


SMB.CONF(5)                                           SMB.CONF(5)


NNAAMMEE
       smb.conf - configuration file for smbd

SSYYNNOOPPSSIISS
       ssmmbb..ccoonnff

DDEESSCCRRIIPPTTIIOONN
       The  ssmmbb..ccoonnff  file  is a configuration file for the Samba
       suite.

       ssmmbb..ccoonnff contains runtime  configuration  information  for
       the  ssmmbbdd  program.  The ssmmbbdd program provides LanManager-
       like services to clients using the SMB protocol.

FFIILLEE FFOORRMMAATT
       The file consists of sections and  parameters.  A  section
       begins with the name of the section in square brackets and
       continues until the next section begins. Sections  contain
       parameters of the form 'name = value'.

       The  file is line-based - that is, each newline-terminated
       line represents either a comment,  a  section  name  or  a
       parameter.

       Section and parameter names are not case sensitive.

       Only the first equals sign in a parameter is significant.
       Whitespace before or after the first equals sign is
       discarded. Leading, trailing and internal whitespace in
       section and parameter names is irrelevant. Leading and
       trailing whitespace in a parameter value is discarded.
       Internal whitespace within a parameter value is retained
       verbatim.

       Any  line  beginning  with  a semicolon is ignored, as are
       lines containing only whitespace.

       Any line ending in a \ is "continued" on the next line  in
       the customary UNIX fashion.

       The values following the equals sign in parameters are all
       either a string (no quotes needed) or a boolean, which may
       be given as yes/no, 0/1 or true/false. Case is not
       significant in boolean values, but is preserved in string
       values. Some items such as create modes are numeric.

SSEERRVVIICCEE DDEESSCCRRIIPPTTIIOONNSS
       Each  section  in  the configuration file describes a ser
       vice. The section name is the service name and the parame
       ters within the section define the service's attributes.

       There  are  three  special sections, [global], [homes] and
       [printers], which are described under 'special  sections'.
       The  following  notes  apply  to ordinary service descrip
       tions.



       A service consists of a directory to which access is being
       given  plus  a  description of the access rights which are
       granted to the user  of  the  service.  Some  housekeeping
       options are also specifiable.

       Services are either filespace services (used by the client
       as an extension of their native file systems) or printable
       services  (used  by the client to access print services on
       the host running the server).

       Services may be guest services, in which case no  password
       is  required  to access them. A specified guest account is
       used to define access privileges in this case.

       Services other than guest services will require a password
       to  access them. The client provides the username. As many
       clients only provide passwords and not usernames, you  may
       specify  a list of usernames to check against the password
       using the "user=" option in the service definition.

       Note that the access rights  granted  by  the  server  are
       masked  by  the  access rights granted to the specified or
       guest user by the host system. The server does  not  grant
       more access than the host system grants.

       The following sample section defines a file space service.
       The user has write access to the path /home/bar. The
       service is accessed via the service name "foo":

            [foo]
                 path = /home/bar
                 writable = true

       The  following sample section defines a printable service.
       The service is readonly, but printable. That is, the  only
       write  access permitted is via calls to open, write to and
       close a spool file. The 'guest ok' parameter means  access
       will  be  permitted  as  the default guest user (specified
       elsewhere):

            [aprinter]
                 path = /usr/spool/public
                 read only = true
                 printable = true
                 public = true

SSPPEECCIIAALL SSEECCTTIIOONNSS
   TThhee [[gglloobbaall]] sseeccttiioonn
          Parameters in this section apply to  the  server  as  a
          whole,  or  are  defaults  for  services  which  do not
          specifically define certain items. See the notes  under
          'Parameters' for more information.





   TThhee [[hhoommeess]] sseeccttiioonn
          If a section called 'homes' is included in the configu
          ration file, services connecting clients to their  home
          directories can be created on the fly by the server.

          When  the connection request is made, the existing ser
          vices are scanned. If a match is found, it is used.  If
          no  match  is  found,  the  requested  service  name is
          treated as a user name and looked up in the local pass
          words file. If the name exists and the correct password
          has been given, a service is  created  by  cloning  the
          [homes] section.

          Some  modifications  are then made to the newly created
          section:

             The service name is  changed  from  'homes'  to  the
             located username

             If  no path was given, the path is set to the user's
             home directory.

          If you decide to use a path= line in your [homes]
          section then you may find it useful to use the %S macro.
          For example path=/data/pchome/%S would be useful if you
          have different home directories for your PCs than for
          UNIX access.

          This is a fast and simple way to give a large number of
          clients access to their home directories with a minimum
          of fuss.

          A similar process occurs if the requested service  name
          is "homes", except that the service name is not changed
          to that of the requesting user. This  method  of  using
          the [homes] section works well if different users share
          a client PC.

          The [homes] section can specify all  the  parameters  a
          normal  service  section  can specify, though some make
          more sense than others. The following is a typical  and
          suitable [homes] section:

               [homes]
                    writable = yes

          An important point:

             If guest access is specified in the [homes] section,
             all home directories will be accessible to all
             clients without a password. In the very unlikely
             event that this is actually desirable, it would be
             wise to also specify read only access.
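
       The FILE FORMAT rules and the [homes] guest warning above,
       combined into a small configuration audit. This is an added
       example, not code from Samba: all function names are
       hypothetical, the sample file is constructed, and it assumes
       'public' is a synonym for 'guest ok', that 'writable',
       'writeable' and 'write ok' are inverted synonyms for 'read
       only', and that a share is read only and non-guest by default.

```python
import re

TRUE, FALSE = {"yes", "true", "1"}, {"no", "false", "0"}
# Synonym tables (assumed); the bool marks aliases with inverted meaning.
GUEST = {"guestok": False, "public": False}
READ_ONLY = {"readonly": False, "writable": True,
             "writeable": True, "writeok": True}

def norm(name):
    """Names are case-insensitive and whitespace inside them is irrelevant."""
    return re.sub(r"\s+", "", name).lower()

def parse_smb_conf(text):
    """Parse per FILE FORMAT into {section: {parameter: value}}."""
    logical, pending = [], ""
    for raw in text.splitlines():
        if raw.endswith("\\"):              # continued on the next line
            pending += raw[:-1]
            continue
        logical.append(pending + raw)
        pending = ""
    if pending:
        logical.append(pending)
    sections, current = {}, None
    for line in logical:
        line = line.strip()
        # Assumption: whitespace before the ';' of a comment is tolerated.
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = norm(line[1:-1])
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            raise ValueError(f"not a comment, section or parameter: {line!r}")
        name, value = line.split("=", 1)    # only the first '=' counts
        key = norm(name)
        sections[current].pop(key, None)    # keep last-assignment order
        sections[current][key] = value.strip()
    return sections

def as_bool(value):
    v = value.lower()                       # case is not significant
    if v not in TRUE | FALSE:
        raise ValueError(f"not a boolean: {value!r}")
    return v in TRUE

def effective(sections, service, aliases, default):
    """Service setting, else the [global] default, else `default`."""
    for scope in (service, "global"):
        params = sections.get(scope, {})
        for key in reversed(list(params)):  # last assignment wins
            if key in aliases:
                return as_bool(params[key]) != aliases[key]
    return default

def audit(sections):
    """Return (service, finding) pairs for settings the page warns about."""
    findings = []
    for name in sections:
        if name == "global":
            continue
        guest = effective(sections, name, GUEST, False)
        read_only = effective(sections, name, READ_ONLY, True)
        if name == "homes" and guest:
            findings.append((name, "guest access to home directories"
                             + ("" if read_only else ", writable")))
        admins = (sections[name].get("adminusers")
                  or sections.get("global", {}).get("adminusers"))
        if admins:
            findings.append((name, f"admin users act as root: {admins}"))
    return findings

SAMPLE = r"""; constructed sample, not taken from the man page
[global]
   Guest OK = Yes
   hosts allow = 150.203.5. \
myhost.mynet.edu.au
[homes]
   writable = yes
[ A Printer ]
   read only = true
[foo]
   public = no
   admin users = jason
   comment = a=b stays intact
"""

if __name__ == "__main__":
    for service, finding in audit(parse_smb_conf(SAMPLE)):
        print(f"[{service}] {finding}")
```

       In the sample, [homes] never mentions guest access itself;
       it inherits 'Guest OK = Yes' from [global], which is the
       case a per-section review misses.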




       Note that the browseable flag for auto home directories
       will be inherited from the global browseable flag, not the
       [homes] browseable flag. This is useful as it means
       setting browseable=no in the [homes] section will hide the
       [homes] service but make any auto home directories
       visible.


   TThhee [[pprriinntteerrss]] sseeccttiioonn
          This section works like [homes], but for printers.

          If a [printers] section occurs in the configuration
          file, users are able to connect to any printer
          specified in the local host's printcap file.

          When a connection request is made, the existing
          services are scanned. If a match is found, it is used. If
          no match is found, but a [homes] section exists, it is
          used as described above. Otherwise, the requested
          service name is treated as a printer name and the
          appropriate printcap file is scanned to see if the
          requested service name is a valid printer name. If a
          match is found, a new service is created by cloning the
          [printers] section.

          A few modifications are then made to the newly  created
          section:

             The service name is set to the located printer name

             If  no  printer  name was given, the printer name is
             set to the located printer name

             If the service does not permit guest access  and  no
             username  was  given,  the  username  is  set to the
             located printer name.

          Note that the [printers] service MUST be printable - if
          you  specify  otherwise, the server will refuse to load
          the configuration file.

          Typically the path specified would be that of a  world-
          writable spool directory with the sticky bit set on it.
          A typical [printers] entry would look like this:

               [printers]
                    path = /usr/spool/public
                    writable = no
                    public = yes
                    printable = yes

          All aliases given for a printer in the printcap file
          are legitimate printer names as far as the server is
          concerned. If your printing subsystem doesn't work like
          that, you will have to set up a pseudo-printcap. This
          is a file consisting of one or more lines like this:

                  alias|alias|alias|alias...

          Each alias should be an acceptable printer name for
          your printing subsystem. In the [global] section,
          specify the new file as your printcap. The server will
          then only recognise names found in your
          pseudo-printcap, which of course can contain whatever
          aliases you like. The same technique could be used
          simply to limit access to a subset of your local
          printers.

          An alias, by the way, is defined as any component of
          the first entry of a printcap record. Records are
          separated by newlines, components (if there are more
          than one) are separated by vertical bar symbols ("|").

PPAARRAAMMEETTEERRSS
       Parameters define the specific attributes of services.

       Some parameters are specific to the [global] section (eg.,
       security). Some parameters are usable in all sections
       (eg., create mode). All others are permissible only in
       normal sections. For the purposes of the following
       descriptions the [homes] and [printers] sections will be
       considered normal. The letter 'G' in parentheses
       indicates that a parameter is specific to the [global]
       section. The letter 'S' indicates that a parameter can be
       specified in a service specific section. Note that all S
       parameters can also be specified in the [global] section -
       in which case they will define the default behaviour for
       all services.

       Parameters are arranged here in alphabetical order -  this
       may  not create best bedfellows, but at least you can find
       them! Where there are synonyms, the preferred  synonym  is
       described, others refer to the preferred synonym.


   VVAARRIIAABBLLEE SSUUBBSSTTIITTUUTTIIOONNSS
       Many  of  the strings that are settable in the config file
       can take substitutions. For example  the  option  "path  =
       /tmp/%u" would be interpreted as "path = /tmp/john" if the
       user connected with the username john.

       These substitutions are mostly noted in  the  descriptions
       below,  but  there  are  some  general substitutions which
       apply whenever they might be relevant. These are:

       %S = the name of the current service, if any

       %P = the root directory of the current service, if any




       %u = user name of the current service, if any

       %g = primary group name of %u

       %U = session user name (the  user  name  that  the  client
       wanted, not necessarily the same as the one they got)

       %G = primary group name of %U

       %H = the home directory of the user given by %u

       %v = the Samba version

       %h = the hostname that Samba is running on

       %m = the netbios name of the client machine (very useful)

       %L  =  the  netbios name of the server. This allows you to
       change your config based on what  the  client  calls  you.
       Your server can have a "dual personality".

       %M = the internet name of the client machine

       %d = The process id of the current server process

       %a = the architecture of the remote machine. Only some are
       recognised, and those may not be 100% reliable. It
       currently recognises Samba, WfWg, WinNT and Win95. Anything
       else will be known as "UNKNOWN". If it gets it wrong then
       sending me a level 3 log should allow me to fix it.

       %I = The IP address of the client machine

       %T = the current date and time

       There are some quite creative things that can be done with
       these substitutions and other smb.conf options.


   NNAAMMEE MMAANNGGLLIINNGG
       Samba supports "name mangling" so  that  DOS  and  Windows
       clients  can  use files that don't conform to the 8.3 for
       mat. It can also be set to adjust the case of  8.3  format
       filenames.

       There are several options that control the way mangling is
       performed, and they are grouped here  rather  than  listed
       separately.  For  the  defaults  look at the output of the
       testparm program.

       All of these options can be set separately for each
       service (or globally, of course).

       The options are:



       "mangle case = yes/no" controls if names that have
       characters that aren't of the "default" case are mangled.
       For example, if this is yes then a name like "Mail" would
       be mangled. Default no.

       "case sensitive = yes/no" controls whether filenames are
       case sensitive. If they aren't then Samba must do a
       filename search and match on passed names. Default no.

       "default case = upper/lower"  controls  what  the  default
       case is for new filenames. Default lower.

       "preserve case = yes/no" controls if new files are created
       with the case that the  client  passes,  or  if  they  are
       forced to be the "default" case. Default no.

       "short preserve case = yes/no" controls if new files which
       conform to 8.3 syntax, that is all in upper  case  and  of
       suitable  length,  are  created upper case, or if they are
       forced to be the "default" case. This option can be used
       with "preserve case = yes" to permit long filenames to
       retain their case, while short names are lowered. Default
       no.


   CCOOMMPPLLEETTEE LLIISSTT OOFF GGLLOOBBAALL PPAARRAAMMEETTEERRSS
       Here  is  a list of all global parameters. See the section
       of each parameter for details.  Note that  some  are  syn
       onyms.

       auto services

       config file

       deadtime

       debuglevel

       default

       default service

       dfree command

       domain master

       encrypt passwords

       getwd cache

       hosts equiv

       include




       keepalive

       lock dir

       load printers

       lock directory

       log file

       log level

       lpq cache time

       mangled stack

       max log size

       max packet

       max xmit

       message command

       null passwords

       os level

       packet size

       passwd chat

       passwd program

       password level

       password server

       preferred master

       preload

       printing

       printcap name

       protocol

       read bmpx

       read prediction

       read raw




       read size

       remote announce

       root

       root dir

       root directory

       security

       server string

       smbrun

       socket address

       socket options

       status

       strip dot

       time offset

       username map

       use rhosts

       valid chars

       workgroup

       write raw


   CCOOMMPPLLEETTEE LLIISSTT OOFF SSEERRVVIICCEE PPAARRAAMMEETTEERRSS
       Here  is a list of all service parameters. See the section
       of each parameter for details. Note  that  some  are  syn
       onyms.

       admin users

       allow hosts

       alternate permissions

       available

       browseable

       case sensitive




       case sig names

       copy

       create mask

       create mode

       comment

       default case

       delete readonly

       deny hosts

       directory

       dont descend

       exec

       fake oplocks

       force group

       force user

       guest account

       guest ok

       guest only

       hide dot files

       hosts allow

       hosts deny

       invalid users

       locking

       lppause command

       lpq command

       lpresume command

       lprm command

       magic output




       magic script

       mangle case

       mangled names

       mangling char

       map archive

       map hidden

       map system

       max connections

       min print space

       only guest

       only user

       path

       postexec

       postscript

       preserve case

       print command

       printer driver

       print ok

       printable

       printer

       printer name

       public

       read only

       read list

       revalidate

       root postexec

       root preexec




       set directory

       share modes

       short preserve case

       strict locking

       sync always

       user

       username

       users

       valid users

       volume

       wide links

       writable

       write ok

       writeable

       write list


   EEXXPPLLAANNAATTIIOONN OOFF EEAACCHH PPAARRAAMMEETTEERR
   aaddmmiinn uusseerrss ((GG))
       This is a list of users who will be granted administrative
       privileges on the share. This means that they will do  all
       file operations as the super-user (root).

       You  should use this option very carefully, as any user in
       this list will be able to do anything  they  like  on  the
       share, irrespective of file permissions.

       DDeeffaauulltt::      no admin users

       EExxaammppllee::      admin users = jason


   aauuttoo sseerrvviicceess ((GG))
       This  is  a list of services that you want to be automati
       cally added to the browse lists. This is most  useful  for
       homes  and  printers  services that would otherwise not be
       visible.

       Note that if you just want all printers in  your  printcap
       file loaded then the "load printers" option is easier.



       DDeeffaauulltt::      no auto services

       EExxaammppllee::      auto services = fred lp colorlp


   aallllooww hhoossttss ((SS))
       A synonym for this parameter is 'hosts allow'.

       This parameter is a comma delimited set of hosts which are
       permitted to access a service. If specified in the
       [global] section, matching hosts will be allowed access to
       any service that does not specifically exclude them from
       access. Specific services may have their own list, which
       overrides those specified in the [global] section.

       You can specify the hosts by name or IP number. For
       example, you could restrict access to only the hosts on a
       Class C subnet with something like "allow hosts =
       150.203.5.". The full syntax of the list is described in
       the man page hosts_access(5).

       You can also specify hosts by network/netmask pairs and by
       netgroup  names  if  your  system  supports netgroups. The
       EXCEPT keyword can also be used to limit a wildcard  list.
       The following examples may provide some help:

       Example 1: allow all IPs in 150.203.*.* except one

            hosts allow = 150.203. EXCEPT 150.203.6.66

       Example 2: allow hosts that match the given
       network/netmask

            hosts allow = 150.203.15.0/255.255.255.0

       Example 3: allow a couple of hosts

            hosts allow = lapland, arvidsjaur

       Example 4: allow only hosts in netgroup "foonet" or
       localhost, but deny access from one particular host

            hosts allow = @foonet, localhost
            hosts deny = pirate

       Note that access still requires suitable user-level
       passwords.

       See testparm(1) for a way of testing your host access to
       see if it does what you expect.

       Default:
            none (i.e., all hosts permitted access)




       EExxaammppllee::
            allow hosts = 150.203.5. myhost.mynet.edu.au


   aalltteerrnnaattee ppeerrmmiissssiioonnss ((SS))
       This  option affects the way the "read only" DOS attribute
       is produced for UNIX files. If this is false then the read
       only  bit  is  set for files on writeable shares which the
       user cannot write to.

       If this is true then it is set for files whose user write
       bit is not set.

       The latter behaviour is useful for when users copy files
       from each other's directories, and use a file manager that
       preserves permissions. Without this option they may get
       annoyed as all copied files will have the "read only" bit
       set.

       Default:      alternate permissions = no

       Example:      alternate permissions = yes


   aavvaaiillaabbllee ((SS))
       This  parameter  lets you 'turn off' a service. If 'avail
       able = no', then ALL attempts to connect  to  the  service
       will fail. Such failures are logged.

       DDeeffaauulltt::
            available = yes

       EExxaammppllee::
            available = no

   bbrroowwsseeaabbllee ((SS))
       This  controls  whether  this share is seen in the list of
       available shares in a net view and in the browse list.

       DDeeffaauulltt::      browseable = Yes

       EExxaammppllee::      browseable = No


   ccaassee ssiigg nnaammeess ((GG))
       See "case sensitive"


   ccoommmmeenntt ((SS))
       This is a text field that is seen when a client does a net
       view  to  list  what shares are available. It will also be
       used when browsing is fully supported.

       DDeeffaauulltt::      No comment string



       EExxaammppllee::      comment = Fred's Files


   ccoonnffiigg ffiillee ((GG))
       This allows you  to  override  the  config  file  to  use,
       instead  of  the  default  (usually  smb.conf). There is a
       chicken and egg problem here as this option is set in  the
       config file!

       For  this  reason,  if  the  name  of  the config file has
       changed when the parameters are loaded then it will reload
       them from the new config file.

       This  option  takes  the usual substitutions, which can be
       very useful.

       If the config file doesn't exist then it won't  be  loaded
       (allowing  you  to special case the config files of just a
       few clients).

       EExxaammppllee::                config           file            =
       /usr/local/samba/lib/smb.conf.%m


   ccooppyy ((SS))
       This  parameter allows you to 'clone' service entries. The
       specified service is simply duplicated under  the  current
       service's  name.  Any  parameters specified in the current
       section will override those in the section being copied.

       This feature lets you set up a 'template' service and
       create similar services easily. Note that the service being
       copied must occur earlier in the configuration file than
       the service doing the copying.

       Default:
            none

       Example:
            copy = otherservice

   create mask (S)
       A synonym for this parameter is 'create mode'.

       This parameter is the octal modes which are used when
       converting DOS modes to UNIX modes.

       Note that Samba will OR this value with 0700 as you must
       have at least user read, write and execute for Samba to
       work properly.

       Default:
            create mask = 0755




       EExxaammppllee::
            create mask = 0775

   ccrreeaattee mmooddee ((SS))
       See ccrreeaattee mmaasskk..

   ddeeaadd ttiimmee ((GG))
       The value of the parameter (a decimal integer)  represents
       the number of minutes of inactivity before a connection is
       considered dead, and it is disconnected. The deadtime only
       takes effect if the number of open files is zero.

       This   is  useful  to  stop  a  server's  resources  being
       exhausted by a large number of inactive connections.

       Most clients have an auto-reconnect feature when a
       connection is broken so in most cases this parameter
       should be transparent to users.

       Using this parameter with a timeout of a  few  minutes  is
       recommended for most systems.

       A  deadtime  of  zero indicates that no auto-disconnection
       should be performed.

       DDeeffaauulltt::
            dead time = 0

       EExxaammppllee::
            dead time = 15

   ddeebbuugg lleevveell ((GG))
       The value of the parameter (an integer) allows  the  debug
       level  (logging  level)  to  be  specified in the ssmmbb..ccoonnff
       file. This is to give greater flexibility in the  configu
       ration of the system.

       The  default will be the debug level specified on the com
       mand line.

       EExxaammppllee::
            debug level = 3

   ddeeffaauulltt ((GG))
       See ddeeffaauulltt sseerrvviiccee..

   ddeeffaauulltt ccaassee ((SS))
       See the section on "NAME MANGLING" Also note the  addition
       of "short preserve case"


   ddeeffaauulltt sseerrvviiccee ((GG))
       A synonym for this parameter is 'default'.




       This  parameter specifies the name of a service which will
       be connected to if the service actually  requested  cannot
       be  found.  Note that the square brackets are NOT given in
       the parameter value (see example below).

       There is no default value for this parameter. If this
       parameter is not given, attempting to connect to a
       nonexistent service results in an error.

       Typically the default service would be a public, read-only
       service.

       Also note that as of 1.9.14 the apparent service name will
       be changed to equal that of the requested service. This is
       very useful as it allows you to use macros like %S to make
       a wildcard service.

       Note also that any _ characters in the name of the service
       used  in  the default service will get mapped to a /. This
       allows for interesting things.


       EExxaammppllee::
            default service = pub

               [pub]
                    path = /%S



   ddeelleettee rreeaaddoonnllyy ((SS))
       This parameter allows readonly files to be deleted.   This
       is not normal DOS semantics, but is allowed by UNIX.

       This option may be useful for running applications such as
       rcs, where UNIX file ownership prevents changing file per
       missions,  and  DOS  semantics  prevent deletion of a read
       only file.

       DDeeffaauulltt::
            delete readonly = No

       EExxaammppllee::
            delete readonly = Yes

   ddeennyy hhoossttss ((SS))
       A synonym for this parameter is 'hosts deny'.

       The opposite of 'allow hosts' - hosts listed here are  NOT
       permitted  access to services unless the specific services
       have their own lists to override this one. Where the lists
       conflict, the 'allow' list takes precedence.

       DDeeffaauulltt::



smb.conf                     smb.conf                          17





SMB.CONF(5)                                           SMB.CONF(5)


            none (i.e., no hosts specifically excluded)

       EExxaammppllee::
            deny hosts = 150.203.4. badhost.mynet.edu.au
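
       The list syntax from the 'allow hosts' examples and the
       allow-over-deny precedence stated above, as a simplified
       IPv4-only model for reviewing a pair of lists. This is an
       added example, not Samba's own matching code: function names
       are hypothetical, host names and @netgroups are not resolved,
       and the outcome for an "unlisted" client is left for
       testparm(1) to confirm.

```python
import ipaddress
import re


def split_list(value):
    """Host lists are comma delimited; the page's examples also use spaces."""
    return [t for t in re.split(r"[,\s]+", value.strip()) if t]


def match_one(pattern, ip):
    """Match one list entry against an IPv4 client address."""
    if "/" in pattern:                       # network/netmask pair
        return ip in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):                # leading part, e.g. "150.203.5."
        return str(ip).startswith(pattern)
    try:
        return ip == ipaddress.ip_address(pattern)
    except ValueError:
        # Host names and @netgroups need name services; not modelled here.
        return False


def list_matches(tokens, ip):
    """'A EXCEPT B' matches when A matches and B does not."""
    for i, token in enumerate(tokens):
        if token.upper() == "EXCEPT":
            return (list_matches(tokens[:i], ip)
                    and not list_matches(tokens[i + 1:], ip))
    return any(match_one(t, ip) for t in tokens)


def classify(allow, deny, client_ip):
    """Return which list, if any, decides for this client."""
    ip = ipaddress.ip_address(client_ip)
    if list_matches(split_list(allow), ip):
        return "allow"        # the allow list wins where the lists conflict
    if list_matches(split_list(deny), ip):
        return "deny"
    return "unlisted"


# Constructed cases built from the addresses used in the page's examples.
CASES = [
    ("150.203. EXCEPT 150.203.6.66", "", "150.203.6.66"),
    ("150.203.", "150.203.6.66", "150.203.6.66"),
    ("150.203.15.0/255.255.255.0", "", "150.203.15.9"),
    ("", "150.203.4. badhost.mynet.edu.au", "150.203.4.20"),
]

if __name__ == "__main__":
    for allow, deny, client in CASES:
        print(f"{client:15} allow={allow!r} deny={deny!r} -> "
              f"{classify(allow, deny, client)}")
```

       The second case is the one to look for in a review: a deny
       entry for a host that the allow list also covers has no
       effect, so the exclusion has to be written with EXCEPT.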

   ddffrreeee ccoommmmaanndd ((GG))
       The  dfree  command setting should only be used on systems
       where a problem occurs with the internal disk space calcu
       lations.  This  has  been known to happen with Ultrix, but
       may occur with other operating systems. The  symptom  that
       was  seen  was an error of "Abort Retry Ignore" at the end
       of each directory listing.

       This setting allows the replacement of the  internal  rou
       tines  to calculate the total disk space and amount avail
       able with an external routine. The example below  gives  a
       possible script that might fulfill this function.

       The  external  program  will  be passed a single parameter
       indicating a directory in the  filesystem  being  queried.
       This will typically consist of the string "./". The script
       should return two integers in ascii. The first  should  be
       the  total  disk space in blocks, and the second should be
       the number of available blocks. An optional  third  return
       value can give the block size in bytes. The default block
       size is 1024 bytes.

       Note: Your script should  NOT  be  setuid  or  setgid  and
       should be owned by (and writable only by) root!

       DDeeffaauulltt::
            By default internal routines for determining the disk
       capacity and remaining space will be used.

       EExxaammppllee::
            dfree command = /usr/local/samba/bin/dfree

            Where the script  dfree  (which  must  be  made  exe
       cutable) could be

            #!/bin/sh
            df $1 | tail -1 | awk '{print $2" "$4}'

            or perhaps (on Sys V)

            #!/bin/sh
            /usr/bin/df -k $1 | tail -1 | awk '{print $3" "$5}'

            Note  that  you may have to replace the command names
       with full path names on some systems.

   ddiirreeccttoorryy ((SS))
       See ppaatthh..






   ddoommaaiinn mmaasstteerr ((GG))
       Enable  WAN-wide  browse  list  collation.   Local  master
       browsers  on  broadcast-isolated  subnets  will give samba
       their local browse lists, and ask for a complete  copy  of
       the  browse list for the whole wide area network.  Browser
       clients will then contact their local master browser,  and
       will  receive the domain-wide browse list, instead of just
       the list for their broadcast-isolated subnet.

       DDeeffaauulltt::
            domain master = no


   ddoonntt ddeesscceenndd ((SS))
       There are certain directories on some  systems  (eg.,  the
       /proc tree under Linux) that are either not of interest to
       clients or are infinitely deep (recursive). This parameter
       allows  you  to specify a comma-delimited list of directo
       ries that the server should always show as empty.

       Note that Samba can be very fussy about the  exact  format
       of  the  "dont  descend" entries. For example you may need
       "./proc" instead of just "/proc". Experimentation  is  the
       best policy :-)

       DDeeffaauulltt::
            none (i.e., all directories are OK to descend)

       EExxaammppllee::
            dont descend = /proc,/dev


   eennccrryypptt ppaasssswwoorrddss ((GG))
       This  boolean controls whether encrypted passwords will be
       negotiated with the client. Note that this option  has  no
       effect  if  you  haven't  compiled  in  the  necessary des
       libraries and encryption code. It defaults to no.


   eexxeecc ((SS))
       This is an alias for preexec



   ffoorrccee ggrroouupp ((SS))
       This specifies a group name that all connections  to  this
       service  should be made as. This may be useful for sharing
       files.

       DDeeffaauulltt::
              no forced group

       EExxaammppllee::
              force group = agroup





   ffoorrccee uusseerr ((SS))
       This specifies a user name that all  connections  to  this
       service  should be made as. This may be useful for sharing
       files. You should also use it carefully as using it incor
       rectly can cause security problems.

       This  user name only gets used once a connection is estab
       lished. Thus clients still need to connect as a valid user
       and  supply  a  valid  password.  Once connected, all file
       operations will be performed as  the  "forced  user",  not
       matter what username the client connected as.

       DDeeffaauulltt::
              no forced user

       EExxaammppllee::
              force user = auser


   gguueesstt aaccccoouunntt ((SS))
       This  is  a username which will be used for access to ser
       vices which are specified as 'guest ok' (see below). What
       ever  privileges  this  user  has will be available to any
       client connecting to the  guest  service.  Typically  this
       user  will exist in the password file, but will not have a
       valid login. If a username is specified in  a  given  ser
       vice, the specified username overrides this one.

       One  some  systems the account "nobody" may not be able to
       print. Use another account in this case. You  should  test
       this  by  trying  to log in as your guest user (perhaps by
       using the "su -" command) and trying to print using llpprr.

       Note that as of version 1.9 of Samba this  option  may  be
       set differently for each service.

       DDeeffaauulltt::
            specified at compile time

       EExxaammppllee::
            guest account = nobody

   ggeettwwdd ccaacchhee ((GG))
       This  is  a tuning option. When this is enabled a cacheing
       algorithm will be  used  to  reduce  the  time  taken  for
       getwd()  calls. This can have a significant impact on per
       formance, especially when widelinks is False.

       DDeeffaauulltt::
            getwd cache = No

       EExxaammppllee::
            getwd cache = Yes






   gguueesstt ookk ((SS))
       See ppuubblliicc..

   gguueesstt oonnllyy ((SS))
       If this parameter is 'yes' for a service, then only  guest
       connections  to  the service are permitted. This parameter
       will have no affect if "guest ok" or "public" is  not  set
       for the service.

       See the section below on user/password validation for more
       information about this option.

       DDeeffaauulltt::
            guest only = no

       EExxaammppllee::
            guest only = yes

   hhiiddee ddoott ffiilleess ((SS))
       This is a boolean parameter that  controls  whether  files
       starting with a dot appear as hidden files.

       DDeeffaauulltt::      hide dot files = yes

       EExxaammppllee::      hide dot files = no

   hhoossttss aallllooww ((SS))
       See aallllooww hhoossttss..

   hhoossttss ddeennyy ((SS))
       See ddeennyy hhoossttss..


   ggrroouupp ((SS))
       This  is  an  alias for "force group" and is only kept for
       compatibility with  old  versions  of  Samba.  It  may  be
       removed in future versions.


   hhoossttss eeqquuiivv ((GG))
       If  this  global parameter is a non-null string, it speci
       fies the name of a file to read for the names of hosts and
       users  who  will  be  allowed  access without specifying a
       password.

       This is not be confused with aallllooww hhoossttss  which  is  about
       hosts access to services and is more useful for guest ser
       vices.  hhoossttss eeqquuiivv may be useful  for  NT  clients  which
       will not supply passwords to samba.

       NOTE: The use of hosts.equiv can be a major security hole.
       This is because you are trusting the PC to supply the cor
       rect  username.  It  is  very easy to get a PC to supply a
       false username. I recommend that the hosts.equiv option be



smb.conf                     smb.conf                          21





SMB.CONF(5)                                           SMB.CONF(5)


       only  used  if you really know what you are doing, or per
       haps on a home network where you trust your wife and  kids
       :-)

       DDeeffaauulltt      No host equivalences

       EExxaammppllee      hosts equiv = /etc/hosts.equiv


   iinntteerrffaacceess ((GG))
       This  option  allows  you to setup multiple network inter
       faces, so that Samba can properly handle browsing  on  all
       interfaces.

       The  option  takes a list of ip/netmask pairs. The netmask
       may either be a bitmask, or a bitlength.

       For example, the following line:

       interfaces = 192.168.2.10/24 192.168.3.10/24

       would configure two network interfaces with  IP  addresses
       192.168.2.10 and 192.168.3.10. The netmasks of both inter
       faces would be set to 255.255.255.0.

       You could produce an equivalent result by using:

       interfaces          =           192.168.2.10/255.255.255.0
       192.168.3.10/255.255.255.0

       if you prefer that format.

       If  this option is not set then Samba will attempt to find
       a primary interface, but won't attempt to  configure  more
       than one interface.


   iinnvvaalliidd uusseerrss ((SS))
       This  is  a  list  of  users that should not be allowed to
       login to this service. This is really a  "paranoid"  check
       to  absolutely  ensure an improper setting does not breach
       your security.

       A name starting with @ is interpreted as a UNIX group.

       The current servicename is substituted  for  %S.  This  is
       useful in the [homes] section.

       See also "valid users".

       Default:      No invalid users

       Example:      invalid users = root fred admin @wheel






   iinncclluuddee ((GG))
       This allows you to include one config file inside another.
       The file is included literally, as though typed in  place.

       It takes the standard substitutions, except %u, %P and %S


   kkeeeepp aalliivvee ((GG))
       The  value  of  the  parameter (an integer) represents the
       number of seconds between  'keepalive'  packets.  If  this
       parameter  is  zero,  no  keepalive  packets will be sent.
       Keepalive packets, if  sent,  allow  the  server  to  tell
       whether a client is still present and responding.

       Keepalives should, in general, not be needed if the socket
       being used has the SO_KEEPALIVE attribute set on  it  (see
       "socket  options").  Basically  you  should  only use this
       option if you strike difficulties.

       DDeeffaauulltt::
            keep alive = 0

       EExxaammppllee::
            keep alive = 60

   llooaadd pprriinntteerrss ((GG))
       A boolean variable that controls whether all  printers  in
       the printcap will be loaded for browsing by default.

       DDeeffaauulltt::      load printers = no

       EExxaammppllee::      load printers = yes


   lloocckk ddiirreeccttoorryy ((GG))
       This options specifies the directory where lock files will
       be placed.  The lock files are used to implement the  "max
       connections" option.

       DDeeffaauulltt::      lock directory = /tmp/samba

       EExxaammppllee::      lock directory = /usr/local/samba/var/locks

   lloocckkiinngg ((SS))
       This  controls whether or not locking will be performed by
       the server in response to lock requests from the client.

       If "locking = no",  all  lock  and  unlock  requests  will
       appear  to succeed and all lock queries will indicate that
       the queried lock is clear.

       If "locking = yes", real locking will be performed by  the
       server.






       This  option  may  be  particularly  useful  for read-only
       filesystems which do  not  need  locking  (such  as  cdrom
       drives).

       Be careful about disabling locking either globally or in a
       specific service, as lack of locking may  result  in  data
       corruption.

       DDeeffaauulltt::
            locking = yes

       EExxaammppllee::
            locking = no


   lloogg ffiillee ((GG))
       This  options allows you to override the name of the Samba
       log file (also known as the debug file).

       This option takes the standard substitutions, allowing you
       to have separate log files for each user or machine.

       EExxaammppllee::      log file = /usr/local/samba/var/log.%m


   lloogg lleevveell ((GG))
       see "debug level"


   llppppaauussee ccoommmmaanndd ((SS))
       This parameter specifies the command to be executed on the
       server host in order to stop printing or spooling  a  spe
       cific print job.

       This  command  should be a program or script which takes a
       printer name and job number to pause the print  job.  Cur
       rently  I  don't know of any print spooler system that can
       do this with a simple option, except for  the  PPR  system
       from  Trinity College (ppr-dist.trincoll.edu/pub/ppr). One
       way of implementing this is by using job priorities, where
       jobs  having  a  too  low  priority  won't  be sent to the
       printer. See also the llppppaauussee command.

       If a %p is given then the printername is put in its place.
       A  %j  is  replaced  with the job number (an integer).  On
       HPUX (see printing=hpux), if the -p%p option is  added  to
       the  lpq  command,  the  job will show up with the correct
       status, i.e. if the job priority is  lower  than  the  set
       fence  priority it will have the PAUSED status, whereas if
       the priority is equal or higher it will have  the  SPOOLED
       or PRINTING status.

       Note that it is good practice to include the absolute path
       in the lppause command as the PATH may not be available to



smb.conf                     smb.conf                          24





SMB.CONF(5)                                           SMB.CONF(5)


       the server.

       DDeeffaauulltt::
               Currently no default value is given to this string

       EExxaammppllee ffoorr HHPPUUXX::
               lppause command = /usr/bin/lpalt %p-%j -p0


   llppqq ccaacchhee ttiimmee ((GG))
       This controls how long lpq info will be cached for to pre
       vent  the  lpq  command being called too often. A separate
       cache is kept for each variation of the lpq  command  used
       by  the  system,  so if you use different lpq commands for
       different users then they won't share cache information.

       The cache files are stored in /tmp/lpq.xxxx where xxxx  is
       a hash of the lpq command in use.

       The default is 10 seconds, meaning that the cached results
       of a previous identical lpq command will be  used  if  the
       cached data is less than 10 seconds old. A large value may
       be advisable if your lpq command is very slow.

       A value of 0 will disable caching completely.

       Default:      lpq cache time = 10

       Example:      lpq cache time = 30


   llppqq ccoommmmaanndd ((SS))
       This parameter specifies the command to be executed on the
       server  host in order to obtain "lpq"-style printer status
       information.

       This command should be a program or script which  takes  a
       printer  name  as  its  only parameter and outputs printer
       status information.

       Currently six styles of  printer  status  information  are
       supported;  BSD, SYSV, AIX, HPUX, QNX, LPRNG and PLP. This
       covers most  UNIX  systems.  You  control  which  type  is
       expected using the "printing =" option.

       Some clients (notably Windows for Workgroups) may not
       correctly send the connection number for the printer they are
       requesting status information about. To get around this,
       the server reports on the first printer service connected
       to by the client. This only happens if the connection
       number sent is invalid.

       If a %p is given then the printername is put in its place.
       Otherwise it is placed at the end of the command.





       Note that it is good practice to include the absolute path
       in the lpq command as the PATH may not be available to the
       server.

       DDeeffaauulltt::
               depends on the setting of "printing ="

       EExxaammppllee::
            lpq command = /usr/bin/lpq %p


   llpprreessuummee ccoommmmaanndd ((SS))
       This parameter specifies the command to be executed on the
       server host in order to restart or  continue  printing  or
       spooling a specific print job.

       This  command  should be a program or script which takes a
       printer name and job number to resume the print  job.  See
       also the lppause command.

       If a %p is given then the printername is put in its place.
       A %j is replaced with the job number (an integer).

       Note that it is good practice to include the absolute path
       in  the  lpresume command as the PATH may not be available
       to the server.

       DDeeffaauulltt::
               Currently no default value is given to this string

       EExxaammppllee ffoorr HHPPUUXX::
               lpresume command = /usr/bin/lpalt %p-%j -p2


   llpprrmm ccoommmmaanndd ((SS))
       This parameter specifies the command to be executed on the
       server host in order to delete a print job.

       This command should be a program or script which  takes  a
       printer name and job number, and deletes the print job.

       Currently  seven  styles of printer control are supported;
       BSD, SYSV, AIX, HPUX, QNX, LPRNG and PLP. This covers most
       UNIX systems. You control which type is expected using the
       "printing =" option.

       If a %p is given then the printername is put in its place.
       A %j is replaced with the job number (an integer).

       Note that it is good practice to include the absolute path
       in the lprm command as the PATH may not  be  available  to
       the server.

       DDeeffaauulltt::



smb.conf                     smb.conf                          26





SMB.CONF(5)                                           SMB.CONF(5)


               depends on the setting of "printing ="

       EExxaammppllee 11::
            lprm command = /usr/bin/lprm -P%p %j

       EExxaammppllee 22::
            lprm command = /usr/bin/cancel %p-%j


   mmaaggiicc oouuttppuutt ((SS))
       This  parameter  specifies  the  name of a file which will
       contain output created by a magic script (see _m_a_g_i_c _s_c_r_i_p_t
       below).

       Warning:  If  two clients use the same magic script in the
       same directory  the  output  file  content  is  undefined.
       DDeeffaauulltt::
            magic output = <magic script name>.out

       EExxaammppllee::
            magic output = myfile.txt

   mmaaggiicc ssccrriipptt ((SS))
       This  parameter  specifies  the  name  of a file which, if
       opened, will be executed by the server when  the  file  is
       closed.  This allows a UNIX script to be sent to the Samba
       host and executed on behalf of the connected user.

       Scripts executed in this way will be deleted upon  comple
       tion, permissions permitting.

       If the script generates output, output will be sent to the
       file specified by the _m_a_g_i_c _o_u_t_p_u_t parameter (see  above).

       Note that some shells are unable to interpret scripts con
       taining carriage-return-linefeed instead  of  linefeed  as
       the  end-of-line  marker. Magic scripts must be executable
       "as is" on the host, which for some hosts and some  shells
       will require filtering at the DOS end.

       Magic  scripts  are  EXPERIMENTAL and should NOT be relied
       upon.

       DDeeffaauulltt::
            None. Magic scripts disabled.

       EExxaammppllee::
            magic script = user.csh

   mmaanngglleedd mmaapp ((SS))
       This is for those who want to directly map UNIX file names
       which are not representable on DOS.  The mangling of names
       is not always what is needed.  In particular you may  have
       documents with file extensions that differ between DOS and



smb.conf                     smb.conf                          27





SMB.CONF(5)                                           SMB.CONF(5)


       UNIX. For example, under UNIX it is common  to  use  .html
       for  HTML  files,  whereas under DOS .htm is more commonly
       used.

       So to map 'html' to 'htm' you put:

         mangled map = (*.html *.htm)

       One very useful case is to remove the annoying ;1 off  the
       ends  of filenames on some CDROMS (only visible under some
       UNIXes). To do this use a map of (*;1 *)

       ddeeffaauulltt::      no mangled map

       EExxaammppllee::      mangled map = (*;1 *)


   mmaannggllee ccaassee ((SS))
       See the section on "NAME MANGLING"


   mmaanngglleedd nnaammeess ((SS))
       This controls whether non-DOS names under UNIX  should  be
       mapped  to DOS-compatible names ("mangled") and made visi
       ble, or whether non-DOS names should simply be ignored.

       See the section on "NAME MANGLING" for details on  how  to
       control the mangling process.

       If mangling is used then the mangling algorithm is as
       follows:
              - the first (up to) five alphanumeric characters
              before the rightmost dot of the filename are
              preserved, forced to upper case, and appear as the
              first (up to) five characters of the mangled name.

              - a tilde ("~") is appended to the first part of
              the mangled name, followed by a two-character
              unique sequence, based on the original root name
              (i.e., the original filename minus its final
              extension). The final extension is included in the hash
              calculation only if it contains any upper case
              characters or is longer than three characters.

              Note that the character to use may be specified
              using the "mangling char" option, if you don't like
              ~.

              - the first three alphanumeric characters of the
              final extension are preserved, forced to upper case
              and appear as the extension of the mangled name.
              The final extension is defined as that part of the
              original filename after the rightmost dot. If there
              are no dots in the filename, the mangled name will
              have no extension (except in the case of hidden
              files - see below).

              -  files  whose UNIX name begins with a dot will be
              presented as DOS hidden  files.  The  mangled  name
              will  be  created  as for other filenames, but with
              the leading dot removed and "___" as its  extension
              regardless  of  actual  original  extension (that's
              three underscores).

       The two-digit hash value consists of upper case
       alphanumeric characters.

       This algorithm can cause name collisions only if files in
       a directory share the same first five alphanumeric
       characters. The probability of such a clash is 1/1300.

       The name mangling (if enabled) allows a file to be copied
       between UNIX directories from DOS while retaining the long
       UNIX filename. UNIX files can be renamed to a new
       extension from DOS and will retain the same basename. Mangled
       names do not change between sessions.

       DDeeffaauulltt::
            mangled names = yes

       EExxaammppllee::
            mangled names = no
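
       The mangling steps listed above, as an added Python sketch
       (not Samba's code). The manual does not give the hash
       function, so stand_in_hash is a labelled placeholder that only
       yields two upper case alphanumeric characters; all function
       and parameter names are assumptions.

```python
import string

ALNUM = set(string.ascii_letters + string.digits)
BASE36 = string.digits + string.ascii_uppercase
# 36 * 36 = 1296 possible two-character values, hence "about 1/1300".
HASH_SPACE = len(BASE36) ** 2


def stand_in_hash(text):
    """ASSUMPTION: placeholder for Samba's hash, which the manual does not give."""
    value = 0
    for ch in text:
        value = (value * 31 + ord(ch)) % HASH_SPACE
    return BASE36[value // 36] + BASE36[value % 36]


def mangle(unix_name, mangling_char="~"):
    """Build a mangled name following the steps under 'mangled names'."""
    hidden = unix_name.startswith(".")
    name = unix_name[1:] if hidden else unix_name   # leading dot removed
    root, dot, ext = name.rpartition(".")
    if not dot:                     # no dot at all: the whole name is the root
        root, ext = name, ""
    # The extension feeds the hash only if it is longer than three
    # characters or contains upper case characters.
    hashed = root
    if len(ext) > 3 or any(c.isupper() for c in ext):
        hashed = root + "." + ext
    prefix = "".join(c for c in root if c in ALNUM)[:5].upper()
    if hidden:
        extension = "___"           # hidden files always get three underscores
    else:
        extension = "".join(c for c in ext if c in ALNUM)[:3].upper()
    mangled = prefix + mangling_char + stand_in_hash(hashed)
    return mangled + "." + extension if extension else mangled


if __name__ == "__main__":
    # Constructed sample names.
    for sample in ("index.html", "report-final.txt", "report-final.doc",
                   ".profile", "README"):
        print("%-18s -> %s" % (sample, mangle(sample)))
```

       Because a short lower case extension is left out of the hash,
       report-final.txt and report-final.doc share the same mangled
       base name, which is the rename behaviour described above.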

   mmaanngglliinngg cchhaarr ((SS))
       This  controls what character is used as the "magic" char
       acter in name mangling. The default is a ~  but  this  may
       interfere with some software. Use this option to set it to
       whatever you prefer.

       DDeeffaauulltt::
            mangling char = ~

       EExxaammppllee::
            mangling char = ^


   mmaaxx ddiisskk ssiizzee ((GG))
       This option allows you to put an upper limit on the appar
       ent  size of disks. If you set this option to 100 then all
       shares will appear to be not larger than 100 MB in size.

       Note that this option does not limit the  amount  of  data
       you can put on the disk. In the above case you could still
       store much more than 100 MB on the disk, but if  a  client
       ever  asks  for the amount of free disk space or the total
       disk size then the result will be bounded  by  the  amount
       specified in "max disk size".






       This  option  is  primarily  useful to work around bugs in
       some pieces of  software  that  can't  handle  very  large
       disks, particularly disks over 1GB in size.

       A "max disk size" of 0 means no limit.

       DDeeffaauulltt::      max disk size = 0

       EExxaammppllee::      max disk size = 1000

   mmaaxx lloogg ssiizzee ((GG))
       This  option  (an  integer in kilobytes) specifies the max
       size the log  file  should  grow  to.  Samba  periodically
       checks  the  size and if it is exceeded it will rename the
       file, adding a .old extension.

       A size of 0 means no limit.

       DDeeffaauulltt::      max log size = 5000

       EExxaammppllee::
            max log size = 1000


   mmaaxx xxmmiitt ((GG))
       This option controls the maximum packet size that will  be
       negotiated  by  Samba.  The default is 65535, which is the
       maximum. In some cases you may find you get better perfor
       mance  with  a smaller value. A value below 2048 is likely
       to cause problems.

       DDeeffaauulltt::      max xmit = 65535

       EExxaammppllee::
            max xmit = 8192


   mmaanngglleedd ssttaacckk ((GG))
       This parameter controls the number of mangled  names  that
       should be cached in the Samba server.

       This  stack  is  a  list  of  recently  mangled base names
       (extensions are only maintained if they are longer than  3
       characters or contains upper case characters).

       The  larger this value, the more likely it is that mangled
       names can be successfully converted to correct  long  UNIX
       names. However, large stack sizes will slow most directory
       access. Smaller stacks save memory  in  the  server  (each
       stack element costs 256 bytes).

       It  is  not  possible to absolutely guarantee correct long
       file names, so be prepared for some surprises!






       DDeeffaauulltt::
            mangled stack = 50

       EExxaammppllee::
            mangled stack = 100


   mmaapp aarrcchhiivvee ((SS))
       This controls whether the DOS archive attribute should  be
       mapped  to  UNIX execute bits.  The DOS archive bit is set
       when a file has been modified since its last backup.   One
       motivation  for  this option it to keep Samba/your PC from
       making any file it touches from becoming executable  under
       UNIX.   This can be quite annoying for shared source code,
       documents,  etc...

       DDeeffaauulltt::
             map archive = yes

       EExxaammppllee::
             map archive = no


   mmaapp hhiiddddeenn ((SS))
       This controls whether DOS style  hidden  files  should  be
       mapped to UNIX execute bits.

       DDeeffaauulltt::
            map hidden = no

       EExxaammppllee::
            map hidden = yes

   mmaapp ssyysstteemm ((SS))
       This  controls  whether  DOS  style system files should be
       mapped to UNIX execute bits.

       DDeeffaauulltt::
            map system = no

       EExxaammppllee::
            map system = yes

   mmaaxx ccoonnnneeccttiioonnss ((SS))
       This option allows the number of simultaneous  connections
       to  a  service  to  be  limited.  If  "max connections" is
       greater than 0 then connections will be  refused  if  this
       number  of  connections to the service are already open. A
       value of zero mean an unlimited number of connections  may
       be made.

       Record  lock files are used to implement this feature. The
       lock files will be stored in the  directory  specified  by
       the "lock directory" option.





       DDeeffaauulltt::      max connections = 0

       EExxaammppllee::      max connections = 10

   oonnllyy uusseerr ((SS))
       This is a boolean option that controls whether connections
       with usernames not in the user= list will be  allowed.  By
       default  this  option is disabled so a client can supply a
       username to be used by the server.

       Note that this also means Samba won't try to deduce
       usernames from the service name. This can be annoying for the
       [homes] section. To get around this you could use "user =
       %S" which means your "user" list will be just the service
       name, which for home directories is the name of the user.

       Default:      only user = False

       Example:      only user = True


   ffaakkee oopplloocckkss ((SS))
       Oplocks are the way that SMB clients get permission from a
       server to locally  cache  file  operations.  If  a  server
       grants  an  oplock (opportunistic lock) then the client is
       free to assume that it is the only one accessing the  file
       and it will aggressively cache file data. With some oplock
       types the client may even  cache  file  open/close  opera
       tions. This can give enormous performance benefits.

       Samba  does  not  support opportunistic locks because they
       are very difficult to do under Unix. Samba can fake  them,
       however,  by  granting a oplock whenever a client asks for
       one. This is controlled using the  smb.conf  option  "fake
       oplocks".  If  you  set  "fake oplocks = yes" then you are
       telling the client that it may aggressively cache the file
       data.

       By  enabling this option on all read-only shares or shares
       that you know will only be accessed from one client  at  a
       time  you  will  see a big performance improvement on many
       operations. If you enable this option on shares where mul
       tiple clients may be accessing the files read-write at the
       same time you can get data  corruption.  Use  this  option
       carefully!

       This option is disabled by default.


   mmeessssaaggee ccoommmmaanndd ((GG))
       This  specifies  what  command  to  run  when  the  server
       receives a WinPopup style message.

       This would normally be a command that  would  deliver  the



smb.conf                     smb.conf                          32





SMB.CONF(5)                                           SMB.CONF(5)


       message  somehow.  How  this  is  to be done is up to your
       imagination.

       What I use is:

          message command = csh -c 'xedit %s;rm %s' &

       This delivers the message using  xedit,  then  removes  it
       afterwards.  NOTE THAT IT IS VERY IMPORTANT THAT THIS COM
       MAND RETURN IMMEDIATELY. That's why I have the  &  on  the
       end.  If  it  doesn't return immediately then your PCs may
       freeze when sending messages (they  should  recover  after
       30secs, hopefully).

       All  messages  are delivered as the global guest user. The
       command takes  the  standard  substitutions,  although  %u
       won't work (%U may be better in this case).

       Apart  from  the  standard  substitutions, some additional
       ones apply. In particular:

       %s = the filename containing the message

       %t = the destination that the message was sent to
       (probably the server name)

       %f = who the message is from

       You could make this command send mail, or whatever else
       takes your fancy. Please let me know of any really
       interesting ideas you have.

       Here's a way of sending the messages as mail to root:

       message command = /bin/mail -s 'message from %f on %m' root < %s; rm %s

       If you don't have a message command then the message won't
       be  delivered  and Samba will tell the sender there was an
       error. Unfortunately WfWg totally ignores the  error  code
       and  carries  on  regardless,  saying that the message was
       delivered.

       If you want to silently delete it then try
       "message command = rm %s".

       For the really adventurous, try something like this:

       message command = csh -c 'csh < %s |& /usr/local/samba/bin/smbclient \
                         -M %m; rm %s' &

       This would execute the command as a script on the server,
       then give them the result in a WinPopup message. Note that
       this could cause a loop if you send a message from the
       server using smbclient! You better wrap the above in a
       script that checks for this :-)

       Default:      no message command

       Example:
               message command = csh -c 'xedit %s;rm %s' &


   mmiinn pprriinntt ssppaaccee ((SS))
       This sets the minimum amount of free disk space that  must
       be  available  before a user will be able to spool a print
       job. It is specified in kilobytes. The default is 0, which
       means no limit.

       DDeeffaauulltt::      min print space = 0

       EExxaammppllee::      min print space = 2000


   nnuullll ppaasssswwoorrddss ((GG))
       Allow  or disallow access to accounts that have null pass
       words.

       DDeeffaauulltt::      null passwords = no

       EExxaammppllee::      null passwords = yes


   ooss lleevveell ((GG))
       This integer value controls what  level  Samba  advertises
       itself  as  for  browse  elections.  See  BROWSING.txt for
       details.


   ppaacckkeett ssiizzee ((GG))
       The maximum transmit packet size during a raw  read.  This
       option  is no longer implemented as of version 1.7.00, and
       is kept only so old  configuration  files  do  not  become
       invalid.


   ppaasssswwdd cchhaatt ((GG))
       This  string  controls  the "chat" conversation that takes
       places between smbd and the local password  changing  pro
       gram  to change the users password. The string describes a
       sequence of  response-receive  pairs  that  smbd  uses  to
       determine  what  to send to the passwd program and what to
       expect back. If the expected output is not  received  then
       the password is not changed.

       This chat sequence is often quite site specific, depending
       on what local methods are used for password control  (such



smb.conf                     smb.conf                          34





SMB.CONF(5)                                           SMB.CONF(5)


       as NIS+ etc).

       The string can contain the macros %o and %n which are sub
       stituted for the old and new  passwords  respectively.  It
       can  also  contain  the standard macros \n \r \t and \s to
       give line-feed, carriage-return, tab and space.

       The string can also contain a * which matches any sequence
       of characters.

       Double  quotes  can be used to collect strings with spaces
       in them into a single string.

       If the send string in any part of the chat sequence  is  a
       fullstop  "."   then  no string is sent. Similarly, is the
       expect string is a fullstop then no string is expected.

       EExxaammppllee::
               passwd chat = "*Enter OLD password*" %o\n  "*Enter
       NEW password*" %n\n \
                              "*Reenter   NEW   password*"   %n\n
       "*Password changed*"


       DDeeffaauulltt::
              passwd chat =  *old*password*  %o\n  *new*password*
       %n\n *new*password* %n\n *changed*


   ppaasssswwdd pprrooggrraamm ((GG))
       The  name  of a program that can be used to set user pass
       words.

       This is only necessary if you have enabled remote password
       changing  at  compile  time. Any occurrences of %u will be
       replaced with the user name.

       Also note that many passwd programs insist in "reasonable"
       passwords,  such  as a minimum length, or the inclusion of
       mixed case chars and digits. This can pose  a  problem  as
       some  clients  (such  as Windows for Workgroups) uppercase
       the password before sending it.

       DDeeffaauulltt::      passwd program = /bin/passwd

       EExxaammppllee::      passwd program = /sbin/passwd %u


   ppaasssswwoorrdd lleevveell ((GG))
       Some  client/server  combinations  have  difficulty   with
       mixed-case passwords.  One offending client is Windows for
       Workgroups, which for  some  reason  forces  passwords  to
       upper  case  when  using  the LANMAN1 protocol, but leaves
       them alone when using COREPLUS!



smb.conf                     smb.conf                          35





SMB.CONF(5)                                           SMB.CONF(5)


       This parameter defines the maximum  number  of  characters
       that may be upper case in passwords.

       For  example,  say the password given was "FRED". If ppaassss
       wwoorrdd lleevveell is set to 1 (one), the  following  combinations
       would  be  tried if "FRED" failed: "Fred", "fred", "fRed",
       "frEd", "freD". If ppaasssswwoorrdd lleevveell wwaass sseett ttoo 22 ((ttwwoo)),,  tthhee
       ffoolllloowwiinngg   ccoommbbiinnaattiioonnss  wwoouulldd  aallssoo  bbee  tried:  "FRed",
       "FrEd", "FreD", "fREd", "fReD", "frED". And so on.

       The higher value this parameter is set to the more  likely
       it is that a mixed case password will be matched against a
       single case password. However, you should  be  aware  that
       use  of  this parameter reduces security and increases the
       time taken to process a new connection.

       A value of zero will cause only two attempts to be made  -
       the password as is and the password in all-lower case.

       If  you find the connections are taking too long with this
       option then you probably  have  a  slow  crypt()  routine.
       Samba  now  comes  with  a  fast  "ufc crypt" that you can
       select in the Makefile. You  should  also  make  sure  the
       PASSWORD_LENGTH  option  is  correct  for  your  system in
       local.h and includes.h. On most systems only the  first  8
       chars  of  a  password  are significant so PASSWORD_LENGTH
       should be 8, but on some longer passwords are significant.
       The  includes.h  file tries to select the right length for
       your system.

       DDeeffaauulltt::
            password level = 0

       EExxaammppllee::
            password level = 4
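
       The search described above, modelled as an added example
       (not Samba's own code; the order in which smbd tries the
       variants is an assumption). It shows how many case variants
       one client-supplied password is checked against, which is
       where both the extra connection time and the loss of
       security come from.

```python
from itertools import combinations
from math import comb


def candidates(password, level):
    """Return the case variants checked for one client-supplied password.

    Follows the man page text: the password as sent, then all lower
    case, then every variant of the lower-case form with up to `level`
    characters upper-cased. The ordering is an assumption.
    """
    lower = password.lower()
    tried, seen = [], set()

    def add(variant):
        # Digits and punctuation have no case, so duplicates are common.
        if variant not in seen:
            seen.add(variant)
            tried.append(variant)

    add(password)
    add(lower)
    for k in range(1, min(level, len(lower)) + 1):
        for positions in combinations(range(len(lower)), k):
            chars = list(lower)
            for i in positions:
                chars[i] = chars[i].upper()
            add("".join(chars))
    return tried


def upper_bound(length, level):
    """Worst-case number of crypt() calls for one login attempt."""
    capped = min(level, length)
    return 1 + sum(comb(length, k) for k in range(capped + 1))


if __name__ == "__main__":
    print(candidates("FRED", 1))
    # Growth for an 8-character password (PASSWORD_LENGTH on most systems).
    for level in range(0, 9):
        print("password level =", level, "->", upper_bound(8, level), "attempts")
```

       Each extra variant is also one more stored password that
       the same client guess would match.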


   ppaasssswwoorrdd sseerrvveerr ((GG))
       By specifying the name of another SMB server  (such  as  a
       WinNT box) with this option, and using "security = server"
       you can get Samba to do all its username/password  valida
       tion via a remote server.

       This  options sets the name of the password server to use.
       It must be a netbios name, so  if  the  machine's  netbios
       name is different from its internet name then you may have
       to add its netbios name to /etc/hosts.

       The password server much be a machine capable of using the
       "LM1.2X002"  or  the "LM NT 0.12" protocol, and it must be
       in user level security mode.

       NOTE: Using a password server means your UNIX box (running
       Samba)  is  only as secure as your password server. DO NOT



smb.conf                     smb.conf                          36





SMB.CONF(5)                                           SMB.CONF(5)


       CHOOSE A PASSWORD SERVER THAT YOU DON'T COMPLETELY  TRUST.

       Never point a Samba server at itself for password serving.
       This will cause a  loop  and  could  lock  up  your  Samba
       server!

       The name of the password server takes the standard substi
       tutions, but probably the only useful  one  is  %m,  which
       means the Samba server will use the incoming client as the
       password server. If you use this  then  you  better  trust
       your  clients,  and  you  better  restrict them with hosts
       allow!

       If you list several hosts in the "password server"  option
       then  smbd  will  try  each in turn till it finds one that
       responds. This is useful in case your primary server  goes
       down.
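
       The three cautions above (trust in the password server, the
       self-referencing loop, and %m without "hosts allow") can be
       checked mechanically. The following is an added example, not
       part of Samba: the function names, the local_names argument
       and the comma/whitespace splitting of the host list are
       assumptions, and the sample configurations are constructed.

```python
import re


def _norm(name):
    # Section and parameter names are case-insensitive and whitespace
    # inside them is irrelevant (see FILE FORMAT).
    return "".join(name.split()).lower()


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {parameter: value}}."""
    logical, pending = [], ""
    for raw in text.splitlines():
        stripped = raw.rstrip()
        if stripped.endswith("\\"):           # continued on the next line
            pending += stripped[:-1] + " "
            continue
        logical.append(pending + raw)
        pending = ""
    if pending:
        logical.append(pending)

    sections, current = {}, None
    for line in logical:
        line = line.strip()
        if not line or line.startswith(";"):  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(_norm(line[1:-1]), {})
        elif "=" in line and current is not None:
            name, value = line.split("=", 1)  # only the first '=' counts
            current[_norm(name)] = value.strip()
    return sections


def audit_password_server(sections, local_names=()):
    """Return (code, detail) findings for the [global] password server.

    local_names: this server's own netbios names, supplied by the
    caller (hypothetical argument, used to spot the loop case).
    """
    g = sections.get("global", {})
    if g.get("security", "share").lower() != "server":
        return []                             # option is not in use
    # Assumption: hosts are separated by commas and/or whitespace.
    hosts = [h for h in re.split(r"[,\s]+", g.get("passwordserver", "")) if h]
    own = {n.lower() for n in local_names}
    findings = []
    for host in hosts:
        if host == "%m":
            if "hostsallow" not in g:
                findings.append(("CLIENT_AS_SERVER_UNRESTRICTED",
                                 "%m with no hosts allow"))
            else:
                findings.append(("CLIENT_AS_SERVER",
                                 "%m limited by hosts allow = " + g["hostsallow"]))
        elif host.lower() in own:
            findings.append(("SELF_REFERENCE", host))
        else:
            findings.append(("TRUSTED_HOST", host))  # review: must be fully trusted
    return findings


# Constructed sample configurations, not taken from a real site.
SAMPLE_OPEN = r"""
; constructed sample
[global]
   Security = SERVER
   password   server = NTBOX1 \
        %m
[homes]
   only user = yes
"""

SAMPLE_LOOP = """
[global]
   security = server
   hosts allow = 192.168.2.
   password server = samba1, %m
"""

if __name__ == "__main__":
    for cfg in (SAMPLE_OPEN, SAMPLE_LOOP):
        for finding in audit_password_server(parse_smb_conf(cfg), ["SAMBA1"]):
            print(finding)
```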


   ppaatthh ((SS))
       A synonym for this parameter is 'directory'.

       This  parameter specifies a directory to which the user of
       the service is to be given access. In the case  of  print
       able  services,  this is where print data will spool prior
       to being submitted to the host for printing.

       For a printable service offering guest access, the service
       should  be  readonly and the path should be world-writable
       and have the sticky bit set.  This  is  not  mandatory  of
       course,  but you probably won't get the results you expect
       if you do otherwise.

       Any occurrences of %u in the path will  be  replaced  with
       the  username that the client is connecting as. Any occur
       rences of %m will be replaced by the name of  the  machine
       they are connecting from. These replacements are very use
       ful for setting up pseudo home directories for users.

       Note that this path will be based on 'root dir' if one was
       specified.  DDeeffaauulltt::
            none

       EExxaammppllee::
            path = /home/fred+


   ppoosstteexxeecc ((SS))
       This  option  specifies  a  command to be run whenever the
       service is disconnected. It takes the usual substitutions.
       The command may be run as the root on some systems.

       An interesting example may be do unmount server resources:




smb.conf                     smb.conf                          37





SMB.CONF(5)                                           SMB.CONF(5)


       postexec = /etc/umount /cdrom

       See also preexec

       DDeeffaauulltt::
             none (no command executed)

       EExxaammppllee::
             postexec = echo \"%u disconnected from  %S  from  %m
       (%I)\" >> /tmp/log


   ppoossttssccrriipptt ((SS))
       This  parameter  forces  a  printer to interpret the print
       files as postscript. This is done by adding a  %!  to  the
       start of print output.

       This is most useful when you have lots of PCs that persist
       in putting a control-D at the start of print  jobs,  which
       then confuses your printer.

       DDeeffaauulltt::      postscript = False

       EExxaammppllee::      postscript = True


   pprreeeexxeecc ((SS))
       This  option  specifies  a  command to be run whenever the
       service is connected to. It takes the usual substitutions.

       An interesting example is to send the users a welcome mes
       sage every time they log in. Maybe a message of  the  day?
       Here is an example:

       preexec = csh -c 'echo \"Welcome to %S!\" | \
              /usr/local/samba/bin/smbclient -M %m -I %I' &

       Of course, this could get annoying after a while :-)

       See also postexec

       DDeeffaauulltt::      none (no command executed)

       EExxaammppllee::
               preexec = echo \"%u connected to %S from %m (%I)\"
       >> /tmp/log


   pprreeffeerrrreedd mmaasstteerr ((GG))
       This boolean parameter controls if Samba  is  a  preferred
       master  browser for its workgroup.  On startup, samba will
       force an election, and it will have a slight advantage  in
       winning the election.  It is recommended that this parame
       ter is used in conjunction with domain master  =  yes,  so



smb.conf                     smb.conf                          38





SMB.CONF(5)                                           SMB.CONF(5)


       that samba can guarantee becoming a domain master.

       See ooss lleevveell == nnnn

       DDeeffaauulltt::
            preferred master = yes


   pprreellooaadd
       This is an alias for "auto services"


   pprreesseerrvvee ccaassee ((SS))
       This  controls  if new filenames are created with the case
       that the client passes, or if they are forced  to  be  the
       "default" case.

       DDeeffaauulltt::
              preserve case = no

       See  the  section  on "NAME MANGLING" for a fuller discus
       sion.


   pprriinntt ccoommmmaanndd ((SS))
       After a print job has finished spooling to a service, this
       command  will  be  used via a system() call to process the
       spool file. Typically the command  specified  will  submit
       the spool file to the host's printing subsystem, but there
       is no requirement that this be the case. The  server  will
       not remove the spool file, so whatever command you specify
       should remove the spool file when it has  been  processed,
       otherwise  you  will  need  to  manually  remove old spool
       files.

       The print command is simply a text string. It will be used
       verbatim,  with  two  exceptions:  All occurrences of "%s"
       will be replaced by the appropriate spool file  name,  and
       all  occurrences of "%p" will be replaced by the appropri
       ate printer name. The spool file name is  generated  auto
       matically  by  the  server,  the printer name is discussed
       below.

       The full path name will be used for the filename if %s  is
       not  preceded by a /. If you don't like this (it can stuff
       up some lpq output) then use %f instead.  Any  occurrences
       of  %f get replaced by the spool filename without the full
       path at the front.

       The print command MUST contain at least one occurrence  of
       "%s"  or  %f  - the "%p" is optional. At the time a job is
       submitted, if no printer name is supplied the "%p" will be
       silently removed from the printer command.

       If  specified  in  the [global] section, the print command
       given will be used for any printable service that does not
       have its own print command specified.

       If there is neither a specified print command for a
       printable service nor a global print command, spool files
       will be created but not processed and (most importantly)
       not removed.

       Note that printing may fail on some UNIXes from the
       "nobody" account. If this happens then create an
       alternative guest account that can print and set the
       "guest account" in the [global] section.

       You can form quite complex print commands by realising
       that they are just passed to a shell. For example the
       following will log a print job, print the file, then
       remove it. Note that ; is the usual separator for commands
       in shell scripts.

       print command = echo Printing %s >> /tmp/print.log; lpr -P %p %s; rm %s

       You may have to vary this command considerably depending
       on how you normally print files on your system.

       Default:      print command = lpr -r -P %p %s

       Example:
            print command = /usr/local/samba/bin/myprintscript %p %s

   pprriinntt ookk ((SS))
       See pprriinnttaabbllee..

   pprriinnttaabbllee ((SS))
       A synonym for this parameter is 'print ok'.

       If this parameter is 'yes', then clients may  open,  write
       to  and  submit spool files on the directory specified for
       the service.

       Note that a printable service will ALWAYS allow writing to
       the  service  path  (user  privileges  permitting) via the
       spooling of print data. The 'read only' parameter controls
       only non-printing access to the resource.

       DDeeffaauulltt::
            printable = no

       EExxaammppllee::
            printable = yes





smb.conf                     smb.conf                          40





SMB.CONF(5)                                           SMB.CONF(5)


   pprriinnttiinngg ((GG))
       This parameters controls how printer status information is
       interpreted on your system, and also affects  the  default
       values  for  the  "print command", "lpq command" and "lprm
       command".

       Currently six printing  styles  are  supported.  They  are
       "printing  =  bsd",  "printing = sysv", "printing = hpux",
       "printing = aix", "printing = qnx" and "printing = plp".

       To see what the defaults are for the other print  commands
       when using these three options use the "testparm" program.



   pprriinnttccaapp nnaammee ((GG))
       This parameter may be used  to  override  the  compiled-in
       default   printcap   name  used  by  the  server  (usually
       /etc/printcap). See the discussion of the [printers]  sec
       tion above for reasons why you might want to do this.

       For  those of you without a printcap (say on SysV) you can
       just create a minimal file that looks like a printcap  and
       set "printcap name =" in [global] to point at it.

       A minimal printcap file would look something like this:

       print1|My Printer 1
       print2|My Printer 2
       print3|My Printer 3
       print4|My Printer 4
       print5|My Printer 5

       where  the | separates aliases of a printer. The fact that
       the second alias has a space in it gives a hint  to  Samba
       that it's a comment.

       NOTE:  Under  AIX the default printcap name is "/etc/qcon
       fig". Samba will assume the file is in AIX "qconfig"  for
       mat if the string "/qconfig" appears in the printcap file
       name.

       DDeeffaauulltt::
            printcap name = /etc/printcap

       EExxaammppllee::
            printcap name = /etc/myprintcap

   pprriinntteerr ((SS))
       A synonym for this parameter is 'printer name'.

       This parameter specifies the name of the printer to  which
       print  jobs  spooled  through  a printable service will be
       sent.



smb.conf                     smb.conf                          41





SMB.CONF(5)                                           SMB.CONF(5)


       If specified in the [global]  section,  the  printer  name
       given will be used for any printable service that does not
       have its own printer name specified.

       DDeeffaauulltt::
            none (but may be 'lp' on many systems)

       EExxaammppllee::
            printer name = laserwriter


   pprriinntteerr ddrriivveerr ((SS))
       This option allows you to control the string that  clients
       receive  when  they  ask the server for the printer driver
       associated with a printer. If you are using  Windows95  or
       WindowsNT  then  you can use this to automate the setup of
       printers on your system.

       You need to set this parameter to the exact  string  (case
       sensitive)  that  describes the appropriate printer driver
       for your system.  If you don't know the  exact  string  to
       use  then  you  should  first try with no "printer driver"
       option set and the client will give you a list of  printer
       drivers.  The appropriate strings are shown in a scrollbox
       after you have chosen the printer manufacturer.

       EExxaammppllee::      printer driver = HP LaserJet 4L


   pprriinntteerr nnaammee ((SS))
       See pprriinntteerr..


   pprroottooccooll ((GG))
       The value of the parameter (a string) is the highest  pro
       tocol level that will be supported by the server.

       Possible  values  are CORE, COREPLUS, LANMAN1, LANMAN2 and
       NT1. The relative merits of  each  are  discussed  in  the
       README file.

       Normally  this  option  should not be set as the automatic
       negotiation phase in the SMB protocol takes care of choos
       ing the appropriate protocol.

       DDeeffaauulltt::      protocol = NT1

       EExxaammppllee::      protocol = LANMAN1

   ppuubblliicc ((SS))
       A synonym for this parameter is 'guest ok'.

       If this parameter is 'yes' for a service, then no password
       is required to connect to the service. Privileges will  be



smb.conf                     smb.conf                          42





SMB.CONF(5)                                           SMB.CONF(5)


       those of the guest account.

       See the section below on user/password validation for more
       information about this option.

       DDeeffaauulltt::
            public = no

       EExxaammppllee::
            public = yes

   rreeaadd lliisstt ((SS))
       This is a list of users that are given read-only access to
       a  service.  If  the  connecting user is in this list then
       they will not be given write access, no  matter  what  the
       "read  only"  option is set to. The list can include group
       names using the @group syntax.

       See also the "write list" option

       DDeeffaauulltt::
            read list =

       EExxaammppllee::
            read list = mary, @students


   rreeaadd oonnllyy ((SS))
       See wwrriittaabbllee and wwrriittee ookk..  Note that this is an  inverted
       synonym for writable and write ok.

   rreeaadd pprreeddiiccttiioonn ((GG))
       This  options enables or disables the read prediction code
       used to speed up reads from the server. When  enabled  the
       server  will  try  to pre-read data from the last accessed
       file that was opened read-only while waiting for  packets.


   DDeeffaauulltt::
            read prediction = False


   EExxaammppllee::
            read prediction = True

   rreeaadd rraaww ((GG))
       This  parameter  controls  whether  or not the server will
       support raw reads when transferring data to clients.

       If enabled, raw reads allow reads of 65535  bytes  in  one
       packet.  This typically provides a major performance bene
       fit.

       However, some clients either negotiate the allowable block



smb.conf                     smb.conf                          43





SMB.CONF(5)                                           SMB.CONF(5)


       size  incorrectly  or  are  incapable of supporting larger
       block sizes, and for these clients you may need to disable
       raw reads.

       In  general  this  parameter  should be viewed as a system
       tuning tool and left severely alone. See also wwrriittee rraaww..

       DDeeffaauulltt::
            read raw = yes

       EExxaammppllee::
            read raw = no

   rreeaadd ssiizzee ((GG))
       The  option  "read  size"  affects  the  overlap  of  disk
       reads/writes  with  network reads/writes. If the amount of
       data being transferred in  several  of  the  SMB  commands
       (currently  SMBwrite, SMBwriteX and SMBreadbraw) is larger
       than this value then the server begins  writing  the  data
       before  it has received the whole packet from the network,
       or in the case of SMBreadbraw, it begins  writing  to  the
       network before all the data has been read from disk.

       This  overlapping  works  best when the speeds of disk and
       network access are similar, having very little effect when
       the speed of one is much greater than the other.

       The default value is 2048, but very little experimentation
       has been done yet to determine the optimal value,  and  it
       is  likely  that  the best value will vary greatly between
       systems anyway. A value over 65536 is pointless  and  will
       cause you to allocate memory unnecessarily.

       DDeeffaauulltt::      read size = 2048

       EExxaammppllee::      read size = 8192


   rreemmoottee aannnnoouunnccee ((GG))
       This  option  allows  you  to  setup  nmbd to periodically
       announce itself to arbitrary IP addresses  with  an  arbi
       trary workgroup name.

       This  is useful if you want your Samba server to appear in
       a remote workgroup for which the normal browse propagation
       rules  don't  work.  The  remote workgroup can be anywhere
       that you can send IP packets to.

       For example:

              remote     announce     =     192.168.2.255/SERVERS
       192.168.4.255/STAFF

       the  above line would cause nmbd to announce itself to the



smb.conf                     smb.conf                          44





SMB.CONF(5)                                           SMB.CONF(5)


       two given IP addresses using the given workgroup names. If
       you leave out the workgroup name then the one given in the
       "workgroup" option is used instead.

       The IP addresses you choose would normally be  the  broad
       cast addresses of the remote networks, but can also be the
       IP addresses of known browse masters if your network  con
       fig is that stable.

       This  option  replaces similar functionality from the nmbd
       lmhosts file.


   rreevvaalliiddaattee ((SS))
       This options controls whether Samba will  allow  a  previ
       ously  validated  username/password  pair  to  be  used to
       attach to a share. Thus if you connect to  \\server\share1
       then  to  \\server\share2 it won't automatically allow the
       client to request connection to the second  share  as  the
       same username as the first without a password.

       If  "revalidate"  is  True  then the client will be denied
       automatic access as the same username.

       DDeeffaauulltt::      revalidate = False

       EExxaammppllee::      revalidate = True


   rroooott ((GG))
       See rroooott ddiirreeccttoorryy..

   rroooott ddiirr ((GG))
       See rroooott ddiirreeccttoorryy..

   rroooott ddiirreeccttoorryy ((GG))
       Synonyms for this parameter are 'root dir' and 'root'.

       The server will chroot() to  this  directory  on  startup.
       This  is not strictly necessary for secure operation. Even
       without it the server will deny access to files not in one
       of  the  service  entries. It may also check for, and deny
       access to, soft links to other parts of the filesystem, or
       attempts  to use .. in file names to access other directo
       ries (depending on the setting of the "wide links" parame
       ter).

       Adding  a  "root  dir"  entry other than "/" adds an extra
       level of security, but at a price. It  absolutely  ensures
       that no access is given to files not in the sub-tree spec
       ified in the "root dir"  option,  *including*  some  files
       needed  for  complete operation of the server. To maintain
       full operability of the server you  will  need  to  mirror
       some  system files into the "root dir" tree. In particular



smb.conf                     smb.conf                          45





SMB.CONF(5)                                           SMB.CONF(5)


       you will need to mirror /etc/passwd (or a subset  of  it),
       and  any binaries or configuration files needed for print
       ing (if required).  The set of files that must be mirrored
       is operating system dependent.

       DDeeffaauulltt::
            root directory = /

       EExxaammppllee::
            root directory = /homes/smb

   sseeccuurriittyy ((GG))
       This option affects how clients respond to Samba.

       The option sets the "security mode bit" in replies to pro
       tocol negotiations to turn share level security on or off.
       Clients  decide  based  on  this  bit whether (and how) to
       transfer user and password information to the server.

       The default is "security=SHARE", mainly because  that  was
       the only option at one stage.

       The  alternatives  are  "security  =  user" or "security =
       server".

       If your PCs use usernames that are the same as their user
       names on the UNIX machine then you will want to use "secu
       rity = user". If you mostly use usernames that don't exist
       on the UNIX box then use "security = share".

       There is a bug in WfWg that may affect your decision. When
       in user level security a WfWg client will  totally  ignore
       the  password  you type in the "connect drive" dialog box.
       This makes it very difficult (if not impossible)  to  con
       nect to a Samba service as anyone except the user that you
       are logged into WfWg as.

       If you use "security = server" then Samba will try to val
       idate  the  username/password by passing it to another SMB
       server, such as an NT box. If this fails it will revert to
       "security = USER".

       See the "password server" option for more details.

       DDeeffaauulltt::
            security = SHARE

       EExxaammppllee::
            security = USER

   sseerrvveerr ssttrriinngg ((GG))
       This controls what string will show up in the printer com
       ment box in print manager and next to the  IPC  connection
       in  "net view". It can be any string that you wish to show



smb.conf                     smb.conf                          46





SMB.CONF(5)                                           SMB.CONF(5)


       to your users.

       It also sets what will appear in browse lists next to  the
       machine name.

       A %v will be replaced with the Samba version number.

       A %h will be replaced with the hostname.

       DDeeffaauulltt::      server string = Samba %v

       EExxaammppllee::       server  string  =  University of GNUs Samba
       Server


   ssmmbbrruunn ((GG))
       This sets  the  full  path  to  the  smbrun  binary.  This
       defaults to the value in the Makefile.

       You  must  get  this  path right for many services to work
       correctly.

       DDeeffaauulltt:: taken from Makefile

       EExxaammppllee::      smbrun = /usr/local/samba/bin/smbrun


   sshhoorrtt pprreesseerrvvee ccaassee ((SS))
       This controls if new short filenames are created with  the
       case  that  the client passes, or if they are forced to be
       the "default" case.

       DDeeffaauulltt::
              short preserve case = no

       See the section on "NAME MANGLING" for  a  fuller  discus
       sion.


   rroooott pprreeeexxeecc ((SS))
       This is the same as preexec except that the command is run
       as root. This is useful for mounting filesystems (such  as
       cdroms) before a connection is finalised.


   rroooott ppoosstteexxeecc ((SS))
       This  is  the  same as postexec except that the command is
       run as root. This is  useful  for  unmounting  filesystems
       (such as cdroms) after a connection is closed.


   sseett ddiirreeccttoorryy ((SS))
       If 'set directory = no', then users of the service may not
       use the setdir command to change directory.



smb.conf                     smb.conf                          47





SMB.CONF(5)                                           SMB.CONF(5)


       The setdir command is  only  implemented  in  the  Digital
       Pathworks  client.  See  the  Pathworks  documentation for
       details.

       DDeeffaauulltt::
            set directory = no

       EExxaammppllee::
            set directory = yes


   sshhaarree mmooddeess ((SS))
       This enables or  disables  the  honouring  of  the  "share
       modes" during a file open. These modes are used by clients
       to gain exclusive read or write access to a file.

       These open modes are not directly supported  by  UNIX,  so
       they  are  simulated  using lock files in the "lock direc
       tory". The "lock directory" specified in smb.conf must  be
       readable by all users.

       The  share  modes  that  are  enabled  by  this option are
       DENY_DOS, DENY_ALL, DENY_READ, DENY_WRITE,  DENY_NONE  and
       DENY_FCB.

       Enabling  this  option  gives full share compatibility but
       may cost a bit of processing time on the UNIX server. They
       are enabled by default.

       DDeeffaauulltt::      share modes = yes

       EExxaammppllee::      share modes = no


   ssoocckkeett aaddddrreessss ((GG))
       This  option allows you to control what address Samba will
       listen for connections on. This is used to support  multi
       ple virtual interfaces on the one server, each with a dif
       ferent configuration.

       By default samba will accept connections on any address.

       EExxaammppllee::      socket address = 192.168.2.20


   ssoocckkeett ooppttiioonnss ((GG))
       This option (which can also be invoked with the -O command
       line  option)  allows you to set socket options to be used
       when talking with the client.

       Socket options are controls on the networking layer of the
       operating  systems which allow the connection to be tuned.

       This option will typically be  used  to  tune  your  Samba



smb.conf                     smb.conf                          48





SMB.CONF(5)                                           SMB.CONF(5)


       server  for  optimal  performance  for your local network.
       There is no way that  Samba  can  know  what  the  optimal
       parameters  are  for  your net, so you must experiment and
       choose them yourself. I  strongly  suggest  you  read  the
       appropriate  documentation for your operating system first
       (perhaps "man setsockopt" will help).

       You may find that on some systems Samba will say  "Unknown
       socket  option"  when you supply an option. This means you
       either mis-typed it or you need to add an include file  to
       includes.h  for  your OS. If the latter is the case please
       send the patch to me (samba-bugs@samba.anu.edu.au).

       Any of the supported socket options may be combined in any
       way you like, as long as your OS allows it.

       This  is  the  list  of  socket options currently settable
       using this option:

         SO_KEEPALIVE

         SO_REUSEADDR

         SO_BROADCAST

         TCP_NODELAY

         IPTOS_LOWDELAY

         IPTOS_THROUGHPUT

         SO_SNDBUF *

         SO_RCVBUF *

         SO_SNDLOWAT *

         SO_RCVLOWAT *

       Those marked with a * take an integer argument. The others can
       optionally take a 1 or 0 argument to enable or disable the
       option; by default they will be enabled if you don't specify 1
       or 0.

       To specify an argument use the syntax SOME_OPTION=VALUE, for
       example SO_SNDBUF=8192. Note that you must not have any spaces
       before or after the = sign.

       If you are on a local network then a sensible option might
       be

       socket options = IPTOS_LOWDELAY

       If you have an almost unloaded local network and you don't mind
       a lot of extra CPU usage in the server then you could try

       socket options = IPTOS_LOWDELAY TCP_NODELAY

       If you are on a wide area network then perhaps try setting
       IPTOS_THROUGHPUT.

       Note  that  several  of  the  options may cause your Samba
       server to fail completely. Use these options with caution!

       DDeeffaauulltt::      no socket options

       EExxaammppllee::      socket options = IPTOS_LOWDELAY





   ssttaattuuss ((GG))
       This  enables or disables logging of connections to a sta
       tus file that ssmmbbssttaattuuss can read.

       With this disabled ssmmbbssttaattuuss won't be  able  to  tell  you
       what connections are active.

       DDeeffaauulltt::      status = yes

       EExxaammppllee::      status = no


   ssttrriipp ddoott ((GG))
       This  is a boolean that controls whether to strip trailing
       dots off filenames. This helps with some CDROMs that  have
       filenames ending in a single dot.

       NOTE:  This  option is now obsolete, and may be removed in
       future. You should use the "mangled map" option instead as
       it is much more general.


   ssttrriicctt lloocckkiinngg ((SS))
       This is a boolean that controls the handling of file lock
       ing in the server. When this is set to yes the server will
       check every read and write access for file locks, and deny
       access if locks exist. This can be slow on some systems.

       When strict locking is "no"  the  server  does  file  lock
       checks only when the client explicitly asks for them.

       Well behaved clients always ask for lock checks when it is
       important, so in the vast majority of cases "strict  lock
       ing = no" is preferable.




smb.conf                     smb.conf                          50





SMB.CONF(5)                                           SMB.CONF(5)


       DDeeffaauulltt::      strict locking = no

       EExxaammppllee::      strict locking = yes


   ssyynncc aallwwaayyss ((SS))
       This  is  a boolean parameter that controls whether writes
       will always be written to stable storage before the  write
       call  returns.  If  this  is false then the server will be
       guided by the client's request in each write call (clients
       can set a bit indicating that a particular write should be
       synchronous). If this is true then  every  write  will  be
       followed  by  a fsync() call to ensure the data is written
       to disk.

       DDeeffaauulltt::      sync always = no

       EExxaammppllee::      sync always = yes


   ttiimmee ooffffsseett ((GG))
       This parameter is a setting in minutes to add to the  nor
       mal  GMT  to  local time conversion. This is useful if you
       are serving a lot of PCs that have incorrect daylight sav
       ing time handling.

       DDeeffaauulltt::      time offset = 0

       EExxaammppllee::      time offset = 60


   uusseerr ((SS))
       See uusseerrnnaammee..

   uusseerrnnaammee ((SS))
       A synonym for this parameter is 'user'.

       Multiple users may be specified in a comma-delimited list,
       in which case the supplied password will be tested against
       each username in turn (left to right).

       The username= line is needed only when the PC is unable to
       supply its own username. This is the case for the coreplus
       protocol or where your users have different WfWg usernames
       to UNIX usernames. In both these cases  you  may  also  be
       better using the \\server\share%user syntax instead.

       The username= line is not a great solution in many cases as it
       means Samba will try to validate the supplied password against
       each of the usernames in the username= line in turn. This is
       slow and a bad idea for lots of users in case of duplicate
       passwords. You may get timeouts or security breaches using this
       parameter unwisely.

       Samba relies on the underlying UNIX security. This parameter
       does not restrict who can login, it just offers hints to the
       Samba server as to what usernames might correspond to the
       supplied password. Users can login as whoever they please and
       they will be able to do no more damage than if they started a
       telnet session. The daemon runs as the user that they log in as,
       so they cannot do anything that user cannot do.

       To restrict a service to a particular set of users you can
       use the "valid users=" line.

       If any of the usernames begin with a @ then the name will be
       looked up in the groups file and will expand to a list of all
       users in the group of that name. Note that searching through a
       groups file can take quite some time, and some clients may time
       out during the search.

       See the section below on username/password validation  for
       more  information  on how this parameter determines access
       to the services.

       DDeeffaauulltt::
            The guest account if a guest service, else  the  name
       of the service.

       EExxaammpplleess::
            username = fred
            username = fred, mary, jack, jane, @users, @pcgroup


   uusseerrnnaammee mmaapp ((GG))
       This  option  allows you to to specify a file containing a
       mapping of usernames from the clients to the server.  This
       can  be  used  for several purposes. The most common is to
       map usernames that users use on DOS or Windows machines to
       those that the UNIX box uses. The other is to map multiple
       users to a single username so that they  can  more  easily
       share files.

       The map file is parsed line by line. Each line should con
       tain a single UNIX username on the left then  a  '='  fol
       lowed  by  a  list  of usernames on the right. The list of
       usernames on the right  may  contain  names  of  the  form
       @group  in which case they will match any UNIX username in
       that group. The special client name '*' is a wildcard  and
       matches any name.

       The  file is processed on each line by taking the supplied
       username and comparing it with each username on the  right
       hand  side  of the '=' signs. If the supplied name matches
       any of the names  on  the  right  hand  side  then  it  is
       replaced  with  the name on the left. Processing then con
       tinues with the next line.



smb.conf                     smb.conf                          52





SMB.CONF(5)                                           SMB.CONF(5)


       If any line begins with a '#' or a ';' then it is ignored

       For example to map from the name "admin"  or  "administra
       tor" to the UNIX name "root" you would use

            root = admin administrator

       Or  to  map  anyone in the UNIX group "system" to the UNIX
       name "sys" you would use

            sys = @system

       You can have as many mappings as you like  in  a  username
       map file.

       Note that the remapping is applied to all occurrences of
       usernames. Thus if you connect to "\\server\fred" and "fred" is
       remapped to "mary" then you will actually be connecting to
       "\\server\mary" and will need to supply a password suitable for
       "mary" not "fred". The only exception to this is the username
       passed to the "password server" (if you have one). The password
       server will receive whatever username the client supplies
       without modification.

       Also note that no reverse mapping is done. The main effect
       this has is with printing. Users who have been mapped  may
       have  trouble  deleting  print  jobs as PrintManager under
       WfWg will think they don't own the print job.

       DDeeffaauulltt      no username map

       EExxaammppllee      username map = /usr/local/samba/lib/users.map


   vvaalliidd cchhaarrss ((SS))
       The  option  allows  you  to specify additional characters
       that should be considered valid by  the  server  in  file
       names.  This is particularly useful for national character
       sets, such as adding u-umlaut or a-ring.

       The option takes a list of characters in either integer or
       character  form  with spaces between them. If you give two
       characters with a colon between them then it will be taken
       as an lowercase:uppercase pair.

       If  you  have an editor capable of entering the characters
       into the config file then it is probably  easiest  to  use
       this  method.  Otherwise you can specify the characters in
       octal, decimal or hexadecimal form using the usual C nota
       tion.

       For example to add the single character 'Z' to the charset
       (which is a pointless thing to do as it's already there) you
       could do one of the following

            valid chars = Z
            valid chars = z:Z
            valid chars = 0132:0172

       The last two examples above actually add two characters, and
       alter the uppercase and lowercase mappings appropriately.

       DDeeffaauulltt
            Samba  defaults  to  using  a reasonable set of valid
       characters
            for english systems

       EExxaammppllee
               valid chars = 0345:0305 0366:0326 0344:0304

       The above example allows filenames  to  have  the  swedish
       characters in them.

       NOTE:  It is actually quite difficult to correctly produce
       a "valid chars" line for a particular system. To  automate
       the process tino@augsburg.net has written a package called
       "validchars" which will automatically produce  a  complete
       "valid  chars" line for a given client system. Look in the
       examples subdirectory for this package.


   vvaalliidd uusseerrss ((SS))
       This is a list of users that should be allowed to login to
       this  service.  A name starting with @ is interpreted as a
       UNIX group.

       If this is empty (the default) then any user can login. If
       a  username  is  in both this list and the "invalid users"
       list then access is denied for that user.

       The current servicename is substituted  for  %S.  This  is
       useful in the [homes] section.

       See also "invalid users".

       Default:      No valid users list. (anyone can login)

       Example:      valid users = greg, @pcusers


   vvoolluummee ((SS))
       This  allows you to override the volume label returned for
       a share. Useful for CDROMs with installation programs that
       insist on a particular volume label.

       The default is the name of the share.


   wide links (S)
       This  parameter  controls whether or not links in the UNIX
       file system may be followed  by  the  server.  Links  that
       point  to  areas within the directory tree exported by the
       server are always allowed; this parameter controls  access
       only  to  areas  that are outside the directory tree being
       exported.

       DDeeffaauulltt::
            wide links = yes

       EExxaammppllee::
            wide links = no
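
       To see which links the default "wide links = yes" would let the
       server follow out of a share, the added Python example below
       (not part of Samba) walks an exported tree and reports every
       symbolic link whose target resolves outside it. The function
       names and the directory layout built in demo() are constructed
       for this example.

```python
"""List symlinks that leave an exported tree (added example, not Samba code)."""
import os
import tempfile


def links_leaving_tree(share_root):
    """Return sorted [(link path relative to the share, resolved target)]
    for every symlink under share_root that resolves outside share_root."""
    root = os.path.realpath(share_root)
    found = []
    # followlinks=False: symlinked directories are listed but not entered,
    # so the walk itself never leaves the exported tree.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            target = os.path.realpath(path)  # resolves relative and chained links
            inside = os.path.commonpath([root, target]) == root
            if not inside:
                found.append((os.path.relpath(path, root), target))
    return sorted(found)


def demo():
    """Build a constructed share containing one link that stays inside the
    tree and two that leave it (one absolute, one relative)."""
    with tempfile.TemporaryDirectory() as base:
        share = os.path.join(base, "share")
        outside = os.path.join(base, "private")
        os.makedirs(os.path.join(share, "docs"))
        os.makedirs(outside)
        # Stays inside the share: always allowed, never reported.
        os.symlink(os.path.join(share, "docs"), os.path.join(share, "docs-link"))
        # Leave the share: followed only when wide links = yes.
        os.symlink(outside, os.path.join(share, "docs", "peek"))
        os.symlink("../../private", os.path.join(share, "docs", "rel"))
        real_base = os.path.realpath(base)
        return [(link, os.path.relpath(target, real_base))
                for link, target in links_leaving_tree(share)]


if __name__ == "__main__":
    for link, target in demo():
        print("%s -> %s (outside the share)" % (link, target))
```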


   wwiinnss pprrooxxyy ((GG))
       This is a boolean that controls if nmbd  will  respond  to
       broadcast  name  queries on behalf of other hosts. You may
       need to set this to no for some older clients.

       DDeeffaauulltt::      wins proxy = no

   wwiinnss ssuuppppoorrtt ((GG))
       This boolean controls if Samba will act as a WINS  server.
       You  should  normally  set this to true unless you already
       have another WINS server on the network.

       DDeeffaauulltt::      wins support = yes

   wwiinnss sseerrvveerr ((GG))
       This specifies the DNS name of the WINS server that  Samba
       should  register  with.  If you have a WINS server on your
       network then you should set this to the WINS servers name.

       This  option only takes effect if Samba is not acting as a
       WINS server itself.

       DDeeffaauulltt::      wins server =

   wwoorrkkggrroouupp ((GG))
       This controls what workgroup your server will appear to be
       in when queried by clients.

       DDeeffaauulltt::
            set in the Makefile

       EExxaammppllee::
            workgroup = MYGROUP


   wwrriittee ookk ((SS))
       See wwrriittaabbllee and rreeaadd oonnllyy..





smb.conf                     smb.conf                          55





SMB.CONF(5)                                           SMB.CONF(5)


   wwrriittaabbllee ((SS))
       A  synonym  for  this parameter is 'write ok'. An inverted
       synonym is 'read only'.

       If this parameter is 'no', then users of a service may not
       create or modify files in the service's directory.

       Note  that  a  printable  service ('printable = yes') will
       ALWAYS allow writing to  the  directory  (user  privileges
       permitting), but only via spooling operations.

       DDeeffaauulltt::
            writable = no

       EExxaammpplleess::
            read only = no
            writable = yes
            write ok = yes

   wwrriittee lliisstt ((SS))
       This  is  a list of users that are given read-write access
       to a service. If the connecting user is in this list  then
       they  will be given write access, no matter what the "read
       only" option is set to. The list can include  group  names
       using the @group syntax.

       Note that if a user is in both the read list and the write
       list then they will be given write access.

       See also the "read list" option.

       Default:
            write list =

       Example:
            write list = admin, root, @staff


   wwrriittee rraaww ((GG))
       This parameter controls whether or  not  the  server  will
       support raw writes when transferring data from clients.

       DDeeffaauulltt::
            write raw = yes

       EExxaammppllee::
            write raw = no

NNOOTTEE AABBOOUUTT UUSSEERRNNAAMMEE//PPAASSSSWWOORRDD VVAALLIIDDAATTIIOONN
       There  are a number of ways in which a user can connect to
       a service. The  server  follows  the  following  steps  in
       determining  if  it will allow a connection to a specified
       service. If all the steps fail then the connection request
       is  rejected.  If one of the steps pass then the following



smb.conf                     smb.conf                          56





SMB.CONF(5)                                           SMB.CONF(5)


       steps are not checked.

       If the service is marked "guest only = yes" then  steps  1
       to 5 are skipped

       Step 1: If the client has passed a username/password pair and
       that username/password pair is validated by the UNIX system's
       password programs then the connection is made as that username.
       Note that this includes the \\server\service%username method of
       passing a username.

       Step 2: If the client has previously registered a username with
       the system and now supplies a correct password for that username
       then the connection is allowed.

       Step 3: The client's netbios name and any previously used user
       names are checked against the supplied password; if they match
       then the connection is allowed as the corresponding user.

       Step 4: If the client has previously validated a
       username/password pair with the server and the client has passed
       the validation token then that username is used. This step is
       skipped if "revalidate = yes" for this service.

       Step 5: If a "user = " field is given in the smb.conf file for
       the service and the client has supplied a password, and that
       password matches (according to the UNIX system's password
       checking) with one of the usernames from the user= field then
       the connection is made as the username in the "user=" line. If
       one of the usernames in the user= list begins with a @ then that
       name expands to a list of names in the group of the same name.

       Step 6: If the service is a guest service then a connection is
       made as the username given in the "guest account =" for the
       service, irrespective of the supplied password.
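
       The steps above, written out as an added Python model (not
       Samba's code) so that the order of evaluation, the two skip
       rules and the duplicate-password caveat from the username
       parameter can be exercised. The Service and Client records,
       check_password() and the sample accounts and groups are
       constructed for this example.

```python
"""Added model of the connection steps listed above; not Samba's code."""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed accounts: mary and jane share a password on purpose.
PASSWORDS = {"fred": "apple", "mary": "pear", "jane": "pear"}
GROUPS = {"staff": ["mary", "jane"]}          # constructed groups file


def check_password(user, password):
    """Stand-in for the UNIX system's password check (an assumption)."""
    return user in PASSWORDS and PASSWORDS[user] == password


@dataclass
class Service:
    guest: bool = False                 # service is a guest service
    guest_only: bool = False            # "guest only = yes"
    guest_account: str = "nobody"       # constructed "guest account =" value
    revalidate: bool = False            # "revalidate = yes"
    user: List[str] = field(default_factory=list)   # the "user =" list


@dataclass
class Client:
    password: str = ""
    username: Optional[str] = None      # sent with this request
    registered: Optional[str] = None    # registered earlier in the session
    netbios_name: str = ""
    previous_users: List[str] = field(default_factory=list)
    token_user: Optional[str] = None    # user behind a valid validation token


def expand(names):
    """Expand @group entries of a "user =" list, keeping left-to-right order."""
    out = []
    for name in names:
        out.extend(GROUPS.get(name[1:], []) if name.startswith("@") else [name])
    return out


def authorise(svc, cli):
    """Return (step, unix_user) for the first step that passes, else (None, None)."""
    if not svc.guest_only:              # "guest only = yes" skips steps 1 to 5
        if cli.username and check_password(cli.username, cli.password):
            return 1, cli.username
        if cli.registered and check_password(cli.registered, cli.password):
            return 2, cli.registered
        for name in [cli.netbios_name] + cli.previous_users:
            if name and check_password(name, cli.password):
                return 3, name
        if cli.token_user and not svc.revalidate:
            return 4, cli.token_user
        if cli.password:
            for name in expand(svc.user):   # first matching name wins
                if check_password(name, cli.password):
                    return 5, name
    if svc.guest:
        return 6, svc.guest_account
    return None, None


def demo():
    share = Service(user=["fred", "@staff"])
    public = Service(guest=True)
    return {
        "no username, shared password": authorise(share, Client(password="pear")),
        "explicit username": authorise(share, Client(username="jane", password="pear")),
        "bad password, ordinary service": authorise(share, Client(username="fred", password="x")),
        "bad password, guest service": authorise(public, Client(username="fred", password="x")),
        "token, revalidate = yes": authorise(Service(revalidate=True), Client(token_user="fred")),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

       In the first case the password alone selects "mary" even though
       "jane" uses the same one, and in the fourth a failed password
       check on a guest service still ends in a connection as the
       guest account.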

WWAARRNNIINNGGSS
       Although the configuration file permits service  names  to
       contain  spaces, your client software may not. Spaces will
       be ignored in comparisons anyway, so  it  shouldn't  be  a
       problem - but be aware of the possibility.

       On a similar note, many clients - especially DOS clients -
       limit service names to eight characters. Smbd has no  such
       limitation, but attempts to connect from such clients will
       fail if they truncate the service names.  For this  reason
       you  should probably keep your service names down to eight
       characters in length.

       Use of the [homes] and [printers] special sections makes life
       for an administrator easy, but the various combinations of
       default attributes can be tricky. Take extreme care when
       designing these sections. In particular, ensure that the
       permissions on spool directories are correct.

VVEERRSSIIOONN
       This  man  page  is (mostly) correct for version 1.9.00 of
       the Samba suite, plus some of the recent  patches  to  it.
       These notes will necessarily lag behind development of the
       software, so it is  possible  that  your  version  of  the
       server  has  extensions or parameter semantics that differ
       from or are not covered by this man  page.  Please  notify
       these to the address below for rectification.

       Prior to version 1.5.21 of the Samba suite, the configuration
       file was radically different (more primitive). If you are using
       a version earlier than 1.8.05, it is STRONGLY recommended that
       you upgrade.

OPTIONS
       Not applicable.

FILES
       Not applicable.

ENVIRONMENT VARIABLES
       Not applicable.

SEE ALSO
       smbd(8), smbclient(1), nmbd(8), testparm(1), testprns(1),
       lpq(1), hosts_access(5)

DIAGNOSTICS
       [This section under construction]

       Most diagnostics issued by the server are logged in a specified
       log file. The log file name is specified at compile time, but
       may be overridden on the smbd command line (see smbd(8)).

       The number and nature of diagnostics available depends  on
       the  debug level used by the server. If you have problems,
       set the debug level to 3 and peruse the log files.

       Most messages are reasonably self-explanatory. Unfortunately, at
       time of creation of this man page the source code is still too
       fluid to warrant describing each and every diagnostic. At this
       stage your best bet is still to grep the source code and inspect
       the conditions that gave rise to the diagnostics you are seeing.

BBUUGGSS
       None known.




smb.conf                     smb.conf                          58





SMB.CONF(5)                                           SMB.CONF(5)


       Please send bug reports, comments and so on to:

          ssaammbbaa--bbuuggss@@ssaammbbaa..aannuu..eedduu..aauu ((AAnnddrreeww TTrriiddggeellll))

             or to the mailing list:

          ssaammbbaa@@lliissttpprroocc..aannuu..eedduu..aauu

       You  may  also like to subscribe to the announcement chan
       nel:

          ssaammbbaa--aannnnoouunnccee@@lliissttpprroocc..aannuu..eedduu..aauu

       To subscribe to  these  lists  send  a  message  to  list
       proc@listproc.anu.edu.au  with  a body of "subscribe samba
       Your Name" or "subscribe samba-announce Your Name".

       Errors or suggestions for improvements to  the  Samba  man
       pages should be mailed to:

          ssaammbbaa--bbuuggss@@ssaammbbaa..aannuu..eedduu..aauu ((AAnnddrreeww TTrriiddggeellll))




































smb.conf                     smb.conf                          59


