Timestamp:
May 26, 2007, 10:26:26 PM (14 years ago)
Author:
Paul Smedley
Message:

Upgrade source to 3.0.25a

File:
1 edited

  • trunk/samba/docs/htmldocs/manpages/smb.conf.5.html

    r30 r39  
    1 <html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>smb.conf</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.68.1"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"><a name="smb.conf.5"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>smb.conf &#8212; The configuration file for the Samba suite</p></div><div class="refsect1" lang="en"><a name="id263106"></a><h2>SYNOPSIS</h2><p>
     1<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>smb.conf</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.71.0"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"><a name="smb.conf.5"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>smb.conf &#8212; The configuration file for the Samba suite</p></div><div class="refsect1" lang="en"><a name="id291806"></a><h2>SYNOPSIS</h2><p>
    22        The <code class="filename">smb.conf</code> file is a configuration  file for the Samba suite. <code class="filename">smb.conf</code> contains  runtime configuration information for the Samba programs. The
    33         <code class="filename">smb.conf</code> file is designed to be configured and administered by the
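Review bot: The only differences on line 1 are the generator string (DocBook XSL Stylesheets V1.68.1 to V1.71.0) and the auto-generated anchor name (id263106 to id291806), so this is regenerated output rather than an edit to the manual text. Consider saying so in the commit message, or keeping the generated htmldocs out of the change, so that a real wording change to a security-relevant parameter is not buried under anchor-id churn.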
     
    2727        which may be given as yes/no, 0/1 or true/false. Case is not significant in boolean values, but is preserved
    2828        in string values. Some items such as create masks are numeric.
    29         </p></div><div class="refsect1" lang="en"><a name="id231177"></a><h2>SECTION DESCRIPTIONS</h2><p>
     29        </p></div><div class="refsect1" lang="en"><a name="id259593"></a><h2>SECTION DESCRIPTIONS</h2><p>
    3030        Each section in the configuration file (except for the [global] section) describes a shared resource (known as
    3131        a &#8220;<span class="quote">share</span>&#8221;). The section name is the name of the shared resource and the parameters within the
     
    5656</p><pre class="programlisting">
    5757        <em class="parameter"><code>[foo]</code></em>
    58         <a class="indexterm" name="id231463"></a>path = /home/bar
    59         <a class="indexterm" name="id231470"></a>read only = no
     58        <a class="indexterm" name="id259430"></a>path = /home/bar
     59        <a class="indexterm" name="id259437"></a>read only = no
    6060</pre><p>
    6161        </p><p>
     
    6565</p><pre class="programlisting">
    6666        <em class="parameter"><code>[aprinter]</code></em>
    67         <a class="indexterm" name="id231497"></a>path = /usr/spool/public
    68         <a class="indexterm" name="id231504"></a>read only = yes
    69         <a class="indexterm" name="id231512"></a>printable = yes
    70         <a class="indexterm" name="id231519"></a>guest ok = yes
     67        <a class="indexterm" name="id260380"></a>path = /usr/spool/public
     68        <a class="indexterm" name="id260387"></a>read only = yes
     69        <a class="indexterm" name="id260394"></a>printable = yes
     70        <a class="indexterm" name="id260401"></a>guest ok = yes
    7171</pre><p>
    72         </p></div><div class="refsect1" lang="en"><a name="id231529"></a><h2>SPECIAL SECTIONS</h2><div class="refsect2" lang="en"><a name="id231534"></a><h3>The [global] section</h3><p>
     72        </p></div><div class="refsect1" lang="en"><a name="id260411"></a><h2>SPECIAL SECTIONS</h2><div class="refsect2" lang="en"><a name="id260417"></a><h3>The [global] section</h3><p>
    7373                Parameters in this section apply to the server as a whole, or are defaults for sections that do not
    7474                specifically define certain items. See the notes under PARAMETERS for more information.
     
    106106</p><pre class="programlisting">
    107107<em class="parameter"><code>[homes]</code></em>
    108 <a class="indexterm" name="id230577"></a>read only = no
     108<a class="indexterm" name="id260154"></a>read only = no
    109109</pre><p>
    110110                </p><p>
     
    138138</p><pre class="programlisting">
    139139<em class="parameter"><code>[printers]</code></em>
    140 <a class="indexterm" name="id271778"></a>path = /usr/spool/public
    141 <a class="indexterm" name="id271785"></a>guest ok = yes
    142 <a class="indexterm" name="id271792"></a>printable = yes
     140<a class="indexterm" name="id300477"></a>path = /usr/spool/public
     141<a class="indexterm" name="id300484"></a>guest ok = yes
     142<a class="indexterm" name="id300492"></a>printable = yes
    143143</pre><p>
    144144                </p><p>
     
    161161                <code class="literal">printcap name = lpstat</code> to automatically obtain a list of printers. See the
    162162                <code class="literal">printcap name</code> option for more details.
    163                 </p></div></div></div><div class="refsect1" lang="en"><a name="id271850"></a><h2>USERSHARES</h2><p>Starting with Samba version 3.0.23 the capability for non-root users to add, modify, and delete
     163                </p></div></div></div><div class="refsect1" lang="en"><a name="id300549"></a><h2>USERSHARES</h2><p>Starting with Samba version 3.0.23 the capability for non-root users to add, modify, and delete
    164164        their own share definitions has been added. This capability is called <span class="emphasis"><em>usershares</em></span> and
    165165        is controlled by a set of parameters in the [global] section of the smb.conf.
     
    179179
    180180</p><pre class="programlisting">
    181         <a class="indexterm" name="id271980"></a>usershare path = /usr/local/samba/lib/usershares
    182         <a class="indexterm" name="id271987"></a>usershare max shares = 10 # (or the desired number of shares)
     181        <a class="indexterm" name="id300679"></a>usershare path = /usr/local/samba/lib/usershares
     182        <a class="indexterm" name="id300686"></a>usershare max shares = 10 # (or the desired number of shares)
    183183</pre><p>
    184184
    185185        to the global
    186186        section of your <code class="filename">smb.conf</code>. Members of the group foo may then manipulate the user defined shares
    187         using the following commands.</p><div class="variablelist"><dl><dt><span class="term">net usershare add sharename path [comment] [acl] [guest_ok=[y|n]]</span></dt><dd><p>To create or modify (overwrite) a user defined share.</p></dd><dt><span class="term">net usershare delete sharename</span></dt><dd><p>To delete a user defined share.</p></dd><dt><span class="term">net usershare list wildcard-sharename</span></dt><dd><p>To list user defined shares.</p></dd><dt><span class="term">net usershare info wildcard-sharename</span></dt><dd><p>To print information about user defined shares.</p></dd></dl></div></div><div class="refsect1" lang="en"><a name="id272054"></a><h2>PARAMETERS</h2><p>Parameters define the specific attributes of sections.</p><p>
     187        using the following commands.</p><div class="variablelist"><dl><dt><span class="term">net usershare add sharename path [comment] [acl] [guest_ok=[y|n]]</span></dt><dd><p>To create or modify (overwrite) a user defined share.</p></dd><dt><span class="term">net usershare delete sharename</span></dt><dd><p>To delete a user defined share.</p></dd><dt><span class="term">net usershare list wildcard-sharename</span></dt><dd><p>To list user defined shares.</p></dd><dt><span class="term">net usershare info wildcard-sharename</span></dt><dd><p>To print information about user defined shares.</p></dd></dl></div></div><div class="refsect1" lang="en"><a name="id300754"></a><h2>PARAMETERS</h2><p>Parameters define the specific attributes of sections.</p><p>
    188188        Some parameters are specific to the [global] section (e.g., <span class="emphasis"><em>security</em></span>).  Some parameters
    189189        are usable in all sections (e.g., <span class="emphasis"><em>create mask</em></span>). All others are permissible only in normal
     
    197197        find them! Where there are synonyms, the preferred synonym is described, others refer to the preferred
    198198        synonym.
    199         </p></div><div class="refsect1" lang="en"><a name="id272095"></a><h2>VARIABLE SUBSTITUTIONS</h2><p>
     199        </p></div><div class="refsect1" lang="en"><a name="id300795"></a><h2>VARIABLE SUBSTITUTIONS</h2><p>
    200200        Many of the strings that are settable in the config file can take substitutions. For example the option
    201201        &#8220;<span class="quote">path = /tmp/%u</span>&#8221; is interpreted as &#8220;<span class="quote">path = /tmp/john</span>&#8221; if the user connected with the
     
    254254                controls what the default case is for new filenames (ie. files that don't currently exist in the filesystem).
    255255                Default <span class="emphasis"><em>lower</em></span>.  IMPORTANT NOTE: This option will be used to modify the case of
    256                 <span class="emphasis"><em>all</em></span> incoming client filenames, not just new filenames if the options <a class="indexterm" name="id272536"></a>case sensitive = yes, <a class="indexterm" name="id272543"></a>preserve case = No,
    257                 <a class="indexterm" name="id272550"></a>short preserve case = No are set.  This change is needed as part of the
     256                <span class="emphasis"><em>all</em></span> incoming client filenames, not just new filenames if the options <a class="indexterm" name="id301235"></a>case sensitive = yes, <a class="indexterm" name="id301242"></a>preserve case = No,
     257                <a class="indexterm" name="id301249"></a>short preserve case = No are set.  This change is needed as part of the
    258258                optimisations for directories containing large numbers of files.
    259259                </p></dd><dt><span class="term">preserve case = yes/no</span></dt><dd><p>
     
    301301                If the service is a guest service, a connection is made as the username given in the <code class="literal">guest account
    302302                =</code> for the service, irrespective of the supplied password.
    303                 </p></li></ol></div></div><div class="refsect1" lang="en"><a name="id272744"></a><h2>EXPLANATION OF EACH PARAMETER</h2><div class="variablelist"><dl><dt><span class="term"><a name="ABORTSHUTDOWNSCRIPT"></a>abort shutdown script (G)</span></dt><dd><p>This a full path name to a script called by <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> that
    304         should stop a shutdown procedure issued by the <a class="indexterm" name="id272784"></a>shutdown script.</p><p>If the connected user posseses the <code class="constant">SeRemoteShutdownPrivilege</code>,
     303                </p></li></ol></div></div><div class="refsect1" lang="en"><a name="id301444"></a><h2>EXPLANATION OF EACH PARAMETER</h2><div class="variablelist"><dl><dt><span class="term"><a name="ABORTSHUTDOWNSCRIPT"></a>abort shutdown script (G)</span></dt><dd><p>This a full path name to a script called by <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> that
     304        should stop a shutdown procedure issued by the <a class="indexterm" name="id301484"></a>shutdown script.</p><p>If the connected user posseses the <code class="constant">SeRemoteShutdownPrivilege</code>,
    305305        right, this command will be run as user.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>abort shutdown script</code></em> = ""
    306306</em></span>
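Review bot: Lines 303 and 304 carry two wording errors over from r30 unchanged: "This a full path name" is missing "is", and "posseses" should be "possesses". The sentence running from 304 into 305 ("... SeRemoteShutdownPrivilege, right, this command will be run as user") also leaves unclear which account runs the script. Only the indexterm id changed here, so these are best fixed in the DocBook source this page is generated from.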
     
    352352        control the permissions on a file or directory they have group ownership on.
    353353        </p><p>
    354         This parameter is best used with the <a class="indexterm" name="id272985"></a>inherit owner option and also
     354        This parameter is best used with the <a class="indexterm" name="id301685"></a>inherit owner option and also
    355355        on on a share containing directories with the UNIX <span class="emphasis"><em>setgid bit</em></span> bit set
    356356        on them, which causes new files and directories created within it to inherit the group
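Review bot: Context line 355 reads "on on a share containing directories with the UNIX setgid bit bit set", with both "on" and "bit" doubled. The changed line 354 only swaps the indexterm id, so the sentence is untouched by this upgrade; it is worth correcting in the source so the inherited-group behaviour described here reads cleanly.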
     
    384384        added to Samba's domain and a Unix account matching the machine's name appended with a "$" does not
    385385        already exist.
    386         </p><p>This option is very similar to the <a class="indexterm" name="id273163"></a>add user script, and likewise uses the %u
     386        </p><p>This option is very similar to the <a class="indexterm" name="id301862"></a>add user script, and likewise uses the %u
    387387        substitution for the account name.  Do not use the %m
    388388        substitution.  </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>add machine script</code></em> =
     
    454454                        </p></li></ul></div><p>
    455455        This parameter is only used for add file shares.  To add printer shares,
    456         see the <a class="indexterm" name="id273574"></a>addprinter command.
     456        see the <a class="indexterm" name="id302273"></a>addprinter command.
    457457        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>add share command</code></em> =
    458458</em></span>
     
    471471        </p><p>
    472472        In order to use this option, <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> must <span class="emphasis"><em>NOT</em></span> be set to
    473         <a class="indexterm" name="id229350"></a>security = share and <a class="indexterm" name="id229357"></a>add user script
     473        <a class="indexterm" name="id258179"></a>security = share and <a class="indexterm" name="id258186"></a>add user script
    474474        must be set to a full pathname for a script that will create a UNIX user given one argument of
    475475        <em class="parameter"><code>%u</code></em>, which expands into the UNIX user name to create.
    476476        </p><p>
    477477        When the Windows user attempts to access the Samba server, at login (session setup in
    478         the SMB protocol) time, <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> contacts the <a class="indexterm" name="id229383"></a>password server
     478        the SMB protocol) time, <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> contacts the <a class="indexterm" name="id258212"></a>password server
    479479        and attempts to authenticate the given user with the given password. If the authentication
    480480        succeeds then <span><strong class="command">smbd</strong></span> attempts to find a UNIX user in the UNIX
    481481        password database to map the Windows user into. If this lookup fails, and
    482         <a class="indexterm" name="id229398"></a>add user script is set then <span><strong class="command">smbd</strong></span> will
     482        <a class="indexterm" name="id258227"></a>add user script is set then <span><strong class="command">smbd</strong></span> will
    483483        call the specified script <span class="emphasis"><em>AS ROOT</em></span>, expanding any
    484484        <em class="parameter"><code>%u</code></em> argument to be the user name to create.
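Review bot: Lines 482-484 state that smbd calls the add user script AS ROOT with %u expanded to the user name, and lines 477-481 show that this name is the Windows user who has just authenticated against the password server, yet the description gives no guidance on how the script should treat that argument. Only the indexterm ids change in this hunk, so the wording is as in r30; suggest a follow-up in the source adding a sentence that the script must validate and quote its %u argument before handing it to account-creation tools.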
     
    488488        match existing Windows NT accounts.
    489489        </p><p>
    490         See also <a class="indexterm" name="id273817"></a>security, <a class="indexterm" name="id273824"></a>password server,
    491         <a class="indexterm" name="id273831"></a>delete user script.
     490        See also <a class="indexterm" name="id302516"></a>security, <a class="indexterm" name="id302523"></a>password server,
     491        <a class="indexterm" name="id302530"></a>delete user script.
    492492        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>add user script</code></em> =
    493493</em></span>
     
    510510    will do all file operations as the super-user (root).</p><p>You should use this option very carefully, as any user in
    511511    this list will be able to do anything they like on the share,
    512     irrespective of file permissions.</p><p>This parameter will not work with the <a class="indexterm" name="id273971"></a>security = share in
     512    irrespective of file permissions.</p><p>This parameter will not work with the <a class="indexterm" name="id302671"></a>security = share in
    513513    Samba 3.0.  This is by design.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>admin users</code></em> =
    514514</em></span>
     
    560560</em></span>
    561561</p></dd><dt><span class="term"><a name="ALLOWTRUSTEDDOMAINS"></a>allow trusted domains (G)</span></dt><dd><p>
    562     This option only takes effect when the <a class="indexterm" name="id274224"></a>security option is set to
     562    This option only takes effect when the <a class="indexterm" name="id302924"></a>security option is set to
    563563    <code class="constant">server</code>, <code class="constant">domain</code> or <code class="constant">ads</code>. 
    564564    If it is set to no, then attempts to connect to a resource from
     
    595595</p></dd><dt><span class="term"><a name="AUTHMETHODS"></a>auth methods (G)</span></dt><dd><p>
    596596    This option allows the administrator to chose what authentication methods <span><strong class="command">smbd</strong></span>
    597     will use when authenticating a user. This option defaults to sensible values based on <a class="indexterm" name="id274394"></a>security. 
     597    will use when authenticating a user. This option defaults to sensible values based on <a class="indexterm" name="id303094"></a>security. 
    598598    This should be considered a developer option and used only in rare circumstances.  In the majority (if not all)
    599599    of production servers, the default setting should be adequate.
     
    623623        affects file service <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> and name service <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a> in a slightly different ways.</p><p>
    624624        For name service it causes <span><strong class="command">nmbd</strong></span> to bind to ports 137 and 138 on the
    625         interfaces listed in the <a class="indexterm" name="id274548"></a>interfaces parameter. <span><strong class="command">nmbd</strong></span>
     625        interfaces listed in the <a class="indexterm" name="id303248"></a>interfaces parameter. <span><strong class="command">nmbd</strong></span>
    626626        also binds to the "all addresses" interface (0.0.0.0) on ports 137 and 138 for the purposes of
    627627        reading broadcast messages.  If this option is not set then <span><strong class="command">nmbd</strong></span> will
    628         service name requests on all of these sockets. If <a class="indexterm" name="id274569"></a>bind interfaces only is set then
     628        service name requests on all of these sockets. If <a class="indexterm" name="id303269"></a>bind interfaces only is set then
    629629         <span><strong class="command">nmbd</strong></span> will check the source address of any packets coming in on the
    630630        broadcast sockets and discard any that don't match the broadcast addresses of the interfaces in the
    631         <a class="indexterm" name="id274584"></a>interfaces parameter list.  As unicast packets are received on the other sockets it
     631        <a class="indexterm" name="id303283"></a>interfaces parameter list.  As unicast packets are received on the other sockets it
    632632        allows <span><strong class="command">nmbd</strong></span> to refuse to serve names to machines that send packets that
    633         arrive through any interfaces not listed in the <a class="indexterm" name="id274598"></a>interfaces list.  IP Source address
     633        arrive through any interfaces not listed in the <a class="indexterm" name="id303298"></a>interfaces list.  IP Source address
    634634        spoofing does defeat this simple check, however, so it must not be used seriously as a security feature for
    635635         <span><strong class="command">nmbd</strong></span>.
    636636        </p><p>
    637         For file service it causes <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> to bind only to the interface list given in the <a class="indexterm" name="id274624"></a>interfaces parameter. This restricts the networks that <span><strong class="command">smbd</strong></span> will
     637        For file service it causes <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> to bind only to the interface list given in the <a class="indexterm" name="id303323"></a>interfaces parameter. This restricts the networks that <span><strong class="command">smbd</strong></span> will
    638638        serve to packets coming in those interfaces.  Note that you should not use this parameter for machines that
    639639        are serving PPP or other intermittent or non-broadcast network interfaces as it will not cope with
    640640        non-permanent interfaces.
    641641        </p><p>
    642         If <a class="indexterm" name="id274642"></a>bind interfaces only is set then unless the network address
    643          <span class="emphasis"><em>127.0.0.1</em></span> is added to the <a class="indexterm" name="id274654"></a>interfaces parameter list
     642        If <a class="indexterm" name="id303342"></a>bind interfaces only is set then unless the network address
     643         <span class="emphasis"><em>127.0.0.1</em></span> is added to the <a class="indexterm" name="id303353"></a>interfaces parameter list
    644644         <a href="smbpasswd.8.html"><span class="citerefentry"><span class="refentrytitle">smbpasswd</span>(8)</span></a> and
    645645         <a href="swat.8.html"><span class="citerefentry"><span class="refentrytitle">swat</span>(8)</span></a> may not work as
     
    648648        To change a users SMB password, the <span><strong class="command">smbpasswd</strong></span> by default connects to the
    649649         <span class="emphasis"><em>localhost - 127.0.0.1</em></span> address as an SMB client to issue the password change request. If
    650         <a class="indexterm" name="id274691"></a>bind interfaces only is set then unless the network address
    651          <span class="emphasis"><em>127.0.0.1</em></span> is added to the <a class="indexterm" name="id274702"></a>interfaces parameter list then <span><strong class="command"> smbpasswd</strong></span> will fail to connect in it's default mode.  <span><strong class="command">smbpasswd</strong></span> can be forced to use the primary IP interface of the local host by using
     650        <a class="indexterm" name="id303391"></a>bind interfaces only is set then unless the network address
     651         <span class="emphasis"><em>127.0.0.1</em></span> is added to the <a class="indexterm" name="id303402"></a>interfaces parameter list then <span><strong class="command"> smbpasswd</strong></span> will fail to connect in it's default mode.  <span><strong class="command">smbpasswd</strong></span> can be forced to use the primary IP interface of the local host by using
    652652        its <a href="smbpasswd.8.html"><span class="citerefentry"><span class="refentrytitle">smbpasswd</span>(8)</span></a>    <em class="parameter"><code>-r <em class="replaceable"><code>remote machine</code></em></code></em> parameter, with <em class="replaceable"><code>remote
    653653        machine</code></em> set to the IP name of the primary interface of the local host.
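Review bot: On line 651, "it's default mode" should be "its default mode", and the command element renders as " smbpasswd" with a stray leading space inside the strong tag; both are unchanged from r30. Context line 648 has "a users SMB password" for "a user's". Since this passage explains why smbpasswd fails when 127.0.0.1 is missing from the interfaces list under bind interfaces only, it is one administrators will read closely and is worth cleaning up in the source.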
     
    693693        this.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>browse list</code></em> = yes
    694694</em></span>
    695 </p></dd><dt><span class="term"><a name="CASESIGNAMES"></a>casesignames</span></dt><dd><p>This parameter is a synonym for case sensitive.</p></dd><dt><span class="term"><a name="CASESENSITIVE"></a>case sensitive (S)</span></dt><dd><p>See the discussion in the section <a class="indexterm" name="id275081"></a>name mangling.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>case sensitive</code></em> = no
     695</p></dd><dt><span class="term"><a name="CASESIGNAMES"></a>casesignames</span></dt><dd><p>This parameter is a synonym for case sensitive.</p></dd><dt><span class="term"><a name="CASESENSITIVE"></a>case sensitive (S)</span></dt><dd><p>See the discussion in the section <a class="indexterm" name="id303781"></a>name mangling.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>case sensitive</code></em> = no
    696696</em></span>
    697697</p></dd><dt><span class="term"><a name="CHANGENOTIFY"></a>change notify (S)</span></dt><dd><p>This parameter specifies whether Samba should reply
     
    768768</p></dd><dt><span class="term"><a name="CLIENTSCHANNEL"></a>client schannel (G)</span></dt><dd><p>
    769769    This controls whether the client offers or even demands the use of the netlogon schannel.
    770     <a class="indexterm" name="id275554"></a>client schannel = no does not offer the schannel,
    771     <a class="indexterm" name="id275561"></a>client schannel = auto offers the schannel but does not
    772     enforce it, and <a class="indexterm" name="id275569"></a>client schannel = yes denies access
     770    <a class="indexterm" name="id304254"></a>client schannel = no does not offer the schannel,
     771    <a class="indexterm" name="id304261"></a>client schannel = auto offers the schannel but does not
     772    enforce it, and <a class="indexterm" name="id304268"></a>client schannel = yes denies access
    773773    if the server is not able to speak netlogon schannel.
    774774    </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>client schannel</code></em> = auto
     
    794794        neighborhood or via <span><strong class="command">net view</strong></span> to list what shares
    795795        are available.</p><p>If you want to set the string that is displayed next to the
    796                 machine name then see the <a class="indexterm" name="id275717"></a>server string parameter.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>comment</code></em> =
     796                machine name then see the <a class="indexterm" name="id304416"></a>server string parameter.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>comment</code></em> =
    797797# No comment
    798798</em></span>
     
    829829        </p><p>
    830830        Following this Samba will bit-wise 'OR' the UNIX mode created from this parameter with the value of the
    831         <a class="indexterm" name="id275925"></a>force create mode parameter which is set to 000 by default.
    832         </p><p>
    833         This parameter does not affect directory masks. See the parameter <a class="indexterm" name="id275936"></a>directory mask
     831        <a class="indexterm" name="id304624"></a>force create mode parameter which is set to 000 by default.
     832        </p><p>
     833        This parameter does not affect directory masks. See the parameter <a class="indexterm" name="id304636"></a>directory mask
    834834        for details.
    835835        </p><p>
    836836        Note that this parameter does not apply to permissions set by Windows NT/2000 ACL editors. If the
    837         administrator wishes to enforce a mask on access control lists also, they need to set the <a class="indexterm" name="id275948"></a>security mask.
     837        administrator wishes to enforce a mask on access control lists also, they need to set the <a class="indexterm" name="id304648"></a>security mask.
    838838        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>create mask</code></em> = 0744
    839839</em></span>
     
    847847        </p><p>
    848848        For example, shares containing roaming profiles can have offline caching disabled using
    849         <a class="indexterm" name="id276013"></a>csc policy = disable.
     849        <a class="indexterm" name="id304713"></a>csc policy = disable.
    850850        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>csc policy</code></em> = manual
    851851</em></span>
     
    853853</em></span>
    854854</p></dd><dt><span class="term"><a name="CUPSOPTIONS"></a>cups options (S)</span></dt><dd><p>
    855     This parameter is only applicable if <a class="indexterm" name="id276066"></a>printing is
     855    This parameter is only applicable if <a class="indexterm" name="id304765"></a>printing is
    856856    set to <code class="constant">cups</code>.  Its value is a free form string of options
    857857    passed directly to the cups library. 
     
    872872</em></span>
    873873</p></dd><dt><span class="term"><a name="CUPSSERVER"></a>cups server (G)</span></dt><dd><p>
    874     This parameter is only applicable if <a class="indexterm" name="id276149"></a>printing is set to <code class="constant">cups</code>.
     874    This parameter is only applicable if <a class="indexterm" name="id304848"></a>printing is set to <code class="constant">cups</code>.
    875875    </p><p>
    876876   If set, this option overrides the ServerName option in the CUPS <code class="filename">client.conf</code>. This is
     
    901901    boolean parameter adds microsecond resolution to the timestamp  message header when turned on.
    902902    </p><p>
    903     Note that the parameter <a class="indexterm" name="id276299"></a>debug timestamp must be on for this to have an effect.
     903    Note that the parameter <a class="indexterm" name="id304999"></a>debug timestamp must be on for this to have an effect.
    904904    </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>debug hires timestamp</code></em> = no
    905905</em></span>
     
    909909    logfile when turned on.
    910910    </p><p>
    911     Note that the parameter <a class="indexterm" name="id276352"></a>debug timestamp must be on for this to have an effect.
     911    Note that the parameter <a class="indexterm" name="id305052"></a>debug timestamp must be on for this to have an effect.
    912912    </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>debug pid</code></em> = no
    913913</em></span>
    914914</p></dd><dt><span class="term"><a name="DEBUGPREFIXTIMESTAMP"></a>debug prefix timestamp (G)</span></dt><dd><p>
    915915    With this option enabled, the timestamp message header is prefixed to the debug message without the
    916     filename and function information that is included with the <a class="indexterm" name="id276395"></a>debug timestamp
     916    filename and function information that is included with the <a class="indexterm" name="id305095"></a>debug timestamp
    917917    parameter. This gives timestamps to the messages without adding an additional line.
    918918    </p><p>
    919     Note that this parameter overrides the <a class="indexterm" name="id276406"></a>debug timestamp parameter.
     919    Note that this parameter overrides the <a class="indexterm" name="id305106"></a>debug timestamp parameter.
    920920    </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>debug prefix timestamp</code></em> = no
    921921</em></span>
    922922</p></dd><dt><span class="term"><a name="TIMESTAMPLOGS"></a>timestamp logs</span></dt><dd><p>This parameter is a synonym for debug timestamp.</p></dd><dt><span class="term"><a name="DEBUGTIMESTAMP"></a>debug timestamp (G)</span></dt><dd><p>
    923923    Samba debug log messages are timestamped by default. If you are running at a high
    924     <a class="indexterm" name="id276468"></a>debug level these timestamps can be distracting. This
     924    <a class="indexterm" name="id305168"></a>debug level these timestamps can be distracting. This
    925925    boolean parameter allows timestamping to be turned off.
    926926        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>debug timestamp</code></em> = yes
     
    930930    current euid, egid, uid and gid to the timestamp message headers in the log file if turned on.
    931931    </p><p>
    932     Note that the parameter <a class="indexterm" name="id276514"></a>debug timestamp must be on for this to have an effect.
     932    Note that the parameter <a class="indexterm" name="id305213"></a>debug timestamp must be on for this to have an effect.
    933933    </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>debug uid</code></em> = no
    934934</em></span>
    935 </p></dd><dt><span class="term"><a name="DEFAULTCASE"></a>default case (S)</span></dt><dd><p>See the section on <a class="indexterm" name="id276554"></a>name mangling.
    936         Also note the <a class="indexterm" name="id276561"></a>short preserve case parameter.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>default case</code></em> = lower
    937 </em></span>
    938 </p></dd><dt><span class="term"><a name="DEFAULTDEVMODE"></a>default devmode (S)</span></dt><dd><p>This parameter is only applicable to <a class="indexterm" name="id276602"></a>printable services.
     935</p></dd><dt><span class="term"><a name="DEFAULTCASE"></a>default case (S)</span></dt><dd><p>See the section on <a class="indexterm" name="id305254"></a>name mangling.
     936        Also note the <a class="indexterm" name="id305261"></a>short preserve case parameter.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>default case</code></em> = lower
     937</em></span>
     938</p></dd><dt><span class="term"><a name="DEFAULTDEVMODE"></a>default devmode (S)</span></dt><dd><p>This parameter is only applicable to <a class="indexterm" name="id305301"></a>printable services.
    939939    When smbd is serving Printer Drivers to Windows NT/2k/XP clients, each printer on the Samba
    940940    server has a Device Mode which defines things such as paper size and
     
    965965        parameter is not given, attempting to connect to a nonexistent
    966966        service results in an error.</p><p>
    967         Typically the default service would be a <a class="indexterm" name="id276709"></a>guest ok, <a class="indexterm" name="id276716"></a>read-only service.</p><p>Also note that the apparent service name will be changed to equal
     967        Typically the default service would be a <a class="indexterm" name="id305408"></a>guest ok, <a class="indexterm" name="id305415"></a>read-only service.</p><p>Also note that the apparent service name will be changed to equal
    968968        that of the requested service, this is very useful as it allows you to use macros like <em class="parameter"><code>%S</code></em> to make a wildcard service.
    969969        </p><p>Note also that any "_" characters in the name of the service
     
    997997    DeletePrinter() RPC call.</p><p>For a Samba host this means that the printer must be
    998998    physically deleted from underlying printing system.  The
    999     <a class="indexterm" name="id276887"></a>deleteprinter command defines a script to be run which
     999    <a class="indexterm" name="id305586"></a>deleteprinter command defines a script to be run which
    10001000    will perform the necessary operations for removing the printer
    10011001    from the print system and from <code class="filename">smb.conf</code>.
    1002     </p><p>The <a class="indexterm" name="id276904"></a>deleteprinter command is
    1003     automatically called with only one parameter: <a class="indexterm" name="id276912"></a>printer name.
    1004         </p><p>Once the <a class="indexterm" name="id276922"></a>deleteprinter command has
     1002    </p><p>The <a class="indexterm" name="id305604"></a>deleteprinter command is
     1003    automatically called with only one parameter: <a class="indexterm" name="id305611"></a>printer name.
     1004        </p><p>Once the <a class="indexterm" name="id305622"></a>deleteprinter command has
    10051005    been executed, <span><strong class="command">smbd</strong></span> will reparse the <code class="filename">
    10061006    smb.conf</code> to associated printer no longer exists. 
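Review bot: The sentence ending on line 1006, "smbd will reparse the smb.conf to associated printer no longer exists", is missing words between "to" and "associated" and is carried through this upgrade unchanged. Since it describes what smbd does after running an administrator-supplied script, the DocBook source should state the check explicitly. The `<code class="filename">` element on lines 1005 and 1006 also wraps a line break, which puts stray whitespace in front of the file name.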
     
    10321032                        </p></li></ul></div><p>
    10331033        This parameter is only used to remove file shares.  To delete printer shares,
    1034         see the <a class="indexterm" name="id277110"></a>deleteprinter command.
     1034        see the <a class="indexterm" name="id305810"></a>deleteprinter command.
    10351035        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>delete share command</code></em> =
    10361036</em></span>
     
    10571057</p></dd><dt><span class="term"><a name="DELETEVETOFILES"></a>delete veto files (S)</span></dt><dd><p>This option is used when Samba is attempting to
    10581058        delete a directory that contains one or more vetoed directories
    1059         (see the <a class="indexterm" name="id277300"></a>veto files
     1059        (see the <a class="indexterm" name="id306000"></a>veto files
    10601060        option).  If this option is set to <code class="constant">no</code> (the default) then if a vetoed
    10611061        directory contains any non-vetoed files or directories then the
     
    10651065        serving systems such as NetAtalk which create meta-files within
    10661066        directories you might normally veto DOS/Windows users from seeing
    1067         (e.g. <code class="filename">.AppleDouble</code>)</p><p>Setting <a class="indexterm" name="id277330"></a>delete veto files = yes allows these
     1067        (e.g. <code class="filename">.AppleDouble</code>)</p><p>Setting <a class="indexterm" name="id306030"></a>delete veto files = yes allows these
    10681068        directories to be  transparently deleted when the parent directory
    10691069        is deleted (so long as the user has permissions to do so).</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>delete veto files</code></em> = no
     
    10771077        This is a new parameter introduced in Samba version 3.0.21.  It specifies in seconds the time that smbd will
    10781078        cache the output of a disk free query. If set to zero (the default) no caching is done. This allows a heavily
    1079         loaded server to prevent rapid spawning of <a class="indexterm" name="id277385"></a>dfree command scripts increasing the load.
     1079        loaded server to prevent rapid spawning of <a class="indexterm" name="id306085"></a>dfree command scripts increasing the load.
    10801080        </p><p>
    10811081        By default this parameter is zero, meaning no caching will be done.
     
    10931093        </p><p>
    10941094        In Samba version 3.0.21 this parameter has been changed to be a per-share parameter, and in addition the
    1095         parameter <a class="indexterm" name="id277452"></a>dfree cache time was added to allow the output of this script to be cached
     1095        parameter <a class="indexterm" name="id306152"></a>dfree cache time was added to allow the output of this script to be cached
    10961096        for systems under heavy load.
    10971097        </p><p>
     
    11311131    and 'other' write bits from the UNIX mode, allowing only the
    11321132    user who owns the directory to modify it.</p><p>Following this Samba will bit-wise 'OR' the UNIX mode
    1133     created from this parameter with the value of the <a class="indexterm" name="id277580"></a>force directory mode parameter.
     1133    created from this parameter with the value of the <a class="indexterm" name="id306280"></a>force directory mode parameter.
    11341134    This parameter is set to 000 by default (i.e. no extra mode bits are added).</p><p>Note that this parameter does not apply to permissions
    11351135    set by Windows NT/2000 ACL editors. If the administrator wishes to enforce
    1136     a mask on access control lists also, they need to set the <a class="indexterm" name="id277593"></a>directory security mask.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>directory mask</code></em> = 0755
     1136    a mask on access control lists also, they need to set the <a class="indexterm" name="id306293"></a>directory security mask.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>directory mask</code></em> = 0755
    11371137</em></span>
    11381138</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>directory mask</code></em> = 0775
     
    11431143    box.</p><p>
    11441144        This parameter is applied as a mask (AND'ed with) to the changed permission bits, thus preventing any bits not
    1145         in this mask from being modified.  Make sure not to mix up this parameter with <a class="indexterm" name="id277652"></a>force  directory security mode, which works similar like this one but uses logical OR instead of AND.
     1145        in this mask from being modified.  Make sure not to mix up this parameter with <a class="indexterm" name="id306351"></a>force  directory security mode, which works similar like this one but uses logical OR instead of AND.
    11461146        Essentially, zero bits in this mask may be treated as a set of bits the user is not allowed to change.
    11471147        </p><p>If not set explicitly this parameter is set to 0777
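Review bot: Line 1145 keeps the wording "works similar like this one" and a doubled space inside the parameter name "force  directory security mode", while the matching sentence on line 1472 already reads "works in a similar manner to this one". Because the AND versus OR distinction decides which permission bits a user can change, both descriptions (and the same sentence on line 1540) should use the clearer form and spell the parameter name with single spaces.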
     
    11771177        The default value is "LOCALE", which means automatically set, depending on the
    11781178        current locale. The value should generally be the same as the value of the parameter
    1179         <a class="indexterm" name="id277804"></a>unix charset.
     1179        <a class="indexterm" name="id306503"></a>unix charset.
    11801180        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>display charset</code></em> = "LOCALE" or "ASCII" (depending on the system)
    11811181</em></span>
     
    12091209        If set to <code class="constant">yes</code>, the Samba server will
    12101210        provide the netlogon service for Windows 9X network logons for the
    1211         <a class="indexterm" name="id277964"></a>workgroup it is in.
     1211        <a class="indexterm" name="id306664"></a>workgroup it is in.
    12121212        This will also cause the Samba server to act as a domain
    12131213        controller for NT4 style domain services. For more details on
     
    12201220        WAN-wide browse list collation. Setting this option causes <span><strong class="command">nmbd</strong></span> to claim a
    12211221        special domain specific NetBIOS name that identifies it as a domain master browser for its given
    1222         <a class="indexterm" name="id278022"></a>workgroup. Local master browsers in the same <a class="indexterm" name="id278029"></a>workgroup on
     1222        <a class="indexterm" name="id306721"></a>workgroup. Local master browsers in the same <a class="indexterm" name="id306728"></a>workgroup on
    12231223        broadcast-isolated subnets will give this <span><strong class="command">nmbd</strong></span> their local browse lists,
    12241224        and then ask <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> for a
     
    12271227        broadcast-isolated subnet.
    12281228        </p><p>
    1229         Note that Windows NT Primary Domain Controllers expect to be able to claim this <a class="indexterm" name="id278057"></a>workgroup specific special NetBIOS name that identifies them as domain master browsers for that
    1230         <a class="indexterm" name="id278064"></a>workgroup by default (i.e. there is no way to prevent a Windows NT PDC from attempting
     1229        Note that Windows NT Primary Domain Controllers expect to be able to claim this <a class="indexterm" name="id306756"></a>workgroup specific special NetBIOS name that identifies them as domain master browsers for that
     1230        <a class="indexterm" name="id306764"></a>workgroup by default (i.e. there is no way to prevent a Windows NT PDC from attempting
    12311231        to do this). This means that if this parameter is set and <span><strong class="command">nmbd</strong></span> claims the
    1232         special name for a <a class="indexterm" name="id278079"></a>workgroup before a Windows NT PDC is able to do so then cross
     1232        special name for a <a class="indexterm" name="id306778"></a>workgroup before a Windows NT PDC is able to do so then cross
    12331233        subnet browsing will behave strangely and may fail.
    12341234        </p><p>
    1235         If <a class="indexterm" name="id278090"></a>domain logons = yes, then the default behavior is to enable the
    1236         <a class="indexterm" name="id278097"></a>domain master parameter.  If <a class="indexterm" name="id278105"></a>domain logons is not enabled (the
    1237         default setting), then neither will <a class="indexterm" name="id278112"></a>domain master be enabled by default.
    1238         </p><p>
    1239         When <a class="indexterm" name="id278123"></a>domain logons = Yes the default setting for this parameter is
    1240         Yes, with the result that Samba will be a PDC. If <a class="indexterm" name="id278131"></a>domain master = No,
     1235        If <a class="indexterm" name="id306790"></a>domain logons = yes, then the default behavior is to enable the
     1236        <a class="indexterm" name="id306797"></a>domain master parameter.  If <a class="indexterm" name="id306804"></a>domain logons is not enabled (the
     1237        default setting), then neither will <a class="indexterm" name="id306812"></a>domain master be enabled by default.
     1238        </p><p>
     1239        When <a class="indexterm" name="id306822"></a>domain logons = Yes the default setting for this parameter is
     1240        Yes, with the result that Samba will be a PDC. If <a class="indexterm" name="id306830"></a>domain master = No,
    12411241        Samba will function as a BDC. In general, this parameter should be set to 'No' only on a BDC.
    12421242        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>domain master</code></em> = auto
     
    13441344    <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> must either
    13451345    have access to a local <a href="smbpasswd.5.html"><span class="citerefentry"><span class="refentrytitle">smbpasswd</span>(5)</span></a> file (see the <a href="smbpasswd.8.html"><span class="citerefentry"><span class="refentrytitle">smbpasswd</span>(8)</span></a> program for information on how to set up
    1346     and maintain this file), or set the <a class="indexterm" name="id278606"></a>security = [server|domain|ads] parameter which
     1346    and maintain this file), or set the <a class="indexterm" name="id307306"></a>security = [server|domain|ads] parameter which
    13471347    causes <span><strong class="command">smbd</strong></span> to authenticate against another
    13481348        server.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>encrypt passwords</code></em> = yes
     
    14201420        file open/close operations. This can give enormous performance benefits.
    14211421        </p><p>When you set <span><strong class="command">fake oplocks = yes</strong></span>, <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> will
    1422         always grant oplock requests no matter how many clients are using the file.</p><p>It is generally much better to use the real <a class="indexterm" name="id278911"></a>oplocks support rather
     1422        always grant oplock requests no matter how many clients are using the file.</p><p>It is generally much better to use the real <a class="indexterm" name="id307611"></a>oplocks support rather
    14231423        than this parameter.</p><p>If you enable this option on all read-only shares or
    14241424        shares that you know will only be accessed from one client at a
     
    14701470        </p><p>
    14711471        This parameter is applied as a mask (OR'ed with) to the changed permission bits, thus forcing any bits in this
    1472         mask that the user may have modified to be on.  Make sure not to mix up this parameter with <a class="indexterm" name="id279154"></a>directory security mask, which works in a similar manner to this one, but uses a logical AND instead
     1472        mask that the user may have modified to be on.  Make sure not to mix up this parameter with <a class="indexterm" name="id307854"></a>directory security mask, which works in a similar manner to this one, but uses a logical AND instead
    14731473        of an OR.
    14741474        </p><p>
     
    15041504    primary group assigned to sys when accessing this Samba share. All
    15051505    other users will retain their ordinary primary group.</p><p>
    1506         If the <a class="indexterm" name="id279266"></a>force user parameter is also set the group specified in
     1506        If the <a class="indexterm" name="id307966"></a>force user parameter is also set the group specified in
    15071507    <em class="parameter"><code>force group</code></em> will override the primary group
    15081508    set in <em class="parameter"><code>force user</code></em>.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>force group</code></em> =
     
    15381538        </p><p>
    15391539        This parameter is applied as a mask (OR'ed with) to the changed permission bits, thus forcing any bits in this
    1540         mask that the user may have modified to be on.  Make sure not to mix up this parameter with <a class="indexterm" name="id279408"></a>security mask, which works similar like this one but uses logical AND instead of OR.
     1540        mask that the user may have modified to be on.  Make sure not to mix up this parameter with <a class="indexterm" name="id308108"></a>security mask, which works similar like this one but uses logical AND instead of OR.
    15411541        </p><p>
    15421542        Essentially, one bits in this mask may be treated as a set of bits that, when modifying security on a file,
     
    16061606    caching algorithm will be used to reduce the time taken for getwd()
    16071607    calls. This can have a significant impact on performance, especially
    1608     when the <a class="indexterm" name="id279813"></a>wide smbconfoptions parameter is set to <code class="constant">no</code>.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>getwd cache</code></em> = yes
     1608    when the <a class="indexterm" name="id308512"></a>wide smbconfoptions parameter is set to <code class="constant">no</code>.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>getwd cache</code></em> = yes
    16091609</em></span>
    16101610</p></dd><dt><span class="term"><a name="GUESTACCOUNT"></a>guest account (G)</span></dt><dd><p>This is a username which will be used for access
    1611     to services which are specified as <a class="indexterm" name="id279857"></a>guest ok (see below). Whatever privileges this
     1611    to services which are specified as <a class="indexterm" name="id308557"></a>guest ok (see below). Whatever privileges this
    16121612    user has will be available to any client connecting to the guest service.
    16131613    This user must exist in the password file, but does not require
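Review bot: Line 1608 refers to a "wide smbconfoptions parameter", which is not an smb.conf parameter name and looks like a reference that the stylesheet failed to expand. The intended parameter is presumably wide links; the source element should be fixed so that the rendered page names it, because a reader cannot look up the setting as written.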
     
    16281628</p></dd><dt><span class="term"><a name="PUBLIC"></a>public</span></dt><dd><p>This parameter is a synonym for guest ok.</p></dd><dt><span class="term"><a name="GUESTOK"></a>guest ok (S)</span></dt><dd><p>If this parameter is <code class="constant">yes</code> for
    16291629    a service, then no password is required to connect to the service.
    1630     Privileges will be those of the <a class="indexterm" name="id279965"></a>guest account.</p><p>This paramater nullifies the benifits of setting
    1631     <a class="indexterm" name="id279976"></a>restrict anonymous = 2
    1632         </p><p>See the section below on <a class="indexterm" name="id279986"></a>security for more information about this option.
     1630    Privileges will be those of the <a class="indexterm" name="id308664"></a>guest account.</p><p>This paramater nullifies the benifits of setting
     1631    <a class="indexterm" name="id308675"></a>restrict anonymous = 2
     1632        </p><p>See the section below on <a class="indexterm" name="id308686"></a>security for more information about this option.
    16331633        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>guest ok</code></em> = no
    16341634</em></span>
    16351635</p></dd><dt><span class="term"><a name="ONLYGUEST"></a>only guest</span></dt><dd><p>This parameter is a synonym for guest only.</p></dd><dt><span class="term"><a name="GUESTONLY"></a>guest only (S)</span></dt><dd><p>If this parameter is <code class="constant">yes</code> for
    16361636    a service, then only guest connections to the service are permitted.
    1637     This parameter will have no effect if <a class="indexterm" name="id280052"></a>guest ok is not set for the service.</p><p>See the section below on <a class="indexterm" name="id280063"></a>security for more information about this option.
     1637    This parameter will have no effect if <a class="indexterm" name="id308752"></a>guest ok is not set for the service.</p><p>See the section below on <a class="indexterm" name="id308762"></a>security for more information about this option.
    16381638        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>guest only</code></em> = no
    16391639</em></span>
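Review bot: The rewritten line 1630 still carries the misspellings "paramater" and "benifits", and the sentence that continues on line 1631 has no closing full stop. This is the one sentence telling administrators that guest ok defeats restrict anonymous = 2, so it should be corrected in the DocBook source, for example "This parameter nullifies the benefits of setting restrict anonymous = 2."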
     
    16771677</em></span>
    16781678</p></dd><dt><span class="term"><a name="HOMEDIRMAP"></a>homedir map (G)</span></dt><dd><p>
    1679         If <a class="indexterm" name="id280310"></a>nis homedir is <code class="constant">yes</code>, and <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> is also acting         as a Win95/98 <em class="parameter"><code>logon server</code></em>
     1679        If <a class="indexterm" name="id309010"></a>nis homedir is <code class="constant">yes</code>, and <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> is also acting         as a Win95/98 <em class="parameter"><code>logon server</code></em>
    16801680        then this parameter specifies the NIS (or YP) map from which the server for the user's  home directory should be extracted. 
    16811681        At present, only the Sun auto.home map format is understood. The form of the map is:
     
    16951695        Dfs trees hosted on the server.
    16961696        </p><p>
    1697         See also the <a class="indexterm" name="id280408"></a>msdfs root share  level  parameter.  For more  information  on
     1697        See also the <a class="indexterm" name="id309107"></a>msdfs root share  level  parameter.  For more  information  on
    16981698        setting  up a Dfs tree on Samba, refer to the MSFDS chapter in the book Samba3-HOWTO.
    16991699        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>host msdfs</code></em> = yes
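Review bot: Line 1698 refers to the "MSFDS chapter" of Samba3-HOWTO, while the parameters on lines 1697 and 1699 are spelled msdfs. The chapter name should read MSDFS so that it matches the parameter names and can be searched for.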
     
    17071707</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>hostname lookups</code></em> = yes
    17081708</em></span>
    1709 </p></dd><dt><span class="term"><a name="ALLOWHOSTS"></a>allow hosts</span></dt><dd><p>This parameter is a synonym for hosts allow.</p></dd><dt><span class="term"><a name="HOSTSALLOW"></a>hosts allow (S)</span></dt><dd><p>A synonym for this parameter is <a class="indexterm" name="id280529"></a>allow hosts.</p><p>This parameter is a comma, space, or tab delimited
     1709</p></dd><dt><span class="term"><a name="ALLOWHOSTS"></a>allow hosts</span></dt><dd><p>This parameter is a synonym for hosts allow.</p></dd><dt><span class="term"><a name="HOSTSALLOW"></a>hosts allow (S)</span></dt><dd><p>A synonym for this parameter is <a class="indexterm" name="id309228"></a>allow hosts.</p><p>This parameter is a comma, space, or tab delimited
    17101710    set of hosts which are permitted to access a service.</p><p>If specified in the [global] section then it will
    17111711    apply to all services, regardless of whether the individual
     
    17171717    page may not be present on your system, so a brief description will
    17181718    be given here also.</p><p>Note that the localhost address 127.0.0.1 will always
    1719     be allowed access unless specifically denied by a <a class="indexterm" name="id280567"></a>hosts deny option.</p><p>You can also specify hosts by network/netmask pairs and
     1719    be allowed access unless specifically denied by a <a class="indexterm" name="id309266"></a>hosts deny option.</p><p>You can also specify hosts by network/netmask pairs and
    17201720    by netgroup names if your system supports netgroups. The
    17211721    <span class="emphasis"><em>EXCEPT</em></span> keyword can also be used to limit a
     
    17341734        In the event that it is necessary to deny all by default, use the keyword
    17351735        ALL (or the netmask <code class="literal">0.0.0.0/0</code>) and then explicitly specify
    1736         to the <a class="indexterm" name="id280743"></a>hosts allow = hosts allow parameter those hosts
     1736        to the <a class="indexterm" name="id309443"></a>hosts allow = hosts allow parameter those hosts
    17371737        that should be permitted access.
    17381738        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>hosts deny</code></em> =
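Review bot: Line 1736 reads "to the hosts allow = hosts allow parameter", which renders the parameter as if it were assigned its own name. This paragraph is the deny-by-default instruction (ALL or 0.0.0.0/0 in hosts deny, then explicit entries in hosts allow), so it should simply say "to the hosts allow parameter" to leave no doubt about which option receives the permitted hosts.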
     
    17441744        The idmap alloc backend provides a plugin interface for Winbind to use
    17451745        when allocating Unix uids/gids for Windows SIDs.  This option is
    1746         to be used in conjunction with the <a class="indexterm" name="id280798"></a>idmap domains
     1746        to be used in conjunction with the <a class="indexterm" name="id309497"></a>idmap domains
    17471747        parameter and refers to the name of the idmap module which will provide
    17481748        the id allocation functionality.  Please refer to the man page
     
    17501750        the allocation feature.  The most common plugins are the tdb (<a href="idmap_tdb.8.html"><span class="citerefentry"><span class="refentrytitle">idmap_tdb</span>(8)</span></a>)
    17511751        and ldap (<a href="idmap_ldap.8.html"><span class="citerefentry"><span class="refentrytitle">idmap_ldap</span>(8)</span></a>) libraries.
    1752         </p><p>Also refer to the <a class="indexterm" name="id280826"></a>idmap alloc config option.
     1752        </p><p>Also refer to the <a class="indexterm" name="id309526"></a>idmap alloc config option.
    17531753        </p><p><span class="emphasis"><em>No default</em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>idmap alloc backend</code></em> = tdb
    17541754</em></span>
    17551755</p></dd><dt><span class="term"><a name="IDMAPALLOCCONFIG"></a>idmap alloc config (G)</span></dt><dd><p>
    17561756        The idmap alloc config prefix provides a means of managing settings
    1757         for the backend defined by the <a class="indexterm" name="id280871"></a>idmap alloc backend
     1757        for the backend defined by the <a class="indexterm" name="id309571"></a>idmap alloc backend
    17581758        parameter.  Refer to the man page for each idmap plugin regarding
    17591759        specific configuration details.
     
    17621762        varying backends to store SID/uid/gid mapping tables.  This
    17631763        option is mutually exclusive with the newer and more flexible
    1764         <a class="indexterm" name="id280906"></a>idmap domains parameter.  The main difference
     1764        <a class="indexterm" name="id309606"></a>idmap domains parameter.  The main difference
    17651765        between the "idmap backend" and the "idmap domains"
    17661766        is that the former only allows on backend for all domains while the
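Review bot: Line 1766 says the former "only allows on backend for all domains"; "on" should be "one". The typo sits in the sentence that explains the difference between idmap backend and idmap domains, two options the text calls mutually exclusive, so it is worth fixing in the source rather than carrying it forward.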
     
    17771777</p></dd><dt><span class="term"><a name="IDMAPCONFIG"></a>idmap config (G)</span></dt><dd><p>
    17781778        The idmap config prefix provides a means of managing each domain
    1779         defined by the <a class="indexterm" name="id281018"></a>idmap domains option using Samba's
     1779        defined by the <a class="indexterm" name="id309718"></a>idmap domains option using Samba's
    17801780        parameteric option support.  The idmap config prefix should be
    17811781        followed by the name of the domain, a colon, and a setting specific to
     
    17911791                </p></dd><dt><span class="term">readonly = [yes|no]</span></dt><dd><p>
    17921792                        Mark the domain as readonly which means that no attempts to
    1793                         allocate a uid or gid (by the <a class="indexterm" name="id281066"></a>idmap alloc     backend) for any user or group in that domain
     1793                        allocate a uid or gid (by the <a class="indexterm" name="id309765"></a>idmap alloc     backend) for any user or group in that domain
    17941794                        will be attempted.
    17951795                </p></dd></dl></div><p>
     
    18101810        The idmap domains option defines a list of Windows domains which will each
    18111811        have a separately configured backend for managing Winbind's SID/uid/gid
    1812         tables.  This parameter is mutually exclusive with the older <a class="indexterm" name="id281133"></a>idmap backend option.
     1812        tables.  This parameter is mutually exclusive with the older <a class="indexterm" name="id309833"></a>idmap backend option.
    18131813        </p><p>
    18141814        Values consist of the short domain name for Winbind's primary or collection
     
    18161816        domain backend for any domain not explicitly listed.
    18171817        </p><p>
    1818         Refer to the <a class="indexterm" name="id281149"></a>idmap config for details about
     1818        Refer to the <a class="indexterm" name="id309849"></a>idmap config for details about
    18191819        managing the SID/uid/gid backend for each domain.
    18201820        </p><p><span class="emphasis"><em>No default</em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>idmap domains</code></em> = default AD CORP
     
    18241824        SIDs. This range of group ids should have no
    18251825        existing local or NIS groups within it as strange conflicts can
    1826         occur otherwise.</p><p>See also the <a class="indexterm" name="id281221"></a>idmap backend, <a class="indexterm" name="id281228"></a>idmap domains, and <a class="indexterm" name="id281235"></a>idmap config options.
     1826        occur otherwise.</p><p>See also the <a class="indexterm" name="id309921"></a>idmap backend, <a class="indexterm" name="id309928"></a>idmap domains, and <a class="indexterm" name="id309935"></a>idmap config options.
    18271827        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>idmap gid</code></em> =
    18281828</em></span>
     
    18371837        allocated for use in mapping UNIX users to NT user SIDs. This
    18381838        range of ids should have no existing local
    1839         or NIS users within it as strange conflicts can occur otherwise.</p><p>See also the <a class="indexterm" name="id281348"></a>idmap backend, <a class="indexterm" name="id281355"></a>idmap domains, and <a class="indexterm" name="id281362"></a>idmap config options.
     1839        or NIS users within it as strange conflicts can occur otherwise.</p><p>See also the <a class="indexterm" name="id310047"></a>idmap backend, <a class="indexterm" name="id310054"></a>idmap domains, and <a class="indexterm" name="id310062"></a>idmap config options.
    18401840        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>idmap uid</code></em> =
    18411841</em></span>
     
    18541854</p></dd><dt><span class="term"><a name="INHERITACLS"></a>inherit acls (S)</span></dt><dd><p>This parameter can be used to ensure that if default acls
    18551855    exist on parent directories, they are always honored when creating a
    1856     subdirectory. The default behavior is to use the mode specified when
    1857     creating the directory.  Enabling this option sets the mode to 0777,
    1858     thus guaranteeing that  default directory acls are propagated.
     1856    new file or subdirectory in these parent directories. The default
     1857    behavior is to use the unix mode specified when creating the directory.
     1858    Enabling this option sets the unix mode to 0777, thus guaranteeing that
     1859    default directory acls are propagated.
    18591860</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>inherit acls</code></em> = no
    18601861</em></span>
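Review bot: the added text widens the scope to a "new file or subdirectory" on line 1856, but added line 1857 still says the unix mode is the one "specified when creating the directory", so the file case is left undescribed. Suggest "when creating the file or directory". Since the option is documented as setting the unix mode to 0777, the paragraph should also state what permissions result when the parent directory carries no default acl, because an administrator needs to know that before enabling it on a share.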
     
    18691870</em></span>
    18701871</p></dd><dt><span class="term"><a name="INHERITPERMISSIONS"></a>inherit permissions (S)</span></dt><dd><p>
    1871         The permissions on new files and directories are normally governed by <a class="indexterm" name="id281556"></a>create mask,
    1872         <a class="indexterm" name="id281563"></a>directory mask, <a class="indexterm" name="id281570"></a>force create mode and <a class="indexterm" name="id281577"></a>force directory mode but the boolean inherit permissions parameter overrides this.
     1872        The permissions on new files and directories are normally governed by <a class="indexterm" name="id310256"></a>create mask,
     1873        <a class="indexterm" name="id310263"></a>directory mask, <a class="indexterm" name="id310270"></a>force create mode and <a class="indexterm" name="id310277"></a>force directory mode but the boolean inherit permissions parameter overrides this.
    18731874        </p><p>New directories inherit the mode of the parent directory,
    18741875    including bits such as setgid.</p><p>
    18751876        New files inherit their read/write bits from the parent directory.  Their execute bits continue to be
    1876         determined by <a class="indexterm" name="id281593"></a>map archive, <a class="indexterm" name="id281600"></a>map hidden and <a class="indexterm" name="id281607"></a>map system as usual.
     1877        determined by <a class="indexterm" name="id310293"></a>map archive, <a class="indexterm" name="id310300"></a>map hidden and <a class="indexterm" name="id310307"></a>map system as usual.
    18771878        </p><p>Note that the setuid bit is <span class="emphasis"><em>never</em></span> set via
    18781879    inheritance (the code explicitly prohibits this).</p><p>This can be particularly useful on large systems with
     
    19251926</em></span>
    19261927</p></dd><dt><span class="term"><a name="IPRINTSERVER"></a>iprint server (G)</span></dt><dd><p>
    1927     This parameter is only applicable if <a class="indexterm" name="id281841"></a>printing is set to <code class="constant">iprint</code>.
     1928    This parameter is only applicable if <a class="indexterm" name="id310541"></a>printing is set to <code class="constant">iprint</code>.
    19281929    </p><p>
    19291930   If set, this option overrides the ServerName option in the CUPS <code class="filename">client.conf</code>. This is
     
    19381939    sent. Keepalive packets, if sent, allow the server to tell whether
    19391940    a client is still present and responding.</p><p>Keepalives should, in general, not be needed if the socket
    1940     has the SO_KEEPALIVE attribute set on it by default. (see <a class="indexterm" name="id281920"></a>socket options).
     1941    has the SO_KEEPALIVE attribute set on it by default. (see <a class="indexterm" name="id310620"></a>socket options).
    19411942Basically you should only use this option if you strike difficulties.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>keepalive</code></em> = 300
    19421943</em></span>
     
    19501951        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>kernel change notify</code></em> = yes
    19511952</em></span>
    1952 </p></dd><dt><span class="term"><a name="KERNELOPLOCKS"></a>kernel oplocks (G)</span></dt><dd><p>For UNIXes that support kernel based <a class="indexterm" name="id282010"></a>oplocks
     1953</p></dd><dt><span class="term"><a name="KERNELOPLOCKS"></a>kernel oplocks (G)</span></dt><dd><p>For UNIXes that support kernel based <a class="indexterm" name="id310710"></a>oplocks
    19531954        (currently only IRIX and the Linux 2.4 kernel), this parameter
    19541955        allows the use of them to be turned on or off.</p><p>Kernel oplocks support allows Samba <em class="parameter"><code>oplocks
     
    19871988</em></span>
    19881989</p></dd><dt><span class="term"><a name="LDAPADMINDN"></a>ldap admin dn (G)</span></dt><dd><p>
    1989         The <a class="indexterm" name="id282202"></a>ldap admin dn defines the Distinguished  Name (DN) name used by Samba to contact
    1990         the ldap server when retreiving  user account information. The <a class="indexterm" name="id282211"></a>ldap admin dn is used
     1990        The <a class="indexterm" name="id310902"></a>ldap admin dn defines the Distinguished  Name (DN) name used by Samba to contact
     1991        the ldap server when retreiving  user account information. The <a class="indexterm" name="id310911"></a>ldap admin dn is used
    19911992        in conjunction with the admin dn password stored in the <code class="filename">private/secrets.tdb</code>
    19921993        file.  See the <a href="smbpasswd.8.html"><span class="citerefentry"><span class="refentrytitle">smbpasswd</span>(8)</span></a>
    19931994        man page for more information on how  to accomplish this.
    19941995        </p><p>
    1995         The <a class="indexterm" name="id282236"></a>ldap admin dn requires a fully specified DN. The <a class="indexterm" name="id282243"></a>ldap  suffix is not appended to the <a class="indexterm" name="id282251"></a>ldap admin dn.
     1996        The <a class="indexterm" name="id310936"></a>ldap admin dn requires a fully specified DN. The <a class="indexterm" name="id310943"></a>ldap  suffix is not appended to the <a class="indexterm" name="id310951"></a>ldap admin dn.
    19961997        </p><p><span class="emphasis"><em>No default</em></span></p></dd><dt><span class="term"><a name="LDAPDELETEDN"></a>ldap delete dn (G)</span></dt><dd><p> This parameter specifies whether a delete
    19971998        operation in the ldapsam deletes the complete entry or only the attributes
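Review bot: the misspelling "retreiving" is carried over unchanged into added line 1991 and should read "retrieving". Added line 1990 also keeps "Distinguished  Name (DN) name", where the trailing "name" is redundant. If this HTML is generated, both are better fixed in its source so they do not reappear on the next regeneration.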
     
    20012002</p></dd><dt><span class="term"><a name="LDAPGROUPSUFFIX"></a>ldap group suffix (G)</span></dt><dd><p>This parameter specifies the suffix that is
    20022003        used for groups when these are added to the LDAP directory.
    2003         If this parameter is unset, the value of <a class="indexterm" name="id282319"></a>ldap suffix will be used instead.  The suffix string is pre-pended to the
    2004         <a class="indexterm" name="id282326"></a>ldap suffix string so use a partial DN.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>ldap group suffix</code></em> =
     2004        If this parameter is unset, the value of <a class="indexterm" name="id311019"></a>ldap suffix will be used instead.  The suffix string is pre-pended to the
     2005        <a class="indexterm" name="id311026"></a>ldap suffix string so use a partial DN.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>ldap group suffix</code></em> =
    20052006</em></span>
    20062007</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>ldap group suffix</code></em> = ou=Groups
     
    20082009</p></dd><dt><span class="term"><a name="LDAPIDMAPSUFFIX"></a>ldap idmap suffix (G)</span></dt><dd><p>
    20092010        This parameters specifies the suffix that is used when storing idmap mappings. If this parameter
    2010         is unset, the value of <a class="indexterm" name="id282379"></a>ldap suffix will be used instead.  The suffix
    2011         string is pre-pended to the <a class="indexterm" name="id282387"></a>ldap suffix string so use a partial DN.
     2011        is unset, the value of <a class="indexterm" name="id311079"></a>ldap suffix will be used instead.  The suffix
     2012        string is pre-pended to the <a class="indexterm" name="id311087"></a>ldap suffix string so use a partial DN.
    20122013        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>ldap idmap suffix</code></em> =
    20132014</em></span>
     
    20162017</p></dd><dt><span class="term"><a name="LDAPMACHINESUFFIX"></a>ldap machine suffix (G)</span></dt><dd><p>
    20172018        It specifies where machines should be added to the ldap tree.  If this parameter is unset, the value of
    2018         <a class="indexterm" name="id282439"></a>ldap suffix will be used instead.  The suffix string is pre-pended to the
    2019         <a class="indexterm" name="id282447"></a>ldap suffix string so use a partial DN.
     2019        <a class="indexterm" name="id311139"></a>ldap suffix will be used instead.  The suffix string is pre-pended to the
     2020        <a class="indexterm" name="id311147"></a>ldap suffix string so use a partial DN.
    20202021        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>ldap machine suffix</code></em> =
    20212022</em></span>
     
    20272028        change via SAMBA. 
    20282029        </p><p>
    2029         The <a class="indexterm" name="id282504"></a>ldap passwd sync can be set to one of three values:
     2030        The <a class="indexterm" name="id311204"></a>ldap passwd sync can be set to one of three values:
    20302031        </p><div class="itemizedlist"><ul type="disc"><li><p><em class="parameter"><code>Yes</code></em>  =  Try
    20312032                        to update the LDAP, NT and LM passwords and update the pwdLastSet time.</p></li><li><p><em class="parameter"><code>No</code></em> = Update NT and
     
    20592060        the smb.conf ldap options must be properly configured.
    20602061
    2061         The tipical ldap setup used with the <a class="indexterm" name="id282651"></a>ldapsam:trusted = yes option
    2062         is usually sufficient to use <a class="indexterm" name="id282658"></a>ldapsam:editposix = yes as well.
     2062        The tipical ldap setup used with the <a class="indexterm" name="id311347"></a>ldapsam:trusted = yes option
     2063        is usually sufficient to use <a class="indexterm" name="id311354"></a>ldapsam:editposix = yes as well.
    20632064        </p><p>
    20642065        An example configuration can be the following:
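Review bot: added line 2062 still reads "The tipical ldap setup"; this should be "typical". The line is being rewritten anyway for the anchor name, so the spelling can be corrected in the same pass.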
     
    21332134        are used to deal with user and group attributes lack such optimization.
    21342135        </p><p>
    2135         To make Samba scale well in large environments, the <a class="indexterm" name="id282732"></a>ldapsam:trusted = yes
     2136        To make Samba scale well in large environments, the <a class="indexterm" name="id311428"></a>ldapsam:trusted = yes
    21362137        option assumes that the complete user and group database that is relevant to Samba is stored in LDAP with the
    21372138        standard posixAccount/posixGroup attributes. It further assumes that the Samba auxiliary object classes are
    21382139        stored together with the POSIX data in the same LDAP object. If these assumptions are met,
    2139         <a class="indexterm" name="id282742"></a>ldapsam:trusted = yes can be activated and Samba can bypass the
     2140        <a class="indexterm" name="id311438"></a>ldapsam:trusted = yes can be activated and Samba can bypass the
    21402141        NSS system to query user group memberships. Optimized LDAP queries can greatly speed up domain logon and
    21412142        administration tasks. Depending on the size of the LDAP database a factor of 100 or more for common queries
     
    21482149        Samba's previous SSL support which was enabled by specifying the
    21492150         <span><strong class="command">--with-ssl</strong></span> option to the <code class="filename">configure</code>
    2150         script.</p><p>The <a class="indexterm" name="id282805"></a>ldap ssl can be set to one of three values:</p><div class="itemizedlist"><ul type="disc"><li><p><em class="parameter"><code>Off</code></em> = Never
     2151        script.</p><p>The <a class="indexterm" name="id311504"></a>ldap ssl can be set to one of three values:</p><div class="itemizedlist"><ul type="disc"><li><p><em class="parameter"><code>Off</code></em> = Never
    21512152                        use SSL when querying the directory.</p></li><li><p><em class="parameter"><code>Start_tls</code></em> = Use
    21522153                        the LDAPv3 StartTLS extended operation (RFC2830) for
     
    21542155                        on the ldaps port when contacting the <em class="parameter"><code>ldap server</code></em>. Only available when the
    21552156                        backwards-compatiblity <span><strong class="command">--with-ldapsam</strong></span> option is specified
    2156                 to configure. See <a class="indexterm" name="id282861"></a>passdb backend</p>.
     2157                to configure. See <a class="indexterm" name="id311559"></a>passdb backend</p>.
    21572158                </li></ul></div><p>Default: <span class="emphasis"><em><em class="parameter"><code>ldap ssl</code></em> = start_tls
    21582159</em></span>
    21592160</p></dd><dt><span class="term"><a name="LDAPSUFFIX"></a>ldap suffix (G)</span></dt><dd><p>Specifies the base for all ldap suffixes and for storing the sambaDomain object.</p><p>
    2160         The ldap suffix will be appended to the values specified for the <a class="indexterm" name="id282908"></a>ldap user suffix,
    2161          <a class="indexterm" name="id282915"></a>ldap group suffix, <a class="indexterm" name="id282922"></a>ldap machine suffix, and the
    2162          <a class="indexterm" name="id282929"></a>ldap idmap suffix. Each of these should be given only a DN relative to the
    2163          <a class="indexterm" name="id282937"></a>ldap suffix.
     2161        The ldap suffix will be appended to the values specified for the <a class="indexterm" name="id311606"></a>ldap user suffix,
     2162         <a class="indexterm" name="id311614"></a>ldap group suffix, <a class="indexterm" name="id311621"></a>ldap machine suffix, and the
     2163         <a class="indexterm" name="id311628"></a>ldap idmap suffix. Each of these should be given only a DN relative to the
     2164         <a class="indexterm" name="id311635"></a>ldap suffix.
    21642165        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>ldap suffix</code></em> =
    21652166</em></span>
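Review bot: added line 2157 ends with "passdb backend</p>.", which leaves the period as a bare text node inside the list item after the paragraph has closed. Move the period inside the paragraph ("passdb backend.</p>"). The unchanged line above it also spells "backwards-compatiblity", which should be "backwards-compatibility".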
     
    21742175</p></dd><dt><span class="term"><a name="LDAPUSERSUFFIX"></a>ldap user suffix (G)</span></dt><dd><p>
    21752176        This parameter specifies where users are added to the tree. If this parameter is unset,
    2176         the value of <a class="indexterm" name="id283024"></a>ldap suffix will be used instead.  The suffix
    2177         string is pre-pended to the  <a class="indexterm" name="id283032"></a>ldap suffix string so use a partial DN.
     2177        the value of <a class="indexterm" name="id311723"></a>ldap suffix will be used instead.  The suffix
     2178        string is pre-pended to the  <a class="indexterm" name="id311730"></a>ldap suffix string so use a partial DN.
    21782179        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>ldap user suffix</code></em> =
    21792180</em></span>
     
    21942195        delete any read-ahead caches.</p><p>It is recommended that this parameter be turned on to
    21952196        speed access to shared executables.</p><p>For more discussions on level2 oplocks see the CIFS spec.</p><p>
    2196         Currently, if <a class="indexterm" name="id283109"></a>kernel oplocks are supported then
     2197        Currently, if <a class="indexterm" name="id311808"></a>kernel oplocks are supported then
    21972198        level2 oplocks are not granted (even if this parameter is set to
    2198         <code class="constant">yes</code>).  Note also, the <a class="indexterm" name="id283120"></a>oplocks
     2199        <code class="constant">yes</code>).  Note also, the <a class="indexterm" name="id311819"></a>oplocks
    21992200        parameter must be set to <code class="constant">yes</code> on this share in order for
    22002201        this parameter to have any effect.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>level2 oplocks</code></em> = yes
     
    22082209        broadcasts. If set to <code class="constant">yes</code> Samba will produce
    22092210        Lanman announce broadcasts at a frequency set by the parameter
    2210         <a class="indexterm" name="id283196"></a>lm interval. If set to <code class="constant">auto</code>
     2211        <a class="indexterm" name="id311895"></a>lm interval. If set to <code class="constant">auto</code>
    22112212        Samba will not send Lanman announce broadcasts by default but will
    22122213        listen for them. If it hears such a broadcast on the wire it will
    22132214        then start sending them at a frequency set by the parameter
    2214         <a class="indexterm" name="id283208"></a>lm interval.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>lm announce</code></em> = auto
     2215        <a class="indexterm" name="id311907"></a>lm interval.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>lm announce</code></em> = auto
    22152216</em></span>
    22162217</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>lm announce</code></em> = yes
     
    22182219</p></dd><dt><span class="term"><a name="LMINTERVAL"></a>lm interval (G)</span></dt><dd><p>If Samba is set to produce Lanman announce
    22192220        broadcasts needed by OS/2 clients (see the
    2220                 <a class="indexterm" name="id283260"></a>lm announce parameter) then this
     2221                <a class="indexterm" name="id311959"></a>lm announce parameter) then this
    22212222        parameter defines the frequency in seconds with which they will be
    22222223        made.  If this is set to zero then no Lanman announcements will be
    2223         made despite the setting of the <a class="indexterm" name="id283269"></a>lm announce
     2224        made despite the setting of the <a class="indexterm" name="id311968"></a>lm announce
    22242225        parameter.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>lm interval</code></em> = 60
    22252226</em></span>
     
    22282229</p></dd><dt><span class="term"><a name="LOADPRINTERS"></a>load printers (G)</span></dt><dd><p>A boolean variable that controls whether all
    22292230    printers in the printcap will be loaded for browsing by default.
    2230     See the <a class="indexterm" name="id283322"></a>printers section for
     2231    See the <a class="indexterm" name="id312021"></a>printers section for
    22312232    more details.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>load printers</code></em> = yes
    22322233</em></span>
     
    22432244</p></dd><dt><span class="term"><a name="LOCKDIR"></a>lock dir</span></dt><dd><p>This parameter is a synonym for lock directory.</p></dd><dt><span class="term"><a name="LOCKDIRECTORY"></a>lock directory (G)</span></dt><dd><p>This option specifies the directory where lock
    22442245        files will be placed.  The lock files are used to implement the
    2245         <a class="indexterm" name="id283473"></a>max connections option.
     2246        <a class="indexterm" name="id312172"></a>max connections option.
    22462247        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>lock directory</code></em> = ${prefix}/var/locks
    22472248</em></span>
     
    22602261        You should never need to set this parameter.</p><p><span class="emphasis"><em>No default</em></span></p></dd><dt><span class="term"><a name="LOCKSPINCOUNT"></a>lock spin count (G)</span></dt><dd><p>This parameter has been made inoperative in Samba 3.0.24.
    22612262        The functionality it contolled is now controlled by the parameter
    2262         <a class="indexterm" name="id283593"></a>lock spin time.
     2263        <a class="indexterm" name="id312292"></a>lock spin time.
    22632264        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>lock spin count</code></em> = 0
    22642265</em></span>
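Review bot: the unchanged context line 2262 reads "The functionality it contolled", which should be "controlled". Nothing in this hunk changes besides the anchor name on line 2263, so the typo can be fixed alongside it.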
     
    22672268        be granted. This parameter has changed in default
    22682269        value from Samba 3.0.23 from 10 to 200. The associated
    2269         <a class="indexterm" name="id283635"></a>lock spin count parameter is
     2270        <a class="indexterm" name="id312334"></a>lock spin count parameter is
    22702271        no longer used in Samba 3.0.24. You should not need
    22712272        to change the value of this parameter.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>lock spin time</code></em> = 200
     
    22882289</p></dd><dt><span class="term"><a name="LOGONDRIVE"></a>logon drive (G)</span></dt><dd><p>
    22892290        This parameter specifies the local path to which the home directory will be
    2290         connected (see <a class="indexterm" name="id283790"></a>logon home) and is only used by NT
     2291        connected (see <a class="indexterm" name="id312488"></a>logon home) and is only used by NT
    22912292        Workstations.
    22922293        </p><p>
     
    23152316         <span><strong class="command">net use /home</strong></span> but use the whole string when dealing with profiles.
    23162317        </p><p>
    2317         Note that in prior versions of Samba, the <a class="indexterm" name="id283898"></a>logon path was returned rather than
     2318        Note that in prior versions of Samba, the <a class="indexterm" name="id312597"></a>logon path was returned rather than
    23182319        <em class="parameter"><code>logon home</code></em>.  This broke <span><strong class="command">net use /home</strong></span>
    23192320        but allowed profiles outside the home directory. The current implementation is correct, and can be used for
    23202321        profiles if you use the above trick.
    23212322        </p><p>
    2322         Disable this feature by setting <a class="indexterm" name="id283922"></a>logon home = "" - using the empty string.
     2323        Disable this feature by setting <a class="indexterm" name="id312620"></a>logon home = "" - using the empty string.
    23232324        </p><p>
    23242325        This option is only useful if Samba is set up as a logon server.
     
    23312332        stored.  Contrary to previous versions of these manual pages, it has nothing to do with Win 9X roaming
    23322333        profiles.  To find out how to handle roaming profiles for Win 9X system, see the
    2333         <a class="indexterm" name="id283980"></a>logon home parameter.
     2334        <a class="indexterm" name="id312679"></a>logon home parameter.
    23342335        </p><p>
    23352336        This option takes the standard substitutions, allowing you to have separate logon scripts for each user or
     
    23602361        </p></div><p>Note that this option is only useful if Samba is set up as a domain controller.</p><p>
    23612362        Disable the use of roaming profiles by setting the value of this parameter to the empty string. For
    2362         example, <a class="indexterm" name="id284058"></a>logon path = "". Take note that even if the default setting
     2363        example, <a class="indexterm" name="id312756"></a>logon path = "". Take note that even if the default setting
    23632364        in the smb.conf file is the empty string, any value specified in the user account settings in the passdb
    23642365        backend will over-ride the effect of setting this parameter to null. Disabling of all roaming profile use
     
    23772378        </p><p>
    23782379        The script must be a relative path to the <em class="parameter"><code>[netlogon]</code></em> service.  If the [netlogon]
    2379         service specifies a <a class="indexterm" name="id284134"></a>path of <code class="filename">/usr/local/samba/netlogon</code>, and <a class="indexterm" name="id284147"></a>logon  script = STARTUP.BAT, then the file that will be downloaded is:
     2380        service specifies a <a class="indexterm" name="id312832"></a>path of <code class="filename">/usr/local/samba/netlogon</code>, and <a class="indexterm" name="id312846"></a>logon  script = STARTUP.BAT, then the file that will be downloaded is:
    23802381</p><pre class="programlisting">
    23812382        /usr/local/samba/netlogon/STARTUP.BAT
     
    24172418    in the lppause command as the PATH may not be available to the server.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>lppause command</code></em> =
    24182419# Currently no default value is given to
    2419     this string, unless the value of the <a class="indexterm" name="id284303"></a>printing
     2420    this string, unless the value of the <a class="indexterm" name="id312999"></a>printing
    24202421    parameter is <code class="constant">SYSV</code>, in which case the default is :
    24212422    <span><strong class="command">lp -i %p-%j -H hold</strong></span> or if the value of the
     
    24652466    printing or spooling a specific print job.</p><p>This command should be a program or script which takes
    24662467    a printer name and job number to resume the print job. See
    2467     also the <a class="indexterm" name="id284579"></a>lppause command parameter.</p><p>If a <em class="parameter"><code>%p</code></em> is given then the printer name
     2468    also the <a class="indexterm" name="id313276"></a>lppause command parameter.</p><p>If a <em class="parameter"><code>%p</code></em> is given then the printer name
    24682469    is put in its place. A <em class="parameter"><code>%j</code></em> is replaced with
    24692470    the job number (an integer).</p><p>Note that it is good practice to include the absolute path
    24702471    in the <em class="parameter"><code>lpresume command</code></em> as the PATH may not
    2471     be available to the server.</p><p>See also the <a class="indexterm" name="id284616"></a>printing parameter.</p><p>Default: Currently no default value is given
     2472    be available to the server.</p><p>See also the <a class="indexterm" name="id313312"></a>printing parameter.</p><p>Default: Currently no default value is given
    24722473    to this string, unless the value of the <em class="parameter"><code>printing</code></em>
    24732474    parameter is <code class="constant">SYSV</code>, in which case the default is :</p><p><span><strong class="command">lp -i %p-%j -H resume</strong></span></p><p>or if the value of the <em class="parameter"><code>printing</code></em> parameter
     
    24922493</em></span>
    24932494</p></dd><dt><span class="term"><a name="MACHINEPASSWORDTIMEOUT"></a>machine password timeout (G)</span></dt><dd><p>
    2494         If a Samba server is a member of a Windows NT Domain (see the <a class="indexterm" name="id284772"></a>security = domain parameter) then periodically a running smbd process will try and change
     2495        If a Samba server is a member of a Windows NT Domain (see the <a class="indexterm" name="id313468"></a>security = domain parameter) then periodically a running smbd process will try and change
    24952496        the MACHINE ACCOUNT PASSWORD stored in the TDB called <code class="filename">private/secrets.tdb
    24962497        </code>.  This parameter specifies how often this password will be changed, in seconds. The default is one
     
    24982499        </p><p>
    24992500        See also <a href="smbpasswd.8.html"><span class="citerefentry"><span class="refentrytitle">smbpasswd</span>(8)</span></a>,
    2500         and the <a class="indexterm" name="id284798"></a>security = domain parameter.
     2501        and the <a class="indexterm" name="id313495"></a>security = domain parameter.
    25012502        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>machine password timeout</code></em> = 604800
    25022503</em></span>
    25032504</p></dd><dt><span class="term"><a name="MAGICOUTPUT"></a>magic output (S)</span></dt><dd><p>
    25042505        This parameter specifies the name of a file which will contain output created by a magic script (see the
    2505         <a class="indexterm" name="id284839"></a>magic script parameter below).
     2506        <a class="indexterm" name="id313535"></a>magic script parameter below).
    25062507        </p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>If two clients use the same <em class="parameter"><code>magic script
    25072508        </code></em> in the same directory the output file content is undefined.
     
    25162517        completion assuming that the user has the appropriate level
    25172518        of privilege and the file permissions allow the deletion.</p><p>If the script generates output, output will be sent to
    2518         the file specified by the <a class="indexterm" name="id284913"></a>magic output
     2519        the file specified by the <a class="indexterm" name="id313609"></a>magic output
    25192520        parameter (see above).</p><p>Note that some shells are unable to interpret scripts
    25202521        containing CR/LF instead of CR as
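Review bot: the unchanged line "containing CR/LF instead of CR as" names the wrong terminator. UNIX text files end lines with LF, not CR, so the sentence should contrast CR/LF with LF. As written, it tells an administrator debugging a magic script that fails to run to look for the wrong character.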
     
    25372538        you would use:
    25382539        </p><p>
    2539         <a class="indexterm" name="id285017"></a>mangled map = (*.html *.htm).
     2540        <a class="indexterm" name="id313714"></a>mangled map = (*.html *.htm).
    25402541        </p><p>
    25412542        One very useful case is to remove the annoying <code class="filename">;1</code> off
     
    25492550</p></dd><dt><span class="term"><a name="MANGLEDNAMES"></a>mangled names (S)</span></dt><dd><p>This controls whether non-DOS names under UNIX
    25502551        should be mapped to DOS-compatible names ("mangled") and made visible,
    2551         or whether non-DOS names should simply be ignored.</p><p>See the section on <a class="indexterm" name="id285084"></a>name mangling for
     2552        or whether non-DOS names should simply be ignored.</p><p>See the section on <a class="indexterm" name="id313780"></a>name mangling for
    25522553        details on how to control the mangling process.</p><p>If mangling is used then the mangling algorithm is as follows:</p><div class="itemizedlist"><ul type="disc"><li><p>The first (up to) five alphanumeric characters
    25532554                        before the rightmost dot of the filename are preserved, forced
     
    25592560                        only if it contains any upper case characters or is longer than three
    25602561                        characters.</p><p>Note that the character to use may be specified using
    2561                                 the <a class="indexterm" name="id285118"></a>mangling char
     2562                                the <a class="indexterm" name="id313814"></a>mangling char
    25622563                        option, if you don't like '~'.</p></li><li><p>Files whose UNIX name begins with a dot will be
    25632564                        presented as DOS hidden files. The mangled name will be created as
     
    25832584</em></span>
    25842585</p></dd><dt><span class="term"><a name="MANGLINGCHAR"></a>mangling char (S)</span></dt><dd><p>This controls what character is used as
    2585         the <span class="emphasis"><em>magic</em></span> character in <a class="indexterm" name="id285238"></a>name mangling. The
     2586        the <span class="emphasis"><em>magic</em></span> character in <a class="indexterm" name="id313935"></a>name mangling. The
    25862587        default is a '~' but this may interfere with some software. Use this option to set
    25872588        it to whatever you prefer. This is effective only when mangling method is hash.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>mangling char</code></em> = ~
     
    26162617        be quite annoying for shared source code, documents, etc...
    26172618        </p><p>
    2618         Note that this requires the <a class="indexterm" name="id285396"></a>create mask        parameter to be set such that owner
     2619        Note that this requires the <a class="indexterm" name="id314093"></a>create mask        parameter to be set such that owner
    26192620        execute bit is not masked out (i.e. it must include 100). See the parameter
    2620         <a class="indexterm" name="id285404"></a>create mask for details.
     2621        <a class="indexterm" name="id314101"></a>create mask for details.
    26212622        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>map archive</code></em> = yes
    26222623</em></span>
     
    26242625        This controls whether DOS style hidden files should be mapped to the UNIX world execute bit.
    26252626        </p><p>
    2626         Note that this requires the <a class="indexterm" name="id285449"></a>create mask to be set such that the world execute
    2627         bit is not masked out (i.e. it must include 001). See the parameter <a class="indexterm" name="id285457"></a>create mask
     2627        Note that this requires the <a class="indexterm" name="id314145"></a>create mask to be set such that the world execute
     2628        bit is not masked out (i.e. it must include 001). See the parameter <a class="indexterm" name="id314153"></a>create mask
    26282629        for details.
    26292630        </p><p><span class="emphasis"><em>No default</em></span></p></dd><dt><span class="term"><a name="MAPREADONLY"></a>map read only (S)</span></dt><dd><p>
     
    26312632        </p><p>
    26322633        This parameter can take three different values, which tell <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> how to display the read only attribute on files, where either
    2633         <a class="indexterm" name="id285503"></a>store dos attributes is set to <code class="constant">No</code>, or no extended attribute is
    2634         present. If <a class="indexterm" name="id285514"></a>store dos attributes is set to <code class="constant">yes</code> then this
     2634        <a class="indexterm" name="id314199"></a>store dos attributes is set to <code class="constant">No</code>, or no extended attribute is
     2635        present. If <a class="indexterm" name="id314210"></a>store dos attributes is set to <code class="constant">yes</code> then this
    26352636        parameter is <span class="emphasis"><em>ignored</em></span>. This is a new parameter introduced in Samba version 3.0.21.
    26362637        </p><p>The three settings are :</p><div class="itemizedlist"><ul type="disc"><li><p>
     
    26452646                </p></li><li><p>
    26462647                <code class="constant">No</code> - The read only DOS attribute is unaffected by permissions, and can only be set by
    2647                 the <a class="indexterm" name="id285570"></a>store dos attributes method. This may be useful for exporting mounted CDs.
     2648                the <a class="indexterm" name="id314267"></a>store dos attributes method. This may be useful for exporting mounted CDs.
    26482649                </p></li></ul></div><p>Default: <span class="emphasis"><em><em class="parameter"><code>map read only</code></em> = yes
    26492650</em></span>
     
    26512652        This controls whether DOS style system files should be mapped to the UNIX group execute bit.
    26522653        </p><p>
    2653         Note that this requires the <a class="indexterm" name="id285616"></a>create mask        to be set such that the group
     2654        Note that this requires the <a class="indexterm" name="id314312"></a>create mask        to be set such that the group
    26542655        execute bit is not masked out (i.e. it must include 010). See the parameter
    2655         <a class="indexterm" name="id285624"></a>create mask for details.
     2656        <a class="indexterm" name="id314320"></a>create mask for details.
    26562657        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>map system</code></em> = no
    26572658</em></span>
    2658 </p></dd><dt><span class="term"><a name="MAPTOGUEST"></a>map to guest (G)</span></dt><dd><p>This parameter is only useful in <a class="indexterm" name="id285664"></a>SECURITY =
     2659</p></dd><dt><span class="term"><a name="MAPTOGUEST"></a>map to guest (G)</span></dt><dd><p>This parameter is only useful in <a class="indexterm" name="id314360"></a>SECURITY =
    26592660    security modes other than <em class="parameter"><code>security = share</code></em>
    26602661    and <em class="parameter"><code>security = server</code></em>
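Review bot: on the changed "map to guest" line the sentence reads "only useful in SECURITY = security modes other than security = share and security = server", so the index term text "SECURITY =" has leaked into the prose and the sentence no longer parses. The defect is carried over unchanged from r30 to r39; it should be fixed in the DocBook source so the sentence reads "only useful in security modes other than ...".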
     
    26662667            logins with an invalid password are rejected, unless the username
    26672668            does not exist, in which case it is treated as a guest login and
    2668             mapped into the <a class="indexterm" name="id285728"></a>guest account.</p></li><li><p><code class="constant">Bad Password</code> - Means user logins
     2669            mapped into the <a class="indexterm" name="id314424"></a>guest account.</p></li><li><p><code class="constant">Bad Password</code> - Means user logins
    26692670            with an invalid password are treated as a guest login and mapped
    2670             into the <a class="indexterm" name="id285745"></a>guest account. Note that
     2671            into the <a class="indexterm" name="id314441"></a>guest account. Note that
    26712672            this can cause problems as it means that any user incorrectly typing
    26722673            their password will be silently logged on as "guest" - and
     
    27022703    will be refused if this number of connections to the service are already open. A value
    27032704    of zero mean an unlimited number of connections may be made.</p><p>Record lock files are used to implement this feature. The lock files will be stored in
    2704     the directory specified by the <a class="indexterm" name="id285871"></a>lock directory option.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>max connections</code></em> = 0
     2705    the directory specified by the <a class="indexterm" name="id314567"></a>lock directory option.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>max connections</code></em> = 0
    27052706</em></span>
    27062707</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>max connections</code></em> = 10
     
    27932794</em></span>
    27942795</p></dd><dt><span class="term"><a name="MAXWINSTTL"></a>max wins ttl (G)</span></dt><dd><p>This option tells <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> when acting as a WINS server
    2795         (<a class="indexterm" name="id286538"></a>wins support = yes) what the maximum
     2796        (<a class="indexterm" name="id315234"></a>wins support = yes) what the maximum
    27962797    'time to live' of NetBIOS names that <span><strong class="command">nmbd</strong></span>
    27972798    will grant will be (in seconds). You should never need to change this
     
    28542855</p></dd><dt><span class="term"><a name="MINPROTOCOL"></a>min protocol (G)</span></dt><dd><p>The value of the parameter (a string) is the
    28552856    lowest SMB protocol dialect than Samba will support.  Please refer
    2856     to the <a class="indexterm" name="id286860"></a>max protocol
     2857    to the <a class="indexterm" name="id315556"></a>max protocol
    28572858    parameter for a list of valid protocol names and a brief description
    28582859    of each.  You may also wish to refer to the C source code in
    28592860    <code class="filename">source/smbd/negprot.c</code> for a listing of known protocol
    28602861    dialects supported by clients.</p><p>If you are viewing this parameter as a security measure, you should
    2861     also refer to the <a class="indexterm" name="id286879"></a>lanman auth parameter.  Otherwise, you should never need
     2862    also refer to the <a class="indexterm" name="id315575"></a>lanman auth parameter.  Otherwise, you should never need
    28622863    to change this parameter.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>min protocol</code></em> = CORE
    28632864</em></span>
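Review bot: the "min protocol" description in this hunk says "lowest SMB protocol dialect than Samba will support", where "than" should be "that". Since the same paragraph tells readers who treat this as a security measure to look at "lanman auth", and the default shown is CORE, the wording here is worth getting right while the file is being regenerated.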
     
    28652866</em></span>
    28662867</p></dd><dt><span class="term"><a name="MINWINSTTL"></a>min wins ttl (G)</span></dt><dd><p>This option tells <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a>
    2867     when acting as a WINS server (<a class="indexterm" name="id286939"></a>wins support = yes) what the minimum 'time to live'
     2868    when acting as a WINS server (<a class="indexterm" name="id315635"></a>wins support = yes) what the minimum 'time to live'
    28682869    of NetBIOS names that <span><strong class="command">nmbd</strong></span> will grant will be (in
    28692870    seconds). You should never need to change this parameter.  The default
     
    28752876        this share, they are redirected to the proxied share using
    28762877        the SMB-Dfs protocol.</p><p>Only Dfs roots can act as proxy shares. Take a look at the
    2877         <a class="indexterm" name="id286993"></a>msdfs root and <a class="indexterm" name="id287000"></a>host msdfs
     2878        <a class="indexterm" name="id315689"></a>msdfs root and <a class="indexterm" name="id315696"></a>host msdfs
    28782879        options to find out how to set up a Dfs root share.</p><p><span class="emphasis"><em>No default</em></span></p><p>Example: <span class="emphasis"><em><em class="parameter"><code>msdfs proxy</code></em> = \\otherserver\someshare
    28792880</em></span>
     
    29112912                _ldap._tcp.domain.
    29122913        </p></li><li><p><code class="constant">wins</code> : Query a name with
    2913             the IP address listed in the <a class="indexterm" name="id287191"></a>WINSSERVER parameter.  If no WINS server has
     2914            the IP address listed in the <a class="indexterm" name="id315887"></a>WINSSERVER parameter.  If no WINS server has
    29142915            been specified this method will be ignored.</p></li><li><p><code class="constant">bcast</code> : Do a broadcast on
    2915             each of the known local interfaces listed in the <a class="indexterm" name="id287208"></a>interfaces
     2916            each of the known local interfaces listed in the <a class="indexterm" name="id315904"></a>interfaces
    29162917            parameter. This is the least reliable of the name resolution
    29172918            methods as it depends on the target host being on a locally
     
    29652966        server. When Samba is returning the home share to the client, it
    29662967        will consult the NIS map specified in
    2967         <a class="indexterm" name="id287457"></a>homedir map and return the server
     2968        <a class="indexterm" name="id316157"></a>homedir map and return the server
    29682969        listed there.</p><p>Note that for this option to work there must be a working
    29692970        NIS system and the Samba server with this option must also
     
    30043005    default behavior is to use PAM for clear text authentication only
    30053006    and to ignore any account or session management.  Note that Samba
    3006     always ignores PAM for authentication in the case of <a class="indexterm" name="id287744"></a>encrypt passwords = yes.  The reason
     3007    always ignores PAM for authentication in the case of <a class="indexterm" name="id316444"></a>encrypt passwords = yes.  The reason
    30073008    is that PAM modules cannot support the challenge/response
    30083009    authentication mechanism needed in the presence of SMB password encryption.
     
    30153016    this parameter will force the server to only use the login
    30163017    names from the <em class="parameter"><code>user</code></em> list and is only really
    3017     useful in <a class="indexterm" name="id287800"></a>security = share level security.</p><p>Note that this also means Samba won't try to deduce
     3018    useful in <a class="indexterm" name="id316499"></a>security = share level security.</p><p>Note that this also means Samba won't try to deduce
    30183019    usernames from the service name. This can be annoying for
    30193020    the [homes] section. To get around this you could use <span><strong class="command">user =
     
    30633064        </p><p>
    30643065        Oplocks may be selectively turned off on certain files with a share. See
    3065         the <a class="indexterm" name="id288045"></a>veto oplock files parameter. On some systems
     3066        the <a class="indexterm" name="id316744"></a>veto oplock files parameter. On some systems
    30663067        oplocks are recognized by the underlying operating system. This
    30673068        allows data synchronization between all access to oplocked files,
    30683069        whether it be via Samba or NFS or a local UNIX process. See the
    3069         <a class="indexterm" name="id288054"></a>kernel oplocks parameter for details.
     3070        <a class="indexterm" name="id316753"></a>kernel oplocks parameter for details.
    30703071        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>oplocks</code></em> = yes
    30713072</em></span>
     
    30823083</p></dd><dt><span class="term"><a name="OSLEVEL"></a>os level (G)</span></dt><dd><p>
    30833084        This integer value controls what level Samba advertises itself as for browse elections. The value of this
    3084         parameter determines whether <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a> has a chance of becoming a local master browser for the <a class="indexterm" name="id288157"></a>workgroup in the local broadcast area.
     3085        parameter determines whether <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a> has a chance of becoming a local master browser for the <a class="indexterm" name="id316857"></a>workgroup in the local broadcast area.
    30853086</p><p><span class="emphasis"><em>
    30863087        Note :</em></span>By default, Samba will win a local master browsing election over all Microsoft operating
     
    30973098    flag for Samba.  If enabled, then PAM will be used for password
    30983099    changes when requested by an SMB client instead of the program listed in
    3099     <a class="indexterm" name="id288221"></a>passwd program.
     3100    <a class="indexterm" name="id316921"></a>passwd program.
    31003101    It should be possible to enable this without changing your
    3101     <a class="indexterm" name="id288229"></a>passwd chat parameter for most setups.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>pam password change</code></em> = no
     3102    <a class="indexterm" name="id316929"></a>passwd chat parameter for most setups.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>pam password change</code></em> = no
    31023103</em></span>
    31033104</p></dd><dt><span class="term"><a name="PANICACTION"></a>panic action (G)</span></dt><dd><p>This is a Samba developer option that allows a
     
    31253126                </p></li><li><p><span><strong class="command">tdbsam</strong></span> - The TDB based password storage
    31263127                backend.  Takes a path to the TDB as an optional argument (defaults to passdb.tdb
    3127                 in the <a class="indexterm" name="id288406"></a>private dir directory.</p></li><li><p><span><strong class="command">ldapsam</strong></span> - The LDAP based passdb
     3128                in the <a class="indexterm" name="id317106"></a>private dir directory.</p></li><li><p><span><strong class="command">ldapsam</strong></span> - The LDAP based passdb
    31283129                backend.  Takes an LDAP URL as an optional argument (defaults to
    31293130                <span><strong class="command">ldap://localhost</strong></span>)</p><p>LDAP connections should be secured where possible.  This may be done using either
    3130                 Start-TLS (see <a class="indexterm" name="id288435"></a>ldap ssl) or by
     3131                Start-TLS (see <a class="indexterm" name="id317135"></a>ldap ssl) or by
    31313132                specifying <em class="parameter"><code>ldaps://</code></em> in
    31323133                the URL argument. </p><p>Multiple servers may also be specified in double-quotes, if your
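Review bot: in the tdbsam item the parenthesis opened at "(defaults to passdb.tdb" is never closed; the changed line ends "in the private dir directory." with no ")" before the full stop. The ldapsam item just below closes its parenthesis correctly, so this is a one-character fix in the source.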
     
    31513152    </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>passdb expand explicit</code></em> = no
    31523153</em></span>
     3154</p></dd><dt><span class="term"><a name="PASSWDCHATDEBUG"></a>passwd chat debug (G)</span></dt><dd><p>This boolean specifies if the passwd chat script
     3155    parameter is run in <span class="emphasis"><em>debug</em></span> mode. In this mode the
     3156    strings passed to and received from the passwd chat are printed
     3157    in the <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> log with a
     3158    <a class="indexterm" name="id317245"></a>debug level
     3159    of 100. This is a dangerous option as it will allow plaintext passwords
     3160    to be seen in the <span><strong class="command">smbd</strong></span> log. It is available to help
     3161    Samba admins debug their <em class="parameter"><code>passwd chat</code></em> scripts
     3162    when calling the <em class="parameter"><code>passwd program</code></em> and should
     3163    be turned off after this has been done. This option has no effect if the
     3164    <a class="indexterm" name="id317272"></a>pam password change
     3165        paramter is set. This parameter is off by default.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>passwd chat debug</code></em> = no
     3166</em></span>
     3167</p></dd><dt><span class="term"><a name="PASSWDCHATTIMEOUT"></a>passwd chat timeout (G)</span></dt><dd><p>This integer specifies the number of seconds smbd will wait for an initial
     3168    answer from a passwd chat script being run. Once the initial answer is received
     3169    the subsequent answers must be received in one tenth of this time. The default it
     3170    two seconds.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>passwd chat timeout</code></em> = 2
     3171</em></span>
    31533172</p></dd><dt><span class="term"><a name="PASSWDCHAT"></a>passwd chat (G)</span></dt><dd><p>This string controls the <span class="emphasis"><em>"chat"</em></span>
    31543173    conversation that takes places between <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> and the local password changing
    31553174    program to change the user's password. The string describes a
    31563175    sequence of response-receive pairs that <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> uses to determine what to send to the
    3157     <a class="indexterm" name="id288553"></a>passwd program and what to expect back. If the expected output is not
     3176    <a class="indexterm" name="id317369"></a>passwd program and what to expect back. If the expected output is not
    31583177    received then the password is not changed.</p><p>This chat sequence is often quite site specific, depending
    31593178    on what local methods are used for password control (such as NIS
    3160     etc).</p><p>Note that this parameter only is only used if the <a class="indexterm" name="id288570"></a>unix password sync parameter is set  to <code class="constant">yes</code>. This sequence is
     3179    etc).</p><p>Note that this parameter only is only used if the <a class="indexterm" name="id317385"></a>unix password sync parameter is set  to <code class="constant">yes</code>. This sequence is
    31613180    then called <span class="emphasis"><em>AS ROOT</em></span> when the SMB password  in the
    31623181    smbpasswd file is being changed, without access to the old password
    31633182    cleartext. This means that root must be able to reset the user's password without
    31643183    knowing the text of the previous password. In the presence of
    3165     NIS/YP,  this means that the <a class="indexterm" name="id288586"></a>passwd program must
     3184    NIS/YP,  this means that the <a class="indexterm" name="id317402"></a>passwd program must
    31663185    be executed on the NIS master.
    31673186    </p><p>The string can contain the macro <em class="parameter"><code>%n</code></em> which is substituted
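Review bot: the two entries added ahead of "passwd chat" carry typos that should be fixed before they are moved around again: "paramter is set" on new line 3165 and "The default it two seconds" on new lines 3169-3170; the context line at 3179 also has "this parameter only is only used". Because "passwd chat debug" writes plaintext passwords to the smbd log at debug level 100, it would also help if the entry said the resulting log files must be treated as containing credentials, not only that the option should be turned off afterwards.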
     
    31723191    in them into a single string.</p><p>If the send string in any part of the chat sequence  is a full
    31733192    stop ".",  then no string is sent. Similarly,  if the
    3174     expect string is a full stop then no string is expected.</p><p>If the <a class="indexterm" name="id288614"></a>pam password change parameter is set to <code class="constant">yes</code>, the
     3193    expect string is a full stop then no string is expected.</p><p>If the <a class="indexterm" name="id317430"></a>pam password change parameter is set to <code class="constant">yes</code>, the
    31753194        chat pairs may be matched in any order, and success is determined by the PAM result, not any particular
    31763195        output. The \n macro is ignored for PAM conversions.
     
    31783197</em></span>
    31793198</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>passwd chat</code></em> = "*Enter OLD password*" %o\n "*Enter NEW password*" %n\n "*Reenter NEW password*" %n\n "*Password changed*"
    3180 </em></span>
    3181 </p></dd><dt><span class="term"><a name="PASSWDCHATDEBUG"></a>passwd chat debug (G)</span></dt><dd><p>This boolean specifies if the passwd chat script
    3182     parameter is run in <span class="emphasis"><em>debug</em></span> mode. In this mode the
    3183     strings passed to and received from the passwd chat are printed
    3184     in the <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a> log with a
    3185     <a class="indexterm" name="id288686"></a>debug level
    3186     of 100. This is a dangerous option as it will allow plaintext passwords
    3187     to be seen in the <span><strong class="command">smbd</strong></span> log. It is available to help
    3188     Samba admins debug their <em class="parameter"><code>passwd chat</code></em> scripts
    3189     when calling the <em class="parameter"><code>passwd program</code></em> and should
    3190     be turned off after this has been done. This option has no effect if the
    3191     <a class="indexterm" name="id288713"></a>pam password change
    3192         paramter is set. This parameter is off by default.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>passwd chat debug</code></em> = no
    3193 </em></span>
    3194 </p></dd><dt><span class="term"><a name="PASSWDCHATTIMEOUT"></a>passwd chat timeout (G)</span></dt><dd><p>This integer specifies the number of seconds smbd will wait for an initial
    3195     answer from a passwd chat script being run. Once the initial answer is received
    3196     the subsequent answers must be received in one tenth of this time. The default it
    3197     two seconds.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>passwd chat timeout</code></em> = 2
    31983199</em></span>
    31993200</p></dd><dt><span class="term"><a name="PASSWDPROGRAM"></a>passwd program (G)</span></dt><dd><p>The name of a program that can be used to set
     
    32363237    made - the password as is and the password in all-lower case.</p><p>This parameter is used only when using plain-text passwords. It is
    32373238    not at all used when encrypted passwords as in use (that is the default
    3238     since samba-3.0.0). Use this only when <a class="indexterm" name="id288957"></a>encrypt passwords = No.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>password level</code></em> = 0
     3239    since samba-3.0.0). Use this only when <a class="indexterm" name="id317661"></a>encrypt passwords = No.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>password level</code></em> = 0
    32393240</em></span>
    32403241</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>password level</code></em> = 4
     
    32523253    have no effect on password servers for Windows NT 4.0 domains or netbios
    32533254    connections.</p><p>If parameter is a name, it is looked up using the
    3254     parameter <a class="indexterm" name="id289029"></a>name resolve order and so may resolved
     3255    parameter <a class="indexterm" name="id317733"></a>name resolve order and so may resolved
    32553256    by any method and order described in that parameter.</p><p>The password server must be a machine capable of using
    32563257    the "LM1.2X002" or the "NT LM 0.12" protocol, and it must be in
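Review bot: the changed line in this hunk reads "name resolve order and so may resolved by any method", which is missing "be" ("so may be resolved"). The text is otherwise identical between r30 and r39, so the fix belongs in the DocBook source.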
     
    33143315        will be replaced by the NetBIOS name of the machine they are
    33153316        connecting from. These replacements are very useful for setting
    3316         up pseudo home directories for users.</p><p>Note that this path will be based on <a class="indexterm" name="id289313"></a>root dir
     3317        up pseudo home directories for users.</p><p>Note that this path will be based on <a class="indexterm" name="id318016"></a>root dir
    33173318         if one was specified.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>path</code></em> =
    33183319</em></span>
     
    33413342</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>postexec</code></em> = echo \"%u disconnected from %S from %m (%I)\" &gt;&gt; /tmp/log
    33423343</em></span>
     3344</p></dd><dt><span class="term"><a name="PREEXECCLOSE"></a>preexec close (S)</span></dt><dd><p>
     3345        This boolean option controls whether a non-zero return code from <a class="indexterm" name="id318215"></a>preexec
     3346        should close the service being connected to.
     3347        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>preexec close</code></em> = no
     3348</em></span>
    33433349</p></dd><dt><span class="term"><a name="EXEC"></a>exec</span></dt><dd><p>This parameter is a synonym for preexec.</p></dd><dt><span class="term"><a name="PREEXEC"></a>preexec (S)</span></dt><dd><p>This option specifies a command to be run whenever
    33443350        the service is connected to. It takes the usual substitutions.</p><p>An interesting example is to send the users a welcome
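Review bot: the "preexec close" entry added here says only that a non-zero return code from preexec "should close the service being connected to", with a default of "no", and does not spell out the consequence of that default. If a site uses preexec as a gate (for example a script that checks something before allowing access), a failing script still lets the connection proceed unless this is set to "yes"; one sentence saying so would make the entry much more useful.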
     
    33483354        /usr/local/samba/bin/smbclient -M %m -I %I' &amp; </strong></span>
    33493355        </p><p>Of course, this could get annoying after a while :-)</p><p>
    3350         See also <a class="indexterm" name="id289554"></a>preexec close and <a class="indexterm" name="id289562"></a>postexec.
     3356        See also <a class="indexterm" name="id318299"></a>preexec close and <a class="indexterm" name="id318306"></a>postexec.
    33513357        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>preexec</code></em> =
    33523358</em></span>
    33533359</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>preexec</code></em> = echo \"%u connected to %S from %m (%I)\" &gt;&gt; /tmp/log
    3354 </em></span>
    3355 </p></dd><dt><span class="term"><a name="PREEXECCLOSE"></a>preexec close (S)</span></dt><dd><p>
    3356         This boolean option controls whether a non-zero return code from <a class="indexterm" name="id289614"></a>preexec
    3357         should close the service being connected to.
    3358         </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>preexec close</code></em> = no
    33593360</em></span>
    33603361</p></dd><dt><span class="term"><a name="PREFEREDMASTER"></a>prefered master</span></dt><dd><p>This parameter is a synonym for preferred master.</p></dd><dt><span class="term"><a name="PREFERREDMASTER"></a>preferred master (G)</span></dt><dd><p>
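Review bot: the preexec example in this hunk (and the matching postexec example) appends to "/tmp/log", a fixed file name in a world-writable directory. Suggest changing the example to a path in a directory that only the account running the command can write to, since readers tend to copy these examples as they stand.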
     
    33633364        If this is set to <code class="constant">yes</code>, on startup, <span><strong class="command">nmbd</strong></span> will force
    33643365        an election, and it will have a slight advantage in winning the election.  It is recommended that this
    3365         parameter is used in conjunction with <a class="indexterm" name="id289698"></a>domain master = yes, so that
     3366        parameter is used in conjunction with <a class="indexterm" name="id318402"></a>domain master = yes, so that
    33663367        <span><strong class="command">nmbd</strong></span> can guarantee becoming a domain master.
    33673368        </p><p>
     
    33723373        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>preferred master</code></em> = auto
    33733374</em></span>
     3375</p></dd><dt><span class="term"><a name="PRELOADMODULES"></a>preload modules (G)</span></dt><dd><p>This is a list of paths to modules that should
     3376        be loaded into smbd before a client connects. This improves
     3377        the speed of smbd when reacting to new connections somewhat. </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>preload modules</code></em> =
     3378</em></span>
     3379</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>preload modules</code></em> = /usr/lib/samba/passdb/mysql.so
     3380</em></span>
    33743381</p></dd><dt><span class="term"><a name="AUTOSERVICES"></a>auto services</span></dt><dd><p>This parameter is a synonym for preload.</p></dd><dt><span class="term"><a name="PRELOAD"></a>preload (G)</span></dt><dd><p>This is a list of services that you want to be
    33753382        automatically added to the browse lists. This is most useful
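Review bot: Missing documentation in the "preload modules (G)" text added at new lines 3375-3380: it says the listed paths are "loaded into smbd before a client connects" but not that the loaded code then runs inside smbd with smbd's privileges. Suggest adding one sentence next to the /usr/lib/samba/passdb/mysql.so example telling administrators to list only module files, and parent directories, that are writable by root alone.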
     
    33773384        visible.</p><p>
    33783385        Note that if you just want all printers in your
    3379         printcap file loaded then the <a class="indexterm" name="id289778"></a>load printers
     3386        printcap file loaded then the <a class="indexterm" name="id318527"></a>load printers
    33803387         option is easier.
    33813388        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>preload</code></em> =
     
    33833390</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>preload</code></em> = fred lp colorlp
    33843391</em></span>
    3385 </p></dd><dt><span class="term"><a name="PRELOADMODULES"></a>preload modules (G)</span></dt><dd><p>This is a list of paths to modules that should
    3386         be loaded into smbd before a client connects. This improves
    3387         the speed of smbd when reacting to new connections somewhat. </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>preload modules</code></em> =
    3388 </em></span>
    3389 </p><p>Example: <span class="emphasis"><em><em class="parameter"><code>preload modules</code></em> = /usr/lib/samba/passdb/mysql.so
    3390 </em></span>
    33913392</p></dd><dt><span class="term"><a name="PRESERVECASE"></a>preserve case (S)</span></dt><dd><p>
    33923393        This controls if new filenames are created with the case that the client passes, or if
    3393         they are forced to be the <a class="indexterm" name="id289876"></a>default case.
     3394        they are forced to be the <a class="indexterm" name="id318580"></a>default case.
    33943395        </p><p>
    33953396        See the section on <a href="#NAMEMANGLINGSECT" title="NAME MANGLING">NAME MANGLING</a> for a fuller discussion.
     
    34003401    specified for the service. </p><p>Note that a printable service will ALWAYS allow writing
    34013402    to the service path (user privileges permitting) via the spooling
    3402     of print data. The <a class="indexterm" name="id290060"></a>read only parameter controls only non-printing access to
     3403    of print data. The <a class="indexterm" name="id318764"></a>read only parameter controls only non-printing access to
    34033404    the resource.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>printable</code></em> = no
    34043405</em></span>
     
    34183419        </p><p>
    34193420        To use the CUPS printing interface set <span><strong class="command">printcap name = cups </strong></span>. This should
    3420         be supplemented by an addtional setting <a class="indexterm" name="id290198"></a>printing = cups in the [global]
     3421        be supplemented by an addtional setting <a class="indexterm" name="id318902"></a>printing = cups in the [global]
    34213422        section.  <span><strong class="command">printcap name = cups</strong></span> will use the  "dummy" printcap
    34223423        created by CUPS, as specified in your CUPS configuration file.
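Review bot: Typo carried over at new line 3421: "supplemented by an addtional setting" should read "additional". The line is only being regenerated for its anchor id (id290198 to id318902), so correct the spelling in the source this HTML is generated from rather than in the generated file.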
     
    34713472    be created but not processed and (most importantly) not removed.</p><p>Note that printing may fail on some UNIXes from the
    34723473    <code class="constant">nobody</code> account. If this happens then create
    3473     an alternative guest account that can print and set the <a class="indexterm" name="id290410"></a>guest account
     3474    an alternative guest account that can print and set the <a class="indexterm" name="id319114"></a>guest account
    34743475    in the [global] section.</p><p>You can form quite complex print commands by realizing
    34753476    that they are just passed to a shell. For example the following
     
    34783479    /tmp/print.log; lpr -P %p %s; rm %s</strong></span></p><p>You may have to vary this command considerably depending
    34793480    on how you normally print files on your system. The default for
    3480     the parameter varies depending on the setting of the <a class="indexterm" name="id290437"></a>printing
     3481    the parameter varies depending on the setting of the <a class="indexterm" name="id319140"></a>printing
    34813482        parameter.</p><p>Default: For <span><strong class="command">printing = BSD, AIX, QNX, LPRNG
    34823483    or PLP :</strong></span></p><p><span><strong class="command">print command = lpr -r -P%p %s</strong></span></p><p>For <span><strong class="command">printing = SYSV or HPUX :</strong></span></p><p><span><strong class="command">print command = lp -c -d%p %s; rm %s</strong></span></p><p>For <span><strong class="command">printing = SOFTQ :</strong></span></p><p><span><strong class="command">print command = lp -d%p -s %s; rm %s</strong></span></p><p>For printing = CUPS :   If SAMBA is compiled against
    3483     libcups, then <a class="indexterm" name="id290493"></a>printcap = cups
     3484    libcups, then <a class="indexterm" name="id319197"></a>printcap = cups
    34843485    uses the CUPS API to
    34853486    submit jobs, etc.  Otherwise it maps to the System V
     
    35133514        does not have its own printer name specified.
    35143515        </p><p>
    3515         The default value of the <a class="indexterm" name="id290634"></a>printer name may be <code class="literal">lp</code> on many
     3516        The default value of the <a class="indexterm" name="id319338"></a>printer name may be <code class="literal">lp</code> on many
    35163517        systems.
    35173518        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>printer name</code></em> = none
     
    35863587    executed on the server host in order to resume the printer queue. It
    35873588    is the command to undo the behavior that is caused by the
    3588     previous parameter (<a class="indexterm" name="id291026"></a>queuepause command).</p><p>This command should be a program or script which takes
     3589    previous parameter (<a class="indexterm" name="id319730"></a>queuepause command).</p><p>This command should be a program or script which takes
    35893590    a printer name as its only parameter and resumes the printer queue,
    35903591    such that queued jobs are resubmitted to the printer.</p><p>This command is not supported by Windows for Workgroups,
     
    36063607</p></dd><dt><span class="term"><a name="READLIST"></a>read list (S)</span></dt><dd><p>
    36073608        This is a list of users that are given read-only access to a service. If the connecting user is in this list
    3608         then they will not be given write access, no matter what the <a class="indexterm" name="id291148"></a>read only option is set
    3609         to. The list can include group names using the syntax described in the <a class="indexterm" name="id291156"></a>invalid users
     3609        then they will not be given write access, no matter what the <a class="indexterm" name="id319852"></a>read only option is set
     3610        to. The list can include group names using the syntax described in the <a class="indexterm" name="id319860"></a>invalid users
    36103611        parameter.
    3611         </p><p>This parameter will not work with the <a class="indexterm" name="id291167"></a>security = share in
     3612        </p><p>This parameter will not work with the <a class="indexterm" name="id319871"></a>security = share in
    36123613    Samba 3.0.  This is by design.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>read list</code></em> =
    36133614</em></span>
    36143615</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>read list</code></em> = mary, @students
    36153616</em></span>
    3616 </p></dd><dt><span class="term"><a name="READONLY"></a>read only (S)</span></dt><dd><p>An inverted synonym is <a class="indexterm" name="id291218"></a>writeable.</p><p>If this parameter is <code class="constant">yes</code>, then users
     3617</p></dd><dt><span class="term"><a name="READONLY"></a>read only (S)</span></dt><dd><p>An inverted synonym is <a class="indexterm" name="id319922"></a>writeable.</p><p>If this parameter is <code class="constant">yes</code>, then users
    36173618    of a service may not create or modify files in the service's
    36183619    directory.</p><p>Note that a printable service (<span><strong class="command">printable = yes</strong></span>)
     
    36503651        the above line would cause <span><strong class="command">nmbd</strong></span> to announce itself
    36513652        to the two given IP addresses using the given workgroup names. If you leave out the
    3652         workgroup name then the one given in the <a class="indexterm" name="id291416"></a>workgroup parameter
     3653        workgroup name then the one given in the <a class="indexterm" name="id320120"></a>workgroup parameter
    36533654        is used instead.
    36543655        </p><p>
     
    36873688        is in fact the browse master on its segment.
    36883689        </p><p>
    3689         The <a class="indexterm" name="id291514"></a>remote browse sync may be used on networks
     3690        The <a class="indexterm" name="id320218"></a>remote browse sync may be used on networks
    36903691        where there is no WINS server, and may be used on disjoint networks where
    36913692        each network has its own WINS server.
     
    37493750        </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
    37503751    The security advantage of using restrict anonymous = 2 is removed
    3751     by setting <a class="indexterm" name="id291687"></a>guest ok = yes on any share.
     3752    by setting <a class="indexterm" name="id320391"></a>guest ok = yes on any share.
    37523753        </p></div><p>Default: <span class="emphasis"><em><em class="parameter"><code>restrict anonymous</code></em> = 0
    37533754</em></span>
     
    37593760    parts of the filesystem, or attempts to use ".." in file names
    37603761    to access other directories (depending on the setting of the
    3761         <a class="indexterm" name="id291780"></a>wide smbconfoptions parameter).
     3762        <a class="indexterm" name="id320484"></a>wide smbconfoptions parameter).
    37623763    </p><p>Adding a <em class="parameter"><code>root directory</code></em> entry other
    37633764    than "/" adds an extra level of security, but at a price. It
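Review bot: The reference at new line 3762 still reads "wide smbconfoptions parameter", which is not a parameter name and looks like a failed substitution in the generator. The sentence is about using ".." in file names to reach other directories, so it presumably means "wide links". Fix it in the source, since this is the paragraph that explains what "root directory" protects against and the reader cannot look up the setting it depends on.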
     
    37813782        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>root postexec</code></em> =
    37823783</em></span>
     3784</p></dd><dt><span class="term"><a name="ROOTPREEXECCLOSE"></a>root preexec close (S)</span></dt><dd><p>This is the same as the <em class="parameter"><code>preexec close
     3785        </code></em> parameter except that the command is run as root.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>root preexec close</code></em> = no
     3786</em></span>
    37833787</p></dd><dt><span class="term"><a name="ROOTPREEXEC"></a>root preexec (S)</span></dt><dd><p>
    37843788        This is the same as the <em class="parameter"><code>preexec</code></em>
     
    37873791        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>root preexec</code></em> =
    37883792</em></span>
    3789 </p></dd><dt><span class="term"><a name="ROOTPREEXECCLOSE"></a>root preexec close (S)</span></dt><dd><p>This is the same as the <em class="parameter"><code>preexec close
    3790         </code></em> parameter except that the command is run as root.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>root preexec close</code></em> = no
     3793</p></dd><dt><span class="term"><a name="SECURITYMASK"></a>security mask (S)</span></dt><dd><p>
     3794        This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating the
     3795        UNIX permission on a file using the native NT security dialog box.
     3796        </p><p>
     3797        This parameter is applied as a mask (AND'ed with) to the changed permission bits, thus preventing any bits not
     3798        in this mask from being modified.  Make sure not to mix up this parameter with <a class="indexterm" name="id320698"></a>force  security mode, which works in a manner similar to this one but uses a logical OR instead of an AND.
     3799        </p><p>
     3800        Essentially, zero bits in this mask may be treated as a set of bits the user is not allowed to change.
     3801        </p><p>
     3802        If not set explicitly this parameter is 0777, allowing a user to modify all the user/group/world permissions on a file.
     3803    </p><p><span class="emphasis"><em>
     3804        Note</em></span> that users who can access the Samba server through other means can easily bypass this
     3805    restriction, so it is primarily useful for standalone "appliance" systems.  Administrators of
     3806        most normal systems will probably want to leave it set to <code class="constant">0777</code>.
     3807        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>security mask</code></em> = 0777
     3808</em></span>
     3809</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>security mask</code></em> = 0770
    37913810</em></span>
    37923811</p></dd><dt><span class="term"><a name="SECURITY"></a>security (G)</span></dt><dd><p>This option affects how clients respond to
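Review bot: Ordering: after this change "security mask (S)" (new 3793-3810) comes before "security (G)" and "root preexec close" before "root preexec"; the same happens elsewhere in the patch for "preload modules"/"preload" and "syslog only"/"syslog". Each longer name now sorts ahead of the name it extends, so "root preexec close" is described as "the same as the preexec close parameter except that the command is run as root" before the base entry it sits next to. Check whether the new sort order is intended; the moved text itself is unchanged.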
     
    38033822    the only option at one stage.</p><p>There is a bug in WfWg that has relevance to this
    38043823    setting. When in user or server level security a WfWg client
    3805     will totally ignore the password you type in the "connect
     3824    will totally ignore the username and password you type in the "connect
    38063825    drive" dialog box. This makes it very difficult (if not impossible)
    38073826    to connect to a Samba service as anyone except the user that
     
    38143833    is commonly used for a shared printer server. It is more difficult
    38153834    to setup guest shares with <span><strong class="command">security = user</strong></span>, see
    3816     the <a class="indexterm" name="id292089"></a>map to guestparameter for details.</p><p>It is possible to use <span><strong class="command">smbd</strong></span> in a <span class="emphasis"><em>
     3835    the <a class="indexterm" name="id320872"></a>map to guestparameter for details.</p><p>It is possible to use <span><strong class="command">smbd</strong></span> in a <span class="emphasis"><em>
    38173836    hybrid mode</em></span> where it is offers both user and share
    3818     level security under different <a class="indexterm" name="id292110"></a>NetBIOS aliases. </p><p>The different settings will now be explained.</p><p><a name="SECURITYEQUALSSHARE"></a><span class="emphasis"><em>SECURITY = SHARE</em></span></p><p>When clients connect to a share level security server they
     3837    level security under different <a class="indexterm" name="id320893"></a>NetBIOS aliases. </p><p>The different settings will now be explained.</p><p><a name="SECURITYEQUALSSHARE"></a><span class="emphasis"><em>SECURITY = SHARE</em></span></p><p>When clients connect to a share level security server they
    38193838    need not log onto the server with a valid username and password before
    38203839    attempting to connect to a shared resource (although modern clients
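Review bot: Two wording defects survive the regeneration in this hunk: new line 3835 renders "map to guestparameter" with no space before "parameter", and line 3836 reads "where it is offers both user and share level security". Suggest "the map to guest parameter" and "where it offers" in the source; the first one matters because it is the pointer readers follow to set up guest access under "security = user".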
     
    38293848    techniques to determine the correct UNIX user to use on behalf
    38303849    of the client.</p><p>A list of possible UNIX usernames to match with the given
    3831     client password is constructed using the following methods :</p><div class="itemizedlist"><ul type="disc"><li><p>If the <a class="indexterm" name="id292185"></a>guest only parameter is set, then all the other
    3832             stages are missed and only the <a class="indexterm" name="id292193"></a>guest account username is checked.
     3850    client password is constructed using the following methods :</p><div class="itemizedlist"><ul type="disc"><li><p>If the <a class="indexterm" name="id320968"></a>guest only parameter is set, then all the other
     3851            stages are missed and only the <a class="indexterm" name="id320976"></a>guest account username is checked.
    38333852            </p></li><li><p>Is a username is sent with the share connection
    3834             request, then this username (after mapping - see <a class="indexterm" name="id292208"></a>username map),
     3853            request, then this username (after mapping - see <a class="indexterm" name="id320990"></a>username map),
    38353854            is added as a potential username.
    38363855            </p></li><li><p>If the client did a previous <span class="emphasis"><em>logon
     
    38413860            </p></li><li><p>The NetBIOS name of the client is added to
    38423861            the list as a potential username.
    3843             </p></li><li><p>Any users on the <a class="indexterm" name="id292248"></a>user list are added as potential usernames.
     3862            </p></li><li><p>Any users on the <a class="indexterm" name="id321030"></a>user list are added as potential usernames.
    38443863            </p></li></ul></div><p>If the <em class="parameter"><code>guest only</code></em> parameter is
    38453864    not set, then this list is then tried with the supplied password.
     
    38533872    NOTE ABOUT USERNAME/PASSWORD VALIDATION</a>.</p><p><a name="SECURITYEQUALSUSER"></a><span class="emphasis"><em>SECURITY = USER</em></span></p><p>This is the default security setting in Samba 3.0.
    38543873    With user-level security a client must first "log-on" with a
    3855     valid username and password (which can be mapped using the <a class="indexterm" name="id292317"></a>username map
    3856     parameter). Encrypted passwords (see the <a class="indexterm" name="id292325"></a>encrypted passwords parameter) can also
    3857     be used in this security mode. Parameters such as <a class="indexterm" name="id292332"></a>user and <a class="indexterm" name="id292340"></a>guest only if set      are then applied and
     3874    valid username and password (which can be mapped using the <a class="indexterm" name="id321100"></a>username map
     3875    parameter). Encrypted passwords (see the <a class="indexterm" name="id321107"></a>encrypted passwords parameter) can also
     3876    be used in this security mode. Parameters such as <a class="indexterm" name="id321115"></a>user and <a class="indexterm" name="id321122"></a>guest only if set      are then applied and
    38583877    may change the UNIX user to use on this connection, but only after
    38593878    the user has been successfully authenticated.</p><p><span class="emphasis"><em>Note</em></span> that the name of the resource being
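Review bot: Parameter naming is inconsistent at new line 3875: "see the encrypted passwords parameter", while the "update encrypted" entry later in this file writes the setting as "encrypt passwords" ("The default value of encrypt passwords = Yes"). Use one name in the reference text, preferably the form shown with a value, so that a reader searching smb.conf for the option named here finds it.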
     
    38613880    the server has successfully authenticated the client. This is why
    38623881    guest shares don't work in user level security without allowing
    3863     the server to automatically map unknown users into the <a class="indexterm" name="id292359"></a>guest account.
    3864     See the <a class="indexterm" name="id292366"></a>map to guest parameter for details on doing this.</p><p>See also the section <a href="#VALIDATIONSECT" title="NOTE ABOUT USERNAME/PASSWORD VALIDATION">NOTE ABOUT USERNAME/PASSWORD VALIDATION</a>.</p><p><a name="SECURITYEQUALSDOMAIN"></a><span class="emphasis"><em>SECURITY = DOMAIN</em></span></p><p>This mode will only work correctly if <a href="net.8.html"><span class="citerefentry"><span class="refentrytitle">net</span>(8)</span></a> has been used to add this
    3865     machine into a Windows NT Domain. It expects the <a class="indexterm" name="id292405"></a>encrypted passwords
     3882    the server to automatically map unknown users into the <a class="indexterm" name="id321142"></a>guest account.
     3883    See the <a class="indexterm" name="id321149"></a>map to guest parameter for details on doing this.</p><p>See also the section <a href="#VALIDATIONSECT" title="NOTE ABOUT USERNAME/PASSWORD VALIDATION">NOTE ABOUT USERNAME/PASSWORD VALIDATION</a>.</p><p><a name="SECURITYEQUALSDOMAIN"></a><span class="emphasis"><em>SECURITY = DOMAIN</em></span></p><p>This mode will only work correctly if <a href="net.8.html"><span class="citerefentry"><span class="refentrytitle">net</span>(8)</span></a> has been used to add this
     3884    machine into a Windows NT Domain. It expects the <a class="indexterm" name="id321187"></a>encrypted passwords
    38663885        parameter to be set to <code class="constant">yes</code>. In this
    38673886    mode Samba will try to validate the username/password by passing
     
    38773896    the server has successfully authenticated the client. This is why
    38783897    guest shares don't work in user level security without allowing
    3879     the server to automatically map unknown users into the <a class="indexterm" name="id292455"></a>guest account.
    3880     See the <a class="indexterm" name="id292462"></a>map to guest parameter for details on doing this.</p><p>See also the section <a href="#VALIDATIONSECT" title="NOTE ABOUT USERNAME/PASSWORD VALIDATION">
    3881     NOTE ABOUT USERNAME/PASSWORD VALIDATION</a>.</p><p>See also the <a class="indexterm" name="id292483"></a>password server parameter and
    3882          the <a class="indexterm" name="id292490"></a>encrypted passwords parameter.</p><p><a name="SECURITYEQUALSSERVER"></a><span class="emphasis"><em>SECURITY = SERVER</em></span></p><p>
     3898    the server to automatically map unknown users into the <a class="indexterm" name="id321237"></a>guest account.
     3899    See the <a class="indexterm" name="id321245"></a>map to guest parameter for details on doing this.</p><p>See also the section <a href="#VALIDATIONSECT" title="NOTE ABOUT USERNAME/PASSWORD VALIDATION">
     3900    NOTE ABOUT USERNAME/PASSWORD VALIDATION</a>.</p><p>See also the <a class="indexterm" name="id321266"></a>password server parameter and
     3901         the <a class="indexterm" name="id321273"></a>encrypted passwords parameter.</p><p><a name="SECURITYEQUALSSERVER"></a><span class="emphasis"><em>SECURITY = SERVER</em></span></p><p>
    38833902        In this mode Samba will try to validate the username/password by passing it to another SMB server, such as an
    38843903        NT box. If this fails it will revert to <span><strong class="command">security = user</strong></span>. It expects the
    3885         <a class="indexterm" name="id292517"></a>encrypted passwords parameter to be set to <code class="constant">yes</code>, unless the remote
     3904        <a class="indexterm" name="id321300"></a>encrypted passwords parameter to be set to <code class="constant">yes</code>, unless the remote
    38863905        server does not support them.  However note that if encrypted passwords have been negotiated then Samba cannot
    38873906        revert back to checking the UNIX password file, it must have a valid <code class="filename">smbpasswd</code> file to check users against. See the chapter about the User Database in
     
    39033922    the server has successfully authenticated the client. This is why
    39043923    guest shares don't work in user level security without allowing
    3905     the server to automatically map unknown users into the <a class="indexterm" name="id292579"></a>guest account.
    3906     See the <a class="indexterm" name="id292586"></a>map to guest parameter for details on doing this.</p><p>See also the section <a href="#VALIDATIONSECT" title="NOTE ABOUT USERNAME/PASSWORD VALIDATION">
    3907     NOTE ABOUT USERNAME/PASSWORD VALIDATION</a>.</p><p>See also the <a class="indexterm" name="id292607"></a>password server parameter and the
    3908         <a class="indexterm" name="id292614"></a>encrypted passwords parameter.</p><p><a name="SECURITYEQUALSADS"></a><span class="emphasis"><em>SECURITY = ADS</em></span></p><p>In this mode, Samba will act as a domain member in an ADS realm. To operate
     3924    the server to automatically map unknown users into the <a class="indexterm" name="id321357"></a>guest account.
     3925    See the <a class="indexterm" name="id321364"></a>map to guest parameter for details on doing this.</p><p>See also the section <a href="#VALIDATIONSECT" title="NOTE ABOUT USERNAME/PASSWORD VALIDATION">
     3926    NOTE ABOUT USERNAME/PASSWORD VALIDATION</a>.</p><p>See also the <a class="indexterm" name="id321385"></a>password server parameter and the
     3927        <a class="indexterm" name="id321393"></a>encrypted passwords parameter.</p><p><a name="SECURITYEQUALSADS"></a><span class="emphasis"><em>SECURITY = ADS</em></span></p><p>In this mode, Samba will act as a domain member in an ADS realm. To operate
    39093928                in this mode, the machine running Samba will need to have Kerberos installed
    39103929                and configured and Samba will need to be joined to the ADS realm using the
     
    39143933</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>security</code></em> = DOMAIN
    39153934</em></span>
    3916 </p></dd><dt><span class="term"><a name="SECURITYMASK"></a>security mask (S)</span></dt><dd><p>
    3917         This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating the
    3918         UNIX permission on a file using the native NT security dialog box.
    3919         </p><p>
    3920         This parameter is applied as a mask (AND'ed with) to the changed permission bits, thus preventing any bits not
    3921         in this mask from being modified.  Make sure not to mix up this parameter with <a class="indexterm" name="id292695"></a>force  security mode, which works in a manner similar to this one but uses a logical OR instead of an AND.
    3922         </p><p>
    3923         Essentially, zero bits in this mask may be treated as a set of bits the user is not allowed to change.
    3924         </p><p>
    3925         If not set explicitly this parameter is 0777, allowing a user to modify all the user/group/world permissions on a file.
    3926     </p><p><span class="emphasis"><em>
    3927         Note</em></span> that users who can access the Samba server through other means can easily bypass this
    3928     restriction, so it is primarily useful for standalone "appliance" systems.  Administrators of
    3929         most normal systems will probably want to leave it set to <code class="constant">0777</code>.
    3930         </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>security mask</code></em> = 0777
    3931 </em></span>
    3932 </p><p>Example: <span class="emphasis"><em><em class="parameter"><code>security mask</code></em> = 0770
    3933 </em></span>
    39343935</p></dd><dt><span class="term"><a name="SERVERSCHANNEL"></a>server schannel (G)</span></dt><dd><p>
    39353936        This controls whether the server offers or even demands the use of the netlogon schannel.
    3936         <a class="indexterm" name="id292768"></a>server schannel = no does not offer the schannel, <a class="indexterm" name="id292776"></a>server schannel = auto offers the schannel but does not enforce it, and <a class="indexterm" name="id292783"></a>server schannel = yes denies access if the client is not able to speak netlogon schannel.
     3937        <a class="indexterm" name="id321468"></a>server schannel = no does not offer the schannel, <a class="indexterm" name="id321475"></a>server schannel = auto offers the schannel but does not enforce it, and <a class="indexterm" name="id321483"></a>server schannel = yes denies access if the client is not able to speak netlogon schannel.
    39373938        This is only the case for Windows NT4 before SP4.
    39383939        </p><p>
     
    40074008</p></dd><dt><span class="term"><a name="SHORTPRESERVECASE"></a>short preserve case (S)</span></dt><dd><p>
    40084009        This boolean parameter controls if new files which conform to 8.3 syntax, that is all in upper case and of
    4009         suitable length, are created upper case, or if they are forced to be the <a class="indexterm" name="id293318"></a>default case.
    4010         This  option can be use with <a class="indexterm" name="id293325"></a>preserve case = yes to permit long filenames
     4010        suitable length, are created upper case, or if they are forced to be the <a class="indexterm" name="id322017"></a>default case.
     4011        This  option can be use with <a class="indexterm" name="id322025"></a>preserve case = yes to permit long filenames
    40114012        to retain their case, while short names are lowered.
    40124013        </p><p>See the section on <a href="#NAMEMANGLINGSECT" title="NAME MANGLING">NAME MANGLING</a>.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>short preserve case</code></em> = yes
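Review bot: Typo carried over at new line 4011: "This  option can be use with preserve case = yes" should read "can be used with", and the doubled space after "This" can go at the same time. As with the other regenerated lines, only the anchor id changes here, so the fix belongs in the source.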
     
    41084109        If this parameter is set Samba attempts to first read DOS attributes (SYSTEM, HIDDEN, ARCHIVE or
    41094110        READ-ONLY) from a filesystem extended attribute, before mapping DOS attributes to UNIX permission bits (such
    4110         as occurs with <a class="indexterm" name="id293927"></a>map hidden and <a class="indexterm" name="id293934"></a>map readonly).  When set, DOS
     4111        as occurs with <a class="indexterm" name="id322627"></a>map hidden and <a class="indexterm" name="id322634"></a>map readonly).  When set, DOS
    41114112        attributes will be stored onto an extended attribute in the UNIX filesystem, associated with the file or
    4112         directory.  For no other mapping to occur as a fall-back, the parameters <a class="indexterm" name="id293943"></a>map hidden,
    4113         <a class="indexterm" name="id293950"></a>map system, <a class="indexterm" name="id293957"></a>map archive and <a class="indexterm" name="id293964"></a>map  readonly must be set to off.  This parameter writes the DOS attributes as a string into the extended
     4113        directory.  For no other mapping to occur as a fall-back, the parameters <a class="indexterm" name="id322642"></a>map hidden,
     4114        <a class="indexterm" name="id322649"></a>map system, <a class="indexterm" name="id322656"></a>map archive and <a class="indexterm" name="id322664"></a>map  readonly must be set to off.  This parameter writes the DOS attributes as a string into the extended
    41144115        attribute named "user.DOSATTRIB". This extended attribute is explicitly hidden from smbd clients requesting an
    41154116        EA list. On Linux the filesystem must have been mounted with the mount option user_xattr in order for
     
    41834184    any affect.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>sync always</code></em> = no
    41844185</em></span>
     4186</p></dd><dt><span class="term"><a name="SYSLOGONLY"></a>syslog only (G)</span></dt><dd><p>
     4187    If this parameter is set then Samba debug messages are logged into the system
     4188    syslog only, and not to the debug log files.
     4189    </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>syslog only</code></em> = no
     4190</em></span>
    41854191</p></dd><dt><span class="term"><a name="SYSLOG"></a>syslog (G)</span></dt><dd><p>
    41864192    This parameter maps how Samba debug messages are logged onto the system syslog logging levels.
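Review bot: The "syslog only" entry added at new 4186-4190 is the same text that is removed further down at old 4195-4199, so this is a pure reorder that now lists "syslog only" ahead of "syslog". If the new ordering is a side effect of regenerating the page rather than a deliberate change, say so in the commit message. The SYSLOGONLY anchor name is unchanged, so existing links should keep resolving.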
     
    41934199    </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>syslog</code></em> = 1
    41944200</em></span>
    4195 </p></dd><dt><span class="term"><a name="SYSLOGONLY"></a>syslog only (G)</span></dt><dd><p>
    4196     If this parameter is set then Samba debug messages are logged into the system
    4197     syslog only, and not to the debug log files.
    4198     </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>syslog only</code></em> = no
    4199 </em></span>
    42004201</p></dd><dt><span class="term"><a name="TEMPLATEHOMEDIR"></a>template homedir (G)</span></dt><dd><p>When filling out the user information for a Windows NT
    42014202        user, the <a href="winbindd.8.html"><span class="citerefentry"><span class="refentrytitle">winbindd</span>(8)</span></a> daemon  uses this
     
    42534254        in the smbpasswd file this parameter should be set to <code class="constant">no</code>.
    42544255        </p><p>
    4255         In order for this parameter to be operative the <a class="indexterm" name="id294723"></a>encrypt passwords parameter must
    4256     be set to <code class="constant">no</code>. The default value of <a class="indexterm" name="id294734"></a>encrypt  passwords = Yes. Note: This must be set to <code class="constant">no</code> for this <a class="indexterm" name="id294745"></a>update encrypted to work.
     4256        In order for this parameter to be operative the <a class="indexterm" name="id323423"></a>encrypt passwords parameter must
     4257    be set to <code class="constant">no</code>. The default value of <a class="indexterm" name="id323434"></a>encrypt  passwords = Yes. Note: This must be set to <code class="constant">no</code> for this <a class="indexterm" name="id323445"></a>update encrypted to work.
    42574258        </p><p>
    42584259        Note that even when this parameter is set a user authenticating to <span><strong class="command">smbd</strong></span>
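Review bot: Only the indexterm ids change at 4255-4257, but the sentence carried over states the requirement twice ("must be set to no", then "Note: This must be set to no for this update encrypted to work"), and "for this update encrypted to work" is broken wording. Since the same line gives the default as encrypt passwords = Yes, the paragraph would be clearer as a single statement that the parameter has no effect under the default setting.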
     
    43074308    </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>use mmap</code></em> = yes
    43084309</em></span>
     4310</p></dd><dt><span class="term"><a name="USERNAMELEVEL"></a>username level (G)</span></dt><dd><p>This option helps Samba to try and 'guess' at
     4311    the real UNIX username, as many DOS clients send an all-uppercase
     4312    username. By default Samba tries all lowercase, followed by the
     4313    username with the first letter capitalized, and fails if the
     4314    username is not found on the UNIX machine.</p><p>If this parameter is set to non-zero the behavior changes.
     4315    This parameter is a number that specifies the number of uppercase
     4316    combinations to try while trying to determine the UNIX user name. The
     4317    higher the number the more combinations will be tried, but the slower
     4318    the discovery of usernames will be. Use this parameter when you have
     4319    strange usernames on your UNIX machine, such as <code class="constant">AstrangeUser
     4320    </code>.</p><p>This parameter is needed only on UNIX systems that have case
     4321    sensitive usernames.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>username level</code></em> = 0
     4322</em></span>
     4323</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>username level</code></em> = 5
     4324</em></span>
     4325</p></dd><dt><span class="term"><a name="USERNAMEMAPSCRIPT"></a>username map script (G)</span></dt><dd><p>This script is a mutually exclusive alternative to the
     4326        <a class="indexterm" name="id323716"></a>username map parameter.  This parameter
     4327        specifies and external program or script that must accept a single
     4328        command line option (the username transmitted in the authentication
     4329        request) and return a line line on standard output (the name to which
     4330        the account should mapped).  In this way, it is possible to store
     4331        username map tables in an LDAP or NIS directory services.
     4332        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>username map script</code></em> =
     4333</em></span>
     4334</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>username map script</code></em> = /etc/samba/scripts/mapusers.sh
     4335</em></span>
     4336</p></dd><dt><span class="term"><a name="USERNAMEMAP"></a>username map (G)</span></dt><dd><p>
     4337        This option allows you to specify a file containing a mapping of usernames from the clients to the server.
     4338        This can be used for several purposes. The most common is to map usernames that users use on DOS or Windows
     4339        machines to those that the UNIX box uses. The other is to map multiple users to a single username so that they
     4340        can more easily share files.
     4341        </p><p>
     4342        Please note that for user or share mode security, the username map is applied prior to validating the user
     4343        credentials.  Domain member servers (domain or ads) apply the username map after the user has been
     4344        successfully authenticated by the domain controller and require fully qualified enties in the map table (e.g.
     4345        biddle = DOMAIN\foo).
     4346        </p><p>
     4347        The map file is parsed line by line. Each line should contain a single UNIX username on the left then a '='
     4348        followed by a list of usernames on the right. The list of usernames on the right may contain names of the form
     4349        @group in which case they will match any UNIX username in that group. The special client name '*' is a
     4350        wildcard and matches any name. Each line of the map file may be up to 1023 characters long.
     4351        </p><p>
     4352        The file is processed on each line by taking the supplied username and comparing it with each username on the
     4353        right hand side of the '=' signs. If the supplied name matches any of the names on the right hand side then it
     4354        is replaced with the name on the left. Processing then continues with the next line.
     4355        </p><p>
     4356        If any line begins with a '#' or a ';' then it is ignored.
     4357        </p><p>
     4358        If any line begins with an '!' then the processing will stop after that line if a mapping was done by the
     4359        line.  Otherwise mapping continues with every line being processed.  Using '!' is most useful when you have a
     4360        wildcard mapping line later in the file.
     4361        </p><p>
     4362        For example to map from the name <code class="constant">admin</code> or <code class="constant">administrator</code> to the UNIX
     4363        name <code class="constant"> root</code> you would use:
     4364</p><pre class="programlisting">
     4365<span><strong class="command">root = admin administrator</strong></span>
     4366</pre><p>
     4367        Or to map anyone in the UNIX group <code class="constant">system</code> to the UNIX name <code class="constant">sys</code> you would use:
     4368</p><pre class="programlisting">
     4369<span><strong class="command">sys = @system</strong></span>
     4370</pre><p>
     4371        </p><p>
     4372        You can have as many mappings as you like in a username map file.
     4373        </p><p>
     4374        If your system supports the NIS NETGROUP option then the netgroup database is checked before the <code class="filename">/etc/group </code> database for matching groups.
     4375        </p><p>
     4376        You can map Windows usernames that have spaces in them by using double quotes around the name. For example:
     4377</p><pre class="programlisting">
     4378<span><strong class="command">tridge = "Andrew Tridgell"</strong></span>
     4379</pre><p>
     4380    would map the windows username "Andrew Tridgell" to the unix username "tridge".
     4381        </p><p>
     4382        The following example would map mary and fred to the unix user sys, and map the rest to guest. Note the use of the
     4383    '!' to tell Samba to stop processing if it gets a match on that line:
     4384</p><pre class="programlisting">
     4385!sys = mary fred
     4386guest = *
     4387</pre><p>
     4388    </p><p>
     4389        Note that the remapping is applied to all occurrences of usernames.  Thus if you connect to \\server\fred and
     4390        <code class="constant">fred</code> is remapped to <code class="constant">mary</code> then you will actually be connecting to
     4391        \\server\mary and will need to supply a password suitable for <code class="constant">mary</code> not
     4392        <code class="constant">fred</code>. The only exception to this is the username passed to the <a class="indexterm" name="id323909"></a>password server (if you have one). The password server will receive whatever username the client
     4393        supplies without  modification.
     4394    </p><p>
     4395        Also note that no reverse mapping is done. The main effect this has is with printing. Users who have been
     4396        mapped may have trouble deleting print jobs as PrintManager under WfWg will think they don't own the print
     4397        job.
     4398        </p><p>
     4399        Samba versions prior to 3.0.8 would only support reading the fully qualified username (e.g.: DOMAIN\user) from
     4400        the username map when performing a kerberos login from a client.  However, when looking up a map entry for a
     4401        user authenticated by NTLM[SSP], only the login name would be used for matches.  This resulted in inconsistent
     4402        behavior sometimes even on the same server.
     4403   </p><p>
     4404   The following functionality is obeyed in version 3.0.8 and later:
     4405   </p><p>
     4406    When performing local authentication, the username map is applied to the login name before attempting to authenticate
     4407    the connection.
     4408    </p><p>
     4409    When relying upon a external domain controller for validating authentication requests, smbd will apply the username map
     4410    to the fully qualified username (i.e. DOMAIN\user) only after the user has been successfully authenticated.
     4411    </p><p>
     4412    An example of use is:
     4413</p><pre class="programlisting">
     4414username map = /usr/local/samba/lib/users.map
     4415</pre><p>
     4416    </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>username map</code></em> =
     4417# no username map
     4418</em></span>
    43094419</p></dd><dt><span class="term"><a name="USER"></a>user</span></dt><dd><p>This parameter is a synonym for username.</p></dd><dt><span class="term"><a name="USERS"></a>users</span></dt><dd><p>This parameter is a synonym for username.</p></dd><dt><span class="term"><a name="USERNAME"></a>username (S)</span></dt><dd><p>Multiple users may be specified in a comma-delimited
    43104420    list, in which case the supplied password will be tested against
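Review bot: The re-added "username map script" text at new 4327-4330 still carries three typos ("specifies and external program", "return a line line", "the account should mapped"), and the "username map" text has "enties" at 4344 and "a external domain controller" at 4409. Since these entries are being moved anyway, fix them in the DocBook source so they do not survive the next regeneration. The same paragraph says the script is passed the username transmitted in the authentication request as a command line option, and 4342 says the map is applied prior to validating credentials for user or share mode security, so it would be worth stating there that the script receives unauthenticated, client-supplied input and must handle it as such.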
     
    43264436    telnet session. The daemon runs as the user that they log in as,
    43274437    so they cannot do anything that user cannot do.</p><p>To restrict a service to a particular set of users you
    4328     can use the <a class="indexterm" name="id295039"></a>valid users parameter.</p><p>If any of the usernames begin with a '@' then the name
     4438    can use the <a class="indexterm" name="id324070"></a>valid users parameter.</p><p>If any of the usernames begin with a '@' then the name
    43294439    will be looked up first in the NIS netgroups list (if Samba
    43304440    is compiled with netgroup support), followed by a lookup in
     
    43454455</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>username</code></em> = fred, mary, jack, jane, @users, @pcgroup
    43464456</em></span>
    4347 </p></dd><dt><span class="term"><a name="USERNAMELEVEL"></a>username level (G)</span></dt><dd><p>This option helps Samba to try and 'guess' at
    4348     the real UNIX username, as many DOS clients send an all-uppercase
    4349     username. By default Samba tries all lowercase, followed by the
    4350     username with the first letter capitalized, and fails if the
    4351     username is not found on the UNIX machine.</p><p>If this parameter is set to non-zero the behavior changes.
    4352     This parameter is a number that specifies the number of uppercase
    4353     combinations to try while trying to determine the UNIX user name. The
    4354     higher the number the more combinations will be tried, but the slower
    4355     the discovery of usernames will be. Use this parameter when you have
    4356     strange usernames on your UNIX machine, such as <code class="constant">AstrangeUser
    4357     </code>.</p><p>This parameter is needed only on UNIX systems that have case
    4358     sensitive usernames.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>username level</code></em> = 0
    4359 </em></span>
    4360 </p><p>Example: <span class="emphasis"><em><em class="parameter"><code>username level</code></em> = 5
    4361 </em></span>
    4362 </p></dd><dt><span class="term"><a name="USERNAMEMAP"></a>username map (G)</span></dt><dd><p>
    4363         This option allows you to specify a file containing a mapping of usernames from the clients to the server.
    4364         This can be used for several purposes. The most common is to map usernames that users use on DOS or Windows
    4365         machines to those that the UNIX box uses. The other is to map multiple users to a single username so that they
    4366         can more easily share files.
    4367         </p><p>
    4368         Please note that for user or share mode security, the username map is applied prior to validating the user
    4369         credentials.  Domain member servers (domain or ads) apply the username map after the user has been
    4370         successfully authenticated by the domain controller and require fully qualified enties in the map table (e.g.
    4371         biddle = DOMAIN\foo).
    4372         </p><p>
    4373         The map file is parsed line by line. Each line should contain a single UNIX username on the left then a '='
    4374         followed by a list of usernames on the right. The list of usernames on the right may contain names of the form
    4375         @group in which case they will match any UNIX username in that group. The special client name '*' is a
    4376         wildcard and matches any name. Each line of the map file may be up to 1023 characters long.
    4377         </p><p>
    4378         The file is processed on each line by taking the supplied username and comparing it with each username on the
    4379         right hand side of the '=' signs. If the supplied name matches any of the names on the right hand side then it
    4380         is replaced with the name on the left. Processing then continues with the next line.
    4381         </p><p>
    4382         If any line begins with a '#' or a ';' then it is ignored.
    4383         </p><p>
    4384         If any line begins with an '!' then the processing will stop after that line if a mapping was done by the
    4385         line.  Otherwise mapping continues with every line being processed.  Using '!' is most useful when you have a
    4386         wildcard mapping line later in the file.
    4387         </p><p>
    4388         For example to map from the name <code class="constant">admin</code> or <code class="constant">administrator</code> to the UNIX
    4389         name <code class="constant"> root</code> you would use:
    4390 </p><pre class="programlisting">
    4391 <span><strong class="command">root = admin administrator</strong></span>
    4392 </pre><p>
    4393         Or to map anyone in the UNIX group <code class="constant">system</code> to the UNIX name <code class="constant">sys</code> you would use:
    4394 </p><pre class="programlisting">
    4395 <span><strong class="command">sys = @system</strong></span>
    4396 </pre><p>
    4397         </p><p>
    4398         You can have as many mappings as you like in a username map file.
    4399         </p><p>
    4400         If your system supports the NIS NETGROUP option then the netgroup database is checked before the <code class="filename">/etc/group </code> database for matching groups.
    4401         </p><p>
    4402         You can map Windows usernames that have spaces in them by using double quotes around the name. For example:
    4403 </p><pre class="programlisting">
    4404 <span><strong class="command">tridge = "Andrew Tridgell"</strong></span>
    4405 </pre><p>
    4406     would map the windows username "Andrew Tridgell" to the unix username "tridge".
    4407         </p><p>
    4408         The following example would map mary and fred to the unix user sys, and map the rest to guest. Note the use of the
    4409     '!' to tell Samba to stop processing if it gets a match on that line:
    4410 </p><pre class="programlisting">
    4411 !sys = mary fred
    4412 guest = *
    4413 </pre><p>
    4414     </p><p>
    4415         Note that the remapping is applied to all occurrences of usernames.  Thus if you connect to \\server\fred and
    4416         <code class="constant">fred</code> is remapped to <code class="constant">mary</code> then you will actually be connecting to
    4417         \\server\mary and will need to supply a password suitable for <code class="constant">mary</code> not
    4418         <code class="constant">fred</code>. The only exception to this is the username passed to the <a class="indexterm" name="id295325"></a>password server (if you have one). The password server will receive whatever username the client
    4419         supplies without  modification.
    4420     </p><p>
    4421         Also note that no reverse mapping is done. The main effect this has is with printing. Users who have been
    4422         mapped may have trouble deleting print jobs as PrintManager under WfWg will think they don't own the print
    4423         job.
    4424         </p><p>
    4425         Samba versions prior to 3.0.8 would only support reading the fully qualified username (e.g.: DOMAIN\user) from
    4426         the username map when performing a kerberos login from a client.  However, when looking up a map entry for a
    4427         user authenticated by NTLM[SSP], only the login name would be used for matches.  This resulted in inconsistent
    4428         behavior sometimes even on the same server.
    4429    </p><p>
    4430    The following functionality is obeyed in version 3.0.8 and later:
    4431    </p><p>
    4432     When performing local authentication, the username map is applied to the login name before attempting to authenticate
    4433     the connection.
    4434     </p><p>
    4435     When relying upon a external domain controller for validating authentication requests, smbd will apply the username map
    4436     to the fully qualified username (i.e. DOMAIN\user) only after the user has been successfully authenticated.
    4437     </p><p>
    4438     An example of use is:
    4439 </p><pre class="programlisting">
    4440 username map = /usr/local/samba/lib/users.map
    4441 </pre><p>
    4442     </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>username map</code></em> =
    4443 # no username map
    4444 </em></span>
    4445 </p></dd><dt><span class="term"><a name="USERNAMEMAPSCRIPT"></a>username map script (G)</span></dt><dd><p>This script is a mutually exclusive alternative to the
    4446         <a class="indexterm" name="id295402"></a>username map parameter.  This parameter
    4447         specifies and external program or script that must accept a single
    4448         command line option (the username transmitted in the authentication
    4449         request) and return a line line on standard output (the name to which
    4450         the account should mapped).  In this way, it is possible to store
    4451         username map tables in an LDAP or NIS directory services.
    4452         </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>username map script</code></em> =
    4453 </em></span>
    4454 </p><p>Example: <span class="emphasis"><em><em class="parameter"><code>username map script</code></em> = /etc/samba/scripts/mapusers.sh
    4455 </em></span>
    44564457</p></dd><dt><span class="term"><a name="USERSHAREALLOWGUESTS"></a>usershare allow guests (G)</span></dt><dd><p>This parameter controls whether user defined shares are allowed
    44574458        to be accessed by non-authenticated users or not. It is the equivalent
     
    45604561        disabled.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>use spnego</code></em> = yes
    45614562</em></span>
    4562 </p></dd><dt><span class="term"><a name="UTMP"></a>utmp (G)</span></dt><dd><p>
    4563         This boolean parameter is only available if Samba has been configured and compiled 
    4564         with the option <span><strong class="command">--with-utmp</strong></span>. If set to
    4565          <code class="constant">yes</code> then Samba will attempt to add utmp or utmpx records
    4566         (depending on the UNIX system) whenever a connection is made to a Samba server.
    4567         Sites may use this to record the user connecting to a Samba share.
    4568         </p><p>
    4569         Due to the requirements of the utmp record, we  are required to create a unique
    4570         identifier for the incoming user.  Enabling this option creates an n^2  algorithm
    4571         to find this number.  This may impede performance on large installations.
    4572         </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>utmp</code></em> = no
    4573 </em></span>
    45744563</p></dd><dt><span class="term"><a name="UTMPDIRECTORY"></a>utmp directory (G)</span></dt><dd><p>This parameter is only available if Samba has
    45754564        been configured and compiled with the option <span><strong class="command">
     
    45844573</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>utmp directory</code></em> = /var/run/utmp
    45854574</em></span>
    4586 </p></dd><dt><span class="term"><a name="-VALID"></a>-valid (S)</span></dt><dd><p> This parameter indicates whether a share is
    4587         valid and thus can be used. When this parameter is set to false,
    4588         the share will be in no way visible nor accessible.
    4589         </p><p>
    4590         This option should not be
    4591         used by regular users but might be of help to developers.
    4592         Samba uses this option internally to mark shares as deleted.
    4593         </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>-valid</code></em> = yes
     4575</p></dd><dt><span class="term"><a name="UTMP"></a>utmp (G)</span></dt><dd><p>
     4576        This boolean parameter is only available if Samba has been configured and compiled 
     4577        with the option <span><strong class="command">--with-utmp</strong></span>. If set to
     4578         <code class="constant">yes</code> then Samba will attempt to add utmp or utmpx records
     4579        (depending on the UNIX system) whenever a connection is made to a Samba server.
     4580        Sites may use this to record the user connecting to a Samba share.
     4581        </p><p>
     4582        Due to the requirements of the utmp record, we  are required to create a unique
     4583        identifier for the incoming user.  Enabling this option creates an n^2  algorithm
     4584        to find this number.  This may impede performance on large installations.
     4585        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>utmp</code></em> = no
    45944586</em></span>
    45954587</p></dd><dt><span class="term"><a name="VALIDUSERS"></a>valid users (S)</span></dt><dd><p>
     
    46094601</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>valid users</code></em> = greg, @pcusers
    46104602</em></span>
     4603</p></dd><dt><span class="term"><a name="-VALID"></a>-valid (S)</span></dt><dd><p> This parameter indicates whether a share is
     4604        valid and thus can be used. When this parameter is set to false,
     4605        the share will be in no way visible nor accessible.
     4606        </p><p>
     4607        This option should not be
     4608        used by regular users but might be of help to developers.
     4609        Samba uses this option internally to mark shares as deleted.
     4610        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>-valid</code></em> = yes
     4611</em></span>
    46114612</p></dd><dt><span class="term"><a name="VETOFILES"></a>veto files (S)</span></dt><dd><p>
    46124613        This is a list of files and directories that are neither visible nor accessible.  Each entry in
     
    46174618        unix directory  separator '/'.
    46184619        </p><p>
    4619         Note that the <a class="indexterm" name="id296108"></a>case sensitive option is applicable in vetoing files.
     4620        Note that the <a class="indexterm" name="id324807"></a>case sensitive option is applicable in vetoing files.
    46204621        </p><p>
    46214622        One feature of the veto files parameter that it is important to be aware of is Samba's behaviour when
    46224623        trying to delete a directory. If a directory that is to be deleted contains nothing but veto files this
    4623         deletion will <span class="emphasis"><em>fail</em></span> unless you also set the <a class="indexterm" name="id296124"></a>delete veto files
     4624        deletion will <span class="emphasis"><em>fail</em></span> unless you also set the <a class="indexterm" name="id324824"></a>delete veto files
    46244625        parameter to <em class="parameter"><code>yes</code></em>.
    46254626        </p><p>
     
    46414642</em></span>
    46424643</p></dd><dt><span class="term"><a name="VETOOPLOCKFILES"></a>veto oplock files (S)</span></dt><dd><p>
    4643         This parameter is only valid when the <a class="indexterm" name="id296187"></a>oplocks
     4644        This parameter is only valid when the <a class="indexterm" name="id324887"></a>oplocks
    46444645        parameter is turned on for a share. It allows the Samba administrator
    46454646        to selectively turn off the granting of oplocks on selected files that
    46464647        match a wildcarded list, similar to the wildcarded list used in the
    4647         <a class="indexterm" name="id296196"></a>veto files parameter.
     4648        <a class="indexterm" name="id324895"></a>veto files parameter.
    46484649        </p><p>
    46494650        You might want to do this on files that you know will be heavily contended
     
    46864687        again.</p><p>
    46874688        This does not apply to authentication requests, these are always
    4688         evaluated in real time unless the <a class="indexterm" name="id296414"></a>winbind   offline logon option has been enabled.
     4689        evaluated in real time unless the <a class="indexterm" name="id325114"></a>winbind   offline logon option has been enabled.
    46894690        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>winbind cache time</code></em> = 300
    46904691</em></span>
     
    47834784        </p><p>
    47844785        This parameter is not deprecated in favor of the newer idmap_nss backend.
    4785         Refer to the <a class="indexterm" name="id296984"></a>idmap domains smb.conf option and
     4786        Refer to the <a class="indexterm" name="id325684"></a>idmap domains smb.conf option and
    47864787        the <a href="idmap_nss.8.html"><span class="citerefentry"><span class="refentrytitle">idmap_nss</span>(8)</span></a> man page for more information.
    47874788        </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>winbind trusted domains only</code></em> = no
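Review bot: The context line at 4784/4785, "This parameter is not deprecated in favor of the newer idmap_nss backend", reads as a typo for "now deprecated", since the next sentence sends readers to idmap domains and idmap_nss(8) for more information. Please confirm against the DocBook source and correct it there; as written it tells administrators the opposite of what the surrounding text implies.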
     
    48504851        appear to be in when queried by clients. Note that this parameter
    48514852        also controls the Domain name used with
    4852         the <a class="indexterm" name="id297374"></a>security = domain
     4853        the <a class="indexterm" name="id326074"></a>security = domain
    48534854                setting.</p><p>Default: <span class="emphasis"><em><em class="parameter"><code>workgroup</code></em> = WORKGROUP
    48544855</em></span>
    48554856</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>workgroup</code></em> = MYGROUP
    48564857</em></span>
    4857 </p></dd><dt><span class="term"><a name="WRITABLE"></a>writable</span></dt><dd><p>This parameter is a synonym for writeable.</p></dd><dt><span class="term"><a name="WRITEABLE"></a>writeable (S)</span></dt><dd><p>Inverted synonym for <a class="indexterm" name="id297447"></a>read only.</p><p><span class="emphasis"><em>No default</em></span></p></dd><dt><span class="term"><a name="WRITECACHESIZE"></a>write cache size (S)</span></dt><dd><p>If this integer parameter is set to non-zero value,
     4858</p></dd><dt><span class="term"><a name="WRITABLE"></a>writable</span></dt><dd><p>This parameter is a synonym for writeable.</p></dd><dt><span class="term"><a name="WRITEABLE"></a>writeable (S)</span></dt><dd><p>Inverted synonym for <a class="indexterm" name="id326147"></a>read only.</p><p><span class="emphasis"><em>No default</em></span></p></dd><dt><span class="term"><a name="WRITECACHESIZE"></a>write cache size (S)</span></dt><dd><p>If this integer parameter is set to non-zero value,
    48584859    Samba will create an in-memory cache for each oplocked file
    48594860    (it does <span class="emphasis"><em>not</em></span> do this for
     
    48764877    This is a list of users that are given read-write access to a service. If the
    48774878    connecting user is in this list then they will be given write access, no matter
    4878     what the <a class="indexterm" name="id297544"></a>read only option is set to. The list can
     4879    what the <a class="indexterm" name="id326244"></a>read only option is set to. The list can
    48794880    include group names using the @group syntax.
    48804881    </p><p>
     
    48834884    </p><p>
    48844885    By design, this parameter will not work with the
    4885     <a class="indexterm" name="id297560"></a>security = share in Samba 3.0.
     4886    <a class="indexterm" name="id326260"></a>security = share in Samba 3.0.
    48864887    </p><p>Default: <span class="emphasis"><em><em class="parameter"><code>write list</code></em> =
    48874888</em></span>
     
    49044905</p><p>Example: <span class="emphasis"><em><em class="parameter"><code>wtmp directory</code></em> = /var/log/wtmp
    49054906</em></span>
    4906 </p></dd></dl></div></div><div class="refsect1" lang="en"><a name="id297693"></a><h2>WARNINGS</h2><p>
     4907</p></dd></dl></div></div><div class="refsect1" lang="en"><a name="id326393"></a><h2>WARNINGS</h2><p>
    49074908        Although the configuration file permits service names to contain spaces, your client software may not.
    49084909        Spaces will be ignored in comparisons anyway, so it shouldn't be a problem - but be aware of the possibility.
     
    49174918        care when designing these sections. In particular, ensure that the permissions on spool directories are
    49184919        correct.
    4919         </p></div><div class="refsect1" lang="en"><a name="id297736"></a><h2>VERSION</h2><p>This man page is correct for version 3.0 of the Samba suite.</p></div><div class="refsect1" lang="en"><a name="id297747"></a><h2>SEE ALSO</h2><p>
    4920         <a href="samba.7.html"><span class="citerefentry"><span class="refentrytitle">samba</span>(7)</span></a>, <a href="smbpasswd.8.html"><span class="citerefentry"><span class="refentrytitle">smbpasswd</span>(8)</span></a>, <a href="swat.8.html"><span class="citerefentry"><span class="refentrytitle">swat</span>(8)</span></a>, <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a>, <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a>, <a href="smbclient.1.html"><span class="citerefentry"><span class="refentrytitle">smbclient</span>(1)</span></a>, <a href="nmblookup.1.html"><span class="citerefentry"><span class="refentrytitle">nmblookup</span>(1)</span></a>, <a href="testparm.1.html"><span class="citerefentry"><span class="refentrytitle">testparm</span>(1)</span></a>, <a href="testprns.1.html"><span class="citerefentry"><span class="refentrytitle">testprns</span>(1)</span></a>.</p></div><div class="refsect1" lang="en"><a name="id297826"></a><h2>AUTHOR</h2><p>
     4920        </p></div><div class="refsect1" lang="en"><a name="id326436"></a><h2>VERSION</h2><p>This man page is correct for version 3.0 of the Samba suite.</p></div><div class="refsect1" lang="en"><a name="id326447"></a><h2>SEE ALSO</h2><p>
     4921        <a href="samba.7.html"><span class="citerefentry"><span class="refentrytitle">samba</span>(7)</span></a>, <a href="smbpasswd.8.html"><span class="citerefentry"><span class="refentrytitle">smbpasswd</span>(8)</span></a>, <a href="swat.8.html"><span class="citerefentry"><span class="refentrytitle">swat</span>(8)</span></a>, <a href="smbd.8.html"><span class="citerefentry"><span class="refentrytitle">smbd</span>(8)</span></a>, <a href="nmbd.8.html"><span class="citerefentry"><span class="refentrytitle">nmbd</span>(8)</span></a>, <a href="smbclient.1.html"><span class="citerefentry"><span class="refentrytitle">smbclient</span>(1)</span></a>, <a href="nmblookup.1.html"><span class="citerefentry"><span class="refentrytitle">nmblookup</span>(1)</span></a>, <a href="testparm.1.html"><span class="citerefentry"><span class="refentrytitle">testparm</span>(1)</span></a>, <a href="testprns.1.html"><span class="citerefentry"><span class="refentrytitle">testprns</span>(1)</span></a>.</p></div><div class="refsect1" lang="en"><a name="id326526"></a><h2>AUTHOR</h2><p>
    49214922        The original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed
    49224923        by the Samba Team as an Open Source project similar to the way the Linux kernel is developed.