stop  smbd(8)  from
2100          following symbolic links in a particular share. Setting this parame‐
2101          ter to no prevents any file or directory that  is  a  symbolic  link
2102          from  being  followed  (the  user will get an error). This option is
2103          very useful to stop users from adding a symbolic link to /etc/passwd
2104          in  their home directory for instance. However it will slow filename
2105          lookups down slightly.
2106
2107          This option is enabled (i.e.  smbd will follow  symbolic  links)  by
2108          default.
2109
2110          Default: follow symlinks = yes
2111
2112       force create mode (S)
2113          This  parameter  specifies  a  set of UNIX mode bit permissions that
2114          will always be set on a file created by Samba. This is done by  bit‐
2115          wise  'OR'ing  these bits onto the mode bits of a file that is being
2116          created or having its permissions  changed.  The  default  for  this
2117          parameter is (in octal) 000. The modes in this parameter are bitwise
2118          'OR'ed onto the file mode after the mask  set  in  the  create  mask
2119          parameter is applied.
2120
2121          The  example  below  would  force all created files to have read and
2122          execute permissions set for 'group'  and  'other'  as  well  as  the
2123          read/write/execute bits set for the 'user'.
2124
2125          Default: force create mode = 000
2126
2127          Example: force create mode = 0755
2128
2129       force directory mode (S)
2130          This  parameter  specifies  a  set of UNIX mode bit permissions that
2131          will always be set on a directory created by Samba. This is done  by
2132          bitwise 'OR'ing these bits onto the mode bits of a directory that is
2133          being created. The default for this parameter  is  (in  octal)  0000
2134          which will not add any extra permission bits to a created directory.
2135          This operation is done after the mode mask in the  parameter  direc‐
2136          tory mask is applied.
2137
2138          The  example  below would force all created directories to have read
2139          and execute permissions set for 'group' and 'other' as well  as  the
2140          read/write/execute bits set for the 'user'.
2141
2142          Default: force directory mode = 000
2143
2144          Example: force directory mode = 0755
2145
2146       force directory security mode (S)
2147          This  parameter  controls  what UNIX permission bits can be modified
2148          when a Windows NT client is manipulating the UNIX  permission  on  a
2149          directory using the native NT security dialog box.
2150
2151          This parameter is applied as a mask (OR'ed with) to the changed per‐
2152          mission bits, thus forcing any bits in this mask that the  user  may
2153          have  modified to be on. Make sure not to mix up this parameter with
2154          directory security mask, which works in a  similar  manner  to  this
2155          one, but uses a logical AND instead of an OR.
2156
2157          Essentially,  this  mask  may be treated as a set of bits that, when
2158          modifying security on a directory, will  enable  (1) any flags that
2159          are off (0) but which the mask has set to on (1).
2160
2161          If not set explicitly this parameter is 0000, which allows a user to
2162          modify all the user/group/world permissions on a  directory  without
2163          restrictions.
2164
2165          Note
2166          Users who can access the Samba server through other means can easily
2167          bypass this restriction, so it is primarily  useful  for  standalone
2168          "appliance"  systems.  Administrators  of  most  normal systems will
2169          probably want to leave it set as 0000.
2170
2171          Default: force directory security mode = 0
2172          Example: force directory security mode = 700
2173
2174       group
2175          This parameter is a synonym for force group.
2176
2177       force group (S)
2178          This  specifies  a  UNIX  group  name  that  will be assigned as the
2179          default primary group for all users connecting to this service. This
2180          is  useful for sharing files by ensuring that all access to files on
2181          service will use the named group  for  their  permissions  checking.
2182          Thus,  by  assigning  permissions  for  this  group to the files and
2183          directories within this service the Samba administrator can restrict
2184          or allow sharing of these files.
2185
2186          In  Samba  2.0.5 and above this parameter has extended functionality
2187          in the following way. If the group name listed here has a '+'  char‐
2188          acter prepended to it then the current user accessing the share only
2189          has the primary group default assigned to this  group  if  they  are
2190          already  assigned as a member of that group. This allows an adminis‐
2191          trator to decide that only users who are  already  in  a  particular
2192          group will create files with group ownership set to that group. This
2193          gives a finer granularity of ownership assignment. For example,  the
2194          setting  force group = +sys means that only users who are already in
2195          group sys will have their default primary group assigned to sys when
2196          accessing  this Samba share. All other users will retain their ordi‐
2197          nary primary group.
2198
2199          If the force user parameter is also set the group specified in force
2200          group will override the primary group set in force user.
2201
2202          Default: force group =
2203
2204          Example: force group = agroup
2205
2206       force printername (S)
2207          When  printing  from Windows NT (or later), each printer in smb.conf
2208          has two associated names which can be used by the client. The  first
2209          is  the  sharename  (or  shortname) defined in smb.conf. This is the
2210          only printername available for use by Windows 9x clients. The second
2211          name  associated  with  a  printer  can be seen when browsing to the
2212          "Printers" (or "Printers and Faxes") folder  on  the  Samba  server.
2213          This  is  referred  to simply as the printername (not to be confused
2214          with the printer name option).
2215
2216          When assigning a new driver to a printer on a remote Windows compat‐
2217          ible  print server such as Samba, the Windows client will rename the
2218          printer to match the driver name just uploaded. This can  result  in
2219          confusion  for  users  when  multiple printers are bound to the same
2220          driver. To prevent Samba from allowing the printer's printername  to
2221          differ from the sharename defined in smb.conf, set force printername
2222          = yes.
2223
2224          Be aware that enabling this parameter may affect migrating  printers
2225          from a Windows server to Samba since Windows has no way to force the
2226          sharename and printername to match.
2227
2228          It is recommended that this parameter's value not  be  changed  once
2229          the  printer is in use by clients as this could cause a user not to be
2230          able to delete printer connections from their local Printers folder.
2231
2232          Default: force printername = no
2233
2234       force security mode (S)
2235          This parameter controls what UNIX permission bits  can  be  modified
2236          when  a  Windows  NT client is manipulating the UNIX permission on a
2237          file using the native NT security dialog box.
2238
2239          This parameter is applied as a mask (OR'ed with) to the changed per‐
2240          mission  bits,  thus forcing any bits in this mask that the user may
2241          have modified to be on. Make sure not to mix up this parameter  with
2242          security mask, which works in a similar manner to this one, but uses
2243          a logical AND instead of an OR.
2244
2245          Essentially, the one bits in this mask may be treated as  a  set  of
2246          bits that, when modifying security on a file, the user has always set
2247          to be on.
2248
2249          If not set explicitly this parameter is set to 0, and allows a  user
2250          to  modify  all  the user/group/world permissions on a file, with no
2251          restrictions.
2252
2253          Note that users who can access the Samba server through other means
2254          can  easily  bypass  this restriction, so it is primarily useful for
2255          standalone "appliance" systems. Administrators of most  normal  sys‐
2256          tems will probably want to leave this set to 0000.
2257
2258          Default: force security mode = 0
2259
2260          Example: force security mode = 700
2261
2262       force unknown acl user (S)
2263          If  this parameter is set, a Windows NT ACL that contains an unknown
2264          SID (security descriptor, or representation of a user or  group  id)
2265          as the owner or group owner of the file will be silently mapped into
2266          the current UNIX uid or gid of the currently connected user.
2267
2268          This is designed to allow Windows NT clients to copy files and fold‐
2269          ers  containing ACLs that were created locally on the client machine
2270          and contain users local to that machine only (no domain users) to be
2271          copied  to  a  Samba  server  (usually  with  XCOPY /O) and have the
2272          unknown userid and groupid of the file owner map to the current con‐
2273          nected  user.  This can only be fixed correctly when winbindd allows
2274          arbitrary mapping from any Windows NT SID to a UNIX uid or gid.
2275
2276          Try using this parameter when XCOPY /O gives an ACCESS_DENIED error.
2277
2278          Default: force unknown acl user = no
2279
2280       force user (S)
2281          This specifies a UNIX user name that will be assigned as the default
2282          user  for  all  users connecting to this service. This is useful for
2283          sharing files. You should also use it carefully as using  it  incor‐
2284          rectly can cause security problems.
2285
2286          This user name only gets used once a connection is established. Thus
2287          clients still need to connect as a valid user  and  supply  a  valid
2288          password.  Once  connected, all file operations will be performed as
2289          the "forced user", no matter what username the client connected  as.
2290          This can be very useful.
2291
2292          In  Samba  2.0.5  and  above  this parameter also causes the primary
2293          group of the forced user to be used as the  primary  group  for  all
2294          file activity. Prior to 2.0.5 the primary group was left as the pri‐
2295          mary group of the connecting user (this was a bug).
2296
2297          Default: force user =
2298
2299          Example: force user = auser
2300
2301       fstype (S)
2302          This parameter allows the administrator to configure the string that
2303          specifies  the  type of filesystem a share is using that is reported
2304          by smbd(8) when a client queries the filesystem type  for  a  share.
2305          The  default type is NTFS for compatibility with Windows NT but this
2306          can be changed to other strings such as Samba or FAT if required.
2307
2308          Default: fstype = NTFS
2309
2310          Example: fstype = Samba
2311
2312       get quota command (G)
2313          The get quota command should only be used whenever there is no oper‐
2314          ating system API available from the OS that samba can use.
2315
2316          This  option is only available with was used and a working quota api
2317          was found in the system.
2318
2319          This parameter should specify the path to a script that queries  the
2320          quota  information  for  the  specified user/group for the partition
2321          that the specified directory is on.
2322
2323          Such a script should take 3 arguments:
2324
2325             ·  directory
2326
2327             ·  type of query
2328
2329             ·  uid of user or gid of group
2330
2331             The type of query can be one of :
2332
2333             ·  1 - user quotas
2334
2335             ·  2 - user default quotas (uid = -1)
2336
2337             ·  3 - group quotas
2338
2339             ·  4 - group default quotas (gid = -1)
2340
2341             This script should print one line as output with  spaces  between
2342             the arguments. The arguments are:
2343
2344             ·  Arg  1  -  quota flags (0 = no quotas, 1 = quotas enabled, 2 =
2345                quotas enabled and enforced)
2346
2347             ·  Arg 2 - number of currently used blocks
2348
2349             ·  Arg 3 - the softlimit number of blocks
2350
2351             ·  Arg 4 - the hardlimit number of blocks
2352
2353             ·  Arg 5 - currently used number of inodes
2354
2355             ·  Arg 6 - the softlimit number of inodes
2356
2357             ·  Arg 7 - the hardlimit number of inodes
2358
2359             ·  Arg 8(optional) - the number of bytes in  a  block(default  is
2360                1024)
2361
2362             Default: get quota command =
2363
2364             Example: get quota command = /usr/local/sbin/query_quota
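
A script honouring the get quota command contract described above, as an added example (not code shipped with Samba). The quota table is constructed sample data; answering unknown ids with "no quotas" and rejecting malformed arguments with a non-zero exit are assumptions of this example.

```python
#!/usr/bin/env python3
"""Example 'get quota command' script: <directory> <type of query> <uid or gid>."""
import os
import re
import sys

QUERY_KINDS = {1: "user", 2: "user-default", 3: "group", 4: "group-default"}
BLOCK_SIZE = 1024  # Arg 8: bytes per block (the documented default)

# Constructed sample data standing in for a real quota backend (assumption).
# (kind, id) -> flags, used/soft/hard blocks, used/soft/hard inodes
SAMPLE_QUOTAS = {
    ("user", 1001): (2, 51200, 102400, 204800, 120, 1000, 2000),
    ("user-default", -1): (1, 0, 102400, 204800, 0, 1000, 2000),
    ("group", 2001): (2, 900000, 1000000, 1048576, 4000, 0, 0),
}
NO_QUOTA = (0, 0, 0, 0, 0, 0, 0)  # flags 0 = no quotas


def parse_request(argv):
    """Validate the three arguments; raise ValueError if anything is malformed.

    The script runs on behalf of connected clients, so nothing is trusted:
    no shell is involved and every field must match its expected shape.
    """
    if len(argv) != 3:
        raise ValueError("expected: directory, type of query, uid/gid")
    directory, qtype_s, ident_s = argv
    if not os.path.isabs(directory) or "\0" in directory or "\n" in directory:
        raise ValueError("directory must be an absolute path")
    if not re.fullmatch(r"[1-4]", qtype_s):
        raise ValueError("type of query must be 1-4")
    if not re.fullmatch(r"-?\d+", ident_s):
        raise ValueError("uid/gid must be a decimal integer")
    qtype, ident = int(qtype_s), int(ident_s)
    if qtype in (2, 4) and ident != -1:
        raise ValueError("default-quota queries use id -1")
    if qtype in (1, 3) and ident < 0:
        raise ValueError("uid/gid must be non-negative")
    return directory, QUERY_KINDS[qtype], ident


def quota_line(argv):
    """Return the single output line (Arg 1..8, space separated) for a request."""
    # A real script would map the directory to its partition; the sample
    # table here is not per-filesystem, so the directory is only validated.
    _directory, kind, ident = parse_request(argv)
    fields = SAMPLE_QUOTAS.get((kind, ident), NO_QUOTA)
    return " ".join(str(v) for v in fields + (BLOCK_SIZE,))


def main():
    try:
        print(quota_line(sys.argv[1:]))
    except ValueError as err:
        print(f"query_quota: {err}", file=sys.stderr)
        return 2
    return 0


if __name__ == "__main__":
    sys.exit(main())
```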
2365
2366       getwd cache (G)
2367          This  is  a  tuning option. When this is enabled a caching algorithm
2368          will be used to reduce the time taken for getwd()  calls.  This  can
2369          have  a  significant impact on performance, especially when the wide
2370          smbconfoptions parameter is set to no.
2371
2372          Default: getwd cache = yes
2373
2374       guest account (G)
2375          This is a username which will be used for access to  services  which
2376          are specified as guest ok (see below). Whatever privileges this user
2377          has will be available to any client connecting to the guest service.
2378          This  user  must  exist in the password file, but does not require a
2379          valid login. The user account "ftp" is often a good choice for  this
2380          parameter.
2381
2382          On  some  systems the default guest account "nobody" may not be able
2383          to print. Use another account in this case. You should test this  by
2384          trying  to log in as your guest user (perhaps by using the su - com‐
2385          mand) and trying to print using the system  print  command  such  as
2386          lpr(1) or lp(1).
2387
2388          This  parameter  does not accept % macros, because many parts of the
2389          system require this value to be constant for correct operation.
2390
2391          Default: guest account = nobody # default can be changed at compile-
2392          time
2393
2394          Example: guest account = ftp
2395
2396       public
2397          This parameter is a synonym for guest ok.
2398
2399       guest ok (S)
2400          If this parameter is yes for a service, then no password is required
2401          to connect to the service. Privileges will be  those  of  the  guest
2402          account.
2403
2404          This  parameter nullifies the benefits of setting restrict anonymous
2405          = 2
2406
2407          See the section below on security for more  information  about  this
2408          option.
2409
2410          Default: guest ok = no
2411
2412       only guest
2413          This parameter is a synonym for guest only.
2414
2415       guest only (S)
2416          If  this parameter is yes for a service, then only guest connections
2417          to the service are permitted. This parameter will have no effect  if
2418          guest ok is not set for the service.
2419
2420          See  the  section  below on security for more information about this
2421          option.
2422
2423          Default: guest only = no
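
An added example (not part of Samba) that audits a configuration for the share-level risks this section describes: guest ok, guest only without guest ok, force user, fake oplocks on writable shares and force ... mode values. The sample configuration is constructed; flagging force user = root and the world-write bit are policy choices of this example, and the read only default and its inverted synonyms come from the wider smb.conf documentation rather than this section.

```python
import re

# Synonyms documented in this section, mapped to normalised canonical names.
SYNONYMS = {"public": "guestok", "onlyguest": "guestonly", "group": "forcegroup",
            "allowhosts": "hostsallow", "denyhosts": "hostsdeny"}
INVERTED = {"writeable", "writable", "writeok"}  # inverted synonyms of read only
YES = {"yes", "true", "1"}
FORCE_MODES = {"forcecreatemode": "force create mode",
               "forcedirectorymode": "force directory mode",
               "forcesecuritymode": "force security mode",
               "forcedirectorysecuritymode": "force directory security mode"}

# Constructed sample configuration (raw string so the trailing \ survives).
SAMPLE_CONF = r"""
[global]
   guest account = ftp

[Scratch]
   path = /srv/scratch
   Public = Yes
   writeable = yes
   fake oplocks = yes
   force create mode = 0777

[builds]
   path = /srv/builds
   force user = \
      root
   only guest = yes

[cdrom]
   path = /mnt/cdrom
   fake oplocks = yes
"""


def norm(name):
    """Names are case-insensitive and whitespace inside them is irrelevant."""
    return re.sub(r"\s+", "", name).lower()


def parse_smb_conf(text):
    """Return {section: {normalised parameter: value}} per the FILE FORMAT rules."""
    sections, current = {}, None
    for line in re.sub(r"\\\n", "", text).splitlines():  # join continued lines
        line = line.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(norm(line[1:-1]), {})
        elif "=" in line and current is not None:
            name, value = line.split("=", 1)  # only the first '=' is significant
            key, value = norm(name), value.strip()
            if key in INVERTED:
                key, value = "readonly", "no" if value.lower() in YES else "yes"
            current[SYNONYMS.get(key, key)] = value
    return sections


def is_yes(params, key, default=False):
    value = params.get(key)
    return default if value is None else value.lower() in YES


def audit(text):
    """Return a list of (share, parameter, reason) findings."""
    conf = parse_smb_conf(text)
    defaults = conf.get("global", {})
    findings = []
    for share, own in conf.items():
        if share == "global":
            continue
        p = {**defaults, **own}  # [global] values act as share defaults
        guest = is_yes(p, "guestok")
        if guest:
            account = p.get("guestaccount", "nobody")
            findings.append((share, "guest ok",
                             f"no password required; clients act as '{account}'"))
        if is_yes(p, "guestonly") and not guest:
            findings.append((share, "guest only", "no effect without guest ok"))
        if p.get("forceuser", "").lower() == "root":
            findings.append((share, "force user", "all file operations run as root"))
        # read only defaults to yes when unset
        if is_yes(p, "fakeoplocks") and not is_yes(p, "readonly", default=True):
            findings.append((share, "fake oplocks",
                             "writable share: concurrent clients can corrupt data"))
        for key, label in FORCE_MODES.items():
            try:
                forced = int(p[key], 8)  # values are octal
            except (KeyError, ValueError):
                continue
            if forced & 0o002:
                findings.append((share, label, "forces the world-write bit on"))
    return findings


if __name__ == "__main__":
    for share, param, reason in audit(SAMPLE_CONF):
        print(f"[{share}] {param}: {reason}")
```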
2424
2425       hide dot files (S)
2426          This is a boolean parameter that  controls  whether  files  starting
2427          with a dot appear as hidden files.
2428
2429          Default: hide dot files = yes
2430
2431       hide files (S)
2432          This  is a list of files or directories that are not visible but are
2433          accessible. The DOS 'hidden' attribute is applied to  any  files  or
2434          directories that match.
2435
2436          Each entry in the list must be separated by a '/', which allows spa‐
2437          ces to be included in the entry. '*' and '?' can be used to  specify
2438          multiple files or directories as in DOS wildcards.
2439
2440          Each  entry must be a Unix path, not a DOS path and must not include
2441          the Unix directory separator '/'.
2442
2443          Note that the case sensitivity option is applicable in hiding files.
2444
2445          Setting this parameter will affect the performance of Samba,  as  it
2446          will  be  forced  to  check all files and directories for a match as
2447          they are scanned.
2448
2449          The example shown below is based on files  that  the  Macintosh  SMB
2450          client  (DAVE)  available from Thursby creates for internal use, and
2451          also still hides all files beginning with a dot.
2452
2453          An example of use of this parameter is:
2454
2455
2456
2457
2458          hide files = /.*/DesktopFolderDB/TrashFor%m/resource.frk/
2459
2460
2461
2462          Default: hide files = # no files are hidden
2463
2464       hide special files (S)
2465          This parameter prevents clients from seeing special  files  such  as
2466          sockets, devices and FIFOs in directory listings.
2467
2468          Default: hide special files = no
2469
2470       hide unreadable (S)
2471          This  parameter  prevents clients from seeing the existence of files
2472          that cannot be read. Defaults to off.
2473
2474          Default: hide unreadable = no
2475
2476       hide unwriteable files (S)
2477          This parameter prevents clients from seeing the existence  of  files
2478          that  cannot  be  written to. Defaults to off. Note that unwriteable
2479          directories are shown as usual.
2480
2481          Default: hide unwriteable files = no
2482
2483       homedir map (G)
2484          If nis homedir is yes, and smbd(8) is  also  acting  as  a  Win95/98
2485          logon  server then this parameter specifies the NIS (or YP) map from
2486          which the server for the user's home directory should be  extracted.
2487          At  present,  only  the  Sun auto.home map format is understood. The
2488          form of the map is:
2489
2490
2491
2492
2493          username server:/some/file/system
2494
2495          and the program will extract the servername from  before  the  first
2496          ':'.  There  should  probably  be a better parsing system that copes
2497          with different map formats and also Amd (another automounter) maps.
2498
2499          Note
2500          A working NIS client is required on the system for this option to work.
2501
2502          Default: homedir map =
2503          Example: homedir map = amd.homedir
2504
2505       host msdfs (G)
2506          If  set  to yes, Samba will act as a Dfs server, and allow Dfs-aware
2507          clients to browse Dfs trees hosted on the server.
2508
2509          See also the msdfs root share level parameter. For more  information
2510          on setting up a Dfs tree on Samba, refer to the MSDFS chapter in the
2511          book Samba3-HOWTO.
2512
2513          Default: host msdfs = yes
2514
2515       hostname lookups (G)
2516          Specifies whether samba should use (expensive) hostname  lookups  or
2517          use  the  ip  addresses  instead.  An  example  place where hostname
2518          lookups are currently used is when checking the hosts deny and hosts
2519          allow.
2520
2521          Default: hostname lookups = no
2522
2523          Example: hostname lookups = yes
2524
2525       allow hosts
2526          This parameter is a synonym for hosts allow.
2527
2528       hosts allow (S)
2529          A synonym for this parameter is allow hosts.
2530
2531          This  parameter  is  a  comma,  space, or tab delimited set of hosts
2532          which are permitted to access a service.
2533
2534          If specified in the [global] section then it will apply to all  ser‐
2535          vices,  regardless of whether the individual service has a different
2536          setting.
2537
2538          You can specify the hosts by name or IP  number.  For  example,  you
2539          could  restrict  access  to  only the hosts on a Class C subnet with
2540          something like allow hosts = 150.203.5.. The full syntax of the list
2541          is  described  in  the  man page hosts_access(5). Note that this man
2542          page may not be present on your system, so a brief description  will
2543          be given here also.
2544
2545          Note  that  the  localhost  address 127.0.0.1 will always be allowed
2546          access unless specifically denied by a hosts deny option.
2547
2548          You can also specify hosts by network/netmask pairs and by  netgroup
2549          names if your system supports netgroups. The EXCEPT keyword can also
2550          be used to limit a wildcard list. The following examples may provide
2551          some help:
2552
2553          Example 1: allow all IPs in 150.203.*.*; except one
2554
2555          hosts allow = 150.203. EXCEPT 150.203.6.66
2556
2557          Example 2: allow hosts that match the given network/netmask
2558
2559          hosts allow = 150.203.15.0/255.255.255.0
2560
2561          Example 3: allow a couple of hosts
2562
2563          hosts allow = lapland, arvidsjaur
2564
2565          Example  4:  allow  only  hosts  in  NIS netgroup "foonet", but deny
2566          access from one particular host
2567
2568          hosts allow = @foonet
2569
2570          hosts deny = pirate
2571
2572          Note
2573          Note that access still requires suitable user-level passwords.   See
2574          testparm(1)  for a way of testing your host access to see if it does
2575          what you expect.
2576
2577          Default: hosts allow = # none (i.e., all hosts permitted access)
2578
2579          Example: hosts allow = 150.203.5. myhost.mynet.edu.au
2580
2581       deny hosts
2582          This parameter is a synonym for hosts deny.
2583
2584       hosts deny (S)
2585          The opposite of hosts allow - hosts listed here  are  NOT  permitted
2586          access to services unless the specific services have their own lists
2587          to override this one. Where the lists conflict, the allow list takes
2588          precedence.
2589
2590          In  the  event  that it is necessary to deny all by default, use the
2591          keyword ALL (or the netmask 0.0.0.0/0) and then explicitly  list  in
2592          the  hosts  allow  parameter  those  hosts  that should be permitted
2593          access.
2594
2595          Default: hosts deny = # none (i.e., no hosts specifically excluded)
2596
2597          Example: hosts deny = 150.203.4. badhost.mynet.edu.au
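
An added example (a model, not Samba's own code) of how the hosts allow and hosts deny rules above combine for IPv4 clients: trailing-dot prefixes, network/netmask pairs, ALL, EXCEPT, allow-list precedence and the localhost rule. Host names and @netgroups are skipped because they need DNS or NIS; treating ALL as denying 127.0.0.1, and permitting a host that matches neither list when both are set, are assumptions of this model.

```python
import ipaddress
import re


def split_list(value):
    """hosts allow / hosts deny values are comma, space or tab delimited."""
    return [t for t in re.split(r"[,\s]+", value.strip()) if t]


def match_entry(entry, ip):
    """Match one list entry against a dotted-quad client address."""
    if entry.upper() == "ALL":
        return True
    if entry.endswith("."):                # leading octets, e.g. 150.203.
        return ip.startswith(entry)
    try:
        if "/" in entry:                   # network/netmask pair
            network = ipaddress.IPv4Network(entry, strict=False)
            return ipaddress.IPv4Address(ip) in network
        return ipaddress.IPv4Address(ip) == ipaddress.IPv4Address(entry)
    except ValueError:
        return False                       # host name or @netgroup: not modelled


def list_match(entries, ip):
    """'a b EXCEPT c' matches when a or b matches and c does not."""
    upper = [e.upper() for e in entries]
    if "EXCEPT" in upper:
        i = upper.index("EXCEPT")
        return list_match(entries[:i], ip) and not list_match(entries[i + 1:], ip)
    return any(match_entry(e, ip) for e in entries)


def allow_access(hosts_allow, hosts_deny, ip):
    """Decide access for one client from the two parameter values."""
    allow, deny = split_list(hosts_allow), split_list(hosts_deny)
    in_allow = bool(allow) and list_match(allow, ip)
    in_deny = bool(deny) and list_match(deny, ip)
    if ip == "127.0.0.1":
        # Always allowed unless the deny list matches it (and allow does not).
        return in_allow or not in_deny
    if in_allow:
        return True                        # where the lists conflict, allow wins
    if in_deny:
        return False
    if allow and not deny:
        return False                       # allow list only: everyone else is out
    return True                            # no lists, or not denied (assumption)


if __name__ == "__main__":
    # Constructed client addresses checked against the page's own examples.
    cases = [
        ("150.203. EXCEPT 150.203.6.66", "", "150.203.6.66"),
        ("150.203.15.0/255.255.255.0", "", "150.203.15.77"),
        ("150.203.5.", "ALL", "10.0.0.1"),
        ("150.203.5.", "ALL", "127.0.0.1"),
    ]
    for allow, deny, ip in cases:
        verdict = "permit" if allow_access(allow, deny, ip) else "refuse"
        print(f"allow={allow!r} deny={deny!r} client={ip}: {verdict}")
```

The last case shows why a deny-all configuration usually needs 127. in hosts allow if local tools are to connect.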
2598
2599       idmap alloc backend (G)
2600          The idmap alloc backend provides a plugin interface for  Winbind  to
2601          use  when allocating Unix uids/gids for Windows SIDs. This option is
2602          to be used in conjunction  with  the  idmap  domains  parameter  and
2603          refers  to  the  name  of the idmap module which will provide the id
2604          allocation functionality. Please refer to  the  man  page  for  each
2605          idmap  plugin  to determine whether or not the module implements the
2606          allocation  feature.  The  most   common   plugins   are   the   tdb
2607          (idmap_tdb(8)) and ldap (idmap_ldap(8)) libraries.
2608
2609          Also refer to the idmap alloc config option.
2610
2611          No default
2612
2613          Example: idmap alloc backend = tdb
2614
2615       idmap alloc config (G)
2616          The  idmap alloc config prefix provides a means of managing settings
2617          for the backend defined by the idmap alloc backend parameter.  Refer
2618          to  the man page for each idmap plugin regarding specific configura‐
2619          tion details.
2620
2621          No default
2622
2623       idmap backend (G)
2624          The idmap backend provides a plugin interface  for  Winbind  to  use
2625          varying backends to store SID/uid/gid mapping tables. This option is
2626          mutually exclusive with the newer and more  flexible  idmap  domains
2627          parameter.  The  main difference between the "idmap backend" and the
2628          "idmap domains" is that the former only allows one  backend  for  all
2629          domains  while  the  latter  supports  configuring backends on a per
2630          domain basis.
2631
2632          Examples of SID/uid/gid backends include  tdb  (idmap_tdb(8)),  ldap
2633          (idmap_ldap(8)), rid (idmap_rid(8)), and ad (idmap_ad(8)).
2634
2635          Default: idmap backend = tdb
2636
2637       idmap cache time (G)
2638          This  parameter specifies the number of seconds that Winbind's idmap
2639          interface will cache positive SID/uid/gid query results.
2640
2641          Default: idmap cache time = 900
2642
2643       idmap config (G)
2644          The idmap config prefix provides a means  of  managing  each  domain
2645          defined by the idmap domains option using Samba's parametric  option
2646          support. The idmap config prefix should be followed by the  name  of
2647          the  domain,  a colon, and a setting specific to the chosen backend.
2648          There are three options available for all domains:
2649
2650
2651             backend = backend_name
2652                Specifies  the  name  of  the  idmap  plugin  to  use  as  the
2653                SID/uid/gid backend for this domain.
2654
2655             default = [yes|no]
2656                The  default  domain/backend  will  be  used for searching for
2657                users and groups not belonging to one of the explicitly listed
2658                domains  (matched  by comparing the account SID and the domain
2659                SID).
2660
2661             readonly = [yes|no]
2662                Mark the domain as readonly which means that  no  attempts  to
2663                allocate  a  uid  or  gid (by the idmap alloc backend) for any
2664                user or group in that domain will be attempted.
2665
2666             The  following  example  illustrates   how   to   configure   the
2667             idmap_ad(8)  for the CORP domain and the idmap_tdb(8) backend for
2668             all other domains. The TRUSTEDDOMAINS string is simply a key used
2669             to  reference  the "idmap config" settings and does not represent
2670             the actual name of a domain.
2671
2672
2673                  idmap domains = CORP TRUSTEDDOMAINS
2674
2675                  idmap config CORP:backend  = ad
2676                  idmap config CORP:readonly = yes
2677
2678                  idmap config TRUSTEDDOMAINS:backend = tdb
2679                  idmap config TRUSTEDDOMAINS:default = yes
2680                  idmap config TRUSTEDDOMAINS:range   = 1000 - 9999
2681
2682             No default
2683
2684       idmap domains (G)
2685          The idmap domains option defines a list  of  Windows  domains  which
2686          will  each  have  a  separately configured backend for managing Win‐
2687          bind's SID/uid/gid tables. This parameter is mutually exclusive with
2688          the older idmap backend option.
2689
2690          Values  consist  of  the  short domain name for Winbind's primary or
2691          collection of trusted domains. You may also use an arbitrary  string
2692          to represent a catchall domain backend for any domain not explicitly
2693          listed.
2694
2695          Refer to the idmap config for details about managing the SID/uid/gid
2696          backend for each domain.
2697
2698          No default
2699
2700          Example: idmap domains = default AD CORP
2701
2702       winbind gid
2703          This parameter is a synonym for idmap gid.
2704
2705       idmap gid (G)
2706          The  idmap  gid  parameter specifies the range of group ids that are
2707          allocated for the purpose of mapping UNIX groups to NT  group  SIDs.
2708          This  range of group ids should have no existing local or NIS groups
2709          within it as strange conflicts can occur otherwise.
2710
2711          See also the idmap backend, idmap domains, and idmap config options.
2712
2713          Default: idmap gid =
2714
2715          Example: idmap gid = 10000-20000
2716
2717       idmap negative cache time (G)
2718          This parameter specifies the number of seconds that Winbind's  idmap
2719          interface will cache negative SID/uid/gid query results.
2720
2721          Default: idmap negative cache time = 120
2722
2723       winbind uid
2724          This parameter is a synonym for idmap uid.
2725
2726       idmap uid (G)
2727          The  idmap  uid  parameter  specifies the range of user ids that are
2728          allocated for use in mapping UNIX users to NT user SIDs. This  range
2729          of  ids  should  have  no  existing  local or NIS users within it as
2730          strange conflicts can occur otherwise.
2731
2732          See also the idmap backend, idmap domains, and idmap config options.
2733
2734          Default: idmap uid =
2735
2736          Example: idmap uid = 10000-20000
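A check for the conflict that both idmap gid and idmap uid warn about: existing accounts whose ids fall inside the allocation range. This is an added example, not part of Samba; the function names are hypothetical, the passwd(5)/group(5) sample text is constructed, and the range bounds are treated as inclusive (an assumption).

```python
import re


def parse_id_range(value):
    """Parse an idmap range such as '10000-20000' or '1000 - 9999'."""
    match = re.fullmatch(r"\s*(\d+)\s*-\s*(\d+)\s*", value)
    if match is None:
        raise ValueError(f"not an id range: {value!r}")
    low, high = int(match.group(1)), int(match.group(2))
    if low > high:
        raise ValueError(f"range is reversed: {value!r}")
    return low, high


def entries_in_range(db_text, id_range):
    """Return (name, id) for passwd/group lines whose third field is in range."""
    low, high = id_range
    hits = []
    for line in db_text.splitlines():
        fields = line.strip().split(":")
        # Skip blank lines, comments and NIS compat entries (+name / -name).
        if len(fields) < 3 or fields[0][:1] in ("", "#", "+", "-"):
            continue
        if fields[2].isdigit() and low <= int(fields[2]) <= high:
            hits.append((fields[0], int(fields[2])))
    return hits


def idmap_conflicts(idmap_uid, idmap_gid, passwd_text, group_text):
    """Existing users and groups that collide with the idmap uid/gid ranges."""
    return {
        "users": entries_in_range(passwd_text, parse_id_range(idmap_uid)),
        "groups": entries_in_range(group_text, parse_id_range(idmap_gid)),
    }


# Constructed sample databases (not taken from any real system).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/sh
backup:x:10034:10034:Backup operator:/var/backup:/bin/sh
+::::::
"""

SAMPLE_GROUP = """\
root:x:0:
staff:x:9999:alice
scanners:x:20000:alice,backup
"""

if __name__ == "__main__":
    # Range taken from the "Example:" lines for idmap uid and idmap gid.
    report = idmap_conflicts("10000-20000", "10000-20000",
                             SAMPLE_PASSWD, SAMPLE_GROUP)
    for kind, hits in report.items():
        for name, ident in hits:
            print(f"{kind}: {name} already uses id {ident} inside the idmap range")
```

Feeding it the output of getent passwd and getent group covers NIS entries as well as local ones.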
2737
2738       include (G)
2739          This allows you to include one config file inside another. The  file
2740          is included literally, as though typed in place.
2741
2742          It takes the standard substitutions, except %u, %P and %S.
2743
2744          Default: include =
2745
2746          Example: include = /usr/local/samba/lib/admin_smb.conf
2747
2748       inherit acls (S)
2749          This  parameter  can be used to ensure that if default acls exist on
2750          parent directories, they are always honored when creating a new file
2751          or subdirectory in these parent directories. The default behavior is
2752          to use the unix mode specified when creating the directory. Enabling
2753          this  option  sets  the  unix  mode  to 0777, thus guaranteeing that
2754          default directory acls are propagated.
2755
2756          Default: inherit acls = no
2757
2758       inherit owner (S)
2759          The ownership of new files and directories is normally  governed  by
2760          effective  uid  of  the connected user. This option allows the Samba
2761          administrator to specify that the ownership for new files and direc‐
2762          tories  should  be  controlled by the ownership of the parent direc‐
2763          tory.
2764
2765          Common scenarios where this behavior is useful are  in  implementing
2766          drop-boxes where users can create and edit files but not delete them
2767          and to ensure that newly created files in a user's  roaming  profile
2768          directory are actually owned by the user.
2769
2770          Default: inherit owner = no
2771
2772       inherit permissions (S)
2773          The  permissions  on new files and directories are normally governed
2774          by create mask, directory mask, force create mode and  force  direc‐
2775          tory  mode  but  the boolean inherit permissions parameter overrides
2776          this.
2777
2778          New directories inherit the mode of the parent directory,  including
2779          bits such as setgid.
2780
2781          New  files  inherit their read/write bits from the parent directory.
2782          Their execute bits continue to be determined  by  map  archive,  map
2783          hidden and map system as usual.
2784
2785          Note  that  the  setuid  bit  is never set via inheritance (the code
2786          explicitly prohibits this).
2787
2788          This can be particularly useful on large systems  with  many  users,
2789          perhaps several thousand, to allow a single [homes] share to be used
2790          flexibly by each user.
2791
2792          Default: inherit permissions = no
2793
2794       interfaces (G)
2795          This option allows you to override the  default  network  interfaces
2796          list  that  Samba will use for browsing, name registration and other
2797          NBT traffic. By default Samba will query the kernel for the list  of
2798          all  active  interfaces and use any interfaces except 127.0.0.1 that
2799          are broadcast capable.
2800
2801          The option takes a list of interface strings. Each string can be  in
2802          any of the following forms:
2803
2804             ·  a  network  interface  name  (such  as eth0). This may include
2805                shell-like wildcards so eth* will match any interface starting
2806                with the substring "eth"
2807
2808             ·  an IP address. In this case the netmask is determined from the
2809                list of interfaces obtained from the kernel
2810
2811             ·  an IP/mask pair.
2812
2813             ·  a broadcast/mask pair.
2814
2815             The "mask" parameters can either be a bit length (such as 24  for
2816             a C class network) or a full netmask in dotted decimal form.
2817
2818             The  "IP" parameters above can either be a full dotted decimal IP
2819             address or a hostname which will be looked up via the OS's normal
2820             hostname resolution mechanisms.
2821
2822             By default Samba enables all active interfaces that are broadcast
2823             capable except the loopback adaptor (IP address 127.0.0.1).
2824
2825             The example below configures three network interfaces correspond‐
2826             ing  to  the  eth0  device  and  IP  addresses  192.168.2.10  and
2827             192.168.3.10. The netmasks of the latter two interfaces would  be
2828             set to 255.255.255.0.
2829
2830             Default: interfaces =
2831
2832             Example: interfaces = eth0 192.168.2.10/24 192.168.3.10/255.255.255.0
2834
2835       invalid users (S)
2836          This is a list of users that should not be allowed to login to  this
2837          service.  This  is  really  a paranoid check to absolutely ensure an
2838          improper setting does not breach your security.
2839
2840          A name starting with a '@' is interpreted as an NIS  netgroup  first
2841          (if  your system supports NIS), and then as a UNIX group if the name
2842          was not found in the NIS netgroup database.
2843
2844          A name starting with '+' is interpreted only by looking in the  UNIX
2845          group  database  via  the  NSS getgrnam() interface. A name starting
2846          with '&' is interpreted only by looking in the NIS netgroup database
2847          (this requires NIS to be working on your system). The characters '+'
2848          and '&' may be used at the start of the name in either order so  the
2849          value  +&group  means check the UNIX group database, followed by the
2850          NIS netgroup database, and the value &+group  means  check  the  NIS
2851          netgroup  database, followed by the UNIX group database (the same as
2852          the '@' prefix).
2853
2854          The current servicename is substituted for %S. This is useful in the
2855          [homes] section.
2856
2857          Default: invalid users = # no invalid users
2858
2859          Example: invalid users = root fred admin @wheel
2860
2861       iprint server (G)
2862          This parameter is only applicable if printing is set to iprint.
2863
2864          If  set,  this  option  overrides  the ServerName option in the CUPS
2865          client.conf. This is necessary if you  have  virtual  samba  servers
2866          that connect to different CUPS daemons.
2867
2868          Default: iprint server = ""
2869
2870          Example: iprint server = MYCUPSSERVER
2871
2872       keepalive (G)
2873          The  value  of  the  parameter (an integer) represents the number of
2874          seconds between keepalive packets. If this  parameter  is  zero,  no
2875          keepalive  packets  will  be sent. Keepalive packets, if sent, allow
2876          the server to tell whether a client is still present and responding.
2877
2878          Keepalives should, in general, not be needed if the socket  has  the
2879          SO_KEEPALIVE attribute set on it by  default  (see  socket  options).
2880          Basically you should only use this option if  you  strike  difficul‐
2881          ties.
2882
2883          Default: keepalive = 300
2884
2885          Example: keepalive = 600
2886
2887       kernel change notify (S)
2888          This  parameter  specifies  whether  Samba should ask the kernel for
2889          change notifications in directories so that SMB clients can  refresh
2890          whenever the data on the server changes.
2891
2892          This parameter is only used when your kernel supports change notifi‐
2893          cation to user programs using the inotify interface.
2894
2895          Default: kernel change notify = yes
2896
2897       kernel oplocks (G)
2898          For UNIXes that support kernel based oplocks  (currently  only  IRIX
2899          and  the Linux 2.4 kernel), this parameter allows the use of them to
2900          be turned on or off.
2901
2902          Kernel oplocks support allows Samba oplocks to be broken whenever  a
2903          local UNIX process or NFS operation accesses a file that smbd(8) has
2904          oplocked. This allows complete data  consistency  between  SMB/CIFS,
2905          NFS and local file access (and is a very cool feature :-).
2906
2907          This  parameter defaults to on, but is translated to a no-op on sys‐
2908          tems that do not have the necessary kernel support. You should never
2909          need to touch this parameter.
2910
2911          Default: kernel oplocks = yes
2912
2913       lanman auth (G)
2914          This  parameter  determines  whether  or not smbd(8) will attempt to
2915          authenticate users or permit password changes using the LANMAN pass‐
2916          word  hash.  If  disabled,  only  clients  which support NT password
2917          hashes (e.g. Windows NT/2000 clients,  smbclient,  but  not  Windows
2918          95/98  or  the MS DOS network client) will be able to connect to the
2919          Samba host.
2920
2921          The LANMAN encrypted response is easily broken, due to its
2922          case-insensitive nature and the choice of algorithm. Servers without
2923          Windows 95/98/ME or MS DOS clients are advised to disable this
2924          option.
2925
2926          Unlike the encrypt passwords option, this parameter cannot alter
2927          client behaviour, and the LANMAN response will still be sent over
2928          the network. See the client lanman auth parameter to disable this
2929          for Samba's clients (such as smbclient).
2930
2931          If this option and ntlm auth are both disabled, then only NTLMv2
2932          logins will be permitted. Not all clients support NTLMv2, and most
2933          will require special configuration to use it.
2934
2935          Default: lanman auth = yes
2936
2937       large readwrite (G)
2938          This parameter determines whether or not smbd(8)  supports  the  new
2939          64k  streaming  read  and write variant SMB requests introduced with
2940          Windows 2000. Note that due to Windows 2000 client  redirector  bugs
2941          this requires Samba to be running on a 64-bit capable operating sys‐
2942          tem such as IRIX, Solaris or a Linux 2.4 kernel. Can improve perfor‐
2943          mance  by  10%  with  Windows  2000  clients. Defaults to on. Not as
2944          tested as some other Samba code paths.
2945
2946          Default: large readwrite = yes
2947
2948       ldap admin dn (G)
2949          The ldap admin dn defines the Distinguished Name (DN) used by Samba
2950          to contact the ldap server when retrieving user account information.
2951          The ldap admin dn is used in conjunction with the admin dn password
2952          stored in the private/secrets.tdb file. See the smbpasswd(8) man
2953          page for more information on how to accomplish this.
2954
2955          The ldap admin dn requires a fully specified DN. The ldap suffix  is
2956          not appended to the ldap admin dn.
2957
2958          No default
2959
2960       ldap delete dn (G)
2961          This  parameter  specifies whether a delete operation in the ldapsam
2962          deletes the complete entry or only the attributes specific to Samba.
2963
2964          Default: ldap delete dn = no
2965
2966       ldap group suffix (G)
2967          This parameter specifies the suffix that is  used  for  groups  when
2968          these  are  added to the LDAP directory. If this parameter is unset,
2969          the value of ldap suffix will be used instead. The suffix string  is
2970          pre-pended to the ldap suffix string so use a partial DN.
2971
2972          Default: ldap group suffix =
2973
2974          Example: ldap group suffix = ou=Groups
2975
2976       ldap idmap suffix (G)
2977          This parameter specifies the suffix that is used when storing  idmap
2978          mappings. If this parameter is unset, the value of ldap suffix  will
2979          be  used instead. The suffix string is pre-pended to the ldap suffix
2980          string so use a partial DN.
2981
2982          Default: ldap idmap suffix =
2983
2984          Example: ldap idmap suffix = ou=Idmap
2985
2986       ldap machine suffix (G)
2987          It specifies where machines should be added to  the  ldap  tree.  If
2988          this  parameter  is  unset,  the  value  of ldap suffix will be used
2989          instead. The suffix string is pre-pended to the ldap  suffix  string
2990          so use a partial DN.
2991
2992          Default: ldap machine suffix =
2993
2994          Example: ldap machine suffix = ou=Computers
2995
2996       ldap passwd sync (G)
2997          This  option  is used to define whether or not Samba should sync the
2998          LDAP password with the NT and LM hashes for normal accounts (NOT for
2999          workstation,  server  or  domain  trusts)  on  a password change via
3000          SAMBA.
3001
3002          The ldap passwd sync can be set to one of three values:
3003
3004             ·  Yes = Try to update the LDAP, NT and LM passwords  and  update
3005                the pwdLastSet time.
3006
3007             ·  No  =  Update  NT  and  LM passwords and update the pwdLastSet
3008                time.
3009
3010             ·  Only = Only update the LDAP password and let the  LDAP  server
3011                do the rest.
3012
3013             Default: ldap passwd sync = no
3014
3015       ldap replication sleep (G)
3016          When  Samba  is  asked  to write to a read-only LDAP replica, we are
3017          redirected to talk to the read-write master server. This server then
3018          replicates  our  changes  back  to  the  'local' server, however the
3019          replication might take some seconds,  especially  over  slow  links.
3020          Certain  client  activities,  particularly  domain joins, can become
3021          confused by the 'success' that does not immediately change the  LDAP
3022          back-end's data.
3023
3024          This  option  simply causes Samba to wait a short time, to allow the
3025          LDAP server to catch up. If you  have  a  particularly  high-latency
3026          network,  you  may  wish to time the LDAP replication with a network
3027          sniffer, and increase this  value  accordingly.  Be  aware  that  no
3028          checking is performed that the data has actually replicated.
3029
3030          The value is specified in milliseconds, the maximum value is 5000 (5
3031          seconds).
3032
3033          Default: ldap replication sleep = 1000
3034
3035       ldapsam:editposix (G)
3036          Editposix is an option that leverages  ldapsam:trusted  to  make  it
3037          simpler to manage a domain controller eliminating the need to set up
3038          custom scripts to add and manage the posix users  and  groups.  This
3039          option  will  instead  directly  manipulate the ldap tree to create,
3040          remove and modify user and group entries. This option also  requires
3041          a  running  winbindd  as  it  is  used  to allocate new uids/gids on
3042          user/group creation. The allocation range must be therefore  config‐
3043          ured.
3044
3045          To use this option, a basic ldap tree must be provided and the ldap
3046          suffix parameters must be properly configured. On virgin servers the
3047          default users and groups (Administrator, Guest, Domain Users, Domain
3048          Admins, Domain Guests) can be precreated with the command net sam
3049          provision. To run this command the ldap server must be running,
3050          winbindd must be running and the smb.conf ldap options must be
3051          properly configured. The typical ldap setup used with the
3052          ldapsam:trusted = yes option is usually sufficient to use
3053          ldapsam:editposix = yes as well.
3054
3055          An example configuration can be the following:
3056
3057
3058
3059
3060               encrypt passwords = true
3061               passdb backend = ldapsam
3062
3063               ldapsam:trusted=yes
3064               ldapsam:editposix=yes
3065
3066               ldap admin dn = cn=admin,dc=samba,dc=org
3067               ldap delete dn = yes
3068               ldap group suffix = ou=groups
3069               ldap idmap suffix = ou=idmap
3070               ldap machine suffix = ou=computers
3071               ldap user suffix = ou=users
3072               ldap suffix = dc=samba,dc=org
3073
3074               idmap backend = ldap:"ldap://localhost"
3075
3076               idmap uid = 5000-50000
3077               idmap gid = 5000-50000
3078
3079          This configuration assumes the ldap server has been loaded with a
3080          base tree like the one described in the following ldif:
3081
3082
3083
3084
3085               dn: dc=samba,dc=org
3086               objectClass: top
3087               objectClass: dcObject
3088               objectClass: organization
3089               o: samba.org
3090               dc: samba
3091
3092               dn: cn=admin,dc=samba,dc=org
3093               objectClass: simpleSecurityObject
3094               objectClass: organizationalRole
3095               cn: admin
3096               description: LDAP administrator
3097               userPassword: secret
3098
3099               dn: ou=users,dc=samba,dc=org
3100               objectClass: top
3101               objectClass: organizationalUnit
3102               ou: users
3103
3104               dn: ou=groups,dc=samba,dc=org
3105               objectClass: top
3106               objectClass: organizationalUnit
3107               ou: groups
3108
3109               dn: ou=idmap,dc=samba,dc=org
3110               objectClass: top
3111               objectClass: organizationalUnit
3112               ou: idmap
3113
3114               dn: ou=computers,dc=samba,dc=org
3115               objectClass: top
3116               objectClass: organizationalUnit
3117               ou: computers
3118
3119
3120
3121          Default: ldapsam:editposix = no
3122
3123       ldapsam:trusted (G)
3124          By default, Samba as a Domain Controller with an LDAP backend  needs
3125          to  use the Unix-style NSS subsystem to access user and group infor‐
3126          mation. Due to the way Unix stores user information  in  /etc/passwd
3127          and /etc/group this inevitably leads to inefficiencies. One
3128          important thing to know about a user is the list of groups he is a
3129          member of. The plain UNIX model involves a complete enumeration of the
3130          file /etc/group and its NSS counterparts in LDAP. UNIX has optimized
3131          functions to enumerate group membership. Sadly, other functions that
3132          are used to deal with user and group attributes lack such  optimiza‐
3133          tion.
3134
3135          To  make Samba scale well in large environments, the ldapsam:trusted
3136          = yes option assumes that the complete user and group database  that
3137          is  relevant  to  Samba is stored in LDAP with the standard posixAc‐
3138          count/posixGroup attributes. It further assumes that the Samba  aux‐
3139          iliary object classes are stored together with the POSIX data in the
3140          same LDAP object. If these assumptions are  met,  ldapsam:trusted  =
3141          yes  can  be  activated and Samba can bypass the NSS system to query
3142          user group memberships. Optimized LDAP queries can greatly speed  up
3143          domain  logon and administration tasks. Depending on the size of the
3144          LDAP database a factor of 100 or more for common queries  is  easily
3145          achieved.
3146
3147          Default: ldapsam:trusted = no
3148
3149       ldap ssl (G)
3150          This  option  is  used to define whether or not Samba should use SSL
3151          when connecting to the ldap server. This is NOT related to  Samba's
3152          previous  SSL support which was enabled by specifying the --with-ssl
3153          option to the configure script.
3154
3155          The ldap ssl can be set to one of three values:
3156
3157             ·  Off = Never use SSL when querying the directory.
3158
3159             ·  Start_tls  =  Use  the  LDAPv3  StartTLS  extended   operation
3160                (RFC2830) for communicating with the directory server.
3161
3162             ·  On = Use SSL on the ldaps port when contacting the ldap
3163                server. Only available when the backwards-compatibility
3164                --with-ldapsam option is specified to configure. See passdb
3165                backend.
3166
3167                Default: ldap ssl = start_tls
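An audit of the [global] settings for lanman auth and ldap ssl described above, resolving defaults so that a missing lanman auth line is reported as enabled. This is an added example, not Samba code: the function names and finding codes are hypothetical, the two configurations are constructed, and the ntlm auth default of yes is an assumption (this section does not state it).

```python
import re

# Defaults used when a parameter is absent. "lanman auth" and "ldap ssl" are
# the defaults stated in this man page; "ntlm auth" = yes is an ASSUMPTION.
DEFAULTS = {"lanmanauth": "yes", "ntlmauth": "yes", "ldapssl": "start_tls"}
TRUE_WORDS = {"yes", "1", "true"}
FALSE_WORDS = {"no", "0", "false"}


def canon(name):
    """Parameter and section names ignore case and all whitespace."""
    return re.sub(r"\s+", "", name).lower()


def parse_global(text):
    """Return the [global] parameters of an smb.conf as {canonical name: value}."""
    logical, pending = [], ""
    for raw in text.splitlines():
        stripped = raw.rstrip()
        if stripped.endswith("\\"):        # line continued on the next line
            pending += stripped[:-1]
            continue
        logical.append(pending + raw)
        pending = ""
    params, section = {}, None
    for line in logical:
        line = line.strip()
        if not line or line[0] in ";#":    # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = canon(line[1:-1])
            continue
        name, sep, value = line.partition("=")   # only the first '=' counts
        if sep and section == "global":
            params[canon(name)] = value.strip()
    return params


def is_enabled(params, key):
    """Effective boolean value of a parameter, falling back to its default."""
    value = params.get(key, DEFAULTS[key]).lower()
    if value in TRUE_WORDS:
        return True
    if value in FALSE_WORDS:
        return False
    raise ValueError(f"{key}: not a boolean: {value!r}")


def audit(text):
    """Return a list of (code, detail) findings for the settings above."""
    params = parse_global(text)
    findings = []
    if is_enabled(params, "lanmanauth"):
        how = "explicitly" if "lanmanauth" in params else "by default"
        findings.append(("lanman-auth-enabled",
                         f"LANMAN password hash accepted ({how})"))
    ldap_ssl = params.get("ldapssl", DEFAULTS["ldapssl"]).lower()
    uses_ldap = ("ldapadmindn" in params or
                 params.get("passdbbackend", "").lower().startswith("ldapsam"))
    if ldap_ssl not in ("off", "start_tls", "on"):
        findings.append(("ldap-ssl-invalid", f"unknown value {ldap_ssl!r}"))
    elif ldap_ssl == "off" and uses_ldap:
        findings.append(("ldap-ssl-off",
                         "SSL is never used when querying the directory"))
    return findings


def ntlmv2_only(text):
    """True when lanman auth and ntlm auth are both disabled."""
    params = parse_global(text)
    return not is_enabled(params, "lanmanauth") and not is_enabled(params, "ntlmauth")


# Constructed configurations for the demonstration.
WEAK = """\
[global]
   passdb backend = ldapsam
   ldap admin dn = cn=admin,dc=samba,dc=org
   LDAP  SSL = Off
"""

HARDENED = """\
[Global]
   passdb backend = ldapsam
   lanman auth = no
   NTLM Auth = False
   ldap ssl = start_tls
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(conf), "NTLMv2 only:", ntlmv2_only(conf))
```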
3168
3169          ldap suffix (G)
3170             Specifies the base for all ldap suffixes and for storing the sam‐
3171             baDomain object.
3172
3173             The  ldap suffix will be appended to the values specified for the
3174             ldap user suffix, ldap group suffix, ldap machine suffix, and the
3175             ldap  idmap suffix. Each of these should be given only a DN rela‐
3176             tive to the ldap suffix.
3177
3178             Default: ldap suffix =
3179
3180             Example: ldap suffix = dc=samba,dc=org
3181
3182          ldap timeout (G)
3183             When Samba connects to an ldap server that server may be down  or
3184             unreachable. To prevent Samba from hanging whilst waiting for the
3185             connection this parameter specifies in  seconds  how  long  Samba
3186             should  wait  before  failing the connect. The default is to only
3187             wait fifteen seconds for the ldap server to respond to  the  con‐
3188             nect request.
3189
3190             Default: ldap timeout = 15
3191
3192          ldap user suffix (G)
3193             This  parameter  specifies  where users are added to the tree. If
3194             this parameter is unset, the value of ldap suffix  will  be  used
3195             instead.  The  suffix  string  is  pre-pended  to the ldap suffix
3196             string so use a partial DN.
3197
3198             Default: ldap user suffix =
3199
3200             Example: ldap user suffix = ou=people
3201
3202          level2 oplocks (S)
3203             This parameter controls whether Samba supports level2 (read-only)
3204             oplocks on a share.
3205
3206             Level2,  or  read-only oplocks allow Windows NT clients that have
3207             an oplock on a file to downgrade from a read-write  oplock  to  a
3208             read-only  oplock once a second client opens the file (instead of
3209             releasing all oplocks on a second open, as in traditional, exclu‐
3210             sive  oplocks).  This allows all openers of the file that support
3211             level2 oplocks to cache the file for read-ahead only  (i.e.  they
3212             may  not cache writes or lock requests) and increases performance
3213             for many accesses of files that are not commonly written (such as
3214             application .EXE files).
3215
3216             Once  one  of the clients which have a read-only oplock writes to
3217             the file all clients are notified (no reply is needed  or  waited
3218             for)  and  told  to  break their oplocks to "none" and delete any
3219             read-ahead caches.
3220
3221             It is recommended that this  parameter  be  turned  on  to  speed
3222             access to shared executables.
3223
3224             For more discussions on level2 oplocks see the CIFS spec.
3225
3226             Currently,  if  kernel  oplocks are supported then level2 oplocks
3227             are not granted (even if this parameter  is  set  to  yes).  Note
3228             also,  the  oplocks parameter must be set to yes on this share in
3229             order for this parameter to have any effect.
3230
3231             Default: level2 oplocks = yes
3232
3233          lm announce (G)
3234             This parameter determines if nmbd(8) will produce Lanman announce
3235             broadcasts  that  are needed by OS/2 clients in order for them to
3236             see the Samba server in their browse  list.  This  parameter  can
3237             have  three values, yes, no, or auto. The default is auto. If set
3238             to no Samba will never produce these broadcasts. If  set  to  yes
3239             Samba  will produce Lanman announce broadcasts at a frequency set
3240             by the parameter lm interval. If set to auto Samba will not  send
3241             Lanman  announce  broadcasts by default but will listen for them.
3242             If it hears such a broadcast on the wire it will then start send‐
3243             ing them at a frequency set by the parameter lm interval.
3244
3245             Default: lm announce = auto
3246
3247             Example: lm announce = yes
3248
3249          lm interval (G)
3250             If  Samba  is set to produce Lanman announce broadcasts needed by
3251             OS/2 clients (see the lm announce parameter) then this  parameter
3252             defines the frequency in seconds with which they will be made. If
3253             this is set to zero then no Lanman  announcements  will  be  made
3254             despite the setting of the lm announce parameter.
3255
3256             Default: lm interval = 60
3257
3258             Example: lm interval = 120
3259
3260          load printers (G)
3261             A  boolean  variable  that  controls  whether all printers in the
3262             printcap will be loaded for browsing by default. See the printers
3263             section for more details.
3264
3265             Default: load printers = yes
3266
3267          local master (G)
3268             This  option  allows  nmbd(8)  to  try  and become a local master
3269             browser on a subnet. If set to no then nmbd will not  attempt  to
3270             become  a  local master browser on a subnet and will also lose in
3271             all browsing elections. By default this value is set to yes. Set‐
3272             ting  this  value  to yes doesn't mean that Samba will become the
3273             local master browser on a subnet, just that nmbd will participate
3274             in elections for local master browser.
3275
3276             Setting  this value to no will cause nmbd never to become a local
3277             master browser.
3278
3279             Default: local master = yes
3280
3281          lock dir
3282             This parameter is a synonym for lock directory.
3283
3284          lock directory (G)
3285             This option specifies the directory  where  lock  files  will  be
3286             placed.  The lock files are used to implement the max connections
3287             option.
3288
3289             Default: lock directory = ${prefix}/var/locks
3290
3291             Example: lock directory = /var/run/samba/locks
3292
3293          locking (S)
3294             This controls whether or not locking will  be  performed  by  the
3295             server in response to lock requests from the client.
3296
3297             If locking = no, all lock and unlock requests will appear to suc‐
3298             ceed and all lock queries will report that the file  in  question
3299             is available for locking.
3300
3301             If locking = yes, real locking will be performed by the server.
3302
3303             This option may be useful for read-only filesystems which may not
3304             need locking (such as CDROM drives), although setting this
3305             parameter to no is not really recommended even in this case.
3306
3307             Be  careful  about disabling locking either globally or in a spe‐
3308             cific service, as lack of locking may result in data  corruption.
3309             You should never need to set this parameter.
3310
3311             No default
3312
3313          lock spin count (G)
3314             This  parameter  has  been  made inoperative in Samba 3.0.24. The
3315             functionality it controlled is now controlled by the parameter
3316             lock spin time.
3317
3318             Default: lock spin count = 0
3319
3320          lock spin time (G)
3321             The  time in microseconds that smbd should keep waiting to see if
3322             a failed lock request can be granted. This parameter has  changed
3323             in default value from Samba 3.0.23 from 10 to 200. The associated
3324             lock spin count parameter is no longer used in Samba 3.0.24.  You
3325             should not need to change the value of this parameter.
3326
3327             Default: lock spin time = 200
3328
3329          log file (G)
3330             This option allows you to override the name of the Samba log file
3331             (also known as the debug file).
3332
3333             This option takes the standard  substitutions,  allowing  you  to
3334             have separate log files for each user or machine.
3335
3336             No default
3337
3338             Example: log file = /usr/local/samba/var/log.%m
3339
3340          debuglevel
3341             This parameter is a synonym for log level.
3342
3343          log level (G)
3344             The value of the parameter (a string) allows the debug level
3345             (logging level) to be specified in the smb.conf file. This
3346             parameter has been extended since the 2.2.x series; it now allows
3347             you to specify the debug level for multiple debug classes. This is to
3348             give greater flexibility in the configuration of the system.
3349
3350             The  default  will be the log level specified on the command line
3351             or level zero if none was specified.
3352
3353             No default
3354
3355             Example: log level = 3 passdb:5 auth:10 winbind:2
3356
3357          logon drive (G)
3358             This parameter specifies the local path to which the home  direc‐
3359             tory  will  be  connected (see logon home) and is only used by NT
3360             Workstations.
3361
3362             Note that this option is only useful if Samba  is  set  up  as  a
3363             logon server.
3364
3365             Default: logon drive =
3366
3367             Example: logon drive = h:
3368
3369          logon home (G)
3370             This  parameter  specifies  the  home  directory  location when a
3371             Win95/98 or NT Workstation logs into a Samba PDC. It  allows  you
3372             to do
3373
3374
3375             C:\>NET USE H: /HOME
3376
3377             from a command prompt, for example.
3378
3379             This  option  takes  the  standard substitutions, allowing you to
3380             have separate logon scripts for each user or machine.
3381
3382             This parameter can be used with Win9X workstations to ensure that
3383             roaming  profiles are stored in a subdirectory of the user's home
3384             directory. This is done in the following way:
3385
3386
3387             logon home = \\%N\%U\profile
3388
3389             This tells Samba to return the above string, with substitutions
3390             made when a client requests the info, generally in a
3391             NetUserGetInfo request. Win9X clients truncate the info to
3392             \\server\share when a user does net use /home but use the whole
3393             string when dealing with profiles.
3394
3395             Note that in prior versions of Samba, the logon path was returned
3396             rather than logon home. This broke net use /home but allowed pro‐
3397             files outside the home directory. The current  implementation  is
3398             correct, and can be used for profiles if you use the above trick.
3399
3400             Disable this feature by setting logon home = "" - using the empty
3401             string.
3402
3403             This option is only useful if Samba is set up as a logon server.
3404
3405             Default: logon home = \\%N\%U
3406
3407             Example: logon home = \\remote_smb_server\%U
3408
3409          logon path (G)
3410             This parameter specifies the  directory  where  roaming  profiles
3411             (Desktop,  NTuser.dat, etc) are stored. Contrary to previous ver‐
3412             sions of these manual pages, it has nothing to  do  with  Win  9X
3413             roaming  profiles. To find out how to handle roaming profiles for
3414             Win 9X system, see the logon home parameter.
3415
3416             This option takes the standard  substitutions,  allowing  you  to
3417             have  separate  logon  scripts  for each user or machine. It also
3418             specifies the directory from which the "Application Data",  desk‐
3419             top,  start  menu, network neighborhood, programs and other fold‐
3420             ers, and their contents, are loaded and displayed on your Windows
3421             NT client.
3422
3423             The share and the path must be readable by the user for the pref‐
3424             erences and directories to be loaded onto the Windows NT  client.
3425             The  share  must be writeable when the user logs in for the first
3426             time, in  order  that  the  Windows  NT  client  can  create  the
3427             NTuser.dat and other directories. Thereafter, the directories and
3428             any of the contents can, if required, be made  read-only.  It  is
3429             not advisable that the NTuser.dat file be made read-only - rename
3430             it to NTuser.man to achieve the desired effect (a MANdatory  pro‐
3431             file).
3432
3433             Windows  clients  can  sometimes  maintain  a  connection  to the
3434             [homes] share, even though there is no user logged in. Therefore,
3435             it  is  vital that the logon path does not include a reference to
3436             the homes share (i.e. setting this parameter to \\%N\homes\profile_path
3437             will cause problems).
3438
3442             Warning
3443             Do not quote the value. Setting this as "\\%N\profile\%U"
3444             will break profile handling. Where the tdbsam or ldapsam passdb
3445             backend is used, at the time the user account is created the
3446             value configured for this parameter is written to the passdb
3447             backend and that value will over-ride the parameter value present
3448             in the smb.conf file. Any error present in the passdb backend
3449             account record must be edited using the appropriate tool (pdbedit
3450             on the command-line, or any other locally provided system
3451             tool). Note that this option is only useful if Samba is set up
3452             as a domain controller.
3453
3454             Disable  the use of roaming profiles by setting the value of this
3455             parameter to the empty string. For example, logon path = "". Take
3456             note that even if the default setting in the smb.conf file is the
3457             empty string, any value specified in the user account settings in
3458             the  passdb  backend  will  over-ride  the effect of setting this
3459             parameter to null. Disabling of all roaming profile use  requires
3460             that the user account settings must also be blank.
3461
3462             An example of use is:
3463
3464
3465
3466
3467             logon path = \\PROFILESERVER\PROFILE\%U
3468
3469
3470
3471             Default: logon path = \\%N\%U\profile
3472
3473          logon script (G)
3474             This parameter specifies the batch file (.bat) or NT command file
3475             (.cmd) to be downloaded and run on a machine when a user success‐
3476             fully  logs  in.  The  file must contain the DOS style CR/LF line
3477             endings. Using a DOS-style editor to create the  file  is  recom‐
3478             mended.
3479
3480             The  script must be a relative path to the [netlogon] service. If
3481             the [netlogon] service specifies a path of /usr/local/samba/netl‐
3482             ogon,  and logon script = STARTUP.BAT, then the file that will be
3483             downloaded is:
3484
3485
3486
3487
3488                  /usr/local/samba/netlogon/STARTUP.BAT
3489
3490
3491
3492             The contents of the batch file are entirely your choice.  A  sug‐
3493             gested  command  would  be to add NET TIME \\SERVER /SET /YES, to
3494             force every machine to synchronize  clocks  with  the  same  time
3495             server. Another use would be to add NET USE U: \\SERVER\UTILS for
3496             commonly used utilities, or
3497
3498
3499
3500
3501             NET USE Q: \\SERVER\ISO9001_QA
3502
3503             for example.
3504
3505             Note that it is particularly important not to allow write  access
3506             to  the  [netlogon]  share, or to grant users write permission on
3507             the batch files in a secure environment, as this would allow  the
3508             batch  files  to  be  arbitrarily  modified  and  security  to be
3509             breached.
3510
3511             This option takes the standard  substitutions,  allowing  you  to
3512             have separate logon scripts for each user or machine.
3513
3514             This option is only useful if Samba is set up as a logon server.
3515
3516             Default: logon script =
3517
3518             Example: logon script = scripts\%U.bat
3519
3520          lppause command (S)
3521             This parameter specifies the command to be executed on the server
3522             host in order to stop printing or spooling a specific print job.
3523
3524             This command should be a program or script which takes a  printer
3525             name and job number to pause the print job. One way of implement‐
3526             ing this is by using job priorities, where jobs having a too  low
3527             priority won't be sent to the printer.
3528
3529             If  a %p is given then the printer name is put in its place. A %j
3530             is replaced with the job number (an integer). On HPUX (see print‐
3531             ing=hpux  ),  if the -p%p option is added to the lpq command, the
3532             job will show up with the correct status, i.e. if the job  prior‐
3533             ity  is lower than the set fence priority it will have the PAUSED
3534             status, whereas if the priority is equal or higher it  will  have
3535             the SPOOLED or PRINTING status.
3536
3537             Note that it is good practice to include the absolute path in the
3538             lppause command as the PATH may not be available to the server.
3539
3540             Default: lppause command = # Currently no default value is given
3541             to this string, unless the value of the printing parameter is
3542             SYSV, in which case the default is: lp -i %p-%j -H hold or
3543             if the value of the printing parameter is SOFTQ, then
3544             the default is: qstat -s -j%j -h.
3545
3546             Example: lppause command = /usr/bin/lpalt %p-%j -p0
3547
3548          lpq cache time (G)
3549             This controls how long lpq info will be cached for to prevent the
3550             lpq  command being called too often. A separate cache is kept for
3551             each variation of the lpq command used by the system, so  if  you
3552             use  different  lpq  commands for different users then they won't
3553             share cache information.
3554
3555             The cache files are stored in /tmp/lpq.xxxx where xxxx is a  hash
3556             of the lpq command in use.
3557
3558             The  default  is 30 seconds, meaning that the cached results of a
3559             previous identical lpq command will be used if the cached data is
3560             less  than 30 seconds old. A large value may be advisable if your
3561             lpq command is very slow.
3562
3563             A value of 0 will disable caching completely.
3564
3565             Default: lpq cache time = 30
3566
3567             Example: lpq cache time = 10
3568
3569          lpq command (S)
3570             This parameter specifies the command to be executed on the server
3571             host in order to obtain lpq-style printer status information.
3572
3573             This  command should be a program or script which takes a printer
3574             name as its only parameter and outputs  printer  status  informa‐
3575             tion.
3576
3577             Currently  nine  styles  of  printer  status information are sup‐
3578             ported; BSD, AIX, LPRNG, PLP, SYSV, HPUX, QNX, CUPS,  and  SOFTQ.
3579             This covers most UNIX systems. You control which type is expected
3580             using the printing = option.
3581
3582             Some clients (notably Windows for Workgroups) may  not  correctly
3583             send  the  connection  number for the printer they are requesting
3584             status information about. To get around this, the server  reports
3585             on  the  first  printer  service connected to by the client. This
3586             only happens if the connection number sent is invalid.
3587
3588             If a %p is given then the printer name is put in its place.  Oth‐
3589             erwise it is placed at the end of the command.
3590
3591             Note that it is good practice to include the absolute path in the
3592             lpq command as the $PATH may not be available to the server. When
3593             compiled  with  the  CUPS  libraries,  no  lpq  command is needed
3594             because smbd will make a library call to obtain the  print  queue
3595             listing.
3596
3597             Default: lpq command =
3598
3599             Example: lpq command = /usr/bin/lpq -P%p
3600
3601          lpresume command (S)
3602             This parameter specifies the command to be executed on the server
3603             host in order to restart or continue printing or spooling a  spe‐
3604             cific print job.
3605
3606             This  command should be a program or script which takes a printer
3607             name and job number to resume the print job. See also the lppause
3608             command parameter.
3609
3610             If  a %p is given then the printer name is put in its place. A %j
3611             is replaced with the job number (an integer).
3612
3613             Note that it is good practice to include the absolute path in the
3614             lpresume command as the PATH may not be available to the server.
3615
3616             See also the printing parameter.
3617
3618             Default:  Currently  no  default  value  is given to this string,
3619             unless the value of the printing parameter is SYSV, in which case
3620             the default is :
3621
3622             lp -i %p-%j -H resume
3623
3624             or  if  the  value  of  the printing parameter is SOFTQ, then the
3625             default is:
3626
3627             qstat -s -j%j -r
3628
3629             Default: lpresume command =
3630             Example: lpresume command = /usr/bin/lpalt %p-%j -p2
3631
3632          lprm command (S)
3633             This parameter specifies the command to be executed on the server
3634             host in order to delete a print job.
3635
3636             This command should be a program or script which takes a  printer
3637             name and job number, and deletes the print job.
3638
3639             If  a %p is given then the printer name is put in its place. A %j
3640             is replaced with the job number (an integer).
3641
3642             Note that it is good practice to include the absolute path in the
3643             lprm command as the PATH may not be available to the server.
3644
3645             Examples of use are:
3646
3647
3648
3649
3650             lprm command = /usr/bin/lprm -P%p %j
3651
3652             or
3653
3654             lprm command = /usr/bin/cancel %p-%j
3655
3656
3657
3658             Default: lprm command = determined by printing parameter
3659
3660          machine password timeout (G)
3661             If  a  Samba  server  is a member of a Windows NT Domain (see the
3662             security = domain parameter) then  periodically  a  running  smbd
3663             process  will  try and change the MACHINE ACCOUNT PASSWORD stored
3664             in the TDB called private/secrets.tdb . This parameter  specifies
3665             how  often this password will be changed, in seconds. The default
3666             is one week (expressed in seconds), the  same  as  a  Windows  NT
3667             Domain member server.
3668
3669             See also smbpasswd(8), and the security = domain parameter.
3670
3671             Default: machine password timeout = 604800
3672
3673          magic output (S)
3674             This  parameter  specifies  the name of a file which will contain
3675             output created by a magic script (see the magic script  parameter
3676             below).
3677
3678             Warning
3679             If two clients use the same magic script in the same directory the output file content is undefined.
3680
3681             Default: magic output = <magic script name>.out
3682
3683             Example: magic output = myfile.txt
3684
3685          magic script (S)
3686             This  parameter  specifies  the  name of a file which, if opened,
3687             will be executed by the server when  the  file  is  closed.  This
3688             allows a UNIX script to be sent to the Samba host and executed on
3689             behalf of the connected user.
3690
3691             Scripts executed in this way  will  be  deleted  upon  completion
3692             assuming that the user has the appropriate level of privilege and
3693             the file permissions allow the deletion.
3694
3695             If the script generates output, output will be sent to  the  file
3696             specified by the magic output parameter (see above).
3697
3698             Note  that some shells are unable to interpret scripts containing
3699             CR/LF instead of CR as the end-of-line marker. Magic scripts must
3700             be  executable  as  is on the host, which for some hosts and some
3701             shells will require filtering at the DOS end.
3702
3703             Magic scripts are EXPERIMENTAL and should NOT be relied upon.
3704
3705             Default: magic script =
3706
3707             Example: magic script = user.csh
3708
3709          mangled map (S)
3710             This is for those who want to directly map UNIX file names  which
3711             cannot  be  represented  on Windows/DOS. The mangling of names is
3712             not always what is needed. In particular you may  have  documents
3713             with  file extensions that differ between DOS and UNIX. For exam‐
3714             ple, under UNIX it is common to use .html for HTML files, whereas
3715             under Windows/DOS .htm is more commonly used.
3716
3717             So to map html to htm you would use:
3718
3719
3720             mangled map = (*.html *.htm).
3721
3722             One very useful case is to remove the annoying ;1 off the ends of
3723             filenames on some CDROMs (only visible under some UNIXes). To  do
3724             this use a map of (*;1 *;).
3725
3726             Default: mangled map = # no mangled map
3727
3728             Example: mangled map = (*;1 *;)
3729
3730          mangled names (S)
3731             This  controls  whether non-DOS names under UNIX should be mapped
3732             to DOS-compatible names ("mangled") and made visible, or  whether
3733             non-DOS names should simply be ignored.
3734
3735             See  the  section  on name mangling for details on how to control
3736             the mangling process.
3737
3738             If mangling is used then the mangling algorithm is as follows:
3739
3740                ·  The first (up to) five alphanumeric characters  before  the
3741                   rightmost  dot  of  the  filename  are preserved, forced to
3742                   upper case, and appear as the first (up to) five characters
3743                   of the mangled name.
3744
3745                ·  A  tilde  "~"  is appended to the first part of the mangled
3746                   name, followed by a two-character unique sequence, based on
3747                   the  original  root name (i.e., the original filename minus
3748                   its final extension). The final extension  is  included  in
3749                   the  hash  calculation  only  if it contains any upper case
3750                   characters or is longer than three characters.
3751
3752                   Note that the character to use may be specified  using  the
3753                   mangling char option, if you don't like '~'.
3754
3755                ·  Files  whose  UNIX name begins with a dot will be presented
3756                   as DOS hidden files. The mangled name will  be  created  as
3757                   for  other  filenames, but with the leading dot removed and
3758                   "___" as its extension regardless of actual original exten‐
3759                   sion (that's three underscores).
3760
3761                The  two-digit  hash value consists of upper case alphanumeric
3762                characters.
3763
3764                This algorithm can cause name collisions only if  files  in  a
3765                directory  share  the same first five alphanumeric characters.
3766                The probability of such a clash is 1/1300.
3767
3768                The name mangling (if enabled) allows  a  file  to  be  copied
3769                between  UNIX directories from Windows/DOS while retaining the
3770                long UNIX filename. UNIX files can be renamed to a new  exten‐
3771                sion  from Windows/DOS and will retain the same basename. Man‐
3772                gled names do not change between sessions.
3773
3774                Default: mangled names = yes
3775
3776          mangle prefix (G)
3777             Controls the number of prefix characters from the original name
3778             used  when generating the mangled names. A larger value will give
3779             a weaker hash and therefore more  name  collisions.  The  minimum
3780             value is 1 and the maximum value is 6.
3781
3782             mangle prefix is effective only when mangling method is hash2.
3783
3784             Default: mangle prefix = 1
3785
3786             Example: mangle prefix = 4
3787
3788          mangling char (S)
3789             This  controls  what  character is used as the magic character in
3790             name mangling. The default is a '~' but this may  interfere  with
3791             some  software. Use this option to set it to whatever you prefer.
3792             This is effective only when mangling method is hash.
3793
3794             Default: mangling char = ~
3795
3796             Example: mangling char = ^
3797
3798          mangling method (G)
3799             Controls the algorithm used for generating the mangled names.
3800             Can take two different values, "hash" and "hash2". "hash" is the
3801             algorithm that was used in Samba for many years and was the
3802             default in Samba 2.2.x. "hash2" is now the default and is newer
3803             and considered a better algorithm (generates fewer collisions) in
3804             the names. Many Win32 applications store the mangled names and so
3805             changing algorithms must not be done lightly as these
3806             applications may break unless reinstalled.
3807
3808             Default: mangling method = hash2
3809
3810             Example: mangling method = hash
3811
3812          map acl inherit (S)
3813             This  boolean  parameter controls whether smbd(8) will attempt to
3814             map the 'inherit' and  'protected'  access  control  entry  flags
3815             stored   in  Windows  ACLs  into  an  extended  attribute  called
3816             user.SAMBA_PAI. This parameter only  takes  effect  if  Samba  is
3817             being  run on a platform that supports extended attributes (Linux
3818             and IRIX so far) and allows the Windows 2000 ACL editor  to  cor‐
3819             rectly use inheritance with the Samba POSIX ACL mapping code.
3820
3821             Default: map acl inherit = no
3822
3823          map archive (S)
3824             This  controls whether the DOS archive attribute should be mapped
3825             to the UNIX owner execute bit. The DOS archive bit is set when  a
3826             file has been modified since its last backup. One motivation for
3827             this option is to keep Samba/your PC from making any file it
3828             touches executable under UNIX. This can be quite
3829             annoying for shared source code, documents, etc...
3830
3831             Note that this requires the create mask parameter to be set  such
3832             that  owner  execute  bit is not masked out (i.e. it must include
3833             100). See the parameter create mask for details.
3834
3835             Default: map archive = yes
3836
3837          map hidden (S)
3838             This controls whether DOS style hidden files should be mapped  to
3839             the UNIX world execute bit.
3840
3841             Note  that  this requires the create mask to be set such that the
3842             world execute bit is not masked out (i.e. it must  include  001).
3843             See the parameter create mask for details.
3844
3845             No default
3846
3847          map read only (S)
3848             This  controls  how  the DOS read only attribute should be mapped
3849             from a UNIX filesystem.
3850
3851             This parameter  can  take  three  different  values,  which  tell
3852             smbd(8)  how  to  display the read only attribute on files, where
3853             either store  dos  attributes  is  set  to  No,  or  no  extended
3854             attribute  is present. If store dos attributes is set to yes then
3855             this parameter is ignored. This is a new parameter introduced  in
3856             Samba version 3.0.21.
3857
3858             The three settings are :
3859
3862                ·  Yes - The read only DOS attribute is mapped to the inverse
3863                   of the user or owner write bit in the unix permission mode
3864                   set. If the owner write bit is not set, the read only
3865                   attribute is reported as being set on the file.
3866
3869                ·  Permissions - The read only DOS attribute is mapped to the
3870                   effective permissions of the connecting user, as evaluated
3871                   by smbd(8) by reading the unix permissions and POSIX ACL
3872                   (if present). If the connecting user does not have
3873                   permission to modify the file, the read only attribute is
3874                   reported as being set on the file.
3875
3878                ·  No - The read only DOS attribute is unaffected by
3879                   permissions, and can only be set by the store dos attributes
3880                   method. This may be useful for exporting mounted CDs.
3881
3882                Default: map read only = yes
3883
3884          map system (S)
3885             This  controls whether DOS style system files should be mapped to
3886             the UNIX group execute bit.
3887
3888             Note that this requires the create mask to be set such  that  the
3889             group  execute  bit is not masked out (i.e. it must include 010).
3890             See the parameter create mask for details.
3891
3892             Default: map system = no
3893
3894          map to guest (G)
3895             This parameter is only useful in security modes other than
3896             security = share and security = server, i.e. user and
3897             domain.
3898
3899             This parameter can take four different values, which tell smbd(8)
3900             what to do with user login requests that don't match a valid UNIX
3901             user in some way.
3902
3903             The four settings are :
3904
3905                ·  Never - Means user login requests with an invalid  password
3906                   are rejected. This is the default.
3907
3908                ·  Bad  User  - Means user logins with an invalid password are
3909                   rejected, unless the username does not exist, in which case
3910                   it  is  treated  as a guest login and mapped into the guest
3911                   account.
3912
3913                ·  Bad Password - Means user logins with an  invalid  password
3914                   are  treated  as  a  guest  login and mapped into the guest
3915                   account. Note that this can cause problems as it means that
3916                   any user incorrectly typing their password will be silently
3917                   logged on as "guest" - and will not know  the  reason  they
3918                   cannot  access  files  they  think they should - there will
3919                   have been no message given to  them  that  they  got  their
3920                   password  wrong. Helpdesk services will hate you if you set
3921                   the map to guest parameter this way :-).
3922
3923                ·  Bad Uid - Is only applicable when Samba  is  configured  in
3924                   some type of domain mode security (security = {domain|ads})
3925                   and means that user logins which are successfully authenti‐
3926                   cated  but  which have no valid Unix user account (and smbd
3927                   is unable to create one) should be mapped  to  the  defined
3928                   guest  account.  This was the default behavior of Samba 2.x
3929                   releases. Note that if a member server is running winbindd,
3930                   this  option  should never be required because the nss_win‐
3931                   bind library will  export  the  Windows  domain  users  and
3932                   groups  to  the  underlying  OS via the Name Service Switch
3933                   interface.
3934
3935                Note that this parameter is needed to  set  up  "Guest"  share
3936                services  when  using  security  modes  other  than  share and
3937                server. This is  because  in  these  modes  the  name  of  the
3938                resource being requested is not sent to the server until after
3939                the server has successfully authenticated the  client  so  the
3940                server  cannot  make  authentication  decisions at the correct
3941                time (connection to the share) for "Guest" shares. This param‐
3942                eter  is not useful with security = server as in this security
3943                mode no information is returned about  whether  a  user  logon
3944                failed  due  to a bad username or bad password, the same error
3945                is returned from a modern server in both cases.
3946
3947                For people familiar with the older Samba releases, this param‐
3948                eter maps to the old compile-time setting of the
3949                 GUEST_SESSSETUP value in local.h.
3950
3951                Default: map to guest = Never
3952
3953                Example: map to guest = Bad User
3954
3955          max connections (S)
3956             This  option  allows  the number of simultaneous connections to a
3957             service to be limited. If max connections is greater than 0  then
3958             connections  will be refused if this number of connections to the
3959             service are already open. A value of zero means an unlimited
3960             number of connections may be made.
3961
3962             Record  lock  files  are used to implement this feature. The lock
3963             files will be stored in  the  directory  specified  by  the  lock
3964             directory option.
3965
3966             Default: max connections = 0
3967
3968             Example: max connections = 10
3969
3970          max disk size (G)
3971             This option allows you to put an upper limit on the apparent size
3972             of disks. If you set this option to  100  then  all  shares  will
3973             appear to be not larger than 100 MB in size.
3974
3975             Note  that  this option does not limit the amount of data you can
3976             put on the disk. In the above case you  could  still  store  much
3977             more  than  100 MB on the disk, but if a client ever asks for the
3978             amount of free disk space or the total disk size then the  result
3979             will be bounded by the amount specified in max disk size.
3980
3981             This  option  is  primarily  useful  to  work around bugs in some
3982             pieces of software that can't handle very large  disks,  particu‐
3983             larly disks over 1GB in size.
3984
3985             A max disk size of 0 means no limit.
3986
3987             Default: max disk size = 0
3988
3989             Example: max disk size = 1000
3990
3991          max log size (G)
3992             This  option (an integer in kilobytes) specifies the max size the
3993             log file should grow to. Samba periodically checks the  size  and
3994             if  it  is exceeded it will rename the file, adding a .old exten‐
3995             sion.
3996
3997             A size of 0 means no limit.
3998
3999             Default: max log size = 5000
4000
4001             Example: max log size = 1000
4002
4003          max mux (G)
4004             This option controls the maximum number of outstanding simultane‐
4005             ous SMB operations that Samba tells the client it will allow. You
4006             should never need to set this parameter.
4007
4008             Default: max mux = 50
4009
4010          max open files (G)
4011             This parameter limits the maximum number of open files  that  one
4012             smbd(8)  file  serving  process may have open for a client at any
4013             one time. The  default  for  this  parameter  is  set  very  high
4014             (10,000) as Samba uses only one bit per unopened file.
4015
4016             The  limit of the number of open files is usually set by the UNIX
4017             per-process file descriptor limit rather than this  parameter  so
4018             you should never need to touch this parameter.
4019
4020             Default: max open files = 10000
4021
4022          max print jobs (S)
4023             This  parameter  limits the maximum number of jobs allowable in a
4024             Samba printer queue at  any  given  moment.  If  this  number  is
4025             exceeded, smbd(8) will report "Out of Space" to the client.
4026
4027             Default: max print jobs = 1000
4028
4029             Example: max print jobs = 5000
4030
4031          protocol
4032             This parameter is a synonym for max protocol.
4033
4034          max protocol (G)
4035             The  value  of  the  parameter (a string) is the highest protocol
4036             level that will be supported by the server.
4037
4038             Possible values are :
4039
4040                ·  CORE: Earliest version. No concept of user names.
4041
4042                ·  COREPLUS: Slight improvements on CORE for efficiency.
4043
4044                ·  LANMAN1: First modern version of the protocol. Long filename
4045                   support.
4046
4047                ·  LANMAN2: Updates to Lanman1 protocol.
4048
4049                ·  NT1: Current up to date version of the  protocol.  Used  by
4050                   Windows NT. Known as CIFS.
4051
4052                Normally  this option should not be set as the automatic nego‐
4053                tiation phase in the SMB protocol takes care of  choosing  the
4054                appropriate protocol.
4055
4056                Default: max protocol = NT1
4057
4058                Example: max protocol = LANMAN1
4059
4060          max reported print jobs (S)
4061             This  parameter  limits the maximum number of jobs displayed in a
4062             port monitor for Samba printer queue at any given moment. If this
4063             number is exceeded, the excess jobs will not be shown. A value of
4064             zero means there  is  no  limit  on  the  number  of  print  jobs
4065             reported.
4066
4067             Default: max reported print jobs = 0
4068
4069             Example: max reported print jobs = 1000
4070
4071          max smbd processes (G)
4072             This  parameter  limits  the  maximum number of smbd(8) processes
4073             concurrently running on a system and is intended as a stopgap  to
4074             prevent degrading service to clients in the event that the server
4075             has insufficient resources to handle more  than  this  number  of
4076             connections.  Remember  that  under  normal operating conditions,
4077             each user will have an smbd(8) associated with him or her to han‐
4078             dle connections to all shares from a given host.
4079
4080             Default: max smbd processes = 0
4081
4082             Example: max smbd processes = 1000
4083
4084          max stat cache size (G)
4085             This  parameter limits the size in memory of any stat cache being
4086             used to speed up case insensitive name mappings.  This  parameter
4087             is  the number of kilobyte (1024) units the stat cache can use. A
4088             value of zero means unlimited which is not  advised  as  it
4089             can  use  a  lot  of  memory.  You should not need to change this
4090             parameter.
4091
4092             Default: max stat cache size = 1024
4093
4094             Example: max stat cache size = 100
4095
4096          max ttl (G)
4097             This option tells nmbd(8) what the default 'time to live' of Net‐
4098             BIOS  names should be (in seconds) when nmbd is requesting a name
4099             using either a broadcast packet or from a WINS server. You should
4100             never need to change this parameter. The default is 3 days.
4101
4102             Default: max ttl = 259200
4103
4104          max wins ttl (G)
4105             This option tells smbd(8) when acting as a WINS server (wins sup‐
4106             port = yes) what the maximum 'time to live' of NetBIOS names that
4107             nmbd  will  grant  will be (in seconds). You should never need to
4108             change this parameter. The default is 6 days (518400 seconds).
4109
4110             Default: max wins ttl = 518400
4111
4112          max xmit (G)
4113             This option controls the maximum packet size that will be negoti‐
4114             ated  by  Samba. The default is 16644, which matches the behavior
4115             of Windows 2000. A value below 2048 is likely to cause  problems.
4116             You  should  never need to change this parameter from its default
4117             value.
4118
4119             Default: max xmit = 16644
4120
4121             Example: max xmit = 8192
4122
4123          message command (G)
4124             This specifies what command to run when  the  server  receives  a
4125             WinPopup style message.
4126
4127             This  would  normally be a command that would deliver the message
4128             somehow. How this is to be done is up to your imagination.
4129
4130             An example is:
4131
4132
4133
4134
4135             message command = csh -c 'xedit %s;rm %s' &
4136
4137
4138
4139             This delivers the message using xedit,  then  removes  it  after‐
4140             wards.   NOTE  THAT IT IS VERY IMPORTANT THAT THIS COMMAND RETURN
4141             IMMEDIATELY. That's why I have the '&' on the end. If it  doesn't
4142             return immediately then your PCs may freeze when sending messages
4143             (they should recover after 30 seconds, hopefully).
4144
4145             All messages are delivered as the global guest user. The  command
4146             takes the standard substitutions, although
4147              %u won't work (%U may be better in this case).
4148
4149             Apart  from  the  standard  substitutions,  some  additional ones
4150             apply. In particular:
4151
4152                ·  %s = the filename containing the message.
4153
4154                ·  %t = the destination that the message was sent to (probably
4155                   the server name).
4156
4157                ·  %f = who the message is from.
4158
4159                You  could make this command send mail, or whatever else takes
4160                your fancy. Please let us know of any really interesting ideas
4161                you have.
4162
4163                Here's a way of sending the messages as mail to root:
4164
4165
4166
4167
4168                message command = /bin/mail -s 'message from %f on %m' root < %s; rm %s
4169
4170
4171
4172                If  you don't have a message command then the message won't be
4173                delivered and Samba will tell the sender there was  an  error.
4174                Unfortunately  WfWg totally ignores the error code and carries
4175                on regardless, saying that the message was delivered.
4176
4177                If you want to silently delete it then try:
4178
4179
4180
4181
4182                message command = rm %s
4183
4184
4185
4186                Default: message command =
4187
4188                Example: message command = csh -c 'xedit %s; rm %s' &
4189
4190          min print space (S)
4191             This sets the minimum amount of free  disk  space  that  must  be
4192             available  before a user will be able to spool a print job. It is
4193             specified in kilobytes. The default is 0, which means a user  can
4194             always spool a print job.
4195
4196             Default: min print space = 0
4197
4198             Example: min print space = 2000
4199
4200          min protocol (G)
4201             The  value of the parameter (a string) is the lowest SMB protocol
4202             dialect that Samba will support. Please refer to the max protocol
4203             parameter for a list of valid protocol names and a brief descrip‐
4204             tion of each. You may also wish to refer to the C source code  in
4205             source/smbd/negprot.c  for  a  listing of known protocol dialects
4206             supported by clients.
4207
4208             If you are viewing this parameter  as  a  security  measure,  you
4209             should  also  refer  to the lanman auth parameter. Otherwise, you
4210             should never need to change this parameter.
4211
4212             Default: min protocol = CORE
4213
4214             Example: min protocol = NT1
4215
4216          min wins ttl (G)
4217             This option tells nmbd(8) when acting as a WINS server (wins sup‐
4218             port = yes) what the minimum 'time to live' of NetBIOS names that
4219             nmbd will grant will be (in seconds). You should  never  need  to
4220             change this parameter. The default is 6 hours (21600 seconds).
4221
4222             Default: min wins ttl = 21600
4223
4224          msdfs proxy (S)
4225             This parameter indicates that the share is a stand-in for another
4226             CIFS share whose location is specified by the value of the param‐
4227             eter.  When  clients  attempt  to connect to this share, they are
4228             redirected to the proxied share using the SMB-Dfs protocol.
4229
4230             Only Dfs roots can act as proxy shares. Take a look at the  msdfs
4231             root  and host msdfs options to find out how to set up a Dfs root
4232             share.
4233
4234             No default
4235
4236             Example: msdfs proxy = \\otherserver\someshare
4237
4238          msdfs root (S)
4239             If set to yes, Samba treats the share as a Dfs  root  and  allows
4240             clients  to browse the distributed file system tree rooted at the
4241             share directory. Dfs links are specified in the  share  directory
4242             by symbolic links of the form msdfs:serverA\shareA,serverB\shareB
4243             and so on. For more information on  setting  up  a  Dfs  tree  on
4244             Samba, refer to the MSDFS chapter in the Samba3-HOWTO book.
4245
4246             Default: msdfs root = no
4247
4248          name cache timeout (G)
4249             Specifies  the  number  of  seconds  it  takes  before entries in
4250             samba's hostname resolve cache time out. If the timeout is set to
4251             0, the caching is disabled.
4252
4253             Default: name cache timeout = 660
4254
4255             Example: name cache timeout = 0
4256
4257          name resolve order (G)
4258             This  option is used by the programs in the Samba suite to deter‐
4259             mine what naming services to use and in  what  order  to  resolve
4260             host names to IP addresses. Its main purpose is to control how
4261             netbios name resolution is performed. The option  takes  a  space
4262             separated string of name resolution options.
4263
4264             The  options  are:  "lmhosts",  "host",  "wins" and "bcast". They
4265             cause names to be resolved as follows:
4266
4269                ·  lmhosts : Lookup an IP address in the Samba  lmhosts  file.
4270                   If  the  line  in  lmhosts has no name type attached to the
4271                   NetBIOS name (see the manpage for lmhosts for details) then
4272                   any name type matches for lookup.
4273
4276                ·  host  :  Do  a standard host name to IP address resolution,
4277                   using the system /etc/hosts, NIS, or DNS lookups. This
4278                   method of name resolution is operating system dependent;
4279                   for instance, on IRIX or Solaris this may be controlled by the
4280                   /etc/nsswitch.conf file. Note that this method is used only
4281                   if the NetBIOS name type being queried is the 0x20 (server)
4282                   name  type or 0x1c (domain controllers). The latter case is
4283                   only useful for active directory domains and results  in  a
4284                   DNS query for the SRV RR entry matching _ldap._tcp.domain.
4285
4286                ·  wins  :  Query  a  name  with  the IP address listed in the
4287                   WINSSERVER parameter. If no WINS server has been  specified
4288                   this method will be ignored.
4289
4290                ·  bcast  :  Do  a broadcast on each of the known local inter‐
4291                   faces listed in the interfaces parameter. This is the least
4292                   reliable  of  the  name resolution methods as it depends on
4293                   the target host being on a locally connected subnet.
4294
4295                The example below will cause the  local  lmhosts  file  to  be
4296                examined first, followed by a broadcast attempt, followed by a
4297                normal system hostname lookup.
4298
4299                When Samba is functioning in ADS  security  mode  (security  =
4300                ads)  it is advised to use following settings for name resolve
4301                order:
4302
4303                name resolve order = wins bcast
4304
4305                DC lookups will still be done via DNS, but fallbacks  to  net‐
4306                bios  names  will  not inundate your DNS servers with needless
4307                queries for DOMAIN<0x1c> lookups.
4308
4309                Default: name resolve order = lmhosts host wins bcast
4310
4311                Example: name resolve order = lmhosts bcast host
4312
4313          netbios aliases (G)
4314             This is a list of NetBIOS names that nmbd will advertise as addi‐
4315             tional  names by which the Samba server is known. This allows one
4316             machine to appear in browse lists  under  multiple  names.  If  a
4317             machine  is  acting  as  a  browse server or logon server none of
4318             these names will be advertised as either browse server  or  logon
4319             servers,  only the primary name of the machine will be advertised
4320             with these capabilities.
4321
4322             Default: netbios aliases = # empty string (no additional names)
4323
4324             Example: netbios aliases = TEST TEST1 TEST2
4325
4326          netbios name (G)
4327             This sets the NetBIOS name by which a Samba server is  known.  By
4328             default  it  is the same as the first component of the host's DNS
4329             name. If a machine is a browse server or logon server  this  name
4330             (or  the  first component of the host's DNS name) will be the name
4331             that these services are advertised under.
4332
4333             There is a bug in Samba-3 that breaks operation of  browsing  and
4334             access  to  shares if the netbios name is set to the literal name
4335             PIPE. To avoid this problem, do  not  name  your  Samba-3  server
4336             PIPE.
4337
4338             Default: netbios name = # machine DNS name
4339
4340             Example: netbios name = MYNAME
4341
4342          netbios scope (G)
4343             This  sets  the NetBIOS scope that Samba will operate under. This
4344             should not be set unless every machine on your LAN also sets this
4345             value.
4346
4347             Default: netbios scope =
4348
4349          nis homedir (G)
4350             Get  the  home share server from a NIS map. For UNIX systems that
4351             use an automounter, the  user's  home  directory  will  often  be
4352             mounted on a workstation on demand from a remote server.
4353
4354             When  the  Samba  logon  server  is not the actual home directory
4355             server, but is mounting the home directories  via  NFS  then  two
4356             network hops would be required to access the user's home directory
4357             if the logon server told the client to  use  itself  as  the  SMB
4358             server for home directories (one over SMB and one over NFS). This
4359             can be very slow.
4360
4361             This option allows Samba to return the home share as being  on  a
4362             different  server to the logon server and as long as a Samba dae‐
4363             mon is running on the home directory server, it will  be  mounted
4364             on  the  Samba  client  directly  from the directory server. When
4365             Samba is returning the home share to the client, it will  consult
4366             the NIS map specified in homedir map and return the server listed
4367             there.
4368
4369             Note that for this option to work there must  be  a  working  NIS
4370             system and the Samba server with this option must also be a logon
4371             server.
4372
4373             Default: nis homedir = no
4374
4375          nt acl support (S)
4376             This boolean parameter controls whether smbd(8) will  attempt  to
4377             map  UNIX  permissions  into Windows NT access control lists. The
4378             UNIX permissions considered are the traditional  UNIX  owner
4379             and  group permissions, as well as POSIX ACLs set on any files or
4380             directories. This parameter was formerly a  global  parameter  in
4381             releases prior to 2.2.2.
4382
4383             Default: nt acl support = yes
4384
4385          ntlm auth (G)
4386             This  parameter determines whether or not smbd(8) will attempt to
4387             authenticate users using the NTLM encrypted password response. If
4388             disabled,  either  the lanman password hash or an NTLMv2 response
4389             will need to be sent by the client.
4390
4391             If this option, and lanman auth  are  both  disabled,  then  only
4392             NTLMv2  logins  will be permitted. Not all clients support NTLMv2,
4393             and most will require special configuration to use it.
4394
4395             Default: ntlm auth = yes
4396
4397          nt pipe support (G)
4398             This boolean parameter controls whether smbd(8) will  allow  Win‐
4399             dows  NT  clients  to  connect to the NT SMB specific IPC$ pipes.
4400             This is a developer debugging option and can be left alone.
4401
4402             Default: nt pipe support = yes
4403
4404          nt status support (G)
4405             This boolean parameter controls whether smbd(8) will negotiate NT
4406             specific  status support with Windows NT/2k/XP clients. This is a
4407             developer debugging option and should  be  left  alone.  If  this
4408             option  is set to no then Samba offers exactly the same DOS error
4409             codes that versions prior to Samba 2.2.3 reported.
4410
4411             You should not need to ever disable this parameter.
4412
4413             Default: nt status support = yes
4414
4415          null passwords (G)
4416             Allow or disallow client access to accounts that have null  pass‐
4417             words.
4418
4419             See also smbpasswd(5).
4420
4421             Default: null passwords = no
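
An added example, not part of the Samba documentation or source: a small auditor that reads smb.conf text using the FILE FORMAT rules and reports the authentication-related global settings described above (map to guest, min protocol, ntlm auth with lanman auth, null passwords). The names parse_smb_conf, audit and SAMPLE are hypothetical, the sample configuration is constructed, and skipping lines before the first section header is an assumption of this example.

```python
import re

# Defaults as stated on this manual page for the parameters checked below.
DEFAULTS = {"maptoguest": "Never", "minprotocol": "CORE",
            "ntlmauth": "yes", "nullpasswords": "no"}
PROTOCOLS = ["CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"]  # oldest first

# Constructed sample input, not taken from any real host.
SAMPLE = """\
; constructed example
[global]
   Map To Guest = Bad Password
   min protocol = LANMAN1
   NTLM auth = no
   null passwords = Yes
   message command = /bin/mail -s 'message from %f on %m' root \\
       < %s; rm %s

[homes]
   read only = no
"""


def norm(name):
    """Names are not case sensitive and whitespace in them is irrelevant."""
    return re.sub(r"\s+", "", name).lower()


def as_bool(value):
    """Booleans may be yes/no, 0/1 or true/false, in any case."""
    v = value.strip().lower()
    if v in ("yes", "1", "true"):
        return True
    if v in ("no", "0", "false"):
        return False
    raise ValueError("not a boolean: %r" % value)


def parse_smb_conf(text):
    """Return {section: {parameter: value}} per the FILE FORMAT rules."""
    logical, pending = [], ""
    for raw in text.splitlines():
        if raw.rstrip().endswith("\\"):      # continued on the next line
            pending += raw.rstrip()[:-1]
            continue
        logical.append(pending + raw)
        pending = ""
    if pending:
        logical.append(pending)
    conf, section = {}, None
    for line in logical:
        line = line.strip()
        if not line or line[0] in ";#":      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = norm(line[1:-1])
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            # Assumption of this example: lines before the first section
            # header are skipped. Only the first '=' is significant.
            name, value = line.split("=", 1)
            conf[section][norm(name)] = value.strip()
    return conf


def audit(text):
    """Return (parameter, finding) pairs for the [global] section."""
    g = parse_smb_conf(text).get("global", {})
    findings = []

    def get(key):
        return g.get(key, DEFAULTS[key])

    guest = norm(get("maptoguest"))
    if guest == "badpassword":
        findings.append(("map to guest", "a mistyped password is silently logged on as guest"))
    elif guest == "baduser":
        findings.append(("map to guest", "unknown usernames are mapped to the guest account"))
    minp = get("minprotocol").upper()
    if minp not in PROTOCOLS:
        findings.append(("min protocol", "unrecognised value %r" % minp))
    elif PROTOCOLS.index(minp) < PROTOCOLS.index("NT1"):
        findings.append(("min protocol", "dialects older than NT1 are accepted, lowest is " + minp))
    # NTLMv2-only logins need ntlm auth and lanman auth both disabled. The
    # lanman auth default is not given in this part of the page, so an
    # unset value is reported rather than guessed.
    lanman = g.get("lanmanauth")
    if as_bool(get("ntlmauth")) or lanman is None or as_bool(lanman):
        findings.append(("ntlm auth / lanman auth", "NTLMv2-only logins are not confirmed by this file"))
    if as_bool(get("nullpasswords")):
        findings.append(("null passwords", "accounts with null passwords are reachable"))
    return findings


if __name__ == "__main__":
    for parameter, finding in audit(SAMPLE):
        print("%-24s %s" % (parameter, finding))
```

A file that sets map to guest = Never, min protocol = NT1, ntlm auth = no, lanman auth = no and null passwords = no in [global] produces no findings.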
4422
4423          obey pam restrictions (G)
4424             When  Samba 3.0 is configured to enable PAM support (i.e. --with-
4425             pam), this parameter will control whether  or  not  Samba  should
4426             obey PAM's account and session management directives. The default
4427             behavior is to use PAM for clear text authentication only and  to
4428             ignore  any account or session management. Note that Samba always
4429             ignores PAM for authentication in the case of encrypt passwords =
4430             yes.  The  reason  is  that  PAM modules cannot support the chal‐
4431             lenge/response authentication mechanism needed in the presence of
4432             SMB password encryption.
4433
4434             Default: obey pam restrictions = no
4435
4436          only user (S)
4437             This  is  a boolean option that controls whether connections with
4438             usernames not in the user list will be allowed. By  default  this
4439             option  is  disabled so that a client can supply a username to be
4440             used by the server. Enabling this parameter will force the server
4441             to only use the login names from the user list and is only really
4442             useful in security = share level security.
4443
4444             Note that this also means Samba won't  try  to  deduce  usernames
4445             from  the service name. This can be annoying for the [homes] sec‐
4446             tion. To get around this you could use user = %S which means your
4447             user  list will be just the service name, which for home directo‐
4448             ries is the name of the user.
4449
4450             Default: only user = no
4451
4452          open files database hash size (G)
4453             This parameter was added in Samba 3.0.23.  This  is  an  internal
4454             tuning  parameter that sets the hash size of the tdb used for the
4455             open file databases. The presence of this parameter allows tuning
4456             of  the  system  for  very  large (thousands of concurrent users)
4457             Samba setups. The default setting of  this  parameter  should  be
4458             sufficient  for  most  normal  environments. It is advised not to
4459             change this parameter unless advised to by a Samba Team member.
4460
4461             Default: open files database hash size = 10007
4462
4463             Example: open files database hash size = 1338457
4464
4465          oplock break wait time (G)
4466             This is a tuning parameter added due to bugs in both  Windows  9x
4467             and  WinNT.  If  Samba responds to a client too quickly when that
4468             client issues an SMB that can cause an oplock break request, then
4469             the network client can fail and not respond to the break request.
4470             This tuning parameter (which  is  set  in  milliseconds)  is  the
4471             amount  of  time  Samba  will wait before sending an oplock break
4472             request to such (broken) clients.
4473
4474             Warning
4475             DO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ AND  UNDERSTOOD
4476             THE SAMBA OPLOCK CODE.

             Default: oplock break wait time = 0
4477
4478          oplock contention limit (S)
4479             This  is  a  very  advanced  smbd(8) tuning option to improve the
4480             efficiency of the granting of oplocks under multiple client  con‐
4481             tention for the same file.
4482
4483             In  brief it specifies a number, which causes smbd(8) not to grant
4484             an oplock even  when  requested  if  the  approximate  number  of
4485             clients  contending for an oplock on the same file goes over this
4486             limit. This causes smbd to behave in a similar way to Windows NT.
4487
4488             Warning
4489             DO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ AND  UNDERSTOOD
4490             THE SAMBA OPLOCK CODE.

             Default: oplock contention limit = 2
4491
4492          oplocks (S)
4493             This  boolean  option tells smbd whether to issue oplocks (oppor‐
4494             tunistic locks) to file open requests on this share.  The  oplock
4495             code  can dramatically (approx. 30% or more) improve the speed of
4496             access to files on  Samba  servers.  It  allows  the  clients  to
4497             aggressively cache files locally and you may want to disable this
4498             option for unreliable network environments (it is  turned  on  by
4499             default in Windows NT Servers). For more information see the file
4500             Speed.txt in the Samba docs/ directory.
4501
4502             Oplocks may be selectively turned off on  certain  files  with  a
4503             share.  See  the  veto  oplock  files  parameter. On some systems
4504             oplocks are recognized by the underlying operating  system.  This
4505             allows data synchronization between all access to oplocked files,
4506             whether it be via Samba or NFS or a local UNIX process.  See  the
4507             kernel oplocks parameter for details.
4508
4509             Default: oplocks = yes
4510
4511          os2 driver map (G)
4512             The  parameter is used to define the absolute path to a file con‐
4513             taining a mapping of Windows NT  printer  driver  names  to  OS/2
4514             printer driver names. The format is:
4515
4516             <nt driver name> = <os2 driver name>.<device name>
4517
4518             For example, a valid entry using the HP LaserJet 5 printer driver
4519             would appear as HP LaserJet 5L = LASERJET.HP LaserJet 5L.
4520
4521             The need for the file is due  to  the  printer  driver  namespace
4522             problem  described  in  the  chapter on Classical Printing in the
4523             Samba3-HOWTO book. For more details on OS/2 clients, please refer
4524             to chapter on other clients in the Samba3-HOWTO book.
4525
4526             Default: os2 driver map =
4527
4528          os level (G)
4529             This integer value controls what level Samba advertises itself as
4530             for browse elections. The  value  of  this  parameter  determines
4531             whether  nmbd(8)  has a chance of becoming a local master browser
4532             for the workgroup in the local broadcast area.
4533
4534             Note: By default, Samba will win a local master browsing election
4535             over all Microsoft operating systems except a Windows NT
4536             4.0/2000 Domain Controller. This means that a misconfigured Samba
4537             host can effectively isolate a subnet for browsing purposes. This
4538             parameter is  largely  auto-configured  in  the  Samba-3  release
4539             series  and  it  is  seldom  necessary  to manually over-ride the
4540             default setting. Please refer to chapter 9 of the  Samba-3  HOWTO
4541             document for further information regarding the use of this param‐
4542             eter.
4543
4544             Default: os level = 20
4545
4546             Example: os level = 65
4547
4548          pam password change (G)
4549             With the addition of better PAM support in Samba 2.2, it is
4550             possible to use PAM's password change control flag
4551             for Samba. If enabled, then PAM will be used for password changes
4552             when  requested by an SMB client instead of the program listed in
4553             passwd program. It should be  possible  to  enable  this  without
4554             changing your passwd chat parameter for most setups.
4555
4556             Default: pam password change = no
4557
4558          panic action (G)
4559             This  is a Samba developer option that allows a system command to
4560             be called when either smbd(8) or nmbd(8) crashes. This is usually
4561             used to draw attention to the fact that a problem occurred.
4562
4563             Default: panic action =
4564
4565             Example: panic action = "/bin/sleep 90000"
4566
4567          paranoid server security (G)
4568             Some versions of NT 4.x allow non-guest users with a bad password.
4569             When this option is enabled, Samba will not use a broken  NT  4.x
4570             server  as  password server, but instead complain to the logs and
4571             exit.
4572
4573             Disabling this option prevents  Samba  from  making  this  check,
4574             which involves deliberately attempting a bad logon to the remote
4575             server.
4576
4577             Default: paranoid server security = yes
4578
4579          passdb backend (G)
4580             This option allows the administrator to choose which backend will
4581             be  used  for  storing  user and possibly group information. This
4582             allows you to swap between different storage mechanisms without
4583             recompiling.
4584
4585             The  parameter  value  is  divided  into two parts, the backend's
4586             name, and a 'location' string that has meaning only to that
4587             particular backend. These are separated by a : character.
4588
4589             Available backends can include:
4590
4591                ·  smbpasswd  - The default smbpasswd backend. Takes a path to
4592                   the smbpasswd file as an optional argument.
4593
4594                ·  tdbsam - The TDB based password storage  backend.  Takes  a
4595                   path  to  the  TDB  as  an  optional  argument (defaults to
4596                   passdb.tdb in the private dir directory).
4597
4598                ·  ldapsam - The LDAP based passdb backend. Takes an LDAP  URL
4599                   as an optional argument (defaults to ldap://localhost).
4600
4601                   LDAP connections should be secured where possible. This may
4602                   be done using either Start-TLS (see ldap ssl) or by  speci‐
4603                   fying ldaps:// in the URL argument.
4604
4605                   Multiple servers may also be specified in double-quotes, if
4606                   your LDAP libraries support the LDAP URL notation (OpenLDAP
4607                   does).
4608
4612                Examples of use are:
4613
4615                passdb backend = tdbsam:/etc/samba/private/passdb.tdb
4616
4617                or
4618
4619                passdb backend = ldapsam:"ldap://ldap-1.example.com ldap://ldap-2.example.com"
4620
4621                Default: passdb backend = smbpasswd
4622
4623          passdb expand explicit (G)
4624             This parameter controls whether Samba substitutes %-macros in the
4625             passdb fields if they are  explicitly  set.  We  used  to  expand
4626             macros  here, but this turned out to be a bug because the Windows
4627             client can expand a variable %G_osver% in  which  %G  would  have
4628             been substituted by the user's primary group.
4629
4630             Default: passdb expand explicit = no
4631
4632          passwd chat (G)
4633             This  string  controls  the "chat" conversation that takes place
4634             between smbd(8) and the local password changing program to change
4635             the user's password. The string describes a sequence of response-
4636             receive pairs that smbd(8) uses to determine what to send to  the
4637             passwd program and what to expect back. If the expected output is
4638             not received then the password is not changed.
4639
4640             This chat sequence is often quite  site  specific,  depending  on
4641             what  local  methods  are  used for password control (such as NIS
4642             etc).
4643
4644             Note that this parameter is only used if the  unix  password
4645             sync  parameter  is  set  to yes. This sequence is then called AS
4646             ROOT when the  SMB  password  in  the  smbpasswd  file  is  being
4647             changed, without access to the old password cleartext. This means
4648             that root must be able to reset the user's password without know‐
4649             ing the text of the previous password. In the presence of NIS/YP,
4650             this means that the passwd program must be executed  on  the  NIS
4651             master.
4652
4653             The  string can contain the macro %n which is substituted for the
4654             new password. The chat sequence can also contain the standard
4655             macros \n, \r, \t and \s to give line-feed, carriage-return, tab and
4656             space. The chat sequence string can  also  contain  a  '*'  which
4657             matches  any sequence of characters. Double quotes can be used to
4658             collect strings with spaces in them into a single string.
4659
4660             If the send string in any part of the chat  sequence  is  a  full
4661             stop ".", then no string is sent. Similarly, if the expect string
4662             is a full stop then no string is expected.
4663
4664             If the pam password change parameter is  set  to  yes,  the  chat
4665             pairs  may  be matched in any order, and success is determined by
4666             the PAM result, not any particular output. The \n macro is ignored
4667             for PAM conversions.
4668
4669             Default:  passwd  chat  =  *new*password* %n\n*new*password* %n\n
4670             *changed*
4671
4672             Example: passwd chat = "*Enter OLD password*"  %o\n  "*Enter  NEW
4673             password*"   %n\n   "*Reenter   NEW  password*"  %n\n  "*Password
4674             changed*"
4675
4676          passwd chat debug (G)
4677             This boolean specifies if the passwd chat script parameter is run
4678             in  debug  mode.  In this mode the strings passed to and received
4679             from the passwd chat are printed in the smbd(8) log with a  debug
4680             level  of 100. This is a dangerous option as it will allow plain‐
4681             text passwords to be seen in the smbd log.  It  is  available  to
4682             help  Samba  admins  debug their passwd chat scripts when calling
4683             the passwd program and should be turned off after this  has  been
4684             done.  This  option  has  no  effect  if  the pam password change
4685             parameter is set. This parameter is off by default.
4686
4687             Default: passwd chat debug = no
4688
4689          passwd chat timeout (G)
4690             This integer specifies the number of seconds smbd will  wait  for
4691             an  initial  answer from a passwd chat script being run. Once the
4692             initial  answer  is  received  the  subsequent  answers  must  be
4693             received in one tenth of this time. The default is two seconds.
4694
4695             Default: passwd chat timeout = 2
4696
4697          passwd program (G)
4698             The  name  of  a  program that can be used to set UNIX user pass‐
4699             words. Any occurrences of %u will be replaced with the user name.
4700             The  user  name is checked for existence before calling the pass‐
4701             word changing program.
4702
4703             Also note that many passwd programs insist on reasonable passwords,
4704             such as a minimum length, or the inclusion of mixed case
4705             chars and digits. This can pose a problem as some  clients  (such
4706             as  Windows for Workgroups) uppercase the password before sending
4707             it.
4708
4709             Note that if the unix password sync parameter is set to yes  then
4710             this  program  is  called  AS ROOT before the SMB password in the
4711             smbpasswd file is changed. If this UNIX  password  change  fails,
4712             then  smbd  will fail to change the SMB password also (this is by
4713             design).
4714
4715             If the unix password sync parameter is set  this  parameter  MUST
4716             USE  ABSOLUTE PATHS for ALL programs called, and must be examined
4717             for security implications. Note that  by  default  unix  password
4718             sync is set to no.
4719
4720             Default: passwd program =
4721
4722             Example: passwd program = /bin/passwd %u
4723
4724          password level (G)
4725             Some  client/server  combinations have difficulty with mixed-case
4726             passwords. One offending client is Windows for Workgroups,  which
4727             for  some  reason  forces  passwords to upper case when using the
4728             LANMAN1 protocol, but leaves  them  alone  when  using  COREPLUS!
4729             Another  problem  child  is the Windows 95/98 family of operating
4730             systems. These clients upper case clear text passwords even  when
4731             NT LM 0.12 is selected by the protocol negotiation request/response.
4732
4733             This  parameter defines the maximum number of characters that may
4734             be upper case in passwords.
4735
4736             For example, say the password given was "FRED". If password
4737             level is set to 1, the following combinations would be
4738             tried if "FRED" failed:
4739
4740             "Fred", "fred", "fRed", "frEd", "freD"
4741
4742             If  password level was set to 2, the following combinations would
4743             also be tried:
4744
4745             "FRed", "FrEd", "FreD", "fREd", "fReD", "frED", ..
4746
4747             And so on.
4748
4749             The higher the value this parameter is set to, the more likely it is
4750             that  a mixed case password will be matched against a single case
4751             password. However, you should be aware that use of this parameter
4752             reduces  security  and  increases the time taken to process a new
4753             connection.
4754
4755             A value of zero will cause only two attempts to  be  made  -  the
4756             password as is and the password in all-lower case.
4757
4758             This  parameter  is used only when using plain-text passwords. It
4759             is not used at all when encrypted passwords are in use (that is
4760             the default since samba-3.0.0). Use this only when encrypt
4761             passwords = No.
4762
4763             Default: password level = 0
4764
4765             Example: password level = 4
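
The password level description above, modelled as an added example (not Samba's own code): it lists the candidates tried for one submitted password and shows how quickly the per-login attempt count grows and how case information in the stored password stops mattering. The function names and the exact ordering of attempts are assumptions made for illustration.

```python
from itertools import combinations
from math import comb


def candidates(submitted, level):
    """Passwords tried for one login under 'password level = level'.

    Order modelled on the text: the password as given, the all-lower-case
    form, then every variant with 1..level characters upper-cased.
    Duplicates (e.g. digits that have no upper-case form) are dropped.
    """
    lower = submitted.lower()
    tried = [submitted, lower]
    for size in range(1, level + 1):
        for positions in combinations(range(len(lower)), size):
            chars = list(lower)
            for i in positions:
                chars[i] = chars[i].upper()
            tried.append("".join(chars))
    return list(dict.fromkeys(tried))  # de-duplicate, keep first-seen order


def max_attempts(length, level):
    """Upper bound on password checks per login for a password of this length."""
    return 1 + sum(comb(length, k) for k in range(level + 1))


def accepts(stored, submitted, level):
    """True if a client sending 'submitted' would match the stored password."""
    return stored in candidates(submitted, level)


if __name__ == "__main__":
    print(candidates("FRED", 1))
    for level in range(0, 5):
        print(level, max_attempts(8, level))
    # A client that upper-cases everything still matches a mixed-case password
    # once the level covers the number of upper-case letters it contains.
    print(accepts("FrEd", "FRED", 1), accepts("FrEd", "FRED", 2))
```

For an eight-character password the bound rises from 2 checks at level 0 to 164 at level 4, which is the cost in connection time and in effective password strength that the text warns about.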
4766
4767          password server (G)
4768             By specifying the name of another SMB server or Active  Directory
4769             domain   controller  with  this  option,  and  using  security  =
4770             [ads|domain|server], it is possible to get Samba to do all its
4771             username/password validation using a specific remote server.
4772
4773             This option sets the name or IP address of the password server to
4774             use. New syntax has been added to support defining  the  port  to
4775             use when connecting to the server in the case of an ADS realm. To
4776             define a port other than the default LDAP port of  389,  add  the
4777             port  number  using  a  colon  after the name or IP address (e.g.
4778             192.168.1.100:389). If you do not specify a port, Samba will  use
4779             the standard LDAP port of tcp/389. Note that port numbers have no
4780             effect on password servers for Windows NT 4.0 domains or  netbios
4781             connections.
4782
4783             If the parameter is a name, it is looked up using the parameter name
4784             resolve order and so may be resolved by any method and order
4785             described in that parameter.
4786
4787             The  password  server  must  be  a  machine  capable of using the
4788             "LM1.2X002" or the "NT LM 0.12" protocol, and it must be in  user
4789             level security mode.
4790
4791             Note
4792             Using  a  password  server means your UNIX box (running Samba) is
4793             only as secure as your password server.  DO NOT CHOOSE A PASSWORD
4794             SERVER  THAT  YOU  DON'T  COMPLETELY  TRUST.  Never point a Samba
4795             server at itself for password serving. This will cause a loop and
4796             could lock up your Samba server!
4797
4798             The name of the password server takes the standard substitutions,
4799             but probably the only useful one is %m , which  means  the  Samba
4800             server  will  use  the incoming client as the password server. If
4801             you use this then you better trust your clients, and you had bet‐
4802             ter restrict them with hosts allow!
4803
4804             If  the security parameter is set to domain or ads, then the list
4805             of machines in this option must be a list of  Primary  or  Backup
4806             Domain  controllers  for  the Domain or the character '*', as the
4807             Samba server is effectively in that domain, and will use  crypto‐
4808             graphically authenticated RPC calls to authenticate the user log‐
4809             ging on. The advantage of using security = domain is that if  you
4810             list  several  hosts in the password server option then smbd will
4811             try each in turn till it finds one that responds. This is  useful
4812             in case your primary server goes down.
4813
4814             If  the  password server option is set to the character '*', then
4815             Samba will attempt to auto-locate the Primary  or  Backup  Domain
4816             controllers to authenticate against by doing a query for the name
4817             WORKGROUP<1C> and then contacting each  server  returned  in  the
4818             list of IP addresses from the name resolution source.
4819
4820             If the list of servers contains both names/IP's and the '*' char‐
4821             acter, the list is treated as a list  of  preferred  domain  con‐
4822             trollers,  but an auto lookup of all remaining DC's will be added
4823             to the list as well. Samba will not attempt to optimize this list
4824             by locating the closest DC.
4825
4826             If  the  security parameter is set to server, then there are dif‐
4827             ferent restrictions that security = domain doesn't suffer from:
4828
4829                ·  You may list  several  password  servers  in  the  password
4830                   server  parameter, however if an smbd makes a connection to
4831                   a password server, and then the password server  fails,  no
4832                   more users will be able to be authenticated from this smbd.
4833                   This is a restriction of  the  SMB/CIFS  protocol  when  in
4834                   security = server mode and cannot be fixed in Samba.
4835
4836                ·  If  you  are  using  a  Windows  NT server as your password
4837                   server then you will have to ensure  that  your  users  are
4838                   able  to login from the Samba server, as when in security =
4839                   server mode the network logon  will  appear  to  come  from
4840                   there rather than from the user's workstation.
4841
4842                Default: password server =
4843
4844                Example: password server = NT-PDC, NT-BDC1, NT-BDC2, *
4845
4846                Example:     password    server    =    windc.mydomain.com:389
4847                192.168.1.101 *
4848
4849                Example: password server = *
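
A configuration check for the password-related warnings above (passwd chat debug, passwd program, password level, password server), added here as an example and not part of Samba or this manual page. The parser follows the FILE FORMAT rules; the function names and both sample configurations are constructed for illustration, and synonyms of hosts allow are not handled.

```python
import re

TRUE_VALUES = {"yes", "true", "1"}  # boolean spellings listed under FILE FORMAT


def norm(name):
    """Section and parameter names ignore case and all whitespace."""
    return "".join(name.lower().split())


def parse_smb_conf(text):
    """Return {section: {parameter: value}} following the FILE FORMAT rules."""
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw
        pending = ""
        if line.endswith("\\"):              # trailing backslash continues the line
            pending = line[:-1]
            continue
        line = line.strip()
        if not line or line[0] in ";#":      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = norm(line[1:-1])
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            name, value = line.split("=", 1)  # only the first '=' is significant
            sections[current][norm(name)] = value.strip()
    return sections


def audit_global(conf):
    """Return (parameter, reason) findings for the [global] section."""
    g = conf.get("global", {})

    def get(key):
        return g.get(norm(key), "")

    def yes(key):
        return get(key).lower() in TRUE_VALUES

    findings = []
    # Chat debugging logs the strings exchanged, new password included;
    # the text says it has no effect when PAM handles the change.
    if yes("passwd chat debug") and not yes("pam password change"):
        findings.append(("passwd chat debug",
                         "plaintext passwords can appear in the smbd log"))
    try:
        level = int(get("password level") or 0)
    except ValueError:
        level = 0
    if level > 0:
        findings.append(("password level",
                         f"case variants with up to {level} upper-case letters are accepted"))
    # With unix password sync the program runs as root: every command in the
    # string must be given by absolute path.
    if yes("unix password sync"):
        for segment in re.split(r"[;|&]+", get("passwd program")):
            words = segment.split()
            if words and not words[0].startswith("/"):
                findings.append(("passwd program",
                                 f"'{words[0]}' is run as root without an absolute path"))
    # %m makes the connecting client its own password server.
    if "%m" in get("password server") and not get("hosts allow"):
        findings.append(("password server",
                         "%m trusts the incoming client and hosts allow is not set"))
    return findings


# Constructed sample configurations, not taken from a real host.
SAMPLE_WEAK = r"""
[global]
   Unix Password Sync = Yes
   passwd program = passwd %u
   passwd chat = *new*password* %n\n \
                 *new*password* %n\n *changed*
   PASSWD CHAT DEBUG = true
   password level = 4
   password server = %m
; hosts allow = 192.168.1.
[homes]
   read only = no
"""

SAMPLE_HARDENED = r"""
[global]
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat debug = no
   password level = 0
   password server = NT-PDC, NT-BDC1, *
"""

if __name__ == "__main__":
    for name, reason in audit_global(parse_smb_conf(SAMPLE_WEAK)):
        print(f"{name}: {reason}")
```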
4850
4851          directory
4852             This parameter is a synonym for path.
4853
4854          path (S)
4855             This parameter specifies a directory to which  the  user  of  the
4856             service is to be given access. In the case of printable services,
4857             this is where print data will spool prior to being  submitted  to
4858             the host for printing.
4859
4860             For a printable service offering guest access, the service should
4861             be readonly and the path should be world-writeable and  have  the
4862             sticky bit set. This is not mandatory of course, but you probably
4863             won't get the results you expect if you do otherwise.
4864
4865             Any occurrences of %u in the path will be replaced with the  UNIX
4866             username  that the client is using on this connection. Any occur‐
4867             rences of %m will be replaced by the NetBIOS name of the  machine
4868             they  are connecting from. These replacements are very useful for
4869             setting up pseudo home directories for users.
4870
4871             Note that this path will be based on root dir if one  was  speci‐
4872             fied.
4873
4874             Default: path =
4875
4876             Example: path = /home/fred
4877
4878          pid directory (G)
4879             This  option  specifies  the  directory  where  pid files will be
4880             placed.
4881
4882             Default: pid directory = ${prefix}/var/locks
4883
4884             Example: pid directory = /var/run/
4885
4886          posix locking (S)
4887             The smbd(8) daemon maintains a database of file  locks  obtained
4888             by  SMB  clients.  The  default  behavior is to map this internal
4889             database to POSIX locks. This means that file locks  obtained  by
4890             SMB  clients  are  consistent  with those seen by POSIX compliant
4891             applications accessing the files via a non-SMB method  (e.g.  NFS
4892             or  local  file  access).  You  should never need to disable this
4893             parameter.
4894
4895             Default: posix locking = yes
4896
4897          postexec (S)
4898             This option specifies a command to be run whenever the service is
4899             disconnected.  It  takes the usual substitutions. The command may
4900             be run as the root on some systems.
4901
4902             An interesting example may be to unmount server resources:
4903
4904             postexec = /etc/umount /cdrom
4905
4906             Default: postexec =
4907
4908             Example: postexec = echo \"%u disconnected from %S from %m (%I)\"
4909             >> /tmp/log
4910
4911          exec
4912             This parameter is a synonym for preexec.
4913
4914          preexec (S)
4915             This option specifies a command to be run whenever the service is
4916             connected to. It takes the usual substitutions.
4917
4918             An interesting example is to send the  users  a  welcome  message
4919             every  time  they  log in. Maybe a message of the day? Here is an
4920             example:
4921
4922
4923             preexec   =   csh    -c    'echo    \"Welcome    to    %S!\"    |
4924             /usr/local/samba/bin/smbclient -M %m -I %I' &
4925
4926             Of course, this could get annoying after a while :-)
4927
4928             See also preexec close and postexec.
4929
4930             Default: preexec =
4931
4932             Example:  preexec  =  echo \"%u connected to %S from %m (%I)\" >>
4933             /tmp/log
4934
4935          preexec close (S)
4936             This boolean option controls whether a non-zero return code  from
4937             preexec should close the service being connected to.
4938
4939             Default: preexec close = no
4940
4941          prefered master
4942             This parameter is a synonym for preferred master.
4943
4944          preferred master (G)
4945             This  boolean parameter controls if nmbd(8) is a preferred master
4946             browser for its workgroup.
4947
4948             If this is set to yes, on startup, nmbd will force  an  election,
4949             and  it  will have a slight advantage in winning the election. It
4950             is recommended that this parameter is used  in  conjunction  with
4951             domain master = yes, so that nmbd can guarantee becoming a domain
4952             master.
4953
4954             Use this option with caution, because if there are several  hosts
4955             (whether Samba servers, Windows 95 or NT) that are preferred mas‐
4956             ter browsers on the same subnet, they will each periodically  and
4957             continuously  attempt  to  become  the local master browser. This
4958             will result in unnecessary broadcast traffic and reduced browsing
4959             capabilities.
4960
4961             Default: preferred master = auto
4962
4963          auto services
4964             This parameter is a synonym for preload.
4965
4966          preload (G)
4967             This  is  a  list  of  services that you want to be automatically
4968             added to the browse lists. This is  most  useful  for  homes  and
4969             printers services that would otherwise not be visible.
4970
4971             Note  that  if  you  just want all printers in your printcap file
4972             loaded then the load printers option is easier.
4973
4974             Default: preload =
4975
4976             Example: preload = fred lp colorlp
4977
4978          preload modules (G)
4979             This is a list of paths to modules that  should  be  loaded  into
4980             smbd  before  a  client connects. This improves the speed of smbd
4981             when reacting to new connections somewhat.
4982
4983             Default: preload modules =
4984
4985             Example: preload modules = /usr/lib/samba/passdb/mysql.so
4986
4987          preserve case (S)
4988             This controls if new filenames are created with the case that the
4989             client passes, or if they are forced to be the default case.
4990
4991             See the section on NAME MANGLING for a fuller discussion.
4992
4993             Default: preserve case = yes
4994
4995          print ok
4996             This parameter is a synonym for printable.
4997
4998          printable (S)
4999             If  this  parameter  is  yes, then clients may open, write to and
5000             submit spool files on the directory specified for the service.
5001
5002             Note that a printable service will ALWAYS allow  writing  to  the
5003             service  path  (user  privileges  permitting) via the spooling of
5004             print data. The read only parameter  controls  only  non-printing
5005             access to the resource.
5006
5007             Default: printable = no
5008
5009          printcap cache time (G)
5010             This  option  specifies the number of seconds before the printing
5011             subsystem is again asked for the known printers. If the value  is
5012             greater  than 60 the initial waiting time is set to 60 seconds to
5013             allow an earlier first rescan of the printing subsystem.
5014
5015             Setting this parameter to 0 disables any rescanning  for  new  or
5016             removed printers after the initial startup.
5017
5018             Default: printcap cache time = 750
5019
5020             Example: printcap cache time = 600
5021
5022          printcap
5023             This parameter is a synonym for printcap name.
5024
5025          printcap name (S)
5026             This  parameter  may  be used to override the compiled-in default
5027             printcap name used by the server (usually
5028              /etc/printcap). See the discussion  of  the  [printers]  section
5029             above for reasons why you might want to do this.
5030
5031             To use the CUPS printing interface set printcap name = cups. This
5032             should be supplemented by an additional setting printing = cups in
5033             the  [global] section.  printcap name = cups will use the "dummy"
5034             printcap created by CUPS, as specified in your CUPS configuration
5035             file.
5036
5037             On  System  V  systems that use lpstat to list available printers
5038             you can use printcap name = lpstat to automatically obtain  lists
5039             of  available  printers.  This  is  the  default for systems that
5040             define SYSV at configure time in Samba (this includes most System
5041             V based systems). If
5042              printcap  name is set to lpstat on these systems then Samba will
5043             launch lpstat -v and attempt to parse  the  output  to  obtain  a
5044             printer list.
5045
5046             A minimal printcap file would look something like this:
5047
5048
5049
5050
5051             print1|My Printer 1
5052             print2|My Printer 2
5053             print3|My Printer 3
5054             print4|My Printer 4
5055             print5|My Printer 5
5056
5057             where  the  '|' separates aliases of a printer. The fact that the
5058             second alias has a space in it gives a hint to Samba that it's  a
5059             comment.
5060
5061             Note
5062             Under  AIX  the default printcap name is /etc/qconfig. Samba will
5063             assume the file is in AIX qconfig format if  the  string  qconfig
5064             appears  in  the  printcap  filename.

5065             Default: printcap name = /etc/printcap
5066
5067             Example: printcap name = /etc/myprintcap
5068
5069          print command (S)
5070             After a print job has finished spooling to a service,  this  com‐
5071             mand  will be used via a system() call to process the spool file.
5072             Typically the command specified will submit the spool file to the
5073             host's  printing subsystem, but there is no requirement that this
5074             be the case. The server will not remove the spool file, so  what‐
5075             ever command you specify should remove the spool file when it has
5076             been processed, otherwise you will need to  manually  remove  old
5077             spool files.
5078
5079             The print command is simply a text string. It will be used verba‐
5080             tim after macro substitutions have been made:
5081
5082             %s, %f - the path to the spool file name
5083
5084             %p - the appropriate printer name
5085
5086             %J - the job name as transmitted by the client.
5087
5088             %c - The number of printed pages of the spooled job (if known).
5089
5090             %z - the size of the spooled print job (in bytes)
5091
5092             The print command MUST contain at least one occurrence of  %s  or
5093             %f  -  the  %p is optional. At the time a job is submitted, if no
5094             printer name is supplied the %p will be silently removed from the
5095             printer command.
5096
5097             If  specified  in  the  [global] section, the print command given
5098             will be used for any printable service that does not have its own
5099             print command specified.
5100
5101             If  there  is  neither  a specified print command for a printable
5102             service nor a global print command, spool files will  be  created
5103             but not processed and (most importantly) not removed.
5104
5105             Note  that  printing  may  fail  on  some  UNIXes from the nobody
5106             account. If this happens then create an alternative guest account
5107             that can print and set the guest account in the [global] section.
5108
5109             You  can form quite complex print commands by realizing that they
5110             are just passed to a shell. For example the following will log  a
5111             print  job,  print the file, then remove it. Note that ';' is the
5112             usual separator for commands in shell scripts.
5113
5114             print command = echo Printing %s >> /tmp/print.log; lpr -P %p %s;
5115             rm %s
5116
5117             You  may  have to vary this command considerably depending on how
5118             you normally print files on your  system.  The  default  for  the
5119             parameter varies depending on the setting of the printing parame‐
5120             ter.
5121
5122             Default: For printing = BSD, AIX, QNX, LPRNG or PLP :
5123
5124             print command = lpr -r -P%p %s
5125
5126             For printing = SYSV or HPUX :
5127
5128             print command = lp -c -d%p %s; rm %s
5129
5130             For printing = SOFTQ :
5131
5132             print command = lp -d%p -s %s; rm %s
5133
5134             For printing = CUPS : If SAMBA is compiled against libcups,  then
5135             printcap  = cups uses the CUPS API to submit jobs, etc. Otherwise
5136             it maps to the System V commands with the -oraw option for print‐
5137             ing,  i.e. it uses lp -c -d%p -oraw; rm %s. With printing = cups,
5138             and if SAMBA is compiled against libcups, any manually set  print
5139             command will be ignored.
5140
5141             No default
5142
5143             Example: print command = /usr/local/samba/bin/myprintscript %p %s
5144
5145          printer admin (S)
5146             This  lists  users who can do anything to printers via the remote
5147             administration interfaces offered by MS-RPC (usually using  a  NT
5148             workstation).  This  parameter  can be set per-share or globally.
5149             Note: The root user always has admin rights. Use caution with use
5150             in the global stanza as this can cause side effects.
5151
5152             This  parameter  has been marked deprecated in favor of using the
5153             SePrintOperatorPrivilege and individual print  security  descrip‐
5154             tors. It will be removed in a future release.
5155
5156             Default: printer admin =
5157
5158             Example: printer admin = admin, @staff
5159
5160          printer
5161             This parameter is a synonym for printer name.
5162
5163          printer name (S)
5164             This  parameter  specifies the name of the printer to which print
5165             jobs spooled through a printable service will be sent.
5166
5167             If specified in the [global] section, the printer name given will
5168             be  used  for  any  printable  service that does not have its own
5169             printer name specified.
5170
5171             The default value of the printer name may be lp on many systems.
5172
5173             Default: printer name = none
5174
5175             Example: printer name = laserwriter
5176
5177          printing (S)
5178             This parameter controls how printer status information is
5179             interpreted on your system. It also affects the default values for the
5180             print command, lpq command, lppause command ,  lpresume  command,
5181             and lprm command if specified in the [global] section.
5182
5183             Currently  nine printing styles are supported. They are BSD, AIX,
5184             LPRNG, PLP, SYSV, HPUX, QNX, SOFTQ, and CUPS.
5185
5186             To see what the defaults are for the other  print  commands  when
5187             using the various options use the testparm(1) program.
5188
5189             This  option  can  be set on a per printer basis. Please be aware
5190             however, that you must place any of the various printing commands
5191             (e.g.  print  command,  lpq  command,  etc...) after defining the
5192             value for the printing option since it will  reset  the  printing
5193             commands to default values.
5194
5195             See also the discussion in the [printers] section.
5196
5197             No default
5198
5199          printjob username (S)
5200             This parameter specifies which user information will be passed to
5201             the printing system. Usually, the username is sent, but in some
5202             cases additional information, e.g. the domain prefix, is useful too.
5203
5204             Default: printjob username = %U
5205
5206             Example: printjob username = %D\%U
5207
5208          private dir (G)
5209             This parameter defines the directory smbd will use for storing
5210             such files as smbpasswd and secrets.tdb.
5211
5212             Default: private dir = ${prefix}/private
5213
5214          profile acls (S)
5215             This boolean parameter was added to fix the problems that  people
5216             have  been having with storing user profiles on Samba shares from
5217             Windows 2000 or Windows XP clients. New versions of Windows  2000
5218             or Windows XP service packs do security ACL checking on the owner
5219             and ability to write of the profile directory stored on  a  local
5220             workstation when copied from a Samba share.
5221
5222             When  not  in  domain  mode  with winbindd then the security info
5223             copied onto the local workstation has no meaning to the logged in
5224             user  (SID)  on  that  workstation  so the profile storing fails.
5225             Adding this parameter onto  a  share  used  for  profile  storage
5226             changes  two  things  about  the returned Windows ACL. Firstly it
5227             changes the owner and group  owner  of  all  reported  files  and
5228             directories  to  be BUILTIN\Administrators, BUILTIN\Users respec‐
5229             tively (SIDs S-1-5-32-544, S-1-5-32-545). Secondly it adds an ACE
5230             entry  of  "Full  Control"  to  the  SID  BUILTIN\Users  to every
5231             returned ACL. This will allow any Windows 2000 or XP  workstation
5232             user to access the profile.
5233
5234             Note  that if you have multiple users logging on to a workstation
5235             then in order to prevent them from being able to access each
5236             other's profiles you must remove the "Bypass traverse checking"
5237             advanced user right. This will prevent access to other users'
5238             profile directories as the top level profile directory (named after
5239             the user) is created by the workstation profile code and  has  an
5240             ACL restricting entry to the directory tree to the owning user.
5241
5242             Default: profile acls = no
5243
5244          queuepause command (S)
5245             This parameter specifies the command to be executed on the server
5246             host in order to pause the printer queue.
5247
5248             This command should be a program or script which takes a  printer
5249             name as its only parameter and stops the printer queue, such that
5250             jobs are no longer submitted to the printer.
5251
5252             This command is not supported by Windows for Workgroups, but  can
5253             be issued from the Printers window under Windows 95 and NT.
5254
5255             If  a %p is given then the printer name is put in its place. Oth‐
5256             erwise it is placed at the end of the command.
5257
5258             Note that it is good practice to include the absolute path in the
5259             command as the PATH may not be available to the server.
5260
5261             No default
5262
5263             Example: queuepause command = disable %p
5264
5265          queueresume command (S)
5266             This parameter specifies the command to be executed on the server
5267             host in order to resume the printer queue. It is the  command  to
5268             undo  the  behavior  that  is  caused  by  the previous parameter
5269             (queuepause command).
5270
5271             This command should be a program or script which takes a  printer
5272             name  as  its  only parameter and resumes the printer queue, such
5273             that queued jobs are resubmitted to the printer.
5274
5275             This command is not supported by Windows for Workgroups, but  can
5276             be issued from the Printers window under Windows 95 and NT.
5277
5278             If  a %p is given then the printer name is put in its place. Oth‐
5279             erwise it is placed at the end of the command.
5280
5281             Note that it is good practice to include the absolute path in the
5282             command as the PATH may not be available to the server.
5283
5284             Default: queueresume command =
5285
5286             Example: queueresume command = enable %p
5287
5288          read bmpx (G)
5289             This  boolean parameter controls whether smbd(8) will support the
5290             "Read Block Multiplex" SMB. This is now rarely used and  defaults
5291             to no. You should never need to set this parameter.
5292
5293             Default: read bmpx = no
5294
5295          read list (S)
5296             This is a list of users that are given read-only access to a ser‐
5297             vice. If the connecting user is in this list then they  will  not
5298             be given write access, no matter what the read only option is set
5299             to. The list can include group names using the  syntax  described
5300             in the invalid users parameter.
5301
5302             This  parameter  will not work with the security = share in Samba
5303             3.0. This is by design.
5304
5305             Default: read list =
5306
5307             Example: read list = mary, @students
5308
5309          read only (S)
5310             An inverted synonym is writeable.
5311
5312             If this parameter is yes, then users of a service may not  create
5313             or modify files in the service's directory.
5314
5315             Note that a printable service (printable = yes) will ALWAYS allow
5316             writing to the directory (user privileges permitting),  but  only
5317             via spooling operations.
5318
5319             Default: read only = yes
5320
5321          read raw (G)
5322             This  parameter  controls  whether or not the server will support
5323             the raw read SMB requests when transferring data to clients.
5324
5325             If enabled, raw reads allow reads of 65535 bytes in  one  packet.
5326             This typically provides a major performance benefit.
5327
5328             However,  some  clients either negotiate the allowable block size
5329             incorrectly or are incapable of supporting  larger  block  sizes,
5330             and for these clients you may need to disable raw reads.
5331
5332             In  general  this  parameter  should be viewed as a system tuning
5333             tool and left severely alone.
5334
5335             Default: read raw = yes
5336
5337          realm (G)
5338             This option specifies the kerberos realm to  use.  The  realm  is
5339             used  as  the ADS equivalent of the NT4 domain. It is usually set
5340             to the DNS name of the kerberos server.
5341
5342             Default: realm =
5343
5344             Example: realm = mysambabox.mycompany.com
5345
5346          remote announce (G)
5347             This option allows you to set up nmbd(8) to periodically announce
5348             itself  to  arbitrary  IP  addresses  with an arbitrary workgroup
5349             name.
5350
5351             This is useful if you want your  Samba  server  to  appear  in  a
5352             remote  workgroup  for  which the normal browse propagation rules
5353             don't work. The remote workgroup can be  anywhere  that  you  can
5354             send IP packets to.
5355
5356             For example:
5357
5358
5359
5360
5361             remote announce = 192.168.2.255/SERVERS 192.168.4.255/STAFF
5362
5363             The above line would cause nmbd to announce itself to the two
5364             given IP addresses using the given workgroup names. If you  leave
5365             out the workgroup name then the one given in the workgroup param‐
5366             eter is used instead.
5367
5368             The IP addresses you  choose  would  normally  be  the  broadcast
5369             addresses  of  the  remote  networks,  but  can  also  be  the IP
5370             addresses of known browse masters if your network config is  that
5371             stable.
5372
5373             See the chapter on Network Browsing in the Samba-HOWTO book.
5374
5375             Default: remote announce =
5376
5377          remote browse sync (G)
5378             This  option  allows you to setup nmbd(8) to periodically request
5379             synchronization of browse lists with  the  master  browser  of  a
5380             Samba  server that is on a remote segment. This option will allow
5381             you to gain browse lists for multiple  workgroups  across  routed
5382             networks.  This  is  done in a manner that does not work with any
5383             non-Samba servers.
5384
5385             This is useful if you  want  your  Samba  server  and  all  local
5386             clients  to  appear  in  a  remote workgroup for which the normal
5387             browse propagation rules don't work. The remote workgroup can  be
5388             anywhere that you can send IP packets to.
5389
5390             For example:
5391
5392
5393
5394
5395             remote browse sync = 192.168.2.255 192.168.4.255
5396
5397             The above line would cause nmbd to request the master browser on
5398             the specified subnets or addresses to  synchronize  their  browse
5399             lists with the local server.
5400
5401             The  IP  addresses  you  choose  would  normally be the broadcast
5402             addresses of  the  remote  networks,  but  can  also  be  the  IP
5403             addresses  of known browse masters if your network config is that
5404             stable. If a machine IP address is given Samba makes  NO  attempt
5405             to  validate  that the remote machine is available, is listening,
5406             nor that it is in fact the browse master on its segment.
5407
5408             The remote browse sync may be used on networks where there is  no
5409             WINS server, and may be used on disjoint networks where each net‐
5410             work has its own WINS server.
5411
5412             Default: remote browse sync =
5413
5414          rename user script (G)
5415             This is the full pathname to a script that will be run as root by
5416             smbd(8) under special circumstances described below.
5417
5418             When  a  user  with  admin authority or SeAddUserPrivilege rights
5419             renames a user (e.g.: from the NT4  User  Manager  for  Domains),
5420             this  script will be run to rename the POSIX user. Two variables,
5421             %uold and %unew, will be substituted with the old and  new  user‐
5422             names,  respectively.  The script should return 0 upon successful
5423             completion, and nonzero otherwise.
5424
5425             Note
5426             The script has all responsibility to  rename  all  the  necessary
5427             data  that is accessible in this posix method. This can mean dif‐
5428             ferent requirements for different backends. The tdbsam  and  smb‐
5429             passwd  backends  will take care of the contents of their respec‐
5430             tive files, so the script is responsible only  for  changing  the
5431             POSIX username, and other data that may be required for your circum‐
5432             stances, such as home directory. Please also consider whether  or
5433             not  you  need  to rename the actual home directories themselves.
5434             The ldapsam backend will not make any  changes,  because  of  the
5435             potential issues with renaming the LDAP naming attribute. In this
5436             case the script is responsible for changing  the  attribute  that
5437             samba  uses  (uid)  for  locating users, as well as any data that
5438             needs to change for other applications using the same  directory.

5439             Default: rename user script = no
5440
5441          reset on zero vc (G)
5442             This  boolean  option  controls whether an incoming session setup
5443             should kill other connections  coming  from  the  same  IP.  This
5444             matches  the default Windows 2003 behaviour. Setting this parame‐
5445             ter to yes becomes necessary when you have a  flaky  network  and
5446             windows  decides  to reconnect while the old connection still has
5447             files with share modes open. These files become inaccessible over
5448             the new connection. The client sends a zero VC on the new connec‐
5449             tion, and Windows 2003 kills all other  connections  coming  from
5450             the  same  IP.  This  way  the locked files are accessible again.
5451             Please be aware that enabling this option will  kill  connections
5452             behind a masquerading router.
5453
5454             Default: reset on zero vc = no
5455
5456          restrict anonymous (G)
5457             The  setting  of this parameter determines whether user and group
5458             list information is returned for an anonymous connection, and
5459             mirrors the effects of the
5460
5461
5462
5463
5464             HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous
5465             registry  key in Windows 2000 and Windows NT. When set to 0, user
5466             and group list information is returned to anyone who  asks.  When
5467             set to 1, only an authenticated user can retrieve user and group
5468             list information. For the value 2, supported by  Windows  2000/XP
5469             and  Samba, no anonymous connections are allowed at all. This can
5470             break third party and Microsoft applications which expect  to  be
5471             allowed to perform operations anonymously.
5472
5473             The  security  advantage of using restrict anonymous = 1 is dubi‐
5474             ous, as user and group list information  can  be  obtained  using
5475             other means.
5476
5477             Note
5478             The security advantage of using restrict anonymous = 2 is removed
5479             by setting guest ok = yes on any share.

5480             Default: restrict anonymous = 0
5481
5482          root
5483             This parameter is a synonym for root directory.
5484
5485          root dir
5486             This parameter is a synonym for root directory.
5487
5488          root directory (G)
5489             The server will chroot() (i.e. Change its root directory) to this
5490             directory on startup. This is not strictly necessary  for  secure
5491             operation.  Even  without it the server will deny access to files
5492             not in one of the service entries. It may  also  check  for,  and
5493             deny  access  to, soft links to other parts of the filesystem, or
5494             attempts to use ".." in file names to  access  other  directories
5495             (depending on the setting of the wide links parameter).
5496
5497             Adding  a root directory entry other than "/" adds an extra level
5498             of security, but at a price. It absolutely ensures that no access
5499             is  given  to  files  not  in  the sub-tree specified in the root
5500             directory option, including some files needed for complete opera‐
5501             tion  of  the  server. To maintain full operability of the server
5502             you will need to mirror some system files into the root directory
5503             tree.  In  particular  you  will need to mirror /etc/passwd (or a
5504             subset of it), and any binaries or configuration files needed for
5505             printing (if required). The set of files that must be mirrored is
5506             operating system dependent.
5507
5508             Default: root directory = /
5509
5510             Example: root directory = /homes/smb
5511
5512          root postexec (S)
5513             This is the same as the postexec parameter except that  the  com‐
5514             mand  is  run  as root. This is useful for unmounting filesystems
5515             (such as CDROMs) after a connection is closed.
5516
5517             Default: root postexec =
5518
5519          root preexec (S)
5520             This is the same as the preexec parameter except that the command
5521             is  run as root. This is useful for mounting filesystems (such as
5522             CDROMs) when a connection is opened.
5523
5524             Default: root preexec =
5525
5526          root preexec close (S)
5527             This is the same as the preexec close parameter except  that  the
5528             command is run as root.
5529
5530             Default: root preexec close = no
5531
5532          security (G)
5533             This  option  affects  how clients respond to Samba and is one of
5534             the most important settings in the smb.conf file.
5536
5537             The option sets the "security mode bit" in  replies  to  protocol
5538             negotiations with smbd(8) to turn share level security on or off.
5539             Clients decide based on this bit whether (and  how)  to  transfer
5540             user and password information to the server.
5541
5542             The  default  is security = user, as this is the most common set‐
5543             ting needed when talking to Windows 98 and Windows NT.
5544
5545             The alternatives are security = share, security = server or secu‐
5546             rity = domain.
5547
5548             In  versions  of Samba prior to 2.0.0, the default was security =
5549             share mainly because that was the only option at one stage.
5550
5551             There is a bug in WfWg that has relevance to this  setting.  When
5552             in  user  or  server  level  security  a WfWg client will totally
5553             ignore the username and password you type in the "connect  drive"
5554             dialog  box.  This makes it very difficult (if not impossible) to
5555             connect to a Samba service as anyone except the user that you are
5556             logged into WfWg as.
5557
5558             If your PCs use usernames that are the same as their usernames on
5559             the UNIX machine then you will want to use security  =  user.  If
5560             you  mostly  use  usernames that don't exist on the UNIX box then
5561             use security = share.
5562
5563             You should also use security = share if you want to mainly  setup
5564             shares  without  a password (guest shares). This is commonly used
5565             for a shared printer server. It is more difficult to setup  guest
5566             shares with security = user, see the map to guest parameter for
5567             details.
5568
5569             It is possible to use smbd in a hybrid mode where it offers both
5570             user and share level security under different NetBIOS aliases.
5572
5573             The different settings will now be explained.
5574
5575             SECURITY = SHARE
5576
5577             When  clients  connect to a share level security server they need
5578             not log onto the server with a valid username and password before
5579             attempting  to  connect  to  a  shared  resource (although modern
5580             clients such as Windows 95/98 and Windows NT will  send  a  logon
5581             request  with  a username but no password when talking to a secu‐
5582             rity = share server). Instead, the  clients  send  authentication
5583             information  (passwords)  on  a per-share basis, at the time they
5584             attempt to connect to that share.
5585
5586             Note that smbd ALWAYS uses a valid UNIX user to act on behalf  of
5587             the client, even in security = share level security.
5588
5589             As  clients  are not required to send a username to the server in
5590             share level security, smbd uses several techniques  to  determine
5591             the correct UNIX user to use on behalf of the client.
5592
5593             A  list of possible UNIX usernames to match with the given client
5594             password is constructed using the following methods:
5595
5596                ·  If the guest only parameter is  set,  then  all  the  other
5597                   stages  are  missed  and only the guest account username is
5598                   checked.
5599
5600                ·  If a username is sent with the  share  connection  request,
5601                   then  this  username (after mapping - see username map), is
5602                   added as a potential username.
5603
5604                ·  If the client did a previous logon  request  (the  Session‐
5605                   Setup  SMB call) then the username sent in this SMB will be
5606                   added as a potential username.
5607
5608                ·  The name of the service the client requested is added as  a
5609                   potential username.
5610
5611                ·  The  NetBIOS  name  of the client is added to the list as a
5612                   potential username.
5613
5614                ·  Any users on the user list are  added  as  potential  user‐
5615                   names.
5616
5617                If the guest only parameter is not set, this list is then
5618                tried with the supplied password. The first user for whom  the
5619                password matches will be used as the UNIX user.
5620
5621                If  the  guest  only  parameter  is set, or no username can be
5622                determined then if the share is marked  as  available  to  the
5623                guest  account,  then  this guest user will be used, otherwise
5624                access is denied.
5625
5626                Note that it can be very confusing in share-level security  as
5627                to  which  UNIX  username  will eventually be used in granting
5628                access.
5629
5630                See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION.
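
The lookup order described above, modelled as an added example (this is not Samba's code). The dictionary keys, the sample accounts, the "nobody" fallback for the guest account and the plaintext password table standing in for smbd's password check are assumptions made for illustration.

```python
import hmac

def candidate_usernames(share, request, username_map=None):
    """Ordered UNIX usernames tried for one share connection (security = share)."""
    if share.get("guest only"):
        # All other stages are skipped; only the guest account is considered.
        return [share.get("guest account", "nobody")]
    username_map = username_map or {}
    names = []

    def add(name):
        # Dropping duplicates is an assumption; it cannot change which name matches first.
        if name and name not in names:
            names.append(name)

    sent = request.get("tcon_username")
    add(username_map.get(sent, sent))            # username sent with the share request, after mapping
    add(request.get("session_setup_username"))   # earlier SessionSetup logon request
    add(share["name"])                           # the service name itself
    add(request.get("netbios_name"))             # client's NetBIOS name
    for user in share.get("user list", []):      # users on the user list
        add(user)
    return names

def resolve_unix_user(share, request, passwords, username_map=None):
    """Return the UNIX user the connection runs as, or None if access is denied."""
    if not share.get("guest only"):
        supplied = request.get("password", "").encode()
        for name in candidate_usernames(share, request, username_map):
            stored = passwords.get(name)
            if stored is not None and hmac.compare_digest(stored.encode(), supplied):
                return name                      # first candidate whose password matches
    if share.get("guest ok"):
        return share.get("guest account", "nobody")
    return None

# Constructed sample data, not taken from a real server.
PASSWORDS = {"alice": "alice-pw", "projects": "projects-pw", "bob": "bob-pw"}
USERNAME_MAP = {"al": "alice"}
SHARE = {"name": "projects", "user list": ["bob"], "guest ok": False, "guest only": False}
REQUEST = {
    "tcon_username": "al",
    "session_setup_username": "alice",
    "netbios_name": "ws42",
    "password": "projects-pw",
}

if __name__ == "__main__":
    print(candidate_usernames(SHARE, REQUEST, USERNAME_MAP))
    # The client named "alice", yet the password matches the service-named account.
    print(resolve_unix_user(SHARE, REQUEST, PASSWORDS, USERNAME_MAP))
```

The sample shows why the resulting identity is hard to predict: the client named one account, but the connection is mapped to whichever candidate the password happens to match first.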
5631
5632                SECURITY = USER
5633
5634                This is the default security setting in Samba 3.0. With  user-
5635                level security a client must first "log-on" with a valid user‐
5636                name and password (which can be mapped using the username  map
5637                parameter).  Encrypted  passwords (see the encrypted passwords
5638                parameter) can also be used in this security mode.  Parameters
5639                such  as  user  and guest only if set are then applied and may
5640                change the UNIX user to use on this connection, but only after
5641                the user has been successfully authenticated.
5642
5643                Note that the name of the resource being requested is not sent
5644                to the server until after the server has successfully  authen‐
5645                ticated  the  client.  This  is why guest shares don't work in
5646                user level security without allowing the server  to  automati‐
5647                cally map unknown users into the guest account. See the map to
5648                guest parameter for details on doing this.
5649
5650                See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION.
5651
5652                SECURITY = DOMAIN
5653
5654                This mode will only work correctly if net(8) has been used  to
5655                add  this  machine  into  a  Windows NT Domain. It expects the
5656                encrypted passwords parameter to be set to yes. In  this  mode
5657                Samba will try to validate the username/password by passing it
5658                to a Windows  NT  Primary  or  Backup  Domain  Controller,  in
5659                exactly the same way that a Windows NT Server would do.
5660
5661                Note  that  a  valid UNIX user must still exist as well as the
5662                account on the Domain Controller to  allow  Samba  to  have  a
5663                valid UNIX account to map file access to.
5664
5665                Note that from the client's point of view security = domain is
5666                the same as security = user. It only affects  how  the  server
5667                deals  with  the authentication, it does not in any way affect
5668                what the client sees.
5669
5670                Note that the name of the resource being requested is not sent
5671                to  the server until after the server has successfully authen‐
5672                ticated the client. This is why guest  shares  don't  work  in
5673                user  level  security without allowing the server to automati‐
5674                cally map unknown users into the guest account. See the map to
5675                guest parameter for details on doing this.
5676
5677                See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION.
5678
5679                See also the password server parameter and the encrypted pass‐
5680                words parameter.
5681
5682                SECURITY = SERVER
5683
5684                In this mode Samba will try to validate the  username/password
5685                by  passing  it  to  another SMB server, such as an NT box. If
5686                this fails it will revert to security = user. It  expects  the
5687                encrypted  passwords  parameter  to  be set to yes, unless the
5688                remote server does not support  them.  However  note  that  if
5689                encrypted  passwords  have  been  negotiated then Samba cannot
5690                revert back to checking the UNIX password file, it must have a
5691                valid  smbpasswd  file to check users against. See the chapter
5692                about the User Database in  the  Samba  HOWTO  Collection  for
5693                details on how to set this up.
5694
5695                Note
5696                This mode of operation has significant pitfalls since it is
5697                more vulnerable to man-in-the-middle attacks and server
5698                impersonation. In particular, this mode of operation can cause
5699                significant resource consumption on the PDC, as it must maintain
5700                an active connection for the duration of the user's session.
5701                Furthermore, if this connection is lost, there is no way to
5702                reestablish it, and further authentications to the Samba server
5703                may fail (from a single client, till it disconnects).
5704
5705                Note
5706                From the client's point of view security = server is the  same
5707                as  security = user. It only affects how the server deals with
5708                the authentication, it does not in any  way  affect  what  the
5709                client  sees.   Note  that  the  name  of  the  resource being
5710                requested is not sent to the server until after the server has
5711                successfully  authenticated  the  client.  This  is  why guest
5712                shares don't work in user level security without allowing  the
5713                server  to  automatically  map  unknown  users  into the guest
5714                account. See the map to guest parameter for details  on  doing
5715                this.
5716
5717                See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION.
5718
5719                See also the password server parameter and the encrypted pass‐
5720                words parameter.
5721
5722                SECURITY = ADS
5723
5724                In this mode, Samba will act as a  domain  member  in  an  ADS
5725                realm. To operate in this mode, the machine running Samba will
5726                need to have Kerberos installed and configured and Samba  will
5727                need to be joined to the ADS realm using the net utility.
5728
5729                Note that this mode does NOT make Samba operate as an Active
5730                Directory Domain Controller.
5731
5732                Read the chapter about Domain  Membership  in  the  HOWTO  for
5733                details.
5734
5735                Default: security = USER
5736
5737                Example: security = DOMAIN
5738
5739          security mask (S)
5740             This parameter controls what UNIX permission bits can be modified
5741             when a Windows NT client is manipulating the UNIX permission on a
5742             file using the native NT security dialog box.
5743
5744             This  parameter is applied as a mask (AND'ed with) to the changed
5745             permission bits, thus preventing any bits not in this  mask  from
5746             being modified. Make sure not to mix up this parameter with force
5747             security mode, which works in a manner similar to  this  one  but
5748             uses a logical OR instead of an AND.
5749
5750             Essentially,  zero  bits  in this mask may be treated as a set of
5751             bits the user is not allowed to change.
5752
5753             If not set explicitly this parameter is 0777, allowing a user  to
5754             modify all the user/group/world permissions on a file.
5755
5756             Note  that  users  who can access the Samba server through other
5757             means can easily bypass this restriction, so it is primarily use‐
5758             ful  for  standalone  "appliance" systems. Administrators of most
5759             normal systems will probably want to leave it set to 0777.
5760
5761             Default: security mask = 0777
5762
5763             Example: security mask = 0770
5764
5765          server schannel (G)
5766             This controls whether the server offers or even demands  the  use
5767             of  the  netlogon  schannel.  server schannel = no does not offer
5768             the schannel, server schannel = auto offers the schannel but does
5769             not  enforce  it,  and server schannel = yes denies access if the
5770             client is not able to speak netlogon schannel. This is  only  the
5771             case for Windows NT4 before SP4.
5772
5773             Please  note  that with this set to no you will have to apply the
5774             WindowsXP  WinXP_SignOrSeal.reg  registry  patch  found  in   the
5775             docs/registry subdirectory of the Samba distribution tarball.
5776
5777             Default: server schannel = auto
5778
5779             Example: server schannel = yes
5780
5781          server signing (G)
5782             This controls whether the server offers or requires the client it
5783             talks to to use SMB signing. Possible values are auto,  mandatory
5784             and disabled.
5785
5786             When  set to auto, SMB signing is offered, but not enforced. When
5787             set to mandatory, SMB signing is required and if set to disabled,
5788             SMB signing is not offered either.
5789
5790             Default: server signing = Disabled
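The following added example (not part of the Samba distribution) reads smb.conf text using the FILE FORMAT rules given at the top of this page and reports what server schannel and server signing amount to once the defaults stated above are applied. The function names and the sample configuration are constructed for illustration.

```python
import re

# Defaults exactly as this page states them.
PAGE_DEFAULTS = {"serverschannel": "auto", "serversigning": "disabled"}

# Meaning of each documented value, in the page's own terms.
SCHANNEL = {"yes": "required", "true": "required", "1": "required",
            "auto": "offered, not enforced",
            "no": "not offered", "false": "not offered", "0": "not offered"}
SIGNING = {"mandatory": "required",
           "auto": "offered, not enforced",
           "disabled": "not offered"}


def _key(name):
    """Names are case-insensitive and whitespace inside them is irrelevant."""
    return re.sub(r"\s+", "", name).lower()


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {parameter: value}}."""
    sections, current, carry = {}, None, ""
    for raw in text.splitlines():
        line = carry + raw.strip()
        carry = ""
        if line.endswith("\\"):            # continued on the next line
            carry = line[:-1]
            continue
        if not line or line[0] in ";#":    # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = _key(line[1:-1])
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            name, value = line.split("=", 1)   # only the first '=' is significant
            sections[current][_key(name)] = value.strip()
    return sections


def audit_transport(text):
    """Return [(parameter, effective value, meaning)] taken from [global]."""
    glob = parse_smb_conf(text).get("global", {})
    report = []
    for label, table in (("server schannel", SCHANNEL),
                         ("server signing", SIGNING)):
        value = glob.get(_key(label), PAGE_DEFAULTS[_key(label)]).lower()
        report.append((label, value, table.get(value, "unrecognised value")))
    return report


def weak_settings(text):
    """Parameters that do not force the client to use the protection."""
    return [label for label, _, meaning in audit_transport(text)
            if meaning != "required"]


# Constructed sample, not a real server's configuration. Both parameters are
# global (G), so the line under [homes] is not consulted by this example.
SAMPLE = """\
; constructed sample
[Global]
   Server  Signing = Auto
   server string = Samba %v
[homes]
   server signing = mandatory
"""

if __name__ == "__main__":
    for row in audit_transport(SAMPLE):
        print("%-16s %-10s %s" % row)
```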
5791
5792          server string (G)
5793             This controls what string will show up in the printer comment box
5794             in print manager and next to the IPC connection in net  view.  It
5795             can be any string that you wish to show to your users.
5796
5797             It also sets what will appear in browse lists next to the machine
5798             name.
5799
5800             A %v will be replaced with the Samba version number.
5801
5802             A %h will be replaced with the hostname.
5803
5804             Default: server string = Samba %v
5805
5806             Example: server string = University of GNUs Samba Server
5807
5808          set directory (S)
5809             If set directory = no, then users of the service may not use  the
5810             setdir command to change directory.
5811
5812             The  setdir  command is only implemented in the Digital Pathworks
5813             client. See the Pathworks documentation for details.
5814
5815             Default: set directory = no
5816
5817          set primary group script (G)
5818             Thanks to the Posix subsystem in NT a Windows User has a  primary
5819             group  in  addition to the auxiliary groups. This script sets the
5820             primary group in the unix user database when an administrator sets
5821             the  primary group from the windows user manager or when fetching
5822             a SAM with net rpc vampire.  %u will be replaced  with  the  user
5823             whose  primary  group is to be set.  %g will be replaced with the
5824             group to set.
5825
5826             Default: set primary group script =
5827
5828             Example: set primary group script  =  /usr/sbin/usermod  -g  '%g'
5829             '%u'
5830
5831          set quota command (G)
5832             The  set  quota  command should only be used whenever there is no
5833             operating system API available from the OS that samba can use.
5834
5835             This option is only available if Samba was  configured  with  the
5836             argument  --with-sys-quotas or on linux when was used and a work‐
5837             ing quota api was found in the system. Most packages are  config‐
5838             ured with these options already.
5839
5840             This  parameter  should specify the path to a script that can set
5841             quota for the specified arguments.
5842
5843             The specified script should take the following arguments:
5844
5845                ·  1 - quota type
5846
5847                   ·  1 - user quotas
5848
5849                   ·  2 - user default quotas (uid = -1)
5850
5851                   ·  3 - group quotas
5852
5853                   ·  4 - group default quotas (gid = -1)
5854
5855
5856
5857
5858                ·  2 - id (uid for user, gid for group, -1 if N/A)
5859
5860                ·  3 - quota state (0 = disable, 1 = enable, 2  =  enable  and
5861                   enforce)
5862
5863                ·  4 - block softlimit
5864
5865                ·  5 - block hardlimit
5866
5867                ·  6 - inode softlimit
5868
5869                ·  7 - inode hardlimit
5870
5871                ·  8(optional) - block size, defaults to 1024
5872
5873                The script should output at least one line of data on success,
5874                and nothing on failure.
5875
5876                Default: set quota command =
5877
5878                Example: set quota command = /usr/local/sbin/set_quota
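A script for this parameter is run by smbd with values that originate from client requests, so it should accept nothing but integers and never hand them to a shell. The following added example (not shipped with Samba) maps the arguments listed above to an argument vector for the Linux quota-tools setquota(8) utility; the filesystem path and the function name are assumptions. It applies limits for quota states 1 and 2 alike and reports failure for state 0 and for the default-quota types 2 and 4, which setquota cannot express.

```python
#!/usr/bin/env python3
"""Example handler for `set quota command` (added example, not Samba code)."""
import re
import subprocess
import sys

FILESYSTEM = "/srv/samba"        # assumption: quota-enabled filesystem behind the shares
USER_QUOTA, GROUP_QUOTA = 1, 3   # quota types 2 and 4 (defaults) are not handled here
INTEGER = re.compile(r"-?[0-9]+")


def build_setquota_argv(args, filesystem=FILESYSTEM):
    """Turn the 7 or 8 positional arguments into a setquota argv, or None."""
    if len(args) not in (7, 8):
        return None
    if not all(INTEGER.fullmatch(a) for a in args):
        return None                          # reject anything that is not a plain integer
    nums = [int(a) for a in args]
    qtype, qid, state, bsoft, bhard, isoft, ihard = nums[:7]
    bsize = nums[7] if len(nums) == 8 else 1024   # argument 8 defaults to 1024
    if qtype not in (USER_QUOTA, GROUP_QUOTA) or qid < 0:
        return None
    if state not in (1, 2) or bsize <= 0:
        return None
    if min(bsoft, bhard, isoft, ihard) < 0:
        return None

    def to_kib(blocks):
        # setquota counts block limits in 1 KiB units; round up.
        return -(-blocks * bsize // 1024)

    flag = "-u" if qtype == USER_QUOTA else "-g"
    return ["setquota", flag, str(qid),
            str(to_kib(bsoft)), str(to_kib(bhard)),
            str(isoft), str(ihard), filesystem]


def main(argv):
    cmd = build_setquota_argv(argv[1:])
    if cmd is None:
        return 1                 # print nothing: smbd treats empty output as failure
    # An argv list with shell=False means no argument is ever parsed by a shell.
    if subprocess.run(cmd, shell=False).returncode != 0:
        return 1
    print("ok")                  # at least one line of output signals success
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```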
5879
5880          share modes (S)
5881             This enables or disables the honoring of the share modes during a
5882             file open. These modes are used by clients to gain exclusive read
5883             or write access to a file.
5884
5885             These open modes are not directly supported by UNIX, so they  are
5886             simulated using shared memory, or lock files if your UNIX doesn't
5887             support shared memory (almost all do).
5888
5889             The share modes that are enabled by  this  option  are  DENY_DOS,
5890             DENY_ALL, DENY_READ, DENY_WRITE, DENY_NONE and DENY_FCB.
5891
5892             This option gives full share compatibility and is enabled by
5893             default.
5894
5895             You should NEVER turn this parameter off as many Windows applica‐
5896             tions will break if you do so.
5897
5898             Default: share modes = yes
5899
5900          short preserve case (S)
5901             This boolean parameter controls if new files which conform to 8.3
5902             syntax, that is all in upper case and  of  suitable  length,  are
5903             created upper case, or if they are forced to be the default case.
5904             This option can be used with preserve case = yes to permit long
5905             filenames to retain their case, while short names are lowered.
5906
5907             See the section on NAME MANGLING.
5908
5909             Default: short preserve case = yes
5910
5911          show add printer wizard (G)
5912             With  the  introduction of MS-RPC based printing support for Win‐
5913             dows NT/2000 client in Samba 2.2,  a  "Printers..."  folder  will
5914             appear  on Samba hosts in the share listing. Normally this folder
5915             will contain an icon for the MS Add Printer  Wizard  (APW).  How‐
5916             ever,  it  is  possible to disable this feature regardless of the
5917             level of privilege of the connected user.
5918
5919             Under normal circumstances, the Windows NT/2000 client will  open
5920             a  handle  on  the printer server with OpenPrinterEx() asking for
5921             Administrator privileges. If the user does not  have  administra‐
5922             tive  access  on the print server (i.e. is not root or a member of
5923             the printer admin group), the OpenPrinterEx() call fails and  the
5924             client  makes another open call with a request for a lower privi‐
5925             lege level. This should succeed, however the APW icon will not be
5926             displayed.
5927
5928             Disabling the show add printer wizard parameter will always cause
5929             the OpenPrinterEx() on the server to fail. Thus the APW icon will
5930             never be displayed.
5931
5932             Note: This does not prevent the same user from having
5933             administrative privilege on an individual printer.
5934
5935             Default: show add printer wizard = yes
5936
5937          shutdown script (G)
5938             This is a full path name to a script called by smbd(8) that should
5939             start a shutdown procedure.
5940
5941             If the connected user possesses the SeRemoteShutdownPrivilege
5942             right, this command will be run as user.
5943
5944             The %z %t %r %f variables are expanded as follows:
5945
5946                ·  %z  will  be  substituted with the shutdown message sent to
5947                   the server.
5948
5949                ·  %t will be substituted with the number of seconds  to  wait
5950                   before effectively starting the shutdown procedure.
5951
5952                ·  %r  will be substituted with the switch -r. It means reboot
5953                   after shutdown for NT.
5954
5955                ·  %f will be substituted with the switch -f. It  means  force
5956                   the shutdown even if applications do not respond for NT.
5957
5958                Shutdown script example:
5959
5960
5961
5962
5963                #!/bin/bash
5964                # $1 = message, $2 = delay in seconds, $3 = -r, $4 = -f
5965                time=$2
5966                let "time/=60"
5967                let "time++"
5968
5969                /sbin/shutdown $3 $4 +$time $1 &
5970
5971                Shutdown  does  not  return  so  we need to launch it in back‐
5972                ground.
5973
5974                Default: shutdown script =
5975
5976                Example: shutdown script =  /usr/local/samba/sbin/shutdown  %m
5977                %t %r %f
5978
5979          smb passwd file (G)
5980             This  option  sets  the  path to the encrypted smbpasswd file. By
5981             default the path to the smbpasswd file is compiled into Samba.
5982
5983             An example of use is:
5984
5985
5986
5987
5988             smb passwd file = /etc/samba/smbpasswd
5989
5990
5991
5992             Default: smb passwd file = ${prefix}/private/smbpasswd
5993
5994          smb ports (G)
5995             Specifies which ports the server should listen on for  SMB  traf‐
5996             fic.
5997
5998             Default: smb ports = 445 139
5999
6000          socket address (G)
6001             This  option allows you to control what address Samba will listen
6002             for connections on. This is  used  to  support  multiple  virtual
6003             interfaces  on  the  one server, each with a different configura‐
6004             tion.
6005
6006             By default Samba will accept connections on any address.
6007
6008             Default: socket address =
6009
6010             Example: socket address = 192.168.2.20
6011
6012          socket options (G)
6013             This option allows you to set socket  options  to  be  used  when
6014             talking with the client.
6015
6016             Socket  options are controls on the networking layer of the oper‐
6017             ating systems which allow the connection to be tuned.
6018
6019             This option will typically be used to tune your Samba server  for
6020             optimal  performance for your local network. There is no way that
6021             Samba can know what the optimal parameters are for your  net,  so
6022             you must experiment and choose them yourself. We strongly suggest
6023             you read the appropriate documentation for your operating  system
6024             first (perhaps man setsockopt will help).
6025
6026             You  may find that on some systems Samba will say "Unknown socket
6027             option" when you supply an option. This means you  either  incor‐
6028             rectly  typed it or you need to add an include file to includes.h
6029             for your OS. If the latter is the case please send the  patch  to
6030             samba-technical@samba.org.
6031
6032             Any  of  the  supported socket options may be combined in any way
6033             you like, as long as your OS allows it.
6034
6035             This is the list of socket options currently settable using  this
6036             option:
6037
6038                ·  SO_KEEPALIVE
6039
6040                ·  SO_REUSEADDR
6041
6042                ·  SO_BROADCAST
6043
6044                ·  TCP_NODELAY
6045
6046                ·  IPTOS_LOWDELAY
6047
6048                ·  IPTOS_THROUGHPUT
6049
6050                ·  SO_SNDBUF *
6051
6052                ·  SO_RCVBUF *
6053
6054                ·  SO_SNDLOWAT *
6055
6056                ·  SO_RCVLOWAT *
6057
6058                Those  marked  with a '*' take an integer argument. The others
6059                can optionally take a 1 or 0 argument to enable or disable the
6060                option, by default they will be enabled if you don't specify 1
6061                or 0.
6062
6063                To specify an argument use the syntax SOME_OPTION = VALUE  for
6064                example SO_SNDBUF = 8192. Note that you must not have any spa‐
6065                ces before or after the = sign.
6066
6067                If you are on a local network then a sensible option might be:
6068
6069                socket options = IPTOS_LOWDELAY
6070
6071                If you have a local network then you could try:
6072
6073                socket options = IPTOS_LOWDELAY TCP_NODELAY
6074
6075                If you are on a wide area network  then  perhaps  try  setting
6076                IPTOS_THROUGHPUT.
6077
6078                Note  that  several of the options may cause your Samba server
6079                to fail completely. Use these options with caution!
6080
6081                Default: socket options = TCP_NODELAY
6082
6083                Example: socket options = IPTOS_LOWDELAY
6084
6085          stat cache (G)
6086             This parameter determines if smbd(8) will use a cache in order to
6087             speed up case insensitive name mappings. You should never need to
6088             change this parameter.
6089
6090             Default: stat cache = yes
6091
6092          store dos attributes (S)
6093             If this parameter  is  set  Samba  attempts  to  first  read  DOS
6094             attributes (SYSTEM, HIDDEN, ARCHIVE or READ-ONLY) from a filesys‐
6095             tem extended attribute, before mapping  DOS  attributes  to  UNIX
6096             permission  bits  (such  as  occurs with map hidden and map read‐
6097             only). When set, DOS attributes will be stored onto  an  extended
6098             attribute  in  the  UNIX  filesystem, associated with the file or
6099             directory. For no other mapping to  occur  as  a  fall-back,  the
6100             parameters  map  hidden, map system, map archive and map readonly
6101             must be set to off. This parameter writes the DOS attributes as a
6102             string  into  the extended attribute named "user.DOSATTRIB". This
6103             extended  attribute  is  explicitly  hidden  from  smbd   clients
6104             requesting  an  EA  list.  On Linux the filesystem must have been
6105             mounted with the mount option user_xattr in  order  for  extended
6106             attributes  to  work,  also  extended attributes must be compiled
6107             into the Linux kernel.
6108
6109             Default: store dos attributes = no
6110
6111          strict allocate (S)
6112             This is a boolean that controls the handling of disk space  allo‐
6113             cation  in  the  server.  When this is set to yes the server will
6114             change from UNIX behaviour of not committing  real  disk  storage
6115             blocks  when a file is extended to the Windows behaviour of actu‐
6116             ally forcing the disk system to allocate real storage blocks when
6117             a  file is created or extended to be a given size. In UNIX termi‐
6118             nology this means that Samba will  stop  creating  sparse  files.
6119             This can be slow on some systems.
6120
6121             When  strict  allocate  is  no  the server does sparse disk block
6122             allocation when a file is extended.
6123
6124             Setting this to yes can help Samba return out of  quota  messages
6125             on systems that are restricting the disk quota of users.
6126
6127             Default: strict allocate = no
6128
6129          strict locking (S)
6130             This  is  an  enumerated  type that controls the handling of file
6131             locking in the server. When this is set to yes, the  server  will
6132             check every read and write access for file locks, and deny access
6133             if locks exist. This can be slow on some systems.
6134
6135             When strict locking is set to Auto (the default), the server per‐
6136             forms  file  lock checks only on non-oplocked files. As most Win‐
6137             dows redirectors perform file locking checks locally on  oplocked
6138             files this is a good trade off for improved performance.
6139
6140             When  strict  locking  is disabled, the server performs file lock
6141             checks only when the client explicitly asks for them.
6142
6143             Well-behaved clients always ask for lock checks when it is impor‐
6144             tant.  So in the vast majority of cases, strict locking = Auto or
6145             strict locking = no is acceptable.
6146
6147             Default: strict locking = Auto
6148
6149          strict sync (S)
6150             Many Windows applications  (including  the  Windows  98  explorer
6151             shell)  seem  to  confuse  flushing  buffer contents to disk with
6152             doing a sync to disk. Under UNIX, a sync call forces the  process
6153             to be suspended until the kernel has ensured that all outstanding
6154             data in kernel disk buffers has been safely  stored  onto  stable
6155             storage.  This  is very slow and should only be done rarely. Set‐
6156             ting this parameter  to  no  (the  default)  means  that  smbd(8)
6157             ignores  the Windows applications requests for a sync call. There
6158             is only a possibility of losing  data  if  the  operating  system
6159             itself  that Samba is running on crashes, so there is little dan‐
6160             ger in this default setting. In addition, this fixes many perfor‐
6161             mance  problems  that people have reported with the new Windows98
6162             explorer shell file copies.
6163
6164             Default: strict sync = no
6165
6166          svcctl list (G)
6167             This option defines a list of init scripts that smbd will use for
6168             starting  and stopping Unix services via the Win32 ServiceControl
6169             API. This allows Windows administrators to utilize the MS Manage‐
6170             ment Console plug-ins to manage a Unix server running Samba.
6171
6172             The administrator must create a directory named svcctl in Samba's
6173             $(libdir) and create  symbolic  links  to  the  init  scripts  in
6174             /etc/init.d/. The name of the links must match the names given as
6175             part of the svcctl list.
6176
6177             Default: svcctl list =
6178
6179             Example: svcctl list = cups postfix portmap httpd
6180
6181          sync always (S)
6182             This is a boolean parameter that  controls  whether  writes  will
6183             always  be  written  to  stable  storage  before  the  write call
6184             returns. If this is no then the server  will  be  guided  by  the
6185             client's  request in each write call (clients can set a bit indi‐
6186             cating that a particular write should be synchronous). If this is
6187             yes then every write will be followed by a fsync() call to ensure
6188             the data is written to disk. Note that the strict sync  parameter
6189             must  be  set  to  yes  in  order  for this parameter to have any
6190             effect.
6191
6192             Default: sync always = no
6193
6194          syslog (G)
6195             This parameter maps how Samba debug messages are logged onto  the
6196             system  syslog  logging  levels. Samba debug level zero maps onto
6197             syslog LOG_ERR, debug level  one  maps  onto  LOG_WARNING,  debug
6198             level  two  maps  onto  LOG_NOTICE,  debug  level three maps onto
6199             LOG_INFO. All higher levels are mapped to LOG_DEBUG.
6200
6201             This parameter sets the threshold for sending messages to syslog.
6202             Only  messages with debug level less than this value will be sent
6203             to syslog.
6204
6205             Default: syslog = 1
6206
6207          syslog only (G)
6208             If this parameter is set then Samba  debug  messages  are  logged
6209             into the system syslog only, and not to the debug log files.
6210
6211             Default: syslog only = no
6212
6213          template homedir (G)
6214             When  filling out the user information for a Windows NT user, the
6215             winbindd(8) daemon uses this parameter to fill in the home direc‐
6216             tory for that user. If the string %D is present it is substituted
6217             with the user's Windows NT domain  name.  If  the  string  %U  is
6218             present it is substituted with the user's Windows NT user name.
6219
6220             Default: template homedir = /home/%D/%U
6221
6222          template shell (G)
6223             When  filling out the user information for a Windows NT user, the
6224             winbindd(8) daemon uses this parameter to fill in the login shell
6225             for that user.
6226
6227             No default
6228
6229          time offset (G)
6230             This  parameter  is a setting in minutes to add to the normal GMT
6231             to local time conversion. This is useful if you are serving a lot
6232             of PCs that have incorrect daylight saving time handling.
6233
6234             Default: time offset = 0
6235
6236             Example: time offset = 60
6237
6238          time server (G)
6239             This  parameter determines if nmbd(8) advertises itself as a time
6240             server to Windows clients.
6241
6242             Default: time server = no
6243
6244          unix charset (G)
6245             Specifies the charset the unix machine Samba runs on uses.  Samba
6246             needs  to  know  this  in order to be able to convert text to the
6247             charsets other SMB clients use.
6248
6249             This is also the charset Samba will use when specifying arguments
6250             to scripts that it invokes.
6251
6252             Default: unix charset = UTF8
6253
6254             Example: unix charset = ASCII
6255
6256          unix extensions (G)
6257             This boolean parameter controls whether Samba implements the CIFS
6258             UNIX extensions, as defined by HP. These extensions enable  Samba
6259             to  better serve UNIX CIFS clients by supporting features such as
6260             symbolic links, hard links, etc...  These  extensions  require  a
6261             similarly  enabled  client,  and are of no current use to Windows
6262             clients.
6263
6264             Default: unix extensions = yes
6265
6266          unix password sync (G)
6267             This boolean parameter controls whether Samba  attempts  to  syn‐
6268             chronize  the  UNIX  password  with  the  SMB  password  when the
6269             encrypted SMB password in the smbpasswd file is changed. If  this
6270             is set to yes the program specified in the passwd program parame‐
6271             ter is called AS ROOT - to allow the new UNIX password to be  set
6272             without  access  to  the  old  UNIX password (as the SMB password
6273             change code has no access to the old password cleartext, only the
6274             new).
6275
6276             Default: unix password sync = no
6277
6278          update encrypted (G)
6279             This  boolean parameter allows a user logging on with a plaintext
6280             password to have their encrypted (hashed) password  in  the  smb‐
6281             passwd  file  updated  automatically  as  they  log  on.  This
6282             option allows a site to migrate from plaintext password authenti‐
6283             cation (users authenticate with plaintext password over the wire,
6284             and are checked against a  UNIX  account  database)  to  encrypted
6285             password  authentication  (the SMB challenge/response authentica‐
6286             tion mechanism) without forcing all users to re-enter their pass‐
6287             words  via  smbpasswd  at  the time the change is made. This is a
6288             convenience option to allow the change over  to  encrypted  pass‐
6289             words  to  be  made  over  a  longer  period. Once all users have
6290             encrypted representations of their  passwords  in  the  smbpasswd
6291             file this parameter should be set to no.
6292
6293             In order for this parameter to be operative the encrypt passwords
6294             parameter must be set to no. The default value is encrypt pass‐
6295             words = Yes. Note: encrypt passwords must be set to no for update
6296             encrypted to work.
6297
6298             Note that even when this parameter is set a  user  authenticating
6299             to  smbd  must  still  enter a valid password in order to connect
6300             correctly, and to update their hashed (smbpasswd) passwords.
6301
6302             Default: update encrypted = no
6303
6304          use client driver (S)
6305             This parameter applies only to Windows NT/2000 clients. It has no
6306             effect  on  Windows  95/98/ME  clients. When serving a printer to
6307             Windows NT/2000 clients without first installing a valid  printer
6308             driver  on the Samba host, the client will be required to install
6309             a local printer driver. From this point on, the client will treat
6310             the printer as a local printer and not a network printer connec‐
6311             tion. This is much the same behavior that will occur when disable
6312             spoolss = yes.
6313
6314             The  differentiating  factor  is that under normal circumstances,
6315             the NT/2000 client will attempt to open the network printer using
6316             MS-RPC.  The  problem  is  that  because the client considers the
6317             printer to be local, it will attempt to issue the OpenPrinterEx()
6318             call requesting access rights associated with the logged on user.
6319             If the user possesses local administrator rights  but  not  root
6320             privilege on the Samba host (often the case), the OpenPrinterEx()
6321             call will fail. The result is that the client will now display an
6322             "Access  Denied;  Unable to connect" message in the printer queue
6323             window (even though jobs may successfully be printed).
6324
6325             If this parameter is enabled for a printer, then any  attempt  to
6326             open  the  printer  with  the  PRINTER_ACCESS_ADMINISTER right is
6327             mapped to PRINTER_ACCESS_USE instead, thus allowing the Open‐
6328             PrinterEx() call to succeed. This parameter MUST not be enabled
6329             on a print share which has a valid print driver installed on the
6330             Samba server.
6331
6332             Default: use client driver = no
6333
6334          use kerberos keytab (G)
6335             Specifies  whether Samba should attempt to maintain service prin‐
6336             cipals in the system's keytab file for host/FQDN and cifs/FQDN.
6337
6338             When you are using the heimdal Kerberos libraries, you must  also
6339             specify the following in /etc/krb5.conf:
6340
6341
6342
6343
6344             [libdefaults]
6345             default_keytab_name = FILE:/etc/krb5.keytab
6346
6347
6348
6349             Default: use kerberos keytab = False
6350
6351          use mmap (G)
6352             This  global  parameter  determines if the tdb internals of Samba
6353             can depend on mmap working correctly on the running system. Samba
6354             requires  a  coherent  mmap/read-write  system memory cache. Cur‐
6355             rently only HPUX does not have such a coherent cache, and so this
6356             parameter  is  set to no by default on HPUX. On all other systems
6357             this parameter should be left alone. This parameter  is  provided
6358             to  help  the  Samba  developers track down problems with the tdb
6359             internal code.
6360
6361             Default: use mmap = yes
6362
6363          user
6364             This parameter is a synonym for username.
6365
6366          users
6367             This parameter is a synonym for username.
6368
6369          username (S)
6370             Multiple users may be specified in  a  comma-delimited  list,  in
6371             which  case  the  supplied  password  will be tested against each
6372             username in turn (left to right).
6373
6374             The username line is needed only when the PC is unable to  supply
6375             its  own  username. This is the case for the COREPLUS protocol or
6376             where your users have different WfWg usernames to UNIX usernames.
6377             In   both   these   cases  you  may  also  be  better  using  the
6378             \\server\share%user syntax instead.
6379
6380             The username line is not a great solution in  many  cases  as  it
6381             means  Samba  will  try to validate the supplied password against
6382             each of the usernames in the username line in turn. This is  slow
6383             and  a bad idea for lots of users in case of duplicate passwords.
6384             You may get timeouts or security breaches  using  this  parameter
6385             unwisely.
6386
6387             Samba relies on the underlying UNIX security. This parameter does
6388             not restrict who can login, it just offers  hints  to  the  Samba
6389             server  as  to  what  usernames  might correspond to the supplied
6390             password. Users can login as whoever they please and they will be
6391             able  to do no more damage than if they started a telnet session.
6392             The daemon runs as the user that they log in as, so  they  cannot
6393             do anything that user cannot do.
6394
6395             To  restrict  a  service to a particular set of users you can use
6396             the valid users parameter.
6397
6398             If any of the usernames begin with a '@' then the  name  will  be
6399             looked  up  first in the NIS netgroups list (if Samba is compiled
6400             with netgroup support), followed by a lookup in the  UNIX  groups
6401             database  and  will expand to a list of all users in the group of
6402             that name.
6403
6404             If any of the usernames begin with a '+' then the  name  will  be
6405             looked  up  only in the UNIX groups database and will expand to a
6406             list of all users in the group of that name.
6407
6408             If any of the usernames begin with a '&' then the  name  will  be
6409             looked  up  only  in the NIS netgroups database (if Samba is com‐
6410             piled with netgroup support) and will expand to  a  list  of  all
6411             users in the netgroup group of that name.
6412
6413             Note that searching through a groups database can take quite some
6414             time, and some clients may time out during the search.
6415
6416             See the section NOTE ABOUT USERNAME/PASSWORD VALIDATION for  more
6417             information  on  how this parameter determines access to the ser‐
6418             vices.
6419
6420             Default: username = # The guest account if a guest service,  else
6421             <empty string>.
6422
6423             Example: username = fred, mary, jack, jane, @users, @pcgroup
6424
6425          username level (G)
6426             This option helps Samba to try and 'guess' at the real UNIX user‐
6427             name, as many DOS clients  send  an  all-uppercase  username.  By
6428             default  Samba tries all lowercase, followed by the username with
6429             the first letter capitalized, and fails if the  username  is  not
6430             found on the UNIX machine.
6431
6432             If  this  parameter is set to non-zero the behavior changes. This
6433             parameter is a number that specifies the number of uppercase com‐
6434             binations  to  try  while trying to determine the UNIX user name.
6435             The higher the number the more combinations will  be  tried,  but
6436             the slower the discovery of usernames will be. Use this parameter
6437             when you have strange usernames on your  UNIX  machine,  such  as
6438             AstrangeUser.
6439
6440             This parameter is needed only on UNIX systems that have case sen‐
6441             sitive usernames.
6442
6443             Default: username level = 0
6444
6445             Example: username level = 5
6446
6447          username map (G)
6448             This option allows you to specify a file containing a mapping  of
6449             usernames  from  the  clients to the server. This can be used for
6450             several purposes. The most common is to map usernames that  users
6451             use  on  DOS or Windows machines to those that the UNIX box uses.
6452             The other is to map multiple users to a single username  so  that
6453             they can more easily share files.
6454
6455             Please  note  that  for user or share mode security, the username
6456             map is applied prior to validating the user  credentials.  Domain
6457             member  servers  (domain or ads) apply the username map after the
6458             user has been successfully authenticated by the domain controller
6459             and require fully qualified entries in the map table (e.g. biddle
6460             = DOMAIN\foo).
6461
6462             The map file is parsed line by line. Each line should  contain  a
6463             single UNIX username on the left then a '=' followed by a list of
6464             usernames on the right. The list of usernames on  the  right  may
6465             contain  names  of  the form @group in which case they will match
6466             any UNIX username in that group. The special client name '*' is a
6467             wildcard  and  matches any name. Each line of the map file may be
6468             up to 1023 characters long.
6469
6470             The file is processed on each line by taking the  supplied  user‐
6471             name  and  comparing it with each username on the right hand side
6472             of the '=' signs. If the supplied name matches any of  the  names
6473             on  the  right hand side then it is replaced with the name on the
6474             left. Processing then continues with the next line.
6475
6476             If any line begins with a '#' or a ';' then it is ignored.
6477
6478             If any line begins with an '!'  then  the  processing  will  stop
6479             after that line if a mapping was done by the line. Otherwise map‐
6480             ping continues with every line being processed. Using '!' is most
6481             useful when you have a wildcard mapping line later in the file.
6482
6483             For example, to map from the name admin or administrator to the
6484             UNIX name root you would use:
6485
6486
6487
6488
6489
6490             root = admin administrator
6491
6492             Or to map anyone in the UNIX group system to the  UNIX  name  sys
6493             you would use:
6494
6495
6496
6497
6498             sys = @system
6499
6500
6501
6502             You can have as many mappings as you like in a username map file.
6503
6504             If your system supports the NIS NETGROUP option then the netgroup
6505             database is checked before the /etc/group database  for  matching
6506             groups.
6507
6508             You  can  map Windows usernames that have spaces in them by using
6509             double quotes around the name. For example:
6510
6511
6512
6513
6514             tridge = "Andrew Tridgell"
6515
6516             would map the windows username  "Andrew  Tridgell"  to  the  unix
6517             username "tridge".
6518
6519             The  following  example  would map mary and fred to the unix user
6520             sys, and map the rest to guest. Note the use of the '!'  to  tell
6521             Samba to stop processing if it gets a match on that line:
6522
6523
6524
6525
6526             !sys = mary fred
6527             guest = *
6528
6529
6530
6531             Note that the remapping is applied to all occurrences of usernames.
6532             Thus if you connect to \\server\fred and fred is remapped to
6533             mary then you will actually be connecting to \\server\mary and will
6534             need to supply a password suitable for mary not  fred.  The  only
6535             exception  to  this is the username passed to the password server
6536             (if you have one). The  password  server  will  receive  whatever
6537             username the client supplies without modification.
6538
6539             Also  note  that no reverse mapping is done. The main effect this
6540             has is with printing. Users who have been mapped may have trouble
6541             deleting  print  jobs  as PrintManager under WfWg will think they
6542             don't own the print job.
6543
6544             Samba versions prior to 3.0.8  would  only  support  reading  the
6545             fully qualified username (e.g.: DOMAIN\user) from the username map
6546             when performing a kerberos login from  a  client.  However,  when
6547             looking  up  a  map  entry for a user authenticated by NTLM[SSP],
6548             only the login name would be used for matches. This  resulted  in
6549             inconsistent behavior sometimes even on the same server.
6550
6551             The following functionality is obeyed in version 3.0.8 and later:
6552
6553             When performing local authentication, the username map is applied
6554             to the login name before attempting to authenticate  the  connec‐
6555             tion.
6556
6557             When relying upon an external domain controller for validating
6558             authentication requests, smbd will apply the username map to the
6559             fully qualified username (i.e. DOMAIN\user) only after the user has
6560             been successfully authenticated.
6561
6562             An example of use is:
6563
6564
6565
6566
6567             username map = /usr/local/samba/lib/users.map
6568
6569
6570
6571             Default: username map = # no username map
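The processing rules above (lines applied in order, replacement carried into later lines, '!' stopping after a match, '*' as wildcard, quoted names) can be traced with a small simulator. This is an added example, not Samba code: the function names, the in-memory group table standing in for NIS/UNIX group lookups, and the case-insensitive comparison are assumptions.

```python
import re

# One right-hand-side token: a double-quoted name (may contain spaces) or a bare word.
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def parse_map(text):
    """Parse username map text into (stop, unix_name, client_names) rules, in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # comment lines (and blank lines) are skipped
            continue
        stop = line.startswith("!")            # '!': stop after this line if it mapped
        if stop:
            line = line[1:]
        unix_name, sep, rhs = line.partition("=")
        unix_name = unix_name.strip()
        if not sep or not unix_name:
            continue                           # not a "unix = client ..." line
        clients = [quoted or bare for quoted, bare in _TOKEN.findall(rhs)]
        rules.append((stop, unix_name, clients))
    return rules


def _matches(pattern, name, groups):
    if pattern == "*":                         # wildcard matches any name
        return True
    if pattern.startswith("@"):                # @group: any member of that group
        members = groups.get(pattern[1:], ())
        return name.casefold() in {m.casefold() for m in members}
    return pattern.casefold() == name.casefold()   # assumption: case-insensitive


def map_username(rules, name, groups=None):
    """Return (final_name, trace); trace lists every (from, to) replacement made."""
    groups = groups or {}
    current, trace = name, []
    for stop, unix_name, clients in rules:
        if any(_matches(c, current, groups) for c in clients):
            trace.append((current, unix_name))
            current = unix_name                # later lines see the replaced name
            if stop:
                break
    return current, trace


def resolves_to(rules, candidates, targets, groups=None):
    """Audit helper: which candidate client names end up as one of `targets`?"""
    wanted = {t.casefold() for t in targets}
    hits = {}
    for name in candidates:
        final, trace = map_username(rules, name, groups)
        if trace and final.casefold() in wanted:
            hits[name] = trace
    return hits


# Constructed sample: the man page's example lines placed in one file.
# Without '!' on the earlier lines, the trailing wildcard remaps everything to guest.
SAMPLE_MAP = '''\
# constructed sample map
root = admin administrator
sys = @system
tridge = "Andrew Tridgell"
!sys = mary fred
guest = *
'''

# Constructed variant with '!' on every specific line, so the wildcard is a fallback only.
STOPPED_MAP = '''\
!root = admin administrator
!sys = @system mary fred
!tridge = "Andrew Tridgell"
guest = *
'''

GROUPS = {"system": {"alice"}}                 # constructed stand-in for /etc/group

if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_MAP), ("stopped", STOPPED_MAP)):
        rules = parse_map(text)
        for user in ("admin", "mary", "alice", "Andrew Tridgell", "bob"):
            print(label, repr(user), "->", map_username(rules, user, GROUPS))
        print(label, "maps to root:", resolves_to(rules, ["admin", "bob"], {"root"}, GROUPS))
```

Running `resolves_to` against a production map with `targets={"root"}` is a quick way to review which client names a map file can turn into a privileged UNIX account.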
6572
6573          username map script (G)
6574             This script is a mutually exclusive alternative to the username
6575             map parameter. This parameter specifies an external program or
6576             script that must accept a single command line option (the username
6577             transmitted in the authentication request) and return a
6578             line on standard output (the name to which the account should be
6579             mapped). In this way, it is possible to store username map tables
6580             in an LDAP or NIS directory service.
6581
6582             Default: username map script =
6583
6584             Example: username map script = /etc/samba/scripts/mapusers.sh
6585
6586          usershare allow guests (G)
6587             This parameter controls whether user defined shares  are  allowed
6588             to  be  accessed  by  non-authenticated  users  or not. It is the
6589             equivalent of allowing people who can create a share  the  option
6590             of setting guest ok = yes in a share definition. Due to the secu‐
6591             rity sensitive nature of this the default is set to off.
6592
6593             Default: usershare allow guests = no
6594
6595          usershare max shares (G)
6596             This parameter specifies the number of user defined  shares  that
6597             are  allowed to be created by users belonging to the group owning
6598             the usershare directory.  If  set  to  zero  (the  default)  user
6599             defined shares are ignored.
6600
6601             Default: usershare max shares = 0
6602
6603          usershare owner only (G)
6604             This parameter controls whether the pathname exported by a user
6605             defined share must be owned by the user creating the user
6606             defined  share  or  not.  If  set to True (the default) then smbd
6607             checks that the directory path being shared is owned by the  user
6608             who  owns  the  usershare file defining this share and refuses to
6609             create the share if not. If set to False then no  such  check  is
6610             performed  and  any  directory path may be exported regardless of
6611             who owns it.
6612
6613             Default: usershare owner only = True
6614
6615          usershare path (G)
6616             This parameter specifies the absolute path of  the  directory  on
6617             the  filesystem  used  to store the user defined share definition
6618             files. This directory must be owned by root, and have  no  access
6619             for  other,  and be writable only by the group owner. In addition
6620             the "sticky" bit must also be set, restricting rename and  delete
6621             to  owners  of a file (in the same way the /tmp directory is usu‐
6622             ally configured). Members of the group owner  of  this  directory
6623             are  the users allowed to create usershares. If this parameter is
6624             undefined then no user defined shares are allowed.
6625
6626             For   example,   a   valid   usershare   directory    might    be
6627             /usr/local/samba/lib/usershares, set up as follows.
6628
6629
6630
6631
6632
6633
6634                  ls -ld /usr/local/samba/lib/usershares/
6635                  drwxrwx--T  2 root power_users 4096 2006-05-05 12:27 /usr/local/samba/lib/usershares/
6636
6637
6638
6639             In  this case, only members of the group "power_users" can create
6640             user defined shares.
6641
6642             Default: usershare path = NULL
6643
6644          usershare prefix allow list (G)
6645             This parameter specifies a list of absolute pathnames the root of
6646             which  are  allowed  to be exported by user defined share defini‐
6647             tions. If the pathname exported doesn't start  with  one  of  the
6648             strings  in this list the user defined share will not be allowed.
6649             This allows the Samba administrator to restrict  the  directories
6650             on the system that can be exported by user defined shares.
6651
6652             If  there is a "usershare prefix deny list" and also a "usershare
6653             prefix allow list" the deny list is processed first, followed  by
6654             the  allow list, thus leading to the most restrictive interpreta‐
6655             tion.
6656
6657             Default: usershare prefix allow list = NULL
6658
6659             Example: usershare prefix allow list = /home /data /space
6660
6661          usershare prefix deny list (G)
6662             This parameter specifies a list of absolute pathnames the root of
6663             which  are NOT allowed to be exported by user defined share defi‐
6664             nitions. If the pathname exported starts with one of the  strings
6665             in  this  list  the  user  defined share will not be allowed. Any
6666             pathname not starting with one of these strings will  be  allowed
6667             to  be exported as a usershare. This allows the Samba administra‐
6668             tor to restrict  the  directories  on  the  system  that  can  be
6669             exported by user defined shares.
6670
6671             If  there is a "usershare prefix deny list" and also a "usershare
6672             prefix allow list" the deny list is processed first, followed  by
6673             the  allow list, thus leading to the most restrictive interpreta‐
6674             tion.
6675
6676             Default: usershare prefix deny list = NULL
6677
6678             Example: usershare prefix deny list = /etc /dev /private
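The usershare checks described above (directory permissions from usershare path, the ownership rule from usershare owner only, and deny-then-allow prefix evaluation) can be expressed as one audit routine. This is an added example, not Samba code: the function names are hypothetical, prefix matching is plain string-prefix following the wording "start with one of the strings", and an empty allow list is treated as "no allow restriction".

```python
import os
import stat

# Constructed sample modes (st_mode values) for the checks below.
MODE_GOOD = 0o041770          # drwxrwx--T, as in the ls -ld example above
MODE_WORLD = 0o041777         # drwxrwxrwt: other has access
MODE_NO_STICKY = 0o040770     # drwxrwx---: sticky bit missing


def usershare_dir_problems(mode, uid):
    """Compare a directory's st_mode/st_uid with the rules listed for 'usershare path'."""
    problems = []
    if not stat.S_ISDIR(mode):
        problems.append("not a directory")
    if uid != 0:
        problems.append("not owned by root")
    if mode & stat.S_IRWXO:
        problems.append("other has access")
    if not mode & stat.S_IWGRP:
        problems.append("group owner cannot write")
    if not mode & stat.S_ISVTX:
        problems.append("sticky bit not set")
    return problems


def audit_usershare_path(path):
    """Run the same checks against a real directory on this host."""
    st = os.stat(path)
    return usershare_dir_problems(st.st_mode, st.st_uid)


def export_decision(path, allow=(), deny=(), owner_only=True,
                    path_uid=None, creator_uid=None):
    """Return (allowed, reason) for a proposed usershare export path."""
    # Deny list is processed first ...
    for prefix in deny:
        if path.startswith(prefix):
            return False, "denied by prefix " + prefix
    # ... followed by the allow list (assumption: empty list means no restriction).
    if allow and not any(path.startswith(p) for p in allow):
        return False, "not under any allowed prefix"
    # 'usershare owner only': exported directory must belong to the share's creator.
    # (The order of this check relative to the prefix checks is an assumption.)
    if owner_only and path_uid != creator_uid:
        return False, "path not owned by share creator"
    return True, "ok"


if __name__ == "__main__":
    print(usershare_dir_problems(MODE_GOOD, 0))
    print(usershare_dir_problems(MODE_WORLD, 1000))
    allow, deny = ["/home", "/data", "/space"], ["/etc", "/dev", "/private"]
    for p, owner in (("/home/greg/pub", 1000), ("/etc/samba", 1000),
                     ("/srv/www", 1000), ("/home/mary/pub", 1001),
                     ("/homework", 1000)):
        print(p, export_decision(p, allow, deny, path_uid=owner, creator_uid=1000))
```

Under a literal string-prefix reading, an allow entry of `/home` also admits `/homework`, so it is worth reviewing list entries for sibling directories that share a leading string.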
6679
6680          usershare template share (G)
6681             User defined shares only have limited possible parameters such as
6682             path, guest ok etc. This parameter allows usershares to be "cloned"
6683             from an existing share. If "usershare template share" is  set  to
6684             the  name  of an existing share, then all usershares created have
6685             their defaults set from the parameters set on this share.
6686
6687             The target share may be set to be invalid for real  file  sharing
6688             by  setting  the parameter "-valid = False" on the template share
6689             definition. This causes it not to be  seen  as  a  real  exported
6690             share but to be able to be used as a template for usershares.
6691
6692             Default: usershare template share = NULL
6693
6694             Example: usershare template share = template_share
6695
6696          use sendfile (S)
6697             If  this parameter is yes, and the sendfile() system call is sup‐
6698             ported by the underlying operating system,  then  some  SMB  read
6699             calls  (mainly  ReadAndX and ReadRaw) will use the more efficient
6700             sendfile system call for files  that  are  exclusively  oplocked.
6701             This  may  make  more efficient use of the system CPU's and cause
6702             Samba to be  faster.  Samba  automatically  turns  this  off  for
6703             clients  that  use protocol levels lower than NT LM 0.12 and when
6704             it detects a client is Windows 9x (using sendfile from Linux will
6705             cause these clients to fail).
6706
6707             Default: use sendfile = false
6708
6709          use spnego (G)
6710             This variable controls whether Samba will try to use
6711             Simple and Protected NEGOciation (as specified by  rfc2478)  with
6712             WindowsXP and Windows2000 clients to agree upon an authentication
6713             mechanism.
6714
6715             Unless further issues are discovered with our SPNEGO  implementa‐
6716             tion, there is no reason this should ever be disabled.
6717
6718             Default: use spnego = yes
6719
6720          utmp (G)
6721             This  boolean  parameter is only available if Samba has been con‐
6722             figured and compiled with the option --with-utmp. If set  to  yes
6723             then  Samba  will attempt to add utmp or utmpx records (depending
6724             on the UNIX system) whenever a connection  is  made  to  a  Samba
6725             server.  Sites  may  use  this to record the user connecting to a
6726             Samba share.
6727
6728             Due to the requirements of the utmp record, we  are  required  to
6729             create  a  unique identifier for the incoming user. Enabling this
6730             option creates an n^2 algorithm to find  this  number.  This  may
6731             impede performance on large installations.
6732
6733             Default: utmp = no
6734
6735          utmp directory (G)
6736             This parameter is only available if Samba has been configured and
6737             compiled with the option --with-utmp. It  specifies  a  directory
6738             pathname that is used to store the utmp or utmpx files (depending
6739             on the UNIX system) that  record  user  connections  to  a  Samba
6740             server.  By  default this is not set, meaning the system will use
6741             whatever utmp file the native  system  is  set  to  use  (usually
6742             /var/run/utmp on Linux).
6743
6744             Default: utmp directory = # Determined automatically
6745
6746             Example: utmp directory = /var/run/utmp
6747
6748          -valid (S)
6749             This parameter indicates whether a share is valid and thus can be
6750             used. When this parameter is set to false, the share will  be  in
6751             no way visible nor accessible.
6752
6753             This  option  should not be used by regular users but might be of
6754             help to developers. Samba uses this  option  internally  to  mark
6755             shares as deleted.
6756
6757             Default: -valid = yes
6758
6759          valid users (S)
6760             This  is  a list of users that should be allowed to login to this
6761             service. Names starting with '@', '+'  and  '&'  are  interpreted
6762             using the same rules as described in the invalid users parameter.
6763
6764             If  this  is  empty  (the  default) then any user can login. If a
6765             username is in both this list and the  invalid  users  list  then
6766             access is denied for that user.
6767
6768             The  current servicename is substituted for %S. This is useful in
6769             the [homes] section.
6770
6771             Default: valid users = # No valid users list (anyone can login)
6772
6773             Example: valid users = greg, @pcusers
6774
6775          veto files (S)
6776             This is a list of files and directories that are neither  visible
6777             nor  accessible.  Each  entry  in the list must be separated by a
6778             '/', which allows spaces to be included in the entry. '*' and '?'
6779             can  be  used  to specify multiple files or directories as in DOS
6780             wildcards.
6781
6782             Each entry must be a unix path, not  a  DOS  path  and  must  not
6783             include the unix directory separator '/'.
6784
6785             Note  that  the  case  sensitive  option is applicable in vetoing
6786             files.
6787
6788             One feature of the veto files parameter that it is  important  to
6789             be  aware  of is Samba's behaviour when trying to delete a direc‐
6790             tory. If a directory that is to be deleted contains  nothing  but
6791             veto files this deletion will fail unless you also set the delete
6792             veto files parameter to yes.
6793
6794             Setting this parameter will affect the performance of  Samba,  as
6795             it  will be forced to check all files and directories for a match
6796             as they are scanned.
6797
6798             Examples of use include:
6799
6800
6801
6802
6803             ; Veto any files containing the word Security,
6804             ; any ending in .tmp, and any directory containing the
6805             ; word root.
6806             veto files = /*Security*/*.tmp/*root*/
6807
6808             ; Veto the Apple specific files that a NetAtalk server
6809             ; creates.
6810             veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/
6811
6812
6813
6814             Default: veto files = No files or directories are vetoed.
6815
6816          veto oplock files (S)
6817             This parameter is only valid when the oplocks parameter is turned
6818             on  for a share. It allows the Samba administrator to selectively
6819             turn off the granting of oplocks on selected files that  match  a
6820             wildcarded  list, similar to the wildcarded list used in the veto
6821             files parameter.
6822
6823             You might want to do this on files that you know will be  heavily
6824             contended  for  by clients. A good example of this is in the Net‐
6825             Bench SMB benchmark program, which causes heavy client contention
6826             for  files ending in .SEM. To cause Samba not to grant oplocks on
6827             these files you would use the line (either in the [global] section
6828             or in the section for the particular NetBench share).
6829
6830             An example of use is:
6831
6832
6833
6834
6835             veto oplock files = /.*SEM/
6836
6837
6838
6839             Default:  veto  oplock  files  = # No files are vetoed for oplock
6840             grants
6841
6842          vfs object
6843             This parameter is a synonym for vfs objects.
6844
6845          vfs objects (S)
6846             This parameter specifies the backend names  which  are  used  for
6847             Samba  VFS I/O operations. By default, normal disk I/O operations
6848             are used but these  can  be  overloaded  with  one  or  more  VFS
6849             objects.
6850
6851             Default: vfs objects =
6852
6853             Example: vfs objects = extd_audit recycle
6854
6855          volume (S)
6856             This  allows  you  to  override  the  volume label returned for a
6857             share. Useful for CDROMs with installation programs  that  insist
6858             on a particular volume label.
6859
6860             Default: volume = # the name of the share
6861
6862          wide links (S)
6863             This  parameter  controls  whether  or not links in the UNIX file
6864             system may be followed by the server. Links that point  to  areas
6865             within  the  directory  tree  exported  by  the server are always
6866             allowed; this parameter controls access only to  areas  that  are
6867             outside the directory tree being exported.
6868
6869             Note  that  setting  this parameter can have a negative effect on
6870             your server performance due to the extra system calls that  Samba
6871             has to do in order to perform the link checks.
6872
6873             Default: wide links = yes
6874
6875          winbind cache time (G)
6876             This  parameter  specifies  the number of seconds the winbindd(8)
6877             daemon will cache user and group information  before  querying  a
6878             Windows NT server again.
6879
6880             This  does not apply to authentication requests, these are always
6881             evaluated in real time unless the winbind  offline  logon  option
6882             has been enabled.
6883
6884             Default: winbind cache time = 300
6885
6886          winbind enum groups (G)
6887             On  large  installations using winbindd(8) it may be necessary to
6888             suppress the enumeration of groups through the  setgrent(),  get‐
6889             grent() and endgrent() group of system calls. If the winbind enum
6890             groups parameter is no, calls to the getgrent() system call  will
6891             not return any data.
6892
6893             Warning
6894             Turning off group enumeration may cause some programs to behave oddly.
6895             Default: winbind enum groups = no
6896
6897          winbind enum users (G)
6898             On large installations using winbindd(8) it may be  necessary  to
6899             suppress  the  enumeration of users through the setpwent(), getp‐
6900             went() and endpwent() group of system calls. If the winbind  enum
6901             users parameter is no, calls to the getpwent system call will not
6902             return any data.
6903
6904             Warning
6905             Turning off user enumeration may cause some  programs  to  behave
6906             oddly. For example, the finger program relies on having access to
6907             the  full  user  list  when  searching  for  matching  usernames.
6908             Default: winbind enum users = no
6909
6910          winbind expand groups (G)
6911             This  option  controls  the maximum depth that winbindd will tra‐
6912             verse when flattening nested group memberships of Windows  domain
6913             groups.  This  is different from the winbind nested groups option
6914             which implements the Windows NT4 model of  local  group  nesting.
6915             The "winbind expand groups" parameter specifically applies to the
6916             membership of domain groups.
6917
6918             Be aware that a high value for this parameter can result in  sys‐
6919             tem  slowdown as the main parent winbindd daemon must perform the
6920             group unrolling and will be unable  to  answer  incoming  NSS  or
6921             authentication requests during this time.
6922
6923             Default: winbind expand groups = 1
6924
6925          winbind nested groups (G)
6926             If  set  to  yes, this parameter activates the support for nested
6927             groups. Nested groups are also called local  groups  or  aliases.
6928             They  work  like their counterparts in Windows: Nested groups are
6929             defined locally on any machine  (they  are  shared  between  DC's
6930             through  their  SAM) and can contain users and global groups from
6931             any trusted SAM. To be able to use nested groups, you need to run
6932             nss_winbind.
6933
6934             Default: winbind nested groups = yes
6935
6936          winbind normalize names (G)
6937             This  parameter controls whether winbindd will replace whitespace
6938             in user and group names with an  underscore  (_)  character.  For
6939             example,  whether  the name "Space Kadet" should be replaced with
6940             the string "space_kadet". Frequently Unix shell scripts will have
6941             difficulty with usernames containing whitespace due to the default
6942             field separator in the shell. Do not enable this option if the
6943             underscore character is used in account names within your domain.
6944
6945             Default: winbind normalize names = no
6946
6947             Example: winbind normalize names = yes
6948
6949          winbind nss info (G)
6950             This  parameter is designed to control how Winbind retrieves Name
6951             Service Information to construct  a  user's  home  directory  and
6952             login shell. Currently the following settings are available:
6953
6954                ·  template - The default, using the parameters of template
6955                   shell and template homedir.
6956
6957                ·  sfu - When Samba is running in  security  =  ads  and  your
6958                   Active  Directory Domain Controller does support the Micro‐
6959                   soft "Services for Unix" (SFU)  LDAP  schema,  winbind  can
6960                   retrieve  the login shell and the home directory attributes
6961                   directly from your Directory Server. Note  that  retrieving
6962                   UID and GID from your ADS-Server requires using idmap
6963                   backend = idmap_ad as well.
6964
6965
6966
6967
6968                Default: winbind nss info = template
6969
6970                Example: winbind nss info = template sfu
6971
6972          winbind offline logon (G)
6973             This parameter is designed  to  control  whether  Winbind  should
6974             allow logins with the pam_winbind module using Cached Credentials.
6975             If enabled, winbindd will store user credentials from successful
6976             logins encrypted in a local cache.
6977
6978             Default: winbind offline logon = false
6979
6980             Example: winbind offline logon = true
6981
6982          winbind refresh tickets (G)
6983             This  parameter  is  designed  to  control whether Winbind should
6984             refresh Kerberos Tickets retrieved using the pam_winbind module.
6985
6986             Default: winbind refresh tickets = false
6987
6988             Example: winbind refresh tickets = true
6989
6990          winbind rpc only (G)
6991             Setting this parameter to yes forces winbindd to use RPC  instead
6992             of LDAP to retrieve information from Domain Controllers.
6993
6994             Default: winbind rpc only = no
6995
6996          winbind separator (G)
6997             This  parameter allows an admin to define the character used when
6998             listing a username of the form of DOMAIN\user. This parameter
6999             is  only  applicable  when  using the pam_winbind.so and nss_win‐
7000             bind.so modules for UNIX services.
7001
7002             Please note that setting this parameter to + causes problems with
7003             group membership at least on glibc systems, as the character + is
7004             used as a special character for NIS in /etc/group.
7005
7006             Default: winbind separator = '\'
7007
7008             Example: winbind separator = +
7009
7010          winbind trusted domains only (G)
7011             This parameter is designed to allow Samba servers that  are  mem‐
7012             bers  of  a Samba controlled domain to use UNIX accounts distrib‐
7013             uted via NIS, rsync, or LDAP as the uid's for winbindd  users  in
7014             the host's primary domain. Therefore, the user DOMAIN\user1 would
7015             be mapped to the account user1 in /etc/passwd instead of allocat‐
7016             ing a new uid for him or her.
7017
7018             This  parameter is now deprecated in favor of the newer idmap_nss
7019             backend. Refer to the  idmap  domains  smb.conf  option  and  the
7020             idmap_nss(8) man page for more information.
7021
7022             Default: winbind trusted domains only = no
7023
7024          winbind use default domain (G)
7025             This  parameter  specifies  whether the winbindd(8) daemon should
7026             operate on users without a domain component in their username.
7027             Users without a domain component are treated as if they are part of the
7028             winbindd server's own domain. While this does not benefit Windows
7029             users, it makes SSH, FTP and e-mail function in a way much closer
7030             to the way they would in a native unix system.
7031
7032             Default: winbind use default domain = no
7033
7034             Example: winbind use default domain = yes
7035
          wins hook (G)
             When Samba is running as a WINS server this allows you to call an
             external program for all changes to the WINS database. The
             primary use for this option is to allow the dynamic update of
             external name resolution databases such as dynamic DNS.

             The wins hook parameter specifies the name of a script or
             executable that will be called as follows:

             wins_hook operation name nametype ttl IP_list

                ·  The first argument is the operation and is one of "add",
                   "delete", or "refresh". In most cases the operation can be
                   ignored as the rest of the parameters provide sufficient
                   information. Note that "refresh" may sometimes be called
                   when the name has not previously been added; in that case
                   it should be treated as an add.

                ·  The second argument is the NetBIOS name. If the name is not
                   a legal name then the wins hook is not called. Legal names
                   contain only letters, digits, hyphens, underscores and
                   periods.

                ·  The third argument is the NetBIOS name type as a 2 digit
                   hexadecimal number.

                ·  The fourth argument is the TTL (time to live) for the name
                   in seconds.

                ·  The fifth and subsequent arguments are the IP addresses
                   currently registered for that name. If this list is empty
                   then the name should be deleted.

             An example script that calls the BIND dynamic DNS update program
             nsupdate is provided in the examples directory of the Samba
             source code.

             No default

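             The wins hook calling convention described above, as an added
             example that is not the script shipped in the Samba examples
             directory: a POSIX sh hook that re-validates every argument
             before building an nsupdate batch. The zone wins.example.test
             and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not Samba's own script. DOMAIN is an assumed placeholder zone.
DOMAIN="wins.example.test"

# Succeeds only for a dotted quad whose four octets are each 0-255.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # safe unquoted: only digits and dots remain
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for o in "$@"; do
        [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
    done
}

# Arguments: operation name nametype ttl [IP ...]
# Prints an nsupdate batch on stdout; returns 2 if any argument is malformed.
wins_to_nsupdate() {
    [ "$#" -ge 4 ] || return 2
    op=$1 name=$2 ntype=$3 ttl=$4
    shift 4
    case "$op" in add|delete|refresh) ;; *) return 2 ;; esac
    # Legal names: letters, digits, hyphens, underscores and periods only.
    case "$name" in ""|*[!A-Za-z0-9._-]*) return 2 ;; esac
    # Name type: exactly two hexadecimal digits.
    case "$ntype" in [0-9A-Fa-f][0-9A-Fa-f]) ;; *) return 2 ;; esac
    # TTL: non-negative integer number of seconds.
    case "$ttl" in ""|*[!0-9]*) return 2 ;; esac
    for ip in "$@"; do is_ipv4 "$ip" || return 2; done

    fqdn="$name.$DOMAIN"
    echo "update delete $fqdn A"
    for ip in "$@"; do echo "update add $fqdn $ttl A $ip"; done
    echo "send"
}

# When nmbd invokes the hook with arguments, feed the batch to nsupdate.
[ "$#" -eq 0 ] || wins_to_nsupdate "$@" | nsupdate
```

             Because the batch always deletes the A records first and then
             re-adds the current IP list, the operation argument needs no
             special handling and an empty IP list results in a plain delete.
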
          wins proxy (G)
             This is a boolean that controls if nmbd(8) will respond to
             broadcast name queries on behalf of other hosts. You may need to
             set this to yes for some older clients.

             Default: wins proxy = no

          wins server (G)
             This specifies the IP address (or DNS name: IP address for
             preference) of the WINS server that nmbd(8) should register with.
             If you have a WINS server on your network then you should set
             this to the WINS server's IP.

             You should point this at your WINS server if you have a
             multi-subnetted network.

             If you want to work in multiple namespaces, you can give every
             wins server a 'tag'. For each tag, only one (working) server will
             be queried for a name. The tag should be separated from the IP
             address by a colon.

             Note
             You need to set up Samba to point to a WINS server if you have
             multiple subnets and wish cross-subnet browsing to work
             correctly. See the chapter in the Samba3-HOWTO on Network
             Browsing.

             Default: wins server =

             Example: wins server = mary:192.9.200.1 fred:192.168.3.199
             mary:192.168.2.61 # For this example, when querying a certain
             name, 192.9.200.1 will be asked first and, if that doesn't
             respond, 192.168.2.61. If either of those doesn't know the name,
             192.168.3.199 will be queried.

             Example: wins server = 192.9.200.1 192.168.2.61

          wins support (G)
             This boolean controls if the nmbd(8) process in Samba will act as
             a WINS server. You should not set this to yes unless you have a
             multi-subnetted network and you wish a particular nmbd to be your
             WINS server. Note that you should NEVER set this to yes on more
             than one machine in your network.

             Default: wins support = no

          workgroup (G)
             This controls what workgroup your server will appear to be in
             when queried by clients. Note that this parameter also controls
             the Domain name used with the security = domain setting.

             Default: workgroup = WORKGROUP

             Example: workgroup = MYGROUP

          writable
             This parameter is a synonym for writeable.

          writeable (S)
             Inverted synonym for read only.

             No default

          write cache size (S)
             If this integer parameter is set to a non-zero value, Samba will
             create an in-memory cache for each oplocked file (it does not do
             this for non-oplocked files). All writes that the client does not
             request to be flushed directly to disk will be stored in this
             cache if possible. The cache is flushed onto disk when a write
             comes in whose offset would not fit into the cache or when the
             file is closed by the client. Reads for the file are also served
             from this cache if the data is stored within it.

             This cache allows Samba to batch client writes into a more
             efficient write size for RAID disks (i.e. writes may be tuned to
             be the RAID stripe size) and can improve performance on systems
             where the disk subsystem is a bottleneck but there is free memory
             for userspace programs.

             The integer parameter specifies the size of this cache (per
             oplocked file) in bytes.

             Default: write cache size = 0

             Example: write cache size = 262144 # for a 256k cache size per
             file

          write list (S)
             This is a list of users that are given read-write access to a
             service. If the connecting user is in this list then they will be
             given write access, no matter what the read only option is set
             to. The list can include group names using the @group syntax.

             Note that if a user is in both the read list and the write list
             then they will be given write access.

             By design, this parameter will not work with security = share in
             Samba 3.0.

             Default: write list =

             Example: write list = admin, root, @staff

          write raw (G)
             This parameter controls whether or not the server will support
             raw write SMBs when transferring data from clients. You should
             never need to change this parameter.

             Default: write raw = yes

          wtmp directory (G)
             This parameter is only available if Samba has been configured and
             compiled with the option --with-utmp. It specifies a directory
             pathname that is used to store the wtmp or wtmpx files (depending
             on the UNIX system) that record user connections to a Samba
             server. The difference with the utmp directory is the fact that
             user info is kept after a user has logged out.

             By default this is not set, meaning the system will use whatever
             utmp file the native system is set to use (usually /var/run/wtmp
             on Linux).

             Default: wtmp directory =

             Example: wtmp directory = /var/log/wtmp

WARNINGS

       Although the configuration file permits service names to contain
       spaces, your client software may not. Spaces will be ignored in
       comparisons anyway, so it shouldn't be a problem - but be aware of the
       possibility.

       On a similar note, many clients - especially DOS clients - limit
       service names to eight characters. smbd(8) has no such limitation, but
       attempts to connect from such clients will fail if they truncate the
       service names. For this reason you should probably keep your service
       names down to eight characters in length.

       Use of the [homes] and [printers] special sections makes life for an
       administrator easy, but the various combinations of default attributes
       can be tricky. Take extreme care when designing these sections. In
       particular, ensure that the permissions on spool directories are
       correct.

VERSION

       This man page is correct for version 3.0 of the Samba suite.

SEE ALSO

       samba(7), smbpasswd(8), swat(8), smbd(8), nmbd(8), smbclient(1),
       nmblookup(1), testparm(1), testprns(1).

AUTHOR

       The original Samba software and related utilities were created by
       Andrew Tridgell. Samba is now developed by the Samba Team as an Open
       Source project similar to the way the Linux kernel is developed.

       The original Samba man pages were written by Karl Auer. The man page
       sources were converted to YODL format (another excellent piece of Open
       Source software, available at ftp://ftp.icce.rug.nl/pub/unix/) and
       updated for the Samba 2.0 release by Jeremy Allison. The conversion to
       DocBook for Samba 2.2 was done by Gerald Carter. The conversion to
       DocBook XML 4.2 for Samba 3.0 was done by Alexander Bokovoy.