Timestamp:
Apr 25, 2007, 9:44:55 AM (14 years ago)
Author:
Paul Smedley
Message:

Code updated to Samba 3.0.25rc2 level

File:
1 edited

  • trunk/samba/docs/htmldocs/manpages/smb.conf.5.html

    r26 r30  
    11<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>smb.conf</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.68.1"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"><a name="smb.conf.5"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>smb.conf &#8212; The configuration file for the Samba suite</p></div><div class="refsect1" lang="en"><a name="id263106"></a><h2>SYNOPSIS</h2><p>
    22        The <code class="filename">smb.conf</code> file is a configuration  file for the Samba suite. <code class="filename">smb.conf</code> contains  runtime configuration information for the Samba programs. The
    3         <code class="filename">smb.conf</code> file is designed to be configured and administered by the
    4         <a href="swat.8.html"><span class="citerefentry"><span class="refentrytitle">swat</span>(8)</span></a> program. The
     3         <code class="filename">smb.conf</code> file is designed to be configured and administered by the
     4         <a href="swat.8.html"><span class="citerefentry"><span class="refentrytitle">swat</span>(8)</span></a> program. The
    55        complete description of the file format and possible parameters held within are here for reference purposes.
    66        </p></div><div class="refsect1" lang="en"><a name="FILEFORMATSECT"></a><h2>FILE FORMAT</h2><p>
     
    3333        </p><p>
    3434        There are three special sections, [global], [homes] and [printers], which are described under
    35         <span class="emphasis"><em>special sections</em></span>. The following notes apply to ordinary section descriptions.
     35         <span class="emphasis"><em>special sections</em></span>. The following notes apply to ordinary section descriptions.
    3636        </p><p>
    3737        A share consists of a directory to which access is being given plus a description of the access rights
     
    339339        In a POSIX filesystem, only the owner of a file or directory and the superuser can modify the permissions
    340340        and ACLs on a file. If this parameter is set, then Samba overrides this restriction, and also allows the
    341         <span class="emphasis"><em>primary group owner</em></span> of a file or directory to modify the permissions and ACLs
     341         <span class="emphasis"><em>primary group owner</em></span> of a file or directory to modify the permissions and ACLs
    342342        on that file.
    343343        </p><p>
     
    381381</p></dd><dt><span class="term"><a name="ADDMACHINESCRIPT"></a>add machine script (G)</span></dt><dd><p>
    382382        This is the full pathname to a script that will  be run by
    383         <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> when a machine is
     383         <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> when a machine is
    384384        added to Samba's domain and a Unix account matching the machine's name appended with a "$" does not
    385385        already exist.
     
    468468        user database creating these users and keeping the user list in sync with the Windows
    469469        NT PDC is an onerous task. This option allows smbd to create the required UNIX users
    470         <span class="emphasis"><em>ON DEMAND</em></span> when a user accesses the Samba server.
     470         <span class="emphasis"><em>ON DEMAND</em></span> when a user accesses the Samba server.
    471471        </p><p>
    472472        In order to use this option, <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> must <span class="emphasis"><em>NOT</em></span> be set to
     
    561561</p></dd><dt><span class="term"><a name="ALLOWTRUSTEDDOMAINS"></a>allow trusted domains (G)</span></dt><dd><p>
    562562    This option only takes effect when the <a class="indexterm" name="id274224"></a>security option is set to
    563     <code class="constant">server</code>,<code class="constant">domain</code> or <code class="constant">ads</code>. 
     563    <code class="constant">server</code>, <code class="constant">domain</code> or <code class="constant">ads</code>. 
    564564    If it is set to no, then attempts to connect to a resource from
    565565    a domain or workgroup other than the one which smbd is running
     
    627627        reading broadcast messages.  If this option is not set then <span><strong class="command">nmbd</strong></span> will
    628628        service name requests on all of these sockets. If <a class="indexterm" name="id274569"></a>bind interfaces only is set then
    629         <span><strong class="command">nmbd</strong></span> will check the source address of any packets coming in on the
     629         <span><strong class="command">nmbd</strong></span> will check the source address of any packets coming in on the
    630630        broadcast sockets and discard any that don't match the broadcast addresses of the interfaces in the
    631         <a class="indexterm" name="id274583"></a>interfaces parameter list.  As unicast packets are received on the other sockets it
     631        <a class="indexterm" name="id274584"></a>interfaces parameter list.  As unicast packets are received on the other sockets it
    632632        allows <span><strong class="command">nmbd</strong></span> to refuse to serve names to machines that send packets that
    633633        arrive through any interfaces not listed in the <a class="indexterm" name="id274598"></a>interfaces list.  IP Source address
    634634        spoofing does defeat this simple check, however, so it must not be used seriously as a security feature for
    635         <span><strong class="command">nmbd</strong></span>.
     635         <span><strong class="command">nmbd</strong></span>.
    636636        </p><p>
    637637        For file service it causes <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> to bind only to the interface list given in the <a class="indexterm" name="id274624"></a>interfaces parameter. This restricts the networks that <span><strong class="command">smbd</strong></span> will
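Review bot: the changed lines in this hunk (629, 631, 635) differ only in leading whitespace and in one generated anchor name (id274583 becomes id274584), so the documented behaviour of bind interfaces only, including the caveat that source address spoofing defeats the nmbd check, is untouched. This file is DocBook XSL output and the ids shift on every regeneration; either say in the commit message that the HTML was regenerated, or stop tracking the generated HTML so that real text changes to security-relevant parameters are not buried in id churn.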
     
    641641        </p><p>
    642642        If <a class="indexterm" name="id274642"></a>bind interfaces only is set then unless the network address
    643         <span class="emphasis"><em>127.0.0.1</em></span> is added to the <a class="indexterm" name="id274654"></a>interfaces parameter list
    644         <a href="smbpasswd.8.html"><span class="citerefentry"><span class="refentrytitle">smbpasswd</span>(8)</span></a> and
    645         <a href="swat.8.html"><span class="citerefentry"><span class="refentrytitle">swat</span>(8)</span></a> may not work as
     643         <span class="emphasis"><em>127.0.0.1</em></span> is added to the <a class="indexterm" name="id274654"></a>interfaces parameter list
     644         <a href="smbpasswd.8.html"><span class="citerefentry"><span class="refentrytitle">smbpasswd</span>(8)</span></a> and
     645         <a href="swat.8.html"><span class="citerefentry"><span class="refentrytitle">swat</span>(8)</span></a> may not work as
    646646        expected due to the reasons covered below.
    647647        </p><p>
    648648        To change a users SMB password, the <span><strong class="command">smbpasswd</strong></span> by default connects to the
    649         <span class="emphasis"><em>localhost - 127.0.0.1</em></span> address as an SMB client to issue the password change request. If
     649         <span class="emphasis"><em>localhost - 127.0.0.1</em></span> address as an SMB client to issue the password change request. If
    650650        <a class="indexterm" name="id274691"></a>bind interfaces only is set then unless the network address
    651         <span class="emphasis"><em>127.0.0.1</em></span> is added to the <a class="indexterm" name="id274702"></a>interfaces parameter list then <span><strong class="command"> smbpasswd</strong></span> will fail to connect in it's default mode.  <span><strong class="command">smbpasswd</strong></span> can be forced to use the primary IP interface of the local host by using
     651         <span class="emphasis"><em>127.0.0.1</em></span> is added to the <a class="indexterm" name="id274702"></a>interfaces parameter list then <span><strong class="command"> smbpasswd</strong></span> will fail to connect in it's default mode.  <span><strong class="command">smbpasswd</strong></span> can be forced to use the primary IP interface of the local host by using
    652652        its <a href="smbpasswd.8.html"><span class="citerefentry"><span class="refentrytitle">smbpasswd</span>(8)</span></a>    <em class="parameter"><code>-r <em class="replaceable"><code>remote machine</code></em></code></em> parameter, with <em class="replaceable"><code>remote
    653653        machine</code></em> set to the IP name of the primary interface of the local host.
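Review bot: line 651 is rewritten here but keeps two defects: "fail to connect in it's default mode" should read "its default mode", and the command markup has a stray leading space in <strong class="command"> smbpasswd</strong>. Context line 648 also has "a users SMB password" where "a user's" is meant. Since the line is being touched anyway, fix these in the DocBook source so the next regeneration carries them.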
     
    965965        parameter is not given, attempting to connect to a nonexistent
    966966        service results in an error.</p><p>
    967         Typically the default service would be a <a class="indexterm" name="id276708"></a>guest ok, <a class="indexterm" name="id276716"></a>read-only service.</p><p>Also note that the apparent service name will be changed to equal
     967        Typically the default service would be a <a class="indexterm" name="id276709"></a>guest ok, <a class="indexterm" name="id276716"></a>read-only service.</p><p>Also note that the apparent service name will be changed to equal
    968968        that of the requested service, this is very useful as it allows you to use macros like <em class="parameter"><code>%S</code></em> to make a wildcard service.
    969969        </p><p>Note also that any "_" characters in the name of the service
     
    997997    DeletePrinter() RPC call.</p><p>For a Samba host this means that the printer must be
    998998    physically deleted from underlying printing system.  The
    999     <a class="indexterm" name="id276886"></a>deleteprinter command defines a script to be run which
     999    <a class="indexterm" name="id276887"></a>deleteprinter command defines a script to be run which
    10001000    will perform the necessary operations for removing the printer
    10011001    from the print system and from <code class="filename">smb.conf</code>.
     
    12201220        WAN-wide browse list collation. Setting this option causes <span><strong class="command">nmbd</strong></span> to claim a
    12211221        special domain specific NetBIOS name that identifies it as a domain master browser for its given
    1222         <a class="indexterm" name="id278021"></a>workgroup. Local master browsers in the same <a class="indexterm" name="id278029"></a>workgroup on
     1222        <a class="indexterm" name="id278022"></a>workgroup. Local master browsers in the same <a class="indexterm" name="id278029"></a>workgroup on
    12231223        broadcast-isolated subnets will give this <span><strong class="command">nmbd</strong></span> their local browse lists,
    12241224        and then ask <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> for a
     
    12271227        broadcast-isolated subnet.
    12281228        </p><p>
    1229         Note that Windows NT Primary Domain Controllers expect to be able to claim this <a class="indexterm" name="id278056"></a>workgroup specific special NetBIOS name that identifies them as domain master browsers for that
     1229        Note that Windows NT Primary Domain Controllers expect to be able to claim this <a class="indexterm" name="id278057"></a>workgroup specific special NetBIOS name that identifies them as domain master browsers for that
    12301230        <a class="indexterm" name="id278064"></a>workgroup by default (i.e. there is no way to prevent a Windows NT PDC from attempting
    12311231        to do this). This means that if this parameter is set and <span><strong class="command">nmbd</strong></span> claims the
    1232         special name for a <a class="indexterm" name="id278078"></a>workgroup before a Windows NT PDC is able to do so then cross
     1232        special name for a <a class="indexterm" name="id278079"></a>workgroup before a Windows NT PDC is able to do so then cross
    12331233        subnet browsing will behave strangely and may fail.
    12341234        </p><p>
    12351235        If <a class="indexterm" name="id278090"></a>domain logons = yes, then the default behavior is to enable the
    1236         <a class="indexterm" name="id278097"></a>domain master parameter.  If <a class="indexterm" name="id278104"></a>domain logons is not enabled (the
     1236        <a class="indexterm" name="id278097"></a>domain master parameter.  If <a class="indexterm" name="id278105"></a>domain logons is not enabled (the
    12371237        default setting), then neither will <a class="indexterm" name="id278112"></a>domain master be enabled by default.
    12381238        </p><p>
    12391239        When <a class="indexterm" name="id278123"></a>domain logons = Yes the default setting for this parameter is
    1240         Yes, with the result that Samba will be a PDC. If <a class="indexterm" name="id278130"></a>domain master = No,
     1240        Yes, with the result that Samba will be a PDC. If <a class="indexterm" name="id278131"></a>domain master = No,
    12411241        Samba will function as a BDC. In general, this parameter should be set to 'No' only on a BDC.
    12421242        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>domain master</code></em> = auto
     
    13141314</p></dd><dt><span class="term"><a name="ENABLEPRIVILEGES"></a>enable privileges (G)</span></dt><dd><p>
    13151315        This parameter controls whether or not smbd will honor privileges assigned to specific SIDs via either
    1316         <span><strong class="command">net rpc rights</strong></span> or one of the Windows user and group manager tools.  This parameter is
     1316         <span><strong class="command">net rpc rights</strong></span> or one of the Windows user and group manager tools.  This parameter is
    13171317        enabled by default. It can be disabled to prevent members of the Domain Admins group from being able to
    13181318        assign privileges to users or groups which can then result in certain smbd operations running as root that
     
    17071707</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>hostname lookups</code></em> = yes
    17081708</em></span>
    1709 </p></dd><dt><span class="term"><a name="ALLOWHOSTS"></a>allow hosts</span></dt><dd><p>This parameter is a synonym for hosts allow.</p></dd><dt><span class="term"><a name="HOSTSALLOW"></a>hosts allow (S)</span></dt><dd><p>A synonym for this parameter is <a class="indexterm" name="id280528"></a>allow hosts.</p><p>This parameter is a comma, space, or tab delimited
     1709</p></dd><dt><span class="term"><a name="ALLOWHOSTS"></a>allow hosts</span></dt><dd><p>This parameter is a synonym for hosts allow.</p></dd><dt><span class="term"><a name="HOSTSALLOW"></a>hosts allow (S)</span></dt><dd><p>A synonym for this parameter is <a class="indexterm" name="id280529"></a>allow hosts.</p><p>This parameter is a comma, space, or tab delimited
    17101710    set of hosts which are permitted to access a service.</p><p>If specified in the [global] section then it will
    17111711    apply to all services, regardless of whether the individual
     
    17441744        The idmap alloc backend provides a plugin interface for Winbind to use
    17451745        when allocating Unix uids/gids for Windows SIDs.  This option is
    1746         to be used in conjunction with the <a class="indexterm" name="id280797"></a>idmap domains
     1746        to be used in conjunction with the <a class="indexterm" name="id280798"></a>idmap domains
    17471747        parameter and refers to the name of the idmap module which will provide
    17481748        the id allocation functionality.  Please refer to the man page
     
    19381938    sent. Keepalive packets, if sent, allow the server to tell whether
    19391939    a client is still present and responding.</p><p>Keepalives should, in general, not be needed if the socket
    1940     has the SO_KEEPALIVE attribute set on it by default. (see <a class="indexterm" name="id281919"></a>socket options).
     1940    has the SO_KEEPALIVE attribute set on it by default. (see <a class="indexterm" name="id281920"></a>socket options).
    19411941Basically you should only use this option if you strike difficulties.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>keepalive</code></em> = 300
    19421942</em></span>
     
    19881988</p></dd><dt><span class="term"><a name="LDAPADMINDN"></a>ldap admin dn (G)</span></dt><dd><p>
    19891989        The <a class="indexterm" name="id282202"></a>ldap admin dn defines the Distinguished  Name (DN) name used by Samba to contact
    1990         the ldap server when retreiving  user account information. The <a class="indexterm" name="id282210"></a>ldap admin dn is used
     1990        the ldap server when retreiving  user account information. The <a class="indexterm" name="id282211"></a>ldap admin dn is used
    19911991        in conjunction with the admin dn password stored in the <code class="filename">private/secrets.tdb</code>
    19921992        file.  See the <a href="smbpasswd.8.html"><span class="citerefentry"><span class="refentrytitle">smbpasswd</span>(8)</span></a>
    19931993        man page for more information on how  to accomplish this.
    19941994        </p><p>
    1995         The <a class="indexterm" name="id282236"></a>ldap admin dn requires a fully specified DN. The <a class="indexterm" name="id282243"></a>ldap  suffix is not appended to the <a class="indexterm" name="id282250"></a>ldap admin dn.
     1995        The <a class="indexterm" name="id282236"></a>ldap admin dn requires a fully specified DN. The <a class="indexterm" name="id282243"></a>ldap  suffix is not appended to the <a class="indexterm" name="id282251"></a>ldap admin dn.
    19961996        </p><p><span class="emphasis"><em>No default</em></span></p></dd><dt><span class="term"><a name="LDAPDELETEDN"></a>ldap delete dn (G)</span></dt><dd><p> This parameter specifies whether a delete
    19971997        operation in the ldapsam deletes the complete entry or only the attributes
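Review bot: line 1990 is replaced but still contains the misspelling "retreiving" (should be "retrieving"); only the indexterm id changes (id282210 to id282211). Line 1989 also reads "Distinguished  Name (DN) name", where the trailing "name" is redundant. Both belong in a source fix rather than being carried through a regeneration.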
     
    20012001</p></dd><dt><span class="term"><a name="LDAPGROUPSUFFIX"></a>ldap group suffix (G)</span></dt><dd><p>This parameter specifies the suffix that is
    20022002        used for groups when these are added to the LDAP directory.
    2003         If this parameter is unset, the value of <a class="indexterm" name="id282318"></a>ldap suffix will be used instead.  The suffix string is pre-pended to the
     2003        If this parameter is unset, the value of <a class="indexterm" name="id282319"></a>ldap suffix will be used instead.  The suffix string is pre-pended to the
    20042004        <a class="indexterm" name="id282326"></a>ldap suffix string so use a partial DN.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>ldap group suffix</code></em> =
    20052005</em></span>
     
    20592059        the smb.conf ldap options must be properly configured.
    20602060
    2061         The tipical ldap setup used with the <a class="indexterm" name="id282650"></a>ldapsam:trusted = yes option
     2061        The tipical ldap setup used with the <a class="indexterm" name="id282651"></a>ldapsam:trusted = yes option
    20622062        is usually sufficient to use <a class="indexterm" name="id282658"></a>ldapsam:editposix = yes as well.
    20632063        </p><p>
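Review bot: the replaced line 2061 still says "The tipical ldap setup", which should be "typical"; the change only bumps the anchor id from id282650 to id282651. Correct the spelling in the source for ldapsam:editposix before regenerating.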
     
    21472147        This is <span class="emphasis"><em>NOT</em></span> related to
    21482148        Samba's previous SSL support which was enabled by specifying the
    2149         <span><strong class="command">--with-ssl</strong></span> option to the <code class="filename">configure</code>
     2149         <span><strong class="command">--with-ssl</strong></span> option to the <code class="filename">configure</code>
    21502150        script.</p><p>The <a class="indexterm" name="id282805"></a>ldap ssl can be set to one of three values:</p><div class="itemizedlist"><ul type="disc"><li><p><em class="parameter"><code>Off</code></em> = Never
    21512151                        use SSL when querying the directory.</p></li><li><p><em class="parameter"><code>Start_tls</code></em> = Use
     
    21542154                        on the ldaps port when contacting the <em class="parameter"><code>ldap server</code></em>. Only available when the
    21552155                        backwards-compatiblity <span><strong class="command">--with-ldapsam</strong></span> option is specified
    2156                 to configure. See <a class="indexterm" name="id282861"></a>passdb backend</p></li></ul></div><p>Default: <span class="emphasis"><em><em class="parameter"><code>ldap ssl</code></em> = start_tls
     2156                to configure. See <a class="indexterm" name="id282861"></a>passdb backend</p>.
     2157                </li></ul></div><p>Default: <span class="emphasis"><em><em class="parameter"><code>ldap ssl</code></em> = start_tls
    21572158</em></span>
    21582159</p></dd><dt><span class="term"><a name="LDAPSUFFIX"></a>ldap suffix (G)</span></dt><dd><p>Specifies the base for all ldap suffixes and for storing the sambaDomain object.</p><p>
    2159         The ldap suffix will be appended to the values specified for the <a class="indexterm" name="id282907"></a>ldap user suffix,
    2160         <a class="indexterm" name="id282914"></a>ldap group suffix, <a class="indexterm" name="id282922"></a>ldap machine suffix, and the
    2161         <a class="indexterm" name="id282929"></a>ldap idmap suffix. Each of these should be given only a DN relative to the
    2162         <a class="indexterm" name="id282936"></a>ldap suffix.
     2160        The ldap suffix will be appended to the values specified for the <a class="indexterm" name="id282908"></a>ldap user suffix,
     2161         <a class="indexterm" name="id282915"></a>ldap group suffix, <a class="indexterm" name="id282922"></a>ldap machine suffix, and the
     2162         <a class="indexterm" name="id282929"></a>ldap idmap suffix. Each of these should be given only a DN relative to the
     2163         <a class="indexterm" name="id282937"></a>ldap suffix.
    21632164        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>ldap suffix</code></em> =
    21642165</em></span>
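Review bot: at new line 2156 the full stop is added after the closing tag ("passdb backend</p>."), so it sits as a bare text node inside the <li> and renders on its own line below the paragraph instead of ending the sentence. Move it inside the paragraph ("passdb backend.</p>") in the DocBook source. Context line 2155 also has "backwards-compatiblity", which should be "backwards-compatibility".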
     
    21742175        This parameter specifies where users are added to the tree. If this parameter is unset,
    21752176        the value of <a class="indexterm" name="id283024"></a>ldap suffix will be used instead.  The suffix
    2176         string is pre-pended to the  <a class="indexterm" name="id283031"></a>ldap suffix string so use a partial DN.
     2177        string is pre-pended to the  <a class="indexterm" name="id283032"></a>ldap suffix string so use a partial DN.
    21772178        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>ldap user suffix</code></em> =
    21782179</em></span>
     
    22872288</p></dd><dt><span class="term"><a name="LOGONDRIVE"></a>logon drive (G)</span></dt><dd><p>
    22882289        This parameter specifies the local path to which the home directory will be
    2289         connected (see <a class="indexterm" name="id283789"></a>logon home) and is only used by NT
     2290        connected (see <a class="indexterm" name="id283790"></a>logon home) and is only used by NT
    22902291        Workstations.
    22912292        </p><p>
     
    23122313        This tells Samba to return the above string, with substitutions made when a client requests the info, generally
    23132314        in a NetUserGetInfo request.  Win9X clients truncate the info to \\server\share when a user does
    2314         <span><strong class="command">net use /home</strong></span> but use the whole string when dealing with profiles.
    2315         </p><p>
    2316         Note that in prior versions of Samba, the <a class="indexterm" name="id283897"></a>logon path was returned rather than
     2315         <span><strong class="command">net use /home</strong></span> but use the whole string when dealing with profiles.
     2316        </p><p>
     2317        Note that in prior versions of Samba, the <a class="indexterm" name="id283898"></a>logon path was returned rather than
    23172318        <em class="parameter"><code>logon home</code></em>.  This broke <span><strong class="command">net use /home</strong></span>
    23182319        but allowed profiles outside the home directory. The current implementation is correct, and can be used for
    23192320        profiles if you use the above trick.
    23202321        </p><p>
    2321         Disable this feature by setting <a class="indexterm" name="id283921"></a>logon home = "" - using the empty string.
     2322        Disable this feature by setting <a class="indexterm" name="id283922"></a>logon home = "" - using the empty string.
    23222323        </p><p>
    23232324        This option is only useful if Samba is set up as a logon server.
     
    23302331        stored.  Contrary to previous versions of these manual pages, it has nothing to do with Win 9X roaming
    23312332        profiles.  To find out how to handle roaming profiles for Win 9X system, see the
    2332         <a class="indexterm" name="id283979"></a>logon home parameter.
     2333        <a class="indexterm" name="id283980"></a>logon home parameter.
    23332334        </p><p>
    23342335        This option takes the standard substitutions, allowing you to have separate logon scripts for each user or
     
    23592360        </p></div><p>Note that this option is only useful if Samba is set up as a domain controller.</p><p>
    23602361        Disable the use of roaming profiles by setting the value of this parameter to the empty string. For
    2361         example, <a class="indexterm" name="id284057"></a>logon path = "". Take note that even if the default setting
     2362        example, <a class="indexterm" name="id284058"></a>logon path = "". Take note that even if the default setting
    23622363        in the smb.conf file is the empty string, any value specified in the user account settings in the passdb
    23632364        backend will over-ride the effect of setting this parameter to null. Disabling of all roaming profile use
     
    23762377        </p><p>
    23772378        The script must be a relative path to the <em class="parameter"><code>[netlogon]</code></em> service.  If the [netlogon]
    2378         service specifies a <a class="indexterm" name="id284133"></a>path of <code class="filename">/usr/local/samba/netlogon</code>, and <a class="indexterm" name="id284146"></a>logon  script = STARTUP.BAT, then the file that will be downloaded is:
     2379        service specifies a <a class="indexterm" name="id284134"></a>path of <code class="filename">/usr/local/samba/netlogon</code>, and <a class="indexterm" name="id284147"></a>logon  script = STARTUP.BAT, then the file that will be downloaded is:
    23792380</p><pre class="programlisting">
    23802381        /usr/local/samba/netlogon/STARTUP.BAT
     
    24162417    in the lppause command as the PATH may not be available to the server.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>lppause command</code></em> =
    24172418# Currently no default value is given to
    2418     this string, unless the value of the <a class="indexterm" name="id284300"></a>printing
     2419    this string, unless the value of the <a class="indexterm" name="id284303"></a>printing
    24192420    parameter is <code class="constant">SYSV</code>, in which case the default is :
    24202421    <span><strong class="command">lp -i %p-%j -H hold</strong></span> or if the value of the
     
    24642465    printing or spooling a specific print job.</p><p>This command should be a program or script which takes
    24652466    a printer name and job number to resume the print job. See
    2466     also the <a class="indexterm" name="id284576"></a>lppause command parameter.</p><p>If a <em class="parameter"><code>%p</code></em> is given then the printer name
     2467    also the <a class="indexterm" name="id284579"></a>lppause command parameter.</p><p>If a <em class="parameter"><code>%p</code></em> is given then the printer name
    24672468    is put in its place. A <em class="parameter"><code>%j</code></em> is replaced with
    24682469    the job number (an integer).</p><p>Note that it is good practice to include the absolute path
    24692470    in the <em class="parameter"><code>lpresume command</code></em> as the PATH may not
    2470     be available to the server.</p><p>See also the <a class="indexterm" name="id284613"></a>printing parameter.</p><p>Default: Currently no default value is given
     2471    be available to the server.</p><p>See also the <a class="indexterm" name="id284616"></a>printing parameter.</p><p>Default: Currently no default value is given
    24712472    to this string, unless the value of the <em class="parameter"><code>printing</code></em>
    24722473    parameter is <code class="constant">SYSV</code>, in which case the default is :</p><p><span><strong class="command">lp -i %p-%j -H resume</strong></span></p><p>or if the value of the <em class="parameter"><code>printing</code></em> parameter
     
    24912492</em></span>
    24922493</p></dd><dt><span class="term"><a name="MACHINEPASSWORDTIMEOUT"></a>machine password timeout (G)</span></dt><dd><p>
    2493         If a Samba server is a member of a Windows NT Domain (see the <a class="indexterm" name="id284769"></a>security = domain parameter) then periodically a running smbd process will try and change
     2494        If a Samba server is a member of a Windows NT Domain (see the <a class="indexterm" name="id284772"></a>security = domain parameter) then periodically a running smbd process will try and change
    24942495        the MACHINE ACCOUNT PASSWORD stored in the TDB called <code class="filename">private/secrets.tdb
    24952496        </code>.  This parameter specifies how often this password will be changed, in seconds. The default is one
     
    24972498        </p><p>
    24982499        See also <a href="smbpasswd.8.html"><span class="citerefentry"><span class="refentrytitle">smbpasswd</span>(8)</span></a>,
    2499         and the <a class="indexterm" name="id284795"></a>security = domain parameter.
     2500        and the <a class="indexterm" name="id284798"></a>security = domain parameter.
    25002501        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>machine password timeout</code></em> = 604800
    25012502</em></span>
    25022503</p></dd><dt><span class="term"><a name="MAGICOUTPUT"></a>magic output (S)</span></dt><dd><p>
    25032504        This parameter specifies the name of a file which will contain output created by a magic script (see the
    2504         <a class="indexterm" name="id284836"></a>magic script parameter below).
     2505        <a class="indexterm" name="id284839"></a>magic script parameter below).
    25052506        </p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>If two clients use the same <em class="parameter"><code>magic script
    25062507        </code></em> in the same directory the output file content is undefined.
     
    25152516        completion assuming that the user has the appropriate level
    25162517        of privilege and the file permissions allow the deletion.</p><p>If the script generates output, output will be sent to
    2517         the file specified by the <a class="indexterm" name="id284910"></a>magic output
     2518        the file specified by the <a class="indexterm" name="id284913"></a>magic output
    25182519        parameter (see above).</p><p>Note that some shells are unable to interpret scripts
    25192520        containing CR/LF instead of CR as
     
    25362537        you would use:
    25372538        </p><p>
    2538         <a class="indexterm" name="id285014"></a>mangled map = (*.html *.htm).
     2539        <a class="indexterm" name="id285017"></a>mangled map = (*.html *.htm).
    25392540        </p><p>
    25402541        One very useful case is to remove the annoying <code class="filename">;1</code> off
     
    25482549</p></dd><dt><span class="term"><a name="MANGLEDNAMES"></a>mangled names (S)</span></dt><dd><p>This controls whether non-DOS names under UNIX
    25492550        should be mapped to DOS-compatible names ("mangled") and made visible,
    2550         or whether non-DOS names should simply be ignored.</p><p>See the section on <a class="indexterm" name="id285081"></a>name mangling for
     2551        or whether non-DOS names should simply be ignored.</p><p>See the section on <a class="indexterm" name="id285084"></a>name mangling for
    25512552        details on how to control the mangling process.</p><p>If mangling is used then the mangling algorithm is as follows:</p><div class="itemizedlist"><ul type="disc"><li><p>The first (up to) five alphanumeric characters
    25522553                        before the rightmost dot of the filename are preserved, forced
     
    25582559                        only if it contains any upper case characters or is longer than three
    25592560                        characters.</p><p>Note that the character to use may be specified using
    2560                                 the <a class="indexterm" name="id285115"></a>mangling char
     2561                                the <a class="indexterm" name="id285118"></a>mangling char
    25612562                        option, if you don't like '~'.</p></li><li><p>Files whose UNIX name begins with a dot will be
    25622563                        presented as DOS hidden files. The mangled name will be created as
     
    25822583</em></span>
    25832584</p></dd><dt><span class="term"><a name="MANGLINGCHAR"></a>mangling char (S)</span></dt><dd><p>This controls what character is used as
    2584         the <span class="emphasis"><em>magic</em></span> character in <a class="indexterm" name="id285236"></a>name mangling. The
     2585        the <span class="emphasis"><em>magic</em></span> character in <a class="indexterm" name="id285238"></a>name mangling. The
    25852586        default is a '~' but this may interfere with some software. Use this option to set
    25862587        it to whatever you prefer. This is effective only when mangling method is hash.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>mangling char</code></em> = ~
     
    26152616        be quite annoying for shared source code, documents, etc...
    26162617        </p><p>
    2617         Note that this requires the <a class="indexterm" name="id285393"></a>create mask        parameter to be set such that owner
     2618        Note that this requires the <a class="indexterm" name="id285396"></a>create mask        parameter to be set such that owner
    26182619        execute bit is not masked out (i.e. it must include 100). See the parameter
    2619         <a class="indexterm" name="id285401"></a>create mask for details.
     2620        <a class="indexterm" name="id285404"></a>create mask for details.
    26202621        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>map archive</code></em> = yes
    26212622</em></span>
     
    26232624        This controls whether DOS style hidden files should be mapped to the UNIX world execute bit.
    26242625        </p><p>
    2625         Note that this requires the <a class="indexterm" name="id285446"></a>create mask to be set such that the world execute
    2626         bit is not masked out (i.e. it must include 001). See the parameter <a class="indexterm" name="id285454"></a>create mask
     2626        Note that this requires the <a class="indexterm" name="id285449"></a>create mask to be set such that the world execute
     2627        bit is not masked out (i.e. it must include 001). See the parameter <a class="indexterm" name="id285457"></a>create mask
    26272628        for details.
    26282629        </p><p><span class="emphasis"><em>No default</em></span></p></dd><dt><span class="term"><a name="MAPREADONLY"></a>map read only (S)</span></dt><dd><p>
     
    26302631        </p><p>
    26312632        This parameter can take three different values, which tell <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> how to display the read only attribute on files, where either
    2632         <a class="indexterm" name="id285500"></a>store dos attributes is set to <code class="constant">No</code>, or no extended attribute is
    2633         present. If <a class="indexterm" name="id285511"></a>store dos attributes is set to <code class="constant">yes</code> then this
     2633        <a class="indexterm" name="id285503"></a>store dos attributes is set to <code class="constant">No</code>, or no extended attribute is
     2634        present. If <a class="indexterm" name="id285514"></a>store dos attributes is set to <code class="constant">yes</code> then this
    26342635        parameter is <span class="emphasis"><em>ignored</em></span>. This is a new parameter introduced in Samba version 3.0.21.
    26352636        </p><p>The three settings are :</p><div class="itemizedlist"><ul type="disc"><li><p>
     
    26442645                </p></li><li><p>
    26452646                <code class="constant">No</code> - The read only DOS attribute is unaffected by permissions, and can only be set by
    2646                 the <a class="indexterm" name="id285568"></a>store dos attributes method. This may be useful for exporting mounted CDs.
     2647                the <a class="indexterm" name="id285570"></a>store dos attributes method. This may be useful for exporting mounted CDs.
    26472648                </p></li></ul></div><p>Default: <span class="emphasis"><em><em class="parameter"><code>map read only</code></em> = yes
    26482649</em></span>
     
    26502651        This controls whether DOS style system files should be mapped to the UNIX group execute bit.
    26512652        </p><p>
    2652         Note that this requires the <a class="indexterm" name="id285613"></a>create mask        to be set such that the group
     2653        Note that this requires the <a class="indexterm" name="id285616"></a>create mask        to be set such that the group
    26532654        execute bit is not masked out (i.e. it must include 010). See the parameter
    2654         <a class="indexterm" name="id285621"></a>create mask for details.
     2655        <a class="indexterm" name="id285624"></a>create mask for details.
    26552656        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>map system</code></em> = no
    26562657</em></span>
    2657 </p></dd><dt><span class="term"><a name="MAPTOGUEST"></a>map to guest (G)</span></dt><dd><p>This parameter is only useful in <a class="indexterm" name="id285661"></a>SECURITY =
     2658</p></dd><dt><span class="term"><a name="MAPTOGUEST"></a>map to guest (G)</span></dt><dd><p>This parameter is only useful in <a class="indexterm" name="id285664"></a>SECURITY =
    26582659    security modes other than <em class="parameter"><code>security = share</code></em>
    2659     - i.e. <code class="constant">user</code>, <code class="constant">server</code>,
    2660     and <code class="constant">domain</code>.</p><p>This parameter can take four different values, which tell
     2660    and <em class="parameter"><code>security = server</code></em>
     2661    - i.e. <code class="constant">user</code>, and <code class="constant">domain</code>.</p><p>This parameter can take four different values, which tell
    26612662    <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> what to do with user
    26622663    login requests that don't match a valid UNIX user in some way.</p><p>The four settings are :</p><div class="itemizedlist"><ul type="disc"><li><p><code class="constant">Never</code> - Means user login
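Review bot: The reworded opening of map to guest now reads "only useful in SECURITY = security modes other than security = share and security = server - i.e. user, and domain", which has a stray comma before "and domain" and a leftover "SECURITY =" index term running into the sentence. Since this sentence decides whether an administrator expects guest mapping to apply at all, suggest "only useful in security modes other than security = share and security = server, i.e. user and domain".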
     
    26652666            logins with an invalid password are rejected, unless the username
    26662667            does not exist, in which case it is treated as a guest login and
    2667             mapped into the <a class="indexterm" name="id285723"></a>guest account.</p></li><li><p><code class="constant">Bad Password</code> - Means user logins
     2668            mapped into the <a class="indexterm" name="id285728"></a>guest account.</p></li><li><p><code class="constant">Bad Password</code> - Means user logins
    26682669            with an invalid password are treated as a guest login and mapped
    2669             into the <a class="indexterm" name="id285740"></a>guest account. Note that
     2670            into the <a class="indexterm" name="id285745"></a>guest account. Note that
    26702671            this can cause problems as it means that any user incorrectly typing
    26712672            their password will be silently logged on as "guest" - and
     
    26832684            to the underlying OS via the Name Service Switch interface.</p></li></ul></div><p>Note that this parameter is needed to set up "Guest"
    26842685    share services when using <em class="parameter"><code>security</code></em> modes other than
    2685     share. This is because in these modes the name of the resource being
     2686    share and server. This is because in these modes the name of the resource being
    26862687    requested is <span class="emphasis"><em>not</em></span> sent to the server until after
    26872688    the server has successfully authenticated the client so the server
    26882689    cannot make authentication decisions at the correct time (connection
    2689     to the share) for "Guest" shares.</p><p>For people familiar with the older Samba releases, this
     2690    to the share) for "Guest" shares. This parameter is not useful with
     2691    <em class="parameter"><code>security = server</code></em> as in this security mode
     2692    no information is returned about whether a user logon failed due to
     2693    a bad username or bad password, the same error is returned from a modern server
     2694    in both cases.</p><p>For people familiar with the older Samba releases, this
    26902695    parameter maps to the old compile-time setting of the <code class="constant">
    26912696                GUEST_SESSSETUP</code> value in local.h.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>map to guest</code></em> = Never
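Review bot: The added rationale for security = server ends in a comma splice ("bad username or bad password, the same error is returned from a modern server in both cases") and never says what smbd does when map to guest is set to Bad User or Bad Password under that mode. State whether the setting is ignored or whether every failed logon is treated the same way, because the difference determines whether a failed logon can end up with guest access. Splitting the sentence after "bad password" would also make it easier to read.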
     
    26972702    will be refused if this number of connections to the service are already open. A value
    26982703    of zero mean an unlimited number of connections may be made.</p><p>Record lock files are used to implement this feature. The lock files will be stored in
    2699     the directory specified by the <a class="indexterm" name="id285862"></a>lock directory option.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>max connections</code></em> = 0
     2704    the directory specified by the <a class="indexterm" name="id285871"></a>lock directory option.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>max connections</code></em> = 0
    27002705</em></span>
    27012706</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>max connections</code></em> = 10
     
    27882793</em></span>
    27892794</p></dd><dt><span class="term"><a name="MAXWINSTTL"></a>max wins ttl (G)</span></dt><dd><p>This option tells <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> when acting as a WINS server
    2790         (<a class="indexterm" name="id286529"></a>wins support = yes) what the maximum
     2795        (<a class="indexterm" name="id286538"></a>wins support = yes) what the maximum
    27912796    'time to live' of NetBIOS names that <span><strong class="command">nmbd</strong></span>
    27922797    will grant will be (in seconds). You should never need to change this
     
    28492854</p></dd><dt><span class="term"><a name="MINPROTOCOL"></a>min protocol (G)</span></dt><dd><p>The value of the parameter (a string) is the
    28502855    lowest SMB protocol dialect than Samba will support.  Please refer
    2851     to the <a class="indexterm" name="id286852"></a>max protocol
     2856    to the <a class="indexterm" name="id286860"></a>max protocol
    28522857    parameter for a list of valid protocol names and a brief description
    28532858    of each.  You may also wish to refer to the C source code in
    28542859    <code class="filename">source/smbd/negprot.c</code> for a listing of known protocol
    28552860    dialects supported by clients.</p><p>If you are viewing this parameter as a security measure, you should
    2856     also refer to the <a class="indexterm" name="id286871"></a>lanman auth parameter.  Otherwise, you should never need
     2861    also refer to the <a class="indexterm" name="id286879"></a>lanman auth parameter.  Otherwise, you should never need
    28572862    to change this parameter.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>min protocol</code></em> = CORE
    28582863</em></span>
     
    28602865</em></span>
    28612866</p></dd><dt><span class="term"><a name="MINWINSTTL"></a>min wins ttl (G)</span></dt><dd><p>This option tells <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a>
    2862     when acting as a WINS server (<a class="indexterm" name="id286931"></a>wins support = yes) what the minimum 'time to live'
     2867    when acting as a WINS server (<a class="indexterm" name="id286939"></a>wins support = yes) what the minimum 'time to live'
    28632868    of NetBIOS names that <span><strong class="command">nmbd</strong></span> will grant will be (in
    28642869    seconds). You should never need to change this parameter.  The default
     
    28702875        this share, they are redirected to the proxied share using
    28712876        the SMB-Dfs protocol.</p><p>Only Dfs roots can act as proxy shares. Take a look at the
    2872         <a class="indexterm" name="id286985"></a>msdfs root and <a class="indexterm" name="id286992"></a>host msdfs
     2877        <a class="indexterm" name="id286993"></a>msdfs root and <a class="indexterm" name="id287000"></a>host msdfs
    28732878        options to find out how to set up a Dfs root share.</p><p><span class="emphasis"><em>No default</em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>msdfs proxy</code></em> = \\otherserver\someshare
    28742879</em></span>
     
    29062911                _ldap._tcp.domain.
    29072912        </p></li><li><p><code class="constant">wins</code> : Query a name with
    2908             the IP address listed in the <a class="indexterm" name="id287183"></a>WINSSERVER parameter.  If no WINS server has
     2913            the IP address listed in the <a class="indexterm" name="id287191"></a>WINSSERVER parameter.  If no WINS server has
    29092914            been specified this method will be ignored.</p></li><li><p><code class="constant">bcast</code> : Do a broadcast on
    2910             each of the known local interfaces listed in the <a class="indexterm" name="id287200"></a>interfaces
     2915            each of the known local interfaces listed in the <a class="indexterm" name="id287208"></a>interfaces
    29112916            parameter. This is the least reliable of the name resolution
    29122917            methods as it depends on the target host being on a locally
     
    29602965        server. When Samba is returning the home share to the client, it
    29612966        will consult the NIS map specified in
    2962         <a class="indexterm" name="id287449"></a>homedir map and return the server
     2967        <a class="indexterm" name="id287457"></a>homedir map and return the server
    29632968        listed there.</p><p>Note that for this option to work there must be a working
    29642969        NIS system and the Samba server with this option must also
     
    29993004    default behavior is to use PAM for clear text authentication only
    30003005    and to ignore any account or session management.  Note that Samba
    3001     always ignores PAM for authentication in the case of <a class="indexterm" name="id287735"></a>encrypt passwords = yes.  The reason
     3006    always ignores PAM for authentication in the case of <a class="indexterm" name="id287744"></a>encrypt passwords = yes.  The reason
    30023007    is that PAM modules cannot support the challenge/response
    30033008    authentication mechanism needed in the presence of SMB password encryption.
     
    30103015    this parameter will force the server to only use the login
    30113016    names from the <em class="parameter"><code>user</code></em> list and is only really
    3012     useful in <a class="indexterm" name="id287791"></a>security = share level security.</p><p>Note that this also means Samba won't try to deduce
     3017    useful in <a class="indexterm" name="id287800"></a>security = share level security.</p><p>Note that this also means Samba won't try to deduce
    30133018    usernames from the service name. This can be annoying for
    30143019    the [homes] section. To get around this you could use <span><strong class="command">user =
     
    30583063        </p><p>
    30593064        Oplocks may be selectively turned off on certain files with a share. See
    3060         the <a class="indexterm" name="id288040"></a>veto oplock files parameter. On some systems
     3065        the <a class="indexterm" name="id288045"></a>veto oplock files parameter. On some systems
    30613066        oplocks are recognized by the underlying operating system. This
    30623067        allows data synchronization between all access to oplocked files,
    30633068        whether it be via Samba or NFS or a local UNIX process. See the
    3064         <a class="indexterm" name="id288049"></a>kernel oplocks parameter for details.
     3069        <a class="indexterm" name="id288054"></a>kernel oplocks parameter for details.
    30653070        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>oplocks</code></em> = yes
    30663071</em></span>
     
    30773082</p></dd><dt><span class="term"><a name="OSLEVEL"></a>os level (G)</span></dt><dd><p>
    30783083        This integer value controls what level Samba advertises itself as for browse elections. The value of this
    3079         parameter determines whether <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a> has a chance of becoming a local master browser for the <a class="indexterm" name="id288153"></a>workgroup in the local broadcast area.
     3084        parameter determines whether <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a> has a chance of becoming a local master browser for the <a class="indexterm" name="id288157"></a>workgroup in the local broadcast area.
    30803085</p><p><span class="emphasis"><em>
    30813086        Note :</em></span>By default, Samba will win a local master browsing election over all Microsoft operating
     
    30923097    flag for Samba.  If enabled, then PAM will be used for password
    30933098    changes when requested by an SMB client instead of the program listed in
    3094     <a class="indexterm" name="id288217"></a>passwd program.
     3099    <a class="indexterm" name="id288221"></a>passwd program.
    30953100    It should be possible to enable this without changing your
    3096     <a class="indexterm" name="id288224"></a>passwd chat parameter for most setups.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>pam password change</code></em> = no
     3101    <a class="indexterm" name="id288229"></a>passwd chat parameter for most setups.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>pam password change</code></em> = no
    30973102</em></span>
    30983103</p></dd><dt><span class="term"><a name="PANICACTION"></a>panic action (G)</span></dt><dd><p>This is a Samba developer option that allows a
     
    31203125                </p></li><li><p><span><strong class="command">tdbsam</strong></span> - The TDB based password storage
    31213126                backend.  Takes a path to the TDB as an optional argument (defaults to passdb.tdb
    3122                 in the <a class="indexterm" name="id288401"></a>private dir directory.</p></li><li><p><span><strong class="command">ldapsam</strong></span> - The LDAP based passdb
     3127                in the <a class="indexterm" name="id288406"></a>private dir directory.</p></li><li><p><span><strong class="command">ldapsam</strong></span> - The LDAP based passdb
    31233128                backend.  Takes an LDAP URL as an optional argument (defaults to
    31243129                <span><strong class="command">ldap://localhost</strong></span>)</p><p>LDAP connections should be secured where possible.  This may be done using either
    3125                 Start-TLS (see <a class="indexterm" name="id288431"></a>ldap ssl) or by
     3130                Start-TLS (see <a class="indexterm" name="id288435"></a>ldap ssl) or by
    31263131                specifying <em class="parameter"><code>ldaps://</code></em> in
    31273132                the URL argument. </p><p>Multiple servers may also be specified in double-quotes, if your
     
    31463151    </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>passdb expand explicit</code></em> = no
    31473152</em></span>
    3148 </p></dd><dt><span class="term"><a name="PASSWDCHATDEBUG"></a>passwd chat debug (G)</span></dt><dd><p>This boolean specifies if the passwd chat script
    3149     parameter is run in <span class="emphasis"><em>debug</em></span> mode. In this mode the
    3150     strings passed to and received from the passwd chat are printed
    3151     in the <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> log with a
    3152     <a class="indexterm" name="id288541"></a>debug level
    3153     of 100. This is a dangerous option as it will allow plaintext passwords
    3154     to be seen in the <span><strong class="command">smbd</strong></span> log. It is available to help
    3155     Samba admins debug their <em class="parameter"><code>passwd chat</code></em> scripts
    3156     when calling the <em class="parameter"><code>passwd program</code></em> and should
    3157     be turned off after this has been done. This option has no effect if the
    3158     <a class="indexterm" name="id288568"></a>pam password change
    3159         paramter is set. This parameter is off by default.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>passwd chat debug</code></em> = no
    3160 </em></span>
    3161 </p></dd><dt><span class="term"><a name="PASSWDCHATTIMEOUT"></a>passwd chat timeout (G)</span></dt><dd><p>This integer specifies the number of seconds smbd will wait for an initial
    3162     answer from a passwd chat script being run. Once the initial answer is received
    3163     the subsequent answers must be received in one tenth of this time. The default it
    3164     two seconds.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>passwd chat timeout</code></em> = 2
    3165 </em></span>
    31663153</p></dd><dt><span class="term"><a name="PASSWDCHAT"></a>passwd chat (G)</span></dt><dd><p>This string controls the <span class="emphasis"><em>"chat"</em></span>
    31673154    conversation that takes places between <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> and the local password changing
    31683155    program to change the user's password. The string describes a
    31693156    sequence of response-receive pairs that <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> uses to determine what to send to the
    3170     <a class="indexterm" name="id288665"></a>passwd program and what to expect back. If the expected output is not
     3157    <a class="indexterm" name="id288553"></a>passwd program and what to expect back. If the expected output is not
    31713158    received then the password is not changed.</p><p>This chat sequence is often quite site specific, depending
    31723159    on what local methods are used for password control (such as NIS
    3173     etc).</p><p>Note that this parameter only is only used if the <a class="indexterm" name="id288681"></a>unix password sync parameter is set  to <code class="constant">yes</code>. This sequence is
     3160    etc).</p><p>Note that this parameter only is only used if the <a class="indexterm" name="id288570"></a>unix password sync parameter is set  to <code class="constant">yes</code>. This sequence is
    31743161    then called <span class="emphasis"><em>AS ROOT</em></span> when the SMB password  in the
    31753162    smbpasswd file is being changed, without access to the old password
    31763163    cleartext. This means that root must be able to reset the user's password without
    31773164    knowing the text of the previous password. In the presence of
    3178     NIS/YP,  this means that the <a class="indexterm" name="id288698"></a>passwd program must
     3165    NIS/YP,  this means that the <a class="indexterm" name="id288586"></a>passwd program must
    31793166    be executed on the NIS master.
    31803167    </p><p>The string can contain the macro <em class="parameter"><code>%n</code></em> which is substituted
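Review bot: The regenerated passwd chat line still reads "Note that this parameter only is only used if the unix password sync parameter is set to yes"; the duplicated "only" is carried unchanged from the removed line to the added one. Since the paragraph goes on to describe the chat being run AS ROOT without the old password cleartext, the condition under which it applies should read cleanly: "this parameter is only used if".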
     
    31853172    in them into a single string.</p><p>If the send string in any part of the chat sequence  is a full
    31863173    stop ".",  then no string is sent. Similarly,  if the
    3187     expect string is a full stop then no string is expected.</p><p>If the <a class="indexterm" name="id288726"></a>pam password change parameter is set to <code class="constant">yes</code>, the
     3174    expect string is a full stop then no string is expected.</p><p>If the <a class="indexterm" name="id288614"></a>pam password change parameter is set to <code class="constant">yes</code>, the
    31883175        chat pairs may be matched in any order, and success is determined by the PAM result, not any particular
    31893176        output. The \n macro is ignored for PAM conversions.
     
    31913178</em></span>
    31923179</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>passwd chat</code></em> = "*Enter OLD password*" %o\n "*Enter NEW password*" %n\n "*Reenter NEW password*" %n\n "*Password changed*"
     3180</em></span>
     3181</p></dd><dt><span class="term"><a name="PASSWDCHATDEBUG"></a>passwd chat debug (G)</span></dt><dd><p>This boolean specifies if the passwd chat script
     3182    parameter is run in <span class="emphasis"><em>debug</em></span> mode. In this mode the
     3183    strings passed to and received from the passwd chat are printed
     3184    in the <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> log with a
     3185    <a class="indexterm" name="id288686"></a>debug level
     3186    of 100. This is a dangerous option as it will allow plaintext passwords
     3187    to be seen in the <span><strong class="command">smbd</strong></span> log. It is available to help
     3188    Samba admins debug their <em class="parameter"><code>passwd chat</code></em> scripts
     3189    when calling the <em class="parameter"><code>passwd program</code></em> and should
     3190    be turned off after this has been done. This option has no effect if the
     3191    <a class="indexterm" name="id288713"></a>pam password change
     3192        paramter is set. This parameter is off by default.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>passwd chat debug</code></em> = no
     3193</em></span>
     3194</p></dd><dt><span class="term"><a name="PASSWDCHATTIMEOUT"></a>passwd chat timeout (G)</span></dt><dd><p>This integer specifies the number of seconds smbd will wait for an initial
     3195    answer from a passwd chat script being run. Once the initial answer is received
     3196    the subsequent answers must be received in one tenth of this time. The default it
     3197    two seconds.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>passwd chat timeout</code></em> = 2
    31933198</em></span>
    31943199</p></dd><dt><span class="term"><a name="PASSWDPROGRAM"></a>passwd program (G)</span></dt><dd><p>The name of a program that can be used to set
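Review bot: The relocated passwd chat debug and passwd chat timeout entries are moved verbatim, so "paramter is set" and "The default it two seconds" are carried over; fix both in the DocBook source while the entries are being reordered. The passwd chat debug text says plaintext passwords appear in the smbd log at debug level 100 and that the option should be turned off afterwards, but it does not mention the passwords already written. Suggest adding a sentence telling admins to remove or restrict access to the log files produced while the option was enabled.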
     
    32313236    made - the password as is and the password in all-lower case.</p><p>This parameter is used only when using plain-text passwords. It is
    32323237    not at all used when encrypted passwords as in use (that is the default
    3233     since samba-3.0.0). Use this only when <a class="indexterm" name="id288953"></a>encrypt passwords = No.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>password level</code></em> = 0
     3238    since samba-3.0.0). Use this only when <a class="indexterm" name="id288957"></a>encrypt passwords = No.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>password level</code></em> = 0
    32343239</em></span>
    32353240</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>password level</code></em> = 4
     
    32473252    have no effect on password servers for Windows NT 4.0 domains or netbios
    32483253    connections.</p><p>If parameter is a name, it is looked up using the
    3249     parameter <a class="indexterm" name="id289024"></a>name resolve order and so may resolved
     3254    parameter <a class="indexterm" name="id289029"></a>name resolve order and so may resolved
    32503255    by any method and order described in that parameter.</p><p>The password server must be a machine capable of using
    32513256    the "LM1.2X002" or the "NT LM 0.12" protocol, and it must be in
     
    33093314        will be replaced by the NetBIOS name of the machine they are
    33103315        connecting from. These replacements are very useful for setting
    3311         up pseudo home directories for users.</p><p>Note that this path will be based on <a class="indexterm" name="id289308"></a>root dir
     3316        up pseudo home directories for users.</p><p>Note that this path will be based on <a class="indexterm" name="id289313"></a>root dir
    33123317         if one was specified.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>path</code></em> =
    33133318</em></span>
     
    33363341</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>postexec</code></em> = echo \"%u disconnected from %S from %m (%I)\" &gt;&gt; /tmp/log
    33373342</em></span>
    3338 </p></dd><dt><span class="term"><a name="PREEXECCLOSE"></a>preexec close (S)</span></dt><dd><p>
    3339         This boolean option controls whether a non-zero return code from <a class="indexterm" name="id289506"></a>preexec
    3340         should close the service being connected to.
    3341         </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>preexec close</code></em> = no
    3342 </em></span>
    33433343</p></dd><dt><span class="term"><a name="EXEC"></a>exec</span></dt><dd><p>This parameter is a synonym for preexec.</p></dd><dt><span class="term"><a name="PREEXEC"></a>preexec (S)</span></dt><dd><p>This option specifies a command to be run whenever
    33443344        the service is connected to. It takes the usual substitutions.</p><p>An interesting example is to send the users a welcome
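Review bot: the postexec example on 3336/3341 appends to /tmp/log, a fixed file name in a shared temporary directory, and this changeset carries it forward unchanged. Suggest the example write to a log directory that only the account running the command can write to, and that the text say so, since readers copy these examples verbatim.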
     
    33483348        /usr/local/samba/bin/smbclient -M %m -I %I' &amp; </strong></span>
    33493349        </p><p>Of course, this could get annoying after a while :-)</p><p>
    3350         See also <a class="indexterm" name="id289590"></a>preexec close and <a class="indexterm" name="id289597"></a>postexec.
     3350        See also <a class="indexterm" name="id289554"></a>preexec close and <a class="indexterm" name="id289562"></a>postexec.
    33513351        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>preexec</code></em> =
    33523352</em></span>
    33533353</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>preexec</code></em> = echo \"%u connected to %S from %m (%I)\" &gt;&gt; /tmp/log
     3354</em></span>
     3355</p></dd><dt><span class="term"><a name="PREEXECCLOSE"></a>preexec close (S)</span></dt><dd><p>
     3356        This boolean option controls whether a non-zero return code from <a class="indexterm" name="id289614"></a>preexec
     3357        should close the service being connected to.
     3358        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>preexec close</code></em> = no
    33543359</em></span>
    33553360</p></dd><dt><span class="term"><a name="PREFEREDMASTER"></a>prefered master</span></dt><dd><p>This parameter is a synonym for preferred master.</p></dd><dt><span class="term"><a name="PREFERREDMASTER"></a>preferred master (G)</span></dt><dd><p>
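Review bot: the re-added preexec close entry (3355-3359) keeps "Default: preexec close = no" without saying what that means for a preexec command used as a check: with the default, a non-zero return code does not close the service. Suggest one sentence stating that a preexec command meant to gate access needs preexec close = yes. The moved text otherwise matches the block removed at old 3338-3342 apart from the anchor id.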
     
    33583363        If this is set to <code class="constant">yes</code>, on startup, <span><strong class="command">nmbd</strong></span> will force
    33593364        an election, and it will have a slight advantage in winning the election.  It is recommended that this
    3360         parameter is used in conjunction with <a class="indexterm" name="id289694"></a>domain master = yes, so that
     3365        parameter is used in conjunction with <a class="indexterm" name="id289698"></a>domain master = yes, so that
    33613366        <span><strong class="command">nmbd</strong></span> can guarantee becoming a domain master.
    33623367        </p><p>
     
    33673372        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>preferred master</code></em> = auto
    33683373</em></span>
    3369 </p></dd><dt><span class="term"><a name="PRELOADMODULES"></a>preload modules (G)</span></dt><dd><p>This is a list of paths to modules that should
    3370         be loaded into smbd before a client connects. This improves
    3371         the speed of smbd when reacting to new connections somewhat. </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>preload modules</code></em> =
    3372 </em></span>
    3373 </p><p>Example: <span class="emphasis"><em><em class="parameter"><code>preload modules</code></em> = /usr/lib/samba/passdb/mysql.so
    3374 </em></span>
    33753374</p></dd><dt><span class="term"><a name="AUTOSERVICES"></a>auto services</span></dt><dd><p>This parameter is a synonym for preload.</p></dd><dt><span class="term"><a name="PRELOAD"></a>preload (G)</span></dt><dd><p>This is a list of services that you want to be
    33763375        automatically added to the browse lists. This is most useful
     
    33783377        visible.</p><p>
    33793378        Note that if you just want all printers in your
    3380         printcap file loaded then the <a class="indexterm" name="id289819"></a>load printers
     3379        printcap file loaded then the <a class="indexterm" name="id289778"></a>load printers
    33813380         option is easier.
    33823381        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>preload</code></em> =
     
    33843383</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>preload</code></em> = fred lp colorlp
    33853384</em></span>
     3385</p></dd><dt><span class="term"><a name="PRELOADMODULES"></a>preload modules (G)</span></dt><dd><p>This is a list of paths to modules that should
     3386        be loaded into smbd before a client connects. This improves
     3387        the speed of smbd when reacting to new connections somewhat. </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>preload modules</code></em> =
     3388</em></span>
     3389</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>preload modules</code></em> = /usr/lib/samba/passdb/mysql.so
     3390</em></span>
    33863391</p></dd><dt><span class="term"><a name="PRESERVECASE"></a>preserve case (S)</span></dt><dd><p>
    33873392        This controls if new filenames are created with the case that the client passes, or if
    3388         they are forced to be the <a class="indexterm" name="id289871"></a>default case.
     3393        they are forced to be the <a class="indexterm" name="id289876"></a>default case.
    33893394        </p><p>
    33903395        See the section on <a href="#NAMEMANGLINGSECT" title="NAME MANGLING">NAME MANGLING</a> for a fuller discussion.
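Review bot: the preload modules entry re-added at 3385-3390 says the listed paths are loaded into smbd but gives no guidance on their ownership or permissions. Since the code runs inside smbd, suggest adding that each path (the example uses /usr/lib/samba/passdb/mysql.so) should be writable only by root. The wording is otherwise identical to the block removed at old 3369-3374.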
     
    33953400    specified for the service. </p><p>Note that a printable service will ALWAYS allow writing
    33963401    to the service path (user privileges permitting) via the spooling
    3397     of print data. The <a class="indexterm" name="id290056"></a>read only parameter controls only non-printing access to
     3402    of print data. The <a class="indexterm" name="id290060"></a>read only parameter controls only non-printing access to
    33983403    the resource.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>printable</code></em> = no
    33993404</em></span>
     
    34133418        </p><p>
    34143419        To use the CUPS printing interface set <span><strong class="command">printcap name = cups </strong></span>. This should
    3415         be supplemented by an addtional setting <a class="indexterm" name="id290194"></a>printing = cups in the [global]
     3420        be supplemented by an addtional setting <a class="indexterm" name="id290198"></a>printing = cups in the [global]
    34163421        section.  <span><strong class="command">printcap name = cups</strong></span> will use the  "dummy" printcap
    34173422        created by CUPS, as specified in your CUPS configuration file.
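Review bot: "addtional" on 3415/3420 should be "additional". The line is being regenerated for the anchor id only, so the spelling fix needs to go into the DocBook source.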
     
    34663471    be created but not processed and (most importantly) not removed.</p><p>Note that printing may fail on some UNIXes from the
    34673472    <code class="constant">nobody</code> account. If this happens then create
    3468     an alternative guest account that can print and set the <a class="indexterm" name="id290406"></a>guest account
     3473    an alternative guest account that can print and set the <a class="indexterm" name="id290410"></a>guest account
    34693474    in the [global] section.</p><p>You can form quite complex print commands by realizing
    34703475    that they are just passed to a shell. For example the following
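Review bot: 3469/3474 tells readers that print commands "are just passed to a shell", but the text visible here does not say how substituted values are quoted or sanitised before the shell sees them. Suggest stating that explicitly, or showing the substitutions quoted in the example that follows.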
     
    34733478    /tmp/print.log; lpr -P %p %s; rm %s</strong></span></p><p>You may have to vary this command considerably depending
    34743479    on how you normally print files on your system. The default for
    3475     the parameter varies depending on the setting of the <a class="indexterm" name="id290432"></a>printing
     3480    the parameter varies depending on the setting of the <a class="indexterm" name="id290437"></a>printing
    34763481        parameter.</p><p>Default: For <span><strong class="command">printing = BSD, AIX, QNX, LPRNG
    34773482    or PLP :</strong></span></p><p><span><strong class="command">print command = lpr -r -P%p %s</strong></span></p><p>For <span><strong class="command">printing = SYSV or HPUX :</strong></span></p><p><span><strong class="command">print command = lp -c -d%p %s; rm %s</strong></span></p><p>For <span><strong class="command">printing = SOFTQ :</strong></span></p><p><span><strong class="command">print command = lp -d%p -s %s; rm %s</strong></span></p><p>For printing = CUPS :   If SAMBA is compiled against
    3478     libcups, then <a class="indexterm" name="id290488"></a>printcap = cups
     3483    libcups, then <a class="indexterm" name="id290493"></a>printcap = cups
    34793484    uses the CUPS API to
    34803485    submit jobs, etc.  Otherwise it maps to the System V
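Review bot: 3478/3483 writes the setting as "printcap = cups", while 3414/3419 in the printcap name entry writes "printcap name = cups". Pick one spelling, or state that printcap is a synonym, so the two entries agree.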
     
    35083513        does not have its own printer name specified.
    35093514        </p><p>
    3510         The default value of the <a class="indexterm" name="id290630"></a>printer name may be <code class="literal">lp</code> on many
     3515        The default value of the <a class="indexterm" name="id290634"></a>printer name may be <code class="literal">lp</code> on many
    35113516        systems.
    35123517        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>printer name</code></em> = none
     
    35813586    executed on the server host in order to resume the printer queue. It
    35823587    is the command to undo the behavior that is caused by the
    3583     previous parameter (<a class="indexterm" name="id291021"></a>queuepause command).</p><p>This command should be a program or script which takes
     3588    previous parameter (<a class="indexterm" name="id291026"></a>queuepause command).</p><p>This command should be a program or script which takes
    35843589    a printer name as its only parameter and resumes the printer queue,
    35853590    such that queued jobs are resubmitted to the printer.</p><p>This command is not supported by Windows for Workgroups,
     
    36013606</p></dd><dt><span class="term"><a name="READLIST"></a>read list (S)</span></dt><dd><p>
    36023607        This is a list of users that are given read-only access to a service. If the connecting user is in this list
    3603         then they will not be given write access, no matter what the <a class="indexterm" name="id291144"></a>read only option is set
    3604         to. The list can include group names using the syntax described in the <a class="indexterm" name="id291151"></a>invalid users
     3608        then they will not be given write access, no matter what the <a class="indexterm" name="id291148"></a>read only option is set
     3609        to. The list can include group names using the syntax described in the <a class="indexterm" name="id291156"></a>invalid users
    36053610        parameter.
    3606         </p><p>This parameter will not work with the <a class="indexterm" name="id291162"></a>security = share in
     3611        </p><p>This parameter will not work with the <a class="indexterm" name="id291167"></a>security = share in
    36073612    Samba 3.0.  This is by design.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>read list</code></em> =
    36083613</em></span>
    36093614</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>read list</code></em> = mary, @students
    36103615</em></span>
    3611 </p></dd><dt><span class="term"><a name="READONLY"></a>read only (S)</span></dt><dd><p>An inverted synonym is <a class="indexterm" name="id291214"></a>writeable.</p><p>If this parameter is <code class="constant">yes</code>, then users
     3616</p></dd><dt><span class="term"><a name="READONLY"></a>read only (S)</span></dt><dd><p>An inverted synonym is <a class="indexterm" name="id291218"></a>writeable.</p><p>If this parameter is <code class="constant">yes</code>, then users
    36123617    of a service may not create or modify files in the service's
    36133618    directory.</p><p>Note that a printable service (<span><strong class="command">printable = yes</strong></span>)
     
    36453650        the above line would cause <span><strong class="command">nmbd</strong></span> to announce itself
    36463651        to the two given IP addresses using the given workgroup names. If you leave out the
    3647         workgroup name then the one given in the <a class="indexterm" name="id291412"></a>workgroup parameter
     3652        workgroup name then the one given in the <a class="indexterm" name="id291416"></a>workgroup parameter
    36483653        is used instead.
    36493654        </p><p>
     
    36823687        is in fact the browse master on its segment.
    36833688        </p><p>
    3684         The <a class="indexterm" name="id291509"></a>remote browse sync may be used on networks
     3689        The <a class="indexterm" name="id291514"></a>remote browse sync may be used on networks
    36853690        where there is no WINS server, and may be used on disjoint networks where
    36863691        each network has its own WINS server.
     
    37053710        </p></div><p>Default: <span class="emphasis"><em><em class="parameter"><code>rename user script</code></em> = no
    37063711</em></span>
    3707 </p></dd><dt><span class="term"><a name="RESETONZEROVC"></a>reset on zero vc (S)</span></dt><dd><p>
     3712</p></dd><dt><span class="term"><a name="RESETONZEROVC"></a>reset on zero vc (G)</span></dt><dd><p>
    37083713        This boolean option controls whether an incoming session setup
    37093714        should kill other connections coming from the same IP. This matches
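Review bot: the scope marker for reset on zero vc changes from (S) to (G) at 3707/3712, which, unlike the anchor-id and ordering changes around it, alters what the page tells an administrator. Please confirm it matches how the parameter is registered in the source and mention it in the commit message, because a reader who set this per share under the old text needs to know it now belongs in [global].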
     
    37443749        </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
    37453750    The security advantage of using restrict anonymous = 2 is removed
    3746     by setting <a class="indexterm" name="id291682"></a>guest ok = yes on any share.
     3751    by setting <a class="indexterm" name="id291687"></a>guest ok = yes on any share.
    37473752        </p></div><p>Default: <span class="emphasis"><em><em class="parameter"><code>restrict anonymous</code></em> = 0
    37483753</em></span>
     
    37543759    parts of the filesystem, or attempts to use ".." in file names
    37553760    to access other directories (depending on the setting of the
    3756         <a class="indexterm" name="id291776"></a>wide smbconfoptions parameter).
     3761        <a class="indexterm" name="id291780"></a>wide smbconfoptions parameter).
    37573762    </p><p>Adding a <em class="parameter"><code>root directory</code></em> entry other
    37583763    than "/" adds an extra level of security, but at a price. It
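Review bot: "wide smbconfoptions parameter" on 3756/3761 does not read as a parameter name and looks like a reference that was expanded wrongly when the page was generated; it is carried over unchanged apart from the anchor id. Suggest fixing the reference in the DocBook source so the sentence names the parameter it means.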
     
    37763781        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>root postexec</code></em> =
    37773782</em></span>
    3778 </p></dd><dt><span class="term"><a name="ROOTPREEXECCLOSE"></a>root preexec close (S)</span></dt><dd><p>This is the same as the <em class="parameter"><code>preexec close
    3779         </code></em> parameter except that the command is run as root.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>root preexec close</code></em> = no
    3780 </em></span>
    37813783</p></dd><dt><span class="term"><a name="ROOTPREEXEC"></a>root preexec (S)</span></dt><dd><p>
    37823784        This is the same as the <em class="parameter"><code>preexec</code></em>
     
    37853787        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>root preexec</code></em> =
    37863788</em></span>
    3787 </p></dd><dt><span class="term"><a name="SECURITYMASK"></a>security mask (S)</span></dt><dd><p>
    3788         This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating the
    3789         UNIX permission on a file using the native NT security dialog box.
    3790         </p><p>
    3791         This parameter is applied as a mask (AND'ed with) to the changed permission bits, thus preventing any bits not
    3792         in this mask from being modified.  Make sure not to mix up this parameter with <a class="indexterm" name="id291989"></a>force  security mode, which works in a manner similar to this one but uses a logical OR instead of an AND.
    3793         </p><p>
    3794         Essentially, zero bits in this mask may be treated as a set of bits the user is not allowed to change.
    3795         </p><p>
    3796         If not set explicitly this parameter is 0777, allowing a user to modify all the user/group/world permissions on a file.
    3797     </p><p><span class="emphasis"><em>
    3798         Note</em></span> that users who can access the Samba server through other means can easily bypass this
    3799     restriction, so it is primarily useful for standalone "appliance" systems.  Administrators of
    3800         most normal systems will probably want to leave it set to <code class="constant">0777</code>.
    3801         </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>security mask</code></em> = 0777
    3802 </em></span>
    3803 </p><p>Example: <span class="emphasis"><em><em class="parameter"><code>security mask</code></em> = 0770
     3789</p></dd><dt><span class="term"><a name="ROOTPREEXECCLOSE"></a>root preexec close (S)</span></dt><dd><p>This is the same as the <em class="parameter"><code>preexec close
     3790        </code></em> parameter except that the command is run as root.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>root preexec close</code></em> = no
    38043791</em></span>
    38053792</p></dd><dt><span class="term"><a name="SECURITY"></a>security (G)</span></dt><dd><p>This option affects how clients respond to
     
    38273814    is commonly used for a shared printer server. It is more difficult
    38283815    to setup guest shares with <span><strong class="command">security = user</strong></span>, see
    3829     the <a class="indexterm" name="id292166"></a>map to guestparameter for details.</p><p>It is possible to use <span><strong class="command">smbd</strong></span> in a <span class="emphasis"><em>
     3816    the <a class="indexterm" name="id292089"></a>map to guestparameter for details.</p><p>It is possible to use <span><strong class="command">smbd</strong></span> in a <span class="emphasis"><em>
    38303817    hybrid mode</em></span> where it is offers both user and share
    3831     level security under different <a class="indexterm" name="id292187"></a>NetBIOS aliases. </p><p>The different settings will now be explained.</p><p><a name="SECURITYEQUALSSHARE"></a><span class="emphasis"><em>SECURITY = SHARE</em></span></p><p>When clients connect to a share level security server they
     3818    level security under different <a class="indexterm" name="id292110"></a>NetBIOS aliases. </p><p>The different settings will now be explained.</p><p><a name="SECURITYEQUALSSHARE"></a><span class="emphasis"><em>SECURITY = SHARE</em></span></p><p>When clients connect to a share level security server they
    38323819    need not log onto the server with a valid username and password before
    38333820    attempting to connect to a shared resource (although modern clients
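Review bot: 3829/3816 renders "map to guestparameter" with the space missing after the link text, and 3830/3817 has "where it is offers both user and share level security". Suggest "map to guest parameter" and "where it offers", fixed in the DocBook source.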
     
    38423829    techniques to determine the correct UNIX user to use on behalf
    38433830    of the client.</p><p>A list of possible UNIX usernames to match with the given
    3844     client password is constructed using the following methods :</p><div class="itemizedlist"><ul type="disc"><li><p>If the <a class="indexterm" name="id292262"></a>guest only parameter is set, then all the other
    3845             stages are missed and only the <a class="indexterm" name="id292270"></a>guest account username is checked.
     3831    client password is constructed using the following methods :</p><div class="itemizedlist"><ul type="disc"><li><p>If the <a class="indexterm" name="id292185"></a>guest only parameter is set, then all the other
     3832            stages are missed and only the <a class="indexterm" name="id292193"></a>guest account username is checked.
    38463833            </p></li><li><p>Is a username is sent with the share connection
    3847             request, then this username (after mapping - see <a class="indexterm" name="id292284"></a>username map),
     3834            request, then this username (after mapping - see <a class="indexterm" name="id292208"></a>username map),
    38483835            is added as a potential username.
    38493836            </p></li><li><p>If the client did a previous <span class="emphasis"><em>logon
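Review bot: the second list item at 3846/3833 begins "Is a username is sent with the share connection request"; it should begin "If a username is sent". The neighbouring changed lines differ only in anchor ids, so this needs a source fix rather than a regeneration.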
     
    38543841            </p></li><li><p>The NetBIOS name of the client is added to
    38553842            the list as a potential username.
    3856             </p></li><li><p>Any users on the <a class="indexterm" name="id292325"></a>user list are added as potential usernames.
     3843            </p></li><li><p>Any users on the <a class="indexterm" name="id292248"></a>user list are added as potential usernames.
    38573844            </p></li></ul></div><p>If the <em class="parameter"><code>guest only</code></em> parameter is
    38583845    not set, then this list is then tried with the supplied password.
     
    38663853    NOTE ABOUT USERNAME/PASSWORD VALIDATION</a>.</p><p><a name="SECURITYEQUALSUSER"></a><span class="emphasis"><em>SECURITY = USER</em></span></p><p>This is the default security setting in Samba 3.0.
    38673854    With user-level security a client must first "log-on" with a
    3868     valid username and password (which can be mapped using the <a class="indexterm" name="id292394"></a>username map
    3869     parameter). Encrypted passwords (see the <a class="indexterm" name="id292402"></a>encrypted passwords parameter) can also
    3870     be used in this security mode. Parameters such as <a class="indexterm" name="id292409"></a>user and <a class="indexterm" name="id292416"></a>guest only if set      are then applied and
     3855    valid username and password (which can be mapped using the <a class="indexterm" name="id292317"></a>username map
     3856    parameter). Encrypted passwords (see the <a class="indexterm" name="id292325"></a>encrypted passwords parameter) can also
     3857    be used in this security mode. Parameters such as <a class="indexterm" name="id292332"></a>user and <a class="indexterm" name="id292340"></a>guest only if set      are then applied and
    38713858    may change the UNIX user to use on this connection, but only after
    38723859    the user has been successfully authenticated.</p><p><span class="emphasis"><em>Note</em></span> that the name of the resource being
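Review bot: 3869/3856 refers to the "encrypted passwords parameter", but the password level entry at 3233/3238 spells the setting "encrypt passwords = No". Suggest using one name throughout so readers search for the right parameter. The run of spaces in "guest only if set      are then applied" on 3870/3857 also suggests dropped punctuation or markup.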
     
    38743861    the server has successfully authenticated the client. This is why
    38753862    guest shares don't work in user level security without allowing
    3876     the server to automatically map unknown users into the <a class="indexterm" name="id292436"></a>guest account.
    3877     See the <a class="indexterm" name="id292443"></a>map to guest parameter for details on doing this.</p><p>See also the section <a href="#VALIDATIONSECT" title="NOTE ABOUT USERNAME/PASSWORD VALIDATION">NOTE ABOUT USERNAME/PASSWORD VALIDATION</a>.</p><p><a name="SECURITYEQUALSDOMAIN"></a><span class="emphasis"><em>SECURITY = DOMAIN</em></span></p><p>This mode will only work correctly if <a href="net.8.html"><span class="citerefentry"><span class="refentrytitle">net</span>(8)</span></a> has been used to add this
    3878     machine into a Windows NT Domain. It expects the <a class="indexterm" name="id292482"></a>encrypted passwords
     3863    the server to automatically map unknown users into the <a class="indexterm" name="id292359"></a>guest account.
     3864    See the <a class="indexterm" name="id292366"></a>map to guest parameter for details on doing this.</p><p>See also the section <a href="#VALIDATIONSECT" title="NOTE ABOUT USERNAME/PASSWORD VALIDATION">NOTE ABOUT USERNAME/PASSWORD VALIDATION</a>.</p><p><a name="SECURITYEQUALSDOMAIN"></a><span class="emphasis"><em>SECURITY = DOMAIN</em></span></p><p>This mode will only work correctly if <a href="net.8.html"><span class="citerefentry"><span class="refentrytitle">net</span>(8)</span></a> has been used to add this
     3865    machine into a Windows NT Domain. It expects the <a class="indexterm" name="id292405"></a>encrypted passwords
    38793866        parameter to be set to <code class="constant">yes</code>. In this
    38803867    mode Samba will try to validate the username/password by passing
     
    38903877    the server has successfully authenticated the client. This is why
    38913878    guest shares don't work in user level security without allowing
    3892     the server to automatically map unknown users into the <a class="indexterm" name="id292532"></a>guest account.
    3893     See the <a class="indexterm" name="id292539"></a>map to guest parameter for details on doing this.</p><p>See also the section <a href="#VALIDATIONSECT" title="NOTE ABOUT USERNAME/PASSWORD VALIDATION">
    3894     NOTE ABOUT USERNAME/PASSWORD VALIDATION</a>.</p><p>See also the <a class="indexterm" name="id292560"></a>password server parameter and
    3895          the <a class="indexterm" name="id292567"></a>encrypted passwords parameter.</p><p><a name="SECURITYEQUALSSERVER"></a><span class="emphasis"><em>SECURITY = SERVER</em></span></p><p>
     3879    the server to automatically map unknown users into the <a class="indexterm" name="id292455"></a>guest account.
     3880    See the <a class="indexterm" name="id292462"></a>map to guest parameter for details on doing this.</p><p>See also the section <a href="#VALIDATIONSECT" title="NOTE ABOUT USERNAME/PASSWORD VALIDATION">
     3881    NOTE ABOUT USERNAME/PASSWORD VALIDATION</a>.</p><p>See also the <a class="indexterm" name="id292483"></a>password server parameter and
     3882         the <a class="indexterm" name="id292490"></a>encrypted passwords parameter.</p><p><a name="SECURITYEQUALSSERVER"></a><span class="emphasis"><em>SECURITY = SERVER</em></span></p><p>
    38963883        In this mode Samba will try to validate the username/password by passing it to another SMB server, such as an
    38973884        NT box. If this fails it will revert to <span><strong class="command">security = user</strong></span>. It expects the
    3898         <a class="indexterm" name="id292594"></a>encrypted passwords parameter to be set to <code class="constant">yes</code>, unless the remote
     3885        <a class="indexterm" name="id292517"></a>encrypted passwords parameter to be set to <code class="constant">yes</code>, unless the remote
    38993886        server does not support them.  However note that if encrypted passwords have been negotiated then Samba cannot
    39003887        revert back to checking the UNIX password file, it must have a valid <code class="filename">smbpasswd</code> file to check users against. See the chapter about the User Database in
     
    39163903    the server has successfully authenticated the client. This is why
    39173904    guest shares don't work in user level security without allowing
    3918     the server to automatically map unknown users into the <a class="indexterm" name="id292651"></a>guest account.
    3919     See the <a class="indexterm" name="id292658"></a>map to guest parameter for details on doing this.</p><p>See also the section <a href="#VALIDATIONSECT" title="NOTE ABOUT USERNAME/PASSWORD VALIDATION">
    3920     NOTE ABOUT USERNAME/PASSWORD VALIDATION</a>.</p><p>See also the <a class="indexterm" name="id292680"></a>password server parameter and the
    3921         <a class="indexterm" name="id292687"></a>encrypted passwords parameter.</p><p><a name="SECURITYEQUALSADS"></a><span class="emphasis"><em>SECURITY = ADS</em></span></p><p>In this mode, Samba will act as a domain member in an ADS realm. To operate
     3905    the server to automatically map unknown users into the <a class="indexterm" name="id292579"></a>guest account.
     3906    See the <a class="indexterm" name="id292586"></a>map to guest parameter for details on doing this.</p><p>See also the section <a href="#VALIDATIONSECT" title="NOTE ABOUT USERNAME/PASSWORD VALIDATION">
     3907    NOTE ABOUT USERNAME/PASSWORD VALIDATION</a>.</p><p>See also the <a class="indexterm" name="id292607"></a>password server parameter and the
     3908        <a class="indexterm" name="id292614"></a>encrypted passwords parameter.</p><p><a name="SECURITYEQUALSADS"></a><span class="emphasis"><em>SECURITY = ADS</em></span></p><p>In this mode, Samba will act as a domain member in an ADS realm. To operate
    39223909                in this mode, the machine running Samba will need to have Kerberos installed
    39233910                and configured and Samba will need to be joined to the ADS realm using the
     
    39273914</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>security</code></em> = DOMAIN
    39283915</em></span>
     3916</p></dd><dt><span class="term"><a name="SECURITYMASK"></a>security mask (S)</span></dt><dd><p>
     3917        This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating the
     3918        UNIX permission on a file using the native NT security dialog box.
     3919        </p><p>
     3920        This parameter is applied as a mask (AND'ed with) to the changed permission bits, thus preventing any bits not
     3921        in this mask from being modified.  Make sure not to mix up this parameter with <a class="indexterm" name="id292695"></a>force  security mode, which works in a manner similar to this one but uses a logical OR instead of an AND.
     3922        </p><p>
     3923        Essentially, zero bits in this mask may be treated as a set of bits the user is not allowed to change.
     3924        </p><p>
     3925        If not set explicitly this parameter is 0777, allowing a user to modify all the user/group/world permissions on a file.
     3926    </p><p><span class="emphasis"><em>
     3927        Note</em></span> that users who can access the Samba server through other means can easily bypass this
     3928    restriction, so it is primarily useful for standalone "appliance" systems.  Administrators of
     3929        most normal systems will probably want to leave it set to <code class="constant">0777</code>.
     3930        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>security mask</code></em> = 0777
     3931</em></span>
     3932</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>security mask</code></em> = 0770
     3933</em></span>
    39293934</p></dd><dt><span class="term"><a name="SERVERSCHANNEL"></a>server schannel (G)</span></dt><dd><p>
    39303935        This controls whether the server offers or even demands the use of the netlogon schannel.
    3931         <a class="indexterm" name="id292762"></a>server schannel = no does not offer the schannel, <a class="indexterm" name="id292770"></a>server schannel = auto offers the schannel but does not enforce it, and <a class="indexterm" name="id292777"></a>server schannel = yes denies access if the client is not able to speak netlogon schannel.
     3936        <a class="indexterm" name="id292768"></a>server schannel = no does not offer the schannel, <a class="indexterm" name="id292776"></a>server schannel = auto offers the schannel but does not enforce it, and <a class="indexterm" name="id292783"></a>server schannel = yes denies access if the client is not able to speak netlogon schannel.
    39323937        This is only the case for Windows NT4 before SP4.
    39333938        </p><p>
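Review bot: In the server schannel text at new lines 3936-3937, "This is only the case for Windows NT4 before SP4" has no clear antecedent. It reads as if it refers to the client being unable to speak netlogon schannel, so say that explicitly, for example "Only Windows NT4 before SP4 is unable to do so." The only change on 3936 is the regenerated indexterm ids, so the wording can be fixed in the DocBook source in the same pass.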
     
    39933998        they are simulated using shared memory, or lock files if your
    39943999        UNIX doesn't support shared memory (almost all do).</p><p>The share modes that are enabled by this option are
    3995         <code class="constant">DENY_DOS</code>, <code class="constant">DENY_ALL</code>,
     4000         <code class="constant">DENY_DOS</code>, <code class="constant">DENY_ALL</code>,
    39964001        <code class="constant">DENY_READ</code>, <code class="constant">DENY_WRITE</code>,
    39974002        <code class="constant">DENY_NONE</code> and <code class="constant">DENY_FCB</code>.
     
    40024007</p></dd><dt><span class="term"><a name="SHORTPRESERVECASE"></a>short preserve case (S)</span></dt><dd><p>
    40034008        This boolean parameter controls if new files which conform to 8.3 syntax, that is all in upper case and of
    4004         suitable length, are created upper case, or if they are forced to be the <a class="indexterm" name="id293312"></a>default case.
    4005         This  option can be use with <a class="indexterm" name="id293319"></a>preserve case = yes to permit long filenames
     4009        suitable length, are created upper case, or if they are forced to be the <a class="indexterm" name="id293318"></a>default case.
     4010        This  option can be use with <a class="indexterm" name="id293325"></a>preserve case = yes to permit long filenames
    40064011        to retain their case, while short names are lowered.
    40074012        </p><p>See the section on <a href="#NAMEMANGLINGSECT" title="NAME MANGLING">NAME MANGLING</a>.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>short preserve case</code></em> = yes
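Review bot: New line 4010 still carries the typo "This option can be use with"; it should read "can be used with". The line is being regenerated only for its indexterm id, so correct the source text rather than carrying the typo forward.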
     
    40264031</em></span>
    40274032</p></dd><dt><span class="term"><a name="SHUTDOWNSCRIPT"></a>shutdown script (G)</span></dt><dd><p>This a full path name to a script called by
    4028         <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> that should
     4033         <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> that should
    40294034        start a shutdown procedure.</p><p>If the connected user posseses the <code class="constant">SeRemoteShutdownPrivilege</code>,
    40304035        right, this command will be run as user.</p><p>The %z %t %r %f variables are expanded as follows:</p><div class="itemizedlist"><ul type="disc"><li><p><em class="parameter"><code>%z</code></em> will be substituted with the
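Review bot: The shutdown script description around new lines 4032-4035 has three wording errors that survive this regeneration: "This a full path name" is missing "is", "posseses" should be "possesses", and there is a stray comma between "SeRemoteShutdownPrivilege" and "right". Since "this command will be run as user" describes which account executes the script, it is also worth spelling out that this means the connected user.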
     
    41034108        If this parameter is set Samba attempts to first read DOS attributes (SYSTEM, HIDDEN, ARCHIVE or
    41044109        READ-ONLY) from a filesystem extended attribute, before mapping DOS attributes to UNIX permission bits (such
    4105         as occurs with <a class="indexterm" name="id293921"></a>map hidden and <a class="indexterm" name="id293928"></a>map readonly).  When set, DOS
     4110        as occurs with <a class="indexterm" name="id293927"></a>map hidden and <a class="indexterm" name="id293934"></a>map readonly).  When set, DOS
    41064111        attributes will be stored onto an extended attribute in the UNIX filesystem, associated with the file or
    4107         directory.  For no other mapping to occur as a fall-back, the parameters <a class="indexterm" name="id293937"></a>map hidden,
    4108         <a class="indexterm" name="id293944"></a>map system, <a class="indexterm" name="id293951"></a>map archive and <a class="indexterm" name="id293958"></a>map  readonly must be set to off.  This parameter writes the DOS attributes as a string into the extended
     4112        directory.  For no other mapping to occur as a fall-back, the parameters <a class="indexterm" name="id293943"></a>map hidden,
     4113        <a class="indexterm" name="id293950"></a>map system, <a class="indexterm" name="id293957"></a>map archive and <a class="indexterm" name="id293964"></a>map  readonly must be set to off.  This parameter writes the DOS attributes as a string into the extended
    41094114        attribute named "user.DOSATTRIB". This extended attribute is explicitly hidden from smbd clients requesting an
    41104115        EA list. On Linux the filesystem must have been mounted with the mount option user_xattr in order for
     
    41364141        </p><p>
    41374142        Well-behaved clients always ask for lock checks when it is important.  So in the vast majority of cases,
    4138         <span><strong class="command">strict locking = Auto</strong></span> or
    4139         <span><strong class="command">strict locking = no</strong></span> is acceptable.
     4143         <span><strong class="command">strict locking = Auto</strong></span> or
     4144         <span><strong class="command">strict locking = no</strong></span> is acceptable.
    41404145        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>strict locking</code></em> = Auto
    41414146</em></span>
     
    41784183    any affect.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>sync always</code></em> = no
    41794184</em></span>
    4180 </p></dd><dt><span class="term"><a name="SYSLOGONLY"></a>syslog only (G)</span></dt><dd><p>
    4181     If this parameter is set then Samba debug messages are logged into the system
    4182     syslog only, and not to the debug log files.
    4183     </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>syslog only</code></em> = no
    4184 </em></span>
    41854185</p></dd><dt><span class="term"><a name="SYSLOG"></a>syslog (G)</span></dt><dd><p>
    41864186    This parameter maps how Samba debug messages are logged onto the system syslog logging levels.
     
    41934193    </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>syslog</code></em> = 1
    41944194</em></span>
     4195</p></dd><dt><span class="term"><a name="SYSLOGONLY"></a>syslog only (G)</span></dt><dd><p>
     4196    If this parameter is set then Samba debug messages are logged into the system
     4197    syslog only, and not to the debug log files.
     4198    </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>syslog only</code></em> = no
     4199</em></span>
    41954200</p></dd><dt><span class="term"><a name="TEMPLATEHOMEDIR"></a>template homedir (G)</span></dt><dd><p>When filling out the user information for a Windows NT
    41964201        user, the <a href="winbindd.8.html"><span class="citerefentry"><span class="refentrytitle">winbindd</span>(8)</span></a> daemon  uses this
     
    42484253        in the smbpasswd file this parameter should be set to <code class="constant">no</code>.
    42494254        </p><p>
    4250         In order for this parameter to be operative the <a class="indexterm" name="id294717"></a>encrypt passwords parameter must
    4251     be set to <code class="constant">no</code>. The default value of <a class="indexterm" name="id294728"></a>encrypt  passwords = Yes. Note: This must be set to <code class="constant">no</code> for this <a class="indexterm" name="id294739"></a>update encrypted to work.
     4255        In order for this parameter to be operative the <a class="indexterm" name="id294723"></a>encrypt passwords parameter must
     4256    be set to <code class="constant">no</code>. The default value of <a class="indexterm" name="id294734"></a>encrypt  passwords = Yes. Note: This must be set to <code class="constant">no</code> for this <a class="indexterm" name="id294745"></a>update encrypted to work.
    42524257        </p><p>
    42534258        Note that even when this parameter is set a user authenticating to <span><strong class="command">smbd</strong></span>
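Review bot: New line 4256 states the same requirement twice: the sentence ending on that line says encrypt passwords must be set to no, and the trailing "Note: This must be set to no for this update encrypted to work" repeats it. Drop the note, or fold it into one sentence that also gives the default (encrypt passwords = Yes), so the reader does not have to work out what "This" refers to.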
     
    43024307    </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>use mmap</code></em> = yes
    43034308</em></span>
     4309</p></dd><dt><span class="term"><a name="USER"></a>user</span></dt><dd><p>This parameter is a synonym for username.</p></dd><dt><span class="term"><a name="USERS"></a>users</span></dt><dd><p>This parameter is a synonym for username.</p></dd><dt><span class="term"><a name="USERNAME"></a>username (S)</span></dt><dd><p>Multiple users may be specified in a comma-delimited
     4310    list, in which case the supplied password will be tested against
     4311    each username in turn (left to right).</p><p>The <em class="parameter"><code>username</code></em> line is needed only when
     4312    the PC is unable to supply its own username. This is the case
     4313    for the COREPLUS protocol or where your users have different WfWg
     4314    usernames to UNIX usernames. In both these cases you may also be
     4315    better using the \\server\share%user syntax instead.</p><p>The <em class="parameter"><code>username</code></em> line is not a great
     4316    solution in many cases as it means Samba will try to validate
     4317    the supplied password against each of the usernames in the
     4318    <em class="parameter"><code>username</code></em> line in turn. This is slow and
     4319    a bad idea for lots of users in case of duplicate passwords.
     4320    You may get timeouts or security breaches using this parameter
     4321    unwisely.</p><p>Samba relies on the underlying UNIX security. This
     4322    parameter does not restrict who can login, it just offers hints
     4323    to the Samba server as to what usernames might correspond to the
     4324    supplied password. Users can login as whoever they please and
     4325    they will be able to do no more damage than if they started a
     4326    telnet session. The daemon runs as the user that they log in as,
     4327    so they cannot do anything that user cannot do.</p><p>To restrict a service to a particular set of users you
     4328    can use the <a class="indexterm" name="id295039"></a>valid users parameter.</p><p>If any of the usernames begin with a '@' then the name
     4329    will be looked up first in the NIS netgroups list (if Samba
     4330    is compiled with netgroup support), followed by a lookup in
     4331    the UNIX groups database and will expand to a list of all users
     4332    in the group of that name.</p><p>If any of the usernames begin with a '+' then the name
     4333    will be looked up only in the UNIX groups database and will
     4334    expand to a list of all users in the group of that name.</p><p>If any of the usernames begin with a '&amp;' then the name
     4335    will be looked up only in the NIS netgroups database (if Samba
     4336    is compiled with netgroup support) and will expand to a list
     4337    of all users in the netgroup group of that name.</p><p>Note that searching though a groups database can take
     4338    quite some time, and some clients may time out during the
     4339    search.</p><p>See the section <a href="#VALIDATIONSECT" title="NOTE ABOUT USERNAME/PASSWORD VALIDATION">NOTE ABOUT
     4340        USERNAME/PASSWORD VALIDATION</a> for more information on how
     4341        this parameter determines access to the services.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>username</code></em> =
     4342# The guest account if a guest service,
     4343                else &lt;empty string&gt;.
     4344</em></span>
     4345</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>username</code></em> = fred, mary, jack, jane, @users, @pcgroup
     4346</em></span>
    43044347</p></dd><dt><span class="term"><a name="USERNAMELEVEL"></a>username level (G)</span></dt><dd><p>This option helps Samba to try and 'guess' at
    43054348    the real UNIX username, as many DOS clients send an all-uppercase
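Review bot: The relocated username text is moved verbatim, so new line 4337 still says "searching though a groups database" where "through" is meant. While this block is being touched, the warning at 4320-4321 ("You may get timeouts or security breaches using this parameter unwisely") would be more useful if it named the cause already given at 4310-4311 and 4316-4319: the supplied password is tested against every listed username in turn, so a duplicate password can match an account other than the intended one. The pointer to valid users at 4327-4328 could then follow that sentence directly.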
     
    43174360</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>username level</code></em> = 5
    43184361</em></span>
    4319 </p></dd><dt><span class="term"><a name="USERNAMEMAPSCRIPT"></a>username map script (G)</span></dt><dd><p>This script is a mutually exclusive alternative to the
    4320         <a class="indexterm" name="id295014"></a>username map parameter.  This parameter
    4321         specifies and external program or script that must accept a single
    4322         command line option (the username transmitted in the authentication
    4323         request) and return a line line on standard output (the name to which
    4324         the account should mapped).  In this way, it is possible to store
    4325         username map tables in an LDAP or NIS directory services.
    4326         </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>username map script</code></em> =
    4327 </em></span>
    4328 </p><p>Example: <span class="emphasis"><em><em class="parameter"><code>username map script</code></em> = /etc/samba/scripts/mapusers.sh
    4329 </em></span>
    43304362</p></dd><dt><span class="term"><a name="USERNAMEMAP"></a>username map (G)</span></dt><dd><p>
    43314363        This option allows you to specify a file containing a mapping of usernames from the clients to the server.
     
    43844416        <code class="constant">fred</code> is remapped to <code class="constant">mary</code> then you will actually be connecting to
    43854417        \\server\mary and will need to supply a password suitable for <code class="constant">mary</code> not
    4386         <code class="constant">fred</code>. The only exception to this is the username passed to the <a class="indexterm" name="id295207"></a>password server (if you have one). The password server will receive whatever username the client
     4418        <code class="constant">fred</code>. The only exception to this is the username passed to the <a class="indexterm" name="id295325"></a>password server (if you have one). The password server will receive whatever username the client
    43874419        supplies without  modification.
    43884420    </p><p>
     
    44114443# no username map
    44124444</em></span>
    4413 </p></dd><dt><span class="term"><a name="USER"></a>user</span></dt><dd><p>This parameter is a synonym for username.</p></dd><dt><span class="term"><a name="USERS"></a>users</span></dt><dd><p>This parameter is a synonym for username.</p></dd><dt><span class="term"><a name="USERNAME"></a>username (S)</span></dt><dd><p>Multiple users may be specified in a comma-delimited
    4414     list, in which case the supplied password will be tested against
    4415     each username in turn (left to right).</p><p>The <em class="parameter"><code>username</code></em> line is needed only when
    4416     the PC is unable to supply its own username. This is the case
    4417     for the COREPLUS protocol or where your users have different WfWg
    4418     usernames to UNIX usernames. In both these cases you may also be
    4419     better using the \\server\share%user syntax instead.</p><p>The <em class="parameter"><code>username</code></em> line is not a great
    4420     solution in many cases as it means Samba will try to validate
    4421     the supplied password against each of the usernames in the
    4422     <em class="parameter"><code>username</code></em> line in turn. This is slow and
    4423     a bad idea for lots of users in case of duplicate passwords.
    4424     You may get timeouts or security breaches using this parameter
    4425     unwisely.</p><p>Samba relies on the underlying UNIX security. This
    4426     parameter does not restrict who can login, it just offers hints
    4427     to the Samba server as to what usernames might correspond to the
    4428     supplied password. Users can login as whoever they please and
    4429     they will be able to do no more damage than if they started a
    4430     telnet session. The daemon runs as the user that they log in as,
    4431     so they cannot do anything that user cannot do.</p><p>To restrict a service to a particular set of users you
    4432     can use the <a class="indexterm" name="id295368"></a>valid users parameter.</p><p>If any of the usernames begin with a '@' then the name
    4433     will be looked up first in the NIS netgroups list (if Samba
    4434     is compiled with netgroup support), followed by a lookup in
    4435     the UNIX groups database and will expand to a list of all users
    4436     in the group of that name.</p><p>If any of the usernames begin with a '+' then the name
    4437     will be looked up only in the UNIX groups database and will
    4438     expand to a list of all users in the group of that name.</p><p>If any of the usernames begin with a '&amp;' then the name
    4439     will be looked up only in the NIS netgroups database (if Samba
    4440     is compiled with netgroup support) and will expand to a list
    4441     of all users in the netgroup group of that name.</p><p>Note that searching though a groups database can take
    4442     quite some time, and some clients may time out during the
    4443     search.</p><p>See the section <a href="#VALIDATIONSECT" title="NOTE ABOUT USERNAME/PASSWORD VALIDATION">NOTE ABOUT
    4444         USERNAME/PASSWORD VALIDATION</a> for more information on how
    4445         this parameter determines access to the services.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>username</code></em> =
    4446 # The guest account if a guest service,
    4447                 else &lt;empty string&gt;.
    4448 </em></span>
    4449 </p><p>Example: <span class="emphasis"><em><em class="parameter"><code>username</code></em> = fred, mary, jack, jane, @users, @pcgroup
     4445</p></dd><dt><span class="term"><a name="USERNAMEMAPSCRIPT"></a>username map script (G)</span></dt><dd><p>This script is a mutually exclusive alternative to the
     4446        <a class="indexterm" name="id295402"></a>username map parameter.  This parameter
     4447        specifies and external program or script that must accept a single
     4448        command line option (the username transmitted in the authentication
     4449        request) and return a line line on standard output (the name to which
     4450        the account should mapped).  In this way, it is possible to store
     4451        username map tables in an LDAP or NIS directory services.
     4452        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>username map script</code></em> =
     4453</em></span>
     4454</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>username map script</code></em> = /etc/samba/scripts/mapusers.sh
    44504455</em></span>
    44514456</p></dd><dt><span class="term"><a name="USERSHAREALLOWGUESTS"></a>usershare allow guests (G)</span></dt><dd><p>This parameter controls whether user defined shares are allowed
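Review bot: The re-added username map script text at new lines 4447-4450 keeps three typos: "specifies and external program" (should be "an"), "return a line line on standard output" (duplicated word), and "the account should mapped" (missing "be"). The description also says the script receives "the username transmitted in the authentication request" as its single command line option but does not say that this value comes from the client; one sentence telling script authors to treat the argument as untrusted input would help anyone writing something like the /etc/samba/scripts/mapusers.sh shown in the example.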
     
    45554560        disabled.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>use spnego</code></em> = yes
    45564561</em></span>
     4562</p></dd><dt><span class="term"><a name="UTMP"></a>utmp (G)</span></dt><dd><p>
     4563        This boolean parameter is only available if Samba has been configured and compiled 
     4564        with the option <span><strong class="command">--with-utmp</strong></span>. If set to
     4565         <code class="constant">yes</code> then Samba will attempt to add utmp or utmpx records
     4566        (depending on the UNIX system) whenever a connection is made to a Samba server.
     4567        Sites may use this to record the user connecting to a Samba share.
     4568        </p><p>
     4569        Due to the requirements of the utmp record, we  are required to create a unique
     4570        identifier for the incoming user.  Enabling this option creates an n^2  algorithm
     4571        to find this number.  This may impede performance on large installations.
     4572        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>utmp</code></em> = no
     4573</em></span>
    45574574</p></dd><dt><span class="term"><a name="UTMPDIRECTORY"></a>utmp directory (G)</span></dt><dd><p>This parameter is only available if Samba has
    45584575        been configured and compiled with the option <span><strong class="command">
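Review bot: At new lines 4570-4571, "Enabling this option creates an n^2 algorithm to find this number" never says what n is, so an administrator cannot judge whether "large installations" applies to them. State the quantity the cost scales with, and fix the doubled spaces in "we  are required" and "n^2  algorithm" in the source while the paragraph is being moved.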
     
    45674584</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>utmp directory</code></em> = /var/run/utmp
    45684585</em></span>
    4569 </p></dd><dt><span class="term"><a name="UTMP"></a>utmp (G)</span></dt><dd><p>
    4570         This boolean parameter is only available if Samba has been configured and compiled 
    4571         with the option <span><strong class="command">--with-utmp</strong></span>. If set to
    4572         <code class="constant">yes</code> then Samba will attempt to add utmp or utmpx records
    4573         (depending on the UNIX system) whenever a connection is made to a Samba server.
    4574         Sites may use this to record the user connecting to a Samba share.
    4575         </p><p>
    4576         Due to the requirements of the utmp record, we  are required to create a unique
    4577         identifier for the incoming user.  Enabling this option creates an n^2  algorithm
    4578         to find this number.  This may impede performance on large installations.
    4579         </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>utmp</code></em> = no
     4586</p></dd><dt><span class="term"><a name="-VALID"></a>-valid (S)</span></dt><dd><p> This parameter indicates whether a share is
     4587        valid and thus can be used. When this parameter is set to false,
     4588        the share will be in no way visible nor accessible.
     4589        </p><p>
     4590        This option should not be
     4591        used by regular users but might be of help to developers.
     4592        Samba uses this option internally to mark shares as deleted.
     4593        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>-valid</code></em> = yes
    45804594</em></span>
    45814595</p></dd><dt><span class="term"><a name="VALIDUSERS"></a>valid users (S)</span></dt><dd><p>
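Review bot: The -valid description is inconsistent about the boolean value: new line 4587 says "When this parameter is set to false" while the default at 4593 is written "-valid = yes". Use "no" in the prose so it matches the yes/no form of the default. "will be in no way visible nor accessible" at 4588 also reads better as "will be neither visible nor accessible".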
     
    45954609</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>valid users</code></em> = greg, @pcusers
    45964610</em></span>
    4597 </p></dd><dt><span class="term"><a name="-VALID"></a>-valid (S)</span></dt><dd><p> This parameter indicates whether a share is
    4598         valid and thus can be used. When this parameter is set to false,
    4599         the share will be in no way visible nor accessible.
    4600         </p><p>
    4601         This option should not be
    4602         used by regular users but might be of help to developers.
    4603         Samba uses this option internally to mark shares as deleted.
    4604         </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>-valid</code></em> = yes
    4605 </em></span>
    46064611</p></dd><dt><span class="term"><a name="VETOFILES"></a>veto files (S)</span></dt><dd><p>
    46074612        This is a list of files and directories that are neither visible nor accessible.  Each entry in
     
    46124617        unix directory  separator '/'.
    46134618        </p><p>
    4614         Note that the <a class="indexterm" name="id296109"></a>case sensitive option is applicable in vetoing files.
     4619        Note that the <a class="indexterm" name="id296108"></a>case sensitive option is applicable in vetoing files.
    46154620        </p><p>
    46164621        One feature of the veto files parameter that it is important to be aware of is Samba's behaviour when
    46174622        trying to delete a directory. If a directory that is to be deleted contains nothing but veto files this
    4618         deletion will <span class="emphasis"><em>fail</em></span> unless you also set the <a class="indexterm" name="id296126"></a>delete veto files
     4623        deletion will <span class="emphasis"><em>fail</em></span> unless you also set the <a class="indexterm" name="id296124"></a>delete veto files
    46194624        parameter to <em class="parameter"><code>yes</code></em>.
    46204625        </p><p>
     
    46364641</em></span>
    46374642</p></dd><dt><span class="term"><a name="VETOOPLOCKFILES"></a>veto oplock files (S)</span></dt><dd><p>
    4638         This parameter is only valid when the <a class="indexterm" name="id296189"></a>oplocks
     4643        This parameter is only valid when the <a class="indexterm" name="id296187"></a>oplocks
    46394644        parameter is turned on for a share. It allows the Samba administrator
    46404645        to selectively turn off the granting of oplocks on selected files that
    46414646        match a wildcarded list, similar to the wildcarded list used in the
    4642         <a class="indexterm" name="id296197"></a>veto files parameter.
     4647        <a class="indexterm" name="id296196"></a>veto files parameter.
    46434648        </p><p>
    46444649        You might want to do this on files that you know will be heavily contended
     
    46814686        again.</p><p>
    46824687        This does not apply to authentication requests, these are always
    4683         evaluated in real time unless the <a class="indexterm" name="id296416"></a>winbind   offline logon option has been enabled.
     4688        evaluated in real time unless the <a class="indexterm" name="id296414"></a>winbind   offline logon option has been enabled.
    46844689        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>winbind cache time</code></em> = 300
    46854690</em></span>
     
    46944699</p></dd><dt><span class="term"><a name="WINBINDENUMUSERS"></a>winbind enum users (G)</span></dt><dd><p>On large installations using <a href="winbindd.8.html"><span class="citerefentry"><span class="refentrytitle">winbindd</span>(8)</span></a> it may be
    46954700        necessary to suppress the enumeration of users through the <span><strong class="command">setpwent()</strong></span>,
    4696         <span><strong class="command">getpwent()</strong></span> and
    4697         <span><strong class="command">endpwent()</strong></span> group of system calls.  If
     4701         <span><strong class="command">getpwent()</strong></span> and
     4702         <span><strong class="command">endpwent()</strong></span> group of system calls.  If
    46984703        the <em class="parameter"><code>winbind enum users</code></em> parameter is
    4699         <code class="constant">no</code>, calls to the <span><strong class="command">getpwent</strong></span> system call
     4704         <code class="constant">no</code>, calls to the <span><strong class="command">getpwent</strong></span> system call
    47004705        will not return any data. </p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>Turning off user
    47014706        enumeration may cause some programs to behave oddly.  For
     
    47784783        </p><p>
    47794784        This parameter is not deprecated in favor of the newer idmap_nss backend.
    4780         Refer to the <a class="indexterm" name="id296986"></a>idmap domains smb.conf option and
     4785        Refer to the <a class="indexterm" name="id296984"></a>idmap domains smb.conf option and
    47814786        the <a href="idmap_nss.8.html"><span class="citerefentry"><span class="refentrytitle">idmap_nss</span>(8)</span></a> man page for more information.
    47824787        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>winbind trusted domains only</code></em> = no
    47834788</em></span>
    47844789</p></dd><dt><span class="term"><a name="WINBINDUSEDEFAULTDOMAIN"></a>winbind use default domain (G)</span></dt><dd><p>This parameter specifies whether the
    4785         <a href="winbindd.8.html"><span class="citerefentry"><span class="refentrytitle">winbindd</span>(8)</span></a> daemon should operate on users 
     4790         <a href="winbindd.8.html"><span class="citerefentry"><span class="refentrytitle">winbindd</span>(8)</span></a> daemon should operate on users 
    47864791        without domain component in their username. Users without a domain
    47874792        component are treated as is part of the winbindd server's own
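Review bot: Context line 4784 says "This parameter is not deprecated in favor of the newer idmap_nss backend", which contradicts itself: something cannot be "not deprecated in favor of" a replacement, and the next sentence sends the reader to idmap domains and idmap_nss(8). This looks like a typo for "now deprecated"; please confirm against the DocBook source and correct it there, since the present wording tells administrators the opposite. "are treated as is part of" at 4792 also looks like it should read "as if part of".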
     
    48454850        appear to be in when queried by clients. Note that this parameter
    48464851        also controls the Domain name used with
    4847         the <a class="indexterm" name="id297376"></a>security = domain
     4852        the <a class="indexterm" name="id297374"></a>security = domain
    48484853                setting.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>workgroup</code></em> = WORKGROUP
    48494854</em></span>
    48504855</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>workgroup</code></em> = MYGROUP
    48514856</em></span>
    4852 </p></dd><dt><span class="term"><a name="WRITABLE"></a>writable</span></dt><dd><p>This parameter is a synonym for writeable.</p></dd><dt><span class="term"><a name="WRITEABLE"></a>writeable (S)</span></dt><dd><p>Inverted synonym for <a class="indexterm" name="id297449"></a>read only.</p><p><span class="emphasis"><em>No default</em></span></p></dd><dt><span class="term"><a name="WRITECACHESIZE"></a>write cache size (S)</span></dt><dd><p>If this integer parameter is set to non-zero value,
     4857</p></dd><dt><span class="term"><a name="WRITABLE"></a>writable</span></dt><dd><p>This parameter is a synonym for writeable.</p></dd><dt><span class="term"><a name="WRITEABLE"></a>writeable (S)</span></dt><dd><p>Inverted synonym for <a class="indexterm" name="id297447"></a>read only.</p><p><span class="emphasis"><em>No default</em></span></p></dd><dt><span class="term"><a name="WRITECACHESIZE"></a>write cache size (S)</span></dt><dd><p>If this integer parameter is set to non-zero value,
    48534858    Samba will create an in-memory cache for each oplocked file
    48544859    (it does <span class="emphasis"><em>not</em></span> do this for
     
    48714876    This is a list of users that are given read-write access to a service. If the
    48724877    connecting user is in this list then they will be given write access, no matter
    4873     what the <a class="indexterm" name="id297549"></a>read only option is set to. The list can
     4878    what the <a class="indexterm" name="id297544"></a>read only option is set to. The list can
    48744879    include group names using the @group syntax.
    48754880    </p><p>
     
    48784883    </p><p>
    48794884    By design, this parameter will not work with the
    4880     <a class="indexterm" name="id297565"></a>security = share in Samba 3.0.
     4885    <a class="indexterm" name="id297560"></a>security = share in Samba 3.0.
    48814886    </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>write list</code></em> =
    48824887</em></span>
     
    48994904</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>wtmp directory</code></em> = /var/log/wtmp
    49004905</em></span>
    4901 </p></dd></dl></div></div><div class="refsect1" lang="en"><a name="id297698"></a><h2>WARNINGS</h2><p>
     4906</p></dd></dl></div></div><div class="refsect1" lang="en"><a name="id297693"></a><h2>WARNINGS</h2><p>
    49024907        Although the configuration file permits service names to contain spaces, your client software may not.
    49034908        Spaces will be ignored in comparisons anyway, so it shouldn't be a problem - but be aware of the possibility.
     
    49124917        care when designing these sections. In particular, ensure that the permissions on spool directories are
    49134918        correct.
    4914         </p></div><div class="refsect1" lang="en"><a name="id297741"></a><h2>VERSION</h2><p>This man page is correct for version 3.0 of the Samba suite.</p></div><div class="refsect1" lang="en"><a name="id297752"></a><h2>SEE ALSO</h2><p>
    4915         <a href="samba.7.html"><span class="citerefentry"><span class="refentrytitle">samba</span>(7)</span></a>, <a href="smbpasswd.8.html"><span class="citerefentry"><span class="refentrytitle">smbpasswd</span>(8)</span></a>, <a href="swat.8.html"><span class="citerefentry"><span class="refentrytitle">swat</span>(8)</span></a>, <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a>, <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a>, <a href="smbclient.1.html"><span class="citerefentry"><span class="refentrytitle">smbclient</span>(1)</span></a>, <a href="nmblookup.1.html"><span class="citerefentry"><span class="refentrytitle">nmblookup</span>(1)</span></a>, <a href="testparm.1.html"><span class="citerefentry"><span class="refentrytitle">testparm</span>(1)</span></a>, <a href="testprns.1.html"><span class="citerefentry"><span class="refentrytitle">testprns</span>(1)</span></a>.</p></div><div class="refsect1" lang="en"><a name="id297831"></a><h2>AUTHOR</h2><p>
     4919        </p></div><div class="refsect1" lang="en"><a name="id297736"></a><h2>VERSION</h2><p>This man page is correct for version 3.0 of the Samba suite.</p></div><div class="refsect1" lang="en"><a name="id297747"></a><h2>SEE ALSO</h2><p>
     4920        <a href="samba.7.html"><span class="citerefentry"><span class="refentrytitle">samba</span>(7)</span></a>, <a href="smbpasswd.8.html"><span class="citerefentry"><span class="refentrytitle">smbpasswd</span>(8)</span></a>, <a href="swat.8.html"><span class="citerefentry"><span class="refentrytitle">swat</span>(8)</span></a>, <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a>, <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a>, <a href="smbclient.1.html"><span class="citerefentry"><span class="refentrytitle">smbclient</span>(1)</span></a>, <a href="nmblookup.1.html"><span class="citerefentry"><span class="refentrytitle">nmblookup</span>(1)</span></a>, <a href="testparm.1.html"><span class="citerefentry"><span class="refentrytitle">testparm</span>(1)</span></a>, <a href="testprns.1.html"><span class="citerefentry"><span class="refentrytitle">testprns</span>(1)</span></a>.</p></div><div class="refsect1" lang="en"><a name="id297826"></a><h2>AUTHOR</h2><p>
    49164921        The original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed
    49174922        by the Samba Team as an Open Source project similar to the way the Linux kernel is developed.
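Review bot: The section anchors on the VERSION, SEE ALSO and AUTHOR headings are renumbered here (id297741 to id297736, id297752 to id297747, id297831 to id297826), so any existing link to those fragments stops resolving after this update. Giving these sections explicit ids in the source would keep the anchor names fixed across regenerations.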