smb.conf man page (Chinese translation)


NAME

smb.conf - the configuration file for the Samba suite

SYNOPSIS

smb.conf is the configuration file for the Samba suite; it contains the run-time configuration information for the Samba programs. smb.conf is designed to be configured and administered by the swat(8) program. This file contains, for reference, a complete description of the smb.conf file format and the options that may appear in it.

FILE FORMAT

The file consists of sections and parameters. A section begins with the section name in square brackets and continues until the next section begins. Sections contain parameters of the form:

name = value

The file is line-based: each newline-terminated line represents either a comment, a section name, or a parameter.

Section and parameter names are not case sensitive.

Only the first equals sign in a parameter is significant. Whitespace before or after the first equals sign is discarded. Leading, trailing and internal whitespace in section and parameter names is irrelevant. Leading and trailing whitespace in a parameter value is discarded. Internal whitespace within a parameter value is retained verbatim.

Any line beginning with a semicolon (';') or a hash ('#') character is ignored, as are lines containing only whitespace.

Following the usual UNIX convention, a line ending in a backslash ('\') is continued on the next line. (Translator's note: that is, '\' is the line-continuation character; if a line is too long, end it with '\' and carry on writing on the next line.)

The value following the equals sign is either a string (no quotes needed) or a boolean, which may be given as yes/no, 1/0, or true/false. Case is not significant in boolean values, but is preserved in string values. Some items such as create modes are numeric.
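The file-format rules above are small enough to implement and check directly. The following parser is an added example written for this page, not Samba's own parser: it applies each stated rule (section headers, first-equals splitting, whitespace handling, comment and blank lines, backslash continuation, boolean spellings) to a constructed sample file. Normalising names by lower-casing them and deleting their whitespace is this example's way of honouring the rule that case and whitespace in names are irrelevant.

```python
"""Parser for the smb.conf file-format rules given above (added example,
not Samba's own parser). Names are compared with case and all whitespace
removed, as the format says both are irrelevant in section and parameter
names."""


def normalise_name(name):
    """Section and parameter names: case-insensitive, whitespace ignored."""
    return "".join(name.split()).lower()


def parse_bool(value):
    """yes/no, 1/0 or true/false in any case; None if not a boolean."""
    v = value.strip().lower()
    if v in ("yes", "1", "true"):
        return True
    if v in ("no", "0", "false"):
        return False
    return None


def logical_lines(text):
    """Join physical lines: a line ending in a backslash continues on the
    next line (the usual UNIX convention mentioned above)."""
    pending = []
    for raw in text.splitlines():
        if raw.endswith("\\"):
            pending.append(raw[:-1])
            continue
        pending.append(raw)
        yield "".join(pending)
        pending = []
    if pending:                      # file ended on a continuation line
        yield "".join(pending)


def parse_smb_conf(text):
    """Return {section: {parameter: value}} following the stated rules:
    [name] opens a section; lines starting with ';' or '#' and blank lines
    are ignored; only the first '=' splits name from value; whitespace
    around the name and value is dropped, whitespace inside the value is
    kept verbatim."""
    sections = {}
    current = None
    for line in logical_lines(text):
        stripped = line.strip()
        if not stripped or stripped[0] in ";#":
            continue
        if stripped.startswith("[") and stripped.endswith("]"):
            current = normalise_name(stripped[1:-1])
            sections.setdefault(current, {})
            continue
        if current is None:
            raise ValueError("parameter before any section: %r" % line)
        if "=" not in stripped:
            raise ValueError("not a 'name = value' line: %r" % line)
        name, value = stripped.split("=", 1)
        sections[current][normalise_name(name)] = value.strip()
    return sections


# Constructed sample input that exercises each rule (not a real site's file).
SAMPLE = """\
; a comment line
# another comment
[Global]
   workgroup = MYGROUP
   server string = Samba Server = test box
   Read Only = NO

[foo]
  path = /home/bar
  read only = no
  valid users = alice   \\
                bob
"""

if __name__ == "__main__":
    for section, params in parse_smb_conf(SAMPLE).items():
        print("[%s]" % section)
        for name, value in params.items():
            print("    %s = %r (bool: %s)" % (name, value, parse_bool(value)))
```

Running the block shows the second equals sign surviving inside the server string value, the two spellings of read only collapsing to one key, and the continued valid users line being joined before it is split.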

SECTION DESCRIPTIONS

Each section in the configuration file (except for the [global] section) describes a shared resource (known as a "share"). The section name is the name of the shared resource, and the parameters within the section define the share's attributes.

There are three special sections, [global], [homes] and [printers], which are described under 'special sections' below. The following notes apply to ordinary sections.

A share consists of a directory to which access is being given plus a description of the access rights which are granted to the user of the service. Some housekeeping options are also specifiable.

Each section defines either a file service (the client sees it as an extension of its local file system) or a print service (the client uses it to access print services on the host running the server).

Sections may be designated guest services, in which case no password is required to access them. A specified UNIX guest account is used to define access privileges in this case.

Sections other than guest services require a password to access them. The client provides the username. Because older clients only provide passwords and not usernames, you may specify a list of usernames to check against the password using the "user =" option in the share definition. For modern clients such as Windows 95/98 and Windows NT this should not be necessary.

Note that the access rights granted by the server are masked by the access rights granted to the specified or guest UNIX user by the host system. The server does not grant more access than the host system grants.

The following sample section defines a file space share. The user has write access to the path /home/bar. The share is accessed via the share name "foo":

[foo]
        path = /home/bar
        read only = no

The following sample section defines a printable share. The share is read-only, but printable. That is, the only write access permitted is via calls to open, write to and close a spool file. The guest ok parameter means access as the default guest user (specified elsewhere) is permitted:

[aprinter]
        path = /usr/spool/public
        read only = yes
        printable = yes
        guest ok = yes

SPECIAL SECTIONS

The [global] section

Parameters in this section apply to the server as a whole, or are defaults for sections that do not specifically define certain items. See the notes under PARAMETERS for more information.

The [homes] section

If a section called 'homes' is included in the configuration file, services connecting clients to their home directories can be created on the fly by the server.

When the connection request is made, the existing sections are scanned. If a match is found, it is used. If no match is found, the requested section name is treated as a username and looked up in the local password file. If the name exists and the correct password has been given, a share is created by cloning the [homes] section.

Some modifications are then made to the newly created share:

The share name is changed from 'homes' to the located username.
If no path was given, the path is set to the user's home directory.

If you decide to use a path = line in your [homes] section, the %S macro may be useful. For example:

path = /data/pchome/%S

is useful if you have different home directories for your PCs than for your UNIX accounts.

This is a fast and simple way to give a large number of clients access to their home directories with a minimum of fuss.

A similar process occurs if the requested section name is 'homes', except that the share name is not changed to that of the requesting user. This method of using the [homes] section is useful when different users share a client PC.

The [homes] section can specify all the parameters a normal service section can specify, though some make more sense than others. The following is a typical and suitable [homes] section:

[homes]
        read only = no

An important point is that if guest access is specified in the [homes] section, all home directories will be visible to all clients without a password. In the very unlikely event that this is actually desirable, it is wise to also specify read only access.

Note that the browseable flag for auto home directories is inherited from the global browseable flag, not the [homes] browseable flag. This is useful because it means setting browseable = no in the [homes] section will hide the [homes] share but make any auto home directories visible.

The [printers] section

This section works like [homes], but for printers.

If a [printers] section occurs in the configuration file, users are able to connect to any printer specified in the local host's printcap file.

When a connection request is made, the existing sections are scanned. If a match is found, it is used. If no match is found, but a [homes] section exists, it is used as described above. Otherwise, the requested section name is treated as a printer name and the appropriate printcap file is scanned to see if the requested section name is a valid printer share name. If a match is found, a new printer share is created by cloning the [printers] section.

A few modifications are then made to the newly created share:

The share name is set to the located printer name.
If no printer name was given, the printer name is set to the located printer name.
If the share does not permit guest access and no username was given, the username is set to the located printer name.

Note that the [printers] service MUST be printable; if you specify otherwise, the server will refuse to load the configuration file.

Typically the path specified is that of a world-writeable spool directory with the sticky bit set on it. A typical [printers] entry looks like this:

[printers]
        path = /usr/spool/public
        guest ok = yes
        printable = yes

All aliases given for a printer in the printcap file are legitimate printer names as far as the server is concerned. If your printing subsystem doesn't work like that, you will have to set up a pseudo-printcap. This is a file consisting of one or more lines like this:

alias|alias|alias|alias...

Each alias should be an acceptable printer name for your printing subsystem. In the [global] section, specify the new file as your printcap. The server will only recognize names found in your pseudo-printcap, which of course can contain whatever aliases you like. The same technique could be used simply to limit access to a subset of your local printers.

An alias, by the way, is defined as any component of the first entry of a printcap record. Records are separated by newlines, and components (if there are more than one) are separated by vertical bar symbols ('|').

Note

On SYSV systems which use lpstat to determine what printers are defined on the system, you may be able to use "printcap name = lpstat" to automatically obtain a list of printers. See the "printcap name" option for more details.
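The lookup order just described for [homes] and [printers] (explicit section first, then the password file, then printcap), together with the adjustments made to the cloned share, is shown here as an added example. It is not Samba's code: the password file and printcap are replaced by constructed in-memory tables, and the password check that precedes cloning [homes] is left to the caller, so the function only shows which section a request resolves to and what the cloned share ends up containing.

```python
"""Share-name resolution against explicit sections, [homes] and [printers],
as described in SPECIAL SECTIONS (added example; not Samba's code). The
password file and printcap are replaced by constructed in-memory tables,
and the password check that precedes cloning [homes] is left to the
caller."""


def truthy(value):
    return str(value).strip().lower() in ("yes", "true", "1")


def printcap_names(printcap_text):
    """All components of the first entry of each printcap record are valid
    printer names. Records are newline-separated, entries ':'-separated,
    components of the first entry '|'-separated."""
    names = set()
    for record in printcap_text.splitlines():
        if record.strip():
            names.update(a.strip() for a in record.split(":")[0].split("|"))
    return names


def validate_printers_section(config):
    """[printers] must be printable or the server refuses to load the file."""
    if "printers" in config and not truthy(config["printers"].get("printable", "no")):
        raise ValueError("[printers] section is not printable")


def resolve_share(config, requested, passwd, printcap_text):
    """Return (share_name, parameters) for a connection request, or None.
    config: {section: {parameter: value}} with lower-case names;
    passwd: {username: home_directory} standing in for the password file."""
    validate_printers_section(config)
    name = requested.lower()
    # 1. An explicitly defined section (including 'homes' or 'printers'
    #    themselves, whose names are then left unchanged) wins.
    if name in config and name != "global":
        return name, dict(config[name])
    # 2. [homes]: treat the request as a username; clone [homes], default the
    #    path to the home directory, and take browseable from [global].
    if "homes" in config and requested in passwd:
        share = dict(config["homes"])
        share.setdefault("path", passwd[requested])
        share["browseable"] = config.get("global", {}).get("browseable", "yes")
        return name, share
    # 3. [printers]: treat the request as a printer name from printcap.
    if "printers" in config and requested in printcap_names(printcap_text):
        share = dict(config["printers"])
        share.setdefault("printer name", requested)
        if not truthy(share.get("guest ok", "no")) and "user" not in share:
            share["user"] = requested
        return name, share
    return None


# Constructed sample configuration and lookup tables.
CONFIG = {
    "global": {"workgroup": "MYGROUP", "browseable": "yes"},
    "public": {"path": "/srv/public", "read only": "yes"},
    "homes": {"read only": "no", "browseable": "no"},
    "printers": {"path": "/usr/spool/public", "guest ok": "yes", "printable": "yes"},
}
PASSWD = {"john": "/home/john", "mary": "/home/mary"}
PRINTCAP = "lp|laser|hplj:sd=/var/spool/lp\nps|apple:sd=/var/spool/ps\n"

if __name__ == "__main__":
    for request in ("public", "john", "homes", "laser", "nosuch"):
        print(request, "->", resolve_share(CONFIG, request, PASSWD, PRINTCAP))
```

Note how a request for "john" gets browseable = yes from [global] even though [homes] says no, which is the inheritance rule stated above, and how a [printers] section that is not printable is rejected before any lookup is attempted.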

PARAMETERS

Parameters define the specific attributes of sections.

Some parameters are specific to the [global] section (e.g., security). Some parameters are usable in all sections (e.g., create mode). All others are permissible only in normal sections. For the purposes of the following descriptions the [homes] and [printers] sections will be considered normal. The letter G in parentheses indicates that a parameter is specific to the [global] section. The letter S indicates that a parameter can be specified in a service specific section. Note that all S parameters can also be specified in the [global] section, in which case they will define the default behavior for all services.

Parameters are arranged here in alphabetical order; this may not create best bedfellows, but at least you can find them! Where there are synonyms, the preferred synonym is described, with the other synonyms referring to the preferred one.

VARIABLE SUBSTITUTIONS

Many of the strings that are settable in the config file can take substitutions. For example, the option "path = /tmp/%u" is interpreted as "path = /tmp/john" if the user connected with the username john.

These substitutions are mostly noted in the descriptions below, but there are some general substitutions which apply whenever they might be relevant. These are:

%U
session username (the username that the client wanted, not necessarily the same as the one they got).
%G
primary group name of %U.
%h
the Internet hostname that Samba is running on.
%m
the NetBIOS name of the client machine (very useful).
%L
the NetBIOS name of the server. This allows you to change your config based on what the client calls you. Your server can have a "dual personality".

Note that this parameter is not available when Samba listens on port 445, as clients no longer send this information.

%M
the Internet name of the client machine.
%R
the selected protocol level after protocol negotiation. It can be one of CORE, COREPLUS, LANMAN1, LANMAN2 or NT1.
%d
the process id of the current server process.
%a
the architecture of the remote machine. Only some are recognized, and those may not be 100% reliable. It currently recognizes Samba, WfWg, WinNT and Win95. Anything else will be known as "UNKNOWN". If it gets it wrong then sending a level 3 log to samba-bugs@samba.org should allow it to be fixed.
%I
the IP address of the client machine.
%T
the current date and time.
%D
name of the domain or workgroup of the current user.
%$(envvar)
the value of the environment variable envvar.

The following substitutes apply only to some configuration options (only those that are used when a connection has been established):

%S
the name of the current service, if any.
%P
the root directory of the current service, if any.
%u
username of the current service, if any.
%g
primary group name of %u.
%H
the home directory of the user given by %u.
%N
the name of your NIS home directory server. This is obtained from your NIS auto.map entry. If you have not compiled Samba with the --with-automount option, this value will be the same as %L.
%p
the path of the service's home directory, obtained from your NIS auto.map entry. The NIS auto.map entry is split up as "%N:%p".

There are some quite creative things that can be done with these substitutions and other smb.conf options.
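To make the two groups of macros concrete, here is an added example (not Samba's implementation) that expands the macros listed above over a template string. It keeps the distinction the text draws: the general macros are always available, the connection-time macros (%S, %P, %u, %g, %H, %N, %p) are expanded only once a connection exists, %$(envvar) reads the environment, and anything that is not a documented macro is left untouched. The session context values are constructed for the demonstration.

```python
"""%-macro expansion as described under VARIABLE SUBSTITUTIONS (added
example; not Samba's implementation). The general macros are always
expanded; the connection-only ones (%S %P %u %g %H %N %p) are expanded
only once a connection exists; %$(envvar) reads the environment; anything
unrecognised is left in place."""
import os
import re

GENERAL = set("UGhmLMRdaITD")
CONNECTION_ONLY = set("SPugHNp")

# %x for a single letter, or %$(NAME) for an environment variable
_MACRO = re.compile(r"%(?:\$\((?P<env>[A-Za-z_][A-Za-z0-9_]*)\)|(?P<letter>[A-Za-z]))")


def substitute(template, ctx, connected=False, env=None):
    """ctx maps macro letters to their values for this session/connection,
    e.g. {"U": "john", "m": "WS01"}; env defaults to os.environ."""
    env = os.environ if env is None else env

    def repl(match):
        if match.group("env") is not None:
            return env.get(match.group("env"), "")
        letter = match.group("letter")
        if letter in CONNECTION_ONLY and not connected:
            return match.group(0)          # no connection yet: leave it
        if letter in GENERAL or letter in CONNECTION_ONLY:
            return ctx.get(letter, match.group(0))
        return match.group(0)              # not a documented macro
    return _MACRO.sub(repl, template)


# Constructed session context: what the client asked for and where from.
SESSION = {"U": "john", "G": "users", "m": "WS01", "L": "FILESRV", "I": "192.0.2.10"}
CONNECTION = dict(SESSION, S="john", u="john", g="users", H="/home/john", P="/home/john")

if __name__ == "__main__":
    print(substitute("path = /tmp/%u", SESSION))                    # not connected yet
    print(substitute("path = /tmp/%u", CONNECTION, connected=True))
    print(substitute("log file = /var/log/samba/log.%m", SESSION))
    print(substitute("include = /etc/samba/smb.conf.%L", SESSION))
```

Because %U is documented as the name the client asked for and %m as the name the client announces, any path built from them is built from client-supplied input; the example keeps those values in the context dictionary so that origin is visible.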

NAME MANGLING

Samba supports "name mangling" so that DOS and Windows clients can use files that don't conform to the 8.3 format. It can also be set to adjust the case of 8.3 format filenames.

There are several options that control the way mangling is performed, and they are grouped here rather than listed separately. For the defaults look at the output of the testparm program.

All of these options can be set separately for each service (or globally, of course).

The options are:

mangle case = yes/no
controls if names that have characters that aren't of the "default" case are mangled. For example, if this is yes then a name like "Mail" would be mangled. Default no.
case sensitive = yes/no
controls whether filenames are case sensitive. If they aren't then Samba must do a filename search and match on passed names. Default no.
default case = upper/lower
controls what the default case is for new filenames. Default lower.
preserve case = yes/no
controls if new files are created with the case that the client passes, or if they are forced to be the "default" case. Default yes.
short preserve case = yes/no
controls if new files which conform to 8.3 syntax, that is all in upper case and of suitable length, are created upper case, or if they are forced to be the "default" case. This option can be used with "preserve case = yes" to permit long filenames to retain their case, while short names are lowered. Default yes.

By default, Samba 3.0 has the same semantics as a Windows NT server, in that it is case insensitive but case preserving.
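The interaction of case sensitive, default case, preserve case and short preserve case is easiest to see in code. The block below is an added example written for this page, not Samba's implementation: one function decides the case in which a newly created file is stored, the other shows the search-and-match that case sensitive = no forces the server to do. The mangling of non-8.3 names into short aliases (mangle case) is not modelled, and the 8.3 test is a simplified one.

```python
"""Case handling for new and existing file names under the NAME MANGLING
options (added example; not Samba's code). Covers case sensitive, default
case, preserve case and short preserve case; the mangling of non-8.3 names
into 8.3 aliases (mangle case) is not modelled here."""


def truthy(value):
    return str(value).strip().lower() in ("yes", "true", "1")


def is_8_3(name):
    """8.3 syntax: 1-8 characters, optionally '.' plus 0-3 characters,
    no spaces and at most one dot (simplified check)."""
    if not name or " " in name or name.count(".") > 1:
        return False
    base, _, ext = name.partition(".")
    return 1 <= len(base) <= 8 and len(ext) <= 3


def stored_name(client_name, opts):
    """Case in which a file created with client_name is stored."""
    default_case = opts.get("default case", "lower").strip().lower()
    force = str.upper if default_case == "upper" else str.lower
    if is_8_3(client_name) and client_name == client_name.upper():
        # all-upper-case 8.3 name: short preserve case decides
        keep = truthy(opts.get("short preserve case", "yes"))
    else:
        keep = truthy(opts.get("preserve case", "yes"))
    return client_name if keep else force(client_name)


def lookup(client_name, existing, opts):
    """Match a name passed by the client against the names on disk. With
    case sensitive = no the server must search and match ignoring case."""
    if truthy(opts.get("case sensitive", "no")):
        return client_name if client_name in existing else None
    wanted = client_name.lower()
    for name in existing:
        if name.lower() == wanted:
            return name
    return None


if __name__ == "__main__":
    # Samba 3.0 defaults: case insensitive but case preserving
    print(stored_name("README.TXT", {}), stored_name("MyNotes.txt", {}))
    # preserve long names, lower-case short ones
    print(stored_name("README.TXT", {"short preserve case": "no"}))
    print(lookup("readme.txt", ["README.TXT", "Other.doc"], {}))
```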

NOTE ABOUT USERNAME/PASSWORD VALIDATION

There are a number of ways in which a user can connect to a service. The server uses the following steps in determining if it will allow a connection to a specified service. If all the steps fail, the connection request is rejected. However, if one of the steps succeeds, the following steps are not checked.

If the service is marked guest only = yes and the server is running with share-level security (security = share), steps 1 to 5 are skipped.

Step 1:
If the client has passed a username/password pair and that username/password pair is validated by the UNIX system's password programs, the connection is made as that username. Note that this includes the \\server\service%username method of passing a username.
Step 2:
If the client has previously registered a username with the system and now supplies a correct password for that username, the connection is allowed.
Step 3:
The client's NetBIOS name and any previously used usernames are checked against the supplied password. If they match, the connection is allowed as the corresponding user.
Step 4:
If the client has previously validated a username/password pair with the server and the client has passed the validation token, that username is used.
Step 5:
If a "user =" field is given in the smb.conf file for the service and the client has supplied a password, and that password matches (according to the UNIX system's password checking) one of the usernames from the "user =" field, the connection is made as the username in the "user =" line. If one of the usernames in the "user =" list begins with a '@', that name expands to a list of names in the group of the same name.
Step 6:
If the service is a guest service, a connection is made as the username given in the "guest account =" for the service, irrespective of the supplied password.

COMPLETE LIST OF GLOBAL PARAMETERS

Here is a list of all global parameters. See the section of each parameter for details. Note that some parameters are synonyms.

* abort shutdown script
* add group script
* add machine script
* addprinter command
* add share command
* add user script
* add user to group script
* afs username map
* algorithmic rid base
* allow trusted domains
* announce as
* announce version
* auth methods
* auto services
* bind interfaces only
* browse list
* change notify timeout
* change share command
* client lanman auth
* client ntlmv2 auth
* client plaintext auth
* client schannel
* client signing
* client use spnego
* config file
* deadtime
* debug hires timestamp
* debuglevel
* debug pid
* debug timestamp
* debug uid
* default
* default service
* delete group script
* deleteprinter command
* delete share command
* delete user from group script
* delete user script
* dfree command
* disable netbios
* disable spoolss
* display charset
* dns proxy
* domain logons
* domain master
* dos charset
* enable rid algorithm
* encrypt passwords
* enhanced browsing
* enumports command
* get quota command
* getwd cache
* guest account
* hide local users
* homedir map
* host msdfs
* hostname lookups
* hosts equiv
* idmap backend
* idmap gid
* idmap uid
* include
* interfaces
* keepalive
* kernel change notify
* kernel oplocks
* lanman auth
* large readwrite
* ldap admin dn
* ldap delete dn
* ldap filter
* ldap group suffix
* ldap idmap suffix
* ldap machine suffix
* ldap passwd sync
* ldap port
* ldap server
* ldap ssl
* ldap suffix
* ldap user suffix
* lm announce
* lm interval
* load printers
* local master
* lock dir
* lock directory
* lock spin count
* lock spin time
* log file
* log level
* logon drive
* logon home
* logon path
* logon script
* lpq cache time
* machine password timeout
* mangled stack
* mangle prefix
* mangling method
* map to guest
* max disk size
* max log size
* max mux
* max open files
* max protocol
* max smbd processes
* max ttl
* max wins ttl
* max xmit
* message command
* min passwd length
* min password length
* min protocol
* min wins ttl
* name cache timeout
* name resolve order
* netbios aliases
* netbios name
* netbios scope
* nis homedir
* ntlm auth
* nt pipe support
* nt status support
* null passwords
* obey pam restrictions
* oplock break wait time
* os2 driver map
* os level
* pam password change
* panic action
* paranoid server security
* passdb backend
* passwd chat
* passwd chat debug
* passwd program
* password level
* password server
* pid directory
* prefered master
* preferred master
* preload
* preload modules
* printcap
* private dir
* protocol
* read bmpx
* read raw
* read size
* realm
* remote announce
* remote browse sync
* restrict anonymous
* root
* root dir
* root directory
* security
* server schannel
* server signing
* server string
* set primary group script
* set quota command
* show add printer wizard
* shutdown script
* smb passwd file
* smb ports
* socket address
* socket options
* source environment
* stat cache
* syslog
* syslog only
* template homedir
* template primary group
* template shell
* time offset
* time server
* timestamp logs
* unicode
* unix charset
* unix extensions
* unix password sync
* update encrypted
* use mmap
* username level
* username map
* use spnego
* utmp
* utmp directory
* winbind cache time
* winbind enable local accounts
* winbind enum groups
* winbind enum users
* winbind gid
* winbind separator
* winbind trusted domains only
* winbind uid
* winbind use default domain
* wins hook
* wins partners
* wins proxy
* wins server
* wins support
* workgroup
* write raw
* wtmp directory

COMPLETE LIST OF SERVICE PARAMETERS

Here is a list of all service parameters. See the section of each parameter for details. Note that some parameters are synonyms.

* acl compatibility
* admin users
* afs share
* allow hosts
* available
* blocking locks
* block size
* browsable
* browseable
* case sensitive
* casesignames
* comment
* copy
* create mask
* create mode
* csc policy
* default case
* default devmode
* delete readonly
* delete veto files
* deny hosts
* directory
* directory mask
* directory mode
* directory security mask
* dont descend
* dos filemode
* dos filetime resolution
* dos filetimes
* exec
* fake directory create times
* fake oplocks
* follow symlinks
* force create mode
* force directory mode
* force directory security mode
* force group
* force security mode
* force user
* fstype
* group
* guest account
* guest ok
* guest only
* hide dot files
* hide files
* hide special files
* hide unreadable
* hide unwriteable files
* hosts allow
* hosts deny
* inherit acls
* inherit permissions
* invalid users
* level2 oplocks
* locking
* lppause command
* lpq command
* lpresume command
* lprm command
* magic output
* magic script
* mangle case
* mangled map
* mangled names
* mangling char
* map acl inherit
* map archive
* map hidden
* map system
* max connections
* max print jobs
* max reported print jobs
* min print space
* msdfs proxy
* msdfs root
* nt acl support
* only guest
* only user
* oplock contention limit
* oplocks
* path
* posix locking
* postexec
* preexec
* preexec close
* preserve case
* printable
* printcap name
* print command
* printer
* printer admin
* printer name
* printing
* print ok
* profile acls
* public
* queuepause command
* queueresume command
* read list
* read only
* root postexec
* root preexec
* root preexec close
* security mask
* set directory
* share modes
* short preserve case
* strict allocate
* strict locking
* strict sync
* sync always
* use client driver
* user
* username
* users
* use sendfile
* -valid
* valid users
* veto files
* veto oplock files
* vfs object
* vfs objects
* volume
* wide links
* writable
* writeable
* write cache size
* write list
* write ok

EXPLANATION OF EACH PARAMETER

abort shutdown script (G)
This parameter only exists in the HEAD CVS branch. This is the full path name to a script called by smbd(8) that should stop a shutdown procedure issued by the shutdown script.

This command will be run as user.

Default: None.

Example: abort shutdown script = /sbin/shutdown -c

acl compatibility (S)
This parameter specifies what OS ACL semantics should be compatible with. Possible values are winnt for Windows NT 4, win2k for Windows 2000 and above and auto. If you specify auto, the value for this parameter will be based upon the version of the client. There should be no reason to change this parameter from the default.

Default: acl compatibility = Auto

Example: acl compatibility = win2k

add group script (G)
This is the full pathname to a script that will be run AS ROOT by smbd(8) when a new group is requested. It will expand any %g to the group name passed. This script is only useful for installations using the Windows NT domain administration tools. The script is free to create a group with an arbitrary name to circumvent UNIX group name restrictions. In that case the script must print the numeric gid of the created group on stdout.

add machine script (G)
This is the full pathname to a script that will be run by smbd(8) when a machine is added to its domain using the administrator username and password method.

This option is only required when using sam back-ends tied to the Unix uid method of RID calculation such as smbpasswd. This option is only available in Samba 3.0.

Default: add machine script = <empty string>

Example: add machine script = /usr/sbin/adduser -n -g machines -c Machine -d /dev/null -s /bin/false %u

addprinter command (G)
With the introduction of MS-RPC based printing support for Windows NT/2000 clients in Samba 2.2, the MS Add Printer Wizard (APW) icon is now also available in the "Printers..." folder displayed in a share listing. The APW allows printers to be added remotely to a Samba or Windows NT/2000 print server.

For a Samba host this means that the printer must be physically added to the underlying printing system. The add printer command defines a script to be run which will perform the necessary operations for adding the printer to the print system and to add the appropriate service definition to the smb.conf file in order that it can be shared by smbd(8).

The addprinter command is automatically invoked with the following parameters (in order):

printer name

share name

port name

driver name

location

Windows 9x driver location

All parameters are filled in from the PRINTER_INFO_2 structure sent by the Windows NT/2000 client with one exception. The "Windows 9x driver location" parameter is included for backwards compatibility only. The remaining fields in the structure are generated from answers to the APW questions.

Once the addprinter command has been executed, smbd will reparse the smb.conf to determine if the share defined by the APW exists. If the sharename is still invalid, then smbd will return an ACCESS_DENIED error to the client.

The "add printer command" program can output a single line of text, which Samba will set as the port the new printer is connected to. If this line isn't output, Samba won't reload its printer shares.

See also: deleteprinter command, printing, show add printer wizard

Default: none

Example: addprinter command = /usr/bin/addprinter

add share command (G)
Samba 2.2.0 introduced the ability to dynamically add and delete shares via the Windows NT 4.0 Server Manager. The add share command is used to define an external program or script which will add a new service definition to smb.conf. In order to successfully execute the add share command, smbd requires that the administrator be connected using a root account (i.e. uid == 0).

When executed, smbd will automatically invoke the add share command with four parameters.

configFile - the location of the global smb.conf file.

shareName - the name of the new share.

pathName - path to an **existing** directory on disk.

comment - comment string to associate with the new share.

This parameter is only used for adding file shares. To add printer shares, see the addprinter command.

See also: change share command, delete share command.

Default: none

Example: add share command = /usr/local/bin/addshare

add user script (G)
This is the full pathname to a script that will be run AS ROOT by smbd(8) under special circumstances described below.

Normally, a Samba server requires that UNIX users are created for all users accessing files on this server. For sites that use Windows NT account databases as their primary user database, creating these users and keeping the user list in sync with the Windows NT PDC is an onerous task. This option allows smbd to create the required UNIX users ON DEMAND when a user accesses the Samba server.

In order to use this option, smbd must be set to security = server or security = domain, and add user script must be set to the full pathname of a script that will create a UNIX user given one argument of %u, which expands into the UNIX user name to create.

When the Windows user attempts to access the Samba server, at login (session setup in the SMB protocol) time, smbd contacts the password server and attempts to authenticate the given user with the given password. If the authentication succeeds then smbd attempts to find a UNIX user in the UNIX password database to map the Windows user onto. If this lookup fails, and add user script is set, then smbd will call the specified script AS ROOT, expanding any %u argument to be the user name to create.

If this script successfully creates the user then smbd will continue on as though the UNIX user already existed. In this way, UNIX users are dynamically created to match existing Windows NT accounts.

See also: security, password server, delete user script.

Default: add user script = <empty string>

Example: add user script = /usr/local/samba/bin/add_user %u

add user to group script (G)
Full path to the script that will be called when a user is added to a group using the Windows NT domain administration tools. It will be run by smbd(8) AS ROOT. Any %g will be replaced with the group name and any %u will be replaced with the user name.

Default: add user to group script =

Example: add user to group script = /usr/sbin/adduser %u %g

admin users (S)
This is a list of users who will be granted administrative privileges on the share. This means that they will do all file operations as the super-user (root).

You should use this option very carefully, as any user in this list will be able to do anything they like on the share, irrespective of file permissions.

Default: no admin users

Example: admin users = jason

afs share (S)
This parameter controls whether special AFS features are enabled for this share. If enabled, it assumes that the directory exported via the path parameter is a local AFS import. The special AFS features include the attempt to hand-craft an AFS token if you enabled --with-fake-kaserver in configure.

Default: afs share = no

Example: afs share = yes

afs username map (G)
If you are using the fake kaserver AFS feature, you might want to hand-craft the usernames you are creating tokens for. For example this is necessary if you have users from several domains in your AFS Protection Database. One possible scheme is to code users as DOMAIN+User, as is done by winbind with the + as a separator.

The mapped user name must contain the cell name to log into, so without setting this parameter there will be no token.

Default: none

Example: afs username map = %u@afs.samba.org

algorithmic rid base (G)
This determines how Samba will use its algorithmic mapping from uids/gid to the RIDs needed to construct NT Security Identifiers.

Setting this option to a larger value could be useful to sites transitioning from WinNT and Win2k, as existing user and group rids would otherwise clash with system users etc.

All UIDs and GIDs must be able to be resolved into SIDs for the correct operation of ACLs on the server. As such the algorithmic mapping can't be 'turned off', but pushing it 'out of the way' should resolve the issues. Users and groups can then be assigned 'low' RIDs in arbitrary-rid supporting backends.

Default: algorithmic rid base = 1000

Example: algorithmic rid base = 100000

allow hosts (S)
Synonym for hosts allow.

allow trusted domains (G)
This option only takes effect when the security option is set to server or domain. If it is set to no, then attempts to connect to a resource from a domain or workgroup other than the one which smbd is running in will fail, even if that domain is trusted by the remote server doing the authentication.

This is useful if you only want your Samba server to serve resources to users in the domain it is a member of. As an example, suppose that there are two domains DOMA and DOMB. DOMB is trusted by DOMA, which contains the Samba server. Under normal circumstances, a user with an account in DOMB can then access the resources of a UNIX account with the same account name on the Samba server even if they do not have an account in DOMA. This can make implementing a security boundary difficult.

Default: allow trusted domains = yes

announce as (G)
This specifies what type of server nmbd(8) will announce itself as to a network neighborhood browse list. By default this is set to Windows NT. The valid options are: "NT Server" (which can also be written as "NT"), "NT Workstation", "Win95" or "WfW", meaning Windows NT Server, Windows NT Workstation, Windows 95 and Windows for Workgroups respectively. Do not change this parameter unless you have a specific need to stop Samba appearing as an NT server, as this may prevent Samba servers from participating as browser servers correctly.

Default: announce as = NT Server

Example: announce as = Win95

announce version (G)
This specifies the major and minor version numbers that nmbd will use when announcing itself as a server. The default is 4.9. Do not change this parameter unless you have a specific need to set a Samba server to be a downlevel server.

Default: announce version = 4.9

Example: announce version = 2.0

auth methods (G)
This option allows the administrator to choose what authentication methods smbd will use when authenticating a user. This option defaults to sensible values based on security. This should be considered a developer option and used only in rare circumstances. In the majority (if not all) of production servers, the default setting should be adequate.

Each entry in the list attempts to authenticate the user in turn, until the user authenticates. In practice only one method will ever actually be able to complete the authentication.

Possible options include guest (anonymous access), sam (lookups in local list of accounts based on netbios name or domain name), winbind (relay authentication requests for remote users through winbindd), ntdomain (pre-winbindd method of authentication for remote domain users; deprecated in favour of winbind method), trustdomain (authenticate trusted users by contacting the remote DC directly from smbd; deprecated in favour of winbind method).

Default: auth methods = <empty string>

Example: auth methods = guest sam winbind

auto services (G)
Synonym for preload.

available (S)
This parameter lets you "turn off" a service. If available = no, then ALL attempts to connect to the service will fail. Such failures are logged.

Default: available = yes

bind interfaces only (G)
This global parameter allows the Samba admin to limit what interfaces on a machine will serve SMB requests. It affects file service smbd(8) and name service nmbd(8) in slightly different ways.

For name service it causes nmbd to bind to ports 137 and 138 on the interfaces listed in the interfaces parameter. nmbd also binds to the "all addresses" interface (0.0.0.0) on ports 137 and 138 for the purposes of reading broadcast messages. If this option is not set then nmbd will service name requests on all of these sockets. If bind interfaces only is set then nmbd will check the source address of any packets coming in on the broadcast sockets and discard any that don't match the broadcast addresses of the interfaces in the interfaces parameter list. As unicast packets are received on the other sockets it allows nmbd to refuse to serve names to machines that send packets that arrive through any interfaces not listed in the interfaces list. IP source address spoofing does defeat this simple check, however, so it must not be relied on as a security feature for nmbd.

For file service it causes smbd(8) to bind only to the interface list given in the interfaces parameter. This restricts the networks that smbd will serve to packets coming in on those interfaces. Note that you should not use this parameter for machines that are serving PPP or other intermittent or non-broadcast network interfaces, as it will not cope with non-permanent interfaces.

If bind interfaces only is set, then unless the network address 127.0.0.1 is added to the interfaces parameter list, smbpasswd(8) and swat(8) may not work as expected, for the reasons covered below.

To change a user's SMB password, smbpasswd by default connects to the localhost address 127.0.0.1 as an SMB client to issue the password change request. If bind interfaces only is set then, unless the network address 127.0.0.1 is added to the interfaces parameter list, smbpasswd will fail to connect in its default mode. smbpasswd can be forced to use the primary IP interface of the local host by using its -r remote machine parameter, with remote machine set to the IP name of the primary interface of the local host.

The swat status page tries to connect with smbd and nmbd at the address 127.0.0.1 to determine if they are running. Not adding 127.0.0.1 will cause smbd and nmbd to always show "not running" even if they really are. This can prevent swat from starting/stopping/restarting smbd and nmbd.

Default: bind interfaces only = no

blocking locks (S)
This parameter controls the behavior of smbd(8) when given a request by a client to obtain a byte range lock on a region of an open file, and the request has a time limit associated with it.

If this parameter is set and the lock range requested cannot be immediately satisfied, samba will internally queue the lock request, and periodically attempt to obtain the lock until the timeout period expires.

If this parameter is set to no, then samba will behave as previous versions of Samba would and will fail the lock request immediately if the lock range cannot be obtained.

Default: blocking locks = yes

block size (S)
This parameter controls the behavior of smbd(8) when reporting disk free sizes. By default, this reports a disk block size of 1024 bytes.

Changing this parameter may have some effect on the efficiency of client writes, this is not yet confirmed. This parameter was added to allow advanced administrators to change it (usually to a higher value) and test the effect it has on client write performance without re-compiling the code. As this is an experimental option it may be removed in a future release.

Changing this option does not change the disk free reporting size, just the block size unit reported to the client.

browsable (S)
Synonym for browseable.

browseable (S)
This controls whether this share is seen in the list of available shares in a net view and in the browse list.

Default: browseable = yes

browse list (G)
This controls whether smbd(8) will serve a browse list to a client doing a NetServerEnum call. Normally set to yes. You should never need to change this.

Default: browse list = yes

case sensitive (S)
See the discussion in the section NAME MANGLING.

Default: case sensitive = no

casesignames (S)
Synonym for case sensitive.

change notify timeout (G)
This SMB allows a client to tell a server to "watch" a particular directory for any changes and only reply to the SMB request when a change has occurred. Such constant scanning of a directory is expensive under UNIX, hence an smbd(8) daemon only performs such a scan on each requested directory once every change notify timeout seconds.

Default: change notify timeout = 60

Example: change notify timeout = 300

Would change the scan time to every 5 minutes.

change share command (G)
Samba 2.2.0 introduced the ability to dynamically add and delete shares via the Windows NT 4.0 Server Manager. The change share command is used to define an external program or script which will modify an existing service definition in smb.conf. In order to successfully execute the change share command, smbd requires that the administrator be connected using a root account (i.e. uid == 0).

When executed, smbd will automatically invoke the change share command with four parameters.

configFile - the location of the global smb.conf file.

shareName - the name of the new share.

pathName - path to an **existing** directory on disk.

comment - comment string to associate with the new share.

This parameter is only used to modify existing file share definitions. To modify printer shares, use the "Printers..." folder as seen when browsing the Samba host.

See also: add share command, delete share command.

Default: none

Example: change share command = /usr/local/bin/addshare

client lanman auth (G)
This parameter determines whether or not smbclient(8) and other samba client tools will attempt to authenticate themselves to servers using the weaker LANMAN password hash. If disabled, only servers which support NT password hashes (e.g. Windows NT/2000, Samba, etc... but not Windows 95/98) will be able to be connected to from the Samba client.

The LANMAN encrypted response is easily broken, due to its case-insensitive nature, and the choice of algorithm. Clients without Windows 95/98 servers are advised to disable this option.

Disabling this option will also disable the client plaintext auth option.

Likewise, if the client ntlmv2 auth parameter is enabled, then only NTLMv2 logins will be attempted. Not all servers support NTLMv2, and most will require special configuration to use it.

Default: client lanman auth = yes

client ntlmv2 auth (G)
This parameter determines whether or not smbclient(8) will attempt to authenticate itself to servers using the NTLMv2 encrypted password response.

If enabled, only an NTLMv2 and LMv2 response (both much more secure than earlier versions) will be sent. Many servers (including NT4 < SP4, Win9x and Samba 2.2) are not compatible with NTLMv2.

Similarly, if enabled, NTLMv1, client lanman auth and client plaintext auth authentication will be disabled. This also disables share-level authentication.

If disabled, an NTLM response (and possibly a LANMAN response) will be sent by the client, depending on the value of client lanman auth.

Note that some sites (particularly those following 'best practice' security policies) only allow NTLMv2 responses, and not the weaker LM or NTLM.

Default: client ntlmv2 auth = no

client plaintext auth (G)
Specifies whether a client should send a plaintext password if the server does not support encrypted passwords.

Default: client plaintext auth = yes

client schannel (G)
This controls whether the client offers or even demands the use of the netlogon schannel. client schannel = no does not offer the schannel, client schannel = auto offers the schannel but does not enforce it, and client schannel = yes denies access if the server is not able to speak netlogon schannel.

Default: client schannel = auto

Example: client schannel = yes

client signing (G)
This controls whether the client offers or requires the server it talks to to use SMB signing. Possible values are auto, mandatory and disabled.

When set to auto, SMB signing is offered, but not enforced. When set to mandatory, SMB signing is required, and if set to disabled, SMB signing is not offered either.

Default: client signing = auto

client use spnego (G)
This variable controls whether samba clients will try to use Simple and Protected Negotiation (as specified by RFC 2478) with Windows XP and Windows 2000 servers to agree upon an authentication mechanism. SPNEGO client support for SMB signing is currently broken, so you might want to turn this option off when operating with Windows 2003 domain controllers in particular.

Default: client use spnego = yes
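The five client-side entries above (client lanman auth, client ntlmv2 auth, client plaintext auth, client signing, client schannel) each document a default that is the weaker choice and describe how the settings override one another. The following audit script is an added example, not a Samba tool: it reads the [global] section of a constructed smb.conf with Python's configparser (whose name = value and ';'/'#' comment handling suffice here, though it does not implement backslash continuation), applies the documented defaults and interactions to compute the effective values, and reports every setting that is still at the weaker value, with the reason taken from the entry above.

```python
"""Audit of the client-side authentication settings described above
(client lanman auth, client ntlmv2 auth, client plaintext auth, client
signing, client schannel). Added example; not a Samba tool. The [global]
section is read with Python's configparser, which handles plain
'name = value' lines and ';'/'#' comments but not backslash continuation."""
import configparser

# Documented defaults, and the value each entry above recommends or implies
# for the stronger behaviour, with the reason taken from that entry.
DEFAULTS = {
    "client lanman auth": "yes",
    "client plaintext auth": "yes",
    "client ntlmv2 auth": "no",
    "client signing": "auto",
    "client schannel": "auto",
}
HARDENED = {
    "client lanman auth": ("no", "LANMAN response is easily broken"),
    "client plaintext auth": ("no", "plaintext password sent to servers without encrypted passwords"),
    "client ntlmv2 auth": ("yes", "only NTLMv2/LMv2 responses are sent; NTLMv1 and LM are disabled"),
    "client signing": ("mandatory", "SMB signing required rather than merely offered"),
    "client schannel": ("yes", "access denied unless the server speaks netlogon schannel"),
}


def normalise(value):
    """yes/true/1 and no/false/0 are equivalent spellings of a boolean."""
    v = value.strip().lower()
    return {"true": "yes", "1": "yes", "false": "no", "0": "no"}.get(v, v)


def read_global(text):
    """Parameters of the [global] section (section name matched ignoring case)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    for section in cp.sections():
        if section.lower() == "global":
            return {k.lower(): v for k, v in cp.items(section)}
    return {}


def effective_settings(global_params):
    """Apply the interactions stated above: enabling client ntlmv2 auth
    disables LANMAN and plaintext authentication, and disabling client
    lanman auth also disables client plaintext auth."""
    eff = {p: normalise(global_params.get(p, d)) for p, d in DEFAULTS.items()}
    if eff["client ntlmv2 auth"] == "yes":
        eff["client lanman auth"] = "no"
    if eff["client lanman auth"] == "no":
        eff["client plaintext auth"] = "no"
    return eff


def audit(text):
    """Return [(parameter, effective value, recommended value, reason)] for
    every setting whose effective value is weaker than the hardened one."""
    eff = effective_settings(read_global(text))
    return [(p, eff[p], want, why) for p, (want, why) in HARDENED.items() if eff[p] != want]


# Constructed configurations: one relying on the defaults, one hardened.
WEAK = "[global]\n   workgroup = MYGROUP\n"
STRONG = """[global]
   workgroup = MYGROUP
   client ntlmv2 auth = yes
   client signing = mandatory
   client schannel = yes
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK), ("strong", STRONG)):
        print(label, audit(conf) or "no findings")
```

The hardened sample does not set client lanman auth or client plaintext auth at all; the audit still reports nothing for them because, as the entries state, enabling client ntlmv2 auth disables both.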

comment (S)
This is a text field that is seen next to a share when a client queries the server, either via the network neighborhood or via net view, to list what shares are available.

If you want to set the string that is displayed next to the machine name then see the server string parameter.

Default: No comment string

Example: comment = Fred's Files

config file (G)
This allows you to override the config file to use, instead of the default (usually smb.conf). There is a chicken and egg problem here as this option is set in the config file!

For this reason, if the name of the config file has changed when the parameters are loaded then it will reload them from the new config file.

This option takes the usual substitutions, which can be very useful.

If the config file doesn't exist then it won't be loaded (allowing you to special case the config files of just a few clients).

Example: config file = /usr/local/samba/lib/smb.conf.%m

copy (S)
This parameter allows you to "clone" service entries. The specified service is simply duplicated under the current service's name. Any parameters specified in the current section will override those in the section being copied.

This feature lets you set up a 'template' service and create similar services easily. Note that the service being copied must occur earlier in the configuration file than the service doing the copying.

Default: no value

Example: copy = otherservice

create mask (S)
Synonym for create mode.

When a file is created, the necessary permissions are calculated according to the mapping from DOS modes to UNIX permissions, and the resulting UNIX mode is then bit-wise 'AND'ed with this parameter. This parameter may be thought of as a bit-wise MASK for the UNIX modes of a file. Any bit not set here will be removed from the modes set on a file when it is created.

The default value of this parameter removes the 'group' and 'other' write and execute bits from the UNIX modes.

Following this, Samba will bit-wise 'OR' the UNIX mode created from this parameter with the value of the force create mode parameter, which is set to 000 by default.

This parameter does not affect directory modes. See the parameter directory mode for details.

See also the force create mode parameter for forcing particular mode bits to be set on created files. See also the directory mode parameter for masking mode bits on created directories. See also the inherit permissions parameter.

Note that this parameter does not apply to permissions set by Windows NT/2000 ACL editors. If the administrator wishes to enforce a mask on access control lists also, they need to set the security mask.

Default: create mask = 0744

Example: create mask = 0775
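The AND-then-OR rule above is the source of a common misreading: a create mask can only remove permission bits, never grant them, so create mask = 0775 does not make a 0644 file group-writable; only force create mode adds bits. The following added example (not Samba's code) carries the computation through and reports which bits the mask removed and which the force parameter added; the mode produced by the DOS-to-UNIX mapping is taken as an input.

```python
"""Worked computation of the UNIX mode of a newly created file from create
mask and force create mode, as described above (added example; not Samba's
code). The mode produced by the DOS-to-UNIX mapping is taken as an input."""


def created_file_mode(mapped_mode, create_mask=0o744, force_create_mode=0o000):
    """(mode from the DOS->UNIX mapping AND create mask) OR force create mode."""
    return (mapped_mode & create_mask) | force_create_mode


def explain(mapped_mode, create_mask=0o744, force_create_mode=0o000):
    """Which bits the mask removed and which bits force create mode added."""
    masked = mapped_mode & create_mask
    final = masked | force_create_mode
    return {
        "requested": oct(mapped_mode),
        "removed_by_mask": oct(mapped_mode & ~create_mask & 0o7777),
        "added_by_force": oct(final & ~masked & 0o7777),
        "result": oct(final),
    }


if __name__ == "__main__":
    # default mask strips group/other write and execute from a 0666 request
    print(explain(0o666))
    # a mask can only remove bits: 0775 does not grant execute to a 0644 file
    print(explain(0o644, create_mask=0o775))
    # force create mode is what adds bits, e.g. group write
    print(explain(0o644, create_mask=0o775, force_create_mode=0o020))
```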

create mode (S)
Synonym for create mask.

csc policy (S)
This stands for client-side caching policy, and specifies how clients capable of offline caching will cache the files in the share. The valid values are: manual, documents, programs, disable.

These values correspond to those used on Windows servers.

For example, shares containing roaming profiles can have offline caching disabled using csc policy = disable.

Default: csc policy = manual

Example: csc policy = programs

deadtime (G)
The value of the parameter (a decimal integer) represents the number of minutes of inactivity before a connection is considered dead, and it is disconnected. The deadtime only takes effect if the number of open files is zero.

This is useful to stop a server's resources being exhausted by a large number of inactive connections.

Most clients have an auto-reconnect feature when a connection is broken, so in most cases this parameter should be transparent to users.

A short deadtime is recommended for most systems.

A deadtime of zero indicates that no auto-disconnection should be performed.

Default: deadtime = 0

Example: deadtime = 15

debug hires timestamp (G)
Sometimes the timestamps in the log messages are needed with a resolution higher than seconds; this boolean parameter adds microsecond resolution to the timestamp message header when turned on.

Note that the parameter debug timestamp must be on for this to have an effect.

Default: debug hires timestamp = no

debuglevel (G)
Synonym for log level.

debug pid (G)
When using only one log file for more than one forked smbd(8) process, it may be hard to follow which process outputs which message. This boolean parameter adds the process id to the timestamp message headers in the log file when turned on.

Note that the parameter debug timestamp must be on for this to have an effect.

Default: debug pid = no

debug timestamp (G)
Samba debug log messages are timestamped by default. If you are running at a high debug level these timestamps can be distracting. This boolean parameter allows timestamping to be turned off.

Default: debug timestamp = yes

debug uid (G)
Samba is sometimes run as root and sometimes run as the connected user; this boolean parameter inserts the current euid, egid, uid and gid into the timestamp message headers in the log file if turned on.

Note that the parameter debug timestamp must be on for this to have an effect.

Default: debug uid = no

default (G)
Synonym for default service.

default case (S)
See the section on NAME MANGLING. Also note the short preserve case parameter.

Default: default case = lower

default devmode (S)
This parameter is only applicable to printable services. When smbd is serving Printer Drivers to Windows NT/2k/XP clients, each printer on the Samba server has a Device Mode which defines things such as paper size and orientation and duplex settings. The device mode can only correctly be generated by the printer driver itself (which can only be executed on a Win32 platform). Because smbd is unable to execute the driver code to generate the device mode, the default behavior is to set this field to NULL.

Most problems with serving printer drivers to Windows NT/2k/XP clients can be traced to a problem with the generated device mode. Certain drivers will do things such as crashing the client's Explorer.exe with a NULL devmode. However, other printer drivers can cause the client's spooler service (spoolsv.exe) to die if the devmode was not created by the driver itself (i.e. smbd generates a default devmode).

This parameter should be used with care and tested with the printer driver in question. It is better to leave the device mode to NULL and let the Windows client set the correct values. Because drivers do not do this all the time, setting default devmode = yes will instruct smbd to generate a default one.

For more information on Windows NT/2k printing and Device Modes, see the MSDN documentation.

Default: default devmode = no

default service (G)
This parameter specifies the name of a service which will be connected to if the service actually requested cannot be found. Note that the square brackets are NOT given in the parameter value (see example below).

There is no default value for this parameter. If this parameter is not given, attempting to connect to a nonexistent service results in an error.

Typically the default service would be a guest ok, read-only service.

Also note that the apparent service name will be changed to equal that of the requested service; this is very useful as it allows you to use macros like %S to make a wildcard service.

Note also that any "_" characters in the name of the service used in the default service will get mapped to a "/". This allows for interesting things.

Example:

[global]
        default service = pub
[pub]
        path = /%S
delete group script (G)
This is the full pathname to a script that will be run AS ROOT smbd(8) when a group is requested to be deleted. It will expand any %g to the group name passed. This script is only useful for installations using the Windows NT domain administration tools.

deleteprinter command (G)
With the introduction of MS-RPC based printer support for Windows NT/2000 clients in Samba 2.2, it is now possible to delete printer at run time by issuing the DeletePrinter() RPC call.

For a Samba host this means that the printer must be physically deleted from underlying printing system. The deleteprinter command defines a script to be run which will perform the necessary operations for removing the printer from the print system and from smb.conf.

The deleteprinter command is automatically called with only one parameter: "printer name".

Once the deleteprinter command has been executed, smbd will reparse smb.conf to verify that the associated printer no longer exists. If the sharename is still valid, then smbd will return an ACCESS_DENIED error to the client.

See also addprinter command, printing, show add printer wizard.

Default: none

Example: deleteprinter command = /usr/bin/removeprinter

delete readonly (S)
This parameter allows read-only files to be deleted. This is not the normal DOS semantics, but is allowed by UNIX.

This option may be useful for running applications such as RCS, where UNIX file ownership prevents changing file permissions, and DOS semantics prevent deletion of a read-only file.

Default: delete readonly = no

delete share command (G)
Samba 2.2.0 introduced the ability to dynamically add and delete shares via the Windows NT 4.0 Server Manager. The delete share command is used to define an external program or script which will remove an existing service definition from smb.conf. In order to successfully execute the delete share command, smbd requires that the administrator be connected using a root account (i.e. uid == 0).

When executed, smbd will automatically invoke the delete share command with two parameters.

configFile - the location of the global smb.conf file.

shareName - the name of the existing service.

This parameter is only used to remove file shares. To delete printer shares, see the deleteprinter command.

See also add share command, change share command.

Default: none

Example: delete share command = /usr/local/bin/delshare
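
The following is an added example of a script that could sit behind delete share command; it is not part of Samba or of this man page. It takes the two parameters described above (configFile, shareName), refuses to touch [global], compares section names case-insensitively as smb.conf does, and rewrites the file in place so that its ownership and permissions are kept. The function name remove_share_section is my own.

```sh
#!/bin/sh
# Added example of a "delete share command" script. smbd invokes it as
#     <script> <configFile> <shareName>
# and expects the [shareName] section to be gone from configFile afterwards.

remove_share_section() {
    conf=$1 share=$2
    target=$(printf '%s' "$share" | tr 'A-Z' 'a-z')

    # Never let a client request remove the [global] section.
    [ "$target" = global ] && return 1

    tmp=$(mktemp) || return 1

    # Copy every line except those belonging to the [share] section.
    # A section starts at a line whose first non-blank character is '[';
    # section names are case-insensitive, so compare lower-cased.
    awk -v target="$target" '
        /^[ \t]*\[/ {
            name = $0
            sub(/^[ \t]*\[/, "", name)
            sub(/\].*$/, "", name)
            gsub(/^[ \t]+|[ \t]+$/, "", name)
            skip = (tolower(name) == target)
        }
        !skip { print }
    ' "$conf" > "$tmp" && cat "$tmp" > "$conf"   # keeps the inode and mode of smb.conf
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Invocation shape used by smbd.
if [ $# -eq 2 ]; then
    remove_share_section "$1" "$2"
fi
```

Rewriting through cat rather than mv keeps smb.conf owned by root with its original mode, which matters because smbd only calls this script for a connection authenticated as uid 0 and the file must not become writable by anyone else.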

delete user from group script (G)
Full path to the script that will be called when a user is removed from a group using the Windows NT domain administration tools. It will be run by smbd(8) AS ROOT. Any %g will be replaced with the group name and any %u will be replaced with the user name.

Default: delete user from group script =

Example: delete user from group script = /usr/sbin/deluser %u %g

delete user script (G)
This is the full pathname to a script that will be run by smbd(8) AS ROOT when managing users with remote RPC (NT) tools.

This script is called when a remote client removes a user from the server, normally using 'User Manager for Domains' or rpcclient.

This script should delete the given UNIX user.

Default: delete user script = <empty string>

Example: delete user script = /usr/local/samba/bin/del_user %u

delete veto files (S)
This option is used when Samba is attempting to delete a directory that contains one or more vetoed files or directories (see the veto files option). If this option is set to no (the default) then if a vetoed directory contains any non-vetoed files or directories the directory delete will fail. This is usually what you want.

If this option is set to yes, then Samba will attempt to recursively delete any files and directories within the vetoed directory. This can be useful for integration with file serving systems such as NetAtalk, which create meta-files within directories you might normally veto DOS/Windows users from seeing (e.g. .AppleDouble).

Setting delete veto files = yes allows these directories to be transparently deleted when the parent directory is deleted (so long as the user has permission to do so).

See also the veto files parameter.

Default: delete veto files = no

deny hosts (S)
Synonym for hosts deny.

dfree command (G)
The dfree command setting should only be used on systems where a problem occurs with the internal disk space calculations. This has been known to happen with Ultrix, but may occur with other operating systems. The symptom that was seen was an error of "Abort Retry Ignore" at the end of each directory listing.

This setting allows the replacement of the internal routines that calculate the total disk space and the amount available with an external routine. The example below gives a possible script that might fulfill this function.

The external program will be passed a single parameter indicating a directory in the filesystem being queried. This will typically consist of the string ./. The script should return two integers in ASCII. The first should be the total disk space in blocks, and the second the number of available blocks. An optional third return value can give the block size in bytes. The default block size is 1024 bytes.

Note: your script should NOT be setuid or setgid and should be owned by (and writeable only by) root!

Default: by default internal routines for determining the disk capacity and remaining space will be used.

Example: dfree command = /usr/local/samba/bin/dfree

Where the script dfree (which must be made executable) could be:

#!/bin/sh
df "$1" | tail -1 | awk '{print $2" "$4}'

or perhaps (on Sys V based systems):

#!/bin/sh
/usr/bin/df -k "$1" | tail -1 | awk '{print $3" "$5}'

Note that you may have to replace the command names with full path names on some systems.
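
As an added example (not from the Samba documentation), the script below returns all three values the dfree interface allows, using the POSIX -P output of df so that the column positions do not depend on the platform, and it also checks the ownership and mode requirement stated above before the script is installed. The function names dfree_parse, dfree_report and dfree_script_is_safe are my own.

```sh
#!/bin/sh
# dfree helper (added example). Samba calls it with one argument, the
# directory to examine, and reads back "<total blocks> <available blocks> [<block size>]".

# Turn "df -P -k" output into the line smbd expects. With -P the layout is
#   Filesystem 1024-blocks Used Available Capacity Mounted on
# on Linux, BSD and Sys V derived systems alike, so $2 and $4 are stable.
dfree_parse() {
    awk 'NR == 2 { print $2 " " $4 " 1024" }'
}

dfree_report() {
    df -P -k "$1" | dfree_parse
}

# Check the requirement stated in the text: owned by root, writable only by
# root, and neither setuid nor setgid. Returns 0 when the script file is safe.
dfree_script_is_safe() {
    set -- $(ls -ldn "$1")          # e.g. -rwxr-xr-x 1 0 0 ... (numeric uid/gid)
    perms=$1 uid=$3
    [ "$uid" -eq 0 ] || return 1
    case $perms in
        *[sS]*)            return 1 ;;   # setuid or setgid bit present
        ?????w*|????????w*) return 1 ;;   # group (pos 5) or other (pos 8) write bit
    esac
    return 0
}

dfree_report "${1:-.}"
```

The safety check is worth running from whatever deploys the script: smbd executes dfree command as the connected user for every free-space query, so a group- or world-writable script is an easy way for one share user to run code in every other user's session.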

directory (S)
Synonym for path.

directory mask (S)
This parameter is the octal mode that is used when converting DOS modes to UNIX modes when creating UNIX directories.

When a directory is created, the necessary permissions are calculated according to the mapping from DOS modes to UNIX permissions, and the resulting UNIX mode is then bit-wise ANDed with this parameter. This parameter may be thought of as a bit-wise mask for the UNIX modes of a directory. Any bit not set here will be removed from the modes set on a directory when it is created.

The default value of this parameter removes the group and other write bits from the UNIX mode, allowing only the user who owns the directory to modify it.

Following this, Samba will bit-wise OR the UNIX mode created from this parameter with the value of the force directory mode parameter. This parameter is set to 000 by default (i.e. no extra mode bits are added).

Note that this parameter does not apply to permissions set by Windows NT/2000 ACL editors. If the administrator wishes to enforce a mask on access control lists also, they need to set the directory security mask.

See the force directory mode parameter to cause particular mode bits to always be set on created directories.

See also the create mode parameter for masking mode bits on created files, and the directory security mask parameter.

Also refer to the inherit permissions parameter.

Default: directory mask = 0755

Example: directory mask = 0775

directory mode (S)
Synonym for directory mask.

directory security mask (S)
This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating the UNIX permissions on a directory using the native NT security dialog box.

This parameter is applied as a mask (AND'ed with) to the changed permission bits, thus preventing any bits not in this mask from being modified. Essentially, zero bits in this mask may be treated as a set of bits the user is not allowed to change.

If not set explicitly this parameter is set to the same value as the directory mask parameter. To allow a user to modify all the user/group/world permissions on a directory, set this parameter to 0777.

Note that users who can access the Samba server through other means can easily bypass this restriction, so it is primarily useful in standalone "appliance" systems. Administrators of most normal systems will probably want to leave it set to the default of 0777.

See also the force directory security mode, security mask and force security mode parameters.

Default: directory security mask = 0777

Example: directory security mask = 0700

disable netbios (G)
Enabling this parameter will disable netbios support in Samba. Netbios is the only available form of browsing in all windows versions except for 2000 and XP.

Note that clients that only support netbios won't be able to see your samba server when netbios support is disabled.

Default: disable netbios = no

Example: disable netbios = yes

disable spoolss (G)
Enabling this parameter will disable Samba's support for the SPOOLSS set of MS-RPCs and will yield identical behavior to Samba 2.0.x. Windows NT/2000 clients will downgrade to using LanMan style printing commands. Windows 9x/ME will be unaffected by the parameter. However, this will also disable the ability to upload printer drivers to a Samba server via the Windows NT Add Printer Wizard or by using the NT printer properties dialog window. It will also disable the capability of Windows NT/2000 clients to download print drivers from the Samba host upon demand. Be very careful about enabling this parameter.

See also use client driver

Default : disable spoolss = no

display charset (G)
Specifies the charset that samba will use to print messages to stdout and stderr and SWAT will use. Should generally be the same as the unix charset.

Default: display charset = ASCII

Example: display charset = UTF8

dns proxy (G)
Specifies that nmbd(8), when acting as a WINS server and finding that a NetBIOS name has not been registered, should treat the NetBIOS name word-for-word as a DNS name and do a lookup with the DNS server for that name on behalf of the name-querying client.

Note that the maximum length for a NetBIOS name is 15 characters, so the DNS name (or DNS alias) can likewise only be 15 characters, maximum.

nmbd spawns a second copy of itself to do the DNS name lookup requests, as doing a name lookup is a blocking action.

See also the parameter wins support.

Default: dns proxy = yes

domain logons (G)
If set to yes, the Samba server will serve Windows 95/98 Domain logons for the workgroup it is in. Samba 2.2 has limited capability to act as a domain controller for Windows NT 4 Domains. For more details on setting up this feature see the Samba-PDC-HOWTO included in the Samba documentation.

Default: domain logons = no

domain master (G)
Tell smbd(8) to enable WAN-wide browse list collation. Setting this option causes nmbd to claim a special domain specific NetBIOS name that identifies it as a domain master browser for its given workgroup. Local master browsers in the same workgroup on broadcast-isolated subnets will give this nmbd their local browse lists, and then ask smbd(8) for a complete copy of the browse list for the whole wide area network. Browser clients will then contact their local master browser, and will receive the domain-wide browse list, instead of just the list for their broadcast-isolated subnet.

Note that Windows NT Primary Domain Controllers expect to be able to claim this workgroup specific special NetBIOS name that identifies them as domain master browsers for that workgroup by default (i.e. there is no way to prevent a Windows NT PDC from attempting to do this). This means that if this parameter is set and nmbd claims the special name for a workgroup before a Windows NT PDC is able to do so, then cross subnet browsing will behave strangely and may fail.

If domain logons = yes, then the default behavior is to enable the domain master parameter. If domain logons is not enabled (the default setting), then neither will domain master be enabled by default.

Default: domain master = auto

dont descend (S)
There are certain directories on some systems (e.g., the /proc tree under Linux) that are either not of interest to clients or are infinitely deep (recursive). This parameter allows you to specify a comma-delimited list of directories that the server should always show as empty.

Note that Samba can be very fussy about the exact format of the "dont descend" entries. For example you may need ./proc instead of just /proc. Experimentation is the best policy.

Default: none (i.e., all directories are OK to descend)

Example: dont descend = /proc,/dev

dos charset (G)
DOS SMB clients assume the server has the same charset as they do. This option specifies which charset Samba should talk to DOS clients.

The default depends on which charsets you have installed. Samba tries to use charset 850 but falls back to ASCII in case it is not available. Run testparm(1) to check the default on your system.

dos filemode (S)
The default behavior in Samba is to provide UNIX-like behavior where only the owner of a file/directory is able to change the permissions on it. However, this behavior is often confusing to DOS/Windows users. Enabling this parameter allows a user who has write access to the file (by whatever means) to modify the permissions on it. Note that a user belonging to the group owning the file will not be allowed to change permissions if the group is only granted read access. Ownership of the file/directory is not changed, only the permissions are modified.

Default: dos filemode = no

dos filetime resolution (S)
Under the DOS and Windows FAT filesystem, the finest granularity on time resolution is two seconds. Setting this parameter for a share causes Samba to round the reported time down to the nearest two second boundary when a query call that requires one second resolution is made to smbd(8).

This option is mainly used as a compatibility option for Visual C++ when used against Samba shares. If oplocks are enabled on a share, Visual C++ uses two different time reading calls to check whether a file has changed since it was last read. One of these calls uses a one-second granularity, the other uses a two second granularity. As the two second call rounds any odd second down, if the file has a timestamp of an odd number of seconds then the two timestamps will not match and Visual C++ will keep reporting that the file has changed. Setting this option causes the two timestamps to match, and Visual C++ is happy.

Default: dos filetime resolution = no

dos filetimes (S)
Under DOS and Windows, if a user can write to a file they can change the timestamp on it. Under POSIX semantics, only the owner of the file or root may change the timestamp. By default, Samba runs with POSIX semantics and refuses to change the timestamp on a file if the user smbd is acting on behalf of is not the file owner. Setting this option to yes allows DOS semantics and smbd(8) will change the file timestamp as DOS requires.

Default: dos filetimes = no

enable rid algorithm (G)
This option is used to control whether or not smbd in Samba 3.0 should fallback to the algorithm used by Samba 2.2 to generate user and group RIDs. The longterm development goal is to remove the algorithmic mappings of RIDs altogether, but this has proved to be difficult. This parameter is mainly provided so that developers can turn the algorithm on and off and see what breaks. This parameter should not be disabled by non-developers because certain features in Samba will fail to work without it.

Default: enable rid algorithm = <yes>

encrypt passwords (G)
This boolean controls whether encrypted passwords will be negotiated with the client. Note that Windows NT 4.0 SP3 and above and also Windows 98 will by default expect encrypted passwords unless a registry entry is changed. To use encrypted passwords in Samba see the chapter "User Database" in the Samba HOWTO Collection.

In order for encrypted passwords to work correctly smbd(8) must either have access to a local smbpasswd(5) file (see the smbpasswd(8) program for information on how to set up and maintain this file), or the security = [server|domain|ads] parameter must be set, which causes smbd to authenticate against another server.

Default: encrypt passwords = yes

enhanced browsing (G)
This option enables a couple of enhancements to cross-subnet browse propagation that have been added in Samba but which are not standard in Microsoft implementations.

The first enhancement to browse propagation consists of a regular wildcard query to a Samba WINS server for all Domain Master Browsers, followed by a browse synchronization with each of the returned DMBs. The second enhancement consists of a regular randomised browse synchronization with all currently known DMBs.

You may wish to disable this option if you have a problem with empty workgroups not disappearing from browse lists. Due to the restrictions of the browse protocols these enhancements can cause an empty workgroup to stay around forever, which can be annoying.

In general you should leave this option enabled as it makes cross-subnet browse propagation much more reliable.

Default: enhanced browsing = yes

enumports command (G)
The concept of a "port" is fairly foreign to UNIX hosts. Under Windows NT/2000 print servers, a port is associated with a port monitor and generally takes the form of a local port (i.e. LPT1:, COM1:, FILE:) or a remote port (i.e. LPD Port Monitor, etc...). By default, Samba has only one port defined--"Samba Printer Port". Under Windows NT/2000, all printers must have a valid port name. If you wish to have a list of ports displayed (smbd does not use a port name for anything) other than the default "Samba Printer Port", you can define enumports command to point to a program which should generate a list of ports, one per line, to standard output. This listing will then be used in response to the level 1 and 2 EnumPorts() RPC.

Default: no enumports command

Example: enumports command = /usr/bin/listports

exec (S)
Synonym for preexec.

fake directory create times (S)
NTFS and Windows VFAT file systems keep a create time for all files and directories. This is not the same as the ctime (status change time) that UNIX keeps, so Samba by default reports the earliest of the various times UNIX does keep. Setting this parameter for a share causes Samba to always report midnight 1-1-1980 as the create time for directories.

This option is mainly used as a compatibility option for Visual C++ when used against Samba shares. Visual C++ generated makefiles have the object directory as a dependency for each object file, and a make rule to create these directories. Also, when NMAKE compares timestamps it uses the creation time when examining a directory. Thus the object directory will be created if it does not exist, but once it does exist it will always have an earlier timestamp than the object files it contains.

However, UNIX time semantics mean that the create time reported by Samba will be updated whenever a file is created or deleted in the directory. NMAKE will then find that all object files in the directory except the last one created are out of date with respect to the directory (judged by its creation time), and will recompile them. Setting this option for the shares used by Visual C++ ensures that the directory's creation time is always earlier than that of the files it contains, and NMAKE works correctly.

Default: fake directory create times = no

fake oplocks (S)
Oplocks are the way that SMB clients get permission from a server to locally cache file operations. If a server grants an oplock (opportunistic lock) then the client is free to assume that it is the only one accessing the file and it will aggressively cache file data. With some oplock types the client may even cache file open/close operations. This can give enormous performance benefits.

When you set fake oplocks = yes, smbd(8) will always grant oplock requests no matter how many clients are using the file.

It is generally much better to use the real oplocks support rather than this parameter.

If you enable this option on a share where the files are read-only (for example a CD-ROM share), or where you know that only one client will ever access the share (for example a user's home directory), you will see a big performance improvement on many operations. If you enable this option on a share where multiple clients may be accessing the files read-write at the same time you can get data corruption. Use this option carefully!

Default: fake oplocks = no

follow symlinks (S)
This parameter allows the Samba administrator to stop smbd(8) from following symbolic links in a particular share. Setting this parameter to no prevents any file or directory that is a symbolic link from being followed (the user will get an error). This option is very useful to stop users from adding a symbolic link to /etc/passwd in their home directory, for instance. However it will slow filename lookups down slightly.

This option is enabled (i.e. smbd will follow symbolic links) by default.

Default: follow symlinks = yes

force create mode (S)
This parameter specifies a set of UNIX mode bit permissions that will always be set on a file created by Samba. This is done by bit-wise ORing these bits onto the mode bits of a file that is being created. The default for this parameter is (in octal) 000. The modes in this parameter are bit-wise ORed onto the file mode after the mask set in the create mask parameter has been applied.

See the create mask parameter for details on masking mode bits on created files.

See also the inherit permissions parameter.

Default: force create mode = 000

Example: force create mode = 0755

In this example, all created files would have read and execute permissions set for 'group' and 'other', as well as the read/write/execute bits set for the 'user'.

force directory mode (S)
This parameter specifies a set of UNIX mode bit permissions that will always be set on a directory created by Samba. This is done by bit-wise ORing these bits onto the mode bits of a directory that is being created. The default for this parameter is (in octal) 000. The modes in this parameter are bit-wise ORed onto the directory mode after the mask set in the directory mask parameter has been applied.

See the directory mask parameter for details on masking mode bits on created directories.

See also the inherit permissions parameter.

Default: force directory mode = 000

Example: force directory mode = 0755

In this example, all created directories would have read and execute (search) permissions set for 'group' and 'other', as well as the read/write/execute bits set for the 'user'.
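
The rule spelled out for directory mask, force create mode and force directory mode above is one formula: the mode derived from the client's request is ANDed with the mask parameter and then ORed with the force parameter. The same AND/OR pair is what the security mask and force security mode parameters apply to a permission change coming from the NT security dialog. The following added example (mine, not Samba code) computes that result in shell arithmetic so you can see what a given pair of settings produces before you commit it to smb.conf. The directory defaults (0755, 000) are the ones quoted on this page; the create mask default of 0744 is assumed, since create mask is documented elsewhere.

```sh
#!/bin/sh
# Added example: how smbd derives the final UNIX mode of a new file or
# directory, or of a permission change made through the NT security dialog:
#     final = (requested AND mask) OR force
# Arguments are octal exactly as written in smb.conf (0755, 000, ...).
apply_mask() {
    printf '%04o\n' $(( ($1 & $2) | $3 ))
}

# Defaults quoted on this page: directory mask = 0755, force directory mode = 000
new_directory_mode() {
    apply_mask "$1" "${2:-0755}" "${3:-000}"
}

# Assumed Samba defaults: create mask = 0744, force create mode = 000
new_file_mode() {
    apply_mask "$1" "${2:-0744}" "${3:-000}"
}

# Returns 0 if the resulting mode still lets group or other write, which is
# the check to run on any mask more permissive than the default.
mode_is_group_or_world_writable() {
    [ $(( $1 & 022 )) -ne 0 ]
}

# Stand-alone demonstration: a client asking for 0777 on a directory
new_directory_mode 0777            # prints 0755 with the defaults
new_directory_mode 0777 0775       # prints 0775 with the example mask
```

A leading zero makes the shell treat the argument as octal, the same convention smb.conf uses, so values can be pasted straight from the configuration.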

force directory security mode (S)
This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating the UNIX permissions on a directory using the native NT security dialog box.

This parameter is applied as a mask (OR'ed with) to the changed permission bits, thus forcing any bits in this mask that the user may have modified to be on. Essentially, one bits in this mask may be treated as a set of bits that, when modifying security on a directory, the user has always set to be 'on'.

If not set explicitly this parameter is set to the same value as the force directory mode parameter. To allow a user to modify all the user/group/world permissions on a directory without restriction, set this parameter to 0000.

Note that users who can access the Samba server through other means can easily bypass this restriction, so it is primarily useful in standalone "appliance" systems. Administrators of most normal systems will probably want to leave it set to the default of 0000.

See also the directory security mask, security mask and force security mode parameters.

Default: force directory security mode = 0

Example: force directory security mode = 700

force group (S)
This specifies a UNIX group name that will be assigned as the default primary group for all users connecting to this service. This is useful for sharing files by ensuring that all access to files on the service will use the named group for their permission checking. Thus, by assigning permissions for this group to the files and directories within this service, the Samba administrator can restrict or allow sharing of these files.

In Samba 2.0.5 and above this parameter has extended functionality in the following way. If the group name listed here has a '+' character prepended to it then the current user accessing the share only has the primary group default assigned to this group if they are already a member of that group. This allows an administrator to decide that only users who are already in a particular group will create files with group ownership set to that group. This gives a finer granularity of ownership assignment. For example, the setting force group = +sys means that only users who are already in group sys will have their default primary group assigned to sys when accessing this Samba share. All other users will retain their ordinary primary group.

If the force user parameter is also set, the group specified in force group will override the primary group set in force user.

See also force user.

Default: no forced group

Example: force group = agroup

force security mode (S)
This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating the UNIX permissions on a file using the native NT security dialog box.

This parameter is applied as a mask (OR'ed with) to the changed permission bits, thus forcing any bits in this mask that the user may have modified to be on. Essentially, one bits in this mask may be treated as a set of bits that, when modifying security on a file, the user has always set to be 'on'.

If not set explicitly this parameter is set to the same value as the force create mode parameter. To allow a user to modify all the user/group/world permissions on a file without restriction, set this parameter to 000.

Note that users who can access the Samba server through other means can easily bypass this restriction, so it is primarily useful in standalone "appliance" systems. Administrators of most normal systems will probably want to leave it set to the default of 0000.

See also the force directory security mode, directory security mask and security mask parameters.

Default: force security mode = 0

Example: force security mode = 700

force user (S)
This specifies a UNIX user name that will be assigned as the default user for all users connecting to this service. This is useful for sharing files. You should also use it carefully, as using it incorrectly can cause security problems.

This user name only gets used once a connection is established. Thus clients still need to connect as a valid user and supply a valid password. Once connected, all file operations will be performed as the "forced user", no matter what username the client connected as.

In Samba 2.0.5 and above this parameter also causes the primary group of the forced user to be used as the primary group for all file activity. Prior to 2.0.5 the primary group was left as the primary group of the connecting user (this was a bug).

See also force group.

Default: no forced user

Example: force user = auser

fstype (S)
This parameter allows the administrator to configure the string that specifies the type of filesystem a share is using, which smbd(8) reports when a client queries the filesystem type for a share. The default type is NTFS for compatibility with Windows NT, but this can be changed to other strings such as SambaFAT if required.

Default: fstype = NTFS

Example: fstype = Samba

get quota command (G)
The get quota command should only be used whenever there is no operating system API available from the OS that samba can use.

This parameter should specify the path to a script that queries the quota information for the specified user/group for the partition that the specified directory is on.

Such a script should take 3 arguments:

directory

type of query

uid of user or gid of group

The type of query can be one of :

1 - user quotas

2 - user default quotas (uid = -1)

3 - group quotas

4 - group default quotas (gid = -1)

This script should print its output according to the following format:

Line 1 - quota flags (0 = no quotas, 1 = quotas enabled, 2 = quotas enabled and enforced)

Line 2 - number of currently used blocks

Line 3 - the softlimit number of blocks

Line 4 - the hardlimit number of blocks

Line 5 - currently used number of inodes

Line 6 - the softlimit number of inodes

Line 7 - the hardlimit number of inodes

Line 8(optional) - the number of bytes in a block(default is 1024)

See also the set quota command parameter.

Default: get quota command =

Example: get quota command = /usr/local/sbin/query_quota
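
The following is an added example of a script implementing the three-argument, eight-line contract described above; it is mine, not part of Samba. Because the real numbers would come from the platform's quota tools, a constructed quota table stands in for them. Query types 2 and 4 are mapped to the default entries (id -1) as the list above describes; treating "limits all zero" as flag 1 and "any limit set" as flag 2 is my reading of the flag values, and the function name query_quota is my own.

```sh
#!/bin/sh
# Added example of a "get quota command" script. smbd runs it as
#     <script> <directory> <query type> <uid or gid>
# and reads the eight-line report described above from its standard output.
#
# Constructed quota table standing in for the OS quota tools (in a real
# script this is where the platform's quota utility would be run against the
# filesystem that holds <directory>):
#   type id used_blocks soft_blocks hard_blocks used_inodes soft_inodes hard_inodes
QUOTA_TABLE='
1 1001 51200 102400 204800 310 1000 2000
1 -1 0 51200 102400 0 500 1000
3 100 8192 0 0 40 0 0
'

query_quota() {
    dir=$1 type=$2 id=$3

    # Types 2 and 4 ask for the default user/group quota; Samba passes an id
    # of -1 for them, so look up the per-type entry keyed by -1.
    case $type in
        2)   type=1; id=-1 ;;
        4)   type=3; id=-1 ;;
        1|3) ;;
        *)   return 1 ;;          # unknown query type
    esac

    row=$(printf '%s\n' "$QUOTA_TABLE" |
          awk -v t="$type" -v i="$id" '$1 == t && $2 == i { print; exit }')

    if [ -z "$row" ]; then
        # No record for this id: flag 0 ("no quotas"), zero counters, block size.
        printf '%s\n' 0 0 0 0 0 0 0 1024
        return 0
    fi

    set -- $row
    used_b=$3 soft_b=$4 hard_b=$5 used_i=$6 soft_i=$7 hard_i=$8

    # Assumed flag semantics: 1 = quotas enabled but no limit set, 2 = enforced.
    if [ "$soft_b" -eq 0 ] && [ "$hard_b" -eq 0 ] &&
       [ "$soft_i" -eq 0 ] && [ "$hard_i" -eq 0 ]; then
        flags=1
    else
        flags=2
    fi

    # Lines 1-8 in the order smbd expects; line 8 is the block size in bytes.
    printf '%s\n' "$flags" "$used_b" "$soft_b" "$hard_b" \
                  "$used_i" "$soft_i" "$hard_i" 1024
}

# Invocation shape used by smbd.
if [ $# -eq 3 ]; then
    query_quota "$1" "$2" "$3"
fi
```

Returning exactly eight lines even for an id with no record matters: smbd parses the output positionally, so a script that prints nothing for an unknown user reports garbage rather than "no quota".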

getwd cache (G)
This is a tuning option. When this is enabled a caching algorithm will be used to reduce the time taken for getwd() calls. This can have a significant impact on performance, especially when the wide links parameter is set to no.

Default: getwd cache = yes

group (S)
Synonym for force group.

guest account (G,S)
This is a username which will be used for access to services which are specified as guest ok (see below). Whatever privileges this user has will be available to any client connecting to the guest service. Typically this user will exist in the password file, but will not have a valid login. The user account "ftp" is often a good choice for this parameter. Note that if a username is specified in a given service, that username overrides this one.

On some systems the default guest account "nobody" may not be able to print. Use another account if you have this problem (for example ftp). To test this, try logging in as your guest user (perhaps by using the su - command) and trying to print using the system print command such as lpr(1) or lp(1).

This parameter does not accept % macros, because many parts of the system require this value to be constant for correct operation.

Default: specified at compile time, usually "nobody"

Example: guest account = ftp

guest ok (S)
If this parameter is yes for a service, then no password is required to connect to the service. Privileges will be those of the guest account.

This parameter nullifies the benefits of setting restrict anonymous = 2.

See the section below on security for more information about this option.

Default: guest ok = no

guest only (S)
If this parameter is yes for a service, then only guest connections to the service are permitted, i.e. connections as any other user are not allowed. This parameter has no effect if guest ok is not set for the service.

See the section below on security for more information about this option.

Default: guest only = no

hide dot files (S)
This is a boolean parameter that controls whether files starting with a dot appear as hidden files (on UNIX filesystems, a file whose name begins with "." is a hidden file).

Default: hide dot files = yes

hide files (S)
This is a list of files or directories that are not visible but are accessible. The DOS 'hidden' attribute is applied to any files or directories that match.

Each entry in the list must be separated by a '/', which allows spaces to be included in the entry. '*' and '?' can be used to specify multiple files or directories as in DOS wildcards.

Each entry must be a UNIX path, not a DOS path, and must not include the UNIX directory separator '/'.

Note that the case sensitivity option is applicable in hiding files.

Setting this parameter will affect the performance of Samba, as it will be forced to check all files and directories for a match as they are scanned.

See also hide dot files, veto files and case sensitive.

Default: no files or directories are hidden by this option

Example: hide files = /.*/DesktopFolderDB/TrashFor%m/resource.frk/

The above example is based on files that the Macintosh SMB client (DAVE) available from Thursby creates for internal use, and also still hides all files beginning with a dot.

hide local users (G)
This parameter toggles the hiding of local UNIX users (root, wheel, floppy, etc) from remote clients.

Default: hide local users = no

hide special files (S)
This parameter prevents clients from seeing special files such as sockets, devices and fifo's in directory listings.

Default: hide special files = no

hide unreadable (S)
This parameter prevents clients from seeing the existence of files that cannot be read. Defaults to off.

Default: hide unreadable = no

hide unwriteable files (S)
This parameter prevents clients from seeing the existence of files that cannot be written to. Defaults to off. Note that unwriteable directories are shown as usual.

Default: hide unwriteable = no

homedir map (G)
If nis homedir is yes, and smbd(8) is also acting as a Win95/98 logon server, then this parameter specifies the NIS (or YP) map from which the server for the user's home directory should be extracted. At present, only the Sun auto.home map format is understood. The form of the map is:

username server:/some/file/system

and the program will extract the servername from before the first ':'. There should probably be a better parsing system that copes with different map formats and also Amd (another automounter) maps.

A working NIS client is required on the system for this option to work.

See also nis homedir, domain logons.

Default: homedir map = <empty string>

Example: homedir map = amd.homedir

host msdfs (G)
If set to yes, Samba will act as a Dfs server, and allow Dfs-aware clients to browse Dfs trees hosted on the server.

See also the msdfs root share-level parameter. For more information on setting up a Dfs tree on Samba, refer to ???.

Default: host msdfs = no

hostname lookups (G)
Specifies whether samba should use (expensive) hostname lookups or use the ip addresses instead. An example place where hostname lookups are currently used is when checking the hosts deny and hosts allow.

Default: hostname lookups = yes

Example: hostname lookups = no

hosts allow (S)
A synonym for this parameter is allow hosts.

This parameter is a comma, space, or tab delimited set of hosts which are permitted to access a service.

If specified in the [global] section then it will apply to all services, regardless of whether the individual service has a different setting.

You can specify the hosts by name or IP number. For example, you could restrict access to only the hosts on a Class C subnet with something like allow hosts = 150.203.5.. The full syntax of the list is described in the man page hosts_access(5). Note that this man page may not be present on your system, so a brief description will be given here also.

Note that the localhost address 127.0.0.1 will always be allowed access unless specifically denied by a hosts deny option.

You can also specify hosts by network/netmask pairs and by netgroup names if your system supports netgroups. The EXCEPT keyword can also be used to limit a wildcard list. The following examples may provide some help:

Example 1: allow all IPs in 150.203.*.* except one

hosts allow = 150.203. EXCEPT 150.203.6.66

Example 2: allow hosts that match the given network/netmask

hosts allow = 150.203.15.0/255.255.255.0

Example 3: allow a couple of hosts

hosts allow = lapland, arvidsjaur

Example 4: allow only hosts in NIS netgroup "foonet", but deny access from one particular host

hosts allow = @foonet

hosts deny = pirate

Note that access still requires suitable user-level passwords.

See testparm(1) for a way of testing your host access to see if it does what you expect.

Default: none (i.e., all hosts permitted access)

Example: allow hosts = 150.203.5. myhost.mynet.edu.au

hosts deny (S)
The opposite of hosts allow: hosts listed here are NOT permitted access to services unless the specific services have their own lists to override this one. Where the two lists conflict, the allow list takes precedence.

Default: none (i.e., no hosts specifically excluded)

Example: hosts deny = 150.203.4. badhost.mynet.edu.au
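
To make the interaction of the two lists concrete, here is an added example (my own code, not Samba's access checker) that evaluates an IPv4 client address against a hosts allow and a hosts deny value following the rules stated above: empty lists allow everyone, 127.0.0.1 is allowed unless it is in hosts deny, and when both lists are set the allow list wins. It understands the pattern forms shown in the examples (exact address, trailing-dot prefix such as 150.203., network/netmask, and EXCEPT); a /prefix-length form is also accepted. Hostnames and @netgroups are deliberately not resolved, since that needs DNS or NIS. The function names ip2int, match_one, list_match and host_allowed are mine.

```sh
#!/bin/sh
# Added example: evaluate "hosts allow" / "hosts deny" for an IPv4 client.

# dotted quad -> 32-bit integer
ip2int() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# match_one CLIENT_IP PATTERN -> 0 if the pattern covers the address
match_one() {
    case $2 in
        */*)
            net=${2%/*} mask=${2#*/}
            case $mask in
                *.*) m=$(ip2int "$mask") ;;                                # dotted netmask
                *)   m=$(( (4294967295 << (32 - mask)) & 4294967295 )) ;;  # prefix length
            esac
            [ $(( $(ip2int "$1") & m )) -eq $(( $(ip2int "$net") & m )) ]
            ;;
        *.)  case $1 in "$2"*) return 0 ;; *) return 1 ;; esac ;;        # 150.203. style prefix
        *)   [ "$1" = "$2" ] ;;                                           # exact address
    esac
}

# list_match CLIENT_IP LIST -> 0 if LIST matches, honouring "a b EXCEPT c d":
# anything matched before EXCEPT counts unless something after it also matches.
list_match() {
    matched=0 excepted=0 in_except=0
    for tok in $(printf '%s\n' "$2" | tr ',' ' '); do
        case $tok in
            EXCEPT|except) in_except=1; continue ;;
        esac
        if match_one "$1" "$tok"; then
            if [ "$in_except" -eq 0 ]; then matched=1; else excepted=1; fi
        fi
    done
    [ "$matched" -eq 1 ] && [ "$excepted" -eq 0 ]
}

# host_allowed CLIENT_IP "hosts allow value" "hosts deny value" -> 0 if allowed
host_allowed() {
    client=$1 allow=$2 deny=$3
    # no lists at all: everyone is allowed
    if [ -z "$allow" ] && [ -z "$deny" ]; then return 0; fi
    # localhost is always allowed unless hosts deny names it
    if [ "$client" = 127.0.0.1 ]; then
        ! list_match "$client" "$deny"; return $?
    fi
    # only one list present
    if [ -z "$deny" ]; then list_match "$client" "$allow"; return $?; fi
    if [ -z "$allow" ]; then ! list_match "$client" "$deny"; return $?; fi
    # both present: allow wins on conflict, deny applies to the rest,
    # and a host on neither list is still allowed
    if list_match "$client" "$allow"; then return 0; fi
    if list_match "$client" "$deny"; then return 1; fi
    return 0
}
```

The last rule is the one that surprises people: with both lists set, a host on neither list gets in. A deny-by-default policy therefore needs hosts allow on its own, or an explicit catch-all in hosts deny, rather than relying on the presence of a deny list.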

hosts equiv (G)
If this global parameter is a non-null string, it specifies the name of a file to read for the names of hosts and users who will be allowed access without specifying a password.

This is not to be confused with hosts allow, which is about host access to services and is more useful for guest services. hosts equiv may be useful for NT clients which will not supply passwords to Samba.

Note: the use of hosts equiv can be a major security hole. This is because you are trusting the PC to supply the correct username. It is very easy to get a PC to supply a false username. I recommend that the hosts equiv option be used only if you really know what you are doing, or perhaps on a home network where you trust your spouse and kids. And only if you really trust them :-)

Default: no host equivalences

Example: hosts equiv = /etc/hosts.equiv

idmap backend (G)
The purpose of the idmap backend parameter is to allow idmap to NOT use the local idmap tdb file to obtain SID to UID / GID mappings, but instead to obtain them from a common LDAP backend. This way all domain members and controllers will have the same UID and GID to SID mappings. This avoids the risk of UID / GID inconsistencies across UNIX / Linux systems that are sharing information over protocols other than SMB/CIFS (ie: NFS).

Default: idmap backend = <empty string>

Example: idmap backend = ldap:ldap://ldapslave.example.com

idmap gid (G)
The idmap gid parameter specifies the range of group ids that are allocated for the purpose of mapping UNIX groups to NT group SIDs. This range of group ids should have no existing local or NIS groups within it, as strange conflicts can occur otherwise.

The availability of an idmap gid range is essential for correct operation of all group mapping.

Default: idmap gid = <empty string>

Example: idmap gid = 10000-20000

idmap uid (G)
The idmap uid parameter specifies the range of user ids that are allocated for use in mapping UNIX users to NT user SIDs. This range of ids should have no existing local or NIS users within it as strange conflicts can occur otherwise.

Default: idmap uid = <empty string>

Example: idmap uid = 10000-20000

include (G)
This allows you to include one config file inside another. The file is included literally, as though typed in place.

It takes the standard substitutions, except %u, %P and %S.

Default: no file included

Example: include = /usr/local/samba/lib/admin_smb.conf

inherit acls (S)
This parameter can be used to ensure that if default acls exist on parent directories, they are always honored when creating a subdirectory. The default behavior is to use the mode specified when creating the directory. Enabling this option sets the mode to 0777, thus guaranteeing that default directory acls are propagated.

Default: inherit acls = no

inherit permissions (S)
The permissions on new files and directories are normally governed by create mask, directory mask, force create mode and force directory mode but the boolean inherit permissions parameter overrides this.

New directories inherit the mode of the parent directory, including bits such as setgid.

New files inherit their read/write bits from the parent directory. Their execute bits continue to be determined by map archive , map hidden and map system as usual.

Note that the setuid bit is never set via inheritance (the code explicitly prohibits this).

This can be particularly useful on large systems with many users, perhaps several thousand, to allow a single [homes] share to be used flexibly by each user.

See also create mask, directory mask, force create mode and force directory mode.

Default: inherit permissions = no

interfaces (G)
This option allows you to override the default network interfaces list that Samba will use for browsing, name registration and other NBT traffic. By default Samba will query the kernel for the list of all active interfaces and use any interfaces except 127.0.0.1 that are broadcast capable.

The option takes a list of interface strings. Each string can be in any of the following forms:

a network interface name (such as eth0). This may include shell-like wildcards such as eth* to match any interface name beginning with the substring "eth".

an IP address. In this case the netmask is determined from the list of interfaces obtained from the kernel.

an IP/mask pair.

a broadcast/mask pair.

The "mask" parameters can either be a bit length (such as 24 for a C class network) or a full netmask in dotted-decimal form.

The "IP" parameters above can either be a full dotted-decimal IP address or a hostname which will be looked up via the OS's normal hostname resolution mechanisms.

For example, the following line:

interfaces = eth0 192.168.2.10/24 192.168.3.10/255.255.255.0

would configure three network interfaces corresponding to the eth0 device and IP addresses 192.168.2.10 and 192.168.3.10. The netmasks of the latter two interfaces would be set to 255.255.255.0.

See also bind interfaces only.

Default: all active interfaces except 127.0.0.1 that are broadcast capable

invalid users (S)
This is a list of users that should not be allowed to login to this service. This is really a paranoid check to absolutely ensure an improper setting does not breach your security.

A name starting with '@' is interpreted as an NIS netgroup first (if your system supports NIS), and then as a UNIX group if the name was not found in the NIS netgroup database.

A name starting with '+' is interpreted only by looking in the UNIX group database. A name starting with '&' is interpreted only by looking in the NIS netgroup database (this requires NIS to be working on your system). The characters '+' and '&' may be used at the start of the name in either order, so the value +&group means check the UNIX group database followed by the NIS netgroup database, and the value &+group means check the NIS netgroup database followed by the UNIX group database (the same as the '@' prefix).

The current servicename is substituted for %S. This is useful in the [homes] section.

See also valid users.

Default: no invalid users

Example: invalid users = root fred admin @wheel

keepalive (G)
The value of the parameter (an integer) represents the number of seconds between keepalive packets. If this parameter is zero, no keepalive packets will be sent. Keepalive packets, if sent, allow the server to tell whether a client is still present and responding.

Keepalives should, in general, not be needed if the socket being used has the SO_KEEPALIVE attribute set (see socket options). Basically you should only use this option if you strike difficulties.

Default: keepalive = 300

Example: keepalive = 600

kernel change notify (G)
This parameter specifies whether Samba should ask the kernel for change notifications in directories so that SMB clients can refresh whenever the data on the server changes.

This parameter is only used when your kernel supports change notification to user programs, using the F_NOTIFY fcntl.

Default: Yes

kernel oplocks (G)
For UNIXes that support kernel based oplocks (opportunistic locks; currently only IRIX and the Linux 2.4 kernel), this parameter allows the use of them to be turned on or off.

Kernel oplocks support allows Samba oplocks to be broken whenever a local UNIX process or NFS operation accesses a file that smbd(8) has oplocked. This allows complete data consistency between SMB/CIFS, NFS and local file access (and is a very cool feature :-).

This parameter defaults to on, but is translated to a no-op on systems that do not have the necessary kernel support. You should never need to touch this parameter.

See also the oplocks and level2 oplocks parameters.

Default: kernel oplocks = yes

lanman auth (G)
This parameter determines whether or not smbd(8) will attempt to authenticate users using the LANMAN password hash. If disabled, only clients which support NT password hashes (e.g. Windows NT/2000 clients, smbclient, etc... but not Windows 95/98 or the MS DOS network client) will be able to connect to the Samba host.

The LANMAN encrypted response is easily broken, due to its case-insensitive nature, and the choice of algorithm. Servers without Windows 95/98 or MS DOS clients are advised to disable this option.

Unlike the encrypt passwords option, this parameter cannot alter client behaviour, and the LANMAN response will still be sent over the network. See the client lanman auth parameter to disable this for Samba's clients (such as smbclient).

If this option and ntlm auth are both disabled, then only NTLMv2 logins will be permitted. Not all clients support NTLMv2, and most will require special configuration to use it.

Default : lanman auth = yes

large readwrite (G)
This parameter determines whether or not smbd(8) supports the new 64k streaming read and write variant SMB requests introduced with Windows 2000. Note that due to Windows 2000 client redirector bugs this requires Samba to be running on a 64-bit capable operating system such as IRIX, Solaris or a Linux 2.4 kernel. Can improve performance by 10% with Windows 2000 clients. Defaults to on. Not as tested as some other Samba code paths.

Default: large readwrite = yes

ldap admin dn (G)
The ldap admin dn defines the Distinguished Name (DN) used by Samba to contact the ldap server when retrieving user account information. The ldap admin dn is used in conjunction with the admin dn password stored in the private/secrets.tdb file. See the smbpasswd(8) man page for more information on how to accomplish this.

ldap delete dn (G)
This parameter specifies whether a delete operation in the ldapsam deletes the complete entry or only the attributes specific to Samba.

Default: ldap delete dn = no

ldap filter (G)
This parameter specifies the RFC 2254 compliant LDAP search filter. The default is to match the login name with the uid attribute for all entries matching the sambaAccount objectclass. Note that this filter should only return one entry.

Default: ldap filter = (&(uid=%u)(objectclass=sambaAccount))

ldap group suffix (G)
This parameter specifies the suffix that is used for groups when these are added to the LDAP directory. If this parameter is unset, the value of ldap suffix will be used instead.

Default: none

Example: dc=samba,ou=Groups

ldap idmap suffix (G)
This parameter specifies the suffix that is used when storing idmap mappings. If this parameter is unset, the value of ldap suffix will be used instead.

Default: none

Example: ou=Idmap,dc=samba,dc=org

ldap machine suffix (G)
It specifies where machines should be added to the ldap tree.

Default: none

ldap passwd sync (G)
This option is used to define whether or not Samba should sync the LDAP password with the NT and LM hashes for normal accounts (NOT for workstation, server or domain trusts) on a password change via SAMBA.

The ldap passwd sync can be set to one of three values:

Yes = Try to update the LDAP, NT and LM passwords and update the pwdLastSet time.

No = Update NT and LM passwords and update the pwdLastSet time.

Only = Only update the LDAP password and let the LDAP server do the rest.

Default: ldap passwd sync = no

ldap port (G)
This option is only available if Samba has been configured to use the "--with-ldap" compile option.

This option controls the tcp port number used to contact the LDAP server. The default is to use the standard LDAPS port 636.

See also: ldap ssl

Default: ldap port = 636 ; if ldap ssl = on

Default: ldap port = 389 ; if ldap ssl = off

ldap server (G)
This parameter is only available if Samba has been configured to use the "--with-ldapsam" compile option.

This parameter should contain the FQDN of the ldap directory server which should be queried to locate user account information.

Default : ldap server = localhost

ldap ssl (G)
This option is used to define whether or not Samba should use SSL when connecting to the ldap server. This is NOT related to Samba's previous SSL support which was enabled by specifying the --with-ssl option to the configure script.

The ldap ssl can be set to one of three values:

Off = Never use SSL when querying the directory.

Start_tls = Use the LDAPv3 StartTLS extended operation (RFC 2830) for communicating with the directory server.

On = Use SSL on the ldaps port when contacting the ldap server. Only available when the backwards-compatibility --with-ldapsam option is specified to configure. See passdb backend.

Default : ldap ssl = start_tls

ldap suffix (G)
Specifies where user and machine accounts are added to the tree. Can be overridden by the ldap user suffix and ldap machine suffix parameters. It is also used as the base dn for all ldap searches.

Default: none

ldap user suffix (G)
This parameter specifies where users are added to the tree. If this parameter is not specified, the value of ldap suffix is used.

Default: none

level2 oplocks (S)
This parameter controls whether Samba supports level2 (read-only) oplocks on a share.

Level2, or read-only oplocks allow Windows NT clients that have an oplock on a file to downgrade from a read-write oplock to a read-only oplock once a second client opens the file (instead of releasing all oplocks on a second open, as in traditional, exclusive oplocks). This allows all openers of the file that support level2 oplocks to cache the file for read-ahead only (i.e. they may not cache writes or lock requests) and increases performance for many accesses of files that are not commonly written (such as application .EXE files).

Once one of the clients which have a read-only oplock writes to the file, all clients are notified (no reply is needed or waited for), told to break their oplocks to "none", and made to delete any read-ahead caches.

It is recommended that this parameter be turned on to speed access to shared executables.

For more discussion on level2 oplocks see the CIFS spec.

Currently, if kernel oplocks are supported then level2 oplocks are not granted (even if this parameter is set to yes). Note also that the oplocks parameter must be set to yes on this share in order for this parameter to have any effect.

See also the oplocks and kernel oplocks parameters.

Default: level2 oplocks = yes

lm announce (G)
This parameter determines whether nmbd(8) will produce Lanman announce broadcasts, which are needed by OS/2 clients in order for them to see the Samba server in their browse list. This parameter can have three values: yes, no, or auto. The default is auto. If set to no Samba will never produce these broadcasts. If set to yes Samba will produce Lanman announce broadcasts at a frequency set by the parameter lm interval. If set to auto Samba will not send Lanman announce broadcasts by default but will listen for them. If it hears such a broadcast on the wire it will then start sending them at a frequency set by the parameter lm interval.

See also lm interval.

Default: lm announce = auto

Example: lm announce = yes

lm interval (G)
If Samba is set to produce Lanman announce broadcasts needed by OS/2 clients (see the lm announce parameter), then this parameter defines the frequency in seconds with which they will be made. If this is set to zero then no Lanman announcements will be made despite the setting of the lm announce parameter.

See also lm announce.

Default: lm interval = 60

Example: lm interval = 120

load printers (G)
A boolean variable that controls whether all printers in the printcap file will be loaded for browsing by default. See the printers section for more details.

Default: load printers = yes

local master (G)
This option allows nmbd(8) to try and become a local master browser on a subnet. If set to no then nmbd will not attempt to become a local master browser. By default this value is set to yes. Setting this value to yes doesn't mean that Samba will become the local master browser on a subnet, just that nmbd will participate in elections for local master browser.

Setting this value to no will cause nmbd never to become a local master browser.

Default: local master = yes

lock dir (G)
Synonym for lock directory.

lock directory (G)
This option specifies the directory where lock files will be placed. The lock files are used to implement the max connections option.

Default: lock directory = ${prefix}/var/locks

Example: lock directory = /var/run/samba/locks

locking (S)
This controls whether or not locking will be performed by the server in response to lock requests from the client.

If locking = no, all lock and unlock requests will appear to succeed and all lock queries will report that the file in question is available for locking.

If locking = yes, real locking will be performed by the server.

This option may be useful for read-only filesystems which may not need locking (such as CDROM drives), although setting this parameter to no is not really recommended even in this case.

Be careful about disabling locking either globally or in a specific service, as lack of locking may result in data corruption. You should never need to set this parameter.

Default: locking = yes

lock spin count (G)
This parameter controls the number of times that smbd should attempt to gain a byte range lock on the behalf of a client request. Experiments have shown that Windows 2000 servers do not reply with a failure if the lock could not be immediately granted, but try a few more times in case the lock could later be acquired. This behavior is used to support PC database formats such as MS Access and FoxPro.

Default: lock spin count = 3

lock spin time (G)
The time in microseconds that smbd should pause before attempting to gain a failed lock. See lock spin count for more details.

Default: lock spin time = 10

log file (G)
This option allows you to override the name of the Samba log file (also known as the debug file).

This option takes the standard substitutions, allowing you to have separate log files for each user or machine.

Example: log file = /usr/local/samba/var/log.%m

log level (G)
The value of the parameter (a string) allows the debug level (logging level) to be specified in the smb.conf file. This parameter has been extended since the 2.2.x series and now allows the debug level to be specified for multiple debug classes. This allows more flexibility in the configuration of the system.

The default will be the log level specified on the command line, or level zero if none was specified.

Example: log level = 3 passdb:5 auth:10 winbind:2

logon drive (G)
This parameter specifies the local path (a mapped network drive) to which the user's home directory will be connected at logon (see logon home).

Note that this option is only useful if Samba is set up as a logon server.

Default: logon drive = z:

Example: logon drive = h:

logon home (G)
This parameter specifies the home directory location when a Win95/98 or NT Workstation logs into a Samba PDC. It allows you to do

C:\> NET USE H: /HOME

from a command prompt, for example.

This option takes the standard substitutions, allowing you to have separate logon scripts for each user or machine.

This parameter can be used with Win9X workstations to ensure that roaming profiles are stored in a subdirectory of the user's home directory. This is done in the following way:

logon home = \\%N\%U\profile

This tells Samba to return the above string, with substitutions made when a client requests the info, generally in a NetUserGetInfo request. Win9X clients truncate the info to \\server\share when a user does net use /home but use the whole string when dealing with profiles.

Note that in prior versions of Samba, the logon path was returned rather than logon home. This broke net use /home but allowed profiles outside the home directory. The current implementation is correct, and can be used for profiles if you use the above trick.

Note that this option is only useful if Samba is set up as a logon server.

Default: logon home = "\\%N\%U"

Example: logon home = "\\remote_smb_server\%U"

logon path (G)
This parameter specifies the home directory where roaming profiles (NTuser.dat etc files for Windows NT) are stored. Contrary to previous versions of these manual pages, it has nothing to do with Win 9X roaming profiles. To find out how to handle roaming profiles for Win 9X systems, see the logon home parameter.

This option takes the standard substitutions, allowing you to have separate logon scripts for each user or machine. It also specifies the directory from which the "Application Data" (desktop, start menu, network neighborhood, programs and other folders, and their contents) are loaded and displayed on your Windows NT client.

The share and the path must be readable by the user for the preferences and directories to be loaded onto the Windows NT client. The share must be writeable when the user logs in for the first time, in order that the Windows NT client can create the NTuser.dat and other directories.

Thereafter, the directories and any of their contents can, if required, be made read-only. It is not advisable that the NTuser.dat file be made read-only; rename it to NTuser.man to achieve the desired effect (a MANdatory profile).

Windows clients can sometimes maintain a connection to the [homes] share, even though there is no user logged in. Therefore, it is vital that the logon path does not include a reference to the homes share (i.e. setting this parameter to \\%N\homes\profile_path will cause problems).

Note that this option is only useful if Samba is set up as a logon server.

Default: logon path = \\%N\%U\profile

Example: logon path = \\PROFILESERVER\PROFILE\%U

logon script (G)
This parameter specifies the batch file (.bat) or NT command file (.cmd) to be downloaded and run on a machine when a user successfully logs in. The file must contain the DOS style CR/LF line endings. Using a DOS-style editor to create the file is recommended.

The script must be a relative path to the [netlogon] service. If the [netlogon] service specifies a path of /usr/local/samba/netlogon, and logon script = STARTUP.BAT, then the file that will be downloaded is:

/usr/local/samba/netlogon/STARTUP.BAT

The contents of the batch file are entirely your choice. A suggested command would be to add NET TIME \\SERVER /SET /YES, to force every machine to synchronize clocks with the same time server. Another use would be to add NET USE U: \\SERVER\UTILS for commonly used utilities, or

NET USE Q: \\SERVER\ISO9001_QA

for example.

Note that it is particularly important not to allow write access to the [netlogon] share, or to grant users write permission on the batch files in a secure environment, as this would allow the batch files to be arbitrarily modified and security to be breached.

This option takes the standard substitutions, allowing you to have separate logon scripts for each user or machine.

This option is only useful if Samba is set up as a logon server.

Default: no logon script defined

Example: logon script = scripts\%U.bat
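Putting the points above together, here is an added example (not from the original man page) of a [netlogon] share set up so that the logon script can be downloaded by every client but altered by none of them. The path, the script name and the ntadmins group are assumptions; domain logons, write list and browseable are ordinary smb.conf parameters that are not described in this section.

```ini
[global]
        ; Samba is the logon server; the script path is relative to [netlogon]
        domain logons = yes
        logon script = scripts\%U.bat

[netlogon]
        comment = Network Logon Service
        path = /usr/local/samba/netlogon
        ; Clients only ever need to read the scripts they execute.
        read only = yes
        ; Only members of the (assumed) ntadmins group may change them.
        write list = @ntadmins
        ; Anonymous users get nothing, and the share is not advertised.
        guest ok = no
        browseable = no
```

Samba cannot grant more than the filesystem allows, so keep the netlogon directory owned by root with mode 0755 and the scripts mode 0644 as well. A logon script is executed on every workstation at every logon, so whoever can write it runs code on every client that logs on.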

lppause command (S)
This parameter specifies the command to be executed on the server host in order to stop printing or spooling a specific print job.

This command should be a program or script which takes a printer name and job number to pause the print job. One way of implementing this is by using job priorities, where jobs having a too low priority won't be sent to the printer.

If a %p is given then the printer name is put in its place. A %j is replaced with the job number (an integer). On HPUX (see printing=hpux), if the -p%p option is added to the lpq command, the job will show up with the correct status, i.e. if the job priority is lower than the set fence priority it will have the PAUSED status, whereas if the priority is equal or higher it will have the SPOOLED or PRINTING status.

Note that it is good practice to include the absolute path in the lppause command as the PATH may not be available to the server.

See also the printing parameter.

Default: Currently no default value is given to this string, unless the value of the printing parameter is SYSV, in which case the default is:

lp -i %p-%j -H hold

or if the value of the printing parameter is softq, then the default is:

qstat -s -j%j -h

Example for HPUX: lppause command = /usr/bin/lpalt %p-%j -p0

lpq cache time (G)
This controls how long lpq info will be cached for to prevent the lpq command being called too often. A separate cache is kept for each variation of the lpq command used by the system, so if you use different lpq commands for different users then they won't share cache information.

The cache files are stored in /tmp/lpq.xxxx where xxxx is a hash of the lpq command in use.

The default is 10 seconds, meaning that the cached results of a previous identical lpq command will be used if the cached data is less than 10 seconds old. A larger value may be advisable if your lpq command is very slow.

A value of 0 will disable caching completely.

See also the printing parameter.

Default: lpq cache time = 10

Example: lpq cache time = 30

lpq command (S)
This parameter specifies the command to be executed on the server host in order to obtain lpq-style printer status information.

This command should be a program or script which takes a printer name as its only parameter and outputs printer status information.

Currently nine styles of printer status information are supported: CUPS, BSD, AIX, LPRNG, PLP, SYSV, HPUX, QNX and SOFTQ. This covers most UNIX systems. You control which type is expected using the printing = option.

Some clients (notably Windows for Workgroups) may not correctly send the connection number for the printer they are requesting status information about. To get around this, the server reports on the first printer service connected to by the client. This only happens if the connection number sent is invalid.

If a %p is given then the printer name is put in its place. Otherwise it is placed at the end of the command.

Note that it is good practice to include the absolute path in the lpq command as the PATH may not be available to the server. When compiled with the CUPS libraries, no lpq command is needed because smbd will make a library call to obtain the print queue listing.

See also the printing parameter.

Default: depends on the setting of printing

Example: lpq command = /usr/bin/lpq -P%p

lpresume command (S)
This parameter specifies the command to be executed on the server host in order to restart or continue printing or spooling a specific print job.

This command should be a program or script which takes a printer name and job number to resume the print job. See also the lppause command parameter.

If a %p is given then the printer name is put in its place. A %j is replaced with the job number (an integer).

Note that it is good practice to include the absolute path in the lpresume command as the PATH may not be available to the server.

See also the printing parameter.

Default: Currently no default value is given to this string, unless the value of the printing parameter is SYSV, in which case the default is:

lp -i %p-%j -H resume

or if the value of the printing parameter is SOFTQ, then the default is:

qstat -s -j%j -r

Example for HPUX: lpresume command = /usr/bin/lpalt %p-%j -p2

lprm command (S)
This parameter specifies the command to be executed on the server host in order to delete a print job.

This command should be a program or script which takes a printer name and job number, and deletes the print job.

If a %p is given then the printer name is put in its place. A %j is replaced with the job number (an integer).

Note that it is good practice to include the absolute path in the lprm command as the PATH may not be available to the server.

See also the printing parameter.

Default: depends on the setting of printing

Example 1: lprm command = /usr/bin/lprm -P%p %j

Example 2: lprm command = /usr/bin/cancel %p-%j

machine password timeout (G)
If a Samba server is a member of a Windows NT Domain (see the security = domain parameter) then periodically a running smbd process will try and change the MACHINE ACCOUNT PASSWORD stored in the TDB called private/secrets.tdb. This parameter specifies how often this password will be changed, in seconds. The default is one week (expressed in seconds), the same as a Windows NT Domain member server.

See also smbpasswd(8), and the security = domain parameter.

Default: machine password timeout = 604800

magic output (S)
This parameter specifies the name of a file which will contain output created by a magic script (see the magic script parameter below).

Warning: If two clients use the same magic script in the same directory the output file content is undefined.

Default: magic output = <magic script name>.out

Example: magic output = myfile.txt

magic script (S)
This parameter specifies the name of a file which, if opened, will be executed by the server when the file is closed. This allows a UNIX script to be sent to the Samba host and executed on behalf of the connected user. Because the script runs with the UNIX identity of that user, enabling this on a share is equivalent to giving everyone who can write to the share the ability to run commands on the host.

Scripts executed in this way will be deleted upon completion if permissions allow.

If the script generates output, output will be sent to the file specified by the magic output parameter (see above).

Note that some shells are unable to interpret scripts containing CR/LF instead of CR as the end-of-line marker. Magic scripts must be executable as is on the host, which for some hosts and some shells will require filtering at the DOS end.

Magic scripts are EXPERIMENTAL and should NOT be relied upon.

Default: None. Magic scripts disabled.

Example: magic script = user.csh

mangle case (S)
See the section on NAME MANGLING.

Default: mangle case = no

mangled map (S)
This is for those who want to directly map UNIX file names which cannot be represented on Windows/DOS. The mangling of names is not always what is needed. In particular you may have documents with file extensions that differ between DOS and UNIX. For example, under UNIX it is common to use .html for HTML files, whereas under Windows/DOS .htm is more commonly used.

So to map html to htm you would use:

mangled map = (*.html *.htm)

One very useful case is to remove the annoying ;1 off the ends of filenames on some CDROMs (only visible under some UNIXes). To do this use a map of (*;1 *;).

Default: no mangled map

Example: mangled map = (*;1 *;)

mangled names (S)
This controls whether non-DOS names under UNIX should be mapped to DOS-compatible names ("mangled") and made visible, or whether non-DOS names should simply be ignored.

See the section on NAME MANGLING for details on how to control the mangling process.

If mangling is used then the mangling algorithm is as follows:

The first (up to) five alphanumeric characters before the rightmost dot of the filename are preserved, forced to upper case, and appear as the first (up to) five characters of the mangled name.

A tilde "~" is appended to the first part of the mangled name, followed by a two-character unique sequence, based on the original root name (i.e., the original filename minus its final extension). The final extension is included in the hash calculation only if it contains any upper case characters or is longer than three characters.

Note that the character to use may be specified using the mangling char option, if you don't like '~'.

The first three alphanumeric characters of the final extension are preserved, forced to upper case and appear as the extension of the mangled name. The final extension is defined as that part of the original filename after the rightmost dot. If there are no dots in the filename, the mangled name will have no extension (except in the case of hidden files, see below).

Files whose UNIX name begins with a dot will be presented as DOS hidden files. The mangled name will be created as for other filenames, but with the leading dot removed and "___" as its extension regardless of the actual original extension (that's three underscores).

The two-digit hash value consists of upper case alphanumeric characters.

This algorithm can cause name collisions only if files in a directory share the same first five alphanumeric characters. The probability of such a clash is 1/1300.

The name mangling (if enabled) allows a file to be copied between UNIX directories from Windows/DOS while retaining the long UNIX filename. UNIX files can be renamed to a new extension from Windows/DOS and will retain the same basename. Mangled names do not change between sessions.

Default: mangled names = yes
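To make the steps above concrete, here is an added example (not Samba source) that follows the algorithm as described: five upper-cased alphanumerics, the mangling character, a two-character hash, and the "___" extension for dot-files. The two-character hash is a CRC32-based stand-in chosen here (an assumption); Samba's own hash function is different, so the ~XX part will not match what a live smbd returns, but the structure, the 36x36 = 1296 hash buckets behind the 1/1300 collision figure, and the hidden-file rule are the same.

```python
"""Illustrative 8.3 name mangling following the steps listed above.

Added example, not Samba code.  two_char_hash() is a CRC32-based stand-in
(assumption); Samba's real hash differs, so the ~XX part will not match a
live server.
"""
import string
import zlib

HASH_ALPHABET = string.ascii_uppercase + string.digits   # 36 symbols, 36*36 = 1296 buckets


def split_name(name: str):
    """Split on the rightmost dot: ('report.final', 'html') or ('Makefile', '')."""
    root, dot, ext = name.rpartition(".")
    return (root, ext) if dot else (name, "")


def needs_mangling(name: str) -> bool:
    """True unless the name is already a legal upper-case 8.3 DOS name."""
    if name.startswith(".") or name.count(".") > 1:
        return True
    root, ext = split_name(name)
    return (len(root) > 8 or len(ext) > 3
            or any(c.islower() or c.isspace() for c in name))


def two_char_hash(text: str) -> str:
    """Stand-in for Samba's hash: CRC32 reduced to two base-36 characters."""
    n = len(HASH_ALPHABET)
    h = zlib.crc32(text.encode("utf-8")) % (n * n)
    return HASH_ALPHABET[h // n] + HASH_ALPHABET[h % n]


def mangle(name: str, mangling_char: str = "~") -> str:
    """Produce the 8.3 form: PREFIX~XX.EXT, or PREFIX~XX.___ for dot-files."""
    hidden = name.startswith(".")
    root, ext = split_name(name[1:] if hidden else name)
    # The extension feeds the hash only when it is 'odd': upper case or > 3 chars
    odd_ext = bool(ext) and (len(ext) > 3 or any(c.isupper() for c in ext))
    hashed = root + "." + ext if odd_ext else root
    prefix = "".join(c for c in root if c.isalnum())[:5].upper()
    base = prefix + mangling_char + two_char_hash(hashed)
    if hidden:
        return base + ".___"
    if ext:
        return base + "." + "".join(c for c in ext if c.isalnum())[:3].upper()
    return base


def mangle_listing(names):
    """Map each name to what a DOS client would see; legal 8.3 names pass through."""
    return {n: (mangle(n) if needs_mangling(n) else n) for n in names}


if __name__ == "__main__":
    for long_name, short_name in mangle_listing(
            ["README.TXT", "longfilename.html", ".bashrc", "Makefile"]).items():
        print(f"{long_name:20} -> {short_name}")
```

Two names whose first five alphanumerics and hash collide map to the same 8.3 name, which is why the mangled stack parameter below exists: the server has to remember which long name a given short name was handed out for.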

mangled stack (G)
This parameter controls the number of mangled names that should be cached in the Samba server smbd(8).

This stack is a list of recently mangled base names (extensions are only maintained if they are longer than 3 characters or contain upper case characters).

The larger this value, the more likely it is that mangled names can be successfully converted to correct long UNIX names. However, large stack sizes will slow most directory accesses. Smaller stacks save memory in the server (each stack element costs 256 bytes).

It is not possible to absolutely guarantee correct long filenames, so be prepared for some surprises!

Default: mangled stack = 50

Example: mangled stack = 100

mangle prefix (G)
Controls the number of prefix characters from the original name used when generating the mangled names. A larger value will give a weaker hash and therefore more name collisions. The minimum value is 1 and the maximum value is 6.

mangle prefix is effective only when mangling method is hash2.

Default: mangle prefix = 1

Example: mangle prefix = 4

mangling char (S)
This controls what character is used as the magic character in name mangling. The default is a '~' but this may interfere with some software. Use this option to set it to whatever you prefer.

Default: mangling char = ~

Example: mangling char = ^

mangling method (G)
Controls the algorithm used for generating the mangled names. Can take two different values, "hash" and "hash2". "hash" is the algorithm that has been used in Samba for many years. "hash2" is newer and is considered a better algorithm (it generates fewer collisions) in the names. However, many Win32 applications store the mangled names and so changing to the new algorithm must not be done lightly as these applications may break unless reinstalled.

Default: mangling method = hash2

Example: mangling method = hash

map acl inherit (S)
This boolean parameter controls whether smbd(8) will attempt to map the 'inherit' and 'protected' access control entry flags stored in Windows ACLs into an extended attribute called user.SAMBA_PAI. This parameter only takes effect if Samba is being run on a platform that supports extended attributes (Linux and IRIX so far) and allows the Windows 2000 ACL editor to correctly use inheritance with the Samba POSIX ACL mapping code.

Default: map acl inherit = no

map archive (S)
This controls whether the DOS archive attribute should be mapped to the UNIX owner execute bit. The DOS archive bit is set when a file has been modified since its last backup. One motivation for this option is to keep Samba/your PC from making any file it touches become executable under UNIX. This can be quite annoying for shared source code, documents, etc...

Note that this requires the create mask parameter to be set such that the owner execute bit is not masked out (i.e. it must include 100). See the parameter create mask for details.

Default: map archive = yes

map hidden (S)
This controls whether DOS style hidden files should be mapped to the UNIX world execute bit.

Note that this requires the create mask to be set such that the world execute bit is not masked out (i.e. it must include 001). See the parameter create mask for details.

Default: map hidden = no

map system (S)
This controls whether DOS style system files should be mapped to the UNIX group execute bit.

Note that this requires the create mask to be set such that the group execute bit is not masked out (i.e. it must include 010). See the parameter create mask for details.

Default: map system = no

map to guest (G)
This parameter is only useful in security modes other than security = share, i.e. user, server, and domain.

This parameter can take three different values, which tell smbd(8) what to do with user login requests that don't match a valid UNIX user in some way.

The three settings are:

Never - Means user login requests with an invalid password are rejected. This is the default.

Bad User - Means user logins with an invalid password are rejected, unless the username does not exist, in which case it is treated as a guest login and mapped into the guest account.

Bad Password - Means user logins with an invalid password are treated as a guest login and mapped into the guest account. Note that this can cause problems as it means that any user incorrectly typing their password will be silently logged on as "guest" and will not know the reason they cannot access files they think they should; there will have been no message given to them that they got their password wrong. Helpdesk services will hate you if you set the map to guest parameter this way :-).

Note that this parameter is needed to set up "Guest" share services when using security modes other than share. This is because in these modes the name of the resource being requested is not sent to the server until after the server has successfully authenticated the client, so the server cannot make authentication decisions at the correct time (connection to the share) for "Guest" shares.

For people familiar with the older Samba releases, this parameter maps to the old compile-time setting of the GUEST_SESSSETUP value in local.h.

Default: map to guest = Never

Example: map to guest = Bad User

max connections (S)
This option allows the number of simultaneous connections to a service to be limited. If max connections is greater than 0 then connections will be refused if this number of connections to the service are already open. A value of zero means an unlimited number of connections may be made.

Record lock files are used to implement this feature. The lock files will be stored in the directory specified by the lock directory option.

Default: max connections = 0

Example: max connections = 10

max disk size (G)
This option allows you to put an upper limit on the apparent size of disks. If you set this option to 100 then all shares will appear to be no larger than 100 MB in size.

Note that this option does not limit the amount of data you can put on the disk. In the above case you could still store much more than 100 MB on the disk, but if a client ever asks for the amount of free disk space or the total disk size then the result will be bounded by the amount specified in max disk size.

This option is primarily useful to work around bugs in some pieces of software that can't handle very large disks, particularly disks over 1 GB in size.

A max disk size of 0 means no limit.

Default: max disk size = 0

Example: max disk size = 1000

max log size (G)
This option (an integer in kilobytes) specifies the maximum size the log file should grow to. Samba periodically checks the size and if it is exceeded it will rename the file, adding a .old extension.

A size of 0 means no limit.

Default: max log size = 5000

Example: max log size = 1000

max mux (G)
This option controls the maximum number of outstanding simultaneous SMB operations that Samba tells the client it will allow. You should never need to set this parameter.

Default: max mux = 50

max open files (G)
This parameter limits the maximum number of open files that one smbd(8) file serving process may have open for a client at any one time. The default for this parameter is set very high (10,000) as Samba uses only one bit per unopened file.

The limit on the number of open files is usually set by the UNIX per-process file descriptor limit rather than this parameter, so you should never need to touch this parameter.

Default: max open files = 10000

max print jobs (S)
This parameter limits the maximum number of jobs allowable in a Samba printer queue at any given moment. If this number is exceeded, smbd(8) will return "Out of Space" to the client. See also total print jobs.

Default: max print jobs = 1000

Example: max print jobs = 5000

max protocol (G)
The value of the parameter (a string) is the highest protocol level that will be supported by the server.

Possible values are:

CORE: Earliest version. No concept of user names.

COREPLUS: Slight improvements on CORE for efficiency.

LANMAN1: First modern version of the protocol. Long filename support.

LANMAN2: Updates to the LANMAN1 protocol.

NT1: Current up to date version of the protocol. Used by Windows NT. Known as CIFS.

Normally this option should not be set as the automatic negotiation phase in the SMB protocol takes care of choosing the appropriate protocol.

See also min protocol

Default: max protocol = NT1

Example: max protocol = LANMAN1

max reported print jobs (S)
This parameter limits the maximum number of jobs displayed in a port monitor for a Samba printer queue at any given moment. If this number is exceeded, the excess jobs will not be shown. A value of zero means there is no limit on the number of print jobs reported. See also the total print jobs and max print jobs parameters.

Default: max reported print jobs = 0

Example: max reported print jobs = 1000

max smbd processes (G)
This parameter limits the maximum number of smbd(8) processes concurrently running on a system and is intended as a stopgap to prevent degrading service to clients in the event that the server has insufficient resources to handle more than this number of connections. Remember that under normal operating conditions, each user will have an smbd(8) associated with him or her to handle connections to all shares from a given host.

Default: max smbd processes = 0 ## no limit

Example: max smbd processes = 1000

max ttl (G)
This option tells nmbd(8) what the default 'time to live' of NetBIOS names should be (in seconds) when nmbd is requesting a name using either a broadcast packet or from a WINS server. You should never need to change this parameter. The default is 3 days.

Default: max ttl = 259200

max wins ttl (G)
This option tells nmbd(8), when acting as a WINS server (wins support = yes), the maximum 'time to live' of NetBIOS names that nmbd will grant (in seconds). You should never need to change this parameter. The default is 6 days (518400 seconds).

See also the min wins ttl parameter.

Default: max wins ttl = 518400

max xmit (G)
This option controls the maximum packet size that will be negotiated by Samba. The default is 65535, which is the maximum. In some cases you may find you get better performance with a smaller value. A value below 2048 is likely to cause problems.

Default: max xmit = 65535

Example: max xmit = 8192

message command (G)
This specifies what command to run when the server receives a WinPopup style message.

This would normally be a command that would deliver the message somehow. How this is to be done is up to your imagination.

An example is:

message command = csh -c 'xedit %s;rm %s' &

This delivers the message using xedit, then removes it afterwards. NOTE THAT IT IS VERY IMPORTANT THAT THIS COMMAND RETURN IMMEDIATELY. That is why the example ends with '&'. If it doesn't return immediately then your PCs may freeze when sending messages (they should recover after 30 seconds, hopefully).

All messages are delivered as the global guest user. The command takes the standard substitutions, although %u won't work (%U may be better in this case).

Apart from the standard substitutions, some additional ones apply. In particular:

%s = the filename containing the message.

%t = the destination that the message was sent to (probably the server name).

%f = who the message is from.

You could make this command send mail, or whatever else takes your fancy. Please let the developers know of any really interesting ideas you have.

Here's a way of sending the messages as mail to root:

message command = /bin/mail -s 'message from %f on %m' root < %s; rm %s

If you don't have a message command then the message won't be delivered and Samba will tell the sender there was an error. Unfortunately WfWg (Windows for Workgroups) totally ignores the error code and carries on regardless, saying that the message was delivered.

If you want to silently delete it then try:

message command = rm %s

Default: no message command

Example: message command = csh -c 'xedit %s; rm %s' &

min passwd length (G)
Synonym for min password length.

min password length (G)
This option sets the minimum length in characters of a plaintext password that smbd will accept when performing UNIX password changing.

See also unix password sync, passwd program and passwd chat debug.

Default: min password length = 5

min print space (S)
This sets the minimum amount of free disk space that must be available before a user will be able to spool a print job. It is specified in kilobytes. The default is 0, which means a user can always spool a print job.

See also the printing parameter.

Default: min print space = 0

Example: min print space = 2000

min protocol (G)
The value of the parameter (a string) is the lowest SMB protocol dialect that Samba will support. Please refer to the max protocol parameter for a list of valid protocol names and a brief description of each. You may also wish to refer to the C source code in source/smbd/negprot.c for a listing of known protocol dialects supported by clients.

If you are viewing this parameter as a security measure, you should also refer to the lanman auth parameter. Otherwise, you should never need to change this parameter.

Default: min protocol = CORE

Example: min protocol = NT1 # disable DOS clients

min wins ttl (G)
This option tells nmbd(8), when acting as a WINS server (wins support = yes), the minimum 'time to live' of NetBIOS names that nmbd will grant (in seconds). You should never need to change this parameter. The default is 6 hours (21600 seconds).

Default: min wins ttl = 21600

msdfs proxy (S)
This parameter indicates that the share is a stand-in for another CIFS share whose location is specified by the value of the parameter. When clients attempt to connect to this share, they are redirected to the proxied share using the SMB-Dfs protocol.

Only Dfs roots can act as proxy shares. Take a look at the msdfs root and host msdfs options to find out how to set up a Dfs root share.

Example: msdfs proxy = \\otherserver\someshare

msdfs root (S)
If set to yes, Samba treats the share as a Dfs root and allows clients to browse the distributed file system tree rooted at the share directory. Dfs links are specified in the share directory by symbolic links of the form msdfs:serverA\\shareA,serverB\\shareB and so on. For more information on setting up a Dfs tree on Samba, refer to ???.

See also host msdfs

Default: msdfs root = no

name cache timeout (G)
Specifies the number of seconds it takes before entries in Samba's hostname resolve cache time out. If the timeout is set to 0, the caching is disabled.

Default: name cache timeout = 660

Example: name cache timeout = 0

name resolve order (G)
This option is used by the programs in the Samba suite to determine what naming services to use and in what order to resolve host names to IP addresses. Its main purpose is to control how netbios name resolution is performed. The option takes a space separated string of name resolution options.

The options are: "lmhosts", "host", "wins" and "bcast". They cause names to be resolved as follows:

lmhosts : Lookup an IP address in the Samba lmhosts file. If the line in lmhosts has no name type attached to the NetBIOS name (see lmhosts(5) for details) then any name type matches for lookup.

host : Do a standard host name to IP address resolution, using the system /etc/hosts, NIS, or DNS lookups. This method of name resolution is operating system dependent; for instance on IRIX or Solaris this may be controlled by the /etc/nsswitch.conf file. Note that this method is only used if the NetBIOS name type being queried is the 0x20 (server) name type or 0x1c (domain controllers), otherwise it is ignored. The latter case is useful only in Active Directory domains, where a DNS lookup for the SRV RR entry matching _ldap._tcp.domain is performed.

wins : Query a name with the IP address listed in the wins server parameter. If no WINS server has been specified this method will be ignored.

bcast : Do a broadcast on each of the known local interfaces listed in the interfaces parameter. This is the least reliable of the name resolution methods as it depends on the target host being on a locally connected subnet.

Default: name resolve order = lmhosts host wins bcast

Example: name resolve order = lmhosts bcast host

This will cause the local lmhosts file to be examined first, followed by a broadcast attempt, followed by a normal system hostname lookup.

When Samba is functioning in ADS security mode (security = ads) it is advised to use the following settings for name resolve order:

name resolve order = wins bcast

DC lookups will still be done via DNS, but fallbacks to netbios names will not inundate your DNS servers with needless queries for DOMAIN<0x1c> lookups.

netbios aliases (G)
This is a list of NetBIOS names that nmbd will advertise as additional names by which the Samba server is known. This allows one machine to appear in browse lists under multiple names. If a machine is acting as a browse server or logon server none of these names will be advertised as either browse server or logon server; only the primary name of the machine will be advertised with these capabilities.

See also the netbios name parameter.

Default: empty string (no additional names)

Example: netbios aliases = TEST TEST1 TEST2

netbios name (G)
This sets the NetBIOS name by which a Samba server is known. By default it is the same as the first component of the host's DNS name. If a machine is a browse server or logon server this name (or the first component of the host's DNS name) will be the name that these services are advertised under.

See also the netbios aliases parameter.

Default: machine DNS name

Example: netbios name = MYNAME

netbios scope (G)
This sets the NetBIOS scope that Samba will operate under. This should not be set unless every machine on your LAN also sets this value.

nis homedir (G)
Get the home share server from a NIS map. For UNIX systems that use an automounter, the user's home directory will often be mounted on a workstation on demand from a remote server.

When the Samba logon server is not the actual home directory server, but is mounting the home directories via NFS, then two network hops would be required to access the user's home directory if the logon server told the client to use itself as the SMB server for home directories (one over SMB and one over NFS). This can be very slow.

This option allows Samba to return the home share as being on a different server to the logon server, and as long as a Samba daemon is running on the home directory server it will be mounted on the Samba client directly from the directory server. When Samba is returning the home share to the client, it will consult the NIS map specified in the homedir map parameter and return the server listed there.

Note that for this option to work there must be a working NIS system and the Samba server with this option must also be a logon server.

Default: nis homedir = no

nt acl support (S)
This boolean parameter controls whether smbd(8) will attempt to map UNIX permissions into Windows NT access control lists. This parameter was a global parameter in releases prior to 2.2.2.

Default: nt acl support = yes

ntlm auth (G)
This parameter determines whether or not smbd(8) will attempt to authenticate users using the NTLM encrypted password response. If disabled, either the lanman password hash or an NTLMv2 response will need to be sent by the client.

If this option and lanman auth are both disabled, then only NTLMv2 logins will be permitted. Not all clients support NTLMv2, and most will require special configuration to use it.

Default: ntlm auth = yes

nt pipe support (G)
This boolean parameter controls whether smbd(8) will allow Windows NT clients to connect to the NT SMB specific IPC$ pipes. This is a developer debugging option and can be left alone.

Default: nt pipe support = yes

nt status support (G)
This boolean parameter controls whether smbd(8) will negotiate NT specific status support with Windows NT/2k/XP clients. This is a developer debugging option and should be left alone. If this option is set to no then Samba offers exactly the same DOS error codes that versions prior to Samba 2.2.3 reported.

You should not need to ever disable this parameter.

Default: nt status support = yes

null passwords (G)
Allow or disallow client access to accounts that have null passwords.

See also smbpasswd(5).

Default: null passwords = no

obey pam restrictions (G)
When Samba 3.0 is configured to enable PAM support (i.e. --with-pam), this parameter will control whether or not Samba should obey PAM's account and session management directives. The default behavior is to use PAM for clear text authentication only and to ignore any account or session management. Note that Samba always ignores PAM for authentication in the case of encrypt passwords = yes. The reason is that PAM modules cannot support the challenge/response authentication mechanism needed in the presence of SMB password encryption.

Default: obey pam restrictions = no

only guest (S)
Synonym for guest only.

only user (S)
This is a boolean option that controls whether connections with usernames not in the user list will be allowed. By default this option is disabled so that a client can supply a username to be used by the server. Enabling this parameter will force the server to only use the login names from the user list and is only really useful in share level security.

Note that this also means Samba won't try to deduce usernames from the service name. This can be annoying for the [homes] section. To get around this you could use user = %S, which means your user list will be just the service name, which for home directories is the name of the user.

See also the user parameter.

Default: only user = no

oplock break wait time (G)
This is a tuning parameter added due to bugs in both Windows 9x and WinNT. If Samba responds to a client too quickly when that client issues an SMB that can cause an oplock break request, then the network client can fail and not respond to the break request. This tuning parameter (which is set in milliseconds) is the amount of time Samba will wait before sending an oplock break request to such (broken) clients.

DO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ AND UNDERSTOOD THE SAMBA OPLOCK CODE.

Default: oplock break wait time = 0

oplock contention limit (S)
This is a very advanced smbd(8) tuning option to improve the efficiency of the granting of oplocks under multiple client contention for the same file.

In brief it specifies a number which causes smbd(8) not to grant an oplock, even when requested, if the approximate number of clients contending for an oplock on the same file goes over this limit. This causes smbd to behave in a similar way to Windows NT.

DO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ AND UNDERSTOOD THE SAMBA OPLOCK CODE.

Default: oplock contention limit = 2

oplocks (S)
This boolean option tells smbd whether to issue oplocks (opportunistic locks) to file open requests on this share. The oplock code can dramatically (approx. 30% or more) improve the speed of access to files on Samba servers. It allows the clients to aggressively cache files locally, and you may want to disable this option for unreliable network environments (it is turned on by default in Windows NT Servers). For more information see the file Speed.txt in the Samba docs/ directory.

Oplocks may be selectively turned off on certain files within a share. See the veto oplock files parameter. On some systems oplocks are recognized by the underlying operating system. This allows data synchronization between all access to oplocked files, whether it be via Samba or NFS or a local UNIX process. See the kernel oplocks parameter for details.

See also the kernel oplocks and level2 oplocks parameters.

Default: oplocks = yes

os2 driver map (G)
The parameter is used to define the absolute path to a file containing a mapping of Windows NT printer driver names to OS/2 printer driver names. The format is:

<nt driver name> = <os2 driver name>.<device name>

For example, a valid entry using the HP LaserJet 5 printer driver would appear as HP LaserJet 5L = LASERJET.HP LaserJet 5L.

The need for the file is due to the printer driver namespace problem described in ???. For more details on OS/2 clients, please refer to ???.

Default: os2 driver map = <empty string>

os level (G)
This integer value controls what level Samba advertises itself as for browse elections. The value of this parameter determines whether nmbd(8) has a chance of becoming a local master browser for the WORKGROUP in the local broadcast area.

Note: By default, Samba will win a local master browsing election over all Microsoft operating systems except a Windows NT 4.0/2000 Domain Controller. This means that a misconfigured Samba host can effectively isolate a subnet for browsing purposes. See BROWSING.txt in the Samba docs/ directory for details.

Default: os level = 20

Example: os level = 65

pam password change (G)
With the addition of better PAM support in Samba 2.2, this parameter makes it possible to use PAM's password change control flag for Samba. If enabled, then PAM will be used for password changes when requested by an SMB client instead of the program listed in passwd program. It should be possible to enable this without changing your passwd chat parameter for most setups.

Default: pam password change = no

panic action (G)
This is a Samba developer option that allows a system command to be called when either smbd(8) or nmbd(8) crashes. This is usually used to draw attention to the fact that a problem occurred.

Default: panic action = <empty string>

Example: panic action = "/bin/sleep 90000"

paranoid server security (G)
Some versions of NT 4.x allow non-guest users with a bad password. When this option is enabled, Samba will not use a broken NT 4.x server as password server, but instead complain to the logs and exit.

Disabling this option prevents Samba from making this check, which involves deliberately attempting a bad logon to the remote server.

Default: paranoid server security = yes

passdb backend (G)
This option allows the administrator to choose which backends to retrieve and store passwords with. This allows (for example) both smbpasswd and tdbsam to be used without a recompile. Multiple backends can be specified, separated by spaces. The backends will be searched in the order they are specified. New users are always added to the first backend specified.

This parameter is in two parts, the backend's name, and a 'location' string that has meaning only to that particular backend. These are separated by a : character.

Available backends can include:

smbpasswd - The default smbpasswd backend. Takes a path to the smbpasswd file as an optional argument.

tdbsam - The TDB based password storage backend. Takes a path to the TDB as an optional argument (defaults to passdb.tdb in the private dir directory).

ldapsam - The LDAP based passdb backend. Takes an LDAP URL as an optional argument (defaults to ldap://localhost). LDAP connections should be secured where possible. This may be done using either Start-TLS (see ldap ssl) or by specifying ldaps:// in the URL argument.

nisplussam - The NIS+ based passdb backend. Takes the NIS domain name as an optional argument. Only works with Sun NIS+ servers.

mysql - The MySQL based passdb backend. Takes an identifier as argument. Read the Samba HOWTO Collection for configuration details.

Default: passdb backend = smbpasswd

Example: passdb backend = tdbsam:/etc/samba/private/passdb.tdb smbpasswd:/etc/samba/smbpasswd

Example: passdb backend = ldapsam:ldaps://ldap.example.com

Example: passdb backend = mysql:my_plugin_args tdbsam
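Tying the ldapsam backend to the ldap ssl and ldap suffix parameters described earlier, here is an added example (not from the original man page) of a [global] section with the clear-text LDAP variant left commented out beside the two protected forms. The host name, suffixes and admin dn are assumptions; ldap admin dn is a standard parameter not described in this section.

```ini
[global]
        ; Rejected: admin bind credentials and SMB password hashes cross the wire in clear
        ;passdb backend = ldapsam:ldap://ldap.example.com
        ;ldap ssl = off

        ; Preferred: same URL and port, upgraded with the StartTLS extended operation
        passdb backend = ldapsam:ldap://ldap.example.com
        ldap ssl = start_tls
        ldap suffix = dc=example,dc=com
        ldap user suffix = ou=People
        ldap machine suffix = ou=Computers
        ldap admin dn = cn=samba,ou=Services,dc=example,dc=com

        ; Alternative when the directory only offers a dedicated TLS port: the URL
        ; scheme carries the protection, so do not also request StartTLS on that port
        ;passdb backend = ldapsam:ldaps://ldap.example.com
        ;ldap ssl = off
```

The password for ldap admin dn is not written into smb.conf; it is stored with smbpasswd -w in secrets.tdb, the same file that holds the machine account password mentioned under machine password timeout.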

passwd chat (G)
This string controls the "chat" conversation that takes place between smbd(8) and the local password changing program to change the user's password. The string describes a sequence of response-receive pairs that smbd(8) uses to determine what to send to the passwd program and what to expect back. If the expected output is not received then the password is not changed.

This chat sequence is often quite site specific, depending on what local methods are used for password control (such as NIS etc).

Note that this parameter is only used if the unix password sync parameter is set to yes. This sequence is then called AS ROOT when the SMB password in the smbpasswd file is being changed, without access to the old password cleartext. This means that root must be able to reset the user's password without knowing the text of the previous password. In the presence of NIS/YP, this means that the passwd program must be executed on the NIS master.

The string can contain the macro %n which is substituted for the new password (the example below also uses %o for the old password, where the client supplied it). The chat sequence can also contain the standard macros \n, \r, \t and \s to give line-feed, carriage-return, tab and space. The chat sequence string can also contain a '*' which matches any sequence of characters. Double quotes can be used to collect strings with spaces in them into a single string.

If the send string in any part of the chat sequence is a full stop ".", then no string is sent. Similarly, if the expect string is a full stop then no string is expected.

If the pam password change parameter is set to yes, the chat pairs may be matched in any order, and success is determined by the PAM result, not any particular output. The \n macro is ignored for PAM conversions.

See also unix password sync, passwd program, passwd chat debug and pam password change.

Default: passwd chat = *new*password* %n\n *new*password* %n\n *changed*

Example: passwd chat = "*Enter OLD password*" %o\n "*Enter NEW password*" %n\n "*Reenter NEW password*" %n\n "*Password changed*"
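The following added example (not Samba code) parses a passwd chat string the way the description above lays it out and replays it against a constructed transcript of what a passwd program might print. It lets an administrator check a chat script on the desk before turning on passwd chat debug, which writes the plaintext passwords into the smbd log. Case-insensitive wildcard matching and the alternating expect/send order are how the text above is read here; the sample transcript lines are invented for the example.

```python
"""Parse and dry-run an smb.conf 'passwd chat' script.

Added example, not Samba code.  Tokenises the chat string (double-quoted
strings, '*' wildcards, '.' for send/expect nothing, %n/%o macros and the
\\n \\r \\t \\s escapes) and replays it against a constructed transcript.
"""
import fnmatch

ESCAPES = {"\\n": "\n", "\\r": "\r", "\\t": "\t", "\\s": " "}


class ChatError(Exception):
    """Raised when the passwd program's output does not match the script."""


def tokenize(chat: str):
    """Split on whitespace, keeping "double quoted strings" as one token."""
    tokens, i, n = [], 0, len(chat)
    while i < n:
        if chat[i].isspace():
            i += 1
        elif chat[i] == '"':
            end = chat.index('"', i + 1)          # ValueError on an unbalanced quote
            tokens.append(chat[i + 1:end])
            i = end + 1
        else:
            start = i
            while i < n and not chat[i].isspace():
                i += 1
            tokens.append(chat[start:i])
    return tokens


def expand(token: str, new_pw: str, old_pw: str) -> str:
    """Apply the escape sequences, then the %n (new) and %o (old) macros."""
    for esc, ch in ESCAPES.items():
        token = token.replace(esc, ch)
    return token.replace("%n", new_pw).replace("%o", old_pw)


def run_chat(chat: str, program_output, new_pw: str, old_pw: str = ""):
    """Replay the chat: even tokens are expected output, odd tokens are sent.

    Returns the strings smbd would write to the passwd program, or raises
    ChatError at the first expectation the program output does not meet."""
    tokens = tokenize(chat)
    lines = iter(program_output)
    sent = []
    for idx, token in enumerate(tokens):
        if idx % 2 == 0:                              # expect step
            if token == ".":
                continue                              # '.' means expect nothing
            line = next(lines, None)
            # '*' spans any text; matching is done case-insensitively here
            if line is None or not fnmatch.fnmatchcase(line.lower(), token.lower()):
                raise ChatError(f"expected {token!r}, got {line!r}")
        elif token != ".":                            # send step ('.' sends nothing)
            sent.append(expand(token, new_pw, old_pw))
    return sent


def chat_succeeds(chat: str, program_output, new_pw: str, old_pw: str = "") -> bool:
    """True if the whole script matches, i.e. smbd would accept the change."""
    try:
        run_chat(chat, program_output, new_pw, old_pw)
        return True
    except ChatError:
        return False


# The page's default chat and its example, plus a constructed passwd transcript
DEFAULT_CHAT = r"*new*password* %n\n *new*password* %n\n *changed*"
EXAMPLE_CHAT = (r'"*Enter OLD password*" %o\n "*Enter NEW password*" %n\n '
                r'"*Reenter NEW password*" %n\n "*Password changed*"')
SAMPLE_OUTPUT = ["Enter new password: ", "Retype new password: ",
                 "passwd: password changed"]

if __name__ == "__main__":
    print(run_chat(DEFAULT_CHAT, SAMPLE_OUTPUT, "s3cret!"))
```

A transcript that ends with a passwd error instead of a "changed" line makes chat_succeeds() return False, which is exactly the case where smbd leaves the SMB password untouched.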

passwd chat debug (G)
This boolean specifies if the passwd chat script parameter is run in debug mode. In this mode the strings passed to and received from the passwd chat are printed in the smbd(8) log with a debug level of 100. This is a dangerous option as it will allow plaintext passwords to be seen in the smbd log. It is available to help Samba admins debug their passwd chat scripts when calling the passwd program and should be turned off after this has been done. This option has no effect if the pam password change parameter is set. This parameter is off by default.

See also passwd chat, pam password change, passwd program.

Default: passwd chat debug = no

passwd program (G)
The name of a program that can be used to set UNIX user passwords. Any occurrences of %u will be replaced with the user name. The user name is checked for existence before calling the password changing program.

Also note that many passwd programs insist on reasonable passwords, such as a minimum length, or the inclusion of mixed case characters and digits. This can pose a problem as some clients (such as Windows for Workgroups) uppercase the password before sending it.

Note that if the unix password sync parameter is set to yes then this program is called AS ROOT before the SMB password in the smbpasswd file is changed. If this UNIX password change fails, then smbd will fail to change the SMB password also (this is by design).

If the unix password sync parameter is set, this parameter MUST USE ABSOLUTE PATHS for ALL programs called, and must be examined for security implications. Note that by default unix password sync is set to no.

See also unix password sync.

Default: passwd program = /bin/passwd

Example: passwd program = /sbin/npasswd %u

password level (G)
Some client/server combinations have difficulty with mixed-case passwords. One offending client is Windows for Workgroups, which for some reason forces passwords to upper case when using the LANMAN1 protocol, but leaves them alone when using COREPLUS! Another problem child is the Windows 95/98 family of operating systems. These clients upper case clear text passwords even when NT LM 0.12 is selected by the protocol negotiation request/response.

This parameter defines the maximum number of characters that may be upper case in passwords.

For example, say the password given was "FRED". If password level is set to 1, the following combinations would be tried if "FRED" failed:

"Fred", "fred", "fRed", "frEd", "freD"

If password level was set to 2, the following combinations would also be tried:

"FRed", "FrEd", "FreD", "fREd", "fReD", "frED", ..

And so on.

The higher value this parameter is set to the more likely it is that a mixed case password will be matched against a single case password. However, you should be aware that use of this parameter reduces security and increases the time taken to process a new connection.

A value of zero will cause only two attempts to be made: the password as is and the password in all-lower case.

Default: password level = 0

Example: password level = 4
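To put a number on the "reduces security" warning above, here is an added example (not Samba code) that enumerates the candidates implied by the description: the password as given, all lower case, then every variant with one up to level letters in upper case. Every candidate is one more authentication attempt, and under security = server one more logon sent to the password server. The ordering is an assumption made for the example; the set of candidates is what the parameter defines.

```python
"""Enumerate the candidate passwords smbd tries for a given 'password level'.

Added example, not Samba code.  The order of candidates is an assumption;
the set follows the description in the man page text above.
"""
from itertools import combinations
from math import comb


def password_candidates(password: str, level: int):
    """Return the distinct strings tried, in order: the password as given,
    all lower case, then every variant with 1..level letters in upper case."""
    lower = password.lower()
    letter_positions = [i for i, c in enumerate(lower) if c.isalpha()]
    seen, candidates = set(), []

    def add(candidate: str) -> None:
        if candidate not in seen:          # 'FRED' reappears at level 4; try it once
            seen.add(candidate)
            candidates.append(candidate)

    add(password)
    add(lower)
    for k in range(1, min(level, len(letter_positions)) + 1):
        for positions in combinations(letter_positions, k):
            chars = list(lower)
            for i in positions:
                chars[i] = chars[i].upper()
            add("".join(chars))
    return candidates


def attempt_multiplier(letters: int, level: int) -> int:
    """Upper bound on attempts for one client password made of `letters`
    letters: 2 (as given, lower case) + C(n,1) + ... + C(n,level)."""
    return 2 + sum(comb(letters, k) for k in range(1, min(level, letters) + 1))


if __name__ == "__main__":
    for level in (0, 1, 2, 4):
        tried = password_candidates("FRED", level)
        print(f"level {level}: {len(tried):2d} attempts -> {tried}")
```

For an eight-letter password, password level = 4 turns one client guess into 2 + 8 + 28 + 56 + 70 = 164 server-side attempts, and every user whose password differs from another's only in case is, for authentication purposes, sharing a password.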

password server (G)
By specifying the name of another SMB server or Active Directory domain controller with this option, and using security = [ads|domain|server], it is possible to get Samba to do all its username/password validation using a specific remote server.

This option sets the name or IP address of the password server to use. New syntax has been added to support defining the port to use when connecting to the server in the case of an ADS realm. To define a port other than the default LDAP port of 389, add the port number using a colon after the name or IP address (e.g. 192.168.1.100:389). If you do not specify a port, Samba will use the standard LDAP port of tcp/389. Note that port numbers have no effect on password servers for Windows NT 4.0 domains or netbios connections.

If the parameter is a name, it is looked up using the parameter name resolve order and so may be resolved by any method and order described in that parameter.

The password server must be a machine capable of using the "LM1.2X002" or the "NT LM 0.12" protocol, and it must be in user level security mode.

NOTE: Using a password server means your UNIX box (running Samba) is only as secure as your password server. DO NOT CHOOSE A PASSWORD SERVER THAT YOU DON'T COMPLETELY TRUST.

Never point a Samba server at itself for password serving. This will cause a loop and could lock up your Samba server!

The name of the password server takes the standard substitutions, but probably the only useful one is %m, which means the Samba server will use the incoming client as the password server. If you use this then you had better trust your clients, and you had better restrict them with hosts allow!

If the security parameter is set to domain or ads, then the list of machines in this option must be a list of Primary or Backup Domain Controllers for the Domain or the character '*', as the Samba server is effectively in that domain, and will use cryptographically authenticated RPC calls to authenticate the user logging on. The advantage of using security = domain is that if you list several hosts in the password server option then smbd will try each in turn till it finds one that responds. This is useful in case your primary server goes down.

If the password server option is set to the character '*', then Samba will attempt to auto-locate the Primary or Backup Domain Controllers to authenticate against by doing a query for the name WORKGROUP<1C> and then contacting each server returned in the list of IP addresses from the name resolution source.

If the list of servers contains both names/IPs and the '*' character, the list is treated as a list of preferred domain controllers, but an auto lookup of all remaining DCs will be added to the list as well. Samba will not attempt to optimize this list by locating the closest DC.

If the security parameter is set to server, then there are different restrictions that security = domain doesn't suffer from:

You may list several password servers in the password server parameter, however if an smbd makes a connection to a password server and then the password server fails, no more users will be able to be authenticated from this smbd. This is a restriction of the SMB/CIFS protocol when in security = server mode and cannot be fixed in Samba.

If you are using a Windows NT server as your password server then you will have to ensure that your users are able to login from the Samba server, as when in security = server mode the network logon will appear to come from there rather than from the user's workstation.

See also the security parameter.

Default: password server = <empty string>

Example: password server = NT-PDC, NT-BDC1, NT-BDC2, *

Example: password server = windc.mydomain.com:389 192.168.1.101 *

Example: password server = *

path (S)
This parameter specifies a directory to which the user of the service is to be given access. In the case of printable services, this is where print data will spool prior to being submitted to the host for printing.

For a printable service offering guest access, the service should be readonly and the path should be world-writeable and have the sticky bit set. This is not mandatory of course, but you probably won't get the results you expect if you do otherwise.

Any occurrences of %u in the path will be replaced with the UNIX username that the client is using on this connection. Any occurrences of %m will be replaced by the NetBIOS name of the machine they are connecting from. These replacements are very useful for setting up pseudo home directories for users.

Note that this path will be based on root dir if one was specified.

Default: none

Example: path = /home/fred

pid directory (G)
This option specifies the directory where pid files will be placed.

Default: pid directory = ${prefix}/var/locks

Example: pid directory = /var/run/

posix locking (S)
The smbd(8) daemon maintains a database of file locks obtained by SMB clients. The default behavior is to map this internal database to POSIX locks. This means that file locks obtained by SMB clients are consistent with those seen by POSIX compliant applications accessing the files via a non-SMB method (e.g. NFS or local file access). You should never need to disable this parameter.

Default: posix locking = yes

postexec (S)
This option specifies a command to be run whenever the service is disconnected. It takes the usual substitutions. The command may be run as root on some systems.

An interesting example may be to unmount server resources:

postexec = /etc/umount /cdrom

See also preexec.

Default: none (no command executed)

Example: postexec = echo ...

preexec (S)
This option specifies a command to be run whenever the service is connected to. It takes the usual substitutions.

An interesting example is to send the users a welcome message every time they log in. Maybe a message of the day? Here is an example:

preexec = csh -c 'echo ...

Of course, this could get annoying after a while :-)

See also preexec close and postexec.

Default: none (no command executed)

Example: preexec = echo ...

preexec close (S)
This boolean option controls whether a non-zero return code from preexec should close the service being connected to.

Default: preexec close = no

prefered master (G)
Synonym for preferred master for people who cannot spell :-).

preferred master (G)
This boolean parameter controls if nmbd(8) is a preferred master browser for its workgroup.

If this is set to yes, on startup nmbd will force an election, and it will have a slight advantage in winning the election. It is recommended that this parameter is used in conjunction with domain master = yes, so that nmbd can guarantee becoming a domain master.

Use this option with caution, because if there are several hosts (whether Samba servers, Windows 95 or NT) that are preferred master browsers on the same subnet, they will each periodically and continuously attempt to become the local master browser. This will result in unnecessary broadcast traffic and reduced browsing capabilities.

See also os level.

Default: preferred master = auto

preload (G)
此选项定义了要自动加入到浏览列表的服务项清单.这对于homes和printers服务项非常有用,否则这些服务将是不可见的.

注意,如果你想加载printcap里所有的打印机,那么用load printers会更容易.

缺省设置: no preloaded services

示例: preload = fred lp colorlp

preload modules (G)
This is a list of paths to modules that should be loaded into smbd before a client connects. This improves the speed of smbd when reacting to new connections somewhat.

Default: preload modules =

Example: preload modules = /usr/lib/samba/passdb/mysql.so

preserve case (S)
This controls whether new filenames are created with the case that the client passes, or whether they are forced to be the default case.

Default: preserve case = yes

See the section on NAME MANGLING for a fuller discussion.

printable (S)
If this parameter is yes, then clients may open, write to and submit spool files on the directory specified for the service.

Note that a printable service will ALWAYS allow writing to the service path (user privileges permitting) via the spooling of print data. The read only parameter controls only non-printing access to the resource.

Default: printable = no

printcap (G)
Synonym for printcap name.
printcap name (S)
This parameter may be used to override the compiled-in default printcap name used by the server (usually /etc/printcap). See the discussion of the [printers] section for reasons why you might want to do this.

To use the CUPS printing interface set printcap name = cups. This should be supplemented by an additional setting printing = cups in the [global] section. printcap name = cups will use the "dummy" printcap created by CUPS, as specified in your CUPS configuration file.

On System V systems that use lpstat to list available printers you can use printcap name = lpstat to automatically obtain a list of available printers. This is the default for systems that define SYSV at configure time in Samba (this includes most System V based systems). If printcap name = lpstat is set on these systems then Samba will launch lpstat -v and attempt to parse the output to obtain a printer list.

A minimal printcap file would look something like this:

print1|My Printer 1
print2|My Printer 2
print3|My Printer 3
print4|My Printer 4
print5|My Printer 5

where the '|' separates aliases of a printer. The fact that the second alias has a space in it gives a hint to Samba that it is a comment.

Under AIX the default printcap name is /etc/qconfig. Samba will assume the file is in AIX qconfig format if the string qconfig appears in the printcap filename.

Default: printcap name = /etc/printcap

Example: printcap name = /etc/myprintcap

print command (S)
After a print job has finished spooling to a service, this command will be used via a system() call to process the spool file. Typically the command specified will submit the spool file to the host's printing subsystem, but there is no requirement that this be the case. The server will not remove the spool file, so whatever command you specify should remove the spool file when it has been processed, otherwise you will need to manually remove old spool files.

The print command is simply a text string. It will be used verbatim after macro substitutions have been made:

%s, %f - the path to the spool file name

%p - the appropriate printer name

%J - the job name as transmitted by the client

%c - the number of printed pages of the spooled job

%z - the size of the spooled print job (in bytes)

The print command MUST contain at least one occurrence of %s or %f; the %p is optional. At the time a job is submitted, if no printer name is supplied the %p will be silently removed from the print command.

If specified in the [global] section, the print command given will be used for any printable service that does not have its own print command specified.

If there is neither a specified print command for a printable service nor a global print command, spool files will be created but not processed and (most importantly) not removed.

Note that printing may fail on some UNIXes from the nobody account. If this happens then create an alternative guest account that can print and set the guest account in the [global] section.

You can form quite complex print commands by realizing that they are just passed to a shell. For example the following will log a print job, print the file, then remove it. Note that ';' is the usual separator for commands in shell scripts.

print command = echo Printing %s >> /tmp/print.log; lpr -P %p %s; rm %s

You may have to vary this command considerably depending on how you normally print files on your system. The default for the parameter varies depending on the setting of the printing parameter.

Default: For printing = BSD, AIX, QNX, LPRNG or PLP :

print command = lpr -r -P%p %s

For printing = SYSV or HPUX :

print command = lp -c -d%p %s; rm %s

For printing = SOFTQ :

print command = lp -d%p -s %s; rm %s

For printing = CUPS :

If Samba is compiled against libcups, then printcap=cups uses the CUPS API to submit jobs, etc. Otherwise it maps to the System V commands with the -oraw option for printing, i.e. it uses lp -c -d%p -o raw; rm %s. With printing = cups, and if Samba is compiled against libcups, any manually set print command will be ignored.

Example: print command = /usr/local/samba/bin/myprintscript %p %s

printer (S)
Synonym for printer name.
printer admin (S)
This is a list of users that can do anything to printers via the remote administration interfaces offered by MS-RPC (usually using a NT workstation). Note that the root user always has admin rights.

Default: printer admin = <empty string>

Example: printer admin = admin, @staff

printer name (S)
This parameter specifies the name of the printer to which print jobs spooled through a printable service will be sent.

If specified in the [global] section, the printer name given will be used for any printable service that does not have its own printer name specified.

Default: none (but may be lp on many systems)

Example: printer name = laserwriter

printing (S)
This parameter controls how printer status information is interpreted on your system. It also affects the default values for the print command, lpq command, lppause command, lpresume command and lprm command if specified in the [global] section.

Currently nine printing styles are supported. They are BSD, AIX, LPRNG, PLP, SYSV, HPUX, QNX, SOFTQ and CUPS.

To see what the defaults are for the other print commands when using the various options use the testparm(1) program.

This option can be set on a per printer basis.

See also the discussion in the [printers] section.

print ok (S)
Synonym for printable.
private dir (G)
This parameter defines the directory smbd will use for storing such files as smbpasswd and secrets.tdb.

Default: private dir = ${prefix}/private

profile acls (S)
This boolean parameter was added to fix the problems that people have been having with storing user profiles on Samba shares from Windows 2000 or Windows XP clients. New versions of Windows 2000 or Windows XP service packs do security ACL checking on the owner and ability to write of the profile directory stored on a local workstation when copied from a Samba share.

When not in domain mode with winbindd then the security info copied onto the local workstation has no meaning to the logged in user (SID) on that workstation so the profile storing fails. Adding this parameter onto a share used for profile storage changes two things about the returned Windows ACL. Firstly it changes the owner and group owner of all reported files and directories to be BUILTIN\\Administrators, BUILTIN\\Users respectively (SIDs S-1-5-32-544, S-1-5-32-545). Secondly it adds an ACE entry of "Full Control" to the SID BUILTIN\\Users to every returned ACL. This will allow any Windows 2000 or XP workstation user to access the profile.

Note that if you have multiple users logging on to a workstation then in order to prevent them from being able to access each others profiles you must remove the "Bypass traverse checking" advanced user right. This will prevent access to other users profile directories as the top level profile directory (named after the user) is created by the workstation profile code and has an ACL restricting entry to the directory tree to the owning user.

Default: profile acls = no

protocol (G)
Synonym for max protocol.
public (S)
Synonym for guest ok.
queuepause command (S)
This parameter specifies the command to be executed on the server host in order to pause the printer queue.

This command should be a program or script which takes a printer name as its only parameter and stops the printer queue, such that no more jobs are submitted to the printer.

This command is not supported by Windows for Workgroups, but can be issued from the Printers window under Windows 95 and NT.

If a %p is given then the printer name is put in its place. Otherwise it is placed at the end of the command.

Note that it is good practice to include the absolute path in the command as the PATH may not be available to the server.

Default: depends on the setting of printing

Example: queuepause command = disable %p

queueresume command (S)
This parameter specifies the command to be executed on the server host in order to resume the printer queue. It is the command to undo the behavior that is caused by the previous parameter (queuepause command).

This command should be a program or script which takes a printer name as its only parameter and resumes the printer queue, such that queued jobs are submitted to the printer again.

This command is not supported by Windows for Workgroups, but can be issued from the Printers window under Windows 95 and NT.

If a %p is given then the printer name is put in its place. Otherwise it is placed at the end of the command.

Note that it is good practice to include the absolute path in the command as the PATH may not be available to the server.

Default: depends on the setting of printing

Example: queueresume command = enable %p

read bmpx (G)
This boolean parameter controls whether smbd(8) will support the "Read Block Multiplex" SMB. This is now rarely used and defaults to no. You should never need to set this parameter.

Default: read bmpx = no

read list (S)
This is a list of users that are given read-only access to a service. If the connecting user is in this list then they will not be given write access, no matter what the read only option is set to. The list can include group names using the syntax described in the invalid users parameter.

See also the write list and invalid users parameters.

Default: read list = <empty string>

Example: read list = mary, @students

read only (S)
Note that this is an inverted synonym for writeable.

If this parameter is yes, then users of a service may not create or modify files in the service's directory.

Note that a printable service (printable = yes) will ALWAYS allow writing to the directory (user privileges permitting), but only via spooling operations.

Default: read only = yes

read raw (G)
This parameter controls whether or not the server will support the raw read SMB requests when transferring data to clients.

If enabled, raw reads allow reads of 65535 bytes in one packet. This typically provides a major performance benefit.

However, some clients either negotiate the allowable block size incorrectly or are incapable of supporting larger block sizes, and for these clients you may need to disable raw reads.

In general this parameter should be viewed as a system tuning tool and left severely alone. See also write raw.

Default: read raw = yes

read size (G)
The read size option affects the overlap of disk reads/writes with network reads/writes. If the amount of data being transferred in several of the SMB commands (currently SMBwrite, SMBwriteX and SMBreadbraw) is larger than this value then the server begins writing the data before it has received the whole packet from the network, or in the case of SMBreadbraw, it begins writing to the network before all the data has been read from disk.

This overlapping works best when the speeds of disk and network access are similar, having very little effect when the speed of one is much greater than the other.

The default value is 16384, but very little experimentation has been done yet to determine the optimal value, and it is likely that the best value will vary greatly between systems anyway. A value over 65536 is pointless and will cause you to allocate memory unnecessarily.

Default: read size = 16384

Example: read size = 8192

realm (G)
This option specifies the kerberos realm to use. The realm is used as the ADS equivalent of the NT4 domain. It is usually set to the DNS name of the kerberos server.

Default: realm =

Example: realm = mysambabox.mycompany.com

remote announce (G)
This option allows you to set up nmbd(8) to periodically announce itself to arbitrary IP addresses with an arbitrary workgroup name.

This is useful if you want your Samba server to appear in a remote workgroup for which the normal browse propagation rules don't work. The remote workgroup can be anywhere that you can send IP packets to.

For example:

remote announce = 192.168.2.255/SERVERS 192.168.4.255/STAFF

The above line would cause nmbd to announce itself to the two given IP addresses using the given workgroup names. If you leave out the workgroup name then the one given in the workgroup parameter is used instead.

The IP addresses you choose would normally be the broadcast addresses of the remote networks, but can also be the IP addresses of known browse masters if your network config is that stable.

Default: remote announce = <empty string>

remote browse sync (G)
This option allows you to set up nmbd(8) to periodically request synchronization of browse lists with the master browser of a Samba server that is on a remote segment. It also allows you to gain browse lists from master browsers on subnets that lie across routers. This is done in a manner that does not work with any non-Samba servers.

This is useful if you want your Samba server and all local clients to appear in a remote workgroup for which the normal browse propagation rules don't work. The remote workgroup can be anywhere that you can send IP packets to.

For example:

remote browse sync = 192.168.2.255 192.168.4.255

The above line would cause nmbd to request the master browser on the specified subnets or addresses to synchronize their browse lists with the local server.

The IP addresses you choose would normally be the broadcast addresses of the remote networks, but can also be the IP addresses of known browse masters if your network config is that stable. If a machine IP address is given, or the master browser is in fact on its own segment, Samba checks whether the remote host is valid and listening.

Default: remote browse sync = <empty string>

restrict anonymous (G)
This parameter controls whether user and group list information is returned for an anonymous connection, and mirrors the effects of the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous registry key in Windows 2000 and Windows NT. When set to 0, user and group list information is returned to anyone who asks. When set to 1, only an authenticated user can retrieve user and group list information. For the value 2, supported by Windows 2000/XP and Samba, anonymous connections are not allowed at all. This can break third party and Microsoft applications which expect to be allowed to perform operations anonymously.

The security advantage of using restrict anonymous = 1 is dubious, as user and group list information can be obtained using other means.

The security advantage of using restrict anonymous = 2 is removed by setting guest ok = yes on any share.

Default: restrict anonymous = 0

root (G)
Synonym for root directory.
root dir (G)
Synonym for root directory.
root directory (G)
The server will chroot() (i.e. change its root directory) to this directory on startup. This is not strictly necessary for secure operation. Even without it the server will deny access to files not in one of the service entries. It may also check for, and deny access to, soft links to other parts of the filesystem, or attempts to use ".." in file names to access other directories (depending on the setting of the wide links parameter).

Adding a root directory entry other than "/" adds an extra level of security, but at a price. It absolutely ensures that no access is given to files not in the sub-tree specified in the root directory option, including some files needed for complete operation of the server. To maintain full operability of the server you will need to mirror some system files into the root directory tree. In particular you will need to mirror /etc/passwd (or a subset of it), and any binaries or configuration files needed for printing (if required). The set of files that must be mirrored is operating system dependent.

Default: root directory = /

Example: root directory = /homes/smb

root postexec (S)
This is the same as the postexec parameter except that the command is run as root. This is useful for unmounting filesystems (such as CDROMs) after a connection is closed.

See also postexec.

Default: root postexec = <empty string>

root preexec (S)
This is the same as the preexec parameter except that the command is run as root. This is useful for mounting filesystems (such as CDROMs) once a connection has been established.

See also preexec and preexec close.

Default: root preexec = <empty string>

root preexec close (S)
This is the same as the preexec close parameter except that the command is run as root.

See also preexec and preexec close.

Default: root preexec close = no

security (G)
This option affects how clients respond to Samba and is one of the most important settings in the smb.conf file.

The option sets the "security mode bit" in replies to protocol negotiations with smbd(8) to turn share level security on or off. Clients decide based on this bit whether (and how) to transfer user and password information to the server.

The default is security = user, as this is the most common setting needed when talking to Windows 98 and Windows NT.

The alternatives are security = share, security = server or security = domain.

In versions of Samba prior to 2.0.0, the default was security = share, mainly because that was the only option at one stage.

There is a bug in WfWg that has relevance to this setting. When in user or server level security a WfWg client will totally ignore the password you type in the "connect drive" dialog box. This makes it very difficult (if not impossible) to connect to a Samba service as anyone except the user that you are logged into WfWg as.

If your PCs use usernames that are the same as their usernames on the UNIX machine then you will want to use security = user. If you mostly use usernames that don't exist on the UNIX box then use security = share.

You should also use security = share if you want to mainly set up shares without a password (guest shares). This is commonly used for a shared printer server. It is more difficult to set up guest shares with security = user; see the map to guest parameter for details.

It is possible to use smbd in a hybrid mode where it offers both user and share level security under different NetBIOS aliases.

The different settings will now be explained.

SECURITY = SHARE

When clients connect to a share level security server, they need not log on to the server with a valid username and password before attempting to connect to a shared resource (although modern clients such as Windows 95/98 and Windows NT will send a logon request with a username but no password when talking to a security = share server). Instead, the clients send authentication information (passwords) on a per-share basis, at the time they attempt to connect to that share.

Note that smbd ALWAYS uses a valid UNIX user to act on behalf of the client, even in security = share level security.

As clients are not required to send a username to the server in share level security, smbd uses several techniques to determine the correct UNIX user to use on behalf of the client.

A list of possible UNIX usernames to match with the given client password is constructed using the following methods:

If the guest only parameter is set, then all the other stages are skipped and only the guest account username is checked.

If a username is sent with the share connection request, then this username (after mapping - see username map) is added as a potential username.

If the client did a previous logon request (the SessionSetup SMB call), then the username sent in this SMB will be added as a potential username.

The name of the service the client requested is added as a potential username.

The NetBIOS name of the client is added to the list as a potential username.

Any users on the user list are added as potential usernames.

If the guest only parameter is not set, then this list is tried with the supplied password. The first user for whom the password matches will be used as the UNIX user.

If the guest only parameter is set, or no username can be determined, then if the share is marked as available to the guest account, that guest user will be used, otherwise access is denied.

Note that it can be very confusing in share-level security as to which UNIX username will eventually be used in granting access.

See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION.
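The candidate-list procedure above, as an added example that is not Samba's own code: it builds the ordered list of UNIX usernames in the stated order and picks the account the connection will run as. The password store, the account names and the check_password helper are constructed for this example.

```python
# Added example, not Samba's own code: models the candidate-username list and
# account selection described above for a security = share connection. The
# password store is a constructed dict standing in for the real account
# database; everything here runs offline.

def share_level_candidates(service, client_netbios_name, share_request_user=None,
                           session_user=None, user_list=(), username_map=None):
    """Return, in order, the UNIX usernames smbd would test the password against."""
    mapper = username_map or (lambda n: n)
    candidates = []
    if share_request_user:
        candidates.append(mapper(share_request_user))   # name on the tree connect, after mapping
    if session_user:
        candidates.append(session_user)                 # name from an earlier SessionSetup
    candidates.append(service)                          # the requested service name
    candidates.append(client_netbios_name)              # the client's NetBIOS name
    candidates.extend(user_list)                        # the share's "user =" list
    return candidates


def resolve_share_level_user(candidates, password, check_password,
                             guest_only=False, guest_ok=False, guest_account="nobody"):
    """Pick the UNIX account the connection will run as, or None for access denied."""
    if not guest_only:                         # guest only skips every other stage
        for name in candidates:
            if check_password(name, password):
                return name                    # the first match wins
    if guest_ok:
        return guest_account
    return None


# Constructed account store. A UNIX account that happens to share its name
# with the service ("data") shows why the outcome can be surprising.
PASSWORDS = {"alice": "wonderland", "data": "s3cret-share", "bob": "hunter2"}


def check_password(username, password):
    """Constructed stand-in for the real password check."""
    return PASSWORDS.get(username) == password


def demo():
    """Run the selection for one connection and return the chosen accounts."""
    cands = share_level_candidates("data", "WS01", share_request_user="Alice",
                                   user_list=("bob",), username_map=str.lower)
    return {
        "candidates": cands,
        "alice_pw": resolve_share_level_user(cands, "wonderland", check_password),
        "service_pw": resolve_share_level_user(cands, "s3cret-share", check_password),
        "bad_pw_guest_ok": resolve_share_level_user(cands, "nope", check_password, guest_ok=True),
        "bad_pw": resolve_share_level_user(cands, "nope", check_password),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The "service_pw" result shows the confusion the text warns about: a password matching an account that merely shares its name with the service is accepted as that account.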

SECURITY = USER

This is the default security setting in Samba 2.0/3.0. With user-level security a client must first "log on" with a valid username and password (which can be mapped using the username map parameter). Encrypted passwords (see the encrypted passwords parameter) can also be used in this security mode. Parameters such as user and guest only, if set, are then applied and may change the UNIX user to use on this connection, but only after the user has been successfully authenticated.

Note that the name of the resource being requested is not sent to the server until after the server has successfully authenticated the client. This is why guest shares don't work in user level security without allowing the server to automatically map unknown users into the guest account. See the map to guest parameter for details on doing this.

See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION.

SECURITY = DOMAIN

This mode will only work correctly if net(8) has been used to add this machine into a Windows NT Domain. It expects the encrypted passwords parameter to be set to yes. In this mode Samba will try to validate the username/password by passing it to a Windows NT Primary or Backup Domain Controller, in exactly the same way that a Windows NT Server would do.

Note that a valid UNIX user must still exist as well as the account on the Domain Controller to allow Samba to have a valid UNIX account to map file access to.

Note that from the client's point of view security = domain is the same as security = user. It only affects how the server deals with the authentication; it does not in any way affect what the client sees.

Note that the name of the resource being requested is not sent to the server until after the server has successfully authenticated the client. This is why guest shares don't work in domain level security without allowing the server to automatically map unknown users into the guest account. See the map to guest parameter for details on doing this.

See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION.

See also the password server parameter and the encrypted passwords parameter.

SECURITY = SERVER

In this mode Samba will try to validate the username/password by passing it to another SMB server, such as an NT box. If this fails it will revert to security = user. It expects the encrypted passwords parameter to be set to yes, unless the remote server does not support them. However, note that if encrypted passwords have been negotiated then Samba cannot revert back to checking the UNIX password file; it must have a valid smbpasswd file to check users against. See the chapter about the User Database in the Samba HOWTO Collection for details on how to set this up.

This mode of operation has significant pitfalls, due to the fact that it actively initiates a man-in-the-middle attack on the remote SMB server. In particular, this mode of operation can cause significant resource consumption on the PDC, as it must maintain an active connection for the duration of the user's session. Furthermore, if this connection is lost, there is no way to reestablish it, and further authentications to the Samba server may fail (from a single client, until it disconnects).

Note that from the client's point of view security = server is the same as security = user. It only affects how the server deals with the authentication; it does not in any way affect what the client sees.

Note that the name of the resource being requested is not sent to the server until after the server has successfully authenticated the client. This is why guest shares don't work in server level security without allowing the server to automatically map unknown users into the guest account. See the map to guest parameter for details on doing this.

See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION.

See also the password server parameter and the encrypted passwords parameter.

SECURITY = ADS

In this mode, Samba will act as a domain member in an ADS realm. To operate in this mode, the machine running Samba will need to have Kerberos installed and configured and Samba will need to be joined to the ADS realm using the net utility.

Note that this mode does NOT make Samba operate as a Active Directory Domain Controller.

Read the chapter about Domain Membership in the HOWTO for details.

See also the ads server parameter, the realm parameter and the encrypted passwords parameter.

Default: security = USER

Example: security = DOMAIN

security mask (S)
This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating the UNIX permission on a file using the native NT security dialog box.

This parameter is applied as a mask (AND'ed with) to the changed permission bits, thus preventing any bits not in this mask from being modified. Essentially, zero bits in this mask may be treated as a set of bits the user is not allowed to change.

If not set explicitly this parameter is 0777, allowing a user to modify all the user/group/world permissions on a file.

Note that users who can access the Samba server through other means can easily bypass this restriction, so it is primarily useful for standalone "appliance" systems. Administrators of most normal systems will probably want to leave it set to 0777.

See also the force directory security mode, directory security mask and force security mode parameters.

Default: security mask = 0777

Example: security mask = 0770

server schannel (G)
This controls whether the server offers or even demands the use of the netlogon schannel. server schannel = no does not offer the schannel, server schannel = auto offers the schannel but does not enforce it, and server schannel = yes denies access if the client is not able to speak netlogon schannel. This is only the case for Windows NT4 before SP4.

Please note that with this set to no you will have to apply the WindowsXP requireSignOrSeal-Registry patch found in the docs/Registry subdirectory.

Default: server schannel = auto

Example: server schannel = yes

server signing (G)
This controls whether the server offers or requires the client it talks to to use SMB signing. Possible values are auto, mandatory and disabled.

When set to auto, SMB signing is offered, but not enforced. When set to mandatory, SMB signing is required and if set to disabled, SMB signing is not offered either.

Default: client signing = False

server string (G)
This controls what string will show up in the printer comment box in print manager and next to the IPC connection in net view. It can be any string that you wish to show to your users.

It also sets what will appear in browse lists next to the machine name.

A %v will be replaced with the Samba version number.

A %h will be replaced with the hostname.

Default: server string = Samba %v

Example: server string = University of GNUs Samba Server

set directory (S)
If set directory = no, then users of the service may not use the setdir command to change directory.

The setdir command is only implemented in the Digital Pathworks client. See the Pathworks documentation for details.

Default: set directory = no

set primary group script (G)
Thanks to the POSIX subsystem in NT, a Windows user has a primary group in addition to the auxiliary groups. This script sets the primary group in the UNIX user database when an administrator sets the primary group from the Windows user manager or when fetching a SAM with net rpc vampire. %u will be replaced with the user whose primary group is to be set. %g will be replaced with the group to set.

Default: No default value

Example: set primary group script = /usr/sbin/usermod -g '%g' '%u'

set quota command (G)
The set quota command should only be used whenever there is no operating system API available from the OS that samba can use.

This parameter should specify the path to a script that can set quota for the specified arguments.

The specified script should take the following arguments:

1 - quota type
    1 - user quotas
    2 - user default quotas (uid = -1)
    3 - group quotas
    4 - group default quotas (gid = -1)

2 - id (uid for user, gid for group, -1 if N/A)

3 - quota state (0 = disable, 1 = enable, 2 = enable and enforce)

4 - block softlimit

5 - block hardlimit

6 - inode softlimit

7 - inode hardlimit

8(optional) - block size, defaults to 1024

The script should output at least one line of data.

See also the get quota command parameter.

Default: set quota command =

Example: set quota command = /usr/local/sbin/set_quota

share modes (S)
This enables or disables the honoring of share modes during a file open. These modes are used by clients to gain exclusive read or write access to a file.

These open modes are not directly supported by UNIX, so they are simulated using shared memory, or lock files if your UNIX doesn't support shared memory (almost all do).

The share modes that are enabled by this option are DENY_DOS, DENY_ALL, DENY_READ, DENY_WRITE, DENY_NONE and DENY_FCB.

This option gives full share compatibility and is enabled by default.

You should NEVER turn this parameter off as many Windows applications will break if you do so.

Default: share modes = yes

short preserve case (S)
This boolean parameter controls whether new files which conform to 8.3 syntax, that is all in upper case and of suitable length, are created upper case, or whether they are forced to be the default case. This option can be used with preserve case = yes to permit long filenames to retain their case, while short names are lowercased.

See the section on NAME MANGLING.

Default: short preserve case = yes

show add printer wizard (G)
With the introduction of MS-RPC based printing support for Windows NT/2000 client in Samba 2.2, a "Printers..." folder will appear on Samba hosts in the share listing. Normally this folder will contain an icon for the MS Add Printer Wizard (APW). However, it is possible to disable this feature regardless of the level of privilege of the connected user.

Under normal circumstances, the Windows NT/2000 client will open a handle on the printer server with OpenPrinterEx() asking for Administrator privileges. If the user does not have administrative access on the print server (i.e is not root or a member of the printer admin group), the OpenPrinterEx() call fails and the client makes another open call with a request for a lower privilege level. This should succeed, however the APW icon will not be displayed.

Disabling the show add printer wizard parameter will always cause the OpenPrinterEx() on the server to fail. Thus the APW icon will never be displayed. Note :This does not prevent the same user from having administrative privilege on an individual printer.

See also addprinter command, deleteprinter command, printer admin.

Default: show add printer wizard = yes

shutdown script (G)
This parameter only exists in the HEAD cvs branch. This is the full path name of a script called by smbd(8) that should start a shutdown procedure.

This command will be run as the user connected to the server.

%m %t %r %f parameters are expanded:

%m will be substituted with the shutdown message sent to the server.

%t will be substituted with the number of seconds to wait before effectively starting the shutdown procedure.

%r will be substituted with the switch -r. It means reboot after shutdown for NT.

%f will be substituted with the switch -f. It means force the shutdown even if applications do not respond for NT.

Default: None.

Example: shutdown script = /usr/local/samba/sbin/shutdown %m %t %r %f

Shutdown script example:

#!/bin/bash
# Arguments as expanded by smbd from the example above:
#   $1 = %m (shutdown message), $2 = %t (seconds to wait),
#   $3 = %r (-r, reboot), $4 = %f (-f, force)
time=${2:-0}
let "time/=60"   # shutdown(8) takes the delay in minutes, %t arrives in seconds
let "time++"     # round up so a short delay does not become zero

/sbin/shutdown $3 $4 +$time "$1" &

Shutdown does not return so we need to launch it in the background.

See also abort shutdown script.

smb passwd file (G)
This option sets the path to the encrypted smbpasswd file. By default the path to the smbpasswd file is compiled into Samba.

Default: smb passwd file = ${prefix}/private/smbpasswd

Example: smb passwd file = /etc/samba/smbpasswd

smb ports (G)
Specifies which ports the server should listen on for SMB traffic.

Default: smb ports = 445 139

socket address (G)
This option allows you to control what address Samba will listen for connections on. This is used to support multiple virtual interfaces on the one server, each with a different configuration.

By default Samba will accept connections on any address.

Example: socket address = 192.168.2.20

socket options (G)
This option allows you to set socket options to be used when talking with the client.

Socket options are controls on the networking layer of the operating system which allow the connection to be tuned.

This option will typically be used to tune your Samba server for optimal performance for your local network. There is no way that Samba can know what the optimal parameters are for your net, so you must experiment and choose them yourself. We strongly suggest you read the appropriate documentation for your operating system first (perhaps man setsockopt will help).

You may find that on some systems Samba will say "Unknown socket option" when you supply an option. This means you either incorrectly typed it or you need to add an include file to includes.h for your OS. If the latter is the case please send the details to samba-bugs@samba.org.

Any of the supported socket options may be combined in any way you like, as long as your OS allows it.

This is the list of socket options currently settable using this option:

SO_KEEPALIVE

SO_REUSEADDR

SO_BROADCAST

TCP_NODELAY

IPTOS_LOWDELAY

IPTOS_THROUGHPUT

SO_SNDBUF *

SO_RCVBUF *

SO_SNDLOWAT *

SO_RCVLOWAT *

Those marked with a '*' take an integer argument. The others can optionally take a 1 or 0 argument to enable or disable the option; by default they will be enabled if you don't specify 1 or 0.

To specify an argument use the syntax "SOME_OPTION=VALUE", for example SO_SNDBUF=8192. Note that you must not have any spaces before or after the '=' sign.

If you are on a local network then a sensible option might be:

socket options = IPTOS_LOWDELAY

If you have a local network then you could try:

socket options = IPTOS_LOWDELAY TCP_NODELAY

If you are on a wide area network then perhaps try setting IPTOS_THROUGHPUT.

Note that several of the options may cause your Samba server to fail completely. Use these options with caution!

Default: socket options = TCP_NODELAY

Example: socket options = IPTOS_LOWDELAY

source environment (G)
This parameter causes Samba to set environment variables as per the content of the file named.

If the value of this parameter starts with a "|" character then Samba will treat that value as a pipe command to open and will set the environment variables from the output of the pipe.

The contents of the file or the output of the pipe should be formatted as the output of the standard Unix env(1) command. This is of the form:

Example environment entry:

SAMBA_NETBIOS_NAME = myhostname

Default: No default value

Example: source environment = |/etc/smb.conf.sh

Example: source environment = /usr/local/smb_env_vars

stat cache (G)
This parameter determines whether smbd(8) will use a cache in order to speed up case-insensitive name mappings. You should never need to change this parameter.

Default: stat cache = yes

strict allocate (S)
This is a boolean that controls the handling of disk space allocation in the server. When this is set to yes the server will change from UNIX behaviour of not committing real disk storage blocks when a file is extended to the Windows behaviour of actually forcing the disk system to allocate real storage blocks when a file is created or extended to be a given size. In UNIX terminology this means that Samba will stop creating sparse files. This can be slow on some systems.

When strict allocate is no the server does sparse disk block allocation when a file is extended.

Setting this to yes can help Samba return out of quota messages on systems that are restricting the disk quota of users.

Default: strict allocate = no

strict locking (S)
This boolean parameter controls the handling of file locking in the server. When this is set to yes the server will check every read and write access for file locks, and deny access if locks exist. This can be slow on some systems.

When strict locking is no the server does file lock checks only when the client explicitly asks for them.

Well-behaved clients always ask for lock checks when it is important, so in the vast majority of cases strict locking = no is preferable.

Default: strict locking = no

strict sync (S)
Many Windows applications (including the Windows 98 explorer shell) seem to confuse flushing buffer contents to disk with doing a sync to disk. Under UNIX, a sync call forces the process to be suspended until the kernel has ensured that all outstanding data in kernel disk buffers has been safely stored onto stable storage. This is very slow and should only be done rarely. Setting this parameter to no (the default) means that smbd(8) ignores the Windows applications' requests for a sync call. There is only a possibility of losing data if the operating system itself that Samba is running on crashes, so there is little danger in this default setting. In addition, this fixes many performance problems that people have reported with the Windows 98 explorer shell file copies.

See also the sync always parameter.

Default: strict sync = no

sync always (S)
This boolean parameter controls whether writes will always be written to stable storage before the write call returns. If this is no then the server will be guided by the client's request in each write call (clients can set a bit indicating that a particular write should be synchronous). If this is yes then every write will be followed by a fsync() call to ensure the data is written to disk. Note that the strict sync parameter must be set to yes in order for this parameter to have any effect.

See also the strict sync parameter.

Default: sync always = no

syslog (G)
This parameter maps how Samba debug messages are logged onto the system syslog logging levels. Samba debug level zero maps onto syslog LOG_ERR, debug level one maps onto LOG_WARNING, debug level two maps onto LOG_NOTICE, debug level three maps onto LOG_INFO. All higher levels are mapped to LOG_DEBUG.

This parameter sets the threshold for sending messages to syslog. Only messages with a debug level less than this value will be sent to syslog.

Default: syslog = 1

syslog only (G)
If this parameter is set then Samba debug messages are logged into the system syslog only, and not to the debug log files.

Default: syslog only = no

template homedir (G)
When filling out the user information for a Windows NT user, the winbindd(8) daemon uses this parameter to fill in the home directory for that user. If the string %D is present it is substituted with the user's Windows NT domain name. If the string %U is present it is substituted with the user's Windows NT user name.

Default: template homedir = /home/%D/%U

template primary group (G)
This option defines the default primary group for each user created by winbindd(8)'s local account management functions (similar to the 'add user script').

Default: template primary group = nobody

template shell (G)
When filling out the user information for a Windows NT user, the winbindd(8) daemon uses this parameter to fill in the login shell for that user.

Default: template shell = /bin/false

time offset (G)
This parameter is a setting in minutes to add to the normal GMT to local time conversion. This is useful if you are serving a lot of PCs that have incorrect daylight saving time handling.

Default: time offset = 0

Example: time offset = 60

time server (G)
This parameter determines whether nmbd(8) advertises itself as a time server to Windows clients.

Default: time server = no

timestamp logs (G)
Synonym for debug timestamp.
unicode (G)
Specifies whether Samba should try to use unicode on the wire by default. Note: This does NOT mean that samba will assume that the unix machine uses unicode!

Default: unicode = yes

unix charset (G)
Specifies the charset the unix machine Samba runs on uses. Samba needs to know this in order to be able to convert text to the charsets other SMB clients use.

Default: unix charset = UTF8

Example: unix charset = ASCII

unix extensions (G)
This boolean parameter controls whether Samba implements the CIFS UNIX extensions, as defined by HP. These extensions enable Samba to better serve UNIX CIFS clients by supporting features such as symbolic links, hard links, etc. These extensions require a similarly enabled client, and are of no current use to Windows clients.

Default: unix extensions = yes

unix password sync (G)
This boolean parameter controls whether Samba attempts to synchronize the UNIX password with the SMB password when the encrypted SMB password in the smbpasswd file is changed. If this is set to yes the program specified in the passwd program parameter is called AS ROOT - to allow the new UNIX password to be set without access to the old UNIX password (as the SMB password change code has no access to the old password cleartext, only the new).

See also passwd program, passwd chat.

Default: unix password sync = no

update encrypted (G)
This boolean parameter allows a user logging on with a plaintext password to have their encrypted (hashed) password in the smbpasswd file updated automatically as they log on. This option allows a site to migrate from plaintext password authentication (users authenticate with a plaintext password over the wire, and are checked against a UNIX account database) to encrypted password authentication (the SMB challenge/response authentication mechanism) without forcing all users to re-enter their passwords via smbpasswd at the time the change is made. This is a convenience option to allow the change over to encrypted passwords to be made over a longer period. Once all users have encrypted representations of their passwords in the smbpasswd file this parameter should be set to no.

In order for this parameter to work correctly the encrypt passwords parameter must be set to no when this parameter is set to yes.

Note that even when this parameter is set, smbd must still authenticate the user; only once a valid password has been entered can they connect correctly and have their hashed (smbpasswd) password updated.

Default: update encrypted = no

use client driver (S)
This parameter applies only to Windows NT/2000 clients. It has no effect on Windows 95/98/ME clients. When serving a printer to Windows NT/2000 clients without first installing a valid printer driver on the Samba host, the client will be required to install a local printer driver. From this point on, the client will treat the printer as a local printer and not a network printer connection. This is much the same behavior that will occur when disable spoolss = yes.

The differentiating factor is that under normal circumstances, the NT/2000 client will attempt to open the network printer using MS-RPC. The problem is that because the client considers the printer to be local, it will attempt to issue the OpenPrinterEx() call requesting access rights associated with the logged on user. If the user possesses local administrator rights but not root privilege on the Samba host (often the case), the OpenPrinterEx() call will fail. The result is that the client will now display an "Access Denied; Unable to connect" message in the printer queue window (even though jobs may successfully be printed).

If this parameter is enabled for a printer, then any attempt to open the printer with the PRINTER_ACCESS_ADMINISTER right is mapped to PRINTER_ACCESS_USE instead, thus allowing the OpenPrinterEx() call to succeed. This parameter MUST NOT be enabled on a print share which has a valid print driver installed on the Samba server.

See also disable spoolss.

Default: use client driver = no

use mmap (G)
This global parameter determines if the tdb internals of Samba can depend on mmap working correctly on the running system. Samba requires a coherent mmap/read-write system memory cache. Currently only HPUX does not have such a coherent cache, and so this parameter is set to no by default on HPUX. On all other systems this parameter should be left alone. This parameter is provided to help the Samba developers track down problems with the tdb internal code.

Default: use mmap = yes

user (S)
Synonym for username.
username (S)
Multiple users may be specified in a comma-delimited list, in which case the supplied password will be tested against each username in turn (left to right).

The username line is needed only when the PC is unable to supply its own username. This is the case for the COREPLUS protocol or where your users have different WfWg usernames to UNIX usernames. In both these cases you may also be better off using the \\server\share%user syntax instead.

The username line is not a great solution in many cases as it means Samba will try to validate the supplied password against each of the usernames in the username line in turn. This is slow and a bad idea for lots of users in case of duplicate passwords. You may get timeouts or security breaches using this parameter unwisely.

Samba relies on the underlying UNIX security. This parameter does not restrict who can log in, it just offers hints to the Samba server as to what usernames might correspond to the supplied password. Users can log in as whoever they please and they will be able to do no more damage than if they started a telnet session. The daemon runs as the user that they log in as, so they cannot do anything that user cannot do.

To restrict a service to a particular set of users you can use the valid users parameter.

If any of the usernames begin with a '@' then the name will be looked up first in the NIS netgroups list (if Samba is compiled with netgroup support), followed by a lookup in the UNIX groups database, and will expand to a list of all users in the group of that name.

If any of the usernames begin with a '+' then the name will be looked up only in the UNIX groups database and will expand to a list of all users in the group of that name.

If any of the usernames begin with a '&' then the name will be looked up only in the NIS netgroups list (if Samba is compiled with netgroup support) and will expand to a list of all users in the netgroup of that name.

Note that searching through a groups database can take quite some time, and some clients may time out during the search.

See the section NOTE ABOUT USERNAME/PASSWORD VALIDATION for more information on how this parameter determines access to the services.

Default: The guest account if a guest service, else an empty string.

Example: username = fred, mary, jack, jane, @users, @pcgroup

username level (G)
This option helps Samba to try and "guess" at the real UNIX username, as many DOS clients send an all-uppercase username. By default Samba tries all lowercase, followed by the username with the first letter capitalized, and fails if the username is not found on the UNIX machine.

If this parameter is set to non-zero the behavior changes. This parameter is a number that specifies the number of uppercase combinations to try while trying to determine the UNIX user name. The higher the number the more combinations will be tried, but the slower the discovery of usernames will be. Use this parameter when you have strange usernames on your UNIX machine, such as AstrangeUser.

Default: username level = 0

Example: username level = 5

username map (G)
This option allows you to specify a file containing a mapping of usernames from the clients to the server. This can be used for several purposes. The most common is to map usernames that users use on DOS or Windows machines to those that the UNIX box uses. The other is to map multiple users to a single username so that they can more easily share files.

The map file is parsed line by line. Each line should contain a single UNIX username on the left, then a '=' followed by a list of usernames on the right. The list of usernames on the right may contain names of the form @group, in which case they will match any UNIX username in that group. The special client name '*' is a wildcard and matches any name. Each line of the map file may be up to 1023 characters long.

The file is processed on each line by taking the supplied username and comparing it with each username on the right hand side of the '=' sign. If the supplied name matches any of the names on the right hand side then it is replaced with the name on the left. Processing then continues with the next line.

Lines beginning with a '#' or a ';' are ignored.

If any line begins with a '!' then the processing will stop after that line if a mapping was done by the line. Otherwise mapping continues with every line being processed. Using '!' is most useful when you have a wildcard mapping line later in the file.

For example, to map from the names admin or administrator to the UNIX name root you would use:

root = admin administrator

Or to map anyone in the UNIX group system to the UNIX name sys you would use:

sys = @system

You can have as many mappings as you like in a username map file.

If your system supports the NIS NETGROUP option then the netgroup database is checked before the /etc/group database for matching groups.

You can map Windows usernames that have spaces in them by using double quotes around the name. For example:

tridge = "Andrew Tridgell"

would map the Windows username "Andrew Tridgell" to the UNIX username "tridge".

The following example would map mary and fred to the UNIX user sys, and map the rest to guest. Note the use of the '!' to tell Samba to stop processing if it gets a match on that line.

!sys = mary fred
guest = *

Note that the remapping is applied to all occurrences of usernames. Thus if you connect to \\server\fred and fred is remapped to mary, then you will actually be connecting to \\server\mary and will need to supply a password suitable for mary, not fred. The only exception to this is the username passed to the password server (if you have one). The password server will receive whatever username the client supplies without modification.

Also note that no reverse mapping is done. The main effect this has is with printing. Users who have been mapped may have trouble deleting print jobs as the Print Manager under WfWg will think they don't own the print job.

Default: no username map

Example: username map = /usr/local/samba/lib/users.map
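The map-file rules above, as an added example that is not Samba's own code: a parser for the line format ('=' with a quoted-name list on the right, '#'/';' comments, a leading '!') and the line-by-line application, including the wildcard pitfall the text warns about. The group table is a constructed stand-in for the UNIX group database (NIS netgroups are not modelled), and comparing names case-insensitively is an assumption of this example.

```python
import shlex

# Added example, not Samba's own code: parses a username map file with the
# rules described above and applies it to a client-supplied name. The group
# lookup is a constructed dict standing in for the UNIX group database (NIS
# netgroups are not modelled); name comparison is case-insensitive, an
# assumption of this example.

def parse_username_map(text):
    """Return a list of (stop_after_match, unix_name, client_names) in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # comment lines are ignored
            continue
        stop = line.startswith("!")            # '!' ends processing after a match
        if stop:
            line = line[1:].lstrip()
        if "=" not in line:
            continue                           # not a mapping line; skip it
        unix_name, rhs = line.split("=", 1)
        # shlex honours the double quotes used for names containing spaces
        rules.append((stop, unix_name.strip(), shlex.split(rhs)))
    return rules


def _matches(name, pattern, groups):
    """Does one right-hand-side entry match the current name?"""
    if pattern == "*":                         # wildcard matches any name
        return True
    if pattern.startswith("@"):                # @group: any UNIX user in that group
        return name in groups.get(pattern[1:], set())
    return name.lower() == pattern.lower()


def map_username(name, rules, groups):
    """Apply every rule in order; the name carried to the next line is the mapped one."""
    current = name
    for stop, unix_name, client_names in rules:
        if any(_matches(current, p, groups) for p in client_names):
            current = unix_name
            if stop:
                break
    return current


# Constructed samples: the mapping lines quoted in the text, once without and
# once with a trailing wildcard default line.
GROUPS = {"system": {"operator"}}

SAMPLE_MAP = """\
# mappings quoted in the text
root = admin administrator
sys = @system
tridge = "Andrew Tridgell"
"""

SAMPLE_MAP_WITH_DEFAULT = """\
root = admin administrator
!sys = mary fred
guest = *
"""

if __name__ == "__main__":
    rules = parse_username_map(SAMPLE_MAP_WITH_DEFAULT)
    for who in ("mary", "admin", "bob"):
        print(who, "->", map_username(who, rules, GROUPS))
```

In the second sample the root line carries no '!', so "admin" becomes root and is then caught by the wildcard and ends up as guest, which is exactly the case the '!' marker exists for.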

users (S)
Synonym for username.
use sendfile (S)
If this parameter is yes, and Samba was built with the --with-sendfile-support option, and the underlying operating system supports the sendfile system call, then some SMB read calls (mainly ReadAndX and ReadRaw) will use the more efficient sendfile system call for files that are exclusively oplocked. This may make more efficient use of the system CPUs and cause Samba to be faster. This is off by default as its effects are unknown as yet.

Default: use sendfile = no

use spnego (G)
This variable controls whether Samba will try to use Simple and Protected NEGOtiation (as specified by RFC 2478) with Windows XP and Windows 2000 clients to agree upon an authentication mechanism. Unless further issues are discovered with our SPNEGO implementation, there is no reason this should ever be disabled.

Default: use spnego = yes

utmp (G)
This boolean parameter is only available if Samba has been configured and compiled with the option --with-utmp. If set to yes then Samba will attempt to add utmp or utmpx records (depending on the UNIX system) whenever a connection is made to a Samba server. Sites may use this to record the user connecting to a Samba share.

Due to the requirements of the utmp record, we are required to create a unique identifier for the incoming user. Enabling this option creates an n^2 algorithm to find this number. This may impede performance on large installations.

See also the utmp directory parameter.

Default: utmp = no

utmp directory (G)
This parameter is only available if Samba has been configured and compiled with the option --with-utmp. It specifies a directory pathname that is used to store the utmp or utmpx files (depending on the UNIX system) that record user connections to a Samba server. See also the utmp parameter. By default this is not set, meaning the system will use whatever utmp file the native system is set to use (usually /var/run/utmp on Linux).

Default: no utmp directory

Example: utmp directory = /var/run/utmp

-valid (S)
This parameter indicates whether a share is valid and thus can be used. When this parameter is set to false, the share will be in no way visible nor accessible.

This option should not be used by regular users but might be of help to developers. Samba uses this option internally to mark shares as deleted.

Default: True

valid users (S)
This is a list of users that should be allowed to login to this service. Names starting with '@', '+' and '&' are interpreted using the same rules as described in the invalid users parameter.

If this is empty (the default) then any user can login. If a username is in both this list and the invalid users list then access is denied for that user.

The current service name is substituted for %S. This is useful in the [homes] section.

See also invalid users

Default: empty (no one is refused)

Example: valid users = greg, @pcusers

veto files (S)
This is a list of files and directories that are neither visible nor accessible. Each entry in the list must be separated by a '/', which allows spaces to be included in the entry. '*' and '?' can be used to specify multiple files or directories as in DOS wildcards.

Each entry must be a UNIX path, not a DOS path, and must not include the UNIX directory separator '/'.

Note that the case sensitive option is applicable in vetoing files.

One feature of the veto files parameter that it is important to be aware of is Samba's behaviour when trying to delete a directory. If a directory that is to be deleted contains nothing but veto files this deletion will fail unless you also set the delete veto files parameter to yes.

Setting this parameter will affect the performance of Samba, as it will be forced to check all files and directories for a match as they are scanned.

See also hide files and case sensitive.

Default: no files or directories are vetoed.

Example:

; Veto any file whose name contains 'Security',
; any file with the extension .tmp, and any file whose name contains 'root'
veto files = /*Security*/*.tmp/*root*/

; Veto the Apple specific files that a NetAtalk server creates
veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/

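
As an added example (not Samba's implementation), the matching rules above applied in Python to a constructed directory listing, including the interaction with delete veto files; the same '/'-separated wildcard syntax is what veto oplock files uses.

```python
import fnmatch
from typing import Iterable, List


def parse_veto_list(value: str) -> List[str]:
    """Split a 'veto files' value on '/'; spaces inside an entry survive.

    The empty strings produced by the leading and trailing '/' are dropped.
    """
    return [entry for entry in value.split("/") if entry]


def is_vetoed(name: str, patterns: Iterable[str], case_sensitive: bool = False) -> bool:
    """True if NAME (one path component) matches any DOS-style pattern.

    Only '*' and '?' are wildcards, so fnmatch's '[...]' classes are
    escaped. With 'case sensitive = no' both sides are compared lowercased.
    """
    if "/" in name:
        raise ValueError("veto entries apply to path components, not paths")
    for pattern in patterns:
        pat = pattern.replace("[", "[[]")
        if case_sensitive:
            hit = fnmatch.fnmatchcase(name, pat)
        else:
            hit = fnmatch.fnmatchcase(name.lower(), pat.lower())
        if hit:
            return True
    return False


def visible_entries(listing: Iterable[str], patterns: Iterable[str],
                    case_sensitive: bool = False) -> List[str]:
    """The directory listing as a client sees it: vetoed names are hidden."""
    patterns = list(patterns)
    return [n for n in listing if not is_vetoed(n, patterns, case_sensitive)]


def rmdir_allowed(listing: Iterable[str], patterns: Iterable[str],
                  delete_veto_files: bool = False, case_sensitive: bool = False) -> bool:
    """Model smbd's decision when a client deletes a directory.

    Any visible entry blocks deletion. If only vetoed entries remain, the
    deletion fails unless 'delete veto files = yes', in which case smbd
    removes the vetoed entries first and the rmdir succeeds.
    """
    listing = list(listing)
    patterns = list(patterns)
    if visible_entries(listing, patterns, case_sensitive):
        return False
    if not listing:
        return True
    return delete_veto_files


# Constructed listing of a directory on a share using the second example above.
SAMPLE_LISTING = [".AppleDouble", "Network Trash Folder", "report.docx"]

if __name__ == "__main__":
    apple = parse_veto_list("/.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/")
    print("client sees:", visible_entries(SAMPLE_LISTING, apple))
    print("rmdir after removing report.docx, delete veto files = no:",
          rmdir_allowed(SAMPLE_LISTING[:2], apple))
    print("rmdir after removing report.docx, delete veto files = yes:",
          rmdir_allowed(SAMPLE_LISTING[:2], apple, delete_veto_files=True))
```
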
veto oplock files (S)
This parameter is only valid when the oplocks parameter is turned on for a share. It allows the Samba administrator to selectively turn off the granting of oplocks on selected files that match a wildcarded list, similar to the wildcarded list used in the veto files parameter.

Default: no files are vetoed for oplock grants

You might want to do this on files that you know will be heavily contended for by clients. A good example of this is in the NetBench SMB benchmark program, which causes heavy client contention for files ending in .SEM. To cause Samba not to grant oplocks on these files you would use the following line, either in the [global] section or in the section for the particular NetBench share:

Example: veto oplock files = /*.SEM/

vfs object (S)
Synonym for vfs objects.
vfs objects (S)
This parameter specifies the backend names which are used for Samba VFS I/O operations. By default, normal disk I/O operations are used but these can be overloaded with one or more VFS objects.

Default: no value

Example: vfs objects = extd_audit recycle

volume (S)
This allows you to override the volume label returned for a share. Useful for CDROMs with installation programs that insist on a particular volume label. The default is the volume label of the share.

Default: the name of the share

wide links (S)
This parameter controls whether or not links in the UNIX file system may be followed by the server. Links that point to areas within the directory tree exported by the server are always allowed; this parameter controls access only to areas that are outside the directory tree being exported.

Note that setting this parameter can have a negative effect on your server performance due to the extra system calls that Samba has to do in order to perform the link checks.

Default: wide links = yes

winbind cache time (G)
This parameter specifies the number of seconds the winbindd(8) daemon will cache user and group information before querying a Windows NT server again.

Default: winbind cache time = 300

winbind enable local accounts (G)
This parameter controls whether or not winbindd will act as a stand in replacement for the various account management hooks in smb.conf (e.g. 'add user script'). If enabled, winbindd will support the creation of local users and groups as another source of UNIX account information available via getpwnam() or getgrgid(), etc...

Default: winbind enable local accounts = yes

winbind enum groups (G)
On large installations using winbindd(8) it may be necessary to suppress the enumeration of groups through the setgrent(), getgrent() and endgrent() group of system calls. If the winbind enum groups parameter is no, calls to the getgrent() system call will not return any data.

Warning: Turning off group enumeration may cause some programs to behave oddly.

Default: winbind enum groups = yes

winbind enum users (G)
On large installations using winbindd(8) it may be necessary to suppress the enumeration of users through the setpwent(), getpwent() and endpwent() group of system calls. If the winbind enum users parameter is no, calls to the getpwent system call will not return any data.

Warning: Turning off user enumeration may cause some programs to behave oddly. For example, the finger program relies on having access to the full user list when searching for matching usernames.

Default: winbind enum users = yes

winbind gid (G)
This parameter is now an alias for idmap gid.

The winbind gid parameter specifies the range of group ids that are allocated by the winbindd(8) daemon. This range of group ids should have no existing local or NIS groups within it, as strange conflicts can occur otherwise.

Default: winbind gid = <empty string>

Example: winbind gid = 10000-20000

winbind separator (G)
This parameter allows an admin to define the character used when listing a username of the form DOMAIN\user. This parameter is only applicable when using the pam_winbind.so and nss_winbind.so modules for UNIX services.

Please note that setting this parameter to + causes problems with group membership at least on glibc systems, as the character + is used as a special character for NIS in /etc/group.

Default: winbind separator = '\'

Example: winbind separator = +

winbind trusted domains only (G)
This parameter is designed to allow Samba servers that are members of a Samba controlled domain to use UNIX accounts distributed via NIS, rsync, or LDAP as the uids for winbindd users in the host's primary domain. Therefore, the user 'SAMBA\user1' would be mapped to the account 'user1' in /etc/passwd instead of allocating a new uid for him or her.

Default: winbind trusted domains only = <no>

winbind uid (G)
This parameter is now an alias for idmap uid.

The winbind uid parameter specifies the range of user ids that are allocated by the winbindd(8) daemon. This range of ids should have no existing local or NIS users within it, as strange conflicts can occur otherwise.

Default: winbind uid = <empty string>

Example: winbind uid = 10000-20000

winbind use default domain (G)
This parameter specifies whether the winbindd(8) daemon should operate on users without a domain component in their username. Users without a domain component are treated as part of the winbindd server's own domain. While this does not benefit Windows users, it makes SSH, FTP and e-mail function in a way much closer to the way they would in a native UNIX system.

Default: winbind use default domain = <no>

Example: winbind use default domain = yes

wins hook (G)
When Samba is running as a WINS server this allows you to call an external program for all changes to the WINS database. The primary use for this option is to allow the dynamic update of external name resolution databases such as dynamic DNS.

The wins hook parameter specifies the name of a script or executable that will be called as follows:

wins_hook operation name nametype ttl IP_list

The first argument is the operation, which is one of "add", "delete", or "refresh". In most cases the operation can be ignored, as the rest of the parameters provide sufficient information. Note that "refresh" may sometimes be called when the name has not previously been added; in that case it should be treated as an add.

The second argument is the NetBIOS name. If the name is not a legal name then the wins hook is not called. Legal names contain only letters, digits, hyphens, underscores and periods.

The third argument is the NetBIOS name type as a 2 digit hexadecimal number.

The fourth argument is the TTL (time to live) for the name in seconds.

The fifth part is the list of IP addresses currently registered for that name. If the list is empty, the name is deleted.

An example script that calls the BIND dynamic DNS update program nsupdate is provided in the examples directory of the Samba source code.
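
As an added example (not the nsupdate script from the Samba examples directory), a wins hook in Python that implements the argument contract just described; instead of invoking nsupdate it returns the nsupdate-style commands it would apply, so the handling of the name rule, the empty address list and "refresh" can be checked offline. The DNS zone example.internal and the choice to publish only workstation (00) and server (20) name types are assumptions of this example.

```python
#!/usr/bin/env python3
import ipaddress
import re
import sys
from typing import List, Optional

ZONE = "example.internal"                    # assumed zone, not a Samba setting
NAME_RE = re.compile(r"^[A-Za-z0-9._-]+$")   # legal names per the rule above
TYPE_RE = re.compile(r"^[0-9A-Fa-f]{2}$")    # name type: two hex digits
PUBLISHED_TYPES = {"00", "20"}               # workstation and server names only


def wins_hook(argv: List[str]) -> Optional[List[str]]:
    """Translate one WINS change into nsupdate commands.

    argv is [operation, name, type, ttl, ip...] as nmbd passes it. Returns
    None when the call violates the contract, an empty list for name types
    this hook does not publish, and otherwise the commands to send.
    """
    if len(argv) < 4:
        return None
    op, name, ntype, ttl = argv[:4]
    ips = argv[4:]
    if op not in ("add", "delete", "refresh"):
        return None
    if not NAME_RE.match(name) or not TYPE_RE.match(ntype) or not ttl.isdigit():
        return None
    try:
        for ip in ips:
            ipaddress.IPv4Address(ip)        # WINS registers IPv4 addresses only
    except ipaddress.AddressValueError:
        return None
    if ntype.upper() not in PUBLISHED_TYPES:
        return []
    fqdn = f"{name.lower()}.{ZONE}"
    # An empty address list means the name was released, whatever the
    # operation word says. A "refresh" for a name never seen before must
    # behave like "add", so add and refresh are handled identically.
    if op == "delete" or not ips:
        return [f"update delete {fqdn} A", "send"]
    commands = [f"update delete {fqdn} A"]   # replace the whole record set
    commands += [f"update add {fqdn} {int(ttl)} A {ip}" for ip in ips]
    commands.append("send")
    return commands


if __name__ == "__main__":
    result = wins_hook(sys.argv[1:])
    if result is None:
        sys.exit(f"wins_hook: rejected arguments: {sys.argv[1:]!r}")
    # A deployed hook would pipe this text into nsupdate instead of printing it.
    print("\n".join(result))
```
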

wins partners (G)
A space separated list of partners' IP addresses for WINS replication. WINS partners are always defined as push/pull partners as defining only one way WINS replication is unreliable. WINS replication is currently experimental and unreliable between samba servers.

Default: wins partners =

Example: wins partners = 192.168.0.1 172.16.1.2

wins proxy (G)
This boolean parameter controls whether nmbd(8) will respond to broadcast name queries on behalf of other hosts. You may need to set this to yes for some older clients.

Default: wins proxy = no

wins server (G)
This specifies the IP address (or DNS name: IP address for preference) of the WINS server that nmbd(8) should register with. If you have a WINS server on your network then you should set this to the WINS server's IP.

If you have multiple subnets, you should point Samba at your WINS server.

If you want to work in multiple namespaces, you can give every WINS server a 'tag'. For each tag, only one (working) server will be queried for a name. The tag should be separated from the IP address by a colon.

Note that you should point to your WINS server if you have multiple subnets and wish cross-subnet browsing to work correctly.

Default: not enabled

Example: wins server = mary:192.9.200.1 fred:192.168.3.199 mary:192.168.2.61

For this example, when querying a certain name, 192.9.200.1 will be asked first and, if that doesn't respond, 192.168.2.61. If neither of those knows the name, 192.168.3.199 will be queried.

Example: wins server = 192.9.200.1 192.168.2.61

wins support (G)
This boolean controls whether the nmbd(8) process in Samba will act as a WINS server. You should not set this to yes unless you have multiple subnets or wish a particular nmbd to be your WINS server. Note that when there are several WINS servers on your network this should be set to yes.

Default: wins support = no

workgroup (G)
This controls what workgroup your server will appear to be in when queried by clients. Note that this parameter also controls the domain name used with the security = domain setting.

Default: set at compile time to WORKGROUP

Example: workgroup = MYGROUP

writable (S)
Synonym for writeable, for people who can't spell :-).
writeable (S)
Inverted synonym for read only.
write cache size (S)
If this integer parameter is set to non-zero value, Samba will create an in-memory cache for each oplocked file (it does not do this for non-oplocked files). All writes that the client does not request to be flushed directly to disk will be stored in this cache if possible. The cache is flushed onto disk when a write comes in whose offset would not fit into the cache or when the file is closed by the client. Reads for the file are also served from this cache if the data is stored within it.

This cache allows Samba to batch client writes into a more efficient write size for RAID disks (i.e. writes may be tuned to be the RAID stripe size) and can improve performance on systems where the disk subsystem is a bottleneck but there is free memory for userspace programs.

The integer parameter specifies the size of this cache (per oplocked file) in bytes.

Default: write cache size = 0

Example: write cache size = 262144

for a 256k cache size per file.

write list (S)
This is a list of users that are given read-write access to a service. If the connecting user is in this list then they will be given write access, no matter what the read only option is set to. The list can include group names using the @group syntax.

Note that if a user is in both the read list and the write list then they will be given write access.

See also the read list parameter.

Default: write list = <empty string>

Example: write list = admin, root, @staff

write ok (S)
Inverted synonym for read only.
write raw (G)
This parameter controls whether or not the server will support raw write SMBs when transferring data from clients. You should never need to change this parameter.

Default: write raw = yes

wtmp directory (G)
This parameter is only available if Samba has been configured and compiled with the option --with-utmp. It specifies a directory pathname that is used to store the wtmp or wtmpx files (depending on the UNIX system) that record user connections to a Samba server. The difference with the utmp directory is the fact that user info is kept after a user has logged out.

See also the utmp parameter. By default this is not set, meaning the system will use whatever utmp file the native system is set to use (usually /var/run/wtmp on Linux).

Default: no wtmp directory

Example: wtmp directory = /var/log/wtmp

WARNINGS

Although the configuration file permits service names to contain spaces, your client software may not. Spaces will be ignored in comparisons anyway, so it shouldn't be a problem - but be aware of the possibility.

On a similar note, many clients - especially DOS clients - limit service names to eight characters. smbd(8) has no such limitation, but attempts to connect from such clients will fail if they truncate the service names. For this reason you should probably keep your service names down to eight characters in length.

Use of the [homes] and [printers] special sections makes life for an administrator easy, but the various combinations of default attributes can be tricky. Take extreme care when designing these sections. In particular, ensure that the permissions on spool directories are correct.

VERSION

This man page is correct for version 3.0 of the Samba suite.

SEE ALSO

samba(7), smbpasswd(8), swat(8), smbd(8), nmbd(8), smbclient(1), nmblookup(1), testparm(1), testprns(1).

NAME

smb.conf - The configuration file for the Samba suite  

SYNOPSIS

The smb.conf file is a configuration file for the Samba suite. smb.conf contains runtime configuration information for the Samba programs. The smb.conf file is designed to be configured and administered by the swat(8) program. The complete description of the file format and possible parameters held within are here for reference purposes.

FILE FORMAT

The file consists of sections and parameters. A section begins with the name of the section in square brackets and continues until the next section begins. Sections contain parameters of the form

name = value

The file is line-based - that is, each newline-terminated line represents either a comment, a section name or a parameter.

Section and parameter names are not case sensitive.

Only the first equals sign in a parameter is significant. Whitespace before or after the first equals sign is discarded. Leading, trailing and internal whitespace in section and parameter names is irrelevant. Leading and trailing whitespace in a parameter value is discarded. Internal whitespace within a parameter value is retained verbatim.

Any line beginning with a semicolon (``;'') or a hash (``#'') character is ignored, as are lines containing only whitespace.

Any line ending in a ``\'' is continued on the next line in the customary UNIX fashion.

The values following the equals sign in parameters are all either a string (no quotes needed) or a boolean, which may be given as yes/no, 0/1 or true/false. Case is not significant in boolean values, but is preserved in string values. Some items such as create modes are numeric.
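
As an added example (not Samba's own configuration loader), a Python parser for the file format rules above: comment and blank lines, '\' continuation, splitting on the first '=', and whitespace and case normalisation of names, followed by a boolean helper and a lookup that resolves a share's read only setting through [global] and its inverted synonyms writeable, writable and write ok from the parameter list later in this page. The sample configuration is constructed.

```python
from typing import Dict, List, Optional

Section = Dict[str, str]
Config = Dict[str, Section]

_TRUE = {"yes", "1", "true"}
_FALSE = {"no", "0", "false"}


def normalise_name(name: str) -> str:
    """Leading, trailing and internal whitespace and case are irrelevant."""
    return "".join(name.split()).lower()


def _logical_lines(text: str) -> List[str]:
    """Join lines ending in '\\' with the following line, UNIX style."""
    lines, pending = [], ""
    for raw in text.splitlines():
        if raw.endswith("\\"):
            pending += raw[:-1]
            continue
        lines.append(pending + raw)
        pending = ""
    if pending:
        lines.append(pending)
    return lines


def parse_smb_conf(text: str) -> Config:
    """Return {section: {parameter: value}} with normalised names."""
    config: Config = {}
    current: Optional[Section] = None
    for lineno, line in enumerate(_logical_lines(text), 1):
        stripped = line.strip()
        if not stripped or stripped[0] in ";#":
            continue  # comment or whitespace-only line
        if stripped.startswith("[") and stripped.endswith("]"):
            current = config.setdefault(normalise_name(stripped[1:-1]), {})
            continue
        if current is None:
            raise ValueError(f"line {lineno}: parameter outside any section")
        name, sep, value = stripped.partition("=")  # only the first '=' counts
        if not sep or not name.strip():
            raise ValueError(f"line {lineno}: expected 'name = value'")
        # Whitespace around '=' is discarded; internal value whitespace is kept.
        current[normalise_name(name)] = value.strip()
    return config


def as_bool(value: str) -> bool:
    """yes/no, 1/0 and true/false, case-insensitively."""
    lowered = value.strip().lower()
    if lowered in _TRUE:
        return True
    if lowered in _FALSE:
        return False
    raise ValueError(f"not a boolean: {value!r}")


def share_is_read_only(config: Config, share: str) -> bool:
    """Resolve 'read only' for SHARE, with [global] supplying the default.

    'writeable', 'writable' and 'write ok' are inverted synonyms of
    'read only' (see the parameter list); a key written later in a section
    overrides one written earlier (the parser keeps one value per key).
    """
    result = True  # Samba's built-in default is read only = yes
    for section in ("global", normalise_name(share)):
        for key, value in config.get(section, {}).items():
            if key == "readonly":
                result = as_bool(value)
            elif key in ("writeable", "writable", "writeok"):
                result = not as_bool(value)
    return result


# Constructed sample exercising comments, continuation and whitespace rules.
SAMPLE_CONF = """
[global]
   workgroup = MYGROUP
   ; comment lines start with ';' or '#'
   # and are ignored, as are blank lines
   Read Only = yes

[foo]
        path = /home/bar
        comment = shared  files \\
for everyone
        read only = no

[public]
        path = /srv/public
        writeable = no
"""
```
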

SECTION DESCRIPTIONS

Each section in the configuration file (except for the [global] section) describes a shared resource (known as a ``share''). The section name is the name of the shared resource and the parameters within the section define the share's attributes.

There are three special sections, [global], [homes] and [printers], which are described under special sections. The following notes apply to ordinary section descriptions.

A share consists of a directory to which access is being given plus a description of the access rights which are granted to the user of the service. Some housekeeping options are also specifiable.

Sections are either file share services (used by the client as an extension of their native file systems) or printable services (used by the client to access print services on the host running the server).

Sections may be designated guest services, in which case no password is required to access them. A specified UNIX guest account is used to define access privileges in this case.

Sections other than guest services will require a password to access them. The client provides the username. As older clients only provide passwords and not usernames, you may specify a list of usernames to check against the password using the ``user ='' option in the share definition. For modern clients such as Windows 95/98/ME/NT/2000, this should not be necessary.

The access rights granted by the server are masked by the access rights granted to the specified or guest UNIX user by the host system. The server does not grant more access than the host system grants.

The following sample section defines a file space share. The user has write access to the path /home/bar. The share is accessed via the share name ``foo'':

Example 1.

[foo]
        path = /home/bar
        read only = no

The following sample section defines a printable share. The share is read-only, but printable. That is, the only write access permitted is via calls to open, write to and close a spool file. The guest ok parameter means access will be permitted as the default guest user (specified elsewhere):

Example 2.

[aprinter]
        path = /usr/spool/public
        read only = yes
        printable = yes
        guest ok = yes

SPECIAL SECTIONS

The [global] section

Parameters in this section apply to the server as a whole, or are defaults for sections that do not specifically define certain items. See the notes under PARAMETERS for more information.

The [homes] section

If a section called [homes] is included in the configuration file, services connecting clients to their home directories can be created on the fly by the server.

When the connection request is made, the existing sections are scanned. If a match is found, it is used. If no match is found, the requested section name is treated as a username and looked up in the local password file. If the name exists and the correct password has been given, a share is created by cloning the [homes] section.

Some modifications are then made to the newly created share:

* The share name is changed from homes to the located username.
* If no path was given, the path is set to the user's home directory.

If you decide to use a path = line in your [homes] section, you may find it useful to use the %S macro. For example :

path = /data/pchome/%S

is useful if you have different home directories for your PCs than for UNIX access.

This is a fast and simple way to give a large number of clients access to their home directories with a minimum of fuss.

A similar process occurs if the requested section name is ``homes'', except that the share name is not changed to that of the requesting user. This method of using the [homes] section works well if different users share a client PC.

The [homes] section can specify all the parameters a normal service section can specify, though some make more sense than others. The following is a typical and suitable [homes] section:

Example 3.

[homes]
        read only = no

An important point is that if guest access is specified in the [homes] section, all home directories will be visible to all clients without a password. In the very unlikely event that this is actually desirable, it is wise to also specify read only access.

The browseable flag for auto home directories will be inherited from the global browseable flag, not the [homes] browseable flag. This is useful as it means setting browseable = no in the [homes] section will hide the [homes] share but make any auto home directories visible.

The [printers] section

This section works like [homes], but for printers.

If a [printers] section occurs in the configuration file, users are able to connect to any printer specified in the local host's printcap file.

When a connection request is made, the existing sections are scanned. If a match is found, it is used. If no match is found, but a [homes] section exists, it is used as described above. Otherwise, the requested section name is treated as a printer name and the appropriate printcap file is scanned to see if the requested section name is a valid printer share name. If a match is found, a new printer share is created by cloning the [printers] section.

A few modifications are then made to the newly created share:

* The share name is set to the located printer name.
* If no printer name was given, the printer name is set to the located printer name.
* If the share does not permit guest access and no username was given, the username is set to the located printer name.

The [printers] service MUST be printable - if you specify otherwise, the server will refuse to load the configuration file.

Typically the path specified is that of a world-writeable spool directory with the sticky bit set on it. A typical [printers] entry looks like this:

Example 4.

[printers]
        path = /usr/spool/public
        guest ok = yes
        printable = yes

All aliases given for a printer in the printcap file are legitimate printer names as far as the server is concerned. If your printing subsystem doesn't work like that, you will have to set up a pseudo-printcap. This is a file consisting of one or more lines like this:

alias|alias|alias|alias...

Each alias should be an acceptable printer name for your printing subsystem. In the [global] section, specify the new file as your printcap. The server will only recognize names found in your pseudo-printcap, which of course can contain whatever aliases you like. The same technique could be used simply to limit access to a subset of your local printers.

An alias, by the way, is defined as any component of the first entry of a printcap record. Records are separated by newlines, components (if there are more than one) are separated by vertical bar symbols (``|'').

Note

On SYSV systems which use lpstat to determine what printers are defined on the system you may be able to use ``printcap name = lpstat'' to automatically obtain a list of printers. See the ``printcap name'' option for more details.

PARAMETERS

Parameters define the specific attributes of sections.

Some parameters are specific to the [global] section (e.g., security). Some parameters are usable in all sections (e.g., create mode). All others are permissible only in normal sections. For the purposes of the following descriptions the [homes] and [printers] sections will be considered normal. The letter G in parentheses indicates that a parameter is specific to the [global] section. The letter S indicates that a parameter can be specified in a service specific section. All S parameters can also be specified in the [global] section - in which case they will define the default behavior for all services.

Parameters are arranged here in alphabetical order - this may not create best bedfellows, but at least you can find them! Where there are synonyms, the preferred synonym is described, others refer to the preferred synonym.

VARIABLE SUBSTITUTIONS

Many of the strings that are settable in the config file can take substitutions. For example the option ``path = /tmp/%u'' is interpreted as ``path = /tmp/john'' if the user connected with the username john.

These substitutions are mostly noted in the descriptions below, but there are some general substitutions which apply whenever they might be relevant. These are:

%U
session username (the username that the client wanted, not necessarily the same as the one they got).
%G
primary group name of %U.
%h
the Internet hostname that Samba is running on.
%m
the NetBIOS name of the client machine (very useful).
%L
the NetBIOS name of the server. This allows you to change your config based on what the client calls you. Your server can have a ``dual personality''.

This parameter is not available when Samba listens on port 445, as clients no longer send this information.

%M
the Internet name of the client machine.
%R
the selected protocol level after protocol negotiation. It can be one of CORE, COREPLUS, LANMAN1, LANMAN2 or NT1.
%d
The process id of the current server process.
%a
the architecture of the remote machine. Only some are recognized, and those may not be 100% reliable. It currently recognizes Samba, Windows for Workgroups, Windows 95, Windows NT and Windows 2000. Anything else will be known as ``UNKNOWN''. If it gets it wrong, sending a level 3 log to samba@samba.org should allow it to be fixed.
%I
The IP address of the client machine.
%T
the current date and time.
%D
Name of the domain or workgroup of the current user.
%$(envvar)
The value of the environment variable envvar.

The following substitutes apply only to some configuration options (only those that are used when a connection has been established):

%S
the name of the current service, if any.
%P
the root directory of the current service, if any.
%u
username of the current service, if any.
%g
primary group name of %u.
%H
the home directory of the user given by %u.
%N
the name of your NIS home directory server. This is obtained from your NIS auto.map entry. If you have not compiled Samba with the --with-automount option, this value will be the same as %L.
%p
the path of the service's home directory, obtained from your NIS auto.map entry. The NIS auto.map entry is split up as ``%N:%p''.

There are some quite creative things that can be done with these substitutions and other smb.conf options.

NAME MANGLING

Samba supports ``name mangling'' so that DOS and Windows clients can use files that don't conform to the 8.3 format. It can also be set to adjust the case of 8.3 format filenames.

There are several options that control the way mangling is performed, and they are grouped here rather than listed separately. For the defaults look at the output of the testparm program.

All of these options can be set separately for each service (or globally, of course).

The options are:

mangle case = yes/no
controls whether names that have characters that aren't of the ``default'' case are mangled. For example, if this is yes, a name like ``Mail'' will be mangled. Default no.
case sensitive = yes/no/auto
controls whether filenames are case sensitive. If they aren't, Samba must do a filename search and match on passed names. The default setting of auto allows clients that support case sensitive filenames (Linux CIFSVFS and smbclient 3.0.5 and above currently) to tell the Samba server on a per-packet basis that they wish to access the file system in a case-sensitive manner (to support UNIX case sensitive semantics). No Windows or DOS system supports case-sensitive filenames, so setting this option to auto is the same as setting it to no for them. Default auto.
default case = upper/lower
controls what the default case is for new filenames. Default lower.
preserve case = yes/no
controls whether new files are created with the case that the client passes, or if they are forced to be the ``default'' case. Default yes.
short preserve case = yes/no
controls if new files which conform to 8.3 syntax, that is all in upper case and of suitable length, are created upper case, or if they are forced to be the ``default'' case. This option can be used with ``preserve case = yes'' to permit long filenames to retain their case, while short names are lowercased. Default yes.

By default, Samba 3.0 has the same semantics as a Windows NT server, in that it is case insensitive but case preserving.

NOTE ABOUT USERNAME/PASSWORD VALIDATION

There are a number of ways in which a user can connect to a service. The server uses the following steps in determining if it will allow a connection to a specified service. If all the steps fail, the connection request is rejected. However, if one of the steps succeeds, the following steps are not checked.

If the service is marked ``guest only = yes'' and the server is running with share-level security (``security = share''), steps 1 to 5 are skipped.

1.
If the client has passed a username/password pair and that username/password pair is validated by the UNIX system's password programs, the connection is made as that username. This includes the \\server\service%username method of passing a username.
2.
If the client has previously registered a username with the system and now supplies a correct password for that username, the connection is allowed.
3.
The client's NetBIOS name and any previously used usernames are checked against the supplied password. If they match, the connection is allowed as the corresponding user.
4.
If the client has previously validated a username/password pair with the server and the client has passed the validation token, that username is used.
5.
If a ``user = '' field is given in the smb.conf file for the service and the client has supplied a password, and that password matches (according to the UNIX system's password checking) with one of the usernames from the ``user ='' field, the connection is made as the username in the ``user ='' line. If one of the usernames in the ``user ='' list begins with a ``@'', that name expands to a list of names in the group of the same name.
6.
If the service is a guest service, a connection is made as the username given in the ``guest account ='' for the service, irrespective of the supplied password.

EXPLANATION OF EACH PARAMETER

abort shutdown script (G)
This parameter only exists in the HEAD cvs branch. This is a full path name to a script called by smbd(8) that should stop a shutdown procedure issued by the shutdown script.

This command will be run as user.

Default: abort shutdown script =

Example: abort shutdown script = /sbin/shutdown -c

acl compatibility (S)
This parameter specifies what OS ACL semantics should be compatible with. Possible values are winnt for Windows NT 4, win2k for Windows 2000 and above, and auto. If you specify auto, the value for this parameter will be based upon the version of the client. There should be no reason to change this parameter from the default.

Default: acl compatibility = Auto

Example: acl compatibility = win2k

add group script (G)
This is the full pathname to a script that will be run AS ROOT by smbd(8) when a new group is requested. It will expand any %g to the group name passed. This script is only useful for installations using the Windows NT domain administration tools. The script is free to create a group with an arbitrary name to circumvent unix group name restrictions. In that case the script must print the numeric gid of the created group on stdout.

No default

add machine script (G)
This is the full pathname to a script that will be run by smbd(8) when a machine is added to its domain using the administrator username and password method.

This option is only required when using sam back-ends tied to the Unix uid method of RID calculation such as smbpasswd. This option is only available in Samba 3.0.

Default: add machine script =

Example: add machine script = /usr/sbin/adduser -n -g machines -c Machine -d /dev/null -s /bin/false %u

addprinter command (G)
With the introduction of MS-RPC based printing support for Windows NT/2000 clients in Samba 2.2, the MS Add Printer Wizard (APW) icon is now also available in the "Printers..." folder displayed in a share listing. The APW allows for printers to be added remotely to a Samba or Windows NT/2000 print server.

For a Samba host this means that the printer must be physically added to the underlying printing system. The add printer command defines a script to be run which will perform the necessary operations for adding the printer to the print system and to add the appropriate service definition to the smb.conf file in order that it can be shared by smbd(8).

The addprinter command is automatically invoked with the following parameters (in order):

* printer name
* share name
* port name
* driver name
* location
* Windows 9x driver location

All parameters are filled in from the PRINTER_INFO_2 structure sent by the Windows NT/2000 client with one exception. The "Windows 9x driver location" parameter is included for backwards compatibility only. The remaining fields in the structure are generated from answers to the APW questions.

Once the addprinter command has been executed, smbd will reparse the smb.conf to determine if the share defined by the APW exists. If the sharename is still invalid, then smbd will return an ACCESS_DENIED error to the client.

The "add printer command" program can output a single line of text, which Samba will set as the port the new printer is connected to. If this line isn't output, Samba won't reload its printer shares.

Default: addprinter command =

Example: addprinter command = /usr/bin/addprinter

add share command (G)
Samba 2.2.0 introduced the ability to dynamically add and delete shares via the Windows NT 4.0 Server Manager. The add share command is used to define an external program or script which will add a new service definition to smb.conf. In order to successfully execute the add share command, smbd requires that the administrator be connected using a root account (i.e. uid == 0).

When executed, smbd will automatically invoke the add share command with four parameters.

* configFile - the location of the global smb.conf file.
* shareName - the name of the new share.
* pathName - path to an **existing** directory on disk.
* comment - comment string to associate with the new share.

This parameter is only used for adding file shares. To add printer shares, see the addprinter command.

Default: add share command =

Example: add share command = /usr/local/bin/addshare

add user script (G)
This is the full pathname to a script that will be run AS ROOT by smbd(8) under special circumstances described below.

Normally, a Samba server requires that UNIX users are created for all users accessing files on this server. For sites that use Windows NT account databases as their primary user database, creating these users and keeping the user list in sync with the Windows NT PDC is an onerous task. This option allows smbd to create the required UNIX users ON DEMAND when a user accesses the Samba server.

In order to use this option, smbd(8) must NOT be set to security = share and add user script must be set to a full pathname for a script that will create a UNIX user given one argument of %u, which expands into the UNIX user name to create.

When the Windows user attempts to access the Samba server, at login (session setup in the SMB protocol) time, smbd(8) contacts the password server and attempts to authenticate the given user with the given password. If the authentication succeeds then smbd attempts to find a UNIX user in the UNIX password database to map the Windows user into. If this lookup fails, and add user script is set then smbd will call the specified script AS ROOT, expanding any %u argument to be the user name to create.

If this script successfully creates the user then smbd will continue on as though the UNIX user already existed. In this way, UNIX users are dynamically created to match existing Windows NT accounts.

See also security, password server, delete user script.

Default: add user script =

Example: add user script = /usr/local/samba/bin/add_user %u
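An added example, not Samba's own code, of an add user script for the procedure above: since smbd runs it AS ROOT with a name that originated from the Windows logon, the script validates the %u argument before calling useradd(8). The useradd and getent commands, /sbin/nologin, the 32-character limit and the allowed character set are assumptions.

```shell
#!/bin/sh
# Added example, not Samba's own code: an "add user script" configured as
#   add user script = /usr/local/samba/bin/add_user %u
# smbd runs it AS ROOT with the %u expansion, i.e. a name that came from a
# Windows logon, so the name is validated before useradd(8) ever sees it.
# Assumptions: Linux useradd(8) and getent(1); the 32-character limit, the
# allowed character set and /sbin/nologin are local policy choices.

# valid_unix_username NAME -> 0 if NAME is safe to hand to useradd, 1 otherwise
valid_unix_username() {
    name=$1
    [ -n "$name" ] && [ ${#name} -le 32 ] || return 1
    case $name in
        -*) return 1 ;;                          # would be parsed as a useradd option
        *[!A-Za-z0-9_.-]*) return 1 ;;           # no spaces, shell metacharacters, ':' or '/'
        .|..) return 1 ;;                        # would give a home directory of . or ..
        root|daemon|bin|sys|nobody) return 1 ;;  # never (re)create system accounts
    esac
    return 0
}

# user_exists NAME -> 0 if the UNIX password database already has NAME
user_exists() { getent passwd "$1" >/dev/null 2>&1; }

# create_user NAME -> creates a locked-down account; a non-zero result means
# smbd cannot continue the logon, which is the safe outcome
create_user() {
    name=$1
    valid_unix_username "$name" || { echo "add_user: refusing '$name'" >&2; return 1; }
    # smbd only calls this after its own lookup failed, but stay idempotent.
    user_exists "$name" && return 0
    useradd -m -s /sbin/nologin -c "Samba auto-created" "$name"
}

if [ $# -gt 0 ]; then
    create_user "$1"
    exit $?
fi
```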

add user to group script (G)
Full path to the script that will be called when a user is added to a group using the Windows NT domain administration tools. It will be run by smbd(8) AS ROOT. Any %g will be replaced with the group name and any %u will be replaced with the user name.

Default: add user to group script =

Example: add user to group script = /usr/sbin/adduser %u %g

admin users (S)
This is a list of users who will be granted administrative privileges on the share. This means that they will do all file operations as the super-user (root).

You should use this option very carefully, as any user in this list will be able to do anything they like on the share, irrespective of file permissions.

Default: admin users =

Example: admin users = jason

afs share (S)
This parameter controls whether special AFS features are enabled for this share. If enabled, it assumes that the directory exported via the path parameter is a local AFS import. The special AFS features include the attempt to hand-craft an AFS token if you enabled --with-fake-kaserver in configure.

Default: afs share = no

afs username map (G)
If you are using the fake kaserver AFS feature, you might want to hand-craft the usernames you are creating tokens for. For example this is necessary if you have users from several domains in your AFS Protection Database. One possible scheme is to code users as DOMAIN+User, as winbind does with the + as a separator.

The mapped user name must contain the cell name to log into, so without setting this parameter there will be no token.

Default: afs username map =

Example: afs username map = %u@afs.samba.org

algorithmic rid base (G)
This determines how Samba will use its algorithmic mapping from uids/gids to the RIDs needed to construct NT Security Identifiers.

Setting this option to a larger value could be useful to sites transitioning from WinNT and Win2k, as existing user and group rids would otherwise clash with system users etc.

All UIDs and GIDs must be able to be resolved into SIDs for the correct operation of ACLs on the server. As such the algorithmic mapping can't be 'turned off', but pushing it 'out of the way' should resolve the issues. Users and groups can then be assigned 'low' RIDs in arbitrary-rid supporting backends.

Default: algorithmic rid base = 1000

Example: algorithmic rid base = 100000

allow trusted domains (G)
This option only takes effect when the security option is set to server or domain. If it is set to no, then attempts to connect to a resource from a domain or workgroup other than the one which smbd is running in will fail, even if that domain is trusted by the remote server doing the authentication.

This is useful if you only want your Samba server to serve resources to users in the domain it is a member of. As an example, suppose that there are two domains DOMA and DOMB. DOMB is trusted by DOMA, which contains the Samba server. Under normal circumstances, a user with an account in DOMB can then access the resources of a UNIX account with the same account name on the Samba server even if they do not have an account in DOMA. This can make implementing a security boundary difficult.

Default: allow trusted domains = yes

announce as (G)
This specifies what type of server nmbd(8) will announce itself as, to a network neighborhood browse list. By default this is set to Windows NT. The valid options are : "NT Server" (which can also be written as "NT"), "NT Workstation", "Win95" or "WfW" meaning Windows NT Server, Windows NT Workstation, Windows 95 and Windows for Workgroups respectively. Do not change this parameter unless you have a specific need to stop Samba appearing as an NT server as this may prevent Samba servers from participating as browser servers correctly.

Default: announce as = NT Server

Example: announce as = Win95

announce version (G)
This specifies the major and minor version numbers that nmbd will use when announcing itself as a server. The default is 4.9. Do not change this parameter unless you have a specific need to set a Samba server to be a downlevel server.

Default: announce version = 4.9

Example: announce version = 2.0

auth methods (G)
This option allows the administrator to choose what authentication methods smbd will use when authenticating a user. This option defaults to sensible values based on security. This should be considered a developer option and used only in rare circumstances. In the majority (if not all) of production servers, the default setting should be adequate.

Each entry in the list attempts to authenticate the user in turn, until the user authenticates. In practice only one method will ever actually be able to complete the authentication.

Possible options include guest (anonymous access), sam (lookups in local list of accounts based on netbios name or domain name), winbind (relay authentication requests for remote users through winbindd), ntdomain (pre-winbindd method of authentication for remote domain users; deprecated in favour of winbind method), trustdomain (authenticate trusted users by contacting the remote DC directly from smbd; deprecated in favour of winbind method).

Default: auth methods =

Example: auth methods = guest sam winbind

available (S)
This parameter lets you "turn off" a service. If available = no, then ALL attempts to connect to the service will fail. Such failures are logged.

Default: available = yes

bind interfaces only (G)
This global parameter allows the Samba admin to limit what interfaces on a machine will serve SMB requests. It affects file service smbd(8) and name service nmbd(8) in slightly different ways.

For name service it causes nmbd to bind to ports 137 and 138 on the interfaces listed in the interfaces parameter. nmbd also binds to the "all addresses" interface (0.0.0.0) on ports 137 and 138 for the purposes of reading broadcast messages. If this option is not set then nmbd will service name requests on all of these sockets. If bind interfaces only is set then nmbd will check the source address of any packets coming in on the broadcast sockets and discard any that don't match the broadcast addresses of the interfaces in the interfaces parameter list. As unicast packets are received on the other sockets it allows nmbd to refuse to serve names to machines that send packets that arrive through any interfaces not listed in the interfaces list. IP source address spoofing does defeat this simple check, however, so it must not be relied on as a security feature for nmbd.

For file service it causes smbd(8) to bind only to the interface list given in the interfaces parameter. This restricts the networks that smbd will serve to packets coming in those interfaces. Note that you should not use this parameter for machines that are serving PPP or other intermittent or non-broadcast network interfaces as it will not cope with non-permanent interfaces.

If bind interfaces only is set then unless the network address 127.0.0.1 is added to the interfaces parameter list smbpasswd(8) and swat(8) may not work as expected due to the reasons covered below.

To change a user's SMB password, smbpasswd by default connects to the localhost (127.0.0.1) address as an SMB client to issue the password change request. If bind interfaces only is set then unless the network address 127.0.0.1 is added to the interfaces parameter list, smbpasswd will fail to connect in its default mode. smbpasswd can be forced to use the primary IP interface of the local host by using its smbpasswd(8) -r remote machine parameter, with remote machine set to the IP name of the primary interface of the local host.

The swat status page tries to connect with smbd and nmbd at the address 127.0.0.1 to determine if they are running. Not adding 127.0.0.1 will cause smbd and nmbd to always show "not running" even if they really are. This can prevent swat from starting/stopping/restarting smbd and nmbd.

Default: bind interfaces only = no

blocking locks (S)
This parameter controls the behavior of smbd(8) when given a request by a client to obtain a byte range lock on a region of an open file, and the request has a time limit associated with it.

If this parameter is set and the lock range requested cannot be immediately satisfied, samba will internally queue the lock request, and periodically attempt to obtain the lock until the timeout period expires.

If this parameter is set to no, then samba will behave as previous versions of Samba would and will fail the lock request immediately if the lock range cannot be obtained.

Default: blocking locks = yes

block size (S)
This parameter controls the behavior of smbd(8) when reporting disk free sizes. By default, this reports a disk block size of 1024 bytes.

Changing this parameter may have some effect on the efficiency of client writes, but this is not yet confirmed. This parameter was added to allow advanced administrators to change it (usually to a higher value) and test the effect it has on client write performance without re-compiling the code. As this is an experimental option it may be removed in a future release.

Changing this option does not change the disk free reporting size, just the block size unit reported to the client.

No default

browsable
This parameter is a synonym for browseable.
browseable (S)
This controls whether this share is seen in the list of available shares in a net view and in the browse list.

Default: browseable = yes

browse list (G)
This controls whether smbd(8) will serve a browse list to a client doing a NetServerEnum call. Normally set to yes. You should never need to change this.

Default: browse list = yes

casesignames
This parameter is a synonym for case sensitive.
case sensitive (S)
See the discussion in the section NAME MANGLING.

Default: case sensitive = no

change notify timeout (G)
This SMB request allows a client to tell a server to "watch" a particular directory for any changes and only reply to the SMB request when a change has occurred. Such constant scanning of a directory is expensive under UNIX, hence an smbd(8) daemon only performs such a scan on each requested directory once every change notify timeout seconds.

Default: change notify timeout = 60

Example: change notify timeout = 300 # Would change the scan time to every 5 minutes.

change share command (G)
Samba 2.2.0 introduced the ability to dynamically add and delete shares via the Windows NT 4.0 Server Manager. The change share command is used to define an external program or script which will modify an existing service definition in smb.conf. In order to successfully execute the change share command, smbd requires that the administrator be connected using a root account (i.e. uid == 0).

When executed, smbd will automatically invoke the change share command with four parameters.

* configFile - the location of the global smb.conf file.
* shareName - the name of the new share.
* pathName - path to an **existing** directory on disk.
* comment - comment string to associate with the new share.

This parameter is only used to modify existing file share definitions. To modify printer shares, use the "Printers..." folder as seen when browsing the Samba host.

Default: change share command =

Example: change share command = /usr/local/bin/addshare

client lanman auth (G)
This parameter determines whether or not smbclient(8) and other Samba client tools will attempt to authenticate themselves to servers using the weaker LANMAN password hash. If disabled, only servers which support NT password hashes (e.g. Windows NT/2000, Samba, etc., but not Windows 95/98) can be connected to from the Samba client.

The LANMAN encrypted response is easily broken, due to its case-insensitive nature and the choice of algorithm. Clients that do not need to talk to Windows 95/98 servers are advised to disable this option.

Disabling this option will also disable the client plaintext auth option.

Likewise, if the client ntlmv2 auth parameter is enabled, then only NTLMv2 logins will be attempted.

Default: client lanman auth = yes

client ntlmv2 auth (G)
This parameter determines whether or not smbclient(8) will attempt to authenticate itself to servers using the NTLMv2 encrypted password response.

If enabled, only an NTLMv2 and LMv2 response (both much more secure than earlier versions) will be sent. Many servers (including NT4 < SP4, Win9x and Samba 2.2) are not compatible with NTLMv2.

Similarly, if enabled, NTLMv1, client lanman auth and client plaintext auth authentication will be disabled. This also disables share-level authentication.

If disabled, an NTLM response (and possibly a LANMAN response) will be sent by the client, depending on the value of client lanman auth.

Note that some sites (particularly those following 'best practice' security polices) only allow NTLMv2 responses, and not the weaker LM or NTLM.

Default: client ntlmv2 auth = no

client plaintext auth (G)
Specifies whether a client should send a plaintext password if the server does not support encrypted passwords.

Default: client plaintext auth = yes

client schannel (G)
This controls whether the client offers or even demands the use of the netlogon schannel. client schannel = no does not offer the schannel, client schannel = auto offers the schannel but does not enforce it, and client schannel = yes denies access if the server is not able to speak netlogon schannel.

Default: client schannel = auto

Example: client schannel = yes

client signing (G)
This controls whether the client offers or requires the server it talks to to use SMB signing. Possible values are auto, mandatory and disabled.

When set to auto, SMB signing is offered, but not enforced. When set to mandatory, SMB signing is required and if set to disabled, SMB signing is not offered either.

Default: client signing = auto
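As an added example, not Samba's own code, the following script reads the [global] section of an smb.conf and reports which of client lanman auth, client plaintext auth, client ntlmv2 auth and client signing are still at a weak value, applying the documented defaults when a parameter is absent. It parses by the FILE FORMAT rules (case-insensitive names, only the first '=' counts, ';' and '#' comment lines); the sample configurations it writes are constructed.

```shell
#!/bin/sh
# Added example, not Samba's own code: audit the [global] section of an
# smb.conf for the client-side authentication settings and report which
# ones are still weak. Assumes POSIX sh and awk; the defaults used are the
# documented ones (client lanman auth = yes, client plaintext auth = yes,
# client ntlmv2 auth = no, client signing = auto).

# global_param CONFIG NAME -> prints the last value of NAME set in [global]
# (names are case-insensitive and ignore whitespace; ';' and '#' lines are skipped)
global_param() {
    awk -v want="$2" '
        function norm(s) { gsub(/[ \t]+/, "", s); return tolower(s) }
        /^[ \t]*[;#]/ { next }
        /^[ \t]*\[/ { s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s)
                      inglobal = (norm(s) == "global"); next }
        inglobal && index($0, "=") {
            i = index($0, "=")                        # only the first "=" matters
            if (norm(substr($0, 1, i - 1)) == norm(want)) value = substr($0, i + 1)
        }
        END { gsub(/^[ \t]+|[ \t]+$/, "", value); print value }' "$1"
}

# norm_value VALUE -> lower case, with the boolean spellings folded to yes/no
norm_value() {
    v=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case $v in 1|true) v=yes ;; 0|false) v=no ;; esac
    printf '%s' "$v"
}

# check_setting CONFIG NAME DEFAULT WANTED REASON -> prints one OK/WEAK line,
# returns 1 when the effective value is not the wanted one
check_setting() {
    v=$(global_param "$1" "$2")
    [ -n "$v" ] || v=$3                     # parameter absent: the default applies
    v=$(norm_value "$v")
    if [ "$v" = "$4" ]; then
        printf 'OK   %s = %s\n' "$2" "$v"
    else
        printf 'WEAK %s = %s (%s)\n' "$2" "$v" "$5"
        return 1
    fi
}

# audit_client_auth CONFIG -> one line per setting; returns 1 if anything is weak
audit_client_auth() {
    rc=0
    check_setting "$1" 'client lanman auth'    yes  no        'LANMAN response is easily broken' || rc=1
    check_setting "$1" 'client plaintext auth' yes  no        'password may be sent in clear'    || rc=1
    check_setting "$1" 'client ntlmv2 auth'    no   yes       'NTLMv1/LM responses still sent'   || rc=1
    check_setting "$1" 'client signing'        auto mandatory 'signing offered but not enforced' || rc=1
    return $rc
}

# write_sample_config FILE WEAK|HARDENED -> constructed sample smb.conf fragments;
# the WEAK one also shows that a value inside a share section is not global
write_sample_config() {
    if [ "$2" = WEAK ]; then
        printf '[global]\n   workgroup = EXAMPLE\n   Client NTLMv2 Auth = No\n   client signing = auto\n   ; client lanman auth is left at its default\n[homes]\n   client signing = mandatory\n' > "$1"
    else
        printf '[global]\n   workgroup = EXAMPLE\n   client lanman auth = no\n   client plaintext auth = no\n   client ntlmv2 auth = true\n   client signing = mandatory\n' > "$1"
    fi
}

if [ $# -gt 0 ]; then
    audit_client_auth "$1"
    exit $?
fi
```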

client use spnego (G)
This variable controls whether Samba clients will try to use Simple and Protected NEGOciation (as specified by RFC 2478) with Windows XP and Windows 2000 servers to agree upon an authentication mechanism. SPNEGO client support for SMB Signing is currently broken, so you might want to turn this option off when operating with Windows 2003 domain controllers in particular.

Default: client use spnego = yes

comment (S)
This is a text field that is seen next to a share when a client queries the server, either via the network neighborhood or via net view to list what shares are available.

If you want to set the string that is displayed next to the machine name then see the server string parameter.

Default: comment = # No comment

Example: comment = Fred's Files

config file (G)
This allows you to override the config file to use, instead of the default (usually smb.conf). There is a chicken and egg problem here as this option is set in the config file!

For this reason, if the name of the config file has changed when the parameters are loaded then it will reload them from the new config file.

This option takes the usual substitutions, which can be very useful.

If the config file doesn't exist then it won't be loaded (allowing you to special case the config files of just a few clients).

No default

Example: config file = /usr/local/samba/lib/smb.conf.%m

copy (S)
This parameter allows you to "clone" service entries. The specified service is simply duplicated under the current service's name. Any parameters specified in the current section will override those in the section being copied.

This feature lets you set up a 'template' service and create similar services easily. Note that the service being copied must occur earlier in the configuration file than the service doing the copying.

Default: copy =

Example: copy = otherservice

create mode
This parameter is a synonym for create mask.
create mask (S)
When a file is created, the necessary permissions are calculated according to the mapping from DOS modes to UNIX permissions, and the resulting UNIX mode is then bit-wise 'AND'ed with this parameter. This parameter may be thought of as a bit-wise MASK for the UNIX modes of a file. Any bit not set here will be removed from the modes set on a file when it is created.

The default value of this parameter removes the 'group' and 'other' write and execute bits from the UNIX modes.

Following this Samba will bit-wise 'OR' the UNIX mode created from this parameter with the value of the force create mode parameter which is set to 000 by default.

This parameter does not affect directory modes. See the parameter directory mode for details.

Note that this parameter does not apply to permissions set by Windows NT/2000 ACL editors. If the administrator wishes to enforce a mask on access control lists also, they need to set the security mask.

Default: create mask = 0744

Example: create mask = 0775

csc policy (S)
This stands for client-side caching policy, and specifies how clients capable of offline caching will cache the files in the share. The valid values are: manual, documents, programs, disable.

These values correspond to those used on Windows servers.

For example, shares containing roaming profiles can have offline caching disabled using csc policy = disable.

Default: csc policy = manual

Example: csc policy = programs

cups options (S)
This parameter is only applicable if printing is set to cups. Its value is a free form string of options passed directly to the cups library.

You can pass any generic print option known to CUPS (as listed in the CUPS "Software Users' Manual"). You can also pass any printer specific option (as listed in "lpoptions -d printername -l") valid for the target queue.

You should set this parameter to raw if your CUPS server error_log file contains messages such as "Unsupported format 'application/octet-stream'" when printing from a Windows client through Samba. It is no longer necessary to enable system wide raw printing in /etc/cups/mime.{convs,types}.

Default: cups options = ""

Example: cups options = "raw,media=a4,job-sheets=secret,secret"

cups server (G)
This parameter is only applicable if printing is set to cups.

If set, this option overrides the ServerName option in the CUPS client.conf. This is necessary if you have virtual samba servers that connect to different CUPS daemons.

Default: cups server = ""

Example: cups server = MYCUPSSERVER

deadtime (G)
The value of the parameter (a decimal integer) represents the number of minutes of inactivity before a connection is considered dead, and it is disconnected. The deadtime only takes effect if the number of open files is zero.

This is useful to stop a server's resources being exhausted by a large number of inactive connections.

Most clients have an auto-reconnect feature when a connection is broken so in most cases this parameter should be transparent to users.

Using this parameter with a timeout of a few minutes is recommended for most systems.

A deadtime of zero indicates that no auto-disconnection should be performed.

Default: deadtime = 0

Example: deadtime = 15

debug hires timestamp (G)
Sometimes the timestamps in the log messages are needed with a resolution higher than seconds; this boolean parameter adds microsecond resolution to the timestamp message header when turned on.

Note that the parameter debug timestamp must be on for this to have an effect.

Default: debug hires timestamp = no

debug pid (G)
When using only one log file for more than one forked smbd(8) process it may be hard to follow which process outputs which message. This boolean parameter adds the process-id to the timestamp message headers in the logfile when turned on.

Note that the parameter debug timestamp must be on for this to have an effect.

Default: debug pid = no

timestamp logs
This parameter is a synonym for debug timestamp.
debug timestamp (G)
Samba debug log messages are timestamped by default. If you are running at a high debug level these timestamps can be distracting. This boolean parameter allows timestamping to be turned off.

Default: debug timestamp = yes

debug uid (G)
Samba is sometimes run as root and sometimes run as the connected user; this boolean parameter inserts the current euid, egid, uid and gid into the timestamp message headers in the log file if turned on.

Note that the parameter debug timestamp must be on for this to have an effect.

Default: debug uid = no

default case (S)
See the section on NAME MANGLING. Also note the short preserve case parameter.

Default: default case = lower

default devmode (S)
This parameter is only applicable to printable services. When smbd is serving Printer Drivers to Windows NT/2k/XP clients, each printer on the Samba server has a Device Mode which defines things such as paper size and orientation and duplex settings. The device mode can only correctly be generated by the printer driver itself (which can only be executed on a Win32 platform). Because smbd is unable to execute the driver code to generate the device mode, the default behavior is to set this field to NULL.

Most problems with serving printer drivers to Windows NT/2k/XP clients can be traced to a problem with the generated device mode. Certain drivers will do things such as crashing the client's Explorer.exe with a NULL devmode. However, other printer drivers can cause the client's spooler service (spoolsv.exe) to die if the devmode was not created by the driver itself (i.e. smbd generates a default devmode).

This parameter should be used with care and tested with the printer driver in question. It is better to leave the device mode to NULL and let the Windows client set the correct values. Because drivers do not do this all the time, setting default devmode = yes will instruct smbd to generate a default one.

For more information on Windows NT/2k printing and Device Modes, see the MSDN documentation.

Default: default devmode = no

default
This parameter is a synonym for default service.
default service (G)
This parameter specifies the name of a service which will be connected to if the service actually requested cannot be found. Note that the square brackets are NOT given in the parameter value (see example below).

There is no default value for this parameter. If this parameter is not given, attempting to connect to a nonexistent service results in an error.

Typically the default service would be a guest ok, read-only service.

Also note that the apparent service name will be changed to equal that of the requested service; this is very useful as it allows you to use macros like %S to make a wildcard service.

Note also that any "_" characters in the name of the service used in the default service will get mapped to a "/". This allows for interesting things.

Default: default service =

Example: default service = pub

delete group script (G)
This is the full pathname to a script that will be run AS ROOT by smbd(8) when a group is requested to be deleted. It will expand any %g to the group name passed. This script is only useful for installations using the Windows NT domain administration tools.

Default: delete group script =

deleteprinter command (G)
With the introduction of MS-RPC based printer support for Windows NT/2000 clients in Samba 2.2, it is now possible to delete a printer at run time by issuing the DeletePrinter() RPC call.

For a Samba host this means that the printer must be physically deleted from the underlying printing system. The deleteprinter command defines a script to be run which will perform the necessary operations for removing the printer from the print system and from smb.conf.

The deleteprinter command is automatically called with only one parameter: "printer name".

Once the deleteprinter command has been executed, smbd will reparse smb.conf to verify that the associated printer no longer exists. If the sharename is still valid, then smbd will return an ACCESS_DENIED error to the client.

Default: deleteprinter command =

Example: deleteprinter command = /usr/bin/removeprinter

delete readonly (S)
This parameter allows readonly files to be deleted. This is not normal DOS semantics, but is allowed by UNIX.

This option may be useful for running applications such as rcs, where UNIX file ownership prevents changing file permissions, and DOS semantics prevent deletion of a read only file.

Default: delete readonly = no

delete share command (G)
Samba 2.2.0 introduced the ability to dynamically add and delete shares via the Windows NT 4.0 Server Manager. The delete share command is used to define an external program or script which will remove an existing service definition from smb.conf. In order to successfully execute the delete share command, smbd requires that the administrator be connected using a root account (i.e. uid == 0).

When executed, smbd will automatically invoke the delete share command with two parameters.

* configFile - the location of the global smb.conf file.
* shareName - the name of the existing service.

This parameter is only used to remove file shares. To delete printer shares, see the deleteprinter command.

Default: delete share command =

Example: delete share command = /usr/local/bin/delshare

delete user from group script (G)
Full path to the script that will be called when a user is removed from a group using the Windows NT domain administration tools. It will be run by smbd(8) AS ROOT. Any %g will be replaced with the group name and any %u will be replaced with the user name.

Default: delete user from group script =

Example: delete user from group script = /usr/sbin/deluser %u %g

delete user script (G)
This is the full pathname to a script that will be run by smbd(8) when managing users with remote RPC (NT) tools.

This script is called when a remote client removes a user from the server, normally using 'User Manager for Domains' or rpcclient.

This script should delete the given UNIX username.

Default: delete user script =

Example: delete user script = /usr/local/samba/bin/del_user %u

delete veto files (S)
This option is used when Samba is attempting to delete a directory that contains one or more vetoed directories (see the veto files option). If this option is set to no (the default) then if a vetoed directory contains any non-vetoed files or directories then the directory delete will fail. This is usually what you want.

If this option is set to yes, then Samba will attempt to recursively delete any files and directories within the vetoed directory. This can be useful for integration with file serving systems such as NetAtalk which create meta-files within directories you might normally veto DOS/Windows users from seeing (e.g. .AppleDouble).

Setting delete veto files = yes allows these directories to be transparently deleted when the parent directory is deleted (so long as the user has permissions to do so).

Default: delete veto files = no

dfree command (G)
The dfree command setting should only be used on systems where a problem occurs with the internal disk space calculations. This has been known to happen with Ultrix, but may occur with other operating systems. The symptom that was seen was an error of "Abort Retry Ignore" at the end of each directory listing.

This setting allows the replacement of the internal routines to calculate the total disk space and amount available with an external routine. The example below gives a possible script that might fulfill this function.

The external program will be passed a single parameter indicating a directory in the filesystem being queried. This will typically consist of the string ./. The script should return two integers in ASCII. The first should be the total disk space in blocks, and the second should be the number of available blocks. An optional third return value can give the block size in bytes. The default blocksize is 1024 bytes.

Note: Your script should NOT be setuid or setgid and should be owned by (and writeable only by) root!

Where the script dfree (which must be made executable) could be:

#!/bin/sh
# Print total blocks and available blocks for the directory given as $1
df "$1" | tail -1 | awk '{print $2" "$4}'

or perhaps (on Sys V based systems):

#!/bin/sh
# Same idea for Sys V style df -k output, where the totals sit in columns 3 and 5
/usr/bin/df -k "$1" | tail -1 | awk '{print $3" "$5}'

Note that you may have to replace the command names with full path names on some systems.

Default: dfree command = # By default internal routines for determining the disk capacity and remaining space will be used.

Example: dfree command = /usr/local/samba/bin/dfree

directory mode
This parameter is a synonym for directory mask.
directory mask (S)
This parameter is the octal modes which are used when converting DOS modes to UNIX modes when creating UNIX directories.

When a directory is created, the necessary permissions are calculated according to the mapping from DOS modes to UNIX permissions, and the resulting UNIX mode is then bit-wise 'AND'ed with this parameter. This parameter may be thought of as a bit-wise MASK for the UNIX modes of a directory. Any bit not set here will be removed from the modes set on a directory when it is created.

The default value of this parameter removes the 'group' and 'other' write bits from the UNIX mode, allowing only the user who owns the directory to modify it.

Following this Samba will bit-wise 'OR' the UNIX mode created from this parameter with the value of the force directory mode parameter. This parameter is set to 000 by default (i.e. no extra mode bits are added).

Note that this parameter does not apply to permissions set by Windows NT/2000 ACL editors. If the administrator wishes to enforce a mask on access control lists also, they need to set the directory security mask.

Default: directory mask = 0755

Example: directory mask = 0775

directory security mask (S)
This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating the UNIX permission on a directory using the native NT security dialog box.

This parameter is applied as a mask (AND'ed with) to the changed permission bits, thus preventing any bits not in this mask from being modified. Essentially, zero bits in this mask may be treated as a set of bits the user is not allowed to change.

If not set explicitly this parameter is set to 0777 meaning a user is allowed to modify all the user/group/world permissions on a directory.

Note that users who can access the Samba server through other means can easily bypass this restriction, so it is primarily useful for standalone "appliance" systems. Administrators of most normal systems will probably want to leave it as the default of 0777.

Default: directory security mask = 0777

Example: directory security mask = 0700

disable netbios (G)
Enabling this parameter will disable NetBIOS support in Samba. NetBIOS is the only available form of browsing in all Windows versions except for 2000 and XP.

Note: Clients that only support NetBIOS won't be able to see your Samba server when NetBIOS support is disabled.

Default: disable netbios = no

disable spoolss (G)
Enabling this parameter will disable Samba's support for the SPOOLSS set of MS-RPCs and will yield identical behavior to Samba 2.0.x. Windows NT/2000 clients will downgrade to using Lanman style printing commands. Windows 9x/ME will be unaffected by the parameter. However, this will also disable the ability to upload printer drivers to a Samba server via the Windows NT Add Printer Wizard or by using the NT printer properties dialog window. It will also disable the capability of Windows NT/2000 clients to download print drivers from the Samba host upon demand. Be very careful about enabling this parameter.

Default: disable spoolss = no

display charset (G)
Specifies the charset that samba will use to print messages to stdout and stderr and SWAT will use. Should generally be the same as the unix charset.

Default: display charset = ASCII

Example: display charset = UTF8

dns proxy (G)
Specifies that nmbd(8) when acting as a WINS server and finding that a NetBIOS name has not been registered, should treat the NetBIOS name word-for-word as a DNS name and do a lookup with the DNS server for that name on behalf of the name-querying client.

Note that the maximum length for a NetBIOS name is 15 characters, so the DNS name (or DNS alias) can likewise only be 15 characters, maximum.

nmbd spawns a second copy of itself to do the DNS name lookup requests, as doing a name lookup is a blocking action.

Default: dns proxy = yes

domain logons (G)
If set to yes, the Samba server will serve Windows 95/98 Domain logons for the workgroup it is in. Samba 2.2 has limited capability to act as a domain controller for Windows NT 4 Domains. For more details on setting up this feature see the PDC chapter of the Samba HOWTO Collection.

Default: domain logons = no

domain master (G)
Tell smbd(8) to enable WAN-wide browse list collation. Setting this option causes nmbd to claim a special domain specific NetBIOS name that identifies it as a domain master browser for its given workgroup. Local master browsers in the same workgroup on broadcast-isolated subnets will give this nmbd their local browse lists, and then ask smbd(8) for a complete copy of the browse list for the whole wide area network. Browser clients will then contact their local master browser, and will receive the domain-wide browse list, instead of just the list for their broadcast-isolated subnet.

Note that Windows NT Primary Domain Controllers expect to be able to claim this workgroup specific special NetBIOS name that identifies them as domain master browsers for that workgroup by default (i.e. there is no way to prevent a Windows NT PDC from attempting to do this). This means that if this parameter is set and nmbd claims the special name for a workgroup before a Windows NT PDC is able to do so then cross subnet browsing will behave strangely and may fail.

If domain logons = yes, then the default behavior is to enable the domain master parameter. If domain logons is not enabled (the default setting), then neither will domain master be enabled by default.

Default: domain master = auto

dont descend (S)
There are certain directories on some systems (e.g., the /proc tree under Linux) that are either not of interest to clients or are infinitely deep (recursive). This parameter allows you to specify a comma-delimited list of directories that the server should always show as empty.

Note that Samba can be very fussy about the exact format of the "dont descend" entries. For example you may need ./proc instead of just /proc. Experimentation is the best policy :-)

Default: dont descend =

Example: dont descend = /proc,/dev

dos charset (G)
DOS SMB clients assume the server has the same charset as they do. This option specifies which charset Samba should talk to DOS clients.

The default depends on which charsets you have installed. Samba tries to use charset 850 but falls back to ASCII in case it is not available. Run testparm(1) to check the default on your system.

No default

dos filemode (S)
The default behavior in Samba is to provide UNIX-like behavior where only the owner of a file/directory is able to change the permissions on it. However, this behavior is often confusing to DOS/Windows users. Enabling this parameter allows a user who has write access to the file (by whatever means) to modify the permissions on it. Note that a user belonging to the group owning the file will not be allowed to change permissions if the group is only granted read access. Ownership of the file/directory is not changed, only the permissions are modified.

Default: dos filemode = no

dos filetime resolution (S)
Under the DOS and Windows FAT filesystem, the finest granularity on time resolution is two seconds. Setting this parameter for a share causes Samba to round the reported time down to the nearest two second boundary when a query call that requires one second resolution is made to smbd(8).

This option is mainly used as a compatibility option for Visual C++ when used against Samba shares. If oplocks are enabled on a share, Visual C++ uses two different time reading calls to check if a file has changed since it was last read. One of these calls uses a one-second granularity, the other uses a two second granularity. As the two second call rounds any odd second down, then if the file has a timestamp of an odd number of seconds then the two timestamps will not match and Visual C++ will keep reporting the file has changed. Setting this option causes the two timestamps to match, and Visual C++ is happy.

Default: dos filetime resolution = no

dos filetimes (S)
Under DOS and Windows, if a user can write to a file they can change the timestamp on it. Under POSIX semantics, only the owner of the file or root may change the timestamp. By default, Samba runs with POSIX semantics and refuses to change the timestamp on a file if the user smbd is acting on behalf of is not the file owner. Setting this option to yes allows DOS semantics and smbd(8) will change the file timestamp as DOS requires.

Default: dos filetimes = no

ea support (S)
This boolean parameter controls whether smbd(8) will allow clients to attempt to store OS/2 style Extended attributes on a share. In order to enable this parameter the underlying filesystem exported by the share must support extended attributes (such as provided on XFS and EXT3 on Linux, with the correct kernel patches). On Linux the filesystem must have been mounted with the mount option user_xattr in order for extended attributes to work, also extended attributes must be compiled into the Linux kernel.

Default: ea support = no

enable rid algorithm (G)
This option is used to control whether or not smbd in Samba 3.0 should fallback to the algorithm used by Samba 2.2 to generate user and group RIDs. The longterm development goal is to remove the algorithmic mappings of RIDs altogether, but this has proved to be difficult. This parameter is mainly provided so that developers can turn the algorithm on and off and see what breaks. This parameter should not be disabled by non-developers because certain features in Samba will fail to work without it.

Default: enable rid algorithm = yes

encrypt passwords (G)
This boolean controls whether encrypted passwords will be negotiated with the client. Note that Windows NT 4.0 SP3 and above and also Windows 98 will by default expect encrypted passwords unless a registry entry is changed. To use encrypted passwords in Samba see the chapter "User Database" in the Samba HOWTO Collection.

In order for encrypted passwords to work correctly smbd(8) must either have access to a local smbpasswd(5) file (see the smbpasswd(8) program for information on how to set up and maintain this file), or set the security = [server|domain|ads] parameter which causes smbd to authenticate against another server.

Default: encrypt passwords = yes

enhanced browsing (G)
This option enables a couple of enhancements to cross-subnet browse propagation that have been added in Samba but which are not standard in Microsoft implementations.

The first enhancement to browse propagation consists of a regular wildcard query to a Samba WINS server for all Domain Master Browsers, followed by a browse synchronization with each of the returned DMBs. The second enhancement consists of a regular randomised browse synchronization with all currently known DMBs.

You may wish to disable this option if you have a problem with empty workgroups not disappearing from browse lists. Due to the restrictions of the browse protocols these enhancements can cause an empty workgroup to stay around forever which can be annoying.

In general you should leave this option enabled as it makes cross-subnet browse propagation much more reliable.

Default: enhanced browsing = yes

enumports command (G)
The concept of a "port" is fairly foreign to UNIX hosts. Under Windows NT/2000 print servers, a port is associated with a port monitor and generally takes the form of a local port (i.e. LPT1:, COM1:, FILE:) or a remote port (i.e. LPD Port Monitor, etc...). By default, Samba has only one port defined--"Samba Printer Port". Under Windows NT/2000, all printers must have a valid port name. If you wish to have a list of ports displayed (smbd does not use a port name for anything) other than the default "Samba Printer Port", you can define enumports command to point to a program which should generate a list of ports, one per line, to standard output. This listing will then be used in response to the level 1 and 2 EnumPorts() RPC.

Default: enumports command =

Example: enumports command = /usr/bin/listports

fake directory create times (S)
NTFS and Windows VFAT file systems keep a create time for all files and directories. This is not the same as the ctime - status change time - that Unix keeps, so Samba by default reports the earliest of the various times Unix does keep. Setting this parameter for a share causes Samba to always report midnight 1-1-1980 as the create time for directories.

This option is mainly used as a compatibility option for Visual C++ when used against Samba shares. Visual C++ generated makefiles have the object directory as a dependency for each object file, and a make rule to create the directory. Also, when NMAKE compares timestamps it uses the creation time when examining a directory. Thus the object directory will be created if it does not exist, but once it does exist it will always have an earlier timestamp than the object files it contains.

However, Unix time semantics mean that the create time reported by Samba will be updated whenever a file is created or deleted in the directory. NMAKE finds all object files in the object directory. The timestamp of the last one built is then compared to the timestamp of the object directory. If the directory's timestamp is newer, then all object files will be rebuilt. Enabling this option ensures directories always predate their contents and an NMAKE build will proceed as expected.

Default: fake directory create times = no

fake oplocks (S)
Oplocks are the way that SMB clients get permission from a server to locally cache file operations. If a server grants an oplock (opportunistic lock) then the client is free to assume that it is the only one accessing the file and it will aggressively cache file data. With some oplock types the client may even cache file open/close operations. This can give enormous performance benefits.

When you set fake oplocks = yes, smbd(8) will always grant oplock requests no matter how many clients are using the file.

It is generally much better to use the real oplocks support rather than this parameter.

If you enable this option on all read-only shares or shares that you know will only be accessed from one client at a time such as physically read-only media like CDROMs, you will see a big performance improvement on many operations. If you enable this option on shares where multiple clients may be accessing the files read-write at the same time you can get data corruption. Use this option carefully!

Default: fake oplocks = no

follow symlinks (S)
This parameter allows the Samba administrator to stop smbd(8) from following symbolic links in a particular share. Setting this parameter to no prevents any file or directory that is a symbolic link from being followed (the user will get an error). This option is very useful to stop users from adding a symbolic link to /etc/passwd in their home directory for instance. However it will slow filename lookups down slightly.

This option is enabled (i.e. smbd will follow symbolic links) by default.

Default: follow symlinks = yes
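The /etc/passwd case above is easy to audit before deciding whether a share can keep follow symlinks = yes. The script below, an added example and not part of Samba, walks a share root and reports every symbolic link whose resolved target lies outside that root; those are the links smbd would follow on the client's behalf. The sample tree it builds under a temporary directory is constructed for the demonstration. An audit only finds links that already exist; a user can add one a minute later, which is why the parameter exists.

```python
"""Report symlinks under a share root that resolve outside it (added example)."""
import os
import tempfile


def escaping_symlinks(share_root):
    """Return sorted (relative link path, resolved target) pairs for every
    symlink below share_root whose target is not inside share_root."""
    root = os.path.realpath(share_root)
    found = []
    # followlinks=False: never descend into a linked directory, just report it.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for entry in dirnames + filenames:
            path = os.path.join(dirpath, entry)
            if not os.path.islink(path):
                continue
            target = os.path.realpath(path)
            if os.path.commonpath([root, target]) != root:
                found.append((os.path.relpath(path, root), target))
    return sorted(found)


def build_demo_share():
    """Constructed sample home directory: one harmless link, two that escape."""
    home = tempfile.mkdtemp(prefix="smb-home-")
    os.makedirs(os.path.join(home, "docs"))
    with open(os.path.join(home, "docs", "notes.txt"), "w") as fh:
        fh.write("hello\n")
    os.symlink("docs/notes.txt", os.path.join(home, "notes-link"))  # stays inside
    os.symlink("/etc/passwd", os.path.join(home, "passwd"))         # escapes
    os.symlink("../../..", os.path.join(home, "docs", "up"))        # escapes via ..
    return home


if __name__ == "__main__":
    share = build_demo_share()
    for link, target in escaping_symlinks(share):
        print(f"{link} -> {target}")
```

Run it against the real path of each share (or each directory under the [homes] base) and treat any line of output as a reason to set follow symlinks = no on that share.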

force create mode (S)
This parameter specifies a set of UNIX mode bit permissions that will always be set on a file created by Samba. This is done by bitwise 'OR'ing these bits onto the mode bits of a file that is being created or having its permissions changed. The default for this parameter is (in octal) 000. The modes in this parameter are bitwise 'OR'ed onto the file mode after the mask set in the create mask parameter is applied.

The example below would force all created files to have read and execute permissions set for 'group' and 'other' as well as the read/write/execute bits set for the 'user'.

Default: force create mode = 000

Example: force create mode = 0755

force directory mode (S)
This parameter specifies a set of UNIX mode bit permissions that will always be set on a directory created by Samba. This is done by bitwise 'OR'ing these bits onto the mode bits of a directory that is being created. The default for this parameter is (in octal) 0000 which will not add any extra permission bits to a created directory. This operation is done after the mode mask in the parameter directory mask is applied.

The example below would force all created directories to have read and execute permissions set for 'group' and 'other' as well as the read/write/execute bits set for the 'user'.

Default: force directory mode = 000

Example: force directory mode = 0755

force directory security mode (S)
This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating the UNIX permission on a directory using the native NT security dialog box.

This parameter is applied as a mask (OR'ed with) to the changed permission bits, thus forcing any bits in this mask that the user may have modified to be on. Essentially, one bits in this mask may be treated as a set of bits that, when modifying security on a directory, the user has always set to be 'on'.

If not set explicitly this parameter is 000, which allows a user to modify all the user/group/world permissions on a directory without restrictions.

Note

Users who can access the Samba server through other means can easily bypass this restriction, so it is primarily useful for standalone "appliance" systems. Administrators of most normal systems will probably want to leave it set as 0000.

Default: force directory security mode = 0

Example: force directory security mode = 700

group
This parameter is a synonym for force group.
force group (S)
This specifies a UNIX group name that will be assigned as the default primary group for all users connecting to this service. This is useful for sharing files by ensuring that all access to files on service will use the named group for their permissions checking. Thus, by assigning permissions for this group to the files and directories within this service the Samba administrator can restrict or allow sharing of these files.

In Samba 2.0.5 and above this parameter has extended functionality in the following way. If the group name listed here has a '+' character prepended to it then the current user accessing the share only has the primary group default assigned to this group if they are already assigned as a member of that group. This allows an administrator to decide that only users who are already in a particular group will create files with group ownership set to that group. This gives a finer granularity of ownership assignment. For example, the setting force group = +sys means that only users who are already in group sys will have their default primary group assigned to sys when accessing this Samba share. All other users will retain their ordinary primary group.

If the force user parameter is also set the group specified in force group will override the primary group set in force user.

Default: force group =

Example: force group = agroup

force security mode (S)
This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating the UNIX permission on a file using the native NT security dialog box.

This parameter is applied as a mask (OR'ed with) to the changed permission bits, thus forcing any bits in this mask that the user may have modified to be on. Essentially, one bits in this mask may be treated as a set of bits that, when modifying security on a file, the user has always set to be 'on'.

If not set explicitly this parameter is set to 0, and allows a user to modify all the user/group/world permissions on a file, with no restrictions.

Note that users who can access the Samba server through other means can easily bypass this restriction, so it is primarily useful for standalone "appliance" systems. Administrators of most normal systems will probably want to leave this set to 0000.

Default: force security mode = 0

Example: force security mode = 700
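The mask and force parameters (create mask / force create mode, directory mask / force directory mode, directory security mask / force directory security mode and the file-level security mask / force security mode) are easiest to reason about as one pipeline: the mask is AND'ed first, then the forced bits are OR'ed on, in the order the text gives. The model below is an added example, not Samba's own code. It assumes the 0666 (file) and 0777 (directory) starting modes and the Samba 3.x defaults (create mask 0744, directory mask 0755, security masks 0777, forced modes 0); the smb.conf keys are used as dictionary keys so a share definition can be checked directly.

```python
"""Model of how the smb.conf mode masks and forced modes combine (added example)."""
import stat

FILE_BASE = 0o666   # mode a new file starts from before masking (assumption of this model)
DIR_BASE = 0o777    # likewise for a new directory

DEFAULTS = {
    "create mask": 0o744, "force create mode": 0o000,
    "directory mask": 0o755, "force directory mode": 0o000,
    "security mask": 0o777, "force security mode": 0o000,
    "directory security mask": 0o777, "force directory security mode": 0o000,
}


def mask_then_force(wanted, mask, force):
    """The ordering the man page gives: AND with the mask, then OR the forced bits."""
    return ((wanted & mask) | force) & 0o7777


def new_file_mode(conf):
    """UNIX mode of a file created through the share described by conf."""
    c = {**DEFAULTS, **conf}
    return mask_then_force(FILE_BASE, c["create mask"], c["force create mode"])


def new_dir_mode(conf):
    """UNIX mode of a directory created through the share described by conf."""
    c = {**DEFAULTS, **conf}
    return mask_then_force(DIR_BASE, c["directory mask"], c["force directory mode"])


def nt_dialog_mode(requested, conf, directory=False):
    """Mode that results when an NT client sets `requested` via the security dialog."""
    c = {**DEFAULTS, **conf}
    if directory:
        return mask_then_force(requested, c["directory security mask"],
                               c["force directory security mode"])
    return mask_then_force(requested, c["security mask"], c["force security mode"])


def risky_forced_bits(conf):
    """Forced bits can never be cleared by a client, so flag the dangerous ones."""
    findings = []
    for key in ("force create mode", "force directory mode",
                "force security mode", "force directory security mode"):
        mode = conf.get(key, 0)
        if mode & stat.S_ISUID:
            findings.append(f"{key}: setuid forced on")
        if mode & stat.S_ISGID:
            findings.append(f"{key}: setgid forced on")
        if mode & stat.S_IWOTH:
            findings.append(f"{key}: world-writable forced on")
    return findings


if __name__ == "__main__":
    # Constructed share: the man page's 0755 example plus a deliberately bad forced bit.
    share = {"force create mode": 0o755, "directory security mask": 0o700,
             "force security mode": 0o002}
    print(oct(new_file_mode(share)), oct(new_dir_mode(share)))
    print(oct(nt_dialog_mode(0o777, share, directory=True)))
    for line in risky_forced_bits(share):
        print(line)
```

With the defaults a new file comes out 0644 (0666 masked by 0744); the force create mode = 0755 example then lifts it to 0755. A directory security mask of 0700 means a client asking for 0777 through the security dialog ends up with 0700, and a forced 0002 bit, which no client can remove, is exactly what risky_forced_bits is there to catch.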

force unknown acl user (S)
If this parameter is set, a Windows NT ACL that contains an unknown SID (security identifier, the representation of a user or group id) as the owner or group owner of the file will be silently mapped into the current UNIX uid or gid of the currently connected user.

This is designed to allow Windows NT clients to copy files and folders containing ACLs that were created locally on the client machine and contain users local to that machine only (no domain users) to be copied to a Samba server (usually with XCOPY /O) and have the unknown userid and groupid of the file owner map to the current connected user. This can only be fixed correctly when winbindd allows arbitrary mapping from any Windows NT SID to a UNIX uid or gid.

Try using this parameter when XCOPY /O gives an ACCESS_DENIED error.

Default: force unknown acl user = no

force user (S)
This specifies a UNIX user name that will be assigned as the default user for all users connecting to this service. This is useful for sharing files. You should also use it carefully as using it incorrectly can cause security problems.

This user name only gets used once a connection is established. Thus clients still need to connect as a valid user and supply a valid password. Once connected, all file operations will be performed as the "forced user", no matter what username the client connected as. This can be very useful.

In Samba 2.0.5 and above this parameter also causes the primary group of the forced user to be used as the primary group for all file activity. Prior to 2.0.5 the primary group was left as the primary group of the connecting user (this was a bug).

Default: force user =

Example: force user = auser

fstype (S)
This parameter allows the administrator to configure the string that specifies the type of filesystem a share is using that is reported by smbd(8) when a client queries the filesystem type for a share. The default type is NTFS for compatibility with Windows NT but this can be changed to other strings such as Samba or FAT if required.

Default: fstype = NTFS

Example: fstype = Samba

get quota command (G)
The get quota command should only be used whenever there is no operating system API available from the OS that samba can use.

This option is only available with ./configure --with-sys-quotas. Or on linux when ./configure --with-quotas was used and a working quota api was found in the system.

This parameter should specify the path to a script that queries the quota information for the specified user/group for the partition that the specified directory is on.

Such a script should take 3 arguments:

* directory
* type of query
* uid of user or gid of group

The type of query can be one of :

* 1 - user quotas
* 2 - user default quotas (uid = -1)
* 3 - group quotas
* 4 - group default quotas (gid = -1)

This script should print one line as output with spaces between the arguments. The arguments are:

* Arg 1 - quota flags (0 = no quotas, 1 = quotas enabled, 2 = quotas enabled and enforced)
* Arg 2 - number of currently used blocks
* Arg 3 - the softlimit number of blocks
* Arg 4 - the hardlimit number of blocks
* Arg 5 - currently used number of inodes
* Arg 6 - the softlimit number of inodes
* Arg 7 - the hardlimit number of inodes
* Arg 8(optional) - the number of bytes in a block(default is 1024)

Default: get quota command =

Example: get quota command = /usr/local/sbin/query_quota

getwd cache (G)
This is a tuning option. When this is enabled a caching algorithm will be used to reduce the time taken for getwd() calls. This can have a significant impact on performance, especially when the wide links parameter is set to no.

Default: getwd cache = yes

guest account (G)
This is a username which will be used for access to services which are specified as guest ok (see below). Whatever privileges this user has will be available to any client connecting to the guest service. This user must exist in the password file, but does not require a valid login. The user account "ftp" is often a good choice for this parameter.

On some systems the default guest account "nobody" may not be able to print. Use another account in this case. You should test this by trying to log in as your guest user (perhaps by using the su - command) and trying to print using the system print command such as lpr(1) or lp(1).

This parameter does not accept % macros, because many parts of the system require this value to be constant for correct operation.

Default: guest account = nobody # default can be changed at compile-time

Example: guest account = ftp

public
This parameter is a synonym for guest ok.
guest ok (S)
If this parameter is yes for a service, then no password is required to connect to the service. Privileges will be those of the guest account.

This parameter nullifies the benefits of setting restrict anonymous = 2.

See the section below on security for more information about this option.

Default: guest ok = no

only guest
This parameter is a synonym for guest only.
guest only (S)
If this parameter is yes for a service, then only guest connections to the service are permitted. This parameter will have no effect if guest ok is not set for the service.

See the section below on security for more information about this option.

Default: guest only = no

hide dot files (S)
This is a boolean parameter that controls whether files starting with a dot appear as hidden files.

Default: hide dot files = yes

hide files (S)
This is a list of files or directories that are not visible but are accessible. The DOS 'hidden' attribute is applied to any files or directories that match.

Each entry in the list must be separated by a '/', which allows spaces to be included in the entry. '*' and '?' can be used to specify multiple files or directories as in DOS wildcards.

Each entry must be a Unix path, not a DOS path and must not include the Unix directory separator '/'.

Note that the case sensitivity option is applicable in hiding files.

Setting this parameter will affect the performance of Samba, as it will be forced to check all files and directories for a match as they are scanned.

Default: hide files = # no file are hidden

Example: hide files = /.*/DesktopFolderDB/TrashFor%m/resource.frk/ # The above example is based on files that the Macintosh SMB client (DAVE) available from Thursby creates for internal use, and also still hides all files beginning with a dot.
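The '/'-separated list and DOS wildcard syntax are easy to get wrong, and hidden is not the same as inaccessible: a name matched here only gets the DOS hidden attribute. The parser and matcher below are an added example, not Samba's code; they implement the '*' and '?' wildcards, the case sensitivity switch and the hide dot files rule. The %m macro is left literal (substituting the client NetBIOS name is assumed to be the caller's job).

```python
"""Parser and matcher for the smb.conf 'hide files' list (added example)."""
import re


def parse_hide_files(value):
    """Entries are separated by '/', so an entry may itself contain spaces."""
    return [entry for entry in value.split("/") if entry]


def dos_pattern_to_regex(pattern):
    """DOS wildcards only: '*' matches any run, '?' one character, all else literal."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return "^" + "".join(parts) + "$"


def is_hidden(name, patterns, case_sensitive=False, hide_dot_files=True):
    """Would smbd mark this directory entry with the DOS hidden attribute?"""
    if hide_dot_files and name.startswith(".") and name not in (".", ".."):
        return True
    flags = 0 if case_sensitive else re.IGNORECASE
    return any(re.match(dos_pattern_to_regex(p), name, flags) for p in patterns)


if __name__ == "__main__":
    # Constructed listing checked against the man page's own example value.
    pats = parse_hide_files("/.*/DesktopFolderDB/TrashFor%m/resource.frk/")
    for entry in ("report.doc", "resource.frk", "RESOURCE.FRK", ".profile", "DesktopFolderDB"):
        print(entry, is_hidden(entry, pats))
```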

hide special files (S)
This parameter prevents clients from seeing special files such as sockets, devices and fifo's in directory listings.

Default: hide special files = no

hide unreadable (S)
This parameter prevents clients from seeing the existence of files that cannot be read. Defaults to off.

Default: hide unreadable = no

hide unwriteable files (S)
This parameter prevents clients from seeing the existence of files that cannot be written to. Defaults to off. Note that unwriteable directories are shown as usual.

Default: hide unwriteable files = no

homedir map (G)
If nis homedir is yes, and smbd(8) is also acting as a Win95/98 logon server then this parameter specifies the NIS (or YP) map from which the server for the user's home directory should be extracted. At present, only the Sun auto.home map format is understood. The form of the map is:

username server:/some/file/system

and the program will extract the servername from before the first ':'. There should probably be a better parsing system that copes with different map formats and also Amd (another automounter) maps.

Note

A working NIS client is required on the system for this option to work.

Default: homedir map =

Example: homedir map = amd.homedir

host msdfs (G)
If set to yes, Samba will act as a Dfs server, and allow Dfs-aware clients to browse Dfs trees hosted on the server.

See also the msdfs root share level parameter. For more information on setting up a Dfs tree on Samba, refer to ???.

Default: host msdfs = no

hostname lookups (G)
Specifies whether samba should use (expensive) hostname lookups or use the ip addresses instead. An example place where hostname lookups are currently used is when checking the hosts deny and hosts allow.

Default: hostname lookups = yes

Example: hostname lookups = no

allow hosts
This parameter is a synonym for hosts allow.
hosts allow (S)
A synonym for this parameter is allow hosts.

This parameter is a comma, space, or tab delimited set of hosts which are permitted to access a service.

If specified in the [global] section then it will apply to all services, regardless of whether the individual service has a different setting.

You can specify the hosts by name or IP number. For example, you could restrict access to only the hosts on a Class C subnet with something like allow hosts = 150.203.5. . The full syntax of the list is described in the man page hosts_access(5). Note that this man page may not be present on your system, so a brief description will be given here also.

Note that the localhost address 127.0.0.1 will always be allowed access unless specifically denied by a hosts deny option.

You can also specify hosts by network/netmask pairs and by netgroup names if your system supports netgroups. The EXCEPT keyword can also be used to limit a wildcard list. The following examples may provide some help:

Example 1: allow all IPs in 150.203.*.*; except one

hosts allow = 150.203. EXCEPT 150.203.6.66

Example 2: allow hosts that match the given network/netmask

hosts allow = 150.203.15.0/255.255.255.0

Example 3: allow a couple of hosts

hosts allow = lapland, arvidsjaur

Example 4: allow only hosts in NIS netgroup "foonet", but deny access from one particular host

hosts allow = @foonet

hosts deny = pirate

Note

Note that access still requires suitable user-level passwords.

See testparm(1) for a way of testing your host access to see if it does what you expect.

Default: hosts allow = # none (i.e., all hosts permitted access)

Example: hosts allow = 150.203.5. myhost.mynet.edu.au

deny hosts
This parameter is a synonym for hosts deny.
hosts deny (S)
The opposite of hosts allow - hosts listed here are NOT permitted access to services unless the specific services have their own lists to override this one. Where the lists conflict, the allow list takes precedence.

Default: hosts deny = # none (i.e., no hosts specifically excluded)

Example: hosts deny = 150.203.4. badhost.mynet.edu.au
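The interaction between the two lists is where most mistakes happen, so here is the decision procedure written out as an added example (modelled on the hosts_access(5) order the text cites, not Samba's own lib/access.c). It handles address prefixes, hostname suffixes, network/netmask pairs in either notation, the EXCEPT keyword, the ALL wildcard from hosts_access(5) and the loopback rule above. NIS netgroup (@name) tokens are not implemented, and hostname resolution is assumed to have been done by the caller, who passes both the client name and its address.

```python
"""Host-access decision for hosts allow / hosts deny (added example)."""
import ipaddress
import re

_SEP = re.compile(r"[,\s]+")


def parse_list(value):
    """Split an smb.conf host list on commas, spaces or tabs."""
    return [t for t in _SEP.split(value.strip()) if t] if value else []


def _token_matches(tok, name, addr):
    low = tok.lower()
    if low == "all":                       # hosts_access(5) wildcard
        return True
    if tok.startswith("@"):                # NIS netgroup: needs a NIS client, not modelled
        return False
    if "/" in tok:                         # network/netmask, dotted or bit-length mask
        try:
            return ipaddress.ip_address(addr) in ipaddress.ip_network(tok, strict=False)
        except ValueError:
            return False
    if tok.endswith("."):                  # "150.203." is an address prefix
        return addr.startswith(tok)
    if tok.startswith("."):                # ".mynet.edu.au" is a hostname suffix
        return name.lower().endswith(low)
    return low == name.lower() or tok == addr


def list_match(tokens, name, addr):
    """Match if anything before EXCEPT matches and nothing after it does."""
    upper = [t.upper() for t in tokens]
    if "EXCEPT" in upper:
        i = upper.index("EXCEPT")
        return list_match(tokens[:i], name, addr) and not list_match(tokens[i + 1:], name, addr)
    return any(_token_matches(t, name, addr) for t in tokens)


def allow_access(hosts_allow, hosts_deny, name, addr):
    """Loopback is admitted unless explicitly denied; the allow list wins over the
    deny list; with both lists present a host matching neither is admitted."""
    allow, deny = parse_list(hosts_allow), parse_list(hosts_deny)
    if addr == "127.0.0.1":
        return not (deny and list_match(deny, name, addr))
    if not allow and not deny:
        return True
    if not deny:                           # allow list only: must be on it
        return list_match(allow, name, addr)
    if not allow:                          # deny list only: must not be on it
        return not list_match(deny, name, addr)
    if list_match(allow, name, addr):
        return True
    return not list_match(deny, name, addr)


if __name__ == "__main__":
    # Constructed client on neither list: admitted unless the deny list closes the door.
    for deny in ("150.203.4.", "ALL"):
        print("hosts deny =", deny, "->", allow_access("150.203.5.", deny, "stray", "10.9.9.9"))
```

The last two branches are the trap: hosts allow = 150.203.5. on its own shuts out every other host, but adding hosts deny = 150.203.4. beside it admits a client that is on neither list. Pair an allow list with hosts deny = ALL (or an equivalent catch-all) when the intent is "only these hosts".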

hosts equiv (G)
If this global parameter is a non-null string, it specifies the name of a file to read for the names of hosts and users who will be allowed access without specifying a password.

This is not be confused with hosts allow which is about hosts access to services and is more useful for guest services. hosts equiv may be useful for NT clients which will not supply passwords to Samba.

Note

The use of hosts equiv can be a major security hole. This is because you are trusting the PC to supply the correct username. It is very easy to get a PC to supply a false username. I recommend that the hosts equiv option be only used if you really know what you are doing, or perhaps on a home network where you trust your spouse and kids. And only if you really trust them :-).

Default: hosts equiv = # no host equivalences

Example: hosts equiv = /etc/hosts.equiv

idmap backend (G)
The purpose of the idmap backend parameter is to allow idmap to NOT use the local idmap tdb file to obtain SID to UID / GID mappings, but instead to obtain them from a common LDAP backend. This way all domain members and controllers will have the same UID and GID to SID mappings. This avoids the risk of UID / GID inconsistencies across UNIX / Linux systems that are sharing information over protocols other than SMB/CIFS (ie: NFS).

Default: idmap backend =

Example: idmap backend = ldap:ldap://ldapslave.example.com

winbind gid
This parameter is a synonym for idmap gid.
idmap gid (G)
The idmap gid parameter specifies the range of group ids that are allocated for the purpose of mapping UNIX groups to NT group SIDs. This range of group ids should have no existing local or NIS groups within it as strange conflicts can occur otherwise.

The availability of an idmap gid range is essential for correct operation of all group mapping.

Default: idmap gid =

Example: idmap gid = 10000-20000

winbind uid
This parameter is a synonym for idmap uid.
idmap uid (G)
The idmap uid parameter specifies the range of user ids that are allocated for use in mapping UNIX users to NT user SIDs. This range of ids should have no existing local or NIS users within it as strange conflicts can occur otherwise.

Default: idmap uid =

Example: idmap uid = 10000-20000

include (G)
This allows you to include one config file inside another. The file is included literally, as though typed in place.

It takes the standard substitutions, except %u , %P and %S.

Default: include =

Example: include = /usr/local/samba/lib/admin_smb.conf

inherit acls (S)
This parameter can be used to ensure that if default acls exist on parent directories, they are always honored when creating a subdirectory. The default behavior is to use the mode specified when creating the directory. Enabling this option sets the mode to 0777, thus guaranteeing that default directory acls are propagated.

Default: inherit acls = no

inherit permissions (S)
The permissions on new files and directories are normally governed by create mask, directory mask, force create mode and force directory mode but the boolean inherit permissions parameter overrides this.

New directories inherit the mode of the parent directory, including bits such as setgid.

New files inherit their read/write bits from the parent directory. Their execute bits continue to be determined by map archive, map hidden and map system as usual.

Note that the setuid bit is never set via inheritance (the code explicitly prohibits this).

This can be particularly useful on large systems with many users, perhaps several thousand, to allow a single [homes] share to be used flexibly by each user.

Default: inherit permissions = no

interfaces (G)
This option allows you to override the default network interfaces list that Samba will use for browsing, name registration and other NBT traffic. By default Samba will query the kernel for the list of all active interfaces and use any interfaces except 127.0.0.1 that are broadcast capable.

The option takes a list of interface strings. Each string can be in any of the following forms:

* a network interface name (such as eth0). This may include shell-like wildcards so eth* will match any interface starting with the substring "eth"
* an IP address. In this case the netmask is determined from the list of interfaces obtained from the kernel
* an IP/mask pair.
* a broadcast/mask pair.

The "mask" parameters can either be a bit length (such as 24 for a class C network) or a full netmask in dotted decimal form.

The "IP" parameters above can either be a full dotted decimal IP address or a hostname which will be looked up via the OS's normal hostname resolution mechanisms.

Default: interfaces = # all active interfaces except 127.0.0.1 that are broadcast capable

Example: interfaces = eth0 192.168.2.10/24 192.168.3.10/255.255.255.0 # This would configure three network interfaces corresponding to the eth0 device and IP addresses 192.168.2.10 and 192.168.3.10. The netmasks of the latter two interfaces would be set to 255.255.255.0.

invalid users (S)
This is a list of users that should not be allowed to login to this service. This is really a paranoid check to absolutely ensure an improper setting does not breach your security.

A name starting with a '@' is interpreted as an NIS netgroup first (if your system supports NIS), and then as a UNIX group if the name was not found in the NIS netgroup database.

A name starting with '+' is interpreted only by looking in the UNIX group database. A name starting with '&' is interpreted only by looking in the NIS netgroup database (this requires NIS to be working on your system). The characters '+' and '&' may be used at the start of the name in either order so the value +&group means check the UNIX group database, followed by the NIS netgroup database, and the value &+group means check the NIS netgroup database, followed by the UNIX group database (the same as the '@' prefix).

The current servicename is substituted for %S. This is useful in the [homes] section.

Default: invalid users = # no invalid users

Example: invalid users = root fred admin @wheel
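
The three prefixes and their lookup order, as an added example (Python, not Samba's code). UNIX_GROUPS and NIS_NETGROUPS are constructed stand-ins for the UNIX group database and the NIS netgroup database that smbd would consult, and %S is substituted as the text describes. The point worth seeing is the fall-through rule: with the '@' prefix the UNIX group is consulted only when NIS has no netgroup of that name, so a netgroup that happens to share a name with a UNIX group shadows it.

```python
# Constructed directories standing in for the UNIX group database and the NIS
# netgroup database that smbd would consult via getgrnam()/innetgr().
UNIX_GROUPS = {"wheel": {"root", "fred"}, "staff": {"alice", "bob"}}
NIS_NETGROUPS = {"wheel": {"root"}, "ops": {"carol"}}

def lookup_order(entry):
    """Decode the prefix of one 'invalid users' entry into
    (kind, name, databases_to_consult_in_order)."""
    if entry.startswith("@"):
        return "group", entry[1:], ["nis", "unix"]
    dbs = []
    i = 0
    while i < len(entry) and entry[i] in "+&":
        dbs.append("unix" if entry[i] == "+" else "nis")
        i += 1
    if dbs:
        return "group", entry[i:], dbs
    return "user", entry, []

def is_member(group, dbs, user, unix=UNIX_GROUPS, nis=NIS_NETGROUPS):
    """Consult the databases in order. The first database that knows the group
    settles the question; later ones are only reached when the name was not found."""
    for db in dbs:
        table = unix if db == "unix" else nis
        if group in table:
            return user in table[group]
    return False

def is_invalid_user(user, invalid_users, service, unix=UNIX_GROUPS, nis=NIS_NETGROUPS):
    """True when 'user' is denied on 'service' by an 'invalid users' value.
    %S is replaced with the service name before the entry is interpreted."""
    for raw in invalid_users.split():
        kind, name, dbs = lookup_order(raw.replace("%S", service))
        if kind == "user":
            if name == user:
                return True
        elif is_member(name, dbs, user, unix, nis):
            return True
    return False
```

When a host runs both NIS and local groups, prefer the explicit '+' or '&' prefix over '@' so the list is evaluated against the database you actually maintain.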

keepalive (G)
The value of the parameter (an integer) represents the number of seconds between keepalive packets. If this parameter is zero, no keepalive packets will be sent. Keepalive packets, if sent, allow the server to tell whether a client is still present and responding.

Keepalives should, in general, not be needed if the socket being used has the SO_KEEPALIVE attribute set on it (see socket options). Basically you should only use this option if you strike difficulties.

Default: keepalive = 300

Example: keepalive = 600

kernel change notify (G)
This parameter specifies whether Samba should ask the kernel for change notifications in directories so that SMB clients can refresh whenever the data on the server changes.

This parameter is only used when your kernel supports change notification to user programs, using the F_NOTIFY fcntl.

Default: kernel change notify = yes

kernel oplocks (G)
For UNIXes that support kernel based oplocks (currently only IRIX and the Linux 2.4 kernel), this parameter allows the use of them to be turned on or off.

Kernel oplocks support allows Samba oplocks to be broken whenever a local UNIX process or NFS operation accesses a file that smbd(8) has oplocked. This allows complete data consistency between SMB/CIFS, NFS and local file access (and is a very cool feature :-).

This parameter defaults to on, but is translated to a no-op on systems that do not have the necessary kernel support. You should never need to touch this parameter.

Default: kernel oplocks = yes

lanman auth (G)
This parameter determines whether or not smbd(8) will attempt to authenticate users using the LANMAN password hash. If disabled, only clients which support NT password hashes (e.g. Windows NT/2000 clients, smbclient, etc... but not Windows 95/98 or the MS DOS network client) will be able to connect to the Samba host.

The LANMAN encrypted response is easily broken, due to its case-insensitive nature and the choice of algorithm. Servers without Windows 95/98 or MS DOS clients are advised to disable this option.

Unlike the encrypt passwords option, this parameter cannot alter client behaviour, and the LANMAN response will still be sent over the network. See the client lanman auth option to disable this for Samba's clients (such as smbclient).

If this option and ntlm auth are both disabled, then only NTLMv2 logins will be permitted. Not all clients support NTLMv2, and most will require special configuration to use it.

Default: lanman auth = yes

large readwrite (G)
This parameter determines whether or not smbd(8) supports the new 64k streaming read and write variant SMB requests introduced with Windows 2000. Note that due to Windows 2000 client redirector bugs this requires Samba to be running on a 64-bit capable operating system such as IRIX, Solaris or a Linux 2.4 kernel. It can improve performance by 10% with Windows 2000 clients. Defaults to on. Not as tested as some other Samba code paths.

Default: large readwrite = yes

ldap admin dn (G)
The ldap admin dn defines the Distinguished Name (DN) used by Samba to contact the ldap server when retrieving user account information. The ldap admin dn is used in conjunction with the admin dn password stored in the private/secrets.tdb file. See the smbpasswd(8) man page for more information on how to accomplish this.

No default

ldap delete dn (G)
This parameter specifies whether a delete operation in the ldapsam deletes the complete entry or only the attributes specific to Samba.

Default: ldap delete dn = no

ldap filter (G)
This parameter specifies the RFC 2254 compliant LDAP search filter. The default is to match the login name with the uid attribute. Note that this filter should only return one entry.

Default: ldap filter = (uid=%u)

Example: ldap filter = (&(uid=%u)(objectclass=sambaSamAccount))

ldap group suffix (G)
This parameter specifies the suffix that is used for groups when these are added to the LDAP directory. If this parameter is unset, the value of ldap suffix will be used instead.

Default: ldap group suffix =

Example: ldap group suffix = ou=Groups,dc=samba,dc=org

ldap idmap suffix (G)
This parameter specifies the suffix that is used when storing idmap mappings. If this parameter is unset, the value of ldap suffix will be used instead.

Default: ldap idmap suffix =

Example: ldap idmap suffix = ou=Idmap,dc=samba,dc=org

ldap machine suffix (G)
This parameter specifies where machine accounts are added to the LDAP tree. If it is unset, the value of ldap suffix will be used instead.

Default: ldap machine suffix =

ldap passwd sync (G)
This option is used to define whether or not Samba should sync the LDAP password with the NT and LM hashes for normal accounts (NOT for workstation, server or domain trusts) on a password change via SAMBA.

The ldap passwd sync can be set to one of three values:

*
Yes = Try to update the LDAP, NT and LM passwords and update the pwdLastSet time.
*
No = Update NT and LM passwords and update the pwdLastSet time.
*
Only = Only update the LDAP password and let the LDAP server do the rest.
Default: ldap passwd sync = no
ldap port (G)
This parameter is only available if Samba has been configured to include the --with-ldapsam option at compile time.

This option is used to control the TCP port number used to contact the ldap server. The default is the standard LDAPS port 636 when ldap ssl = on, and the standard LDAP port 389 otherwise.

Default: ldap port = 636 # if ldap ssl = on

Default: ldap port = 389 # if ldap ssl = off

ldap replication sleep (G)
When Samba is asked to write to a read-only LDAP replica, we are redirected to talk to the read-write master server. This server then replicates our changes back to the 'local' server, however the replication might take some seconds, especially over slow links. Certain client activities, particularly domain joins, can become confused by the 'success' that does not immediately change the LDAP back-end's data.

This option simply causes Samba to wait a short time, to allow the LDAP server to catch up. If you have a particularly high-latency network, you may wish to time the LDAP replication with a network sniffer, and increase this value accordingly. Be aware that no checking is performed that the data has actually replicated.

The value is specified in milliseconds, the maximum value is 5000 (5 seconds).

Default: ldap replication sleep = 1000

ldap server (G)
This parameter is only available if Samba has been configured to include the --with-ldapsam option at compile time.

This parameter should contain the FQDN of the ldap directory server which should be queried to locate user account information.

Default: ldap server = localhost

ldap ssl (G)
This option is used to define whether or not Samba should use SSL when connecting to the ldap server. This is NOT related to Samba's previous SSL support, which was enabled by specifying the --with-ssl option to the configure script.

The ldap ssl can be set to one of three values:

*
Off = Never use SSL when querying the directory.
*
Start_tls = Use the LDAPv3 StartTLS extended operation (RFC2830) for communicating with the directory server.
*
On = Use SSL on the ldaps port when contacting the ldap server. Only available when the backwards-compatibility --with-ldapsam option is specified to configure. See passdb backend.
Default: ldap ssl = start_tls
ldap suffix (G)
Specifies where user and machine accounts are added to the tree. It can be overridden by ldap user suffix and ldap machine suffix. It is also used as the base dn for all ldap searches.

Default: ldap suffix =

ldap timeout (G)
When Samba connects to an ldap server that server may be down or unreachable. To prevent Samba from hanging whilst waiting for the connection, this parameter specifies in seconds how long Samba should wait before failing the connect. The default is to wait only five seconds for the ldap server to respond to the connect request.

Default: ldap timeout = 5

ldap user suffix (G)
This parameter specifies where users are added to the tree. If it is not specified, the value of ldap suffix is used.

Default: ldap user suffix =

level2 oplocks (S)
This parameter controls whether Samba supports level2 (read-only) oplocks on a share.

Level2, or read-only oplocks allow Windows NT clients that have an oplock on a file to downgrade from a read-write oplock to a read-only oplock once a second client opens the file (instead of releasing all oplocks on a second open, as in traditional, exclusive oplocks). This allows all openers of the file that support level2 oplocks to cache the file for read-ahead only (ie. they may not cache writes or lock requests) and increases performance for many accesses of files that are not commonly written (such as application .EXE files).

Once one of the clients which have a read-only oplock writes to the file all clients are notified (no reply is needed or waited for) and told to break their oplocks to "none" and delete any read-ahead caches.

It is recommended that this parameter be turned on to speed access to shared executables.

For more discussions on level2 oplocks see the CIFS spec.

Currently, if kernel oplocks are supported then level2 oplocks are not granted (even if this parameter is set to yes). Note also, the oplocks parameter must be set to yes on this share in order for this parameter to have any effect.

Default: level2 oplocks = yes

lm announce (G)
This parameter determines if nmbd(8) will produce Lanman announce broadcasts that are needed by OS/2 clients in order for them to see the Samba server in their browse list. This parameter can have three values: yes, no, or auto. The default is auto. If set to no Samba will never produce these broadcasts. If set to yes Samba will produce Lanman announce broadcasts at a frequency set by the parameter lm interval. If set to auto Samba will not send Lanman announce broadcasts by default but will listen for them. If it hears such a broadcast on the wire it will then start sending them at a frequency set by the parameter lm interval.

Default: lm announce = auto

Example: lm announce = yes

lm interval (G)
If Samba is set to produce Lanman announce broadcasts needed by OS/2 clients (see the lm announce parameter) then this parameter defines the frequency in seconds with which they will be made. If this is set to zero then no Lanman announcements will be made despite the setting of the lm announce parameter.

Default: lm interval = 60

Example: lm interval = 120

load printers (G)
A boolean variable that controls whether all printers in the printcap will be loaded for browsing by default. See the printers section for more details.

Default: load printers = yes

local master (G)
This option allows nmbd(8) to try and become a local master browser on a subnet. If set to no then nmbd will not attempt to become a local master browser on a subnet and will also lose in all browsing elections. By default this value is set to yes. Setting this value to yes doesn't mean that Samba will become the local master browser on a subnet, just that nmbd will participate in elections for local master browser.

Setting this value to no will cause nmbd never to become a local master browser.

Default: local master = yes

lock dir
This parameter is a synonym for lock directory.
lock directory (G)
This option specifies the directory where lock files will be placed. The lock files are used to implement the max connections option.

Default: lock directory = ${prefix}/var/locks

Example: lock directory = /var/run/samba/locks

locking (S)
This controls whether or not locking will be performed by the server in response to lock requests from the client.

If locking = no, all lock and unlock requests will appear to succeed and all lock queries will report that the file in question is available for locking.

If locking = yes, real locking will be performed by the server.

This option may be useful for read-only filesystems which may not need locking (such as CDROM drives), although setting this parameter to no is not really recommended even in this case.

Be careful about disabling locking either globally or in a specific service, as lack of locking may result in data corruption. You should never need to set this parameter.

No default

lock spin count (G)
This parameter controls the number of times that smbd should attempt to gain a byte range lock on the behalf of a client request. Experiments have shown that Windows 2k servers do not reply with a failure if the lock could not be immediately granted, but try a few more times in case the lock could later be acquired. This behavior is used to support PC database formats such as MS Access and FoxPro.

Default: lock spin count = 3

lock spin time (G)
The time in microseconds that smbd should pause before attempting to gain a failed lock. See lock spin count for more details.

Default: lock spin time = 10

log file (G)
This option allows you to override the name of the Samba log file (also known as the debug file).

This option takes the standard substitutions, allowing you to have separate log files for each user or machine.

No default

Example: log file = /usr/local/samba/var/log.%m

debuglevel
This parameter is a synonym for log level.
log level (G)
The value of the parameter (a string) allows the debug level (logging level) to be specified in the smb.conf file. This parameter has been extended since the 2.2.x series; it now allows the debug level to be specified separately for multiple debug classes, to give greater flexibility in the configuration of the system.

The default will be the log level specified on the command line or level zero if none was specified.

No default

Example: log level = 3 passdb:5 auth:10 winbind:2

logon drive (G)
This parameter specifies the local path to which the home directory will be connected (see logon home) and is only used by NT Workstations.

Note that this option is only useful if Samba is set up as a logon server.

Default: logon drive = z:

Example: logon drive = h:

logon home (G)
This parameter specifies the home directory location when a Win95/98 or NT Workstation logs into a Samba PDC. It allows you to do

C:\> NET USE H: /HOME

from a command prompt, for example.

This option takes the standard substitutions, allowing you to have separate logon scripts for each user or machine.

This parameter can be used with Win9X workstations to ensure that roaming profiles are stored in a subdirectory of the user's home directory. This is done in the following way:

logon home = \\%N\%U\profile

This tells Samba to return the above string, with substitutions made when a client requests the info, generally in a NetUserGetInfo request. Win9X clients truncate the info to \\server\share when a user does net use /home but use the whole string when dealing with profiles.

Note that in prior versions of Samba, the logon path was returned rather than logon home. This broke net use /home but allowed profiles outside the home directory. The current implementation is correct, and can be used for profiles if you use the above trick.

This option is only useful if Samba is set up as a logon server.

Default: logon home = \\%N\%U

Example: logon home = \\remote_smb_server\%U

logon path (G)
This parameter specifies the home directory where roaming profiles (NTuser.dat etc files for Windows NT) are stored. Contrary to previous versions of these manual pages, it has nothing to do with Win 9X roaming profiles. To find out how to handle roaming profiles for Win 9X system, see the logon home parameter.

This option takes the standard substitutions, allowing you to have separate logon scripts for each user or machine. It also specifies the directory from which the "Application Data", desktop, start menu, network neighborhood, programs and other folders, and their contents, are loaded and displayed on your Windows NT client.

The share and the path must be readable by the user for the preferences and directories to be loaded onto the Windows NT client. The share must be writeable when the user logs in for the first time, in order that the Windows NT client can create the NTuser.dat and other directories.

Thereafter, the directories and any of the contents can, if required, be made read-only. It is not advisable that the NTuser.dat file be made read-only - rename it to NTuser.man to achieve the desired effect (a MANdatory profile).

Windows clients can sometimes maintain a connection to the [homes] share, even though there is no user logged in. Therefore, it is vital that the logon path does not include a reference to the homes share (i.e. setting this parameter to \\%N\%U\profile_path will cause problems).

Note that this option is only useful if Samba is set up as a logon server.

Default: logon path = \\%N\%U\profile

Example: logon path = \\PROFILESERVER\PROFILE\%U

logon script (G)
This parameter specifies the batch file (.bat) or NT command file (.cmd) to be downloaded and run on a machine when a user successfully logs in. The file must contain the DOS style CR/LF line endings. Using a DOS-style editor to create the file is recommended.

The script must be a relative path to the [netlogon] service. If the [netlogon] service specifies a path of /usr/local/samba/netlogon, and logon script = STARTUP.BAT, then the file that will be downloaded is:

/usr/local/samba/netlogon/STARTUP.BAT

The contents of the batch file are entirely your choice. A suggested command would be to add NET TIME \\SERVER /SET /YES, to force every machine to synchronize clocks with the same time server. Another use would be to add NET USE U: \\SERVER\UTILS for commonly used utilities, or

        NET USE Q: \\SERVER\ISO9001_QA

for example.

Note that it is particularly important not to allow write access to the [netlogon] share, or to grant users write permission on the batch files in a secure environment, as this would allow the batch files to be arbitrarily modified and security to be breached.

This option takes the standard substitutions, allowing you to have separate logon scripts for each user or machine.

This option is only useful if Samba is set up as a logon server.

Default: logon script =  

Example: logon script = scripts\%U.bat  

lppause command (S)
This parameter specifies the command to be executed on the server host in order to stop printing or spooling a specific print job.

This command should be a program or script which takes a printer name and job number to pause the print job. One way of implementing this is by using job priorities, where jobs with too low a priority won't be sent to the printer.

If a %p is given then the printer name is put in its place. A %j is replaced with the job number (an integer). On HPUX (see printing = hpux), if the -p%p option is added to the lpq command, the job will show up with the correct status, i.e. if the job priority is lower than the set fence priority it will have the PAUSED status, whereas if the priority is equal or higher it will have the SPOOLED or PRINTING status.

Note that it is good practice to include the absolute path in the lppause command as the PATH may not be available to the server.

Default: lppause command = # Currently no default value is given to this string, unless the value of the printing parameter is SYSV, in which case the default is: lp -i %p-%j -H hold, or if the value of the printing parameter is SOFTQ, then the default is: qstat -s -j%j -h

Example: lppause command = /usr/bin/lpalt %p-%j -p0

lpq cache time (G)
This controls how long lpq info will be cached for to prevent the lpq command being called too often. A separate cache is kept for each variation of the lpq command used by the system, so if you use different lpq commands for different users then they won't share cache information.

The cache files are stored in /tmp/lpq.xxxx where xxxx is a hash of the lpq command in use.

The default is 10 seconds, meaning that the cached results of a previous identical lpq command will be used if the cached data is less than 10 seconds old. A large value may be advisable if your lpq command is very slow.

A value of 0 will disable caching completely.

Default: lpq cache time = 10

Example: lpq cache time = 30

lpq command (S)
This parameter specifies the command to be executed on the server host in order to obtain lpq-style printer status information.

This command should be a program or script which takes a printer name as its only parameter and outputs printer status information.

Currently nine styles of printer status information are supported: BSD, AIX, LPRNG, PLP, SYSV, HPUX, QNX, CUPS, and SOFTQ. This covers most UNIX systems. You control which type is expected using the printing = option.

Some clients (notably Windows for Workgroups) may not correctly send the connection number for the printer they are requesting status information about. To get around this, the server reports on the first printer service connected to by the client. This only happens if the connection number sent is invalid.

If a %p is given then the printer name is put in its place. Otherwise it is placed at the end of the command.

Note that it is good practice to include the absolute path in the lpq command as the $PATH may not be available to the server. When compiled with the CUPS libraries, no lpq command is needed because smbd will make a library call to obtain the print queue listing.

Default: lpq command = # depends on the setting of printing

Example: lpq command = /usr/bin/lpq -P%p

lpresume command (S)
This parameter specifies the command to be executed on the server host in order to restart or continue printing or spooling a specific print job.

This command should be a program or script which takes a printer name and job number to resume the print job. See also the lppause command parameter.

If a %p is given then the printer name is put in its place. A %j is replaced with the job number (an integer).

Note that it is good practice to include the absolute path in the lpresume command as the PATH may not be available to the server. See also the printing parameter.

Default: lpresume command = # Currently no default value is given to this string, unless the value of the printing parameter is SYSV, in which case the default is: lp -i %p-%j -H resume, or if the value of the printing parameter is SOFTQ, then the default is: qstat -s -j%j -r

Example: lpresume command = /usr/bin/lpalt %p-%j -p2

lprm command (S)
This parameter specifies the command to be executed on the server host in order to delete a print job.

This command should be a program or script which takes a printer name and job number, and deletes the print job.

If a %p is given then the printer name is put in its place. A %j is replaced with the job number (an integer).

Note that it is good practice to include the absolute path in the lprm command as the PATH may not be available to the server.

Default: lprm command = # depends on the setting of printing

Example: lprm command = /usr/bin/lprm -P%p %j

Example: lprm command = /usr/bin/cancel %p-%j

machine password timeout (G)
If a Samba server is a member of a Windows NT Domain (see the security = domain parameter) then periodically a running smbd process will try and change the MACHINE ACCOUNT PASSWORD stored in the TDB called private/secrets.tdb. This parameter specifies how often this password will be changed, in seconds. The default is one week (expressed in seconds), the same as a Windows NT Domain member server.

See also smbpasswd(8), and the security = domain parameter.

Default: machine password timeout = 604800

magic output (S)
This parameter specifies the name of a file which will contain output created by a magic script (see the magic script parameter below).

Warning: If two clients use the same magic script in the same directory the output file content is undefined.

Default: magic output = <magic script name>.out

Example: magic output = myfile.txt

magic script (S)
This parameter specifies the name of a file which, if opened, will be executed by the server when the file is closed. This allows a UNIX script to be sent to the Samba host and executed on behalf of the connected user.

Scripts executed in this way will be deleted upon completion assuming that the user has the appropriate level of privilege and the file permissions allow the deletion.

If the script generates output, output will be sent to the file specified by the magic output parameter (see above).

Note that some shells are unable to interpret scripts containing CR/LF instead of LF as the end-of-line marker. Magic scripts must be executable as is on the host, which for some hosts and some shells will require filtering at the DOS end.

Magic scripts are EXPERIMENTAL and should NOT be relied upon.

Default: magic script =

Example: magic script = user.csh

mangle case (S)
See the section on NAME MANGLING

Default: mangle case = no

mangled map (S)
This is for those who want to directly map UNIX file names which cannot be represented on Windows/DOS. The mangling of names is not always what is needed. In particular you may have documents with file extensions that differ between DOS and UNIX. For example, under UNIX it is common to use .html for HTML files, whereas under Windows/DOS .htm is more commonly used.

So to map html to htm you would use:

mangled map = (*.html *.htm)

One very useful case is to remove the annoying ;1 off the ends of filenames on some CDROMs (only visible under some UNIXes). To do this use a map of (*;1 *;).

Default: mangled map = # no mangled map

Example: mangled map = (*;1 *;)

mangled names (S)
This controls whether non-DOS names under UNIX should be mapped to DOS-compatible names ("mangled") and made visible, or whether non-DOS names should simply be ignored.

See the section on NAME MANGLING for details on how to control the mangling process.

If mangling is used then the mangling algorithm is as follows:

*
The first (up to) five alphanumeric characters before the rightmost dot of the filename are preserved, forced to upper case, and appear as the first (up to) five characters of the mangled name.
*
A tilde "~" is appended to the first part of the mangled name, followed by a two-character unique sequence, based on the original root name (i.e., the original filename minus its final extension). The final extension is included in the hash calculation only if it contains any upper case characters or is longer than three characters.

Note that the character to use may be specified using the mangling char option, if you don't like '~'.

*
The first three alphanumeric characters of the final extension are preserved, forced to upper case and appear as the extension of the mangled name. The final extension is defined as that part of the original filename after the rightmost dot. If there are no dots in the filename, the mangled name will have no extension (except in the case of "hidden files" - see below).
*
Files whose UNIX name begins with a dot will be presented as DOS hidden files. The mangled name will be created as for other filenames, but with the leading dot removed and "___" as its extension regardless of actual original extension (that's three underscores).
The two-digit hash value consists of upper case alphanumeric characters.

This algorithm can cause name collisions only if files in a directory share the same first five alphanumeric characters. The probability of such a clash is 1/1300.

The name mangling (if enabled) allows a file to be copied between UNIX directories from Windows/DOS while retaining the long UNIX filename. UNIX files can be renamed to a new extension from Windows/DOS and will retain the same basename. Mangled names do not change between sessions.

Default: mangled names = yes
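
The rules listed above, as an added example (Python, not Samba's own implementation): split_for_mangling applies the root/extension and hash-input rules exactly as stated, and mangle assembles the 8.3 name. The man page does not specify the two-character hash, so _two_char_hash is a deterministic MD5-based stand-in chosen only to produce the upper-case alphanumeric output the text describes; the is_dos_name pass-through for names that already fit 8.3 is a simplified test standing in for smbd's own check of what counts as a DOS name.

```python
import hashlib
import string

ASCII_ALNUM = set(string.ascii_letters + string.digits)
HASH_ALPHABET = string.ascii_uppercase + string.digits   # the 36 symbols a hash character may take

def is_dos_name(name):
    """Simplified 8.3 test: an upper-case alphanumeric root of 1-8 characters and an
    optional extension of 1-3 such characters. Names that pass are not mangled."""
    root, dot, ext = name.partition(".")
    ok = lambda s, n: 0 < len(s) <= n and all(c in ASCII_ALNUM and not c.islower() for c in s)
    return ok(root, 8) and (not dot or ok(ext, 3))

def _alnum_prefix(text, limit):
    """The first 'limit' ASCII alphanumerics of text, forced to upper case."""
    return "".join(c for c in text if c in ASCII_ALNUM)[:limit].upper()

def _two_char_hash(text):
    """Two upper-case alphanumerics derived from text. The man page does not give
    Samba's actual hash; this MD5-based stand-in is an assumption chosen only to be
    deterministic and to use the right output alphabet."""
    n = int.from_bytes(hashlib.md5(text.encode("utf-8")).digest()[:4], "big")
    return HASH_ALPHABET[(n // 36) % 36] + HASH_ALPHABET[n % 36]

def split_for_mangling(name):
    """Return (hidden, root, ext, hash_input) as the rules define them: root is
    everything before the rightmost dot, ext what follows it, and ext joins the hash
    input only if it contains upper-case letters or is longer than three characters."""
    hidden = name.startswith(".")
    if hidden:
        name = name[1:]
    root, dot, ext = name.rpartition(".")
    if not dot:                           # no dot at all: the whole name is the root
        root, ext = name, ""
    hash_input = root
    if ext and (len(ext) > 3 or any(c.isupper() for c in ext)):
        hash_input = root + "." + ext
    return hidden, root, ext, hash_input

def mangle(name, mangling_char="~"):
    """8.3 name for a UNIX filename, following the 'hash' method rules listed above."""
    if is_dos_name(name):
        return name
    hidden, root, ext, hash_input = split_for_mangling(name)
    base = _alnum_prefix(root, 5) + mangling_char + _two_char_hash(hash_input)
    if hidden:
        return base + ".___"              # dot-files: leading dot dropped, extension forced
    return base + ("." + _alnum_prefix(ext, 3) if ext else "")
```

Two upper-case alphanumeric characters give 36 x 36 = 1296 values, which is where the 1/1300 collision figure above comes from: every file in a directory whose first five alphanumerics agree competes for the same 1296 suffixes, so directories full of similarly named files (dated reports, numbered exports) are where the hash method runs out of room.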

mangle prefix (G)
This controls the number of prefix characters from the original name used when generating the mangled names. A larger value will give a weaker hash and therefore more name collisions. The minimum value is 1 and the maximum value is 6.

mangle prefix is effective only when mangling method is hash2.

Default: mangle prefix = 1

Example: mangle prefix = 4

mangling char (S)
This controls what character is used as the magic character in name mangling. The default is a '~' but this may interfere with some software. Use this option to set it to whatever you prefer. This is effective only when mangling method is hash.

Default: mangling char = ~

Example: mangling char = ^

mangling method (G)
This controls the algorithm used for generating the mangled names. It can take two different values, "hash" and "hash2". "hash" is the algorithm that was used in Samba for many years and was the default in Samba 2.2.x. "hash2" is now the default; it is newer and considered a better algorithm (it generates fewer collisions). Many Win32 applications store the mangled names, so changing algorithms must not be done lightly as these applications may break unless reinstalled.

Default: mangling method = hash2

Example: mangling method = hash

map acl inherit (S)
This boolean parameter controls whether smbd(8) will attempt to map the 'inherit' and 'protected' access control entry flags stored in Windows ACLs into an extended attribute called user.SAMBA_PAI. This parameter only takes effect if Samba is being run on a platform that supports extended attributes (Linux and IRIX so far) and allows the Windows 2000 ACL editor to correctly use inheritance with the Samba POSIX ACL mapping code.

Default: map acl inherit = no

map archive (S)
This controls whether the DOS archive attribute should be mapped to the UNIX owner execute bit. The DOS archive bit is set when a file has been modified since its last backup. One motivation for turning this option off is to keep Samba (and your PC) from making every file it touches executable under UNIX, which can be quite annoying for shared source code, documents, etc.

Note that this requires the create mask parameter to be set such that owner execute bit is not masked out (i.e. it must include 100). See the parameter create mask for details.

Default: map archive = yes

map hidden (S)
This controls whether DOS style hidden files should be mapped to the UNIX world execute bit.

Note that this requires the create mask to be set such that the world execute bit is not masked out (i.e. it must include 001). See the parameter create mask for details.

No default

map system (S)
This controls whether DOS style system files should be mapped to the UNIX group execute bit.

Note that this requires the create mask to be set such that the group execute bit is not masked out (i.e. it must include 010). See the parameter create mask for details.

Default: map system = no
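
How the three map options, create mask and the inherit permissions parameter (described further up this page) combine into the mode of a new file or directory, as an added example in Python rather than Samba's code. It follows the text: execute bits encode DOS attributes, on the normal path create mask is ANDed in and force create mode ORed in, and with inherit permissions the parent's read/write bits replace both, the setuid bit never being inherited. dos_attribute_survives is the check the three "must include" notes above ask for. The default values of create mask, force create mode and directory mask used here are the ones smb.conf documents for those parameters.

```python
import stat

def new_file_mode(client_mode, dos_attrs, create_mask=0o744, force_create_mode=0o000,
                  map_archive=True, map_hidden=False, map_system=False,
                  inherit_permissions=False, parent_mode=None):
    """Model the UNIX mode smbd gives a file a client creates.

    client_mode: permission bits requested by the client (0o666 is typical)
    dos_attrs:   DOS attributes the client set, a subset of {"archive", "hidden", "system"}
    Execute bits never come from the client: each one encodes a DOS attribute when the
    matching map option is on (archive -> 0100, system -> 0010, hidden -> 0001).
    """
    if inherit_permissions:
        if parent_mode is None:
            raise ValueError("inherit permissions needs the parent directory's mode")
        # Read/write bits come from the parent directory; create mask and force
        # create mode are bypassed, and setuid/setgid are never copied onto a file.
        mode = parent_mode & 0o666
    else:
        mode = client_mode & 0o666
    if map_archive and "archive" in dos_attrs:
        mode |= stat.S_IXUSR
    if map_system and "system" in dos_attrs:
        mode |= stat.S_IXGRP
    if map_hidden and "hidden" in dos_attrs:
        mode |= stat.S_IXOTH
    if not inherit_permissions:
        # Normal path: create mask is ANDed in, then force create mode is ORed in.
        mode = (mode & create_mask) | force_create_mode
    return mode

def new_directory_mode(client_mode, directory_mask=0o755, force_directory_mode=0o000,
                       inherit_permissions=False, parent_mode=None):
    """Same model for a new directory. With inherit permissions the whole parent
    mode is copied, setgid included, but the setuid bit is always stripped."""
    if inherit_permissions:
        if parent_mode is None:
            raise ValueError("inherit permissions needs the parent directory's mode")
        return parent_mode & ~stat.S_ISUID
    return (client_mode & directory_mask) | force_directory_mode

def dos_attribute_survives(attr, create_mask):
    """The check the map archive/hidden/system notes ask for: the execute bit that
    encodes 'attr' must not be masked out by create mask, or the attribute is lost."""
    bit = {"archive": stat.S_IXUSR, "system": stat.S_IXGRP, "hidden": stat.S_IXOTH}[attr]
    return bool(create_mask & bit)
```

The failure mode worth noting is silent: with create mask = 0644 a client that sets the archive attribute gets a 0644 file back and the attribute simply vanishes on the next directory listing, while a setgid parent under inherit permissions hands its group-write bit to every new file, which is exactly the behaviour wanted for a shared [homes] tree but not for one that is meant to be private.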

map to guest (G)
This parameter is only useful in security modes other than security = share - i.e. user, server, and domain.

This parameter can take three different values, which tell smbd(8) what to do with user login requests that don't match a valid UNIX user in some way.

The three settings are :

*
Never - Means user login requests with an invalid password are rejected. This is the default.
*
Bad User - Means user logins with an invalid password are rejected, unless the username does not exist, in which case it is treated as a guest login and mapped into the guest account.
*
Bad Password - Means user logins with an invalid password are treated as a guest login and mapped into the guest account. Note that this can cause problems as it means that any user incorrectly typing their password will be silently logged on as "guest" - and will not know the reason they cannot access files they think they should - there will have been no message given to them that they got their password wrong. Helpdesk services will hate you if you set the map to guest parameter this way :-).
Note that this parameter is needed to set up "Guest" share services when using security modes other than share. This is because in these modes the name of the resource being requested is not sent to the server until after the server has successfully authenticated the client so the server cannot make authentication decisions at the correct time (connection to the share) for "Guest" shares.

For people familiar with the older Samba releases, this parameter maps to the old compile-time setting of the GUEST_SESSSETUP value in local.h.

Default: map to guest = Never

Example: map to guest = Bad User

max connections (S)
This option allows the number of simultaneous connections to a service to be limited. If max connections is greater than 0 then connections will be refused if this number of connections to the service are already open. A value of zero means an unlimited number of connections may be made.

Record lock files are used to implement this feature. The lock files will be stored in the directory specified by the lock directory option.

Default: max connections = 0

Example: max connections = 10

max disk size (G)
This option allows you to put an upper limit on the apparent size of disks. If you set this option to 100 then all shares will appear to be not larger than 100 MB in size.

Note that this option does not limit the amount of data you can put on the disk. In the above case you could still store much more than 100 MB on the disk, but if a client ever asks for the amount of free disk space or the total disk size then the result will be bounded by the amount specified in max disk size.

This option is primarily useful to work around bugs in some pieces of software that can't handle very large disks, particularly disks over 1GB in size.

A max disk size of 0 means no limit.

Default: max disk size = 0

Example: max disk size = 1000

max log size (G)
This option (an integer in kilobytes) specifies the max size the log file should grow to. Samba periodically checks the size and if it is exceeded it will rename the file, adding a .old extension.

A size of 0 means no limit.

Default: max log size = 5000

Example: max log size = 1000

max mux (G)
This option controls the maximum number of outstanding simultaneous SMB operations that Samba tells the client it will allow. You should never need to set this parameter.

Default: max mux = 50

max open files (G)
This parameter limits the maximum number of open files that one smbd(8) file serving process may have open for a client at any one time. The default for this parameter is set very high (10,000) as Samba uses only one bit per unopened file.

The limit of the number of open files is usually set by the UNIX per-process file descriptor limit rather than this parameter so you should never need to touch this parameter.

Default: max open files = 10000

max print jobs (S)
This parameter limits the maximum number of jobs allowable in a Samba printer queue at any given moment. If this number is exceeded, smbd(8) will report "Out of Space" to the client.

Default: max print jobs = 1000

Example: max print jobs = 5000

protocol
This parameter is a synonym for max protocol.
max protocol (G)
The value of the parameter (a string) is the highest protocol level that will be supported by the server.

Possible values are :

*
CORE: Earliest version. No concept of user names.
*
COREPLUS: Slight improvements on CORE for efficiency.
*
LANMAN1: First modern version of the protocol. Long filename support.
*
LANMAN2: Updates to Lanman1 protocol.
*
NT1: Current up to date version of the protocol. Used by Windows NT. Known as CIFS.
Normally this option should not be set as the automatic negotiation phase in the SMB protocol takes care of choosing the appropriate protocol.

Default: max protocol = NT1

Example: max protocol = LANMAN1

max reported print jobs (S)
This parameter limits the maximum number of jobs displayed in a port monitor for Samba printer queue at any given moment. If this number is exceeded, the excess jobs will not be shown. A value of zero means there is no limit on the number of print jobs reported.

Default: max reported print jobs = 0

Example: max reported print jobs = 1000

max smbd processes (G)
This parameter limits the maximum number of smbd(8) processes concurrently running on a system and is intended as a stopgap to prevent degrading service to clients in the event that the server has insufficient resources to handle more than this number of connections. Remember that under normal operating conditions, each user will have an smbd(8) associated with him or her to handle connections to all shares from a given host.

Default: max smbd processes = 0

Example: max smbd processes = 1000

max ttl (G)
This option tells nmbd(8) what the default 'time to live' of NetBIOS names should be (in seconds) when nmbd is requesting a name using either a broadcast packet or from a WINS server. You should never need to change this parameter. The default is 3 days.

Default: max ttl = 259200

max wins ttl (G)
This option tells smbd(8) when acting as a WINS server (wins support = yes) what the maximum 'time to live' of NetBIOS names that nmbd will grant will be (in seconds). You should never need to change this parameter. The default is 6 days (518400 seconds).

Default: max wins ttl = 518400

max xmit (G)
This option controls the maximum packet size that will be negotiated by Samba. The default is 65535, which is the maximum. In some cases you may find you get better performance with a smaller value. A value below 2048 is likely to cause problems.

Default: max xmit = 65535

Example: max xmit = 8192

message command (G)
This specifies what command to run when the server receives a WinPopup style message.

This would normally be a command that would deliver the message somehow. How this is to be done is up to your imagination.

An example is:

message command = csh -c 'xedit %s;rm %s' &

This delivers the message using xedit, then removes it afterwards. NOTE THAT IT IS VERY IMPORTANT THAT THIS COMMAND RETURN IMMEDIATELY. That's why I have the '&' on the end. If it doesn't return immediately then your PCs may freeze when sending messages (they should recover after 30 seconds, hopefully).

All messages are delivered as the global guest user. The command takes the standard substitutions, although %u won't work (%U may be better in this case).

Apart from the standard substitutions, some additional ones apply. In particular:

*
%s = the filename containing the message.
*
%t = the destination that the message was sent to (probably the server name).
*
%f = who the message is from.
You could make this command send mail, or whatever else takes your fancy. Please let us know of any really interesting ideas you have.

Here's a way of sending the messages as mail to root:

message command = /bin/mail -s 'message from %f on %m' root < %s; rm %s

If you don't have a message command then the message won't be delivered and Samba will tell the sender there was an error. Unfortunately WfWg totally ignores the error code and carries on regardless, saying that the message was delivered.

If you want to silently delete it then try:

message command = rm %s

Default: message command =

Example: message command = csh -c 'xedit %s; rm %s' &

min passwd length
This parameter is a synonym for min password length.
min password length (G)
This option sets the minimum length in characters of a plaintext password that smbd will accept when performing UNIX password changing.

Default: min password length = 5

min print space (S)
This sets the minimum amount of free disk space that must be available before a user will be able to spool a print job. It is specified in kilobytes. The default is 0, which means a user can always spool a print job.

Default: min print space = 0

Example: min print space = 2000

min protocol (G)
The value of the parameter (a string) is the lowest SMB protocol dialect that Samba will support. Please refer to the max protocol parameter for a list of valid protocol names and a brief description of each. You may also wish to refer to the C source code in source/smbd/negprot.c for a listing of known protocol dialects supported by clients.

If you are viewing this parameter as a security measure, you should also refer to the lanman auth parameter. Otherwise, you should never need to change this parameter.

Default: min protocol = CORE

Example: min protocol = NT1

min wins ttl (G)
This option tells nmbd(8) when acting as a WINS server (wins support = yes) what the minimum 'time to live' of NetBIOS names that nmbd will grant will be (in seconds). You should never need to change this parameter. The default is 6 hours (21600 seconds).

Default: min wins ttl = 21600

msdfs proxy (S)
This parameter indicates that the share is a stand-in for another CIFS share whose location is specified by the value of the parameter. When clients attempt to connect to this share, they are redirected to the proxied share using the SMB-Dfs protocol.

Only Dfs roots can act as proxy shares. Take a look at the msdfs root and host msdfs options to find out how to set up a Dfs root share.

No default

Example: msdfs proxy = \otherserver\someshare

msdfs root (S)
If set to yes, Samba treats the share as a Dfs root and allows clients to browse the distributed file system tree rooted at the share directory. Dfs links are specified in the share directory by symbolic links of the form msdfs:serverA\\shareA,serverB\\shareB and so on. For more information on setting up a Dfs tree on Samba, refer to ???.

Default: msdfs root = no

name cache timeout (G)
Specifies the number of seconds it takes before entries in samba's hostname resolve cache time out. If the timeout is set to 0, the caching is disabled.

Default: name cache timeout = 660

Example: name cache timeout = 0

name resolve order (G)
This option is used by the programs in the Samba suite to determine what naming services to use and in what order to resolve host names to IP addresses. Its main purpose is to control how netbios name resolution is performed. The option takes a space separated string of name resolution options.

The options are: "lmhosts", "host", "wins" and "bcast". They cause names to be resolved as follows:

*
lmhosts : Lookup an IP address in the Samba lmhosts file. If the line in lmhosts has no name type attached to the NetBIOS name (see the lmhosts(5) for details) then any name type matches for lookup.
*
host : Do a standard host name to IP address resolution, using the system /etc/hosts, NIS, or DNS lookups. This method of name resolution is operating system dependent; for instance, on IRIX or Solaris this may be controlled by the /etc/nsswitch.conf file. Note that this method is used only if the NetBIOS name type being queried is the 0x20 (server) name type or 0x1c (domain controllers). The latter case is only useful for active directory domains and results in a DNS query for the SRV RR entry matching _ldap._tcp.domain.
*
wins : Query a name with the IP address listed in the wins server parameter. If no WINS server has been specified this method will be ignored.
*
bcast : Do a broadcast on each of the known local interfaces listed in the interfaces parameter. This is the least reliable of the name resolution methods as it depends on the target host being on a locally connected subnet.
The example below will cause the local lmhosts file to be examined first, followed by a broadcast attempt, followed by a normal system hostname lookup.

When Samba is functioning in ADS security mode (security = ads) it is advised to use the following setting for name resolve order:

name resolve order = wins bcast

DC lookups will still be done via DNS, but fallbacks to netbios names will not inundate your DNS servers with needless queries for DOMAIN<0x1c> lookups.

Default: name resolve order = lmhosts host wins bcast

Example: name resolve order = lmhosts bcast host

netbios aliases (G)
This is a list of NetBIOS names that nmbd will advertise as additional names by which the Samba server is known. This allows one machine to appear in browse lists under multiple names. If a machine is acting as a browse server or logon server none of these names will be advertised as either browse server or logon servers, only the primary name of the machine will be advertised with these capabilities.

Default: netbios aliases = # empty string (no additional names)

Example: netbios aliases = TEST TEST1 TEST2

netbios name (G)
This sets the NetBIOS name by which a Samba server is known. By default it is the same as the first component of the host's DNS name. If a machine is a browse server or logon server this name (or the first component of the hosts DNS name) will be the name that these services are advertised under.

Default: netbios name = # machine DNS name

Example: netbios name = MYNAME

netbios scope (G)
This sets the NetBIOS scope that Samba will operate under. This should not be set unless every machine on your LAN also sets this value.

Default: netbios scope =

nis homedir (G)
Get the home share server from a NIS map. For UNIX systems that use an automounter, the user's home directory will often be mounted on a workstation on demand from a remote server.

When the Samba logon server is not the actual home directory server, but is mounting the home directories via NFS then two network hops would be required to access the users home directory if the logon server told the client to use itself as the SMB server for home directories (one over SMB and one over NFS). This can be very slow.

This option allows Samba to return the home share as being on a different server to the logon server and as long as a Samba daemon is running on the home directory server, it will be mounted on the Samba client directly from the directory server. When Samba is returning the home share to the client, it will consult the NIS map specified in homedir map and return the server listed there.

Note that for this option to work there must be a working NIS system and the Samba server with this option must also be a logon server.

Default: nis homedir = no

nt acl support (S)
This boolean parameter controls whether smbd(8) will attempt to map UNIX permissions into Windows NT access control lists. This parameter was formerly a global parameter in releases prior to 2.2.2.

Default: nt acl support = yes

ntlm auth (G)
This parameter determines whether or not smbd(8) will attempt to authenticate users using the NTLM encrypted password response. If disabled, either the lanman password hash or an NTLMv2 response will need to be sent by the client.

If this option and lanman auth are both disabled, then only NTLMv2 logins will be permitted. Not all clients support NTLMv2, and most will require special configuration to use it.

Default: ntlm auth = yes

nt pipe support (G)
This boolean parameter controls whether smbd(8) will allow Windows NT clients to connect to the NT SMB specific IPC$ pipes. This is a developer debugging option and can be left alone.

Default: nt pipe support = yes

nt status support (G)
This boolean parameter controls whether smbd(8) will negotiate NT specific status support with Windows NT/2k/XP clients. This is a developer debugging option and should be left alone. If this option is set to no then Samba offers exactly the same DOS error codes that versions prior to Samba 2.2.3 reported.

You should not need to ever disable this parameter.

Default: nt status support = yes

null passwords (G)
Allow or disallow client access to accounts that have null passwords.

See also smbpasswd(5).

Default: null passwords = no

obey pam restrictions (G)
When Samba 3.0 is configured to enable PAM support (i.e. --with-pam), this parameter will control whether or not Samba should obey PAM's account and session management directives. The default behavior is to use PAM for clear text authentication only and to ignore any account or session management. Note that Samba always ignores PAM for authentication in the case of encrypt passwords = yes. The reason is that PAM modules cannot support the challenge/response authentication mechanism needed in the presence of SMB password encryption.

Default: obey pam restrictions = no

only user (S)
This is a boolean option that controls whether connections with usernames not in the user list will be allowed. By default this option is disabled so that a client can supply a username to be used by the server. Enabling this parameter will force the server to only use the login names from the user list and is only really useful in share level security.

Note that this also means Samba won't try to deduce usernames from the service name. This can be annoying for the [homes] section. To get around this you could use user = %S which means your user list will be just the service name, which for home directories is the name of the user.

Default: only user = no

oplock break wait time (G)
This is a tuning parameter added due to bugs in both Windows 9x and WinNT. If Samba responds to a client too quickly when that client issues an SMB that can cause an oplock break request, then the network client can fail and not respond to the break request. This tuning parameter (which is set in milliseconds) is the amount of time Samba will wait before sending an oplock break request to such (broken) clients.

Warning

DO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ AND UNDERSTOOD THE SAMBA OPLOCK CODE.

Default: oplock break wait time = 0

oplock contention limit (S)
This is a very advanced smbd(8) tuning option to improve the efficiency of the granting of oplocks under multiple client contention for the same file.

In brief it specifies a number, which causes smbd(8) not to grant an oplock even when requested if the approximate number of clients contending for an oplock on the same file goes over this limit. This causes smbd to behave in a similar way to Windows NT.

Warning

DO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ AND UNDERSTOOD THE SAMBA OPLOCK CODE.

Default: oplock contention limit = 2

oplocks (S)
This boolean option tells smbd whether to issue oplocks (opportunistic locks) to file open requests on this share. The oplock code can dramatically (approx. 30% or more) improve the speed of access to files on Samba servers. It allows the clients to aggressively cache files locally and you may want to disable this option for unreliable network environments (it is turned on by default in Windows NT Servers). For more information see the file Speed.txt in the Samba docs/ directory.

Oplocks may be selectively turned off on certain files within a share. See the veto oplock files parameter. On some systems oplocks are recognized by the underlying operating system. This allows data synchronization between all access to oplocked files, whether it be via Samba or NFS or a local UNIX process. See the kernel oplocks parameter for details.

Default: oplocks = yes

os2 driver map (G)
The parameter is used to define the absolute path to a file containing a mapping of Windows NT printer driver names to OS/2 printer driver names. The format is:

<nt driver name> = <os2 driver name>.<device name>

For example, a valid entry using the HP LaserJet 5 printer driver would appear as HP LaserJet 5L = LASERJET.HP LaserJet 5L.

The need for the file is due to the printer driver namespace problem described in ???. For more details on OS/2 clients, please refer to ???.

Default: os2 driver map =

os level (G)
This integer value controls what level Samba advertises itself as for browse elections. The value of this parameter determines whether nmbd(8) has a chance of becoming a local master browser for the WORKGROUP in the local broadcast area.

Note: By default, Samba will win a local master browsing election over all Microsoft operating systems except a Windows NT 4.0/2000 Domain Controller. This means that a misconfigured Samba host can effectively isolate a subnet for browsing purposes. See BROWSING.txt in the Samba docs/ directory for details.

Default: os level = 20

Example: os level = 65

pam password change (G)
With the addition of better PAM support in Samba 2.2, this parameter makes it possible to use PAM's password change control flag for Samba. If enabled, then PAM will be used for password changes when requested by an SMB client instead of the program listed in passwd program. It should be possible to enable this without changing your passwd chat parameter for most setups.

Default: pam password change = no

panic action (G)
This is a Samba developer option that allows a system command to be called when either smbd(8) or nmbd(8) crashes. This is usually used to draw attention to the fact that a problem occurred.

Default: panic action =

Example: panic action = "/bin/sleep 90000"

paranoid server security (G)
Some versions of NT 4.x allow non-guest users with a bad password. When this option is enabled, samba will not use a broken NT 4.x server as password server, but instead complain to the logs and exit.

Disabling this option prevents Samba from making this check, which involves deliberately attempting a bad logon to the remote server.

Default: paranoid server security = yes

passdb backend (G)
This option allows the administrator to choose which backends to retrieve and store passwords with. This allows (for example) both smbpasswd and tdbsam to be used without a recompile. Multiple backends can be specified, separated by spaces. The backends will be searched in the order they are specified. New users are always added to the first backend specified.

This parameter is in two parts, the backend's name, and a 'location' string that has meaning only to that particular backend. These are separated by a : character.

Available backends can include:

*
smbpasswd - The default smbpasswd backend. Takes a path to the smbpasswd file as an optional argument.
*
tdbsam - The TDB based password storage backend. Takes a path to the TDB as an optional argument (defaults to passdb.tdb in the private dir directory).
*
ldapsam - The LDAP based passdb backend. Takes an LDAP URL as an optional argument (defaults to ldap://localhost)

LDAP connections should be secured where possible. This may be done using either Start-TLS (see ldap ssl) or by specifying ldaps:// in the URL argument.

Multiple servers may also be specified in double-quotes, if your LDAP libraries supports the LDAP URL notation. (OpenLDAP does).

*
nisplussam - The NIS+ based passdb backend. Takes name NIS domain as an optional argument. Only works with sun NIS+ servers.
*
mysql - The MySQL based passdb backend. Takes an identifier as argument. Read the Samba HOWTO Collection for configuration details.

Default: passdb backend = smbpasswd

Example: passdb backend = tdbsam:/etc/samba/private/passdb.tdb smbpasswd:/etc/samba/smbpasswd

Example: passdb backend = ldapsam:ldaps://ldap.example.com

Example: passdb backend = ldapsam:"ldap://ldap-1.example.com ldap://ldap-2.example.com"

Example: passdb backend = mysql:my_plugin_args tdbsam

passwd chat (G)
This string controls the "chat" conversation that takes places between smbd(8) and the local password changing program to change the user's password. The string describes a sequence of response-receive pairs that smbd(8) uses to determine what to send to the passwd program and what to expect back. If the expected output is not received then the password is not changed.

This chat sequence is often quite site specific, depending on what local methods are used for password control (such as NIS etc).

Note that this parameter is only used if the unix password sync parameter is set to yes. This sequence is then called AS ROOT when the SMB password in the smbpasswd file is being changed, without access to the old password cleartext. This means that root must be able to reset the user's password without knowing the text of the previous password. In the presence of NIS/YP, this means that the passwd program must be executed on the NIS master.

The string can contain the macro %n which is substituted for the new password. The chat sequence can also contain the standard macros \\n, \\r, \\t and \\s to give line-feed, carriage-return, tab and space. The chat sequence string can also contain a '*' which matches any sequence of characters. Double quotes can be used to collect strings with spaces in them into a single string.

If the send string in any part of the chat sequence is a full stop ".", then no string is sent. Similarly, if the expect string is a full stop then no string is expected.

If the pam password change parameter is set to yes, the chat pairs may be matched in any order, and success is determined by the PAM result, not any particular output. The \n macro is ignored for PAM conversions.

Default: passwd chat = *new*password* %n\\n*new*password* %n\\n *changed*

Example: passwd chat = "*Enter OLD password*" %o\\n "*Enter NEW password*" %n\\n "*Reenter NEW password*" %n\\n "*Password changed*"

passwd chat debug (G)
This boolean specifies if the passwd chat script parameter is run in debug mode. In this mode the strings passed to and received from the passwd chat are printed in the smbd(8) log with a debug level of 100. This is a dangerous option as it will allow plaintext passwords to be seen in the smbd log. It is available to help Samba admins debug their passwd chat scripts when calling the passwd program and should be turned off after this has been done. This option has no effect if the pam password change parameter is set. This parameter is off by default.

Default: passwd chat debug = no

passwd chat timeout (G)
This integer specifies the number of seconds smbd will wait for an initial answer from a passwd chat script being run. Once the initial answer is received the subsequent answers must be received in one tenth of this time. The default is two seconds.

Default: passwd chat timeout = 2

passwd program (G)
The name of a program that can be used to set UNIX user passwords. Any occurrences of %u will be replaced with the user name. The user name is checked for existence before calling the password changing program.

Also note that many passwd programs insist on reasonable passwords, such as a minimum length, or the inclusion of mixed case chars and digits. This can pose a problem as some clients (such as Windows for Workgroups) uppercase the password before sending it.

Note that if the unix password sync parameter is set to yes then this program is called AS ROOT before the SMB password in the smbpasswd file is changed. If this UNIX password change fails, then smbd will fail to change the SMB password also (this is by design).

If the unix password sync parameter is set this parameter MUST USE ABSOLUTE PATHS for ALL programs called, and must be examined for security implications. Note that by default unix password sync is set to no.

Default: passwd program =

Example: passwd program = /bin/passwd %u

password level (G)
Some client/server combinations have difficulty with mixed-case passwords. One offending client is Windows for Workgroups, which for some reason forces passwords to upper case when using the LANMAN1 protocol, but leaves them alone when using COREPLUS! Another problem child is the Windows 95/98 family of operating systems. These clients upper case clear text passwords even when NT LM 0.12 is selected by the protocol negotiation request/response.

This parameter defines the maximum number of characters that may be upper case in passwords.

For example, say the password given was "FRED". If password level is set to 1, the following combinations would be tried if "FRED" failed:

"Fred", "fred", "fRed", "frEd","freD"

If password level was set to 2, the following combinations would also be tried:

"FRed", "FrEd", "FreD", "fREd", "fReD", "frED", ..

And so on.

The higher value this parameter is set to the more likely it is that a mixed case password will be matched against a single case password. However, you should be aware that use of this parameter reduces security and increases the time taken to process a new connection.

A value of zero will cause only two attempts to be made - the password as is and the password in all-lower case.

This parameter is used only when using plain-text passwords. It is not used at all when encrypted passwords are in use (that is the default since samba-3.0.0). Use this only when encrypt passwords = No.

Default: password level = 0

Example: password level = 4
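
An added example (not Samba's own code) that reproduces the candidate generation described above for a given password level: the password as typed, its all-lowercase form, then the lowercase form with every combination of up to `level` letters upper-cased. Counting the candidates shows why a higher level both weakens the check (more strings are accepted for one stored password) and slows down connection setup; the assumption that non-letter positions are skipped, and the `check` callback standing in for the real password comparison, are this example's own.

```python
from itertools import combinations
from typing import Callable, List, Optional, Tuple


def password_level_candidates(password: str, level: int) -> List[str]:
    """Return the candidate passwords, in order, that the password level
    setting makes smbd try for a plain-text password.

    Order follows smb.conf(5): the password as given, the all-lowercase form,
    then every combination with exactly 1, 2, ..., `level` letters upper-cased.
    Duplicates (e.g. a password that is already lowercase) are tried once.
    Assumption: digits and punctuation have no case and are left alone."""
    lowered = password.lower()
    seen = set()
    candidates: List[str] = []

    def add(candidate: str) -> None:
        if candidate not in seen:
            seen.add(candidate)
            candidates.append(candidate)

    add(password)          # always tried first, as typed
    add(lowered)           # the second of the two attempts made at level 0

    # Positions whose character actually changes when upper-cased.
    letter_positions = [i for i, ch in enumerate(lowered) if ch.upper() != ch]
    for count in range(1, min(level, len(letter_positions)) + 1):
        for positions in combinations(letter_positions, count):
            chars = list(lowered)
            for i in positions:
                chars[i] = chars[i].upper()
            add("".join(chars))
    return candidates


def try_login(typed: str, level: int,
              check: Callable[[str], bool]) -> Tuple[Optional[str], int]:
    """Walk the candidates until `check` accepts one (a stand-in for the real
    password comparison).  Returns the accepted candidate (or None) and the
    number of comparisons spent, i.e. the per-connection cost of the setting."""
    attempts = 0
    for candidate in password_level_candidates(typed, level):
        attempts += 1
        if check(candidate):
            return candidate, attempts
    return None, attempts


if __name__ == "__main__":
    # Constructed stored password: the client types it as "FRED" (upper-cased).
    stored = "FrEd"
    for level in (0, 1, 2, 4):
        matched, cost = try_login("FRED", level, lambda c: c == stored)
        print(f"password level = {level}: "
              f"{len(password_level_candidates('FRED', level))} candidates, "
              f"matched={matched!r} after {cost} comparisons")
```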

password server (G)
By specifying the name of another SMB server or Active Directory domain controller with this option, and using security = [ads|domain|server] it is possible to get Samba to do all its username/password validation using a specific remote server.

This option sets the name or IP address of the password server to use. New syntax has been added to support defining the port to use when connecting to the server in the case of an ADS realm. To define a port other than the default LDAP port of 389, add the port number using a colon after the name or IP address (e.g. 192.168.1.100:389). If you do not specify a port, Samba will use the standard LDAP port of tcp/389. Note that port numbers have no effect on password servers for Windows NT 4.0 domains or netbios connections.

If the parameter is a name, it is looked up using the parameter name resolve order and so may be resolved by any method and order described in that parameter.

The password server must be a machine capable of using the "LM1.2X002" or the "NT LM 0.12" protocol, and it must be in user level security mode.

Note

Using a password server means your UNIX box (running Samba) is only as secure as your password server. DO NOT CHOOSE A PASSWORD SERVER THAT YOU DON'T COMPLETELY TRUST.

Never point a Samba server at itself for password serving. This will cause a loop and could lock up your Samba server!

The name of the password server takes the standard substitutions, but probably the only useful one is %m, which means the Samba server will use the incoming client as the password server. If you use this then you better trust your clients, and you had better restrict them with hosts allow!

If the security parameter is set to domain or ads, then the list of machines in this option must be a list of Primary or Backup Domain controllers for the Domain or the character '*', as the Samba server is effectively in that domain, and will use cryptographically authenticated RPC calls to authenticate the user logging on. The advantage of using security = domain is that if you list several hosts in the password server option then smbd will try each in turn till it finds one that responds. This is useful in case your primary server goes down.

If the password server option is set to the character '*', then Samba will attempt to auto-locate the Primary or Backup Domain controllers to authenticate against by doing a query for the name WORKGROUP<1C> and then contacting each server returned in the list of IP addresses from the name resolution source.

If the list of servers contains both names/IP's and the '*' character, the list is treated as a list of preferred domain controllers, but an auto lookup of all remaining DC's will be added to the list as well. Samba will not attempt to optimize this list by locating the closest DC.

If the security parameter is set to server, then there are different restrictions that security = domain doesn't suffer from:

*
You may list several password servers in the password server parameter, however if an smbd makes a connection to a password server, and then the password server fails, no more users will be able to be authenticated from this smbd. This is a restriction of the SMB/CIFS protocol when in security = server mode and cannot be fixed in Samba.
*
If you are using a Windows NT server as your password server then you will have to ensure that your users are able to login from the Samba server, as when in security = server mode the network logon will appear to come from there rather than from the users workstation.

Default: password server =

Example: password server = NT-PDC, NT-BDC1, NT-BDC2, *

Example: password server = windc.mydomain.com:389 192.168.1.101 *

Example: password server = *

directory
This parameter is a synonym for path.
path (S)
This parameter specifies a directory to which the user of the service is to be given access. In the case of printable services, this is where print data will spool prior to being submitted to the host for printing.

For a printable service offering guest access, the service should be readonly and the path should be world-writeable and have the sticky bit set. This is not mandatory of course, but you probably won't get the results you expect if you do otherwise.

Any occurrences of %u in the path will be replaced with the UNIX username that the client is using on this connection. Any occurrences of %m will be replaced by the NetBIOS name of the machine they are connecting from. These replacements are very useful for setting up pseudo home directories for users.

Note that this path will be based on root dir if one was specified.

Default: path =

Example: path = /home/fred

pid directory (G)
This option specifies the directory where pid files will be placed.

Default: pid directory = ${prefix}/var/locks

Example: pid directory = /var/run/

posix locking (S)
The smbd(8) daemon maintains a database of file locks obtained by SMB clients. The default behavior is to map this internal database to POSIX locks. This means that file locks obtained by SMB clients are consistent with those seen by POSIX compliant applications accessing the files via a non-SMB method (e.g. NFS or local file access). You should never need to disable this parameter.

Default: posix locking = yes

postexec (S)
This option specifies a command to be run whenever the service is disconnected. It takes the usual substitutions. The command may be run as root on some systems.

An interesting example may be to unmount server resources:

postexec = /etc/umount /cdrom

Default: postexec =

Example: postexec = echo \"%u disconnected from %S from %m (%I)\" >> /tmp/log

exec
This parameter is a synonym for preexec.
preexec (S)
This option specifies a command to be run whenever the service is connected to. It takes the usual substitutions.

An interesting example is to send the users a welcome message every time they log in. Maybe a message of the day? Here is an example:

preexec = csh -c 'echo \"Welcome to %S!\" | /usr/local/samba/bin/smbclient -M %m -I %I' &

Of course, this could get annoying after a while :-)

See also preexec close and postexec .

Default: preexec =

Example: preexec = echo \"%u connected to %S from %m (%I)\" >> /tmp/log

preexec close (S)
This boolean option controls whether a non-zero return code from preexec should close the service being connected to.

Default: preexec close = no

prefered master
This parameter is a synonym for preferred master.
preferred master (G)
This boolean parameter controls if nmbd(8) is a preferred master browser for its workgroup.

If this is set to yes, on startup, nmbd will force an election, and it will have a slight advantage in winning the election. It is recommended that this parameter is used in conjunction with domain master = yes, so that nmbd can guarantee becoming a domain master.

Use this option with caution, because if there are several hosts (whether Samba servers, Windows 95 or NT) that are preferred master browsers on the same subnet, they will each periodically and continuously attempt to become the local master browser. This will result in unnecessary broadcast traffic and reduced browsing capabilities.

Default: preferred master = auto

auto services
This parameter is a synonym for preload.
preload (G)
This is a list of services that you want to be automatically added to the browse lists. This is most useful for homes and printers services that would otherwise not be visible.

Note that if you just want all printers in your printcap file loaded then the load printers option is easier.

Default: preload =

Example: preload = fred lp colorlp

preload modules (G)
This is a list of paths to modules that should be loaded into smbd before a client connects. This improves the speed of smbd when reacting to new connections somewhat.

Default: preload modules =

Example: preload modules = /usr/lib/samba/passdb/mysql.so

preserve case (S)
This controls if new filenames are created with the case that the client passes, or if they are forced to be the default case.

See the section on NAME MANGLING for a fuller discussion.

Default: preserve case = yes

print ok
This parameter is a synonym for printable.
printable (S)
If this parameter is yes, then clients may open, write to and submit spool files on the directory specified for the service.

Note that a printable service will ALWAYS allow writing to the service path (user privileges permitting) via the spooling of print data. The read only parameter controls only non-printing access to the resource.

Default: printable = no

printcap cache time (G)
This option specifies the number of seconds before the printing subsystem is again asked for the known printers. If the value is greater than 60 the initial waiting time is set to 60 seconds to allow an earlier first rescan of the printing subsystem.

Setting this parameter to 0 (the default) disables any rescanning for new or removed printers after the initial startup.

Default: printcap cache time = 0

Example: printcap cache time = 600

printcap
This parameter is a synonym for printcap name.
printcap name (S)
This parameter may be used to override the compiled-in default printcap name used by the server (usually /etc/printcap). See the discussion of the [printers] section above for reasons why you might want to do this.

To use the CUPS printing interface set printcap name = cups. This should be supplemented by an additional setting printing = cups in the [global] section. printcap name = cups will use the "dummy" printcap created by CUPS, as specified in your CUPS configuration file.

On System V systems that use lpstat to list available printers you can use printcap name = lpstat to automatically obtain lists of available printers. This is the default for systems that define SYSV at configure time in Samba (this includes most System V based systems). If printcap name is set to lpstat on these systems then Samba will launch lpstat -v and attempt to parse the output to obtain a printer list.

A minimal printcap file would look something like this:

print1|My Printer 1
print2|My Printer 2
print3|My Printer 3
print4|My Printer 4
print5|My Printer 5

where the '|' separates aliases of a printer. The fact that the second alias has a space in it gives a hint to Samba that it's a comment.

Note

Under AIX the default printcap name is /etc/qconfig. Samba will assume the file is in AIX qconfig format if the string qconfig appears in the printcap filename.

Default: printcap name = /etc/printcap

Example: printcap name = /etc/myprintcap

print command (S)
After a print job has finished spooling to a service, this command will be used via a system() call to process the spool file. Typically the command specified will submit the spool file to the host's printing subsystem, but there is no requirement that this be the case. The server will not remove the spool file, so whatever command you specify should remove the spool file when it has been processed, otherwise you will need to manually remove old spool files.

The print command is simply a text string. It will be used verbatim after macro substitutions have been made:

%s, %f - the path to the spool file name

%p - the appropriate printer name

%J - the job name as transmitted by the client.

%c - The number of printed pages of the spooled job (if known).

%z - the size of the spooled print job (in bytes)

The print command MUST contain at least one occurrence of %s or %f - the %p is optional. At the time a job is submitted, if no printer name is supplied the %p will be silently removed from the printer command.

If specified in the [global] section, the print command given will be used for any printable service that does not have its own print command specified.

If there is neither a specified print command for a printable service nor a global print command, spool files will be created but not processed and (most importantly) not removed.

Note that printing may fail on some UNIXes from the nobody account. If this happens then create an alternative guest account that can print and set the guest account in the [global] section.

You can form quite complex print commands by realizing that they are just passed to a shell. For example the following will log a print job, print the file, then remove it. Note that ';' is the usual separator for commands in shell scripts.

print command = echo Printing %s >> /tmp/print.log; lpr -P %p %s; rm %s

You may have to vary this command considerably depending on how you normally print files on your system. The default for the parameter varies depending on the setting of the printing parameter.

Default: For printing = BSD, AIX, QNX, LPRNG or PLP :

print command = lpr -r -P%p %s

For printing = SYSV or HPUX :

print command = lp -c -d%p %s; rm %s

For printing = SOFTQ :

print command = lp -d%p -s %s; rm %s

For printing = CUPS : If SAMBA is compiled against libcups, then printcap = cups uses the CUPS API to submit jobs, etc. Otherwise it maps to the System V commands with the -oraw option for printing, i.e. it uses lp -c -d%p -oraw; rm %s. With printing = cups, and if SAMBA is compiled against libcups, any manually set print command will be ignored.

No default

Example: print command = /usr/local/samba/bin/myprintscript %p %s

printer admin (S)
This is a list of users that can do anything to printers via the remote administration interfaces offered by MS-RPC (usually using a NT workstation). Note that the root user always has admin rights.

Default: printer admin =

Example: printer admin = admin, @staff

printer
This parameter is a synonym for printer name.
printer name (S)
This parameter specifies the name of the printer to which print jobs spooled through a printable service will be sent.

If specified in the [global] section, the printer name given will be used for any printable service that does not have its own printer name specified.

Default: printer name = # none (but may be lp on many systems)

Example: printer name = laserwriter

printing (S)
This parameter controls how printer status information is interpreted on your system. It also affects the default values for the print command, lpq command, lppause command, lpresume command, and lprm command if specified in the [global] section.

Currently nine printing styles are supported. They are BSD, AIX, LPRNG, PLP, SYSV, HPUX, QNX, SOFTQ, and CUPS.

To see what the defaults are for the other print commands when using the various options use the testparm(1) program.

This option can be set on a per printer basis

See also the discussion in the [printers] section.

No default

private dir (G)
This parameter defines the directory smbd will use for storing such files as smbpasswd and secrets.tdb.

Default: private dir = ${prefix}/private

profile acls (S)
This boolean parameter was added to fix the problems that people have been having with storing user profiles on Samba shares from Windows 2000 or Windows XP clients. Recent service packs for Windows 2000 and Windows XP check the owner of, and the write permission on, the profile directory when a profile stored on a Samba share is copied to the local workstation.

When not in domain mode with winbindd then the security info copied onto the local workstation has no meaning to the logged in user (SID) on that workstation so the profile storing fails. Adding this parameter onto a share used for profile storage changes two things about the returned Windows ACL. Firstly it changes the owner and group owner of all reported files and directories to be BUILTIN\Administrators, BUILTIN\Users respectively (SIDs S-1-5-32-544, S-1-5-32-545). Secondly it adds an ACE entry of "Full Control" to the SID BUILTIN\Users to every returned ACL. This will allow any Windows 2000 or XP workstation user to access the profile.

Note that if you have multiple users logging on to a workstation then in order to prevent them from being able to access each others profiles you must remove the "Bypass traverse checking" advanced user right. This will prevent access to other users profile directories as the top level profile directory (named after the user) is created by the workstation profile code and has an ACL restricting entry to the directory tree to the owning user.

Default: profile acls = no

queuepause command (S)
This parameter specifies the command to be executed on the server host in order to pause the printer queue.

This command should be a program or script which takes a printer name as its only parameter and stops the printer queue, such that no more jobs are submitted to the printer.

This command is not supported by Windows for Workgroups, but can be issued from the Printers window under Windows 95 and NT.

If a %p is given then the printer name is put in its place. Otherwise it is placed at the end of the command.

Note that it is good practice to include the absolute path in the command as the PATH may not be available to the server.

No default

Example: queuepause command = disable %p

queueresume command (S)
This parameter specifies the command to be executed on the server host in order to resume the printer queue. It is the command to undo the behavior that is caused by the previous parameter ( queuepause command).

This command should be a program or script which takes a printer name as its only parameter and resumes the printer queue, such that queued jobs are resubmitted to the printer.

This command is not supported by Windows for Workgroups, but can be issued from the Printers window under Windows 95 and NT.

If a %p is given then the printer name is put in its place. Otherwise it is placed at the end of the command.

Note that it is good practice to include the absolute path in the command as the PATH may not be available to the server.

Default: queueresume command =

Example: queueresume command = enable %p

read bmpx (G)
This boolean parameter controls whether smbd(8) will support the "Read Block Multiplex" SMB. This is now rarely used and defaults to no. You should never need to set this parameter.

Default: read bmpx = no

read list (S)
This is a list of users that are given read-only access to a service. If the connecting user is in this list then they will not be given write access, no matter what the read only option is set to. The list can include group names using the syntax described in the invalid users parameter.

Default: read list =

Example: read list = mary, @students

read only (S)
An inverted synonym is writeable.

If this parameter is yes, then users of a service may not create or modify files in the service's directory.

Note that a printable service (printable = yes) will ALWAYS allow writing to the directory (user privileges permitting), but only via spooling operations.

Default: read only = yes

read raw (G)
This parameter controls whether or not the server will support the raw read SMB requests when transferring data to clients.

If enabled, raw reads allow reads of 65535 bytes in one packet. This typically provides a major performance benefit.

However, some clients either negotiate the allowable block size incorrectly or are incapable of supporting larger block sizes, and for these clients you may need to disable raw reads.

In general this parameter should be viewed as a system tuning tool and left severely alone.

Default: read raw = yes

realm (G)
This option specifies the kerberos realm to use. The realm is used as the ADS equivalent of the NT4 domain. It is usually set to the DNS name of the kerberos server.

Default: realm =

Example: realm = mysambabox.mycompany.com

remote announce (G)
This option allows you to setup nmbd(8)to periodically announce itself to arbitrary IP addresses with an arbitrary workgroup name.

This is useful if you want your Samba server to appear in a remote workgroup for which the normal browse propagation rules don't work. The remote workgroup can be anywhere that you can send IP packets to.

For example:

remote announce = 192.168.2.255/SERVERS 192.168.4.255/STAFF

the above line would cause nmbd to announce itself to the two given IP addresses using the given workgroup names. If you leave out the workgroup name then the one given in the workgroup parameter is used instead.

The IP addresses you choose would normally be the broadcast addresses of the remote networks, but can also be the IP addresses of known browse masters if your network config is that stable.

Default: remote announce =

remote browse sync (G)
This option allows you to setup nmbd(8) to periodically request synchronization of browse lists with the master browser of a Samba server that is on a remote segment. This option will allow you to gain browse lists for multiple workgroups across routed networks. This is done in a manner that does not work with any non-Samba servers.

This is useful if you want your Samba server and all local clients to appear in a remote workgroup for which the normal browse propagation rules don't work. The remote workgroup can be anywhere that you can send IP packets to.

For example:

remote browse sync = 192.168.2.255 192.168.4.255

the above line would cause nmbd to request the master browser on the specified subnets or addresses to synchronize their browse lists with the local server.

The IP addresses you choose would normally be the broadcast addresses of the remote networks, but can also be the IP addresses of known browse masters if your network config is that stable. If a machine IP address is given Samba makes NO attempt to validate that the remote machine is available, is listening, nor that it is in fact the browse master on its segment.

Default: remote browse sync =

restrict anonymous (G)
The setting of this parameter determines whether user and group list information is returned for an anonymous connection, and mirrors the effects of the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous registry key in Windows 2000 and Windows NT. When set to 0, user and group list information is returned to anyone who asks. When set to 1, only an authenticated user can retrieve user and group list information. For the value 2, supported by Windows 2000/XP and Samba, no anonymous connections are allowed at all. This can break third party and Microsoft applications which expect to be allowed to perform operations anonymously.

The security advantage of using restrict anonymous = 1 is dubious, as user and group list information can be obtained using other means.

Note

The security advantage of using restrict anonymous = 2 is removed by setting guest ok = yes on any share.

Default: restrict anonymous = 0

root
This parameter is a synonym for root directory.
root dir
This parameter is a synonym for root directory.
root directory (G)
The server will chroot() (i.e. change its root directory) to this directory on startup. This is not strictly necessary for secure operation. Even without it the server will deny access to files not in one of the service entries. It may also check for, and deny access to, soft links to other parts of the filesystem, or attempts to use ".." in file names to access other directories (depending on the setting of the wide links parameter).

Adding a root directory entry other than "/" adds an extra level of security, but at a price. It absolutely ensures that no access is given to files not in the sub-tree specified in the root directory option, including some files needed for complete operation of the server. To maintain full operability of the server you will need to mirror some system files into the root directory tree. In particular you will need to mirror /etc/passwd (or a subset of it), and any binaries or configuration files needed for printing (if required). The set of files that must be mirrored is operating system dependent.

Default: root directory = /

Example: root directory = /homes/smb

root postexec (S)
This is the same as the postexec parameter except that the command is run as root. This is useful for unmounting filesystems (such as CDROMs) after a connection is closed.

Default: root postexec =

root preexec (S)
This is the same as the preexec parameter except that the command is run as root. This is useful for mounting filesystems (such as CDROMs) when a connection is opened.

Default: root preexec =

root preexec close (S)
This is the same as the preexec close parameter except that the command is run as root.

Default: root preexec close = no

security (G)
This option affects how clients respond to Samba and is one of the most important settings in the smb.conf file.

The option sets the "security mode bit" in replies to protocol negotiations with smbd(8) to turn share level security on or off. Clients decide based on this bit whether (and how) to transfer user and password information to the server.

The default is security = user, as this is the most common setting needed when talking to Windows 98 and Windows NT.

The alternatives are security = share, security = server or security = domain .

In versions of Samba prior to 2.0.0, the default was security = share mainly because that was the only option at one stage.

There is a bug in WfWg that has relevance to this setting. When in user or server level security a WfWg client will totally ignore the password you type in the "connect drive" dialog box. This makes it very difficult (if not impossible) to connect to a Samba service as anyone except the user that you are logged into WfWg as.

If your PCs use usernames that are the same as their usernames on the UNIX machine then you will want to use security = user. If you mostly use usernames that don't exist on the UNIX box then use security = share.

You should also use security = share if you want to mainly setup shares without a password (guest shares). This is commonly used for a shared printer server. It is more difficult to setup guest shares with security = user, see the map to guest parameter for details.

It is possible to use smbd in a hybrid mode where it offers both user and share level security under different NetBIOS aliases.

The different settings will now be explained.

SECURITY = SHARE

When clients connect to a share level security server they need not log onto the server with a valid username and password before attempting to connect to a shared resource (although modern clients such as Windows 95/98 and Windows NT will send a logon request with a username but no password when talking to a security = share server). Instead, the clients send authentication information (passwords) on a per-share basis, at the time they attempt to connect to that share.

Note that smbd ALWAYS uses a valid UNIX user to act on behalf of the client, even in security = share level security.

As clients are not required to send a username to the server in share level security, smbd uses several techniques to determine the correct UNIX user to use on behalf of the client.

A list of possible UNIX usernames to match with the given client password is constructed using the following methods :

*
If the guest only parameter is set, then all the other stages are missed and only the guest account username is checked.
*
If a username is sent with the share connection request, then this username (after mapping - see username map), is added as a potential username.
*
If the client did a previous logon request (the SessionSetup SMB call) then the username sent in this SMB will be added as a potential username.
*
The name of the service the client requested is added as a potential username.
*
The NetBIOS name of the client is added to the list as a potential username.
*
Any users on the user list are added as potential usernames.
If the guest only parameter is not set, this list is then tried with the supplied password. The first user for whom the password matches will be used as the UNIX user.

If the guest only parameter is set, or no username can be determined, then the guest account is used if the share is marked as available to guests; otherwise access is denied.

Note that it can be very confusing in share-level security as to which UNIX username will eventually be used in granting access.

See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION.

SECURITY = USER

This is the default security setting in Samba 3.0. With user-level security a client must first "log-on" with a valid username and password (which can be mapped using the username map parameter). Encrypted passwords (see the encrypted passwords parameter) can also be used in this security mode. Parameters such as user and guest only if set are then applied and may change the UNIX user to use on this connection, but only after the user has been successfully authenticated.

Note that the name of the resource being requested is not sent to the server until after the server has successfully authenticated the client. This is why guest shares don't work in user level security without allowing the server to automatically map unknown users into the guest account. See the map to guest parameter for details on doing this.

See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION.

SECURITY = DOMAIN

This mode will only work correctly if net(8) has been used to add this machine into a Windows NT Domain. It expects the encrypted passwords parameter to be set to yes. In this mode Samba will try to validate the username/password by passing it to a Windows NT Primary or Backup Domain Controller, in exactly the same way that a Windows NT Server would do.

Note that a valid UNIX user must still exist as well as the account on the Domain Controller to allow Samba to have a valid UNIX account to map file access to.

Note that from the client's point of view security = domain is the same as security = user. It only affects how the server deals with the authentication, it does not in any way affect what the client sees.

Note that the name of the resource being requested is not sent to the server until after the server has successfully authenticated the client. This is why guest shares don't work in user level security without allowing the server to automatically map unknown users into the guest account. See the map to guest parameter for details on doing this.

See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION.

See also the password server parameter and the encrypted passwords parameter.

SECURITY = SERVER

In this mode Samba will try to validate the username/password by passing it to another SMB server, such as an NT box. If this fails it will revert to security = user. It expects the encrypted passwords parameter to be set to yes, unless the remote server does not support them. However note that if encrypted passwords have been negotiated then Samba cannot revert back to checking the UNIX password file, it must have a valid smbpasswd file to check users against. See the chapter about the User Database in the Samba HOWTO Collection for details on how to set this up.

Note

This mode of operation has significant pitfalls, due to the fact that it actively initiates a man-in-the-middle attack on the remote SMB server. In particular, this mode of operation can cause significant resource consumption on the PDC, as it must maintain an active connection for the duration of the user's session. Furthermore, if this connection is lost, there is no way to re-establish it, and further authentications to the Samba server may fail (from a single client, until it disconnects).

Note

From the client's point of view security = server is the same as security = user. It only affects how the server deals with the authentication, it does not in any way affect what the client sees.

Note that the name of the resource being requested is not sent to the server until after the server has successfully authenticated the client. This is why guest shares don't work in user level security without allowing the server to automatically map unknown users into the guest account. See the map to guest parameter for details on doing this.

See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION.

See also the password server parameter and the encrypted passwords parameter.

SECURITY = ADS

In this mode, Samba will act as a domain member in an ADS realm. To operate in this mode, the machine running Samba will need to have Kerberos installed and configured and Samba will need to be joined to the ADS realm using the net utility.

Note that this mode does NOT make Samba operate as an Active Directory Domain Controller.

Read the chapter about Domain Membership in the HOWTO for details.

Default: security = USER

Example: security = DOMAIN

security mask (S)
This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating the UNIX permission on a file using the native NT security dialog box.

This parameter is applied as a mask (AND'ed with) to the changed permission bits, thus preventing any bits not in this mask from being modified. Essentially, zero bits in this mask may be treated as a set of bits the user is not allowed to change.

If not set explicitly this parameter is 0777, allowing a user to modify all the user/group/world permissions on a file.

Note that users who can access the Samba server through other means can easily bypass this restriction, so it is primarily useful for standalone "appliance" systems. Administrators of most normal systems will probably want to leave it set to 0777.

Default: security mask = 0777

Example: security mask = 0770

server schannel (G)
This controls whether the server offers or even demands the use of the netlogon schannel. server schannel = no does not offer the schannel, server schannel = auto offers the schannel but does not enforce it, and server schannel = yes denies access if the client is not able to speak netlogon schannel. The only clients unable to speak netlogon schannel are Windows NT4 before SP4.

Please note that with this set to no you will have to apply the WindowsXP requireSignOrSeal-Registry patch found in the docs/Registry subdirectory.

Default: server schannel = auto

Example: server schannel = yes

server signing (G)
This controls whether the server offers or requires the client it talks to to use SMB signing. Possible values are auto, mandatory and disabled.

When set to auto, SMB signing is offered, but not enforced. When set to mandatory, SMB signing is required and if set to disabled, SMB signing is not offered either.

Default: server signing = Disabled
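The warnings in the entries above (trusting every client when password server contains %m, the man-in-the-middle behaviour of security = server, restrict anonymous = 2 being undone by any guest share, and signing or schannel left off) can be checked mechanically against a configuration file. The following script is an added example and is not part of Samba or of this manual: it parses an smb.conf with awk, reads the relevant [global] options (last definition wins, as in smbd) and prints one line per weak setting. The two sample configurations it writes are constructed for the demonstration; backslash continuation lines are not joined, and the finding texts and the exit-status convention are the script's own.

```sh
#!/bin/sh
# Added example (not part of Samba): audit an smb.conf for the weak settings
# discussed under password server, restrict anonymous, security, server schannel
# and server signing. Assumes POSIX sh, awk, sed and grep; continuation lines
# ending in a backslash are not joined.

# Emit "section|key|value" for every option: section and key lowercased and
# trimmed, value lowercased and trimmed; comments and blank lines are dropped.
smbconf_kv() {  # file
    awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    /^[ \t]*[;#]/ { next }
    /^[ \t]*$/    { next }
    /^[ \t]*\[/   { s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s)
                    section = tolower(trim(s)); next }
    {
        eq = index($0, "=")
        if (eq == 0) next
        key = tolower(trim(substr($0, 1, eq - 1))); gsub(/[ \t]+/, " ", key)
        val = tolower(trim(substr($0, eq + 1)))
        print section "|" key "|" val
    }' "$1"
}

# Value of KEY in SECTION (the last definition wins, as in smbd); empty if unset.
smbconf_get() {  # file section key
    smbconf_kv "$1" | awk -F'|' -v s="$2" -v k="$3" '$1 == s && $2 == k { v = $3 } END { print v }'
}

# Names of shares that allow guest access ("public" is the synonym of "guest ok").
smbconf_guest_shares() {  # file
    smbconf_kv "$1" | awk -F'|' '$1 != "global" && ($2 == "guest ok" || $2 == "public") &&
                                 ($3 == "yes" || $3 == "true" || $3 == "1") { print $1 }'
}

# Print one finding per line; the exit status is the number of findings (0 = clean).
audit_smbconf() {  # file
    f=$1; n=0
    case "$(smbconf_get "$f" global security)" in
        server) printf '%s\n' "security = server: smbd replays each logon against another SMB server (an active man-in-the-middle); use domain or ads"; n=$((n + 1)) ;;
        share)  printf '%s\n' "security = share: the UNIX user granted access is hard to predict; use security = user"; n=$((n + 1)) ;;
    esac
    case "$(smbconf_get "$f" global "password server")" in
        *%m*) printf '%s\n' "password server contains %m: the connecting client is trusted to validate its own password"; n=$((n + 1)) ;;
    esac
    # Unset means the documented default, Disabled: signing is not even offered.
    case "$(smbconf_get "$f" global "server signing")" in
        ''|disabled) printf '%s\n' "server signing is disabled: set server signing = mandatory"; n=$((n + 1)) ;;
    esac
    if [ "$(smbconf_get "$f" global "server schannel")" = no ]; then
        printf '%s\n' "server schannel = no: netlogon schannel is never offered; set yes (only NT4 before SP4 cannot speak it)"; n=$((n + 1))
    fi
    # The note under restrict anonymous: level 2 is undone by any guest share.
    if [ "$(smbconf_get "$f" global "restrict anonymous")" = 2 ]; then
        gs=$(smbconf_guest_shares "$f")
        if [ -n "$gs" ]; then
            printf '%s\n' "$gs" | sed 's/^/restrict anonymous = 2 is undone by guest ok = yes on share [/; s/$/]/'
            n=$((n + $(printf '%s\n' "$gs" | grep -c '')))
        fi
    fi
    return "$n"
}

# Constructed sample configurations for trying the audit offline.
write_weak_conf() {  # path
    cat > "$1" <<'EOF'
; constructed sample: every setting this audit flags
[global]
    workgroup = EXAMPLE
    security = server
    password server = %m
    server signing = disabled
    server schannel = no
    restrict anonymous = 2
[public]
    path = /srv/public
    guest ok = yes
[scratch]
    path = /srv/scratch
    public = yes
EOF
}

write_hardened_conf() {  # path
    cat > "$1" <<'EOF'
; constructed sample: the same server as a domain member, signing required
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.COM
    security = ads
    server signing = mandatory
    server schannel = yes
    restrict anonymous = 2
[homes]
    read only = no
    browseable = no
EOF
}

if [ $# -gt 0 ]; then
    audit_smbconf "$1"; exit $?
fi
tmp=$(mktemp); write_weak_conf "$tmp"; audit_smbconf "$tmp"; rm -f "$tmp"
```

Run it as ./smbconf_audit.sh /etc/samba/smb.conf; with no argument it audits the constructed weak sample and prints six findings. Running testparm(1) first ensures the file parses the way smbd reads it.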

server string (G)
This controls what string will show up in the printer comment box in print manager and next to the IPC connection in net view. It can be any string that you wish to show to your users.

It also sets what will appear in browse lists next to the machine name.

A %v will be replaced with the Samba version number.

A %h will be replaced with the hostname.

Default: server string = Samba %v

Example: server string = University of GNUs Samba Server

set directory (S)
If set directory = no, then users of the service may not use the setdir command to change directory.

The setdir command is only implemented in the Digital Pathworks client. See the Pathworks documentation for details.

Default: set directory = no

set primary group script (G)
Thanks to the POSIX subsystem in NT, a Windows user has a primary group in addition to the auxiliary groups. This script sets the primary group in the UNIX user database when an administrator sets the primary group from the Windows user manager or when fetching a SAM with net rpc vampire. %u will be replaced with the user whose primary group is to be set. %g will be replaced with the group to set.

Default: set primary group script =

Example: set primary group script = /usr/sbin/usermod -g '%g' '%u'

set quota command (G)
The set quota command should only be used whenever there is no operating system API available from the OS that samba can use.

This option is only available if Samba was configured with the argument --with-sys-quotas or on linux when ./configure --with-quotas was used and a working quota api was found in the system. Most packages are configured with these options already.

This parameter should specify the path to a script that can set quota for the specified arguments.

The specified script should take the following arguments:

  1 - quota type
        1 - user quotas
        2 - user default quotas (uid = -1)
        3 - group quotas
        4 - group default quotas (gid = -1)
  2 - id (uid for user, gid for group, -1 if N/A)
  3 - quota state (0 = disable, 1 = enable, 2 = enable and enforce)
  4 - block softlimit
  5 - block hardlimit
  6 - inode softlimit
  7 - inode hardlimit
  8 (optional) - block size, defaults to 1024

The script should output at least one line of data on success, and nothing on failure.

Default: set quota command =

Example: set quota command = /usr/local/sbin/set_quota
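As an added example (not Samba's code and not a script shipped with Samba), the following Python wrapper implements the argument convention above: it validates the positional arguments Samba passes, rescales the block limits to 1 KiB units using the optional eighth argument, honours the output contract (one line on stdout on success, nothing on failure) and builds a setquota(8) command line as a dry run instead of executing it. The mapping onto setquota's -u/-g switches and -a (all filesystems), and the refusal of default quotas (types 2 and 4) because Linux setquota has no per-user default quota, are assumptions about the target system, not something this page specifies.

```python
#!/usr/bin/env python3
"""Dry-run wrapper for Samba's "set quota command" argument convention.

Added example for illustration; not part of Samba. Samba invokes the script
as:  <script> type id state bsoft bhard isoft ihard [blocksize]
and expects at least one line on stdout on success, nothing on failure.
"""
import sys

# Quota types, as numbered in the smb.conf description.
USER_QUOTA, USER_DEFAULT, GROUP_QUOTA, GROUP_DEFAULT = 1, 2, 3, 4
# Quota states: 0 = disable, 1 = enable, 2 = enable and enforce.
VALID_STATES = (0, 1, 2)


def parse_args(argv):
    """Validate Samba's positional arguments; raise ValueError on bad input."""
    if len(argv) not in (7, 8):
        raise ValueError("expected 7 or 8 arguments, got %d" % len(argv))
    try:
        nums = [int(a) for a in argv]
    except ValueError:
        raise ValueError("all arguments must be integers: %r" % (argv,))
    qtype, qid, state, bsoft, bhard, isoft, ihard = nums[:7]
    bsize = nums[7] if len(nums) == 8 else 1024   # 8th argument is optional
    if qtype not in (USER_QUOTA, USER_DEFAULT, GROUP_QUOTA, GROUP_DEFAULT):
        raise ValueError("unknown quota type %d" % qtype)
    if state not in VALID_STATES:
        raise ValueError("unknown quota state %d" % state)
    if qtype in (USER_DEFAULT, GROUP_DEFAULT) and qid != -1:
        raise ValueError("default quotas must be passed with id -1")
    if qtype in (USER_QUOTA, GROUP_QUOTA) and qid < 0:
        raise ValueError("uid/gid must be non-negative for a per-id quota")
    if bsize <= 0 or min(bsoft, bhard, isoft, ihard) < 0:
        raise ValueError("limits must be non-negative and block size positive")
    return qtype, qid, state, bsoft, bhard, isoft, ihard, bsize


def build_setquota(qtype, qid, state, bsoft, bhard, isoft, ihard, bsize):
    """Map the parsed arguments onto a setquota(8) argv (assumed target tool).

    setquota takes block limits in KiB, so limits given in another block size
    are rescaled. State 0 (disable) clears every limit. Linux setquota has no
    per-user "default quota", so types 2 and 4 are refused (assumption).
    """
    if qtype in (USER_DEFAULT, GROUP_DEFAULT):
        raise NotImplementedError("default quotas are not settable via setquota")
    if state == 0:
        bsoft = bhard = isoft = ihard = 0
    else:
        bsoft = bsoft * bsize // 1024
        bhard = bhard * bsize // 1024
    flag = "-u" if qtype == USER_QUOTA else "-g"
    return ["setquota", flag, str(qid), str(bsoft), str(bhard),
            str(isoft), str(ihard), "-a"]


def main(argv):
    """Return the exit status Samba sees; print one line only on success."""
    try:
        cmd = build_setquota(*parse_args(argv))
    except (ValueError, NotImplementedError) as exc:
        sys.stderr.write("set_quota: %s\n" % exc)   # stdout stays empty: failure
        return 1
    # A real wrapper would run the command here, e.g. subprocess.run(cmd, check=True).
    print(" ".join(cmd))                            # one line of output = success
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Because Samba treats an empty stdout as failure, the wrapper writes diagnostics only to stderr; a rejected argument therefore surfaces to the client as a failed quota change rather than a silently accepted one.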

share modes (S)
This enables or disables the honoring of the share modes during a file open. These modes are used by clients to gain exclusive read or write access to a file.

These open modes are not directly supported by UNIX, so they are simulated using shared memory, or lock files if your UNIX doesn't support shared memory (almost all do).

The share modes that are enabled by this option are DENY_DOS, DENY_ALL, DENY_READ, DENY_WRITE, DENY_NONE and DENY_FCB.

This option gives full share compatibility and is enabled by default.

You should NEVER turn this parameter off as many Windows applications will break if you do so.

Default: share modes = yes

short preserve case (S)
This boolean parameter controls if new files which conform to 8.3 syntax, that is all in upper case and of suitable length, are created upper case, or if they are forced to be the default case. This option can be used with preserve case = yes to permit long filenames to retain their case, while short names are lowered.

See the section on NAME MANGLING.

Default: short preserve case = yes

show add printer wizard (G)
With the introduction of MS-RPC based printing support for Windows NT/2000 client in Samba 2.2, a "Printers..." folder will appear on Samba hosts in the share listing. Normally this folder will contain an icon for the MS Add Printer Wizard (APW). However, it is possible to disable this feature regardless of the level of privilege of the connected user.

Under normal circumstances, the Windows NT/2000 client will open a handle on the printer server with OpenPrinterEx() asking for Administrator privileges. If the user does not have administrative access on the print server (i.e. is not root or a member of the printer admin group), the OpenPrinterEx() call fails and the client makes another open call with a request for a lower privilege level. This should succeed, however the APW icon will not be displayed.

Disabling the show add printer wizard parameter will always cause the OpenPrinterEx() on the server to fail. Thus the APW icon will never be displayed.

Note

This does not prevent the same user from having administrative privilege on an individual printer.

Default: show add printer wizard = yes

shutdown script (G)
This parameter only exists in the HEAD CVS branch. This is the full path name of a script called by smbd(8) that should start a shutdown procedure.

This command will be run as the user connected to the server.

%m %t %r %f parameters are expanded:

  * %m will be substituted with the shutdown message sent to the server.
  * %t will be substituted with the number of seconds to wait before effectively starting the shutdown procedure.
  * %r will be substituted with the switch -r. It means reboot after shutdown for NT.
  * %f will be substituted with the switch -f. It means force the shutdown even if applications do not respond for NT.
Shutdown script example:

        #!/bin/bash
        # Positional arguments as expanded by smb.conf:
        # $1 = %m (message), $2 = %t (seconds), $3 = %r (-r or empty), $4 = %f (-f or empty)
        time=0
        let "time = ${2:-0} / 60"
        let "time++"

        /sbin/shutdown $3 $4 +$time "$1" &

Shutdown does not return so we need to launch it in background.

Default: shutdown script =

Example: shutdown script = /usr/local/samba/sbin/shutdown %m %t %r %f

smb passwd file (G)
This option sets the path to the encrypted smbpasswd file. By default the path to the smbpasswd file is compiled into Samba.

Default: smb passwd file = ${prefix}/private/smbpasswd

Example: smb passwd file = /etc/samba/smbpasswd

smb ports (G)
Specifies which ports the server should listen on for SMB traffic.

Default: smb ports = 445 139

socket address (G)
This option allows you to control what address Samba will listen for connections on. This is used to support multiple virtual interfaces on the one server, each with a different configuration.

By default Samba will accept connections on any address.

Default: socket address =

Example: socket address = 192.168.2.20

socket options (G)
This option allows you to set socket options to be used when talking with the client.

Socket options are controls on the networking layer of the operating systems which allow the connection to be tuned.

This option will typically be used to tune your Samba server for optimal performance for your local network. There is no way that Samba can know what the optimal parameters are for your net, so you must experiment and choose them yourself. We strongly suggest you read the appropriate documentation for your operating system first (perhaps man setsockopt will help).

You may find that on some systems Samba will say "Unknown socket option" when you supply an option. This means you either incorrectly typed it or you need to add an include file to includes.h for your OS. If the latter is the case please send the patch to samba-technical@samba.org.

Any of the supported socket options may be combined in any way you like, as long as your OS allows it.

This is the list of socket options currently settable using this option:

  * SO_KEEPALIVE
  * SO_REUSEADDR
  * SO_BROADCAST
  * TCP_NODELAY
  * IPTOS_LOWDELAY
  * IPTOS_THROUGHPUT
  * SO_SNDBUF *
  * SO_RCVBUF *
  * SO_SNDLOWAT *
  * SO_RCVLOWAT *
Those marked with a '*' take an integer argument. The others can optionally take a 1 or 0 argument to enable or disable the option, by default they will be enabled if you don't specify 1 or 0.

To specify an argument use the syntax SOME_OPTION = VALUE for example SO_SNDBUF = 8192. Note that you must not have any spaces before or after the = sign.

If you are on a local network then a sensible option might be:

socket options = IPTOS_LOWDELAY

If you have a local network then you could try:

socket options = IPTOS_LOWDELAY TCP_NODELAY

If you are on a wide area network then perhaps try setting IPTOS_THROUGHPUT.

Note that several of the options may cause your Samba server to fail completely. Use these options with caution!

Default: socket options = TCP_NODELAY

Example: socket options = IPTOS_LOWDELAY

stat cache (G)
This parameter determines if smbd(8) will use a cache in order to speed up case insensitive name mappings. You should never need to change this parameter.

Default: stat cache = yes

store dos attributes (S)
If this parameter is set Samba no longer attempts to map DOS attributes like SYSTEM, HIDDEN, ARCHIVE or READ-ONLY to UNIX permission bits (as the map hidden, map system and map archive parameters do). Instead, DOS attributes will be stored onto an extended attribute in the UNIX filesystem, associated with the file or directory. For this to operate correctly, the parameters map hidden, map system, map archive must be set to off. This parameter writes the DOS attributes as a string into the extended attribute named "user.DOSATTRIB". This extended attribute is explicitly hidden from smbd clients requesting an EA list. On Linux the filesystem must have been mounted with the mount option user_xattr in order for extended attributes to work, also extended attributes must be compiled into the Linux kernel.

Default: store dos attributes = no

strict allocate (S)
This is a boolean that controls the handling of disk space allocation in the server. When this is set to yes the server will change from UNIX behaviour of not committing real disk storage blocks when a file is extended to the Windows behaviour of actually forcing the disk system to allocate real storage blocks when a file is created or extended to be a given size. In UNIX terminology this means that Samba will stop creating sparse files. This can be slow on some systems.

When strict allocate is no the server does sparse disk block allocation when a file is extended.

Setting this to yes can help Samba return out of quota messages on systems that are restricting the disk quota of users.

Default: strict allocate = no

strict locking (S)
This is a boolean that controls the handling of file locking in the server. When this is set to yes, the server will check every read and write access for file locks, and deny access if locks exist. This can be slow on some systems.

When strict locking is disabled, the server performs file lock checks only when the client explicitly asks for them.

Well-behaved clients always ask for lock checks when it is important. So in the vast majority of cases, strict locking = no is preferable.

Default: strict locking = no

strict sync (S)
Many Windows applications (including the Windows 98 explorer shell) seem to confuse flushing buffer contents to disk with doing a sync to disk. Under UNIX, a sync call forces the process to be suspended until the kernel has ensured that all outstanding data in kernel disk buffers has been safely stored onto stable storage. This is very slow and should only be done rarely. Setting this parameter to no (the default) means that smbd(8) ignores the Windows applications' requests for a sync call. There is only a possibility of losing data if the operating system itself that Samba is running on crashes, so there is little danger in this default setting. In addition, this fixes many performance problems that people have reported with the new Windows 98 explorer shell file copies.

Default: strict sync = no

sync always (S)
This is a boolean parameter that controls whether writes will always be written to stable storage before the write call returns. If this is no then the server will be guided by the client's request in each write call (clients can set a bit indicating that a particular write should be synchronous). If this is yes then every write will be followed by an fsync() call to ensure the data is written to disk. Note that the strict sync parameter must be set to yes in order for this parameter to have any effect.

Default: sync always = no

syslog (G)
This parameter maps how Samba debug messages are logged onto the system syslog logging levels. Samba debug level zero maps onto syslog LOG_ERR, debug level one maps onto LOG_WARNING, debug level two maps onto LOG_NOTICE, debug level three maps onto LOG_INFO. All higher levels are mapped to LOG_DEBUG.

This parameter sets the threshold for sending messages to syslog. Only messages with debug level less than this value will be sent to syslog.

Default: syslog = 1

syslog only (G)
If this parameter is set then Samba debug messages are logged into the system syslog only, and not to the debug log files.

Default: syslog only = no

template homedir (G)
When filling out the user information for a Windows NT user, the winbindd(8) daemon uses this parameter to fill in the home directory for that user. If the string %D is present it is substituted with the user's Windows NT domain name. If the string %U is present it is substituted with the user's Windows NT user name.

Default: template homedir = /home/%D/%U

template primary group (G)
This option defines the default primary group for each user created by winbindd(8)'s local account management functions (similar to the 'add user script').

Default: template primary group = nobody

template shell (G)
When filling out the user information for a Windows NT user, the winbindd(8) daemon uses this parameter to fill in the login shell for that user.

No default

time offset (G)
This parameter is a setting in minutes to add to the normal GMT to local time conversion. This is useful if you are serving a lot of PCs that have incorrect daylight saving time handling.

Default: time offset = 0

Example: time offset = 60

time server (G)
This parameter determines if nmbd(8) advertises itself as a time server to Windows clients.

Default: time server = no

unix charset (G)
Specifies the charset used by the UNIX machine Samba runs on. Samba needs to know this in order to be able to convert text to the charsets other SMB clients use.

This is also the charset Samba will use when specifying arguments to scripts that it invokes.

Default: unix charset = UTF8

Example: unix charset = ASCII

unix extensions (G)
This boolean parameter controls whether Samba implements the CIFS UNIX extensions, as defined by HP. These extensions enable Samba to better serve UNIX CIFS clients by supporting features such as symbolic links, hard links, etc. These extensions require a similarly enabled client, and are of no current use to Windows clients.

Default: unix extensions = yes

unix password sync (G)
This boolean parameter controls whether Samba attempts to synchronize the UNIX password with the SMB password when the encrypted SMB password in the smbpasswd file is changed. If this is set to yes the program specified in the passwd program parameter is called AS ROOT - to allow the new UNIX password to be set without access to the old UNIX password (as the SMB password change code has no access to the old password cleartext, only the new).

Default: unix password sync = no

update encrypted (G)
This boolean parameter allows a user logging on with a plaintext password to have their encrypted (hashed) password in the smbpasswd file to be updated automatically as they log on. This option allows a site to migrate from plaintext password authentication (users authenticate with plaintext password over the wire, and are checked against a UNIX account database) to encrypted password authentication (the SMB challenge/response authentication mechanism) without forcing all users to re-enter their passwords via smbpasswd at the time the change is made. This is a convenience option to allow the change over to encrypted passwords to be made over a longer period. Once all users have encrypted representations of their passwords in the smbpasswd file this parameter should be set to no.

In order for this parameter to work correctly the encrypt passwords parameter must be set to no when this parameter is set to yes.

Note that even when this parameter is set a user authenticating to smbd must still enter a valid password in order to connect correctly, and to update their hashed (smbpasswd) passwords.

Default: update encrypted = no

use client driver (S)
This parameter applies only to Windows NT/2000 clients. It has no effect on Windows 95/98/ME clients. When serving a printer to Windows NT/2000 clients without first installing a valid printer driver on the Samba host, the client will be required to install a local printer driver. From this point on, the client will treat the print as a local printer and not a network printer connection. This is much the same behavior that will occur when disable spoolss = yes.

The differentiating factor is that under normal circumstances, the NT/2000 client will attempt to open the network printer using MS-RPC. The problem is that because the client considers the printer to be local, it will attempt to issue the OpenPrinterEx() call requesting access rights associated with the logged on user. If the user possesses local administrator rights but not root privilege on the Samba host (often the case), the OpenPrinterEx() call will fail. The result is that the client will now display an "Access Denied; Unable to connect" message in the printer queue window (even though jobs may successfully be printed).

If this parameter is enabled for a printer, then any attempt to open the printer with the PRINTER_ACCESS_ADMINISTER right is mapped to PRINTER_ACCESS_USE instead, allowing the OpenPrinterEx() call to succeed. This parameter MUST NOT be enabled on a print share which has a valid print driver installed on the Samba server.

Default: use client driver = no

use mmap (G)
This global parameter determines if the tdb internals of Samba can depend on mmap working correctly on the running system. Samba requires a coherent mmap/read-write system memory cache. Currently only HPUX does not have such a coherent cache, and so this parameter is set to no by default on HPUX. On all other systems this parameter should be left alone. This parameter is provided to help the Samba developers track down problems with the tdb internal code.

Default: use mmap = yes

user
This parameter is a synonym for username.
users
This parameter is a synonym for username.
username (S)
Multiple users may be specified in a comma-delimited list, in which case the supplied password will be tested against each username in turn (left to right).

The username line is needed only when the PC is unable to supply its own username. This is the case for the COREPLUS protocol or where your users have different WfWg usernames from their UNIX usernames. In both these cases you may also be better using the \\server\share%user syntax instead.

The username line is not a great solution in many cases as it means Samba will try to validate the supplied password against each of the usernames in the username line in turn. This is slow and a bad idea for lots of users in case of duplicate passwords. You may get timeouts or security breaches using this parameter unwisely.

Samba relies on the underlying UNIX security. This parameter does not restrict who can login, it just offers hints to the Samba server as to what usernames might correspond to the supplied password. Users can login as whoever they please and they will be able to do no more damage than if they started a telnet session. The daemon runs as the user that they log in as, so they cannot do anything that user cannot do.

To restrict a service to a particular set of users you can use the valid users parameter.

If any of the usernames begin with a '@' then the name will be looked up first in the NIS netgroups list (if Samba is compiled with netgroup support), followed by a lookup in the UNIX groups database and will expand to a list of all users in the group of that name.

If any of the usernames begin with a '+' then the name will be looked up only in the UNIX groups database and will expand to a list of all users in the group of that name.

If any of the usernames begin with a '&' then the name will be looked up only in the NIS netgroups database (if Samba is compiled with netgroup support) and will expand to a list of all users in the netgroup group of that name.

Note that searching through a groups database can take quite some time, and some clients may time out during the search.

See the section NOTE ABOUT USERNAME/PASSWORD VALIDATION for more information on how this parameter determines access to the services.

Default: username = # The guest account if a guest service, else <empty string>.

Example: username = fred, mary, jack, jane, @users, @pcgroup

username level (G)
This option helps Samba to try and 'guess' at the real UNIX username, as many DOS clients send an all-uppercase username. By default Samba tries all lowercase, followed by the username with the first letter capitalized, and fails if the username is not found on the UNIX machine.

If this parameter is set to non-zero the behavior changes. This parameter is a number that specifies the number of uppercase combinations to try while trying to determine the UNIX user name. The higher the number the more combinations will be tried, but the slower the discovery of usernames will be. Use this parameter when you have strange usernames on your UNIX machine, such as AstrangeUser.

This parameter is needed only on UNIX systems that have case sensitive usernames.

Default: username level = 0

Example: username level = 5

username map (G)
This option allows you to specify a file containing a mapping of usernames from the clients to the server. This can be used for several purposes. The most common is to map usernames that users use on DOS or Windows machines to those that the UNIX box uses. The other is to map multiple users to a single username so that they can more easily share files.

The map file is parsed line by line. Each line should contain a single UNIX username on the left then a '=' followed by a list of usernames on the right. The list of usernames on the right may contain names of the form @group in which case they will match any UNIX username in that group. The special client name '*' is a wildcard and matches any name. Each line of the map file may be up to 1023 characters long.

The file is processed on each line by taking the supplied username and comparing it with each username on the right hand side of the '=' signs. If the supplied name matches any of the names on the right hand side then it is replaced with the name on the left. Processing then continues with the next line.

If any line begins with a '#' or a ';' then it is ignored.

If any line begins with an '!' then the processing will stop after that line if a mapping was done by the line. Otherwise mapping continues with every line being processed. Using '!' is most useful when you have a wildcard mapping line later in the file.

For example to map from the name admin or administrator to the UNIX name root you would use:

root = admin administrator

Or to map anyone in the UNIX group system to the UNIX name sys you would use:

sys = @system

You can have as many mappings as you like in a username map file.

If your system supports the NIS NETGROUP option then the netgroup database is checked before the /etc/group database for matching groups.

You can map Windows usernames that have spaces in them by using double quotes around the name. For example:

tridge = "Andrew Tridgell"

would map the windows username "Andrew Tridgell" to the unix username "tridge".

The following example would map mary and fred to the unix user sys, and map the rest to guest. Note the use of the '!' to tell Samba to stop processing if it gets a match on that line.

!sys = mary fred
guest = *

Note that the remapping is applied to all occurrences of usernames. Thus if you connect to \\server\fred and fred is remapped to mary then you will actually be connecting to \\server\mary and will need to supply a password suitable for mary not fred. The only exception to this is the username passed to the password server (if you have one). The password server will receive whatever username the client supplies without modification.

Also note that no reverse mapping is done. The main effect this has is with printing. Users who have been mapped may have trouble deleting print jobs as PrintManager under WfWg will think they don't own the print job.

Default: username map = # no username map

Example: username map = /usr/local/samba/lib/users.map
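An added example, not Samba's own parser, that applies the rules above to a constructed map file: comment lines, a quoted name with a space, an @group entry resolved against a constructed stand-in for /etc/group, the '*' wildcard and the '!' stop marker. It carries the replaced name forward into later lines, which is how the note about a trailing wildcard line is read here, and compares names exactly (case handling is not described on this page, so that is a simplification).

```python
"""Apply a smb.conf "username map" file to a client-supplied username.

Added example, not Samba's code. Rules modelled from the smb.conf text:
one UNIX name left of '=', a list of client names on the right; '@group'
matches any member of that UNIX group; '*' matches anything; lines starting
with '#' or ';' are comments; a leading '!' stops processing once that line
has mapped the name; double quotes allow spaces inside a name.
"""
import shlex

MAX_LINE = 1023   # per-line limit stated in the text

# Constructed stand-in for the UNIX group database: group -> members.
UNIX_GROUPS = {"system": ["sys", "root", "daemon"]}

# Constructed map file exercising every rule described above.
SAMPLE_MAP = """\
# map the Windows administrator accounts to root
!root = admin administrator
; spaces need double quotes
!tridge = "Andrew Tridgell"
; anyone in the UNIX group system becomes sys
!sys = @system mary fred
guest = *
"""


def parse_map(text):
    """Parse map text into (stop_after_match, unix_name, [client_names]) tuples."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                                   # comment or blank line
        if len(raw) > MAX_LINE:
            raise ValueError("line %d exceeds %d characters" % (lineno, MAX_LINE))
        if "=" not in line:
            raise ValueError("line %d has no '='" % lineno)
        left, right = line.split("=", 1)
        unix_name = left.strip()
        stop = unix_name.startswith("!")
        if stop:
            unix_name = unix_name[1:].strip()
        clients = shlex.split(right, posix=True)       # honours the double quotes
        if not unix_name or not clients:
            raise ValueError("line %d is incomplete" % lineno)
        rules.append((stop, unix_name, clients))
    return rules


def matches(client_name, supplied, groups):
    """Does one right-hand-side entry match the supplied username? (exact compare)"""
    if client_name == "*":
        return True
    if client_name.startswith("@"):
        return supplied in groups.get(client_name[1:], [])
    return client_name == supplied


def map_username(supplied, rules, groups=UNIX_GROUPS):
    """Run the name through every rule in order.

    A match replaces the name and processing continues with the next line,
    using the replaced name, unless the matching line was marked with '!'.
    """
    name = supplied
    for stop, unix_name, clients in rules:
        if any(matches(c, name, groups) for c in clients):
            name = unix_name
            if stop:
                break
    return name
```

The pitfall the text warns about is visible when the '!' markers are removed: with "root = admin" followed by "guest = *", the name admin is first mapped to root and then, because processing continues, swallowed by the wildcard and ends up as guest. Marking the earlier lines with '!' is what makes the trailing wildcard safe.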

use sendfile (S)
If this parameter is yes, and the sendfile() system call is supported by the underlying operating system, then some SMB read calls (mainly ReadAndX and ReadRaw) will use the more efficient sendfile system call for files that are exclusively oplocked. This may make more efficient use of the system CPU's and cause Samba to be faster. Samba automatically turns this off for clients that use protocol levels lower than NT LM 0.12 and when it detects a client is Windows 9x (using sendfile from Linux will cause these clients to fail).

Default: use sendfile = yes

use spnego (G)
This variable controls whether Samba will try to use Simple and Protected NEGOtiation (SPNEGO, as specified by RFC 2478) with Windows XP and Windows 2000 clients to agree upon an authentication mechanism.

Unless further issues are discovered with our SPNEGO implementation, there is no reason this should ever be disabled.

Default: use spnego = yes

utmp (G)
This boolean parameter is only available if Samba has been configured and compiled with the option --with-utmp. If set to yes then Samba will attempt to add utmp or utmpx records (depending on the UNIX system) whenever a connection is made to a Samba server. Sites may use this to record the user connecting to a Samba share.

Due to the requirements of the utmp record, we are required to create a unique identifier for the incoming user. Enabling this option creates an n^2 algorithm to find this number. This may impede performance on large installations.

Default: utmp = no

utmp directory (G)
This parameter is only available if Samba has been configured and compiled with the option --with-utmp. It specifies a directory pathname that is used to store the utmp or utmpx files (depending on the UNIX system) that record user connections to a Samba server. By default this is not set, meaning the system will use whatever utmp file the native system is set to use (usually /var/run/utmp on Linux).

Default: utmp directory = # Determined automatically

Example: utmp directory = /var/run/utmp

-valid (S)
This parameter indicates whether a share is valid and thus can be used. When this parameter is set to false, the share will be in no way visible nor accessible.

This option should not be used by regular users but might be of help to developers. Samba uses this option internally to mark shares as deleted.

Default: -valid = yes

valid users (S)
This is a list of users that should be allowed to login to this service. Names starting with '@', '+' and '&' are interpreted using the same rules as described in the invalid users parameter.

If this is empty (the default) then any user can login. If a username is in both this list and the invalid users list then access is denied for that user.

The current servicename is substituted for %S . This is useful in the [homes] section.

Default: valid users = # No valid users list (anyone can login)

Example: valid users = greg, @pcusers
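As an added example, not Samba's code, the following covers both the '@', '+' and '&' prefix rules given under the username parameter and the valid users rule above (an empty list admits anyone; a user on both the valid and invalid lists is denied). The group and netgroup tables are constructed stand-ins for /etc/group and the NIS netgroup map so that the example runs offline; "netgroup support compiled in" is assumed.

```python
"""Expand a smb.conf user list ("username", "valid users", "invalid users").

Added example, not Samba's code. Prefix rules as described in the text:
'@name' is looked up in NIS netgroups first, then the UNIX group database;
'+name' uses the UNIX group database only; '&name' uses netgroups only.
"""

# Constructed lookup tables (stand-ins for /etc/group and the NIS netgroup map).
UNIX_GROUPS = {
    "pcusers": ["greg", "mary", "fred"],
    "system": ["sys", "root"],
}
NIS_NETGROUPS = {
    "pcusers": ["nis_alice", "nis_bob"],   # same name as a UNIX group, on purpose
    "labs": ["carol"],
}


def split_user_list(value):
    """Split a comma-delimited smb.conf list, dropping blanks and surrounding space."""
    return [item.strip() for item in value.split(",") if item.strip()]


def expand_name(name, groups=UNIX_GROUPS, netgroups=NIS_NETGROUPS):
    """Expand one entry according to its prefix. Unknown groups expand to nothing."""
    if name.startswith("@"):
        key = name[1:]
        if key in netgroups:                  # netgroup first (netgroup support assumed)
            return list(netgroups[key])
        return list(groups.get(key, []))      # then the UNIX group database
    if name.startswith("+"):
        return list(groups.get(name[1:], []))     # UNIX groups only
    if name.startswith("&"):
        return list(netgroups.get(name[1:], []))  # netgroups only
    return [name]                                 # plain username


def expand_user_list(value, groups=UNIX_GROUPS, netgroups=NIS_NETGROUPS):
    """Expand the whole list, preserving left-to-right order and dropping repeats.

    Order matters for "username": the client's password is tried against each
    expanded name in turn, so every extra name is one more password check.
    """
    seen = set()
    result = []
    for entry in split_user_list(value):
        for user in expand_name(entry, groups, netgroups):
            if user not in seen:
                seen.add(user)
                result.append(user)
    return result


def check_access(user, valid_users, invalid_users,
                 groups=UNIX_GROUPS, netgroups=NIS_NETGROUPS):
    """Model the "valid users" / "invalid users" rule for one authenticated user.

    An empty "valid users" admits anyone; a name on the invalid list is denied
    even if it is also on the valid list.
    """
    allowed = expand_user_list(valid_users, groups, netgroups)
    denied = expand_user_list(invalid_users, groups, netgroups)
    if user in denied:
        return False
    return not allowed or user in allowed
```

Running the page's own "username" example through expand_user_list shows why unknown group names are harmless (they expand to nothing) and why a long list is costly: each name returned is one more candidate the supplied password is tested against.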

veto files (S)
This is a list of files and directories that are neither visible nor accessible. Each entry in the list must be separated by a '/', which allows spaces to be included in the entry. '*' and '?' can be used to specify multiple files or directories as in DOS wildcards.

Each entry must be a unix path, not a DOS path and must not include the unix directory separator '/'.

Note that the case sensitive option is applicable in vetoing files.

One feature of the veto files parameter that it is important to be aware of is Samba's behaviour when trying to delete a directory. If a directory that is to be deleted contains nothing but veto files this deletion will fail unless you also set the delete veto files parameter to yes.

Setting this parameter will affect the performance of Samba, as it will be forced to check all files and directories for a match as they are scanned.

Default: veto files = # No files or directories are vetoed.

Example:

        ; Veto any files containing the word Security,
        ; any ending in .tmp, and any directory containing the
        ; word root.
        veto files = /*Security*/*.tmp/*root*/

        ; Veto the Apple specific files that a NetAtalk server
        ; creates.
        veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/
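An added example, not Samba's code, that evaluates a veto files setting the way the text describes: entries are split on '/', so an entry such as "Network Trash Folder" may contain spaces; '*' and '?' are DOS wildcards, modelled here with Python's fnmatch (an assumption about the exact wildcard semantics); matching is case-insensitive unless the case sensitive option is on; and a directory left holding only vetoed names can only be removed when delete veto files is set. The two settings used are the ones from the example above.

```python
"""Evaluate a smb.conf "veto files" list against directory entries.

Added example, not Samba's code. Each veto entry is a single path component
(the text forbids '/' inside an entry), so matching is done per name.
"""
import fnmatch

# Settings taken from the smb.conf example for this parameter.
VETO_SETTING = "/*Security*/*.tmp/*root*/"
NETATALK_SETTING = "/.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/"


def parse_veto_list(value):
    """Split a veto list on '/', dropping the empty entries that a leading
    or trailing '/' produces. Spaces inside an entry survive intact."""
    return [entry for entry in value.split("/") if entry]


def is_vetoed(name, patterns, case_sensitive=False):
    """Return True if one path component matches any veto pattern.

    '*' and '?' are treated as DOS wildcards via fnmatch (assumed mapping).
    With case sensitive = no (Samba's usual setting) both sides are folded.
    """
    if "/" in name:
        raise ValueError("veto matching works on one path component, not a path")
    for pattern in patterns:
        if case_sensitive:
            matched = fnmatch.fnmatchcase(name, pattern)
        else:
            matched = fnmatch.fnmatchcase(name.lower(), pattern.lower())
        if matched:
            return True
    return False


def filter_listing(entries, patterns, case_sensitive=False):
    """Return the directory entries a client would see (vetoed names removed)."""
    return [e for e in entries if not is_vetoed(e, patterns, case_sensitive)]


def can_delete_directory(entries, patterns, delete_veto_files=False,
                         case_sensitive=False):
    """Model the deletion rule from the text.

    An empty directory can always go. One with visible (non-vetoed) contents
    is simply not empty. One holding nothing but vetoed names is removable
    only when "delete veto files = yes".
    """
    if not entries:
        return True
    if filter_listing(entries, patterns, case_sensitive):
        return False
    return delete_veto_files
```

The case-sensitive variant shows the interaction the text points out: with case sensitive = yes, a file named scratch.TMP is no longer caught by the *.tmp entry, so veto lists written for the default case-insensitive behaviour need revisiting if that option is changed.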

veto oplock files (S)
This parameter is only valid when the oplocks parameter is turned on for a share. It allows the Samba administrator to selectively turn off the granting of oplocks on selected files that match a wildcarded list, similar to the wildcarded list used in the veto files parameter.

You might want to do this on files that you know will be heavily contended for by clients. A good example of this is in the NetBench SMB benchmark program, which causes heavy client contention for files ending in .SEM. To cause Samba not to grant oplocks on these files you would use the line shown in the example below (either in the [global] section or in the section for the particular NetBench share).

Default: veto oplock files = # No files are vetoed for oplock grants

Example: veto oplock files = /.*SEM/

vfs object
This parameter is a synonym for vfs objects.
vfs objects (S)
This parameter specifies the backend names which are used for Samba VFS I/O operations. By default, normal disk I/O operations are used but these can be overloaded with one or more VFS objects.

Default: vfs objects =

Example: vfs objects = extd_audit recycle

volume (S)
This allows you to override the volume label returned for a share. Useful for CDROMs with installation programs that insist on a particular volume label.

Default: volume = # the name of the share

wide links (S)
This parameter controls whether or not links in the UNIX file system may be followed by the server. Links that point to areas within the directory tree exported by the server are always allowed; this parameter controls access only to areas that are outside the directory tree being exported.

Note that setting this parameter can have a negative effect on your server performance due to the extra system calls that Samba has to do in order to perform the link checks.

Default: wide links = yes

winbind cache time (G)
This parameter specifies the number of seconds the winbindd(8) daemon will cache user and group information before querying a Windows NT server again.

Default: winbind cache time = 300

winbind enable local accounts (G)
This parameter controls whether or not winbindd will act as a stand in replacement for the various account management hooks in smb.conf (e.g. 'add user script'). If enabled, winbindd will support the creation of local users and groups as another source of UNIX account information available via getpwnam() or getgrgid(), etc...

Default: winbind enable local accounts = no

winbind enum groups (G)
On large installations using winbindd(8) it may be necessary to suppress the enumeration of groups through the setgrent(), getgrent() and endgrent() group of system calls. If the winbind enum groups parameter is no, calls to the getgrent() system call will not return any data.

Warning

Turning off group enumeration may cause some programs to behave oddly.

Default: winbind enum groups = yes

winbind enum users (G)
On large installations using winbindd(8) it may be necessary to suppress the enumeration of users through the setpwent(), getpwent() and endpwent() group of system calls. If the winbind enum users parameter is no, calls to the getpwent() system call will not return any data.

Warning

Turning off user enumeration may cause some programs to behave oddly. For example, the finger program relies on having access to the full user list when searching for matching usernames.

Default: winbind enum users = yes

winbind nested groups (G)
If set to yes, this parameter activates the support for nested groups. Nested groups are also called local groups or aliases. They work like their counterparts in Windows: Nested groups are defined locally on any machine (they are shared between DC's through their SAM) and can contain users and global groups from any trusted SAM. To be able to use nested groups, you need to run nss_winbind.

Please note that as of 3.0.3 this is a new feature, so handle with care.

Default: winbind nested groups = no

winbind separator (G)
This parameter allows an admin to define the character used when listing a username of the form DOMAIN\user. This parameter is only applicable when using the pam_winbind.so and nss_winbind.so modules for UNIX services.

Please note that setting this parameter to + causes problems with group membership at least on glibc systems, as the character + is used as a special character for NIS in /etc/group.

Default: winbind separator = '\'

Example: winbind separator = +

winbind trusted domains only (G)
This parameter is designed to allow Samba servers that are members of a Samba controlled domain to use UNIX accounts distributed via NIS, rsync, or LDAP as the uids for winbindd users in the host's primary domain. Therefore, the user DOMAIN\user1 would be mapped to the account user1 in /etc/passwd instead of allocating a new uid for him or her.

Default: winbind trusted domains only = no

winbind use default domain (G)
This parameter specifies whether the winbindd(8) daemon should operate on users without a domain component in their username. Users without a domain component are treated as part of the winbindd server's own domain. While this does not benefit Windows users, it makes SSH, FTP and e-mail function in a way much closer to the way they would on a native UNIX system.

Default: winbind use default domain = no

Example: winbind use default domain = yes

wins hook (G)
When Samba is running as a WINS server this allows you to call an external program for all changes to the WINS database. The primary use for this option is to allow the dynamic update of external name resolution databases such as dynamic DNS.

The wins hook parameter specifies the name of a script or executable that will be called as follows:

wins_hook operation name nametype ttl IP_list

* The first argument is the operation and is one of "add", "delete", or "refresh". In most cases the operation can be ignored as the rest of the parameters provide sufficient information. Note that "refresh" may sometimes be called when the name has not previously been added, in that case it should be treated as an add.
* The second argument is the NetBIOS name. If the name is not a legal name then the wins hook is not called. Legal names contain only letters, digits, hyphens, underscores and periods.
* The third argument is the NetBIOS name type as a 2 digit hexadecimal number.
* The fourth argument is the TTL (time to live) for the name in seconds.
* The fifth and subsequent arguments are the IP addresses currently registered for that name. If this list is empty then the name should be deleted.

An example script that calls the BIND dynamic DNS update program nsupdate is provided in the examples directory of the Samba source code.

No default
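The following is an added example and is not the nsupdate script shipped in Samba's examples directory: a receiver for the wins hook interface described above that checks each argument against the documented rules before it is placed in an nsupdate batch. The zone name and the key file path used in the comments are assumptions.

```sh
# Added example, not the script shipped in Samba's examples directory: a
# receiver for the "wins hook" interface. It validates the arguments nmbd
# passes (operation name nametype ttl IP...) before they are interpolated
# into an nsupdate batch; the hook runs with nmbd's privileges and the
# NetBIOS name originates from the network, so nothing is trusted as-is.

# Legal names per the text: letters, digits, hyphens, underscores, periods.
wins_legal_name() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
}

# Usage: wins_decide operation name nametype ttl [ip ...]
# Prints "add NAME TTL IP..." or "delete NAME"; prints "reject NAME" and
# returns 1 for anything outside the documented interface. "refresh" is
# treated as "add"; an empty IP list means the name should be deleted.
wins_decide() {
    [ $# -ge 4 ] || { echo "reject"; return 1; }
    op=$1; name=$2; nametype=$3; ttl=$4
    shift 4
    wins_legal_name "$name" || { echo "reject $name"; return 1; }
    case "$nametype" in                       # two hex digits, e.g. 20 or 1b
        [0-9a-fA-F][0-9a-fA-F]) ;;
        *) echo "reject $name"; return 1 ;;
    esac
    case "$ttl" in                            # TTL must be a plain integer
        ''|*[!0-9]*) echo "reject $name"; return 1 ;;
    esac
    case "$op" in
        delete) echo "delete $name" ;;
        add|refresh)
            if [ $# -eq 0 ]; then echo "delete $name"
            else echo "add $name $ttl $*"; fi ;;
        *) echo "reject $name"; return 1 ;;
    esac
}

# Turns a decision line into an nsupdate(1) batch for ZONE (a constructed
# zone such as wins.example.test); pipe it to nsupdate -k KEYFILE (assumed).
# Usage: wins_nsupdate_batch ZONE add NAME TTL IP...  or  ZONE delete NAME
wins_nsupdate_batch() {
    zone=$1; action=$2; name=$3
    echo "update delete $name.$zone A"
    if [ "$action" = add ]; then
        ttl=$4; shift 4
        for ip in "$@"; do echo "update add $name.$zone $ttl A $ip"; done
    fi
    echo "send"
}
```

A wrapper installed as the wins hook would call `wins_decide "$@"`, and on an add or delete decision pass that line to `wins_nsupdate_batch` with the zone name, so a malformed name or type never reaches nsupdate.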

wins proxy (G)
This is a boolean that controls if nmbd(8) will respond to broadcast name queries on behalf of other hosts. You may need to set this to yes for some older clients.

Default: wins proxy = no

wins server (G)
This specifies the IP address (or DNS name: IP address for preference) of the WINS server that nmbd(8) should register with. If you have a WINS server on your network then you should set this to the WINS server's IP.

You should point this at your WINS server if you have a multi-subnetted network.

If you want to work in multiple namespaces, you can give every wins server a 'tag'. For each tag, only one (working) server will be queried for a name. The tag should be separated from the ip address by a colon.

Note

You need to set up Samba to point to a WINS server if you have multiple subnets and wish cross-subnet browsing to work correctly.

See the ???.

Default: wins server =

Example: wins server = mary:192.9.200.1 fred:192.168.3.199 mary:192.168.2.61 # For this example when querying a certain name, 192.19.200.1 will be asked first and if that doesn't respond 192.168.2.61. If either of those doesn't know the name 192.168.3.199 will be queried.

Example: wins server = 192.9.200.1 192.168.2.61
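As an added example (not from the man page or the Samba source), the two functions below split a wins server value into the per-tag lists the text describes, so the query order for a given tag can be checked before the setting is deployed. Grouping untagged entries under a single default tag named "*" is an assumption of this example.

```sh
# Added example: parse a "wins server" value into per-tag server lists.
# Untagged entries are grouped under the default tag "*" (an assumption of
# this example, not documented behaviour).

# Usage: wins_servers_for_tag "VALUE" TAG
# Prints the servers carrying TAG in configuration order, i.e. the order in
# which nmbd would try them until one answers.
wins_servers_for_tag() {
    want=$2
    for entry in $1; do
        case "$entry" in
            *:*) tag=${entry%%:*}; srv=${entry#*:} ;;
            *)   tag='*'; srv=$entry ;;
        esac
        if [ "$tag" = "$want" ]; then echo "$srv"; fi
    done
}

# Usage: wins_tags "VALUE"
# Prints each distinct tag once, in order of first appearance; a name query
# is sent to one working server per tag.
wins_tags() {
    seen=' '
    for entry in $1; do
        case "$entry" in
            *:*) tag=${entry%%:*} ;;
            *)   tag='*' ;;
        esac
        case "$seen" in
            *" $tag "*) ;;
            *) seen="$seen$tag "; echo "$tag" ;;
        esac
    done
}
```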

wins support (G)
This boolean controls if the nmbd(8) process in Samba will act as a WINS server. You should not set this to yes unless you have a multi-subnetted network and you wish a particular nmbd to be your WINS server. Note that you should NEVER set this to yes on more than one machine in your network.

Default: wins support = no

workgroup (G)
This controls what workgroup your server will appear to be in when queried by clients. Note that this parameter also controls the Domain name used with the security = domain setting.

Default: workgroup = WORKGROUP

Example: workgroup = MYGROUP

writable (S)
This parameter is a synonym for writeable.

writeable (S)
Inverted synonym for read only.

No default

write cache size (S)
If this integer parameter is set to non-zero value, Samba will create an in-memory cache for each oplocked file (it does not do this for non-oplocked files). All writes that the client does not request to be flushed directly to disk will be stored in this cache if possible. The cache is flushed onto disk when a write comes in whose offset would not fit into the cache or when the file is closed by the client. Reads for the file are also served from this cache if the data is stored within it.

This cache allows Samba to batch client writes into a more efficient write size for RAID disks (i.e. writes may be tuned to be the RAID stripe size) and can improve performance on systems where the disk subsystem is a bottleneck but there is free memory for userspace programs.

The integer parameter specifies the size of this cache (per oplocked file) in bytes.

Default: write cache size = 0

Example: write cache size = 262144 # for a 256k cache size per file

write list (S)
This is a list of users that are given read-write access to a service. If the connecting user is in this list then they will be given write access, no matter what the read only option is set to. The list can include group names using the @group syntax.

Note that if a user is in both the read list and the write list then they will be given write access.

Default: write list =

Example: write list = admin, root, @staff

write raw (G)
This parameter controls whether or not the server will support raw write SMBs when transferring data from clients. You should never need to change this parameter.

Default: write raw = yes

wtmp directory (G)
This parameter is only available if Samba has been configured and compiled with the option --with-utmp. It specifies a directory pathname that is used to store the wtmp or wtmpx files (depending on the UNIX system) that record user connections to a Samba server. The difference with the utmp directory is the fact that user info is kept after a user has logged out.

By default this is not set, meaning the system will use whatever utmp file the native system is set to use (usually /var/run/wtmp on Linux).

Default: wtmp directory =

Example: wtmp directory = /var/log/wtmp

WARNINGS

Although the configuration file permits service names to contain spaces, your client software may not. Spaces will be ignored in comparisons anyway, so it shouldn't be a problem - but be aware of the possibility.

On a similar note, many clients - especially DOS clients - limit service names to eight characters. smbd(8) has no such limitation, but attempts to connect from such clients will fail if they truncate the service names. For this reason you should probably keep your service names down to eight characters in length.

Use of the [homes] and [printers] special sections makes life for an administrator easy, but the various combinations of default attributes can be tricky. Take extreme care when designing these sections. In particular, ensure that the permissions on spool directories are correct.

VERSION

This man page is correct for version 3.0 of the Samba suite.

SEE ALSO

samba(7), smbpasswd(8), swat(8), smbd(8), nmbd(8), smbclient(1), nmblookup(1), testparm(1), testprns(1).

Editor in charge: 韩亚珊 Source: CMPP.net