diff options
Diffstat (limited to 'docs/docbook/manpages/smb.conf.5.sgml')
| -rw-r--r-- | docs/docbook/manpages/smb.conf.5.sgml | 1581 |
1 files changed, 919 insertions, 662 deletions
diff --git a/docs/docbook/manpages/smb.conf.5.sgml b/docs/docbook/manpages/smb.conf.5.sgml index c0893f1005a..cff2afdcaca 100644 --- a/docs/docbook/manpages/smb.conf.5.sgml +++ b/docs/docbook/manpages/smb.conf.5.sgml @@ -396,7 +396,7 @@ to change your config based on what the client calls you. Your server can have a "dual personality".</para> - <para>Note that this parameter is not available when Samba listens + <para>Note that this paramater is not available when Samba listens on port 445, as clients no longer send this information </para> </listitem> @@ -489,6 +489,21 @@ <variablelist> <varlistentry> + <term>mangling method</term> + <listitem><para> controls the algorithm used for the generating + the mangled names. Can take two different values, "hash" and + "hash2". "hash" is the default and is the algorithm that has been + used in Samba for many years. "hash2" is a newer and considered + a better algorithm (generates less collisions) in the names. + However, many Win32 applications store the + mangled names and so changing to the new algorithm must not be done + lightly as these applications may break unless reinstalled. + New installations of Samba may set the default to hash2. + Default <emphasis>hash</emphasis>.</para></listitem> + </varlistentry> + + + <varlistentry> <term>mangle case = yes/no</term> <listitem><para> controls if names that have characters that aren't of the "default" case are mangled. For example, @@ -593,25 +608,21 @@ each parameter for details. Note that some are synonyms.</para> <itemizedlist> - <listitem><para><link linkend="ABORTSHUTDOWNSCRIPT"><parameter>abort shutdown script</parameter></link></para></listitem> - <listitem><para><link linkend="ADDGROUPSCRIPT"><parameter>add group script</parameter></link></para></listitem> - <listitem><para><link linkend="ADDPRINTERCOMMAND"><parameter>addprinter command</parameter></link></para></listitem> + <listitem><para><link linkend="ADDPRINTERCOMMAND"><parameter>add printer command</parameter></link></para></listitem> <listitem><para><link linkend="ADDSHARECOMMAND"><parameter>add share command</parameter></link></para></listitem> <listitem><para><link linkend="ADDUSERSCRIPT"><parameter>add user script</parameter></link></para></listitem> - <listitem><para><link linkend="ADDUSERTOGROUPSCRIPT"><parameter>add user to group script</parameter></link></para></listitem> - <listitem><para><link linkend="ADDMACHINESCRIPT"><parameter>add machine script</parameter></link></para></listitem> - <listitem><para><link linkend="DELETEGROUPSCRIPT"><parameter>delete group script</parameter></link></para></listitem> - <listitem><para><link linkend="ADSSERVER"><parameter>ads server</parameter></link></para></listitem> - <listitem><para><link linkend="ALGORITHMICRIDBASE"><parameter>algorithmic rid base</parameter></link></para></listitem> <listitem><para><link linkend="ALLOWTRUSTEDDOMAINS"><parameter>allow trusted domains</parameter></link></para></listitem> <listitem><para><link linkend="ANNOUNCEAS"><parameter>announce as</parameter></link></para></listitem> <listitem><para><link linkend="ANNOUNCEVERSION"><parameter>announce version</parameter></link></para></listitem> - <listitem><para><link linkend="AUTHMETHODS"><parameter>auth methods</parameter></link></para></listitem> <listitem><para><link linkend="AUTOSERVICES"><parameter>auto services</parameter></link></para></listitem> <listitem><para><link linkend="BINDINTERFACESONLY"><parameter>bind interfaces only</parameter></link></para></listitem> <listitem><para><link linkend="BROWSELIST"><parameter>browse list</parameter></link></para></listitem> <listitem><para><link linkend="CHANGENOTIFYTIMEOUT"><parameter>change notify timeout</parameter></link></para></listitem> <listitem><para><link linkend="CHANGESHARECOMMAND"><parameter>change share command</parameter></link></para></listitem> + <listitem><para><link linkend="CHARACTERSET"><parameter>character set</parameter></link></para></listitem> + <listitem><para><link linkend="CLIENTCODEPAGE"><parameter>client code page</parameter></link></para></listitem> + <listitem><para><link linkend="CODEPAGEDIRECTORY"><parameter>code page directory</parameter></link></para></listitem> + <listitem><para><link linkend="CODINGSYSTEM"><parameter>coding system</parameter></link></para></listitem> <listitem><para><link linkend="CONFIGFILE"><parameter>config file</parameter></link></para></listitem> <listitem><para><link linkend="DEADTIME"><parameter>deadtime</parameter></link></para></listitem> <listitem><para><link linkend="DEBUGHIRESTIMESTAMP"><parameter>debug hires timestamp</parameter></link></para></listitem> @@ -621,30 +632,24 @@ <listitem><para><link linkend="DEBUGLEVEL"><parameter>debuglevel</parameter></link></para></listitem> <listitem><para><link linkend="DEFAULT"><parameter>default</parameter></link></para></listitem> <listitem><para><link linkend="DEFAULTSERVICE"><parameter>default service</parameter></link></para></listitem> - <listitem><para><link linkend="DELETEPRINTERCOMMAND"><parameter>deleteprinter command</parameter></link></para></listitem> + <listitem><para><link linkend="DELETEPRINTERCOMMAND"><parameter>delete printer command</parameter></link></para></listitem> <listitem><para><link linkend="DELETESHARECOMMAND"><parameter>delete share command</parameter></link></para></listitem> <listitem><para><link linkend="DELETEUSERSCRIPT"><parameter>delete user script</parameter></link></para></listitem> - <listitem><para><link linkend="DELETEUSERFROMGROUPSCRIPT"><parameter>delete user from group script</parameter></link></para></listitem> <listitem><para><link linkend="DFREECOMMAND"><parameter>dfree command</parameter></link></para></listitem> - <listitem><para><link linkend="DISABLENETBIOS"><parameter>disable netbios</parameter></link></para></listitem> <listitem><para><link linkend="DISABLESPOOLSS"><parameter>disable spoolss</parameter></link></para></listitem> - <listitem><para><link linkend="DISPLAYCHARSET"><parameter>display charset</parameter></link></para></listitem> <listitem><para><link linkend="DNSPROXY"><parameter>dns proxy</parameter></link></para></listitem> <listitem><para><link linkend="DOMAINADMINGROUP"><parameter>domain admin group</parameter></link></para></listitem> <listitem><para><link linkend="DOMAINGUESTGROUP"><parameter>domain guest group</parameter></link></para></listitem> <listitem><para><link linkend="DOMAINLOGONS"><parameter>domain logons</parameter></link></para></listitem> <listitem><para><link linkend="DOMAINMASTER"><parameter>domain master</parameter></link></para></listitem> - <listitem><para><link linkend="DOSCHARSET"><parameter>dos charset</parameter></link></para></listitem> <listitem><para><link linkend="ENCRYPTPASSWORDS"><parameter>encrypt passwords</parameter></link></para></listitem> <listitem><para><link linkend="ENHANCEDBROWSING"><parameter>enhanced browsing</parameter></link></para></listitem> <listitem><para><link linkend="ENUMPORTSCOMMAND"><parameter>enumports command</parameter></link></para></listitem> <listitem><para><link linkend="GETWDCACHE"><parameter>getwd cache</parameter></link></para></listitem> <listitem><para><link linkend="HIDELOCALUSERS"><parameter>hide local users</parameter></link></para></listitem> <listitem><para><link linkend="HIDEUNREADABLE"><parameter>hide unreadable</parameter></link></para></listitem> - <listitem><para><link linkend="HIDEUNWRITEABLEFILES"><parameter>hide unwriteable files</parameter></link></para></listitem> <listitem><para><link linkend="HOMEDIRMAP"><parameter>homedir map</parameter></link></para></listitem> <listitem><para><link linkend="HOSTMSDFS"><parameter>host msdfs</parameter></link></para></listitem> - <listitem><para><link linkend="HOSTNAMELOOKUPS"><parameter>hostname lookups</parameter></link></para></listitem> <listitem><para><link linkend="HOSTSEQUIV"><parameter>hosts equiv</parameter></link></para></listitem> <listitem><para><link linkend="INTERFACES"><parameter>interfaces</parameter></link></para></listitem> <listitem><para><link linkend="KEEPALIVE"><parameter>keepalive</parameter></link></para></listitem> @@ -654,11 +659,10 @@ <listitem><para><link linkend="LDAPADMINDN"><parameter>ldap admin dn</parameter></link></para></listitem> <listitem><para><link linkend="LDAPFILTER"><parameter>ldap filter</parameter></link></para></listitem> + <listitem><para><link linkend="LDAPPORT"><parameter>ldap port</parameter></link></para></listitem> + <listitem><para><link linkend="LDAPSERVER"><parameter>ldap server</parameter></link></para></listitem> <listitem><para><link linkend="LDAPSSL"><parameter>ldap ssl</parameter></link></para></listitem> <listitem><para><link linkend="LDAPSUFFIX"><parameter>ldap suffix</parameter></link></para></listitem> - <listitem><para><link linkend="LDAPUSERSUFFIX"><parameter>ldap user suffix</parameter></link></para></listitem> - <listitem><para><link linkend="LDAPMACHINESUFFIX"><parameter>ldap machine suffix</parameter></link></para></listitem> - <listitem><para><link linkend="LDAPPASSWDSYNC"><parameter>ldap passwd sync</parameter></link></para></listitem> <listitem><para><link linkend="LMANNOUNCE"><parameter>lm announce</parameter></link></para></listitem> <listitem><para><link linkend="LMINTERVAL"><parameter>lm interval</parameter></link></para></listitem> @@ -678,6 +682,7 @@ <listitem><para><link linkend="LPQCACHETIME"><parameter>lpq cache time</parameter></link></para></listitem> <listitem><para><link linkend="MACHINEPASSWORDTIMEOUT"><parameter>machine password timeout</parameter></link></para></listitem> <listitem><para><link linkend="MANGLEDSTACK"><parameter>mangled stack</parameter></link></para></listitem> + <listitem><para><link linkend="MANGLINGMETHOD"><parameter>mangling method</parameter></link></para></listitem> <listitem><para><link linkend="MAPTOGUEST"><parameter>map to guest</parameter></link></para></listitem> <listitem><para><link linkend="MAXDISKSIZE"><parameter>max disk size</parameter></link></para></listitem> <listitem><para><link linkend="MAXLOGSIZE"><parameter>max log size</parameter></link></para></listitem> @@ -693,15 +698,13 @@ <listitem><para><link linkend="MINPASSWORDLENGTH"><parameter>min password length</parameter></link></para></listitem> <listitem><para><link linkend="MINPROTOCOL"><parameter>min protocol</parameter></link></para></listitem> <listitem><para><link linkend="MINWINSTTL"><parameter>min wins ttl</parameter></link></para></listitem> - <listitem><para><link linkend="NAMECACHETIMEOUT"><parameter>name cache timeout</parameter></link></para></listitem> <listitem><para><link linkend="NAMERESOLVEORDER"><parameter>name resolve order</parameter></link></para></listitem> <listitem><para><link linkend="NETBIOSALIASES"><parameter>netbios aliases</parameter></link></para></listitem> <listitem><para><link linkend="NETBIOSNAME"><parameter>netbios name</parameter></link></para></listitem> <listitem><para><link linkend="NETBIOSSCOPE"><parameter>netbios scope</parameter></link></para></listitem> <listitem><para><link linkend="NISHOMEDIR"><parameter>nis homedir</parameter></link></para></listitem> - <listitem><para><link linkend="NTLMAUTH"><parameter>ntlm auth</parameter></link></para></listitem> - <listitem><para><link linkend="NONUNIXACCOUNTRANGE"><parameter>non unix account range</parameter></link></para></listitem> <listitem><para><link linkend="NTPIPESUPPORT"><parameter>nt pipe support</parameter></link></para></listitem> + <listitem><para><link linkend="NTSMBSUPPORT"><parameter>nt smb support</parameter></link></para></listitem> <listitem><para><link linkend="NTSTATUSSUPPORT"><parameter>nt status support</parameter></link></para></listitem> <listitem><para><link linkend="NULLPASSWORDS"><parameter>null passwords</parameter></link></para></listitem> <listitem><para><link linkend="OBEYPAMRESTRICTIONS"><parameter>obey pam restrictions</parameter></link></para></listitem> @@ -710,8 +713,6 @@ <listitem><para><link linkend="OS2DRIVERMAP"><parameter>os2 driver map</parameter></link></para></listitem> <listitem><para><link linkend="PAMPASSWORDCHANGE"><parameter>pam password change</parameter></link></para></listitem> <listitem><para><link linkend="PANICACTION"><parameter>panic action</parameter></link></para></listitem> - <listitem><para><link linkend="PARANOIDSERVERSECURITY"><parameter>paranoid server security</parameter></link></para></listitem> - <listitem><para><link linkend="PASSDBBACKEND"><parameter>passdb backend</parameter></link></para></listitem> <listitem><para><link linkend="PASSWDCHAT"><parameter>passwd chat</parameter></link></para></listitem> <listitem><para><link linkend="PASSWDCHATDEBUG"><parameter>passwd chat debug</parameter></link></para></listitem> <listitem><para><link linkend="PASSWDPROGRAM"><parameter>passwd program</parameter></link></para></listitem> @@ -723,12 +724,10 @@ <listitem><para><link linkend="PRINTCAP"><parameter>printcap</parameter></link></para></listitem> <listitem><para><link linkend="PRINTCAPNAME"><parameter>printcap name</parameter></link></para></listitem> <listitem><para><link linkend="PRINTERDRIVERFILE"><parameter>printer driver file</parameter></link></para></listitem> - <listitem><para><link linkend="PRIVATEDIR"><parameter>private dir</parameter></link></para></listitem> <listitem><para><link linkend="PROTOCOL"><parameter>protocol</parameter></link></para></listitem> <listitem><para><link linkend="READBMPX"><parameter>read bmpx</parameter></link></para></listitem> <listitem><para><link linkend="READRAW"><parameter>read raw</parameter></link></para></listitem> <listitem><para><link linkend="READSIZE"><parameter>read size</parameter></link></para></listitem> - <listitem><para><link linkend="REALM"><parameter>realm</parameter></link></para></listitem> <listitem><para><link linkend="REMOTEANNOUNCE"><parameter>remote announce</parameter></link></para></listitem> <listitem><para><link linkend="REMOTEBROWSESYNC"><parameter>remote browse sync</parameter></link></para></listitem> <listitem><para><link linkend="RESTRICTANONYMOUS"><parameter>restrict anonymous</parameter></link></para></listitem> @@ -738,13 +737,29 @@ <listitem><para><link linkend="SECURITY"><parameter>security</parameter></link></para></listitem> <listitem><para><link linkend="SERVERSTRING"><parameter>server string</parameter></link></para></listitem> <listitem><para><link linkend="SHOWADDPRINTERWIZARD"><parameter>show add printer wizard</parameter></link></para></listitem> - <listitem><para><link linkend="SHUTDOWNSCRIPT"><parameter>shutdown script</parameter></link></para></listitem> <listitem><para><link linkend="SMBPASSWDFILE"><parameter>smb passwd file</parameter></link></para></listitem> - <listitem><para><link linkend="SMBPORTS"><parameter>smb ports</parameter></link></para></listitem> <listitem><para><link linkend="SOCKETADDRESS"><parameter>socket address</parameter></link></para></listitem> <listitem><para><link linkend="SOCKETOPTIONS"><parameter>socket options</parameter></link></para></listitem> <listitem><para><link linkend="SOURCEENVIRONMENT"><parameter>source environment</parameter></link></para></listitem> - <listitem><para><link linkend="SPNEGO"><parameter>use spnego</parameter></link></para></listitem> + + <listitem><para><link linkend="SSL"><parameter>ssl</parameter></link></para></listitem> + <listitem><para><link linkend="SSLCACERTDIR"><parameter>ssl CA certDir</parameter></link></para></listitem> + <listitem><para><link linkend="SSLCACERTFILE"><parameter>ssl CA certFile</parameter></link></para></listitem> + <listitem><para><link linkend="SSLCIPHERS"><parameter>ssl ciphers</parameter></link></para></listitem> + <listitem><para><link linkend="SSLCLIENTCERT"><parameter>ssl client cert</parameter></link></para></listitem> + <listitem><para><link linkend="SSLCLIENTKEY"><parameter>ssl client key</parameter></link></para></listitem> + <listitem><para><link linkend="SSLCOMPATIBILITY"><parameter>ssl compatibility</parameter></link></para></listitem> + <listitem><para><link linkend="SSLEGDSOCKET"><parameter>ssl egd socket</parameter></link></para></listitem> + <listitem><para><link linkend="SSLENTROPYBYTES"><parameter>ssl entropy bytes</parameter></link></para></listitem> + <listitem><para><link linkend="SSLENTROPYFILE"><parameter>ssl entropy file</parameter></link></para></listitem> + <listitem><para><link linkend="SSLHOSTS"><parameter>ssl hosts</parameter></link></para></listitem> + <listitem><para><link linkend="SSLHOSTSRESIGN"><parameter>ssl hosts resign</parameter></link></para></listitem> + <listitem><para><link linkend="SSLREQUIRECLIENTCERT"><parameter>ssl require clientcert</parameter></link></para></listitem> + <listitem><para><link linkend="SSLREQUIRESERVERCERT"><parameter>ssl require servercert</parameter></link></para></listitem> + <listitem><para><link linkend="SSLSERVERCERT"><parameter>ssl server cert</parameter></link></para></listitem> + <listitem><para><link linkend="SSLSERVERKEY"><parameter>ssl server key</parameter></link></para></listitem> + <listitem><para><link linkend="SSLVERSION"><parameter>ssl version</parameter></link></para></listitem> + <listitem><para><link linkend="STATCACHE"><parameter>stat cache</parameter></link></para></listitem> <listitem><para><link linkend="STATCACHESIZE"><parameter>stat cache size</parameter></link></para></listitem> <listitem><para><link linkend="STRIPDOT"><parameter>strip dot</parameter></link></para></listitem> @@ -756,8 +771,6 @@ <listitem><para><link linkend="TIMESERVER"><parameter>time server</parameter></link></para></listitem> <listitem><para><link linkend="TIMESTAMPLOGS"><parameter>timestamp logs</parameter></link></para></listitem> <listitem><para><link linkend="TOTALPRINTJOBS"><parameter>total print jobs</parameter></link></para></listitem> - <listitem><para><link linkend="UNICODE"><parameter>unicode</parameter></link></para></listitem> - <listitem><para><link linkend="UNIXCHARSET"><parameter>unix charset</parameter></link></para></listitem> <listitem><para><link linkend="UNIXEXTENSIONS"><parameter>unix extensions</parameter></link></para></listitem> <listitem><para><link linkend="UNIXPASSWORDSYNC"><parameter>unix password sync</parameter></link></para></listitem> <listitem><para><link linkend="UPDATEENCRYPTED"><parameter>update encrypted</parameter></link></para></listitem> @@ -767,7 +780,7 @@ <listitem><para><link linkend="USERNAMEMAP"><parameter>username map</parameter></link></para></listitem> <listitem><para><link linkend="UTMP"><parameter>utmp</parameter></link></para></listitem> <listitem><para><link linkend="UTMPDIRECTORY"><parameter>utmp directory</parameter></link></para></listitem> - <listitem><para><link linkend="WTMPDIRECTORY"><parameter>wtmp directory</parameter></link></para></listitem> + <listitem><para><link linkend="VALIDCHARS"><parameter>valid chars</parameter></link></para></listitem> <listitem><para><link linkend="WINBINDCACHETIME"><parameter>winbind cache time</parameter></link></para></listitem> <listitem><para><link linkend="WINBINDENUMUSERS"><parameter>winbind enum users</parameter></link></para></listitem> <listitem><para><link linkend="WINBINDENUMGROUPS"><parameter>winbind enum groups</parameter></link></para></listitem> @@ -776,7 +789,6 @@ <listitem><para><link linkend="WINBINDUID"><parameter>winbind uid</parameter></link></para></listitem> <listitem><para><link linkend="WINBINDUSEDEFAULTDOMAIN"><parameter>winbind use default domain</parameter></link></para></listitem> <listitem><para><link linkend="WINSHOOK"><parameter>wins hook</parameter></link></para></listitem> - <listitem><para><link linkend="WINSPARTNERS"><parameter>wins partners</parameter></link></para></listitem> <listitem><para><link linkend="WINSPROXY"><parameter>wins proxy</parameter></link></para></listitem> <listitem><para><link linkend="WINSSERVER"><parameter>wins server</parameter></link></para></listitem> <listitem><para><link linkend="WINSSUPPORT"><parameter>wins support</parameter></link></para></listitem> @@ -797,7 +809,7 @@ <listitem><para><link linkend="ALLOWHOSTS"><parameter>allow hosts</parameter></link></para></listitem> <listitem><para><link linkend="AVAILABLE"><parameter>available</parameter></link></para></listitem> <listitem><para><link linkend="BLOCKINGLOCKS"><parameter>blocking locks</parameter></link></para></listitem> -<listitem><para><link linkend="BLOCKSIZE"><parameter>block size</parameter></link></para></listitem> + <listitem><para><link linkend="BLOCKSIZE"><parameter>block size</parameter></link></para></listitem> <listitem><para><link linkend="BROWSABLE"><parameter>browsable</parameter></link></para></listitem> <listitem><para><link linkend="BROWSEABLE"><parameter>browseable</parameter></link></para></listitem> <listitem><para><link linkend="CASESENSITIVE"><parameter>case sensitive</parameter></link></para></listitem> @@ -830,6 +842,7 @@ <listitem><para><link linkend="FORCEDIRECTORYSECURITYMODE"><parameter>force directory security mode</parameter></link></para></listitem> <listitem><para><link linkend="FORCEGROUP"><parameter>force group</parameter></link></para></listitem> <listitem><para><link linkend="FORCESECURITYMODE"><parameter>force security mode</parameter></link></para></listitem> + <listitem><para><link linkend="FORCEUNKNOWNACLUSER"><parameter>force unknown acl user</parameter></link></para></listitem> <listitem><para><link linkend="FORCEUSER"><parameter>force user</parameter></link></para></listitem> <listitem><para><link linkend="FSTYPE"><parameter>fstype</parameter></link></para></listitem> <listitem><para><link linkend="GROUP"><parameter>group</parameter></link></para></listitem> @@ -856,7 +869,6 @@ <listitem><para><link linkend="MANGLEDMAP"><parameter>mangled map</parameter></link></para></listitem> <listitem><para><link linkend="MANGLEDNAMES"><parameter>mangled names</parameter></link></para></listitem> <listitem><para><link linkend="MANGLINGCHAR"><parameter>mangling char</parameter></link></para></listitem> - <listitem><para><link linkend="MANGLINGMETHOD"><parameter>mangling method</parameter></link></para></listitem> <listitem><para><link linkend="MAPARCHIVE"><parameter>map archive</parameter></link></para></listitem> <listitem><para><link linkend="MAPHIDDEN"><parameter>map hidden</parameter></link></para></listitem> <listitem><para><link linkend="MAPSYSTEM"><parameter>map system</parameter></link></para></listitem> @@ -909,7 +921,6 @@ <listitem><para><link linkend="VALIDUSERS"><parameter>valid users</parameter></link></para></listitem> <listitem><para><link linkend="VETOFILES"><parameter>veto files</parameter></link></para></listitem> <listitem><para><link linkend="VETOOPLOCKFILES"><parameter>veto oplock files</parameter></link></para></listitem> - <listitem><para><link linkend="VFSPATH"><parameter>vfs path</parameter></link></para></listitem> <listitem><para><link linkend="VFSOBJECT"><parameter>vfs object</parameter></link></para></listitem> <listitem><para><link linkend="VFSOPTIONS"><parameter>vfs options</parameter></link></para></listitem> <listitem><para><link linkend="VOLUME"><parameter>volume</parameter></link></para></listitem> @@ -928,23 +939,9 @@ <variablelist> - <varlistentry> - <term><anchor id="ABORTSHUTDOWNSCRIPT">abort shutdown script (G)</term> - <listitem><para><emphasis>This parameter only exists in the HEAD cvs branch</emphasis> - This a full path name to a script called by - <ulink url="smbd.8.html"><command>smbd(8)</command></ulink> that - should stop a shutdown procedure issued by the <link - linkend="SHUTDOWNSCRIPT"><parameter>shutdown script</parameter></link>.</para> - - <para>This command will be run as user.</para> - - <para>Default: <emphasis>None</emphasis>.</para> - <para>Example: <command>abort shutdown script = /sbin/shutdown -c</command></para> - </listitem> - </varlistentry> <varlistentry> - <term><anchor id="ADDPRINTERCOMMAND">addprinter command (G)</term> + <term><anchor id="ADDPRINTERCOMMAND">add printer command (G)</term> <listitem><para>With the introduction of MS-RPC based printing support for Windows NT/2000 clients in Samba 2.2, The MS Add Printer Wizard (APW) icon is now also available in the @@ -961,7 +958,7 @@ shared by <ulink url="smbd.8.html"><command>smbd(8)</command> </ulink>.</para> - <para>The <parameter>addprinter command</parameter> is + <para>The <parameter>add printer command</parameter> is automatically invoked with the following parameter (in order:</para> @@ -981,14 +978,14 @@ only. The remaining fields in the structure are generated from answers to the APW questions.</para> - <para>Once the <parameter>addprinter command</parameter> has + <para>Once the <parameter>add printer command</parameter> has been executed, <command>smbd</command> will reparse the <filename> smb.conf</filename> to determine if the share defined by the APW exists. If the sharename is still invalid, then <command>smbd </command> will return an ACCESS_DENIED error to the client.</para> <para>See also <link linkend="DELETEPRINTERCOMMAND"><parameter> - deleteprinter command</parameter></link>, <link + delete printer command</parameter></link>, <link linkend="printing"><parameter>printing</parameter></link>, <link linkend="SHOWADDPRINTERWIZARD"><parameter>show add printer wizard</parameter></link></para> @@ -1038,7 +1035,7 @@ <para> This parameter is only used for add file shares. To add printer shares, - see the <link linkend="ADDPRINTERCOMMAND"><parameter>addprinter + see the <link linkend="ADDPRINTERCOMMAND"><parameter>add printer command</parameter></link>. </para> @@ -1055,36 +1052,7 @@ - <varlistentry> - <term><anchor id="ADDMACHINESCRIPT">add machine script (G)</term> - <listitem><para>This is the full pathname to a script that will - be run by <ulink url="smbd.8.html">smbd(8)</ulink> when a machine is added - to it's domain using the administrator username and password method. </para> - - <para>This option is only required when using sam back-ends tied to the - Unix uid method of RID calculation such as smbpasswd. This option is only - available in Samba 3.0.</para> - - <para>Default: <command>add machine script = <empty string> - </command></para> - <para>Example: <command>add machine script = /usr/sbin/adduser -n -g machines -c Machine -d /dev/null -s /bin/false %u - </command></para> - </listitem> - </varlistentry> - - <varlistentry> - <term><anchor id="ADSSERVER">ads server (G)</term> - <listitem><para>If this option is specified, samba does - not try to figure out what ads server to use itself, but - uses the specified ads server. Either one DNS name or IP - address can be used.</para> - - <para>Default: <command>ads server = </command></para> - - <para>Example: <command>ads server = 192.168.1.2</command></para> - </listitem> - </varlistentry> <varlistentry> <term><anchor id="ADDUSERSCRIPT">add user script (G)</term> @@ -1136,22 +1104,10 @@ %u</command></para> </listitem> </varlistentry> - - <varlistentry><term><anchor id="ADDGROUPSCRIPT">add group script (G)</term> - <listitem><para>This is the full pathname to a script that will - be run <emphasis>AS ROOT</emphasis> by <ulink - url="smbd.8.html">smbd(8)</ulink> when a new group is - requested. It will expand any - <parameter>%g</parameter> to the group name passed. - This script is only useful for installations using the - Windows NT domain administration tools. The script is - free to create a group with an arbitrary name to - circumvent unix group name restrictions. In that case - the script must print the numeric gid of the created - group on stdout. - </para></listitem> - </varlistentry> + + + <varlistentry> <term><anchor id="ADMINUSERS">admin users (S)</term> <listitem><para>This is a list of users who will be granted @@ -1167,23 +1123,8 @@ <para>Example: <command>admin users = jason</command></para> </listitem> </varlistentry> - - <varlistentry> - <term><anchor id="ADDUSERTOGROUPSCRIPT">add user to group script (G)</term> - <listitem><para>Full path to the script that will be called when - a user is added to a group using the Windows NT domain administration - tools. It will be run by <ulink url="smbd.8.html">smbd(8)</ulink> - <emphasis>AS ROOT</emphasis>. Any <parameter>%g</parameter> will be - replaced with the group name and any <parameter>%u</parameter> will - be replaced with the user name. - </para> - - <para>Default: <command>add user to group script = </command></para> - - <para>Example: <command>add user to group script = /usr/sbin/adduser %u %g</command></para> - </listitem> - </varlistentry> + <varlistentry> <term><anchor id="ALLOWHOSTS">allow hosts (S)</term> @@ -1191,29 +1132,8 @@ <parameter>hosts allow</parameter></link>.</para></listitem> </varlistentry> - <varlistentry> - <term><anchor id="ALGORITHMICRIDBASE">algorithmic rid base (G)</term> - <listitem><para>This determines how Samba will use its - algorithmic mapping from uids/gid to the RIDs needed to construct - NT Security Identifiers.</para> - <para>Setting this option to a larger value could be useful to sites - transitioning from WinNT and Win2k, as existing user and - group rids would otherwise clash with sytem users etc. - </para> - <para>All UIDs and GIDs must be able to be resolved into SIDs for - the correct operation of ACLs on the server. As such the algorithmic - mapping can't be 'turned off', but pushing it 'out of the way' should - resolve the issues. Users and groups can then be assigned 'low' RIDs - in arbitary-rid supporting backends. </para> - - <para>Default: <command>algorithmic rid base = 1000</command></para> - - <para>Example: <command>algorithmic rid base = 100000</command></para> - </listitem> - </varlistentry> - <varlistentry> <term><anchor id="ALLOWTRUSTEDDOMAINS">allow trusted domains (G)</term> <listitem><para>This option only takes effect when the <link @@ -1238,6 +1158,8 @@ </listitem> </varlistentry> + + <varlistentry> <term><anchor id="ANNOUNCEAS">announce as (G)</term> <listitem><para>This specifies what type of server @@ -1264,7 +1186,7 @@ <term><anchor id="ANNOUNCEVERSION">announce version (G)</term> <listitem><para>This specifies the major and minor version numbers that nmbd will use when announcing itself as a server. The default - is 4.2. Do not change this parameter unless you have a specific + is 4.5. Do not change this parameter unless you have a specific need to set a Samba server to be a downlevel server.</para> <para>Default: <command>announce version = 4.5</command></para> @@ -1285,24 +1207,6 @@ <varlistentry> - <term><anchor id="AUTHMETHODS">auth methods (G)</term> - <listitem><para>This option allows the administrator to chose what - authentication methods <command>smbd</command> will use when authenticating - a user. This option defaults to sensible values based on <link linkend="SECURITY"><parameter> - security</parameter></link>. - - Each entry in the list attempts to authenticate the user in turn, until - the user authenticates. In practice only one method will ever actually - be able to complete the authentication. - </para> - - <para>Default: <command>auth methods = <empty string></command></para> - <para>Example: <command>auth methods = guest sam ntdomain</command></para> - </listitem> - </varlistentry> - - - <varlistentry> <term><anchor id="AVAILABLE">available (S)</term> <listitem><para>This parameter lets you "turn off" a service. If <parameter>available = no</parameter>, then <emphasis>ALL</emphasis> @@ -1387,6 +1291,32 @@ <varlistentry> + <term><anchor id="BLOCKSIZE">block size (S)</term> + <listitem><para>This parameter controls the behavior of <ulink + url="smbd.8.html">smbd(8)</ulink> when reporting disk free sizes. + By default, this reports a disk block size of 1024 bytes.</para> + + <para>Changing this parameter may have some effect on the + efficiency of client writes, this is not yet confirmed. This + parameter was added to allow advanced administrators to change + it (usually to a higher value) and test the effect it has on + client write performance without re-compiling the code. As this + is an experimental option it may be removed in a future release. + </para> + + <para>Changing this option does not change the disk free reporting + size, just the block size unit reported to the client.</para> + + <para>Default: <command>block size = 1024</command></para> + <para>Example: <command>block size = 65536</command></para> + + </listitem> + </varlistentry> + + + + + <varlistentry> <term><anchor id="BLOCKINGLOCKS">blocking locks (S)</term> <listitem><para>This parameter controls the behavior of <ulink url="smbd.8.html">smbd(8)</ulink> when given a request by a client @@ -1407,31 +1337,7 @@ </listitem> </varlistentry> - - <varlistentry> - <term><anchor id="BLOCKSIZE">block size (S)</term> - <listitem><para>This parameter controls the behavior of - <ulink url="smbd.8.html">smbd(8)</ulink> when reporting disk free - sizes. By default, this reports a disk block size of 1024 bytes. - </para> - <para>Changing this parameter may have some effect on the - efficiency of client writes, this is not yet confirmed. This - parameter was added to allow advanced administrators to change - it (usually to a higher value) and test the effect it has on - client write performance without re-compiling the code. As this - is an experimental option it may be removed in a future release. - </para> - - <para>Changing this option does not change the disk free reporting - size, just the block size unit reported to the client.</para> - - <para>Default: <command>block size = 1024</command></para> - <para>Example: <command>block size = 65536</command></para> - - </listitem> - </varlistentry> - <varlistentry> @@ -1556,7 +1462,192 @@ + <varlistentry> + <term><anchor id="CHARACTERSET">character set (G)</term> + <listitem><para>This allows <ulink url="smbd.8.html">smbd</ulink> to map incoming filenames + from a DOS Code page (see the <link linkend="CLIENTCODEPAGE">client + code page</link> parameter) to several built in UNIX character sets. + The built in code page translations are:</para> + + <itemizedlist> + <listitem><para><constant>ISO8859-1</constant> : Western European + UNIX character set. The parameter <parameter>client code page</parameter> + <emphasis>MUST</emphasis> be set to code page 850 if the + <parameter>character set</parameter> parameter is set to + <constant>ISO8859-1</constant> in order for the conversion to the + UNIX character set to be done correctly.</para></listitem> + + <listitem><para><constant>ISO8859-2</constant> : Eastern European + UNIX character set. The parameter <parameter>client code page + </parameter> <emphasis>MUST</emphasis> be set to code page 852 if + the <parameter> character set</parameter> parameter is set + to <constant>ISO8859-2</constant> in order for the conversion + to the UNIX character set to be done correctly. </para></listitem> + + <listitem><para><constant>ISO8859-5</constant> : Russian Cyrillic + UNIX character set. The parameter <parameter>client code page + </parameter> <emphasis>MUST</emphasis> be set to code page + 866 if the <parameter>character set </parameter> parameter is + set to <constant>ISO8859-5</constant> in order for the conversion + to the UNIX character set to be done correctly. </para></listitem> + + <listitem><para><constant>ISO8859-7</constant> : Greek UNIX + character set. The parameter <parameter>client code page + </parameter> <emphasis>MUST</emphasis> be set to code page + 737 if the <parameter>character set</parameter> parameter is + set to <constant>ISO8859-7</constant> in order for the conversion + to the UNIX character set to be done correctly.</para></listitem> + + <listitem><para><constant>KOI8-R</constant> : Alternate mapping + for Russian Cyrillic UNIX character set. The parameter + <parameter>client code page</parameter> <emphasis>MUST</emphasis> + be set to code page 866 if the <parameter>character set</parameter> + parameter is set to <constant>KOI8-R</constant> in order for the + conversion to the UNIX character set to be done correctly.</para> + </listitem> + </itemizedlist> + + <para><emphasis>BUG</emphasis>. These MSDOS code page to UNIX character + set mappings should be dynamic, like the loading of MS DOS code pages, + not static.</para> + + <para>Normally this parameter is not set, meaning no filename + translation is done.</para> + + <para>Default: <command>character set = <empty string></command></para> + <para>Example: <command>character set = ISO8859-1</command></para></listitem> + </varlistentry> + + + + <varlistentry> + <term><anchor id="CLIENTCODEPAGE">client code page (G)</term> + <listitem><para>This parameter specifies the DOS code page + that the clients accessing Samba are using. To determine what code + page a Windows or DOS client is using, open a DOS command prompt + and type the command <command>chcp</command>. This will output + the code page. The default for USA MS-DOS, Windows 95, and + Windows NT releases is code page 437. The default for western + European releases of the above operating systems is code page 850.</para> + <para>This parameter tells <ulink url="smbd.8.html">smbd(8)</ulink> + which of the <filename>codepage.<replaceable>XXX</replaceable> + </filename> files to dynamically load on startup. These files, + described more fully in the manual page <ulink url="make_smbcodepage.1.html"> + <command>make_smbcodepage(1)</command></ulink>, tell <command> + smbd</command> how to map lower to upper case characters to provide + the case insensitivity of filenames that Windows clients expect.</para> + + <para>Samba currently ships with the following code page files :</para> + + <itemizedlist> + <listitem><para>Code Page 437 - MS-DOS Latin US</para></listitem> + <listitem><para>Code Page 737 - Windows '95 Greek</para></listitem> + <listitem><para>Code Page 850 - MS-DOS Latin 1</para></listitem> + <listitem><para>Code Page 852 - MS-DOS Latin 2</para></listitem> + <listitem><para>Code Page 861 - MS-DOS Icelandic</para></listitem> + <listitem><para>Code Page 866 - MS-DOS Cyrillic</para></listitem> + <listitem><para>Code Page 932 - MS-DOS Japanese SJIS</para></listitem> + <listitem><para>Code Page 936 - MS-DOS Simplified Chinese</para></listitem> + <listitem><para>Code Page 949 - MS-DOS Korean Hangul</para></listitem> + <listitem><para>Code Page 950 - MS-DOS Traditional Chinese</para></listitem> + </itemizedlist> + + <para>Thus this parameter may have any of the values 437, 737, 850, 852, + 861, 932, 936, 949, or 950. If you don't find the codepage you need, + read the comments in one of the other codepage files and the + <command>make_smbcodepage(1)</command> man page and write one. Please + remember to donate it back to the Samba user community.</para> + + <para>This parameter co-operates with the <parameter>valid + chars</parameter> parameter in determining what characters are + valid in filenames and how capitalization is done. If you set both + this parameter and the <parameter>valid chars</parameter> parameter + the <parameter>client code page</parameter> parameter + <emphasis>MUST</emphasis> be set before the <parameter>valid + chars</parameter> parameter in the <filename>smb.conf</filename> + file. The <parameter>valid chars</parameter> string will then + augment the character settings in the <parameter>client code page</parameter> + parameter.</para> + + <para>If not set, <parameter>client code page</parameter> defaults + to 850.</para> + + <para>See also : <link linkend="VALIDCHARS"><parameter>valid + chars</parameter></link>, <link linkend="CODEPAGEDIRECTORY"> + <parameter>code page directory</parameter></link></para> + + <para>Default: <command>client code page = 850</command></para> + <para>Example: <command>client code page = 936</command></para> + </listitem> + </varlistentry> + + + + + <varlistentry> + <term><anchor id="CODEPAGEDIRECTORY">code page directory (G)</term> + <listitem><para>Define the location of the various client code page + files.</para> + + <para>See also <link linkend="CLIENTCODEPAGE"><parameter>client + code page</parameter></link></para> + + <para>Default: <command>code page directory = ${prefix}/lib/codepages + </command></para> + <para>Example: <command>code page directory = /usr/share/samba/codepages + </command></para> + </listitem> + </varlistentry> + + + + + + <varlistentry> + <term><anchor id="CODINGSYSTEM">coding system (G)</term> + <listitem><para>This parameter is used to determine how incoming + Shift-JIS Japanese characters are mapped from the incoming <link + linkend="CLIENTCODEPAGE"><parameter>client code page</parameter> + </link> used by the client, into file names in the UNIX filesystem. + Only useful if <parameter>client code page</parameter> is set to + 932 (Japanese Shift-JIS). The options are :</para> + + <itemizedlist> + <listitem><para><constant>SJIS</constant> - Shift-JIS. Does no + conversion of the incoming filename.</para></listitem> + + <listitem><para><constant>JIS8, J8BB, J8BH, J8@B, + J8@J, J8@H </constant> - Convert from incoming Shift-JIS to eight + bit JIS code with different shift-in, shift out codes.</para></listitem> + + <listitem><para><constant>JIS7, J7BB, J7BH, J7@B, J7@J, + J7@H </constant> - Convert from incoming Shift-JIS to seven bit + JIS code with different shift-in, shift out codes.</para></listitem> + + <listitem><para><constant>JUNET, JUBB, JUBH, JU@B, JU@J, JU@H </constant> + - Convert from incoming Shift-JIS to JUNET code with different shift-in, + shift out codes.</para></listitem> + + <listitem><para><constant>EUC</constant> - Convert an incoming + Shift-JIS character to EUC code.</para></listitem> + + <listitem><para><constant>HEX</constant> - Convert an incoming + Shift-JIS character to a 3 byte hex representation, i.e. + <constant>:AB</constant>.</para></listitem> + + <listitem><para><constant>CAP</constant> - Convert an incoming + Shift-JIS character to the 3 byte hex representation used by + the Columbia AppleTalk Program (CAP), i.e. <constant>:AB</constant>. + This is used for compatibility between Samba and CAP.</para></listitem> + </itemizedlist> + + <para>Default: <command>coding system = <empty value></command> + </para> + </listitem> + </varlistentry> + + <varlistentry> <term><anchor id="COMMENT">comment (S)</term> @@ -1878,14 +1969,10 @@ </listitem> </varlistentry> - <varlistentry><term><anchor id="DELETEGROUPSCRIPT">delete group script (G)</term> - <listitem><para>This is the full pathname to a script that will - be run <emphasis>AS ROOT</emphasis> by <ulink url="smbd.8.html">smbd(8)</ulink> when a group is requested to be deleted. It will expand any <parameter>%g</parameter> to the group name passed. This script is only useful for installations using the Windows NT domain administration tools. - </para></listitem> - </varlistentry> + <varlistentry> - <term><anchor id="DELETEPRINTERCOMMAND">deleteprinter command (G)</term> + <term><anchor id="DELETEPRINTERCOMMAND">delete printer command (G)</term> <listitem><para>With the introduction of MS-RPC based printer support for Windows NT/2000 clients in Samba 2.2, it is now possible to delete printer at run time by issuing the @@ -1898,19 +1985,19 @@ from the print system and from <filename>smb.conf</filename>. </para> - <para>The <parameter>deleteprinter command</parameter> is + <para>The <parameter>delete printer command</parameter> is automatically called with only one parameter: <parameter> "printer name"</parameter>.</para> - <para>Once the <parameter>deleteprinter command</parameter> has + <para>Once the <parameter>delete printer command</parameter> has been executed, <command>smbd</command> will reparse the <filename> smb.conf</filename> to associated printer no longer exists. If the sharename is still valid, then <command>smbd </command> will return an ACCESS_DENIED error to the client.</para> <para>See also <link linkend="ADDPRINTERCOMMAND"><parameter> - addprinter command</parameter></link>, <link + add printer command</parameter></link>, <link linkend="printing"><parameter>printing</parameter></link>, <link linkend="SHOWADDPRINTERWIZARD"><parameter>show add printer wizard</parameter></link></para> @@ -1969,7 +2056,7 @@ <para> This parameter is only used to remove file shares. To delete printer shares, - see the <link linkend="DELETEPRINTERCOMMAND"><parameter>deleteprinter + see the <link linkend="DELETEPRINTERCOMMAND"><parameter>delete printer command</parameter></link>. </para> @@ -1991,17 +2078,47 @@ <varlistentry> <term><anchor id="DELETEUSERSCRIPT">delete user script (G)</term> <listitem><para>This is the full pathname to a script that will - be run by <ulink url="smbd.8.html"><command>smbd(8)</command></ulink> - when managing user's with remote RPC (NT) tools. - </para> + be run <emphasis>AS ROOT</emphasis> by <ulink url="smbd.8.html"> + <command>smbd(8)</command></ulink> under special circumstances + described below.</para> - <para>This script is called when a remote client removes a user - from the server, normally using 'User Manager for Domains' or - <command>rpcclient</command>. - </para> + <para>Normally, a Samba server requires that UNIX users are + created for all users accessing files on this server. For sites + that use Windows NT account databases as their primary user database + creating these users and keeping the user list in sync with the + Windows NT PDC is an onerous task. This option allows <command> + smbd</command> to delete the required UNIX users <emphasis>ON + DEMAND</emphasis> when a user accesses the Samba server and the + Windows NT user no longer exists.</para> + + <para>In order to use this option, <command>smbd</command> must be + set to <parameter>security = domain</parameter> or <parameter>security = + user</parameter> and <parameter>delete user script</parameter> + must be set to a full pathname for a script + that will delete a UNIX user given one argument of <parameter>%u</parameter>, + which expands into the UNIX user name to delete.</para> - <para>This script should delete the given UNIX username. - </para> + <para>When the Windows user attempts to access the Samba server, + at <emphasis>login</emphasis> (session setup in the SMB protocol) + time, <command>smbd</command> contacts the <link linkend="PASSWORDSERVER"> + <parameter>password server</parameter></link> and attempts to authenticate + the given user with the given password. If the authentication fails + with the specific Domain error code meaning that the user no longer + exists then <command>smbd</command> attempts to find a UNIX user in + the UNIX password database that matches the Windows user account. If + this lookup succeeds, and <parameter>delete user script</parameter> is + set then <command>smbd</command> will all the specified script + <emphasis>AS ROOT</emphasis>, expanding any <parameter>%u</parameter> + argument to be the user name to delete.</para> + + <para>This script should delete the given UNIX username. In this way, + UNIX users are dynamically deleted to match existing Windows NT + accounts.</para> + + <para>See also <link linkend="SECURITYEQUALSDOMAIN">security = domain</link>, + <link linkend="PASSWORDSERVER"><parameter>password server</parameter> + </link>, <link linkend="ADDUSERSCRIPT"><parameter>add user script</parameter> + </link>.</para> <para>Default: <command>delete user script = <empty string> </command></para> @@ -2009,22 +2126,9 @@ %u</command></para></listitem> </varlistentry> - <varlistentry> - <term><anchor id="DELETEUSERFROMGROUPSCRIPT">delete user from group script (G)</term> - <listitem><para>Full path to the script that will be called when - a user is removed from a group using the Windows NT domain administration - tools. It will be run by <ulink url="smbd.8.html">smbd(8)</ulink> - <emphasis>AS ROOT</emphasis>. Any <parameter>%g</parameter> will be - replaced with the group name and any <parameter>%u</parameter> will - be replaced with the user name. - </para> - <para>Default: <command>delete user from group script = </command></para> - <para>Example: <command>delete user from group script = /usr/sbin/deluser %u %g</command></para> - - </listitem> - </varlistentry> + <varlistentry> <term><anchor id="DELETEVETOFILES">delete veto files (S)</term> @@ -2217,24 +2321,10 @@ </varlistentry> - <varlistentry> - <term><anchor id="DISABLENETBIOS">disable netbios (G)</term> - <listitem><para>Enabling this parameter will disable netbios support - in Samba. Netbios is the only available form of browsing in - all windows versions except for 2000 and XP. </para> - - <para>Note that clients that only support netbios won't be able to - see your samba server when netbios support is disabled. - </para> - - <para>Default: <command>disable netbios = no</command></para> - <para>Example: <command>disable netbios = yes</command></para> - </listitem> - </varlistentry> <varlistentry> <term><anchor id="DISABLESPOOLSS">disable spoolss (G)</term> - <listitem><para>Enabling this parameter will disable Samba's support + <listitem><para>Enabling this parameter will disables Samba's support for the SPOOLSS set of MS-RPC's and will yield identical behavior as Samba 2.0.x. Windows NT/2000 clients will downgrade to using Lanman style printing commands. Windows 9x/ME will be uneffected by @@ -2253,19 +2343,6 @@ </listitem> </varlistentry> - <varlistentry> - <term><anchor id="DISPLAYCHARSET">display charset (G)</term> - <listitem><para>Specifies the charset that samba will use - to print messages to stdout and stderr and SWAT will use. - Should generally be the same as the <command>unix charset</command>. - </para> - - <para>Default: <command>display charset = ASCII</command></para> - - <para>Example: <command>display charset = UTF8</command></para> - - </listitem> - </varlistentry> <varlistentry> @@ -2410,20 +2487,7 @@ </listitem> </varlistentry> - <varlistentry> - <term><anchor id="DOSCHARSET">dos charset (G)</term> - <listitem><para>DOS SMB clients assume the server has - the same charset as they do. This option specifies which - charset Samba should talk to DOS clients. - </para> - <para>The default depends on which charsets you have instaled. - Samba tries to use charset 850 but falls back to ASCII in - case it is not available. Run <ulink url="testparm.1.html">testparm(1) - </ulink> to check the default on your system. - </para> - </listitem> - </varlistentry> <varlistentry> <term><anchor id="DOSFILEMODE">dos filemode (S)</term> @@ -2501,11 +2565,11 @@ </filename></ulink> file (see the <ulink url="smbpasswd.8.html"><command> smbpasswd(8)</command></ulink> program for information on how to set up and maintain this file), or set the <link - linkend="SECURITY">security = [server|domain|ads]</link> parameter which + linkend="SECURITY">security = [server|domain]</link> parameter which causes <command>smbd</command> to authenticate against another server.</para> - <para>Default: <command>encrypt passwords = yes</command></para></listitem> + <para>Default: <command>encrypt passwords = no</command></para></listitem> </varlistentry> @@ -2710,7 +2774,8 @@ <varlistentry> - <term><anchor id="FORCEDIRECTORYSECURITYMODE">force directory security mode (S)</term> + <term><anchor id="FORCEDIRECTORYSECURITYMODE">force directory + security mode (S)</term> <listitem><para>This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating the UNIX permission on a directory using the native NT security dialog box.</para> @@ -2781,6 +2846,8 @@ </listitem> </varlistentry> + + <varlistentry> <term><anchor id="FORCESECURITYMODE">force security mode (S)</term> <listitem><para>This parameter controls what UNIX permission @@ -2814,12 +2881,38 @@ <para>Example: <command>force security mode = 700</command></para> </listitem> </varlistentry> - - <varlistentry> + <term><anchor id="FORCEUNKNOWNACLUSER">force unknown acl user (S)</term> + <listitem><para>If this parameter is set, a Windows NT ACL that contains + an unknown SID (security descriptor, or representation of a user or group id) + as the owner or group owner of the file will be silently mapped into the + current UNIX uid or gid of the currently connected user.</para> + + <para>This is designed to allow Windows NT clients to copy files and + folders containing ACLs that were created locally on the client machine + and contain users local to that machine only (no domain users) to be + copied to a Samba server (usually with XCOPY /O) and have the unknown + userid and groupid of the file owner map to the current connected user. + This can only be fixed correctly when winbindd allows arbitrary mapping + from any Windows NT SID to a UNIX uid or gid.</para> + + <para>Try using this parameter when XCOPY /O gives an ACCESS_DENIED error. + </para> + + <para>See also <link linkend="FORCEGROUP"><parameter>force group + </parameter></link></para> + + <para>Default: <emphasis>False</emphasis></para> + <para>Example: <command>force unknown acl user = yes</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> <term><anchor id="FORCEUSER">force user (S)</term> <listitem><para>This specifies a UNIX user name that will be assigned as the default user for all users connecting to this service. @@ -2903,10 +2996,6 @@ <command>su -</command> command) and trying to print using the system print command such as <command>lpr(1)</command> or <command> lp(1)</command>.</para> - - <para>This paramater does not accept % macros, because - many parts of the system require this value to be - constant for correct operation.</para> <para>Default: <emphasis>specified at compile time, usually "nobody"</emphasis></para> @@ -3007,24 +3096,14 @@ <varlistentry> - <term><anchor id="HIDEUNREADABLE">hide unreadable (G)</term> + <term><anchor id="HIDEUNREADABLE">hide unreadable (S)</term> <listitem><para>This parameter prevents clients from seeing the existance of files that cannot be read. Defaults to off.</para> - <para>Default: <command>hide unreadable = no</command></para> - </listitem> + <para>Default: <command>hide unreadable = no</command></para></listitem> </varlistentry> - <varlistentry> - <term><anchor id="HIDEUNWRITEABLEFILES">hide unwriteable files (G)</term> - <listitem><para>This parameter prevents clients from seeing - the existance of files that cannot be written to. Defaults to off. - Note that unwriteable directories are shown as usual. - </para> - <para>Default: <command>hide unwriteable = no</command></para> - </listitem> - </varlistentry> <varlistentry> <term><anchor id="HOMEDIRMAP">homedir map (G)</term> @@ -3076,21 +3155,6 @@ <para>Default: <command>host msdfs = no</command></para> </listitem> </varlistentry> - - <varlistentry> - <term><anchor id="HOSTNAMELOOKUPS">hostname lookups (G)</term> - <listitem><para>Specifies whether samba should use (expensive) - hostname lookups or use the ip addresses instead. An example place - where hostname lookups are currently used is when checking - the <command>hosts deny</command> and <command>hosts allow</command>. - </para> - - <para>Default: <command>hostname lookups = yes</command></para> - - <para>Example: <command>hostname lookups = no</command></para> - - </listitem> - </varlistentry> <varlistentry> @@ -3439,11 +3503,11 @@ with Windows 2000. Note that due to Windows 2000 client redirector bugs this requires Samba to be running on a 64-bit capable operating system such as IRIX, Solaris or a Linux 2.4 kernel. Can improve performance by 10% with - Windows 2000 clients. Defaults to on. Not as tested as some other Samba + Windows 2000 clients. Defaults to off. Not as tested as some other Samba code paths. </para> - <para>Default : <command>large readwrite = yes</command></para> + <para>Default : <command>large readwrite = no</command></para> </listitem> </varlistentry> @@ -3451,9 +3515,16 @@ <varlistentry> <term><anchor id="LDAPADMINDN">ldap admin dn (G)</term> - <listitem><para> The <parameter>ldap admin dn</parameter> defines the Distinguished - Name (DN) name used by Samba to contact the ldap server when retreiving - user account information. The <parameter>ldap + <listitem><para>This parameter is only available if Samba has been + configure to include the <command>--with-ldapsam</command> option + at compile time. This option should be considered experimental and + under active development. + </para> + + <para> + The <parameter>ldap admin dn</parameter> defines the Distinguished + Name (DN) name used by Samba to contact the <link linkend="LDAPSERVER">ldap + server</link> when retreiving user account information. The <parameter>ldap admin dn</parameter> is used in conjunction with the admin dn password stored in the <filename>private/secrets.tdb</filename> file. See the <ulink url="smbpasswd.8.html"><command>smbpasswd(8)</command></ulink> man @@ -3470,42 +3541,46 @@ <varlistentry> <term><anchor id="LDAPFILTER">ldap filter (G)</term> - <listitem><para>This parameter specifies the RFC 2254 compliant LDAP search filter. + <listitem><para>This parameter is only available if Samba has been + configure to include the <command>--with-ldapsam</command> option + at compile time. This option should be considered experimental and + under active development. + </para> + + <para> + This parameter specifies the RFC 2254 compliant LDAP search filter. The default is to match the login name with the <constant>uid</constant> attribute for all entries matching the <constant>sambaAccount</constant> objectclass. Note that this filter should only return one entry. </para> - <para>Default : <command>ldap filter = (&(uid=%u)(objectclass=sambaAccount))</command></para> + <para>Default : <command>ldap filter = (&(uid=%u)(objectclass=sambaAccount))</command></para> </listitem> </varlistentry> + + <varlistentry> - <term><anchor id="LDAPSSL">ldap ssl (G)</term> - <listitem><para>This option is used to define whether or not Samba should - use SSL when connecting to the ldap server - This is <emphasis>NOT</emphasis> related to - Samba's previous SSL support which was enabled by specifying the - <command>--with-ssl</command> option to the <filename>configure</filename> - script. + <term><anchor id="LDAPPORT">ldap port (G)</term> + <listitem><para>This parameter is only available if Samba has been + configure to include the <command>--with-ldapsam</command> option + at compile time. This option should be considered experimental and + under active development. </para> <para> - The <parameter>ldap ssl</parameter> can be set to one of three values: - </para> - <itemizedlist> - <listitem><para><parameter>On</parameter> = Always use SSL when contacting the - <parameter>ldap server</parameter>.</para></listitem> - - <listitem><para><parameter>Off</parameter> = Never use SSL when querying the directory.</para></listitem> + This option is used to control the tcp port number used to contact + the <link linkend="LDAPSERVER"><parameter>ldap server</parameter></link>. + The default is to use the stand LDAPS port 636. + </para> - <listitem><para><parameter>Start_tls</parameter> = Use the LDAPv3 StartTLS extended operation - (RFC2830) for communicating with the directory server.</para></listitem> - </itemizedlist> + <para>See Also: <link linkend="LDAPSSL">ldap ssl</link> + </para> - <para>Default : <command>ldap ssl = on</command></para> + <para>Default : <command>ldap port = 636 ; if ldap ssl = on</command></para> + <para>Default : <command>ldap port = 389 ; if ldap ssl = off</command></para> </listitem> </varlistentry> @@ -3513,31 +3588,67 @@ <varlistentry> - <term><anchor id="LDAPSUFFIX">ldap suffix (G)</term> - <listitem> - <para>Default : <emphasis>none</emphasis></para> + <term><anchor id="LDAPSERVER">ldap server (G)</term> + <listitem><para>This parameter is only available if Samba has been + configure to include the <command>--with-ldapsam</command> option + at compile time. This option should be considered experimental and + under active development. + </para> + + <para> + This parameter should contains the FQDN of the ldap directory + server which should be queried to locate user account information. + </para> + + + + <para>Default : <command>ldap server = localhost</command></para> </listitem> </varlistentry> + <varlistentry> - <term><anchor id="LDAPUSERSUFFIX">ldap user suffix (G)</term> - <listitem><para>It specifies where users are added to the tree. + <term><anchor id="LDAPSSL">ldap ssl (G)</term> + <listitem><para>This parameter is only available if Samba has been + configure to include the <command>--with-ldapsam</command> option + at compile time. This option should be considered experimental and + under active development. </para> - + <para> + This option is used to define whether or not Samba should + use SSL when connecting to the <link linkend="LDAPSERVER"><parameter>ldap + server</parameter></link>. This is <emphasis>NOT</emphasis> related to + Samba SSL support which is enabled by specifying the + <command>--with-ssl</command> option to the <filename>configure</filename> + script (see <link linkend="SSL"><parameter>ssl</parameter></link>). + </para> - <para>Default : <emphasis>none</emphasis></para> + <para> + The <parameter>ldap ssl</parameter> can be set to one of three values: + (a) <constant>on</constant> - Always use SSL when contacting the + <parameter>ldap server</parameter>, (b) <constant>off</constant> - + Never use SSL when querying the directory, or (c) <constant>start_tls</constant> + - Use the LDAPv3 StartTLS extended operation + (RFC2830) for communicating with the directory server. + </para> + + + <para>Default : <command>ldap ssl = on</command></para> </listitem> </varlistentry> + <varlistentry> - <term><anchor id="LDAPMACHINESUFFIX">ldap machine suffix (G)</term> - <listitem><para>It specifies where machines should be - added to the ldap tree. + <term><anchor id="LDAPSUFFIX">ldap suffix (G)</term> + <listitem><para>This parameter is only available if Samba has been + configure to include the <command>--with-ldapsam</command> option + at compile time. This option should be considered experimental and + under active development. </para> @@ -3546,29 +3657,7 @@ </listitem> </varlistentry> - <varlistentry> - <term><anchor id="LDAPPASSWDSYNC">ldap passwd sync (G)</term> - <listitem><para>This option is used to define whether - or not Samba should sync the LDAP password with the NT - and LM hashes for normal accounts (NOT for - workstation, server or domain trusts) on a password - change via SAMBA. - </para> - <para> - The <parameter>ldap passwd sync</parameter> can be set to one of three values: - </para> - <itemizedlist> - <listitem><para><parameter>Yes</parameter> = Try to update the LDAP, NT and LM passwords and update the pwdLastSet time.</para></listitem> - - <listitem><para><parameter>No</parameter> = Update NT and LM passwords and update the pwdLastSet time.</para></listitem> - - <listitem><para><parameter>Only</parameter> = Only update the LDAP password and let the LDAP server do the rest.</para></listitem> - </itemizedlist> - - <para>Default : <command>ldap passwd sync = no</command></para> - </listitem> - </varlistentry> @@ -3798,18 +3887,15 @@ <varlistentry> <term><anchor id="LOGLEVEL">log level (G)</term> - <listitem><para>The value of the parameter (a astring) allows + <listitem><para>The value of the parameter (an integer) allows the debug level (logging level) to be specified in the - <filename>smb.conf</filename> file. This parameter has been - extended since 2.2.x series, now it allow to specify the debug - level for multiple debug classes. This is to give greater + <filename>smb.conf</filename> file. This is to give greater flexibility in the configuration of the system.</para> <para>The default will be the log level specified on the command line or level zero if none was specified.</para> - <para>Example: <command>log level = 3 passdb:5 auth:10 winbind:2 - </command></para></listitem> + <para>Example: <command>log level = 3</command></para></listitem> </varlistentry> @@ -4265,7 +4351,7 @@ <para>See the section on <link linkend="NAMEMANGLINGSECT"> NAME MANGLING</link> for details on how to control the mangling process.</para> - <para>If mangling is used then the mangling algorithm is as follows:</para> + <para>If mangling algorithm "hash" is used then the mangling algorithm is as follows:</para> <itemizedlist> <listitem><para>The first (up to) five alphanumeric characters @@ -4305,6 +4391,40 @@ in a directory share the same first five alphanumeric characters. The probability of such a clash is 1/1300.</para> + <para>If mangling algorithm "hash2" is used then the mangling algorithm is as follows:</para> + + <itemizedlist> + <listitem><para>The first alphanumeric character + before the rightmost dot of the filename is preserved, forced + to upper case, and appears as the first character of the mangled name. + </para></listitem> + + <listitem><para>A base63 hash of 5 characters is generated and the + first 4 characters of that hash are appended to the first character. + </para></listitem> + + <listitem><para>A tilde "~" is appended to the first part of the mangled + name, followed by the final character of the base36 hash of the name. + </para> + + <para>Note that the character to use may be specified using + the <link linkend="MANGLINGCHAR"><parameter>mangling char</parameter> + </link> option, if you don't like '~'.</para></listitem> + + <listitem><para>The first three alphanumeric characters of the final + extension are preserved, forced to upper case and appear as the + extension of the mangled name. The final extension is defined as that + part of the original filename after the rightmost dot. If there are no + dots in the filename, the mangled name will have no extension (except + in the case of "hidden files" - see below).</para></listitem> + + <listitem><para>Files whose UNIX name begins with a dot will be + presented as DOS hidden files. The mangled name will be created as + for other filenames, but with the leading dot removed and "___" as + its extension regardless of actual original extension (that's three + underscores).</para></listitem> + </itemizedlist> + <para>The name mangling (if enabled) allows a file to be copied between UNIX directories from Windows/DOS while retaining the long UNIX filename. UNIX files can be renamed to a new extension @@ -4315,22 +4435,8 @@ </listitem> </varlistentry> - <varlistentry> - <term><anchor id="MANGLINGMETHOD">mangling method (G)</term> - <listitem><para> controls the algorithm used for the generating - the mangled names. Can take two different values, "hash" and - "hash2". "hash" is the default and is the algorithm that has been - used in Samba for many years. "hash2" is a newer and considered - a better algorithm (generates less collisions) in the names. - However, many Win32 applications store the mangled names and so - changing to the new algorithm must not be done - lightly as these applications may break unless reinstalled. - New installations of Samba may set the default to hash2.</para> - <para>Default: <command>mangling method = hash</command></para> - <para>Example: <command>mangling method = hash2</command></para> - </listitem> - </varlistentry> + <varlistentry> <term><anchor id="MANGLEDSTACK">mangled stack (G)</term> <listitem><para>This parameter controls the number of mangled names @@ -4372,6 +4478,21 @@ </varlistentry> + <varlistentry> + <term><anchor id="MANGLINGMETHOD">mangling mathod(G)</term> + <listitem><para> controls the algorithm used for the generating + the mangled names. Can take two different values, "hash" and + "hash2". "hash" is the default and is the algorithm that has been + used in Samba for many years. "hash2" is a newer and considered + a better algorithm (generates less collisions) in the names. + However, many Win32 applications store the mangled names and so + changing to the new algorithm must not be done + lightly as these applications may break unless reinstalled. + New installations of Samba may set the default to hash2.</para> + <para>Default: <command>mangling method = hash</command></para> + <para>Example: <command>mangling method = hash2</command></para> + </listitem> + </varlistentry> @@ -4868,18 +4989,6 @@ </listitem> </varlistentry> - <varlistentry> - <term><anchor id="NAMECACHETIMEOUT">name cache timeout (G)</term> - <listitem><para>Specifies the number of seconds it takes before - entries in samba's hostname resolve cache time out. If - the timeout is set to 0. the caching is disabled. - </para> - - - <para>Default: <command>name cache timeout = 660</command></para> - <para>Example: <command>name cache timeout = 0</command></para> - </listitem> - </varlistentry> <varlistentry> <term><anchor id="NAMERESOLVEORDER">name resolve order (G)</term> @@ -5017,30 +5126,6 @@ <varlistentry> - <term><anchor id="NONUNIXACCOUNTRANGE">non unix account range (G)</term> - <listitem><para>The non unix account range parameter specifies - the range of 'user ids' that are allocated by the various 'non unix - account' passdb backends. These backends allow - the storage of passwords for users who don't exist in /etc/passwd. - This is most often used for machine account creation. - This range of ids should have no existing local or NIS users within - it as strange conflicts can occur otherwise.</para> - - <para>NOTE: These userids never appear on the system and Samba will never - 'become' these users. They are used only to ensure that the algorithmic - RID mapping does not conflict with normal users. - </para> - - <para>Default: <command>non unix account range = <empty string> - </command></para> - - <para>Example: <command>non unix account range = 10000-20000</command></para> - </listitem> - </varlistentry> - - - - <varlistentry> <term><anchor id="NTACLSUPPORT">nt acl support (S)</term> <listitem><para>This boolean parameter controls whether <ulink url="smbd.8.html">smbd(8)</ulink> will attempt to map @@ -5069,6 +5154,27 @@ <varlistentry> + <term><anchor id="NTSMBSUPPORT">nt smb support (G)</term> + <listitem><para>This boolean parameter controls whether <ulink + url="smbd.8.html">smbd(8)</ulink> will negotiate NT specific SMB + support with Windows NT/2k/XP clients. Although this is a developer + debugging option and should be left alone, benchmarking has discovered + that Windows NT clients give faster performance with this option + set to <constant>no</constant>. This is still being investigated. + If this option is set to <constant>no</constant> then Samba offers + exactly the same SMB calls that versions prior to Samba 2.0 offered. + This information may be of use if any users are having problems + with NT SMB support.</para> + + <para>You should not need to ever disable this parameter.</para> + + <para>Default: <command>nt smb support = yes</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> <term><anchor id="NTSTATUSSUPPORT">nt status support (G)</term> <listitem><para>This boolean parameter controls whether <ulink url="smbd.8.html">smbd(8)</ulink> will negotiate NT specific status @@ -5085,6 +5191,7 @@ </varlistentry> + <varlistentry> <term><anchor id="NULLPASSWORDS">null passwords (G)</term> <listitem><para>Allow or disallow client access to accounts @@ -5227,19 +5334,7 @@ </listitem> </varlistentry> - <varlistentry> - <term><anchor id="NTLMAUTH">ntlm auth (G)</term> - <listitem><para>This parameter determines whether or not <ulink url="smbd.8.html">smbd</ulink> will - attempt to authenticate users using the NTLM password hash. - If disabled, only the lanman password hashes will be used. - </para> - <para>Please note that at least this option or <command>lanman auth</command> should be enabled in order to be able to log in. - </para> - - <para>Default : <command>ntlm auth = yes</command></para> - </listitem> - </varlistentry> <varlistentry> <term><anchor id="OSLEVEL">os level (G)</term> @@ -5320,98 +5415,6 @@ </listitem> </varlistentry> - <varlistentry> - <term><anchor id="PARANOIDSERVERSECURITY">paranoid server security (G)</term> - <listitem><para>Some version of NT 4.x allow non-guest - users with a bad passowrd. When this option is enabled, samba will not - use a broken NT 4.x server as password server, but instead complain - to the logs and exit. - </para> - - <para>Default: <command>paranoid server security = yes</command></para> - - </listitem> - </varlistentry> - - <varlistentry> - <term><anchor id="PASSDBBACKEND">passdb backend (G)</term> - <listitem><para>This option allows the administrator to chose which backends to retrieve and store passwords with. This allows (for example) both - smbpasswd and tdbsam to be used without a recompile. - Multiple backends can be specified, seperated by spaces. The backends will be searched in the order they are specified. New users are always added to the first backend specified. - Experimental backends must still be selected - (eg --with-tdbsam) at configure time. - </para> - - <para>This parameter is in two parts, the backend's name, and a 'location' - string that has meaning only to that particular backed. These are separated - by a : character.</para> - - <para>Available backends can include: - <itemizedlist> - <listitem><para><command>smbpasswd</command> - The default smbpasswd - backend. Takes a path to the smbpasswd file as an optional argument.</para></listitem> - - <listitem><para><command>smbpasswd_nua</command> - The smbpasswd - backend, but with support for 'not unix accounts'. - Takes a path to the smbpasswd file as an optional argument.</para> - <para>See also <link linkend="NONUNIXACCOUNTRANGE"> - <parameter>non unix account range</parameter></link></para></listitem> - - <listitem><para><command>tdbsam</command> - The TDB based password storage - backend. Takes a path to the TDB as an optional argument (defaults to passdb.tdb - in the <link linkend="PRIVATEDIR"> - <parameter>private dir</parameter></link> directory.</para></listitem> - - <listitem><para><command>tdbsam_nua</command> - The TDB based password storage - backend, with non unix account support. Takes a path to the TDB as an optional argument (defaults to passdb.tdb - in the <link linkend="PRIVATEDIR"> - <parameter>private dir</parameter></link> directory.</para> - <para>See also <link linkend="NONUNIXACCOUNTRANGE"> - <parameter>non unix account range</parameter></link></para></listitem> - - <listitem><para><command>ldapsam</command> - The LDAP based passdb - backend. Takes an LDAP URL as an optional argument (defaults to - <command>ldap://localhost</command>)</para></listitem> - - <listitem><para><command>ldapsam_nua</command> - The LDAP based passdb - backend, with non unix account support. Takes an LDAP URL as an optional argument (defaults to - <command>ldap://localhost</command>)</para> - <para>See also <link linkend="NONUNIXACCOUNTRANGE"> - <parameter>non unix account range</parameter></link></para></listitem> - - <listitem><para><command>nisplussam</command> - The NIS+ based passdb backend. Takes name NIS domain as an optional argument. Only works with sun NIS+ servers. </para></listitem> - - <listitem><para><command>plugin</command> - Allows Samba to load an - arbitary passdb backend from the .so specified as a compulsary argument. - </para> - - <para>Any characters after the (optional) second : are passed to the plugin - for its own processing</para> - </listitem> - - <listitem><para><command>unixsam</command> - Allows samba to map all (other) available unix users</para> - - <para>This backend uses the standard unix database for retrieving users. Users included - in this pdb are NOT listed in samba user listings and users included in this pdb won't be - able to login. The use of this backend is to always be able to display the owner of a file - on the samba server - even when the user doesn't have a 'real' samba account in one of the - other passdb backends. - </para> - - <para>This backend should always be the last backend listed, since it contains all users in - the unix passdb and might 'override' mappings if specified earlier. It's meant to only return - accounts for users that aren't covered by the previous backends.</para> - </listitem> - </itemizedlist> - </para> - - <para>Default: <command>passdb backend = smbpasswd unixsam</command></para> - <para>Example: <command>passdb backend = tdbsam:/etc/samba/private/passdb.tdb smbpasswd:/etc/samba/smbpasswd unixsam</command></para> - <para>Example: <command>passdb backend = ldapsam_nua:ldaps://ldap.example.com unixsam</command></para> - <para>Example: <command>passdb backend = plugin:/usr/local/samba/lib/my_passdb.so:my_plugin_args tdbsam:/etc/samba/private/passdb.tdb</command></para> - </listitem> - </varlistentry> - <varlistentry> <term><anchor id="PASSWDCHAT">passwd chat (G)</term> @@ -6236,24 +6239,10 @@ [printers]</link> section.</para> </listitem> </varlistentry> - - - - <varlistentry> - <term><anchor id="PRIVATEDIR">private dir (G)</term> - <listitem><para>This parameters defines the directory - smbd will use for storing such files as <filename>smbpasswd</filename> - and <filename>secrets.tdb</filename>. - </para> - <para>Default :<command>private dir = ${prefix}/private</command></para> - </listitem> - </varlistentry> - - <varlistentry> <term><anchor id="PROTOCOL">protocol (G)</term> <listitem><para>Synonym for <link linkend="MAXPROTOCOL"> @@ -6432,18 +6421,6 @@ </varlistentry> - <varlistentry> - <term><anchor id="REALM">realm (G)</term> - <listitem><para> - This option specifies the kerberos realm to use. The realm is - used as the ADS equivalent of the NT4<command>domain</command>. It - is usually set to the DNS name of the kerberos server. - </para> - - <para>Default: <command>realm = </command></para> - <para>Example: <command>realm = mysambabox.mycompany.com</command></para> - </listitem> - </varlistentry> <varlistentry> <term><anchor id="REMOTEANNOUNCE">remote announce (G)</term> @@ -7044,49 +7021,6 @@ - <varlistentry> - <term><anchor id="SHUTDOWNSCRIPT">shutdown script (G)</term> - <listitem><para><emphasis>This parameter only exists in the HEAD cvs branch</emphasis> - This a full path name to a script called by - <ulink url="smbd.8.html"><command>smbd(8)</command></ulink> that - should start a shutdown procedure.</para> - - <para>This command will be run as the user connected to the - server.</para> - - <para>%m %t %r %f parameters are expanded</para> - <para><parameter>%m</parameter> will be substituted with the - shutdown message sent to the server.</para> - <para><parameter>%t</parameter> will be substituted with the - number of seconds to wait before effectively starting the - shutdown procedure.</para> - <para><parameter>%r</parameter> will be substituted with the - switch <emphasis>-r</emphasis>. It means reboot after shutdown - for NT. - </para> - <para><parameter>%f</parameter> will be substituted with the - switch <emphasis>-f</emphasis>. It means force the shutdown - even if applications do not respond for NT.</para> - - <para>Default: <emphasis>None</emphasis>.</para> - <para>Example: <command>abort shutdown script = /usr/local/samba/sbin/shutdown %m %t %r %f</command></para> - <para>Shutdown script example: - <programlisting> - #!/bin/bash - - $time=0 - let "time/60" - let "time++" - - /sbin/shutdown $3 $4 +$time $1 & - </programlisting> - Shutdown does not return so we need to launch it in background. - </para> - - <para>See also <link linkend="ABORTSHUTDOWNSCRIPT"><parameter>abort shutdown script</parameter></link>.</para> - </listitem> - </varlistentry> - <varlistentry> <term><anchor id="SMBPASSWDFILE">smb passwd file (G)</term> @@ -7103,16 +7037,7 @@ </varlistentry> - <varlistentry> - <term><anchor id="SMBPORTS">smb ports (G)</term> - <listitem><para>Specifies which ports the server should listen on - for SMB traffic. - </para> - <para>Default: <command>smb ports = 445 139</command></para> - - </listitem> - </varlistentry> <varlistentry> <term><anchor id="SOCKETADDRESS">socket address (G)</term> @@ -7227,12 +7152,349 @@ /usr/local/smb_env_vars</command></para> </listitem> </varlistentry> -<varlistentry> -<term><anchor id="SPNEGO">use spnego (G)</term> -<listitem><para> This variable controls controls whether samba will try to use Simple and Protected NEGOciation (as specified by rfc2478) with WindowsXP and Windows2000sp2 clients to agree upon an authentication mechanism. As of samba 3.0alpha it must be set to "no" for these clients to join a samba domain controller. It can be set to "yes" to allow samba to participate in an AD domain controlled by a Windows2000 domain controller.</para> -<para>Default: <emphasis>use spnego = yes</emphasis></para> -</listitem> -</varlistentry> + + + + <varlistentry> + <term><anchor id="SSL">ssl (G)</term> + <listitem><para>This variable is part of SSL-enabled Samba. This + is only available if the SSL libraries have been compiled on your + system and the configure option <command>--with-ssl</command> was + given at configure time.</para> + + <para>This variable enables or disables the entire SSL mode. If + it is set to <constant>no</constant>, the SSL-enabled Samba behaves + exactly like the non-SSL Samba. If set to <constant>yes</constant>, + it depends on the variables <link linkend="SSLHOSTS"><parameter> + ssl hosts</parameter></link> and <link linkend="SSLHOSTSRESIGN"> + <parameter>ssl hosts resign</parameter></link> whether an SSL + connection will be required.</para> + + <para>Default: <command>ssl = no</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term><anchor id="SSLCACERTDIR">ssl CA certDir (G)</term> + <listitem><para>This variable is part of SSL-enabled Samba. This + is only available if the SSL libraries have been compiled on your + system and the configure option <command>--with-ssl</command> was + given at configure time.</para> + + <para>This variable defines where to look up the Certification + Authorities. The given directory should contain one file for + each CA that Samba will trust. The file name must be the hash + value over the "Distinguished Name" of the CA. How this directory + is set up is explained later in this document. All files within the + directory that don't fit into this naming scheme are ignored. You + don't need this variable if you don't verify client certificates.</para> + + <para>Default: <command>ssl CA certDir = /usr/local/ssl/certs + </command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term><anchor id="SSLCACERTFILE">ssl CA certFile (G)</term> + <listitem><para>This variable is part of SSL-enabled Samba. This + is only available if the SSL libraries have been compiled on your + system and the configure option <command>--with-ssl</command> was + given at configure time.</para> + + <para>This variable is a second way to define the trusted CAs. + The certificates of the trusted CAs are collected in one big + file and this variable points to the file. You will probably + only use one of the two ways to define your CAs. The first choice is + preferable if you have many CAs or want to be flexible, the second + is preferable if you only have one CA and want to keep things + simple (you won't need to create the hashed file names). You + don't need this variable if you don't verify client certificates.</para> + + <para>Default: <command>ssl CA certFile = /usr/local/ssl/certs/trustedCAs.pem + </command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term><anchor id="SSLCIPHERS">ssl ciphers (G)</term> + <listitem><para>This variable is part of SSL-enabled Samba. This + is only available if the SSL libraries have been compiled on your + system and the configure option <command>--with-ssl</command> was + given at configure time.</para> + + <para>This variable defines the ciphers that should be offered + during SSL negotiation. You should not set this variable unless + you know what you are doing.</para> + </listitem> + </varlistentry> + + + <varlistentry> + <term><anchor id="SSLCLIENTCERT">ssl client cert (G)</term> + <listitem><para>This variable is part of SSL-enabled Samba. This + is only available if the SSL libraries have been compiled on your + system and the configure option <command>--with-ssl</command> was + given at configure time.</para> + + <para>The certificate in this file is used by <ulink url="smbclient.1.html"> + <command>smbclient(1)</command></ulink> if it exists. It's needed + if the server requires a client certificate.</para> + + <para>Default: <command>ssl client cert = /usr/local/ssl/certs/smbclient.pem + </command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term><anchor id="SSLCLIENTKEY">ssl client key (G)</term> + <listitem><para>This variable is part of SSL-enabled Samba. This + is only available if the SSL libraries have been compiled on your + system and the configure option <command>--with-ssl</command> was + given at configure time.</para> + + <para>This is the private key for <ulink url="smbclient.1.html"> + <command>smbclient(1)</command></ulink>. It's only needed if the + client should have a certificate. </para> + + <para>Default: <command>ssl client key = /usr/local/ssl/private/smbclient.pem + </command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term><anchor id="SSLCOMPATIBILITY">ssl compatibility (G)</term> + <listitem><para>This variable is part of SSL-enabled Samba. This + is only available if the SSL libraries have been compiled on your + system and the configure option <command>--with-ssl</command> was + given at configure time.</para> + + <para>This variable defines whether OpenSSL should be configured + for bug compatibility with other SSL implementations. This is + probably not desirable because currently no clients with SSL + implementations other than OpenSSL exist.</para> + + <para>Default: <command>ssl compatibility = no</command></para> + </listitem> + </varlistentry> + + + <varlistentry> + <term><anchor id="SSLEGDSOCKET">ssl egd socket (G)</term> + <listitem><para>This variable is part of SSL-enabled Samba. This + is only available if the SSL libraries have been compiled on your + system and the configure option <command>--with-ssl</command> was + given at configure time.</para> + + <para> + This option is used to define the location of the communiation socket of + an EGD or PRNGD daemon, from which entropy can be retrieved. This option + can be used instead of or together with the <link + linkend="SSLENTROPYFILE"><parameter>ssl entropy file</parameter></link> + directive. 255 bytes of entropy will be retrieved from the daemon. + </para> + + <para>Default: <emphasis>none</emphasis></para> + </listitem> + </varlistentry> + + + <varlistentry> + <term><anchor id="SSLENTROPYBYTES">ssl entropy bytes (G)</term> + <listitem><para>This variable is part of SSL-enabled Samba. This + is only available if the SSL libraries have been compiled on your + system and the configure option <command>--with-ssl</command> was + given at configure time.</para> + + <para> + This parameter is used to define the number of bytes which should + be read from the <link linkend="SSLENTROPYFILE"><parameter>ssl entropy + file</parameter></link> If a -1 is specified, the entire file will + be read. + </para> + + <para>Default: <command>ssl entropy bytes = 255</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term><anchor id="SSLENTROPYFILE">ssl entropy file (G)</term> + <listitem><para>This variable is part of SSL-enabled Samba. This + is only available if the SSL libraries have been compiled on your + system and the configure option <command>--with-ssl</command> was + given at configure time.</para> + + <para> + This parameter is used to specify a file from which processes will + read "random bytes" on startup. In order to seed the internal pseudo + random number generator, entropy must be provided. On system with a + <filename>/dev/urandom</filename> device file, the processes + will retrieve its entropy from the kernel. On systems without kernel + entropy support, a file can be supplied that will be read on startup + and that will be used to seed the PRNG. + </para> + + <para>Default: <emphasis>none</emphasis></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term><anchor id="SSLHOSTS">ssl hosts (G)</term> + <listitem><para>See <link linkend="SSLHOSTSRESIGN"><parameter> + ssl hosts resign</parameter></link>.</para> + </listitem> + </varlistentry> + + + <varlistentry> + <term><anchor id="SSLHOSTSRESIGN">ssl hosts resign (G)</term> + <listitem><para>This variable is part of SSL-enabled Samba. This + is only available if the SSL libraries have been compiled on your + system and the configure option <command>--with-ssl</command> was + given at configure time.</para> + + <para>These two variables define whether Samba will go + into SSL mode or not. If none of them is defined, Samba will + allow only SSL connections. If the <link linkend="SSLHOSTS"> + <parameter>ssl hosts</parameter></link> variable lists + hosts (by IP-address, IP-address range, net group or name), + only these hosts will be forced into SSL mode. If the <parameter> + ssl hosts resign</parameter> variable lists hosts, only these + hosts will <emphasis>NOT</emphasis> be forced into SSL mode. The syntax for these two + variables is the same as for the <link linkend="HOSTSALLOW"><parameter> + hosts allow</parameter></link> and <link linkend="HOSTSDENY"> + <parameter>hosts deny</parameter></link> pair of variables, only + that the subject of the decision is different: It's not the access + right but whether SSL is used or not. </para> + + <para>The example below requires SSL connections from all hosts + outside the local net (which is 192.168.*.*).</para> + + <para>Default: <command>ssl hosts = <empty string></command></para> + <para><command>ssl hosts resign = <empty string></command></para> + + <para>Example: <command>ssl hosts resign = 192.168.</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term><anchor id="SSLREQUIRECLIENTCERT">ssl require clientcert (G)</term> + <listitem><para>This variable is part of SSL-enabled Samba. This + is only available if the SSL libraries have been compiled on your + system and the configure option <command>--with-ssl</command> was + given at configure time.</para> + + <para>If this variable is set to <constant>yes</constant>, the + server will not tolerate connections from clients that don't + have a valid certificate. The directory/file given in <link + linkend="SSLCACERTDIR"><parameter>ssl CA certDir</parameter> + </link> and <link linkend="SSLCACERTFILE"><parameter>ssl CA certFile + </parameter></link> will be used to look up the CAs that issued + the client's certificate. If the certificate can't be verified + positively, the connection will be terminated. If this variable + is set to <constant>no</constant>, clients don't need certificates. + Contrary to web applications you really <emphasis>should</emphasis> + require client certificates. In the web environment the client's + data is sensitive (credit card numbers) and the server must prove + to be trustworthy. In a file server environment the server's data + will be sensitive and the clients must prove to be trustworthy.</para> + + <para>Default: <command>ssl require clientcert = no</command></para> + </listitem> + </varlistentry> + + + + <varlistentry> + <term><anchor id="SSLREQUIRESERVERCERT">ssl require servercert (G)</term> + <listitem><para>This variable is part of SSL-enabled Samba. This + is only available if the SSL libraries have been compiled on your + system and the configure option <command>--with-ssl</command> was + given at configure time.</para> + + <para>If this variable is set to <constant>yes</constant>, the + <ulink url="smbclient.1.html"><command>smbclient(1)</command> + </ulink> will request a certificate from the server. Same as + <link linkend="SSLREQUIRECLIENTCERT"><parameter>ssl require + clientcert</parameter></link> for the server.</para> + + <para>Default: <command>ssl require servercert = no</command> + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term><anchor id="SSLSERVERCERT">ssl server cert (G)</term> + <listitem><para>This variable is part of SSL-enabled Samba. This + is only available if the SSL libraries have been compiled on your + system and the configure option <command>--with-ssl</command> was + given at configure time.</para> + + <para>This is the file containing the server's certificate. + The server <emphasis>must</emphasis> have a certificate. The + file may also contain the server's private key. See later for + how certificates and private keys are created.</para> + + <para>Default: <command>ssl server cert = <empty string> + </command></para> + </listitem> + </varlistentry> + + + <varlistentry> + <term><anchor id="SSLSERVERKEY">ssl server key (G)</term> + <listitem><para>This variable is part of SSL-enabled Samba. This + is only available if the SSL libraries have been compiled on your + system and the configure option <command>--with-ssl</command> was + given at configure time.</para> + + <para>This file contains the private key of the server. If + this variable is not defined, the key is looked up in the + certificate file (it may be appended to the certificate). + The server <emphasis>must</emphasis> have a private key + and the certificate <emphasis>must</emphasis> + match this private key.</para> + + <para>Default: <command>ssl server key = <empty string> + </command></para> + </listitem> + </varlistentry> + + + <varlistentry> + <term><anchor id="SSLVERSION">ssl version (G)</term> + <listitem><para>This variable is part of SSL-enabled Samba. This + is only available if the SSL libraries have been compiled on your + system and the configure option <command>--with-ssl</command> was + given at configure time.</para> + + <para>This enumeration variable defines the versions of the + SSL protocol that will be used. <constant>ssl2or3</constant> allows + dynamic negotiation of SSL v2 or v3, <constant>ssl2</constant> results + in SSL v2, <constant>ssl3</constant> results in SSL v3 and + <constant>tls1</constant> results in TLS v1. TLS (Transport Layer + Security) is the new standard for SSL.</para> + + <para>Default: <command>ssl version = "ssl2or3"</command></para> + </listitem> + </varlistentry> + + <varlistentry> <term><anchor id="STATCACHE">stat cache (G)</term> @@ -7343,9 +7605,11 @@ <varlistentry> <term><anchor id="STRIPDOT">strip dot (G)</term> - <listitem><para>This is a boolean that controls whether to - strip trailing dots off UNIX filenames. This helps with some - CDROMs that have filenames ending in a single dot.</para> + <listitem><para>This parameter is now unused in Samba (2.2.5 and above). + It used strip trailing dots off UNIX filenames but was not correctly implmented. + In Samba 2.2.5 and above UNIX filenames ending in a dot are invalid Windows long + filenames (as they are in Windows NT and above) and are mangled to 8.3 before + being returned to a client.</para> <para>Default: <command>strip dot = no</command></para> </listitem> @@ -7489,27 +7753,8 @@ </listitem> </varlistentry> - <varlistentry> - <term><anchor id="UNICODE">unicode (G)</term> - <listitem><para>Specifies whether Samba should try - to use unicode on the wire by default. - </para> - <para>Default: <command>unicode = yes</command></para> - </listitem> - </varlistentry> - - <varlistentry> - <term><anchor id="UNIXCHARSET">unix charset (G)</term> - <listitem><para>Specifies the charset the unix machine - Samba runs on uses. Samba needs to know this in order to be able to - convert text to the charsets other SMB clients use. - </para> - - <para>Default: <command>unix charset = ASCII</command></para> - </listitem> - </varlistentry> <varlistentry> <term><anchor id="UNIXEXTENSIONS">unix extensions(G)</term> @@ -7862,12 +8107,6 @@ connection is made to a Samba server. Sites may use this to record the user connecting to a Samba share.</para> - <para>Due to the requirements of the utmp record, we - are required to create a unique identifier for the - incoming user. Enabling this option creates an n^2 - algorithm to find this number. This may impede - performance on large installations. </para> - <para>See also the <link linkend="UTMPDIRECTORY"><parameter> utmp directory</parameter></link> parameter.</para> @@ -7875,6 +8114,8 @@ </listitem> </varlistentry> + + <varlistentry> <term><anchor id="UTMPDIRECTORY">utmp directory(G)</term> <listitem><para>This parameter is only available if Samba has @@ -7888,32 +8129,73 @@ <filename>/var/run/utmp</filename> on Linux).</para> <para>Default: <emphasis>no utmp directory</emphasis></para> - <para>Example: <command>utmp directory = /var/run/utmp</command></para> </listitem> </varlistentry> + + <varlistentry> - <term><anchor id="WTMPDIRECTORY">wtmp directory(G)</term> - <listitem><para>This parameter is only available if Samba has - been configured and compiled with the option <command> - --with-utmp</command>. It specifies a directory pathname that is - used to store the wtmp or wtmpx files (depending on the UNIX system) that - record user connections to a Samba server. The difference with - the utmp directory is the fact that user info is kept after a user - has logged out. + <term><anchor id="VALIDCHARS">valid chars (G)</term> + <listitem><para>The option allows you to specify additional + characters that should be considered valid by the server in + filenames. This is particularly useful for national character + sets, such as adding u-umlaut or a-ring.</para> + + <para>The option takes a list of characters in either integer + or character form with spaces between them. If you give two + characters with a colon between them then it will be taken as + an lowercase:uppercase pair.</para> + + <para>If you have an editor capable of entering the characters + into the config file then it is probably easiest to use this + method. Otherwise you can specify the characters in octal, + decimal or hexadecimal form using the usual C notation.</para> + + <para>For example to add the single character 'Z' to the charset + (which is a pointless thing to do as it's already there) you could + do one of the following</para> + + <para><programlisting> + valid chars = Z + valid chars = z:Z + valid chars = 0132:0172 + </programlisting></para> - See also the <link linkend="UTMP"> - <parameter>utmp</parameter></link> parameter. By default this is - not set, meaning the system will use whatever utmp file the - native system is set to use (usually - <filename>/var/run/wtmp</filename> on Linux).</para> + <para>The last two examples above actually add two characters, + and alter the uppercase and lowercase mappings appropriately.</para> - <para>Default: <emphasis>no wtmp directory</emphasis></para> - <para>Example: <command>wtmp directory = /var/log/wtmp</command></para> + <para>Note that you <emphasis>MUST</emphasis> specify this parameter + after the <parameter>client code page</parameter> parameter if you + have both set. If <parameter>client code page</parameter> is set after + the <parameter>valid chars</parameter> parameter the <parameter>valid + chars</parameter> settings will be overwritten.</para> + + <para>See also the <link linkend="CLIENTCODEPAGE"><parameter>client + code page</parameter></link> parameter.</para> + + <para>Default: <emphasis>Samba defaults to using a reasonable set + of valid characters for English systems</emphasis></para> + + <para>Example: <command>valid chars = 0345:0305 0366:0326 0344:0304 + </command></para> + + <para>The above example allows filenames to have the Swedish + characters in them.</para> + + <para><emphasis>NOTE:</emphasis> It is actually quite difficult to + correctly produce a <parameter>valid chars</parameter> line for + a particular system. To automate the process <ulink + url="mailto:tino@augsburg.net">tino@augsburg.net</ulink> has written + a package called <command>validchars</command> which will automatically + produce a complete <parameter>valid chars</parameter> line for + a given client system. Look in the <filename>examples/validchars/ + </filename> subdirectory of your Samba source code distribution + for this package.</para> </listitem> </varlistentry> + <varlistentry> <term><anchor id="VALIDUSERS">valid users (S)</term> <listitem><para>This is a list of users that should be allowed @@ -8015,18 +8297,7 @@ veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/ </listitem> </varlistentry> - <varlistentry> - <term><anchor id="VFSPATH">vfs path (S)</term> - <listitem><para>This parameter specifies the directory - to look in for vfs modules. The name of every <command>vfs object - </command> will be prepended by this directory - </para> - - <para>Default: <command>vfs path = </command></para> - <para>Example: <command>vfs path = /usr/lib/samba/vfs</command></para> - </listitem> - </varlistentry> <varlistentry> <term><anchor id="VFSOBJECT">vfs object (S)</term> @@ -8397,20 +8668,6 @@ veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/ - <varlistentry> - <term><anchor id="WINSPARTNERS">wins partners (G)</term> - <listitem><para>A space separated list of partners' IP addresses for - WINS replication. WINS partners are always defined as push/pull - partners as defining only one way WINS replication is unreliable. - WINS replication is currently experimental and unreliable between - samba servers. - </para> - - <para>Default: <command>wins partners = </command></para> - - <para>Example: <command>wins partners = 192.168.0.1 172.16.1.2</command></para> - </listitem> - </varlistentry> <varlistentry> |