Context Navigation

← Previous Change
Next Change →

htmldocs

Timestamp:

Apr 25, 2007, 9:44:55 AM (14 years ago)

Author:

Paul Smedley

Message:

Code updated to Samba 3.0.25rc2 level

Location:

trunk/samba/docs/htmldocs/manpages

Files:

: 3 edited

index.html (modified) (1 diff)
net.8.html (modified) (5 diffs)
smb.conf.5.html (modified) (115 diffs)

Legend:

: Unmodified
: Added
: Removed

trunk/samba/docs/htmldocs/manpages/index.html

-                      r26
+                      r30
         MS-RPC functions
 </p></dd><dt><span class="term"><a href="samba.7.html" target="_top">samba(7)</a></span></dt><dd><p>A Windows SMB/CIFS fileserver for UNIX
+</p></dd><dt><span class="term"><a href="smb.conf.5.html" target="_top">smb.conf(5)</a></span></dt><dd><p>The configuration file for the Samba suite
 </p></dd><dt><span class="term"><a href="smbcacls.1.html" target="_top">smbcacls(1)</a></span></dt><dd><p>Set or get ACLs on an NT file or directory names
 </p></dd><dt><span class="term"><a href="smbclient.1.html" target="_top">smbclient(1)</a></span></dt><dd><p>ftp-like client to access SMB/CIFS resources
         on servers
-</p></dd><dt><span class="term"><a href="smb.conf.5.html" target="_top">smb.conf(5)</a></span></dt><dd><p>The configuration file for the Samba suite
 </p></dd><dt><span class="term"><a href="smbcontrol.1.html" target="_top">smbcontrol(1)</a></span></dt><dd><p>send messages to smbd, nmbd or winbindd processes
 </p></dd><dt><span class="term"><a href="smbcquotas.1.html" target="_top">smbcquotas(1)</a></span></dt><dd><p>Set or get QUOTAs of NTFS 5 shares

trunk/samba/docs/htmldocs/manpages/net.8.html

-                      r26
+                      r30
 Properly populates the ldap tree with the basic accounts (Administrator)
 and groups (Domain Users, Domain Admins, Domain Guests) on the ldap tree.
+</p></div><div class="refsect2" lang="en"><a name="id273316"></a><h3>USERSHARE</h3><p>Starting with version 3.0.23, a Samba server now supports the ability for
+</p></div><div class="refsect2" lang="en"><a name="id273316"></a><h3>IDMAP DUMP &lt;output file&gt;</h3><p>
+Dumps the mappings in the specified output file.
+</p></div><div class="refsect2" lang="en"><a name="id273327"></a><h3>IDMAP RESTORE [input file]</h3><p>
+Restore the mappings from the specified file or stdin.
+</p></div><div class="refsect2" lang="en"><a name="id273338"></a><h3>IDMAP SECRET &lt;DOMAIN&gt;|ALLOC &lt;secret&gt;</h3><p>
+Store a secret for the sepcified domain, used primarily for domains
+that use idmap_ldap as a backend. In this case the secret is used
+as the password for the user DN used to bind to the ldap server.
+</p></div><div class="refsect2" lang="en"><a name="id273350"></a><h3>USERSHARE</h3><p>Starting with version 3.0.23, a Samba server now supports the ability for
 non-root users to add user define shares to be exported using the "net usershare"
 commands.
 …
 </p><table class="simplelist" border="0" summary="Simple list"><tr><td>net usershare add sharename path [comment] [acl] [guest_ok=[y|n]] - to add or change a user defined share.</td></tr><tr><td>net usershare delete sharename - to delete a user defined share.</td></tr><tr><td>net usershare info [-l|--long] [wildcard sharename] - to print info about a user defined share.</td></tr><tr><td>net usershare list [-l|--long] [wildcard sharename] - to list user defined shares.</td></tr></table><p>
 </p><div class="refsect3" lang="en"><a name="id273363"></a><h4>USERSHARE ADD <em class="replaceable"><code>sharename</code></em> <em class="replaceable"><code>path</code></em> <em class="replaceable"><code>[comment]</code></em> <em class="replaceable"><code>[acl]</code></em> <em class="replaceable"><code>[guest_ok=[y|n]]</code></em></h4><p>
+</p><div class="refsect3" lang="en"><a name="id273396"></a><h4>USERSHARE ADD <em class="replaceable"><code>sharename</code></em> <em class="replaceable"><code>path</code></em> <em class="replaceable"><code>[comment]</code></em> <em class="replaceable"><code>[acl]</code></em> <em class="replaceable"><code>[guest_ok=[y|n]]</code></em></h4><p>
 Add or replace a new user defined share, with name "sharename".
 </p><p>
 …
 at connect time so will see the change immediately, there is no need
 to restart smbd on adding, deleting or changing a user defined share.
 </div><div class="refsect3" lang="en"><a name="id273421"></a><h4>USERSHARE DELETE <em class="replaceable"><code>sharename</code></em></h4><p>
+</div><div class="refsect3" lang="en"><a name="id273460"></a><h4>USERSHARE DELETE <em class="replaceable"><code>sharename</code></em></h4><p>
 Deletes the user defined share by name. The Samba smbd daemon
 immediately notices this change, although it will not disconnect
 any users currently connected to the deleted share.
 </p></div><div class="refsect3" lang="en"><a name="id273435"></a><h4>USERSHARE INFO <em class="replaceable"><code>[-l|--long]</code></em> <em class="replaceable"><code>[wildcard sharename]</code></em></h4><p>
+</p></div><div class="refsect3" lang="en"><a name="id273474"></a><h4>USERSHARE INFO <em class="replaceable"><code>[-l|--long]</code></em> <em class="replaceable"><code>[wildcard sharename]</code></em></h4><p>
 Get info on user defined shares owned by the current user matching the given pattern, or all users.
 </p><p>
 …
 And is a list of the current settings of the user defined share that can be
 modified by the "net usershare add" command.
 </p></div><div class="refsect3" lang="en"><a name="id273464"></a><h4>USERSHARE LIST <em class="replaceable"><code>[-l|--long]</code></em> <em class="replaceable"><code>wildcard sharename</code></em></h4><p>
+</p></div><div class="refsect3" lang="en"><a name="id273502"></a><h4>USERSHARE LIST <em class="replaceable"><code>[-l|--long]</code></em> <em class="replaceable"><code>wildcard sharename</code></em></h4><p>
 List all the user defined shares owned by the current user matching the given pattern, or all users.
 </p><p>
 …
 If the '-l' or '--long' option is also given, it includes the names of user defined
 shares created by other users.
 </p></div></div><div class="refsect2" lang="en"><a name="id273488"></a><h3>HELP [COMMAND]</h3><p>Gives usage information for the specified command.</p></div></div><div class="refsect1" lang="en"><a name="id273499"></a><h2>VERSION</h2><p>This man page is complete for version 3.0 of the Samba
         suite.</p></div><div class="refsect1" lang="en"><a name="id273510"></a><h2>AUTHOR</h2><p>The original Samba software and related utilities
+</p></div></div><div class="refsect2" lang="en"><a name="id273526"></a><h3>HELP [COMMAND]</h3><p>Gives usage information for the specified command.</p></div></div><div class="refsect1" lang="en"><a name="id273538"></a><h2>VERSION</h2><p>This man page is complete for version 3.0 of the Samba
+        suite.</p></div><div class="refsect1" lang="en"><a name="id273548"></a><h2>AUTHOR</h2><p>The original Samba software and related utilities
         were created by Andrew Tridgell. Samba is now developed
         by the Samba Team as an Open Source project similar

trunk/samba/docs/htmldocs/manpages/smb.conf.5.html

-                      r26
+                      r30
 <html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>smb.conf</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.68.1"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"><a name="smb.conf.5"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>smb.conf &#8212; The configuration file for the Samba suite</p></div><div class="refsect1" lang="en"><a name="id263106"></a><h2>SYNOPSIS</h2><p>
         The <code class="filename">smb.conf</code> file is a configuration  file for the Samba suite. <code class="filename">smb.conf</code> contains  runtime configuration information for the Samba programs. The
         <code class="filename">smb.conf</code> file is designed to be configured and  administered by the
         <a href="swat.8.html"><span class="citerefentry"><span class="refentrytitle">swat</span>(8)</span></a> program. The
+         <code class="filename">smb.conf</code> file is designed to be configured and administered by the
+         <a href="swat.8.html"><span class="citerefentry"><span class="refentrytitle">swat</span>(8)</span></a> program. The
         complete description of the file format and possible parameters held within are here for reference purposes.
         </p></div><div class="refsect1" lang="en"><a name="FILEFORMATSECT"></a><h2>FILE FORMAT</h2><p>
 …
         </p><p>
         There are three special sections, [global], [homes] and [printers], which are described under
         <span class="emphasis"><em>special sections</em></span>. The following notes apply to ordinary section descriptions.
+         <span class="emphasis"><em>special sections</em></span>. The following notes apply to ordinary section descriptions.
         </p><p>
         A share consists of a directory to which access is being given plus a description of the access rights
 …
         In a POSIX filesystem, only the owner of a file or directory and the superuser can modify the permissions
         and ACLs on a file. If this parameter is set, then Samba overrides this restriction, and also allows the
         <span class="emphasis"><em>primary group owner</em></span> of a file or directory to modify the permissions and ACLs
+         <span class="emphasis"><em>primary group owner</em></span> of a file or directory to modify the permissions and ACLs
         on that file.
         </p><p>
 …
 </p></dd><dt><span class="term"><a name="ADDMACHINESCRIPT"></a>add machine script (G)</span></dt><dd><p>
         This is the full pathname to a script that will  be run by
         <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> when a machine is
+         <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> when a machine is
         added to Samba's domain and a Unix account matching the machine's name appended with a "$" does not
         already exist.
 …
         user database creating these users and keeping the user list in sync with the Windows
         NT PDC is an onerous task. This option allows smbd to create the required UNIX users
         <span class="emphasis"><em>ON DEMAND</em></span> when a user accesses the Samba server.
+         <span class="emphasis"><em>ON DEMAND</em></span> when a user accesses the Samba server.
         </p><p>
         In order to use this option, <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> must <span class="emphasis"><em>NOT</em></span> be set to
 …
 </p></dd><dt><span class="term"><a name="ALLOWTRUSTEDDOMAINS"></a>allow trusted domains (G)</span></dt><dd><p>
     This option only takes effect when the <a class="indexterm" name="id274224"></a>security option is set to
     <code class="constant">server</code>,<code class="constant">domain</code> or <code class="constant">ads</code>.
+    <code class="constant">server</code>, <code class="constant">domain</code> or <code class="constant">ads</code>.
     If it is set to no, then attempts to connect to a resource from
     a domain or workgroup other than the one which smbd is running
 …
         reading broadcast messages.  If this option is not set then <span><strong class="command">nmbd</strong></span> will
         service name requests on all of these sockets. If <a class="indexterm" name="id274569"></a>bind interfaces only is set then
         <span><strong class="command">nmbd</strong></span> will check the source address of any packets coming in on the
+         <span><strong class="command">nmbd</strong></span> will check the source address of any packets coming in on the
         broadcast sockets and discard any that don't match the broadcast addresses of the interfaces in the
         <a class="indexterm" name="id274583"></a>interfaces parameter list.  As unicast packets are received on the other sockets it
+        <a class="indexterm" name="id274584"></a>interfaces parameter list.  As unicast packets are received on the other sockets it
         allows <span><strong class="command">nmbd</strong></span> to refuse to serve names to machines that send packets that
         arrive through any interfaces not listed in the <a class="indexterm" name="id274598"></a>interfaces list.  IP Source address
         spoofing does defeat this simple check, however, so it must not be used seriously as a security feature for
         <span><strong class="command">nmbd</strong></span>.
+         <span><strong class="command">nmbd</strong></span>.
         </p><p>
         For file service it causes <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> to bind only to the interface list given in the <a class="indexterm" name="id274624"></a>interfaces parameter. This restricts the networks that <span><strong class="command">smbd</strong></span> will
 …
         </p><p>
         If <a class="indexterm" name="id274642"></a>bind interfaces only is set then unless the network address
         <span class="emphasis"><em>127.0.0.1</em></span> is added to the <a class="indexterm" name="id274654"></a>interfaces parameter list
         <a href="smbpasswd.8.html"><span class="citerefentry"><span class="refentrytitle">smbpasswd</span>(8)</span></a> and
         <a href="swat.8.html"><span class="citerefentry"><span class="refentrytitle">swat</span>(8)</span></a> may not work as
+         <span class="emphasis"><em>127.0.0.1</em></span> is added to the <a class="indexterm" name="id274654"></a>interfaces parameter list
+         <a href="smbpasswd.8.html"><span class="citerefentry"><span class="refentrytitle">smbpasswd</span>(8)</span></a> and
+         <a href="swat.8.html"><span class="citerefentry"><span class="refentrytitle">swat</span>(8)</span></a> may not work as
         expected due to the reasons covered below.
         </p><p>
         To change a users SMB password, the <span><strong class="command">smbpasswd</strong></span> by default connects to the
         <span class="emphasis"><em>localhost - 127.0.0.1</em></span> address as an SMB client to issue the password change request. If
+         <span class="emphasis"><em>localhost - 127.0.0.1</em></span> address as an SMB client to issue the password change request. If
         <a class="indexterm" name="id274691"></a>bind interfaces only is set then unless the network address
         <span class="emphasis"><em>127.0.0.1</em></span> is added to the <a class="indexterm" name="id274702"></a>interfaces parameter list then <span><strong class="command"> smbpasswd</strong></span> will fail to connect in it's default mode.  <span><strong class="command">smbpasswd</strong></span> can be forced to use the primary IP interface of the local host by using
+         <span class="emphasis"><em>127.0.0.1</em></span> is added to the <a class="indexterm" name="id274702"></a>interfaces parameter list then <span><strong class="command"> smbpasswd</strong></span> will fail to connect in it's default mode.  <span><strong class="command">smbpasswd</strong></span> can be forced to use the primary IP interface of the local host by using
         its <a href="smbpasswd.8.html"><span class="citerefentry"><span class="refentrytitle">smbpasswd</span>(8)</span></a>    <em class="parameter"><code>-r <em class="replaceable"><code>remote machine</code></em></code></em> parameter, with <em class="replaceable"><code>remote
         machine</code></em> set to the IP name of the primary interface of the local host.
 …
         parameter is not given, attempting to connect to a nonexistent
         service results in an error.</p><p>
         Typically the default service would be a <a class="indexterm" name="id276708"></a>guest ok, <a class="indexterm" name="id276716"></a>read-only service.</p><p>Also note that the apparent service name will be changed to equal
+        Typically the default service would be a <a class="indexterm" name="id276709"></a>guest ok, <a class="indexterm" name="id276716"></a>read-only service.</p><p>Also note that the apparent service name will be changed to equal
         that of the requested service, this is very useful as it allows you to use macros like <em class="parameter"><code>%S</code></em> to make a wildcard service.
         </p><p>Note also that any "_" characters in the name of the service
 …
     DeletePrinter() RPC call.</p><p>For a Samba host this means that the printer must be
     physically deleted from underlying printing system.  The
     <a class="indexterm" name="id276886"></a>deleteprinter command defines a script to be run which
+    <a class="indexterm" name="id276887"></a>deleteprinter command defines a script to be run which
     will perform the necessary operations for removing the printer
     from the print system and from <code class="filename">smb.conf</code>.
 …
         WAN-wide browse list collation. Setting this option causes <span><strong class="command">nmbd</strong></span> to claim a
         special domain specific NetBIOS name that identifies it as a domain master browser for its given
         <a class="indexterm" name="id278021"></a>workgroup. Local master browsers in the same <a class="indexterm" name="id278029"></a>workgroup on
+        <a class="indexterm" name="id278022"></a>workgroup. Local master browsers in the same <a class="indexterm" name="id278029"></a>workgroup on
         broadcast-isolated subnets will give this <span><strong class="command">nmbd</strong></span> their local browse lists,
         and then ask <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> for a
 …
         broadcast-isolated subnet.
         </p><p>
         Note that Windows NT Primary Domain Controllers expect to be able to claim this <a class="indexterm" name="id278056"></a>workgroup specific special NetBIOS name that identifies them as domain master browsers for that
+        Note that Windows NT Primary Domain Controllers expect to be able to claim this <a class="indexterm" name="id278057"></a>workgroup specific special NetBIOS name that identifies them as domain master browsers for that
         <a class="indexterm" name="id278064"></a>workgroup by default (i.e. there is no way to prevent a Windows NT PDC from attempting
         to do this). This means that if this parameter is set and <span><strong class="command">nmbd</strong></span> claims the
         special name for a <a class="indexterm" name="id278078"></a>workgroup before a Windows NT PDC is able to do so then cross
+        special name for a <a class="indexterm" name="id278079"></a>workgroup before a Windows NT PDC is able to do so then cross
         subnet browsing will behave strangely and may fail.
         </p><p>
         If <a class="indexterm" name="id278090"></a>domain logons = yes, then the default behavior is to enable the
         <a class="indexterm" name="id278097"></a>domain master parameter.  If <a class="indexterm" name="id278104"></a>domain logons is not enabled (the
+        <a class="indexterm" name="id278097"></a>domain master parameter.  If <a class="indexterm" name="id278105"></a>domain logons is not enabled (the
         default setting), then neither will <a class="indexterm" name="id278112"></a>domain master be enabled by default.
         </p><p>
         When <a class="indexterm" name="id278123"></a>domain logons = Yes the default setting for this parameter is
         Yes, with the result that Samba will be a PDC. If <a class="indexterm" name="id278130"></a>domain master = No,
+        Yes, with the result that Samba will be a PDC. If <a class="indexterm" name="id278131"></a>domain master = No,
         Samba will function as a BDC. In general, this parameter should be set to 'No' only on a BDC.
         </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>domain master</code></em> = auto
 …
 </p></dd><dt><span class="term"><a name="ENABLEPRIVILEGES"></a>enable privileges (G)</span></dt><dd><p>
         This parameter controls whether or not smbd will honor privileges assigned to specific SIDs via either
         <span><strong class="command">net rpc rights</strong></span> or one of the Windows user and group manager tools.  This parameter is
+         <span><strong class="command">net rpc rights</strong></span> or one of the Windows user and group manager tools.  This parameter is
         enabled by default. It can be disabled to prevent members of the Domain Admins group from being able to
         assign privileges to users or groups which can then result in certain smbd operations running as root that
 …
 </p><p>Example: <span class="emphasis"><em><em class="parameter"><code>hostname lookups</code></em> = yes
 </em></span>
 </p></dd><dt><span class="term"><a name="ALLOWHOSTS"></a>allow hosts</span></dt><dd><p>This parameter is a synonym for hosts allow.</p></dd><dt><span class="term"><a name="HOSTSALLOW"></a>hosts allow (S)</span></dt><dd><p>A synonym for this parameter is <a class="indexterm" name="id280528"></a>allow hosts.</p><p>This parameter is a comma, space, or tab delimited
+</p></dd><dt><span class="term"><a name="ALLOWHOSTS"></a>allow hosts</span></dt><dd><p>This parameter is a synonym for hosts allow.</p></dd><dt><span class="term"><a name="HOSTSALLOW"></a>hosts allow (S)</span></dt><dd><p>A synonym for this parameter is <a class="indexterm" name="id280529"></a>allow hosts.</p><p>This parameter is a comma, space, or tab delimited
     set of hosts which are permitted to access a service.</p><p>If specified in the [global] section then it will
     apply to all services, regardless of whether the individual
 …
         The idmap alloc backend provides a plugin interface for Winbind to use
         when allocating Unix uids/gids for Windows SIDs.  This option is
         to be used in conjunction with the <a class="indexterm" name="id280797"></a>idmap domains
+        to be used in conjunction with the <a class="indexterm" name="id280798"></a>idmap domains
         parameter and refers to the name of the idmap module which will provide
         the id allocation functionality.  Please refer to the man page
 …
     sent. Keepalive packets, if sent, allow the server to tell whether
     a client is still present and responding.</p><p>Keepalives should, in general, not be needed if the socket
     has the SO_KEEPALIVE attribute set on it by default. (see <a class="indexterm" name="id281919"></a>socket options).
+    has the SO_KEEPALIVE attribute set on it by default. (see <a class="indexterm" name="id281920"></a>socket options).
 Basically you should only use this option if you strike difficulties.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>keepalive</code></em> = 300
 </em></span>
 …
 </p></dd><dt><span class="term"><a name="LDAPADMINDN"></a>ldap admin dn (G)</span></dt><dd><p>
         The <a class="indexterm" name="id282202"></a>ldap admin dn defines the Distinguished  Name (DN) name used by Samba to contact
         the ldap server when retreiving  user account information. The <a class="indexterm" name="id282210"></a>ldap admin dn is used
+        the ldap server when retreiving  user account information. The <a class="indexterm" name="id282211"></a>ldap admin dn is used
         in conjunction with the admin dn password stored in the <code class="filename">private/secrets.tdb</code>
         file.  See the <a href="smbpasswd.8.html"><span class="citerefentry"><span class="refentrytitle">smbpasswd</span>(8)</span></a>
         man page for more information on how  to accomplish this.
         </p><p>
         The <a class="indexterm" name="id282236"></a>ldap admin dn requires a fully specified DN. The <a class="indexterm" name="id282243"></a>ldap  suffix is not appended to the <a class="indexterm" name="id282250"></a>ldap admin dn.
+        The <a class="indexterm" name="id282236"></a>ldap admin dn requires a fully specified DN. The <a class="indexterm" name="id282243"></a>ldap  suffix is not appended to the <a class="indexterm" name="id282251"></a>ldap admin dn.
         </p><p><span class="emphasis"><em>No default</em></span></p></dd><dt><span class="term"><a name="LDAPDELETEDN"></a>ldap delete dn (G)</span></dt><dd><p> This parameter specifies whether a delete
         operation in the ldapsam deletes the complete entry or only the attributes
 …
 </p></dd><dt><span class="term"><a name="LDAPGROUPSUFFIX"></a>ldap group suffix (G)</span></dt><dd><p>This parameter specifies the suffix that is
         used for groups when these are added to the LDAP directory.
         If this parameter is unset, the value of <a class="indexterm" name="id282318"></a>ldap suffix will be used instead.  The suffix string is pre-pended to the
+        If this parameter is unset, the value of <a class="indexterm" name="id282319"></a>ldap suffix will be used instead.  The suffix string is pre-pended to the
         <a class="indexterm" name="id282326"></a>ldap suffix string so use a partial DN.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>ldap group suffix</code></em> =
 </em></span>
 …
         the smb.conf ldap options must be properly configured.
         The tipical ldap setup used with the <a class="indexterm" name="id282650"></a>ldapsam:trusted = yes option
+        The tipical ldap setup used with the <a class="indexterm" name="id282651"></a>ldapsam:trusted = yes option
         is usually sufficient to use <a class="indexterm" name="id282658"></a>ldapsam:editposix = yes as well.
         </p><p>
 …
         This is <span class="emphasis"><em>NOT</em></span> related to
         Samba's previous SSL support which was enabled by specifying the
         <span><strong class="command">--with-ssl</strong></span> option to the <code class="filename">configure</code>
+         <span><strong class="command">--with-ssl</strong></span> option to the <code class="filename">configure</code>
         script.</p><p>The <a class="indexterm" name="id282805"></a>ldap ssl can be set to one of three values:</p><div class="itemizedlist"><ul type="disc"><li><p><em class="parameter"><code>Off</code></em> = Never
                         use SSL when querying the directory.</p></li><li><p><em class="parameter"><code>Start_tls</code></em> = Use
 …
                         on the ldaps port when contacting the <em class="parameter"><code>ldap server</code></em>. Only available when the
                         backwards-compatiblity <span><strong class="command">--with-ldapsam</strong></span> option is specified
+                to configure. See <a class="indexterm" name="id282861"></a>passdb backend</p></li></ul></div><p>Default: <span class="emphasis"><em><em class="parameter"><code>ldap ssl</code></em> = start_tls
+                to configure. See <a class="indexterm" name="id282861"></a>passdb backend</p>.
+                </li></ul></div><p>Default: <span class="emphasis"><em><em class="parameter"><code>ldap ssl</code></em> = start_tls
 </em></span>
 </p></dd><dt><span class="term"><a name="LDAPSUFFIX"></a>ldap suffix (G)</span></dt><dd><p>Specifies the base for all ldap suffixes and for storing the sambaDomain object.</p><p>
         The ldap suffix will be appended to the values specified for the <a class="indexterm" name="id282907"></a>ldap user suffix,
         <a class="indexterm" name="id282914"></a>ldap group suffix, <a class="indexterm" name="id282922"></a>ldap machine suffix, and the
         <a class="indexterm" name="id282929"></a>ldap idmap suffix. Each of these should be given only a DN relative to the
         <a class="indexterm" name="id282936"></a>ldap suffix.
+        The ldap suffix will be appended to the values specified for the <a class="indexterm" name="id282908"></a>ldap user suffix,
+         <a class="indexterm" name="id282915"></a>ldap group suffix, <a class="indexterm" name="id282922"></a>ldap machine suffix, and the
+         <a class="indexterm" name="id282929"></a>ldap idmap suffix. Each of these should be given only a DN relative to the
+         <a class="indexterm" name="id282937"></a>ldap suffix.
         </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>ldap suffix</code></em> =
 </em></span>
 …
         This parameter specifies where users are added to the tree. If this parameter is unset,
         the value of <a class="indexterm" name="id283024"></a>ldap suffix will be used instead.  The suffix
         string is pre-pended to the  <a class="indexterm" name="id283031"></a>ldap suffix string so use a partial DN.
+        string is pre-pended to the  <a class="indexterm" name="id283032"></a>ldap suffix string so use a partial DN.
         </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>ldap user suffix</code></em> =
 </em></span>
 …
 </p></dd><dt><span class="term"><a name="LOGONDRIVE"></a>logon drive (G)</span></dt><dd><p>
         This parameter specifies the local path to which the home directory will be
         connected (see <a class="indexterm" name="id283789"></a>logon home) and is only used by NT
+        connected (see <a class="indexterm" name="id283790"></a>logon home) and is only used by NT
         Workstations.
         </p><p>
 …
         This tells Samba to return the above string, with substitutions made when a client requests the info, generally
         in a NetUserGetInfo request.  Win9X clients truncate the info to \\server\share when a user does
         <span><strong class="command">net use /home</strong></span> but use the whole string when dealing with profiles.
         </p><p>
         Note that in prior versions of Samba, the <a class="indexterm" name="id283897"></a>logon path was returned rather than
+         <span><strong class="command">net use /home</strong></span> but use the whole string when dealing with profiles.
+        </p><p>
+        Note that in prior versions of Samba, the <a class="indexterm" name="id283898"></a>logon path was returned rather than
         <em class="parameter"><code>logon home</code></em>.  This broke <span><strong class="command">net use /home</strong></span>
         but allowed profiles outside the home directory. The current implementation is correct, and can be used for
         profiles if you use the above trick.
         </p><p>
         Disable this feature by setting <a class="indexterm" name="id283921"></a>logon home = "" - using the empty string.
+        Disable this feature by setting <a class="indexterm" name="id283922"></a>logon home = "" - using the empty string.
         </p><p>
         This option is only useful if Samba is set up as a logon server.
 …
         stored.  Contrary to previous versions of these manual pages, it has nothing to do with Win 9X roaming
         profiles.  To find out how to handle roaming profiles for Win 9X system, see the
         <a class="indexterm" name="id283979"></a>logon home parameter.
+        <a class="indexterm" name="id283980"></a>logon home parameter.
         </p><p>
         This option takes the standard substitutions, allowing you to have separate logon scripts for each user or
 …
         </p></div><p>Note that this option is only useful if Samba is set up as a domain controller.</p><p>
         Disable the use of roaming profiles by setting the value of this parameter to the empty string. For
         example, <a class="indexterm" name="id284057"></a>logon path = "". Take note that even if the default setting
+        example, <a class="indexterm" name="id284058"></a>logon path = "". Take note that even if the default setting
         in the smb.conf file is the empty string, any value specified in the user account settings in the passdb
         backend will over-ride the effect of setting this parameter to null. Disabling of all roaming profile use
 …
         </p><p>
         The script must be a relative path to the <em class="parameter"><code>[netlogon]</code></em> service.  If the [netlogon]
         service specifies a <a class="indexterm" name="id284133"></a>path of <code class="filename">/usr/local/samba/netlogon</code>, and <a class="indexterm" name="id284146"></a>logon  script = STARTUP.BAT, then the file that will be downloaded is:
+        service specifies a <a class="indexterm" name="id284134"></a>path of <code class="filename">/usr/local/samba/netlogon</code>, and <a class="indexterm" name="id284147"></a>logon  script = STARTUP.BAT, then the file that will be downloaded is:
 </p><pre class="programlisting">
         /usr/local/samba/netlogon/STARTUP.BAT
 …
     in the lppause command as the PATH may not be available to the server.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>lppause command</code></em> =
 # Currently no default value is given to
     this string, unless the value of the <a class="indexterm" name="id284300"></a>printing
+    this string, unless the value of the <a class="indexterm" name="id284303"></a>printing
     parameter is <code class="constant">SYSV</code>, in which case the default is :
     <span><strong class="command">lp -i %p-%j -H hold</strong></span> or if the value of the
 …
     printing or spooling a specific print job.</p><p>This command should be a program or script which takes
     a printer name and job number to resume the print job. See
     also the <a class="indexterm" name="id284576"></a>lppause command parameter.</p><p>If a <em class="parameter"><code>%p</code></em> is given then the printer name
+    also the <a class="indexterm" name="id284579"></a>lppause command parameter.</p><p>If a <em class="parameter"><code>%p</code></em> is given then the printer name
     is put in its place. A <em class="parameter"><code>%j</code></em> is replaced with
     the job number (an integer).</p><p>Note that it is good practice to include the absolute path
     in the <em class="parameter"><code>lpresume command</code></em> as the PATH may not
     be available to the server.</p><p>See also the <a class="indexterm" name="id284613"></a>printing parameter.</p><p>Default: Currently no default value is given
+    be available to the server.</p><p>See also the <a class="indexterm" name="id284616"></a>printing parameter.</p><p>Default: Currently no default value is given
     to this string, unless the value of the <em class="parameter"><code>printing</code></em>
     parameter is <code class="constant">SYSV</code>, in which case the default is :</p><p><span><strong class="command">lp -i %p-%j -H resume</strong></span></p><p>or if the value of the <em class="parameter"><code>printing</code></em> parameter
 …
 </em></span>
 </p></dd><dt><span class="term"><a name="MACHINEPASSWORDTIMEOUT"></a>machine password timeout (G)</span></dt><dd><p>
         If a Samba server is a member of a Windows NT Domain (see the <a class="indexterm" name="id284769"></a>security = domain parameter) then periodically a running smbd process will try and change
+        If a Samba server is a member of a Windows NT Domain (see the <a class="indexterm" name="id284772"></a>security = domain parameter) then periodically a running smbd process will try and change
         the MACHINE ACCOUNT PASSWORD stored in the TDB called <code class="filename">private/secrets.tdb
         </code>.  This parameter specifies how often this password will be changed, in seconds. The default is one
 …
         </p><p>
         See also <a href="smbpasswd.8.html"><span class="citerefentry"><span class="refentrytitle">smbpasswd</span>(8)</span></a>,
         and the <a class="indexterm" name="id284795"></a>security = domain parameter.
+        and the <a class="indexterm" name="id284798"></a>security = domain parameter.
         </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>machine password timeout</code></em> = 604800
 </em></span>
 </p></dd><dt><span class="term"><a name="MAGICOUTPUT"></a>magic output (S)</span></dt><dd><p>
         This parameter specifies the name of a file which will contain output created by a magic script (see the
         <a class="indexterm" name="id284836"></a>magic script parameter below).
+        <a class="indexterm" name="id284839"></a>magic script parameter below).
         </p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>If two clients use the same <em class="parameter"><code>magic script
         </code></em> in the same directory the output file content is undefined.
 …
         completion assuming that the user has the appropriate level
         of privilege and the file permissions allow the deletion.</p><p>If the script generates output, output will be sent to
         the file specified by the <a class="indexterm" name="id284910"></a>magic output
+        the file specified by the <a class="indexterm" name="id284913"></a>magic output
         parameter (see above).</p><p>Note that some shells are unable to interpret scripts
         containing CR/LF instead of CR as
 …
         you would use:
         </p><p>
         <a class="indexterm" name="id285014"></a>mangled map = (*.html *.htm).
+        <a class="indexterm" name="id285017"></a>mangled map = (*.html *.htm).
         </p><p>
         One very useful case is to remove the annoying <code class="filename">;1</code> off
 …
 </p></dd><dt><span class="term"><a name="MANGLEDNAMES"></a>mangled names (S)</span></dt><dd><p>This controls whether non-DOS names under UNIX
         should be mapped to DOS-compatible names ("mangled") and made visible,
         or whether non-DOS names should simply be ignored.</p><p>See the section on <a class="indexterm" name="id285081"></a>name mangling for
+        or whether non-DOS names should simply be ignored.</p><p>See the section on <a class="indexterm" name="id285084"></a>name mangling for
         details on how to control the mangling process.</p><p>If mangling is used then the mangling algorithm is as follows:</p><div class="itemizedlist"><ul type="disc"><li><p>The first (up to) five alphanumeric characters
                         before the rightmost dot of the filename are preserved, forced
 …
                         only if it contains any upper case characters or is longer than three
                         characters.</p><p>Note that the character to use may be specified using
                                 the <a class="indexterm" name="id285115"></a>mangling char
+                                the <a class="indexterm" name="id285118"></a>mangling char
                         option, if you don't like '~'.</p></li><li><p>Files whose UNIX name begins with a dot will be
                         presented as DOS hidden files. The mangled name will be created as
 …
 </em></span>
 </p></dd><dt><span class="term"><a name="MANGLINGCHAR"></a>mangling char (S)</span></dt><dd><p>This controls what character is used as
         the <span class="emphasis"><em>magic</em></span> character in <a class="indexterm" name="id285236"></a>name mangling. The
+        the <span class="emphasis"><em>magic</em></span> character in <a class="indexterm" name="id285238"></a>name mangling. The
         default is a '~' but this may interfere with some software. Use this option to set
         it to whatever you prefer. This is effective only when mangling method is hash.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>mangling char</code></em> = ~
 …
         be quite annoying for shared source code, documents, etc...
         </p><p>
         Note that this requires the <a class="indexterm" name="id285393"></a>create mask        parameter to be set such that owner
+        Note that this requires the <a class="indexterm" name="id285396"></a>create mask        parameter to be set such that owner
         execute bit is not masked out (i.e. it must include 100). See the parameter
         <a class="indexterm" name="id285401"></a>create mask for details.
+        <a class="indexterm" name="id285404"></a>create mask for details.
         </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>map archive</code></em> = yes
 </em></span>
 …
         This controls whether DOS style hidden files should be mapped to the UNIX world execute bit.
         </p><p>
         Note that this requires the <a class="indexterm" name="id285446"></a>create mask to be set such that the world execute
         bit is not masked out (i.e. it must include 001). See the parameter <a class="indexterm" name="id285454"></a>create mask
+        Note that this requires the <a class="indexterm" name="id285449"></a>create mask to be set such that the world execute
+        bit is not masked out (i.e. it must include 001). See the parameter <a class="indexterm" name="id285457"></a>create mask
         for details.
         </p><p><span class="emphasis"><em>No default</em></span></p></dd><dt><span class="term"><a name="MAPREADONLY"></a>map read only (S)</span></dt><dd><p>
 …
         </p><p>
         This parameter can take three different values, which tell <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> how to display the read only attribute on files, where either
         <a class="indexterm" name="id285500"></a>store dos attributes is set to <code class="constant">No</code>, or no extended attribute is
         present. If <a class="indexterm" name="id285511"></a>store dos attributes is set to <code class="constant">yes</code> then this
+        <a class="indexterm" name="id285503"></a>store dos attributes is set to <code class="constant">No</code>, or no extended attribute is
+        present. If <a class="indexterm" name="id285514"></a>store dos attributes is set to <code class="constant">yes</code> then this
         parameter is <span class="emphasis"><em>ignored</em></span>. This is a new parameter introduced in Samba version 3.0.21.
         </p><p>The three settings are :</p><div class="itemizedlist"><ul type="disc"><li><p>
 …
                 </p></li><li><p>
                 <code class="constant">No</code> - The read only DOS attribute is unaffected by permissions, and can only be set by
                 the <a class="indexterm" name="id285568"></a>store dos attributes method. This may be useful for exporting mounted CDs.
+                the <a class="indexterm" name="id285570"></a>store dos attributes method. This may be useful for exporting mounted CDs.
                 </p></li></ul></div><p>Default: <span class="emphasis"><em><em class="parameter"><code>map read only</code></em> = yes
 </em></span>
 …
         This controls whether DOS style system files should be mapped to the UNIX group execute bit.
         </p><p>
         Note that this requires the <a class="indexterm" name="id285613"></a>create mask        to be set such that the group
+        Note that this requires the <a class="indexterm" name="id285616"></a>create mask        to be set such that the group
         execute bit is not masked out (i.e. it must include 010). See the parameter
         <a class="indexterm" name="id285621"></a>create mask for details.
+        <a class="indexterm" name="id285624"></a>create mask for details.
         </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>map system</code></em> = no
 </em></span>
 </p></dd><dt><span class="term"><a name="MAPTOGUEST"></a>map to guest (G)</span></dt><dd><p>This parameter is only useful in <a class="indexterm" name="id285661"></a>SECURITY =
+</p></dd><dt><span class="term"><a name="MAPTOGUEST"></a>map to guest (G)</span></dt><dd><p>This parameter is only useful in <a class="indexterm" name="id285664"></a>SECURITY =
     security modes other than <em class="parameter"><code>security = share</code></em>
     - i.e. <code class="constant">user</code>, <code class="constant">server</code>,
     and <code class="constant">domain</code>.</p><p>This parameter can take four different values, which tell
+    and <em class="parameter"><code>security = server</code></em>
+    - i.e. <code class="constant">user</code>, and <code class="constant">domain</code>.</p><p>This parameter can take four different values, which tell
     <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> what to do with user
     login requests that don't match a valid UNIX user in some way.</p><p>The four settings are :</p><div class="itemizedlist"><ul type="disc"><li><p><code class="constant">Never</code> - Means user login
 …
             logins with an invalid password are rejected, unless the username
             does not exist, in which case it is treated as a guest login and
             mapped into the <a class="indexterm" name="id285723"></a>guest account.</p></li><li><p><code class="constant">Bad Password</code> - Means user logins
+            mapped into the <a class="indexterm" name="id285728"></a>guest account.</p></li><li><p><code class="constant">Bad Password</code> - Means user logins
             with an invalid password are treated as a guest login and mapped
             into the <a class="indexterm" name="id285740"></a>guest account. Note that
+            into the <a class="indexterm" name="id285745"></a>guest account. Note that
             this can cause problems as it means that any user incorrectly typing
             their password will be silently logged on as "guest" - and
 …
             to the underlying OS via the Name Service Switch interface.</p></li></ul></div><p>Note that this parameter is needed to set up "Guest"
     share services when using <em class="parameter"><code>security</code></em> modes other than
     share. This is because in these modes the name of the resource being
+    share and server. This is because in these modes the name of the resource being
     requested is <span class="emphasis"><em>not</em></span> sent to the server until after
     the server has successfully authenticated the client so the server
     cannot make authentication decisions at the correct time (connection
+    to the share) for "Guest" shares.</p><p>For people familiar with the older Samba releases, this
+    to the share) for "Guest" shares. This parameter is not useful with
+    <em class="parameter"><code>security = server</code></em> as in this security mode
+    no information is returned about whether a user logon failed due to
+    a bad username or bad password, the same error is returned from a modern server
+    in both cases.</p><p>For people familiar with the older Samba releases, this
     parameter maps to the old compile-time setting of the <code class="constant">
                 GUEST_SESSSETUP</code> value in local.h.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>map to guest</code></em> = Never
 …
     will be refused if this number of connections to the service are already open. A value
     of zero mean an unlimited number of connections may be made.</p><p>Record lock files are used to implement this feature. The lock files will be stored in
     the directory specified by the <a class="indexterm" name="id285862"></a>lock directory option.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>max connections</code></em> = 0
+    the directory specified by the <a class="indexterm" name="id285871"></a>lock directory option.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>max connections</code></em> = 0
 </em></span>
 </p><p>Example: <span class="emphasis"><em><em class="parameter"><code>max connections</code></em> = 10
 …
 </em></span>
 </p></dd><dt><span class="term"><a name="MAXWINSTTL"></a>max wins ttl (G)</span></dt><dd><p>This option tells <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> when acting as a WINS server
         (<a class="indexterm" name="id286529"></a>wins support = yes) what the maximum
+        (<a class="indexterm" name="id286538"></a>wins support = yes) what the maximum
     'time to live' of NetBIOS names that <span><strong class="command">nmbd</strong></span>
     will grant will be (in seconds). You should never need to change this
 …
 </p></dd><dt><span class="term"><a name="MINPROTOCOL"></a>min protocol (G)</span></dt><dd><p>The value of the parameter (a string) is the
     lowest SMB protocol dialect than Samba will support.  Please refer
     to the <a class="indexterm" name="id286852"></a>max protocol
+    to the <a class="indexterm" name="id286860"></a>max protocol
     parameter for a list of valid protocol names and a brief description
     of each.  You may also wish to refer to the C source code in
     <code class="filename">source/smbd/negprot.c</code> for a listing of known protocol
     dialects supported by clients.</p><p>If you are viewing this parameter as a security measure, you should
     also refer to the <a class="indexterm" name="id286871"></a>lanman auth parameter.  Otherwise, you should never need
+    also refer to the <a class="indexterm" name="id286879"></a>lanman auth parameter.  Otherwise, you should never need
     to change this parameter.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>min protocol</code></em> = CORE
 </em></span>
 …
 </em></span>
 </p></dd><dt><span class="term"><a name="MINWINSTTL"></a>min wins ttl (G)</span></dt><dd><p>This option tells <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a>
     when acting as a WINS server (<a class="indexterm" name="id286931"></a>wins support = yes) what the minimum 'time to live'
+    when acting as a WINS server (<a class="indexterm" name="id286939"></a>wins support = yes) what the minimum 'time to live'
     of NetBIOS names that <span><strong class="command">nmbd</strong></span> will grant will be (in
     seconds). You should never need to change this parameter.  The default
 …
         this share, they are redirected to the proxied share using
         the SMB-Dfs protocol.</p><p>Only Dfs roots can act as proxy shares. Take a look at the
         <a class="indexterm" name="id286985"></a>msdfs root and <a class="indexterm" name="id286992"></a>host msdfs
+        <a class="indexterm" name="id286993"></a>msdfs root and <a class="indexterm" name="id287000"></a>host msdfs
         options to find out how to set up a Dfs root share.</p><p><span class="emphasis"><em>No default</em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>msdfs proxy</code></em> = \\otherserver\someshare
 </em></span>
 …
                 _ldap._tcp.domain.
         </p></li><li><p><code class="constant">wins</code> : Query a name with
             the IP address listed in the <a class="indexterm" name="id287183"></a>WINSSERVER parameter.  If no WINS server has
+            the IP address listed in the <a class="indexterm" name="id287191"></a>WINSSERVER parameter.  If no WINS server has
             been specified this method will be ignored.</p></li><li><p><code class="constant">bcast</code> : Do a broadcast on
             each of the known local interfaces listed in the <a class="indexterm" name="id287200"></a>interfaces
+            each of the known local interfaces listed in the <a class="indexterm" name="id287208"></a>interfaces
             parameter. This is the least reliable of the name resolution
             methods as it depends on the target host being on a locally
 …
         server. When Samba is returning the home share to the client, it
         will consult the NIS map specified in
         <a class="indexterm" name="id287449"></a>homedir map and return the server
+        <a class="indexterm" name="id287457"></a>homedir map and return the server
         listed there.</p><p>Note that for this option to work there must be a working
         NIS system and the Samba server with this option must also
 …
     default behavior is to use PAM for clear text authentication only
     and to ignore any account or session management.  Note that Samba
     always ignores PAM for authentication in the case of <a class="indexterm" name="id287735"></a>encrypt passwords = yes.  The reason
+    always ignores PAM for authentication in the case of <a class="indexterm" name="id287744"></a>encrypt passwords = yes.  The reason
     is that PAM modules cannot support the challenge/response
     authentication mechanism needed in the presence of SMB password encryption.
 …
     this parameter will force the server to only use the login
     names from the <em class="parameter"><code>user</code></em> list and is only really
     useful in <a class="indexterm" name="id287791"></a>security = share level security.</p><p>Note that this also means Samba won't try to deduce
+    useful in <a class="indexterm" name="id287800"></a>security = share level security.</p><p>Note that this also means Samba won't try to deduce
     usernames from the service name. This can be annoying for
     the [homes] section. To get around this you could use <span><strong class="command">user =
 …
         </p><p>
         Oplocks may be selectively turned off on certain files with a share. See
         the <a class="indexterm" name="id288040"></a>veto oplock files parameter. On some systems
+        the <a class="indexterm" name="id288045"></a>veto oplock files parameter. On some systems
         oplocks are recognized by the underlying operating system. This
         allows data synchronization between all access to oplocked files,
         whether it be via Samba or NFS or a local UNIX process. See the
         <a class="indexterm" name="id288049"></a>kernel oplocks parameter for details.
+        <a class="indexterm" name="id288054"></a>kernel oplocks parameter for details.
         </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>oplocks</code></em> = yes
 </em></span>
 …
 </p></dd><dt><span class="term"><a name="OSLEVEL"></a>os level (G)</span></dt><dd><p>
         This integer value controls what level Samba advertises itself as for browse elections. The value of this
         parameter determines whether <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a> has a chance of becoming a local master browser for the <a class="indexterm" name="id288153"></a>workgroup in the local broadcast area.
+        parameter determines whether <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a> has a chance of becoming a local master browser for the <a class="indexterm" name="id288157"></a>workgroup in the local broadcast area.
 </p><p><span class="emphasis"><em>
         Note :</em></span>By default, Samba will win a local master browsing election over all Microsoft operating
 …
     flag for Samba.  If enabled, then PAM will be used for password
     changes when requested by an SMB client instead of the program listed in
     <a class="indexterm" name="id288217"></a>passwd program.
+    <a class="indexterm" name="id288221"></a>passwd program.
     It should be possible to enable this without changing your
     <a class="indexterm" name="id288224"></a>passwd chat parameter for most setups.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>pam password change</code></em> = no
+    <a class="indexterm" name="id288229"></a>passwd chat parameter for most setups.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>pam password change</code></em> = no
 </em></span>
 </p></dd><dt><span class="term"><a name="PANICACTION"></a>panic action (G)</span></dt><dd><p>This is a Samba developer option that allows a
 …
                 </p></li><li><p><span><strong class="command">tdbsam</strong></span> - The TDB based password storage
                 backend.  Takes a path to the TDB as an optional argument (defaults to passdb.tdb
                 in the <a class="indexterm" name="id288401"></a>private dir directory.</p></li><li><p><span><strong class="command">ldapsam</strong></span> - The LDAP based passdb
+                in the <a class="indexterm" name="id288406"></a>private dir directory.</p></li><li><p><span><strong class="command">ldapsam</strong></span> - The LDAP based passdb
                 backend.  Takes an LDAP URL as an optional argument (defaults to
                 <span><strong class="command">ldap://localhost</strong></span>)</p><p>LDAP connections should be secured where possible.  This may be done using either
                 Start-TLS (see <a class="indexterm" name="id288431"></a>ldap ssl) or by
+                Start-TLS (see <a class="indexterm" name="id288435"></a>ldap ssl) or by
                 specifying <em class="parameter"><code>ldaps://</code></em> in
                 the URL argument. </p><p>Multiple servers may also be specified in double-quotes, if your
 …
     </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>passdb expand explicit</code></em> = no
 </em></span>
-</p></dd><dt><span class="term"><a name="PASSWDCHATDEBUG"></a>passwd chat debug (G)</span></dt><dd><p>This boolean specifies if the passwd chat script
-    parameter is run in <span class="emphasis"><em>debug</em></span> mode. In this mode the
-    strings passed to and received from the passwd chat are printed
-    in the <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> log with a
-    <a class="indexterm" name="id288541"></a>debug level
-    of 100. This is a dangerous option as it will allow plaintext passwords
-    to be seen in the <span><strong class="command">smbd</strong></span> log. It is available to help
-    Samba admins debug their <em class="parameter"><code>passwd chat</code></em> scripts
-    when calling the <em class="parameter"><code>passwd program</code></em> and should
-    be turned off after this has been done. This option has no effect if the
-    <a class="indexterm" name="id288568"></a>pam password change
-        paramter is set. This parameter is off by default.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>passwd chat debug</code></em> = no
-</em></span>
-</p></dd><dt><span class="term"><a name="PASSWDCHATTIMEOUT"></a>passwd chat timeout (G)</span></dt><dd><p>This integer specifies the number of seconds smbd will wait for an initial
-    answer from a passwd chat script being run. Once the initial answer is received
-    the subsequent answers must be received in one tenth of this time. The default it
-    two seconds.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>passwd chat timeout</code></em> = 2
-</em></span>
 </p></dd><dt><span class="term"><a name="PASSWDCHAT"></a>passwd chat (G)</span></dt><dd><p>This string controls the <span class="emphasis"><em>"chat"</em></span>
     conversation that takes places between <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> and the local password changing
     program to change the user's password. The string describes a
     sequence of response-receive pairs that <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> uses to determine what to send to the
     <a class="indexterm" name="id288665"></a>passwd program and what to expect back. If the expected output is not
+    <a class="indexterm" name="id288553"></a>passwd program and what to expect back. If the expected output is not
     received then the password is not changed.</p><p>This chat sequence is often quite site specific, depending
     on what local methods are used for password control (such as NIS
     etc).</p><p>Note that this parameter only is only used if the <a class="indexterm" name="id288681"></a>unix password sync parameter is set  to <code class="constant">yes</code>. This sequence is
+    etc).</p><p>Note that this parameter only is only used if the <a class="indexterm" name="id288570"></a>unix password sync parameter is set  to <code class="constant">yes</code>. This sequence is
     then called <span class="emphasis"><em>AS ROOT</em></span> when the SMB password  in the
     smbpasswd file is being changed, without access to the old password
     cleartext. This means that root must be able to reset the user's password without
     knowing the text of the previous password. In the presence of
     NIS/YP,  this means that the <a class="indexterm" name="id288698"></a>passwd program must
+    NIS/YP,  this means that the <a class="indexterm" name="id288586"></a>passwd program must
     be executed on the NIS master.
     </p><p>The string can contain the macro <em class="parameter"><code>%n</code></em> which is substituted
 …
     in them into a single string.</p><p>If the send string in any part of the chat sequence  is a full
     stop ".",  then no string is sent. Similarly,  if the
     expect string is a full stop then no string is expected.</p><p>If the <a class="indexterm" name="id288726"></a>pam password change parameter is set to <code class="constant">yes</code>, the
+    expect string is a full stop then no string is expected.</p><p>If the <a class="indexterm" name="id288614"></a>pam password change parameter is set to <code class="constant">yes</code>, the
         chat pairs may be matched in any order, and success is determined by the PAM result, not any particular
         output. The \n macro is ignored for PAM conversions.
 …
 </em></span>
 </p><p>Example: <span class="emphasis"><em><em class="parameter"><code>passwd chat</code></em> = "*Enter OLD password*" %o\n "*Enter NEW password*" %n\n "*Reenter NEW password*" %n\n "*Password changed*"
+</em></span>
+</p></dd><dt><span class="term"><a name="PASSWDCHATDEBUG"></a>passwd chat debug (G)</span></dt><dd><p>This boolean specifies if the passwd chat script
+    parameter is run in <span class="emphasis"><em>debug</em></span> mode. In this mode the
+    strings passed to and received from the passwd chat are printed
+    in the <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> log with a
+    <a class="indexterm" name="id288686"></a>debug level
+    of 100. This is a dangerous option as it will allow plaintext passwords
+    to be seen in the <span><strong class="command">smbd</strong></span> log. It is available to help
+    Samba admins debug their <em class="parameter"><code>passwd chat</code></em> scripts
+    when calling the <em class="parameter"><code>passwd program</code></em> and should
+    be turned off after this has been done. This option has no effect if the
+    <a class="indexterm" name="id288713"></a>pam password change
+        paramter is set. This parameter is off by default.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>passwd chat debug</code></em> = no
+</em></span>
+</p></dd><dt><span class="term"><a name="PASSWDCHATTIMEOUT"></a>passwd chat timeout (G)</span></dt><dd><p>This integer specifies the number of seconds smbd will wait for an initial
+    answer from a passwd chat script being run. Once the initial answer is received
+    the subsequent answers must be received in one tenth of this time. The default it
+    two seconds.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>passwd chat timeout</code></em> = 2
 </em></span>
 </p></dd><dt><span class="term"><a name="PASSWDPROGRAM"></a>passwd program (G)</span></dt><dd><p>The name of a program that can be used to set
 …
     made - the password as is and the password in all-lower case.</p><p>This parameter is used only when using plain-text passwords. It is
     not at all used when encrypted passwords as in use (that is the default
     since samba-3.0.0). Use this only when <a class="indexterm" name="id288953"></a>encrypt passwords = No.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>password level</code></em> = 0
+    since samba-3.0.0). Use this only when <a class="indexterm" name="id288957"></a>encrypt passwords = No.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>password level</code></em> = 0
 </em></span>
 </p><p>Example: <span class="emphasis"><em><em class="parameter"><code>password level</code></em> = 4
 …
     have no effect on password servers for Windows NT 4.0 domains or netbios
     connections.</p><p>If parameter is a name, it is looked up using the
     parameter <a class="indexterm" name="id289024"></a>name resolve order and so may resolved
+    parameter <a class="indexterm" name="id289029"></a>name resolve order and so may resolved
     by any method and order described in that parameter.</p><p>The password server must be a machine capable of using
     the "LM1.2X002" or the "NT LM 0.12" protocol, and it must be in
 …
         will be replaced by the NetBIOS name of the machine they are
         connecting from. These replacements are very useful for setting
         up pseudo home directories for users.</p><p>Note that this path will be based on <a class="indexterm" name="id289308"></a>root dir
+        up pseudo home directories for users.</p><p>Note that this path will be based on <a class="indexterm" name="id289313"></a>root dir
          if one was specified.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>path</code></em> =
 </em></span>
 …
 </p><p>Example: <span class="emphasis"><em><em class="parameter"><code>postexec</code></em> = echo \"%u disconnected from %S from %m (%I)\" &gt;&gt; /tmp/log
 </em></span>
-</p></dd><dt><span class="term"><a name="PREEXECCLOSE"></a>preexec close (S)</span></dt><dd><p>
-        This boolean option controls whether a non-zero return code from <a class="indexterm" name="id289506"></a>preexec
-        should close the service being connected to.
-        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>preexec close</code></em> = no
-</em></span>
 </p></dd><dt><span class="term"><a name="EXEC"></a>exec</span></dt><dd><p>This parameter is a synonym for preexec.</p></dd><dt><span class="term"><a name="PREEXEC"></a>preexec (S)</span></dt><dd><p>This option specifies a command to be run whenever
         the service is connected to. It takes the usual substitutions.</p><p>An interesting example is to send the users a welcome
 …
         /usr/local/samba/bin/smbclient -M %m -I %I' &amp; </strong></span>
         </p><p>Of course, this could get annoying after a while :-)</p><p>
         See also <a class="indexterm" name="id289590"></a>preexec close and <a class="indexterm" name="id289597"></a>postexec.
+        See also <a class="indexterm" name="id289554"></a>preexec close and <a class="indexterm" name="id289562"></a>postexec.
         </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>preexec</code></em> =
 </em></span>
 </p><p>Example: <span class="emphasis"><em><em class="parameter"><code>preexec</code></em> = echo \"%u connected to %S from %m (%I)\" &gt;&gt; /tmp/log
+</em></span>
+</p></dd><dt><span class="term"><a name="PREEXECCLOSE"></a>preexec close (S)</span></dt><dd><p>
+        This boolean option controls whether a non-zero return code from <a class="indexterm" name="id289614"></a>preexec
+        should close the service being connected to.
+        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>preexec close</code></em> = no
 </em></span>
 </p></dd><dt><span class="term"><a name="PREFEREDMASTER"></a>prefered master</span></dt><dd><p>This parameter is a synonym for preferred master.</p></dd><dt><span class="term"><a name="PREFERREDMASTER"></a>preferred master (G)</span></dt><dd><p>
 …
         If this is set to <code class="constant">yes</code>, on startup, <span><strong class="command">nmbd</strong></span> will force
         an election, and it will have a slight advantage in winning the election.  It is recommended that this
         parameter is used in conjunction with <a class="indexterm" name="id289694"></a>domain master = yes, so that
+        parameter is used in conjunction with <a class="indexterm" name="id289698"></a>domain master = yes, so that
         <span><strong class="command">nmbd</strong></span> can guarantee becoming a domain master.
         </p><p>
 …
         </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>preferred master</code></em> = auto
 </em></span>
-</p></dd><dt><span class="term"><a name="PRELOADMODULES"></a>preload modules (G)</span></dt><dd><p>This is a list of paths to modules that should
-        be loaded into smbd before a client connects. This improves
-        the speed of smbd when reacting to new connections somewhat. </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>preload modules</code></em> =
-</em></span>
-</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>preload modules</code></em> = /usr/lib/samba/passdb/mysql.so
-</em></span>
 </p></dd><dt><span class="term"><a name="AUTOSERVICES"></a>auto services</span></dt><dd><p>This parameter is a synonym for preload.</p></dd><dt><span class="term"><a name="PRELOAD"></a>preload (G)</span></dt><dd><p>This is a list of services that you want to be
         automatically added to the browse lists. This is most useful
 …
         visible.</p><p>
         Note that if you just want all printers in your
         printcap file loaded then the <a class="indexterm" name="id289819"></a>load printers
+        printcap file loaded then the <a class="indexterm" name="id289778"></a>load printers
          option is easier.
         </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>preload</code></em> =
 …
 </p><p>Example: <span class="emphasis"><em><em class="parameter"><code>preload</code></em> = fred lp colorlp
 </em></span>
+</p></dd><dt><span class="term"><a name="PRELOADMODULES"></a>preload modules (G)</span></dt><dd><p>This is a list of paths to modules that should
+        be loaded into smbd before a client connects. This improves
+        the speed of smbd when reacting to new connections somewhat. </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>preload modules</code></em> =
+</em></span>
+</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>preload modules</code></em> = /usr/lib/samba/passdb/mysql.so
+</em></span>
 </p></dd><dt><span class="term"><a name="PRESERVECASE"></a>preserve case (S)</span></dt><dd><p>
         This controls if new filenames are created with the case that the client passes, or if
         they are forced to be the <a class="indexterm" name="id289871"></a>default case.
+        they are forced to be the <a class="indexterm" name="id289876"></a>default case.
         </p><p>
         See the section on <a href="#NAMEMANGLINGSECT" title="NAME MANGLING">NAME MANGLING</a> for a fuller discussion.
 …
     specified for the service. </p><p>Note that a printable service will ALWAYS allow writing
     to the service path (user privileges permitting) via the spooling
     of print data. The <a class="indexterm" name="id290056"></a>read only parameter controls only non-printing access to
+    of print data. The <a class="indexterm" name="id290060"></a>read only parameter controls only non-printing access to
     the resource.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>printable</code></em> = no
 </em></span>
 …
         </p><p>
         To use the CUPS printing interface set <span><strong class="command">printcap name = cups </strong></span>. This should
         be supplemented by an addtional setting <a class="indexterm" name="id290194"></a>printing = cups in the [global]
+        be supplemented by an addtional setting <a class="indexterm" name="id290198"></a>printing = cups in the [global]
         section.  <span><strong class="command">printcap name = cups</strong></span> will use the  "dummy" printcap
         created by CUPS, as specified in your CUPS configuration file.
 …
     be created but not processed and (most importantly) not removed.</p><p>Note that printing may fail on some UNIXes from the
     <code class="constant">nobody</code> account. If this happens then create
     an alternative guest account that can print and set the <a class="indexterm" name="id290406"></a>guest account
+    an alternative guest account that can print and set the <a class="indexterm" name="id290410"></a>guest account
     in the [global] section.</p><p>You can form quite complex print commands by realizing
     that they are just passed to a shell. For example the following
 …
     /tmp/print.log; lpr -P %p %s; rm %s</strong></span></p><p>You may have to vary this command considerably depending
     on how you normally print files on your system. The default for
     the parameter varies depending on the setting of the <a class="indexterm" name="id290432"></a>printing
+    the parameter varies depending on the setting of the <a class="indexterm" name="id290437"></a>printing
         parameter.</p><p>Default: For <span><strong class="command">printing = BSD, AIX, QNX, LPRNG
     or PLP :</strong></span></p><p><span><strong class="command">print command = lpr -r -P%p %s</strong></span></p><p>For <span><strong class="command">printing = SYSV or HPUX :</strong></span></p><p><span><strong class="command">print command = lp -c -d%p %s; rm %s</strong></span></p><p>For <span><strong class="command">printing = SOFTQ :</strong></span></p><p><span><strong class="command">print command = lp -d%p -s %s; rm %s</strong></span></p><p>For printing = CUPS :   If SAMBA is compiled against
     libcups, then <a class="indexterm" name="id290488"></a>printcap = cups
+    libcups, then <a class="indexterm" name="id290493"></a>printcap = cups
     uses the CUPS API to
     submit jobs, etc.  Otherwise it maps to the System V
 …
         does not have its own printer name specified.
         </p><p>
         The default value of the <a class="indexterm" name="id290630"></a>printer name may be <code class="literal">lp</code> on many
+        The default value of the <a class="indexterm" name="id290634"></a>printer name may be <code class="literal">lp</code> on many
         systems.
         </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>printer name</code></em> = none
 …
     executed on the server host in order to resume the printer queue. It
     is the command to undo the behavior that is caused by the
     previous parameter (<a class="indexterm" name="id291021"></a>queuepause command).</p><p>This command should be a program or script which takes
+    previous parameter (<a class="indexterm" name="id291026"></a>queuepause command).</p><p>This command should be a program or script which takes
     a printer name as its only parameter and resumes the printer queue,
     such that queued jobs are resubmitted to the printer.</p><p>This command is not supported by Windows for Workgroups,
 …
 </p></dd><dt><span class="term"><a name="READLIST"></a>read list (S)</span></dt><dd><p>
         This is a list of users that are given read-only access to a service. If the connecting user is in this list
         then they will not be given write access, no matter what the <a class="indexterm" name="id291144"></a>read only option is set
         to. The list can include group names using the syntax described in the <a class="indexterm" name="id291151"></a>invalid users
+        then they will not be given write access, no matter what the <a class="indexterm" name="id291148"></a>read only option is set
+        to. The list can include group names using the syntax described in the <a class="indexterm" name="id291156"></a>invalid users
         parameter.
         </p><p>This parameter will not work with the <a class="indexterm" name="id291162"></a>security = share in
+        </p><p>This parameter will not work with the <a class="indexterm" name="id291167"></a>security = share in
     Samba 3.0.  This is by design.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>read list</code></em> =
 </em></span>
 </p><p>Example: <span class="emphasis"><em><em class="parameter"><code>read list</code></em> = mary, @students
 </em></span>
 </p></dd><dt><span class="term"><a name="READONLY"></a>read only (S)</span></dt><dd><p>An inverted synonym is <a class="indexterm" name="id291214"></a>writeable.</p><p>If this parameter is <code class="constant">yes</code>, then users
+</p></dd><dt><span class="term"><a name="READONLY"></a>read only (S)</span></dt><dd><p>An inverted synonym is <a class="indexterm" name="id291218"></a>writeable.</p><p>If this parameter is <code class="constant">yes</code>, then users
     of a service may not create or modify files in the service's
     directory.</p><p>Note that a printable service (<span><strong class="command">printable = yes</strong></span>)
 …
         the above line would cause <span><strong class="command">nmbd</strong></span> to announce itself
         to the two given IP addresses using the given workgroup names. If you leave out the
         workgroup name then the one given in the <a class="indexterm" name="id291412"></a>workgroup parameter
+        workgroup name then the one given in the <a class="indexterm" name="id291416"></a>workgroup parameter
         is used instead.
         </p><p>
 …
         is in fact the browse master on its segment.
         </p><p>
         The <a class="indexterm" name="id291509"></a>remote browse sync may be used on networks
+        The <a class="indexterm" name="id291514"></a>remote browse sync may be used on networks
         where there is no WINS server, and may be used on disjoint networks where
         each network has its own WINS server.
 …
         </p></div><p>Default: <span class="emphasis"><em><em class="parameter"><code>rename user script</code></em> = no
 </em></span>
 </p></dd><dt><span class="term"><a name="RESETONZEROVC"></a>reset on zero vc (S)</span></dt><dd><p>
+</p></dd><dt><span class="term"><a name="RESETONZEROVC"></a>reset on zero vc (G)</span></dt><dd><p>
         This boolean option controls whether an incoming session setup
         should kill other connections coming from the same IP. This matches
 …
         </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
     The security advantage of using restrict anonymous = 2 is removed
     by setting <a class="indexterm" name="id291682"></a>guest ok = yes on any share.
+    by setting <a class="indexterm" name="id291687"></a>guest ok = yes on any share.
         </p></div><p>Default: <span class="emphasis"><em><em class="parameter"><code>restrict anonymous</code></em> = 0
 </em></span>
 …
     parts of the filesystem, or attempts to use ".." in file names
     to access other directories (depending on the setting of the
         <a class="indexterm" name="id291776"></a>wide smbconfoptions parameter).
+        <a class="indexterm" name="id291780"></a>wide smbconfoptions parameter).
     </p><p>Adding a <em class="parameter"><code>root directory</code></em> entry other
     than "/" adds an extra level of security, but at a price. It
 …
         </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>root postexec</code></em> =
 </em></span>
-</p></dd><dt><span class="term"><a name="ROOTPREEXECCLOSE"></a>root preexec close (S)</span></dt><dd><p>This is the same as the <em class="parameter"><code>preexec close
-        </code></em> parameter except that the command is run as root.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>root preexec close</code></em> = no
-</em></span>
 </p></dd><dt><span class="term"><a name="ROOTPREEXEC"></a>root preexec (S)</span></dt><dd><p>
         This is the same as the <em class="parameter"><code>preexec</code></em>
 …
         </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>root preexec</code></em> =
 </em></span>
+</p></dd><dt><span class="term"><a name="SECURITYMASK"></a>security mask (S)</span></dt><dd><p>
+        This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating the
+        UNIX permission on a file using the native NT security dialog box.
+        </p><p>
+        This parameter is applied as a mask (AND'ed with) to the changed permission bits, thus preventing any bits not
+        in this mask from being modified.  Make sure not to mix up this parameter with <a class="indexterm" name="id291989"></a>force  security mode, which works in a manner similar to this one but uses a logical OR instead of an AND.
+        </p><p>
+        Essentially, zero bits in this mask may be treated as a set of bits the user is not allowed to change.
+        </p><p>
+        If not set explicitly this parameter is 0777, allowing a user to modify all the user/group/world permissions on a file.
+    </p><p><span class="emphasis"><em>
+        Note</em></span> that users who can access the Samba server through other means can easily bypass this
+    restriction, so it is primarily useful for standalone "appliance" systems.  Administrators of
+        most normal systems will probably want to leave it set to <code class="constant">0777</code>.
+        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>security mask</code></em> = 0777
+</em></span>
+</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>security mask</code></em> = 0770
+</p></dd><dt><span class="term"><a name="ROOTPREEXECCLOSE"></a>root preexec close (S)</span></dt><dd><p>This is the same as the <em class="parameter"><code>preexec close
+        </code></em> parameter except that the command is run as root.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>root preexec close</code></em> = no
 </em></span>
 </p></dd><dt><span class="term"><a name="SECURITY"></a>security (G)</span></dt><dd><p>This option affects how clients respond to
 …
     is commonly used for a shared printer server. It is more difficult
     to setup guest shares with <span><strong class="command">security = user</strong></span>, see
     the <a class="indexterm" name="id292166"></a>map to guestparameter for details.</p><p>It is possible to use <span><strong class="command">smbd</strong></span> in a <span class="emphasis"><em>
+    the <a class="indexterm" name="id292089"></a>map to guestparameter for details.</p><p>It is possible to use <span><strong class="command">smbd</strong></span> in a <span class="emphasis"><em>
     hybrid mode</em></span> where it is offers both user and share
     level security under different <a class="indexterm" name="id292187"></a>NetBIOS aliases. </p><p>The different settings will now be explained.</p><p><a name="SECURITYEQUALSSHARE"></a><span class="emphasis"><em>SECURITY = SHARE</em></span></p><p>When clients connect to a share level security server they
+    level security under different <a class="indexterm" name="id292110"></a>NetBIOS aliases. </p><p>The different settings will now be explained.</p><p><a name="SECURITYEQUALSSHARE"></a><span class="emphasis"><em>SECURITY = SHARE</em></span></p><p>When clients connect to a share level security server they
     need not log onto the server with a valid username and password before
     attempting to connect to a shared resource (although modern clients
 …
     techniques to determine the correct UNIX user to use on behalf
     of the client.</p><p>A list of possible UNIX usernames to match with the given
     client password is constructed using the following methods :</p><div class="itemizedlist"><ul type="disc"><li><p>If the <a class="indexterm" name="id292262"></a>guest only parameter is set, then all the other
             stages are missed and only the <a class="indexterm" name="id292270"></a>guest account username is checked.
+    client password is constructed using the following methods :</p><div class="itemizedlist"><ul type="disc"><li><p>If the <a class="indexterm" name="id292185"></a>guest only parameter is set, then all the other
+            stages are missed and only the <a class="indexterm" name="id292193"></a>guest account username is checked.
             </p></li><li><p>Is a username is sent with the share connection
             request, then this username (after mapping - see <a class="indexterm" name="id292284"></a>username map),
+            request, then this username (after mapping - see <a class="indexterm" name="id292208"></a>username map),
             is added as a potential username.
             </p></li><li><p>If the client did a previous <span class="emphasis"><em>logon
 …
             </p></li><li><p>The NetBIOS name of the client is added to
             the list as a potential username.
             </p></li><li><p>Any users on the <a class="indexterm" name="id292325"></a>user list are added as potential usernames.
+            </p></li><li><p>Any users on the <a class="indexterm" name="id292248"></a>user list are added as potential usernames.
             </p></li></ul></div><p>If the <em class="parameter"><code>guest only</code></em> parameter is
     not set, then this list is then tried with the supplied password.
 …
     NOTE ABOUT USERNAME/PASSWORD VALIDATION</a>.</p><p><a name="SECURITYEQUALSUSER"></a><span class="emphasis"><em>SECURITY = USER</em></span></p><p>This is the default security setting in Samba 3.0.
     With user-level security a client must first "log-on" with a
     valid username and password (which can be mapped using the <a class="indexterm" name="id292394"></a>username map
     parameter). Encrypted passwords (see the <a class="indexterm" name="id292402"></a>encrypted passwords parameter) can also
     be used in this security mode. Parameters such as <a class="indexterm" name="id292409"></a>user and <a class="indexterm" name="id292416"></a>guest only if set      are then applied and
+    valid username and password (which can be mapped using the <a class="indexterm" name="id292317"></a>username map
+    parameter). Encrypted passwords (see the <a class="indexterm" name="id292325"></a>encrypted passwords parameter) can also
+    be used in this security mode. Parameters such as <a class="indexterm" name="id292332"></a>user and <a class="indexterm" name="id292340"></a>guest only if set      are then applied and
     may change the UNIX user to use on this connection, but only after
     the user has been successfully authenticated.</p><p><span class="emphasis"><em>Note</em></span> that the name of the resource being
 …
     the server has successfully authenticated the client. This is why
     guest shares don't work in user level security without allowing
     the server to automatically map unknown users into the <a class="indexterm" name="id292436"></a>guest account.
     See the <a class="indexterm" name="id292443"></a>map to guest parameter for details on doing this.</p><p>See also the section <a href="#VALIDATIONSECT" title="NOTE ABOUT USERNAME/PASSWORD VALIDATION">NOTE ABOUT USERNAME/PASSWORD VALIDATION</a>.</p><p><a name="SECURITYEQUALSDOMAIN"></a><span class="emphasis"><em>SECURITY = DOMAIN</em></span></p><p>This mode will only work correctly if <a href="net.8.html"><span class="citerefentry"><span class="refentrytitle">net</span>(8)</span></a> has been used to add this
     machine into a Windows NT Domain. It expects the <a class="indexterm" name="id292482"></a>encrypted passwords
+    the server to automatically map unknown users into the <a class="indexterm" name="id292359"></a>guest account.
+    See the <a class="indexterm" name="id292366"></a>map to guest parameter for details on doing this.</p><p>See also the section <a href="#VALIDATIONSECT" title="NOTE ABOUT USERNAME/PASSWORD VALIDATION">NOTE ABOUT USERNAME/PASSWORD VALIDATION</a>.</p><p><a name="SECURITYEQUALSDOMAIN"></a><span class="emphasis"><em>SECURITY = DOMAIN</em></span></p><p>This mode will only work correctly if <a href="net.8.html"><span class="citerefentry"><span class="refentrytitle">net</span>(8)</span></a> has been used to add this
+    machine into a Windows NT Domain. It expects the <a class="indexterm" name="id292405"></a>encrypted passwords
         parameter to be set to <code class="constant">yes</code>. In this
     mode Samba will try to validate the username/password by passing
 …
     the server has successfully authenticated the client. This is why
     guest shares don't work in user level security without allowing
     the server to automatically map unknown users into the <a class="indexterm" name="id292532"></a>guest account.
     See the <a class="indexterm" name="id292539"></a>map to guest parameter for details on doing this.</p><p>See also the section <a href="#VALIDATIONSECT" title="NOTE ABOUT USERNAME/PASSWORD VALIDATION">
     NOTE ABOUT USERNAME/PASSWORD VALIDATION</a>.</p><p>See also the <a class="indexterm" name="id292560"></a>password server parameter and
          the <a class="indexterm" name="id292567"></a>encrypted passwords parameter.</p><p><a name="SECURITYEQUALSSERVER"></a><span class="emphasis"><em>SECURITY = SERVER</em></span></p><p>
+    the server to automatically map unknown users into the <a class="indexterm" name="id292455"></a>guest account.
+    See the <a class="indexterm" name="id292462"></a>map to guest parameter for details on doing this.</p><p>See also the section <a href="#VALIDATIONSECT" title="NOTE ABOUT USERNAME/PASSWORD VALIDATION">
+    NOTE ABOUT USERNAME/PASSWORD VALIDATION</a>.</p><p>See also the <a class="indexterm" name="id292483"></a>password server parameter and
+         the <a class="indexterm" name="id292490"></a>encrypted passwords parameter.</p><p><a name="SECURITYEQUALSSERVER"></a><span class="emphasis"><em>SECURITY = SERVER</em></span></p><p>
         In this mode Samba will try to validate the username/password by passing it to another SMB server, such as an
         NT box. If this fails it will revert to <span><strong class="command">security = user</strong></span>. It expects the
         <a class="indexterm" name="id292594"></a>encrypted passwords parameter to be set to <code class="constant">yes</code>, unless the remote
+        <a class="indexterm" name="id292517"></a>encrypted passwords parameter to be set to <code class="constant">yes</code>, unless the remote
         server does not support them.  However note that if encrypted passwords have been negotiated then Samba cannot
         revert back to checking the UNIX password file, it must have a valid <code class="filename">smbpasswd</code> file to check users against. See the chapter about the User Database in
 …
     the server has successfully authenticated the client. This is why
     guest shares don't work in user level security without allowing
     the server to automatically map unknown users into the <a class="indexterm" name="id292651"></a>guest account.
     See the <a class="indexterm" name="id292658"></a>map to guest parameter for details on doing this.</p><p>See also the section <a href="#VALIDATIONSECT" title="NOTE ABOUT USERNAME/PASSWORD VALIDATION">
     NOTE ABOUT USERNAME/PASSWORD VALIDATION</a>.</p><p>See also the <a class="indexterm" name="id292680"></a>password server parameter and the
         <a class="indexterm" name="id292687"></a>encrypted passwords parameter.</p><p><a name="SECURITYEQUALSADS"></a><span class="emphasis"><em>SECURITY = ADS</em></span></p><p>In this mode, Samba will act as a domain member in an ADS realm. To operate
+    the server to automatically map unknown users into the <a class="indexterm" name="id292579"></a>guest account.
+    See the <a class="indexterm" name="id292586"></a>map to guest parameter for details on doing this.</p><p>See also the section <a href="#VALIDATIONSECT" title="NOTE ABOUT USERNAME/PASSWORD VALIDATION">
+    NOTE ABOUT USERNAME/PASSWORD VALIDATION</a>.</p><p>See also the <a class="indexterm" name="id292607"></a>password server parameter and the
+        <a class="indexterm" name="id292614"></a>encrypted passwords parameter.</p><p><a name="SECURITYEQUALSADS"></a><span class="emphasis"><em>SECURITY = ADS</em></span></p><p>In this mode, Samba will act as a domain member in an ADS realm. To operate
                 in this mode, the machine running Samba will need to have Kerberos installed
                 and configured and Samba will need to be joined to the ADS realm using the
 …
 </p><p>Example: <span class="emphasis"><em><em class="parameter"><code>security</code></em> = DOMAIN
 </em></span>
+</p></dd><dt><span class="term"><a name="SECURITYMASK"></a>security mask (S)</span></dt><dd><p>
+        This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating the
+        UNIX permission on a file using the native NT security dialog box.
+        </p><p>
+        This parameter is applied as a mask (AND'ed with) to the changed permission bits, thus preventing any bits not
+        in this mask from being modified.  Make sure not to mix up this parameter with <a class="indexterm" name="id292695"></a>force  security mode, which works in a manner similar to this one but uses a logical OR instead of an AND.
+        </p><p>
+        Essentially, zero bits in this mask may be treated as a set of bits the user is not allowed to change.
+        </p><p>
+        If not set explicitly this parameter is 0777, allowing a user to modify all the user/group/world permissions on a file.
+    </p><p><span class="emphasis"><em>
+        Note</em></span> that users who can access the Samba server through other means can easily bypass this
+    restriction, so it is primarily useful for standalone "appliance" systems.  Administrators of
+        most normal systems will probably want to leave it set to <code class="constant">0777</code>.
+        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>security mask</code></em> = 0777
+</em></span>
+</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>security mask</code></em> = 0770
+</em></span>
 </p></dd><dt><span class="term"><a name="SERVERSCHANNEL"></a>server schannel (G)</span></dt><dd><p>
         This controls whether the server offers or even demands the use of the netlogon schannel.
         <a class="indexterm" name="id292762"></a>server schannel = no does not offer the schannel, <a class="indexterm" name="id292770"></a>server schannel = auto offers the schannel but does not enforce it, and <a class="indexterm" name="id292777"></a>server schannel = yes denies access if the client is not able to speak netlogon schannel.
+        <a class="indexterm" name="id292768"></a>server schannel = no does not offer the schannel, <a class="indexterm" name="id292776"></a>server schannel = auto offers the schannel but does not enforce it, and <a class="indexterm" name="id292783"></a>server schannel = yes denies access if the client is not able to speak netlogon schannel.
         This is only the case for Windows NT4 before SP4.
         </p><p>
 …
         they are simulated using shared memory, or lock files if your
         UNIX doesn't support shared memory (almost all do).</p><p>The share modes that are enabled by this option are
         <code class="constant">DENY_DOS</code>, <code class="constant">DENY_ALL</code>,
+         <code class="constant">DENY_DOS</code>, <code class="constant">DENY_ALL</code>,
         <code class="constant">DENY_READ</code>, <code class="constant">DENY_WRITE</code>,
         <code class="constant">DENY_NONE</code> and <code class="constant">DENY_FCB</code>.
 …
 </p></dd><dt><span class="term"><a name="SHORTPRESERVECASE"></a>short preserve case (S)</span></dt><dd><p>
         This boolean parameter controls if new files which conform to 8.3 syntax, that is all in upper case and of
         suitable length, are created upper case, or if they are forced to be the <a class="indexterm" name="id293312"></a>default case.
         This  option can be use with <a class="indexterm" name="id293319"></a>preserve case = yes to permit long filenames
+        suitable length, are created upper case, or if they are forced to be the <a class="indexterm" name="id293318"></a>default case.
+        This  option can be use with <a class="indexterm" name="id293325"></a>preserve case = yes to permit long filenames
         to retain their case, while short names are lowered.
         </p><p>See the section on <a href="#NAMEMANGLINGSECT" title="NAME MANGLING">NAME MANGLING</a>.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>short preserve case</code></em> = yes
 …
 </em></span>
 </p></dd><dt><span class="term"><a name="SHUTDOWNSCRIPT"></a>shutdown script (G)</span></dt><dd><p>This a full path name to a script called by
         <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> that should
+         <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> that should
         start a shutdown procedure.</p><p>If the connected user posseses the <code class="constant">SeRemoteShutdownPrivilege</code>,
         right, this command will be run as user.</p><p>The %z %t %r %f variables are expanded as follows:</p><div class="itemizedlist"><ul type="disc"><li><p><em class="parameter"><code>%z</code></em> will be substituted with the
 …
         If this parameter is set Samba attempts to first read DOS attributes (SYSTEM, HIDDEN, ARCHIVE or
         READ-ONLY) from a filesystem extended attribute, before mapping DOS attributes to UNIX permission bits (such
         as occurs with <a class="indexterm" name="id293921"></a>map hidden and <a class="indexterm" name="id293928"></a>map readonly).  When set, DOS
+        as occurs with <a class="indexterm" name="id293927"></a>map hidden and <a class="indexterm" name="id293934"></a>map readonly).  When set, DOS
         attributes will be stored onto an extended attribute in the UNIX filesystem, associated with the file or
         directory.  For no other mapping to occur as a fall-back, the parameters <a class="indexterm" name="id293937"></a>map hidden,
         <a class="indexterm" name="id293944"></a>map system, <a class="indexterm" name="id293951"></a>map archive and <a class="indexterm" name="id293958"></a>map  readonly must be set to off.  This parameter writes the DOS attributes as a string into the extended
+        directory.  For no other mapping to occur as a fall-back, the parameters <a class="indexterm" name="id293943"></a>map hidden,
+        <a class="indexterm" name="id293950"></a>map system, <a class="indexterm" name="id293957"></a>map archive and <a class="indexterm" name="id293964"></a>map  readonly must be set to off.  This parameter writes the DOS attributes as a string into the extended
         attribute named "user.DOSATTRIB". This extended attribute is explicitly hidden from smbd clients requesting an
         EA list. On Linux the filesystem must have been mounted with the mount option user_xattr in order for
 …
         </p><p>
         Well-behaved clients always ask for lock checks when it is important.  So in the vast majority of cases,
         <span><strong class="command">strict locking = Auto</strong></span> or
         <span><strong class="command">strict locking = no</strong></span> is acceptable.
+         <span><strong class="command">strict locking = Auto</strong></span> or
+         <span><strong class="command">strict locking = no</strong></span> is acceptable.
         </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>strict locking</code></em> = Auto
 </em></span>
 …
     any affect.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>sync always</code></em> = no
 </em></span>
-</p></dd><dt><span class="term"><a name="SYSLOGONLY"></a>syslog only (G)</span></dt><dd><p>
-    If this parameter is set then Samba debug messages are logged into the system
-    syslog only, and not to the debug log files.
-    </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>syslog only</code></em> = no
-</em></span>
 </p></dd><dt><span class="term"><a name="SYSLOG"></a>syslog (G)</span></dt><dd><p>
     This parameter maps how Samba debug messages are logged onto the system syslog logging levels.
 …
     </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>syslog</code></em> = 1
 </em></span>
+</p></dd><dt><span class="term"><a name="SYSLOGONLY"></a>syslog only (G)</span></dt><dd><p>
+    If this parameter is set then Samba debug messages are logged into the system
+    syslog only, and not to the debug log files.
+    </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>syslog only</code></em> = no
+</em></span>
 </p></dd><dt><span class="term"><a name="TEMPLATEHOMEDIR"></a>template homedir (G)</span></dt><dd><p>When filling out the user information for a Windows NT
         user, the <a href="winbindd.8.html"><span class="citerefentry"><span class="refentrytitle">winbindd</span>(8)</span></a> daemon  uses this
 …
         in the smbpasswd file this parameter should be set to <code class="constant">no</code>.
         </p><p>
         In order for this parameter to be operative the <a class="indexterm" name="id294717"></a>encrypt passwords parameter must
     be set to <code class="constant">no</code>. The default value of <a class="indexterm" name="id294728"></a>encrypt  passwords = Yes. Note: This must be set to <code class="constant">no</code> for this <a class="indexterm" name="id294739"></a>update encrypted to work.
+        In order for this parameter to be operative the <a class="indexterm" name="id294723"></a>encrypt passwords parameter must
+    be set to <code class="constant">no</code>. The default value of <a class="indexterm" name="id294734"></a>encrypt  passwords = Yes. Note: This must be set to <code class="constant">no</code> for this <a class="indexterm" name="id294745"></a>update encrypted to work.
         </p><p>
         Note that even when this parameter is set a user authenticating to <span><strong class="command">smbd</strong></span>
 …
     </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>use mmap</code></em> = yes
 </em></span>
+</p></dd><dt><span class="term"><a name="USER"></a>user</span></dt><dd><p>This parameter is a synonym for username.</p></dd><dt><span class="term"><a name="USERS"></a>users</span></dt><dd><p>This parameter is a synonym for username.</p></dd><dt><span class="term"><a name="USERNAME"></a>username (S)</span></dt><dd><p>Multiple users may be specified in a comma-delimited
+    list, in which case the supplied password will be tested against
+    each username in turn (left to right).</p><p>The <em class="parameter"><code>username</code></em> line is needed only when
+    the PC is unable to supply its own username. This is the case
+    for the COREPLUS protocol or where your users have different WfWg
+    usernames to UNIX usernames. In both these cases you may also be
+    better using the \\server\share%user syntax instead.</p><p>The <em class="parameter"><code>username</code></em> line is not a great
+    solution in many cases as it means Samba will try to validate
+    the supplied password against each of the usernames in the
+    <em class="parameter"><code>username</code></em> line in turn. This is slow and
+    a bad idea for lots of users in case of duplicate passwords.
+    You may get timeouts or security breaches using this parameter
+    unwisely.</p><p>Samba relies on the underlying UNIX security. This
+    parameter does not restrict who can login, it just offers hints
+    to the Samba server as to what usernames might correspond to the
+    supplied password. Users can login as whoever they please and
+    they will be able to do no more damage than if they started a
+    telnet session. The daemon runs as the user that they log in as,
+    so they cannot do anything that user cannot do.</p><p>To restrict a service to a particular set of users you
+    can use the <a class="indexterm" name="id295039"></a>valid users parameter.</p><p>If any of the usernames begin with a '@' then the name
+    will be looked up first in the NIS netgroups list (if Samba
+    is compiled with netgroup support), followed by a lookup in
+    the UNIX groups database and will expand to a list of all users
+    in the group of that name.</p><p>If any of the usernames begin with a '+' then the name
+    will be looked up only in the UNIX groups database and will
+    expand to a list of all users in the group of that name.</p><p>If any of the usernames begin with a '&amp;' then the name
+    will be looked up only in the NIS netgroups database (if Samba
+    is compiled with netgroup support) and will expand to a list
+    of all users in the netgroup group of that name.</p><p>Note that searching though a groups database can take
+    quite some time, and some clients may time out during the
+    search.</p><p>See the section <a href="#VALIDATIONSECT" title="NOTE ABOUT USERNAME/PASSWORD VALIDATION">NOTE ABOUT
+        USERNAME/PASSWORD VALIDATION</a> for more information on how
+        this parameter determines access to the services.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>username</code></em> =
+# The guest account if a guest service,
+                else &lt;empty string&gt;.
+</em></span>
+</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>username</code></em> = fred, mary, jack, jane, @users, @pcgroup
+</em></span>
 </p></dd><dt><span class="term"><a name="USERNAMELEVEL"></a>username level (G)</span></dt><dd><p>This option helps Samba to try and 'guess' at
     the real UNIX username, as many DOS clients send an all-uppercase
 …
 </p><p>Example: <span class="emphasis"><em><em class="parameter"><code>username level</code></em> = 5
 </em></span>
-</p></dd><dt><span class="term"><a name="USERNAMEMAPSCRIPT"></a>username map script (G)</span></dt><dd><p>This script is a mutually exclusive alternative to the
-        <a class="indexterm" name="id295014"></a>username map parameter.  This parameter
-        specifies and external program or script that must accept a single
-        command line option (the username transmitted in the authentication
-        request) and return a line line on standard output (the name to which
-        the account should mapped).  In this way, it is possible to store
-        username map tables in an LDAP or NIS directory services.
-        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>username map script</code></em> =
-</em></span>
-</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>username map script</code></em> = /etc/samba/scripts/mapusers.sh
-</em></span>
 </p></dd><dt><span class="term"><a name="USERNAMEMAP"></a>username map (G)</span></dt><dd><p>
         This option allows you to specify a file containing a mapping of usernames from the clients to the server.
 …
         <code class="constant">fred</code> is remapped to <code class="constant">mary</code> then you will actually be connecting to
         \\server\mary and will need to supply a password suitable for <code class="constant">mary</code> not
         <code class="constant">fred</code>. The only exception to this is the username passed to the <a class="indexterm" name="id295207"></a>password server (if you have one). The password server will receive whatever username the client
+        <code class="constant">fred</code>. The only exception to this is the username passed to the <a class="indexterm" name="id295325"></a>password server (if you have one). The password server will receive whatever username the client
         supplies without  modification.
     </p><p>
 …
 # no username map
 </em></span>
+</p></dd><dt><span class="term"><a name="USER"></a>user</span></dt><dd><p>This parameter is a synonym for username.</p></dd><dt><span class="term"><a name="USERS"></a>users</span></dt><dd><p>This parameter is a synonym for username.</p></dd><dt><span class="term"><a name="USERNAME"></a>username (S)</span></dt><dd><p>Multiple users may be specified in a comma-delimited
+    list, in which case the supplied password will be tested against
+    each username in turn (left to right).</p><p>The <em class="parameter"><code>username</code></em> line is needed only when
+    the PC is unable to supply its own username. This is the case
+    for the COREPLUS protocol or where your users have different WfWg
+    usernames to UNIX usernames. In both these cases you may also be
+    better using the \\server\share%user syntax instead.</p><p>The <em class="parameter"><code>username</code></em> line is not a great
+    solution in many cases as it means Samba will try to validate
+    the supplied password against each of the usernames in the
+    <em class="parameter"><code>username</code></em> line in turn. This is slow and
+    a bad idea for lots of users in case of duplicate passwords.
+    You may get timeouts or security breaches using this parameter
+    unwisely.</p><p>Samba relies on the underlying UNIX security. This
+    parameter does not restrict who can login, it just offers hints
+    to the Samba server as to what usernames might correspond to the
+    supplied password. Users can login as whoever they please and
+    they will be able to do no more damage than if they started a
+    telnet session. The daemon runs as the user that they log in as,
+    so they cannot do anything that user cannot do.</p><p>To restrict a service to a particular set of users you
+    can use the <a class="indexterm" name="id295368"></a>valid users parameter.</p><p>If any of the usernames begin with a '@' then the name
+    will be looked up first in the NIS netgroups list (if Samba
+    is compiled with netgroup support), followed by a lookup in
+    the UNIX groups database and will expand to a list of all users
+    in the group of that name.</p><p>If any of the usernames begin with a '+' then the name
+    will be looked up only in the UNIX groups database and will
+    expand to a list of all users in the group of that name.</p><p>If any of the usernames begin with a '&amp;' then the name
+    will be looked up only in the NIS netgroups database (if Samba
+    is compiled with netgroup support) and will expand to a list
+    of all users in the netgroup group of that name.</p><p>Note that searching though a groups database can take
+    quite some time, and some clients may time out during the
+    search.</p><p>See the section <a href="#VALIDATIONSECT" title="NOTE ABOUT USERNAME/PASSWORD VALIDATION">NOTE ABOUT
+        USERNAME/PASSWORD VALIDATION</a> for more information on how
+        this parameter determines access to the services.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>username</code></em> =
+# The guest account if a guest service,
+                else &lt;empty string&gt;.
+</em></span>
+</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>username</code></em> = fred, mary, jack, jane, @users, @pcgroup
+</p></dd><dt><span class="term"><a name="USERNAMEMAPSCRIPT"></a>username map script (G)</span></dt><dd><p>This script is a mutually exclusive alternative to the
+        <a class="indexterm" name="id295402"></a>username map parameter.  This parameter
+        specifies and external program or script that must accept a single
+        command line option (the username transmitted in the authentication
+        request) and return a line line on standard output (the name to which
+        the account should mapped).  In this way, it is possible to store
+        username map tables in an LDAP or NIS directory services.
+        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>username map script</code></em> =
+</em></span>
+</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>username map script</code></em> = /etc/samba/scripts/mapusers.sh
 </em></span>
 </p></dd><dt><span class="term"><a name="USERSHAREALLOWGUESTS"></a>usershare allow guests (G)</span></dt><dd><p>This parameter controls whether user defined shares are allowed
 …
         disabled.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>use spnego</code></em> = yes
 </em></span>
+</p></dd><dt><span class="term"><a name="UTMP"></a>utmp (G)</span></dt><dd><p>
+        This boolean parameter is only available if Samba has been configured and compiled
+        with the option <span><strong class="command">--with-utmp</strong></span>. If set to
+         <code class="constant">yes</code> then Samba will attempt to add utmp or utmpx records
+        (depending on the UNIX system) whenever a connection is made to a Samba server.
+        Sites may use this to record the user connecting to a Samba share.
+        </p><p>
+        Due to the requirements of the utmp record, we  are required to create a unique
+        identifier for the incoming user.  Enabling this option creates an n^2  algorithm
+        to find this number.  This may impede performance on large installations.
+        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>utmp</code></em> = no
+</em></span>
 </p></dd><dt><span class="term"><a name="UTMPDIRECTORY"></a>utmp directory (G)</span></dt><dd><p>This parameter is only available if Samba has
         been configured and compiled with the option <span><strong class="command">
 …
 </p><p>Example: <span class="emphasis"><em><em class="parameter"><code>utmp directory</code></em> = /var/run/utmp
 </em></span>
+</p></dd><dt><span class="term"><a name="UTMP"></a>utmp (G)</span></dt><dd><p>
+        This boolean parameter is only available if Samba has been configured and compiled
+        with the option <span><strong class="command">--with-utmp</strong></span>. If set to
+        <code class="constant">yes</code> then Samba will attempt to add utmp or utmpx records
+        (depending on the UNIX system) whenever a connection is made to a Samba server.
+        Sites may use this to record the user connecting to a Samba share.
+        </p><p>
+        Due to the requirements of the utmp record, we  are required to create a unique
+        identifier for the incoming user.  Enabling this option creates an n^2  algorithm
+        to find this number.  This may impede performance on large installations.
+        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>utmp</code></em> = no
+</p></dd><dt><span class="term"><a name="-VALID"></a>-valid (S)</span></dt><dd><p> This parameter indicates whether a share is
+        valid and thus can be used. When this parameter is set to false,
+        the share will be in no way visible nor accessible.
+        </p><p>
+        This option should not be
+        used by regular users but might be of help to developers.
+        Samba uses this option internally to mark shares as deleted.
+        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>-valid</code></em> = yes
 </em></span>
 </p></dd><dt><span class="term"><a name="VALIDUSERS"></a>valid users (S)</span></dt><dd><p>
 …
 </p><p>Example: <span class="emphasis"><em><em class="parameter"><code>valid users</code></em> = greg, @pcusers
 </em></span>
-</p></dd><dt><span class="term"><a name="-VALID"></a>-valid (S)</span></dt><dd><p> This parameter indicates whether a share is
-        valid and thus can be used. When this parameter is set to false,
-        the share will be in no way visible nor accessible.
-        </p><p>
-        This option should not be
-        used by regular users but might be of help to developers.
-        Samba uses this option internally to mark shares as deleted.
-        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>-valid</code></em> = yes
-</em></span>
 </p></dd><dt><span class="term"><a name="VETOFILES"></a>veto files (S)</span></dt><dd><p>
         This is a list of files and directories that are neither visible nor accessible.  Each entry in
 …
         unix directory  separator '/'.
         </p><p>
         Note that the <a class="indexterm" name="id296109"></a>case sensitive option is applicable in vetoing files.
+        Note that the <a class="indexterm" name="id296108"></a>case sensitive option is applicable in vetoing files.
         </p><p>
         One feature of the veto files parameter that it is important to be aware of is Samba's behaviour when
         trying to delete a directory. If a directory that is to be deleted contains nothing but veto files this
         deletion will <span class="emphasis"><em>fail</em></span> unless you also set the <a class="indexterm" name="id296126"></a>delete veto files
+        deletion will <span class="emphasis"><em>fail</em></span> unless you also set the <a class="indexterm" name="id296124"></a>delete veto files
         parameter to <em class="parameter"><code>yes</code></em>.
         </p><p>
 …
 </em></span>
 </p></dd><dt><span class="term"><a name="VETOOPLOCKFILES"></a>veto oplock files (S)</span></dt><dd><p>
         This parameter is only valid when the <a class="indexterm" name="id296189"></a>oplocks
+        This parameter is only valid when the <a class="indexterm" name="id296187"></a>oplocks
         parameter is turned on for a share. It allows the Samba administrator
         to selectively turn off the granting of oplocks on selected files that
         match a wildcarded list, similar to the wildcarded list used in the
         <a class="indexterm" name="id296197"></a>veto files parameter.
+        <a class="indexterm" name="id296196"></a>veto files parameter.
         </p><p>
         You might want to do this on files that you know will be heavily contended
 …
         again.</p><p>
         This does not apply to authentication requests, these are always
         evaluated in real time unless the <a class="indexterm" name="id296416"></a>winbind   offline logon option has been enabled.
+        evaluated in real time unless the <a class="indexterm" name="id296414"></a>winbind   offline logon option has been enabled.
         </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>winbind cache time</code></em> = 300
 </em></span>
 …
 </p></dd><dt><span class="term"><a name="WINBINDENUMUSERS"></a>winbind enum users (G)</span></dt><dd><p>On large installations using <a href="winbindd.8.html"><span class="citerefentry"><span class="refentrytitle">winbindd</span>(8)</span></a> it may be
         necessary to suppress the enumeration of users through the <span><strong class="command">setpwent()</strong></span>,
         <span><strong class="command">getpwent()</strong></span> and
         <span><strong class="command">endpwent()</strong></span> group of system calls.  If
+         <span><strong class="command">getpwent()</strong></span> and
+         <span><strong class="command">endpwent()</strong></span> group of system calls.  If
         the <em class="parameter"><code>winbind enum users</code></em> parameter is
         <code class="constant">no</code>, calls to the <span><strong class="command">getpwent</strong></span> system call
+         <code class="constant">no</code>, calls to the <span><strong class="command">getpwent</strong></span> system call
         will not return any data. </p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>Turning off user
         enumeration may cause some programs to behave oddly.  For
 …
         </p><p>
         This parameter is not deprecated in favor of the newer idmap_nss backend.
         Refer to the <a class="indexterm" name="id296986"></a>idmap domains smb.conf option and
+        Refer to the <a class="indexterm" name="id296984"></a>idmap domains smb.conf option and
         the <a href="idmap_nss.8.html"><span class="citerefentry"><span class="refentrytitle">idmap_nss</span>(8)</span></a> man page for more information.
         </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>winbind trusted domains only</code></em> = no
 </em></span>
 </p></dd><dt><span class="term"><a name="WINBINDUSEDEFAULTDOMAIN"></a>winbind use default domain (G)</span></dt><dd><p>This parameter specifies whether the
         <a href="winbindd.8.html"><span class="citerefentry"><span class="refentrytitle">winbindd</span>(8)</span></a> daemon should operate on users
+         <a href="winbindd.8.html"><span class="citerefentry"><span class="refentrytitle">winbindd</span>(8)</span></a> daemon should operate on users
         without domain component in their username. Users without a domain
         component are treated as is part of the winbindd server's own
 …
         appear to be in when queried by clients. Note that this parameter
         also controls the Domain name used with
         the <a class="indexterm" name="id297376"></a>security = domain
+        the <a class="indexterm" name="id297374"></a>security = domain
                 setting.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>workgroup</code></em> = WORKGROUP
 </em></span>
 </p><p>Example: <span class="emphasis"><em><em class="parameter"><code>workgroup</code></em> = MYGROUP
 </em></span>
 </p></dd><dt><span class="term"><a name="WRITABLE"></a>writable</span></dt><dd><p>This parameter is a synonym for writeable.</p></dd><dt><span class="term"><a name="WRITEABLE"></a>writeable (S)</span></dt><dd><p>Inverted synonym for <a class="indexterm" name="id297449"></a>read only.</p><p><span class="emphasis"><em>No default</em></span></p></dd><dt><span class="term"><a name="WRITECACHESIZE"></a>write cache size (S)</span></dt><dd><p>If this integer parameter is set to non-zero value,
+</p></dd><dt><span class="term"><a name="WRITABLE"></a>writable</span></dt><dd><p>This parameter is a synonym for writeable.</p></dd><dt><span class="term"><a name="WRITEABLE"></a>writeable (S)</span></dt><dd><p>Inverted synonym for <a class="indexterm" name="id297447"></a>read only.</p><p><span class="emphasis"><em>No default</em></span></p></dd><dt><span class="term"><a name="WRITECACHESIZE"></a>write cache size (S)</span></dt><dd><p>If this integer parameter is set to non-zero value,
     Samba will create an in-memory cache for each oplocked file
     (it does <span class="emphasis"><em>not</em></span> do this for
 …
     This is a list of users that are given read-write access to a service. If the
     connecting user is in this list then they will be given write access, no matter
     what the <a class="indexterm" name="id297549"></a>read only option is set to. The list can
+    what the <a class="indexterm" name="id297544"></a>read only option is set to. The list can
     include group names using the @group syntax.
     </p><p>
 …
     </p><p>
     By design, this parameter will not work with the
     <a class="indexterm" name="id297565"></a>security = share in Samba 3.0.
+    <a class="indexterm" name="id297560"></a>security = share in Samba 3.0.
     </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>write list</code></em> =
 </em></span>
 …
 </p><p>Example: <span class="emphasis"><em><em class="parameter"><code>wtmp directory</code></em> = /var/log/wtmp
 </em></span>
 </p></dd></dl></div></div><div class="refsect1" lang="en"><a name="id297698"></a><h2>WARNINGS</h2><p>
+</p></dd></dl></div></div><div class="refsect1" lang="en"><a name="id297693"></a><h2>WARNINGS</h2><p>
         Although the configuration file permits service names to contain spaces, your client software may not.
         Spaces will be ignored in comparisons anyway, so it shouldn't be a problem - but be aware of the possibility.
 …
         care when designing these sections. In particular, ensure that the permissions on spool directories are
         correct.
         </p></div><div class="refsect1" lang="en"><a name="id297741"></a><h2>VERSION</h2><p>This man page is correct for version 3.0 of the Samba suite.</p></div><div class="refsect1" lang="en"><a name="id297752"></a><h2>SEE ALSO</h2><p>
         <a href="samba.7.html"><span class="citerefentry"><span class="refentrytitle">samba</span>(7)</span></a>, <a href="smbpasswd.8.html"><span class="citerefentry"><span class="refentrytitle">smbpasswd</span>(8)</span></a>, <a href="swat.8.html"><span class="citerefentry"><span class="refentrytitle">swat</span>(8)</span></a>, <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a>, <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a>, <a href="smbclient.1.html"><span class="citerefentry"><span class="refentrytitle">smbclient</span>(1)</span></a>, <a href="nmblookup.1.html"><span class="citerefentry"><span class="refentrytitle">nmblookup</span>(1)</span></a>, <a href="testparm.1.html"><span class="citerefentry"><span class="refentrytitle">testparm</span>(1)</span></a>, <a href="testprns.1.html"><span class="citerefentry"><span class="refentrytitle">testprns</span>(1)</span></a>.</p></div><div class="refsect1" lang="en"><a name="id297831"></a><h2>AUTHOR</h2><p>
+        </p></div><div class="refsect1" lang="en"><a name="id297736"></a><h2>VERSION</h2><p>This man page is correct for version 3.0 of the Samba suite.</p></div><div class="refsect1" lang="en"><a name="id297747"></a><h2>SEE ALSO</h2><p>
+        <a href="samba.7.html"><span class="citerefentry"><span class="refentrytitle">samba</span>(7)</span></a>, <a href="smbpasswd.8.html"><span class="citerefentry"><span class="refentrytitle">smbpasswd</span>(8)</span></a>, <a href="swat.8.html"><span class="citerefentry"><span class="refentrytitle">swat</span>(8)</span></a>, <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a>, <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a>, <a href="smbclient.1.html"><span class="citerefentry"><span class="refentrytitle">smbclient</span>(1)</span></a>, <a href="nmblookup.1.html"><span class="citerefentry"><span class="refentrytitle">nmblookup</span>(1)</span></a>, <a href="testparm.1.html"><span class="citerefentry"><span class="refentrytitle">testparm</span>(1)</span></a>, <a href="testprns.1.html"><span class="citerefentry"><span class="refentrytitle">testprns</span>(1)</span></a>.</p></div><div class="refsect1" lang="en"><a name="id297826"></a><h2>AUTHOR</h2><p>
         The original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed
         by the Samba Team as an Open Source project similar to the way the Linux kernel is developed.

Note: See TracChangeset for help on using the changeset viewer.