smb.conf The smb.conf file is a configuration file for the
Samba suite. smb.conf contains runtime configuration information
for the Samba programs. The smb.conf file is designed to be
configured and administered by the swat (8)
program. The complete description of the file format and possible
parameters held within are here for reference purposes.
The file consists of sections and parameters. A section begins with
the name of the section in square brackets and continues until the
next section begins. Sections contain parameters of the form
'name = value'
The file is line-based - that is, each newline-terminated line
represents either a comment, a section name or a parameter.
Section and parameter names are not case sensitive.
Only the first equals sign in a parameter is significant. Whitespace
before or after the first equals sign is discarded. Leading, trailing
and internal whitespace in section and parameter names is
irrelevant. Leading and trailing whitespace in a parameter value is
discarded. Internal whitespace within a parameter value is retained
verbatim.
Any line beginning with a semicolon (';') or a hash ('#') character is
ignored, as are lines containing only whitespace.
Any line ending in a '\' is "continued" on the next line in the
customary UNIX fashion.
The values following the equals sign in parameters are all either a
string (no quotes needed) or a boolean, which may be given as yes/no,
0/1 or true/false. Case is not significant in boolean values, but is
preserved in string values. Some items such as create modes are
numeric.
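The file-format rules above, as an added example (not Samba's own parser and not from the original page): a small Python reader that applies them to a constructed sample. Rejecting a parameter that appears before any section, skipping leading whitespace before a comment character, and ending a comment at its own newline are assumptions of this example.

```python
import re


def norm_name(name):
    """Section and parameter names: case-insensitive, whitespace irrelevant."""
    return re.sub(r"\s+", "", name).lower()


def as_bool(value):
    """Booleans may be written yes/no, 0/1 or true/false, in any case."""
    v = value.strip().lower()
    if v in ("yes", "true", "1"):
        return True
    if v in ("no", "false", "0"):
        return False
    raise ValueError("not a boolean: %r" % value)


def parse_smb_conf(text):
    """Return {section: {parameter: value}} with normalised names."""
    sections = {}
    current = None

    def handle(logical):
        nonlocal current
        logical = logical.strip()
        if not logical:
            return
        if logical.startswith("[") and logical.endswith("]"):
            current = sections.setdefault(norm_name(logical[1:-1]), {})
        elif "=" in logical:
            if current is None:  # assumption: treated as an error here
                raise ValueError("parameter outside a section: %r" % logical)
            # Only the first '=' separates the name from the value.
            name, value = logical.split("=", 1)
            current[norm_name(name)] = value.strip()
        else:
            raise ValueError("not a comment, section or parameter: %r" % logical)

    pending = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        head = line.lstrip()
        # Comments and blank lines are dropped unless a continuation is open.
        if not pending and (not head or head[0] in ";#"):
            continue
        if line.endswith("\\"):
            pending += line[:-1]  # continued on the next line
            continue
        handle(pending + line)
        pending = ""
    handle(pending)
    return sections


# Constructed sample input (not from the original page).
SAMPLE = """\
; semicolon comment
# hash comment

[ GLOBAL ]
    Guest  Account = nobody
    comment = a = b  with spaces
    auto services = fred lp\\
 colorlp
[foo]
path = /home/bar
WriteAble = TRUE
"""

if __name__ == "__main__":
    for section, params in parse_smb_conf(SAMPLE).items():
        print(section, params)
```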
Each section in the configuration file (except for the
[global] section) describes a shared resource (known
as a "share"). The section name is the name of the shared resource
and the parameters within the section define the share's attributes.
There are three special sections, [global],
[homes] and [printers], which are
described under 'special sections'. The
following notes apply to ordinary section descriptions.
A share consists of a directory to which access is being given plus
a description of the access rights which are granted to the user of
the service. Some housekeeping options are also specifiable.
Sections are either filespace services (used by the client as an
extension of their native file systems) or printable services (used by
the client to access print services on the host running the server).
Sections may be designated guest services, in which
case no password is required to access them. A specified UNIX
guest account is used to define access
privileges in this case.
Sections other than guest services will require a password to access
them. The client provides the username. As older clients only provide
passwords and not usernames, you may specify a list of usernames to
check against the password using the "user=" option in
the share definition. For modern clients such as Windows 95/98 and
Windows NT, this should not be necessary.
Note that the access rights granted by the server are masked by the
access rights granted to the specified or guest UNIX user by the host
system. The server does not grant more access than the host system
grants.
The following sample section defines a file space share. The user has
write access to the path /home/bar. The share is accessed via
the share name "foo":
[foo]
path = /home/bar
writeable = true
The following sample section defines a printable share. The share
is readonly, but printable. That is, the only write access permitted
is via calls to open, write to and close a spool file. The
'guest ok' parameter means access will be permitted
as the default guest user (specified elsewhere):
[aprinter]
path = /usr/spool/public
read only = true
printable = true
guest ok = true
Parameters in this section apply to the server as a whole, or are
defaults for sections which do not specifically define certain
items. See the notes under 'PARAMETERS' for more
information.
If a section called 'homes' is included in the configuration file,
services connecting clients to their home directories can be created
on the fly by the server.
When the connection request is made, the existing sections are
scanned. If a match is found, it is used. If no match is found, the
requested section name is treated as a user name and looked up in the
local password file. If the name exists and the correct password has
been given, a share is created by cloning the [homes] section.
Some modifications are then made to the newly created share:
'homes' to the located
username
If you decide to use a path= line in your [homes]
section then you may find it useful to use the %S
macro. For example :
path=/data/pchome/%S
would be useful if you have different home directories for your PCs
than for UNIX access.
This is a fast and simple way to give a large number of clients access
to their home directories with a minimum of fuss.
A similar process occurs if the requested section name is "homes",
except that the share name is not changed to that of the requesting
user. This method of using the [homes] section works well if different
users share a client PC.
The [homes] section can specify all the parameters a normal service
section can specify, though some make more sense than others. The
following is a typical and suitable [homes] section:
[homes]
writeable = yes
An important point is that if guest access is specified in the [homes]
section, all home directories will be visible to all clients
without a password. In the very unlikely event that this is
actually desirable, it would be wise to also specify read only
access.
Note that the browseable flag for auto home
directories will be inherited from the global browseable flag, not the
[homes] browseable flag. This is useful as it means setting
browseable=no in the [homes] section will hide the [homes] share but
make any auto home directories visible.
This section works like [homes], but for printers.
If a [printers] section occurs in the configuration file, users are
able to connect to any printer specified in the local host's printcap
file.
When a connection request is made, the existing sections are
scanned. If a match is found, it is used. If no match is found, but a
[homes] section exists, it is used as described
above. Otherwise, the requested section name is treated as a printer
name and the appropriate printcap file is scanned to see if the
requested section name is a valid printer share name. If a match is
found, a new printer share is created by cloning the [printers]
section.
A few modifications are then made to the newly created share:
Note that the [printers] service MUST be printable - if you specify
otherwise, the server will refuse to load the configuration file.
Typically the path specified would be that of a world-writeable spool
directory with the sticky bit set on it. A typical [printers] entry
would look like this:
[printers]
path = /usr/spool/public
writeable = no
guest ok = yes
printable = yes
All aliases given for a printer in the printcap file are legitimate
printer names as far as the server is concerned. If your printing
subsystem doesn't work like that, you will have to set up a
pseudo-printcap. This is a file consisting of one or more lines like
this:
alias|alias|alias|alias...
Each alias should be an acceptable printer name for your printing
subsystem. In the [global] section, specify the new
file as your printcap. The server will then only recognize names
found in your pseudo-printcap, which of course can contain whatever
aliases you like. The same technique could be used simply to limit
access to a subset of your local printers.
An alias, by the way, is defined as any component of the first entry
of a printcap record. Records are separated by newlines, components
(if there are more than one) are separated by vertical bar symbols
("|").
NOTE: On SYSV systems which use lpstat to determine what printers are
defined on the system you may be able to use "printcap name =
lpstat" to automatically obtain a list of
printers. See the "printcap name" option for
more details.
Parameters define the specific attributes of sections.
Some parameters are specific to the [global] section
(e.g., security). Some parameters are usable in
all sections (e.g., create mode). All others are
permissible only in normal sections. For the purposes of the following
descriptions the [homes] and
[printers] sections will be considered normal.
The letter 'G' in parentheses indicates that a parameter is
specific to the [global] section. The letter 'S'
indicates that a parameter can be specified in a service specific
section. Note that all 'S' parameters can also be specified in the
[global] section - in which case they will define
the default behavior for all services.
Parameters are arranged here in alphabetical order - this may not
create best bedfellows, but at least you can find them! Where there
are synonyms, the preferred synonym is described, others refer to the
preferred synonym.
Many of the strings that are settable in the config file can take
substitutions. For example the option "path =
/tmp/%u" would be interpreted as "path = /tmp/john" if
the user connected with the username john.
These substitutions are mostly noted in the descriptions below, but
there are some general substitutions which apply whenever they might
be relevant. These are:
There are some quite creative things that can be done with these
substitutions and other smb.conf options.
Samba supports "name mangling" so that DOS and Windows clients can
use files that don't conform to the 8.3 format. It can also be set to
adjust the case of 8.3 format filenames.
There are several options that control the way mangling is performed,
and they are grouped here rather than listed separately. For the
defaults look at the output of the testparm program.
All of these options can be set separately for each service (or
globally, of course).
The options are:
"mangle case = yes/no" controls if names that have characters that
aren't of the "default" case are mangled. For example, if this is yes
then a name like "Mail" would be mangled. Default no.
"case sensitive = yes/no" controls whether filenames are case
sensitive. If they aren't then Samba must do a filename search and
match on passed names. Default no.
"default case = upper/lower" controls what the default case is for new
filenames. Default lower.
"preserve case = yes/no" controls if new files are created with the
case that the client passes, or if they are forced to be the "default"
case. Default Yes.
"short preserve case = yes/no" controls if new files which conform
to 8.3 syntax, that is all in upper case and of suitable length, are
created upper case, or if they are forced to be the "default"
case. This option can be used with "preserve case =
yes" to permit long filenames to retain their
case, while short names are lowered. Default Yes.
By default, Samba 2.0 has the same semantics as a Windows NT
server, in that it is case insensitive but case preserving.
There are a number of ways in which a user can connect to a
service. The server follows the following steps in determining if it
will allow a connection to a specified service. If all the steps fail
then the connection request is rejected. If one of the steps pass then
the following steps are not checked.
If the service is marked "guest only = yes" then
steps 1 to 5 are skipped.
\\server\service%username method of passing a
username.
'@' then that name
expands to a list of names in the group of the same name.
Here is a list of all global parameters. See the section of each
parameter for details. Note that some are synonyms.
Here is a list of all service parameters. See the section of each
parameter for details. Note that some are synonyms.
This is the full pathname to a script that will be run AS ROOT by
smbd (8) under special circumstances described
below.
Normally, a Samba server requires that UNIX users are created for all
users accessing files on this server. For sites that use Windows NT
account databases as their primary user database creating these users
and keeping the user list in sync with the Windows NT PDC is an
onerous task. This option allows smbd to create
the required UNIX users ON DEMAND when a user accesses the Samba
server.
In order to use this option, smbd must be set to
security=server or
security=domain and "add user script"
must be set to a full pathname for a script that will create a UNIX user
given one argument of %u, which expands into the UNIX user name to
create.
When the Windows user attempts to access the Samba server, at
"login" (session setup in the SMB protocol) time,
smbd contacts the password
server and attempts to authenticate the given user
with the given password. If the authentication succeeds then
smbd attempts to find a UNIX user in the UNIX
password database to map the Windows user into. If this lookup fails,
and "add user script" is set then smbd will
call the specified script AS ROOT, expanding any %u argument
to be the user name to create.
If this script successfully creates the user then
smbd will continue on as though the UNIX user
already existed. In this way, UNIX users are dynamically created to
match existing Windows NT accounts.
See also security=server,
security=domain, password
server, delete user
script.
Default:
add user script = <empty string>
Example:
add user script = /usr/local/samba/bin/add_user %u
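A script of the kind "add user script" points at, as an added example (not shipped with Samba and not from the original page): because smbd runs it as root with %u filled in at logon time, it checks the name before creating anything. The name policy, the reserved-name list, the useradd path and its --shell value are assumptions of this example.

```python
#!/usr/bin/env python3
import pwd
import re
import subprocess
import sys
import syslog

# Assumed name policy for this example (not a Samba rule): must start with a
# lower-case letter or underscore, so it can never look like an option or path.
NAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}\Z")
RESERVED = {"root", "daemon", "bin", "nobody"}  # assumed deny-list
USERADD = "/usr/sbin/useradd"                   # assumed location


def valid_username(name):
    """True only for names that match the policy and are not reserved."""
    return bool(NAME_RE.match(name)) and name not in RESERVED


def build_command(name):
    """Argument vector for useradd; never passed through a shell."""
    if not valid_username(name):
        raise ValueError("refusing user name %r" % name)
    # "--" ends option parsing, so the name is always taken as an operand.
    return [USERADD, "--shell", "/usr/sbin/nologin", "--", name]


def main(argv):
    if len(argv) != 2:
        print("usage: add_user <username>", file=sys.stderr)
        return 2
    name = argv[1]
    try:
        cmd = build_command(name)
    except ValueError as exc:
        # Leave a trace for whoever reviews account creation on this host.
        syslog.syslog(syslog.LOG_WARNING, "add_user: %s" % exc)
        return 1
    try:
        pwd.getpwnam(name)
        return 0  # account already exists, nothing to create
    except KeyError:
        pass
    return subprocess.run(cmd, shell=False, check=False).returncode


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```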
This is a list of users who will be granted administrative privileges
on the share. This means that they will do all file operations as the
super-user (root).
You should use this option very carefully, as any user in this list
will be able to do anything they like on the share, irrespective of
file permissions.
Default:
no admin users
Example:
admin users = jason
Synonym for hosts allow.
This option only takes effect when the security
option is set to server or domain. If it is set to no,
then attempts to connect to a resource from a domain or workgroup other than
the one which smbd is running in will fail, even if that domain
is trusted by the remote server doing the authentication.
This is useful if you only want your Samba server to serve resources
to users in the domain it is a member of. As an example, suppose that there are
two domains DOMA and DOMB. DOMB is trusted by DOMA, which contains
the Samba server. Under normal circumstances, a user with an account
in DOMB can then access the resources of a UNIX account with the same
account name on the Samba server even if they do not have an account
in DOMA. This can make implementing a security boundary difficult.
Default:
allow trusted domains = Yes
Example:
allow trusted domains = No
This is a deprecated parameter. It no longer has any effect in Samba 2.0.
In previous versions of Samba it affected the way the DOS "read only"
attribute was mapped for a file. In Samba 2.0 a file is marked "read only"
if the UNIX file does not have the 'w' bit set for the owner of the file,
regardless of whether the owner of the file is the currently logged on user.
This specifies what type of server nmbd will
announce itself as, to a network neighborhood browse list. By default
this is set to Windows NT. The valid options are : "NT", which is a
synonym for "NT Server", "NT Server", "NT Workstation", "Win95" or
"WfW" meaning Windows NT Server, Windows NT Workstation, Windows 95
and Windows for Workgroups respectively. Do not change this parameter
unless you have a specific need to stop Samba appearing as an NT server
as this may prevent Samba servers from participating as browser servers correctly.
Default:
announce as = NT Server
Example:
announce as = Win95
This specifies the major and minor version numbers that nmbd will use
when announcing itself as a server. The default is 4.2. Do not change
this parameter unless you have a specific need to set a Samba server
to be a downlevel server.
Default:
announce version = 4.2
Example:
announce version = 2.0
This is a list of services that you want to be automatically added to
the browse lists. This is most useful for homes and printers services
that would otherwise not be visible.
Note that if you just want all printers in your printcap file loaded
then the "load printers" option is easier.
Default:
no auto services
Example:
auto services = fred lp colorlp
This parameter lets you 'turn off' a service. If 'available = no',
then ALL attempts to connect to the service will fail. Such failures
are logged.
Default:
available = yes
Example:
available = no
This global parameter allows the Samba admin to limit what interfaces
on a machine will serve smb requests. It affects file service
smbd and name service nmbd
in slightly different ways.
For name service it causes nmbd to bind to ports
137 and 138 on the interfaces listed in the
'interfaces'
parameter. nmbd also binds to the 'all
addresses' interface (0.0.0.0) on ports 137 and 138 for the purposes
of reading broadcast messages. If this option is not set then
nmbd will service name requests on all of these
sockets. If "bind interfaces only" is set then
nmbd will check the source address of any
packets coming in on the broadcast sockets and discard any that don't
match the broadcast addresses of the interfaces in the
'interfaces' parameter list. As unicast packets
are received on the other sockets it allows nmbd
to refuse to serve names to machines that send packets that arrive
through any interfaces not listed in the
"interfaces" list. IP source address spoofing
does defeat this simple check, however, so it must not be relied on
as a security feature for nmbd.
For file service it causes smbd to bind only to
the interface list given in the 'interfaces'
parameter. This restricts the networks that smbd
will serve to packets coming in those interfaces. Note that you
should not use this parameter for machines that are serving PPP or
other intermittent or non-broadcast network interfaces as it will not
cope with non-permanent interfaces.
If "bind interfaces only" is set then unless the network address
127.0.0.1 is added to the 'interfaces' parameter
list smbpasswd and
swat may not work as expected due to the
reasons covered below.
To change a user's SMB password, smbpasswd
by default connects to the "localhost" - 127.0.0.1 address as an SMB
client to issue the password change request. If "bind interfaces only"
is set then, unless the network address 127.0.0.1 is added to the
'interfaces' parameter list,
smbpasswd will fail to connect in its
default mode. smbpasswd can be forced to
use the primary IP interface of the local host by using its
"-r remote machine" parameter, with
"remote machine" set to the IP name of the primary interface
of the local host.
The swat status page tries to connect with
smbd and nmbd at the address
127.0.0.1 to determine if they are running. Not adding 127.0.0.1 will cause
smbd and nmbd to always show
"not running" even if they really are. This can prevent
swat from starting/stopping/restarting
smbd and nmbd.
Default:
bind interfaces only = False
Example:
bind interfaces only = True
This parameter controls the behavior of smbd when
given a request by a client to obtain a byte range lock on a region
of an open file, and the request has a time limit associated with it.
If this parameter is set and the lock range requested cannot be
immediately satisfied, Samba 2.0 will internally queue the lock
request, and periodically attempt to obtain the lock until the
timeout period expires.
If this parameter is set to "False", then Samba 2.0 will behave
as previous versions of Samba would and will fail the lock
request immediately if the lock range cannot be obtained.
This parameter can be set per share.
Default:
blocking locks = True
Example:
blocking locks = False
Synonym for browseable.
This controls whether smbd will serve a browse
list to a client doing a NetServerEnum call. Normally set to true. You
should never need to change this.
Default:
browse list = Yes
This controls whether this share is seen in the list of available
shares in a net view and in the browse list.
Default:
browseable = Yes
Example:
browseable = No
See the discussion in the section NAME MANGLING.
Synonym for "case sensitive".
One of the new NT SMB requests that Samba 2.0 supports is the
"ChangeNotify" request. This SMB allows a client to tell a server to
"watch" a particular directory for any changes and only reply to
the SMB request when a change has occurred. Such constant scanning of
a directory is expensive under UNIX, hence an
smbd daemon only performs such a scan on each
requested directory once every change notify timeout seconds.
change notify timeout is specified in units of seconds.
Default:
change notify timeout = 60
Example:
change notify timeout = 300
Would change the scan time to every 5 minutes.
This allows a smbd to map incoming filenames from a DOS Code page (see
the client code page parameter) to several
built in UNIX character sets. The built in code page translations are:
BUG. These MSDOS code page to UNIX character set mappings should
be dynamic, like the loading of MS DOS code pages, not static.
See also client code page. Normally this
parameter is not set, meaning no filename translation is done.
Default:
character set = <empty string>
Example:
character set = ISO8859-1
This parameter specifies the DOS code page that the clients accessing
Samba are using. To determine what code page a Windows or DOS client
is using, open a DOS command prompt and type the command "chcp". This
will output the code page. The default for USA MS-DOS, Windows 95, and
Windows NT releases is code page 437. The default for Western European
releases of the above operating systems is code page 850.
This parameter tells smbd which of the
codepage.XXX files to dynamically load on startup. These files,
described more fully in the manual page make_smbcodepage
(1), tell smbd how
to map lower to upper case characters to provide the case insensitivity
of filenames that Windows clients expect.
Samba currently ships with the following code page files :
Thus this parameter may have any of the values 437, 737, 850, 852,
861, 932, 936, 949, or 950. If you don't find the codepage you need,
read the comments in one of the other codepage files and the
make_smbcodepage (1) man page and
write one. Please remember to donate it back to the Samba user
community.
This parameter co-operates with the "valid
chars" parameter in determining what characters are
valid in filenames and how capitalization is done. If you set both
this parameter and the "valid chars" parameter
the "client code page" parameter MUST be set before the
"valid chars" parameter in the smb.conf
file. The "valid chars" string will then augment
the character settings in the "client code page" parameter.
If not set, "client code page" defaults to 850.
See also : "valid chars"
Default:
client code page = 850
Example:
client code page = 936
This parameter is used to determine how incoming Shift-JIS Japanese
characters are mapped from the incoming "client code
page" used by the client, into file names in the
UNIX filesystem. Only useful if "client code
page" is set to 932 (Japanese Shift-JIS).
The options are :
:AB.
:AB. This is used for compatibility between Samba and CAP.
This is a text field that is seen next to a share when a client
queries the server, either via the network neighborhood or via "net
view" to list what shares are available.
If you want to set the string that is displayed next to the machine
name then see the server string command.
Default:
No comment string
Example:
comment = Fred's Files
This allows you to override the config file to use, instead of the
default (usually smb.conf). There is a chicken and egg problem
here as this option is set in the config file!
For this reason, if the name of the config file has changed when the
parameters are loaded then it will reload them from the new config
file.
This option takes the usual substitutions, which can be very useful.
If the config file doesn't exist then it won't be loaded (allowing you
to special case the config files of just a few clients).
Example:
config file = /usr/local/samba/lib/smb.conf.%m
This parameter allows you to 'clone' service entries. The specified
service is simply duplicated under the current service's name. Any
parameters specified in the current section will override those in the
section being copied.
This feature lets you set up a 'template' service and create similar
services easily. Note that the service being copied must occur earlier
in the configuration file than the service doing the copying.
Default:
none
Example:
copy = otherservice
A synonym for this parameter is 'create mode'.
When a file is created, the necessary permissions are calculated
according to the mapping from DOS modes to UNIX permissions, and the
resulting UNIX mode is then bit-wise 'AND'ed with this parameter.
This parameter may be thought of as a bit-wise MASK for the UNIX modes
of a file. Any bit *not* set here will be removed from the modes set
on a file when it is created.
The default value of this parameter removes the 'group' and 'other'
write and execute bits from the UNIX modes.
Following this Samba will bit-wise 'OR' the UNIX mode created from
this parameter with the value of the "force create mode" parameter
which is set to 000 by default.
This parameter does not affect directory modes. See the parameter
'directory mode' for details.
See also the "force create mode" parameter
for forcing particular mode bits to be set on created files. See also
the "directory mode" parameter for masking
mode bits on created directories.
Default:
create mask = 0744
Example:
create mask = 0775
This is a synonym for create mask.
The value of the parameter (a decimal integer) represents the number
of minutes of inactivity before a connection is considered dead, and
it is disconnected. The deadtime only takes effect if the number of
open files is zero.
This is useful to stop a server's resources being exhausted by a large
number of inactive connections.
Most clients have an auto-reconnect feature when a connection is
broken so in most cases this parameter should be transparent to users.
Using this parameter with a timeout of a few minutes is recommended
for most systems.
A deadtime of zero indicates that no auto-disconnection should be
performed.
Default:
deadtime = 0
Example:
deadtime = 15
Sometimes the timestamps in the log messages are needed with a
resolution higher than seconds. This boolean parameter adds
microsecond resolution to the timestamp message header when turned on.
Note that the parameter debug timestamp
must be on for this to have an effect.
Default:
debug hires timestamp = No
Example:
debug hires timestamp = Yes
Samba 2.0 debug log messages are timestamped by default. If you are
running at a high "debug level" these timestamps
can be distracting. This boolean parameter allows them to be turned
off.
Default:
debug timestamp = Yes
Example:
debug timestamp = No
When using only one log file for more than one forked smbd process
it may be hard to follow which process outputs which message.
This boolean parameter adds the process-id to the timestamp message
headers in the logfile when turned on.
Note that the parameter debug timestamp
must be on for this to have an effect.
Default:
debug pid = No
Example:
debug pid = Yes
Samba is sometimes run as root and sometimes run as the connected
user. This boolean parameter inserts the current euid, egid, uid
and gid into the timestamp message headers in the log file if turned on.
Note that the parameter debug timestamp
must be on for this to have an effect.
Default:
debug uid = No
Example:
debug uid = Yes
The value of the parameter (an integer) allows the debug level
(logging level) to be specified in the smb.conf file. This is to
give greater flexibility in the configuration of the system.
The default will be the debug level specified on the command line
or level zero if none was specified.
Example:
debug level = 3
A synonym for default service.
See the section on "NAME MANGLING". Also note
the "short preserve case" parameter.
This parameter specifies the name of a service which will be connected
to if the service actually requested cannot be found. Note that the
square brackets are NOT given in the parameter value (see example
below).
There is no default value for this parameter. If this parameter is not
given, attempting to connect to a nonexistent service results in an
error.
Typically the default service would be a guest ok,
read-only service.
Also note that the apparent service name will be changed to equal that
of the requested service, this is very useful as it allows you to use
macros like %S to make a wildcard service.
Note also that any '_' characters in the name of the service used
in the default service will get mapped to a '/'. This allows for
interesting things.
Example:
default service = pub
[pub]
path = /%S
This is the full pathname to a script that will be run AS ROOT by
smbd (8) under special circumstances described
below.
Normally, a Samba server requires that UNIX users are created for all
users accessing files on this server. For sites that use Windows NT
account databases as their primary user database creating these users
and keeping the user list in sync with the Windows NT PDC is an
onerous task. This option allows smbd to delete
the required UNIX users ON DEMAND when a user accesses the Samba
server and the Windows NT user no longer exists.
In order to use this option, smbd must be set to
security=domain and "delete user
script" must be set to a full pathname for a script that will delete
a UNIX user given one argument of %u, which expands into the UNIX
user name to delete. NOTE that this is different to the
add user script which will work with the
security=server option as well as
security=domain. The reason for this
is that only when Samba is a domain member does it get the information
on an attempted user logon that a user no longer exists. In the
security=server mode a missing user
is treated the same as an invalid password logon attempt. Deleting
the user in this circumstance would not be a good idea.
When the Windows user attempts to access the Samba server, at
"login" (session setup in the SMB protocol) time,
smbd contacts the password
server and attempts to authenticate the given user
with the given password. If the authentication fails with the specific
Domain error code meaning that the user no longer exists then
smbd attempts to find a UNIX user in the UNIX
password database that matches the Windows user account. If this lookup succeeds,
and "delete user script" is set then smbd will
call the specified script AS ROOT, expanding any %u argument
to be the user name to delete.
This script should delete the given UNIX username. In this way, UNIX
users are dynamically deleted to match existing Windows NT accounts.
See also security=domain,
password server, add user
script.
Default:
delete user script = <empty string>
Example:
delete user script = /usr/local/samba/bin/del_user %u
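The constraints stated so far for [homes] guest access, [printers], "admin users", "bind interfaces only", "copy" and the add/delete user scripts, gathered into one check as an added example (not part of Samba and not from the original page). It takes the section-to-parameter mapping a parser of the file would produce; the sample configuration is constructed, synonyms other than writeable/read only are not resolved, and matching 127.0.0.1 as a prefix of an "interfaces" entry is an assumption.

```python
def key(name):
    """Names are case-insensitive and whitespace in them is irrelevant."""
    return "".join(name.split()).lower()


def is_yes(value):
    return str(value).strip().lower() in ("yes", "true", "1")


def is_no(value):
    return str(value).strip().lower() in ("no", "false", "0")


def audit(conf):
    """Return (section, parameter, message) findings for a parsed smb.conf."""
    conf = {key(s): {key(p): str(v).strip() for p, v in params.items()}
            for s, params in conf.items()}
    glob = conf.get("global", {})
    findings = []

    def eff(share, param):
        # 'S' parameters set in [global] are the default for every service.
        return conf.get(share, {}).get(key(param), glob.get(key(param), ""))

    if "homes" in conf and is_yes(eff("homes", "guest ok")):
        writable = is_yes(eff("homes", "writeable")) or is_no(eff("homes", "read only"))
        findings.append(("homes", "guest ok",
                         "all home directories are visible without a password"
                         + (" and writable" if writable else "")))

    if "printers" in conf and not is_yes(eff("printers", "printable")):
        findings.append(("printers", "printable",
                         "[printers] must be printable or the file will not load"))

    order = list(conf)  # sections in file order
    for share, params in conf.items():
        if params.get("adminusers"):
            findings.append((share, "admin users",
                             "file operations run as root for: " + params["adminusers"]))
        src = params.get("copy")
        if src is not None and (key(src) not in order
                                or order.index(key(src)) >= order.index(share)):
            findings.append((share, "copy",
                             "the copied service must occur earlier in the file"))

    if is_yes(glob.get("bindinterfacesonly", "no")):
        tokens = glob.get("interfaces", "").split()
        if not any(t.startswith("127.0.0.1") for t in tokens):
            findings.append(("global", "interfaces",
                             "127.0.0.1 not listed: smbpasswd and swat may not work"))

    security = glob.get("security", "").lower()
    needs = {"add user script": ("server", "domain"),
             "delete user script": ("domain",)}
    for param, modes in needs.items():
        script = glob.get(key(param), "")
        if not script:
            continue
        if security not in modes:
            findings.append(("global", param,
                             "only used with security = " + " or ".join(modes)))
        if not script.startswith("/"):
            findings.append(("global", param,
                             "must be a full pathname; the script runs as root"))
    return findings


# Constructed sample configuration (not from the original page).
SAMPLE = {
    "global": {"security": "server", "bind interfaces only": "Yes",
               "interfaces": "192.168.10.5/24", "guest ok": "yes",
               "add user script": "/usr/local/samba/bin/add_user %u",
               "delete user script": "del_user %u"},
    "homes": {"writeable": "yes"},
    "printers": {"path": "/usr/spool/public", "printable": "no"},
    "data": {"copy": "template", "admin users": "jason"},
    "template": {"path": "/data"},
}

if __name__ == "__main__":
    for section, param, message in audit(SAMPLE):
        print("[%s] %s: %s" % (section, param, message))
```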
This parameter allows readonly files to be deleted. This is not
normal DOS semantics, but is allowed by UNIX.
This option may be useful for running applications such as rcs, where
UNIX file ownership prevents changing file permissions, and DOS
semantics prevent deletion of a read only file.
Default:
delete readonly = No
Example:
delete readonly = Yes
This option is used when Samba is attempting to delete a directory
that contains one or more vetoed directories (see the 'veto
files' option). If this option is set to False (the
default) then if a vetoed directory contains any non-vetoed files or
directories then the directory delete will fail. This is usually what
you want.
If this option is set to True, then Samba will attempt to recursively
delete any files and directories within the vetoed directory. This can
be useful for integration with file serving systems such as NetAtalk,
which create meta-files within directories you might normally veto
DOS/Windows users from seeing (e.g. .AppleDouble)
Setting 'delete veto files = True' allows these directories to be
transparently deleted when the parent directory is deleted (so long
as the user has permissions to do so).
See also the veto files parameter.
Default:
delete veto files = False
Example:
delete veto files = True
Synonym for hosts deny.
The dfree command setting should only be used on systems where a
problem occurs with the internal disk space calculations. This has
been known to happen with Ultrix, but may occur with other operating
systems. The symptom that was seen was an error of "Abort Retry
Ignore" at the end of each directory listing.
This setting allows the replacement of the internal routines to
calculate the total disk space and amount available with an external
routine. The example below gives a possible script that might fulfill
this function.
The external program will be passed a single parameter indicating a
directory in the filesystem being queried. This will typically consist
of the string "./". The script should return two integers in
ascii. The first should be the total disk space in blocks, and the
second should be the number of available blocks. An optional third
return value can give the block size in bytes. The default blocksize
is 1024 bytes.
Note: Your script should NOT be setuid or setgid and should be
owned by (and writeable only by) root!
Default:
By default internal routines for determining the disk capacity
and remaining space will be used.
Example:
dfree command = /usr/local/samba/bin/dfree
Where the script dfree (which must be made executable) could be:
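#!/bin/sh
# $1 is the directory passed by smbd (typically "./"); quoted so spaces survive
df "$1" | tail -1 | awk '{print $2" "$4}'
or perhaps (on Sys V based systems):
#!/bin/sh
# column 3 is total blocks and column 5 is available blocks in this df layout
/usr/bin/df -k "$1" | tail -1 | awk '{print $3" "$5}'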
Note that you may have to replace the command names with full
path names on some systems.
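The ownership note above can be checked mechanically. This added example (not part of Samba) parses smb.conf text using the file-format rules given at the top of this page and reports any program named by dfree command or delete user script that is not root-owned, carries a setuid/setgid bit, or is writable by group or other; the sample configuration is constructed, and the function names are hypothetical.

```python
import os
import stat

# Parameters on this page whose value names an external program run by smbd.
SCRIPT_PARAMS = ("dfree command", "delete user script")
WANTED = {"".join(p.split()): p for p in SCRIPT_PARAMS}

# Constructed sample, not a real configuration.
SAMPLE_CONF = """\
; constructed sample
[global]
   DFree Command = /usr/local/samba/bin/dfree
   delete user script = /usr/local/samba/bin/del_user \\
       %u
"""


def parse_smb_conf(text):
    """Yield (section, normalised_name, value) following the smb.conf line rules."""
    section, pending = None, ""
    for raw in text.splitlines():
        line = pending + raw
        if line.rstrip().endswith("\\"):        # continued on the next line
            pending = line.rstrip()[:-1]
            continue
        pending = ""
        line = line.strip()
        if not line or line[0] in ";#":         # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        name, sep, value = line.partition("=")  # only the first '=' is significant
        if sep:
            # names are case-insensitive and whitespace in them is irrelevant
            yield section, "".join(name.split()).lower(), value.strip()


def permission_problems(st, trusted_uid=0):
    """Return the ways a stat result violates 'root-owned, not setuid/setgid, root-writable only'."""
    problems = []
    if st.st_uid != trusted_uid:
        problems.append("owner uid %d is not %d" % (st.st_uid, trusted_uid))
    if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
        problems.append("setuid or setgid bit is set")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("writable by group or other")
    return problems


def audit_scripts(conf_text, stat_fn=os.stat):
    """Return (section, parameter, path, problem) tuples for script-valued parameters."""
    findings = []
    for section, name, value in parse_smb_conf(conf_text):
        if name not in WANTED or not value:
            continue
        path = value.split()[0]                 # program path; the rest are arguments such as %u
        try:
            problems = permission_problems(stat_fn(path))
        except OSError as exc:
            problems = ["cannot stat: %s" % exc.strerror]
        findings.extend((section, WANTED[name], path, p) for p in problems)
    return findings


if __name__ == "__main__":
    for finding in audit_scripts(SAMPLE_CONF):
        print("%s: %s -> %s: %s" % finding)
```

The check covers the script file only; the directories leading to it need the same ownership and write restrictions for the result to mean anything.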
Synonym for path.
This parameter is the octal modes which are used when converting DOS
modes to UNIX modes when creating UNIX directories.
When a directory is created, the necessary permissions are calculated
according to the mapping from DOS modes to UNIX permissions, and the
resulting UNIX mode is then bit-wise 'AND'ed with this parameter.
This parameter may be thought of as a bit-wise MASK for the UNIX modes
of a directory. Any bit *not* set here will be removed from the
modes set on a directory when it is created.
The default value of this parameter removes the 'group' and 'other'
write bits from the UNIX mode, allowing only the user who owns the
directory to modify it.
Following this Samba will bit-wise 'OR' the UNIX mode created from
this parameter with the value of the "force directory mode"
parameter. This parameter is set to 000 by default (i.e. no extra mode
bits are added).
See the "force directory mode" parameter
to cause particular mode bits to always be set on created directories.
See also the "create mode" parameter for masking
mode bits on created files, and the "directory security mask"
parameter.
Default:
directory mask = 0755
Example:
directory mask = 0775
Synonym for directory mask.
This parameter controls what UNIX permission bits can be modified
when a Windows NT client is manipulating the UNIX permission on a
directory using the native NT security dialog box.
This parameter is applied as a mask (AND'ed with) to the changed
permission bits, thus preventing any bits not in this mask from
being modified. Essentially, zero bits in this mask may be treated
as a set of bits the user is not allowed to change.
If not set explicitly this parameter is set to the same value as the
directory mask parameter. To allow a user to
modify all the user/group/world permissions on a directory, set this
parameter to 0777.
Note that users who can access the Samba server through other
means can easily bypass this restriction, so it is primarily
useful for standalone "appliance" systems. Administrators of
most normal systems will probably want to set it to 0777.
See also the force directory security
mode, security
mask, force security mode
parameters.
Default:
directory security mask = <same as directory mask>
Example:
directory security mask = 0777
Specifies that nmbd when acting as a WINS
server and finding that a NetBIOS name has not been registered, should
treat the NetBIOS name word-for-word as a DNS name and do a lookup
with the DNS server for that name on behalf of the name-querying
client.
Note that the maximum length for a NetBIOS name is 15 characters, so
the DNS name (or DNS alias) can likewise only be 15 characters,
maximum.
nmbd spawns a second copy of itself to do the
DNS name lookup requests, as doing a name lookup is a blocking action.
See also the parameter wins support.
Default:
dns proxy = yes
This is an EXPERIMENTAL parameter that is part of the unfinished
Samba NT Domain Controller Code. It may be removed in a later release.
To work with the latest code builds that may have more support for
Samba NT Domain Controller functionality please subscribe to the
mailing list Samba-ntdom available by sending email to
listproc@samba.org
This is an EXPERIMENTAL parameter that is part of the unfinished
Samba NT Domain Controller Code. It may be removed in a later release.
To work with the latest code builds that may have more support for
Samba NT Domain Controller functionality please subscribe to the
mailing list Samba-ntdom available by sending email to
listproc@samba.org
This is a DEPRECATED parameter. It is currently not used within
the Samba source and should be removed from all current smb.conf
files. It is left behind for compatibility reasons.
This is an EXPERIMENTAL parameter that is part of the unfinished
Samba NT Domain Controller Code. It may be removed in a later release.
To work with the latest code builds that may have more support for
Samba NT Domain Controller functionality please subscribe to the
mailing list Samba-ntdom available by sending email to
listproc@samba.org
This is an EXPERIMENTAL parameter that is part of the unfinished
Samba NT Domain Controller Code. It may be removed in a later release.
To work with the latest code builds that may have more support for
Samba NT Domain Controller functionality please subscribe to the
mailing list Samba-ntdom available by sending email to
listproc@samba.org
This is an EXPERIMENTAL parameter that is part of the unfinished
Samba NT Domain Controller Code. It may be removed in a later release.
To work with the latest code builds that may have more support for
Samba NT Domain Controller functionality please subscribe to the
mailing list Samba-ntdom available by sending email to
listproc@samba.org
If set to true, the Samba server will serve Windows 95/98 Domain
logons for the workgroup it is in. For more
details on setting up this feature see the file DOMAINS.txt in the
Samba documentation directory docs/ shipped with the source code.
Note that Win95/98 Domain logons are NOT the same as Windows
NT Domain logons. NT Domain logons require a Primary Domain Controller
(PDC) for the Domain. It is intended that in a future release Samba
will be able to provide this functionality for Windows NT clients
also.
Default:
domain logons = no
Tell nmbd to enable WAN-wide browse list
collation. Setting this option causes nmbd to
claim a special domain specific NetBIOS name that identifies it as a
domain master browser for its given
workgroup. Local master browsers in the same
workgroup on broadcast-isolated subnets will give
this nmbd their local browse lists, and then
ask smbd for a complete copy of the browse list
for the whole wide area network. Browser clients will then contact
their local master browser, and will receive the domain-wide browse
list, instead of just the list for their broadcast-isolated subnet.
Note that Windows NT Primary Domain Controllers expect to be able to
claim this workgroup specific special NetBIOS
name that identifies them as domain master browsers for that
workgroup by default (i.e. there is no way to
prevent a Windows NT PDC from attempting to do this). This means that
if this parameter is set and nmbd claims the
special name for a workgroup before a Windows NT
PDC is able to do so then cross subnet browsing will behave strangely
and may fail.
Default:
domain master = no
There are certain directories on some systems (e.g., the /proc tree
under Linux) that are either not of interest to clients or are
infinitely deep (recursive). This parameter allows you to specify a
comma-delimited list of directories that the server should always show
as empty.
Note that Samba can be very fussy about the exact format of the "dont
descend" entries. For example you may need "./proc" instead of
just "/proc". Experimentation is the best policy :-)
Default:
none (i.e., all directories are OK to descend)
Example:
dont descend = /proc,/dev
Under the DOS and Windows FAT filesystem, the finest granularity on
time resolution is two seconds. Setting this parameter for a share
causes Samba to round the reported time down to the nearest two second
boundary when a query call that requires one second resolution is made
to smbd.
This option is mainly used as a compatibility option for Visual C++
when used against Samba shares. If oplocks are enabled on a share,
Visual C++ uses two different time reading calls to check if a file
has changed since it was last read. One of these calls uses a
one-second granularity, the other uses a two second granularity. As
the two second call rounds any odd second down, then if the file has a
timestamp of an odd number of seconds then the two timestamps will not
match and Visual C++ will keep reporting the file has changed. Setting
this option causes the two timestamps to match, and Visual C++ is
happy.
Default:
dos filetime resolution = False
Example:
dos filetime resolution = True
Under DOS and Windows, if a user can write to a file they can change
the timestamp on it. Under POSIX semantics, only the owner of the file
or root may change the timestamp. By default, Samba runs with POSIX
semantics and refuses to change the timestamp on a file if the user
smbd is acting on behalf of is not the file owner. Setting this option
to True allows DOS semantics and smbd will change the file timestamp as
DOS requires.
Default:
dos filetimes = False
Example:
dos filetimes = True
This boolean controls whether encrypted passwords will be negotiated
with the client. Note that Windows NT 4.0 SP3 and above and also
Windows 98 will by default expect encrypted passwords unless a
registry entry is changed. To use encrypted passwords in Samba see the
file ENCRYPTION.txt in the Samba documentation directory docs/
shipped with the source code.
In order for encrypted passwords to work correctly
smbd must either have access to a local
smbpasswd (5) file (see the
smbpasswd (8) program for information on
how to set up and maintain this file), or set the
security= parameter to either
"server" or
"domain" which causes
smbd to authenticate against another server.
This is a synonym for preexec.
NTFS and Windows VFAT file systems keep a create time for all files
and directories. This is not the same as the ctime - status change
time - that Unix keeps, so Samba by default reports the earliest of
the various times Unix does keep. Setting this parameter for a share
causes Samba to always report midnight 1-1-1980 as the create time for
directories.
This option is mainly used as a compatibility option for Visual C++
when used against Samba shares. Visual C++ generated makefiles have
the object directory as a dependency for each object file, and a make
rule to create the directory. Also, when NMAKE compares timestamps it
uses the creation time when examining a directory. Thus the object
directory will be created if it does not exist, but once it does exist
it will always have an earlier timestamp than the object files it
contains.
However, Unix time semantics mean that the create time reported by
Samba will be updated whenever a file is created or deleted in the
directory. NMAKE therefore finds all object files in the object
directory bar the last one built are out of date compared to the
directory and rebuilds them. Enabling this option ensures directories
always predate their contents and an NMAKE build will proceed as
expected.
Default:
fake directory create times = False
Example:
fake directory create times = True
Oplocks are the way that SMB clients get permission from a server to
locally cache file operations. If a server grants an oplock
(opportunistic lock) then the client is free to assume that it is the
only one accessing the file and it will aggressively cache file
data. With some oplock types the client may even cache file open/close
operations. This can give enormous performance benefits.
When you set "fake oplocks = yes" smbd will
always grant oplock requests no matter how many clients are using the
file.
It is generally much better to use the real oplocks
support rather than this parameter.
If you enable this option on all read-only shares or shares that you
know will only be accessed from one client at a time such as
physically read-only media like CDROMs, you will see a big performance
improvement on many operations. If you enable this option on shares
where multiple clients may be accessing the files read-write at the
same time you can get data corruption. Use this option carefully!
This option is disabled by default.
This parameter allows the Samba administrator to stop
smbd from following symbolic links in a
particular share. Setting this parameter to "No" prevents any file
or directory that is a symbolic link from being followed (the user
will get an error). This option is very useful to stop users from
adding a symbolic link to /etc/passwd in their home directory for
instance. However it will slow filename lookups down slightly.
This option is enabled (i.e. smbd will follow
symbolic links) by default.
This parameter specifies a set of UNIX mode bit permissions that will
*always* be set on a file created by Samba. This is done by
bitwise 'OR'ing these bits onto the mode bits of a file that is being
created. The default for this parameter is (in octal) 000. The modes
in this parameter are bitwise 'OR'ed onto the file mode after the mask
set in the "create mask" parameter is applied.
See also the parameter "create mask" for details
on masking mode bits on created files.
Default:
force create mode = 000
Example:
force create mode = 0755
would force all created files to have read and execute permissions set
for 'group' and 'other' as well as the read/write/execute bits set for
the 'user'.
This parameter specifies a set of UNIX mode bit permissions that will
*always* be set on a directory created by Samba. This is done by
bitwise 'OR'ing these bits onto the mode bits of a directory that is
being created. The default for this parameter is (in octal) 0000 which
will not add any extra permission bits to a created directory. This
operation is done after the mode mask in the parameter
"directory mask" is applied.
See also the parameter "directory mask" for
details on masking mode bits on created directories.
Default:
force directory mode = 000
Example:
force directory mode = 0755
would force all created directories to have read and execute
permissions set for 'group' and 'other' as well as the
read/write/execute bits set for the 'user'.
This parameter controls what UNIX permission bits can be modified when
a Windows NT client is manipulating the UNIX permission on a directory
using the native NT security dialog box.
This parameter is applied as a mask (OR'ed with) to the changed
permission bits, thus forcing any bits in this mask that the user may
have modified to be on. Essentially, one bits in this mask may be
treated as a set of bits that, when modifying security on a directory,
the user has always set to be 'on'.
If not set explicitly this parameter is set to the same value as the
force directory mode parameter. To allow
a user to modify all the user/group/world permissions on a directory
with no restrictions, set this parameter to 000.
Note that users who can access the Samba server through other
means can easily bypass this restriction, so it is primarily
useful for standalone "appliance" systems. Administrators of
most normal systems will probably want to set it to 0000.
See also the directory security mask,
security mask, force security
mode parameters.
Default:
force directory security mode = <same as force directory mode>
Example:
force directory security mode = 0
This specifies a UNIX group name that will be assigned as the default
primary group for all users connecting to this service. This is useful
for sharing files by ensuring that all access to files on service will
use the named group for their permissions checking. Thus, by assigning
permissions for this group to the files and directories within this
service the Samba administrator can restrict or allow sharing of these
files.
In Samba 2.0.5 and above this parameter has extended functionality in the following
way. If the group name listed here has a '+' character prepended to it
then the current user accessing the share only has the primary group
default assigned to this group if they are already assigned as a member
of that group. This allows an administrator to decide that only users
who are already in a particular group will create files with group
ownership set to that group. This gives a finer granularity of ownership
assignment. For example, the setting force group = +sys means
that only users who are already in group sys will have their default
primary group assigned to sys when accessing this Samba share. All
other users will retain their ordinary primary group.
If the "force user" parameter is also set the
group specified in force group will override the primary group
set in "force user".
See also "force user"
Default:
no forced group
Example:
force group = agroup
This parameter controls what UNIX permission bits can be modified when
a Windows NT client is manipulating the UNIX permission on a file
using the native NT security dialog box.
This parameter is applied as a mask (OR'ed with) to the changed
permission bits, thus forcing any bits in this mask that the user may
have modified to be on. Essentially, one bits in this mask may be
treated as a set of bits that, when modifying security on a file, the
user has always set to be 'on'.
If not set explicitly this parameter is set to the same value as the
force create mode parameter. To allow
a user to modify all the user/group/world permissions on a file
with no restrictions, set this parameter to 000.
Note that users who can access the Samba server through other
means can easily bypass this restriction, so it is primarily
useful for standalone "appliance" systems. Administrators of
most normal systems will probably want to set it to 0000.
See also the force directory security
mode, directory security
mask, security mask
parameters.
Default:
force security mode = <same as force create mode>
Example:
force security mode = 0
This specifies a UNIX user name that will be assigned as the default
user for all users connecting to this service. This is useful for
sharing files. You should also use it carefully as using it
incorrectly can cause security problems.
This user name only gets used once a connection is established. Thus
clients still need to connect as a valid user and supply a valid
password. Once connected, all file operations will be performed as the
"forced user", no matter what username the client connected as.
This can be very useful.
In Samba 2.0.5 and above this parameter also causes the primary
group of the forced user to be used as the primary group for all
file activity. Prior to 2.0.5 the primary group was left as the
primary group of the connecting user (this was a bug).
See also "force group"
Default:
no forced user
Example:
force user = auser
This parameter allows the administrator to configure the string that
specifies the type of filesystem a share is using that is reported by
smbd when a client queries the filesystem type
for a share. The default type is "NTFS" for compatibility with
Windows NT but this can be changed to other strings such as "Samba" or
"FAT" if required.
Default:
fstype = NTFS
Example:
fstype = Samba
This is a tuning option. When this is enabled a caching algorithm
will be used to reduce the time taken for getwd() calls. This can have
a significant impact on performance, especially when the
widelinks parameter is set to False.
Default:
getwd cache = No
Example:
getwd cache = Yes
Synonym for "force group".
This is a username which will be used for access to services which are
specified as 'guest ok' (see below). Whatever
privileges this user has will be available to any client connecting to
the guest service. Typically this user will exist in the password
file, but will not have a valid login. The user account "ftp" is
often a good choice for this parameter. If a username is specified in
a given service, the specified username overrides this one.
On some systems the default guest account "nobody" may not be able to
print. Use another account in this case. You should test this by
trying to log in as your guest user (perhaps by using the "su -"
command) and trying to print using the system print command such as
lpr (1) or lp (1).
Default:
specified at compile time, usually "nobody"
Example:
guest account = ftp
If this parameter is 'yes' for a service, then no password is
required to connect to the service. Privileges will be those of the
guest account.
See the section below on security for more
information about this option.
Default:
guest ok = no
Example:
guest ok = yes
If this parameter is 'yes' for a service, then only guest
connections to the service are permitted. This parameter will have no
effect if "guest ok" or "public"
is not set for the service.
See the section below on security for more
information about this option.
Default:
guest only = no
Example:
guest only = yes
This is a boolean parameter that controls whether files starting with
a dot appear as hidden files.
Default:
hide dot files = yes
Example:
hide dot files = no
This is a list of files or directories that are not visible but are
accessible. The DOS 'hidden' attribute is applied to any files or
directories that match.
Each entry in the list must be separated by a '/', which allows
spaces to be included in the entry. '*' and '?' can be used
to specify multiple files or directories as in DOS wildcards.
Each entry must be a Unix path, not a DOS path and must not include the
Unix directory separator '/'.
Note that the case sensitivity option is applicable in hiding files.
Setting this parameter will affect the performance of Samba, as it
will be forced to check all files and directories for a match as they
are scanned.
See also "hide dot files", "veto
files" and "case sensitive".
Default:
No files or directories are hidden by this option (dot files are hidden by default because of the "hide dot files" option).
Example:
hide files = /.*/DesktopFolderDB/TrashFor%m/resource.frk/
The above example is based on files that the Macintosh SMB client
(DAVE) available from Thursby creates for
internal use, and also still hides all files beginning with a dot.
If "nis homedir" is true, and
smbd is also acting as a Win95/98 logon
server then this parameter specifies the NIS (or YP)
map from which the server for the user's home directory should be
extracted. At present, only the Sun auto.home map format is
understood. The form of the map is:
username server:/some/file/system
and the program will extract the servername from before the first
':'. There should probably be a better parsing system that copes
with different map formats and also Amd (another automounter) maps.
NB: A working NIS is required on the system for this option to work.
See also "nis homedir", domain
logons.
Default:
homedir map = auto.home
Example:
homedir map = amd.homedir
A synonym for this parameter is 'allow hosts'
This parameter is a comma, space, or tab delimited set of hosts which
are permitted to access a service.
If specified in the [global] section then it will
apply to all services, regardless of whether the individual service
has a different setting.
You can specify the hosts by name or IP number. For example, you could
restrict access to only the hosts on a Class C subnet with something
like "allow hosts = 150.203.5.". The full syntax of the list is
described in the man page hosts_access (5). Note that this man
page may not be present on your system, so a brief description will
be given here also.
Note that the localhost address 127.0.0.1 will always be allowed
access unless specifically denied by a "hosts deny" option.
You can also specify hosts by network/netmask pairs and by netgroup
names if your system supports netgroups. The EXCEPT keyword can also
be used to limit a wildcard list. The following examples may provide
some help:
Example 1: allow all IPs in 150.203.*.* except one
hosts allow = 150.203. EXCEPT 150.203.6.66
Example 2: allow hosts that match the given network/netmask
hosts allow = 150.203.15.0/255.255.255.0
Example 3: allow a couple of hosts
hosts allow = lapland, arvidsjaur
Example 4: allow only hosts in NIS netgroup "foonet", but
deny access from one particular host
hosts allow = @foonet
hosts deny = pirate
Note that access still requires suitable user-level passwords.
See testparm (1) for a way of testing your
host access to see if it does what you expect.
Default:
none (i.e., all hosts permitted access)
Example:
allow hosts = 150.203.5. myhost.mynet.edu.au
The opposite of 'hosts allow' - hosts listed
here are NOT permitted access to services unless the specific
services have their own lists to override this one. Where the lists
conflict, the 'allow' list takes precedence.
Default:
none (i.e., no hosts specifically excluded)
Example:
hosts deny = 150.203.4. badhost.mynet.edu.au
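To see how the hosts allow and hosts deny rules above combine, here is a small model of the decision, added as an example and not taken from the Samba source. It handles address prefixes, network/netmask pairs, host names and EXCEPT; netgroup (@name) entries are left out, and the treatment of a host that matches neither list is an assumption marked in the code.

```python
import ipaddress
import re


def _tokens(spec):
    """Split a comma, space or tab delimited host list."""
    return [t for t in re.split(r"[,\s]+", spec.strip()) if t]


def _match_one(pattern, ip, hostname):
    if pattern.upper() == "ALL":                      # hosts_access(5) wildcard
        return True
    if "/" in pattern:                                # network/netmask pair
        try:
            return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    if pattern.endswith("."):                         # address prefix such as "150.203."
        return ip.startswith(pattern)
    if pattern.startswith("."):                       # host name suffix, per hosts_access(5)
        return hostname.lower().endswith(pattern.lower())
    return pattern == ip or (hostname != "" and pattern.lower() == hostname.lower())


def list_match(tokens, ip, hostname):
    """True if the client matches the list; 'A EXCEPT B' means A but not B."""
    upper = [t.upper() for t in tokens]
    if "EXCEPT" in upper:
        cut = upper.index("EXCEPT")
        head, tail = tokens[:cut], tokens[cut + 1:]
    else:
        head, tail = tokens, []
    if not any(_match_one(p, ip, hostname) for p in head):
        return False
    return not (tail and list_match(tail, ip, hostname))


def allow_access(ip, hostname="", hosts_allow="", hosts_deny=""):
    allow, deny = _tokens(hosts_allow), _tokens(hosts_deny)
    if ip == "127.0.0.1":
        # localhost is always allowed unless a hosts deny entry covers it
        return not (deny and list_match(deny, ip, hostname))
    if not allow and not deny:
        return True                                   # default: all hosts permitted
    if allow and list_match(allow, ip, hostname):
        return True                                   # where the lists conflict, allow wins
    if deny and list_match(deny, ip, hostname):
        return False
    # Assumption (not spelled out on this page): with only an allow list, unlisted
    # hosts are refused; if a deny list is present, hosts matching neither list pass.
    return bool(deny)


if __name__ == "__main__":
    rule = "150.203. EXCEPT 150.203.6.66"             # Example 1 from the text
    for addr in ("150.203.5.1", "150.203.6.66", "192.0.2.1", "127.0.0.1"):
        print(addr, allow_access(addr, hosts_allow=rule))
```

Passing this check only admits the connection; as the text notes, access still requires suitable user-level passwords.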
If this global parameter is a non-null string, it specifies the name
of a file to read for the names of hosts and users who will be allowed
access without specifying a password.
This is not to be confused with hosts allow which
is about hosts access to services and is more useful for guest
services. hosts equiv may be useful for NT clients which will not
supply passwords to Samba.
NOTE: The use of hosts equiv can be a major security hole. This is
because you are trusting the PC to supply the correct username. It is
very easy to get a PC to supply a false username. I recommend that the
hosts equiv option be only used if you really know what you are
doing, or perhaps on a home network where you trust your spouse and
kids. And only if you really trust them :-).
Default:
No host equivalences
Example:
hosts equiv = /etc/hosts.equiv
This allows you to include one config file inside another. The file
is included literally, as though typed in place.
This option allows you to override the default network interfaces list
that Samba will use for browsing, name registration and other NBT
traffic. By default Samba will query the kernel for the list of all
active interfaces and use any interfaces except 127.0.0.1 that are
broadcast capable.
The option takes a list of interface strings. Each string can be in
any of the following forms:
The "mask" parameters can either be a bit length (such as 24 for a C
class network) or a full netmask in dotted decimal form.
The "IP" parameters above can either be a full dotted decimal IP
address or a hostname which will be looked up via the OS's normal
hostname resolution mechanisms.
For example, the following line:
interfaces = eth0 192.168.2.10/24 192.168.3.10/255.255.255.0
would configure three network interfaces corresponding to the eth0
device and IP addresses 192.168.2.10 and 192.168.3.10. The netmasks of
the latter two interfaces would be set to 255.255.255.0.
See also "bind interfaces only".
This is a list of users that should not be allowed to login to this
service. This is really a "paranoid" check to absolutely ensure an
improper setting does not breach your security.
A name starting with a '@' is interpreted as an NIS netgroup first
(if your system supports NIS), and then as a UNIX group if the name
was not found in the NIS netgroup database.
A name starting with '+' is interpreted only by looking in the
UNIX group database. A name starting with '&' is interpreted only
by looking in the NIS netgroup database (this requires NIS to be
working on your system). The characters '+' and '&' may be
used at the start of the name in either order so the value
"+&group" means check the UNIX group database, followed by the NIS
netgroup database, and the value "&+group" means check the NIS
netgroup database, followed by the UNIX group database (the same as
the '@' prefix).
The current servicename is substituted for
%S. This is useful in the [homes]
section.
See also "valid users".
Default:
No invalid users
Example:
invalid users = root fred admin @wheel
The value of the parameter (an integer) represents the number of
seconds between 'keepalive' packets. If this parameter is zero, no
keepalive packets will be sent. Keepalive packets, if sent, allow the
server to tell whether a client is still present and responding.
Keepalives should, in general, not be needed if the socket being used
has the SO_KEEPALIVE attribute set on it (see "socket
options"). Basically you should only use this option
if you strike difficulties.
Default:
keepalive = 0
Example:
keepalive = 60
For UNIX systems that support kernel based oplocks
(currently only IRIX but hopefully also Linux and FreeBSD soon) this
parameter allows the use of them to be turned on or off.
Kernel oplocks support allows Samba oplocks to be
broken whenever a local UNIX process or NFS operation accesses a file
that smbd has oplocked. This allows complete
data consistency between SMB/CIFS, NFS and local file access (and is a
very cool feature :-).
This parameter defaults to "On" on systems that have the support,
and "off" on systems that don't. You should never need to touch
this parameter.
See also the "oplocks" and "level2 oplocks"
parameters.
This parameter is part of the EXPERIMENTAL Samba support for a
password database stored on an LDAP server back-end. These options
are only available if your version of Samba was configured with
the --with-ldap option.
This parameter specifies an LDAP search filter used to search for a
user name in the LDAP database. It must contain the string
%u which will be replaced with the user being
searched for.
Default:
empty string.
This parameter is part of the EXPERIMENTAL Samba support for a
password database stored on an LDAP server back-end. These options
are only available if your version of Samba was configured with
the --with-ldap option.
This parameter specifies the TCP port number to use to contact
the LDAP server on.
Default:
ldap port = 389.
This parameter is part of the EXPERIMENTAL Samba support for a
password database stored on an LDAP server back-end. These options
are only available if your version of Samba was configured with
the --with-ldap option.
This parameter specifies the entity to bind to the LDAP server
as (essentially the LDAP username) in order to be able to perform
queries and modifications on the LDAP database.
See also ldap root passwd.
Default:
empty string (no user defined)
This parameter is part of the EXPERIMENTAL Samba support for a
password database stored on an LDAP server back-end. These options
are only available if your version of Samba was configured with
the --with-ldap option.
This parameter specifies the password for the entity to bind to the
LDAP server as (the password for this LDAP username) in order to be
able to perform queries and modifications on the LDAP database.
BUGS: This parameter should NOT be a readable parameter
in the smb.conf file and will be removed once a correct
storage place is found.
See also ldap root.
Default:
empty string.
This parameter is part of the EXPERIMENTAL Samba support for a
password database stored on an LDAP server back-end. These options
are only available if your version of Samba was configured with
the --with-ldap option.
This parameter specifies the DNS name of the LDAP server to use
for SMB/CIFS authentication purposes.
Default:
ldap server = localhost
This parameter is part of the EXPERIMENTAL Samba support for a
password database stored on an LDAP server back-end. These options
are only available if your version of Samba was configured with
the --with-ldap option.
This parameter specifies the "dn" or LDAP "distinguished name"
that tells smbd where to start from when searching
for an entry in the LDAP password database.
Default:
empty string.
This parameter (new in Samba 2.0.5) controls whether Samba supports
level2 (read-only) oplocks on a share. In Samba 2.0.4 this parameter
defaults to "False" as the code is new, but will default to "True"
in a later release.
Level2, or read-only oplocks allow Windows NT clients that have an
oplock on a file to downgrade from a read-write oplock to a read-only
oplock once a second client opens the file (instead of releasing all
oplocks on a second open, as in traditional, exclusive oplocks). This
allows all openers of the file that support level2 oplocks to cache
the file for read-ahead only (i.e. they may not cache writes or lock
requests) and increases performance for many accesses of files that
are not commonly written (such as application .EXE files).
Once one of the clients that has a read-only oplock writes to
the file, all clients are notified (no reply is needed or waited
for) and told to break their oplocks to "none" and delete any
read-ahead caches.
It is recommended that this parameter be turned on to speed access
to shared executables (and also to test the code :-).
For more discussions on level2 oplocks see the CIFS spec.
Currently, if "kernel oplocks" are supported
then level2 oplocks are not granted (even if this parameter is set
to "true"). Note also, the "oplocks" parameter must
be set to "true" on this share in order for this parameter to have any
effect.
See also the "oplocks" and "kernel oplocks" parameters.
Default:
level2 oplocks = False
Example:
level2 oplocks = True
This parameter determines if nmbd will produce
Lanman announce broadcasts that are needed by OS/2 clients in order
for them to see the Samba server in their browse list. This parameter
can have three values, "true", "false", or "auto". The
default is "auto". If set to "false" Samba will never produce
these broadcasts. If set to "true" Samba will produce Lanman
announce broadcasts at a frequency set by the parameter "lm
interval". If set to "auto" Samba will not send Lanman
announce broadcasts by default but will listen for them. If it hears
such a broadcast on the wire it will then start sending them at a
frequency set by the parameter "lm interval".
See also "lm interval".
Default:
lm announce = auto
Example:
lm announce = true
If Samba is set to produce Lanman announce broadcasts needed by
OS/2 clients (see the "lm announce"
parameter) then this parameter defines the frequency in seconds with
which they will be made. If this is set to zero then no Lanman
announcements will be made despite the setting of the "lm
ann