1SMB.CONF(5)              File Formats and Conventions              SMB.CONF(5)
2
3
4

NAME

6       smb.conf - The configuration file for the Samba suite
7

SYNOPSIS

9       The smb.conf file is a configuration file for the Samba suite.
10       smb.conf contains runtime configuration information for the Samba
11       programs. The complete description of the file format and possible
12       parameters held within are here for reference purposes.
13

FILE FORMAT

15       The file consists of sections and parameters. A section begins with the
16       name of the section in square brackets and continues until the next
17       section begins. Sections contain parameters of the form:
18
19           name = value
20
21       The file is line-based - that is, each newline-terminated line
22       represents either a comment, a section name or a parameter.
23
24       Section and parameter names are not case sensitive.
25
26       Only the first equals sign in a parameter is significant. Whitespace
27       before or after the first equals sign is discarded. Leading, trailing
28       and internal whitespace in section and parameter names is irrelevant.
29       Leading and trailing whitespace in a parameter value is discarded.
30       Internal whitespace within a parameter value is retained verbatim.
31
32       Any line beginning with a semicolon (“;”) or a hash (“#”) character is
33       ignored, as are lines containing only whitespace.
34
35       Any line ending in a “\” is continued on the next line in the customary
36       UNIX fashion.
37
38       The values following the equals sign in parameters are all either a
39       string (no quotes needed) or a boolean, which may be given as yes/no,
40       1/0 or true/false. Case is not significant in boolean values, but is
41       preserved in string values. Some items such as create masks are
42       numeric.
43

SECTION DESCRIPTIONS

45       Each section in the configuration file (except for the [global]
46       section) describes a shared resource (known as a “share”). The section
47       name is the name of the shared resource and the parameters within the
48       section define the shares attributes.
49
50       There are three special sections, [global], [homes] and [printers],
51       which are described under special sections. The following notes apply
52       to ordinary section descriptions.
53
54       A share consists of a directory to which access is being given plus a
55       description of the access rights which are granted to the user of the
56       service. Some housekeeping options are also specifiable.
57
58       Sections are either file share services (used by the client as an
59       extension of their native file systems) or printable services (used by
60       the client to access print services on the host running the server).
61
62       Sections may be designated guest services, in which case no password is
63       required to access them. A specified UNIX guest account is used to
64       define access privileges in this case.
65
66       Sections other than guest services will require a password to access
67       them. The client provides the username. As older clients only provide
68       passwords and not usernames, you may specify a list of usernames to
69       check against the password using the user = option in the share
70       definition. For modern clients such as Windows 95/98/ME/NT/2000, this
71       should not be necessary.
72
73       The access rights granted by the server are masked by the access rights
74       granted to the specified or guest UNIX user by the host system. The
75       server does not grant more access than the host system grants.
76
77       The following sample section defines a file space share. The user has
78       write access to the path /home/bar. The share is accessed via the share
79       name foo:
80
81                [foo]
82                path = /home/bar
83                read only = no
84
85       The following sample section defines a printable share. The share is
86       read-only, but printable. That is, the only write access permitted is
87       via calls to open, write to and close a spool file. The guest ok
88       parameter means access will be permitted as the default guest user
89       (specified elsewhere):
90
91                [aprinter]
92                path = /usr/spool/public
93                read only = yes
94                printable = yes
95                guest ok = yes
96
97

SPECIAL SECTIONS

99   The [global] section
100       Parameters in this section apply to the server as a whole, or are
101       defaults for sections that do not specifically define certain items.
102       See the notes under PARAMETERS for more information.
103
104   The [homes] section
105       If a section called [homes] is included in the configuration file,
106       services connecting clients to their home directories can be created on
107       the fly by the server.
108
109       When the connection request is made, the existing sections are scanned.
110       If a match is found, it is used. If no match is found, the requested
111       section name is treated as a username and looked up in the local
112       password file. If the name exists and the correct password has been
113       given, a share is created by cloning the [homes] section.
114
115       Some modifications are then made to the newly created share:
116
117              ·   The share name is changed from homes to the located
118                  username.
119
120              ·   If no path was given, the path is set to the user's home
121                  directory.
122
123
124       If you decide to use a path = line in your [homes] section, it may be
125       useful to use the %S macro. For example:
126
127           path = /data/pchome/%S
128
129       is useful if you have different home directories for your PCs than for
130       UNIX access.
131
132       This is a fast and simple way to give a large number of clients access
133       to their home directories with a minimum of fuss.
134
135       A similar process occurs if the requested section name is “homes”,
136       except that the share name is not changed to that of the requesting
137       user. This method of using the [homes] section works well if different
138       users share a client PC.
139
140       The [homes] section can specify all the parameters a normal service
141       section can specify, though some make more sense than others. The
142       following is a typical and suitable [homes] section:
143
144           [homes]
145           read only = no
146
147       An important point is that if guest access is specified in the [homes]
148       section, all home directories will be visible to all clients without a
149       password. In the very unlikely event that this is actually desirable,
150       it is wise to also specify read only access.
151
152       The browseable flag for auto home directories will be inherited from
153       the global browseable flag, not the [homes] browseable flag. This is
154       useful as it means setting browseable = no in the [homes] section will
155       hide the [homes] share but make any auto home directories visible.
156
157   The [printers] section
158       This section works like [homes], but for printers.
159
160       If a [printers] section occurs in the configuration file, users are
161       able to connect to any printer specified in the local host's printcap
162       file.
163
164       When a connection request is made, the existing sections are scanned.
165       If a match is found, it is used. If no match is found, but a [homes]
166       section exists, it is used as described above. Otherwise, the requested
167       section name is treated as a printer name and the appropriate printcap
168       file is scanned to see if the requested section name is a valid printer
169       share name. If a match is found, a new printer share is created by
170       cloning the [printers] section.
171
172       A few modifications are then made to the newly created share:
173
174              ·   The share name is set to the located printer name
175
176              ·   If no printer name was given, the printer name is set to the
177                  located printer name
178
179              ·   If the share does not permit guest access and no username
180                  was given, the username is set to the located printer name.
181
182
183       The [printers] service MUST be printable - if you specify otherwise,
184       the server will refuse to load the configuration file.
185
186       Typically the path specified is that of a world-writeable spool
187       directory with the sticky bit set on it. A typical [printers] entry
188       looks like this:
189
190           [printers]
191           path = /usr/spool/public
192           guest ok = yes
193           printable = yes
194
195       All aliases given for a printer in the printcap file are legitimate
196       printer names as far as the server is concerned. If your printing
197       subsystem doesn't work like that, you will have to set up a
198       pseudo-printcap. This is a file consisting of one or more lines like
199       this:
200
201           alias|alias|alias|alias...
202
203       Each alias should be an acceptable printer name for your printing
204       subsystem. In the [global] section, specify the new file as your
205       printcap. The server will only recognize names found in your
206       pseudo-printcap, which of course can contain whatever aliases you like.
207       The same technique could be used simply to limit access to a subset of
208       your local printers.
209
210       An alias, by the way, is defined as any component of the first entry of
211       a printcap record. Records are separated by newlines, components (if
212       there are more than one) are separated by vertical bar symbols (|).
213
214           Note
215           On SYSV systems which use lpstat to determine what printers are
216           defined on the system you may be able to use printcap name = lpstat
217           to automatically obtain a list of printers. See the printcap name
218           option for more details.
219

USERSHARES

221       Starting with Samba version 3.0.23 the capability for non-root users to
222       add, modify, and delete their own share definitions has been added.
223       This capability is called usershares and is controlled by a set of
224       parameters in the [global] section of the smb.conf. The relevant
225       parameters are :
226
227       usershare allow guests
228           Controls if usershares can permit guest access.
229
230       usershare max shares
231           Maximum number of user defined shares allowed.
232
233       usershare owner only
234           If set only directories owned by the sharing user can be shared.
235
236       usershare path
237           Points to the directory containing the user defined share
238           definitions. The filesystem permissions on this directory control
239           who can create user defined shares.
240
241       usershare prefix allow list
242           Comma-separated list of absolute pathnames restricting what
243           directories can be shared. Only directories below the pathnames in
244           this list are permitted.
245
246       usershare prefix deny list
247           Comma-separated list of absolute pathnames restricting what
248           directories can be shared. Directories below the pathnames in this
249           list are prohibited.
250
251       usershare template share
252           Names a pre-existing share used as a template for creating new
253           usershares. All other share parameters not specified in the user
254           defined share definition are copied from this named share.
255
256       To allow members of the UNIX group foo to create user defined shares,
257       create the directory to contain the share definitions as follows:
258
259       Become root:
260
261           mkdir /usr/local/samba/lib/usershares
262           chgrp foo /usr/local/samba/lib/usershares
263           chmod 1770 /usr/local/samba/lib/usershares
264
265       Then add the parameters
266
267                usershare path = /usr/local/samba/lib/usershares
268                usershare max shares = 10 # (or the desired number of shares)
269
270       to the global section of your smb.conf. Members of the group foo may
271       then manipulate the user defined shares using the following commands.
272
273       net usershare add sharename path [comment] [acl] [guest_ok=[y|n]]
274           To create or modify (overwrite) a user defined share.
275
276       net usershare delete sharename
277           To delete a user defined share.
278
279       net usershare list wildcard-sharename
280           To list user defined shares.
281
282       net usershare info wildcard-sharename
283           To print information about user defined shares.
284

PARAMETERS

286       Parameters define the specific attributes of sections.
287
288       Some parameters are specific to the [global] section (e.g., security).
289       Some parameters are usable in all sections (e.g., create mask). All
290       others are permissible only in normal sections. For the purposes of the
291       following descriptions the [homes] and [printers] sections will be
292       considered normal. The letter G in parentheses indicates that a
293       parameter is specific to the [global] section. The letter S indicates
294       that a parameter can be specified in a service specific section. All S
295       parameters can also be specified in the [global] section - in which
296       case they will define the default behavior for all services.
297
298       Parameters are arranged here in alphabetical order - this may not
299       create best bedfellows, but at least you can find them! Where there are
300       synonyms, the preferred synonym is described, others refer to the
301       preferred synonym.
302

VARIABLE SUBSTITUTIONS

304       Many of the strings that are settable in the config file can take
305       substitutions. For example the option “path = /tmp/%u” is interpreted
306       as “path = /tmp/john” if the user connected with the username john.
307
308       These substitutions are mostly noted in the descriptions below, but
309       there are some general substitutions which apply whenever they might be
310       relevant. These are:
311
312       %U
313           session username (the username that the client wanted, not
314           necessarily the same as the one they got).
315
316       %G
317           primary group name of %U.
318
319       %h
320           the Internet hostname that Samba is running on.
321
322       %m
323           the NetBIOS name of the client machine (very useful).
324
325           This parameter is not available when Samba listens on port 445, as
326           clients no longer send this information. If you use this macro in
327           an include statement on a domain that has a Samba domain controller
328           be sure to set in the [global] section smb ports = 139. This will
329           cause Samba to not listen on port 445 and will permit include
330           functionality to function as it did with Samba 2.x.
331
332       %L
333           the NetBIOS name of the server. This allows you to change your
334           config based on what the client calls you. Your server can have a
335           “dual personality”.
336
337       %M
338           the Internet name of the client machine.
339
340       %R
341           the selected protocol level after protocol negotiation. It can be
342           one of CORE, COREPLUS, LANMAN1, LANMAN2, NT1, SMB2_02, SMB2_10,
343           SMB2_22, SMB2_24, SMB3_00, SMB3_02, SMB3_10, SMB3_11 or SMB2_FF.
344
345       %d
346           the process id of the current server process.
347
348       %a
349           The architecture of the remote machine. It currently recognizes
350           Samba (Samba), the Linux CIFS file system (CIFSFS), OS/2, (OS2),
351           Mac OS X (OSX), Windows for Workgroups (WfWg), Windows 9x/ME
352           (Win95), Windows NT (WinNT), Windows 2000 (Win2K), Windows XP
353           (WinXP), Windows XP 64-bit(WinXP64), Windows 2003 including 2003R2
354           (Win2K3), and Windows Vista (Vista). Anything else will be known as
355           UNKNOWN.
356
357       %I
358           the IP address of the client machine.
359
360           Before 4.0.0 it could contain IPv4 mapped IPv6 addresses, now it
361           only contains IPv4 or IPv6 addresses.
362
363       %J
364           the IP address of the client machine, colons/dots replaced by
365           underscores.
366
367       %i
368           the local IP address to which a client connected.
369
370           Before 4.0.0 it could contain IPv4 mapped IPv6 addresses, now it
371           only contains IPv4 or IPv6 addresses.
372
373       %j
374           the local IP address to which a client connected, colons/dots
375           replaced by underscores.
376
377       %T
378           the current date and time.
379
380       %t
381           the current date and time in a minimal format without colons
382           (YYYYYmmdd_HHMMSS).
383
384       %D
385           name of the domain or workgroup of the current user.
386
387       %w
388           the winbind separator.
389
390       %$(envvar)
391           the value of the environment variable envar.
392
393       The following substitutes apply only to some configuration options
394       (only those that are used when a connection has been established):
395
396       %S
397           the name of the current service, if any.
398
399       %P
400           the root directory of the current service, if any.
401
402       %u
403           username of the current service, if any.
404
405       %g
406           primary group name of %u.
407
408       %H
409           the home directory of the user given by %u.
410
411       %N
412           the name of your NIS home directory server. This is obtained from
413           your NIS auto.map entry. If you have not compiled Samba with the
414           --with-automount option, this value will be the same as %L.
415
416       %p
417           the path of the service's home directory, obtained from your NIS
418           auto.map entry. The NIS auto.map entry is split up as %N:%p.
419
420       There are some quite creative things that can be done with these
421       substitutions and other smb.conf options.
422

NAME MANGLING

424       Samba supports name mangling so that DOS and Windows clients can use
425       files that don't conform to the 8.3 format. It can also be set to
426       adjust the case of 8.3 format filenames.
427
428       There are several options that control the way mangling is performed,
429       and they are grouped here rather than listed separately. For the
430       defaults look at the output of the testparm program.
431
432       These options can be set separately for each service.
433
434       The options are:
435
436       case sensitive = yes/no/auto
437           controls whether filenames are case sensitive. If they aren't,
438           Samba must do a filename search and match on passed names. The
439           default setting of auto allows clients that support case sensitive
440           filenames (Linux CIFSVFS and smbclient 3.0.5 and above currently)
441           to tell the Samba server on a per-packet basis that they wish to
442           access the file system in a case-sensitive manner (to support UNIX
443           case sensitive semantics). No Windows or DOS system supports
444           case-sensitive filename so setting this option to auto is that same
445           as setting it to no for them. Default auto.
446
447       default case = upper/lower
448           controls what the default case is for new filenames (ie. files that
449           don't currently exist in the filesystem). Default lower. IMPORTANT
450           NOTE: As part of the optimizations for directories containing large
451           numbers of files, the following special case applies. If the
452           options case sensitive = yes, preserve case = No, and short
453           preserve case = No are set, then the case of all incoming client
454           filenames, not just new filenames, will be modified. See additional
455           notes below.
456
457       preserve case = yes/no
458           controls whether new files (ie. files that don't currently exist in
459           the filesystem) are created with the case that the client passes,
460           or if they are forced to be the default case. Default yes.
461
462       short preserve case = yes/no
463           controls if new files (ie. files that don't currently exist in the
464           filesystem) which conform to 8.3 syntax, that is all in upper case
465           and of suitable length, are created upper case, or if they are
466           forced to be the default case. This option can be used with
467           preserve case = yes to permit long filenames to retain their case,
468           while short names are lowercased. Default yes.
469
470       By default, Samba 3.0 has the same semantics as a Windows NT server, in
471       that it is case insensitive but case preserving. As a special case for
472       directories with large numbers of files, if the case options are set as
473       follows, "case sensitive = yes", "case preserve = no", "short preserve
474       case = no" then the "default case" option will be applied and will
475       modify all filenames sent from the client when accessing this share.
476

REGISTRY-BASED CONFIGURATION

478       Starting with Samba version 3.2.0, the capability to store Samba
479       configuration in the registry is available. The configuration is stored
480       in the registry key HKLM\Software\Samba\smbconf. There are two levels
481       of registry configuration:
482
483               1. Share definitions stored in registry are used. This is
484                  triggered by setting the global parameter registry shares to
485                  “yes” in smb.conf.
486
487                  The registry shares are loaded not at startup but on demand
488                  at runtime by smbd. Shares defined in smb.conf take priority
489                  over shares of the same name defined in registry.
490
491               2. Global smb.conf options stored in registry are used. This
492                  can be activated in two different ways:
493
494                  Firstly, a registry only configuration is triggered by
495                  setting config backend = registry in the [global] section of
496                  smb.conf. This resets everything that has been read from
497                  config files to this point and reads the content of the
498                  global configuration section from the registry. This is the
499                  recommended method of using registry based configuration.
500
501                  Secondly, a mixed configuration can be activated by a
502                  special new meaning of the parameter include = registry in
503                  the [global] section of smb.conf. This reads the global
504                  options from registry with the same priorities as for an
505                  include of a text file. This may be especially useful in
506                  cases where an initial configuration is needed to access the
507                  registry.
508
509                  Activation of global registry options automatically
510                  activates registry shares. So in the registry only case,
511                  shares are loaded on demand only.
512
513
514       Note: To make registry-based configurations foolproof at least to a
515       certain extent, the use of lock directory and config backend inside the
516       registry configuration has been disabled: Especially by changing the
517       lock directory inside the registry configuration, one would create a
518       broken setup where the daemons do not see the configuration they loaded
519       once it is active.
520
521       The registry configuration can be accessed with tools like regedit or
522       net (rpc) registry in the key HKLM\Software\Samba\smbconf. More
523       conveniently, the conf subcommand of the net(8) utility offers a
524       dedicated interface to read and write the registry based configuration
525       locally, i.e. directly accessing the database file, circumventing the
526       server.
527

IDENTITY MAPPING CONSIDERATIONS

529       In the SMB protocol, users, groups, and machines are represented by
530       their security identifiers (SIDs). On POSIX system Samba processes need
531       to run under corresponding POSIX user identities and with supplemental
532       POSIX groups to allow access to the files owned by those users and
533       groups. The process of mapping SIDs to POSIX users and groups is called
534       IDENTITY MAPPING or, in short, ID MAPPING.
535
536       Samba supports multiple ways to map SIDs to POSIX users and groups. The
537       configuration is driven by the idmap config DOMAIN : OPTION option
538       which allows one to specify identity mapping (idmap) options for each
539       domain separately.
540
541       Identity mapping modules implement different strategies for mapping of
542       SIDs to POSIX user and group identities. They are applicable to
543       different use cases and scenarios. It is advised to read the
544       documentation of the individual identity mapping modules before
545       choosing a specific scenario to use. Each identity management module is
546       documented in a separate manual page. The standard idmap backends are
547       tdb (idmap_tdb(8)), tdb2 (idmap_tdb2(8)), ldap (idmap_ldap(8)), rid
548       (idmap_rid(8)), hash (idmap_hash(8)), autorid (idmap_autorid(8)), ad
549       (idmap_ad(8)), nss (idmap_nss(8)), and rfc2307 (idmap_rfc2307(8)).
550
551       Overall, ID mapping configuration should be decided carefully. Changes
552       to the already deployed ID mapping configuration may create the risk of
553       losing access to the data or disclosing the data to the wrong parties.
554
555       This example shows how to configure two domains with idmap_rid(8), the
556       principal domain and a trusted domain, leaving the default id mapping
557       scheme at tdb.
558
559                [global]
560                security = domain
561                workgroup = MAIN
562
563                idmap config * : backend        = tdb
564                idmap config * : range          = 1000000-1999999
565
566                idmap config MAIN : backend     = rid
567                idmap config MAIN : range       = 5000000-5999999
568
569                idmap config TRUSTED : backend  = rid
570                idmap config TRUSTED : range    = 6000000-6999999
571
572

EXPLANATION OF EACH PARAMETER

574       abort shutdown script (G)
575
576           This a full path name to a script called by smbd(8) that should
577           stop a shutdown procedure issued by the shutdown script.
578
579           If the connected user possesses the SeRemoteShutdownPrivilege,
580           right, this command will be run as root.
581
582           Default: abort shutdown script = ""
583
584           Example: abort shutdown script = /sbin/shutdown -c
585
586       access based share enum (S)
587
588           If this parameter is yes for a service, then the share hosted by
589           the service will only be visible to users who have read or write
590           access to the share during share enumeration (for example net view
591           \\sambaserver). The share ACLs which allow or deny the access to
592           the share can be modified using for example the sharesec command or
593           using the appropriate Windows tools. This has parallels to access
594           based enumeration, the main difference being that only share
595           permissions are evaluated, and security descriptors on files
596           contained on the share are not used in computing enumeration access
597           rights.
598
599           Default: access based share enum = no
600
601       acl allow execute always (S)
602
603           This boolean parameter controls the behaviour of smbd(8) when
604           receiving a protocol request of "open for execution" from a Windows
605           client. With Samba 3.6 and older, the execution right in the ACL
606           was not checked, so a client could execute a file even if it did
607           not have execute rights on the file. In Samba 4.0, this has been
608           fixed, so that by default, i.e. when this parameter is set to
609           "False", "open for execution" is now denied when execution
610           permissions are not present.
611
612           If this parameter is set to "True", Samba does not check execute
613           permissions on "open for execution", thus re-establishing the
614           behaviour of Samba 3.6. This can be useful to smoothen upgrades
615           from older Samba versions to 4.0 and newer. This setting is not
616           meant to be used as a permanent setting, but as a temporary relief:
617           It is recommended to fix the permissions in the ACLs and reset this
618           parameter to the default after a certain transition period.
619
620           Default: acl allow execute always = no
621
622       acl check permissions (S)
623
624           Please note this parameter is now deprecated in Samba 3.6.2 and
625           will be removed in a future version of Samba.
626
627           This boolean parameter controls what smbd(8) does on receiving a
628           protocol request of "open for delete" from a Windows client. If a
629           Windows client doesn't have permissions to delete a file then they
630           expect this to be denied at open time. POSIX systems normally only
631           detect restrictions on delete by actually attempting to delete the
632           file or directory. As Windows clients can (and do) "back out" a
633           delete request by unsetting the "delete on close" bit Samba cannot
634           delete the file immediately on "open for delete" request as we
635           cannot restore such a deleted file. With this parameter set to true
636           (the default) then smbd checks the file system permissions directly
637           on "open for delete" and denies the request without actually
638           deleting the file if the file system permissions would seem to deny
639           it. This is not perfect, as it's possible a user could have deleted
640           a file without Samba being able to check the permissions correctly,
641           but it is close enough to Windows semantics for mostly correct
642           behaviour. Samba will correctly check POSIX ACL semantics in this
643           case.
644
645           If this parameter is set to "false" Samba doesn't check permissions
646           on "open for delete" and allows the open. If the user doesn't have
647           permission to delete the file this will only be discovered at close
648           time, which is too late for the Windows user tools to display an
649           error message to the user. The symptom of this is files that appear
650           to have been deleted "magically" re-appearing on a Windows explorer
651           refresh. This is an extremely advanced protocol option which should
652           not need to be changed. This parameter was introduced in its final
653           form in 3.0.21, an earlier version with slightly different
654           semantics was introduced in 3.0.20. That older version is not
655           documented here.
656
657           Default: acl check permissions = yes
658
659       acl group control (S)
660
661           In a POSIX filesystem, only the owner of a file or directory and
662           the superuser can modify the permissions and ACLs on a file. If
663           this parameter is set, then Samba overrides this restriction, and
664           also allows the primary group owner of a file or directory to
665           modify the permissions and ACLs on that file.
666
667           On a Windows server, groups may be the owner of a file or directory
668           - thus allowing anyone in that group to modify the permissions on
669           it. This allows the delegation of security controls on a point in
670           the filesystem to the group owner of a directory and anything below
671           it also owned by that group. This means there are multiple people
672           with permissions to modify ACLs on a file or directory, easing
673           manageability.
674
675           This parameter allows Samba to also permit delegation of the
676           control over a point in the exported directory hierarchy in much
677           the same way as Windows. This allows all members of a UNIX group to
678           control the permissions on a file or directory they have group
679           ownership on.
680
681           This parameter is best used with the inherit owner option and also
682           on a share containing directories with the UNIX setgid bit set on
683           them, which causes new files and directories created within it to
684           inherit the group ownership from the containing directory.
685
686           This parameter was deprecated in Samba 3.0.23, but re-activated in
687           Samba 3.0.31 and above, as it now only controls permission changes
688           if the user is in the owning primary group. It is now no longer
689           equivalent to the dos filemode option.
690
691           Default: acl group control = no
692
693       acl map full control (S)
694
695           This boolean parameter controls whether smbd(8) maps a POSIX ACE
696           entry of "rwx" (read/write/execute), the maximum allowed POSIX
697           permission set, into a Windows ACL of "FULL CONTROL". If this
698           parameter is set to true any POSIX ACE entry of "rwx" will be
699           returned in a Windows ACL as "FULL CONTROL", is this parameter is
700           set to false any POSIX ACE entry of "rwx" will be returned as the
701           specific Windows ACL bits representing read, write and execute.
702
703           Default: acl map full control = yes
704
705       add group script (G)
706
707           This is the full pathname to a script that will be run AS ROOT by
708           smbd(8) when a new group is requested. It will expand any %g to the
709           group name passed. This script is only useful for installations
710           using the Windows NT domain administration tools. The script is
711           free to create a group with an arbitrary name to circumvent unix
712           group name restrictions. In that case the script must print the
713           numeric gid of the created group on stdout.
714
715           Default: add group script =
716
717           Example: add group script = /usr/sbin/groupadd %g
718
719       add machine script (G)
720
721           This is the full pathname to a script that will be run by smbd(8)
722           when a machine is added to Samba's domain and a Unix account
723           matching the machine's name appended with a "$" does not already
724           exist.
725
726           This option is very similar to the add user script, and likewise
727           uses the %u substitution for the account name. Do not use the %m
728           substitution.
729
730           Default: add machine script =
731
732           Example: add machine script = /usr/sbin/adduser -n -g machines -c
733           Machine -d /var/lib/nobody -s /bin/false %u
734
735       addport command (G)
736
737           Samba 3.0.23 introduced support for adding printer ports remotely
738           using the Windows "Add Standard TCP/IP Port Wizard". This option
739           defines an external program to be executed when smbd receives a
740           request to add a new Port to the system. The script is passed two
741           parameters:
742
743                  ·   port name
744
745                  ·   device URI
746
747           The deviceURI is in the format of
748           socket://<hostname>[:<portnumber>] or lpd://<hostname>/<queuename>.
749
750           Default: addport command =
751
752           Example: addport command = /etc/samba/scripts/addport.sh
753
754       addprinter command (G)
755
756           With the introduction of MS-RPC based printing support for Windows
757           NT/2000 clients in Samba 2.2, The MS Add Printer Wizard (APW) icon
758           is now also available in the "Printers..." folder displayed a share
759           listing. The APW allows for printers to be add remotely to a Samba
760           or Windows NT/2000 print server.
761
762           For a Samba host this means that the printer must be physically
763           added to the underlying printing system. The addprinter command
764           defines a script to be run which will perform the necessary
765           operations for adding the printer to the print system and to add
766           the appropriate service definition to the smb.conf file in order
767           that it can be shared by smbd(8).
768
769           The addprinter command is automatically invoked with the following
770           parameter (in order):
771
772                  ·   printer name
773
774                  ·   share name
775
776                  ·   port name
777
778                  ·   driver name
779
780                  ·   location
781
782                  ·   Windows 9x driver location
783
784           All parameters are filled in from the PRINTER_INFO_2 structure sent
785           by the Windows NT/2000 client with one exception. The "Windows 9x
786           driver location" parameter is included for backwards compatibility
787           only. The remaining fields in the structure are generated from
788           answers to the APW questions.
789
790           Once the addprinter command has been executed, smbd will reparse
791           the smb.conf to determine if the share defined by the APW exists.
792           If the sharename is still invalid, then smbd will return an
793           ACCESS_DENIED error to the client.
794
795           The addprinter command program can output a single line of text,
796           which Samba will set as the port the new printer is connected to.
797           If this line isn't output, Samba won't reload its printer shares.
798
799           Default: addprinter command =
800
801           Example: addprinter command = /usr/bin/addprinter
802
803       add share command (G)
804
805           Samba 2.2.0 introduced the ability to dynamically add and delete
806           shares via the Windows NT 4.0 Server Manager. The add share command
807           is used to define an external program or script which will add a
808           new service definition to smb.conf.
809
810           In order to successfully execute the add share command, smbd
811           requires that the administrator connects using a root account (i.e.
812           uid == 0) or has the SeDiskOperatorPrivilege. Scripts defined in
813           the add share command parameter are executed as root.
814
815           When executed, smbd will automatically invoke the add share command
816           with five parameters.
817
818                  ·   configFile - the location of the global smb.conf file.
819
820                  ·   shareName - the name of the new share.
821
822                  ·   pathName - path to an **existing** directory on disk.
823
824                  ·   comment - comment string to associate with the new
825                      share.
826
827                  ·   max connections Number of maximum simultaneous
828                      connections to this share.
829
830           This parameter is only used to add file shares. To add printer
831           shares, see the addprinter command.
832
833           Default: add share command =
834
835           Example: add share command = /usr/local/bin/addshare
836
837       add user script (G)
838
839           This is the full pathname to a script that will be run AS ROOT by
840           smbd(8) under special circumstances described below.
841
842           Normally, a Samba server requires that UNIX users are created for
843           all users accessing files on this server. For sites that use
844           Windows NT account databases as their primary user database
845           creating these users and keeping the user list in sync with the
846           Windows NT PDC is an onerous task. This option allows smbd to
847           create the required UNIX users ON DEMAND when a user accesses the
848           Samba server.
849
850           When the Windows user attempts to access the Samba server, at login
851           (session setup in the SMB protocol) time, smbd(8) contacts the
852           password server and attempts to authenticate the given user with
853           the given password. If the authentication succeeds then smbd
854           attempts to find a UNIX user in the UNIX password database to map
855           the Windows user into. If this lookup fails, and add user script is
856           set then smbd will call the specified script AS ROOT, expanding any
857           %u argument to be the user name to create.
858
859           If this script successfully creates the user then smbd will
860           continue on as though the UNIX user already existed. In this way,
861           UNIX users are dynamically created to match existing Windows NT
862           accounts.
863
864           See also security, password server, delete user script.
865
866           Default: add user script =
867
868           Example: add user script = /usr/local/samba/bin/add_user %u
869
870       add user to group script (G)
871
872           Full path to the script that will be called when a user is added to
873           a group using the Windows NT domain administration tools. It will
874           be run by smbd(8) AS ROOT. Any %g will be replaced with the group
875           name and any %u will be replaced with the user name.
876
877           Note that the adduser command used in the example below does not
878           support the used syntax on all systems.
879
880           Default: add user to group script =
881
882           Example: add user to group script = /usr/sbin/adduser %u %g
883
884       administrative share (S)
885
886           If this parameter is set to yes for a share, then the share will be
887           an administrative share. The Administrative Shares are the default
888           network shares created by all Windows NT-based operating systems.
889           These are shares like C$, D$ or ADMIN$. The type of these shares is
890           STYPE_DISKTREE_HIDDEN.
891
892           See the section below on security for more information about this
893           option.
894
895           Default: administrative share = no
896
897       admin users (S)
898
899           This is a list of users who will be granted administrative
900           privileges on the share. This means that they will do all file
901           operations as the super-user (root).
902
903           You should use this option very carefully, as any user in this list
904           will be able to do anything they like on the share, irrespective of
905           file permissions.
906
907           Default: admin users =
908
909           Example: admin users = jason
910
911       afs share (S)
912
913           This parameter controls whether special AFS features are enabled
914           for this share. If enabled, it assumes that the directory exported
915           via the path parameter is a local AFS import. The special AFS
916           features include the attempt to hand-craft an AFS token if you
917           enabled --with-fake-kaserver in configure.
918
919           Default: afs share = no
920
921       afs token lifetime (G)
922
923           This parameter controls the lifetime of tokens that the AFS
924           fake-kaserver claims. In reality these never expire but this
925           lifetime controls when the afs client will forget the token.
926
927           Set this parameter to 0 to get NEVERDATE.
928
929           Default: afs token lifetime = 604800
930
931       afs username map (G)
932
933           If you are using the fake kaserver AFS feature, you might want to
934           hand-craft the usernames you are creating tokens for. For example
935           this is necessary if you have users from several domain in your AFS
936           Protection Database. One possible scheme to code users as
937           DOMAIN+User as it is done by winbind with the + as a separator.
938
939           The mapped user name must contain the cell name to log into, so
940           without setting this parameter there will be no token.
941
942           Default: afs username map =
943
944           Example: afs username map = %u@afs.samba.org
945
946       aio max threads (G)
947
948           The integer parameter specifies the maximum number of threads each
949           smbd process will create when doing parallel asynchronous IO calls.
950           If the number of outstanding calls is greater than this number the
951           requests will not be refused but go onto a queue and will be
952           scheduled in turn as outstanding requests complete.
953
954           Related command: aio read size
955
956           Related command: aio write size
957
958           Default: aio max threads = 100
959
960       aio read size (S)
961
962           If this integer parameter is set to a non-zero value, Samba will
963           read from files asynchronously when the request size is bigger than
964           this value. Note that it happens only for non-chained and
965           non-chaining reads and when not using write cache.
966
967           The only reasonable values for this parameter are 0 (no async I/O)
968           and 1 (always do async I/O).
969
970           Related command: write cache size
971
972           Related command: aio write size
973
974           Default: aio read size = 1
975
976           Example: aio read size = 0 # Always do reads synchronously
977
978       aio write behind (S)
979
980           If Samba has been built with asynchronous I/O support, Samba will
981           not wait until write requests are finished before returning the
982           result to the client for files listed in this parameter. Instead,
983           Samba will immediately return that the write request has been
984           finished successfully, no matter if the operation will succeed or
985           not. This might speed up clients without aio support, but is really
986           dangerous, because data could be lost and files could be damaged.
987
988           The syntax is identical to the veto files parameter.
989
990           Default: aio write behind =
991
992           Example: aio write behind = /*.tmp/
993
994       aio write size (S)
995
996           If this integer parameter is set to a non-zero value, Samba will
997           write to files asynchronously when the request size is bigger than
998           this value. Note that it happens only for non-chained and
999           non-chaining reads and when not using write cache.
1000
1001           The only reasonable values for this parameter are 0 (no async I/O)
1002           and 1 (always do async I/O).
1003
1004           Compared to aio read size this parameter has a smaller effect, most
1005           writes should end up in the file system cache. Writes that require
1006           space allocation might benefit most from going asynchronous.
1007
1008           Related command: write cache size
1009
1010           Related command: aio read size
1011
1012           Default: aio write size = 1
1013
1014           Example: aio write size = 0 # Always do writes synchronously
1015
1016       algorithmic rid base (G)
1017
1018           This determines how Samba will use its algorithmic mapping from
1019           uids/gid to the RIDs needed to construct NT Security Identifiers.
1020
1021           Setting this option to a larger value could be useful to sites
1022           transitioning from WinNT and Win2k, as existing user and group rids
1023           would otherwise clash with system users etc.
1024
1025           All UIDs and GIDs must be able to be resolved into SIDs for the
1026           correct operation of ACLs on the server. As such the algorithmic
1027           mapping can't be 'turned off', but pushing it 'out of the way'
1028           should resolve the issues. Users and groups can then be assigned
1029           'low' RIDs in arbitrary-rid supporting backends.
1030
1031           Default: algorithmic rid base = 1000
1032
1033           Example: algorithmic rid base = 100000
1034
1035       allocation roundup size (S)
1036
1037           This parameter allows an administrator to tune the allocation size
1038           reported to Windows clients. The default size of 1Mb generally
1039           results in improved Windows client performance. However, rounding
1040           the allocation size may cause difficulties for some applications,
1041           e.g. MS Visual Studio. If the MS Visual Studio compiler starts to
1042           crash with an internal error, set this parameter to zero for this
1043           share.
1044
1045           The integer parameter specifies the roundup size in bytes.
1046
1047           Default: allocation roundup size = 1048576
1048
1049           Example: allocation roundup size = 0 # (to disable roundups)
1050
1051       allow dcerpc auth level connect (G)
1052
1053           This option controls whether DCERPC services are allowed to be used
1054           with DCERPC_AUTH_LEVEL_CONNECT, which provides authentication, but
1055           no per message integrity nor privacy protection.
1056
1057           Some interfaces like samr, lsarpc and netlogon have a hard-coded
1058           default of no and epmapper, mgmt and rpcecho have a hard-coded
1059           default of yes.
1060
1061           The behavior can be overwritten per interface name (e.g. lsarpc,
1062           netlogon, samr, srvsvc, winreg, wkssvc ...) by using 'allow dcerpc
1063           auth level connect:interface = yes' as option.
1064
1065           This option yields precedence to the implementation specific
1066           restrictions. E.g. the drsuapi and backupkey protocols require
1067           DCERPC_AUTH_LEVEL_PRIVACY. The dnsserver protocol requires
1068           DCERPC_AUTH_LEVEL_INTEGRITY.
1069
1070           Default: allow dcerpc auth level connect = no
1071
1072           Example: allow dcerpc auth level connect = yes
1073
1074       allow dns updates (G)
1075
1076           This option determines what kind of updates to the DNS are allowed.
1077
1078           DNS updates can either be disallowed completely by setting it to
1079           disabled, enabled over secure connections only by setting it to
1080           secure only or allowed in all cases by setting it to nonsecure.
1081
1082           Default: allow dns updates = secure only
1083
1084           Example: allow dns updates = disabled
1085
1086       allow insecure wide links (G)
1087
1088           In normal operation the option wide links which allows the server
1089           to follow symlinks outside of a share path is automatically
1090           disabled when unix extensions are enabled on a Samba server. This
1091           is done for security purposes to prevent UNIX clients creating
1092           symlinks to areas of the server file system that the administrator
1093           does not wish to export.
1094
1095           Setting allow insecure wide links to true disables the link between
1096           these two parameters, removing this protection and allowing a site
1097           to configure the server to follow symlinks (by setting wide links
1098           to "true") even when unix extensions is turned on.
1099
1100           It is not recommended to enable this option unless you fully
1101           understand the implications of allowing the server to follow
1102           symbolic links created by UNIX clients. For most normal Samba
1103           configurations this would be considered a security hole and setting
1104           this parameter is not recommended.
1105
1106           This option was added at the request of sites who had deliberately
1107           set Samba up in this way and needed to continue supporting this
1108           functionality without having to patch the Samba code.
1109
1110           Default: allow insecure wide links = no
1111
1112       allow nt4 crypto (G)
1113
1114           This option controls whether the netlogon server (currently only in
1115           'active directory domain controller' mode), will reject clients
1116           which does not support NETLOGON_NEG_STRONG_KEYS nor
1117           NETLOGON_NEG_SUPPORTS_AES.
1118
1119           This option was added with Samba 4.2.0. It may lock out clients
1120           which worked fine with Samba versions up to 4.1.x. as the effective
1121           default was "yes" there, while it is "no" now.
1122
1123           If you have clients without RequireStrongKey = 1 in the registry,
1124           you may need to set "allow nt4 crypto = yes", until you have fixed
1125           all clients.
1126
1127           "allow nt4 crypto = yes" allows weak crypto to be negotiated, maybe
1128           via downgrade attacks.
1129
1130           This option yields precedence to the 'reject md5 clients' option.
1131
1132           Default: allow nt4 crypto = no
1133
1134       allow trusted domains (G)
1135
1136           This option only takes effect when the security option is set to
1137           server, domain or ads. If it is set to no, then attempts to connect
1138           to a resource from a domain or workgroup other than the one which
1139           smbd is running in will fail, even if that domain is trusted by the
1140           remote server doing the authentication.
1141
1142           This is useful if you only want your Samba server to serve
1143           resources to users in the domain it is a member of. As an example,
1144           suppose that there are two domains DOMA and DOMB. DOMB is trusted
1145           by DOMA, which contains the Samba server. Under normal
1146           circumstances, a user with an account in DOMB can then access the
1147           resources of a UNIX account with the same account name on the Samba
1148           server even if they do not have an account in DOMA. This can make
1149           implementing a security boundary difficult.
1150
1151           Default: allow trusted domains = yes
1152
1153       allow unsafe cluster upgrade (G)
1154
1155           If set to no (the default), smbd checks at startup if other smbd
1156           versions are running in the cluster and refuses to start if so.
1157           This is done to protect data corruption in internal data structures
1158           due to incompatible Samba versions running concurrently in the same
1159           cluster. Setting this parameter to yes disables this safety check.
1160
1161           Default: allow unsafe cluster upgrade = no
1162
1163       apply group policies (G)
1164
1165           This option controls whether winbind will execute the gpupdate
1166           command defined in gpo update command on the Group Policy update
1167           interval. The Group Policy update interval is defined as every 90
1168           minutes, plus a random offset between 0 and 30 minutes. This
1169           applies Group Policy Machine polices to the client or KDC and
1170           machine policies to a server.
1171
1172           Default: apply group policies = no
1173
1174           Example: apply group policies = yes
1175
1176       async smb echo handler (G)
1177
1178           This parameter specifies whether Samba should fork the async smb
1179           echo handler. It can be beneficial if your file system can block
1180           syscalls for a very long time. In some circumstances, it prolongs
1181           the timeout that Windows uses to determine whether a connection is
1182           dead. This parameter is only for SMB1. For SMB2 and above TCP
1183           keepalives can be used instead.
1184
1185           Default: async smb echo handler = no
1186
1187       auth event notification (G)
1188
1189           When enabled, this option causes Samba (acting as an Active
1190           Directory Domain Controller) to stream authentication events across
1191           the internal message bus. Scripts built using Samba's python
1192           bindings can listen to these events by registering as the service
1193           auth_event.
1194
1195           This should be considered a developer option (it assists in the
1196           Samba testsuite) rather than a facility for external auditing, as
1197           message delivery is not guaranteed (a feature that the testsuite
1198           works around). Additionally Samba must be compiled with the jansson
1199           support for this option to be effective.
1200
1201           The authentication events are also logged via the normal logging
1202           methods when the log level is set appropriately.
1203
1204           Default: auth event notification = no
1205
1206       preload
1207
1208           This parameter is a synonym for auto services.
1209
1210       auto services (G)
1211
1212           This is a list of services that you want to be automatically added
1213           to the browse lists. This is most useful for homes and printers
1214           services that would otherwise not be visible.
1215
1216           Note that if you just want all printers in your printcap file
1217           loaded then the load printers option is easier.
1218
1219           Default: auto services =
1220
1221           Example: auto services = fred lp colorlp
1222
1223       available (S)
1224
1225           This parameter lets you "turn off" a service. If available = no,
1226           then ALL attempts to connect to the service will fail. Such
1227           failures are logged.
1228
1229           Default: available = yes
1230
1231       bind dns directory
1232
1233           This parameter is a synonym for binddns dir.
1234
1235       binddns dir (G)
1236
1237           This parameters defines the directory samba will use to store the
1238           configuration files for bind, such as named.conf. NOTE: The bind
1239           dns directory needs to be on the same mount point as the private
1240           directory!
1241
1242           Default: binddns dir = /var/lib/samba/bind-dns
1243
1244       bind interfaces only (G)
1245
1246           This global parameter allows the Samba admin to limit what
1247           interfaces on a machine will serve SMB requests. It affects file
1248           service smbd(8) and name service nmbd(8) in a slightly different
1249           ways.
1250
1251           For name service it causes nmbd to bind to ports 137 and 138 on the
1252           interfaces listed in the interfaces parameter.  nmbd also binds to
1253           the "all addresses" interface (0.0.0.0) on ports 137 and 138 for
1254           the purposes of reading broadcast messages. If this option is not
1255           set then nmbd will service name requests on all of these sockets.
1256           If bind interfaces only is set then nmbd will check the source
1257           address of any packets coming in on the broadcast sockets and
1258           discard any that don't match the broadcast addresses of the
1259           interfaces in the interfaces parameter list. As unicast packets are
1260           received on the other sockets it allows nmbd to refuse to serve
1261           names to machines that send packets that arrive through any
1262           interfaces not listed in the interfaces list. IP Source address
1263           spoofing does defeat this simple check, however, so it must not be
1264           used seriously as a security feature for nmbd.
1265
1266           For file service it causes smbd(8) to bind only to the interface
1267           list given in the interfaces parameter. This restricts the networks
1268           that smbd will serve, to packets coming in on those interfaces.
1269           Note that you should not use this parameter for machines that are
1270           serving PPP or other intermittent or non-broadcast network
1271           interfaces as it will not cope with non-permanent interfaces.
1272
1273           If bind interfaces only is set and the network address 127.0.0.1 is
1274           not added to the interfaces parameter list smbpasswd(8) may not
1275           work as expected due to the reasons covered below.
1276
1277           To change a users SMB password, the smbpasswd by default connects
1278           to the localhost - 127.0.0.1 address as an SMB client to issue the
1279           password change request. If bind interfaces only is set then unless
1280           the network address 127.0.0.1 is added to the interfaces parameter
1281           list then smbpasswd will fail to connect in it's default mode.
1282           smbpasswd can be forced to use the primary IP interface of the
1283           local host by using its smbpasswd(8) -r remote machine parameter,
1284           with remote machine set to the IP name of the primary interface of
1285           the local host.
1286
1287           Default: bind interfaces only = no
1288
1289       blocking locks (S)
1290
1291           This parameter controls the behavior of smbd(8) when given a
1292           request by a client to obtain a byte range lock on a region of an
1293           open file, and the request has a time limit associated with it.
1294
1295           If this parameter is set and the lock range requested cannot be
1296           immediately satisfied, samba will internally queue the lock
1297           request, and periodically attempt to obtain the lock until the
1298           timeout period expires.
1299
1300           If this parameter is set to no, then samba will behave as previous
1301           versions of Samba would and will fail the lock request immediately
1302           if the lock range cannot be obtained.
1303
1304           Default: blocking locks = yes
1305
1306       block size (S)
1307
1308           This parameter controls the behavior of smbd(8) when reporting disk
1309           free sizes. By default, this reports a disk block size of 1024
1310           bytes.
1311
1312           Changing this parameter may have some effect on the efficiency of
1313           client writes, this is not yet confirmed. This parameter was added
1314           to allow advanced administrators to change it (usually to a higher
1315           value) and test the effect it has on client write performance
1316           without re-compiling the code. As this is an experimental option it
1317           may be removed in a future release.
1318
1319           Changing this option does not change the disk free reporting size,
1320           just the block size unit reported to the client.
1321
1322           Default: block size = 1024
1323
1324           Example: block size = 4096
1325
1326       browsable
1327
1328           This parameter is a synonym for browseable.
1329
1330       browseable (S)
1331
1332           This controls whether this share is seen in the list of available
1333           shares in a net view and in the browse list.
1334
1335           Default: browseable = yes
1336
1337       browse list (G)
1338
1339           This controls whether smbd(8) will serve a browse list to a client
1340           doing a NetServerEnum call. Normally set to yes. You should never
1341           need to change this.
1342
1343           Default: browse list = yes
1344
1345       cache directory (G)
1346
1347           Usually, most of the TDB files are stored in the lock directory.
1348           Since Samba 3.4.0, it is possible to differentiate between TDB
1349           files with persistent data and TDB files with non-persistent data
1350           using the state directory and the cache directory options.
1351
1352           This option specifies the directory for storing TDB files
1353           containing non-persistent data that will be kept across service
1354           restarts. The directory should be placed on persistent storage, but
1355           the data can be safely deleted by an administrator.
1356
1357           Default: cache directory = /var/lib/samba
1358
1359           Example: cache directory = /var/run/samba/locks/cache
1360
1361       casesignames
1362
1363           This parameter is a synonym for case sensitive.
1364
1365       case sensitive (S)
1366
1367           See the discussion in the section name mangling.
1368
1369           Default: case sensitive = auto
1370
1371       change notify (G)
1372
1373           This parameter specifies whether Samba should reply to a client's
1374           file change notify requests.
1375
1376           You should never need to change this parameter
1377
1378           Default: change notify = yes
1379
1380       change share command (G)
1381
1382           Samba 2.2.0 introduced the ability to dynamically add and delete
1383           shares via the Windows NT 4.0 Server Manager. The change share
1384           command is used to define an external program or script which will
1385           modify an existing service definition in smb.conf.
1386
1387           In order to successfully execute the change share command, smbd
1388           requires that the administrator connects using a root account (i.e.
1389           uid == 0) or has the SeDiskOperatorPrivilege. Scripts defined in
1390           the change share command parameter are executed as root.
1391
1392           When executed, smbd will automatically invoke the change share
1393           command with six parameters.
1394
1395                  ·   configFile - the location of the global smb.conf file.
1396
1397                  ·   shareName - the name of the new share.
1398
1399                  ·   pathName - path to an **existing** directory on disk.
1400
1401                  ·   comment - comment string to associate with the new
1402                      share.
1403
1404                  ·   max connections Number of maximum simultaneous
1405                      connections to this share.
1406
1407                  ·   CSC policy - client side caching policy in string form.
1408                      Valid values are: manual, documents, programs, disable.
1409
1410           This parameter is only used to modify existing file share
1411           definitions. To modify printer shares, use the "Printers..." folder
1412           as seen when browsing the Samba host.
1413
1414           Default: change share command =
1415
1416           Example: change share command = /usr/local/bin/changeshare
1417
1418       check parent directory delete on close (S)
1419
1420           A Windows SMB server prevents the client from creating files in a
1421           directory that has the delete-on-close flag set. By default Samba
1422           doesn't perform this check as this check is a quite expensive
1423           operation in Samba.
1424
1425           Default: check parent directory delete on close = no
1426
1427       check password script (G)
1428
1429           The name of a program that can be used to check password
1430           complexity. The password is sent to the program's standard input.
1431
1432           The program must return 0 on a good password, or any other value if
1433           the password is bad. In case the password is considered weak (the
1434           program does not return 0) the user will be notified and the
1435           password change will fail.
1436
1437           In Samba AD, this script will be run AS ROOT by samba(8) without
1438           any substitutions.
1439
1440           Note: In the example directory is a sample program called
1441           crackcheck that uses cracklib to check the password quality.
1442
1443           Default: check password script =  # Disabled
1444
1445           Example: check password script = /usr/local/sbin/crackcheck
1446
1447       cldap port (G)
1448
1449           This option controls the port used by the CLDAP protocol.
1450
1451           Default: cldap port = 389
1452
1453           Example: cldap port = 3389
1454
1455       client ipc max protocol (G)
1456
1457           The value of the parameter (a string) is the highest protocol level
1458           that will be supported for IPC$ connections as DCERPC transport.
1459
1460           Normally this option should not be set as the automatic negotiation
1461           phase in the SMB protocol takes care of choosing the appropriate
1462           protocol.
1463
1464           The value default refers to the latest supported protocol,
1465           currently SMB3_11.
1466
1467           See client max protocol for a full list of available protocols. The
1468           values CORE, COREPLUS, LANMAN1, LANMAN2 are silently upgraded to
1469           NT1.
1470
1471           Default: client ipc max protocol = default
1472
1473           Example: client ipc max protocol = SMB2_10
1474
1475       client ipc min protocol (G)
1476
1477           This setting controls the minimum protocol version that the will be
1478           attempted to use for IPC$ connections as DCERPC transport.
1479
1480           Normally this option should not be set as the automatic negotiation
1481           phase in the SMB protocol takes care of choosing the appropriate
1482           protocol.
1483
1484           The value default refers to the higher value of NT1 and the
1485           effective value of client min protocol.
1486
1487           See client max protocol for a full list of available protocols. The
1488           values CORE, COREPLUS, LANMAN1, LANMAN2 are silently upgraded to
1489           NT1.
1490
1491           Default: client ipc min protocol = default
1492
1493           Example: client ipc min protocol = SMB3_11
1494
1495       client ipc signing (G)
1496
1497           This controls whether the client is allowed or required to use SMB
1498           signing for IPC$ connections as DCERPC transport. Possible values
1499           are auto, mandatory and disabled.
1500
1501           When set to mandatory or default, SMB signing is required.
1502
1503           When set to auto, SMB signing is offered, but not enforced and if
1504           set to disabled, SMB signing is not offered either.
1505
1506           Connections from winbindd to Active Directory Domain Controllers
1507           always enforce signing.
1508
1509           Default: client ipc signing = default
1510
1511       client lanman auth (G)
1512
1513           This parameter determines whether or not smbclient(8) and other
1514           samba client tools will attempt to authenticate itself to servers
1515           using the weaker LANMAN password hash. If disabled, only server
1516           which support NT password hashes (e.g. Windows NT/2000, Samba,
1517           etc... but not Windows 95/98) will be able to be connected from the
1518           Samba client.
1519
1520           The LANMAN encrypted response is easily broken, due to its
1521           case-insensitive nature, and the choice of algorithm. Clients
1522           without Windows 95/98 servers are advised to disable this option.
1523
1524           Disabling this option will also disable the client plaintext auth
1525           option.
1526
1527           Likewise, if the client ntlmv2 auth parameter is enabled, then only
1528           NTLMv2 logins will be attempted.
1529
1530           Default: client lanman auth = no
1531
1532       client ldap sasl wrapping (G)
1533
1534           The client ldap sasl wrapping defines whether ldap traffic will be
1535           signed or signed and encrypted (sealed). Possible values are plain,
1536           sign and seal.
1537
1538           The values sign and seal are only available if Samba has been
1539           compiled against a modern OpenLDAP version (2.3.x or higher).
1540
1541           This option is needed in the case of Domain Controllers enforcing
1542           the usage of signed LDAP connections (e.g. Windows 2000 SP3 or
1543           higher). LDAP sign and seal can be controlled with the registry key
1544           "HKLM\System\CurrentControlSet\Services\
1545           NTDS\Parameters\LDAPServerIntegrity" on the Windows server side.
1546
1547           Depending on the used KRB5 library (MIT and older Heimdal versions)
1548           it is possible that the message "integrity only" is not supported.
1549           In this case, sign is just an alias for seal.
1550
1551           The default value is sign. That implies synchronizing the time with
1552           the KDC in the case of using Kerberos.
1553
1554           Default: client ldap sasl wrapping = sign
1555
1556       client max protocol (G)
1557
1558           The value of the parameter (a string) is the highest protocol level
1559           that will be supported by the client.
1560
1561           Possible values are :
1562
1563                  ·   CORE: Earliest version. No concept of user names.
1564
1565                  ·   COREPLUS: Slight improvements on CORE for efficiency.
1566
1567                  ·   LANMAN1: First modern version of the protocol. Long
1568                      filename support.
1569
1570                  ·   LANMAN2: Updates to Lanman1 protocol.
1571
1572                  ·   NT1: Current up to date version of the protocol. Used by
1573                      Windows NT. Known as CIFS.
1574
1575                  ·   SMB2: Re-implementation of the SMB protocol. Used by
1576                      Windows Vista and later versions of Windows. SMB2 has
1577                      sub protocols available.
1578
1579                             ·   SMB2_02: The earliest SMB2 version.
1580
1581                             ·   SMB2_10: Windows 7 SMB2 version.
1582
1583                             ·   SMB2_22: Early Windows 8 SMB2 version.
1584
1585                             ·   SMB2_24: Windows 8 beta SMB2 version.
1586
1587                      By default SMB2 selects the SMB2_10 variant.
1588
1589                  ·   SMB3: The same as SMB2. Used by Windows 8. SMB3 has sub
1590                      protocols available.
1591
1592                             ·   SMB3_00: Windows 8 SMB3 version. (mostly the
1593                                 same as SMB2_24)
1594
1595                             ·   SMB3_02: Windows 8.1 SMB3 version.
1596
1597                             ·   SMB3_10: early Windows 10 technical preview
1598                                 SMB3 version.
1599
1600                             ·   SMB3_11: Windows 10 technical preview SMB3
1601                                 version (maybe final).
1602
1603                      By default SMB3 selects the SMB3_11 variant.
1604
1605           Normally this option should not be set as the automatic negotiation
1606           phase in the SMB protocol takes care of choosing the appropriate
1607           protocol.
1608
1609           The value default refers to SMB3_11.
1610
1611           IPC$ connections for DCERPC e.g. in winbindd, are handled by the
1612           client ipc max protocol option.
1613
1614           Default: client max protocol = default
1615
1616           Example: client max protocol = LANMAN1
1617
1618       client min protocol (G)
1619
1620           This setting controls the minimum protocol version that the client
1621           will attempt to use.
1622
1623           Normally this option should not be set as the automatic negotiation
1624           phase in the SMB protocol takes care of choosing the appropriate
1625           protocol.
1626
1627           See Related command: client max protocol for a full list of
1628           available protocols.
1629
1630           IPC$ connections for DCERPC e.g. in winbindd, are handled by the
1631           client ipc min protocol option.
1632
1633           Default: client min protocol = CORE
1634
1635           Example: client min protocol = NT1
1636
1637       client NTLMv2 auth (G)
1638
1639           This parameter determines whether or not smbclient(8) will attempt
1640           to authenticate itself to servers using the NTLMv2 encrypted
1641           password response.
1642
1643           If enabled, only an NTLMv2 and LMv2 response (both much more secure
1644           than earlier versions) will be sent. Older servers (including NT4 <
1645           SP4, Win9x and Samba 2.2) are not compatible with NTLMv2 when not
1646           in an NTLMv2 supporting domain
1647
1648           Similarly, if enabled, NTLMv1, client lanman auth and client
1649           plaintext auth authentication will be disabled. This also disables
1650           share-level authentication.
1651
1652           If disabled, an NTLM response (and possibly a LANMAN response) will
1653           be sent by the client, depending on the value of client lanman
1654           auth.
1655
1656           Note that Windows Vista and later versions already use NTLMv2 by
1657           default, and some sites (particularly those following 'best
1658           practice' security polices) only allow NTLMv2 responses, and not
1659           the weaker LM or NTLM.
1660
1661           When client use spnego is also set to yes extended security
1662           (SPNEGO) is required in order to use NTLMv2 only within NTLMSSP.
1663           This behavior was introduced with the patches for CVE-2016-2111.
1664
1665           Default: client NTLMv2 auth = yes
1666
1667       client plaintext auth (G)
1668
1669           Specifies whether a client should send a plaintext password if the
1670           server does not support encrypted passwords.
1671
1672           Default: client plaintext auth = no
1673
1674       client schannel (G)
1675
1676           This option is deprecated with Samba 4.8 and will be removed in
1677           future. At the same time the default changed to yes, which will be
1678           the hardcoded behavior in future.
1679
1680           This controls whether the client offers or even demands the use of
1681           the netlogon schannel.  client schannel = no does not offer the
1682           schannel, client schannel = auto offers the schannel but does not
1683           enforce it, and client schannel = yes denies access if the server
1684           is not able to speak netlogon schannel.
1685
1686           Note that for active directory domains this is hardcoded to client
1687           schannel = yes.
1688
1689           This option yields precedence to the require strong key option.
1690
1691           Default: client schannel = yes
1692
1693           Example: client schannel = auto
1694
1695       client signing (G)
1696
1697           This controls whether the client is allowed or required to use SMB
1698           signing. Possible values are auto, mandatory and disabled.
1699
1700           When set to auto or default, SMB signing is offered, but not
1701           enforced.
1702
1703           When set to mandatory, SMB signing is required and if set to
1704           disabled, SMB signing is not offered either.
1705
1706           IPC$ connections for DCERPC e.g. in winbindd, are handled by the
1707           client ipc signing option.
1708
1709           Default: client signing = default
1710
1711       client use spnego principal (G)
1712
1713           This parameter determines whether or not smbclient(8) and other
1714           samba components acting as a client will attempt to use the
1715           server-supplied principal sometimes given in the SPNEGO exchange.
1716
1717           If enabled, Samba can attempt to use Kerberos to contact servers
1718           known only by IP address. Kerberos relies on names, so ordinarily
1719           cannot function in this situation.
1720
1721           This is a VERY BAD IDEA for security reasons, and so this parameter
1722           SHOULD NOT BE USED. It will be removed in a future version of
1723           Samba.
1724
1725           If disabled, Samba will use the name used to look up the server
1726           when asking the KDC for a ticket. This avoids situations where a
1727           server may impersonate another, soliciting authentication as one
1728           principal while being known on the network as another.
1729
1730           Note that Windows XP SP2 and later versions already follow this
1731           behaviour, and Windows Vista and later servers no longer supply
1732           this 'rfc4178 hint' principal on the server side.
1733
1734           This parameter is deprecated in Samba 4.2.1 and will be removed
1735           (along with the functionality) in a later release of Samba.
1736
1737           Default: client use spnego principal = no
1738
1739       client use spnego (G)
1740
1741           This variable controls whether Samba clients will try to use Simple
1742           and Protected NEGOciation (as specified by rfc2478) with supporting
1743           servers (including WindowsXP, Windows2000 and Samba 3.0) to agree
1744           upon an authentication mechanism. This enables Kerberos
1745           authentication in particular.
1746
1747           When client NTLMv2 auth is also set to yes extended security
1748           (SPNEGO) is required in order to use NTLMv2 only within NTLMSSP.
1749           This behavior was introduced with the patches for CVE-2016-2111.
1750
1751           Default: client use spnego = yes
1752
1753       cluster addresses (G)
1754
1755           With this parameter you can add additional addresses nmbd will
1756           register with a WINS server. These addresses are not necessarily
1757           present on all nodes simultaneously, but they will be registered
1758           with the WINS server so that clients can contact any of the nodes.
1759
1760           Default: cluster addresses =
1761
1762           Example: cluster addresses = 10.0.0.1 10.0.0.2 10.0.0.3
1763
1764       clustering (G)
1765
1766           This parameter specifies whether Samba should contact ctdb for
1767           accessing its tdb files and use ctdb as a backend for its messaging
1768           backend.
1769
1770           Set this parameter to yes only if you have a cluster setup with
1771           ctdb running.
1772
1773           Default: clustering = no
1774
1775       comment (S)
1776
1777           This is a text field that is seen next to a share when a client
1778           does a queries the server, either via the network neighborhood or
1779           via net view to list what shares are available.
1780
1781           If you want to set the string that is displayed next to the machine
1782           name then see the server string parameter.
1783
1784           Default: comment =  # No comment
1785
1786           Example: comment = Fred's Files
1787
1788       config backend (G)
1789
1790           This controls the backend for storing the configuration. Possible
1791           values are file (the default) and registry. When config backend =
1792           registry is encountered while loading smb.conf, the configuration
1793           read so far is dropped and the global options are read from
1794           registry instead. So this triggers a registry only configuration.
1795           Share definitions are not read immediately but instead registry
1796           shares is set to yes.
1797
1798           Note: This option can not be set inside the registry configuration
1799           itself.
1800
1801           Default: config backend = file
1802
1803           Example: config backend = registry
1804
1805       config file (G)
1806
1807           This allows you to override the config file to use, instead of the
1808           default (usually smb.conf). There is a chicken and egg problem here
1809           as this option is set in the config file!
1810
1811           For this reason, if the name of the config file has changed when
1812           the parameters are loaded then it will reload them from the new
1813           config file.
1814
1815           This option takes the usual substitutions, which can be very
1816           useful.
1817
1818           If the config file doesn't exist then it won't be loaded (allowing
1819           you to special case the config files of just a few clients).
1820
1821           No default
1822
1823           Example: config file = /usr/local/samba/lib/smb.conf.%m
1824
1825       copy (S)
1826
1827           This parameter allows you to "clone" service entries. The specified
1828           service is simply duplicated under the current service's name. Any
1829           parameters specified in the current section will override those in
1830           the section being copied.
1831
1832           This feature lets you set up a 'template' service and create
1833           similar services easily. Note that the service being copied must
1834           occur earlier in the configuration file than the service doing the
1835           copying.
1836
1837           Default: copy =
1838
1839           Example: copy = otherservice
1840
1841       create krb5 conf (G)
1842
1843           Setting this parameter to no prevents winbind from creating custom
1844           krb5.conf files. Winbind normally does this because the krb5
1845           libraries are not AD-site-aware and thus would pick any domain
1846           controller out of potentially very many. Winbind is site-aware and
1847           makes the krb5 libraries use a local DC by creating its own
1848           krb5.conf files.
1849
1850           Preventing winbind from doing this might become necessary if you
1851           have to add special options into your system-krb5.conf that winbind
1852           does not see.
1853
1854           Default: create krb5 conf = yes
1855
1856       create mode
1857
1858           This parameter is a synonym for create mask.
1859
1860       create mask (S)
1861
1862           When a file is created, the necessary permissions are calculated
1863           according to the mapping from DOS modes to UNIX permissions, and
1864           the resulting UNIX mode is then bit-wise 'AND'ed with this
1865           parameter. This parameter may be thought of as a bit-wise MASK for
1866           the UNIX modes of a file. Any bit not set here will be removed from
1867           the modes set on a file when it is created.
1868
1869           The default value of this parameter removes the group and other
1870           write and execute bits from the UNIX modes.
1871
1872           Following this Samba will bit-wise 'OR' the UNIX mode created from
1873           this parameter with the value of the force create mode parameter
1874           which is set to 000 by default.
1875
1876           This parameter does not affect directory masks. See the parameter
1877           directory mask for details.
1878
1879           Default: create mask = 0744
1880
1881           Example: create mask = 0775
1882
1883       csc policy (S)
1884
1885           This stands for client-side caching policy, and specifies how
1886           clients capable of offline caching will cache the files in the
1887           share. The valid values are: manual, documents, programs, disable.
1888
1889           These values correspond to those used on Windows servers.
1890
1891           For example, shares containing roaming profiles can have offline
1892           caching disabled using csc policy = disable.
1893
1894           Default: csc policy = manual
1895
1896           Example: csc policy = programs
1897
1898       ctdbd socket (G)
1899
1900           If you set clustering=yes, you need to tell Samba where ctdbd
1901           listens on its unix domain socket. The default path as of ctdb 1.0
1902           is /tmp/ctdb.socket which you have to explicitly set for Samba in
1903           smb.conf.
1904
1905           Default: ctdbd socket =
1906
1907           Example: ctdbd socket = /tmp/ctdb.socket
1908
1909       ctdb locktime warn threshold (G)
1910
1911           In a cluster environment using Samba and ctdb it is critical that
1912           locks on central ctdb-hosted databases like locking.tdb are not
1913           held for long. With the current Samba architecture it happens that
1914           Samba takes a lock and while holding that lock makes file system
1915           calls into the shared cluster file system. This option makes Samba
1916           warn if it detects that it has held locks for the specified number
1917           of milliseconds. If this happens, smbd will emit a debug level 0
1918           message into its logs and potentially into syslog. The most likely
1919           reason for such a log message is that an operation of the cluster
1920           file system Samba exports is taking longer than expected. The
1921           messages are meant as a debugging aid for potential cluster
1922           problems.
1923
1924           The default value of 0 disables this logging.
1925
1926           Default: ctdb locktime warn threshold = 0
1927
1928       ctdb timeout (G)
1929
1930           This parameter specifies a timeout in milliseconds for the
1931           connection between Samba and ctdb. It is only valid if you have
1932           compiled Samba with clustering and if you have set clustering=yes.
1933
1934           When something in the cluster blocks, it can happen that we wait
1935           indefinitely long for ctdb, just adding to the blocking condition.
1936           In a well-running cluster this should never happen, but there are
1937           too many components in a cluster that might have hickups. Choosing
1938           the right balance for this value is very tricky, because on a busy
1939           cluster long service times to transfer something across the cluster
1940           might be valid. Setting it too short will degrade the service your
1941           cluster presents, setting it too long might make the cluster itself
1942           not recover from something severely broken for too long.
1943
1944           Be aware that if you set this parameter, this needs to be in the
1945           file smb.conf, it is not really helpful to put this into a registry
1946           configuration (typical on a cluster), because to access the
1947           registry contact to ctdb is required.
1948
1949           Setting ctdb timeout to n makes any process waiting longer than n
1950           milliseconds for a reply by the cluster panic. Setting it to 0 (the
1951           default) makes Samba block forever, which is the highly recommended
1952           default.
1953
1954           Default: ctdb timeout = 0
1955
1956       cups connection timeout (G)
1957
1958           This parameter is only applicable if printing is set to cups.
1959
1960           If set, this option specifies the number of seconds that smbd will
1961           wait whilst trying to contact to the CUPS server. The connection
1962           will fail if it takes longer than this number of seconds.
1963
1964           Default: cups connection timeout = 30
1965
1966           Example: cups connection timeout = 60
1967
1968       cups encrypt (G)
1969
1970           This parameter is only applicable if printing is set to cups and if
1971           you use CUPS newer than 1.0.x.It is used to define whether or not
1972           Samba should use encryption when talking to the CUPS server.
1973           Possible values are auto, yes and no
1974
1975           When set to auto we will try to do a TLS handshake on each CUPS
1976           connection setup. If that fails, we will fall back to unencrypted
1977           operation.
1978
1979           Default: cups encrypt = no
1980
1981       cups options (S)
1982
1983           This parameter is only applicable if printing is set to cups. Its
1984           value is a free form string of options passed directly to the cups
1985           library.
1986
1987           You can pass any generic print option known to CUPS (as listed in
1988           the CUPS "Software Users' Manual"). You can also pass any printer
1989           specific option (as listed in "lpoptions -d printername -l") valid
1990           for the target queue. Multiple parameters should be space-delimited
1991           name/value pairs according to the PAPI text option ABNF
1992           specification. Collection values ("name={a=... b=... c=...}") are
1993           stored with the curley brackets intact.
1994
1995           You should set this parameter to raw if your CUPS server error_log
1996           file contains messages such as "Unsupported format
1997           'application/octet-stream'" when printing from a Windows client
1998           through Samba. It is no longer necessary to enable system wide raw
1999           printing in /etc/cups/mime.{convs,types}.
2000
2001           Default: cups options = ""
2002
2003           Example: cups options = "raw media=a4"
2004
2005       cups server (G)
2006
2007           This parameter is only applicable if printing is set to cups.
2008
2009           If set, this option overrides the ServerName option in the CUPS
2010           client.conf. This is necessary if you have virtual samba servers
2011           that connect to different CUPS daemons.
2012
2013           Optionally, a port can be specified by separating the server name
2014           and port number with a colon. If no port was specified, the default
2015           port for IPP (631) will be used.
2016
2017           Default: cups server = ""
2018
2019           Example: cups server = mycupsserver
2020
2021           Example: cups server = mycupsserver:1631
2022
2023       dcerpc endpoint servers (G)
2024
2025           Specifies which DCE/RPC endpoint servers should be run.
2026
2027           Default: dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr,
2028           netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6,
2029           backupkey, dnsserver
2030
2031           Example: dcerpc endpoint servers = rpcecho
2032
2033       deadtime (G)
2034
2035           The value of the parameter (a decimal integer) represents the
2036           number of minutes of inactivity before a connection is considered
2037           dead, and it is disconnected. The deadtime only takes effect if the
2038           number of open files is zero.
2039
2040           This is useful to stop a server's resources being exhausted by a
2041           large number of inactive connections.
2042
2043           Most clients have an auto-reconnect feature when a connection is
2044           broken so in most cases this parameter should be transparent to
2045           users.
2046
2047           Using this parameter with a timeout of a few minutes is recommended
2048           for most systems.
2049
2050           A deadtime of zero indicates that no auto-disconnection should be
2051           performed.
2052
2053           Default: deadtime = 0
2054
2055           Example: deadtime = 15
2056
2057       debug class (G)
2058
2059           With this boolean parameter enabled, the debug class (DBGC_CLASS)
2060           will be displayed in the debug header.
2061
2062           For more information about currently available debug classes, see
2063           section about log level.
2064
2065           Default: debug class = no
2066
2067       debug hires timestamp (G)
2068
2069           Sometimes the timestamps in the log messages are needed with a
2070           resolution of higher that seconds, this boolean parameter adds
2071           microsecond resolution to the timestamp message header when turned
2072           on.
2073
2074           Note that the parameter debug timestamp must be on for this to have
2075           an effect.
2076
2077           Default: debug hires timestamp = yes
2078
2079       debug pid (G)
2080
2081           When using only one log file for more then one forked
2082           smbd(8)-process there may be hard to follow which process outputs
2083           which message. This boolean parameter is adds the process-id to the
2084           timestamp message headers in the logfile when turned on.
2085
2086           Note that the parameter debug timestamp must be on for this to have
2087           an effect.
2088
2089           Default: debug pid = no
2090
2091       debug prefix timestamp (G)
2092
2093           With this option enabled, the timestamp message header is prefixed
2094           to the debug message without the filename and function information
2095           that is included with the debug timestamp parameter. This gives
2096           timestamps to the messages without adding an additional line.
2097
2098           Note that this parameter overrides the debug timestamp parameter.
2099
2100           Default: debug prefix timestamp = no
2101
2102       debug uid (G)
2103
2104           Samba is sometimes run as root and sometime run as the connected
2105           user, this boolean parameter inserts the current euid, egid, uid
2106           and gid to the timestamp message headers in the log file if turned
2107           on.
2108
2109           Note that the parameter debug timestamp must be on for this to have
2110           an effect.
2111
2112           Default: debug uid = no
2113
2114       dedicated keytab file (G)
2115
2116           Specifies the absolute path to the kerberos keytab file when
2117           kerberos method is set to "dedicated keytab".
2118
2119           Default: dedicated keytab file =
2120
2121           Example: dedicated keytab file = /usr/local/etc/krb5.keytab
2122
2123       default case (S)
2124
2125           See the section on name mangling. Also note the short preserve case
2126           parameter.
2127
2128           Default: default case = lower
2129
2130       default devmode (S)
2131
2132           This parameter is only applicable to printable services. When smbd
2133           is serving Printer Drivers to Windows NT/2k/XP clients, each
2134           printer on the Samba server has a Device Mode which defines things
2135           such as paper size and orientation and duplex settings. The device
2136           mode can only correctly be generated by the printer driver itself
2137           (which can only be executed on a Win32 platform). Because smbd is
2138           unable to execute the driver code to generate the device mode, the
2139           default behavior is to set this field to NULL.
2140
2141           Most problems with serving printer drivers to Windows NT/2k/XP
2142           clients can be traced to a problem with the generated device mode.
2143           Certain drivers will do things such as crashing the client's
2144           Explorer.exe with a NULL devmode. However, other printer drivers
2145           can cause the client's spooler service (spoolsv.exe) to die if the
2146           devmode was not created by the driver itself (i.e. smbd generates a
2147           default devmode).
2148
2149           This parameter should be used with care and tested with the printer
2150           driver in question. It is better to leave the device mode to NULL
2151           and let the Windows client set the correct values. Because drivers
2152           do not do this all the time, setting default devmode = yes will
2153           instruct smbd to generate a default one.
2154
2155           For more information on Windows NT/2k printing and Device Modes,
2156           see the MSDN documentation.
2157
2158           Default: default devmode = yes
2159
2160       default
2161
2162           This parameter is a synonym for default service.
2163
2164       default service (G)
2165
2166           This parameter specifies the name of a service which will be
2167           connected to if the service actually requested cannot be found.
2168           Note that the square brackets are NOT given in the parameter value
2169           (see example below).
2170
2171           There is no default value for this parameter. If this parameter is
2172           not given, attempting to connect to a nonexistent service results
2173           in an error.
2174
2175           Typically the default service would be a guest ok, read-only
2176           service.
2177
2178           Also note that the apparent service name will be changed to equal
2179           that of the requested service, this is very useful as it allows you
2180           to use macros like %S to make a wildcard service.
2181
2182           Note also that any "_" characters in the name of the service used
2183           in the default service will get mapped to a "/". This allows for
2184           interesting things.
2185
2186           Default: default service =
2187
2188           Example: default service = pub
2189
2190       defer sharing violations (G)
2191
2192           Windows allows specifying how a file will be shared with other
2193           processes when it is opened. Sharing violations occur when a file
2194           is opened by a different process using options that violate the
2195           share settings specified by other processes. This parameter causes
2196           smbd to act as a Windows server does, and defer returning a
2197           "sharing violation" error message for up to one second, allowing
2198           the client to close the file causing the violation in the meantime.
2199
2200           UNIX by default does not have this behaviour.
2201
2202           There should be no reason to turn off this parameter, as it is
2203           designed to enable Samba to more correctly emulate Windows.
2204
2205           Default: defer sharing violations = yes
2206
2207       delete group script (G)
2208
2209           This is the full pathname to a script that will be run AS ROOT by
2210           smbd(8) when a group is requested to be deleted. It will expand any
2211           %g to the group name passed. This script is only useful for
2212           installations using the Windows NT domain administration tools.
2213
2214           Default: delete group script =
2215
2216       deleteprinter command (G)
2217
2218           With the introduction of MS-RPC based printer support for Windows
2219           NT/2000 clients in Samba 2.2, it is now possible to delete a
2220           printer at run time by issuing the DeletePrinter() RPC call.
2221
2222           For a Samba host this means that the printer must be physically
2223           deleted from the underlying printing system. The deleteprinter
2224           command defines a script to be run which will perform the necessary
2225           operations for removing the printer from the print system and from
2226           smb.conf.
2227
2228           The deleteprinter command is automatically called with only one
2229           parameter: printer name.
2230
2231           Once the deleteprinter command has been executed, smbd will reparse
2232           the smb.conf to check that the associated printer no longer exists.
2233           If the sharename is still valid, then smbd will return an
2234           ACCESS_DENIED error to the client.
2235
2236           Default: deleteprinter command =
2237
2238           Example: deleteprinter command = /usr/bin/removeprinter
2239
2240       delete readonly (S)
2241
2242           This parameter allows readonly files to be deleted. This is not
2243           normal DOS semantics, but is allowed by UNIX.
2244
2245           This option may be useful for running applications such as rcs,
2246           where UNIX file ownership prevents changing file permissions, and
2247           DOS semantics prevent deletion of a read only file.
2248
2249           Default: delete readonly = no
2250
2251       delete share command (G)
2252
2253           Samba 2.2.0 introduced the ability to dynamically add and delete
2254           shares via the Windows NT 4.0 Server Manager. The delete share
2255           command is used to define an external program or script which will
2256           remove an existing service definition from smb.conf.
2257
2258           In order to successfully execute the delete share command, smbd
2259           requires that the administrator connects using a root account (i.e.
2260           uid == 0) or has the SeDiskOperatorPrivilege. Scripts defined in
2261           the delete share command parameter are executed as root.
2262
2263           When executed, smbd will automatically invoke the delete share
2264           command with two parameters.
2265
2266                  ·   configFile - the location of the global smb.conf file.
2267
2268                  ·   shareName - the name of the existing service.
2269
2270           This parameter is only used to remove file shares. To delete
2271           printer shares, see the deleteprinter command.
2272
2273           Default: delete share command =
2274
2275           Example: delete share command = /usr/local/bin/delshare
2276
2277       delete user from group script (G)
2278
2279           Full path to the script that will be called when a user is removed
2280           from a group using the Windows NT domain administration tools. It
2281           will be run by smbd(8) AS ROOT. Any %g will be replaced with the
2282           group name and any %u will be replaced with the user name.
2283
2284           Default: delete user from group script =
2285
2286           Example: delete user from group script = /usr/sbin/deluser %u %g
2287
2288       delete user script (G)
2289
2290           This is the full pathname to a script that will be run by smbd(8)
2291           when managing users with remote RPC (NT) tools.
2292
2293           This script is called when a remote client removes a user from the
2294           server, normally using 'User Manager for Domains' or rpcclient.
2295
2296           This script should delete the given UNIX username.
2297
2298           Default: delete user script =
2299
2300           Example: delete user script = /usr/local/samba/bin/del_user %u
2301
2302       delete veto files (S)
2303
2304           This option is used when Samba is attempting to delete a directory
2305           that contains one or more vetoed directories (see the veto files
2306           option). If this option is set to no (the default) then if a vetoed
2307           directory contains any non-vetoed files or directories then the
2308           directory delete will fail. This is usually what you want.
2309
2310           If this option is set to yes, then Samba will attempt to
2311           recursively delete any files and directories within the vetoed
2312           directory. This can be useful for integration with file serving
2313           systems such as NetAtalk which create meta-files within directories
2314           you might normally veto DOS/Windows users from seeing (e.g.
2315           .AppleDouble)
2316
2317           Setting delete veto files = yes allows these directories to be
2318           transparently deleted when the parent directory is deleted (so long
2319           as the user has permissions to do so).
2320
2321           Default: delete veto files = no
2322
2323       dfree cache time (S)
2324
2325           The dfree cache time should only be used on systems where a problem
2326           occurs with the internal disk space calculations. This has been
2327           known to happen with Ultrix, but may occur with other operating
2328           systems. The symptom that was seen was an error of "Abort Retry
2329           Ignore" at the end of each directory listing.
2330
2331           This is a new parameter introduced in Samba version 3.0.21. It
2332           specifies in seconds the time that smbd will cache the output of a
2333           disk free query. If set to zero (the default) no caching is done.
2334           This allows a heavily loaded server to prevent rapid spawning of
2335           dfree command scripts increasing the load.
2336
2337           By default this parameter is zero, meaning no caching will be done.
2338
2339           No default
2340
2341           Example: dfree cache time = 60
2342
2343       dfree command (S)
2344
2345           The dfree command setting should only be used on systems where a
2346           problem occurs with the internal disk space calculations. This has
2347           been known to happen with Ultrix, but may occur with other
2348           operating systems. The symptom that was seen was an error of "Abort
2349           Retry Ignore" at the end of each directory listing.
2350
2351           This setting allows the replacement of the internal routines to
2352           calculate the total disk space and amount available with an
2353           external routine. The example below gives a possible script that
2354           might fulfill this function.
2355
2356           In Samba version 3.0.21 this parameter has been changed to be a
2357           per-share parameter, and in addition the parameter dfree cache time
2358           was added to allow the output of this script to be cached for
2359           systems under heavy load.
2360
2361           The external program will be passed a single parameter indicating a
2362           directory in the filesystem being queried. This will typically
2363           consist of the string ./. The script should return two integers in
2364           ASCII. The first should be the total disk space in blocks, and the
2365           second should be the number of available blocks. An optional third
2366           return value can give the block size in bytes. The default
2367           blocksize is 1024 bytes.
2368
2369           Note: Your script should NOT be setuid or setgid and should be
2370           owned by (and writeable only by) root!
2371
2372           Where the script dfree (which must be made executable) could be:
2373
2374
2375               #!/bin/sh
2376               df $1 | tail -1 | awk '{print $(NF-4),$(NF-2)}'
2377
2378           or perhaps (on Sys V based systems):
2379
2380
2381               #!/bin/sh
2382               /usr/bin/df -k $1 | tail -1 | awk '{print $3" "$5}'
2383
2384           Note that you may have to replace the command names with full path
2385           names on some systems.
2386
2387           By default internal routines for determining the disk capacity and
2388           remaining space will be used.
2389
2390           No default
2391
2392           Example: dfree command = /usr/local/samba/bin/dfree
2393
2394       dgram port (G)
2395
2396           Specifies which ports the server should listen on for NetBIOS
2397           datagram traffic.
2398
2399           Default: dgram port = 138
2400
2401       directory mode
2402
2403           This parameter is a synonym for directory mask.
2404
2405       directory mask (S)
2406
2407           This parameter is the octal modes which are used when converting
2408           DOS modes to UNIX modes when creating UNIX directories.
2409
2410           When a directory is created, the necessary permissions are
2411           calculated according to the mapping from DOS modes to UNIX
2412           permissions, and the resulting UNIX mode is then bit-wise 'AND'ed
2413           with this parameter. This parameter may be thought of as a bit-wise
2414           MASK for the UNIX modes of a directory. Any bit not set here will
2415           be removed from the modes set on a directory when it is created.
2416
2417           The default value of this parameter removes the 'group' and 'other'
2418           write bits from the UNIX mode, allowing only the user who owns the
2419           directory to modify it.
2420
2421           Following this Samba will bit-wise 'OR' the UNIX mode created from
2422           this parameter with the value of the force directory mode
2423           parameter. This parameter is set to 000 by default (i.e. no extra
2424           mode bits are added).
2425
2426           Default: directory mask = 0755
2427
2428           Example: directory mask = 0775
2429
2430       directory name cache size (S)
2431
2432           This parameter specifies the size of the directory name cache for
2433           SMB1 connections. It is not used for SMB2. It will be needed to
2434           turn this off for *BSD systems.
2435
2436           Default: directory name cache size = 100
2437
2438       directory security mask (S)
2439
2440           This parameter has been removed for Samba 4.0.0.
2441
2442           No default
2443
2444       disable netbios (G)
2445
2446           Enabling this parameter will disable netbios support in Samba.
2447           Netbios is the only available form of browsing in all windows
2448           versions except for 2000 and XP.
2449
2450               Note
2451               Clients that only support netbios won't be able to see your
2452               samba server when netbios support is disabled.
2453           Default: disable netbios = no
2454
2455       disable spoolss (G)
2456
2457           Enabling this parameter will disable Samba's support for the
2458           SPOOLSS set of MS-RPC's and will yield identical behavior as Samba
2459           2.0.x. Windows NT/2000 clients will downgrade to using Lanman style
2460           printing commands. Windows 9x/ME will be unaffected by the
2461           parameter. However, this will also disable the ability to upload
2462           printer drivers to a Samba server via the Windows NT Add Printer
2463           Wizard or by using the NT printer properties dialog window. It will
2464           also disable the capability of Windows NT/2000 clients to download
2465           print drivers from the Samba host upon demand.  Be very careful
2466           about enabling this parameter.
2467
2468           Default: disable spoolss = no
2469
2470       dmapi support (S)
2471
2472           This parameter specifies whether Samba should use DMAPI to
2473           determine whether a file is offline or not. This would typically be
2474           used in conjunction with a hierarchical storage system that
2475           automatically migrates files to tape.
2476
2477           Note that Samba infers the status of a file by examining the events
2478           that a DMAPI application has registered interest in. This heuristic
2479           is satisfactory for a number of hierarchical storage systems, but
2480           there may be system for which it will fail. In this case, Samba may
2481           erroneously report files to be offline.
2482
2483           This parameter is only available if a supported DMAPI
2484           implementation was found at compilation time. It will only be used
2485           if DMAPI is found to enabled on the system at run time.
2486
2487           Default: dmapi support = no
2488
2489       dns forwarder (G)
2490
2491           This option specifies the list of DNS servers that DNS requests
2492           will be forwarded to if they can not be handled by Samba itself.
2493
2494           The DNS forwarder is only used if the internal DNS server in Samba
2495           is used.
2496
2497           Default: dns forwarder =
2498
2499           Example: dns forwarder = 192.168.0.1
2500
2501       dns proxy (G)
2502
2503           Specifies that nmbd(8) when acting as a WINS server and finding
2504           that a NetBIOS name has not been registered, should treat the
2505           NetBIOS name word-for-word as a DNS name and do a lookup with the
2506           DNS server for that name on behalf of the name-querying client.
2507
2508           Note that the maximum length for a NetBIOS name is 15 characters,
2509           so the DNS name (or DNS alias) can likewise only be 15 characters,
2510           maximum.
2511
2512           nmbd spawns a second copy of itself to do the DNS name lookup
2513           requests, as doing a name lookup is a blocking action.
2514
2515           Default: dns proxy = yes
2516
2517       dns update command (G)
2518
2519           This option sets the command that is called when there are DNS
2520           updates. It should update the local machines DNS names using
2521           TSIG-GSS.
2522
2523           Default: dns update command =
2524           /builddir/build/BUILD/samba-4.10.4/source4/scripting/bin/samba_dnsupdate
2525
2526           Example: dns update command = /usr/local/sbin/dnsupdate
2527
2528       dns zone scavenging (G)
2529
2530           When enabled (the default is disabled) unused dynamic dns records
2531           are periodically removed.
2532
2533               Warning
2534               This option should not be enabled for installations created
2535               with versions of samba before 4.9. Doing this will result in
2536               the loss of static DNS entries. This is due to a bug in
2537               previous versions of samba (BUG 12451) which marked dynamic DNS
2538               records as static and static records as dynamic.
2539
2540               Note
2541               If one record for a DNS name is static (non-aging) then no
2542               other record for that DNS name will be scavenged.
2543           Default: dns zone scavenging = no
2544
2545       domain logons (G)
2546
2547           If set to yes, the Samba server will provide the netlogon service
2548           for Windows 9X network logons for the workgroup it is in. This will
2549           also cause the Samba server to act as a domain controller for NT4
2550           style domain services. For more details on setting up this feature
2551           see the Domain Control chapter of the Samba HOWTO Collection.
2552
2553           Default: domain logons = no
2554
2555       domain master (G)
2556
2557           Tell smbd(8) to enable WAN-wide browse list collation. Setting this
2558           option causes nmbd to claim a special domain specific NetBIOS name
2559           that identifies it as a domain master browser for its given
2560           workgroup. Local master browsers in the same workgroup on
2561           broadcast-isolated subnets will give this nmbd their local browse
2562           lists, and then ask smbd(8) for a complete copy of the browse list
2563           for the whole wide area network. Browser clients will then contact
2564           their local master browser, and will receive the domain-wide browse
2565           list, instead of just the list for their broadcast-isolated subnet.
2566
2567           Note that Windows NT Primary Domain Controllers expect to be able
2568           to claim this workgroup specific special NetBIOS name that
2569           identifies them as domain master browsers for that workgroup by
2570           default (i.e. there is no way to prevent a Windows NT PDC from
2571           attempting to do this). This means that if this parameter is set
2572           and nmbd claims the special name for a workgroup before a Windows
2573           NT PDC is able to do so then cross subnet browsing will behave
2574           strangely and may fail.
2575
2576           If domain logons = yes, then the default behavior is to enable the
2577           domain master parameter. If domain logons is not enabled (the
2578           default setting), then neither will domain master be enabled by
2579           default.
2580
2581           When domain logons = Yes the default setting for this parameter is
2582           Yes, with the result that Samba will be a PDC. If domain master =
2583           No, Samba will function as a BDC. In general, this parameter should
2584           be set to 'No' only on a BDC.
2585
2586           Default: domain master = auto
2587
2588       dont descend (S)
2589
2590           There are certain directories on some systems (e.g., the /proc tree
2591           under Linux) that are either not of interest to clients or are
2592           infinitely deep (recursive). This parameter allows you to specify a
2593           comma-delimited list of directories that the server should always
2594           show as empty.
2595
2596           Note that Samba can be very fussy about the exact format of the
2597           "dont descend" entries. For example you may need ./proc instead of
2598           just /proc. Experimentation is the best policy :-)
2599
2600           Default: dont descend =
2601
2602           Example: dont descend = /proc,/dev
2603
2604       dos charset (G)
2605
2606           DOS SMB clients assume the server has the same charset as they do.
2607           This option specifies which charset Samba should talk to DOS
2608           clients.
2609
2610           The default depends on which charsets you have installed. Samba
2611           tries to use charset 850 but falls back to ASCII in case it is not
2612           available. Run testparm(1) to check the default on your system.
2613
2614           No default
2615
2616       dos filemode (S)
2617
2618           The default behavior in Samba is to provide UNIX-like behavior
2619           where only the owner of a file/directory is able to change the
2620           permissions on it. However, this behavior is often confusing to
2621           DOS/Windows users. Enabling this parameter allows a user who has
2622           write access to the file (by whatever means, including an ACL
2623           permission) to modify the permissions (including ACL) on it. Note
2624           that a user belonging to the group owning the file will not be
2625           allowed to change permissions if the group is only granted read
2626           access. Ownership of the file/directory may also be changed. Note
2627           that using the VFS modules acl_xattr or acl_tdb which store native
2628           Windows as meta-data will automatically turn this option on for any
2629           share for which they are loaded, as they require this option to
2630           emulate Windows ACLs correctly.
2631
2632           Default: dos filemode = no
2633
2634       dos filetime resolution (S)
2635
2636           Under the DOS and Windows FAT filesystem, the finest granularity on
2637           time resolution is two seconds. Setting this parameter for a share
2638           causes Samba to round the reported time down to the nearest two
2639           second boundary when a query call that requires one second
2640           resolution is made to smbd(8).
2641
2642           This option is mainly used as a compatibility option for Visual C++
2643           when used against Samba shares. If oplocks are enabled on a share,
2644           Visual C++ uses two different time reading calls to check if a file
2645           has changed since it was last read. One of these calls uses a
2646           one-second granularity, the other uses a two second granularity. As
2647           the two second call rounds any odd second down, then if the file
2648           has a timestamp of an odd number of seconds then the two timestamps
2649           will not match and Visual C++ will keep reporting the file has
2650           changed. Setting this option causes the two timestamps to match,
2651           and Visual C++ is happy.
2652
2653           Default: dos filetime resolution = no
2654
2655       dos filetimes (S)
2656
2657           Under DOS and Windows, if a user can write to a file they can
2658           change the timestamp on it. Under POSIX semantics, only the owner
2659           of the file or root may change the timestamp. By default, Samba
2660           emulates the DOS semantics and allows one to change the timestamp
2661           on a file if the user smbd is acting on behalf has write
2662           permissions. Due to changes in Microsoft Office 2000 and beyond,
2663           the default for this parameter has been changed from "no" to "yes"
2664           in Samba 3.0.14 and above. Microsoft Excel will display dialog box
2665           warnings about the file being changed by another user if this
2666           parameter is not set to "yes" and files are being shared between
2667           users.
2668
2669           Default: dos filetimes = yes
2670
2671       dsdb event notification (G)
2672
2673           When enabled, this option causes Samba (acting as an Active
2674           Directory Domain Controller) to stream Samba database events across
2675           the internal message bus. Scripts built using Samba's python
2676           bindings can listen to these events by registering as the service
2677           dsdb_event.
2678
2679           This should be considered a developer option (it assists in the
2680           Samba testsuite) rather than a facility for external auditing, as
2681           message delivery is not guaranteed (a feature that the testsuite
2682           works around).
2683
2684           The Samba database events are also logged via the normal logging
2685           methods when the log level is set appropriately.
2686
2687           Default: dsdb event notification = no
2688
2689       dsdb group change notification (G)
2690
2691           When enabled, this option causes Samba (acting as an Active
2692           Directory Domain Controller) to stream group membership change
2693           events across the internal message bus. Scripts built using Samba's
2694           python bindings can listen to these events by registering as the
2695           service dsdb_group_event.
2696
2697           This should be considered a developer option (it assists in the
2698           Samba testsuite) rather than a facility for external auditing, as
2699           message delivery is not guaranteed (a feature that the testsuite
2700           works around).
2701
2702           The group events are also logged via the normal logging methods
2703           when the log level is set appropriately.
2704
2705           Default: dsdb group change notification = no
2706
2707       dsdb password event notification (G)
2708
2709           When enabled, this option causes Samba (acting as an Active
2710           Directory Domain Controller) to stream password change and reset
2711           events across the internal message bus. Scripts built using Samba's
2712           python bindings can listen to these events by registering as the
2713           service password_event.
2714
2715           This should be considered a developer option (it assists in the
2716           Samba testsuite) rather than a facility for external auditing, as
2717           message delivery is not guaranteed (a feature that the testsuite
2718           works around).
2719
2720           The password events are also logged via the normal logging methods
2721           when the log level is set appropriately.
2722
2723           Default: dsdb password event notification = no
2724
2725       durable handles (S)
2726
2727           This boolean parameter controls whether Samba can grant SMB2
2728           durable file handles on a share.
2729
2730           Note that durable handles are only enabled if kernel oplocks = no,
2731           kernel share modes = no, and posix locking = no, i.e. if the share
2732           is configured for CIFS/SMB2 only access, not supporting
2733           interoperability features with local UNIX processes or NFS
2734           operations.
2735
2736           Also note that, for the time being, durability is not granted for a
2737           handle that has the delete on close flag set.
2738
2739           Default: durable handles = yes
2740
2741       ea support (S)
2742
2743           This boolean parameter controls whether smbd(8) will allow clients
2744           to attempt to access extended attributes on a share. In order to
2745           enable this parameter on a setup with default VFS modules:
2746
2747                  ·   Samba must have been built with extended attributes
2748                      support.
2749
2750                  ·   The underlying filesystem exposed by the share must
2751                      support extended attributes (e.g. the getfattr(1) /
2752                      setfattr(1) utilities must work).
2753
2754           Note that the SMB protocol allows setting attributes whose value is
2755           64K bytes long, and that on NTFS, the maximum storage space for
2756           extended attributes per file is 64K. On most UNIX systems (Solaris
2757           and ZFS file system being the exception), the limits are much lower
2758           - typically 4K. Worse, the same 4K space is often used to store
2759           system metadata such as POSIX ACLs, or Samba's NT ACLs. Giving
2760           clients access to this tight space via extended attribute support
2761           could consume all of it by unsuspecting client applications, which
2762           would prevent changing system metadata due to lack of space. The
2763           default has changed to yes in Samba release 4.9.0 and above to
2764           allow better Windows fileserver compatibility in a default install.
2765
2766           Default: ea support = yes
2767
2768       enable asu support (G)
2769
2770           Hosts running the "Advanced Server for Unix (ASU)" product require
2771           some special accomodations such as creating a builtin [ADMIN$]
2772           share that only supports IPC connections. The has been the default
2773           behavior in smbd for many years. However, certain Microsoft
2774           applications such as the Print Migrator tool require that the
2775           remote server support an [ADMIN$] file share. Disabling this
2776           parameter allows for creating an [ADMIN$] file share in smb.conf.
2777
2778           Default: enable asu support = no
2779
2780       enable core files (G)
2781
2782           This parameter specifies whether core dumps should be written on
2783           internal exits. Normally set to yes. You should never need to
2784           change this.
2785
2786           Default: enable core files = yes
2787
2788           Example: enable core files = no
2789
2790       enable privileges (G)
2791
2792           This deprecated parameter controls whether or not smbd will honor
2793           privileges assigned to specific SIDs via either net rpc rights or
2794           one of the Windows user and group manager tools. This parameter is
2795           enabled by default. It can be disabled to prevent members of the
2796           Domain Admins group from being able to assign privileges to users
2797           or groups which can then result in certain smbd operations running
2798           as root that would normally run under the context of the connected
2799           user.
2800
2801           An example of how privileges can be used is to assign the right to
2802           join clients to a Samba controlled domain without providing root
2803           access to the server via smbd.
2804
2805           Please read the extended description provided in the Samba HOWTO
2806           documentation.
2807
2808           Default: enable privileges = yes
2809
2810       enable spoolss (G)
2811
2812           Inverted synonym for disable spoolss.
2813
2814           Default: enable spoolss = yes
2815
2816       encrypt passwords (G)
2817
2818           This boolean controls whether encrypted passwords will be
2819           negotiated with the client. Note that Windows NT 4.0 SP3 and above
2820           and also Windows 98 will by default expect encrypted passwords
2821           unless a registry entry is changed. To use encrypted passwords in
2822           Samba see the chapter "User Database" in the Samba HOWTO
2823           Collection.
2824
2825           MS Windows clients that expect Microsoft encrypted passwords and
2826           that do not have plain text password support enabled will be able
2827           to connect only to a Samba server that has encrypted password
2828           support enabled and for which the user accounts have a valid
2829           encrypted password. Refer to the smbpasswd command man page for
2830           information regarding the creation of encrypted passwords for user
2831           accounts.
2832
2833           The use of plain text passwords is NOT advised as support for this
2834           feature is no longer maintained in Microsoft Windows products. If
2835           you want to use plain text passwords you must set this parameter to
2836           no.
2837
2838           In order for encrypted passwords to work correctly smbd(8) must
2839           either have access to a local smbpasswd(5) file (see the
2840           smbpasswd(8) program for information on how to set up and maintain
2841           this file), or set the security = [domain|ads] parameter which
2842           causes smbd to authenticate against another server.
2843
2844           Default: encrypt passwords = yes
2845
2846       enhanced browsing (G)
2847
2848           This option enables a couple of enhancements to cross-subnet browse
2849           propagation that have been added in Samba but which are not
2850           standard in Microsoft implementations.
2851
2852           The first enhancement to browse propagation consists of a regular
2853           wildcard query to a Samba WINS server for all Domain Master
2854           Browsers, followed by a browse synchronization with each of the
2855           returned DMBs. The second enhancement consists of a regular
2856           randomised browse synchronization with all currently known DMBs.
2857
2858           You may wish to disable this option if you have a problem with
2859           empty workgroups not disappearing from browse lists. Due to the
2860           restrictions of the browse protocols, these enhancements can cause
2861           a empty workgroup to stay around forever which can be annoying.
2862
2863           In general you should leave this option enabled as it makes
2864           cross-subnet browse propagation much more reliable.
2865
2866           Default: enhanced browsing = yes
2867
2868       enumports command (G)
2869
2870           The concept of a "port" is fairly foreign to UNIX hosts. Under
2871           Windows NT/2000 print servers, a port is associated with a port
2872           monitor and generally takes the form of a local port (i.e. LPT1:,
2873           COM1:, FILE:) or a remote port (i.e. LPD Port Monitor, etc...). By
2874           default, Samba has only one port defined--"Samba Printer Port".
2875           Under Windows NT/2000, all printers must have a valid port name. If
2876           you wish to have a list of ports displayed (smbd does not use a
2877           port name for anything) other than the default "Samba Printer
2878           Port", you can define enumports command to point to a program which
2879           should generate a list of ports, one per line, to standard output.
2880           This listing will then be used in response to the level 1 and 2
2881           EnumPorts() RPC.
2882
2883           Default: enumports command =
2884
2885           Example: enumports command = /usr/bin/listports
2886
2887       eventlog list (G)
2888
2889           This option defines a list of log names that Samba will report to
2890           the Microsoft EventViewer utility. The listed eventlogs will be
2891           associated with tdb file on disk in the $(statedir)/eventlog.
2892
2893           The administrator must use an external process to parse the normal
2894           Unix logs such as /var/log/messages and write then entries to the
2895           eventlog tdb files. Refer to the eventlogadm(8) utility for how to
2896           write eventlog entries.
2897
2898           Default: eventlog list =
2899
2900           Example: eventlog list = Security Application Syslog Apache
2901
2902       fake directory create times (S)
2903
2904           NTFS and Windows VFAT file systems keep a create time for all files
2905           and directories. This is not the same as the ctime - status change
2906           time - that Unix keeps, so Samba by default reports the earliest of
2907           the various times Unix does keep. Setting this parameter for a
2908           share causes Samba to always report midnight 1-1-1980 as the create
2909           time for directories.
2910
2911           This option is mainly used as a compatibility option for Visual C++
2912           when used against Samba shares. Visual C++ generated makefiles have
2913           the object directory as a dependency for each object file, and a
2914           make rule to create the directory. Also, when NMAKE compares
2915           timestamps it uses the creation time when examining a directory.
2916           Thus the object directory will be created if it does not exist, but
2917           once it does exist it will always have an earlier timestamp than
2918           the object files it contains.
2919
2920           However, Unix time semantics mean that the create time reported by
2921           Samba will be updated whenever a file is created or deleted in the
2922           directory. NMAKE finds all object files in the object directory.
2923           The timestamp of the last one built is then compared to the
2924           timestamp of the object directory. If the directory's timestamp if
2925           newer, then all object files will be rebuilt. Enabling this option
2926           ensures directories always predate their contents and an NMAKE
2927           build will proceed as expected.
2928
2929           Default: fake directory create times = no
2930
2931       fake oplocks (S)
2932
2933           Oplocks are the way that SMB clients get permission from a server
2934           to locally cache file operations. If a server grants an oplock
2935           (opportunistic lock) then the client is free to assume that it is
2936           the only one accessing the file and it will aggressively cache file
2937           data. With some oplock types the client may even cache file
2938           open/close operations. This can give enormous performance benefits.
2939
2940           When you set fake oplocks = yes, smbd(8) will always grant oplock
2941           requests no matter how many clients are using the file.
2942
2943           It is generally much better to use the real oplocks support rather
2944           than this parameter.
2945
2946           If you enable this option on all read-only shares or shares that
2947           you know will only be accessed from one client at a time such as
2948           physically read-only media like CDROMs, you will see a big
2949           performance improvement on many operations. If you enable this
2950           option on shares where multiple clients may be accessing the files
2951           read-write at the same time you can get data corruption. Use this
2952           option carefully!
2953
2954           Default: fake oplocks = no
2955
2956       follow symlinks (S)
2957
2958           This parameter allows the Samba administrator to stop smbd(8) from
2959           following symbolic links in a particular share. Setting this
2960           parameter to no prevents any file or directory that is a symbolic
2961           link from being followed (the user will get an error). This option
2962           is very useful to stop users from adding a symbolic link to
2963           /etc/passwd in their home directory for instance. However it will
2964           slow filename lookups down slightly.
2965
2966           This option is enabled (i.e.  smbd will follow symbolic links) by
2967           default.
2968
2969           Default: follow symlinks = yes
2970
2971       force create mode (S)
2972
2973           This parameter specifies a set of UNIX mode bit permissions that
2974           will always be set on a file created by Samba. This is done by
2975           bitwise 'OR'ing these bits onto the mode bits of a file that is
2976           being created. The default for this parameter is (in octal) 000.
2977           The modes in this parameter are bitwise 'OR'ed onto the file mode
2978           after the mask set in the create mask parameter is applied.
2979
2980           The example below would force all newly created files to have read
2981           and execute permissions set for 'group' and 'other' as well as the
2982           read/write/execute bits set for the 'user'.
2983
2984           Default: force create mode = 0000
2985
2986           Example: force create mode = 0755
2987
2988       force directory mode (S)
2989
2990           This parameter specifies a set of UNIX mode bit permissions that
2991           will always be set on a directory created by Samba. This is done by
2992           bitwise 'OR'ing these bits onto the mode bits of a directory that
2993           is being created. The default for this parameter is (in octal) 0000
2994           which will not add any extra permission bits to a created
2995           directory. This operation is done after the mode mask in the
2996           parameter directory mask is applied.
2997
2998           The example below would force all created directories to have read
2999           and execute permissions set for 'group' and 'other' as well as the
3000           read/write/execute bits set for the 'user'.
3001
3002           Default: force directory mode = 0000
3003
3004           Example: force directory mode = 0755
3005
3006       force directory security mode (S)
3007
3008           This parameter has been removed for Samba 4.0.0.
3009
3010           No default
3011
3012       group
3013
3014           This parameter is a synonym for force group.
3015
3016       force group (S)
3017
3018           This specifies a UNIX group name that will be assigned as the
3019           default primary group for all users connecting to this service.
3020           This is useful for sharing files by ensuring that all access to
3021           files on service will use the named group for their permissions
3022           checking. Thus, by assigning permissions for this group to the
3023           files and directories within this service the Samba administrator
3024           can restrict or allow sharing of these files.
3025
3026           In Samba 2.0.5 and above this parameter has extended functionality
3027           in the following way. If the group name listed here has a '+'
3028           character prepended to it then the current user accessing the share
3029           only has the primary group default assigned to this group if they
3030           are already assigned as a member of that group. This allows an
3031           administrator to decide that only users who are already in a
3032           particular group will create files with group ownership set to that
3033           group. This gives a finer granularity of ownership assignment. For
3034           example, the setting force group = +sys means that only users who
3035           are already in group sys will have their default primary group
3036           assigned to sys when accessing this Samba share. All other users
3037           will retain their ordinary primary group.
3038
3039           If the force user parameter is also set the group specified in
3040           force group will override the primary group set in force user.
3041
3042           Default: force group =
3043
3044           Example: force group = agroup
3045
3046       force printername (S)
3047
3048           When printing from Windows NT (or later), each printer in smb.conf
3049           has two associated names which can be used by the client. The first
3050           is the sharename (or shortname) defined in smb.conf. This is the
3051           only printername available for use by Windows 9x clients. The
3052           second name associated with a printer can be seen when browsing to
3053           the "Printers" (or "Printers and Faxes") folder on the Samba
3054           server. This is referred to simply as the printername (not to be
3055           confused with the printer name option).
3056
3057           When assigning a new driver to a printer on a remote Windows
3058           compatible print server such as Samba, the Windows client will
3059           rename the printer to match the driver name just uploaded. This can
3060           result in confusion for users when multiple printers are bound to
3061           the same driver. To prevent Samba from allowing the printer's
3062           printername to differ from the sharename defined in smb.conf, set
3063           force printername = yes.
3064
3065           Be aware that enabling this parameter may affect migrating printers
3066           from a Windows server to Samba since Windows has no way to force
3067           the sharename and printername to match.
3068
3069           It is recommended that this parameter's value not be changed once
3070           the printer is in use by clients as this could cause a user not be
3071           able to delete printer connections from their local Printers
3072           folder.
3073
3074           Default: force printername = no
3075
3076       force security mode (S)
3077
3078           This parameter has been removed for Samba 4.0.0.
3079
3080           No default
3081
3082       force unknown acl user (S)
3083
3084           If this parameter is set, a Windows NT ACL that contains an unknown
3085           SID (security descriptor, or representation of a user or group id)
3086           as the owner or group owner of the file will be silently mapped
3087           into the current UNIX uid or gid of the currently connected user.
3088
3089           This is designed to allow Windows NT clients to copy files and
3090           folders containing ACLs that were created locally on the client
3091           machine and contain users local to that machine only (no domain
3092           users) to be copied to a Samba server (usually with XCOPY /O) and
3093           have the unknown userid and groupid of the file owner map to the
3094           current connected user. This can only be fixed correctly when
3095           winbindd allows arbitrary mapping from any Windows NT SID to a UNIX
3096           uid or gid.
3097
3098           Try using this parameter when XCOPY /O gives an ACCESS_DENIED
3099           error.
3100
3101           Default: force unknown acl user = no
3102
3103       force user (S)
3104
3105           This specifies a UNIX user name that will be assigned as the
3106           default user for all users connecting to this service. This is
3107           useful for sharing files. You should also use it carefully as using
3108           it incorrectly can cause security problems.
3109
3110           This user name only gets used once a connection is established.
3111           Thus clients still need to connect as a valid user and supply a
3112           valid password. Once connected, all file operations will be
3113           performed as the "forced user", no matter what username the client
3114           connected as. This can be very useful.
3115
3116           In Samba 2.0.5 and above this parameter also causes the primary
3117           group of the forced user to be used as the primary group for all
3118           file activity. Prior to 2.0.5 the primary group was left as the
3119           primary group of the connecting user (this was a bug).
3120
3121           Default: force user =
3122
3123           Example: force user = auser
3124
3125       fss: prune stale (G)
3126
3127           When enabled, Samba's File Server Remote VSS Protocol (FSRVP)
3128           server checks all FSRVP initiated snapshots on startup, and removes
3129           any corresponding state (including share definitions) for
3130           nonexistent snapshot paths.
3131
3132           Default: fss: prune stale = no
3133
3134           Example: fss: prune stale = yes
3135
3136       fss: sequence timeout (G)
3137
3138           The File Server Remote VSS Protocol (FSRVP) server includes a
3139           message sequence timer to ensure cleanup on unexpected client
3140           disconnect. This parameter overrides the default timeout between
3141           FSRVP operations. FSRVP timeouts can be completely disabled via a
3142           value of 0.
3143
3144           Default: fss: sequence timeout = 180 or 1800, depending on
3145           operation
3146
3147           Example: fss: sequence timeout = 0
3148
3149       fstype (S)
3150
3151           This parameter allows the administrator to configure the string
3152           that specifies the type of filesystem a share is using that is
3153           reported by smbd(8) when a client queries the filesystem type for a
3154           share. The default type is NTFS for compatibility with Windows NT
3155           but this can be changed to other strings such as Samba or FAT if
3156           required.
3157
3158           Default: fstype = NTFS
3159
3160           Example: fstype = Samba
3161
3162       get quota command (G)
3163
3164           The get quota command should only be used whenever there is no
3165           operating system API available from the OS that samba can use.
3166
3167           This option is only available Samba was compiled with quotas
3168           support.
3169
3170           This parameter should specify the path to a script that queries the
3171           quota information for the specified user/group for the partition
3172           that the specified directory is on.
3173
3174           Such a script is being given 3 arguments:
3175
3176                  ·   directory
3177
3178                  ·   type of query
3179
3180                  ·   uid of user or gid of group
3181
3182           The directory is actually mostly just "." - It needs to be treated
3183           relatively to the current working directory that the script can
3184           also query.
3185
3186           The type of query can be one of:
3187
3188                  ·   1 - user quotas
3189
3190                  ·   2 - user default quotas (uid = -1)
3191
3192                  ·   3 - group quotas
3193
3194                  ·   4 - group default quotas (gid = -1)
3195
3196           This script should print one line as output with spaces between the
3197           columns. The printed columns should be:
3198
3199                  ·   1 - quota flags (0 = no quotas, 1 = quotas enabled, 2 =
3200                      quotas enabled and enforced)
3201
3202                  ·   2 - number of currently used blocks
3203
3204                  ·   3 - the softlimit number of blocks
3205
3206                  ·   4 - the hardlimit number of blocks
3207
3208                  ·   5 - currently used number of inodes
3209
3210                  ·   6 - the softlimit number of inodes
3211
3212                  ·   7 - the hardlimit number of inodes
3213
3214                  ·   8 (optional) - the number of bytes in a block(default is
3215                      1024)
3216
3217           Default: get quota command =
3218
3219           Example: get quota command = /usr/local/sbin/query_quota
3220
3221       getwd cache (G)
3222
3223           This is a tuning option. When this is enabled a caching algorithm
3224           will be used to reduce the time taken for getwd() calls. This can
3225           have a significant impact on performance, especially when the wide
3226           links parameter is set to no.
3227
3228           Default: getwd cache = yes
3229
3230       gpo update command (G)
3231
3232           This option sets the command that is called to apply GPO policies.
3233           The samba-gpupdate script applies System Access and Kerberos
3234           Policies to the KDC. System Access policies set minPwdAge,
3235           maxPwdAge, minPwdLength, and pwdProperties in the samdb. Kerberos
3236           Policies set kdc:service ticket lifetime, kdc:user ticket lifetime,
3237           and kdc:renewal lifetime in smb.conf.
3238
3239           Default: gpo update command =
3240           /builddir/build/BUILD/samba-4.10.4/source4/scripting/bin/samba-gpupdate
3241
3242           Example: gpo update command = /usr/local/sbin/gpoupdate
3243
3244       guest account (G)
3245
3246           This is a username which will be used for access to services which
3247           are specified as guest ok (see below). Whatever privileges this
3248           user has will be available to any client connecting to the guest
3249           service. This user must exist in the password file, but does not
3250           require a valid login. The user account "ftp" is often a good
3251           choice for this parameter.
3252
3253           On some systems the default guest account "nobody" may not be able
3254           to print. Use another account in this case. You should test this by
3255           trying to log in as your guest user (perhaps by using the su -
3256           command) and trying to print using the system print command such as
3257           lpr(1) or lp(1).
3258
3259           This parameter does not accept % macros, because many parts of the
3260           system require this value to be constant for correct operation.
3261
3262           Default: guest account = nobody # default can be changed at
3263           compile-time
3264
3265           Example: guest account = ftp
3266
3267       public
3268
3269           This parameter is a synonym for guest ok.
3270
3271       guest ok (S)
3272
3273           If this parameter is yes for a service, then no password is
3274           required to connect to the service. Privileges will be those of the
3275           guest account.
3276
3277           This parameter nullifies the benefits of setting restrict anonymous
3278           = 2
3279
3280           See the section below on security for more information about this
3281           option.
3282
3283           Default: guest ok = no
3284
3285       only guest
3286
3287           This parameter is a synonym for guest only.
3288
3289       guest only (S)
3290
3291           If this parameter is yes for a service, then only guest connections
3292           to the service are permitted. This parameter will have no effect if
3293           guest ok is not set for the service.
3294
3295           See the section below on security for more information about this
3296           option.
3297
3298           Default: guest only = no
3299
3300       hide dot files (S)
3301
3302           This is a boolean parameter that controls whether files starting
3303           with a dot appear as hidden files.
3304
3305           Default: hide dot files = yes
3306
3307       hide files (S)
3308
3309           This is a list of files or directories that are not visible but are
3310           accessible. The DOS 'hidden' attribute is applied to any files or
3311           directories that match.
3312
3313           Each entry in the list must be separated by a '/', which allows
3314           spaces to be included in the entry. '*' and '?' can be used to
3315           specify multiple files or directories as in DOS wildcards.
3316
3317           Each entry must be a Unix path, not a DOS path and must not include
3318           the Unix directory separator '/'.
3319
3320           Note that the case sensitivity option is applicable in hiding
3321           files.
3322
3323           Setting this parameter will affect the performance of Samba, as it
3324           will be forced to check all files and directories for a match as
3325           they are scanned.
3326
3327           The example shown above is based on files that the Macintosh SMB
3328           client (DAVE) available from Thursby creates for internal use, and
3329           also still hides all files beginning with a dot.
3330
3331           An example of us of this parameter is:
3332
3333               hide files = /.*/DesktopFolderDB/TrashFor%m/resource.frk/
3334
3335           Default: hide files =  # no file are hidden
3336
3337       hide new files timeout (S)
3338
3339           Setting this parameter to something but 0 hides files that have
3340           been modified less than N seconds ago.
3341
3342           It can be used for ingest/process queue style workloads. A
3343           processing application should only see files that are definitely
3344           finished. As many applications do not have proper external workflow
3345           control, this can be a way to make sure processing does not
3346           interfere with file ingest.
3347
3348           Default: hide new files timeout = 0
3349
3350       hide special files (S)
3351
3352           This parameter prevents clients from seeing special files such as
3353           sockets, devices and fifo's in directory listings.
3354
3355           Default: hide special files = no
3356
3357       hide unreadable (S)
3358
3359           This parameter prevents clients from seeing the existence of files
3360           that cannot be read. Defaults to off.
3361
3362           Please note that enabling this can slow down listing large
3363           directories significantly. Samba has to evaluate the ACLs of all
3364           directory members, which can be a lot of effort.
3365
3366           Default: hide unreadable = no
3367
3368       hide unwriteable files (S)
3369
3370           This parameter prevents clients from seeing the existence of files
3371           that cannot be written to. Defaults to off. Note that unwriteable
3372           directories are shown as usual.
3373
3374           Please note that enabling this can slow down listing large
3375           directories significantly. Samba has to evaluate the ACLs of all
3376           directory members, which can be a lot of effort.
3377
3378           Default: hide unwriteable files = no
3379
3380       homedir map (G)
3381
3382           If nis homedir is yes, and smbd(8) is also acting as a Win95/98
3383           logon server then this parameter specifies the NIS (or YP) map from
3384           which the server for the user's home directory should be extracted.
3385           At present, only the Sun auto.home map format is understood. The
3386           form of the map is:
3387
3388               username server:/some/file/system
3389
3390           and the program will extract the servername from before the first
3391           ':'. There should probably be a better parsing system that copes
3392           with different map formats and also Amd (another automounter) maps.
3393
3394               Note
3395               A working NIS client is required on the system for this option
3396               to work.
3397           Default: homedir map =
3398
3399           Example: homedir map = amd.homedir
3400
3401       host msdfs (G)
3402
3403           If set to yes, Samba will act as a Dfs server, and allow Dfs-aware
3404           clients to browse Dfs trees hosted on the server.
3405
3406           See also the msdfs root share level parameter. For more information
3407           on setting up a Dfs tree on Samba, refer to the MSFDS chapter in
3408           the book Samba3-HOWTO.
3409
3410           Default: host msdfs = yes
3411
3412       hostname lookups (G)
3413
3414           Specifies whether samba should use (expensive) hostname lookups or
3415           use the ip addresses instead. An example place where hostname
3416           lookups are currently used is when checking the hosts deny and
3417           hosts allow.
3418
3419           Default: hostname lookups = no
3420
3421           Example: hostname lookups = yes
3422
3423       allow hosts
3424
3425           This parameter is a synonym for hosts allow.
3426
3427       hosts allow (S)
3428
3429           A synonym for this parameter is allow hosts.
3430
3431           This parameter is a comma, space, or tab delimited set of hosts
3432           which are permitted to access a service.
3433
3434           If specified in the [global] section then it will apply to all
3435           services, regardless of whether the individual service has a
3436           different setting.
3437
3438           You can specify the hosts by name or IP number. For example, you
3439           could restrict access to only the hosts on a Class C subnet with
3440           something like allow hosts = 150.203.5.. The full syntax of the
3441           list is described in the man page hosts_access(5). Note that this
3442           man page may not be present on your system, so a brief description
3443           will be given here also.
3444
3445           Note that the localhost address 127.0.0.1 will always be allowed
3446           access unless specifically denied by a hosts deny option.
3447
3448           You can also specify hosts by network/netmask pairs and by netgroup
3449           names if your system supports netgroups. The EXCEPT keyword can
3450           also be used to limit a wildcard list. The following examples may
3451           provide some help:
3452
3453           Example 1: allow all IPs in 150.203.*.*; except one
3454
3455           hosts allow = 150.203. EXCEPT 150.203.6.66
3456
3457           Example 2: allow hosts that match the given network/netmask
3458
3459           hosts allow = 150.203.15.0/255.255.255.0
3460
3461           Example 3: allow a couple of hosts
3462
3463           hosts allow = lapland, arvidsjaur
3464
3465           Example 4: allow only hosts in NIS netgroup "foonet", but deny
3466           access from one particular host
3467
3468           hosts allow = @foonet
3469
3470           hosts deny = pirate
3471
3472               Note
3473               Note that access still requires suitable user-level passwords.
3474           See testparm(1) for a way of testing your host access to see if it
3475           does what you expect.
3476
3477           Default: hosts allow =  # none (i.e., all hosts permitted access)
3478
3479           Example: hosts allow = 150.203.5. myhost.mynet.edu.au
3480
3481       deny hosts
3482
3483           This parameter is a synonym for hosts deny.
3484
3485       hosts deny (S)
3486
3487           The opposite of hosts allow - hosts listed here are NOT permitted
3488           access to services unless the specific services have their own
3489           lists to override this one. Where the lists conflict, the allow
3490           list takes precedence.
3491
3492           In the event that it is necessary to deny all by default, use the
3493           keyword ALL (or the netmask 0.0.0.0/0) and then explicitly specify
3494           to the hosts allow = hosts allow parameter those hosts that should
3495           be permitted access.
3496
3497           Default: hosts deny =  # none (i.e., no hosts specifically
3498           excluded)
3499
3500           Example: hosts deny = 150.203.4. badhost.mynet.edu.au
3501
3502       idmap backend (G)
3503
3504           The idmap backend provides a plugin interface for Winbind to use
3505           varying backends to store SID/uid/gid mapping tables.
3506
3507           This option specifies the default backend that is used when no
3508           special configuration set, but it is now deprecated in favour of
3509           the new spelling idmap config * : backend.
3510
3511           Default: idmap backend = tdb
3512
3513       idmap cache time (G)
3514
3515           This parameter specifies the number of seconds that Winbind's idmap
3516           interface will cache positive SID/uid/gid query results. By
3517           default, Samba will cache these results for one week.
3518
3519           Default: idmap cache time = 604800
3520
3521       idmap config DOMAIN : OPTION (G)
3522
3523           ID mapping in Samba is the mapping between Windows SIDs and Unix
3524           user and group IDs. This is performed by Winbindd with a
3525           configurable plugin interface. Samba's ID mapping is configured by
3526           options starting with the idmap config prefix. An idmap option
3527           consists of the idmap config prefix, followed by a domain name or
3528           the asterisk character (*), a colon, and the name of an idmap
3529           setting for the chosen domain.
3530
3531           The idmap configuration is hence divided into groups, one group for
3532           each domain to be configured, and one group with the asterisk
3533           instead of a proper domain name, which specifies the default
3534           configuration that is used to catch all domains that do not have an
3535           explicit idmap configuration of their own.
3536
3537           There are three general options available:
3538
3539           backend = backend_name
3540               This specifies the name of the idmap plugin to use as the
3541               SID/uid/gid backend for this domain. The standard backends are
3542               tdb (idmap_tdb(8)), tdb2 (idmap_tdb2(8)), ldap (idmap_ldap(8)),
3543               rid (idmap_rid(8)), hash (idmap_hash(8)), autorid
3544               (idmap_autorid(8)), ad (idmap_ad(8)) and nss (idmap_nss(8)).
3545               The corresponding manual pages contain the details, but here is
3546               a summary.
3547
3548               The first three of these create mappings of their own using
3549               internal unixid counters and store the mappings in a database.
3550               These are suitable for use in the default idmap configuration.
3551               The rid and hash backends use a pure algorithmic calculation to
3552               determine the unixid for a SID. The autorid module is a mixture
3553               of the tdb and rid backend. It creates ranges for each domain
3554               encountered and then uses the rid algorithm for each of these
3555               automatically configured domains individually. The ad backend
3556               uses unix ids stored in Active Directory via the standard
3557               schema extensions. The nss backend reverses the standard
3558               winbindd setup and gets the unix ids via names from nsswitch
3559               which can be useful in an ldap setup.
3560
3561           range = low - high
3562               Defines the available matching uid and gid range for which the
3563               backend is authoritative. For allocating backends, this also
3564               defines the start and the end of the range for allocating new
3565               unique IDs.
3566
3567               winbind uses this parameter to find the backend that is
3568               authoritative for a unix ID to SID mapping, so it must be set
3569               for each individually configured domain and for the default
3570               configuration. The configured ranges must be mutually disjoint.
3571
3572           read only = yes|no
3573               This option can be used to turn the writing backends tdb, tdb2,
3574               and ldap into read only mode. This can be useful e.g. in cases
3575               where a pre-filled database exists that should not be extended
3576               automatically.
3577
3578           The following example illustrates how to configure the idmap_ad(8)
3579           backend for the CORP domain and the idmap_tdb(8) backend for all
3580           other domains. This configuration assumes that the admin of CORP
3581           assigns unix ids below 1000000 via the SFU extensions, and winbind
3582           is supposed to use the next million entries for its own mappings
3583           from trusted domains and for local groups for example.
3584
3585                    idmap config * : backend = tdb
3586                    idmap config * : range = 1000000-1999999
3587
3588                    idmap config CORP : backend  = ad
3589                    idmap config CORP : range = 1000-999999
3590
3591
3592           No default
3593
3594       winbind gid
3595
3596           This parameter is a synonym for idmap gid.
3597
3598       idmap gid (G)
3599
3600           The idmap gid parameter specifies the range of group ids for the
3601           default idmap configuration. It is now deprecated in favour of
3602           idmap config * : range.
3603
3604           See the idmap config option.
3605
3606           Default: idmap gid =
3607
3608           Example: idmap gid = 10000-20000
3609
3610       idmap negative cache time (G)
3611
3612           This parameter specifies the number of seconds that Winbind's idmap
3613           interface will cache negative SID/uid/gid query results.
3614
3615           Default: idmap negative cache time = 120
3616
3617       winbind uid
3618
3619           This parameter is a synonym for idmap uid.
3620
3621       idmap uid (G)
3622
3623           The idmap uid parameter specifies the range of user ids for the
3624           default idmap configuration. It is now deprecated in favour of
3625           idmap config * : range.
3626
3627           See the idmap config option.
3628
3629           Default: idmap uid =
3630
3631           Example: idmap uid = 10000-20000
3632
3633       include (S)
3634
3635           This allows you to include one config file inside another. The file
3636           is included literally, as though typed in place.
3637
3638           It takes the standard substitutions, except %u, %P and %S.
3639
3640           The parameter include = registry has a special meaning: It does not
3641           include a file named registry from the current working directory,
3642           but instead reads the global configuration options from the
3643           registry. See the section on registry-based configuration for
3644           details. Note that this option automatically activates registry
3645           shares.
3646
3647           Default: include =
3648
3649           Example: include = /usr/local/samba/lib/admin_smb.conf
3650
3651       include system krb5 conf (G)
3652
3653           Setting this parameter to no will prevent winbind to include the
3654           system /etc/krb5.conf file into the krb5.conf file it creates. See
3655           also create krb5 conf. This option only applies to Samba built with
3656           MIT Kerberos.
3657
3658           Default: include system krb5 conf = yes
3659
3660       inherit acls (S)
3661
3662           This parameter can be used to ensure that if default acls exist on
3663           parent directories, they are always honored when creating a new
3664           file or subdirectory in these parent directories. The default
3665           behavior is to use the unix mode specified when creating the
3666           directory. Enabling this option sets the unix mode to 0777, thus
3667           guaranteeing that default directory acls are propagated. Note that
3668           using the VFS modules acl_xattr or acl_tdb which store native
3669           Windows as meta-data will automatically turn this option on for any
3670           share for which they are loaded, as they require this option to
3671           emulate Windows ACLs correctly.
3672
3673           Default: inherit acls = no
3674
3675       inherit owner (S)
3676
3677           The ownership of new files and directories is normally governed by
3678           effective uid of the connected user. This option allows the Samba
3679           administrator to specify that the ownership for new files and
3680           directories should be controlled by the ownership of the parent
3681           directory.
3682
3683           Valid options are:
3684
3685                  ·   no - Both the Windows (SID) owner and the UNIX (uid)
3686                      owner of the file are governed by the identity of the
3687                      user that created the file.
3688
3689                  ·   windows and unix - The Windows (SID) owner and the UNIX
3690                      (uid) owner of new files and directories are set to the
3691                      respective owner of the parent directory.
3692
3693                  ·   yes - a synonym for windows and unix.
3694
3695                  ·   unix only - Only the UNIX owner is set to the UNIX owner
3696                      of the parent directory.
3697
3698           Common scenarios where this behavior is useful is in implementing
3699           drop-boxes, where users can create and edit files but not delete
3700           them and ensuring that newly created files in a user's roaming
3701           profile directory are actually owned by the user.
3702
3703           The unix only option effectively breaks the tie between the Windows
3704           owner of a file and the UNIX owner. As a logical consequence, in
3705           this mode, setting the the Windows owner of a file does not modify
3706           the UNIX owner. Using this mode should typically be combined with a
3707           backing store that can emulate the full NT ACL model without
3708           affecting the POSIX permissions, such as the acl_xattr VFS module,
3709           coupled with acl_xattr:ignore system acls = yes. This can be used
3710           to emulate folder quotas, when files are exposed only via SMB
3711           (without UNIX extensions). The UNIX owner of a directory is locally
3712           set and inherited by all subdirectories and files, and they all
3713           consume the same quota.
3714
3715           Default: inherit owner = no
3716
3717       inherit permissions (S)
3718
3719           The permissions on new files and directories are normally governed
3720           by create mask, directory mask, force create mode and force
3721           directory mode but the boolean inherit permissions parameter
3722           overrides this.
3723
3724           New directories inherit the mode of the parent directory, including
3725           bits such as setgid.
3726
3727           New files inherit their read/write bits from the parent directory.
3728           Their execute bits continue to be determined by map archive, map
3729           hidden and map system as usual.
3730
3731           Note that the setuid bit is never set via inheritance (the code
3732           explicitly prohibits this).
3733
3734           This can be particularly useful on large systems with many users,
3735           perhaps several thousand, to allow a single [homes] share to be
3736           used flexibly by each user.
3737
3738           Default: inherit permissions = no
3739
3740       init logon delay (G)
3741
3742           This parameter specifies a delay in milliseconds for the hosts
3743           configured for delayed initial samlogon with init logon delayed
3744           hosts.
3745
3746           Default: init logon delay = 100
3747
3748       init logon delayed hosts (G)
3749
3750           This parameter takes a list of host names, addresses or networks
3751           for which the initial samlogon reply should be delayed (so other
3752           DCs get preferred by XP workstations if there are any).
3753
3754           The length of the delay can be specified with the init logon delay
3755           parameter.
3756
3757           Default: init logon delayed hosts =
3758
3759           Example: init logon delayed hosts = 150.203.5. myhost.mynet.de
3760
3761       interfaces (G)
3762
3763           This option allows you to override the default network interfaces
3764           list that Samba will use for browsing, name registration and other
3765           NetBIOS over TCP/IP (NBT) traffic. By default Samba will query the
3766           kernel for the list of all active interfaces and use any interfaces
3767           except 127.0.0.1 that are broadcast capable.
3768
3769           The option takes a list of interface strings. Each string can be in
3770           any of the following forms:
3771
3772                  ·   a network interface name (such as eth0). This may
3773                      include shell-like wildcards so eth* will match any
3774                      interface starting with the substring "eth"
3775
3776                  ·   an IP address. In this case the netmask is determined
3777                      from the list of interfaces obtained from the kernel
3778
3779                  ·   an IP/mask pair.
3780
3781                  ·   a broadcast/mask pair.
3782
3783           The "mask" parameters can either be a bit length (such as 24 for a
3784           C class network) or a full netmask in dotted decimal form.
3785
3786           The "IP" parameters above can either be a full dotted decimal IP
3787           address or a hostname which will be looked up via the OS's normal
3788           hostname resolution mechanisms.
3789
3790           By default Samba enables all active interfaces that are broadcast
3791           capable except the loopback adaptor (IP address 127.0.0.1).
3792
3793           In order to support SMB3 multi-channel configurations, smbd
3794           understands some extra data that can be appended after the actual
3795           interface with this extended syntax:
3796
3797           interface[;key1=value1[,key2=value2[...]]]
3798
3799           Known keys are speed, capability, and if_index. Speed is specified
3800           in bits per second. Known capabilities are RSS and RDMA. The
3801           if_index should be used with care: the values must not coincide
3802           with indexes used by the kernel. Note that these options are mainly
3803           intended for testing and development rather than for production
3804           use. At least on Linux systems, these values should be
3805           auto-detected, but the settings can serve as last a resort when
3806           autodetection is not working or is not available.
3807
3808           The example below configures three network interfaces corresponding
3809           to the eth0 device and IP addresses 192.168.2.10 and 192.168.3.10.
3810           The netmasks of the latter two interfaces would be set to
3811           255.255.255.0.
3812
3813           Default: interfaces =
3814
3815           Example: interfaces = eth0 192.168.2.10/24
3816           192.168.3.10/255.255.255.0
3817
3818       invalid users (S)
3819
3820           This is a list of users that should not be allowed to login to this
3821           service. This is really a paranoid check to absolutely ensure an
3822           improper setting does not breach your security.
3823
3824           A name starting with a '@' is interpreted as an NIS netgroup first
3825           (if your system supports NIS), and then as a UNIX group if the name
3826           was not found in the NIS netgroup database.
3827
3828           A name starting with '+' is interpreted only by looking in the UNIX
3829           group database via the NSS getgrnam() interface. A name starting
3830           with '&' is interpreted only by looking in the NIS netgroup
3831           database (this requires NIS to be working on your system). The
3832           characters '+' and '&' may be used at the start of the name in
3833           either order so the value +&group means check the UNIX group
3834           database, followed by the NIS netgroup database, and the value
3835           &+group means check the NIS netgroup database, followed by the UNIX
3836           group database (the same as the '@' prefix).
3837
3838           The current servicename is substituted for %S. This is useful in
3839           the [homes] section.
3840
3841           Default: invalid users =  # no invalid users
3842
3843           Example: invalid users = root fred admin @wheel
3844
3845       iprint server (G)
3846
3847           This parameter is only applicable if printing is set to iprint.
3848
3849           If set, this option overrides the ServerName option in the CUPS
3850           client.conf. This is necessary if you have virtual samba servers
3851           that connect to different CUPS daemons.
3852
3853           Default: iprint server = ""
3854
3855           Example: iprint server = MYCUPSSERVER
3856
3857       keepalive (G)
3858
3859           The value of the parameter (an integer) represents the number of
3860           seconds between keepalive packets. If this parameter is zero, no
3861           keepalive packets will be sent. Keepalive packets, if sent, allow
3862           the server to tell whether a client is still present and
3863           responding.
3864
3865           Keepalives should, in general, not be needed if the socket has the
3866           SO_KEEPALIVE attribute set on it by default. (see socket options).
3867           Basically you should only use this option if you strike
3868           difficulties.
3869
3870           Please note this option only applies to SMB1 client connections,
3871           and has no effect on SMB2 clients.
3872
3873           Default: keepalive = 300
3874
3875           Example: keepalive = 600
3876
3877       kerberos encryption types (G)
3878
3879           This parameter determines the encryption types to use when
3880           operating as a Kerberos client. Possible values are all, strong,
3881           and legacy.
3882
3883           Samba uses a Kerberos library (MIT or Heimdal) to obtain Kerberos
3884           tickets. This library is normally configured outside of Samba,
3885           using the krb5.conf file. This file may also include directives to
3886           configure the encryption types to be used. However, Samba
3887           implements Active Directory protocols and algorithms to locate a
3888           domain controller. In order to force the Kerberos library into
3889           using the correct domain controller, some Samba processes, such as
3890           winbindd(8) and net(8), build a private krb5.conf file for use by
3891           the Kerberos library while being invoked from Samba. This private
3892           file controls all aspects of the Kerberos library operation, and
3893           this parameter controls how the encryption types are configured
3894           within this generated file, and therefore also controls the
3895           encryption types negotiable by Samba.
3896
3897           When set to all, all active directory encryption types are allowed.
3898
3899           When set to strong, only AES-based encryption types are offered.
3900           This can be used in hardened environments to prevent downgrade
3901           attacks.
3902
3903           When set to legacy, only RC4-HMAC-MD5 is allowed. Avoiding AES this
3904           way has one a very specific use. Normally, the encryption type is
3905           negotiated between the peers. However, there is one scenario in
3906           which a Windows read-only domain controller (RODC) advertises AES
3907           encryption, but then proxies the request to a writeable DC which
3908           may not support AES encryption, leading to failure of the
3909           handshake. Setting this parameter to legacy would cause samba not
3910           to negotiate AES encryption. It is assumed of course that the
3911           weaker legacy encryption types are acceptable for the setup.
3912
3913           Default: kerberos encryption types = all
3914
3915       kerberos method (G)
3916
3917           Controls how kerberos tickets are verified.
3918
3919           Valid options are:
3920
3921                  ·   secrets only - use only the secrets.tdb for ticket
3922                      verification (default)
3923
3924                  ·   system keytab - use only the system keytab for ticket
3925                      verification
3926
3927                  ·   dedicated keytab - use a dedicated keytab for ticket
3928                      verification
3929
3930                  ·   secrets and keytab - use the secrets.tdb first, then the
3931                      system keytab
3932
3933           The major difference between "system keytab" and "dedicated keytab"
3934           is that the latter method relies on kerberos to find the correct
3935           keytab entry instead of filtering based on expected principals.
3936
3937           When the kerberos method is in "dedicated keytab" mode, dedicated
3938           keytab file must be set to specify the location of the keytab file.
3939
3940           Default: kerberos method = default
3941
3942       kernel change notify (G)
3943
3944           This parameter specifies whether Samba should ask the kernel for
3945           change notifications in directories so that SMB clients can refresh
3946           whenever the data on the server changes.
3947
3948           This parameter is only used when your kernel supports change
3949           notification to user programs using the inotify interface.
3950
3951           Default: kernel change notify = yes
3952
3953       kernel oplocks (S)
3954
3955           For UNIXes that support kernel based oplocks (currently only
3956           Linux), this parameter allows the use of them to be turned on or
3957           off. However, this disables Level II oplocks for clients as the
3958           Linux kernel does not support them properly.
3959
3960           Kernel oplocks support allows Samba oplocks to be broken whenever a
3961           local UNIX process or NFS operation accesses a file that smbd(8)
3962           has oplocked. This allows complete data consistency between
3963           SMB/CIFS, NFS and local file access (and is a very cool feature
3964           :-).
3965
3966           If you do not need this interaction, you should disable the
3967           parameter on Linux to get Level II oplocks and the associated
3968           performance benefit.
3969
3970           This parameter defaults to no and is translated to a no-op on
3971           systems that do not have the necessary kernel support.
3972
3973           Default: kernel oplocks = no
3974
3975       kernel share modes (S)
3976
3977           This parameter controls whether SMB share modes are translated into
3978           UNIX flocks.
3979
3980           Kernel share modes provide a minimal level of interoperability with
3981           local UNIX processes and NFS operations by preventing access with
3982           flocks corresponding to the SMB share modes. Generally, it is very
3983           desirable to leave this enabled.
3984
3985           Note that in order to use SMB2 durable file handles on a share, you
3986           have to turn kernel share modes off.
3987
3988           This parameter defaults to yes and is translated to a no-op on
3989           systems that do not have the necessary kernel flock support.
3990
3991           Default: kernel share modes = yes
3992
3993       kpasswd port (G)
3994
3995           Specifies which ports the Kerberos server should listen on for
3996           password changes.
3997
3998           Default: kpasswd port = 464
3999
4000       krb5 port (G)
4001
4002           Specifies which port the KDC should listen on for Kerberos traffic.
4003
4004           Default: krb5 port = 88
4005
4006       lanman auth (G)
4007
4008           This parameter determines whether or not smbd(8) will attempt to
4009           authenticate users or permit password changes using the LANMAN
4010           password hash. If disabled, only clients which support NT password
4011           hashes (e.g. Windows NT/2000 clients, smbclient, but not Windows
4012           95/98 or the MS DOS network client) will be able to connect to the
4013           Samba host.
4014
4015           The LANMAN encrypted response is easily broken, due to its
4016           case-insensitive nature, and the choice of algorithm. Servers
4017           without Windows 95/98/ME or MS DOS clients are advised to disable
4018           this option.
4019
4020           When this parameter is set to no this will also result in
4021           sambaLMPassword in Samba's passdb being blanked after the next
4022           password change. As a result of that lanman clients won't be able
4023           to authenticate, even if lanman auth is re-enabled later on.
4024
4025           Unlike the encrypt passwords option, this parameter cannot alter
4026           client behaviour, and the LANMAN response will still be sent over
4027           the network. See the client lanman auth to disable this for Samba's
4028           clients (such as smbclient)
4029
4030           If this option, and ntlm auth are both disabled, then only NTLMv2
4031           logins will be permited. Not all clients support NTLMv2, and most
4032           will require special configuration to use it.
4033
4034           Default: lanman auth = no
4035
4036       large readwrite (G)
4037
4038           This parameter determines whether or not smbd(8) supports the new
4039           64k streaming read and write variant SMB requests introduced with
4040           Windows 2000. Note that due to Windows 2000 client redirector bugs
4041           this requires Samba to be running on a 64-bit capable operating
4042           system such as IRIX, Solaris or a Linux 2.4 kernel. Can improve
4043           performance by 10% with Windows 2000 clients. Defaults to on. Not
4044           as tested as some other Samba code paths.
4045
4046           Default: large readwrite = yes
4047
4048       ldap admin dn (G)
4049
4050           The ldap admin dn defines the Distinguished Name (DN) name used by
4051           Samba to contact the ldap server when retreiving user account
4052           information. The ldap admin dn is used in conjunction with the
4053           admin dn password stored in the private/secrets.tdb file. See the
4054           smbpasswd(8) man page for more information on how to accomplish
4055           this.
4056
4057           The ldap admin dn requires a fully specified DN. The ldap suffix is
4058           not appended to the ldap admin dn.
4059
4060           No default
4061
4062       ldap connection timeout (G)
4063
4064           This parameter tells the LDAP library calls which timeout in
4065           seconds they should honor during initial connection establishments
4066           to LDAP servers. It is very useful in failover scenarios in
4067           particular. If one or more LDAP servers are not reachable at all,
4068           we do not have to wait until TCP timeouts are over. This feature
4069           must be supported by your LDAP library.
4070
4071           This parameter is different from ldap timeout which affects
4072           operations on LDAP servers using an existing connection and not
4073           establishing an initial connection.
4074
4075           Default: ldap connection timeout = 2
4076
4077       ldap debug level (G)
4078
4079           This parameter controls the debug level of the LDAP library calls.
4080           In the case of OpenLDAP, it is the same bit-field as understood by
4081           the server and documented in the slapd.conf(5) manpage. A typical
4082           useful value will be 1 for tracing function calls.
4083
4084           The debug output from the LDAP libraries appears with the prefix
4085           [LDAP] in Samba's logging output. The level at which LDAP logging
4086           is printed is controlled by the parameter ldap debug threshold.
4087
4088           Default: ldap debug level = 0
4089
4090           Example: ldap debug level = 1
4091
4092       ldap debug threshold (G)
4093
4094           This parameter controls the Samba debug level at which the ldap
4095           library debug output is printed in the Samba logs. See the
4096           description of ldap debug level for details.
4097
4098           Default: ldap debug threshold = 10
4099
4100           Example: ldap debug threshold = 5
4101
4102       ldap delete dn (G)
4103
4104           This parameter specifies whether a delete operation in the ldapsam
4105           deletes the complete entry or only the attributes specific to
4106           Samba.
4107
4108           Default: ldap delete dn = no
4109
4110       ldap deref (G)
4111
4112           This option controls whether Samba should tell the LDAP library to
4113           use a certain alias dereferencing method. The default is auto,
4114           which means that the default setting of the ldap client library
4115           will be kept. Other possible values are never, finding, searching
4116           and always. Grab your LDAP manual for more information.
4117
4118           Default: ldap deref = auto
4119
4120           Example: ldap deref = searching
4121
4122       ldap follow referral (G)
4123
4124           This option controls whether to follow LDAP referrals or not when
4125           searching for entries in the LDAP database. Possible values are on
4126           to enable following referrals, off to disable this, and auto, to
4127           use the libldap default settings. libldap's choice of following
4128           referrals or not is set in /etc/openldap/ldap.conf with the
4129           REFERRALS parameter as documented in ldap.conf(5).
4130
4131           Default: ldap follow referral = auto
4132
4133           Example: ldap follow referral = off
4134
4135       ldap group suffix (G)
4136
4137           This parameter specifies the suffix that is used for groups when
4138           these are added to the LDAP directory. If this parameter is unset,
4139           the value of ldap suffix will be used instead. The suffix string is
4140           pre-pended to the ldap suffix string so use a partial DN.
4141
4142           Default: ldap group suffix =
4143
4144           Example: ldap group suffix = ou=Groups
4145
4146       ldap idmap suffix (G)
4147
4148           This parameters specifies the suffix that is used when storing
4149           idmap mappings. If this parameter is unset, the value of ldap
4150           suffix will be used instead. The suffix string is pre-pended to the
4151           ldap suffix string so use a partial DN.
4152
4153           Default: ldap idmap suffix =
4154
4155           Example: ldap idmap suffix = ou=Idmap
4156
4157       ldap machine suffix (G)
4158
4159           It specifies where machines should be added to the ldap tree. If
4160           this parameter is unset, the value of ldap suffix will be used
4161           instead. The suffix string is pre-pended to the ldap suffix string
4162           so use a partial DN.
4163
4164           Default: ldap machine suffix =
4165
4166           Example: ldap machine suffix = ou=Computers
4167
4168       ldap page size (G)
4169
4170           This parameter specifies the number of entries per page.
4171
4172           If the LDAP server supports paged results, clients can request
4173           subsets of search results (pages) instead of the entire list. This
4174           parameter specifies the size of these pages.
4175
4176           Default: ldap page size = 1000
4177
4178           Example: ldap page size = 512
4179
4180       ldap password sync
4181
4182           This parameter is a synonym for ldap passwd sync.
4183
4184       ldap passwd sync (G)
4185
4186           This option is used to define whether or not Samba should sync the
4187           LDAP password with the NT and LM hashes for normal accounts (NOT
4188           for workstation, server or domain trusts) on a password change via
4189           SAMBA.
4190
4191           The ldap passwd sync can be set to one of three values:
4192
4193                  ·   Yes = Try to update the LDAP, NT and LM passwords and
4194                      update the pwdLastSet time.
4195
4196                  ·   No = Update NT and LM passwords and update the
4197                      pwdLastSet time.
4198
4199                  ·   Only = Only update the LDAP password and let the LDAP
4200                      server do the rest.
4201
4202           Default: ldap passwd sync = no
4203
4204       ldap replication sleep (G)
4205
4206           When Samba is asked to write to a read-only LDAP replica, we are
4207           redirected to talk to the read-write master server. This server
4208           then replicates our changes back to the 'local' server, however the
4209           replication might take some seconds, especially over slow links.
4210           Certain client activities, particularly domain joins, can become
4211           confused by the 'success' that does not immediately change the LDAP
4212           back-end's data.
4213
4214           This option simply causes Samba to wait a short time, to allow the
4215           LDAP server to catch up. If you have a particularly high-latency
4216           network, you may wish to time the LDAP replication with a network
4217           sniffer, and increase this value accordingly. Be aware that no
4218           checking is performed that the data has actually replicated.
4219
4220           The value is specified in milliseconds, the maximum value is 5000
4221           (5 seconds).
4222
4223           Default: ldap replication sleep = 1000
4224
4225       ldapsam:editposix (G)
4226
4227           Editposix is an option that leverages ldapsam:trusted to make it
4228           simpler to manage a domain controller eliminating the need to set
4229           up custom scripts to add and manage the posix users and groups.
4230           This option will instead directly manipulate the ldap tree to
4231           create, remove and modify user and group entries. This option also
4232           requires a running winbindd as it is used to allocate new uids/gids
4233           on user/group creation. The allocation range must be therefore
4234           configured.
4235
4236           To use this option, a basic ldap tree must be provided and the ldap
4237           suffix parameters must be properly configured. On virgin servers
4238           the default users and groups (Administrator, Guest, Domain Users,
4239           Domain Admins, Domain Guests) can be precreated with the command
4240           net sam provision. To run this command the ldap server must be
4241           running, Winbindd must be running and the smb.conf ldap options
4242           must be properly configured. The typical ldap setup used with the
4243           ldapsam:trusted = yes option is usually sufficient to use
4244           ldapsam:editposix = yes as well.
4245
4246           An example configuration can be the following:
4247
4248                    encrypt passwords = true
4249                    passdb backend = ldapsam
4250
4251                    ldapsam:trusted=yes
4252                    ldapsam:editposix=yes
4253
4254                    ldap admin dn = cn=admin,dc=samba,dc=org
4255                    ldap delete dn = yes
4256                    ldap group suffix = ou=groups
4257                    ldap idmap suffix = ou=idmap
4258                    ldap machine suffix = ou=computers
4259                    ldap user suffix = ou=users
4260                    ldap suffix = dc=samba,dc=org
4261
4262                    idmap backend = ldap:"ldap://localhost"
4263
4264                    idmap uid = 5000-50000
4265                    idmap gid = 5000-50000
4266
4267
4268           This configuration assumes a directory layout like described in the
4269           following ldif:
4270
4271                    dn: dc=samba,dc=org
4272                    objectClass: top
4273                    objectClass: dcObject
4274                    objectClass: organization
4275                    o: samba.org
4276                    dc: samba
4277
4278                    dn: cn=admin,dc=samba,dc=org
4279                    objectClass: simpleSecurityObject
4280                    objectClass: organizationalRole
4281                    cn: admin
4282                    description: LDAP administrator
4283                    userPassword: secret
4284
4285                    dn: ou=users,dc=samba,dc=org
4286                    objectClass: top
4287                    objectClass: organizationalUnit
4288                    ou: users
4289
4290                    dn: ou=groups,dc=samba,dc=org
4291                    objectClass: top
4292                    objectClass: organizationalUnit
4293                    ou: groups
4294
4295                    dn: ou=idmap,dc=samba,dc=org
4296                    objectClass: top
4297                    objectClass: organizationalUnit
4298                    ou: idmap
4299
4300                    dn: ou=computers,dc=samba,dc=org
4301                    objectClass: top
4302                    objectClass: organizationalUnit
4303                    ou: computers
4304
4305
4306           Default: ldapsam:editposix = no
4307
4308       ldapsam:trusted (G)
4309
4310           By default, Samba as a Domain Controller with an LDAP backend needs
4311           to use the Unix-style NSS subsystem to access user and group
4312           information. Due to the way Unix stores user information in
4313           /etc/passwd and /etc/group this inevitably leads to inefficiencies.
4314           One important question a user needs to know is the list of groups
4315           he is member of. The plain UNIX model involves a complete
4316           enumeration of the file /etc/group and its NSS counterparts in
4317           LDAP. UNIX has optimized functions to enumerate group membership.
4318           Sadly, other functions that are used to deal with user and group
4319           attributes lack such optimization.
4320
4321           To make Samba scale well in large environments, the ldapsam:trusted
4322           = yes option assumes that the complete user and group database that
4323           is relevant to Samba is stored in LDAP with the standard
4324           posixAccount/posixGroup attributes. It further assumes that the
4325           Samba auxiliary object classes are stored together with the POSIX
4326           data in the same LDAP object. If these assumptions are met,
4327           ldapsam:trusted = yes can be activated and Samba can bypass the NSS
4328           system to query user group memberships. Optimized LDAP queries can
4329           greatly speed up domain logon and administration tasks. Depending
4330           on the size of the LDAP database a factor of 100 or more for common
4331           queries is easily achieved.
4332
4333           Default: ldapsam:trusted = no
4334
4335       ldap server require strong auth (G)
4336
4337           The ldap server require strong auth defines whether the ldap server
4338           requires ldap traffic to be signed or signed and encrypted
4339           (sealed). Possible values are no, allow_sasl_over_tls and yes.
4340
4341           A value of no allows simple and sasl binds over all transports.
4342
4343           A value of allow_sasl_over_tls allows simple and sasl binds
4344           (without sign or seal) over TLS encrypted connections. Unencrypted
4345           connections only allow sasl binds with sign or seal.
4346
4347           A value of yes allows only simple binds over TLS encrypted
4348           connections. Unencrypted connections only allow sasl binds with
4349           sign or seal.
4350
4351           Default: ldap server require strong auth = yes
4352
4353       ldap ssl (G)
4354
4355           This option is used to define whether or not Samba should use SSL
4356           when connecting to the ldap server This is NOT related to Samba's
4357           previous SSL support which was enabled by specifying the --with-ssl
4358           option to the configure script.
4359
4360           LDAP connections should be secured where possible. This may be done
4361           setting either this parameter to start tls or by specifying
4362           ldaps:// in the URL argument of passdb backend.
4363
4364           The ldap ssl can be set to one of two values:
4365
4366                  ·   Off = Never use SSL when querying the directory.
4367
4368                  ·   start tls = Use the LDAPv3 StartTLS extended operation
4369                      (RFC2830) for communicating with the directory server.
4370
4371           Please note that this parameter does only affect rpc methods. To
4372           enable the LDAPv3 StartTLS extended operation (RFC2830) for ads,
4373           set ldap ssl = start tls and ldap ssl ads = yes. See smb.conf(5)
4374           for more information on ldap ssl ads.
4375
4376           Default: ldap ssl = start tls
4377
4378       ldap ssl ads (G)
4379
4380           This option is used to define whether or not Samba should use SSL
4381           when connecting to the ldap server using ads methods. Rpc methods
4382           are not affected by this parameter. Please note, that this
4383           parameter won't have any effect if ldap ssl is set to no.
4384
4385           See smb.conf(5) for more information on ldap ssl.
4386
4387           Default: ldap ssl ads = no
4388
4389       ldap suffix (G)
4390
4391           Specifies the base for all ldap suffixes and for storing the
4392           sambaDomain object.
4393
4394           The ldap suffix will be appended to the values specified for the
4395           ldap user suffix, ldap group suffix, ldap machine suffix, and the
4396           ldap idmap suffix. Each of these should be given only a DN relative
4397           to the ldap suffix.
4398
4399           Default: ldap suffix =
4400
4401           Example: ldap suffix = dc=samba,dc=org
4402
4403       ldap timeout (G)
4404
4405           This parameter defines the number of seconds that Samba should use
4406           as timeout for LDAP operations.
4407
4408           Default: ldap timeout = 15
4409
4410       ldap user suffix (G)
4411
4412           This parameter specifies where users are added to the tree. If this
4413           parameter is unset, the value of ldap suffix will be used instead.
4414           The suffix string is pre-pended to the ldap suffix string so use a
4415           partial DN.
4416
4417           Default: ldap user suffix =
4418
4419           Example: ldap user suffix = ou=people
4420
4421       level2 oplocks (S)
4422
4423           This parameter controls whether Samba supports level2 (read-only)
4424           oplocks on a share.
4425
4426           Level2, or read-only oplocks allow Windows NT clients that have an
4427           oplock on a file to downgrade from a read-write oplock to a
4428           read-only oplock once a second client opens the file (instead of
4429           releasing all oplocks on a second open, as in traditional,
4430           exclusive oplocks). This allows all openers of the file that
4431           support level2 oplocks to cache the file for read-ahead only (ie.
4432           they may not cache writes or lock requests) and increases
4433           performance for many accesses of files that are not commonly
4434           written (such as application .EXE files).
4435
4436           Once one of the clients which have a read-only oplock writes to the
4437           file all clients are notified (no reply is needed or waited for)
4438           and told to break their oplocks to "none" and delete any read-ahead
4439           caches.
4440
4441           It is recommended that this parameter be turned on to speed access
4442           to shared executables.
4443
4444           For more discussions on level2 oplocks see the CIFS spec.
4445
4446           Currently, if kernel oplocks are supported then level2 oplocks are
4447           not granted (even if this parameter is set to yes). Note also, the
4448           oplocks parameter must be set to yes on this share in order for
4449           this parameter to have any effect.
4450
4451           Default: level2 oplocks = yes
4452
4453       lm announce (G)
4454
4455           This parameter determines if nmbd(8) will produce Lanman announce
4456           broadcasts that are needed by OS/2 clients in order for them to see
4457           the Samba server in their browse list. This parameter can have
4458           three values, yes, no, or auto. The default is auto. If set to no
4459           Samba will never produce these broadcasts. If set to yes Samba will
4460           produce Lanman announce broadcasts at a frequency set by the
4461           parameter lm interval. If set to auto Samba will not send Lanman
4462           announce broadcasts by default but will listen for them. If it
4463           hears such a broadcast on the wire it will then start sending them
4464           at a frequency set by the parameter lm interval.
4465
4466           Default: lm announce = auto
4467
4468           Example: lm announce = yes
4469
4470       lm interval (G)
4471
4472           If Samba is set to produce Lanman announce broadcasts needed by
4473           OS/2 clients (see the lm announce parameter) then this parameter
4474           defines the frequency in seconds with which they will be made. If
4475           this is set to zero then no Lanman announcements will be made
4476           despite the setting of the lm announce parameter.
4477
4478           Default: lm interval = 60
4479
4480           Example: lm interval = 120
4481
4482       load printers (G)
4483
4484           A boolean variable that controls whether all printers in the
4485           printcap will be loaded for browsing by default. See the printers
4486           section for more details.
4487
4488           Default: load printers = yes
4489
4490       local master (G)
4491
4492           This option allows nmbd(8) to try and become a local master browser
4493           on a subnet. If set to no then nmbd will not attempt to become a
4494           local master browser on a subnet and will also lose in all browsing
4495           elections. By default this value is set to yes. Setting this value
4496           to yes doesn't mean that Samba will become the local master browser
4497           on a subnet, just that nmbd will participate in elections for local
4498           master browser.
4499
4500           Setting this value to no will cause nmbd never to become a local
4501           master browser.
4502
4503           Default: local master = yes
4504
4505       lock dir
4506
4507           This parameter is a synonym for lock directory.
4508
4509       lock directory (G)
4510
4511           This option specifies the directory where lock files will be
4512           placed. The lock files are used to implement the max connections
4513           option.
4514
4515           Note: This option can not be set inside registry configurations.
4516
4517           The files placed in this directory are not required across service
4518           restarts and can be safely placed on volatile storage (e.g. tmpfs
4519           in Linux)
4520
4521           Default: lock directory = /var/lib/samba/lock
4522
4523           Example: lock directory = /var/run/samba/locks
4524
4525       locking (S)
4526
4527           This controls whether or not locking will be performed by the
4528           server in response to lock requests from the client.
4529
4530           If locking = no, all lock and unlock requests will appear to
4531           succeed and all lock queries will report that the file in question
4532           is available for locking.
4533
4534           If locking = yes, real locking will be performed by the server.
4535
4536           This option may be useful for read-only filesystems which may not
4537           need locking (such as CDROM drives), although setting this
4538           parameter of no is not really recommended even in this case.
4539
4540           Be careful about disabling locking either globally or in a specific
4541           service, as lack of locking may result in data corruption. You
4542           should never need to set this parameter.
4543
4544           Default: locking = yes
4545
4546       lock spin time (G)
4547
4548           The time in milliseconds that smbd should keep waiting to see if a
4549           failed lock request can be granted. This parameter has changed in
4550           default value from Samba 3.0.23 from 10 to 200. The associated lock
4551           spin count parameter is no longer used in Samba 3.0.24. You should
4552           not need to change the value of this parameter.
4553
4554           Default: lock spin time = 200
4555
4556       log file (G)
4557
4558           This option allows you to override the name of the Samba log file
4559           (also known as the debug file).
4560
4561           This option takes the standard substitutions, allowing you to have
4562           separate log files for each user or machine.
4563
4564           No default
4565
4566           Example: log file = /usr/local/samba/var/log.%m
4567
4568       logging (G)
4569
4570           This parameter configures logging backends. Multiple backends can
4571           be specified at the same time, with different log levels for each
4572           backend. The parameter is a list of backends, where each backend is
4573           specified as backend[:option][@loglevel].
4574
4575           The 'option' parameter can be used to pass backend-specific
4576           options.
4577
4578           The log level for a backend is optional, if it is not set for a
4579           backend, all messages are sent to this backend. The parameter log
4580           level determines overall log levels, while the log levels specified
4581           here define what is sent to the individual backends.
4582
4583           When logging is set, it overrides the syslog and syslog only
4584           parameters.
4585
4586           Some backends are only available when Samba has been compiled with
4587           the additional libraries. The overall list of logging backends:
4588
4589                  ·   syslog
4590
4591                  ·   file
4592
4593                  ·   systemd
4594
4595                  ·   lttng
4596
4597                  ·   gpfs
4598
4599                  ·   ringbuf
4600
4601           The ringbuf backend supports an optional size argument to change
4602           the buffer size used, the default is 1 MB: ringbuf:size=NBYTES
4603
4604           Default: logging =
4605
4606           Example: logging = syslog@1 file
4607
4608       debuglevel
4609
4610           This parameter is a synonym for log level.
4611
4612       log level (G)
4613
4614           The value of the parameter (a astring) allows the debug level
4615           (logging level) to be specified in the smb.conf file.
4616
4617           This parameter has been extended since the 2.2.x series, now it
4618           allows one to specify the debug level for multiple debug classes
4619           and distinct logfiles for debug classes. This is to give greater
4620           flexibility in the configuration of the system. The following debug
4621           classes are currently implemented:
4622
4623                  ·   all
4624
4625                  ·   tdb
4626
4627                  ·   printdrivers
4628
4629                  ·   lanman
4630
4631                  ·   smb
4632
4633                  ·   smb2
4634
4635                  ·   smb2_credits
4636
4637                  ·   rpc_parse
4638
4639                  ·   rpc_srv
4640
4641                  ·   rpc_cli
4642
4643                  ·   passdb
4644
4645                  ·   sam
4646
4647                  ·   auth
4648
4649                  ·   winbind
4650
4651                  ·   vfs
4652
4653                  ·   idmap
4654
4655                  ·   quota
4656
4657                  ·   acls
4658
4659                  ·   locking
4660
4661                  ·   msdfs
4662
4663                  ·   dmapi
4664
4665                  ·   registry
4666
4667                  ·   scavenger
4668
4669                  ·   dns
4670
4671                  ·   ldb
4672
4673                  ·   tevent
4674
4675                  ·   auth_audit
4676
4677                  ·   auth_json_audit
4678
4679                  ·   kerberos
4680
4681                  ·   dsdb_audit
4682
4683                  ·   dsdb_json_audit
4684
4685                  ·   dsdb_password_audit
4686
4687                  ·   dsdb_password_json_audit
4688
4689                  ·   dsdb_transaction_audit
4690
4691                  ·   dsdb_transaction_json_audit
4692
4693           To configure the logging for specific classes to go into a
4694           different file then log file, you can append @PATH to the class, eg
4695           log level = 1 full_audit:1@/var/log/audit.log.
4696
4697           Authentication and authorization audit information is logged under
4698           the auth_audit, and if Samba was not compiled with --without-json,
4699           a JSON representation is logged under auth_json_audit.
4700
4701           Support is comprehensive for all authentication and authorisation
4702           of user accounts in the Samba Active Directory Domain Controller,
4703           as well as the implicit authentication in password changes. In the
4704           file server, NTLM authentication, SMB and RPC authorization is
4705           covered.
4706
4707           Log levels for auth_audit and auth_audit_json are:
4708
4709                  ·   2: Authentication Failure
4710
4711                  ·   3: Authentication Success
4712
4713                  ·   4: Authorization Success
4714
4715                  ·   5: Anonymous Authentication and Authorization Success
4716
4717           Changes to the sam.ldb database are logged under the dsdb_audit and
4718           a JSON representation is logged under dsdb_json_audit.
4719
4720           Password changes and Password resets are logged under
4721           dsdb_password_audit and a JSON representation is logged under the
4722           dsdb_password_json_audit.
4723
4724           Transaction rollbacks and prepare commit failures are logged under
4725           the dsdb_transaction_audit and a JSON representation is logged
4726           under the password_json_audit. Logging the transaction details
4727           allows the identification of password and sam.ldb operations that
4728           have been rolled back.
4729
4730           Default: log level = 0
4731
4732           Example: log level = 3 passdb:5 auth:10 winbind:2
4733
4734           Example: log level = 1 full_audit:1@/var/log/audit.log winbind:2
4735
4736       log nt token command (G)
4737
4738           This option can be set to a command that will be called when new nt
4739           tokens are created.
4740
4741           This is only useful for development purposes.
4742
4743           Default: log nt token command =
4744
4745       logon drive (G)
4746
4747           This parameter specifies the local path to which the home directory
4748           will be connected (see logon home) and is only used by NT
4749           Workstations.
4750
4751           Note that this option is only useful if Samba is set up as a logon
4752           server.
4753
4754           Default: logon drive =
4755
4756           Example: logon drive = h:
4757
4758       logon home (G)
4759
4760           This parameter specifies the home directory location when a
4761           Win95/98 or NT Workstation logs into a Samba PDC. It allows you to
4762           do
4763
4764           C:\>NET USE H: /HOME
4765
4766           from a command prompt, for example.
4767
4768           This option takes the standard substitutions, allowing you to have
4769           separate logon scripts for each user or machine.
4770
4771           This parameter can be used with Win9X workstations to ensure that
4772           roaming profiles are stored in a subdirectory of the user's home
4773           directory. This is done in the following way:
4774
4775           logon home = \\%N\%U\profile
4776
4777           This tells Samba to return the above string, with substitutions
4778           made when a client requests the info, generally in a NetUserGetInfo
4779           request. Win9X clients truncate the info to \\server\share when a
4780           user does net use /home but use the whole string when dealing with
4781           profiles.
4782
4783           Note that in prior versions of Samba, the logon path was returned
4784           rather than logon home. This broke net use /home but allowed
4785           profiles outside the home directory. The current implementation is
4786           correct, and can be used for profiles if you use the above trick.
4787
4788           Disable this feature by setting logon home = "" - using the empty
4789           string.
4790
4791           This option is only useful if Samba is set up as a logon server.
4792
4793           Default: logon home = \\%N\%U
4794
4795           Example: logon home = \\remote_smb_server\%U
4796
4797       logon path (G)
4798
4799           This parameter specifies the directory where roaming profiles
4800           (Desktop, NTuser.dat, etc) are stored. Contrary to previous
4801           versions of these manual pages, it has nothing to do with Win 9X
4802           roaming profiles. To find out how to handle roaming profiles for
4803           Win 9X system, see the logon home parameter.
4804
4805           This option takes the standard substitutions, allowing you to have
4806           separate logon scripts for each user or machine. It also specifies
4807           the directory from which the "Application Data", desktop, start
4808           menu, network neighborhood, programs and other folders, and their
4809           contents, are loaded and displayed on your Windows NT client.
4810
4811           The share and the path must be readable by the user for the
4812           preferences and directories to be loaded onto the Windows NT
4813           client. The share must be writeable when the user logs in for the
4814           first time, in order that the Windows NT client can create the
4815           NTuser.dat and other directories. Thereafter, the directories and
4816           any of the contents can, if required, be made read-only. It is not
4817           advisable that the NTuser.dat file be made read-only - rename it to
4818           NTuser.man to achieve the desired effect (a MANdatory profile).
4819
4820           Windows clients can sometimes maintain a connection to the [homes]
4821           share, even though there is no user logged in. Therefore, it is
4822           vital that the logon path does not include a reference to the homes
4823           share (i.e. setting this parameter to \\%N\homes\profile_path will
4824           cause problems).
4825
4826           This option takes the standard substitutions, allowing you to have
4827           separate logon scripts for each user or machine.
4828
4829               Warning
4830               Do not quote the value. Setting this as “\\%N\profile\%U” will
4831               break profile handling. Where the tdbsam or ldapsam passdb
4832               backend is used, at the time the user account is created the
4833               value configured for this parameter is written to the passdb
4834               backend and that value will over-ride the parameter value
4835               present in the smb.conf file. Any error present in the passdb
4836               backend account record must be editted using the appropriate
4837               tool (pdbedit on the command-line, or any other locally
4838               provided system tool).
4839           Note that this option is only useful if Samba is set up as a domain
4840           controller.
4841
4842           Disable the use of roaming profiles by setting the value of this
4843           parameter to the empty string. For example, logon path = "". Take
4844           note that even if the default setting in the smb.conf file is the
4845           empty string, any value specified in the user account settings in
4846           the passdb backend will over-ride the effect of setting this
4847           parameter to null. Disabling of all roaming profile use requires
4848           that the user account settings must also be blank.
4849
4850           An example of use is:
4851
4852               logon path = \\PROFILESERVER\PROFILE\%U
4853
4854           Default: logon path = \\%N\%U\profile
4855
4856       logon script (G)
4857
4858           This parameter specifies the batch file (.bat) or NT command file
4859           (.cmd) to be downloaded and run on a machine when a user
4860           successfully logs in. The file must contain the DOS style CR/LF
4861           line endings. Using a DOS-style editor to create the file is
4862           recommended.
4863
4864           The script must be a relative path to the [netlogon] service. If
4865           the [netlogon] service specifies a path of
4866           /usr/local/samba/netlogon, and logon script = STARTUP.BAT, then the
4867           file that will be downloaded is:
4868
4869                    /usr/local/samba/netlogon/STARTUP.BAT
4870
4871           The contents of the batch file are entirely your choice. A
4872           suggested command would be to add NET TIME \\SERVER /SET /YES, to
4873           force every machine to synchronize clocks with the same time
4874           server. Another use would be to add NET USE U: \\SERVER\UTILS for
4875           commonly used utilities, or
4876
4877               NET USE Q: \\SERVER\ISO9001_QA
4878
4879           for example.
4880
4881           Note that it is particularly important not to allow write access to
4882           the [netlogon] share, or to grant users write permission on the
4883           batch files in a secure environment, as this would allow the batch
4884           files to be arbitrarily modified and security to be breached.
4885
4886           This option takes the standard substitutions, allowing you to have
4887           separate logon scripts for each user or machine.
4888
4889           This option is only useful if Samba is set up as a logon server in
4890           a classic domain controller role. If Samba is set up as an Active
4891           Directory domain controller, LDAP attribute scriptPath is used
4892           instead. For configurations where passdb backend = ldapsam is in
4893           use, this option only defines a default value in case LDAP
4894           attribute sambaLogonScript is missing.
4895
4896           Default: logon script =
4897
4898           Example: logon script = scripts\%U.bat
4899
4900       log writeable files on exit (G)
4901
4902           When the network connection between a CIFS client and Samba dies,
4903           Samba has no option but to simply shut down the server side of the
4904           network connection. If this happens, there is a risk of data
4905           corruption because the Windows client did not complete all write
4906           operations that the Windows application requested. Setting this
4907           option to "yes" makes smbd log with a level 0 message a list of all
4908           files that have been opened for writing when the network connection
4909           died. Those are the files that are potentially corrupted. It is
4910           meant as an aid for the administrator to give him a list of files
4911           to do consistency checks on.
4912
4913           Default: log writeable files on exit = no
4914
4915       lppause command (S)
4916
4917           This parameter specifies the command to be executed on the server
4918           host in order to stop printing or spooling a specific print job.
4919
4920           This command should be a program or script which takes a printer
4921           name and job number to pause the print job. One way of implementing
4922           this is by using job priorities, where jobs having a too low
4923           priority won't be sent to the printer.
4924
4925           If a %p is given then the printer name is put in its place. A %j is
4926           replaced with the job number (an integer). On HPUX (see
4927           printing=hpux ), if the -p%p option is added to the lpq command,
4928           the job will show up with the correct status, i.e. if the job
4929           priority is lower than the set fence priority it will have the
4930           PAUSED status, whereas if the priority is equal or higher it will
4931           have the SPOOLED or PRINTING status.
4932
4933           Note that it is good practice to include the absolute path in the
4934           lppause command as the PATH may not be available to the server.
4935
4936           Currently no default value is given to this string, unless the
4937           value of the printing parameter is SYSV, in which case the default
4938           is : lp -i %p-%j -H hold or if the value of the printing parameter
4939           is SOFTQ, then the default is: qstat -s -j%j -h.
4940
4941           Default: lppause command =  # determined by printing parameter
4942
4943           Example: lppause command = /usr/bin/lpalt %p-%j -p0
4944
4945       lpq cache time (G)
4946
4947           This controls how long lpq info will be cached for to prevent the
4948           lpq command being called too often. A separate cache is kept for
4949           each variation of the lpq command used by the system, so if you use
4950           different lpq commands for different users then they won't share
4951           cache information.
4952
4953           The cache files are stored in /tmp/lpq.xxxx where xxxx is a hash of
4954           the lpq command in use.
4955
4956           The default is 30 seconds, meaning that the cached results of a
4957           previous identical lpq command will be used if the cached data is
4958           less than 30 seconds old. A large value may be advisable if your
4959           lpq command is very slow.
4960
4961           A value of 0 will disable caching completely.
4962
4963           Default: lpq cache time = 30
4964
4965           Example: lpq cache time = 10
4966
4967       lpq command (S)
4968
4969           This parameter specifies the command to be executed on the server
4970           host in order to obtain lpq-style printer status information.
4971
4972           This command should be a program or script which takes a printer
4973           name as its only parameter and outputs printer status information.
4974
4975           Currently nine styles of printer status information are supported;
4976           BSD, AIX, LPRNG, PLP, SYSV, HPUX, QNX, CUPS, and SOFTQ. This covers
4977           most UNIX systems. You control which type is expected using the
4978           printing = option.
4979
4980           Some clients (notably Windows for Workgroups) may not correctly
4981           send the connection number for the printer they are requesting
4982           status information about. To get around this, the server reports on
4983           the first printer service connected to by the client. This only
4984           happens if the connection number sent is invalid.
4985
4986           If a %p is given then the printer name is put in its place.
4987           Otherwise it is placed at the end of the command.
4988
4989           Note that it is good practice to include the absolute path in the
4990           lpq command as the $PATH may not be available to the server. When
4991           compiled with the CUPS libraries, no lpq command is needed because
4992           smbd will make a library call to obtain the print queue listing.
4993
4994           Default: lpq command =  # determined by printing parameter
4995
4996           Example: lpq command = /usr/bin/lpq -P%p
4997
4998       lpresume command (S)
4999
5000           This parameter specifies the command to be executed on the server
5001           host in order to restart or continue printing or spooling a
5002           specific print job.
5003
5004           This command should be a program or script which takes a printer
5005           name and job number to resume the print job. See also the lppause
5006           command parameter.
5007
5008           If a %p is given then the printer name is put in its place. A %j is
5009           replaced with the job number (an integer).
5010
5011           Note that it is good practice to include the absolute path in the
5012           lpresume command as the PATH may not be available to the server.
5013
5014           See also the printing parameter.
5015
5016           Default: Currently no default value is given to this string, unless
5017           the value of the printing parameter is SYSV, in which case the
5018           default is:
5019
5020           lp -i %p-%j -H resume
5021
5022           or if the value of the printing parameter is SOFTQ, then the
5023           default is:
5024
5025           qstat -s -j%j -r
5026
5027           Default: lpresume command =  # determined by printing parameter
5028
5029           Example: lpresume command = /usr/bin/lpalt %p-%j -p2
5030
5031       lprm command (S)
5032
5033           This parameter specifies the command to be executed on the server
5034           host in order to delete a print job.
5035
5036           This command should be a program or script which takes a printer
5037           name and job number, and deletes the print job.
5038
5039           If a %p is given then the printer name is put in its place. A %j is
5040           replaced with the job number (an integer).
5041
5042           Note that it is good practice to include the absolute path in the
5043           lprm command as the PATH may not be available to the server.
5044
5045           Examples of use are:
5046
5047               lprm command = /usr/bin/lprm -P%p %j
5048
5049               or
5050
5051               lprm command = /usr/bin/cancel %p-%j
5052
5053           Default: lprm command =  # determined by printing parameter
5054
5055       lsa over netlogon (G)
5056
5057           Setting this deprecated option will allow the RPC server in the AD
5058           DC to answer the LSARPC interface on the \pipe\netlogon IPC pipe.
5059
5060           When enabled, this matches the behaviour of Microsoft's Windows,
5061           due to their internal implementation choices.
5062
5063           If it is disabled (the default), the AD DC can offer improved
5064           performance, as the netlogon server is decoupled and can run as
5065           multiple processes.
5066
5067           Default: lsa over netlogon = no
5068
5069       machine password timeout (G)
5070
5071           If a Samba server is a member of a Windows NT or Active Directory
5072           Domain (see the security = domain and security = ads parameters),
5073           then periodically a running winbindd process will try and change
5074           the MACHINE ACCOUNT PASSWORD stored in the TDB called secrets.tdb.
5075           This parameter specifies how often this password will be changed,
5076           in seconds. The default is one week (expressed in seconds), the
5077           same as a Windows NT Domain member server.
5078
5079           See also smbpasswd(8), and the security = domain and security = ads
5080           parameters.
5081
5082           Default: machine password timeout = 604800
5083
5084       magic output (S)
5085
5086           This parameter specifies the name of a file which will contain
5087           output created by a magic script (see the magic script parameter
5088           below).
5089
5090               Warning
5091               If two clients use the same magic script in the same directory
5092               the output file content is undefined.
5093           Default: magic output =  # <magic script name>.out
5094
5095           Example: magic output = myfile.txt
5096
5097       magic script (S)
5098
5099           This parameter specifies the name of a file which, if opened, will
5100           be executed by the server when the file is closed. This allows a
5101           UNIX script to be sent to the Samba host and executed on behalf of
5102           the connected user.
5103
5104           Scripts executed in this way will be deleted upon completion
5105           assuming that the user has the appropriate level of privilege and
5106           the file permissions allow the deletion.
5107
5108           If the script generates output, output will be sent to the file
5109           specified by the magic output parameter (see above).
5110
5111           Note that some shells are unable to interpret scripts containing
5112           CR/LF instead of CR as the end-of-line marker. Magic scripts must
5113           be executable as is on the host, which for some hosts and some
5114           shells will require filtering at the DOS end.
5115
5116           Magic scripts are EXPERIMENTAL and should NOT be relied upon.
5117
5118           Default: magic script =
5119
5120           Example: magic script = user.csh
5121
5122       mangled names (S)
5123
5124           This controls whether non-DOS names under UNIX should be mapped to
5125           DOS-compatible names ("mangled") and made visible, or whether
5126           non-DOS names should simply be ignored.
5127
5128           See the section on name mangling for details on how to control the
5129           mangling process.
5130
5131           Possible option settings are
5132
5133                  ·   yes (default) - enables name mangling for all not DOS
5134                      8.3 conforming names.
5135
5136                  ·   no - disables any name mangling.
5137
5138                  ·   illegal - does mangling for names with illegal NTFS
5139                      characters. This is the most sensible setting for modern
5140                      clients that don't use the shortname anymore.
5141
5142           If mangling is used then the mangling method is as follows:
5143
5144                  ·   The first (up to) five alphanumeric characters before
5145                      the rightmost dot of the filename are preserved, forced
5146                      to upper case, and appear as the first (up to) five
5147                      characters of the mangled name.
5148
5149                  ·   A tilde "~" is appended to the first part of the mangled
5150                      name, followed by a two-character unique sequence, based
5151                      on the original root name (i.e., the original filename
5152                      minus its final extension). The final extension is
5153                      included in the hash calculation only if it contains any
5154                      upper case characters or is longer than three
5155                      characters.
5156
5157                      Note that the character to use may be specified using
5158                      the mangling char option, if you don't like '~'.
5159
5160                  ·   Files whose UNIX name begins with a dot will be
5161                      presented as DOS hidden files. The mangled name will be
5162                      created as for other filenames, but with the leading dot
5163                      removed and "___" as its extension regardless of actual
5164                      original extension (that's three underscores).
5165
5166           The two-digit hash value consists of upper case alphanumeric
5167           characters.
5168
5169           This algorithm can cause name collisions only if files in a
5170           directory share the same first five alphanumeric characters. The
5171           probability of such a clash is 1/1300.
5172
5173           The name mangling (if enabled) allows a file to be copied between
5174           UNIX directories from Windows/DOS while retaining the long UNIX
5175           filename. UNIX files can be renamed to a new extension from
5176           Windows/DOS and will retain the same basename. Mangled names do not
5177           change between sessions.
5178
5179           Default: mangled names = yes
5180
5181           Example: mangled names = illegal
5182
5183       mangle prefix (G)
5184
5185           controls the number of prefix characters from the original name
5186           used when generating the mangled names. A larger value will give a
5187           weaker hash and therefore more name collisions. The minimum value
5188           is 1 and the maximum value is 6.
5189
5190           mangle prefix is effective only when mangling method is hash2.
5191
5192           Default: mangle prefix = 1
5193
5194           Example: mangle prefix = 4
5195
5196       mangling char (S)
5197
5198           This controls what character is used as the magic character in name
5199           mangling. The default is a '~' but this may interfere with some
5200           software. Use this option to set it to whatever you prefer. This is
5201           effective only when mangling method is hash.
5202
5203           Default: mangling char = ~
5204
5205           Example: mangling char = ^
5206
5207       mangling method (G)
5208
5209           controls the algorithm used for the generating the mangled names.
5210           Can take two different values, "hash" and "hash2". "hash" is the
5211           algorithm that was used in Samba for many years and was the default
5212           in Samba 2.2.x "hash2" is now the default and is newer and
5213           considered a better algorithm (generates less collisions) in the
5214           names. Many Win32 applications store the mangled names and so
5215           changing to algorithms must not be done lightly as these
5216           applications may break unless reinstalled.
5217
5218           Default: mangling method = hash2
5219
5220           Example: mangling method = hash
5221
5222       map acl inherit (S)
5223
5224           This boolean parameter controls whether smbd(8) will attempt to map
5225           the 'inherit' and 'protected' access control entry flags stored in
5226           Windows ACLs into an extended attribute called user.SAMBA_PAI. This
5227           parameter only takes effect if Samba is being run on a platform
5228           that supports extended attributes (Linux and IRIX so far) and
5229           allows the Windows 2000 ACL editor to correctly use inheritance
5230           with the Samba POSIX ACL mapping code.
5231
5232           Default: map acl inherit = no
5233
5234       map archive (S)
5235
5236           This controls whether the DOS archive attribute should be mapped to
5237           the UNIX owner execute bit. The DOS archive bit is set when a file
5238           has been modified since its last backup. One motivation for this
5239           option is to keep Samba/your PC from making any file it touches
5240           from becoming executable under UNIX. This can be quite annoying for
5241           shared source code, documents, etc...
5242
5243           Note that this parameter will be ignored if the store dos
5244           attributes parameter is set, as the DOS archive attribute will then
5245           be stored inside a UNIX extended attribute.
5246
5247           Note that this requires the create mask parameter to be set such
5248           that owner execute bit is not masked out (i.e. it must include
5249           100). See the parameter create mask for details.
5250
5251           Default: map archive = yes
5252
5253       map hidden (S)
5254
5255           This controls whether DOS style hidden files should be mapped to
5256           the UNIX world execute bit.
5257
5258           Note that this parameter will be ignored if the store dos
5259           attributes parameter is set, as the DOS hidden attribute will then
5260           be stored inside a UNIX extended attribute.
5261
5262           Note that this requires the create mask to be set such that the
5263           world execute bit is not masked out (i.e. it must include 001). See
5264           the parameter create mask for details.
5265
5266           Default: map hidden = no
5267
5268       map readonly (S)
5269
5270           This controls how the DOS read only attribute should be mapped from
5271           a UNIX filesystem.
5272
5273           This parameter can take three different values, which tell smbd(8)
5274           how to display the read only attribute on files, where either store
5275           dos attributes is set to No, or no extended attribute is present.
5276           If store dos attributes is set to yes then this parameter is
5277           ignored. This is a new parameter introduced in Samba version
5278           3.0.21.
5279
5280           The three settings are :
5281
5282                  ·   Yes - The read only DOS attribute is mapped to the
5283                      inverse of the user or owner write bit in the unix
5284                      permission mode set. If the owner write bit is not set,
5285                      the read only attribute is reported as being set on the
5286                      file. If the read only DOS attribute is set, Samba sets
5287                      the owner, group and others write bits to zero. Write
5288                      bits set in an ACL are ignored by Samba. If the read
5289                      only DOS attribute is unset, Samba simply sets the write
5290                      bit of the owner to one.
5291
5292                  ·   Permissions - The read only DOS attribute is mapped to
5293                      the effective permissions of the connecting user, as
5294                      evaluated by smbd(8) by reading the unix permissions and
5295                      POSIX ACL (if present). If the connecting user does not
5296                      have permission to modify the file, the read only
5297                      attribute is reported as being set on the file.
5298
5299                  ·   No - The read only DOS attribute is unaffected by
5300                      permissions, and can only be set by the store dos
5301                      attributes method. This may be useful for exporting
5302                      mounted CDs.
5303
5304           Note that this parameter will be ignored if the store dos
5305           attributes parameter is set, as the DOS 'read-only' attribute will
5306           then be stored inside a UNIX extended attribute.
5307
5308           The default has changed to no in Samba release 4.9.0 and above to
5309           allow better Windows fileserver compatibility in a default install.
5310           In addition the default setting of store dos attributes has been
5311           changed to Yes in Samba release 4.9.0 and above.
5312
5313           Default: map readonly = no
5314
5315       map system (S)
5316
5317           This controls whether DOS style system files should be mapped to
5318           the UNIX group execute bit.
5319
5320           Note that this parameter will be ignored if the store dos
5321           attributes parameter is set, as the DOS system attribute will then
5322           be stored inside a UNIX extended attribute.
5323
5324           Note that this requires the create mask to be set such that the
5325           group execute bit is not masked out (i.e. it must include 010). See
5326           the parameter create mask for details.
5327
5328           Default: map system = no
5329
5330       map to guest (G)
5331
5332           This parameter can take four different values, which tell smbd(8)
5333           what to do with user login requests that don't match a valid UNIX
5334           user in some way.
5335
5336           The four settings are :
5337
5338                  ·   Never - Means user login requests with an invalid
5339                      password are rejected. This is the default.
5340
5341                  ·   Bad User - Means user logins with an invalid password
5342                      are rejected, unless the username does not exist, in
5343                      which case it is treated as a guest login and mapped
5344                      into the guest account.
5345
5346                  ·   Bad Password - Means user logins with an invalid
5347                      password are treated as a guest login and mapped into
5348                      the guest account. Note that this can cause problems as
5349                      it means that any user incorrectly typing their password
5350                      will be silently logged on as "guest" - and will not
5351                      know the reason they cannot access files they think they
5352                      should - there will have been no message given to them
5353                      that they got their password wrong. Helpdesk services
5354                      will hate you if you set the map to guest parameter this
5355                      way :-).
5356
5357                  ·   Bad Uid - Is only applicable when Samba is configured in
5358                      some type of domain mode security (security =
5359                      {domain|ads}) and means that user logins which are
5360                      successfully authenticated but which have no valid Unix
5361                      user account (and smbd is unable to create one) should
5362                      be mapped to the defined guest account. This was the
5363                      default behavior of Samba 2.x releases. Note that if a
5364                      member server is running winbindd, this option should
5365                      never be required because the nss_winbind library will
5366                      export the Windows domain users and groups to the
5367                      underlying OS via the Name Service Switch interface.
5368
5369           Note that this parameter is needed to set up "Guest" share
5370           services. This is because in these modes the name of the resource
5371           being requested is not sent to the server until after the server
5372           has successfully authenticated the client so the server cannot make
5373           authentication decisions at the correct time (connection to the
5374           share) for "Guest" shares.
5375
5376           Default: map to guest = Never
5377
5378           Example: map to guest = Bad User
5379
5380       max connections (S)
5381
5382           This option allows the number of simultaneous connections to a
5383           service to be limited. If max connections is greater than 0 then
5384           connections will be refused if this number of connections to the
5385           service are already open. A value of zero mean an unlimited number
5386           of connections may be made.
5387
5388           Record lock files are used to implement this feature. The lock
5389           files will be stored in the directory specified by the lock
5390           directory option.
5391
5392           Default: max connections = 0
5393
5394           Example: max connections = 10
5395
5396       max disk size (G)
5397
5398           This option allows you to put an upper limit on the apparent size
5399           of disks. If you set this option to 100 then all shares will appear
5400           to be not larger than 100 MB in size.
5401
5402           Note that this option does not limit the amount of data you can put
5403           on the disk. In the above case you could still store much more than
5404           100 MB on the disk, but if a client ever asks for the amount of
5405           free disk space or the total disk size then the result will be
5406           bounded by the amount specified in max disk size.
5407
5408           This option is primarily useful to work around bugs in some pieces
5409           of software that can't handle very large disks, particularly disks
5410           over 1GB in size.
5411
5412           A max disk size of 0 means no limit.
5413
5414           Default: max disk size = 0
5415
5416           Example: max disk size = 1000
5417
5418       max log size (G)
5419
5420           This option (an integer in kilobytes) specifies the max size the
5421           log file should grow to. Samba periodically checks the size and if
5422           it is exceeded it will rename the file, adding a .old extension.
5423
5424           A size of 0 means no limit.
5425
5426           Default: max log size = 5000
5427
5428           Example: max log size = 1000
5429
5430       max mux (G)
5431
5432           This option controls the maximum number of outstanding simultaneous
5433           SMB operations that Samba tells the client it will allow. You
5434           should never need to set this parameter.
5435
5436           Default: max mux = 50
5437
5438       max open files (G)
5439
5440           This parameter limits the maximum number of open files that one
5441           smbd(8) file serving process may have open for a client at any one
5442           time. This parameter can be set very high (16384) as Samba uses
5443           only one bit per unopened file. Setting this parameter lower than
5444           16384 will cause Samba to complain and set this value back to the
5445           minimum of 16384, as Windows 7 depends on this number of open file
5446           handles being available.
5447
5448           The limit of the number of open files is usually set by the UNIX
5449           per-process file descriptor limit rather than this parameter so you
5450           should never need to touch this parameter.
5451
5452           Default: max open files = 16384
5453
5454       max print jobs (S)
5455
5456           This parameter limits the maximum number of jobs allowable in a
5457           Samba printer queue at any given moment. If this number is
5458           exceeded, smbd(8) will remote "Out of Space" to the client.
5459
5460           Default: max print jobs = 1000
5461
5462           Example: max print jobs = 5000
5463
5464       max reported print jobs (S)
5465
5466           This parameter limits the maximum number of jobs displayed in a
5467           port monitor for Samba printer queue at any given moment. If this
5468           number is exceeded, the excess jobs will not be shown. A value of
5469           zero means there is no limit on the number of print jobs reported.
5470
5471           Default: max reported print jobs = 0
5472
5473           Example: max reported print jobs = 1000
5474
5475       max smbd processes (G)
5476
5477           This parameter limits the maximum number of smbd(8) processes
5478           concurrently running on a system and is intended as a stopgap to
5479           prevent degrading service to clients in the event that the server
5480           has insufficient resources to handle more than this number of
5481           connections. Remember that under normal operating conditions, each
5482           user will have an smbd(8) associated with him or her to handle
5483           connections to all shares from a given host.
5484
5485           For a Samba ADDC running the standard process model this option
5486           limits the number of processes forked to handle requests. Currently
5487           new processes are only forked for ldap and netlogon requests.
5488
5489           Default: max smbd processes = 0
5490
5491           Example: max smbd processes = 1000
5492
5493       max stat cache size (G)
5494
5495           This parameter limits the size in memory of any stat cache being
5496           used to speed up case insensitive name mappings. It represents the
5497           number of kilobyte (1024) units the stat cache can use. A value of
5498           zero, meaning unlimited, is not advisable due to increased memory
5499           usage. You should not need to change this parameter.
5500
5501           Default: max stat cache size = 512
5502
5503           Example: max stat cache size = 100
5504
5505       max ttl (G)
5506
5507           This option tells nmbd(8) what the default 'time to live' of
5508           NetBIOS names should be (in seconds) when nmbd is requesting a name
5509           using either a broadcast packet or from a WINS server. You should
5510           never need to change this parameter. The default is 3 days.
5511
5512           Default: max ttl = 259200
5513
5514       max wins ttl (G)
5515
5516           This option tells smbd(8) when acting as a WINS server (wins
5517           support = yes) what the maximum 'time to live' of NetBIOS names
5518           that nmbd will grant will be (in seconds). You should never need to
5519           change this parameter. The default is 6 days (518400 seconds).
5520
5521           Default: max wins ttl = 518400
5522
5523       max xmit (G)
5524
5525           This option controls the maximum packet size that will be
5526           negotiated by Samba's smbd(8) for the SMB1 protocol. The default is
5527           16644, which matches the behavior of Windows 2000. A value below
5528           2048 is likely to cause problems. You should never need to change
5529           this parameter from its default value.
5530
5531           Default: max xmit = 16644
5532
5533           Example: max xmit = 8192
5534
5535       mdns name (G)
5536
5537           This parameter controls the name that multicast DNS support
5538           advertises as its' hostname.
5539
5540           The default is to use the NETBIOS name which is typically the
5541           hostname in all capital letters.
5542
5543           A setting of mdns will defer the hostname configuration to the MDNS
5544           library that is used.
5545
5546           Default: mdns name = netbios
5547
5548       message command (G)
5549
5550           This specifies what command to run when the server receives a
5551           WinPopup style message.
5552
5553           This would normally be a command that would deliver the message
5554           somehow. How this is to be done is up to your imagination.
5555
5556           An example is:
5557
5558               message command = csh -c 'xedit %s;rm %s' &
5559
5560           This delivers the message using xedit, then removes it afterwards.
5561           NOTE THAT IT IS VERY IMPORTANT THAT THIS COMMAND RETURN
5562           IMMEDIATELY. That's why I have the '&' on the end. If it doesn't
5563           return immediately then your PCs may freeze when sending messages
5564           (they should recover after 30 seconds, hopefully).
5565
5566           All messages are delivered as the global guest user. The command
5567           takes the standard substitutions, although
5568            %u won't work (%U may be better in this case).
5569
5570           Apart from the standard substitutions, some additional ones apply.
5571           In particular:
5572
5573                  ·   %s = the filename containing the message.
5574
5575                  ·   %t = the destination that the message was sent to
5576                      (probably the server name).
5577
5578                  ·   %f = who the message is from.
5579
5580           You could make this command send mail, or whatever else takes your
5581           fancy. Please let us know of any really interesting ideas you have.
5582
5583           Here's a way of sending the messages as mail to root:
5584
5585               message command = /bin/mail -s 'message from %f on %m' root < %s; rm %s
5586
5587           If you don't have a message command then the message won't be
5588           delivered and Samba will tell the sender there was an error.
5589           Unfortunately WfWg totally ignores the error code and carries on
5590           regardless, saying that the message was delivered.
5591
5592           If you want to silently delete it then try:
5593
5594               message command = rm %s
5595
5596           Default: message command =
5597
5598           Example: message command = csh -c 'xedit %s; rm %s' &
5599
5600       min print space (S)
5601
5602           This sets the minimum amount of free disk space that must be
5603           available before a user will be able to spool a print job. It is
5604           specified in kilobytes. The default is 0, which means a user can
5605           always spool a print job.
5606
5607           Default: min print space = 0
5608
5609           Example: min print space = 2000
5610
5611       min receivefile size (G)
5612
5613           This option changes the behavior of smbd(8) when processing
5614           SMBwriteX calls. Any incoming SMBwriteX call on a non-signed
5615           SMB/CIFS connection greater than this value will not be processed
5616           in the normal way but will be passed to any underlying kernel
5617           recvfile or splice system call (if there is no such call Samba will
5618           emulate in user space). This allows zero-copy writes directly from
5619           network socket buffers into the filesystem buffer cache, if
5620           available. It may improve performance but user testing is
5621           recommended. If set to zero Samba processes SMBwriteX calls in the
5622           normal way. To enable POSIX large write support (SMB/CIFS writes up
5623           to 16Mb) this option must be nonzero. The maximum value is 128k.
5624           Values greater than 128k will be silently set to 128k.
5625
5626           Note this option will have NO EFFECT if set on a SMB signed
5627           connection.
5628
5629           The default is zero, which disables this option.
5630
5631           Default: min receivefile size = 0
5632
5633       min wins ttl (G)
5634
5635           This option tells nmbd(8) when acting as a WINS server (wins
5636           support = yes) what the minimum 'time to live' of NetBIOS names
5637           that nmbd will grant will be (in seconds). You should never need to
5638           change this parameter. The default is 6 hours (21600 seconds).
5639
5640           Default: min wins ttl = 21600
5641
5642       mit kdc command (G)
5643
5644           This option specifies the path to the MIT kdc binary.
5645
5646           If the KDC is not installed in the default location and wasn't
5647           correctly detected during build then you should modify this
5648           variable and point it to the correct binary.
5649
5650           Default: mit kdc command = /usr/sbin/krb5kdc
5651
5652           Example: mit kdc command = /opt/mit/sbin/krb5kdc
5653
5654       msdfs proxy (S)
5655
5656           This parameter indicates that the share is a stand-in for another
5657           CIFS share whose location is specified by the value of the
5658           parameter. When clients attempt to connect to this share, they are
5659           redirected to one or multiple, comma separated proxied shares using
5660           the SMB-Dfs protocol.
5661
5662           Only Dfs roots can act as proxy shares. Take a look at the msdfs
5663           root and host msdfs options to find out how to set up a Dfs root
5664           share.
5665
5666           No default
5667
5668           Example: msdfs proxy =
5669           \otherserver\someshare,\otherserver2\someshare
5670
5671       msdfs root (S)
5672
5673           If set to yes, Samba treats the share as a Dfs root and allows
5674           clients to browse the distributed file system tree rooted at the
5675           share directory. Dfs links are specified in the share directory by
5676           symbolic links of the form msdfs:serverA\\shareA,serverB\\shareB
5677           and so on. For more information on setting up a Dfs tree on Samba,
5678           refer to the MSDFS chapter in the Samba3-HOWTO book.
5679
5680           Default: msdfs root = no
5681
5682       msdfs shuffle referrals (S)
5683
5684           If set to yes, Samba will shuffle Dfs referrals for a given Dfs
5685           link if multiple are available, allowing for load balancing across
5686           clients. For more information on setting up a Dfs tree on Samba,
5687           refer to the MSDFS chapter in the Samba3-HOWTO book.
5688
5689           Default: msdfs shuffle referrals = no
5690
5691       multicast dns register (G)
5692
5693           If compiled with proper support for it, Samba will announce itself
5694           with multicast DNS services like for example provided by the Avahi
5695           daemon.
5696
5697           This parameter allows disabling Samba to register itself.
5698
5699           Default: multicast dns register = yes
5700
5701       name cache timeout (G)
5702
5703           Specifies the number of seconds it takes before entries in samba's
5704           hostname resolve cache time out. If the timeout is set to 0. the
5705           caching is disabled.
5706
5707           Default: name cache timeout = 660
5708
5709           Example: name cache timeout = 0
5710
5711       name resolve order (G)
5712
5713           This option is used by the programs in the Samba suite to determine
5714           what naming services to use and in what order to resolve host names
5715           to IP addresses. Its main purpose to is to control how netbios name
5716           resolution is performed. The option takes a space separated string
5717           of name resolution options.
5718
5719           The options are: "lmhosts", "host", "wins" and "bcast". They cause
5720           names to be resolved as follows:
5721
5722                  ·   lmhosts : Lookup an IP address in the Samba lmhosts
5723                      file. If the line in lmhosts has no name type attached
5724                      to the NetBIOS name (see the manpage for lmhosts for
5725                      details) then any name type matches for lookup.
5726
5727                  ·   host : Do a standard host name to IP address resolution,
5728                      using the system /etc/hosts, NIS, or DNS lookups. This
5729                      method of name resolution is operating system depended
5730                      for instance on IRIX or Solaris this may be controlled
5731                      by the /etc/nsswitch.conf file. Note that this method is
5732                      used only if the NetBIOS name type being queried is the
5733                      0x20 (server) name type or 0x1c (domain controllers).
5734                      The latter case is only useful for active directory
5735                      domains and results in a DNS query for the SRV RR entry
5736                      matching _ldap._tcp.domain.
5737
5738                  ·   wins : Query a name with the IP address listed in the
5739                      WINSSERVER parameter. If no WINS server has been
5740                      specified this method will be ignored.
5741
5742                  ·   bcast : Do a broadcast on each of the known local
5743                      interfaces listed in the interfaces parameter. This is
5744                      the least reliable of the name resolution methods as it
5745                      depends on the target host being on a locally connected
5746                      subnet.
5747
5748           The example below will cause the local lmhosts file to be examined
5749           first, followed by a broadcast attempt, followed by a normal system
5750           hostname lookup.
5751
5752           When Samba is functioning in ADS security mode (security = ads) it
5753           is advised to use following settings for name resolve order:
5754
5755           name resolve order = wins bcast
5756
5757           DC lookups will still be done via DNS, but fallbacks to netbios
5758           names will not inundate your DNS servers with needless querys for
5759           DOMAIN<0x1c> lookups.
5760
5761           Default: name resolve order = lmhosts wins host bcast
5762
5763           Example: name resolve order = lmhosts bcast host
5764
5765       socket address
5766
5767           This parameter is a synonym for nbt client socket address.
5768
5769       nbt client socket address (G)
5770
5771           This option allows you to control what address Samba will send NBT
5772           client packets from, and process replies using, including in nmbd.
5773
5774           Setting this option should never be necessary on usual Samba
5775           servers running only one nmbd.
5776
5777           By default Samba will send UDP packets from the OS default address
5778           for the destination, and accept replies on 0.0.0.0.
5779
5780           This parameter is deprecated. See bind interfaces only = Yes and
5781           interfaces for the previous behaviour of controlling the normal
5782           listening sockets.
5783
5784           Default: nbt client socket address = 0.0.0.0
5785
5786           Example: nbt client socket address = 192.168.2.20
5787
5788       nbtd:wins_prepend1Bto1Cqueries (G)
5789
5790           Normally queries for 0x1C names (all logon servers for a domain)
5791           will return the first address of the 0x1B names (domain master
5792           browser and PDC) as first address in the result list. As many
5793           client only use the first address in the list by default, all
5794           clients will use the same server (the PDC). Windows servers have an
5795           option to disable this behavior (since Windows 2000 Service Pack
5796           2).
5797
5798           Default: nbtd:wins_prepend1Bto1Cqueries = yes
5799
5800       nbtd:wins_wins_randomize1Clist (G)
5801
5802           Normally queries for 0x1C names will return the addresses in the
5803           same order as they're stored in the database, that means first all
5804           addresses which have been directly registered at the local wins
5805           server and then all addresses registered at other servers. Windows
5806           servers have an option to change this behavior and randomize the
5807           returned addresses. Set this parameter to "yes" and Samba will sort
5808           the address list depending on the client address and the matching
5809           bits of the addresses, the first address is randomized based on
5810           depending on the "nbtd:wins_randomize1Clist_mask" parameter.
5811
5812           Default: nbtd:wins_wins_randomize1Clist = no
5813
5814       nbtd:wins_randomize1Clist_mask (G)
5815
5816           If the "nbtd:wins_randomize1Clist" parameter is set to "yes", then
5817           randomizing of the first returned address is based on the specified
5818           netmask. If there are addresses which are in the same subnet as the
5819           client address, the first returned address is randomly chosen out
5820           them. Otherwise the first returned address is randomly chosen out
5821           of all addresses.
5822
5823           Default: nbtd:wins_randomize1Clist_mask = 255.255.255.0
5824
5825       nbt port (G)
5826
5827           Specifies which port the server should use for NetBIOS over IP name
5828           services traffic.
5829
5830           Default: nbt port = 137
5831
5832       ncalrpc dir (G)
5833
5834           This directory will hold a series of named pipes to allow RPC over
5835           inter-process communication.
5836
5837           This will allow Samba and other unix processes to interact over
5838           DCE/RPC without using TCP/IP. Additionally a sub-directory 'np' has
5839           restricted permissions, and allows a trusted communication channel
5840           between Samba processes
5841
5842           Default: ncalrpc dir = /run/samba/ncalrpc
5843
5844           Example: ncalrpc dir = /var/run/samba/ncalrpc
5845
5846       netbios aliases (G)
5847
5848           This is a list of NetBIOS names that nmbd will advertise as
5849           additional names by which the Samba server is known. This allows
5850           one machine to appear in browse lists under multiple names. If a
5851           machine is acting as a browse server or logon server none of these
5852           names will be advertised as either browse server or logon servers,
5853           only the primary name of the machine will be advertised with these
5854           capabilities.
5855
5856           Default: netbios aliases =  # empty string (no additional names)
5857
5858           Example: netbios aliases = TEST TEST1 TEST2
5859
5860       netbios name (G)
5861
5862           This sets the NetBIOS name by which a Samba server is known. By
5863           default it is the same as the first component of the host's DNS
5864           name. If a machine is a browse server or logon server this name (or
5865           the first component of the hosts DNS name) will be the name that
5866           these services are advertised under.
5867
5868           Note that the maximum length for a NetBIOS name is 15 characters.
5869
5870           There is a bug in Samba that breaks operation of browsing and
5871           access to shares if the netbios name is set to the literal name
5872           PIPE. To avoid this problem, do not name your Samba server PIPE.
5873
5874           Default: netbios name =  # machine DNS name
5875
5876           Example: netbios name = MYNAME
5877
5878       netbios scope (G)
5879
5880           This sets the NetBIOS scope that Samba will operate under. This
5881           should not be set unless every machine on your LAN also sets this
5882           value.
5883
5884           Default: netbios scope =
5885
5886       neutralize nt4 emulation (G)
5887
5888           This option controls whether winbindd sends the
5889           NETLOGON_NEG_NEUTRALIZE_NT4_EMULATION flag in order to bypass the
5890           NT4 emulation of a domain controller.
5891
5892           Typically you should not need set this. It can be useful for
5893           upgrades from NT4 to AD domains.
5894
5895           The behavior can be controlled per netbios domain by using
5896           'neutralize nt4 emulation:NETBIOSDOMAIN = yes' as option.
5897
5898           Default: neutralize nt4 emulation = no
5899
5900       NIS homedir (G)
5901
5902           Get the home share server from a NIS map. For UNIX systems that use
5903           an automounter, the user's home directory will often be mounted on
5904           a workstation on demand from a remote server.
5905
5906           When the Samba logon server is not the actual home directory
5907           server, but is mounting the home directories via NFS then two
5908           network hops would be required to access the users home directory
5909           if the logon server told the client to use itself as the SMB server
5910           for home directories (one over SMB and one over NFS). This can be
5911           very slow.
5912
5913           This option allows Samba to return the home share as being on a
5914           different server to the logon server and as long as a Samba daemon
5915           is running on the home directory server, it will be mounted on the
5916           Samba client directly from the directory server. When Samba is
5917           returning the home share to the client, it will consult the NIS map
5918           specified in homedir map and return the server listed there.
5919
5920           Note that for this option to work there must be a working NIS
5921           system and the Samba server with this option must also be a logon
5922           server.
5923
5924           Default: NIS homedir = no
5925
5926       nmbd bind explicit broadcast (G)
5927
5928           This option causes nmbd(8) to explicitly bind to the broadcast
5929           address of the local subnets. This is needed to make nmbd work
5930           correctly in combination with the socket address option. You should
5931           not need to unset this option.
5932
5933           Default: nmbd bind explicit broadcast = yes
5934
5935       nsupdate command (G)
5936
5937           This option sets the path to the nsupdate command which is used for
5938           GSS-TSIG dynamic DNS updates.
5939
5940           Default: nsupdate command = /usr/bin/nsupdate -g
5941
5942       nt acl support (S)
5943
5944           This boolean parameter controls whether smbd(8) will attempt to map
5945           UNIX permissions into Windows NT access control lists. The UNIX
5946           permissions considered are the traditional UNIX owner and group
5947           permissions, as well as POSIX ACLs set on any files or directories.
5948           This parameter was formally a global parameter in releases prior to
5949           2.2.2.
5950
5951           Default: nt acl support = yes
5952
5953       ntlm auth (G)
5954
5955           This parameter determines whether or not smbd(8) will attempt to
5956           authenticate users using the NTLM encrypted password response for
5957           this local passdb (SAM or account database).
5958
5959           If disabled, both NTLM and LanMan authencication against the local
5960           passdb is disabled.
5961
5962           Note that these settings apply only to local users, authentication
5963           will still be forwarded to and NTLM authentication accepted against
5964           any domain we are joined to, and any trusted domain, even if
5965           disabled or if NTLMv2-only is enforced here. To control NTLM
5966           authentiation for domain users, this must option must be configured
5967           on each DC.
5968
5969           By default with lanman auth set to no and ntlm auth set to
5970           ntlmv2-only only NTLMv2 logins will be permited. Most clients
5971           support NTLMv2 by default, but some older clients will require
5972           special configuration to use it.
5973
5974           The primary user of NTLMv1 is MSCHAPv2 for VPNs and 802.1x.
5975
5976           The available settings are:
5977
5978                  ·   ntlmv1-permitted (alias yes) - Allow NTLMv1 and above
5979                      for all clients.
5980
5981                  ·   ntlmv2-only (alias no) - Do not allow NTLMv1 to be used,
5982                      but permit NTLMv2.
5983
5984                  ·   mschapv2-and-ntlmv2-only - Only allow NTLMv1 when the
5985                      client promises that it is providing MSCHAPv2
5986                      authentication (such as the ntlm_auth tool).
5987
5988                  ·   disabled - Do not accept NTLM (or LanMan) authentication
5989                      of any level, nor permit NTLM password changes.
5990
5991           The default changed from yes to no with Samba 4.5. The default
5992           chagned again to ntlmv2-only with Samba 4.7, however the behaviour
5993           is unchanged.
5994
5995           Default: ntlm auth = ntlmv2-only
5996
5997       nt pipe support (G)
5998
5999           This boolean parameter controls whether smbd(8) will allow Windows
6000           NT clients to connect to the NT SMB specific IPC$ pipes. This is a
6001           developer debugging option and can be left alone.
6002
6003           Default: nt pipe support = yes
6004
6005       ntp signd socket directory (G)
6006
6007           This setting controls the location of the socket that the NTP
6008           daemon uses to communicate with Samba for signing packets.
6009
6010           If a non-default path is specified here, then it is also necessary
6011           to make NTP aware of the new path using the ntpsigndsocket
6012           directive in ntp.conf.
6013
6014           Default: ntp signd socket directory = /var/lib/samba/ntp_signd
6015
6016       nt status support (G)
6017
6018           This boolean parameter controls whether smbd(8) will negotiate NT
6019           specific status support with Windows NT/2k/XP clients. This is a
6020           developer debugging option and should be left alone. If this option
6021           is set to no then Samba offers exactly the same DOS error codes
6022           that versions prior to Samba 2.2.3 reported.
6023
6024           You should not need to ever disable this parameter.
6025
6026           Default: nt status support = yes
6027
6028       ntvfs handler (S)
6029
6030           This specifies the NTVFS handlers for this share.
6031
6032                  ·   unixuid: Sets up user credentials based on POSIX
6033                      gid/uid.
6034
6035                  ·   cifs: Proxies a remote CIFS FS. Mainly useful for
6036                      testing.
6037
6038                  ·   nbench: Filter module that saves data useful to the
6039                      nbench benchmark suite.
6040
6041                  ·   ipc: Allows using SMB for inter process communication.
6042                      Only used for the IPC$ share.
6043
6044                  ·   posix: Maps POSIX FS semantics to NT semantics
6045
6046                  ·   print: Allows printing over SMB. This is LANMAN-style
6047                      printing, not the be confused with the spoolss DCE/RPC
6048                      interface used by later versions of Windows.
6049
6050           Note that this option is only used when the NTVFS file server is in
6051           use. It is not used with the (default) s3fs file server.
6052
6053           Default: ntvfs handler = unixuid, default
6054
6055       null passwords (G)
6056
6057           Allow or disallow client access to accounts that have null
6058           passwords.
6059
6060           See also smbpasswd(5).
6061
6062           Default: null passwords = no
6063
6064       obey pam restrictions (G)
6065
6066           When Samba 3.0 is configured to enable PAM support (i.e.
6067           --with-pam), this parameter will control whether or not Samba
6068           should obey PAM's account and session management directives. The
6069           default behavior is to use PAM for clear text authentication only
6070           and to ignore any account or session management. Note that Samba
6071           always ignores PAM for authentication in the case of encrypt
6072           passwords = yes. The reason is that PAM modules cannot support the
6073           challenge/response authentication mechanism needed in the presence
6074           of SMB password encryption.
6075
6076           Default: obey pam restrictions = no
6077
6078       old password allowed period (G)
6079
6080           Number of minutes to permit an NTLM login after a password change
6081           or reset using the old password. This allows the user to re-cache
6082           the new password on multiple clients without disrupting a network
6083           reconnection in the meantime.
6084
6085           This parameter only applies when server role is set to Active
6086           Directory Domain Controller
6087
6088           Default: old password allowed period = 60
6089
6090       oplock break wait time (G)
6091
6092           This is a tuning parameter added due to bugs in both Windows 9x and
6093           WinNT. If Samba responds to a client too quickly when that client
6094           issues an SMB that can cause an oplock break request, then the
6095           network client can fail and not respond to the break request. This
6096           tuning parameter (which is set in milliseconds) is the amount of
6097           time Samba will wait before sending an oplock break request to such
6098           (broken) clients.
6099
6100               Warning
6101               DO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ AND
6102               UNDERSTOOD THE SAMBA OPLOCK CODE.
6103           Default: oplock break wait time = 0
6104
6105       oplocks (S)
6106
6107           This boolean option tells smbd whether to issue oplocks
6108           (opportunistic locks) to file open requests on this share. The
6109           oplock code can dramatically (approx. 30% or more) improve the
6110           speed of access to files on Samba servers. It allows the clients to
6111           aggressively cache files locally and you may want to disable this
6112           option for unreliable network environments (it is turned on by
6113           default in Windows NT Servers).
6114
6115           Oplocks may be selectively turned off on certain files with a
6116           share. See the veto oplock files parameter. On some systems oplocks
6117           are recognized by the underlying operating system. This allows data
6118           synchronization between all access to oplocked files, whether it be
6119           via Samba or NFS or a local UNIX process. See the kernel oplocks
6120           parameter for details.
6121
6122           Default: oplocks = yes
6123
6124       os2 driver map (G)
6125
6126           The parameter is used to define the absolute path to a file
6127           containing a mapping of Windows NT printer driver names to OS/2
6128           printer driver names. The format is:
6129
6130           <nt driver name> = <os2 driver name>.<device name>
6131
6132           For example, a valid entry using the HP LaserJet 5 printer driver
6133           would appear as HP LaserJet 5L = LASERJET.HP LaserJet 5L.
6134
6135           The need for the file is due to the printer driver namespace
6136           problem described in the chapter on Classical Printing in the
6137           Samba3-HOWTO book. For more details on OS/2 clients, please refer
6138           to chapter on other clients in the Samba3-HOWTO book.
6139
6140           Default: os2 driver map =
6141
6142       os level (G)
6143
6144           This integer value controls what level Samba advertises itself as
6145           for browse elections. The value of this parameter determines
6146           whether nmbd(8) has a chance of becoming a local master browser for
6147           the workgroup in the local broadcast area.
6148
6149            Note: By default, Samba will win a local master browsing election
6150           over all Microsoft operating systems except a Windows NT 4.0/2000
6151           Domain Controller. This means that a misconfigured Samba host can
6152           effectively isolate a subnet for browsing purposes. This parameter
6153           is largely auto-configured in the Samba-3 release series and it is
6154           seldom necessary to manually override the default setting. Please
6155           refer to the chapter on Network Browsing in the Samba-3 HOWTO
6156           document for further information regarding the use of this
6157           parameter.  Note: The maximum value for this parameter is 255. If
6158           you use higher values, counting will start at 0!
6159
6160           Default: os level = 20
6161
6162           Example: os level = 65
6163
6164       pam password change (G)
6165
6166           With the addition of better PAM support in Samba 2.2, this
6167           parameter, it is possible to use PAM's password change control flag
6168           for Samba. If enabled, then PAM will be used for password changes
6169           when requested by an SMB client instead of the program listed in
6170           passwd program. It should be possible to enable this without
6171           changing your passwd chat parameter for most setups.
6172
6173           Default: pam password change = no
6174
6175       panic action (G)
6176
6177           This is a Samba developer option that allows a system command to be
6178           called when either smbd(8) or nmbd(8) crashes. This is usually used
6179           to draw attention to the fact that a problem occurred.
6180
6181           Default: panic action =
6182
6183           Example: panic action = "/bin/sleep 90000"
6184
6185       passdb backend (G)
6186
6187           This option allows the administrator to chose which backend will be
6188           used for storing user and possibly group information. This allows
6189           you to swap between different storage mechanisms without recompile.
6190
6191           The parameter value is divided into two parts, the backend's name,
6192           and a 'location' string that has meaning only to that particular
6193           backed. These are separated by a : character.
6194
6195           Available backends can include:
6196
6197                  ·   smbpasswd - The old plaintext passdb backend. Some Samba
6198                      features will not work if this passdb backend is used.
6199                      Takes a path to the smbpasswd file as an optional
6200                      argument.
6201
6202                  ·   tdbsam - The TDB based password storage backend. Takes a
6203                      path to the TDB as an optional argument (defaults to
6204                      passdb.tdb in the private dir directory.
6205
6206                  ·   ldapsam - The LDAP based passdb backend. Takes an LDAP
6207                      URL as an optional argument (defaults to
6208                      ldap://localhost)
6209
6210                      LDAP connections should be secured where possible. This
6211                      may be done using either Start-TLS (see ldap ssl) or by
6212                      specifying ldaps:// in the URL argument.
6213
6214                      Multiple servers may also be specified in double-quotes.
6215                      Whether multiple servers are supported or not and the
6216                      exact syntax depends on the LDAP library you use.
6217
6218
6219                Examples of use are:
6220
6221               passdb backend = tdbsam:/etc/samba/private/passdb.tdb
6222
6223               or multi server LDAP URL with OpenLDAP library:
6224
6225               passdb backend = ldapsam:"ldap://ldap-1.example.com ldap://ldap-2.example.com"
6226
6227               or multi server LDAP URL with Netscape based LDAP library:
6228
6229               passdb backend = ldapsam:"ldap://ldap-1.example.com ldap-2.example.com"
6230
6231           Default: passdb backend = tdbsam
6232
6233       passdb expand explicit (G)
6234
6235           This parameter controls whether Samba substitutes %-macros in the
6236           passdb fields if they are explicitly set. We used to expand macros
6237           here, but this turned out to be a bug because the Windows client
6238           can expand a variable %G_osver% in which %G would have been
6239           substituted by the user's primary group.
6240
6241           Default: passdb expand explicit = no
6242
6243       passwd chat (G)
6244
6245           This string controls the "chat" conversation that takes places
6246           between smbd(8) and the local password changing program to change
6247           the user's password. The string describes a sequence of
6248           response-receive pairs that smbd(8) uses to determine what to send
6249           to the passwd program and what to expect back. If the expected
6250           output is not received then the password is not changed.
6251
6252           This chat sequence is often quite site specific, depending on what
6253           local methods are used for password control (such as NIS etc).
6254
6255           Note that this parameter only is used if the unix password sync
6256           parameter is set to yes. This sequence is then called AS ROOT when
6257           the SMB password in the smbpasswd file is being changed, without
6258           access to the old password cleartext. This means that root must be
6259           able to reset the user's password without knowing the text of the
6260           previous password. In the presence of NIS/YP, this means that the
6261           passwd program must be executed on the NIS master.
6262
6263           The string can contain the macro %n which is substituted for the
6264           new password. The old passsword (%o) is only available when encrypt
6265           passwords has been disabled. The chat sequence can also contain the
6266           standard macros \n, \r, \t and \s to give line-feed,
6267           carriage-return, tab and space. The chat sequence string can also
6268           contain a '*' which matches any sequence of characters. Double
6269           quotes can be used to collect strings with spaces in them into a
6270           single string.
6271
6272           If the send string in any part of the chat sequence is a full stop
6273           ".", then no string is sent. Similarly, if the expect string is a
6274           full stop then no string is expected.
6275
6276           If the pam password change parameter is set to yes, the chat pairs
6277           may be matched in any order, and success is determined by the PAM
6278           result, not any particular output. The \n macro is ignored for PAM
6279           conversions.
6280
6281           Default: passwd chat = *new*password* %n\n *new*password* %n\n
6282           *changed*
6283
6284           Example: passwd chat = "*Enter NEW password*" %n\n "*Reenter NEW
6285           password*" %n\n "*Password changed*"
6286
6287       passwd chat debug (G)
6288
6289           This boolean specifies if the passwd chat script parameter is run
6290           in debug mode. In this mode the strings passed to and received from
6291           the passwd chat are printed in the smbd(8) log with a debug level
6292           of 100. This is a dangerous option as it will allow plaintext
6293           passwords to be seen in the smbd log. It is available to help Samba
6294           admins debug their passwd chat scripts when calling the passwd
6295           program and should be turned off after this has been done. This
6296           option has no effect if the pam password change parameter is set.
6297           This parameter is off by default.
6298
6299           Default: passwd chat debug = no
6300
6301       passwd chat timeout (G)
6302
6303           This integer specifies the number of seconds smbd will wait for an
6304           initial answer from a passwd chat script being run. Once the
6305           initial answer is received the subsequent answers must be received
6306           in one tenth of this time. The default it two seconds.
6307
6308           Default: passwd chat timeout = 2
6309
6310       passwd program (G)
6311
6312           The name of a program that can be used to set UNIX user passwords.
6313           Any occurrences of %u will be replaced with the user name. The user
6314           name is checked for existence before calling the password changing
6315           program.
6316
6317           Also note that many passwd programs insist in reasonable passwords,
6318           such as a minimum length, or the inclusion of mixed case chars and
6319           digits. This can pose a problem as some clients (such as Windows
6320           for Workgroups) uppercase the password before sending it.
6321
6322           Note that if the unix password sync parameter is set to yes then
6323           this program is called AS ROOT before the SMB password in the
6324           smbpasswd file is changed. If this UNIX password change fails, then
6325           smbd will fail to change the SMB password also (this is by design).
6326
6327           If the unix password sync parameter is set this parameter MUST USE
6328           ABSOLUTE PATHS for ALL programs called, and must be examined for
6329           security implications. Note that by default unix password sync is
6330           set to no.
6331
6332           Default: passwd program =
6333
6334           Example: passwd program = /bin/passwd %u
6335
6336       password hash gpg key ids (G)
6337
6338           If samba is running as an active directory domain controller, it is
6339           possible to store the cleartext password of accounts in a
6340           PGP/OpenGPG encrypted form.
6341
6342           You can specify one or more recipients by key id or user id. Note
6343           that 32bit key ids are not allowed, specify at least 64bit.
6344
6345           The value is stored as 'Primary:SambaGPG' in the
6346           supplementalCredentials attribute.
6347
6348           As password changes can occur on any domain controller, you should
6349           configure this on each of them. Note that this feature is currently
6350           available only on Samba domain controllers.
6351
6352           This option is only available if samba was compiled with gpgme
6353           support.
6354
6355           You may need to export the GNUPGHOME environment variable before
6356           starting samba.  It is strongly recommended to only store the
6357           public key in this location. The private key is not used for
6358           encryption and should be only stored where decryption is required.
6359
6360           Being able to restore the cleartext password helps, when they need
6361           to be imported into other authentication systems later (see
6362           samba-tool user getpassword) or you want to keep the passwords in
6363           sync with another system, e.g. an OpenLDAP server (see samba-tool
6364           user syncpasswords).
6365
6366           While this option needs to be configured on all domain controllers,
6367           the samba-tool user syncpasswords command should run on a single
6368           domain controller only (typically the PDC-emulator).
6369
6370           Default: password hash gpg key ids =
6371
6372           Example: password hash gpg key ids = 4952E40301FAB41A
6373
6374           Example: password hash gpg key ids = selftest@samba.example.com
6375
6376           Example: password hash gpg key ids = selftest@samba.example.com,
6377           4952E40301FAB41A
6378
6379       password hash userPassword schemes (G)
6380
6381           This parameter determines whether or not samba(8) acting as an
6382           Active Directory Domain Controller will attempt to store additional
6383           passwords hash types for the user
6384
6385           The values are stored as 'Primary:userPassword' in the
6386           supplementalCredentials attribute. The value of this option is a
6387           hash type.
6388
6389           The currently supported hash types are:
6390
6391                  ·   CryptSHA256
6392
6393                  ·   CryptSHA512
6394
6395           Multiple instances of a hash type may be computed and stored. The
6396           password hashes are calculated using the crypt(3) call. The number
6397           of rounds used to compute the hash can be specified by adding
6398           ':rounds=xxxx' to the hash type, i.e. CryptSHA512:rounds=4500 would
6399           calculate an SHA512 hash using 4500 rounds. If not specified the
6400           Operating System defaults for crypt(3) are used.
6401
6402           As password changes can occur on any domain controller, you should
6403           configure this on each of them. Note that this feature is currently
6404           available only on Samba domain controllers.
6405
6406           Currently the NT Hash of the password is recorded when these hashes
6407           are calculated and stored. When retrieving the hashes the current
6408           value of the NT Hash is checked against the stored NT Hash. This
6409           detects password changes that have not updated the password hashes.
6410           In this case samba-tool user will ignore the stored hash values.
6411
6412           Being able to obtain the hashed password helps, when they need to
6413           be imported into other authentication systems later (see samba-tool
6414           user getpassword) or you want to keep the passwords in sync with
6415           another system, e.g. an OpenLDAP server (see samba-tool user
6416           syncpasswords).
6417
6418           Related command: unix password sync
6419
6420           Default: password hash userPassword schemes =
6421
6422           Example: password hash userPassword schemes = CryptSHA256
6423
6424           Example: password hash userPassword schemes = CryptSHA256
6425           CryptSHA512
6426
6427           Example: password hash userPassword schemes =
6428           CryptSHA256:rounds=5000 CryptSHA512:rounds=7000
6429
6430       password server (G)
6431
6432           By specifying the name of a domain controller with this option, and
6433           using security = [ads|domain] it is possible to get Samba to do all
6434           its username/password validation using a specific remote server.
6435
6436           Ideally, this option should not be used, as the default '*'
6437           indicates to Samba to determine the best DC to contact dynamically,
6438           just as all other hosts in an AD domain do. This allows the domain
6439           to be maintained (addition and removal of domain controllers)
6440           without modification to the smb.conf file. The cryptographic
6441           protection on the authenticated RPC calls used to verify passwords
6442           ensures that this default is safe.
6443
6444           It is strongly recommended that you use the default of '*', however
6445           if in your particular environment you have reason to specify a
6446           particular DC list, then the list of machines in this option must
6447           be a list of names or IP addresses of Domain controllers for the
6448           Domain. If you use the default of '*', or list several hosts in the
6449           password server option then smbd will try each in turn till it
6450           finds one that responds. This is useful in case your primary server
6451           goes down.
6452
6453           If the list of servers contains both names/IP's and the '*'
6454           character, the list is treated as a list of preferred domain
6455           controllers, but an auto lookup of all remaining DC's will be added
6456           to the list as well. Samba will not attempt to optimize this list
6457           by locating the closest DC.
6458
6459           If parameter is a name, it is looked up using the parameter name
6460           resolve order and so may resolved by any method and order described
6461           in that parameter.
6462
6463           Default: password server = *
6464
6465           Example: password server = NT-PDC, NT-BDC1, NT-BDC2, *
6466
6467           Example: password server = windc.mydomain.com:389 192.168.1.101 *
6468
6469       directory
6470
6471           This parameter is a synonym for path.
6472
6473       path (S)
6474
6475           This parameter specifies a directory to which the user of the
6476           service is to be given access. In the case of printable services,
6477           this is where print data will spool prior to being submitted to the
6478           host for printing.
6479
6480           For a printable service offering guest access, the service should
6481           be readonly and the path should be world-writeable and have the
6482           sticky bit set. This is not mandatory of course, but you probably
6483           won't get the results you expect if you do otherwise.
6484
6485           Any occurrences of %u in the path will be replaced with the UNIX
6486           username that the client is using on this connection. Any
6487           occurrences of %m will be replaced by the NetBIOS name of the
6488           machine they are connecting from. These replacements are very
6489           useful for setting up pseudo home directories for users.
6490
6491           Note that this path will be based on root dir if one was specified.
6492
6493           Default: path =
6494
6495           Example: path = /home/fred
6496
6497       perfcount module (G)
6498
6499           This parameter specifies the perfcount backend to be used when
6500           monitoring SMB operations. Only one perfcount module may be used,
6501           and it must implement all of the apis contained in the
6502           smb_perfcount_handler structure defined in smb.h.
6503
6504           No default
6505
6506       pid directory (G)
6507
6508           This option specifies the directory where pid files will be placed.
6509
6510           Default: pid directory = /run
6511
6512           Example: pid directory = /var/run/
6513
6514       posix locking (S)
6515
6516           The smbd(8) daemon maintains an database of file locks obtained by
6517           SMB clients. The default behavior is to map this internal database
6518           to POSIX locks. This means that file locks obtained by SMB clients
6519           are consistent with those seen by POSIX compliant applications
6520           accessing the files via a non-SMB method (e.g. NFS or local file
6521           access). It is very unlikely that you need to set this parameter to
6522           "no", unless you are sharing from an NFS mount, which is not a good
6523           idea in the first place.
6524
6525           Default: posix locking = yes
6526
6527       postexec (S)
6528
6529           This option specifies a command to be run whenever the service is
6530           disconnected. It takes the usual substitutions. The command may be
6531           run as the root on some systems.
6532
6533           An interesting example may be to unmount server resources:
6534
6535           postexec = /etc/umount /cdrom
6536
6537           Default: postexec =
6538
6539           Example: postexec = echo \"%u disconnected from %S from %m (%I)\"
6540           >> /tmp/log
6541
6542       exec
6543
6544           This parameter is a synonym for preexec.
6545
6546       preexec (S)
6547
6548           This option specifies a command to be run whenever the service is
6549           connected to. It takes the usual substitutions.
6550
6551           An interesting example is to send the users a welcome message every
6552           time they log in. Maybe a message of the day? Here is an example:
6553
6554           preexec = csh -c 'echo \"Welcome to %S!\" |
6555           /usr/local/samba/bin/smbclient -M %m -I %I' &
6556
6557           Of course, this could get annoying after a while :-)
6558
6559           See also preexec close and postexec.
6560
6561           Default: preexec =
6562
6563           Example: preexec = echo \"%u connected to %S from %m (%I)\" >>
6564           /tmp/log
6565
6566       preexec close (S)
6567
6568           This boolean option controls whether a non-zero return code from
6569           preexec should close the service being connected to.
6570
6571           Default: preexec close = no
6572
6573       prefered master
6574
6575           This parameter is a synonym for preferred master.
6576
6577       preferred master (G)
6578
6579           This boolean parameter controls if nmbd(8) is a preferred master
6580           browser for its workgroup.
6581
6582           If this is set to yes, on startup, nmbd will force an election, and
6583           it will have a slight advantage in winning the election. It is
6584           recommended that this parameter is used in conjunction with domain
6585           master = yes, so that nmbd can guarantee becoming a domain master.
6586
6587           Use this option with caution, because if there are several hosts
6588           (whether Samba servers, Windows 95 or NT) that are preferred master
6589           browsers on the same subnet, they will each periodically and
6590           continuously attempt to become the local master browser. This will
6591           result in unnecessary broadcast traffic and reduced browsing
6592           capabilities.
6593
6594           Default: preferred master = auto
6595
6596       prefork backoff increment (G)
6597
6598           This option specifies the number of seconds added to the delay
6599           before a prefork master or worker process is restarted. The restart
6600           is initially zero, the prefork backoff increment is added to the
6601           delay on each restart up to the value specified by "prefork maximum
6602           backoff".
6603
6604           Additionally the the backoff for an individual service by using
6605           "prefork backoff increment: service name" i.e. "prefork backoff
6606           increment:ldap = 2" to set the backoff increment to 2.
6607
6608           If the backoff increment is 2 and the maximum backoff is 5. There
6609           will be a zero second delay for the first restart. A two second
6610           delay for the second restart. A four second delay for the third and
6611           any subsequent restarts
6612
6613           Default: prefork backoff increment = 10
6614
6615       prefork children (G)
6616
6617           This option controls the number of worker processes that are
6618           started for each service when prefork process model is enabled (see
6619           samba(8) -M) The prefork children are only started for those
6620           services that support prefork (currently ldap, kdc and netlogon).
6621           For processes that don't support preforking all requests are
6622           handled by a single process for that service.
6623
6624           This should be set to a small multiple of the number of CPU's
6625           available on the server
6626
6627           Additionally the number of prefork children can be specified for an
6628           individual service by using "prefork children: service name" i.e.
6629           "prefork children:ldap = 8" to set the number of ldap worker
6630           processes.
6631
6632           Default: prefork children = 4
6633
6634       prefork maximum backoff (G)
6635
6636           This option controls the maximum delay before a failed pre-fork
6637           process is restarted.
6638
6639           Default: prefork maximum backoff = 120
6640
6641       preload modules (G)
6642
6643           This is a list of paths to modules that should be loaded into smbd
6644           before a client connects. This improves the speed of smbd when
6645           reacting to new connections somewhat.
6646
6647           Default: preload modules =
6648
6649           Example: preload modules = /usr/lib/samba/passdb/mysql.so
6650
6651       preserve case (S)
6652
6653           This controls if new filenames are created with the case that the
6654           client passes, or if they are forced to be the default case.
6655
6656           See the section on NAME MANGLING for a fuller discussion.
6657
6658           Default: preserve case = yes
6659
6660       print ok
6661
6662           This parameter is a synonym for printable.
6663
6664       printable (S)
6665
6666           If this parameter is yes, then clients may open, write to and
6667           submit spool files on the directory specified for the service.
6668
6669           Note that a printable service will ALWAYS allow writing to the
6670           service path (user privileges permitting) via the spooling of print
6671           data. The read only parameter controls only non-printing access to
6672           the resource.
6673
6674           Default: printable = no
6675
6676       printcap cache time (G)
6677
6678           This option specifies the number of seconds before the printing
6679           subsystem is again asked for the known printers.
6680
6681           Setting this parameter to 0 disables any rescanning for new or
6682           removed printers after the initial startup.
6683
6684           Default: printcap cache time = 750
6685
6686           Example: printcap cache time = 600
6687
6688       printcap
6689
6690           This parameter is a synonym for printcap name.
6691
6692       printcap name (G)
6693
6694           This parameter may be used to override the compiled-in default
6695           printcap name used by the server (usually /etc/printcap). See the
6696           discussion of the [printers] section above for reasons why you
6697           might want to do this.
6698
6699           To use the CUPS printing interface set printcap name = cups. This
6700           should be supplemented by an additional setting printing = cups in
6701           the [global] section.  printcap name = cups will use the "dummy"
6702           printcap created by CUPS, as specified in your CUPS configuration
6703           file.
6704
6705           On System V systems that use lpstat to list available printers you
6706           can use printcap name = lpstat to automatically obtain lists of
6707           available printers. This is the default for systems that define
6708           SYSV at configure time in Samba (this includes most System V based
6709           systems). If
6710            printcap name is set to lpstat on these systems then Samba will
6711           launch lpstat -v and attempt to parse the output to obtain a
6712           printer list.
6713
6714           A minimal printcap file would look something like this:
6715
6716               print1|My Printer 1
6717               print2|My Printer 2
6718               print3|My Printer 3
6719               print4|My Printer 4
6720               print5|My Printer 5
6721
6722           where the '|' separates aliases of a printer. The fact that the
6723           second alias has a space in it gives a hint to Samba that it's a
6724           comment.
6725
6726               Note
6727               Under AIX the default printcap name is /etc/qconfig. Samba will
6728               assume the file is in AIX qconfig format if the string qconfig
6729               appears in the printcap filename.
6730           Default: printcap name = /etc/printcap
6731
6732           Example: printcap name = /etc/myprintcap
6733
6734       print command (S)
6735
6736           After a print job has finished spooling to a service, this command
6737           will be used via a system() call to process the spool file.
6738           Typically the command specified will submit the spool file to the
6739           host's printing subsystem, but there is no requirement that this be
6740           the case. The server will not remove the spool file, so whatever
6741           command you specify should remove the spool file when it has been
6742           processed, otherwise you will need to manually remove old spool
6743           files.
6744
6745           The print command is simply a text string. It will be used verbatim
6746           after macro substitutions have been made:
6747
6748           %s, %f - the path to the spool file name
6749
6750           %p - the appropriate printer name
6751
6752           %J - the job name as transmitted by the client.
6753
6754           %c - The number of printed pages of the spooled job (if known).
6755
6756           %z - the size of the spooled print job (in bytes)
6757
6758           The print command MUST contain at least one occurrence of %s or %f
6759           - the %p is optional. At the time a job is submitted, if no printer
6760           name is supplied the %p will be silently removed from the printer
6761           command.
6762
6763           If specified in the [global] section, the print command given will
6764           be used for any printable service that does not have its own print
6765           command specified.
6766
6767           If there is neither a specified print command for a printable
6768           service nor a global print command, spool files will be created but
6769           not processed and (most importantly) not removed.
6770
6771           Note that printing may fail on some UNIXes from the nobody account.
6772           If this happens then create an alternative guest account that can
6773           print and set the guest account in the [global] section.
6774
6775           You can form quite complex print commands by realizing that they
6776           are just passed to a shell. For example the following will log a
6777           print job, print the file, then remove it. Note that ';' is the
6778           usual separator for command in shell scripts.
6779
6780           print command = echo Printing %s >> /tmp/print.log; lpr -P %p %s;
6781           rm %s
6782
6783           You may have to vary this command considerably depending on how you
6784           normally print files on your system. The default for the parameter
6785           varies depending on the setting of the printing parameter.
6786
6787           Default: For printing = BSD, AIX, QNX, LPRNG or PLP :
6788
6789           print command = lpr -r -P%p %s
6790
6791           For printing = SYSV or HPUX :
6792
6793           print command = lp -c -d%p %s; rm %s
6794
6795           For printing = SOFTQ :
6796
6797           print command = lp -d%p -s %s; rm %s
6798
6799           For printing = CUPS : If SAMBA is compiled against libcups, then
6800           printcap = cups uses the CUPS API to submit jobs, etc. Otherwise it
6801           maps to the System V commands with the -oraw option for printing,
6802           i.e. it uses lp -c -d%p -oraw; rm %s. With printing = cups, and if
6803           SAMBA is compiled against libcups, any manually set print command
6804           will be ignored.
6805
6806           No default
6807
6808           Example: print command = /usr/local/samba/bin/myprintscript %p %s
6809
6810       printer
6811
6812           This parameter is a synonym for printer name.
6813
6814       printer name (S)
6815
6816           This parameter specifies the name of the printer to which print
6817           jobs spooled through a printable service will be sent.
6818
6819           If specified in the [global] section, the printer name given will
6820           be used for any printable service that does not have its own
6821           printer name specified.
6822
6823           The default value of the printer name may be lp on many systems.
6824
6825           Default: printer name =
6826
6827           Example: printer name = laserwriter
6828
6829       printing (S)
6830
6831           This parameters controls how printer status information is
6832           interpreted on your system. It also affects the default values for
6833           the print command, lpq command, lppause command , lpresume command,
6834           and lprm command if specified in the [global] section.
6835
6836           Currently nine printing styles are supported. They are BSD, AIX,
6837           LPRNG, PLP, SYSV, HPUX, QNX, SOFTQ, CUPS and IPRINT.
6838
6839           Be aware that CUPS and IPRINT are only available if the CUPS
6840           development library was available at the time Samba was compiled or
6841           packaged.
6842
6843           To see what the defaults are for the other print commands when
6844           using the various options use the testparm(1) program.
6845
6846           This option can be set on a per printer basis. Please be aware
6847           however, that you must place any of the various printing commands
6848           (e.g. print command, lpq command, etc...) after defining the value
6849           for the printing option since it will reset the printing commands
6850           to default values.
6851
6852           See also the discussion in the [printers] section.
6853
6854           See testparm -v.  for the default value on your system
6855
6856           Default: printing =  # Depends on the operating system
6857
6858       printjob username (S)
6859
6860           This parameter specifies which user information will be passed to
6861           the printing system. Usually, the username is sent, but in some
6862           cases, e.g. the domain prefix is useful, too.
6863
6864           Default: printjob username = %U
6865
6866           Example: printjob username = %D\%U
6867
6868       print notify backchannel (S)
6869
6870           Windows print clients can update print queue status by expecting
6871           the server to open a backchannel SMB connection to them. Due to
6872           client firewall settings this can cause considerable timeouts and
6873           will often fail, as there is no guarantee the client is even
6874           running an SMB server. By default, the Samba print server will not
6875           try to connect back to clients, and will treat corresponding
6876           requests as if the connection back to the client failed.
6877
6878           Default: print notify backchannel = no
6879
6880       private directory
6881
6882           This parameter is a synonym for private dir.
6883
6884       private dir (G)
6885
6886           This parameters defines the directory smbd will use for storing
6887           such files as smbpasswd and secrets.tdb.
6888
6889           Default: private dir = /var/lib/samba/private
6890
6891       queuepause command (S)
6892
6893           This parameter specifies the command to be executed on the server
6894           host in order to pause the printer queue.
6895
6896           This command should be a program or script which takes a printer
6897           name as its only parameter and stops the printer queue, such that
6898           no longer jobs are submitted to the printer.
6899
6900           This command is not supported by Windows for Workgroups, but can be
6901           issued from the Printers window under Windows 95 and NT.
6902
6903           If a %p is given then the printer name is put in its place.
6904           Otherwise it is placed at the end of the command.
6905
6906           Note that it is good practice to include the absolute path in the
6907           command as the PATH may not be available to the server.
6908
6909           Default: queuepause command =  # determined by printing parameter
6910
6911           Example: queuepause command = disable %p
6912
6913       queueresume command (S)
6914
6915           This parameter specifies the command to be executed on the server
6916           host in order to resume the printer queue. It is the command to
6917           undo the behavior that is caused by the previous parameter
6918           (queuepause command).
6919
6920           This command should be a program or script which takes a printer
6921           name as its only parameter and resumes the printer queue, such that
6922           queued jobs are resubmitted to the printer.
6923
6924           This command is not supported by Windows for Workgroups, but can be
6925           issued from the Printers window under Windows 95 and NT.
6926
6927           If a %p is given then the printer name is put in its place.
6928           Otherwise it is placed at the end of the command.
6929
6930           Note that it is good practice to include the absolute path in the
6931           command as the PATH may not be available to the server.
6932
6933           Default: queueresume command =  # determined by printing parameter
6934
6935           Example: queueresume command = enable %p
6936
6937       raw NTLMv2 auth (G)
6938
6939           This parameter determines whether or not smbd(8) will allow SMB1
6940           clients without extended security (without SPNEGO) to use NTLMv2
6941           authentication.
6942
6943           If this option, lanman auth and ntlm auth are all disabled, then
6944           only clients with SPNEGO support will be permitted. That means
6945           NTLMv2 is only supported within NTLMSSP.
6946
6947           Default: raw NTLMv2 auth = no
6948
6949       read list (S)
6950
6951           This is a list of users that are given read-only access to a
6952           service. If the connecting user is in this list then they will not
6953           be given write access, no matter what the read only option is set
6954           to. The list can include group names using the syntax described in
6955           the invalid users parameter.
6956
6957           Default: read list =
6958
6959           Example: read list = mary, @students
6960
6961       read only (S)
6962
6963           An inverted synonym is writeable.
6964
6965           If this parameter is yes, then users of a service may not create or
6966           modify files in the service's directory.
6967
6968           Note that a printable service (printable = yes) will ALWAYS allow
6969           writing to the directory (user privileges permitting), but only via
6970           spooling operations.
6971
6972           Default: read only = yes
6973
6974       read raw (G)
6975
6976           This is ignored if async smb echo handler is set, because this
6977           feature is incompatible with raw read SMB requests
6978
6979           If enabled, raw reads allow reads of 65535 bytes in one packet.
6980           This typically provides a major performance benefit for some very,
6981           very old clients.
6982
6983           However, some clients either negotiate the allowable block size
6984           incorrectly or are incapable of supporting larger block sizes, and
6985           for these clients you may need to disable raw reads.
6986
6987           In general this parameter should be viewed as a system tuning tool
6988           and left severely alone.
6989
6990           Default: read raw = yes
6991
6992       realm (G)
6993
6994           This option specifies the kerberos realm to use. The realm is used
6995           as the ADS equivalent of the NT4 domain. It is usually set to the
6996           DNS name of the kerberos server.
6997
6998           Default: realm =
6999
7000           Example: realm = mysambabox.mycompany.com
7001
7002       registry shares (G)
7003
7004           This turns on or off support for share definitions read from
7005           registry. Shares defined in smb.conf take precedence over shares
7006           with the same name defined in registry. See the section on
7007           registry-based configuration for details.
7008
7009           Note that this parameter defaults to no, but it is set to yes when
7010           config backend is set to registry.
7011
7012           Default: registry shares = no
7013
7014           Example: registry shares = yes
7015
7016       reject md5 clients (G)
7017
7018           This option controls whether the netlogon server (currently only in
7019           'active directory domain controller' mode), will reject clients
7020           which does not support NETLOGON_NEG_SUPPORTS_AES.
7021
7022           You can set this to yes if all domain members support aes. This
7023           will prevent downgrade attacks.
7024
7025           This option takes precedence to the 'allow nt4 crypto' option.
7026
7027           Default: reject md5 clients = no
7028
7029       reject md5 servers (G)
7030
7031           This option controls whether winbindd requires support for aes
7032           support for the netlogon secure channel.
7033
7034           The following flags will be required NETLOGON_NEG_ARCFOUR,
7035           NETLOGON_NEG_SUPPORTS_AES, NETLOGON_NEG_PASSWORD_SET2 and
7036           NETLOGON_NEG_AUTHENTICATED_RPC.
7037
7038           You can set this to yes if all domain controllers support aes. This
7039           will prevent downgrade attacks.
7040
7041           The behavior can be controlled per netbios domain by using 'reject
7042           md5 servers:NETBIOSDOMAIN = yes' as option.
7043
7044           This option takes precedence to the require strong key option.
7045
7046           Default: reject md5 servers = no
7047
7048       remote announce (G)
7049
7050           This option allows you to setup nmbd(8) to periodically announce
7051           itself to arbitrary IP addresses with an arbitrary workgroup name.
7052
7053           This is useful if you want your Samba server to appear in a remote
7054           workgroup for which the normal browse propagation rules don't work.
7055           The remote workgroup can be anywhere that you can send IP packets
7056           to.
7057
7058           For example:
7059
7060               remote announce = 192.168.2.255/SERVERS 192.168.4.255/STAFF
7061
7062           the above line would cause nmbd to announce itself to the two given
7063           IP addresses using the given workgroup names. If you leave out the
7064           workgroup name, then the one given in the workgroup parameter is
7065           used instead.
7066
7067           The IP addresses you choose would normally be the broadcast
7068           addresses of the remote networks, but can also be the IP addresses
7069           of known browse masters if your network config is that stable.
7070
7071           See the chapter on Network Browsing in the Samba-HOWTO book.
7072
7073           Default: remote announce =
7074
7075       remote browse sync (G)
7076
7077           This option allows you to setup nmbd(8) to periodically request
7078           synchronization of browse lists with the master browser of a Samba
7079           server that is on a remote segment. This option will allow you to
7080           gain browse lists for multiple workgroups across routed networks.
7081           This is done in a manner that does not work with any non-Samba
7082           servers.
7083
7084           This is useful if you want your Samba server and all local clients
7085           to appear in a remote workgroup for which the normal browse
7086           propagation rules don't work. The remote workgroup can be anywhere
7087           that you can send IP packets to.
7088
7089           For example:
7090
7091               remote browse sync = 192.168.2.255 192.168.4.255
7092
7093           the above line would cause nmbd to request the master browser on
7094           the specified subnets or addresses to synchronize their browse
7095           lists with the local server.
7096
7097           The IP addresses you choose would normally be the broadcast
7098           addresses of the remote networks, but can also be the IP addresses
7099           of known browse masters if your network config is that stable. If a
7100           machine IP address is given Samba makes NO attempt to validate that
7101           the remote machine is available, is listening, nor that it is in
7102           fact the browse master on its segment.
7103
7104           The remote browse sync may be used on networks where there is no
7105           WINS server, and may be used on disjoint networks where each
7106           network has its own WINS server.
7107
7108           Default: remote browse sync =
7109
7110       rename user script (G)
7111
7112           This is the full pathname to a script that will be run as root by
7113           smbd(8) under special circumstances described below.
7114
7115           When a user with admin authority or SeAddUserPrivilege rights
7116           renames a user (e.g.: from the NT4 User Manager for Domains), this
7117           script will be run to rename the POSIX user. Two variables, %uold
7118           and %unew, will be substituted with the old and new usernames,
7119           respectively. The script should return 0 upon successful
7120           completion, and nonzero otherwise.
7121
7122               Note
7123               The script has all responsibility to rename all the necessary
7124               data that is accessible in this posix method. This can mean
7125               different requirements for different backends. The tdbsam and
7126               smbpasswd backends will take care of the contents of their
7127               respective files, so the script is responsible only for
7128               changing the POSIX username, and other data that may required
7129               for your circumstances, such as home directory. Please also
7130               consider whether or not you need to rename the actual home
7131               directories themselves. The ldapsam backend will not make any
7132               changes, because of the potential issues with renaming the LDAP
7133               naming attribute. In this case the script is responsible for
7134               changing the attribute that samba uses (uid) for locating
7135               users, as well as any data that needs to change for other
7136               applications using the same directory.
7137           Default: rename user script =
7138
7139       require strong key (G)
7140
7141           This option controls whether winbindd requires support for md5
7142           strong key support for the netlogon secure channel.
7143
7144           The following flags will be required NETLOGON_NEG_STRONG_KEYS,
7145           NETLOGON_NEG_ARCFOUR and NETLOGON_NEG_AUTHENTICATED_RPC.
7146
7147           You can set this to no if some domain controllers only support des.
7148           This might allows weak crypto to be negotiated, may via downgrade
7149           attacks.
7150
7151           The behavior can be controlled per netbios domain by using 'require
7152           strong key:NETBIOSDOMAIN = no' as option.
7153
7154           Note for active directory domain this option is hardcoded to 'yes'
7155
7156           This option yields precedence to the reject md5 servers option.
7157
7158           This option takes precedence to the client schannel option.
7159
7160           Default: require strong key = yes
7161
7162       reset on zero vc (G)
7163
7164           This boolean option controls whether an incoming SMB1 session setup
7165           should kill other connections coming from the same IP. This matches
7166           the default Windows 2003 behaviour. Setting this parameter to yes
7167           becomes necessary when you have a flaky network and windows decides
7168           to reconnect while the old connection still has files with share
7169           modes open. These files become inaccessible over the new
7170           connection. The client sends a zero VC on the new connection, and
7171           Windows 2003 kills all other connections coming from the same IP.
7172           This way the locked files are accessible again. Please be aware
7173           that enabling this option will kill connections behind a
7174           masquerading router, and will not trigger for clients that only use
7175           SMB2 or SMB3.
7176
7177           Default: reset on zero vc = no
7178
7179       restrict anonymous (G)
7180
7181           The setting of this parameter determines whether user and group
7182           list information is returned for an anonymous connection. and
7183           mirrors the effects of the
7184
7185               HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
7186                          Control\LSA\RestrictAnonymous
7187
7188           registry key in Windows 2000 and Windows NT. When set to 0, user
7189           and group list information is returned to anyone who asks. When set
7190           to 1, only an authenticated user can retrieve user and group list
7191           information. For the value 2, supported by Windows 2000/XP and
7192           Samba, no anonymous connections are allowed at all. This can break
7193           third party and Microsoft applications which expect to be allowed
7194           to perform operations anonymously.
7195
7196           The security advantage of using restrict anonymous = 1 is dubious,
7197           as user and group list information can be obtained using other
7198           means.
7199
7200               Note
7201               The security advantage of using restrict anonymous = 2 is
7202               removed by setting guest ok = yes on any share.
7203           Default: restrict anonymous = 0
7204
7205       rndc command (G)
7206
7207           This option specifies the path to the name server control utility.
7208
7209           The rndc utility should be a part of the bind installation.
7210
7211           Default: rndc command = /usr/sbin/rndc
7212
7213           Example: rndc command = /usr/local/bind9/sbin/rndc
7214
7215       root
7216
7217           This parameter is a synonym for root directory.
7218
7219       root dir
7220
7221           This parameter is a synonym for root directory.
7222
7223       root directory (G)
7224
7225           The server will chroot() (i.e. Change its root directory) to this
7226           directory on startup. This is not strictly necessary for secure
7227           operation. Even without it the server will deny access to files not
7228           in one of the service entries. It may also check for, and deny
7229           access to, soft links to other parts of the filesystem, or attempts
7230           to use ".." in file names to access other directories (depending on
7231           the setting of the wide smbconfoptions parameter).
7232
7233           Adding a root directory entry other than "/" adds an extra level of
7234           security, but at a price. It absolutely ensures that no access is
7235           given to files not in the sub-tree specified in the root directory
7236           option, including some files needed for complete operation of the
7237           server. To maintain full operability of the server you will need to
7238           mirror some system files into the root directory tree. In
7239           particular you will need to mirror /etc/passwd (or a subset of it),
7240           and any binaries or configuration files needed for printing (if
7241           required). The set of files that must be mirrored is operating
7242           system dependent.
7243
7244           Default: root directory =
7245
7246           Example: root directory = /homes/smb
7247
7248       root postexec (S)
7249
7250           This is the same as the postexec parameter except that the command
7251           is run as root. This is useful for unmounting filesystems (such as
7252           CDROMs) after a connection is closed.
7253
7254           Default: root postexec =
7255
7256       root preexec (S)
7257
7258           This is the same as the preexec parameter except that the command
7259           is run as root. This is useful for mounting filesystems (such as
7260           CDROMs) when a connection is opened.
7261
7262           Default: root preexec =
7263
7264       root preexec close (S)
7265
7266           This is the same as the preexec close parameter except that the
7267           command is run as root.
7268
7269           Default: root preexec close = no
7270
7271       rpc big endian (G)
7272
7273           Setting this option will force the RPC client and server to
7274           transfer data in big endian.
7275
7276           If it is disabled, data will be transferred in little endian.
7277
7278           The behaviour is independent of the endianness of the host machine.
7279
7280           Default: rpc big endian = no
7281
7282       rpc_daemon:DAEMON (G)
7283
7284           Defines whether to use the embedded code or start a separate daemon
7285           for the defined rpc services. The rpc_daemon prefix must be
7286           followed by the server name, and a value.
7287
7288           Two possible values are currently supported:
7289
7290                         disabled
7291                         fork
7292
7293
7294           The classic method is to run rpc services as internal daemons
7295           embedded in smbd, therefore the external daemons are disabled by
7296           default.
7297
7298           Choosing the fork option will cause samba to fork a separate
7299           process for each daemon configured this way. Each daemon may in
7300           turn fork a number of children used to handle requests from
7301           multiple smbds and direct tcp/ip connections (if the Endpoint
7302           Mapper is enabled). Communication with smbd happens over named
7303           pipes and require that said pipes are forward to the external
7304           daemon (see rpc_server).
7305
7306           Forked RPC Daemons support dynamically forking children to handle
7307           connections. The heuristics about how many children to keep around
7308           and how fast to allow them to fork and also how many clients each
7309           child is allowed to handle concurrently is defined by parametrical
7310           options named after the daemon. Five options are currently
7311           supported:
7312
7313                         prefork_min_children
7314                         prefork_max_children
7315                         prefork_spawn_rate
7316                         prefork_max_allowed_clients
7317                         prefork_child_min_life
7318
7319
7320           To set one of these options use the following syntax:
7321
7322                    daemonname:prefork_min_children = 5
7323
7324
7325           Samba includes separate daemons for spoolss, lsarpc/lsass,
7326           netlogon, samr, FSRVP and mdssvc(Spotlight). Currently five daemons
7327           are available and they are called:
7328
7329                         epmd
7330                         lsasd
7331                         spoolssd
7332                         fssd
7333                         mdssd
7334
7335
7336           Example:
7337
7338                    rpc_daemon:spoolssd = fork
7339
7340
7341           Default: rpc_daemon:DAEMON = disabled
7342
7343       rpc_server:SERVER (G)
7344
7345           With this option you can define if a rpc service should be running
7346           internal/embedded in smbd or should be redirected to an external
7347           daemon like Samba4, the endpoint mapper daemon, the spoolss daemon
7348           or the new LSA service daemon. The rpc_server prefix must be
7349           followed by the pipe name, and a value.
7350
7351           This option can be set for each available rpc service in Samba. The
7352           following list shows all available pipe names services you can
7353           modify with this option.
7354
7355                  ·   epmapper - Endpoint Mapper
7356
7357                  ·   winreg - Remote Registry Service
7358
7359                  ·   srvsvc - Remote Server Services
7360
7361                  ·   lsarpc - Local Security Authority
7362
7363                  ·   samr - Security Account Management
7364
7365                  ·   netlogon - Netlogon Remote Protocol
7366
7367                  ·   netdfs - Settings for Distributed File System
7368
7369                  ·   dssetup - Active Directory Setup
7370
7371                  ·   wkssvc - Workstation Services
7372
7373                  ·   spoolss - Network Printing Spooler
7374
7375                  ·   svcctl - Service Control
7376
7377                  ·   ntsvcs - Plug and Play Services
7378
7379                  ·   eventlog - Event Logger
7380
7381                  ·   initshutdown - Init Shutdown Service
7382
7383                  ·   mdssvc - Spotlight
7384
7385           Three possible values currently supported are: embedded external
7386           disabled
7387
7388           The classic method is to run every pipe as an internal function
7389           embedded in smbd. The defaults may vary depending on the service.
7390
7391           Choosing the external option allows one to run a separate daemon or
7392           even a completely independent (3rd party) server capable of
7393           interfacing with samba via the MS-RPC interface over named pipes.
7394
7395           Currently in Samba3 we support four daemons, spoolssd, epmd, lsasd
7396           and mdssd. These daemons can be enabled using the rpc_daemon
7397           option. For spoolssd you have to enable the daemon and proxy the
7398           named pipe with:
7399
7400           Examples:
7401
7402                              rpc_daemon:lsasd = fork
7403                              rpc_server:lsarpc = external
7404                              rpc_server:samr = external
7405                              rpc_server:netlogon = external
7406
7407                              rpc_server:spoolss = external
7408                              rpc_server:epmapper = disabled
7409
7410                              rpc_daemon:mdssd = fork
7411                              rpc_server:mdssvc = external
7412
7413
7414           There is one special option which allows you to enable rpc services
7415           to listen for ncacn_ip_tcp connections too. Currently this is only
7416           used for testing and doesn't scale!
7417
7418                              rpc_server:tcpip = yes
7419
7420
7421           Default: rpc_server:SERVER = embedded
7422
7423       rpc server dynamic port range (G)
7424
7425           This parameter tells the RPC server which port range it is allowed
7426           to use to create a listening socket for LSA, SAM, Netlogon and
7427           others without wellknown tcp ports. The first value is the lowest
7428           number of the port range and the second the hightest.
7429
7430           This applies to RPC servers in all server roles.
7431
7432           Default: rpc server dynamic port range = 49152-65535
7433
7434       rpc server port (G)
7435
7436           Specifies which port the server should listen on for DCE/RPC over
7437           TCP/IP traffic.
7438
7439           This controls the default port for all protocols, except for
7440           NETLOGON.
7441
7442           If unset, the first available port from rpc server dynamic port
7443           range is used, e.g. 49152.
7444
7445           The NETLOGON server will use the next available port, e.g. 49153.
7446           To change this port use (eg) rpc server port:netlogon = 4000.
7447
7448           Furthermore, all RPC servers can have the port they use specified
7449           independenty, with (for example) rpc server port:drsuapi = 5000.
7450
7451           This option applies currently only when samba(8) runs as an active
7452           directory domain controller.
7453
7454           The default value 0 causes Samba to select the first available port
7455           from rpc server dynamic port range.
7456
7457           Default: rpc server port = 0
7458
7459       samba kcc command (G)
7460
7461           This option specifies the path to the Samba KCC command. This
7462           script is used for replication topology replication.
7463
7464           It should not be necessary to modify this option except for testing
7465           purposes or if the samba_kcc was installed in a non-default
7466           location.
7467
7468           Default: samba kcc command =
7469           /builddir/build/BUILD/samba-4.10.4/source4/scripting/bin/samba_kcc
7470
7471           Example: samba kcc command = /usr/local/bin/kcc
7472
7473       security (G)
7474
7475           This option affects how clients respond to Samba and is one of the
7476           most important settings in the smb.conf file.
7477
7478           The default is security = user, as this is the most common setting,
7479           used for a standalone file server or a DC.
7480
7481           The alternatives are security = ads or security = domain, which
7482           support joining Samba to a Windows domain
7483
7484           You should use security = user and map to guest if you want to
7485           mainly setup shares without a password (guest shares). This is
7486           commonly used for a shared printer server.
7487
7488           The different settings will now be explained.
7489
7490           SECURITY = AUTO
7491
7492           This is the default security setting in Samba, and causes Samba to
7493           consult the server role parameter (if set) to determine the
7494           security mode.
7495
7496           SECURITY = USER
7497
7498           If server role is not specified, this is the default security
7499           setting in Samba. With user-level security a client must first
7500           "log-on" with a valid username and password (which can be mapped
7501           using the username map parameter). Encrypted passwords (see the
7502           encrypted passwords parameter) can also be used in this security
7503           mode. Parameters such as user and guest only if set are then
7504           applied and may change the UNIX user to use on this connection, but
7505           only after the user has been successfully authenticated.
7506
7507           Note that the name of the resource being requested is not sent to
7508           the server until after the server has successfully authenticated
7509           the client. This is why guest shares don't work in user level
7510           security without allowing the server to automatically map unknown
7511           users into the guest account. See the map to guest parameter for
7512           details on doing this.
7513
7514           SECURITY = DOMAIN
7515
7516           This mode will only work correctly if net(8) has been used to add
7517           this machine into a Windows NT Domain. It expects the encrypted
7518           passwords parameter to be set to yes. In this mode Samba will try
7519           to validate the username/password by passing it to a Windows NT
7520           Primary or Backup Domain Controller, in exactly the same way that a
7521           Windows NT Server would do.
7522
7523           Note that a valid UNIX user must still exist as well as the account
7524           on the Domain Controller to allow Samba to have a valid UNIX
7525           account to map file access to.
7526
7527           Note that from the client's point of view security = domain is the
7528           same as security = user. It only affects how the server deals with
7529           the authentication, it does not in any way affect what the client
7530           sees.
7531
7532           Note that the name of the resource being requested is not sent to
7533           the server until after the server has successfully authenticated
7534           the client. This is why guest shares don't work in user level
7535           security without allowing the server to automatically map unknown
7536           users into the guest account. See the map to guest parameter for
7537           details on doing this.
7538
7539           See also the password server parameter and the encrypted passwords
7540           parameter.
7541
7542           SECURITY = ADS
7543
7544           In this mode, Samba will act as a domain member in an ADS realm. To
7545           operate in this mode, the machine running Samba will need to have
7546           Kerberos installed and configured and Samba will need to be joined
7547           to the ADS realm using the net utility.
7548
7549           Note that this mode does NOT make Samba operate as a Active
7550           Directory Domain Controller.
7551
7552           Note that this forces require strong key = yes and client schannel
7553           = yes for the primary domain.
7554
7555           Read the chapter about Domain Membership in the HOWTO for details.
7556
7557           Default: security = AUTO
7558
7559           Example: security = DOMAIN
7560
7561       security mask (S)
7562
7563           This parameter has been removed for Samba 4.0.0.
7564
7565           No default
7566
7567       max protocol
7568
7569           This parameter is a synonym for server max protocol.
7570
7571       protocol
7572
7573           This parameter is a synonym for server max protocol.
7574
7575       server max protocol (G)
7576
7577           The value of the parameter (a string) is the highest protocol level
7578           that will be supported by the server.
7579
7580           Possible values are :
7581
7582                  ·   LANMAN1: First modern version of the protocol. Long
7583                      filename support.
7584
7585                  ·   LANMAN2: Updates to Lanman1 protocol.
7586
7587                  ·   NT1: Current up to date version of the protocol. Used by
7588                      Windows NT. Known as CIFS.
7589
7590                  ·   SMB2: Re-implementation of the SMB protocol. Used by
7591                      Windows Vista and later versions of Windows. SMB2 has
7592                      sub protocols available.
7593
7594                             ·   SMB2_02: The earliest SMB2 version.
7595
7596                             ·   SMB2_10: Windows 7 SMB2 version.
7597
7598                             ·   SMB2_22: Early Windows 8 SMB2 version.
7599
7600                             ·   SMB2_24: Windows 8 beta SMB2 version.
7601
7602                      By default SMB2 selects the SMB2_10 variant.
7603
7604                  ·   SMB3: The same as SMB2. Used by Windows 8. SMB3 has sub
7605                      protocols available.
7606
7607                             ·   SMB3_00: Windows 8 SMB3 version. (mostly the
7608                                 same as SMB2_24)
7609
7610                             ·   SMB3_02: Windows 8.1 SMB3 version.
7611
7612                             ·   SMB3_10: early Windows 10 technical preview
7613                                 SMB3 version.
7614
7615                             ·   SMB3_11: Windows 10 technical preview SMB3
7616                                 version (maybe final).
7617
7618                      By default SMB3 selects the SMB3_11 variant.
7619
7620           Normally this option should not be set as the automatic negotiation
7621           phase in the SMB protocol takes care of choosing the appropriate
7622           protocol.
7623
7624           Default: server max protocol = SMB3
7625
7626           Example: server max protocol = LANMAN1
7627
7628       min protocol
7629
7630           This parameter is a synonym for server min protocol.
7631
7632       server min protocol (G)
7633
7634           This setting controls the minimum protocol version that the server
7635           will allow the client to use.
7636
7637           Normally this option should not be set as the automatic negotiation
7638           phase in the SMB protocol takes care of choosing the appropriate
7639           protocol.
7640
7641           See Related command: server max protocol for a full list of
7642           available protocols.
7643
7644           Default: server min protocol = LANMAN1
7645
7646           Example: server min protocol = NT1
7647
7648       server multi channel support (G)
7649
7650           This boolean parameter controls whether smbd(8) will support SMB3
7651           multi-channel.
7652
7653           This parameter was added with version 4.4.
7654
7655           Warning: Note that this feature is still considered experimental.
7656           Use it at your own risk: Even though it may seem to work well in
7657           testing, it may result in data corruption under some race
7658           conditions. Future releases may improve this situation.
7659
7660           Default: server multi channel support = no
7661
7662       server role (G)
7663
7664           This option determines the basic operating mode of a Samba server
7665           and is one of the most important settings in the smb.conf file.
7666
7667           The default is server role = auto, as causes Samba to operate
7668           according to the security setting, or if not specified as a simple
7669           file server that is not connected to any domain.
7670
7671           The alternatives are server role = standalone or server role =
7672           member server, which support joining Samba to a Windows domain,
7673           along with server role = domain controller, which run Samba as a
7674           Windows domain controller.
7675
7676           You should use server role = standalone and map to guest if you
7677           want to mainly setup shares without a password (guest shares). This
7678           is commonly used for a shared printer server.
7679
7680           SERVER ROLE = AUTO
7681
7682           This is the default server role in Samba, and causes Samba to
7683           consult the security parameter (if set) to determine the server
7684           role, giving compatible behaviours to previous Samba versions.
7685
7686           SERVER ROLE = STANDALONE
7687
7688           If security is also not specified, this is the default security
7689           setting in Samba. In standalone operation, a client must first
7690           "log-on" with a valid username and password (which can be mapped
7691           using the username map parameter) stored on this machine. Encrypted
7692           passwords (see the encrypted passwords parameter) are by default
7693           used in this security mode. Parameters such as user and guest only
7694           if set are then applied and may change the UNIX user to use on this
7695           connection, but only after the user has been successfully
7696           authenticated.
7697
7698           SERVER ROLE = MEMBER SERVER
7699
7700           This mode will only work correctly if net(8) has been used to add
7701           this machine into a Windows Domain. It expects the encrypted
7702           passwords parameter to be set to yes. In this mode Samba will try
7703           to validate the username/password by passing it to a Windows or
7704           Samba Domain Controller, in exactly the same way that a Windows
7705           Server would do.
7706
7707           Note that a valid UNIX user must still exist as well as the account
7708           on the Domain Controller to allow Samba to have a valid UNIX
7709           account to map file access to. Winbind can provide this.
7710
7711           SERVER ROLE = CLASSIC PRIMARY DOMAIN CONTROLLER
7712
7713           This mode of operation runs a classic Samba primary domain
7714           controller, providing domain logon services to Windows and Samba
7715           clients of an NT4-like domain. Clients must be joined to the domain
7716           to create a secure, trusted path across the network. There must be
7717           only one PDC per NetBIOS scope (typcially a broadcast network or
7718           clients served by a single WINS server).
7719
7720           SERVER ROLE = CLASSIC BACKUP DOMAIN CONTROLLER
7721
7722           This mode of operation runs a classic Samba backup domain
7723           controller, providing domain logon services to Windows and Samba
7724           clients of an NT4-like domain. As a BDC, this allows multiple Samba
7725           servers to provide redundant logon services to a single NetBIOS
7726           scope.
7727
7728           SERVER ROLE = ACTIVE DIRECTORY DOMAIN CONTROLLER
7729
7730           This mode of operation runs Samba as an active directory domain
7731           controller, providing domain logon services to Windows and Samba
7732           clients of the domain. This role requires special configuration,
7733           see the Samba4 HOWTO
7734
7735           Default: server role = AUTO
7736
7737           Example: server role = ACTIVE DIRECTORY DOMAIN CONTROLLER
7738
7739       server schannel (G)
7740
7741           This option is deprecated with Samba 4.8 and will be removed in
7742           future. At the same time the default changed to yes, which will be
7743           the hardcoded behavior in future. If you have the need for the
7744           behavior of "auto" to be kept, please file a bug at
7745           https://bugzilla.samba.org.
7746
7747           This controls whether the server offers or even demands the use of
7748           the netlogon schannel.  server schannel = no does not offer the
7749           schannel, server schannel = auto offers the schannel but does not
7750           enforce it, and server schannel = yes denies access if the client
7751           is not able to speak netlogon schannel. This is only the case for
7752           Windows NT4 before SP4.
7753
7754           Please note that with this set to no, you will have to apply the
7755           WindowsXP WinXP_SignOrSeal.reg registry patch found in the
7756           docs/registry subdirectory of the Samba distribution tarball.
7757
7758           Default: server schannel = yes
7759
7760           Example: server schannel = auto
7761
7762       server services (G)
7763
7764           This option contains the services that the Samba daemon will run.
7765
7766           An entry in the smb.conf file can either override the previous
7767           value completely or entries can be removed from or added to it by
7768           prefixing them with + or -.
7769
7770           Default: server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
7771           drepl, winbindd, ntp_signd, kcc, dnsupdate, dns
7772
7773           Example: server services = -s3fs, +smb
7774
7775       server signing (G)
7776
7777           This controls whether the client is allowed or required to use SMB1
7778           and SMB2 signing. Possible values are default, auto, mandatory and
7779           disabled.
7780
7781           By default, and when smb signing is set to default, smb signing is
7782           required when server role is active directory domain controller and
7783           disabled otherwise.
7784
7785           When set to auto, SMB1 signing is offered, but not enforced. When
7786           set to mandatory, SMB1 signing is required and if set to disabled,
7787           SMB signing is not offered either.
7788
7789           For the SMB2 protocol, by design, signing cannot be disabled. In
7790           the case where SMB2 is negotiated, if this parameter is set to
7791           disabled, it will be treated as auto. Setting it to mandatory will
7792           still require SMB2 clients to use signing.
7793
7794           Default: server signing = default
7795
7796       server string (G)
7797
7798           This controls what string will show up in the printer comment box
7799           in print manager and next to the IPC connection in net view. It can
7800           be any string that you wish to show to your users.
7801
7802           It also sets what will appear in browse lists next to the machine
7803           name.
7804
7805           A %v will be replaced with the Samba version number.
7806
7807           A %h will be replaced with the hostname.
7808
7809           Default: server string = Samba %v
7810
7811           Example: server string = University of GNUs Samba Server
7812
7813       set primary group script (G)
7814
7815           Thanks to the Posix subsystem in NT a Windows User has a primary
7816           group in addition to the auxiliary groups. This script sets the
7817           primary group in the unix user database when an administrator sets
7818           the primary group from the windows user manager or when fetching a
7819           SAM with net rpc vampire.  %u will be replaced with the user whose
7820           primary group is to be set.  %g will be replaced with the group to
7821           set.
7822
7823           Default: set primary group script =
7824
7825           Example: set primary group script = /usr/sbin/usermod -g '%g' '%u'
7826
7827       set quota command (G)
7828
7829           The set quota command should only be used whenever there is no
7830           operating system API available from the OS that samba can use.
7831
7832           This option is only available if Samba was compiled with quota
7833           support.
7834
7835           This parameter should specify the path to a script that can set
7836           quota for the specified arguments.
7837
7838           The specified script should take the following arguments:
7839
7840                  ·   1 - path to where the quota needs to be set. This needs
7841                      to be interpreted relative to the current working
7842                      directory that the script may also check for.
7843
7844                  ·   2 - quota type
7845
7846                             ·   1 - user quotas
7847
7848                             ·   2 - user default quotas (uid = -1)
7849
7850                             ·   3 - group quotas
7851
7852                             ·   4 - group default quotas (gid = -1)
7853
7854
7855                  ·   3 - id (uid for user, gid for group, -1 if N/A)
7856
7857                  ·   4 - quota state (0 = disable, 1 = enable, 2 = enable and
7858                      enforce)
7859
7860                  ·   5 - block softlimit
7861
7862                  ·   6 - block hardlimit
7863
7864                  ·   7 - inode softlimit
7865
7866                  ·   8 - inode hardlimit
7867
7868                  ·   9(optional) - block size, defaults to 1024
7869
7870           The script should output at least one line of data on success. And
7871           nothing on failure.
7872
7873           Default: set quota command =
7874
7875           Example: set quota command = /usr/local/sbin/set_quota
7876
7877       share backend (G)
7878
7879           This option specifies the backend that will be used to access the
7880           configuration of file shares.
7881
7882           Traditionally, Samba file shares have been configured in the
7883           smb.conf file and this is still the default.
7884
7885           At the moment there are no other supported backends.
7886
7887           Default: share backend = classic
7888
7889       share:fake_fscaps (G)
7890
7891           This is needed to support some special application that makes
7892           QFSINFO calls to check whether we set the SPARSE_FILES bit (0x40).
7893           If this bit is not set that particular application refuses to work
7894           against Samba. With share:fake_fscaps = 64 the SPARSE_FILES file
7895           system capability flag is set. Use other decimal values to specify
7896           the bitmask you need to fake.
7897
7898           Default: share:fake_fscaps = 0
7899
7900       short preserve case (S)
7901
7902           This boolean parameter controls if new files which conform to 8.3
7903           syntax, that is all in upper case and of suitable length, are
7904           created upper case, or if they are forced to be the default case.
7905           This option can be use with preserve case = yes to permit long
7906           filenames to retain their case, while short names are lowered.
7907
7908           See the section on NAME MANGLING.
7909
7910           Default: short preserve case = yes
7911
7912       show add printer wizard (G)
7913
7914           With the introduction of MS-RPC based printing support for Windows
7915           NT/2000 client in Samba 2.2, a "Printers..." folder will appear on
7916           Samba hosts in the share listing. Normally this folder will contain
7917           an icon for the MS Add Printer Wizard (APW). However, it is
7918           possible to disable this feature regardless of the level of
7919           privilege of the connected user.
7920
7921           Under normal circumstances, the Windows NT/2000 client will open a
7922           handle on the printer server with OpenPrinterEx() asking for
7923           Administrator privileges. If the user does not have administrative
7924           access on the print server (i.e is not root or has granted the
7925           SePrintOperatorPrivilege), the OpenPrinterEx() call fails and the
7926           client makes another open call with a request for a lower privilege
7927           level. This should succeed, however the APW icon will not be
7928           displayed.
7929
7930           Disabling the show add printer wizard parameter will always cause
7931           the OpenPrinterEx() on the server to fail. Thus the APW icon will
7932           never be displayed.
7933
7934               Note
7935               This does not prevent the same user from having administrative
7936               privilege on an individual printer.
7937           Default: show add printer wizard = yes
7938
7939       shutdown script (G)
7940
7941           This a full path name to a script called by smbd(8) that should
7942           start a shutdown procedure.
7943
7944           If the connected user possesses the SeRemoteShutdownPrivilege,
7945           right, this command will be run as root.
7946
7947           The %z %t %r %f variables are expanded as follows:
7948
7949                  ·   %z will be substituted with the shutdown message sent to
7950                      the server.
7951
7952                  ·   %t will be substituted with the number of seconds to
7953                      wait before effectively starting the shutdown procedure.
7954
7955                  ·   %r will be substituted with the switch -r. It means
7956                      reboot after shutdown for NT.
7957
7958                  ·   %f will be substituted with the switch -f. It means
7959                      force the shutdown even if applications do not respond
7960                      for NT.
7961
7962           Shutdown script example:
7963
7964               #!/bin/bash
7965
7966               time=$2
7967               let time="${time} / 60"
7968               let time="${time} + 1"
7969
7970               /sbin/shutdown $3 $4 +$time $1 &
7971
7972
7973           Shutdown does not return so we need to launch it in background.
7974
7975           Default: shutdown script =
7976
7977           Example: shutdown script = /usr/local/samba/sbin/shutdown %m %t %r
7978           %f
7979
7980       smb2 leases (G)
7981
7982           This boolean option tells smbd whether to globally negotiate SMB2
7983           leases on file open requests. Leasing is an SMB2-only feature which
7984           allows clients to aggressively cache files locally above and beyond
7985           the caching allowed by SMB1 oplocks.
7986
7987           This is only available with oplocks = yes and kernel oplocks = no.
7988
7989           Note that the write cache won't be used for file handles with a
7990           smb2 write lease.
7991
7992           Default: smb2 leases = yes
7993
7994       smb2 max credits (G)
7995
7996           This option controls the maximum number of outstanding simultaneous
7997           SMB2 operations that Samba tells the client it will allow. This is
7998           similar to the max mux parameter for SMB1. You should never need to
7999           set this parameter.
8000
8001           The default is 8192 credits, which is the same as a Windows 2008R2
8002           SMB2 server.
8003
8004           Default: smb2 max credits = 8192
8005
8006       smb2 max read (G)
8007
8008           This option specifies the protocol value that smbd(8) will return
8009           to a client, informing the client of the largest size that may be
8010           returned by a single SMB2 read call.
8011
8012           The maximum is 8388608 bytes (8MiB), which is the same as a Windows
8013           Server 2012 r2.
8014
8015           Please note that the default is 8MiB, but it's limit is based on
8016           the smb2 dialect (64KiB for SMB == 2.0, 8MiB for SMB >= 2.1 with
8017           LargeMTU). Large MTU is not supported over NBT (tcp port 139).
8018
8019           Default: smb2 max read = 8388608
8020
8021       smb2 max trans (G)
8022
8023           This option specifies the protocol value that smbd(8) will return
8024           to a client, informing the client of the largest size of buffer
8025           that may be used in querying file meta-data via QUERY_INFO and
8026           related SMB2 calls.
8027
8028           The maximum is 8388608 bytes (8MiB), which is the same as a Windows
8029           Server 2012 r2.
8030
8031           Please note that the default is 8MiB, but it's limit is based on
8032           the smb2 dialect (64KiB for SMB == 2.0, 1MiB for SMB >= 2.1 with
8033           LargeMTU). Large MTU is not supported over NBT (tcp port 139).
8034
8035           Default: smb2 max trans = 8388608
8036
8037       smb2 max write (G)
8038
8039           This option specifies the protocol value that smbd(8) will return
8040           to a client, informing the client of the largest size that may be
8041           sent to the server by a single SMB2 write call.
8042
8043           The maximum is 8388608 bytes (8MiB), which is the same as a Windows
8044           Server 2012 r2.
8045
8046           Please note that the default is 8MiB, but it's limit is based on
8047           the smb2 dialect (64KiB for SMB == 2.0, 8MiB for SMB => 2.1 with
8048           LargeMTU). Large MTU is not supported over NBT (tcp port 139).
8049
8050           Default: smb2 max write = 8388608
8051
8052       smbd async dosmode (S)
8053
8054           This parameter control whether the fileserver will use sync or
8055           async methods for fetching the DOS attributes when doing a
8056           directory listing. By default sync methods will be used.
8057
8058           Default: smbd async dosmode = no
8059
8060       smbd getinfo ask sharemode (S)
8061
8062           This parameter allows disabling fetching file write time from the
8063           open file handle database locking.tdb when a client requests file
8064           or directory metadata. It's a performance optimisation at the
8065           expense of protocol correctness.
8066
8067           Default: smbd getinfo ask sharemode = yes
8068
8069       smbd max async dosmode (S)
8070
8071           This parameter controls how many async operations to fetch the DOS
8072           attributes the fileserver will queue when doing directory listings.
8073
8074           Default: smbd max async dosmode = aio max threads * 2
8075
8076       smbd profiling level (G)
8077
8078           This parameter allows the administrator to enable profiling
8079           support.
8080
8081           Possible values are off, count and on.
8082
8083           Default: smbd profiling level = off
8084
8085           Example: smbd profiling level = on
8086
8087       smbd search ask sharemode (S)
8088
8089           This parameter allows disabling fetching file write time from the
8090           open file handle database locking.tdb. It's a performance
8091           optimisation at the expense of protocol correctness.
8092
8093           Default: smbd search ask sharemode = yes
8094
8095       smb encrypt (S)
8096
8097           This parameter controls whether a remote client is allowed or
8098           required to use SMB encryption. It has different effects depending
8099           on whether the connection uses SMB1 or SMB2 and newer:
8100
8101                  ·   If the connection uses SMB1, then this option controls
8102                      the use of a Samba-specific extension to the SMB
8103                      protocol introduced in Samba 3.2 that makes use of the
8104                      Unix extensions.
8105
8106                  ·   If the connection uses SMB2 or newer, then this option
8107                      controls the use of the SMB-level encryption that is
8108                      supported in SMB version 3.0 and above and available in
8109                      Windows 8 and newer.
8110
8111           This parameter can be set globally and on a per-share bases.
8112           Possible values are off (or disabled), enabled (or auto, or
8113           if_required), desired, and required (or mandatory). A special value
8114           is default which is the implicit default setting of enabled.
8115
8116           Effects for SMB1
8117               The Samba-specific encryption of SMB1 connections is an
8118               extension to the SMB protocol negotiated as part of the UNIX
8119               extensions. SMB encryption uses the GSSAPI (SSPI on Windows)
8120               ability to encrypt and sign every request/response in a SMB
8121               protocol stream. When enabled it provides a secure method of
8122               SMB/CIFS communication, similar to an ssh protected session,
8123               but using SMB/CIFS authentication to negotiate encryption and
8124               signing keys. Currently this is only supported smbclient of by
8125               Samba 3.2 and newer, and hopefully soon Linux CIFSFS and
8126               MacOS/X clients. Windows clients do not support this feature.
8127
8128               This may be set on a per-share basis, but clients may chose to
8129               encrypt the entire session, not just traffic to a specific
8130               share. If this is set to mandatory then all traffic to a share
8131               must be encrypted once the connection has been made to the
8132               share. The server would return "access denied" to all
8133               non-encrypted requests on such a share. Selecting encrypted
8134               traffic reduces throughput as smaller packet sizes must be used
8135               (no huge UNIX style read/writes allowed) as well as the
8136               overhead of encrypting and signing all the data.
8137
8138               If SMB encryption is selected, Windows style SMB signing (see
8139               the server signing option) is no longer necessary, as the
8140               GSSAPI flags use select both signing and sealing of the data.
8141
8142               When set to auto or default, SMB encryption is offered, but not
8143               enforced. When set to mandatory, SMB encryption is required and
8144               if set to disabled, SMB encryption can not be negotiated.
8145
8146           Effects for SMB2
8147               Native SMB transport encryption is available in SMB version 3.0
8148               or newer. It is only offered by Samba if server max protocol is
8149               set to SMB3 or newer. Clients supporting this type of
8150               encryption include Windows 8 and newer, Windows server 2012 and
8151               newer, and smbclient of Samba 4.1 and newer.
8152
8153               The protocol implementation offers various options:
8154
8155                      ·   The capability to perform SMB encryption can be
8156                          negotiated during protocol negotiation.
8157
8158                      ·   Data encryption can be enabled globally. In that
8159                          case, an encryption-capable connection will have all
8160                          traffic in all its sessions encrypted. In particular
8161                          all share connections will be encrypted.
8162
8163                      ·   Data encryption can also be enabled per share if not
8164                          enabled globally. For an encryption-capable
8165                          connection, all connections to an encryption-enabled
8166                          share will be encrypted.
8167
8168                      ·   Encryption can be enforced. This means that session
8169                          setups will be denied on non-encryption-capable
8170                          connections if data encryption has been enabled
8171                          globally. And tree connections will be denied for
8172                          non-encryption capable connections to shares with
8173                          data encryption enabled.
8174
8175               These features can be controlled with settings of smb encrypt
8176               as follows:
8177
8178                      ·   Leaving it as default, explicitly setting default,
8179                          or setting it to enabled globally will enable
8180                          negotiation of encryption but will not turn on data
8181                          encryption globally or per share.
8182
8183                      ·   Setting it to desired globally will enable
8184                          negotiation and will turn on data encryption on
8185                          sessions and share connections for those clients
8186                          that support it.
8187
8188                      ·   Setting it to required globally will enable
8189                          negotiation and turn on data encryption on sessions
8190                          and share connections. Clients that do not support
8191                          encryption will be denied access to the server.
8192
8193                      ·   Setting it to off globally will completely disable
8194                          the encryption feature for all connections. Setting
8195                          smb encrypt = required for individual shares (while
8196                          it's globally off) will deny access to this shares
8197                          for all clients.
8198
8199                      ·   Setting it to desired on a share will turn on data
8200                          encryption for this share for clients that support
8201                          encryption if negotiation has been enabled globally.
8202
8203                      ·   Setting it to required on a share will enforce data
8204                          encryption for this share if negotiation has been
8205                          enabled globally. I.e. clients that do not support
8206                          encryption will be denied access to the share.
8207
8208                          Note that this allows per-share enforcing to be
8209                          controlled in Samba differently from Windows: In
8210                          Windows, RejectUnencryptedAccess is a global
8211                          setting, and if it is set, all shares with data
8212                          encryption turned on are automatically enforcing
8213                          encryption. In order to achieve the same effect in
8214                          Samba, one has to globally set smb encrypt to
8215                          enabled, and then set all shares that should be
8216                          encrypted to required. Additionally, it is possible
8217                          in Samba to have some shares with encryption
8218                          required and some other shares with encryption only
8219                          desired, which is not possible in Windows.
8220
8221                      ·   Setting it to off or enabled for a share has no
8222                          effect.
8223
8224
8225           Default: smb encrypt = default
8226
8227       smb passwd file (G)
8228
8229           This option sets the path to the encrypted smbpasswd file. By
8230           default the path to the smbpasswd file is compiled into Samba.
8231
8232           An example of use is:
8233
8234               smb passwd file = /etc/samba/smbpasswd
8235
8236           Default: smb passwd file = /var/lib/samba/private/smbpasswd
8237
8238       smb ports (G)
8239
8240           Specifies which ports the server should listen on for SMB traffic.
8241
8242           Default: smb ports = 445 139
8243
8244       socket options (G)
8245
8246               Warning
8247               Modern server operating systems are tuned for high network
8248               performance in the majority of situations; when you set socket
8249               options you are overriding those settings. Linux in particular
8250               has an auto-tuning mechanism for buffer sizes that will be
8251               disabled if you specify a socket buffer size. This can
8252               potentially cripple your TCP/IP stack.
8253
8254               Getting the socket options correct can make a big difference to
8255               your performance, but getting them wrong can degrade it by just
8256               as much. As with any other low level setting, if you must make
8257               changes to it, make small changes and test the effect before
8258               making any large changes.
8259
8260           This option allows you to set socket options to be used when
8261           talking with the client.
8262
8263           Socket options are controls on the networking layer of the
8264           operating systems which allow the connection to be tuned.
8265
8266           This option will typically be used to tune your Samba server for
8267           optimal performance for your local network. There is no way that
8268           Samba can know what the optimal parameters are for your net, so you
8269           must experiment and choose them yourself. We strongly suggest you
8270           read the appropriate documentation for your operating system first
8271           (perhaps man setsockopt will help).
8272
8273           You may find that on some systems Samba will say "Unknown socket
8274           option" when you supply an option. This means you either
8275           incorrectly typed it or you need to add an include file to
8276           includes.h for your OS. If the latter is the case please send the
8277           patch to samba-technical@lists.samba.org.
8278
8279           Any of the supported socket options may be combined in any way you
8280           like, as long as your OS allows it.
8281
8282           This is the list of socket options currently settable using this
8283           option:
8284
8285                  ·   SO_KEEPALIVE
8286
8287                  ·   SO_REUSEADDR
8288
8289                  ·   SO_BROADCAST
8290
8291                  ·   TCP_NODELAY
8292
8293                  ·   TCP_KEEPCNT *
8294
8295                  ·   TCP_KEEPIDLE *
8296
8297                  ·   TCP_KEEPINTVL *
8298
8299                  ·   IPTOS_LOWDELAY
8300
8301                  ·   IPTOS_THROUGHPUT
8302
8303                  ·   SO_REUSEPORT
8304
8305                  ·   SO_SNDBUF *
8306
8307                  ·   SO_RCVBUF *
8308
8309                  ·   SO_SNDLOWAT *
8310
8311                  ·   SO_RCVLOWAT *
8312
8313                  ·   SO_SNDTIMEO *
8314
8315                  ·   SO_RCVTIMEO *
8316
8317                  ·   TCP_FASTACK *
8318
8319                  ·   TCP_QUICKACK
8320
8321                  ·   TCP_NODELAYACK
8322
8323                  ·   TCP_KEEPALIVE_THRESHOLD *
8324
8325                  ·   TCP_KEEPALIVE_ABORT_THRESHOLD *
8326
8327                  ·   TCP_DEFER_ACCEPT *
8328
8329           Those marked with a '*' take an integer argument. The others can
8330           optionally take a 1 or 0 argument to enable or disable the option,
8331           by default they will be enabled if you don't specify 1 or 0.
8332
8333           To specify an argument use the syntax SOME_OPTION = VALUE for
8334           example SO_SNDBUF = 8192. Note that you must not have any spaces
8335           before or after the = sign.
8336
8337           If you are on a local network then a sensible option might be:
8338
8339           socket options = IPTOS_LOWDELAY
8340
8341           If you have a local network then you could try:
8342
8343           socket options = IPTOS_LOWDELAY TCP_NODELAY
8344
8345           If you are on a wide area network then perhaps try setting
8346           IPTOS_THROUGHPUT.
8347
8348           Note that several of the options may cause your Samba server to
8349           fail completely. Use these options with caution!
8350
8351           Default: socket options = TCP_NODELAY
8352
8353           Example: socket options = IPTOS_LOWDELAY
8354
8355       spn update command (G)
8356
8357           This option sets the command that for updating servicePrincipalName
8358           names from spn_update_list.
8359
8360           Default: spn update command =
8361           /builddir/build/BUILD/samba-4.10.4/source4/scripting/bin/samba_spnupdate
8362
8363           Example: spn update command = /usr/local/sbin/spnupdate
8364
8365       spoolss: architecture (G)
8366
8367           Windows spoolss print clients only allow association of server-side
8368           drivers with printers when the driver architecture matches the
8369           advertised print server architecture. Samba's spoolss print server
8370           architecture can be changed using this parameter.
8371
8372           Default: spoolss: architecture = Windows NT x86
8373
8374           Example: spoolss: architecture = Windows x64
8375
8376       spoolss: os_major (G)
8377
8378           Windows might require a new os version number. This option allows
8379           to modify the build number. The complete default version number is:
8380           5.0.2195 (Windows 2000). The example is 6.1.7601 (Windows 2008 R2).
8381
8382           Default: spoolss: os_major = 5
8383
8384           Example: spoolss: os_major = 6
8385
8386       spoolss: os_minor (G)
8387
8388           Windows might require a new os version number. This option allows
8389           to modify the build number. The complete default version number is:
8390           5.0.2195 (Windows 2000). The example is 6.1.7601 (Windows 2008 R2).
8391
8392           Default: spoolss: os_minor = 0
8393
8394           Example: spoolss: os_minor = 1
8395
8396       spoolss: os_build (G)
8397
8398           Windows might require a new os version number. This option allows
8399           to modify the build number. The complete default version number is:
8400           5.0.2195 (Windows 2000). The example is 6.1.7601 (Windows 2008 R2).
8401
8402           Default: spoolss: os_build = 2195
8403
8404           Example: spoolss: os_build = 7601
8405
8406       spoolss_client: os_major (G)
8407
8408           Windows might require a new os version number. This option allows
8409           to modify the build number. The complete default version number is:
8410           6.1.7007 (Windows 7 and Windows Server 2008 R2).
8411
8412           Default: spoolss_client: os_major = 6
8413
8414       spoolss_client: os_minor (G)
8415
8416           Windows might require a new os version number. This option allows
8417           to modify the build number. The complete default version number is:
8418           6.1.7007 (Windows 7 and Windows Server 2008 R2).
8419
8420           Default: spoolss_client: os_minor = 1
8421
8422       spoolss_client: os_build (G)
8423
8424           Windows might require a new os version number. This option allows
8425           to modify the build number. The complete default version number is:
8426           6.1.7007 (Windows 7 and Windows Server 2008 R2).
8427
8428           Default: spoolss_client: os_build = 7007
8429
8430       spotlight (S)
8431
8432           This parameter controls whether Samba allows Spotlight queries on a
8433           share. For controlling indexing of filesystems you also have to use
8434           Tracker's own configuration system.
8435
8436           Spotlight has several prerequisites:
8437
8438                  ·   Samba must be configured and built with Spotlight
8439                      support.
8440
8441                  ·   The mdssvc RPC service must be enabled, see below.
8442
8443                  ·   Tracker intergration must be setup and the share must be
8444                      indexed by Tracker.
8445
8446           For a detailed set of instructions please see
8447           https://wiki.samba.org/index.php/Spotlight.
8448
8449           The Spotlight RPC service can either be enabled as embedded RPC
8450           service:
8451
8452               [Global]
8453               rpc_server:mdsvc = embedded
8454
8455           Or it can be run in a separate RPC service daemon:
8456
8457               [Global]
8458               rpc_server:mdssd = fork
8459               rpc_server:mdsvc = external
8460
8461           Default: spotlight = no
8462
8463       stat cache (G)
8464
8465           This parameter determines if smbd(8) will use a cache in order to
8466           speed up case insensitive name mappings. You should never need to
8467           change this parameter.
8468
8469           Default: stat cache = yes
8470
8471       state directory (G)
8472
8473           Usually, most of the TDB files are stored in the lock directory.
8474           Since Samba 3.4.0, it is possible to differentiate between TDB
8475           files with persistent data and TDB files with non-persistent data
8476           using the state directory and the cache directory options.
8477
8478           This option specifies the directory where TDB files containing
8479           important persistent data will be stored.
8480
8481           Default: state directory = /var/lib/samba
8482
8483           Example: state directory = /var/run/samba/locks/state
8484
8485       store dos attributes (S)
8486
8487           If this parameter is set Samba attempts to first read DOS
8488           attributes (SYSTEM, HIDDEN, ARCHIVE or READ-ONLY) from a filesystem
8489           extended attribute, before mapping DOS attributes to UNIX
8490           permission bits (such as occurs with map hidden and map readonly).
8491           When set, DOS attributes will be stored onto an extended attribute
8492           in the UNIX filesystem, associated with the file or directory. When
8493           this parameter is set it will override the parameters map hidden,
8494           map system, map archive and map readonly and they will behave as if
8495           they were set to off. This parameter writes the DOS attributes as a
8496           string into the extended attribute named "user.DOSATTRIB". This
8497           extended attribute is explicitly hidden from smbd clients
8498           requesting an EA list. On Linux the filesystem must have been
8499           mounted with the mount option user_xattr in order for extended
8500           attributes to work, also extended attributes must be compiled into
8501           the Linux kernel. In Samba 3.5.0 and above the "user.DOSATTRIB"
8502           extended attribute has been extended to store the create time for a
8503           file as well as the DOS attributes. This is done in a backwards
8504           compatible way so files created by Samba 3.5.0 and above can still
8505           have the DOS attribute read from this extended attribute by earlier
8506           versions of Samba, but they will not be able to read the create
8507           time stored there. Storing the create time separately from the
8508           normal filesystem meta-data allows Samba to faithfully reproduce
8509           NTFS semantics on top of a POSIX filesystem. The default has
8510           changed to yes in Samba release 4.9.0 and above to allow better
8511           Windows fileserver compatibility in a default install.
8512
8513           Default: store dos attributes = yes
8514
8515       strict allocate (S)
8516
8517           This is a boolean that controls the handling of disk space
8518           allocation in the server. When this is set to yes the server will
8519           change from UNIX behaviour of not committing real disk storage
8520           blocks when a file is extended to the Windows behaviour of actually
8521           forcing the disk system to allocate real storage blocks when a file
8522           is created or extended to be a given size. In UNIX terminology this
8523           means that Samba will stop creating sparse files.
8524
8525           This option is really designed for file systems that support fast
8526           allocation of large numbers of blocks such as extent-based file
8527           systems. On file systems that don't support extents (most notably
8528           ext3) this can make Samba slower. When you work with large files
8529           over >100MB on file systems without extents you may even run into
8530           problems with clients running into timeouts.
8531
8532           When you have an extent based filesystem it's likely that we can
8533           make use of unwritten extents which allows Samba to allocate even
8534           large amounts of space very fast and you will not see any timeout
8535           problems caused by strict allocate. With strict allocate in use you
8536           will also get much better out of quota messages in case you use
8537           quotas. Another advantage of activating this setting is that it
8538           will help to reduce file fragmentation.
8539
8540           To give you an idea on which filesystems this setting might
8541           currently be a good option for you: XFS, ext4, btrfs, ocfs2 on
8542           Linux and JFS2 on AIX support unwritten extents. On Filesystems
8543           that do not support it, preallocation is probably an expensive
8544           operation where you will see reduced performance and risk to let
8545           clients run into timeouts when creating large files. Examples are
8546           ext3, ZFS, HFS+ and most others, so be aware if you activate this
8547           setting on those filesystems.
8548
8549           Default: strict allocate = no
8550
8551       strict locking (S)
8552
8553           This is an enumerated type that controls the handling of file
8554           locking in the server. When this is set to yes, the server will
8555           check every read and write access for file locks, and deny access
8556           if locks exist. This can be slow on some systems.
8557
8558           When strict locking is set to Auto (the default), the server
8559           performs file lock checks only on non-oplocked files. As most
8560           Windows redirectors perform file locking checks locally on oplocked
8561           files this is a good trade off for improved performance.
8562
8563           When strict locking is disabled, the server performs file lock
8564           checks only when the client explicitly asks for them.
8565
8566           Well-behaved clients always ask for lock checks when it is
8567           important. So in the vast majority of cases, strict locking = Auto
8568           or strict locking = no is acceptable.
8569
8570           Default: strict locking = Auto
8571
8572       strict rename (S)
8573
8574           By default a Windows SMB server prevents directory renames when
8575           there are open file or directory handles below it in the filesystem
8576           hierarchy. Historically Samba has always allowed this as POSIX
8577           filesystem semantics require it.
8578
8579           This boolean parameter allows Samba to match the Windows behavior.
8580           Setting this to "yes" is a very expensive change, as it forces
8581           Samba to travers the entire open file handle database on every
8582           directory rename request. In a clustered Samba system the cost is
8583           even greater than the non-clustered case.
8584
8585           When set to "no" smbd only checks the local process the client is
8586           attached to for open files below a directory being renamed, instead
8587           of checking for open files across all smbd processes.
8588
8589           Because of the expense in fully searching the database, the default
8590           is "no", and it is recommended to be left that way unless a
8591           specific Windows application requires it to be changed.
8592
8593           If the client has requested UNIX extensions (POSIX pathnames) then
8594           renames are always allowed and this parameter has no effect.
8595
8596           Default: strict rename = no
8597
8598       strict sync (S)
8599
8600           This parameter controls whether Samba honors a request from an SMB
8601           client to ensure any outstanding operating system buffer contents
8602           held in memory are safely written onto stable storage on disk. If
8603           set to yes, which is the default, then Windows applications can
8604           force the smbd server to synchronize unwritten data onto the disk.
8605           If set to no then smbd will ignore client requests to synchronize
8606           unwritten data onto stable storage on disk.
8607
8608           In Samba 4.7.0, the default for this parameter changed from no to
8609           yes to better match the expectations of SMB2/3 clients and improve
8610           application safety when running against smbd.
8611
8612           The flush request from SMB2/3 clients is handled asynchronously
8613           inside smbd, so leaving the parameter as the default value of yes
8614           does not block the processing of other requests to the smbd
8615           process.
8616
8617           Legacy Windows applications (such as the Windows 98 explorer shell)
8618           seemed to confuse writing buffer contents to the operating system
8619           with synchronously writing outstanding data onto stable storage on
8620           disk. Changing this parameter to no means that smbd(8) will ignore
8621           the Windows applications request to synchronize unwritten data onto
8622           disk. Only consider changing this if smbd is serving obsolete SMB1
8623           Windows clients prior to Windows XP (Windows 98 and below). There
8624           should be no need to change this setting for normal operations.
8625
8626           Default: strict sync = yes
8627
8628       svcctl list (G)
8629
8630           This option defines a list of init scripts that smbd will use for
8631           starting and stopping Unix services via the Win32 ServiceControl
8632           API. This allows Windows administrators to utilize the MS
8633           Management Console plug-ins to manage a Unix server running Samba.
8634
8635           The administrator must create a directory name svcctl in Samba's
8636           $(libdir) and create symbolic links to the init scripts in
8637           /etc/init.d/. The name of the links must match the names given as
8638           part of the svcctl list.
8639
8640           Default: svcctl list =
8641
8642           Example: svcctl list = cups postfix portmap httpd
8643
8644       sync always (S)
8645
8646           This is a boolean parameter that controls whether writes will
8647           always be written to stable storage before the write call returns.
8648           If this is no then the server will be guided by the client's
8649           request in each write call (clients can set a bit indicating that a
8650           particular write should be synchronous). If this is yes then every
8651           write will be followed by a fsync() call to ensure the data is
8652           written to disk. Note that the strict sync parameter must be set to
8653           yes in order for this parameter to have any effect.
8654
8655           Default: sync always = no
8656
8657       syslog (G)
8658
8659           This parameter maps how Samba debug messages are logged onto the
8660           system syslog logging levels. Samba debug level zero maps onto
8661           syslog LOG_ERR, debug level one maps onto LOG_WARNING, debug level
8662           two maps onto LOG_NOTICE, debug level three maps onto LOG_INFO. All
8663           higher levels are mapped to LOG_DEBUG.
8664
8665           This parameter sets the threshold for sending messages to syslog.
8666           Only messages with debug level less than this value will be sent to
8667           syslog. There still will be some logging to log.[sn]mbd even if
8668           syslog only is enabled.
8669
8670           The logging parameter should be used instead. When logging is set,
8671           it overrides the syslog parameter.
8672
8673           Default: syslog = 1
8674
8675       syslog only (G)
8676
8677           If this parameter is set then Samba debug messages are logged into
8678           the system syslog only, and not to the debug log files. There still
8679           will be some logging to log.[sn]mbd even if syslog only is enabled.
8680
8681           The logging parameter should be used instead. When logging is set,
8682           it overrides the syslog only parameter.
8683
8684           Default: syslog only = no
8685
8686       template homedir (G)
8687
8688           When filling out the user information for a Windows NT user, the
8689           winbindd(8) daemon uses this parameter to fill in the home
8690           directory for that user. If the string %D is present it is
8691           substituted with the user's Windows NT domain name. If the string
8692           %U is present it is substituted with the user's Windows NT user
8693           name.
8694
8695           Default: template homedir = /home/%D/%U
8696
8697       template shell (G)
8698
8699           When filling out the user information for a Windows NT user, the
8700           winbindd(8) daemon uses this parameter to fill in the login shell
8701           for that user.
8702
8703           Default: template shell = /bin/false
8704
8705       time server (G)
8706
8707           This parameter determines if nmbd(8) advertises itself as a time
8708           server to Windows clients.
8709
8710           Default: time server = no
8711
8712       debug timestamp
8713
8714           This parameter is a synonym for timestamp logs.
8715
8716       timestamp logs (G)
8717
8718           Samba debug log messages are timestamped by default. If you are
8719           running at a high debug level these timestamps can be distracting.
8720           This boolean parameter allows timestamping to be turned off.
8721
8722           Default: timestamp logs = yes
8723
8724       tls cafile (G)
8725
8726           This option can be set to a file (PEM format) containing CA
8727           certificates of root CAs to trust to sign certificates or
8728           intermediate CA certificates.
8729
8730           This path is relative to private dir if the path does not start
8731           with a /.
8732
8733           Default: tls cafile = tls/ca.pem
8734
8735       tls certfile (G)
8736
8737           This option can be set to a file (PEM format) containing the RSA
8738           certificate.
8739
8740           This path is relative to private dir if the path does not start
8741           with a /.
8742
8743           Default: tls certfile = tls/cert.pem
8744
8745       tls crlfile (G)
8746
8747           This option can be set to a file containing a certificate
8748           revocation list (CRL).
8749
8750           This path is relative to private dir if the path does not start
8751           with a /.
8752
8753           Default: tls crlfile =
8754
8755       tls dh params file (G)
8756
8757           This option can be set to a file with Diffie-Hellman parameters
8758           which will be used with DH ciphers.
8759
8760           This path is relative to private dir if the path does not start
8761           with a /.
8762
8763           Default: tls dh params file =
8764
8765       tls enabled (G)
8766
8767           If this option is set to yes, then Samba will use TLS when possible
8768           in communication.
8769
8770           Default: tls enabled = yes
8771
8772       tls keyfile (G)
8773
8774           This option can be set to a file (PEM format) containing the RSA
8775           private key. This file must be accessible without a pass-phrase,
8776           i.e. it must not be encrypted.
8777
8778           This path is relative to private dir if the path does not start
8779           with a /.
8780
8781           Default: tls keyfile = tls/key.pem
8782
8783       tls priority (G)
8784
8785           This option can be set to a string describing the TLS protocols to
8786           be supported in the parts of Samba that use GnuTLS, specifically
8787           the AD DC.
8788
8789           The default turns off SSLv3, as this protocol is no longer
8790           considered secure after CVE-2014-3566 (otherwise known as POODLE)
8791           impacted SSLv3 use in HTTPS applications.
8792
8793           The valid options are described in the GNUTLS Priority-Strings
8794           documentation at
8795           http://gnutls.org/manual/html_node/Priority-Strings.html
8796
8797           Default: tls priority = NORMAL:-VERS-SSL3.0
8798
8799       tls verify peer (G)
8800
8801           This controls if and how strict the client will verify the peer's
8802           certificate and name. Possible values are (in increasing order):
8803           no_check, ca_only, ca_and_name_if_available, ca_and_name and
8804           as_strict_as_possible.
8805
8806           When set to no_check the certificate is not verified at all, which
8807           allows trivial man in the middle attacks.
8808
8809           When set to ca_only the certificate is verified to be signed from a
8810           ca specified in the tls ca file option. Setting tls ca file to a
8811           valid file is required. The certificate lifetime is also verified.
8812           If the tls crl file option is configured, the certificate is also
8813           verified against the ca crl.
8814
8815           When set to ca_and_name_if_available all checks from ca_only are
8816           performed. In addition, the peer hostname is verified against the
8817           certificate's name, if it is provided by the application layer and
8818           not given as an ip address string.
8819
8820           When set to ca_and_name all checks from ca_and_name_if_available
8821           are performed. In addition the peer hostname needs to be provided
8822           and even an ip address is checked against the certificate's name.
8823
8824           When set to as_strict_as_possible all checks from ca_and_name are
8825           performed. In addition the tls crl file needs to be configured.
8826           Future versions of Samba may implement additional checks.
8827
8828           Default: tls verify peer = as_strict_as_possible
8829
8830       unicode (G)
8831
8832           Specifies whether the server and client should support unicode.
8833
8834           If this option is set to false, the use of ASCII will be forced.
8835
8836           Default: unicode = yes
8837
8838       unix charset (G)
8839
8840           Specifies the charset the unix machine Samba runs on uses. Samba
8841           needs to know this in order to be able to convert text to the
8842           charsets other SMB clients use.
8843
8844           This is also the charset Samba will use when specifying arguments
8845           to scripts that it invokes.
8846
8847           Default: unix charset = UTF-8
8848
8849           Example: unix charset = ASCII
8850
8851       unix extensions (G)
8852
8853           This boolean parameter controls whether Samba implements the CIFS
8854           UNIX extensions, as defined by HP. These extensions enable Samba to
8855           better serve UNIX CIFS clients by supporting features such as
8856           symbolic links, hard links, etc... These extensions require a
8857           similarly enabled client, and are of no current use to Windows
8858           clients.
8859
8860           Note if this parameter is turned on, the wide links parameter will
8861           automatically be disabled.
8862
8863           See the parameter allow insecure wide links if you wish to change
8864           this coupling between the two parameters.
8865
8866           Default: unix extensions = yes
8867
8868       unix password sync (G)
8869
8870           This boolean parameter controls whether Samba attempts to
8871           synchronize the UNIX password with the SMB password when the
8872           encrypted SMB password in the smbpasswd file is changed. If this is
8873           set to yes the program specified in the passwd program parameter is
8874           called AS ROOT - to allow the new UNIX password to be set without
8875           access to the old UNIX password (as the SMB password change code
8876           has no access to the old password cleartext, only the new).
8877
8878           This option has no effect if samba is running as an active
8879           directory domain controller, in that case have a look at the
8880           password hash gpg key ids option and the samba-tool user
8881           syncpasswords command.
8882
8883           Default: unix password sync = no
8884
8885       use client driver (S)
8886
8887           This parameter applies only to Windows NT/2000 clients. It has no
8888           effect on Windows 95/98/ME clients. When serving a printer to
8889           Windows NT/2000 clients without first installing a valid printer
8890           driver on the Samba host, the client will be required to install a
8891           local printer driver. From this point on, the client will treat the
8892           print as a local printer and not a network printer connection. This
8893           is much the same behavior that will occur when disable spoolss =
8894           yes.
8895
8896           The differentiating factor is that under normal circumstances, the
8897           NT/2000 client will attempt to open the network printer using
8898           MS-RPC. The problem is that because the client considers the
8899           printer to be local, it will attempt to issue the OpenPrinterEx()
8900           call requesting access rights associated with the logged on user.
8901           If the user possesses local administrator rights but not root
8902           privilege on the Samba host (often the case), the OpenPrinterEx()
8903           call will fail. The result is that the client will now display an
8904           "Access Denied; Unable to connect" message in the printer queue
8905           window (even though jobs may successfully be printed).
8906
8907           If this parameter is enabled for a printer, then any attempt to
8908           open the printer with the PRINTER_ACCESS_ADMINISTER right is mapped
8909           to PRINTER_ACCESS_USE instead. Thus allowing the OpenPrinterEx()
8910           call to succeed.  This parameter MUST not be enabled on a print
8911           share which has valid print driver installed on the Samba server.
8912
8913           Default: use client driver = no
8914
8915       use mmap (G)
8916
8917           This global parameter determines if the tdb internals of Samba can
8918           depend on mmap working correctly on the running system. Samba
8919           requires a coherent mmap/read-write system memory cache. Currently
8920           only HPUX does not have such a coherent cache, and so this
8921           parameter is set to no by default on HPUX. On all other systems
8922           this parameter should be left alone. This parameter is provided to
8923           help the Samba developers track down problems with the tdb internal
8924           code.
8925
8926           Default: use mmap = yes
8927
8928       username level (G)
8929
8930           This option helps Samba to try and 'guess' at the real UNIX
8931           username, as many DOS clients send an all-uppercase username. By
8932           default Samba tries all lowercase, followed by the username with
8933           the first letter capitalized, and fails if the username is not
8934           found on the UNIX machine.
8935
8936           If this parameter is set to non-zero the behavior changes. This
8937           parameter is a number that specifies the number of uppercase
8938           combinations to try while trying to determine the UNIX user name.
8939           The higher the number the more combinations will be tried, but the
8940           slower the discovery of usernames will be. Use this parameter when
8941           you have strange usernames on your UNIX machine, such as
8942           AstrangeUser .
8943
8944           This parameter is needed only on UNIX systems that have case
8945           sensitive usernames.
8946
8947           Default: username level = 0
8948
8949           Example: username level = 5
8950
8951       username map (G)
8952
8953           This option allows you to specify a file containing a mapping of
8954           usernames from the clients to the server. This can be used for
8955           several purposes. The most common is to map usernames that users
8956           use on DOS or Windows machines to those that the UNIX box uses. The
8957           other is to map multiple users to a single username so that they
8958           can more easily share files.
8959
8960           Please note that for user mode security, the username map is
8961           applied prior to validating the user credentials. Domain member
8962           servers (domain or ads) apply the username map after the user has
8963           been successfully authenticated by the domain controller and
8964           require fully qualified entries in the map table (e.g. biddle =
8965           DOMAIN\foo).
8966
8967           The map file is parsed line by line. Each line should contain a
8968           single UNIX username on the left then a '=' followed by a list of
8969           usernames on the right. The list of usernames on the right may
8970           contain names of the form @group in which case they will match any
8971           UNIX username in that group. The special client name '*' is a
8972           wildcard and matches any name. Each line of the map file may be up
8973           to 1023 characters long.
8974
8975           The file is processed on each line by taking the supplied username
8976           and comparing it with each username on the right hand side of the
8977           '=' signs. If the supplied name matches any of the names on the
8978           right hand side then it is replaced with the name on the left.
8979           Processing then continues with the next line.
8980
8981           If any line begins with a '#' or a ';' then it is ignored.
8982
8983           If any line begins with an '!' then the processing will stop after
8984           that line if a mapping was done by the line. Otherwise mapping
8985           continues with every line being processed. Using '!' is most useful
8986           when you have a wildcard mapping line later in the file.
8987
8988           For example to map from the name admin or administrator to the UNIX
8989           name
8990            root you would use:
8991
8992               root = admin administrator
8993
8994           Or to map anyone in the UNIX group system to the UNIX name sys you
8995           would use:
8996
8997               sys = @system
8998
8999           You can have as many mappings as you like in a username map file.
9000
9001           If your system supports the NIS NETGROUP option then the netgroup
9002           database is checked before the /etc/group database for matching
9003           groups.
9004
9005           You can map Windows usernames that have spaces in them by using
9006           double quotes around the name. For example:
9007
9008               tridge = "Andrew Tridgell"
9009
9010           would map the windows username "Andrew Tridgell" to the unix
9011           username "tridge".
9012
9013           The following example would map mary and fred to the unix user sys,
9014           and map the rest to guest. Note the use of the '!' to tell Samba to
9015           stop processing if it gets a match on that line:
9016
9017               !sys = mary fred
9018               guest = *
9019
9020           Note that the remapping is applied to all occurrences of usernames.
9021           Thus if you connect to \\server\fred and fred is remapped to mary
9022           then you will actually be connecting to \\server\mary and will need
9023           to supply a password suitable for mary not fred. The only exception
9024           to this is the username passed to a Domain Controller (if you have
9025           one). The DC will receive whatever username the client supplies
9026           without modification.
9027
9028           Also note that no reverse mapping is done. The main effect this has
9029           is with printing. Users who have been mapped may have trouble
9030           deleting print jobs as PrintManager under WfWg will think they
9031           don't own the print job.
9032
9033           Samba versions prior to 3.0.8 would only support reading the fully
9034           qualified username (e.g.: DOMAIN\user) from the username map when
9035           performing a kerberos login from a client. However, when looking up
9036           a map entry for a user authenticated by NTLM[SSP], only the login
9037           name would be used for matches. This resulted in inconsistent
9038           behavior sometimes even on the same server.
9039
9040           The following functionality is obeyed in version 3.0.8 and later:
9041
9042           When performing local authentication, the username map is applied
9043           to the login name before attempting to authenticate the connection.
9044
9045           When relying upon a external domain controller for validating
9046           authentication requests, smbd will apply the username map to the
9047           fully qualified username (i.e.  DOMAIN\user) only after the user
9048           has been successfully authenticated.
9049
9050           An example of use is:
9051
9052               username map = /usr/local/samba/lib/users.map
9053
9054           Default: username map =  # no username map
9055
9056       username map cache time (G)
9057
9058           Mapping usernames with the username map or username map script
9059           features of Samba can be relatively expensive. During login of a
9060           user, the mapping is done several times. In particular, calling the
9061           username map script can slow down logins if external databases have
9062           to be queried from the script being called.
9063
9064           The parameter username map cache time controls a mapping cache. It
9065           specifies the number of seconds a mapping from the username map
9066           file or script is to be efficiently cached. The default of 0 means
9067           no caching is done.
9068
9069           Default: username map cache time = 0
9070
9071           Example: username map cache time = 60
9072
9073       username map script (G)
9074
9075           This script is a mutually exclusive alternative to the username map
9076           parameter. This parameter specifies and external program or script
9077           that must accept a single command line option (the username
9078           transmitted in the authentication request) and return a line on
9079           standard output (the name to which the account should mapped). In
9080           this way, it is possible to store username map tables in an LDAP or
9081           NIS directory services.
9082
9083           Default: username map script =
9084
9085           Example: username map script = /etc/samba/scripts/mapusers.sh
9086
9087       usershare allow guests (G)
9088
9089           This parameter controls whether user defined shares are allowed to
9090           be accessed by non-authenticated users or not. It is the equivalent
9091           of allowing people who can create a share the option of setting
9092           guest ok = yes in a share definition. Due to its security sensitive
9093           nature, the default is set to off.
9094
9095           Default: usershare allow guests = no
9096
9097       usershare max shares (G)
9098
9099           This parameter specifies the number of user defined shares that are
9100           allowed to be created by users belonging to the group owning the
9101           usershare directory. If set to zero (the default) user defined
9102           shares are ignored.
9103
9104           Default: usershare max shares = 0
9105
9106       usershare owner only (G)
9107
9108           This parameter controls whether the pathname exported by a user
9109           defined shares must be owned by the user creating the user defined
9110           share or not. If set to True (the default) then smbd checks that
9111           the directory path being shared is owned by the user who owns the
9112           usershare file defining this share and refuses to create the share
9113           if not. If set to False then no such check is performed and any
9114           directory path may be exported regardless of who owns it.
9115
9116           Default: usershare owner only = yes
9117
9118       usershare path (G)
9119
9120           This parameter specifies the absolute path of the directory on the
9121           filesystem used to store the user defined share definition files.
9122           This directory must be owned by root, and have no access for other,
9123           and be writable only by the group owner. In addition the "sticky"
9124           bit must also be set, restricting rename and delete to owners of a
9125           file (in the same way the /tmp directory is usually configured).
9126           Members of the group owner of this directory are the users allowed
9127           to create usershares.
9128
9129           For example, a valid usershare directory might be
9130           /usr/local/samba/lib/usershares, set up as follows.
9131
9132                    ls -ld /usr/local/samba/lib/usershares/
9133                    drwxrwx--T  2 root power_users 4096 2006-05-05 12:27 /usr/local/samba/lib/usershares/
9134
9135
9136           In this case, only members of the group "power_users" can create
9137           user defined shares.
9138
9139           Default: usershare path = /var/lib/samba/usershares
9140
9141       usershare prefix allow list (G)
9142
9143           This parameter specifies a list of absolute pathnames the root of
9144           which are allowed to be exported by user defined share definitions.
9145           If the pathname to be exported doesn't start with one of the
9146           strings in this list, the user defined share will not be allowed.
9147           This allows the Samba administrator to restrict the directories on
9148           the system that can be exported by user defined shares.
9149
9150           If there is a "usershare prefix deny list" and also a "usershare
9151           prefix allow list" the deny list is processed first, followed by
9152           the allow list, thus leading to the most restrictive
9153           interpretation.
9154
9155           Default: usershare prefix allow list =
9156
9157           Example: usershare prefix allow list = /home /data /space
9158
9159       usershare prefix deny list (G)
9160
9161           This parameter specifies a list of absolute pathnames the root of
9162           which are NOT allowed to be exported by user defined share
9163           definitions. If the pathname exported starts with one of the
9164           strings in this list the user defined share will not be allowed.
9165           Any pathname not starting with one of these strings will be allowed
9166           to be exported as a usershare. This allows the Samba administrator
9167           to restrict the directories on the system that can be exported by
9168           user defined shares.
9169
9170           If there is a "usershare prefix deny list" and also a "usershare
9171           prefix allow list" the deny list is processed first, followed by
9172           the allow list, thus leading to the most restrictive
9173           interpretation.
9174
9175           Default: usershare prefix deny list =
9176
9177           Example: usershare prefix deny list = /etc /dev /private
9178
9179       usershare template share (G)
9180
9181           User defined shares only have limited possible parameters such as
9182           path, guest ok, etc. This parameter allows usershares to "cloned"
9183           from an existing share. If "usershare template share" is set to the
9184           name of an existing share, then all usershares created have their
9185           defaults set from the parameters set on this share.
9186
9187           The target share may be set to be invalid for real file sharing by
9188           setting the parameter "-valid = False" on the template share
9189           definition. This causes it not to be seen as a real exported share
9190           but to be able to be used as a template for usershares.
9191
9192           Default: usershare template share =
9193
9194           Example: usershare template share = template_share
9195
9196       use sendfile (S)
9197
9198           If this parameter is yes, and the sendfile() system call is
9199           supported by the underlying operating system, then some SMB read
9200           calls (mainly ReadAndX and ReadRaw) will use the more efficient
9201           sendfile system call for files that are exclusively oplocked. This
9202           may make more efficient use of the system CPU's and cause Samba to
9203           be faster. Samba automatically turns this off for clients that use
9204           protocol levels lower than NT LM 0.12 and when it detects a client
9205           is Windows 9x (using sendfile from Linux will cause these clients
9206           to fail).
9207
9208           Default: use sendfile = no
9209
9210       utmp (G)
9211
9212           This boolean parameter is only available if Samba has been
9213           configured and compiled with the option --with-utmp. If set to yes
9214           then Samba will attempt to add utmp or utmpx records (depending on
9215           the UNIX system) whenever a connection is made to a Samba server.
9216           Sites may use this to record the user connecting to a Samba share.
9217
9218           Due to the requirements of the utmp record, we are required to
9219           create a unique identifier for the incoming user. Enabling this
9220           option creates an n^2 algorithm to find this number. This may
9221           impede performance on large installations.
9222
9223           Default: utmp = no
9224
9225       utmp directory (G)
9226
9227           This parameter is only available if Samba has been configured and
9228           compiled with the option --with-utmp. It specifies a directory
9229           pathname that is used to store the utmp or utmpx files (depending
9230           on the UNIX system) that record user connections to a Samba server.
9231           By default this is not set, meaning the system will use whatever
9232           utmp file the native system is set to use (usually /var/run/utmp on
9233           Linux).
9234
9235           Default: utmp directory =  # Determined automatically
9236
9237           Example: utmp directory = /var/run/utmp
9238
9239       -valid (S)
9240
9241           This parameter indicates whether a share is valid and thus can be
9242           used. When this parameter is set to false, the share will be in no
9243           way visible nor accessible.
9244
9245           This option should not be used by regular users but might be of
9246           help to developers. Samba uses this option internally to mark
9247           shares as deleted.
9248
9249           Default: -valid = yes
9250
9251       valid users (S)
9252
9253           This is a list of users that should be allowed to login to this
9254           service. Names starting with '@', '+' and '&' are interpreted using
9255           the same rules as described in the invalid users parameter.
9256
9257           If this is empty (the default) then any user can login. If a
9258           username is in both this list and the invalid users list then
9259           access is denied for that user.
9260
9261           The current servicename is substituted for %S. This is useful in
9262           the [homes] section.
9263
9264           Note: When used in the [global] section this parameter may have
9265           unwanted side effects. For example: If samba is configured as a
9266           MASTER BROWSER (see local master, os level, domain master,
9267           preferred master) this option will prevent workstations from being
9268           able to browse the network.
9269
9270           Default: valid users =  # No valid users list (anyone can login)
9271
9272           Example: valid users = greg, @pcusers
9273
9274       veto files (S)
9275
9276           This is a list of files and directories that are neither visible
9277           nor accessible. Each entry in the list must be separated by a '/',
9278           which allows spaces to be included in the entry. '*' and '?' can be
9279           used to specify multiple files or directories as in DOS wildcards.
9280
9281           Each entry must be a unix path, not a DOS path and must not include
9282           the unix directory separator '/'.
9283
9284           Note that the case sensitive option is applicable in vetoing files.
9285
9286           One feature of the veto files parameter that it is important to be
9287           aware of is Samba's behaviour when trying to delete a directory. If
9288           a directory that is to be deleted contains nothing but veto files
9289           this deletion will fail unless you also set the delete veto files
9290           parameter to yes.
9291
9292           Setting this parameter will affect the performance of Samba, as it
9293           will be forced to check all files and directories for a match as
9294           they are scanned.
9295
9296           Examples of use include:
9297
9298               ; Veto any files containing the word Security,
9299               ; any ending in .tmp, and any directory containing the
9300               ; word root.
9301               veto files = /*Security*/*.tmp/*root*/
9302
9303               ; Veto the Apple specific files that a NetAtalk server
9304               ; creates.
9305               veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/
9306
9307           Default: veto files =  # No files or directories are vetoed
9308
9309       veto oplock files (S)
9310
9311           This parameter is only valid when the oplocks parameter is turned
9312           on for a share. It allows the Samba administrator to selectively
9313           turn off the granting of oplocks on selected files that match a
9314           wildcarded list, similar to the wildcarded list used in the veto
9315           files parameter.
9316
9317           You might want to do this on files that you know will be heavily
9318           contended for by clients. A good example of this is in the NetBench
9319           SMB benchmark program, which causes heavy client contention for
9320           files ending in .SEM. To cause Samba not to grant oplocks on these
9321           files you would use the line (either in the [global] section or in
9322           the section for the particular NetBench share.
9323
9324           An example of use is:
9325
9326               veto oplock files = /.*SEM/
9327
9328           Default: veto oplock files =  # No files are vetoed for oplock
9329           grants
9330
9331       vfs object
9332
9333           This parameter is a synonym for vfs objects.
9334
9335       vfs objects (S)
9336
9337           This parameter specifies the backend names which are used for Samba
9338           VFS I/O operations. By default, normal disk I/O operations are used
9339           but these can be overloaded with one or more VFS objects.
9340
9341           Default: vfs objects =
9342
9343           Example: vfs objects = extd_audit recycle
9344
9345       volume (S)
9346
9347           This allows you to override the volume label returned for a share.
9348           Useful for CDROMs with installation programs that insist on a
9349           particular volume label.
9350
9351           Default: volume =  # the name of the share
9352
9353       web port (G)
9354
9355           Specifies which port the Samba web server should listen on.
9356
9357           Default: web port = 901
9358
9359           Example: web port = 80
9360
9361       wide links (S)
9362
9363           This parameter controls whether or not links in the UNIX file
9364           system may be followed by the server. Links that point to areas
9365           within the directory tree exported by the server are always
9366           allowed; this parameter controls access only to areas that are
9367           outside the directory tree being exported.
9368
9369           Note: Turning this parameter on when UNIX extensions are enabled
9370           will allow UNIX clients to create symbolic links on the share that
9371           can point to files or directories outside restricted path exported
9372           by the share definition. This can cause access to areas outside of
9373           the share. Due to this problem, this parameter will be
9374           automatically disabled (with a message in the log file) if the unix
9375           extensions option is on.
9376
9377           See the parameter allow insecure wide links if you wish to change
9378           this coupling between the two parameters.
9379
9380           Default: wide links = no
9381
9382       winbind cache time (G)
9383
9384           This parameter specifies the number of seconds the winbindd(8)
9385           daemon will cache user and group information before querying a
9386           Windows NT server again.
9387
9388           This does not apply to authentication requests, these are always
9389           evaluated in real time unless the winbind offline logon option has
9390           been enabled.
9391
9392           Default: winbind cache time = 300
9393
9394       winbindd socket directory (G)
9395
9396           This setting controls the location of the winbind daemon's socket.
9397
9398           Except within automated test scripts, this should not be altered,
9399           as the client tools (nss_winbind etc) do not honour this parameter.
9400           Client tools must then be advised of the altered path with the
9401           WINBINDD_SOCKET_DIR environment varaible.
9402
9403           Default: winbindd socket directory = /run/samba/winbindd
9404
9405       winbind enum groups (G)
9406
9407           On large installations using winbindd(8) it may be necessary to
9408           suppress the enumeration of groups through the setgrent(),
9409           getgrent() and endgrent() group of system calls. If the winbind
9410           enum groups parameter is no, calls to the getgrent() system call
9411           will not return any data.
9412
9413               Warning
9414               Turning off group enumeration may cause some programs to behave
9415               oddly.
9416           Default: winbind enum groups = no
9417
9418       winbind enum users (G)
9419
9420           On large installations using winbindd(8) it may be necessary to
9421           suppress the enumeration of users through the setpwent(),
9422           getpwent() and endpwent() group of system calls. If the winbind
9423           enum users parameter is no, calls to the getpwent system call will
9424           not return any data.
9425
9426               Warning
9427               Turning off user enumeration may cause some programs to behave
9428               oddly. For example, the finger program relies on having access
9429               to the full user list when searching for matching usernames.
9430           Default: winbind enum users = no
9431
9432       winbind expand groups (G)
9433
9434           This option controls the maximum depth that winbindd will traverse
9435           when flattening nested group memberships of Windows domain groups.
9436           This is different from the winbind nested groups option which
9437           implements the Windows NT4 model of local group nesting. The
9438           "winbind expand groups" parameter specifically applies to the
9439           membership of domain groups.
9440
9441           This option also affects the return of non nested group memberships
9442           of Windows domain users. With the new default "winbind expand
9443           groups = 0" winbind does not query group memberships at all.
9444
9445           Be aware that a high value for this parameter can result in system
9446           slowdown as the main parent winbindd daemon must perform the group
9447           unrolling and will be unable to answer incoming NSS or
9448           authentication requests during this time.
9449
9450           The default value was changed from 1 to 0 with Samba 4.2. Some
9451           broken applications (including some implementations of newgrp and
9452           sg) calculate the group memberships of users by traversing groups,
9453           such applications will require "winbind expand groups = 1". But the
9454           new default makes winbindd more reliable as it doesn't require SAMR
9455           access to domain controllers of trusted domains.
9456
9457           Default: winbind expand groups = 0
9458
9459       winbind:ignore domains (G)
9460
9461           Allows one to enter a list of trusted domains winbind should ignore
9462           (untrust). This can avoid the overhead of resources from attempting
9463           to login to DCs that should not be communicated with.
9464
9465           Default: winbind:ignore domains =
9466
9467           Example: winbind:ignore domains = DOMAIN1, DOMAIN2
9468
9469       winbind max clients (G)
9470
9471           This parameter specifies the maximum number of clients the
9472           winbindd(8) daemon can connect with. The parameter is not a hard
9473           limit. The winbindd(8) daemon configures itself to be able to
9474           accept at least that many connections, and if the limit is reached,
9475           an attempt is made to disconnect idle clients.
9476
9477           Default: winbind max clients = 200
9478
9479       winbind max domain connections (G)
9480
9481           This parameter specifies the maximum number of simultaneous
9482           connections that the winbindd(8) daemon should open to the domain
9483           controller of one domain. Setting this parameter to a value greater
9484           than 1 can improve scalability with many simultaneous winbind
9485           requests, some of which might be slow.
9486
9487           Note that if winbind offline logon is set to Yes, then only one DC
9488           connection is allowed per domain, regardless of this setting.
9489
9490           Default: winbind max domain connections = 1
9491
9492           Example: winbind max domain connections = 10
9493
9494       winbind nested groups (G)
9495
9496           If set to yes, this parameter activates the support for nested
9497           groups. Nested groups are also called local groups or aliases. They
9498           work like their counterparts in Windows: Nested groups are defined
9499           locally on any machine (they are shared between DC's through their
9500           SAM) and can contain users and global groups from any trusted SAM.
9501           To be able to use nested groups, you need to run nss_winbind.
9502
9503           Default: winbind nested groups = yes
9504
9505       winbind normalize names (G)
9506
9507           This parameter controls whether winbindd will replace whitespace in
9508           user and group names with an underscore (_) character. For example,
9509           whether the name "Space Kadet" should be replaced with the string
9510           "space_kadet". Frequently Unix shell scripts will have difficulty
9511           with usernames contains whitespace due to the default field
9512           separator in the shell. If your domain possesses names containing
9513           the underscore character, this option may cause problems unless the
9514           name aliasing feature is supported by your nss_info plugin.
9515
9516           This feature also enables the name aliasing API which can be used
9517           to make domain user and group names to a non-qualified version.
9518           Please refer to the manpage for the configured idmap and nss_info
9519           plugin for the specifics on how to configure name aliasing for a
9520           specific configuration. Name aliasing takes precedence (and is
9521           mutually exclusive) over the whitespace replacement mechanism
9522           discussed previously.
9523
9524           Default: winbind normalize names = no
9525
9526           Example: winbind normalize names = yes
9527
9528       winbind nss info (G)
9529
9530           This parameter is designed to control how Winbind retrieves Name
9531           Service Information to construct a user's home directory and login
9532           shell. Currently the following settings are available:
9533
9534                  ·   template - The default, using the parameters of template
9535                      shell and template homedir)
9536
9537                  ·   <sfu | sfu20 | rfc2307 > - When Samba is running in
9538                      security = ads and your Active Directory Domain
9539                      Controller does support the Microsoft "Services for
9540                      Unix" (SFU) LDAP schema, winbind can retrieve the login
9541                      shell and the home directory attributes directly from
9542                      your Directory Server. For SFU 3.0 or 3.5 simply choose
9543                      "sfu", if you use SFU 2.0 please choose "sfu20". Note
9544                      that retrieving UID and GID from your ADS-Server
9545                      requires to use idmap config DOMAIN:backend = ad as
9546                      well. The primary group membership is currently always
9547                      calculated via the "primaryGroupID" LDAP attribute.
9548
9549
9550           Default: winbind nss info = template
9551
9552           Example: winbind nss info = sfu
9553
9554       winbind offline logon (G)
9555
9556           This parameter is designed to control whether Winbind should allow
9557           one to login with the pam_winbind module using Cached Credentials.
9558           If enabled, winbindd will store user credentials from successful
9559           logins encrypted in a local cache.
9560
9561           Default: winbind offline logon = no
9562
9563           Example: winbind offline logon = yes
9564
9565       winbind reconnect delay (G)
9566
9567           This parameter specifies the number of seconds the winbindd(8)
9568           daemon will wait between attempts to contact a Domain controller
9569           for a domain that is determined to be down or not contactable.
9570
9571           Default: winbind reconnect delay = 30
9572
9573       winbind refresh tickets (G)
9574
9575           This parameter is designed to control whether Winbind should
9576           refresh Kerberos Tickets retrieved using the pam_winbind module.
9577
9578           Default: winbind refresh tickets = no
9579
9580           Example: winbind refresh tickets = yes
9581
9582       winbind request timeout (G)
9583
9584           This parameter specifies the number of seconds the winbindd(8)
9585           daemon will wait before disconnecting either a client connection
9586           with no outstanding requests (idle) or a client connection with a
9587           request that has remained outstanding (hung) for longer than this
9588           number of seconds.
9589
9590           Default: winbind request timeout = 60
9591
9592       winbind rpc only (G)
9593
9594           Setting this parameter to yes forces winbindd to use RPC instead of
9595           LDAP to retrieve information from Domain Controllers.
9596
9597           Default: winbind rpc only = no
9598
9599       winbind scan trusted domains (G)
9600
9601           This option only takes effect when the security option is set to
9602           domain or ads. If it is set to yes (the default), winbindd
9603           periodically tries to scan for new trusted domains and adds them to
9604           a global list inside of winbindd. The list can be extracted with
9605           wbinfo --trusted-domains --verbose. This matches the behaviour of
9606           Samba 4.7 and older.
9607
9608           The construction of that global list is not reliable and often
9609           incomplete in complex trust setups. In most situations the list is
9610           not needed any more for winbindd to operate correctly. E.g. for
9611           plain file serving via SMB using a simple idmap setup with autorid,
9612           tdb or ad. However some more complex setups require the list, e.g.
9613           if you specify idmap backends for specific domains. Some
9614           pam_winbind setups may also require the global list.
9615
9616           If you have a setup that doesn't require the global list, you
9617           should set winbind scan trusted domains = no.
9618
9619           Default: winbind scan trusted domains = yes
9620
9621       winbind sealed pipes (G)
9622
9623           This option controls whether any requests from winbindd to domain
9624           controllers pipe will be sealed. Disabling sealing can be useful
9625           for debugging purposes.
9626
9627           The behavior can be controlled per netbios domain by using 'winbind
9628           sealed pipes:NETBIOSDOMAIN = no' as option.
9629
9630           Default: winbind sealed pipes = yes
9631
9632       winbind separator (G)
9633
9634           This parameter allows an admin to define the character used when
9635           listing a username of the form of DOMAIN \user. This parameter is
9636           only applicable when using the pam_winbind.so and nss_winbind.so
9637           modules for UNIX services.
9638
9639           Please note that setting this parameter to + causes problems with
9640           group membership at least on glibc systems, as the character + is
9641           used as a special character for NIS in /etc/group.
9642
9643           Default: winbind separator = \
9644
9645           Example: winbind separator = +
9646
9647       winbind use default domain (G)
9648
9649           This parameter specifies whether the winbindd(8) daemon should
9650           operate on users without domain component in their username. Users
9651           without a domain component are treated as is part of the winbindd
9652           server's own domain. While this does not benefit Windows users, it
9653           makes SSH, FTP and e-mail function in a way much closer to the way
9654           they would in a native unix system.
9655
9656           This option should be avoided if possible. It can cause confusion
9657           about responsibilities for a user or group. In many situations it
9658           is not clear whether winbind or /etc/passwd should be seen as
9659           authoritative for a user, likewise for groups.
9660
9661           Default: winbind use default domain = no
9662
9663           Example: winbind use default domain = yes
9664
9665       winsdb:local_owner (G)
9666
9667           This specifies the address that is stored in the winsOwner
9668           attribute, of locally registered winsRecord-objects. The default is
9669           to use the ip-address of the first network interface.
9670
9671           No default
9672
9673       winsdb:dbnosync (G)
9674
9675           This parameter disables fsync() after changes of the WINS database.
9676
9677           Default: winsdb:dbnosync = no
9678
9679       wins hook (G)
9680
9681           When Samba is running as a WINS server this allows you to call an
9682           external program for all changes to the WINS database. The primary
9683           use for this option is to allow the dynamic update of external name
9684           resolution databases such as dynamic DNS.
9685
9686           The wins hook parameter specifies the name of a script or
9687           executable that will be called as follows:
9688
9689           wins_hook operation name nametype ttl IP_list
9690
9691                  ·   The first argument is the operation and is one of "add",
9692                      "delete", or "refresh". In most cases the operation can
9693                      be ignored as the rest of the parameters provide
9694                      sufficient information. Note that "refresh" may
9695                      sometimes be called when the name has not previously
9696                      been added, in that case it should be treated as an add.
9697
9698                  ·   The second argument is the NetBIOS name. If the name is
9699                      not a legal name then the wins hook is not called. Legal
9700                      names contain only letters, digits, hyphens, underscores
9701                      and periods.
9702
9703                  ·   The third argument is the NetBIOS name type as a 2 digit
9704                      hexadecimal number.
9705
9706                  ·   The fourth argument is the TTL (time to live) for the
9707                      name in seconds.
9708
9709                  ·   The fifth and subsequent arguments are the IP addresses
9710                      currently registered for that name. If this list is
9711                      empty then the name should be deleted.
9712
9713           An example script that calls the BIND dynamic DNS update program
9714           nsupdate is provided in the examples directory of the Samba source
9715           code.
9716
9717           No default
9718
9719       wins proxy (G)
9720
9721           This is a boolean that controls if nmbd(8) will respond to
9722           broadcast name queries on behalf of other hosts. You may need to
9723           set this to yes for some older clients.
9724
9725           Default: wins proxy = no
9726
9727       wins server (G)
9728
9729           This specifies the IP address (or DNS name: IP address for
9730           preference) of the WINS server that nmbd(8) should register with.
9731           If you have a WINS server on your network then you should set this
9732           to the WINS server's IP.
9733
9734           You should point this at your WINS server if you have a
9735           multi-subnetted network.
9736
9737           If you want to work in multiple namespaces, you can give every wins
9738           server a 'tag'. For each tag, only one (working) server will be
9739           queried for a name. The tag should be separated from the ip address
9740           by a colon.
9741
9742               Note
9743               You need to set up Samba to point to a WINS server if you have
9744               multiple subnets and wish cross-subnet browsing to work
9745               correctly.
9746           See the chapter in the Samba3-HOWTO on Network Browsing.
9747
9748           Default: wins server =
9749
9750           Example: wins server = mary:192.9.200.1 fred:192.168.3.199
9751           mary:192.168.2.61 # For this example when querying a certain name,
9752           192.19.200.1 will be asked first and if that doesn't respond
9753           192.168.2.61. If either of those doesn't know the name
9754           192.168.3.199 will be queried.
9755
9756           Example: wins server = 192.9.200.1 192.168.2.61
9757
9758       wins support (G)
9759
9760           This boolean controls if the nmbd(8) process in Samba will act as a
9761           WINS server. You should not set this to yes unless you have a
9762           multi-subnetted network and you wish a particular nmbd to be your
9763           WINS server. Note that you should NEVER set this to yes on more
9764           than one machine in your network.
9765
9766           Default: wins support = no
9767
9768       workgroup (G)
9769
9770           This controls what workgroup your server will appear to be in when
9771           queried by clients. Note that this parameter also controls the
9772           Domain name used with the security = domain setting.
9773
9774           Default: workgroup = WORKGROUP
9775
9776           Example: workgroup = MYGROUP
9777
9778       wreplsrv:periodic_interval (G)
9779
9780           This maximum interval in seconds between 2 periodically scheduled
9781           runs where we check for wins.ldb changes and do push notifications
9782           to our push partners. Also wins_config.ldb changes are checked in
9783           that interval and partner configuration reloads are done.
9784
9785           Default: wreplsrv:periodic_interval = 15
9786
9787       wreplsrv:propagate name releases (G)
9788
9789           If this parameter is enabled, then explicit (from the client) and
9790           implicit (via the scavenging) name releases are propagated to the
9791           other servers directly, even if there are still other addresses
9792           active, this applies to SPECIAL GROUP (2) and MULTIHOMED (3)
9793           entries. Also the replication conflict merge algorithm for SPECIAL
9794           GROUP (2) entries discards replica addresses where the address
9795           owner is the local server, if the address was not stored locally
9796           before. The merge result is propagated directly in case an address
9797           was discarded. A Windows servers doesn't propagate name releases of
9798           SPECIAL GROUP (2) and MULTIHOMED (3) entries directly, which means
9799           that Windows servers may return different results to name queries
9800           for SPECIAL GROUP (2) and MULTIHOMED (3) names. The option doesn't
9801           have much negative impact if Windows servers are around, but be
9802           aware that they might return unexpected results.
9803
9804           Default: wreplsrv:propagate name releases = no
9805
9806       wreplsrv:scavenging_interval (G)
9807
9808           This is the interval in s between 2 scavenging runs which clean up
9809           the WINS database and changes the states of expired name records.
9810           Defaults to half of the value of wreplsrv:renew_interval.
9811
9812           No default
9813
9814       wreplsrv:tombstone_extra_timeout (G)
9815
9816           This is the time in s the server needs to be up till we'll remove
9817           tombstone records from our database. Defaults to 3 days.
9818
9819           Default: wreplsrv:tombstone_extra_timeout = 259200
9820
9821       wreplsrv:tombstone_interval (G)
9822
9823           This is the interval in s till released records of the WINS server
9824           become tombstone. Defaults to 6 days.
9825
9826           Default: wreplsrv:tombstone_interval = 518400
9827
9828       wreplsrv:tombstone_timeout (G)
9829
9830           This is the interval in s till tombstone records are deleted from
9831           the WINS database. Defaults to 1 day.
9832
9833           Default: wreplsrv:tombstone_timeout = 86400
9834
9835       wreplsrv:verify_interval (G)
9836
9837           This is the interval in s till we verify active replica records
9838           with the owning WINS server. Unfortunately not implemented yet.
9839           Defaults to 24 days.
9840
9841           Default: wreplsrv:verify_interval = 2073600
9842
9843       writable
9844
9845           This parameter is a synonym for writeable.
9846
9847       write ok
9848
9849           This parameter is a synonym for writeable.
9850
9851       writeable (S)
9852
9853           Inverted synonym for read only.
9854
9855           Default: writeable = no
9856
9857       write cache size (S)
9858
9859           If this integer parameter is set to non-zero value, Samba will
9860           create an in-memory cache for each oplocked file (it does not do
9861           this for non-oplocked files). All writes that the client does not
9862           request to be flushed directly to disk will be stored in this cache
9863           if possible. The cache is flushed onto disk when a write comes in
9864           whose offset would not fit into the cache or when the file is
9865           closed by the client. Reads for the file are also served from this
9866           cache if the data is stored within it.
9867
9868           This cache allows Samba to batch client writes into a more
9869           efficient write size for RAID disks (i.e. writes may be tuned to be
9870           the RAID stripe size) and can improve performance on systems where
9871           the disk subsystem is a bottleneck but there is free memory for
9872           userspace programs.
9873
9874           The integer parameter specifies the size of this cache (per
9875           oplocked file) in bytes.
9876
9877           Note that the write cache won't be used for file handles with a
9878           smb2 write lease.
9879
9880           Default: write cache size = 0
9881
9882           Example: write cache size = 262144 # for a 256k cache size per file
9883
9884       write list (S)
9885
9886           This is a list of users that are given read-write access to a
9887           service. If the connecting user is in this list then they will be
9888           given write access, no matter what the read only option is set to.
9889           The list can include group names using the @group syntax.
9890
9891           Note that if a user is in both the read list and the write list
9892           then they will be given write access.
9893
9894           Default: write list =
9895
9896           Example: write list = admin, root, @staff
9897
9898       write raw (G)
9899
9900           This is ignored if async smb echo handler is set, because this
9901           feature is incompatible with raw write SMB requests
9902
9903           If enabled, raw writes allow writes of 65535 bytes in one packet.
9904           This typically provides a major performance benefit for some very,
9905           very old clients.
9906
9907           However, some clients either negotiate the allowable block size
9908           incorrectly or are incapable of supporting larger block sizes, and
9909           for these clients you may need to disable raw writes.
9910
9911           In general this parameter should be viewed as a system tuning tool
9912           and left severely alone.
9913
9914           Default: write raw = yes
9915
9916       wtmp directory (G)
9917
9918           This parameter is only available if Samba has been configured and
9919           compiled with the option --with-utmp. It specifies a directory
9920           pathname that is used to store the wtmp or wtmpx files (depending
9921           on the UNIX system) that record user connections to a Samba server.
9922           The difference with the utmp directory is the fact that user info
9923           is kept after a user has logged out.
9924
9925           By default this is not set, meaning the system will use whatever
9926           utmp file the native system is set to use (usually /var/run/wtmp on
9927           Linux).
9928
9929           Default: wtmp directory =
9930
9931           Example: wtmp directory = /var/log/wtmp
9932

WARNINGS

9934       Although the configuration file permits service names to contain
9935       spaces, your client software may not. Spaces will be ignored in
9936       comparisons anyway, so it shouldn't be a problem - but be aware of the
9937       possibility.
9938
9939       On a similar note, many clients - especially DOS clients - limit
9940       service names to eight characters.  smbd(8) has no such limitation, but
9941       attempts to connect from such clients will fail if they truncate the
9942       service names. For this reason you should probably keep your service
9943       names down to eight characters in length.
9944
9945       Use of the [homes] and [printers] special sections make life for an
9946       administrator easy, but the various combinations of default attributes
9947       can be tricky. Take extreme care when designing these sections. In
9948       particular, ensure that the permissions on spool directories are
9949       correct.
9950

VERSION

9952       This man page is part of version 4.10.4 of the Samba suite.
9953

SEE ALSO

9955       samba(7), smbpasswd(8), smbd(8), nmbd(8), winbindd(8), samba(8), samba-
9956       tool(8), smbclient(1), nmblookup(1), testparm(1).
9957

AUTHOR

9959       The original Samba software and related utilities were created by
9960       Andrew Tridgell. Samba is now developed by the Samba Team as an Open
9961       Source project similar to the way the Linux kernel is developed.
9962
9963
9964
9965Samba 4.10.4                      05/28/2019                       SMB.CONF(5)
Impressum