Timestamp:
Apr 10, 2007, 5:27:38 AM (14 years ago)
Author:
Paul Smedley
Message:

Updated source to 3.0.25rc1

File:
1 edited

  • trunk/samba/docs/htmldocs/manpages/smb.conf.5.html

    r22 r26  
    384384        added to Samba's domain and a Unix account matching the machine's name appended with a "$" does not
    385385        already exist.
    386         </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>add machine script</code></em> =
     386        </p><p>This option is very similar to the <a class="indexterm" name="id273163"></a>add user script, and likewise uses the %u
     387        substitution for the account name.  Do not use the %m
     388        substitution.  </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>add machine script</code></em> =
    387389</em></span>
    388390</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>add machine script</code></em> = /usr/sbin/adduser -n -g machines -c Machine -d /var/lib/nobody -s /bin/false %u
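Review bot: The added paragraph at new lines 386-388 says "Do not use the %m substitution" without giving a reason, so a reader cannot tell what goes wrong if they do; add a clause that explains it. The paragraph also defers to the add user script entry for how %u behaves, and that entry states the script is called AS ROOT, so say here whether add machine script runs with the same privilege, since the Example line passes %u directly to /usr/sbin/adduser.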
     
    452454                        </p></li></ul></div><p>
    453455        This parameter is only used for add file shares.  To add printer shares,
    454         see the <a class="indexterm" name="id273562"></a>addprinter command.
     456        see the <a class="indexterm" name="id273574"></a>addprinter command.
    455457        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>add share command</code></em> =
    456458</em></span>
     
    469471        </p><p>
    470472        In order to use this option, <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> must <span class="emphasis"><em>NOT</em></span> be set to
    471         <a class="indexterm" name="id273651"></a>security = share and <a class="indexterm" name="id273658"></a>add user script
     473        <a class="indexterm" name="id229350"></a>security = share and <a class="indexterm" name="id229357"></a>add user script
    472474        must be set to a full pathname for a script that will create a UNIX user given one argument of
    473475        <em class="parameter"><code>%u</code></em>, which expands into the UNIX user name to create.
    474476        </p><p>
    475477        When the Windows user attempts to access the Samba server, at login (session setup in
    476         the SMB protocol) time, <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> contacts the <a class="indexterm" name="id273684"></a>password server
     478        the SMB protocol) time, <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> contacts the <a class="indexterm" name="id229383"></a>password server
    477479        and attempts to authenticate the given user with the given password. If the authentication
    478480        succeeds then <span><strong class="command">smbd</strong></span> attempts to find a UNIX user in the UNIX
    479481        password database to map the Windows user into. If this lookup fails, and
    480         <a class="indexterm" name="id273699"></a>add user script is set then <span><strong class="command">smbd</strong></span> will
     482        <a class="indexterm" name="id229398"></a>add user script is set then <span><strong class="command">smbd</strong></span> will
    481483        call the specified script <span class="emphasis"><em>AS ROOT</em></span>, expanding any
    482484        <em class="parameter"><code>%u</code></em> argument to be the user name to create.
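Review bot: The four replaced anchors in this hunk move to id229350, id229357, id229383 and id229398, while neighbouring hunks shift theirs by a small offset (id273737 to id273817, id273891 to id273971), so these name attributes are generator output and not stable between builds. No visible text changes here. Either regenerate the HTML with deterministic ids or keep the generated htmldocs out of the source update, so that real wording changes such as the new add machine script paragraph are not buried in anchor churn.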
     
    486488        match existing Windows NT accounts.
    487489        </p><p>
    488         See also <a class="indexterm" name="id273737"></a>security, <a class="indexterm" name="id273744"></a>password server,
    489         <a class="indexterm" name="id273751"></a>delete user script.
     490        See also <a class="indexterm" name="id273817"></a>security, <a class="indexterm" name="id273824"></a>password server,
     491        <a class="indexterm" name="id273831"></a>delete user script.
    490492        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>add user script</code></em> =
    491493</em></span>
     
    508510    will do all file operations as the super-user (root).</p><p>You should use this option very carefully, as any user in
    509511    this list will be able to do anything they like on the share,
    510     irrespective of file permissions.</p><p>This parameter will not work with the <a class="indexterm" name="id273891"></a>security = share in
     512    irrespective of file permissions.</p><p>This parameter will not work with the <a class="indexterm" name="id273971"></a>security = share in
    511513    Samba 3.0.  This is by design.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>admin users</code></em> =
    512514</em></span>
     
    558560</em></span>
    559561</p></dd><dt><span class="term"><a name="ALLOWTRUSTEDDOMAINS"></a>allow trusted domains (G)</span></dt><dd><p>
    560     This option only takes effect when the <a class="indexterm" name="id274144"></a>security option is set to
     562    This option only takes effect when the <a class="indexterm" name="id274224"></a>security option is set to
    561563    <code class="constant">server</code>,<code class="constant">domain</code> or <code class="constant">ads</code>. 
    562564    If it is set to no, then attempts to connect to a resource from
     
    593595</p></dd><dt><span class="term"><a name="AUTHMETHODS"></a>auth methods (G)</span></dt><dd><p>
    594596    This option allows the administrator to chose what authentication methods <span><strong class="command">smbd</strong></span>
    595     will use when authenticating a user. This option defaults to sensible values based on <a class="indexterm" name="id274314"></a>security. 
     597    will use when authenticating a user. This option defaults to sensible values based on <a class="indexterm" name="id274394"></a>security. 
    596598    This should be considered a developer option and used only in rare circumstances.  In the majority (if not all)
    597599    of production servers, the default setting should be adequate.
     
    621623        affects file service <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> and name service <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a> in a slightly different ways.</p><p>
    622624        For name service it causes <span><strong class="command">nmbd</strong></span> to bind to ports 137 and 138 on the
    623         interfaces listed in the <a class="indexterm" name="id274468"></a>interfaces parameter. <span><strong class="command">nmbd</strong></span>
     625        interfaces listed in the <a class="indexterm" name="id274548"></a>interfaces parameter. <span><strong class="command">nmbd</strong></span>
    624626        also binds to the "all addresses" interface (0.0.0.0) on ports 137 and 138 for the purposes of
    625627        reading broadcast messages.  If this option is not set then <span><strong class="command">nmbd</strong></span> will
    626         service name requests on all of these sockets. If <a class="indexterm" name="id274489"></a>bind interfaces only is set then
     628        service name requests on all of these sockets. If <a class="indexterm" name="id274569"></a>bind interfaces only is set then
    627629        <span><strong class="command">nmbd</strong></span> will check the source address of any packets coming in on the
    628630        broadcast sockets and discard any that don't match the broadcast addresses of the interfaces in the
    629         <a class="indexterm" name="id274503"></a>interfaces parameter list.  As unicast packets are received on the other sockets it
     631        <a class="indexterm" name="id274583"></a>interfaces parameter list.  As unicast packets are received on the other sockets it
    630632        allows <span><strong class="command">nmbd</strong></span> to refuse to serve names to machines that send packets that
    631         arrive through any interfaces not listed in the <a class="indexterm" name="id274518"></a>interfaces list.  IP Source address
     633        arrive through any interfaces not listed in the <a class="indexterm" name="id274598"></a>interfaces list.  IP Source address
    632634        spoofing does defeat this simple check, however, so it must not be used seriously as a security feature for
    633635        <span><strong class="command">nmbd</strong></span>.
    634636        </p><p>
    635         For file service it causes <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> to bind only to the interface list given in the <a class="indexterm" name="id274544"></a>interfaces parameter. This restricts the networks that <span><strong class="command">smbd</strong></span> will
     637        For file service it causes <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> to bind only to the interface list given in the <a class="indexterm" name="id274624"></a>interfaces parameter. This restricts the networks that <span><strong class="command">smbd</strong></span> will
    636638        serve to packets coming in those interfaces.  Note that you should not use this parameter for machines that
    637639        are serving PPP or other intermittent or non-broadcast network interfaces as it will not cope with
    638640        non-permanent interfaces.
    639641        </p><p>
    640         If <a class="indexterm" name="id274562"></a>bind interfaces only is set then unless the network address
    641         <span class="emphasis"><em>127.0.0.1</em></span> is added to the <a class="indexterm" name="id274574"></a>interfaces parameter list
     642        If <a class="indexterm" name="id274642"></a>bind interfaces only is set then unless the network address
     643        <span class="emphasis"><em>127.0.0.1</em></span> is added to the <a class="indexterm" name="id274654"></a>interfaces parameter list
    642644        <a href="smbpasswd.8.html"><span class="citerefentry"><span class="refentrytitle">smbpasswd</span>(8)</span></a> and
    643645        <a href="swat.8.html"><span class="citerefentry"><span class="refentrytitle">swat</span>(8)</span></a> may not work as
     
    646648        To change a users SMB password, the <span><strong class="command">smbpasswd</strong></span> by default connects to the
    647649        <span class="emphasis"><em>localhost - 127.0.0.1</em></span> address as an SMB client to issue the password change request. If
    648         <a class="indexterm" name="id274611"></a>bind interfaces only is set then unless the network address
    649         <span class="emphasis"><em>127.0.0.1</em></span> is added to the <a class="indexterm" name="id274622"></a>interfaces parameter list then <span><strong class="command"> smbpasswd</strong></span> will fail to connect in it's default mode.  <span><strong class="command">smbpasswd</strong></span> can be forced to use the primary IP interface of the local host by using
     650        <a class="indexterm" name="id274691"></a>bind interfaces only is set then unless the network address
     651        <span class="emphasis"><em>127.0.0.1</em></span> is added to the <a class="indexterm" name="id274702"></a>interfaces parameter list then <span><strong class="command"> smbpasswd</strong></span> will fail to connect in it's default mode.  <span><strong class="command">smbpasswd</strong></span> can be forced to use the primary IP interface of the local host by using
    650652        its <a href="smbpasswd.8.html"><span class="citerefentry"><span class="refentrytitle">smbpasswd</span>(8)</span></a>    <em class="parameter"><code>-r <em class="replaceable"><code>remote machine</code></em></code></em> parameter, with <em class="replaceable"><code>remote
    651653        machine</code></em> set to the IP name of the primary interface of the local host.
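Review bot: New line 651 is rewritten only for its anchor ids and still reads "will fail to connect in it's default mode"; the possessive should be "its". The context line above it has the same kind of slip in "To change a users SMB password", and the command markup on line 651 carries a stray leading space inside the strong element before smbpasswd. Since the line is being regenerated anyway, fix these in the documentation source so they do not survive another release.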
     
    691693        this.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>browse list</code></em> = yes
    692694</em></span>
    693 </p></dd><dt><span class="term"><a name="CASESIGNAMES"></a>casesignames</span></dt><dd><p>This parameter is a synonym for case sensitive.</p></dd><dt><span class="term"><a name="CASESENSITIVE"></a>case sensitive (S)</span></dt><dd><p>See the discussion in the section <a class="indexterm" name="id275001"></a>name mangling.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>case sensitive</code></em> = no
     695</p></dd><dt><span class="term"><a name="CASESIGNAMES"></a>casesignames</span></dt><dd><p>This parameter is a synonym for case sensitive.</p></dd><dt><span class="term"><a name="CASESENSITIVE"></a>case sensitive (S)</span></dt><dd><p>See the discussion in the section <a class="indexterm" name="id275081"></a>name mangling.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>case sensitive</code></em> = no
    694696</em></span>
    695697</p></dd><dt><span class="term"><a name="CHANGENOTIFY"></a>change notify (S)</span></dt><dd><p>This parameter specifies whether Samba should reply
     
    766768</p></dd><dt><span class="term"><a name="CLIENTSCHANNEL"></a>client schannel (G)</span></dt><dd><p>
    767769    This controls whether the client offers or even demands the use of the netlogon schannel.
    768     <a class="indexterm" name="id275474"></a>client schannel = no does not offer the schannel,
    769     <a class="indexterm" name="id275481"></a>client schannel = auto offers the schannel but does not
    770     enforce it, and <a class="indexterm" name="id275489"></a>client schannel = yes denies access
     770    <a class="indexterm" name="id275554"></a>client schannel = no does not offer the schannel,
     771    <a class="indexterm" name="id275561"></a>client schannel = auto offers the schannel but does not
     772    enforce it, and <a class="indexterm" name="id275569"></a>client schannel = yes denies access
    771773    if the server is not able to speak netlogon schannel.
    772774    </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>client schannel</code></em> = auto
     
    792794        neighborhood or via <span><strong class="command">net view</strong></span> to list what shares
    793795        are available.</p><p>If you want to set the string that is displayed next to the
    794                 machine name then see the <a class="indexterm" name="id275637"></a>server string parameter.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>comment</code></em> =
     796                machine name then see the <a class="indexterm" name="id275717"></a>server string parameter.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>comment</code></em> =
    795797# No comment
    796798</em></span>
     
    827829        </p><p>
    828830        Following this Samba will bit-wise 'OR' the UNIX mode created from this parameter with the value of the
    829         <a class="indexterm" name="id275845"></a>force create mode parameter which is set to 000 by default.
    830         </p><p>
    831         This parameter does not affect directory masks. See the parameter <a class="indexterm" name="id275856"></a>directory mask
     831        <a class="indexterm" name="id275925"></a>force create mode parameter which is set to 000 by default.
     832        </p><p>
     833        This parameter does not affect directory masks. See the parameter <a class="indexterm" name="id275936"></a>directory mask
    832834        for details.
    833835        </p><p>
    834836        Note that this parameter does not apply to permissions set by Windows NT/2000 ACL editors. If the
    835         administrator wishes to enforce a mask on access control lists also, they need to set the <a class="indexterm" name="id275868"></a>security mask.
     837        administrator wishes to enforce a mask on access control lists also, they need to set the <a class="indexterm" name="id275948"></a>security mask.
    836838        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>create mask</code></em> = 0744
    837839</em></span>
     
    845847        </p><p>
    846848        For example, shares containing roaming profiles can have offline caching disabled using
    847         <a class="indexterm" name="id275933"></a>csc policy = disable.
     849        <a class="indexterm" name="id276013"></a>csc policy = disable.
    848850        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>csc policy</code></em> = manual
    849851</em></span>
     
    851853</em></span>
    852854</p></dd><dt><span class="term"><a name="CUPSOPTIONS"></a>cups options (S)</span></dt><dd><p>
    853     This parameter is only applicable if <a class="indexterm" name="id275986"></a>printing is
     855    This parameter is only applicable if <a class="indexterm" name="id276066"></a>printing is
    854856    set to <code class="constant">cups</code>.  Its value is a free form string of options
    855857    passed directly to the cups library. 
     
    870872</em></span>
    871873</p></dd><dt><span class="term"><a name="CUPSSERVER"></a>cups server (G)</span></dt><dd><p>
    872     This parameter is only applicable if <a class="indexterm" name="id276069"></a>printing is set to <code class="constant">cups</code>.
     874    This parameter is only applicable if <a class="indexterm" name="id276149"></a>printing is set to <code class="constant">cups</code>.
    873875    </p><p>
    874876   If set, this option overrides the ServerName option in the CUPS <code class="filename">client.conf</code>. This is
     
    899901    boolean parameter adds microsecond resolution to the timestamp  message header when turned on.
    900902    </p><p>
    901     Note that the parameter <a class="indexterm" name="id276219"></a>debug timestamp must be on for this to have an effect.
     903    Note that the parameter <a class="indexterm" name="id276299"></a>debug timestamp must be on for this to have an effect.
    902904    </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>debug hires timestamp</code></em> = no
    903905</em></span>
     
    907909    logfile when turned on.
    908910    </p><p>
    909     Note that the parameter <a class="indexterm" name="id276272"></a>debug timestamp must be on for this to have an effect.
     911    Note that the parameter <a class="indexterm" name="id276352"></a>debug timestamp must be on for this to have an effect.
    910912    </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>debug pid</code></em> = no
    911913</em></span>
    912914</p></dd><dt><span class="term"><a name="DEBUGPREFIXTIMESTAMP"></a>debug prefix timestamp (G)</span></dt><dd><p>
    913915    With this option enabled, the timestamp message header is prefixed to the debug message without the
    914     filename and function information that is included with the <a class="indexterm" name="id276315"></a>debug timestamp
     916    filename and function information that is included with the <a class="indexterm" name="id276395"></a>debug timestamp
    915917    parameter. This gives timestamps to the messages without adding an additional line.
    916918    </p><p>
    917     Note that this parameter overrides the <a class="indexterm" name="id276326"></a>debug timestamp parameter.
     919    Note that this parameter overrides the <a class="indexterm" name="id276406"></a>debug timestamp parameter.
    918920    </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>debug prefix timestamp</code></em> = no
    919921</em></span>
    920922</p></dd><dt><span class="term"><a name="TIMESTAMPLOGS"></a>timestamp logs</span></dt><dd><p>This parameter is a synonym for debug timestamp.</p></dd><dt><span class="term"><a name="DEBUGTIMESTAMP"></a>debug timestamp (G)</span></dt><dd><p>
    921923    Samba debug log messages are timestamped by default. If you are running at a high
    922     <a class="indexterm" name="id276388"></a>debug level these timestamps can be distracting. This
     924    <a class="indexterm" name="id276468"></a>debug level these timestamps can be distracting. This
    923925    boolean parameter allows timestamping to be turned off.
    924926        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>debug timestamp</code></em> = yes
     
    928930    current euid, egid, uid and gid to the timestamp message headers in the log file if turned on.
    929931    </p><p>
    930     Note that the parameter <a class="indexterm" name="id276434"></a>debug timestamp must be on for this to have an effect.
     932    Note that the parameter <a class="indexterm" name="id276514"></a>debug timestamp must be on for this to have an effect.
    931933    </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>debug uid</code></em> = no
    932934</em></span>
    933 </p></dd><dt><span class="term"><a name="DEFAULTCASE"></a>default case (S)</span></dt><dd><p>See the section on <a class="indexterm" name="id276474"></a>name mangling.
    934         Also note the <a class="indexterm" name="id276481"></a>short preserve case parameter.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>default case</code></em> = lower
    935 </em></span>
    936 </p></dd><dt><span class="term"><a name="DEFAULTDEVMODE"></a>default devmode (S)</span></dt><dd><p>This parameter is only applicable to <a class="indexterm" name="id276522"></a>printable services.
     935</p></dd><dt><span class="term"><a name="DEFAULTCASE"></a>default case (S)</span></dt><dd><p>See the section on <a class="indexterm" name="id276554"></a>name mangling.
     936        Also note the <a class="indexterm" name="id276561"></a>short preserve case parameter.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>default case</code></em> = lower
     937</em></span>
     938</p></dd><dt><span class="term"><a name="DEFAULTDEVMODE"></a>default devmode (S)</span></dt><dd><p>This parameter is only applicable to <a class="indexterm" name="id276602"></a>printable services.
    937939    When smbd is serving Printer Drivers to Windows NT/2k/XP clients, each printer on the Samba
    938940    server has a Device Mode which defines things such as paper size and
     
    963965        parameter is not given, attempting to connect to a nonexistent
    964966        service results in an error.</p><p>
    965         Typically the default service would be a <a class="indexterm" name="id276633"></a>guest ok, <a class="indexterm" name="id276640"></a>read-only service.</p><p>Also note that the apparent service name will be changed to equal
     967        Typically the default service would be a <a class="indexterm" name="id276708"></a>guest ok, <a class="indexterm" name="id276716"></a>read-only service.</p><p>Also note that the apparent service name will be changed to equal
    966968        that of the requested service, this is very useful as it allows you to use macros like <em class="parameter"><code>%S</code></em> to make a wildcard service.
    967969        </p><p>Note also that any "_" characters in the name of the service
     
    995997    DeletePrinter() RPC call.</p><p>For a Samba host this means that the printer must be
    996998    physically deleted from underlying printing system.  The
    997     <a class="indexterm" name="id276811"></a>deleteprinter command defines a script to be run which
     999    <a class="indexterm" name="id276886"></a>deleteprinter command defines a script to be run which
    9981000    will perform the necessary operations for removing the printer
    9991001    from the print system and from <code class="filename">smb.conf</code>.
    1000     </p><p>The <a class="indexterm" name="id276828"></a>deleteprinter command is
    1001     automatically called with only one parameter: <a class="indexterm" name="id276836"></a>printer name.
    1002         </p><p>Once the <a class="indexterm" name="id276846"></a>deleteprinter command has
     1002    </p><p>The <a class="indexterm" name="id276904"></a>deleteprinter command is
     1003    automatically called with only one parameter: <a class="indexterm" name="id276912"></a>printer name.
     1004        </p><p>Once the <a class="indexterm" name="id276922"></a>deleteprinter command has
    10031005    been executed, <span><strong class="command">smbd</strong></span> will reparse the <code class="filename">
    10041006    smb.conf</code> to associated printer no longer exists. 
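Review bot: The context sentence that closes this hunk, "smbd will reparse the smb.conf to associated printer no longer exists", is missing words and does not say what the reparse is checking. The three replaced lines above it change only anchor ids, so this update was a chance to correct the sentence in the source; please reword it there so the deleteprinter command description states what smbd does after the script returns.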
     
    10301032                        </p></li></ul></div><p>
    10311033        This parameter is only used to remove file shares.  To delete printer shares,
    1032         see the <a class="indexterm" name="id277034"></a>deleteprinter command.
     1034        see the <a class="indexterm" name="id277110"></a>deleteprinter command.
    10331035        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>delete share command</code></em> =
    10341036</em></span>
     
    10551057</p></dd><dt><span class="term"><a name="DELETEVETOFILES"></a>delete veto files (S)</span></dt><dd><p>This option is used when Samba is attempting to
    10561058        delete a directory that contains one or more vetoed directories
    1057         (see the <a class="indexterm" name="id277224"></a>veto files
     1059        (see the <a class="indexterm" name="id277300"></a>veto files
    10581060        option).  If this option is set to <code class="constant">no</code> (the default) then if a vetoed
    10591061        directory contains any non-vetoed files or directories then the
     
    10631065        serving systems such as NetAtalk which create meta-files within
    10641066        directories you might normally veto DOS/Windows users from seeing
    1065         (e.g. <code class="filename">.AppleDouble</code>)</p><p>Setting <a class="indexterm" name="id277254"></a>delete veto files = yes allows these
     1067        (e.g. <code class="filename">.AppleDouble</code>)</p><p>Setting <a class="indexterm" name="id277330"></a>delete veto files = yes allows these
    10661068        directories to be  transparently deleted when the parent directory
    10671069        is deleted (so long as the user has permissions to do so).</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>delete veto files</code></em> = no
     
    10751077        This is a new parameter introduced in Samba version 3.0.21.  It specifies in seconds the time that smbd will
    10761078        cache the output of a disk free query. If set to zero (the default) no caching is done. This allows a heavily
    1077         loaded server to prevent rapid spawning of <a class="indexterm" name="id277309"></a>dfree command scripts increasing the load.
     1079        loaded server to prevent rapid spawning of <a class="indexterm" name="id277385"></a>dfree command scripts increasing the load.
    10781080        </p><p>
    10791081        By default this parameter is zero, meaning no caching will be done.
     
    10911093        </p><p>
    10921094        In Samba version 3.0.21 this parameter has been changed to be a per-share parameter, and in addition the
    1093         parameter <a class="indexterm" name="id277376"></a>dfree cache time was added to allow the output of this script to be cached
     1095        parameter <a class="indexterm" name="id277452"></a>dfree cache time was added to allow the output of this script to be cached
    10941096        for systems under heavy load.
    10951097        </p><p>
     
    11291131    and 'other' write bits from the UNIX mode, allowing only the
    11301132    user who owns the directory to modify it.</p><p>Following this Samba will bit-wise 'OR' the UNIX mode
    1131     created from this parameter with the value of the <a class="indexterm" name="id277504"></a>force directory mode parameter.
     1133    created from this parameter with the value of the <a class="indexterm" name="id277580"></a>force directory mode parameter.
    11321134    This parameter is set to 000 by default (i.e. no extra mode bits are added).</p><p>Note that this parameter does not apply to permissions
    11331135    set by Windows NT/2000 ACL editors. If the administrator wishes to enforce
    1134     a mask on access control lists also, they need to set the <a class="indexterm" name="id277517"></a>directory security mask.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>directory mask</code></em> = 0755
     1136    a mask on access control lists also, they need to set the <a class="indexterm" name="id277593"></a>directory security mask.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>directory mask</code></em> = 0755
    11351137</em></span>
    11361138</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>directory mask</code></em> = 0775
     
    11411143    box.</p><p>
    11421144        This parameter is applied as a mask (AND'ed with) to the changed permission bits, thus preventing any bits not
    1143         in this mask from being modified.  Make sure not to mix up this parameter with <a class="indexterm" name="id277576"></a>force  directory security mode, which works similar like this one but uses logical OR instead of AND.
     1145        in this mask from being modified.  Make sure not to mix up this parameter with <a class="indexterm" name="id277652"></a>force  directory security mode, which works similar like this one but uses logical OR instead of AND.
    11441146        Essentially, zero bits in this mask may be treated as a set of bits the user is not allowed to change.
    11451147        </p><p>If not set explicitly this parameter is set to 0777
     
    11751177        The default value is "LOCALE", which means automatically set, depending on the
    11761178        current locale. The value should generally be the same as the value of the parameter
    1177         <a class="indexterm" name="id277728"></a>unix charset.
     1179        <a class="indexterm" name="id277804"></a>unix charset.
    11781180        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>display charset</code></em> = "LOCALE" or "ASCII" (depending on the system)
    11791181</em></span>
     
    12071209        If set to <code class="constant">yes</code>, the Samba server will
    12081210        provide the netlogon service for Windows 9X network logons for the
    1209         <a class="indexterm" name="id277888"></a>workgroup it is in.
     1211        <a class="indexterm" name="id277964"></a>workgroup it is in.
    12101212        This will also cause the Samba server to act as a domain
    12111213        controller for NT4 style domain services. For more details on
     
    12181220        WAN-wide browse list collation. Setting this option causes <span><strong class="command">nmbd</strong></span> to claim a
    12191221        special domain specific NetBIOS name that identifies it as a domain master browser for its given
    1220         <a class="indexterm" name="id277946"></a>workgroup. Local master browsers in the same <a class="indexterm" name="id277953"></a>workgroup on
     1222        <a class="indexterm" name="id278021"></a>workgroup. Local master browsers in the same <a class="indexterm" name="id278029"></a>workgroup on
    12211223        broadcast-isolated subnets will give this <span><strong class="command">nmbd</strong></span> their local browse lists,
    12221224        and then ask <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> for a
     
    12251227        broadcast-isolated subnet.
    12261228        </p><p>
    1227         Note that Windows NT Primary Domain Controllers expect to be able to claim this <a class="indexterm" name="id277981"></a>workgroup specific special NetBIOS name that identifies them as domain master browsers for that
    1228         <a class="indexterm" name="id277988"></a>workgroup by default (i.e. there is no way to prevent a Windows NT PDC from attempting
     1229        Note that Windows NT Primary Domain Controllers expect to be able to claim this <a class="indexterm" name="id278056"></a>workgroup specific special NetBIOS name that identifies them as domain master browsers for that
     1230        <a class="indexterm" name="id278064"></a>workgroup by default (i.e. there is no way to prevent a Windows NT PDC from attempting
    12291231        to do this). This means that if this parameter is set and <span><strong class="command">nmbd</strong></span> claims the
    1230         special name for a <a class="indexterm" name="id278003"></a>workgroup before a Windows NT PDC is able to do so then cross
     1232        special name for a <a class="indexterm" name="id278078"></a>workgroup before a Windows NT PDC is able to do so then cross
    12311233        subnet browsing will behave strangely and may fail.
    12321234        </p><p>
    1233         If <a class="indexterm" name="id278014"></a>domain logons = yes, then the default behavior is to enable the
    1234         <a class="indexterm" name="id278021"></a>domain master parameter.  If <a class="indexterm" name="id278029"></a>domain logons is not enabled (the
    1235         default setting), then neither will <a class="indexterm" name="id278036"></a>domain master be enabled by default.
    1236         </p><p>
    1237         When <a class="indexterm" name="id278047"></a>domain logons = Yes the default setting for this parameter is
    1238         Yes, with the result that Samba will be a PDC. If <a class="indexterm" name="id278055"></a>domain master = No,
     1235        If <a class="indexterm" name="id278090"></a>domain logons = yes, then the default behavior is to enable the
     1236        <a class="indexterm" name="id278097"></a>domain master parameter.  If <a class="indexterm" name="id278104"></a>domain logons is not enabled (the
     1237        default setting), then neither will <a class="indexterm" name="id278112"></a>domain master be enabled by default.
     1238        </p><p>
     1239        When <a class="indexterm" name="id278123"></a>domain logons = Yes the default setting for this parameter is
     1240        Yes, with the result that Samba will be a PDC. If <a class="indexterm" name="id278130"></a>domain master = No,
    12391241        Samba will function as a BDC. In general, this parameter should be set to 'No' only on a BDC.
    12401242        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>domain master</code></em> = auto
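Review bot: new lines 1235-1237 and 1239-1240 state the same default twice ("If domain logons = yes, then the default behavior is to enable the domain master parameter" and "When domain logons = Yes the default setting for this parameter is Yes"), with yes and Yes spelled differently. Both paragraphs are touched by this change, so merge them into one and keep the PDC/BDC consequence from line 1240-1241, which is what an administrator needs when choosing the value.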
     
    13421344    <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> must either
    13431345    have access to a local <a href="smbpasswd.5.html"><span class="citerefentry"><span class="refentrytitle">smbpasswd</span>(5)</span></a> file (see the <a href="smbpasswd.8.html"><span class="citerefentry"><span class="refentrytitle">smbpasswd</span>(8)</span></a> program for information on how to set up
    1344     and maintain this file), or set the <a class="indexterm" name="id229365"></a>security = [server|domain|ads] parameter which
     1346    and maintain this file), or set the <a class="indexterm" name="id278606"></a>security = [server|domain|ads] parameter which
    13451347    causes <span><strong class="command">smbd</strong></span> to authenticate against another
    13461348        server.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>encrypt passwords</code></em> = yes
     
    14181420        file open/close operations. This can give enormous performance benefits.
    14191421        </p><p>When you set <span><strong class="command">fake oplocks = yes</strong></span>, <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> will
    1420         always grant oplock requests no matter how many clients are using the file.</p><p>It is generally much better to use the real <a class="indexterm" name="id278900"></a>oplocks support rather
     1422        always grant oplock requests no matter how many clients are using the file.</p><p>It is generally much better to use the real <a class="indexterm" name="id278911"></a>oplocks support rather
    14211423        than this parameter.</p><p>If you enable this option on all read-only shares or
    14221424        shares that you know will only be accessed from one client at a
     
    14681470        </p><p>
    14691471        This parameter is applied as a mask (OR'ed with) to the changed permission bits, thus forcing any bits in this
    1470         mask that the user may have modified to be on.  Make sure not to mix up this parameter with <a class="indexterm" name="id279143"></a>directory security mask, which works in a similar manner to this one, but uses a logical AND instead
     1472        mask that the user may have modified to be on.  Make sure not to mix up this parameter with <a class="indexterm" name="id279154"></a>directory security mask, which works in a similar manner to this one, but uses a logical AND instead
    14711473        of an OR.
    14721474        </p><p>
     
    15021504    primary group assigned to sys when accessing this Samba share. All
    15031505    other users will retain their ordinary primary group.</p><p>
    1504         If the <a class="indexterm" name="id279255"></a>force user parameter is also set the group specified in
     1506        If the <a class="indexterm" name="id279266"></a>force user parameter is also set the group specified in
    15051507    <em class="parameter"><code>force group</code></em> will override the primary group
    15061508    set in <em class="parameter"><code>force user</code></em>.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>force group</code></em> =
     
    15361538        </p><p>
    15371539        This parameter is applied as a mask (OR'ed with) to the changed permission bits, thus forcing any bits in this
    1538         mask that the user may have modified to be on.  Make sure not to mix up this parameter with <a class="indexterm" name="id279401"></a>security mask, which works similar like this one but uses logical AND instead of OR.
     1540        mask that the user may have modified to be on.  Make sure not to mix up this parameter with <a class="indexterm" name="id279408"></a>security mask, which works similar like this one but uses logical AND instead of OR.
    15391541        </p><p>
    15401542        Essentially, one bits in this mask may be treated as a set of bits that, when modifying security on a file,
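Review bot: new line 1540 keeps "which works similar like this one but uses logical AND instead of OR". The matching warning at new line 1472 is worded "works in a similar manner to this one, but uses a logical AND instead of an OR"; use that wording here as well so the two entries agree and the AND versus OR distinction between the mask and the force parameter reads cleanly.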
     
    16041606    caching algorithm will be used to reduce the time taken for getwd()
    16051607    calls. This can have a significant impact on performance, especially
    1606     when the <a class="indexterm" name="id279805"></a>wide smbconfoptions parameter is set to <code class="constant">no</code>.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>getwd cache</code></em> = yes
     1608    when the <a class="indexterm" name="id279813"></a>wide smbconfoptions parameter is set to <code class="constant">no</code>.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>getwd cache</code></em> = yes
    16071609</em></span>
    16081610</p></dd><dt><span class="term"><a name="GUESTACCOUNT"></a>guest account (G)</span></dt><dd><p>This is a username which will be used for access
    1609     to services which are specified as <a class="indexterm" name="id279850"></a>guest ok (see below). Whatever privileges this
     1611    to services which are specified as <a class="indexterm" name="id279857"></a>guest ok (see below). Whatever privileges this
    16101612    user has will be available to any client connecting to the guest service.
    16111613    This user must exist in the password file, but does not require
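Review bot: new line 1608 refers to "the wide smbconfoptions parameter", which is not a parameter name and looks like a cross-reference that failed to expand (probably wide links). The sentence ties a performance effect to that parameter being set to no, so the reader needs the real name; fix the reference in the source and regenerate the page.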
     
    16261628</p></dd><dt><span class="term"><a name="PUBLIC"></a>public</span></dt><dd><p>This parameter is a synonym for guest ok.</p></dd><dt><span class="term"><a name="GUESTOK"></a>guest ok (S)</span></dt><dd><p>If this parameter is <code class="constant">yes</code> for
    16271629    a service, then no password is required to connect to the service.
    1628     Privileges will be those of the <a class="indexterm" name="id279957"></a>guest account.</p><p>This paramater nullifies the benifits of setting
    1629     <a class="indexterm" name="id279968"></a>restrict anonymous = 2
    1630         </p><p>See the section below on <a class="indexterm" name="id279979"></a>security for more information about this option.
     1630    Privileges will be those of the <a class="indexterm" name="id279965"></a>guest account.</p><p>This paramater nullifies the benifits of setting
     1631    <a class="indexterm" name="id279976"></a>restrict anonymous = 2
     1632        </p><p>See the section below on <a class="indexterm" name="id279986"></a>security for more information about this option.
    16311633        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>guest ok</code></em> = no
    16321634</em></span>
    16331635</p></dd><dt><span class="term"><a name="ONLYGUEST"></a>only guest</span></dt><dd><p>This parameter is a synonym for guest only.</p></dd><dt><span class="term"><a name="GUESTONLY"></a>guest only (S)</span></dt><dd><p>If this parameter is <code class="constant">yes</code> for
    16341636    a service, then only guest connections to the service are permitted.
    1635     This parameter will have no effect if <a class="indexterm" name="id280044"></a>guest ok is not set for the service.</p><p>See the section below on <a class="indexterm" name="id280055"></a>security for more information about this option.
     1637    This parameter will have no effect if <a class="indexterm" name="id280052"></a>guest ok is not set for the service.</p><p>See the section below on <a class="indexterm" name="id280063"></a>security for more information about this option.
    16361638        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>guest only</code></em> = no
    16371639</em></span>
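Review bot: new line 1630 carries over "This paramater nullifies the benifits of setting" (parameter, benefits), and the sentence that continues on line 1631 ends without a full stop. This is the one sentence in the guest ok entry that warns about its interaction with restrict anonymous = 2, so it is worth correcting while the line is being changed.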
     
    16751677</em></span>
    16761678</p></dd><dt><span class="term"><a name="HOMEDIRMAP"></a>homedir map (G)</span></dt><dd><p>
    1677         If <a class="indexterm" name="id280303"></a>nis homedir is <code class="constant">yes</code>, and <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> is also acting         as a Win95/98 <em class="parameter"><code>logon server</code></em>
     1679        If <a class="indexterm" name="id280310"></a>nis homedir is <code class="constant">yes</code>, and <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> is also acting         as a Win95/98 <em class="parameter"><code>logon server</code></em>
    16781680        then this parameter specifies the NIS (or YP) map from which the server for the user's  home directory should be extracted. 
    16791681        At present, only the Sun auto.home map format is understood. The form of the map is:
     
    16931695        Dfs trees hosted on the server.
    16941696        </p><p>
    1695         See also the <a class="indexterm" name="id280400"></a>msdfs root share  level  parameter.  For more  information  on
     1697        See also the <a class="indexterm" name="id280408"></a>msdfs root share  level  parameter.  For more  information  on
    16961698        setting  up a Dfs tree on Samba, refer to the MSFDS chapter in the book Samba3-HOWTO.
    16971699        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>host msdfs</code></em> = yes
     
    17051707</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>hostname lookups</code></em> = yes
    17061708</em></span>
    1707 </p></dd><dt><span class="term"><a name="ALLOWHOSTS"></a>allow hosts</span></dt><dd><p>This parameter is a synonym for hosts allow.</p></dd><dt><span class="term"><a name="HOSTSALLOW"></a>hosts allow (S)</span></dt><dd><p>A synonym for this parameter is <a class="indexterm" name="id280521"></a>allow hosts.</p><p>This parameter is a comma, space, or tab delimited
     1709</p></dd><dt><span class="term"><a name="ALLOWHOSTS"></a>allow hosts</span></dt><dd><p>This parameter is a synonym for hosts allow.</p></dd><dt><span class="term"><a name="HOSTSALLOW"></a>hosts allow (S)</span></dt><dd><p>A synonym for this parameter is <a class="indexterm" name="id280528"></a>allow hosts.</p><p>This parameter is a comma, space, or tab delimited
    17081710    set of hosts which are permitted to access a service.</p><p>If specified in the [global] section then it will
    17091711    apply to all services, regardless of whether the individual
     
    17151717    page may not be present on your system, so a brief description will
    17161718    be given here also.</p><p>Note that the localhost address 127.0.0.1 will always
    1717     be allowed access unless specifically denied by a <a class="indexterm" name="id280559"></a>hosts deny option.</p><p>You can also specify hosts by network/netmask pairs and
     1719    be allowed access unless specifically denied by a <a class="indexterm" name="id280567"></a>hosts deny option.</p><p>You can also specify hosts by network/netmask pairs and
    17181720    by netgroup names if your system supports netgroups. The
    17191721    <span class="emphasis"><em>EXCEPT</em></span> keyword can also be used to limit a
     
    17321734        In the event that it is necessary to deny all by default, use the keyword
    17331735        ALL (or the netmask <code class="literal">0.0.0.0/0</code>) and then explicitly specify
    1734         to the <a class="indexterm" name="id280736"></a>hosts allow = hosts allow parameter those hosts
     1736        to the <a class="indexterm" name="id280743"></a>hosts allow = hosts allow parameter those hosts
    17351737        that should be permitted access.
    17361738        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>hosts deny</code></em> =
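Review bot: new line 1736 reads "to the hosts allow = hosts allow parameter those hosts", with the parameter name repeated around an equals sign. It looks like a cross-reference rendered with its own name as the value; the sentence should read "to the hosts allow parameter". This paragraph describes the deny-all-by-default setup, so text that could be mistaken for a literal setting should be cleaned up here.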
     
    17421744        The idmap alloc backend provides a plugin interface for Winbind to use
    17431745        when allocating Unix uids/gids for Windows SIDs.  This option is
    1744         to be used in conjunction with the <a class="indexterm" name="id280790"></a>idmap domains
     1746        to be used in conjunction with the <a class="indexterm" name="id280797"></a>idmap domains
    17451747        parameter and refers to the name of the idmap module which will provide
    17461748        the id allocation functionality.  Please refer to the man page
     
    17481750        the allocation feature.  The most common plugins are the tdb (<a href="idmap_tdb.8.html"><span class="citerefentry"><span class="refentrytitle">idmap_tdb</span>(8)</span></a>)
    17491751        and ldap (<a href="idmap_ldap.8.html"><span class="citerefentry"><span class="refentrytitle">idmap_ldap</span>(8)</span></a>) libraries.
    1750         </p><p>Also refer to the <a class="indexterm" name="id280819"></a>idmap alloc config option.
     1752        </p><p>Also refer to the <a class="indexterm" name="id280826"></a>idmap alloc config option.
    17511753        </p><p><span class="emphasis"><em>No default</em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>idmap alloc backend</code></em> = tdb
    17521754</em></span>
    17531755</p></dd><dt><span class="term"><a name="IDMAPALLOCCONFIG"></a>idmap alloc config (G)</span></dt><dd><p>
    17541756        The idmap alloc config prefix provides a means of managing settings
    1755         for the backend defined by the <a class="indexterm" name="id280864"></a>idmap alloc backend
     1757        for the backend defined by the <a class="indexterm" name="id280871"></a>idmap alloc backend
    17561758        parameter.  Refer to the man page for each idmap plugin regarding
    17571759        specific configuration details.
     
    17601762        varying backends to store SID/uid/gid mapping tables.  This
    17611763        option is mutually exclusive with the newer and more flexible
    1762         <a class="indexterm" name="id280899"></a>idmap domains parameter.  The main difference
     1764        <a class="indexterm" name="id280906"></a>idmap domains parameter.  The main difference
    17631765        between the "idmap backend" and the "idmap domains"
    17641766        is that the former only allows on backend for all domains while the
     
    17751777</p></dd><dt><span class="term"><a name="IDMAPCONFIG"></a>idmap config (G)</span></dt><dd><p>
    17761778        The idmap config prefix provides a means of managing each domain
    1777         defined by the <a class="indexterm" name="id281011"></a>idmap domains option using Samba's
     1779        defined by the <a class="indexterm" name="id281018"></a>idmap domains option using Samba's
    17781780        parameteric option support.  The idmap config prefix should be
    17791781        followed by the name of the domain, a colon, and a setting specific to
     
    17891791                </p></dd><dt><span class="term">readonly = [yes|no]</span></dt><dd><p>
    17901792                        Mark the domain as readonly which means that no attempts to
    1791                         allocate a uid or gid (by the <a class="indexterm" name="id281058"></a>idmap alloc     backend) for any user or group in that domain
     1793                        allocate a uid or gid (by the <a class="indexterm" name="id281066"></a>idmap alloc     backend) for any user or group in that domain
    17921794                        will be attempted.
    17931795                </p></dd></dl></div><p>
     
    18081810        The idmap domains option defines a list of Windows domains which will each
    18091811        have a separately configured backend for managing Winbind's SID/uid/gid
    1810         tables.  This parameter is mutually exclusive with the older <a class="indexterm" name="id281126"></a>idmap backend option.
     1812        tables.  This parameter is mutually exclusive with the older <a class="indexterm" name="id281133"></a>idmap backend option.
    18111813        </p><p>
    18121814        Values consist of the short domain name for Winbind's primary or collection
     
    18141816        domain backend for any domain not explicitly listed.
    18151817        </p><p>
    1816         Refer to the <a class="indexterm" name="id281141"></a>idmap config for details about
     1818        Refer to the <a class="indexterm" name="id281149"></a>idmap config for details about
    18171819        managing the SID/uid/gid backend for each domain.
    18181820        </p><p><span class="emphasis"><em>No default</em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>idmap domains</code></em> = default AD CORP
     
    18221824        SIDs. This range of group ids should have no
    18231825        existing local or NIS groups within it as strange conflicts can
    1824         occur otherwise.</p><p>See also the <a class="indexterm" name="id281214"></a>idmap backend, <a class="indexterm" name="id281221"></a>idmap domains, and <a class="indexterm" name="id281228"></a>idmap config options.
     1826        occur otherwise.</p><p>See also the <a class="indexterm" name="id281221"></a>idmap backend, <a class="indexterm" name="id281228"></a>idmap domains, and <a class="indexterm" name="id281235"></a>idmap config options.
    18251827        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>idmap gid</code></em> =
    18261828</em></span>
     
    18351837        allocated for use in mapping UNIX users to NT user SIDs. This
    18361838        range of ids should have no existing local
    1837         or NIS users within it as strange conflicts can occur otherwise.</p><p>See also the <a class="indexterm" name="id281340"></a>idmap backend, <a class="indexterm" name="id281347"></a>idmap domains, and <a class="indexterm" name="id281354"></a>idmap config options.
     1839        or NIS users within it as strange conflicts can occur otherwise.</p><p>See also the <a class="indexterm" name="id281348"></a>idmap backend, <a class="indexterm" name="id281355"></a>idmap domains, and <a class="indexterm" name="id281362"></a>idmap config options.
    18381840        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>idmap uid</code></em> =
    18391841</em></span>
     
    18671869</em></span>
    18681870</p></dd><dt><span class="term"><a name="INHERITPERMISSIONS"></a>inherit permissions (S)</span></dt><dd><p>
    1869         The permissions on new files and directories are normally governed by <a class="indexterm" name="id281548"></a>create mask,
    1870         <a class="indexterm" name="id281555"></a>directory mask, <a class="indexterm" name="id281562"></a>force create mode and <a class="indexterm" name="id281570"></a>force directory mode but the boolean inherit permissions parameter overrides this.
     1871        The permissions on new files and directories are normally governed by <a class="indexterm" name="id281556"></a>create mask,
     1872        <a class="indexterm" name="id281563"></a>directory mask, <a class="indexterm" name="id281570"></a>force create mode and <a class="indexterm" name="id281577"></a>force directory mode but the boolean inherit permissions parameter overrides this.
    18711873        </p><p>New directories inherit the mode of the parent directory,
    18721874    including bits such as setgid.</p><p>
    18731875        New files inherit their read/write bits from the parent directory.  Their execute bits continue to be
    1874         determined by <a class="indexterm" name="id281586"></a>map archive, <a class="indexterm" name="id281593"></a>map hidden and <a class="indexterm" name="id281600"></a>map system as usual.
     1876        determined by <a class="indexterm" name="id281593"></a>map archive, <a class="indexterm" name="id281600"></a>map hidden and <a class="indexterm" name="id281607"></a>map system as usual.
    18751877        </p><p>Note that the setuid bit is <span class="emphasis"><em>never</em></span> set via
    18761878    inheritance (the code explicitly prohibits this).</p><p>This can be particularly useful on large systems with
     
    19231925</em></span>
    19241926</p></dd><dt><span class="term"><a name="IPRINTSERVER"></a>iprint server (G)</span></dt><dd><p>
    1925     This parameter is only applicable if <a class="indexterm" name="id281833"></a>printing is set to <code class="constant">iprint</code>.
     1927    This parameter is only applicable if <a class="indexterm" name="id281841"></a>printing is set to <code class="constant">iprint</code>.
    19261928    </p><p>
    19271929   If set, this option overrides the ServerName option in the CUPS <code class="filename">client.conf</code>. This is
     
    19361938    sent. Keepalive packets, if sent, allow the server to tell whether
    19371939    a client is still present and responding.</p><p>Keepalives should, in general, not be needed if the socket
    1938     has the SO_KEEPALIVE attribute set on it by default. (see <a class="indexterm" name="id281912"></a>socket options).
     1940    has the SO_KEEPALIVE attribute set on it by default. (see <a class="indexterm" name="id281919"></a>socket options).
    19391941Basically you should only use this option if you strike difficulties.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>keepalive</code></em> = 300
    19401942</em></span>
     
    19481950        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>kernel change notify</code></em> = yes
    19491951</em></span>
    1950 </p></dd><dt><span class="term"><a name="KERNELOPLOCKS"></a>kernel oplocks (G)</span></dt><dd><p>For UNIXes that support kernel based <a class="indexterm" name="id282002"></a>oplocks
     1952</p></dd><dt><span class="term"><a name="KERNELOPLOCKS"></a>kernel oplocks (G)</span></dt><dd><p>For UNIXes that support kernel based <a class="indexterm" name="id282010"></a>oplocks
    19511953        (currently only IRIX and the Linux 2.4 kernel), this parameter
    19521954        allows the use of them to be turned on or off.</p><p>Kernel oplocks support allows Samba <em class="parameter"><code>oplocks
     
    19851987</em></span>
    19861988</p></dd><dt><span class="term"><a name="LDAPADMINDN"></a>ldap admin dn (G)</span></dt><dd><p>
    1987         The <a class="indexterm" name="id282195"></a>ldap admin dn defines the Distinguished  Name (DN) name used by Samba to contact
    1988         the ldap server when retreiving  user account information. The <a class="indexterm" name="id282203"></a>ldap admin dn is used
     1989        The <a class="indexterm" name="id282202"></a>ldap admin dn defines the Distinguished  Name (DN) name used by Samba to contact
     1990        the ldap server when retreiving  user account information. The <a class="indexterm" name="id282210"></a>ldap admin dn is used
    19891991        in conjunction with the admin dn password stored in the <code class="filename">private/secrets.tdb</code>
    19901992        file.  See the <a href="smbpasswd.8.html"><span class="citerefentry"><span class="refentrytitle">smbpasswd</span>(8)</span></a>
    19911993        man page for more information on how  to accomplish this.
    19921994        </p><p>
    1993         The <a class="indexterm" name="id282228"></a>ldap admin dn requires a fully specified DN. The <a class="indexterm" name="id282236"></a>ldap  suffix is not appended to the <a class="indexterm" name="id282243"></a>ldap admin dn.
     1995        The <a class="indexterm" name="id282236"></a>ldap admin dn requires a fully specified DN. The <a class="indexterm" name="id282243"></a>ldap  suffix is not appended to the <a class="indexterm" name="id282250"></a>ldap admin dn.
    19941996        </p><p><span class="emphasis"><em>No default</em></span></p></dd><dt><span class="term"><a name="LDAPDELETEDN"></a>ldap delete dn (G)</span></dt><dd><p> This parameter specifies whether a delete
    19951997        operation in the ldapsam deletes the complete entry or only the attributes
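Review bot: new lines 1989-1990 keep "retreiving" (retrieving) and the redundant "Distinguished  Name (DN) name". Suggest "defines the Distinguished Name (DN) used by Samba to contact the ldap server when retrieving user account information", and collapse the doubled spaces in "ldap  suffix" on line 1995 so the parameter name matches its spelling elsewhere in the entry.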
     
    19992001</p></dd><dt><span class="term"><a name="LDAPGROUPSUFFIX"></a>ldap group suffix (G)</span></dt><dd><p>This parameter specifies the suffix that is
    20002002        used for groups when these are added to the LDAP directory.
    2001         If this parameter is unset, the value of <a class="indexterm" name="id282311"></a>ldap suffix will be used instead.  The suffix string is pre-pended to the
    2002         <a class="indexterm" name="id282319"></a>ldap suffix string so use a partial DN.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>ldap group suffix</code></em> =
     2003        If this parameter is unset, the value of <a class="indexterm" name="id282318"></a>ldap suffix will be used instead.  The suffix string is pre-pended to the
     2004        <a class="indexterm" name="id282326"></a>ldap suffix string so use a partial DN.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>ldap group suffix</code></em> =
    20032005</em></span>
    20042006</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>ldap group suffix</code></em> = ou=Groups
     
    20062008</p></dd><dt><span class="term"><a name="LDAPIDMAPSUFFIX"></a>ldap idmap suffix (G)</span></dt><dd><p>
    20072009        This parameters specifies the suffix that is used when storing idmap mappings. If this parameter
    2008         is unset, the value of <a class="indexterm" name="id282372"></a>ldap suffix will be used instead.  The suffix
    2009         string is pre-pended to the <a class="indexterm" name="id282379"></a>ldap suffix string so use a partial DN.
     2010        is unset, the value of <a class="indexterm" name="id282379"></a>ldap suffix will be used instead.  The suffix
     2011        string is pre-pended to the <a class="indexterm" name="id282387"></a>ldap suffix string so use a partial DN.
    20102012        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>ldap idmap suffix</code></em> =
    20112013</em></span>
     
    20142016</p></dd><dt><span class="term"><a name="LDAPMACHINESUFFIX"></a>ldap machine suffix (G)</span></dt><dd><p>
    20152017        It specifies where machines should be added to the ldap tree.  If this parameter is unset, the value of
    2016         <a class="indexterm" name="id282432"></a>ldap suffix will be used instead.  The suffix string is pre-pended to the
    2017         <a class="indexterm" name="id282439"></a>ldap suffix string so use a partial DN.
     2018        <a class="indexterm" name="id282439"></a>ldap suffix will be used instead.  The suffix string is pre-pended to the
     2019        <a class="indexterm" name="id282447"></a>ldap suffix string so use a partial DN.
    20182020        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>ldap machine suffix</code></em> =
    20192021</em></span>
     
    20252027        change via SAMBA. 
    20262028        </p><p>
    2027         The <a class="indexterm" name="id282496"></a>ldap passwd sync can be set to one of three values:
     2029        The <a class="indexterm" name="id282504"></a>ldap passwd sync can be set to one of three values:
    20282030        </p><div class="itemizedlist"><ul type="disc"><li><p><em class="parameter"><code>Yes</code></em>  =  Try
    20292031                        to update the LDAP, NT and LM passwords and update the pwdLastSet time.</p></li><li><p><em class="parameter"><code>No</code></em> = Update NT and
     
    20432045        The value is specified in milliseconds, the maximum value is 5000 (5 seconds).
    20442046        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>ldap replication sleep</code></em> = 1000
     2047</em></span>
     2048</p></dd><dt><span class="term"><a name="LDAPSAM:EDITPOSIX"></a>ldapsam:editposix (G)</span></dt><dd><p>
     2049        Editposix is an option that leverages ldapsam:trusted to make it simpler to manage a domain controller
     2050        eliminating the need to set up custom scripts to add and manage the posix users and groups. This option
     2051        will instead directly manipulate the ldap tree to create, remove and modify user and group entries.
     2052        This option also requires a running winbindd as it is used to allocate new uids/gids on user/group
     2053        creation. The allocation range must be therefore configured.
     2054        </p><p>
     2055        To use this option, a basic ldap tree must be provided and the ldap suffix parameters must be properly
     2056        configured. On virgin servers the default users and groups (Administrator, Guest, Domain Users,
     2057        Domain Admins, Domain Guests) can be precreated with the command <span><strong class="command">net sam
     2058        provision</strong></span>. To run this command the ldap server must be running, Winindd must be running and
     2059        the smb.conf ldap options must be properly configured.
     2060
     2061        The tipical ldap setup used with the <a class="indexterm" name="id282650"></a>ldapsam:trusted = yes option
     2062        is usually sufficient to use <a class="indexterm" name="id282658"></a>ldapsam:editposix = yes as well.
     2063        </p><p>
     2064        An example configuration can be the following:
     2065
     2066        </p><pre class="programlisting">
     2067        encrypt passwords = true
     2068        passdb backend = ldapsam
     2069
     2070        ldapsam:trusted=yes
     2071        ldapsam:editposix=yes
     2072
     2073        ldap admin dn = cn=admin,dc=samba,dc=org
     2074        ldap delete dn = yes
     2075        ldap group suffix = ou=groups
     2076        ldap idmap suffix = ou=idmap
     2077        ldap machine suffix = ou=computers
     2078        ldap user suffix = ou=users
     2079        ldap suffix = dc=samba,dc=org
     2080
     2081        idmap backend = ldap:"ldap://localhost"
     2082
     2083        idmap uid = 5000-50000
     2084        idmap gid = 5000-50000
     2085        </pre><p>
     2086
     2087        This configuration assume the ldap server have been loaded with a base tree like described
     2088        in the following ldif:
     2089
     2090        </p><pre class="programlisting">
     2091        dn: dc=samba,dc=org
     2092        objectClass: top
     2093        objectClass: dcObject
     2094        objectClass: organization
     2095        o: samba.org
     2096        dc: samba
     2097
     2098        dn: cn=admin,dc=samba,dc=org
     2099        objectClass: simpleSecurityObject
     2100        objectClass: organizationalRole
     2101        cn: admin
     2102        description: LDAP administrator
     2103        userPassword: secret
     2104
     2105        dn: ou=users,dc=samba,dc=org
     2106        objectClass: top
     2107        objectClass: organizationalUnit
     2108        ou: users
     2109
     2110        dn: ou=groups,dc=samba,dc=org
     2111        objectClass: top
     2112        objectClass: organizationalUnit
     2113        ou: groups
     2114
     2115        dn: ou=idmap,dc=samba,dc=org
     2116        objectClass: top
     2117        objectClass: organizationalUnit
     2118        ou: idmap
     2119
     2120        dn: ou=computers,dc=samba,dc=org
     2121        objectClass: top
     2122        objectClass: organizationalUnit
     2123        ou: computers
     2124        </pre><p>
     2125        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>ldapsam:editposix</code></em> = no
    20452126</em></span>
    20462127</p></dd><dt><span class="term"><a name="LDAPSAM:TRUSTED"></a>ldapsam:trusted (G)</span></dt><dd><p>
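Review bot: the sample LDIF at new lines 2098-2103 gives cn=admin,dc=samba,dc=org the cleartext value "userPassword: secret", and that same DN is the "ldap admin dn" in the example smb.conf at new line 2073, so anyone who loads the tree as written gets a directory administrator with a published password. Mark the value as a placeholder that must be replaced, ideally with a hashed value, before the tree is loaded. The wording in this hunk also needs a pass: "Winindd" at 2058 should be "Winbindd", "tipical" at 2061 should be "typical", and 2087 should read "This configuration assumes the ldap server has been loaded". The sentence starting at 2061 follows a blank line but is still inside the same paragraph element as the "net sam provision" text, so the two will render run together; give it its own paragraph. Finally, 2053 says the allocation range "must be therefore configured" without naming the parameters; pointing at the "idmap uid" and "idmap gid" lines of the example would close that gap.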
     
    20522133        are used to deal with user and group attributes lack such optimization.
    20532134        </p><p>
    2054         To make Samba scale well in large environments, the <a class="indexterm" name="id282636"></a>ldapsam:trusted = yes
     2135        To make Samba scale well in large environments, the <a class="indexterm" name="id282732"></a>ldapsam:trusted = yes
    20552136        option assumes that the complete user and group database that is relevant to Samba is stored in LDAP with the
    20562137        standard posixAccount/posixGroup attributes. It further assumes that the Samba auxiliary object classes are
    20572138        stored together with the POSIX data in the same LDAP object. If these assumptions are met,
    2058         <a class="indexterm" name="id282646"></a>ldapsam:trusted = yes can be activated and Samba can bypass the
     2139        <a class="indexterm" name="id282742"></a>ldapsam:trusted = yes can be activated and Samba can bypass the
    20592140        NSS system to query user group memberships. Optimized LDAP queries can greatly speed up domain logon and
    20602141        administration tasks. Depending on the size of the LDAP database a factor of 100 or more for common queries
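Review bot: the indexterm anchor names at new lines 2135 and 2139 are positional, not stable: id282636 becomes id282732 and id282646 becomes id282742, the same offset of 96 in both, with no change to the surrounding text. Nothing should link to these fragments. It would be worth either giving the indexterm anchors stable names or keeping this renumbering out of content commits, since it buries real documentation changes, such as the new ldapsam:editposix entry, among id-only hunks.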
     
    20672148        Samba's previous SSL support which was enabled by specifying the
    20682149        <span><strong class="command">--with-ssl</strong></span> option to the <code class="filename">configure</code>
    2069         script.</p><p>The <a class="indexterm" name="id282709"></a>ldap ssl can be set to one of three values:</p><div class="itemizedlist"><ul type="disc"><li><p><em class="parameter"><code>Off</code></em> = Never
     2150        script.</p><p>The <a class="indexterm" name="id282805"></a>ldap ssl can be set to one of three values:</p><div class="itemizedlist"><ul type="disc"><li><p><em class="parameter"><code>Off</code></em> = Never
    20702151                        use SSL when querying the directory.</p></li><li><p><em class="parameter"><code>Start_tls</code></em> = Use
    20712152                        the LDAPv3 StartTLS extended operation (RFC2830) for
     
    20732154                        on the ldaps port when contacting the <em class="parameter"><code>ldap server</code></em>. Only available when the
    20742155                        backwards-compatiblity <span><strong class="command">--with-ldapsam</strong></span> option is specified
    2075                 to configure. See <a class="indexterm" name="id282765"></a>passdb backend</p></li></ul></div><p>Default: <span class="emphasis"><em><em class="parameter"><code>ldap ssl</code></em> = start_tls
     2156                to configure. See <a class="indexterm" name="id282861"></a>passdb backend</p></li></ul></div><p>Default: <span class="emphasis"><em><em class="parameter"><code>ldap ssl</code></em> = start_tls
    20762157</em></span>
    20772158</p></dd><dt><span class="term"><a name="LDAPSUFFIX"></a>ldap suffix (G)</span></dt><dd><p>Specifies the base for all ldap suffixes and for storing the sambaDomain object.</p><p>
    2078         The ldap suffix will be appended to the values specified for the <a class="indexterm" name="id282812"></a>ldap user suffix,
    2079         <a class="indexterm" name="id282819"></a>ldap group suffix, <a class="indexterm" name="id282826"></a>ldap machine suffix, and the
    2080         <a class="indexterm" name="id282833"></a>ldap idmap suffix. Each of these should be given only a DN relative to the
    2081         <a class="indexterm" name="id282841"></a>ldap suffix.
     2159        The ldap suffix will be appended to the values specified for the <a class="indexterm" name="id282907"></a>ldap user suffix,
     2160        <a class="indexterm" name="id282914"></a>ldap group suffix, <a class="indexterm" name="id282922"></a>ldap machine suffix, and the
     2161        <a class="indexterm" name="id282929"></a>ldap idmap suffix. Each of these should be given only a DN relative to the
     2162        <a class="indexterm" name="id282936"></a>ldap suffix.
    20822163        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>ldap suffix</code></em> =
    20832164</em></span>
     
    20922173</p></dd><dt><span class="term"><a name="LDAPUSERSUFFIX"></a>ldap user suffix (G)</span></dt><dd><p>
    20932174        This parameter specifies where users are added to the tree. If this parameter is unset,
    2094         the value of <a class="indexterm" name="id282931"></a>ldap suffix will be used instead.  The suffix
    2095         string is pre-pended to the  <a class="indexterm" name="id282938"></a>ldap suffix string so use a partial DN.
     2175        the value of <a class="indexterm" name="id283024"></a>ldap suffix will be used instead.  The suffix
     2176        string is pre-pended to the  <a class="indexterm" name="id283031"></a>ldap suffix string so use a partial DN.
    20962177        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>ldap user suffix</code></em> =
    20972178</em></span>
     
    21122193        delete any read-ahead caches.</p><p>It is recommended that this parameter be turned on to
    21132194        speed access to shared executables.</p><p>For more discussions on level2 oplocks see the CIFS spec.</p><p>
    2114         Currently, if <a class="indexterm" name="id283016"></a>kernel oplocks are supported then
     2195        Currently, if <a class="indexterm" name="id283109"></a>kernel oplocks are supported then
    21152196        level2 oplocks are not granted (even if this parameter is set to
    2116         <code class="constant">yes</code>).  Note also, the <a class="indexterm" name="id283027"></a>oplocks
     2197        <code class="constant">yes</code>).  Note also, the <a class="indexterm" name="id283120"></a>oplocks
    21172198        parameter must be set to <code class="constant">yes</code> on this share in order for
    21182199        this parameter to have any effect.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>level2 oplocks</code></em> = yes
     
    21262207        broadcasts. If set to <code class="constant">yes</code> Samba will produce
    21272208        Lanman announce broadcasts at a frequency set by the parameter
    2128         <a class="indexterm" name="id283103"></a>lm interval. If set to <code class="constant">auto</code>
     2209        <a class="indexterm" name="id283196"></a>lm interval. If set to <code class="constant">auto</code>
    21292210        Samba will not send Lanman announce broadcasts by default but will
    21302211        listen for them. If it hears such a broadcast on the wire it will
    21312212        then start sending them at a frequency set by the parameter
    2132         <a class="indexterm" name="id283115"></a>lm interval.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>lm announce</code></em> = auto
     2213        <a class="indexterm" name="id283208"></a>lm interval.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>lm announce</code></em> = auto
    21332214</em></span>
    21342215</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>lm announce</code></em> = yes
     
    21362217</p></dd><dt><span class="term"><a name="LMINTERVAL"></a>lm interval (G)</span></dt><dd><p>If Samba is set to produce Lanman announce
    21372218        broadcasts needed by OS/2 clients (see the
    2138                 <a class="indexterm" name="id283167"></a>lm announce parameter) then this
     2219                <a class="indexterm" name="id283260"></a>lm announce parameter) then this
    21392220        parameter defines the frequency in seconds with which they will be
    21402221        made.  If this is set to zero then no Lanman announcements will be
    2141         made despite the setting of the <a class="indexterm" name="id283176"></a>lm announce
     2222        made despite the setting of the <a class="indexterm" name="id283269"></a>lm announce
    21422223        parameter.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>lm interval</code></em> = 60
    21432224</em></span>
     
    21462227</p></dd><dt><span class="term"><a name="LOADPRINTERS"></a>load printers (G)</span></dt><dd><p>A boolean variable that controls whether all
    21472228    printers in the printcap will be loaded for browsing by default.
    2148     See the <a class="indexterm" name="id283229"></a>printers section for
     2229    See the <a class="indexterm" name="id283322"></a>printers section for
    21492230    more details.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>load printers</code></em> = yes
    21502231</em></span>
     
    21612242</p></dd><dt><span class="term"><a name="LOCKDIR"></a>lock dir</span></dt><dd><p>This parameter is a synonym for lock directory.</p></dd><dt><span class="term"><a name="LOCKDIRECTORY"></a>lock directory (G)</span></dt><dd><p>This option specifies the directory where lock
    21622243        files will be placed.  The lock files are used to implement the
    2163         <a class="indexterm" name="id283380"></a>max connections option.
     2244        <a class="indexterm" name="id283473"></a>max connections option.
    21642245        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>lock directory</code></em> = ${prefix}/var/locks
    21652246</em></span>
     
    21782259        You should never need to set this parameter.</p><p><span class="emphasis"><em>No default</em></span></p></dd><dt><span class="term"><a name="LOCKSPINCOUNT"></a>lock spin count (G)</span></dt><dd><p>This parameter has been made inoperative in Samba 3.0.24.
    21792260        The functionality it contolled is now controlled by the parameter
    2180         <a class="indexterm" name="id283500"></a>lock spin time.
     2261        <a class="indexterm" name="id283593"></a>lock spin time.
    21812262        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>lock spin count</code></em> = 0
    21822263</em></span>
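Review bot: "contolled" at new line 2260 should be "controlled". Since the entry states that the parameter "has been made inoperative in Samba 3.0.24", the "Default: lock spin count = 0" line could also say that any value set here is ignored, so readers do not try to tune it.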
     
    21852266        be granted. This parameter has changed in default
    21862267        value from Samba 3.0.23 from 10 to 200. The associated
    2187         <a class="indexterm" name="id283542"></a>lock spin count parameter is
     2268        <a class="indexterm" name="id283635"></a>lock spin count parameter is
    21882269        no longer used in Samba 3.0.24. You should not need
    21892270        to change the value of this parameter.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>lock spin time</code></em> = 200
     
    22062287</p></dd><dt><span class="term"><a name="LOGONDRIVE"></a>logon drive (G)</span></dt><dd><p>
    22072288        This parameter specifies the local path to which the home directory will be
    2208         connected (see <a class="indexterm" name="id283696"></a>logon home) and is only used by NT
     2289        connected (see <a class="indexterm" name="id283789"></a>logon home) and is only used by NT
    22092290        Workstations.
    22102291        </p><p>
     
    22332314        <span><strong class="command">net use /home</strong></span> but use the whole string when dealing with profiles.
    22342315        </p><p>
    2235         Note that in prior versions of Samba, the <a class="indexterm" name="id283804"></a>logon path was returned rather than
     2316        Note that in prior versions of Samba, the <a class="indexterm" name="id283897"></a>logon path was returned rather than
    22362317        <em class="parameter"><code>logon home</code></em>.  This broke <span><strong class="command">net use /home</strong></span>
    22372318        but allowed profiles outside the home directory. The current implementation is correct, and can be used for
    22382319        profiles if you use the above trick.
    22392320        </p><p>
    2240         Disable this feature by setting <a class="indexterm" name="id283828"></a>logon home = "" - using the empty string.
     2321        Disable this feature by setting <a class="indexterm" name="id283921"></a>logon home = "" - using the empty string.
    22412322        </p><p>
    22422323        This option is only useful if Samba is set up as a logon server.
     
    22492330        stored.  Contrary to previous versions of these manual pages, it has nothing to do with Win 9X roaming
    22502331        profiles.  To find out how to handle roaming profiles for Win 9X system, see the
    2251         <a class="indexterm" name="id283886"></a>logon home parameter.
     2332        <a class="indexterm" name="id283979"></a>logon home parameter.
    22522333        </p><p>
    22532334        This option takes the standard substitutions, allowing you to have separate logon scripts for each user or
     
    22782359        </p></div><p>Note that this option is only useful if Samba is set up as a domain controller.</p><p>
    22792360        Disable the use of roaming profiles by setting the value of this parameter to the empty string. For
    2280         example, <a class="indexterm" name="id283964"></a>logon path = "". Take note that even if the default setting
     2361        example, <a class="indexterm" name="id284057"></a>logon path = "". Take note that even if the default setting
    22812362        in the smb.conf file is the empty string, any value specified in the user account settings in the passdb
    22822363        backend will over-ride the effect of setting this parameter to null. Disabling of all roaming profile use
     
    22952376        </p><p>
    22962377        The script must be a relative path to the <em class="parameter"><code>[netlogon]</code></em> service.  If the [netlogon]
    2297         service specifies a <a class="indexterm" name="id284040"></a>path of <code class="filename">/usr/local/samba/netlogon</code>, and <a class="indexterm" name="id284054"></a>logon  script = STARTUP.BAT, then the file that will be downloaded is:
     2378        service specifies a <a class="indexterm" name="id284133"></a>path of <code class="filename">/usr/local/samba/netlogon</code>, and <a class="indexterm" name="id284146"></a>logon  script = STARTUP.BAT, then the file that will be downloaded is:
    22982379</p><pre class="programlisting">
    22992380        /usr/local/samba/netlogon/STARTUP.BAT
     
    23352416    in the lppause command as the PATH may not be available to the server.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>lppause command</code></em> =
    23362417# Currently no default value is given to
    2337     this string, unless the value of the <a class="indexterm" name="id284207"></a>printing
     2418    this string, unless the value of the <a class="indexterm" name="id284300"></a>printing
    23382419    parameter is <code class="constant">SYSV</code>, in which case the default is :
    23392420    <span><strong class="command">lp -i %p-%j -H hold</strong></span> or if the value of the
     
    23832464    printing or spooling a specific print job.</p><p>This command should be a program or script which takes
    23842465    a printer name and job number to resume the print job. See
    2385     also the <a class="indexterm" name="id284484"></a>lppause command parameter.</p><p>If a <em class="parameter"><code>%p</code></em> is given then the printer name
     2466    also the <a class="indexterm" name="id284576"></a>lppause command parameter.</p><p>If a <em class="parameter"><code>%p</code></em> is given then the printer name
    23862467    is put in its place. A <em class="parameter"><code>%j</code></em> is replaced with
    23872468    the job number (an integer).</p><p>Note that it is good practice to include the absolute path
    23882469    in the <em class="parameter"><code>lpresume command</code></em> as the PATH may not
    2389     be available to the server.</p><p>See also the <a class="indexterm" name="id284520"></a>printing parameter.</p><p>Default: Currently no default value is given
     2470    be available to the server.</p><p>See also the <a class="indexterm" name="id284613"></a>printing parameter.</p><p>Default: Currently no default value is given
    23902471    to this string, unless the value of the <em class="parameter"><code>printing</code></em>
    23912472    parameter is <code class="constant">SYSV</code>, in which case the default is :</p><p><span><strong class="command">lp -i %p-%j -H resume</strong></span></p><p>or if the value of the <em class="parameter"><code>printing</code></em> parameter
     
    24102491</em></span>
    24112492</p></dd><dt><span class="term"><a name="MACHINEPASSWORDTIMEOUT"></a>machine password timeout (G)</span></dt><dd><p>
    2412         If a Samba server is a member of a Windows NT Domain (see the <a class="indexterm" name="id284676"></a>security = domain parameter) then periodically a running smbd process will try and change
     2493        If a Samba server is a member of a Windows NT Domain (see the <a class="indexterm" name="id284769"></a>security = domain parameter) then periodically a running smbd process will try and change
    24132494        the MACHINE ACCOUNT PASSWORD stored in the TDB called <code class="filename">private/secrets.tdb
    24142495        </code>.  This parameter specifies how often this password will be changed, in seconds. The default is one
     
    24162497        </p><p>
    24172498        See also <a href="smbpasswd.8.html"><span class="citerefentry"><span class="refentrytitle">smbpasswd</span>(8)</span></a>,
    2418         and the <a class="indexterm" name="id284702"></a>security = domain parameter.
     2499        and the <a class="indexterm" name="id284795"></a>security = domain parameter.
    24192500        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>machine password timeout</code></em> = 604800
    24202501</em></span>
    24212502</p></dd><dt><span class="term"><a name="MAGICOUTPUT"></a>magic output (S)</span></dt><dd><p>
    24222503        This parameter specifies the name of a file which will contain output created by a magic script (see the
    2423         <a class="indexterm" name="id284743"></a>magic script parameter below).
     2504        <a class="indexterm" name="id284836"></a>magic script parameter below).
    24242505        </p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>If two clients use the same <em class="parameter"><code>magic script
    24252506        </code></em> in the same directory the output file content is undefined.
     
    24342515        completion assuming that the user has the appropriate level
    24352516        of privilege and the file permissions allow the deletion.</p><p>If the script generates output, output will be sent to
    2436         the file specified by the <a class="indexterm" name="id284817"></a>magic output
     2517        the file specified by the <a class="indexterm" name="id284910"></a>magic output
    24372518        parameter (see above).</p><p>Note that some shells are unable to interpret scripts
    24382519        containing CR/LF instead of CR as
     
    24552536        you would use:
    24562537        </p><p>
    2457         <a class="indexterm" name="id284921"></a>mangled map = (*.html *.htm).
     2538        <a class="indexterm" name="id285014"></a>mangled map = (*.html *.htm).
    24582539        </p><p>
    24592540        One very useful case is to remove the annoying <code class="filename">;1</code> off
     
    24672548</p></dd><dt><span class="term"><a name="MANGLEDNAMES"></a>mangled names (S)</span></dt><dd><p>This controls whether non-DOS names under UNIX
    24682549        should be mapped to DOS-compatible names ("mangled") and made visible,
    2469         or whether non-DOS names should simply be ignored.</p><p>See the section on <a class="indexterm" name="id284988"></a>name mangling for
     2550        or whether non-DOS names should simply be ignored.</p><p>See the section on <a class="indexterm" name="id285081"></a>name mangling for
    24702551        details on how to control the mangling process.</p><p>If mangling is used then the mangling algorithm is as follows:</p><div class="itemizedlist"><ul type="disc"><li><p>The first (up to) five alphanumeric characters
    24712552                        before the rightmost dot of the filename are preserved, forced
     
    24772558                        only if it contains any upper case characters or is longer than three
    24782559                        characters.</p><p>Note that the character to use may be specified using
    2479                                 the <a class="indexterm" name="id285022"></a>mangling char
     2560                                the <a class="indexterm" name="id285115"></a>mangling char
    24802561                        option, if you don't like '~'.</p></li><li><p>Files whose UNIX name begins with a dot will be
    24812562                        presented as DOS hidden files. The mangled name will be created as
     
    25012582</em></span>
    25022583</p></dd><dt><span class="term"><a name="MANGLINGCHAR"></a>mangling char (S)</span></dt><dd><p>This controls what character is used as
    2503         the <span class="emphasis"><em>magic</em></span> character in <a class="indexterm" name="id285143"></a>name mangling. The
     2584        the <span class="emphasis"><em>magic</em></span> character in <a class="indexterm" name="id285236"></a>name mangling. The
    25042585        default is a '~' but this may interfere with some software. Use this option to set
    25052586        it to whatever you prefer. This is effective only when mangling method is hash.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>mangling char</code></em> = ~
     
    25342615        be quite annoying for shared source code, documents, etc...
    25352616        </p><p>
    2536         Note that this requires the <a class="indexterm" name="id285296"></a>create mask        parameter to be set such that owner
     2617        Note that this requires the <a class="indexterm" name="id285393"></a>create mask        parameter to be set such that owner
    25372618        execute bit is not masked out (i.e. it must include 100). See the parameter
    2538         <a class="indexterm" name="id285304"></a>create mask for details.
     2619        <a class="indexterm" name="id285401"></a>create mask for details.
    25392620        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>map archive</code></em> = yes
    25402621</em></span>
     
    25422623        This controls whether DOS style hidden files should be mapped to the UNIX world execute bit.
    25432624        </p><p>
    2544         Note that this requires the <a class="indexterm" name="id285349"></a>create mask to be set such that the world execute
    2545         bit is not masked out (i.e. it must include 001). See the parameter <a class="indexterm" name="id285357"></a>create mask
     2625        Note that this requires the <a class="indexterm" name="id285446"></a>create mask to be set such that the world execute
     2626        bit is not masked out (i.e. it must include 001). See the parameter <a class="indexterm" name="id285454"></a>create mask
    25462627        for details.
    25472628        </p><p><span class="emphasis"><em>No default</em></span></p></dd><dt><span class="term"><a name="MAPREADONLY"></a>map read only (S)</span></dt><dd><p>
     
    25492630        </p><p>
    25502631        This parameter can take three different values, which tell <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> how to display the read only attribute on files, where either
    2551         <a class="indexterm" name="id285402"></a>store dos attributes is set to <code class="constant">No</code>, or no extended attribute is
    2552         present. If <a class="indexterm" name="id285413"></a>store dos attributes is set to <code class="constant">yes</code> then this
     2632        <a class="indexterm" name="id285500"></a>store dos attributes is set to <code class="constant">No</code>, or no extended attribute is
     2633        present. If <a class="indexterm" name="id285511"></a>store dos attributes is set to <code class="constant">yes</code> then this
    25532634        parameter is <span class="emphasis"><em>ignored</em></span>. This is a new parameter introduced in Samba version 3.0.21.
    25542635        </p><p>The three settings are :</p><div class="itemizedlist"><ul type="disc"><li><p>
     
    25632644                </p></li><li><p>
    25642645                <code class="constant">No</code> - The read only DOS attribute is unaffected by permissions, and can only be set by
    2565                 the <a class="indexterm" name="id285470"></a>store dos attributes method. This may be useful for exporting mounted CDs.
     2646                the <a class="indexterm" name="id285568"></a>store dos attributes method. This may be useful for exporting mounted CDs.
    25662647                </p></li></ul></div><p>Default: <span class="emphasis"><em><em class="parameter"><code>map read only</code></em> = yes
    25672648</em></span>
     
    25692650        This controls whether DOS style system files should be mapped to the UNIX group execute bit.
    25702651        </p><p>
    2571         Note that this requires the <a class="indexterm" name="id285516"></a>create mask        to be set such that the group
     2652        Note that this requires the <a class="indexterm" name="id285613"></a>create mask        to be set such that the group
    25722653        execute bit is not masked out (i.e. it must include 010). See the parameter
    2573         <a class="indexterm" name="id285524"></a>create mask for details.
     2654        <a class="indexterm" name="id285621"></a>create mask for details.
    25742655        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>map system</code></em> = no
    25752656</em></span>
    2576 </p></dd><dt><span class="term"><a name="MAPTOGUEST"></a>map to guest (G)</span></dt><dd><p>This parameter is only useful in <a class="indexterm" name="id285564"></a>SECURITY =
     2657</p></dd><dt><span class="term"><a name="MAPTOGUEST"></a>map to guest (G)</span></dt><dd><p>This parameter is only useful in <a class="indexterm" name="id285661"></a>SECURITY =
    25772658    security modes other than <em class="parameter"><code>security = share</code></em>
    25782659    - i.e. <code class="constant">user</code>, <code class="constant">server</code>,
     
    25842665            logins with an invalid password are rejected, unless the username
    25852666            does not exist, in which case it is treated as a guest login and
    2586             mapped into the <a class="indexterm" name="id285625"></a>guest account.</p></li><li><p><code class="constant">Bad Password</code> - Means user logins
     2667            mapped into the <a class="indexterm" name="id285723"></a>guest account.</p></li><li><p><code class="constant">Bad Password</code> - Means user logins
    25872668            with an invalid password are treated as a guest login and mapped
    2588             into the <a class="indexterm" name="id285642"></a>guest account. Note that
     2669            into the <a class="indexterm" name="id285740"></a>guest account. Note that
    25892670            this can cause problems as it means that any user incorrectly typing
    25902671            their password will be silently logged on as "guest" - and
     
    26162697    will be refused if this number of connections to the service are already open. A value
    26172698    of zero mean an unlimited number of connections may be made.</p><p>Record lock files are used to implement this feature. The lock files will be stored in
    2618     the directory specified by the <a class="indexterm" name="id285760"></a>lock directory option.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>max connections</code></em> = 0
     2699    the directory specified by the <a class="indexterm" name="id285862"></a>lock directory option.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>max connections</code></em> = 0
    26192700</em></span>
    26202701</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>max connections</code></em> = 10
     
    27072788</em></span>
    27082789</p></dd><dt><span class="term"><a name="MAXWINSTTL"></a>max wins ttl (G)</span></dt><dd><p>This option tells <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> when acting as a WINS server
    2709         (<a class="indexterm" name="id286427"></a>wins support = yes) what the maximum
     2790        (<a class="indexterm" name="id286529"></a>wins support = yes) what the maximum
    27102791    'time to live' of NetBIOS names that <span><strong class="command">nmbd</strong></span>
    27112792    will grant will be (in seconds). You should never need to change this
     
    27682849</p></dd><dt><span class="term"><a name="MINPROTOCOL"></a>min protocol (G)</span></dt><dd><p>The value of the parameter (a string) is the
    27692850    lowest SMB protocol dialect than Samba will support.  Please refer
    2770     to the <a class="indexterm" name="id286749"></a>max protocol
     2851    to the <a class="indexterm" name="id286852"></a>max protocol
    27712852    parameter for a list of valid protocol names and a brief description
    27722853    of each.  You may also wish to refer to the C source code in
    27732854    <code class="filename">source/smbd/negprot.c</code> for a listing of known protocol
    27742855    dialects supported by clients.</p><p>If you are viewing this parameter as a security measure, you should
    2775     also refer to the <a class="indexterm" name="id286768"></a>lanman auth parameter.  Otherwise, you should never need
     2856    also refer to the <a class="indexterm" name="id286871"></a>lanman auth parameter.  Otherwise, you should never need
    27762857    to change this parameter.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>min protocol</code></em> = CORE
    27772858</em></span>
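Review bot: the min protocol description in the context lines reads "lowest SMB protocol dialect than Samba will support", where "than" should be "that". This paragraph is one readers consult when treating the parameter as a security measure (it points on to lanman auth), so the wording should be fixed in the XML source rather than carried through another regeneration.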
     
    27792860</em></span>
    27802861</p></dd><dt><span class="term"><a name="MINWINSTTL"></a>min wins ttl (G)</span></dt><dd><p>This option tells <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a>
    2781     when acting as a WINS server (<a class="indexterm" name="id286828"></a>wins support = yes) what the minimum 'time to live'
     2862    when acting as a WINS server (<a class="indexterm" name="id286931"></a>wins support = yes) what the minimum 'time to live'
    27822863    of NetBIOS names that <span><strong class="command">nmbd</strong></span> will grant will be (in
    27832864    seconds). You should never need to change this parameter.  The default
     
    27892870        this share, they are redirected to the proxied share using
    27902871        the SMB-Dfs protocol.</p><p>Only Dfs roots can act as proxy shares. Take a look at the
    2791         <a class="indexterm" name="id286882"></a>msdfs root and <a class="indexterm" name="id286889"></a>host msdfs
     2872        <a class="indexterm" name="id286985"></a>msdfs root and <a class="indexterm" name="id286992"></a>host msdfs
    27922873        options to find out how to set up a Dfs root share.</p><p><span class="emphasis"><em>No default</em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>msdfs proxy</code></em> = \\otherserver\someshare
    27932874</em></span>
     
    28252906                _ldap._tcp.domain.
    28262907        </p></li><li><p><code class="constant">wins</code> : Query a name with
    2827             the IP address listed in the <a class="indexterm" name="id287080"></a>WINSSERVER parameter.  If no WINS server has
     2908            the IP address listed in the <a class="indexterm" name="id287183"></a>WINSSERVER parameter.  If no WINS server has
    28282909            been specified this method will be ignored.</p></li><li><p><code class="constant">bcast</code> : Do a broadcast on
    2829             each of the known local interfaces listed in the <a class="indexterm" name="id287097"></a>interfaces
     2910            each of the known local interfaces listed in the <a class="indexterm" name="id287200"></a>interfaces
    28302911            parameter. This is the least reliable of the name resolution
    28312912            methods as it depends on the target host being on a locally
     
    28792960        server. When Samba is returning the home share to the client, it
    28802961        will consult the NIS map specified in
    2881         <a class="indexterm" name="id287347"></a>homedir map and return the server
     2962        <a class="indexterm" name="id287449"></a>homedir map and return the server
    28822963        listed there.</p><p>Note that for this option to work there must be a working
    28832964        NIS system and the Samba server with this option must also
     
    29182999    default behavior is to use PAM for clear text authentication only
    29193000    and to ignore any account or session management.  Note that Samba
    2920     always ignores PAM for authentication in the case of <a class="indexterm" name="id287633"></a>encrypt passwords = yes.  The reason
     3001    always ignores PAM for authentication in the case of <a class="indexterm" name="id287735"></a>encrypt passwords = yes.  The reason
    29213002    is that PAM modules cannot support the challenge/response
    29223003    authentication mechanism needed in the presence of SMB password encryption.
     
    29293010    this parameter will force the server to only use the login
    29303011    names from the <em class="parameter"><code>user</code></em> list and is only really
    2931     useful in <a class="indexterm" name="id287689"></a>security = share level security.</p><p>Note that this also means Samba won't try to deduce
     3012    useful in <a class="indexterm" name="id287791"></a>security = share level security.</p><p>Note that this also means Samba won't try to deduce
    29323013    usernames from the service name. This can be annoying for
    29333014    the [homes] section. To get around this you could use <span><strong class="command">user =
     
    29773058        </p><p>
    29783059        Oplocks may be selectively turned off on certain files with a share. See
    2979         the <a class="indexterm" name="id287934"></a>veto oplock files parameter. On some systems
     3060        the <a class="indexterm" name="id288040"></a>veto oplock files parameter. On some systems
    29803061        oplocks are recognized by the underlying operating system. This
    29813062        allows data synchronization between all access to oplocked files,
    29823063        whether it be via Samba or NFS or a local UNIX process. See the
    2983         <a class="indexterm" name="id287943"></a>kernel oplocks parameter for details.
     3064        <a class="indexterm" name="id288049"></a>kernel oplocks parameter for details.
    29843065        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>oplocks</code></em> = yes
    29853066</em></span>
     
    29963077</p></dd><dt><span class="term"><a name="OSLEVEL"></a>os level (G)</span></dt><dd><p>
    29973078        This integer value controls what level Samba advertises itself as for browse elections. The value of this
    2998         parameter determines whether <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a> has a chance of becoming a local master browser for the <a class="indexterm" name="id288046"></a>workgroup in the local broadcast area.
     3079        parameter determines whether <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a> has a chance of becoming a local master browser for the <a class="indexterm" name="id288153"></a>workgroup in the local broadcast area.
    29993080</p><p><span class="emphasis"><em>
    30003081        Note :</em></span>By default, Samba will win a local master browsing election over all Microsoft operating
     
    30113092    flag for Samba.  If enabled, then PAM will be used for password
    30123093    changes when requested by an SMB client instead of the program listed in
    3013     <a class="indexterm" name="id288111"></a>passwd program.
     3094    <a class="indexterm" name="id288217"></a>passwd program.
    30143095    It should be possible to enable this without changing your
    3015     <a class="indexterm" name="id288118"></a>passwd chat parameter for most setups.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>pam password change</code></em> = no
     3096    <a class="indexterm" name="id288224"></a>passwd chat parameter for most setups.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>pam password change</code></em> = no
    30163097</em></span>
    30173098</p></dd><dt><span class="term"><a name="PANICACTION"></a>panic action (G)</span></dt><dd><p>This is a Samba developer option that allows a
     
    30393120                </p></li><li><p><span><strong class="command">tdbsam</strong></span> - The TDB based password storage
    30403121                backend.  Takes a path to the TDB as an optional argument (defaults to passdb.tdb
    3041                 in the <a class="indexterm" name="id288295"></a>private dir directory.</p></li><li><p><span><strong class="command">ldapsam</strong></span> - The LDAP based passdb
     3122                in the <a class="indexterm" name="id288401"></a>private dir directory.</p></li><li><p><span><strong class="command">ldapsam</strong></span> - The LDAP based passdb
    30423123                backend.  Takes an LDAP URL as an optional argument (defaults to
    30433124                <span><strong class="command">ldap://localhost</strong></span>)</p><p>LDAP connections should be secured where possible.  This may be done using either
    3044                 Start-TLS (see <a class="indexterm" name="id288325"></a>ldap ssl) or by
     3125                Start-TLS (see <a class="indexterm" name="id288431"></a>ldap ssl) or by
    30453126                specifying <em class="parameter"><code>ldaps://</code></em> in
    30463127                the URL argument. </p><p>Multiple servers may also be specified in double-quotes, if your
     
    30693150    strings passed to and received from the passwd chat are printed
    30703151    in the <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> log with a
    3071     <a class="indexterm" name="id288435"></a>debug level
     3152    <a class="indexterm" name="id288541"></a>debug level
    30723153    of 100. This is a dangerous option as it will allow plaintext passwords
    30733154    to be seen in the <span><strong class="command">smbd</strong></span> log. It is available to help
     
    30753156    when calling the <em class="parameter"><code>passwd program</code></em> and should
    30763157    be turned off after this has been done. This option has no effect if the
    3077     <a class="indexterm" name="id288462"></a>pam password change
     3158    <a class="indexterm" name="id288568"></a>pam password change
    30783159        paramter is set. This parameter is off by default.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>passwd chat debug</code></em> = no
    30793160</em></span>
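Review bot: the line following the changed pam password change anchor still has the typo "paramter is set"; it should be "parameter". This sentence is part of the warning about plaintext passwords appearing in the smbd log, so it should be corrected in the source the HTML is generated from.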
     
    30873168    program to change the user's password. The string describes a
    30883169    sequence of response-receive pairs that <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> uses to determine what to send to the
    3089     <a class="indexterm" name="id288559"></a>passwd program and what to expect back. If the expected output is not
     3170    <a class="indexterm" name="id288665"></a>passwd program and what to expect back. If the expected output is not
    30903171    received then the password is not changed.</p><p>This chat sequence is often quite site specific, depending
    30913172    on what local methods are used for password control (such as NIS
    3092     etc).</p><p>Note that this parameter only is only used if the <a class="indexterm" name="id288575"></a>unix password sync parameter is set  to <code class="constant">yes</code>. This sequence is
     3173    etc).</p><p>Note that this parameter only is only used if the <a class="indexterm" name="id288681"></a>unix password sync parameter is set  to <code class="constant">yes</code>. This sequence is
    30933174    then called <span class="emphasis"><em>AS ROOT</em></span> when the SMB password  in the
    30943175    smbpasswd file is being changed, without access to the old password
    30953176    cleartext. This means that root must be able to reset the user's password without
    30963177    knowing the text of the previous password. In the presence of
    3097     NIS/YP,  this means that the <a class="indexterm" name="id288592"></a>passwd program must
     3178    NIS/YP,  this means that the <a class="indexterm" name="id288698"></a>passwd program must
    30983179    be executed on the NIS master.
    30993180    </p><p>The string can contain the macro <em class="parameter"><code>%n</code></em> which is substituted
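Review bot: the regenerated line for unix password sync keeps the doubled word in "Note that this parameter only is only used if the"; it should read "is only used if the". The surrounding text explains that the chat sequence runs AS ROOT, so clear wording here matters.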
     
    31043185    in them into a single string.</p><p>If the send string in any part of the chat sequence  is a full
    31053186    stop ".",  then no string is sent. Similarly,  if the
    3106     expect string is a full stop then no string is expected.</p><p>If the <a class="indexterm" name="id288620"></a>pam password change parameter is set to <code class="constant">yes</code>, the
     3187    expect string is a full stop then no string is expected.</p><p>If the <a class="indexterm" name="id288726"></a>pam password change parameter is set to <code class="constant">yes</code>, the
    31073188        chat pairs may be matched in any order, and success is determined by the PAM result, not any particular
    31083189        output. The \n macro is ignored for PAM conversions.
     
    31503231    made - the password as is and the password in all-lower case.</p><p>This parameter is used only when using plain-text passwords. It is
    31513232    not at all used when encrypted passwords as in use (that is the default
    3152     since samba-3.0.0). Use this only when <a class="indexterm" name="id288846"></a>encrypt passwords = No.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>password level</code></em> = 0
     3233    since samba-3.0.0). Use this only when <a class="indexterm" name="id288953"></a>encrypt passwords = No.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>password level</code></em> = 0
    31533234</em></span>
    31543235</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>password level</code></em> = 4
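Review bot: the context line above the changed encrypt passwords anchor says "It is not at all used when encrypted passwords as in use", where "as" should be "are". Only the anchor id changes in this hunk, so the typo is being regenerated unchanged.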
     
    31663247    have no effect on password servers for Windows NT 4.0 domains or netbios
    31673248    connections.</p><p>If parameter is a name, it is looked up using the
    3168     parameter <a class="indexterm" name="id288918"></a>name resolve order and so may resolved
     3249    parameter <a class="indexterm" name="id289024"></a>name resolve order and so may resolved
    31693250    by any method and order described in that parameter.</p><p>The password server must be a machine capable of using
    31703251    the "LM1.2X002" or the "NT LM 0.12" protocol, and it must be in
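Review bot: the changed line for name resolve order ends with "and so may resolved", which is missing a verb; it should read "and so may be resolved". The hunk otherwise only renumbers the anchor (id288918 to id289024).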
     
    32283309        will be replaced by the NetBIOS name of the machine they are
    32293310        connecting from. These replacements are very useful for setting
    3230         up pseudo home directories for users.</p><p>Note that this path will be based on <a class="indexterm" name="id289202"></a>root dir
     3311        up pseudo home directories for users.</p><p>Note that this path will be based on <a class="indexterm" name="id289308"></a>root dir
    32313312         if one was specified.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>path</code></em> =
    32323313</em></span>
     
    32563337</em></span>
    32573338</p></dd><dt><span class="term"><a name="PREEXECCLOSE"></a>preexec close (S)</span></dt><dd><p>
    3258         This boolean option controls whether a non-zero return code from <a class="indexterm" name="id289400"></a>preexec
     3339        This boolean option controls whether a non-zero return code from <a class="indexterm" name="id289506"></a>preexec
    32593340        should close the service being connected to.
    32603341        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>preexec close</code></em> = no
     
    32673348        /usr/local/samba/bin/smbclient -M %m -I %I' &amp; </strong></span>
    32683349        </p><p>Of course, this could get annoying after a while :-)</p><p>
    3269         See also <a class="indexterm" name="id289484"></a>preexec close and <a class="indexterm" name="id289491"></a>postexec.
     3350        See also <a class="indexterm" name="id289590"></a>preexec close and <a class="indexterm" name="id289597"></a>postexec.
    32703351        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>preexec</code></em> =
    32713352</em></span>
     
    32773358        If this is set to <code class="constant">yes</code>, on startup, <span><strong class="command">nmbd</strong></span> will force
    32783359        an election, and it will have a slight advantage in winning the election.  It is recommended that this
    3279         parameter is used in conjunction with <a class="indexterm" name="id289588"></a>domain master = yes, so that
     3360        parameter is used in conjunction with <a class="indexterm" name="id289694"></a>domain master = yes, so that
    32803361        <span><strong class="command">nmbd</strong></span> can guarantee becoming a domain master.
    32813362        </p><p>
     
    32973378        visible.</p><p>
    32983379        Note that if you just want all printers in your
    3299         printcap file loaded then the <a class="indexterm" name="id289713"></a>load printers
     3380        printcap file loaded then the <a class="indexterm" name="id289819"></a>load printers
    33003381         option is easier.
    33013382        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>preload</code></em> =
     
    33053386</p></dd><dt><span class="term"><a name="PRESERVECASE"></a>preserve case (S)</span></dt><dd><p>
    33063387        This controls if new filenames are created with the case that the client passes, or if
    3307         they are forced to be the <a class="indexterm" name="id289765"></a>default case.
     3388        they are forced to be the <a class="indexterm" name="id289871"></a>default case.
    33083389        </p><p>
    33093390        See the section on <a href="#NAMEMANGLINGSECT" title="NAME MANGLING">NAME MANGLING</a> for a fuller discussion.
     
    33143395    specified for the service. </p><p>Note that a printable service will ALWAYS allow writing
    33153396    to the service path (user privileges permitting) via the spooling
    3316     of print data. The <a class="indexterm" name="id289950"></a>read only parameter controls only non-printing access to
     3397    of print data. The <a class="indexterm" name="id290056"></a>read only parameter controls only non-printing access to
    33173398    the resource.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>printable</code></em> = no
    33183399</em></span>
     
    33323413        </p><p>
    33333414        To use the CUPS printing interface set <span><strong class="command">printcap name = cups </strong></span>. This should
    3334         be supplemented by an addtional setting <a class="indexterm" name="id290088"></a>printing = cups in the [global]
     3415        be supplemented by an addtional setting <a class="indexterm" name="id290194"></a>printing = cups in the [global]
    33353416        section.  <span><strong class="command">printcap name = cups</strong></span> will use the  "dummy" printcap
    33363417        created by CUPS, as specified in your CUPS configuration file.
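Review bot: both the old and new versions of the printing = cups line contain "an addtional setting"; it should be "an additional setting". Since only the anchor id differs, the fix belongs in the XML source for printcap name.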
     
    33853466    be created but not processed and (most importantly) not removed.</p><p>Note that printing may fail on some UNIXes from the
    33863467    <code class="constant">nobody</code> account. If this happens then create
    3387     an alternative guest account that can print and set the <a class="indexterm" name="id290300"></a>guest account
     3468    an alternative guest account that can print and set the <a class="indexterm" name="id290406"></a>guest account
    33883469    in the [global] section.</p><p>You can form quite complex print commands by realizing
    33893470    that they are just passed to a shell. For example the following
     
    33923473    /tmp/print.log; lpr -P %p %s; rm %s</strong></span></p><p>You may have to vary this command considerably depending
    33933474    on how you normally print files on your system. The default for
    3394     the parameter varies depending on the setting of the <a class="indexterm" name="id290326"></a>printing
     3475    the parameter varies depending on the setting of the <a class="indexterm" name="id290432"></a>printing
    33953476        parameter.</p><p>Default: For <span><strong class="command">printing = BSD, AIX, QNX, LPRNG
    33963477    or PLP :</strong></span></p><p><span><strong class="command">print command = lpr -r -P%p %s</strong></span></p><p>For <span><strong class="command">printing = SYSV or HPUX :</strong></span></p><p><span><strong class="command">print command = lp -c -d%p %s; rm %s</strong></span></p><p>For <span><strong class="command">printing = SOFTQ :</strong></span></p><p><span><strong class="command">print command = lp -d%p -s %s; rm %s</strong></span></p><p>For printing = CUPS :   If SAMBA is compiled against
    3397     libcups, then <a class="indexterm" name="id290382"></a>printcap = cups
     3478    libcups, then <a class="indexterm" name="id290488"></a>printcap = cups
    33983479    uses the CUPS API to
    33993480    submit jobs, etc.  Otherwise it maps to the System V
     
    34273508        does not have its own printer name specified.
    34283509        </p><p>
    3429         The default value of the <a class="indexterm" name="id290524"></a>printer name may be <code class="literal">lp</code> on many
     3510        The default value of the <a class="indexterm" name="id290630"></a>printer name may be <code class="literal">lp</code> on many
    34303511        systems.
    34313512        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>printer name</code></em> = none
     
    35003581    executed on the server host in order to resume the printer queue. It
    35013582    is the command to undo the behavior that is caused by the
    3502     previous parameter (<a class="indexterm" name="id290915"></a>queuepause command).</p><p>This command should be a program or script which takes
     3583    previous parameter (<a class="indexterm" name="id291021"></a>queuepause command).</p><p>This command should be a program or script which takes
    35033584    a printer name as its only parameter and resumes the printer queue,
    35043585    such that queued jobs are resubmitted to the printer.</p><p>This command is not supported by Windows for Workgroups,
     
    35203601</p></dd><dt><span class="term"><a name="READLIST"></a>read list (S)</span></dt><dd><p>
    35213602        This is a list of users that are given read-only access to a service. If the connecting user is in this list
    3522         then they will not be given write access, no matter what the <a class="indexterm" name="id291037"></a>read only option is set
    3523         to. The list can include group names using the syntax described in the <a class="indexterm" name="id291045"></a>invalid users
     3603        then they will not be given write access, no matter what the <a class="indexterm" name="id291144"></a>read only option is set
     3604        to. The list can include group names using the syntax described in the <a class="indexterm" name="id291151"></a>invalid users
    35243605        parameter.
    3525         </p><p>This parameter will not work with the <a class="indexterm" name="id291056"></a>security = share in
     3606        </p><p>This parameter will not work with the <a class="indexterm" name="id291162"></a>security = share in
    35263607    Samba 3.0.  This is by design.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>read list</code></em> =
    35273608</em></span>
    35283609</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>read list</code></em> = mary, @students
    35293610</em></span>
    3530 </p></dd><dt><span class="term"><a name="READONLY"></a>read only (S)</span></dt><dd><p>An inverted synonym is <a class="indexterm" name="id291107"></a>writeable.</p><p>If this parameter is <code class="constant">yes</code>, then users
     3611</p></dd><dt><span class="term"><a name="READONLY"></a>read only (S)</span></dt><dd><p>An inverted synonym is <a class="indexterm" name="id291214"></a>writeable.</p><p>If this parameter is <code class="constant">yes</code>, then users
    35313612    of a service may not create or modify files in the service's
    35323613    directory.</p><p>Note that a printable service (<span><strong class="command">printable = yes</strong></span>)
     
    35643645        the above line would cause <span><strong class="command">nmbd</strong></span> to announce itself
    35653646        to the two given IP addresses using the given workgroup names. If you leave out the
    3566         workgroup name then the one given in the <a class="indexterm" name="id291305"></a>workgroup parameter
     3647        workgroup name then the one given in the <a class="indexterm" name="id291412"></a>workgroup parameter
    35673648        is used instead.
    35683649        </p><p>
     
    36013682        is in fact the browse master on its segment.
    36023683        </p><p>
    3603         The <a class="indexterm" name="id291402"></a>remote browse sync may be used on networks
     3684        The <a class="indexterm" name="id291509"></a>remote browse sync may be used on networks
    36043685        where there is no WINS server, and may be used on disjoint networks where
    36053686        each network has its own WINS server.
     
    36633744        </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
    36643745    The security advantage of using restrict anonymous = 2 is removed
    3665     by setting <a class="indexterm" name="id291576"></a>guest ok = yes on any share.
     3746    by setting <a class="indexterm" name="id291682"></a>guest ok = yes on any share.
    36663747        </p></div><p>Default: <span class="emphasis"><em><em class="parameter"><code>restrict anonymous</code></em> = 0
    36673748</em></span>
     
    36733754    parts of the filesystem, or attempts to use ".." in file names
    36743755    to access other directories (depending on the setting of the
    3675         <a class="indexterm" name="id291669"></a>wide smbconfoptions parameter).
     3756        <a class="indexterm" name="id291776"></a>wide smbconfoptions parameter).
    36763757    </p><p>Adding a <em class="parameter"><code>root directory</code></em> entry other
    36773758    than "/" adds an extra level of security, but at a price. It
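Review bot: the index term in the changed line renders as "wide smbconfoptions parameter", which is not the name of any parameter and looks like markup that leaked through generation. As the sentence describes what happens when ".." is used to reach other directories, the reference should name the actual parameter; check the element in the root directory source entry.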
     
    37093790        </p><p>
    37103791        This parameter is applied as a mask (AND'ed with) to the changed permission bits, thus preventing any bits not
    3711         in this mask from being modified.  Make sure not to mix up this parameter with <a class="indexterm" name="id291883"></a>force  security mode, which works in a manner similar to this one but uses a logical OR instead of an AND.
     3792        in this mask from being modified.  Make sure not to mix up this parameter with <a class="indexterm" name="id291989"></a>force  security mode, which works in a manner similar to this one but uses a logical OR instead of an AND.
    37123793        </p><p>
    37133794        Essentially, zero bits in this mask may be treated as a set of bits the user is not allowed to change.
     
    37463827    is commonly used for a shared printer server. It is more difficult
    37473828    to setup guest shares with <span><strong class="command">security = user</strong></span>, see
    3748     the <a class="indexterm" name="id292056"></a>map to guestparameter for details.</p><p>It is possible to use <span><strong class="command">smbd</strong></span> in a <span class="emphasis"><em>
     3829    the <a class="indexterm" name="id292166"></a>map to guestparameter for details.</p><p>It is possible to use <span><strong class="command">smbd</strong></span> in a <span class="emphasis"><em>
    37493830    hybrid mode</em></span> where it is offers both user and share
    3750     level security under different <a class="indexterm" name="id292077"></a>NetBIOS aliases. </p><p>The different settings will now be explained.</p><p><a name="SECURITYEQUALSSHARE"></a><span class="emphasis"><em>SECURITY = SHARE</em></span></p><p>When clients connect to a share level security server they
     3831    level security under different <a class="indexterm" name="id292187"></a>NetBIOS aliases. </p><p>The different settings will now be explained.</p><p><a name="SECURITYEQUALSSHARE"></a><span class="emphasis"><em>SECURITY = SHARE</em></span></p><p>When clients connect to a share level security server they
    37513832    need not log onto the server with a valid username and password before
    37523833    attempting to connect to a shared resource (although modern clients
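Review bot: the first changed line renders "the map to guestparameter for details", with no space between the parameter name and the word "parameter". The following context line also has "where it is offers both user and share level security", which should be "where it offers". Both need fixing in the source for the security entry.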
     
    37613842    techniques to determine the correct UNIX user to use on behalf
    37623843    of the client.</p><p>A list of possible UNIX usernames to match with the given
    3763     client password is constructed using the following methods :</p><div class="itemizedlist"><ul type="disc"><li><p>If the <a class="indexterm" name="id292153"></a>guest only parameter is set, then all the other
    3764             stages are missed and only the <a class="indexterm" name="id292160"></a>guest account username is checked.
     3844    client password is constructed using the following methods :</p><div class="itemizedlist"><ul type="disc"><li><p>If the <a class="indexterm" name="id292262"></a>guest only parameter is set, then all the other
     3845            stages are missed and only the <a class="indexterm" name="id292270"></a>guest account username is checked.
    37653846            </p></li><li><p>Is a username is sent with the share connection
    3766             request, then this username (after mapping - see <a class="indexterm" name="id292175"></a>username map),
     3847            request, then this username (after mapping - see <a class="indexterm" name="id292284"></a>username map),
    37673848            is added as a potential username.
    37683849            </p></li><li><p>If the client did a previous <span class="emphasis"><em>logon
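Review bot: the second list item in this hunk begins "Is a username is sent with the share connection request", which should be "If a username is sent". This list documents how candidate UNIX usernames are built under share level security, so the step should read unambiguously.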
     
    37733854            </p></li><li><p>The NetBIOS name of the client is added to
    37743855            the list as a potential username.
    3775             </p></li><li><p>Any users on the <a class="indexterm" name="id292215"></a>user list are added as potential usernames.
     3856            </p></li><li><p>Any users on the <a class="indexterm" name="id292325"></a>user list are added as potential usernames.
    37763857            </p></li></ul></div><p>If the <em class="parameter"><code>guest only</code></em> parameter is
    37773858    not set, then this list is then tried with the supplied password.
     
    37853866    NOTE ABOUT USERNAME/PASSWORD VALIDATION</a>.</p><p><a name="SECURITYEQUALSUSER"></a><span class="emphasis"><em>SECURITY = USER</em></span></p><p>This is the default security setting in Samba 3.0.
    37863867    With user-level security a client must first "log-on" with a
    3787     valid username and password (which can be mapped using the <a class="indexterm" name="id292284"></a>username map
    3788     parameter). Encrypted passwords (see the <a class="indexterm" name="id292292"></a>encrypted passwords parameter) can also
    3789     be used in this security mode. Parameters such as <a class="indexterm" name="id292300"></a>user and <a class="indexterm" name="id292307"></a>guest only if set      are then applied and
     3868    valid username and password (which can be mapped using the <a class="indexterm" name="id292394"></a>username map
     3869    parameter). Encrypted passwords (see the <a class="indexterm" name="id292402"></a>encrypted passwords parameter) can also
     3870    be used in this security mode. Parameters such as <a class="indexterm" name="id292409"></a>user and <a class="indexterm" name="id292416"></a>guest only if set      are then applied and
    37903871    may change the UNIX user to use on this connection, but only after
    37913872    the user has been successfully authenticated.</p><p><span class="emphasis"><em>Note</em></span> that the name of the resource being
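Review bot: New line 3870 still reads "guest only if set are then applied", with a run of spaces and no punctuation around "if set", so the sentence is hard to parse. Lines 3868-3870 otherwise differ from 3787-3789 only in anchor ids. Since the page is being regenerated anyway, fix the wording in the source, for example "Parameters such as user and guest only, if set, are then applied".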
     
    37933874    the server has successfully authenticated the client. This is why
    37943875    guest shares don't work in user level security without allowing
    3795     the server to automatically map unknown users into the <a class="indexterm" name="id292326"></a>guest account.
    3796     See the <a class="indexterm" name="id292334"></a>map to guest parameter for details on doing this.</p><p>See also the section <a href="#VALIDATIONSECT" title="NOTE ABOUT USERNAME/PASSWORD VALIDATION">NOTE ABOUT USERNAME/PASSWORD VALIDATION</a>.</p><p><a name="SECURITYEQUALSDOMAIN"></a><span class="emphasis"><em>SECURITY = DOMAIN</em></span></p><p>This mode will only work correctly if <a href="net.8.html"><span class="citerefentry"><span class="refentrytitle">net</span>(8)</span></a> has been used to add this
    3797     machine into a Windows NT Domain. It expects the <a class="indexterm" name="id292372"></a>encrypted passwords
     3876    the server to automatically map unknown users into the <a class="indexterm" name="id292436"></a>guest account.
     3877    See the <a class="indexterm" name="id292443"></a>map to guest parameter for details on doing this.</p><p>See also the section <a href="#VALIDATIONSECT" title="NOTE ABOUT USERNAME/PASSWORD VALIDATION">NOTE ABOUT USERNAME/PASSWORD VALIDATION</a>.</p><p><a name="SECURITYEQUALSDOMAIN"></a><span class="emphasis"><em>SECURITY = DOMAIN</em></span></p><p>This mode will only work correctly if <a href="net.8.html"><span class="citerefentry"><span class="refentrytitle">net</span>(8)</span></a> has been used to add this
     3878    machine into a Windows NT Domain. It expects the <a class="indexterm" name="id292482"></a>encrypted passwords
    37983879        parameter to be set to <code class="constant">yes</code>. In this
    37993880    mode Samba will try to validate the username/password by passing
     
    38093890    the server has successfully authenticated the client. This is why
    38103891    guest shares don't work in user level security without allowing
    3811     the server to automatically map unknown users into the <a class="indexterm" name="id292422"></a>guest account.
    3812     See the <a class="indexterm" name="id292429"></a>map to guest parameter for details on doing this.</p><p>See also the section <a href="#VALIDATIONSECT" title="NOTE ABOUT USERNAME/PASSWORD VALIDATION">
    3813     NOTE ABOUT USERNAME/PASSWORD VALIDATION</a>.</p><p>See also the <a class="indexterm" name="id292450"></a>password server parameter and
    3814          the <a class="indexterm" name="id292458"></a>encrypted passwords parameter.</p><p><a name="SECURITYEQUALSSERVER"></a><span class="emphasis"><em>SECURITY = SERVER</em></span></p><p>
     3892    the server to automatically map unknown users into the <a class="indexterm" name="id292532"></a>guest account.
     3893    See the <a class="indexterm" name="id292539"></a>map to guest parameter for details on doing this.</p><p>See also the section <a href="#VALIDATIONSECT" title="NOTE ABOUT USERNAME/PASSWORD VALIDATION">
     3894    NOTE ABOUT USERNAME/PASSWORD VALIDATION</a>.</p><p>See also the <a class="indexterm" name="id292560"></a>password server parameter and
     3895         the <a class="indexterm" name="id292567"></a>encrypted passwords parameter.</p><p><a name="SECURITYEQUALSSERVER"></a><span class="emphasis"><em>SECURITY = SERVER</em></span></p><p>
    38153896        In this mode Samba will try to validate the username/password by passing it to another SMB server, such as an
    38163897        NT box. If this fails it will revert to <span><strong class="command">security = user</strong></span>. It expects the
    3817         <a class="indexterm" name="id292484"></a>encrypted passwords parameter to be set to <code class="constant">yes</code>, unless the remote
     3898        <a class="indexterm" name="id292594"></a>encrypted passwords parameter to be set to <code class="constant">yes</code>, unless the remote
    38183899        server does not support them.  However note that if encrypted passwords have been negotiated then Samba cannot
    38193900        revert back to checking the UNIX password file, it must have a valid <code class="filename">smbpasswd</code> file to check users against. See the chapter about the User Database in
     
    38353916    the server has successfully authenticated the client. This is why
    38363917    guest shares don't work in user level security without allowing
    3837     the server to automatically map unknown users into the <a class="indexterm" name="id292542"></a>guest account.
    3838     See the <a class="indexterm" name="id292549"></a>map to guest parameter for details on doing this.</p><p>See also the section <a href="#VALIDATIONSECT" title="NOTE ABOUT USERNAME/PASSWORD VALIDATION">
    3839     NOTE ABOUT USERNAME/PASSWORD VALIDATION</a>.</p><p>See also the <a class="indexterm" name="id292570"></a>password server parameter and the
    3840         <a class="indexterm" name="id292577"></a>encrypted passwords parameter.</p><p><a name="SECURITYEQUALSADS"></a><span class="emphasis"><em>SECURITY = ADS</em></span></p><p>In this mode, Samba will act as a domain member in an ADS realm. To operate
     3918    the server to automatically map unknown users into the <a class="indexterm" name="id292651"></a>guest account.
     3919    See the <a class="indexterm" name="id292658"></a>map to guest parameter for details on doing this.</p><p>See also the section <a href="#VALIDATIONSECT" title="NOTE ABOUT USERNAME/PASSWORD VALIDATION">
     3920    NOTE ABOUT USERNAME/PASSWORD VALIDATION</a>.</p><p>See also the <a class="indexterm" name="id292680"></a>password server parameter and the
     3921        <a class="indexterm" name="id292687"></a>encrypted passwords parameter.</p><p><a name="SECURITYEQUALSADS"></a><span class="emphasis"><em>SECURITY = ADS</em></span></p><p>In this mode, Samba will act as a domain member in an ADS realm. To operate
    38413922                in this mode, the machine running Samba will need to have Kerberos installed
    38423923                and configured and Samba will need to be joined to the ADS realm using the
     
    38483929</p></dd><dt><span class="term"><a name="SERVERSCHANNEL"></a>server schannel (G)</span></dt><dd><p>
    38493930        This controls whether the server offers or even demands the use of the netlogon schannel.
    3850         <a class="indexterm" name="id292653"></a>server schannel = no does not offer the schannel, <a class="indexterm" name="id292660"></a>server schannel = auto offers the schannel but does not enforce it, and <a class="indexterm" name="id292668"></a>server schannel = yes denies access if the client is not able to speak netlogon schannel.
     3931        <a class="indexterm" name="id292762"></a>server schannel = no does not offer the schannel, <a class="indexterm" name="id292770"></a>server schannel = auto offers the schannel but does not enforce it, and <a class="indexterm" name="id292777"></a>server schannel = yes denies access if the client is not able to speak netlogon schannel.
    38513932        This is only the case for Windows NT4 before SP4.
    38523933        </p><p>
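Review bot: Context line 3932, "This is only the case for Windows NT4 before SP4", has no clear antecedent after the long line 3931 that runs all three settings together. If the intent is that only Windows NT4 clients before SP4 cannot speak netlogon schannel, say so directly, so an administrator can judge which clients server schannel = yes will refuse.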
     
    39214002</p></dd><dt><span class="term"><a name="SHORTPRESERVECASE"></a>short preserve case (S)</span></dt><dd><p>
    39224003        This boolean parameter controls if new files which conform to 8.3 syntax, that is all in upper case and of
    3923         suitable length, are created upper case, or if they are forced to be the <a class="indexterm" name="id293202"></a>default case.
    3924         This  option can be use with <a class="indexterm" name="id293209"></a>preserve case = yes to permit long filenames
     4004        suitable length, are created upper case, or if they are forced to be the <a class="indexterm" name="id293312"></a>default case.
     4005        This  option can be use with <a class="indexterm" name="id293319"></a>preserve case = yes to permit long filenames
    39254006        to retain their case, while short names are lowered.
    39264007        </p><p>See the section on <a href="#NAMEMANGLINGSECT" title="NAME MANGLING">NAME MANGLING</a>.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>short preserve case</code></em> = yes
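Review bot: New line 4005 carries the typo "can be use with" (should be "can be used with") and a doubled space after "This". The line changed only in its anchor id, so the typo was copied over from old line 3924; correct it in the source rather than in the generated HTML.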
     
    40224103        If this parameter is set Samba attempts to first read DOS attributes (SYSTEM, HIDDEN, ARCHIVE or
    40234104        READ-ONLY) from a filesystem extended attribute, before mapping DOS attributes to UNIX permission bits (such
    4024         as occurs with <a class="indexterm" name="id293812"></a>map hidden and <a class="indexterm" name="id293818"></a>map readonly).  When set, DOS
     4105        as occurs with <a class="indexterm" name="id293921"></a>map hidden and <a class="indexterm" name="id293928"></a>map readonly).  When set, DOS
    40254106        attributes will be stored onto an extended attribute in the UNIX filesystem, associated with the file or
    4026         directory.  For no other mapping to occur as a fall-back, the parameters <a class="indexterm" name="id293827"></a>map hidden,
    4027         <a class="indexterm" name="id293834"></a>map system, <a class="indexterm" name="id293841"></a>map archive and <a class="indexterm" name="id293848"></a>map  readonly must be set to off.  This parameter writes the DOS attributes as a string into the extended
     4107        directory.  For no other mapping to occur as a fall-back, the parameters <a class="indexterm" name="id293937"></a>map hidden,
     4108        <a class="indexterm" name="id293944"></a>map system, <a class="indexterm" name="id293951"></a>map archive and <a class="indexterm" name="id293958"></a>map  readonly must be set to off.  This parameter writes the DOS attributes as a string into the extended
    40284109        attribute named "user.DOSATTRIB". This extended attribute is explicitly hidden from smbd clients requesting an
    40294110        EA list. On Linux the filesystem must have been mounted with the mount option user_xattr in order for
     
    41674248        in the smbpasswd file this parameter should be set to <code class="constant">no</code>.
    41684249        </p><p>
    4169         In order for this parameter to be operative the <a class="indexterm" name="id294608"></a>encrypt passwords parameter must
    4170     be set to <code class="constant">no</code>. The default value of <a class="indexterm" name="id294618"></a>encrypt  passwords = Yes. Note: This must be set to <code class="constant">no</code> for this <a class="indexterm" name="id294629"></a>update encrypted to work.
     4250        In order for this parameter to be operative the <a class="indexterm" name="id294717"></a>encrypt passwords parameter must
     4251    be set to <code class="constant">no</code>. The default value of <a class="indexterm" name="id294728"></a>encrypt  passwords = Yes. Note: This must be set to <code class="constant">no</code> for this <a class="indexterm" name="id294739"></a>update encrypted to work.
    41714252        </p><p>
    41724253        Note that even when this parameter is set a user authenticating to <span><strong class="command">smbd</strong></span>
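Review bot: New line 4251 contains the fragment "The default value of encrypt passwords = Yes.", which has no verb, and the following "Note: This must be set to no for this update encrypted to work" repeats the requirement already stated on line 4250. Fold the two into one sentence, for example "encrypt passwords defaults to yes and must be set to no for update encrypted to take effect". The security sections of this same page refer to the "encrypted passwords" parameter while this entry says "encrypt passwords"; use one name throughout.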
     
    42374318</em></span>
    42384319</p></dd><dt><span class="term"><a name="USERNAMEMAPSCRIPT"></a>username map script (G)</span></dt><dd><p>This script is a mutually exclusive alternative to the
    4239         <a class="indexterm" name="id294901"></a>username map parameter.  This parameter
     4320        <a class="indexterm" name="id295014"></a>username map parameter.  This parameter
    42404321        specifies and external program or script that must accept a single
    42414322        command line option (the username transmitted in the authentication
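Review bot: Context lines 4321-4322 say the script receives the username transmitted in the authentication request as its single command line option, but nothing here tells script authors that this value is client-supplied and must be treated as untrusted input; a sentence to that effect belongs in this entry. Line 4321 also reads "specifies and external program", where "and" should be "an". Line 4320 changes only the anchor id, so both fixes can go into the source with this regeneration.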
     
    43034384        <code class="constant">fred</code> is remapped to <code class="constant">mary</code> then you will actually be connecting to
    43044385        \\server\mary and will need to supply a password suitable for <code class="constant">mary</code> not
    4305         <code class="constant">fred</code>. The only exception to this is the username passed to the <a class="indexterm" name="id295094"></a>password server (if you have one). The password server will receive whatever username the client
     4386        <code class="constant">fred</code>. The only exception to this is the username passed to the <a class="indexterm" name="id295207"></a>password server (if you have one). The password server will receive whatever username the client
    43064387        supplies without  modification.
    43074388    </p><p>
     
    43494430    telnet session. The daemon runs as the user that they log in as,
    43504431    so they cannot do anything that user cannot do.</p><p>To restrict a service to a particular set of users you
    4351     can use the <a class="indexterm" name="id295255"></a>valid users parameter.</p><p>If any of the usernames begin with a '@' then the name
     4432    can use the <a class="indexterm" name="id295368"></a>valid users parameter.</p><p>If any of the usernames begin with a '@' then the name
    43524433    will be looked up first in the NIS netgroups list (if Samba
    43534434    is compiled with netgroup support), followed by a lookup in
     
    45314612        unix directory  separator '/'.
    45324613        </p><p>
    4533         Note that the <a class="indexterm" name="id295996"></a>case sensitive option is applicable in vetoing files.
     4614        Note that the <a class="indexterm" name="id296109"></a>case sensitive option is applicable in vetoing files.
    45344615        </p><p>
    45354616        One feature of the veto files parameter that it is important to be aware of is Samba's behaviour when
    45364617        trying to delete a directory. If a directory that is to be deleted contains nothing but veto files this
    4537         deletion will <span class="emphasis"><em>fail</em></span> unless you also set the <a class="indexterm" name="id296012"></a>delete veto files
     4618        deletion will <span class="emphasis"><em>fail</em></span> unless you also set the <a class="indexterm" name="id296126"></a>delete veto files
    45384619        parameter to <em class="parameter"><code>yes</code></em>.
    45394620        </p><p>
     
    45554636</em></span>
    45564637</p></dd><dt><span class="term"><a name="VETOOPLOCKFILES"></a>veto oplock files (S)</span></dt><dd><p>
    4557         This parameter is only valid when the <a class="indexterm" name="id296075"></a>oplocks
     4638        This parameter is only valid when the <a class="indexterm" name="id296189"></a>oplocks
    45584639        parameter is turned on for a share. It allows the Samba administrator
    45594640        to selectively turn off the granting of oplocks on selected files that
    45604641        match a wildcarded list, similar to the wildcarded list used in the
    4561         <a class="indexterm" name="id296084"></a>veto files parameter.
     4642        <a class="indexterm" name="id296197"></a>veto files parameter.
    45624643        </p><p>
    45634644        You might want to do this on files that you know will be heavily contended
     
    46004681        again.</p><p>
    46014682        This does not apply to authentication requests, these are always
    4602         evaluated in real time unless the <a class="indexterm" name="id296302"></a>winbind   offline logon option has been enabled.
     4683        evaluated in real time unless the <a class="indexterm" name="id296416"></a>winbind   offline logon option has been enabled.
    46034684        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>winbind cache time</code></em> = 300
    46044685</em></span>
     
    46974778        </p><p>
    46984779        This parameter is not deprecated in favor of the newer idmap_nss backend.
    4699         Refer to the <a class="indexterm" name="id296873"></a>idmap domains smb.conf option and
     4780        Refer to the <a class="indexterm" name="id296986"></a>idmap domains smb.conf option and
    47004781        the <a href="idmap_nss.8.html"><span class="citerefentry"><span class="refentrytitle">idmap_nss</span>(8)</span></a> man page for more information.
    47014782        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>winbind trusted domains only</code></em> = no
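Review bot: Context line 4779 says "This parameter is not deprecated in favor of the newer idmap_nss backend", which reads like a typo for "now deprecated": the phrase "in favor of" and the pointer to idmap_nss(8) on lines 4780-4781 only make sense as a deprecation notice. Confirm the intended meaning and correct the source, since an administrator reading the current text would conclude the opposite.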
     
    47644845        appear to be in when queried by clients. Note that this parameter
    47654846        also controls the Domain name used with
    4766         the <a class="indexterm" name="id297262"></a>security = domain
     4847        the <a class="indexterm" name="id297376"></a>security = domain
    47674848                setting.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>workgroup</code></em> = WORKGROUP
    47684849</em></span>
    47694850</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>workgroup</code></em> = MYGROUP
    47704851</em></span>
    4771 </p></dd><dt><span class="term"><a name="WRITABLE"></a>writable</span></dt><dd><p>This parameter is a synonym for writeable.</p></dd><dt><span class="term"><a name="WRITEABLE"></a>writeable (S)</span></dt><dd><p>Inverted synonym for <a class="indexterm" name="id297335"></a>read only.</p><p><span class="emphasis"><em>No default</em></span></p></dd><dt><span class="term"><a name="WRITECACHESIZE"></a>write cache size (S)</span></dt><dd><p>If this integer parameter is set to non-zero value,
     4852</p></dd><dt><span class="term"><a name="WRITABLE"></a>writable</span></dt><dd><p>This parameter is a synonym for writeable.</p></dd><dt><span class="term"><a name="WRITEABLE"></a>writeable (S)</span></dt><dd><p>Inverted synonym for <a class="indexterm" name="id297449"></a>read only.</p><p><span class="emphasis"><em>No default</em></span></p></dd><dt><span class="term"><a name="WRITECACHESIZE"></a>write cache size (S)</span></dt><dd><p>If this integer parameter is set to non-zero value,
    47724853    Samba will create an in-memory cache for each oplocked file
    47734854    (it does <span class="emphasis"><em>not</em></span> do this for
     
    47904871    This is a list of users that are given read-write access to a service. If the
    47914872    connecting user is in this list then they will be given write access, no matter
    4792     what the <a class="indexterm" name="id297432"></a>read only option is set to. The list can
     4873    what the <a class="indexterm" name="id297549"></a>read only option is set to. The list can
    47934874    include group names using the @group syntax.
    47944875    </p><p>
     
    47974878    </p><p>
    47984879    By design, this parameter will not work with the
    4799     <a class="indexterm" name="id297448"></a>security = share in Samba 3.0.
     4880    <a class="indexterm" name="id297565"></a>security = share in Samba 3.0.
    48004881    </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>write list</code></em> =
    48014882</em></span>
     
    48184899</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>wtmp directory</code></em> = /var/log/wtmp
    48194900</em></span>
    4820 </p></dd></dl></div></div><div class="refsect1" lang="en"><a name="id297581"></a><h2>WARNINGS</h2><p>
     4901</p></dd></dl></div></div><div class="refsect1" lang="en"><a name="id297698"></a><h2>WARNINGS</h2><p>
    48214902        Although the configuration file permits service names to contain spaces, your client software may not.
    48224903        Spaces will be ignored in comparisons anyway, so it shouldn't be a problem - but be aware of the possibility.
     
    48314912        care when designing these sections. In particular, ensure that the permissions on spool directories are
    48324913        correct.
    4833         </p></div><div class="refsect1" lang="en"><a name="id297624"></a><h2>VERSION</h2><p>This man page is correct for version 3.0 of the Samba suite.</p></div><div class="refsect1" lang="en"><a name="id297635"></a><h2>SEE ALSO</h2><p>
    4834         <a href="samba.7.html"><span class="citerefentry"><span class="refentrytitle">samba</span>(7)</span></a>, <a href="smbpasswd.8.html"><span class="citerefentry"><span class="refentrytitle">smbpasswd</span>(8)</span></a>, <a href="swat.8.html"><span class="citerefentry"><span class="refentrytitle">swat</span>(8)</span></a>, <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a>, <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a>, <a href="smbclient.1.html"><span class="citerefentry"><span class="refentrytitle">smbclient</span>(1)</span></a>, <a href="nmblookup.1.html"><span class="citerefentry"><span class="refentrytitle">nmblookup</span>(1)</span></a>, <a href="testparm.1.html"><span class="citerefentry"><span class="refentrytitle">testparm</span>(1)</span></a>, <a href="testprns.1.html"><span class="citerefentry"><span class="refentrytitle">testprns</span>(1)</span></a>.</p></div><div class="refsect1" lang="en"><a name="id297714"></a><h2>AUTHOR</h2><p>
     4914        </p></div><div class="refsect1" lang="en"><a name="id297741"></a><h2>VERSION</h2><p>This man page is correct for version 3.0 of the Samba suite.</p></div><div class="refsect1" lang="en"><a name="id297752"></a><h2>SEE ALSO</h2><p>
     4915        <a href="samba.7.html"><span class="citerefentry"><span class="refentrytitle">samba</span>(7)</span></a>, <a href="smbpasswd.8.html"><span class="citerefentry"><span class="refentrytitle">smbpasswd</span>(8)</span></a>, <a href="swat.8.html"><span class="citerefentry"><span class="refentrytitle">swat</span>(8)</span></a>, <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a>, <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a>, <a href="smbclient.1.html"><span class="citerefentry"><span class="refentrytitle">smbclient</span>(1)</span></a>, <a href="nmblookup.1.html"><span class="citerefentry"><span class="refentrytitle">nmblookup</span>(1)</span></a>, <a href="testparm.1.html"><span class="citerefentry"><span class="refentrytitle">testparm</span>(1)</span></a>, <a href="testprns.1.html"><span class="citerefentry"><span class="refentrytitle">testprns</span>(1)</span></a>.</p></div><div class="refsect1" lang="en"><a name="id297831"></a><h2>AUTHOR</h2><p>
    48354916        The original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed
    48364917        by the Samba Team as an Open Source project similar to the way the Linux kernel is developed.