Timestamp:
Apr 25, 2007, 9:44:55 AM (14 years ago)
Author:
Paul Smedley
Message:

Code updated to Samba 3.0.25rc2 level

File:
1 edited

  • trunk/samba/docs/manpages/smb.conf.5

    r26 r30  
    2424
    2525.PP
    26 The \fIsmb\&.conf\fR file is a configuration file for the Samba suite\&. \fIsmb\&.conf\fR contains runtime configuration information for the Samba programs\&. The\fIsmb\&.conf\fR file is designed to be configured and administered by the\fBswat\fR(8) program\&. The complete description of the file format and possible parameters held within are here for reference purposes\&.
     26The \fIsmb\&.conf\fR file is a configuration file for the Samba suite\&. \fIsmb\&.conf\fR contains runtime configuration information for the Samba programs\&. The \fIsmb\&.conf\fR file is designed to be configured and administered by the \fBswat\fR(8) program\&. The complete description of the file format and possible parameters held within are here for reference purposes\&.
    2727
    2828.SH "FILE FORMAT"
     
    6262
    6363.PP
    64 There are three special sections, [global], [homes] and [printers], which are described under\fBspecial sections\fR\&. The following notes apply to ordinary section descriptions\&.
     64There are three special sections, [global], [homes] and [printers], which are described under \fBspecial sections\fR\&. The following notes apply to ordinary section descriptions\&.
    6565
    6666.PP
     
    509509.TP
    510510acl group control (S)
    511 In a POSIX filesystem, only the owner of a file or directory and the superuser can modify the permissions and ACLs on a file\&. If this parameter is set, then Samba overrides this restriction, and also allows the\fBprimary group owner\fR of a file or directory to modify the permissions and ACLs on that file\&.
     511In a POSIX filesystem, only the owner of a file or directory and the superuser can modify the permissions and ACLs on a file\&. If this parameter is set, then Samba overrides this restriction, and also allows the \fBprimary group owner\fR of a file or directory to modify the permissions and ACLs on that file\&.
    512512
    513513On a Windows server, groups may be the owner of a file or directory \- thus allowing anyone in that group to modify the permissions on it\&. This allows the delegation of security controls on a point in the filesystem to the group owner of a directory and anything below it also owned by that group\&. This means there are multiple people with permissions to modify ACLs on a file or directory, easing managability\&.
     
    537537.TP
    538538add machine script (G)
    539 This is the full pathname to a script that will be run by\fBsmbd\fR(8) when a machine is added to Samba's domain and a Unix account matching the machine's name appended with a "$" does not already exist\&.
     539This is the full pathname to a script that will be run by \fBsmbd\fR(8) when a machine is added to Samba's domain and a Unix account matching the machine's name appended with a "$" does not already exist\&.
    540540
    541541This option is very similar to the add user script, and likewise uses the %u substitution for the account name\&. Do not use the %m substitution\&.
     
    643643This is the full pathname to a script that will be run \fBAS ROOT\fR by\fBsmbd\fR(8) under special circumstances described below\&.
    644644
    645 Normally, a Samba server requires that UNIX users are created for all users accessing files on this server\&. For sites that use Windows NT account databases as their primary user database creating these users and keeping the user list in sync with the Windows NT PDC is an onerous task\&. This option allows smbd to create the required UNIX users\fBON DEMAND\fR when a user accesses the Samba server\&.
     645Normally, a Samba server requires that UNIX users are created for all users accessing files on this server\&. For sites that use Windows NT account databases as their primary user database creating these users and keeping the user list in sync with the Windows NT PDC is an onerous task\&. This option allows smbd to create the required UNIX users \fBON DEMAND\fR when a user accesses the Samba server\&.
    646646
    647647In order to use this option, \fBsmbd\fR(8) must \fBNOT\fR be set tosecurity = share and add user script must be set to a full pathname for a script that will create a UNIX user given one argument of\fI%u\fR, which expands into the UNIX user name to create\&.
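Review bot: the missing-space defect fixed on the "ON DEMAND" line is still present on the unchanged context lines of this same paragraph: "\fBAS ROOT\fR by\fBsmbd\fR(8)", "set tosecurity = share" and "given one argument of\fI%u\fR" all lack the space before the escape or the parameter name. Since the paragraph is already in the hunk, fix those three in the same change.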
     
    719719.TP
    720720allow trusted domains (G)
    721 This option only takes effect when the security option is set to \fBserver\fR,\fBdomain\fR or \fBads\fR\&. If it is set to no, then attempts to connect to a resource from a domain or workgroup other than the one which smbd is running in will fail, even if that domain is trusted by the remote server doing the authentication\&.
     721This option only takes effect when the security option is set to \fBserver\fR, \fBdomain\fR or \fBads\fR\&. If it is set to no, then attempts to connect to a resource from a domain or workgroup other than the one which smbd is running in will fail, even if that domain is trusted by the remote server doing the authentication\&.
    722722
    723723This is useful if you only want your Samba server to serve resources to users in the domain it is a member of\&. As an example, suppose that there are two domains DOMA and DOMB\&. DOMB is trusted by DOMA, which contains the Samba server\&. Under normal circumstances, a user with an account in DOMB can then access the resources of a UNIX account with the same account name on the Samba server even if they do not have an account in DOMA\&. This can make implementing a security boundary difficult\&.
     
    763763This global parameter allows the Samba admin to limit what interfaces on a machine will serve SMB requests\&. It affects file service \fBsmbd\fR(8) and name service \fBnmbd\fR(8) in a slightly different ways\&.
    764764
    765 For name service it causes \fBnmbd\fR to bind to ports 137 and 138 on the interfaces listed in the interfaces parameter\&. \fBnmbd\fR also binds to the "all addresses" interface (0\&.0\&.0\&.0) on ports 137 and 138 for the purposes of reading broadcast messages\&. If this option is not set then \fBnmbd\fR will service name requests on all of these sockets\&. If bind interfaces only is set then\fBnmbd\fR will check the source address of any packets coming in on the broadcast sockets and discard any that don't match the broadcast addresses of the interfaces in theinterfaces parameter list\&. As unicast packets are received on the other sockets it allows \fBnmbd\fR to refuse to serve names to machines that send packets that arrive through any interfaces not listed in the interfaces list\&. IP Source address spoofing does defeat this simple check, however, so it must not be used seriously as a security feature for\fBnmbd\fR\&.
     765For name service it causes \fBnmbd\fR to bind to ports 137 and 138 on the interfaces listed in the interfaces parameter\&. \fBnmbd\fR also binds to the "all addresses" interface (0\&.0\&.0\&.0) on ports 137 and 138 for the purposes of reading broadcast messages\&. If this option is not set then \fBnmbd\fR will service name requests on all of these sockets\&. If bind interfaces only is set then \fBnmbd\fR will check the source address of any packets coming in on the broadcast sockets and discard any that don't match the broadcast addresses of the interfaces in theinterfaces parameter list\&. As unicast packets are received on the other sockets it allows \fBnmbd\fR to refuse to serve names to machines that send packets that arrive through any interfaces not listed in the interfaces list\&. IP Source address spoofing does defeat this simple check, however, so it must not be used seriously as a security feature for \fBnmbd\fR\&.
    766766
    767767For file service it causes \fBsmbd\fR(8) to bind only to the interface list given in the interfaces parameter\&. This restricts the networks that \fBsmbd\fR will serve to packets coming in those interfaces\&. Note that you should not use this parameter for machines that are serving PPP or other intermittent or non\-broadcast network interfaces as it will not cope with non\-permanent interfaces\&.
    768768
    769 If bind interfaces only is set then unless the network address\fB127\&.0\&.0\&.1\fR is added to the interfaces parameter list\fBsmbpasswd\fR(8) and\fBswat\fR(8) may not work as expected due to the reasons covered below\&.
    770 
    771 To change a users SMB password, the \fBsmbpasswd\fR by default connects to the\fBlocalhost \- 127\&.0\&.0\&.1\fR address as an SMB client to issue the password change request\&. Ifbind interfaces only is set then unless the network address\fB127\&.0\&.0\&.1\fR is added to the interfaces parameter list then \fB smbpasswd\fR will fail to connect in it's default mode\&. \fBsmbpasswd\fR can be forced to use the primary IP interface of the local host by using its \fBsmbpasswd\fR(8)\fI\-r \fIremote machine\fR\fR parameter, with \fIremote machine\fR set to the IP name of the primary interface of the local host\&.
     769If bind interfaces only is set then unless the network address \fB127\&.0\&.0\&.1\fR is added to the interfaces parameter list \fBsmbpasswd\fR(8) and \fBswat\fR(8) may not work as expected due to the reasons covered below\&.
     770
     771To change a users SMB password, the \fBsmbpasswd\fR by default connects to the \fBlocalhost \- 127\&.0\&.0\&.1\fR address as an SMB client to issue the password change request\&. Ifbind interfaces only is set then unless the network address \fB127\&.0\&.0\&.1\fR is added to the interfaces parameter list then \fB smbpasswd\fR will fail to connect in it's default mode\&. \fBsmbpasswd\fR can be forced to use the primary IP interface of the local host by using its \fBsmbpasswd\fR(8)\fI\-r \fIremote machine\fR\fR parameter, with \fIremote machine\fR set to the IP name of the primary interface of the local host\&.
    772772
    773773The \fBswat\fR status page tries to connect with \fBsmbd\fR and \fBnmbd\fR at the address\fB127\&.0\&.0\&.1\fR to determine if they are running\&. Not adding \fB127\&.0\&.0\&.1\fR will cause \fB smbd\fR and \fBnmbd\fR to always show "not running" even if they really are\&. This can prevent \fB swat\fR from starting/stopping/restarting \fBsmbd\fR and \fBnmbd\fR\&.
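Review bot: the fix is incomplete. Both the old and new nmbd paragraphs still read "in theinterfaces parameter list", the rewritten smbpasswd paragraph keeps "Ifbind interfaces only" (missing space) and "in it's default mode" (should be "its"), and the trailing context line has "at the address\fB127\&.0\&.0\&.1\fR" with no space. These sit in lines already being touched, so they should go in the same pass.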
     
    14111411.TP
    14121412enable privileges (G)
    1413 This parameter controls whether or not smbd will honor privileges assigned to specific SIDs via either\fBnet rpc rights\fR or one of the Windows user and group manager tools\&. This parameter is enabled by default\&. It can be disabled to prevent members of the Domain Admins group from being able to assign privileges to users or groups which can then result in certain smbd operations running as root that would normally run under the context of the connected user\&.
     1413This parameter controls whether or not smbd will honor privileges assigned to specific SIDs via either \fBnet rpc rights\fR or one of the Windows user and group manager tools\&. This parameter is enabled by default\&. It can be disabled to prevent members of the Domain Admins group from being able to assign privileges to users or groups which can then result in certain smbd operations running as root that would normally run under the context of the connected user\&.
    14141414
    14151415An example of how privileges can be used is to assign the right to join clients to a Samba controlled domain without providing root access to the server via smbd\&.
     
    22852285.TP
    22862286ldap ssl (G)
    2287 This option is used to define whether or not Samba should use SSL when connecting to the ldap server This is \fBNOT\fR related to Samba's previous SSL support which was enabled by specifying the\fB\-\-with\-ssl\fR option to the \fIconfigure\fR script\&.
     2287This option is used to define whether or not Samba should use SSL when connecting to the ldap server This is \fBNOT\fR related to Samba's previous SSL support which was enabled by specifying the \fB\-\-with\-ssl\fR option to the \fIconfigure\fR script\&.
    22882288
    22892289The ldap ssl can be set to one of three values:
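Review bot: "when connecting to the ldap server This is" is missing the sentence terminator in both the old and the new line; it should read "ldap server\&. This is". Fix while the line is being edited for the "\-\-with\-ssl" spacing.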
     
    23002300\(bu
    23012301\fIOn\fR = Use SSL on the ldaps port when contacting the \fIldap server\fR\&. Only available when the backwards\-compatiblity \fB\-\-with\-ldapsam\fR option is specified to configure\&. See passdb backend
    2302 .LP
     2302\&.
     2303                .LP
    23032304.RE
    23042305.IP
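Review bot: the new standalone "\&." line is joined to the preceding text in fill mode with an intervening space, so the bullet renders as "See passdb backend ." rather than "See passdb backend."; append "\&." to the end of the "See passdb backend" line instead of giving it its own line. The unchanged context line also misspells "backwards\-compatiblity" (should be "compatibility").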
     
    23092310Specifies the base for all ldap suffixes and for storing the sambaDomain object\&.
    23102311
    2311 The ldap suffix will be appended to the values specified for the ldap user suffix,ldap group suffix, ldap machine suffix, and theldap idmap suffix\&. Each of these should be given only a DN relative to theldap suffix\&.
     2312The ldap suffix will be appended to the values specified for the ldap user suffix, ldap group suffix, ldap machine suffix, and the ldap idmap suffix\&. Each of these should be given only a DN relative to the ldap suffix\&.
    23122313
    23132314Default: \fB\fIldap suffix\fR = \fR
     
    24612462\fBlogon home = \\\\%N\\%U\\profile\fR
    24622463
    2463 This tells Samba to return the above string, with substitutions made when a client requests the info, generally in a NetUserGetInfo request\&. Win9X clients truncate the info to \\\\server\\share when a user does\fBnet use /home\fR but use the whole string when dealing with profiles\&.
     2464This tells Samba to return the above string, with substitutions made when a client requests the info, generally in a NetUserGetInfo request\&. Win9X clients truncate the info to \\\\server\\share when a user does \fBnet use /home\fR but use the whole string when dealing with profiles\&.
    24642465
    24652466Note that in prior versions of Samba, the logon path was returned rather than\fIlogon home\fR\&. This broke \fBnet use /home\fR but allowed profiles outside the home directory\&. The current implementation is correct, and can be used for profiles if you use the above trick\&.
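Review bot: the trailing context line still has "rather than\fIlogon home\fR" with no space before the font escape, the same defect this hunk fixes two lines above; it should be corrected in the same change.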
     
    27972798.TP
    27982799map to guest (G)
    2799 This parameter is only useful in SECURITY = security modes other than \fIsecurity = share\fR \- i\&.e\&. \fBuser\fR, \fBserver\fR, and \fBdomain\fR\&.
     2800This parameter is only useful in SECURITY = security modes other than \fIsecurity = share\fR and \fIsecurity = server\fR \- i\&.e\&. \fBuser\fR, and \fBdomain\fR\&.
    28002801
    28012802This parameter can take four different values, which tell \fBsmbd\fR(8) what to do with user login requests that don't match a valid UNIX user in some way\&.
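Review bot: with \fBserver\fR removed from the enumeration, "i\&.e\&. \fBuser\fR, and \fBdomain\fR" is a two-item list and should drop the comma before "and". Separately, the allow trusted domains entry earlier in this same file lists \fBads\fR as a security mode next to \fBserver\fR and \fBdomain\fR; if map to guest also applies under security = ads it should be named here, otherwise the "i\&.e\&." list reads as exhaustive and is misleading.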
     
    28202821.RE
    28212822.IP
    2822 Note that this parameter is needed to set up "Guest" share services when using \fIsecurity\fR modes other than share\&. This is because in these modes the name of the resource being requested is \fBnot\fR sent to the server until after the server has successfully authenticated the client so the server cannot make authentication decisions at the correct time (connection to the share) for "Guest" shares\&.
     2823Note that this parameter is needed to set up "Guest" share services when using \fIsecurity\fR modes other than share and server\&. This is because in these modes the name of the resource being requested is \fBnot\fR sent to the server until after the server has successfully authenticated the client so the server cannot make authentication decisions at the correct time (connection to the share) for "Guest" shares\&. This parameter is not useful with \fIsecurity = server\fR as in this security mode no information is returned about whether a user logon failed due to a bad username or bad password, the same error is returned from a modern server in both cases\&.
    28232824
    28242825For people familiar with the older Samba releases, this parameter maps to the old compile\-time setting of the \fB GUEST_SESSSETUP\fR value in local\&.h\&.
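Review bot: the added sentence has a comma splice: "bad username or bad password, the same error is returned" should be split, for example "bad username or bad password; the same error is returned from a modern server in both cases". "modes other than share and server" also reads better as "other than share or server". The substance, that server mode gives no signal to distinguish a bad user from a bad password, is a good addition and explains the change in the previous hunk.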
     
    33283329
    33293330.TP
     3331passwd chat (G)
     3332This string controls the \fB"chat"\fR conversation that takes places between \fBsmbd\fR(8) and the local password changing program to change the user's password\&. The string describes a sequence of response\-receive pairs that \fBsmbd\fR(8) uses to determine what to send to the passwd program and what to expect back\&. If the expected output is not received then the password is not changed\&.
     3333
     3334This chat sequence is often quite site specific, depending on what local methods are used for password control (such as NIS etc)\&.
     3335
     3336Note that this parameter only is only used if the unix password sync parameter is set to \fByes\fR\&. This sequence is then called \fBAS ROOT\fR when the SMB password in the smbpasswd file is being changed, without access to the old password cleartext\&. This means that root must be able to reset the user's password without knowing the text of the previous password\&. In the presence of NIS/YP, this means that the passwd program must be executed on the NIS master\&.
     3337
     3338The string can contain the macro \fI%n\fR which is substituted for the new password\&. The chat sequence can also contain the standard macros \\n, \\r, \\t and \\s to give line\-feed, carriage\-return, tab and space\&. The chat sequence string can also contain a '*' which matches any sequence of characters\&. Double quotes can be used to collect strings with spaces in them into a single string\&.
     3339
     3340If the send string in any part of the chat sequence is a full stop "\&.", then no string is sent\&. Similarly, if the expect string is a full stop then no string is expected\&.
     3341
     3342If the pam password change parameter is set to \fByes\fR, the chat pairs may be matched in any order, and success is determined by the PAM result, not any particular output\&. The \\n macro is ignored for PAM conversions\&.
     3343
     3344Default: \fB\fIpasswd chat\fR = *new*password* %n\\n*new*password* %n\\n *changed* \fR
     3345
     3346Example: \fB\fIpasswd chat\fR = "*Enter OLD password*" %o\\n "*Enter NEW password*" %n\\n "*Reenter NEW password*" %n\\n "*Password changed*" \fR
     3347
     3348.TP
    33303349passwd chat debug (G)
    33313350This boolean specifies if the passwd chat script parameter is run in \fBdebug\fR mode\&. In this mode the strings passed to and received from the passwd chat are printed in the \fBsmbd\fR(8) log with a debug level of 100\&. This is a dangerous option as it will allow plaintext passwords to be seen in the \fBsmbd\fR log\&. It is available to help Samba admins debug their \fIpasswd chat\fR scripts when calling the \fIpasswd program\fR and should be turned off after this has been done\&. This option has no effect if the pam password change paramter is set\&. This parameter is off by default\&.
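Review bot: the block is moved verbatim, so two pre-existing defects travel with it: "takes places between" (should be "takes place") and "this parameter only is only used" (duplicated "only"). Since every line of the block is already in the hunk, fix both here. The reorder itself is right: passwd chat now precedes passwd chat debug and passwd chat timeout, which is where alphabetical ordering puts it.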
     
    33383357
    33393358Default: \fB\fIpasswd chat timeout\fR = 2 \fR
    3340 
    3341 .TP
    3342 passwd chat (G)
    3343 This string controls the \fB"chat"\fR conversation that takes places between \fBsmbd\fR(8) and the local password changing program to change the user's password\&. The string describes a sequence of response\-receive pairs that \fBsmbd\fR(8) uses to determine what to send to the passwd program and what to expect back\&. If the expected output is not received then the password is not changed\&.
    3344 
    3345 This chat sequence is often quite site specific, depending on what local methods are used for password control (such as NIS etc)\&.
    3346 
    3347 Note that this parameter only is only used if the unix password sync parameter is set to \fByes\fR\&. This sequence is then called \fBAS ROOT\fR when the SMB password in the smbpasswd file is being changed, without access to the old password cleartext\&. This means that root must be able to reset the user's password without knowing the text of the previous password\&. In the presence of NIS/YP, this means that the passwd program must be executed on the NIS master\&.
    3348 
    3349 The string can contain the macro \fI%n\fR which is substituted for the new password\&. The chat sequence can also contain the standard macros \\n, \\r, \\t and \\s to give line\-feed, carriage\-return, tab and space\&. The chat sequence string can also contain a '*' which matches any sequence of characters\&. Double quotes can be used to collect strings with spaces in them into a single string\&.
    3350 
    3351 If the send string in any part of the chat sequence is a full stop "\&.", then no string is sent\&. Similarly, if the expect string is a full stop then no string is expected\&.
    3352 
    3353 If the pam password change parameter is set to \fByes\fR, the chat pairs may be matched in any order, and success is determined by the PAM result, not any particular output\&. The \\n macro is ignored for PAM conversions\&.
    3354 
    3355 Default: \fB\fIpasswd chat\fR = *new*password* %n\\n*new*password* %n\\n *changed* \fR
    3356 
    3357 Example: \fB\fIpasswd chat\fR = "*Enter OLD password*" %o\\n "*Enter NEW password*" %n\\n "*Reenter NEW password*" %n\\n "*Password changed*" \fR
    33583359
    33593360.TP
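Review bot: this is the deletion half of the passwd chat move; the removed lines match the block added before passwd chat debug word for word, Default and Example lines included, so nothing is dropped by the reorder.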
     
    34893490
    34903491.TP
     3492exec
     3493This parameter is a synonym for preexec\&.
     3494
     3495.TP
     3496preexec (S)
     3497This option specifies a command to be run whenever the service is connected to\&. It takes the usual substitutions\&.
     3498
     3499An interesting example is to send the users a welcome message every time they log in\&. Maybe a message of the day? Here is an example:
     3500
     3501\fBpreexec = csh \-c 'echo \\"Welcome to %S!\\" | /usr/local/samba/bin/smbclient \-M %m \-I %I' & \fR
     3502
     3503Of course, this could get annoying after a while :\-)
     3504
     3505See also preexec close and postexec\&.
     3506
     3507Default: \fB\fIpreexec\fR = \fR
     3508
     3509Example: \fB\fIpreexec\fR = echo \\"%u connected to %S from %m (%I)\\" >> /tmp/log \fR
     3510
     3511.TP
    34913512preexec close (S)
    34923513This boolean option controls whether a non\-zero return code from preexec should close the service being connected to\&.
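Review bot: moving the exec synonym stub together with preexec so it sits next to the parameter it aliases matches how the other synonym stubs in this changeset are placed; fine. While the text is being moved, "send the users a welcome message" reads better as "send users a welcome message", and the Example appends to the fixed path /tmp/log from a hook that runs on every connection with client-derived substitutions (%u, %m, %I) expanded into it; a file under the Samba log directory would be a better path to show in documentation.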
     
    34953516
    34963517.TP
    3497 exec
    3498 This parameter is a synonym for preexec\&.
    3499 
    3500 .TP
    3501 preexec (S)
    3502 This option specifies a command to be run whenever the service is connected to\&. It takes the usual substitutions\&.
    3503 
    3504 An interesting example is to send the users a welcome message every time they log in\&. Maybe a message of the day? Here is an example:
    3505 
    3506 \fBpreexec = csh \-c 'echo \\"Welcome to %S!\\" | /usr/local/samba/bin/smbclient \-M %m \-I %I' & \fR
    3507 
    3508 Of course, this could get annoying after a while :\-)
    3509 
    3510 See also preexec close and postexec\&.
    3511 
    3512 Default: \fB\fIpreexec\fR = \fR
    3513 
    3514 Example: \fB\fIpreexec\fR = echo \\"%u connected to %S from %m (%I)\\" >> /tmp/log \fR
    3515 
    3516 .TP
    35173518prefered master
    35183519This parameter is a synonym for preferred master\&.
     
    35293530
    35303531.TP
     3532auto services
     3533This parameter is a synonym for preload\&.
     3534
     3535.TP
     3536preload (G)
     3537This is a list of services that you want to be automatically added to the browse lists\&. This is most useful for homes and printers services that would otherwise not be visible\&.
     3538
     3539Note that if you just want all printers in your printcap file loaded then the load printers option is easier\&.
     3540
     3541Default: \fB\fIpreload\fR = \fR
     3542
     3543Example: \fB\fIpreload\fR = fred lp colorlp \fR
     3544
     3545.TP
    35313546preload modules (G)
    35323547This is a list of paths to modules that should be loaded into smbd before a client connects\&. This improves the speed of smbd when reacting to new connections somewhat\&.
     
    35353550
    35363551Example: \fB\fIpreload modules\fR = /usr/lib/samba/passdb/mysql\&.so \fR
    3537 
    3538 .TP
    3539 auto services
    3540 This parameter is a synonym for preload\&.
    3541 
    3542 .TP
    3543 preload (G)
    3544 This is a list of services that you want to be automatically added to the browse lists\&. This is most useful for homes and printers services that would otherwise not be visible\&.
    3545 
    3546 Note that if you just want all printers in your printcap file loaded then the load printers option is easier\&.
    3547 
    3548 Default: \fB\fIpreload\fR = \fR
    3549 
    3550 Example: \fB\fIpreload\fR = fred lp colorlp \fR
    35513552
    35523553.TP
     
    38623863
    38633864.TP
    3864 reset on zero vc (S)
     3865reset on zero vc (G)
    38653866This boolean option controls whether an incoming session setup should kill other connections coming from the same IP\&. This matches the default Windows 2003 behaviour\&. Setting this parameter to yes becomes necessary when you have a flaky network and windows decides to reconnect while the old connection still has files with share modes open\&. These files become inaccessible over the new connection\&. The client sends a zero VC on the new connection, and Windows 2003 kills all other connections coming from the same IP\&. This way the locked files are accessible again\&. Please be aware that enabling this option will kill connections behind a masquerading router\&.
    38663867
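Review bot: the scope flag changes from (S) to (G) while the description is untouched. That is consistent with the behaviour described, since the decision is taken at session setup before any share has been selected and a per-share setting could not apply, but the change should be called out in the commit message or release notes so that administrators who set this inside a share section know to move it to [global]. Minor: "windows decides" should be "Windows decides".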
     
    39143915
    39153916.TP
     3917root preexec (S)
     3918This is the same as the \fIpreexec\fR parameter except that the command is run as root\&. This is useful for mounting filesystems (such as CDROMs) when a connection is opened\&.
     3919
     3920Default: \fB\fIroot preexec\fR = \fR
     3921
     3922.TP
    39163923root preexec close (S)
    39173924This is the same as the \fIpreexec close \fR parameter except that the command is run as root\&.
    39183925
    39193926Default: \fB\fIroot preexec close\fR = no \fR
    3920 
    3921 .TP
    3922 root preexec (S)
    3923 This is the same as the \fIpreexec\fR parameter except that the command is run as root\&. This is useful for mounting filesystems (such as CDROMs) when a connection is opened\&.
    3924 
    3925 Default: \fB\fIroot preexec\fR = \fR
    3926 
    3927 .TP
    3928 security mask (S)
    3929 This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating the UNIX permission on a file using the native NT security dialog box\&.
    3930 
    3931 This parameter is applied as a mask (AND'ed with) to the changed permission bits, thus preventing any bits not in this mask from being modified\&. Make sure not to mix up this parameter with force security mode, which works in a manner similar to this one but uses a logical OR instead of an AND\&.
    3932 
    3933 Essentially, zero bits in this mask may be treated as a set of bits the user is not allowed to change\&.
    3934 
    3935 If not set explicitly this parameter is 0777, allowing a user to modify all the user/group/world permissions on a file\&.
    3936 
    3937 \fB Note\fR that users who can access the Samba server through other means can easily bypass this restriction, so it is primarily useful for standalone "appliance" systems\&. Administrators of most normal systems will probably want to leave it set to \fB0777\fR\&.
    3938 
    3939 Default: \fB\fIsecurity mask\fR = 0777 \fR
    3940 
    3941 Example: \fB\fIsecurity mask\fR = 0770 \fR
    39423927
    39433928.TP
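Review bot: this hunk removes two entries at once: root preexec, which is re-added a few lines up in the same hunk so that it precedes root preexec close, and security mask, which must be re-added elsewhere in this changeset; both halves should be checked against each other before merging. In the security mask text, "\fB Note\fR" carries a leading space inside the bold escape that renders as a visible gap; "\fBNote\fR" is what is intended.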
     
    40614046
    40624047.TP
     4048security mask (S)
     4049This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating the UNIX permission on a file using the native NT security dialog box\&.
     4050
     4051This parameter is applied as a mask (AND'ed with) to the changed permission bits, thus preventing any bits not in this mask from being modified\&. Make sure not to mix up this parameter with force security mode, which works in a manner similar to this one but uses a logical OR instead of an AND\&.
     4052
     4053Essentially, zero bits in this mask may be treated as a set of bits the user is not allowed to change\&.
     4054
     4055If not set explicitly this parameter is 0777, allowing a user to modify all the user/group/world permissions on a file\&.
     4056
     4057\fB Note\fR that users who can access the Samba server through other means can easily bypass this restriction, so it is primarily useful for standalone "appliance" systems\&. Administrators of most normal systems will probably want to leave it set to \fB0777\fR\&.
     4058
     4059Default: \fB\fIsecurity mask\fR = 0777 \fR
     4060
     4061Example: \fB\fIsecurity mask\fR = 0770 \fR
     4062
     4063.TP
    40634064server schannel (G)
    40644065This controls whether the server offers or even demands the use of the netlogon schannel\&.server schannel = no does not offer the schannel, server schannel = auto offers the schannel but does not enforce it, and server schannel = yes denies access if the client is not able to speak netlogon schannel\&. This is only the case for Windows NT4 before SP4\&.
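Review bot: the trailing context line runs two sentences together: "netlogon schannel\&.server schannel = no" needs a space after "\&.". Its last sentence, "This is only the case for Windows NT4 before SP4", is also ambiguous about which case it refers to; presumably clients unable to speak netlogon schannel, so "The latter is only the case for Windows NT4 before SP4" would be clearer.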
     
    41774178These open modes are not directly supported by UNIX, so they are simulated using shared memory, or lock files if your UNIX doesn't support shared memory (almost all do)\&.
    41784179
    4179 The share modes that are enabled by this option are\fBDENY_DOS\fR, \fBDENY_ALL\fR,\fBDENY_READ\fR, \fBDENY_WRITE\fR,\fBDENY_NONE\fR and \fBDENY_FCB\fR\&.
     4180The share modes that are enabled by this option are \fBDENY_DOS\fR, \fBDENY_ALL\fR,\fBDENY_READ\fR, \fBDENY_WRITE\fR,\fBDENY_NONE\fR and \fBDENY_FCB\fR\&.
    41804181
    41814182This option gives full share compatibility and enabled by default\&.
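Review bot: only the first missing space is fixed; in the new line "\fBDENY_ALL\fR,\fBDENY_READ\fR" and "\fBDENY_WRITE\fR,\fBDENY_NONE\fR" still lack a space after the comma. The context line "This option gives full share compatibility and enabled by default" is missing "is" ("and is enabled by default").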
     
    42114212.TP
    42124213shutdown script (G)
    4213 This a full path name to a script called by\fBsmbd\fR(8) that should start a shutdown procedure\&.
     4214This a full path name to a script called by \fBsmbd\fR(8) that should start a shutdown procedure\&.
    42144215
    42154216If the connected user posseses the \fBSeRemoteShutdownPrivilege\fR, right, this command will be run as user\&.
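Review bot: "This a full path name" is missing "is" in both the old and the new line. The trailing context line has "posseses" (should be "possesses") and a stray comma in "\fBSeRemoteShutdownPrivilege\fR, right, this command"; drop the comma after the privilege name.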
     
    43834384When strict locking is disabled, the server performs file lock checks only when the client explicitly asks for them\&.
    43844385
    4385 Well\-behaved clients always ask for lock checks when it is important\&. So in the vast majority of cases,\fBstrict locking = Auto\fR or\fBstrict locking = no\fR is acceptable\&.
     4386Well\-behaved clients always ask for lock checks when it is important\&. So in the vast majority of cases, \fBstrict locking = Auto\fR or \fBstrict locking = no\fR is acceptable\&.
    43864387
    43874388Default: \fB\fIstrict locking\fR = Auto \fR
     
    44104411
    44114412.TP
     4413syslog (G)
     4414This parameter maps how Samba debug messages are logged onto the system syslog logging levels\&. Samba debug level zero maps onto syslog \fBLOG_ERR\fR, debug level one maps onto \fBLOG_WARNING\fR, debug level two maps onto \fBLOG_NOTICE\fR, debug level three maps onto LOG_INFO\&. All higher levels are mapped to \fBLOG_DEBUG\fR\&.
     4415
     4416This parameter sets the threshold for sending messages to syslog\&. Only messages with debug level less than this value will be sent to syslog\&.
     4417
     4418Default: \fB\fIsyslog\fR = 1 \fR
     4419
     4420.TP
    44124421syslog only (G)
    44134422If this parameter is set then Samba debug messages are logged into the system syslog only, and not to the debug log files\&.
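Review bot: in the moved text, LOG_INFO is the only level name not wrapped in \fB...\fR, unlike LOG_ERR, LOG_WARNING, LOG_NOTICE and LOG_DEBUG; make it consistent. The threshold sentence is worth keeping as written: with the default of 1, only messages with debug level less than 1, that is level 0 (LOG_ERR), reach syslog, which readers tuning log shipping will want to know.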
     
    44164425
    44174426.TP
    4418 syslog (G)
    4419 This parameter maps how Samba debug messages are logged onto the system syslog logging levels\&. Samba debug level zero maps onto syslog \fBLOG_ERR\fR, debug level one maps onto \fBLOG_WARNING\fR, debug level two maps onto \fBLOG_NOTICE\fR, debug level three maps onto LOG_INFO\&. All higher levels are mapped to \fBLOG_DEBUG\fR\&.
    4420 
    4421 This parameter sets the threshold for sending messages to syslog\&. Only messages with debug level less than this value will be sent to syslog\&.
    4422 
    4423 Default: \fB\fIsyslog\fR = 1 \fR
    4424 
    4425 .TP
    44264427template homedir (G)
    44274428When filling out the user information for a Windows NT user, the \fBwinbindd\fR(8) daemon uses this parameter to fill in the home directory for that user\&. If the string \fI%D\fR is present it is substituted with the user's Windows NT domain name\&. If the string \fI%U\fR is present it is substituted with the user's Windows NT user name\&.
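Review bot: nothing is lost here: the removed 'syslog' block (4418-4424) is identical, word for word, to the copy inserted before 'syslog only' in the previous hunk, so this is purely the second half of that reorder.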
     
    45144515
    45154516.TP
     4517user
     4518This parameter is a synonym for username\&.
     4519
     4520.TP
     4521users
     4522This parameter is a synonym for username\&.
     4523
     4524.TP
     4525username (S)
     4526Multiple users may be specified in a comma\-delimited list, in which case the supplied password will be tested against each username in turn (left to right)\&.
     4527
     4528The \fIusername\fR line is needed only when the PC is unable to supply its own username\&. This is the case for the COREPLUS protocol or where your users have different WfWg usernames to UNIX usernames\&. In both these cases you may also be better using the \\\\server\\share%user syntax instead\&.
     4529
     4530The \fIusername\fR line is not a great solution in many cases as it means Samba will try to validate the supplied password against each of the usernames in the \fIusername\fR line in turn\&. This is slow and a bad idea for lots of users in case of duplicate passwords\&. You may get timeouts or security breaches using this parameter unwisely\&.
     4531
     4532Samba relies on the underlying UNIX security\&. This parameter does not restrict who can login, it just offers hints to the Samba server as to what usernames might correspond to the supplied password\&. Users can login as whoever they please and they will be able to do no more damage than if they started a telnet session\&. The daemon runs as the user that they log in as, so they cannot do anything that user cannot do\&.
     4533
     4534To restrict a service to a particular set of users you can use the valid users parameter\&.
     4535
     4536If any of the usernames begin with a '@' then the name will be looked up first in the NIS netgroups list (if Samba is compiled with netgroup support), followed by a lookup in the UNIX groups database and will expand to a list of all users in the group of that name\&.
     4537
     4538If any of the usernames begin with a '+' then the name will be looked up only in the UNIX groups database and will expand to a list of all users in the group of that name\&.
     4539
     4540If any of the usernames begin with a '&' then the name will be looked up only in the NIS netgroups database (if Samba is compiled with netgroup support) and will expand to a list of all users in the netgroup group of that name\&.
     4541
     4542Note that searching though a groups database can take quite some time, and some clients may time out during the search\&.
     4543
     4544See the section NOTE ABOUT USERNAME/PASSWORD VALIDATION for more information on how this parameter determines access to the services\&.
     4545
     4546Default: \fB\fIusername\fR = # The guest account if a guest service, else <empty string>\&. \fR
     4547
     4548Example: \fB\fIusername\fR = fred, mary, jack, jane, @users, @pcgroup \fR
     4549
     4550.TP
    45164551username level (G)
    45174552This option helps Samba to try and 'guess' at the real UNIX username, as many DOS clients send an all\-uppercase username\&. By default Samba tries all lowercase, followed by the username with the first letter capitalized, and fails if the username is not found on the UNIX machine\&.
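Review bot: the 'username' entry is moved verbatim (it reappears as the block removed later at 4612-4643), so no content changed, but two wording points are worth taking while it is touched. Line 4542: "searching though" should be "searching through". Line 4530, "This is slow and a bad idea for lots of users in case of duplicate passwords", should state the consequence that the first paragraph implies: the one supplied password is tried against every listed account left to right, so if two listed accounts share a password the client is logged in as whichever appears first, and the server has no way to tell which one was meant. That is the "security breaches" the sentence alludes to, and saying it plainly is better than hinting at it.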
     
    45264561
    45274562.TP
     4563username map (G)
     4564This option allows you to specify a file containing a mapping of usernames from the clients to the server\&. This can be used for several purposes\&. The most common is to map usernames that users use on DOS or Windows machines to those that the UNIX box uses\&. The other is to map multiple users to a single username so that they can more easily share files\&.
     4565
     4566Please note that for user or share mode security, the username map is applied prior to validating the user credentials\&. Domain member servers (domain or ads) apply the username map after the user has been successfully authenticated by the domain controller and require fully qualified enties in the map table (e\&.g\&. biddle = DOMAIN\\foo)\&.
     4567
     4568The map file is parsed line by line\&. Each line should contain a single UNIX username on the left then a '=' followed by a list of usernames on the right\&. The list of usernames on the right may contain names of the form @group in which case they will match any UNIX username in that group\&. The special client name '*' is a wildcard and matches any name\&. Each line of the map file may be up to 1023 characters long\&.
     4569
     4570The file is processed on each line by taking the supplied username and comparing it with each username on the right hand side of the '=' signs\&. If the supplied name matches any of the names on the right hand side then it is replaced with the name on the left\&. Processing then continues with the next line\&.
     4571
     4572If any line begins with a '#' or a ';' then it is ignored\&.
     4573
     4574If any line begins with an '!' then the processing will stop after that line if a mapping was done by the line\&. Otherwise mapping continues with every line being processed\&. Using '!' is most useful when you have a wildcard mapping line later in the file\&.
     4575
     4576For example to map from the name \fBadmin\fR or \fBadministrator\fR to the UNIX name \fB root\fR you would use:
     4577
     4578.nf
     4579
     4580\fBroot = admin administrator\fR
     4581
     4582.fi
     4583 Or to map anyone in the UNIX group \fBsystem\fR to the UNIX name \fBsys\fR you would use:
     4584
     4585.nf
     4586
     4587\fBsys = @system\fR
     4588
     4589.fi
     4590 
     4591
     4592You can have as many mappings as you like in a username map file\&.
     4593
     4594If your system supports the NIS NETGROUP option then the netgroup database is checked before the \fI/etc/group \fR database for matching groups\&.
     4595
     4596You can map Windows usernames that have spaces in them by using double quotes around the name\&. For example:
     4597
     4598.nf
     4599
     4600\fBtridge = "Andrew Tridgell"\fR
     4601
     4602.fi
     4603 would map the windows username "Andrew Tridgell" to the unix username "tridge"\&.
     4604
     4605The following example would map mary and fred to the unix user sys, and map the rest to guest\&. Note the use of the '!' to tell Samba to stop processing if it gets a match on that line:
     4606
     4607.nf
     4608
     4609!sys = mary fred
     4610guest = *
     4611
     4612.fi
     4613 
     4614
     4615Note that the remapping is applied to all occurrences of usernames\&. Thus if you connect to \\\\server\\fred and\fBfred\fR is remapped to \fBmary\fR then you will actually be connecting to \\\\server\\mary and will need to supply a password suitable for \fBmary\fR not\fBfred\fR\&. The only exception to this is the username passed to the password server (if you have one)\&. The password server will receive whatever username the client supplies without modification\&.
     4616
     4617Also note that no reverse mapping is done\&. The main effect this has is with printing\&. Users who have been mapped may have trouble deleting print jobs as PrintManager under WfWg will think they don't own the print job\&.
     4618
     4619Samba versions prior to 3\&.0\&.8 would only support reading the fully qualified username (e\&.g\&.: DOMAIN\\user) from the username map when performing a kerberos login from a client\&. However, when looking up a map entry for a user authenticated by NTLM[SSP], only the login name would be used for matches\&. This resulted in inconsistent behavior sometimes even on the same server\&.
     4620
     4621The following functionality is obeyed in version 3\&.0\&.8 and later:
     4622
     4623When performing local authentication, the username map is applied to the login name before attempting to authenticate the connection\&.
     4624
     4625When relying upon a external domain controller for validating authentication requests, smbd will apply the username map to the fully qualified username (i\&.e\&. DOMAIN\\user) only after the user has been successfully authenticated\&.
     4626
     4627An example of use is:
     4628
     4629.nf
     4630
     4631username map = /usr/local/samba/lib/users\&.map
     4632
     4633.fi
     4634 
     4635
     4636Default: \fB\fIusername map\fR = # no username map \fR
     4637
     4638.TP
    45284639username map script (G)
    45294640This script is a mutually exclusive alternative to theusername map parameter\&. This parameter specifies and external program or script that must accept a single command line option (the username transmitted in the authentication request) and return a line line on standard output (the name to which the account should mapped)\&. In this way, it is possible to store username map tables in an LDAP or NIS directory services\&.
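Review bot: the security-relevant sentence in the moved 'username map' entry, line 4566 ("for user or share mode security, the username map is applied prior to validating the user credentials"), sits far from the example that most needs it, line 4580 ("root = admin administrator"). Under that ordering any client presenting the name admin or administrator is authenticated against the root account's password, and with a later "guest = *" line everyone not matched earlier becomes guest; a one-line cross-reference next to the root example ("see the note above on when the map is applied") would help. Small fixes in the same block: "enties" should be "entries" (4566), "a external domain controller" should be "an external" (4625), and line 4615 still has "and\fBfred\fR" / "not\fBfred\fR" without the separating space that this same changeset adds elsewhere (the 'strict locking' and 'winbind enum users' hunks).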
     
    45324643
    45334644Example: \fB\fIusername map script\fR = /etc/samba/scripts/mapusers\&.sh \fR
    4534 
    4535 .TP
    4536 username map (G)
    4537 This option allows you to specify a file containing a mapping of usernames from the clients to the server\&. This can be used for several purposes\&. The most common is to map usernames that users use on DOS or Windows machines to those that the UNIX box uses\&. The other is to map multiple users to a single username so that they can more easily share files\&.
    4538 
    4539 Please note that for user or share mode security, the username map is applied prior to validating the user credentials\&. Domain member servers (domain or ads) apply the username map after the user has been successfully authenticated by the domain controller and require fully qualified enties in the map table (e\&.g\&. biddle = DOMAIN\\foo)\&.
    4540 
    4541 The map file is parsed line by line\&. Each line should contain a single UNIX username on the left then a '=' followed by a list of usernames on the right\&. The list of usernames on the right may contain names of the form @group in which case they will match any UNIX username in that group\&. The special client name '*' is a wildcard and matches any name\&. Each line of the map file may be up to 1023 characters long\&.
    4542 
    4543 The file is processed on each line by taking the supplied username and comparing it with each username on the right hand side of the '=' signs\&. If the supplied name matches any of the names on the right hand side then it is replaced with the name on the left\&. Processing then continues with the next line\&.
    4544 
    4545 If any line begins with a '#' or a ';' then it is ignored\&.
    4546 
    4547 If any line begins with an '!' then the processing will stop after that line if a mapping was done by the line\&. Otherwise mapping continues with every line being processed\&. Using '!' is most useful when you have a wildcard mapping line later in the file\&.
    4548 
    4549 For example to map from the name \fBadmin\fR or \fBadministrator\fR to the UNIX name \fB root\fR you would use:
    4550 
    4551 .nf
    4552 
    4553 \fBroot = admin administrator\fR
    4554 
    4555 .fi
    4556  Or to map anyone in the UNIX group \fBsystem\fR to the UNIX name \fBsys\fR you would use:
    4557 
    4558 .nf
    4559 
    4560 \fBsys = @system\fR
    4561 
    4562 .fi
    4563  
    4564 
    4565 You can have as many mappings as you like in a username map file\&.
    4566 
    4567 If your system supports the NIS NETGROUP option then the netgroup database is checked before the \fI/etc/group \fR database for matching groups\&.
    4568 
    4569 You can map Windows usernames that have spaces in them by using double quotes around the name\&. For example:
    4570 
    4571 .nf
    4572 
    4573 \fBtridge = "Andrew Tridgell"\fR
    4574 
    4575 .fi
    4576  would map the windows username "Andrew Tridgell" to the unix username "tridge"\&.
    4577 
    4578 The following example would map mary and fred to the unix user sys, and map the rest to guest\&. Note the use of the '!' to tell Samba to stop processing if it gets a match on that line:
    4579 
    4580 .nf
    4581 
    4582 !sys = mary fred
    4583 guest = *
    4584 
    4585 .fi
    4586  
    4587 
    4588 Note that the remapping is applied to all occurrences of usernames\&. Thus if you connect to \\\\server\\fred and\fBfred\fR is remapped to \fBmary\fR then you will actually be connecting to \\\\server\\mary and will need to supply a password suitable for \fBmary\fR not\fBfred\fR\&. The only exception to this is the username passed to the password server (if you have one)\&. The password server will receive whatever username the client supplies without modification\&.
    4589 
    4590 Also note that no reverse mapping is done\&. The main effect this has is with printing\&. Users who have been mapped may have trouble deleting print jobs as PrintManager under WfWg will think they don't own the print job\&.
    4591 
    4592 Samba versions prior to 3\&.0\&.8 would only support reading the fully qualified username (e\&.g\&.: DOMAIN\\user) from the username map when performing a kerberos login from a client\&. However, when looking up a map entry for a user authenticated by NTLM[SSP], only the login name would be used for matches\&. This resulted in inconsistent behavior sometimes even on the same server\&.
    4593 
    4594 The following functionality is obeyed in version 3\&.0\&.8 and later:
    4595 
    4596 When performing local authentication, the username map is applied to the login name before attempting to authenticate the connection\&.
    4597 
    4598 When relying upon a external domain controller for validating authentication requests, smbd will apply the username map to the fully qualified username (i\&.e\&. DOMAIN\\user) only after the user has been successfully authenticated\&.
    4599 
    4600 An example of use is:
    4601 
    4602 .nf
    4603 
    4604 username map = /usr/local/samba/lib/users\&.map
    4605 
    4606 .fi
    4607  
    4608 
    4609 Default: \fB\fIusername map\fR = # no username map \fR
    4610 
    4611 .TP
    4612 user
    4613 This parameter is a synonym for username\&.
    4614 
    4615 .TP
    4616 users
    4617 This parameter is a synonym for username\&.
    4618 
    4619 .TP
    4620 username (S)
    4621 Multiple users may be specified in a comma\-delimited list, in which case the supplied password will be tested against each username in turn (left to right)\&.
    4622 
    4623 The \fIusername\fR line is needed only when the PC is unable to supply its own username\&. This is the case for the COREPLUS protocol or where your users have different WfWg usernames to UNIX usernames\&. In both these cases you may also be better using the \\\\server\\share%user syntax instead\&.
    4624 
    4625 The \fIusername\fR line is not a great solution in many cases as it means Samba will try to validate the supplied password against each of the usernames in the \fIusername\fR line in turn\&. This is slow and a bad idea for lots of users in case of duplicate passwords\&. You may get timeouts or security breaches using this parameter unwisely\&.
    4626 
    4627 Samba relies on the underlying UNIX security\&. This parameter does not restrict who can login, it just offers hints to the Samba server as to what usernames might correspond to the supplied password\&. Users can login as whoever they please and they will be able to do no more damage than if they started a telnet session\&. The daemon runs as the user that they log in as, so they cannot do anything that user cannot do\&.
    4628 
    4629 To restrict a service to a particular set of users you can use the valid users parameter\&.
    4630 
    4631 If any of the usernames begin with a '@' then the name will be looked up first in the NIS netgroups list (if Samba is compiled with netgroup support), followed by a lookup in the UNIX groups database and will expand to a list of all users in the group of that name\&.
    4632 
    4633 If any of the usernames begin with a '+' then the name will be looked up only in the UNIX groups database and will expand to a list of all users in the group of that name\&.
    4634 
    4635 If any of the usernames begin with a '&' then the name will be looked up only in the NIS netgroups database (if Samba is compiled with netgroup support) and will expand to a list of all users in the netgroup group of that name\&.
    4636 
    4637 Note that searching though a groups database can take quite some time, and some clients may time out during the search\&.
    4638 
    4639 See the section NOTE ABOUT USERNAME/PASSWORD VALIDATION for more information on how this parameter determines access to the services\&.
    4640 
    4641 Default: \fB\fIusername\fR = # The guest account if a guest service, else <empty string>\&. \fR
    4642 
    4643 Example: \fB\fIusername\fR = fred, mary, jack, jane, @users, @pcgroup \fR
    46444645
    46454646.TP
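Review bot: lossless removal: the deleted 'username map' text (4536-4610) and 'user'/'users'/'username' text (4612-4643) match the copies inserted earlier in alphabetical position line for line, so this hunk is only the tail end of the reorder. The unchanged 'username map script' context at 4640 carries several typos that deserve a follow-up now that it is the entry adjacent to the moved block: "theusername map" (missing space), "specifies and external program" should be "an external program", "return a line line" should be "return a single line", and "should mapped" should be "should be mapped".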
     
    47264727
    47274728.TP
     4729utmp (G)
     4730This boolean parameter is only available if Samba has been configured and compiled with the option \fB\-\-with\-utmp\fR\&. If set to \fByes\fR then Samba will attempt to add utmp or utmpx records (depending on the UNIX system) whenever a connection is made to a Samba server\&. Sites may use this to record the user connecting to a Samba share\&.
     4731
     4732Due to the requirements of the utmp record, we are required to create a unique identifier for the incoming user\&. Enabling this option creates an n^2 algorithm to find this number\&. This may impede performance on large installations\&.
     4733
     4734Default: \fB\fIutmp\fR = no \fR
     4735
     4736.TP
    47284737utmp directory (G)
    47294738This parameter is only available if Samba has been configured and compiled with the option \fB \-\-with\-utmp\fR\&. It specifies a directory pathname that is used to store the utmp or utmpx files (depending on the UNIX system) that record user connections to a Samba server\&. By default this is not set, meaning the system will use whatever utmp file the native system is set to use (usually\fI/var/run/utmp\fR on Linux)\&.
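Review bot: the moved 'utmp' entry is identical to the copy removed in the next hunk except for the space now inserted before \fByes\fR (4730), which is the correct rendering fix. While it is being touched, line 4732 ("Enabling this option creates an n^2 algorithm to find this number") should say what n counts so the performance warning can be acted on; as written a reader cannot tell whether a large installation means many users, many shares or many concurrent connections.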
     
    47344743
    47354744.TP
    4736 utmp (G)
    4737 This boolean parameter is only available if Samba has been configured and compiled with the option \fB\-\-with\-utmp\fR\&. If set to\fByes\fR then Samba will attempt to add utmp or utmpx records (depending on the UNIX system) whenever a connection is made to a Samba server\&. Sites may use this to record the user connecting to a Samba share\&.
    4738 
    4739 Due to the requirements of the utmp record, we are required to create a unique identifier for the incoming user\&. Enabling this option creates an n^2 algorithm to find this number\&. This may impede performance on large installations\&.
    4740 
    4741 Default: \fB\fIutmp\fR = no \fR
     4745\-valid (S)
     4746This parameter indicates whether a share is valid and thus can be used\&. When this parameter is set to false, the share will be in no way visible nor accessible\&.
     4747
     4748This option should not be used by regular users but might be of help to developers\&. Samba uses this option internally to mark shares as deleted\&.
     4749
     4750Default: \fB\fI\-valid\fR = yes \fR
    47424751
    47434752.TP
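Review bot: two independent things happen in this hunk and both check out: the removal of the original 'utmp' block (4736-4741) matches the re-inserted copy apart from the whitespace fix, and the '-valid' entry is re-inserted here (4745-4750) ahead of 'valid users', where alphabetical order puts it. Wording nit on the moved -valid text, line 4746: "the share will be in no way visible nor accessible" reads better as "the share is neither visible nor accessible".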
     
    47524761
    47534762Example: \fB\fIvalid users\fR = greg, @pcusers \fR
    4754 
    4755 .TP
    4756 \-valid (S)
    4757 This parameter indicates whether a share is valid and thus can be used\&. When this parameter is set to false, the share will be in no way visible nor accessible\&.
    4758 
    4759 This option should not be used by regular users but might be of help to developers\&. Samba uses this option internally to mark shares as deleted\&.
    4760 
    4761 Default: \fB\fI\-valid\fR = yes \fR
    47624763
    47634764.TP
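Review bot: the removed '-valid' block (4756-4761) is word for word the copy inserted before 'valid users' in the previous hunk; nothing to fix, this is just the other half of that move.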
     
    48564857.TP
    48574858winbind enum users (G)
    4858 On large installations using \fBwinbindd\fR(8) it may be necessary to suppress the enumeration of users through the \fBsetpwent()\fR,\fBgetpwent()\fR and\fBendpwent()\fR group of system calls\&. If the \fIwinbind enum users\fR parameter is\fBno\fR, calls to the \fBgetpwent\fR system call will not return any data\&.
     4859On large installations using \fBwinbindd\fR(8) it may be necessary to suppress the enumeration of users through the \fBsetpwent()\fR, \fBgetpwent()\fR and \fBendpwent()\fR group of system calls\&. If the \fIwinbind enum users\fR parameter is \fBno\fR, calls to the \fBgetpwent\fR system call will not return any data\&.
    48594860
    48604861
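Review bot: whitespace-only markup fix in line 4859 (spaces before the \fB escapes after the commas and before "no"), correct and safe; the statement that getpwent returns no data when winbind enum users = no is unchanged.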
     
    49364937.TP
    49374938winbind use default domain (G)
    4938 This parameter specifies whether the\fBwinbindd\fR(8) daemon should operate on users without domain component in their username\&. Users without a domain component are treated as is part of the winbindd server's own domain\&. While this does not benifit Windows users, it makes SSH, FTP and e\-mail function in a way much closer to the way they would in a native unix system\&.
     4939This parameter specifies whether the \fBwinbindd\fR(8) daemon should operate on users without domain component in their username\&. Users without a domain component are treated as is part of the winbindd server's own domain\&. While this does not benifit Windows users, it makes SSH, FTP and e\-mail function in a way much closer to the way they would in a native unix system\&.
    49394940
    49404941Default: \fB\fIwinbind use default domain\fR = no \fR
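Review bot: the rewritten line 4939 fixes the missing space before \fBwinbindd\fR but keeps two errors from the old line that should go in the same pass: "benifit" should be "benefit", and "treated as is part of the winbindd server's own domain" should be "treated as part of the winbindd server's own domain".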