
smb.conf



SYNOPSIS

       The smb.conf file is a configuration file for the Samba
       suite. smb.conf contains runtime configuration information
       for the Samba programs. The smb.conf file is designed to
       be configured and administered by the swat(8) program. The
       complete description of the file format and possible
       parameters held within are here for reference purposes.


FILE FORMAT

       The file consists of sections and  parameters.  A  section
       begins with the name of the section in square brackets and
       continues until the next section begins. Sections  contain
       parameters of the form

       name = value

       The  file is line-based - that is, each newline-terminated
       line represents either a comment,  a  section  name  or  a
       parameter.

       Section and parameter names are not case sensitive.

       Only the first equals sign in a parameter is significant.
       Whitespace before or after the first equals sign is
       discarded. Leading, trailing and internal whitespace in
       section and parameter names is irrelevant. Leading and
       trailing whitespace in a parameter value is discarded.
       Internal whitespace within a parameter value is retained
       verbatim.

       Any line beginning with a semicolon (';') or a hash ('#')
       character is ignored, as are lines containing only
       whitespace.

       Any  line ending in a '\' is continued on the next line in
       the customary UNIX fashion.

       The values following the equals sign in parameters are all
       either a string (no quotes needed) or a boolean, which may
       be given as yes/no, 0/1 or true/false. Case is not
       significant in boolean values, but is preserved in string
       values. Some items such as create modes are numeric.


SECTION DESCRIPTIONS

       Each section in the configuration file (except for the
       [global] section) describes a shared resource (known as a
       "share"). The section name is the name of the shared
       resource and the parameters within the section define the
       share's attributes.

       There are three special sections,  [global],  [homes]  and
       [printers],  which  are  described under special sections.
       no password is required to access them. A  specified  UNIX
       guest  account is used to define access privileges in this
       case.

       Sections other than guest services will require a password
       to access them. The client provides the username. As older
       clients only provide passwords and not usernames, you  may
       specify  a list of usernames to check against the password
       using the "user =" option in  the  share  definition.  For
       modern  clients  such  as  Windows  95/98/ME/NT/2000, this
       should not be necessary.

       Note that the access rights  granted  by  the  server  are
       masked  by  the  access rights granted to the specified or
       guest UNIX user by the host system. The  server  does  not
       grant more access than the host system grants.

       The  following  sample section defines a file space share.
       The user has write access  to  the  path  /home/bar.   The
       share is accessed via the share name "foo":

                 [foo]
                 path = /home/bar
                 read only = no

       The  following  sample  section defines a printable share.
       The share is readonly, but printable. That  is,  the  only
       write  access permitted is via calls to open, write to and
       close a spool file. The guest ok  parameter  means  access
       will  be  permitted  as  the default guest user (specified
       elsewhere):

                 [aprinter]
                 path = /usr/spool/public
                 read only = yes
                 printable = yes
                 guest ok = yes


SPECIAL SECTIONS

   THE  GLOBAL  SECTION
       Parameters in this section apply to the server as a whole,
       or are defaults for sections which do not specifically
       define certain items. See the notes under PARAMETERS for
       more information.

   THE  HOMES  SECTION
       · The  share  name  is  changed  from homes to the located
         username.

       · If no path was given, the path is set to the user's home
         directory.

       If you decide to use a path = line in your [homes] section
       then you may find it useful to use the %S macro. For
       example:

       path = /data/pchome/%S

       would be useful if you have different home directories for
       your PCs than for UNIX access.

       This is a fast and simple way to give a  large  number  of
       clients access to their home directories with a minimum of
       fuss.

       A similar process occurs if the requested section name  is
       "homes", except that the share name is not changed to that
       of the requesting user. This method of using  the  [homes]
       section works well if different users share a client PC.

       The [homes] section can specify all the parameters a
       normal service section can specify, though some make more
       sense than others. The following is a typical and suitable
       [homes] section:

                 [homes]
                 read only = no

       An important point is that if guest access is specified in
       the  [homes] section, all home directories will be visible
       to all clients without a password.  In the  very  unlikely
       event that this is actually desirable, it would be wise to
       also specify read only access.
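
       The file-format rules and the [homes] guest warning above, as an
       added example (not part of the original man page and not Samba
       code): a parser that applies those rules, then reports guest
       access on [homes], taking [global] values as defaults. The
       synonym table, the built-in defaults and the finding names are
       assumptions of this example.

```python
"""Parse smb.conf text per the FILE FORMAT rules, then audit [homes]."""

TRUE_WORDS = {"yes", "1", "true"}
FALSE_WORDS = {"no", "0", "false"}

# Assumption (not stated on this page): "public" is a synonym for "guest ok"
# and "writable"/"writeable"/"write ok" are inverted synonyms for "read only".
# Maps normalised name -> (canonical name, value is inverted).
SYNONYMS = {
    "public": ("guestok", False),
    "writable": ("readonly", True),
    "writeable": ("readonly", True),
    "writeok": ("readonly", True),
}

# Constructed sample input, not taken from a real server.
SAMPLE = """\
; constructed sample
[Global]
   Guest OK = Yes
[homes]
   comment = home dirs = private \\
      (continued)
   WRITE able = TRUE
"""


def norm_name(name):
    """Names are case-insensitive and whitespace inside them is irrelevant."""
    return "".join(name.split()).lower()


def as_bool(value):
    """Booleans may be yes/no, 0/1 or true/false, in any case."""
    word = value.strip().lower()
    if word in TRUE_WORDS:
        return True
    if word in FALSE_WORDS:
        return False
    raise ValueError("not a boolean: %r" % value)


def logical_lines(text):
    """Join each line ending in a backslash with the line that follows it."""
    pending = ""
    for raw in text.splitlines():
        if raw.endswith("\\"):
            pending += raw[:-1]
        else:
            yield pending + raw
            pending = ""
    if pending:
        yield pending


def parse(text):
    """Return {section: {parameter: value}} keyed by normalised names."""
    sections, current = {}, None
    for line in logical_lines(text):
        line = line.strip()
        if not line or line[0] in ";#":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(norm_name(line[1:-1]), {})
            continue
        if current is None or "=" not in line:
            continue  # not a parameter line; a real loader would report it
        name, value = line.split("=", 1)  # only the first '=' is significant
        key, value = norm_name(name), value.strip()
        if key in SYNONYMS:
            key, inverted = SYNONYMS[key]
            if inverted:
                value = "no" if as_bool(value) else "yes"
        current[key] = value  # a later line overrides an earlier one
    return sections


def audit_homes(text):
    """Report guest access on [homes], using [global] values as defaults."""
    sections = parse(text)
    if "homes" not in sections:
        return []

    def setting(key, default):
        for name in ("homes", "global"):
            if key in sections.get(name, {}):
                return as_bool(sections[name][key])
        return default

    findings = []
    # Assumed built-in defaults: guest ok = no, read only = yes.
    if setting("guestok", False):
        findings.append("homes-guest-access")
        if not setting("readonly", True):
            findings.append("homes-guest-writable")
    return findings


if __name__ == "__main__":
    for finding in audit_homes(SAMPLE):
        print(finding)
```
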

       Note that the browseable flag for  auto  home  directories
       will be inherited from the global browseable flag, not the
       [homes] browseable flag. This is useful as it means setting
       browseable = no in the [homes] section will hide the
       treated  as  a  printer  name and the appropriate printcap
       file is scanned to see if the requested section name is  a
       valid  printer  share  name.  If  a  match is found, a new
       printer share is created by cloning the [printers] section.

       A  few  modifications  are  then made to the newly created
       share:

       · The share name is set to the located printer name

       · If no printer name was given, the printer name is set to
         the located printer name

       · If the share does not permit guest access and no
         username was given, the username is set to the located
         printer name.

       Note  that  the  [printers] service MUST be printable - if
       you specify otherwise, the server will refuse to load  the
       configuration file.

       Typically  the  path  specified  would be that of a world-
       writeable spool directory with the sticky bit set on it. A
       typical [printers] entry would look like this:

                 [printers]
                      path = /usr/spool/public
                      guest ok = yes
                      printable = yes

       All aliases given for a printer in the printcap file are
       legitimate printer names as far as the server is
       concerned. If your printing subsystem doesn't work like
       that, you will have to set up a pseudo-printcap. This is a
       file consisting of one or more lines like this:

                              alias|alias|alias|alias...

       Each alias should be an acceptable printer name for your
       printing subsystem. In the [global] section, specify the
       new file as your printcap. The server will then only
       recognize names found in your pseudo-printcap, which of
       course can contain whatever aliases you like. The same


PARAMETERS

       Parameters define the specific attributes of sections.

       Some parameters are specific to the [global] section
       (e.g., security). Some parameters are usable in all
       sections (e.g., create mode). All others are permissible only
       in normal sections. For the purposes of the following
       descriptions the [homes] and [printers] sections will be
       considered normal. The letter G in parentheses indicates
       that a parameter is specific to the [global] section. The
       letter S indicates that a parameter can be specified in a
       service specific section. Note that all S parameters can
       also be specified in the [global] section - in which case
       they will define the default behavior for all services.

       Parameters are arranged here in alphabetical order - this
       may not create best bedfellows, but at least you can find
       them! Where there are synonyms, the preferred synonym is
       described, others refer to the preferred synonym.


VARIABLE SUBSTITUTIONS

       Many  of  the strings that are settable in the config file
       can take substitutions. For example  the  option  "path  =
       /tmp/%u" would be interpreted as "path = /tmp/john" if the
       user connected with the username john.

       These substitutions are mostly noted in  the  descriptions
       below,  but  there  are  some  general substitutions which
       apply whenever they might be relevant. These are:

       %S     the name of the current service, if any.

       %P     the root directory of the current service, if  any.

       %u     user name of the current service, if any.

       %g     primary group name of %u.

       %U     session  user  name  (the user name that the client
              wanted, not necessarily the same as  the  one  they
              got).

       %G     primary group name of %U.

       %H     the home directory of the user given by %u.

       %v     the Samba version.

       %h     the Internet hostname that Samba is running on.

              is  obtained  from  your NIS auto.map entry. If you
              have not compiled Samba with  the  --with-automount
              option then this value will be the same as %L.

       %p     the  path of the service's home directory, obtained
              from your NIS  auto.map  entry.  The  NIS  auto.map
              entry is split up as "%N:%p".

       %R     the selected protocol level after protocol
              negotiation. It can be one of CORE, COREPLUS, LANMAN1,
              LANMAN2 or NT1.

       %d     The process id of the current server process.

       %a     the architecture of the remote machine. Only some
              are recognized, and those may not be 100% reliable.
              It currently recognizes Samba, WfWg, Win95, WinNT
              and Win2k. Anything else will be known as
              "UNKNOWN". If it gets it wrong then sending a level
              3 log to samba@samba.org should allow it to be
              fixed.

       %I     The IP address of the client machine.

       %T     the current date and time.

       %$(envvar)
              The value of the environment variable envvar.

       There are some quite creative things that can be done with
       these substitutions and other smb.conf options.


NAME MANGLING

       Samba supports "name mangling" so that DOS and Windows
       clients can use files that don't conform to the 8.3
       format. It can also be set to adjust the case of 8.3 format
       filenames.

       There are several options that control the way mangling is
       performed, and they are grouped here  rather  than  listed
       separately.   For  the  defaults look at the output of the
       testparm program.

       All of these options can be set separately for each
       service (or globally, of course).

       The options are:

       mangling method
              controls  the algorithm used for the generating the
              this is yes then a name like "Mail" would be
              mangled. Default no.

       case sensitive = yes/no
              controls whether filenames are case  sensitive.  If
              they  aren't  then  Samba must do a filename search
              and match on passed names. Default no.

       default case = upper/lower
              controls what the default case is for new
              filenames. Default lower.

       preserve case = yes/no
              controls  if  new  files  are created with the case
              that the client passes, or if they are forced to be
              the "default" case. Default yes.

       short preserve case = yes/no
              controls if new files which conform to 8.3 syntax,
              that is all in upper case and of suitable length,
              are created upper case, or if they are forced to be
              the "default" case. This option can be used with
              "preserve case = yes" to permit long filenames to
              retain their case, while short names are
              lowercased. Default yes.

       By default, Samba 2.2 has the same semantics as a Windows
       NT server, in that it is case insensitive but case
       preserving.


NOTE ABOUT USERNAME/PASSWORD VALIDATION

       There are a number of ways in which a user can connect to
       a service. The server uses the following steps in
       determining if it will allow a connection to a specified
       service. If all the steps fail, then the connection request
       is rejected. However, if one of the steps succeeds, then
       the following steps are not checked.

       If the service is marked "guest only = yes" and the server
       is  running with share-level security ("security = share")
       then steps 1 to 5 are skipped.

       1.     If the client has passed a  username/password  pair
              and that username/password pair is validated by the
              UNIX system's password programs then the connection
              is  made  as that username. Note that this includes
              the \\server\service%username method of  passing  a
              username.

       2.     If  the client has previously registered a username
              with the system and now supplies a correct password
              word,  and  that password matches (according to the
              UNIX system's password checking) with  one  of  the
              usernames from the "user =" field then the
              connection is made as the username in the "user =" line.
              If one of the usernames in the "user =" list begins
              with a '@' then that name expands to a list of
              names in the group of the same name.

       6.     If the service is a guest service then a connection
              is made as the username given in the "guest account
              ="  for  the  service, irrespective of the supplied
              password.


COMPLETE LIST OF GLOBAL PARAMETERS

       Here is a list of all global parameters. See the section
       of each parameter for details. Note that some are
       synonyms.

       · acl compatibility

       · add printer command

       · add share command

       · add user script

       · allow trusted domains

       · announce as

       · announce version

       · auto services

       · bind interfaces only

       · browse list

       · change notify timeout

       · change share command

       · character set

       · client code page

       · code page directory

       · coding system

       · config file

       · default service

       · delete printer command

       · delete share command

       · delete user script

       · dfree command

       · disable spoolss

       · dns proxy

       · domain admin group

       · domain guest group

       · domain logons

       · domain master

       · encrypt passwords

       · enhanced browsing

       · enumports command

       · getwd cache

       · hide local users

       · hide unreadable

       · homedir map

       · host msdfs

       · hosts equiv

       · interfaces

       · keepalive

       · kernel oplocks

       · lanman auth

       · large readwrite

       · ldap admin dn

       · lm interval

       · load printers

       · local master

       · lock dir

       · lock directory

       · lock spin count

       · lock spin time

       · pid directory

       · log file

       · log level

       · logon drive

       · logon home

       · logon path

       · logon script

       · lpq cache time

       · machine password timeout

       · mangled stack

       · mangling method

       · map to guest

       · max disk size

       · max log size

       · max mux

       · max open files

       · max protocol

       · max smbd processes

       · max ttl

       · name resolve order

       · netbios aliases

       · netbios name

       · netbios scope

       · nis homedir

       · nt pipe support

       · nt smb support

       · nt status support

       · null passwords

       · obey pam restrictions

       · oplock break wait time

       · os level

       · os2 driver map

       · pam password change

       · panic action

       · passwd chat

       · passwd chat debug

       · passwd program

       · password level

       · password server

       · prefered master

       · preferred master

       · preload

       · printcap

       · printcap name

       · printer driver file

       · root

       · root dir

       · root directory

       · security

       · server string

       · show add printer wizard

       · smb passwd file

       · socket address

       · socket options

       · source environment

       · ssl

       · ssl CA certDir

       · ssl CA certFile

       · ssl ciphers

       · ssl client cert

       · ssl client key

       · ssl compatibility

       · ssl egd socket

       · ssl entropy bytes

       · ssl entropy file

       · ssl hosts

       · ssl hosts resign

       · ssl require clientcert

       · ssl require servercert

       · ssl server cert

       · ssl server key

       · template shell

       · time offset

       · time server

       · timestamp logs

       · total print jobs

       · unix extensions

       · unix password sync

       · update encrypted

       · use mmap

       · use rhosts

       · username level

       · username map

       · utmp

       · utmp directory

       · valid chars

       · winbind cache time

       · winbind enum users

       · winbind enum groups

       · winbind gid

       · winbind separator

       · winbind uid

       · winbind use default domain

       · wins hook

       · wins proxy

       · wins server

       · wins support


       · blocking locks

       · block size

       · browsable

       · browseable

       · case sensitive

       · casesignames

       · comment

       · copy

       · create mask

       · create mode

       · csc policy

       · default case

       · default devmode

       · delete readonly

       · delete veto files

       · deny hosts

       · directory

       · directory mask

       · directory mode

       · directory security mask

       · dont descend

       · dos filemode

       · dos filetime resolution

       · dos filetimes

       · exec

       · fake directory create times

       · force unknown acl user

       · force user

       · fstype

       · group

       · guest account

       · guest ok

       · guest only

       · hide dot files

       · hide files

       · hosts allow

       · hosts deny

       · include

       · inherit acls

       · inherit permissions

       · invalid users

       · level2 oplocks

       · locking

       · lppause command

       · lpq command

       · lpresume command

       · lprm command

       · magic output

       · magic script

       · mangle case

       · mangled map

       · mangled names

       · msdfs proxy

       · msdfs root

       · nt acl support

       · only guest

       · only user

       · oplock contention limit

       · oplocks

       · path

       · posix locking

       · postexec

       · postscript

       · preexec

       · preexec close

       · preserve case

       · print command

       · print ok

       · printable

       · printer

       · printer admin

       · printer driver

       · printer driver location

       · printer name

       · printing

       · profile acls

       · public

       · queuepause command

       · set directory

       · share modes

       · short preserve case

       · status

       · strict allocate

       · strict locking

       · strict sync

       · sync always

       · use client driver

       · use sendfile

       · user

       · username

       · users

       · valid users

       · veto files

       · veto oplock files

       · vfs object

       · vfs options

       · volume

       · wide links

       · writable

       · write cache size

       · write list

       · write ok

       · writeable


EXPLANATION OF EACH PARAMETER

              Example: acl compatibility = Win2k

              Example: acl compatibility = winnt

       add printer command (G)
              With the introduction of MS-RPC based printing
              support for Windows NT/2000 clients in Samba 2.2, the
              MS Add Printer Wizard (APW) icon is now also
              available in the "Printers..." folder displayed in a
              share listing. The APW allows for printers to be added
              remotely to a Samba or Windows NT/2000 print
              server.

              For a Samba host this means that the printer must
              be physically added to the underlying printing
              system. The add printer command defines a script to be
              run which will perform the necessary operations for
              adding the printer to the print system and to add
              the appropriate service definition to the smb.conf
              file in order that it can be shared by smbd(8).

              The add printer command is automatically invoked
              with the following parameters (in order):

              · printer name

              · share name

              · port name

              · driver name

              · location

              · Windows 9x driver location

       All parameters  are  filled  in  from  the  PRINTER_INFO_2
       structure  sent  by  the  Windows  NT/2000 client with one
       exception. The "Windows 9x driver location"  parameter  is
       included  for  backwards compatibility only. The remaining
       fields in the structure are generated from answers to  the
       APW questions.

       Once  the add printer command has been executed, smbd will
       reparse the  smb.conf to determine if the share defined by
       the  APW  exists.  If the sharename is still invalid, then
       smbd will return an ACCESS_DENIED error to the client.

       See also   delete  printer  command,  printing,  show  add
              service definition to smb.conf. In order to
              successfully execute the add share command, smbd
              requires that the administrator be connected using
              a root account (i.e. uid == 0).

              When executed, smbd will automatically  invoke  the
              add share command with four parameters.

              · configFile  - the location of the global smb.conf
                file.

              · shareName - the name of the new share.

              · pathName - path to an **existing**  directory  on
                disk.

              · comment  -  comment  string to associate with the
                new share.

       This parameter is only used to add file shares. To add
       printer shares, see the add printer command.

       See also change share command, delete share command.

       Default: none

       Example: add share command = /usr/local/bin/addshare

       add user script (G)
              This is the full pathname to a script that will be
              run AS ROOT by smbd(8) under special circumstances
              described below.

              Normally, a Samba server requires that  UNIX  users
              are  created  for all users accessing files on this
              server. For  sites  that  use  Windows  NT  account
              databases  as  their primary user database creating
              these users and keeping the user list in sync  with
              the  Windows NT PDC is an onerous task. This option
              allows smbd to create the required  UNIX  users  ON
              DEMAND when a user accesses the Samba server.

              In  order  to use this option, smbd must NOT be set
              to security = share and add user script must be set
              to  a full pathname for a script that will create a
              UNIX user given one argument of %u,  which  expands
              into the UNIX user name to create.

              ically   created   to  match  existing  Windows  NT
              accounts.

              See also  security,  password server,  delete  user
              script.

              Default: add user script = <empty string>

              Example: add user script = /usr/local/samba/bin/add_user %u
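
              One way to write the script that add user script
              points at, as an added example (not from the original
              man page and not shipped with Samba): because smbd runs
              it as root with the expanded %u as its one argument, it
              validates that argument before calling useradd. The
              name policy, the reserved list, the useradd path and
              the useradd options are assumptions of this example.

```python
#!/usr/bin/env python3
"""Hypothetical add_user helper for: add user script = /path/add_user %u"""
import re
import subprocess
import sys

# Assumed account-name policy: a lowercase letter or underscore first, then
# lowercase letters, digits, '_' or '-', at most 32 characters in total.
NAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")

# Assumed list of names this script must never be asked to create.
RESERVED = {"root", "daemon", "bin", "sys", "nobody"}

# Assumed location of useradd and of a non-login shell on the host.
USERADD = "/usr/sbin/useradd"
NOLOGIN = "/usr/sbin/nologin"


def build_useradd_argv(args):
    """Validate the script's arguments and return the useradd command line.

    Raises ValueError instead of passing anything doubtful to useradd.
    """
    if len(args) != 1:
        raise ValueError("expected exactly one argument (the expanded %u)")
    name = args[0]
    # fullmatch rejects whitespace, path separators, shell metacharacters
    # and a leading '-' that useradd could read as an option.
    if not NAME_RE.fullmatch(name):
        raise ValueError("rejected account name")
    if name in RESERVED:
        raise ValueError("reserved account name")
    # The account only needs to own files, so it gets no login shell.
    # "--" ends option parsing before the name.
    return [USERADD, "--create-home", "--shell", NOLOGIN, "--", name]


def main():
    try:
        cmd = build_useradd_argv(sys.argv[1:])
    except ValueError as exc:
        print("add_user: %s" % exc, file=sys.stderr)
        return 2
    # Argument list with shell=False: no shell ever parses the name.
    return subprocess.run(cmd, shell=False, check=False).returncode


if __name__ == "__main__":
    sys.exit(main())
```
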

       admin users (S)
              This is a list of users who will be granted
              administrative privileges on the share. This means that
              they will do all file operations as the super-user
              (root).

              You should use this option very carefully, as any
              user in this list will be able to do anything they
              like on the share, irrespective of file
              permissions.

              Default: no admin users

              Example: admin users = jason

       allow hosts (S)
              Synonym for  hosts allow.

       allow trusted domains (G)
              This option only takes effect when the security
              option is set to server or domain. If it is set to
              no, then attempts to connect to a resource from a
              domain or workgroup other than the one which smbd
              is running in will fail, even if that domain is
              trusted by the remote server doing the
              authentication.

              This is useful if you only want your Samba server
              to serve resources to users in the domain it is a
              member of. As an example, suppose that there are
              two domains DOMA and DOMB. DOMB is trusted by DOMA,
              which contains the Samba server. Under normal
              circumstances, a user with an account in DOMB can then
              access the resources of a UNIX account with the
              same account name on the Samba server even if they
              do not have an account in DOMA. This can make
              implementing a security boundary difficult.

              Default: allow trusted domains = yes

       announce as (G)
              Example: announce as = Win95

       announce version (G)
              This  specifies the major and minor version numbers
              that nmbd will use  when  announcing  itself  as  a
              server.  The  default  is  4.9.  Do not change this
              parameter unless you have a specific need to set  a
              Samba server to be a downlevel server.

              Default: announce version = 4.9

              Example: announce version = 2.0

       auto services (G)
              This is a synonym for the  preload.

       available (S)
              This  parameter  lets  you "turn off" a service. If
              available = no, then ALL attempts to connect to the
              service will fail. Such failures are logged.

              Default: available = yes

       bind interfaces only (G)
              This global parameter allows the Samba admin to
              limit what interfaces on a machine will serve SMB
              requests. It affects file service smbd(8) and name
              service nmbd(8) in slightly different ways.

              For name service it causes nmbd to bind to ports
              137 and 138 on the interfaces listed in the
              interfaces parameter. nmbd also binds to the "all
              addresses" interface (0.0.0.0) on ports 137 and 138
              for the purposes of reading broadcast messages. If
              this option is not set then nmbd will service name
              requests on all of these sockets. If bind
              interfaces only is set then nmbd will check the source
              address of any packets coming in on the broadcast
              sockets and discard any that don't match the
              broadcast addresses of the interfaces in the interfaces
              parameter list. As unicast packets are received on
              the other sockets it allows nmbd to refuse to serve
              names to machines that send packets that arrive
              through any interfaces not listed in the interfaces
              list. IP source address spoofing does defeat this
              simple check, however, so it must not be used
              seriously as a security feature for nmbd.

              For file service it causes smbd(8) to bind only to
              the interface list given in the interfaces
              parameter. This restricts the networks that smbd will
              serve to packets coming in those  interfaces.  Note
              unless the network address 127.0.0.1  is  added  to
              the interfaces parameter list then smbpasswd will
              fail to connect in its default mode. smbpasswd
              can be forced to use the primary IP interface of
              the local host by using its -r remote machine
              parameter, with remote machine set to the IP name
              of the primary interface of the local host.

              The swat status page tries to connect with smbd and
              nmbd at the address 127.0.0.1 to determine if they
              are running. Not adding 127.0.0.1 will cause smbd
              and nmbd to always show "not running" even if they
              really are. This can prevent swat from
              starting/stopping/restarting smbd and nmbd.

              Default: bind interfaces only = no

       block size (S)
              This parameter controls  the  behavior  of  smbd(8)
              when  reporting  disk free sizes.  By default, this
              reports a disk block size of 1024 bytes.

              Changing this parameter may have some effect on the
              efficiency  of  client writes, this is not yet con­
              firmed. This parameter was added to allow  advanced
              administrators  to  change  it (usually to a higher
              value) and test the effect it has on  client  write
              performance  without re-compiling the code. As this
              is an experimental option it may be  removed  in  a
              future release.

              Changing  this option does not change the disk free
              reporting size, just the block size  unit  reported
              to the client.

              Default: block size = 1024

              Example: block size = 65536

       blocking locks (S)
              This  parameter  controls  the  behavior of smbd(8)
              when given a request by a client to obtain  a  byte
              range  lock  on  a  region of an open file, and the
              request has a time limit associated with it.

              If  this  parameter  is  set  and  the  lock  range
              requested  cannot  be  immediately satisfied, Samba
              2.2 will internally queue  the  lock  request,  and
              periodically  attempt  to obtain the lock until the
              timeout period expires.

              If this parameter is set to no, then Samba 2.2 will

              Default: browse list = yes

       browseable (S)
              This controls whether this share  is  seen  in  the
              list  of  available shares in a net view and in the
              browse list.

              Default: browseable = yes

       case sensitive (S)
              See the discussion in the section NAME MANGLING.

              Default: case sensitive = no

       casesignames (S)
              Synonym for case sensitive.

       change notify timeout (G)
              This SMB allows  a  client  to  tell  a  server  to
              "watch"  a particular directory for any changes and
              only reply to the SMB request  when  a  change  has
              occurred.  Such constant scanning of a directory is
              expensive under UNIX, hence an  smbd(8) daemon only
              performs  such  a  scan on each requested directory
              once every change notify timeout seconds.

              Default: change notify timeout = 60

              Example: change notify timeout = 300

              Would change the scan time to every 5 minutes.

       change share command (G)
              Samba 2.2.0 introduced the ability  to  dynamically
              add and delete shares via the Windows NT 4.0 Server
              Manager. The change share command is used to define
              an  external program or script which will modify an
              existing service definition in smb.conf.  In  order
              to  successfully  execute the change share command,
              smbd requires that the administrator  be  connected
              using a root account (i.e.  uid == 0).

              When  executed,  smbd will automatically invoke the
              change share command with four parameters.

              · configFile - the location of the global  smb.conf
                file.

              · shareName - the name of the new share.

              · pathName  -  path to an **existing** directory on

              Example: change share command = /usr/local/bin/addshare

       character set (G)
              This allows smbd to map incoming filenames  from  a
              DOS  Code page (see the client code page parameter)
              to several built in UNIX character sets.  The built
              in code page translations are:

              · ISO8859-1  : Western European UNIX character set.
                The parameter client code page  MUST  be  set  to
                code  page  850 if the character set parameter is
                set to ISO8859-1 in order for the  conversion  to
                the UNIX character set to be done correctly.

              · ISO8859-2  : Eastern European UNIX character set.
                The parameter client code page  MUST  be  set  to
                code  page 852 if the  character set parameter is
                set to ISO8859-2 in order for the  conversion  to
                the UNIX character set to be done correctly.

              · ISO8859-5  : Russian Cyrillic UNIX character set.
                The parameter client code page  MUST  be  set  to
                code  page 866 if the character set  parameter is
                set to ISO8859-5 in order for the  conversion  to
                the UNIX character set to be done correctly.

              · ISO8859-7 : Greek UNIX character set. The parame­
                ter client code page MUST be set to code page 737
                if   the   character  set  parameter  is  set  to
                ISO8859-7 in order for the conversion to the UNIX
                character set to be done correctly.

              · KOI8-R  :  Alternate mapping for Russian Cyrillic
                UNIX character set.  The  parameter  client  code
                page  MUST be set to code page 866 if the charac­
                ter set parameter is set to KOI8-R in  order  for
                the  conversion  to  the UNIX character set to be
                done correctly.

              BUG. These MSDOS code page to UNIX character set
              mappings should be dynamic, like the loading of MS
              DOS code pages, not static.

              Normally this parameter is not set, meaning no
              filename translation is done.

              Default: character set = <empty string>
              page 850.

              This  parameter  tells  smbd(8)  which of the code­
              page.XXX files  to  dynamically  load  on  startup.
              These  files,  described  more  fully in the manual
              page  make_smbcodepage(1) tell   smbd  how  to  map
              lower  to upper case characters to provide the case
              insensitivity of  filenames  that  Windows  clients
              expect.

              Samba  currently ships with the following code page
              files :

              · Code Page 437 - MS-DOS Latin US

              · Code Page 737 - Windows '95 Greek

              · Code Page 850 - MS-DOS Latin 1

              · Code Page 852 - MS-DOS Latin 2

              · Code Page 861 - MS-DOS Icelandic

              · Code Page 866 - MS-DOS Cyrillic

              · Code Page 932 - MS-DOS Japanese SJIS

              · Code Page 936 - MS-DOS Simplified Chinese

              · Code Page 949 - MS-DOS Korean Hangul

              · Code Page 950 - MS-DOS Traditional Chinese

              Thus this parameter may have any of the values 437,
              737, 850, 852, 861, 932, 936, 949, or 950. If you
              don't find the codepage you need, read the comments
              in one of the other codepage files and the
              make_smbcodepage(1) man page and write one. Please
              remember to donate it back to the Samba user
              community.

              This parameter co-operates with the valid chars
              parameter in determining what characters are valid
              in filenames and how capitalization is done. If you
              set both this parameter and the valid chars
              parameter the client code page parameter MUST be
              set before the valid chars parameter in the
              smb.conf file. The valid chars string will then
              augment the character settings in the client code
              page parameter.

              If not set, client code page defaults to 850.

              See also client code page

              Default:  code page directory = ${prefix}/lib/code­
              pages

              Example:      code      page      directory       =
              /usr/share/samba/codepages

       coding system (G)
              This  parameter  is  used to determine how incoming
              Shift-JIS Japanese characters are mapped  from  the
              incoming  client code page used by the client, into
              file names in the UNIX filesystem.  Only useful  if
              client  code  page  is  set to 932 (Japanese Shift-
              JIS). The options are :

              · SJIS -  Shift-JIS.  Does  no  conversion  of  the
                incoming filename.

              · JIS8,  J8BB,  J8BH,  J8@B,  J8@J, J8@H  - Convert
                from incoming Shift-JIS to  eight  bit  JIS  code
                with different shift-in, shift out codes.

              · JIS7,  J7BB,  J7BH,  J7@B,  J7@J, J7@H  - Convert
                from incoming Shift-JIS to  seven  bit  JIS  code
                with different shift-in, shift out codes.

              · JUNET,  JUBB,  JUBH,  JU@B,  JU@J, JU@H - Convert
                from incoming Shift-JIS to JUNET code  with  dif­
                ferent shift-in, shift out codes.

              · EUC  - Convert an incoming Shift-JIS character to
                EUC code.

              · HEX - Convert an incoming Shift-JIS character  to
                a 3 byte hex representation, i.e.  :AB.

              · CAP  - Convert an incoming Shift-JIS character to
                the  3  byte  hex  representation  used  by   the
                Columbia AppleTalk Program (CAP), i.e. :AB.  This
                is used for compatibility between Samba and  CAP.

              Default: coding system = <empty value>

       comment (S)
              This  is  a text field that is seen next to a share
              when a client queries the server, either via
              the  network  neighborhood  or via net view to list
              what shares are available.

              If you want to set the  string  that  is  displayed
              changed when the parameters are loaded then it will
              reload them from the new config file.

              This  option  takes  the usual substitutions, which
              can be very useful.

              If the config file doesn't exist then it  won't  be
              loaded  (allowing  you  to  special case the config
              files of just a few clients).

              Example:          config           file           =
              /usr/local/samba/lib/smb.conf.%m

       copy (S)
              This   parameter  allows  you  to  "clone"  service
              entries. The specified service is simply duplicated
              under  the  current  service's name. Any parameters
              specified in  the  current  section  will  override
              those in the section being copied.

              This  feature  lets you set up a 'template' service
              and create similar services easily. Note  that  the
              service being copied must occur earlier in the con­
              figuration file than the service doing the copying.

              Default: no value

              Example: copy = otherservice

       create mask (S)
              A synonym for this parameter is create mode .

              When  a  file is created, the necessary permissions
              are calculated according to the  mapping  from  DOS
              modes  to  UNIX permissions, and the resulting UNIX
              mode is then bit-wise 'AND'ed with this  parameter.
              This parameter may be thought of as a bit-wise MASK
              for the UNIX modes of a file. Any bit not set  here
              will  be  removed from the modes set on a file when
              it is created.

              The default value of  this  parameter  removes  the
              'group' and 'other' write and execute bits from the
              UNIX modes.

              Following this Samba will bit-wise  'OR'  the  UNIX
              mode  created from this parameter with the value of
              the force create mode parameter which is set to 000
              by default.

              This parameter does not affect directory modes. See
              the parameter directory mode for details.

              Example: create mask = 0775

       create mode (S)
              This is a synonym for  create mask.

       csc policy (S)
              This stands for  client-side  caching  policy,  and
              specifies  how  clients  capable of offline caching
              will cache the files in the share. The valid values
              are: manual, documents, programs, disable.

              These  values  correspond  to those used on Windows
              servers.

              For example, shares containing roaming profiles can
              have  offline  caching  disabled using csc policy =
              disable .

              Default: csc policy = manual

              Example: csc policy = programs

       deadtime (G)
              The value of the parameter (a decimal integer) rep­
              resents  the number of minutes of inactivity before
              a connection is considered dead, and it is  discon­
              nected.  The deadtime only takes effect if the num­
              ber of open files is zero.

              This is useful to stop a server's  resources  being
              exhausted  by  a  large  number of inactive connec­
              tions.

              Most clients have an auto-reconnect feature when  a
              connection  is broken so in most cases this parame­
              ter should be transparent to users.

              Using this parameter with a timeout of a  few  min­
              utes is recommended for most systems.

              A  deadtime  of zero indicates that no auto-discon­
              nection should be performed.

              Default: deadtime = 0

              Example: deadtime = 15

       debug hires timestamp (G)
              Sometimes the timestamps in the  log  messages  are
              needed with a resolution higher than seconds,
              this boolean parameter adds microsecond  resolution
              Note that the parameter  debug timestamp must be on
              for this to have an effect.

              Default: debug pid = no

       debug timestamp (G)
              Samba  2.2  debug  log  messages are timestamped by
              default. If you are running at a high  debug  level
              these  timestamps  can be distracting. This boolean
              parameter allows timestamping to be turned off.

              Default: debug timestamp = yes

       debug uid (G)
              Samba is sometimes run as root and sometimes run as
              the  connected user, this boolean parameter inserts
              the current euid, egid, uid and gid to  the  times­
              tamp  message headers in the log file if turned on.

              Note that the parameter  debug timestamp must be on
              for this to have an effect.

              Default: debug uid = no

       debuglevel (G)
              Synonym for  log level.

       default (G)
              A synonym for  default service.

       default case (S)
              See  the  section  on  NAME MANGLING. Also note the
              short preserve case parameter.

              Default: default case = lower

       default devmode (S)
              This parameter is only applicable to printable ser­
              vices. When smbd is serving Printer Drivers to Win­
              dows NT/2k/XP clients, each printer  on  the  Samba
              server  has a Device Mode which defines things such
              as paper size and orientation and duplex  settings.
              The  device mode can only correctly be generated by
              the printer driver itself (which can only  be  exe­
              cuted  on a Win32 platform). Because smbd is unable
              to execute the driver code to generate  the  device
              mode,  the default behavior is to set this field to
              NULL.

              Most problems with serving printer drivers to  Win­
              dows  NT/2k/XP  clients  can be traced to a problem
              with the generated  device  mode.  Certain  drivers

              For more information on Windows NT/2k printing  and
              Device    Modes,   see   the   MSDN   documentation
              <URL:http://msdn.microsoft.com/>.

              Default: default devmode = no

       default service (G)
              This parameter specifies  the  name  of  a  service
              which  will be connected to if the service actually
              requested cannot be found.  Note  that  the  square
              brackets  are NOT given in the parameter value (see
              example below).

              There is no default value for  this  parameter.  If
              this  parameter is not given, attempting to connect
              to a nonexistent service results in an error.

              Typically the default service would be a  guest ok,
              read-only service.

              Also  note  that  the apparent service name will be
              changed to equal that  of  the  requested  service,
              this  is very useful as it allows you to use macros
              like %S to make a wildcard service.

              Note also that any "_" characters in  the  name  of
              the  service  used  in the default service will get
              mapped  to  a  "/".  This  allows  for  interesting
              things.

              Example:

              [global]
                   default service = pub

              [pub]
                   path = /%S

       delete printer command (G)
              With  the introduction of MS-RPC based printer sup­
              port for Windows NT/2000 clients in Samba  2.2,  it
              is now possible to delete a printer at run time by
              issuing the DeletePrinter() RPC call.

              For a Samba host this means that the  printer  must
              be physically deleted from underlying printing sys­
              tem. The  deleteprinter command defines a script to
              be  run which will perform the necessary operations

              Default: none

              Example:        deleteprinter       command       =
              /usr/bin/removeprinter

       delete readonly (S)
              This parameter allows readonly files to be deleted.
              This is not normal DOS semantics, but is allowed by
              UNIX.

              This option may be useful for running  applications
              such  as  rcs,  where  UNIX file ownership prevents
              changing file permissions, and DOS  semantics  pre­
              vent deletion of a read only file.

              Default: delete readonly = no

       delete share command (G)
              Samba  2.2.0  introduced the ability to dynamically
              add and delete shares via the Windows NT 4.0 Server
              Manager. The delete share command is used to define
              an external program or script which will remove  an
              existing service definition from smb.conf. In order
              to successfully execute the delete  share  command,
              smbd  requires  that the administrator be connected
              using a root account (i.e.  uid == 0).

              When executed, smbd will automatically  invoke  the
              delete share command with two parameters.

              · configFile  - the location of the global smb.conf
                file.

              · shareName - the name of the existing service.

       This parameter is only used  to  remove  file  shares.  To
       delete printer shares, see the delete printer command.

       See also add share command, change share command.

       Default: none

       Example: delete share command = /usr/local/bin/delshare

       delete user script (G)
              This  is the full pathname to a script that will be
              run AS ROOT by  smbd(8) under special circumstances
              user  script  must  be set to a full pathname for a
              script that will delete a UNIX user given one argu­
              ment  of  %u, which expands into the UNIX user name
              to delete.

              When the Windows user attempts to access the  Samba
              server,  at  login (session setup in the SMB proto­
              col) time, smbd contacts the  password  server  and
              attempts  to  authenticate  the given user with the
              given password. If the  authentication  fails  with
              the  specific  Domain  error  code meaning that the
              user no longer exists then smbd attempts to find  a
              UNIX  user  in  the  UNIX  password  database  that
              matches the Windows user account.  If  this  lookup
              succeeds,  and  delete user script is set then smbd
              will call the specified script AS ROOT, expanding
              any %u argument to be the user name to delete.

              This  script should delete the given UNIX username.
              In this way, UNIX users are dynamically deleted  to
              match existing Windows NT accounts.

              See  also  security = domain, password server , add
              user script .

              Default: delete user script = <empty string>

              Example:      delete      user       script       =
              /usr/local/samba/bin/del_user %u
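
Since smbd runs the delete user script as root and passes it the expanded %u, the script should check that argument before deleting anything. One way to write it, as an added example that is not part of the Samba documentation; the name pattern, the UID threshold of 1000, the protected list and the userdel path are assumptions of the example.

```python
#!/usr/bin/env python3
"""Hypothetical del_user script for 'delete user script = ... %u'."""
import pwd
import re
import subprocess
import sys

# Assumptions of this example (not from the page): account names follow the
# common useradd pattern, ordinary accounts start at UID 1000, and userdel
# lives at /usr/sbin/userdel.
NAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")
MIN_UID = 1000
PROTECTED = {"root", "nobody"}
USERDEL = "/usr/sbin/userdel"


def check_deletable(name, lookup=pwd.getpwnam):
    """Return (ok, reason) for the name smbd passes as the expanded %u."""
    # Reject anything that is not a plain account name. This also rejects a
    # leading '-', so the name cannot be read as a userdel option.
    if not NAME_RE.fullmatch(name):
        return False, "name has characters outside the allowed pattern"
    if name in PROTECTED:
        return False, "protected account"
    try:
        entry = lookup(name)
    except KeyError:
        return False, "no such UNIX user"
    # Never let a remote authentication result remove a system account.
    if entry.pw_uid < MIN_UID:
        return False, "system account (uid below MIN_UID)"
    return True, "ok"


def main(argv):
    if len(argv) != 2:
        print("usage: del_user <username>", file=sys.stderr)
        return 2
    ok, reason = check_deletable(argv[1])
    if not ok:
        # repr() keeps control characters out of the log line.
        print(f"del_user: refusing {argv[1]!r}: {reason}", file=sys.stderr)
        return 1
    # Argument list and no shell: the name is never parsed as shell syntax.
    return subprocess.run([USERDEL, argv[1]]).returncode


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```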

       delete veto files (S)
              This  option  is  used  when Samba is attempting to
              delete a directory that contains one or more vetoed
              directories  (see  the  veto files option). If this
              option is set to no (the default) then if a  vetoed
              directory contains any non-vetoed files or directo­
              ries then the directory delete will fail.  This  is
              usually what you want.

              If  this  option  is  set  to  yes, then Samba will
              attempt to recursively delete any files and  direc­
              tories  within  the  vetoed  directory. This can be
              useful for integration with  file  serving  systems
              such  as  NetAtalk  which  create meta-files within
              directories you  might  normally  veto  DOS/Windows
              users from seeing (e.g. .AppleDouble).

              Setting delete veto files = yes allows these direc­
              tories to be transparently deleted when the  parent
              directory  is deleted (so long as the user has per­
              missions to do so).

              directory listing.

              This setting allows the replacement of the internal
              routines  to  calculate  the  total  disk space and
              amount available  with  an  external  routine.  The
              example  below  gives  a possible script that might
              fulfill this function.

              The external program will be passed a single param­
              eter indicating a directory in the filesystem being
              queried. This will typically consist of the  string
              ./. The script should return two integers in ASCII.
              The first should be the total disk space in blocks,
              and  the  second  should be the number of available
              blocks. An optional third return value can give the
              block  size in bytes. The default blocksize is 1024
              bytes.

              Note: Your script should NOT be  setuid  or  setgid
              and  should  be  owned  by  (and writeable only by)
              root!

              Default: By default internal routines for determin­
              ing  the  disk capacity and remaining space will be
              used.

              Example: dfree command = /usr/local/samba/bin/dfree

              Where  the  script  dfree  (which must be made exe­
              cutable) could be:

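                        #!/bin/sh
                        # print total and available blocks for the directory in $1
                        df "$1" | tail -1 | awk '{print $2" "$4}'

              or perhaps (on Sys V based systems):

                        #!/bin/sh
                        # -k reports in 1024-byte blocks, the default block size
                        /usr/bin/df -k "$1" | tail -1 | awk '{print $3" "$5}'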

              Note that you may have to replace the command names
              with full path names on some systems.

       directory (S)
              Synonym for path .

              The default value of  this  parameter  removes  the
              'group'  and 'other' write bits from the UNIX mode,
              allowing only the user who owns  the  directory  to
              modify it.

              Following  this  Samba  will bit-wise 'OR' the UNIX
              mode created from this parameter with the value  of
              the  force directory mode parameter. This parameter
              is set to 000 by default (i.e. no extra  mode  bits
              are added).

              Note  that this parameter does not apply to permis­
              sions set by Windows NT/2000 ACL  editors.  If  the
              administrator  wishes  to  enforce a mask on access
              control lists also, they need to set the  directory
              security mask.

              See  the  force  directory  mode parameter to cause
              particular mode bits to always be  set  on  created
              directories.

              See also the create mode parameter for masking mode
              bits on created files, and the  directory  security
              mask parameter.

              Also refer to the  inherit permissions parameter.

              Default: directory mask = 0755

              Example: directory mask = 0775
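
The create mask and directory mask entries above describe the same calculation, (requested mode AND mask) OR force mode. The following added Python example, which is not part of the Samba documentation, applies it to every share in a configuration and reports where files or directories can end up writable by others. The parser, the sample configuration, the finding texts, the worst-case requested mode of 0777 and the create mask default of 0744 are assumptions of the example.

```python
import re

# directory mask 0755 and both force modes 000 are the defaults stated on this
# page. create mask 0744 is assumed here as the Samba 2.2 default; the page
# describes that default only in words.
DEFAULTS = {"createmask": 0o744, "forcecreatemode": 0o000,
            "directorymask": 0o755, "forcedirectorymode": 0o000}
SYNONYMS = {"createmode": "createmask", "directorymode": "directorymask"}

# Constructed sample configuration, not taken from any real server.
SAMPLE = """\
; constructed sample
[global]
   create mask = 0775
[template]
   directory mask = 0777
[projects]
   copy = template
   Create Mode = 0664
   force create mode = 0002
[home]
   create mask = 0700
   directory mode = 0700
"""


def norm(name):
    """Section and parameter names: case-insensitive, whitespace ignored."""
    return re.sub(r"\s+", "", name).lower()


def parse_smb_conf(text):
    """Return {section: {param: value}} for the line-based smb.conf format."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(norm(line[1:-1]), {})
        elif "=" in line and current is not None:
            name, value = line.split("=", 1)     # only the first '=' counts
            key = norm(name)
            current[SYNONYMS.get(key, key)] = value.strip()
    return sections


def setting(sections, share, key):
    """Octal mode for a share: own value, 'copy' source, [global], default."""
    sec, seen = sections.get(share, {}), set()
    while True:
        if key in sec:
            return int(sec[key], 8)
        src = norm(sec.get("copy", ""))
        if not src or src in seen or src not in sections:
            break
        seen.add(src)                            # guard against copy loops
        sec = sections[src]
    glob = sections.get("global", {})
    return int(glob[key], 8) if key in glob else DEFAULTS[key]


def effective(requested, mask, force):
    """(requested AND mask) OR force, as the page describes."""
    return (requested & mask) | force


def audit(text, requested=0o777):
    """Map share -> (max file mode, max directory mode, findings)."""
    sections = parse_smb_conf(text)
    report = {}
    for share in sections:
        if share == "global":
            continue
        cmask, cforce, dmask, dforce = (
            setting(sections, share, k) for k in
            ("createmask", "forcecreatemode",
             "directorymask", "forcedirectorymode"))
        fmode = effective(requested, cmask, cforce)
        dmode = effective(requested, dmask, dforce)
        findings = []
        if fmode & 0o002:
            findings.append("files can be world-writable")
        if dmode & 0o002:
            findings.append("directories can be world-writable")
        if (cforce | dforce) & 0o022:
            findings.append("force mode always adds group/other write")
        report[share] = (fmode, dmode, findings)
    return report


if __name__ == "__main__":
    for share, (fmode, dmode, findings) in audit(SAMPLE).items():
        print(f"[{share}] files<={fmode:04o} dirs<={dmode:04o}",
              "; ".join(findings) or "ok")
```

Passing a narrower requested mode to audit() shows what a specific DOS-to-UNIX mapping would produce instead of the upper bound.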

       directory mode (S)
              Synonym for  directory mask

       directory security mask (S)
              This  parameter  controls what UNIX permission bits
              can be modified when a Windows NT client is manipu­
              lating the UNIX permission on a directory using the
              native NT security dialog box.

              This parameter is applied as a mask  (AND'ed  with)
              to the changed permission bits, thus preventing any
              bits not in this mask from being  modified.  Essen­
              tially,  zero bits in this mask may be treated as a
              set of bits the user is not allowed to change.

              If not set explicitly this parameter is set to 0777
              meaning  a  user  is  allowed  to  modify  all  the
              user/group/world permissions on a directory.

              Note that users who can  access  the  Samba  server
              Enabling this parameter will disable Samba's support
              for the SPOOLSS set of MS-RPCs and will yield
              behavior identical to Samba 2.0.x. Windows NT/2000
              clients will downgrade to using Lanman style
              printing commands. Windows 9x/ME will be unaffected
              by the parameter. However, this will also disable the
              ability to upload printer drivers to a Samba server
              via  the  Windows NT Add Printer Wizard or by using
              the NT printer properties dialog  window.  It  will
              also  disable  the  capability  of  Windows NT/2000
              clients to download print drivers  from  the  Samba
              host  upon  demand.  Be very careful about enabling
              this parameter.

              See also use client driver

              Default: disable spoolss = no

       dns proxy (G)
              Specifies that nmbd(8) when acting as a WINS server
              and finding that a NetBIOS name has not been regis­
              tered, should treat the NetBIOS name  word-for-word
              as  a  DNS name and do a lookup with the DNS server
              for  that  name  on  behalf  of  the  name-querying
              client.

              Note  that the maximum length for a NetBIOS name is
              15 characters, so the DNS name (or DNS  alias)  can
              likewise only be 15 characters, maximum.

              nmbd  spawns  a second copy of itself to do the DNS
              name lookup requests, as doing a name lookup  is  a
              blocking action.

              See also the parameter  wins support.

              Default: dns proxy = yes

       domain admin group (G)
              This  parameter is intended as a temporary solution
              to enable users to  be  a  member  of  the  "Domain
              Admins" group when a Samba host is acting as a PDC.
              A complete solution will be provided  by  a  system
              for   mapping  Windows  NT/2000  groups  onto  UNIX
              groups.  Please note  that  this  parameter  has  a
              somewhat confusing name. It accepts a list of user­
              names and of group names in standard smb.conf nota­
              tion.

              See also domain guest group, domain logons

              Default: no domain administrators
              See also domain admin group, domain logons

              Default: no domain guests

              Example: domain guest group = nobody @guest

       domain logons (G)
              If  set to yes, the Samba server will serve Windows
              95/98 Domain logons for the  workgroup  it  is  in.
              Samba  2.2  also has limited capability to act as a
              domain controller for Windows  NT  4  Domains.  For
              more  details  on  setting  up this feature see the
              Samba-PDC-HOWTO included in the htmldocs/ directory
              shipped with the source code.

              Default: domain logons = no

       domain master (G)
              Tell  nmbd(8) to enable WAN-wide browse list colla­
              tion. Setting this option causes nmbd  to  claim  a
              special  domain  specific NetBIOS name that identi­
              fies it as a domain master browser  for  its  given
              workgroup.  Local master browsers in the same work­
              group on broadcast-isolated subnets will give  this
              nmbd their local browse lists, and then ask smbd(8)
              for a complete copy of  the  browse  list  for  the
              whole  wide area network. Browser clients will then
              contact  their  local  master  browser,  and   will
              receive  the  domain-wide  browse  list, instead of
              just the list for their broadcast-isolated  subnet.

              Note  that  Windows  NT  Primary Domain Controllers
              expect to be able to claim this workgroup  specific
              special NetBIOS name that identifies them as domain
              master browsers for that workgroup by default (i.e.
              there  is  no  way to prevent a Windows NT PDC from
              attempting to do this). This  means  that  if  this
              parameter  is  set and nmbd claims the special name
              for a workgroup before a Windows NT PDC is able  to
              do  so  then  cross  subnet  browsing  will  behave
              strangely and may fail.

              If domain logons = yes , then the default  behavior
              is to enable the domain master parameter. If domain
              logons is not enabled (the default  setting),  then
              neither will domain master be enabled by default.

              Default: domain master = auto

       dont descend (S)
              There  are  certain  directories  on  some  systems
              (e.g., the /proc tree under Linux) that are  either

       dos filemode (S)
              The default behavior in Samba is to provide UNIX-like
              behavior where only the owner of a file/directory is
              able to change the permissions on it. However, this
              behavior is often confusing to DOS/Windows users.
              Enabling this parameter allows a user who has write
              access to the file (by whatever means) to modify the
              permissions on it. Note that a user belonging to the
              group owning the file will not be allowed to change
              permissions if the group is only granted read access.
              Ownership of the file/directory is not changed, only
              the permissions are modified.

              Default: dos filemode = no

       dos filetime resolution (S)
              Under the DOS and Windows FAT filesystem, the finest
              granularity on time resolution is two seconds. Setting
              this parameter for a share causes Samba to round the
              reported time down to the nearest two second boundary
              when a query call that requires one second resolution
              is made to smbd(8).

              This option  is  mainly  used  as  a  compatibility
              option  for  Visual  C++  when  used  against Samba
              shares. If oplocks are enabled on a  share,  Visual
              C++  uses two different time reading calls to check
              if a file has changed since it was last  read.  One
              of  these  calls uses a one-second granularity, the
              other uses a two second  granularity.  As  the  two
              second call rounds any odd second down, then if the
              file has a timestamp of an odd  number  of  seconds
              then  the  two timestamps will not match and Visual
              C++ will keep reporting the file has changed. Setting
              this option causes the two timestamps to match, and
              Visual C++ is happy.

              Default: dos filetime resolution = no

       dos filetimes (S)
              Under DOS and Windows, if a user  can  write  to  a
              file  they  can  change  the timestamp on it. Under
              POSIX semantics, only the owner of the file or root
              may  change  the  timestamp. By default, Samba runs
              with POSIX semantics  and  refuses  to  change  the
              timestamp  on  a file if the user smbd is acting on
              behalf of is  not  the  file  owner.  Setting  this
              option  to   yes allows DOS semantics and smbd will
              change the file timestamp as DOS requires.
              smbd(8) must either have access to a local smbpasswd(5)
              program for information on how to set up and maintain
              this file), or set the security = [server|domain]
              parameter which causes smbd to authenticate against
              another server.

              Default: encrypt passwords = no

       enhanced browsing (G)
              This option enables a  couple  of  enhancements  to
              cross-subnet  browse  propagation  that  have  been
              added in  Samba  but  which  are  not  standard  in
              Microsoft implementations.

              The first enhancement to browse propagation consists
              of a regular wildcard query to a Samba WINS server for
              all Domain Master Browsers, followed by a browse
              synchronization with each of the returned DMBs. The
              second enhancement consists of a regular randomised
              browse synchronization with all currently known DMBs.

              You may wish to disable this option if you have a
              problem with empty workgroups not disappearing from
              browse lists. Due to the restrictions of the browse
              protocols these enhancements can cause an empty
              workgroup to stay around forever, which can be
              annoying.

              In general you should leave this option enabled  as
              it  makes cross-subnet browse propagation much more
              reliable.

              Default: enhanced browsing = yes

       enumports command (G)
              The concept of a "port" is fairly foreign  to  UNIX
              hosts.  Under Windows NT/2000 print servers, a port
              is associated with a  port  monitor  and  generally
              takes  the form of a local port (i.e. LPT1:, COM1:,
              FILE:) or a remote port  (i.e.  LPD  Port  Monitor,
              etc...).  By  default,  Samba  has  only  one  port
              defined--"Samba  Printer   Port".   Under   Windows
              NT/2000,  all printers must have a valid port name.
              If you wish to have a list of ports displayed (smbd
              does  not  use a port name for anything) other than
              the default "Samba Printer Port",  you  can  define
              enumports  command  to  point  to  a  program which
              should generate a list of ports, one per  line,  to
              standard  output. This listing will then be used in
              response to the level 1 and 2 EnumPorts() RPC.
              parameter for a share causes Samba to always report
              midnight 1-1-1980 as the create time for directories.

              This  option  is  mainly  used  as  a compatibility
              option for  Visual  C++  when  used  against  Samba
              shares.  Visual  C++  generated  makefiles have the
              object directory as a dependency  for  each  object
              file,  and  a  make  rule  to create the directory.
              Also, when NMAKE compares timestamps  it  uses  the
              creation  time when examining a directory. Thus the
              object directory will be created  if  it  does  not
              exist, but once it does exist it will always have an
              earlier timestamp than the object files it contains.

              However, Unix time semantics mean that the create time
              reported by Samba will be updated whenever a file is
              created or deleted in the directory. NMAKE finds all
              object files in the object directory. The timestamp of
              the last one built is then compared to the timestamp
              of the object directory. If the directory's timestamp
              is newer, then all object files will be rebuilt.
              Enabling this option ensures directories always
              predate their contents and an NMAKE build will proceed
              as expected.

              Default: fake directory create times = no

       fake oplocks (S)
              Oplocks are the way that SMB clients get permission
              from  a server to locally cache file operations. If
              a server grants an oplock (opportunistic lock) then
              the  client  is  free to assume that it is the only
              one accessing the file  and  it  will  aggressively
              cache  file data. With some oplock types the client
              may even cache file open/close operations. This can
              give enormous performance benefits.

              When  you  set  fake  oplocks  =  yes, smbd(8) will
              always grant oplock requests  no  matter  how  many
              clients are using the file.

              It is generally much better to use the real oplocks
              support rather than this parameter.

              If you enable this option on all  read-only  shares
              or  shares that you know will only be accessed from
              one client at a time such as  physically  read-only
              media  like  CDROMs, you will see a big performance
              improvement on many operations. If you enable  this
              option  on  shares  where  multiple  clients may be
              name lookups down slightly.

              This option is enabled (i.e. smbd will follow symbolic
              links) by default.

              Default: follow symlinks = yes

       force create mode (S)
              This  parameter  specifies  a  set of UNIX mode bit
              permissions that will always be set on a file created
              by Samba. This is done by bitwise 'OR'ing
              these bits onto the mode bits of  a  file  that  is
              being  created  or  having its permissions changed.
              The default for this parameter is (in  octal)  000.
              The modes in this parameter are bitwise 'OR'ed onto
              the file mode after the mask set in the create mask
              parameter is applied.

              See  also  the parameter create mask for details on
              masking mode bits on files.

              See also the inherit permissions parameter.

              Default: force create mode = 000

              Example: force create mode = 0755

              would force all created files to have read and execute
              permissions set for 'group' and 'other' as well as the
              read/write/execute bits set for the 'user'.

       force directory mode (S)
              This  parameter  specifies  a  set of UNIX mode bit
              permissions that will always be set on a  directory
              created  by  Samba. This is done by bitwise 'OR'ing
              these bits onto the mode bits of a  directory  that
              is being created. The default for this parameter is
              (in octal) 0000 which will not add any extra permission
              bits to a created directory. This operation is done
              after the mode mask in the parameter directory mask is
              applied.

              See  also the parameter  directory mask for details
              on masking mode bits on created directories.

              See also the  inherit permissions parameter.

              Default: force directory mode = 000

              Example: force directory mode = 0755
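
              The mask-then-OR order described for force create mode
              and force directory mode can be checked per share. The
              following is an added example, not Samba code: it
              audits a constructed smb.conf fragment, and the share
              names, paths and the 0777 "client asks for everything"
              upper bound are assumptions made for illustration.

```python
import configparser

# Constructed smb.conf fragment for this example (not from the page).
SAMPLE_CONF = """\
[global]
workgroup = EXAMPLE
force directory mode = 0700

[projects]
path = /srv/projects
create mask = 0775
force create mode = 0666
force directory mode = 0777

[reports]
path = /srv/reports
create mask = 0740
force create mode = 0640
"""

# Built-in defaults. The two force defaults are the ones documented above;
# 0744 and 0755 are the documented Samba defaults for create mask and
# directory mask, which are described elsewhere in this man page.
DEFAULTS = {
    "create mask": 0o744,
    "directory mask": 0o755,
    "force create mode": 0o000,
    "force directory mode": 0o000,
}


def final_mode(requested, mask, force):
    """Mask first, then OR the forced bits on: the order the man page gives."""
    return (requested & mask) | force


def setting(cp, share, key):
    """Share value, else the [global] value, else the built-in default."""
    for section in (share, "global"):
        if cp.has_option(section, key):
            return int(cp.get(section, key), 8)
    return DEFAULTS[key]


def audit(conf_text):
    """Return {share: report} with worst-case modes and risky forced bits."""
    cp = configparser.ConfigParser(interpolation=None)  # keep % macros literal
    cp.read_string(conf_text)
    reports = {}
    for share in cp.sections():
        if share == "global":
            continue
        f_force = setting(cp, share, "force create mode")
        d_force = setting(cp, share, "force directory mode")
        report = {
            # Upper bound: the client asks for every permission bit (0777).
            "file_max": final_mode(0o777, setting(cp, share, "create mask"), f_force),
            "dir_max": final_mode(0o777, setting(cp, share, "directory mask"), d_force),
            "flags": [],
        }
        # Forced bits land on every new object, whatever the client asked for.
        for kind, force in (("file", f_force), ("directory", d_force)):
            if force & 0o002:
                report["flags"].append(f"{kind}: world-writable bit always set")
            if force & 0o6000:
                report["flags"].append(f"{kind}: setuid/setgid bit always set")
        reports[share] = report
    return reports


if __name__ == "__main__":
    for share, report in audit(SAMPLE_CONF).items():
        print(share, oct(report["file_max"]), oct(report["dir_max"]), report["flags"])
```

              Because the forced bits are OR'ed on after the mask, a
              restrictive create mask does not remove a bit that
              force create mode sets.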

              on. Essentially, one bits in this mask may be treated
              as a set of bits that, when modifying security on a
              directory, the user has always set to be 'on'.

              If not set explicitly this parameter is 000,  which
              allows  a  user  to modify all the user/group/world
              permissions on a directory without restrictions.

              Note that users who can access the Samba server
              through other means can easily bypass this
              restriction, so it is primarily useful for standalone
              "appliance" systems. Administrators of most normal
              systems will probably want to leave it set as 0000.

              See  also  the   directory security mask,  security
              mask, force security mode parameters.

              Default: force directory security mode = 0

              Example: force directory security mode = 700

       force group (S)
              This specifies a  UNIX  group  name  that  will  be
              assigned as the default primary group for all users
              connecting to this  service.  This  is  useful  for
              sharing  files by ensuring that all access to files
              on service will use the named group for their permissions
              checking. Thus, by assigning permissions
              for this group to the files and directories  within
              this  service  the Samba administrator can restrict
              or allow sharing of these files.

              In  Samba  2.0.5  and  above  this  parameter   has
              extended functionality in the following way. If the
              group  name  listed  here  has  a   '+'   character
              prepended to it then the current user accessing the
              share only has the primary group  default  assigned
              to  this  group  if  they are already assigned as a
              member of that group. This allows an administrator
              to decide that only users who are already in a
              particular group will create files with group
              ownership set to that group. This gives a finer
              granularity of ownership assignment. For example, the
              setting force group = +sys means that only users who
              are already in group sys will have their default
              primary group assigned to sys when accessing this
              Samba share. All other users will retain their
              ordinary primary group.

              If  the  force user parameter is also set the group
              specified in force group will override the  primary
              This parameter is applied as a mask (OR'ed with) to
              the  changed permission bits, thus forcing any bits
              in this mask that the user may have modified to  be
              on. Essentially, one bits in this mask may be treated
              as a set of bits that, when modifying security on a
              file, the user has always set to be 'on'.

              If not set explicitly this parameter is set  to  0,
              and    allows    a   user   to   modify   all   the
              user/group/world permissions on  a  file,  with  no
              restrictions.

              Note that users who can access the Samba server
              through other means can easily bypass this
              restriction, so it is primarily useful for standalone
              "appliance" systems. Administrators of most normal
              systems will probably want to leave this set to 0000.

              See also the force directory security mode, directory
              security mask, security mask parameters.

              Default: force security mode = 0

              Example: force security mode = 700

       force unknown acl user (S)
              If  this  parameter  is  set, a Windows NT ACL that
              contains an unknown SID  (security  descriptor,  or
              representation  of a user or group id) as the owner
              or group owner of the file will be silently  mapped
              into  the  current UNIX uid or gid of the currently
              connected user.

              This is designed to allow  Windows  NT  clients  to
              copy  files  and  folders containing ACLs that were
              created locally on the client machine  and  contain
              users  local to that machine only (no domain users)
              to be copied to a Samba server (usually with  XCOPY
              /O)  and have the unknown userid and groupid of the
              file owner map to the current connected user.  This
              can  only  be  fixed correctly when winbindd allows
              arbitrary mapping from any Windows NT SID to a UNIX
              uid or gid.

              Try  using  this  parameter  when XCOPY /O gives an
              ACCESS_DENIED error.

              See also force group

              Default: False

              client connected as. This can be very useful.

              In Samba 2.0.5 and above this parameter also causes
              the primary group of the forced user to be used  as
              the  primary  group for all file activity. Prior to
              2.0.5 the primary group was  left  as  the  primary
              group of the connecting user (this was a bug).

              See also force group

              Default: no forced user

              Example: force user = auser

       fstype (S)
              This parameter allows the administrator to configure
              the string that specifies the type of filesystem a
              share is using that is reported by smbd(8) when a
              client queries the filesystem type for a share. The
              default type is NTFS for compatibility with Windows NT
              but this can be changed to other strings such as Samba
              or FAT if required.

              Default: fstype = NTFS

              Example: fstype = Samba

       getwd cache (G)
              This is a tuning option. When  this  is  enabled  a
              caching  algorithm  will be used to reduce the time
              taken for getwd() calls. This can have a significant
              impact on performance, especially when the wide links
              parameter is set to no.

              Default: getwd cache = yes

       group (S)
              Synonym for force group.

       guest account (S)
              This is a username which will be used for access to
              services  which  are  specified  as   guest ok (see
              below). Whatever privileges this user has  will  be
              available  to  any  client  connecting to the guest
              service.  Typically this user  will  exist  in  the
              password file, but will not have a valid login. The
              user account "ftp" is often a good choice for  this
              parameter.  If  a  username is specified in a given
              service, the specified username overrides this one.

              On some systems the default guest account "nobody"
              may not be able to print. Use  another  account  in

              See the section below on security for more information
              about this option.

              Default: guest ok = no

       guest only (S)
              If this parameter is yes for a service,  then  only
              guest  connections  to  the  service are permitted.
              This parameter will have no effect if  guest ok  is
              not set for the service.

              See the section below on security for more information
              about this option.

              Default: guest only = no

       hide dot files (S)
              This is a boolean parameter that  controls  whether
              files starting with a dot appear as hidden files.

              Default: hide dot files = yes

       hide files (S)
              This is a list of files or directories that are not
              visible  but  are  accessible.  The  DOS   'hidden'
              attribute  is  applied  to any files or directories
              that match.

              Each entry in the list must be separated by a  '/',
              which  allows  spaces  to be included in the entry.
              '*' and '?' can be used to specify  multiple  files
              or directories as in DOS wildcards.

              Each  entry must be a Unix path, not a DOS path and
              must not include the Unix directory separator  '/'.

              Note that the case sensitivity option is applicable
              in hiding files.

              Setting this parameter will affect the  performance
              of  Samba,  as it will be forced to check all files
              and directories for a match as they are scanned.

              See also hide dot files, veto files and case
              sensitive.

              Default: no files are hidden

              Example: hide files = /.*/DesktopFolderDB/TrashFor%m/resource.frk/

              This parameter prevents clients from seeing the
              existence of files that cannot be read. Defaults to
              off.

              Default: hide unreadable = no

       homedir map (G)
              If nis homedir is yes, and smbd(8) is also acting as
              a Win95/98 logon server then this parameter specifies
              the NIS (or YP) map from which the server for the
              user's home directory should be extracted. At present,
              only the Sun auto.home map format is understood. The
              form of the map is:

              username server:/some/file/system

              and  the  program  will extract the servername from
              before the first ':'. There should  probably  be  a
              better parsing system that copes with different map
              formats and also Amd (another automounter) maps.

              NOTE: A working NIS client is required on the system
              for this option to work.

              See also nis homedir , domain logons .

              Default: homedir map = <empty string>

              Example: homedir map = amd.homedir

       host msdfs (G)
              This boolean parameter is only available if Samba has
              been configured and compiled with the --with-msdfs
              option. If set to yes, Samba will act as a Dfs server,
              and allow Dfs-aware clients to browse Dfs trees hosted
              on the server.

              See also the  msdfs root share level parameter. For
              more information on setting up a Dfs tree on Samba,
              refer to msdfs_setup.html

              Default: host msdfs = no

       hosts allow (S)
              A synonym for this parameter is allow hosts.

              This parameter is a comma, space, or tab delimited
              set of hosts which are permitted to access a service.

              If  specified  in the [global] section then it will
              apply to all services, regardless  of  whether  the

              You can also specify hosts by network/netmask pairs
              and by netgroup names if your system supports
              netgroups. The EXCEPT keyword can also be used to
              limit a wildcard list. The following examples may
              provide some help:

              Example 1: allow all IPs in 150.203.*.*; except one

              hosts allow = 150.203. EXCEPT 150.203.6.66

              Example 2: allow hosts that match the given
              network/netmask

              hosts allow = 150.203.15.0/255.255.255.0

              Example 3: allow a couple of hosts

              hosts allow = lapland, arvidsjaur

              Example  4:  allow  only  hosts  in  NIS   netgroup
              "foonet", but deny access from one particular host

              hosts allow = @foonet

              hosts deny = pirate

              Note that access still requires suitable user-level
              passwords.

              See testparm(1)
               for a way of testing your host access to see if it
              does what you expect.

              Default: none (i.e., all hosts permitted access)

              Example: allow hosts = 150.203.5. myhost.mynet.edu.au

       hosts deny (S)
              The opposite of hosts allow - hosts listed here are
              NOT permitted access to services unless the specific
              services have their own lists to override this one.
              Where the lists conflict, the allow list takes
              precedence.

              Default:  none   (i.e.,   no   hosts   specifically
              excluded)

              Example: hosts deny = 150.203.4. badhost.mynet.edu.au
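
              To see how the hosts allow and hosts deny entry forms
              above combine, here is an added example (a model
              written for this page, not Samba's own code) that
              evaluates the page's sample lists against constructed
              clients. The NETGROUPS table stands in for NIS, and the
              result for a client that matches neither list when both
              are set is an assumption about Samba's behaviour that
              this page does not state.

```python
import ipaddress
import re

# Constructed stand-in for the NIS netgroup database behind "@foonet".
NETGROUPS = {"foonet": {"lapland", "arvidsjaur"}}


def tokens(value):
    """Split a list value on commas, spaces and tabs."""
    return [t for t in re.split(r"[,\s]+", value.strip()) if t]


def match_token(tok, ip, host):
    """Does one list entry match a client with this IPv4 address and name?"""
    if tok.startswith("@"):                    # netgroup name
        return host.lower() in NETGROUPS.get(tok[1:], set())
    if "/" in tok:                             # network/netmask pair
        return ipaddress.ip_address(ip) in ipaddress.ip_network(tok, strict=False)
    if tok.endswith("."):                      # address prefix, e.g. 150.203.
        return ip.startswith(tok)
    return tok.lower() in (ip, host.lower())   # exact address or host name


def list_match(toks, ip, host):
    """'A EXCEPT B' matches clients that are in A and not in B."""
    upper = [t.upper() for t in toks]
    if "EXCEPT" in upper:
        i = upper.index("EXCEPT")
        return (list_match(toks[:i], ip, host)
                and not list_match(toks[i + 1:], ip, host))
    return any(match_token(t, ip, host) for t in toks)


def permitted(allow, deny, ip, host=""):
    """Decide access for one client from the two list values."""
    allow_t, deny_t = tokens(allow), tokens(deny)
    if allow_t and list_match(allow_t, ip, host):
        return True                            # the allow list takes precedence
    if deny_t and list_match(deny_t, ip, host):
        return False
    # Client is on neither list. With only an allow list it is refused;
    # with no lists, or only a deny list, it is admitted.
    # Assumption: with BOTH lists set it is admitted as well.
    return bool(deny_t) or not allow_t


if __name__ == "__main__":
    # (allow, deny, client ip, client name): lists from the page, clients constructed.
    cases = [
        ("150.203. EXCEPT 150.203.6.66", "", "150.203.6.66", ""),
        ("150.203.15.0/255.255.255.0", "", "150.203.15.77", ""),
        ("@foonet", "pirate", "192.0.2.66", "pirate"),
        ("150.203.4.7", "150.203.4.", "10.0.0.1", ""),
    ]
    for allow, deny, ip, host in cases:
        print(f"allow={allow!r} deny={deny!r} {ip} {host!r} ->",
              permitted(allow, deny, ip, host))
```

              Under that assumption a deny list only narrows an allow
              list when it covers the addresses the allow list leaves
              out, which is worth confirming on a real server with
              testparm(1) as described above.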

              to  supply the correct username. It is very easy to
              get a PC to supply a false  username.  I  recommend
              that  the  hosts  equiv  option be only used if you
              really know what you are doing,  or  perhaps  on  a
              home  network where you trust your spouse and kids.
              And only if you really trust them :-).

              Default: no host equivalences

              Example: hosts equiv = /etc/hosts.equiv

       include (G)
              This allows you to include one config  file  inside
              another.  The file is included literally, as though
              typed in place.

              It takes the standard substitutions, except %u , %P
              and %S.

              Default: no file included

              Example: include = /usr/local/samba/lib/admin_smb.conf

       inherit acls (S)
              This parameter  can  be  used  to  ensure  that  if
              default  acls exist on parent directories, they are
              always honored when creating a  subdirectory.   The
              default  behavior is to use the mode specified when
              creating the directory. Enabling this  option  sets
              the  mode  to  0777, thus guaranteeing that default
              directory acls are propagated.

              Default: inherit acls = no

       inherit permissions (S)
              The permissions on new files  and  directories  are
              normally governed by  create mask,  directory mask,
              force create mode and force directory mode but  the
              boolean  inherit  permissions  parameter  overrides
              this.

              New directories inherit  the  mode  of  the  parent
              directory, including bits such as setgid.

              New files inherit their read/write bits from the
              parent directory. Their execute bits continue to be
              determined by map archive, map hidden and map system
              as usual.

              Note that the setuid bit is never set via inheritance
              (the code explicitly prohibits this).
              ing,  name  registration  and other NBT traffic. By
              default Samba will query the kernel for the list of
              all active interfaces and use any interfaces except
              127.0.0.1 that are broadcast capable.

              The option takes a list of interface strings.  Each
              string can be in any of the following forms:

              · a  network  interface  name (such as eth0).  This
                may include shell-like  wildcards  so  eth*  will
                match  any  interface starting with the substring
                "eth"

              · an IP address. In this case the netmask is determined
                from the list of interfaces obtained from the kernel

              · an IP/mask pair.

              · a broadcast/mask pair.

       The "mask" parameters can either be a bit length (such as
       24 for a C class network) or a full netmask in dotted
       decimal form.

       The "IP" parameters above can either be a full dotted
       decimal IP address or a hostname which will be looked up via
       the OS's normal hostname resolution mechanisms.

       For example, the following line:

       interfaces = eth0 192.168.2.10/24 192.168.3.10/255.255.255.0

       would  configure three network interfaces corresponding to
       the  eth0  device  and  IP  addresses   192.168.2.10   and
       192.168.3.10.   The  netmasks of the latter two interfaces
       would be set to 255.255.255.0.

       See also bind interfaces only.

       Default: all active interfaces except 127.0.0.1  that  are
       broadcast capable

       invalid users (S)
              on  your system). The characters '+' and '&' may be
              used at the start of the name in  either  order  so
              the  value  +&group  means  check  the  UNIX  group
              database, followed by the  NIS  netgroup  database,
              and  the value &+group means check the NIS netgroup
              database, followed by the UNIX group database  (the
              same as the '@' prefix).

              The  current  servicename  is  substituted  for %S.
              This is useful in the [homes] section.

              See also valid users .

              Default: no invalid users

              Example: invalid users = root fred admin @wheel

       keepalive (G)
              The value of the parameter (an integer)  represents
              the number of seconds between keepalive packets. If
              this parameter is zero, no keepalive  packets  will
              be  sent.  Keepalive  packets,  if  sent, allow the
              server to tell whether a client  is  still  present
              and responding.

              Keepalives should, in general, not be needed if the
              socket being used has  the  SO_KEEPALIVE  attribute
              set on it (see socket options). Basically you should
              only use this option if you strike difficulties.

              Default: keepalive = 300

              Example: keepalive = 600

       kernel oplocks (G)
              For UNIXes that support kernel based oplocks
              (currently only IRIX and the Linux 2.4 kernel), this
              parameter allows the use of them to be turned on or
              off.

              Kernel oplocks support allows Samba oplocks to be
              broken whenever a local UNIX process or NFS operation
              accesses a file that smbd(8) has oplocked. This allows
              complete data consistency between SMB/CIFS, NFS and
              local file access (and is a very cool feature :-).

              This parameter defaults to on, but is translated to
              a no-op on systems that do not have the necessary
              kernel support. You should never need to touch
              this parameter.
              Default : lanman auth = yes

       large readwrite (G)
              This parameter determines whether or not smbd supports
              the new 64k streaming read and write variant SMB
              requests introduced with Windows 2000. Note that due
              to Windows 2000 client redirector bugs this requires
              Samba to be running on a 64-bit capable operating
              system such as IRIX, Solaris or a Linux 2.4 kernel.
              Can improve performance by 10% with Windows 2000
              clients. Defaults to on. Windows NT 4.0 only supports
              read version of this call, and ignores the write
              version.

              Default : large readwrite = yes

       ldap admin dn (G)
              This parameter is only available if Samba has been
              configured to include the --with-ldapsam option at
              compile time. This option should be considered
              experimental and under active development.

              The ldap admin dn defines the Distinguished Name (DN)
              used by Samba to contact the ldap server when
              retrieving user account information. The ldap admin dn
              is used in conjunction with the admin dn password
              stored in the private/secrets.tdb file. See the
              smbpasswd(8) man page for more information on how to
              accomplish this.

              Default : none

       ldap del only sam attr (G)
              This parameter is only available if Samba has been
              configured to include the --with-ldapsam option at
              compile time. This option should be considered
              experimental and under active development.

              The  ldap del only sam attr defines the behavior of
              pdbedit(8)  while  deleting  an  account  with   -x
              option. If set to true pdbedit will only delete the
              samba  LDAP  attributes  and  not  the  whole  LDAP
              account entry.

              Default : no

       ldap filter (G)
              This parameter is only available if Samba has been
              configured to include the --with-ldapsam option at
              compile time. This option should be considered
              experimental and under active development.


              This option is used to control the tcp port number
              used to contact the ldap server. The default is to
              use the standard LDAPS port 636.

              See Also: ldap ssl

              Default : ldap port = 636 ; if ldap ssl = on

              Default : ldap port = 389 ; if ldap ssl = off

       ldap server (G)
              This parameter is only available if Samba has been
              configured to include the --with-ldapsam option at
              compile time. This option should be considered
              experimental and under active development.

              This parameter should contains the FQDN of the ldap
              directory server which should be queried to  locate
              user account information.

              Default : ldap server = localhost

       ldap ssl (G)
              This parameter is only available if Samba has been
              configured to include the --with-ldapsam option at
              compile time. This option should be considered
              experimental and under active development.

              This option is used to define whether or not  Samba
              should  use SSL when connecting to the ldap server.
              This is NOT related to Samba SSL support  which  is
              enabled  by specifying the --with-ssl option to the
              configure script (see ssl).

              The ldap ssl parameter can be set to one of three
              values: (a) on - Always use SSL when contacting the
              ldap server, (b) off - Never use SSL when querying
              the directory, or (c) start_tls - Use the LDAPv3
              StartTLS extended operation (RFC2830) for
              communicating with the directory server.

              Default : ldap ssl = on

       ldap suffix (G)
              This parameter is only available if Samba has been
              configured to include the --with-ldapsam option at
              compile time. This option should be considered
              experimental and under active development.

              Default : none

              commonly  written (such as application .EXE files).

              Once one of the  clients  which  have  a  read-only
              oplock  writes to the file all clients are notified
              (no reply is needed or  waited  for)  and  told  to
              break  their oplocks to "none" and delete any read-
              ahead caches.

              It is recommended that this parameter be turned  on
              to speed access to shared executables.

              For more discussions on level2 oplocks see the CIFS
              spec.

              Currently, if kernel oplocks are supported then
              level2 oplocks are not granted (even if this
              parameter is set to yes). Note also, the oplocks
              parameter must be set to yes on this share in order
              for this parameter to have any effect.

              See also the oplocks and kernel oplocks parameters.

              Default: level2 oplocks = yes

       lm announce (G)
              This parameter determines if nmbd(8) will produce
              Lanman announce broadcasts that are needed by OS/2
              clients in order for them to see the Samba server
              in their browse list. This parameter can have three
              values, yes, no, or auto. The default is auto. If
              set to no Samba will never produce these
              broadcasts. If set to yes Samba will produce Lanman
              announce broadcasts at a frequency set by the
              parameter lm interval. If set to auto Samba will
              not send Lanman announce broadcasts by default but
              will listen for them. If it hears such a broadcast
              on the wire it will then start sending them at a
              frequency set by the parameter lm interval.

              See also lm interval.

              Default: lm announce = auto

              Example: lm announce = yes

       lm interval (G)
              If Samba is set to produce Lanman announce
              broadcasts needed by OS/2 clients (see the lm announce
              parameter) then this parameter defines the
              frequency in seconds with which they will be made. If
              this is set to zero then no Lanman announcements
              will be made despite the setting of the lm announce
              Default: load printers = yes

       local master (G)
              This option allows  nmbd(8) to  try  and  become  a
              local master browser on a subnet. If set to no then
              nmbd will not attempt  to  become  a  local  master
              browser  on  a  subnet  and  will  also lose in all
              browsing elections. By default this value is set to
              yes.  Setting  this  value to yes doesn't mean that
              Samba will become the local  master  browser  on  a
              subnet, just that nmbd will participate in
              elections for local master browser.

              Setting this value to no will cause nmbd  never  to
              become a local master browser.

              Default: local master = yes

       lock dir (G)
              Synonym for  lock directory.

       lock directory (G)
              This  option  specifies  the  directory  where lock
              files will be placed. The lock files  are  used  to
              implement the max connections option.

              Default: lock directory = ${prefix}/var/locks

              Example: lock directory = /var/run/samba/locks

       lock spin count (G)
              This parameter controls the number of times that
              smbd should attempt to gain a byte range lock on
              behalf of a client request. Experiments have
              shown that Windows 2k servers do not reply with a
              failure if the lock could not be immediately
              granted, but try a few more times in case the lock
              could later be acquired. This behavior is used to
              support PC database formats such as MS Access and
              FoxPro.

              Default: lock spin count = 2

       lock spin time (G)
              The  time  in  microseconds  that smbd should pause
              before attempting to gain a failed lock.  See  lock
              spin count for more details.

              Default: lock spin time = 10

       locking (S)
              This  controls  whether or not locking will be per­

              Be careful about disabling locking either  globally
              or  in  a  specific service, as lack of locking may
              result in data corruption.  You should  never  need
              to set this parameter.

              Default: locking = yes

       log file (G)
              This  option allows you to override the name of the
              Samba log file (also known as the debug file).

              This  option  takes  the  standard   substitutions,
              allowing  you  to  have separate log files for each
              user or machine.

              Example: log file = /usr/local/samba/var/log.%m

       log level (G)
              The value of the parameter (an integer) allows  the
              debug  level (logging level) to be specified in the
              smb.conf file. This is to give greater  flexibility
              in the configuration of the system.

              The  default will be the log level specified on the
              command line or level zero if none was specified.

              Example: log level = 3

       logon drive (G)
              This parameter specifies the local  path  to  which
              the  home  directory  will  be connected (see logon
              home) and is only used by NT Workstations.

              Note that this option is only useful  if  Samba  is
              set up as a logon server.

              Default: logon drive = z:

              Example: logon drive = h:

       logon home (G)
              This parameter specifies the home directory
              location when a Win95/98 or NT Workstation logs into a
              Samba PDC. It allows you to do

              C:\> NET USE H: /HOME

              from a command prompt, for example.

              This   option  takes  the  standard  substitutions,
              allowing you to have  separate  logon  scripts  for
              when dealing with profiles.

              Note  that  in  prior versions of Samba, the  logon
              path was returned  rather  than  logon  home.  This
              broke  net  use  /home but allowed profiles outside
              the home directory.  The current implementation  is
              correct,  and  can  be used for profiles if you use
              the above trick.

              This option is only useful if Samba is set up as  a
              logon server.

              Default: logon home = "\\%N\%U"

              Example: logon home = "\\remote_smb_server\%U"

       logon path (G)
              This parameter specifies the home directory where
              roaming profiles (NTuser.dat etc files for Windows
              NT) are stored. Contrary to previous versions of
              these manual pages, it has nothing to do with Win
              9X roaming profiles. To find out how to handle
              roaming profiles for Win 9X systems, see the logon
              home parameter.

              This option takes the standard substitutions,
              allowing you to have separate logon scripts for
              each user or machine. It also specifies the
              directory from which the "Application Data" (desktop,
              start menu, network neighborhood, programs and
              other folders, and their contents) are loaded and
              displayed on your Windows NT client.

              The share and the path must be readable by the user
              for the preferences and directories  to  be  loaded
              onto  the  Windows  NT  client.  The  share must be
              writeable when the user logs in for the first time,
              in  order that the Windows NT client can create the
              NTuser.dat and other directories.

              Thereafter, the directories and any of the contents
              can,  if  required,  be  made  read-only. It is not
              advisable that the NTuser.dat file  be  made  read-
              only  -  rename  it  to  NTuser.man  to achieve the
              desired effect (a MANdatory profile).

              Windows clients can sometimes maintain a connection
              to the [homes] share, even though there is no user
              logged in. Therefore, it is vital that the logon
              path does not include a reference to the homes
              share (i.e. setting this parameter to
              \%N\%U\profile_path will cause problems).
              NT  command file (.cmd) to be downloaded and run on
              a machine when a user  successfully  logs  in.  The
              file must contain the DOS style CR/LF line endings.
              Using a DOS-style editor to create the file is
              recommended.

              The script must be a relative path to the
              [netlogon] service. If the [netlogon] service
              specifies a path of /usr/local/samba/netlogon, and
              logon script = STARTUP.BAT, then the file that will
              be downloaded is:

              /usr/local/samba/netlogon/STARTUP.BAT

              The  contents  of  the batch file are entirely your
              choice. A suggested command would  be  to  add  NET
              TIME  \\SERVER /SET /YES, to force every machine to
              synchronize  clocks  with  the  same  time  server.
              Another   use   would   be   to   add  NET  USE  U:
              \\SERVER\UTILS for commonly used utilities, or  NET
              USE Q: \\SERVER\ISO9001_QA for example.

              Note that it is particularly important not to allow
              write access to the [netlogon] share, or  to  grant
              users  write  permission  on  the  batch files in a
              secure environment, as this would allow  the  batch
              files to be arbitrarily modified and security to be
              breached.

              This  option  takes  the  standard   substitutions,
              allowing  you  to  have  separate logon scripts for
              each user or machine.

              This option is only useful if Samba is set up as  a
              logon server.

              Default: no logon script defined

              Example: logon script = scripts\%U.bat

       lppause command (S)
              This parameter specifies the command to be executed
              on the server host in order  to  stop  printing  or
              spooling a specific print job.

              This command should be a program or script which
              takes a printer name and job number to pause the
              print job. One way of implementing this is by using
              job priorities, where jobs with too low a
              priority won't be sent to the printer.

              If  a  %p  is given then the printer name is put in

              Default: Currently no default value is given to
              this string, unless the value of the printing
              parameter is SYSV, in which case the default is:

              lp -i %p-%j -H hold

              or if the value of the printing parameter is SOFTQ,
              then the default is:

              qstat -s -j%j -h

              Example for HPUX: lppause command =  /usr/bin/lpalt
              %p-%j -p0

       lpq cache time (G)
              This controls how long lpq info will be cached, to
              prevent the lpq command from being called too often.
              A separate cache is kept for each variation of the
              lpq command used by the system, so if you use
              different lpq commands for different users then they
              won't share cache information.

              The cache files are stored in  /tmp/lpq.xxxx  where
              xxxx is a hash of the lpq command in use.

              The  default is 10 seconds, meaning that the cached
              results of a previous identical lpq command will be
              used  if  the  cached  data is less than 10 seconds
              old. A large value may be  advisable  if  your  lpq
              command is very slow.

              A value of 0 will disable caching completely.

              See also the printing parameter.

              Default: lpq cache time = 10

              Example: lpq cache time = 30

       lpq command (S)
              This parameter specifies the command to be executed
              on the server host in order to obtain lpq-style
              printer status information.

              This command should be a program or script which
              takes a printer name as its only parameter and
              outputs printer status information.

              Currently nine styles of printer status information
              are supported: BSD, AIX, LPRNG, PLP, SYSV, HPUX,
              QNX,  CUPS,  and SOFTQ.  This covers most UNIX sys­

              Note that it is good practice to include the
              absolute path in the lpq command as the $PATH may not
              be available to the server. When compiled with the
              CUPS libraries, no lpq command is needed because
              smbd will make a library call to obtain the print
              queue listing.

              See also the printing parameter.

              Default: depends on the setting of  printing

              Example: lpq command = /usr/bin/lpq -P%p

       lpresume command (S)
              This parameter specifies the command to be executed
              on  the server host in order to restart or continue
              printing or spooling a specific print job.

              This command should be a program  or  script  which
              takes  a  printer name and job number to resume the
              print job. See also the lppause command  parameter.

              If  a  %p  is given then the printer name is put in
              its place. A %j is replaced with the job number (an
              integer).

              Note that it is good practice to include the
              absolute path in the lpresume command as the PATH may
              not be available to the server.

              See also the printing parameter.

              Default: Currently no default value is given to
              this string, unless the value of the printing
              parameter is SYSV, in which case the default is:

              lp -i %p-%j -H resume

              or if the value of the printing parameter is SOFTQ,
              then the default is:

              qstat -s -j%j -r

              Example for HPUX: lpresume command = /usr/bin/lpalt
              %p-%j -p2

       lprm command (S)
              This parameter specifies the command to be executed
              on the server host in order to delete a print  job.

              This  command  should  be a program or script which

              Example 1: lprm command = /usr/bin/lprm -P%p %j

              Example 2: lprm command = /usr/bin/cancel %p-%j

       machine password timeout (G)
              If a Samba server is a member of a Windows NT
              Domain (see the security = domain parameter) then
              periodically a running smbd(8) process will try
              and change the MACHINE ACCOUNT PASSWORD stored in
              the TDB called private/secrets.tdb. This parameter
              specifies how often this password will be changed,
              in seconds. The default is one week (expressed in
              seconds), the same as a Windows NT Domain member
              server.

              See also smbpasswd(8) and the security = domain
              parameter.

              Default: machine password timeout = 604800

       magic output (S)
              This  parameter  specifies the name of a file which
              will contain output created by a magic script  (see
              the magic script parameter below).

              Warning:  If  two clients use the same magic script
              in the same directory the output  file  content  is
              undefined.

              Default: magic output = <magic script name>.out

              Example: magic output = myfile.txt

       magic script (S)
              This  parameter specifies the name of a file which,
              if opened, will be executed by the server when  the
              file  is  closed.   This allows a UNIX script to be
              sent to the Samba host and executed  on  behalf  of
              the connected user.

              Scripts executed in this way will be deleted upon
              completion assuming that the user has the
              appropriate level of privilege and the file
              permissions allow the deletion.

              If the script generates output, output will be sent
              to the file specified by the magic output
              parameter (see above).

              Note that  some  shells  are  unable  to  interpret
              scripts  containing CR/LF instead of CR as the end-
              Default: mangle case = no

       mangled map (S)
              This is for those who want to directly map UNIX
              file names which cannot be represented on
              Windows/DOS. The mangling of names is not always what
              is needed. In particular you may have documents
              with  file  extensions  that differ between DOS and
              UNIX.  For example, under UNIX it is common to  use
              .html  for  HTML  files,  whereas under Windows/DOS
              .htm is more commonly used.

              So to map html to htm you would use:

              mangled map = (*.html *.htm)

              One very useful case is to remove the annoying ;1
              off the ends of filenames on some CDROMs (only
              visible under some UNIXes). To do this use a map of
              (*;1 *;).

              Default: no mangled map

              Example: mangled map = (*;1 *;)

       mangled names (S)
              This controls whether non-DOS names under UNIX
              should be mapped to DOS-compatible names
              ("mangled") and made visible, or whether non-DOS
              names should simply be ignored.

              See the section on  NAME MANGLING  for  details  on
              how to control the mangling process.

              If mangling algorithm "hash" is used then the
              mangling algorithm is as follows:

              · The first (up to) five alphanumeric characters
                before the rightmost dot of the filename are
                preserved, forced to upper case, and appear as the
                first (up to) five characters of the mangled
                name.

              · A tilde "~" is appended to the first part of the
                mangled name, followed by a two-character unique
                sequence, based on the original root name (i.e.,
                the original filename minus its final extension).
                The final extension is included in the hash
                calculation only if it contains any upper case
                characters or is longer than three characters.

                Note that the character to use may  be  specified
                will  be created as for other filenames, but with
                the leading dot removed and "___" as its
                extension regardless of actual original extension
                (that's three underscores).

       The two-digit hash value consists of upper case
       alphanumeric characters.

       This algorithm can cause name collisions only if files in
       a directory share the same first five alphanumeric
       characters. The probability of such a clash is 1/1300.

       If  mangling  algorithm  "hash2" is used then the mangling
       algorithm is as follows:

              · The  first  alphanumeric  character  before   the
                rightmost  dot  of  the  filename  is  preserved,
                forced to upper case, and appears  as  the  first
                character of the mangled name.

              · A base36 hash of 5 characters is generated and
                the first 4 characters of that hash are appended
                to the first character.

              · A  tilde "~" is appended to the first part of the
                mangled name, followed by the final character  of
                the base36 hash of the name.

                Note  that  the character to use may be specified
                using the mangling char option, if you don't like
                '~'.

              · The  first  three  alphanumeric characters of the
                final extension are preserved,  forced  to  upper
                case  and  appear as the extension of the mangled
                name. The final extension is defined as that part
                of the original filename after the rightmost dot.
                If there are no dots in the filename, the mangled
                name  will  have no extension (except in the case
                of "hidden files" - see below).

              · Files whose UNIX name begins with a dot  will  be
                presented  as  DOS hidden files. The mangled name
                will be created as for other filenames, but  with
                the leading dot removed and "___" as its
                extension regardless of actual original extension
                (that's three underscores).

       The  name mangling (if enabled) allows a file to be copied
              (extensions are only maintained if they are longer
              than 3 characters or contain upper case
              characters).

              The larger this value, the more likely it is that
              mangled names can be successfully converted to
              correct long UNIX names. However, large stack sizes
              will slow most directory accesses. Smaller stacks
              save memory in the server (each stack element costs
              256 bytes).

              It is not possible to absolutely guarantee  correct
              long  filenames, so be prepared for some surprises!

              Default: mangled stack = 50

              Example: mangled stack = 100

       mangling char (S)
              This controls what character is used as  the  magic
              character  in  name  mangling. The default is a '~'
              but this may interfere with some software. Use this
              option to set it to whatever you prefer.

              Default: mangling char = ~

              Example: mangling char = ^

       mangling method (G)
              Controls the algorithm used for generating the
              mangled names. Can take two different values,
              "hash" and "hash2". "hash" is the default and is
              the algorithm that has been used in Samba for many
              years. "hash2" is newer and considered a better
              algorithm (it generates fewer collisions in the
              names). However, many Win32 applications store the
              mangled names and so changing to the new algorithm
              must not be done lightly as these applications may
              break unless reinstalled. New installations of
              Samba may set the default to hash2.

              Default: mangling method = hash

              Example: mangling method = hash2

       map archive (S)
              This controls whether the DOS archive attribute
              should be mapped to the UNIX owner execute bit. The
              DOS archive bit is set when a file has been
              modified since its last backup. One motivation for this
              option is to keep Samba/your PC from making any
              file it  touches  from  becoming  executable  under
              Note that this requires the create mask to  be  set
              such  that  the world execute bit is not masked out
              (i.e.  it must  include  001).  See  the  parameter
              create mask for details.

              Default: map hidden = no

       map system (S)
              This controls whether DOS style system files should
              be mapped to the UNIX group execute bit.

              Note that this requires the create mask to  be  set
              such  that  the group execute bit is not masked out
              (i.e.  it must  include  010).  See  the  parameter
              create mask for details.

              Default: map system = no

       map to guest (G)
              This  parameter  is  only useful in  security modes
              other than security = share -  i.e.  user,  server,
              and domain.

              This  parameter  can  take  three different values,
              which tell smbd(8)  what  to  do  with  user  login
              requests that don't match a valid UNIX user in some
              way.

              The three settings are:

              · Never - Means user login requests with an invalid
                password are rejected. This is the default.

              · Bad  User  -  Means  user  logins with an invalid
                password are rejected, unless the  username  does
                not exist, in which case it is treated as a guest
                login and mapped into the  guest account.

              · Bad Password - Means user logins with an  invalid
                password  are treated as a guest login and mapped
                into the guest account. Note that this can  cause
                problems  as  it  means that any user incorrectly
                typing their password will be silently logged  on
                as  "guest"  -  and will not know the reason they
                cannot access files  they  think  they  should  -
                there  will  have  been  no message given to them
                that they got their password wrong. Helpdesk
                services will hate you if you set the map to guest
                parameter this way :-).

       Note that this parameter is needed to set up "Guest" share
       services  when using security modes other than share. This

       Example: map to guest = Bad User
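
An added example, not part of the Samba documentation: a small Python audit that reads smb.conf text with the file-format rules from the start of this page and reports the settings that the ldap ssl, logon script, magic script and map to guest entries warn about. The parser is simplified, both sample configurations are constructed, the finding wording is this example's own, and `writeable`, `writable`, `write ok` and `write list` are standard smb.conf parameters that are not described in this section.

```python
import re

TRUE_VALUES = {"yes", "true", "1"}
FALSE_VALUES = {"no", "false", "0"}
# Inverted synonyms of "read only" (names already normalized by norm()).
WRITE_SYNONYMS = {"writeable", "writable", "writeok"}


def norm(name):
    """Names are compared without regard to case or whitespace."""
    return re.sub(r"\s+", "", name).lower()


def parse_smb_conf(text):
    """Simplified parser: {section: [(param, value), ...]} in file order."""
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in ";#":       # blank line or comment
            continue
        if line.endswith("\\"):               # continued on the next line
            pending = line[:-1]
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(norm(line[1:-1]), [])
        elif "=" in line and current is not None:
            name, value = line.split("=", 1)  # only the first "=" counts
            current.append((norm(name), value.strip()))
    return sections


def effective(sections, service):
    """Settings of one service layered over the [global] defaults."""
    merged = {}
    for name, value in sections.get("global", []) + sections.get(service, []):
        if name in WRITE_SYNONYMS:            # fold into "readonly", inverted
            if value.lower() not in TRUE_VALUES | FALSE_VALUES:
                continue
            name = "readonly"
            value = "no" if value.lower() in TRUE_VALUES else "yes"
        merged[name] = value
    return merged


def audit(text):
    """Return (section, parameter, finding) tuples for the settings checked."""
    sections = parse_smb_conf(text)
    glob = effective(sections, "global")
    findings = []
    if glob.get("ldapssl", "").lower() == "off":
        findings.append(("global", "ldap ssl",
                         "ldap admin dn bind and queries are sent without SSL"))
    if norm(glob.get("maptoguest", "")) == "badpassword":
        findings.append(("global", "map to guest",
                         "a mistyped password is silently logged on as guest"))
    if "netlogon" in sections:
        share = effective(sections, "netlogon")
        if share.get("readonly", "yes").lower() in FALSE_VALUES:
            findings.append(("netlogon", "read only",
                             "clients can modify the logon scripts"))
        if share.get("writelist", ""):
            findings.append(("netlogon", "write list",
                             "listed users can write to the logon scripts"))
    for section, params in sections.items():
        for name, value in params:
            if name == "magicscript" and value:
                findings.append((section, "magic script",
                                 "a file of this name is executed on close"))
    return findings


# Constructed sample configurations, for illustration only.
WEAK = """\
[global]
   security = user
   LDAP SSL = off
   map to guest = Bad Password

[netlogon]
   path = /usr/local/samba/netlogon
   read only = yes
   writeable = yes
   write list = @admins

[scratch]
   path = /srv/scratch
   magic script = run.sh
"""

HARDENED = """\
[global]
   security = user
   ldap ssl = start_tls
   map to guest = Bad User

[netlogon]
   path = /usr/local/samba/netlogon
   read only = yes
"""

if __name__ == "__main__":
    for section, param, finding in audit(WEAK):
        print(f"[{section}] {param}: {finding}")
```

The [netlogon] check also catches a share made writable through a [global] default or through a later synonym line that overrides an earlier `read only = yes`.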

       max connections (S)
              This option allows the number of simultaneous
              connections to a service to be limited. If max
              connections is greater than 0 then connections will be
              refused if this number of connections to the
              service are already open. A value of zero means an
              unlimited number of connections may be made.

              Record lock files are used to implement this
              feature. The lock files will be stored in the
              directory specified by the lock directory option.

              Default: max connections = 0

              Example: max connections = 10

       max disk size (G)
              This option allows you to put an upper limit on the
              apparent size of disks. If you set this  option  to
              100  then  all  shares will appear to be not larger
              than 100 MB in size.

              Note that this option does not limit the amount  of
              data you can put on the disk. In the above case you
              could still store much more  than  100  MB  on  the
              disk,  but  if a client ever asks for the amount of
              free disk space or the total  disk  size  then  the
              result  will  be bounded by the amount specified in
              max disk size.

              This option is primarily useful to work around bugs
              in  some  pieces of software that can't handle very
              large disks, particularly disks over 1GB in size.

              A max disk size of 0 means no limit.

              Default: max disk size = 0

              Example: max disk size = 1000

       max log size (G)
              This option (an integer in kilobytes) specifies the
              max size the log file should grow to. Samba
              periodically checks the size and if it is exceeded it
              will rename the file, adding a .old extension.

              A size of 0 means no limit.

              files  that  one  smbd(8)  file serving process may
              have open for a client at any one time. The default
              for  this  parameter  is  set very high (10,000) as
              Samba uses only one bit per unopened file.

              The limit of the number of open  files  is  usually
              set  by  the UNIX per-process file descriptor limit
              rather than this parameter so you should never need
              to touch this parameter.

              Default: max open files = 10000

       max print jobs (S)
              This parameter limits the maximum number of jobs
              allowable in a Samba printer queue at any given
              moment. If this number is exceeded, smbd(8) will
              report "Out of Space" to the client. See also total
              print jobs.

              Default: max print jobs = 1000

              Example: max print jobs = 5000

       max protocol (G)
              The value of the parameter (a string) is the
              highest protocol level that will be supported by the
              server.

              Possible values are :

              · CORE: Earliest version. No concept of user names.

              · COREPLUS: Slight improvements on CORE  for  effi­
                ciency.

              · LANMAN1:  First   modern version of the protocol.
                Long filename support.

              · LANMAN2: Updates to Lanman1 protocol.

              · NT1: Current up to date version of the  protocol.
                Used by Windows NT. Known as CIFS.

              Normally this option should not be set as the automatic
              negotiation phase in the SMB protocol takes care of
              choosing the appropriate protocol.

              See also min protocol

              Default: max protocol = NT1
              shares from a given host.

              Default: max smbd processes = 0 ## no limit

              Example: max smbd processes = 1000

       max ttl (G)
              This option tells nmbd(8) what the default 'time to
              live' of NetBIOS names should be (in seconds)  when
              nmbd  is requesting a name using either a broadcast
              packet or from a WINS server. You should never need
              to change this parameter. The default is 3 days.

              Default: max ttl = 259200

       max wins ttl (G)
              This option tells nmbd(8) when acting as a WINS
              server (wins support = yes)
              what the maximum 'time to live'  of  NetBIOS  names
              that  nmbd  will  grant  will  be (in seconds). You
              should never need to  change  this  parameter.  The
              default is 6 days (518400 seconds).

              See also the min wins ttl parameter.

              Default: max wins ttl = 518400

       max xmit (G)
              This  option  controls the maximum packet size that
              will be negotiated by Samba. The default  in  Samba
              2.2.6  is  now 16644 (changed from 65535 in earlier
              releases) which matches Windows 2000.  This  allows
              better  performance  with  Windows NT clients.  The
              maximum is 65535. In some cases you  may  find  you
              get  better  performance  with  a  smaller value. A
              value below 2048 is likely to cause problems.

              Default: max xmit = 16644

              Example: max xmit = 8192

       message command (G)
              This specifies what command to run when the  server
              receives a WinPopup style message.

              This would normally be a command that would deliver
              the message somehow. How this is to be done  is  up
              to your imagination.

              An example is:

              message command = csh -c 'xedit %s;rm %s' &

              Apart from the standard substitutions, some additional
              ones apply. In particular:

              · %s = the filename containing the message.

              · %t = the destination that the message was sent to
                (probably the server name).

              · %f = who the message is from.

              You could make this command send mail, or whatever else
              takes your fancy. Please let us know of any really
              interesting ideas you have.

              Here's a way of sending the messages as mail to root:

              message command = /bin/mail -s 'message from %f on %m' root < %s; rm %s

              If you don't have a message command then the message won't
              be delivered and Samba will tell the sender there was an
              error. Unfortunately WfWg totally ignores the error code
              and carries on regardless, saying that the message was
              delivered.

              If you want to silently delete it then try:

              message command = rm %s

              Default: no message command

              Example: message command = csh -c 'xedit %s; rm %s' &

       min passwd length (G)
              Synonym for  min password length.

       min password length (G)
              This  option  sets the minimum length in characters
              of a plaintext password that smbd will accept  when
              performing UNIX password changing.

              See also unix password sync, passwd program and
              passwd chat debug.


       min protocol (G)
              The value of the parameter (a string) is the lowest
              SMB protocol dialect that Samba will support.
              Please refer to the max protocol parameter for a
              list of valid protocol names and a brief description
              of each. You may also wish to refer to the C
              source code in source/smbd/negprot.c for a listing
              of known protocol dialects supported by clients.

              If you are viewing this  parameter  as  a  security
              measure,  you  should also refer to the lanman auth
              parameter. Otherwise,  you  should  never  need  to
              change this parameter.

              Default : min protocol = CORE

              Example : min protocol = NT1 # disable DOS clients

       min wins ttl (G)
              This  option  tells  nmbd(8)  when acting as a WINS
              server ( wins support = yes) what the minimum 'time
              to live' of NetBIOS names that nmbd will grant will
              be (in seconds). You should never  need  to  change
              this  parameter. The default is 6 hours (21600 sec­
              onds).

              Default: min wins ttl = 21600

       msdfs proxy (S)
              This parameter indicates that the share is a stand-
              in  for another CIFS share whose location is speci­
              fied by the value of the  parameter.  When  clients
              attempt  to  connect  to this share, they are redi­
              rected to the proxied share using the SMB-Dfs  pro­
              tocol.

              Only Dfs roots can act as proxy shares. Take a look
              at the msdfs root and host msdfs  options  to  find
              out how to set up a Dfs root share.

              Example: msdfs proxy = \otherserver\someshare

       msdfs root (S)
              This  boolean  parameter is only available if Samba
              is configured and compiled with  the   --with-msdfs
              option.  If set to yes, Samba treats the share as a
              Dfs root and allows  clients  to  browse  the  dis­
              tributed  file  system  tree  rooted  at  the share
              directory.  Dfs links are specified  in  the  share
              directory   by   symbolic   links   of   the   form
              msdfs:serverA\shareA,serverB\shareB and so on.  For

              The options are: "lmhosts", "host", "wins" and
              "bcast". They cause names to be resolved as follows:

              · lmhosts : Lookup  an  IP  address  in  the  Samba
                lmhosts  file. If the line in lmhosts has no name
                type  attached  to  the  NetBIOS  name  (see  the
                lmhosts(5)   for  details)  then  any  name  type
                matches for lookup.

              · host : Do a standard host name to IP address
                resolution, using the system /etc/hosts, NIS, or
                DNS lookups. This method of name resolution is
                operating system dependent; for instance, on IRIX
                or Solaris this may be controlled by the
                /etc/nsswitch.conf file. Note that this method is
                only used if the NetBIOS name type being queried is
                the 0x20 (server) name type, otherwise it is
                ignored.

              · wins : Query a name with the IP address listed in
                the  wins server parameter. If no WINS server has
                been specified this method will be ignored.

              · bcast : Do a broadcast on each of the known local
                interfaces  listed  in  the interfaces parameter.
                This is the least reliable of the name resolution
                methods as it depends on the target host being on
                a locally connected subnet.

              Default: name resolve order = lmhosts host wins bcast

              Example: name resolve order = lmhosts bcast host

              This will cause the local lmhosts file to be examined
              first, followed by a broadcast attempt, followed by a
              normal system hostname lookup.

       netbios aliases (G)
              This is a list of NetBIOS names that  nmbd(8)  will
              advertise  as  additional  names by which the Samba
              server is known. This allows one machine to  appear
              in  browse lists under multiple names. If a machine
              is acting as a browse server or logon  server  none
              of  these names will be advertised as either browse
              server or logon servers, only the primary  name  of
              the machine will be advertised with these capabili­
              ties.

              See also netbios aliases.

              Default: machine DNS name

              Example: netbios name = MYNAME

       netbios scope (G)
              This sets the NetBIOS scope that Samba will operate
              under. This should not be set unless every  machine
              on your LAN also sets this value.

       nis homedir (G)
              Get  the home share server from a NIS map. For UNIX
              systems that use an automounter,  the  user's  home
              directory will often be mounted on a workstation on
              demand from a remote server.

              When the Samba logon server is not the actual home
              directory server, but is mounting the home
              directories via NFS, then two network hops would be
              required to access the user's home directory if the
              logon server told the client to use itself as the
              SMB server for home directories (one over SMB and
              one over NFS). This can be very slow.

              This option allows Samba to return the  home  share
              as  being on a different server to the logon server
              and as long as a Samba daemon  is  running  on  the
              home  directory  server,  it will be mounted on the
              Samba client directly from  the  directory  server.
              When  Samba  is  returning  the  home  share to the
              client, it will consult the NIS  map  specified  in
              homedir map and return the server listed there.

              Note  that  for this option to work there must be a
              working NIS system and the Samba server  with  this
              option must also be a logon server.

              Default: nis homedir = no

       nt acl support (S)
              This boolean parameter controls whether smbd(8)
              will attempt to map UNIX permissions into Windows
              NT access control lists. This parameter was formerly
              a global parameter in releases prior to 2.2.2.

              Default: nt acl support = yes

       nt pipe support (G)
              This  boolean  parameter  controls  whether smbd(8)
              to  no then Samba offers exactly the same SMB calls
              that versions prior to  Samba  2.0  offered.   This
              information  may  be of use if any users are having
              problems with NT SMB support.

              You should not need to ever disable this parameter.

              Default: nt smb support = yes

       nt status support (G)
              This  boolean  parameter  controls  whether smbd(8)
              will negotiate NT specific status support with Win­
              dows  NT/2k/XP  clients. This is a developer debug­
              ging option and should  be  left  alone.   If  this
              option  is  set to no then Samba offers exactly the
              same DOS error codes that versions prior  to  Samba
              2.2.3 reported.

              You should not need to ever disable this parameter.

              Default: nt status support = yes

       null passwords (G)
              Allow or disallow client access  to  accounts  that
              have null passwords.

              See also smbpasswd (5)

              Default: null passwords = no

       obey pam restrictions (G)
              When  Samba 2.2 is configured to enable PAM support
              (i.e.  --with-pam),  this  parameter  will  control
              whether  or not Samba should obey PAM's account and
              session management directives. The default behavior
              is  to  use  PAM for clear text authentication only
              and to ignore any account  or  session  management.
              Note  that Samba always ignores PAM for authentica­
              tion in the case of encrypt passwords = yes  .  The
              reason is that PAM modules cannot support the chal­
              lenge/response authentication mechanism  needed  in
              the presence of SMB password encryption.

              Default: obey pam restrictions = no

       only user (S)
              This is a boolean option that controls whether con­
              nections with usernames not in the user  list  will
              be  allowed.  By default this option is disabled so
              that a client can supply a username to be  used  by
              the  server. Enabling this parameter will force the
              server to only use the login names  from  the  user

       only guest (S)
              A synonym for  guest only.

       oplock break wait time (G)
              This  is  a  tuning  parameter added due to bugs in
              both Windows 9x and WinNT. If Samba responds  to  a
              client  too  quickly when that client issues an SMB
              that can cause an oplock break  request,  then  the
              network  client  can  fail  and  not respond to the
              break request. This tuning parameter (which is  set
              in  milliseconds)  is the amount of time Samba will
              wait before sending an oplock break request to such
              (broken) clients.

              DO  NOT  CHANGE THIS PARAMETER UNLESS YOU HAVE READ
              AND UNDERSTOOD THE SAMBA OPLOCK CODE.

              Default: oplock break wait time = 0

       oplock contention limit (S)
              This is a very advanced smbd(8)  tuning  option  to
              improve  the  efficiency of the granting of oplocks
              under multiple client contention for the same file.

              In  brief  it specifies a number, which causes smbd
              not to grant an oplock even when requested  if  the
              approximate  number  of  clients  contending for an
              oplock on the same file goes over this limit.  This
              causes  smbd  to behave in a similar way to Windows
              NT.

              DO NOT CHANGE THIS PARAMETER UNLESS YOU  HAVE  READ
              AND UNDERSTOOD THE SAMBA OPLOCK CODE.

              Default: oplock contention limit = 2

       oplocks (S)
              This  boolean  option  tells  smbd whether to issue
              oplocks (opportunistic locks) to file open requests
              on  this  share.  The  oplock code can dramatically
              (approx. 30% or more) improve the speed  of  access
              to files on Samba servers. It allows the clients to
              aggressively cache files locally and you  may  want
              to disable this option for unreliable network envi­
              ronments (it is turned on by default in Windows  NT
              Servers).   For   more  information  see  the  file
              Speed.txt in the Samba docs/ directory.

              Oplocks may be selectively turned  off  on  certain
              files  with  a  share.  See  the  veto oplock files
              parameter. On some systems oplocks  are  recognized
              by  the  underlying  operating  system. This allows
              chance  of  becoming a local master browser for the
              WORKGROUP in the local broadcast area.

              Note: By default, Samba will win a local master
              browsing election over all Microsoft operating sys­
              tems except  a  Windows  NT  4.0/2000  Domain  Con­
              troller. This means that a misconfigured Samba host
              can effectively isolate a subnet for browsing  pur­
              poses.  See  BROWSING.txt in the Samba docs/ direc­
              tory for details.

              Default: os level = 20

              Example: os level = 65

       os2 driver map (G)
              The parameter is used to define the  absolute  path
              to  a  file  containing  a  mapping  of  Windows NT
              printer driver names to OS/2 printer driver  names.
              The format is:

              <nt driver name> = <os2 driver name>.<device name>

              For  example, a valid entry using the HP LaserJet 5
              printer driver would appear as  HP  LaserJet  5L  =
              LASERJET.HP LaserJet 5L.

              The need for the file is due to the printer driver
              namespace problem described in the Samba Printing
              HOWTO. For more details on OS/2 clients, please
              refer to the OS2-Client-HOWTO contained in the
              Samba documentation.

              Default: os2 driver map = <empty string>

       pam password change (G)
              With the addition of better PAM support in Samba
              2.2, it is possible to use PAM's password change
              control flag for Samba. If enabled, then PAM will
              be used for password changes when requested by an
              SMB client instead of the program listed in passwd
              program. It should be possible to enable this
              without changing your passwd chat parameter for
              most setups.

              Default: pam password change = no

       panic action (G)
              This is a Samba developer option that allows a sys­
              tem command  to  be  called  when  either   smbd(8)
              crashes.  This is usually used to draw attention to
              the fact that a problem occurred.

              This  chat  sequence  is often quite site specific,
              depending on what local methods are used for  pass­
              word control (such as NIS etc).

              Note that this parameter is only used if the
              unix password sync parameter is set  to  yes.  This
              sequence  is then called AS ROOT when the SMB pass­
              word in the smbpasswd file is being changed,  with­
              out  access  to  the  old  password cleartext. This
              means that root must be able to  reset  the  user's
              password  without  knowing the text of the previous
              password. In the presence  of  NIS/YP,  this  means
              that the passwd program must be executed on the NIS
              master.

              The string can contain the macro %n which  is  sub­
              stituted  for  the  new password. The chat sequence
              can also contain the standard macros  \n,  \r,   \t
              and  \s to give line-feed, carriage-return, tab and
              space. The chat sequence string can also contain  a
              '*' which matches any sequence of characters.  Dou­
              ble quotes can be  used  to  collect  strings  with
              spaces in them into a single string.

              If the send string in any part of the chat sequence
              is a full stop ".", then no string is  sent.  Simi­
              larly,  if the expect string is a full stop then no
              string is expected.

              If the pam password change parameter is set to yes,
              the  chat  pairs  may  be matched in any order, and
              success is determined by the PAM  result,  not  any
              particular  output. The \n macro is ignored for PAM
              conversions.

              See also unix password sync, passwd program,
              passwd chat debug and pam password change.

              Default:   passwd   chat   =   *new*password*  %n\n
              *new*password* %n\n *changed*

              Example: passwd chat = "*Enter OLD password*" %o\n
              "*Enter NEW password*" %n\n "*Reenter NEW password*" %n\n
              "*Password changed*"
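
              A dry run of the chat sequence rules described above,
              added here as an example (it is not Samba's code). It
              lets a site-specific chat be checked against the passwd
              program's prompts with a dummy password. The function
              names and the program output are constructed, and
              case-sensitive matching is an assumption.

```python
import re

ESCAPES = {"\\n": "\n", "\\r": "\r", "\\t": "\t", "\\s": " "}

# Chat strings taken from the Default and Example lines on this page.
DEFAULT_CHAT = r"*new*password* %n\n *new*password* %n\n *changed*"
EXAMPLE_CHAT = (r'"*Enter OLD password*" %o\n "*Enter NEW password*" %n\n '
                r'"*Reenter NEW password*" %n\n "*Password changed*"')


def tokenize(chat):
    """Split a passwd chat value; double quotes keep strings with spaces together."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in re.finditer(r'"([^"]*)"|(\S+)', chat)]


def pairs(chat):
    """Group the tokens into (expect, send) pairs; a trailing expect sends nothing."""
    tokens = tokenize(chat)
    if len(tokens) % 2:
        tokens.append(".")
    return list(zip(tokens[0::2], tokens[1::2]))


def expand(token, new_password, old_password=""):
    """Expand the escape macros and %n / %o in a single pass.

    One pass matters: the substituted password text is never re-scanned, so a
    password that itself contains a backslash sequence or '%o' is sent unchanged.
    """
    def repl(match):
        item = match.group(0)
        if item == "%n":
            return new_password
        if item == "%o":
            return old_password
        return ESCAPES[item]
    return re.sub(r"\\[nrts]|%[no]", repl, token)


def matches(expect, output, new_password="", old_password=""):
    """Return True if output satisfies expect, where '*' matches any sequence."""
    parts = [expand(p, new_password, old_password) for p in expect.split("*")]
    pattern = ".*".join(re.escape(p) for p in parts)
    return re.fullmatch(pattern, output, re.DOTALL) is not None


def dry_run(chat, program_output, new_password, old_password=""):
    """Walk the chat against a list of program outputs.

    Returns (ok, sent): sent is what would have been written to the program,
    and ok is False at the first expect string that does not match.
    """
    outputs = iter(program_output)
    sent = []
    for expect, send in pairs(chat):
        if expect != ".":                    # a full stop means nothing is expected
            if not matches(expect, next(outputs, ""), new_password, old_password):
                return False, sent
        if send != ".":                      # a full stop means nothing is sent
            sent.append(expand(send, new_password, old_password))
    return True, sent


if __name__ == "__main__":
    # Constructed prompts standing in for a local passwd program.
    prompts = ["Enter new password: ", "Retype new password: ", "Password changed"]
    print(pairs(EXAMPLE_CHAT))
    print(dry_run(DEFAULT_CHAT, prompts, "dummy-Passw0rd"))
```

              In the failing case the new password has already been
              written to the program twice before the final expect
              string is checked.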

       passwd chat debug (G)
              This boolean specifies if the  passwd  chat  script
              parameter  is  run  in debug mode. In this mode the
              strings passed to and received from the passwd chat
              are  printed  in the smbd(8) log with a debug level
              of 100. This is a dangerous option as it will allow
              The name of a program that can be used to set  UNIX
              user  passwords.  Any  occurrences  of  %u  will be
              replaced with the  user  name.  The  user  name  is
              checked  for  existence before calling the password
              changing program.

              Also note that many passwd programs insist on
              reasonable passwords, such as a minimum length, or the
              inclusion of mixed case chars and digits. This can
              pose a problem as some clients (such as Windows for
              Workgroups) uppercase the password before sending
              it.

              Note that if the unix password sync parameter is
              set to yes then this program is called AS ROOT
              before the SMB password in the smbpasswd(5) file is
              changed. If this UNIX password change fails, then
              smbd will fail to change the SMB password also
              (this is by design).

              If  the  unix  password  sync parameter is set this
              parameter MUST USE ABSOLUTE PATHS for ALL  programs
              called,  and must be examined for security implica­
              tions. Note that by default unix password  sync  is
              set to no.

              See also unix password sync.

              Default: passwd program = /bin/passwd

              Example: passwd program = /sbin/npasswd %u

       password level (G)
              Some  client/server  combinations  have  difficulty
              with mixed-case passwords. One offending client  is
              Windows  for  Workgroups,  which  for  some  reason
              forces passwords to upper case when using the  LAN­
              MAN1  protocol,  but  leaves  them alone when using
              COREPLUS! Another problem child is the Windows
              95/98 family of operating systems. These clients
              upper case clear text passwords even when NT LM
              0.12 is selected by the protocol negotiation
              request/response.

              This parameter defines the maximum number of  char­
              acters that may be upper case in passwords.

              For  example, say the password given was "FRED". If
              password level is set to 1, the following  combina­
              tions would be tried if "FRED" failed:

              "Fred", "fred", "fRed", "frEd","freD"

              A value of zero will cause only two attempts to  be
              made  - the password as is and the password in all-
              lower case.

              Default: password level = 0

              Example: password level = 4
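
              The candidate list from the "FRED" example above,
              generalised to any password level, as an added example
              (a model of the behaviour this entry describes, not
              Samba's code). The function names are made up here and
              ASCII passwords are assumed. It shows how quickly the
              number of attempts per logon grows with the level.

```python
from itertools import combinations
from math import comb


def case_candidates(password, level):
    """Return, in order, the passwords tried for one logon at this password level.

    Order modelled on the text above: the password as supplied, then all
    lower case, then every variant of the lower-case form with 1..level
    letters in upper case. Duplicates are tried only once.
    """
    seen, ordered = set(), []

    def add(candidate):
        if candidate not in seen:
            seen.add(candidate)
            ordered.append(candidate)

    add(password)                       # as sent by the client
    lower = password.lower()
    add(lower)                          # all-lower-case form
    # Only letters can change case; digits and punctuation stay fixed.
    letters = [i for i, ch in enumerate(lower) if ch.islower()]
    for k in range(1, min(level, len(letters)) + 1):
        for positions in combinations(letters, k):
            chars = list(lower)
            for i in positions:
                chars[i] = chars[i].upper()
            add("".join(chars))
    return ordered


def worst_case_attempts(letter_count, level):
    """Upper bound on attempts: as-is plus sum of C(letters, k) for k = 0..level."""
    top = min(level, letter_count)
    return 1 + sum(comb(letter_count, k) for k in range(top + 1))


if __name__ == "__main__":
    print(case_candidates("FRED", 1))
    for level in (0, 1, 4, 8):
        print("level", level, "-> up to", worst_case_attempts(8, level),
              "attempts for an 8-letter password")
```

              Every extra attempt is another comparison the server
              makes for a single logon, and each accepted case variant
              is a password the account now effectively has.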

       password server (G)
              By specifying the name of another SMB server  (such
              as  a  WinNT box) with this option, and using secu­
              rity = domain or security  =  server  you  can  get
              Samba  to  do  all its username/password validation
              via a remote server.

              This option sets the name of the password server to
              use.   It  must  be  a  NetBIOS  name,  so  if  the
              machine's NetBIOS name is different from its Inter­
              net  name then you may have to add its NetBIOS name
              to the lmhosts file which is  stored  in  the  same
              directory as the smb.conf file.

              The name of the password server is looked up using
              the parameter name resolve order and so may be
              resolved by any method and order described in that
              parameter.

              The password server must be a  machine  capable  of
              using the "LM1.2X002" or the "NT LM 0.12" protocol,
              and it must be in user level security mode.

              NOTE: Using a password server means your  UNIX  box
              (running  Samba) is only as secure as your password
              server. DO NOT CHOOSE A PASSWORD  SERVER  THAT  YOU
              DON'T COMPLETELY TRUST.

              Never  point  a Samba server at itself for password
              serving. This will cause a loop and could  lock  up
              your Samba server!

              The  name of the password server takes the standard
              substitutions, but probably the only useful one  is
              %m  ,  which  means  the  Samba server will use the
              incoming client as the password server. If you  use
              this  then  you  better trust your clients, and you
              had better restrict them with hosts allow!

              If the security parameter is set  to  domain,  then
              the  list of machines in this option must be a list
              of Primary or Backup  Domain  controllers  for  the
              Domain or the character '*', as the Samba server is
              tion source.

              If the security parameter is set  to  server,  then
              there  are  different  restrictions that security =
              domain doesn't suffer from:

              · You may list  several  password  servers  in  the
                password  server  parameter,  however  if an smbd
                makes a connection to a password server, and then
                the  password server fails, no more users will be
                able to be authenticated from this smbd. This  is
                a  restriction  of  the SMB/CIFS protocol when in
                security = server mode and  cannot  be  fixed  in
                Samba.

              · If you are using a Windows NT server as your
                password server then you will have to ensure that
                your users are able to login from the Samba
                server, as when in security = server mode the
                network logon will appear to come from there
                rather than from the user's workstation.

              See also the security parameter.

              Default: password server = <empty string>

              Example: password server = NT-PDC, NT-BDC1, NT-BDC2

              Example: password server = *
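
              A small audit of the [global] section for the settings
              this page warns about (null passwords, passwd chat
              debug, a passwd program without absolute paths under
              unix password sync, and password server = %m without
              hosts allow). This is an added example, not part of
              Samba. The function names and both sample files are
              constructed, and the split on shell separators is a
              heuristic.

```python
import re

TRUE_VALUES = {"yes", "true", "1"}

# Constructed sample files: one with the risky settings, one corrected.
WEAK = """
[global]
   null passwords = yes
   passwd chat debug = Yes
   unix password sync = yes
   passwd program = npasswd %u
   password server = %m
"""

HARDENED = """
[global]
   null passwords = no
   passwd chat debug = no
   unix password sync = yes
   passwd program = /sbin/npasswd %u
   password server = NT-PDC, NT-BDC1
   hosts allow = 192.0.2.
"""


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {parameter: value}}.

    Follows the FILE FORMAT rules of this page: line-based, names are not
    case sensitive, and only the first equals sign is significant.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":              # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            name, value = line.split("=", 1)
            current[" ".join(name.lower().split())] = value.strip()
    return sections


def relative_programs(command):
    """Return the program names in a command line that are not absolute paths."""
    found = []
    for segment in re.split(r"[;|&]+", command):     # heuristic command split
        words = segment.split()
        if words and not words[0].startswith("/"):
            found.append(words[0])
    return found


def audit_global(sections):
    """Return [(parameter, reason)] for risky [global] settings named on this page."""
    g = sections.get("global", {})

    def enabled(name):
        return g.get(name, "no").lower() in TRUE_VALUES

    findings = []
    if enabled("null passwords"):
        findings.append(("null passwords",
                         "clients may access accounts that have null passwords"))
    if enabled("passwd chat debug"):
        findings.append(("passwd chat debug",
                         "strings passed to the passwd chat are printed in the smbd log"))
    if enabled("unix password sync"):
        # The program is called AS ROOT in this mode; /bin/passwd is the page default.
        bad = relative_programs(g.get("passwd program", "/bin/passwd"))
        if bad:
            findings.append(("passwd program",
                             "not an absolute path: " + ", ".join(bad)))
    if "%m" in g.get("password server", ""):
        # "allow hosts" is the synonym of "hosts allow".
        if not (g.get("hosts allow") or g.get("allow hosts")):
            findings.append(("password server",
                             "%m uses the incoming client as password server; no hosts allow"))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(label)
        for parameter, reason in audit_global(parse_smb_conf(text)):
            print("  %s: %s" % (parameter, reason))
```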

       path (S)
              This parameter specifies a directory to  which  the
              user  of  the service is to be given access. In the
              case of printable services,  this  is  where  print
              data  will  spool  prior  to being submitted to the
              host for printing.

              For a printable service offering guest access,  the
              service  should  be readonly and the path should be
              world-writeable and have the sticky bit  set.  This
              is  not mandatory of course, but you probably won't
              get the results you expect if you do otherwise.

              Any occurrences of %u in the path will be  replaced
              with  the UNIX username that the client is using on
              this connection. Any  occurrences  of  %m  will  be
              replaced  by  the  NetBIOS name of the machine they
              are connecting from. These  replacements  are  very
              Default: pid directory = ${prefix}/var/locks

              Example: pid directory = /var/run/

       posix locking (S)
              The smbd(8) daemon maintains a database of file
              locks obtained by SMB clients. The default behavior
              is to map this internal database to POSIX
              locks. This means that file locks obtained by SMB
              clients are consistent with those seen by POSIX
              compliant applications accessing the files via a
              non-SMB method (e.g. NFS or local file access).
              You should never need to disable this parameter.

              Default: posix locking = yes

       postexec (S)
              This  option specifies a command to be run whenever
              the service is disconnected.  It  takes  the  usual
              substitutions.  The  command may be run as the root
              on some systems.

              An interesting example may  be  to  unmount  server
              resources:

              postexec = /etc/umount /cdrom

              See also preexec .

              Default: none (no command executed)

              Example:  postexec = echo \"%u disconnected from %S
              from %m (%I)\" >> /tmp/log

       postscript (S)
              This parameter forces a printer  to  interpret  the
              print files as PostScript. This is done by adding a
              %!  to the start of print output.

              This is most useful when you have lots of PCs  that
              persist  in  putting  a  control-D  at the start of
              print jobs, which then confuses your printer.

              Default: postscript = no

       preexec (S)
              This option specifies a command to be run  whenever
              the  service  is  connected  to. It takes the usual
              substitutions.

              An interesting example is to send the users a  wel­
              come  message  every time they log in. Maybe a mes­

       preexec close (S)
              This  boolean  option  controls  whether a non-zero
              return code from preexec should close  the  service
              being connected to.

              Default: preexec close = no

       preferred master (G)
              This  boolean  parameter  controls  if nmbd(8) is a
              preferred master browser for its workgroup.

              If this is set to yes, on startup, nmbd will  force
              an election, and it will have a slight advantage in
              winning the election. It is recommended  that  this
              parameter  is used in conjunction with  domain mas­
              ter = yes, so that  nmbd can guarantee  becoming  a
              domain master.

              Use  this option with caution, because if there are
              several hosts (whether Samba servers, Windows 95 or
              NT)  that are preferred master browsers on the same
              subnet, they will each  periodically  and  continu­
              ously  attempt  to become the local master browser.
              This will result in unnecessary  broadcast  traffic
              and reduced browsing capabilities.

              See also os level .

              Default: preferred master = auto

       prefered master (G)
              Synonym for  preferred master for people who cannot
              spell :-).

       preload
              This is a list of services  that  you  want  to  be
              automatically  added  to  the browse lists. This is
              most useful for homes and  printers  services  that
              would otherwise not be visible.

              Note  that  if  you  just want all printers in your
              printcap file loaded then the  load printers option
              is easier.

              Default: no preloaded services

              Example: preload = fred lp colorlp

       preserve case (S)
              This controls if new filenames are created with the
              case that the client passes, or if they are  forced
              the spool file, so  whatever  command  you  specify
              should  remove the spool file when it has been pro­
              cessed, otherwise you will need to manually  remove
              old spool files.

              The  print command is simply a text string. It will
              be used verbatim  after  macro  substitutions  have
              been made:

              %s, %f - the path to the spool file name

              %p - the appropriate printer name

              %J - the job name as transmitted by the client.

              %c - The number of printed pages of the spooled job
              (if known).

              %z - the size of the spooled print job (in bytes)

              The print command MUST contain at least one  occur­
              rence of %s or %f - the %p is optional. At the time
              a job is submitted, if no printer name is  supplied
              the  %p  will  be silently removed from the printer
              command.

              If specified in the  [global]  section,  the  print
              command  given  will be used for any printable ser­
              vice that does not have its own print command spec­
              ified.

              If there is neither a specified print command for a
              printable service nor a global print command, spool
              files  will  be created but not processed and (most
              importantly) not removed.

              Note that printing may fail on some UNIXes from the
              nobody  account.  If  this  happens  then create an
              alternative guest account that can  print  and  set
              the guest account in the [global] section.

              You  can form quite complex print commands by real­
              izing that they are just passed  to  a  shell.  For
              example  the  following will log a print job, print
              the file, then remove it.  Note  that  ';'  is  the
              usual separator for commands in shell scripts.

              print command = echo Printing %s >> /tmp/print.log; lpr -P %p %s; rm %s

              You may have  to  vary  this  command  considerably
              depending  on  how you normally print files on your

              print command = lp -d%p -s %s; rm %s

              For  printing = CUPS : If SAMBA is compiled against
              libcups, then printcap = cups uses the CUPS API  to
              submit jobs, etc. Otherwise it maps to the System V
              commands with the -oraw option for  printing,  i.e.
              it  uses  lp -c -d%p -oraw; rm %s.  With printing =
              cups, and if SAMBA is compiled against libcups, any
              manually set print command will be ignored.

              Example: print command = /usr/local/samba/bin/myprintscript %p %s

       print ok (S)
              Synonym for  printable.

       printable (S)
              If this parameter is yes, then  clients  may  open,
              write  to  and  submit spool files on the directory
              specified for the service.

              Note that a printable  service  will  ALWAYS  allow
              writing  to  the service path (user privileges per­
              mitting) via the spooling of print data.  The  read
              only parameter controls only non-printing access to
              the resource.

              Default: printable = no

       printcap (G)
              Synonym for  printcap name.

       printcap name (G)
              This parameter may be used  to  override  the  com­
              piled-in  default  printcap name used by the server
              (usually  /etc/printcap). See the discussion of the
              [printers]  section above for reasons why you might
              want to do this.

              To use the CUPS  printing  interface  set  printcap
              name  =  cups  .  This should be supplemented by an
              additional setting printing = cups in the [global]
              section.  printcap name = cups will use the "dummy"
              printcap created by CUPS, as specified in your CUPS
              configuration file.

              On  System V systems that use lpstat to list avail­
              able printers you can use printcap name = lpstat to
              automatically  obtain  lists of available printers.
              This is the default for systems that define SYSV at
              configure  time in Samba (this includes most System

              where the '|' separates aliases of a  printer.  The
              fact  that the second alias has a space in it gives
              a hint to Samba that it's a comment.

              NOTE:  Under  AIX  the  default  printcap  name  is
              /etc/qconfig.  Samba will assume the file is in AIX
              qconfig format if the string qconfig appears in the
              printcap filename.

              Default: printcap name = /etc/printcap

              Example: printcap name = /etc/myprintcap

       printer admin (S)
              This  is  a  list  of users that can do anything to
              printers via the remote  administration  interfaces
              offered by MS-RPC (usually using a NT workstation).
              Note that the root user always has admin rights.

              Default: printer admin = <empty string>

              Example: printer admin = admin, @staff

       printer driver (S)
              Note: This is a deprecated parameter and will be
              removed in the next major release following version
              2.2. Please see the instructions in the Samba  2.2.
              Printing  HOWTO  for  more  information  on the new
              method of loading  printer  drivers  onto  a  Samba
              server.

              This  option  allows you to control the string that
              clients receive when they ask the  server  for  the
              printer  driver  associated  with a printer. If you
              are using Windows95 or Windows NT then you can  use
              this to automate the setup of printers on your sys­
              tem.

              You need to set this parameter to the exact  string
              (case  sensitive)  that  describes  the appropriate
              printer driver for your system. If you  don't  know
              the  exact  string to use then you should first try
              with no  printer driver option set and  the  client
              will give you a list of printer drivers. The appro­
              priate strings are shown in a scroll box after  you
              have chosen the printer manufacturer.

              See also printer driver file.


              SAMBA_INSTALL_DIRECTORY /lib/printers.def

              This  file  is  created from Windows 95 msprint.inf
              files found on the Windows 95  client  system.  For
              more  details  on  setting  up  serving  of printer
              drivers to Windows 95  clients,  see  the  outdated
              documentation   file   in   the   docs/  directory,
              PRINTER_DRIVER.txt.

              See also  printer driver location.

              Default: None (set in compile).

              Example: printer driver file = /usr/local/samba/printers/drivers.def

       printer driver location (S)
              Note: This is a deprecated parameter and will be
              removed in the next major release following version
              2.2.  Please see the instructions in the Samba 2.2.
              Printing HOWTO for  more  information  on  the  new
              method  of  loading  printer  drivers  onto a Samba
              server.

              This  parameter  tells  clients  of  a   particular
              printer  share  where  to  find  the printer driver
              files for the automatic installation of drivers for
              Windows  95  machines.  If Samba is set up to serve
              printer drivers to Windows 95 machines, this should
              be set to

              \\MACHINE\PRINTER$

              Where  MACHINE  is  the  NetBIOS name of your Samba
              server, and PRINTER$ is a  share  you  set  up  for
              serving  printer  driver files. For more details on
              setting this up see the outdated documentation file
              in the docs/ directory,  PRINTER_DRIVER.txt.

              See also  printer driver file.

              Default: none

              Example: printer driver location = \\MACHINE\PRINTER$

       printer name (S)
              This parameter specifies the name of the printer to
              which  print  jobs spooled through a printable ser­
              vice will be sent.

              affects  the  default values for the print command,
              lpq command, lppause command, lpresume command,
              and  lprm command if specified in the [global] sec­
              tion.

              Currently nine printing styles are supported.  They
              are  BSD,  AIX, LPRNG, PLP, SYSV, HPUX, QNX, SOFTQ,
              and CUPS.

              To see what the defaults are for  the  other  print
              commands  when  using  the  various options use the
              testparm(1) program.

              This option can be set on a per printer basis.

              See also the discussion in the  [printers] section.

       profile acls (S)
              This  boolean  parameter was added to fix the prob­
              lems that people have been having with storing user
              profiles  on Samba shares from Windows 2000 or Win­
              dows XP clients. New versions of  Windows  2000  or
              Windows  XP  service packs do security ACL checking
              on the owner and ability to write  of  the  profile
              directory stored on a local workstation when copied
              from a Samba share. When not in  domain  mode  with
              winbindd  then  the  security  info copied onto the
              local workstation has no meaning to the  logged  in
              user (SID) on that workstation so the profile stor­
              ing fails. Adding this parameter onto a share  used
              for  profile  storage  changes two things about the
              returned Windows ACL. Firstly it changes the  owner
              and  group owner of all reported files and directo­
              ries to  be  BUILTIN\Administrators,  BUILTIN\Users
              respectively   (SIDs  S-1-5-32-544,  S-1-5-32-545).
              Secondly it adds an ACE entry of "Full Control"  to
              the  SID  BUILTIN\Users to every returned ACL. This
              will allow any Windows 2000 or XP workstation  user
              to access the profile. Note that if you have multi­
              ple users logging on to a workstation then in order
              to prevent them from being able to access each
              other's profiles you must remove the "Bypass traverse
              checking" advanced user right. This will prevent
              access to other users' profile directories as the
              top  level profile directory (named after the user)
              is created by the workstation profile code and  has
              an  ACL  restricting entry to the directory tree to
              the owning user.

              If you didn't understand the above text, you proba­
              bly should not set this parameter :-).

              takes a printer name  as  its  only  parameter  and
              stops the printer queue, such that jobs are no
              longer submitted to the printer.

              This command is not supported by Windows for  Work­
              groups,  but can be issued from the Printers window
              under Windows 95 and NT.

              If a %p is given then the printer name  is  put  in
              its place. Otherwise it is placed at the end of the
              command.

              Note that it is good practice to include the  abso­
              lute  path  in  the  command as the PATH may not be
              available to the server.

              Default: depends on the setting of printing

              Example: queuepause command = disable %p

       queueresume command (S)
              This parameter specifies the command to be executed
              on  the  server host in order to resume the printer
              queue. It is the command to undo the behavior  that
              is  caused  by  the previous parameter ( queuepause
              command).

              This command should be a program  or  script  which
              takes  a  printer  name  as  its only parameter and
              resumes the printer queue, such  that  queued  jobs
              are resubmitted to the printer.

              This  command is not supported by Windows for Work­
              groups, but can be issued from the Printers  window
              under Windows 95 and NT.

              If  a  %p  is given then the printer name is put in
              its place. Otherwise it is placed at the end of the
              command.

              Note  that it is good practice to include the abso­
              lute path in the command as the  PATH  may  not  be
              available to the server.

              Default: depends on the setting of printing

              Example: queueresume command = enable %p

       read bmpx (G)
              This  boolean  parameter  controls  whether smbd(8)
              will support the "Read Block Multiplex"  SMB.  This
              is  now  rarely used and defaults to no. You should

              Default: read list = <empty string>

              Example: read list = mary, @students

       read only (S)
              An inverted synonym is  writeable.

              If this parameter is yes, then users of  a  service
              may  not  create  or  modify files in the service's
              directory.

              Note that a printable  service  (printable  =  yes)
              will  ALWAYS  allow  writing to the directory (user
              privileges permitting), but only via spooling oper­
              ations.

              Default: read only = yes

       read raw (G)
              This  parameter  controls whether or not the server
              will support the raw read SMB requests when  trans­
              ferring data to clients.

              If enabled, raw reads allow reads of 65535 bytes in
              one packet. This typically provides a major perfor­
              mance benefit.

              However,  some  clients either negotiate the allow­
              able block size incorrectly  or  are  incapable  of
              supporting   larger  block  sizes,  and  for  these
              clients you may need to disable raw reads.

              In general this parameter should  be  viewed  as  a
              system  tuning  tool  and  left severely alone. See
              also  write raw.

              Default: read raw = yes

       read size (G)
              The option read size affects the  overlap  of  disk
              reads/writes  with  network  reads/writes.   If the
              amount of data being transferred in several of  the
              SMB  commands  (currently  SMBwrite,  SMBwriteX and
              SMBreadbraw) is larger than  this  value  then  the
              server  begins  writing  the  data  before  it  has
              received the whole packet from the network,  or  in
              the  case  of SMBreadbraw, it begins writing to the
              network before all the  data  has  been  read  from
              disk.

              This overlapping works best when the speeds of disk

       remote announce (G)
              This option allows you to setup nmbd(8) to periodi­
              cally announce itself  to  arbitrary  IP  addresses
              with an arbitrary workgroup name.

              This  is  useful  if  you want your Samba server to
              appear in a remote workgroup for which  the  normal
              browse  propagation  rules  don't  work. The remote
              workgroup can be anywhere  that  you  can  send  IP
              packets to.

              For example:

              remote announce = 192.168.2.255/SERVERS 192.168.4.255/STAFF

              the above line would cause nmbd to announce  itself
              to the two given IP addresses using the given work­
              group names.  If you leave out the  workgroup  name
              then  the  one  given in the workgroup parameter is
              used instead.

              The IP addresses you choose would normally  be  the
              broadcast addresses of the remote networks, but can
              also be the IP addresses of known browse masters if
              your network config is that stable.

              See  the  documentation  file  BROWSING.txt  in the
              docs/ directory.

              Default: remote announce = <empty string>

       remote browse sync (G)
              This option allows you to setup nmbd(8) to periodi­
              cally  request synchronization of browse lists with
              the master browser of a Samba server that is  on  a
              remote  segment. This option will allow you to gain
              browse lists for multiple workgroups across  routed
              networks.  This  is  done in a manner that does not
              work with any non-Samba servers.

              This is useful if you want your  Samba  server  and
              all  local  clients to appear in a remote workgroup
              for which the normal browse propagation rules don't
              work. The remote workgroup can be anywhere that you
              can send IP packets to.

              For example:

              remote browse sync = 192.168.2.255 192.168.4.255

              Default: remote browse sync = <empty string>

       restrict anonymous (G)
              This is a boolean parameter. If  it  is  yes,  then
              anonymous  access to the server will be restricted,
              namely in the case where the  server  is  expecting
              the client to send a username, but it doesn't. Set­
              ting it to yes will force these  anonymous  connec­
              tions to be denied, and the client will be required
              to always supply a username and password when  con­
              necting.  Use of this parameter is only recommended
              for homogeneous NT client environments.

              This parameter makes the use  of  macro  expansions
              that rely on the username (%U, %G, etc) consistent.
              NT 4.0 likes  to  use  anonymous  connections  when
              refreshing  the  share  list,  and this is a way to
              work around that.

              When restrict anonymous is yes, all anonymous  con­
              nections  are  denied  no matter what they are for.
              This can affect the ability of a machine to access
              the  Samba  Primary Domain Controller to revalidate
              its machine account after someone else  has  logged
              on  the  client  interactively.  The NT client will
              display a message saying that the machine's account
              in the domain doesn't exist or the password is bad.
              The best way to deal with  this  is  to  reboot  NT
              client  machines  between interactive logons, using
              "Shutdown and Restart", rather than "Close all pro­
              grams and logon as a different user".

              Default: restrict anonymous = no

       root (G)
              Synonym for root directory.

       root dir (G)
              Synonym for root directory.

       root directory (G)
              The  server  will  chroot()  (i.e.  Change its root
              directory) to this directory on  startup.  This  is
              not  strictly  necessary for secure operation. Even
              without it the server will deny access to files not
              in  one  of the service entries.  It may also check
              for, and deny access to, soft links to other  parts
              of  the filesystem, or attempts to use ".." in file
              names to access other directories (depending on the
              setting of the wide links parameter).

              Adding  a  root directory entry other than "/" adds

              Example: root directory = /homes/smb

       root postexec (S)
              This  is  the same as the postexec parameter except
              that the command is run as root. This is useful for
              unmounting  filesystems  (such  as  CDROMs) after a
              connection is closed.

              See also  postexec.

              Default: root postexec = <empty string>

       root preexec (S)
              This is the same as the  preexec  parameter  except
              that the command is run as root. This is useful for
              mounting filesystems (such as CDROMs) when  a  con­
              nection is opened.

              See also  preexec and  preexec close.

              Default: root preexec = <empty string>

       root preexec close (S)
              This  is  the  same  as the preexec close parameter
              except that the command is run as root.

              See also  preexec and  preexec close.

              Default: root preexec close = no

       security (G)
              This option affects how clients  respond  to  Samba
              and  is  one  of the most important settings in the
              smb.conf file.

              The option sets the "security mode bit" in  replies
              to protocol negotiations with smbd(8) to turn
              share level security on or off. Clients
              decide based on  this  bit  whether  (and  how)  to
              transfer  user  and  password  information  to  the
              server.

              The default is security = user, as this is the most
              common  setting  needed  when talking to Windows 98
              and Windows NT.

              The alternatives are security = share,  security  =
              server or security = domain.

              In  versions  of  Samba prior to 2.0.0, the default
              was security = share mainly because  that  was  the
              security = share.

              You should also use security = share if you want to
              mainly  setup  shares  without  a  password  (guest
              shares). This is commonly used for a shared printer
              server. It is more difficult to setup guest  shares
              with  security = user, see the map to guest parame­
              ter for details.

              It is possible to use smbd in a  hybrid mode  where
              it offers both user and share level security
              under different  NetBIOS aliases.

              The different settings will now be explained.

              SECURITY = SHARE

              When clients connect  to  a  share  level  security
              server  they  need  not  log onto the server with a
              valid username and password  before  attempting  to
              connect  to  a  shared  resource  (although  modern
              clients such as Windows 95/98 and Windows  NT  will
              send  a  logon request with a username but no pass­
              word when talking to a security  =  share  server).
              Instead,  the  clients send authentication informa­
              tion (passwords) on a per-share basis, at the  time
              they attempt to connect to that share.

              Note that smbd ALWAYS uses a valid UNIX user to act
              on behalf of the client, even in security  =  share
              level security.

              As  clients  are not required to send a username to
              the server in share level security, smbd uses  sev­
              eral  techniques to determine the correct UNIX user
              to use on behalf of the client.

              A list of possible UNIX usernames to match with the
              given client password is constructed using the fol­
              lowing methods :

              · If the guest only parameter is set, then all  the
                other  stages  are  missed  and  only  the  guest
                account username is checked.

              · If a username is sent with the share connection
                request,  then this username (after mapping - see
                username map), is added as a potential  username.

              · If  the  client did a previous logon request (the
                SessionSetup SMB call) then the username sent  in
                this SMB will be added as a potential username.

       If the guest only parameter is set, or no username can  be
       determined then if the share is marked as available to the
       guest account, then this guest user will be  used,  other­
       wise access is denied.

       Note that it can be very confusing in share-level security
       as to which UNIX  username  will  eventually  be  used  in
       granting access.

       See also the section  NOTE ABOUT USERNAME/PASSWORD VALIDA­
       TION.

       SECURITY = USER

       This is the default security setting in Samba  2.2.   With
       user-level  security  a  client must first "log-on" with a
       valid username and password (which can be mapped using the
       username  map  parameter).  Encrypted  passwords  (see the
       encrypted passwords parameter) can also be  used  in  this
       security mode. Parameters such as  user and  guest only if
       set are then applied and may change the UNIX user  to  use
       on  this connection, but only after the user has been suc­
       cessfully authenticated.

       Note that the name of the resource being requested is  not
       sent to the server until after the server has successfully
       authenticated the client. This is why guest  shares  don't
       work in user level security without allowing the server to
       automatically map unknown users into  the  guest  account.
       See  the map to guest parameter for details on doing this.

       See also the section  NOTE ABOUT USERNAME/PASSWORD VALIDA­
       TION.

       SECURITY = SERVER

       In this mode Samba will try to validate the username/pass­
       word by passing it to another SMB server, such  as  an  NT
       box.  If this fails it will revert to security = user, but
       note that if encrypted passwords have been negotiated then
       Samba  cannot  revert  back  to checking the UNIX password
       file, it must have a valid smbpasswd file to  check  users
       against. See the documentation file in the docs/ directory
       See the map to guest parameter for details on doing  this.

       See also the section  NOTE ABOUT USERNAME/PASSWORD VALIDA­
       TION.

       See also the password server parameter and  the  encrypted
       passwords parameter.

       SECURITY = DOMAIN

       This  mode  will  only  work correctly if smbpasswd(8) has
       been used to add this machine into a Windows NT Domain. It
       expects  the  encrypted  passwords  parameter to be set to
       yes. In this mode Samba will try  to  validate  the  user­
       name/password  by  passing  it  to a Windows NT Primary or
       Backup Domain Controller, in exactly the same way  that  a
       Windows NT Server would do.

       Note  that  a  valid UNIX user must still exist as well as
       the account on the Domain Controller  to  allow  Samba  to
       have a valid UNIX account to map file access to.

       Note  that  from  the  client's  point  of view security =
       domain is the same as security = user. It only affects
       how  the server deals with the authentication, it does not
       in any way affect what the client sees.

       Note that the name of the resource being requested is  not
       sent to the server until after the server has successfully
       authenticated the client. This is why guest  shares  don't
       work in user level security without allowing the server to
       automatically map unknown users into  the  guest  account.
       See  the map to guest parameter for details on doing this.

       BUG: There is currently a bug  in  the  implementation  of
       security = domain with respect to multi-byte character set
       usernames. The communication with a Domain Controller must
       be  done  in  UNICODE  and  Samba currently does not widen
       multi-byte user names to UNICODE correctly, thus a  multi-
       byte  username  will  not  be  recognized correctly at the
       Domain Controller. This  issue  will  be  addressed  in  a
       future release.
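
       Several rules stated on this page can be checked mechanically:
       the print command requirements, the absolute-path advice for
       queuepause command and queueresume command, the default of
       root preexec close, and the use of security = share. The
       Python sketch below is an added example, not part of the Samba
       documentation or source; the sample configuration, the function
       names and the finding codes are constructed for illustration,
       and the spool-file removal check is a heuristic.

```python
import re

# Constructed sample configuration for this example; not from any real host.
SAMPLE_CONF = r"""
[global]
   security = share
   queuepause command = disable %p
   print command = echo Printing %s >> /tmp/print.log; \
                   lpr -P %p %s; rm %s

[laser]
   printable = yes
   path = /var/spool/samba

[plotter]
   Print OK = yes
   path = /var/spool/plot
   print command = /usr/local/samba/bin/myprintscript %p

[cdrom]
   path = /mnt/cdrom
   root preexec = /bin/mount /mnt/cdrom
   root postexec = /bin/umount /mnt/cdrom
"""

SYNONYMS = {"print ok": "printable"}   # synonym listed on the page


def norm(name):
    """Section and parameter names are case-insensitive; squeeze whitespace."""
    return " ".join(name.lower().split())


def parse_smb_conf(text):
    """Parse the line-based format into {section: {parameter: value}}."""
    conf, section, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):            # trailing backslash continues the line
            pending = line[:-1]
            continue
        if not line or line[0] in ";#":    # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = norm(line[1:-1])
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            name, value = line.split("=", 1)   # only the first '=' is significant
            name = norm(name)
            conf[section][SYNONYMS.get(name, name)] = value.strip()
    return conf


def is_yes(value):
    return (value or "").strip().lower() in ("yes", "true", "1")


def audit(conf):
    """Return a sorted list of (section, code) findings for the rules in the text."""
    glob, out = conf.get("global", {}), []
    # Share-level security: the UNIX user is chosen from a candidate list.
    if glob.get("security", "user").lower() == "share":
        out.append(("global", "SHARE_LEVEL_SECURITY"))
    for name, params in conf.items():
        # PATH may not be available to the server, so expect an absolute path.
        for key in ("queuepause command", "queueresume command"):
            if key in params and not params[key].startswith("/"):
                out.append((name, "RELATIVE_" + key.split()[0].upper()))
        # With root preexec close = no (the default) a non-zero return code
        # from the root command does not close the service.
        if "root preexec" in params and not is_yes(params.get("root preexec close")):
            out.append((name, "ROOT_PREEXEC_FAILURE_IGNORED"))
        if name == "global" or not is_yes(params.get("printable")):
            continue
        # A printable service uses its own print command, else the [global] one.
        cmd = params.get("print command", glob.get("print command"))
        if cmd is None:
            # Nothing explicit: check the printing-style default with testparm(1).
            out.append((name, "NO_PRINT_COMMAND"))
        elif not re.search(r"%[sf]", cmd):
            out.append((name, "PRINT_COMMAND_WITHOUT_SPOOL_FILE"))
        elif not re.search(r"\brm\s+(-\S+\s+)*%[sf]", cmd):
            # Heuristic: no inline "rm %s"; the command must remove the file itself.
            out.append((name, "SPOOL_FILE_NOT_REMOVED_INLINE"))
    return sorted(out)


if __name__ == "__main__":
    for section, code in audit(parse_smb_conf(SAMPLE_CONF)):
        print(f"[{section}] {code}")
```

       A share reported as SPOOL_FILE_NOT_REMOVED_INLINE may still be
       correct if the script it calls deletes the spool file itself.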

       security mask (S)
              This  parameter  controls what UNIX permission bits
              can be modified when a Windows NT client is manipu­
              lating  the  UNIX  permission  on  a file using the
              native NT security dialog box.

              This parameter is applied as a mask  (AND'ed  with)
              to the changed permission bits, thus preventing any
              bits not in this mask from being  modified.  Essen­
              tially,  zero bits in this mask may be treated as a
              set of bits the user is not allowed to change.

              If not  set  explicitly  this  parameter  is  0777,
              allowing  a user to modify all the user/group/world
              permissions on a file.

              Note that users who can  access  the  Samba  server
              through other means can easily bypass this restric­
              tion, so it  is  primarily  useful  for  standalone
              "appliance"  systems. Administrators of most normal
              systems will probably want to leave it set to 0777.

              See also the  force directory security mode, direc­
              tory security mask,  force  security  mode  parame­
              ters.

              Default: security mask = 0777

              Example: security mask = 0770

       server string (G)
              This  controls  what  string  will  show  up in the
              printer comment box in print manager  and  next  to
              the  IPC  connection  in  net  view.  It can be any
              string that you wish to show to your users.

              It also sets what will appear in browse lists  next
              to the machine name.

              A  %v  will be replaced with the Samba version num­
              ber.

              A %h will be replaced with the hostname.

              Default: server string = Samba %v

              Example: server string = University of  GNUs  Samba
              Server

       set directory (S)
              If  set  directory  = no, then users of the service
              may not use the setdir command to change directory.
              UNIX, so they are simulated using shared memory, or
              lock files if your UNIX doesn't support shared mem­
              ory (almost all do).

              The share modes that are enabled by this option are
              DENY_DOS,    DENY_ALL,    DENY_READ,    DENY_WRITE,
              DENY_NONE and DENY_FCB.

              This option gives full share compatibility and is
              enabled by default.

              You should NEVER turn this parameter  off  as  many
              Windows applications will break if you do so.

              Default: share modes = yes

       short preserve case (S)
              This  boolean parameter controls if new files which
              conform to 8.3 syntax, that is all  in  upper  case
              and  of suitable length, are created upper case, or
              if they are forced to be the default case. This
              option can be used with preserve case = yes to
              permit long filenames to retain their case, while
              short names are lowered.

              See the section on  NAME MANGLING.

              Default: short preserve case = yes

       show add printer wizard (G)
              With the introduction of MS-RPC based printing sup­
              port for Windows NT/2000 client  in  Samba  2.2,  a
              "Printers..."  folder will appear on Samba hosts in
              the share listing. Normally this folder  will  con­
              tain  an  icon for the MS Add Printer Wizard (APW).
              However, it is possible  to  disable  this  feature
              regardless  of  the  level of privilege of the con­
              nected user.

              Under normal  circumstances,  the  Windows  NT/2000
              client  will  open  a  handle on the printer server
              with OpenPrinterEx() asking for Administrator priv­
              ileges.  If  the  user does not have administrative
              access on the print server (i.e. is not root or a
              member  of the printer admin group), the OpenPrint­
              erEx() call fails and the client makes another open
              call  with  a  request for a lower privilege level.
              This should succeed, however the APW icon will  not
              be displayed.

              Disabling  the  show  add  printer wizard parameter
              will always cause the OpenPrinterEx() on the server

              Default:  smb  passwd file = ${prefix}/private/smb­
              passwd

              Example: smb passwd file = /etc/samba/smbpasswd

       socket address (G)
              This option allows  you  to  control  what  address
              Samba  will listen for connections on. This is used
              to support multiple virtual interfaces on  the  one
              server, each with a different configuration.

              By  default  Samba  will  accept connections on any
              address.

              Example: socket address = 192.168.2.20

       socket options (G)
              This option allows you to set socket options to  be
              used when talking with the client.

              Socket options are controls on the networking layer
              of the operating systems which allow the connection
              to be tuned.

              This  option  will  typically  be used to tune your
              Samba server for optimal performance for your local
              network.  There  is no way that Samba can know what
              the optimal parameters are for  your  net,  so  you
              must   experiment  and  choose  them  yourself.  We
              strongly suggest you read the appropriate  documen­
              tation for your operating system first (perhaps man
              setsockopt will help).

              You may find that on some systems  Samba  will  say
              "Unknown  socket option" when you supply an option.
              This means you either incorrectly typed it  or  you
              need  to add an include file to includes.h for your
              OS. If the latter is the case please send the patch
              to samba@samba.org.

              Any of the supported socket options may be combined
              in any way you like, as long as your OS allows  it.

              This  is  the list of socket options currently set­
              table using this option:

              · SO_KEEPALIVE

              · SO_REUSEADDR

              · SO_BROADCAST

       Those marked with a '*' take an integer argument. The oth­
       ers  can  optionally  take  a 1 or 0 argument to enable or
       disable the option, by default they will be enabled if you
       don't specify 1 or 0.

       To  specify an argument use the syntax SOME_OPTION = VALUE
       for example SO_SNDBUF = 8192. Note that you must not  have
       any spaces before or after the = sign.

       If you are on a local network then a sensible option might
       be

       socket options = IPTOS_LOWDELAY

       If you have a local network then you could try:

       socket options = IPTOS_LOWDELAY TCP_NODELAY

       If you are on a wide area network then perhaps try setting
       IPTOS_THROUGHPUT.

       Note  that  several  of  the  options may cause your Samba
       server to fail completely. Use these options with caution!

       Default: socket options = TCP_NODELAY

       Example: socket options = IPTOS_LOWDELAY

       source environment (G)
              This  parameter  causes  Samba  to  set environment
              variables as per the content of the file named.

              If the value of this parameter starts  with  a  "|"
              character  then  Samba  will  treat that value as a
              pipe command to open and will set  the  environment
              variables from the output of the pipe.

              The  contents of the file or the output of the pipe
              should be formatted as the output of  the  standard
              Unix env(1) command. This is of the form:

              piled on  your  system  and  the  configure  option
              --with-ssl was given at configure time.

              This  variable  enables  or disables the entire SSL
              mode. If it is set to  no,  the  SSL-enabled  Samba
              behaves  exactly  like the non-SSL Samba. If set to
              yes, it depends on the  variables   ssl  hosts  and
              ssl  hosts resign whether an SSL connection will be
              required.

              Default: ssl = no

       ssl CA certDir (G)
              This variable is part of SSL-enabled Samba. This is
              only  available if the SSL libraries have been com­
              piled on  your  system  and  the  configure  option
              --with-ssl was given at configure time.

              This variable defines where to look up the Certifi­
              cation Authorities. The given directory should con­
              tain  one  file  for each CA that Samba will trust.
              The file name must be the hash value over the "Dis­
              tinguished  Name"  of the CA. How this directory is
              set up is explained later  in  this  document.  All
              files within the directory that don't fit into this
              naming scheme are  ignored.  You  don't  need  this
              variable if you don't verify client certificates.

              Default: ssl CA certDir = /usr/local/ssl/certs

       ssl CA certFile (G)
              This variable is part of SSL-enabled Samba. This is
              only available if the SSL libraries have been  com­
              piled  on  your  system  and  the  configure option
              --with-ssl was given at configure time.

              This variable is a second way to define the trusted
              CAs.   The certificates of the trusted CAs are col­
              lected in one big file and this variable points  to
              the file. You will probably only use one of the two
              ways to  define  your  CAs.  The  first  choice  is
              preferable if you have many CAs or want to be flex­
              ible, the second is preferable if you only have one
              CA  and  want to keep things simple (you won't need
              to create the hashed file names).  You  don't  need
              this  variable  if you don't verify client certifi­
              cates.

              Default:       ssl       CA       certFile        =
              /usr/local/ssl/certs/trustedCAs.pem

       ssl ciphers (G)

              The  certificate  in  this  file  is  used by  smb­
              client(1) if it exists. It's needed if  the  server
              requires a client certificate.

              Default:        ssl       client       cert       =
              /usr/local/ssl/certs/smbclient.pem

       ssl client key (G)
              This variable is part of SSL-enabled Samba. This is
              only  available if the SSL libraries have been com­
              piled on  your  system  and  the  configure  option
              --with-ssl was given at configure time.

              This is the private key for smbclient(1). It's only
              needed if the client should have a certificate.

              Default:  ssl  client  key  =   /usr/local/ssl/pri­
              vate/smbclient.pem

       ssl compatibility (G)
              This variable is part of SSL-enabled Samba. This is
              only available if the SSL libraries have been  com­
              piled  on  your  system  and  the  configure option
              --with-ssl was given at configure time.

              This variable defines  whether  OpenSSL  should  be
              configured  for  bug  compatibility  with other SSL
              implementations. This  is  probably  not  desirable
              because  currently  no clients with SSL implementa­
              tions other than OpenSSL exist.

              Default: ssl compatibility = no

       ssl egd socket (G)
              This variable is part of SSL-enabled Samba. This is
              only  available if the SSL libraries have been com­
              piled on  your  system  and  the  configure  option
              --with-ssl was given at configure time.

              This  option  is used to define the location of the
              communication socket of an EGD or PRNGD daemon, from
              which  entropy can be retrieved. This option can be
              used instead of or together with  the  ssl  entropy
              file  directive.  255  bytes  of  entropy  will  be
              retrieved from the daemon.

              Default: none

       ssl entropy bytes (G)
              This variable is part of SSL-enabled Samba. This is
              only  available if the SSL libraries have been com­
              --with-ssl was given at configure time.

              This parameter is used to specify a file from which
              processes will read "random bytes" on  startup.  In
              order  to  seed  the  internal pseudo random number
              generator, entropy must be provided. On systems with
              a /dev/urandom device file, the processes will
              retrieve their entropy from the kernel. On systems
              without  kernel entropy support, a file can be sup­
              plied that will be read on startup and that will be
              used to seed the PRNG.

              Default: none

       ssl hosts (G)
              See  ssl hosts resign.

       ssl hosts resign (G)
              This variable is part of SSL-enabled Samba. This is
              only available if the SSL libraries have been  com­
              piled  on  your  system  and  the  configure option
              --with-ssl was given at configure time.

              These two variables define whether  Samba  will  go
              into  SSL  mode or not. If none of them is defined,
              Samba will allow only SSL connections. If the   ssl
              hosts  variable  lists  hosts  (by  IP-address, IP-
              address range, net group or name), only these hosts
              will  be  forced  into  SSL mode. If the  ssl hosts
              resign variable lists hosts, only these hosts  will
              NOT  be  forced into SSL mode. The syntax for these
              two variables is the same as for the   hosts  allow
              and   hosts  deny  pair of variables, only that the
              subject of the decision is different: It's not  the
              access right but whether SSL is used or not.

              The example below requires SSL connections from all
              hosts outside the local net (which is 192.168.*.*).

              Default: ssl hosts = <empty string>

              ssl hosts resign = <empty string>

              Example: ssl hosts resign = 192.168.

       ssl require clientcert (G)
              This variable is part of SSL-enabled Samba. This is
              only available if the SSL libraries have been  com­
              piled  on  your  system  and  the  configure option
              --with-ssl was given at configure time.

              If this variable is set to yes, the server will not

              Default: ssl require clientcert = no

       ssl require servercert (G)
              This variable is part of SSL-enabled Samba. This is
              only  available if the SSL libraries have been com­
              piled on  your  system  and  the  configure  option
              --with-ssl was given at configure time.

              If this variable is set to yes, the smbclient(1)
              will request a certificate from the server. Same
              as ssl require clientcert for the server.

              Default: ssl require servercert = no

       ssl server cert (G)
              This variable is part of SSL-enabled Samba. This is
              only  available if the SSL libraries have been com­
              piled on  your  system  and  the  configure  option
              --with-ssl was given at configure time.

              This  is  the file containing the server's certifi­
              cate.  The server must have a certificate. The file
              may  also  contain  the  server's  private key. See
              later for how certificates  and  private  keys  are
              created.

              Default: ssl server cert = <empty string>

       ssl server key (G)
              This variable is part of SSL-enabled Samba. This is
              only available if the SSL libraries have been  com­
              piled  on  your  system  and  the  configure option
              --with-ssl was given at configure time.

              This file contains the private key of  the  server.
              If  this variable is not defined, the key is looked
              up in the certificate file (it may be  appended  to
              the  certificate).   The server must have a private
              key and the certificate  must  match  this  private
              key.

              Default: ssl server key = <empty string>

       ssl version (G)
              This variable is part of SSL-enabled Samba. This is
              only available if the SSL libraries have been  com­
              piled  on  your  system  and  the  configure option
              --with-ssl was given at configure time.

              This enumeration variable defines the  versions  of
              the  SSL protocol that will be used. ssl2or3 allows

       stat cache size (G)
              This parameter determines the number of entries  in
              the  stat  cache.  You  should never need to change
              this parameter.

              Default: stat cache size = 50

       status (G)
              This enables or disables logging of connections  to
              a status file that smbstatus(1) can read.

              With  this disabled smbstatus won't be able to tell
              you what connections are active. You  should  never
              need to change this parameter.

              Default: status = yes

       strict allocate (S)
              This  is  a  boolean  that controls the handling of
              disk space allocation in the server. When  this  is
              set  to  yes  the  server  will  change  from  UNIX
              behaviour  of  not  committing  real  disk  storage
              blocks  when  a  file  is  extended  to the Windows
              behaviour of actually forcing the  disk  system  to
              allocate real storage blocks when a file is created
              or extended to be a given size. In UNIX terminology
              this  means  that  Samba  will stop creating sparse
              files.  This can be slow on some systems.

              When strict allocate is no the server  does  sparse
              disk block allocation when a file is extended.

              Setting  this  to  yes can help Samba return out of
              quota messages on systems that are restricting  the
              disk quota of users.

              Default: strict allocate = no

       strict locking (S)
              This  is  a  boolean  that controls the handling of
              file locking in the server. When this is set to yes
              the  server  will check every read and write access
              for file locks, and deny  access  if  locks  exist.
              This can be slow on some systems.

              When strict locking is no the server does file lock
              checks only when the  client  explicitly  asks  for
              them.

              Well-behaved  clients  always  ask  for lock checks
              when it is important, so in the  vast  majority  of
              ignores the Windows  applications  requests  for  a
              sync  call.  There  is only a possibility of losing
              data if the operating system itself that  Samba  is
              running  on  crashes,  so there is little danger in
              this default setting. In addition, this fixes  many
              performance problems that people have reported with
              the new Windows98 explorer shell file copies.

              See also the sync always parameter.

              Default: strict sync = no

       strip dot (G)
              This parameter is now unused in  Samba  (2.2.5  and
              above). It used to strip trailing dots off UNIX
              filenames but was not correctly implemented. In Samba
              2.2.5  and above UNIX filenames ending in a dot are
              invalid Windows long filenames (as they are in Win­
              dows  NT  and  above) and are mangled to 8.3 before
              being returned to a client.

              Default: strip dot = no

       sync always (S)
              This is a boolean parameter that  controls  whether
              writes  will  always  be  written to stable storage
              before the write call returns. If this is  no  then
              the  server  will be guided by the client's request
              in each write call (clients can set a bit  indicat­
              ing that a particular write should be synchronous).
              If this is yes then every write will be followed by
              a  fsync()  call  to  ensure the data is written to
              disk. Note that the strict sync parameter  must  be
              set  to yes in order for this parameter to have any
              effect.

              See also the strict sync parameter.

              Default: sync always = no

       syslog (G)
              This parameter maps how Samba  debug  messages  are
              logged onto the system syslog logging levels. Samba
              debug level zero maps onto  syslog  LOG_ERR,  debug
              level  one  maps  onto LOG_WARNING, debug level two
              maps onto LOG_NOTICE, debug level three  maps  onto
              LOG_INFO.   All   higher   levels   are  mapped  to
              LOG_DEBUG.

              This parameter sets the threshold for sending  mes­
              sages  to  syslog.  Only  messages with debug level
              less than this value will be sent to syslog.
              the string %D is present it is substituted with the
              user's Windows NT domain name. If the string %U  is
              present  it  is substituted with the user's Windows
              NT user name.

              Default: template homedir = /home/%D/%U

       template shell (G)
              When filling out the user information for a Windows
              NT user, the winbindd(8) daemon uses this parameter
              to fill in the login shell for that user.

              Default: template shell = /bin/false

       time offset (G)
              This parameter is a setting in minutes  to  add  to
              the  normal  GMT  to local time conversion. This is
              useful if you are serving a lot of  PCs  that  have
              incorrect daylight saving time handling.

              Default: time offset = 0

              Example: time offset = 60

       time server (G)
              This  parameter  determines  if  nmbd(8) advertises
              itself as a time server to Windows clients.

              Default: time server = no

       timestamp logs (G)
              Synonym for  debug timestamp.

       total print jobs (G)
              This  parameter  accepts  an  integer  value  which
              defines a limit on the maximum number of print jobs
              that will be accepted  system  wide  at  any  given
              time. If a print job is submitted by a client which
              will exceed this number, then smbd will  return  an
              error  indicating that no space is available on the
              server. The default value of 0 means that  no  such
              limit exists. This parameter can be used to prevent
              a  server  from  exceeding  its  capacity  and   is
              designed as a printing throttle. See also max print
              jobs.

              Default: total print jobs = 0

              Example: total print jobs = 5000

       unix extensions (G)
              This boolean parameter controls whether Samba impl­
              the program specified in the passwd program
              parameter is called AS ROOT - to allow the new UNIX
              password to be set without access to the old UNIX
              password (as the SMB password change code has no access
              to the old password cleartext, only the new).

              See also passwd program,  passwd chat.

              Default: unix password sync = no

       update encrypted (G)
              This boolean parameter allows  a  user  logging  on
              with  a  plaintext password to have their encrypted
              (hashed) password in the smbpasswd file
              updated automatically as they log on. This option
              allows a site to migrate  from  plaintext  password
              authentication  (users  authenticate with plaintext
              password over the wire, and are checked  against  a
              UNIX   account   database)  to  encrypted  password
              authentication (the SMB challenge/response  authen­
              tication  mechanism)  without  forcing all users to
              re-enter their passwords via smbpasswd at the  time
              the change is made. This is a convenience option to
              allow the change over to encrypted passwords to  be
              made  over  a  longer  period.  Once all users have
              encrypted representations of their passwords in the
              smbpasswd  file this parameter should be set to no.

              In order for this parameter to work  correctly  the
              encrypt  passwords parameter must be set to no when
              this parameter is set to yes.

              Note that even when this parameter is  set  a  user
              authenticating  to  smbd  must  still enter a valid
              password in order  to  connect  correctly,  and  to
              update their hashed (smbpasswd) passwords.

              Default: update encrypted = no

       use client driver (S)
              This  parameter  applies  only  to  Windows NT/2000
              clients. It has no effect on Windows 95/98/ME
              clients.  When serving a printer to Windows NT/2000
              clients without first installing  a  valid  printer
              driver  on  the  Samba  host,  the  client  will be
              required to install a local  printer  driver.  From
              this point on, the client will treat the printer as a
              local printer and not a network printer connection.
              This is much the same behavior that will occur when
              disable spoolss = yes.

              The differentiating factor  is  that  under  normal
              any   attempt   to   open   the  printer  with  the
              PRINTER_ACCESS_ADMINISTER  right   is   mapped   to
              PRINTER_ACCESS_USE instead, thus allowing the
              OpenPrinterEx() call to succeed. This parameter MUST
              NOT be enabled on a print share which has a
              valid print driver installed on the Samba server.

              See also disable spoolss.

              Default: use client driver = no

       use mmap (G)
              This global parameter determines if the tdb  inter­
              nals  of Samba can depend on mmap working correctly
              on the running system. Samba  requires  a  coherent
              mmap/read-write system memory cache. Currently only
              HPUX does not have such a coherent  cache,  and  so
              this  parameter is set to no by default on HPUX. On
              all other systems this  parameter  should  be  left
              alone. This parameter is provided to help the Samba
              developers track down problems with the tdb  inter­
              nal code.

              Default: use mmap = yes

       use rhosts (G)
              If  this global parameter is yes, it specifies that
              the UNIX user's .rhosts file in their  home  direc­
              tory  will  be  read to find the names of hosts and
              users who will be allowed access without specifying
              a password.

              NOTE: The use of use rhosts can be a major security
              hole. This is because you are trusting  the  PC  to
              supply the correct username. It is very easy to get
              a PC to supply a false username. I  recommend  that
              the   use  rhosts option be only used if you really
              know what you are doing.

              Default: use rhosts = no

       user (S)
              Synonym for  username.

       users (S)
              Synonym for  username.

       username (S)
              Multiple users may be specified in  a  comma-delim­
              ited list, in which case the supplied password will
              be tested against each username in  turn  (left  to
              right).
              using this parameter unwisely.

              Samba relies on the underlying UNIX security.  This
              parameter  does not restrict who can login, it just
              offers hints to the Samba server as to  what  user­
              names  might  correspond  to the supplied password.
              Users can login as whoever  they  please  and  they
              will  be  able  to  do  no more damage than if they
              started a telnet session. The daemon  runs  as  the
              user  that  they  log in as, so they cannot do any­
              thing that user cannot do.

              To restrict a service to a particular set of  users
              you can use the valid users parameter.

              If  any  of the usernames begin with a '@' then the
              name will be looked up first in the  NIS  netgroups
              list  (if Samba is compiled with netgroup support),
              followed by a lookup in the  UNIX  groups  database
              and will expand to a list of all users in the group
              of that name.

              If any of the usernames begin with a '+'  then  the
              name  will  be  looked  up  only in the UNIX groups
              database and will expand to a list of all users  in
              the group of that name.

              If any of the usernames begin with a '&' then the
              name will be looked up only in  the  NIS  netgroups
              database  (if  Samba is compiled with netgroup sup­
              port) and will expand to a list of all users in the
              netgroup group of that name.

              Note that searching through a groups database can
              take quite some time, and some clients may time out
              during the search.

              See  the section NOTE ABOUT USERNAME/PASSWORD VALI­
              DATION for more information on how  this  parameter
              determines access to the services.

              Default: The guest account if a guest service, else
              <empty string>.

              Examples: username = fred, mary, jack, jane, @users,
              @pcgroup

       username level (G)
              This  option  helps Samba to try and 'guess' at the
              real UNIX username, as many  DOS  clients  send  an
              all-uppercase  username. By default Samba tries all
              lowercase, followed by the username with the  first
              Example: username level = 5

       username map (G)
              This option allows you to specify a file containing
              a mapping of usernames  from  the  clients  to  the
              server.  This can be used for several purposes. The
              most common is to map usernames that users  use  on
              DOS  or Windows machines to those that the UNIX box
              uses. The other is to map multiple users to a  sin­
              gle  username  so  that  they can more easily share
              files.

              The map file is parsed  line  by  line.  Each  line
              should  contain  a single UNIX username on the left
              then a '=' followed by a list of usernames  on  the
              right.  The list of usernames on the right may con­
              tain names of the form @group in  which  case  they
              will  match  any  UNIX  username in that group. The
              special client name '*' is a wildcard  and  matches
              any  name.  Each  line of the map file may be up to
              1023 characters long.

              The file is processed on each line  by  taking  the
              supplied  username and comparing it with each user­
              name on the right hand side of the  '='  signs.  If
              the  supplied  name matches any of the names on the
              right hand side then it is replaced with  the  name
              on  the  left.  Processing  then continues with the
              next line.

              If any line begins with a '#' or a ';' then it is
              ignored.

              If  any line begins with an '!' then the processing
              will stop after that line if a mapping was done  by
              the  line.   Otherwise mapping continues with every
              line being processed.  Using  '!'  is  most  useful
              when  you have a wildcard mapping line later in the
              file.

              For example to map from the name admin or  adminis­
              trator to the UNIX name  root you would use:

              root = admin administrator

              Or  to  map  anyone in the UNIX group system to the
              UNIX name sys you would use:

              sys = @system

              You can have as many mappings  as  you  like  in  a
              username map file.
              The following example would map mary  and  fred  to
              the  unix user sys, and map the rest to guest. Note
              the use of the '!' to tell Samba to stop processing
              if it gets a match on that line.

                        !sys = mary fred
                        guest = *
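
              The processing rules above, modelled in Python as an
              added example (not Samba's code and not part of the
              original man page). Group membership is supplied as a
              dict and name comparison is assumed to be
              case-insensitive; the sample maps are constructed from
              the example just shown.

```python
# Added example: a model of the username map rules described above.
# Not Samba source code. Group membership comes from a dict so it runs offline.

def parse_map(map_text):
    """Yield (lineno, stop_on_match, unix_name, client_names) per mapping line."""
    for lineno, raw in enumerate(map_text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                          # '#' and ';' lines are ignored
        stop = line.startswith("!")
        if stop:
            line = line[1:]
        unix_name, eq, rhs = line.partition("=")
        if eq and unix_name.strip():
            yield lineno, stop, unix_name.strip(), rhs.split()


def _matches(token, name, groups):
    if token == "*":                          # wildcard matches any name
        return True
    if token.startswith("@"):                 # @group: any member of the group
        return name.casefold() in {m.casefold() for m in groups.get(token[1:], ())}
    # Assumption: names compare case-insensitively; the page does not say.
    return token.casefold() == name.casefold()


def map_username(map_text, supplied, groups=None):
    """Return (final_name, trace); trace lists (lineno, before, after)."""
    groups = groups or {}
    name, trace = supplied, []
    for lineno, stop, unix_name, clients in parse_map(map_text):
        if any(_matches(tok, name, groups) for tok in clients):
            trace.append((lineno, name, unix_name))
            name = unix_name                  # later lines see the mapped name
            if stop:                          # '!' ends processing on a match
                break
    return name, trace


def overridden_by_wildcard(map_text):
    """Line numbers of mappings a later '*' line will overwrite (no '!')."""
    pending, flagged = [], []
    for lineno, stop, _unix, clients in parse_map(map_text):
        if "*" in clients:
            flagged.extend(pending)
            pending = []
        if not stop:
            pending.append(lineno)
    return flagged


# Constructed sample maps, modelled on the page's own example.
WITH_BANG = "# constructed sample\n!sys = mary fred\nguest = *\n"
WITHOUT_BANG = "sys = mary fred\nguest = *\n"

if __name__ == "__main__":
    for label, text in (("with '!'", WITH_BANG), ("without '!'", WITHOUT_BANG)):
        for user in ("mary", "alice"):
            print(label, user, "->", map_username(text, user))
        print(label, "overridden lines:", overridden_by_wildcard(text))
```

              Without the '!', mary ends up as guest, because the
              wildcard line remaps the already mapped name sys.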

              Note  that  the  remapping is applied to all occur­
              rences  of  usernames.  Thus  if  you  connect   to
              \\server\fred  and   fred  is remapped to mary then
              you will actually be  connecting  to  \\server\mary
              and  will  need  to  supply a password suitable for
              mary not fred. The only exception to  this  is  the
              username  passed  to  the   password server (if you
              have one). The password server will  receive  what­
              ever username the client supplies without modifica­
              tion.

              Also note that no reverse mapping is done. The main
              effect  this  has  is with printing. Users who have
              been mapped may have trouble deleting print jobs as
              PrintManager  under  WfWg will think they don't own
              the print job.

              Default: no username map

              Example: username map = /usr/local/samba/lib/users.map

       use sendfile (S)
              If  this parameter is yes, and Samba was built with
              the --with-sendfile-support option, and the  under­
              lying  operating  system  supports  sendfile system
              call, then some SMB read calls (mainly ReadAndX and
              ReadRaw)  will use the more efficient sendfile sys­
              tem call for files that are  exclusively  oplocked.
              This may make more efficient use of the system
              CPUs and cause Samba to be faster. This is off by
              default as its effects are unknown as yet.

              Default: use sendfile = no

       utmp (G)
              This  boolean  parameter is only available if Samba
              has been configured and compiled  with  the  option
              --with-utmp.  If set to yes then Samba will attempt
              to add utmp or utmpx records (depending on the UNIX
              system)  whenever  a  connection is made to a Samba
              default  this  is  not set, meaning the system will
              use whatever utmp file the native system is set  to
              use (usually /var/run/utmp on Linux).

              Default: no utmp directory

       valid chars (G)
              The option allows you to specify additional charac­
              ters that should be considered valid by the  server
              in  filenames.  This  is  particularly  useful  for
              national character sets, such as adding u-umlaut or
              a-ring.

              The  option  takes  a  list of characters in either
              integer or character form with spaces between them.
              If you give two characters with a colon between
              them then it will be taken as a lowercase:uppercase
              pair.

              If you have an editor capable of entering the char­
              acters into the config file  then  it  is  probably
              easiest to use this method. Otherwise you can spec­
              ify the characters in octal, decimal or hexadecimal
              form using the usual C notation.

              For example to add the single character 'Z' to the
              charset (which is a pointless thing to do as it's
              already there) you could do one of the following:

                        valid chars = Z
                        valid chars = z:Z
                        valid chars = 0132:0172

              The  last two examples above actually add two char­
              acters, and alter the uppercase and lowercase  map­
              pings appropriately.

              Note that you MUST specify this parameter after the
              client code page parameter if you have both set. If
              client  code  page  is  set  after  the valid chars
              parameter the valid chars settings  will  be  over­
              written.

              See also the client code page parameter.

              Default:  Samba  defaults to using a reasonable set
              of valid characters for English systems

              Example: valid chars = 0345:0305 0366:0326

       valid users (S)
              This is a list of users that should be  allowed  to
              login to this service. Names starting with '@', '+'
              and '&' are interpreted using  the  same  rules  as
              described in the invalid users parameter.

              If  this  is  empty (the default) then any user can
              login.  If a username is in both this list and  the
              invalid  users  list then access is denied for that
              user.

              The current servicename is substituted for %S.
              This is useful in the [homes] section.

              See also invalid users

              Default: No valid users list (anyone can login)

              Example: valid users = greg, @pcusers

       veto files (S)
              This  is  a  list of files and directories that are
              neither visible nor accessible. Each entry  in  the
              list  must  be  separated  by  a  '/', which allows
              spaces to be included in the entry. '*' and '?' can
              be used to specify multiple files or directories as
              in DOS wildcards.

              Each entry must be a unix path, not a DOS path  and
              must  not include the unix directory separator '/'.

              Note that the case sensitive option  is  applicable
              in vetoing files.

              One  feature of the veto files parameter that it is
              important to be aware of is Samba's behaviour  when
              trying  to  delete a directory. If a directory that
              is to be deleted contains nothing  but  veto  files
              this  deletion  will  fail  unless you also set the
              delete veto files parameter to yes.

              Setting this parameter will affect the  performance
              of  Samba,  as it will be forced to check all files
              and directories for a match as they are scanned.

              See also hide files and  case sensitive.

              Default: No files or directories are vetoed.

              Examples:

              granting  of oplocks on selected files that match a
              wildcarded list, similar  to  the  wildcarded  list
              used in the veto files parameter.

              Default: No files are vetoed for oplock grants

              You  might  want  to do this on files that you know
              will be heavily contended for by  clients.  A  good
              example  of  this  is in the NetBench SMB benchmark
              program, which causes heavy client  contention  for
              files  ending in .SEM.  To cause Samba not to grant
              oplocks on these files you would use the line
              (either in the [global] section or in the section
              for the particular NetBench share):

              Example: veto oplock files = /*.SEM/

       vfs object (S)
              This parameter specifies a shared object file  that
              is  used  for Samba VFS I/O operations. By default,
              normal disk I/O operations are used but  these  can
              be  overloaded  with  a  VFS  object. The Samba VFS
              layer is new to Samba 2.2 and must  be  enabled  at
              compile time with --with-vfs.

              Default : no value

       vfs options (S)
              This  parameter  allows  parameters to be passed to
              the vfs layer at initialization time. The Samba VFS
              layer  is  new  to Samba 2.2 and must be enabled at
              compile time with --with-vfs. See also  vfs object.

              Default : no value

       volume (S)
              This  allows  you  to  override  the  volume  label
              returned  for  a  share.  Useful  for  CDROMs  with
              installation  programs  that insist on a particular
              volume label.

              Default: the name of the share

       wide links (S)
              This parameter controls whether or not links in the
              UNIX  file  system  may  be followed by the server.
              Links that point to areas within the directory tree
              exported  by  the  server  are always allowed; this
              parameter controls access only to  areas  that  are
              outside the directory tree being exported.

              Note  that  setting this parameter can have a nega­
              On large installations using winbindd(8) it may  be
              necessary  to  suppress  the  enumeration  of users
              through the setpwent(), getpwent()  and  endpwent()
              group  of  system  calls. If the winbind enum users
              parameter is no, calls to the getpwent system  call
              will not return any data.

              Warning:  Turning  off  user  enumeration may cause
              some programs to behave  oddly.  For  example,  the
              finger  program relies on having access to the full
              user list when searching for matching usernames.

              Default: winbind enum users = yes

       winbind enum groups (G)
              On large installations using winbindd(8) it may  be
              necessary  to  suppress  the  enumeration of groups
              through the setgrent(), getgrent()  and  endgrent()
              group  of  system calls. If the winbind enum groups
              parameter is no, calls  to  the  getgrent()  system
              call will not return any data.

              Warning:  Turning  off  group enumeration may cause
              some programs to behave oddly.

              Default: winbind enum groups = yes

       winbind gid (G)
              The winbind gid parameter specifies  the  range  of
              group  ids  that  are allocated by the  winbindd(8)
              daemon. This range of  group  ids  should  have  no
              existing  local  or NIS groups within it as strange
              conflicts can occur otherwise.

              Default: winbind gid = <empty string>

              Example: winbind gid = 10000-20000

       winbind separator (G)
              This parameter allows an admin to define the
              character used when listing a username of the form
              DOMAIN\user. This parameter is only applicable
              when using the pam_winbind.so and nss_winbind.so
              modules for UNIX services.

              Please note that setting this parameter to + causes
              problems  with  group  membership at least on glibc
              systems, as the character + is used  as  a  special
              character for NIS in /etc/group.

              Default: winbind separator = '\'


       winbind use default domain
              This parameter specifies whether the winbindd(8)
              daemon should operate on users without a domain
              component in their username. Users without a domain
              component are treated as part of the winbindd
              server's own domain. While this does not benefit
              Windows users, it makes SSH, FTP and e-mail
              function in a way much closer to the way they would in
              a native unix system.

              Default: winbind use default domain = <no>

              Example: winbind use default domain = yes

       wins hook (G)
              When Samba is running as a WINS server this  allows
              you  to call an external program for all changes to
              the WINS database. The primary use for this  option
              is  to  allow  the  dynamic update of external name
              resolution databases such as dynamic DNS.

              The wins hook parameter specifies  the  name  of  a
              script  or  executable  that will be called as fol­
              lows:

              wins_hook operation name nametype ttl IP_list

              · The first argument is the operation and is one of
                "add",  "delete", or "refresh". In most cases the
                operation can be  ignored  as  the  rest  of  the
                parameters  provide  sufficient information. Note
                that "refresh" may sometimes be called  when  the
                name  has not previously been added, in that case
                it should be treated as an add.

              · The second argument is the NetBIOS name.  If  the
                name  is  not  a legal name then the wins hook is
                not called.  Legal names  contain  only  letters,
                digits, hyphens, underscores and periods.

              · The  third argument is the NetBIOS name type as a
                2 digit hexadecimal number.

              · The fourth argument is the TTL (time to live) for
                the name in seconds.

              · The  fifth  and  subsequent  arguments are the IP
                addresses currently registered for that name.  If
                this  list  is  empty  then  the  name  should be
                deleted.
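
              The argument handling described above, as an added
              Python example (not Samba's own script and not part of
              the original man page). The zone name DNS_ZONE is
              hypothetical; the program re-checks every argument and
              prints nsupdate input instead of building a shell
              command from the values.

```python
# Added example: argument handling for a wins hook program.
# Not Samba's own script. DNS_ZONE is a hypothetical zone name.
import ipaddress
import re
import sys

DNS_ZONE = "wins.example.internal"            # assumption, not from the page
LEGAL_NAME = re.compile(r"[A-Za-z0-9._-]+")   # legal characters per the page
NAME_TYPE = re.compile(r"[0-9A-Fa-f]{2}")     # 2 digit hexadecimal number


def parse_hook_args(argv):
    """Validate 'operation name nametype ttl IP_list' and return a dict."""
    if len(argv) < 4:
        raise ValueError("expected: operation name nametype ttl [IP ...]")
    operation, name, nametype, ttl = argv[:4]
    if operation not in ("add", "delete", "refresh"):
        raise ValueError("unknown operation: %r" % operation)
    if not LEGAL_NAME.fullmatch(name):
        raise ValueError("illegal NetBIOS name: %r" % name)
    if not NAME_TYPE.fullmatch(nametype):
        raise ValueError("bad name type: %r" % nametype)
    if not (ttl.isascii() and ttl.isdigit()):
        raise ValueError("bad TTL: %r" % ttl)
    # IPv4Address raises a ValueError subclass on malformed input.
    ips = [str(ipaddress.IPv4Address(ip)) for ip in argv[4:]]
    return {"operation": operation, "name": name, "nametype": nametype.lower(),
            "ttl": int(ttl), "ips": ips}


def nsupdate_commands(args):
    """Build nsupdate input lines. The IP list, not the operation, decides:
    an empty list means delete; otherwise the records are replaced, so a
    'refresh' for a name never seen before behaves as an add."""
    fqdn = "%s.%s." % (args["name"].lower(), DNS_ZONE)
    lines = ["update delete %s A" % fqdn]
    for ip in args["ips"]:
        lines.append("update add %s %d A %s" % (fqdn, args["ttl"], ip))
    lines.append("send")
    return lines


if __name__ == "__main__":
    try:
        print("\n".join(nsupdate_commands(parse_hook_args(sys.argv[1:]))))
    except ValueError as exc:
        sys.exit("wins hook: rejected arguments: %s" % exc)
```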

              This  specifies  the  IP  address  (or DNS name: IP
              address for preference) of  the  WINS  server  that
              nmbd(8)  should  register  with. If you have a WINS
              server on your network then you should set this  to
              the WINS server's IP.

              You  should  point  this at your WINS server if you
              have a multi-subnetted network.

              NOTE. You need to set up Samba to point to  a  WINS
              server if you have multiple subnets and wish cross-
              subnet browsing to work correctly.

              See the  documentation  file  BROWSING.txt  in  the
              docs/  directory of your Samba source distribution.

              Default: not enabled

              Example: wins server = 192.9.200.1

       wins support (G)
              This boolean controls if  the  nmbd(8)  process  in
              Samba will act as a WINS server. You should not set
              this to yes unless you have a multi-subnetted  net­
              work and you wish a particular nmbd to be your WINS
              server.  Note that you should NEVER set this to yes
              on more than one machine in your network.

              Default: wins support = no

       workgroup (G)
              This  controls  what  workgroup  your  server  will
              appear to be in when queried by clients. Note  that
              this  parameter  also controls the Domain name used
              with the security = domain setting.

              Default: set at compile time to WORKGROUP

              Example: workgroup = MYGROUP

       writable (S)
              Synonym for  writeable for people who  can't  spell
              :-).

       write cache size (S)
              If this integer parameter is set to a non-zero value,
              Samba will create an in-memory cache for each
              oplocked file (it does not do this for non-oplocked
              files). All writes that the client does not request
              to  be  flushed  directly to disk will be stored in
              this cache if possible.  The cache is flushed  onto
              disk  when  a write comes in whose offset would not
              Default: write cache size = 0

              Example: write cache size = 262144

              for a 256k cache size per file.

       write list (S)
              This is a list of users that are  given  read-write
              access  to  a service. If the connecting user is in
              this list then they will be given write access,  no
              matter  what  the  read  only option is set to. The
              list can include group names using the @group  syn­
              tax.

              Note  that  if  a user is in both the read list and
              the write  list  then  they  will  be  given  write
              access.

              See also the read list option.

              Default: write list = <empty string>

              Example: write list = admin, root, @staff

       write ok (S)
              Inverted synonym for  read only.

       write raw (G)
              This  parameter  controls whether or not the server
              will support raw write SMB's when transferring data
              from clients.  You should never need to change this
              parameter.

              Default: write raw = yes

       writeable (S)
              Inverted synonym for  read only.


WARNINGS

       Although the configuration file permits service  names  to
       contain  spaces, your client software may not. Spaces will
       be ignored in comparisons anyway, so  it  shouldn't  be  a
       problem - but be aware of the possibility.

       On a similar note, many clients - especially DOS clients -
       limit service names to eight characters. smbd(8)
        has no such limitation, but attempts to connect from such
       clients  will fail if they truncate the service names. For
       this reason you should probably keep  your  service  names
       down to eight characters in length.

       Use  of  the  [homes] and [printers] special sections make
       The  original  Samba  software  and related utilities were
       created by Andrew Tridgell. Samba is now developed by  the
       Samba  Team  as  an Open Source project similar to the way
       the Linux kernel is developed.

       The original Samba man pages were written by Karl Auer.
       The man page sources were converted to YODL format
       (another excellent piece of Open Source software,
       available at ftp://ftp.icce.rug.nl/pub/unix/) and updated
       for the Samba 2.0 release by Jeremy Allison. The
       conversion to DocBook for Samba 2.2 was done by Gerald
       Carter.

                          14 March 2003               SMB.CONF(5)
  




All logos and trademarks in this site are property of their respective owner. The comments are property of their posters. Articles are the property of their respective owners. Unless otherwise stated in the body of the article, article content (C) 1994-2013 by James Mohr. All rights reserved. The stylized page/paper, as well as the terms "The Linux Tutorial", "The Linux Server Tutorial", "The Linux Knowledge Base and Tutorial" and "The place where you learn Linux" are service marks of James Mohr. All rights reserved.