diff options
Diffstat (limited to 'docs/htmldocs')
25 files changed, 26627 insertions, 9345 deletions
diff --git a/docs/htmldocs/DOMAIN_MEMBER.html b/docs/htmldocs/DOMAIN_MEMBER.html index 847c6c51891..6ae8e7a49d1 100644 --- a/docs/htmldocs/DOMAIN_MEMBER.html +++ b/docs/htmldocs/DOMAIN_MEMBER.html @@ -1,127 +1,320 @@ - - - - - - -<html><head><title>Joining an NT Domain with Samba 2.0</title> - -<link rev="made" href="mailto:samba@samba.org"> -</head> -<body> - -<hr> - -<h1>Joining an NT Domain with Samba 2.0</h1> -<h2>Jeremy Allison, Samba Team</h2> -<h2>7th October 1999</h2> - -<h1>Table of Contents </h1><p></p> - -<p><hr><p><br> -<p><center>Joining an NT Domain with Samba 2.0 </center> -<center>----------------------------------- </center> -<p>In order for a Samba-2 server to join an NT domain, you must first add -the NetBIOS name of the Samba server to the NT domain on the PDC using -Server Manager for Domains. This creates the machine account in the -domain (PDC) SAM. Note that you should add the Samba server as a "Windows -NT Workstation or Server", <em>NOT</em> as a Primary or backup domain controller. -<p>Assume you have a Samba-2 server with a NetBIOS name of <code>SERV1</code> and are -joining an NT domain called <code>DOM</code>, which has a PDC with a NetBIOS name -of <code>DOMPDC</code> and two backup domain controllers with NetBIOS names <code>DOMBDC1</code> -and <code>DOMBDC2</code>. -<p>In order to join the domain, first stop all Samba daemons and run the -command -<p><code>smbpasswd -j DOM -r DOMPDC</code> -<p>as we are joining the domain DOM and the PDC for that domain (the only -machine that has write access to the domain SAM database) is DOMPDC. If this is -successful you will see the message: -<p><code>smbpasswd: Joined domain DOM.</code> -<p>in your terminal window. See the <a href="smbpasswd.8.html"><strong>smbpasswd</strong></a> -man page for more details. -<p>This command goes through the machine account password change -protocol, then writes the new (random) machine account password for -this Samba server into a file in the same directory in which an -smbpasswd file would be stored - normally : -<p><code>/usr/local/samba/private</code> -<p>The filename looks like this: -<p><code><NT DOMAIN NAME>.<Samba Server Name>.mac</code> -<p>The <code>.mac</code> suffix stands for machine account password file. So in -our example above, the file would be called: -<p><code>DOM.SERV1.mac</code> -<p>This file is created and owned by root and is not readable by any -other user. It is the key to the domain-level security for your -system, and should be treated as carefully as a shadow password file. -<p>Now, before restarting the Samba daemons you must edit your -<a href="smb.conf.5.html"><strong>smb.conf</strong></a> file to tell Samba it should now -use domain security. -<p>Change (or add) your -<p><a href="smb.conf.5.html#security"><strong>"security ="</strong></a> -<p>line in the <a href="smb.conf.5.html#global"><strong>[global]</strong></a> section of your -<a href="smb.conf.5.html"><strong>smb.conf</strong></a> to read: -<p><code>security = domain</code> -<p>Next change the -<p><a href="smb.conf.5.html#workgroup"><strong>"workgroup ="</strong></a> -<p>line in the <a href="smb.conf.5.html#global"><strong>[global]</strong></a> section to read: -<p><code>workgroup = DOM</code> -<p>as this is the name of the domain we are joining. -<p>You must also have the parameter <a href="smb.conf.5.html#encryptpasswords"><strong>"encrypt passwords"</strong></a> -set to <code>"yes"</code> in order for your users to authenticate to the -NT PDC. -<p>Finally, add (or modify) a: -<p><a href="smb.conf.5.html#passwordserver"><strong>"password server ="</strong></a> -<p>line in the <a href="smb.conf.5.html#global"><strong>[global]</strong></a> section to read: -<p><code>password server = DOMPDC DOMBDC1 DOMBDC2</code> -<p>These are the primary and backup domain controllers Samba will attempt -to contact in order to authenticate users. Samba will try to contact -each of these servers in order, so you may want to rearrange this list -in order to spread out the authentication load among domain -controllers. -<p>Alternatively, if you want smbd to automatically determine the -list of Domain controllers to use for authentication, you may set this line to be : -<p><code>password server = *</code> -<p>This method, which is new in Samba 2.0.6 and above, allows Samba -to use exactly the same mechanism that NT does. This method either broadcasts or -uses a WINS database in order to find domain controllers to -authenticate against. -<p>Finally, restart your Samba daemons and get ready for clients to begin -using domain security! -<p><center>Why is this better than security = server? </center> -<center>------------------------------------------ </center> -<p>Currently, domain security in Samba doesn't free you from having to -create local Unix users to represent the users attaching to your -server. This means that if domain user <code>DOM\fred</code> attaches to your -domain security Samba server, there needs to be a local Unix user fred -to represent that user in the Unix filesystem. This is very similar to -the older Samba security mode <a href="smb.conf.5.html#securityequalserver"><strong>"security=server"</strong></a>, where Samba would pass -through the authentication request to a Windows NT server in the same -way as a Windows 95 or Windows 98 server would. -<p>The advantage to domain-level security is that the authentication in -domain-level security is passed down the authenticated RPC channel in -exactly the same way that an NT server would do it. This means Samba -servers now participate in domain trust relationships in exactly the -same way NT servers do (i.e., you can add Samba servers into a -resource domain and have the authentication passed on from a resource -domain PDC to an account domain PDC. -<p>In addition, with <a href="smb.conf.5.html#securityequalserver"><strong>"security=server"</strong></a> every Samba daemon on a -server has to keep a connection open to the authenticating server for -as long as that daemon lasts. This can drain the connection resources -on a Microsoft NT server and cause it to run out of available -connections. With <a href="smb.conf.5.html#securityequaldomain"><strong>"security =domain"</strong></a>, however, the Samba -daemons connect to the PDC/BDC only for as long as is necessary to -authenticate the user, and then drop the connection, thus conserving -PDC connection resources. -<p>And finally, acting in the same manner as an NT server authenticating -to a PDC means that as part of the authentication reply, the Samba -server gets the user identification information such as the user SID, -the list of NT groups the user belongs to, etc. All this information -will allow Samba to be extended in the future into a mode the -developers currently call appliance mode. In this mode, no local Unix -users will be necessary, and Samba will generate Unix uids and gids -from the information passed back from the PDC when a user is -authenticated, making a Samba server truly plug and play in an NT -domain environment. Watch for this code soon. -<p><em>NOTE:</em> Much of the text of this document was first published in the -Web magazine <a href="http://www.linuxworld.com"><strong>"LinuxWorld"</strong></a> as the article <a href="http://www.linuxworld.com/linuxworld/lw-1998-10/lw-10-samba.html"><strong>"Doing the NIS/NT Samba"</strong></a>. -</body> -</html> +<HTML +><HEAD +><TITLE +></TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.57"></HEAD +><BODY +CLASS="ARTICLE" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><DIV +CLASS="ARTICLE" +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN2" +>Joining an NT Domain with Samba 2.2</A +></H1 +><P +>In order for a Samba-2 server to join an NT domain, + you must first add the NetBIOS name of the Samba server to the + NT domain on the PDC using Server Manager for Domains. This creates + the machine account in the domain (PDC) SAM. Note that you should + add the Samba server as a "Windows NT Workstation or Server", + <I +CLASS="EMPHASIS" +>NOT</I +> as a Primary or backup domain controller.</P +><P +>Assume you have a Samba-2 server with a NetBIOS name of + <TT +CLASS="CONSTANT" +>SERV1</TT +> and are joining an NT domain called + <TT +CLASS="CONSTANT" +>DOM</TT +>, which has a PDC with a NetBIOS name + of <TT +CLASS="CONSTANT" +>DOMPDC</TT +> and two backup domain controllers + with NetBIOS names <TT +CLASS="CONSTANT" +>DOMBDC1</TT +> and <TT +CLASS="CONSTANT" +>DOMBDC2 + </TT +>.</P +><P +>In order to join the domain, first stop all Samba daemons + and run the command:</P +><P +><TT +CLASS="PROMPT" +>root# </TT +><TT +CLASS="USERINPUT" +><B +>smbpasswd -j DOM -r DOMPDC + </B +></TT +></P +><P +>as we are joining the domain DOM and the PDC for that domain + (the only machine that has write access to the domain SAM database) + is DOMPDC. If this is successful you will see the message:</P +><P +><TT +CLASS="COMPUTEROUTPUT" +>smbpasswd: Joined domain DOM.</TT +> + </P +><P +>in your terminal window. See the <A +HREF="smbpasswd.8.html" +TARGET="_top" +> smbpasswd(8)</A +> man page for more details.</P +><P +>This command goes through the machine account password + change protocol, then writes the new (random) machine account + password for this Samba server into a file in the same directory + in which an smbpasswd file would be stored - normally :</P +><P +><TT +CLASS="FILENAME" +>/usr/local/samba/private</TT +></P +><P +>In Samba 2.0.x, the filename looks like this:</P +><P +><TT +CLASS="FILENAME" +><TT +CLASS="REPLACEABLE" +><I +><NT DOMAIN NAME></I +></TT +>. + <TT +CLASS="REPLACEABLE" +><I +><Samba Server Name></I +></TT +>.mac</TT +></P +><P +>The <TT +CLASS="FILENAME" +>.mac</TT +> suffix stands for machine account + password file. So in our example above, the file would be called:</P +><P +><TT +CLASS="FILENAME" +>DOM.SERV1.mac</TT +></P +><P +>In Samba 2.2, this file has been replaced with a TDB + (Trivial Database) file named <TT +CLASS="FILENAME" +>secrets.tdb</TT +>. + </P +><P +>This file is created and owned by root and is not + readable by any other user. It is the key to the domain-level + security for your system, and should be treated as carefully + as a shadow password file.</P +><P +>Now, before restarting the Samba daemons you must + edit your <A +HREF="smb.conf.5.html" +TARGET="_top" +><TT +CLASS="FILENAME" +>smb.conf(5)</TT +> + </A +> file to tell Samba it should now use domain security.</P +><P +>Change (or add) your <A +HREF="smb.conf.5.html#SECURITY" +TARGET="_top" +> <TT +CLASS="PARAMETER" +><I +>security =</I +></TT +></A +> line in the [global] section + of your smb.conf to read:</P +><P +><B +CLASS="COMMAND" +>security = domain</B +></P +><P +>Next change the <A +HREF="smb.conf.5.html#WORKGROUP" +TARGET="_top" +><TT +CLASS="PARAMETER" +><I +> workgroup =</I +></TT +></A +> line in the [global] section to read: </P +><P +><B +CLASS="COMMAND" +>workgroup = DOM</B +></P +><P +>as this is the name of the domain we are joining. </P +><P +>You must also have the parameter <A +HREF="smb.conf.5.html#ENCRYPTPASSWORDS" +TARGET="_top" +> <TT +CLASS="PARAMETER" +><I +>encrypt passwords</I +></TT +></A +> set to <TT +CLASS="CONSTANT" +>yes + </TT +> in order for your users to authenticate to the NT PDC.</P +><P +>Finally, add (or modify) a <A +HREF="smb.conf.5.html#PASSWORDSERVER" +TARGET="_top" +> <TT +CLASS="PARAMETER" +><I +>password server =</I +></TT +></A +> line in the [global] + section to read: </P +><P +><B +CLASS="COMMAND" +>password server = DOMPDC DOMBDC1 DOMBDC2</B +></P +><P +>These are the primary and backup domain controllers Samba + will attempt to contact in order to authenticate users. Samba will + try to contact each of these servers in order, so you may want to + rearrange this list in order to spread out the authentication load + among domain controllers.</P +><P +>Alternatively, if you want smbd to automatically determine + the list of Domain controllers to use for authentication, you may + set this line to be :</P +><P +><B +CLASS="COMMAND" +>password server = *</B +></P +><P +>This method, which was introduced in Samba 2.0.6, + allows Samba to use exactly the same mechanism that NT does. This + method either broadcasts or uses a WINS database in order to + find domain controllers to authenticate against.</P +><P +>Finally, restart your Samba daemons and get ready for + clients to begin using domain security!</P +></DIV +><DIV +CLASS="SECT1" +><HR><H1 +CLASS="SECT1" +><A +NAME="AEN65" +>Why is this better than security = server?</A +></H1 +><P +>Currently, domain security in Samba doesn't free you from + having to create local Unix users to represent the users attaching + to your server. This means that if domain user <TT +CLASS="CONSTANT" +>DOM\fred + </TT +> attaches to your domain security Samba server, there needs + to be a local Unix user fred to represent that user in the Unix + filesystem. This is very similar to the older Samba security mode + <A +HREF="smb.conf.5.html#SECURITYEQUALSERVER" +TARGET="_top" +>security = server</A +>, + where Samba would pass through the authentication request to a Windows + NT server in the same way as a Windows 95 or Windows 98 server would. + </P +><P +>The advantage to domain-level security is that the + authentication in domain-level security is passed down the authenticated + RPC channel in exactly the same way that an NT server would do it. This + means Samba servers now participate in domain trust relationships in + exactly the same way NT servers do (i.e., you can add Samba servers into + a resource domain and have the authentication passed on from a resource + domain PDC to an account domain PDC.</P +><P +>In addition, with <B +CLASS="COMMAND" +>security = server</B +> every Samba + daemon on a server has to keep a connection open to the + authenticating server for as long as that daemon lasts. This can drain + the connection resources on a Microsoft NT server and cause it to run + out of available connections. With <B +CLASS="COMMAND" +>security = domain</B +>, + however, the Samba daemons connect to the PDC/BDC only for as long + as is necessary to authenticate the user, and then drop the connection, + thus conserving PDC connection resources.</P +><P +>And finally, acting in the same manner as an NT server + authenticating to a PDC means that as part of the authentication + reply, the Samba server gets the user identification information such + as the user SID, the list of NT groups the user belongs to, etc. All + this information will allow Samba to be extended in the future into + a mode the developers currently call appliance mode. In this mode, + no local Unix users will be necessary, and Samba will generate Unix + uids and gids from the information passed back from the PDC when a + user is authenticated, making a Samba server truly plug and play + in an NT domain environment. Watch for this code soon.</P +><P +><I +CLASS="EMPHASIS" +>NOTE:</I +> Much of the text of this document + was first published in the Web magazine <A +HREF="http://www.linuxworld.com" +TARGET="_top" +> + LinuxWorld</A +> as the article <A +HREF="http://www.linuxworld.com/linuxworld/lw-1998-10/lw-10-samba.html" +TARGET="_top" +>Doing + the NIS/NT Samba</A +>.</P +></DIV +></DIV +></BODY +></HTML +>
\ No newline at end of file diff --git a/docs/htmldocs/NT_Security.html b/docs/htmldocs/NT_Security.html index eb4d3a23552..8615a7f0dab 100644 --- a/docs/htmldocs/NT_Security.html +++ b/docs/htmldocs/NT_Security.html @@ -1,254 +1,774 @@ - - - - - - -<html><head><title>Viewing and changing UNIX permissions using the NT security dialogs in Samba 2.0.4</title> - -<link rev="made" href="mailto:samba@samba.org"> -</head> -<body> - -<hr> - -<h1>Viewing and changing UNIX permissions using the NT security dialogs in Samba 2.0.4</h1> -<h2>Jeremy Allison, Samba Team</h2> -<h2>12th April 1999</h2> - -<h1>Table of Contents </h1><p></p> - -<p><hr><p><br> -<p><center><strong>Viewing and changing UNIX permissions using the NT security dialogs</strong> </center><br> -<center><strong>-------------------------------------------------------------------</strong> </center> -<p>New in the <strong>Samba 2.0.4</strong> release is the -ability for Windows NT clients to use their native security -settings dialog box to view and modify the underlying UNIX -permissions. -<p>Note that this ability is careful not to compromise the security -of the UNIX host Samba is running on, and still obeys all the -file permission rules that a Samba administrator can set. -<p>In Samba 2.0.4 and above the default value of the parameter -<a href="smb.conf.5.html#ntaclsupport"><strong>"nt acl support"</strong></a> has been -changed from "false" to "true", so manipulation of permissions is -turned on by default. -<p><strong>How to view file security on a Samba share</strong><br> -<strong>------------------------------------------</strong> -<p>From an NT 4.0 client, single-click with the right mouse button on -any file or directory in a Samba mounted drive letter or UNC path. -When the menu pops-up, click on the <code>Properties</code> entry at the -bottom of the menu. This brings up the normal file properties dialog -box, but with Samba 2.0.4 this will have a new tab along the top -marked <code>Security</code>. Click on this tab and you will see three buttons, -<em>Permissions</em>, <em>Auditing</em>, and <em>Ownership</em>. The <em>Auditing</em> -button will cause either an error message <code>"A requested privilege is -not held by the client"</code> to appear if the user is not the NT Administrator, -or a dialog which is intended to allow an Administrator to add -auditing requirements to a file if the user is logged on as the -NT Administrator. This dialog is non-functional with a Samba -share at this time, as the only useful button, the <code>Add</code> button -will not currently allow a list of users to be seen. -<p><strong>Viewing file ownership</strong><br> -<strong>----------------------</strong> -<p>Clicking on the <code>"Ownership"</code> button brings up a dialog box telling -you who owns the given file. The owner name will be of the form : -<p><code>"SERVER\user (Long name)"</code> -<p>Where <code>SERVER</code> is the NetBIOS name of the Samba server, <code>user</code> -is the user name of the UNIX user who owns the file, and <code>(Long name)</code> -is the discriptive string identifying the user (normally found in the -GECOS field of the UNIX password database). Click on the <code>Close</code> -button to remove this dialog. -<p>If the parameter <a href="smb.conf.5.html#ntaclsupport"><strong>"nt acl support"</strong></a> -is set to "false" then the file owner will be shown as the NT user -<code>"Everyone"</code>. -<p>The <code>Take Ownership</code> button will not allow you to change the -ownership of this file to yourself (clicking on it will display a -dialog box complaining that the user you are currently logged onto -the NT client cannot be found). The reason for this is that changing -the ownership of a file is a privilaged operation in UNIX, available -only to the <em>root</em> user. As clicking on this button causes NT to -attempt to change the ownership of a file to the current user logged -into the NT client this will not work with Samba at this time. -<p>There is an NT chown command that will work with Samba and allow -a user with Administrator privillage connected to a Samba 2.0.4 -server as root to change the ownership of files on both a local NTFS -filesystem or remote mounted NTFS or Samba drive. This is available -as part of the <strong>Seclib</strong> NT security library written by Jeremy -Allison of the Samba Team, available from the main Samba ftp site. -<p><strong>Viewing file or directory permissions</strong><br> -<strong>-------------------------------------</strong> -<p>The third button is the <code>"Permissions"</code> button. Clicking on this -brings up a dialog box that shows both the permissions and the UNIX -owner of the file or directory. The owner is displayed in the form : -<p><code>"SERVER\user (Long name)"</code> -<p>Where <code>SERVER</code> is the NetBIOS name of the Samba server, <code>user</code> -is the user name of the UNIX user who owns the file, and <code>(Long name)</code> -is the discriptive string identifying the user (normally found in the -GECOS field of the UNIX password database). -<p>If the parameter <a href="smb.conf.5.html#ntaclsupport"><strong>"nt acl support"</strong></a> -is set to "false" then the file owner will be shown as the NT user -<code>"Everyone"</code> and the permissions will be shown as NT <code>"Full Control"</code>. -<p>The permissions field is displayed differently for files and directories, -so I'll describe the way file permissions are displayed first. -<p><strong>File Permissions</strong><br> -<strong>----------------</strong> -<p>The standard UNIX user/group/world triple and the correspinding -"read", "write", "execute" permissions triples are mapped by Samba -into a three element NT ACL with the 'r', 'w', and 'x' bits mapped -into the corresponding NT permissions. The UNIX world permissions are mapped -into the global NT group <code>Everyone</code>, followed by the list of permissions -allowed for UNIX world. The UNIX owner and group permissions -are displayed as an NT <code>user</code> icon and an NT <code>local group</code> icon -respectively followed by the list of permissions allowed for the -UNIX user and group. -<p>As many UNIX permission sets don't map into common NT names such as -<code>"read"</code>, <code>"change"</code> or <code>"full control"</code> then usually the permissions -will be prefixed by the words <code>"Special Access"</code> in the NT display -list. -<p>But what happens if the file has no permissions allowed for a -particular UNIX user group or world component ? In order to -allow "no permissions" to be seen and modified then Samba overloads -the NT <code>"Take Ownership"</code> ACL attribute (which has no meaning in -UNIX) and reports a component with no permissions as having the NT -<code>"O"</code> bit set. This was chosen of course to make it look like a -zero, meaning zero permissions. More details on the decision behind -this will be given below. -<p><strong>Directory Permissions</strong><br> -<strong>---------------------</strong> -<p>Directories on an NT NTFS file system have two different sets of -permissions. The first set of permissions is the ACL set on the -directory itself, this is usually displayed in the first set of -parentheses in the normal <code>"RW"</code> NT style. This first set of -permissions is created by Samba in exactly the same way as normal -file permissions are, described above, and is displayed in the -same way. -<p>The second set of directory permissions has no real meaning in the -UNIX permissions world and represents the <code>"inherited"</code> permissions -that any file created within this directory would inherit. -<p>Samba synthesises these inherited permissions for NT by returning as -an NT ACL the UNIX permission mode that a new file created by Samba -on this share would receive. -<p><strong>Modifying file or directory permissions</strong><br> -<strong>---------------------------------------</strong> -<p>Modifying file and directory permissions is as simple as changing -the displayed permissions in the dialog box, and clicking the <code>OK</code> -button. However, there are limitations that a user needs to be aware -of, and also interactions with the standard Samba permission masks -and mapping of DOS attributes that need to also be taken into account. -<p>If the parameter <a href="smb.conf.5.html#ntaclsupport"><strong>"nt acl support"</strong></a> -is set to "false" then any attempt to set security permissions will -fail with an <code>"Access Denied"</code> message. -<p>The first thing to note is that the <code>"Add"</code> button will not return -a list of users in Samba 2.0.4 (it will give an error message of -<code>"The remote proceedure call failed and did not execute"</code>). This -means that you can only manipulate the current user/group/world -permissions listed in the dialog box. This actually works quite well -as these are the only permissions that UNIX actually has. -<p>If a permission triple (either user, group, or world) is removed from -the list of permissions in the NT dialog box, then when the <code>"OK"</code> -button is pressed it will be applied as "no permissions" on the UNIX -side. If you then view the permissions again the "no permissions" entry -will appear as the NT <code>"O"</code> flag, as described above. This allows you -to add permissions back to a file or directory once you have removed -them from a triple component. -<p>As UNIX supports only the "r", "w" and "x" bits of an NT ACL -then if other NT security attributes such as "Delete access" -are selected then they will be ignored when applied on the -Samba server. -<p>When setting permissions on a directory the second set of permissions -(in the second set of parentheses) is by default applied to all -files within that directory. If this is not what you want you -must uncheck the <code>"Replace permissions on existing files"</code> checkbox -in the NT dialog before clicking <code>"OK"</code>. -<p>If you wish to remove all permissions from a user/group/world -component then you may either highlight the component and click -the <code>"Remove"</code> button, or set the component to only have the special -<code>"Take Ownership"</code> permission (dsplayed as <code>"O"</code>) highlighted. -<p><strong>Interaction with the standard Samba create mask parameters</strong><br> -<strong>----------------------------------------------------------</strong> -<p>Note that with Samba 2.0.5 there are four new parameters to -control this interaction. -<p>These are : -<p><code>security mask</code> -<code>force security mode</code> -<code>directory security mask</code> -<code>force directory security mode</code> -<p>Once a user clicks <code>"OK"</code> to apply the permissions Samba maps -the given permissions into a user/group/world r/w/x triple set, -and then will check the changed permissions for a file against -the bits set in the <a href="smb.conf.5.html#securitymask"><strong>"security mask"</strong></a> -parameter. Any bits that were changed that are not set to '1' -in this parameter are left alone in the file permissions. -<p>Essentially, zero bits in the <a href="smb.conf.5.html#securitymask"><strong>"security mask"</strong></a> -mask may be treated as a set of bits the user is <em>not</em> allowed to change, -and one bits are those the user is allowed to change. -<p>If not set explicitly this parameter is set to the same value as the -<a href="smb.conf.5.html#createmask"><strong>"create mask"</strong></a> parameter to provide compatibility -with Samba 2.0.4 where this permission change facility was introduced. -To allow a user to modify all the user/group/world permissions on a file, -set this parameter to 0777. -<p>Next Samba checks the changed permissions for a file against the -bits set in the <a href="smb.conf.5.html#forcesecuritymode"><strong>"force security mode"</strong></a> -parameter. Any bits that were changed that correspond to bits set -to '1' in this parameter are forced to be set. -<p>Essentially, bits set in the <a href="smb.conf.5.html#forcesecuritymode"><strong>"force security mode"</strong></a> -parameter may be treated as a set of bits that, when modifying security on a file, the -user has always set to be 'on'. -<p>If not set explicitly this parameter is set to the same value as the -<a href="smb.conf.5.html#forcecreatemode"><strong>"force create mode"</strong></a> parameter to provide compatibility -with Samba 2.0.4 where the permission change facility was introduced. -To allow a user to modify all the user/group/world permissions on a file, -with no restrictions set this parameter to 000. -<p>The <a href="smb.conf.5.html#securitymask"><strong>"security mask"</strong></a> and -<a href="smb.conf.5.html#forcesecuritymode"><strong>"force security mode"</strong></a> parameters -are applied to the change request in that order. -<p>For a directory Samba will perform the same operations as described above -for a file except using the parameter <a href="smb.conf.5.html#directorysecuritymask"><strong>"directory security mask"</strong></a> -instead of <a href="smb.conf.5.html#securitymask"><strong>"security mask"</strong></a>, and -<a href="smb.conf.5.html#forcedirectorysecuritymode"><strong>"force directory security mode"</strong></a> parameter instead -of <a href="smb.conf.5.html#forcesecuritymode"><strong>"force security mode"</strong></a>. -<p>The <a href="smb.conf.5.html#directorysecuritymask"><strong>"directory security mask"</strong></a> -parameter by default is set to the same value as the <a href="smb.conf.5.html#directorymask"><strong>"directory mask"</strong></a> -parameter and the <a href="smb.conf.5.html#forcedirectorysecuritymode"><strong>"force directory security mode"</strong></a> -parameter by default is set to the same value as the -iurl(<strong>"force directory mode"</strong>)(smb.conf.5.html#forcedirectorymode) parameter -to provide compatibility with Samba 2.0.4 where the permission change facility was introduced. -<p>In this way Samba enforces the permission restrictions that an administrator -can set on a Samba share, whilst still allowing users to modify the -permission bits within that restriction. -<p>If you want to set up a share that allows users full control -in modifying the permission bits on their files and directories and -doesn't force any particular bits to be set 'on', then set the following -parameters in the <a href="smb.conf.5.html"><strong>smb.conf.5</strong></a> file in -that share specific section : -<p><code>security mask = 0777</code> -<code>force security mode = 0</code> -<code>directory security mask = 0777</code> -<code>force directory security mode = 0</code> -<p>As described, in Samba 2.0.4 the parameters : -<p><code>create mask</code> -<code>force create mode</code> -<code>directory mask</code> -<code>force directory mode</code> -<p>were used instead of the parameters discussed here. -<p><strong>Interaction with the standard Samba file attribute mapping</strong><br> -<strong>----------------------------------------------------------</strong> -<p>Samba maps some of the DOS attribute bits (such as "read only") -into the UNIX permissions of a file. This means there can be a -conflict between the permission bits set via the security dialog -and the permission bits set by the file attribute mapping. -<p>One way this can show up is if a file has no UNIX read access -for the owner it will show up as "read only" in the standard -file attributes tabbed dialog. Unfortunately this dialog is -the same one that contains the security info in another tab. -<p>What this can mean is that if the owner changes the permissions -to allow themselves read access using the security dialog, clicks -<code>"OK"</code> to get back to the standard attributes tab dialog, and -then clicks <code>"OK"</code> on that dialog, then NT will set the file -permissions back to read-only (as that is what the attributes -still say in the dialog). This means that after setting permissions -and clicking <code>"OK"</code> to get back to the attributes dialog you -should always hit <code>"Cancel"</code> rather than <code>"OK"</code> to ensure -that your changes are not overridden. -</body> -</html> +<HTML +><HEAD +><TITLE +></TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.57"></HEAD +><BODY +CLASS="ARTICLE" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><DIV +CLASS="ARTICLE" +><DIV +CLASS="SECT1" +><H1 +CLASS="SECT1" +><A +NAME="AEN2" +>Viewing and changing UNIX permissions using the NT + security dialogs</A +></H1 +><P +>New in the Samba 2.0.4 release is the ability for Windows + NT clients to use their native security settings dialog box to + view and modify the underlying UNIX permissions.</P +><P +>Note that this ability is careful not to compromise + the security of the UNIX host Samba is running on, and + still obeys all the file permission rules that a Samba + administrator can set.</P +><P +>In Samba 2.0.4 and above the default value of the + parameter <A +HREF="smb.conf.5.html#NTACLSUPPOR" +TARGET="_top" +><TT +CLASS="PARAMETER" +><I +> nt acl support</I +></TT +></A +> has been changed from + <TT +CLASS="CONSTANT" +>false</TT +> to <TT +CLASS="CONSTANT" +>true</TT +>, so + manipulation of permissions is turned on by default.</P +></DIV +><DIV +CLASS="SECT1" +><HR><H1 +CLASS="SECT1" +><A +NAME="AEN11" +>How to view file security on a Samba share</A +></H1 +><P +>From an NT 4.0 client, single-click with the right + mouse button on any file or directory in a Samba mounted + drive letter or UNC path. When the menu pops-up, click + on the <I +CLASS="EMPHASIS" +>Properties</I +> entry at the bottom of + the menu. This brings up the normal file properties dialog + box, but with Samba 2.0.4 this will have a new tab along the top + marked <I +CLASS="EMPHASIS" +>Security</I +>. Click on this tab and you + will see three buttons, <I +CLASS="EMPHASIS" +>Permissions</I +>, + <I +CLASS="EMPHASIS" +>Auditing</I +>, and <I +CLASS="EMPHASIS" +>Ownership</I +>. + The <I +CLASS="EMPHASIS" +>Auditing</I +> button will cause either + an error message <SPAN +CLASS="ERRORNAME" +>A requested privilege is not held + by the client</SPAN +> to appear if the user is not the + NT Administrator, or a dialog which is intended to allow an + Administrator to add auditing requirements to a file if the + user is logged on as the NT Administrator. This dialog is + non-functional with a Samba share at this time, as the only + useful button, the <B +CLASS="COMMAND" +>Add</B +> button will not currently + allow a list of users to be seen.</P +></DIV +><DIV +CLASS="SECT1" +><HR><H1 +CLASS="SECT1" +><A +NAME="AEN22" +>Viewing file ownership</A +></H1 +><P +>Clicking on the <B +CLASS="COMMAND" +>"Ownership"</B +> button + brings up a dialog box telling you who owns the given file. The + owner name will be of the form :</P +><P +><B +CLASS="COMMAND" +>"SERVER\user (Long name)"</B +></P +><P +>Where <TT +CLASS="REPLACEABLE" +><I +>SERVER</I +></TT +> is the NetBIOS name of + the Samba server, <TT +CLASS="REPLACEABLE" +><I +>user</I +></TT +> is the user name of + the UNIX user who owns the file, and <TT +CLASS="REPLACEABLE" +><I +>(Long name)</I +></TT +> + is the discriptive string identifying the user (normally found in the + GECOS field of the UNIX password database). Click on the <B +CLASS="COMMAND" +>Close + </B +> button to remove this dialog.</P +><P +>If the parameter <TT +CLASS="PARAMETER" +><I +>nt acl support</I +></TT +> + is set to <TT +CLASS="CONSTANT" +>false</TT +> then the file owner will + be shown as the NT user <B +CLASS="COMMAND" +>"Everyone"</B +>.</P +><P +>The <B +CLASS="COMMAND" +>Take Ownership</B +> button will not allow + you to change the ownership of this file to yourself (clicking on + it will display a dialog box complaining that the user you are + currently logged onto the NT client cannot be found). The reason + for this is that changing the ownership of a file is a privilaged + operation in UNIX, available only to the <I +CLASS="EMPHASIS" +>root</I +> + user. As clicking on this button causes NT to attempt to change + the ownership of a file to the current user logged into the NT + client this will not work with Samba at this time.</P +><P +>There is an NT chown command that will work with Samba + and allow a user with Administrator privillage connected + to a Samba 2.0.4 server as root to change the ownership of + files on both a local NTFS filesystem or remote mounted NTFS + or Samba drive. This is available as part of the <I +CLASS="EMPHASIS" +>Seclib + </I +> NT security library written by Jeremy Allison of + the Samba Team, available from the main Samba ftp site.</P +></DIV +><DIV +CLASS="SECT1" +><HR><H1 +CLASS="SECT1" +><A +NAME="AEN42" +>Viewing file or directory permissions</A +></H1 +><P +>The third button is the <B +CLASS="COMMAND" +>"Permissions"</B +> + button. Clicking on this brings up a dialog box that shows both + the permissions and the UNIX owner of the file or directory. + The owner is displayed in the form :</P +><P +><B +CLASS="COMMAND" +>"SERVER\user (Long name)"</B +></P +><P +>Where <TT +CLASS="REPLACEABLE" +><I +>SERVER</I +></TT +> is the NetBIOS name of + the Samba server, <TT +CLASS="REPLACEABLE" +><I +>user</I +></TT +> is the user name of + the UNIX user who owns the file, and <TT +CLASS="REPLACEABLE" +><I +>(Long name)</I +></TT +> + is the discriptive string identifying the user (normally found in the + GECOS field of the UNIX password database).</P +><P +>If the parameter <TT +CLASS="PARAMETER" +><I +>nt acl support</I +></TT +> + is set to <TT +CLASS="CONSTANT" +>false</TT +> then the file owner will + be shown as the NT user <B +CLASS="COMMAND" +>"Everyone"</B +> and the + permissions will be shown as NT "Full Control".</P +><P +>The permissions field is displayed differently for files + and directories, so I'll describe the way file permissions + are displayed first.</P +><DIV +CLASS="SECT2" +><HR><H2 +CLASS="SECT2" +><A +NAME="AEN57" +>File Permissions</A +></H2 +><P +>The standard UNIX user/group/world triple and + the correspinding "read", "write", "execute" permissions + triples are mapped by Samba into a three element NT ACL + with the 'r', 'w', and 'x' bits mapped into the corresponding + NT permissions. The UNIX world permissions are mapped into + the global NT group <B +CLASS="COMMAND" +>Everyone</B +>, followed + by the list of permissions allowed for UNIX world. The UNIX + owner and group permissions are displayed as an NT + <B +CLASS="COMMAND" +>user</B +> icon and an NT <B +CLASS="COMMAND" +>local + group</B +> icon respectively followed by the list + of permissions allowed for the UNIX user and group.</P +><P +>As many UNIX permission sets don't map into common + NT names such as <B +CLASS="COMMAND" +>"read"</B +>, <B +CLASS="COMMAND" +> "change"</B +> or <B +CLASS="COMMAND" +>"full control"</B +> then + usually the permissions will be prefixed by the words <B +CLASS="COMMAND" +> "Special Access"</B +> in the NT display list.</P +><P +>But what happens if the file has no permissions allowed + for a particular UNIX user group or world component ? In order + to allow "no permissions" to be seen and modified then Samba + overloads the NT <B +CLASS="COMMAND" +>"Take Ownership"</B +> ACL attribute + (which has no meaning in UNIX) and reports a component with + no permissions as having the NT <B +CLASS="COMMAND" +>"O"</B +> bit set. + This was chosen of course to make it look like a zero, meaning + zero permissions. More details on the decision behind this will + be given below.</P +></DIV +><DIV +CLASS="SECT2" +><HR><H2 +CLASS="SECT2" +><A +NAME="AEN71" +>Directory Permissions</A +></H2 +><P +>Directories on an NT NTFS file system have two + different sets of permissions. The first set of permissions + is the ACL set on the directory itself, this is usually displayed + in the first set of parentheses in the normal <B +CLASS="COMMAND" +>"RW"</B +> + NT style. This first set of permissions is created by Samba in + exactly the same way as normal file permissions are, described + above, and is displayed in the same way.</P +><P +>The second set of directory permissions has no real meaning + in the UNIX permissions world and represents the <B +CLASS="COMMAND" +> "inherited"</B +> permissions that any file created within + this directory would inherit.</P +><P +>Samba synthesises these inherited permissions for NT by + returning as an NT ACL the UNIX permission mode that a new file + created by Samba on this share would receive.</P +></DIV +></DIV +><DIV +CLASS="SECT1" +><HR><H1 +CLASS="SECT1" +><A +NAME="AEN78" +>Modifying file or directory permissions</A +></H1 +><P +>Modifying file and directory permissions is as simple + as changing the displayed permissions in the dialog box, and + clicking the <B +CLASS="COMMAND" +>OK</B +> button. However, there are + limitations that a user needs to be aware of, and also interactions + with the standard Samba permission masks and mapping of DOS + attributes that need to also be taken into account.</P +><P +>If the parameter <TT +CLASS="PARAMETER" +><I +>nt acl support</I +></TT +> + is set to <TT +CLASS="CONSTANT" +>false</TT +> then any attempt to set + security permissions will fail with an <B +CLASS="COMMAND" +>"Access Denied" + </B +> message.</P +><P +>The first thing to note is that the <B +CLASS="COMMAND" +>"Add"</B +> + button will not return a list of users in Samba 2.0.4 (it will give + an error message of <B +CLASS="COMMAND" +>"The remote proceedure call failed + and did not execute"</B +>). This means that you can only + manipulate the current user/group/world permissions listed in + the dialog box. This actually works quite well as these are the + only permissions that UNIX actually has.</P +><P +>If a permission triple (either user, group, or world) + is removed from the list of permissions in the NT dialog box, + then when the <B +CLASS="COMMAND" +>"OK"</B +> button is pressed it will + be applied as "no permissions" on the UNIX side. If you then + view the permissions again the "no permissions" entry will appear + as the NT <B +CLASS="COMMAND" +>"O"</B +> flag, as described above. This + allows you to add permissions back to a file or directory once + you have removed them from a triple component.</P +><P +>As UNIX supports only the "r", "w" and "x" bits of + an NT ACL then if other NT security attributes such as "Delete + access" are selected then they will be ignored when applied on + the Samba server.</P +><P +>When setting permissions on a directory the second + set of permissions (in the second set of parentheses) is + by default applied to all files within that directory. If this + is not what you want you must uncheck the <B +CLASS="COMMAND" +>"Replace + permissions on existing files"</B +> checkbox in the NT + dialog before clicking <B +CLASS="COMMAND" +>"OK"</B +>.</P +><P +>If you wish to remove all permissions from a + user/group/world component then you may either highlight the + component and click the <B +CLASS="COMMAND" +>"Remove"</B +> button, + or set the component to only have the special <B +CLASS="COMMAND" +>"Take + Ownership"</B +> permission (dsplayed as <B +CLASS="COMMAND" +>"O" + </B +>) highlighted.</P +></DIV +><DIV +CLASS="SECT1" +><HR><H1 +CLASS="SECT1" +><A +NAME="AEN100" +>Interaction with the standard Samba create mask + parameters</A +></H1 +><P +>Note that with Samba 2.0.5 there are four new parameters + to control this interaction. These are :</P +><P +><TT +CLASS="PARAMETER" +><I +>security mask</I +></TT +></P +><P +><TT +CLASS="PARAMETER" +><I +>force security mode</I +></TT +></P +><P +><TT +CLASS="PARAMETER" +><I +>directory security mask</I +></TT +></P +><P +><TT +CLASS="PARAMETER" +><I +>force directory security mode</I +></TT +></P +><P +>Once a user clicks <B +CLASS="COMMAND" +>"OK"</B +> to apply the + permissions Samba maps the given permissions into a user/group/world + r/w/x triple set, and then will check the changed permissions for a + file against the bits set in the <A +HREF="smb.conf.5.html#SECURITYMASK" +TARGET="_top" +> + <TT +CLASS="PARAMETER" +><I +>security mask</I +></TT +></A +> parameter. Any bits that + were changed that are not set to '1' in this parameter are left alone + in the file permissions.</P +><P +>Essentially, zero bits in the <TT +CLASS="PARAMETER" +><I +>security mask</I +></TT +> + mask may be treated as a set of bits the user is <I +CLASS="EMPHASIS" +>not</I +> + allowed to change, and one bits are those the user is allowed to change. + </P +><P +>If not set explicitly this parameter is set to the same value as + the <A +HREF="smb.conf.5.html#CREATEMASK" +TARGET="_top" +><TT +CLASS="PARAMETER" +><I +>create mask + </I +></TT +></A +> parameter to provide compatibility with Samba 2.0.4 + where this permission change facility was introduced. To allow a user to + modify all the user/group/world permissions on a file, set this parameter + to 0777.</P +><P +>Next Samba checks the changed permissions for a file against + the bits set in the <A +HREF="smb.conf.5.html#FORCESECURITYMODE" +TARGET="_top" +> <TT +CLASS="PARAMETER" +><I +>force security mode</I +></TT +></A +> parameter. Any bits + that were changed that correspond to bits set to '1' in this parameter + are forced to be set.</P +><P +>Essentially, bits set in the <TT +CLASS="PARAMETER" +><I +>force security mode + </I +></TT +> parameter may be treated as a set of bits that, when + modifying security on a file, the user has always set to be 'on'.</P +><P +>If not set explicitly this parameter is set to the same value + as the <A +HREF="smb.conf.5.html#FORCECREATEMODE" +TARGET="_top" +><TT +CLASS="PARAMETER" +><I +>force + create mode</I +></TT +></A +> parameter to provide compatibility + with Samba 2.0.4 where the permission change facility was introduced. + To allow a user to modify all the user/group/world permissions on a file, + with no restrictions set this parameter to 000.</P +><P +>The <TT +CLASS="PARAMETER" +><I +>security mask</I +></TT +> and <TT +CLASS="PARAMETER" +><I +>force + security mode</I +></TT +> parameters are applied to the change + request in that order.</P +><P +>For a directory Samba will perform the same operations as + described above for a file except using the parameter <TT +CLASS="PARAMETER" +><I +> directory security mask</I +></TT +> instead of <TT +CLASS="PARAMETER" +><I +>security + mask</I +></TT +>, and <TT +CLASS="PARAMETER" +><I +>force directory security mode + </I +></TT +> parameter instead of <TT +CLASS="PARAMETER" +><I +>force security mode + </I +></TT +>.</P +><P +>The <TT +CLASS="PARAMETER" +><I +>directory security mask</I +></TT +> parameter + by default is set to the same value as the <TT +CLASS="PARAMETER" +><I +>directory mask + </I +></TT +> parameter and the <TT +CLASS="PARAMETER" +><I +>force directory security + mode</I +></TT +> parameter by default is set to the same value as + the <TT +CLASS="PARAMETER" +><I +>force directory mode</I +></TT +> parameter to provide + compatibility with Samba 2.0.4 where the permission change facility + was introduced.</P +><P +>In this way Samba enforces the permission restrictions that + an administrator can set on a Samba share, whilst still allowing users + to modify the permission bits within that restriction.</P +><P +>If you want to set up a share that allows users full control + in modifying the permission bits on their files and directories and + doesn't force any particular bits to be set 'on', then set the following + parameters in the <A +HREF="smb.conf.5.html" +TARGET="_top" +><TT +CLASS="FILENAME" +>smb.conf(5) + </TT +></A +> file in that share specific section :</P +><P +><TT +CLASS="PARAMETER" +><I +>security mask = 0777</I +></TT +></P +><P +><TT +CLASS="PARAMETER" +><I +>force security mode = 0</I +></TT +></P +><P +><TT +CLASS="PARAMETER" +><I +>directory security mask = 0777</I +></TT +></P +><P +><TT +CLASS="PARAMETER" +><I +>force directory security mode = 0</I +></TT +></P +><P +>As described, in Samba 2.0.4 the parameters :</P +><P +><TT +CLASS="PARAMETER" +><I +>create mask</I +></TT +></P +><P +><TT +CLASS="PARAMETER" +><I +>force create mode</I +></TT +></P +><P +><TT +CLASS="PARAMETER" +><I +>directory mask</I +></TT +></P +><P +><TT +CLASS="PARAMETER" +><I +>force directory mode</I +></TT +></P +><P +>were used instead of the parameters discussed here.</P +></DIV +><DIV +CLASS="SECT1" +><HR><H1 +CLASS="SECT1" +><A +NAME="AEN164" +>Interaction with the standard Samba file attribute + mapping</A +></H1 +><P +>Samba maps some of the DOS attribute bits (such as "read + only") into the UNIX permissions of a file. This means there can + be a conflict between the permission bits set via the security + dialog and the permission bits set by the file attribute mapping. + </P +><P +>One way this can show up is if a file has no UNIX read access + for the owner it will show up as "read only" in the standard + file attributes tabbed dialog. Unfortunately this dialog is + the same one that contains the security info in another tab.</P +><P +>What this can mean is that if the owner changes the permissions + to allow themselves read access using the security dialog, clicks + <B +CLASS="COMMAND" +>"OK"</B +> to get back to the standard attributes tab + dialog, and then clicks <B +CLASS="COMMAND" +>"OK"</B +> on that dialog, then + NT will set the file permissions back to read-only (as that is what + the attributes still say in the dialog). This means that after setting + permissions and clicking <B +CLASS="COMMAND" +>"OK"</B +> to get back to the + attributes dialog you should always hit <B +CLASS="COMMAND" +>"Cancel"</B +> + rather than <B +CLASS="COMMAND" +>"OK"</B +> to ensure that your changes + are not overridden.</P +></DIV +></DIV +></BODY +></HTML +>
\ No newline at end of file diff --git a/docs/htmldocs/findsmb.1.html b/docs/htmldocs/findsmb.1.html index 893113f22e2..0f7ed2265ea 100644 --- a/docs/htmldocs/findsmb.1.html +++ b/docs/htmldocs/findsmb.1.html @@ -1,72 +1,175 @@ - - - - - -<html><head><title>findsmb (1)</title> - -<link rev="made" href="mailto:samba@samba.org"> -</head> -<body> - -<hr> - -<h1>findsmb (1)</h1> -<h2>Samba</h2> -<h2>2 May 2000</h2> - - - - -<p><br><a name="NAME"></a> -<h2>NAME</h2> - findsmb - list info about machines that respond to SMB name queries on a subnet -<p><br><a name="SYNOPSIS"></a> -<h2>SYNOPSIS</h2> - -<p><br><strong>findsmb</strong> [<a href="findsmb.1.html#subnetbroadcastaddress">subnet broadcast address</a>] -<p><br><a name="DESCRIPTION"></a> -<h2>DESCRIPTION</h2> - -<p><br>This perl script is part of the <strong>Samba</strong> suite. -<p><br><strong>findsmb</strong> is a perl script that prints out several pieces -of information about machines on a subnet that respond to SMB -name query requests. -It uses <a href="nmblookup.1.html"><strong>nmblookup</strong></a> and -<a href="smbclient.1.html"><strong>smbclient</strong></a> to obtain this information. -<p><br><a name="OPTIONS"></a> -<h2>OPTIONS</h2> - -<p><br><ul> -<p><br><a name="subnetbroadcastaddress"></a> -<li><strong><strong>subnet broadcast address</strong></strong> Without this option, <strong>findsmb</strong> -will probe the subnet of the machine where <strong>findsmb</strong> is run. -This value is passed to <strong>nmblookup</strong> as part of the <strong>-B</strong> -option -<p><br></ul> -<p><br><a name="EXAMPLES"></a> -<h2>EXAMPLES</h2> - -<p><br>The output of <strong>findsmb</strong> lists the following information for all -machines that respond to the initial <strong>nmblookup</strong> for any name: -IP address, NetBIOS name, Workgroup name, operating system, and -SMB server version. -<p><br>There will be a "+" in front of the workgroup name for machines that are -local master browsers for that workgroup. There will be an "*" in front -of the workgroup name for machines that are the domain master browser for -that workgroup. Machines that are running Windows, Windows 95 or Windows 98 -will not show any information about the operating system or server version. -<p><br>The command must be run on a system without -<strong>nmbd</strong> running. If <strong>nmbd</strong> is running on the system, you will only -get the IP address and the DNS name of the machine. To get proper responses -from Windows 95 and Windows 98 machines, the command must be run as root. -<p><br>For example running: -<p><br><code>findsmb</code> -<p><br>on a machine without <strong>nmbd</strong> running would yield output similar -to the following -<p><br><pre> - -IP ADDR NETBIOS NAME WORKGROUP/OS/VERSION +<HTML +><HEAD +><TITLE +>findsmb</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.57"></HEAD +><BODY +CLASS="REFENTRY" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><H1 +><A +NAME="FINDSMB" +>findsmb</A +></H1 +><DIV +CLASS="REFNAMEDIV" +><A +NAME="AEN5" +></A +><H2 +>Name</H2 +>findsmb -- list info about machines that respond to SMB + name queries on a subnet</DIV +><DIV +CLASS="REFSYNOPSISDIV" +><A +NAME="AEN8" +></A +><H2 +>Synopsis</H2 +><P +><B +CLASS="COMMAND" +>findsmb</B +> [subnet broadcast address]</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN12" +></A +><H2 +>DESCRIPTION</H2 +><P +>This perl script is part of the <A +HREF="samba.7.html" +TARGET="_top" +> Samba</A +> suite.</P +><P +><B +CLASS="COMMAND" +>findsmb</B +> is a perl script that + prints out several pieces of information about machines + on a subnet that respond to SMB name query requests. + It uses <A +HREF="nmblookup.1.html" +TARGET="_top" +><B +CLASS="COMMAND" +> nmblookup(1)</B +></A +> and <A +HREF="smbclient.1.html" +TARGET="_top" +> <B +CLASS="COMMAND" +>smbclient(1)</B +></A +> to obtain this information. + </P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN22" +></A +><H2 +>OPTIONS</H2 +><P +></P +><DIV +CLASS="VARIABLELIST" +><DL +><DT +>subnet broadcast address</DT +><DD +><P +>Without this option, <B +CLASS="COMMAND" +>findsmb + </B +> will probe the subnet of the machine where + <B +CLASS="COMMAND" +>findsmb</B +> is run. This value is passed + to <B +CLASS="COMMAND" +>nmblookup</B +> as part of the + <TT +CLASS="CONSTANT" +>-B</TT +> option</P +></DD +></DL +></DIV +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN33" +></A +><H2 +>EXAMPLES</H2 +><P +>The output of <B +CLASS="COMMAND" +>findsmb</B +> lists the following + information for all machines that respond to the initial + <B +CLASS="COMMAND" +>nmblookup</B +> for any name: IP address, NetBIOS name, + Workgroup name, operating system, and SMB server version.</P +><P +>There will be a '+' in front of the workgroup name for + machines that are local master browsers for that workgroup. There + will be an '*' in front of the workgroup name for + machines that are the domain master browser for that workgroup. + Machines that are running Windows, Windows 95 or Windows 98 will + not show any information about the operating system or server + version.</P +><P +>The command must be run on a system without <A +HREF="nmbd.8.html" +TARGET="_top" +><B +CLASS="COMMAND" +>nmbd</B +></A +> running. + If <B +CLASS="COMMAND" +>nmbd</B +> is running on the system, you will + only get the IP address and the DNS name of the machine. To + get proper responses from Windows 95 and Windows 98 machines, + the command must be run as root. </P +><P +>For example running <B +CLASS="COMMAND" +>findsmb</B +> on a machine + without <B +CLASS="COMMAND" +>nmbd</B +> running would yield output similar + to the following</P +><PRE +CLASS="SCREEN" +><TT +CLASS="COMPUTEROUTPUT" +>IP ADDR NETBIOS NAME WORKGROUP/OS/VERSION --------------------------------------------------------------------- 192.168.35.10 MINESET-TEST1 [DMVENGR] 192.168.35.55 LINUXBOX *[MYGROUP] [Unix] [Samba 2.0.6] @@ -78,27 +181,78 @@ IP ADDR NETBIOS NAME WORKGROUP/OS/VERSION 192.168.35.88 SCNT2 +[MVENGR] [Windows NT 4.0] [NT LAN Manager 4.0] 192.168.35.93 FROGSTAR-PC [MVENGR] [Windows 5.0] [Windows 2000 LAN Manager] 192.168.35.97 HERBNT1 *[HERB-NT] [Windows NT 4.0] [NT LAN Manager 4.0] - -</pre> - -<p><br><a name="VERSION"></a> -<h2>VERSION</h2> - -<p><br>This man page is correct for version 2.0 of the Samba suite. -<p><br><a name="SEEALSO"></a> -<h2>SEE ALSO</h2> - -<p><br><a href="nmblookup.1.html"><strong>nmblookup (1)</strong></a>, <a href="smbclient.1.html"><strong>smbclient (1)</strong></a> -<p><br><a name="AUTHOR"></a> -<h2>AUTHOR</h2> - -<p><br>This perl script was developed by Herb Lewis of SGI. -<p><br>The original Samba software and related utilities were created by -Andrew Tridgell <a href="mailto:samba@samba.org"><em>samba@samba.org</em></a>. Samba is now developed -by the Samba Team as an Open Source project similar to the way the -Linux kernel is developed. -<p><br>See <a href="samba.7.html"><strong>samba (7)</strong></a> to find out how to get a full -list of contributors and details on how to submit bug reports, -comments etc. -</body> -</html> + </TT +></PRE +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN48" +></A +><H2 +>VERSION</H2 +><P +>This man page is correct for version 2.2 of + the Samba suite.</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN51" +></A +><H2 +>SEE ALSO</H2 +><P +><A +HREF="nmbd.8.html" +TARGET="_top" +><B +CLASS="COMMAND" +>nmbd(8)</B +></A +>, + <A +HREF="smbclient.1.html" +TARGET="_top" +><B +CLASS="COMMAND" +>smbclient(1) + </B +></A +>, and <A +HREF="nmblookup.1.html" +TARGET="_top" +> <B +CLASS="COMMAND" +>nmblookup(1)</B +></A +> + </P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN60" +></A +><H2 +>AUTHOR</H2 +><P +>The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed.</P +><P +>The original Samba man pages were written by Karl Auer. + The man page sources were converted to YODL format (another + excellent piece of Open Source software, available at + <A +HREF="ftp://ftp.icce.rug.nl/pub/unix/" +TARGET="_top" +> ftp://ftp.icce.rug.nl/pub/unix/</A +>) and updated for the Samba 2.0 + release by Jeremy Allison. The conversion to DocBook for + Samba 2.2 was done by Gerald Carter</P +></DIV +></BODY +></HTML +>
\ No newline at end of file diff --git a/docs/htmldocs/lmhosts.5.html b/docs/htmldocs/lmhosts.5.html index af88b4aded0..4d66e95b7a0 100644 --- a/docs/htmldocs/lmhosts.5.html +++ b/docs/htmldocs/lmhosts.5.html @@ -1,94 +1,206 @@ - - - - - - -<html><head><title>lmhosts (5)</title> - -<link rev="made" href="mailto:samba@samba.org"> -</head> -<body> - -<hr> - -<h1>lmhosts (5)</h1> -<h2>Samba</h2> -<h2>23 Oct 1998</h2> - - - -<p><a name="NAME"></a> -<h2>NAME</h2> - lmhosts - The Samba NetBIOS hosts file -<p><a name="SYNOPSIS"></a> -<h2>SYNOPSIS</h2> - -<p>lmhosts is the <strong>Samba</strong> NetBIOS name to IP address mapping file. -<p><a name="DESCRIPTION"></a> -<h2>DESCRIPTION</h2> - -<p>This file is part of the <strong>Samba</strong> suite. -<p><strong>lmhosts</strong> is the <strong>Samba</strong> NetBIOS name to IP address mapping file. It -is very similar to the <strong>/etc/hosts</strong> file format, except that the -hostname component must correspond to the NetBIOS naming format. -<p><a name="FILEFORMAT"></a> -<h2>FILE FORMAT</h2> - -<p>It is an ASCII file containing one line for NetBIOS name. The two -fields on each line are separated from each other by white space. Any -entry beginning with # is ignored. Each line in the lmhosts file -contains the following information : -<p><dl> -<p><li > <strong>IP Address</strong> - in dotted decimal format. -<p><li > <strong>NetBIOS Name</strong> - This name format is a maximum fifteen -character host name, with an optional trailing <code>'#'</code> character -followed by the NetBIOS name type as two hexadecimal digits. -<p>If the trailing <code>'#'</code> is omitted then the given IP address will be -returned for all names that match the given name, whatever the NetBIOS -name type in the lookup. -<p></dl> -<p>An example follows : -<p># <br> -# Sample Samba lmhosts file. <br> -# <br> -192.9.200.1 TESTPC <br> -192.9.200.20 NTSERVER#20 <br> -192.9.200.21 SAMBASERVER <br> -<p>Contains three IP to NetBIOS name mappings. The first and third will -be returned for any queries for the names <code>"TESTPC"</code> and -<code>"SAMBASERVER"</code> respectively, whatever the type component of the -NetBIOS name requested. -<p>The second mapping will be returned only when the <code>"0x20"</code> name type -for a name <code>"NTSERVER"</code> is queried. Any other name type will not be -resolved. -<p>The default location of the <strong>lmhosts</strong> file is in the same directory -as the <a href="smb.conf.html"><strong>smb.conf</strong></a> file. -<p><a name="VERSION"></a> -<h2>VERSION</h2> - -<p>This man page is correct for version 2.0 of the Samba suite. -<p><a name="SEEALSO"></a> -<h2>SEE ALSO</h2> - -<p><a href="smb.conf.5.html#nameresolveorder"><strong>smb.conf (5)</strong></a>, -<a href="smbclient.1.html#minusR"><strong>smbclient (1)</strong></a>, -<a href="smbpasswd.8.html#minusR"><strong>smbpasswd (8)</strong></a>, <a href="samba.7.html"><strong>samba (7)</strong></a>. -<p><a name="AUTHOR"></a> -<h2>AUTHOR</h2> - -<p>The original Samba software and related utilities were created by -Andrew Tridgell <a href="mailto:samba@samba.org"><em>samba@samba.org</em></a>. Samba is now developed -by the Samba Team as an Open Source project similar to the way the -Linux kernel is developed. -<p>The original Samba man pages were written by Karl Auer. The man page -sources were converted to YODL format (another excellent piece of Open -Source software, available at -<a href="ftp://ftp.icce.rug.nl/pub/unix/"><strong>ftp://ftp.icce.rug.nl/pub/unix/</strong></a>) -and updated for the Samba2.0 release by Jeremy Allison. -<a href="mailto:samba@samba.org"><em>samba@samba.org</em></a>. -<p>See <a href="samba.7.html"><strong>samba (7)</strong></a> to find out how to get a full -list of contributors and details on how to submit bug reports, -comments etc. -</body> -</html> +<HTML +><HEAD +><TITLE +>lmhosts</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.57"></HEAD +><BODY +CLASS="REFENTRY" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><H1 +><A +NAME="FINDSMB" +>lmhosts</A +></H1 +><DIV +CLASS="REFNAMEDIV" +><A +NAME="AEN5" +></A +><H2 +>Name</H2 +>lmhosts -- The Samba NetBIOS hosts file</DIV +><DIV +CLASS="REFSYNOPSISDIV" +><A +NAME="AEN8" +></A +><H2 +>Synopsis</H2 +><P +><TT +CLASS="FILENAME" +>lmhosts</TT +> is the <A +HREF="samba.7.html" +TARGET="_top" +> Samba</A +> NetBIOS name to IP address mapping file.</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN12" +></A +><H2 +>DESCRIPTION</H2 +><P +>This file is part of the <<A +HREF="samba.7.html" +TARGET="_top" +> Samba</A +> suite.</P +><P +><TT +CLASS="FILENAME" +>lmhosts</TT +> is the <I +CLASS="EMPHASIS" +>Samba + </I +> NetBIOS name to IP address mapping file. It + is very similar to the <TT +CLASS="FILENAME" +>/etc/hosts</TT +> file + format, except that the hostname component must correspond + to the NetBIOS naming format.</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN20" +></A +><H2 +>FILE FORMAT</H2 +><P +>It is an ASCII file containing one line for NetBIOS name. + The two fields on each line are separated from each other by + white space. Any entry beginning with '#' is ignored. Each line + in the lmhosts file contains the following information :</P +><P +></P +><UL +><LI +><P +>IP Address - in dotted decimal format.</P +></LI +><LI +><P +>NetBIOS Name - This name format is a + maximum fifteen character host name, with an optional + trailing '#' character followed by the NetBIOS name type + as two hexadecimal digits.</P +><P +>If the trailing '#' is omitted then the given IP + address will be returned for all names that match the given + name, whatever the NetBIOS name type in the lookup.</P +></LI +></UL +><P +>An example follows :</P +><P +><PRE +CLASS="PROGRAMLISTING" +># +#Sample Samba lmhosts file. +# +192.9.200.1 TESTPC +192.9.200.20 NTSERVER#20 +192.9.200.21 SAMBASERVER + </PRE +></P +><P +>Contains three IP to NetBIOS name mappings. The first + and third will be returned for any queries for the names "TESTPC" + and "SAMBASERVER" respectively, whatever the type component of + the NetBIOS name requested.</P +><P +>The second mapping will be returned only when the "0x20" name + type for a name "NTSERVER" is queried. Any other name type will not + be resolved.</P +><P +>The default location of the <TT +CLASS="FILENAME" +>lmhosts</TT +> file + is in the same directory as the <A +HREF="smb.conf.5.html" +TARGET="_top" +> + smb.conf(5)></A +> file.</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN37" +></A +><H2 +>VERSION</H2 +><P +>This man page is correct for version 2.2 of + the Samba suite.</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN40" +></A +><H2 +>SEE ALSO</H2 +><P +><A +HREF="smbclient.1.html" +TARGET="_top" +><B +CLASS="COMMAND" +>smbclient(1) + </B +></A +>, <A +HREF="smb.conf.5.html#NAMERESOLVEORDER" +TARGET="_top" +> smb.conf(5)</A +>, and <A +HREF="smbpasswd.8.html" +TARGET="_top" +><B +CLASS="COMMAND" +> smbpasswd(8)</B +></A +> + </P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN48" +></A +><H2 +>AUTHOR</H2 +><P +>The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed.</P +><P +>The original Samba man pages were written by Karl Auer. + The man page sources were converted to YODL format (another + excellent piece of Open Source software, available at + <A +HREF="ftp://ftp.icce.rug.nl/pub/unix/" +TARGET="_top" +> ftp://ftp.icce.rug.nl/pub/unix/</A +>) and updated for the Samba 2.0 + release by Jeremy Allison. The conversion to DocBook for + Samba 2.2 was done by Gerald Carter</P +></DIV +></BODY +></HTML +>
\ No newline at end of file diff --git a/docs/htmldocs/make_smbcodepage.1.html b/docs/htmldocs/make_smbcodepage.1.html index 558a559f03b..456ea98b20c 100644 --- a/docs/htmldocs/make_smbcodepage.1.html +++ b/docs/htmldocs/make_smbcodepage.1.html @@ -1,144 +1,354 @@ - - - - - - -<html><head><title>make_smbcodepage (1)</title> - -<link rev="made" href="mailto:samba@samba.org"> -</head> -<body> - -<hr> - -<h1>make_smbcodepage (1)</h1> -<h2>Samba</h2> -<h2>23 Oct 1998</h2> - - - -<p><a name="NAME"></a> -<h2>NAME</h2> - make_codepage - Construct a codepage file for Samba -<p><a name="SYNOPSIS"></a> -<h2>SYNOPSIS</h2> - -<p><strong>make_smbcodepage</strong> [<a href="make_smbcodepage.1.html#cord">c|d</a>] <a href="make_smbcodepage.1.html#codepage">codepage</a> <a href="make_smbcodepage.1.html#inputfile">inputfile</a> <a href="make_smbcodepage.1.html#outputfile">outputfile</a> -<p><a name="DESCRIPTION"></a> -<h2>DESCRIPTION</h2> - -<p>This program is part of the <strong>Samba</strong> suite. -<p><strong>make_smbcodepage</strong> compiles or de-compiles codepage files for use -with the internationalization features of Samba 2.0 -<p><a name="OPTIONS"></a> -<h2>OPTIONS</h2> - -<p><dl> -<p><a name="cord"></a> -<p></p><dt><strong>c|d</strong><dd> This tells <strong>make_smbcodepage</strong> if it is compiling (<strong>c</strong>) a text -format code page file to binary, or (<strong>d</strong>) de-compiling a binary codepage -file to text. -<p><a name="codepage"></a> -<p></p><dt><strong>codepage</strong><dd> This is the codepage we are processing (a number, e.g. 850). -<p><a name="inputfile"></a> -<p></p><dt><strong>inputfile</strong><dd> This is the input file to process. In the '<strong>c</strong>' case this -will be a text codepage definition file such as the ones found in the -Samba <em>source/codepages</em> directory. In the '<strong>d</strong>' case this will be the -binary format codepage definition file normally found in the -<em>lib/codepages</em> directory in the Samba install directory path. -<p><a name="outputfile"></a> -<p></p><dt><strong>outputfile</strong><dd> This is the output file to produce. -<p></dl> -<p><a name="SambaCodepageFiles"></a> -<h2>Samba Codepage Files</h2> - -<p>A text Samba codepage definition file is a description that tells -Samba how to map from upper to lower case for characters greater than -ascii 127 in the specified DOS code page. Note that for certain DOS -codepages (437 for example) mapping from lower to upper case may be -non-symmetrical. For example, in code page 437 lower case a acute maps to -a plain upper case A when going from lower to upper case, but -plain upper case A maps to plain lower case a when lower casing a -character. -<p>A binary Samba codepage definition file is a binary representation of -the same information, including a value that specifies what codepage -this file is describing. -<p>As Samba does not yet use UNICODE (current for Samba version 2.0) you -must specify the client code page that your DOS and Windows clients -are using if you wish to have case insensitivity done correctly for -your particular language. The default codepage Samba uses is 850 -(Western European). Text codepage definition sample files are -provided in the Samba distribution for codepages 437 (USA), 737 -(Greek), 850 (Western European) 852 (MS-DOS Latin 2), 861 (Icelandic), -866 (Cyrillic), 932 (Kanji SJIS), 936 (Simplified Chinese), 949 -(Hangul) and 950 (Traditional Chinese). Users are encouraged to write -text codepage definition files for their own code pages and donate -them to <a href="mailto:samba@samba.org"><em>samba@samba.org</em></a>. All codepage files in the -Samba <em>source/codepages</em> directory are compiled and installed when a -<em>'make install'</em> command is issued there. -<p>The client codepage used by the <a href="smbd.8.html"><strong>smbd</strong></a> server is -configured using the <a href="smb.conf.5.html#clientcodepage"><strong>client code -page</strong></a> parameter in the -<a href="smb.conf.5.html"><strong>smb.conf</strong></a> file. -<p><a name="FILES"></a> -<h2>FILES</h2> - -<p><strong>codepage_def.<codepage></strong> -<p>These are the input (text) codepage files provided in the Samba -<em>source/codepages</em> directory. -<p>A text codepage definition file consists of multiple lines -containing four fields. These fields are : -<p><dl> -<p><li > <strong>lower</strong>: which is the (hex) lower case character mapped on this -line. -<p><li > <strong>upper</strong>: which is the (hex) upper case character that the lower -case character will map to. -<p><li > <strong>map upper to lower</strong> which is a boolean value (put either True -or False here) which tells Samba if it is to map the given upper case -character to the given lower case character when lower casing a -filename. -<p><li > <strong>map lower to upper</strong> which is a boolean value (put either True -or False here) which tells Samba if it is to map the given lower case -character to the given upper case character when upper casing a -filename. -<p></dl> -<p><strong>codepage.<codepage></strong> These are the output (binary) codepage files -produced and placed in the Samba destination <em>lib/codepage</em> -directory. -<p><a name="INSTALLATION"></a> -<h2>INSTALLATION</h2> - -<p>The location of the server and its support files is a matter for -individual system administrators. The following are thus suggestions -only. -<p>It is recommended that the <strong>make_smbcodepage</strong> program be installed -under the <em>/usr/local/samba</em> hierarchy, in a directory readable by -all, writeable only by root. The program itself should be executable -by all. The program should NOT be setuid or setgid! -<p><a name="VERSION"></a> -<h2>VERSION</h2> - -<p>This man page is correct for version 2.0 of the Samba suite. -<p><a name="SEEALSO"></a> -<h2>SEE ALSO</h2> - -<p><a href="smb.conf.5.html"><strong>smb.conf(5)</strong></a>, <a href="smbd.8.html"><strong>smbd (8)</strong></a> -<p><a name="AUTHOR"></a> -<h2>AUTHOR</h2> - -<p>The original Samba software and related utilities were created by -Andrew Tridgell <a href="mailto:samba@samba.org"><em>samba@samba.org</em></a>. Samba is now developed -by the Samba Team as an Open Source project similar to the way the -Linux kernel is developed. -<p>The original Samba man pages were written by Karl Auer. The man page -sources were converted to YODL format (another excellent piece of Open -Source software, available at -<a href="ftp://ftp.icce.rug.nl/pub/unix/"><strong>ftp://ftp.icce.rug.nl/pub/unix/</strong></a>) -and updated for the Samba2.0 release by Jeremy Allison. -<a href="mailto:samba@samba.org"><em>samba@samba.org</em></a>. -<p>See <a href="samba.7.html"><strong>samba (7)</strong></a> to find out how to get a full -list of contributors and details on how to submit bug reports, -comments etc. -</body> -</html> +<HTML +><HEAD +><TITLE +>make_smbcodepage</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.57"></HEAD +><BODY +CLASS="REFENTRY" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><H1 +><A +NAME="FINDSMB" +>make_smbcodepage</A +></H1 +><DIV +CLASS="REFNAMEDIV" +><A +NAME="AEN5" +></A +><H2 +>Name</H2 +>make_smbcodepage -- construct a codepage file for Samba</DIV +><DIV +CLASS="REFSYNOPSISDIV" +><A +NAME="AEN8" +></A +><H2 +>Synopsis</H2 +><P +><B +CLASS="COMMAND" +>make_smbcodepage</B +> {c|d} {codepage} {inputfile} {outputfile}</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN15" +></A +><H2 +>DESCRIPTION</H2 +><P +>This tool is part of the <A +HREF="samba.7.html" +TARGET="_top" +> Samba</A +> suite.</P +><P +><B +CLASS="COMMAND" +>make_smbcodepage</B +> compiles or de-compiles + codepage files for use with the internationalization features + of Samba 2.2</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN21" +></A +><H2 +>OPTIONS</H2 +><P +></P +><DIV +CLASS="VARIABLELIST" +><DL +><DT +>c|d</DT +><DD +><P +>This tells <B +CLASS="COMMAND" +>make_smbcodepage</B +> + if it is compiling (<TT +CLASS="PARAMETER" +><I +>c</I +></TT +>) a text format code + page file to binary, or (<TT +CLASS="PARAMETER" +><I +>d</I +></TT +>) de-compiling + a binary codepage file to text. </P +></DD +><DT +>codepage</DT +><DD +><P +>This is the codepage we are processing (a + number, e.g. 850). </P +></DD +><DT +>inputfile</DT +><DD +><P +>This is the input file to process. In t + he '<TT +CLASS="PARAMETER" +><I +>c</I +></TT +>' case this will be a text + codepage definition file such as the ones found in the Samba + <TT +CLASS="FILENAME" +>source/codepages</TT +> directory. In + the '<TT +CLASS="PARAMETER" +><I +>d</I +></TT +>' case this will be the + binary format codepage definition file normally found in + the <TT +CLASS="FILENAME" +>lib/codepages</TT +> directory in the + Samba install directory path.</P +></DD +><DT +>outputfile</DT +><DD +><P +>This is the output file to produce.</P +></DD +></DL +></DIV +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN47" +></A +><H2 +>Samba Codepage Files</H2 +><P +>A text Samba codepage definition file is a description + that tells Samba how to map from upper to lower case for + characters greater than ascii 127 in the specified DOS code page. + Note that for certain DOS codepages (437 for example) mapping + from lower to upper case may be non-symmetrical. For example, in + code page 437 lower case a acute maps to a plain upper case A + when going from lower to upper case, but plain upper case A maps + to plain lower case a when lower casing a character. </P +><P +>A binary Samba codepage definition file is a binary + representation of the same information, including a value that + specifies what codepage this file is describing. </P +><P +>As Samba does not yet use UNICODE (current for Samba version 2.2) + you must specify the client code page that your DOS and Windows + clients are using if you wish to have case insensitivity done + correctly for your particular language. The default codepage Samba + uses is 850 (Western European). Text codepage definition sample files + are provided in the Samba distribution for codepages 437 (USA), 737 (Greek), + 850 (Western European) 852 (MS-DOS Latin 2), 861 (Icelandic), 866 (Cyrillic), + 932 (Kanji SJIS), 936 (Simplified Chinese), 949 (Hangul) and 950 (Traditional + Chinese). Users are encouraged to write text codepage definition files for + their own code pages and donate them to samba@samba.org. All codepage files + in the Samba <TT +CLASS="FILENAME" +>source/codepages</TT +> directory are + compiled and installed when a <B +CLASS="COMMAND" +>'make install'</B +> + command is issued there. </P +><P +>The client codepage used by the <B +CLASS="COMMAND" +>smbd</B +> server + is configured using the <B +CLASS="COMMAND" +>client code page</B +> parameter + in the <B +CLASS="COMMAND" +>smb.conf</B +> file. </P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN58" +></A +><H2 +>Files</H2 +><P +><B +CLASS="COMMAND" +>codepage_def.<codepage></B +></P +><P +>These are the input (text) codepage files provided in the + Samba <TT +CLASS="FILENAME" +>source/codepages</TT +> directory.</P +><P +>A text codepage definition file consists of multiple lines + containing four fields. These fields are:</P +><P +></P +><UL +><LI +><P +><B +CLASS="COMMAND" +>lower</B +>: which is the + (hex) lower case character mapped on this line.</P +></LI +><LI +><P +><B +CLASS="COMMAND" +>upper</B +>: which is the (hex) + upper case character that the lower case character will map to. + </P +></LI +><LI +><P +><B +CLASS="COMMAND" +>map upper to lower</B +> which + is a boolean value (put either True or False here) which tells + Samba if it is to map the given upper case character to the + given lower case character when lower casing a filename. + </P +></LI +><LI +><P +><B +CLASS="COMMAND" +>map lower to upper</B +> which + is a boolean value (put either True or False here) which tells + Samba if it is to map the given lower case character to the + given upper case character when upper casing a filename. + </P +></LI +></UL +><P +><B +CLASS="COMMAND" +>codepage.<codepage></B +> - These are the + output (binary) codepage files produced and placed in the Samba + destination <TT +CLASS="FILENAME" +>lib/codepage</TT +> directory. </P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN81" +></A +><H2 +>Installation</H2 +><P +>The location of the server and its support files is a + matter for individual system administrators. The following are + thus suggestions only. </P +><P +>It is recommended that the <B +CLASS="COMMAND" +>make_smbcodepage + </B +> program be installed under the <TT +CLASS="FILENAME" +>/usr/local/samba + </TT +> hierarchy, in a directory readable by all, writeable + only by root. The program itself should be executable by all. The + program should NOT be setuid or setgid! </P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN87" +></A +><H2 +>VERSION</H2 +><P +>This man page is correct for version 2.2 of + the Samba suite.</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN90" +></A +><H2 +>SEE ALSO</H2 +><P +><A +HREF="smbd.8.html" +TARGET="_top" +><B +CLASS="COMMAND" +>smbd(8)</B +></A +>, + <A +HREF="smb.conf.5.html" +TARGET="_top" +>smb.conf(5)</A +> + </P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN96" +></A +><H2 +>AUTHOR</H2 +><P +>The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed.</P +><P +>The original Samba man pages were written by Karl Auer. + The man page sources were converted to YODL format (another + excellent piece of Open Source software, available at + <A +HREF="ftp://ftp.icce.rug.nl/pub/unix/" +TARGET="_top" +> ftp://ftp.icce.rug.nl/pub/unix/</A +>) and updated for the Samba 2.0 + release by Jeremy Allison. The conversion to DocBook for + Samba 2.2 was done by Gerald Carter</P +></DIV +></BODY +></HTML +>
\ No newline at end of file diff --git a/docs/htmldocs/nmbd.8.html b/docs/htmldocs/nmbd.8.html index 12f8178cfa3..4f7f71fe700 100644 --- a/docs/htmldocs/nmbd.8.html +++ b/docs/htmldocs/nmbd.8.html @@ -1,206 +1,682 @@ - - - - - - -<html><head><title>nmbd</title> - -<link rev="made" href="mailto:samba@samba.org"> -</head> -<body> - -<hr> - -<h1>nmbd</h1> -<h2>Samba</h2> -<h2>23 Oct 1998</h2> - - - -<p><a name="NAME"></a> -<h2>NAME</h2> - nmbd - NetBIOS name server to provide NetBIOS over IP -naming services to clients -<p><a name="SYNOPSIS"></a> -<h2>SYNOPSIS</h2> - -<p><strong>nmbd</strong> [<a href="nmbd.8.html#minusD">-D</a>] [<a href="nmbd.8.html#minusa">-a</a>] [<a href="nmbd.8.html#minuso">-o</a>] [<a href="nmbd.8.html#minush">-h</a>] [<a href="nmbd.8.html#minusV">-V</a>] [<a href="nmbd.8.html#minusH">-H lmhosts file</a>] [<a href="nmbd.8.html#minusd">-d debuglevel</a>] [<a href="nmbd.8.html#minusl">-l log file basename</a>] [<a href="nmbd.8.html#minusn">-n primary NetBIOS name</a>] [<a href="nmbd.8.html#minusp">-p port number</a>] [<a href="nmbd.8.html#minuss">-s configuration file</a>] -<p><a name="DESCRIPTION"></a> -<h2>DESCRIPTION</h2> - -<p>This program is part of the <strong>Samba</strong> suite. -<p><strong>nmbd</strong> is a server that understands and can reply to NetBIOS over IP -name service requests, like those produced by SMBD/CIFS clients such -as Windows 95/98, Windows NT and LanManager clients. It also -participates in the browsing protocols which make up the Windows -"Network Neighborhood" view. -<p>SMB/CIFS clients, when they start up, may wish to locate an SMB/CIFS -server. That is, they wish to know what IP number a specified host is -using. -<p>Amongst other services, <strong>nmbd</strong> will listen for such requests, -and if its own NetBIOS name is specified it will respond with the IP -number of the host it is running on. Its "own NetBIOS name" is by -default the primary DNS name of the host it is running on, but this -can be overridden with the <strong>-n</strong> option (see <a href="nmbd.8.html#OPTIONS">OPTIONS</a> below). Thus -<strong>nmbd</strong> will reply to broadcast queries for its own name(s). Additional -names for <strong>nmbd</strong> to respond on can be set via parameters in the -<a href="smb.conf.5.html"><strong>smb.conf(5)</strong></a> configuration file. -<p><strong>nmbd</strong> can also be used as a WINS (Windows Internet Name Server) -server. What this basically means is that it will act as a WINS -database server, creating a database from name registration requests -that it receives and replying to queries from clients for these names. -<p>In addition, <strong>nmbd</strong> can act as a WINS proxy, relaying broadcast queries -from clients that do not understand how to talk the WINS protocol to a -WIN server. -<p><a name="OPTIONS"></a> -<h2>OPTIONS</h2> - -<p><dl> -<p><a name="minusD"></a> -<p></p><dt><strong><strong>-D</strong></strong><dd> If specified, this parameter causes <strong>nmbd</strong> to operate -as a daemon. That is, it detaches itself and runs in the background, -fielding requests on the appropriate port. By default, <strong>nmbd</strong> will -NOT operate as a daemon. nmbd can also be operated from the inetd -meta-daemon, although this is not recommended. -<p><a name="minusa"></a> -<p></p><dt><strong><strong>-a</strong></strong><dd> If this parameter is specified, each new connection will -append log messages to the log file. This is the default. -<p><a name="minuso"></a> -<p></p><dt><strong><strong>-o</strong></strong><dd> If this parameter is specified, the log files will be -overwritten when opened. By default, the log files will be appended -to. -<p><a name="minush"></a> -<p></p><dt><strong><strong>-h</strong></strong><dd> Prints the help information (usage) for <strong>nmbd</strong>. -<p><a name="minusV"></a> -<p></p><dt><strong><strong>-V</strong></strong><dd> Prints the version number for <strong>nmbd</strong>. -<p><a name="minusH"></a> -<p></p><dt><strong><strong>-H filename</strong></strong><dd> NetBIOS lmhosts file. -<p>The lmhosts file is a list of NetBIOS names to IP addresses that is -loaded by the nmbd server and used via the name resolution mechanism -<a href="smb.conf.5.html#nameresolveorder"><strong>name resolve order</strong></a> described in -<a href="smb.conf.5.html"><strong>smb.conf (5)</strong></a> to resolve any -NetBIOS name queries needed by the server. Note that the contents of -this file are <em>NOT</em> used by <strong>nmbd</strong> to answer any name queries. Adding -a line to this file affects name NetBIOS resolution from this host -<em>ONLY</em>. -<p>The default path to this file is compiled into Samba as part of the -build process. Common defaults are <em>/usr/local/samba/lib/lmhosts</em>, -<em>/usr/samba/lib/lmhosts</em> or <em>/etc/lmhosts</em>. See the -<a href="lmhosts.5.html"><strong>lmhosts (5)</strong></a> man page for details on the contents of this file. -<p><a name="minusd"></a> -<p></p><dt><strong><strong>-d debuglevel</strong></strong><dd> debuglevel is an integer from 0 to 10. -<p>The default value if this parameter is not specified is zero. -<p>The higher this value, the more detail will be logged to the log files -about the activities of the server. At level 0, only critical errors -and serious warnings will be logged. Level 1 is a reasonable level for -day to day running - it generates a small amount of information about -operations carried out. -<p>Levels above 1 will generate considerable amounts of log data, and -should only be used when investigating a problem. Levels above 3 are -designed for use only by developers and generate HUGE amounts of log -data, most of which is extremely cryptic. -<p>Note that specifying this parameter here will override the <a href="smb.conf.5.html#loglevel"><strong>log -level</strong></a> parameter in the <a href="smb.conf.5.html"><strong>smb.conf -(5)</strong></a> file. -<p><a name="minusl"></a> -<p></p><dt><strong><strong>-l logfile</strong></strong><dd> The <strong>-l</strong> parameter specifies a path and base -filename into which operational data from the running nmbd server will -be logged. The actual log file name is generated by appending the -extension ".nmb" to the specified base name. For example, if the name -specified was "log" then the file log.nmb would contain the debugging -data. -<p>The default log file path is compiled into Samba as part of the -build process. Common defaults are <em>/usr/local/samba/var/log.nmb</em>, -<em>/usr/samba/var/log.nmb</em> or <em>/var/log/log.nmb</em>. -<p><a name="minusn"></a> -<p></p><dt><strong><strong>-n primary NetBIOS name</strong></strong><dd> This option allows you to override -the NetBIOS name that Samba uses for itself. This is identical to -setting the <a href="smb.conf.5.html#netbiosname"><strong>NetBIOS name</strong></a> parameter -in the <a href="smb.conf.5.html"><strong>smb.conf</strong></a> file -but will override the setting in the <a href="smb.conf.5.html"><strong>smb.conf</strong></a> file. -<p><a name="minusp"></a> -<p></p><dt><strong><strong>-p UDP port number</strong></strong><dd> UDP port number is a positive integer value. -<p>This option changes the default UDP port number (normally 137) that -<strong>nmbd</strong> responds to name queries on. Don't use this option unless you are -an expert, in which case you won't need help! -<p><a name="minuss"></a> -<p></p><dt><strong><strong>-s configuration file</strong></strong><dd> The default configuration file name is -set at build time, typically as <em>/usr/local/samba/lib/smb.conf</em>, but -this may be changed when Samba is autoconfigured. -<p>The file specified contains the configuration details required by the -server. See <a href="smb.conf.5.html"><strong>smb.conf (5)</strong></a> for more information. -<p></dl> -<p><a name="FILES"></a> -<h2>FILES</h2> - -<p><strong>/etc/inetd.conf</strong> -<p>If the server is to be run by the inetd meta-daemon, this file must -contain suitable startup information for the meta-daemon. -<p><strong>/etc/rc</strong> -<p>(or whatever initialization script your system uses). -<p>If running the server as a daemon at startup, this file will need to -contain an appropriate startup sequence for the server. -<p><strong>/usr/local/samba/lib/smb.conf</strong> -<p>This is the default location of the -<a href="smb.conf.5.html"><strong>smb.conf</strong></a> server configuration -file. Other common places that systems install this file are -<em>/usr/samba/lib/smb.conf</em> and <em>/etc/smb.conf</em>. -<p>When run as a <strong>WINS</strong> server (see the <a href="smb.conf.5.html#winssupport"><strong>wins support</strong></a> -parameter in the <a href="smb.conf.5.html"><strong>smb.conf (5)</strong></a> man page), <strong>nmbd</strong> will -store the WINS database in the file <code>wins.dat</code> in the <code>var/locks</code> directory -configured under wherever Samba was configured to install itself. -<p>If <strong>nmbd</strong> is acting as a <strong>browse master</strong> (see the <a href="smb.conf.5.html#localmaster"><strong>local master</strong></a> -parameter in the <a href="smb.conf.5.html"><strong>smb.conf (5)</strong></a> man page), <strong>nmbd</strong> will -store the browsing database in the file <code>browse.dat</code> in the <code>var/locks</code> directory -configured under wherever Samba was configured to install itself. -<p><a name="SIGNALS"></a> -<h2>SIGNALS</h2> - -<p>To shut down an <strong>nmbd</strong> process it is recommended that SIGKILL (-9) -<em>NOT</em> be used, except as a last resort, as this may leave the name -database in an inconsistent state. The correct way to terminate -<strong>nmbd</strong> is to send it a SIGTERM (-15) signal and wait for it to die on -its own. -<p><strong>nmbd</strong> will accept SIGHUP, which will cause it to dump out it's -namelists into the file <code>namelist.debug</code> in the -<em>/usr/local/samba/var/locks</em> directory (or the <em>var/locks</em> -directory configured under wherever Samba was configured to install -itself). This will also cause <strong>nmbd</strong> to dump out it's server database in -the log.nmb file. In addition, the debug log level of nmbd may be raised -by sending it a SIGUSR1 (<code>kill -USR1 <nmbd-pid></code>) and lowered by sending it a -SIGUSR2 (<code>kill -USR2 <nmbd-pid></code>). This is to allow transient -problems to be diagnosed, whilst still running at a normally low log -level. -<p><a name="VERSION"></a> -<h2>VERSION</h2> - -<p>This man page is correct for version 2.0 of the Samba suite. -<p><a name="SEEALSO"></a> -<h2>SEE ALSO</h2> - -<p><strong>inetd (8)</strong>, <a href="smbd.8.html"><strong>smbd (8)</strong></a>, <a href="smb.conf.5.html"><strong>smb.conf -(5)</strong></a>, <a href="smbclient.1.html"><strong>smbclient (1)</strong></a>, -<a href="testparm.1.html"><strong>testparm (1)</strong></a>, <a href="testprns.1.html"><strong>testprns -(1)</strong></a>, and the Internet RFC's <strong>rfc1001.txt</strong>, -<strong>rfc1002.txt</strong>. In addition the CIFS (formerly SMB) specification is -available as a link from the Web page : -<a href="http://samba.org/cifs/">http://samba.org/cifs/</a>. -<p><a name="AUTHOR"></a> -<h2>AUTHOR</h2> - -<p>The original Samba software and related utilities were created by -Andrew Tridgell <a href="mailto:samba@samba.org"><em>samba@samba.org</em></a>. Samba is now developed -by the Samba Team as an Open Source project similar to the way the -Linux kernel is developed. -<p>The original Samba man pages were written by Karl Auer. The man page -sources were converted to YODL format (another excellent piece of Open -Source software, available at -<a href="ftp://ftp.icce.rug.nl/pub/unix/"><strong>ftp://ftp.icce.rug.nl/pub/unix/</strong></a>) -and updated for the Samba2.0 release by Jeremy Allison. -<a href="mailto:samba@samba.org"><em>samba@samba.org</em></a>. -<p>See <a href="samba.7.html"><strong>samba (7)</strong></a> to find out how to get a full -list of contributors and details on how to submit bug reports, -comments etc. -</body> -</html> +<HTML +><HEAD +><TITLE +>nmbd</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.57"></HEAD +><BODY +CLASS="REFENTRY" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><H1 +><A +NAME="NMBD" +>nmbd</A +></H1 +><DIV +CLASS="REFNAMEDIV" +><A +NAME="AEN5" +></A +><H2 +>Name</H2 +>nmbd -- NetBIOS name server to provide NetBIOS + over IP naming services to clients</DIV +><DIV +CLASS="REFSYNOPSISDIV" +><A +NAME="AEN8" +></A +><H2 +>Synopsis</H2 +><P +><B +CLASS="COMMAND" +>smbd</B +> [-D] [-a] [-o] [-P] [-h] [-V] [-d <debug level>] [-H <lmhosts file>] [-l <log file>] [-n <primary netbios name>] [-p <port number>] [-s <configuration file>]</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN23" +></A +><H2 +>DESCRIPTION</H2 +><P +>This program is part of the Samba suite.</P +><P +><B +CLASS="COMMAND" +>nmbd</B +> is a server that understands + and can reply to NetBIOS over IP name service requests, like + those produced by SMBD/CIFS clients such as Windows 95/98/ME, + Windows NT, Windows 2000, and LanManager clients. It also + participates in the browsing protocols which make up the + Windows "Network Neighborhood" view.</P +><P +>SMB/CIFS clients, when they start up, may wish to + locate an SMB/CIFS server. That is, they wish to know what + IP number a specified host is using.</P +><P +>Amongst other services, <B +CLASS="COMMAND" +>nmbd</B +> will + listen for such requests, and if its own NetBIOS name is + specified it will respond with the IP number of the host it + is running on. Its "own NetBIOS name" is by + default the primary DNS name of the host it is running on, + but this can be overridden with the <I +CLASS="EMPHASIS" +>-n</I +> + option (see OPTIONS below). Thus <B +CLASS="COMMAND" +>nmbd</B +> will + reply to broadcast queries for its own name(s). Additional + names for <B +CLASS="COMMAND" +>nmbd</B +> to respond on can be set + via parameters in the <A +HREF="smb.conf.5.html" +TARGET="_top" +><TT +CLASS="FILENAME" +> smb.conf(5)</TT +></A +> configuration file.</P +><P +><B +CLASS="COMMAND" +>nmbd</B +> can also be used as a WINS + (Windows Internet Name Server) server. What this basically means + is that it will act as a WINS database server, creating a + database from name registration requests that it receives and + replying to queries from clients for these names.</P +><P +>In addition, <B +CLASS="COMMAND" +>nmbd</B +> can act as a WINS + proxy, relaying broadcast queries from clients that do + not understand how to talk the WINS protocol to a WIN + server.</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN40" +></A +><H2 +>OPTIONS</H2 +><P +></P +><DIV +CLASS="VARIABLELIST" +><DL +><DT +>-D</DT +><DD +><P +>If specified, this parameter causes + <B +CLASS="COMMAND" +>nmbd</B +> to operate as a daemon. That is, + it detaches itself and runs in the background, fielding + requests on the appropriate port. By default, <B +CLASS="COMMAND" +>nmbd</B +> + will operate as a daemon if launched from a command shell. + nmbd can also be operated from the <B +CLASS="COMMAND" +>inetd</B +> + meta-daemon, although this is not recommended. + </P +></DD +><DT +>-a</DT +><DD +><P +>If this parameter is specified, each new + connection will append log messages to the log file. + This is the default.</P +></DD +><DT +>-o</DT +><DD +><P +>If this parameter is specified, the + log files will be overwritten when opened. By default, + <B +CLASS="COMMAND" +>smbd</B +> will append entries to the log + files.</P +></DD +><DT +>-h</DT +><DD +><P +>Prints the help information (usage) + for <B +CLASS="COMMAND" +>nmbd</B +>.</P +></DD +><DT +>-H <filename></DT +><DD +><P +>NetBIOS lmhosts file. The lmhosts + file is a list of NetBIOS names to IP addresses that + is loaded by the nmbd server and used via the name + resolution mechanism <A +HREF="smb.conf.5.html#nameresolveorder" +TARGET="_top" +> name resolve order</A +> described in <A +HREF="smb.conf.5.html" +TARGET="_top" +> <TT +CLASS="FILENAME" +>smb.conf(5)</TT +></A +> + to resolve any NetBIOS name queries needed by the server. Note + that the contents of this file are <I +CLASS="EMPHASIS" +>NOT</I +> + used by <B +CLASS="COMMAND" +>nmbd</B +> to answer any name queries. + Adding a line to this file affects name NetBIOS resolution + from this host <I +CLASS="EMPHASIS" +>ONLY</I +>.</P +><P +>The default path to this file is compiled into + Samba as part of the build process. Common defaults + are <TT +CLASS="FILENAME" +>/usr/local/samba/lib/lmhosts</TT +>, + <TT +CLASS="FILENAME" +>/usr/samba/lib/lmhosts</TT +> or + <TT +CLASS="FILENAME" +>/etc/lmhosts</TT +>. See the <A +HREF="lmhosts.5.html" +TARGET="_top" +> <TT +CLASS="FILENAME" +>lmhosts(5)</TT +></A +> man page for details on the + contents of this file.</P +></DD +><DT +>-V</DT +><DD +><P +>Prints the version number for + <B +CLASS="COMMAND" +>nmbd</B +>.</P +></DD +><DT +>-d <debug level></DT +><DD +><P +>debuglevel is an integer + from 0 to 10. The default value if this parameter is + not specified is zero.</P +><P +>The higher this value, the more detail will + be logged to the log files about the activities of the + server. At level 0, only critical errors and serious + warnings will be logged. Level 1 is a reasonable level for + day to day running - it generates a small amount of + information about operations carried out.</P +><P +>Levels above 1 will generate considerable amounts + of log data, and should only be used when investigating + a problem. Levels above 3 are designed for use only by developers + and generate HUGE amounts of log data, most of which is extremely + cryptic.</P +><P +>Note that specifying this parameter here will override + the <A +HREF="smb.conf.5.html#loglevel" +TARGET="_top" +>log level</A +> + parameter in the <A +HREF="smb.conf.5.html" +TARGET="_top" +><TT +CLASS="FILENAME" +> smb.conf</TT +></A +> file.</P +></DD +><DT +>-l <log file></DT +><DD +><P +>The -l parameter specifies a path + and base filename into which operational data from + the running <B +CLASS="COMMAND" +>nmbd</B +> server will + be logged. The actual log file name is generated by + appending the extension ".nmb" to the specified base + name. For example, if the name specified was "log" + then the file log.nmb would contain the debugging data.</P +><P +>The default log file path is compiled into Samba as + part of the build process. Common defaults are <TT +CLASS="FILENAME" +> /usr/local/samba/var/log.nmb</TT +>, <TT +CLASS="FILENAME" +> /usr/samba/var/log.nmb</TT +> or + <TT +CLASS="FILENAME" +>/var/log/log.nmb</TT +>.</P +></DD +><DT +>-n <primary NetBIOS name></DT +><DD +><P +>This option allows you to override + the NetBIOS name that Samba uses for itself. This is identical + to setting the <A +HREF="smb.conf.5.html#netbiosname" +TARGET="_top" +> NetBIOS name</A +> parameter in the <A +HREF="smb.conf.5.html" +TARGET="_top" +> + <TT +CLASS="FILENAME" +>smb.conf</TT +></A +> file. However, a command + line setting will take precedence over settings in + <TT +CLASS="FILENAME" +>smb.conf</TT +>.</P +></DD +><DT +>-p <UDP port number></DT +><DD +><P +>UDP port number is a positive integer value. + This option changes the default UDP port number (normally 137) + that <B +CLASS="COMMAND" +>nmbd</B +> responds to name queries on. Don't + use this option unless you are an expert, in which case you + won't need help!</P +></DD +><DT +>-s <configuration file></DT +><DD +><P +>The default configuration file name + is set at build time, typically as <TT +CLASS="FILENAME" +> /usr/local/samba/lib/smb.conf</TT +>, but + this may be changed when Samba is autoconfigured.</P +><P +>The file specified contains the configuration details + required by the server. See <A +HREF="smb.conf.5.html" +TARGET="_top" +> + <TT +CLASS="FILENAME" +>smb.conf(5)</TT +></A +> for more information. + </P +></DD +></DL +></DIV +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN125" +></A +><H2 +>FILES</H2 +><P +></P +><DIV +CLASS="VARIABLELIST" +><DL +><DT +><TT +CLASS="FILENAME" +>/etc/inetd.conf</TT +></DT +><DD +><P +>If the server is to be run by the + <B +CLASS="COMMAND" +>inetd</B +> meta-daemon, this file + must contain suitable startup information for the + meta-daemon. See the section INSTALLATION below. + </P +></DD +><DT +><TT +CLASS="FILENAME" +>/etc/rc</TT +></DT +><DD +><P +>or whatever initialization script your + system uses).</P +><P +>If running the server as a daemon at startup, + this file will need to contain an appropriate startup + sequence for the server. See the section INSTALLATION + below.</P +></DD +><DT +><TT +CLASS="FILENAME" +>/etc/services</TT +></DT +><DD +><P +>If running the server via the + meta-daemon <B +CLASS="COMMAND" +>inetd</B +>, this file + must contain a mapping of service name (e.g., netbios-ssn) + to service port (e.g., 139) and protocol type (e.g., tcp). + See the section INSTALLATION below.</P +></DD +><DT +><TT +CLASS="FILENAME" +>/usr/local/samba/lib/smb.conf</TT +></DT +><DD +><P +>This is the default location of the + <A +HREF="smb.conf.5.html" +TARGET="_top" +><TT +CLASS="FILENAME" +>smb.conf</TT +></A +> + server configuration file. Other common places that systems + install this file are <TT +CLASS="FILENAME" +>/usr/samba/lib/smb.conf</TT +> + and <TT +CLASS="FILENAME" +>/etc/smb.conf</TT +>.</P +><P +>When run as a WINS server (see the + <A +HREF="smb.conf.5.html#winssupport" +TARGET="_top" +>wins support</A +> + parameter in the <A +HREF="smb.conf.5.html" +TARGET="_top" +><TT +CLASS="FILENAME" +> smb.conf(5)</TT +></A +> man page), <B +CLASS="COMMAND" +>nmbd</B +> + will store the WINS database in the file <TT +CLASS="FILENAME" +>wins.dat</TT +> + in the <TT +CLASS="FILENAME" +>var/locks</TT +> directory configured under + wherever Samba was configured to install itself.</P +><P +>If <B +CLASS="COMMAND" +>nmbd</B +> is acting as a <I +CLASS="EMPHASIS" +> browse master</I +> (see the <A +HREF="smb.conf.5.html#localmaster" +TARGET="_top" +>local master</A +> + parameter in the <A +HREF="smb.conf.5.html" +TARGET="_top" +><TT +CLASS="FILENAME" +> smb.conf(5)</TT +></A +> man page), <B +CLASS="COMMAND" +>nmbd</B +> + will store the browsing database in the file <TT +CLASS="FILENAME" +>browse.dat + </TT +> in the <TT +CLASS="FILENAME" +>var/locks</TT +> directory + configured under wherever Samba was configured to install itself. + </P +></DD +></DL +></DIV +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN171" +></A +><H2 +>SIGNALS</H2 +><P +>To shut down an <B +CLASS="COMMAND" +>nmbd</B +> process it is recommended + that SIGKILL (-9) <I +CLASS="EMPHASIS" +>NOT</I +> be used, except as a last + resort, as this may leave the name database in an inconsistent state. + The correct way to terminate <B +CLASS="COMMAND" +>nmbd</B +> is to send it + a SIGTERM (-15) signal and wait for it to die on its own.</P +><P +><B +CLASS="COMMAND" +>nmbd</B +> will accept SIGHUP, which will cause + it to dump out it's namelists into the file <TT +CLASS="FILENAME" +>namelist.debug + </TT +> in the <TT +CLASS="FILENAME" +>/usr/local/samba/var/locks</TT +> + directory (or the <TT +CLASS="FILENAME" +>var/locks</TT +> directory configured + under wherever Samba was configured to install itself). This will also + cause <B +CLASS="COMMAND" +>nmbd</B +> to dump out it's server database in + the <TT +CLASS="FILENAME" +>log.nmb</TT +> file. In addition, the debug log level + of nmbd may be raised by sending it a SIGUSR1 (<B +CLASS="COMMAND" +>kill -USR1 + <nmbd-pid></B +>) and lowered by sending it a + SIGUSR2 (<B +CLASS="COMMAND" +>kill -USR2 <nmbd-pid></B +>). This is to + allow transient problems to be diagnosed, whilst still running at a + normally low log level.</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN186" +></A +><H2 +>VERSION</H2 +><P +>This man page is correct for version 2.2 of + the Samba suite.</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN189" +></A +><H2 +>SEE ALSO</H2 +><P +><B +CLASS="COMMAND" +>inetd(8)</B +>, <A +HREF="smbd.8.html" +TARGET="_top" +><B +CLASS="COMMAND" +>smbd(8)</B +></A +>, + <A +HREF="smb.conf.5.html" +TARGET="_top" +><TT +CLASS="FILENAME" +>smb.conf(5)</TT +> + </A +>, <A +HREF="smbclient.1.html" +TARGET="_top" +><B +CLASS="COMMAND" +>smbclient(1) + </B +></A +>, <A +HREF="testparm.1.html" +TARGET="_top" +><B +CLASS="COMMAND" +> testparm(1)</B +></A +>, <A +HREF="testprns.1.html" +TARGET="_top" +> <B +CLASS="COMMAND" +>testprns(1)</B +></A +>, and the Internet RFC's + <TT +CLASS="FILENAME" +>rfc1001.txt</TT +>, <TT +CLASS="FILENAME" +>rfc1002.txt</TT +>. + In addition the CIFS (formerly SMB) specification is available + as a link from the Web page <A +HREF="http://samba.org/cifs/" +TARGET="_top" +> + http://samba.org/cifs/</A +>.</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN206" +></A +><H2 +>AUTHOR</H2 +><P +>The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed.</P +><P +>The original Samba man pages were written by Karl Auer. + The man page sources were converted to YODL format (another + excellent piece of Open Source software, available at + <A +HREF="ftp://ftp.icce.rug.nl/pub/unix/" +TARGET="_top" +> ftp://ftp.icce.rug.nl/pub/unix/</A +>) and updated for the Samba 2.0 + release by Jeremy Allison. The conversion to DocBook for + Samba 2.2 was done by Gerald Carter</P +></DIV +></BODY +></HTML +>
\ No newline at end of file diff --git a/docs/htmldocs/nmblookup.1.html b/docs/htmldocs/nmblookup.1.html index 57effe149d3..71503708752 100644 --- a/docs/htmldocs/nmblookup.1.html +++ b/docs/htmldocs/nmblookup.1.html @@ -1,153 +1,396 @@ - - - - - - -<html><head><title>nmblookup (1)</title> - -<link rev="made" href="mailto:samba@samba.org"> -</head> -<body> - -<hr> - -<h1>nmblookup (1)</h1> -<h2>Samba</h2> -<h2>23 Oct 1998</h2> - - - -<p><a name="NAME"></a> -<h2>NAME</h2> - nmblookup - NetBIOS over TCP/IP client used to lookup NetBIOS names -<p><a name="SYNOPSIS"></a> -<h2>SYNOPSIS</h2> - -<p><strong>nmblookup</strong> [<a href="nmblookup.1.html#minusM">-M</a>] [<a href="nmblookup.1.html#minusR">-R</a>] [<a href="nmblookup.1.html#minusS">-S</a>] [<a href="nmblookup.1.html#minusr">-r</a>] [<a href="nmblookup.1.html#minusA">-A</a>] [<a href="nmblookup.1.html#minush">-h</a>] [<a href="nmblookup.1.html#minusB">-B broadcast address</a>] [<a href="nmblookup.1.html#minusU">-U unicast address</a>] [<a href="nmblookup.1.html#minusd">-d debuglevel</a>] [<a href="nmblookup.1.html#minuss">-s smb config file</a>] [<a href="nmblookup.1.html#minusi">-i NetBIOS scope</a>] [<a href="nmblookup.1.html#minusT">-T</a>] <a href="nmblookup.1.html#name">name</a> -<p><a name="DESCRIPTION"></a> -<h2>DESCRIPTION</h2> - -<p>This program is part of the <strong>Samba</strong> suite. -<p><strong>nmblookup</strong> is used to query NetBIOS names and map them to IP -addresses in a network using NetBIOS over TCP/IP queries. The options -allow the name queries to be directed at a particular IP broadcast area -or to a particular machine. All queries are done over UDP. -<p><a name="OPTIONS"></a> -<h2>OPTIONS</h2> - -<p><dl> -<p><a name="minusM"></a> -<p></p><dt><strong><strong>-M</strong></strong><dd> Searches for a master browser by looking up the -NetBIOS name <a href="nmblookup.1.html#name"><strong>name</strong></a> with a type of 0x1d. If <a href="nmblookup.1.html#name"><strong>name</strong></a> -is <code>"-"</code> then it does a lookup on the special name <code>__MSBROWSE__</code>. -<p><a name="minusR"></a> -<p></p><dt><strong><strong>-R</strong></strong><dd> Set the recursion desired bit in the packet to do a -recursive lookup. This is used when sending a name query to a machine -running a WINS server and the user wishes to query the names in the -WINS server. If this bit is unset the normal (broadcast responding) -NetBIOS processing code on a machine is used instead. See rfc1001, -rfc1002 for details. -<p><a name="minusS"></a> -<p></p><dt><strong><strong>-S</strong></strong><dd> Once the name query has returned an IP address then do a -node status query as well. A node status query returns the NetBIOS names -registered by a host. -<p><a name="minusr"></a> -<p></p><dt><strong><strong>-r</strong></strong><dd> Try and bind to UDP port 137 to send and receive UDP -datagrams. The reason for this option is a bug in Windows 95 where it -ignores the source port of the requesting packet and only replies to -UDP port 137. Unfortunately, on most UNIX systems root privilage is -needed to bind to this port, and in addition, if the -<a href="nmbd.8.html"><strong>nmbd</strong></a> daemon is running on this machine it also -binds to this port. -<p><a name="minusA"></a> -<p></p><dt><strong><strong>-A</strong></strong><dd> Interpret <name> as an IP Address and do a node status -query on this address. -<p><a name="minush"></a> -<p></p><dt><strong><strong>-h</strong></strong><dd> Print a help (usage) message. -<p><a name="minusB"></a> -<p></p><dt><strong><strong>-B broadcast address</strong></strong><dd> Send the query to the given broadcast -address. Without this option the default behavior of nmblookup is to -send the query to the broadcast address of the network -interfaces as either auto-detected or defined in the -<a href="smb.conf.5.html#interfaces"><strong>interfaces</strong></a> parameter of the -<a href="smb.conf.5.html"><strong>smb.conf (5)</strong></a> file. -<p><a name="minusU"></a> -<p></p><dt><strong><strong>-U unicast address</strong></strong><dd> Do a unicast query to the specified -address or host <code>"unicast address"</code>. This option (along with the -<a href="nmblookup.1.html#minusR"><strong>-R</strong></a> option) is needed to query a WINS server. -<p><a name="minusd"></a> -<p></p><dt><strong><strong>-d debuglevel</strong></strong><dd> debuglevel is an integer from 0 to 10. -<p>The default value if this parameter is not specified is zero. -<p>The higher this value, the more detail will be logged about the -activities of <strong>nmblookup</strong>. At level 0, only critical errors and -serious warnings will be logged. -<p>Levels above 1 will generate considerable amounts of log data, and -should only be used when investigating a problem. Levels above 3 are -designed for use only by developers and generate HUGE amounts of -data, most of which is extremely cryptic. -<p>Note that specifying this parameter here will override the <a href="smb.conf.5.html#loglevel"><strong>log -level</strong></a> parameter in the <a href="smb.conf.5.html"><strong>smb.conf -(5)</strong></a> file. -<p><a name="minuss"></a> -<p></p><dt><strong><strong>-s smb.conf</strong></strong><dd> This parameter specifies the pathname to the -Samba configuration file, <a href="smb.conf.5.html"><strong>smb.conf</strong></a>. -This file controls all aspects of -the Samba setup on the machine. -<p><a name="minusi"></a> -<p></p><dt><strong><strong>-i scope</strong></strong><dd> This specifies a NetBIOS scope that <strong>nmblookup</strong> will use -to communicate with when generating NetBIOS names. For details on the -use of NetBIOS scopes, see rfc1001.txt and rfc1002.txt. NetBIOS scopes -are <em>very</em> rarely used, only set this parameter if you are the -system administrator in charge of all the NetBIOS systems you -communicate with. -<p><a name="minusT"></a> -<p></p><dt><strong><strong>-T</strong></strong><dd> This causes any IP addresses found in the lookup to be -looked up via a reverse DNS lookup into a DNS name, and printed out -before each <code>"IP address NetBIOS name"</code> pair that is the normal -output. -<p><a name="name"></a> -<p></p><dt><strong><strong>name</strong></strong><dd> This is the NetBIOS name being queried. Depending upon -the previous options this may be a NetBIOS name or IP address. If a -NetBIOS name then the different name types may be specified by -appending <code>#<type></code> to the name. This name may also be <code>"*"</code>, -which will return all registered names within a broadcast area. -<p></dl> -<p><a name="EXAMPLES"></a> -<h2>EXAMPLES</h2> - -<p><strong>nmblookup</strong> can be used to query a WINS server (in the same way -<strong>nslookup</strong> is used to query DNS servers). To query a WINS server, -<strong>nmblookup</strong> must be called like this: -<p><code>nmblookup -U server -R 'name'</code> -<p>For example, running : -<p><code>nmblookup -U samba.org -R IRIX#1B'</code> -<p>would query the WINS server samba.org for the domain master -browser (1B name type) for the IRIX workgroup. -<p><a name="VERSION"></a> -<h2>VERSION</h2> - -<p>This man page is correct for version 2.0 of the Samba suite. -<p><a name="SEEALSO"></a> -<h2>SEE ALSO</h2> - -<p><a href="samba.7.html"><strong>samba (7)</strong></a>, <a href="nmbd.8.html"><strong>nmbd (8)</strong></a>, -<a href="smb.conf.5.html"><strong>smb.conf (5)</strong></a> -<p><a name="AUTHOR"></a> -<h2>AUTHOR</h2> - -<p>The original Samba software and related utilities were created by -Andrew Tridgell <a href="mailto:samba@samba.org"><em>samba@samba.org</em></a>. Samba is now developed -by the Samba Team as an Open Source project similar to the way the -Linux kernel is developed. -<p>The original Samba man pages were written by Karl Auer. The man page -sources were converted to YODL format (another excellent piece of Open -Source software, available at -<a href="ftp://ftp.icce.rug.nl/pub/unix/"><strong>ftp://ftp.icce.rug.nl/pub/unix/</strong></a>) -and updated for the Samba2.0 release by Jeremy Allison. -<a href="mailto:samba@samba.org"><em>samba@samba.org</em></a>. -<p>See <a href="samba.7.html"><strong>samba (7)</strong></a> to find out how to get a full -list of contributors and details on how to submit bug reports, -comments etc. -<p></body> -</html> +<HTML +><HEAD +><TITLE +>nmblookup</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.57"></HEAD +><BODY +CLASS="REFENTRY" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><H1 +><A +NAME="NMBLOOKUP" +>nmblookup</A +></H1 +><DIV +CLASS="REFNAMEDIV" +><A +NAME="AEN5" +></A +><H2 +>Name</H2 +>nmblookup -- NetBIOS over TCP/IP client used to lookup NetBIOS + names</DIV +><DIV +CLASS="REFSYNOPSISDIV" +><A +NAME="AEN8" +></A +><H2 +>Synopsis</H2 +><P +><B +CLASS="COMMAND" +>nmblookup</B +> [-M] [-R] [-S] [-r] [-A] [-h] [-B <broadcast address>] [-U <unicast address>] [-d <debug level>] [-s <smb config file>] [-i <NetBIOS scope>] [-T] {name}</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN24" +></A +><H2 +>DESCRIPTION</H2 +><P +>This tool is part of the <A +HREF="samba.7.html" +TARGET="_top" +> Samba</A +> suite.</P +><P +><B +CLASS="COMMAND" +>nmblookup</B +> is used to query NetBIOS names + and map them to IP addresses in a network using NetBIOS over TCP/IP + queries. The options allow the name queries to be directed at a + particular IP broadcast area or to a particular machine. All queries + are done over UDP.</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN30" +></A +><H2 +>OPTIONS</H2 +><P +></P +><DIV +CLASS="VARIABLELIST" +><DL +><DT +>-M</DT +><DD +><P +>Searches for a master browser by looking + up the NetBIOS name <TT +CLASS="REPLACEABLE" +><I +>name</I +></TT +> with a + type of <TT +CLASS="CONSTANT" +>0x1d</TT +>. If <TT +CLASS="REPLACEABLE" +><I +> name</I +></TT +> is "-" then it does a lookup on the special name + <TT +CLASS="CONSTANT" +>__MSBROWSE__</TT +>.</P +></DD +><DT +>-R</DT +><DD +><P +>Set the recursion desired bit in the packet + to do a recursive lookup. This is used when sending a name + query to a machine running a WINS server and the user wishes + to query the names in the WINS server. If this bit is unset + the normal (broadcast responding) NetBIOS processing code + on a machine is used instead. See rfc1001, rfc1002 for details. + </P +></DD +><DT +>-S</DT +><DD +><P +>Once the name query has returned an IP + address then do a node status query as well. A node status + query returns the NetBIOS names registered by a host. + </P +></DD +><DT +>-r</DT +><DD +><P +>Try and bind to UDP port 137 to send and receive UDP + datagrams. The reason for this option is a bug in Windows 95 + where it ignores the source port of the requesting packet + and only replies to UDP port 137. Unfortunately, on most UNIX + systems root privilage is needed to bind to this port, and + in addition, if the <A +HREF="nmbd.8.html" +TARGET="_top" +>nmbd(8)</A +> + daemon is running on this machine it also binds to this port. + </P +></DD +><DT +>-A</DT +><DD +><P +>Interpret <TT +CLASS="REPLACEABLE" +><I +>name</I +></TT +> as + an IP Address and do a node status query on this address.</P +></DD +><DT +>-h</DT +><DD +><P +>Print a help (usage) message.</P +></DD +><DT +>-B <broadcast address></DT +><DD +><P +>Send the query to the given broadcast address. Without + this option the default behavior of nmblookup is to send the + query to the broadcast address of the network interfaces as + either auto-detected or defined in the <A +HREF="smb.conf.5.html#INTERFACES" +TARGET="_top" +><TT +CLASS="PARAMETER" +><I +>interfaces</I +></TT +> + </A +> parameter of the <TT +CLASS="FILENAME" +>smb.conf (5)</TT +> file. + </P +></DD +><DT +>-U <unicast address></DT +><DD +><P +>Do a unicast query to the specified address or + host <TT +CLASS="REPLACEABLE" +><I +>unicast address</I +></TT +>. This option + (along with the <TT +CLASS="PARAMETER" +><I +>-R</I +></TT +> option) is needed to + query a WINS server.</P +></DD +><DT +>-d <debuglevel></DT +><DD +><P +>debuglevel is an integer from 0 to 10.</P +><P +>The default value if this parameter is not specified + is zero.</P +><P +>The higher this value, the more detail will be logged + about the activities of <B +CLASS="COMMAND" +>nmblookup</B +>. At level + 0, only critical errors and serious warnings will be logged.</P +><P +>Levels above 1 will generate considerable amounts of + log data, and should only be used when investigating a problem. + Levels above 3 are designed for use only by developers and + generate HUGE amounts of data, most of which is extremely cryptic.</P +><P +>Note that specifying this parameter here will override + the <A +HREF="smb.conf.5.html#LOGLEVEL" +TARGET="_top" +><TT +CLASS="PARAMETER" +><I +> log level</I +></TT +></A +> parameter in the <TT +CLASS="FILENAME" +> smb.conf(5)</TT +> file.</P +></DD +><DT +>-s <smb.conf></DT +><DD +><P +>This parameter specifies the pathname to + the Samba configuration file, <A +HREF="smb.conf.5.html" +TARGET="_top" +> smb.conf(5)</A +>. This file controls all aspects of + the Samba setup on the machine.</P +></DD +><DT +>-i <scope></DT +><DD +><P +>This specifies a NetBIOS scope that + <B +CLASS="COMMAND" +>nmblookup</B +> will use to communicate with when + generating NetBIOS names. For details on the use of NetBIOS + scopes, see rfc1001.txt and rfc1002.txt. NetBIOS scopes are + <I +CLASS="EMPHASIS" +>very</I +> rarely used, only set this parameter + if you are the system administrator in charge of all the + NetBIOS systems you communicate with.</P +></DD +><DT +>-T</DT +><DD +><P +>This causes any IP addresses found in the + lookup to be looked up via a reverse DNS lookup into a + DNS name, and printed out before each</P +><P +><I +CLASS="EMPHASIS" +>IP address .... NetBIOS name</I +></P +><P +> pair that is the normal output.</P +></DD +><DT +>name</DT +><DD +><P +>This is the NetBIOS name being queried. Depending + upon the previous options this may be a NetBIOS name or IP address. + If a NetBIOS name then the different name types may be specified + by appending '#<type>' to the name. This name may also be + '*', which will return all registered names within a broadcast + area.</P +></DD +></DL +></DIV +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN110" +></A +><H2 +>EXAMPLES</H2 +><P +><B +CLASS="COMMAND" +>nmblookup</B +> can be used to query + a WINS server (in the same way <B +CLASS="COMMAND" +>nslookup</B +> is + used to query DNS servers). To query a WINS server, + <B +CLASS="COMMAND" +>nmblookup</B +> must be called like this:</P +><P +><B +CLASS="COMMAND" +>nmblookup -U server -R 'name'</B +></P +><P +>For example, running :</P +><P +><B +CLASS="COMMAND" +>nmblookup -U samba.org -R IRIX#1B'</B +></P +><P +>would query the WINS server samba.org for the domain + master browser (1B name type) for the IRIX workgroup.</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN122" +></A +><H2 +>VERSION</H2 +><P +>This man page is correct for version 2.2 of + the Samba suite.</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN125" +></A +><H2 +>SEE ALSO</H2 +><P +><A +HREF="nmbd.8.html" +TARGET="_top" +><B +CLASS="COMMAND" +>nmbd(8)</B +></A +>, + <A +HREF="samba.7.html" +TARGET="_top" +>samba(7)</A +>, and <A +HREF="smb.conf.5.html" +TARGET="_top" +>smb.conf(5)</A +> + </P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN132" +></A +><H2 +>AUTHOR</H2 +><P +>The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed.</P +><P +>The original Samba man pages were written by Karl Auer. + The man page sources were converted to YODL format (another + excellent piece of Open Source software, available at + <A +HREF="ftp://ftp.icce.rug.nl/pub/unix/" +TARGET="_top" +> ftp://ftp.icce.rug.nl/pub/unix/</A +>) and updated for the Samba 2.0 + release by Jeremy Allison. The conversion to DocBook for + Samba 2.2 was done by Gerald Carter</P +></DIV +></BODY +></HTML +>
\ No newline at end of file diff --git a/docs/htmldocs/samba-pdc-faq.html b/docs/htmldocs/samba-pdc-faq.html index 6ce798cd0dc..ec8efaff4bc 100644 --- a/docs/htmldocs/samba-pdc-faq.html +++ b/docs/htmldocs/samba-pdc-faq.html @@ -47,23 +47,10 @@ NAME="AEN12" >Comments, corrections and additions to <TT CLASS="EMAIL" ><<A -HREF="mailto:D.Bannon@samba.org" ->D.Bannon@samba.org</A +HREF="mailto:D.Bannon@latrobe.edu.au" +>D.Bannon@latrobe.edu.au</A >></TT ></P -><DIV -CLASS="NOTE" -><BLOCKQUOTE -CLASS="NOTE" -><P -><B ->Note: </B ->Please read the Introduction for the current <A -HREF="#AEN27" -> state of play</A ->.</P -></BLOCKQUOTE -></DIV ><P >This is the FAQ for Samba 2.2 as an NTDomain controller. This document is derived from the origional FAQ that was built and @@ -84,6 +71,19 @@ TARGET="_top" by step, over the process of setting up a very basic Samba 2.2 Primary Domain Controller </P ><DIV +CLASS="NOTE" +><BLOCKQUOTE +CLASS="NOTE" +><P +><B +>Note: </B +>Please read the Introduction for the current <A +HREF="#AEN27" +> state of play</A +>.</P +></BLOCKQUOTE +></DIV +><DIV CLASS="TOC" ><DL ><DT @@ -104,62 +104,57 @@ HREF="#AEN27" ></DT ><DT ><A -HREF="#AEN54" +HREF="#AEN50" >Introduction</A ></DT ></DL ></DD ><DT >2. <A -HREF="#AEN59" +HREF="#AEN55" >General Information</A ></DT ><DD ><DL ><DT ><A -HREF="#AEN61" +HREF="#AEN57" >What can we do ?</A ></DT ><DD ><DL ><DT ><A -HREF="#AEN63" +HREF="#AEN59" >What can Samba Primary Domain Controller (PDC) do ?</A ></DT ><DT ><A -HREF="#AEN98" +HREF="#AEN92" >Can I have a Windows 2000 client logon to a Samba controlled domain?</A ></DT ><DT ><A -HREF="#AEN101" ->Can a samba server join a Win2000 domain ?</A -></DT -><DT -><A -HREF="#AEN104" +HREF="#AEN95" >What's the status of print spool (spoolss) support in the NTDOM code?</A ></DT ></DL ></DD ><DT ><A -HREF="#AEN107" +HREF="#AEN98" >CVS</A ></DT ><DD ><DL ><DT ><A -HREF="#AEN110" +HREF="#AEN101" >What are the different Samba branches available in CVS ?</A ></DT ><DT ><A -HREF="#AEN133" +HREF="#AEN124" >What are the CVS commands ?</A ></DT ></DL @@ -168,58 +163,58 @@ HREF="#AEN133" ></DD ><DT >3. <A -HREF="#AEN164" +HREF="#AEN155" >Establishing Connections</A ></DT ><DD ><DL ><DT ><A -HREF="#AEN166" +HREF="#AEN157" ></A ></DT ><DD ><DL ><DT ><A -HREF="#AEN168" +HREF="#AEN159" >How do I get my NT4 or W2000 Workstation to login to the Samba controlled Domain?</A ></DT ><DT ><A -HREF="#AEN173" +HREF="#AEN164" >What is a 'machine account' ?</A ></DT ><DT ><A -HREF="#AEN180" +HREF="#AEN171" >"The machine account for this computer either does not exist or is not accessable."</A ></DT ><DT ><A -HREF="#AEN186" +HREF="#AEN177" >How do I create machine accounts manually ?</A ></DT ><DT ><A -HREF="#AEN199" +HREF="#AEN190" >I cannot include a '$' in a machine name.</A ></DT ><DT ><A -HREF="#AEN205" +HREF="#AEN196" >I get told "You already have a connection to the Domain...." when creating a machine account.</A ></DT ><DT ><A -HREF="#AEN209" +HREF="#AEN200" >I get told "Cannot join domain, the credentials supplied conflict with an existing set.."</A ></DT ><DT ><A -HREF="#AEN213" +HREF="#AEN204" >"The system can not log you on (C000019B)...."</A ></DT ></DL @@ -228,98 +223,93 @@ HREF="#AEN213" ></DD ><DT >4. <A -HREF="#AEN217" +HREF="#AEN208" >User Account Management</A ></DT ><DD ><DL ><DT ><A -HREF="#AEN219" +HREF="#AEN210" >Domain Admins</A ></DT ><DD ><DL ><DT ><A -HREF="#AEN221" +HREF="#AEN212" >How do I configure an account as a domain administrator?</A ></DT ></DL ></DD ><DT ><A -HREF="#AEN225" +HREF="#AEN216" >Profiles</A ></DT ><DD ><DL ><DT ><A -HREF="#AEN227" +HREF="#AEN218" >Why is it bad to set "logon path = \\%N\%U\profile" in smb.conf? ?</A ></DT ><DT ><A -HREF="#AEN241" +HREF="#AEN232" >Why are all the users listed in the "domain admin users" using the same profile?</A ></DT ><DT ><A -HREF="#AEN244" +HREF="#AEN235" >The roaming profiles do not seem to be updating on the server.</A ></DT -><DT -><A -HREF="#AEN252" ->Is it possible to store the users profile on workstation and not on server?</A -></DT ></DL ></DD ><DT ><A -HREF="#AEN256" +HREF="#AEN243" >Policies</A ></DT ><DD ><DL ><DT ><A -HREF="#AEN258" +HREF="#AEN245" >What are 'Policies' ?.</A ></DT ><DT ><A -HREF="#AEN265" +HREF="#AEN252" >I can't get system policies to work.</A ></DT ><DT ><A -HREF="#AEN279" +HREF="#AEN266" >What about Windows NT Policy Editor ?</A ></DT ><DT ><A -HREF="#AEN293" +HREF="#AEN280" >Can Win95 do Policies ?</A ></DT ></DL ></DD ><DT ><A -HREF="#AEN299" +HREF="#AEN286" >Passwords</A ></DT ><DD ><DL ><DT ><A -HREF="#AEN301" +HREF="#AEN288" >What is password sync and should I use it ?</A ></DT ><DT ><A -HREF="#AEN314" +HREF="#AEN301" >How do I get remote password (unix and SMB) changing working ?</A ></DT ></DL @@ -328,51 +318,41 @@ HREF="#AEN314" ></DD ><DT >5. <A -HREF="#AEN320" +HREF="#AEN307" >Miscellaneous</A ></DT ><DD ><DL ><DT ><A -HREF="#AEN322" +HREF="#AEN309" ></A ></DT ><DD ><DL ><DT ><A -HREF="#AEN324" ->How do I send a message to a PC running windows from a samba server ?</A -></DT -><DT -><A -HREF="#AEN329" +HREF="#AEN311" >What editor can I use in DOS/Windows that won't mess with my unix EOF</A ></DT ><DT ><A -HREF="#AEN342" +HREF="#AEN324" >How do I get 'User Manager' and 'Server Manager'</A ></DT ><DT ><A -HREF="#AEN357" ->Can I make my samba server a Time server too ?</A -></DT -><DT -><A -HREF="#AEN362" +HREF="#AEN339" >The time setting from a Samba server does not work.</A ></DT ><DT ><A -HREF="#AEN366" +HREF="#AEN343" >"trust account xxx should be in DOMAIN_GROUP_RID_USERS"</A ></DT ><DT ><A -HREF="#AEN370" +HREF="#AEN347" >How do I get my samba server to become a member ( not PDC ) of an NT domain?</A ></DT ></DL @@ -381,51 +361,51 @@ HREF="#AEN370" ></DD ><DT >6. <A -HREF="#AEN405" +HREF="#AEN382" >Troubleshooting and Bug Reporting</A ></DT ><DD ><DL ><DT ><A -HREF="#AEN407" +HREF="#AEN384" >Diagnostic tools</A ></DT ><DD ><DL ><DT ><A -HREF="#AEN409" +HREF="#AEN386" >What are some diagnostics tools I can use to debug the domain logon process and where can I find them?</A ></DT ><DT ><A -HREF="#AEN423" +HREF="#AEN400" >How do I install 'Network Monitor' on an NT Workstation or a Windows 9x box?</A ></DT ></DL ></DD ><DT ><A -HREF="#AEN452" +HREF="#AEN429" >What other help can I get ?</A ></DT ><DD ><DL ><DT ><A -HREF="#AEN455" +HREF="#AEN432" >URLs and similar</A ></DT ><DT ><A -HREF="#AEN504" +HREF="#AEN481" >How do I get help from the mailing lists ?</A ></DT ><DT ><A -HREF="#AEN533" +HREF="#AEN510" >How do I get off the mailing lists ?</A ></DT ></DL @@ -458,21 +438,7 @@ CLASS="EMPHASIS" ></P ><P >Comments here about W2K joining the domain apply only to Samba 2.2 from the CVS after November 27th. The - 'snapshot' release Samba2.2alpha1 (typically obtained via FTP) does not work !!! See below on how to get a CVS tree.</P -><P -><B -CLASS="COMMAND" ->Bug List</B ->I would really appriciate some confirmation that - some of these bugs are fixed. I don't have a usefull test setup at - present so need a bit of feedback.</P -><P -><B -CLASS="COMMAND" ->Know Bug ?</B ->There has been a suggestion that some of the problems - that some people have experienced may be due to using gcc from RedHat 7.0. - The alternative is to use kgcc - feedback desperatly needed !</P + 'snapshot' release Samba2.2alpha1 does not work !!! See below on how to get a CVS tree.</P ><P ><B CLASS="COMMAND" @@ -552,7 +518,7 @@ CLASS="SECT1" ><HR><H1 CLASS="SECT1" ><A -NAME="AEN54" +NAME="AEN50" >Introduction</A ></H1 ><P @@ -573,7 +539,7 @@ NAME="AEN54" CLASS="CHAPTER" ><HR><H1 ><A -NAME="AEN59" +NAME="AEN55" >Chapter 2. General Information</A ></H1 ><DIV @@ -581,7 +547,7 @@ CLASS="SECT1" ><H1 CLASS="SECT1" ><A -NAME="AEN61" +NAME="AEN57" >What can we do ?</A ></H1 ><DIV @@ -589,7 +555,7 @@ CLASS="SECT2" ><H2 CLASS="SECT2" ><A -NAME="AEN63" +NAME="AEN59" >What can Samba Primary Domain Controller (PDC) do ?</A ></H2 ><P @@ -636,10 +602,6 @@ NAME="AEN63" ></LI ><LI ><P ->Join a W2000 controlled domain. See below.</P -></LI -><LI -><P >Support for a LDAP password database backend.</P ></LI ><LI @@ -678,7 +640,7 @@ CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN98" +NAME="AEN92" >Can I have a Windows 2000 client logon to a Samba controlled domain?</A ></H2 ><P @@ -691,22 +653,7 @@ CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN101" ->Can a samba server join a Win2000 domain ?</A -></H2 -><P ->Yes, a samba server, (2.0.7, 2.2 or Head) will join and be part of - a Win2000 domain as long as the Win2000 PDC has NetBios and - NTLMv1 enabled. You don't need a 'mixed mode' DC unless there is - also a NT4 BDC in the domain. Samba will not particate in a 'Native - Win2000' Active Directory controlled domain.</P -></DIV -><DIV -CLASS="SECT2" -><HR><H2 -CLASS="SECT2" -><A -NAME="AEN104" +NAME="AEN95" >What's the status of print spool (spoolss) support in the NTDOM code?</A ></H2 ><P @@ -720,7 +667,7 @@ CLASS="SECT1" ><HR><H1 CLASS="SECT1" ><A -NAME="AEN107" +NAME="AEN98" >CVS</A ></H1 ><P @@ -732,7 +679,7 @@ CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN110" +NAME="AEN101" >What are the different Samba branches available in CVS ?</A ></H2 ><P @@ -805,7 +752,7 @@ CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN133" +NAME="AEN124" >What are the CVS commands ?</A ></H2 ><P @@ -892,7 +839,7 @@ CLASS="COMMAND" CLASS="CHAPTER" ><HR><H1 ><A -NAME="AEN164" +NAME="AEN155" >Chapter 3. Establishing Connections</A ></H1 ><DIV @@ -900,7 +847,7 @@ CLASS="SECT1" ><H1 CLASS="SECT1" ><A -NAME="AEN166" +NAME="AEN157" ></A ></H1 ><DIV @@ -908,7 +855,7 @@ CLASS="SECT2" ><H2 CLASS="SECT2" ><A -NAME="AEN168" +NAME="AEN159" >How do I get my NT4 or W2000 Workstation to login to the Samba controlled Domain?</A ></H2 ><P @@ -929,7 +876,7 @@ CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN173" +NAME="AEN164" >What is a 'machine account' ?</A ></H2 ><P @@ -943,7 +890,7 @@ CLASS="FILENAME" >/usr/local/samba/private/smbpasswd</TT >. Under some circumstances these entries are made <A -HREF="#AEN186" +HREF="#AEN177" >manually</A >, the <A @@ -957,7 +904,7 @@ CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN180" +NAME="AEN171" >"The machine account for this computer either does not exist or is not accessable."</A ></H2 ><P @@ -986,7 +933,7 @@ CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN186" +NAME="AEN177" >How do I create machine accounts manually ?</A ></H2 ><P @@ -1031,7 +978,7 @@ CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN199" +NAME="AEN190" >I cannot include a '$' in a machine name.</A ></H2 ><P @@ -1055,7 +1002,7 @@ CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN205" +NAME="AEN196" >I get told "You already have a connection to the Domain...." when creating a machine account.</A ></H2 @@ -1075,13 +1022,13 @@ CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN209" +NAME="AEN200" >I get told "Cannot join domain, the credentials supplied conflict with an existing set.."</A ></H2 ><P >This is the same basic problem as mentioned above, <A -HREF="#AEN205" +HREF="#AEN196" > "You already have a connection..."</A ></P ></DIV @@ -1090,7 +1037,7 @@ CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN213" +NAME="AEN204" >"The system can not log you on (C000019B)...."</A ></H2 ><P @@ -1110,7 +1057,7 @@ NAME="AEN213" CLASS="CHAPTER" ><HR><H1 ><A -NAME="AEN217" +NAME="AEN208" >Chapter 4. User Account Management</A ></H1 ><DIV @@ -1118,7 +1065,7 @@ CLASS="SECT1" ><H1 CLASS="SECT1" ><A -NAME="AEN219" +NAME="AEN210" >Domain Admins</A ></H1 ><DIV @@ -1126,7 +1073,7 @@ CLASS="SECT2" ><H2 CLASS="SECT2" ><A -NAME="AEN221" +NAME="AEN212" >How do I configure an account as a domain administrator?</A ></H2 ><P @@ -1142,7 +1089,7 @@ CLASS="SECT1" ><HR><H1 CLASS="SECT1" ><A -NAME="AEN225" +NAME="AEN216" >Profiles</A ></H1 ><DIV @@ -1150,7 +1097,7 @@ CLASS="SECT2" ><H2 CLASS="SECT2" ><A -NAME="AEN227" +NAME="AEN218" >Why is it bad to set "logon path = \\%N\%U\profile" in smb.conf? ?</A ></H2 ><P @@ -1197,7 +1144,7 @@ CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN241" +NAME="AEN232" >Why are all the users listed in the "domain admin users" using the same profile?</A ></H2 ><P @@ -1208,7 +1155,7 @@ CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN244" +NAME="AEN235" >The roaming profiles do not seem to be updating on the server.</A ></H2 ><P @@ -1220,7 +1167,7 @@ CLASS="COMMAND" >net time \\server /set /yes</B > replacing server with the name of your PDC (or another synchronized SMB server). See <A -HREF="#AEN362" +HREF="#AEN339" > about Setting Time</A ></P ><P @@ -1232,31 +1179,13 @@ HREF="#AEN362" >Some people have reported that the logon path location should also be browseable. I (GC) have yet to emperically verify this, but you can try.</P ></DIV -><DIV -CLASS="SECT2" -><HR><H2 -CLASS="SECT2" -><A -NAME="AEN252" ->Is it possible to store the users profile on workstation and not on server?</A -></H2 -><P ->Hergen Lange suggested that for 2.0.7 you can set <TT -CLASS="FILENAME" ->logon - drive = </TT ->, ie to blank. Can someone confirm this works in 2.2 ? Other - wise, use the registery settings (perhaps via policies) to not save - profiles on the server. - </P -></DIV ></DIV ><DIV CLASS="SECT1" ><HR><H1 CLASS="SECT1" ><A -NAME="AEN256" +NAME="AEN243" >Policies</A ></H1 ><DIV @@ -1264,7 +1193,7 @@ CLASS="SECT2" ><H2 CLASS="SECT2" ><A -NAME="AEN258" +NAME="AEN245" >What are 'Policies' ?.</A ></H2 ><P @@ -1282,7 +1211,7 @@ CLASS="COMMAND" >[netlogon]</B >share. The file is created with a policy editor and must be readable by anyone and writeable by only root. See <A -HREF="#AEN279" +HREF="#AEN266" > below</A > for how to get a suitable editor.</P ></DIV @@ -1291,7 +1220,7 @@ CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN265" +NAME="AEN252" >I can't get system policies to work.</A ></H2 ><P @@ -1313,7 +1242,7 @@ CLASS="COMMAND" > share and must be readable by everyone and writeable by only root. The file must be created by an NTServer <A -HREF="#AEN279" +HREF="#AEN266" >Policy Editor</A >.</P ><P @@ -1350,7 +1279,7 @@ CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN279" +NAME="AEN266" >What about Windows NT Policy Editor ?</A ></H2 ><P @@ -1412,7 +1341,7 @@ CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN293" +NAME="AEN280" >Can Win95 do Policies ?</A ></H2 ><P @@ -1437,7 +1366,7 @@ CLASS="SECT1" ><HR><H1 CLASS="SECT1" ><A -NAME="AEN299" +NAME="AEN286" >Passwords</A ></H1 ><DIV @@ -1445,7 +1374,7 @@ CLASS="SECT2" ><H2 CLASS="SECT2" ><A -NAME="AEN301" +NAME="AEN288" >What is password sync and should I use it ?</A ></H2 ><P @@ -1494,7 +1423,7 @@ CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN314" +NAME="AEN301" >How do I get remote password (unix and SMB) changing working ?</A ></H2 ><P @@ -1524,7 +1453,7 @@ CLASS="PROGRAMLISTING" CLASS="CHAPTER" ><HR><H1 ><A -NAME="AEN320" +NAME="AEN307" >Chapter 5. Miscellaneous</A ></H1 ><DIV @@ -1532,7 +1461,7 @@ CLASS="SECT1" ><H1 CLASS="SECT1" ><A -NAME="AEN322" +NAME="AEN309" ></A ></H1 ><DIV @@ -1540,26 +1469,7 @@ CLASS="SECT2" ><H2 CLASS="SECT2" ><A -NAME="AEN324" ->How do I send a message to a PC running windows from a samba server ?</A -></H2 -><P -><TT -CLASS="FILENAME" ->echo "message" | smbclient -M PC_NETBIOS_NAME_HERE -U "from" -I "to"</TT -> - The limit on message length is 1600 characters. -U and -I are - optional and purely cosmetic.[Time Cole]</P -><P ->Although this will always work with NTs and W2K, W95/98 require Winpopup - (or something similar) to be running.</P -></DIV -><DIV -CLASS="SECT2" -><HR><H2 -CLASS="SECT2" -><A -NAME="AEN329" +NAME="AEN311" >What editor can I use in DOS/Windows that won't mess with my unix EOF</A ></H2 ><P @@ -1599,7 +1509,7 @@ CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN342" +NAME="AEN324" >How do I get 'User Manager' and 'Server Manager'</A ></H2 ><P @@ -1647,29 +1557,7 @@ CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN357" ->Can I make my samba server a Time server too ?</A -></H2 -><P ->Yep, add a line to smb.conf <TT -CLASS="FILENAME" ->time server = True </TT -> under the Global - section. Then Windows machines can use it to set the time with a command like - <TT -CLASS="FILENAME" ->net time \\server_name /set /yes</TT ->. NTs and W2K machines will have - to have been told to allow ordinary users to change the system time/date. See next - item. - </P -></DIV -><DIV -CLASS="SECT2" -><HR><H2 -CLASS="SECT2" -><A -NAME="AEN362" +NAME="AEN339" >The time setting from a Samba server does not work.</A ></H2 ><P @@ -1686,7 +1574,7 @@ CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN366" +NAME="AEN343" >"trust account xxx should be in DOMAIN_GROUP_RID_USERS"</A ></H2 ><P @@ -1701,7 +1589,7 @@ CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN370" +NAME="AEN347" >How do I get my samba server to become a member ( not PDC ) of an NT domain?</A ></H2 ><P @@ -1742,7 +1630,7 @@ CLASS="EMPHASIS" >sleepy$</I >. It would have to be created <A -HREF="#AEN186" +HREF="#AEN177" >manually</A >. </P ><P @@ -1842,7 +1730,7 @@ CLASS="PROGRAMLISTING" CLASS="CHAPTER" ><HR><H1 ><A -NAME="AEN405" +NAME="AEN382" >Chapter 6. Troubleshooting and Bug Reporting</A ></H1 ><DIV @@ -1850,7 +1738,7 @@ CLASS="SECT1" ><H1 CLASS="SECT1" ><A -NAME="AEN407" +NAME="AEN384" >Diagnostic tools</A ></H1 ><DIV @@ -1858,7 +1746,7 @@ CLASS="SECT2" ><H2 CLASS="SECT2" ><A -NAME="AEN409" +NAME="AEN386" >What are some diagnostics tools I can use to debug the domain logon process and where can I find them?</A ></H2 @@ -1923,7 +1811,7 @@ CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN423" +NAME="AEN400" >How do I install 'Network Monitor' on an NT Workstation or a Windows 9x box?</A ></H2 ><P @@ -2008,7 +1896,7 @@ CLASS="SECT1" ><HR><H1 CLASS="SECT1" ><A -NAME="AEN452" +NAME="AEN429" >What other help can I get ?</A ></H1 ><P @@ -2020,7 +1908,7 @@ CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN455" +NAME="AEN432" >URLs and similar</A ></H2 ><P @@ -2163,7 +2051,7 @@ CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN504" +NAME="AEN481" >How do I get help from the mailing lists ?</A ></H2 ><P @@ -2266,7 +2154,7 @@ CLASS="SECT2" ><HR><H2 CLASS="SECT2" ><A -NAME="AEN533" +NAME="AEN510" >How do I get off the mailing lists ?</A ></H2 ><P diff --git a/docs/htmldocs/samba.7.html b/docs/htmldocs/samba.7.html index 21bd5d8b32d..6fb9eac5784 100644 --- a/docs/htmldocs/samba.7.html +++ b/docs/htmldocs/samba.7.html @@ -1,139 +1,365 @@ - - - - - -<html><head><title>Samba (7)</title> - -<link rev="made" href="mailto:samba@samba.org"> -</head> -<body> - -<hr> - -<h1>Samba (7)</h1> -<h2>Samba</h2> -<h2>23 Oct 1998</h2> - - - -<p><a name="NAME"></a> -<h2>NAME</h2> - Samba - A Windows SMB/CIFS fileserver for UNIX -<p><a name="SYNOPSIS"></a> -<h2>SYNOPSIS</h2> - -<strong>Samba</strong> -<p><a name="DESCRIPTION"></a> -<h2>DESCRIPTION</h2> - -<p>The Samba software suite is a collection of programs that implements -the Server Message Block(commonly abbreviated as SMB) protocol for -UNIX systems. This protocol is sometimes also referred to as the -Common Internet File System (CIFS), LanManager or NetBIOS protocol. -<p><a name="COMPONENTS"></a> -<h2>COMPONENTS</h2> - -<p>The Samba suite is made up of several components. Each component is -described in a separate manual page. It is strongly recommended that -you read the documentation that comes with Samba and the manual pages -of those components that you use. If the manual pages aren't clear -enough then please send a patch or bug report -to <a href="mailto:samba@samba.org"><em>samba@samba.org</em></a>. -<p><dl> -<p><p></p><dt><strong><a href="smbd.8.html"><strong>smbd</strong></a></strong><dd> <br> <br> The <a href="smbd.8.html"><strong>smbd</strong> -(8)</a> daemon provides the file and print services to SMB -clients, such as Windows 95/98, Windows NT, Windows for Workgroups or -LanManager. The configuration file for this daemon is described in -<a href="smb.conf.5.html"><strong>smb.conf (5)</strong></a>. -<p><p></p><dt><strong><a href="nmbd.8.html"><strong>nmbd</strong></a></strong><dd> <br> <br> The <a href="nmbd.8.html"><strong>nmbd</strong> -(8)</a> daemon provides NetBIOS nameserving and browsing -support. The configuration file for this daemon is described in -<a href="smb.conf.5.html"><strong>smb.conf (5)</strong></a>. -<p><p></p><dt><strong><a href="smbclient.1.html"><strong>smbclient</strong></a></strong><dd> <br> <br> The <a href="smbclient.1.html"><strong>smbclient</strong> -(1)</a> program implements a simple ftp-like -client. This is useful for accessing SMB shares on other compatible -servers (such as Windows NT), and can also be used to allow a UNIX box -to print to a printer attached to any SMB server (such as a PC running -Windows NT). -<p><p></p><dt><strong><a href="testparm.1.html"><strong>testparm</strong></a></strong><dd> <br> <br> The <a href="testparm.1.html"><strong>testparm -(1)</strong></a> utility allows you to test your <a href="smb.conf.5.html"><strong>smb.conf -(5)</strong></a> configuration file. -<p><p></p><dt><strong><a href="testprns.1.html"><strong>testprns</strong></a></strong><dd> <br> <br> the <a href="testprns.1.html"><strong>testprns -(1)</strong></a> utility allows you to test the printers defined -in your printcap file. -<p><p></p><dt><strong><a href="smbstatus.1.html"><strong>smbstatus</strong></a></strong><dd> <br> <br> The <a href="smbstatus.1.html"><strong>smbstatus</strong> -(1)</a> utility allows you list current connections to the -<a href="smbd.8.html"><strong>smbd (8)</strong></a> server. -<p><p></p><dt><strong><a href="nmblookup.1.html"><strong>nmblookup</strong></a></strong><dd> <br> <br> the -<a href="nmblookup.1.html"><strong>nmblookup (1)</strong></a> utility allows NetBIOS name -queries to be made from the UNIX machine. -<p><p></p><dt><strong><a href="make_smbcodepage.1.html"><strong>make_smbcodepage</strong></a></strong><dd> <br> <br> The -<a href="make_smbcodepage.1.html"><strong>make_smbcodepage (1)</strong></a> utility allows -you to create SMB code page definition files for your <a href="smbd.8.html"><strong>smbd -(8)</strong></a> server. -<p><p></p><dt><strong><a href="smbpasswd.8.html"><strong>smbpasswd</strong></a></strong><dd> <br> <br> The <a href="smbpasswd.8.html"><strong>smbpasswd -(8)</strong></a> utility allows you to change SMB encrypted -passwords on Samba and Windows NT(tm) servers. -<p></dl> -<p><a name="AVAILABILITY"></a> -<h2>AVAILABILITY</h2> - -<p>The Samba software suite is licensed under the GNU Public License -(GPL). A copy of that license should have come with the package in the -file COPYING. You are encouraged to distribute copies of the Samba -suite, but please obey the terms of this license. -<p>The latest version of the Samba suite can be obtained via anonymous -ftp from samba.org in the directory pub/samba/. It is -also available on several mirror sites worldwide. -<p>You may also find useful information about Samba on the newsgroup -comp.protocols.smb and the Samba mailing list. Details on how to join -the mailing list are given in the README file that comes with Samba. -<p>If you have access to a WWW viewer (such as Netscape or Mosaic) then -you will also find lots of useful information, including back issues -of the Samba mailing list, at -<a href="http://samba.org/samba/">http://samba.org/samba/</a>. -<p><a name="VERSION"></a> -<h2>VERSION</h2> - -<p>This man page is correct for version 2.0 of the Samba suite. -<p><a name="CONTRIBUTIONS"></a> -<h2>CONTRIBUTIONS</h2> - -<p>If you wish to contribute to the Samba project, then I suggest you -join the Samba mailing list at <a href="mailto:samba@samba.org"><em>samba@samba.org</em></a>. See the -Web page at <a href="http://lists.samba.org/">http://lists.samba.org/</a> -for details on how to do this. -<p>If you have patches to submit or bugs to report then you may mail them -directly to <a href="mailto:samba@samba.org"><em>samba@samba.org</em></a>. Note, however, that due to -the enormous popularity of this package the Samba Team may take some -time to respond to mail. We prefer patches in <em>diff -u</em> format. -<p><a name="CREDITS"></a> -<h2>CREDITS</h2> - -<p>Contributors to the project are now too numerous to mention here but -all deserve the thanks of all Samba users. To see a full list, look at -<a href="ftp://samba.org/pub/samba/alpha/change-log">ftp://samba.org/pub/samba/alpha/change-log</a> -for the pre-CVS changes and at -<a href="ftp://samba.org/pub/samba/alpha/cvs.log">ftp://samba.org/pub/samba/alpha/cvs.log</a> -for the contributors to Samba post-CVS. CVS is the Open Source source -code control system used by the Samba Team to develop Samba. The -project would have been unmanageable without it. -<p>In addition, several commercial organizations now help fund the Samba -Team with money and equipment. For details see the Samba Web pages at -<a href="http://samba.org/samba/samba-thanks.html">http://samba.org/samba/samba-thanks.html</a>. -<p><a name="AUTHOR"></a> -<h2>AUTHOR</h2> - -<p>The original Samba software and related utilities were created by -Andrew Tridgell <a href="mailto:samba@samba.org"><em>samba@samba.org</em></a>. Samba is now developed -by the Samba Team as an Open Source project similar to the way the -Linux kernel is developed. -<p>The original Samba man pages were written by Karl Auer. The man page -sources were converted to YODL format (another excellent piece of Open -Source software, available at -<a href="ftp://ftp.icce.rug.nl/pub/unix/"><strong>ftp://ftp.icce.rug.nl/pub/unix/</strong></a>) -and updated for the Samba2.0 release by Jeremy Allison. -<a href="mailto:samba@samba.org"><em>samba@samba.org</em></a>. -</body> -</html> +<HTML +><HEAD +><TITLE +>samba</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.57"></HEAD +><BODY +CLASS="REFENTRY" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><H1 +><A +NAME="SAMBA" +>samba</A +></H1 +><DIV +CLASS="REFNAMEDIV" +><A +NAME="AEN5" +></A +><H2 +>Name</H2 +>SAMBA -- A Windows SMB/CIFS fileserver for UNIX</DIV +><DIV +CLASS="REFSYNOPSISDIV" +><A +NAME="AEN8" +></A +><H2 +>Synopsis</H2 +><P +><B +CLASS="COMMAND" +>Samba</B +> </P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN11" +></A +><H2 +>DESCRIPTION</H2 +><P +>The Samba software suite is a collection of programs + that implements the Server Message Block (commonly abbreviated + as SMB) protocol for UNIX systems. This protocol is sometimes + also referred to as the Common Internet File System (CIFS), + LanManager or NetBIOS protocol.</P +><P +></P +><DIV +CLASS="VARIABLELIST" +><DL +><DT +><B +CLASS="COMMAND" +>smbd</B +></DT +><DD +><P +>The <B +CLASS="COMMAND" +>smbd </B +> + daemon provides the file and print services to + SMB clients, such as Windows 95/98, Windows NT, Windows + for Workgroups or LanManager. The configuration file + for this daemon is described in <TT +CLASS="FILENAME" +>smb.conf</TT +> + </P +></DD +><DT +><B +CLASS="COMMAND" +>nmbd</B +></DT +><DD +><P +>The <B +CLASS="COMMAND" +>nmbd</B +> + daemon provides NetBIOS nameserving and browsing + support. The configuration file for this daemon + is described in <TT +CLASS="FILENAME" +>smb.conf</TT +></P +></DD +><DT +><B +CLASS="COMMAND" +>smbclient</B +></DT +><DD +><P +>The <B +CLASS="COMMAND" +>smbclient</B +> + program implements a simple ftp-like client. This + is useful for accessing SMB shares on other compatible + servers (such as Windows NT), and can also be used + to allow a UNIX box to print to a printer attached to + any SMB server (such as a PC running Windows NT).</P +></DD +><DT +><B +CLASS="COMMAND" +>testparm</B +></DT +><DD +><P +>The <B +CLASS="COMMAND" +>testparm</B +> + utility is a simple syntax checker for Samba's + <TT +CLASS="FILENAME" +>smb.conf</TT +>configuration file.</P +></DD +><DT +><B +CLASS="COMMAND" +>testprns</B +></DT +><DD +><P +>The <B +CLASS="COMMAND" +>testprns</B +> + utility supports testing printer names defined + in your <TT +CLASS="FILENAME" +>printcap></TT +> file used + by Samba.</P +></DD +><DT +><B +CLASS="COMMAND" +>smbstatus</B +></DT +><DD +><P +>The <B +CLASS="COMMAND" +>smbstatus</B +> + tool provides access to information about the + current connections to <B +CLASS="COMMAND" +>smbd</B +>.</P +></DD +><DT +><B +CLASS="COMMAND" +>nmblookup</B +></DT +><DD +><P +>The <B +CLASS="COMMAND" +>nmblookup</B +> + tools allows NetBIOS name queries to be made + from a UNIX host.</P +></DD +><DT +><B +CLASS="COMMAND" +>make_smbcodepage</B +></DT +><DD +><P +>The <B +CLASS="COMMAND" +>make_smbcodepage</B +> + utility provides a means of creating SMB code page + definition files for your <B +CLASS="COMMAND" +>smbd</B +> server.</P +></DD +><DT +><B +CLASS="COMMAND" +>smbpasswd</B +></DT +><DD +><P +>The <B +CLASS="COMMAND" +>smbpasswd</B +> + command is a tool for changing LanMan and Windows NT + password hashes on Samba and Windows NT servers.</P +></DD +></DL +></DIV +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN75" +></A +><H2 +>COMPONENTS</H2 +><P +>The Samba suite is made up of several components. Each + component is described in a separate manual page. It is strongly + recommended that you read the documentation that comes with Samba + and the manual pages of those components that you use. If the + manual pages aren't clear enough then please send a patch or + bug report to <A +HREF="mailto:samba@samba.org" +TARGET="_top" +> samba@samba.org</A +></P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN79" +></A +><H2 +>AVAILABILITY</H2 +><P +>The Samba software suite is licensed under the + GNU Public License(GPL). A copy of that license should + have come with the package in the file COPYING. You are + encouraged to distribute copies of the Samba suite, but + please obey the terms of this license.</P +><P +>The latest version of the Samba suite can be + obtained via anonymous ftp from samba.org in the + directory pub/samba/. It is also available on several + mirror sites worldwide.</P +><P +>You may also find useful information about Samba + on the newsgroup <A +HREF="news:comp.protocols.smb" +TARGET="_top" +> comp.protocol.smb</A +> and the Samba mailing + list. Details on how to join the mailing list are given in + the README file that comes with Samba.</P +><P +>If you have access to a WWW viewer (such as Netscape + or Mosaic) then you will also find lots of useful information, + including back issues of the Samba mailing list, at + <A +HREF="http://lists.samba.org/" +TARGET="_top" +>http://lists.samba.org</A +>.</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN87" +></A +><H2 +>VERSION</H2 +><P +>This man page is correct for version 2.2 of the + Samba suite. </P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN90" +></A +><H2 +>CONTRIBUTIONS</H2 +><P +>If you wish to contribute to the Samba project, + then I suggest you join the Samba mailing list at + <A +HREF="http://lists.samba.org/" +TARGET="_top" +>http://lists.samba.org</A +>. + </P +><P +>If you have patches to submit or bugs to report + then you may mail them directly to samba-patches@samba.org. + Note, however, that due to the enormous popularity of this + package the Samba Team may take some time to respond to mail. We + prefer patches in <B +CLASS="COMMAND" +>diff -u</B +> format.</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN96" +></A +><H2 +>CONTRIBUTORS</H2 +><P +>Contributors to the project are now too numerous + to mention here but all deserve the thanks of all Samba + users. To see a full list, look at <A +HREF="ftp://samba.org/pub/samba/alpha/change-log" +TARGET="_top" +> ftp://samba.org/pub/samba/alpha/change-log</A +> + for the pre-CVS changes and at <A +HREF="ftp://samba.org/pub/samba/alpha/cvs.log" +TARGET="_top" +> ftp://samba.org/pub/samba/alpha/cvs.log</A +> + for the contributors to Samba post-CVS. CVS is the Open Source + source code control system used by the Samba Team to develop + Samba. The project would have been unmanageable without it.</P +><P +>In addition, several commercial organizations now help + fund the Samba Team with money and equipment. For details see + the Samba Web pages at <A +HREF="http://samba.org/samba/samba-thanks.html" +TARGET="_top" +> http://samba.org/samba/samba-thanks.html</A +>.</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN103" +></A +><H2 +>AUTHOR</H2 +><P +>The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed.</P +><P +>The original Samba man pages were written by Karl Auer. + The man page sources were converted to YODL format (another + excellent piece of Open Source software, available at + <A +HREF="ftp://ftp.icce.rug.nl/pub/unix/" +TARGET="_top" +> ftp://ftp.icce.rug.nl/pub/unix/</A +>) and updated for the Samba 2.0 + release by Jeremy Allison. The conversion to DocBook for + Samba 2.2 was done by Gerald Carter</P +></DIV +></BODY +></HTML +>
\ No newline at end of file diff --git a/docs/htmldocs/smb.conf.5.html b/docs/htmldocs/smb.conf.5.html index e16d79fbd26..71f05fc1dc2 100644 --- a/docs/htmldocs/smb.conf.5.html +++ b/docs/htmldocs/smb.conf.5.html @@ -1,5071 +1,16154 @@ - - - - - - -<html><head><title>smb.conf (5)</title> - -<link rev="made" href="mailto:samba@samba.org"> -</head> -<body> - -<hr> - -<h1>smb.conf (5)</h1> -<h2>Samba</h2> -<h2>23 Oct 1998</h2> - - - -<p><a name="NAME"></a> -<h2>NAME</h2> - smb.conf - The configuration file for the Samba suite -<p><a name="SYNOPSIS"></a> -<h2>SYNOPSIS</h2> - -<p><strong>smb.conf</strong> The <strong>smb.conf</strong> file is a configuration file for the -Samba suite. <strong>smb.conf</strong> contains runtime configuration information -for the Samba programs. The <strong>smb.conf</strong> file is designed to be -configured and administered by the <a href="swat.8.html"><strong>swat (8)</strong></a> -program. The complete description of the file format and possible -parameters held within are here for reference purposes. -<p><a name="FILEFORMAT"></a> -<h2>FILE FORMAT</h2> - -<p>The file consists of sections and parameters. A section begins with -the name of the section in square brackets and continues until the -next section begins. Sections contain parameters of the form -<p><code>'name = value'</code> -<p>The file is line-based - that is, each newline-terminated line -represents either a comment, a section name or a parameter. -<p>Section and parameter names are not case sensitive. -<p>Only the first equals sign in a parameter is significant. Whitespace -before or after the first equals sign is discarded. Leading, trailing -and internal whitespace in section and parameter names is -irrelevant. Leading and trailing whitespace in a parameter value is -discarded. Internal whitespace within a parameter value is retained -verbatim. -<p>Any line beginning with a semicolon (';') or a hash ('#') character is -ignored, as are lines containing only whitespace. -<p>Any line ending in a <code>'\'</code> is "continued" on the next line in the -customary UNIX fashion. -<p>The values following the equals sign in parameters are all either a -string (no quotes needed) or a boolean, which may be given as yes/no, -0/1 or true/false. Case is not significant in boolean values, but is -preserved in string values. Some items such as create modes are -numeric. -<p><a name="SECTIONDESCRIPTIONS"></a> -<h2>SECTION DESCRIPTIONS</h2> - -<p>Each section in the configuration file (except for the -<a href="smb.conf.5.html#global"><strong>[global]</strong></a> section) describes a shared resource (known -as a <em>"share"</em>). The section name is the name of the shared resource -and the parameters within the section define the shares attributes. -<p>There are three special sections, <a href="smb.conf.5.html#global"><strong>[global]</strong></a>, -<a href="smb.conf.5.html#homes"><strong>[homes]</strong></a> and <a href="smb.conf.5.html#printers"><strong>[printers]</strong></a>, which are -described under <a href="smb.conf.5.html#SPECIALSECTIONS"><strong>'special sections'</strong></a>. The -following notes apply to ordinary section descriptions. -<p>A share consists of a directory to which access is being given plus -a description of the access rights which are granted to the user of -the service. Some housekeeping options are also specifiable. -<p>Sections are either filespace services (used by the client as an -extension of their native file systems) or printable services (used by -the client to access print services on the host running the server). -<p>Sections may be designated <a href="smb.conf.5.html#guestok"><strong>guest</strong></a> services, in which -case no password is required to access them. A specified UNIX -<a href="smb.conf.5.html#guestaccount"><strong>guest account</strong></a> is used to define access -privileges in this case. -<p>Sections other than guest services will require a password to access -them. The client provides the username. As older clients only provide -passwords and not usernames, you may specify a list of usernames to -check against the password using the <a href="smb.conf.5.html#user"><strong>"user="</strong></a> option in -the share definition. For modern clients such as Windows 95/98 and -Windows NT, this should not be necessary. -<p>Note that the access rights granted by the server are masked by the -access rights granted to the specified or guest UNIX user by the host -system. The server does not grant more access than the host system -grants. -<p>The following sample section defines a file space share. The user has -write access to the path <code>/home/bar</code>. The share is accessed via -the share name "foo": -<p><pre> - - - [foo] +<HTML +><HEAD +><TITLE +>smb.conf</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.57"></HEAD +><BODY +CLASS="REFENTRY" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><H1 +><A +NAME="SMB.CONF" +>smb.conf</A +></H1 +><DIV +CLASS="REFNAMEDIV" +><A +NAME="AEN5" +></A +><H2 +>Name</H2 +>smb.conf -- The configuration file for the Samba suite</DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN8" +></A +><H2 +>SYNOPSIS</H2 +><P +>The <TT +CLASS="FILENAME" +>smb.conf</TT +> file is a configuration + file for the Samba suite. <TT +CLASS="FILENAME" +>smb.conf</TT +> contains + runtime configuration information for the Samba programs. The + <TT +CLASS="FILENAME" +>smb.conf</TT +> file is designed to be configured and + administered by the <A +HREF="swat.8.html" +TARGET="_top" +><B +CLASS="COMMAND" +>swat(8)</B +> + </A +> program. The complete description of the file format and + possible parameters held within are here for reference purposes.</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN16" +></A +><H2 +>FILE FORMAT</H2 +><P +>The file consists of sections and parameters. A section + begins with the name of the section in square brackets and continues + until the next section begins. Sections contain parameters of the + form</P +><P +><TT +CLASS="REPLACEABLE" +><I +>name</I +></TT +> = <TT +CLASS="REPLACEABLE" +><I +>value + </I +></TT +></P +><P +>The file is line-based - that is, each newline-terminated + line represents either a comment, a section name or a parameter.</P +><P +>Section and parameter names are not case sensitive.</P +><P +>Only the first equals sign in a parameter is significant. + Whitespace before or after the first equals sign is discarded. + Leading, trailing and internal whitespace in section and parameter + names is irrelevant. Leading and trailing whitespace in a parameter + value is discarded. Internal whitespace within a parameter value + is retained verbatim.</P +><P +>Any line beginning with a semicolon (';') or a hash ('#') + character is ignored, as are lines containing only whitespace.</P +><P +>Any line ending in a '\' is continued + on the next line in the customary UNIX fashion.</P +><P +>The values following the equals sign in parameters are all + either a string (no quotes needed) or a boolean, which may be given + as yes/no, 0/1 or true/false. Case is not significant in boolean + values, but is preserved in string values. Some items such as + create modes are numeric.</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN28" +></A +><H2 +>SECTION DESCRIPTIONS</H2 +><P +>Each section in the configuration file (except for the + [global] section) describes a shared resource (known + as a "share"). The section name is the name of the + shared resource and the parameters within the section define + the shares attributes.</P +><P +>There are three special sections, [global], + [homes] and [printers], which are + described under <I +CLASS="EMPHASIS" +>special sections</I +>. The + following notes apply to ordinary section descriptions.</P +><P +>A share consists of a directory to which access is being + given plus a description of the access rights which are granted + to the user of the service. Some housekeeping options are + also specifiable.</P +><P +>Sections are either filespace services (used by the + client as an extension of their native file systems) or + printable services (used by the client to access print services + on the host running the server).</P +><P +>Sections may be designated <I +CLASS="EMPHASIS" +>guest</I +> services, + in which case no password is required to access them. A specified + UNIX <I +CLASS="EMPHASIS" +>guest account</I +> is used to define access + privileges in this case.</P +><P +>Sections other than guest services will require a password + to access them. The client provides the username. As older clients + only provide passwords and not usernames, you may specify a list + of usernames to check against the password using the "user=" + option in the share definition. For modern clients such as + Windows 95/98/ME/NT/2000, this should not be necessary.</P +><P +>Note that the access rights granted by the server are + masked by the access rights granted to the specified or guest + UNIX user by the host system. The server does not grant more + access than the host system grants.</P +><P +>The following sample section defines a file space share. + The user has write access to the path <TT +CLASS="FILENAME" +>/home/bar</TT +>. + The share is accessed via the share name "foo":</P +><PRE +CLASS="SCREEN" +> <TT +CLASS="COMPUTEROUTPUT" +> [foo] path = /home/bar writeable = true - - -</pre> - -<p>The following sample section defines a printable share. The share -is readonly, but printable. That is, the only write access permitted -is via calls to open, write to and close a spool file. The -<a href="smb.conf.5.html#guestok"><strong>'guest ok'</strong></a> parameter means access will be permitted -as the default guest user (specified elsewhere): -<p><pre> - - [aprinter] + </TT +> + </PRE +><P +>The following sample section defines a printable share. + The share is readonly, but printable. That is, the only write + access permitted is via calls to open, write to and close a + spool file. The <I +CLASS="EMPHASIS" +>guest ok</I +> parameter means + access will be permitted as the default guest user (specified + elsewhere):</P +><PRE +CLASS="SCREEN" +> <TT +CLASS="COMPUTEROUTPUT" +> [aprinter] path = /usr/spool/public writeable = false printable = true guest ok = true - -</pre> - -<p><a name="SPECIALSECTIONS"></a> -<h2>SPECIAL SECTIONS</h2> - -<p><dl> -<p><a name="global"></a> -<p></p><dt><strong><strong>The [global] section</strong></strong><dd> -<p>Parameters in this section apply to the server as a whole, or are -defaults for sections which do not specifically define certain -items. See the notes under <a href="smb.conf.5.html#PARAMETERS"><strong>'PARAMETERS'</strong></a> for more -information. -<p><a name="homes"></a> -<p></p><dt><strong><strong>The [homes] section</strong></strong><dd> -<p>If a section called <code>'homes'</code> is included in the configuration file, -services connecting clients to their home directories can be created -on the fly by the server. -<p>When the connection request is made, the existing sections are -scanned. If a match is found, it is used. If no match is found, the -requested section name is treated as a user name and looked up in the -local password file. If the name exists and the correct password has -been given, a share is created by cloning the [homes] section. -<p>Some modifications are then made to the newly created share: -<p><dl> -<p><li > The share name is changed from <code>'homes'</code> to the located -username -<p><li > If no path was given, the path is set to the user's home -directory. -<p></dl> -<p>If you decide to use a <a href="smb.conf.5.html#path"><strong>path=</strong></a> line in your [homes] -section then you may find it useful to use the <a href="smb.conf.5.html#percentS"><strong>%S</strong></a> -macro. For example : -<p><code>path=/data/pchome/%S</code> -<p>would be useful if you have different home directories for your PCs -than for UNIX access. -<p>This is a fast and simple way to give a large number of clients access -to their home directories with a minimum of fuss. -<p>A similar process occurs if the requested section name is <code>"homes"</code>, -except that the share name is not changed to that of the requesting -user. This method of using the [homes] section works well if different -users share a client PC. -<p>The [homes] section can specify all the parameters a normal service -section can specify, though some make more sense than others. The -following is a typical and suitable [homes] section: -<p><pre> - - [homes] - writeable = yes - -</pre> - -<p>An important point is that if guest access is specified in the [homes] -section, all home directories will be visible to all clients -<strong>without a password</strong>. In the very unlikely event that this is -actually desirable, it would be wise to also specify <a href="smb.conf.5.html#readonly"><strong>read only -access</strong></a>. -<p>Note that the <a href="smb.conf.5.html#browseable"><strong>browseable</strong></a> flag for auto home -directories will be inherited from the global browseable flag, not the -[homes] browseable flag. This is useful as it means setting -browseable=no in the [homes] section will hide the [homes] share but -make any auto home directories visible. -<p><a name="printers"></a> -<p></p><dt><strong><strong>The [printers] section</strong></strong><dd> -<p>This section works like <a href="smb.conf.5.html#homes"><strong>[homes]</strong></a>, but for printers. -<p>If a <strong>[printers]</strong> section occurs in the configuration file, users are -able to connect to any printer specified in the local host's printcap -file. -<p>When a connection request is made, the existing sections are -scanned. If a match is found, it is used. If no match is found, but a -<a href="smb.conf.5.html#homes"><strong>[homes]</strong></a> section exists, it is used as described -above. Otherwise, the requested section name is treated as a printer -name and the appropriate printcap file is scanned to see if the -requested section name is a valid printer share name. If a match is -found, a new printer share is created by cloning the <strong>[printers]</strong> -section. -<p>A few modifications are then made to the newly created share: -<p><dl> -<p><li > The share name is set to the located printer name -<p><li > If no printer name was given, the printer name is set to the -located printer name -<p><li > If the share does not permit guest access and no username was -given, the username is set to the located printer name. -<p></dl> -<p>Note that the <strong>[printers]</strong> service MUST be printable - if you specify -otherwise, the server will refuse to load the configuration file. -<p>Typically the path specified would be that of a world-writeable spool -directory with the sticky bit set on it. A typical <strong>[printers]</strong> entry -would look like this: -<p><pre> - - [printers] - path = /usr/spool/public - guest ok = yes - printable = yes - -</pre> - -<p>All aliases given for a printer in the printcap file are legitimate -printer names as far as the server is concerned. If your printing -subsystem doesn't work like that, you will have to set up a -pseudo-printcap. This is a file consisting of one or more lines like -this: -<p><pre> - alias|alias|alias|alias... -</pre> - -<p>Each alias should be an acceptable printer name for your printing -subsystem. In the <a href="smb.conf.5.html#global"><strong>[global]</strong></a> section, specify the new -file as your printcap. The server will then only recognize names -found in your pseudo-printcap, which of course can contain whatever -aliases you like. The same technique could be used simply to limit -access to a subset of your local printers. -<p>An alias, by the way, is defined as any component of the first entry -of a printcap record. Records are separated by newlines, components -(if there are more than one) are separated by vertical bar symbols -("|"). -<p>NOTE: On SYSV systems which use lpstat to determine what printers are -defined on the system you may be able to use <a href="smb.conf.5.html#printcapname"><strong>"printcap name = -lpstat"</strong></a> to automatically obtain a list of -printers. See the <a href="smb.conf.5.html#printcapname"><strong>"printcap name"</strong></a> option for -more details. -<p></dl> -<p><a name="PARAMETERS"></a> -<h2>PARAMETERS</h2> - -<p>Parameters define the specific attributes of sections. -<p>Some parameters are specific to the <a href="smb.conf.5.html#global"><strong>[global]</strong></a> section -(e.g., <a href="smb.conf.5.html#security"><strong>security</strong></a>). Some parameters are usable in -all sections (e.g., <a href="smb.conf.5.html#createmode"><strong>create mode</strong></a>). All others are -permissible only in normal sections. For the purposes of the following -descriptions the <a href="smb.conf.5.html#homes"><strong>[homes]</strong></a> and -<a href="smb.conf.5.html#printers"><strong>[printers]</strong></a> sections will be considered normal. -The letter <code>'G'</code> in parentheses indicates that a parameter is -specific to the <a href="smb.conf.5.html#global"><strong>[global]</strong></a> section. The letter <code>'S'</code> -indicates that a parameter can be specified in a service specific -section. Note that all <code>'S'</code> parameters can also be specified in the -<a href="smb.conf.5.html#global"><strong>[global]</strong></a> section - in which case they will define -the default behavior for all services. -<p>Parameters are arranged here in alphabetical order - this may not -create best bedfellows, but at least you can find them! Where there -are synonyms, the preferred synonym is described, others refer to the -preferred synonym. -<p><a name="VARIABLESUBSTITUTIONS"></a> -<h2>VARIABLE SUBSTITUTIONS</h2> - -<p>Many of the strings that are settable in the config file can take -substitutions. For example the option <a href="smb.conf.5.html#path"><strong><code>"path = -/tmp/%u"</code></strong></a> would be interpreted as <code>"path = /tmp/john"</code> if -the user connected with the username john. -<p>These substitutions are mostly noted in the descriptions below, but -there are some general substitutions which apply whenever they might -be relevant. These are: -<p><dl> -<p><a name="percentS"></a> -<li > <strong>%S</strong> = the name of the current service, if any. -<p><a name="percentP"></a> -<li > <strong>%P</strong> = the root directory of the current service, if any. -<p><a name="percentu"></a> -<li > <strong>%u</strong> = user name of the current service, if any. -<p><a name="percentg"></a> -<li > <strong>%g</strong> = primary group name of <a href="smb.conf.5.html#percentu"><strong>%u</strong></a>. -<p><a name="percentU"></a> -<li > <strong>%U</strong> = session user name (the user name that -the client wanted, not necessarily the same as the one they got). -<p><a name="percentG"></a> -<li > <strong>%G</strong> = primary group name of <a href="smb.conf.5.html#percentU"><strong>%U</strong></a>. -<p><a name="percentH"></a> -<li > <strong>%H</strong> = the home directory of the user given by <a href="smb.conf.5.html#percentu"><strong>%u</strong></a>. -<p><a name="percentv"></a> -<li > <strong>%v</strong> = the Samba version. -<p><a name="percenth"></a> -<li > <strong>%h</strong> = the internet hostname that Samba is running on. -<p><a name="percentm"></a> -<li > <strong>%m</strong> = the NetBIOS name of the client machine (very useful). -<p><a name="percentL"></a> -<li > <strong>%L</strong> = the NetBIOS name of the server. This allows you to change your -config based on what the client calls you. Your server can have a "dual -personality". -<p><a name="percentM"></a> -<li > <strong>%M</strong> = the internet name of the client machine. -<p><a name="percentN"></a> -<li > <strong>%N</strong> = the name of your NIS home directory server. This is -obtained from your NIS auto.map entry. If you have not compiled Samba -with the <strong>--with-automount</strong> option then this value will be the same -as <a href="smb.conf.5.html#percentL"><strong>%L</strong></a>. -<p><a name="percentp"></a> -<li > <strong>%p</strong> = the path of the service's home directory, obtained from your NIS -auto.map entry. The NIS auto.map entry is split up as "%N:%p". -<p><a name="percentR"></a> -<li > <strong>%R</strong> = the selected protocol level after protocol -negotiation. It can be one of CORE, COREPLUS, LANMAN1, LANMAN2 or NT1. -<p><a name="percentd"></a> -<li > <strong>%d</strong> = The process id of the current server process. -<p><a name="percenta"></a> -<li > <strong>%a</strong> = the architecture of the remote -machine. Only some are recognized, and those may not be 100% -reliable. It currently recognizes Samba, WfWg, WinNT and -Win95. Anything else will be known as "UNKNOWN". If it gets it wrong -then sending a level 3 log to <a href="mailto:samba@samba.org"><em>samba@samba.org</em></a> -should allow it to be fixed. -<p><a name="percentI"></a> -<li > <strong>%I</strong> = The IP address of the client machine. -<p><a name="percentT"></a> -<li > <strong>%T</strong> = the current date and time. -<p></dl> -<p>There are some quite creative things that can be done with these -substitutions and other smb.conf options. -<p><a name="NAMEMANGLING"></a> -<h2>NAME MANGLING</h2> - -<p>Samba supports <em>"name mangling"</em> so that DOS and Windows clients can -use files that don't conform to the 8.3 format. It can also be set to -adjust the case of 8.3 format filenames. -<p>There are several options that control the way mangling is performed, -and they are grouped here rather than listed separately. For the -defaults look at the output of the testparm program. -<p>All of these options can be set separately for each service (or -globally, of course). -<p>The options are: -<p><a name="manglecaseoption"></a> -<strong>"mangle case = yes/no"</strong> controls if names that have characters that -aren't of the "default" case are mangled. For example, if this is yes -then a name like <code>"Mail"</code> would be mangled. Default <em>no</em>. -<p><a name="casesensitiveoption"></a> -<strong>"case sensitive = yes/no"</strong> controls whether filenames are case -sensitive. If they aren't then Samba must do a filename search and -match on passed names. Default <em>no</em>. -<p><a name="defaultcaseoption"></a> -<strong>"default case = upper/lower"</strong> controls what the default case is for new -filenames. Default <em>lower</em>. -<p><a name="preservecaseoption"></a> -<strong>"preserve case = yes/no"</strong> controls if new files are created with the -case that the client passes, or if they are forced to be the <code>"default"</code> -case. Default <em>Yes</em>. -<p><a name="shortpreservecaseoption"></a> -<p><strong>"short preserve case = yes/no"</strong> controls if new files which conform -to 8.3 syntax, that is all in upper case and of suitable length, are -created upper case, or if they are forced to be the <code>"default"</code> -case. This option can be use with <a href="smb.conf.5.html#preservecaseoption"><strong>"preserve case = -yes"</strong></a> to permit long filenames to retain their -case, while short names are lowered. Default <em>Yes</em>. -<p>By default, Samba 2.0 has the same semantics as a Windows NT -server, in that it is case insensitive but case preserving. -<p><a name="NOTEABOUTUSERNAMEPASSWORDVALIDATION"></a> -<h2>NOTE ABOUT USERNAME/PASSWORD VALIDATION</h2> - -<p>There are a number of ways in which a user can connect to a -service. The server follows the following steps in determining if it -will allow a connection to a specified service. If all the steps fail -then the connection request is rejected. If one of the steps pass then -the following steps are not checked. -<p>If the service is marked <a href="smb.conf.5.html#guestonly"><strong>"guest only = yes"</strong></a> then -steps 1 to 5 are skipped. -<p><ol> -<p><li> Step 1: If the client has passed a username/password pair and -that username/password pair is validated by the UNIX system's password -programs then the connection is made as that username. Note that this -includes the <code>\\server\service%username</code> method of passing a -username. -<p><li> Step 2: If the client has previously registered a username with -the system and now supplies a correct password for that username then -the connection is allowed. -<p><li> Step 3: The client's netbios name and any previously used user -names are checked against the supplied password, if they match then -the connection is allowed as the corresponding user. -<p><li> Step 4: If the client has previously validated a -username/password pair with the server and the client has passed the -validation token then that username is used. -<p><li> Step 5: If a <a href="smb.conf.5.html#user"><strong>"user = "</strong></a> field is given in the -smb.conf file for the service and the client has supplied a password, -and that password matches (according to the UNIX system's password -checking) with one of the usernames from the <a href="smb.conf.5.html#user"><strong>user=</strong></a> -field then the connection is made as the username in the -<a href="smb.conf.5.html#user"><strong>"user="</strong></a> line. If one of the username in the -<a href="smb.conf.5.html#user"><strong>user=</strong></a> list begins with a <code>'@'</code> then that name -expands to a list of names in the group of the same name. -<p><li> Step 6: If the service is a guest service then a connection is -made as the username given in the <a href="smb.conf.5.html#guestaccount"><strong>"guest account -="</strong></a> for the service, irrespective of the supplied -password. -<p></ol> -<p><a name="COMPLETELISTOFGLOBALPARAMETERS"></a> -<h2>COMPLETE LIST OF GLOBAL PARAMETERS</h2> - -<p>Here is a list of all global parameters. See the section of each -parameter for details. Note that some are synonyms. -<p><dl> -<p><li > <a href="smb.conf.5.html#adduserscript"><strong>add user script</strong></a> -<p><li > <a href="smb.conf.5.html#allowtrusteddomains"><strong>allow trusted domains</strong></a> -<p><li > <a href="smb.conf.5.html#announceas"><strong>announce as</strong></a> -<p><li > <a href="smb.conf.5.html#announceversion"><strong>announce version</strong></a> -<p><li > <a href="smb.conf.5.html#autoservices"><strong>auto services</strong></a> -<p><li > <a href="smb.conf.5.html#bindinterfacesonly"><strong>bind interfaces only</strong></a> -<p><li > <a href="smb.conf.5.html#browselist"><strong>browse list</strong></a> -<p><li > <a href="smb.conf.5.html#changenotifytimeout"><strong>change notify timeout</strong></a> -<p><li > <a href="smb.conf.5.html#characterset"><strong>character set</strong></a> -<p><li > <a href="smb.conf.5.html#clientcodepage"><strong>client code page</strong></a> -<p><li > <a href="smb.conf.5.html#codingsystem"><strong>coding system</strong></a> -<p><li > <a href="smb.conf.5.html#configfile"><strong>config file</strong></a> -<p><li > <a href="smb.conf.5.html#deadtime"><strong>deadtime</strong></a> -<p><li > <a href="smb.conf.5.html#debughirestimestamp"><strong>debug hires timestamp</strong></a> -<p><li > <a href="smb.conf.5.html#debugpid"><strong>debug pid</strong></a> -<p><li > <a href="smb.conf.5.html#debugtimestamp"><strong>debug timestamp</strong></a> -<p><li > <a href="smb.conf.5.html#debuguid"><strong>debug uid</strong></a> -<p><li > <a href="smb.conf.5.html#debuglevel"><strong>debug level</strong></a> -<p><li > <a href="smb.conf.5.html#default"><strong>default</strong></a> -<p><li > <a href="smb.conf.5.html#defaultservice"><strong>default service</strong></a> -<p><li > <a href="smb.conf.5.html#deleteuserscript"><strong>delete user script</strong></a> -<p><li > <a href="smb.conf.5.html#dfreecommand"><strong>dfree command</strong></a> -<p><li > <a href="smb.conf.5.html#dnsproxy"><strong>dns proxy</strong></a> -<p><li > <a href="smb.conf.5.html#domainadmingroup"><strong>domain admin group</strong></a> -<p><li > <a href="smb.conf.5.html#domainadminusers"><strong>domain admin users</strong></a> -<p><li > <a href="smb.conf.5.html#domaingroups"><strong>domain groups</strong></a> -<p><li > <a href="smb.conf.5.html#domainguestgroup"><strong>domain guest group</strong></a> -<p><li > <a href="smb.conf.5.html#domainguestusers"><strong>domain guest users</strong></a> -<p><li > <a href="smb.conf.5.html#domainlogons"><strong>domain logons</strong></a> -<p><li > <a href="smb.conf.5.html#domainmaster"><strong>domain master</strong></a> -<p><li > <a href="smb.conf.5.html#encryptpasswords"><strong>encrypt passwords</strong></a> -<p><li > <a href="smb.conf.5.html#getwdcache"><strong>getwd cache</strong></a> -<p><li > <a href="smb.conf.5.html#homedirmap"><strong>homedir map</strong></a> -<p><li > <a href="smb.conf.5.html#hostsequiv"><strong>hosts equiv</strong></a> -<p><li > <a href="smb.conf.5.html#interfaces"><strong>interfaces</strong></a> -<p><li > <a href="smb.conf.5.html#keepalive"><strong>keepalive</strong></a> -<p><li > <a href="smb.conf.5.html#kerneloplocks"><strong>kernel oplocks</strong></a> -<p><li > <a href="smb.conf.5.html#ldapfilter"><strong>ldap filter</strong></a> -<p><li > <a href="smb.conf.5.html#ldapport"><strong>ldap port</strong></a> -<p><li > <a href="smb.conf.5.html#ldaproot"><strong>ldap root</strong></a> -<p><li > <a href="smb.conf.5.html#ldaprootpasswd"><strong>ldap root passwd</strong></a> -<p><li > <a href="smb.conf.5.html#ldapserver"><strong>ldap server</strong></a> -<p><li > <a href="smb.conf.5.html#ldapsuffix"><strong>ldap suffix</strong></a> -<p><li > <a href="smb.conf.5.html#lmannounce"><strong>lm announce</strong></a> -<p><li > <a href="smb.conf.5.html#lminterval"><strong>lm interval</strong></a> -<p><li > <a href="smb.conf.5.html#loadprinters"><strong>load printers</strong></a> -<p><li > <a href="smb.conf.5.html#localmaster"><strong>local master</strong></a> -<p><li > <a href="smb.conf.5.html#lockdir"><strong>lock dir</strong></a> -<p><li > <a href="smb.conf.5.html#lockdirectory"><strong>lock directory</strong></a> -<p><li > <a href="smb.conf.5.html#logfile"><strong>log file</strong></a> -<p><li > <a href="smb.conf.5.html#loglevel"><strong>log level</strong></a> -<p><li > <a href="smb.conf.5.html#logondrive"><strong>logon drive</strong></a> -<p><li > <a href="smb.conf.5.html#logonhome"><strong>logon home</strong></a> -<p><li > <a href="smb.conf.5.html#logonpath"><strong>logon path</strong></a> -<p><li > <a href="smb.conf.5.html#logonscript"><strong>logon script</strong></a> -<p><li > <a href="smb.conf.5.html#lpqcachetime"><strong>lpq cache time</strong></a> -<p><li > <a href="smb.conf.5.html#machinepasswordtimeout"><strong>machine password timeout</strong></a> -<p><li > <a href="smb.conf.5.html#mangledstack"><strong>mangled stack</strong></a> -<p><li > <a href="smb.conf.5.html#maptoguest"><strong>map to guest</strong></a> -<p><li > <a href="smb.conf.5.html#maxdisksize"><strong>max disk size</strong></a> -<p><li > <a href="smb.conf.5.html#maxlogsize"><strong>max log size</strong></a> -<p><li > <a href="smb.conf.5.html#maxmux"><strong>max mux</strong></a> -<p><li > <a href="smb.conf.5.html#maxopenfiles"><strong>max open files</strong></a> -<p><li > <a href="smb.conf.5.html#maxpacket"><strong>max packet</strong></a> -<p><li > <a href="smb.conf.5.html#maxttl"><strong>max ttl</strong></a> -<p><li > <a href="smb.conf.5.html#maxwinsttl"><strong>max wins ttl</strong></a> -<p><li > <a href="smb.conf.5.html#maxxmit"><strong>max xmit</strong></a> -<p><li > <a href="smb.conf.5.html#messagecommand"><strong>message command</strong></a> -<p><li > <a href="smb.conf.5.html#minpasswdlength"><strong>min passwd length</strong></a> -<p><li > <a href="smb.conf.5.html#minpasswordlength"><strong>min password length</strong></a> -<p><li > <a href="smb.conf.5.html#minwinsttl"><strong>min wins ttl</strong></a> -<p><li > <a href="smb.conf.5.html#nameresolveorder"><strong>name resolve order</strong></a> -<p><li > <a href="smb.conf.5.html#netbiosaliases"><strong>netbios aliases</strong></a> -<p><li > <a href="smb.conf.5.html#netbiosname"><strong>netbios name</strong></a> -<p><li > <a href="smb.conf.5.html#netbiosscope"><strong>netbios scope</strong></a> -<p><li > <a href="smb.conf.5.html#nishomedir"><strong>nis homedir</strong></a> -<p><li > <a href="smb.conf.5.html#ntaclsupport"><strong>nt acl support</strong></a> -<p><li > <a href="smb.conf.5.html#ntpipesupport"><strong>nt pipe support</strong></a> -<p><li > <a href="smb.conf.5.html#ntsmbsupport"><strong>nt smb support</strong></a> -<p><li > <a href="smb.conf.5.html#nullpasswords"><strong>null passwords</strong></a> -<p><li > <a href="smb.conf.5.html#olelockingcompatibility"><strong>ole locking compatibility</strong></a> -<p><li > <a href="smb.conf.5.html#oplockbreakwaittime"><strong>oplock break wait time</strong></a> -<p><li > <a href="smb.conf.5.html#oslevel"><strong>os level</strong></a> -<p><li > <a href="smb.conf.5.html#packetsize"><strong>packet size</strong></a> -<p><li > <a href="smb.conf.5.html#panicaction"><strong>panic action</strong></a> -<p><li > <a href="smb.conf.5.html#passwdchat"><strong>passwd chat</strong></a> -<p><li > <a href="smb.conf.5.html#passwdchatdebug"><strong>passwd chat debug</strong></a> -<p><li > <a href="smb.conf.5.html#passwdprogram"><strong>passwd program</strong></a> -<p><li > <a href="smb.conf.5.html#passwordlevel"><strong>password level</strong></a> -<p><li > <a href="smb.conf.5.html#passwordserver"><strong>password server</strong></a> -<p><li > <a href="smb.conf.5.html#preferedmaster"><strong>prefered master</strong></a> -<p><li > <a href="smb.conf.5.html#preferredmaster"><strong>preferred master</strong></a> -<p><li > <a href="smb.conf.5.html#preload"><strong>preload</strong></a> -<p><li > <a href="smb.conf.5.html#printcap"><strong>printcap</strong></a> -<p><li > <a href="smb.conf.5.html#printcapname"><strong>printcap name</strong></a> -<p><li > <a href="smb.conf.5.html#printerdriverfile"><strong>printer driver file</strong></a> -<p><li > <a href="smb.conf.5.html#protocol"><strong>protocol</strong></a> -<p><li > <a href="smb.conf.5.html#readbmpx"><strong>read bmpx</strong></a> -<p><li > <a href="smb.conf.5.html#readprediction"><strong>read prediction</strong></a> -<p><li > <a href="smb.conf.5.html#readraw"><strong>read raw</strong></a> -<p><li > <a href="smb.conf.5.html#readsize"><strong>read size</strong></a> -<p><li > <a href="smb.conf.5.html#remoteannounce"><strong>remote announce</strong></a> -<p><li > <a href="smb.conf.5.html#remotebrowsesync"><strong>remote browse sync</strong></a> -<p><li > <a href="smb.conf.5.html#restrictanonymous"><strong>restrict anonymous</strong></a> -<p><li > <a href="smb.conf.5.html#root"><strong>root</strong></a> -<p><li > <a href="smb.conf.5.html#rootdir"><strong>root dir</strong></a> -<p><li > <a href="smb.conf.5.html#rootdirectory"><strong>root directory</strong></a> -<p><li > <a href="smb.conf.5.html#security"><strong>security</strong></a> -<p><li > <a href="smb.conf.5.html#serverstring"><strong>server string</strong></a> -<p><li > <a href="smb.conf.5.html#sharedmemsize"><strong>shared mem size</strong></a> -<p><li > <a href="smb.conf.5.html#smbpasswdfile"><strong>smb passwd file</strong></a> -<p><li > <a href="smb.conf.5.html#smbrun"><strong>smbrun</strong></a> -<p><li > <a href="smb.conf.5.html#socketaddress"><strong>socket address</strong></a> -<p><li > <a href="smb.conf.5.html#socketoptions"><strong>socket options</strong></a> -<p><li > <a href="smb.conf.5.html#sourceenvironment"><strong>source environment</strong></a> -<p><li > <a href="smb.conf.5.html#ssl"><strong>ssl</strong></a> -<p><li > <a href="smb.conf.5.html#sslCAcertDir"><strong>ssl CA certDir</strong></a> -<p><li > <a href="smb.conf.5.html#sslCAcertFile"><strong>ssl CA certFile</strong></a> -<p><li > <a href="smb.conf.5.html#sslciphers"><strong>ssl ciphers</strong></a> -<p><li > <a href="smb.conf.5.html#sslclientcert"><strong>ssl client cert</strong></a> -<p><li > <a href="smb.conf.5.html#sslclientkey"><strong>ssl client key</strong></a> -<p><li > <a href="smb.conf.5.html#sslcompatibility"><strong>ssl compatibility</strong></a> -<p><li > <a href="smb.conf.5.html#sslhosts"><strong>ssl hosts</strong></a> -<p><li > <a href="smb.conf.5.html#sslhostsresign"><strong>ssl hosts resign</strong></a> -<p><li > <a href="smb.conf.5.html#sslrequireclientcert"><strong>ssl require clientcert</strong></a> -<p><li > <a href="smb.conf.5.html#sslrequireservercert"><strong>ssl require servercert</strong></a> -<p><li > <a href="smb.conf.5.html#sslservercert"><strong>ssl server cert</strong></a> -<p><li > <a href="smb.conf.5.html#sslserverkey"><strong>ssl server key</strong></a> -<p><li > <a href="smb.conf.5.html#sslversion"><strong>ssl version</strong></a> -<p><li > <a href="smb.conf.5.html#statcache"><strong>stat cache</strong></a> -<p><li > <a href="smb.conf.5.html#statcachesize"><strong>stat cache size</strong></a> -<p><li > <a href="smb.conf.5.html#stripdot"><strong>strip dot</strong></a> -<p><li > <a href="smb.conf.5.html#syslog"><strong>syslog</strong></a> -<p><li > <a href="smb.conf.5.html#syslogonly"><strong>syslog only</strong></a> -<p><li > <a href="smb.conf.5.html#templatehomedir"><strong>template homedir</strong></a> -<p><li > <a href="smb.conf.5.html#templateshell"><strong>template shell</strong></a> -<p><li > <a href="smb.conf.5.html#timeoffset"><strong>time offset</strong></a> -<p><li > <a href="smb.conf.5.html#timeserver"><strong>time server</strong></a> -<p><li > <a href="smb.conf.5.html#timestamplogs"><strong>timestamp logs</strong></a> -<p><li > <a href="smb.conf.5.html#unixpasswordsync"><strong>unix password sync</strong></a> -<p><li > <a href="smb.conf.5.html#unixrealname"><strong>unix realname</strong></a> -<p><li > <a href="smb.conf.5.html#updateencrypted"><strong>update encrypted</strong></a> -<p><li > <a href="smb.conf.5.html#userhosts"><strong>use rhosts</strong></a> -<p><li > <a href="smb.conf.5.html#usernamelevel"><strong>username level</strong></a> -<p><li > <a href="smb.conf.5.html#usernamemap"><strong>username map</strong></a> -<p><li > <a href="smb.conf.5.html#utmpdirectory"><strong>utmp directory</strong></a> -<p><li > <a href="smb.conf.5.html#validchars"><strong>valid chars</strong></a> -<p><li > <a href="smb.conf.5.html#winbindcachetime"><strong>winbind cache time</strong></a> -<p><li > <a href="smb.conf.5.html#winbindgid"><strong>winbind gid</strong></a> -<p><li > <a href="smb.conf.5.html#winbinduid"><strong>winbind uid</strong></a> -<p><li > <a href="smb.conf.5.html#winshook"><strong>wins hook</strong></a> -<p><li > <a href="smb.conf.5.html#winsproxy"><strong>wins proxy</strong></a> -<p><li > <a href="smb.conf.5.html#winsserver"><strong>wins server</strong></a> -<p><li > <a href="smb.conf.5.html#winssupport"><strong>wins support</strong></a> -<p><li > <a href="smb.conf.5.html#workgroup"><strong>workgroup</strong></a> -<p><li > <a href="smb.conf.5.html#writeraw"><strong>write raw</strong></a> -<p></dl> -<p><a name="COMPLETELISTOFSERVICEPARAMETERS"></a> -<h2>COMPLETE LIST OF SERVICE PARAMETERS</h2> - -<p>Here is a list of all service parameters. See the section of each -parameter for details. Note that some are synonyms. -<p><dl> -<p><li > <a href="smb.conf.5.html#adminusers"><strong>admin users</strong></a> -<p><li > <a href="smb.conf.5.html#allowhosts"><strong>allow hosts</strong></a> -<p><li > <a href="smb.conf.5.html#alternatepermissions"><strong>alternate permissions</strong></a> -<p><li > <a href="smb.conf.5.html#available"><strong>available</strong></a> -<p><li > <a href="smb.conf.5.html#blockinglocks"><strong>blocking locks</strong></a> -<p><li > <a href="smb.conf.5.html#browsable"><strong>browsable</strong></a> -<p><li > <a href="smb.conf.5.html#browseable"><strong>browseable</strong></a> -<p><li > <a href="smb.conf.5.html#casesensitive"><strong>case sensitive</strong></a> -<p><li > <a href="smb.conf.5.html#casesignames"><strong>casesignames</strong></a> -<p><li > <a href="smb.conf.5.html#comment"><strong>comment</strong></a> -<p><li > <a href="smb.conf.5.html#copy"><strong>copy</strong></a> -<p><li > <a href="smb.conf.5.html#createmask"><strong>create mask</strong></a> -<p><li > <a href="smb.conf.5.html#createmode"><strong>create mode</strong></a> -<p><li > <a href="smb.conf.5.html#defaultcase"><strong>default case</strong></a> -<p><li > <a href="smb.conf.5.html#deletereadonly"><strong>delete readonly</strong></a> -<p><li > <a href="smb.conf.5.html#deletevetofiles"><strong>delete veto files</strong></a> -<p><li > <a href="smb.conf.5.html#denyhosts"><strong>deny hosts</strong></a> -<p><li > <a href="smb.conf.5.html#directory"><strong>directory</strong></a> -<p><li > <a href="smb.conf.5.html#directorymask"><strong>directory mask</strong></a> -<p><li > <a href="smb.conf.5.html#directorymode"><strong>directory mode</strong></a> -<p><li > <a href="smb.conf.5.html#directorysecuritymask"><strong>directory security mask</strong></a> -<p><li > <a href="smb.conf.5.html#dontdescend"><strong>dont descend</strong></a> -<p><li > <a href="smb.conf.5.html#dosfiletimeresolution"><strong>dos filetime resolution</strong></a> -<p><li > <a href="smb.conf.5.html#dosfiletimes"><strong>dos filetimes</strong></a> -<p><li > <a href="smb.conf.5.html#exec"><strong>exec</strong></a> -<p><li > <a href="smb.conf.5.html#fakedirectorycreatetimes"><strong>fake directory create times</strong></a> -<p><li > <a href="smb.conf.5.html#fakeoplocks"><strong>fake oplocks</strong></a> -<p><li > <a href="smb.conf.5.html#followsymlinks"><strong>follow symlinks</strong></a> -<p><li > <a href="smb.conf.5.html#forcecreatemode"><strong>force create mode</strong></a> -<p><li > <a href="smb.conf.5.html#forcedirectorymode"><strong>force directory mode</strong></a> -<p><li > <a href="smb.conf.5.html#forcedirectorysecuritymode"><strong>force directory security mode</strong></a> -<p><li > <a href="smb.conf.5.html#forcegroup"><strong>force group</strong></a> -<p><li > <a href="smb.conf.5.html#forcesecuritymode"><strong>force security mode</strong></a> -<p><li > <a href="smb.conf.5.html#forceuser"><strong>force user</strong></a> -<p><li > <a href="smb.conf.5.html#fstype"><strong>fstype</strong></a> -<p><li > <a href="smb.conf.5.html#group"><strong>group</strong></a> -<p><li > <a href="smb.conf.5.html#guestaccount"><strong>guest account</strong></a> -<p><li > <a href="smb.conf.5.html#guestok"><strong>guest ok</strong></a> -<p><li > <a href="smb.conf.5.html#guestonly"><strong>guest only</strong></a> -<p><li > <a href="smb.conf.5.html#hidedotfiles"><strong>hide dot files</strong></a> -<p><li > <a href="smb.conf.5.html#hidefiles"><strong>hide files</strong></a> -<p><li > <a href="smb.conf.5.html#hostsallow"><strong>hosts allow</strong></a> -<p><li > <a href="smb.conf.5.html#hostsdeny"><strong>hosts deny</strong></a> -<p><li > <a href="smb.conf.5.html#include"><strong>include</strong></a> -<p><li > <a href="smb.conf.5.html#inheritpermissions"><strong>inherit permissions</strong></a> -<p><li > <a href="smb.conf.5.html#invalidusers"><strong>invalid users</strong></a> -<p><li > <a href="smb.conf.5.html#level2oplocks"><strong>level2 oplocks</strong></a> -<p><li > <a href="smb.conf.5.html#locking"><strong>locking</strong></a> -<p><li > <a href="smb.conf.5.html#lppausecommand"><strong>lppause command</strong></a> -<p><li > <a href="smb.conf.5.html#lpqcommand"><strong>lpq command</strong></a> -<p><li > <a href="smb.conf.5.html#lpresumecommand"><strong>lpresume command</strong></a> -<p><li > <a href="smb.conf.5.html#lprmcommand"><strong>lprm command</strong></a> -<p><li > <a href="smb.conf.5.html#magicoutput"><strong>magic output</strong></a> -<p><li > <a href="smb.conf.5.html#magicscript"><strong>magic script</strong></a> -<p><li > <a href="smb.conf.5.html#manglecase"><strong>mangle case</strong></a> -<p><li > <a href="smb.conf.5.html#manglelocks"><strong>mangle locks</strong></a> -<p><li > <a href="smb.conf.5.html#mangledmap"><strong>mangled map</strong></a> -<p><li > <a href="smb.conf.5.html#manglednames"><strong>mangled names</strong></a> -<p><li > <a href="smb.conf.5.html#manglingchar"><strong>mangling char</strong></a> -<p><li > <a href="smb.conf.5.html#maparchive"><strong>map archive</strong></a> -<p><li > <a href="smb.conf.5.html#maphidden"><strong>map hidden</strong></a> -<p><li > <a href="smb.conf.5.html#mapsystem"><strong>map system</strong></a> -<p><li > <a href="smb.conf.5.html#maxconnections"><strong>max connections</strong></a> -<p><li > <a href="smb.conf.5.html#minprintspace"><strong>min print space</strong></a> -<p><li > <a href="smb.conf.5.html#onlyguest"><strong>only guest</strong></a> -<p><li > <a href="smb.conf.5.html#onlyuser"><strong>only user</strong></a> -<p><li > <a href="smb.conf.5.html#oplockcontentionlimit"><strong>oplock contention limit</strong></a> -<p><li > <a href="smb.conf.5.html#oplocks"><strong>oplocks</strong></a> -<p><li > <a href="smb.conf.5.html#path"><strong>path</strong></a> -<p><li > <a href="smb.conf.5.html#postexec"><strong>postexec</strong></a> -<p><li > <a href="smb.conf.5.html#postscript"><strong>postscript</strong></a> -<p><li > <a href="smb.conf.5.html#preexec"><strong>preexec</strong></a> -<p><li > <a href="smb.conf.5.html#preexecclose"><strong>preexec close</strong></a> -<p><li > <a href="smb.conf.5.html#preservecase"><strong>preserve case</strong></a> -<p><li > <a href="smb.conf.5.html#printcommand"><strong>print command</strong></a> -<p><li > <a href="smb.conf.5.html#printok"><strong>print ok</strong></a> -<p><li > <a href="smb.conf.5.html#printable"><strong>printable</strong></a> -<p><li > <a href="smb.conf.5.html#printer"><strong>printer</strong></a> -<p><li > <a href="smb.conf.5.html#printeradmin"><strong>printer admin</strong></a> -<p><li > <a href="smb.conf.5.html#printerdriver"><strong>printer driver</strong></a> -<p><li > <a href="smb.conf.5.html#printerdriverlocation"><strong>printer driver location</strong></a> -<p><li > <a href="smb.conf.5.html#printername"><strong>printer name</strong></a> -<p><li > <a href="smb.conf.5.html#printing"><strong>printing</strong></a> -<p><li > <a href="smb.conf.5.html#public"><strong>public</strong></a> -<p><li > <a href="smb.conf.5.html#queuepausecommand"><strong>queuepause command</strong></a> -<p><li > <a href="smb.conf.5.html#queueresumecommand"><strong>queueresume command</strong></a> -<p><li > <a href="smb.conf.5.html#readlist"><strong>read list</strong></a> -<p><li > <a href="smb.conf.5.html#readonly"><strong>read only</strong></a> -<p><li > <a href="smb.conf.5.html#rootpostexec"><strong>root postexec</strong></a> -<p><li > <a href="smb.conf.5.html#rootpreexec"><strong>root preexec</strong></a> -<p><li > <a href="smb.conf.5.html#rootpreexecclose"><strong>root preexec close</strong></a> -<p><li > <a href="smb.conf.5.html#securitymask"><strong>security mask</strong></a> -<p><li > <a href="smb.conf.5.html#setdirectory"><strong>set directory</strong></a> -<p><li > <a href="smb.conf.5.html#sharemodes"><strong>share modes</strong></a> -<p><li > <a href="smb.conf.5.html#shortpreservecase"><strong>short preserve case</strong></a> -<p><li > <a href="smb.conf.5.html#status"><strong>status</strong></a> -<p><li > <a href="smb.conf.5.html#strictlocking"><strong>strict locking</strong></a> -<p><li > <a href="smb.conf.5.html#strictsync"><strong>strict sync</strong></a> -<p><li > <a href="smb.conf.5.html#syncalways"><strong>sync always</strong></a> -<p><li > <a href="smb.conf.5.html#user"><strong>user</strong></a> -<p><li > <a href="smb.conf.5.html#username"><strong>username</strong></a> -<p><li > <a href="smb.conf.5.html#users"><strong>users</strong></a> -<p><li > <a href="smb.conf.5.html#utmp"><strong>utmp</strong></a> -<p><li > <a href="smb.conf.5.html#validusers"><strong>valid users</strong></a> -<p><li > <a href="smb.conf.5.html#vetofiles"><strong>veto files</strong></a> -<p><li > <a href="smb.conf.5.html#vetooplockfiles"><strong>veto oplock files</strong></a> -<p><li > <a href="smb.conf.5.html#volume"><strong>volume</strong></a> -<p><li > <a href="smb.conf.5.html#widelinks"><strong>wide links</strong></a> -<p><li > <a href="smb.conf.5.html#writable"><strong>writable</strong></a> -<p><li > <a href="smb.conf.5.html#writecachesize"><strong>write cache size</strong></a> -<p><li > <a href="smb.conf.5.html#writelist"><strong>write list</strong></a> -<p><li > <a href="smb.conf.5.html#writeok"><strong>write ok</strong></a> -<p><li > <a href="smb.conf.5.html#writeable"><strong>writeable</strong></a> -<p></dl> -<p><a name="EXPLANATIONOFEACHPARAMETER"></a> -<h2>EXPLANATION OF EACH PARAMETER</h2> - -<p><dl> -<p><a name="adduserscript"></a> -<p></p><dt><strong><strong>add user script (G)</strong></strong><dd> -<p>This is the full pathname to a script that will be run <em>AS ROOT</em> by -<a href="smbd.8.html"><strong>smbd (8)</strong></a> under special circumstances decribed -below. -<p>Normally, a Samba server requires that UNIX users are created for all -users accessing files on this server. For sites that use Windows NT -account databases as their primary user database creating these users -and keeping the user list in sync with the Windows NT PDC is an -onerous task. This option allows <a href="smbd.8.html"><strong>smbd</strong></a> to create -the required UNIX users <em>ON DEMAND</em> when a user accesses the Samba -server. -<p>In order to use this option, <a href="smbd.8.html"><strong>smbd</strong></a> must be set to -<a href="smb.conf.5.html#securityequalserver"><strong>security=server</strong></a> or -<a href="smb.conf.5.html#securityequaldomain"><strong>security=domain</strong></a> and <strong>"add user script"</strong> -must be set to a full pathname for a script that will create a UNIX user -given one argument of <strong>%u</strong>, which expands into the UNIX user name to -create. -<p>When the Windows user attempts to access the Samba server, at -<em>"login"</em>(session setup in the SMB protocol) time, -<a href="smbd.8.html"><strong>smbd</strong></a> contacts the <a href="smb.conf.5.html#passwordserver"><strong>password -server</strong></a> and attempts to authenticate the given user -with the given password. If the authentication succeeds then -<a href="smbd.8.html"><strong>smbd</strong></a> attempts to find a UNIX user in the UNIX -password database to map the Windows user into. If this lookup fails, -and <strong>"add user script"</strong> is set then <a href="smbd.8.html"><strong>smbd</strong></a> will -call the specified script <em>AS ROOT</em>, expanding any <strong>%u</strong> argument -to be the user name to create. -<p>If this script successfully creates the user then -<a href="smbd.8.html"><strong>smbd</strong></a> will continue on as though the UNIX user -already existed. In this way, UNIX users are dynamically created to -match existing Windows NT accounts. -<p>See also <a href="smb.conf.5.html#securityequalserver"><strong>security=server</strong></a>, -<a href="smb.conf.5.html#securityequaldomain"><strong>security=domain</strong></a>, <a href="smb.conf.5.html#passwordserver"><strong>password -server</strong></a>, <a href="smb.conf.5.html#deleteuserscript"><strong>delete user -script</strong></a>. -<p><strong>Default:</strong> -<code> add user script = <empty string></code> -<p><strong>Example:</strong> -<code> add user script = /usr/local/samba/bin/add_user %u</code> -<p><a name="adminusers"></a> -<p></p><dt><strong><strong>admin users (S)</strong></strong><dd> -<p>This is a list of users who will be granted administrative privileges -on the share. This means that they will do all file operations as the -super-user (root). -<p>You should use this option very carefully, as any user in this list -will be able to do anything they like on the share, irrespective of -file permissions. -<p><strong>Default:</strong> <br> -<code> no admin users</code> -<p><strong>Example:</strong> <br> -<code> admin users = jason</code> -<p><a name="allowhosts"></a> -<p></p><dt><strong><strong>allow hosts (S)</strong></strong><dd> -<p>Synonym for <a href="smb.conf.5.html#hostsallow"><strong>hosts allow</strong></a>. -<p><a name="allowtrusteddomains"></a> -<p></p><dt><strong><strong>allow trusted domains (G)</strong></strong><dd> -<p>This option only takes effect when the <a href="smb.conf.5.html#security"><strong>security</strong></a> -option is set to <strong>server</strong> or <strong>domain</strong>. If it is set to no, -then attempts to connect to a resource from a domain or workgroup other than -the one which smbd is running in will fail, even if that domain -is trusted by the remote server doing the authentication. -<p>This is useful if you only want your Samba server to serve resources -to users in the domain it is a member of. As an example, suppose that there are -two domains DOMA and DOMB. DOMB is trusted by DOMA, which contains -the Samba server. Under normal circumstances, a user with an account -in DOMB can then access the resources of a UNIX account with the same -account name on the Samba server even if they do not have an account -in DOMA. This can make implementing a security boundary difficult. -<p><strong>Default:</strong> -<code> allow trusted domains = Yes</code> -<p><strong>Example:</strong> -<code> allow trusted domains = No</code> -<p><a name="alternatepermissions"></a> -<p></p><dt><strong><strong>alternate permissions (S)</strong></strong><dd> -<p>This is a deprecated parameter. It no longer has any effect in Samba2.0. -In previous versions of Samba it affected the way the DOS "read only" -attribute was mapped for a file. In Samba2.0 a file is marked "read only" -if the UNIX file does not have the 'w' bit set for the owner of the file, -regardless if the owner of the file is the currently logged on user or not. -<p><a name="announceas"></a> -<p></p><dt><strong><strong>announce as (G)</strong></strong><dd> -<p>This specifies what type of server <a href="nmbd.8.html"><strong>nmbd</strong></a> will -announce itself as, to a network neighborhood browse list. By default -this is set to Windows NT. The valid options are : "NT", which is a -synonym for "NT Server", "NT Server", "NT Workstation", "Win95" or -"WfW" meaning Windows NT Server, Windows NT Workstation, Windows 95 -and Windows for Workgroups respectively. Do not change this parameter -unless you have a specific need to stop Samba appearing as an NT server -as this may prevent Samba servers from participating as browser servers correctly. -<p><strong>Default:</strong> -<code> announce as = NT Server</code> -<p><strong>Example</strong> -<code> announce as = Win95</code> -<p><a name="announceversion"></a> -<p></p><dt><strong><strong>announce version (G)</strong></strong><dd> -<p>This specifies the major and minor version numbers that nmbd will use -when announcing itself as a server. The default is 4.2. Do not change -this parameter unless you have a specific need to set a Samba server -to be a downlevel server. -<p><strong>Default:</strong> -<code> announce version = 4.2</code> -<p><strong>Example:</strong> -<code> announce version = 2.0</code> -<p><a name="autoservices"></a> -<p></p><dt><strong><strong>auto services (G)</strong></strong><dd> -<p>This is a list of services that you want to be automatically added to -the browse lists. This is most useful for homes and printers services -that would otherwise not be visible. -<p>Note that if you just want all printers in your printcap file loaded -then the <a href="smb.conf.5.html#loadprinters"><strong>"load printers"</strong></a> option is easier. -<p><strong>Default:</strong> -<code> no auto services</code> -<p><strong>Example:</strong> -<code> auto services = fred lp colorlp</code> -<p><a name="available"></a> -<p></p><dt><strong><strong>available (S)</strong></strong><dd> -<p>This parameter lets you <em>'turn off'</em> a service. If <code>'available = no'</code>, -then <em>ALL</em> attempts to connect to the service will fail. Such failures -are logged. -<p><strong>Default:</strong> -<code> available = yes</code> -<p><strong>Example:</strong> -<code> available = no</code> -<p><a name="bindinterfacesonly"></a> -<p></p><dt><strong><strong>bind interfaces only (G)</strong></strong><dd> -<p>This global parameter allows the Samba admin to limit what interfaces -on a machine will serve smb requests. If affects file service -<a href="smbd.8.html"><strong>smbd</strong></a> and name service <a href="nmbd.8.html"><strong>nmbd</strong></a> -in slightly different ways. -<p>For name service it causes <a href="nmbd.8.html"><strong>nmbd</strong></a> to bind to ports -137 and 138 on the interfaces listed in the -<a href="smb.conf.5.html#interfaces"><strong>'interfaces'</strong></a> -parameter. <a href="nmbd.8.html"><strong>nmbd</strong></a> also binds to the 'all -addresses' interface (0.0.0.0) on ports 137 and 138 for the purposes -of reading broadcast messages. If this option is not set then -<a href="nmbd.8.html"><strong>nmbd</strong></a> will service name requests on all of these -sockets. If <strong>"bind interfaces only"</strong> is set then -<a href="nmbd.8.html"><strong>nmbd</strong></a> will check the source address of any -packets coming in on the broadcast sockets and discard any that don't -match the broadcast addresses of the interfaces in the -<a href="smb.conf.5.html#interfaces"><strong>'interfaces'</strong></a> parameter list. As unicast packets -are received on the other sockets it allows <a href="nmbd.8.html"><strong>nmbd</strong></a> -to refuse to serve names to machines that send packets that arrive -through any interfaces not listed in the -<a href="smb.conf.5.html#interfaces"><strong>"interfaces"</strong></a> list. IP Source address spoofing -does defeat this simple check, however so it must not be used -seriously as a security feature for <a href="nmbd.8.html"><strong>nmbd</strong></a>. -<p>For file service it causes <a href="smbd.8.html"><strong>smbd</strong></a> to bind only to -the interface list given in the <a href="smb.conf.5.html#interfaces"><strong>'interfaces'</strong></a> -parameter. This restricts the networks that <a href="smbd.8.html"><strong>smbd</strong></a> -will serve to packets coming in those interfaces. Note that you -should not use this parameter for machines that are serving PPP or -other intermittent or non-broadcast network interfaces as it will not -cope with non-permanent interfaces. -<p>If <strong>"bind interfaces only"</strong> is set then unless the network address -<em>127.0.0.1</em> is added to the <a href="smb.conf.5.html#interfaces"><strong>'interfaces'</strong></a> parameter -list <a href="smbpasswd.8.html"><strong>smbpasswd</strong></a> and -<a href="swat.8.html"><strong>swat</strong></a> may not work as expected due to the -reasons covered below. -<p>To change a users SMB password, the <a href="smbpasswd.8.html"><strong>smbpasswd</strong></a> -by default connects to the <em>"localhost" - 127.0.0.1</em> address as an SMB -client to issue the password change request. If <strong>"bind interfaces only"</strong> -is set then unless the network address <em>127.0.0.1</em> is added to the -<a href="smb.conf.5.html#interfaces"><strong>'interfaces'</strong></a> parameter list then -<a href="smbpasswd.8.html"><strong>smbpasswd</strong></a> will fail to connect in it's -default mode. <a href="smbpasswd.8.html"><strong>smbpasswd</strong></a> can be forced to -use the primary IP interface of the local host by using its -<a href="smbpasswd.8.html#minusr"><strong>"-r remote machine"</strong></a> parameter, with -<strong>"remote machine"</strong> set to the IP name of the primary interface -of the local host. -<p>The <a href="swat.8.html"><strong>swat</strong></a> status page tries to connect with -<a href="smbd.8.html"><strong>smbd</strong></a> and <a href="nmbd.8.html"><strong>nmbd</strong></a> at the address -<em>127.0.0.1</em> to determine if they are running. Not adding <em>127.0.0.1</em> will cause -<a href="smbd.8.html"><strong>smbd</strong></a> and <a href="nmbd.8.html"><strong>nmbd</strong></a> to always show -"not running" even if they really are. This can prevent -<a href="swat.8.html"><strong>swat</strong></a> from starting/stopping/restarting -<a href="smbd.8.html"><strong>smbd</strong></a> and <a href="nmbd.8.html"><strong>nmbd</strong></a>. -<p><strong>Default:</strong> -<code> bind interfaces only = False</code> -<p><strong>Example:</strong> -<code> bind interfaces only = True</code> -<p><a name="blockinglocks"></a> -<p></p><dt><strong><strong>blocking locks (S)</strong></strong><dd> -<p>This parameter controls the behavior of <a href="smbd.8.html"><strong>smbd</strong></a> when -given a request by a client to obtain a byte range lock on a region -of an open file, and the request has a time limit associated with it. -<p>If this parameter is set and the lock range requested cannot be -immediately satisfied, Samba 2.0 will internally queue the lock -request, and periodically attempt to obtain the lock until the -timeout period expires. -<p>If this parameter is set to "False", then Samba 2.0 will behave -as previous versions of Samba would and will fail the lock -request immediately if the lock range cannot be obtained. -<p>This parameter can be set per share. -<p><strong>Default:</strong> -<code> blocking locks = True</code> -<p><strong>Example:</strong> -<code> blocking locks = False</code> -<p><a name="browsable"></a> -<p></p><dt><strong><strong>browsable (S)</strong></strong><dd> -<p>Synonym for <a href="smb.conf.5.html#browseable"><strong>browseable</strong></a>. -<p><a name="browselist"></a> -<p></p><dt><strong><strong>browse list(G)</strong></strong><dd> -<p>This controls whether <a href="smbd.8.html"><strong>smbd</strong></a> will serve a browse -list to a client doing a NetServerEnum call. Normally set to true. You -should never need to change this. -<p><strong>Default:</strong> -<code> browse list = Yes</code> -<p><a name="browseable"></a> -<p></p><dt><strong><strong>browseable</strong></strong><dd> -<p>This controls whether this share is seen in the list of available -shares in a net view and in the browse list. -<p><strong>Default:</strong> -<code> browseable = Yes</code> -<p><strong>Example:</strong> -<code> browseable = No</code> -<p><a name="casesensitive"></a> -<p></p><dt><strong><strong>case sensitive (S)</strong></strong><dd> -<p>See the discussion in the section <a href="smb.conf.5.html#NAMEMANGLING"><strong>NAME MANGLING</strong></a>. -<p><a name="casesignames"></a> -<p></p><dt><strong><strong>casesignames (S)</strong></strong><dd> -<p>Synonym for <a href="smb.conf.5.html#casesensitive"><strong>"case sensitive"</strong></a>. -<p><a name="changenotifytimeout"></a> -<p></p><dt><strong><strong>change notify timeout (G)</strong></strong><dd> -<p>One of the new NT SMB requests that Samba 2.0 supports is the -"ChangeNotify" requests. This SMB allows a client to tell a server to -<em>"watch"</em> a particular directory for any changes and only reply to -the SMB request when a change has occurred. Such constant scanning of -a directory is expensive under UNIX, hence an -<a href="smbd.8.html"><strong>smbd</strong></a> daemon only performs such a scan on each -requested directory once every <strong>change notify timeout</strong> seconds. -<p><strong>change notify timeout</strong> is specified in units of seconds. -<p><strong>Default:</strong> -<code> change notify timeout = 60</code> -<p><strong>Example:</strong> -<code> change notify timeout = 300</code> -<p>Would change the scan time to every 5 minutes. -<p><a name="characterset"></a> -<p></p><dt><strong><strong>character set (G)</strong></strong><dd> -<p>This allows a smbd to map incoming filenames from a DOS Code page (see -the <a href="smb.conf.5.html#clientcodepage"><strong>client code page</strong></a> parameter) to several -built in UNIX character sets. The built in code page translations are: -<p><dl> -<p><li > <strong>ISO8859-1</strong> Western European UNIX character set. The parameter -<a href="smb.conf.5.html#clientcodepage"><strong>client code page</strong></a> <em>MUST</em> be set to code -page 850 if the <strong>character set</strong> parameter is set to iso8859-1 -in order for the conversion to the UNIX character set to be done -correctly. -<p><li > <strong>ISO8859-2</strong> Eastern European UNIX character set. The parameter -<a href="smb.conf.5.html#clientcodepage"><strong>client code page</strong></a> <em>MUST</em> be set to code -page 852 if the <strong>character set</strong> parameter is set to ISO8859-2 -in order for the conversion to the UNIX character set to be done -correctly. -<p><li > <strong>ISO8859-5</strong> Russian Cyrillic UNIX character set. The parameter -<a href="smb.conf.5.html#clientcodepage"><strong>client code page</strong></a> <em>MUST</em> be set to code -page 866 if the <strong>character set</strong> parameter is set to ISO8859-5 -in order for the conversion to the UNIX character set to be done -correctly. -<p><li > <strong>ISO8859-7</strong> Greek UNIX character set. The parameter -<a href="smb.conf.5.html#clientcodepage"><strong>client code page</strong></a> <em>MUST</em> be set to code -page 737 if the <strong>character set</strong> parameter is set to ISO8859-7 -in order for the conversion to the UNIX character set to be done -correctly. -<p><li > <strong>KOI8-R</strong> Alternate mapping for Russian Cyrillic UNIX -character set. The parameter <a href="smb.conf.5.html#clientcodepage"><strong>client code -page</strong></a> <em>MUST</em> be set to code page 866 if the -<strong>character set</strong> parameter is set to KOI8-R in order for the -conversion to the UNIX character set to be done correctly. -<p></dl> -<p><em>BUG</em>. These MSDOS code page to UNIX character set mappings should -be dynamic, like the loading of MS DOS code pages, not static. -<p>See also <a href="smb.conf.5.html#clientcodepage"><strong>client code page</strong></a>. Normally this -parameter is not set, meaning no filename translation is done. -<p><strong>Default:</strong> -<code> character set = <empty string></code> -<p><strong>Example:</strong> -<code> character set = ISO8859-1</code> -<p><a name="clientcodepage"></a> -<p></p><dt><strong><strong>client code page (G)</strong></strong><dd> -<p>This parameter specifies the DOS code page that the clients accessing -Samba are using. To determine what code page a Windows or DOS client -is using, open a DOS command prompt and type the command "chcp". This -will output the code page. The default for USA MS-DOS, Windows 95, and -Windows NT releases is code page 437. The default for western european -releases of the above operating systems is code page 850. -<p>This parameter tells <a href="smbd.8.html"><strong>smbd</strong></a> which of the -<code>codepage.XXX</code> files to dynamically load on startup. These files, -described more fully in the manual page <a href="make_smbcodepage.1.html"><strong>make_smbcodepage -(1)</strong></a>, tell <a href="smbd.8.html"><strong>smbd</strong></a> how -to map lower to upper case characters to provide the case insensitivity -of filenames that Windows clients expect. -<p>Samba currently ships with the following code page files : -<p><dl> -<p><li > <strong>Code Page 437 - MS-DOS Latin US</strong> -<p><li > <strong>Code Page 737 - Windows '95 Greek</strong> -<p><li > <strong>Code Page 850 - MS-DOS Latin 1</strong> -<p><li > <strong>Code Page 852 - MS-DOS Latin 2</strong> -<p><li > <strong>Code Page 861 - MS-DOS Icelandic</strong> -<p><li > <strong>Code Page 866 - MS-DOS Cyrillic</strong> -<p><li > <strong>Code Page 932 - MS-DOS Japanese SJIS</strong> -<p><li > <strong>Code Page 936 - MS-DOS Simplified Chinese</strong> -<p><li > <strong>Code Page 949 - MS-DOS Korean Hangul</strong> -<p><li > <strong>Code Page 950 - MS-DOS Traditional Chinese</strong> -<p></dl> -<p>Thus this parameter may have any of the values 437, 737, 850, 852, -861, 932, 936, 949, or 950. If you don't find the codepage you need, -read the comments in one of the other codepage files and the -<a href="make_smbcodepage.1.html"><strong>make_smbcodepage (1)</strong></a> man page and -write one. Please remember to donate it back to the Samba user -community. -<p>This parameter co-operates with the <a href="smb.conf.5.html#validchars"><strong>"valid -chars"</strong></a> parameter in determining what characters are -valid in filenames and how capitalization is done. If you set both -this parameter and the <a href="smb.conf.5.html#validchars"><strong>"valid chars"</strong></a> parameter -the <strong>"client code page"</strong> parameter <em>MUST</em> be set before the -<a href="smb.conf.5.html#validchars"><strong>"valid chars"</strong></a> parameter in the <strong>smb.conf</strong> -file. The <a href="smb.conf.5.html#validchars"><strong>"valid chars"</strong></a> string will then augment -the character settings in the "client code page" parameter. -<p>If not set, <strong>"client code page"</strong> defaults to 850. -<p>See also : <a href="smb.conf.5.html#validchars"><strong>"valid chars"</strong></a> -<p><strong>Default:</strong> -<code> client code page = 850</code> -<p><strong>Example:</strong> -<code> client code page = 936</code> -<p><a name="codingsystem"></a> -<p></p><dt><strong><strong>codingsystem (G)</strong></strong><dd> -<p>This parameter is used to determine how incoming Shift-JIS Japanese -characters are mapped from the incoming <a href="smb.conf.5.html#clientcodepage"><strong>"client code -page"</strong></a> used by the client, into file names in the -UNIX filesystem. Only useful if <a href="smb.conf.5.html#clientcodepage"><strong>"client code -page"</strong></a> is set to 932 (Japanese Shift-JIS). -<p>The options are : -<p><dl> -<p><li > <strong>SJIS</strong> Shift-JIS. Does no conversion of the incoming filename. -<p><li > <strong>JIS8, J8BB, J8BH, J8@B, J8@J, J8@H </strong> Convert from incoming -Shift-JIS to eight bit JIS code with different shift-in, shift out -codes. -<p><li > <strong>JIS7, J7BB, J7BH, J7@B, J7@J, J7@H </strong> Convert from incoming -Shift-JIS to seven bit JIS code with different shift-in, shift out -codes. -<p><li > <strong>JUNET, JUBB, JUBH, JU@B, JU@J, JU@H </strong> Convert from incoming -Shift-JIS to JUNET code with different shift-in, shift out codes. -<p><li > <strong>EUC</strong> Convert an incoming Shift-JIS character to EUC code. -<p><li > <strong>HEX</strong> Convert an incoming Shift-JIS character to a 3 byte hex -representation, i.e. <code>:AB</code>. -<p><li > <strong>CAP</strong> Convert an incoming Shift-JIS character to the 3 byte hex -representation used by the Columbia AppleTalk Program (CAP), -i.e. <code>:AB</code>. This is used for compatibility between Samba and CAP. -<p></dl> -<p><a name="comment"></a> -<p></p><dt><strong><strong>comment (S)</strong></strong><dd> -<p>This is a text field that is seen next to a share when a client does a -queries the server, either via the network neighborhood or via "net -view" to list what shares are available. -<p>If you want to set the string that is displayed next to the machine -name then see the server string command. -<p><strong>Default:</strong> -<code> No comment string</code> -<p><strong>Example:</strong> -<code> comment = Fred's Files</code> -<p><a name="configfile"></a> -<p></p><dt><strong><strong>config file (G)</strong></strong><dd> -<p>This allows you to override the config file to use, instead of the -default (usually <strong>smb.conf</strong>). There is a chicken and egg problem -here as this option is set in the config file! -<p>For this reason, if the name of the config file has changed when the -parameters are loaded then it will reload them from the new config -file. -<p>This option takes the usual substitutions, which can be very useful. -<p>If the config file doesn't exist then it won't be loaded (allowing you -to special case the config files of just a few clients). -<p><strong>Example:</strong> -<code> config file = /usr/local/samba/lib/smb.conf.%m</code> -<p><a name="copy"></a> -<p></p><dt><strong><strong>copy (S)</strong></strong><dd> -<p>This parameter allows you to <em>'clone'</em> service entries. The specified -service is simply duplicated under the current service's name. Any -parameters specified in the current section will override those in the -section being copied. -<p>This feature lets you set up a 'template' service and create similar -services easily. Note that the service being copied must occur earlier -in the configuration file than the service doing the copying. -<p><strong>Default:</strong> -<code> none</code> -<p><strong>Example:</strong> -<code> copy = otherservice</code> -<p><a name="createmask"></a> -<p></p><dt><strong><strong>create mask (S)</strong></strong><dd> -<p>A synonym for this parameter is <a href="smb.conf.5.html#createmode"><strong>'create mode'</strong></a>. -<p>When a file is created, the necessary permissions are calculated -according to the mapping from DOS modes to UNIX permissions, and the -resulting UNIX mode is then bit-wise 'AND'ed with this parameter. -This parameter may be thought of as a bit-wise MASK for the UNIX modes -of a file. Any bit <em>*not*</em> set here will be removed from the modes set -on a file when it is created. -<p>The default value of this parameter removes the 'group' and 'other' -write and execute bits from the UNIX modes. -<p>Following this Samba will bit-wise 'OR' the UNIX mode created from -this parameter with the value of the "force create mode" parameter -which is set to 000 by default. -<p>This parameter does not affect directory modes. See the parameter -<a href="smb.conf.5.html#directorymode"><strong>'directory mode'</strong></a> for details. -<p>See also the <a href="smb.conf.5.html#forcecreatemode"><strong>"force create mode"</strong></a> parameter -for forcing particular mode bits to be set on created files. See also -the <a href="smb.conf.5.html#directorymode"><strong>"directory mode"</strong></a> parameter for masking -mode bits on created directories. -See also the <a href="smb.conf.5.html#inheritpermissions"><strong>"inherit permissions"</strong></a> parameter. -<p><strong>Default:</strong> -<code> create mask = 0744</code> -<p><strong>Example:</strong> -<code> create mask = 0775</code> -<p><a name="createmode"></a> -<p></p><dt><strong><strong>create mode (S)</strong></strong><dd> -<p>This is a synonym for <a href="smb.conf.5.html#createmask"><strong>create mask</strong></a>. -<p><a name="deadtime"></a> -<p></p><dt><strong><strong>deadtime (G)</strong></strong><dd> -<p>The value of the parameter (a decimal integer) represents the number -of minutes of inactivity before a connection is considered dead, and -it is disconnected. The deadtime only takes effect if the number of -open files is zero. -<p>This is useful to stop a server's resources being exhausted by a large -number of inactive connections. -<p>Most clients have an auto-reconnect feature when a connection is -broken so in most cases this parameter should be transparent to users. -<p>Using this parameter with a timeout of a few minutes is recommended -for most systems. -<p>A deadtime of zero indicates that no auto-disconnection should be -performed. -<p><strong>Default:</strong> -<code> deadtime = 0</code> -<p><strong>Example:</strong> -<code> deadtime = 15</code> -<p><a name="debughirestimestamp"></a> -<p></p><dt><strong><strong>debug hires timestamp (G)</strong></strong><dd> -<p>Sometimes the timestamps in the log messages are needed with a -resolution of higher that seconds, this boolean parameter adds -microsecond resolution to the timestamp message header when turned on. -<p>Note that the parameter <a href="smb.conf.5.html#debugtimestamp"><strong>debug timestamp</strong></a> -must be on for this to have an effect. -<p><strong>Default:</strong> -<code> debug hires timestamp = No</code> -<p><strong>Example:</strong> -<code> debug hires timestamp = Yes</code> -<p><a name="debugtimestamp"></a> -<p></p><dt><strong><strong>debug timestamp (G)</strong></strong><dd> -<p>Samba2.0 debug log messages are timestamped by default. If you are -running at a high <a href="smb.conf.5.html#debuglevel"><strong>"debug level"</strong></a> these timestamps -can be distracting. This boolean parameter allows timestamping to be turned -off. -<p><strong>Default:</strong> -<code> debug timestamp = Yes</code> -<p><strong>Example:</strong> -<code> debug timestamp = No</code> -<p><a name="debugpid"></a> -<p></p><dt><strong><strong>debug pid (G)</strong></strong><dd> -<p>When using only one log file for more then one forked smbd-process -there may be hard to follow which process outputs which message. -This boolean parameter is adds the process-id to the timestamp message -headers in the logfile when turned on. -<p>Note that the parameter <a href="smb.conf.5.html#debugtimestamp"><strong>debug timestamp</strong></a> -must be on for this to have an effect. -<p><strong>Default:</strong> -<code> debug pid = No</code> -<p><strong>Example:</strong> -<code> debug pid = Yes</code> -<p><a name="debuguid"></a> -<p></p><dt><strong><strong>debug uid (G)</strong></strong><dd> -<p>Samba is sometimes run as root and sometime run as the connected -user, this boolean parameter inserts the current euid, egid, uid -and gid to the timestamp message headers in the log file if turned on. -<p>Note that the parameter <a href="smb.conf.5.html#debugtimestamp"><strong>debug timestamp</strong></a> -must be on for this to have an effect. -<p><strong>Default:</strong> -<code> debug uid = No</code> -<p><strong>Example:</strong> -<code> debug uid = Yes</code> -<p><a name="debuglevel"></a> -<p></p><dt><strong><strong>debug level (G)</strong></strong><dd> -<p>The value of the parameter (an integer) allows the debug level -(logging level) to be specified in the <strong>smb.conf</strong> file. This is to -give greater flexibility in the configuration of the system. -<p>The default will be the debug level specified on the command line -or level zero if none was specified. -<p><strong>Example:</strong> -<code> debug level = 3</code> -<p><a name="default"></a> -<p></p><dt><strong><strong>default (G)</strong></strong><dd> -<p>A synonym for <a href="smb.conf.5.html#defaultservice"><strong>default service</strong></a>. -<p><a name="defaultcase"></a> -<p></p><dt><strong><strong>default case (S)</strong></strong><dd> -<p>See the section on <a href="smb.conf.5.html#NAMEMANGLING"><strong>"NAME MANGLING"</strong></a>. Also note -the <a href="smb.conf.5.html#shortpreservecase"><strong>"short preserve case"</strong></a> parameter. -<p><a name="defaultservice"></a> -<p></p><dt><strong><strong>default service (G)</strong></strong><dd> -<p>This parameter specifies the name of a service which will be connected -to if the service actually requested cannot be found. Note that the -square brackets are <em>NOT</em> given in the parameter value (see example -below). -<p>There is no default value for this parameter. If this parameter is not -given, attempting to connect to a nonexistent service results in an -error. -<p>Typically the default service would be a <a href="smb.conf.5.html#guestok"><strong>guest ok</strong></a>, -<a href="smb.conf.5.html#readonly"><strong>read-only</strong></a> service. -<p>Also note that the apparent service name will be changed to equal that -of the requested service, this is very useful as it allows you to use -macros like <a href="smb.conf.5.html#percentS"><strong>%S</strong></a> to make a wildcard service. -<p>Note also that any <code>'_'</code> characters in the name of the service used -in the default service will get mapped to a <code>'/'</code>. This allows for -interesting things. -<p><strong>Example:</strong> -<pre> - - default service = pub + </TT +> + </PRE +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN48" +></A +><H2 +>SPECIAL SECTIONS</H2 +><DIV +CLASS="REFSECT2" +><A +NAME="AEN50" +></A +><H3 +>The [global] section</H3 +><P +>parameters in this section apply to the server + as a whole, or are defaults for sections which do not + specifically define certain items. See the notes + under paraMETERS for more information.</P +></DIV +><DIV +CLASS="REFSECT2" +><A +NAME="AEN53" +></A +><H3 +>The [homes] section</H3 +><P +>If a section called homes is included in the + configuration file, services connecting clients to their + home directories can be created on the fly by the server.</P +><P +>When the connection request is made, the existing + sections are scanned. If a match is found, it is used. If no + match is found, the requested section name is treated as a + user name and looked up in the local password file. If the + name exists and the correct password has been given, a share is + created by cloning the [homes] section.</P +><P +>Some modifications are then made to the newly + created share:</P +><P +></P +><UL +><LI +><P +>The share name is changed from homes to + the located username.</P +></LI +><LI +><P +>If no path was given, the path is set to + the user's home directory.</P +></LI +></UL +><P +>If you decide to use a <I +CLASS="EMPHASIS" +>path=</I +> line + in your [homes] section then you may find it useful + to use the %S macro. For example :</P +><P +><TT +CLASS="USERINPUT" +><B +>path=/data/pchome/%S</B +></TT +></P +><P +>would be useful if you have different home directories + for your PCs than for UNIX access.</P +><P +>This is a fast and simple way to give a large number + of clients access to their home directories with a minimum + of fuss.</P +><P +>A similar process occurs if the requested section + name is "homes", except that the share name is not + changed to that of the requesting user. This method of using + the [homes] section works well if different users share + a client PC.</P +><P +>The [homes] section can specify all the parameters + a normal service section can specify, though some make more sense + than others. The following is a typical and suitable [homes] + section:</P +><PRE +CLASS="SCREEN" +> <TT +CLASS="COMPUTEROUTPUT" +> [homes] + writeable = yes + </TT +> + </PRE +><P +>An important point is that if guest access is specified + in the [homes] section, all home directories will be + visible to all clients <I +CLASS="EMPHASIS" +>without a password</I +>. + In the very unlikely event that this is actually desirable, it + would be wise to also specify <I +CLASS="EMPHASIS" +>read only + access</I +>.</P +><P +>Note that the <I +CLASS="EMPHASIS" +>browseable</I +> flag for + auto home directories will be inherited from the global browseable + flag, not the [homes] browseable flag. This is useful as + it means setting browseable=no in the [homes] section + will hide the [homes] share but make any auto home + directories visible.</P +></DIV +><DIV +CLASS="REFSECT2" +><A +NAME="AEN78" +></A +><H3 +>The [printers] section</H3 +><P +>This section works like [homes], + but for printers.</P +><P +>If a [printers] section occurs in the + configuration file, users are able to connect to any printer + specified in the local host's printcap file.</P +><P +>When a connection request is made, the existing sections + are scanned. If a match is found, it is used. If no match is found, + but a [homes] section exists, it is used as described + above. Otherwise, the requested section name is treated as a + printer name and the appropriate printcap file is scanned to see + if the requested section name is a valid printer share name. If + a match is found, a new printer share is created by cloning + the [printers] section.</P +><P +>A few modifications are then made to the newly created + share:</P +><P +></P +><UL +><LI +><P +>The share name is set to the located printer + name</P +></LI +><LI +><P +>If no printer name was given, the printer name + is set to the located printer name</P +></LI +><LI +><P +>If the share does not permit guest access and + no username was given, the username is set to the located + printer name.</P +></LI +></UL +><P +>Note that the [printers] service MUST be + printable - if you specify otherwise, the server will refuse + to load the configuration file.</P +><P +>Typically the path specified would be that of a + world-writeable spool directory with the sticky bit set on + it. A typical [printers] entry would look like + this:</P +><PRE +CLASS="SCREEN" +><TT +CLASS="COMPUTEROUTPUT" +> [printers] + path = /usr/spool/public + guest ok = yes + printable = yes + </TT +></PRE +><P +>All aliases given for a printer in the printcap file + are legitimate printer names as far as the server is concerned. + If your printing subsystem doesn't work like that, you will have + to set up a pseudo-printcap. This is a file consisting of one or + more lines like this:</P +><PRE +CLASS="SCREEN" +> <TT +CLASS="COMPUTEROUTPUT" +> alias|alias|alias|alias... + </TT +> + </PRE +><P +>Each alias should be an acceptable printer name for + your printing subsystem. In the [global] section, specify + the new file as your printcap. The server will then only recognize + names found in your pseudo-printcap, which of course can contain + whatever aliases you like. The same technique could be used + simply to limit access to a subset of your local printers.</P +><P +>An alias, by the way, is defined as any component of the + first entry of a printcap record. Records are separated by newlines, + components (if there are more than one) are separated by vertical + bar symbols ('|').</P +><P +>NOTE: On SYSV systems which use lpstat to determine what + printers are defined on the system you may be able to use + "printcap name = lpstat" to automatically obtain a list + of printers. See the "printcap name" option + for more details.</P +></DIV +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN101" +></A +><H2 +>paraMETRS</H2 +><P +>parameters define the specific attributes of sections.</P +><P +>Some parameters are specific to the [global] section + (e.g., <I +CLASS="EMPHASIS" +>security</I +>). Some parameters are usable + in all sections (e.g., <I +CLASS="EMPHASIS" +>create mode</I +>). All others + are permissible only in normal sections. For the purposes of the + following descriptions the [homes] and [printers] + sections will be considered normal. The letter <I +CLASS="EMPHASIS" +>G</I +> + in parentheses indicates that a parameter is specific to the + [global] section. The letter <I +CLASS="EMPHASIS" +>S</I +> + indicates that a parameter can be specified in a service specific + section. Note that all <I +CLASS="EMPHASIS" +>S</I +> parameters can also be specified in + the [global] section - in which case they will define + the default behavior for all services.</P +><P +>parameters are arranged here in alphabetical order - this may + not create best bedfellows, but at least you can find them! Where + there are synonyms, the preferred synonym is described, others refer + to the preferred synonym.</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN111" +></A +><H2 +>VARIABLE SUBSTITUTIONS</H2 +><P +>Many of the strings that are settable in the config file + can take substitutions. For example the option "path = + /tmp/%u" would be interpreted as "path = + /tmp/john" if the user connected with the username john.</P +><P +>These substitutions are mostly noted in the descriptions below, + but there are some general substitutions which apply whenever they + might be relevant. These are:</P +><P +></P +><DIV +CLASS="VARIABLELIST" +><DL +><DT +>%S</DT +><DD +><P +>the name of the current service, if any.</P +></DD +><DT +>%P</DT +><DD +><P +>the root directory of the current service, + if any.</P +></DD +><DT +>%u</DT +><DD +><P +>user name of the current service, if any.</P +></DD +><DT +>%g</DT +><DD +><P +>primary group name of %u.</P +></DD +><DT +>%U</DT +><DD +><P +>session user name (the user name that the client + wanted, not necessarily the same as the one they got).</P +></DD +><DT +>%G</DT +><DD +><P +>primary group name of %U.</P +></DD +><DT +>%H</DT +><DD +><P +>the home directory of the user given + by %u.</P +></DD +><DT +>%v</DT +><DD +><P +>the Samba version.</P +></DD +><DT +>%h</DT +><DD +><P +>the internet hostname that Samba is running + on.</P +></DD +><DT +>%m</DT +><DD +><P +>the NetBIOS name of the client machine + (very useful).</P +></DD +><DT +>%L</DT +><DD +><P +>the NetBIOS name of the server. This allows you + to change your config based on what the client calls you. Your + server can have a "dual personality".</P +></DD +><DT +>%M</DT +><DD +><P +>the internet name of the client machine. + </P +></DD +><DT +>%N</DT +><DD +><P +>the name of your NIS home directory server. + This is obtained from your NIS auto.map entry. If you have + not compiled Samba with the <I +CLASS="EMPHASIS" +>--with-automount</I +> + option then this value will be the same as %.</P +></DD +><DT +>%p</DT +><DD +><P +>the path of the service's home directory, + obtained from your NIS auto.map entry. The NIS auto.map entry + is split up as "%N:%p".</P +></DD +><DT +>%R</DT +><DD +><P +>the selected protocol level after + protocol negotiation. It can be one of CORE, COREPLUS, + LANMAN1, LANMAN2 or NT1.</P +></DD +><DT +>%d</DT +><DD +><P +>The process id of the current server + process.</P +></DD +><DT +>%a</DT +><DD +><P +>the architecture of the remote + machine. Only some are recognized, and those may not be + 100% reliable. It currently recognizes Samba, WfWg, + WinNT and Win95. Anything else will be known as + "UNKNOWN". If it gets it wrong then sending a level + 3 log to <A +HREF="mailto:samba@samba.org" +TARGET="_top" +>samba@samba.org + </A +> should allow it to be fixed.</P +></DD +><DT +>%I</DT +><DD +><P +>The IP address of the client machine.</P +></DD +><DT +>%T</DT +><DD +><P +>the current date and time.</P +></DD +><DT +>%$(<TT +CLASS="REPLACEABLE" +><I +>envvar</I +></TT +>)</DT +><DD +><P +>The value of the environment variable + <TT +CLASS="REPLACEABLE" +><I +>envar</I +></TT +>.</P +></DD +></DL +></DIV +><P +>There are some quite creative things that can be done + with these substitutions and other smb.conf options.</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN201" +></A +><H2 +>NAME MANGLING</H2 +><P +>Samba supports "name mangling" so that DOS and + Windows clients can use files that don't conform to the 8.3 format. + It can also be set to adjust the case of 8.3 format filenames.</P +><P +>There are several options that control the way mangling is + performed, and they are grouped here rather than listed separately. + For the defaults look at the output of the testparm program. </P +><P +>All of these options can be set separately for each service + (or globally, of course). </P +><P +>The options are: </P +><P +></P +><DIV +CLASS="VARIABLELIST" +><DL +><DT +>mangle case= yes/no</DT +><DD +><P +> controls if names that have characters that + aren't of the "default" case are mangled. For example, + if this is yes then a name like "Mail" would be mangled. + Default <I +CLASS="EMPHASIS" +>no</I +>.</P +></DD +><DT +>case sensitive = yes/no</DT +><DD +><P +>controls whether filenames are case sensitive. If + they aren't then Samba must do a filename search and match on passed + names. Default <I +CLASS="EMPHASIS" +>no</I +>.</P +></DD +><DT +>default case = upper/lower</DT +><DD +><P +>controls what the default case is for new + filenames. Default <I +CLASS="EMPHASIS" +>lower</I +>.</P +></DD +><DT +>preserve case = yes/no</DT +><DD +><P +>controls if new files are created with the + case that the client passes, or if they are forced to be the + "default" case. Default <I +CLASS="EMPHASIS" +>yes</I +>. + </P +></DD +><DT +>short preserve case = yes/no</DT +><DD +><P +>controls if new files which conform to 8.3 syntax, + that is all in upper case and of suitable length, are created + upper case, or if they are forced to be the "default" + case. This option can be use with "preserve case = yes" + to permit long filenames to retain their case, while short names + are lowered. Default <I +CLASS="EMPHASIS" +>yes</I +>.</P +></DD +></DL +></DIV +><P +>By default, Samba 2.2 has the same semantics as a Windows + NT server, in that it is case insensitive but case preserving.</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN234" +></A +><H2 +>NOTE ABOUT USERNAME/PASSWORD VALIDATION</H2 +><P +>There are a number of ways in which a user can connect + to a service. The server follows the following steps in determining + if it will allow a connection to a specified service. If all the + steps fail then the connection request is rejected. If one of the + steps pass then the following steps are not checked.</P +><P +>If the service is marked "guest only = yes" then + steps 1 to 5 are skipped.</P +><P +></P +><OL +TYPE="1" +><LI +><P +>If the client has passed a username/password + pair and that username/password pair is validated by the UNIX + system's password programs then the connection is made as that + username. Note that this includes the + \\server\service%<TT +CLASS="REPLACEABLE" +><I +>username</I +></TT +> method of passing + a username.</P +></LI +><LI +><P +>If the client has previously registered a username + with the system and now supplies a correct password for that + username then the connection is allowed.</P +></LI +><LI +><P +>The client's netbios name and any previously + used user names are checked against the supplied password, if + they match then the connection is allowed as the corresponding + user.</P +></LI +><LI +><P +>If the client has previously validated a + username/password pair with the server and the client has passed + the validation token then that username is used. </P +></LI +><LI +><P +>If a "user = " field is given in the + <TT +CLASS="FILENAME" +>smb.conf</TT +> file for the service and the client + has supplied a password, and that password matches (according to + the UNIX system's password checking) with one of the usernames + from the "user=" field then the connection is made as + the username in the "user=" line. If one + of the username in the "user=" list begins with a + '@' then that name expands to a list of names in + the group of the same name.</P +></LI +><LI +><P +>If the service is a guest service then a + connection is made as the username given in the "guest + account =" for the service, irrespective of the + supplied password.</P +></LI +></OL +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN253" +></A +><H2 +>COMPLETE LIST OF GLOBAL PARAMETERS</H2 +><P +>Here is a list of all global parameters. See the section of + each parameter for details. Note that some are synonyms.</P +><P +></P +><UL +><LI +><P +><TT +CLASS="PARAMETER" +><I +>add user script</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>allow trusted domains</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>announce as</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>announce version</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>auto services</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>bind interfaces only</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>browse list</I +></TT +></P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>change notify timeout</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>character set</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>client code page</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>coding system</I +></TT +></P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>config file</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>deadtime</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>debug hires timestamp</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>debug pid</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>debug timestamp</I +></TT +></P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>debug uid</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>debug level</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>default</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>default service</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>delete user script</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>dfree command</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>dns proxy</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>domain admin group</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>domain admin users</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>domain groups</I +></TT +></P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>domain guest group</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>domain guest users</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>domain logons</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>domain master</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>encrypt passwords</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>getwd cache</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>hide local users</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>homedir map</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>hosts equiv</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>interfaces</I +></TT +></P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>keepalive</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>kernel oplocks</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>lm announce</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>lm interval</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>load printers</I +></TT +></P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>local master</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>lock dir</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>lock directory</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>log file</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>log level</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>logon drive</I +></TT +></P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>logon home</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>logon path</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>logon script</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>lpq cache time</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>machine password timeout</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>mangled stack</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>map to guest</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>max disk size</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>max log size</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>max mux</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>max open files</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>max packet</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>max ttl</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>max wins ttl</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>max xmit</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>message command</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>min passwd length</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>min password length</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>min wins ttl</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>name resolve order</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>netbios aliases</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>netbios name</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>netbios scope</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>nis homedir</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>nt acl support</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>nt pipe support</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>nt smb support</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>null passwords</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>ole locking compatibility</I +></TT +></P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>oplock break wait time</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>os level</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>panic action</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>passwd chat</I +></TT +></P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>passwd chat debug</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>passwd program</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>password level</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>password server</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>prefered master</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>preferred master</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>preload</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>printcap</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>printcap name</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>printer driver file</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>private dir</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>protocol</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>read bmpx</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>read prediction</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>read raw</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>read size</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>remote announce</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>remote browse sync</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>restrict anonymous</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>root</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>root dir</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>root directory</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>security</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>server string</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>shared mem size</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>smb passwd file</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>smbrun</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>socket address</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>socket options</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>source environment</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>ssl</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>ssl CA certDir</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>ssl CA certFile</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>ssl ciphers</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>ssl client cert</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>ssl client key</I +></TT +></P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>ssl compatibility</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>ssl hosts</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>ssl hosts resign</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>ssl require clientcert</I +></TT +></P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>ssl require servercert</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>ssl server cert</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>ssl server key</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>ssl version</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>stat cache</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>stat cache size</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>strip dot</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>syslog</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>syslog only</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>template homedir</I +></TT +></P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>template shell</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>time offset</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>time server</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>timestamp logs</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>unix password sync</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>unix realname</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>update encrypted</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>use rhosts</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>username level</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>username map</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>utmp directory</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>valid chars</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>winbind cache time</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>winbind gid</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>winbind uid</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>wins hook</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>wins proxy</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>wins server</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>wins support</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>workgroup</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>write raw</I +></TT +> </P +></LI +></UL +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN710" +></A +><H2 +>COMPLETE LIST OF SERVICE PARAMETERS</H2 +><P +>Here is a list of all service parameters. See the section of + each parameter for details. Note that some are synonyms.</P +><P +></P +><UL +><LI +><P +><TT +CLASS="PARAMETER" +><I +>admin users</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>allow hosts</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>alternate permissions</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>available</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>blocking locks</I +></TT +></P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>browsable</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>browseable</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>case sensitive</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>casesignames</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>comment</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>copy</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>create mask</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>create mode</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>default case</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>delete readonly</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>delete veto files</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>deny hosts</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>directory</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>directory mask</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>directory mode</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>directory security mask</I +></TT +></P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>dont descend</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>dos filetime resolution</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>dos filetimes</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>exec</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>fake directory create times</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>fake oplocks</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>follow symlinks</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>force create mode</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>force directory mode</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>force directory security mode</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>force group</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>force security mode</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>force user</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>fstype</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>group</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>guest account</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>guest ok</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>guest only</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>hide dot files</I +></TT +></P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>hide files</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>hosts allow</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>hosts deny</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>include</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>inherit permissions</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>invalid users</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>level2 oplocks</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>locking</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>lppause command</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>lpq command</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>lpresume command</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>lprm command</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>magic output</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>magic script</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>mangle case</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>mangle locks</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>mangled map</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>mangled names</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>mangling char</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>map archive</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>map hidden</I +></TT +></P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>map system</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>max connections</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>min print space</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>only guest</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>only user</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>oplock contention limit</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>oplocks</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>path</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>postexec</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>postscript</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>preexec</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>preexec close</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>preserve case</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>print command</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>print ok</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>printable</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>printer</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>printer admin</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>printer driver</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>printer driver location</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>printer name</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>printing</I +></TT +></P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>public</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>queuepause command</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>queueresume command</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>read list</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>read only</I +></TT +></P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>root postexec</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>root preexec</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>root preexec close</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>security mask</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>set directory</I +></TT +></P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>share modes</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>short preserve case</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>status</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>strict locking</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>strict sync</I +></TT +></P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>sync always</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>user</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>username</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>users</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>utmp</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>valid users</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>veto files</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>veto oplock files</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>volume</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>wide links</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>writable</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>write cache size</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>write list</I +></TT +></P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>write ok</I +></TT +> </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>writeable</I +></TT +> </P +></LI +></UL +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN1053" +></A +><H2 +>EXPLANATION OF EACH PARAMETER</H2 +><P +></P +><DIV +CLASS="VARIABLELIST" +><DL +><DT +><A +NAME="ADDUSERSCRIPT" +></A +>add user script (G)</DT +><DD +><P +>This is the full pathname to a script that will + be run <I +CLASS="EMPHASIS" +>AS ROOT</I +> by <A +HREF="smbd.8.html" +TARGET="_top" +>smbd(8) + </A +> under special circumstances decribed below.</P +><P +>Normally, a Samba server requires that UNIX users are + created for all users accessing files on this server. For sites + that use Windows NT account databases as their primary user database + creating these users and keeping the user list in sync with the + Windows NT PDC is an onerous task. This option allows <A +HREF="smbd.8.html" +TARGET="_top" +>smbd</A +> to create the required UNIX users + <I +CLASS="EMPHASIS" +>ON DEMAND</I +> when a user accesses the Samba server.</P +><P +>In order to use this option, <A +HREF="smbd.8.html" +TARGET="_top" +>smbd</A +> + must be set to <TT +CLASS="PARAMETER" +><I +>security=server</I +></TT +> or <TT +CLASS="PARAMETER" +><I +> security=domain</I +></TT +> and <TT +CLASS="PARAMETER" +><I +>add user script</I +></TT +> + must be set to a full pathname for a script that will create a UNIX + user given one argument of <TT +CLASS="PARAMETER" +><I +>%u</I +></TT +>, which expands into + the UNIX user name to create.</P +><P +>When the Windows user attempts to access the Samba server, + at login (session setup in the SMB protocol) time, <A +HREF="smbd.8.html" +TARGET="_top" +> smbd</A +> contacts the <TT +CLASS="PARAMETER" +><I +>password server</I +></TT +> and + attempts to authenticate the given user with the given password. If the + authentication succeeds then <A +HREF="smbd.8.html" +TARGET="_top" +>smbd</A +> + attempts to find a UNIX user in the UNIX password database to map the + Windows user into. If this lookup fails, and <TT +CLASS="PARAMETER" +><I +>add user script + </I +></TT +> is set then <A +HREF="smbd.8.html" +TARGET="_top" +>smbd</A +> will + call the specified script <I +CLASS="EMPHASIS" +>AS ROOT</I +>, expanding + any <TT +CLASS="PARAMETER" +><I +>%u</I +></TT +> argument to be the user name to create.</P +><P +>If this script successfully creates the user then <A +HREF="smbd.8.html" +TARGET="_top" +>smbd</A +> will continue on as though the UNIX user + already existed. In this way, UNIX users are dynamically created to + match existing Windows NT accounts.</P +><P +>See also <A +HREF="smb.conf.5.html#security" +TARGET="_top" +><TT +CLASS="PARAMETER" +><I +> security</I +></TT +></A +>, <A +HREF="smb.conf.5.html#passwordserver" +TARGET="_top" +> <TT +CLASS="PARAMETER" +><I +>password server</I +></TT +></A +>, <A +HREF="smb.conf.5.html#deleteuserscript" +TARGET="_top" +><TT +CLASS="PARAMETER" +><I +>delete user + script</I +></TT +></A +>.</P +><P +>Default: <B +CLASS="COMMAND" +>add user script = <empty string> + </B +></P +><P +>Example: <B +CLASS="COMMAND" +>add user script = /usr/local/samba/bin/add_user + %u</B +></P +></DD +><DT +><A +NAME="ADMINUSERS" +></A +>admin users (S)</DT +><DD +><P +>This is a list of users who will be granted + administrative privileges on the share. This means that they + will do all file operations as the super-user (root).</P +><P +>You should use this option very carefully, as any user in + this list will be able to do anything they like on the share, + irrespective of file permissions.</P +><P +>Default: <I +CLASS="EMPHASIS" +>no admin users</I +></P +><P +>Example: <B +CLASS="COMMAND" +>admin users = jason</B +></P +></DD +><DT +><A +NAME="ALLOWHOSTS" +></A +>allow hosts (S)</DT +><DD +><P +>Synonym for <A +HREF="smb.conf.5.html#hostsallow" +TARGET="_top" +> <TT +CLASS="PARAMETER" +><I +>hosts allow</I +></TT +></A +>.</P +></DD +><DT +><A +NAME="ALLOWTRUSTEDDOMAINS" +></A +>allow trusted domains (G)</DT +><DD +><P +>This option only takes effect when the <A +HREF="smb.conf.5.html" +TARGET="_top" +>security</A +> option is set to + <TT +CLASS="PARAMETER" +><I +>server</I +></TT +> or <TT +CLASS="PARAMETER" +><I +>domain</I +></TT +>. + If it is set to no, then attempts to connect to a resource from + a domain or workgroup other than the one which smbd is running + in will fail, even if that domain is trusted by the remote server + doing the authentication.</P +><P +>This is useful if you only want your Samba server to + serve resources to users in the domain it is a member of. As + an example, suppose that there are two domains DOMA and DOMB. DOMB + is trusted by DOMA, which contains the Samba server. Under normal + circumstances, a user with an account in DOMB can then access the + resources of a UNIX account with the same account name on the + Samba server even if they do not have an account in DOMA. This + can make implementing a security boundary difficult.</P +><P +>Default: <B +CLASS="COMMAND" +>allow trusted domains = yes</B +></P +></DD +><DT +><A +NAME="ANNOUNCEAS" +></A +>announce as (G)</DT +><DD +><P +>This specifies what type of server + <A +HREF="nmbd.8.html" +TARGET="_top" +><B +CLASS="COMMAND" +>nmbd</B +></A +> + will announce itself as, to a network neighborhood browse + list. By default this is set to Windows NT. The valid options + are : "NT" (which is a synonym for "NT Server"), "NT Server", + "NT Workstation", "Win95" or "WfW" meaning Windows NT Server, + Windows NT Workstation, Windows 95 and Windows for Workgroups + respectively. Do not change this parameter unless you have a + specific need to stop Samba appearing as an NT server as this + may prevent Samba servers from participating as browser servers + correctly.</P +><P +>Default: <B +CLASS="COMMAND" +>announce as = NT Server</B +></P +><P +>Example: <B +CLASS="COMMAND" +>announce as = Win95</B +></P +></DD +><DT +><A +NAME="ANNOUCEVERSION" +></A +>annouce version (G)</DT +><DD +><P +>This specifies the major and minor version numbers + that nmbd will use when announcing itself as a server. The default + is 4.2. Do not change this parameter unless you have a specific + need to set a Samba server to be a downlevel server.</P +><P +>Default: <B +CLASS="COMMAND" +>announce version = 4.2</B +></P +><P +>Example: <B +CLASS="COMMAND" +>announce version = 2.0</B +></P +></DD +><DT +><A +NAME="AUTOSERVICES" +></A +>auto services (G)</DT +><DD +><P +>This is a list of services that you want to be + automatically added to the browse lists. This is most useful + for homes and printers services that would otherwise not be + visible.</P +><P +>Note that if you just want all printers in your + printcap file loaded then the <A +HREF="smb.conf.5.html#loadprinters" +TARGET="_top" +> <TT +CLASS="PARAMETER" +><I +>load printers</I +></TT +></A +> option is easier.</P +><P +>Default: <I +CLASS="EMPHASIS" +>no auto services</I +></P +><P +>Example: <B +CLASS="COMMAND" +>auto services = fred lp colorlp</B +></P +></DD +><DT +><A +NAME="AVAILABLE" +></A +>available (S)</DT +><DD +><P +>This parameter lets you "turn off" a service. If + <TT +CLASS="PARAMETER" +><I +>available = no</I +></TT +>, then <I +CLASS="EMPHASIS" +>ALL</I +> + attempts to connect to the service will fail. Such failures are + logged.</P +><P +>Default: <B +CLASS="COMMAND" +>available = yes</B +></P +></DD +><DT +><A +NAME="BINDINTERFACESONLY" +></A +>bind interfaces only (G)</DT +><DD +><P +>This global parameter allows the Samba admin + to limit what interfaces on a machine will serve smb requests. If + affects file service <A +HREF="smbd.8.html" +TARGET="_top" +>smbd(8)</A +> and + name service <A +HREF="nmbd.8.html" +TARGET="_top" +>nmbd(8)</A +> in slightly + different ways.</P +><P +>For name service it causes <B +CLASS="COMMAND" +>nmbd</B +> to bind + to ports 137 and 138 on the interfaces listed in the <A +HREF="#INTERFACES" +>interfaces</A +> parameter. <B +CLASS="COMMAND" +>nmbd + </B +> also binds to the "all addresses" interface (0.0.0.0) + on ports 137 and 138 for the purposes of reading broadcast messages. + If this option is not set then <B +CLASS="COMMAND" +>nmbd</B +> will service + name requests on all of these sockets. If <TT +CLASS="PARAMETER" +><I +>bind interfaces + only</I +></TT +> is set then <B +CLASS="COMMAND" +>nmbd</B +> will check the + source address of any packets coming in on the broadcast sockets + and discard any that don't match the broadcast addresses of the + interfaces in the <TT +CLASS="PARAMETER" +><I +>interfaces</I +></TT +> parameter list. + As unicast packets are received on the other sockets it allows + <B +CLASS="COMMAND" +>nmbd</B +> to refuse to serve names to machines that + send packets that arrive through any interfaces not listed in the + <TT +CLASS="PARAMETER" +><I +>interfaces</I +></TT +> list. IP Source address spoofing + does defeat this simple check, however so it must not be used + seriously as a security feature for <B +CLASS="COMMAND" +>nmbd</B +>.</P +><P +>For file service it causes <A +HREF="smbd.8.html" +TARGET="_top" +>smbd(8)</A +> + to bind only to the interface list given in the <A +HREF="#INTERFACES" +> interfaces</A +> parameter. This restricts the networks that + <B +CLASS="COMMAND" +>smbd</B +> will serve to packets coming in those + interfaces. Note that you should not use this parameter for machines + that are serving PPP or other intermittent or non-broadcast network + interfaces as it will not cope with non-permanent interfaces.</P +><P +>If <TT +CLASS="PARAMETER" +><I +>bind interfaces only</I +></TT +> is set then + unless the network address <I +CLASS="EMPHASIS" +>127.0.0.1</I +> is added + to the <TT +CLASS="PARAMETER" +><I +>interfaces</I +></TT +> parameter list <A +HREF="smbpasswd.8.html" +TARGET="_top" +><B +CLASS="COMMAND" +>smbpasswd(8)</B +></A +> + and <A +HREF="swat.8.html" +TARGET="_top" +><B +CLASS="COMMAND" +>swat(8)</B +></A +> may + not work as expected due to the reasons covered below.</P +><P +>To change a users SMB password, the <B +CLASS="COMMAND" +>smbpasswd</B +> + by default connects to the <I +CLASS="EMPHASIS" +>localhost - 127.0.0.1</I +> + address as an SMB client to issue the password change request. If + <TT +CLASS="PARAMETER" +><I +>bind interfaces only</I +></TT +> is set then unless the + network address <I +CLASS="EMPHASIS" +>127.0.0.1</I +> is added to the + <TT +CLASS="PARAMETER" +><I +>interfaces</I +></TT +> parameter list then <B +CLASS="COMMAND" +> smbpasswd</B +> will fail to connect in it's default mode. + <B +CLASS="COMMAND" +>smbpasswd</B +> can be forced to use the primary IP interface + of the local host by using its <A +HREF="smbpasswd.8.html#minusr" +TARGET="_top" +> <TT +CLASS="PARAMETER" +><I +>-r <TT +CLASS="REPLACEABLE" +><I +>remote machine</I +></TT +></I +></TT +> + </A +> parameter, with <TT +CLASS="REPLACEABLE" +><I +>remote machine</I +></TT +> set + to the IP name of the primary interface of the local host.</P +><P +>The <B +CLASS="COMMAND" +>swat</B +> status page tries to connect with + <B +CLASS="COMMAND" +>smbd</B +> and <B +CLASS="COMMAND" +>nmbd</B +> at the address + <I +CLASS="EMPHASIS" +>127.0.0.1</I +> to determine if they are running. + Not adding <I +CLASS="EMPHASIS" +>127.0.0.1</I +> will cause <B +CLASS="COMMAND" +> smbd</B +> and <B +CLASS="COMMAND" +>nmbd</B +> to always show + "not running" even if they really are. This can prevent <B +CLASS="COMMAND" +> swat</B +> from starting/stopping/restarting <B +CLASS="COMMAND" +>smbd</B +> + and <B +CLASS="COMMAND" +>nmbd</B +>.</P +><P +>Default: <B +CLASS="COMMAND" +>bind interfaces only = no</B +></P +></DD +><DT +><A +NAME="BLOCKINGLOCKS" +></A +>blocking locks (S)</DT +><DD +><P +>This parameter controls the behavior of <A +HREF="smbd.8.html" +TARGET="_top" +>smbd(8)</A +> when given a request by a client + to obtain a byte range lock on a region of an open file, and the + request has a time limit associated with it.</P +><P +>If this parameter is set and the lock range requested + cannot be immediately satisfied, Samba 2.2 will internally + queue the lock request, and periodically attempt to obtain + the lock until the timeout period expires.</P +><P +>If this parameter is set to <TT +CLASS="CONSTANT" +>False</TT +>, then + Samba 2.2 will behave as previous versions of Samba would and + will fail the lock request immediately if the lock range + cannot be obtained.</P +><P +>Default: <B +CLASS="COMMAND" +>blocking locks = yes</B +></P +></DD +><DT +><A +NAME="BROWSABLE" +></A +>browsable (S)</DT +><DD +><P +>See the <A +HREF="#BROWSEABLE" +><TT +CLASS="PARAMETER" +><I +> browseable</I +></TT +></A +>.</P +></DD +><DT +><A +NAME="BROWSELIST" +></A +>browse list (G)</DT +><DD +><P +>This controls whether <A +HREF="smbd.8.html" +TARGET="_top" +> <B +CLASS="COMMAND" +>smbd(8)</B +></A +> will serve a browse list to + a client doing a <B +CLASS="COMMAND" +>NetServerEnum</B +> call. Normally + set to <TT +CLASS="CONSTANT" +>true</TT +>. You should never need to change + this.</P +><P +>Default: <B +CLASS="COMMAND" +>browse list = yes</B +></P +></DD +><DT +><A +NAME="BROWSEABLE" +></A +>browseable (S)</DT +><DD +><P +>This controls whether this share is seen in + the list of available shares in a net view and in the browse list.</P +><P +>Default: <B +CLASS="COMMAND" +>browseable = yes</B +></P +></DD +><DT +><A +NAME="CASESENSITIVE" +></A +>case sensitive (S)</DT +><DD +><P +>See the discussion in the section <A +HREF="#AEN201" +>NAME MANGLING</A +>.</P +></DD +><DT +><A +NAME="CASESIGNAMES" +></A +>casesignames (S)</DT +><DD +><P +>Synonym for <A +HREF="#CASESENSITIVE" +>case + sensitive</A +>.</P +></DD +><DT +><A +NAME="CHANGENOTIFYTIMEOUT" +></A +>change notify timeout (G)</DT +><DD +><P +>This SMB allows a client to tell a server to + "watch" a particular directory for any changes and only reply to + the SMB request when a change has occurred. Such constant scanning of + a directory is expensive under UNIX, hence an <A +HREF="smbd.8.html" +TARGET="_top" +> <B +CLASS="COMMAND" +>smbd(8)</B +></A +> daemon only performs such a scan + on each requested directory once every <TT +CLASS="PARAMETER" +><I +>change notify + timeout</I +></TT +> seconds.</P +><P +>Default: <B +CLASS="COMMAND" +>change notify timeout = 60</B +></P +><P +>Example: <B +CLASS="COMMAND" +>change notify timeout = 300</B +></P +><P +>Would change the scan time to every 5 minutes.</P +></DD +><DT +><A +NAME="CHARACTERSET" +></A +>character set (G)</DT +><DD +><P +>This allows a smbd to map incoming filenames + from a DOS Code page (see the <A +HREF="#CLIENTCODEPAGE" +>client + code page</A +> parameter) to several built in UNIX character sets. + The built in code page translations are:</P +><P +></P +><UL +><LI +><P +><TT +CLASS="CONSTANT" +>ISO8859-1</TT +> : Western European + UNIX character set. The parameter <TT +CLASS="PARAMETER" +><I +>client code page</I +></TT +> + <I +CLASS="EMPHASIS" +>MUST</I +> be set to code page 850 if the + <TT +CLASS="PARAMETER" +><I +>character set</I +></TT +> parameter is set to + <TT +CLASS="CONSTANT" +>ISO8859-1</TT +> in order for the conversion to the + UNIX character set to be done correctly.</P +></LI +><LI +><P +><TT +CLASS="CONSTANT" +>ISO8859-2</TT +> : Eastern European + UNIX character set. The parameter <TT +CLASS="PARAMETER" +><I +>client code page + </I +></TT +> <I +CLASS="EMPHASIS" +>MUST</I +> be set to code page 852 if + the <TT +CLASS="PARAMETER" +><I +> character set</I +></TT +> parameter is set + to <TT +CLASS="CONSTANT" +>ISO8859-2</TT +> in order for the conversion + to the UNIX character set to be done correctly. </P +></LI +><LI +><P +><TT +CLASS="CONSTANT" +>ISO8859-5</TT +> : Russian Cyrillic + UNIX character set. The parameter <TT +CLASS="PARAMETER" +><I +>client code page + </I +></TT +> <I +CLASS="EMPHASIS" +>MUST</I +> be set to code page + 866 if the <TT +CLASS="PARAMETER" +><I +>character set </I +></TT +> parameter is + set to <TT +CLASS="CONSTANT" +>ISO8859-5</TT +> in order for the conversion + to the UNIX character set to be done correctly. </P +></LI +><LI +><P +><TT +CLASS="CONSTANT" +>ISO8859-7</TT +> : Greek UNIX + character set. The parameter <TT +CLASS="PARAMETER" +><I +>client code page + </I +></TT +> <I +CLASS="EMPHASIS" +>MUST</I +> be set to code page + 737 if the <TT +CLASS="PARAMETER" +><I +>character set</I +></TT +> parameter is + set to <TT +CLASS="CONSTANT" +>ISO8859-7</TT +> in order for the conversion + to the UNIX character set to be done correctly.</P +></LI +><LI +><P +><TT +CLASS="CONSTANT" +>KOI8-R</TT +> : Alternate mapping + for Russian Cyrillic UNIX character set. The parameter + <TT +CLASS="PARAMETER" +><I +>client code page</I +></TT +> <I +CLASS="EMPHASIS" +>MUST</I +> + be set to code page 866 if the <TT +CLASS="PARAMETER" +><I +>character set</I +></TT +> + parameter is set to <TT +CLASS="CONSTANT" +>KOI8-R</TT +> in order for the + conversion to the UNIX character set to be done correctly.</P +></LI +></UL +><P +><I +CLASS="EMPHASIS" +>BUG</I +>. These MSDOS code page to UNIX character + set mappings should be dynamic, like the loading of MS DOS code pages, + not static.</P +><P +>Normally this parameter is not set, meaning no filename + translation is done.</P +><P +>Default: <B +CLASS="COMMAND" +>character set = <empty string></B +></P +><P +>Example: <B +CLASS="COMMAND" +>character set = ISO8859-1</B +></P +></DD +><DT +><A +NAME="CLIENTCODEPAGE" +></A +>client code page (G)</DT +><DD +><P +>This parameter specifies the DOS code page + that the clients accessing Samba are using. To determine what code + page a Windows or DOS client is using, open a DOS command prompt + and type the command <B +CLASS="COMMAND" +>chcp</B +>. This will output + the code page. The default for USA MS-DOS, Windows 95, and + Windows NT releases is code page 437. The default for western + european releases of the above operating systems is code page 850.</P +><P +>This parameter tells <A +HREF="smbd.8.html" +TARGET="_top" +>smbd(8)</A +> + which of the <TT +CLASS="FILENAME" +>codepage.<TT +CLASS="REPLACEABLE" +><I +>XXX</I +></TT +> + </TT +> files to dynamically load on startup. These files, + described more fully in the manual page <A +HREF="make_smbcodepage.1.html" +TARGET="_top" +> <B +CLASS="COMMAND" +>make_smbcodepage(1)</B +></A +>, tell <B +CLASS="COMMAND" +> smbd</B +> how to map lower to upper case characters to provide + the case insensitivity of filenames that Windows clients expect.</P +><P +>Samba currently ships with the following code page files :</P +><P +></P +><UL +><LI +><P +>Code Page 437 - MS-DOS Latin US</P +></LI +><LI +><P +>Code Page 737 - Windows '95 Greek</P +></LI +><LI +><P +>Code Page 850 - MS-DOS Latin 1</P +></LI +><LI +><P +>Code Page 852 - MS-DOS Latin 2</P +></LI +><LI +><P +>Code Page 861 - MS-DOS Icelandic</P +></LI +><LI +><P +>Code Page 866 - MS-DOS Cyrillic</P +></LI +><LI +><P +>Code Page 932 - MS-DOS Japanese SJIS</P +></LI +><LI +><P +>Code Page 936 - MS-DOS Simplified Chinese</P +></LI +><LI +><P +>Code Page 949 - MS-DOS Korean Hangul</P +></LI +><LI +><P +>Code Page 950 - MS-DOS Traditional Chinese</P +></LI +></UL +><P +>Thus this parameter may have any of the values 437, 737, 850, 852, + 861, 932, 936, 949, or 950. If you don't find the codepage you need, + read the comments in one of the other codepage files and the + <B +CLASS="COMMAND" +>make_smbcodepage(1)</B +> man page and write one. Please + remember to donate it back to the Samba user community.</P +><P +>This parameter co-operates with the <TT +CLASS="PARAMETER" +><I +>valid + chars</I +></TT +> parameter in determining what characters are + valid in filenames and how capitalization is done. If you set both + this parameter and the <TT +CLASS="PARAMETER" +><I +>valid chars</I +></TT +> parameter + the <TT +CLASS="PARAMETER" +><I +>client code page</I +></TT +> parameter + <I +CLASS="EMPHASIS" +>MUST</I +> be set before the <TT +CLASS="PARAMETER" +><I +>valid + chars</I +></TT +> parameter in the <TT +CLASS="FILENAME" +>smb.conf</TT +> + file. The <TT +CLASS="PARAMETER" +><I +>valid chars</I +></TT +> string will then + augment the character settings in the <TT +CLASS="PARAMETER" +><I +>client code page</I +></TT +> + parameter.</P +><P +>If not set, <TT +CLASS="PARAMETER" +><I +>client code page</I +></TT +> defaults + to 850.</P +><P +>See also : <A +HREF="#VALIDCHARS" +><TT +CLASS="PARAMETER" +><I +>valid + chars</I +></TT +></A +></P +><P +>Default: <B +CLASS="COMMAND" +>client code page = 850</B +></P +><P +>Example: <B +CLASS="COMMAND" +>client code page = 936</B +></P +></DD +><DT +><A +NAME="CODINGSYSTEM" +></A +>codingsystem (G)</DT +><DD +><P +>This parameter is used to determine how incoming + Shift-JIS Japanese characters are mapped from the incoming <A +HREF="#CLIENTCODEPAGE" +><TT +CLASS="PARAMETER" +><I +>client code page</I +></TT +> + </A +> used by the client, into file names in the UNIX filesystem. + Only useful if <TT +CLASS="PARAMETER" +><I +>client code page</I +></TT +> is set to + 932 (Japanese Shift-JIS). The options are :</P +><P +></P +><UL +><LI +><P +><TT +CLASS="CONSTANT" +>SJIS</TT +> - Shift-JIS. Does no + conversion of the incoming filename.</P +></LI +><LI +><P +><TT +CLASS="CONSTANT" +>JIS8, J8BB, J8BH, J8@B, + J8@J, J8@H </TT +> - Convert from incoming Shift-JIS to eight + bit JIS code with different shift-in, shift out codes.</P +></LI +><LI +><P +><TT +CLASS="CONSTANT" +>JIS7, J7BB, J7BH, J7@B, J7@J, + J7@H </TT +> - Convert from incoming Shift-JIS to seven bit + JIS code with different shift-in, shift out codes.</P +></LI +><LI +><P +><TT +CLASS="CONSTANT" +>JUNET, JUBB, JUBH, JU@B, JU@J, JU@H </TT +> + - Convert from incoming Shift-JIS to JUNET code with different shift-in, + shift out codes.</P +></LI +><LI +><P +><TT +CLASS="CONSTANT" +>EUC</TT +> - Convert an incoming + Shift-JIS character to EUC code.</P +></LI +><LI +><P +><TT +CLASS="CONSTANT" +>HEX</TT +> - Convert an incoming + Shift-JIS character to a 3 byte hex representation, i.e. + <TT +CLASS="CONSTANT" +>:AB</TT +>.</P +></LI +><LI +><P +><TT +CLASS="CONSTANT" +>CAP</TT +> - Convert an incoming + Shift-JIS character to the 3 byte hex representation used by + the Columbia AppleTalk Program (CAP), i.e. <TT +CLASS="CONSTANT" +>:AB</TT +>. + This is used for compatibility between Samba and CAP.</P +></LI +></UL +></DD +><DT +><A +NAME="COMMENT" +></A +>comment (S)</DT +><DD +><P +>This is a text field that is seen next to a share + when a client does a queries the server, either via the network + neighborhood or via <B +CLASS="COMMAND" +>net view</B +> to list what shares + are available.</P +><P +>If you want to set the string that is displayed next to the + machine name then see the <A +HREF="#SERVERSTRING" +><TT +CLASS="PARAMETER" +><I +> server string</I +></TT +></A +> parameter.</P +><P +>Default: <I +CLASS="EMPHASIS" +>No comment string</I +></P +><P +>Example: <B +CLASS="COMMAND" +>comment = Fred's Files</B +></P +></DD +><DT +><A +NAME="CONFIGFILE" +></A +>config file (G)</DT +><DD +><P +>This allows you to override the config file + to use, instead of the default (usually <TT +CLASS="FILENAME" +>smb.conf</TT +>). + There is a chicken and egg problem here as this option is set + in the config file!</P +><P +>For this reason, if the name of the config file has changed + when the parameters are loaded then it will reload them from + the new config file.</P +><P +>This option takes the usual substitutions, which can + be very useful.</P +><P +>If the config file doesn't exist then it won't be loaded + (allowing you to special case the config files of just a few + clients).</P +><P +>Example: <B +CLASS="COMMAND" +>config file = /usr/local/samba/lib/smb.conf.%m + </B +></P +></DD +><DT +><A +NAME="COPY" +></A +>copy (S)</DT +><DD +><P +>This parameter allows you to "clone" service + entries. The specified service is simply duplicated under the + current service's name. Any parameters specified in the current + section will override those in the section being copied.</P +><P +>This feature lets you set up a 'template' service and + create similar services easily. Note that the service being + copied must occur earlier in the configuration file than the + service doing the copying.</P +><P +>Default: <I +CLASS="EMPHASIS" +>none</I +></P +><P +>Example: <B +CLASS="COMMAND" +>copy = otherservice</B +></P +></DD +><DT +><A +NAME="CREATEMASK" +></A +>create mask (S)</DT +><DD +><P +>A synonym for this parameter is + <A +HREF="#CREATEMODE" +><TT +CLASS="PARAMETER" +><I +>create mode</I +></TT +> + </A +>.</P +><P +>When a file is created, the necessary permissions are + calculated according to the mapping from DOS modes to UNIX + permissions, and the resulting UNIX mode is then bit-wise 'AND'ed + with this parameter. This parameter may be thought of as a bit-wise + MASK for the UNIX modes of a file. Any bit <I +CLASS="EMPHASIS" +>not</I +> + set here will be removed from the modes set on a file when it is + created.</P +><P +>The default value of this parameter removes the + 'group' and 'other' write and execute bits from the UNIX modes.</P +><P +>Following this Samba will bit-wise 'OR' the UNIX mode created + from this parameter with the value of the <A +HREF="#FORCECREATEMODE" +><TT +CLASS="PARAMETER" +><I +>force create mode</I +></TT +></A +> + parameter which is set to 000 by default.</P +><P +>This parameter does not affect directory modes. See the + parameter <A +HREF="#DIRECTORYMODE" +><TT +CLASS="PARAMETER" +><I +>directory mode + </I +></TT +></A +> for details.</P +><P +>See also the <A +HREF="#FORCECREATEMODE" +><TT +CLASS="PARAMETER" +><I +>force + create mode</I +></TT +></A +> parameter for forcing particular mode + bits to be set on created files. See also the <A +HREF="#DIRECTORYMODE" +> <TT +CLASS="PARAMETER" +><I +>directory mode"</I +></TT +></A +> parameter for masking + mode bits on created directories. See also the <A +HREF="#INHERITPERMISSIONS" +> <TT +CLASS="PARAMETER" +><I +>inherit permissions</I +></TT +></A +> parameter.</P +><P +>Default: <B +CLASS="COMMAND" +>create mask = 0744</B +></P +><P +>Example: <B +CLASS="COMMAND" +>create mask = 0775</B +></P +></DD +><DT +><A +NAME="CREATEMODE" +></A +>create mode (S)</DT +><DD +><P +>This is a synonym for <A +HREF="#CREATEMASK" +><TT +CLASS="PARAMETER" +><I +> create mask</I +></TT +></A +>.</P +></DD +><DT +><A +NAME="DEADTIME" +></A +>deadtime (G)</DT +><DD +><P +>The value of the parameter (a decimal integer) + represents the number of minutes of inactivity before a connection + is considered dead, and it is disconnected. The deadtime only takes + effect if the number of open files is zero.</P +><P +>This is useful to stop a server's resources being + exhausted by a large number of inactive connections.</P +><P +>Most clients have an auto-reconnect feature when a + connection is broken so in most cases this parameter should be + transparent to users.</P +><P +>Using this parameter with a timeout of a few minutes + is recommended for most systems.</P +><P +>A deadtime of zero indicates that no auto-disconnection + should be performed.</P +><P +>Default: <B +CLASS="COMMAND" +>deadtime = 0</B +></P +><P +>Example: <B +CLASS="COMMAND" +>deadtime = 15</B +></P +></DD +><DT +><A +NAME="DEBUGHIRESTIMESTAMP" +></A +>debug hires timestamp (G)</DT +><DD +><P +>Sometimes the timestamps in the log messages + are needed with a resolution of higher that seconds, this + boolean parameter adds microsecond resolution to the timestamp + message header when turned on.</P +><P +>Note that the parameter <A +HREF="#DEBUGTIMESTAMP" +><TT +CLASS="PARAMETER" +><I +> debug timestamp</I +></TT +></A +> must be on for this to have an + effect.</P +><P +>Default: <B +CLASS="COMMAND" +>debug hires timestamp = no</B +></P +></DD +><DT +><A +NAME="DEBUGTIMESTAMP" +></A +>debug timestamp (G)</DT +><DD +><P +>Samba 2.2 debug log messages are timestamped + by default. If you are running at a high <A +HREF="#DEBUGLEVEL" +> <TT +CLASS="PARAMETER" +><I +>debug level</I +></TT +></A +> these timestamps + can be distracting. This boolean parameter allows timestamping + to be turned off.</P +><P +>Default: <B +CLASS="COMMAND" +>debug timestamp = yes</B +></P +></DD +><DT +><A +NAME="DEBUGPID" +></A +>debug pid (G)</DT +><DD +><P +>When using only one log file for more then one + forked smbd-process there may be hard to follow which process + outputs which message. This boolean parameter is adds the process-id + to the timestamp message headers in the logfile when turned on.</P +><P +>Note that the parameter <A +HREF="#DEBUGTIMESTAMP" +><TT +CLASS="PARAMETER" +><I +> debug timestamp</I +></TT +></A +> must be on for this to have an + effect.</P +><P +>Default: <B +CLASS="COMMAND" +>debug pid = no</B +></P +></DD +><DT +><A +NAME="DEBUGUID" +></A +>debug uid (G)</DT +><DD +><P +>Samba is sometimes run as root and sometime + run as the connected user, this boolean parameter inserts the + current euid, egid, uid and gid to the timestamp message headers + in the log file if turned on.</P +><P +>Note that the parameter <A +HREF="#DEBUGTIMESTAMP" +><TT +CLASS="PARAMETER" +><I +> debug timestamp</I +></TT +></A +> must be on for this to have an + effect.</P +><P +>Default: <B +CLASS="COMMAND" +>debug uid = no</B +></P +></DD +><DT +><A +NAME="DEBUGLEVEL" +></A +>debug level (G)</DT +><DD +><P +>The value of the parameter (an integer) allows + the debug level (logging level) to be specified in the + <TT +CLASS="FILENAME" +>smb.conf</TT +> file. This is to give greater + flexibility in the configuration of the system.</P +><P +>The default will be the debug level specified on + the command line or level zero if none was specified.</P +><P +>Example: <B +CLASS="COMMAND" +>debug level = 3</B +></P +></DD +><DT +><A +NAME="DEFAULT" +></A +>default (G)</DT +><DD +><P +>A synonym for <A +HREF="#DEFAULTSERVICE" +><TT +CLASS="PARAMETER" +><I +> default service</I +></TT +></A +>.</P +></DD +><DT +><A +NAME="DEFAULTCASE" +></A +>default case (S)</DT +><DD +><P +>See the section on <A +HREF="#AEN201" +> NAME MANGLING"</A +>. Also note the <A +HREF="#SHORTPRESERVECASE" +> <TT +CLASS="PARAMETER" +><I +>short preserve case"</I +></TT +></A +> parameter.</P +></DD +><DT +><A +NAME="DEFAULTSERVICE" +></A +>default service (G)</DT +><DD +><P +>This parameter specifies the name of a service + which will be connected to if the service actually requested cannot + be found. Note that the square brackets are <I +CLASS="EMPHASIS" +>NOT</I +> + given in the parameter value (see example below).</P +><P +>There is no default value for this parameter. If this + parameter is not given, attempting to connect to a nonexistent + service results in an error.</P +><P +>Typically the default service would be a <A +HREF="#GUESTOK" +> <TT +CLASS="PARAMETER" +><I +>guest ok</I +></TT +></A +>, <A +HREF="#READONLY" +> <TT +CLASS="PARAMETER" +><I +>read-only</I +></TT +></A +> service.</P +><P +>Also note that the apparent service name will be changed + to equal that of the requested service, this is very useful as it + allows you to use macros like <TT +CLASS="PARAMETER" +><I +>%S</I +></TT +> to make + a wildcard service.</P +><P +>Note also that any "_" characters in the name of the service + used in the default service will get mapped to a "/". This allows for + interesting things.</P +><P +>Example:</P +><PRE +CLASS="SCREEN" +><TT +CLASS="COMPUTEROUTPUT" +> default service = pub - [pub] - path = /%S - -</pre> - -<p><a name="deleteuserscript"></a> -<p></p><dt><strong><strong>delete user script (G)</strong></strong><dd> -<p>This is the full pathname to a script that will be run <em>AS ROOT</em> by -<a href="smbd.8.html"><strong>smbd (8)</strong></a> under special circumstances decribed -below. -<p>Normally, a Samba server requires that UNIX users are created for all -users accessing files on this server. For sites that use Windows NT -account databases as their primary user database creating these users -and keeping the user list in sync with the Windows NT PDC is an -onerous task. This option allows <a href="smbd.8.html"><strong>smbd</strong></a> to delete -the required UNIX users <em>ON DEMAND</em> when a user accesses the Samba -server and the Windows NT user no longer exists. -<p>In order to use this option, <a href="smbd.8.html"><strong>smbd</strong></a> must be set to -<a href="smb.conf.5.html#securityequaldomain"><strong>security=domain</strong></a> and <strong>"delete user -script"</strong> must be set to a full pathname for a script that will delete -a UNIX user given one argument of <strong>%u</strong>, which expands into the UNIX -user name to delete. <em>NOTE</em> that this is different to the -<a href="smb.conf.5.html#adduserscript"><strong>add user script</strong></a> which will work with the -<a href="smb.conf.5.html#securityequalserver"><strong>security=server</strong></a> option as well as -<a href="smb.conf.5.html#securityequaldomain"><strong>security=domain</strong></a>. The reason for this -is only when Samba is a domain member does it get the information -on an attempted user logon that a user no longer exists. In the -<a href="smb.conf.5.html#securityequalserver"><strong>security=server</strong></a> mode a missing user -is treated the same as an invalid password logon attempt. Deleting -the user in this circumstance would not be a good idea. -<p>When the Windows user attempts to access the Samba server, at -<em>"login"</em>(session setup in the SMB protocol) time, -<a href="smbd.8.html"><strong>smbd</strong></a> contacts the <a href="smb.conf.5.html#passwordserver"><strong>password -server</strong></a> and attempts to authenticate the given user -with the given password. If the authentication fails with the specific -Domain error code meaning that the user no longer exists then -<a href="smbd.8.html"><strong>smbd</strong></a> attempts to find a UNIX user in the UNIX -password database that matches the Windows user account. If this lookup succeeds, -and <strong>"delete user script"</strong> is set then <a href="smbd.8.html"><strong>smbd</strong></a> will -call the specified script <em>AS ROOT</em>, expanding any <strong>%u</strong> argument -to be the user name to delete. -<p>This script should delete the given UNIX username. In this way, UNIX -users are dynamically deleted to match existing Windows NT accounts. -<p>See also <a href="smb.conf.5.html#securityequaldomain"><strong>security=domain</strong></a>, -<a href="smb.conf.5.html#passwordserver"><strong>password server</strong></a>, <a href="smb.conf.5.html#adduserscript"><strong>add user -script</strong></a>. -<p><strong>Default:</strong> -<code> delete user script = <empty string></code> -<p><strong>Example:</strong> -<code> delete user script = /usr/local/samba/bin/del_user %u</code> -<p><a name="deletereadonly"></a> -<p></p><dt><strong><strong>delete readonly (S)</strong></strong><dd> -<p>This parameter allows readonly files to be deleted. This is not -normal DOS semantics, but is allowed by UNIX. -<p>This option may be useful for running applications such as rcs, where -UNIX file ownership prevents changing file permissions, and DOS -semantics prevent deletion of a read only file. -<p><strong>Default:</strong> -<code> delete readonly = No</code> -<p><strong>Example:</strong> -<code> delete readonly = Yes</code> -<p><a name="deletevetofiles"></a> -<p></p><dt><strong><strong>delete veto files (S)</strong></strong><dd> -<p>This option is used when Samba is attempting to delete a directory -that contains one or more vetoed directories (see the <a href="smb.conf.5.html#vetofiles"><strong>'veto -files'</strong></a> option). If this option is set to False (the -default) then if a vetoed directory contains any non-vetoed files or -directories then the directory delete will fail. This is usually what -you want. -<p>If this option is set to True, then Samba will attempt to recursively -delete any files and directories within the vetoed directory. This can -be useful for integration with file serving systems such as <strong>NetAtalk</strong>, -which create meta-files within directories you might normally veto -DOS/Windows users from seeing (e.g. <code>.AppleDouble</code>) -<p>Setting <code>'delete veto files = True'</code> allows these directories to be -transparently deleted when the parent directory is deleted (so long -as the user has permissions to do so). -<p>See also the <a href="smb.conf.5.html#vetofiles"><strong>veto files</strong></a> parameter. -<p><strong>Default:</strong> -<code> delete veto files = False</code> -<p><strong>Example:</strong> -<code> delete veto files = True</code> -<p><a name="denyhosts"></a> -<p></p><dt><strong><strong>deny hosts (S)</strong></strong><dd> -<p>Synonym for <a href="smb.conf.5.html#hostsdeny"><strong>hosts deny</strong></a>. -<p><a name="dfreecommand"></a> -<p></p><dt><strong><strong>dfree command (G)</strong></strong><dd> -<p>The dfree command setting should only be used on systems where a -problem occurs with the internal disk space calculations. This has -been known to happen with Ultrix, but may occur with other operating -systems. The symptom that was seen was an error of "Abort Retry -Ignore" at the end of each directory listing. -<p>This setting allows the replacement of the internal routines to -calculate the total disk space and amount available with an external -routine. The example below gives a possible script that might fulfill -this function. -<p>The external program will be passed a single parameter indicating a -directory in the filesystem being queried. This will typically consist -of the string <code>"./"</code>. The script should return two integers in -ascii. The first should be the total disk space in blocks, and the -second should be the number of available blocks. An optional third -return value can give the block size in bytes. The default blocksize -is 1024 bytes. -<p>Note: Your script should <em>NOT</em> be setuid or setgid and should be -owned by (and writeable only by) root! -<p><strong>Default:</strong> -<code> By default internal routines for determining the disk capacity -and remaining space will be used.</code> -<p><strong>Example:</strong> -<code> dfree command = /usr/local/samba/bin/dfree</code> -<p>Where the script dfree (which must be made executable) could be: -<p><pre> - - #!/bin/sh - df $1 | tail -1 | awk '{print $2" "$4}' - -</pre> - -<p>or perhaps (on Sys V based systems): -<p><pre> - - #!/bin/sh - /usr/bin/df -k $1 | tail -1 | awk '{print $3" "$5}' - -</pre> - -<p>Note that you may have to replace the command names with full -path names on some systems. -<p><a name="directory"></a> -<p></p><dt><strong><strong>directory (S)</strong></strong><dd> -<p>Synonym for <a href="smb.conf.5.html#path"><strong>path</strong></a>. -<p><a name="directorymask"></a> -<p></p><dt><strong><strong>directory mask (S)</strong></strong><dd> -<p>This parameter is the octal modes which are used when converting DOS -modes to UNIX modes when creating UNIX directories. -<p>When a directory is created, the necessary permissions are calculated -according to the mapping from DOS modes to UNIX permissions, and the -resulting UNIX mode is then bit-wise 'AND'ed with this parameter. -This parameter may be thought of as a bit-wise MASK for the UNIX modes -of a directory. Any bit <em>*not*</em> set here will be removed from the -modes set on a directory when it is created. -<p>The default value of this parameter removes the 'group' and 'other' -write bits from the UNIX mode, allowing only the user who owns the -directory to modify it. -<p>Following this Samba will bit-wise 'OR' the UNIX mode created from -this parameter with the value of the "force directory mode" -parameter. This parameter is set to 000 by default (i.e. no extra mode -bits are added). -<p>See the <a href="smb.conf.5.html#forcedirectorymode"><strong>"force directory mode"</strong></a> parameter -to cause particular mode bits to always be set on created directories. -<p>See also the <a href="smb.conf.5.html#createmode"><strong>"create mode"</strong></a> parameter for masking -mode bits on created files, and the <a href="smb.conf.5.html#directorysecuritymask"><strong>"directory security mask"</strong></a> -parameter. -<p>See also the <a href="smb.conf.5.html#inheritpermissions"><strong>"inherit permissions"</strong></a> parameter. -<p><strong>Default:</strong> -<code> directory mask = 0755</code> -<p><strong>Example:</strong> -<code> directory mask = 0775</code> -<p><a name="directorymode"></a> -<p></p><dt><strong><strong>directory mode (S)</strong></strong><dd> -<p>Synonym for <a href="smb.conf.5.html#directorymask"><strong>directory mask</strong></a>. -<p><a name="directorysecuritymask"></a> -<p></p><dt><strong><strong>directory security mask (S)</strong></strong><dd> -<p>This parameter controls what UNIX permission bits can be modified -when a Windows NT client is manipulating the UNIX permission on a -directory using the native NT security dialog box. -<p>This parameter is applied as a mask (AND'ed with) to the changed -permission bits, thus preventing any bits not in this mask from -being modified. Essentially, zero bits in this mask may be treated -as a set of bits the user is not allowed to change. -<p>If not set explicitly this parameter is set to the same value as the -<a href="smb.conf.5.html#directorymask"><strong>directory mask</strong></a> parameter. To allow a user to -modify all the user/group/world permissions on a directory, set this -parameter to 0777. -<p><em>Note</em> that users who can access the Samba server through other -means can easily bypass this restriction, so it is primarily -useful for standalone "appliance" systems. Administrators of -most normal systems will probably want to set it to 0777. -<p>See also the <a href="smb.conf.5.html#forcedirectorysecuritymode"><strong>force directory security -mode</strong></a>, <a href="smb.conf.5.html#securitymask"><strong>security -mask</strong></a>, <a href="smb.conf.5.html#forcesecuritymode"><strong>force security mode</strong></a> -parameters. -<p><strong>Default:</strong> -<code> directory security mask = <same as directory mask></code> -<p><strong>Example:</strong> -<code> directory security mask = 0777</code> -<p><a name="dnsproxy"></a> -<p></p><dt><strong><strong>dns proxy (G)</strong></strong><dd> -<p>Specifies that <a href="nmbd.8.html"><strong>nmbd</strong></a> when acting as a WINS -server and finding that a NetBIOS name has not been registered, should -treat the NetBIOS name word-for-word as a DNS name and do a lookup -with the DNS server for that name on behalf of the name-querying -client. -<p>Note that the maximum length for a NetBIOS name is 15 characters, so -the DNS name (or DNS alias) can likewise only be 15 characters, -maximum. -<p><a href="nmbd.8.html"><strong>nmbd</strong></a> spawns a second copy of itself to do the -DNS name lookup requests, as doing a name lookup is a blocking action. -<p>See also the parameter <a href="smb.conf.5.html#winssupport"><strong>wins support</strong></a>. -<p><strong>Default:</strong> -<code> dns proxy = yes</code> -<p><a name="domainadmingroup"></a> -<strong>domain admin group (G)</strong> -<p>This is an <strong>EXPERIMENTAL</strong> parameter that is part of the unfinished -Samba NT Domain Controller Code. It may be removed in a later release. -To work with the latest code builds that may have more support for -Samba NT Domain Controller functionality please subscribe to the -mailing list <strong>Samba-ntdom</strong> available by visiting the web page at -<a href="http://lists.samba.org/">http://lists.samba.org/</a> -<p><a name="domainadminusers"></a> -<p></p><dt><strong><strong>domain admin users (G)</strong></strong><dd> -<p>This is an <strong>EXPERIMENTAL</strong> parameter that is part of the unfinished -Samba NT Domain Controller Code. It may be removed in a later release. -To work with the latest code builds that may have more support for -Samba NT Domain Controller functionality please subscribe to the -mailing list <strong>Samba-ntdom</strong> available by visiting the web page at -<a href="http://lists.samba.org/">http://lists.samba.org/</a> -<p><a name="domaingroups"></a> -<p></p><dt><strong><strong>domain groups (G)</strong></strong><dd> -<p>This is an <strong>EXPERIMENTAL</strong> parameter that is part of the unfinished -Samba NT Domain Controller Code. It may be removed in a later release. -To work with the latest code builds that may have more support for -Samba NT Domain Controller functionality please subscribe to the -mailing list <strong>Samba-ntdom</strong> available by visiting the web page at -<a href="http://lists.samba.org/">http://lists.samba.org/</a> -<p><a name="domainguestgroup"></a> -<p></p><dt><strong><strong>domain guest group (G)</strong></strong><dd> -<p>This is an <strong>EXPERIMENTAL</strong> parameter that is part of the unfinished -Samba NT Domain Controller Code. It may be removed in a later release. -To work with the latest code builds that may have more support for -Samba NT Domain Controller functionality please subscribe to the -mailing list <strong>Samba-ntdom</strong> available by visiting the web page at -<a href="http://lists.samba.org/">http://lists.samba.org/</a> -<p><a name="domainguestusers"></a> -<p></p><dt><strong><strong>domain guest users (G)</strong></strong><dd> -<p>This is an <strong>EXPERIMENTAL</strong> parameter that is part of the unfinished -Samba NT Domain Controller Code. It may be removed in a later release. -To work with the latest code builds that may have more support for -Samba NT Domain Controller functionality please subscribe to the -mailing list <strong>Samba-ntdom</strong> available by visiting the web page at -<a href="http://lists.samba.org/">http://lists.samba.org/</a> -<p><a name="domainlogons"></a> -<p></p><dt><strong><strong>domain logons (G)</strong></strong><dd> -<p>If set to true, the Samba server will serve Windows 95/98 Domain -logons for the <a href="smb.conf.5.html#workgroup"><strong>workgroup</strong></a> it is in. For more -details on setting up this feature see the file DOMAINS.txt in the -Samba documentation directory <code>docs/</code> shipped with the source code. -<p>Note that Win95/98 Domain logons are <em>NOT</em> the same as Windows -NT Domain logons. NT Domain logons require a Primary Domain Controller -(PDC) for the Domain. It is intended that in a future release Samba -will be able to provide this functionality for Windows NT clients -also. -<p><strong>Default:</strong> -<code> domain logons = no</code> -<p><a name="domainmaster"></a> -<p></p><dt><strong><strong>domain master (G)</strong></strong><dd> -<p>Tell <a href="nmbd.8.html"><strong>nmbd</strong></a> to enable WAN-wide browse list -collation. Setting this option causes <a href="nmbd.8.html"><strong>nmbd</strong></a> to -claim a special domain specific NetBIOS name that identifies it as a -domain master browser for its given -<a href="smb.conf.5.html#workgroup"><strong>workgroup</strong></a>. Local master browsers in the same -<a href="smb.conf.5.html#workgroup"><strong>workgroup</strong></a> on broadcast-isolated subnets will give -this <a href="nmbd.8.html"><strong>nmbd</strong></a> their local browse lists, and then -ask <a href="smbd.8.html"><strong>smbd</strong></a> for a complete copy of the browse list -for the whole wide area network. Browser clients will then contact -their local master browser, and will receive the domain-wide browse -list, instead of just the list for their broadcast-isolated subnet. -<p>Note that Windows NT Primary Domain Controllers expect to be able to -claim this <a href="smb.conf.5.html#workgroup"><strong>workgroup</strong></a> specific special NetBIOS -name that identifies them as domain master browsers for that -<a href="smb.conf.5.html#workgroup"><strong>workgroup</strong></a> by default (i.e. there is no way to -prevent a Windows NT PDC from attempting to do this). This means that -if this parameter is set and <a href="nmbd.8.html"><strong>nmbd</strong></a> claims the -special name for a <a href="smb.conf.5.html#workgroup"><strong>workgroup</strong></a> before a Windows NT -PDC is able to do so then cross subnet browsing will behave strangely -and may fail. -<p><strong>Default:</strong> -<code> domain master = no</code> -<p><a name="dontdescend"></a> -<p></p><dt><strong><strong>dont descend (S)</strong></strong><dd> -<p>There are certain directories on some systems (e.g., the <code>/proc</code> tree -under Linux) that are either not of interest to clients or are -infinitely deep (recursive). This parameter allows you to specify a -comma-delimited list of directories that the server should always show -as empty. -<p>Note that Samba can be very fussy about the exact format of the "dont -descend" entries. For example you may need <code>"./proc"</code> instead of -just <code>"/proc"</code>. Experimentation is the best policy :-) -<p><strong>Default:</strong> -<code> none (i.e., all directories are OK to descend)</code> -<p><strong>Example:</strong> -<code> dont descend = /proc,/dev</code> -<p><a name="dosfiletimeresolution"></a> -<p></p><dt><strong><strong>dos filetime resolution (S)</strong></strong><dd> -<p>Under the DOS and Windows FAT filesystem, the finest granularity on -time resolution is two seconds. Setting this parameter for a share -causes Samba to round the reported time down to the nearest two second -boundary when a query call that requires one second resolution is made -to <a href="smbd.8.html"><strong>smbd</strong></a>. -<p>This option is mainly used as a compatibility option for Visual C++ -when used against Samba shares. If oplocks are enabled on a share, -Visual C++ uses two different time reading calls to check if a file -has changed since it was last read. One of these calls uses a -one-second granularity, the other uses a two second granularity. As -the two second call rounds any odd second down, then if the file has a -timestamp of an odd number of seconds then the two timestamps will not -match and Visual C++ will keep reporting the file has changed. Setting -this option causes the two timestamps to match, and Visual C++ is -happy. -<p><strong>Default:</strong> -<code> dos filetime resolution = False</code> -<p><strong>Example:</strong> -<code> dos filetime resolution = True</code> -<p><a name="dosfiletimes"></a> -<p></p><dt><strong><strong>dos filetimes (S)</strong></strong><dd> -<p>Under DOS and Windows, if a user can write to a file they can change -the timestamp on it. Under POSIX semantics, only the owner of the file -or root may change the timestamp. By default, Samba runs with POSIX -semantics and refuses to change the timestamp on a file if the user -smbd is acting on behalf of is not the file owner. Setting this option -to True allows DOS semantics and smbd will change the file timestamp as -DOS requires. -<p><strong>Default:</strong> -<code> dos filetimes = False</code> -<p><strong>Example:</strong> -<code> dos filetimes = True</code> -<p><a name="encryptpasswords"></a> -<p></p><dt><strong><strong>encrypt passwords (G)</strong></strong><dd> -<p>This boolean controls whether encrypted passwords will be negotiated -with the client. Note that Windows NT 4.0 SP3 and above and also -Windows 98 will by default expect encrypted passwords unless a -registry entry is changed. To use encrypted passwords in Samba see the -file ENCRYPTION.txt in the Samba documentation directory <code>docs/</code> -shipped with the source code. -<p>In order for encrypted passwords to work correctly -<a href="smbd.8.html"><strong>smbd</strong></a> must either have access to a local -<a href="smbpasswd.5.html"><strong>smbpasswd (5)</strong></a> file (see the -<a href="smbpasswd.8.html"><strong>smbpasswd (8)</strong></a> program for information on -how to set up and maintain this file), or set the -<a href="smb.conf.5.html#security"><strong>security=</strong></a> parameter to either -<a href="smb.conf.5.html#securityequalserver"><strong>"server"</strong></a> or -<a href="smb.conf.5.html#securityequaldomain"><strong>"domain"</strong></a> which causes -<a href="smbd.8.html"><strong>smbd</strong></a> to authenticate against another server. -<p><a name="exec"></a> -<p></p><dt><strong><strong>exec (S)</strong></strong><dd> -<p>This is a synonym for <a href="smb.conf.5.html#preexec"><strong>preexec</strong></a>. -<p><a name="fakedirectorycreatetimes"></a> -<p></p><dt><strong><strong>fake directory create times (S)</strong></strong><dd> -<p>NTFS and Windows VFAT file systems keep a create time for all files -and directories. This is not the same as the ctime - status change -time - that Unix keeps, so Samba by default reports the earliest of -the various times Unix does keep. Setting this parameter for a share -causes Samba to always report midnight 1-1-1980 as the create time for -directories. -<p>This option is mainly used as a compatibility option for Visual C++ -when used against Samba shares. Visual C++ generated makefiles have -the object directory as a dependency for each object file, and a make -rule to create the directory. Also, when NMAKE compares timestamps it -uses the creation time when examining a directory. Thus the object -directory will be created if it does not exist, but once it does exist -it will always have an earlier timestamp than the object files it -contains. -<p>However, Unix time semantics mean that the create time reported by -Samba will be updated whenever a file is created or deleted in the -directory. NMAKE therefore finds all object files in the object -directory bar the last one built are out of date compared to the -directory and rebuilds them. Enabling this option ensures directories -always predate their contents and an NMAKE build will proceed as -expected. -<p><strong>Default:</strong> -<code> fake directory create times = False</code> -<p><strong>Example:</strong> -<code> fake directory create times = True</code> -<p><a name="fakeoplocks"></a> -<p></p><dt><strong><strong>fake oplocks (S)</strong></strong><dd> -<p>Oplocks are the way that SMB clients get permission from a server to -locally cache file operations. If a server grants an oplock -(opportunistic lock) then the client is free to assume that it is the -only one accessing the file and it will aggressively cache file -data. With some oplock types the client may even cache file open/close -operations. This can give enormous performance benefits. -<p>When you set <code>"fake oplocks = yes"</code> <a href="smbd.8.html"><strong>smbd</strong></a> will -always grant oplock requests no matter how many clients are using the -file. -<p>It is generally much better to use the real <a href="smb.conf.5.html#oplocks"><strong>oplocks</strong></a> -support rather than this parameter. -<p>If you enable this option on all read-only shares or shares that you -know will only be accessed from one client at a time such as -physically read-only media like CDROMs, you will see a big performance -improvement on many operations. If you enable this option on shares -where multiple clients may be accessing the files read-write at the -same time you can get data corruption. Use this option carefully! -<p>This option is disabled by default. -<p><a name="followsymlinks"></a> -<p></p><dt><strong><strong>follow symlinks (S)</strong></strong><dd> -<p>This parameter allows the Samba administrator to stop -<a href="smbd.8.html"><strong>smbd</strong></a> from following symbolic links in a -particular share. Setting this parameter to <em>"No"</em> prevents any file -or directory that is a symbolic link from being followed (the user -will get an error). This option is very useful to stop users from -adding a symbolic link to <code>/etc/passwd</code> in their home directory for -instance. However it will slow filename lookups down slightly. -<p>This option is enabled (i.e. <a href="smbd.8.html"><strong>smbd</strong></a> will follow -symbolic links) by default. -<p><a name="forcecreatemode"></a> -<p></p><dt><strong><strong>force create mode (S)</strong></strong><dd> -<p>This parameter specifies a set of UNIX mode bit permissions that will -<em>*always*</em> be set on a file by Samba. This is done by bitwise -'OR'ing these bits onto the mode bits of a file that is being created -or having its permissions changed. The default for this parameter is -(in octal) 000. The modes in this parameter are bitwise 'OR'ed onto -the file mode after the mask set in the <a href="smb.conf.5.html#createmask"><strong>"create -mask"</strong></a> parameter is applied. -<p>See also the parameter <a href="smb.conf.5.html#createmask"><strong>"create mask"</strong></a> for details -on masking mode bits on files. -<p>See also the <a href="smb.conf.5.html#inheritpermissions"><strong>"inherit permissions"</strong></a> parameter. -<p><strong>Default:</strong> -<code> force create mode = 000</code> -<p><strong>Example:</strong> -<code> force create mode = 0755</code> -<p>would force all created files to have read and execute permissions set -for 'group' and 'other' as well as the read/write/execute bits set for -the 'user'. -<p><a name="forcedirectorymode"></a> -<p></p><dt><strong><strong>force directory mode (S)</strong></strong><dd> -<p>This parameter specifies a set of UNIX mode bit permissions that will -<em>*always*</em> be set on a directory created by Samba. This is done by -bitwise 'OR'ing these bits onto the mode bits of a directory that is -being created. The default for this parameter is (in octal) 0000 which -will not add any extra permission bits to a created directory. This -operation is done after the mode mask in the parameter -<a href="smb.conf.5.html#directorymask"><strong>"directory mask"</strong></a> is applied. -<p>See also the parameter <a href="smb.conf.5.html#directorymask"><strong>"directory mask"</strong></a> for -details on masking mode bits on created directories. -<p>See also the <a href="smb.conf.5.html#inheritpermissions"><strong>"inherit permissions"</strong></a> parameter. -<p><strong>Default:</strong> -<code> force directory mode = 000</code> -<p><strong>Example:</strong> -<code> force directory mode = 0755</code> -<p>would force all created directories to have read and execute -permissions set for 'group' and 'other' as well as the -read/write/execute bits set for the 'user'. -<p><a name="forcedirectorysecuritymode"></a> -<p></p><dt><strong><strong>force directory security mode (S)</strong></strong><dd> -<p>This parameter controls what UNIX permission bits can be modified when -a Windows NT client is manipulating the UNIX permission on a directory -using the native NT security dialog box. -<p>This parameter is applied as a mask (OR'ed with) to the changed -permission bits, thus forcing any bits in this mask that the user may -have modified to be on. Essentially, one bits in this mask may be -treated as a set of bits that, when modifying security on a directory, -the user has always set to be 'on'. -<p>If not set explicitly this parameter is set to the same value as the -<a href="smb.conf.5.html#forcedirectorymode"><strong>force directory mode</strong></a> parameter. To allow -a user to modify all the user/group/world permissions on a directory, -with restrictions set this parameter to 000. -<p><em>Note</em> that users who can access the Samba server through other -means can easily bypass this restriction, so it is primarily -useful for standalone "appliance" systems. Administrators of -most normal systems will probably want to set it to 0000. -<p>See also the <a href="smb.conf.5.html#directorysecuritymask"><strong>directory security mask</strong></a>, -<a href="smb.conf.5.html#securitymask"><strong>security mask</strong></a>, <a href="smb.conf.5.html#forcesecuritymode"><strong>force security -mode</strong></a> parameters. -<p><strong>Default:</strong> -<code> force directory security mode = <same as force directory mode></code> -<p><strong>Example:</strong> -<code> force directory security mode = 0</code> -<p><a name="forcegroup"></a> -<p></p><dt><strong><strong>force group (S)</strong></strong><dd> -<p>This specifies a UNIX group name that will be assigned as the default -primary group for all users connecting to this service. This is useful -for sharing files by ensuring that all access to files on service will -use the named group for their permissions checking. Thus, by assigning -permissions for this group to the files and directories within this -service the Samba administrator can restrict or allow sharing of these -files. -<p>In Samba 2.0.5 and above this parameter has extended functionality in the following -way. If the group name listed here has a '+' character prepended to it -then the current user accessing the share only has the primary group -default assigned to this group if they are already assigned as a member -of that group. This allows an administrator to decide that only users -who are already in a particular group will create files with group -ownership set to that group. This gives a finer granularity of ownership -assignment. For example, the setting <code>force group = +sys</code> means -that only users who are already in group sys will have their default -primary group assigned to sys when accessing this Samba share. All -other users will retain their ordinary primary group. -<p>If the <a href="smb.conf.5.html#forceuser"><strong>"force user"</strong></a> parameter is also set the -group specified in <strong>force group</strong> will override the primary group -set in <a href="smb.conf.5.html#forceuser"><strong>"force user"</strong></a>. -<p>See also <a href="smb.conf.5.html#forceuser"><strong>"force user"</strong></a> -<p><strong>Default:</strong> -<code> no forced group</code> -<p><strong>Example:</strong> -<code> force group = agroup</code> -<p><a name="forcesecuritymode"></a> -<p></p><dt><strong><strong>force security mode (S)</strong></strong><dd> -<p>This parameter controls what UNIX permission bits can be modified when -a Windows NT client is manipulating the UNIX permission on a file -using the native NT security dialog box. -<p>This parameter is applied as a mask (OR'ed with) to the changed -permission bits, thus forcing any bits in this mask that the user may -have modified to be on. Essentially, one bits in this mask may be -treated as a set of bits that, when modifying security on a file, the -user has always set to be 'on'. -<p>If not set explicitly this parameter is set to the same value as the -<a href="smb.conf.5.html#forcecreatemode"><strong>force create mode</strong></a> parameter. To allow -a user to modify all the user/group/world permissions on a file, -with no restrictions set this parameter to 000. -<p><em>Note</em> that users who can access the Samba server through other -means can easily bypass this restriction, so it is primarily -useful for standalone "appliance" systems. Administrators of -most normal systems will probably want to set it to 0000. -<p>See also the <a href="smb.conf.5.html#forcedirectorysecuritymode"><strong>force directory security -mode</strong></a>, <a href="smb.conf.5.html#directorysecuritymask"><strong>directory security -mask</strong></a>, <a href="smb.conf.5.html#securitymask"><strong>security mask</strong></a> -parameters. -<p><strong>Default:</strong> -<code> force security mode = <same as force create mode></code> -<p><strong>Example:</strong> -<code> force security mode = 0</code> -<p><a name="forceuser"></a> -<p></p><dt><strong><strong>force user (S)</strong></strong><dd> -<p>This specifies a UNIX user name that will be assigned as the default -user for all users connecting to this service. This is useful for -sharing files. You should also use it carefully as using it -incorrectly can cause security problems. -<p>This user name only gets used once a connection is established. Thus -clients still need to connect as a valid user and supply a valid -password. Once connected, all file operations will be performed as the -<code>"forced user"</code>, no matter what username the client connected as. -<p>This can be very useful. -<p>In Samba 2.0.5 and above this parameter also causes the primary -group of the forced user to be used as the primary group for all -file activity. Prior to 2.0.5 the primary group was left as the -primary group of the connecting user (this was a bug). -<p>See also <a href="smb.conf.5.html#forcegroup"><strong>"force group"</strong></a> -<p><strong>Default:</strong> -<code> no forced user</code> -<p><strong>Example:</strong> -<code> force user = auser</code> -<p><a name="fstype"></a> -<p></p><dt><strong><strong>fstype (S)</strong></strong><dd> -<p>This parameter allows the administrator to configure the string that -specifies the type of filesystem a share is using that is reported by -<a href="smbd.8.html"><strong>smbd</strong></a> when a client queries the filesystem type -for a share. The default type is <strong>"NTFS"</strong> for compatibility with -Windows NT but this can be changed to other strings such as "Samba" or -"FAT" if required. -<p><strong>Default:</strong> -<code> fstype = NTFS</code> -<p><strong>Example:</strong> -<code> fstype = Samba</code> -<p><a name="getwdcache"></a> -<p></p><dt><strong><strong>getwd cache (G)</strong></strong><dd> -<p>This is a tuning option. When this is enabled a caching algorithm -will be used to reduce the time taken for getwd() calls. This can have -a significant impact on performance, especially when the -<a href="smb.conf.5.html#widelinks"><strong>widelinks</strong></a> parameter is set to False. -<p><strong>Default:</strong> -<code> getwd cache = No</code> -<p><strong>Example:</strong> -<code> getwd cache = Yes</code> -<p><a name="group"></a> -<p></p><dt><strong><strong>group (S)</strong></strong><dd> -<p>Synonym for <a href="smb.conf.5.html#forcegroup"><strong>"force group"</strong></a>. -<p><a name="guestaccount"></a> -<p></p><dt><strong><strong>guest account (S)</strong></strong><dd> -<p>This is a username which will be used for access to services which are -specified as <a href="smb.conf.5.html#guestok"><strong>'guest ok'</strong></a> (see below). Whatever -privileges this user has will be available to any client connecting to -the guest service. Typically this user will exist in the password -file, but will not have a valid login. The user account <strong>"ftp"</strong> is -often a good choice for this parameter. If a username is specified in -a given service, the specified username overrides this one. -<p>One some systems the default guest account "nobody" may not be able to -print. Use another account in this case. You should test this by -trying to log in as your guest user (perhaps by using the <code>"su -"</code> -command) and trying to print using the system print command such as -<strong>lpr (1)</strong> or <strong>lp (1)</strong>. -<p><strong>Default:</strong> -<code> specified at compile time, usually "nobody"</code> -<p><strong>Example:</strong> -<code> guest account = ftp</code> -<p><a name="guestok"></a> -<p></p><dt><strong><strong>guest ok (S)</strong></strong><dd> -<p>If this parameter is <em>'yes'</em> for a service, then no password is -required to connect to the service. Privileges will be those of the -<a href="smb.conf.5.html#guestaccount"><strong>guest account</strong></a>. -<p>See the section below on <a href="smb.conf.5.html#security"><strong>security</strong></a> for more -information about this option. -<p><strong>Default:</strong> -<code> guest ok = no</code> -<p><strong>Example:</strong> -<code> guest ok = yes</code> -<p><a name="guestonly"></a> -<p></p><dt><strong><strong>guest only (S)</strong></strong><dd> -<p>If this parameter is <em>'yes'</em> for a service, then only guest -connections to the service are permitted. This parameter will have no -affect if <a href="smb.conf.5.html#guestok"><strong>"guest ok"</strong></a> or <a href="smb.conf.5.html#public"><strong>"public"</strong></a> -is not set for the service. -<p>See the section below on <a href="smb.conf.5.html#security"><strong>security</strong></a> for more -information about this option. -<p><strong>Default:</strong> -<code> guest only = no</code> -<p><strong>Example:</strong> -<code> guest only = yes</code> -<p><a name="hidedotfiles"></a> -<p></p><dt><strong><strong>hide dot files (S)</strong></strong><dd> -<p>This is a boolean parameter that controls whether files starting with -a dot appear as hidden files. -<p><strong>Default:</strong> -<code> hide dot files = yes</code> -<p><strong>Example:</strong> -<code> hide dot files = no</code> -<p><a name="hidefiles"></a> -<p></p><dt><strong><strong>hide files(S)</strong></strong><dd> -<p>This is a list of files or directories that are not visible but are -accessible. The DOS 'hidden' attribute is applied to any files or -directories that match. -<p>Each entry in the list must be separated by a <code>'/'</code>, which allows -spaces to be included in the entry. <code>'*'</code> and <code>'?'</code> can be used -to specify multiple files or directories as in DOS wildcards. -<p>Each entry must be a Unix path, not a DOS path and must not include the -Unix directory separator <code>'/'</code>. -<p>Note that the case sensitivity option is applicable in hiding files. -<p>Setting this parameter will affect the performance of Samba, as it -will be forced to check all files and directories for a match as they -are scanned. -<p>See also <a href="smb.conf.5.html#hidedotfiles"><strong>"hide dot files"</strong></a>, <a href="smb.conf.5.html#vetofiles"><strong>"veto -files"</strong></a> and <a href="smb.conf.5.html#casesensitive"><strong>"case sensitive"</strong></a>. -<p><strong>Default</strong> -<pre> - - No files or directories are hidden by this option (dot files are - hidden by default because of the "hide dot files" option). - -</pre> - -<p><strong>Example</strong> -<code> hide files = /.*/DesktopFolderDB/TrashFor%m/resource.frk/</code> -<p>The above example is based on files that the Macintosh SMB client -(DAVE) available from <a href="http://www.thursby.com"><strong>Thursby</strong></a> creates for -internal use, and also still hides all files beginning with a dot. -<p><a name="homedirmap"></a> -<p></p><dt><strong><strong>homedir map (G)</strong></strong><dd> -<p>If <a href="smb.conf.5.html#nishomedir"><strong>"nis homedir"</strong></a> is true, and -<a href="smbd.8.html"><strong>smbd</strong></a> is also acting as a Win95/98 <a href="smb.conf.5.html#domainlogons"><strong>logon -server</strong></a> then this parameter specifies the NIS (or YP) -map from which the server for the user's home directory should be -extracted. At present, only the Sun auto.home map format is -understood. The form of the map is: -<p><code>username server:/some/file/system</code> -<p>and the program will extract the servername from before the first -<code>':'</code>. There should probably be a better parsing system that copes -with different map formats and also Amd (another automounter) maps. -<p>NB: A working NIS is required on the system for this option to work. -<p>See also <a href="smb.conf.5.html#nishomedir"><strong>"nis homedir"</strong></a>, <a href="smb.conf.5.html#domainlogons"><strong>domain -logons</strong></a>. -<p><strong>Default:</strong> -<code> homedir map = auto.home</code> -<p><strong>Example:</strong> -<code> homedir map = amd.homedir</code> -<p><a name="hostsallow"></a> -<p></p><dt><strong><strong>hosts allow (S)</strong></strong><dd> -<p>A synonym for this parameter is <a href="smb.conf.5.html#allowhosts"><strong>'allow hosts'</strong></a> -<p>This parameter is a comma, space, or tab delimited set of hosts which -are permitted to access a service. -<p>If specified in the <a href="smb.conf.5.html#global"><strong>[global]</strong></a> section then it will -apply to all services, regardless of whether the individual service -has a different setting. -<p>You can specify the hosts by name or IP number. For example, you could -restrict access to only the hosts on a Class C subnet with something -like <code>"allow hosts = 150.203.5."</code>. The full syntax of the list is -described in the man page <strong>hosts_access (5)</strong>. Note that this man -page may not be present on your system, so a brief description will -be given here also. -<p>Note that the localhost address 127.0.0.1 will always be allowed -access unless specifically denied by a "hosts deny" option. -<p>You can also specify hosts by network/netmask pairs and by netgroup -names if your system supports netgroups. The <em>EXCEPT</em> keyword can also -be used to limit a wildcard list. The following examples may provide -some help: -<p><strong>Example 1</strong>: allow all IPs in 150.203.*.* except one -<p><code> hosts allow = 150.203. EXCEPT 150.203.6.66</code> -<p><strong>Example 2</strong>: allow hosts that match the given network/netmask -<p><code> hosts allow = 150.203.15.0/255.255.255.0</code> -<p><strong>Example 3</strong>: allow a couple of hosts -<p><code> hosts allow = lapland, arvidsjaur</code> -<p><strong>Example 4</strong>: allow only hosts in NIS netgroup "foonet", but -deny access from one particular host -<p><code> hosts allow = @foonet</code> -<p><code> hosts deny = pirate</code> -<p>Note that access still requires suitable user-level passwords. -<p>See <a href="testparm.1.html"><strong>testparm (1)</strong></a> for a way of testing your -host access to see if it does what you expect. -<p><strong>Default:</strong> -<code> none (i.e., all hosts permitted access)</code> -<p><strong>Example:</strong> -<code> allow hosts = 150.203.5. myhost.mynet.edu.au</code> -<p><a name="hostsdeny"></a> -<p></p><dt><strong><strong>hosts deny (S)</strong></strong><dd> -<p>The opposite of <a href="smb.conf.5.html#hostsallow"><strong>'hosts allow'</strong></a> - hosts listed -here are <em>NOT</em> permitted access to services unless the specific -services have their own lists to override this one. Where the lists -conflict, the <a href="smb.conf.5.html#hostsallow"><strong>'allow'</strong></a> list takes precedence. -<p><strong>Default:</strong> -<code> none (i.e., no hosts specifically excluded)</code> -<p><strong>Example:</strong> -<code> hosts deny = 150.203.4. badhost.mynet.edu.au</code> -<p><a name="hostsequiv"></a> -<p></p><dt><strong><strong>hosts equiv (G)</strong></strong><dd> -<p>If this global parameter is a non-null string, it specifies the name -of a file to read for the names of hosts and users who will be allowed -access without specifying a password. -<p>This is not be confused with <a href="smb.conf.5.html#hostsallow"><strong>hosts allow</strong></a> which -is about hosts access to services and is more useful for guest -services. <strong>hosts equiv</strong> may be useful for NT clients which will not -supply passwords to samba. -<p>NOTE: The use of <strong>hosts equiv</strong> can be a major security hole. This is -because you are trusting the PC to supply the correct username. It is -very easy to get a PC to supply a false username. I recommend that the -<strong>hosts equiv</strong> option be only used if you really know what you are -doing, or perhaps on a home network where you trust your spouse and -kids. And only if you <em>really</em> trust them :-). -<p><strong>Default</strong> -<code> No host equivalences</code> -<p><strong>Example</strong> -<code> hosts equiv = /etc/hosts.equiv</code> -<p><a name="include"></a> -<p></p><dt><strong><strong>include (G)</strong></strong><dd> -<p>This allows you to include one config file inside another. The file -is included literally, as though typed in place. -<p>It takes the standard substitutions, except <a href="smb.conf.5.html#percentu"><strong>%u</strong></a>, -<a href="smb.conf.5.html#percentP"><strong>%P</strong></a> and <a href="smb.conf.5.html#percentS"><strong>%S</strong></a>. -<p><a name="inheritpermissions"></a> -<p></p><dt><strong><strong>inherit permissions (S)</strong></strong><dd> -<p>The permissions on new files and directories are normally governed by -<a href="smb.conf.5.html#createmask"><strong>"create mask"</strong></a>, -<a href="smb.conf.5.html#directorymask"><strong>"directory mask"</strong></a>, -<a href="smb.conf.5.html#forcecreatemode"><strong>"force create mode"</strong></a> and -<a href="smb.conf.5.html#forcedirectorymode"><strong>"force directory mode"</strong></a> -but the boolean inherit permissions parameter overrides this. -<p>New directories inherit the mode of the parent directory, -including bits such as setgid. -<p>New files inherit their read/write bits from the parent directory. -Their execute bits continue to be determined by -<a href="smb.conf.5.html#maparchive"><strong>"map archive"</strong></a>, -<a href="smb.conf.5.html#maphidden"><strong>"map hidden"</strong></a> and -<a href="smb.conf.5.html#mapsystem"><strong>"map system"</strong></a> as usual. -<p>Note that the setuid bit is *never* set via inheritance -(the code explicitly prohibits this). -<p>This can be particularly useful on large systems with many users, -perhaps several thousand, -to allow a single <strong>[homes]</strong> share to be used flexibly by each user. -<p>See also <a href="smb.conf.5.html#createmask"><strong>"create mask"</strong></a>, <a href="smb.conf.5.html#directorymask"><strong>"directory mask"</strong></a>, -<a href="smb.conf.5.html#forcecreatemode"><strong>"force create mode"</strong></a> and -<a href="smb.conf.5.html#forcedirectorymode"><strong>"force directory mode"</strong></a>. -<p><strong>Default</strong> -<code> inherit permissions = no</code> -<p><strong>Example</strong> -<code> inherit permissions = yes</code> -<p><a name="interfaces"></a> -<p></p><dt><strong><strong>interfaces (G)</strong></strong><dd> -<p>This option allows you to override the default network interfaces list -that Samba will use for browsing, name registration and other NBT -traffic. By default Samba will query the kernel for the list of all -active interfaces and use any interfaces except 127.0.0.1 that are -broadcast capable. -<p>The option takes a list of interface strings. Each string can be in -any of the following forms: -<p><dl> -<li > a network interface name (such as eth0). This may include - shell-like wildcards so eth* will match any interface starting - with the substring "eth" -<li > an IP address. In this case the netmask is determined - from the list of interfaces obtained from the kernel -<li > an IP/mask pair. -<li > a broadcast/mask pair. -</dl> -<p>The "mask" parameters can either be a bit length (such as 24 for a C -class network) or a full netmask in dotted decmal form. -<p>The "IP" parameters above can either be a full dotted decimal IP -address or a hostname which will be looked up via the OSes normal -hostname resolution mechanisms. -<p>For example, the following line: -<p><code>interfaces = eth0 192.168.2.10/24 192.168.3.10/255.255.255.0</code> -<p>would configure three network interfaces corresponding to the eth0 -device and IP addresses 192.168.2.10 and 192.168.3.10. The netmasks of -the latter two interfaces would be set to 255.255.255.0. -<p>See also <a href="smb.conf.5.html#bindinterfacesonly"><strong>"bind interfaces only"</strong></a>. -<p><a name="invalidusers"></a> -<p></p><dt><strong><strong>invalid users (S)</strong></strong><dd> -<p>This is a list of users that should not be allowed to login to this -service. This is really a <em>"paranoid"</em> check to absolutely ensure an -improper setting does not breach your security. -<p>A name starting with a <code>'@'</code> is interpreted as an NIS netgroup first -(if your system supports NIS), and then as a UNIX group if the name -was not found in the NIS netgroup database. -<p>A name starting with <code>'+'</code> is interpreted only by looking in the -UNIX group database. A name starting with <code>'&'</code> is interpreted only -by looking in the NIS netgroup database (this requires NIS to be -working on your system). The characters <code>'+'</code> and <code>'&'</code> may be -used at the start of the name in either order so the value -<code>"+&group"</code> means check the UNIX group database, followed by the NIS -netgroup database, and the value <code>"&+group"</code> means check the NIS -netgroup database, followed by the UNIX group database (the same as -the <code>'@'</code> prefix). -<p>The current servicename is substituted for -<a href="smb.conf.5.html#percentS"><strong>%S</strong></a>. This is useful in the <a href="smb.conf.5.html#homes"><strong>[homes]</strong></a> -section. -<p>See also <a href="smb.conf.5.html#validusers"><strong>"valid users"</strong></a>. -<p><strong>Default:</strong> -<code> No invalid users</code> -<p><strong>Example:</strong> -<code> invalid users = root fred admin @wheel</code> -<p><a name="keepalive"></a> -<p></p><dt><strong><strong>keepalive (G)</strong></strong><dd> -<p>The value of the parameter (an integer) represents the number of -seconds between <strong>'keepalive'</strong> packets. If this parameter is zero, no -keepalive packets will be sent. Keepalive packets, if sent, allow the -server to tell whether a client is still present and responding. -<p>Keepalives should, in general, not be needed if the socket being used -has the SO_KEEPALIVE attribute set on it (see <a href="smb.conf.5.html#socketoptions"><strong>"socket -options"</strong></a>). Basically you should only use this option -if you strike difficulties. -<p><strong>Default:</strong> -<code> keepalive = 0</code> -<p><strong>Example:</strong> -<code> keepalive = 60</code> -<p><a name="kerneloplocks"></a> -<p></p><dt><strong><strong>kernel oplocks (G)</strong></strong><dd> -<p>For UNIXs that support kernel based <a href="smb.conf.5.html#oplocks"><strong>oplocks</strong></a> -(currently only IRIX but hopefully also Linux and FreeBSD soon) this -parameter allows the use of them to be turned on or off. -<p>Kernel oplocks support allows Samba <a href="smb.conf.5.html#oplocks"><strong>oplocks</strong></a> to be -broken whenever a local UNIX process or NFS operation accesses a file -that <a href="smbd.8.html"><strong>smbd</strong></a> has oplocked. This allows complete -data consistency between SMB/CIFS, NFS and local file access (and is a -<em>very</em> cool feature :-). -<p>This parameter defaults to <em>"On"</em> on systems that have the support, -and <em>"off"</em> on systems that don't. You should never need to touch -this parameter. -<p>See also the <a href="smb.conf.5.html#oplocks"><strong>"oplocks"</strong></a> and <a href="smb.conf.5.html#level2oplocks"><strong>"level2 oplocks"</strong></a> -parameters. -<p><a name="ldapfilter"></a> -<p></p><dt><strong><strong>ldap filter (G)</strong></strong><dd> -<p>This parameter is part of the <em>EXPERIMENTAL</em> Samba support for a -password database stored on an LDAP server back-end. These options -are only available if your version of Samba was configured with -the <strong>--with-ldap</strong> option. -<p>This parameter specifies an LDAP search filter used to search for a -user name in the LDAP database. It must contain the string -<a href="smb.conf.5.html#percentU"><strong>%u</strong></a> which will be replaced with the user being -searched for. -<p><strong>Default:</strong> -<code> empty string.</code> -<p><a name="ldapport"></a> -<p></p><dt><strong><strong>ldap port (G)</strong></strong><dd> -<p>This parameter is part of the <em>EXPERIMENTAL</em> Samba support for a -password database stored on an LDAP server back-end. These options -are only available if your version of Samba was configured with -the <strong>--with-ldap</strong> option. -<p>This parameter specifies the TCP port number to use to contact -the LDAP server on. -<p><strong>Default:</strong> -<code> ldap port = 389.</code> -<p><a name="ldaproot"></a> -<p></p><dt><strong><strong>ldap root (G)</strong></strong><dd> -<p>This parameter is part of the <em>EXPERIMENTAL</em> Samba support for a -password database stored on an LDAP server back-end. These options -are only available if your version of Samba was configured with -the <strong>--with-ldap</strong> option. -<p>This parameter specifies the entity to bind to the LDAP server -as (essentially the LDAP username) in order to be able to perform -queries and modifications on the LDAP database. -<p>See also <a href="smb.conf.5.html#ldaprootpasswd"><strong>ldap root passwd</strong></a>. -<p><strong>Default:</strong> -<code> empty string (no user defined)</code> -<p><a name="ldaprootpasswd"></a> -<p></p><dt><strong><strong>ldap root passwd (G)</strong></strong><dd> -<p>This parameter is part of the <em>EXPERIMENTAL</em> Samba support for a -password database stored on an LDAP server back-end. These options -are only available if your version of Samba was configured with -the <strong>--with-ldap</strong> option. -<p>This parameter specifies the password for the entity to bind to the -LDAP server as (the password for this LDAP username) in order to be -able to perform queries and modifications on the LDAP database. -<p><em>BUGS:</em> This parameter should <em>NOT</em> be a readable parameter -in the <strong>smb.conf</strong> file and will be removed once a correct -storage place is found. -<p>See also <a href="smb.conf.5.html#ldaproot"><strong>ldap root</strong></a>. -<p><strong>Default:</strong> -<code> empty string.</code> -<p><a name="ldapserver"></a> -<p></p><dt><strong><strong>ldap server (G)</strong></strong><dd> -<p>This parameter is part of the <em>EXPERIMENTAL</em> Samba support for a -password database stored on an LDAP server back-end. These options -are only available if your version of Samba was configured with -the <strong>--with-ldap</strong> option. -<p>This parameter specifies the DNS name of the LDAP server to use -for SMB/CIFS authentication purposes. -<p><strong>Default:</strong> -<code> ldap server = localhost</code> -<p><a name="ldapsuffix"></a> -<p></p><dt><strong><strong>ldap suffix (G)</strong></strong><dd> -<p>This parameter is part of the <em>EXPERIMENTAL</em> Samba support for a -password database stored on an LDAP server back-end. These options -are only available if your version of Samba was configured with -the <strong>--with-ldap</strong> option. -<p>This parameter specifies the <code>"dn"</code> or LDAP <em>"distinguished name"</em> -that tells <a href="smbd.8.html"><strong>smbd</strong></a> to start from when searching -for an entry in the LDAP password database. -<p><strong>Default:</strong> -<code> empty string.</code> -<p><a name="level2oplocks"></a> -<p></p><dt><strong><strong>level2 oplocks (S)</strong></strong><dd> -<p>This parameter (new in Samba 2.0.5) controls whether Samba supports -level2 (read-only) oplocks on a share. In Samba 2.0.5 this parameter -defaults to "False" as the code is new, but will default to "True" -in a later release. -<p>Level2, or read-only oplocks allow Windows NT clients that have an -oplock on a file to downgrade from a read-write oplock to a read-only -oplock once a second client opens the file (instead of releasing all -oplocks on a second open, as in traditional, exclusive oplocks). This -allows all openers of the file that support level2 oplocks to cache -the file for read-ahead only (ie. they may not cache writes or lock -requests) and increases performance for many acesses of files that -are not commonly written (such as application .EXE files). -<p>Once one of the clients which have a read-only oplock writes to -the file all clients are notified (no reply is needed or waited -for) and told to break their oplocks to "none" and delete any -read-ahead caches. -<p>It is recommended that this parameter be turned on to speed access -to shared executables (and also to test the code :-). -<p>For more discussions on level2 oplocks see the CIFS spec. -<p>Currently, if <a href="smb.conf.5.html#kerneloplocks"><strong>"kernel oplocks"</strong></a> are supported -then level2 oplocks are not granted (even if this parameter is set -to <code>"true"</code>). Note also, the <a href="smb.conf.5.html#oplocks"><strong>"oplocks"</strong></a> parameter must -be set to "true" on this share in order for this parameter to have any -effect. -<p>See also the <a href="smb.conf.5.html#oplocks"><strong>"oplocks"</strong></a> and <a href="smb.conf.5.html#kerneloplocks"><strong>"kernel oplocks"</strong></a> parameters. -<p><strong>Default:</strong> -<code> level2 oplocks = False</code> -<p><strong>Example:</strong> -<code> level2 oplocks = True</code> -<p><a name="lmannounce"></a> -<p></p><dt><strong><strong>lm announce (G)</strong></strong><dd> -<p>This parameter determines if <a href="nmbd.8.html"><strong>nmbd</strong></a> will produce -Lanman announce broadcasts that are needed by <strong>OS/2</strong> clients in order -for them to see the Samba server in their browse list. This parameter -can have three values, <code>"true"</code>, <code>"false"</code>, or <code>"auto"</code>. The -default is <code>"auto"</code>. If set to <code>"false"</code> Samba will never produce -these broadcasts. If set to <code>"true"</code> Samba will produce Lanman -announce broadcasts at a frequency set by the parameter <a href="smb.conf.5.html#lminterval"><strong>"lm -interval"</strong></a>. If set to <code>"auto"</code> Samba will not send Lanman -announce broadcasts by default but will listen for them. If it hears -such a broadcast on the wire it will then start sending them at a -frequency set by the parameter <a href="smb.conf.5.html#lminterval"><strong>"lm interval"</strong></a>. -<p>See also <a href="smb.conf.5.html#lminterval"><strong>"lm interval"</strong></a>. -<p><strong>Default:</strong> -<code> lm announce = auto</code> -<p><strong>Example:</strong> -<code> lm announce = true</code> -<p><a name="lminterval"></a> -<p></p><dt><strong><strong>lm interval (G)</strong></strong><dd> -<p>If Samba is set to produce Lanman announce broadcasts needed by -<strong>OS/2</strong> clients (see the <a href="smb.conf.5.html#lmannounce"><strong>"lm announce"</strong></a> -parameter) then this parameter defines the frequency in seconds with -which they will be made. If this is set to zero then no Lanman -announcements will be made despite the setting of the <a href="smb.conf.5.html#lmannounce"><strong>"lm -announce"</strong></a> parameter. -<p>See also <a href="smb.conf.5.html#lmannounce"><strong>"lm announce"</strong></a>. -<p><strong>Default:</strong> -<code> lm interval = 60</code> -<p><strong>Example:</strong> -<code> lm interval = 120</code> -<p><a name="loadprinters"></a> -<p></p><dt><strong><strong>load printers (G)</strong></strong><dd> -<p>A boolean variable that controls whether all printers in the printcap -will be loaded for browsing by default. See the -<a href="smb.conf.5.html#printers"><strong>"printers"</strong></a> section for more details. -<p><strong>Default:</strong> -<code> load printers = yes</code> -<p><strong>Example:</strong> -<code> load printers = no</code> -<p><a name="localmaster"></a> -<p></p><dt><strong><strong>local master (G)</strong></strong><dd> -<p>This option allows <a href="nmbd.8.html"><strong>nmbd</strong></a> to try and become a -local master browser on a subnet. If set to False then -<a href="nmbd.8.html"><strong>nmbd</strong></a> will not attempt to become a local master -browser on a subnet and will also lose in all browsing elections. By -default this value is set to true. Setting this value to true doesn't -mean that Samba will <em>become</em> the local master browser on a subnet, -just that <a href="nmbd.8.html"><strong>nmbd</strong></a> will <em>participate</em> in -elections for local master browser. -<p>Setting this value to False will cause <a href="nmbd.8.html"><strong>nmbd</strong></a> -<em>never</em> to become a local master browser. -<p><strong>Default:</strong> -<code> local master = yes</code> -<p><a name="lockdir"></a> -<p></p><dt><strong><strong>lock dir (G)</strong></strong><dd> -<p>Synonym for <a href="smb.conf.5.html#lockdirectory"><strong>"lock directory"</strong></a>. -<p><a name="lockdirectory"></a> -<p></p><dt><strong><strong>lock directory (G)</strong></strong><dd> -<p>This option specifies the directory where lock files will be placed. -The lock files are used to implement the <a href="smb.conf.5.html#maxconnections"><strong>"max -connections"</strong></a> option. -<p><strong>Default:</strong> -<code> lock directory = /tmp/samba</code> -<p><strong>Example:</strong> -<code> lock directory = /usr/local/samba/var/locks</code> -<p><a name="locking"></a> -<p></p><dt><strong><strong>locking (S)</strong></strong><dd> -<p>This controls whether or not locking will be performed by the server -in response to lock requests from the client. -<p>If <code>"locking = no"</code>, all lock and unlock requests will appear to -succeed and all lock queries will indicate that the queried lock is -clear. -<p>If <code>"locking = yes"</code>, real locking will be performed by the server. -<p>This option <em>may</em> be useful for read-only filesystems which <em>may</em> -not need locking (such as cdrom drives), although setting this -parameter of <code>"no"</code> is not really recommended even in this case. -<p>Be careful about disabling locking either globally or in a specific -service, as lack of locking may result in data corruption. You should -never need to set this parameter. -<p><strong>Default:</strong> -<code> locking = yes</code> -<p><strong>Example:</strong> -<code> locking = no</code> -<p><a name="logfile"></a> -<p></p><dt><strong><strong>log file (G)</strong></strong><dd> -<p>This options allows you to override the name of the Samba log file -(also known as the debug file). -<p>This option takes the standard substitutions, allowing you to have -separate log files for each user or machine. -<p><strong>Example:</strong> -<code> log file = /usr/local/samba/var/log.%m</code> -<p><a name="loglevel"></a> -<p></p><dt><strong><strong>log level (G)</strong></strong><dd> -<p>Synonym for <a href="smb.conf.5.html#debuglevel"><strong>"debug level"</strong></a>. -<p><a name="logondrive"></a> -<p></p><dt><strong><strong>logon drive (G)</strong></strong><dd> -<p>This parameter specifies the local path to which the home directory -will be connected (see <a href="smb.conf.5.html#logonhome"><strong>"logon home"</strong></a>) and is only -used by NT Workstations. -<p>Note that this option is only useful if Samba is set up as a -<a href="smb.conf.5.html#domainlogons"><strong>logon server</strong></a>. -<p><strong>Example:</strong> -<code> logon drive = h:</code> -<p><a name="logonhome"></a> -<p></p><dt><strong><strong>logon home (G)</strong></strong><dd> -<p>This parameter specifies the home directory location when a Win95/98 or -NT Workstation logs into a Samba PDC. It allows you to do -<p><code>"NET USE H: /HOME"</code> -<p>from a command prompt, for example. -<p>This option takes the standard substitutions, allowing you to have -separate logon scripts for each user or machine. -<p>This parameter can be used with Win9X workstations to ensure that -roaming profiles are stored in a subdirectory of the user's home -directory. This is done in the following way: -<p><code>" logon home = \\%L\%U\profile"</code> -<p>This tells Samba to return the above string, with substitutions made -when a client requests the info, generally in a NetUserGetInfo request. -Win9X clients truncate the info to \\server\share when a user does <code>"net use /home"</code>, -but use the whole string when dealing with profiles. -<p>Note that in prior versions of Samba, the <code>"logon path"</code> was returned rather than -<code>"logon home"</code>. This broke <code>"net use /home"</code> but allowed profiles outside the -home directory. The current implementation is correct, and can be used for profiles -if you use the above trick. -<p>Note that this option is only useful if Samba is set up as a -<a href="smb.conf.5.html#domainlogons"><strong>logon server</strong></a>. -<p><strong>Example:</strong> -<code> logon home = "\\remote_smb_server\%U"</code> -<p><strong>Default:</strong> -<code> logon home = "\\%N\%U"</code> -<p><a name="logonpath"></a> -<p></p><dt><strong><strong>logon path (G)</strong></strong><dd> -<p>This parameter specifies the home directory where roaming profiles -(NTuser.dat etc files for Windows NT) are stored. Contrary to previous -versions of these manual pages, it has nothing to do with Win 9X roaming -profiles. To find out how to handle roaming profiles for Win 9X system, see -the <code>"logon home"</code> parameter. -<p>This option takes the standard substitutions, allowing you to have -separate logon scripts for each user or machine. It also specifies -the directory from which the <code>"application data"</code>, (<code>"desktop"</code>, <code>"start menu"</code>, -<code>"network neighborhood"</code>, <code>"programs"</code> and other folders, and their -contents, are loaded and displayed on your Windows NT client. -<p>The share and the path must be readable by the user for the -preferences and directories to be loaded onto the Windows NT -client. The share must be writeable when the logs in for the first -time, in order that the Windows NT client can create the NTuser.dat -and other directories. -<p>Thereafter, the directories and any of the contents can, if required, be -made read-only. It is not advisable that the NTuser.dat file be made -read-only - rename it to NTuser.man to achieve the desired effect (a -<em>MAN</em>datory profile). -<p>Windows clients can sometimes maintain a connection to the [homes] -share, even though there is no user logged in. Therefore, it is vital -that the logon path does not include a reference to the homes share -(i.e. setting this parameter to <code>\\%N\HOMES\profile_path</code> will cause -problems). -<p>This option takes the standard substitutions, allowing you to have -separate logon scripts for each user or machine. -<p>Note that this option is only useful if Samba is set up as a -<a href="smb.conf.5.html#domainlogons"><strong>logon server</strong></a>. -<p><strong>Default:</strong> -<code> logon path = \\%N\%U\profile</code> -<p><strong>Example:</strong> -<code> logon path = \\PROFILESERVER\HOME_DIR\%U\PROFILE</code> -<p><a name="logonscript"></a> -<p></p><dt><strong><strong>logon script (G)</strong></strong><dd> -<p>This parameter specifies the batch file (.bat) or NT command file -(.cmd) to be downloaded and run on a machine when a user successfully -logs in. The file must contain the DOS style cr/lf line endings. -Using a DOS-style editor to create the file is recommended. -<p>The script must be a relative path to the <code>[netlogon]</code> service. If -the <code>[netlogon]</code> service specifies a <a href="smb.conf.5.html#path"><strong>path</strong></a> of -/usr/local/samba/netlogon, and logon script = STARTUP.BAT, then the -file that will be downloaded is: -<p><code>/usr/local/samba/netlogon/STARTUP.BAT</code> -<p>The contents of the batch file is entirely your choice. A suggested -command would be to add <code>NET TIME \\SERVER /SET /YES</code>, to force every -machine to synchronize clocks with the same time server. Another use -would be to add <code>NET USE U: \\SERVER\UTILS</code> for commonly used -utilities, or <code>NET USE Q: \\SERVER\ISO9001_QA</code> for example. -<p>Note that it is particularly important not to allow write access to -the <code>[netlogon]</code> share, or to grant users write permission on the -batch files in a secure environment, as this would allow the batch -files to be arbitrarily modified and security to be breached. -<p>This option takes the standard substitutions, allowing you to have -separate logon scripts for each user or machine. -<p>Note that this option is only useful if Samba is set up as a -<a href="smb.conf.5.html#domainlogons"><strong>logon server</strong></a>. -<p><strong>Example:</strong> -<code> logon script = scripts\%U.bat</code> -<p><a name="lppausecommand"></a> -<p></p><dt><strong><strong>lppause command (S)</strong></strong><dd> -<p>This parameter specifies the command to be executed on the server host -in order to stop printing or spooling a specific print job. -<p>This command should be a program or script which takes a printer name -and job number to pause the print job. One way of implementing this is -by using job priorities, where jobs having a too low priority won't be -sent to the printer. -<p>If a <code>"%p"</code> is given then the printername is put in its place. A -<code>"%j"</code> is replaced with the job number (an integer). On HPUX (see -<a href="smb.conf.5.html#printing"><strong>printing=hpux</strong></a>), if the <code>"-p%p"</code> option is added -to the lpq command, the job will show up with the correct status, -i.e. if the job priority is lower than the set fence priority it will -have the PAUSED status, whereas if the priority is equal or higher it -will have the SPOOLED or PRINTING status. -<p>Note that it is good practice to include the absolute path in the -lppause command as the PATH may not be available to the server. -<p>See also the <a href="smb.conf.5.html#printing"><strong>"printing"</strong></a> parameter. -<p><strong>Default:</strong> - Currently no default value is given to this string, unless the -value of the <a href="smb.conf.5.html#printing"><strong>"printing"</strong></a> parameter is <code>SYSV</code>, in -which case the default is : -<p><code> lp -i %p-%j -H hold</code> -<p>or if the value of the <a href="smb.conf.5.html#printing"><strong>"printing"</strong></a> parameter is <code>softq</code>, -then the default is: -<p><code> qstat -s -j%j -h</code> -<p><strong>Example for HPUX:</strong> - lppause command = /usr/bin/lpalt %p-%j -p0 -<p><a name="lpqcachetime"></a> -<p></p><dt><strong><strong>lpq cache time (G)</strong></strong><dd> -<p>This controls how long lpq info will be cached for to prevent the -<strong>lpq</strong> command being called too often. A separate cache is kept for -each variation of the <strong>lpq</strong> command used by the system, so if you -use different <strong>lpq</strong> commands for different users then they won't -share cache information. -<p>The cache files are stored in <code>/tmp/lpq.xxxx</code> where xxxx is a hash of -the <strong>lpq</strong> command in use. -<p>The default is 10 seconds, meaning that the cached results of a -previous identical <strong>lpq</strong> command will be used if the cached data is -less than 10 seconds old. A large value may be advisable if your -<strong>lpq</strong> command is very slow. -<p>A value of 0 will disable caching completely. -<p>See also the <a href="smb.conf.5.html#printing"><strong>"printing"</strong></a> parameter. -<p><strong>Default:</strong> -<code> lpq cache time = 10</code> -<p><strong>Example:</strong> -<code> lpq cache time = 30</code> -<p><a name="lpqcommand"></a> -<p></p><dt><strong><strong>lpq command (S)</strong></strong><dd> -<p>This parameter specifies the command to be executed on the server host -in order to obtain <code>"lpq"</code>-style printer status information. -<p>This command should be a program or script which takes a printer name -as its only parameter and outputs printer status information. -<p>Currently eight styles of printer status information are supported; -BSD, AIX, LPRNG, PLP, SYSV, HPUX, QNX and SOFTQ. This covers most UNIX -systems. You control which type is expected using the -<a href="smb.conf.5.html#printing"><strong>"printing ="</strong></a> option. -<p>Some clients (notably Windows for Workgroups) may not correctly send -the connection number for the printer they are requesting status -information about. To get around this, the server reports on the first -printer service connected to by the client. This only happens if the -connection number sent is invalid. -<p>If a <code>%p</code> is given then the printername is put in its place. Otherwise -it is placed at the end of the command. -<p>Note that it is good practice to include the absolute path in the <strong>lpq -command</strong> as the PATH may not be available to the server. -<p>See also the <a href="smb.conf.5.html#printing"><strong>"printing"</strong></a> parameter. -<p><strong>Default:</strong> -<code> depends on the setting of printing =</code> -<p><strong>Example:</strong> -<code> lpq command = /usr/bin/lpq %p</code> -<p><a name="lpresumecommand"></a> -<p></p><dt><strong><strong>lpresume command (S)</strong></strong><dd> -<p>This parameter specifies the command to be executed on the server host -in order to restart or continue printing or spooling a specific print -job. -<p>This command should be a program or script which takes a printer name -and job number to resume the print job. See also the <a href="smb.conf.5.html#lppausecommand"><strong>"lppause -command"</strong></a> parameter. -<p>If a <code>%p</code> is given then the printername is put in its place. A -<code>%j</code> is replaced with the job number (an integer). -<p>Note that it is good practice to include the absolute path in the <strong>lpresume -command</strong> as the PATH may not be available to the server. -<p>See also the <a href="smb.conf.5.html#printing"><strong>"printing"</strong></a> parameter. -<p><strong>Default:</strong> -<p>Currently no default value is given to this string, unless the -value of the <a href="smb.conf.5.html#printing"><strong>"printing"</strong></a> parameter is <code>SYSV</code>, in -which case the default is : -<p><code> lp -i %p-%j -H resume</code> -<p>or if the value of the <a href="smb.conf.5.html#printing"><strong>"printing"</strong></a> parameter is <code>softq</code>, -then the default is: -<p><code> qstat -s -j%j -r</code> -<p><strong>Example for HPUX:</strong> -<code> lpresume command = /usr/bin/lpalt %p-%j -p2</code> -<p><a name="lprmcommand"></a> -<p></p><dt><strong><strong>lprm command (S)</strong></strong><dd> -<p>This parameter specifies the command to be executed on the server host -in order to delete a print job. -<p>This command should be a program or script which takes a printer name -and job number, and deletes the print job. -<p>If a <code>%p</code> is given then the printername is put in its place. A -<code>%j</code> is replaced with the job number (an integer). -<p>Note that it is good practice to include the absolute path in the -<strong>lprm command</strong> as the PATH may not be available to the server. -<p>See also the <a href="smb.conf.5.html#printing"><strong>"printing"</strong></a> parameter. -<p><strong>Default:</strong> -<code> depends on the setting of "printing ="</code> -<p><strong>Example 1:</strong> -<code> lprm command = /usr/bin/lprm -P%p %j</code> -<p><strong>Example 2:</strong> -<code> lprm command = /usr/bin/cancel %p-%j</code> -<p><a name="machinepasswordtimeout"></a> -<p></p><dt><strong><strong>machine password timeout (G)</strong></strong><dd> -<p>If a Samba server is a member of an Windows NT Domain (see the -<a href="smb.conf.5.html#securityequaldomain"><strong>"security=domain"</strong></a>) parameter) then -periodically a running <a href="smbd.8.html"><strong>smbd</strong></a> process will try and -change the <strong>MACHINE ACCOUNT PASWORD</strong> stored in the file called -<code><Domain>.<Machine>.mac</code> where <code><Domain></code> is the name of the -Domain we are a member of and <code><Machine></code> is the primary -<a href="smb.conf.5.html#netbiosname"><strong>"NetBIOS name"</strong></a> of the machine -<a href="smbd.8.html"><strong>smbd</strong></a> is running on. This parameter specifies how -often this password will be changed, in seconds. The default is one -week (expressed in seconds), the same as a Windows NT Domain member -server. -<p>See also <a href="smbpasswd.8.html"><strong>smbpasswd (8)</strong></a>, and the -<a href="smb.conf.5.html#securityequaldomain"><strong>"security=domain"</strong></a>) parameter. -<p><strong>Default:</strong> -<code> machine password timeout = 604800</code> -<p><a name="magicoutput"></a> -<p></p><dt><strong><strong>magic output (S)</strong></strong><dd> -<p>This parameter specifies the name of a file which will contain output -created by a magic script (see the <a href="smb.conf.5.html#magicscript"><strong>"magic -script"</strong></a> parameter below). -<p>Warning: If two clients use the same <a href="smb.conf.5.html#magicscript"><strong>"magic -script"</strong></a> in the same directory the output file content -is undefined. -<p><strong>Default:</strong> -<code> magic output = <magic script name>.out</code> -<p><strong>Example:</strong> -<code> magic output = myfile.txt</code> -<p><a name="magicscript"></a> -<p></p><dt><strong><strong>magic script (S)</strong></strong><dd> -<p>This parameter specifies the name of a file which, if opened, will be -executed by the server when the file is closed. This allows a UNIX -script to be sent to the Samba host and executed on behalf of the -connected user. -<p>Scripts executed in this way will be deleted upon completion, -permissions permitting. -<p>If the script generates output, output will be sent to the file -specified by the <a href="smb.conf.5.html#magicoutput"><strong>"magic output"</strong></a> parameter (see -above). -<p>Note that some shells are unable to interpret scripts containing -carriage-return-linefeed instead of linefeed as the end-of-line -marker. Magic scripts must be executable <em>"as is"</em> on the host, -which for some hosts and some shells will require filtering at the DOS -end. -<p>Magic scripts are <em>EXPERIMENTAL</em> and should <em>NOT</em> be relied upon. -<p><strong>Default:</strong> -<code> None. Magic scripts disabled.</code> -<p><strong>Example:</strong> -<code> magic script = user.csh</code> -<p><a name="manglecase"></a> -<p></p><dt><strong><strong>mangle case (S)</strong></strong><dd> -<p>See the section on <a href="smb.conf.5.html#NAMEMANGLING"><strong>"NAME MANGLING"</strong></a>. -<p><a name="manglelocks"></a> -<p></p><dt><strong><strong>mangle locks (S)</strong></strong><dd> -<p>This option is was introduced with Samba 2.0.4 and above and has been -removed in Samba 2.0.6 as Samba now dynamically configures such things -on 32 bit systems. -<p><a name="mangledmap"></a> -<p></p><dt><strong><strong>mangled map (S)</strong></strong><dd> -<p>This is for those who want to directly map UNIX file names which can -not be represented on Windows/DOS. The mangling of names is not always -what is needed. In particular you may have documents with file -extensions that differ between DOS and UNIX. For example, under UNIX -it is common to use <code>".html"</code> for HTML files, whereas under -Windows/DOS <code>".htm"</code> is more commonly used. -<p>So to map <code>"html"</code> to <code>"htm"</code> you would use: -<p><code> mangled map = (*.html *.htm)</code> -<p>One very useful case is to remove the annoying <code>";1"</code> off the ends -of filenames on some CDROMS (only visible under some UNIXs). To do -this use a map of (*;1 *). -<p><strong>default:</strong> -<code> no mangled map</code> -<p><strong>Example:</strong> -<code> mangled map = (*;1 *)</code> -<p><a name="manglednames"></a> -<p></p><dt><strong><strong>mangled names (S)</strong></strong><dd> -<p>This controls whether non-DOS names under UNIX should be mapped to -DOS-compatible names ("mangled") and made visible, or whether non-DOS -names should simply be ignored. -<p>See the section on <a href="smb.conf.5.html#NAMEMANGLING"><strong>"NAME MANGLING"</strong></a> for details -on how to control the mangling process. -<p>If mangling is used then the mangling algorithm is as follows: -<p><dl> -<p><li > The first (up to) five alphanumeric characters before the -rightmost dot of the filename are preserved, forced to upper case, and -appear as the first (up to) five characters of the mangled name. -<p><li > A tilde <code>"~"</code> is appended to the first part of the mangled -name, followed by a two-character unique sequence, based on the -original root name (i.e., the original filename minus its final -extension). The final extension is included in the hash calculation -only if it contains any upper case characters or is longer than three -characters. -<p>Note that the character to use may be specified using the -<a href="smb.conf.5.html#manglingchar"><strong>"mangling char"</strong></a> option, if you don't like -<code>'~'</code>. -<p><li > The first three alphanumeric characters of the final extension -are preserved, forced to upper case and appear as the extension of the -mangled name. The final extension is defined as that part of the -original filename after the rightmost dot. If there are no dots in the -filename, the mangled name will have no extension (except in the case -of <a href="smb.conf.5.html#hidefiles"><strong>"hidden files"</strong></a> - see below). -<p><li > Files whose UNIX name begins with a dot will be presented as DOS -hidden files. The mangled name will be created as for other filenames, -but with the leading dot removed and <code>"___"</code> as its extension regardless -of actual original extension (that's three underscores). -<p></dl> -<p>The two-digit hash value consists of upper case alphanumeric -characters. -<p>This algorithm can cause name collisions only if files in a directory -share the same first five alphanumeric characters. The probability of -such a clash is 1/1300. -<p>The name mangling (if enabled) allows a file to be copied between UNIX -directories from Windows/DOS while retaining the long UNIX -filename. UNIX files can be renamed to a new extension from -Windows/DOS and will retain the same basename. Mangled names do not -change between sessions. -<p><strong>Default:</strong> -<code> mangled names = yes</code> -<p><strong>Example:</strong> -<code> mangled names = no</code> -<p><a name="manglingchar"></a> -<p></p><dt><strong><strong>mangling char (S)</strong></strong><dd> -<p>This controls what character is used as the <em>"magic"</em> character in -<a href="smb.conf.5.html#manglednames"><strong>name mangling</strong></a>. The default is a <code>'~'</code> but -this may interfere with some software. Use this option to set it to -whatever you prefer. -<p><strong>Default:</strong> -<code> mangling char = ~</code> -<p><strong>Example:</strong> -<code> mangling char = ^</code> -<p><a name="mangledstack"></a> -<p></p><dt><strong><strong>mangled stack (G)</strong></strong><dd> -<p>This parameter controls the number of mangled names that should be -cached in the Samba server <a href="smbd.8.html"><strong>smbd</strong></a>. -<p>This stack is a list of recently mangled base names (extensions are -only maintained if they are longer than 3 characters or contains upper -case characters). -<p>The larger this value, the more likely it is that mangled names can be -successfully converted to correct long UNIX names. However, large -stack sizes will slow most directory access. Smaller stacks save -memory in the server (each stack element costs 256 bytes). -<p>It is not possible to absolutely guarantee correct long file names, so -be prepared for some surprises! -<p><strong>Default:</strong> -<code> mangled stack = 50</code> -<p><strong>Example:</strong> -<code> mangled stack = 100</code> -<p><a name="maparchive"></a> -<p></p><dt><strong><strong>map archive (S)</strong></strong><dd> -<p>This controls whether the DOS archive attribute should be mapped to -the UNIX owner execute bit. The DOS archive bit is set when a file -has been modified since its last backup. One motivation for this -option it to keep Samba/your PC from making any file it touches from -becoming executable under UNIX. This can be quite annoying for shared -source code, documents, etc... -<p>Note that this requires the <a href="smb.conf.5.html#createmask"><strong>"create mask"</strong></a> -parameter to be set such that owner execute bit is not masked out -(i.e. it must include 100). See the parameter <a href="smb.conf.5.html#createmask"><strong>"create -mask"</strong></a> for details. -<p><strong>Default:</strong> -<code> map archive = yes</code> -<p><strong>Example:</strong> -<code> map archive = no</code> -<p><a name="maphidden"></a> -<p></p><dt><strong><strong>map hidden (S)</strong></strong><dd> -<p>This controls whether DOS style hidden files should be mapped to the -UNIX world execute bit. -<p>Note that this requires the <a href="smb.conf.5.html#createmask"><strong>"create mask"</strong></a> to be -set such that the world execute bit is not masked out (i.e. it must -include 001). See the parameter <a href="smb.conf.5.html#createmask"><strong>"create mask"</strong></a> -for details. -<p><strong>Default:</strong> -<code> map hidden = no</code> -<p><strong>Example:</strong> -<code> map hidden = yes</code> -<p><a name="mapsystem"></a> -<p></p><dt><strong><strong>map system (S)</strong></strong><dd> -<p>This controls whether DOS style system files should be mapped to the -UNIX group execute bit. -<p>Note that this requires the <a href="smb.conf.5.html#createmask"><strong>"create mask"</strong></a> to be -set such that the group execute bit is not masked out (i.e. it must -include 010). See the parameter <a href="smb.conf.5.html#createmask"><strong>"create mask"</strong></a> -for details. -<p><strong>Default:</strong> -<code> map system = no</code> -<p><strong>Example:</strong> -<code> map system = yes</code> -<p><a name="maptoguest"></a> -<p></p><dt><strong><strong>map to guest (G)</strong></strong><dd> -<p>This parameter is only useful in <a href="smb.conf.5.html#security"><strong>security</strong></a> modes -other than <a href="smb.conf.5.html#securityequalshare"><strong>"security=share"</strong></a> - i.e. user, -server, and domain. -<p>This parameter can take three different values, which tell -<a href="smbd.8.html"><strong>smbd</strong></a> what to do with user login requests that -don't match a valid UNIX user in some way. -<p>The three settings are : -<p><dl> -<p><li > <strong>"Never"</strong> - Means user login requests with an invalid password -are rejected. This is the default. -<p><li > <strong>"Bad User"</strong> - Means user logins with an invalid password are -rejected, unless the username does not exist, in which case it is -treated as a guest login and mapped into the <a href="smb.conf.5.html#guestaccount"><strong>"guest -account"</strong></a>. -<p><li > <strong>"Bad Password"</strong> - Means user logins with an invalid -password are treated as a guest login and mapped into the -<a href="smb.conf.5.html#guestaccount"><strong>"guest account"</strong></a>. Note that this can -cause problems as it means that any user incorrectly typing their -password will be silently logged on a <strong>"guest"</strong> - and -will not know the reason they cannot access files they think -they should - there will have been no message given to them -that they got their password wrong. Helpdesk services will -<em>*hate*</em> you if you set the <strong>"map to guest"</strong> parameter -this way :-). -<p></dl> -<p>Note that this parameter is needed to set up <strong>"Guest"</strong> share -services when using <a href="smb.conf.5.html#security"><strong>security</strong></a> modes other than -share. This is because in these modes the name of the resource being -requested is <em>*not*</em> sent to the server until after the server has -successfully authenticated the client so the server cannot make -authentication decisions at the correct time (connection to the -share) for <strong>"Guest"</strong> shares. -<p>For people familiar with the older Samba releases, this parameter -maps to the old compile-time setting of the GUEST_SESSSETUP value -in local.h. -<p><strong>Default:</strong> -<code> map to guest = Never</code> - <strong>Example</strong>: -<code> map to guest = Bad User</code> -<p><a name="maxconnections"></a> -<p></p><dt><strong><strong>max connections (S)</strong></strong><dd> -<p>This option allows the number of simultaneous connections to a service -to be limited. If <strong>"max connections"</strong> is greater than 0 then -connections will be refused if this number of connections to the -service are already open. A value of zero mean an unlimited number of -connections may be made. -<p>Record lock files are used to implement this feature. The lock files -will be stored in the directory specified by the <a href="smb.conf.5.html#lockdirectory"><strong>"lock -directory"</strong></a> option. -<p><strong>Default:</strong> -<code> max connections = 0</code> -<p><strong>Example:</strong> -<code> max connections = 10</code> -<p><a name="maxdisksize"></a> -<p></p><dt><strong><strong>max disk size (G)</strong></strong><dd> -<p>This option allows you to put an upper limit on the apparent size of -disks. If you set this option to 100 then all shares will appear to be -not larger than 100 MB in size. -<p>Note that this option does not limit the amount of data you can put on -the disk. In the above case you could still store much more than 100 -MB on the disk, but if a client ever asks for the amount of free disk -space or the total disk size then the result will be bounded by the -amount specified in <strong>"max disk size"</strong>. -<p>This option is primarily useful to work around bugs in some pieces of -software that can't handle very large disks, particularly disks over -1GB in size. -<p>A <strong>"max disk size"</strong> of 0 means no limit. -<p><strong>Default:</strong> -<code> max disk size = 0</code> -<p><strong>Example:</strong> -<code> max disk size = 1000</code> -<p><a name="maxlogsize"></a> -<p></p><dt><strong><strong>max log size (G)</strong></strong><dd> -<p>This option (an integer in kilobytes) specifies the max size the log -file should grow to. Samba periodically checks the size and if it is -exceeded it will rename the file, adding a <code>".old"</code> extension. -<p>A size of 0 means no limit. -<p><strong>Default:</strong> -<code> max log size = 5000</code> -<p><strong>Example:</strong> -<code> max log size = 1000</code> -<p><a name="maxmux"></a> -<p></p><dt><strong><strong>max mux (G)</strong></strong><dd> -<p>This option controls the maximum number of outstanding simultaneous -SMB operations that samba tells the client it will allow. You should -never need to set this parameter. -<p><strong>Default:</strong> -<code> max mux = 50</code> -<p><a name="maxopenfiles"></a> -<p></p><dt><strong><strong>max open files (G)</strong></strong><dd> -<p>This parameter limits the maximum number of open files that one -<a href="smbd.8.html"><strong>smbd</strong></a> file serving process may have open for -a client at any one time. The default for this parameter is set -very high (10,000) as Samba uses only one bit per unopened file. -<p>The limit of the number of open files is usually set by the -UNIX per-process file descriptor limit rather than this parameter -so you should never need to touch this parameter. -<p><strong>Default:</strong> -<code> max open files = 10000</code> -<p><a name="maxpacket"></a> -<p></p><dt><strong><strong>max packet (G)</strong></strong><dd> -<p>Synonym for <a href="smb.conf.5.html#packetsize"><strong>"packet size"</strong></a>. -<p><a name="maxttl"></a> -<p></p><dt><strong><strong>max ttl (G)</strong></strong><dd> -<p>This option tells <a href="nmbd.8.html"><strong>nmbd</strong></a> what the default 'time -to live' of NetBIOS names should be (in seconds) when -<a href="nmbd.8.html"><strong>nmbd</strong></a> is requesting a name using either a -broadcast packet or from a WINS server. You should never need to -change this parameter. The default is 3 days. -<p><strong>Default:</strong> -<code> max ttl = 259200</code> -<p><a name="maxwinsttl"></a> -<p></p><dt><strong><strong>max wins ttl (G)</strong></strong><dd> -<p>This option tells <a href="nmbd.8.html"><strong>nmbd</strong></a> when acting as a WINS -server <a href="smb.conf.5.html#winssupport"><strong>(wins support =true)</strong></a> what the maximum -'time to live' of NetBIOS names that <a href="nmbd.8.html"><strong>nmbd</strong></a> will -grant will be (in seconds). You should never need to change this -parameter. The default is 6 days (518400 seconds). -<p>See also the <a href="smb.conf.5.html#minwinsttl"><strong>"min wins ttl"</strong></a> parameter. -<p><strong>Default:</strong> -<code> max wins ttl = 518400</code> -<p><a name="maxxmit"></a> -<p></p><dt><strong><strong>max xmit (G)</strong></strong><dd> -<p>This option controls the maximum packet size that will be negotiated -by Samba. The default is 65535, which is the maximum. In some cases -you may find you get better performance with a smaller value. A value -below 2048 is likely to cause problems. -<p><strong>Default:</strong> -<code> max xmit = 65535</code> -<p><strong>Example:</strong> -<code> max xmit = 8192</code> -<p><a name="messagecommand"></a> -<p></p><dt><strong><strong>message command (G)</strong></strong><dd> -<p>This specifies what command to run when the server receives a WinPopup -style message. -<p>This would normally be a command that would deliver the message -somehow. How this is to be done is up to your imagination. -<p>An example is: -<p><code> message command = csh -c 'xedit %s;rm %s' &</code> -<p>This delivers the message using <strong>xedit</strong>, then removes it -afterwards. <em>NOTE THAT IT IS VERY IMPORTANT THAT THIS COMMAND RETURN -IMMEDIATELY</em>. That's why I have the <code>'&'</code> on the end. If it doesn't -return immediately then your PCs may freeze when sending messages -(they should recover after 30secs, hopefully). -<p>All messages are delivered as the global guest user. The command takes -the standard substitutions, although <a href="smb.conf.5.html#percentu"><strong>%u</strong></a> won't work -(<a href="smb.conf.5.html#percentU"><strong>%U</strong></a> may be better in this case). -<p>Apart from the standard substitutions, some additional ones apply. In -particular: -<p><dl> -<p><li > <code>"%s"</code> = the filename containing the message. -<p><li > <code>"%t"</code> = the destination that the message was sent to (probably the server -name). -<p><li > <code>"%f"</code> = who the message is from. -<p></dl> -<p>You could make this command send mail, or whatever else takes your -fancy. Please let us know of any really interesting ideas you have. -<p>Here's a way of sending the messages as mail to root: -<p><code>message command = /bin/mail -s 'message from %f on %m' root < %s; rm %s</code> -<p>If you don't have a message command then the message won't be -delivered and Samba will tell the sender there was an -error. Unfortunately WfWg totally ignores the error code and carries -on regardless, saying that the message was delivered. -<p>If you want to silently delete it then try: -<p><code>"message command = rm %s"</code>. -<p><strong>Default:</strong> -<code> no message command</code> -<p><strong>Example:</strong> -<code> message command = csh -c 'xedit %s;rm %s' &</code> -<p><a name="minprintspace"></a> -<p></p><dt><strong><strong>min print space (S)</strong></strong><dd> -<p>This sets the minimum amount of free disk space that must be available -before a user will be able to spool a print job. It is specified in -kilobytes. The default is 0, which means a user can always spool a print -job. -<p>See also the <a href="smb.conf.5.html#printing"><strong>printing</strong></a> parameter. -<p><strong>Default:</strong> -<code> min print space = 0</code> -<p><strong>Example:</strong> -<code> min print space = 2000</code> -<p><a name="minpasswdlength"></a> -<p></p><dt><strong><strong>min passwd length (G)</strong></strong><dd> -<p>Synonym for <a href="smb.conf.5.html#minpasswordlength"><strong>"min password length"</strong></a>. -<p><a name="minpasswordlength"></a> -<p></p><dt><strong><strong>min password length (G)</strong></strong><dd> -<p>This option sets the minimum length in characters of a plaintext password -than smbd will accept when performing UNIX password changing. -<p>See also <a href="smb.conf.5.html#unixpasswordsync"><strong>"unix password sync"</strong></a>, -<a href="smb.conf.5.html#passwdprogram"><strong>"passwd program"</strong></a> and <a href="smb.conf.5.html#passwdchatdebug"><strong>"passwd chat -debug"</strong></a>. -<p><strong>Default:</strong> -<code> min password length = 5</code> -<p><a name="minwinsttl"></a> -<p></p><dt><strong><strong>min wins ttl (G)</strong></strong><dd> -<p>This option tells <a href="nmbd.8.html"><strong>nmbd</strong></a> when acting as a WINS -server <a href="smb.conf.5.html#winssupport"><strong>(wins support = true)</strong></a> what the minimum -'time to live' of NetBIOS names that <a href="nmbd.8.html"><strong>nmbd</strong></a> will -grant will be (in seconds). You should never need to change this -parameter. The default is 6 hours (21600 seconds). -<p><strong>Default:</strong> -<code> min wins ttl = 21600</code> -<p><a name="nameresolveorder"></a> -<p></p><dt><strong><strong>name resolve order (G)</strong></strong><dd> -<p>This option is used by the programs in the Samba suite to determine -what naming services and in what order to resolve host names to IP -addresses. The option takes a space separated string of different name -resolution options. -<p>The options are :"lmhosts", "host", "wins" and "bcast". They cause -names to be resolved as follows : -<p><dl> -<p><li > <strong>lmhosts</strong> : Lookup an IP address in the Samba lmhosts file. -If the line in lmhosts has no name type attached to the NetBIOS -name (see the <a href="lmhosts.5.html"><strong>lmhosts (5)</strong></a> for details) then -any name type matches for lookup. -<p><li > <strong>host</strong> : Do a standard host name to IP address resolution, -using the system /etc/hosts, NIS, or DNS lookups. This method of name -resolution is operating system depended for instance on IRIX or -Solaris this may be controlled by the <em>/etc/nsswitch.conf</em> file). -Note that this method is only used if the NetBIOS name type being -queried is the 0x20 (server) name type, otherwise it is ignored. -<p><li > <strong>wins</strong> : Query a name with the IP address listed in the -<a href="smb.conf.5.html#winsserver"><strong>wins server</strong></a> parameter. If no WINS server has -been specified this method will be ignored. -<p><li > <strong>bcast</strong> : Do a broadcast on each of the known local interfaces -listed in the <a href="smb.conf.5.html#interfaces"><strong>interfaces</strong></a> parameter. This is the -least reliable of the name resolution methods as it depends on the -target host being on a locally connected subnet. -<p></dl> -<p><strong>Default:</strong> -<code> name resolve order = lmhosts host wins bcast</code> -<p><strong>Example:</strong> -<code> name resolve order = lmhosts bcast host</code> -<p>This will cause the local lmhosts file to be examined first, followed -by a broadcast attempt, followed by a normal system hostname lookup. -<p><a name="netbiosaliases"></a> -<p></p><dt><strong><strong>netbios aliases (G)</strong></strong><dd> -<p>This is a list of NetBIOS names that <a href="nmbd.8.html"><strong>nmbd</strong></a> will -advertise as additional names by which the Samba server is known. This -allows one machine to appear in browse lists under multiple names. If -a machine is acting as a <a href="smb.conf.5.html#localmaster"><strong>browse server</strong></a> or -<a href="smb.conf.5.html#domainlogons"><strong>logon server</strong></a> none of these names will be -advertised as either browse server or logon servers, only the primary -name of the machine will be advertised with these capabilities. -<p>See also <a href="smb.conf.5.html#netbiosname"><strong>"netbios name"</strong></a>. -<p><strong>Default:</strong> -<code> empty string (no additional names)</code> -<p><strong>Example:</strong> -<code> netbios aliases = TEST TEST1 TEST2</code> -<p><a name="netbiosname"></a> -<p></p><dt><strong><strong>netbios name (G)</strong></strong><dd> -<p>This sets the NetBIOS name by which a Samba server is known. By -default it is the same as the first component of the host's DNS name. -If a machine is a <a href="smb.conf.5.html#localmaster"><strong>browse server</strong></a> or -<a href="smb.conf.5.html#domainlogons"><strong>logon server</strong></a> this name (or the first component -of the hosts DNS name) will be the name that these services are -advertised under. -<p>See also <a href="smb.conf.5.html#netbiosaliases"><strong>"netbios aliases"</strong></a>. -<p><strong>Default:</strong> -<code> Machine DNS name.</code> -<p><strong>Example:</strong> -<code> netbios name = MYNAME</code> -<p><a name="netbiosscope"></a> -<p></p><dt><strong><strong>netbios scope (G)</strong></strong><dd> -<p>This sets the NetBIOS scope that Samba will operate under. This should -not be set unless every machine on your LAN also sets this value. -<p><a name="nishomedir"></a> -<p></p><dt><strong><strong>nis homedir (G)</strong></strong><dd> -<p>Get the home share server from a NIS map. For UNIX systems that use an -automounter, the user's home directory will often be mounted on a -workstation on demand from a remote server. -<p>When the Samba logon server is not the actual home directory server, -but is mounting the home directories via NFS then two network hops -would be required to access the users home directory if the logon -server told the client to use itself as the SMB server for home -directories (one over SMB and one over NFS). This can be very -slow. -<p>This option allows Samba to return the home share as being on a -different server to the logon server and as long as a Samba daemon is -running on the home directory server, it will be mounted on the Samba -client directly from the directory server. When Samba is returning the -home share to the client, it will consult the NIS map specified in -<a href="smb.conf.5.html#homedirmap"><strong>"homedir map"</strong></a> and return the server listed -there. -<p>Note that for this option to work there must be a working NIS -system and the Samba server with this option must also be a -<a href="smb.conf.5.html#domainlogons"><strong>logon server</strong></a>. -<p><strong>Default:</strong> -<code> nis homedir = false</code> -<p><strong>Example:</strong> -<code> nis homedir = true</code> -<p><a name="ntaclsupport"></a> -<p></p><dt><strong><strong>nt acl support (G)</strong></strong><dd> -<p>This boolean parameter controls whether <a href="smbd.8.html"><strong>smbd</strong></a> -will attempt to map UNIX permissions into Windows NT access control lists. -<p><strong>Default:</strong> -<code> nt acl support = yes</code> -<p><strong>Example:</strong> -<code> nt acl support = no</code> -<p><a name="ntpipesupport"></a> -<p></p><dt><strong><strong>nt pipe support (G)</strong></strong><dd> -<p>This boolean parameter controls whether <a href="smbd.8.html"><strong>smbd</strong></a> -will allow Windows NT clients to connect to the NT SMB specific -<code>IPC$</code> pipes. This is a developer debugging option and can be left -alone. -<p><strong>Default:</strong> -<code> nt pipe support = yes</code> -<p><a name="ntsmbsupport"></a> -<p></p><dt><strong><strong>nt smb support (G)</strong></strong><dd> -<p>This boolean parameter controls whether <a href="smbd.8.html"><strong>smbd</strong></a> -will negotiate NT specific SMB support with Windows NT -clients. Although this is a developer debugging option and should be -left alone, benchmarking has discovered that Windows NT clients give -faster performance with this option set to <code>"no"</code>. This is still -being investigated. If this option is set to <code>"no"</code> then Samba -offers exactly the same SMB calls that versions prior to Samba2.0 -offered. This information may be of use if any users are having -problems with NT SMB support. -<p><strong>Default:</strong> -<code> nt support = yes</code> -<p><a name="nullpasswords"></a> -<p></p><dt><strong><strong>null passwords (G)</strong></strong><dd> -<p>Allow or disallow client access to accounts that have null passwords. -<p>See also <a href="smbpasswd.5.html"><strong>smbpasswd (5)</strong></a>. -<p><strong>Default:</strong> -<code> null passwords = no</code> -<p><strong>Example:</strong> -<code> null passwords = yes</code> -<p><a name="olelockingcompatibility"></a> -<p></p><dt><strong><strong>ole locking compatibility (G)</strong></strong><dd> -<p>This parameter allows an administrator to turn off the byte range lock -manipulation that is done within Samba to give compatibility for OLE -applications. Windows OLE applications use byte range locking as a -form of inter-process communication, by locking ranges of bytes around -the 2^32 region of a file range. This can cause certain UNIX lock -managers to crash or otherwise cause problems. Setting this parameter -to <code>"no"</code> means you trust your UNIX lock manager to handle such cases -correctly. -<p><strong>Default:</strong> -<code> ole locking compatibility = yes</code> -<p><strong>Example:</strong> -<code> ole locking compatibility = no</code> -<p><a name="onlyguest"></a> -<p></p><dt><strong><strong>only guest (S)</strong></strong><dd> -<p>A synonym for <a href="smb.conf.5.html#guestonly"><strong>"guest only"</strong></a>. -<p><a name="onlyuser"></a> -<p></p><dt><strong><strong>only user (S)</strong></strong><dd> -<p>This is a boolean option that controls whether connections with -usernames not in the <a href="smb.conf.5.html#user"><strong>user=</strong></a> list will be allowed. By -default this option is disabled so a client can supply a username to -be used by the server. -<p>Note that this also means Samba won't try to deduce usernames from the -service name. This can be annoying for the <a href="smb.conf.5.html#homes"><strong>[homes]</strong></a> -section. To get around this you could use "<a href="smb.conf.5.html#user"><strong>user</strong></a> = -<a href="smb.conf.5.html#percentS"><strong>%S</strong></a>" which means your <a href="smb.conf.5.html#user"><strong>"user"</strong></a> list -will be just the service name, which for home directories is the name -of the user. -<p>See also the <a href="smb.conf.5.html#user"><strong>user</strong></a> parameter. -<p><strong>Default:</strong> -<code> only user = False</code> -<p><strong>Example:</strong> -<code> only user = True</code> -<p><a name="oplocks"></a> -<p></p><dt><strong><strong>oplocks (S)</strong></strong><dd> -<p>This boolean option tells smbd whether to issue oplocks (opportunistic -locks) to file open requests on this share. The oplock code can -dramatically (approx. 30% or more) improve the speed of access to files -on Samba servers. It allows the clients to aggressively cache files -locally and you may want to disable this option for unreliable network -environments (it is turned on by default in Windows NT Servers). For -more information see the file Speed.txt in the Samba docs/ directory. -<p>Oplocks may be selectively turned off on certain files on a per share basis. -See the 'veto oplock files' parameter. On some systems oplocks are recognized -by the underlying operating system. This allows data synchronization between -all access to oplocked files, whether it be via Samba or NFS or a local -UNIX process. See the <a href="smb.conf.5.html#kerneloplocks"><strong>kernel oplocks</strong></a> parameter -for details. -<p>See also the <a href="smb.conf.5.html#kerneloplocks"><strong>"kernel oplocks"</strong></a> and -<a href="smb.conf.5.html#level2oplocks"><strong>"level2 oplocks"</strong></a> parameters. -<p><strong>Default:</strong> -<code> oplocks = True</code> -<p><strong>Example:</strong> -<code> oplocks = False</code> -<p><a name="oplockbreakwaittime"></a> -<p></p><dt><strong><strong>oplock break wait time (G)</strong></strong><dd> -<p>This is a tuning parameter added due to bugs in both Windows 9x and WinNT. -If Samba responds to a client too quickly when that client issues an SMB that -can cause an oplock break request, then the client redirector can fail and -not respond to the break request. This tuning parameter (which is set in -milliseconds) is the amount of time Samba will wait before sending an -oplock break request to such (broken) clients. -<p><em>DO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ AND UNDERSTOOD THE SAMBA -OPLOCK CODE</em>. -<p><strong>Default:</strong> -<code> oplock break wait time = 10</code> -<p><a name="oplockcontentionlimit"></a> -<p></p><dt><strong><strong>oplock contention limit (S)</strong></strong><dd> -<p>This is a <em>very</em> advanced <a href="smbd.8.html"><strong>smbd</strong></a> tuning option to improve -the efficiency of the granting of oplocks under multiple client contention for the same file. -<p>In brief it specifies a number, which causes smbd not to grant an oplock even -when requested if the approximate number of clients contending for an oplock on -the same file goes over this limit. This causes <a href="smbd.8.html"><strong>smbd</strong></a> to -behave in a similar way to Windows NT. -<p><em>DO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ AND UNDERSTOOD THE SAMBA -OPLOCK CODE</em>. -<p><strong>Default:</strong> -<code> oplock contention limit = 2</code> -<p><a name="oslevel"></a> -<p></p><dt><strong><strong>os level (G)</strong></strong><dd> -<p>This integer value controls what level Samba advertises itself as for -browse elections. The value of this parameter determines whether -<a href="nmbd.8.html"><strong>nmbd</strong></a> has a chance of becoming a local master -browser for the <a href="smb.conf.5.html#workgroup"><strong>WORKGROUP</strong></a> in the local broadcast -area. The default is zero, which means <a href="nmbd.8.html"><strong>nmbd</strong></a> will -lose elections to Windows machines. See BROWSING.txt in the Samba -docs/ directory for details. -<p><strong>Default:</strong> -<code> os level = 20</code> -<p><strong>Example:</strong> -<code> os level = 65 ; This will win against any NT Server</code> -<p><a name="packetsize"></a> -<p></p><dt><strong><strong>packet size (G)</strong></strong><dd> -<p>This is a deprecated parameter that has no effect on the current -Samba code. It is left in the parameter list to prevent breaking -old <strong>smb.conf</strong> files. -<p><a name="panicaction"></a> -<p></p><dt><strong><strong>panic action (G)</strong></strong><dd> -<p>This is a Samba developer option that allows a system command to be -called when either <a href="smbd.8.html"><strong>smbd</strong></a> or -<a href="nmbd.8.html"><strong>nmbd</strong></a> crashes. This is usually used to draw -attention to the fact that a problem occurred. -<p><strong>Default:</strong> -<code> panic action = <empty string></code> -<p><a name="passwdchat"></a> -<p></p><dt><strong><strong>passwd chat (G)</strong></strong><dd> -<p>This string controls the <em>"chat"</em> conversation that takes places -between <a href="smbd.8.html"><strong>smbd</strong></a> and the local password changing -program to change the users password. The string describes a sequence -of response-receive pairs that <a href="smbd.8.html"><strong>smbd</strong></a> uses to -determine what to send to the <a href="smb.conf.5.html#passwdprogram"><strong>passwd</strong></a> program -and what to expect back. If the expected output is not received then -the password is not changed. -<p>This chat sequence is often quite site specific, depending on what -local methods are used for password control (such as NIS etc). -<p>The string can contain the macros <code>"%o"</code> and <code>"%n"</code> which are -substituted for the old and new passwords respectively. It can also -contain the standard macros <code>"\n"</code>, <code>"\r"</code>, <code>"\t"</code> and <code>"\s"</code> -to give line-feed, carriage-return, tab and space. -<p>The string can also contain a <code>'*'</code> which matches any sequence of -characters. -<p>Double quotes can be used to collect strings with spaces in them into -a single string. -<p>If the send string in any part of the chat sequence is a fullstop -<code>"."</code> then no string is sent. Similarly, is the expect string is a -fullstop then no string is expected. -<p>Note that if the <a href="smb.conf.5.html#unixpasswordsync"><strong>"unix password sync"</strong></a> -parameter is set to true, then this sequence is called <em>*AS ROOT*</em> -when the SMB password in the smbpasswd file is being changed, without -access to the old password cleartext. In this case the old password -cleartext is set to <code>""</code> (the empty string). -<p>See also <a href="smb.conf.5.html#unixpasswordsync"><strong>"unix password sync"</strong></a>, -<a href="smb.conf.5.html#passwdprogram"><strong>"passwd program"</strong></a> and <a href="smb.conf.5.html#passwdchatdebug"><strong>"passwd chat -debug"</strong></a>. -<p><strong>Example:</strong> -<pre> - passwd chat = "*Enter OLD password*" %o\n "*Enter NEW password*" %n\n "*Reenter NEW password*" %n\n "*Password changed*" - -</pre> - -<p><strong>Default:</strong> -<pre> - passwd chat = *old*password* %o\n *new*password* %n\n *new*password* %n\n *changed* -</pre> - -<p><a name="passwdchatdebug"></a> -<p></p><dt><strong><strong>passwd chat debug (G)</strong></strong><dd> -<p>This boolean specifies if the passwd chat script parameter is run in -<code>"debug"</code> mode. In this mode the strings passed to and received from -the passwd chat are printed in the <a href="smbd.8.html"><strong>smbd</strong></a> log with -a <a href="smb.conf.5.html#debuglevel"><strong>"debug level"</strong></a> of 100. This is a dangerous -option as it will allow plaintext passwords to be seen in the -<a href="smbd.8.html"><strong>smbd</strong></a> log. It is available to help Samba admins -debug their <a href="smb.conf.5.html#passwdchat"><strong>"passwd chat"</strong></a> scripts when calling -the <a href="smb.conf.5.html#passwdprogram"><strong>"passwd program"</strong></a> and should be turned off -after this has been done. This parameter is off by default. -<p>See also <a href="smb.conf.5.html#passwdchat"><strong>"passwd chat"</strong></a>, <a href="smb.conf.5.html#passwdprogram"><strong>"passwd -program"</strong></a>. -<p><strong>Example:</strong> -<code> passwd chat debug = True</code> -<p><strong>Default:</strong> -<code> passwd chat debug = False</code> -<p><a name="passwdprogram"></a> -<p></p><dt><strong><strong>passwd program (G)</strong></strong><dd> -<p>The name of a program that can be used to set UNIX user passwords. -Any occurrences of <a href="smb.conf.5.html#percentu"><strong>%u</strong></a> will be replaced with the -user name. The user name is checked for existence before calling the -password changing program. -<p>Also note that many passwd programs insist in <em>"reasonable"</em> -passwords, such as a minimum length, or the inclusion of mixed case -chars and digits. This can pose a problem as some clients (such as -Windows for Workgroups) uppercase the password before sending it. -<p><em>Note</em> that if the <a href="smb.conf.5.html#unixpasswordsync"><strong>"unix password sync"</strong></a> -parameter is set to <code>"True"</code> then this program is called <em>*AS -ROOT*</em> before the SMB password in the -<a href="smbpasswd.5.html"><strong>smbpasswd</strong></a> file is changed. If this UNIX -password change fails, then <a href="smbd.8.html"><strong>smbd</strong></a> will fail to -change the SMB password also (this is by design). -<p>If the <a href="smb.conf.5.html#unixpasswordsync"><strong>"unix password sync"</strong></a> parameter is -set this parameter <em>MUST USE ABSOLUTE PATHS</em> for <em>ALL</em> programs -called, and must be examined for security implications. Note that by -default <a href="smb.conf.5.html#unixpasswordsync"><strong>"unix password sync"</strong></a> is set to -<code>"False"</code>. -<p>See also <a href="smb.conf.5.html#unixpasswordsync"><strong>"unix password sync"</strong></a>. -<p><strong>Default:</strong> -<code> passwd program = /bin/passwd</code> -<p><strong>Example:</strong> -<code> passwd program = /sbin/passwd %u</code> -<p><a name="passwordlevel"></a> -<p></p><dt><strong><strong>password level (G)</strong></strong><dd> -<p>Some client/server combinations have difficulty with mixed-case -passwords. One offending client is Windows for Workgroups, which for -some reason forces passwords to upper case when using the LANMAN1 -protocol, but leaves them alone when using COREPLUS! -<p>This parameter defines the maximum number of characters that may be -upper case in passwords. -<p>For example, say the password given was <code>"FRED"</code>. If <strong>password -level</strong> is set to 1, the following combinations would be tried if -<code>"FRED"</code> failed: -<p><code>"Fred"</code>, <code>"fred"</code>, <code>"fRed"</code>, <code>"frEd"</code>, <code>"freD"</code> -<p>If <strong>password level</strong> was set to 2, the following combinations would -also be tried: -<p><code>"FRed"</code>, <code>"FrEd"</code>, <code>"FreD"</code>, <code>"fREd"</code>, <code>"fReD"</code>, -<code>"frED"</code>, <code>..</code> -<p>And so on. -<p>The higher value this parameter is set to the more likely it is that a -mixed case password will be matched against a single case -password. However, you should be aware that use of this parameter -reduces security and increases the time taken to process a new -connection. -<p>A value of zero will cause only two attempts to be made - the password -as is and the password in all-lower case. -<p><strong>Default:</strong> -<code> password level = 0</code> -<p><strong>Example:</strong> -<code> password level = 4</code> -<p><a name="passwordserver"></a> -<p></p><dt><strong><strong>password server (G)</strong></strong><dd> -<p>By specifying the name of another SMB server (such as a WinNT box) -with this option, and using <a href="smb.conf.5.html#security"><strong>"security = domain"</strong></a> or -<a href="smb.conf.5.html#security"><strong>"security = server"</strong></a> you can get Samba to do all -its username/password validation via a remote server. -<p>This options sets the name of the password server to use. It must be a -NetBIOS name, so if the machine's NetBIOS name is different from its -internet name then you may have to add its NetBIOS name to the lmhosts -file which is stored in the same directory as the <strong>smb.conf</strong> file. -<p>The name of the password server is looked up using the parameter -<a href="smb.conf.5.html#nameresolveorder"><strong>"name resolve order="</strong></a> and so may resolved -by any method and order described in that parameter. -<p>The password server much be a machine capable of using the "LM1.2X002" -or the "LM NT 0.12" protocol, and it must be in user level security -mode. -<p>NOTE: Using a password server means your UNIX box (running Samba) is -only as secure as your password server. <em>DO NOT CHOOSE A PASSWORD -SERVER THAT YOU DON'T COMPLETELY TRUST</em>. -<p>Never point a Samba server at itself for password serving. This will -cause a loop and could lock up your Samba server! -<p>The name of the password server takes the standard substitutions, but -probably the only useful one is <a href="smb.conf.5.html#percentm"><strong>%m</strong></a>, which means -the Samba server will use the incoming client as the password -server. If you use this then you better trust your clients, and you -better restrict them with hosts allow! -<p>If the <a href="smb.conf.5.html#security"><strong>"security"</strong></a> parameter is set to -<strong>"domain"</strong>, then the list of machines in this option must be a list -of Primary or Backup Domain controllers for the -<a href="smb.conf.5.html#workgroup"><strong>Domain</strong></a> or the character <code>*</code>, as the Samba server is cryptographicly -in that domain, and will use cryptographicly authenticated RPC calls -to authenticate the user logging on. The advantage of using -<a href="smb.conf.5.html#securityequaldomain"><strong>"security=domain"</strong></a> is that if you list -several hosts in the <strong>"password server"</strong> option then -<a href="smbd.8.html"><strong>smbd</strong></a> will try each in turn till it finds one -that responds. This is useful in case your primary server goes down. -<p>If the <strong>"password server"</strong> option is set to the character <code>*</code>, -then Samba will attempt to auto-locate the Primary or Backup Domain controllers -to authenticate against by doing a query for the name <code>WORKGROUP<1C></code> -and then contacting each server returned in the list of IP addresses -from the <a href="smb.conf.5.html#nameresolveorder"><strong>name resolution</strong></a> source. -<p>If the <a href="smb.conf.5.html#security"><strong>"security"</strong></a> parameter is set to -<a href="smb.conf.5.html#securityequalserver"><strong>"server"</strong></a>, then there are different -restrictions that <a href="smb.conf.5.html#securityequaldomain"><strong>"security=domain"</strong></a> -doesn't suffer from: -<p><dl> -<p><li > You may list several password servers in the <strong>"password server"</strong> -parameter, however if an <a href="smbd.8.html"><strong>smbd</strong></a> makes a connection -to a password server, and then the password server fails, no more -users will be able to be authenticated from this -<a href="smbd.8.html"><strong>smbd</strong></a>. This is a restriction of the SMB/CIFS -protocol when in <a href="smb.conf.5.html#securityequalserver"><strong>"security=server"</strong></a> mode -and cannot be fixed in Samba. -<p><li > If you are using a Windows NT server as your password server then -you will have to ensure that your users are able to login from the -Samba server, as when in -<a href="smb.conf.5.html#securityequalserver"><strong>"security=server"</strong></a> mode the network -logon will appear to come from there rather than from the users -workstation. -<p></dl> -<p>See also the <a href="smb.conf.5.html#security"><strong>"security"</strong></a> parameter. -<p><strong>Default:</strong> -<code> password server = <empty string></code> -<p><strong>Example:</strong> -<code> password server = NT-PDC, NT-BDC1, NT-BDC2</code> -<p><strong>Example:</strong> -<code> password server = *</code> -<p><a name="path"></a> -<p></p><dt><strong><strong>path (S)</strong></strong><dd> -<p>This parameter specifies a directory to which the user of the service -is to be given access. In the case of printable services, this is -where print data will spool prior to being submitted to the host for -printing. -<p>For a printable service offering guest access, the service should be -readonly and the path should be world-writeable and have the sticky bit -set. This is not mandatory of course, but you probably won't get the -results you expect if you do otherwise. -<p>Any occurrences of <a href="smb.conf.5.html#percentu"><strong>%u</strong></a> in the path will be replaced -with the UNIX username that the client is using on this -connection. Any occurrences of <a href="smb.conf.5.html#percentm"><strong>%m</strong></a> will be replaced -by the NetBIOS name of the machine they are connecting from. These -replacements are very useful for setting up pseudo home directories -for users. -<p>Note that this path will be based on <a href="smb.conf.5.html#rootdir"><strong>"root dir"</strong></a> if -one was specified. -<p><strong>Default:</strong> -<code> none</code> -<p><strong>Example:</strong> -<code> path = /home/fred</code> -<p><a name="postexec"></a> -<p></p><dt><strong><strong>postexec (S)</strong></strong><dd> -<p>This option specifies a command to be run whenever the service is -disconnected. It takes the usual substitutions. The command may be run -as the root on some systems. -<p>An interesting example may be do unmount server resources: -<p><code>postexec = /etc/umount /cdrom</code> -<p>See also <a href="smb.conf.5.html#preexec"><strong>preexec</strong></a>. -<p><strong>Default:</strong> -<code> none (no command executed)</code> -<p><strong>Example:</strong> -<code> postexec = echo "%u disconnected from %S from %m (%I)" >> /tmp/log</code> -<p><a name="postscript"></a> -<p></p><dt><strong><strong>postscript (S)</strong></strong><dd> -<p>This parameter forces a printer to interpret the print files as -postscript. This is done by adding a <code>%!</code> to the start of print output. -<p>This is most useful when you have lots of PCs that persist in putting -a control-D at the start of print jobs, which then confuses your -printer. -<p><strong>Default:</strong> -<code> postscript = False</code> -<p><strong>Example:</strong> -<code> postscript = True</code> -<p><a name="preexec"></a> -<p></p><dt><strong><strong>preexec (S)</strong></strong><dd> -<p>This option specifies a command to be run whenever the service is -connected to. It takes the usual substitutions. -<p>An interesting example is to send the users a welcome message every -time they log in. Maybe a message of the day? Here is an example: -<p><pre> - - preexec = csh -c 'echo \"Welcome to %S!\" | /usr/local/samba/bin/smbclient -M %m -I %I' & - -</pre> - -<p>Of course, this could get annoying after a while :-) -<p>See also <a href="smb.conf.5.html#preexecclose"><strong>preexec close</strong></a> and <a href="smb.conf.5.html#postexec"><strong>postexec</strong></a>. -<p><strong>Default:</strong> -<code> none (no command executed)</code> -<p><strong>Example:</strong> -<code> preexec = echo \"%u connected to %S from %m (%I)\" >> /tmp/log</code> -<p><a name="preexecclose"></a> -<p></p><dt><strong><strong>preexec close (S)</strong></strong><dd> -<p>This boolean option controls whether a non-zero return code from -<a href="smb.conf.5.html#preexec"><strong>"preexec"</strong></a> should close the service being connected to. -<p><strong>Default:</strong> -<code> preexec close = no</code> -<p><strong>Example:</strong> -<code> preexec close = yes</code> -<p><a name="preferredmaster"></a> -<p></p><dt><strong><strong>preferred master (G)</strong></strong><dd> -<p>This boolean parameter controls if <a href="nmbd.8.html"><strong>nmbd</strong></a> is a -preferred master browser for its workgroup. -<p>If this is set to true, on startup, <a href="nmbd.8.html"><strong>nmbd</strong></a> will -force an election, and it will have a slight advantage in winning the -election. It is recommended that this parameter is used in -conjunction with <a href="smb.conf.5.html#domainmaster"><strong>"domain master = yes"</strong></a>, so -that <a href="nmbd.8.html"><strong>nmbd</strong></a> can guarantee becoming a domain -master. -<p>Use this option with caution, because if there are several hosts -(whether Samba servers, Windows 95 or NT) that are preferred master -browsers on the same subnet, they will each periodically and -continuously attempt to become the local master browser. This will -result in unnecessary broadcast traffic and reduced browsing -capabilities. -<p>See also <a href="smb.conf.5.html#oslevel"><strong>os level</strong></a>. -<p><strong>Default:</strong> -<code> preferred master = no</code> -<p><strong>Example:</strong> -<code> preferred master = yes</code> -<p><a name="preferedmaster"></a> -<p></p><dt><strong><strong>prefered master (G)</strong></strong><dd> -<p>Synonym for <a href="smb.conf.5.html#preferredmaster"><strong>"preferred master"</strong></a> for people -who cannot spell :-). -<p><a name="preload"></a> -<p></p><dt><strong><strong>preload</strong></strong><dd> -Synonym for <a href="smb.conf.5.html#autoservices"><strong>"auto services"</strong></a>. -<p><a name="preservecase"></a> -<p></p><dt><strong><strong>preserve case (S)</strong></strong><dd> -<p>This controls if new filenames are created with the case that the -client passes, or if they are forced to be the <code>"default"</code> case. -<p><strong>Default:</strong> -<code> preserve case = yes</code> -<p>See the section on <a href="smb.conf.5.html#NAMEMANGLING"><strong>"NAME MANGLING"</strong></a> for a -fuller discussion. -<p><a name="printcommand"></a> -<p></p><dt><strong><strong>print command (S)</strong></strong><dd> -<p>After a print job has finished spooling to a service, this command -will be used via a <code>system()</code> call to process the spool -file. Typically the command specified will submit the spool file to -the host's printing subsystem, but there is no requirement that this -be the case. The server will not remove the spool file, so whatever -command you specify should remove the spool file when it has been -processed, otherwise you will need to manually remove old spool files. -<p>The print command is simply a text string. It will be used verbatim, -with two exceptions: All occurrences of <code>"%s"</code> and <code>"%f"</code> will be -replaced by the appropriate spool file name, and all occurrences of -<code>"%p"</code> will be replaced by the appropriate printer name. The spool -file name is generated automatically by the server, the printer name -is discussed below. -<p>The print command <em>MUST</em> contain at least one occurrence of <code>"%s"</code> -or <code>"%f"</code> - the <code>"%p"</code> is optional. At the time a job is -submitted, if no printer name is supplied the <code>"%p"</code> will be -silently removed from the printer command. -<p>If specified in the <a href="smb.conf.5.html#global"><strong>"[global]"</strong></a> section, the print -command given will be used for any printable service that does not -have its own print command specified. -<p>If there is neither a specified print command for a printable service -nor a global print command, spool files will be created but not -processed and (most importantly) not removed. -<p>Note that printing may fail on some UNIXs from the <code>"nobody"</code> -account. If this happens then create an alternative guest account that -can print and set the <a href="smb.conf.5.html#guestaccount"><strong>"guest account"</strong></a> in the -<a href="smb.conf.5.html#global"><strong>"[global]"</strong></a> section. -<p>You can form quite complex print commands by realizing that they are -just passed to a shell. For example the following will log a print -job, print the file, then remove it. Note that <code>';'</code> is the usual -separator for command in shell scripts. -<p><code>print command = echo Printing %s >> /tmp/print.log; lpr -P %p %s; rm %s</code> -<p>You may have to vary this command considerably depending on how you -normally print files on your system. The default for the parameter -varies depending on the setting of the <a href="smb.conf.5.html#printing"><strong>"printing="</strong></a> -parameter. -<p><strong>Default:</strong> - For <a href="smb.conf.5.html#printing"><strong>"printing="</strong></a> BSD, AIX, QNX, LPRNG or PLP : -<code> print command = lpr -r -P%p %s</code> -<p>For <a href="smb.conf.5.html#printing"><strong>"printing="</strong></a> SYS or HPUX : -<code> print command = lp -c -d%p %s; rm %s</code> -<p>For <a href="smb.conf.5.html#printing"><strong>"printing="</strong></a> SOFTQ : -<code> print command = lp -d%p -s %s; rm %s</code> -<p><strong>Example:</strong> -<code> print command = /usr/local/samba/bin/myprintscript %p %s</code> -<p><a name="printok"></a> -<p></p><dt><strong><strong>print ok (S)</strong></strong><dd> -<p>Synonym for <a href="smb.conf.5.html#printable"><strong>printable</strong></a>. -<p><a name="printable"></a> -<p></p><dt><strong><strong>printable (S)</strong></strong><dd> -<p>If this parameter is <code>"yes"</code>, then clients may open, write to and -submit spool files on the directory specified for the service. -<p>Note that a printable service will ALWAYS allow writing to the service -path (user privileges permitting) via the spooling of print data. The -<a href="smb.conf.5.html#writeable"><strong>"writeable"</strong></a> parameter controls only non-printing -access to the resource. -<p><strong>Default:</strong> -<code> printable = no</code> -<p><strong>Example:</strong> -<code> printable = yes</code> -<p><a name="printcap"></a> -<p></p><dt><strong><strong>printcap (G)</strong></strong><dd> -<p>Synonym for <a href="smb.conf.5.html#printcapname"><strong>printcapname</strong></a>. -<p><a name="printeradmin"></a> -<p></p><dt><strong><strong>printer admin (S)</strong></strong><dd> -<p>This is a list of users that can do anything to printers via the -remote administration interfaces offered by MSRPC (usually using a NT -workstation). Note that the root user always has admin rights. -<p><strong>Default:</strong> -<code> printer admin = <empty string></code> -<p><strong>Example:</strong> -<code> printer admin = admin, @staff</code> -<p><a name="printcapname"></a> -<p></p><dt><strong><strong>printcap name (G)</strong></strong><dd> -<p>This parameter may be used to override the compiled-in default -printcap name used by the server (usually /etc/printcap). See the -discussion of the <a href="smb.conf.5.html#printers"><strong>[printers]</strong></a> section above for -reasons why you might want to do this. -<p>On System V systems that use <strong>lpstat</strong> to list available printers you -can use <code>"printcap name = lpstat"</code> to automatically obtain lists of -available printers. This is the default for systems that define SYSV -at configure time in Samba (this includes most System V based -systems). If <strong>"printcap name"</strong> is set to <strong>lpstat</strong> on these systems -then Samba will launch <code>"lpstat -v"</code> and attempt to parse the output -to obtain a printer list. -<p>A minimal printcap file would look something like this: -<p><pre> - - print1|My Printer 1 - print2|My Printer 2 - print3|My Printer 3 - print4|My Printer 4 - print5|My Printer 5 - -</pre> - -<p>where the <code>'|'</code> separates aliases of a printer. The fact that the -second alias has a space in it gives a hint to Samba that it's a -comment. -<p><em>NOTE</em>: Under AIX the default printcap name is -<code>"/etc/qconfig"</code>. Samba will assume the file is in AIX <code>"qconfig"</code> -format if the string <code>"/qconfig"</code> appears in the printcap filename. -<p><strong>Default:</strong> -<code> printcap name = /etc/printcap</code> -<p><strong>Example:</strong> -<code> printcap name = /etc/myprintcap</code> -<p><a name="printer"></a> -<p></p><dt><strong><strong>printer (S)</strong></strong><dd> -<p>This parameter specifies the name of the printer to which print jobs -spooled through a printable service will be sent. -<p>If specified in the <a href="smb.conf.5.html#global"><strong>[global]</strong></a> section, the printer -name given will be used for any printable service that does not have -its own printer name specified. -<p><strong>Default:</strong> - none (but may be <code>"lp"</code> on many systems) -<p><strong>Example:</strong> - printer name = laserwriter -<p><a name="printerdriver"></a> -<p></p><dt><strong><strong>printer driver (S)</strong></strong><dd> -<p>This option allows you to control the string that clients receive when -they ask the server for the printer driver associated with a -printer. If you are using Windows95 or WindowsNT then you can use this -to automate the setup of printers on your system. -<p>You need to set this parameter to the exact string (case sensitive) -that describes the appropriate printer driver for your system. If you -don't know the exact string to use then you should first try with no -<strong>"printer driver"</strong> option set and the client will give you a list of -printer drivers. The appropriate strings are shown in a scrollbox -after you have chosen the printer manufacturer. -<p>See also <a href="smb.conf.5.html#printerdriverfile"><strong>"printer driver file"</strong></a>. -<p><strong>Example:</strong> - printer driver = HP LaserJet 4L -<p><a name="printerdriverfile"></a> -<p></p><dt><strong><strong>printer driver file (G)</strong></strong><dd> -<p>This parameter tells Samba where the printer driver definition file, -used when serving drivers to Windows 95 clients, is to be found. If -this is not set, the default is : -<p><code>SAMBA_INSTALL_DIRECTORY/lib/printers.def</code> -<p>This file is created from Windows 95 <code>"msprint.def"</code> files found on -the Windows 95 client system. For more details on setting up serving -of printer drivers to Windows 95 clients, see the documentation file -in the docs/ directory, PRINTER_DRIVER.txt. -<p><strong>Default:</strong> -<code> None (set in compile).</code> -<p><strong>Example:</strong> -<code> printer driver file = /usr/local/samba/printers/drivers.def</code> -<p>See also <a href="smb.conf.5.html#printerdriverlocation"><strong>"printer driver location"</strong></a>. -<p><a name="printerdriverlocation"></a> -<p></p><dt><strong><strong>printer driver location (S)</strong></strong><dd> -<p>This parameter tells clients of a particular printer share where to -find the printer driver files for the automatic installation of -drivers for Windows 95 machines. If Samba is set up to serve printer -drivers to Windows 95 machines, this should be set to -<p><code>\\MACHINE\PRINTER$</code> -<p>Where MACHINE is the NetBIOS name of your Samba server, and PRINTER$ -is a share you set up for serving printer driver files. For more -details on setting this up see the documentation file in the docs/ -directory, PRINTER_DRIVER.txt. -<p><strong>Default:</strong> -<code> None</code> -<p><strong>Example:</strong> -<code> printer driver location = \\MACHINE\PRINTER$</code> -<p>See also <a href="smb.conf.5.html#printerdriverfile"><strong>"printer driver file"</strong></a>. -<p><a name="printername"></a> -<p></p><dt><strong><strong>printer name (S)</strong></strong><dd> -<p>Synonym for <a href="smb.conf.5.html#printer"><strong>printer</strong></a>. -<p><a name="printing"></a> -<p></p><dt><strong><strong>printing (S)</strong></strong><dd> -<p>This parameters controls how printer status information is interpreted -on your system. It also affects the default values for the -<a href="smb.conf.5.html#printcommand"><strong>"print command"</strong></a>, <a href="smb.conf.5.html#lpqcommand"><strong>"lpq -command"</strong></a> <a href="smb.conf.5.html#lppausecommand"><strong>"lppause command"</strong></a>, -<a href="smb.conf.5.html#lpresumecommand"><strong>"lpresume command"</strong></a>, and <a href="smb.conf.5.html#lprmcommand"><strong>"lprm -command"</strong></a> if specified in the <a href="smb.conf.5.html#global"><strong>[global]</strong></a> -section. -<p>Currently eight printing styles are supported. They are -<strong>"printing=BSD"</strong>, <strong>"printing=AIX"</strong>, -<strong>"printing=LPRNG"</strong>, <strong>"printing=PLP"</strong>, <strong>"printing=SYSV"</strong>, -<strong>"printing="HPUX"</strong>, <strong>"printing=QNX"</strong>, <strong>"printing=SOFTQ"</strong>, -and <strong>"printing=CUPS"</strong>. -<p>To see what the defaults are for the other print commands when using -the various options use the <a href="testparm.1.html"><strong>"testparm"</strong></a> program. -<p>This option can be set on a per printer basis -<p>See also the discussion in the <a href="smb.conf.5.html#printers"><strong>[printers]</strong></a> section. -<p><a name="protocol"></a> -<p></p><dt><strong><strong>protocol (G)</strong></strong><dd> -<p>The value of the parameter (a string) is the highest protocol level -that will be supported by the server. -<p>Possible values are : -<p><dl> -<p><li > CORE: Earliest version. No concept of user names. -<p><li > COREPLUS: Slight improvements on CORE for efficiency. -<p><li > LANMAN1: First <em>"modern"</em> version of the protocol. Long -filename support. -<p><li > LANMAN2: Updates to Lanman1 protocol. -<p><li > NT1: Current up to date version of the protocol. Used by Windows -NT. Known as CIFS. -<p></dl> -<p>Normally this option should not be set as the automatic negotiation -phase in the SMB protocol takes care of choosing the appropriate -protocol. -<p><strong>Default:</strong> -<code> protocol = NT1</code> -<p><strong>Example:</strong> -<code> protocol = LANMAN1</code> -<p><a name="public"></a> -<p></p><dt><strong><strong>public (S)</strong></strong><dd> -<p>Synonym for <a href="smb.conf.5.html#guestok"><strong>"guest ok"</strong></a>. -<p><a name="queuepausecommand"></a> -<p></p><dt><strong><strong>queuepause command (S)</strong></strong><dd> -<p>This parameter specifies the command to be executed on the server host -in order to pause the printerqueue. -<p>This command should be a program or script which takes a printer name -as its only parameter and stops the printerqueue, such that no longer -jobs are submitted to the printer. -<p>This command is not supported by Windows for Workgroups, but can be -issued from the Printer's window under Windows 95 & NT. -<p>If a <code>"%p"</code> is given then the printername is put in its -place. Otherwise it is placed at the end of the command. -<p>Note that it is good practice to include the absolute path in the -command as the PATH may not be available to the server. -<p><strong>Default:</strong> -<code> depends on the setting of "printing ="</code> -<p><strong>Example:</strong> -<code> queuepause command = disable %p</code> -<p><a name="queueresumecommand"></a> -<p></p><dt><strong><strong>queueresume command (S)</strong></strong><dd> -<p>This parameter specifies the command to be executed on the server host -in order to resume the printerqueue. It is the command to undo the -behavior that is caused by the previous parameter -(<a href="smb.conf.5.html#queuepausecommand"><strong>"queuepause command</strong></a>). -<p>This command should be a program or script which takes a printer name -as its only parameter and resumes the printerqueue, such that queued -jobs are resubmitted to the printer. -<p>This command is not supported by Windows for Workgroups, but can be -issued from the Printer's window under Windows 95 & NT. -<p>If a <code>"%p"</code> is given then the printername is put in its -place. Otherwise it is placed at the end of the command. -<p>Note that it is good practice to include the absolute path in the -command as the PATH may not be available to the server. -<p><strong>Default:</strong> -<code> depends on the setting of "printing ="</code> -<p><strong>Example:</strong> -<code> queuepause command = enable %p</code> -<p><a name="readbmpx"></a> -<p></p><dt><strong><strong>read bmpx (G)</strong></strong><dd> -<p>This boolean parameter controls whether <a href="smbd.8.html"><strong>smbd</strong></a> -will support the "Read Block Multiplex" SMB. This is now rarely used -and defaults to off. You should never need to set this parameter. -<p><strong>Default:</strong> - read bmpx = No -<p><a name="readlist"></a> -<p></p><dt><strong><strong>read list (S)</strong></strong><dd> -<p>This is a list of users that are given read-only access to a -service. If the connecting user is in this list then they will not be -given write access, no matter what the <a href="smb.conf.5.html#writeable"><strong>"writeable"</strong></a> -option is set to. The list can include group names using the syntax -described in the <a href="smb.conf.5.html#invalidusers"><strong>"invalid users"</strong></a> parameter. -<p>See also the <a href="smb.conf.5.html#writelist"><strong>"write list"</strong></a> parameter and -the <a href="smb.conf.5.html#invalidusers"><strong>"invalid users"</strong></a> parameter. -<p><strong>Default:</strong> -<code> read list = <empty string></code> -<p><strong>Example:</strong> -<code> read list = mary, @students</code> -<p><a name="readonly"></a> -<p></p><dt><strong><strong>read only (S)</strong></strong><dd> -<p>Note that this is an inverted synonym for -<a href="smb.conf.5.html#writeable"><strong>"writeable"</strong></a>. -<p><a name="readprediction"></a> -<p></p><dt><strong><strong>read prediction (G)</strong></strong><dd> -<p><em>NOTE</em>: This code is currently disabled in Samba2.0 and -may be removed at a later date. Hence this parameter has -no effect. -<p>This options enables or disables the read prediction code used to -speed up reads from the server. When enabled the server will try to -pre-read data from the last accessed file that was opened read-only -while waiting for packets. -<p><strong>Default:</strong> -<code> read prediction = False</code> -<p><a name="readraw"></a> -<p></p><dt><strong><strong>read raw (G)</strong></strong><dd> -<p>This parameter controls whether or not the server will support the raw -read SMB requests when transferring data to clients. -<p>If enabled, raw reads allow reads of 65535 bytes in one packet. This -typically provides a major performance benefit. -<p>However, some clients either negotiate the allowable block size -incorrectly or are incapable of supporting larger block sizes, and for -these clients you may need to disable raw reads. -<p>In general this parameter should be viewed as a system tuning tool and left -severely alone. See also <a href="smb.conf.5.html#writeraw"><strong>"write raw"</strong></a>. -<p><strong>Default:</strong> -<code> read raw = yes</code> -<p><a name="readsize"></a> -<p></p><dt><strong><strong>read size (G)</strong></strong><dd> -<p>The option <strong>"read size"</strong> affects the overlap of disk reads/writes -with network reads/writes. If the amount of data being transferred in -several of the SMB commands (currently SMBwrite, SMBwriteX and -SMBreadbraw) is larger than this value then the server begins writing -the data before it has received the whole packet from the network, or -in the case of SMBreadbraw, it begins writing to the network before -all the data has been read from disk. -<p>This overlapping works best when the speeds of disk and network access -are similar, having very little effect when the speed of one is much -greater than the other. -<p>The default value is 16384, but very little experimentation has been -done yet to determine the optimal value, and it is likely that the -best value will vary greatly between systems anyway. A value over -65536 is pointless and will cause you to allocate memory -unnecessarily. -<p><strong>Default:</strong> -<code> read size = 16384</code> -<p><strong>Example:</strong> -<code> read size = 8192</code> -<p><a name="remoteannounce"></a> -<p></p><dt><strong><strong>remote announce (G)</strong></strong><dd> -<p>This option allows you to setup <a href="nmbd.8.html"><strong>nmbd</strong></a> to -periodically announce itself to arbitrary IP addresses with an -arbitrary workgroup name. -<p>This is useful if you want your Samba server to appear in a remote -workgroup for which the normal browse propagation rules don't -work. The remote workgroup can be anywhere that you can send IP -packets to. -<p>For example: -<p><code> remote announce = 192.168.2.255/SERVERS 192.168.4.255/STAFF</code> -<p>the above line would cause nmbd to announce itself to the two given IP -addresses using the given workgroup names. If you leave out the -workgroup name then the one given in the -<a href="smb.conf.5.html#workgroup"><strong>"workgroup"</strong></a> parameter is used instead. -<p>The IP addresses you choose would normally be the broadcast addresses -of the remote networks, but can also be the IP addresses of known -browse masters if your network config is that stable. -<p>See the documentation file BROWSING.txt in the docs/ directory. -<p><strong>Default:</strong> -<code> remote announce = <empty string></code> -<p><strong>Example:</strong> -<code> remote announce = 192.168.2.255/SERVERS 192.168.4.255/STAFF</code> -<p><a name="remotebrowsesync"></a> -<p></p><dt><strong><strong>remote browse sync (G)</strong></strong><dd> -<p>This option allows you to setup <a href="nmbd.8.html"><strong>nmbd</strong></a> to -periodically request synchronization of browse lists with the master -browser of a samba server that is on a remote segment. This option -will allow you to gain browse lists for multiple workgroups across -routed networks. This is done in a manner that does not work with any -non-samba servers. -<p>This is useful if you want your Samba server and all local clients to -appear in a remote workgroup for which the normal browse propagation -rules don't work. The remote workgroup can be anywhere that you can -send IP packets to. -<p>For example: -<p><code> remote browse sync = 192.168.2.255 192.168.4.255</code> -<p>the above line would cause <a href="nmbd.8.html"><strong>nmbd</strong></a> to request the -master browser on the specified subnets or addresses to synchronize -their browse lists with the local server. -<p>The IP addresses you choose would normally be the broadcast addresses -of the remote networks, but can also be the IP addresses of known -browse masters if your network config is that stable. If a machine IP -address is given Samba makes NO attempt to validate that the remote -machine is available, is listening, nor that it is in fact the browse -master on it's segment. -<p><strong>Default:</strong> -<code> remote browse sync = <empty string></code> -<p><strong>Example:</strong> -<code> remote browse sync = 192.168.2.255 192.168.4.255</code> -<p><a name="restrictanonymous"></a> -<p></p><dt><strong><strong>restrict anonymous (G)</strong></strong><dd> -<p>This is a boolean parameter. If it is true, then anonymous access -to the server will be restricted, namely in the case where the server -is expecting the client to send a username, but it doesn't. Setting -it to true will force these anonymous connections to be denied, and -the client will be required to always supply a username and password -when connecting. Use of this parameter is only recommened for homogenous -NT client environments. -<p>This parameter makes the use of macro expansions that rely -on the username (%U, %G, etc) consistant. NT 4.0 likes to use -anonymous connections when refreshing the share list, and this -is a way to work around that. -<p>When restrict anonymous is true, all anonymous connections are denied -no matter what they are for. This can effect the ability of a machine -to access the samba Primary Domain Controller to revalidate it's machine -account after someone else has logged on the client interactively. The -NT client will display a message saying that the machine's account in -the domain doesn't exist or the password is bad. The best way to deal -with this is to reboot NT client machines between interactive logons, -using "Shutdown and Restart", rather than "Close all programs and logon -as a different user". -<p><strong>Default:</strong> -<code> restrict anonymous = false</code> -<p><strong>Example:</strong> -<code> restrict anonymous = true</code> -<p><a name="root"></a> -<p></p><dt><strong><strong>root (G)</strong></strong><dd> -<p>Synonym for <a href="smb.conf.5.html#rootdirectory"><strong>"root directory"</strong></a>. -<p><a name="rootdir"></a> -<p></p><dt><strong><strong>root dir (G)</strong></strong><dd> -<p>Synonym for <a href="smb.conf.5.html#rootdirectory"><strong>"root directory"</strong></a>. -<p><a name="rootdirectory"></a> -<p></p><dt><strong><strong>root directory (G)</strong></strong><dd> -<p>The server will <code>"chroot()"</code> (i.e. Change it's root directory) to -this directory on startup. This is not strictly necessary for secure -operation. Even without it the server will deny access to files not in -one of the service entries. It may also check for, and deny access to, -soft links to other parts of the filesystem, or attempts to use -<code>".."</code> in file names to access other directories (depending on the -setting of the <a href="smb.conf.5.html#widelinks"><strong>"wide links"</strong></a> parameter). -<p>Adding a <strong>"root directory"</strong> entry other than <code>"/"</code> adds an extra -level of security, but at a price. It absolutely ensures that no -access is given to files not in the sub-tree specified in the <strong>"root -directory"</strong> option, <em>*including*</em> some files needed for complete -operation of the server. To maintain full operability of the server -you will need to mirror some system files into the <strong>"root -directory"</strong> tree. In particular you will need to mirror /etc/passwd -(or a subset of it), and any binaries or configuration files needed -for printing (if required). The set of files that must be mirrored is -operating system dependent. -<p><strong>Default:</strong> -<code> root directory = /</code> -<p><strong>Example:</strong> -<code> root directory = /homes/smb</code> -<p><a name="rootpostexec"></a> -<p></p><dt><strong><strong>root postexec (S)</strong></strong><dd> -<p>This is the same as the <a href="smb.conf.5.html#postexec"><strong>"postexec"</strong></a> parameter -except that the command is run as root. This is useful for unmounting -filesystems (such as cdroms) after a connection is closed. -<p>See also <a href="smb.conf.5.html#postexec"><strong>"postexec"</strong></a>. -<p><a name="rootpreexec"></a> -<p></p><dt><strong><strong>root preexec (S)</strong></strong><dd> -<p>This is the same as the <a href="smb.conf.5.html#preexec"><strong>"preexec"</strong></a> parameter except -that the command is run as root. This is useful for mounting -filesystems (such as cdroms) before a connection is finalized. -<p>See also <a href="smb.conf.5.html#preexec"><strong>"preexec"</strong></a> -and <a href="smb.conf.5.html#rootpreexecclose"><strong>"root preexec close"</strong></a>. -<p><a name="rootpreexecclose"></a> -<p></p><dt><strong><strong>root preexec close (S)</strong></strong><dd> -<p>This is the same as the <a href="smb.conf.5.html#preexecclose"><strong>"preexec close"</strong></a> parameter -except that the command is run as root. -<p>See also <a href="smb.conf.5.html#preexec"><strong>"preexec"</strong></a>, <a href="smb.conf.5.html#preexecclose"><strong>"preexec close"</strong></a>. -<p><a name="security"></a> -<p></p><dt><strong><strong>security (G)</strong></strong><dd> -<p>This option affects how clients respond to Samba and is one of the most -important settings in the <strong>smb.conf</strong> file. -<p>The option sets the <code>"security mode bit"</code> in replies to protocol -negotiations with <a href="smbd.8.html"><strong>smbd</strong></a> to turn share level -security on or off. Clients decide based on this bit whether (and how) -to transfer user and password information to the server. -<p>The default is <a href="smb.conf.5.html#securityequaluser">"security=user"</a>, as this is -the most common setting needed when talking to Windows 98 and Windows -NT. -<p>The alternatives are <a href="smb.conf.5.html#securityequalshare"><strong>"security = share"</strong></a>, -<a href="smb.conf.5.html#securityequalserver"><strong>"security = server"</strong></a> or -<a href="smb.conf.5.html#securityequaldomain"><strong>"security=domain"</strong></a>. -<p><em>*****NOTE THAT THIS DEFAULT IS DIFFERENT IN SAMBA2.0 THAN FOR -PREVIOUS VERSIONS OF SAMBA *******</em>. -<p>In previous versions of Samba the default was -<a href="smb.conf.5.html#securityequalshare"><strong>"security=share"</strong></a> mainly because that was -the only option at one stage. -<p>There is a bug in WfWg that has relevance to this setting. When in -user or server level security a WfWg client will totally ignore the -password you type in the "connect drive" dialog box. This makes it -very difficult (if not impossible) to connect to a Samba service as -anyone except the user that you are logged into WfWg as. -<p>If your PCs use usernames that are the same as their usernames on the -UNIX machine then you will want to use <strong>"security = user"</strong>. If you -mostly use usernames that don't exist on the UNIX box then use -<strong>"security = share"</strong>. -<p>You should also use <a href="smb.conf.5.html#securityequalshare"><strong>security=share</strong></a> if -you want to mainly setup shares without a password (guest -shares). This is commonly used for a shared printer server. It is more -difficult to setup guest shares with -<a href="smb.conf.5.html#securityequaluser"><strong>security=user</strong></a>, see the <a href="smb.conf.5.html#maptoguest"><strong>"map to -guest"</strong></a>parameter for details. -<p>It is possible to use <a href="smbd.8.html"><strong>smbd</strong></a> in a <em>"hybrid -mode"</em> where it is offers both user and share level security under -different <a href="smb.conf.5.html#netbiosaliases"><strong>NetBIOS aliases</strong></a>. See the -<a href="smb.conf.5.html#netbiosaliases"><strong>NetBIOS aliases</strong></a> and the -<a href="smb.conf.5.html#include"><strong>include</strong></a> parameters for more information. -<p>The different settings will now be explained. -<p><dl> -<p><a name="securityequalshare"></a> -<p></p><dt><strong><strong>"security=share"</strong></strong><dd> When clients connect to a share level -security server then need not log onto the server with a valid -username and password before attempting to connect to a shared -resource (although modern clients such as Windows 95/98 and Windows NT -will send a logon request with a username but no password when talking -to a <strong>security=share</strong> server). Instead, the clients send -authentication information (passwords) on a per-share basis, at the -time they attempt to connect to that share. -<p>Note that <a href="smbd.8.html"><strong>smbd</strong></a> <em>*ALWAYS*</em> uses a valid UNIX -user to act on behalf of the client, even in <strong>"security=share"</strong> -level security. -<p>As clients are not required to send a username to the server -in share level security, <a href="smbd.8.html"><strong>smbd</strong></a> uses several -techniques to determine the correct UNIX user to use on behalf -of the client. -<p>A list of possible UNIX usernames to match with the given -client password is constructed using the following methods : -<p><dl> -<p><li > If the <a href="smb.conf.5.html#guestonly"><strong>"guest only"</strong></a> parameter is set, then -all the other stages are missed and only the <a href="smb.conf.5.html#guestaccount"><strong>"guest -account"</strong></a> username is checked. -<p><li > Is a username is sent with the share connection request, then -this username (after mapping - see <a href="smb.conf.5.html#usernamemap"><strong>"username -map"</strong></a>), is added as a potential username. -<p><li > If the client did a previous <em>"logon"</em> request (the -SessionSetup SMB call) then the username sent in this SMB -will be added as a potential username. -<p><li > The name of the service the client requested is added -as a potential username. -<p><li > The NetBIOS name of the client is added to the list as a -potential username. -<p><li > Any users on the <a href="smb.conf.5.html#user"><strong>"user"</strong></a> list are added -as potential usernames. -<p></dl> -<p>If the <a href="smb.conf.5.html#guestonly"><strong>"guest only"</strong></a> parameter is not set, then -this list is then tried with the supplied password. The first user for -whom the password matches will be used as the UNIX user. -<p>If the <a href="smb.conf.5.html#guestonly"><strong>"guest only"</strong></a> parameter is set, or no -username can be determined then if the share is marked as available to -the <a href="smb.conf.5.html#guestaccount"><strong>"guest account"</strong></a>, then this guest user will -be used, otherwise access is denied. -<p>Note that it can be <em>*very*</em> confusing in share-level security as to -which UNIX username will eventually be used in granting access. -<p>See also the section <a href="smb.conf.5.html#NOTEABOUTUSERNAMEPASSWORDVALIDATION"><strong>"NOTE ABOUT USERNAME/PASSWORD -VALIDATION"</strong></a>. -<p><a name="securityequaluser"></a> -<p></p><dt><strong><strong>"security=user"</strong></strong><dd> -<p>This is the default security setting in Samba2.0. With user-level -security a client must first <code>"log-on"</code> with a valid username and -password (which can be mapped using the <a href="smb.conf.5.html#usernamemap"><strong>"username -map"</strong></a> parameter). Encrypted passwords (see the -<a href="smb.conf.5.html#encryptpasswords"><strong>"encrypted passwords"</strong></a> parameter) can also -be used in this security mode. Parameters such as -<a href="smb.conf.5.html#user"><strong>"user"</strong></a> and <a href="smb.conf.5.html#guestonly"><strong>"guest only"</strong></a>, if set -are then applied and may change the UNIX user to use on this -connection, but only after the user has been successfully -authenticated. -<p><em>Note</em> that the name of the resource being requested is -<em>*not*</em> sent to the server until after the server has successfully -authenticated the client. This is why guest shares don't work in user -level security without allowing the server to automatically map unknown -users into the <a href="smb.conf.5.html#guestaccount"><strong>"guest account"</strong></a>. See the -<a href="smb.conf.5.html#maptoguest"><strong>"map to guest"</strong></a> parameter for details on -doing this. -<p>See also the section <a href="smb.conf.5.html#NOTEABOUTUSERNAMEPASSWORDVALIDATION"><strong>"NOTE ABOUT USERNAME/PASSWORD -VALIDATION"</strong></a>. -<p><a name="securityequalserver"></a> -<p></p><dt><strong><strong>"security=server"</strong></strong><dd> -<p>In this mode Samba will try to validate the username/password by -passing it to another SMB server, such as an NT box. If this fails it -will revert to <strong>"security = user"</strong>, but note that if encrypted -passwords have been negotiated then Samba cannot revert back to -checking the UNIX password file, it must have a valid smbpasswd file -to check users against. See the documentation file in the docs/ -directory ENCRYPTION.txt for details on how to set this up. -<p><em>Note</em> that from the clients point of view <strong>"security=server"</strong> is -the same as <a href="smb.conf.5.html#securityequaluser"><strong>"security=user"</strong></a>. It only -affects how the server deals with the authentication, it does not in -any way affect what the client sees. -<p><em>Note</em> that the name of the resource being requested is -<em>*not*</em> sent to the server until after the server has successfully -authenticated the client. This is why guest shares don't work in server -level security without allowing the server to automatically map unknown -users into the <a href="smb.conf.5.html#guestaccount"><strong>"guest account"</strong></a>. See the -<a href="smb.conf.5.html#maptoguest"><strong>"map to guest"</strong></a> parameter for details on -doing this. -<p>See also the section <a href="smb.conf.5.html#NOTEABOUTUSERNAMEPASSWORDVALIDATION"><strong>"NOTE ABOUT USERNAME/PASSWORD -VALIDATION"</strong></a>. -<p>See also the <a href="smb.conf.5.html#passwordserver"><strong>"password server"</strong></a> parameter. -and the <a href="smb.conf.5.html#encryptpasswords"><strong>"encrypted passwords"</strong></a> parameter. -<p><a name="securityequaldomain"></a> -<p></p><dt><strong><strong>"security=domain"</strong></strong><dd> -<p>This mode will only work correctly if -<a href="smbpasswd.8.html"><strong>smbpasswd</strong></a> has been used to add this machine -into a Windows NT Domain. It expects the <a href="smb.conf.5.html#encryptpasswords"><strong>"encrypted -passwords"</strong></a> parameter to be set to <code>"true"</code>. In -this mode Samba will try to validate the username/password by passing -it to a Windows NT Primary or Backup Domain Controller, in exactly the -same way that a Windows NT Server would do. -<p><em>Note</em> that a valid UNIX user must still exist as well as the -account on the Domain Controller to allow Samba to have a valid -UNIX account to map file access to. -<p><em>Note</em> that from the clients point of view <strong>"security=domain"</strong> is -the same as <a href="smb.conf.5.html#securityequaluser"><strong>"security=user"</strong></a>. It only -affects how the server deals with the authentication, it does not in -any way affect what the client sees. -<p><em>Note</em> that the name of the resource being requested is -<em>*not*</em> sent to the server until after the server has successfully -authenticated the client. This is why guest shares don't work in domain -level security without allowing the server to automatically map unknown -users into the <a href="smb.conf.5.html#guestaccount"><strong>"guest account"</strong></a>. See the -<a href="smb.conf.5.html#maptoguest"><strong>"map to guest"</strong></a> parameter for details on -doing this. -<p><em>BUG:</em> There is currently a bug in the implementation of -<strong>"security=domain</strong> with respect to multi-byte character -set usernames. The communication with a Domain Controller -must be done in UNICODE and Samba currently does not widen -multi-byte user names to UNICODE correctly, thus a multi-byte -username will not be recognized correctly at the Domain Controller. -This issue will be addressed in a future release. -<p>See also the section <a href="smb.conf.5.html#NOTEABOUTUSERNAMEPASSWORDVALIDATION"><strong>"NOTE ABOUT USERNAME/PASSWORD -VALIDATION"</strong></a>. -<p>See also the <a href="smb.conf.5.html#passwordserver"><strong>"password server"</strong></a> parameter. -and the <a href="smb.conf.5.html#encryptpasswords"><strong>"encrypted passwords"</strong></a> parameter. -<p></dl> -<p><strong>Default:</strong> -<code> security = USER</code> -<p><strong>Example:</strong> -<code> security = DOMAIN</code> -<p><a name="securitymask"></a> -<p></p><dt><strong><strong>security mask (S)</strong></strong><dd> -<p>This parameter controls what UNIX permission bits can be modified -when a Windows NT client is manipulating the UNIX permission on a -file using the native NT security dialog box. -<p>This parameter is applied as a mask (AND'ed with) to the changed -permission bits, thus preventing any bits not in this mask from -being modified. Essentially, zero bits in this mask may be treated -as a set of bits the user is not allowed to change. -<p>If not set explicitly this parameter is set to the same value as the -<a href="smb.conf.5.html#createmask"><strong>create mask</strong></a> parameter. To allow a user to -modify all the user/group/world permissions on a file, set this -parameter to 0777. -<p><em>Note</em> that users who can access the Samba server through other -means can easily bypass this restriction, so it is primarily -useful for standalone "appliance" systems. Administrators of -most normal systems will probably want to set it to 0777. -<p>See also the <a href="smb.conf.5.html#forcedirectorysecuritymode"><strong>force directory security -mode</strong></a>, <a href="smb.conf.5.html#directorysecuritymask"><strong>directory security -mask</strong></a>, <a href="smb.conf.5.html#forcesecuritymode"><strong>force security -mode</strong></a> parameters. -<p><strong>Default:</strong> -<code> security mask = <same as create mask></code> -<p><strong>Example:</strong> -<code> security mask = 0777</code> -<p><a name="serverstring"></a> -<p></p><dt><strong><strong>server string (G)</strong></strong><dd> -<p>This controls what string will show up in the printer comment box in -print manager and next to the IPC connection in <code>"net view"</code>. It can be -any string that you wish to show to your users. -<p>It also sets what will appear in browse lists next to the machine -name. -<p>A <code>"%v"</code> will be replaced with the Samba version number. -<p>A <code>"%h"</code> will be replaced with the hostname. -<p><strong>Default:</strong> -<code> server string = Samba %v</code> -<p><strong>Example:</strong> -<code> server string = University of GNUs Samba Server</code> -<p><a name="setdirectory"></a> -<p></p><dt><strong><strong>set directory (S)</strong></strong><dd> -<p>If <code>"set directory = no"</code>, then users of the service may not use the -setdir command to change directory. -<p>The setdir command is only implemented in the Digital Pathworks -client. See the Pathworks documentation for details. -<p><strong>Default:</strong> -<code> set directory = no</code> -<p><strong>Example:</strong> -<code> set directory = yes</code> -<p><a name="sharemodes"></a> -<p></p><dt><strong><strong>share modes (S)</strong></strong><dd> -<p>This enables or disables the honoring of the <code>"share modes"</code> during a -file open. These modes are used by clients to gain exclusive read or -write access to a file. -<p>These open modes are not directly supported by UNIX, so they are -simulated using shared memory, or lock files if your UNIX doesn't -support shared memory (almost all do). -<p>The share modes that are enabled by this option are DENY_DOS, -DENY_ALL, DENY_READ, DENY_WRITE, DENY_NONE and DENY_FCB. -<p>This option gives full share compatibility and enabled by default. -<p>You should <em>*NEVER*</em> turn this parameter off as many Windows -applications will break if you do so. -<p><strong>Default:</strong> -<code> share modes = yes</code> -<p><a name="sharedmemsize"></a> -<p></p><dt><strong><strong>shared mem size (G)</strong></strong><dd> -<p>It specifies the size of the shared memory (in bytes) to use between -<a href="smbd.8.html"><strong>smbd</strong></a> processes. This parameter defaults to one -megabyte of shared memory. It is possible that if you have a large -server with many files open simultaneously that you may need to -increase this parameter. Signs that this parameter is set too low are -users reporting strange problems trying to save files (locking errors) -and error messages in the smbd log looking like <code>"ERROR -smb_shm_alloc : alloc of XX bytes failed"</code>. -<p>If your OS refuses the size that Samba asks for then Samba will try a -smaller size, reducing by a factor of 0.8 until the OS accepts it. -<p><strong>Default:</strong> -<code> shared mem size = 1048576</code> -<p><strong>Example:</strong> -<code> shared mem size = 5242880 ; Set to 5mb for a large number of files.</code> -<p><a name="shortpreservecase"></a> -<p></p><dt><strong><strong>short preserve case (S)</strong></strong><dd> -<p>This boolean parameter controls if new files which conform to 8.3 -syntax, that is all in upper case and of suitable length, are created -upper case, or if they are forced to be the <code>"default"</code> case. This -option can be use with <a href="smb.conf.5.html#preservecaseoption"><strong>"preserve case -=yes"</strong></a> to permit long filenames to retain their -case, while short names are lowered. Default <em>Yes</em>. -<p>See the section on <a href="smb.conf.5.html#NAMEMANGLING"><strong>NAME MANGLING</strong></a>. -<p><strong>Default:</strong> -<code> short preserve case = yes</code> -<p><a name="smbpasswdfile"></a> -<p></p><dt><strong><strong>smb passwd file (G)</strong></strong><dd> -<p>This option sets the path to the encrypted smbpasswd file. By default -the path to the smbpasswd file is compiled into Samba. -<p><strong>Default:</strong> -<code> smb passwd file= <compiled default></code> -<p><strong>Example:</strong> -<code> smb passwd file = /usr/samba/private/smbpasswd</code> -<p><a name="smbrun"></a> -<p></p><dt><strong><strong>smbrun (G)</strong></strong><dd> -<p>This sets the full path to the <strong>smbrun</strong> binary. This defaults to the -value in the Makefile. -<p>You must get this path right for many services to work correctly. -<p>You should not need to change this parameter so long as Samba -is installed correctly. -<p><strong>Default:</strong> -<code> smbrun=<compiled default></code> -<p><strong>Example:</strong> -<code> smbrun = /usr/local/samba/bin/smbrun</code> -<p><a name="socketaddress"></a> -<p></p><dt><strong><strong>socket address (G)</strong></strong><dd> -<p>This option allows you to control what address Samba will listen for -connections on. This is used to support multiple virtual interfaces on -the one server, each with a different configuration. -<p>By default samba will accept connections on any address. -<p><strong>Example:</strong> -<code> socket address = 192.168.2.20</code> -<p><a name="socketoptions"></a> -<p></p><dt><strong><strong>socket options (G)</strong></strong><dd> -<p>This option allows you to set socket options to be used when talking -with the client. -<p>Socket options are controls on the networking layer of the operating -systems which allow the connection to be tuned. -<p>This option will typically be used to tune your Samba server for -optimal performance for your local network. There is no way that Samba -can know what the optimal parameters are for your net, so you must -experiment and choose them yourself. We strongly suggest you read the -appropriate documentation for your operating system first (perhaps -<strong>"man setsockopt"</strong> will help). -<p>You may find that on some systems Samba will say "Unknown socket -option" when you supply an option. This means you either incorrectly -typed it or you need to add an include file to includes.h for your OS. -If the latter is the case please send the patch to -<a href="mailto:samba@samba.org"><em>samba@samba.org</em></a>. -<p>Any of the supported socket options may be combined in any way you -like, as long as your OS allows it. -<p>This is the list of socket options currently settable using this -option: -<p><dl> -<p><li > SO_KEEPALIVE -<p><li > SO_REUSEADDR -<p><li > SO_BROADCAST -<p><li > TCP_NODELAY -<p><li > IPTOS_LOWDELAY -<p><li > IPTOS_THROUGHPUT -<p><li > SO_SNDBUF * -<p><li > SO_RCVBUF * -<p><li > SO_SNDLOWAT * -<p><li > SO_RCVLOWAT * -<p></dl> -<p>Those marked with a <code>*</code> take an integer argument. The others can -optionally take a 1 or 0 argument to enable or disable the option, by -default they will be enabled if you don't specify 1 or 0. -<p>To specify an argument use the syntax SOME_OPTION=VALUE for example -<code>SO_SNDBUF=8192</code>. Note that you must not have any spaces before or after -the = sign. -<p>If you are on a local network then a sensible option might be -<p><code>socket options = IPTOS_LOWDELAY</code> -<p>If you have a local network then you could try: -<p><code>socket options = IPTOS_LOWDELAY TCP_NODELAY</code> -<p>If you are on a wide area network then perhaps try setting -IPTOS_THROUGHPUT. -<p>Note that several of the options may cause your Samba server to fail -completely. Use these options with caution! -<p><strong>Default:</strong> -<code> socket options = TCP_NODELAY</code> -<p><strong>Example:</strong> -<code> socket options = IPTOS_LOWDELAY</code> -<p><a name="sourceenvironment"></a> -<p></p><dt><strong><strong>source environment (G)</strong></strong><dd> -<p>This parameter causes Samba to set environment variables as per the -content of the file named. -<p>The file <strong>must</strong> be owned by root and not world writable in order -to be read (this is a security check). -<p>If the value of this parameter starts with a "|" character then Samba will -treat that value as a pipe command to open and will set the environment -variables from the oput of the pipe. This command must not be world writable -and must reside in a directory that is not world writable. -<p>The contents of the file or the output of the pipe should be formatted -as the output of the standard Unix env(1) command. This is of the form : -<p>Example environment entry: -<code> SAMBA_NETBIOS_NAME=myhostname </code> -<p><strong>Default:</strong> -<code>No default value</code> -<p><strong>Examples:</strong> -<p><code> source environment = |/etc/smb.conf.sh</code> -<p><code> source environment = /usr/local/smb_env_vars</code> -<p><a name="ssl"></a> -<p></p><dt><strong><strong>ssl (G)</strong></strong><dd> -<p>This variable is part of SSL-enabled Samba. This is only available if -the SSL libraries have been compiled on your system and the configure -option <code>"--with-ssl"</code> was given at configure time. -<p><em>Note</em> that for export control reasons this code is <em>**NOT**</em> -enabled by default in any current binary version of Samba. -<p>This variable enables or disables the entire SSL mode. If it is set to -"no", the SSL enabled samba behaves exactly like the non-SSL samba. If -set to "yes", it depends on the variables <a href="smb.conf.5.html#sslhosts"><strong>"ssl -hosts"</strong></a> and <a href="smb.conf.5.html#sslhostsresign"><strong>"ssl hosts resign"</strong></a> -whether an SSL connection will be required. -<p><strong>Default:</strong> -<code> ssl=no</code> - <strong>Example:</strong> -<code> ssl=yes</code> -<p><a name="sslCAcertDir"></a> -<p></p><dt><strong><strong>ssl CA certDir (G)</strong></strong><dd> -<p>This variable is part of SSL-enabled Samba. This is only available if -the SSL libraries have been compiled on your system and the configure -option <code>"--with-ssl"</code> was given at configure time. -<p><em>Note</em> that for export control reasons this code is <em>**NOT**</em> -enabled by default in any current binary version of Samba. -<p>This variable defines where to look up the Certification -Authorities. The given directory should contain one file for each CA -that samba will trust. The file name must be the hash value over the -"Distinguished Name" of the CA. How this directory is set up is -explained later in this document. All files within the directory that -don't fit into this naming scheme are ignored. You don't need this -variable if you don't verify client certificates. -<p><strong>Default:</strong> -<code> ssl CA certDir = /usr/local/ssl/certs</code> -<p><a name="sslCAcertFile"></a> -<p></p><dt><strong><strong>ssl CA certFile (G)</strong></strong><dd> -<p>This variable is part of SSL-enabled Samba. This is only available if -the SSL libraries have been compiled on your system and the configure -option <code>"--with-ssl"</code> was given at configure time. -<p><em>Note</em> that for export control reasons this code is <em>**NOT**</em> -enabled by default in any current binary version of Samba. -<p>This variable is a second way to define the trusted CAs. The -certificates of the trusted CAs are collected in one big file and this -variable points to the file. You will probably only use one of the two -ways to define your CAs. The first choice is preferable if you have -many CAs or want to be flexible, the second is preferable if you only -have one CA and want to keep things simple (you won't need to create -the hashed file names). You don't need this variable if you don't -verify client certificates. -<p><strong>Default:</strong> -<code> ssl CA certFile = /usr/local/ssl/certs/trustedCAs.pem</code> -<p><a name="sslciphers"></a> -<p></p><dt><strong><strong>ssl ciphers (G)</strong></strong><dd> -<p>This variable is part of SSL-enabled Samba. This is only available if -the SSL libraries have been compiled on your system and the configure -option <code>"--with-ssl"</code> was given at configure time. -<p><em>Note</em> that for export control reasons this code is <em>**NOT**</em> -enabled by default in any current binary version of Samba. -<p>This variable defines the ciphers that should be offered during SSL -negotiation. You should not set this variable unless you know what you -are doing. -<p><a name="sslclientcert"></a> -<p></p><dt><strong><strong>ssl client cert (G)</strong></strong><dd> -<p>This variable is part of SSL-enabled Samba. This is only available if -the SSL libraries have been compiled on your system and the configure -option <code>"--with-ssl"</code> was given at configure time. -<p><em>Note</em> that for export control reasons this code is <em>**NOT**</em> -enabled by default in any current binary version of Samba. -<p>The certificate in this file is used by -<a href="smbclient.1.html"><strong>smbclient</strong></a> if it exists. It's needed if the -server requires a client certificate. -<p><strong>Default:</strong> -<code> ssl client cert = /usr/local/ssl/certs/smbclient.pem</code> -<p><a name="sslclientkey"></a> -<p></p><dt><strong><strong>ssl client key (G)</strong></strong><dd> -<p>This variable is part of SSL-enabled Samba. This is only available if -the SSL libraries have been compiled on your system and the configure -option <code>"--with-ssl"</code> was given at configure time. -<p><em>Note</em> that for export control reasons this code is <em>**NOT**</em> -enabled by default in any current binary version of Samba. -<p>This is the private key for <a href="smbclient.1.html"><strong>smbclient</strong></a>. It's -only needed if the client should have a certificate. -<p><strong>Default:</strong> -<code> ssl client key = /usr/local/ssl/private/smbclient.pem</code> -<p><a name="sslcompatibility"></a> -<p></p><dt><strong><strong>ssl compatibility (G)</strong></strong><dd> -<p>This variable is part of SSL-enabled Samba. This is only available if -the SSL libraries have been compiled on your system and the configure -option <code>"--with-ssl"</code> was given at configure time. -<p><em>Note</em> that for export control reasons this code is <em>**NOT**</em> -enabled by default in any current binary version of Samba. -<p>This variable defines whether SSLeay should be configured for bug -compatibility with other SSL implementations. This is probably not -desirable because currently no clients with SSL implementations other -than SSLeay exist. -<p><strong>Default:</strong> -<code> ssl compatibility = no</code> -<p><a name="sslhosts"></a> -<p></p><dt><strong><strong>ssl hosts (G)</strong></strong><dd> -<p>See <a href="smb.conf.5.html#sslhostsresign"><strong>"ssl hosts resign"</strong></a>. -<p><a name="sslhostsresign"></a> -<p></p><dt><strong><strong>ssl hosts resign (G)</strong></strong><dd> -<p>This variable is part of SSL-enabled Samba. This is only available if -the SSL libraries have been compiled on your system and the configure -option <code>"--with-ssl"</code> was given at configure time. -<p><em>Note</em> that for export control reasons this code is <em>**NOT**</em> -enabled by default in any current binary version of Samba. -<p>These two variables define whether samba will go into SSL mode or -not. If none of them is defined, samba will allow only SSL -connections. If the <a href="smb.conf.5.html#sslhosts"><strong>"ssl hosts"</strong></a> variable lists -hosts (by IP-address, IP-address range, net group or name), only these -hosts will be forced into SSL mode. If the <strong>"ssl hosts resign"</strong> -variable lists hosts, only these hosts will NOT be forced into SSL -mode. The syntax for these two variables is the same as for the -<a href="smb.conf.5.html#hostsallow"><strong>"hosts allow"</strong></a> and <a href="smb.conf.5.html#hostsdeny"><strong>"hosts -deny"</strong></a> pair of variables, only that the subject of the -decision is different: It's not the access right but whether SSL is -used or not. See the <a href="smb.conf.5.html#allowhosts"><strong>"allow hosts"</strong></a> parameter for -details. The example below requires SSL connections from all hosts -outside the local net (which is 192.168.*.*). -<p><strong>Default:</strong> -<code> ssl hosts = <empty string></code> -<code> ssl hosts resign = <empty string></code> -<p><strong>Example:</strong> -<code> ssl hosts resign = 192.168.</code> -<p><a name="sslrequireclientcert"></a> -<p></p><dt><strong><strong>ssl require clientcert (G)</strong></strong><dd> -<p>This variable is part of SSL-enabled Samba. This is only available if -the SSL libraries have been compiled on your system and the configure -option <code>"--with-ssl"</code> was given at configure time. -<p><em>Note</em> that for export control reasons this code is <em>**NOT**</em> -enabled by default in any current binary version of Samba. -<p>If this variable is set to <code>"yes"</code>, the server will not tolerate -connections from clients that don't have a valid certificate. The -directory/file given in <a href="smb.conf.5.html#sslCAcertDir"><strong>"ssl CA certDir"</strong></a> and -<a href="smb.conf.5.html#sslCAcertFile"><strong>"ssl CA certFile"</strong></a> will be used to look up the -CAs that issued the client's certificate. If the certificate can't be -verified positively, the connection will be terminated. If this -variable is set to <code>"no"</code>, clients don't need certificates. Contrary -to web applications you really <em>*should*</em> require client -certificates. In the web environment the client's data is sensitive -(credit card numbers) and the server must prove to be trustworthy. In -a file server environment the server's data will be sensitive and the -clients must prove to be trustworthy. -<p><strong>Default:</strong> -<code> ssl require clientcert = no</code> -<p><a name="sslrequireservercert"></a> -<p></p><dt><strong><strong>ssl require servercert (G)</strong></strong><dd> -<p>This variable is part of SSL-enabled Samba. This is only available if -the SSL libraries have been compiled on your system and the configure -option <code>"--with-ssl"</code> was given at configure time. -<p><em>Note</em> that for export control reasons this code is <em>**NOT**</em> -enabled by default in any current binary version of Samba. -<p>If this variable is set to <code>"yes"</code>, the -<a href="smbclient.1.html"><strong>smbclient</strong></a> will request a certificate from -the server. Same as <a href="smb.conf.5.html#sslrequireclientcert"><strong>"ssl require -clientcert"</strong></a> for the server. -<p><strong>Default:</strong> -<code> ssl require servercert = no</code> -<p><a name="sslservercert"></a> -<p></p><dt><strong><strong>ssl server cert (G)</strong></strong><dd> -<p>This variable is part of SSL-enabled Samba. This is only available if -the SSL libraries have been compiled on your system and the configure -option <code>"--with-ssl"</code> was given at configure time. -<p><em>Note</em> that for export control reasons this code is <em>**NOT**</em> -enabled by default in any current binary version of Samba. -<p>This is the file containing the server's certificate. The server _must_ -have a certificate. The file may also contain the server's private key. -See later for how certificates and private keys are created. -<p><strong>Default:</strong> -<code> ssl server cert = <empty string></code> -<p><a name="sslserverkey"></a> -<p></p><dt><strong><strong>ssl server key (G)</strong></strong><dd> -<p>This variable is part of SSL-enabled Samba. This is only available if -the SSL libraries have been compiled on your system and the configure -option <code>"--with-ssl"</code> was given at configure time. -<p><em>Note</em> that for export control reasons this code is <em>**NOT**</em> -enabled by default in any current binary version of Samba. -<p>This file contains the private key of the server. If this variable is -not defined, the key is looked up in the certificate file (it may be -appended to the certificate). The server <em>*must*</em> have a private key -and the certificate <em>*must*</em> match this private key. -<p><strong>Default:</strong> -<code> ssl server key = <empty string></code> -<p><a name="sslversion"></a> -<p></p><dt><strong><strong>ssl version (G)</strong></strong><dd> -<p>This variable is part of SSL-enabled Samba. This is only available if -the SSL libraries have been compiled on your system and the configure -option <code>"--with-ssl"</code> was given at configure time. -<p><em>Note</em> that for export control reasons this code is <em>**NOT**</em> -enabled by default in any current binary version of Samba. -<p>This enumeration variable defines the versions of the SSL protocol -that will be used. <code>"ssl2or3"</code> allows dynamic negotiation of SSL v2 -or v3, <code>"ssl2"</code> results in SSL v2, <code>"ssl3"</code> results in SSL v3 and -"tls1" results in TLS v1. TLS (Transport Layer Security) is the -(proposed?) new standard for SSL. -<p><strong>Default:</strong> -<code> ssl version = "ssl2or3"</code> -<p><a name="statcache"></a> -<p></p><dt><strong><strong>stat cache (G)</strong></strong><dd> -<p>This parameter determines if <a href="smbd.8.html"><strong>smbd</strong></a> will use a -cache in order to speed up case insensitive name mappings. You should -never need to change this parameter. -<p><strong>Default:</strong> -<code> stat cache = yes</code> -<p><a name="statcachesize"></a> -<p></p><dt><strong><strong>stat cache size (G)</strong></strong><dd> -<p>This parameter determines the number of entries in the <a href="smb.conf.5.html#statcache"><strong>stat -cache</strong></a>. You should never need to change this parameter. -<p><strong>Default:</strong> -<code> stat cache size = 50</code> -<p><a name="status"></a> -<p></p><dt><strong><strong>status (G)</strong></strong><dd> -<p>This enables or disables logging of connections to a status file that -<a href="smbstatus.1.html"><strong>smbstatus</strong></a> can read. -<p>With this disabled <a href="smbstatus.1.html"><strong>smbstatus</strong></a> won't be able -to tell you what connections are active. You should never need to -change this parameter. -<p><strong>Default:</strong> - status = yes -<p><a name="strictlocking"></a> -<p></p><dt><strong><strong>strict locking (S)</strong></strong><dd> -<p>This is a boolean that controls the handling of file locking in the -server. When this is set to <code>"yes"</code> the server will check every read and -write access for file locks, and deny access if locks exist. This can -be slow on some systems. -<p>When strict locking is <code>"no"</code> the server does file lock checks only -when the client explicitly asks for them. -<p>Well behaved clients always ask for lock checks when it is important, -so in the vast majority of cases <strong>"strict locking = no"</strong> is -preferable. -<p><strong>Default:</strong> -<code> strict locking = no</code> -<p><strong>Example:</strong> -<code> strict locking = yes</code> -<p><a name="strictsync"></a> -<p></p><dt><strong><strong>strict sync (S)</strong></strong><dd> -<p>Many Windows applications (including the Windows 98 explorer shell) -seem to confuse flushing buffer contents to disk with doing a sync to -disk. Under UNIX, a sync call forces the process to be suspended until -the kernel has ensured that all outstanding data in kernel disk -buffers has been safely stored onto stable storage. This is very slow -and should only be done rarely. Setting this parameter to "no" (the -default) means that smbd ignores the Windows applications requests for -a sync call. There is only a possibility of losing data if the -operating system itself that Samba is running on crashes, so there is -little danger in this default setting. In addition, this fixes many -performance problems that people have reported with the new Windows98 -explorer shell file copies. -<p>See also the <a href="smb.conf.5.html#syncalways"><strong>"sync always"</strong></a> parameter. -<p><strong>Default:</strong> -<code> strict sync = no</code> -<p><strong>Example:</strong> -<code> strict sync = yes</code> -<p><a name="stripdot"></a> -<p></p><dt><strong><strong>strip dot (G)</strong></strong><dd> -<p>This is a boolean that controls whether to strip trailing dots off -UNIX filenames. This helps with some CDROMs that have filenames ending -in a single dot. -<p><strong>Default:</strong> -<code> strip dot = no</code> -<p><strong>Example:</strong> -<code> strip dot = yes</code> -<p><a name="syncalways"></a> -<p></p><dt><strong><strong>sync always (S)</strong></strong><dd> -<p>This is a boolean parameter that controls whether writes will always -be written to stable storage before the write call returns. If this is -false then the server will be guided by the client's request in each -write call (clients can set a bit indicating that a particular write -should be synchronous). If this is true then every write will be -followed by a fsync() call to ensure the data is written to disk. -Note that the <a href="smb.conf.5.html#strictsync"><strong>"strict sync"</strong></a> parameter must be -set to <code>"yes"</code> in order for this parameter to have any affect. -<p>See also the <a href="smb.conf.5.html#strictsync"><strong>"strict sync"</strong></a> parameter. -<p><strong>Default:</strong> -<code> sync always = no</code> -<p><strong>Example:</strong> -<code> sync always = yes</code> -<p><a name="syslog"></a> -<p></p><dt><strong><strong>syslog (G)</strong></strong><dd> -<p>This parameter maps how Samba debug messages are logged onto the -system syslog logging levels. Samba debug level zero maps onto syslog -LOG_ERR, debug level one maps onto LOG_WARNING, debug level two maps -onto LOG_NOTICE, debug level three maps onto LOG_INFO. All higher -levels are mapped to LOG_DEBUG. -<p>This paramter sets the threshold for sending messages to syslog. -Only messages with debug level less than this value will be sent -to syslog. -<p><strong>Default:</strong> -<code> syslog = 1</code> -<p><a name="syslogonly"></a> -<p></p><dt><strong><strong>syslog only (G)</strong></strong><dd> -<p>If this parameter is set then Samba debug messages are logged into the -system syslog only, and not to the debug log files. -<p><strong>Default:</strong> -<code> syslog only = no</code> -<p><a name="templatehomedir"></a> -<p></p><dt><strong><strong>template homedir (G)</strong></strong><dd> -<p>NOTE: this parameter is only available in Samba 3.0. -<p>When filling out the user information for a Windows NT user, the -<a href="winbindd.8.html"><strong>winbindd</strong></a> daemon uses this parameter to fill in -the home directory for that user. If the string <code>%D</code> is present it is -substituted with the user's Windows NT domain name. If the string <code>%U</code> -is present it is substituted with the user's Windows NT user name. -<p><strong>Default:</strong> -<code> template homedir = /home/%D/%U</code> -<p><a name="templateshell"></a> -<p></p><dt><strong><strong>template shell (G)</strong></strong><dd> -<p>NOTE: this parameter is only available in Samba 3.0. -<p>When filling out the user information for a Windows NT user, the -<a href="winbindd.8.html"><strong>winbindd</strong></a> daemon uses this parameter to fill in -the login shell for that user. -<p><strong>Default:</strong> -<code> template shell = /bin/false</code> -<p><a name="timeoffset"></a> -<p></p><dt><strong><strong>time offset (G)</strong></strong><dd> -<p>This parameter is a setting in minutes to add to the normal GMT to -local time conversion. This is useful if you are serving a lot of PCs -that have incorrect daylight saving time handling. -<p><strong>Default:</strong> -<code> time offset = 0</code> -<p><strong>Example:</strong> -<code> time offset = 60</code> -<p><a name="timeserver"></a> -<p><p></p><dt><strong><strong>time server (G)</strong></strong><dd> -<p>This parameter determines if <a href="nmbd.8.html"><strong>nmbd</strong></a> advertises -itself as a time server to Windows clients. The default is False. -<p><strong>Default:</strong> -<code> time server = False</code> -<p><strong>Example:</strong> -<code> time server = True</code> -<p><a name="timestamplogs"></a> -<p></p><dt><strong><strong>timestamp logs (G)</strong></strong><dd> -<p>Synonym for <a href="debugtimestamp"><strong>"debug timestamp"</strong></a>. -<p><a name="unixpasswordsync"></a> -<p></p><dt><strong><strong>unix password sync (G)</strong></strong><dd> -<p>This boolean parameter controls whether Samba attempts to synchronize -the UNIX password with the SMB password when the encrypted SMB -password in the smbpasswd file is changed. If this is set to true the -program specified in the <a href="smb.conf.5.html#passwdprogram"><strong>"passwd program"</strong></a> -parameter is called <em>*AS ROOT*</em> - to allow the new UNIX password to be -set without access to the old UNIX password (as the SMB password has -change code has no access to the old password cleartext, only the -new). By default this is set to <code>"false"</code>. -<p>See also <a href="smb.conf.5.html#passwdprogram"><strong>"passwd program"</strong></a>, <a href="smb.conf.5.html#passwdchat"><strong>"passwd -chat"</strong></a>. -<p><strong>Default:</strong> -<code> unix password sync = False</code> -<p><strong>Example:</strong> -<code> unix password sync = True</code> -<p><a name="unixrealname"></a> -<p></p><dt><strong><strong>unix realname (G)</strong></strong><dd> -<p>This boolean parameter when set causes samba to supply the real name -field from the unix password file to the client. This is useful for -setting up mail clients and WWW browsers on systems used by more than -one person. -<p><strong>Default:</strong> -<code> unix realname = no</code> -<p><strong>Example:</strong> -<code> unix realname = yes</code> -<p><a name="updateencrypted"></a> -<p></p><dt><strong><strong>update encrypted (G)</strong></strong><dd> -<p>This boolean parameter allows a user logging on with a plaintext -password to have their encrypted (hashed) password in the smbpasswd -file to be updated automatically as they log on. This option allows a -site to migrate from plaintext password authentication (users -authenticate with plaintext password over the wire, and are checked -against a UNIX account database) to encrypted password authentication -(the SMB challenge/response authentication mechanism) without forcing -all users to re-enter their passwords via smbpasswd at the time the -change is made. This is a convenience option to allow the change over -to encrypted passwords to be made over a longer period. Once all users -have encrypted representations of their passwords in the smbpasswd -file this parameter should be set to <code>"off"</code>. -<p>In order for this parameter to work correctly the <a href="smb.conf.5.html#encryptpasswords"><strong>"encrypt -passwords"</strong></a> parameter must be set to <code>"no"</code> when -this parameter is set to <code>"yes"</code>. -<p>Note that even when this parameter is set a user authenticating to -smbd must still enter a valid password in order to connect correctly, -and to update their hashed (smbpasswd) passwords. -<p><strong>Default:</strong> -<code> update encrypted = no</code> -<p><strong>Example:</strong> -<code> update encrypted = yes</code> -<p><a name="userhosts"></a> -<p></p><dt><strong><strong>use rhosts (G)</strong></strong><dd> -<p>If this global parameter is a true, it specifies that the UNIX users -<code>".rhosts"</code> file in their home directory will be read to find the -names of hosts and users who will be allowed access without specifying -a password. -<p>NOTE: The use of <strong>use rhosts</strong> can be a major security hole. This is -because you are trusting the PC to supply the correct username. It is -very easy to get a PC to supply a false username. I recommend that the -<strong>use rhosts</strong> option be only used if you really know what you are -doing. -<p><strong>Default:</strong> -<code> use rhosts = no</code> -<p><strong>Example:</strong> -<code> use rhosts = yes</code> -<p><a name="user"></a> -<p></p><dt><strong><strong>user (S)</strong></strong><dd> -<p>Synonym for <a href="smb.conf.5.html#username"><strong>"username"</strong></a>. -<p><a name="users"></a> -<p></p><dt><strong><strong>users (S)</strong></strong><dd> -<p>Synonym for <a href="smb.conf.5.html#username"><strong>"username"</strong></a>. -<p><a name="username"></a> -<p></p><dt><strong><strong>username (S)</strong></strong><dd> -<p>Multiple users may be specified in a comma-delimited list, in which -case the supplied password will be tested against each username in -turn (left to right). -<p>The <strong>username=</strong> line is needed only when the PC is unable to supply -its own username. This is the case for the COREPLUS protocol or where -your users have different WfWg usernames to UNIX usernames. In both -these cases you may also be better using the <code>\\server\share%user</code> -syntax instead. -<p>The <strong>username=</strong> line is not a great solution in many cases as it -means Samba will try to validate the supplied password against each of -the usernames in the username= line in turn. This is slow and a bad -idea for lots of users in case of duplicate passwords. You may get -timeouts or security breaches using this parameter unwisely. -<p>Samba relies on the underlying UNIX security. This parameter does not -restrict who can login, it just offers hints to the Samba server as to -what usernames might correspond to the supplied password. Users can -login as whoever they please and they will be able to do no more -damage than if they started a telnet session. The daemon runs as the -user that they log in as, so they cannot do anything that user cannot -do. -<p>To restrict a service to a particular set of users you can use the -<a href="smb.conf.5.html#validusers"><strong>"valid users="</strong></a> parameter. -<p>If any of the usernames begin with a <code>'@'</code> then the name will be -looked up first in the yp netgroups list (if Samba is compiled with -netgroup support), followed by a lookup in the UNIX groups database -and will expand to a list of all users in the group of that name. -<p>If any of the usernames begin with a <code>'+'</code> then the name will be -looked up only in the UNIX groups database and will expand to a list -of all users in the group of that name. -<p>If any of the usernames begin with a <code>'&'</code> then the name will be -looked up only in the yp netgroups database (if Samba is compiled with -netgroup support) and will expand to a list of all users in the -netgroup group of that name. -<p>Note that searching though a groups database can take quite some time, -and some clients may time out during the search. -<p>See the section <a href="smb.conf.5.html#NOTEABOUTUSERNAMEPASSWORDVALIDATION"><strong>"NOTE ABOUT USERNAME/PASSWORD -VALIDATION"</strong></a> for more -information on how this parameter determines access to the services. -<p><strong>Default:</strong> -<code> The guest account if a guest service, else the name of the service.</code> -<p><strong>Examples:</strong> -<pre> - - username = fred - username = fred, mary, jack, jane, @users, @pcgroup - -</pre> - -<p><a name="usernamelevel"></a> -<p></p><dt><strong><strong>username level (G)</strong></strong><dd> -<p>This option helps Samba to try and 'guess' at the real UNIX username, -as many DOS clients send an all-uppercase username. By default Samba -tries all lowercase, followed by the username with the first letter -capitalized, and fails if the username is not found on the UNIX -machine. -<p>If this parameter is set to non-zero the behavior changes. This -parameter is a number that specifies the number of uppercase -combinations to try whilst trying to determine the UNIX user name. The -higher the number the more combinations will be tried, but the slower -the discovery of usernames will be. Use this parameter when you have -strange usernames on your UNIX machine, such as <code>"AstrangeUser"</code>. -<p><strong>Default:</strong> -<code> username level = 0</code> -<p><strong>Example:</strong> -<code> username level = 5</code> -<p><a name="usernamemap"></a> -<p></p><dt><strong><strong>username map (G)</strong></strong><dd> -<p>This option allows you to specify a file containing a mapping of -usernames from the clients to the server. This can be used for several -purposes. The most common is to map usernames that users use on DOS or -Windows machines to those that the UNIX box uses. The other is to map -multiple users to a single username so that they can more easily share -files. -<p>The map file is parsed line by line. Each line should contain a single -UNIX username on the left then a <code>'='</code> followed by a list of -usernames on the right. The list of usernames on the right may contain -names of the form @group in which case they will match any UNIX -username in that group. The special client name <code>'*'</code> is a wildcard -and matches any name. Each line of the map file may be up to 1023 -characters long. -<p>The file is processed on each line by taking the supplied username and -comparing it with each username on the right hand side of the <code>'='</code> -signs. If the supplied name matches any of the names on the right hand -side then it is replaced with the name on the left. Processing then -continues with the next line. -<p>If any line begins with a <code>'#'</code> or a <code>';'</code> then it is ignored -<p>If any line begins with an <code>'!'</code> then the processing will stop after -that line if a mapping was done by the line. Otherwise mapping -continues with every line being processed. Using <code>'!'</code> is most -useful when you have a wildcard mapping line later in the file. -<p>For example to map from the name <code>"admin"</code> or <code>"administrator"</code> to -the UNIX name <code>"root"</code> you would use: -<p><code> root = admin administrator</code> -<p>Or to map anyone in the UNIX group <code>"system"</code> to the UNIX name -<code>"sys"</code> you would use: -<p><code> sys = @system</code> -<p>You can have as many mappings as you like in a username map file. -<p>If your system supports the NIS NETGROUP option then the netgroup -database is checked before the <code>/etc/group</code> database for matching -groups. -<p>You can map Windows usernames that have spaces in them by using double -quotes around the name. For example: -<p><code> tridge = "Andrew Tridgell"</code> -<p>would map the windows username <code>"Andrew Tridgell"</code> to the unix -username tridge. -<p>The following example would map mary and fred to the unix user sys, -and map the rest to guest. Note the use of the <code>'!'</code> to tell Samba -to stop processing if it gets a match on that line. -<p><pre> - - !sys = mary fred - guest = * - -</pre> - -<p>Note that the remapping is applied to all occurrences of -usernames. Thus if you connect to <code>"\\server\fred"</code> and <code>"fred"</code> -is remapped to <code>"mary"</code> then you will actually be connecting to -<code>"\\server\mary"</code> and will need to supply a password suitable for -<code>"mary"</code> not <code>"fred"</code>. The only exception to this is the username -passed to the <a href="smb.conf.5.html#passwordserver"><strong>"password server"</strong></a> (if you have -one). The password server will receive whatever username the client -supplies without modification. -<p>Also note that no reverse mapping is done. The main effect this has is -with printing. Users who have been mapped may have trouble deleting -print jobs as PrintManager under WfWg will think they don't own the -print job. -<p><strong>Default:</strong> -<code> no username map</code> -<p><strong>Example:</strong> -<code> username map = /usr/local/samba/lib/users.map</code> -<p><a name="utmp"></a> -<p></p><dt><strong><strong>utmp (S)</strong></strong><dd> -<p>This boolean parameter is only available if Samba has been configured and compiled -with the option <code>--with-utmp</code>. If set to True then Samba will attempt -to add utmp or utmpx records (depending on the UNIX system) whenever a -connection is made to a Samba server. Sites may use this to record the -user connecting to a Samba share. -<p>See also the <a href="smb.conf.5.html#utmpdirectory"><strong>"utmp directory"</strong></a> parameter. -<p><strong>Default:</strong> -<code>utmp = False</code> -<p><strong>Example:</strong> -<code>utmp = True</code> -<p><a name="utmpdirectory"></a> -<p></p><dt><strong><strong>utmp directory(G)</strong></strong><dd> -<p>This parameter is only available if Samba has been configured and compiled -with the option <code>--with-utmp</code>. It specifies a directory pathname that is -used to store the utmp or utmpx files (depending on the UNIX system) that -record user connections to a Samba server. See also the <a href="smb.conf.5.html#utmp"><strong>"utmp"</strong></a> -parameter. By default this is not set, meaning the system will use whatever -utmp file the native system is set to use (usually /var/run/utmp on Linux). -<p><strong>Default:</strong> -<code>no utmp directory</code> -<p><strong>Example:</strong> -<code>utmp directory = /var/adm/</code> -<p><a name="winbindcachetime"></a> -<p></p><dt><strong>winbind cache time</strong><dd> -<p>NOTE: this parameter is only available in Samba 3.0. -<p>This parameter specifies the number of seconds the -<a href="winbindd.8.html"><strong>winbindd</strong></a> daemon will cache user and group -information before querying a Windows NT server again. -<p><strong>Default:</strong> -<code> winbind cache type = 15</code> -<p><a name="winbindgid"></a> -<p></p><dt><strong>winbind gid</strong><dd> -<p>NOTE: this parameter is only available in Samba 3.0. -<p>The winbind gid parameter specifies the range of group ids that are -allocated by the <a href="winbindd.8.html"><strong>winbindd</strong></a> daemon. This range of -group ids should have no existing local or nis groups within it as strange -conflicts can occur otherwise. -<p><strong>Default:</strong> -<code> winbind gid = <empty string></code> -<p><strong>Example:</strong> -<code> winbind gid = 10000-20000</code> -<p><a name="winbinduid"></a> -<p></p><dt><strong>winbind uid</strong><dd> -<p>NOTE: this parameter is only available in Samba 3.0. -<p>The winbind uid parameter specifies the range of user ids that are -allocated by the <a href="winbindd.8.html"><strong>winbindd</strong></a> daemon. This range of -ids should have no existing local or nis users within it as strange -conflicts can occur otherwise. -<p><strong>Default:</strong> -<code> winbind uid = <empty string></code> -<p><strong>Example:</strong> -<code> winbind uid = 10000-20000</code> -<p><a name="validchars"></a> -<p></p><dt><strong><strong>valid chars (G)</strong></strong><dd> -<p>The option allows you to specify additional characters that should be -considered valid by the server in filenames. This is particularly -useful for national character sets, such as adding u-umlaut or a-ring. -<p>The option takes a list of characters in either integer or character -form with spaces between them. If you give two characters with a colon -between them then it will be taken as an lowercase:uppercase pair. -<p>If you have an editor capable of entering the characters into the -config file then it is probably easiest to use this method. Otherwise -you can specify the characters in octal, decimal or hexadecimal form -using the usual C notation. -<p>For example to add the single character <code>'Z'</code> to the charset (which -is a pointless thing to do as it's already there) you could do one of -the following -<p><pre> - - valid chars = Z - valid chars = z:Z - valid chars = 0132:0172 - -</pre> - -<p>The last two examples above actually add two characters, and alter the -uppercase and lowercase mappings appropriately. -<p>Note that you MUST specify this parameter after the <a href="smb.conf.5.html#clientcodepage"><strong>"client -code page"</strong></a> parameter if you have both set. If -<a href="smb.conf.5.html#clientcodepage"><strong>"client code page"</strong></a> is set after the -<strong>"valid chars"</strong> parameter the <strong>"valid chars"</strong> settings will be -overwritten. -<p>See also the <a href="smb.conf.5.html#clientcodepage"><strong>"client code page"</strong></a> parameter. -<p><strong>Default:</strong> -<pre> - - Samba defaults to using a reasonable set of valid characters - for English systems - -</pre> - -<p><strong>Example</strong> -<code> valid chars = 0345:0305 0366:0326 0344:0304</code> -<p>The above example allows filenames to have the Swedish characters in -them. -<p>NOTE: It is actually quite difficult to correctly produce a <strong>"valid -chars"</strong> line for a particular system. To automate the process -<a href="mailto:tino@augsburg.net"><em>tino@augsburg.net</em></a> has written a package called <strong>"validchars"</strong> -which will automatically produce a complete <strong>"valid chars"</strong> line for -a given client system. Look in the examples/validchars/ subdirectory -of your Samba source code distribution for this package. -<p><a name="validusers"></a> -<p></p><dt><strong><strong>valid users (S)</strong></strong><dd> -<p>This is a list of users that should be allowed to login to this -service. Names starting with <code>'@'</code>, <code>'+'</code> and <code>'&'</code> are -interpreted using the same rules as described in the <a href="smb.conf.5.html#invalidusers"><strong>"invalid -users"</strong></a> parameter. -<p>If this is empty (the default) then any user can login. If a username -is in both this list and the <a href="smb.conf.5.html#invalidusers"><strong>"invalid users"</strong></a> -list then access is denied for that user. -<p>The current servicename is substituted for -<a href="smb.conf.5.html#percentS"><strong>"%S"</strong></a>. This is useful in the -<a href="smb.conf.5.html#homes"><strong>[homes]</strong></a> section. -<p>See also <a href="smb.conf.5.html#invalidusers"><strong>"invalid users"</strong></a>. -<p><strong>Default:</strong> -<code> No valid users list. (anyone can login)</code> -<p><strong>Example:</strong> -<code> valid users = greg, @pcusers</code> -<p><a name="vetofiles"></a> -<p></p><dt><strong><strong>veto files(S)</strong></strong><dd> -<p>This is a list of files and directories that are neither visible nor -accessible. Each entry in the list must be separated by a <code>'/'</code>, -which allows spaces to be included in the entry. <code>'*'</code> and <code>'?'</code> -can be used to specify multiple files or directories as in DOS -wildcards. -<p>Each entry must be a unix path, not a DOS path and must <em>*not*</em> include the -unix directory separator <code>'/'</code>. -<p>Note that the <a href="smb.conf.5.html#casesensitive"><strong>"case sensitive"</strong></a> option is -applicable in vetoing files. -<p>One feature of the veto files parameter that it is important to be -aware of, is that if a directory contains nothing but files that match -the veto files parameter (which means that Windows/DOS clients cannot -ever see them) is deleted, the veto files within that directory *are -automatically deleted* along with it, if the user has UNIX permissions -to do so. -<p>Setting this parameter will affect the performance of Samba, as it -will be forced to check all files and directories for a match as they -are scanned. -<p>See also <a href="smb.conf.5.html#hidefiles"><strong>"hide files"</strong></a> and <a href="smb.conf.5.html#casesensitive"><strong>"case -sensitive"</strong></a>. -<p><strong>Default:</strong> -<code> No files or directories are vetoed.</code> -<p><strong>Examples:</strong> -<p>Example 1. -<p><pre> - - - Veto any files containing the word Security, - any ending in .tmp, and any directory containing the - word root. - - veto files = /*Security*/*.tmp/*root*/ - -</pre> - -<p>Example 2. -<p><pre> - - Veto the Apple specific files that a NetAtalk server - creates. - - veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/ - -</pre> - -<p><a name="vetooplockfiles"></a> -<p></p><dt><strong><strong>veto oplock files (S)</strong></strong><dd> -<p>This parameter is only valid when the <a href="smb.conf.5.html#oplocks"><strong>"oplocks"</strong></a> -parameter is turned on for a share. It allows the Samba administrator -to selectively turn off the granting of oplocks on selected files that -match a wildcarded list, similar to the wildcarded list used in the -<a href="smb.conf.5.html#vetofiles"><strong>"veto files"</strong></a> parameter. -<p><strong>Default:</strong> -<code> No files are vetoed for oplock grants.</code> -<p><strong>Examples:</strong> -<p>You might want to do this on files that you know will be heavily -contended for by clients. A good example of this is in the NetBench -SMB benchmark program, which causes heavy client contention for files -ending in <code>".SEM"</code>. To cause Samba not to grant oplocks on these -files you would use the line (either in the <a href="smb.conf.5.html#global"><strong>[global]</strong></a> -section or in the section for the particular NetBench share : -<p><code> veto oplock files = /*.SEM/</code> -<p><a name="volume"></a> -<p></p><dt><strong><strong>volume (S)</strong></strong><dd> -<p>This allows you to override the volume label returned for a -share. Useful for CDROMs with installation programs that insist on a -particular volume label. -<p>The default is the name of the share. -<p><a name="widelinks"></a> -<p></p><dt><strong><strong>wide links (S)</strong></strong><dd> -<p>This parameter controls whether or not links in the UNIX file system -may be followed by the server. Links that point to areas within the -directory tree exported by the server are always allowed; this -parameter controls access only to areas that are outside the directory -tree being exported. -<p>Note that setting this parameter can have a negative effect on your -server performance due to the extra system calls that Samba has to -do in order to perform the link checks. -<p><strong>Default:</strong> -<code> wide links = yes</code> -<p><strong>Example:</strong> -<code> wide links = no</code> -<p><a name="winsproxy"></a> -<p></p><dt><strong><strong>wins proxy (G)</strong></strong><dd> -<p>This is a boolean that controls if <a href="nmbd.8.html"><strong>nmbd</strong></a> will -respond to broadcast name queries on behalf of other hosts. You may -need to set this to <code>"yes"</code> for some older clients. -<p><strong>Default:</strong> -<code> wins proxy = no</code> -<p><a name="winsserver"></a> -<p></p><dt><strong><strong>wins server (G)</strong></strong><dd> -<p>This specifies the IP address (or DNS name: IP address for preference) -of the WINS server that <a href="nmbd.8.html"><strong>nmbd</strong></a> should register with. -If you have a WINS server on your network then you should set this to -the WINS server's IP. -<p>You should point this at your WINS server if you have a -multi-subnetted network. -<p><em>NOTE</em>. You need to set up Samba to point to a WINS server if you -have multiple subnets and wish cross-subnet browsing to work correctly. -<p>See the documentation file BROWSING.txt in the docs/ directory of your -Samba source distribution. -<p><strong>Default:</strong> -<code> wins server = </code> -<p><strong>Example:</strong> -<code> wins server = 192.9.200.1</code> -<p><a name="winshook"></a> -<p></p><dt><strong><strong>wins hook (G)</strong></strong><dd> -<p>When Samba is running as a WINS server this allows you to call an -external program for all changes to the WINS database. The primary use -for this option is to allow the dynamic update of external name -resolution databases such as dynamic DNS. -<p>The wins hook parameter specifies the name of a script or executable -that will be called as follows: -<p>wins_hook operation name nametype ttl IP_list -<p>The first argument is the operation and is one of "add", "delete", -or "refresh". In most cases the operation can be ignored as the rest -of the parameters provide sufficient information. Note that "refresh" -may sometimes be called when the name has not previously been added, -in that case it should be treated as an add. -<p>The second argument is the netbios name. If the name is not a legal -name then the wins hook is not called. Legal names contain only -letters, digits, hyphens, underscores and periods. -<p>The third argument is the netbios name type as a 2 digit hexadecimal -number. -<p>The fourth argument is the TTL (time to live) for the name in seconds. -<p>The fifth and subsequent arguments are the IP addresses currently -registered for that name. If this list is empty then the name should -be deleted. -<p>An example script that calls the BIND dynamic DNS update program -"nsupdate" is provided in the examples directory of the Samba source -code. -<p><a name="winssupport"></a> -<p></p><dt><strong><strong>wins support (G)</strong></strong><dd> -<p>This boolean controls if the <a href="nmbd.8.html"><strong>nmbd</strong></a> process in -Samba will act as a WINS server. You should not set this to true -unless you have a multi-subnetted network and you wish a particular -<a href="nmbd.8.html"><strong>nmbd</strong></a> to be your WINS server. Note that you -should <em>*NEVER*</em> set this to true on more than one machine in your -network. -<p><strong>Default:</strong> -<code> wins support = no</code> -<p><a name="workgroup"></a> -<p></p><dt><strong><strong>workgroup (G)</strong></strong><dd> -<p>This controls what workgroup your server will appear to be in when -queried by clients. Note that this parameter also controls the Domain -name used with the <a href="smb.conf.5.html#securityequaldomain"><strong>"security=domain"</strong></a> -setting. -<p><strong>Default:</strong> -<code> set at compile time to WORKGROUP</code> -<p><strong>Example:</strong> - workgroup = MYGROUP -<p><a name="writable"></a> -<p></p><dt><strong><strong>writable (S)</strong></strong><dd> -<p>Synonym for <a href="smb.conf.5.html#writeable"><strong>"writeable"</strong></a> for people who can't spell :-). -<p><a name="writelist"></a> -<p></p><dt><strong><strong>write list (S)</strong></strong><dd> -<p>This is a list of users that are given read-write access to a -service. If the connecting user is in this list then they will be -given write access, no matter what the <a href="smb.conf.5.html#writeable"><strong>"writeable"</strong></a> -option is set to. The list can include group names using the @group -syntax. -<p>Note that if a user is in both the read list and the write list then -they will be given write access. -<p>See also the <a href="smb.conf.5.html#readlist"><strong>"read list"</strong></a> option. -<p><strong>Default:</strong> -<code> write list = <empty string></code> -<p><strong>Example:</strong> -<code> write list = admin, root, @staff</code> -<p><a name="writecachesize"></a> -<p></p><dt><strong><strong>write cache size (S)</strong></strong><dd> -<p>This integer parameter (new with Samba 2.0.7) if set to non-zero causes Samba to create an in-memory -cache for each oplocked file (it does <strong>not</strong> do this for non-oplocked files). All -writes that the client does not request to be flushed directly to disk will be -stored in this cache if possible. The cache is flushed onto disk when a write -comes in whose offset would not fit into the cache or when the file is closed -by the client. Reads for the file are also served from this cache if the data -is stored within it. -<p>This cache allows Samba to batch client writes into a more efficient write -size for RAID disks (ie. writes may be tuned to be the RAID stripe size) and -can improve performance on systems where the disk subsystem is a bottleneck -but there is free memory for userspace programs. -<p>The integer parameter specifies the size of this cache (per oplocked file) -in bytes. -<p><strong>Default:</strong> -<code> write cache size = 0</code> -<p><strong>Example:</strong> -<code> write cache size = 262144</code> -for a 256k cache size per file. -<p><a name="writeok"></a> -<p></p><dt><strong><strong>write ok (S)</strong></strong><dd> -<p>Synonym for <a href="smb.conf.5.html#writeable"><strong>writeable</strong></a>. -<p><a name="writeraw"></a> -<p></p><dt><strong><strong>write raw (G)</strong></strong><dd> -<p>This parameter controls whether or not the server will support raw -writes SMB's when transferring data from clients. You should never -need to change this parameter. -<p><strong>Default:</strong> -<code> write raw = yes</code> -<p><a name="writeable"></a> -<p></p><dt><strong><strong>writeable</strong></strong><dd> -<p>An inverted synonym is <a href="smb.conf.5.html#readonly"><strong>"read only"</strong></a>. -<p>If this parameter is <code>"no"</code>, then users of a service may not create -or modify files in the service's directory. -<p>Note that a printable service <a href="smb.conf.5.html#printable"><strong>("printable = yes")</strong></a> -will <em>*ALWAYS*</em> allow writing to the directory (user privileges -permitting), but only via spooling operations. -<p><strong>Default:</strong> -<code> writeable = no</code> -<p><strong>Examples:</strong> -<pre> - - read only = no - writeable = yes - write ok = yes - -</pre> + [pub] + path = /%S + </TT +></PRE +></DD +><DT +><A +NAME="DELETEUSERSCRIPT" +></A +>delete user script (G)</DT +><DD +><P +>This is the full pathname to a script that will + be run <I +CLASS="EMPHASIS" +>AS ROOT</I +> by <A +HREF="smbd.8.html" +TARGET="_top" +> <B +CLASS="COMMAND" +>smbd(8)</B +></A +> under special circumstances + decribed below.</P +><P +>Normally, a Samba server requires that UNIX users are + created for all users accessing files on this server. For sites + that use Windows NT account databases as their primary user database + creating these users and keeping the user list in sync with the + Windows NT PDC is an onerous task. This option allows <B +CLASS="COMMAND" +> smbd</B +> to delete the required UNIX users <I +CLASS="EMPHASIS" +>ON + DEMAND</I +> when a user accesses the Samba server and the + Windows NT user no longer exists.</P +><P +>In order to use this option, <B +CLASS="COMMAND" +>smbd</B +> must be + set to <TT +CLASS="PARAMETER" +><I +>security=domain</I +></TT +> and <TT +CLASS="PARAMETER" +><I +>delete + user script</I +></TT +> must be set to a full pathname for a script + that will delete a UNIX user given one argument of <TT +CLASS="PARAMETER" +><I +>%u + </I +></TT +>, which expands into the UNIX user name to delete. + <I +CLASS="EMPHASIS" +>NOTE</I +> that this is different to the <A +HREF="#ADDUSERSCRIPT" +><TT +CLASS="PARAMETER" +><I +>add user script</I +></TT +></A +> + which will work with the <TT +CLASS="PARAMETER" +><I +>security=server</I +></TT +> option + as well as <TT +CLASS="PARAMETER" +><I +>security=domain</I +></TT +>. The reason for this + is only when Samba is a domain member does it get the information + on an attempted user logon that a user no longer exists. In the + <TT +CLASS="PARAMETER" +><I +>security=server</I +></TT +> mode a missing user + is treated the same as an invalid password logon attempt. Deleting + the user in this circumstance would not be a good idea.</P +><P +>When the Windows user attempts to access the Samba server, + at <I +CLASS="EMPHASIS" +>login</I +> (session setup in the SMB protocol) + time, <B +CLASS="COMMAND" +>smbd</B +> contacts the <A +HREF="#PASSWORDSERVER" +> <TT +CLASS="PARAMETER" +><I +>password server</I +></TT +></A +> and attempts to authenticate + the given user with the given password. If the authentication fails + with the specific Domain error code meaning that the user no longer + exists then <B +CLASS="COMMAND" +>smbd</B +> attempts to find a UNIX user in + the UNIX password database that matches the Windows user account. If + this lookup succeeds, and <TT +CLASS="PARAMETER" +><I +>delete user script</I +></TT +> is + set then <B +CLASS="COMMAND" +>smbd</B +> will all the specified script + <I +CLASS="EMPHASIS" +>AS ROOT</I +>, expanding any <TT +CLASS="PARAMETER" +><I +>%u</I +></TT +> + argument to be the user name to delete.</P +><P +>This script should delete the given UNIX username. In this way, + UNIX users are dynamically deleted to match existing Windows NT + accounts.</P +><P +>See also <A +HREF="#SECURITYEQUALSDOMAIN" +>security=domain</A +>, + <A +HREF="#PASSWORDSERVER" +><TT +CLASS="PARAMETER" +><I +>password server</I +></TT +> + </A +>, <A +HREF="#ADDUSERSCRIPT" +><TT +CLASS="PARAMETER" +><I +>add user script</I +></TT +> + </A +>.</P +><P +>Default: <B +CLASS="COMMAND" +>delete user script = <empty string> + </B +></P +><P +>Example: <B +CLASS="COMMAND" +>delete user script = /usr/local/samba/bin/del_user + %u</B +></P +></DD +><DT +><A +NAME="DELETEREADONLY" +></A +>delete readonly (S)</DT +><DD +><P +>This parameter allows readonly files to be deleted. + This is not normal DOS semantics, but is allowed by UNIX.</P +><P +>This option may be useful for running applications such + as rcs, where UNIX file ownership prevents changing file + permissions, and DOS semantics prevent deletion of a read only file.</P +><P +>Default: <B +CLASS="COMMAND" +>delete readonly = no</B +></P +></DD +><DT +><A +NAME="DELETEVETOFILES" +></A +>delete veto files (S)</DT +><DD +><P +>This option is used when Samba is attempting to + delete a directory that contains one or more vetoed directories + (see the <A +HREF="#VETOFILES" +><TT +CLASS="PARAMETER" +><I +>veto files</I +></TT +></A +> + option). If this option is set to False (the default) then if a vetoed + directory contains any non-vetoed files or directories then the + directory delete will fail. This is usually what you want.</P +><P +>If this option is set to <TT +CLASS="CONSTANT" +>True</TT +>, then Samba + will attempt to recursively delete any files and directories within + the vetoed directory. This can be useful for integration with file + serving systems such as NetAtalk which create meta-files within + directories you might normally veto DOS/Windows users from seeing + (e.g. <TT +CLASS="FILENAME" +>.AppleDouble</TT +>)</P +><P +>Setting <B +CLASS="COMMAND" +>delete veto files = yes</B +> allows these + directories to be transparently deleted when the parent directory + is deleted (so long as the user has permissions to do so).</P +><P +>See also the <A +HREF="#VETOFILES" +><TT +CLASS="PARAMETER" +><I +>veto + files</I +></TT +></A +> parameter.</P +><P +>Default: <B +CLASS="COMMAND" +>delete veto files = no</B +></P +></DD +><DT +><A +NAME="DENYHOSTS" +></A +>deny hosts (S)</DT +><DD +><P +>Synonym for <A +HREF="#HOSTSDENY" +><TT +CLASS="PARAMETER" +><I +>hosts + deny</I +></TT +></A +>.</P +></DD +><DT +><A +NAME="DFREECOMMAND" +></A +>dfree command (G)</DT +><DD +><P +>The <TT +CLASS="PARAMETER" +><I +>dfree command</I +></TT +> setting should + only be used on systems where a problem occurs with the internal + disk space calculations. This has been known to happen with Ultrix, + but may occur with other operating systems. The symptom that was + seen was an error of "Abort Retry Ignore" at the end of each + directory listing.</P +><P +>This setting allows the replacement of the internal routines to + calculate the total disk space and amount available with an external + routine. The example below gives a possible script that might fulfill + this function.</P +><P +>The external program will be passed a single parameter indicating + a directory in the filesystem being queried. This will typically consist + of the string <TT +CLASS="FILENAME" +>./</TT +>. The script should return two + integers in ascii. The first should be the total disk space in blocks, + and the second should be the number of available blocks. An optional + third return value can give the block size in bytes. The default + blocksize is 1024 bytes.</P +><P +>Note: Your script should <I +CLASS="EMPHASIS" +>NOT</I +> be setuid or + setgid and should be owned by (and writeable only by) root!</P +><P +>Default: <I +CLASS="EMPHASIS" +>By default internal routines for + determining the disk capacity and remaining space will be used. + </I +></P +><P +>Example: <B +CLASS="COMMAND" +>dfree command = /usr/local/samba/bin/dfree + </B +></P +><P +>Where the script dfree (which must be made executable) could be:</P +><P +><PRE +CLASS="PROGRAMLISTING" +> + #!/bin/sh + df $1 | tail -1 | awk '{print $2" "$4}' + </PRE +></P +><P +>or perhaps (on Sys V based systems):</P +><P +><PRE +CLASS="PROGRAMLISTING" +> + #!/bin/sh + /usr/bin/df -k $1 | tail -1 | awk '{print $3" "$5}' + </PRE +></P +><P +>Note that you may have to replace the command names + with full path names on some systems.</P +></DD +><DT +><A +NAME="DIRECTORY" +></A +>directory (S)</DT +><DD +><P +>Synonym for <A +HREF="#PATH" +><TT +CLASS="PARAMETER" +><I +>path + </I +></TT +></A +>.</P +></DD +><DT +><A +NAME="DIRECTORYMASK" +></A +>directory mask (S)</DT +><DD +><P +>This parameter is the octal modes which are + used when converting DOS modes to UNIX modes when creating UNIX + directories.</P +><P +>When a directory is created, the necessary permissions are + calculated according to the mapping from DOS modes to UNIX permissions, + and the resulting UNIX mode is then bit-wise 'AND'ed with this + parameter. This parameter may be thought of as a bit-wise MASK for + the UNIX modes of a directory. Any bit <I +CLASS="EMPHASIS" +>not</I +> set + here will be removed from the modes set on a directory when it is + created.</P +><P +>The default value of this parameter removes the 'group' + and 'other' write bits from the UNIX mode, allowing only the + user who owns the directory to modify it.</P +><P +>Following this Samba will bit-wise 'OR' the UNIX mode + created from this parameter with the value of the <A +HREF="#FORCEDIRECTORYMODE" +><TT +CLASS="PARAMETER" +><I +>force directory mode + </I +></TT +></A +> parameter. This parameter is set to 000 by + default (i.e. no extra mode bits are added).</P +><P +>See the <A +HREF="#FORCEDIRECTORYMODE" +><TT +CLASS="PARAMETER" +><I +>force + directory mode</I +></TT +></A +> parameter to cause particular mode + bits to always be set on created directories.</P +><P +>See also the <A +HREF="#CREATEMODE" +><TT +CLASS="PARAMETER" +><I +>create mode + </I +></TT +></A +> parameter for masking mode bits on created files, + and the <A +HREF="#DIRECTORYSECURITYMASK" +><TT +CLASS="PARAMETER" +><I +>directory + security mask</I +></TT +></A +> parameter.</P +><P +>Also refer to the <A +HREF="#INHERITPERMISSIONS" +><TT +CLASS="PARAMETER" +><I +> inherit permissions</I +></TT +></A +> parameter.</P +><P +>Default: <B +CLASS="COMMAND" +>directory mask = 0755</B +></P +><P +>Example: <B +CLASS="COMMAND" +>directory mask = 0775</B +></P +></DD +><DT +><A +NAME="DIRECTORYMODE" +></A +>directory mode (S)</DT +><DD +><P +>Synonym for <A +HREF="#DIRECTORYMASK" +><TT +CLASS="PARAMETER" +><I +> directory mask</I +></TT +></A +></P +></DD +><DT +><A +NAME="DIRECTORYSECURITYMASK" +></A +>directory security mask (S)</DT +><DD +><P +>This parameter controls what UNIX permission bits + can be modified when a Windows NT client is manipulating the UNIX + permission on a directory using the native NT security dialog + box.</P +><P +>This parameter is applied as a mask (AND'ed with) to + the changed permission bits, thus preventing any bits not in + this mask from being modified. Essentially, zero bits in this + mask may be treated as a set of bits the user is not allowed + to change.</P +><P +>If not set explicitly this parameter is set to the same + value as the <A +HREF="#DIRECTORYMASK" +><TT +CLASS="PARAMETER" +><I +>directory + mask</I +></TT +></A +> parameter. To allow a user to + modify all the user/group/world permissions on a directory, set + this parameter to 0777.</P +><P +><I +CLASS="EMPHASIS" +>Note</I +> that users who can access the + Samba server through other means can easily bypass this restriction, + so it is primarily useful for standalone "appliance" systems. + Administrators of most normal systems will probably want to set + it to 0777.</P +><P +>See also the <A +HREF="#FORCEDIRECTORYSECURITYMODE" +><TT +CLASS="PARAMETER" +><I +> force directory security mode</I +></TT +></A +>, <A +HREF="#SECURITYMASK" +><TT +CLASS="PARAMETER" +><I +>security mask</I +></TT +></A +>, + <A +HREF="#FORCESECURITYMODE" +><TT +CLASS="PARAMETER" +><I +>force security mode + </I +></TT +></A +> parameters.</P +><P +>Default: <B +CLASS="COMMAND" +>directory security mask = <same as + directory mask></B +></P +><P +>Example: <B +CLASS="COMMAND" +>directory security mask = 0777</B +></P +></DD +><DT +><A +NAME="DNSPROXY" +></A +>dns proxy (G)</DT +><DD +><P +>Specifies that <A +HREF="nmbd.8.html" +TARGET="_top" +>nmbd(8)</A +> + when acting as a WINS server and finding that a NetBIOS name has not + been registered, should treat the NetBIOS name word-for-word as a DNS + name and do a lookup with the DNS server for that name on behalf of + the name-querying client.</P +><P +>Note that the maximum length for a NetBIOS name is 15 + characters, so the DNS name (or DNS alias) can likewise only be + 15 characters, maximum.</P +><P +><B +CLASS="COMMAND" +>nmbd</B +> spawns a second copy of itself to do the + DNS name lookup requests, as doing a name lookup is a blocking + action.</P +><P +>See also the parameter <A +HREF="#WINSSUPPORT" +><TT +CLASS="PARAMETER" +><I +> wins support</I +></TT +></A +>.</P +><P +>Default: <B +CLASS="COMMAND" +>dns proxy = yes</B +></P +></DD +><DT +><A +NAME="DOMAINADMINGROUP" +></A +>domain admin group (G)</DT +><DD +><P +>This is an <I +CLASS="EMPHASIS" +>EXPERIMENTAL</I +> parameter + that is part of the unfinished Samba NT Domain Controller Code. It may + be removed in a later release. To work with the latest code builds + that may have more support for Samba NT Domain Controller functionality + please subscribe to the mailing list <A +HREF="mailto:samba-ntdom@samba.org" +TARGET="_top" +>samba-ntdom</A +> available by + visiting the web page at <A +HREF="http://lists.samba.org/" +TARGET="_top" +> http://lists.samba.org/</A +>.</P +></DD +><DT +><A +NAME="DOMAINADMINUSERS" +></A +>domain admin users (G)</DT +><DD +><P +>This is an <I +CLASS="EMPHASIS" +>EXPERIMENTAL</I +> parameter + that is part of the unfinished Samba NT Domain Controller Code. It may + be removed in a later release. To work with the latest code builds + that may have more support for Samba NT Domain Controller functionality + please subscribe to the mailing list <A +HREF="mailto:samba-ntdom@samba.org" +TARGET="_top" +>samba-ntdom</A +> available by + visiting the web page at <A +HREF="http://lists.samba.org/" +TARGET="_top" +> http://lists.samba.org/</A +>.</P +></DD +><DT +><A +NAME="DOMAINGROUPS" +></A +>domain groups (G)</DT +><DD +><P +>This is an <I +CLASS="EMPHASIS" +>EXPERIMENTAL</I +> parameter + that is part of the unfinished Samba NT Domain Controller Code. It may + be removed in a later release. To work with the latest code builds + that may have more support for Samba NT Domain Controller functionality + please subscribe to the mailing list <A +HREF="mailto:samba-ntdom@samba.org" +TARGET="_top" +>samba-ntdom</A +> available by + visiting the web page at <A +HREF="http://lists.samba.org/" +TARGET="_top" +> http://lists.samba.org/</A +>.</P +></DD +><DT +><A +NAME="DOMAINGUESTGROUP" +></A +>domain guest group (G)</DT +><DD +><P +>This is an <I +CLASS="EMPHASIS" +>EXPERIMENTAL</I +> parameter + that is part of the unfinished Samba NT Domain Controller Code. It may + be removed in a later release. To work with the latest code builds + that may have more support for Samba NT Domain Controller functionality + please subscribe to the mailing list <A +HREF="mailto:samba-ntdom@samba.org" +TARGET="_top" +>samba-ntdom</A +> available by + visiting the web page at <A +HREF="http://lists.samba.org/" +TARGET="_top" +> http://lists.samba.org/</A +>.</P +></DD +><DT +><A +NAME="DOMAINGUESTUSERS" +></A +>domain guest users (G)</DT +><DD +><P +>This is an <I +CLASS="EMPHASIS" +>EXPERIMENTAL</I +> parameter + that is part of the unfinished Samba NT Domain Controller Code. It may + be removed in a later release. To work with the latest code builds + that may have more support for Samba NT Domain Controller functionality + please subscribe to the mailing list <A +HREF="mailto:samba-ntdom@samba.org" +TARGET="_top" +>samba-ntdom</A +> available by + visiting the web page at <A +HREF="http://lists.samba.org/" +TARGET="_top" +> http://lists.samba.org/</A +>.</P +></DD +><DT +><A +NAME="DOMAINLOGONS" +></A +>domain logons (G)</DT +><DD +><P +>If set to true, the Samba server will serve + Windows 95/98 Domain logons for the <A +HREF="#WORKGROUP" +> <TT +CLASS="PARAMETER" +><I +>workgroup</I +></TT +></A +> it is in. Samba 2.2 also + has limited capability to act as a domain controller for Windows + NT 4 Domains. For more details on setting up this feature see + the file DOMAINS.txt in the Samba documentation directory <TT +CLASS="FILENAME" +>docs/ + </TT +> shipped with the source code.</P +><P +>Default: <B +CLASS="COMMAND" +>domain logons = no</B +></P +></DD +><DT +><A +NAME="DOMAINMASTER" +></A +>domain master (G)</DT +><DD +><P +>Tell <A +HREF="nmbd.8.html" +TARGET="_top" +><B +CLASS="COMMAND" +> nmbd(8)</B +></A +> to enable WAN-wide browse list + collation. Setting this option causes <B +CLASS="COMMAND" +>nmbd</B +> to + claim a special domain specific NetBIOS name that identifies + it as a domain master browser for its given <A +HREF="#WORKGROUP" +> <TT +CLASS="PARAMETER" +><I +>workgroup</I +></TT +></A +>. Local master browsers + in the same <TT +CLASS="PARAMETER" +><I +>workgroup</I +></TT +> on broadcast-isolated + subnets will give this <B +CLASS="COMMAND" +>nmbd</B +> their local browse lists, + and then ask <A +HREF="smbd.8.html" +TARGET="_top" +><B +CLASS="COMMAND" +>smbd(8)</B +></A +> + for a complete copy of the browse list for the whole wide area + network. Browser clients will then contact their local master browser, + and will receive the domain-wide browse list, instead of just the list + for their broadcast-isolated subnet.</P +><P +>Note that Windows NT Primary Domain Controllers expect to be + able to claim this <TT +CLASS="PARAMETER" +><I +>workgroup</I +></TT +> specific special + NetBIOS name that identifies them as domain master browsers for + that <TT +CLASS="PARAMETER" +><I +>workgroup</I +></TT +> by default (i.e. there is no + way to prevent a Windows NT PDC from attempting to do this). This + means that if this parameter is set and <B +CLASS="COMMAND" +>nmbd</B +> claims + the special name for a <TT +CLASS="PARAMETER" +><I +>workgroup</I +></TT +> before a Windows + NT PDC is able to do so then cross subnet browsing will behave + strangely and may fail.</P +><P +>Default: <B +CLASS="COMMAND" +>domain master = no</B +></P +></DD +><DT +><A +NAME="DONTDESCEND" +></A +>dont descend (S)</DT +><DD +><P +>There are certain directories on some systems + (e.g., the <TT +CLASS="FILENAME" +>/proc</TT +> tree under Linux) that are either not + of interest to clients or are infinitely deep (recursive). This + parameter allows you to specify a comma-delimited list of directories + that the server should always show as empty.</P +><P +>Note that Samba can be very fussy about the exact format + of the "dont descend" entries. For example you may need <TT +CLASS="FILENAME" +> ./proc</TT +> instead of just <TT +CLASS="FILENAME" +>/proc</TT +>. + Experimentation is the best policy :-) </P +><P +>Default: <I +CLASS="EMPHASIS" +>none (i.e., all directories are OK + to descend)</I +></P +><P +>Example: <B +CLASS="COMMAND" +>dont descend = /proc,/dev</B +></P +></DD +><DT +><A +NAME="DOSFILETIMERESOLUTION" +></A +>dos filetime resolution (S)</DT +><DD +><P +>Under the DOS and Windows FAT filesystem, the finest + granularity on time resolution is two seconds. Setting this parameter + for a share causes Samba to round the reported time down to the + nearest two second boundary when a query call that requires one second + resolution is made to <A +HREF="smbd.8.html" +TARGET="_top" +><B +CLASS="COMMAND" +>smbd(8)</B +> + </A +>.</P +><P +>This option is mainly used as a compatibility option for Visual + C++ when used against Samba shares. If oplocks are enabled on a + share, Visual C++ uses two different time reading calls to check if a + file has changed since it was last read. One of these calls uses a + one-second granularity, the other uses a two second granularity. As + the two second call rounds any odd second down, then if the file has a + timestamp of an odd number of seconds then the two timestamps will not + match and Visual C++ will keep reporting the file has changed. Setting + this option causes the two timestamps to match, and Visual C++ is + happy.</P +><P +>Default: <B +CLASS="COMMAND" +>dos filetime resolution = no</B +></P +></DD +><DT +><A +NAME="DOSFILETIMES" +></A +>dos filetimes (S)</DT +><DD +><P +>Under DOS and Windows, if a user can write to a + file they can change the timestamp on it. Under POSIX semantics, + only the owner of the file or root may change the timestamp. By + default, Samba runs with POSIX semantics and refuses to change the + timestamp on a file if the user <B +CLASS="COMMAND" +>smbd</B +> is acting + on behalf of is not the file owner. Setting this option to <TT +CLASS="CONSTANT" +> True</TT +> allows DOS semantics and smbd will change the file + timestamp as DOS requires.</P +><P +>Default: <B +CLASS="COMMAND" +>dos filetimes = no</B +></P +></DD +><DT +><A +NAME="ENCRYPTPASSWORDS" +></A +>encrypt passwords (G)</DT +><DD +><P +>This boolean controls whether encrypted passwords + will be negotiated with the client. Note that Windows NT 4.0 SP3 and + above and also Windows 98 will by default expect encrypted passwords + unless a registry entry is changed. To use encrypted passwords in + Samba see the file ENCRYPTION.txt in the Samba documentation + directory <TT +CLASS="FILENAME" +>docs/</TT +> shipped with the source code.</P +><P +>In order for encrypted passwords to work correctly + <A +HREF="smbd.8.html" +TARGET="_top" +><B +CLASS="COMMAND" +>smbd(8)</B +></A +> must either + have access to a local <A +HREF="smbpasswd.5.html" +TARGET="_top" +><TT +CLASS="FILENAME" +>smbpasswd(5) + </TT +></A +> file (see the <A +HREF="smbpasswd.8.html" +TARGET="_top" +><B +CLASS="COMMAND" +> smbpasswd(8)</B +></A +> program for information on how to set up + and maintain this file), or set the <A +HREF="#SECURITY" +>security=[serve|domain]</A +> parameter which + causes <B +CLASS="COMMAND" +>smbd</B +> to authenticate against another + server.</P +><P +>Default: <B +CLASS="COMMAND" +>encrypt passwords = no</B +></P +></DD +><DT +><A +NAME="EXEC" +></A +>exec (S)</DT +><DD +><P +>This is a synonym for <A +HREF="#PREEXEC" +> <TT +CLASS="PARAMETER" +><I +>preexec</I +></TT +></A +>.</P +></DD +><DT +><A +NAME="FAKEDIRECTORYCREATETIMES" +></A +>fake directory create times (S)</DT +><DD +><P +>NTFS and Windows VFAT file systems keep a create + time for all files and directories. This is not the same as the + ctime - status change time - that Unix keeps, so Samba by default + reports the earliest of the various times Unix does keep. Setting + this parameter for a share causes Samba to always report midnight + 1-1-1980 as the create time for directories.</P +><P +>This option is mainly used as a compatibility option for + Visual C++ when used against Samba shares. Visual C++ generated + makefiles have the object directory as a dependency for each object + file, and a make rule to create the directory. Also, when NMAKE + compares timestamps it uses the creation time when examining a + directory. Thus the object directory will be created if it does not + exist, but once it does exist it will always have an earlier + timestamp than the object files it contains.</P +><P +>However, Unix time semantics mean that the create time + reported by Samba will be updated whenever a file is created or + deleted in the directory. NMAKE therefore finds all object files + in the object directory bar the last one built are out of date + compared to the directory and rebuilds them. Enabling this option + ensures directories always predate their contents and an NMAKE build + will proceed as expected.</P +><P +>Default: <B +CLASS="COMMAND" +>fake directory create times = no</B +></P +></DD +><DT +><A +NAME="FAKEOPLOCKS" +></A +>fake oplocks (S)</DT +><DD +><P +>Oplocks are the way that SMB clients get permission + from a server to locally cache file operations. If a server grants + an oplock (opportunistic lock) then the client is free to assume + that it is the only one accessing the file and it will aggressively + cache file data. With some oplock types the client may even cache + file open/close operations. This can give enormous performance benefits. + </P +><P +>When you set <B +CLASS="COMMAND" +>fake oplocks = yes</B +>, <A +HREF="smbd.8.html" +TARGET="_top" +><B +CLASS="COMMAND" +>smbd(8)</B +></A +> will + always grant oplock requests no matter how many clients are using + the file.</P +><P +>It is generally much better to use the real <A +HREF="#OPLOCKS" +><TT +CLASS="PARAMETER" +><I +>oplocks</I +></TT +></A +> support rather + than this parameter.</P +><P +>If you enable this option on all read-only shares or + shares that you know will only be accessed from one client at a + time such as physically read-only media like CDROMs, you will see + a big performance improvement on many operations. If you enable + this option on shares where multiple clients may be accessing the + files read-write at the same time you can get data corruption. Use + this option carefully!</P +><P +>Default: <B +CLASS="COMMAND" +>fake oplocks = no</B +></P +></DD +><DT +><A +NAME="FOLLOWSYMLINKS" +></A +>follow symlinks (S)</DT +><DD +><P +>This parameter allows the Samba administrator + to stop <A +HREF="smbd.8.html" +TARGET="_top" +><B +CLASS="COMMAND" +>smbd(8)</B +></A +> + from following symbolic links in a particular share. Setting this + parameter to <TT +CLASS="CONSTANT" +>no</TT +> prevents any file or directory + that is a symbolic link from being followed (the user will get an + error). This option is very useful to stop users from adding a + symbolic link to <TT +CLASS="FILENAME" +>/etc/passwd</TT +> in their home + directory for instance. However it will slow filename lookups + down slightly.</P +><P +>This option is enabled (i.e. <B +CLASS="COMMAND" +>smbd</B +> will + follow symbolic links) by default.</P +><P +>Default: <B +CLASS="COMMAND" +>follow symlinks = yes</B +></P +></DD +><DT +><A +NAME="FORCECREATEMODE" +></A +>force create mode (S)</DT +><DD +><P +>This parameter specifies a set of UNIX mode bit + permissions that will <I +CLASS="EMPHASIS" +>always</I +> be set on a + file by Samba. This is done by bitwise 'OR'ing these bits onto + the mode bits of a file that is being created or having its + permissions changed. The default for this parameter is (in octal) + 000. The modes in this parameter are bitwise 'OR'ed onto the file + mode after the mask set in the <TT +CLASS="PARAMETER" +><I +>create mask</I +></TT +> + parameter is applied.</P +><P +>See also the parameter <A +HREF="#CREATEMASK" +><TT +CLASS="PARAMETER" +><I +>create + mask</I +></TT +></A +> for details on masking mode bits on files.</P +><P +>See also the <A +HREF="#INHERITPERMISSIONS" +><TT +CLASS="PARAMETER" +><I +>inherit + permissions</I +></TT +></A +> parameter.</P +><P +>Default: <B +CLASS="COMMAND" +>force create mode = 000</B +></P +><P +>Example: <B +CLASS="COMMAND" +>force create mode = 0755</B +></P +><P +>would force all created files to have read and execute + permissions set for 'group' and 'other' as well as the + read/write/execute bits set for the 'user'.</P +></DD +><DT +><A +NAME="FORCEDIRECTORYMODE" +></A +>force directory mode (S)</DT +><DD +><P +>This parameter specifies a set of UNIX mode bit + permissions that will <I +CLASS="EMPHASIS" +>always</I +> be set on a directory + created by Samba. This is done by bitwise 'OR'ing these bits onto the + mode bits of a directory that is being created. The default for this + parameter is (in octal) 0000 which will not add any extra permission + bits to a created directory. This operation is done after the mode + mask in the parameter <TT +CLASS="PARAMETER" +><I +>directory mask</I +></TT +> is + applied.</P +><P +>See also the parameter <A +HREF="#DIRECTORYMASK" +><TT +CLASS="PARAMETER" +><I +> directory mask</I +></TT +></A +> for details on masking mode bits + on created directories.</P +><P +>See also the <A +HREF="#INHERITPERMISSIONS" +><TT +CLASS="PARAMETER" +><I +> inherit permissions</I +></TT +></A +> parameter.</P +><P +>Default: <B +CLASS="COMMAND" +>force directory mode = 000</B +></P +><P +>Example: <B +CLASS="COMMAND" +>force directory mode = 0755</B +></P +><P +>would force all created directories to have read and execute + permissions set for 'group' and 'other' as well as the + read/write/execute bits set for the 'user'.</P +></DD +><DT +><A +NAME="FORCEDIRECTORYSECURITYMODE" +></A +>force directory security mode (S)</DT +><DD +><P +>This parameter controls what UNIX permission bits + can be modified when a Windows NT client is manipulating the UNIX + permission on a directory using the native NT security dialog box.</P +><P +>This parameter is applied as a mask (OR'ed with) to the + changed permission bits, thus forcing any bits in this mask that + the user may have modified to be on. Essentially, one bits in this + mask may be treated as a set of bits that, when modifying security + on a directory, the user has always set to be 'on'.</P +><P +>If not set explicitly this parameter is set to the same + value as the <A +HREF="#FORCEDIRECTORYMODE" +><TT +CLASS="PARAMETER" +><I +>force + directory mode</I +></TT +></A +> parameter. To allow + a user to modify all the user/group/world permissions on a + directory, with restrictions set this parameter to 000.</P +><P +><I +CLASS="EMPHASIS" +>Note</I +> that users who can access the + Samba server through other means can easily bypass this restriction, + so it is primarily useful for standalone "appliance" systems. + Administrators of most normal systems will probably want to set + it to 0000.</P +><P +>See also the <A +HREF="#DIRECTORYSECURITYMASK" +><TT +CLASS="PARAMETER" +><I +> directory security mask</I +></TT +></A +>, <A +HREF="#SECURITYMASK" +> <TT +CLASS="PARAMETER" +><I +>security mask</I +></TT +></A +>, + <A +HREF="#FORCESECURITYMODE" +><TT +CLASS="PARAMETER" +><I +>force security mode + </I +></TT +></A +> parameters.</P +><P +>Default: <B +CLASS="COMMAND" +>force directory security mode = <same as + force directory mode></B +></P +><P +>Example: <B +CLASS="COMMAND" +>force directory security mode = 0</B +></P +></DD +><DT +><A +NAME="FORCEGROUP" +></A +>force group (S)</DT +><DD +><P +>This specifies a UNIX group name that will be + assigned as the default primary group for all users connecting + to this service. This is useful for sharing files by ensuring + that all access to files on service will use the named group for + their permissions checking. Thus, by assigning permissions for this + group to the files and directories within this service the Samba + administrator can restrict or allow sharing of these files.</P +><P +>In Samba 2.0.5 and above this parameter has extended + functionality in the following way. If the group name listed here + has a '+' character prepended to it then the current user accessing + the share only has the primary group default assigned to this group + if they are already assigned as a member of that group. This allows + an administrator to decide that only users who are already in a + particular group will create files with group ownership set to that + group. This gives a finer granularity of ownership assignment. For + example, the setting <TT +CLASS="FILENAME" +>force group = +sys</TT +> means + that only users who are already in group sys will have their default + primary group assigned to sys when accessing this Samba share. All + other users will retain their ordinary primary group.</P +><P +>If the <A +HREF="#FORCEUSER" +><TT +CLASS="PARAMETER" +><I +>force user + </I +></TT +></A +> parameter is also set the group specified in + <TT +CLASS="PARAMETER" +><I +>force group</I +></TT +> will override the primary group + set in <TT +CLASS="PARAMETER" +><I +>force user</I +></TT +>.</P +><P +>See also <A +HREF="#FORCEUSER" +><TT +CLASS="PARAMETER" +><I +>force + user</I +></TT +></A +>.</P +><P +>Default: <I +CLASS="EMPHASIS" +>no forced group</I +></P +><P +>Example: <B +CLASS="COMMAND" +>force group = agroup</B +></P +></DD +><DT +><A +NAME="FORCESECURITYMODE" +></A +>force security mode (S)</DT +><DD +><P +>This parameter controls what UNIX permission + bits can be modified when a Windows NT client is manipulating + the UNIX permission on a file using the native NT security dialog + box.</P +><P +>This parameter is applied as a mask (OR'ed with) to the + changed permission bits, thus forcing any bits in this mask that + the user may have modified to be on. Essentially, one bits in this + mask may be treated as a set of bits that, when modifying security + on a file, the user has always set to be 'on'.</P +><P +>If not set explicitly this parameter is set to the same + value as the <A +HREF="#FORCECREATEMODE" +><TT +CLASS="PARAMETER" +><I +>force + create mode</I +></TT +></A +> parameter. To allow a user to + modify all the user/group/world permissions on a file, with no + restrictions set this parameter to 000.</P +><P +><I +CLASS="EMPHASIS" +>Note</I +> that users who can access + the Samba server through other means can easily bypass this restriction, + so it is primarily useful for standalone "appliance" systems. + Administrators of most normal systems will probably want to set + it to 0000.</P +><P +>See also the <A +HREF="#FORCEDIRECTORYSECURITYMODE" +><TT +CLASS="PARAMETER" +><I +> force directory security mode</I +></TT +></A +>, + <A +HREF="#DIRECTORYSECURITYMASK" +><TT +CLASS="PARAMETER" +><I +>directory security + mask</I +></TT +></A +>, <A +HREF="#SECURITYMASK" +><TT +CLASS="PARAMETER" +><I +> security mask</I +></TT +></A +> parameters.</P +><P +>Default: <B +CLASS="COMMAND" +>force security mode = <same as force + create mode></B +></P +><P +>Example: <B +CLASS="COMMAND" +>force security mode = 0</B +></P +></DD +><DT +><A +NAME="FORCEUSER" +></A +>force user (S)</DT +><DD +><P +>This specifies a UNIX user name that will be + assigned as the default user for all users connecting to this service. + This is useful for sharing files. You should also use it carefully + as using it incorrectly can cause security problems.</P +><P +>This user name only gets used once a connection is established. + Thus clients still need to connect as a valid user and supply a + valid password. Once connected, all file operations will be performed + as the "forced user", no matter what username the client connected + as.</P +><P +>This can be very useful.</P +><P +>In Samba 2.0.5 and above this parameter also causes the + primary group of the forced user to be used as the primary group + for all file activity. Prior to 2.0.5 the primary group was left + as the primary group of the connecting user (this was a bug).</P +><P +>See also <A +HREF="#FORCEGROUP" +><TT +CLASS="PARAMETER" +><I +>force group + </I +></TT +></A +></P +><P +>Default: <I +CLASS="EMPHASIS" +>no forced user</I +></P +><P +>Example: <B +CLASS="COMMAND" +>force user = auser</B +></P +></DD +><DT +><A +NAME="FSTYPE" +></A +>fstype (S)</DT +><DD +><P +>This parameter allows the administrator to + configure the string that specifies the type of filesystem a share + is using that is reported by <A +HREF="smbd.8.html" +TARGET="_top" +><B +CLASS="COMMAND" +>smbd(8) + </B +></A +> when a client queries the filesystem type + for a share. The default type is <TT +CLASS="CONSTANT" +>NTFS</TT +> for + compatibility with Windows NT but this can be changed to other + strings such as <TT +CLASS="CONSTANT" +>Samba</TT +> or <TT +CLASS="CONSTANT" +>FAT + </TT +> if required.</P +><P +>Default: <B +CLASS="COMMAND" +>fstype = NTFS</B +></P +><P +>Example: <B +CLASS="COMMAND" +>fstype = Samba</B +></P +></DD +><DT +><A +NAME="GETWDCACHE" +></A +>getwd cache (G)</DT +><DD +><P +>This is a tuning option. When this is enabled a + caching algorithm will be used to reduce the time taken for getwd() + calls. This can have a significant impact on performance, especially + when the <A +HREF="#WIDELINKS" +><TT +CLASS="PARAMETER" +><I +>wide links</I +></TT +> + </A +>parameter is set to <TT +CLASS="CONSTANT" +>False</TT +>.</P +><P +>Default: <B +CLASS="COMMAND" +>getwd cache = No</B +></P +></DD +><DT +><A +NAME="GROUP" +></A +>group (S)</DT +><DD +><P +>Synonym for <A +HREF="#FORCEGROUP" +><TT +CLASS="PARAMETER" +><I +>force + group</I +></TT +></A +>.</P +></DD +><DT +><A +NAME="GUESTACCOUNT" +></A +>guest account (S)</DT +><DD +><P +>This is a username which will be used for access + to services which are specified as <A +HREF="#GUESTOK" +><TT +CLASS="PARAMETER" +><I +> guest ok</I +></TT +></A +> (see below). Whatever privileges this + ser has will be available to any client connecting to the guest service. + Typically this user will exist in the password file, but will not + have a valid login. The user account "ftp" is often a good choice + for this parameter. If a username is specified in a given service, + the specified username overrides this one.</P +><P +>One some systems the default guest account "nobody" may not + be able to print. Use another account in this case. You should test + this by trying to log in as your guest user (perhaps by using the + <B +CLASS="COMMAND" +>su -</B +> command) and trying to print using the + system print command such as <B +CLASS="COMMAND" +>lpr(1)</B +> or <B +CLASS="COMMAND" +> lp(1)</B +>.</P +><P +>Default: <I +CLASS="EMPHASIS" +>specified at compile time, usually + "nobody"</I +></P +><P +>Example: <B +CLASS="COMMAND" +>guest account = ftp</B +></P +></DD +><DT +><A +NAME="GUESTOK" +></A +>guest ok (S)</DT +><DD +><P +>If this parameter is <TT +CLASS="CONSTANT" +>yes</TT +> for + a service, then no password is equired to connect to the service. + Privileges will be those of the <A +HREF="#GUESTACCOUNT" +><TT +CLASS="PARAMETER" +><I +> guest account</I +></TT +></A +>.</P +><P +>See the section below on <A +HREF="#SECURITY" +><TT +CLASS="PARAMETER" +><I +> security</I +></TT +></A +> for more information about this option. + </P +><P +>Default: <B +CLASS="COMMAND" +>guest ok = no</B +></P +></DD +><DT +><A +NAME="GUESTONLY" +></A +>guest only (S)</DT +><DD +><P +>If this parameter is <TT +CLASS="CONSTANT" +>yes</TT +> for + a service, then only guest connections to the service are permitted. + This parameter will have no affect if <A +HREF="#GUESTOK" +> <TT +CLASS="PARAMETER" +><I +>guest ok</I +></TT +></A +> is not set for the service.</P +><P +>See the section below on <A +HREF="#SECURITY" +><TT +CLASS="PARAMETER" +><I +> security</I +></TT +></A +> for more information about this option. + </P +><P +>Default: <B +CLASS="COMMAND" +>guest only = no</B +></P +></DD +><DT +><A +NAME="HIDEDOTFILES" +></A +>hide dot files (S)</DT +><DD +><P +>This is a boolean parameter that controls whether + files starting with a dot appear as hidden files.</P +><P +>Default: <B +CLASS="COMMAND" +>hide dot files = yes</B +></P +></DD +><DT +><A +NAME="HIDEFILES" +></A +>hide files(S)</DT +><DD +><P +>This is a list of files or directories that are not + visible but are accessible. The DOS 'hidden' attribute is applied + to any files or directories that match.</P +><P +>Each entry in the list must be separated by a '/', + which allows spaces to be included in the entry. '*' + and '?' can be used to specify multiple files or directories + as in DOS wildcards.</P +><P +>Each entry must be a Unix path, not a DOS path and must + not include the Unix directory separator '/'.</P +><P +>Note that the case sensitivity option is applicable + in hiding files.</P +><P +>Setting this parameter will affect the performance of Samba, + as it will be forced to check all files and directories for a match + as they are scanned.</P +><P +>See also <A +HREF="#HIDEDOTFILES" +><TT +CLASS="PARAMETER" +><I +>hide + dot files</I +></TT +></A +>, <A +HREF="#VETOFILES" +><TT +CLASS="PARAMETER" +><I +> veto files</I +></TT +></A +> and <A +HREF="#CASESENSITIVE" +> <TT +CLASS="PARAMETER" +><I +>case sensitive</I +></TT +></A +>.</P +><P +>Default: <I +CLASS="EMPHASIS" +>no file are hidden</I +></P +><P +>Example: <B +CLASS="COMMAND" +>hide files = + /.*/DesktopFolderDB/TrashFor%m/resource.frk/</B +></P +><P +>The above example is based on files that the Macintosh + SMB client (DAVE) available from <A +HREF="http://www.thursby.com" +TARGET="_top" +> + Thursby</A +> creates for internal use, and also still hides + all files beginning with a dot.</P +></DD +><DT +><A +NAME="HIDELOCALUSERS" +></A +>hide local users(G)</DT +><DD +><P +>This parameter toggles the hiding of local UNIX + users (root, wheel, floppy, etc) from remote clients.</P +><P +>Default: <B +CLASS="COMMAND" +>hide local users = no</B +></P +></DD +><DT +><A +NAME="HOMEDIRMAP" +></A +>homedir map (G)</DT +><DD +><P +>If<A +HREF="#NISHOMEDIR" +><TT +CLASS="PARAMETER" +><I +>nis homedir + </I +></TT +></A +> is <TT +CLASS="CONSTANT" +>True</TT +>, and <A +HREF="smbd.8.html" +TARGET="_top" +><B +CLASS="COMMAND" +>smbd(8)</B +></A +> is also acting + as a Win95/98 <TT +CLASS="PARAMETER" +><I +>logon server</I +></TT +> then this parameter + specifies the NIS (or YP) map from which the server for the user's + home directory should be extracted. At present, only the Sun + auto.home map format is understood. The form of the map is:</P +><P +><B +CLASS="COMMAND" +>username server:/some/file/system</B +></P +><P +>and the program will extract the servername from before + the first ':'. There should probably be a better parsing system + that copes with different map formats and also Amd (another + automounter) maps.</P +><P +><I +CLASS="EMPHASIS" +>NOTE :</I +>A working NIS client is required on + the system for this option to work.</P +><P +>See also <A +HREF="#NISHOMEDIR" +><TT +CLASS="PARAMETER" +><I +>nis homedir</I +></TT +> + </A +>, <A +HREF="#DOMAINLOGONS" +><TT +CLASS="PARAMETER" +><I +>domain logons</I +></TT +> + </A +>.</P +><P +>Default: <B +CLASS="COMMAND" +>homedir map = auto.home</B +></P +><P +>Example: <B +CLASS="COMMAND" +>homedir map = amd.homedir</B +></P +></DD +><DT +><A +NAME="HOSTSALLOW" +></A +>hosts allow (S)</DT +><DD +><P +>A synonym for this parameter is <TT +CLASS="PARAMETER" +><I +>allow + hosts</I +></TT +>.</P +><P +>This parameter is a comma, space, or tab delimited + set of hosts which are permitted to access a service.</P +><P +>If specified in the [global] section then it will + apply to all services, regardless of whether the individual + service has a different setting.</P +><P +>You can specify the hosts by name or IP number. For + example, you could restrict access to only the hosts on a + Class C subnet with something like <B +CLASS="COMMAND" +>allow hosts = 150.203.5. + </B +>. The full syntax of the list is described in the man + page <TT +CLASS="FILENAME" +>hosts_access(5)</TT +>. Note that this man + page may not be present on your system, so a brief description will + be given here also.</P +><P +>Note that the localhost address 127.0.0.1 will always + be allowed access unless specifically denied by a <A +HREF="#HOSTSDENY" +><TT +CLASS="PARAMETER" +><I +>hosts deny</I +></TT +></A +> option.</P +><P +>You can also specify hosts by network/netmask pairs and + by netgroup names if your system supports netgroups. The + <I +CLASS="EMPHASIS" +>EXCEPT</I +> keyword can also be used to limit a + wildcard list. The following examples may provide some help:</P +><P +>Example 1: allow all IPs in 150.203.*.*; except one</P +><P +><B +CLASS="COMMAND" +>hosts allow = 150.203. EXCEPT 150.203.6.66</B +></P +><P +>Example 2: allow hosts that match the given network/netmask</P +><P +><B +CLASS="COMMAND" +>hosts allow = 150.203.15.0/255.255.255.0</B +></P +><P +>Example 3: allow a couple of hosts</P +><P +><B +CLASS="COMMAND" +>hosts allow = lapland, arvidsjaur</B +></P +><P +>Example 4: allow only hosts in NIS netgroup "foonet", but + deny access from one particular host</P +><P +><B +CLASS="COMMAND" +>hosts allow = @foonet</B +></P +><P +><B +CLASS="COMMAND" +>hosts deny = pirate</B +></P +><P +>Note that access still requires suitable user-level passwords.</P +><P +>See <A +HREF="testparm.1.html" +TARGET="_top" +><B +CLASS="COMMAND" +>testparm(1)</B +> + </A +> for a way of testing your host access to see if it does + what you expect.</P +><P +>Default: <I +CLASS="EMPHASIS" +>none (i.e., all hosts permitted access) + </I +></P +><P +>Example: <B +CLASS="COMMAND" +>allow hosts = 150.203.5. myhost.mynet.edu.au + </B +></P +></DD +><DT +><A +NAME="HOSTSDENY" +></A +>hosts deny (S)</DT +><DD +><P +>The opposite of <TT +CLASS="PARAMETER" +><I +>hosts allow</I +></TT +> + - hosts listed here are <I +CLASS="EMPHASIS" +>NOT</I +> permitted access to + services unless the specific services have their own lists to override + this one. Where the lists conflict, the <TT +CLASS="PARAMETER" +><I +>allow</I +></TT +> + list takes precedence.</P +><P +>Default: <I +CLASS="EMPHASIS" +>none (i.e., no hosts specifically excluded) + </I +></P +><P +>Example: <B +CLASS="COMMAND" +>hosts deny = 150.203.4. badhost.mynet.edu.au + </B +></P +></DD +><DT +><A +NAME="HOSTSEQUIV" +></A +>hosts equiv (G)</DT +><DD +><P +>If this global parameter is a non-null string, + it specifies the name of a file to read for the names of hosts + and users who will be allowed access without specifying a password. + </P +><P +>This is not be confused with <A +HREF="#HOSTSALLOW" +> <TT +CLASS="PARAMETER" +><I +>hosts allow</I +></TT +></A +> which is about hosts + access to services and is more useful for guest services. <TT +CLASS="PARAMETER" +><I +> hosts equiv</I +></TT +> may be useful for NT clients which will + not supply passwords to samba.</P +><P +><I +CLASS="EMPHASIS" +>NOTE :</I +> The use of <TT +CLASS="PARAMETER" +><I +>hosts equiv + </I +></TT +> can be a major security hole. This is because you are + trusting the PC to supply the correct username. It is very easy to + get a PC to supply a false username. I recommend that the + <TT +CLASS="PARAMETER" +><I +>hosts equiv</I +></TT +> option be only used if you really + know what you are doing, or perhaps on a home network where you trust + your spouse and kids. And only if you <I +CLASS="EMPHASIS" +>really</I +> trust + them :-).</P +><P +>Default: <I +CLASS="EMPHASIS" +>no host equivalences</I +></P +><P +>Example: <B +CLASS="COMMAND" +>hosts equiv = /etc/hosts.equiv</B +></P +></DD +><DT +><A +NAME="INCLUDE" +></A +>include (G)</DT +><DD +><P +>This allows you to include one config file + inside another. The file is included literally, as though typed + in place.</P +><P +>It takes the standard substitutions, except <TT +CLASS="PARAMETER" +><I +>%u + </I +></TT +>, <TT +CLASS="PARAMETER" +><I +>%P</I +></TT +> and <TT +CLASS="PARAMETER" +><I +>%S</I +></TT +>. + </P +><P +>Default: <I +CLASS="EMPHASIS" +>no file included</I +></P +><P +>Example: <B +CLASS="COMMAND" +>include = /usr/local/samba/lib/admin_smb.conf + </B +></P +></DD +><DT +><A +NAME="INHERITPERMISSIONS" +></A +>inherit permissions (S)</DT +><DD +><P +>The permissions on new files and directories + are normally governed by <A +HREF="#CREATEMASK" +><TT +CLASS="PARAMETER" +><I +> create mask</I +></TT +></A +>, <A +HREF="#DIRECTORYMASK" +> <TT +CLASS="PARAMETER" +><I +>directory mask</I +></TT +></A +>, <A +HREF="#FORCECREATEMODE" +><TT +CLASS="PARAMETER" +><I +>force create mode</I +></TT +> + </A +> and <A +HREF="#FORCEDIRECTORYMODE" +><TT +CLASS="PARAMETER" +><I +>force + directory mode</I +></TT +></A +> but the boolean inherit + permissions parameter overrides this.</P +><P +>New directories inherit the mode of the parent directory, + including bits such as setgid.</P +><P +>New files inherit their read/write bits from the parent + directory. Their execute bits continue to be determined by + <A +HREF="#MAPARCHIVE" +><TT +CLASS="PARAMETER" +><I +>map archive</I +></TT +> + </A +>, <A +HREF="#MAPHIDDEN" +><TT +CLASS="PARAMETER" +><I +>map hidden</I +></TT +> + </A +> and <A +HREF="#MAPSYSTEM" +><TT +CLASS="PARAMETER" +><I +>map system</I +></TT +> + </A +> as usual.</P +><P +>Note that the setuid bit is <I +CLASS="EMPHASIS" +>never</I +> set via + inheritance (the code explicitly prohibits this).</P +><P +>This can be particularly useful on large systems with + many users, perhaps several thousand,to allow a single [homes] + share to be used flexibly by each user.</P +><P +>See also <A +HREF="#CREATEMASK" +><TT +CLASS="PARAMETER" +><I +>create mask + </I +></TT +></A +>, <A +HREF="#DIRECTORYMASK" +><TT +CLASS="PARAMETER" +><I +> directory mask</I +></TT +></A +>, <A +HREF="#FORCECREATEMODE" +> <TT +CLASS="PARAMETER" +><I +>force create mode</I +></TT +></A +> and <A +HREF="#FORCEDIRECTORYMODE" +><TT +CLASS="PARAMETER" +><I +>force directory mode</I +></TT +> + </A +>.</P +><P +>Default: <B +CLASS="COMMAND" +>inherit permissions = no</B +></P +></DD +><DT +><A +NAME="INTERFACES" +></A +>interfaces (G)</DT +><DD +><P +>This option allows you to override the default + network interfaces list that Samba will use for browsing, name + registration and other NBT traffic. By default Samba will query + the kernel for the list of all active interfaces and use any + interfaces except 127.0.0.1 that are broadcast capable.</P +><P +>The option takes a list of interface strings. Each string + can be in any of the following forms:</P +><P +></P +><UL +><LI +><P +>a network interface name (such as eth0). + This may include shell-like wildcards so eth* will match + any interface starting with the substring "eth"</P +></LI +><LI +><P +>an IP address. In this case the netmask is + determined from the list of interfaces obtained from the + kernel</P +></LI +><LI +><P +>an IP/mask pair. </P +></LI +><LI +><P +>a broadcast/mask pair.</P +></LI +></UL +><P +>The "mask" parameters can either be a bit length (such + as 24 for a C class network) or a full netmask in dotted + decmal form.</P +><P +>The "IP" parameters above can either be a full dotted + decimal IP address or a hostname which will be looked up via + the OSes normal hostname resolution mechanisms.</P +><P +>For example, the following line:</P +><P +><B +CLASS="COMMAND" +>interfaces = eth0 192.168.2.10/24 192.168.3.10/255.255.255.0 + </B +></P +><P +>would configure three network interfaces corresponding + to the eth0 device and IP addresses 192.168.2.10 and 192.168.3.10. + The netmasks of the latter two interfaces would be set to 255.255.255.0.</P +><P +>See also <A +HREF="#BINDINTERFACESONLY" +><TT +CLASS="PARAMETER" +><I +>bind + interfaces only</I +></TT +></A +>.</P +></DD +><DT +><A +NAME="INVALIDUSERS" +></A +>invalid users (S)</DT +><DD +><P +>This is a list of users that should not be allowed + to login to this service. This is really a <I +CLASS="EMPHASIS" +>paranoid</I +> + check to absolutely ensure an improper setting does not breach + your security.</P +><P +>A name starting with a '@' is interpreted as an NIS + netgroup first (if your system supports NIS), and then as a UNIX + group if the name was not found in the NIS netgroup database.</P +><P +>A name starting with '+' is interpreted only + by looking in the UNIX group database. A name starting with + '&' is interpreted only by looking in the NIS netgroup database + (this requires NIS to be working on your system). The characters + '+' and '&' may be used at the start of the name in either order + so the value <TT +CLASS="PARAMETER" +><I +>+&group</I +></TT +> means check the + UNIX group database, followed by the NIS netgroup database, and + the value <TT +CLASS="PARAMETER" +><I +>&+group"</I +></TT +> means check the NIS + netgroup database, followed by the UNIX group database (the + same as the '@' prefix).</P +><P +>The current servicename is substituted for <TT +CLASS="PARAMETER" +><I +>%S</I +></TT +>. + This is useful in the [homes] section.</P +><P +>See also <A +HREF="#VALIDUSERS" +><TT +CLASS="PARAMETER" +><I +>valid users + </I +></TT +></A +>.</P +><P +>Default: <I +CLASS="EMPHASIS" +>no invalid users</I +></P +><P +>Example: <B +CLASS="COMMAND" +>invalid users = root fred admin @wheel + </B +></P +></DD +><DT +><A +NAME="KEEPALIVE" +></A +>keepalive (G)</DT +><DD +><P +>The value of the parameter (an integer) represents + the number of seconds between <TT +CLASS="PARAMETER" +><I +>keepalive</I +></TT +> + packets. If this parameter is zero, no keepalive packets will be + sent. Keepalive packets, if sent, allow the server to tell whether + a client is still present and responding.</P +><P +>Keepalives should, in general, not be needed if the socket + being used has the SO_KEEPALIVE attribute set on it (see <A +HREF="#SOCKETOPTIONS" +><TT +CLASS="PARAMETER" +><I +>socket options</I +></TT +></A +>). + Basically you should only use this option if you strike difficulties.</P +><P +>Default: <B +CLASS="COMMAND" +>keepalive = 0</B +></P +><P +>Example: <B +CLASS="COMMAND" +>keepalive = 60</B +></P +></DD +><DT +><A +NAME="KERNELOPLOCKS" +></A +>kernel oplocks (G)</DT +><DD +><P +>For UNIXs that support kernel based <A +HREF="#OPLOCKS" +><TT +CLASS="PARAMETER" +><I +>oplocks</I +></TT +></A +> + (currently only IRIX and the Linux 2.4 kernel), this parameter + allows the use of them to be turned on or off.</P +><P +>Kernel oplocks support allows Samba <TT +CLASS="PARAMETER" +><I +>oplocks + </I +></TT +> to be broken whenever a local UNIX process or NFS operation + accesses a file that <A +HREF="smbd.8.html" +TARGET="_top" +><B +CLASS="COMMAND" +>smbd(8)</B +> + </A +> has oplocked. This allows complete data consistency between + SMB/CIFS, NFS and local file access (and is a <I +CLASS="EMPHASIS" +>very</I +> + cool feature :-).</P +><P +>This parameter defaults to <TT +CLASS="CONSTANT" +>on</TT +> on systems + that have the support, and <TT +CLASS="CONSTANT" +>off</TT +> on systems that + don't. You should never need to touch this parameter.</P +><P +>See also the <A +HREF="#OPLOCKS" +><TT +CLASS="PARAMETER" +><I +>oplocks</I +></TT +> + </A +> and <A +HREF="#LEVEL2OPLOCKS" +><TT +CLASS="PARAMETER" +><I +>level2 oplocks + </I +></TT +></A +> parameters.</P +><P +>Default: <B +CLASS="COMMAND" +>kernel oplocks = yes</B +></P +></DD +><DT +><A +NAME="LEVEL2OPLOCKS" +></A +>level2 oplocks (S)</DT +><DD +><P +>This parameter controls whether Samba supports + level2 (read-only) oplocks on a share.</P +><P +>Level2, or read-only oplocks allow Windows NT clients + that have an oplock on a file to downgrade from a read-write oplock + to a read-only oplock once a second client opens the file (instead + of releasing all oplocks on a second open, as in traditional, + exclusive oplocks). This allows all openers of the file that + support level2 oplocks to cache the file for read-ahead only (ie. + they may not cache writes or lock requests) and increases performance + for many acesses of files that are not commonly written (such as + application .EXE files).</P +><P +>Once one of the clients which have a read-only oplock + writes to the file all clients are notified (no reply is needed + or waited for) and told to break their oplocks to "none" and + delete any read-ahead caches.</P +><P +>It is recommended that this parameter be turned on + to speed access to shared executables (and also to test + the code :-).</P +><P +>For more discussions on level2 oplocks see the CIFS spec.</P +><P +>Currently, if <A +HREF="#KERNELOPLOCKS" +><TT +CLASS="PARAMETER" +><I +>kernel + oplocks</I +></TT +></A +> are supported then level2 oplocks are + not granted (even if this parameter is set to <TT +CLASS="CONSTANT" +>yes</TT +>). + Note also, the <A +HREF="#OPLOCKS" +><TT +CLASS="PARAMETER" +><I +>oplocks</I +></TT +> + </A +> parameter must be set to "true" on this share in order for + this parameter to have any effect.</P +><P +>See also the <A +HREF="#OPLOCKS" +><TT +CLASS="PARAMETER" +><I +>oplocks</I +></TT +> + </A +> and <A +HREF="#OPLOCKS" +><TT +CLASS="PARAMETER" +><I +>kernel oplocks</I +></TT +> + </A +> parameters.</P +><P +>Default: <B +CLASS="COMMAND" +>level2 oplocks = False</B +></P +></DD +><DT +><A +NAME="LMANNOUNCE" +></A +>lm announce (G)</DT +><DD +><P +>This parameter determines if <A +HREF="nmbd.8.html" +TARGET="_top" +> <B +CLASS="COMMAND" +>nmbd(8)</B +></A +> will produce Lanman announce + broadcasts that are needed by OS/2 clients in order for them to see + the Samba server in their browse list. This parameter can have three + values, <TT +CLASS="CONSTANT" +>true</TT +>, <TT +CLASS="CONSTANT" +>false</TT +>, or + <TT +CLASS="CONSTANT" +>auto</TT +>. The default is <TT +CLASS="CONSTANT" +>auto</TT +>. + If set to <TT +CLASS="CONSTANT" +>false</TT +> Samba will never produce these + broadcasts. If set to <TT +CLASS="CONSTANT" +>true</TT +> Samba will produce + Lanman announce broadcasts at a frequency set by the parameter + <TT +CLASS="PARAMETER" +><I +>lm interval</I +></TT +>. If set to <TT +CLASS="CONSTANT" +>auto</TT +> + Samba will not send Lanman announce broadcasts by default but will + listen for them. If it hears such a broadcast on the wire it will + then start sending them at a frequency set by the parameter + <TT +CLASS="PARAMETER" +><I +>lm interval</I +></TT +>.</P +><P +>See also <A +HREF="#LMINTERVAL" +><TT +CLASS="PARAMETER" +><I +>lm interval + </I +></TT +></A +>.</P +><P +>Default: <B +CLASS="COMMAND" +>lm announce = auto</B +></P +><P +>Example: <B +CLASS="COMMAND" +>lm announce = true</B +></P +></DD +><DT +><A +NAME="LMINTERVAL" +></A +>lm interval (G)</DT +><DD +><P +>If Samba is set to produce Lanman announce + broadcasts needed by OS/2 clients (see the <A +HREF="#LMANNOUNCE" +> <TT +CLASS="PARAMETER" +><I +>lm announce</I +></TT +></A +> parameter) then this + parameter defines the frequency in seconds with which they will be + made. If this is set to zero then no Lanman announcements will be + made despite the setting of the <TT +CLASS="PARAMETER" +><I +>lm announce</I +></TT +> + parameter.</P +><P +>See also <A +HREF="#LMANNOUNCE" +><TT +CLASS="PARAMETER" +><I +>lm + announce</I +></TT +></A +>.</P +><P +>Default: <B +CLASS="COMMAND" +>lm interval = 60</B +></P +><P +>Example: <B +CLASS="COMMAND" +>lm interval = 120</B +></P +></DD +><DT +><A +NAME="LOADPRINTERS" +></A +>load printers (G)</DT +><DD +><P +>A boolean variable that controls whether all + printers in the printcap will be loaded for browsing by default. + See the <A +HREF="#AEN78" +>printers</A +> section for + more details.</P +><P +>Default: <B +CLASS="COMMAND" +>load printers = yes</B +></P +></DD +><DT +><A +NAME="LOCALMASTER" +></A +>local master (G)</DT +><DD +><P +>This option allows <A +HREF="nmbd.8.html" +TARGET="_top" +><B +CLASS="COMMAND" +> nmbd(8)</B +></A +> to try and become a local master browser + on a subnet. If set to <TT +CLASS="CONSTANT" +>False</TT +> then <B +CLASS="COMMAND" +> nmbd</B +> will not attempt to become a local master browser + on a subnet and will also lose in all browsing elections. By + default this value is set to true. Setting this value to true doesn't + mean that Samba will <I +CLASS="EMPHASIS" +>become</I +> the local master + browser on a subnet, just that <B +CLASS="COMMAND" +>nmbd</B +> will <I +CLASS="EMPHASIS" +> participate</I +> in elections for local master browser.</P +><P +>Setting this value to False will cause <B +CLASS="COMMAND" +>nmbd</B +> + <I +CLASS="EMPHASIS" +>never</I +> to become a local master browser.</P +><P +>Default: <B +CLASS="COMMAND" +>local master = yes</B +></P +></DD +><DT +><A +NAME="LOCKDIR" +></A +>lock dir (G)</DT +><DD +><P +>Synonym for <A +HREF="#LOCKDIRECTORY" +><TT +CLASS="PARAMETER" +><I +> lock directory</I +></TT +></A +>.</P +></DD +><DT +><A +NAME="LOCKDIRECTORY" +></A +>lock directory (G)</DT +><DD +><P +>This option specifies the directory where lock + files will be placed. The lock files are used to implement the + <A +HREF="#MAXCONNECTIONS" +><TT +CLASS="PARAMETER" +><I +>max connections</I +></TT +> + </A +> option.</P +><P +>Default: <B +CLASS="COMMAND" +>lock directory = /tmp/samba</B +></P +><P +>Example: <B +CLASS="COMMAND" +>lock directory = /usr/local/samba/var/locks</B +> + </P +></DD +><DT +><A +NAME="LOCKING" +></A +>locking (S)</DT +><DD +><P +>This controls whether or not locking will be + performed by the server in response to lock requests from the + client.</P +><P +>If <B +CLASS="COMMAND" +>locking = no</B +>, all lock and unlock requests + will appear to succeed and all lock queries will indicate that the + queried lock is clear.</P +><P +>If <B +CLASS="COMMAND" +>locking = yes</B +>, real locking will be performed + by the server.</P +><P +>This option <I +CLASS="EMPHASIS" +>may</I +> be useful for read-only + filesystems which <I +CLASS="EMPHASIS" +>may</I +> not need locking (such as + cdrom drives), although setting this parameter of <TT +CLASS="CONSTANT" +>no</TT +> + is not really recommended even in this case.</P +><P +>Be careful about disabling locking either globally or in a + specific service, as lack of locking may result in data corruption. + You should never need to set this parameter.</P +><P +>Default: <B +CLASS="COMMAND" +>locking = yes</B +></P +></DD +><DT +><A +NAME="LOGFILE" +></A +>log file (G)</DT +><DD +><P +>This options allows you to override the name + of the Samba log file (also known as the debug file).</P +><P +>This option takes the standard substitutions, allowing + you to have separate log files for each user or machine.</P +><P +>Example: <B +CLASS="COMMAND" +>log file = /usr/local/samba/var/log.%m + </B +></P +></DD +><DT +><A +NAME="LOGLEVEL" +></A +>log level (G)</DT +><DD +><P +>Synonym for <A +HREF="#DEBUGLEVEL" +><TT +CLASS="PARAMETER" +><I +> debug level</I +></TT +></A +>.</P +></DD +><DT +><A +NAME="LOGONDRIVE" +></A +>logon drive (G)</DT +><DD +><P +>This parameter specifies the local path to + which the home directory will be connected (see <A +HREF="#LOGONHOME" +><TT +CLASS="PARAMETER" +><I +>logon home</I +></TT +></A +>) + and is only used by NT Workstations. </P +><P +>Note that this option is only useful if Samba is set up as a + logon server.</P +><P +>Default: <B +CLASS="COMMAND" +>logon drive = z:</B +></P +><P +>Example: <B +CLASS="COMMAND" +>logon drive = h:</B +></P +></DD +><DT +><A +NAME="LOGONHOME" +></A +>logon home (G)</DT +><DD +><P +>This parameter specifies the home directory + location when a Win95/98 or NT Workstation logs into a Samba PDC. + It allows you to do </P +><P +><TT +CLASS="PROMPT" +>C:\> </TT +><TT +CLASS="USERINPUT" +><B +>NET USE H: /HOME</B +></TT +> + </P +><P +>from a command prompt, for example.</P +><P +>This option takes the standard substitutions, allowing + you to have separate logon scripts for each user or machine.</P +><P +>This parameter can be used with Win9X workstations to ensure + that roaming profiles are stored in a subdirectory of the user's + home directory. This is done in the following way:</P +><P +><B +CLASS="COMMAND" +>logon home = \\%L\%U\profile</B +></P +><P +>This tells Samba to return the above string, with + substitutions made when a client requests the info, generally + in a NetUserGetInfo request. Win9X clients truncate the info to + \\server\share when a user does <B +CLASS="COMMAND" +>net use /home"</B +> + but use the whole string when dealing with profiles.</P +><P +>Note that in prior versions of Samba, the <A +HREF="#LOGONPATH" +> <TT +CLASS="PARAMETER" +><I +>logon path</I +></TT +></A +> was returned rather than + <TT +CLASS="PARAMETER" +><I +>logon home</I +></TT +>. This broke <B +CLASS="COMMAND" +>net use + /home</B +> but allowed profiles outside the home directory. + The current implementation is correct, and can be used for + profiles if you use the above trick.</P +><P +>This option is only useful if Samba is set up as a logon + server.</P +><P +>Default: <B +CLASS="COMMAND" +>logon home = "\\%N\%U"</B +></P +><P +>Example: <B +CLASS="COMMAND" +>logon home = "\\remote_smb_server\%U"</B +> + </P +></DD +><DT +><A +NAME="LOGONPATH" +></A +>logon path (G)</DT +><DD +><P +>This parameter specifies the home directory + where roaming profiles (NTuser.dat etc files for Windows NT) are + stored. Contrary to previous versions of these manual pages, it has + nothing to do with Win 9X roaming profiles. To find out how to + handle roaming profiles for Win 9X system, see the <A +HREF="#LOGONHOME" +> <TT +CLASS="PARAMETER" +><I +>logon home</I +></TT +></A +> parameter.</P +><P +>This option takes the standard substitutions, allowing you + to have separate logon scripts for each user or machine. It also + specifies the directory from which the "Application Data", + (<TT +CLASS="FILENAME" +>desktop</TT +>, <TT +CLASS="FILENAME" +>start menu</TT +>, + <TT +CLASS="FILENAME" +>network neighborhood</TT +>, <TT +CLASS="FILENAME" +>programs</TT +> + and other folders, and their contents, are loaded and displayed on + your Windows NT client.</P +><P +>The share and the path must be readable by the user for + the preferences and directories to be loaded onto the Windows NT + client. The share must be writeable when the logs in for the first + time, in order that the Windows NT client can create the NTuser.dat + and other directories.</P +><P +>Thereafter, the directories and any of the contents can, + if required, be made read-only. It is not advisable that the + NTuser.dat file be made read-only - rename it to NTuser.man to + achieve the desired effect (a <I +CLASS="EMPHASIS" +>MAN</I +>datory + profile). </P +><P +>Windows clients can sometimes maintain a connection to + the [homes] share, even though there is no user logged in. + Therefore, it is vital that the logon path does not include a + reference to the homes share (i.e. setting this parameter to + \%N\%U\profile_path will cause problems).</P +><P +>This option takes the standard substitutions, allowing + you to have separate logon scripts for each user or machine.</P +><P +>Note that this option is only useful if Samba is set up + as a logon server.</P +><P +>Default: <B +CLASS="COMMAND" +>logon path = \\%N\%U\profile</B +></P +><P +>Example: <B +CLASS="COMMAND" +>logon path = \\PROFILESERVER\PROFILE\%U</B +></P +></DD +><DT +><A +NAME="LOGONSCRIPT" +></A +>logon script (G)</DT +><DD +><P +>This parameter specifies the batch file (.bat) or + NT command file (.cmd) to be downloaded and run on a machine when + a user successfully logs in. The file must contain the DOS + style cr/lf line endings. Using a DOS-style editor to create the + file is recommended.</P +><P +>The script must be a relative path to the [netlogon] + service. If the [netlogon] service specifies a <A +HREF="#PATH" +> <TT +CLASS="PARAMETER" +><I +>path</I +></TT +></A +> of <TT +CLASS="FILENAME" +>/usr/local/samba/netlogon + </TT +>, and <B +CLASS="COMMAND" +>logon script = STARTUP.BAT</B +>, then + the file that will be downloaded is:</P +><P +><TT +CLASS="FILENAME" +>/usr/local/samba/netlogon/STARTUP.BAT</TT +></P +><P +>The contents of the batch file is entirely your choice. A + suggested command would be to add <B +CLASS="COMMAND" +>NET TIME \\SERVER /SET + /YES</B +>, to force every machine to synchronize clocks with + the same time server. Another use would be to add <B +CLASS="COMMAND" +>NET USE + U: \\SERVER\UTILS</B +> for commonly used utilities, or <B +CLASS="COMMAND" +> NET USE Q: \\SERVER\ISO9001_QA</B +> for example.</P +><P +>Note that it is particularly important not to allow write + access to the [netlogon] share, or to grant users write permission + on the batch files in a secure environment, as this would allow + the batch files to be arbitrarily modified and security to be + breached.</P +><P +>This option takes the standard substitutions, allowing you + to have separate logon scripts for each user or machine.</P +><P +>This option is only useful if Samba is set up as a logon + server.</P +><P +>Default: <I +CLASS="EMPHASIS" +>no logon script defined</I +></P +><P +>Example: <B +CLASS="COMMAND" +>logon script = scripts\%U.bat</B +></P +></DD +><DT +><A +NAME="LPPAUSECOMMAND" +></A +>lppause command (S)</DT +><DD +><P +>This parameter specifies the command to be + executed on the server host in order to stop printing or spooling + a specific print job.</P +><P +>This command should be a program or script which takes + a printer name and job number to pause the print job. One way + of implementing this is by using job priorities, where jobs + having a too low priority won't be sent to the printer.</P +><P +>If a <TT +CLASS="PARAMETER" +><I +>%p</I +></TT +> is given then the printername + is put in its place. A <TT +CLASS="PARAMETER" +><I +>%j</I +></TT +> is replaced with + the job number (an integer). On HPUX (see <TT +CLASS="PARAMETER" +><I +>printing=hpux + </I +></TT +>), if the <TT +CLASS="PARAMETER" +><I +>-p%p</I +></TT +> option is added + to the lpq command, the job will show up with the correct status, i.e. + if the job priority is lower than the set fence priority it will + have the PAUSED status, whereas if the priority is equal or higher it + will have the SPOOLED or PRINTING status.</P +><P +>Note that it is good practice to include the absolute path + in the lppause command as the PATH may not be available to the server.</P +><P +>See also the <A +HREF="#PRINTING" +><TT +CLASS="PARAMETER" +><I +>printing + </I +></TT +></A +> parameter.</P +><P +>Default: Currently no default value is given to + this string, unless the value of the <TT +CLASS="PARAMETER" +><I +>printing</I +></TT +> + parameter is <TT +CLASS="CONSTANT" +>SYSV</TT +>, in which case the default is :</P +><P +><B +CLASS="COMMAND" +>lp -i %p-%j -H hold</B +></P +><P +>or if the value of the <TT +CLASS="PARAMETER" +><I +>printing</I +></TT +> parameter + is <TT +CLASS="CONSTANT" +>SOFTQ</TT +>, then the default is:</P +><P +><B +CLASS="COMMAND" +>qstat -s -j%j -h</B +></P +><P +>Example for HPUX: <B +CLASS="COMMAND" +>lppause command = /usr/bin/lpalt + %p-%j -p0</B +></P +></DD +><DT +><A +NAME="LPQCACHETIME" +></A +>lpq cache time (G)</DT +><DD +><P +>This controls how long lpq info will be cached + for to prevent the <B +CLASS="COMMAND" +>lpq</B +> command being called too + often. A separate cache is kept for each variation of the <B +CLASS="COMMAND" +> lpq</B +> command used by the system, so if you use different + <B +CLASS="COMMAND" +>lpq</B +> commands for different users then they won't + share cache information.</P +><P +>The cache files are stored in <TT +CLASS="FILENAME" +>/tmp/lpq.xxxx</TT +> + where xxxx is a hash of the <B +CLASS="COMMAND" +>lpq</B +> command in use.</P +><P +>The default is 10 seconds, meaning that the cached results + of a previous identical <B +CLASS="COMMAND" +>lpq</B +> command will be used + if the cached data is less than 10 seconds old. A large value may + be advisable if your <B +CLASS="COMMAND" +>lpq</B +> command is very slow.</P +><P +>A value of 0 will disable caching completely.</P +><P +>See also the <A +HREF="#PRINTING" +><TT +CLASS="PARAMETER" +><I +>printing + </I +></TT +></A +> parameter.</P +><P +>Default: <B +CLASS="COMMAND" +>lpq cache time = 10</B +></P +><P +>Example: <B +CLASS="COMMAND" +>lpq cache time = 30</B +></P +></DD +><DT +><A +NAME="LPQCOMMAND" +></A +>lpq command (S)</DT +><DD +><P +>This parameter specifies the command to be + executed on the server host in order to obtain <B +CLASS="COMMAND" +>lpq + </B +>-style printer status information.</P +><P +>This command should be a program or script which + takes a printer name as its only parameter and outputs printer + status information.</P +><P +>Currently eight styles of printer status information + are supported; BSD, AIX, LPRNG, PLP, SYSV, HPUX, QNX and SOFTQ. + This covers most UNIX systems. You control which type is expected + using the <TT +CLASS="PARAMETER" +><I +>printing =</I +></TT +> option.</P +><P +>Some clients (notably Windows for Workgroups) may not + correctly send the connection number for the printer they are + requesting status information about. To get around this, the + server reports on the first printer service connected to by the + client. This only happens if the connection number sent is invalid.</P +><P +>If a <TT +CLASS="PARAMETER" +><I +>%p</I +></TT +> is given then the printername + is put in its place. Otherwise it is placed at the end of the + command.</P +><P +>Note that it is good practice to include the absolute path + in the <TT +CLASS="PARAMETER" +><I +>lpq command</I +></TT +> as the PATH may not be + available to the server.</P +><P +>See also the <A +HREF="#PRINTING" +><TT +CLASS="PARAMETER" +><I +>printing + </I +></TT +></A +> parameter.</P +><P +>Default: <I +CLASS="EMPHASIS" +>depends on the setting of <TT +CLASS="PARAMETER" +><I +> printing</I +></TT +></I +></P +><P +>Example: <B +CLASS="COMMAND" +>lpq command = /usr/bin/lpq %p</B +></P +></DD +><DT +><A +NAME="LPRESUMECOMMAND" +></A +>lpresume command (S)</DT +><DD +><P +>This parameter specifies the command to be + executed on the server host in order to restart or continue + printing or spooling a specific print job.</P +><P +>This command should be a program or script which takes + a printer name and job number to resume the print job. See + also the <A +HREF="#LPPAUSECOMMAND" +><TT +CLASS="PARAMETER" +><I +>lppause command + </I +></TT +></A +> parameter.</P +><P +>If a <TT +CLASS="PARAMETER" +><I +>%p</I +></TT +> is given then the printername + is put in its place. A <TT +CLASS="PARAMETER" +><I +>%j</I +></TT +> is replaced with + the job number (an integer).</P +><P +>Note that it is good practice to include the absolute path + in the <TT +CLASS="PARAMETER" +><I +>lpresume command</I +></TT +> as the PATH may not + be available to the server.</P +><P +>See also the <A +HREF="#PRINTING" +><TT +CLASS="PARAMETER" +><I +>printing + </I +></TT +></A +> parameter.</P +><P +>Default: Currently no default value is given + to this string, unless the value of the <TT +CLASS="PARAMETER" +><I +>printing</I +></TT +> + parameter is <TT +CLASS="CONSTANT" +>SYSV</TT +>, in which case the default is :</P +><P +><B +CLASS="COMMAND" +>lp -i %p-%j -H resume</B +></P +><P +>or if the value of the <TT +CLASS="PARAMETER" +><I +>printing</I +></TT +> parameter + is <TT +CLASS="CONSTANT" +>SOFTQ</TT +>, then the default is:</P +><P +><B +CLASS="COMMAND" +>qstat -s -j%j -r</B +></P +><P +>Example for HPUX: <B +CLASS="COMMAND" +>lpresume command = /usr/bin/lpalt + %p-%j -p2</B +></P +></DD +><DT +><A +NAME="LPRMCOMMAND" +></A +>lprm command (S)</DT +><DD +><P +>This parameter specifies the command to be + executed on the server host in order to delete a print job.</P +><P +>This command should be a program or script which takes + a printer name and job number, and deletes the print job.</P +><P +>If a <TT +CLASS="PARAMETER" +><I +>%p</I +></TT +> is given then the printername + is put in its place. A <TT +CLASS="PARAMETER" +><I +>%j</I +></TT +> is replaced with + the job number (an integer).</P +><P +>Note that it is good practice to include the absolute + path in the <TT +CLASS="PARAMETER" +><I +>lprm command</I +></TT +> as the PATH may not be + available to the server.</P +><P +>See also the <A +HREF="#PRINTING" +><TT +CLASS="PARAMETER" +><I +>printing + </I +></TT +></A +> parameter.</P +><P +>Default: <I +CLASS="EMPHASIS" +>depends on the setting of <TT +CLASS="PARAMETER" +><I +>printing + </I +></TT +></I +></P +><P +>Example 1: <B +CLASS="COMMAND" +>lprm command = /usr/bin/lprm -P%p %j + </B +></P +><P +>Example 2: <B +CLASS="COMMAND" +>lprm command = /usr/bin/cancel %p-%j + </B +></P +></DD +><DT +><A +NAME="MACHINEPASSWORDTIMEOUT" +></A +>machine password timeout (G)</DT +><DD +><P +>If a Samba server is a member of an Windows + NT Domain (see the <A +HREF="#SECURITYEQUALSDOMAIN" +>security=domain</A +>) + parameter) then periodically a running <A +HREF="smbd.8.html" +TARGET="_top" +> smbd(8)</A +> process will try and change the MACHINE ACCOUNT + PASSWORD stored in the TDB called <TT +CLASS="FILENAME" +>private/secrets.tdb + </TT +>. This parameter specifies how often this password + will be changed, in seconds. The default is one week (expressed in + seconds), the same as a Windows NT Domain member server.</P +><P +>See also <A +HREF="smbpasswd.8.html" +TARGET="_top" +><B +CLASS="COMMAND" +>smbpasswd(8) + </B +></A +>, and the <A +HREF="#SECURITYEQUALSDOMAIN" +> security=domain</A +>) parameter.</P +><P +>Default: <B +CLASS="COMMAND" +>machine password timeout = 604800</B +></P +></DD +><DT +><A +NAME="MAGICOUTPUT" +></A +>magic output (S)</DT +><DD +><P +>This parameter specifies the name of a file + which will contain output created by a magic script (see the + <A +HREF="#MAGICSCRIPT" +><TT +CLASS="PARAMETER" +><I +>magic script</I +></TT +></A +> + parameter below).</P +><P +>Warning: If two clients use the same <TT +CLASS="PARAMETER" +><I +>magic script + </I +></TT +> in the same directory the output file content + is undefined.</P +><P +>Default: <B +CLASS="COMMAND" +>magic output = <magic script name>.out + </B +></P +><P +>Example: <B +CLASS="COMMAND" +>magic output = myfile.txt</B +></P +></DD +><DT +><A +NAME="MAGICSCRIPT" +></A +>magic script (S)</DT +><DD +><P +>This parameter specifies the name of a file which, + if opened, will be executed by the server when the file is closed. + This allows a UNIX script to be sent to the Samba host and + executed on behalf of the connected user.</P +><P +>Scripts executed in this way will be deleted upon + completion, permissions permitting.</P +><P +>If the script generates output, output will be sent to + the file specified by the <A +HREF="#MAGICOUTPUT" +><TT +CLASS="PARAMETER" +><I +> magic output</I +></TT +></A +> parameter (see above).</P +><P +>Note that some shells are unable to interpret scripts + containing carriage-return-linefeed instead of linefeed as + the end-of-line marker. Magic scripts must be executable + <I +CLASS="EMPHASIS" +>as is</I +> on the host, which for some hosts and + some shells will require filtering at the DOS end.</P +><P +>Magic scripts are <I +CLASS="EMPHASIS" +>EXPERIMENTAL</I +> and + should <I +CLASS="EMPHASIS" +>NOT</I +> be relied upon.</P +><P +>Default: <I +CLASS="EMPHASIS" +>None. Magic scripts disabled.</I +></P +><P +>Example: <B +CLASS="COMMAND" +>magic script = user.csh</B +></P +></DD +><DT +><A +NAME="MANGLECASE" +></A +>mangle case (S)</DT +><DD +><P +>See the section on <A +HREF="#AEN201" +> NAME MANGLING</A +></P +></DD +><DT +><A +NAME="MANGLEDMAP" +></A +>mangled map (S)</DT +><DD +><P +>This is for those who want to directly map UNIX + file names which can not be represented on Windows/DOS. The mangling + of names is not always what is needed. In particular you may have + documents with file extensions that differ between DOS and UNIX. + For example, under UNIX it is common to use <TT +CLASS="FILENAME" +>.html</TT +> + for HTML files, whereas under Windows/DOS <TT +CLASS="FILENAME" +>.htm</TT +> + is more commonly used.</P +><P +>So to map <TT +CLASS="FILENAME" +>html</TT +> to <TT +CLASS="FILENAME" +>htm</TT +> + you would use:</P +><P +><B +CLASS="COMMAND" +>mangled map = (*.html *.htm)</B +></P +><P +>One very useful case is to remove the annoying <TT +CLASS="FILENAME" +>;1 + </TT +> off the ends of filenames on some CDROMS (only visible + under some UNIXs). To do this use a map of (*;1 *;).</P +><P +>Default: <I +CLASS="EMPHASIS" +>no mangled map</I +></P +><P +>Example: <B +CLASS="COMMAND" +>mangled map = (*;1 *;)</B +></P +></DD +><DT +><A +NAME="MANGLEDNAMES" +></A +>mangled names (S)</DT +><DD +><P +>This controls whether non-DOS names under UNIX + should be mapped to DOS-compatible names ("mangled") and made visible, + or whether non-DOS names should simply be ignored.</P +><P +>See the section on <A +HREF="#AEN201" +> NAME MANGLING</A +> for details on how to control the mangling process.</P +><P +>If mangling is used then the mangling algorithm is as follows:</P +><P +></P +><UL +><LI +><P +>The first (up to) five alphanumeric characters + before the rightmost dot of the filename are preserved, forced + to upper case, and appear as the first (up to) five characters + of the mangled name.</P +></LI +><LI +><P +>A tilde "~" is appended to the first part of the mangled + name, followed by a two-character unique sequence, based on the + original root name (i.e., the original filename minus its final + extension). The final extension is included in the hash calculation + only if it contains any upper case characters or is longer than three + characters.</P +><P +>Note that the character to use may be specified using + the <A +HREF="#MANGLINGCHAR" +><TT +CLASS="PARAMETER" +><I +>mangling char</I +></TT +> + </A +> option, if you don't like '~'.</P +></LI +><LI +><P +>The first three alphanumeric characters of the final + extension are preserved, forced to upper case and appear as the + extension of the mangled name. The final extension is defined as that + part of the original filename after the rightmost dot. If there are no + dots in the filename, the mangled name will have no extension (except + in the case of "hidden files" - see below).</P +></LI +><LI +><P +>Files whose UNIX name begins with a dot will be + presented as DOS hidden files. The mangled name will be created as + for other filenames, but with the leading dot removed and "___" as + its extension regardless of actual original extension (that's three + underscores).</P +></LI +></UL +><P +>The two-digit hash value consists of upper case + alphanumeric characters.</P +><P +>This algorithm can cause name collisions only if files + in a directory share the same first five alphanumeric characters. + The probability of such a clash is 1/1300.</P +><P +>The name mangling (if enabled) allows a file to be + copied between UNIX directories from Windows/DOS while retaining + the long UNIX filename. UNIX files can be renamed to a new extension + from Windows/DOS and will retain the same basename. Mangled names + do not change between sessions.</P +><P +>Default: <B +CLASS="COMMAND" +>mangled names = yes</B +></P +></DD +><DT +><A +NAME="MANGLINGCHAR" +></A +>mangling char (S)</DT +><DD +><P +>This controls what character is used as + the <I +CLASS="EMPHASIS" +>magic</I +> character in <A +HREF="#AEN201" +>name mangling</A +>. The default is a '~' + but this may interfere with some software. Use this option to set + it to whatever you prefer.</P +><P +>Default: <B +CLASS="COMMAND" +>mangling char = ~</B +></P +><P +>Example: <B +CLASS="COMMAND" +>mangling char = ^</B +></P +></DD +><DT +><A +NAME="MANGLEDSTACK" +></A +>mangled stack (G)</DT +><DD +><P +>This parameter controls the number of mangled names + that should be cached in the Samba server <A +HREF="smbd.8.html" +TARGET="_top" +> smbd(8)</A +>.</P +><P +>This stack is a list of recently mangled base names + (extensions are only maintained if they are longer than 3 characters + or contains upper case characters).</P +><P +>The larger this value, the more likely it is that mangled + names can be successfully converted to correct long UNIX names. + However, large stack sizes will slow most directory access. Smaller + stacks save memory in the server (each stack element costs 256 bytes). + </P +><P +>It is not possible to absolutely guarantee correct long + file names, so be prepared for some surprises!</P +><P +>Default: <B +CLASS="COMMAND" +>mangled stack = 50</B +></P +><P +>Example: <B +CLASS="COMMAND" +>mangled stack = 100</B +></P +></DD +><DT +><A +NAME="MAPARCHIVE" +></A +>map archive (S)</DT +><DD +><P +>This controls whether the DOS archive attribute + should be mapped to the UNIX owner execute bit. The DOS archive bit + is set when a file has been modified since its last backup. One + motivation for this option it to keep Samba/your PC from making + any file it touches from becoming executable under UNIX. This can + be quite annoying for shared source code, documents, etc...</P +><P +>Note that this requires the <TT +CLASS="PARAMETER" +><I +>create mask</I +></TT +> + parameter to be set such that owner execute bit is not masked out + (i.e. it must include 100). See the parameter <A +HREF="#CREATEMASK" +> <TT +CLASS="PARAMETER" +><I +>create mask</I +></TT +></A +> for details.</P +><P +>Default: <B +CLASS="COMMAND" +>map archive = yes</B +></P +></DD +><DT +><A +NAME="MAPHIDDEN" +></A +>map hidden (S)</DT +><DD +><P +>This controls whether DOS style hidden files + should be mapped to the UNIX world execute bit.</P +><P +>Note that this requires the <TT +CLASS="PARAMETER" +><I +>create mask</I +></TT +> + to be set such that the world execute bit is not masked out (i.e. + it must include 001). See the parameter <A +HREF="#CREATEMASK" +> <TT +CLASS="PARAMETER" +><I +>create mask</I +></TT +></A +> for details.</P +><P +>Default: <B +CLASS="COMMAND" +>map hidden = no</B +></P +></DD +><DT +><A +NAME="MAPSYSTEM" +></A +>map system (S)</DT +><DD +><P +>This controls whether DOS style system files + should be mapped to the UNIX group execute bit.</P +><P +>Note that this requires the <TT +CLASS="PARAMETER" +><I +>create mask</I +></TT +> + to be set such that the group execute bit is not masked out (i.e. + it must include 010). See the parameter <A +HREF="#CREATEMASK" +> <TT +CLASS="PARAMETER" +><I +>create mask</I +></TT +></A +> for details.</P +><P +>Default: <B +CLASS="COMMAND" +>map system = no</B +></P +></DD +><DT +><A +NAME="MAPTOGUEST" +></A +>map to guest (G)</DT +><DD +><P +>This parameter is only useful in <A +HREF="#SECURITY" +> security</A +> modes other than <TT +CLASS="PARAMETER" +><I +>security=share</I +></TT +> + - i.e. <TT +CLASS="CONSTANT" +>user</TT +>, <TT +CLASS="CONSTANT" +>server</TT +>, + and <TT +CLASS="CONSTANT" +>domain</TT +>.</P +><P +>This parameter can take three different values, which tell + <A +HREF="smbd.8.html" +TARGET="_top" +>smbd(8)</A +> what to do with user + login requests that don't match a valid UNIX user in some way.</P +><P +>The three settings are :</P +><P +></P +><UL +><LI +><P +><TT +CLASS="CONSTANT" +>Never</TT +> - Means user login + requests with an invalid password are rejected. This is the + default.</P +></LI +><LI +><P +><TT +CLASS="CONSTANT" +>Bad User</TT +> - Means user + logins with an invalid password are rejected, unless the username + does not exist, in which case it is treated as a guest login and + mapped into the <A +HREF="#GUESTACCOUNT" +><TT +CLASS="PARAMETER" +><I +> guest account</I +></TT +></A +>.</P +></LI +><LI +><P +><TT +CLASS="CONSTANT" +>Bad Password</TT +> - Means user logins + with an invalid password are treated as a guest login and mapped + into the <A +HREF="#GUESTACCOUNT" +>guest account</A +>. Note that + this can cause problems as it means that any user incorrectly typing + their password will be silently logged on as a "guest" - and + will not know the reason they cannot access files they think + they should - there will have been no message given to them + that they got their password wrong. Helpdesk services will + <I +CLASS="EMPHASIS" +>hate</I +> you if you set the <TT +CLASS="PARAMETER" +><I +>map to + guest</I +></TT +> parameter this way :-).</P +></LI +></UL +><P +>Note that this parameter is needed to set up "Guest" + share services when using <TT +CLASS="PARAMETER" +><I +>security</I +></TT +> modes other than + share. This is because in these modes the name of the resource being + requested is <I +CLASS="EMPHASIS" +>not</I +> sent to the server until after + the server has successfully authenticated the client so the server + cannot make authentication decisions at the correct time (connection + to the share) for "Guest" shares.</P +><P +>For people familiar with the older Samba releases, this + parameter maps to the old compile-time setting of the <TT +CLASS="CONSTANT" +> GUEST_SESSSETUP</TT +> value in local.h.</P +><P +>Default: <B +CLASS="COMMAND" +>map to guest = Never</B +></P +><P +>Example: <B +CLASS="COMMAND" +>map to guest = Bad User</B +></P +></DD +><DT +><A +NAME="MAXCONNECTIONS" +></A +>max connections (S)</DT +><DD +><P +>This option allows the number of simultaneous + connections to a service to be limited. If <TT +CLASS="PARAMETER" +><I +>max connections + </I +></TT +> is greater than 0 then connections will be refused if + this number of connections to the service are already open. A value + of zero mean an unlimited number of connections may be made.</P +><P +>Record lock files are used to implement this feature. The + lock files will be stored in the directory specified by the <A +HREF="#LOCKDIRECTORY" +><TT +CLASS="PARAMETER" +><I +>lock directory</I +></TT +></A +> + option.</P +><P +>Default: <B +CLASS="COMMAND" +>max connections = 0</B +></P +><P +>Example: <B +CLASS="COMMAND" +>max connections = 10</B +></P +></DD +><DT +><A +NAME="MAXDISKSIZE" +></A +>max disk size (G)</DT +><DD +><P +>This option allows you to put an upper limit + on the apparent size of disks. If you set this option to 100 + then all shares will appear to be not larger than 100 MB in + size.</P +><P +>Note that this option does not limit the amount of + data you can put on the disk. In the above case you could still + store much more than 100 MB on the disk, but if a client ever asks + for the amount of free disk space or the total disk size then the + result will be bounded by the amount specified in <TT +CLASS="PARAMETER" +><I +>max + disk size</I +></TT +>.</P +><P +>This option is primarily useful to work around bugs + in some pieces of software that can't handle very large disks, + particularly disks over 1GB in size.</P +><P +>A <TT +CLASS="PARAMETER" +><I +>max disk size</I +></TT +> of 0 means no limit.</P +><P +>Default: <B +CLASS="COMMAND" +>max disk size = 0</B +></P +><P +>Example: <B +CLASS="COMMAND" +>max disk size = 1000</B +></P +></DD +><DT +><A +NAME="MAXLOGSIZE" +></A +>max log size (G)</DT +><DD +><P +>This option (an integer in kilobytes) specifies + the max size the log file should grow to. Samba periodically checks + the size and if it is exceeded it will rename the file, adding + a <TT +CLASS="FILENAME" +>.old</TT +> extension.</P +><P +>A size of 0 means no limit.</P +><P +>Default: <B +CLASS="COMMAND" +>max log size = 5000</B +></P +><P +>Example: <B +CLASS="COMMAND" +>max log size = 1000</B +></P +></DD +><DT +><A +NAME="MAXMUX" +></A +>max mux (G)</DT +><DD +><P +>This option controls the maximum number of + outstanding simultaneous SMB operations that samba tells the client + it will allow. You should never need to set this parameter.</P +><P +>Default: <B +CLASS="COMMAND" +>max mux = 50</B +></P +></DD +><DT +><A +NAME="MAXOPENFILES" +></A +>max open files (G)</DT +><DD +><P +>This parameter limits the maximum number of + open files that one <A +HREF="smbd.8.html" +TARGET="_top" +>smbd(8)</A +> file + serving process may have open for a client at any one time. The + default for this parameter is set very high (10,000) as Samba uses + only one bit per unopened file.</P +><P +>The limit of the number of open files is usually set + by the UNIX per-process file descriptor limit rather than + this parameter so you should never need to touch this parameter.</P +><P +>Default: <B +CLASS="COMMAND" +>max open files = 10000</B +></P +></DD +><DT +><A +NAME="MAXTTL" +></A +>max ttl (G)</DT +><DD +><P +>This option tells <A +HREF="nmbd.8.html" +TARGET="_top" +>nmbd(8)</A +> + what the default 'time to live' of NetBIOS names should be (in seconds) + when <B +CLASS="COMMAND" +>nmbd</B +> is requesting a name using either a + broadcast packet or from a WINS server. You should never need to + change this parameter. The default is 3 days.</P +><P +>Default: <B +CLASS="COMMAND" +>max ttl = 259200</B +></P +></DD +><DT +><A +NAME="MAXWINSTTL" +></A +>max wins ttl (G)</DT +><DD +><P +>This option tells <A +HREF="nmbd.8.html" +TARGET="_top" +>nmbd(8) + </A +> when acting as a WINS server (<A +HREF="#WINSSUPPORT" +> <TT +CLASS="PARAMETER" +><I +>wins support=yes</I +></TT +></A +>) what the maximum + 'time to live' of NetBIOS names that <B +CLASS="COMMAND" +>nmbd</B +> + will grant will be (in seconds). You should never need to change this + parameter. The default is 6 days (518400 seconds).</P +><P +>See also the <A +HREF="#MINWINSTTL" +><TT +CLASS="PARAMETER" +><I +>min + wins ttl"</I +></TT +></A +> parameter.</P +><P +>Default: <B +CLASS="COMMAND" +>max wins ttl = 518400</B +></P +></DD +><DT +><A +NAME="MAXXMIT" +></A +>max xmit (G)</DT +><DD +><P +>This option controls the maximum packet size + that will be negotiated by Samba. The default is 65535, which + is the maximum. In some cases you may find you get better performance + with a smaller value. A value below 2048 is likely to cause problems. + </P +><P +>Default: <B +CLASS="COMMAND" +>max xmit = 65535</B +></P +><P +>Example: <B +CLASS="COMMAND" +>max xmit = 8192</B +></P +></DD +><DT +><A +NAME="MESSAGECOMMAND" +></A +>message command (G)</DT +><DD +><P +>This specifies what command to run when the + server receives a WinPopup style message.</P +><P +>This would normally be a command that would + deliver the message somehow. How this is to be done is + up to your imagination.</P +><P +>An example is:</P +><P +><B +CLASS="COMMAND" +>message command = csh -c 'xedit %s;rm %s' &</B +> + </P +><P +>This delivers the message using <B +CLASS="COMMAND" +>xedit</B +>, then + removes it afterwards. <I +CLASS="EMPHASIS" +>NOTE THAT IT IS VERY IMPORTANT + THAT THIS COMMAND RETURN IMMEDIATELY</I +>. That's why I + have the '&' on the end. If it doesn't return immediately then + your PCs may freeze when sending messages (they should recover + after 30secs, hopefully).</P +><P +>All messages are delivered as the global guest user. + The command takes the standard substitutions, although <TT +CLASS="PARAMETER" +><I +> %u</I +></TT +> won't work (<TT +CLASS="PARAMETER" +><I +>%U</I +></TT +> may be better + in this case).</P +><P +>Apart from the standard substitutions, some additional + ones apply. In particular:</P +><P +></P +><UL +><LI +><P +><TT +CLASS="PARAMETER" +><I +>%s</I +></TT +> = the filename containing + the message.</P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>%t</I +></TT +> = the destination that + the message was sent to (probably the server name).</P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>%f</I +></TT +> = who the message + is from.</P +></LI +></UL +><P +>You could make this command send mail, or whatever else + takes your fancy. Please let us know of any really interesting + ideas you have.</P +><P +>Here's a way of sending the messages as mail to root:</P +><P +><B +CLASS="COMMAND" +>message command = /bin/mail -s 'message from %f on + %m' root < %s; rm %s</B +></P +><P +>If you don't have a message command then the message + won't be delivered and Samba will tell the sender there was + an error. Unfortunately WfWg totally ignores the error code + and carries on regardless, saying that the message was delivered. + </P +><P +>If you want to silently delete it then try:</P +><P +><B +CLASS="COMMAND" +>message command = rm %s</B +></P +><P +>Default: <I +CLASS="EMPHASIS" +>no message command</I +></P +><P +>Example: <B +CLASS="COMMAND" +>message command = csh -c 'xedit %s; + rm %s' &</B +></P +></DD +><DT +><A +NAME="MINPRINTSPACE" +></A +>min print space (S)</DT +><DD +><P +>This sets the minimum amount of free disk + space that must be available before a user will be able to spool + a print job. It is specified in kilobytes. The default is 0, which + means a user can always spool a print job.</P +><P +>See also the <A +HREF="#PRINTING" +><TT +CLASS="PARAMETER" +><I +>printing + </I +></TT +></A +> parameter.</P +><P +>Default: <B +CLASS="COMMAND" +>min print space = 0</B +></P +><P +>Example: <B +CLASS="COMMAND" +>min print space = 2000</B +></P +></DD +><DT +><A +NAME="MINPASSWDLENGTH" +></A +>min passwd length (G)</DT +><DD +><P +>Synonym for <A +HREF="#MINPASSWORDLENGTH" +> <TT +CLASS="PARAMETER" +><I +>min password length</I +></TT +></A +>.</P +></DD +><DT +><A +NAME="MINPASSWORDLENGTH" +></A +>min password length (G)</DT +><DD +><P +>This option sets the minimum length in characters + of a plaintext password than smbd will accept when performing + UNIX password changing.</P +><P +>See also <A +HREF="#UNIXPASSWORDSYNC" +><TT +CLASS="PARAMETER" +><I +>unix + password sync</I +></TT +></A +>, <A +HREF="#PASSWDPROGRAM" +> <TT +CLASS="PARAMETER" +><I +>passwd program</I +></TT +></A +> and <A +HREF="#PASSWDCHATDEBUG" +><TT +CLASS="PARAMETER" +><I +>passwd chat debug</I +></TT +> + </A +>.</P +><P +>Default: <B +CLASS="COMMAND" +>min password length = 5</B +></P +></DD +><DT +><A +NAME="MINWINSTTL" +></A +>min wins ttl (G)</DT +><DD +><P +>This option tells <A +HREF="nmbd.8.html" +TARGET="_top" +>nmbd(8)</A +> + when acting as a WINS server (<A +HREF="#WINSSUPPORT" +><TT +CLASS="PARAMETER" +><I +> wins support = yes</I +></TT +></A +>) what the minimum 'time to live' + of NetBIOS names that <B +CLASS="COMMAND" +>nmbd</B +> will grant will be (in + seconds). You should never need to change this parameter. The default + is 6 hours (21600 seconds).</P +><P +>Default: <B +CLASS="COMMAND" +>min wins ttl = 21600</B +></P +></DD +><DT +><A +NAME="NAMERESOLVEORDER" +></A +>name resolve order (G)</DT +><DD +><P +>This option is used by the programs in the Samba + suite to determine what naming services and in what order to resolve + host names to IP addresses. The option takes a space separated + string of different name resolution options.</P +><P +>The options are :"lmhosts", "host", "wins" and "bcast". They + cause names to be resolved as follows :</P +><P +></P +><UL +><LI +><P +><TT +CLASS="CONSTANT" +>lmhosts</TT +> : Lookup an IP + address in the Samba lmhosts file. If the line in lmhosts has + no name type attached to the NetBIOS name (see the <A +HREF="lmhosts.5.html" +TARGET="_top" +>lmhosts(5)</A +> for details) then + any name type matches for lookup.</P +></LI +><LI +><P +><TT +CLASS="CONSTANT" +>host</TT +> : Do a standard host + name to IP address resolution, using the system <TT +CLASS="FILENAME" +>/etc/hosts + </TT +>, NIS, or DNS lookups. This method of name resolution + is operating system depended for instance on IRIX or Solaris this + may be controlled by the <TT +CLASS="FILENAME" +>/etc/nsswitch.conf</TT +> + file). Note that this method is only used if the NetBIOS name + type being queried is the 0x20 (server) name type, otherwise + it is ignored.</P +></LI +><LI +><P +><TT +CLASS="CONSTANT" +>wins</TT +> : Query a name with + the IP address listed in the <A +HREF="#WINSSERVER" +><TT +CLASS="PARAMETER" +><I +> wins server</I +></TT +></A +> parameter. If no WINS server has + been specified this method will be ignored.</P +></LI +><LI +><P +><TT +CLASS="CONSTANT" +>bcast</TT +> : Do a broadcast on + each of the known local interfaces listed in the <A +HREF="#INTERFACES" +><TT +CLASS="PARAMETER" +><I +>interfaces</I +></TT +></A +> + parameter. This is the least reliable of the name resolution + methods as it depends on the target host being on a locally + connected subnet.</P +></LI +></UL +><P +>Default: <B +CLASS="COMMAND" +>name resolve order = lmhosts host wins bcast + </B +></P +><P +>Example: <B +CLASS="COMMAND" +>name resolve order = lmhosts bcast host + </B +></P +><P +>This will cause the local lmhosts file to be examined + first, followed by a broadcast attempt, followed by a normal + system hostname lookup.</P +></DD +><DT +><A +NAME="NETBIOSALIASES" +></A +>netbios aliases (G)</DT +><DD +><P +>This is a list of NetBIOS names that <A +HREF="nmbd.8.html" +TARGET="_top" +>nmbd(8)</A +> will advertise as additional + names by which the Samba server is known. This allows one machine + to appear in browse lists under multiple names. If a machine is + acting as a browse server or logon server none + of these names will be advertised as either browse server or logon + servers, only the primary name of the machine will be advertised + with these capabilities.</P +><P +>See also <A +HREF="#NETBIOSNAME" +><TT +CLASS="PARAMETER" +><I +>netbios + name</I +></TT +></A +>.</P +><P +>Default: <I +CLASS="EMPHASIS" +>empty string (no additional names)</I +></P +><P +>Example: <B +CLASS="COMMAND" +>netbios aliases = TEST TEST1 TEST2</B +></P +></DD +><DT +><A +NAME="NETBIOSNAME" +></A +>netbios name (G)</DT +><DD +><P +>This sets the NetBIOS name by which a Samba + server is known. By default it is the same as the first component + of the host's DNS name. If a machine is a browse server or + logon server this name (or the first component + of the hosts DNS name) will be the name that these services are + advertised under.</P +><P +>See also <A +HREF="#NETBIOSALIASES" +><TT +CLASS="PARAMETER" +><I +>netbios + aliases</I +></TT +></A +>.</P +><P +>Default: <I +CLASS="EMPHASIS" +>machine DNS name</I +></P +><P +>Example: <B +CLASS="COMMAND" +>netbios name = MYNAME</B +></P +></DD +><DT +><A +NAME="NETBIOSSCOPE" +></A +>netbios scope (G)</DT +><DD +><P +>This sets the NetBIOS scope that Samba will + operate under. This should not be set unless every machine + on your LAN also sets this value.</P +></DD +><DT +><A +NAME="NISHOMEDIR" +></A +>nis homedir (G)</DT +><DD +><P +>Get the home share server from a NIS map. For + UNIX systems that use an automounter, the user's home directory + will often be mounted on a workstation on demand from a remote + server. </P +><P +>When the Samba logon server is not the actual home directory + server, but is mounting the home directories via NFS then two + network hops would be required to access the users home directory + if the logon server told the client to use itself as the SMB server + for home directories (one over SMB and one over NFS). This can + be very slow.</P +><P +>This option allows Samba to return the home share as + being on a different server to the logon server and as + long as a Samba daemon is running on the home directory server, + it will be mounted on the Samba client directly from the directory + server. When Samba is returning the home share to the client, it + will consult the NIS map specified in <A +HREF="#HOMEDIRMAP" +> <TT +CLASS="PARAMETER" +><I +>homedir map</I +></TT +></A +> and return the server + listed there.</P +><P +>Note that for this option to work there must be a working + NIS system and the Samba server with this option must also + be a logon server.</P +><P +>Default: <B +CLASS="COMMAND" +>nis homedir = no</B +></P +></DD +><DT +><A +NAME="NTACLSUPPORT" +></A +>nt acl support (G)</DT +><DD +><P +>This boolean parameter controls whether + <A +HREF="smbd.8.html" +TARGET="_top" +>smbd(8)</A +> will attempt to map + UNIX permissions into Windows NT access control lists.</P +><P +>Default: <B +CLASS="COMMAND" +>nt acl support = yes</B +></P +></DD +><DT +><A +NAME="NTPIPESUPPORT" +></A +>nt pipe support (G)</DT +><DD +><P +>This boolean parameter controls whether + <A +HREF="smbd.8.html" +TARGET="_top" +>smbd(8)</A +> will allow Windows NT + clients to connect to the NT SMB specific <TT +CLASS="CONSTANT" +>IPC$</TT +> + pipes. This is a developer debugging option and can be left + alone.</P +><P +>Default: <B +CLASS="COMMAND" +>nt pipe support = yes</B +></P +></DD +><DT +><A +NAME="NTSMBSUPPORT" +></A +>nt smb support (G)</DT +><DD +><P +>This boolean parameter controls whether <A +HREF="smbd.8.html" +TARGET="_top" +>smbd(8)</A +> will negotiate NT specific SMB + support with Windows NT clients. Although this is a developer + debugging option and should be left alone, benchmarking has discovered + that Windows NT clients give faster performance with this option + set to <TT +CLASS="CONSTANT" +>no</TT +>. This is still being investigated. + If this option is set to <TT +CLASS="CONSTANT" +>no</TT +> then Samba offers + exactly the same SMB calls that versions prior to Samba 2.0 offered. + This information may be of use if any users are having problems + with NT SMB support.</P +><P +>Default: <B +CLASS="COMMAND" +>nt support = yes</B +></P +></DD +><DT +><A +NAME="NULLPASSWORDS" +></A +>null passwords (G)</DT +><DD +><P +>Allow or disallow client access to accounts + that have null passwords. </P +><P +>See also <A +HREF="smbpasswd.5.html" +TARGET="_top" +>smbpasswd (5)</A +>.</P +><P +>Default: <B +CLASS="COMMAND" +>null passwords = no</B +></P +></DD +><DT +><A +NAME="OLELOCKINGCOMPATIBILITY" +></A +>ole locking compatibility (G)</DT +><DD +><P +>This parameter allows an administrator to turn + off the byte range lock manipulation that is done within Samba to + give compatibility for OLE applications. Windows OLE applications + use byte range locking as a form of inter-process communication, by + locking ranges of bytes around the 2^32 region of a file range. This + can cause certain UNIX lock managers to crash or otherwise cause + problems. Setting this parameter to <TT +CLASS="CONSTANT" +>no</TT +> means you + trust your UNIX lock manager to handle such cases correctly.</P +><P +>Default: <B +CLASS="COMMAND" +>ole locking compatibility = yes</B +></P +></DD +><DT +><A +NAME="ONLYGUEST" +></A +>only guest (S)</DT +><DD +><P +>A synonym for <A +HREF="#GUESTONLY" +><TT +CLASS="PARAMETER" +><I +> guest only</I +></TT +></A +>.</P +></DD +><DT +><A +NAME="ONLYUSER" +></A +>only user (S)</DT +><DD +><P +>This is a boolean option that controls whether + connections with usernames not in the <TT +CLASS="PARAMETER" +><I +>user</I +></TT +> + list will be allowed. By default this option is disabled so a client + can supply a username to be used by the server.</P +><P +>Note that this also means Samba won't try to deduce + usernames from the service name. This can be annoying for + the [homes] section. To get around this you could use <B +CLASS="COMMAND" +>user = + %S</B +> which means your <TT +CLASS="PARAMETER" +><I +>user</I +></TT +> list + will be just the service name, which for home directories is the + name of the user.</P +><P +>See also the <A +HREF="#USER" +><TT +CLASS="PARAMETER" +><I +>user</I +></TT +> + </A +> parameter.</P +><P +>Default: <B +CLASS="COMMAND" +>only user = no</B +></P +></DD +><DT +><A +NAME="OPLOCKS" +></A +>oplocks (S)</DT +><DD +><P +>This boolean option tells smbd whether to + issue oplocks (opportunistic locks) to file open requests on this + share. The oplock code can dramatically (approx. 30% or more) improve + the speed of access to files on Samba servers. It allows the clients + to aggressively cache files ocally and you may want to disable this + option for unreliable network environments (it is turned on by + default in Windows NT Servers). For more information see the file + <TT +CLASS="FILENAME" +>Speed.txt</TT +> in the Samba <TT +CLASS="FILENAME" +>docs/</TT +> + directory.</P +><P +>Oplocks may be selectively turned off on certain files on + a per share basis. See the <A +HREF="#VETOOPLOCKFILES" +><TT +CLASS="PARAMETER" +><I +> veto oplock files</I +></TT +></A +> parameter. On some systems + oplocks are recognized by the underlying operating system. This + allows data synchronization between all access to oplocked files, + whether it be via Samba or NFS or a local UNIX process. See the + <TT +CLASS="PARAMETER" +><I +>kernel oplocks</I +></TT +> parameter for details.</P +><P +>See also the <A +HREF="#KERNELOPLOCKS" +><TT +CLASS="PARAMETER" +><I +>kernel + oplocks</I +></TT +></A +> and <A +HREF="#LEVEL2OPLOCKS" +><TT +CLASS="PARAMETER" +><I +> level2 oplocks</I +></TT +></A +> parameters.</P +><P +>Default: <B +CLASS="COMMAND" +>oplocks = yes</B +></P +></DD +><DT +><A +NAME="OPLOCKBREAKWAITTIME" +></A +>oplock break wait time (G)</DT +><DD +><P +>This is a tuning parameter added due to bugs in + both Windows 9x and WinNT. If Samba responds to a client too + quickly when that client issues an SMB that can cause an oplock + break request, then the client redirector can fail and not respond + to the break request. This tuning parameter (which is set in milliseconds) + is the amount of time Samba will wait before sending an oplock break + request to such (broken) clients.</P +><P +><I +CLASS="EMPHASIS" +>DO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ + AND UNDERSTOOD THE SAMBA OPLOCK CODE</I +>.</P +><P +>Default: <B +CLASS="COMMAND" +>oplock break wait time = 10</B +></P +></DD +><DT +><A +NAME="OPLOCKCONTENTIONLIMIT" +></A +>oplock contention limit (S)</DT +><DD +><P +>This is a <I +CLASS="EMPHASIS" +>very</I +> advanced + <A +HREF="smbd.8.html" +TARGET="_top" +>smbd(8)</A +> tuning option to + improve the efficiency of the granting of oplocks under multiple + client contention for the same file.</P +><P +>In brief it specifies a number, which causes smbd not to + grant an oplock even when requested if the approximate number of + clients contending for an oplock on the same file goes over this + limit. This causes <B +CLASS="COMMAND" +>smbd</B +> to behave in a similar + way to Windows NT.</P +><P +><I +CLASS="EMPHASIS" +>DO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ + AND UNDERSTOOD THE SAMBA OPLOCK CODE</I +>.</P +><P +>Default: <B +CLASS="COMMAND" +>oplock contention limit = 2</B +></P +></DD +><DT +><A +NAME="OSLEVEL" +></A +>os level (G)</DT +><DD +><P +>This integer value controls what level Samba + advertises itself as for browse elections. The value of this + parameter determines whether <A +HREF="nmbd.8.html" +TARGET="_top" +>nmbd(8)</A +> + has a chance of becoming a local master browser for the <TT +CLASS="PARAMETER" +><I +> WORKGROUP</I +></TT +> in the local broadcast area. The default is + zero, which means <B +CLASS="COMMAND" +>nmbd</B +> will lose elections to + Windows machines. See <TT +CLASS="FILENAME" +>BROWSING.txt</TT +> in the + Samba <TT +CLASS="FILENAME" +>docs/</TT +> directory for details.</P +><P +>Default: <B +CLASS="COMMAND" +>os level = 20</B +></P +><P +>Example: <B +CLASS="COMMAND" +>os level = 65 </B +></P +></DD +><DT +><A +NAME="PANICACTION" +></A +>panic action (G)</DT +><DD +><P +>This is a Samba developer option that allows a + system command to be called when either <A +HREF="smbd.8.html" +TARGET="_top" +> smbd(8)</A +> or <A +HREF="nmbd.8.html" +TARGET="_top" +>nmbd(8)</A +> + crashes. This is usually used to draw attention to the fact that + a problem occurred.</P +><P +>Default: <B +CLASS="COMMAND" +>panic action = <empty string></B +></P +><P +>Example: <B +CLASS="COMMAND" +>panic action = "/bin/sleep 90000"</B +></P +></DD +><DT +><A +NAME="PASSWDCHAT" +></A +>passwd chat (G)</DT +><DD +><P +>This string controls the <I +CLASS="EMPHASIS" +>"chat"</I +> + conversation that takes places between <A +HREF="smbd.8.html" +TARGET="_top" +>smbd</A +> and the local password changing + program to change the users password. The string describes a + sequence of response-receive pairs that <A +HREF="smbd.8.html" +TARGET="_top" +> smbd(8)</A +> uses to determine what to send to the + <A +HREF="#PASSWDPROGRAM" +><TT +CLASS="PARAMETER" +><I +>passwd program</I +></TT +> + </A +> and what to expect back. If the expected output is not + received then the password is not changed.</P +><P +>This chat sequence is often quite site specific, depending + on what local methods are used for password control (such as NIS + etc).</P +><P +>The string can contain the macros <TT +CLASS="PARAMETER" +><I +>%o</I +></TT +> + and <TT +CLASS="PARAMETER" +><I +>%n</I +></TT +> which are substituted for the old + and new passwords respectively. It can also contain the standard + macros <TT +CLASS="CONSTANT" +>\n</TT +>, <TT +CLASS="CONSTANT" +>\r</TT +>, <TT +CLASS="CONSTANT" +> \t</TT +> and <TT +CLASS="CONSTANT" +>%s</TT +> to give line-feed, + carriage-return, tab and space.</P +><P +>The string can also contain a '*' which matches + any sequence of characters.</P +><P +>Double quotes can be used to collect strings with spaces + in them into a single string.</P +><P +>If the send string in any part of the chat sequence + is a fullstop ".", then no string is sent. Similarly, + is the expect string is a fullstop then no string is expected.</P +><P +>Note that if the <A +HREF="#UNIXPASSWORDSYNC" +><TT +CLASS="PARAMETER" +><I +>unix + password sync</I +></TT +></A +> parameter is set to true, then this + sequence is called <I +CLASS="EMPHASIS" +>AS ROOT</I +> when the SMB password + in the smbpasswd file is being changed, without access to the old + password cleartext. In this case the old password cleartext is set + to "" (the empty string).</P +><P +>See also <A +HREF="#UNIXPASSWORDSYNC" +><TT +CLASS="PARAMETER" +><I +>unix password + sync</I +></TT +></A +>, <A +HREF="#PASSWDPROGRAM" +><TT +CLASS="PARAMETER" +><I +> passwd program</I +></TT +></A +> and <A +HREF="#PASSWDCHATDEBUG" +> <TT +CLASS="PARAMETER" +><I +>passwd chat debug</I +></TT +></A +>.</P +><P +>Default: <B +CLASS="COMMAND" +>passwd chat = *old*password* %o\n *new* + password* %n\n *new*password* %n\n *changed*</B +></P +><P +>Example: <B +CLASS="COMMAND" +>passwd chat = "*Enter OLD password*" %o\n + "*Enter NEW password*" %n\n "*Reenter NEW password*" %n\n "*Password + changed*"</B +></P +></DD +><DT +><A +NAME="PASSWDCHATDEBUG" +></A +>passwd chat debug (G)</DT +><DD +><P +>This boolean specifies if the passwd chat script + parameter is run in <I +CLASS="EMPHASIS" +>debug</I +> mode. In this mode the + strings passed to and received from the passwd chat are printed + in the <A +HREF="smbd.8.html" +TARGET="_top" +>smbd(8)</A +> log with a + <A +HREF="#DEBUGLEVEL" +><TT +CLASS="PARAMETER" +><I +>debug level</I +></TT +></A +> + of 100. This is a dangerous option as it will allow plaintext passwords + to be seen in the <B +CLASS="COMMAND" +>smbd</B +> log. It is available to help + Samba admins debug their <TT +CLASS="PARAMETER" +><I +>passwd chat</I +></TT +> scripts + when calling the <TT +CLASS="PARAMETER" +><I +>passwd program</I +></TT +> and should + be turned off after this has been done. This parameter is off by + default.</P +><P +>See also <<A +HREF="#PASSWDCHAT" +><TT +CLASS="PARAMETER" +><I +>passwd chat</I +></TT +> + </A +>, <A +HREF="#PASSWDPROGRAM" +><TT +CLASS="PARAMETER" +><I +>passwd program</I +></TT +> + </A +>.</P +><P +>Default: <B +CLASS="COMMAND" +>passwd chat debug = no</B +></P +><P +>Example: <B +CLASS="COMMAND" +>passwd chat debug = yes</B +></P +></DD +><DT +><A +NAME="PASSWDPROGRAM" +></A +>passwd program (G)</DT +><DD +><P +>The name of a program that can be used to set + UNIX user passwords. Any occurrences of <TT +CLASS="PARAMETER" +><I +>%u</I +></TT +> + will be replaced with the user name. The user name is checked for + existence before calling the password changing program.</P +><P +>Also note that many passwd programs insist in <I +CLASS="EMPHASIS" +>reasonable + </I +> passwords, such as a minimum length, or the inclusion + of mixed case chars and digits. This can pose a problem as some clients + (such as Windows for Workgroups) uppercase the password before sending + it.</P +><P +><I +CLASS="EMPHASIS" +>Note</I +> that if the <TT +CLASS="PARAMETER" +><I +>unix + password sync</I +></TT +> parameter is set to <TT +CLASS="CONSTANT" +>True + </TT +> then this program is called <I +CLASS="EMPHASIS" +>AS ROOT</I +> + before the SMB password in the <A +HREF="smbpasswd.5.html" +TARGET="_top" +>smbpasswd(5) + </A +> file is changed. If this UNIX password change fails, then + <B +CLASS="COMMAND" +>smbd</B +> will fail to change the SMB password also + (this is by design).</P +><P +>If the <TT +CLASS="PARAMETER" +><I +>unix password sync</I +></TT +> parameter + is set this parameter <I +CLASS="EMPHASIS" +>MUST USE ABSOLUTE PATHS</I +> + for <I +CLASS="EMPHASIS" +>ALL</I +> programs called, and must be examined + for security implications. Note that by default <TT +CLASS="PARAMETER" +><I +>unix + password sync</I +></TT +> is set to <TT +CLASS="CONSTANT" +>False</TT +>.</P +><P +>See also <A +HREF="#UNIXPASSWORDSYNC" +><TT +CLASS="PARAMETER" +><I +>unix + password sync</I +></TT +></A +>.</P +><P +>Default: <B +CLASS="COMMAND" +>passwd program = /bin/passwd</B +></P +><P +>Example: <B +CLASS="COMMAND" +>passwd program = /sbin/npasswd %u</B +> + </P +></DD +><DT +><A +NAME="PASSWORDLEVEL" +></A +>password level (G)</DT +><DD +><P +>Some client/server combinations have difficulty + with mixed-case passwords. One offending client is Windows for + Workgroups, which for some reason forces passwords to upper + case when using the LANMAN1 protocol, but leaves them alone when + using COREPLUS!</P +><P +>This parameter defines the maximum number of characters + that may be upper case in passwords.</P +><P +>For example, say the password given was "FRED". If <TT +CLASS="PARAMETER" +><I +> password level</I +></TT +> is set to 1, the following combinations + would be tried if "FRED" failed:</P +><P +>"Fred", "fred", "fRed", "frEd","freD"</P +><P +>If <TT +CLASS="PARAMETER" +><I +>password level</I +></TT +> was set to 2, + the following combinations would also be tried: </P +><P +>"FRed", "FrEd", "FreD", "fREd", "fReD", "frED", ..</P +><P +>And so on.</P +><P +>The higher value this parameter is set to the more likely + it is that a mixed case password will be matched against a single + case password. However, you should be aware that use of this + parameter reduces security and increases the time taken to + process a new connection.</P +><P +>A value of zero will cause only two attempts to be + made - the password as is and the password in all-lower case.</P +><P +>Default: <B +CLASS="COMMAND" +>password level = 0</B +></P +><P +>Example: <B +CLASS="COMMAND" +>password level = 4</B +></P +></DD +><DT +><A +NAME="PASSWORDSERVER" +></A +>password server (G)</DT +><DD +><P +>By specifying the name of another SMB server (such + as a WinNT box) with this option, and using <B +CLASS="COMMAND" +>security = domain + </B +> or <B +CLASS="COMMAND" +>security = server</B +> you can get Samba + to do all its username/password validation via a remote server.</P +><P +>This options sets the name of the password server to use. + It must be a NetBIOS name, so if the machine's NetBIOS name is + different from its internet name then you may have to add its NetBIOS + name to the lmhosts file which is stored in the same directory + as the <TT +CLASS="FILENAME" +>smb.conf</TT +> file.</P +><P +>The name of the password server is looked up using the + parameter <A +HREF="#NAMERESOLVEORDER" +><TT +CLASS="PARAMETER" +><I +>name + resolve order</I +></TT +></A +> and so may resolved + by any method and order described in that parameter.</P +><P +>The password server much be a machine capable of using + the "LM1.2X002" or the "LM NT 0.12" protocol, and it must be in + user level security mode.</P +><P +><I +CLASS="EMPHASIS" +>NOTE:</I +> Using a password server + means your UNIX box (running Samba) is only as secure as your + password server. <I +CLASS="EMPHASIS" +>DO NOT CHOOSE A PASSWORD SERVER THAT + YOU DON'T COMPLETELY TRUST</I +>.</P +><P +>Never point a Samba server at itself for password + serving. This will cause a loop and could lock up your Samba + server!</P +><P +>The name of the password server takes the standard + substitutions, but probably the only useful one is <TT +CLASS="PARAMETER" +><I +>%m + </I +></TT +>, which means the Samba server will use the incoming + client as the passwordserver. If you use this then you better + trust your clients, and you better restrict them with hosts allow!</P +><P +>If the <TT +CLASS="PARAMETER" +><I +>security</I +></TT +> parameter is set to + <TT +CLASS="CONSTANT" +>domain</TT +>, then the list of machines in this + option must be a list of Primary or Backup Domain controllers for the + Domain or the character '*', as the Samba server is cryptographicly + in that domain, and will use cryptographicly authenticated RPC calls + to authenticate the user logging on. The advantage of using <B +CLASS="COMMAND" +> security = domain</B +> is that if you list several hosts in the + <TT +CLASS="PARAMETER" +><I +>password server</I +></TT +> option then <B +CLASS="COMMAND" +>smbd + </B +> will try each in turn till it finds one that responds. This + is useful in case your primary server goes down.</P +><P +>If the <TT +CLASS="PARAMETER" +><I +>password server</I +></TT +> option is set + to the character '*', then Samba will attempt to auto-locate the + Primary or Backup Domain controllers to authenticate against by + doing a query for the name <TT +CLASS="CONSTANT" +>WORKGROUP<1C></TT +> + and then contacting each server returned in the list of IP + addresses from the name resolution source. </P +><P +>If the <TT +CLASS="PARAMETER" +><I +>security</I +></TT +> parameter is + set to <TT +CLASS="CONSTANT" +>server</TT +>, then there are different + restrictions that <B +CLASS="COMMAND" +>security = domain</B +> doesn't + suffer from:</P +><P +></P +><UL +><LI +><P +>You may list several password servers in + the <TT +CLASS="PARAMETER" +><I +>password server</I +></TT +> parameter, however if an + <B +CLASS="COMMAND" +>smbd</B +> makes a connection to a password server, + and then the password server fails, no more users will be able + to be authenticated from this <B +CLASS="COMMAND" +>smbd</B +>. This is a + restriction of the SMB/CIFS protocol when in <B +CLASS="COMMAND" +>security=server + </B +> mode and cannot be fixed in Samba.</P +></LI +><LI +><P +>If you are using a Windows NT server as your + password server then you will have to ensure that your users + are able to login from the Samba server, as when in <B +CLASS="COMMAND" +> security=server</B +> mode the network logon will appear to + come from there rather than from the users workstation.</P +></LI +></UL +><P +>See also the <A +HREF="#SECURITY" +><TT +CLASS="PARAMETER" +><I +>security + </I +></TT +></A +> parameter.</P +><P +>Default: <B +CLASS="COMMAND" +>password server = <empty string></B +> + </P +><P +>Example: <B +CLASS="COMMAND" +>password server = NT-PDC, NT-BDC1, NT-BDC2 + </B +></P +><P +>Example: <B +CLASS="COMMAND" +>password server = *</B +></P +></DD +><DT +><A +NAME="PATH" +></A +>path (S)</DT +><DD +><P +>This parameter specifies a directory to which + the user of the service is to be given access. In the case of + printable services, this is where print data will spool prior to + being submitted to the host for printing.</P +><P +>For a printable service offering guest access, the service + should be readonly and the path should be world-writeable and + have the sticky bit set. This is not mandatory of course, but + you probably won't get the results you expect if you do + otherwise.</P +><P +>Any occurrences of <TT +CLASS="PARAMETER" +><I +>%u</I +></TT +> in the path + will be replaced with the UNIX username that the client is using + on this connection. Any occurrences of <TT +CLASS="PARAMETER" +><I +>%m</I +></TT +> + will be replaced by the NetBIOS name of the machine they are + connecting from. These replacements are very useful for setting + up pseudo home directories for users.</P +><P +>Note that this path will be based on <A +HREF="#ROOTDIR" +> <TT +CLASS="PARAMETER" +><I +>root dir</I +></TT +></A +> if one was specified.</P +><P +>Default: <I +CLASS="EMPHASIS" +>none</I +></P +><P +>Example: <B +CLASS="COMMAND" +>path = /home/fred</B +></P +></DD +><DT +><A +NAME="POSTEXEC" +></A +>postexec (S)</DT +><DD +><P +>This option specifies a command to be run + whenever the service is disconnected. It takes the usual + substitutions. The command may be run as the root on some + systems.</P +><P +>An interesting example may be do unmount server + resources:</P +><P +><B +CLASS="COMMAND" +>postexec = /etc/umount /cdrom</B +></P +><P +>See also <A +HREF="#PREEXEC" +><TT +CLASS="PARAMETER" +><I +>preexec</I +></TT +> + </A +>.</P +><P +>Default: <I +CLASS="EMPHASIS" +>none (no command executed)</I +> + </P +><P +>Example: <B +CLASS="COMMAND" +>postexec = echo \"%u disconnected from %S + from %m (%I)\" >> /tmp/log</B +></P +></DD +><DT +><A +NAME="POSTSCRIPT" +></A +>postscript (S)</DT +><DD +><P +>This parameter forces a printer to interpret + the print files as postscript. This is done by adding a <TT +CLASS="CONSTANT" +>%! + </TT +> to the start of print output.</P +><P +>This is most useful when you have lots of PCs that persist + in putting a control-D at the start of print jobs, which then + confuses your printer.</P +><P +>Default: <B +CLASS="COMMAND" +>postscript = no</B +></P +></DD +><DT +><A +NAME="PREEXEC" +></A +>preexec (S)</DT +><DD +><P +>This option specifies a command to be run whenever + the service is connected to. It takes the usual substitutions.</P +><P +>An interesting example is to send the users a welcome + message every time they log in. Maybe a message of the day? Here + is an example:</P +><P +><B +CLASS="COMMAND" +>preexec = csh -c 'echo \"Welcome to %S!\" | + /usr/local/samba/bin/smbclient -M %m -I %I' & </B +></P +><P +>Of course, this could get annoying after a while :-)</P +><P +>See also <A +HREF="#PREEXECCLOSE" +><TT +CLASS="PARAMETER" +><I +>preexec close + </I +></TT +></A +> and <A +HREF="#POSTEXEC" +><TT +CLASS="PARAMETER" +><I +>postexec + </I +></TT +></A +>.</P +><P +>Default: <I +CLASS="EMPHASIS" +>none (no command executed)</I +></P +><P +>Example: <B +CLASS="COMMAND" +>preexec = echo \"%u connected to %S from %m + (%I)\" >> /tmp/log</B +></P +></DD +><DT +><A +NAME="PREEXECCLOSE" +></A +>preexec close (S)</DT +><DD +><P +>This boolean option controls whether a non-zero + return code from <A +HREF="#PREEXEC" +><TT +CLASS="PARAMETER" +><I +>preexec + </I +></TT +></A +> should close the service being connected to.</P +><P +>Default: <B +CLASS="COMMAND" +>preexec close = no</B +></P +></DD +><DT +><A +NAME="PREFERREDMASTER" +></A +>preferred master (G)</DT +><DD +><P +>This boolean parameter controls if <A +HREF="nmbd.8.html" +TARGET="_top" +>nmbd(8)</A +> is a preferred master browser + for its workgroup.</P +><P +>If this is set to true, on startup, <B +CLASS="COMMAND" +>nmbd</B +> + will force an election, and it will have a slight advantage in + winning the election. It is recommended that this parameter is + used in conjunction with <B +CLASS="COMMAND" +><A +HREF="#DOMAINMASTER" +><TT +CLASS="PARAMETER" +><I +> domain master</I +></TT +></A +> = yes</B +>, so that <B +CLASS="COMMAND" +> nmbd</B +> can guarantee becoming a domain master.</P +><P +>Use this option with caution, because if there are several + hosts (whether Samba servers, Windows 95 or NT) that are preferred + master browsers on the same subnet, they will each periodically + and continuously attempt to become the local master browser. + This will result in unnecessary broadcast traffic and reduced browsing + capabilities.</P +><P +>See also <A +HREF="#OSLEVEL" +><TT +CLASS="PARAMETER" +><I +>os level</I +></TT +> + </A +>.</P +><P +>Default: <B +CLASS="COMMAND" +>preferred master = no</B +></P +></DD +><DT +><A +NAME="PREFEREDMASTER" +></A +>prefered master (G)</DT +><DD +><P +>Synonym for <A +HREF="#PREFERREDMASTER" +><TT +CLASS="PARAMETER" +><I +> preferred master</I +></TT +></A +> for people who cannot spell :-).</P +></DD +><DT +><A +NAME="PRELOAD" +></A +>preload</DT +><DD +><P +>Synonym for <A +HREF="#AUTOSERVICES" +><TT +CLASS="PARAMETER" +><I +> auto services</I +></TT +></A +>.</P +></DD +><DT +><A +NAME="PRESERVECASE" +></A +>preserve case (S)</DT +><DD +><P +> This controls if new filenames are created + with the case that the client passes, or if they are forced to + be the <A +HREF="#DEFAULTCASE" +><TT +CLASS="PARAMETER" +><I +>derault case + </I +></TT +></A +>.</P +><P +>Default: <B +CLASS="COMMAND" +>preserve case = yes</B +></P +><P +>See the section on <A +HREF="#AEN201" +>NAME + MANGLING"</A +> for a fuller discussion.</P +></DD +><DT +><A +NAME="PRINTCOMMAND" +></A +>print command (S)</DT +><DD +><P +>After a print job has finished spooling to + a service, this command will be used via a <B +CLASS="COMMAND" +>system()</B +> + call to process the spool file. Typically the command specified will + submit the spool file to the host's printing subsystem, but there + is no requirement that this be the case. The server will not remove + the spool file, so whatever command you specify should remove the + spool file when it has been processed, otherwise you will need to + manually remove old spool files.</P +><P +>The print command is simply a text string. It will be used + verbatim, with two exceptions: All occurrences of <TT +CLASS="PARAMETER" +><I +>%s + </I +></TT +> and <TT +CLASS="PARAMETER" +><I +>%f</I +></TT +> will be replaced by the + appropriate spool file name, and all occurrences of <TT +CLASS="PARAMETER" +><I +>%p + </I +></TT +> will be replaced by the appropriate printer name. The + spool file name is generated automatically by the server, the printer + name is discussed below.</P +><P +>The print command <I +CLASS="EMPHASIS" +>MUST</I +> contain at least + one occurrence of <TT +CLASS="PARAMETER" +><I +>%s</I +></TT +> or <TT +CLASS="PARAMETER" +><I +>%f + </I +></TT +> - the <TT +CLASS="PARAMETER" +><I +>%p</I +></TT +> is optional. At the time + a job is submitted, if no printer name is supplied the <TT +CLASS="PARAMETER" +><I +>%p + </I +></TT +> will be silently removed from the printer command.</P +><P +>If specified in the [global] section, the print command given + will be used for any printable service that does not have its own + print command specified.</P +><P +>If there is neither a specified print command for a + printable service nor a global print command, spool files will + be created but not processed and (most importantly) not removed.</P +><P +>Note that printing may fail on some UNIXs from the + <TT +CLASS="CONSTANT" +>nobody</TT +> account. If this happens then create + an alternative guest account that can print and set the <A +HREF="#GUESTACCOUNT" +><TT +CLASS="PARAMETER" +><I +>guest account</I +></TT +></A +> + in the [global] section.</P +><P +>You can form quite complex print commands by realizing + that they are just passed to a shell. For example the following + will log a print job, print the file, then remove it. Note that + ';' is the usual separator for command in shell scripts.</P +><P +><B +CLASS="COMMAND" +>print command = echo Printing %s >> + /tmp/print.log; lpr -P %p %s; rm %s</B +></P +><P +>You may have to vary this command considerably depending + on how you normally print files on your system. The default for + the parameter varies depending on the setting of the <A +HREF="#PRINTING" +> <TT +CLASS="PARAMETER" +><I +>printing</I +></TT +></A +> parameter.</P +><P +>Default: For <B +CLASS="COMMAND" +>printing= BSD, AIX, QNX, LPRNG + or PLP :</B +></P +><P +><B +CLASS="COMMAND" +>print command = lpr -r -P%p %s</B +></P +><P +>For <B +CLASS="COMMAND" +>printing= SYS or HPUX :</B +></P +><P +><B +CLASS="COMMAND" +>print command = lp -c -d%p %s; rm %s</B +></P +><P +>For <B +CLASS="COMMAND" +>printing=SOFTQ :</B +></P +><P +><B +CLASS="COMMAND" +>print command = lp -d%p -s %s; rm %s</B +></P +><P +>Example: <B +CLASS="COMMAND" +>print command = /usr/local/samba/bin/myprintscript + %p %s</B +></P +></DD +><DT +><A +NAME="PRINTOK" +></A +>print ok (S)</DT +><DD +><P +>Synonym for <A +HREF="#PRINTABLE" +> <TT +CLASS="PARAMETER" +><I +>printable</I +></TT +></A +>.</P +></DD +><DT +><A +NAME="PRINTABLE" +></A +>printable (S)</DT +><DD +><P +>If this parameter is <TT +CLASS="CONSTANT" +>yes</TT +>, then + clients may open, write to and submit spool files on the directory + specified for the service. </P +><P +>Note that a printable service will ALWAYS allow writing + to the service path (user privileges permitting) via the spooling + of print data. The <A +HREF="#WRITEABLE" +><TT +CLASS="PARAMETER" +><I +>writeable + </I +></TT +></A +> parameter controls only non-printing access to + the resource.</P +><P +>Default: <B +CLASS="COMMAND" +>printable = no</B +></P +></DD +><DT +><A +NAME="PRINTCAP" +></A +>printcap (G)</DT +><DD +><P +>Synonym for <A +HREF="#PRINTCAPNAME" +><TT +CLASS="PARAMETER" +><I +> printcap name</I +></TT +></A +>.</P +></DD +><DT +><A +NAME="PRINTERADMIN" +></A +>printer admin (S)</DT +><DD +><P +>This is a list of users that can do anything to + printers via the remote administration interfaces offered by MSRPC + (usually using a NT workstation). Note that the root user always + has admin rights.</P +><P +>Default: <B +CLASS="COMMAND" +>printer admin = <empty string></B +> + </P +><P +>Example: <B +CLASS="COMMAND" +>printer admin = admin, @staff</B +></P +></DD +><DT +><A +NAME="PRINTCAPNAME" +></A +>printcap name (G)</DT +><DD +><P +>This parameter may be used to override the + compiled-in default printcap name used by the server (usually <TT +CLASS="FILENAME" +> /etc/printcap</TT +>). See the discussion of the <A +HREF="#AEN78" +>[printers]</A +> section above for reasons + why you might want to do this.</P +><P +>On System V systems that use <B +CLASS="COMMAND" +>lpstat</B +> to + list available printers you can use <B +CLASS="COMMAND" +>printcap name = lpstat + </B +> to automatically obtain lists of available printers. This + is the default for systems that define SYSV at configure time in + Samba (this includes most System V based systems). If <TT +CLASS="PARAMETER" +><I +> printcap name</I +></TT +> is set to <B +CLASS="COMMAND" +>lpstat</B +> on + these systems then Samba will launch <B +CLASS="COMMAND" +>lpstat -v</B +> and + attempt to parse the output to obtain a printer list.</P +><P +>A minimal printcap file would look something like this:</P +><P +><PRE +CLASS="PROGRAMLISTING" +> print1|My Printer 1 + print2|My Printer 2 + print3|My Printer 3 + print4|My Printer 4 + print5|My Printer 5 + </PRE +></P +><P +>where the '|' separates aliases of a printer. The fact + that the second alias has a space in it gives a hint to Samba + that it's a comment.</P +><P +><I +CLASS="EMPHASIS" +>NOTE</I +>: Under AIX the default printcap + name is <TT +CLASS="FILENAME" +>/etc/qconfig</TT +>. Samba will assume the + file is in AIX <TT +CLASS="FILENAME" +>qconfig</TT +> format if the string + <TT +CLASS="FILENAME" +>qconfig</TT +> appears in the printcap filename.</P +><P +>Default: <B +CLASS="COMMAND" +>printcap name = /etc/printcap</B +></P +><P +>Example: <B +CLASS="COMMAND" +>printcap name = /etc/myprintcap</B +></P +></DD +><DT +><A +NAME="PRINTER" +></A +>printer (S)</DT +><DD +><P +>This parameter specifies the name of the printer + to which print jobs spooled through a printable service will be sent.</P +><P +>If specified in the [global] section, the printer + name given will be used for any printable service that does + not have its own printer name specified.</P +><P +>Default: <I +CLASS="EMPHASIS" +>none (but may be <TT +CLASS="CONSTANT" +>lp</TT +> + on many systems)</I +></P +><P +>Example: <B +CLASS="COMMAND" +>printer name = laserwriter</B +></P +></DD +><DT +><A +NAME="PRINTERDRIVER" +></A +>printer driver (S)</DT +><DD +><P +>This option allows you to control the string + that clients receive when they ask the server for the printer driver + associated with a printer. If you are using Windows95 or WindowsNT + then you can use this to automate the setup of printers on your + system.</P +><P +>You need to set this parameter to the exact string (case + sensitive) that describes the appropriate printer driver for your + system. If you don't know the exact string to use then you should + first try with no <A +HREF="#PRINTERDRIVER" +><TT +CLASS="PARAMETER" +><I +> printer driver</I +></TT +></A +> option set and the client will + give you a list of printer drivers. The appropriate strings are + shown in a scrollbox after you have chosen the printer manufacturer.</P +><P +>See also <A +HREF="#PRINTERDRIVERFILE" +><TT +CLASS="PARAMETER" +><I +>printer + driver file</I +></TT +></A +>.</P +><P +>Example: <B +CLASS="COMMAND" +>printer driver = HP LaserJet 4L</B +></P +></DD +><DT +><A +NAME="PRINTERDRIVERFILE" +></A +>printer driver file (G)</DT +><DD +><P +>This parameter tells Samba where the printer driver + definition file, used when serving drivers to Windows 95 clients, is + to be found. If this is not set, the default is :</P +><P +><TT +CLASS="FILENAME" +><TT +CLASS="REPLACEABLE" +><I +>SAMBA_INSTALL_DIRECTORY</I +></TT +> + /lib/printers.def</TT +></P +><P +>This file is created from Windows 95 <TT +CLASS="FILENAME" +>msprint.inf + </TT +> files found on the Windows 95 client system. For more + details on setting up serving of printer drivers to Windows 95 + clients, see the documentation file in the <TT +CLASS="FILENAME" +>docs/</TT +> + directory, <TT +CLASS="FILENAME" +>PRINTER_DRIVER.txt</TT +>.</P +><P +>See also <A +HREF="#PRINTERDRIVERLOCATION" +><TT +CLASS="PARAMETER" +><I +> printer driver location</I +></TT +></A +>.</P +><P +>Default: <I +CLASS="EMPHASIS" +>None (set in compile).</I +></P +><P +>Example: <B +CLASS="COMMAND" +>printer driver file = + /usr/local/samba/printers/drivers.def</B +></P +></DD +><DT +><A +NAME="PRINTERDRIVERLOCATION" +></A +>printer driver location (S)</DT +><DD +><P +>This parameter tells clients of a particular printer + share where to find the printer driver files for the automatic + installation of drivers for Windows 95 machines. If Samba is set up + to serve printer drivers to Windows 95 machines, this should be set to</P +><P +><B +CLASS="COMMAND" +>\\MACHINE\PRINTER$</B +></P +><P +>Where MACHINE is the NetBIOS name of your Samba server, + and PRINTER$ is a share you set up for serving printer driver + files. For more details on setting this up see the documentation + file in the <TT +CLASS="FILENAME" +>docs/</TT +> directory, <TT +CLASS="FILENAME" +> PRINTER_DRIVER.txt</TT +>.</P +><P +>See also <A +HREF="#PRINTERDRIVERFILE" +><TT +CLASS="PARAMETER" +><I +> printer driver file</I +></TT +></A +>.</P +><P +>Default: <B +CLASS="COMMAND" +>none</B +></P +><P +>Example: <B +CLASS="COMMAND" +>printer driver location = \\MACHINE\PRINTER$ + </B +></P +></DD +><DT +><A +NAME="PRINTERNAME" +></A +>printer name (S)</DT +><DD +><P +>Synonym for <A +HREF="#PRINTER" +><TT +CLASS="PARAMETER" +><I +> printer</I +></TT +></A +>.</P +></DD +><DT +><A +NAME="PRINTING" +></A +>printing (S)</DT +><DD +><P +>This parameters controls how printer status + information is interpreted on your system. It also affects the + default values for the <TT +CLASS="PARAMETER" +><I +>print command</I +></TT +>, + <TT +CLASS="PARAMETER" +><I +>lpq command</I +></TT +>, <TT +CLASS="PARAMETER" +><I +>lppause command + </I +></TT +>, <TT +CLASS="PARAMETER" +><I +>lpresume command</I +></TT +>, and + <TT +CLASS="PARAMETER" +><I +>lprm command</I +></TT +> if specified in the + [global]f> section.</P +><P +>Currently eight printing styles are supported. They are + <TT +CLASS="CONSTANT" +>BSD</TT +>, <TT +CLASS="CONSTANT" +>AIX</TT +>, + <TT +CLASS="CONSTANT" +>LPRNG</TT +>, <TT +CLASS="CONSTANT" +>PLP</TT +>, + <TT +CLASS="CONSTANT" +>SYSV</TT +>, <TT +CLASS="CONSTANT" +>HPUX</TT +>, + <TT +CLASS="CONSTANT" +>QNX</TT +>, <TT +CLASS="CONSTANT" +>SOFTQ</TT +>, + and <TT +CLASS="CONSTANT" +>CUPS</TT +>.</P +><P +>To see what the defaults are for the other print + commands when using the various options use the <A +HREF="testparm.1.html" +TARGET="_top" +>testparm(1)</A +> program.</P +><P +>This option can be set on a per printer basis</P +><P +>See also the discussion in the <A +HREF="#AEN78" +> [printers]</A +> section.</P +></DD +><DT +><A +NAME="PRIVATEDIR" +></A +>private dir(G)</DT +><DD +><P +>The <TT +CLASS="PARAMETER" +><I +>private dir</I +></TT +> parameter + allows an administator to define a directory path used to hold the + various databases Samba will use to store things like a the machine + trust account information when acting as a domain member (i.e. where + the secrets.tdb file will be located), where the passdb.tbd file + will stored in the case of using the experiemental tdbsam support, + etc...</P +><P +>Default: <B +CLASS="COMMAND" +>private dir = <compile time location + of smbpasswd></B +></P +><P +>Example: <B +CLASS="COMMAND" +>private dir = /etc/smbprivate</B +></P +></DD +><DT +><A +NAME="PROTOCOL" +></A +>protocol (G)</DT +><DD +><P +>The value of the parameter (a string) is the highest + protocol level that will be supported by the server.</P +><P +>Possible values are :</P +><P +></P +><UL +><LI +><P +><TT +CLASS="CONSTANT" +>CORE</TT +>: Earliest version. No + concept of user names.</P +></LI +><LI +><P +><TT +CLASS="CONSTANT" +>COREPLUS</TT +>: Slight improvements on + CORE for efficiency.</P +></LI +><LI +><P +><TT +CLASS="CONSTANT" +>LANMAN1</TT +>: First <I +CLASS="EMPHASIS" +> modern</I +> version of the protocol. Long filename + support.</P +></LI +><LI +><P +><TT +CLASS="CONSTANT" +>LANMAN2</TT +>: Updates to Lanman1 protocol. + </P +></LI +><LI +><P +><TT +CLASS="CONSTANT" +>NT1</TT +>: Current up to date version of + the protocol. Used by Windows NT. Known as CIFS.</P +></LI +></UL +><P +>Normally this option should not be set as the automatic + negotiation phase in the SMB protocol takes care of choosing + the appropriate protocol.</P +><P +>Default: <B +CLASS="COMMAND" +>protocol = NT1</B +></P +><P +>Example: <B +CLASS="COMMAND" +>protocol = LANMAN1</B +></P +></DD +><DT +><A +NAME="PUBLIC" +></A +>public (S)</DT +><DD +><P +>Synonym for <A +HREF="#GUESTOK" +><TT +CLASS="PARAMETER" +><I +>guest + ok</I +></TT +></A +>.</P +></DD +><DT +><A +NAME="QUEUEPAUSECOMMAND" +></A +>queuepause command (S)</DT +><DD +><P +>This parameter specifies the command to be + executed on the server host in order to pause the printerqueue.</P +><P +>This command should be a program or script which takes + a printer name as its only parameter and stops the printerqueue, + such that no longer jobs are submitted to the printer.</P +><P +>This command is not supported by Windows for Workgroups, + but can be issued from the Printer's window under Windows 95 + and NT.</P +><P +>If a <TT +CLASS="PARAMETER" +><I +>%p</I +></TT +> is given then the printername + is put in its place. Otherwise it is placed at the end of the command. + </P +><P +>Note that it is good practice to include the absolute + path in the command as the PATH may not be available to the + server.</P +><P +>Default: <I +CLASS="EMPHASIS" +>depends on the setting of <TT +CLASS="PARAMETER" +><I +>printing + </I +></TT +></I +></P +><P +>Example: <B +CLASS="COMMAND" +>queuepause command = disable %p</B +></P +></DD +><DT +><A +NAME="QUEUERESUMECOMMAND" +></A +>queueresume command (S)</DT +><DD +><P +>This parameter specifies the command to be + executed on the server host in order to resume the printerqueue. It + is the command to undo the behavior that is caused by the + previous parameter (<A +HREF="#QUEUEPAUSECOMMAND" +><TT +CLASS="PARAMETER" +><I +> queuepause command</I +></TT +></A +>).</P +><P +>This command should be a program or script which takes + a printer name as its only parameter and resumes the printerqueue, + such that queued jobs are resubmitted to the printer.</P +><P +>This command is not supported by Windows for Workgroups, + but can be issued from the Printer's window under Windows 95 + and NT.</P +><P +>If a <TT +CLASS="PARAMETER" +><I +>%p</I +></TT +> is given then the printername + is put in its place. Otherwise it is placed at the end of the + command.</P +><P +>Note that it is good practice to include the absolute + path in the command as the PATH may not be available to the + server.</P +><P +>Default: <I +CLASS="EMPHASIS" +>depends on the setting of <A +HREF="#PRINTING" +><TT +CLASS="PARAMETER" +><I +>printing</I +></TT +></A +></I +> + </P +><P +>Example: <B +CLASS="COMMAND" +>queuepause command = enable %p + </B +></P +></DD +><DT +><A +NAME="READBMPX" +></A +>read bmpx (G)</DT +><DD +><P +>This boolean parameter controls whether <A +HREF="smbd.8.html" +TARGET="_top" +>smbd(8)</A +> will support the "Read + Block Multiplex" SMB. This is now rarely used and defaults to + <TT +CLASS="CONSTANT" +>no</TT +>. You should never need to set this + parameter.</P +><P +>Default: <B +CLASS="COMMAND" +>read bmpx = no</B +></P +></DD +><DT +><A +NAME="READLIST" +></A +>read list (S)</DT +><DD +><P +>This is a list of users that are given read-only + access to a service. If the connecting user is in this list then + they will not be given write access, no matter what the <A +HREF="#WRITEABLE" +><TT +CLASS="PARAMETER" +><I +>writeable</I +></TT +></A +> + option is set to. The list can include group names using the + syntax described in the <A +HREF="#INVALIDUSERS" +><TT +CLASS="PARAMETER" +><I +> invalid users</I +></TT +></A +> parameter.</P +><P +>See also the <A +HREF="#WRITELIST" +><TT +CLASS="PARAMETER" +><I +> write list</I +></TT +></A +> parameter and the <A +HREF="#INVALIDUSERS" +><TT +CLASS="PARAMETER" +><I +>invalid users</I +></TT +> + </A +> parameter.</P +><P +>Default: <B +CLASS="COMMAND" +>read list = <empty string></B +></P +><P +>Example: <B +CLASS="COMMAND" +>read list = mary, @students</B +></P +></DD +><DT +><A +NAME="READONLY" +></A +>read only (S)</DT +><DD +><P +>Note that this is an inverted synonym for <A +HREF="#WRITEABLE" +><TT +CLASS="PARAMETER" +><I +>writeable</I +></TT +></A +>.</P +></DD +><DT +><A +NAME="READRAW" +></A +>read raw (G)</DT +><DD +><P +>This parameter controls whether or not the server + will support the raw read SMB requests when transferring data + to clients.</P +><P +>If enabled, raw reads allow reads of 65535 bytes in + one packet. This typically provides a major performance benefit. + </P +><P +>However, some clients either negotiate the allowable + block size incorrectly or are incapable of supporting larger block + sizes, and for these clients you may need to disable raw reads.</P +><P +>In general this parameter should be viewed as a system tuning + tool and left severely alone. See also <A +HREF="#WRITERAW" +> <TT +CLASS="PARAMETER" +><I +>write raw</I +></TT +></A +>.</P +><P +>Default: <B +CLASS="COMMAND" +>read raw = yes</B +></P +></DD +><DT +><A +NAME="READSIZE" +></A +>read size (G)</DT +><DD +><P +>The option <TT +CLASS="PARAMETER" +><I +>read size</I +></TT +> + affects the overlap of disk reads/writes with network reads/writes. + If the amount of data being transferred in several of the SMB + commands (currently SMBwrite, SMBwriteX and SMBreadbraw) is larger + than this value then the server begins writing the data before it + has received the whole packet from the network, or in the case of + SMBreadbraw, it begins writing to the network before all the data + has been read from disk.</P +><P +>This overlapping works best when the speeds of disk and + network access are similar, having very little effect when the + speed of one is much greater than the other.</P +><P +>The default value is 16384, but very little experimentation + has been done yet to determine the optimal value, and it is likely + that the best value will vary greatly between systems anyway. + A value over 65536 is pointless and will cause you to allocate + memory unnecessarily.</P +><P +>Default: <B +CLASS="COMMAND" +>read size = 16384</B +></P +><P +>Example: <B +CLASS="COMMAND" +>read size = 8192</B +></P +></DD +><DT +><A +NAME="REMOTEANNOUNCE" +></A +>remote announce (G)</DT +><DD +><P +>This option allows you to setup <A +HREF="nmbd.8.html" +TARGET="_top" +>nmbd(8)</A +> to periodically announce itself + to arbitrary IP addresses with an arbitrary workgroup name.</P +><P +>This is useful if you want your Samba server to appear + in a remote workgroup for which the normal browse propagation + rules don't work. The remote workgroup can be anywhere that you + can send IP packets to.</P +><P +>For example:</P +><P +><B +CLASS="COMMAND" +>remote announce = 192.168.2.255/SERVERS + 192.168.4.255/STAFF</B +></P +><P +>the above line would cause nmbd to announce itself + to the two given IP addresses using the given workgroup names. + If you leave out the workgroup name then the one given in + the <A +HREF="#WORKGROUP" +><TT +CLASS="PARAMETER" +><I +>workgroup</I +></TT +></A +> + parameter is used instead.</P +><P +>The IP addresses you choose would normally be the broadcast + addresses of the remote networks, but can also be the IP addresses + of known browse masters if your network config is that stable.</P +><P +>See the documentation file <TT +CLASS="FILENAME" +>BROWSING.txt</TT +> + in the <TT +CLASS="FILENAME" +>docs/</TT +> directory.</P +><P +>Default: <B +CLASS="COMMAND" +>remote announce = <empty string> + </B +></P +></DD +><DT +><A +NAME="REMOTEBROWSESYNC" +></A +>remote browse sync (G)</DT +><DD +><P +>This option allows you to setup <A +HREF="nmbd.8.html" +TARGET="_top" +>nmbd(8)</A +> to periodically request + synchronization of browse lists with the master browser of a samba + server that is on a remote segment. This option will allow you to + gain browse lists for multiple workgroups across routed networks. This + is done in a manner that does not work with any non-samba servers.</P +><P +>This is useful if you want your Samba server and all local + clients to appear in a remote workgroup for which the normal browse + propagation rules don't work. The remote workgroup can be anywhere + that you can send IP packets to.</P +><P +>For example:</P +><P +><B +CLASS="COMMAND" +>remote browse sync = 192.168.2.255 192.168.4.255 + </B +></P +><P +>the above line would cause <B +CLASS="COMMAND" +>nmbd</B +> to request + the master browser on the specified subnets or addresses to + synchronize their browse lists with the local server.</P +><P +>The IP addresses you choose would normally be the broadcast + addresses of the remote networks, but can also be the IP addresses + of known browse masters if your network config is that stable. If + a machine IP address is given Samba makes NO attempt to validate + that the remote machine is available, is listening, nor that it + is in fact the browse master on it's segment.</P +><P +>Default: <B +CLASS="COMMAND" +>remote browse sync = <empty string> + </B +></P +></DD +><DT +><A +NAME="RESTRICTANONYMOUS" +></A +>restrict anonymous (G)</DT +><DD +><P +>This is a boolean parameter. If it is true, then + anonymous access to the server will be restricted, namely in the + case where the server is expecting the client to send a username, + but it doesn't. Setting it to true will force these anonymous + connections to be denied, and the client will be required to always + supply a username and password when connecting. Use of this parameter + is only recommened for homogenous NT client environments.</P +><P +>This parameter makes the use of macro expansions that rely + on the username (%U, %G, etc) consistant. NT 4.0 + likes to use anonymous connections when refreshing the share list, + and this is a way to work around that.</P +><P +>When restrict anonymous is true, all anonymous connections + are denied no matter what they are for. This can effect the ability + of a machine to access the samba Primary Domain Controller to revalidate + it's machine account after someone else has logged on the client + interactively. The NT client will display a message saying that + the machine's account in the domain doesn't exist or the password is + bad. The best way to deal with this is to reboot NT client machines + between interactive logons, using "Shutdown and Restart", rather + than "Close all programs and logon as a different user".</P +><P +>Default: <B +CLASS="COMMAND" +>restrict anonymous = no</B +></P +></DD +><DT +><A +NAME="ROOT" +></A +>root (G)</DT +><DD +><P +>Synonym for <A +HREF="#ROOTDIRECTORY" +> <TT +CLASS="PARAMETER" +><I +>root directory"</I +></TT +></A +>.</P +></DD +><DT +><A +NAME="ROOTDIR" +></A +>root dir (G)</DT +><DD +><P +>Synonym for <A +HREF="#ROOTDIRECTORY" +> <TT +CLASS="PARAMETER" +><I +>root directory"</I +></TT +></A +>.</P +></DD +><DT +><A +NAME="ROOTDIRECTORY" +></A +>root directory (G)</DT +><DD +><P +>The server will <B +CLASS="COMMAND" +>chroot()</B +> (i.e. + Change it's root directory) to this directory on startup. This is + not strictly necessary for secure operation. Even without it the + server will deny access to files not in one of the service entries. + It may also check for, and deny access to, soft links to other + parts of the filesystem, or attempts to use ".." in file names + to access other directories (depending on the setting of the <A +HREF="#WIDELINKS" +><TT +CLASS="PARAMETER" +><I +>wide links</I +></TT +></A +> + parameter).</P +><P +>Adding a <TT +CLASS="PARAMETER" +><I +>root directory</I +></TT +> entry other + than "/" adds an extra level of security, but at a price. It + absolutely ensures that no access is given to files not in the + sub-tree specified in the <TT +CLASS="PARAMETER" +><I +>root directory</I +></TT +> + option, <I +CLASS="EMPHASIS" +>including</I +> some files needed for + complete operation of the server. To maintain full operability + of the server you will need to mirror some system files + into the <TT +CLASS="PARAMETER" +><I +>root directory</I +></TT +> tree. In particular + you will need to mirror <TT +CLASS="FILENAME" +>/etc/passwd</TT +> (or a + subset of it), and any binaries or configuration files needed for + printing (if required). The set of files that must be mirrored is + operating system dependent.</P +><P +>Default: <B +CLASS="COMMAND" +>root directory = /</B +></P +><P +>Example: <B +CLASS="COMMAND" +>root directory = /homes/smb</B +></P +></DD +><DT +><A +NAME="ROOTPOSTEXEC" +></A +>root postexec (S)</DT +><DD +><P +>This is the same as the <TT +CLASS="PARAMETER" +><I +>postexec</I +></TT +> + parameter except that the command is run as root. This + is useful for unmounting filesystems + (such as cdroms) after a connection is closed.</P +><P +>See also <A +HREF="#POSTEXEC" +><TT +CLASS="PARAMETER" +><I +> postexec</I +></TT +></A +>.</P +></DD +><DT +><A +NAME="ROOTPREEXEC" +></A +>root preexec (S)</DT +><DD +><P +>This is the same as the <TT +CLASS="PARAMETER" +><I +>preexec</I +></TT +> + parameter except that the command is run as root. This + is useful for mounting filesystems + (such as cdroms) after a connection is closed.</P +><P +>See also <A +HREF="#PREEXEC" +><TT +CLASS="PARAMETER" +><I +> preexec</I +></TT +></A +> and <A +HREF="#PREEXECCLOSE" +> <TT +CLASS="PARAMETER" +><I +>preexec close</I +></TT +></A +>.</P +></DD +><DT +><A +NAME="ROOTPREEXECCLOSE" +></A +>root preexec close (S)</DT +><DD +><P +>This is the same as the <TT +CLASS="PARAMETER" +><I +>preexec close + </I +></TT +> parameter except that the command is run as root.</P +><P +>See also <A +HREF="#PREEXEC" +><TT +CLASS="PARAMETER" +><I +> preexec</I +></TT +></A +> and <A +HREF="#PREEXECCLOSE" +> <TT +CLASS="PARAMETER" +><I +>preexec close</I +></TT +></A +>.</P +></DD +><DT +><A +NAME="SECURITY" +></A +>security (G)</DT +><DD +><P +>This option affects how clients respond to + Samba and is one of the most important settings in the <TT +CLASS="FILENAME" +> smb.conf</TT +> file.</P +><P +>The option sets the "security mode bit" in replies to + protocol negotiations with <A +HREF="smbd.8.html" +TARGET="_top" +>smbd(8) + </A +> to turn share level security on or off. Clients decide + based on this bit whether (and how) to transfer user and password + information to the server.</P +><P +>The default is <B +CLASS="COMMAND" +>security = user</B +>, as this is + the most common setting needed when talking to Windows 98 and + Windows NT.</P +><P +>The alternatives are <B +CLASS="COMMAND" +>security = share</B +>, + <B +CLASS="COMMAND" +>security = server</B +> or <B +CLASS="COMMAND" +>security=domain + </B +>.</P +><P +>In versions of Samba prior to 2..0, the default was + <B +CLASS="COMMAND" +>security = share</B +> mainly because that was + the only option at one stage.</P +><P +>There is a bug in WfWg that has relevance to this + setting. When in user or server level security a WfWg client + will totally ignore the password you type in the "connect + drive" dialog box. This makes it very difficult (if not impossible) + to connect to a Samba service as anyone except the user that + you are logged into WfWg as.</P +><P +>If your PCs use usernames that are the same as their + usernames on the UNIX machine then you will want to use + <B +CLASS="COMMAND" +>security = user</B +>. If you mostly use usernames + that don't exist on the UNIX box then use <B +CLASS="COMMAND" +>security = + share</B +>.</P +><P +>You should also use <B +CLASS="COMMAND" +>security = share</B +> if you + want to mainly setup shares without a password (guest shares). This + is commonly used for a shared printer server. It is more difficult + to setup guest shares with <B +CLASS="COMMAND" +>security = user</B +>, see + the <A +HREF="#MAPTOGUEST" +><TT +CLASS="PARAMETER" +><I +>map to guest</I +></TT +> + </A +>parameter for details.</P +><P +>It is possible to use <B +CLASS="COMMAND" +>smbd</B +> in a <I +CLASS="EMPHASIS" +> hybrid mode</I +> where it is offers both user and share + level security under different <A +HREF="#NETBIOSALIASES" +> <TT +CLASS="PARAMETER" +><I +>NetBIOS aliases</I +></TT +></A +>. </P +><P +>The different settings will now be explained.</P +><P +><A +NAME="SECURITYEQUALSHARE" +></A +><I +CLASS="EMPHASIS" +>SECURITY = SHARE + </I +></P +><P +>When clients connect to a share level security server then + need not log onto the server with a valid username and password before + attempting to connect to a shared resource (although modern clients + such as Windows 95/98 and Windows NT will send a logon request with + a username but no password when talking to a <B +CLASS="COMMAND" +>security = share + </B +> server). Instead, the clients send authentication information + (passwords) on a per-share basis, at the time they attempt to connect + to that share.</P +><P +>Note that <B +CLASS="COMMAND" +>smbd</B +> <I +CLASS="EMPHASIS" +>ALWAYS</I +> + uses a valid UNIX user to act on behalf of the client, even in + <B +CLASS="COMMAND" +>security = share</B +> level security.</P +><P +>As clients are not required to send a username to the server + in share level security, <B +CLASS="COMMAND" +>smbd</B +> uses several + techniques to determine the correct UNIX user to use on behalf + of the client.</P +><P +>A list of possible UNIX usernames to match with the given + client password is constructed using the following methods :</P +><P +></P +><UL +><LI +><P +>If the <A +HREF="#GUESTONLY" +><TT +CLASS="PARAMETER" +><I +>guest + only</I +></TT +></A +> parameter is set, then all the other + stages are missed and only the <A +HREF="#GUESTACCOUNT" +> <TT +CLASS="PARAMETER" +><I +>guest account</I +></TT +></A +> username is checked. + </P +></LI +><LI +><P +>Is a username is sent with the share connection + request, then this username (after mapping - see <A +HREF="#USERNAMEMAP" +><TT +CLASS="PARAMETER" +><I +>username map</I +></TT +></A +>), + is added as a potential username.</P +></LI +><LI +><P +>If the client did a previous <I +CLASS="EMPHASIS" +>logon + </I +> request (the SessionSetup SMB call) then the + username sent in this SMB will be added as a potential username. + </P +></LI +><LI +><P +>The name of the service the client requested is + added as a potential username.</P +></LI +><LI +><P +>The NetBIOS name of the client is added to + the list as a potential username.</P +></LI +><LI +><P +>Any users on the <A +HREF="#USER" +><TT +CLASS="PARAMETER" +><I +> user</I +></TT +></A +> list are added as potential usernames. + </P +></LI +></UL +><P +>If the <TT +CLASS="PARAMETER" +><I +>guest only</I +></TT +> parameter is + not set, then this list is then tried with the supplied password. + The first user for whom the password matches will be used as the + UNIX user.</P +><P +>If the <TT +CLASS="PARAMETER" +><I +>guest only</I +></TT +> parameter is + set, or no username can be determined then if the share is marked + as available to the <TT +CLASS="PARAMETER" +><I +>guest account</I +></TT +>, then this + guest user will be used, otherwise access is denied.</P +><P +>Note that it can be <I +CLASS="EMPHASIS" +>very</I +> confusing + in share-level security as to which UNIX username will eventually + be used in granting access.</P +><P +>See also the section <A +HREF="#AEN234" +> NOTE ABOUT USERNAME/PASSWORD VALIDATION</A +>.</P +><P +><A +NAME="SECURITYEQUALUSER" +></A +><I +CLASS="EMPHASIS" +>SECURIYT = USER + </I +></P +><P +>This is the default security setting in Samba 2.2. + With user-level security a client must first "log=on" with a + valid username and password (which can be mapped using the <A +HREF="#USERNAMEMAP" +><TT +CLASS="PARAMETER" +><I +>username map</I +></TT +></A +> + parameter). Encrypted passwords (see the <A +HREF="#ENCRYPTPASSWORDS" +> <TT +CLASS="PARAMETER" +><I +>encrypted passwords</I +></TT +></A +> parameter) can also + be used in this security mode. Parameters such as <A +HREF="#USER" +> <TT +CLASS="PARAMETER" +><I +>user</I +></TT +></A +> and <A +HREF="#GUESTONLY" +> <TT +CLASS="PARAMETER" +><I +>guest only</I +></TT +></A +> if set are then applied and + may change the UNIX user to use on this connection, but only after + the user has been successfully authenticated.</P +><P +><I +CLASS="EMPHASIS" +>Note</I +> that the name of the resource being + requested is <I +CLASS="EMPHASIS" +>not</I +> sent to the server until after + the server has successfully authenticated the client. This is why + guest shares don't work in user level security without allowing + the server to automatically map unknown users into the <A +HREF="#GUESTACCOUNT" +><TT +CLASS="PARAMETER" +><I +>guest account</I +></TT +></A +>. + See the <A +HREF="#MAPTOGUEST" +><TT +CLASS="PARAMETER" +><I +>map to guest</I +></TT +> + </A +> parameter for details on doing this.</P +><P +>See also the section <A +HREF="#AEN234" +> NOTE ABOUT USERNAME/PASSWORD VALIDATION</A +>.</P +><P +><A +NAME="SECURITYEQUALSERVER" +></A +><I +CLASS="EMPHASIS" +>SECURITY = SERVER + </I +></P +><P +>In this mode Samba will try to validate the username/password + by passing it to another SMB server, such as an NT box. If this + fails it will revert to <B +CLASS="COMMAND" +>security = user</B +>, but note + that if encrypted passwords have been negotiated then Samba cannot + revert back to checking the UNIX password file, it must have a valid + <TT +CLASS="FILENAME" +>smbpasswd</TT +> file to check users against. See the + documentation file in the <TT +CLASS="FILENAME" +>docs/</TT +> directory + <TT +CLASS="FILENAME" +>ENCRYPTION.txt</TT +> for details on how to set this + up.</P +><P +><I +CLASS="EMPHASIS" +>Note</I +> that from the clients point of + view <B +CLASS="COMMAND" +>security = server</B +> is the same as <B +CLASS="COMMAND" +> security = user</B +>. It only affects how the server deals + with the authentication, it does not in any way affect what the + client sees.</P +><P +><I +CLASS="EMPHASIS" +>Note</I +> that the name of the resource being + requested is <I +CLASS="EMPHASIS" +>not</I +> sent to the server until after + the server has successfully authenticated the client. This is why + guest shares don't work in user level security without allowing + the server to automatically map unknown users into the <A +HREF="#GUESTACCOUNT" +><TT +CLASS="PARAMETER" +><I +>guest account</I +></TT +></A +>. + See the <A +HREF="#MAPTOGUEST" +><TT +CLASS="PARAMETER" +><I +>map to guest</I +></TT +> + </A +> parameter for details on doing this.</P +><P +>See also the section <A +HREF="#AEN234" +> NOTE ABOUT USERNAME/PASSWORD VALIDATION</A +>.</P +><P +>See also the <A +HREF="#PASSWORDSERVER" +><TT +CLASS="PARAMETER" +><I +>password + server</I +></TT +></A +> parameter and the <A +HREF="#ENCRYPTPASSWORDS" +><TT +CLASS="PARAMETER" +><I +>encrypted passwords</I +></TT +> + </A +> parameter.</P +><P +><A +NAME="SECURITYEQUALSDOMAIN" +></A +><I +CLASS="EMPHASIS" +>SECURITY = DOMAIN + </I +></P +><P +>This mode will only work correctly if <A +HREF="smbpasswd.8.html" +TARGET="_top" +>smbpasswd(8)</A +> has been used to add this + machine into a Windows NT Domain. It expects the <A +HREF="#ENCRYPTPASSWORDS" +><TT +CLASS="PARAMETER" +><I +>encrypted passwords</I +></TT +> + </A +> parameter to be set to <TT +CLASS="CONSTANT" +>true</TT +>. In this + mode Samba will try to validate the username/password by passing + it to a Windows NT Primary or Backup Domain Controller, in exactly + the same way that a Windows NT Server would do.</P +><P +><I +CLASS="EMPHASIS" +>Note</I +> that a valid UNIX user must still + exist as well as the account on the Domain Controller to allow + Samba to have a valid UNIX account to map file access to.</P +><P +><I +CLASS="EMPHASIS" +>Note</I +> that from the clients point + of view <B +CLASS="COMMAND" +>security = domain</B +> is the same as <B +CLASS="COMMAND" +>security = user + </B +>. It only affects how the server deals with the authentication, + it does not in any way affect what the client sees.</P +><P +><I +CLASS="EMPHASIS" +>Note</I +> that the name of the resource being + requested is <I +CLASS="EMPHASIS" +>not</I +> sent to the server until after + the server has successfully authenticated the client. This is why + guest shares don't work in user level security without allowing + the server to automatically map unknown users into the <A +HREF="#GUESTACCOUNT" +><TT +CLASS="PARAMETER" +><I +>guest account</I +></TT +></A +>. + See the <A +HREF="#MAPTOGUEST" +><TT +CLASS="PARAMETER" +><I +>map to guest</I +></TT +> + </A +> parameter for details on doing this.</P +><P +><I +CLASS="EMPHASIS" +>BUG:</I +> There is currently a bug in the + implementation of <B +CLASS="COMMAND" +>security = domain</B +> with respect + to multi-byte character set usernames. The communication with a + Domain Controller must be done in UNICODE and Samba currently + does not widen multi-byte user names to UNICODE correctly, thus + a multi-byte username will not be recognized correctly at the + Domain Controller. This issue will be addressed in a future release.</P +><P +>See also the section <A +HREF="#AEN234" +> NOTE ABOUT USERNAME/PASSWORD VALIDATION</A +>.</P +><P +>See also the <A +HREF="#PASSWORDSERVER" +><TT +CLASS="PARAMETER" +><I +>password + server</I +></TT +></A +> parameter and the <A +HREF="#ENCRYPTPASSWORDS" +><TT +CLASS="PARAMETER" +><I +>encrypted passwords</I +></TT +> + </A +> parameter.</P +><P +>Default: <B +CLASS="COMMAND" +>security = USER</B +></P +><P +>Example: <B +CLASS="COMMAND" +>security = DOMAIN</B +></P +></DD +><DT +><A +NAME="SECURITYMASK" +></A +>security mask (S)</DT +><DD +><P +>This parameter controls what UNIX permission + bits can be modified when a Windows NT client is manipulating + the UNIX permission on a file using the native NT security + dialog box.</P +><P +>This parameter is applied as a mask (AND'ed with) to + the changed permission bits, thus preventing any bits not in + this mask from being modified. Essentially, zero bits in this + mask may be treated as a set of bits the user is not allowed + to change.</P +><P +>If not set explicitly this parameter is set to the same + value as the <A +HREF="#CREATEMASK" +><TT +CLASS="PARAMETER" +><I +>create mask + </I +></TT +></A +> parameter. To allow a user to modify all the + user/group/world permissions on a file, set this parameter to + 0777.</P +><P +><I +CLASS="EMPHASIS" +>Note</I +> that users who can access the + Samba server through other means can easily bypass this + restriction, so it is primarily useful for standalone + "appliance" systems. Administrators of most normal systems will + probably want to set it to 0777.</P +><P +>See also the <A +HREF="#FORCEDIRECTORYSECURITYMODE" +> <TT +CLASS="PARAMETER" +><I +>force directory security mode</I +></TT +></A +>, + <A +HREF="#DIRECTORYSECURITYMASK" +><TT +CLASS="PARAMETER" +><I +>directory + security mask</I +></TT +></A +>, <A +HREF="#FORCESECURITYMODE" +> <TT +CLASS="PARAMETER" +><I +>force security mode</I +></TT +></A +> parameters.</P +><P +>Default: <B +CLASS="COMMAND" +>security mask = <same as create mask> + </B +></P +><P +>Example: <B +CLASS="COMMAND" +>security mask = 0777</B +></P +></DD +><DT +><A +NAME="SERVERSTRING" +></A +>server string (G)</DT +><DD +><P +>This controls what string will show up in the + printer comment box in print manager and next to the IPC connection + in <B +CLASS="COMMAND" +>net view"</B +>. It can be any string that you wish + to show to your users.</P +><P +>It also sets what will appear in browse lists next + to the machine name.</P +><P +>A <TT +CLASS="PARAMETER" +><I +>%v</I +></TT +> will be replaced with the Samba + version number.</P +><P +>A <TT +CLASS="PARAMETER" +><I +>%h</I +></TT +> will be replaced with the + hostname.</P +><P +>Default: <B +CLASS="COMMAND" +>server string = Samba %v</B +></P +><P +>Example: <B +CLASS="COMMAND" +>server string = University of GNUs Samba + Server</B +></P +></DD +><DT +><A +NAME="SETDIRECTORY" +></A +>set directory (S)</DT +><DD +><P +>If <B +CLASS="COMMAND" +>set directory = no</B +>, then + users of the service may not use the setdir command to change + directory.</P +><P +>The <B +CLASS="COMMAND" +>setdir</B +> command is only implemented + in the Digital Pathworks client. See the Pathworks documentation + for details.</P +><P +>Default: <B +CLASS="COMMAND" +>set directory = no</B +></P +></DD +><DT +><A +NAME="SHAREMODES" +></A +>share modes (S)</DT +><DD +><P +>This enables or disables the honoring of + the <TT +CLASS="PARAMETER" +><I +>share modes</I +></TT +> during a file open. These + modes are used by clients to gain exclusive read or write access + to a file.</P +><P +>These open modes are not directly supported by UNIX, so + they are simulated using shared memory, or lock files if your + UNIX doesn't support shared memory (almost all do).</P +><P +>The share modes that are enabled by this option are + <TT +CLASS="CONSTANT" +>DENY_DOS</TT +>, <TT +CLASS="CONSTANT" +>DENY_ALL</TT +>, + <TT +CLASS="CONSTANT" +>DENY_READ</TT +>, <TT +CLASS="CONSTANT" +>DENY_WRITE</TT +>, + <TT +CLASS="CONSTANT" +>DENY_NONE</TT +> and <TT +CLASS="CONSTANT" +>DENY_FCB</TT +>. + </P +><P +>This option gives full share compatibility and enabled + by default.</P +><P +>You should <I +CLASS="EMPHASIS" +>NEVER</I +> turn this parameter + off as many Windows applications will break if you do so.</P +><P +>Default: <B +CLASS="COMMAND" +>share modes = yes</B +></P +></DD +><DT +><A +NAME="SHAREDMEMSIZE" +></A +>shared mem size (G)</DT +><DD +><P +>It specifies the size of the shared memory (in + bytes) to use between <A +HREF="smbd.8.html" +TARGET="_top" +>smbd(8)</A +> + processes. This parameter defaults to one megabyte of shared + memory. It is possible that if you have a large erver with many + files open simultaneously that you may need to increase this + parameter. Signs that this parameter is set too low are users + reporting strange problems trying to save files (locking errors) + and error messages in the smbd log looking like <I +CLASS="EMPHASIS" +>ERROR + smb_shm_alloc : alloc of XX bytes failed</I +>.</P +><P +>If your OS refuses the size that Samba asks for then + Samba will try a smaller size, reducing by a factor of 0.8 until + the OS accepts it.</P +><P +>Default: <B +CLASS="COMMAND" +>shared mem size = 1048576</B +></P +><P +>Example: <B +CLASS="COMMAND" +>shared mem size = 5242880 ; Set to 5mb for a + large number of files.</B +></P +></DD +><DT +><A +NAME="SHORTPRESERVECASE" +></A +>short preserve case (S)</DT +><DD +><P +>This boolean parameter controls if new files + which conform to 8.3 syntax, that is all in upper case and of + suitable length, are created upper case, or if they are forced + to be the <A +HREF="#DEFAULTCASE" +><TT +CLASS="PARAMETER" +><I +>default case + </I +></TT +></A +>. This option can be use with <A +HREF="#PRESERVECASE" +><B +CLASS="COMMAND" +>preserve case = yes</B +> + </A +> to permit long filenames to retain their case, while short + names are lowered. </P +><P +>See the section on <A +HREF="#AEN201" +> NAME MANGLING</A +>.</P +><P +>Default: <B +CLASS="COMMAND" +>short preserve case = yes</B +></P +></DD +><DT +><A +NAME="SMBPASSWDFILE" +></A +>smb passwd file (G)</DT +><DD +><P +>This option sets the path to the encrypted + smbpasswd file. By default the path to the smbpasswd file + is compiled into Samba.</P +><P +>Default: <B +CLASS="COMMAND" +>smb passwd file= <compiled + default></B +></P +><P +>Example: <B +CLASS="COMMAND" +>smb passwd file = /usr/samba/private/smbpasswd + </B +></P +></DD +><DT +><A +NAME="SMBRUN" +></A +>smbrun (G)</DT +><DD +><P +>This sets the full path to the <B +CLASS="COMMAND" +>smbrun + </B +> binary. This defaults to the value in the <TT +CLASS="FILENAME" +> Makefile</TT +>.</P +><P +>You must get this path right for many services + to work correctly.</P +><P +>You should not need to change this parameter so + long as Samba is installed correctly.</P +><P +>Default: <B +CLASS="COMMAND" +>smbrun=<compiled default> + </B +></P +><P +>Example: <B +CLASS="COMMAND" +>smbrun = /usr/local/samba/bin/smbrun + </B +></P +></DD +><DT +><A +NAME="SOCKETADDRESS" +></A +>socket address (G)</DT +><DD +><P +>This option allows you to control what + address Samba will listen for connections on. This is used to + support multiple virtual interfaces on the one server, each + with a different configuration.</P +><P +>By default samba will accept connections on any + address.</P +><P +>Example: <B +CLASS="COMMAND" +>socket address = 192.168.2.20</B +> + </P +></DD +><DT +><A +NAME="SOCKETOPTIONS" +></A +>socket options (G)</DT +><DD +><P +>This option allows you to set socket options + to be used when talking with the client.</P +><P +>Socket options are controls on the networking layer + of the operating systems which allow the connection to be + tuned.</P +><P +>This option will typically be used to tune your Samba + server for optimal performance for your local network. There is + no way that Samba can know what the optimal parameters are for + your net, so you must experiment and choose them yourself. We + strongly suggest you read the appropriate documentation for your + operating system first (perhaps <B +CLASS="COMMAND" +>man setsockopt</B +> + will help).</P +><P +>You may find that on some systems Samba will say + "Unknown socket option" when you supply an option. This means you + either incorrectly typed it or you need to add an include file + to includes.h for your OS. If the latter is the case please + send the patch to <A +HREF="mailto:samba@samba.org" +TARGET="_top" +> samba@samba.org</A +>.</P +><P +>Any of the supported socket options may be combined + in any way you like, as long as your OS allows it.</P +><P +>This is the list of socket options currently settable + using this option:</P +><P +></P +><UL +><LI +><P +>SO_KEEPALIVE</P +></LI +><LI +><P +>SO_REUSEADDR</P +></LI +><LI +><P +>SO_BROADCAST</P +></LI +><LI +><P +>TCP_NODELAY</P +></LI +><LI +><P +>IPTOS_LOWDELAY</P +></LI +><LI +><P +>IPTOS_THROUGHPUT</P +></LI +><LI +><P +>SO_SNDBUF *</P +></LI +><LI +><P +>SO_RCVBUF *</P +></LI +><LI +><P +>SO_SNDLOWAT *</P +></LI +><LI +><P +>SO_RCVLOWAT *</P +></LI +></UL +><P +>Those marked with a <I +CLASS="EMPHASIS" +>'*'</I +> take an integer + argument. The others can optionally take a 1 or 0 argument to enable + or disable the option, by default they will be enabled if you + don't specify 1 or 0.</P +><P +>To specify an argument use the syntax SOME_OPTION=VALUE + for example <B +CLASS="COMMAND" +>SO_SNDBUF=8192</B +>. Note that you must + not have any spaces before or after the = sign.</P +><P +>If you are on a local network then a sensible option + might be</P +><P +><B +CLASS="COMMAND" +>socket options = IPTOS_LOWDELAY</B +></P +><P +>If you have a local network then you could try:</P +><P +><B +CLASS="COMMAND" +>socket options = IPTOS_LOWDELAY TCP_NODELAY</B +></P +><P +>If you are on a wide area network then perhaps try + setting IPTOS_THROUGHPUT. </P +><P +>Note that several of the options may cause your Samba + server to fail completely. Use these options with caution!</P +><P +>Default: <B +CLASS="COMMAND" +>socket options = TCP_NODELAY</B +></P +><P +>Example: <B +CLASS="COMMAND" +>socket options = IPTOS_LOWDELAY</B +></P +></DD +><DT +><A +NAME="SOURCEENVIRONMENT" +></A +>source environment (G)</DT +><DD +><P +>This parameter causes Samba to set environment + variables as per the content of the file named.</P +><P +>If the value of this parameter starts with a "|" character + then Samba will treat that value as a pipe command to open and + will set the environment variables from the output of the pipe.</P +><P +>The contents of the file or the output of the pipe should + be formatted as the output of the standard Unix <B +CLASS="COMMAND" +>env(1) + </B +> command. This is of the form :</P +><P +>Example environment entry:</P +><P +><B +CLASS="COMMAND" +>SAMBA_NETBIOS_NAME=myhostname</B +></P +><P +>Default: <I +CLASS="EMPHASIS" +>No default value</I +></P +><P +>Examples: <B +CLASS="COMMAND" +>source environment = |/etc/smb.conf.sh + </B +></P +><P +>Example: <B +CLASS="COMMAND" +>source environment = + /usr/local/smb_env_vars</B +></P +></DD +><DT +><A +NAME="SSL" +></A +>ssl (G)</DT +><DD +><P +>This variable is part of SSL-enabled Samba. This + is only available if the SSL libraries have been compiled on your + system and the configure option <B +CLASS="COMMAND" +>--with-ssl</B +> was + given at configure time.</P +><P +><I +CLASS="EMPHASIS" +>Note</I +> that for export control reasons + this code is <I +CLASS="EMPHASIS" +>NOT</I +> enabled by default in any + current binary version of Samba.</P +><P +>This variable enables or disables the entire SSL mode. If + it is set to <TT +CLASS="CONSTANT" +>no</TT +>, the SSL enabled samba behaves + exactly like the non-SSL samba. If set to <TT +CLASS="CONSTANT" +>yes</TT +>, + it depends on the variables <A +HREF="#SSLHOSTS" +><TT +CLASS="PARAMETER" +><I +> ssl hosts</I +></TT +></A +> and <A +HREF="#SSLHOSTSRESIGN" +> <TT +CLASS="PARAMETER" +><I +>ssl hosts resign</I +></TT +></A +> whether an SSL + connection will be required.</P +><P +>Default: <B +CLASS="COMMAND" +>ssl=no</B +></P +></DD +><DT +><A +NAME="SSLCACERTDIR" +></A +>ssl CA certDir (G)</DT +><DD +><P +>This variable is part of SSL-enabled Samba. This + is only available if the SSL libraries have been compiled on your + system and the configure option <B +CLASS="COMMAND" +>--with-ssl</B +> was + given at configure time.</P +><P +><I +CLASS="EMPHASIS" +>Note</I +> that for export control reasons + this code is <I +CLASS="EMPHASIS" +>NOT</I +> enabled by default in any + current binary version of Samba.</P +><P +>This variable defines where to look up the Certification + Authorities. The given directory should contain one file for + each CA that samba will trust. The file name must be the hash + value over the "Distinguished Name" of the CA. How this directory + is set up is explained later in this document. All files within the + directory that don't fit into this naming scheme are ignored. You + don't need this variable if you don't verify client certificates.</P +><P +>Default: <B +CLASS="COMMAND" +>ssl CA certDir = /usr/local/ssl/certs + </B +></P +></DD +><DT +><A +NAME="SSLCACERTFILE" +></A +>ssl CA certFile (G)</DT +><DD +><P +>This variable is part of SSL-enabled Samba. This + is only available if the SSL libraries have been compiled on your + system and the configure option <B +CLASS="COMMAND" +>--with-ssl</B +> was + given at configure time.</P +><P +><I +CLASS="EMPHASIS" +>Note</I +> that for export control reasons + this code is <I +CLASS="EMPHASIS" +>NOT</I +> enabled by default in any + current binary version of Samba.</P +><P +>This variable is a second way to define the trusted CAs. + The certificates of the trusted CAs are collected in one big + file and this variable points to the file. You will probably + only use one of the two ways to define your CAs. The first choice is + preferable if you have many CAs or want to be flexible, the second + is preferable if you only have one CA and want to keep things + simple (you won't need to create the hashed file names). You + don't need this variable if you don't verify client certificates.</P +><P +>Default: <B +CLASS="COMMAND" +>ssl CA certFile = /usr/local/ssl/certs/trustedCAs.pem + </B +></P +></DD +><DT +><A +NAME="SSLCIPHERS" +></A +>ssl ciphers (G)</DT +><DD +><P +>This variable is part of SSL-enabled Samba. This + is only available if the SSL libraries have been compiled on your + system and the configure option <B +CLASS="COMMAND" +>--with-ssl</B +> was + given at configure time.</P +><P +><I +CLASS="EMPHASIS" +>Note</I +> that for export control reasons + this code is <I +CLASS="EMPHASIS" +>NOT</I +> enabled by default in any + current binary version of Samba.</P +><P +>This variable defines the ciphers that should be offered + during SSL negotiation. You should not set this variable unless + you know what you are doing.</P +></DD +><DT +><A +NAME="SSLCLIENTCERT" +></A +>ssl client cert (G)</DT +><DD +><P +>This variable is part of SSL-enabled Samba. This + is only available if the SSL libraries have been compiled on your + system and the configure option <B +CLASS="COMMAND" +>--with-ssl</B +> was + given at configure time.</P +><P +><I +CLASS="EMPHASIS" +>Note</I +> that for export control reasons + this code is <I +CLASS="EMPHASIS" +>NOT</I +> enabled by default in any + current binary version of Samba.</P +><P +>The certificate in this file is used by <A +HREF="smbclient.1.html" +TARGET="_top" +> <B +CLASS="COMMAND" +>smbclient(1)</B +></A +> if it exists. It's needed + if the server requires a client certificate.</P +><P +>Default: <B +CLASS="COMMAND" +>ssl client cert = /usr/local/ssl/certs/smbclient.pem + </B +></P +></DD +><DT +><A +NAME="SSLCLIENTKEY" +></A +>ssl client key (G)</DT +><DD +><P +>This variable is part of SSL-enabled Samba. This + is only available if the SSL libraries have been compiled on your + system and the configure option <B +CLASS="COMMAND" +>--with-ssl</B +> was + given at configure time.</P +><P +><I +CLASS="EMPHASIS" +>Note</I +> that for export control reasons + this code is <I +CLASS="EMPHASIS" +>NOT</I +> enabled by default in any + current binary version of Samba.</P +><P +>This is the private key for <A +HREF="smbclient.1.html" +TARGET="_top" +> <B +CLASS="COMMAND" +>smbclient(1)</B +></A +>. It's only needed if the + client should have a certificate. </P +><P +>Default: <B +CLASS="COMMAND" +>ssl client key = /usr/local/ssl/private/smbclient.pem + </B +></P +></DD +><DT +><A +NAME="SSLCOMPATIBILITY" +></A +>ssl compatibility (G)</DT +><DD +><P +>This variable is part of SSL-enabled Samba. This + is only available if the SSL libraries have been compiled on your + system and the configure option <B +CLASS="COMMAND" +>--with-ssl</B +> was + given at configure time.</P +><P +><I +CLASS="EMPHASIS" +>Note</I +> that for export control reasons + this code is <I +CLASS="EMPHASIS" +>NOT</I +> enabled by default in any + current binary version of Samba.</P +><P +>This variable defines whether SSLeay should be configured + for bug compatibility with other SSL implementations. This is + probably not desirable because currently no clients with SSL + implementations other than SSLeay exist.</P +><P +>Default: <B +CLASS="COMMAND" +>ssl compatibility = no</B +></P +></DD +><DT +><A +NAME="SSLHOSTS" +></A +>ssl hosts (G)</DT +><DD +><P +>See <A +HREF="#SSLHOSTSRESIGN" +><TT +CLASS="PARAMETER" +><I +> ssl hosts resign</I +></TT +></A +>.</P +></DD +><DT +><A +NAME="SSLHOSTSRESIGN" +></A +>ssl hosts resign (G)</DT +><DD +><P +>This variable is part of SSL-enabled Samba. This + is only available if the SSL libraries have been compiled on your + system and the configure option <B +CLASS="COMMAND" +>--with-ssl</B +> was + given at configure time.</P +><P +><I +CLASS="EMPHASIS" +>Note</I +> that for export control reasons + this code is <I +CLASS="EMPHASIS" +>NOT</I +> enabled by default in any + current binary version of Samba.</P +><P +>These two variables define whether samba will go + into SSL mode or not. If none of them is defined, samba will + allow only SSL connections. If the <A +HREF="#SSLHOSTS" +> <TT +CLASS="PARAMETER" +><I +>ssl hosts</I +></TT +></A +> variable lists + hosts (by IP-address, IP-address range, net group or name), + only these hosts will be forced into SSL mode. If the <TT +CLASS="PARAMETER" +><I +> ssl hosts resign</I +></TT +> variable lists hosts, only these + hosts will NOT be forced into SSL mode. The syntax for these two + variables is the same as for the <A +HREF="#HOSTSALLOW" +><TT +CLASS="PARAMETER" +><I +> hosts allow</I +></TT +></A +> and <A +HREF="#HOSTSDENY" +> <TT +CLASS="PARAMETER" +><I +>hosts deny</I +></TT +></A +> pair of variables, only + that the subject of the decision is different: It's not the access + right but whether SSL is used or not. </P +><P +>The example below requires SSL connections from all hosts + outside the local net (which is 192.168.*.*).</P +><P +>Default: <B +CLASS="COMMAND" +>ssl hosts = <empty string></B +></P +><P +><B +CLASS="COMMAND" +>ssl hosts resign = <empty string></B +></P +><P +>Example: <B +CLASS="COMMAND" +>ssl hosts resign = 192.168.</B +></P +></DD +><DT +><A +NAME="SSLREQUIRECLIENTCERT" +></A +>ssl require clientcert (G)</DT +><DD +><P +>This variable is part of SSL-enabled Samba. This + is only available if the SSL libraries have been compiled on your + system and the configure option <B +CLASS="COMMAND" +>--with-ssl</B +> was + given at configure time.</P +><P +><I +CLASS="EMPHASIS" +>Note</I +> that for export control reasons + this code is <I +CLASS="EMPHASIS" +>NOT</I +> enabled by default in any + current binary version of Samba.</P +><P +>If this variable is set to <TT +CLASS="CONSTANT" +>yes</TT +>, the + server will not tolerate connections from clients that don't + have a valid certificate. The directory/file given in <A +HREF="#SSLCACERTDIR" +><TT +CLASS="PARAMETER" +><I +>ssl CA certDir</I +></TT +> + </A +> and <A +HREF="#SSLCACERTFILE" +><TT +CLASS="PARAMETER" +><I +>ssl CA certFile + </I +></TT +></A +> will be used to look up the CAs that issued + the client's certificate. If the certificate can't be verified + positively, the connection will be terminated. If this variable + is set to <TT +CLASS="CONSTANT" +>no</TT +>, clients don't need certificates. + Contrary to web applications you really <I +CLASS="EMPHASIS" +>should</I +> + require client certificates. In the web environment the client's + data is sensitive (credit card numbers) and the server must prove + to be trustworthy. In a file server environment the server's data + will be sensitive and the clients must prove to be trustworthy.</P +><P +>Default: <B +CLASS="COMMAND" +>ssl require clientcert = no</B +></P +></DD +><DT +><A +NAME="SSLREQUIRESERVERCERT" +></A +>ssl require servercert (G)</DT +><DD +><P +>This variable is part of SSL-enabled Samba. This + is only available if the SSL libraries have been compiled on your + system and the configure option <B +CLASS="COMMAND" +>--with-ssl</B +> was + given at configure time.</P +><P +><I +CLASS="EMPHASIS" +>Note</I +> that for export control reasons + this code is <I +CLASS="EMPHASIS" +>NOT</I +> enabled by default in any + current binary version of Samba.</P +><P +>If this variable is set to <TT +CLASS="CONSTANT" +>yes</TT +>, the + <A +HREF="smbclient.1.html" +TARGET="_top" +><B +CLASS="COMMAND" +>smbclient(1)</B +> + </A +> will request a certificate from the server. Same as + <A +HREF="#SSLREQUIRECLIENTCERT" +><TT +CLASS="PARAMETER" +><I +>ssl require + clientcert</I +></TT +></A +> for the server.</P +><P +>Default: <B +CLASS="COMMAND" +>ssl require servercert = no</B +> + </P +></DD +><DT +><A +NAME="SSLSERVERCERT" +></A +>ssl server cert (G)</DT +><DD +><P +>This variable is part of SSL-enabled Samba. This + is only available if the SSL libraries have been compiled on your + system and the configure option <B +CLASS="COMMAND" +>--with-ssl</B +> was + given at configure time.</P +><P +><I +CLASS="EMPHASIS" +>Note</I +> that for export control reasons + this code is <I +CLASS="EMPHASIS" +>NOT</I +> enabled by default in any + current binary version of Samba.</P +><P +>This is the file containing the server's certificate. + The server <I +CLASS="EMPHASIS" +>must</I +> have a certificate. The + file may also contain the server's private key. See later for + how certificates and private keys are created.</P +><P +>Default: <B +CLASS="COMMAND" +>ssl server cert = <empty string> + </B +></P +></DD +><DT +><A +NAME="SSLSERVERKEY" +></A +>ssl server key (G)</DT +><DD +><P +>This variable is part of SSL-enabled Samba. This + is only available if the SSL libraries have been compiled on your + system and the configure option <B +CLASS="COMMAND" +>--with-ssl</B +> was + given at configure time.</P +><P +><I +CLASS="EMPHASIS" +>Note</I +> that for export control reasons + this code is <I +CLASS="EMPHASIS" +>NOT</I +> enabled by default in any + current binary version of Samba.</P +><P +>This file contains the private key of the server. If + this variable is not defined, the key is looked up in the + certificate file (it may be appended to the certificate). + The server <I +CLASS="EMPHASIS" +>must</I +> have a private key + and the certificate <I +CLASS="EMPHASIS" +>must</I +> + match this private key.</P +><P +>Default: <B +CLASS="COMMAND" +>ssl server key = <empty string> + </B +></P +></DD +><DT +><A +NAME="SSLVERSION" +></A +>ssl version (G)</DT +><DD +><P +>This variable is part of SSL-enabled Samba. This + is only available if the SSL libraries have been compiled on your + system and the configure option <B +CLASS="COMMAND" +>--with-ssl</B +> was + given at configure time.</P +><P +><I +CLASS="EMPHASIS" +>Note</I +> that for export control reasons + this code is <I +CLASS="EMPHASIS" +>NOT</I +> enabled by default in any + current binary version of Samba.</P +><P +>This enumeration variable defines the versions of the + SSL protocol that will be used. <TT +CLASS="CONSTANT" +>ssl2or3</TT +> allows + dynamic negotiation of SSL v2 or v3, <TT +CLASS="CONSTANT" +>ssl2</TT +> results + in SSL v2, <TT +CLASS="CONSTANT" +>ssl3</TT +> results in SSL v3 and + <TT +CLASS="CONSTANT" +>tls1</TT +> results in TLS v1. TLS (Transport Layer + Security) is the new standard for SSL.</P +><P +>Default: <B +CLASS="COMMAND" +>ssl version = "ssl2or3"</B +></P +></DD +><DT +><A +NAME="STATCACHE" +></A +>stat cache (G)</DT +><DD +><P +>This parameter determines if <A +HREF="smbd.8.html" +TARGET="_top" +>smbd(8)</A +> will use a cache in order to + speed up case insensitive name mappings. You should never need + to change this parameter.</P +><P +>Default: <B +CLASS="COMMAND" +>stat cache = yes</B +></P +></DD +><DT +><A +NAME="STATCACHESIZE" +></A +>stat cache size (G)</DT +><DD +><P +>This parameter determines the number of + entries in the <TT +CLASS="PARAMETER" +><I +>stat cache</I +></TT +>. You should + never need to change this parameter.</P +><P +>Default: <B +CLASS="COMMAND" +>stat cache size = 50</B +></P +></DD +><DT +><A +NAME="STATUS" +></A +>status (G)</DT +><DD +><P +>This enables or disables logging of connections + to a status file that <A +HREF="smbstatus.1.html" +TARGET="_top" +>smbstatus(1)</A +> + can read.</P +><P +>With this disabled <B +CLASS="COMMAND" +>smbstatus</B +> won't be able + to tell you what connections are active. You should never need to + change this parameter.</P +><P +>Default: <B +CLASS="COMMAND" +>status = yes</B +></P +></DD +><DT +><A +NAME="STRICTLOCKING" +></A +>strict locking (S)</DT +><DD +><P +>This is a boolean that controls the handling of + file locking in the server. When this is set to <TT +CLASS="CONSTANT" +>yes</TT +> + the server will check every read and write access for file locks, and + deny access if locks exist. This can be slow on some systems.</P +><P +>When strict locking is <TT +CLASS="CONSTANT" +>no</TT +> the server does file + lock checks only when the client explicitly asks for them.</P +><P +>Well behaved clients always ask for lock checks when it + is important, so in the vast majority of cases <B +CLASS="COMMAND" +>strict + locking = no</B +> is preferable.</P +><P +>Default: <B +CLASS="COMMAND" +>strict locking = no</B +></P +></DD +><DT +><A +NAME="STRICTSYNC" +></A +>strict sync (S)</DT +><DD +><P +>Many Windows applications (including the Windows + 98 explorer shell) seem to confuse flushing buffer contents to + disk with doing a sync to disk. Under UNIX, a sync call forces + the process to be suspended until the kernel has ensured that + all outstanding data in kernel disk buffers has been safely stored + onto stable storage. This is very slow and should only be done + rarely. Setting this parameter to <TT +CLASS="CONSTANT" +>no</TT +> (the + default) means that smbd ignores the Windows applications requests for + a sync call. There is only a possibility of losing data if the + operating system itself that Samba is running on crashes, so there is + little danger in this default setting. In addition, this fixes many + performance problems that people have reported with the new Windows98 + explorer shell file copies.</P +><P +>See also the <A +HREF="#SYNCALWAYS" +><TT +CLASS="PARAMETER" +><I +>sync + always></I +></TT +></A +> parameter.</P +><P +>Default: <B +CLASS="COMMAND" +>strict sync = no</B +></P +></DD +><DT +><A +NAME="STRIPDOT" +></A +>strip dot (G)</DT +><DD +><P +>This is a boolean that controls whether to + strip trailing dots off UNIX filenames. This helps with some + CDROMs that have filenames ending in a single dot.</P +><P +>Default: <B +CLASS="COMMAND" +>strip dot = no</B +></P +></DD +><DT +><A +NAME="SYNCALWAYS" +></A +>sync always (S)</DT +><DD +><P +>This is a boolean parameter that controls + whether writes will always be written to stable storage before + the write call returns. If this is false then the server will be + guided by the client's request in each write call (clients can + set a bit indicating that a particular write should be synchronous). + If this is true then every write will be followed by a <B +CLASS="COMMAND" +>fsync() + </B +> call to ensure the data is written to disk. Note that + the <TT +CLASS="PARAMETER" +><I +>strict sync</I +></TT +> parameter must be set to + <TT +CLASS="CONSTANT" +>yes</TT +> in order for this parameter to have + any affect.</P +><P +>See also the <A +HREF="#STRICTSYNC" +><TT +CLASS="PARAMETER" +><I +>strict + sync</I +></TT +></A +> parameter.</P +><P +>Default: <B +CLASS="COMMAND" +>sync always = no</B +></P +></DD +><DT +><A +NAME="SYSLOG" +></A +>syslog (G)</DT +><DD +><P +>This parameter maps how Samba debug messages + are logged onto the system syslog logging levels. Samba debug + level zero maps onto syslog <TT +CLASS="CONSTANT" +>LOG_ERR</TT +>, debug + level one maps onto <TT +CLASS="CONSTANT" +>LOG_WARNING</TT +>, debug level + two maps onto <TT +CLASS="CONSTANT" +>LOG_NOTICE</TT +>, debug level three + maps onto LOG_INFO. All higher levels are mapped to <TT +CLASS="CONSTANT" +> LOG_DEBUG</TT +>.</P +><P +>This paramter sets the threshold for sending messages + to syslog. Only messages with debug level less than this value + will be sent to syslog.</P +><P +>Default: <B +CLASS="COMMAND" +>syslog = 1</B +></P +></DD +><DT +><A +NAME="SYSLOGONLY" +></A +>syslog only (G)</DT +><DD +><P +>If this parameter is set then Samba debug + messages are logged into the system syslog only, and not to + the debug log files.</P +><P +>Default: <B +CLASS="COMMAND" +>syslog only = no</B +></P +></DD +><DT +><A +NAME="TEMPLATEHOMEDIR" +></A +>template homedir (G)</DT +><DD +><P +><I +CLASS="EMPHASIS" +>NOTE:</I +> this parameter is + only available in Samba 3.0.</P +><P +>When filling out the user information for a Windows NT + user, the <A +HREF="winbindd.8.html" +TARGET="_top" +>winbindd(8)</A +> daemon + uses this parameter to fill in the home directory for that user. + If the string <TT +CLASS="PARAMETER" +><I +>%D</I +></TT +> is present it is substituted + with the user's Windows NT domain name. If the string <TT +CLASS="PARAMETER" +><I +>%U + </I +></TT +> is present it is substituted with the user's Windows + NT user name.</P +><P +>Default: <B +CLASS="COMMAND" +>template homedir = /home/%D/%U</B +></P +></DD +><DT +><A +NAME="TEMPLATESHELL" +></A +>template shell (G)</DT +><DD +><P +><I +CLASS="EMPHASIS" +>NOTE:</I +> this parameter is + only available in Samba 3.0.</P +><P +>When filling out the user information for a Windows NT + user, the <A +HREF="winbindd.8.html" +TARGET="_top" +>winbindd(8)</A +> daemon + uses this parameter to fill in the login shell for that user.</P +><P +>Default: <B +CLASS="COMMAND" +>template shell = /bin/false</B +></P +></DD +><DT +><A +NAME="TIMEOFFSET" +></A +>time offset (G)</DT +><DD +><P +>This parameter is a setting in minutes to add + to the normal GMT to local time conversion. This is useful if + you are serving a lot of PCs that have incorrect daylight + saving time handling.</P +><P +>Default: <B +CLASS="COMMAND" +>time offset = 0</B +></P +><P +>Example: <B +CLASS="COMMAND" +>time offset = 60</B +></P +></DD +><DT +><A +NAME="TIMESERVER" +></A +>time server (G)</DT +><DD +><P +>This parameter determines if <A +HREF="nmbd.8.html" +TARGET="_top" +> + nmbd(8)</A +> advertises itself as a time server to Windows + clients.</P +><P +>Default: <B +CLASS="COMMAND" +>time server = no</B +></P +></DD +><DT +><A +NAME="TIMESTAMPLOGS" +></A +>timestamp logs (G)</DT +><DD +><P +>Synonym for <A +HREF="#DEBUGTIMESTAMP" +><TT +CLASS="PARAMETER" +><I +> debug timestamp</I +></TT +></A +>.</P +></DD +><DT +><A +NAME="UNIXPASSWORDSYNC" +></A +>unix password sync (G)</DT +><DD +><P +>This boolean parameter controls whether Samba + attempts to synchronize the UNIX password with the SMB password + when the encrypted SMB password in the smbpasswd file is changed. + If this is set to true the program specified in the <TT +CLASS="PARAMETER" +><I +>passwd + program</I +></TT +>parameter is called <I +CLASS="EMPHASIS" +>AS ROOT</I +> - + to allow the new UNIX password to be set without access to the + old UNIX password (as the SMB password has change code has no + access to the old password cleartext, only the new).</P +><P +>See also <A +HREF="#PASSWDPROGRAM" +><TT +CLASS="PARAMETER" +><I +>passwd + program</I +></TT +></A +>, <A +HREF="#PASSWDCHAT" +><TT +CLASS="PARAMETER" +><I +> passwd chat</I +></TT +></A +>.</P +><P +>Default: <B +CLASS="COMMAND" +>unix password sync = no</B +></P +></DD +><DT +><A +NAME="UNIXREALNAME" +></A +>unix realname (G)</DT +><DD +><P +>This boolean parameter when set causes samba + to supply the real name field from the unix password file to + the client. This isuseful for setting up mail clients and WWW + browsers on systems used by more than one person.</P +><P +>Default: <B +CLASS="COMMAND" +>unix realname = no</B +></P +></DD +><DT +><A +NAME="UPDATEENCRYPTED" +></A +>update encrypted (G)</DT +><DD +><P +>This boolean parameter allows a user logging + on with a plaintext password to have their encrypted (hashed) + password in the smbpasswd file to be updated automatically as + they log on. This option allows a site to migrate from plaintext + password authentication (users authenticate with plaintext + password over the wire, and are checked against a UNIX account + database) to encrypted password authentication (the SMB + challenge/response authentication mechanism) without forcing + all users to re-enter their passwords via smbpasswd at the time the + change is made. This is a convenience option to allow the change over + to encrypted passwords to be made over a longer period. Once all users + have encrypted representations of their passwords in the smbpasswd + file this parameter should be set to <TT +CLASS="CONSTANT" +>no</TT +>.</P +><P +>In order for this parameter to work correctly the <A +HREF="#ENCRYPTPASSWORDS" +><TT +CLASS="PARAMETER" +><I +>encrypt passwords</I +></TT +> + </A +> parameter must be set to <TT +CLASS="CONSTANT" +>no</TT +> when + this parameter is set to <TT +CLASS="CONSTANT" +>yes</TT +>.</P +><P +>Note that even when this parameter is set a user + authenticating to <B +CLASS="COMMAND" +>smbd</B +> must still enter a valid + password in order to connect correctly, and to update their hashed + (smbpasswd) passwords.</P +><P +>Default: <B +CLASS="COMMAND" +>update encrypted = no</B +></P +></DD +><DT +><A +NAME="USERHOSTS" +></A +>use rhosts (G)</DT +><DD +><P +>If this global parameter is a true, it specifies + that the UNIX users <TT +CLASS="FILENAME" +>.rhosts</TT +> file in their home directory + will be read to find the names of hosts and users who will be allowed + access without specifying a password.</P +><P +><I +CLASS="EMPHASIS" +>NOTE:</I +> The use of <TT +CLASS="PARAMETER" +><I +>use rhosts + </I +></TT +> can be a major security hole. This is because you are + trusting the PC to supply the correct username. It is very easy to + get a PC to supply a false username. I recommend that the <TT +CLASS="PARAMETER" +><I +> use rhosts</I +></TT +> option be only used if you really know what + you are doing.</P +><P +>Default: <B +CLASS="COMMAND" +>use rhosts = no</B +></P +></DD +><DT +><A +NAME="USER" +></A +>user (S)</DT +><DD +><P +>Synonym for <A +HREF="#USERNAME" +><TT +CLASS="PARAMETER" +><I +> username</I +></TT +></A +>.</P +></DD +><DT +><A +NAME="USERS" +></A +>users (S)</DT +><DD +><P +>Synonym for <A +HREF="#USERNAME" +><TT +CLASS="PARAMETER" +><I +> username</I +></TT +></A +>.</P +></DD +><DT +><A +NAME="USERNAME" +></A +>username (S)</DT +><DD +><P +>Multiple users may be specified in a comma-delimited + list, in which case the supplied password will be tested against + each username in turn (left to right).</P +><P +>The <TT +CLASS="PARAMETER" +><I +>username</I +></TT +> line is needed only when + the PC is unable to supply its own username. This is the case + for the COREPLUS protocol or where your users have different WfWg + usernames to UNIX usernames. In both these cases you may also be + better using the \\server\share%user syntax instead.</P +><P +>The <TT +CLASS="PARAMETER" +><I +>username</I +></TT +> line is not a great + solution in many cases as it means Samba will try to validate + the supplied password against each of the usernames in the + <TT +CLASS="PARAMETER" +><I +>username</I +></TT +> line in turn. This is slow and + a bad idea for lots of users in case of duplicate passwords. + You may get timeouts or security breaches using this parameter + unwisely.</P +><P +>Samba relies on the underlying UNIX security. This + parameter does not restrict who can login, it just offers hints + to the Samba server as to what usernames might correspond to the + supplied password. Users can login as whoever they please and + they will be able to do no more damage than if they started a + telnet session. The daemon runs as the user that they log in as, + so they cannot do anything that user cannot do.</P +><P +>To restrict a service to a particular set of users you + can use the <A +HREF="#VALIDUSERS" +><TT +CLASS="PARAMETER" +><I +>valid users + </I +></TT +></A +> parameter.</P +><P +>If any of the usernames begin with a '@' then the name + will be looked up first in the yp netgroups list (if Samba + is compiled with netgroup support), followed by a lookup in + the UNIX groups database and will expand to a list of all users + in the group of that name.</P +><P +>If any of the usernames begin with a '+' then the name + will be looked up only in the UNIX groups database and will + expand to a list of all users in the group of that name.</P +><P +>If any of the usernames begin with a '&'then the name + will be looked up only in the yp netgroups database (if Samba + is compiled with netgroup support) and will expand to a list + of all users in the netgroup group of that name.</P +><P +>Note that searching though a groups database can take + quite some time, snd some clients may time out during the + search.</P +><P +>See the section <A +HREF="#AEN234" +>NOTE ABOUT + USERNAME/PASSWORD VALIDATION</A +> for more information on how + this parameter determines access to the services.</P +><P +>Default: <B +CLASS="COMMAND" +>The guest account if a guest service, + else the name of the service.</B +></P +><P +>Examples:<B +CLASS="COMMAND" +>username = fred, mary, jack, jane, + @users, @pcgroup</B +></P +></DD +><DT +><A +NAME="USERNAMELEVEL" +></A +>username level (G)</DT +><DD +><P +>This option helps Samba to try and 'guess' at + the real UNIX username, as many DOS clients send an all-uppercase + username. By default Samba tries all lowercase, followed by the + username with the first letter capitalized, and fails if the + username is not found on the UNIX machine.</P +><P +>If this parameter is set to non-zero the behavior changes. + This parameter is a number that specifies the number of uppercase + combinations to try whilst trying to determine the UNIX user name. The + higher the number the more combinations will be tried, but the slower + the discovery of usernames will be. Use this parameter when you have + strange usernames on your UNIX machine, such as <TT +CLASS="CONSTANT" +>AstrangeUser + </TT +>.</P +><P +>Default: <B +CLASS="COMMAND" +>username level = 0</B +></P +><P +>Example: <B +CLASS="COMMAND" +>username level = 5</B +></P +></DD +><DT +><A +NAME="USERNAMEMAP" +></A +>username map (G)</DT +><DD +><P +>This option allows you to specify a file containing + a mapping of usernames from the clients to the server. This can be + used for several purposes. The most common is to map usernames + that users use on DOS or Windows machines to those that the UNIX + box uses. The other is to map multiple users to a single username + so that they can more easily share files.</P +><P +>The map file is parsed line by line. Each line should + contain a single UNIX username on the left then a '=' followed + by a list of usernames on the right. The list of usernames on the + right may contain names of the form @group in which case they + will match any UNIX username in that group. The special client + name '*' is a wildcard and matches any name. Each line of the + map file may be up to 1023 characters long.</P +><P +>The file is processed on each line by taking the + supplied username and comparing it with each username on the right + hand side of the '=' signs. If the supplied name matches any of + the names on the right hand side then it is replaced with the name + on the left. Processing then continues with the next line.</P +><P +>If any line begins with a '#' or a ';' then it is + ignored</P +><P +>If any line begins with an '!' then the processing + will stop after that line if a mapping was done by the line. + Otherwise mapping continues with every line being processed. + Using '!' is most useful when you have a wildcard mapping line + later in the file.</P +><P +>For example to map from the name <TT +CLASS="CONSTANT" +>admin</TT +> + or <TT +CLASS="CONSTANT" +>administrator</TT +> to the UNIX name <TT +CLASS="CONSTANT" +> root</TT +> you would use:</P +><P +><B +CLASS="COMMAND" +>root = admin administrator</B +></P +><P +>Or to map anyone in the UNIX group <TT +CLASS="CONSTANT" +>system</TT +> + to the UNIX name <TT +CLASS="CONSTANT" +>sys</TT +> you would use:</P +><P +><B +CLASS="COMMAND" +>sys = @system</B +></P +><P +>You can have as many mappings as you like in a username + map file.</P +><P +>If your system supports the NIS NETGROUP option then + the netgroup database is checked before the <TT +CLASS="FILENAME" +>/etc/group + </TT +> database for matching groups.</P +><P +>You can map Windows usernames that have spaces in them + by using double quotes around the name. For example:</P +><P +><B +CLASS="COMMAND" +>tridge = "Andrew Tridgell"</B +></P +><P +>would map the windows username "Andrew Tridgell" to the + unix username "tridge".</P +><P +>The following example would map mary and fred to the + unix user sys, and map the rest to guest. Note the use of the + '!' to tell Samba to stop processing if it gets a match on + that line.</P +><P +><PRE +CLASS="PROGRAMLISTING" +> !sys = mary fred + guest = * + </PRE +></P +><P +>Note that the remapping is applied to all occurrences + of usernames. Thus if you connect to \\server\fred and <TT +CLASS="CONSTANT" +> fred</TT +> is remapped to <TT +CLASS="CONSTANT" +>mary</TT +> then you + will actually be connecting to \\server\mary and will need to + supply a password suitable for <TT +CLASS="CONSTANT" +>mary</TT +> not + <TT +CLASS="CONSTANT" +>fred</TT +>. The only exception to this is the + username passed to the <A +HREF="#PASSWORDSERVER" +><TT +CLASS="PARAMETER" +><I +> password server</I +></TT +></A +> (if you have one). The password + server will receive whatever username the client supplies without + modification.</P +><P +>Also note that no reverse mapping is done. The main effect + this has is with printing. Users who have been mapped may have + trouble deleting print jobs as PrintManager under WfWg will think + they don't own the print job.</P +><P +>Default: <I +CLASS="EMPHASIS" +>no username map</I +></P +><P +>Example: <B +CLASS="COMMAND" +>username map = /usr/local/samba/lib/users.map + </B +></P +></DD +><DT +><A +NAME="UTMP" +></A +>utmp (S)</DT +><DD +><P +>This boolean parameter is only available if + Samba has been configured and compiled with the option <B +CLASS="COMMAND" +> --with-utmp</B +>. If set to True then Samba will attempt + to add utmp or utmpx records (depending on the UNIX system) whenever a + connection is made to a Samba server. Sites may use this to record the + user connecting to a Samba share.</P +><P +>See also the <A +HREF="#UTMPDIRECTORY" +><TT +CLASS="PARAMETER" +><I +> utmp directory</I +></TT +></A +> parameter.</P +><P +>Default: <B +CLASS="COMMAND" +>utmp = no</B +></P +></DD +><DT +><A +NAME="UTMPDIRECTORY" +></A +>utmp directory(G)</DT +><DD +><P +>This parameter is only available if Samba has + been configured and compiled with the option <B +CLASS="COMMAND" +> --with-utmp</B +>. It specifies a directory pathname that is + used to store the utmp or utmpx files (depending on the UNIX system) that + record user connections to a Samba server. See also the <A +HREF="#UTMP" +> <TT +CLASS="PARAMETER" +><I +>utmp</I +></TT +></A +> parameter. By default this is + not set, meaning the system will use whatever utmp file the + native system is set to use (usually + <TT +CLASS="FILENAME" +>/var/run/utmp</TT +> on Linux).</P +><P +>Default: <I +CLASS="EMPHASIS" +>no utmp directory</I +></P +></DD +><DT +><A +NAME="WINBINDCACHETIME" +></A +>winbind cache time</DT +><DD +><P +><I +CLASS="EMPHASIS" +>NOTE:</I +> this parameter is only + available in Samba 3.0.</P +><P +>This parameter specifies the number of seconds the + <A +HREF="winbindd.8.html" +TARGET="_top" +>winbindd(8)</A +> daemon will cache + user and group information before querying a Windows NT server + again.</P +><P +>Default: <B +CLASS="COMMAND" +>winbind cache type = 15</B +></P +></DD +><DT +><A +NAME="WINBINDGID" +></A +>winbind gid</DT +><DD +><P +><I +CLASS="EMPHASIS" +>NOTE:</I +> this parameter is only + available in Samba 3.0.</P +><P +>The winbind gid parameter specifies the range of group + ids that are allocated by the <A +HREF="winbindd.8.html" +TARGET="_top" +> winbindd(8)</A +> daemon. This range of group ids should have no + existing local or nis groups within it as strange conflicts can + occur otherwise.</P +><P +>Default: <B +CLASS="COMMAND" +>winbind gid = <empty string> + </B +></P +><P +>Example: <B +CLASS="COMMAND" +>winbind gid = 10000-20000</B +></P +></DD +><DT +><A +NAME="WINBINDUID" +></A +>winbind uid</DT +><DD +><P +><I +CLASS="EMPHASIS" +>NOTE:</I +> this parameter is only + available in Samba 3.0.</P +><P +>The winbind gid parameter specifies the range of group + ids that are allocated by the <A +HREF="winbindd.8.html" +TARGET="_top" +> winbindd(8)</A +> daemon. This range of ids should have no + existing local or nis users within it as strange conflicts can + occur otherwise.</P +><P +>Default: <B +CLASS="COMMAND" +>winbind uid = <empty string> + </B +></P +><P +>Example: <B +CLASS="COMMAND" +>winbind uid = 10000-20000</B +></P +></DD +><DT +><A +NAME="VALIDCHARS" +></A +>valid chars (G)</DT +><DD +><P +>The option allows you to specify additional + characters that should be considered valid by the server in + filenames. This is particularly useful for national character + sets, such as adding u-umlaut or a-ring.</P +><P +>The option takes a list of characters in either integer + or character form with spaces between them. If you give two + characters with a colon between them then it will be taken as + an lowercase:uppercase pair.</P +><P +>If you have an editor capable of entering the characters + into the config file then it is probably easiest to use this + method. Otherwise you can specify the characters in octal, + decimal or hexadecimal form using the usual C notation.</P +><P +>For example to add the single character 'Z' to the charset + (which is a pointless thing to do as it's already there) you could + do one of the following</P +><P +><PRE +CLASS="PROGRAMLISTING" +> valid chars = Z + valid chars = z:Z + valid chars = 0132:0172 + </PRE +></P +><P +>The last two examples above actually add two characters, + and alter the uppercase and lowercase mappings appropriately.</P +><P +>Note that you <I +CLASS="EMPHASIS" +>MUST</I +> specify this parameter + after the <TT +CLASS="PARAMETER" +><I +>client code page</I +></TT +> parameter if you + have both set. If <TT +CLASS="PARAMETER" +><I +>client code page</I +></TT +> is set after + the <TT +CLASS="PARAMETER" +><I +>valid chars</I +></TT +> parameter the <TT +CLASS="PARAMETER" +><I +>valid + chars</I +></TT +> settings will be overwritten.</P +><P +>See also the <A +HREF="#CLIENTCODEPAGE" +><TT +CLASS="PARAMETER" +><I +>client + code page</I +></TT +></A +> parameter.</P +><P +>Default: <I +CLASS="EMPHASIS" +>Samba defaults to using a reasonable set + of valid characters for English systems</I +></P +><P +>Example: <B +CLASS="COMMAND" +>valid chars = 0345:0305 0366:0326 0344:0304 + </B +></P +><P +>The above example allows filenames to have the Swedish + characters in them.</P +><P +><I +CLASS="EMPHASIS" +>NOTE:</I +> It is actually quite difficult to + correctly produce a <TT +CLASS="PARAMETER" +><I +>valid chars</I +></TT +> line for + a particular system. To automate the process <A +HREF="mailto:tino@augsburg.net" +TARGET="_top" +>tino@augsburg.net</A +> has written + a package called <B +CLASS="COMMAND" +>validchars</B +> which will automatically + produce a complete <TT +CLASS="PARAMETER" +><I +>valid chars</I +></TT +> line for + a given client system. Look in the <TT +CLASS="FILENAME" +>examples/validchars/ + </TT +> subdirectory of your Samba source code distribution + for this package.</P +></DD +><DT +><A +NAME="VALIDUSERS" +></A +>valid users (S)</DT +><DD +><P +>This is a list of users that should be allowed + to login to this service. Names starting with '@', '+' and '&' + are interpreted using the same rules as described in the + <TT +CLASS="PARAMETER" +><I +>invalid users</I +></TT +> parameter.</P +><P +>If this is empty (the default) then any user can login. + If a username is in both this list and the <TT +CLASS="PARAMETER" +><I +>invalid + users</I +></TT +> list then access is denied for that user.</P +><P +>The current servicename is substituted for <TT +CLASS="PARAMETER" +><I +>%S + </I +></TT +>. This is useful in the [homes] section.</P +><P +>See also <A +HREF="#INVALIDUSERS" +><TT +CLASS="PARAMETER" +><I +>invalid users + </I +></TT +></A +></P +><P +>Default: <I +CLASS="EMPHASIS" +>No valid users list (anyone can login) + </I +></P +><P +>Example: <B +CLASS="COMMAND" +>valid users = greg, @pcusers</B +></P +></DD +><DT +><A +NAME="VETOFILES" +></A +>veto files(S)</DT +><DD +><P +>This is a list of files and directories that + are neither visible nor accessible. Each entry in the list must + be separated by a '/', which allows spaces to be included + in the entry. '*' and '?' can be used to specify multiple files + or directories as in DOS wildcards.</P +><P +>Each entry must be a unix path, not a DOS path and + must <I +CLASS="EMPHASIS" +>not</I +> include the unix directory + separator '/'.</P +><P +>Note that the <TT +CLASS="PARAMETER" +><I +>case sensitive</I +></TT +> option + is applicable in vetoing files.</P +><P +>One feature of the veto files parameter that it is important + to be aware of, is that if a directory contains nothing but files + that match the veto files parameter (which means that Windows/DOS + clients cannot ever see them) is deleted, the veto files within + that directory <I +CLASS="EMPHASIS" +>are automatically deleted</I +> along + with it, if the user has UNIX permissions to do so.</P +><P +>Setting this parameter will affect the performance + of Samba, as it will be forced to check all files and directories + for a match as they are scanned.</P +><P +>See also <A +HREF="#HIDEFILES" +><TT +CLASS="PARAMETER" +><I +>hide files + </I +></TT +></A +> and <A +HREF="#CASESENSITIVE" +><TT +CLASS="PARAMETER" +><I +> case sensitive</I +></TT +></A +>.</P +><P +>Default: <I +CLASS="EMPHASIS" +>No files or directories are vetoed. + </I +></P +><P +>Examples:<PRE +CLASS="PROGRAMLISTING" +> ; Veto any files containing the word Security, + ; any ending in .tmp, and any directory containing the + ; word root. + veto files = /*Security*/*.tmp/*root*/ -<p></dl> -<p><a name="WARNINGS"></a> -<h2>WARNINGS</h2> - -<p>Although the configuration file permits service names to contain -spaces, your client software may not. Spaces will be ignored in -comparisons anyway, so it shouldn't be a problem - but be aware of the -possibility. -<p>On a similar note, many clients - especially DOS clients - limit -service names to eight characters. <a href="smbd.8.html"><strong>Smbd</strong></a> has no -such limitation, but attempts to connect from such clients will fail -if they truncate the service names. For this reason you should -probably keep your service names down to eight characters in length. -<p>Use of the <a href="smb.conf.5.html#homes"><strong>[homes]</strong></a> and <a href="smb.conf.5.html#printers"><strong>[printers]</strong></a> -special sections make life for an administrator easy, but the various -combinations of default attributes can be tricky. Take extreme care -when designing these sections. In particular, ensure that the -permissions on spool directories are correct. -<p><a name="VERSION"></a> -<h2>VERSION</h2> - -<p>This man page is correct for version 2.0 of the Samba suite. -<p><a name="SEEALSO"></a> -<h2>SEE ALSO</h2> - -<p><a href="smbd.8.html"><strong>smbd (8)</strong></a>, <a href="smbclient.1.html"><strong>smbclient (1)</strong></a>, -<a href="nmbd.8.html"><strong>nmbd (8)</strong></a>, <a href="testparm.1.html"><strong>testparm (1)</strong></a>, -<a href="testprns.1.html"><strong>testprns (1)</strong></a>, <a href="samba.7.html"><strong>Samba</strong></a>, -<a href="nmblookup.1.html"><strong>nmblookup (1)</strong></a>, <a href="smbpasswd.5.html"><strong>smbpasswd (5)</strong></a>, -<a href="smbpasswd.8.html"><strong>smbpasswd (8)</strong></a>. -<p><a name="AUTHOR"></a> -<h2>AUTHOR</h2> - -<p>The original Samba software and related utilities were created by -Andrew Tridgell <a href="mailto:samba@samba.org"><em>samba@samba.org</em></a>. Samba is now developed -by the Samba Team as an Open Source project similar to the way the -Linux kernel is developed. -<p>The original Samba man pages were written by Karl Auer. The man page -sources were converted to YODL format (another excellent piece of Open -Source software, available at -<a href="ftp://ftp.icce.rug.nl/pub/unix/"><strong>ftp://ftp.icce.rug.nl/pub/unix/</strong></a>) -and updated for the Samba2.0 release by Jeremy Allison. -<a href="mailto:samba@samba.org"><em>samba@samba.org</em></a>. -<p>See <a href="samba.7.html"><strong>samba (7)</strong></a> to find out how to get a full -list of contributors and details on how to submit bug reports, -comments etc. -</body> -</html> + ; Veto the Apple specific files that a NetAtalk server + ; creates. + veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/ + </PRE +></P +></DD +><DT +><A +NAME="VETOOPLOCKFILES" +></A +>veto oplock files (S)</DT +><DD +><P +>This parameter is only valid when the <A +HREF="#OPLOCKS" +><TT +CLASS="PARAMETER" +><I +>oplocks</I +></TT +></A +> + parameter is turned on for a share. It allows the Samba administrator + to selectively turn off the granting of oplocks on selected files that + match a wildcarded list, similar to the wildcarded list used in the + <A +HREF="#VETOFILES" +><TT +CLASS="PARAMETER" +><I +>veto files</I +></TT +></A +> + parameter.</P +><P +>Default: <I +CLASS="EMPHASIS" +>No files are vetoed for oplock + grants</I +></P +><P +>You might want to do this on files that you know will + be heavily contended for by clients. A good example of this + is in the NetBench SMB benchmark program, which causes heavy + client contention for files ending in <TT +CLASS="FILENAME" +>.SEM</TT +>. + To cause Samba not to grant oplocks on these files you would use + the line (either in the [global] section or in the section for + the particular NetBench share :</P +><P +>Example: <B +CLASS="COMMAND" +>veto oplock files = /*;.SEM/ + </B +></P +></DD +><DT +><A +NAME="VOLUME" +></A +>volume (S)</DT +><DD +><P +> This allows you to override the volume label + returned for a share. Useful for CDROMs with installation programs + that insist on a particular volume label.</P +><P +>Default: <I +CLASS="EMPHASIS" +>the name of the share</I +></P +></DD +><DT +><A +NAME="WIDELINKS" +></A +>wide links (S)</DT +><DD +><P +>This parameter controls whether or not links + in the UNIX file system may be followed by the server. Links + that point to areas within the directory tree exported by the + server are always allowed; this parameter controls access only + to areas that are outside the directory tree being exported.</P +><P +>Note that setting this parameter can have a negative + effect on your server performance due to the extra system calls + that Samba has to do in order to perform the link checks.</P +><P +>Default: <B +CLASS="COMMAND" +>wide links = yes</B +></P +></DD +><DT +><A +NAME="WINSPROXY" +></A +>wins proxy (G)</DT +><DD +><P +>This is a boolean that controls if <A +HREF="nmbd.8.html" +TARGET="_top" +>nmbd(8)</A +> will respond to broadcast name + queries on behalf of other hosts. You may need to set this + to <TT +CLASS="CONSTANT" +>yes</TT +> for some older clients.</P +><P +>Default: <B +CLASS="COMMAND" +>wins proxy = no</B +></P +></DD +><DT +><A +NAME="WINSSERVER" +></A +>wins server (G)</DT +><DD +><P +>This specifies the IP address (or DNS name: IP + address for preference) of the WINS server that <A +HREF="nmbd.8.html" +TARGET="_top" +> nmbd(8)</A +> should register with. If you have a WINS server on + your network then you should set this to the WINS server's IP.</P +><P +>You should point this at your WINS server if you have a + multi-subnetted network.</P +><P +><I +CLASS="EMPHASIS" +>NOTE</I +>. You need to set up Samba to point + to a WINS server if you have multiple subnets and wish cross-subnet + browsing to work correctly.</P +><P +>See the documentation file <TT +CLASS="FILENAME" +>BROWSING.txt</TT +> + in the docs/ directory of your Samba source distribution.</P +><P +>Default: <I +CLASS="EMPHASIS" +>not enabled</I +></P +><P +>Example: <B +CLASS="COMMAND" +>wins server = 192.9.200.1</B +></P +></DD +><DT +><A +NAME="WINSHOOK" +></A +>wins hook (G)</DT +><DD +><P +>When Samba is running as a WINS server this + allows you to call an external program for all changes to the + WINS database. The primary use for this option is to allow the + dynamic update of external name resolution databases such as + dynamic DNS.</P +><P +>The wins hook parameter specifies the name of a script + or executable that will be called as follows:</P +><P +><B +CLASS="COMMAND" +>wins_hook operation name nametype ttl IP_list + </B +></P +><P +></P +><UL +><LI +><P +>The first argument is the operation and is one + of "add", "delete", or "refresh". In most cases the operation can + be ignored as the rest of the parameters provide sufficient + information. Note that "refresh" may sometimes be called when the + name has not previously been added, in that case it should be treated + as an add.</P +></LI +><LI +><P +>The second argument is the netbios name. If the + name is not a legal name then the wins hook is not called. + Legal names contain only letters, digits, hyphens, underscores + and periods.</P +></LI +><LI +><P +>The third argument is the netbios name + type as a 2 digit hexadecimal number. </P +></LI +><LI +><P +>The fourth argument is the TTL (time to live) + for the name in seconds.</P +></LI +><LI +><P +>The fifth and subsequent arguments are the IP + addresses currently registered for that name. If this list is + empty then the name should be deleted.</P +></LI +></UL +><P +>An example script that calls the BIND dynamic DNS update + program <B +CLASS="COMMAND" +>nsupdate</B +> is provided in the examples + directory of the Samba source code. </P +></DD +><DT +><A +NAME="WINSSUPPORT" +></A +>wins support (G)</DT +><DD +><P +>This boolean controls if the <A +HREF="nmbd.8.html" +TARGET="_top" +> + nmbd(8)</A +> process in Samba will act as a WINS server. You should + not set this to true unless you have a multi-subnetted network and + you wish a particular <B +CLASS="COMMAND" +>nmbd</B +> to be your WINS server. + Note that you should <I +CLASS="EMPHASIS" +>NEVER</I +> set this to true + on more than one machine in your network.</P +><P +>Default: <B +CLASS="COMMAND" +>wins support = no</B +></P +></DD +><DT +><A +NAME="WORKGROUP" +></A +>workgroup (G)</DT +><DD +><P +>This controls what workgroup your server will + appear to be in when queried by clients. Note that this parameter + also controls the Domain name used with the <A +HREF="#WORKGROUP" +><B +CLASS="COMMAND" +>security=domain</B +></A +> + setting.</P +><P +>Default: <I +CLASS="EMPHASIS" +>set at compile time to WORKGROUP</I +></P +><P +>Example: <B +CLASS="COMMAND" +>workgroup = MYGROUP</B +></P +></DD +><DT +><A +NAME="WRITABLE" +></A +>writable (S)</DT +><DD +><P +>Synonym for <A +HREF="#WRITEABLE" +><TT +CLASS="PARAMETER" +><I +> writeable</I +></TT +></A +> for people who can't spell :-).</P +></DD +><DT +><A +NAME="WRITELIST" +></A +>write list (S)</DT +><DD +><P +>This is a list of users that are given read-write + access to a service. If the connecting user is in this list then + they will be given write access, no matter what the <A +HREF="#WRITEABLE" +><TT +CLASS="PARAMETER" +><I +>writeable</I +></TT +></A +> + option is set to. The list can include group names using the + @group syntax.</P +><P +>Note that if a user is in both the read list and the + write list then they will be given write access.</P +><P +>See also the <A +HREF="#READLIST" +><TT +CLASS="PARAMETER" +><I +>read list + </I +></TT +></A +> option.</P +><P +>Default: <B +CLASS="COMMAND" +>write list = <empty string> + </B +></P +><P +>Example: <B +CLASS="COMMAND" +>write list = admin, root, @staff + </B +></P +></DD +><DT +><A +NAME="WRITECACHESIZE" +></A +>write cache size (S)</DT +><DD +><P +>This integer parameter (new with Samba 2.0.7) + if set to non-zero causes Samba to create an in-memory cache for + each oplocked file (it does <I +CLASS="EMPHASIS" +>not</I +> do this for + non-oplocked files). All writes that the client does not request + to be flushed directly to disk will be stored in this cache if possible. + The cache is flushed onto disk when a write comes in whose offset + would not fit into the cache or when the file is closed by the client. + Reads for the file are also served from this cache if the data is stored + within it.</P +><P +>This cache allows Samba to batch client writes into a more + efficient write size for RAID disks (ie. writes may be tuned to + be the RAID stripe size) and can improve performance on systems + where the disk subsystem is a bottleneck but there is free + memory for userspace programs.</P +><P +>The integer parameter specifies the size of this cache + (per oplocked file) in bytes.</P +><P +>Default: <B +CLASS="COMMAND" +>write cache size = 0</B +></P +><P +>Example: <B +CLASS="COMMAND" +>write cache size = 262144</B +></P +><P +>for a 256k cache size per file.</P +></DD +><DT +><A +NAME="WRITEOK" +></A +>write ok (S)</DT +><DD +><P +>Synonym for <A +HREF="#WRITEABLE" +><TT +CLASS="PARAMETER" +><I +> writeable</I +></TT +></A +>.</P +></DD +><DT +><A +NAME="WRITERAW" +></A +>write raw (G)</DT +><DD +><P +>This parameter controls whether or not the server + will support raw writes SMB's when transferring data from clients. + You should never need to change this parameter.</P +><P +>Default: <B +CLASS="COMMAND" +>write raw = yes</B +></P +></DD +><DT +><A +NAME="WRITEABLE" +></A +>writeable (S)</DT +><DD +><P +>An inverted synonym is <A +HREF="#READONLY" +> <TT +CLASS="PARAMETER" +><I +>read only</I +></TT +></A +>.</P +><P +>If this parameter is <TT +CLASS="CONSTANT" +>no</TT +>, then users + of a service may not create or modify files in the service's + directory.</P +><P +>Note that a printable service (<B +CLASS="COMMAND" +>printable = yes</B +>) + will <I +CLASS="EMPHASIS" +>ALWAYS</I +> allow writing to the directory + (user privileges permitting), but only via spooling operations.</P +><P +>Default: <B +CLASS="COMMAND" +>writeable = no</B +></P +></DD +></DL +></DIV +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN5053" +></A +><H2 +>WARNINGS</H2 +><P +>Although the configuration file permits service names + to contain spaces, your client software may not. Spaces will + be ignored in comparisons anyway, so it shouldn't be a + problem - but be aware of the possibility.</P +><P +>On a similar note, many clients - especially DOS clients - + limit service names to eight characters. <A +HREF="smbd.8.html" +TARGET="_top" +>smbd(8) + </A +> has no such limitation, but attempts to connect from such + clients will fail if they truncate the service names. For this reason + you should probably keep your service names down to eight characters + in length.</P +><P +>Use of the [homes] and [printers] special sections make life + for an administrator easy, but the various combinations of default + attributes can be tricky. Take extreme care when designing these + sections. In particular, ensure that the permissions on spool + directories are correct.</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN5059" +></A +><H2 +>VERSION</H2 +><P +>This man page is correct for version 2.2 of + the Samba suite.</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN5062" +></A +><H2 +>SEE ALSO</H2 +><P +><A +HREF="samba.7.html" +TARGET="_top" +>samba(7)</A +>, + <A +HREF="smbpasswd.8.html" +TARGET="_top" +><B +CLASS="COMMAND" +>smbpasswd(8)</B +></A +>, + <A +HREF="swat.8.html" +TARGET="_top" +><B +CLASS="COMMAND" +>swat(8)</B +></A +>, + <A +HREF="smbd.8.html" +TARGET="_top" +><B +CLASS="COMMAND" +>smbd(8)</B +></A +>, + <A +HREF="nmbd.8.html" +TARGET="_top" +><B +CLASS="COMMAND" +>nmbd(8)</B +></A +>, + <A +HREF="smbclient.1.html" +TARGET="_top" +><B +CLASS="COMMAND" +>smbclient(1)</B +></A +>, + <A +HREF="nmblookup.1.html" +TARGET="_top" +><B +CLASS="COMMAND" +>nmblookup(1)</B +></A +>, + <A +HREF="testparm.1.html" +TARGET="_top" +><B +CLASS="COMMAND" +>testparm(1)</B +></A +>, + <A +HREF="testprns.1.html" +TARGET="_top" +><B +CLASS="COMMAND" +>testprns(1)</B +></A +> + </P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN5082" +></A +><H2 +>AUTHOR</H2 +><P +>The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed.</P +><P +>The original Samba man pages were written by Karl Auer. + The man page sources were converted to YODL format (another + excellent piece of Open Source software, available at + <A +HREF="ftp://ftp.icce.rug.nl/pub/unix/" +TARGET="_top" +> ftp://ftp.icce.rug.nl/pub/unix/</A +>) and updated for the Samba 2.0 + release by Jeremy Allison. The conversion to DocBook for + Samba 2.2 was done by Gerald Carter</P +></DIV +></BODY +></HTML +>
\ No newline at end of file diff --git a/docs/htmldocs/smbclient.1.html b/docs/htmldocs/smbclient.1.html index f0a6ced61b6..fec617f9745 100644 --- a/docs/htmldocs/smbclient.1.html +++ b/docs/htmldocs/smbclient.1.html @@ -1,605 +1,1429 @@ - - - - - -<html><head><title>smbclient (1)</title> - -<link rev="made" href="mailto:samba@samba.org"> -</head> -<body> - -<hr> - -<h1>smbclient (1)</h1> -<h2>Samba</h2> -<h2>23 Oct 1998</h2> - - - - -<p><br><a name="NAME"></a> -<h2>NAME</h2> - smbclient - ftp-like client to access SMB/CIFS resources on servers -<p><br><a name="SYNOPSIS"></a> -<h2>SYNOPSIS</h2> - -<p><br><strong>smbclient</strong> <a href="smbclient.1.html#servicename">servicename</a> [<a href="smbclient.1.html#minuss">-s smb.conf</a>] [<a href="smbclient.1.html#minusO">-O socket options</a>][<a href="smbclient.1.html#minusR">-R name resolve order</a>] [<a href="smbclient.1.html#minusM">-M NetBIOS name</a>] [<a href="smbclient.1.html#minusi">-i scope</a>] [<a href="smbclient.1.html#minusN">-N</a>] [<a href="smbclient.1.html#minusn">-n NetBIOS name</a>] [<a href="smbclient.1.html#minusd">-d debuglevel</a>] [<a href="smbclient.1.html#minusP">-P</a>] [<a href="smbclient.1.html#minusp">-p port</a>] [<a href="smbclient.1.html#minusl">-l log basename</a>] [<a href="smbclient.1.html#minush">-h</a>] [<a href="smbclient.1.html#minusI">-I dest IP</a>] [<a href="smbclient.1.html#minusE">-E</a>] [<a href="smbclient.1.html#minusU">-U username</a>] [<a href="smbclient.1.html#minusL">-L NetBIOS name</a>] [<a href="smbclient.1.html#minust">-t terminal code</a>] [<a href="smbclient.1.html#minusm">-m max protocol</a>] [<a href="smbclient.1.html#minusb">-b buffersize</a>] [<a href="smbclient.1.html#minusW">-W workgroup</a>] [<a href="smbclient.1.html#minusT">-T<c|x>IXFqgbNan</a>] [<a href="smbclient.1.html#minusD">-D directory</a>] [<a href="smbclient.1.html#minusc">-c command string</a>] -<p><br><a name="DESCRIPTION"></a> -<h2>DESCRIPTION</h2> - -<p><br>This program is part of the <strong>Samba</strong> suite. -<p><br><strong>smbclient</strong> is a client that can 'talk' to an SMB/CIFS server. It -offers an interface similar to that of the ftp program (see <strong>ftp -(1)</strong>). Operations include things like getting files from the server -to the local machine, putting files from the local machine to the -server, retrieving directory information from the server and so on. -<p><br><a name="OPTIONS"></a> -<h2>OPTIONS</h2> - -<p><br><ul> -<p><br><a name="servicename"></a> -<li><strong><strong>servicename</strong></strong> servicename is the name of the service you want -to use on the server. A service name takes the form -<code>//server/service</code> where <em>server</em> is the NetBIOS name of the SMB/CIFS -server offering the desired service and <em>service</em> is the name -of the service offered. Thus to connect to the service <em>printer</em> on -the SMB/CIFS server <em>smbserver</em>, you would use the servicename -<p><br><code>//smbserver/printer</code> -<p><br>Note that the server name required is NOT necessarily the IP (DNS) -host name of the server ! The name required is a NetBIOS server name, -which may or may not be the same as the IP hostname of the machine -running the server. -<p><br>The server name is looked up according to either the -<a href="smbclient.1.html#minusR"><strong>-R</strong></a> parameter to <strong>smbclient</strong> or using the -<a href="smb.conf.5.html#nameresolveorder"><strong>name resolve order</strong></a> -parameter in the smb.conf file, allowing an administrator to change -the order and methods by which server names are looked up. -<p><br><a name="password"></a> -<li><strong><strong>password</strong></strong> password is the password required to access the -specified service on the specified server. If this parameter is -supplied, the <a href="smbclient.1.html#minusN"><strong>-N</strong></a> option (suppress password prompt) is assumed. -<p><br>There is no default password. If no password is supplied on the -command line (either by using this parameter or adding a password to -the <a href="smbclient.1.html#minusU"><strong>-U</strong></a> option (see below)) and the <a href="smbclient.1.html#minusN"><strong>-N</strong></a> option is not specified, -the client will prompt for a password, even if the desired service -does not require one. (If no password is required, simply press ENTER -to provide a null password.) -<p><br>Note: Some servers (including OS/2 and Windows for Workgroups) insist -on an uppercase password. Lowercase or mixed case passwords may be -rejected by these servers. -<p><br>Be cautious about including passwords in scripts. -<p><br><a name="minuss"></a> -<li><strong><strong>-s smb.conf</strong></strong> This parameter specifies the pathname to the -Samba configuration file, smb.conf. This file controls all aspects of -the Samba setup on the machine and smbclient also needs to read this -file. -<p><br><a name="minusO"></a> -<li><strong><strong>-O socket options</strong></strong> TCP socket options to set on the client -socket. See the <a href="smb.conf.5.html#socketoptions">socket options</a> -parameter in the <a href="smb.conf.5.html"><strong>smb.conf (5)</strong></a> manpage for -the list of valid options. -<p><br><a name="minusR"></a> -<li><strong><strong>-R name resolve order</strong></strong> This option allows the user of -smbclient to determine what name resolution services to use when -looking up the NetBIOS name of the host being connected to. -<p><br>The options are :"lmhosts", "host", "wins" and "bcast". They cause -names to be resolved as follows : -<p><br><ul> -<p><br><li > <strong>lmhosts</strong> : Lookup an IP address in the Samba lmhosts file. -The lmhosts file is stored in the same directory as the -<a href="smb.conf.5.html"><strong>smb.conf</strong></a> file. -<p><br><li > <strong>host</strong> : Do a standard host name to IP address resolution, -using the system /etc/hosts, NIS, or DNS lookups. This method of name -resolution is operating system depended for instance on IRIX or -Solaris this may be controlled by the <em>/etc/nsswitch.conf</em> file). -<p><br><li > <strong>wins</strong> : Query a name with the IP address listed in the <a href="smb.conf.5.html#winsserver"><strong>wins -server</strong></a> parameter in the smb.conf file. If -no WINS server has been specified this method will be ignored. -<p><br><li > <strong>bcast</strong> : Do a broadcast on each of the known local interfaces -listed in the <a href="smb.conf.5.html#interfaces"><strong>interfaces</strong></a> parameter -in the smb.conf file. This is the least reliable of the name resolution -methods as it depends on the target host being on a locally connected -subnet. -<p><br></ul> -<p><br>If this parameter is not set then the name resolve order defined -in the <a href="smb.conf.5.html"><strong>smb.conf</strong></a> file parameter -<a href="smb.conf.5.html#nameresolveorder">(<strong>name resolve order</strong>)</a> -will be used. -<p><br>The default order is lmhosts, host, wins, bcast and without this -parameter or any entry in the <a href="smb.conf.5.html#nameresolveorder"><strong>"name resolve -order"</strong></a> parameter of the -<a href="smb.conf.5.html"><strong>smb.conf</strong></a> file the name resolution methods -will be attempted in this order. -<p><br><a name="minusM"></a> -<li><strong><strong>-M NetBIOS name</strong></strong> This options allows you to send messages, -using the "WinPopup" protocol, to another computer. Once a connection -is established you then type your message, pressing ^D (control-D) to -end. -<p><br>If the receiving computer is running WinPopup the user will receive -the message and probably a beep. If they are not running WinPopup the -message will be lost, and no error message will occur. -<p><br>The message is also automatically truncated if the message is over -1600 bytes, as this is the limit of the protocol. -<p><br>One useful trick is to cat the message through <strong>smbclient</strong>. -For example: -<p><br><code>cat mymessage.txt | smbclient -M FRED</code> -<p><br>will send the message in the file <em>mymessage.txt</em> to the machine FRED. -<p><br>You may also find the <a href="smbclient.1.html#minusU"><strong>-U</strong></a> and <a href="smbclient.1.html#minusI"><strong>-I</strong></a> options useful, as they allow -you to control the FROM and TO parts of the message. -<p><br>See the <a href="smb.conf.5.html#messagecommand"><strong>message command</strong></a> -parameter in the <strong>smb.conf (5)</strong> for a description of how to handle -incoming WinPopup messages in Samba. -<p><br>Note: Copy WinPopup into the startup group on your WfWg PCs if you -want them to always be able to receive messages. -<p><br><a name="minusi"></a> -<li><strong><strong>-i scope</strong></strong> This specifies a NetBIOS scope that smbclient will use -to communicate with when generating NetBIOS names. For details on the -use of NetBIOS scopes, see rfc1001.txt and rfc1002.txt. NetBIOS scopes -are <em>very</em> rarely used, only set this parameter if you are the -system administrator in charge of all the NetBIOS systems you -communicate with. -<p><br><a name="minusN"></a> -<li><strong><strong>-N</strong></strong> If specified, this parameter suppresses the normal -password prompt from the client to the user. This is useful when -accessing a service that does not require a password. -<p><br>Unless a password is specified on the command line or this parameter -is specified, the client will request a password. -<p><br><a name="minusn"></a> -<li><strong><strong>-n NetBIOS name</strong></strong> By default, the client will use the local -machine's hostname (in uppercase) as its NetBIOS name. This parameter -allows you to override the host name and use whatever NetBIOS name you -wish. -<p><br><a name="minusd"></a> -<li><strong><strong>-d debuglevel</strong></strong> debuglevel is an integer from 0 to 10, or the -letter 'A'. -<p><br>The default value if this parameter is not specified is zero. -<p><br>The higher this value, the more detail will be logged to the log files -about the activities of the client. At level 0, only critical errors -and serious warnings will be logged. Level 1 is a reasonable level for -day to day running - it generates a small amount of information about -operations carried out. -<p><br>Levels above 1 will generate considerable amounts of log data, and -should only be used when investigating a problem. Levels above 3 are -designed for use only by developers and generate HUGE amounts of log -data, most of which is extremely cryptic. If debuglevel is set to the -letter 'A', then <em>all</em> debug messages will be printed. This setting -is for developers only (and people who <em>really</em> want to know how the -code works internally). -<p><br>Note that specifying this parameter here will override the <a href="smb.conf.5.html#loglevel"><strong>log -level</strong></a> parameter in the <a href="smb.conf.5.html"><strong>smb.conf -(5)</strong></a> file. -<p><br><a name="minusP"></a> -<li><strong><strong>-P</strong></strong> This option is no longer used. The code in Samba2.0 -now lets the server decide the device type, so no printer specific -flag is needed. -<p><br><a name="minusp"></a> -<li><strong><strong>-p port</strong></strong> This number is the TCP port number that will be used -when making connections to the server. The standard (well-known) TCP -port number for an SMB/CIFS server is 139, which is the default. -<p><br><a name="minusl"></a> -<li><strong><strong>-l logfilename</strong></strong> If specified, logfilename specifies a base -filename into which operational data from the running client will be -logged. -<p><br>The default base name is specified at compile time. -<p><br>The base name is used to generate actual log file names. For example, -if the name specified was "log", the debug file would be -<code>log.client</code>. -<p><br>The log file generated is never removed by the client. -<p><br><a name="minush"></a> -<li><strong><strong>-h</strong></strong> Print the usage message for the client. -<p><br><a name="minusI"></a> -<li><strong><strong>-I IP address</strong></strong> IP address is the address of the server to -connect to. It should be specified in standard "a.b.c.d" notation. -<p><br>Normally the client would attempt to locate a named SMB/CIFS server by -looking it up via the NetBIOS name resolution mechanism described -above in the <a href="smbclient.1.html#minusR"><strong>name resolve order</strong></a> parameter -above. Using this parameter will force the client to assume that the -server is on the machine with the specified IP address and the NetBIOS -name component of the resource being connected to will be ignored. -<p><br>There is no default for this parameter. If not supplied, it will be -determined automatically by the client as described above. -<p><br><a name="minusE"></a> -<li><strong><strong>-E</strong></strong> This parameter causes the client to write messages to the -standard error stream (stderr) rather than to the standard output -stream. -<p><br>By default, the client writes messages to standard output - typically -the user's tty. -<p><br><a name="minusU"></a> -<li><strong><strong>-U username</strong></strong> This specifies the user name that will be used by -the client to make a connection, assuming your server is not a downlevel -server that is running a protocol level that uses passwords on shares, -not on usernames. -<p><br>Some servers are fussy about the case of this name, and some insist -that it must be a valid NetBIOS name. -<p><br>If no username is supplied, it will default to an uppercase version of -the environment variable <code>USER</code> or <code>LOGNAME</code> in that order. If no -username is supplied and neither environment variable exists the -username "GUEST" will be used. -<p><br>If the <code>USER</code> environment variable contains a '%' character, -everything after that will be treated as a password. This allows you -to set the environment variable to be <code>USER=username%password</code> so -that a password is not passed on the command line (where it may be -seen by the ps command). -<p><br>If the service you are connecting to requires a password, it can be -supplied using the <a href="smbclient.1.html#minusU"><strong>-U</strong></a> option, by appending a percent symbol ("%") -then the password to username. For example, to attach to a service as -user <code>"fred"</code> with password <code>"secret"</code>, you would specify. <br> -<p><br><code>-U fred%secret</code> <br> -<p><br>on the command line. Note that there are no spaces around the percent -symbol. -<p><br>You can specify a domain name as part of the username by using a username of the form "DOMAIN/user" or "DOMAIN\user". -<p><br>If you specify the password as part of username then the <a href="smbclient.1.html#minusN"><strong>-N</strong></a> option -(suppress password prompt) is assumed. -<p><br>If you specify the password as a parameter <em>AND</em> as part of username -then the password as part of username will take precedence. Putting -nothing before or nothing after the percent symbol will cause an empty -username or an empty password to be used, respectively. -<p><br>The password may also be specified by setting up an environment -variable called <code>PASSWD</code> that contains the users password. Note -that this may be very insecure on some systems but on others allows -users to script smbclient commands without having a password appear in -the command line of a process listing. -<p><br>A third option is to use a credentials file which contains -the plaintext of the username and password. This option is -mainly provided for scripts where the admin doesn't desire to -pass the credentials on the command line or via environment variables. -If this method is used, make certain that the permissions on the file -restrict access from unwanted users. See the <strong>-A</strong> for more details. -<p><br>Note: Some servers (including OS/2 and Windows for Workgroups) insist -on an uppercase password. Lowercase or mixed case passwords may be -rejected by these servers. -<p><br>Be cautious about including passwords in scripts or in the -<code>PASSWD</code> environment variable. Also, on many systems the command -line of a running process may be seen via the <code>ps</code> command to be -safe always allow smbclient to prompt for a password and type it in -directly. -<p><br><a name="minusA"></a> -<li><strong><strong>-A <filename></strong></strong> This option allows you to specify a file from which -to read the username and password used in the connection. The format -of the file is -<p><br><code>username = <value></code> <br> -<code>password = <value</code> <br> -<p><br>Make certain that the permissions on the file restrict access from -unwanted users. -<p><br><a name="minusL"></a> -<li><strong><strong>-L</strong></strong> This option allows you to look at what services are -available on a server. You use it as <code>"smbclient -L host"</code> and a -list should appear. The <a href="smbclient.1.html#minusI"><strong>-I</strong></a> option may be useful if your NetBIOS -names don't match your tcp/ip dns host names or if you are trying to -reach a host on another network. -<p><br><a name="minust"></a> -<li><strong><strong>-t terminal code</strong></strong> This option tells smbclient how to interpret -filenames coming from the remote server. Usually Asian language -multibyte UNIX implementations use different character sets than -SMB/CIFS servers (<em>EUC</em> instead of <em>SJIS</em> for example). Setting -this parameter will let smbclient convert between the UNIX filenames -and the SMB filenames correctly. This option has not been seriously -tested and may have some problems. -<p><br>The terminal codes include <code>sjis</code>, <code>euc</code>, <code>jis7</code>, <code>jis8</code>, -<code>junet</code>, <code>hex</code>, <code>cap</code>. This is not a complete list, check the -Samba source code for the complete list. -<p><br><a name="minusm"></a> -<li><strong><strong>-m max protocol level</strong></strong> With the new code in Samba2.0, -<strong>smbclient</strong> always attempts to connect at the maximum -protocols level the server supports. This parameter is -preserved for backwards compatibility, but any string -following the <strong>-m</strong> will be ignored. -<p><br><a name="minusb"></a> -<li><strong><strong>-b buffersize</strong></strong> This option changes the transmit/send buffer -size when getting or putting a file from/to the server. The default -is 65520 bytes. Setting this value smaller (to 1200 bytes) has been -observed to speed up file transfers to and from a Win9x server. -<p><br><a name="minusW"></a> -<li><strong><strong>-W WORKGROUP</strong></strong> Override the default workgroup specified in the -<a href="smb.conf.5.html#workgroup"><strong>workgroup</strong></a> parameter of the -<a href="smb.conf.5.html"><strong>smb.conf</strong></a> file for this connection. This may -be needed to connect to some servers. -<p><br><a name="minusT"></a> <li><strong><strong>-T tar options</strong></strong> smbclient may be used to create -<strong>tar (1)</strong> compatible backups of all the files on an SMB/CIFS -share. The secondary tar flags that can be given to this option are : -<p><br><ul> -<p><br><li><strong><strong>c</strong></strong> Create a tar file on UNIX. Must be followed by the - name of a tar file, tape device or <code>"-"</code> for standard output. If - using standard output you must turn the log level to its lowest value - <code>-d0</code> to avoid corrupting your tar file. This flag is - mutually exclusive with the <strong>x</strong> flag. -<p><br><li><strong><strong>x</strong></strong> Extract (restore) a local tar file back to a - share. Unless the <a href="smbclient.1.html#minusD"><strong>-D</strong></a> option is given, the tar files will be - restored from the top level of the share. Must be followed by the name - of the tar file, device or <code>"-"</code> for standard input. Mutually exclusive - with the <strong>c</strong> flag. Restored files have their creation times (mtime) - set to the date saved in the tar file. Directories currently do not - get their creation dates restored properly. -<p><br><li><strong><strong>I</strong></strong> Include files and directories. Is the default - behavior when filenames are specified above. Causes tar files to - be included in an extract or create (and therefore everything else to - be excluded). See example below. Filename globbing works - in one of two ways. See <strong>r</strong> below. -<p><br><li><strong><strong>X</strong></strong> Exclude files and directories. Causes tar files to - be excluded from an extract or create. See example below. Filename - globbing works in one of two ways now. See <strong>r</strong> below. -<p><br><li><strong><strong>b</strong></strong> Blocksize. Must be followed by a valid (greater than - zero) blocksize. Causes tar file to be written out in - blocksize*TBLOCK (usually 512 byte) blocks. -<p><br><li><strong><strong>g</strong></strong> Incremental. Only back up files that have the - archive bit set. Useful only with the <strong>c</strong> flag. -<p><br><li><strong><strong>q</strong></strong> Quiet. Keeps tar from printing diagnostics as it - works. This is the same as tarmode quiet. -<p><br><li><strong><strong>r</strong></strong> Regular expression include or exclude. Uses regular - regular expression matching for excluding or excluding files if - compiled with HAVE_REGEX_H. However this mode can be very slow. If - not compiled with HAVE_REGEX_H, does a limited wildcard match on * and - ?. -<p><br><li><strong><strong>N</strong></strong> Newer than. Must be followed by the name of a file - whose date is compared against files found on the share during a - create. Only files newer than the file specified are backed up to the - tar file. Useful only with the <strong>c</strong> flag. -<p><br><li><strong><strong>a</strong></strong> Set archive bit. Causes the archive bit to be reset - when a file is backed up. Useful with the <strong>g</strong> and <strong>c</strong> flags. -<p><br></ul> -<p><br><em>Tar Long File Names</em> -<p><br>smbclient's tar option now supports long file names both on backup and -restore. However, the full path name of the file must be less than -1024 bytes. Also, when a tar archive is created, smbclient's tar -option places all files in the archive with relative names, not -absolute names. -<p><br><em>Tar Filenames</em> -<p><br>All file names can be given as DOS path names (with <code>\</code> as the -component separator) or as UNIX path names (with <code>/</code> as the -component separator). -<p><br><em>Examples</em> -<p><br><ul> -<p><br><li > Restore from tar file backup.tar into myshare on mypc (no password on share). -<p><br><code>smbclient //mypc/myshare "" -N -Tx backup.tar</code> -<p><br><li > Restore everything except users/docs -<p><br><code>smbclient //mypc/myshare "" -N -TXx backup.tar users/docs</code> -<p><br><li > Create a tar file of the files beneath users/docs. -<p><br><code>smbclient //mypc/myshare "" -N -Tc backup.tar users/docs</code> -<p><br><li > Create the same tar file as above, but now use a DOS path name. -<p><br><code>smbclient //mypc/myshare "" -N -tc backup.tar users\edocs</code> -<p><br><li > Create a tar file of all the files and directories in the share. -<p><br><code>smbclient //mypc/myshare "" -N -Tc backup.tar *</code> -<p><br></ul> -<p><br><a name="minusD"></a> -<li><strong><strong>-D initial directory</strong></strong> Change to initial directory before -starting. Probably only of any use with the tar <a href="smbclient.1.html#minusT"><strong>-T</strong></a> option. -<p><br><a name="minusc"></a> -<li><strong><strong>-c command string</strong></strong> command string is a semicolon separated -list of commands to be executed instead of prompting from stdin. -<a href="smbclient.1.html#minusN"><strong>-N</strong></a> is implied by <strong>-c</strong>. -<p><br>This is particularly useful in scripts and for printing stdin to the -server, e.g. <code>-c 'print -'</code>. -<p><br></ul> -<p><br><a name="OPERATIONS"></a> -<h2>OPERATIONS</h2> - -<p><br>Once the client is running, the user is presented with a prompt : -<p><br><code>smb:\></code> -<p><br>The backslash ("\") indicates the current working directory on the -server, and will change if the current working directory is changed. -<p><br>The prompt indicates that the client is ready and waiting to carry out -a user command. Each command is a single word, optionally followed by -parameters specific to that command. Command and parameters are -space-delimited unless these notes specifically state otherwise. All -commands are case-insensitive. Parameters to commands may or may not -be case sensitive, depending on the command. -<p><br>You can specify file names which have spaces in them by quoting the -name with double quotes, for example "a long file name". -<p><br>Parameters shown in square brackets (e.g., "[parameter]") are -optional. If not given, the command will use suitable -defaults. Parameters shown in angle brackets (e.g., "<parameter>") are -required. -<p><br>Note that all commands operating on the server are actually performed -by issuing a request to the server. Thus the behavior may vary from -server to server, depending on how the server was implemented. -<p><br>The commands available are given here in alphabetical order. -<p><br><ul> -<p><br><a name="questionmark"></a> <li><strong><strong>? [command]</strong></strong> If "command" is specified, -the <strong>?</strong> command will display a brief informative message about the -specified command. If no command is specified, a list of available -commands will be displayed. -<p><br><a name="exclaimationmark"></a> <li><strong><strong>! [shell command]</strong></strong> If "shell command" -is specified, the <strong>!</strong> command will execute a shell locally and run -the specified shell command. If no command is specified, a local shell -will be run. -<p><br><a name="cd"></a> <li><strong><strong>cd [directory name]</strong></strong> If "directory name" is -specified, the current working directory on the server will be changed -to the directory specified. This operation will fail if for any reason -the specified directory is inaccessible. -<p><br>If no directory name is specified, the current working directory on -the server will be reported. -<p><br><a name="del"></a> <li><strong><strong>del <mask></strong></strong> The client will request that the server -attempt to delete all files matching "mask" from the current working -directory on the server. -<p><br><a name="dir"></a> <li><strong><strong>dir <mask></strong></strong> A list of the files matching "mask" in -the current working directory on the server will be retrieved from the -server and displayed. -<p><br><a name="exit"></a> <li><strong><strong>exit</strong></strong> Terminate the connection with the server and -exit from the program. -<p><br><a name="get"></a> <li><strong><strong>get <remote file name> [local file name]</strong></strong> Copy the -file called "remote file name" from the server to the machine running -the client. If specified, name the local copy "local file name". Note -that all transfers in smbclient are binary. See also the -<a href="smbclient.1.html#lowercase"><strong>lowercase</strong></a> command. -<p><br><a name="help"></a> <li><strong><strong>help [command]</strong></strong> See the <a href="smbclient.1.html#questionmark"><strong>?</strong></a> -command above. -<p><br><a name="lcd"></a> <li><strong><strong>lcd [directory name]</strong></strong> If "directory name" is -specified, the current working directory on the local machine will -be changed to the directory specified. This operation will fail if for -any reason the specified directory is inaccessible. -<p><br>If no directory name is specified, the name of the current working -directory on the local machine will be reported. -<p><br><a name="lowercase"></a> <li><strong><strong>lowercase</strong></strong> Toggle lowercasing of filenames -for the <a href="smbclient.1.html#get"><strong>get</strong></a> and <a href="smbclient.1.html#mget"><strong>mget</strong></a> commands. -<p><br>When lowercasing is toggled ON, local filenames are converted to -lowercase when using the <a href="smbclient.1.html#get"><strong>get</strong></a> and <a href="smbclient.1.html#mget"><strong>mget</strong></a> -commands. This is often useful when copying (say) MSDOS files from a -server, because lowercase filenames are the norm on UNIX systems. -<p><br><a name="ls"></a> <li><strong><strong>ls <mask></strong></strong> See the <a href="smbclient.1.html#dir"><strong>dir</strong></a> command above. -<p><br><a name="mask"></a> <li><strong><strong>mask <mask></strong></strong> This command allows the user to set -up a mask which will be used during recursive operation of the -<a href="smbclient.1.html#mget"><strong>mget</strong></a> and <a href="smbclient.1.html#mput"><strong>mput</strong></a> commands. -<p><br>The masks specified to the <a href="smbclient.1.html#mget"><strong>mget</strong></a> and -<a href="smbclient.1.html#mput"><strong>mput</strong></a> commands act as filters for directories rather -than files when recursion is toggled ON. -<p><br>The mask specified with the .B mask command is necessary to filter -files within those directories. For example, if the mask specified in -an <a href="smbclient.1.html#mget"><strong>mget</strong></a> command is "source*" and the mask specified -with the mask command is "*.c" and recursion is toggled ON, the -<a href="smbclient.1.html#mget"><strong>mget</strong></a> command will retrieve all files matching "*.c" in -all directories below and including all directories matching "source*" -in the current working directory. -<p><br>Note that the value for mask defaults to blank (equivalent to "*") and -remains so until the mask command is used to change it. It retains the -most recently specified value indefinitely. To avoid unexpected -results it would be wise to change the value of .I mask back to "*" -after using the <a href="smbclient.1.html#mget"><strong>mget</strong></a> or <a href="smbclient.1.html#mput"><strong>mput</strong></a> commands. -<p><br><a name="md"></a> <li><strong><strong>md <directory name></strong></strong> See the <a href="smbclient.1.html#mkdir"><strong>mkdir</strong></a> -command. -<p><br><a name="mget"></a> <li><strong><strong>mget <mask></strong></strong> Copy all files matching mask from the -server to the machine running the client. -<p><br>Note that mask is interpreted differently during recursive operation -and non-recursive operation - refer to the <a href="smbclient.1.html#recurse"><strong>recurse</strong></a> -and <a href="smbclient.1.html#mask"><strong>mask</strong></a> commands for more information. Note that all -transfers in .B smbclient are binary. See also the -<a href="smbclient.1.html#lowercase"><strong>lowercase</strong></a> command. -<p><br><a name="mkdir"></a> <li><strong><strong>mkdir <directory name></strong></strong> Create a new directory on -the server (user access privileges permitting) with the specified -name. -<p><br><a name="mput"></a> <li><strong><strong>mput <mask></strong></strong> Copy all files matching mask in -the current working directory on the local machine to the current -working directory on the server. -<p><br>Note that mask is interpreted differently during recursive operation -and non-recursive operation - refer to the <a href="smbclient.1.html#recurse"><strong>recurse</strong></a> -and <a href="smbclient.1.html#mask"><strong>mask</strong></a> commands for more information. Note that all -transfers in .B smbclient are binary. -<p><br><a name="print"></a> <li><strong><strong>print <file name></strong></strong> Print the specified file -from the local machine through a printable service on the server. -<p><br>See also the <a href="smbclient.1.html#printmode"><strong>printmode</strong></a> command. -<p><br><a name="printmode"></a> <li><strong><strong>printmode <graphics or text></strong></strong> Set the print -mode to suit either binary data (such as graphical information) or -text. Subsequent print commands will use the currently set print -mode. -<p><br><a name="prompt"></a> <li><strong><strong>prompt</strong></strong> Toggle prompting for filenames during -operation of the <a href="smbclient.1.html#mget"><strong>mget</strong></a> and <a href="smbclient.1.html#mput"><strong>mput</strong></a> -commands. -<p><br>When toggled ON, the user will be prompted to confirm the transfer of -each file during these commands. When toggled OFF, all specified files -will be transferred without prompting. -<p><br><a name="put"></a> <li><strong><strong>put <local file name> [remote file name]</strong></strong> Copy the -file called "local file name" from the machine running the client to -the server. If specified, name the remote copy "remote file name". -Note that all transfers in smbclient are binary. See also the -<a href="smbclient.1.html#lowercase"><strong>lowercase</strong></a> command. -<p><br><a name="queue"></a> <li><strong><strong>queue</strong></strong> Displays the print queue, showing the job -id, name, size and current status. -<p><br><a name="quit"></a> <li><strong><strong>quit</strong></strong> See the <a href="smbclient.1.html#exit"><strong>exit</strong></a> command. -<p><br><a name="rd"></a> <li><strong><strong>rd <directory name></strong></strong> See the <a href="smbclient.1.html#rmdir"><strong>rmdir</strong></a> -command. -<p><br><a name="recurse"></a> <li><strong><strong>recurse</strong></strong> Toggle directory recursion for the -commands <a href="smbclient.1.html#mget"><strong>mget</strong></a> and <a href="smbclient.1.html#mput"><strong>mput</strong></a>. -<p><br>When toggled ON, these commands will process all directories in the -source directory (i.e., the directory they are copying .IR from ) and -will recurse into any that match the mask specified to the -command. Only files that match the mask specified using the -<a href="smbclient.1.html#mask"><strong>mask</strong></a> command will be retrieved. See also the -<a href="smbclient.1.html#mask"><strong>mask</strong></a> command. -<p><br>When recursion is toggled OFF, only files from the current working -directory on the source machine that match the mask specified to the -<a href="smbclient.1.html#mget"><strong>mget</strong></a> or <a href="smbclient.1.html#mput"><strong>mput</strong></a> commands will be copied, -and any mask specified using the <a href="smbclient.1.html#mask"><strong>mask</strong></a> command will be -ignored. -<p><br><a name="rm"></a> <li><strong><strong>rm <mask></strong></strong> Remove all files matching mask from -the current working directory on the server. -<p><br><a name="rmdir"></a> <li><strong><strong>rmdir <directory name></strong></strong> Remove the specified -directory (user access privileges permitting) from the server. -<p><br><a name="tar"></a> <li><strong><strong>tar <c|x>[IXbgNa]</strong></strong> Performs a tar operation - see -the <a href="smbclient.1.html#minusT"><strong>-T</strong></a> command line option above. Behavior may be -affected by the <a href="smbclient.1.html#tarmode"><strong>tarmode</strong></a> command (see below). Using -g (incremental) and N (newer) will affect tarmode settings. Note that -using the "-" option with tar x may not work - use the command line -option instead. -<p><br><a name="blocksize"></a> <li><strong><strong>blocksize <blocksize></strong></strong> Blocksize. Must be -followed by a valid (greater than zero) blocksize. Causes tar file to -be written out in blocksize*TBLOCK (usually 512 byte) blocks. -<p><br><a name="tarmode"></a> <li><strong><strong>tarmode <full|inc|reset|noreset></strong></strong> Changes tar's -behavior with regard to archive bits. In full mode, tar will back up -everything regardless of the archive bit setting (this is the default -mode). In incremental mode, tar will only back up files with the -archive bit set. In reset mode, tar will reset the archive bit on all -files it backs up (implies read/write share). -<p><br><a name="setmode"></a> <li><strong><strong>setmode <filename> <perm=[+|\-]rsha></strong></strong> A version -of the DOS attrib command to set file permissions. For example: -<p><br><code>setmode myfile +r</code> -<p><br>would make myfile read only. -<p><br></ul> -<p><br><a name="NOTES"></a> -<h2>NOTES</h2> - -<p><br>Some servers are fussy about the case of supplied usernames, -passwords, share names (AKA service names) and machine names. If you -fail to connect try giving all parameters in uppercase. -<p><br>It is often necessary to use the <a href="smbclient.1.html#minusn"><strong>-n</strong></a> option when connecting to some -types of servers. For example OS/2 LanManager insists on a valid -NetBIOS name being used, so you need to supply a valid name that would -be known to the server. -<p><br>smbclient supports long file names where the server supports the -LANMAN2 protocol or above. -<p><br><a name="ENVIRONMENTVARIABLES"></a> -<h2>ENVIRONMENT VARIABLES</h2> - -<p><br>The variable <strong>USER</strong> may contain the username of the person using the -client. This information is used only if the protocol level is high -enough to support session-level passwords. -<p><br>The variable <strong>PASSWD</strong> may contain the password of the person using -the client. This information is used only if the protocol level is -high enough to support session-level passwords. -<p><br><a name="INSTALLATION"></a> -<h2>INSTALLATION</h2> - -<p><br>The location of the client program is a matter for individual system -administrators. The following are thus suggestions only. -<p><br>It is recommended that the smbclient software be installed in the -/usr/local/samba/bin or /usr/samba/bin directory, this directory -readable by all, writeable only by root. The client program itself -should be executable by all. The client should <em>NOT</em> be setuid or -setgid! -<p><br>The client log files should be put in a directory readable and -writeable only by the user. -<p><br>To test the client, you will need to know the name of a running -SMB/CIFS server. It is possible to run <a href="smbd.8.html"><strong>smbd (8)</strong></a> -an ordinary user - running that server as a daemon on a -user-accessible port (typically any port number over 1024) would -provide a suitable test server. -<p><br><a name="DIAGNOSTICS"></a> -<h2>DIAGNOSTICS</h2> - -<p><br>Most diagnostics issued by the client are logged in a specified log -file. The log file name is specified at compile time, but may be -overridden on the command line. -<p><br>The number and nature of diagnostics available depends on the debug -level used by the client. If you have problems, set the debug level to -3 and peruse the log files. -<p><br><a name="VERSION"></a> -<h2>VERSION</h2> - -<p><br>This man page is correct for version 2.0 of the Samba suite. -<p><br><a name="AUTHOR"></a> -<h2>AUTHOR</h2> - -<p><br>The original Samba software and related utilities were created by -Andrew Tridgell <a href="mailto:samba@samba.org"><em>samba@samba.org</em></a>. Samba is now developed -by the Samba Team as an Open Source project similar to the way the -Linux kernel is developed. -<p><br>The original Samba man pages were written by Karl Auer. The man page -sources were converted to YODL format (another excellent piece of Open -Source software, available at -<a href="ftp://ftp.icce.rug.nl/pub/unix/"><strong>ftp://ftp.icce.rug.nl/pub/unix/</strong></a>) -and updated for the Samba2.0 release by Jeremy Allison. -<a href="mailto:samba@samba.org"><em>samba@samba.org</em></a>. -<p><br>See <a href="samba.7.html"><strong>samba (7)</strong></a> to find out how to get a full -list of contributors and details on how to submit bug reports, -comments etc. -</body> -</html> +<HTML +><HEAD +><TITLE +>smbclient</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.57"></HEAD +><BODY +CLASS="REFENTRY" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><H1 +><A +NAME="SMBCLIENT" +>smbclient</A +></H1 +><DIV +CLASS="REFNAMEDIV" +><A +NAME="AEN5" +></A +><H2 +>Name</H2 +>smbclient -- ftp-like client to access SMB/CIFS resources + on servers</DIV +><DIV +CLASS="REFSYNOPSISDIV" +><A +NAME="AEN8" +></A +><H2 +>Synopsis</H2 +><P +><B +CLASS="COMMAND" +>smbclient</B +> {servicename} [-b <buffer size>] [-d debuglevel] [-D Directory] [-S server] [-U username] [-W workgroup] [-M <netbios name>] [-m maxprotocol] [-A authfile] [-N] [-l logfile] [-L <netbios name>] [-I destinationIP] [-E <terminal code>] [-c <command string>] [-i scope] [-O <socket options>] [-p port] [-R <name resolve order>] [-s <smb config file>] [-T<c|x>IXFqgbNan] [password]</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN34" +></A +><H2 +>DESCRIPTION</H2 +><P +>This tool is part of the <A +HREF="samba.7.html" +TARGET="_top" +> Samba</A +> suite.</P +><P +><B +CLASS="COMMAND" +>smbclient</B +> is a client that can + 'talk' to an SMB/CIFS server. It offers an interface + similar to that of the ftp program (see <B +CLASS="COMMAND" +>ftp(1)</B +>). + Operations include things like getting files from the server + to the local machine, putting files from the local machine to + the server, retrieving directory information from the server + and so on. </P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN41" +></A +><H2 +>OPTIONS</H2 +><P +></P +><DIV +CLASS="VARIABLELIST" +><DL +><DT +>servicename</DT +><DD +><P +>servicename is the name of the service + you want to use on the server. A service name takes the form + <TT +CLASS="FILENAME" +>//server/service</TT +> where <TT +CLASS="PARAMETER" +><I +>server + </I +></TT +> is the NetBIOS name of the SMB/CIFS server + offering the desired service and <TT +CLASS="PARAMETER" +><I +>service</I +></TT +> + is the name of the service offered. Thus to connect to + the service "printer" on the SMB/CIFS server "smbserver", + you would use the servicename <TT +CLASS="FILENAME" +>//smbserver/printer + </TT +></P +><P +>Note that the server name required is NOT necessarily + the IP (DNS) host name of the server ! The name required is + a NetBIOS server name, which may or may not be the + same as the IP hostname of the machine running the server. + </P +><P +>The server name is looked up according to either + the <TT +CLASS="PARAMETER" +><I +>-R</I +></TT +> parameter to smbclient or + using the name resolve order parameter in the smb.conf file, + allowing an administrator to change the order and methods + by which server names are looked up. </P +></DD +><DT +>password</DT +><DD +><P +>The password required to access the specified + service on the specified server. If this parameter is + supplied, the <TT +CLASS="PARAMETER" +><I +>-N</I +></TT +> option (suppress + password prompt) is assumed. </P +><P +>There is no default password. If no password is supplied + on the command line (either by using this parameter or adding + a password to the <TT +CLASS="PARAMETER" +><I +>-U</I +></TT +> option (see + below)) and the <TT +CLASS="PARAMETER" +><I +>-N</I +></TT +> option is not + specified, the client will prompt for a password, even if + the desired service does not require one. (If no password is + required, simply press ENTER to provide a null password.) + </P +><P +>Note: Some servers (including OS/2 and Windows for + Workgroups) insist on an uppercase password. Lowercase + or mixed case passwords may be rejected by these servers. + </P +><P +>Be cautious about including passwords in scripts. + </P +></DD +><DT +>-s smb.conf</DT +><DD +><P +>Specifies the location of the all important + <TT +CLASS="FILENAME" +>smb.conf</TT +> file. </P +></DD +><DT +>-O socket options</DT +><DD +><P +>TCP socket options to set on the client + socket. See the socket options parameter in the <TT +CLASS="FILENAME" +> smb.conf (5)</TT +> manpage for the list of valid + options. </P +></DD +><DT +>name resolve order (G)</DT +><DD +><P +>This option is used by the programs in the Samba + suite to determine what naming services and in what order to resolve + host names to IP addresses. The option takes a space separated + string of different name resolution options.</P +><P +>The options are :"lmhosts", "host", "wins" and "bcast". They + cause names to be resolved as follows :</P +><P +></P +><UL +><LI +><P +><TT +CLASS="CONSTANT" +>lmhosts</TT +> : Lookup an IP + address in the Samba lmhosts file. If the line in lmhosts has + no name type attached to the NetBIOS name (see the <A +HREF="lmhosts.5.html" +TARGET="_top" +>lmhosts(5)</A +> for details) then + any name type matches for lookup.</P +></LI +><LI +><P +><TT +CLASS="CONSTANT" +>host</TT +> : Do a standard host + name to IP address resolution, using the system <TT +CLASS="FILENAME" +>/etc/hosts + </TT +>, NIS, or DNS lookups. This method of name resolution + is operating system depended for instance on IRIX or Solaris this + may be controlled by the <TT +CLASS="FILENAME" +>/etc/nsswitch.conf</TT +> + file). Note that this method is only used if the NetBIOS name + type being queried is the 0x20 (server) name type, otherwise + it is ignored.</P +></LI +><LI +><P +><TT +CLASS="CONSTANT" +>wins</TT +> : Query a name with + the IP address listed in the <TT +CLASS="PARAMETER" +><I +>wins server</I +></TT +> + parameter. If no WINS server has + been specified this method will be ignored.</P +></LI +><LI +><P +><TT +CLASS="CONSTANT" +>bcast</TT +> : Do a broadcast on + each of the known local interfaces listed in the + <TT +CLASS="PARAMETER" +><I +>interfaces</I +></TT +> + parameter. This is the least reliable of the name resolution + methods as it depends on the target host being on a locally + connected subnet.</P +></LI +></UL +><P +>If this parameter is not set then the name resolve order + defined in the <TT +CLASS="FILENAME" +>smb.conf</TT +> file parameter + (name resolve order) will be used. </P +><P +>The default order is lmhosts, host, wins, bcast and without + this parameter or any entry in the <TT +CLASS="PARAMETER" +><I +>name resolve order + </I +></TT +> parameter of the smb.conf file the name resolution + methods will be attempted in this order. </P +></DD +><DT +>-M NetBIOS name</DT +><DD +><P +>This options allows you to send messages, using + the "WinPopup" protocol, to another computer. Once a connection is + established you then type your message, pressing ^D (control-D) to + end. </P +><P +>If the receiving computer is running WinPopup the user will + receive the message and probably a beep. If they are not running + WinPopup the message will be lost, and no error message will + occur. </P +><P +>The message is also automatically truncated if the message + is over 1600 bytes, as this is the limit of the protocol. + </P +><P +>One useful trick is to cat the message through + <B +CLASS="COMMAND" +>smbclient</B +>. For example: <B +CLASS="COMMAND" +> cat mymessage.txt | smbclient -M FRED </B +> will + send the message in the file <TT +CLASS="FILENAME" +>mymessage.txt</TT +> + to the machine FRED. </P +><P +>You may also find the <TT +CLASS="PARAMETER" +><I +>-U</I +></TT +> and + <TT +CLASS="PARAMETER" +><I +>-I</I +></TT +> options useful, as they allow you to + control the FROM and TO parts of the message. </P +><P +>See the message command parameter in the <TT +CLASS="FILENAME" +> smb.conf(5)</TT +> for a description of how to handle incoming + WinPopup messages in Samba. </P +><P +><I +CLASS="EMPHASIS" +>Note</I +>: Copy WinPopup into the startup group + on your WfWg PCs if you want them to always be able to receive + messages. </P +></DD +><DT +>-i scope</DT +><DD +><P +>This specifies a NetBIOS scope that smbclient will + use to communicate with when generating NetBIOS names. For details + on the use of NetBIOS scopes, see rfc1001.txt and rfc1002.txt. + NetBIOS scopes are <I +CLASS="EMPHASIS" +>very</I +> rarely used, only set + this parameter if you are the system administrator in charge of all + the NetBIOS systems you communicate with. </P +></DD +><DT +>-N</DT +><DD +><P +>If specified, this parameter suppresses the normal + password prompt from the client to the user. This is useful when + accessing a service that does not require a password. </P +><P +>Unless a password is specified on the command line or + this parameter is specified, the client will request a + password.</P +></DD +><DT +>-n NetBIOS name</DT +><DD +><P +>By default, the client will use the local + machine's hostname (in uppercase) as its NetBIOS name. This parameter + allows you to override the host name and use whatever NetBIOS + name you wish. </P +></DD +><DT +>-d debuglevel</DT +><DD +><P +>debuglevel is an integer from 0 to 10, or + the letter 'A'. </P +><P +>The default value if this parameter is not specified + is zero. </P +><P +>The higher this value, the more detail will be logged to + the log files about the activities of the + client. At level 0, only critical errors and serious warnings will + be logged. Level 1 is a reasonable level for day to day running - + it generates a small amount of information about operations + carried out. </P +><P +>Levels above 1 will generate considerable amounts of log + data, and should only be used when investigating a problem. + Levels above 3 are designed for use only by developers and + generate HUGE amounts of log data, most of which is extremely + cryptic. If debuglevel is set to the letter 'A', then <I +CLASS="EMPHASIS" +>all + </I +> debug messages will be printed. This setting + is for developers only (and people who <I +CLASS="EMPHASIS" +>really</I +> want + to know how the code works internally). </P +><P +>Note that specifying this parameter here will override + the log level parameter in the <B +CLASS="COMMAND" +>smb.conf (5)</B +> + file. </P +></DD +><DT +>-p port</DT +><DD +><P +>This number is the TCP port number that will be used + when making connections to the server. The standard (well-known) + TCP port number for an SMB/CIFS server is 139, which is the + default. </P +></DD +><DT +>-l logfilename</DT +><DD +><P +>If specified, logfilename specifies a base filename + into which operational data from the running client will be + logged. </P +><P +>The default base name is specified at compile time.</P +><P +>The base name is used to generate actual log file names. + For example, if the name specified was "log", the debug file + would be <TT +CLASS="FILENAME" +>log.client</TT +>.</P +><P +>The log file generated is never removed by the client. + </P +></DD +><DT +>-h</DT +><DD +><P +>Print the usage message for the client. </P +></DD +><DT +>-I IP-address</DT +><DD +><P +>IP address is the address of the server to connect to. + It should be specified in standard "a.b.c.d" notation. </P +><P +>Normally the client would attempt to locate a named + SMB/CIFS server by looking it up via the NetBIOS name resolution + mechanism described above in the <TT +CLASS="PARAMETER" +><I +>name resolve order</I +></TT +> + parameter above. Using this parameter will force the client + to assume that the server is on the machine with the specified IP + address and the NetBIOS name component of the resource being + connected to will be ignored. </P +><P +>There is no default for this parameter. If not supplied, + it will be determined automatically by the client as described + above. </P +></DD +><DT +>-E</DT +><DD +><P +>This parameter causes the client to write messages + to the standard error stream (stderr) rather than to the standard + output stream. </P +><P +>By default, the client writes messages to standard output + - typically the user's tty. </P +></DD +><DT +>-U username[%pass]</DT +><DD +><P +>Sets the SMB username or username and password. + If %pass is not specified, The user will be prompted. The client + will first check the USER environment variable, then the + <TT +CLASS="PARAMETER" +><I +>$LOGNAME</I +></TT +> variable and if either exist, the + string is uppercased. Anything in these variables following a '%' + sign will be treated as the password. If these environmental + variables are not found, the username <TT +CLASS="CONSTANT" +>GUEST</TT +> + is used. </P +><P +>If the password is not included in these environment + variables (using the %pass syntax), rpcclient will look for + a <TT +CLASS="PARAMETER" +><I +>$PASSWD</I +></TT +> environment variable from which + to read the password. </P +><P +>A third option is to use a credentials file which + contains the plaintext of the username and password. This + option is mainly provided for scripts where the admin doesn't + desire to pass the credentials on the command line or via environment + variables. If this method is used, make certain that the permissions + on the file restrict access from unwanted users. See the + <TT +CLASS="PARAMETER" +><I +>-A</I +></TT +> for more details. </P +><P +>Be cautious about including passwords in scripts or in + the <TT +CLASS="PARAMETER" +><I +>$PASSWD</I +></TT +> environment variable. Also, on + many systems the command line of a running process may be seen + via the <B +CLASS="COMMAND" +>ps</B +> command to be safe always allow + <B +CLASS="COMMAND" +>rpcclient</B +> to prompt for a password and type + it in directly. </P +></DD +><DT +>-A filename</DT +><DD +><P +>This option allows + you to specify a file from which to read the username and + password used in the connection. The format of the file is + </P +><P +><PRE +CLASS="PROGRAMLISTING" +>username = <value> +password = <value> + </PRE +></P +><P +>Make certain that the permissions on the file restrict + access from unwanted users. </P +></DD +><DT +>-L</DT +><DD +><P +>This option allows you to look at what services + are available on a server. You use it as <B +CLASS="COMMAND" +>smbclient -L + host</B +> and a list should appear. The <TT +CLASS="PARAMETER" +><I +>-I + </I +></TT +> option may be useful if your NetBIOS names don't + match your tcp/ip dns host names or if you are trying to reach a + host on another network. </P +></DD +><DT +>-t terminal code</DT +><DD +><P +>This option tells smbclient how to interpret + filenames coming from the remote server. Usually Asian language + multibyte UNIX implementations use different character sets than + SMB/CIFS servers (<I +CLASS="EMPHASIS" +>EUC</I +> instead of <I +CLASS="EMPHASIS" +> SJIS</I +> for example). Setting this parameter will let + <B +CLASS="COMMAND" +>smbclient</B +> convert between the UNIX filenames and + the SMB filenames correctly. This option has not been seriously tested + and may have some problems. </P +><P +>The terminal codes include CWsjis, CWeuc, CWjis7, CWjis8, + CWjunet, CWhex, CWcap. This is not a complete list, check the Samba + source code for the complete list. </P +></DD +><DT +>-b buffersize</DT +><DD +><P +>This option changes the transmit/send buffer + size when getting or putting a file from/to the server. The default + is 65520 bytes. Setting this value smaller (to 1200 bytes) has been + observed to speed up file transfers to and from a Win9x server. + </P +></DD +><DT +>-W WORKGROUP</DT +><DD +><P +>Override the default workgroup specified in the + workgroup parameter of the <TT +CLASS="FILENAME" +>smb.conf</TT +> file + for this connection. This may be needed to connect to some + servers. </P +></DD +><DT +>-T tar options</DT +><DD +><P +>smbclient may be used to create <B +CLASS="COMMAND" +>tar(1) + </B +> compatible backups of all the files on an SMB/CIFS + share. The secondary tar flags that can be given to this option + are : </P +><P +></P +><UL +><LI +><P +><TT +CLASS="PARAMETER" +><I +>c</I +></TT +> - Create a tar file on UNIX. + Must be followed by the name of a tar file, tape device + or "-" for standard output. If using standard output you must + turn the log level to its lowest value -d0 to avoid corrupting + your tar file. This flag is mutually exclusive with the + <TT +CLASS="PARAMETER" +><I +>x</I +></TT +> flag. </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>x</I +></TT +> - Extract (restore) a local + tar file back to a share. Unless the -D option is given, the tar + files will be restored from the top level of the share. Must be + followed by the name of the tar file, device or "-" for standard + input. Mutually exclusive with the <TT +CLASS="PARAMETER" +><I +>c</I +></TT +> flag. + Restored files have their creation times (mtime) set to the + date saved in the tar file. Directories currently do not get + their creation dates restored properly. </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>I</I +></TT +> - Include files and directories. + Is the default behavior when filenames are specified above. Causes + tar files to be included in an extract or create (and therefore + everything else to be excluded). See example below. Filename globbing + works in one of two ways. See r below. </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>X</I +></TT +> - Exclude files and directories. + Causes tar files to be excluded from an extract or create. See + example below. Filename globbing works in one of two ways now. + See <TT +CLASS="PARAMETER" +><I +>r</I +></TT +> below. </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>b</I +></TT +> - Blocksize. Must be followed + by a valid (greater than zero) blocksize. Causes tar file to be + written out in blocksize*TBLOCK (usually 512 byte) blocks. + </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>g</I +></TT +> - Incremental. Only back up + files that have the archive bit set. Useful only with the + <TT +CLASS="PARAMETER" +><I +>c</I +></TT +> flag. </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>q</I +></TT +> - Quiet. Keeps tar from printing + diagnostics as it works. This is the same as tarmode quiet. + </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>r</I +></TT +> - Regular expression include + or exclude. Uses regular regular expression matching for + excluding or excluding files if compiled with HAVE_REGEX_H. + However this mode can be very slow. If not compiled with + HAVE_REGEX_H, does a limited wildcard match on '*' and '?'. + </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>N</I +></TT +> - Newer than. Must be followed + by the name of a file whose date is compared against files found + on the share during a create. Only files newer than the file + specified are backed up to the tar file. Useful only with the + <TT +CLASS="PARAMETER" +><I +>c</I +></TT +> flag. </P +></LI +><LI +><P +><TT +CLASS="PARAMETER" +><I +>a</I +></TT +> - Set archive bit. Causes the + archive bit to be reset when a file is backed up. Useful with the + <TT +CLASS="PARAMETER" +><I +>g</I +></TT +> and <TT +CLASS="PARAMETER" +><I +>c</I +></TT +> flags. + </P +></LI +></UL +><P +><I +CLASS="EMPHASIS" +>Tar Long File Names</I +></P +><P +><B +CLASS="COMMAND" +>smbclient</B +>'s tar option now supports long + file names both on backup and restore. However, the full path + name of the file must be less than 1024 bytes. Also, when + a tar archive is created, smbclient's tar option places all + files in the archive with relative names, not absolute names. + </P +><P +><I +CLASS="EMPHASIS" +>Tar Filenames</I +></P +><P +>All file names can be given as DOS path names (with '\' + as the component separator) or as UNIX path names (with '/' as + the component separator). </P +><P +><I +CLASS="EMPHASIS" +>Examples</I +></P +><P +>Restore from tar file backup.tar into myshare on mypc + (no password on share). </P +><P +><B +CLASS="COMMAND" +>smbclient //mypc/myshare "" -N -Tx backup.tar + </B +></P +><P +>Restore everything except <TT +CLASS="FILENAME" +>users/docs</TT +> + </P +><P +><B +CLASS="COMMAND" +>smbclient //mypc/myshare "" -N -TXx backup.tar + users/docs</B +></P +><P +>Create a tar file of the files beneath <TT +CLASS="FILENAME" +> users/docs</TT +>. </P +><P +><B +CLASS="COMMAND" +>smbclient //mypc/myshare "" -N -Tc + backup.tar users/docs </B +></P +><P +>Create the same tar file as above, but now use + a DOS path name. </P +><P +><B +CLASS="COMMAND" +>smbclient //mypc/myshare "" -N -tc backup.tar + users\edocs </B +></P +><P +>Create a tar file of all the files and directories in + the share. </P +><P +><B +CLASS="COMMAND" +>smbclient //mypc/myshare "" -N -Tc backup.tar * + </B +></P +></DD +><DT +>-D initial directory</DT +><DD +><P +>Change to initial directory before starting. Probably + only of any use with the tar -T option. </P +></DD +><DT +>-c command string</DT +><DD +><P +>command string is a semicolon separated list of + commands to be executed instead of prompting from stdin. <TT +CLASS="PARAMETER" +><I +> -N</I +></TT +> is implied by <TT +CLASS="PARAMETER" +><I +>-c</I +></TT +>.</P +><P +>This is particularly useful in scripts and for printing stdin + to the server, e.g. <B +CLASS="COMMAND" +>-c 'print -'</B +>. </P +></DD +></DL +></DIV +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN297" +></A +><H2 +>OPERATIONS</H2 +><P +>Once the client is running, the user is presented with + a prompt : </P +><P +><TT +CLASS="PROMPT" +>smb:\> </TT +></P +><P +>The backslash ("\") indicates the current working directory + on the server, and will change if the current working directory + is changed. </P +><P +>The prompt indicates that the client is ready and waiting to + carry out a user command. Each command is a single word, optionally + followed by parameters specific to that command. Command and parameters + are space-delimited unless these notes specifically + state otherwise. All commands are case-insensitive. Parameters to + commands may or may not be case sensitive, depending on the command. + </P +><P +>You can specify file names which have spaces in them by quoting + the name with double quotes, for example "a long file name". </P +><P +>Parameters shown in square brackets (e.g., "[parameter]") are + optional. If not given, the command will use suitable defaults. Parameters + shown in angle brackets (e.g., "<parameter>") are required. + </P +><P +>Note that all commands operating on the server are actually + performed by issuing a request to the server. Thus the behavior may + vary from server to server, depending on how the server was implemented. + </P +><P +>The commands available are given here in alphabetical order. </P +><P +></P +><DIV +CLASS="VARIABLELIST" +><DL +><DT +>? [command]</DT +><DD +><P +>If "command" is specified, the ? command will display + a brief informative message about the specified command. If no + command is specified, a list of available commands will + be displayed. </P +></DD +><DT +>! [shell command]</DT +><DD +><P +>If "shell command" is specified, the ! + command will execute a shell locally and run the specified shell + command. If no command is specified, a local shell will be run. + </P +></DD +><DT +>cd [directory name]</DT +><DD +><P +>If "directory name" is specified, the current + working directory on the server will be changed to the directory + specified. This operation will fail if for any reason the specified + directory is inaccessible. </P +><P +>If no directory name is specified, the current working + directory on the server will be reported. </P +></DD +><DT +>del <mask></DT +><DD +><P +>The client will request that the server attempt + to delete all files matching "mask" from the current working + directory on the server. </P +></DD +><DT +>dir <mask></DT +><DD +><P +>A list of the files matching "mask" in the current + working directory on the server will be retrieved from the server + and displayed. </P +></DD +><DT +>exit</DT +><DD +><P +>Terminate the connection with the server and exit + from the program. </P +></DD +><DT +>get <remote file name> [local file name]</DT +><DD +><P +>Copy the file called "remote file name" from + the server to the machine running the client. If specified, name + the local copy "local file name". Note that all transfers in + <B +CLASS="COMMAND" +>smbclient</B +> are binary. See also the + lowercase command. </P +></DD +><DT +>help [command]</DT +><DD +><P +>See the ? command above. </P +></DD +><DT +>lcd [directory name]</DT +><DD +><P +>If "directory name" is specified, the current + working directory on the local machine will be changed to + the directory specified. This operation will fail if for any + reason the specified directory is inaccessible. </P +><P +>If no directory name is specified, the name of the + current working directory on the local machine will be reported. + </P +></DD +><DT +>lowercase</DT +><DD +><P +>Toggle lowercasing of filenames for the get and + mget commands. </P +><P +>When lowercasing is toggled ON, local filenames are converted + to lowercase when using the get and mget commands. This is + often useful when copying (say) MSDOS files from a server, because + lowercase filenames are the norm on UNIX systems. </P +></DD +><DT +>ls <mask></DT +><DD +><P +>See the dir command above. </P +></DD +><DT +>mask <mask></DT +><DD +><P +>This command allows the user to set up a mask + which will be used during recursive operation of the mget and + mput commands. </P +><P +>The masks specified to the mget and mput commands act as + filters for directories rather than files when recursion is + toggled ON. </P +><P +>The mask specified with the mask command is necessary + to filter files within those directories. For example, if the + mask specified in an mget command is "source*" and the mask + specified with the mask command is "*.c" and recursion is + toggled ON, the mget command will retrieve all files matching + "*.c" in all directories below and including all directories + matching "source*" in the current working directory. </P +><P +>Note that the value for mask defaults to blank (equivalent + to "*") and remains so until the mask command is used to change it. + It retains the most recently specified value indefinitely. To + avoid unexpected results it would be wise to change the value of + mask back to "*" after using the mget or mput commands. </P +></DD +><DT +>md <directory name></DT +><DD +><P +>See the mkdir command. </P +></DD +><DT +>mget <mask></DT +><DD +><P +>Copy all files matching mask from the server to + the machine running the client. </P +><P +>Note that mask is interpreted differently during recursive + operation and non-recursive operation - refer to the recurse and + mask commands for more information. Note that all transfers in + smbclient are binary. See also the lowercase command. </P +></DD +><DT +>mkdir <directory name></DT +><DD +><P +>Create a new directory on the server (user access + privileges permitting) with the specified name. </P +></DD +><DT +>mput <mask></DT +><DD +><P +>Copy all files matching mask in the current working + directory on the local machine to the current working directory on + the server. </P +><P +>Note that mask is interpreted differently during recursive + operation and non-recursive operation - refer to the recurse and mask + commands for more information. Note that all transfers in smbclient + are binary. </P +></DD +><DT +>print <file name></DT +><DD +><P +>Print the specified file from the local machine + through a printable service on the server. </P +><P +>See also the printmode command.</P +></DD +><DT +>printmode <graphics or text></DT +><DD +><P +>Set the print mode to suit either binary data + (such as graphical information) or text. Subsequent print + commands will use the currently set print mode. </P +></DD +><DT +>prompt</DT +><DD +><P +>Toggle prompting for filenames during operation + of the mget and mput commands. </P +><P +>When toggled ON, the user will be prompted to confirm + the transfer of each file during these commands. When toggled + OFF, all specified files will be transferred without prompting. + </P +></DD +><DT +>put <local file name> [remote file name]</DT +><DD +><P +>Copy the file called "local file name" from the + machine running the client to the server. If specified, + name the remote copy "remote file name". Note that all transfers + in smbclient are binary. See also the lowercase command. + </P +></DD +><DT +>queue</DT +><DD +><P +>Displays the print queue, showing the job id, + name, size and current status. </P +></DD +><DT +>quit</DT +><DD +><P +>See the exit command. </P +></DD +><DT +>rd <directory name></DT +><DD +><P +>See the rmdir command. </P +></DD +><DT +>recurse</DT +><DD +><P +>Toggle directory recursion for the commands mget + and mput. </P +><P +>When toggled ON, these commands will process all directories + in the source directory (i.e., the directory they are copying + from ) and will recurse into any that match the mask specified + to the command. Only files that match the mask specified using + the mask command will be retrieved. See also the mask command. + </P +><P +>When recursion is toggled OFF, only files from the current + working directory on the source machine that match the mask specified + to the mget or mput commands will be copied, and any mask specified + using the mask command will be ignored. </P +></DD +><DT +>rm <mask></DT +><DD +><P +>Remove all files matching mask from the current + working directory on the server. </P +></DD +><DT +>rmdir <directory name></DT +><DD +><P +>Remove the specified directory (user access + privileges permitting) from the server. </P +></DD +><DT +>tar <c|x>[IXbgNa]</DT +><DD +><P +>Performs a tar operation - see the <TT +CLASS="PARAMETER" +><I +>-T + </I +></TT +> command line option above. Behavior may be affected + by the tarmode command (see below). Using g (incremental) and N + (newer) will affect tarmode settings. Note that using the "-" option + with tar x may not work - use the command line option instead. + </P +></DD +><DT +>blocksize <blocksize></DT +><DD +><P +>Blocksize. Must be followed by a valid (greater + than zero) blocksize. Causes tar file to be written out in + blocksize*TBLOCK (usually 512 byte) blocks. </P +></DD +><DT +>tarmode <full|inc|reset|noreset></DT +><DD +><P +>Changes tar's behavior with regard to archive + bits. In full mode, tar will back up everything regardless of the + archive bit setting (this is the default mode). In incremental mode, + tar will only back up files with the archive bit set. In reset mode, + tar will reset the archive bit on all files it backs up (implies + read/write share). </P +></DD +><DT +>setmode <filename> <perm=[+|\-]rsha></DT +><DD +><P +>A version of the DOS attrib command to set + file permissions. For example: </P +><P +><B +CLASS="COMMAND" +>setmode myfile +r </B +></P +><P +>would make myfile read only. </P +></DD +></DL +></DIV +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN446" +></A +><H2 +>NOTES</H2 +><P +>Some servers are fussy about the case of supplied usernames, + passwords, share names (AKA service names) and machine names. + If you fail to connect try giving all parameters in uppercase. + </P +><P +>It is often necessary to use the -n option when connecting + to some types of servers. For example OS/2 LanManager insists + on a valid NetBIOS name being used, so you need to supply a valid + name that would be known to the server.</P +><P +>smbclient supports long file names where the server + supports the LANMAN2 protocol or above. </P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN451" +></A +><H2 +>ENVIRONMENT VARIABLES</H2 +><P +>The variable <TT +CLASS="PARAMETER" +><I +>$USER</I +></TT +> may contain the + username of the person using the client. This information is + used only if the protocol level is high enough to support + session-level passwords.</P +><P +>The variable <TT +CLASS="PARAMETER" +><I +>$PASSWD</I +></TT +> may contain + the password of the person using the client. This information is + used only if the protocol level is high enough to support + session-level passwords. </P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN457" +></A +><H2 +>INSTALLATION</H2 +><P +>The location of the client program is a matter for + individual system administrators. The following are thus + suggestions only. </P +><P +>It is recommended that the smbclient software be installed + in the <TT +CLASS="FILENAME" +>/usr/local/samba/bin/</TT +> or <TT +CLASS="FILENAME" +> /usr/samba/bin/</TT +> directory, this directory readable + by all, writeable only by root. The client program itself should + be executable by all. The client should <I +CLASS="EMPHASIS" +>NOT</I +> be + setuid or setgid! </P +><P +>The client log files should be put in a directory readable + and writeable only by the user. </P +><P +>To test the client, you will need to know the name of a + running SMB/CIFS server. It is possible to run <B +CLASS="COMMAND" +>smbd(8) + </B +> an ordinary user - running that server as a daemon + on a user-accessible port (typically any port number over 1024) + would provide a suitable test server. </P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN467" +></A +><H2 +>DIAGNOSTICS</H2 +><P +>Most diagnostics issued by the client are logged in a + specified log file. The log file name is specified at compile time, + but may be overridden on the command line. </P +><P +>The number and nature of diagnostics available depends + on the debug level used by the client. If you have problems, + set the debug level to 3 and peruse the log files. </P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN471" +></A +><H2 +>VERSION</H2 +><P +>This man page is correct for version 2.2 of + the Samba suite.</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN474" +></A +><H2 +>AUTHOR</H2 +><P +>The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed.</P +><P +>The original Samba man pages were written by Karl Auer. + The man page sources were converted to YODL format (another + excellent piece of Open Source software, available at + <A +HREF="ftp://ftp.icce.rug.nl/pub/unix/" +TARGET="_top" +> ftp://ftp.icce.rug.nl/pub/unix/</A +>) and updated for the Samba 2.0 + release by Jeremy Allison. The conversion to DocBook for + Samba 2.2 was done by Gerald Carter</P +></DIV +></BODY +></HTML +>
\ No newline at end of file diff --git a/docs/htmldocs/smbcontrol.1.html b/docs/htmldocs/smbcontrol.1.html index 57bda3759c3..c8cb14ccd31 100644 --- a/docs/htmldocs/smbcontrol.1.html +++ b/docs/htmldocs/smbcontrol.1.html @@ -1,106 +1,307 @@ - - - - - -<html><head><title>smbcontrol (1)</title> - -<link rev="made" href="mailto:samba@samba.org"> -</head> -<body> - -<hr> - -<h1>smbcontrol (1)</h1> -<h2>Samba</h2> -<h2>29 Sep 2000</h2> - - - - -<p><br><a name="NAME"></a> -<h2>NAME</h2> - smbcontrol - send messages to smbd or nmbd processes -<p><br><a name="SYNOPSIS"></a> -<h2>SYNOPSIS</h2> - -<p><br><strong>smbcontrol</strong> <a href="smbcontrol.1.html#minusi">-i</a> -<p><br><strong>smbcontrol</strong> <a href="smbcontrol.1.html#destination">destination</a> <a href="smbcontrol.1.html#messagetype">message-type</a> <a href="smbcontrol.1.html#parameters">parameters</a> -<p><br><a name="DESCRIPTION"></a> -<h2>DESCRIPTION</h2> - -<p><br>This program is part of the <strong>Samba</strong> suite. -<p><br><strong>smbcontrol</strong> is a very small program, which sends messages to an -<a href="smbd.8.html"><strong>smbd</strong></a> or an <a href="nmbd.8.html"><strong>nmbd</strong></a> daemon -running on the system. -<p><br><a name="OPTIONS"></a> -<h2>OPTIONS</h2> - -<p><br><ul> -<p><br><a name="minusi"></a> -<li><strong><strong>-i</strong></strong> Run interactively. Individual commands of the form -<a href="smbcontrol.1.html#destination">destination</a> <a href="smbcontrol.1.html#messagetype">message-type</a> <a href="smbcontrol.1.html#parameters">parameters</a> -can be entered on STDIN. An empty command line or a "q" will quit the program. -<p><br><a name="destination"></a> -<li><strong><strong>destination</strong></strong> is one of "nmbd", "smbd" or a process ID. -<p><br>The <strong>smbd</strong> destination causes the message to be "broadcast" to all -smbd daemons. -<p><br>The <strong>nmbd</strong> destination causes the message to be sent to the nmbd -daemon specified in the <strong>nmbd.pid</strong> file. -<p><br>If a single process ID is given, the message is sent to only that -process. -<p><br><a name="messagetype"></a> -<li><strong><strong>message-type</strong></strong> is one of: debug, force-election, ping, profile, -debuglevel, profilelevel, or printer-notify. -<p><br>The <strong>debug</strong> message-type allows the debug level to be set to the value -specified by the parameter. This can be sent to any of the destinations. -<p><br>The <strong>force-election</strong> message-type can only be sent to the <strong>nmbd</strong> -destination. This message causes the <strong>nmbd</strong> daemon to force a -new browse master election. -<p><br>The <strong>ping</strong> message-type sends the number of "ping" messages specified -by the parameter and waits for the same number of -reply "pong" messages. This can be sent to any of the destinations. -<p><br>The <strong>profile</strong> message-type sends a message to an smbd to change the profile -settings based on the parameter. The parameter can be "on" to turn on -profile stats collection, "off" to turn off profile stats collection, "count" -to enable only collection of count stats (time stats are disabled), and -"flush" to zero the current profile stats. -This can be sent to any of the destinations. -<p><br>The <strong>debuglevel</strong> message-type sends a "request debug level" message. -The current debug level setting is returned by a -"debuglevel" message. This can be sent to any of the destinations. -<p><br>The <strong>profilelevel</strong> message-type sends a "request profile level" message. -The current profile level setting is returned by a -"profilelevel" message. This can be sent to any of the destinations. -<p><br>The <strong>printer-notify</strong> message-type sends a message to smbd which in turn -sends a printer notify message to any Windows NT clients connected to -a printer. This message-type takes an argument of the printer name to -send notify messages to. This message can only be sent to smbd. -<p><br><a name="parameters"></a> -<li><strong><strong>parameters</strong></strong> is any parameters required for the message-type -<p><br></ul> -<p><br><a name="VERSION"></a> -<h2>VERSION</h2> - -<p><br>This man page is correct for version 2.2.0 of the Samba suite. -<p><br><a name="SEEALSO"></a> -<h2>SEE ALSO</h2> - -<p><br><a href="smbd.8.html"><strong>smbd (8)</strong></a>, <a href="nmbd.8.html"><strong>nmbd (8)</strong></a> -<p><br><a name="AUTHOR"></a> -<h2>AUTHOR</h2> - -<p><br>The original Samba software and related utilities were created by -Andrew Tridgell <a href="mailto:samba@samba.org"><em>samba@samba.org</em></a>. Samba is now developed -by the Samba Team as an Open Source project similar to the way the -Linux kernel is developed. -<p><br>This man page source was written in YODL format (another excellent piece of Open -Source software, available at -<a href="ftp://ftp.icce.rug.nl/pub/unix/"><strong>ftp://ftp.icce.rug.nl/pub/unix/</strong></a>) -for the Samba 2.2.0 release by Herb Lewis. -<a href="mailto:samba@samba.org"><em>samba@samba.org</em></a>. -<p><br>See <a href="samba.7.html"><strong>samba (7)</strong></a> to find out how to get a full -list of contributors and details on how to submit bug reports, -comments etc. -</body> -</html> +<HTML +><HEAD +><TITLE +>smbcontrol</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.57"></HEAD +><BODY +CLASS="REFENTRY" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><H1 +><A +NAME="FINDSMB" +>smbcontrol</A +></H1 +><DIV +CLASS="REFNAMEDIV" +><A +NAME="AEN5" +></A +><H2 +>Name</H2 +>smbcontrol -- send messages to smbd or nmbd processes</DIV +><DIV +CLASS="REFSYNOPSISDIV" +><A +NAME="AEN8" +></A +><H2 +>Synopsis</H2 +><P +><B +CLASS="COMMAND" +>smbcontrol</B +> [-i]</P +><P +><B +CLASS="COMMAND" +>smbcontrol</B +> [destination] [message-type] [parameter]</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN17" +></A +><H2 +>DESCRIPTION</H2 +><P +>This tool is part of the <A +HREF="samba.7.html" +TARGET="_top" +> Samba</A +> suite.</P +><P +><B +CLASS="COMMAND" +>smbcontrol</B +> is a very small program, which + sends messages to an <A +HREF="smbd.8.html" +TARGET="_top" +>smbd(8)</A +> or + an <A +HREF="nmbd.8.html" +TARGET="_top" +>nmbd(8)</A +> daemon running on the + system.</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN25" +></A +><H2 +>OPTIONS</H2 +><P +></P +><DIV +CLASS="VARIABLELIST" +><DL +><DT +>-i</DT +><DD +><P +>Run interactively. Individual commands + of the form destination message-type parameters can be entered + on STDIN. An empty command line or a "q" will quit the + program.</P +></DD +><DT +>destination</DT +><DD +><P +>One of <TT +CLASS="PARAMETER" +><I +>nmbd</I +></TT +> + <TT +CLASS="PARAMETER" +><I +>smbd</I +></TT +> or a process ID.</P +><P +>The <TT +CLASS="PARAMETER" +><I +>smbd</I +></TT +> destination causes the + message to "broadcast" to all smbd daemons.</P +><P +>The <TT +CLASS="PARAMETER" +><I +>nmbd</I +></TT +> destination causes the + message to be sent to the nmbd daemon specified in the + <TT +CLASS="FILENAME" +>nmbd.pid</TT +> file.</P +><P +>If a single process ID is given, the message is sent + to only that process.</P +></DD +><DT +>message-type</DT +><DD +><P +>One of: <TT +CLASS="CONSTANT" +>debug</TT +>, + <TT +CLASS="CONSTANT" +>force-election</TT +>, <TT +CLASS="CONSTANT" +>ping + </TT +>, <TT +CLASS="CONSTANT" +>profile</TT +>, <TT +CLASS="CONSTANT" +> debuglevel</TT +>, <TT +CLASS="CONSTANT" +>profilelevel</TT +>, + or <TT +CLASS="CONSTANT" +>printer-notify</TT +>.</P +><P +>The <TT +CLASS="CONSTANT" +>debug</TT +> message-type allows + the debug level to be set to the value specified by the + parameter. This can be sent to any of the destinations.</P +><P +>The <TT +CLASS="CONSTANT" +>force-election</TT +> message-type can only be + sent to the <TT +CLASS="CONSTANT" +>nmbd</TT +> destination. This message + causes the <B +CLASS="COMMAND" +>nmbd</B +> daemon to force a new browse + master election.</P +><P +>The <TT +CLASS="CONSTANT" +>ping</TT +> message-type sends the + number of "ping" messages specified by the parameter and waits + for the same number of reply "pong" messages. This can be sent to + any of the destinations.</P +><P +>The <TT +CLASS="CONSTANT" +>profile</TT +> message-type sends a + message to an smbd to change the profile settings based on the + parameter. The parameter can be "on" to turn on profile stats + collection, "off" to turn off profile stats collection, "count" + to enable only collection of count stats (time stats are + disabled), and "flush" to zero the current profile stats. This can + be sent to any of the destinations.</P +><P +>The <TT +CLASS="CONSTANT" +>debuglevel</TT +> message-type sends + a "request debug level" message. The current debug level setting + is returned by a "debuglevel" message. This can be + sent to any of the destinations.</P +><P +>The <TT +CLASS="CONSTANT" +>profilelevel</TT +> message-type sends + a "request profile level" message. The current profile level + setting is returned by a "profilelevel" message. This can be sent + to any of the destinations.</P +><P +>The <TT +CLASS="CONSTANT" +>printer-notify</TT +> message-type sends a + message to smbd which in turn sends a printer notify message to + any Windows NT clients connected to a printer. This message-type + takes an argument of the printer name to send notify messages to. + This message can only be sent to <TT +CLASS="CONSTANT" +>smbd</TT +>.</P +></DD +><DT +>parameters</DT +><DD +><P +>any parameters required for the message-type</P +></DD +></DL +></DIV +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN76" +></A +><H2 +>VERSION</H2 +><P +>This man page is correct for version 2.2 of + the Samba suite.</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN79" +></A +><H2 +>SEE ALSO</H2 +><P +><A +HREF="nmbd.8.html" +TARGET="_top" +><B +CLASS="COMMAND" +>nmbd(8)</B +></A +>, + and <A +HREF="smbd.8.html" +TARGET="_top" +><B +CLASS="COMMAND" +>smbd(8)</B +></A +>. + </P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN86" +></A +><H2 +>AUTHOR</H2 +><P +>The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed.</P +><P +>The original Samba man pages were written by Karl Auer. + The man page sources were converted to YODL format (another + excellent piece of Open Source software, available at + <A +HREF="ftp://ftp.icce.rug.nl/pub/unix/" +TARGET="_top" +> ftp://ftp.icce.rug.nl/pub/unix/</A +>) and updated for the Samba 2.0 + release by Jeremy Allison. The conversion to DocBook for + Samba 2.2 was done by Gerald Carter</P +></DIV +></BODY +></HTML +>
\ No newline at end of file diff --git a/docs/htmldocs/smbd.8.html b/docs/htmldocs/smbd.8.html index 766de0853f0..33af0242e5d 100644 --- a/docs/htmldocs/smbd.8.html +++ b/docs/htmldocs/smbd.8.html @@ -1,378 +1,971 @@ +<HTML +><HEAD +><TITLE +>smbd</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.57"></HEAD +><BODY +CLASS="REFENTRY" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><H1 +><A +NAME="SMBD" +>smbd</A +></H1 +><DIV +CLASS="REFNAMEDIV" +><A +NAME="AEN5" +></A +><H2 +>Name</H2 +>smbd -- server to provide SMB/CIFS services to clients</DIV +><DIV +CLASS="REFSYNOPSISDIV" +><A +NAME="AEN8" +></A +><H2 +>Synopsis</H2 +><P +><B +CLASS="COMMAND" +>smbd</B +> [-D] [-a] [-o] [-P] [-h] [-V] [-d <debug level>] [-l <log file>] [-p <port number>] [-O <socket option>] [-s <configuration file>]</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN22" +></A +><H2 +>DESCRIPTION</H2 +><P +>This program is part of the Samba suite.</P +><P +><B +CLASS="COMMAND" +>smbd</B +> is the server daemon that + provides filesharing and printing services to Windows clients. + The server provides filespace and printer services to + clients using the SMB (or CIFS) protocol. This is compatible + with the LanManager protocol, and can service LanManager + clients. These include MSCLIENT 3.0 for DOS, Windows for + Workgroups, Windows 95/98/ME, Windows NT, Windows 2000, + OS/2, DAVE for Macintosh, and smbfs for Linux.</P +><P +>An extensive description of the services that the + server can provide is given in the man page for the + configuration file controlling the attributes of those + services (see <A +HREF="smb.conf.5.html" +TARGET="_top" +><TT +CLASS="FILENAME" +>smb.conf(5) + </TT +></A +>. This man page will not describe the + services, but will concentrate on the administrative aspects + of running the server.</P +><P +>Please note that there are significant security + implications to running this server, and the <A +HREF="smb.conf.5.html" +TARGET="_top" +><TT +CLASS="FILENAME" +>smb.conf(5)</TT +></A +> + manpage should be regarded as mandatory reading before + proceeding with installation.</P +><P +>A session is created whenever a client requests one. + Each client gets a copy of the server for each session. This + copy then services all connections made by the client during + that session. When all connections from its client are closed, + the copy of the server for that client terminates.</P +><P +>The configuration file, and any files that it includes, + are automatically reloaded every minute, if they change. You + can force a reload by sending a SIGHUP to the server. Reloading + the configuration file will not affect connections to any service + that is already established. Either the user will have to + disconnect from the service, or smbd killed and restarted.</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN35" +></A +><H2 +>OPTIONS</H2 +><P +></P +><DIV +CLASS="VARIABLELIST" +><DL +><DT +>-D</DT +><DD +><P +>If specified, this parameter causes + the server to operate as a daemon. That is, it detaches + itself and runs in the background, fielding requests + on the appropriate port. Operating the server as a + daemon is the recommended way of running smbd for + servers that provide more than casual use file and + print services. This switch is assumed is <B +CLASS="COMMAND" +>smbd + </B +> is executed on the command line of a shell. + </P +></DD +><DT +>-a</DT +><DD +><P +>If this parameter is specified, each new + connection will append log messages to the log file. + This is the default.</P +></DD +><DT +>-o</DT +><DD +><P +>If this parameter is specified, the + log files will be overwritten when opened. By default, + <B +CLASS="COMMAND" +>smbd</B +> will append entries to the log + files.</P +></DD +><DT +>-P</DT +><DD +><P +>Passive option. Causes smbd not to + send any network traffic out. Used for debugging by + the developers only.</P +></DD +><DT +>-h</DT +><DD +><P +>Prints the help information (usage) + for <B +CLASS="COMMAND" +>smbd</B +>.</P +></DD +><DT +>-v</DT +><DD +><P +>Prints the version number for + <B +CLASS="COMMAND" +>smbd</B +>.</P +></DD +><DT +>-d <debug level></DT +><DD +><P +>debuglevel is an integer + from 0 to 10. The default value if this parameter is + not specified is zero.</P +><P +>The higher this value, the more detail will be + logged to the log files about the activities of the + server. At level 0, only critical errors and serious + warnings will be logged. Level 1 is a reasonable level for + day to day running - it generates a small amount of + information about operations carried out.</P +><P +>Levels above 1 will generate considerable + amounts of log data, and should only be used when + investigating a problem. Levels above 3 are designed for + use only by developers and generate HUGE amounts of log + data, most of which is extremely cryptic.</P +><P +>Note that specifying this parameter here will + override the <A +HREF="smb.conf.5.html#loglevel" +TARGET="_top" +>log + level</A +> parameter in the <A +HREF="smb.conf.5.html" +TARGET="_top" +> <TT +CLASS="FILENAME" +>smb.conf(5)</TT +></A +> file.</P +></DD +><DT +>-l <log file></DT +><DD +><P +>If specified, <I +CLASS="EMPHASIS" +>log file</I +> + specifies a log filename into which informational and debug + messages from the running server will be logged. The log + file generated is never removed by the server although + its size may be controlled by the <A +HREF="smb.conf.5.html#maxlogsize" +TARGET="_top" +>max log size</A +> + option in the <A +HREF="smb.conf.5.html" +TARGET="_top" +><TT +CLASS="FILENAME" +> smb.conf(5)</TT +></A +> file. The default log + file name is specified at compile time.</P +></DD +><DT +>-O <socket options></DT +><DD +><P +>See the <A +HREF="smb.conf.5.html#socketoptions" +TARGET="_top" +>socket options</A +> + parameter in the <A +HREF="smb.conf.5.html" +TARGET="_top" +><TT +CLASS="FILENAME" +>smb.conf(5) + </TT +></A +> file for details.</P +></DD +><DT +>-p <port number></DT +><DD +><P +>port number is a positive integer + value. The default value if this parameter is not + specified is 139.</P +><P +>This number is the port number that will be + used when making connections to the server from client + software. The standard (well-known) port number for the + SMB over TCP is 139, hence the default. If you wish to + run the server as an ordinary user rather than + as root, most systems will require you to use a port + number greater than 1024 - ask your system administrator + for help if you are in this situation.</P +><P +>In order for the server to be useful by most + clients, should you configure it on a port other + than 139, you will require port redirection services + on port 139, details of which are outlined in rfc1002.txt + section 4.3.5.</P +><P +>This parameter is not normally specified except + in the above situation.</P +></DD +><DT +>-s <configuration file></DT +><DD +><P +>The file specified contains the + configuration details required by the server. The + information in this file includes server-specific + information such as what printcap file to use, as well + as descriptions of all the services that the server is + to provide. See <A +HREF="smb.conf.5.html" +TARGET="_top" +><TT +CLASS="FILENAME" +> smb.conf(5)</TT +></A +> for more information. + The default configuration file name is determined at + compile time.</P +></DD +></DL +></DIV +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN104" +></A +><H2 +>FILES</H2 +><P +></P +><DIV +CLASS="VARIABLELIST" +><DL +><DT +><TT +CLASS="FILENAME" +>/etc/inetd.conf</TT +></DT +><DD +><P +>If the server is to be run by the + <B +CLASS="COMMAND" +>inetd</B +> meta-daemon, this file + must contain suitable startup information for the + meta-daemon. See the section INSTALLATION below. + </P +></DD +><DT +><TT +CLASS="FILENAME" +>/etc/rc</TT +></DT +><DD +><P +>or whatever initialization script your + system uses).</P +><P +>If running the server as a daemon at startup, + this file will need to contain an appropriate startup + sequence for the server. See the section INSTALLATION + below.</P +></DD +><DT +><TT +CLASS="FILENAME" +>/etc/services</TT +></DT +><DD +><P +>If running the server via the + meta-daemon <B +CLASS="COMMAND" +>inetd</B +>, this file + must contain a mapping of service name (e.g., netbios-ssn) + to service port (e.g., 139) and protocol type (e.g., tcp). + See the section INSTALLATION below.</P +></DD +><DT +><TT +CLASS="FILENAME" +>/usr/local/samba/lib/smb.conf</TT +></DT +><DD +><P +>This is the default location of the + <A +HREF="smb.conf.5.html" +TARGET="_top" +><TT +CLASS="FILENAME" +>smb.conf</TT +></A +> + server configuration file. Other common places that systems + install this file are <TT +CLASS="FILENAME" +>/usr/samba/lib/smb.conf</TT +> + and <TT +CLASS="FILENAME" +>/etc/smb.conf</TT +>.</P +><P +>This file describes all the services the server + is to make available to clients. See <A +HREF="smb.conf.5.html" +TARGET="_top" +> <TT +CLASS="FILENAME" +>smb.conf(5)</TT +></A +> for more information.</P +></DD +></DL +></DIV +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN137" +></A +><H2 +>LIMITATIONS</H2 +><P +>On some systems <B +CLASS="COMMAND" +>smbd</B +> cannot change uid back + to root after a setuid() call. Such systems are called + trapdoor uid systems. If you have such a system, + you will be unable to connect from a client (such as a PC) as + two different users at once. Attempts to connect the + second user will result in access denied or + similar.</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN141" +></A +><H2 +>ENVIRONMENTVARIABLES</H2 +><P +></P +><DIV +CLASS="VARIABLELIST" +><DL +><DT +>PRINTER</DT +><DD +><P +>If no printer name is specified to + printable services, most systems will use the value of + this variable (or lp if this variable is + not defined) as the name of the printer to use. This + is not specific to the server, however.</P +></DD +></DL +></DIV +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN148" +></A +><H2 +>INSTALLATION</H2 +><P +>The location of the server and its support files + is a matter for individual system administrators. The following + are thus suggestions only.</P +><P +>It is recommended that the server software be installed + under the <TT +CLASS="FILENAME" +>/usr/local/samba/</TT +> hierarchy, + in a directory readable by all, writeable only by root. The server + program itself should be executable by all, as users may wish to + run the server themselves (in which case it will of course run + with their privileges). The server should NOT be setuid. On some + systems it may be worthwhile to make smbd setgid to an empty group. + This is because some systems may have a security hole where daemon + processes that become a user can be attached to with a debugger. + Making the smbd file setgid to an empty group may prevent + this hole from being exploited. This security hole and the suggested + fix has only been confirmed on old versions (pre-kernel 2.0) of Linux + at the time this was written. It is possible that this hole only + exists in Linux, as testing on other systems has thus far shown them + to be immune.</P +><P +>The server log files should be put in a directory readable and + writeable only by root, as the log files may contain sensitive + information.</P +><P +>The configuration file should be placed in a directory + readable and writeable only by root, as the configuration file + controls security for the services offered by the server. The + configuration file can be made readable by all if desired, but + this is not necessary for correct operation of the server and is + not recommended. A sample configuration file <TT +CLASS="FILENAME" +>smb.conf.sample + </TT +> is supplied with the source to the server - this may + be renamed to <TT +CLASS="FILENAME" +>smb.conf</TT +> and modified to suit + your needs.</P +><P +>The remaining notes will assume the following:</P +><P +></P +><UL +><LI +><P +><B +CLASS="COMMAND" +>smbd</B +> (the server program) + installed in <TT +CLASS="FILENAME" +>/usr/local/samba/bin</TT +></P +></LI +><LI +><P +><TT +CLASS="FILENAME" +>smb.conf</TT +> (the configuration + file) installed in <TT +CLASS="FILENAME" +>/usr/local/samba/lib</TT +></P +></LI +><LI +><P +>log files stored in <TT +CLASS="FILENAME" +>/var/adm/smblogs + </TT +></P +></LI +></UL +><P +>The server may be run either as a daemon by users + or at startup, or it may be run from a meta-daemon such as + <B +CLASS="COMMAND" +>inetd</B +> upon request. If run as a daemon, + the server will always be ready, so starting sessions will be + faster. If run from a meta-daemon some memory will be saved and + utilities such as the tcpd TCP-wrapper may be used for extra + security. For serious use as file server it is recommended + that <B +CLASS="COMMAND" +>smbd</B +> be run as a daemon.</P +><P +>When you've decided, continue with either</P +><P +></P +><UL +><LI +><P +>RUNNING THE SERVER AS A DAEMON or</P +></LI +><LI +><P +>RUNNING THE SERVER ON REQUEST.</P +></LI +></UL +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN179" +></A +><H2 +>RUNNING THE SERVER AS A DAEMON</H2 +><P +>To run the server as a daemon from the command + line, simply put the <I +CLASS="EMPHASIS" +>-D</I +> option on the + command line. There is no need to place an ampersand at + the end of the command line - the <I +CLASS="EMPHASIS" +>-D</I +> + option causes the server to detach itself from the tty + anyway.</P +><P +>Any user can run the server as a daemon (execute + permissions permitting, of course). This is useful for + testing purposes, and may even be useful as a temporary + substitute for something like ftp. When run this way, however, + the server will only have the privileges of the user who ran + it.</P +><P +>To ensure that the server is run as a daemon whenever + the machine is started, and to ensure that it runs as root + so that it can serve multiple clients, you will need to modify + the system startup files. Wherever appropriate (for example, in + <TT +CLASS="FILENAME" +>/etc/rc</TT +>), insert the following line, + substituting port number, log file location, configuration file + location and debug level as desired:</P +><P +><B +CLASS="COMMAND" +>/usr/local/samba/bin/smbd -D -l /var/adm/smblogs/log + -s /usr/local/samba/lib/smb.conf</B +></P +><P +>(The above should appear in your initialization script + as a single line. Depending on your terminal characteristics, + it may not appear that way in this man page. If the above appears + as more than one line, please treat any newlines or indentation + as a single space or TAB character.)</P +><P +>If the options used at compile time are appropriate for + your system, all parameters except <I +CLASS="EMPHASIS" +>-D</I +> may + be omitted. See the section OPTIONS above.</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN192" +></A +><H2 +>RUNNING THE SERVER ON REQUEST</H2 +><P +>If your system uses a meta-daemon such as <B +CLASS="COMMAND" +>inetd + </B +>, you can arrange to have the smbd server started + whenever a process attempts to connect to it. This requires several + changes to the startup files on the host machine. If you are + experimenting as an ordinary user rather than as root, you will + need the assistance of your system administrator to modify the + system files.</P +><P +>You will probably want to set up the NetBIOS name server + <A +HREF="nmbd.8.html" +TARGET="_top" +><B +CLASS="COMMAND" +>nmbd</B +></A +> at + the same time as <B +CLASS="COMMAND" +>smbd</B +>. To do this refer to the + man page for <A +HREF="nmbd.8.html" +TARGET="_top" +><B +CLASS="COMMAND" +>nmbd(8)</B +> + </A +>.</P +><P +>First, ensure that a port is configured in the file + <TT +CLASS="FILENAME" +>/etc/services</TT +>. The well-known port 139 + should be used if possible, though any port may be used.</P +><P +>Ensure that a line similar to the following is in + <TT +CLASS="FILENAME" +>/etc/services</TT +>:</P +><P +><B +CLASS="COMMAND" +>netbios-ssn 139/tcp</B +></P +><P +>Note for NIS/YP users - you may need to rebuild the + NIS service maps rather than alter your local <TT +CLASS="FILENAME" +>/etc/services + </TT +> file.</P +><P +>Next, put a suitable line in the file <TT +CLASS="FILENAME" +>/etc/inetd.conf + </TT +> (in the unlikely event that you are using a meta-daemon + other than inetd, you are on your own). Note that the first item + in this line matches the service name in <TT +CLASS="FILENAME" +>/etc/services + </TT +>. Substitute appropriate values for your system + in this line (see <B +CLASS="COMMAND" +>inetd(8)</B +>):</P +><P +><B +CLASS="COMMAND" +>netbios-ssn stream tcp nowait root /usr/local/samba/bin/smbd + -d1 -l/var/adm/smblogs/log -s/usr/local/samba/lib/smb.conf</B +></P +><P +>(The above should appear in <TT +CLASS="FILENAME" +>/etc/inetd.conf</TT +> + as a single line. Depending on your terminal characteristics, it may + not appear that way in this man page. If the above appears as more + than one line, please treat any newlines or indentation as a single + space or TAB character.)</P +><P +>Note that there is no need to specify a port number here, + even if you are using a non-standard port number.</P +><P +>Lastly, edit the configuration file to provide suitable + services. To start with, the following two services should be + all you need:</P +><PRE +CLASS="SCREEN" +> <TT +CLASS="COMPUTEROUTPUT" +> [homes] + writeable = yes - - - - - -<html><head><title>smbd (8)</title> - -<link rev="made" href="mailto:samba@samba.org"> -</head> -<body> - -<hr> - -<h1>smbd (8)</h1> -<h2>Samba</h2> -<h2>23 Oct 1998</h2> - - - -<p><a name="NAME"></a> -<h2>NAME</h2> - smbd - server to provide SMB/CIFS services to clients -<p><a name="SYNOPSIS"></a> -<h2>SYNOPSIS</h2> - -<p><strong>smbd</strong> [<a href="smbd.8.html#minusD">-D</a>] [<a href="smbd.8.html#minusa">-a</a>] [<a href="smbd.8.html#minuso">-o</a>] [<a href="smbd.8.html#minusP">-P</a>] [<a href="smbd.8.html#minush">-h</a>] [<a href="smbd.8.html#minusV">-V</a>] [<a href="smbd.8.html#minusd">-d debuglevel</a>] [<a href="smbd.8.html#minusl">-l log file</a>] [<a href="smbd.8.html#minusp">-p port number</a>] [<a href="smbd.8.html#minusO">-O socket options</a>] [<a href="smbd.8.html#minuss">-s configuration file</a>] -<p><a name="DESCRIPTION"></a> -<h2>DESCRIPTION</h2> - -<p>This program is part of the <strong>Samba</strong> suite. -<p><strong>smbd</strong> is the server daemon that provides filesharing and printing -services to -Windows clients. The server provides filespace and printer services to -clients using the SMB (or CIFS) protocol. This is compatible with the -LanManager protocol, and can service LanManager clients. These -include MSCLIENT 3.0 for DOS, Windows for Workgroups, Windows 95, -Windows NT, OS/2, DAVE for Macintosh, and smbfs for Linux. -<p>An extensive description of the services that the server can provide -is given in the man page for the configuration file controlling the -attributes of those services (see -<a href="smb.conf.5.html"><strong>smb.conf (5)</strong></a>. This man page -will not describe the services, but will concentrate on the -administrative aspects of running the server. -<p>Please note that there are significant security implications to -running this server, and the -<a href="smb.conf.5.html"><strong>smb.conf (5)</strong></a> manpage should be -regarded as mandatory reading before proceeding with installation. -<p>A session is created whenever a client requests one. Each client gets -a copy of the server for each session. This copy then services all -connections made by the client during that session. When all -connections from its client are closed, the copy of the server for -that client terminates. -<p>The configuration file, and any files that it includes, are -automatically reloaded every minute, if they change. You can force a -reload by sending a SIGHUP to the server. Reloading the configuration -file will not affect connections to any service that is already -established. Either the user will have to disconnect from the -service, or smbd killed and restarted. -<p><a name="OPTIONS"></a> -<h2>OPTIONS</h2> - -<p><dl> -<p><a name="minusD"></a> -<p></p><dt><strong><strong>-D</strong></strong><dd> If specified, this parameter causes the server to operate as a -daemon. That is, it detaches itself and runs in the background, -fielding requests on the appropriate port. Operating the server as a -daemon is the recommended way of running smbd for servers that provide -more than casual use file and print services. -<p>By default, the server will NOT operate as a daemon. -<p><a name="minusa"></a> -<p></p><dt><strong><strong>-a</strong></strong><dd> If this parameter is specified, each new connection will -append log messages to the log file. This is the default. -<p><a name="minuso"></a> -<p></p><dt><strong><strong>-o</strong></strong><dd> If this parameter is specified, the log files will be -overwritten when opened. By default, the log files will be appended -to. -<p><a name="minusP"></a> -<p></p><dt><strong><strong>-P</strong></strong><dd> Passive option. Causes smbd not to send any network traffic -out. Used for debugging by the developers only. -<p><a name="minush"></a> -<p></p><dt><strong><strong>-h</strong></strong><dd> Prints the help information (usage) for <strong>smbd</strong>. -<p><a name="minusV"></a> -<p></p><dt><strong><strong>-V</strong></strong><dd> Prints the version number for <strong>smbd</strong>. -<p><a name="minusd"></a> -<p></p><dt><strong><strong>-d debuglevel</strong></strong><dd> debuglevel is an integer from 0 to 10. -<p>The default value if this parameter is not specified is zero. -<p>The higher this value, the more detail will be logged to the log files -about the activities of the server. At level 0, only critical errors -and serious warnings will be logged. Level 1 is a reasonable level for -day to day running - it generates a small amount of information about -operations carried out. -<p>Levels above 1 will generate considerable amounts of log data, and -should only be used when investigating a problem. Levels above 3 are -designed for use only by developers and generate HUGE amounts of log -data, most of which is extremely cryptic. -<p>Note that specifying this parameter here will override the <a href="smb.conf.5.html#loglevel"><strong>log -level</strong></a> parameter in the <a href="smb.conf.5.html"><strong>smb.conf -(5)</strong></a> file. -<p><a name="minusl"></a> -<p></p><dt><strong><strong>-l log file</strong></strong><dd> If specified, <em>log file</em> specifies -a log filename into which informational and debug messages from the -running server will be logged. The log file generated is never removed -by the server although its size may be controlled by the <a href="smb.conf.5.html#maxlogsize"><strong>max -log size</strong></a> option in the <a href="smb.conf.5.html"><strong>smb.conf -(5)</strong></a> file. The default log file name is specified -at compile time. -<p><a name="minusO"></a> -<p></p><dt><strong><strong>-O socket options</strong></strong><dd> See the <a href="smb.conf.5.html#socketoptions"><strong>socket -options</strong></a> parameter in the -<a href="smb.conf.5.html"><strong>smb.conf (5)</strong></a> file for details. -<p><a name="minusp"></a> -<p></p><dt><strong><strong>-p port number</strong></strong><dd> port number is a positive integer value. The -default value if this parameter is not specified is 139. -<p>This number is the port number that will be used when making -connections to the server from client software. The standard -(well-known) port number for the SMB over TCP is 139, hence the -default. If you wish to run the server as an ordinary user rather than -as root, most systems will require you to use a port number greater -than 1024 - ask your system administrator for help if you are in this -situation. -<p>In order for the server to be useful by most clients, should you -configure it on a port other than 139, you will require port -redirection services on port 139, details of which are outlined in -rfc1002.txt section 4.3.5. -<p>This parameter is not normally specified except in the above -situation. -<p><a name="minuss"></a> -<p></p><dt><strong><strong>-s configuration file</strong></strong><dd> -The file specified contains the configuration details required by the -server. The information in this file includes server-specific -information such as what printcap file to use, as well as descriptions -of all the services that the server is to provide. See <strong>smb.conf -(5)</strong> for more information. -The default configuration file name is determined at compile time. -<p></dl> -<p><a name="FILES"></a> -<h2>FILES</h2> - -<p><strong>/etc/inetd.conf</strong> -<p>If the server is to be run by the inetd meta-daemon, this file must -contain suitable startup information for the meta-daemon. See the -section <a href="smbd.8.html#INSTALLATION">INSTALLATION</a> below. -<p><strong>/etc/rc</strong> -<p>(or whatever initialization script your system uses). -<p>If running the server as a daemon at startup, this file will need to -contain an appropriate startup sequence for the server. See the -section <a href="smbd.8.html#INSTALLATION">INSTALLATION</a> below. -<p><strong>/etc/services</strong> -<p>If running the server via the meta-daemon inetd, this file must -contain a mapping of service name (e.g., netbios-ssn) to service port -(e.g., 139) and protocol type (e.g., tcp). See the section -<a href="smbd.8.html#INSTALLATION">INSTALLATION</a> below. -<p><strong>/usr/local/samba/lib/smb.conf</strong> -<p>This is the default location of the <em>smb.conf</em> server configuration -file. Other common places that systems install this file are -<em>/usr/samba/lib/smb.conf</em> and <em>/etc/smb.conf</em>. -<p>This file describes all the services the server is to make available -to clients. See <a href="smb.conf.5.html"><strong>smb.conf (5)</strong></a> for more information. -<p><a name="LIMITATIONS"></a> -<h2>LIMITATIONS</h2> - -<p>On some systems <strong>smbd</strong> cannot change uid back to root after a -setuid() call. Such systems are called "trapdoor" uid systems. If you -have such a system, you will be unable to connect from a client (such -as a PC) as two different users at once. Attempts to connect the -second user will result in "access denied" or similar. -<p><a name="ENVIRONMENTVARIABLES"></a> -<h2>ENVIRONMENT VARIABLES</h2> - -<p><strong>PRINTER</strong> -<p>If no printer name is specified to printable services, most systems -will use the value of this variable (or "lp" if this variable is not -defined) as the name of the printer to use. This is not specific to -the server, however. -<p><a name="INSTALLATION"></a> -<h2>INSTALLATION</h2> - -<p>The location of the server and its support files is a matter for -individual system administrators. The following are thus suggestions -only. -<p>It is recommended that the server software be installed under the -/usr/local/samba hierarchy, in a directory readable by all, writeable -only by root. The server program itself should be executable by all, -as users may wish to run the server themselves (in which case it will -of course run with their privileges). The server should NOT be -setuid. On some systems it may be worthwhile to make smbd setgid to an -empty group. This is because some systems may have a security hole -where daemon processes that become a user can be attached to with a -debugger. Making the smbd file setgid to an empty group may prevent -this hole from being exploited. This security hole and the suggested -fix has only been confirmed on old versions (pre-kernel 2.0) of Linux -at the time this was written. It is possible that this hole only -exists in Linux, as testing on other systems has thus far shown them -to be immune. -<p>The server log files should be put in a directory readable and -writeable only by root, as the log files may contain sensitive -information. -<p>The configuration file should be placed in a directory readable and -writeable only by root, as the configuration file controls security for -the services offered by the server. The configuration file can be made -readable by all if desired, but this is not necessary for correct -operation of the server and is not recommended. A sample configuration -file "smb.conf.sample" is supplied with the source to the server - -this may be renamed to "smb.conf" and modified to suit your needs. -<p>The remaining notes will assume the following: -<p><dl> -<p><li > <strong>smbd</strong> (the server program) installed in /usr/local/samba/bin -<p><li > <strong>smb.conf</strong> (the configuration file) installed in /usr/local/samba/lib -<p><li > log files stored in /var/adm/smblogs -<p></dl> -<p>The server may be run either as a daemon by users or at startup, or it -may be run from a meta-daemon such as inetd upon request. If run as a -daemon, the server will always be ready, so starting sessions will be -faster. If run from a meta-daemon some memory will be saved and -utilities such as the tcpd TCP-wrapper may be used for extra security. -For serious use as file server it is recommended that <strong>smbd</strong> be run -as a daemon. -<p>When you've decided, continue with either -<a href="smbd.8.html#RUNNINGTHESERVERASADAEMON">RUNNING THE SERVER AS A DAEMON</a> or -<a href="smbd.8.html#RUNNINGTHESERVERONREQUEST">RUNNING THE SERVER ON REQUEST</a>. -<p><a name="RUNNINGTHESERVERASADAEMON"></a> -<h2>RUNNING THE SERVER AS A DAEMON</h2> - -<p>To run the server as a daemon from the command line, simply put the -<a href="smbd.8.html#minusD"><strong>-D</strong></a> option on the command line. There is no need to place an -ampersand at the end of the command line - the <a href="smbd.8.html#minusD"><strong>-D</strong></a> option causes -the server to detach itself from the tty anyway. -<p>Any user can run the server as a daemon (execute permissions -permitting, of course). This is useful for testing purposes, and may -even be useful as a temporary substitute for something like ftp. When -run this way, however, the server will only have the privileges of the -user who ran it. -<p>To ensure that the server is run as a daemon whenever the machine is -started, and to ensure that it runs as root so that it can serve -multiple clients, you will need to modify the system startup -files. Wherever appropriate (for example, in /etc/rc), insert the -following line, substituting port number, log file location, -configuration file location and debug level as desired: -<p><code>/usr/local/samba/bin/smbd -D -l /var/adm/smblogs/log -s /usr/local/samba/lib/smb.conf</code> -<p>(The above should appear in your initialization script as a single line. -Depending on your terminal characteristics, it may not appear that way in -this man page. If the above appears as more than one line, please treat any -newlines or indentation as a single space or TAB character.) -<p>If the options used at compile time are appropriate for your system, -all parameters except <a href="smbd.8.html#minusD"><strong>-D</strong></a> may be -omitted. See the section <a href="smbd.8.html#OPTIONS">OPTIONS</a> above. -<p><a name="RUNNINGTHESERVERONREQUEST"></a> -<h2>RUNNING THE SERVER ON REQUEST</h2> - -<p>If your system uses a meta-daemon such as <strong>inetd</strong>, you can arrange to -have the smbd server started whenever a process attempts to connect to -it. This requires several changes to the startup files on the host -machine. If you are experimenting as an ordinary user rather than as -root, you will need the assistance of your system administrator to -modify the system files. -<p>You will probably want to set up the NetBIOS name server <a href="nmbd.8.html"><strong>nmbd</strong></a> at -the same time as <strong>smbd</strong>. To do this refer to the man page for -<a href="nmbd.8.html"><strong>nmbd (8)</strong></a>. -<p>First, ensure that a port is configured in the file <code>/etc/services</code>. The -well-known port 139 should be used if possible, though any port may be -used. -<p>Ensure that a line similar to the following is in <code>/etc/services</code>: -<p><code>netbios-ssn 139/tcp</code> -<p>Note for NIS/YP users - you may need to rebuild the NIS service maps -rather than alter your local <code>/etc/services file</code>. -<p>Next, put a suitable line in the file <code>/etc/inetd.conf</code> (in the unlikely -event that you are using a meta-daemon other than inetd, you are on -your own). Note that the first item in this line matches the service -name in <code>/etc/services</code>. Substitute appropriate values for your system -in this line (see <strong>inetd (8)</strong>): -<p><code>netbios-ssn stream tcp nowait root /usr/local/samba/bin/smbd -d1 -l/var/adm/smblogs/log -s/usr/local/samba/lib/smb.conf</code> -<p>(The above should appear in <code>/etc/inetd.conf</code> as a single -line. Depending on your terminal characteristics, it may not appear -that way in this man page. If the above appears as more than one -line, please treat any newlines or indentation as a single space or -TAB character.) -<p>Note that there is no need to specify a port number here, even if you -are using a non-standard port number. -<p>Lastly, edit the configuration file to provide suitable services. To -start with, the following two services should be all you need: -<p><pre> - - -[homes] - writeable = yes - -[printers] - writeable = no - printable = yes - path = /tmp - public = yes - - -</pre> - -<p>This will allow you to connect to your home directory and print to any -printer supported by the host (user privileges permitting). -<p><a name="TESTINGTHEINSTALLATION"></a> -<h2>TESTING THE INSTALLATION</h2> - -<p>If running the server as a daemon, execute it before proceeding. If -using a meta-daemon, either restart the system or kill and restart the -meta-daemon. Some versions of inetd will reread their configuration -tables if they receive a HUP signal. -<p>If your machine's name is "fred" and your name is "mary", you should -now be able to connect to the service <code>\\fred\mary</code>. -<p>To properly test and experiment with the server, we recommend using -the smbclient program (see -<a href="smbclient.1.html"><strong>smbclient (1)</strong></a>) and also going through -the steps outlined in the file <em>DIAGNOSIS.txt</em> in the <em>docs/</em> -directory of your Samba installation. -<p><a name="VERSION"></a> -<h2>VERSION</h2> - -<p>This man page is correct for version 2.0 of the Samba suite. -<p><a name="DIAGNOSTICS"></a> -<h2>DIAGNOSTICS</h2> - -<p>Most diagnostics issued by the server are logged in a specified log -file. The log file name is specified at compile time, but may be -overridden on the command line. -<p>The number and nature of diagnostics available depends on the debug -level used by the server. If you have problems, set the debug level to -3 and peruse the log files. -<p>Most messages are reasonably self-explanatory. Unfortunately, at the time -this man page was created, there are too many diagnostics available -in the source code to warrant describing each and every diagnostic. At -this stage your best bet is still to grep the source code and inspect -the conditions that gave rise to the diagnostics you are seeing. -<p><a name="SIGNALS"></a> -<h2>SIGNALS</h2> - -<p>Sending the smbd a SIGHUP will cause it to re-load its smb.conf -configuration file within a short period of time. -<p>To shut down a users smbd process it is recommended that SIGKILL (-9) -<em>NOT</em> be used, except as a last resort, as this may leave the shared -memory area in an inconsistent state. The safe way to terminate an -smbd is to send it a SIGTERM (-15) signal and wait for it to die on -its own. -<p>The debug log level of smbd may be raised -by sending it a SIGUSR1 <code>(kill -USR1 <smbd-pid>)</code> and lowered by -sending it a SIGUSR2 <code>(kill -USR2 <smbd-pid>)</code>. This is to allow -transient problems to be diagnosed, whilst still running at a normally -low log level. -<p>Note that as the signal handlers send a debug write, they are not -re-entrant in smbd. This you should wait until smbd is in a state of -waiting for an incoming smb before issuing them. It is possible to -make the signal handlers safe by un-blocking the signals before the -select call and re-blocking them after, however this would affect -performance. -<p><a name="SEEALSO"></a> -<h2>SEE ALSO</h2> - -<p><strong>hosts_access (5)</strong>, <strong>inetd (8)</strong>, <a href="nmbd.8.html"><strong>nmbd (8)</strong></a>, -<a href="smb.conf.5.html"><strong>smb.conf (5)</strong></a>, <a href="smbclient.1.html"><strong>smbclient -(1)</strong></a>, <a href="testparm.1.html"><strong>testparm (1)</strong></a>, -<a href="testprns.1.html"><strong>testprns (1)</strong></a>, and the Internet RFC's -<strong>rfc1001.txt</strong>, <strong>rfc1002.txt</strong>. In addition the CIFS (formerly SMB) -specification is available as a link from the Web page : -<a href="http://samba.org/cifs/">http://samba.org/cifs/</a>. -<p><a name="AUTHOR"></a> -<h2>AUTHOR</h2> - -<p>The original Samba software and related utilities were created by -Andrew Tridgell <a href="mailto:samba@samba.org"><em>samba@samba.org</em></a>. Samba is now developed -by the Samba Team as an Open Source project similar to the way the -Linux kernel is developed. -<p>The original Samba man pages were written by Karl Auer. The man page -sources were converted to YODL format (another excellent piece of Open -Source software, available at -<a href="ftp://ftp.icce.rug.nl/pub/unix/"><strong>ftp://ftp.icce.rug.nl/pub/unix/</strong></a>) -and updated for the Samba2.0 release by Jeremy Allison. -<a href="mailto:samba@samba.org"><em>samba@samba.org</em></a>. -<p>See <a href="samba.7.html"><strong>samba (7)</strong></a> to find out how to get a full list of contributors -and details on how to submit bug reports, comments etc. -</body> -</html> + [printers] + writeable = no + printable = yes + path = /tmp + public = yes + </TT +> + </PRE +><P +>This will allow you to connect to your home directory + and print to any printer supported by the host (user privileges + permitting).</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN223" +></A +><H2 +>TESTING THE INSTALLATION</H2 +><P +>If running the server as a daemon, execute it before + proceeding. If using a meta-daemon, either restart the system + or kill and restart the meta-daemon. Some versions of + <B +CLASS="COMMAND" +>inetd</B +> will reread their configuration + tables if they receive a HUP signal.</P +><P +>If your machine's name is fred and your + name is mary, you should now be able to connect + to the service <TT +CLASS="FILENAME" +>\\fred\mary</TT +>. + </P +><P +>To properly test and experiment with the server, we + recommend using the <B +CLASS="COMMAND" +>smbclient</B +> program (see + <A +HREF="smbclient.1.html" +TARGET="_top" +><B +CLASS="COMMAND" +>smbclient(1)</B +></A +>) + and also going through the steps outlined in the file + <TT +CLASS="FILENAME" +>DIAGNOSIS.txt</TT +> in the <TT +CLASS="FILENAME" +>docs/</TT +> + directory of your Samba installation.</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN235" +></A +><H2 +>VERSION</H2 +><P +>This man page is correct for version 2.2 of + the Samba suite.</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN238" +></A +><H2 +>DIAGNOSTICS</H2 +><P +>Most diagnostics issued by the server are logged + in a specified log file. The log file name is specified + at compile time, but may be overridden on the command line.</P +><P +>The number and nature of diagnostics available depends + on the debug level used by the server. If you have problems, set + the debug level to 3 and peruse the log files.</P +><P +>Most messages are reasonably self-explanatory. Unfortunately, + at the time this man page was created, there are too many diagnostics + available in the source code to warrant describing each and every + diagnostic. At this stage your best bet is still to grep the + source code and inspect the conditions that gave rise to the + diagnostics you are seeing.</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN243" +></A +><H2 +>SIGNALS</H2 +><P +>Sending the smbd a SIGHUP will cause it to + re-load its <TT +CLASS="FILENAME" +>smb.conf</TT +> configuration + file within a short period of time.</P +><P +>To shut down a users smbd process it is recommended + that <B +CLASS="COMMAND" +>SIGKILL (-9)</B +> <I +CLASS="EMPHASIS" +>NOT</I +> + be used, except as a last resort, as this may leave the shared + memory area in an inconsistent state. The safe way to terminate + an smbd is to send it a SIGTERM (-15) signal and wait for + it to die on its own.</P +><P +>The debug log level of smbd may be raised by sending + it a SIGUSR1 (<B +CLASS="COMMAND" +>kill -USR1 <smbd-pid></B +>) + and lowered by sending it a SIGUSR2 (<B +CLASS="COMMAND" +>kill -USR2 <smbd-pid> + </B +>). This is to allow transient problems to be diagnosed, + whilst still running at a normally low log level.</P +><P +>Note that as the signal handlers send a debug write, + they are not re-entrant in smbd. This you should wait until + smbd is in a state of waiting for an incoming smb before + issuing them. It is possible to make the signal handlers safe + by un-blocking the signals before the select call and re-blocking + them after, however this would affect performance.</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN254" +></A +><H2 +>SEE ALSO</H2 +><P +>hosts_access(5), <B +CLASS="COMMAND" +>inetd(8)</B +>, + <A +HREF="nmbd.8.html" +TARGET="_top" +><B +CLASS="COMMAND" +>nmbd(8)</B +></A +>, + <A +HREF="smb.conf.5.html" +TARGET="_top" +><TT +CLASS="FILENAME" +>smb.conf(5)</TT +> + </A +>, <A +HREF="smbclient.1.html" +TARGET="_top" +><B +CLASS="COMMAND" +>smbclient(1) + </B +></A +>, <A +HREF="testparm.1.html" +TARGET="_top" +><B +CLASS="COMMAND" +> testparm(1)</B +></A +>, <A +HREF="testprns.1.html" +TARGET="_top" +> <B +CLASS="COMMAND" +>testprns(1)</B +></A +>, and the Internet RFC's + <TT +CLASS="FILENAME" +>rfc1001.txt</TT +>, <TT +CLASS="FILENAME" +>rfc1002.txt</TT +>. + In addition the CIFS (formerly SMB) specification is available + as a link from the Web page <A +HREF="http://samba.org/cifs/" +TARGET="_top" +> + http://samba.org/cifs/</A +>.</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN271" +></A +><H2 +>AUTHOR</H2 +><P +>The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed.</P +><P +>The original Samba man pages were written by Karl Auer. + The man page sources were converted to YODL format (another + excellent piece of Open Source software, available at + <A +HREF="ftp://ftp.icce.rug.nl/pub/unix/" +TARGET="_top" +> ftp://ftp.icce.rug.nl/pub/unix/</A +>) and updated for the Samba 2.0 + release by Jeremy Allison. The conversion to DocBook for + Samba 2.2 was done by Gerald Carter</P +></DIV +></BODY +></HTML +>
\ No newline at end of file diff --git a/docs/htmldocs/smbpasswd.5.html b/docs/htmldocs/smbpasswd.5.html index 29690227909..4ec7b7c86a3 100644 --- a/docs/htmldocs/smbpasswd.5.html +++ b/docs/htmldocs/smbpasswd.5.html @@ -1,195 +1,326 @@ - - - - - - -<html><head><title>smbpasswd (5)</title> - -<link rev="made" href="mailto:samba@samba.org"> -</head> -<body> - -<hr> - -<h1>smbpasswd (5)</h1> -<h2>Samba</h2> -<h2>23 Oct 1998</h2> - - - -<p><a name="NAME"></a> -<h2>NAME</h2> - smbpasswd - The Samba encrypted password file -<p><a name="SYNOPSIS"></a> -<h2>SYNOPSIS</h2> - -<p>smbpasswd is the <strong>Samba</strong> encrypted password file. -<p><a name="DESCRIPTION"></a> -<h2>DESCRIPTION</h2> - -<p>This file is part of the <strong>Samba</strong> suite. -<p>smbpasswd is the <strong>Samba</strong> encrypted password file. It contains -the username, Unix user id and the SMB hashed passwords of the -user, as well as account flag information and the time the password -was last changed. This file format has been evolving with Samba -and has had several different formats in the past. -<p><a name="FILEFORMAT"></a> -<h2>FILE FORMAT</h2> - -<p>The format of the smbpasswd file used by Samba 2.0 is very similar to -the familiar Unix <strong>passwd (5)</strong> file. It is an ASCII file containing -one line for each user. Each field within each line is separated from -the next by a colon. Any entry beginning with # is ignored. The -smbpasswd file contains the following information for each user: -<p><dl> -<p><a name="name"></a> -<p></p><dt><strong><strong>name</strong></strong><dd> <br> <br> -<p>This is the user name. It must be a name that already exists - in the standard UNIX passwd file. -<p><a name="uid"></a> -<p></p><dt><strong><strong>uid</strong></strong><dd> <br> <br> -<p>This is the UNIX uid. It must match the uid field for the same - user entry in the standard UNIX passwd file. If this does not - match then Samba will refuse to recognize this <strong>smbpasswd</strong> file entry - as being valid for a user. -<p><a name="LanmanPasswordHash"></a> -<p></p><dt><strong><strong>Lanman Password Hash</strong></strong><dd> <br> <br> -<p>This is the <em>LANMAN</em> hash of the users password, encoded as 32 hex - digits. The <em>LANMAN</em> hash is created by DES encrypting a well known - string with the users password as the DES key. This is the same - password used by Windows 95/98 machines. Note that this password hash - is regarded as weak as it is vulnerable to dictionary attacks and if - two users choose the same password this entry will be identical (i.e. - the password is not <em>"salted"</em> as the UNIX password is). If the - user has a null password this field will contain the characters - <code>"NO PASSWORD"</code> as the start of the hex string. If the hex string - is equal to 32 <code>'X'</code> characters then the users account is marked as - <em>disabled</em> and the user will not be able to log onto the Samba - server. -<p><em>WARNING !!</em>. Note that, due to the challenge-response nature of the - SMB/CIFS authentication protocol, anyone with a knowledge of this - password hash will be able to impersonate the user on the network. - For this reason these hashes are known as <em>"plain text equivalent"</em> - and must <em>NOT</em> be made available to anyone but the root user. To - protect these passwords the <strong>smbpasswd</strong> file is placed in a - directory with read and traverse access only to the root user and the - <strong>smbpasswd</strong> file itself must be set to be read/write only by root, - with no other access. -<p><a name="NTPasswordHash"></a> -<p></p><dt><strong><strong>NT Password Hash</strong></strong><dd> <br> <br> -<p>This is the <em>Windows NT</em> hash of the users password, encoded as 32 - hex digits. The <em>Windows NT</em> hash is created by taking the users - password as represented in 16-bit, little-endian UNICODE and then - applying the <em>MD4</em> (internet rfc1321) hashing algorithm to it. -<p>This password hash is considered more secure than the <a href="smbpasswd.5.html#LanmanPasswordHash"><strong>Lanman - Password Hash</strong></a> as it preserves the case of the - password and uses a much higher quality hashing algorithm. However, it - is still the case that if two users choose the same password this - entry will be identical (i.e. the password is not <em>"salted"</em> as the - UNIX password is). -<p><em>WARNING !!</em>. Note that, due to the challenge-response nature of the - SMB/CIFS authentication protocol, anyone with a knowledge of this - password hash will be able to impersonate the user on the network. - For this reason these hashes are known as <em>"plain text equivalent"</em> - and must <em>NOT</em> be made available to anyone but the root user. To - protect these passwords the <strong>smbpasswd</strong> file is placed in a - directory with read and traverse access only to the root user and the - <strong>smbpasswd</strong> file itself must be set to be read/write only by root, - with no other access. -<p><a name="AccountFlags"></a> -<p></p><dt><strong><strong>Account Flags</strong></strong><dd> <br> <br> -<p>This section contains flags that describe the attributes of the users - account. In the <strong>Samba2.0</strong> release this field is bracketed by <code>'['</code> - and <code>']'</code> characters and is always 13 characters in length (including - the <code>'['</code> and <code>']'</code> characters). The contents of this field may be - any of the characters. -<p><dl> -<p><a name="capU"></a> - <li > <strong>'U'</strong> This means this is a <em>"User"</em> account, i.e. an ordinary - user. Only <strong>User</strong> and <a href="smbpasswd.5.html#capW"><strong>Workstation Trust</strong></a> accounts are - currently supported in the <strong>smbpasswd</strong> file. -<p><a name="capN"></a> - <li > <strong>'N'</strong> This means the account has <em>no</em> password (the passwords - in the fields <a href="smbpasswd.5.html#LanmanPasswordHash"><strong>Lanman Password Hash</strong></a> and - <a href="smbpasswd.5.html#NTPasswordHash"><strong>NT Password Hash</strong></a> are ignored). Note that this - will only allow users to log on with no password if the - <a href="smb.conf.5.html#nullpasswords"><strong>null passwords</strong></a> parameter is set - in the <a href="smb.conf.5.html"><strong>smb.conf (5)</strong></a> config file. -<p><a name="capD"></a> - <li > <strong>'D'</strong> This means the account is disabled and no SMB/CIFS logins - will be allowed for this user. -<p><a name="capW"></a> - <li > <strong>'W'</strong> This means this account is a <em>"Workstation Trust"</em> account. - This kind of account is used in the Samba PDC code stream to allow Windows - NT Workstations and Servers to join a Domain hosted by a Samba PDC. -<p></dl> -<p>Other flags may be added as the code is extended in future. The rest of - this field space is filled in with spaces. -<p><a name="LastChangeTime"></a> -<p></p><dt><strong><strong>Last Change Time</strong></strong><dd> <br> <br> -<p>This field consists of the time the account was last modified. It consists of - the characters <code>LCT-</code> (standing for <em>"Last Change Time"</em>) followed by a numeric - encoding of the UNIX time in seconds since the epoch (1970) that the last change - was made. -<p><p></p><dt><strong><strong>Following fields</strong></strong><dd> <br> <br> -<p>All other colon separated fields are ignored at this time. -<p></dl> -<p><a name="NOTES"></a> -<h2>NOTES</h2> - -<p>In previous versions of Samba (notably the 1.9.18 series) this file -did not contain the <a href="smbpasswd.5.html#AccountFlags"><strong>Account Flags</strong></a> or -<a href="smbpasswd.5.html#LastChangeTime"><strong>Last Change Time</strong></a> fields. The Samba 2.0 -code will read and write these older password files but will not be able to -modify the old entries to add the new fields. New entries added with -<a href="smbpasswd.8.html"><strong>smbpasswd (8)</strong></a> will contain the new fields -in the added accounts however. Thus an older <strong>smbpasswd</strong> file used -with Samba 2.0 may end up with some accounts containing the new fields -and some not. -<p>In order to convert from an old-style <strong>smbpasswd</strong> file to a new -style, run the script <strong>convert_smbpasswd</strong>, installed in the -Samba <code>bin/</code> directory (the same place that the <a href="smbd.8.html"><strong>smbd</strong></a> -and <a href="nmbd.8.html"><strong>nmbd</strong></a> binaries are installed) as follows: -<p><pre> - - - cat old_smbpasswd_file | convert_smbpasswd > new_smbpasswd_file - - -</pre> - -<p>The <strong>convert_smbpasswd</strong> script reads from stdin and writes to stdout -so as not to overwrite any files by accident. -<p>Once this script has been run, check the contents of the new smbpasswd -file to ensure that it has not been damaged by the conversion script -(which uses <strong>awk</strong>), and then replace the <code><old smbpasswd file></code> -with the <code><new smbpasswd file></code>. -<p><a name="VERSION"></a> -<h2>VERSION</h2> - -<p>This man page is correct for version 2.0 of the Samba suite. -<p><a name="SEEALSO"></a> -<h2>SEE ALSO</h2> - -<p><a href="smbpasswd.8.html"><strong>smbpasswd (8)</strong></a>, <a href="samba.7.html"><strong>samba -(7)</strong></a>, and the Internet RFC1321 for details on the MD4 -algorithm. -<p><a name="AUTHOR"></a> -<h2>AUTHOR</h2> - -<p>The original Samba software and related utilities were created by -Andrew Tridgell <a href="mailto:samba@samba.org"><em>samba@samba.org</em></a>. Samba is now developed -by the Samba Team as an Open Source project similar to the way the -Linux kernel is developed. -<p>The original Samba man pages were written by Karl Auer. The man page -sources were converted to YODL format (another excellent piece of Open -Source software, available at -<a href="ftp://ftp.icce.rug.nl/pub/unix/"><strong>ftp://ftp.icce.rug.nl/pub/unix/</strong></a>) -and updated for the Samba2.0 release by Jeremy -Allison, <a href="mailto:samba@samba.org"><em>samba@samba.org</em></a>. -<p>See <a href="samba.7.html"><strong>samba (7)</strong></a> to find out how to get a full -list of contributors and details on how to submit bug reports, -comments etc. -</body> -</html> +<HTML +><HEAD +><TITLE +>smbpasswd</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.57"></HEAD +><BODY +CLASS="REFENTRY" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><H1 +><A +NAME="SMBPASSWD" +>smbpasswd</A +></H1 +><DIV +CLASS="REFNAMEDIV" +><A +NAME="AEN5" +></A +><H2 +>Name</H2 +>smbpasswd -- The Samba encrypted password file</DIV +><DIV +CLASS="REFSYNOPSISDIV" +><A +NAME="AEN8" +></A +><H2 +>Synopsis</H2 +><P +><TT +CLASS="FILENAME" +>smbpasswd</TT +></P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN11" +></A +><H2 +>DESCRIPTION</H2 +><P +>This tool is part of the <A +HREF="samba.7.html" +TARGET="_top" +> Samba</A +> suite.</P +><P +>smbpasswd is the Samba encrypted password file. It contains + the username, Unix user id and the SMB hashed passwords of the + user, as well as account flag information and the time the + password was last changed. This file format has been evolving with + Samba and has had several different formats in the past. </P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN16" +></A +><H2 +>FILE FORMAT</H2 +><P +>The format of the smbpasswd file used by Samba 2.2 + is very similar to the familiar Unix <TT +CLASS="FILENAME" +>passwd(5)</TT +> + file. It is an ASCII file containing one line for each user. Each field + ithin each line is separated from the next by a colon. Any entry + beginning with '#' is ignored. The smbpasswd file contains the + following information for each user: </P +><P +></P +><DIV +CLASS="VARIABLELIST" +><DL +><DT +>name</DT +><DD +><P +> This is the user name. It must be a name that + already exists in the standard UNIX passwd file. </P +></DD +><DT +>uid</DT +><DD +><P +>This is the UNIX uid. It must match the uid + field for the same user entry in the standard UNIX passwd file. + If this does not match then Samba will refuse to recognize + this smbpasswd file entry as being valid for a user. + </P +></DD +><DT +>Lanman Password Hash</DT +><DD +><P +>This is the LANMAN hash of the users password, + encoded as 32 hex digits. The LANMAN hash is created by DES + encrypting a well known string with the users password as the + DES key. This is the same password used by Windows 95/98 machines. + Note that this password hash is regarded as weak as it is + vulnerable to dictionary attacks and if two users choose the + same password this entry will be identical (i.e. the password + is not "salted" as the UNIX password is). If the user has a + null password this field will contain the characters "NO PASSWORD" + as the start of the hex string. If the hex string is equal to + 32 'X' characters then the users account is marked as + <TT +CLASS="CONSTANT" +>disabled</TT +> and the user will not be able to + log onto the Samba server. </P +><P +><I +CLASS="EMPHASIS" +>WARNING !!</I +> Note that, due to + the challenge-response nature of the SMB/CIFS authentication + protocol, anyone with a knowledge of this password hash will + be able to impersonate the user on the network. For this + reason these hashes are known as <I +CLASS="EMPHASIS" +>plain text + equivalents</I +> and must <I +CLASS="EMPHASIS" +>NOT</I +> be made + available to anyone but the root user. To protect these passwords + the smbpasswd file is placed in a directory with read and + traverse access only to the root user and the smbpasswd file + itself must be set to be read/write only by root, with no + other access. </P +></DD +><DT +>NT Password Hash</DT +><DD +><P +>This is the Windows NT hash of the users + password, encoded as 32 hex digits. The Windows NT hash is + created by taking the users password as represented in + 16-bit, little-endian UNICODE and then applying the MD4 + (internet rfc1321) hashing algorithm to it. </P +><P +>This password hash is considered more secure than + the Lanman Password Hash as it preserves the case of the + password and uses a much higher quality hashing algorithm. + However, it is still the case that if two users choose the same + password this entry will be identical (i.e. the password is + not "salted" as the UNIX password is). </P +><P +><I +CLASS="EMPHASIS" +>WARNING !!</I +>. Note that, due to + the challenge-response nature of the SMB/CIFS authentication + protocol, anyone with a knowledge of this password hash will + be able to impersonate the user on the network. For this + reason these hashes are known as <I +CLASS="EMPHASIS" +>plain text + equivalents</I +> and must <I +CLASS="EMPHASIS" +>NOT</I +> be made + available to anyone but the root user. To protect these passwords + the smbpasswd file is placed in a directory with read and + traverse access only to the root user and the smbpasswd file + itself must be set to be read/write only by root, with no + other access. </P +></DD +><DT +>Account Flags</DT +><DD +><P +>This section contains flags that describe + the attributes of the users account. In the Samba 2.2 release + this field is bracketed by '[' and ']' characters and is always + 13 characters in length (including the '[' and ']' characters). + The contents of this field may be any of the characters. + </P +><P +></P +><UL +><LI +><P +><I +CLASS="EMPHASIS" +>U</I +> - This means + this is a "User" account, i.e. an ordinary user. Only User + and Workstation Trust accounts are currently supported + in the smbpasswd file. </P +></LI +><LI +><P +><I +CLASS="EMPHASIS" +>N</I +> - This means the + account has no password (the passwords in the fields Lanman + Password Hash and NT Password Hash are ignored). Note that this + will only allow users to log on with no password if the <TT +CLASS="PARAMETER" +><I +> null passwords</I +></TT +> parameter is set in the <A +HREF="smb.conf.5.html#NULLPASSWORDS" +TARGET="_top" +><TT +CLASS="FILENAME" +>smb.conf(5) + </TT +></A +> config file. </P +></LI +><LI +><P +><I +CLASS="EMPHASIS" +>D</I +> - This means the account + is disabled and no SMB/CIFS logins will be allowed for + this user. </P +></LI +><LI +><P +><I +CLASS="EMPHASIS" +>W</I +> - This means this account + is a "Workstation Trust" account. This kind of account is used + in the Samba PDC code stream to allow Windows NT Workstations + and Servers to join a Domain hosted by a Samba PDC. </P +></LI +></UL +><P +>Other flags may be added as the code is extended in future. + The rest of this field space is filled in with spaces. </P +></DD +><DT +>Last Change Time</DT +><DD +><P +>This field consists of the time the account was + last modified. It consists of the characters 'LCT-' (standing for + "Last Change Time") followed by a numeric encoding of the UNIX time + in seconds since the epoch (1970) that the last change was made. + </P +></DD +></DL +></DIV +><P +>All other colon separated fields are ignored at this time.</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN73" +></A +><H2 +>VERSION</H2 +><P +>This man page is correct for version 2.2 of + the Samba suite.</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN76" +></A +><H2 +>SEE ALSO</H2 +><P +><A +HREF="smbpasswd.8.html" +TARGET="_top" +><B +CLASS="COMMAND" +>smbpasswd(8)</B +></A +>, + <A +HREF="samba.7.html" +TARGET="_top" +>samba(7)</A +>, and + the Internet RFC1321 for details on the MD4 algorithm. + </P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN82" +></A +><H2 +>AUTHOR</H2 +><P +>The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed.</P +><P +>The original Samba man pages were written by Karl Auer. + The man page sources were converted to YODL format (another + excellent piece of Open Source software, available at + <A +HREF="ftp://ftp.icce.rug.nl/pub/unix/" +TARGET="_top" +> ftp://ftp.icce.rug.nl/pub/unix/</A +>) and updated for the Samba 2.0 + release by Jeremy Allison. The conversion to DocBook for + Samba 2.2 was done by Gerald Carter</P +></DIV +></BODY +></HTML +>
\ No newline at end of file diff --git a/docs/htmldocs/smbpasswd.8.html b/docs/htmldocs/smbpasswd.8.html index a0f4577b08c..8fb2c580e77 100644 --- a/docs/htmldocs/smbpasswd.8.html +++ b/docs/htmldocs/smbpasswd.8.html @@ -1,281 +1,636 @@ - - - - - - -<html><head><title>smbpasswd (8)</title> - -<link rev="made" href="mailto:samba@samba.org"> -</head> -<body> - -<hr> - -<h1>smbpasswd (8)</h1> -<h2>Samba</h2> -<h2>23 Oct 1998</h2> - - - -<p><a name="NAME"></a> -<h2>NAME</h2> - smbpasswd - change a users SMB password -<p><a name="SYNOPSIS"></a> -<h2>SYNOPSIS</h2> - -<p><strong>smbpasswd</strong> [<a href="smbpasswd.8.html#minusa">-a</a>] [<a href="smbpasswd.8.html#minusx">-x</a>] [<a href="smbpasswd.8.html#minusd">-d</a>] [<a href="smbpasswd.8.html#minuse">-e</a>] [<a href="smbpasswd.8.html#minusD">-D debug level</a>] [<a href="smbpasswd.8.html#minusn">-n</a>] [<a href="smbpasswd.8.html#minusr">-r remote_machine</a>] [<a href="smbpasswd.8.html#minusR">-R name resolve order</a>] [<a href="smbpasswd.8.html#minusm">-m</a>] [<a href="smbpasswd.8.html#minusj">-j DOMAIN</a>] [<a href="smbpasswd.8.html#minusU">-U username</a>] [<a href="smbpasswd.8.html#minush">-h</a>] [<a href="smbpasswd.8.html#minuss">-s</a>] <a href="smbpasswd.8.html#username">username</a> -<p><a name="DESCRIPTION"></a> -<h2>DESCRIPTION</h2> - -<p>This program is part of the <strong>Samba</strong> suite. -<p>The <strong>smbpasswd</strong> program has several different functions, depending -on whether it is run by the <em>root</em> user or not. When run as a normal -user it allows the user to change the password used for their SMB -sessions on any machines that store SMB passwords. -<p>By default (when run with no arguments) it will attempt to change the -current users SMB password on the local machine. This is similar to -the way the <strong>passwd (1)</strong> program works. <strong>smbpasswd</strong> differs from how -the <strong>passwd</strong> program works however in that it is not <em>setuid root</em> -but works in a client-server mode and communicates with a locally -running <a href="smbd.8.html"><strong>smbd</strong></a>. As a consequence in order for this -to succeed the <a href="smbd.8.html"><strong>smbd</strong></a> daemon must be running on -the local machine. On a UNIX machine the encrypted SMB passwords are -usually stored in the <a href="smbpasswd.5.html"><strong>smbpasswd (5)</strong></a> file. -<p>When run by an ordinary user with no options. <strong>smbpasswd</strong> will -prompt them for their old smb password and then ask them for their new -password twice, to ensure that the new password was typed -correctly. No passwords will be echoed on the screen whilst being -typed. If you have a blank smb password (specified by the string "NO -PASSWORD" in the <a href="smbpasswd.5.html"><strong>smbpasswd</strong></a> file) then just -press the <Enter> key when asked for your old password. -<p><strong>smbpasswd</strong> can also be used by a normal user to change their SMB -password on remote machines, such as Windows NT Primary Domain -Controllers. See the <a href="smbpasswd.8.html#minusr">(<strong>-r</strong>)</a> and -<a href="smbpasswd.8.html#minusU"><strong>-U</strong></a> options below. -<p>When run by root, <strong>smbpasswd</strong> allows new users to be added and -deleted in the <a href="smbpasswd.5.html"><strong>smbpasswd</strong></a> file, as well as -allows changes to the attributes of the user in this file to be made. When -run by root, <strong>smbpasswd</strong> accesses the local -<a href="smbpasswd.5.html"><strong>smbpasswd</strong></a> file directly, thus enabling -changes to be made even if <a href="smbd.8.html"><strong>smbd</strong></a> is not running. -<p><a name="OPTIONS"></a> -<h2>OPTIONS</h2> - -<p><dl> -<p><a name="minusa"></a> -<p></p><dt><strong><strong>-a</strong></strong><dd> This option specifies that the username following should -be added to the local <a href="smbpasswd.5.html"><strong>smbpasswd</strong></a> file, with -the new password typed (type <Enter> for the old password). This -option is ignored if the username following already exists in the -<a href="smbpasswd.5.html"><strong>smbpasswd</strong></a> file and it is treated like a -regular change password command. Note that the user to be added -<strong>must</strong> already exist in the system password file (usually /etc/passwd) -else the request to add the user will fail. -<p>This option is only available when running <strong>smbpasswd</strong> as -root. -<p><a name="minusx"></a> -<p></p><dt><strong><strong>-x</strong></strong><dd> This option specifies that the username following should -be deleted from the local <a href="smbpasswd.5.html"><strong>smbpasswd</strong></a> file. -<p>This option is only available when running <strong>smbpasswd</strong> as -root. -<p><a name="minusd"></a> -<p></p><dt><strong><strong>-d</strong></strong><dd> This option specifies that the username following should be -<em>disabled</em> in the local <a href="smbpasswd.5.html"><strong>smbpasswd</strong></a> file. -This is done by writing a <em>'D'</em> flag into the account control space -in the <a href="smbpasswd.5.html"><strong>smbpasswd</strong></a> file. Once this is done -all attempts to authenticate via SMB using this username will fail. -<p>If the <a href="smbpasswd.5.html"><strong>smbpasswd</strong></a> file is in the 'old' -format (pre-Samba 2.0 format) there is no space in the users password -entry to write this information and so the user is disabled by writing -'X' characters into the password space in the -<a href="smbpasswd.5.html"><strong>smbpasswd</strong></a> file. See <a href="smbpasswd.5.html"><strong>smbpasswd -(5)</strong></a> for details on the 'old' and new password file -formats. -<p>This option is only available when running <strong>smbpasswd</strong> as root. -<p><a name="minuse"></a> -<p></p><dt><strong><strong>-e</strong></strong><dd> This option specifies that the username following should be -<em>enabled</em> in the local <a href="smbpasswd.5.html"><strong>smbpasswd</strong></a> file, -if the account was previously disabled. If the account was not -disabled this option has no effect. Once the account is enabled -then the user will be able to authenticate via SMB once again. -<p>If the smbpasswd file is in the 'old' format then <strong>smbpasswd</strong> will -prompt for a new password for this user, otherwise the account will be -enabled by removing the <em>'D'</em> flag from account control space in the -<a href="smbpasswd.5.html"><strong>smbpasswd</strong></a> file. See <a href="smbpasswd.5.html"><strong>smbpasswd -(5)</strong></a> for details on the 'old' and new password file -formats. -<p>This option is only available when running <strong>smbpasswd</strong> as root. -<p><a name="minusD"></a> -<p></p><dt><strong><strong>-D debuglevel</strong></strong><dd> debuglevel is an integer from 0 -to 10. The default value if this parameter is not specified is zero. -<p>The higher this value, the more detail will be logged to the log files -about the activities of smbpasswd. At level 0, only critical errors -and serious warnings will be logged. -<p>Levels above 1 will generate considerable amounts of log data, and -should only be used when investigating a problem. Levels above 3 are -designed for use only by developers and generate HUGE amounts of log -data, most of which is extremely cryptic. -<p><a name="minusn"></a> -<p></p><dt><strong><strong>-n</strong></strong><dd> This option specifies that the username following should -have their password set to null (i.e. a blank password) in the local -<a href="smbpasswd.5.html"><strong>smbpasswd</strong></a> file. This is done by writing the -string "NO PASSWORD" as the first part of the first password stored in -the <a href="smbpasswd.5.html"><strong>smbpasswd</strong></a> file. -<p>Note that to allow users to logon to a Samba server once the password -has been set to "NO PASSWORD" in the -<a href="smbpasswd.5.html"><strong>smbpasswd</strong></a> file the administrator must set -the following parameter in the [global] section of the -<a href="smb.conf.5.html"><strong>smb.conf</strong></a> file : -<p><a href="smb.conf.5.html#nullpasswords">null passwords = true</a> -<p>This option is only available when running <strong>smbpasswd</strong> as root. -<p><a name="minusr"></a> -<p></p><dt><strong><strong>-r remote machine name</strong></strong><dd> This option allows a -user to specify what machine they wish to change their password -on. Without this parameter <strong>smbpasswd</strong> defaults to the local -host. The <em>"remote machine name"</em> is the NetBIOS name of the -SMB/CIFS server to contact to attempt the password change. This name -is resolved into an IP address using the standard name resolution -mechanism in all programs of the <a href="samba.7.html"><strong>Samba</strong></a> -suite. See the <a href="smbpasswd.8.html#minusR"><strong>-R name resolve order</strong></a> parameter for details on changing this resolving -mechanism. -<p>The username whose password is changed is that of the current UNIX -logged on user. See the <a href="smbpasswd.8.html#minusU"><strong>-U username</strong></a> -parameter for details on changing the password for a different -username. -<p>Note that if changing a Windows NT Domain password the remote machine -specified must be the Primary Domain Controller for the domain (Backup -Domain Controllers only have a read-only copy of the user account -database and will not allow the password change). -<p><em>Note</em> that Windows 95/98 do not have a real password database -so it is not possible to change passwords specifying a Win95/98 -machine as remote machine target. -<p><a name="minusR"></a> -<p></p><dt><strong><strong>-R name resolve order</strong></strong><dd> This option allows the user of -smbclient to determine what name resolution services to use when -looking up the NetBIOS name of the host being connected to. -<p>The options are :<a href="smbpasswd.8.html#lmhosts">"lmhosts"</a>, <a href="smbpasswd.8.html#host">"host"</a>, -<a href="smbpasswd.8.html#wins">"wins"</a> and <a href="smbpasswd.8.html#bcast">"bcast"</a>. They cause names to be -resolved as follows : -<p><dl> -<p><a name="lmhosts"></a> -<li > <strong>lmhosts</strong> : Lookup an IP address in the Samba lmhosts file. -<p><a name="host"></a> -<li > <strong>host</strong> : Do a standard host name to IP address resolution, -using the system /etc/hosts, NIS, or DNS lookups. This method of name -resolution is operating system dependent. For instance on IRIX or -Solaris, this may be controlled by the <em>/etc/nsswitch.conf</em> file). -<p><a name="wins"></a> -<li > <strong>wins</strong> : Query a name with the IP address listed in the -<a href="smb.conf.5.html#winsserver"><strong>wins server</strong></a> parameter in the -<a href="smb.conf.5.html"><strong>smb.conf file</strong></a>. If -no WINS server has been specified this method will be ignored. -<p><a name="bcast"></a> -<li > <strong>bcast</strong> : Do a broadcast on each of the known local interfaces -listed in the <a href="smb.conf.5.html#interfaces"><strong>interfaces</strong></a> parameter -in the smb.conf file. This is the least reliable of the name resolution -methods as it depends on the target host being on a locally connected -subnet. -<p></dl> -<p>If this parameter is not set then the name resolve order defined -in the <a href="smb.conf.5.html"><strong>smb.conf</strong></a> file parameter -<a href="smb.conf.5.html#nameresolveorder"><strong>name resolve order</strong></a> -will be used. -<p>The default order is lmhosts, host, wins, bcast and without this -parameter or any entry in the <a href="smb.conf.5.html"><strong>smb.conf</strong></a> -file the name resolution methods will be attempted in this order. -<p><a name="minusm"></a> -<p></p><dt><strong><strong>-m</strong></strong><dd> This option tells <strong>smbpasswd</strong> that the account being -changed is a <em>MACHINE</em> account. Currently this is used when Samba is -being used as an NT Primary Domain Controller. PDC support is not a -supported feature in Samba2.0 but will become supported in a later -release. If you wish to know more about using Samba as an NT PDC then -please subscribe to the mailing list -<a href="mailto:samba-ntdom@samba.org"><em>samba-ntdom@samba.org</em></a>. -<p>This option is only available when running <strong>smbpasswd</strong> as root. -<p><a name="minusj"></a> -<p></p><dt><strong><strong>-j DOMAIN</strong></strong><dd> This option is used to add a Samba server into a -Windows NT Domain, as a Domain member capable of authenticating user -accounts to any Domain Controller in the same way as a Windows NT -Server. See the <a href="smb.conf.5.html#security"><strong>security=domain</strong></a> -option in the <a href="smb.conf.5.html"><strong>smb.conf (5)</strong></a> man page. -<p>In order to be used in this way, the Administrator for the Windows -NT Domain must have used the program <em>"Server Manager for Domains"</em> -to add the <a href="smb.conf.5.html#netbiosname">primary NetBIOS name</a> of -the Samba server as a member of the Domain. -<p>After this has been done, to join the Domain invoke <strong>smbpasswd</strong> with -this parameter. <strong>smbpasswd</strong> will then look up the Primary Domain -Controller for the Domain (found in the -<a href="smb.conf.5.html"><strong>smb.conf</strong></a> file in the parameter -<a href="smb.conf.5.html#passwordserver"><strong>password server</strong></a> and change -the machine account password used to create the secure Domain -communication. This password is then stored by <strong>smbpasswd</strong> in a -file, read only by root, called <code><Domain>.<Machine>.mac</code> where -<code><Domain></code> is the name of the Domain we are joining and <code><Machine></code> -is the primary NetBIOS name of the machine we are running on. -<p>Once this operation has been performed the -<a href="smb.conf.5.html"><strong>smb.conf</strong></a> file may be updated to set the -<a href="smb.conf.5.html#security"><strong>security=domain</strong></a> option and all -future logins to the Samba server will be authenticated to the Windows -NT PDC. -<p>Note that even though the authentication is being done to the PDC all -users accessing the Samba server must still have a valid UNIX account -on that machine. -<p>This option is only available when running <strong>smbpasswd</strong> as root. -<p><a name="minusU"></a> -<p></p><dt><strong><strong>-U username</strong></strong><dd> This option may only be used in -conjunction with the <a href="smbpasswd.8.html#minusr"><strong>-r</strong></a> -option. When changing a password on a remote machine it allows the -user to specify the user name on that machine whose password will be -changed. It is present to allow users who have different user names on -different systems to change these passwords. -<p><a name="minush"></a> -<p></p><dt><strong><strong>-h</strong></strong><dd> This option prints the help string for <strong>smbpasswd</strong>, -selecting the correct one for running as root or as an ordinary user. -<p><a name="minuss"></a> -<p></p><dt><strong><strong>-s</strong></strong><dd> This option causes <strong>smbpasswd</strong> to be silent (i.e. not -issue prompts) and to read it's old and new passwords from standard -input, rather than from <code>/dev/tty</code> (like the <strong>passwd (1)</strong> program -does). This option is to aid people writing scripts to drive <strong>smbpasswd</strong> -<p><a name="username"></a> -<p></p><dt><strong><strong>username</strong></strong><dd> This specifies the username for all of the <em>root -only</em> options to operate on. Only root can specify this parameter as -only root has the permission needed to modify attributes directly -in the local <a href="smbpasswd.5.html"><strong>smbpasswd</strong></a> file. -<p><a name="NOTES"></a> -<h2>NOTES</h2> - -<p>Since <strong>smbpasswd</strong> works in client-server mode communicating with a -local <a href="smbd.8.html"><strong>smbd</strong></a> for a non-root user then the <strong>smbd</strong> -daemon must be running for this to work. A common problem is to add a -restriction to the hosts that may access the <strong>smbd</strong> running on the -local machine by specifying a <a href="smb.conf.5.html#allowhosts"><strong>"allow -hosts"</strong></a> or <a href="smb.conf.5.html#denyhosts"><strong>"deny -hosts"</strong></a> entry in the -<a href="smb.conf.5.html"><strong>smb.conf</strong></a> file and neglecting to allow -<em>"localhost"</em> access to the <strong>smbd</strong>. -<p>In addition, the <strong>smbpasswd</strong> command is only useful if <strong>Samba</strong> has -been set up to use encrypted passwords. See the file <strong>ENCRYPTION.txt</strong> -in the docs directory for details on how to do this. -<p><a name="VERSION"></a> -<h2>VERSION</h2> - -<p>This man page is correct for version 2.0 of the Samba suite. -<p><a name="AUTHOR"></a> -<h2>AUTHOR</h2> - -<p>The original Samba software and related utilities were created by -Andrew Tridgell <a href="mailto:samba@samba.org"><em>samba@samba.org</em></a>. Samba is now developed -by the Samba Team as an Open Source project similar to the way the -Linux kernel is developed. -<p>The original Samba man pages were written by Karl Auer. The man page -sources were converted to YODL format (another excellent piece of Open -Source software, available at -<a href="ftp://ftp.icce.rug.nl/pub/unix/"><strong>ftp://ftp.icce.rug.nl/pub/unix/</strong></a>) -and updated for the Samba2.0 release by Jeremy Allison. -<a href="mailto:samba@samba.org"><em>samba@samba.org</em></a>. -<p>See <a href="samba.7.html"><strong>samba (7)</strong></a> to find out how to get a full -list of contributors and details on how to submit bug reports, -comments etc. -</body> -</html> +<HTML +><HEAD +><TITLE +>smbpasswd</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.57"></HEAD +><BODY +CLASS="REFENTRY" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><H1 +><A +NAME="SMBPASSWD" +>smbpasswd</A +></H1 +><DIV +CLASS="REFNAMEDIV" +><A +NAME="AEN5" +></A +><H2 +>Name</H2 +>smbpasswd -- change a users SMB password</DIV +><DIV +CLASS="REFSYNOPSISDIV" +><A +NAME="AEN8" +></A +><H2 +>Synopsis</H2 +><P +><B +CLASS="COMMAND" +>smbpasswd</B +> [-a] [-x] [-d] [-e] [-D debuglevel] [-n] [-r <remote machine>] [-R <name resolve order>] [-m] [-j DOMAIN] [-U username] [-h] [-s] [username]</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN25" +></A +><H2 +>DESCRIPTION</H2 +><P +>This tool is part of the <A +HREF="samba.7.html" +TARGET="_top" +> Samba</A +> suite.</P +><P +>The smbpasswd program has several different + functions, depending on whether it is run by the <I +CLASS="EMPHASIS" +>root</I +> + user or not. When run as a normal user it allows the user to change + the password used for their SMB sessions on any machines that store + SMB passwords. </P +><P +>By default (when run with no arguments) it will attempt to + change the current users SMB password on the local machine. This is + similar to the way the <B +CLASS="COMMAND" +>passwd(1)</B +> program works. + <B +CLASS="COMMAND" +>smbpasswd</B +> differs from how the passwd program works + however in that it is not <I +CLASS="EMPHASIS" +>setuid root</I +> but works in + a client-server mode and communicates with a locally running + <B +CLASS="COMMAND" +>smbd(8)</B +>. As a consequence in order for this to + succeed the smbd daemon must be running on the local machine. On a + UNIX machine the encrypted SMB passwords are usually stored in + the <TT +CLASS="FILENAME" +>smbpasswd(5)</TT +> file. </P +><P +>When run by an ordinary user with no options. smbpasswd + will prompt them for their old smb password and then ask them + for their new password twice, to ensure that the new password + was typed correctly. No passwords will be echoed on the screen + whilst being typed. If you have a blank smb password (specified by + the string "NO PASSWORD" in the smbpasswd file) then just press + the <Enter> key when asked for your old password. </P +><P +>smbpasswd can also be used by a normal user to change their + SMB password on remote machines, such as Windows NT Primary Domain + Controllers. See the (-r) and -U options below. </P +><P +>When run by root, smbpasswd allows new users to be added + and deleted in the smbpasswd file, as well as allows changes to + the attributes of the user in this file to be made. When run by root, + <B +CLASS="COMMAND" +>smbpasswd</B +> accesses the local smbpasswd file + directly, thus enabling changes to be made even if smbd is not + running. </P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN41" +></A +><H2 +>OPTIONS</H2 +><P +></P +><DIV +CLASS="VARIABLELIST" +><DL +><DT +>-a</DT +><DD +><P +>This option specifies that the username + following should be added to the local smbpasswd file, with the + new password typed (type <Enter> for the old password). This + option is ignored if the username following already exists in + the smbpasswd file and it is treated like a regular change + password command. Note that the user to be added must already exist + in the system password file (usually <TT +CLASS="FILENAME" +>/etc/passwd</TT +>) + else the request to add the user will fail. </P +><P +>This option is only available when running smbpasswd + as root. </P +></DD +><DT +>-x</DT +><DD +><P +>This option specifies that the username + following should be deleted from the local smbpasswd file. + </P +><P +>This option is only available when running smbpasswd as + root.</P +></DD +><DT +>-d</DT +><DD +><P +>This option specifies that the username following + should be <TT +CLASS="CONSTANT" +>disabled</TT +> in the local smbpasswd + file. This is done by writing a <TT +CLASS="CONSTANT" +>'D'</TT +> flag + into the account control space in the smbpasswd file. Once this + is done all attempts to authenticate via SMB using this username + will fail. </P +><P +>If the smbpasswd file is in the 'old' format (pre-Samba 2.0 + format) there is no space in the users password entry to write + this information and so the user is disabled by writing 'X' characters + into the password space in the smbpasswd file. See <B +CLASS="COMMAND" +>smbpasswd(5) + </B +> for details on the 'old' and new password file formats. + </P +><P +>This option is only available when running smbpasswd as + root.</P +></DD +><DT +>-e</DT +><DD +><P +>This option specifies that the username following + should be <TT +CLASS="CONSTANT" +>enabled</TT +> in the local smbpasswd file, + if the account was previously disabled. If the account was not + disabled this option has no effect. Once the account is enabled then + the user will be able to authenticate via SMB once again. </P +><P +>If the smbpasswd file is in the 'old' format, then <B +CLASS="COMMAND" +> smbpasswd</B +> will prompt for a new password for this user, + otherwise the account will be enabled by removing the <TT +CLASS="CONSTANT" +>'D' + </TT +> flag from account control space in the <TT +CLASS="FILENAME" +> smbpasswd</TT +> file. See <B +CLASS="COMMAND" +>smbpasswd (5)</B +> for + details on the 'old' and new password file formats. </P +><P +>This option is only available when running smbpasswd as root. + </P +></DD +><DT +>-D debuglevel</DT +><DD +><P +><TT +CLASS="PARAMETER" +><I +>debuglevel</I +></TT +> is an integer + from 0 to 10. The default value if this parameter is not specified + is zero. </P +><P +>The higher this value, the more detail will be logged to the + log files about the activities of smbpasswd. At level 0, only + critical errors and serious warnings will be logged. </P +><P +>Levels above 1 will generate considerable amounts of log + data, and should only be used when investigating a problem. Levels + above 3 are designed for use only by developers and generate + HUGE amounts of log data, most of which is extremely cryptic. + </P +></DD +><DT +>-n</DT +><DD +><P +>This option specifies that the username following + should have their password set to null (i.e. a blank password) in + the local smbpasswd file. This is done by writing the string "NO + PASSWORD" as the first part of the first password stored in the + smbpasswd file. </P +><P +>Note that to allow users to logon to a Samba server once + the password has been set to "NO PASSWORD" in the smbpasswd + file the administrator must set the following parameter in the [global] + section of the <TT +CLASS="FILENAME" +>smb.conf</TT +> file : </P +><P +><B +CLASS="COMMAND" +>null passwords = yes</B +></P +><P +>This option is only available when running smbpasswd as + root.</P +></DD +><DT +>-r remote machine name</DT +><DD +><P +>This option allows a user to specify what machine + they wish to change their password on. Without this parameter + smbpasswd defaults to the local host. The <TT +CLASS="REPLACEABLE" +><I +>remote + machine name</I +></TT +> is the NetBIOS name of the SMB/CIFS + server to contact to attempt the password change. This name is + resolved into an IP address using the standard name resolution + mechanism in all programs of the Samba suite. See the <TT +CLASS="PARAMETER" +><I +>-R + name resolve order</I +></TT +> parameter for details on changing + this resolving mechanism. </P +><P +>The username whose password is changed is that of the + current UNIX logged on user. See the <TT +CLASS="PARAMETER" +><I +>-U username</I +></TT +> + parameter for details on changing the password for a different + username. </P +><P +>Note that if changing a Windows NT Domain password the + remote machine specified must be the Primary Domain Controller for + the domain (Backup Domain Controllers only have a read-only + copy of the user account database and will not allow the password + change).</P +><P +><I +CLASS="EMPHASIS" +>Note</I +> that Windows 95/98 do not have + a real password database so it is not possible to change passwords + specifying a Win95/98 machine as remote machine target. </P +></DD +><DT +>-R name resolve order</DT +><DD +><P +>This option allows the user of smbclient to determine + what name resolution services to use when looking up the NetBIOS + name of the host being connected to. </P +><P +>The options are :"lmhosts", "host", "wins" and "bcast". They cause + names to be resolved as follows : </P +><P +></P +><UL +><LI +><P +><TT +CLASS="CONSTANT" +>lmhosts</TT +> : Lookup an IP + address in the Samba lmhosts file. If the line in lmhosts has + no name type attached to the NetBIOS name (see the <A +HREF="lmhosts.5.html" +TARGET="_top" +>lmhosts(5)</A +> for details) then + any name type matches for lookup.</P +></LI +><LI +><P +><TT +CLASS="CONSTANT" +>host</TT +> : Do a standard host + name to IP address resolution, using the system <TT +CLASS="FILENAME" +>/etc/hosts + </TT +>, NIS, or DNS lookups. This method of name resolution + is operating system depended for instance on IRIX or Solaris this + may be controlled by the <TT +CLASS="FILENAME" +>/etc/nsswitch.conf</TT +> + file). Note that this method is only used if the NetBIOS name + type being queried is the 0x20 (server) name type, otherwise + it is ignored.</P +></LI +><LI +><P +><TT +CLASS="CONSTANT" +>wins</TT +> : Query a name with + the IP address listed in the <TT +CLASS="PARAMETER" +><I +>wins server</I +></TT +> + parameter. If no WINS server has been specified this method + will be ignored.</P +></LI +><LI +><P +><TT +CLASS="CONSTANT" +>bcast</TT +> : Do a broadcast on + each of the known local interfaces listed in the + <TT +CLASS="PARAMETER" +><I +>interfaces</I +></TT +> parameter. This is the least + reliable of the name resolution methods as it depends on the + target host being on a locally connected subnet.</P +></LI +></UL +><P +>The default order is <B +CLASS="COMMAND" +>lmhosts, host, wins, bcast</B +> + and without this parameter or any entry in the + <TT +CLASS="FILENAME" +>smb.conf</TT +> file the name resolution methods will + be attempted in this order. </P +></DD +><DT +>-m</DT +><DD +><P +>This option tells smbpasswd that the account + being changed is a MACHINE account. Currently this is used + when Samba is being used as an NT Primary Domain Controller.</P +><P +>This option is only available when running smbpasswd as root. + </P +></DD +><DT +>-j DOMAIN</DT +><DD +><P +>This option is used to add a Samba server + into a Windows NT Domain, as a Domain member capable of authenticating + user accounts to any Domain Controller in the same way as a Windows + NT Server. See the <B +CLASS="COMMAND" +>security = domain</B +> option in + the <TT +CLASS="FILENAME" +>smb.conf(5)</TT +> man page. </P +><P +>In order to be used in this way, the Administrator for + the Windows NT Domain must have used the program "Server Manager + for Domains" to add the primary NetBIOS name of the Samba server + as a member of the Domain. </P +><P +>After this has been done, to join the Domain invoke <B +CLASS="COMMAND" +> smbpasswd</B +> with this parameter. smbpasswd will then + look up the Primary Domain Controller for the Domain (found in + the <TT +CLASS="FILENAME" +>smb.conf</TT +> file in the parameter + <TT +CLASS="PARAMETER" +><I +>password server</I +></TT +> and change the machine account + password used to create the secure Domain communication. This + password is then stored by smbpasswd in a TDB, writeable only by root, + called <TT +CLASS="FILENAME" +>secrets.tdb</TT +> </P +><P +>Once this operation has been performed the <TT +CLASS="FILENAME" +> smb.conf</TT +> file may be updated to set the <B +CLASS="COMMAND" +> security = domain</B +> option and all future logins + to the Samba server will be authenticated to the Windows NT + PDC. </P +><P +>Note that even though the authentication is being + done to the PDC all users accessing the Samba server must still + have a valid UNIX account on that machine. </P +><P +>This option is only available when running smbpasswd as root. + </P +></DD +><DT +>-U username</DT +><DD +><P +>This option may only be used in conjunction + with the <TT +CLASS="PARAMETER" +><I +>-r</I +></TT +> option. When changing + a password on a remote machine it allows the user to specify + the user name on that machine whose password will be changed. It + is present to allow users who have different user names on + different systems to change these passwords. </P +></DD +><DT +>-h</DT +><DD +><P +>This option prints the help string for <B +CLASS="COMMAND" +> smbpasswd</B +>, selecting the correct one for running as root + or as an ordinary user. </P +></DD +><DT +>-s</DT +><DD +><P +>This option causes smbpasswd to be silent (i.e. + not issue prompts) and to read it's old and new passwords from + standard input, rather than from <TT +CLASS="FILENAME" +>/dev/tty</TT +> + (like the <B +CLASS="COMMAND" +>passwd(1)</B +> program does). This option + is to aid people writing scripts to drive smbpasswd</P +></DD +><DT +>username</DT +><DD +><P +>This specifies the username for all of the + <I +CLASS="EMPHASIS" +>root only</I +> options to operate on. Only root + can specify this parameter as only root has the permission needed + to modify attributes directly in the local smbpasswd file. + </P +></DD +></DL +></DIV +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN171" +></A +><H2 +>NOTES</H2 +><P +>Since <B +CLASS="COMMAND" +>smbpasswd</B +> works in client-server + mode communicating with a local smbd for a non-root user then + the smbd daemon must be running for this to work. A common problem + is to add a restriction to the hosts that may access the <B +CLASS="COMMAND" +> smbd</B +> running on the local machine by specifying a + <TT +CLASS="PARAMETER" +><I +>allow hosts</I +></TT +> or <TT +CLASS="PARAMETER" +><I +>deny hosts</I +></TT +> + entry in the <TT +CLASS="FILENAME" +>smb.conf</TT +> file and neglecting to + allow "localhost" access to the smbd. </P +><P +>In addition, the smbpasswd command is only useful if Samba + has been set up to use encrypted passwords. See the file + <TT +CLASS="FILENAME" +>ENCRYPTION.txt</TT +> in the docs directory for details + on how to do this. </P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN181" +></A +><H2 +>VERSION</H2 +><P +>This man page is correct for version 2.2 of + the Samba suite.</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN184" +></A +><H2 +>SEE ALSO</H2 +><P +><A +HREF="smbpasswd.5.html" +TARGET="_top" +><TT +CLASS="FILENAME" +>smbpasswd(5)</TT +></A +>, + <A +HREF="samba.7.html" +TARGET="_top" +>samba(7)</A +> + </P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN190" +></A +><H2 +>AUTHOR</H2 +><P +>The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed.</P +><P +>The original Samba man pages were written by Karl Auer. + The man page sources were converted to YODL format (another + excellent piece of Open Source software, available at + <A +HREF="ftp://ftp.icce.rug.nl/pub/unix/" +TARGET="_top" +> ftp://ftp.icce.rug.nl/pub/unix/</A +>) and updated for the Samba 2.0 + release by Jeremy Allison. The conversion to DocBook for + Samba 2.2 was done by Gerald Carter</P +></DIV +></BODY +></HTML +>
\ No newline at end of file diff --git a/docs/htmldocs/smbrun.1.html b/docs/htmldocs/smbrun.1.html index 16133fcb220..95de5bebdf5 100644 --- a/docs/htmldocs/smbrun.1.html +++ b/docs/htmldocs/smbrun.1.html @@ -1,86 +1,215 @@ - - - - - - -<html><head><title>smbrun (1)</title> - -<link rev="made" href="mailto:samba@samba.org"> -</head> -<body> - -<hr> - -<h1>smbrun (1)</h1> -<h2>Samba</h2> -<h2>23 Oct 1998</h2> - - - -<p><a name="NAME"></a> -<h2>NAME</h2> - smbrun - interface program between smbd and external programs -<p><a name="SYNOPSIS"></a> -<h2>SYNOPSIS</h2> - -<p><strong>smbrun</strong> <a href="smbrun.1.html#shellcommand">shell-command</a> -<p><a name="DESCRIPTION"></a> -<h2>DESCRIPTION</h2> - -<p>This program is part of the <strong>Samba</strong> suite. -<p><strong>smbrun</strong> is a very small 'glue' program, which runs shell commands -for the <a href="smbd.8.html"><strong>smbd</strong></a> daemon <a href="smbd.8.html"><strong>smbd -(8)</strong></a>. -<p>It first changes to the highest effective user and group ID that it -can, then runs the command line provided using the system() call. This -program is necessary to allow some operating systems to run external -programs as non-root. -<p><a name="OPTIONS"></a> -<h2>OPTIONS</h2> - -<p><dl> -<p><a name="shellcommand"></a> -<p></p><dt><strong><strong>shell-command</strong></strong><dd> The shell command to execute. The command -should have a fully-qualified path. -<p></dl> -<p><a name="ENVIRONMENTVARIABLES"></a> -<h2>ENVIRONMENT VARIABLES</h2> - -<p>The <em>PATH</em> variable set for the environment in which <strong>smbrun</strong> is -executed will affect what executables are located and executed if a -fully-qualified path is not given in the command. -<p><a name="DIAGNOSTICS"></a> -<h2>DIAGNOSTICS</h2> - -<p>If <strong>smbrun</strong> cannot be located or cannot be executed by -<a href="smbd.8.html"><strong>smbd</strong></a> then appropriate messages will be found in -the <a href="smbd.8.html"><strong>smbd</strong></a> logs. Other diagnostics are dependent -on the shell-command being run. It is advisable for your shell -commands to issue suitable diagnostics to aid trouble-shooting. -<p><a name="VERSION"></a> -<h2>VERSION</h2> - -<p>This man page is correct for version 2.0 of the Samba suite. -<p><a name="SEEALSO"></a> -<h2>SEE ALSO</h2> - -<p><a href="smb.conf.5.html"><strong>smb.conf (5)</strong></a>, <a href="smbd.8.html"><strong>smbd (8)</strong></a> -<p><a name="AUTHOR"></a> -<h2>AUTHOR</h2> - -<p>The original Samba software and related utilities were created by -Andrew Tridgell <a href="mailto:samba@samba.org"><em>samba@samba.org</em></a>. Samba is now developed -by the Samba Team as an Open Source project similar to the way the -Linux kernel is developed. -<p>The original Samba man pages were written by Karl Auer. The man page -sources were converted to YODL format (another excellent piece of Open -Source software, available at -<a href="ftp://ftp.icce.rug.nl/pub/unix/"><strong>ftp://ftp.icce.rug.nl/pub/unix/</strong></a>) -and updated for the Samba2.0 release by Jeremy Allison. -<a href="mailto:samba@samba.org"><em>samba@samba.org</em></a>. -<p>See <a href="samba.7.html"><strong>samba (7)</strong></a> to find out how to get a full -list of contributors and details on how to submit bug reports, -comments etc. -</body> -</html> +<HTML +><HEAD +><TITLE +>smbrun</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.57"></HEAD +><BODY +CLASS="REFENTRY" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><H1 +><A +NAME="FINDSMB" +>smbrun</A +></H1 +><DIV +CLASS="REFNAMEDIV" +><A +NAME="AEN5" +></A +><H2 +>Name</H2 +>smbrun -- interface program between smbd and external + programs</DIV +><DIV +CLASS="REFSYNOPSISDIV" +><A +NAME="AEN8" +></A +><H2 +>Synopsis</H2 +><P +><B +CLASS="COMMAND" +>smbrun</B +> {<shell command>}</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN12" +></A +><H2 +>DESCRIPTION</H2 +><P +>This tool is part of the <A +HREF="samba.7.html" +TARGET="_top" +> Samba</A +> suite.</P +><P +><B +CLASS="COMMAND" +>smbrun</B +> is a very small 'glue' program, + which runs shell commands for the <A +HREF="smbd.8.html" +TARGET="_top" +><B +CLASS="COMMAND" +> smbd(8)</B +></A +> daemon.</P +><P +>It first changes to the highest effective user and group + ID that it can, then runs the command line provided using the + system() call. This program is necessary to allow some operating + systems to run external programs as non-root.</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN21" +></A +><H2 +>OPTIONS</H2 +><P +></P +><DIV +CLASS="VARIABLELIST" +><DL +><DT +>shell command</DT +><DD +><P +>The shell command to execute. The + command should have a fully-qualified path.</P +></DD +></DL +></DIV +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN28" +></A +><H2 +>ENVIRONMENT VARIABLES</H2 +><P +>The <TT +CLASS="PARAMETER" +><I +>PATH</I +></TT +> variable set for the + environment in which <B +CLASS="COMMAND" +>smbrun</B +> is executed will affect + what executables are located and executed if a fully-qualified path + is not given in the command.</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN33" +></A +><H2 +>DIAGNOSTICS</H2 +><P +>If <B +CLASS="COMMAND" +>smbrun</B +> cannot be located or cannot + be executed by <A +HREF="smbd.8.html" +TARGET="_top" +><B +CLASS="COMMAND" +>smbd(8)</B +> + </A +>, then appropriate messages will be found in the <B +CLASS="COMMAND" +> smbd</B +> logs. Other diagnostics are dependent on the shell-command + being run. It is advisable for your shell commands to issue suitable + diagnostics to aid trouble-shooting.</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN40" +></A +><H2 +>VERSION</H2 +><P +>This man page is correct for version 2.2 of + the Samba suite.</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN43" +></A +><H2 +>SEE ALSO</H2 +><P +><A +HREF="nmbd.8.html" +TARGET="_top" +><B +CLASS="COMMAND" +>nmbd(8)</B +></A +>, + <A +HREF="smbclient.1.html" +TARGET="_top" +><B +CLASS="COMMAND" +>smbclient(1) + </B +></A +>, and <A +HREF="nmblookup.1.html" +TARGET="_top" +> <B +CLASS="COMMAND" +>nmblookup(1)</B +></A +> + </P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN52" +></A +><H2 +>AUTHOR</H2 +><P +>The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed.</P +><P +>The original Samba man pages were written by Karl Auer. + The man page sources were converted to YODL format (another + excellent piece of Open Source software, available at + <A +HREF="ftp://ftp.icce.rug.nl/pub/unix/" +TARGET="_top" +> ftp://ftp.icce.rug.nl/pub/unix/</A +>) and updated for the Samba 2.0 + release by Jeremy Allison. The conversion to DocBook for + Samba 2.2 was done by Gerald Carter</P +></DIV +></BODY +></HTML +>
\ No newline at end of file diff --git a/docs/htmldocs/smbsh.1.html b/docs/htmldocs/smbsh.1.html index ac5162b306e..1264e241ba4 100644 --- a/docs/htmldocs/smbsh.1.html +++ b/docs/htmldocs/smbsh.1.html @@ -1,91 +1,237 @@ - - - - - - -<html><head><title>smbsh (1)</title> - -<link rev="made" href="mailto:samba@samba.org"> -</head> -<body> - -<hr> - -<h1>smbsh (1)</h1> -<h2>Samba</h2> -<h2>23 Oct 1998</h2> - - - -<p><a name="NAME"></a> -<h2>NAME</h2> - smbsh - Allows access to Windows NT filesystem using UNIX commands -<p><a name="SYNOPSIS"></a> -<h2>SYNOPSIS</h2> - -<p><strong>smbsh</strong> -<p><a name="DESCRIPTION"></a> -<h2>DESCRIPTION</h2> - -<p>This program is part of the <strong>Samba</strong> suite. -<p><strong>smbsh</strong> allows you to access an NT filesystem using UNIX commands -such as <strong>ls</strong>, <strong>egrep</strong>, and <strong>rcp</strong>. You must use a shell that -is dynmanically linked in order for <strong>smbsh</strong> to work correctly. -<p>To use the <strong>smbsh</strong> command, execute <strong>smbsh</strong> from the prompt and -enter the username and password that authenticate you to the -machine running the Windows NT operating system. -<p><pre> - -system% smbsh -Username: user -Password: - -</pre> - -<p>Any dynamically linked command you execute from this shell will -access the <strong>/smb</strong> directory using the smb protocol. -For example, the command -<p><code>ls /smb</code> -<p>will show all the machines in your workgroup. -The command -<p><code>ls /smb/<machine-name></code> -<p>will show the share names for that machine. You could then, for example, use the -<strong>cd</strong> command to change directories, <strong>vi</strong> to edit files, and <strong>rcp</strong> - to copy files. -<p><a name="VERSION"></a> -<h2>VERSION</h2> - -<p>This man page is correct for the 2.0.3 of the Samba suite. -<p><a name="BUGS"></a> -<h2>BUGS</h2> - -<p><strong>smbsh</strong> works by intercepting the standard libc calls with the dynamically loaded -versions in <strong>smbwrapper.o</strong>. Not all calls have been "wrapped" so some programs -may not function correctly under <strong>smbsh</strong>. -<p>Programs which are not dynamically linked cannot make use of <strong>smbsh</strong>'s -functionality. Most versions of UNIX have a <strong>file</strong> command that will describe how -a program was linked. -<p><a name="SEEALSO"></a> -<h2>SEE ALSO</h2> - -<p><a href="smb.conf.5.html"><strong>smb.conf (5)</strong></a>, -<a href="smbd.8.html"><strong>smbd (8)</strong></a>. -<p><a name="AUTHOR"></a> -<h2>AUTHOR</h2> - -<p>The original Samba software and related utilities were created by -Andrew Tridgell (samba@samba.org). Samba is now developed -by the Samba Team as an Open Source project similar to the way the -Linux kernel is developed. -<p>The original Samba man pages were written by Karl Auer. The man page -sources were converted to YODL format (another excellent piece of Open -Source software, available at -<a href="ftp://ftp.icce.rug.nl/pub/unix/"><strong>ftp://ftp.icce.rug.nl/pub/unix/</strong></a>) -and updated for the Samba2.0 release by Jeremy Allison. -<a href="mailto:samba@samba.org"><em>samba@samba.org</em></a>. -<p>See <a href="samba.7.html"><strong>samba (7)</strong></a> to find out how to get a full -list of contributors and details on how to submit bug reports, -comments etc. -<p></body> -</html> +<HTML +><HEAD +><TITLE +>smbsh</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.57"></HEAD +><BODY +CLASS="REFENTRY" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><H1 +><A +NAME="FINDSMB" +>smbsh</A +></H1 +><DIV +CLASS="REFNAMEDIV" +><A +NAME="AEN5" +></A +><H2 +>Name</H2 +>smbsh -- Allows access to Windows NT filesystem + using UNIX commands</DIV +><DIV +CLASS="REFSYNOPSISDIV" +><A +NAME="AEN8" +></A +><H2 +>Synopsis</H2 +><P +><B +CLASS="COMMAND" +>smbsh</B +> </P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN11" +></A +><H2 +>DESCRIPTION</H2 +><P +>This tool is part of the <A +HREF="samba.7.html" +TARGET="_top" +> Samba</A +> suite.</P +><P +><B +CLASS="COMMAND" +>smbsh</B +> allows you to access an NT filesystem + using UNIX commands such as <B +CLASS="COMMAND" +>ls</B +>, <B +CLASS="COMMAND" +> egrep</B +>, and <B +CLASS="COMMAND" +>rcp</B +>. You must use a + shell that is dynmanically linked in order for <B +CLASS="COMMAND" +>smbsh</B +> + to work correctly.</P +><P +>To use the <B +CLASS="COMMAND" +>smbsh</B +> command, execute <B +CLASS="COMMAND" +> smbsh</B +> from the prompt and enter the username and password + that authenticate you to the machine running the Windows NT + operating system.</P +><P +><PRE +CLASS="PROGRAMLISTING" +> <TT +CLASS="PROMPT" +>system% </TT +><TT +CLASS="USERINPUT" +><B +>smbsh</B +></TT +> + <TT +CLASS="PROMPT" +>Username: </TT +><TT +CLASS="USERINPUT" +><B +>user</B +></TT +> + <TT +CLASS="PROMPT" +>Password: </TT +><TT +CLASS="USERINPUT" +><B +>XXXXXXX</B +></TT +> + </PRE +></P +><P +>Any dynamically linked command you execute from + this shell will access the <TT +CLASS="FILENAME" +>/smb</TT +> directory + using the smb protocol. For example, the command <B +CLASS="COMMAND" +>ls /smb + </B +> will show all the machines in your workgroup. The command + <B +CLASS="COMMAND" +>ls /smb/<machine-name></B +> will show the share + names for that machine. You could then, for example, use the <B +CLASS="COMMAND" +> cd</B +> command to change directories, <B +CLASS="COMMAND" +>vi</B +> to + edit files, and <B +CLASS="COMMAND" +>rcp</B +> to copy files.</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN39" +></A +><H2 +>VERSION</H2 +><P +>This man page is correct for version 2.2 of + the Samba suite.</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN42" +></A +><H2 +>BUGS</H2 +><P +><B +CLASS="COMMAND" +>smbsh</B +> works by intercepting the standard + libc calls with the dynamically loaded versions in <TT +CLASS="FILENAME" +> smbwrapper.o</TT +>. Not all calls have been "wrapped", so + some programs may not function correctly under <B +CLASS="COMMAND" +>smbsh + </B +>.</P +><P +>Programs which are not dynamically linked cannot make + use of <B +CLASS="COMMAND" +>smbsh</B +>'s functionality. Most versions + of UNIX have a <B +CLASS="COMMAND" +>file</B +> command that will + describe how a program was linked.</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN51" +></A +><H2 +>SEE ALSO</H2 +><P +><A +HREF="smbd.8.html" +TARGET="_top" +><B +CLASS="COMMAND" +>smbd(8)</B +></A +>, + <A +HREF="smb.conf.5.html" +TARGET="_top" +>smb.conf(5)</A +> + </P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN57" +></A +><H2 +>AUTHOR</H2 +><P +>The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed.</P +><P +>The original Samba man pages were written by Karl Auer. + The man page sources were converted to YODL format (another + excellent piece of Open Source software, available at + <A +HREF="ftp://ftp.icce.rug.nl/pub/unix/" +TARGET="_top" +> ftp://ftp.icce.rug.nl/pub/unix/</A +>) and updated for the Samba 2.0 + release by Jeremy Allison. The conversion to DocBook for + Samba 2.2 was done by Gerald Carter</P +></DIV +></BODY +></HTML +>
\ No newline at end of file diff --git a/docs/htmldocs/smbspool.8.html b/docs/htmldocs/smbspool.8.html index e9f489b376e..321cc5d8d62 100644 --- a/docs/htmldocs/smbspool.8.html +++ b/docs/htmldocs/smbspool.8.html @@ -1,88 +1,227 @@ - - - - - - -<html><head><title>smbspool (1)</title> - -<link rev="made" href="mailto:samba@samba.org"> -</head> -<body> - -<hr> - -<h1>smbspool (1)</h1> -<h2>Samba</h2> -<h2>11 October 1999</h2> - - - -<p><a name="NAME"></a> -<h2>NAME</h2> - smbspool - send print file to an SMB printer -<p><a name="SYNOPSIS"></a> -<h2>SYNOPSIS</h2> - -<strong>smbspool</strong> job user title copies options [filename] -<p><a name="DESCRIPTION"></a> -<h2>DESCRIPTION</h2> - -<p>This program is part of the Samba suite. -<p>smbspool is a very small print spooling program that sends a print -file to an SMB printer. The command-line arguments are position-dependent for -compatibility with the Common UNIX Printing System, but you can use -smbspool with any printing system or from a program or script. -<p><h2>DEVICE URI</h2> - -<p>smbspool specifies the destination using a Uniform Resource Identifier -("URI") with a method of "smb". This string can take a number of -forms: -<p><dl> -<li > smb://server/printer -<p><li > smb://workgroup/server/printer -<p><li > smb://username:password@server/printer -<p><li > smb://username:password@workgroup/server/printer -<p></dl> -<p>smbspool tries to get the URI from argv[0]. If argv[0] contains the -name of the program then it looks in the DEVICE_URI environment variable. -<p>Programs using the exec(2) functions can pass the URI in argv[0], -while shell scripts must set the DEVICE_URI environment variable prior to -running smbspool. -<p><h2>OPTIONS</h2> - -<p>The job argument (argv[1]) contains the job ID number and is presently -not used by smbspool. -<p>The user argument (argv[2]) contains the print user's name and is -presently not used by smbspool. -<p>The title argument (argv[3]) contains the job title string and is -passed as the remote file name when sending the print job. -<p>The copies argument (argv[4]) contains the number of copies to be -printed of the named file. If no filename is provided than this argument is -not used by smbspool. -<p>The options argument (argv[5]) contains the print options in a single -string and is presently not used by smbspool. -<p>The filename argument (argv[6]) contains the name of the file to print. -If this argument is not specified then the print file is read from the -standard input. -<p><a name="VERSION"></a> -<h2>VERSION</h2> - -<p>This man page is correct for version 2.0 of the Samba suite. -<p><a name="SEEALSO"></a> -<h2>SEE ALSO</h2> - -<a href="smbd.8.html"><strong>smbd (8)</strong></a> -<p><a name="AUTHOR"></a> -<h2>AUTHOR</h2> - -<p>smbspool was written by Michael Sweet at Easy Software Products. -<p>The original Samba software and related utilities were created by -Andrew Tridgell samba@samba.org. Samba is now developed -by the Samba Team as an Open Source project similar to the way the -Linux kernel is developed. -<p>See samba (7) to find out how to get a full -list of contributors and details on how to submit bug reports, -comments etc. -</body> -</html> +<HTML +><HEAD +><TITLE +>smbspool</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.57"></HEAD +><BODY +CLASS="REFENTRY" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><H1 +><A +NAME="FINDSMB" +>smbspool</A +></H1 +><DIV +CLASS="REFNAMEDIV" +><A +NAME="AEN5" +></A +><H2 +>Name</H2 +>nmblookup -- send print file to an SMB printer</DIV +><DIV +CLASS="REFSYNOPSISDIV" +><A +NAME="AEN8" +></A +><H2 +>Synopsis</H2 +><P +><B +CLASS="COMMAND" +>smbspool</B +> [job] [user] [title] [copies] [options] [filename]</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN17" +></A +><H2 +>DESCRIPTION</H2 +><P +>This tool is part of the <A +HREF="samba.7.html" +TARGET="_top" +> Samba</A +> suite.</P +><P +>smbspool is a very small print spooling program that + sends a print file to an SMB printer. The command-line arguments + are position-dependent for compatibility with the Common UNIX + Printing System, but you can use smbspool with any printing system + or from a program or script.</P +><P +><I +CLASS="EMPHASIS" +>DEVICE URI</I +></P +><P +>smbspool specifies the destination using a Uniform Resource + Identifier ("URI") with a method of "smb". This string can take + a number of forms:</P +><P +></P +><UL +><LI +><P +>smb://server/printer</P +></LI +><LI +><P +>smb://workgroup/server/printer</P +></LI +><LI +><P +>smb://username:password@server/printer</P +></LI +><LI +><P +>smb://username:password@workgroup/server/printer + </P +></LI +></UL +><P +>smbspool tries to get the URI from argv[0]. If argv[0] + contains the name of the program then it looks in the <TT +CLASS="PARAMETER" +><I +> DEVICE_URI</I +></TT +> environment variable.</P +><P +>Programs using the <B +CLASS="COMMAND" +>exec(2)</B +> functions can + pass the URI in argv[0], while shell scripts must set the + <TT +CLASS="PARAMETER" +><I +>DEVICE_URI</I +></TT +> environment variable prior to + running smbspool.</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN39" +></A +><H2 +>OPTIONS</H2 +><P +></P +><UL +><LI +><P +>The job argument (argv[1]) contains the + job ID number and is presently not used by smbspool. + </P +></LI +><LI +><P +>The user argument (argv[2]) contains the + print user's name and is presently not used by smbspool. + </P +></LI +><LI +><P +>The title argument (argv[3]) contains the + job title string and is passed as the remote file name + when sending the print job.</P +></LI +><LI +><P +>The copies argument (argv[4]) contains + the number of copies to be printed of the named file. If + no filename is provided than this argument is not used by + smbspool.</P +></LI +><LI +><P +>The options argument (argv[5]) contains + the print options in a single string and is presently + not used by smbspool.</P +></LI +><LI +><P +>The filename argument (argv[6]) contains the + name of the file to print. If this argument is not specified + then the print file is read from the standard input.</P +></LI +></UL +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN54" +></A +><H2 +>VERSION</H2 +><P +>This man page is correct for version 2.2 of + the Samba suite.</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN57" +></A +><H2 +>SEE ALSO</H2 +><P +><A +HREF="smbd.8.html" +TARGET="_top" +><B +CLASS="COMMAND" +>smbd(8)</B +></A +>, + and <A +HREF="samba.7.html" +TARGET="_top" +>samba(7)</A +>. + </P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN63" +></A +><H2 +>AUTHOR</H2 +><P +><B +CLASS="COMMAND" +>smbspool</B +> was written by Michael Sweet + at Easy Software Products.</P +><P +>The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed.</P +><P +>The original Samba man pages were written by Karl Auer. + The man page sources were converted to YODL format (another + excellent piece of Open Source software, available at + <A +HREF="ftp://ftp.icce.rug.nl/pub/unix/" +TARGET="_top" +> ftp://ftp.icce.rug.nl/pub/unix/</A +>) and updated for the Samba 2.0 + release by Jeremy Allison. The conversion to DocBook for + Samba 2.2 was done by Gerald Carter</P +></DIV +></BODY +></HTML +>
\ No newline at end of file diff --git a/docs/htmldocs/smbstatus.1.html b/docs/htmldocs/smbstatus.1.html index cdce69cdbf8..b31437afea3 100644 --- a/docs/htmldocs/smbstatus.1.html +++ b/docs/htmldocs/smbstatus.1.html @@ -1,86 +1,209 @@ - - - - - - -<html><head><title>smbstatus (1)</title> - -<link rev="made" href="mailto:samba@samba.org"> -</head> -<body> - -<hr> - -<h1>smbstatus (1)</h1> -<h2>Samba</h2> -<h2>23 Oct 1998</h2> - - - -<p><a name="NAME"></a> -<h2>NAME</h2> - smbstatus - report on current Samba connections -<p><a name="SYNOPSIS"></a> -<h2>SYNOPSIS</h2> - -<p><strong>smbstatus</strong> [<a href="smbstatus.1.html#minusP">-P</a>] [<a href="smbstatus.1.html#minusb">-b</a>] [<a href="smbstatus.1.html#minusd">-d</a>] [<a href="smbstatus.1.html#minusL">-L</a>] [<a href="smbstatus.1.html#minusp">-p</a>] [<a href="smbstatus.1.html#minusS">-S</a>] [<a href="smbstatus.1.html#minuss">-s configuration file</a>] [<a href="smbstatus.1.html#minusu">-u username</a>] -<p><a name="DESCRIPTION"></a> -<h2>DESCRIPTION</h2> - -<p>This program is part of the <strong>Samba</strong> suite. -<p><strong>smbstatus</strong> is a very simple program to list the current Samba -connections. -<p><a name="OPTIONS"></a> -<h2>OPTIONS</h2> - -<p><dl> -<p><a name="minusP"></a> -<p></p><dt><strong><strong>-P</strong></strong><dd> If samba has been compiled with the profiling option, -print only the contents of the profiling shared memory area. -<p><a name="minusb"></a> -<p></p><dt><strong><strong>-b</strong></strong><dd> gives brief output. -<p><a name="minusd"></a> -<p></p><dt><strong><strong>-d</strong></strong><dd> gives verbose output. -<p><a name="minusL"></a> -<p></p><dt><strong><strong>-L</strong></strong><dd> causes smbstatus to only list locks. -<p><a name="minusp"></a> -<p></p><dt><strong><strong>-p</strong></strong><dd> print a list of <a href="smbd.8.html"><strong>smbd</strong></a> -processes and exit. Useful for scripting. -<p><a name="minusS"></a> -<p></p><dt><strong><strong>-S</strong></strong><dd> causes smbstatus to only list shares. -<p><a name="minuss"></a> -<p></p><dt><strong><strong>-s configuration file</strong></strong><dd> The default configuration file name is -determined at compile time. The file specified contains the -configuration details required by the server. See <a href="smb.conf.5.html"><strong>smb.conf -(5)</strong></a> for more information. -<p><a name="minusu"></a> -<p></p><dt><strong><strong>-u username</strong></strong><dd> selects information relevant to <em>username</em> -only. -<p></dl> -<p><a name="VERSION"></a> -<h2>VERSION</h2> - -<p>This man page is correct for version 2.0 of the Samba suite. -<p><a name="SEEALSO"></a> -<h2>SEE ALSO</h2> - -<p><a href="smb.conf.5.html"><strong>smb.conf (5)</strong></a>, <a href="smbd.8.html"><strong>smbd (8)</strong></a> -<p><a name="AUTHOR"></a> -<h2>AUTHOR</h2> - -<p>The original Samba software and related utilities were created by -Andrew Tridgell <a href="mailto:samba@samba.org"><em>samba@samba.org</em></a>. Samba is now developed -by the Samba Team as an Open Source project similar to the way the -Linux kernel is developed. -<p>The original Samba man pages were written by Karl Auer. The man page -sources were converted to YODL format (another excellent piece of Open -Source software, available at -<a href="ftp://ftp.icce.rug.nl/pub/unix/"><strong>ftp://ftp.icce.rug.nl/pub/unix/</strong></a>) -and updated for the Samba2.0 release by Jeremy Allison. -<a href="mailto:samba@samba.org"><em>samba@samba.org</em></a>. -<p>See <a href="samba.7.html"><strong>samba (7)</strong></a> to find out how to get a full -list of contributors and details on how to submit bug reports, -comments etc. -</body> -</html> +<HTML +><HEAD +><TITLE +>smbstatus</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.57"></HEAD +><BODY +CLASS="REFENTRY" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><H1 +><A +NAME="FINDSMB" +>smbstatus</A +></H1 +><DIV +CLASS="REFNAMEDIV" +><A +NAME="AEN5" +></A +><H2 +>Name</H2 +>smbstatus -- report on current Samba connections</DIV +><DIV +CLASS="REFSYNOPSISDIV" +><A +NAME="AEN8" +></A +><H2 +>Synopsis</H2 +><P +><B +CLASS="COMMAND" +>smbstatus</B +> [-P] [-b] [-d] [-L] [-p] [-S] [-s <configuration file>] [-u <username>]</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN19" +></A +><H2 +>DESCRIPTION</H2 +><P +>This tool is part of the <A +HREF="samba.7.html" +TARGET="_top" +> Samba</A +> suite.</P +><P +><B +CLASS="COMMAND" +>smbstatus</B +> is a very simple program to + list the current Samba connections.</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN25" +></A +><H2 +>OPTIONS</H2 +><P +></P +><DIV +CLASS="VARIABLELIST" +><DL +><DT +>-P</DT +><DD +><P +>If samba has been compiled with the + profiling option, print only the contents of the profiling + shared memory area.</P +></DD +><DT +>-b</DT +><DD +><P +>gives brief output.</P +></DD +><DT +>-d</DT +><DD +><P +>gives verbose output.</P +></DD +><DT +>-L</DT +><DD +><P +>causes smbstatus to only list locks.</P +></DD +><DT +>-p</DT +><DD +><P +>print a list of <A +HREF="smbd.8.html" +TARGET="_top" +> <B +CLASS="COMMAND" +>smbd(8)</B +></A +> processes and exit. + Useful for scripting.</P +></DD +><DT +>-S</DT +><DD +><P +>causes smbstatus to only list shares.</P +></DD +><DT +>-s <configuration file></DT +><DD +><P +>The default configuration file name is + determined at compile time. The file specified contains the + configuration details required by the server. See <A +HREF="smb.conf.5.html" +TARGET="_top" +><TT +CLASS="FILENAME" +>smb.conf(5)</TT +> + </A +> for more information.</P +></DD +><DT +>-u <username></DT +><DD +><P +>selects information relevant to + <TT +CLASS="PARAMETER" +><I +>username</I +></TT +> only.</P +></DD +></DL +></DIV +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN65" +></A +><H2 +>VERSION</H2 +><P +>This man page is correct for version 2.2 of + the Samba suite.</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN68" +></A +><H2 +>SEE ALSO</H2 +><P +><A +HREF="smbd.8.html" +TARGET="_top" +><B +CLASS="COMMAND" +>smbd(8)</B +></A +> and + <A +HREF="smb.conf.5.html" +TARGET="_top" +>smb.conf(5)</A +>.</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN74" +></A +><H2 +>AUTHOR</H2 +><P +>The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed.</P +><P +>The original Samba man pages were written by Karl Auer. + The man page sources were converted to YODL format (another + excellent piece of Open Source software, available at + <A +HREF="ftp://ftp.icce.rug.nl/pub/unix/" +TARGET="_top" +> ftp://ftp.icce.rug.nl/pub/unix/</A +>) and updated for the Samba 2.0 + release by Jeremy Allison. The conversion to DocBook for + Samba 2.2 was done by Gerald Carter</P +></DIV +></BODY +></HTML +>
\ No newline at end of file diff --git a/docs/htmldocs/smbtar.1.html b/docs/htmldocs/smbtar.1.html index 68aab355ed5..5e13ef3577c 100644 --- a/docs/htmldocs/smbtar.1.html +++ b/docs/htmldocs/smbtar.1.html @@ -1,130 +1,352 @@ - - - - - - -<html><head><title>smbtar (1)</title> - -<link rev="made" href="mailto:samba@samba.org"> -</head> -<body> - -<hr> - -<h1>smbtar (1)</h1> -<h2>Samba</h2> -<h2>23 Oct 1998</h2> - - - -<p><a name="NAME"></a> -<h2>NAME</h2> - smbtar - shell script for backing up SMB/CIFS shares directly to UNIX tape drives -<p><a name="SYNOPSIS"></a> -<h2>SYNOPSIS</h2> - -<p><strong>smbtar</strong> <a href="smbtar.1.html#minuss">-s server</a> [<a href="smbtar.1.html#minusp">-p password</a>] [<a href="smbtar.1.html#minusx">-x service</a>] [<a href="smbtar.1.html#minusX">-X</a>] [<a href="smbtar.1.html#minusd">-d directory</a>] [<a href="smbtar.1.html#minusu">-u user</a>] [<a href="smbtar.1.html#minust">-t tape</a>] [<a href="smbtar.1.html#minusb">-b blocksize</a>] [<a href="smbtar.1.html#minusN">-N filename</a>] [<a href="smbtar.1.html#minusi">-i</a>] [<a href="smbtar.1.html#minusr">-r</a>] [<a href="smbtar.1.html#minusl">-l log level</a>] [<a href="smbtar.1.html#minusv">-v</a>] filenames -<p><a name="DESCRIPTION"></a> -<h2>DESCRIPTION</h2> - -<p>This program is part of the <strong>Samba</strong> suite. -<p><strong>smbtar</strong> is a very small shell script on top of -<a href="smbclient.1.html"><strong>smbclient</strong></a> which dumps SMB shares directly -to tape. -<p><a name="OPTIONS"></a> -<h2>OPTIONS</h2> - -<p><dl> -<p><a name="minuss"></a> -<p></p><dt><strong><strong>-s server</strong></strong><dd> The SMB/CIFS server that the share resides upon. -<p><a name="minusx"></a> -<p></p><dt><strong><strong>-x service</strong></strong><dd> The share name on the server to connect -to. The default is <code>backup</code>. -<p><a name="minusX"></a> -<p></p><dt><strong><strong>-X</strong></strong><dd> Exclude mode. Exclude filenames... from tar create or -restore. -<p><a name="minusd"></a> -<p></p><dt><strong><strong>-d directory</strong></strong><dd> Change to initial <em>directory</em> before restoring -/ backing up files. -<p><a name="minusv"></a> -<p></p><dt><strong><strong>-v</strong></strong><dd> Verbose mode. -<p><a name="minusp"></a> -<p></p><dt><strong><strong>-p password</strong></strong><dd> The password to use to access a share. Default: -none -<p><a name="minusu"></a> -<p></p><dt><strong><strong>-u user</strong></strong><dd> The user id to connect as. Default: UNIX login name. -<p><a name="minust"></a> -<p></p><dt><strong><strong>-t tape</strong></strong><dd> Tape device. May be regular file or tape -device. Default: <em>TAPE</em> environmental variable; if not set, a file -called <code>tar.out</code>. -<p><a name="minusb"></a> -<p></p><dt><strong><strong>-b blocksize</strong></strong><dd> Blocking factor. Defaults to 20. See <strong>tar (1)</strong> -for a fuller explanation. -<p><a name="minusN"></a> -<p></p><dt><strong><strong>-N filename</strong></strong><dd> Backup only files newer than filename. Could be -used (for example) on a log file to implement incremental backups. -<p><a name="minusi"></a> -<p></p><dt><strong><strong>-i</strong></strong><dd> Incremental mode; tar files are only backed up if they -have the archive bit set. The archive bit is reset after each file is -read. -<p><a name="minusr"></a> -<p></p><dt><strong><strong>-r</strong></strong><dd> Restore. Files are restored to the share from the tar -file. -<p><a name="minusl"></a> -<p></p><dt><strong><strong>-l log level</strong></strong><dd> Log (debug) level. Corresponds to the -<a href="smbclient.1.html#minusd"><strong>-d</strong></a> flag of <a href="smbclient.1.html"><strong>smbclient -(1)</strong></a>. -<p></dl> -<p><a name="ENVIRONMENTVARIABLES"></a> -<h2>ENVIRONMENT VARIABLES</h2> - -<p>The TAPE variable specifies the default tape device to write to. May -be overridden with the <a href="smbtar.1.html#minust"><strong>-t</strong></a> option. -<p><a name="BUGS"></a> -<h2>BUGS</h2> - -<p>The <strong>smbtar</strong> script has different options from ordinary tar and tar -called from <a href="smbclient.1.html"><strong>smbclient</strong></a>. -<p><a name="CAVEATS"></a> -<h2>CAVEATS</h2> - -<p>Sites that are more careful about security may not like the way the -script handles PC passwords. Backup and restore work on entire shares, -should work on file lists. <strong>smbtar</strong> works best with GNU tar and may -not work well with other versions. -<p><a name="VERSION"></a> -<h2>VERSION</h2> - -<p>This man page is correct for version 2.0 of the Samba suite. -<p><a name="SEEALSO"></a> -<h2>SEE ALSO</h2> - -<p><a href="smbclient.1.html"><strong>smbclient (1)</strong></a>, <a href="smb.conf.5.html"><strong>smb.conf -(5)</strong></a> -<p><a name="DIAGNOSTICS"></a> -<h2>DIAGNOSTICS</h2> - -<p>See the <a href="smbclient.1.html#DIAGNOSTICS"><strong>DIAGNOSTICS</strong></a> section for -the <a href="smbclient.1.html"><strong>smbclient</strong></a> command. -<p><a name="AUTHOR"></a> -<h2>AUTHOR</h2> - -<p>The original Samba software and related utilities were created by -Andrew Tridgell <a href="mailto:samba@samba.org"><em>samba@samba.org</em></a>. Samba is now developed -by the Samba Team as an Open Source project similar to the way the -Linux kernel is developed. -<p>Ricky Poulten <a href="mailto:poultenr@logica.co.uk"><em>poultenr@logica.co.uk</em></a> wrote the tar extension and -this man page. The <strong>smbtar</strong> script was heavily rewritten and -improved by Martin Kraemer <a href="mailto:Martin.Kraemer@mch.sni.de"><em>Martin.Kraemer@mch.sni.de</em></a>. Many -thanks to everyone who suggested extensions, improvements, bug fixes, -etc. The man page sources were converted to YODL format (another -excellent piece of Open Source software available at -<a href="ftp://ftp.icce.rug.nl/pub/unix/"><strong>ftp://ftp.icce.rug.nl/pub/unix/</strong></a>) -and updated for the Samba2.0 release by Jeremy Allison, -<a href="mailto:samba@samba.org"><em>samba@samba.org</em></a>. -<p>See <a href="samba.7.html"><strong>samba (7)</strong></a> to find out how to get a full -list of contributors and details on how to submit bug reports, -comments etc. -<p></body> -</html> +<HTML +><HEAD +><TITLE +>smbtar</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.57"></HEAD +><BODY +CLASS="REFENTRY" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><H1 +><A +NAME="SMBTAR" +>smbtar</A +></H1 +><DIV +CLASS="REFNAMEDIV" +><A +NAME="AEN5" +></A +><H2 +>Name</H2 +>smbtar -- shell script for backing up SMB/CIFS shares + directly to UNIX tape drives</DIV +><DIV +CLASS="REFSYNOPSISDIV" +><A +NAME="AEN8" +></A +><H2 +>Synopsis</H2 +><P +><B +CLASS="COMMAND" +>smbtar</B +> {-s server} [-p password] [-x services] [-X] [-d directory] [-u user] [-t tape] [-t tape] [-b blocksize] [-N filename] [-i] [-r] [-l loglevel] [-v] {filenames}</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN26" +></A +><H2 +>DESCRIPTION</H2 +><P +>This tool is part of the <A +HREF="samba.7.html" +TARGET="_top" +> Samba</A +> suite.</P +><P +><B +CLASS="COMMAND" +>smbtar</B +> is a very small shell script on top + of <A +HREF="smbclient.1.html" +TARGET="_top" +><B +CLASS="COMMAND" +>smbclient(1)</B +></A +> + which dumps SMB shares directly to tape. </P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN34" +></A +><H2 +>OPTIONS</H2 +><P +></P +><DIV +CLASS="VARIABLELIST" +><DL +><DT +>-s server</DT +><DD +><P +>The SMB/CIFS server that the share resides + upon.</P +></DD +><DT +>-x service</DT +><DD +><P +>The share name on the server to connect to. + The default is "backup".</P +></DD +><DT +>-X</DT +><DD +><P +>Exclude mode. Exclude filenames... from tar + create or restore. </P +></DD +><DT +>-d directory</DT +><DD +><P +>Change to initial <TT +CLASS="PARAMETER" +><I +>directory + </I +></TT +> before restoring / backing up files. </P +></DD +><DT +>-v</DT +><DD +><P +>Verbose mode.</P +></DD +><DT +>-p password</DT +><DD +><P +>The password to use to access a share. + Default: none </P +></DD +><DT +>-u user</DT +><DD +><P +>The user id to connect as. Default: + UNIX login name. </P +></DD +><DT +>-t tape</DT +><DD +><P +>Tape device. May be regular file or tape + device. Default: <TT +CLASS="PARAMETER" +><I +>$TAPE</I +></TT +> environmental + variable; if not set, a file called <TT +CLASS="FILENAME" +>tar.out + </TT +>. </P +></DD +><DT +>-b blocksize</DT +><DD +><P +>Blocking factor. Defaults to 20. See + <B +CLASS="COMMAND" +>tar(1)</B +> for a fuller explanation. </P +></DD +><DT +>-N filename</DT +><DD +><P +>Backup only files newer than filename. Could + be used (for example) on a log file to implement incremental + backups. </P +></DD +><DT +>-i</DT +><DD +><P +>Incremental mode; tar files are only backed + up if they have the archive bit set. The archive bit is reset + after each file is read. </P +></DD +><DT +>-r</DT +><DD +><P +>Restore. Files are restored to the share + from the tar file. </P +></DD +><DT +>-l log level</DT +><DD +><P +>Log (debug) level. Corresponds to the + <TT +CLASS="PARAMETER" +><I +>-d</I +></TT +> flag of <B +CLASS="COMMAND" +>smbclient(1) + </B +>. </P +></DD +></DL +></DIV +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN95" +></A +><H2 +>ENVIRONMENT VARIABLES</H2 +><P +>The <TT +CLASS="PARAMETER" +><I +>$TAPE</I +></TT +> variable specifies the + default tape device to write to. May be overridden + with the -t option. </P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN99" +></A +><H2 +>BUGS</H2 +><P +>The <B +CLASS="COMMAND" +>smbtar</B +> script has different + options from ordinary tar and tar called from smbclient. </P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN103" +></A +><H2 +>CAVEATS</H2 +><P +>Sites that are more careful about security may not like + the way the script handles PC passwords. Backup and restore work + on entire shares, should work on file lists. smbtar works best + with GNU tar and may not work well with other versions. </P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN106" +></A +><H2 +>DIAGNOSTICS</H2 +><P +>See the <I +CLASS="EMPHASIS" +>DIAGNOSTICS</I +> section for the + <A +HREF="smbclient.1.html" +TARGET="_top" +><B +CLASS="COMMAND" +>smbclient(1)</B +> + </A +> command.</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN112" +></A +><H2 +>VERSION</H2 +><P +>This man page is correct for version 2.2 of + the Samba suite.</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN115" +></A +><H2 +>SEE ALSO</H2 +><P +><A +HREF="smbd.8.html" +TARGET="_top" +><B +CLASS="COMMAND" +>smbd(8)</B +></A +>, + <A +HREF="smbclient.1.html" +TARGET="_top" +><B +CLASS="COMMAND" +>smbclient(1)</B +></A +>, + <A +HREF="smb.conf.5.html" +TARGET="_top" +>smb.conf(5)</A +>, + </P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN123" +></A +><H2 +>AUTHOR</H2 +><P +>The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed.</P +><P +><A +HREF="mailto:poultenr@logica.co.uk" +TARGET="_top" +>Ricky Poulten</A +> + wrote the tar extension and this man page. The <B +CLASS="COMMAND" +>smbtar</B +> + script was heavily rewritten and improved by <A +HREF="mailto:Martin.Kraemer@mch.sni.de" +TARGET="_top" +>Martin Kraemer</A +>. Many + thanks to everyone who suggested extensions, improvements, bug + fixes, etc. The man page sources were converted to YODL format (another + excellent piece of Open Source software, available at + <A +HREF="ftp://ftp.icce.rug.nl/pub/unix/" +TARGET="_top" +> ftp://ftp.icce.rug.nl/pub/unix/</A +>) and updated for the Samba 2.0 + release by Jeremy Allison. The conversion to DocBook for + Samba 2.2 was done by Gerald Carter.</P +></DIV +></BODY +></HTML +>
\ No newline at end of file diff --git a/docs/htmldocs/swat.8.html b/docs/htmldocs/swat.8.html index 12d83247fdd..f91366b1d6f 100644 --- a/docs/htmldocs/swat.8.html +++ b/docs/htmldocs/swat.8.html @@ -1,148 +1,400 @@ - - - - - - -<html><head><title>swat (8)</title> - -<link rev="made" href="mailto:samba@samba.org"> -</head> -<body> - -<hr> - -<h1>swat (8)</h1> -<h2>Samba</h2> -<h2>23 Oct 1998</h2> - - - -<p><a name="NAME"></a> -<h2>NAME</h2> - swat - Samba Web Administration Tool -<p><a name="SYNOPSIS"></a> -<h2>SYNOPSIS</h2> - -<p><strong>swat</strong> [<a href="swat.8.html#minuss">-s smb config file</a>] [<a href="swat.8.html#minusa">-a</a>] -<p><a name="DESCRIPTION"></a> -<h2>DESCRIPTION</h2> - -<p>This program is part of the <strong>Samba</strong> suite. -<p><strong>swat</strong> allows a Samba administrator to configure the complex -<a href="smb.conf.5.html"><strong>smb.conf</strong></a> file via a Web browser. In -addition, a swat configuration page has help links to all the -configurable options in the <a href="smb.conf.5.html"><strong>smb.conf</strong></a> file -allowing an administrator to easily look up the effects of any change. -<p><strong>swat</strong> is run from <strong>inetd</strong> -<p><a name="OPTIONS"></a> -<h2>OPTIONS</h2> - -<p><dl> -<p><a name="minuss"></a> -<p></p><dt><strong><strong>-s smb configuration file</strong></strong><dd> The default configuration file path is -determined at compile time. -<p>The file specified contains the configuration details required by the -<a href="smbd.8.html"><strong>smbd</strong></a> server. This is the file that <strong>swat</strong> will -modify. The information in this file includes server-specific -information such as what printcap file to use, as well as descriptions -of all the services that the server is to provide. See <a href="smb.conf.5.html">smb.conf -(5)</a> for more information. -<p><a name="minusa"></a> -<p></p><dt><strong><strong>-a</strong></strong><dd> -<p>This option disables authentication and puts <strong>swat</strong> in demo mode. In -that mode anyone will be able to modify the -<a href="smb.conf.5.html"><strong>smb.conf</strong></a> file. -<p>Do NOT enable this option on a production server. -<p></dl> -<p><a name="INSTALLATION"></a> -<h2>INSTALLATION</h2> - -<p>After you compile SWAT you need to run <code>"make install"</code> to install the -swat binary and the various help files and images. A default install -would put these in: -<p><pre> - -/usr/local/samba/bin/swat -/usr/local/samba/swat/images/* -/usr/local/samba/swat/help/* - -</pre> - -<p><a name="INETD"></a> -<h2>INETD INSTALLATION</h2> - -<p>You need to edit your <code>/etc/inetd.conf</code> and <code>/etc/services</code> to -enable <strong>SWAT</strong> to be launched via inetd. -<p>In <code>/etc/services</code> you need to add a line like this: -<p><code>swat 901/tcp</code> -<p>Note for NIS/YP users - you may need to rebuild the NIS service maps -rather than alter your local <code>/etc/services</code> file. -<p>the choice of port number isn't really important except that it should -be less than 1024 and not currently used (using a number above 1024 -presents an obscure security hole depending on the implementation -details of your <strong>inetd</strong> daemon). -<p>In <code>/etc/inetd.conf</code> you should add a line like this: -<p><code>swat stream tcp nowait.400 root /usr/local/samba/bin/swat swat</code> -<p>One you have edited <code>/etc/services</code> and <code>/etc/inetd.conf</code> you need -to send a HUP signal to inetd. To do this use <code>"kill -1 PID"</code> where -PID is the process ID of the inetd daemon. -<p><a name="LAUNCHING"></a> -<h2>LAUNCHING</h2> - -<p>To launch <strong>swat</strong> just run your favorite web browser and point it at -<code>http://localhost:901/</code>. -<p><strong>Note that you can attach to <strong>swat</strong> from any IP connected machine but -connecting from a remote machine leaves your connection open to -password sniffing as passwords will be sent in the clear over the -wire.</strong> -<p><h2>FILES</h2> - -<p><strong>/etc/inetd.conf</strong> -<p>This file must contain suitable startup information for the -meta-daemon. -<p><strong>/etc/services</strong> -<p>This file must contain a mapping of service name (e.g., swat) to -service port (e.g., 901) and protocol type (e.g., tcp). -<p><strong>/usr/local/samba/lib/smb.conf</strong> -<p>This is the default location of the <em>smb.conf</em> server configuration -file that <strong>swat</strong> edits. Other common places that systems install -this file are <em>/usr/samba/lib/smb.conf</em> and <em>/etc/smb.conf</em>. -<p>This file describes all the services the server is to make available -to clients. See <strong>smb.conf (5)</strong> for more information. -<p><a name="WARNINGS"></a> -<h2>WARNINGS</h2> - -<p><strong>swat</strong> will rewrite your <a href="smb.conf.5.html"><strong>smb.conf</strong></a> file. It -will rearrange the entries and delete all comments, -<a href="smb.conf.5.html#include"><strong>"include="</strong></a> and -<a href="smb.conf.5.html#copy"><strong>"copy="</strong></a> options. If you have a -carefully crafted <a href="smb.conf.5.html"><strong>smb.conf</strong></a> then back it up -or don't use <strong>swat</strong>! -<p><a name="VERSION"></a> -<h2>VERSION</h2> - -<p>This man page is correct for version 2.0 of the Samba suite. -<p><a name="SEEALSO"></a> -<h2>SEE ALSO</h2> - -<p><strong>inetd (8)</strong>, <a href="nmbd.8.html"><strong>nmbd (8)</strong></a>, -<a href="smb.conf.5.html"><strong>smb.conf (5)</strong></a>. -<p><a name="AUTHOR"></a> -<h2>AUTHOR</h2> - -<p>The original Samba software and related utilities were created by -Andrew Tridgell (samba@samba.org). Samba is now developed -by the Samba Team as an Open Source project similar to the way the -Linux kernel is developed. -<p>The original Samba man pages were written by Karl Auer. The man page -sources were converted to YODL format (another excellent piece of Open -Source software, available at -<a href="ftp://ftp.icce.rug.nl/pub/unix/"><strong>ftp://ftp.icce.rug.nl/pub/unix/</strong></a>) -and updated for the Samba2.0 release by Jeremy Allison. -<a href="mailto:samba@samba.org"><em>samba@samba.org</em></a>. -<p>See <a href="samba.7.html"><strong>samba (7)</strong></a> to find out how to get a full -list of contributors and details on how to submit bug reports, -comments etc. -</body> -</html> +<HTML +><HEAD +><TITLE +>swat</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.57"></HEAD +><BODY +CLASS="REFENTRY" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><H1 +><A +NAME="SWAT" +>swat</A +></H1 +><DIV +CLASS="REFNAMEDIV" +><A +NAME="AEN5" +></A +><H2 +>Name</H2 +>swat -- Samba Web Administration Tool</DIV +><DIV +CLASS="REFSYNOPSISDIV" +><A +NAME="AEN8" +></A +><H2 +>Synopsis</H2 +><P +><B +CLASS="COMMAND" +>nmblookup</B +> [-s <smb config file>] [-a]</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN13" +></A +><H2 +>DESCRIPTION</H2 +><P +>This tool is part of the <A +HREF="samba.7.html" +TARGET="_top" +> Samba</A +> suite.</P +><P +><B +CLASS="COMMAND" +>swat</B +> allows a Samba administrator to + configure the complex <A +HREF="smb.conf.5.html" +TARGET="_top" +><TT +CLASS="FILENAME" +> smb.conf(5)</TT +></A +> file via a Web browser. In addition, + a <B +CLASS="COMMAND" +>swat</B +> configuration page has help links + to all the configurable options in the smb.conf file allowing an + administrator to easily look up the effects of any change. </P +><P +>swat is run from inetd </P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN23" +></A +><H2 +>OPTIONS</H2 +><P +></P +><DIV +CLASS="VARIABLELIST" +><DL +><DT +>-s smb configuration file</DT +><DD +><P +>The default configuration file path is + determined at compile time. The file specified contains + the configuration details required by the <B +CLASS="COMMAND" +>smbd + </B +> server. This is the file that swat will modify. + The information in this file includes server-specific + information such as what printcap file to use, as well as + descriptions of all the services that the server is to provide. + See <TT +CLASS="FILENAME" +>smb.conf</TT +> for more information. + </P +></DD +><DT +>-a</DT +><DD +><P +>This option disables authentication and puts + swat in demo mode. In that mode anyone will be able to modify + the smb.conf file. </P +><P +><I +CLASS="EMPHASIS" +>Do NOT enable this option on a production + server. </I +></P +></DD +></DL +></DIV +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN38" +></A +><H2 +>INSTALLATION</H2 +><P +>After you compile SWAT you need to run <B +CLASS="COMMAND" +>make install + </B +> to install the <B +CLASS="COMMAND" +>swat</B +> binary + and the various help files and images. A default install would put + these in: </P +><P +></P +><UL +><LI +><P +>/usr/local/samba/bin/swat</P +></LI +><LI +><P +>/usr/local/samba/swat/images/*</P +></LI +><LI +><P +>/usr/local/samba/swat/help/*</P +></LI +></UL +><DIV +CLASS="REFSECT2" +><A +NAME="AEN50" +></A +><H3 +>Inetd Installation</H3 +><P +>You need to edit your <TT +CLASS="FILENAME" +>/etc/inetd.conf + </TT +> and <TT +CLASS="FILENAME" +>/etc/services</TT +> + to enable SWAT to be launched via inetd.</P +><P +>In <TT +CLASS="FILENAME" +>/etc/services</TT +> you need to + add a line like this: </P +><P +><B +CLASS="COMMAND" +>swat 901/tcp</B +></P +><P +>Note for NIS/YP users - you may need to rebuild the + NIS service maps rather than alter your local <TT +CLASS="FILENAME" +> /etc/services</TT +> file. </P +><P +>the choice of port number isn't really important + except that it should be less than 1024 and not currently + used (using a number above 1024 presents an obscure security + hole depending on the implementation details of your + <B +CLASS="COMMAND" +>inetd</B +> daemon). </P +><P +>In <TT +CLASS="FILENAME" +>/etc/inetd.conf</TT +> you should + add a line like this: </P +><P +><B +CLASS="COMMAND" +>swat stream tcp nowait.400 root + /usr/local/samba/bin/swat swat</B +></P +><P +>One you have edited <TT +CLASS="FILENAME" +>/etc/services</TT +> + and <TT +CLASS="FILENAME" +>/etc/inetd.conf</TT +> you need to send a + HUP signal to inetd. To do this use <B +CLASS="COMMAND" +>kill -1 PID + </B +> where PID is the process ID of the inetd daemon. </P +></DIV +><DIV +CLASS="REFSECT2" +><A +NAME="AEN71" +></A +><H3 +>Launching</H3 +><P +>To launch swat just run your favorite web browser and + point it at "http://localhost:901/".</P +><P +>Note that you can attach to swat from any IP connected + machine but connecting from a remote machine leaves your + connection open to password sniffing as passwords will be sent + in the clear over the wire. </P +></DIV +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN75" +></A +><H2 +>FILES</H2 +><P +></P +><DIV +CLASS="VARIABLELIST" +><DL +><DT +><TT +CLASS="FILENAME" +>/etc/inetd.conf</TT +></DT +><DD +><P +>This file must contain suitable startup + information for the meta-daemon.</P +></DD +><DT +><TT +CLASS="FILENAME" +>/etc/services</TT +></DT +><DD +><P +>This file must contain a mapping of service name + (e.g., swat) to service port (e.g., 901) and protocol type + (e.g., tcp). </P +></DD +><DT +><TT +CLASS="FILENAME" +>/usr/local/samba/lib/smb.conf</TT +></DT +><DD +><P +>This is the default location of the <TT +CLASS="FILENAME" +>smb.conf(5) + </TT +> server configuration file that swat edits. Other + common places that systems install this file are <TT +CLASS="FILENAME" +> /usr/samba/lib/smb.conf</TT +> and <TT +CLASS="FILENAME" +>/etc/smb.conf + </TT +>. This file describes all the services the server + is to make available to clients. </P +></DD +></DL +></DIV +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN96" +></A +><H2 +>WARNINGS</H2 +><P +><B +CLASS="COMMAND" +>swat</B +> will rewrite your <TT +CLASS="FILENAME" +>smb.conf + </TT +> file. It will rearrange the entries and delete all + comments, <TT +CLASS="PARAMETER" +><I +>include=</I +></TT +> and <TT +CLASS="PARAMETER" +><I +>copy=" + </I +></TT +> options. If you have a carefully crafted <TT +CLASS="FILENAME" +> smb.conf</TT +> then back it up or don't use swat! </P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN104" +></A +><H2 +>VERSION</H2 +><P +>This man page is correct for version 2.2 of + the Samba suite.</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN107" +></A +><H2 +>SEE ALSO</H2 +><P +><B +CLASS="COMMAND" +>inetd(5)</B +>, + <A +HREF="smbd.8.html" +TARGET="_top" +><B +CLASS="COMMAND" +>smbd(8)</B +></A +>, + <A +HREF="smb.conf.5.html" +TARGET="_top" +>smb.conf(5)</A +> + </P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN114" +></A +><H2 +>AUTHOR</H2 +><P +>The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed.</P +><P +>The original Samba man pages were written by Karl Auer. + The man page sources were converted to YODL format (another + excellent piece of Open Source software, available at + <A +HREF="ftp://ftp.icce.rug.nl/pub/unix/" +TARGET="_top" +> ftp://ftp.icce.rug.nl/pub/unix/</A +>) and updated for the Samba 2.0 + release by Jeremy Allison. The conversion to DocBook for + Samba 2.2 was done by Gerald Carter</P +></DIV +></BODY +></HTML +>
\ No newline at end of file diff --git a/docs/htmldocs/testparm.1.html b/docs/htmldocs/testparm.1.html index 8babecbcfab..d1a1e4333a5 100644 --- a/docs/htmldocs/testparm.1.html +++ b/docs/htmldocs/testparm.1.html @@ -1,114 +1,291 @@ - - - - - - -<html><head><title>testparm (1)</title> - -<link rev="made" href="mailto:samba@samba.org"> -</head> -<body> - -<hr> - -<h1>testparm (1)</h1> -<h2>Samba</h2> -<h2>23 Oct 1998</h2> - - - -<p><a name="NAME"></a> -<h2>NAME</h2> - testparm - check an smb.conf configuration file for internal correctness -<p><a name="SYNOPSIS"></a> -<h2>SYNOPSIS</h2> - -<p><strong>testparm</strong> [<a href="testparm.1.html#minuss">-s</a>] [<a href="testparm.1.html#minush">-h</a>] [<a href="testparm.1.html#minusL">-L servername</a>] [<a href="testparm.1.html#configfilename">configfilename</a>] [<a href="testparm.1.html#hostname">hostname</a> <a href="testparm.1.html#hostIP">hostIP</a>] -<p><a name="DESCRIPTION"></a> -<h2>DESCRIPTION</h2> - -<p>This program is part of the <strong>Samba</strong> suite. -<p><strong>testparm</strong> is a very simple test program to check an -<a href="smbd.8.html"><strong>smbd</strong></a> configuration file for internal -correctness. If this program reports no problems, you can use the -configuration file with confidence that <a href="smbd.8.html"><strong>smbd</strong></a> -will successfully load the configuration file. -<p>Note that this is <em>NOT</em> a guarantee that the services specified in the -configuration file will be available or will operate as expected. -<p>If the optional host name and host IP address are specified on the -command line, this test program will run through the service entries -reporting whether the specified host has access to each service. -<p>If <strong>testparm</strong> finds an error in the <a href="smb.conf.5.html"><strong>smb.conf</strong></a> -file it returns an exit code of 1 to the calling program, else it returns -an exit code of 0. This allows shell scripts to test the output from -<strong>testparm</strong>. -<p><a name="OPTIONS"></a> -<h2>OPTIONS</h2> - -<p><dl> -<p><a name="minuss"></a> -<p></p><dt><strong><strong>-s</strong></strong><dd> Without this option, <strong>testparm</strong> will prompt for a -carriage return after printing the service names and before dumping -the service definitions. -<p><a name="minush"></a> -<p></p><dt><strong><strong>-h</strong></strong><dd> Print usage message -<p><a name="minusL"></a> -<p></p><dt><strong><strong>-L servername</strong></strong><dd> Sets the value of the %L macro to servername. This -is useful for testing include files specified with the %L macro. -<p><a name="configfilename"></a> -<p></p><dt><strong><strong>configfilename</strong></strong><dd> This is the name of the configuration file to -check. If this parameter is not present then the default -<a href="smb.conf.5.html"><strong>smb.conf</strong></a> file will be checked. -<p><a name="hostname"></a> -<p></p><dt><strong><strong>hostname</strong></strong><dd> If this parameter and the following are specified, -then testparm will examine the <a href="smb.conf.5.html#hostsallow"><strong>"hosts -allow"</strong></a> and <a href="smb.conf.5.html#hostsdeny"><strong>"hosts -deny"</strong></a> parameters in the -<a href="smb.conf.5.html"><strong>smb.conf</strong></a> file to determine if the hostname -with this IP address would be allowed access to the -<a href="smbd.8.html"><strong>smbd</strong></a> server. If this parameter is supplied, the -<a href="testparm.1.html#hostIP">hostIP</a> parameter must also be supplied. -<p><a name="hostIP"></a> -<p></p><dt><strong><strong>hostIP</strong></strong><dd> This is the IP address of the host specified in the -previous parameter. This address must be supplied if the hostname -parameter is supplied. -<p></dl> -<p><a name="FILES"></a> -<h2>FILES</h2> - -<p><a href="smb.conf.5.html"><strong>smb.conf</strong></a>. This is usually the name of the -configuration file used by <a href="smbd.8.html"><strong>smbd</strong></a>. -<p><a name="DIAGNOSTICS"></a> -<h2>DIAGNOSTICS</h2> - -<p>The program will issue a message saying whether the configuration file -loaded OK or not. This message may be preceded by errors and warnings -if the file did not load. If the file was loaded OK, the program then -dumps all known service details to stdout. -<p><a name="VERSION"></a> -<h2>VERSION</h2> - -<p>This man page is correct for version 2.0 of the Samba suite. -<p><a name="SEEALSO"></a> -<h2>SEE ALSO</h2> - -<p><a href="smb.conf.5.html"><strong>smb.conf (5)</strong></a>, <a href="smbd.8.html"><strong>smbd (8)</strong></a> -<p><a name="AUTHOR"></a> -<h2>AUTHOR</h2> - -<p>The original Samba software and related utilities were created by -Andrew Tridgell <a href="mailto:samba@samba.org"><em>samba@samba.org</em></a>. Samba is now developed -by the Samba Team as an Open Source project similar to the way the -Linux kernel is developed. -<p>The original Samba man pages were written by Karl Auer. The man page -sources were converted to YODL format (another excellent piece of Open -Source software, available at -<a href="ftp://ftp.icce.rug.nl/pub/unix/"><strong>ftp://ftp.icce.rug.nl/pub/unix/</strong></a>) -and updated for the Samba2.0 release by Jeremy Allison. -<a href="mailto:samba@samba.org"><em>samba@samba.org</em></a>. -<p>See <a href="samba.7.html"><strong>samba (7)</strong></a> to find out how to get a full -list of contributors and details on how to submit bug reports, -comments etc. -</body> -</html> +<HTML +><HEAD +><TITLE +>testparm</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.57"></HEAD +><BODY +CLASS="REFENTRY" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><H1 +><A +NAME="TESTPARM" +>testparm</A +></H1 +><DIV +CLASS="REFNAMEDIV" +><A +NAME="AEN5" +></A +><H2 +>Name</H2 +>testparm -- check an smb.conf configuration file for + internal correctness</DIV +><DIV +CLASS="REFSYNOPSISDIV" +><A +NAME="AEN8" +></A +><H2 +>Synopsis</H2 +><P +><B +CLASS="COMMAND" +>testparm</B +> [-s] [-h] [-L <servername>] {config filename} [hostname hostIP]</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN16" +></A +><H2 +>DESCRIPTION</H2 +><P +>This tool is part of the <A +HREF="samba.7.html" +TARGET="_top" +> Samba</A +> suite.</P +><P +><B +CLASS="COMMAND" +>testparm</B +> is a very simple test program + to check an <B +CLASS="COMMAND" +>smbd</B +> configuration file for + internal correctness. If this program reports no problems, you + can use the configuration file with confidence that <B +CLASS="COMMAND" +>smbd + </B +> will successfully load the configuration file.</P +><P +>Note that this is <I +CLASS="EMPHASIS" +>NOT</I +> a guarantee that + the services specified in the configuration file will be + available or will operate as expected. </P +><P +>If the optional host name and host IP address are + specified on the command line, this test program will run through + the service entries reporting whether the specified host + has access to each service. </P +><P +>If <B +CLASS="COMMAND" +>testparm</B +> finds an error in the <TT +CLASS="FILENAME" +> smb.conf</TT +> file it returns an exit code of 1 to the calling + program, else it returns an exit code of 0. This allows shell scripts + to test the output from <B +CLASS="COMMAND" +>testparm</B +>.</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN31" +></A +><H2 +>OPTIONS</H2 +><P +></P +><DIV +CLASS="VARIABLELIST" +><DL +><DT +>-s</DT +><DD +><P +>Without this option, <B +CLASS="COMMAND" +>testparm</B +> + will prompt for a carriage return after printing the service + names and before dumping the service definitions.</P +></DD +><DT +>-h</DT +><DD +><P +>Print usage message </P +></DD +><DT +>-L servername</DT +><DD +><P +>Sets the value of the %L macro to servername. + This is useful for testing include files specified with the + %L macro. </P +></DD +><DT +>configfilename</DT +><DD +><P +>This is the name of the configuration file + to check. If this parameter is not present then the + default <TT +CLASS="FILENAME" +>smb.conf</TT +> file will be checked. + </P +></DD +><DT +>hostname</DT +><DD +><P +>If this parameter and the following are + specified, then testparm will examine the <TT +CLASS="PARAMETER" +><I +>hosts + allow</I +></TT +> and <TT +CLASS="PARAMETER" +><I +>hosts deny</I +></TT +> + parameters in the <TT +CLASS="FILENAME" +>smb.conf</TT +> file to + determine if the hostname with this IP address would be + allowed access to the <B +CLASS="COMMAND" +>smbd</B +> server. If + this parameter is supplied, the hostIP parameter must also + be supplied.</P +></DD +><DT +>hostIP</DT +><DD +><P +>This is the IP address of the host specified + in the previous parameter. This address must be supplied + if the hostname parameter is supplied. </P +></DD +></DL +></DIV +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN64" +></A +><H2 +>FILES</H2 +><P +></P +><DIV +CLASS="VARIABLELIST" +><DL +><DT +><TT +CLASS="FILENAME" +>smb.conf</TT +></DT +><DD +><P +>This is usually the name of the configuration + file used by <B +CLASS="COMMAND" +>smbd</B +>. + </P +></DD +></DL +></DIV +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN73" +></A +><H2 +>DIAGNOSTICS</H2 +><P +>The program will issue a message saying whether the + configuration file loaded OK or not. This message may be preceeded by + errors and warnings if the file did not load. If the file was + loaded OK, the program then dumps all known service details + to stdout. </P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN76" +></A +><H2 +>VERSION</H2 +><P +>This man page is correct for version 2.2 of + the Samba suite.</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN79" +></A +><H2 +>SEE ALSO</H2 +><P +><A +HREF="smb.conf.5.html" +TARGET="_top" +><TT +CLASS="FILENAME" +>smb.conf(5)</TT +></A +>, + <A +HREF="smbd.8.html" +TARGET="_top" +><B +CLASS="COMMAND" +>smbd(8)</B +></A +> + </P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN86" +></A +><H2 +>AUTHOR</H2 +><P +>The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed.</P +><P +>The original Samba man pages were written by Karl Auer. + The man page sources were converted to YODL format (another + excellent piece of Open Source software, available at + <A +HREF="ftp://ftp.icce.rug.nl/pub/unix/" +TARGET="_top" +> ftp://ftp.icce.rug.nl/pub/unix/</A +>) and updated for the Samba 2.0 + release by Jeremy Allison. The conversion to DocBook for + Samba 2.2 was done by Gerald Carter</P +></DIV +></BODY +></HTML +>
\ No newline at end of file diff --git a/docs/htmldocs/testprns.1.html b/docs/htmldocs/testprns.1.html index 42f5aebe742..94ab41c98d4 100644 --- a/docs/htmldocs/testprns.1.html +++ b/docs/htmldocs/testprns.1.html @@ -1,98 +1,252 @@ - - - - - - -<html><head><title>testprns (1)</title> - -<link rev="made" href="mailto:samba@samba.org"> -</head> -<body> - -<hr> - -<h1>testprns (1)</h1> -<h2>Samba</h2> -<h2>23 Oct 1998</h2> - - - -<p><a name="NAME"></a> -<h2>NAME</h2> - testprns - check printer name for validity with smbd -<p><a name="SYNOPSIS"></a> -<h2>SYNOPSIS</h2> - -<p><strong>testprns</strong> <a href="testprns.1.html#printername">printername</a> [<a href="testprns.1.html#printcapname">printcapname</a>] -<p><a name="DESCRIPTION"></a> -<h2>DESCRIPTION</h2> - -<p>This program is part of the <strong>Samba</strong> suite. -<p><strong>testprns</strong> is a very simple test program to determine whether a -given printer name is valid for use in a service to be provided by -<a href="smbd.8.html"><strong>smbd</strong></a>. -<p>"Valid" in this context means "can be found in the printcap -specified". This program is very stupid - so stupid in fact that it -would be wisest to always specify the printcap file to use. -<p><a name="OPTIONS"></a> -<h2>OPTIONS</h2> - -<p><dl> -<p><a name="printername"></a> -<p></p><dt><strong><strong>printername</strong></strong><dd> The printer name to validate. -<p>Printer names are taken from the first field in each record in the -printcap file, single printer names and sets of aliases separated by -vertical bars ("|") are recognized. Note that no validation or -checking of the printcap syntax is done beyond that required to -extract the printer name. It may be that the print spooling system is -more forgiving or less forgiving than <strong>testprns</strong>. However, if -<strong>testprns</strong> finds the printer then <a href="smbd.8.html"><strong>smbd</strong></a> should -do so as well. -<p><a name="printcapname"></a> -<p></p><dt><strong><strong>printcapname</strong></strong><dd> This is the name of the printcap file within -which to search for the given printer name. -<p>If no printcap name is specified <strong>testprns</strong> will attempt to scan the -printcap file name specified at compile time. -<p></dl> -<p><a name="FILES"></a> -<h2>FILES</h2> - -<p><strong>/etc/printcap</strong> This is usually the default printcap file to -scan. See <strong>printcap (5)</strong>. -<p><a name="DIAGNOSTICS"></a> -<h2>DIAGNOSTICS</h2> - -<p>If a printer is found to be valid, the message "Printer name -<printername> is valid" will be displayed. -<p>If a printer is found to be invalid, the message "Printer name -<printername> is not valid" will be displayed. -<p>All messages that would normally be logged during operation of the -<a href="samba.7.html"><strong>Samba</strong></a> daemons are logged by this program to the -file <code>test.log</code> in the current directory. The program runs at -debuglevel 3, so quite extensive logging information is written. The -log should be checked carefully for errors and warnings. -<p>Other messages are self-explanatory. -<p><a name="SEEALSO"></a> -<h2>SEE ALSO</h2> - -<p><strong>printcap (5)</strong>, <a href="smbd.8.html"><strong>smbd (8)</strong></a>, <a href="smbclient.1.html"><strong>smbclient -(1)</strong></a> -<p><a name="AUTHOR"></a> -<h2>AUTHOR</h2> - -<p>The original Samba software and related utilities were created by -Andrew Tridgell <a href="mailto:samba@samba.org"><em>samba@samba.org</em></a>. Samba is now developed -by the Samba Team as an Open Source project similar to the way the -Linux kernel is developed. -<p>The original Samba man pages were written by Karl Auer. The man page -sources were converted to YODL format (another excellent piece of Open -Source software, available at -<a href="ftp://ftp.icce.rug.nl/pub/unix/"><strong>ftp://ftp.icce.rug.nl/pub/unix/</strong></a>) -and updated for the Samba2.0 release by Jeremy Allison. -<a href="mailto:samba@samba.org"><em>samba@samba.org</em></a>. -<p>See <a href="samba.7.html"><strong>samba (7)</strong></a> to find out how to get a full -list of contributors and details on how to submit bug reports, -comments etc. -</body> -</html> +<HTML +><HEAD +><TITLE +>testprns</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.57"></HEAD +><BODY +CLASS="REFENTRY" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><H1 +><A +NAME="TESTPRNS" +>testprns</A +></H1 +><DIV +CLASS="REFNAMEDIV" +><A +NAME="AEN5" +></A +><H2 +>Name</H2 +>testprns -- check printer name for validity with smbd</DIV +><DIV +CLASS="REFSYNOPSISDIV" +><A +NAME="AEN8" +></A +><H2 +>Synopsis</H2 +><P +><B +CLASS="COMMAND" +>testprns</B +> {printername} [printcapname]</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN13" +></A +><H2 +>DESCRIPTION</H2 +><P +>This tool is part of the <A +HREF="samba.7.html" +TARGET="_top" +> Samba</A +> suite.</P +><P +><B +CLASS="COMMAND" +>testprns</B +> is a very simple test program + to determine whether a given printer name is valid for use in + a service to be provided by <A +HREF="smbd.8.html" +TARGET="_top" +><B +CLASS="COMMAND" +> smbd(8)</B +></A +>. </P +><P +>"Valid" in this context means "can be found in the + printcap specified". This program is very stupid - so stupid in + fact that it would be wisest to always specify the printcap file + to use. </P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN22" +></A +><H2 +>OPTIONS</H2 +><P +></P +><DIV +CLASS="VARIABLELIST" +><DL +><DT +>printername</DT +><DD +><P +>The printer name to validate.</P +><P +>Printer names are taken from the first field in each + record in the printcap file, single printer names and sets + of aliases separated by vertical bars ("|") are recognized. + Note that no validation or checking of the printcap syntax is + done beyond that required to extract the printer name. It may + be that the print spooling system is more forgiving or less + forgiving than <B +CLASS="COMMAND" +>testprns</B +>. However, if + <B +CLASS="COMMAND" +>testprns</B +> finds the printer then + <B +CLASS="COMMAND" +>smbd</B +> should do so as well. </P +></DD +><DT +>printcapname</DT +><DD +><P +>This is the name of the printcap file within + which to search for the given printer name. </P +><P +>If no printcap name is specified <B +CLASS="COMMAND" +>testprns + </B +> will attempt to scan the printcap file name + specified at compile time. </P +></DD +></DL +></DIV +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN39" +></A +><H2 +>FILES</H2 +><P +></P +><DIV +CLASS="VARIABLELIST" +><DL +><DT +><TT +CLASS="FILENAME" +>/etc/printcap</TT +></DT +><DD +><P +>This is usually the default printcap + file to scan. See <TT +CLASS="FILENAME" +>printcap (5)</TT +>. + </P +></DD +></DL +></DIV +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN48" +></A +><H2 +>DIAGNOSTICS</H2 +><P +>If a printer is found to be valid, the message + "Printer name <printername> is valid" will be + displayed. </P +><P +>If a printer is found to be invalid, the message + "Printer name <printername> is not valid" will be + displayed. </P +><P +>All messages that would normally be logged during + operation of the Samba daemons are logged by this program to the + file <TT +CLASS="FILENAME" +>test.log</TT +> in the current directory. The + program runs at debuglevel 3, so quite extensive logging + information is written. The log should be checked carefully + for errors and warnings. </P +><P +>Other messages are self-explanatory. </P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN55" +></A +><H2 +>VERSION</H2 +><P +>This man page is correct for version 2.2 of + the Samba suite.</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN58" +></A +><H2 +>SEE ALSO</H2 +><P +><TT +CLASS="FILENAME" +>printcap(5)</TT +>, + <A +HREF="smbd.8.html" +TARGET="_top" +><B +CLASS="COMMAND" +>smbd(8)</B +></A +>, + <A +HREF="smbclient.1.html" +TARGET="_top" +><B +CLASS="COMMAND" +>smbclient(1)</B +></A +> + </P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN66" +></A +><H2 +>AUTHOR</H2 +><P +>The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed.</P +><P +>The original Samba man pages were written by Karl Auer. + The man page sources were converted to YODL format (another + excellent piece of Open Source software, available at + <A +HREF="ftp://ftp.icce.rug.nl/pub/unix/" +TARGET="_top" +> ftp://ftp.icce.rug.nl/pub/unix/</A +>) and updated for the Samba 2.0 + release by Jeremy Allison. The conversion to DocBook for + Samba 2.2 was done by Gerald Carter</P +></DIV +></BODY +></HTML +>
\ No newline at end of file diff --git a/docs/htmldocs/wbinfo.1.html b/docs/htmldocs/wbinfo.1.html index 5a71611c636..2787f514c07 100644 --- a/docs/htmldocs/wbinfo.1.html +++ b/docs/htmldocs/wbinfo.1.html @@ -1,121 +1,306 @@ - - - - - -<html><head><title>wbinfo (1)</title> - -<link rev="made" href="mailto:samba-bugs@samba.org"> -</head> -<body> - -<hr> - -<h1>wbinfo (1)</h1> -<h2>Samba</h2> -<h2>13 Jun 2000</h2> - - - -<p><a name="NAME"></a> -<h2>NAME</h2> - wbinfo - Query information from winbind daemon -<p><a name="SYNOPSIS"></a> -<h2>SYNOPSIS</h2> - -<p><strong>wbinfo</strong> <a href="wbinfo.1.html#minusu">-u</a> [<a href="wbinfo.1.html#minusg">-g</a>] [<a href="wbinfo.1.html#minusn">-n name</a>] -[<a href="wbinfo.1.html#minuss">-s sid</a>] [<a href="wbinfo.1.html#minusU">-U uid</a>] [<a href="wbinfo.1.html#minusG">-G gid</a>] -[<a href="wbinfo.1.html#minusS">-S sid</a>] [<a href="wbinfo.1.html#minusY">-Y sid</a>] [<a href="wbinfo.1.html#minust">-t</a>] -[<a href="wbinfo.1.html#minusm">-m</a>] -<p><a name="DESCRIPTION"></a> -<h2>DESCRIPTION</h2> - -<p>This program is part of the <strong>Samba</strong> suite version 3.0 and describes -functionality not yet implemented in the main version of Samba. -<p>The <strong>wbinfo</strong> program queries and returns information created and used by -the <a href="winbindd.8.html"><strong>winbindd(8)</strong></a> daemon. -<p>The <a href="winbindd.8.html"><strong>winbindd(8)</strong></a> daemon must be configured and -running for the <strong>wbinfo</strong> program to be able to return information. -<p><a name="OPTIONS"></a> -<h2>OPTIONS</h2> - -<p>The following options are available to the <strong>wbinfo</strong> program: -<p><dl> -<p><a name="minusu"></a> -<p></p><dt><strong><strong>-u</strong></strong><dd> -<p>This option will list all users available in the Windows NT domain for -which the <a href="winbindd.8.html"><strong>winbindd(8)</strong></a> daemon is operating in. -Users in all trusted domains will also be listed. Note that this operation -does not assign user ids to any users that have not already been seen by -<a href="winbindd.8.html"><strong>winbindd(8)</strong></a>. -<p><a name="minusg"></a> -<p></p><dt><strong><strong>-g</strong></strong><dd> -<p>This option will list all groups available in the Windows NT domain for -which the <a href="winbindd.8.html"><strong>winbindd(8)</strong></a> daemon is operating in. -Groups in all trusted domains will also be listed. Note that this -operation does not assign group ids to any groups that have not already -been seen by <a href="winbindd.8.html"><strong>winbindd(8)</strong></a>. -<p><a name="minusn"></a> -<p></p><dt><strong><strong>-n name</strong></strong><dd> -<p>The <strong>-n</strong> option queries <a href="winbindd.8.html"><strong>winbindd(8)</strong></a> for the SID -associated with the name specified. Domain names can be specified before -the user name by using the winbind separator character. For example -<code>DOM1/Administrator</code> refers to the <code>Administrator</code> user in the domain -<code>DOM1</code>. If no domain is specified then the domain used is the one -specified in the <strong>smb.conf</strong> <strong>workgroup</strong> parameter. -<p><a name="minuss"></a> -<p></p><dt><strong><strong>-s sid</strong></strong><dd> -<p>Use <strong>-s</strong> to resolve a SID to a name. This is the inverse of the <strong>-n</strong> -option above. SIDs must be specified as ASCII strings in the traditional -Microsoft format. For example -<code>S-1-5-21-1455342024-3071081365-2475485837-500</code>. -<p><a name="minusU"></a> -<p></p><dt><strong><strong>-U uid</strong></strong><dd> -<p>Try to convert a UNIX user id to a Windows NT SID. If the uid specified -does not refer to one within the <strong>winbind uid range</strong> then the operation -will fail. -<p><a name="minusG"></a> -<p></p><dt><strong><strong>-G gid</strong></strong><dd> -<p>Try to convert a UNIX group id to a Windows NT SID. If the gid specified -does not refer to one within the <strong>winbind gid range</strong> then the operation -will fail. -<p><a name="minusS"></a> -<p></p><dt><strong><strong>-S sid</strong></strong><dd> -<p>Convert a SID to a UNIX user id. If the SID does not correspond to a UNIX -user mapped by <a href="winbindd.8.html"><strong>winbindd(8)</strong></a> then the operation -will fail. -<p><a name="minusY"></a> -<p></p><dt><strong><strong>-Y sid</strong></strong><dd> -<p>Convert a SID to a UNIX group id. If the SID does not correspond to a UNIX -group mapped by <a href="winbindd.8.html"><strong>winbindd(8)</strong></a> then the operation -will fail. -<p><a name="minust"></a> -<p></p><dt><strong><strong>-t</strong></strong><dd> -<p>Verify that the workstation trust account created when the Samba server is -added to the Windows NT domain is working. -<p><a name="minusm"></a> -<p></p><dt><strong><strong>-m</strong></strong><dd> -<p>Produce a list of domains trusted by the Windows NT server -<a href="winbindd.8.html"><strong>winbindd(8)</strong></a> contacts when resolving names. This -list does not include the Windows NT domain the server is a Primary Domain -Controller for. -<p></dl> -<p><a name="EXITSTATUS"></a> -<h2>EXIT STATUS</h2> - -<p>The <strong>wbinfo</strong> program returns 0 if the operation succeeded, or 1 if -the operation failed. If the <a href="winbindd.8.html"><strong>winbindd(8)</strong></a> daemon -is not working <strong>wbinfo</strong> will always return failure. -<p><a name="SEEALSO"></a> -<h2>SEE ALSO</h2> - -<p><a href="winbindd.8.html"><strong>winbindd(8)</strong></a> -<p><a name="AUTHOR"></a> -<h2>AUTHOR</h2> - -<p>The original Samba software and related utilities were created by -Andrew Tridgell. Samba is now developed by the Samba Team as an Open -Source project. -<p><strong>wbinfo</strong> was written by Tim Potter. -</body> -</html> +<HTML +><HEAD +><TITLE +>wbinfo</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.57"></HEAD +><BODY +CLASS="REFENTRY" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><H1 +><A +NAME="WBINFO" +>wbinfo</A +></H1 +><DIV +CLASS="REFNAMEDIV" +><A +NAME="AEN5" +></A +><H2 +>Name</H2 +>wbinfo -- Query information from winbind daemon</DIV +><DIV +CLASS="REFSYNOPSISDIV" +><A +NAME="AEN8" +></A +><H2 +>Synopsis</H2 +><P +><B +CLASS="COMMAND" +>nmblookup</B +> [-u] [-g] [-n name] [-s sid] [-U uid] [-G gid] [-S sid] [-Y sid] [-t] [-m]</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN21" +></A +><H2 +>DESCRIPTION</H2 +><P +>This tool is part of the <A +HREF="samba.7.html" +TARGET="_top" +> Samba</A +> suite.</P +><P +>The <B +CLASS="COMMAND" +>wbinfo</B +> program queries and returns information + created and used by the <A +HREF="winbindd.8.html" +TARGET="_top" +><B +CLASS="COMMAND" +> winbindd(8)</B +></A +> daemon. </P +><P +>The <B +CLASS="COMMAND" +>winbindd(8)</B +> daemon must be configured + and running for the <B +CLASS="COMMAND" +>wbinfo</B +> program to be able + to return information.</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN32" +></A +><H2 +>OPTIONS</H2 +><P +></P +><DIV +CLASS="VARIABLELIST" +><DL +><DT +>-u</DT +><DD +><P +>This option will list all users available + in the Windows NT domain for which the <B +CLASS="COMMAND" +>winbindd(8) + </B +> daemon is operating in. Users in all trusted domains + will also be listed. Note that this operation does not assign + user ids to any users that have not already been seen by + <B +CLASS="COMMAND" +>winbindd(8)</B +>.</P +></DD +><DT +>-g</DT +><DD +><P +>This option will list all groups available + in the Windows NT domain for which the <B +CLASS="COMMAND" +>winbindd(8) + </B +> daemon is operating in. Groups in all trusted domains + will also be listed. Note that this operation does not assign + group ids to any groups that have not already been seen by + <B +CLASS="COMMAND" +>winbindd(8)</B +>. </P +></DD +><DT +>-n name</DT +><DD +><P +>The <TT +CLASS="PARAMETER" +><I +>-n</I +></TT +> option + queries <B +CLASS="COMMAND" +>winbindd(8)</B +> for the SID + associated with the name specified. Domain names can be specified + before the user name by using the winbind separator character. + For example CWDOM1/Administrator refers to the Administrator + user in the domain CWDOM1. If no domain is specified then the + domain used is the one specified in the <TT +CLASS="FILENAME" +>smb.conf</TT +> + <TT +CLASS="PARAMETER" +><I +>workgroup</I +></TT +> parameter. </P +></DD +><DT +>-s sid</DT +><DD +><P +>Use <TT +CLASS="PARAMETER" +><I +>-s</I +></TT +> to resolve + a SID to a name. This is the inverse of the <TT +CLASS="PARAMETER" +><I +>-n + </I +></TT +> option above. SIDs must be specified as ASCII strings + in the traditional Microsoft format. For example, + S-1-5-21-1455342024-3071081365-2475485837-500. </P +></DD +><DT +>-U uid</DT +><DD +><P +>Try to convert a UNIX user id to a Windows NT + SID. If the uid specified does not refer to one within + the winbind uid range then the operation will fail. </P +></DD +><DT +>-G gid</DT +><DD +><P +>Try to convert a UNIX group id to a Windows + NT SID. If the gid specified does not refer to one within + the winbind gid range then the operation will fail. </P +></DD +><DT +>-S sid</DT +><DD +><P +>Convert a SID to a UNIX user id. If the SID + does not correspond to a UNIX user mapped by <B +CLASS="COMMAND" +> winbindd(8)</B +> then the operation will fail. </P +></DD +><DT +>-Y sid</DT +><DD +><P +>Convert a SID to a UNIX group id. If the SID + does not correspond to a UNIX group mapped by <B +CLASS="COMMAND" +> winbindd(8)</B +> then the operation will fail. </P +></DD +><DT +>-t</DT +><DD +><P +>Verify that the workstation trust account + created when the Samba server is added to the Windows NT + domain is working. </P +></DD +><DT +>-m</DT +><DD +><P +>Produce a list of domains trusted by the + Windows NT server <B +CLASS="COMMAND" +>winbindd(8)</B +> contacts + when resolving names. This list does not include the Windows + NT domain the server is a Primary Domain Controller for. + </P +></DD +></DL +></DIV +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN88" +></A +><H2 +>EXIT STATUS</H2 +><P +>The wbinfo program returns 0 if the operation + succeeded, or 1 if the operation failed. If the <B +CLASS="COMMAND" +>winbindd(8) + </B +> daemon is not working wbinfo will always return + failure. </P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN92" +></A +><H2 +>VERSION</H2 +><P +>This man page is correct for version 2.2 of + the Samba suite. winbindd is however not available in + stable release of Samba as of yet.</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN95" +></A +><H2 +>SEE ALSO</H2 +><P +><A +HREF="winbindd.8.html" +TARGET="_top" +><B +CLASS="COMMAND" +>winbindd(8)</B +> + </A +></P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN100" +></A +><H2 +>AUTHOR</H2 +><P +>The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed.</P +><P +><B +CLASS="COMMAND" +>wbinfo</B +> and <B +CLASS="COMMAND" +>winbindd</B +> + were written by TIm Potter.</P +><P +>The conversion to DocBook for Samba 2.2 was done + by Gerald Carter</P +></DIV +></BODY +></HTML +>
\ No newline at end of file diff --git a/docs/htmldocs/winbindd.8.html b/docs/htmldocs/winbindd.8.html index d9e8017daaf..a98b7a28640 100644 --- a/docs/htmldocs/winbindd.8.html +++ b/docs/htmldocs/winbindd.8.html @@ -1,225 +1,594 @@ - - - - - -<html><head><title>winbindd (8)</title> - -<link rev="made" href="mailto:samba-bugs@samba.org"> -</head> -<body> - -<hr> - -<h1>winbindd (8)</h1> -<h2>Samba</h2> -<h2>13 Jun 2000</h2> - - - -<p><a name="NAME"></a> -<h2>NAME</h2> - winbindd - Name Service Switch daemon for resolving names from NT servers -<p><a name="SYNOPSIS"></a> -<h2>SYNOPSIS</h2> - -<p><strong>winbindd</strong> [<a href="winbindd.8.html#minusd">-d debuglevel</a>] [<a href="winbindd.8.html#minusi">-i</a>] -<p><a name="DESCRIPTION"></a> -<h2>DESCRIPTION</h2> - -<p>This program is part of the <strong>Samba</strong> suite version 3.0 and describes -functionality not yet implemented in the main version of Samba. -<p><strong>winbindd</strong> is a daemon that provides a service for the Name Service -Switch capability that is present in most modern C libraries. The Name -Service Switch allows user and system information to be obtained from -different databases services such as NIS or DNS. The exact behaviour can -be configured throught the <code>/etc/nsswitch.conf</code> file. Users and groups -are allocated as they are resolved to a range of user and group ids -specified by the administrator of the Samba system. -<p>The service provided by <strong>winbindd</strong> is called `winbind' and can be -used to resolve user and group information from a Windows NT server. -The service can also provide authentication services via an associated -PAM module. -<p>The following nsswitch databases are implemented by the <strong>winbindd</strong> -service: -<p><dl> -<p><p></p><dt><strong>passwd</strong><dd> -<p>User information traditionally stored in the <strong>passwd(5)</strong> file and used by -<strong>getpwent(3)</strong> functions. -<p><p></p><dt><strong>group</strong><dd> -<p>Group information traditionally stored in the <strong>group(5)</strong> file and used by -<strong>getgrent(3)</strong> functions. -<p></dl> -<p>For example, the following simple configuration in the -<code>/etc/nsswitch.conf</code> file can be used to initially resolve user and group -information from <code>/etc/passwd</code> and <code>/etc/group</code> and then from the -Windows NT server. -<p><pre> - - passwd: files winbind - group: files winbind - -</pre> - -<p><a name="OPTIONS"></a> -<h2>OPTIONS</h2> - -<p>The following options are available to the <strong>winbindd</strong> daemon: -<p><dl> -<p><a name="minusd"></a> -<p></p><dt><strong><strong>-d debuglevel</strong></strong><dd> -Sets the debuglevel to an integer between 0 and 100. 0 is for no debugging -and 100 is for reams and reams. To submit a bug report to the Samba Team, -use debug level 100 (see <strong>BUGS.txt</strong>). -<p><a name="minusi"></a> -<p></p><dt><strong><strong>-i</strong></strong><dd> -Tells <strong>winbindd</strong> to not become a daemon and detach from the current terminal. -This option is used by developers when interactive debugging of <strong>winbindd</strong> is -required. -<p></dl> -<p><a name="NAMEANDIDRESOLUTION"></a> -<h2>NAME AND ID RESOLUTION</h2> - -<p>Users and groups on a Windows NT server are assigned a relative id (rid) -which is unique for the domain when the user or group is created. To -convert the Windows NT user or group into a unix user or group, a mapping -between rids and unix user and group ids is required. This is one of the -jobs that <strong>winbindd</strong> performs. -<p>As <strong>winbindd</strong> users and groups are resolved from a server, user and group -ids are allocated from a specified range. This is done on a first come, -first served basis, although all existing users and groups will be mapped -as soon as a client performs a user or group enumeration command. The -allocated unix ids are stored in a database file under the Samba lock -directory and will be remembered. -<p>WARNING: The rid to unix id database is the only location where the user -and group mappings are stored by <strong>winbindd</strong>. If this file is deleted or -corrupted, there is no way for <strong>winbindd</strong> to determine which user and -group ids correspond to Windows NT user and group rids. -<p><a name="CONFIGURATION"></a> -<h2>CONFIGURATION</h2> - -<p>Configuration of the <strong>winbindd</strong> daemon is done through configuration -parameters in the <a href="smb.conf.5.html"><strong>smb.conf</strong></a> file. All parameters -should be specified in the [global] section of -<a href="smb.conf.5.html"><strong>smb.conf</strong></a>. -<p><dl> -<p><p></p><dt><strong>winbind separator</strong><dd> -<p>The winbind separator option allows you to specify how NT domain names -and user names are combined into unix user names when presented to -users. By default winbind will use the traditional \ separator so -that the unix user names look like DOMAIN\username. In some cases -this separator character may cause problems as the \ character has -special meaning in unix shells. In that case you can use the winbind -separator option to specify an alternative sepataror character. Good -alternatives may be / (although that conflicts with the unix directory -separator) or a + character. The + character appears to be the best -choice for 100% compatibility with existing unix utilities, but may be -an aesthetically bad choice depending on your taste. -<p><strong>Default:</strong> -<code> winbind separator = \</code> -<p><strong>Example:</strong> -<code> winbind separator = +</code> -<p><p></p><dt><strong>winbind uid</strong><dd> -<p>The winbind uid parameter specifies the range of user ids that are -allocated by the <strong>winbindd</strong> daemon. This range of -ids should have no existing local or nis users within it as strange -conflicts can occur otherwise. -<p><strong>Default:</strong> -<code> winbind uid = <empty string></code> -<p><strong>Example:</strong> -<code> winbind uid = 10000-20000</code> -<p><p></p><dt><strong>winbind gid</strong><dd> -<p>The winbind gid parameter specifies the range of group ids that are -allocated by the <strong>winbindd</strong> daemon. This range of group ids should have -no existing local or nis groups within it as strange conflicts can occur -otherwise. -<p><strong>Default:</strong> -<code> winbind gid = <empty string></code> -<p><strong>Example:</strong> -<code> winbind gid = 10000-20000</code> -<p><p></p><dt><strong>winbind cache time</strong><dd> -<p>This parameter specifies the number of seconds the <strong>winbindd</strong> daemon will -cache user and group information before querying a Windows NT server -again. When a item in the cache is older than this time <strong>winbindd</strong> will ask -the domain controller for the sequence number of the servers account -database. If the sequence number has not changed then the cached item is -marked as valid for a further "winbind cache time" seconds. Otherwise the -item is fetched from the server. This means that as long as the account -database is not actively changing <strong>winbindd</strong> will only have to send one -sequence number query packet every "winbind cache time" seconds. -<p><strong>Default:</strong> -<code> winbind cache time = 15</code> -<p><p></p><dt><strong>template homedir</strong><dd> -<p>When filling out the user information for a Windows NT user, the -<strong>winbindd</strong> daemon uses this parameter to fill in the home directory for -that user. If the string <code>%D</code> is present it is substituted with the -user's Windows NT domain name. If the string <code>%U</code> is present it is -substituted with the user's Windows NT user name. -<p><strong>Default:</strong> -<code> template homedir = /home/%D/%U</code> -<p><p></p><dt><strong>template shell</strong><dd> -<p>When filling out the user information for a Windows NT user, the -<strong>winbindd</strong> daemon uses this parameter to fill in the shell for that user. -<p><strong>Default:</strong> -<code> template shell = /bin/false</code> -<p></dl> -<p><a name="EXAMPLESETUP"></a> -<h2>EXAMPLE SETUP</h2> - -<p>To setup <strong>winbindd</strong> for user and group lookups plus authentication from -a domain controller use something like the following setup. This was -tested on a RedHat 6.2 Linux box. -<p>In <code>/etc/nsswitch.conf</code> put the following: -<pre> - - passwd: files winbind - group: files winbind - -</pre> - -<p>In <code>/etc/pam.d/*</code> replace the <code>auth</code> lines with something like this: -<pre> - - auth required /lib/security/pam_securetty.so - auth required /lib/security/pam_nologin.so - auth sufficient /lib/security/pam_winbind.so - auth required /lib/security/pam_pwdb.so use_first_pass shadow nullok - -</pre> - -<p>Note in particular the use of the <code>sufficient</code> keyword and the -<code>use_first_pass</code> keyword. -<p>Now replace the account lines with this: -<pre> - - account required /lib/security/pam_winbind.so - -</pre> - -<p>The next step is to join the domain. To do that use the samedit -program like this: -<pre> - - samedit -S '*' -W DOMAIN -UAdministrator - -</pre> - -<p>Then within samedit run the command: -<pre> - - createuser MACHINE$ -j DOMAIN -L - -</pre> - -<p>This assumes your domain is called <code>DOMAIN</code> and your Samba workstation -is called <code>MACHINE</code>. -<p>Next copy <code>libnss_winbind.so.2</code> to <code>/lib</code> and <code>pam_winbind.so</code> to -<code>/lib/security</code>. -<p>Finally, setup a smb.conf containing directives like the following: -<pre> - - [global] - winbind separator = + +<HTML +><HEAD +><TITLE +>winbindd</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.57"></HEAD +><BODY +CLASS="REFENTRY" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><H1 +><A +NAME="WINBINDD" +>winbindd</A +></H1 +><DIV +CLASS="REFNAMEDIV" +><A +NAME="AEN5" +></A +><H2 +>Name</H2 +>winbindd -- Name Service Switch daemon for resolving names + from NT servers</DIV +><DIV +CLASS="REFSYNOPSISDIV" +><A +NAME="AEN8" +></A +><H2 +>Synopsis</H2 +><P +><B +CLASS="COMMAND" +>nmblookup</B +> [-d debuglevel] [-i] [-S] [-r] [-A] [-h] [-B <broadcast address>] [-U <unicast address>] [-d <debug level>] [-s <smb config file>] [-i <NetBIOS scope>] [-T] {name}</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN24" +></A +><H2 +>DESCRIPTION</H2 +><P +>This tool is part of the <A +HREF="samba.7.html" +TARGET="_top" +> Samba</A +> suite version 3.0 and describes functionality not + yet implemented in the main version of Samba.</P +><P +><B +CLASS="COMMAND" +>winbindd</B +> is a daemon that provides + a service for the Name Service Switch capability that is present + in most modern C libraries. The Name Service Switch allows user + and system information to be obtained from different databases + services such as NIS or DNS. The exact behaviour can be configured + throught the <TT +CLASS="FILENAME" +>/etc/nsswitch.conf</TT +> file. + Users and groups are allocated as they are resolved to a range + of user and group ids specified by the administrator of the + Samba system.</P +><P +>The service provided by winbindd is called `winbind' and + can be used to resolve user and group information from a + Windows NT server. The service can also provide authentication + services via an associated PAM module. </P +><P +>The following nsswitch databases are implemented by + the winbindd service: </P +><P +></P +><DIV +CLASS="VARIABLELIST" +><DL +><DT +>passwd</DT +><DD +><P +>User information traditionally stored in + the <TT +CLASS="FILENAME" +>passwd(5)</TT +> file and used by + <B +CLASS="COMMAND" +>getpwent(3)</B +> functions. </P +></DD +><DT +>group</DT +><DD +><P +>Group information traditionally stored in + the <TT +CLASS="FILENAME" +>group(5)</TT +> file and used by + <B +CLASS="COMMAND" +>getgrent(3)</B +> functions. </P +></DD +></DL +></DIV +><P +>For example, the following simple configuration in the + <TT +CLASS="FILENAME" +>/etc/nsswitch.conf</TT +> file can be used to initially + resolve user and group information from <TT +CLASS="FILENAME" +>/etc/passwd + </TT +> and <TT +CLASS="FILENAME" +>/etc/group</TT +> and then from the + Windows NT server. </P +><P +><PRE +CLASS="PROGRAMLISTING" +>passwd: files winbind +group: files winbind + </PRE +></P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN52" +></A +><H2 +>OPTIONS</H2 +><P +></P +><DIV +CLASS="VARIABLELIST" +><DL +><DT +>-d debuglevel</DT +><DD +><P +>Sets the debuglevel to an integer between + 0 and 100. 0 is for no debugging and 100 is for reams and + reams. To submit a bug report to the Samba Team, use debug + level 100 (see BUGS.txt). </P +></DD +><DT +>-i</DT +><DD +><P +>Tells <B +CLASS="COMMAND" +>winbindd</B +> to not + become a daemon and detach from the current terminal. This + option is used by developers when interactive debugging + of <B +CLASS="COMMAND" +>winbindd</B +> is required. </P +></DD +></DL +></DIV +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN65" +></A +><H2 +>NAME AND ID RESOLUTION</H2 +><P +>Users and groups on a Windows NT server are assigned + a relative id (rid) which is unique for the domain when the + user or group is created. To convert the Windows NT user or group + into a unix user or group, a mapping between rids and unix user + and group ids is required. This is one of the jobs that <B +CLASS="COMMAND" +> winbindd</B +> performs. </P +><P +>As winbindd users and groups are resolved from a server, user + and group ids are allocated from a specified range. This + is done on a first come, first served basis, although all existing + users and groups will be mapped as soon as a client performs a user + or group enumeration command. The allocated unix ids are stored + in a database file under the Samba lock directory and will be + remembered. </P +><P +>WARNING: The rid to unix id database is the only location + where the user and group mappings are stored by winbindd. If this + file is deleted or corrupted, there is no way for winbindd to + determine which user and group ids correspond to Windows NT user + and group rids. </P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN71" +></A +><H2 +>CONFIGURATION</H2 +><P +>Configuration of the <B +CLASS="COMMAND" +>winbindd</B +> daemon + is done through configuration parameters in the <TT +CLASS="FILENAME" +>smb.conf(5) + </TT +> file. All parameters should be specified in the + [global] section of smb.conf. </P +><P +></P +><DIV +CLASS="VARIABLELIST" +><DL +><DT +>winbind separator</DT +><DD +><P +>The winbind separator option allows you + to specify how NT domain names and user names are combined + into unix user names when presented to users. By default, + <B +CLASS="COMMAND" +>winbindd</B +> will use the traditional '\' + separator so that the unix user names look like + DOMAIN\username. In some cases this separator character may + cause problems as the '\' character has special meaning in + unix shells. In that case you can use the winbind separator + option to specify an alternative sepataror character. Good + alternatives may be '/' (although that conflicts + with the unix directory separator) or a '+ 'character. + The '+' character appears to be the best choice for 100% + compatibility with existing unix utilities, but may be an + aesthetically bad choice depending on your taste. </P +><P +>Default: <B +CLASS="COMMAND" +>winbind separator = \ </B +> + </P +><P +>Example: <B +CLASS="COMMAND" +>winbind separator = + </B +></P +></DD +><DT +>winbind uid</DT +><DD +><P +>The winbind uid parameter specifies the + range of user ids that are allocated by the winbindd daemon. + This range of ids should have no existing local or nis users + within it as strange conflicts can occur otherwise. </P +><P +>Default: <B +CLASS="COMMAND" +>winbind uid = <empty string> + </B +></P +><P +>Example: <B +CLASS="COMMAND" +>winbind uid = 10000-20000</B +></P +></DD +><DT +>winbind gid</DT +><DD +><P +>The winbind gid parameter specifies the + range of group ids that are allocated by the winbindd daemon. + This range of group ids should have no existing local or nis + groups within it as strange conflicts can occur otherwise.</P +><P +>Default: <B +CLASS="COMMAND" +>winbind gid = <empty string> + </B +></P +><P +>Example: <B +CLASS="COMMAND" +>winbind gid = 10000-20000 + </B +> </P +></DD +><DT +>winbind cache time</DT +><DD +><P +>This parameter specifies the number of + seconds the winbindd daemon will cache user and group information + before querying a Windows NT server again. When a item in the + cache is older than this time winbindd will ask the domain + controller for the sequence number of the servers account database. + If the sequence number has not changed then the cached item is + marked as valid for a further <TT +CLASS="PARAMETER" +><I +>winbind cache time + </I +></TT +> seconds. Otherwise the item is fetched from the + server. This means that as long as the account database is not + actively changing winbindd will only have to send one sequence + number query packet every <TT +CLASS="PARAMETER" +><I +>winbind cache time + </I +></TT +> seconds. </P +><P +>Default: <B +CLASS="COMMAND" +>winbind cache time = 15</B +> + </P +></DD +><DT +>winbind enum users</DT +><DD +><P +>On large installations it may be necessary + to suppress the enumeration of users through the <B +CLASS="COMMAND" +> setpwent()</B +>, <B +CLASS="COMMAND" +>getpwent()</B +> and + <B +CLASS="COMMAND" +>endpwent()</B +> group of system calls. If + the <TT +CLASS="PARAMETER" +><I +>winbind enum users</I +></TT +> parameter is false, + calls to the <B +CLASS="COMMAND" +>getpwent</B +> system call will not + return any data. </P +><P +><I +CLASS="EMPHASIS" +>Warning:</I +> Turning off user enumeration + may cause some programs to behave oddly. For example, the finger + program relies on having access to the full user list when + searching for matching usernames. </P +><P +>Default: <B +CLASS="COMMAND" +>winbind enum users = yes </B +></P +></DD +><DT +>winbind enum groups</DT +><DD +><P +>On large installations it may be necessary + to suppress the enumeration of groups through the <B +CLASS="COMMAND" +> setgrent()</B +>, <B +CLASS="COMMAND" +>getgrent()</B +> and + <B +CLASS="COMMAND" +>endgrent()</B +> group of system calls. If + the <TT +CLASS="PARAMETER" +><I +>winbind enum groups</I +></TT +> parameter is + false, calls to the <B +CLASS="COMMAND" +>getgrent()</B +> system + call will not return any data. </P +><P +><I +CLASS="EMPHASIS" +>Warning:</I +> Turning off group + enumeration may cause some programs to behave oddly. + </P +><P +>Default: <B +CLASS="COMMAND" +>winbind enum groups = no </B +> + </P +></DD +><DT +>template homedir</DT +><DD +><P +>When filling out the user information + for a Windows NT user, the <B +CLASS="COMMAND" +>winbindd</B +> daemon + uses this parameter to fill in the home directory for that user. + If the string <TT +CLASS="PARAMETER" +><I +>%D</I +></TT +> is present it is + substituted with the user's Windows NT domain name. If the + string <TT +CLASS="PARAMETER" +><I +>%U</I +></TT +> is present it is substituted + with the user's Windows NT user name. </P +><P +>Default: <B +CLASS="COMMAND" +>template homedir = /home/%D/%U </B +> + </P +></DD +><DT +>template shell</DT +><DD +><P +>When filling out the user information for + a Windows NT user, the <B +CLASS="COMMAND" +>winbindd</B +> daemon + uses this parameter to fill in the shell for that user. + </P +><P +>Default: <B +CLASS="COMMAND" +>template shell = /bin/false </B +> + </P +></DD +></DL +></DIV +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN152" +></A +><H2 +>EXAMPLE SETUP</H2 +><P +>To setup winbindd for user and group lookups plus + authentication from a domain controller use something like the + following setup. This was tested on a RedHat 6.2 Linux box. </P +><P +>In <TT +CLASS="FILENAME" +>/etc/nsswitch.conf</TT +> put the + following:</P +><P +><PRE +CLASS="PROGRAMLISTING" +>passwd: files winbind +group: files winbind + </PRE +></P +><P +>In <TT +CLASS="FILENAME" +>/etc/pam.d/*</TT +> replace the + <TT +CLASS="PARAMETER" +><I +>auth</I +></TT +> lines with something like this: </P +><P +><PRE +CLASS="PROGRAMLISTING" +>auth required /lib/security/pam_securetty.so +auth required /lib/security/pam_nologin.so +auth sufficient /lib/security/pam_winbind.so +auth required /lib/security/pam_pwdb.so use_first_pass shadow nullok + </PRE +></P +><P +>Note in particular the use of the <TT +CLASS="PARAMETER" +><I +>sufficient</I +></TT +> + keyword and the <TT +CLASS="PARAMETER" +><I +>use_first_pass</I +></TT +> keyword. </P +><P +>Now replace the account lines with this: </P +><P +><B +CLASS="COMMAND" +>account required /lib/security/pam_winbind.so + </B +></P +><P +>The next step is to join the domain. To do that use the + <B +CLASS="COMMAND" +>samedit</B +> program like this: </P +><P +><B +CLASS="COMMAND" +>samedit -S '*' -W DOMAIN -UAdministrator</B +></P +><P +>The username after the <TT +CLASS="PARAMETER" +><I +>-U</I +></TT +> can be any Domain + user that has administrator priviliges on the machine. Next from + within <B +CLASS="COMMAND" +>samedit</B +>, run the command: </P +><P +><B +CLASS="COMMAND" +>createuser MACHINE$ -j DOMAIN -L</B +></P +><P +>This assumes your domain is called "DOMAIN" and your Samba + workstation is called "MACHINE". </P +><P +>Next copy <TT +CLASS="FILENAME" +>libnss_winbind.so.2</TT +> to + <TT +CLASS="FILENAME" +>/lib</TT +> and <TT +CLASS="FILENAME" +>pam_winbind.so</TT +> + to <TT +CLASS="FILENAME" +>/lib/security</TT +>.</P +><P +>Finally, setup a smb.conf containing directives like the + following: </P +><P +><PRE +CLASS="PROGRAMLISTING" +>[global] + winbind separator = + winbind cache time = 10 template shell = /bin/bash template homedir = /home/%D/%U @@ -228,95 +597,272 @@ is called <code>MACHINE</code>. workgroup = DOMAIN security = domain password server = * - -</pre> - -<p>Now start <strong>winbindd</strong> and you should find that your user and group -database is expanded to include your NT users and groups, and that you -can login to your unix box as a domain user, using the <code>DOMAIN+user</code> -syntax for the username. You may wish to use the commands "getent -passwd" and "getent group" to confirm the correct operation of -<strong>winbindd</strong>. -<p><a name="NOTES"></a> -<h2>NOTES</h2> - -<p>The following notes are useful when configuring and running <strong>winbindd</strong>: -<p><dl> -<p><p></p><dt><strong></strong><dd> -<a href="nmbd.8.html"><strong>nmbd</strong></a> must be running on the local machine for -<strong>winbindd</strong> to work. -<p><p></p><dt><strong></strong><dd> -<strong>winbindd</strong> queries the list of trusted domains for the Windows NT server -on startup and when a SIGHUP is received. Thus, for a running <strong>winbindd</strong> -to become aware of new trust relationships between servers, it must be sent -a SIGHUP signal. -<p><p></p><dt><strong></strong><dd> -Client processes resolving names through the <strong>winbindd</strong> nsswitch module -read an environment variable named <code>WINBINDD_DOMAIN</code>. If this variable -contains a comma separated list of Windows NT domain names, then <strong>winbindd</strong> -will only resolve users and groups within those Windows NT domains. -<p><p></p><dt><strong></strong><dd> -PAM is really easy to misconfigure. Make sure you know what you are doing -when modifying PAM configuration files. It is possible to set up PAM -such that you can no longer log into your system. -<p><p></p><dt><strong></strong><dd> -If more than one UNIX machine is running <strong>winbindd</strong>, then in general the -user and groups ids allocated by <strong>winbindd</strong> will not be the same. The -user and group ids will only be valid for the local machine. -<p><p></p><dt><strong></strong><dd> -If the the Windows NT RID to UNIX user and group id mapping file -is damaged or destroyed then the mappings will be lost. -<p></dl> -<p><a name="SIGNALS"></a> -<h2>SIGNALS</h2> - -<p>The following signals can be used to manipulate the <strong>winbindd</strong> daemon. -<p><dl> -<p><p></p><dt><strong><code>SIGHUP</code></strong><dd> -<p>Reload the <code>smb.conf</code> file and apply any parameter changes to the running -version of <strong>winbindd</strong>. This signal also clears any cached user and group -information. The list of other domains trusted by <strong>winbindd</strong> is also -reloaded. -<p><p></p><dt><strong><code>SIGUSR1</code></strong><dd> -<p>The <code>SIGUSR1</code> signal will cause <strong>winbindd</strong> to write status information -to the winbind log file including information about the number of user and -group ids allocated by <strong>winbindd</strong>. -<p>Log files are stored in the filename specified by the <strong>log file</strong> parameter. -<p></dl> -<p><a name="FILES"></a> -<h2>FILES</h2> - -<p>The following files are relevant to the operation of the <strong>winbindd</strong> -daemon. -<p><dl> -<p><p></p><dt><strong>/etc/nsswitch.conf(5)</strong><dd> -<p>Name service switch configuration file. -<p><p></p><dt><strong>/tmp/.winbindd/pipe</strong><dd> -<p>The UNIX pipe over which clients communicate with the <strong>winbindd</strong> program. -For security reasons, the winbind client will only attempt to connect to the -<strong>winbindd</strong> daemon if both the <code>/tmp/.winbindd</code> directory and -<code>/tmp/.winbindd/pipe</code> file are owned by root. -<p><p></p><dt><strong>/lib/libnss_winbind.so.X</strong><dd> -<p>Implementation of name service switch library. -<p><p></p><dt><strong>$LOCKDIR/winbindd_idmap.tdb</strong><dd> -<p>Storage for the Windows NT rid to UNIX user/group id mapping. The lock -directory is specified when Samba is initially compiled using the -<code>--with-lockdir</code> option. This directory is by default -<code>/usr/local/samba/var/locks</code>. -<p><p></p><dt><strong>$LOCKDIR/winbindd_cache.tdb</strong><dd> -<p>Storage for cached user and group information. -<p></dl> -<p><a name="SEEALSO"></a> -<h2>SEE ALSO</h2> - -<p><a href="samba.7.html"><strong>samba(7)</strong></a>, <a href="smb.conf.5.html"><strong>smb.conf(5)</strong></a>, -<strong>nsswitch.conf(5)</strong>, <a href="wbinfo.1.html"><strong>wbinfo(1)</strong></a> -<p><a name="AUTHOR"></a> -<h2>AUTHOR</h2> - -<p>The original Samba software and related utilities were created by -Andrew Tridgell. Samba is now developed by the Samba Team as an Open -Source project. -<p><strong>winbindd</strong> was written by Tim Potter. -</body> -</html> + </PRE +></P +><P +>Now start winbindd and you should find that your user and + group database is expanded to include your NT users and groups, + and that you can login to your unix box as a domain user, using + the DOMAIN+user syntax for the username. You may wish to use the + commands <B +CLASS="COMMAND" +>getent passwd</B +> and <B +CLASS="COMMAND" +>getent group + </B +> to confirm the correct operation of winbindd.</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN191" +></A +><H2 +>Notes</H2 +><P +>The following notes are useful when configuring and + running <B +CLASS="COMMAND" +>winbindd</B +>: </P +><P +><B +CLASS="COMMAND" +>nmbd</B +> must be running on the local machine + for <B +CLASS="COMMAND" +>winbindd</B +> to work. <B +CLASS="COMMAND" +>winbindd</B +> + queries the list of trusted domains for the Windows NT server + on startup and when a SIGHUP is received. Thus, for a running <B +CLASS="COMMAND" +> winbindd</B +> to become aware of new trust relationships between + servers, it must be sent a SIGHUP signal. </P +><P +>Client processes resolving names through the <B +CLASS="COMMAND" +>winbindd</B +> + nsswitch module read an environment variable named <TT +CLASS="PARAMETER" +><I +> $WINBINDD_DOMAIN</I +></TT +>. If this variable contains a comma separated + list of Windows NT domain names, then winbindd will only resolve users + and groups within those Windows NT domains. </P +><P +>PAM is really easy to misconfigure. Make sure you know what + you are doing when modifying PAM configuration files. It is possible + to set up PAM such that you can no longer log into your system. </P +><P +>If more than one UNIX machine is running <B +CLASS="COMMAND" +>winbindd</B +>, + then in general the user and groups ids allocated by winbindd will not + be the same. The user and group ids will only be valid for the local + machine.</P +><P +>If the the Windows NT RID to UNIX user and group id mapping + file is damaged or destroyed then the mappings will be lost. </P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN207" +></A +><H2 +>Signals</H2 +><P +>The following signals can be used to manipulate the + <B +CLASS="COMMAND" +>winbindd</B +> daemon. </P +><P +></P +><DIV +CLASS="VARIABLELIST" +><DL +><DT +>SIGHUP</DT +><DD +><P +>Reload the <TT +CLASS="FILENAME" +>smb.conf(5)</TT +> + file and apply any parameter changes to the running + version of winbindd. This signal also clears any cached + user and group information. The list of other domains trusted + by winbindd is also reloaded. </P +></DD +><DT +>SIGUSR1</DT +><DD +><P +>The SIGUSR1 signal will cause <B +CLASS="COMMAND" +> winbindd</B +> to write status information to the winbind + log file including information about the number of user and + group ids allocated by <B +CLASS="COMMAND" +>winbindd</B +>.</P +><P +>Log files are stored in the filename specified by the + log file parameter.</P +></DD +></DL +></DIV +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN224" +></A +><H2 +>Files</H2 +><P +></P +><DIV +CLASS="VARIABLELIST" +><DL +><DT +><TT +CLASS="FILENAME" +>/etc/nsswitch.conf(5)</TT +></DT +><DD +><P +>Name service switch configuration file.</P +></DD +><DT +>/tmp/.winbindd/pipe</DT +><DD +><P +>The UNIX pipe over which clients communicate with + the <B +CLASS="COMMAND" +>winbindd</B +> program. For security reasons, the + winbind client will only attempt to connect to the winbindd daemon + if both the <TT +CLASS="FILENAME" +>/tmp/.winbindd</TT +> directory + and <TT +CLASS="FILENAME" +>/tmp/.winbindd/pipe</TT +> file are owned by + root. </P +></DD +><DT +>/lib/libnss_winbind.so.X</DT +><DD +><P +>Implementation of name service switch library. + </P +></DD +><DT +>$LOCKDIR/winbindd_idmap.tdb</DT +><DD +><P +>Storage for the Windows NT rid to UNIX user/group + id mapping. The lock directory is specified when Samba is initially + compiled using the <TT +CLASS="FILENAME" +>--with-lockdir</TT +> option. + This directory is by default <TT +CLASS="FILENAME" +>/usr/local/samba/var/locks + </TT +>. </P +></DD +><DT +>$LOCKDIR/winbindd_cache.tdb</DT +><DD +><P +>Storage for cached user and group information. + </P +></DD +></DL +></DIV +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN253" +></A +><H2 +>VERSION</H2 +><P +>This man page is correct for version 2.2 of + the Samba suite. winbindd is however not available in + stable release of Samba as of yet.</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN256" +></A +><H2 +>SEE ALSO</H2 +><P +><TT +CLASS="FILENAME" +>nsswitch.conf(5)</TT +>, + <A +HREF="samba.7.html" +TARGET="_top" +>samba(7)</A +>, + <A +HREF="wbinfo.1.html" +TARGET="_top" +>wbinfo(1)</A +>, + <A +HREF="smb.conf.5.html" +TARGET="_top" +>smb.conf(5)</A +></P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN263" +></A +><H2 +>AUTHOR</H2 +><P +>The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed.</P +><P +><B +CLASS="COMMAND" +>wbinfo</B +> and <B +CLASS="COMMAND" +>winbindd</B +> + were written by Tim Potter.</P +><P +>The conversion to DocBook for Samba 2.2 was done + by Gerald Carter</P +></DIV +></BODY +></HTML +>
\ No newline at end of file |