SMB.CONF(5) SMB.CONF(5) NAME smb.conf - Samba SYNOPSIS smb.confSamba,Samba .smb.confswat (8). smb.conf. FILE FORMAT .,. = .,(,,). . ..... ';''#',. UNIX,''.('',,'',--) ()(yes/no,1/0,true/false )... (create modes). SECTION DESCRIPTIONS ([global]).,. ([global],[homes],[printers])'special sections',. .,. ()(). guest,,.UNIXguest account. guest,..,,"user=",.Windos95/98WindowsNT,. ,.samba. ,/home/bar."foo". [foo] path = /home/bar read only = no ,,.,.guest okguest(). [aprinter] path = /usr/spool/public read only = yes printable = yes guest ok = yes SPECIAL SECTIONS [global] ,.'PARAMETERS'. [homes] 'homes',. ,,,.,,.,[homes](). 'homes'. ,. [homes]path=,%S. path = /data/pchome/%S PC UNIX,. . 'homes',,,.. [homes],.[homes] [homes] read only = no ,[homes]guest,.,,,[homes]. ,[global],[homes].,[homes]browseable=no,'homes',. [printers] [homes],. [printers],printcap . ,,,.,[homes],.,,printcap,.,[printers]. . ,. guest,,. ,[printers],,. (spooling)sticky.[printers] [printers] path = /usr/spool/public guest ok = yes printable = yes printcap.,printcap, 1|2|3|4... .[global]printcap.printcap,.. ,printcap..,"|". Note ,SYSV,lpstat."printcap name = lpstat"."printcap name". PARAMETERS . [global](),( ),.,[homes][printers].(G)[global],(S).,(S)[global],,. ,,.,,. VARIABLE SUBSTITUTIONS .,john,"path = /tmp/%u""path = /tmp/john". ,. %U (.) %G %U %h Sambainternet %m NetBIOS() %L NetBIOS.,"". Note that this parameter is not available when Samba listens on port 445, as clients no longer send this information %M internet %R ,CORE,COREPLUS,LANMAN1,LANMAN2NT1. %d samba. %a .,100%.SambaWfWgWinNTWin95."UNKNOWN".samba- bugs@samba.org3bug. %I IP. %T . %D Name of the domain or workgroup of the current user. %$(envvar) The value of the environment variable envar. The following substitutes apply only to some configuration options(only those that are used when a connection has been established): %S %P %u %g %u %H %u %N tNIS.auto.map.--with- auto-mountsamba,%L. %p .NISauot.map.NISauot.map"%N:%p". smb.conf. 
NAME Samba"",doswindows8.3.8.3. ,.testparm. (). : mangle case = yes/no .,yes,"Mail".no. case sensitive = yes/no .,Samba.no. default case = upper/lower .. preserve case = yes/no ,.yes. short preserve case = yes/no 8.3,."preserve case = yes",.yes. ,Samba3.0Windows NT,. / NOTE ABOUT USERNAME/PASSWORD VALIDATION ..,.,. guest only = yes(security = share) ,1--5. ,unix,.,\\server\service%username. ,,. netbios,,. ,,. smb.conf"user = ",,UNIX,"user=","user="."user="@, . guest,"guest account =",. COMPLETE LIST OF GLOBAL PARAMETERS ,.,. o abort shutdown script o add group script o add machine script o addprinter command o add share command o add user script o add user to group script o afs username map o algorithmic rid base o allow trusted domains o announce as o announce version o auth methods o auto services o bind interfaces only o browse list o change notify timeout o change share command o client lanman auth o client ntlmv2 auth o client plaintext auth o client schannel o client signing o client use spnego o config file o deadtime o debug hires timestamp o debuglevel o debug pid o debug timestamp o debug uid o default o default service o delete group script o deleteprinter command o delete share command o delete user from group script o delete user script o dfree command o disable netbios o disable spoolss o display charset o dns proxy o domain logons o domain master o dos charset o enable rid algorithm o encrypt passwords o enhanced browsing o enumports command o get quota command o getwd cache o guest account o hide local users o homedir map o host msdfs o hostname lookups o hosts equiv o idmap backend o idmap gid o idmap uid o include o interfaces o keepalive o kernel change notify o kernel oplocks o lanman auth o large readwrite o ldap admin dn o ldap delete dn o ldap filter o ldap group suffix o ldap idmap suffix o ldap machine suffix o ldap passwd sync o ldap port o ldap server o ldap ssl o ldap suffix o ldap user suffix o lm announce o lm interval o load printers 
o local master o lock dir o lock directory o lock spin count o lock spin time o log file o log level o logon drive o logon home o logon path o logon script o lpq cache time o machine password timeout o mangled stack o mangle prefix o mangling method o map to guest o max disk size o max log size o max mux o max open files o max protocol o max smbd processes o max ttl o max wins ttl o max xmit o message command o min passwd length o min password length o min protocol o min wins ttl o name cache timeout o name resolve order o netbios aliases o netbios name o netbios scope o nis homedir o ntlm auth o nt pipe support o nt status support o null passwords o obey pam restrictions o oplock break wait time o os2 driver map o os level o pam password change o panic action o paranoid server security o passdb backend o passwd chat o passwd chat debug o passwd program o password level o password server o pid directory o prefered master o preferred master o preload o preload modules o printcap o private dir o protocol o read bmpx o read raw o read size o realm o remote announce o remote browse sync o restrict anonymous o root o root dir o root directory o security o server schannel o server signing o server string o set primary group script o set quota command o show add printer wizard o shutdown script o smb passwd file o smb ports o socket address o socket options o source environment o stat cache o syslog o syslog only o template homedir o template primary group o template shell o time offset o time server o timestamp logs o unicode o unix charset o unix extensions o unix password sync o update encrypted o use mmap o username level o username map o use spnego o utmp o utmp directory o winbind cache time o winbind enable local accounts o winbind enum groups o winbind enum users o winbind gid o winbind separator o winbind trusted domains only o winbind uid o winbind use default domain o wins hook o wins partners o wins proxy o wins server o wins support o workgroup o write raw o 
wtmp directory COMPLETE LIST OF SERVICE PARAMETERS ,.,. o acl compatibility o admin users o afs share o allow hosts o available o blocking locks o block size o browsable o browseable o case sensitive o casesignames o comment o copy o create mask o create mode o csc policy o default case o default devmode o delete readonly o delete veto files o deny hosts o directory o directory mask o directory mode o directory security mask o dont descend o dos filemode o dos filetime resolution o dos filetimes o exec o fake directory create times o fake oplocks o follow symlinks o force create mode o force directory mode o force directory security mode o force group o force security mode o force user o fstype o group o guest account o guest ok o guest only o hide dot files o hide files o hide special files o hide unreadable o hide unwriteable files o hosts allow o hosts deny o inherit acls o inherit permissions o invalid users o level2 oplocks o locking o lppause command o lpq command o lpresume command o lprm command o magic output o magic script o mangle case o mangled map o mangled names o mangling char o map acl inherit o map archive o map hidden o map system o max connections o max print jobs o max reported print jobs o min print space o msdfs proxy o msdfs root o nt acl support o only guest o only user o oplock contention limit o oplocks o path o posix locking o postexec o preexec o preexec close o preserve case o printable o printcap name o print command o printer o printer admin o printer name o printing o print ok o profile acls o public o queuepause command o queueresume command o read list o read only o root postexec o root preexec o root preexec close o security mask o set directory o share modes o short preserve case o strict allocate o strict locking o strict sync o sync always o use client driver o user o username o users o use sendfile o -valid o valid users o veto files o veto oplock files o vfs object o vfs objects o volume o wide links o writable o writeable o 
write cache size o write list o write ok EXPLANATION OF EACH PARAMETER abort shutdown script (G) This parameter only exists in the HEAD cvs branch. This is a full path name to a script called by smbd(8) that should stop a shutdown procedure issued by the shutdown script. This command will be run as user. : None. : abort shutdown script = /sbin/shutdown -c acl compatibility (S) This parameter specifies what OS ACL semantics should be compatible with. Possible values are winnt for Windows NT 4, win2k for Windows 2000 and above and auto. If you specify auto, the value for this parameter will be based upon the version of the client. There should be no reason to change this parameter from the default. : acl compatibility = Auto : acl compatibility = win2k add group script (G) This is the full pathname to a script that will be run AS ROOT by smbd(8) when a new group is requested. It will expand any %g to the group name passed. This script is only useful for installations using the Windows NT domain administration tools. The script is free to create a group with an arbitrary name to circumvent unix group name restrictions. In that case the script must print the numeric gid of the created group on stdout. add machine script (G) This is the full pathname to a script that will be run by smbd(8) when a machine is added to its domain using the administrator username and password method. This option is only required when using sam back-ends tied to the Unix uid method of RID calculation such as smbpasswd. This option is only available in Samba 3.0. : add machine script = <> : add machine script = /usr/sbin/adduser -n -g machines -c Machine -d /dev/null -s /bin/false %u addprinter command (G) With the introduction of MS-RPC based printing support for Windows NT/2000 clients in Samba 2.2, the MS Add Printer Wizard (APW) icon is now also available in the "Printers..." folder displayed in a share listing.
The APW allows for printers to be added remotely to a Samba or Windows NT/2000 print server. For a Samba host this means that the printer must be physically added to the underlying printing system. The add printer command defines a script to be run which will perform the necessary operations for adding the printer to the print system and to add the appropriate service definition to the smb.conf file in order that it can be shared by smbd(8). The addprinter command is automatically invoked with the following parameters (in order): printer name, share name, port name, driver name, location, Windows 9x driver location. All parameters are filled in from the PRINTER_INFO_2 structure sent by the Windows NT/2000 client with one exception. The "Windows 9x driver location" parameter is included for backwards compatibility only. The remaining fields in the structure are generated from answers to the APW questions. Once the addprinter command has been executed, smbd will reparse the smb.conf to determine if the share defined by the APW exists. If the sharename is still invalid, then smbd will return an ACCESS_DENIED error to the client. The "add printer command" program can output a single line of text, which Samba will set as the port the new printer is connected to. If this line isn't output, Samba won't reload its printer shares. deleteprinter command, printing, show add printer wizard : none : addprinter command = /usr/bin/addprinter add share command (G) Samba 2.2.0 introduced the ability to dynamically add and delete shares via the Windows NT 4.0 Server Manager. The add share command is used to define an external program or script which will add a new service definition to smb.conf. In order to successfully execute the add share command, smbd requires that the administrator be connected using a root account (i.e. uid == 0). When executed, smbd will automatically invoke the add share command with four parameters. configFile - the location of the global smb.conf file.
shareName - the name of the new share. pathName - path to an **existing** directory on disk. comment - comment string to associate with the new share. This parameter is only used to add file shares. To add printer shares, see the addprinter command. change share command, delete share command. : none : add share command = /usr/local/bin/addshare add user script (G) ,()smbd (8)root. ,sambaUNIX.Windows NT,NT.smbdUNIX. ,smbdsecurity=serversecurity=domain,add user script%uunix,%uunix. windowssamba,(SMB),smbd,.,smbdunixwindowsunix.,add user script ,smbdroot,%u. ,smbd.,UNIXNT. security, password server, delete user script. : add user script = <> : add user script = /usr/local/samba/bin/add_user %u add user to group script (G) Full path to the script that will be called when a user is added to a group using the Windows NT domain administration tools. It will be run by smbd(8) AS ROOT. Any %g will be replaced with the group name and any %u will be replaced with the user name. : add user to group script = : add user to group script = /usr/sbin/adduser %u %g admin users (S) admin users.. ,. : admin users : admin users = jason afs share (S) This parameter controls whether special AFS features are enabled for this share. If enabled, it assumes that the directory exported via the path parameter is a local AFS import. The special AFS features include the attempt to hand-craft an AFS token if you enabled --with-fake-kaserver in configure. : afs share = no : afs share = yes afs username map (G) If you are using the fake kaserver AFS feature, you might want to hand-craft the usernames you are creating tokens for. For example, this is necessary if you have users from several domains in your AFS Protection Database. One possible scheme is to code users as DOMAIN+User, as is done by winbind with the + as a separator. The mapped user name must contain the cell name to log into, so without setting this parameter there will be no token.
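For the add share command entry above: smbd runs the script as root and passes it configFile, shareName, pathName and comment, so the script is the place to validate those values before they are written into smb.conf. The following handler is an added example, not code from this page or from the Samba project; ALLOWED_BASE and the helper names are assumptions of the example.

```shell
#!/bin/sh
# Added example (not Samba project code): an "add share command" handler that
# treats its four arguments as untrusted, because smbd runs it as root.
# ALLOWED_BASE is an assumption of this example, not a Samba parameter.
LC_ALL=C; export LC_ALL
ALLOWED_BASE="${ALLOWED_BASE:-/srv/samba}"

warn() { echo "addshare: $1" >&2; }

# True when the string contains a control character (newline, CR, tab, ...).
has_cntrl() {
    [ "$(printf '%s' "$1" | tr -d '[:cntrl:]')" != "$1" ]
}

# add_share configFile shareName pathName comment
add_share() {
    as_conf=$1 as_share=$2 as_path=$3 as_comment=$4

    [ -f "$as_conf" ] || { warn "config file not found"; return 1; }

    # The share name becomes a [section] header: allow-list its characters,
    # refuse the special sections (names are compared without regard to case)
    # and refuse a name that is already present in the file.
    case $as_share in
        ''|*[!A-Za-z0-9_-]*) warn "bad share name"; return 1 ;;
    esac
    case $(printf '%s' "$as_share" | tr 'A-Z' 'a-z') in
        global|homes|printers) warn "reserved section name"; return 1 ;;
    esac
    if grep -qiF "[$as_share]" "$as_conf"; then
        warn "share already defined"; return 1
    fi

    # pathName must be an existing directory. Resolve symlinks and ".." first,
    # then require the result to sit under ALLOWED_BASE.
    case $as_path in
        /*) ;;
        *) warn "path must be absolute"; return 1 ;;
    esac
    as_real=$(cd "$as_path" 2>/dev/null && pwd -P) || { warn "no such directory"; return 1; }
    as_base=$(cd "$ALLOWED_BASE" 2>/dev/null && pwd -P) || { warn "bad ALLOWED_BASE"; return 1; }
    case $as_real/ in
        "$as_base"/*) ;;
        *) warn "path outside $as_base"; return 1 ;;
    esac

    # smb.conf expands % variables (such as %u) in values and joins a line
    # ending in a backslash with the next one, so neither may arrive via the path.
    case $as_real in
        *%*|*\\) warn "unsafe character in path"; return 1 ;;
    esac
    if has_cntrl "$as_real"; then warn "control character in path"; return 1; fi

    # The comment is free text from the client: drop control characters so it
    # cannot start a new line, and trailing backslashes so it cannot swallow
    # the parameter written after it.
    as_comment=$(printf '%s' "$as_comment" | tr -d '[:cntrl:]')
    while :; do
        case $as_comment in
            *\\) as_comment=${as_comment%?} ;;
            *) break ;;
        esac
    done

    # New shares start read-only and without guest access.
    {
        printf '\n[%s]\n' "$as_share"
        printf '\tpath = %s\n' "$as_real"
        printf '\tcomment = %s\n' "$as_comment"
        printf '\tread only = yes\n\tguest ok = no\n'
    } >> "$as_conf"
}

# smbd passes exactly four arguments; do nothing when run without them.
if [ "$#" -eq 4 ]; then
    add_share "$@"
fi
```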
: none : afs username map = %u@afs.samba.org algorithmic rid base (G) This determines how Samba will use its algorithmic mapping from uids/gids to the RIDs needed to construct NT Security Identifiers. Setting this option to a larger value could be useful to sites transitioning from WinNT and Win2k, as existing user and group rids would otherwise clash with system users etc. All UIDs and GIDs must be able to be resolved into SIDs for the correct operation of ACLs on the server. As such the algorithmic mapping can't be 'turned off', but pushing it 'out of the way' should resolve the issues. Users and groups can then be assigned 'low' RIDs in arbitrary-rid supporting backends. : algorithmic rid base = 1000 : algorithmic rid base = 100000 allow hosts (S) hosts allow. allow trusted domains (G) securityserverdomain.no,smbd,. .,DOMADOMB,DOMADOMB,sambaDOMA.,DOMBsambaUNIX.DOMA.. : allow trusted domains = yes announce as (G) nmbd(8) .windows NT."NT","NT Server","NT Server","NT Workstation","Win95""WfW",Windows NT Server,Windows NT Workstation,Windows 95Windows for Workgroups.sambawindows NT,,samba. : announce as = NT Server : announce as = Win95 announce version (G) nmbd.4.9samba,. : announce version = 4.9 : announce version = 2.0 auth methods (G) This option allows the administrator to choose what authentication methods smbd will use when authenticating a user. This option defaults to sensible values based on security. This should be considered a developer option and used only in rare circumstances. In the majority (if not all) of production servers, the default setting should be adequate. Each entry in the list attempts to authenticate the user in turn, until the user authenticates. In practice only one method will ever actually be able to complete the authentication.
Possible options include guest (anonymous access), sam (lookups in local list of accounts based on netbios name or domain name), winbind (relay authentication requests for remote users through winbindd), ntdomain (pre-winbindd method of authentication for remote domain users; deprecated in favour of winbind method), trustdomain (authenticate trusted users by contacting the remote DC directly from smbd; deprecated in favour of winbind method). : auth methods = <> : auth methods = guest sam winbind auto services (G) preload . available (S) .available = no,.. : available = yes bind interfaces only (G) samba.smbd(8)nmbd(8). ,nmbd 'interfaces'137138.,nmbd""(0.0.0.0)137138.,nmbd."bind interfaces only",nmbd,interfaces.,nmbdinterfaces.IP,nmbd. ,smbd(8)'interfaces'.smbd .,PPP,. bind interfaces only,127.0.0.1interfaces,smbpasswd(8)swat(8) ,: SMB,smbpasswdsmblocalhost - 127.0.0.1,.bind interfaces only,smbpasswd,127.0.0.1interfaces.,-r remote machineip,smbpasswdip. swat127.0.0.1smbd nmbd,.127.0.0.1,smbdnmbd . swat//smbd nmbd. : bind interfaces only = no blocking locks (S) smbd(8), . ,,samba,,. no,samba,. : blocking locks = yes block size (S) This parameter controls the behavior of smbd(8) when reporting disk free sizes. By default, this reports a disk block size of 1024 bytes. Changing this parameter may have some effect on the efficiency of client writes, this is not yet confirmed. This parameter was added to allow advanced administrators to change it (usually to a higher value) and test the effect it has on client write performance without re-compiling the code. As this is an experimental option it may be removed in a future release. Changing this option does not change the disk free reporting size, just the block size unit reported to the client. browsable (S) browseable browseable (S) net view. : browseable = yes browse list (G) smbd(8)NetServerEnum.yes.. : browse list = yes case sensitive (S) NAME MANGLING. : case sensitive = no casesignames (S) case sensitive . 
change notify timeout (G) samba,SMB.unix,,smbd(8)change notify timeout. : change notify timeout = 60 : change notify timeout = 300 5. change share command (G) Samba 2.2.0 introduced the ability to dynamically add and delete shares via the Windows NT 4.0 Server Manager. The change share command is used to define an external program or script which will modify an existing service definition in smb.conf. In order to successfully execute the change share command, smbd requires that the administrator be connected using a root account (i.e. uid == 0). When executed, smbd will automatically invoke the change share command with four parameters. configFile - the location of the global smb.conf file. shareName - the name of the new share. pathName - path to an **existing** directory on disk. comment - comment string to associate with the new share. This parameter is only used to modify existing file share definitions. To modify printer shares, use the "Printers..." folder as seen when browsing the Samba host. add share command, delete share command. : none : change share command = /usr/local/bin/addshare client lanman auth (G) This parameter determines whether or not smbclient(8) and other samba client tools will attempt to authenticate themselves to servers using the weaker LANMAN password hash. If disabled, only servers which support NT password hashes (e.g. Windows NT/2000, Samba, etc... but not Windows 95/98) can be connected to from the Samba client. The LANMAN encrypted response is easily broken, due to its case-insensitive nature and the choice of algorithm. Clients without Windows 95/98 servers are advised to disable this option. Disabling this option will also disable the client plaintext auth option. Likewise, if the client ntlmv2 auth parameter is enabled, then only NTLMv2 logins will be attempted. Not all servers support NTLMv2, and most will require special configuration to use it.
Default : client lanman auth = yes client ntlmv2 auth (G) This parameter determines whether or not smbclient(8) will attempt to authenticate itself to servers using the NTLMv2 encrypted password response. If enabled, only an NTLMv2 and LMv2 response (both much more secure than earlier versions) will be sent. Many servers (including NT4 < SP4, Win9x and Samba 2.2) are not compatible with NTLMv2. Similarly, if enabled, NTLMv1, client lanman auth and client plaintext auth authentication will be disabled. This also disables share-level authentication. If disabled, an NTLM response (and possibly a LANMAN response) will be sent by the client, depending on the value of client lanman auth. Note that some sites (particularly those following 'best practice' security policies) only allow NTLMv2 responses, and not the weaker LM or NTLM. Default : client ntlmv2 auth = no client plaintext auth (G) Specifies whether a client should send a plaintext password if the server does not support encrypted passwords. : client plaintext auth = yes client schannel (G) This controls whether the client offers or even demands the use of the netlogon schannel. client schannel = no does not offer the schannel, client schannel = auto offers the schannel but does not enforce it, and client schannel = yes denies access if the server is not able to speak netlogon schannel. : client schannel = auto : client schannel = yes client signing (G) This controls whether the client offers SMB signing to the server it talks to, or requires it. Possible values are auto, mandatory and disabled. When set to auto, SMB signing is offered, but not enforced. When set to mandatory, SMB signing is required and if set to disabled, SMB signing is not offered either. : client signing = auto client use spnego (G) This variable controls whether samba clients will try to use Simple and Protected NEGOciation (as specified by RFC 2478) with Windows XP and Windows 2000 servers to agree upon an authentication mechanism.
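The client-side authentication parameters described above (client lanman auth, client ntlmv2 auth, client plaintext auth, client signing) interact, so the effective behaviour is easier to check mechanically than by eye. The following audit function is an added example, not part of the original page or of Samba; it applies the defaults and interactions stated in those entries to the [global] section of the file it is given.

```shell
#!/bin/sh
# Added example (not Samba project code): report weak client-side
# authentication settings in the [global] section of an smb.conf file.
# Defaults are the ones stated on this page for each parameter.
audit_client_auth() {
    awk '
    # Parameter and section names are compared without case or spaces.
    function norm(s)   { gsub(/[ \t]/, "", s); return tolower(s) }
    # Booleans may be written yes/no, true/false or 1/0.
    function truthy(v) { return (v == "yes" || v == "true" || v == "1") }
    function get(k, d) { return (k in cfg) ? cfg[k] : d }

    /^[ \t]*[;#]/ || /^[ \t]*$/ { next }      # comment and blank lines
    /^[ \t]*\[/ {                              # section header
        name = $0
        sub(/^[ \t]*\[/, "", name)
        sub(/\].*$/, "", name)
        section = norm(name)
        next
    }
    section == "global" && index($0, "=") {
        eq  = index($0, "=")
        key = norm(substr($0, 1, eq - 1))
        val = substr($0, eq + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", val)
        cfg[key] = tolower(val)                # a later line overrides an earlier one
    }
    END {
        ntlmv2  = truthy(get("clientntlmv2auth", "no"))
        lanman  = truthy(get("clientlanmanauth", "yes"))
        plain   = truthy(get("clientplaintextauth", "yes"))
        signing = get("clientsigning", "auto")

        # Interactions described in the entries: enabling NTLMv2 disables
        # the LANMAN and plaintext paths; disabling LANMAN disables plaintext.
        if (ntlmv2)  { lanman = 0; plain = 0 }
        if (!lanman) { plain = 0 }

        if (!ntlmv2) {
            print "WEAK client ntlmv2 auth = no: an NTLM response is sent"
        }
        if (lanman) {
            print "WEAK client lanman auth = yes: a LANMAN response may be sent"
        }
        if (plain) {
            print "WEAK client plaintext auth = yes: plaintext password may be sent"
        }
        if (signing == "disabled") {
            print "WEAK client signing = disabled: SMB signing is not offered"
        } else if (signing == "auto") {
            print "NOTE client signing = auto: signing is offered but not enforced"
        } else if (signing != "mandatory") {
            print "UNKNOWN client signing value: " signing
        }
    }
    ' "$1"
}

# Stand-alone use: audit the file named on the command line.
if [ "$#" -eq 1 ]; then
    audit_client_auth "$1"
fi
```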
SPNEGO client support for SMB Signing is currently broken, so you might want to turn this option off when operating with Windows 2003 domain controllers in particular. : client use spnego = yes comment (S) (net view). server string . : No comment string : comment = Fred's Files config file (G) samba,(smb.conf).,! ,,. . ,.() : config file = /usr/local/samba/lib/smb.conf.%m copy (S) . ,. '',.,. : no value : copy = otherservice create mask (S) create mode . ,dosunix..unix.,. unix. ,sambaunixforce create mode,force create mode 000. .directory mode . force create mode.directory mode. inherit permissions parameter. Note that this parameter does not apply to permissions set by Windows NT/2000 ACL editors. If the administrator wishes to enforce a mask on access control lists also, they need to set the security mask. : create mask = 0744 : create mask = 0775 create mode (S) create mask . csc policy (S) This stands for client-side caching policy, and specifies how clients capable of offline caching will cache the files in the share. The valid values are: manual, documents, programs, disable. These values correspond to those used on Windows servers. For example, shares containing roaming profiles can have offline caching disabled using csc policy = disable. : csc policy = manual : csc policy = programs deadtime (G) (),..,. . ,, . 0.. : deadtime = 0 : deadtime = 15 debug hires timestamp (G) ,. , debug timestamp. : debug hires timestamp = no debuglevel (G) log level . debug pid (G) smbd(8)fork.. , debug timestamp . : debug pid = no debug timestamp (G) samba.debug level,.. : debug timestamp = yes debug uid (G) sambaroot,.euid,egid,uidgid. Note that the parameter must be on for this to have an effect. , debug timestamp. : debug uid = no default (G) default service . default case (S) "NAME MANGLING". short preserve case. : default case = lower default devmode (S) This parameter is only applicable to printable services. 
When smbd is serving Printer Drivers to Windows NT/2k/XP clients, each printer on the Samba server has a Device Mode which defines things such as paper size and orientation and duplex settings. The device mode can only correctly be generated by the printer driver itself (which can only be executed on a Win32 platform). Because smbd is unable to execute the driver code to generate the device mode, the default behavior is to set this field to NULL. Most problems with serving printer drivers to Windows NT/2k/XP clients can be traced to a problem with the generated device mode. Certain drivers will do things such as crashing the client's Explorer.exe with a NULL devmode. However, other printer drivers can cause the client's spooler service (spoolsv.exe) to die if the devmode was not created by the driver itself (i.e. smbd generates a default devmode). This parameter should be used with care and tested with the printer driver in question. It is better to leave the device mode as NULL and let the Windows client set the correct values. Because drivers do not do this all the time, setting default devmode = yes will instruct smbd to generate a default one. For more information on Windows NT/2k printing and Device Modes, see the MSDN documentation. : default devmode = no default service (G) .,(). . ,. guest ok, read-only. ,%S. , '_''/'. . : [global] default service = pub [pub] path = /%S delete group script (G) This is the full pathname to a script that will be run AS ROOT by smbd(8) when a group is requested to be deleted. It will expand any %g to the group name passed. This script is only useful for installations using the Windows NT domain administration tools. deleteprinter command (G) With the introduction of MS-RPC based printer support for Windows NT/2000 clients in Samba 2.2, it is now possible to delete a printer at run time by issuing the DeletePrinter() RPC call. For a Samba host this means that the printer must be physically deleted from the underlying printing system.
The deleteprinter command defines a script to be run which will perform the necessary operations for removing the printer from the print system and from smb.conf. The deleteprinter command is automatically called with only one parameter: "printer name". Once the deleteprinter command has been executed, smbd will reparse the smb.conf to check that the associated printer no longer exists. If the sharename is still valid, then smbd will return an ACCESS_DENIED error to the client. addprinter command, printing, show add printer wizard : none : deleteprinter command = /usr/bin/removeprinter delete readonly (S) ,dos,unix. rcs,,unix,dos. : delete readonly = no delete share command (G) Samba 2.2.0 introduced the ability to dynamically add and delete shares via the Windows NT 4.0 Server Manager. The delete share command is used to define an external program or script which will remove an existing service definition from smb.conf. In order to successfully execute the delete share command, smbd requires that the administrator be connected using a root account (i.e. uid == 0). When executed, smbd will automatically invoke the delete share command with two parameters. configFile - the location of the global smb.conf file. shareName - the name of the existing service. This parameter is only used to remove file shares. To delete printer shares, see the deleteprinter command. add share command, change share command. : none : delete share command = /usr/local/bin/delshare delete user from group script (G) Full path to the script that will be called when a user is removed from a group using the Windows NT domain administration tools. It will be run by smbd(8) AS ROOT. Any %g will be replaced with the group name and any %u will be replaced with the user name. : delete user from group script = : delete user from group script = /usr/sbin/deluser %u %g delete user script (G) RPC(NT)fBsmbd(8)root.
'User Manager for Domains' rpcclient unix : delete user script = <> : delete user script = /usr/local/samba/bin/del_user %u delete veto files (S) samba(veto files). no(),,.. yes,Samba.NetAtalk,Dos/windows(e.g. .AppleDouble). delete veto files = yes . veto files . : delete veto files = no deny hosts (S) hosts deny . dfree command (G) dfree command.Ultrix,."Abort Retry Ignore". .. ,./.ascii.(),..1024. :root,root,(setuid or setgid)! : . : dfree command = /usr/local/samba/bin/dfree dfree. #!/bin/sh df $1 | tail -1 | awk '{print $2" "$4}' Sys V: #!/bin/sh /usr/bin/df -k $1 | tail -1 | awk '{print $3" "$5}' . directory (S) path . directory mask (S) 8UNIXdosunix ,dosunix,.unix.unix ,,. Sambaforce directory mode,000(). Note that this parameter does not apply to permissions set by Windows NT/2000 ACL editors. If the administrator wishes to enforce a mask on access control lists also, they need to set the directory security mask. ,force directory mode. create mode directory security mask. Also refer to the inherit permissions parameter. : directory mask = 0755 : directory mask = 0775 directory mode (S) directory mask directory security mask (S) NTNTunix. ,.,0. ,directory mask.user/group/world,0777. ,samba,.0777. force directory security mode, security mask, force security mode : directory security mask = 0777 : directory security mask = 0700 disable netbios (G) Enabling this parameter will disable netbios support in Samba. Netbios is the only available form of browsing in all windows versions except for 2000 and XP. Note that clients that only support netbios won't be able to see your samba server when netbios support is disabled. : disable netbios = no : disable netbios = yes disable spoolss (G) Enabling this parameter will disable Samba's support for the SPOOLSS set of MS-RPC's and will yield identical behavior as Samba 2.0.x. Windows NT/2000 clients will downgrade to using Lanman style printing commands. 
Windows 9x/ME will be unaffected by the However, this will also disable the ability to upload printer drivers to a Samba server via the Windows NT Add Printer Wizard or by using the NT printer properties dialog window. It will also disable the capability of Windows NT/2000 clients to download print drivers from the Samba host upon demand. Be very careful about enabling this See also use client driver Default : disable spoolss = no display charset (G) Specifies the charset that samba and SWAT will use to print messages to stdout and stderr. Should generally be the same as the unix charset. : display charset = ASCII : display charset = UTF8 dns proxy (G) nmbd(8)WINSNetBIOS,DNSNetBIOS,DNS. ,NetBISO15,DNS(DNS)15. nmbd DNS,. wins support : dns proxy = yes domain logons (G) yes,SambaworkgroupWindows 95/98 .Samba 2.2Windows NT 4 Samba Samba-PDC-HOWTO : domain logons = no domain master (G) smbd(8).,nmbdNetBIOS.nmbd,smbd(8) .,,. ,windows NTNetBIOS(,Windows NT). ,nmbd Windows NT,,. If domain logons = yes, then the default behavior is to enable the domain master If domain logons is not enabled (the default setting), then neither will domain master be enabled by default. : domain master = auto dont descend (S) (linux/proc),(),().,. ,Samba'dont descend'../proc/proc.. : none (,) : dont descend = /proc,/dev dos charset (G) DOS SMB clients assume the server has the same charset as they do. This option specifies which charset Samba should talk to DOS clients. The default depends on which charsets you have installed. Samba tries to use charset 850 but falls back to ASCII in case it is not available. Run testparm(1) to check the default on your system. dos filemode (S) The default behavior in Samba is to provide UNIX-like behavior where only the owner of a file/directory is able to change the permissions on it. However, this behavior is often confusing to DOS/Windows users.
Enabling this parameter allows a user who has write access to the file (by whatever means) to modify the permissions on it. Note that a user belonging to the group owning the file will not be allowed to change permissions if the group is only granted read access. Ownership of the file/directory is not changed, only the permissions are modified. : dos filemode = no dos filetime resolution (S) DOSWindows FAT,2,smbd(8)1Samba2 Visual C++Samba.(oplocks),Visual C++.1,2.2,,Visual C++,Visual C++.,Visual C++. : dos filetime resolution = no dos filetimes (S) DOSWindows,,.POSIX,root.,SambaPOSIX,smbd,. yes,smbd(8)DOS,DOS. : dos filetimes = no enable rid algorithm (G) This option is used to control whether or not smbd in Samba 3.0 should fall back to the algorithm used by Samba 2.2 to generate user and group RIDs. The long-term development goal is to remove the algorithmic mappings of RIDs altogether, but this has proved to be difficult. This parameter is mainly provided so that developers can turn the algorithm on and off and see what breaks. This parameter should not be disabled by non-developers because certain features in Samba will fail to work without it. : enable rid algorithm = encrypt passwords (G) .,NT4.0 SP3 WINDOWS 98,.,Samba HOWTO Collection "User Database" , smbd(8)smbpasswd(5)(,smbpasswd(8)),,security= [server|domain|ads],smbd. : encrypt passwords = yes enhanced browsing (G) This option enables a couple of enhancements to cross-subnet browse propagation that have been added in Samba but which are not standard in Microsoft implementations. The first enhancement to browse propagation consists of a regular wildcard query to a Samba WINS server for all Domain Master Browsers, followed by a browse synchronization with each of the returned DMBs. The second enhancement consists of a regular randomised browse synchronization with all currently known DMBs. You may wish to disable this option if you have a problem with empty workgroups not disappearing from browse lists.
Due to the restrictions of the browse protocols these enhancements can cause a empty workgroup to stay around forever which can be annoying. In general you should leave this option enabled as it makes cross-subnet browse propagation much more reliable. : enhanced browsing = yes enumports command (G) The concept of a "port" is fairly foreign to UNIX hosts. Under Windows NT/2000 print servers, a port is associated with a port monitor and generally takes the form of a local port (i.e. LPT1:, COM1:, FILE:) or a remote port (i.e. LPD Port Monitor, etc...). By default, Samba has only one port defined--"Samba Printer Port". Under Windows NT/2000, all printers must have a valid port name. If you wish to have a list of ports displayed (smbd does not use a port name for anything) other than the default "Samba Printer Port", you can define enumports command to point to a program which should generate a list of ports, one per line, to standard output. This listing will then be used in response to the level 1 and 2 EnumPorts() RPC. : no enumports command : enumports command = /usr/bin/listports exec (S) preexec fake directory create times (S) NTFSWindows VFAT. UNIX--ctime. , , SambaUNIX(/). , Samba, 1980.01.01. Visual C++Samba.Visual C++makefiles, . . , NMAKE, . , ,. UNIX,Samba. NMAKE(), .,NMAKE. : fake directory create times = no fake oplocks (S) oplocks, SMB. oplock(opportunistic lock), , , . oplocks. . fake oplocks = yes,smbd(8)oplock, . , oplocks. (: CDROM),(: ). . , , . . : fake oplocks = no follow symlinks (S) Sambasmbd(8). no().: /etc/passwd. (, ). , . (, smbd) : follow symlinks = yes force create mode (S) UNIX, Samba, , , ., 000,create mask, , . create mask inherit permissions . : force create mode = 000 : force create mode = 0755 , "/()". //. force directory mode (S) UNIX, Samba, , , ., 000,directory mask,, . directory mask inherit permissions. : force directory mode = 000 : force directory mode = 0755 , "/()". //. force directory security mode (S) NTNTunix. 
('or'),.,,0'on'. ,force directory mode.user/group/world,0000. ,samba,.0000. directory security mask, security mask, force security mode : force directory security mode = 0 : force directory security mode = 700 force group (S) UNIX, "". . , , Samba. samba 2.0.5.'+',,.,,.,force group = +sys,syssamba.. force user,force group force user. If the force user parameter is also set the group specified in force group will override the primary group set in force user. force user. : no forced group : force group = agroup force security mode (S) NTNTunix. ('or'),.,,0'on'. ,force create mode.user/group/world,000. ,samba,.0000. force directory security mode, directory security mask, security mask : force security mode = 0 : force security mode = 700 force user (S) UNIX, . ()., . . , . , , . samba 2.0.5.2.0.5(bug) force group : no forced user : force user = auser fstype (S) , , smbd(8). Windows NTNTFS, ,,,SambaFAT. : fstype = NTFS : fstype = Samba get quota command (G) The get quota command should only be used whenever there is no operating system API available from the OS that samba can use. This parameter should specify the path to a script that queries the quota information for the specified user/group for the partition that the specified directory is on. 
Such a script should take 3 arguments:
directory
type of query
uid of user or gid of group
The type of query can be one of:
1 - user quotas
2 - user default quotas (uid = -1)
3 - group quotas
4 - group default quotas (gid = -1)
This script should print its output according to the following format:
Line 1 - quota flags (0 = no quotas, 1 = quotas enabled, 2 = quotas enabled and enforced)
Line 2 - number of currently used blocks
Line 3 - the softlimit number of blocks
Line 4 - the hardlimit number of blocks
Line 5 - currently used number of inodes
Line 6 - the softlimit number of inodes
Line 7 - the hardlimit number of inodes
Line 8 (optional) - the number of bytes in a block (default is 1024)
set quota command : get quota command = : get quota command = /usr/local/sbin/query_quota getwd cache (G) . , "getwd()". , wide linksno. : getwd cache = yes group (S) force group guest account (G,S) (,), , guest ok. "(guest)". , passwd, ."ftp",.:,. ,"nobody".,(ftp),(su -),,lpr(1)lp(1). %Samba : "nobody" : guest account = ftp guest ok (S) yes, , , guest account. restrict anonymous = 2 security : guest ok = no guest only (S) yes, , (guest), , .guest ok, . security : guest only = no hide dot files (S) . "."(UNIX, "."). : hide dot files = yes hide files (S) ..DOS"". "/".DOS"*""?" UNIX,DOS,,UNIX"/". :. Samba,. hide dot files, veto files case sensitive. : : hide files = /.*/DesktopFolderDB/TrashFor%m/resource.frk/ Thursby,MacintoshSMB(DAVE),,".". hide local users (G) This parameter toggles the hiding of local UNIX users (root, wheel, floppy, etc) from remote clients. : hide local users = no hide special files (S) This parameter prevents clients from seeing special files such as sockets, devices and fifos in directory listings. : hide special files = no hide unreadable (S) This parameter prevents clients from seeing the existence of files that cannot be read. Defaults to off.
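An added example (not part of the Samba man page or the Samba project) of a helper that follows the get quota command contract described above: three arguments in, eight lines out. The inline quota table and its column layout are assumptions constructed for illustration; a production helper would query the platform's quota tooling instead. Because smbd runs this program with values derived from client sessions, the arguments are validated before use.

```shell
#!/bin/sh
# Added example of a "get quota command" helper.
# Constructed sample table (assumption): one row per quota record.
# Columns: type id flags used_blocks soft_blocks hard_blocks used_inodes soft_inodes hard_inodes
QUOTA_TABLE='
1 1000 2 51200 102400 153600 340 10000 12000
2 -1 1 0 204800 256000 0 20000 25000
3 100 2 700000 1048576 1258291 9100 100000 120000
4 -1 0 0 0 0 0 0 0
'

# query_quota DIR TYPE ID
# Prints the 8 output lines described in the man page text, or fails with
# status 2 on malformed arguments.
query_quota() {
    [ "$#" -eq 3 ] || { echo "usage: query_quota DIR TYPE ID" >&2; return 2; }
    dir=$1; qtype=$2; id=$3

    # Argument 1: the directory whose partition is being queried.
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }

    # Argument 2: query type, only 1..4 are defined.
    case $qtype in
        1|2|3|4) ;;
        *) echo "bad query type: $qtype" >&2; return 2 ;;
    esac

    # Argument 3: numeric uid/gid, or -1 for the default-quota queries.
    case $id in
        -1) ;;
        ''|*[!0-9]*) echo "bad id" >&2; return 2 ;;
    esac

    # Types 2 and 4 are default quotas and always use id -1.
    case $qtype in
        2|4) id=-1 ;;
    esac

    printf '%s\n' "$QUOTA_TABLE" | awk -v t="$qtype" -v i="$id" '
        $1 == t && $2 == i {
            found = 1
            for (f = 3; f <= 9; f++) print $f   # lines 1-7
            print 1024                          # line 8: bytes per block
            exit
        }
        END {
            if (!found) {                       # no record: report "no quotas"
                print 0
                for (f = 0; f < 6; f++) print 0
                print 1024
            }
        }'
}

# When invoked the way smbd would call it (three arguments), answer the query.
if [ "$#" -eq 3 ]; then
    query_quota "$@"
fi
```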
: hide unreadable = no hide unwriteable files (S) This parameter prevents clients from seeing the existence of files that cannot be written to. Defaults to off. Note that unwriteable directories are shown as usual. : hide unwriteable = no homedir map (G) nis homedir yes,, smbd(8)win95/98,,NIS(YP)..,Sunauto.home.: username server:/some/file/system ":".,,Amd(). NIS nis homedir , domain logons . : homedir map = <> : homedir map = amd.homedir host msdfs (G) If set to yes, Samba will act as a Dfs server, and allow Dfs-aware clients to browse Dfs trees hosted on the server. msdfs root share level For more information on setting up a Dfs tree on Samba, refer to ???. : host msdfs = no hostname lookups (G) Specifies whether samba should use (expensive) hostname lookups or use the ip addresses instead. An example place where hostname lookups are currently used is when checking the hosts deny and hosts allow. : hostname lookups = yes : hostname lookups = no hosts allow (S) allow hosts . ,tab.. [global],. ip., allow hosts = 150.203.5. c.hosts_access(5).,. 127.0.0.1 ,hosts deny . /.,.EXCEPT(...). Example 1: 150.203.*.* IP hosts allow = 150.203. EXCEPT 150.203.6.66 Example 2: /IP hosts allow = 150.203.15.0/255.255.255.0 Example 3: hosts allow = lapland, arvidsjaur Example 4: NIS"foonet", hosts allow = @foonet hosts deny = pirate ,. testparm(1) . : none (,) : allow hosts = 150.203.5. myhost.mynet.edu.au hosts deny (S) hosts allow.,.,allow. : none () : hosts deny = 150.203.4. badhost.mynet.edu.au hosts equiv (G) ,.. hosts allow ,,. hosts equivsambaNT. :hosts equiv .PC.PC.hosts equiv,(). :-) : no host equivalences : hosts equiv = /etc/hosts.equiv idmap backend (G) The purpose of the idmap backend parameter is to allow idmap to NOT use the local idmap tdb file to obtain SID to UID / GID mappings, but instead to obtain them from a common LDAP backend. This way all domain members and controllers will have the same UID and GID to SID mappings.
This avoids the risk of UID / GID inconsistencies across UNIX / Linux systems that are sharing information over protocols other than SMB/CIFS (i.e. NFS). : idmap backend = <> : idmap backend = ldap:ldap://ldapslave.example.com idmap gid (G) The idmap gid parameter specifies the range of group ids that are allocated for the purpose of mapping UNIX groups to NT group SIDs. This range of group ids should have no existing local or NIS groups within it as strange conflicts can occur otherwise. The availability of an idmap gid range is essential for correct operation of all group mapping. : idmap gid = <> : idmap gid = 10000-20000 idmap uid (G) The idmap uid parameter specifies the range of user ids that are allocated for use in mapping UNIX users to NT user SIDs. This range of ids should have no existing local or NIS users within it as strange conflicts can occur otherwise. : idmap uid = <> : idmap uid = 10000-20000 include (G) .,. ,%u , %P %S. : : include = /usr/local/samba/lib/admin_smb.conf inherit acls (S) This parameter can be used to ensure that if default acls exist on parent directories, they are always honored when creating a subdirectory. The default behavior is to use the mode specified when creating the directory. Enabling this option sets the mode to 0777, thus guaranteeing that default directory acls are propagated. : inherit acls = no inherit permissions (S) The permissions on new files and directories are normally governed by create mask, directory mask, force create mode and force directory mode but the boolean inherit permissions parameter overrides this. New directories inherit the mode of the parent directory, including bits such as setgid. New files inherit their read/write bits from the parent directory. Their execute bits continue to be determined by map archive, map hidden and map system as usual. Note that the setuid bit is never set via inheritance (the code explicitly prohibits this).
This can be particularly useful on large systems with many users, perhaps several thousand, to allow a single [homes] share to be used flexibly by each user. create mask , directory mask, force create mode and force directory mode . : inherit permissions = no interfaces (G) Samba,NBT. Samba127.0.0.1 . , : (eth0).shelleth*"eth". IP.,. IP/. /. "mask"(C24). "IP"IP. ,: interfaces = eth0 192.168.2.10/24 192.168.3.10/255.255.255.0 ,eth0IP192.168.2.10 192.168.3.10255.255.255.0 bind interfaces only. : 127.0.0.1 that are broadcast capable invalid users (S) .(paranoid),. @NIS(NIS),NIS,UNIX. +UNIX,&NIX(NIS).'+''&',,,+&groupUNIX,NIS,&+group,NIX,UNIX.(@). %S,[homes]. valid users . : : invalid users = root fred admin @wheel keepalive (G) ,keepalive.0,. ,socketSO_KEEPALIVE(socket options),.,,. : keepalive = 300 : keepalive = 600 kernel change notify (G) This parameter specifies whether Samba should ask the kernel for change notifications in directories so that SMB clients can refresh whenever the data on the server changes. This parameter is only used when your kernel supports change notification to user programs, using the F_NOTIFY fcntl. : Yes kernel oplocks (G) oplocks(opportunistic lock)UNIX(IRIX Linux2.4),. UNIXNFS()smbd(8)oplocks .SMB/CIFS,NFS.(cool :-) ,on(),,Off().. oplocks level2 oplocks . : kernel oplocks = yes lanman auth (G) This parameter determines whether or not smbd(8) will attempt to authenticate users using the LANMAN password hash. If disabled, only clients which support NT password hashes (e.g. Windows NT/2000 clients, smbclient, etc... but not Windows 95/98 or the MS DOS network client) will be able to connect to the Samba host. The LANMAN encrypted response is easily broken, due to its case-insensitive nature and the choice of algorithm. Servers without Windows 95/98 or MS DOS clients are advised to disable this option.
Unlike the encrypt passwords option, this parameter cannot alter client behaviour, and the LANMAN response will still be sent over the network. See the client lanman auth parameter to disable this for Samba's clients (such as smbclient). If this option and ntlm auth are both disabled, then only NTLMv2 logins will be permitted. Not all clients support NTLMv2, and most will require special configuration to use it. Default : lanman auth = yes large readwrite (G) This parameter determines whether or not smbd(8) supports the new 64k streaming read and write variant SMB requests introduced with Windows 2000. Note that due to Windows 2000 client redirector bugs this requires Samba to be running on a 64-bit capable operating system such as IRIX, Solaris or a Linux 2.4 kernel. Can improve performance by 10% with Windows 2000 clients. Defaults to on. Not as tested as some other Samba code paths. : large readwrite = yes ldap admin dn (G) The ldap admin dn defines the Distinguished Name (DN) used by Samba to contact the ldap server when retrieving user account information. The ldap admin dn is used in conjunction with the admin dn password stored in the private/secrets.tdb file. See the smbpasswd(8) man page for more information on how to accomplish this. ldap delete dn (G) This parameter specifies whether a delete operation in the ldapsam deletes the complete entry or only the attributes specific to Samba. : ldap delete dn = no ldap filter (G) RFC2254LDAPsambaAccount uid . : ldap filter = (&(uid=%u)(objectclass=sambaAccount)) ldap group suffix (G) This parameter specifies the suffix that is used for groups when these are added to the LDAP directory. If this parameter is unset, the value of ldap suffix will be used instead. : none : dc=samba,ou=Groups ldap idmap suffix (G) This parameter specifies the suffix that is used when storing idmap mappings. If this parameter is unset, the value of ldap suffix will be used instead.
: none : ou=Idmap,dc=samba,dc=org ldap machine suffix (G) It specifies where machines should be added to the ldap tree. : none ldap passwd sync (G) This option is used to define whether or not Samba should sync the LDAP password with the NT and LM hashes for normal accounts (NOT for workstation, server or domain trusts) on a password change via SAMBA. The ldap passwd sync can be set to one of three values: Yes = Try to update the LDAP, NT and LM passwords and update the pwdLastSet time. No = Update NT and LM passwords and update the pwdLastSet time. Only = Only update the LDAP password and let the LDAP server do the rest. : ldap passwd sync = no ldap port (G) "--with-ldap". LDAPtcpLDAP636 : ldap ssl Default : ldap port = 636 ; ldap ssl = on Default : ldap port = 389 ; ldap ssl = off ldap server (G) "--with-ldapsam". ldapFQDN Default : ldap server = localhost ldap ssl (G) This option is used to define whether or not Samba should use SSL when connecting to the ldap server. This is NOT related to Samba's previous SSL support which was enabled by specifying the --with-ssl option to the configure script. The ldap ssl can be set to one of three values: Off = Never use SSL when querying the directory. Start_tls = Use the LDAPv3 StartTLS extended operation (RFC2830) for communicating with the directory server. On = Use SSL on the ldaps port when contacting the ldap server. Only available when the backwards-compatibility --with-ldapsam option is specified to configure. See passdb backend Default : ldap ssl = start_tls ldap suffix (G) ldap user suffixldap machine suffixldapbase dn : none ldap user suffix (G) This parameter specifies where users are added to the tree. If this parameter is not specified, the value from ldap suffix. : none level2 oplocks (S) Samba()oplocks 2,oplocksWindows NToplocks,oplocksoplocks(oplocksoplocks).2oplocks(,),(.exe). oplocks,(), told to break their oplocks to "none",read-ahead caches. 2oplocksCIFS. ,kernel oplocks,2oplocks(yes).,oplocks yes.
oplocks kernel oplocks : level2 oplocks = yes lm announce (G) nmbd(8)"Lanman",OS/2Samba.3:yesnoauto.auto.no,Samba.yes,Sambalm interval.auto,Samba,.,,lm interval. lm interval. : lm announce = auto : lm announce = yes lm interval (G) Samba"LanmanOS/2,lm announce.,."0",lm announce,"Lanman". lm announce. : lm interval = 60 : lm interval = 120 load printers (G) "printcap"Samba,."printers". : load printers = yes local master (G) nmbd(8).no, nmbd.,yes.yes,become ,become . no nmbd : local master = yes lock dir (G) lock directory . lock directory (G) "".max connections. : lock directory = ${prefix}/var/locks : lock directory = /var/run/samba/locks locking (S) ,"". locking = no ,.. locking = yes ,:CDROM.,no. ,,.,. : locking = yes lock spin count (G) This parameter controls the number of times that smbd should attempt to gain a byte range lock on the behalf of a client request. Experiments have shown that Windows 2k servers do not reply with a failure if the lock could not be immediately granted, but try a few more times in case the lock could later be aquired. This behavior is used to support PC database formats such as MS Access and FoxPro. : lock spin count = 3 lock spin time (G) The time in microseconds that smbd should pause before attempting to gain a failed lock. See lock spin count for more details. : lock spin time = 10 log file (G) Samba). ,. : log file = /usr/local/samba/var/log.%m log level (G) ()smb.conf().This parameter has been extended since the 2.2.x series, now it allow to specify the debug level for multiple debug classes. . ,,. : log level = 3 passdb:5 auth:10 winbind:2 logon drive (G) ,,(logon home). :Samba. : logon drive = z: : logon drive = h: logon home (G) Win95/98Win NTSamba PDC,.,(DOS): C:\> NET USE H: /HOME ,. This parameter can be used with Win9X workstations to ensure that roaming profiles are stored in a subdirectory of the user's home directory. 
This is done in the following way: logon home = \%NUrofile This tells Samba to return the above string, with substitutions made when a client requests the info, generally in a NetUserGetInfo request. Win9X clients truncate the info to \\server\share when a user does net use /home but use the whole string when dealing with profiles. Note that in prior versions of Samba, the logon path was returned rather than logon home. This broke net use /home but allowed profiles outside the home directory. The current implementation is correct, and can be used for profiles if you use the above trick. ,Sambalogon server. : logon home = "\%NU" : logon home = "\remote_smb_serverU" logon path (G) roaming profile(WindowsNTNTuser.dat ).Contrary to previous versions of these manual pages, it has nothing to do with Win 9X roaming profiles. To find out how to handle roaming profiles for Win 9X system, see the logon home parameter. ,.Windows NT""(,,). ,,Windows NT.,Windows NTNTuser.dat. ,.NTuser.dat,NTuser.man((MANdatory)user.dat). Windows[homes].,logon pathhomes(,\\%N\HOMES\profile_path). ,. ,Sambalogon server. : logon path = \\%N\%U\profile : logon path = \\PROFILESERVER\PROFILE\%U logon script (G) ,,,.batNT.cmd.DOS/CR/LF,,DOS. [netlogon],,[netlogon]path/usr/local/samba/netlogon,logon script = STARTUP.BAT, : /usr/local/samba/netlogon/STARTUP.BAT ,.:NET TIME \SERVER /SET /YES,:NET USE U:\\SERVER\"" : NET USE Q:\SERVERISO9001_QA :,[netlogon],.,. ,. ,Samba. : no logon script defined : logon script = scriptsU.bat lppause command (S) . .,. %p,%j().HPUX(printing=hpux ),lpq-p%p,,,,'PAUSED',,,'SPOOLED''PRINTING'. ,,PATH. printing parameter. : ,printingSYSV,, : lp -i %p-%j -H hold printingsoftq,: qstat -s -j%j -h HPUX: lppause command = /usr/bin/lpalt %p-%j -p0 lpq cache time (G) lpq,lpq.lpq,lpq,. /tmp/lpq.xxxx,xxxxlpq. 10,lpq10.lpq,. 0. printing . : lpq cache time = 10 : lpq cache time = 30 lpq command (S) lpq. . :CUPS, BSD,AIX,LPRNG,PLP,SYSV,HPUX,QNXSOFTQ.UNIX.printing =. 
(Windows for Workgroups).,.. %p,.. ,PATH,lpq command. CUPSlpq commandsmbd printing . : printing : lpq command = /usr/bin/lpq -P%p lpresume command (S) . .lppause command %p,.%j, . ,PATH,lpresume command printing . : printing SYSV, lp -i %p-%j -H resume printing SOFTQ, : qstat -s -j%j -r HPUX: lpresume command = /usr/bin/lpalt %p-%j -p2 lprm command (S) . ,. %p,.%j,. ,PATH,lprm command. printing . : printing 1: lprm command = /usr/bin/lprm -P%p %j 2: lprm command = /usr/bin/cancel %p-%j machine password timeout (G) sambaWindows NT(security=domain),smbdprivate/secrets.tdbTDBMACHINE ACCOUNT PASSWORD.(),NT. smbpasswd(8), security = domain . : machine password timeout = 604800 magic output (S) magic,magic script. :magic script,. : magic output = .out : magic output = myfile.txt magic script (S) ,,,.UNIXsamba,. ,. ,magic output(). ,CR/LFCR.magic,shelldos. magic,. : magic script. : magic script = user.csh mangle case (S) NAME MANGLING. : mangle case = no mangled map (S) Windows/DOSunix.,DOSUNIX,,HTMLUNIX.html,Windows/DOS.htm. html htm : mangled map = (*.html *.htm) CDROM;1(UNIX).(*;1 *;). : mangled map : mangled map = (*;1 *;) mangled names (S) UNIXDOSDOS("mangled"),DOS. NAME MANGLING. , ,. "~",,.,. ,'~',mangling char. ,,.'.'.'.',("hidden files" - ). unix,DOS."___",("___"). . ,,1/1300. unixunixWindows/DOS.Windows/DOSunix.. : mangled names = yes mangled stack (G) ,Sambasmbd(8). (3). ,unix.,(256). ,. : mangled stack = 50 : mangled stack = 100 mangle prefix (G) controls the number of prefix characters from the original name used when generating the mangled names. A larger value will give a weaker hash and therefore more name collisions. The minimum value is 1 and the maximum value is 6. mangle prefix is effective only when mangling method is hash2. : mangle prefix = 1 : mangle prefix = 4 mangling char (S) name manglingmagic.'~',.. : mangling char = ~ : mangling char = ^ mangling method (G) controls the algorithm used for the generating the mangled names. 
Can take two different values, "hash" and "hash2". "hash" is the default and is the algorithm that has been used in Samba for many years. "hash2" is newer and considered a better algorithm (it generates fewer collisions in the names). However, many Win32 applications store the mangled names and so changing to the new algorithm must not be done lightly as these applications may break unless reinstalled. : mangling method = hash2 : mangling method = hash map acl inherit (S) This boolean parameter controls whether smbd(8) will attempt to map the 'inherit' and 'protected' access control entry flags stored in Windows ACLs into an extended attribute called user.SAMBA_PAI. This parameter only takes effect if Samba is being run on a platform that supports extended attributes (Linux and IRIX so far) and allows the Windows 2000 ACL editor to correctly use inheritance with the Samba POSIX ACL mapping code. : map acl inherit = no map archive (S) DOSUNIX.DOS.SambaPCUNIX create mask(100).create mask. : map archive = yes map hidden (S) DOSUNIX. create mask(001).create mask. : map hidden = no map system (S) DOSUNIX. create mask(010).create mask. : map system = no map to guest (G) (security=share),,(user, server, domain). ,,smbd(8). : Never - .. Bad User - ,,guest account. Bad Password - ,guest.,,"",,. Helpdesk services will hate you if you set the map to guest parameter this way :-). ,"Guest".,,"Guest". ,local.hGUEST_SESSSETUP. : map to guest = Never : map to guest = Bad User max connections (S) .max connections0,,.0. ,.lock directory. : max connections = 0 : max connections = 10 max disk size (G) .100,100M. .,100M,, max disk size. ,1G. 0. : max disk size = 0 : max disk size = 1000 max log size (G) (kB).samba,.old. 0. : max log size = 5000 : max log size = 1000 max mux (G) SMB.. : max mux = 50 max open files (G) smbd(8).(10,000),. UNIX,.
: max open files = 10000 max print jobs (S) This parameter limits the maximum number of jobs allowable in a Samba printer queue at any given moment. If this number is exceeded, smbd(8) will remote "Out of Space" to the client. See all total print jobs. : max print jobs = 1000 : max print jobs = 5000 max protocol (G) ,. : CORE: ,. COREPLUS: CORE. LANMAN1: ,. LANMAN2: LANMAN1. NT1: Windows NT,CIFS. ,,SMB. min protocol : max protocol = NT1 : max protocol = LANMAN1 max reported print jobs (S) This parameter limits the maximum number of jobs displayed in a port monitor for Samba printer queue at any given moment. If this number is exceeded, the excess jobs will not be shown. A value of zero means there is no limit on the number of print jobs reported. See all total print jobs and max print jobs parameters. : max reported print jobs = 0 : max reported print jobs = 1000 max smbd processes (G) This parameter limits the maximum number of smbd(8) processes concurrently running on a system and is intended as a stopgap to prevent degrading service to clients in the event that the server has insufficient resources to handle more than this number of connections. Remember that under normal operating conditions, each user will have an smbd(8) associated with him or her to handle connections to all shares from a given host. : max smbd processes = 0 ## no limit : max smbd processes = 1000 max ttl (G) nmbd(8) WINS,NetBIOS('time to live', ).,3. : max ttl = 259200 max wins ttl (G) smbd(8)WINS(wins support =true),nmbdNetBIOS('time to live',).,6(518400). min wins ttl . : max wins ttl = 518400 max xmit (G) samba.65535,..2048. : max xmit = 65535 : max xmit = 8192 message command (G) WinPopup. . : message command = csh -c 'xedit %s;rm %s' & xedit,..'&'.,(30). .,%u(%U). ,,: %s = %t = (). %f = . .. root message command = /bin/mail -s 'message from %f on %m' root < %s; rm %s ,,Samba.WfWg(Windows for Workgrups),. 
message command = rm %s : message command : message command = csh -c 'xedit %s; rm %s' & min passwd length (G) min password length . min password length (G) UNIXsmbd. unix password sync, passwd program passwd chat debug . : min password length = 5 min print space (S) .kB .0,. printing : min print space = 0 : min print space = 2000 min protocol (G) The value of the parameter (a string) is the lowest SMB protocol dialect that Samba will support. Please refer to the max protocol parameter for a list of valid protocol names and a brief description of each. You may also wish to refer to the C source code in source/smbd/negprot.c for a listing of known protocol dialects supported by clients. If you are viewing this parameter as a security measure, you should also refer to the lanman auth parameter. Otherwise, you should never need to change this parameter. Default : min protocol = CORE Example : min protocol = NT1 # disable DOS clients min wins ttl (G) nmbd(8)WINS(wins support = yes),NetBIOS().,6(21600) : min wins ttl = 21600 msdfs proxy (S) This parameter indicates that the share is a stand-in for another CIFS share whose location is specified by the value of the parameter. When clients attempt to connect to this share, they are redirected to the proxied share using the SMB-Dfs protocol. Only Dfs roots can act as proxy shares. Take a look at the msdfs root and host msdfs options to find out how to set up a Dfs root share. : msdfs proxy = \\otherserver\someshare msdfs root (S) If set to yes, Samba treats the share as a Dfs root and allows clients to browse the distributed file system tree rooted at the share directory. Dfs links are specified in the share directory by symbolic links of the form msdfs:serverA\\shareA,serverB\\shareB and so on. For more information on setting up a Dfs tree on Samba, refer to ???. host msdfs : msdfs root = no name cache timeout (G) Specifies the number of seconds it takes before entries in samba's hostname resolve cache time out. If the timeout is set to 0,
the caching is disabled. : name cache timeout = 660 : name cache timeout = 0 name resolve order (G) sambaIP.netbios. "lmhosts","host","wins""bcast". lmhosts : sambalmhostsIP.lmhostsNetBIOS(lmhosts (5)),. host : IP,/etc/hosts,NISDNS.,IRIXSolaris/etc/nsswitch.conf.NetBIOS0x20()0x1c(),._ldap._tcp.domain SRV RRDNS wins : wins serverIP.WINS,. bcast : interfaces.,. : name resolve order = lmhosts host wins bcast : name resolve order = lmhosts bcast host lmhosts,,. When Samba is functioning in ADS security mode (security = ads) it is advised to use the following settings for name resolve order: name resolve order = wins bcast DC lookups will still be done via DNS, but fallbacks to netbios names will not inundate your DNS servers with needless queries for DOMAIN<0x1c> lookups. netbios aliases (G) NetBIOSnmbd.., ,. netbios name : () : netbios aliases = TEST TEST1 TEST2 netbios name (G) sambaNetBIOS.DNS.(DNS),. netbios aliases : machine DNS name : netbios name = MYNAME netbios scope (G) This sets the NetBIOS scope that Samba will operate under. This should not be set unless every machine on your LAN also sets this value. nis homedir (G) NIS.UNIX,. sambaNFS,SMB,(SMB,NFS).. Sambasamba,samba.samba,homedir mapNIS. NIS,samba : nis homedir = no nt acl support (S) smbd(8)UNIXNT.2.2.2 : nt acl support = yes ntlm auth (G) This parameter determines whether or not smbd(8) will attempt to authenticate users using the NTLM encrypted password response. If disabled, either the lanman password hash or an NTLMv2 response will need to be sent by the client. If this option and lanman auth are both disabled, then only NTLMv2 logins will be permitted. Not all clients support NTLMv2, and most will require special configuration to use it. Default : ntlm auth = yes nt pipe support (G) smbd(8)Windows NTNTSMBIPC$.,. : nt pipe support = yes nt status support (G) This boolean parameter controls whether smbd(8) will negotiate NT specific status support with Windows NT/2k/XP clients.
This is a developer debugging option and should be left alone. If this option is set to no then Samba offers exactly the same DOS error codes that versions prior to Samba 2.2.3 reported. You should not need to ever disable this : nt status support = yes null passwords (G) Allow or disallow client access to accounts that have null passwords. . smbpasswd(5). : null passwords = no obey pam restrictions (G) When Samba 3.0 is configured to enable PAM support (i.e. --with- pam), this parameter will control whether or not Samba should obey PAM's account and session management directives. The default behavior is to use PAM for clear text authentication only and to ignore any account or session management. Note that Samba always ignores PAM for authentication in the case of encrypt passwords = yes. The reason is that PAM modules cannot support the challenge/response authentication mechanism needed in the presence of SMB password encryption. : obey pam restrictions = no only guest (S) guest only. only user (S) user.,.user samba.[homes].user = %S,user,. user : only user = no oplock break wait time (G) Windows 9xWinNT.oplock(oplock break request)SMB,samba,.()sambaoplock. sambaoplock, : oplock break wait time = 0 oplock contention limit (S) smbd(8),oplocks. ,smbd(8)oplock.smbdWindows NT. sambaoplock,! : oplock contention limit = 2 oplocks (S) smbdoplocks().oplocksamba(approx.30% ).,(Windows NT).samba docs/Speed.txt. oplocks. veto oplock files .oplocks.oplocked,sambaNFSUNIX.kernel oplocks. kernel oplocks level2 oplocks parameters. : oplocks = yes os2 driver map (G) The parameter is used to define the absolute path to a file containing a mapping of Windows NT printer driver names to OS/2 printer driver names. The format is: = . For example, a valid entry using the HP LaserJet 5 printer driver would appear as HP LaserJet 5L = LASERJET.HP LaserJet 5L. The need for the file is due to the printer driver namespace problem described in ???. 
For more details on OS/2 clients, please refer to ???. : os2 driver map = <> os level (G) Samba. nmbd(8 WORKGROUP. : SambaM$Windows NT4.0/2000 SambaSamba docs/ BROWSING.txt : os level = 20 : os level = 65 pam password change (G) With the addition of better PAM support in Samba 2.2, this parameter, it is possible to use PAM's password change control flag for Samba. If enabled, then PAM will be used for password changes when requested by an SMB client instead of the program listed in passwd program. It should be possible to enable this without changing your passwd chat parameter for most setups. : pam password change = no panic action (G) sambasmbd(8)smbd(8).. : panic action = <> : panic action = "/bin/sleep 90000" paranoid server security (G) Some version of NT 4.x allow non-guest users with a bad passowrd. When this option is enabled, samba will not use a broken NT 4.x server as password server, but instead complain to the logs and exit. Disabling this option prevents Samba from making this check, which involves deliberatly attempting a bad logon to the remote server. : paranoid server security = yes passdb backend (G) This option allows the administrator to chose which backends to retrieve and store passwords with. This allows (for example) both smbpasswd and tdbsam to be used without a recompile. Multiple backends can be specified, separated by spaces. The backends will be searched in the order they are specified. New users are always added to the first backend specified. This parameter is in two parts, the backend's name, and a 'location' string that has meaning only to that particular backed. These are separated by a : character. Available backends can include: .TP 3 o smbpasswd - The default smbpasswd backend. Takes a path to the smbpasswd file as an optional argument. .TP o tdbsam - The TDB based password storage backend. Takes a path to the TDB as an optional argument (defaults to passdb.tdb in the private dir directory. 
o ldapsam - The LDAP based passdb backend. Takes an LDAP URL as an optional argument (defaults to ldap://localhost). LDAP connections should be secured where possible. This may be done using either Start-TLS (see ldap ssl) or by specifying ldaps:// in the URL argument. o nisplussam - The NIS+ based passdb backend. Takes the name of the NIS domain as an optional argument. Only works with Sun NIS+ servers. o mysql - The MySQL based passdb backend. Takes an identifier as argument. Read the Samba HOWTO Collection for configuration details. : passdb backend = smbpasswd : passdb backend = tdbsam:/etc/samba/private/passdb.tdb smbpasswd:/etc/samba/smbpasswd : passdb backend = ldapsam:ldaps://ldap.example.com : passdb backend = mysql:my_plugin_args tdbsam passwd chat (G) smbd(8)"chat".,smbd(8)passwd program.. chat(NIS). unix password syncyessmbpasswdSMBroot. rootNIS/YP passwdNIS %nchat\\n, \\r, \\t \\s tabchat'*' ".",.,".",. pam password changeyeschatPAMPAM\n unix password sync, passwd program , passwd chat debug pam password change. : passwd chat = *new*password* %n\n *new*password* %n\n *changed* : passwd chat = "*Enter OLD password*" %o\n "*Enter NEW password*" %n\n "*Reenter NEW password*" %n\n "*Password changed*" passwd chat debug (G) debug.,debug level100smbd(8).smbd ,.Sambapasswd programpasswd chat ,.pam password change. passwd chat , pam password change , passwd program . : passwd chat debug = no passwd program (G) UNIX.%u.. ,.(WfWg),. unix password syncyes,smbpasswdSMBroot.,smbdSMB,. unix password sync,,.unix password sync no. unix password sync. : passwd program = /bin/passwd : passwd program = /sbin/npasswd %u password level (G) /.WfWg,LANMAN1.COREPLUS! Windows95/98 : NTLM0.12 . ,"FRED". password level1,"FRED" "Fred", "fred", "fRed", "frEd","freD" password level2, "FRed", "FrEd", "FreD", "fREd", "fReD", "frED", .. .,,. 0 - ,. : password level = 0 : password level = 4 password server (G) SMB,security = [ads|domain|server],samba/. IP.
ADS realmLDAP 389ip(192.168.1.100:389)SambaLDAPtcp/389. WindowsNT4.0 netbios name resolve order "LM1.2X002""LM NT 0.12",. UNIX(Samba).. Samba,Samba,. ,%m,Samba., securitydomainads,Domain'*'.'*'sambaRPC. security = domain,password server,smbd ,. password server'*',sambaWORKGROUP<1C>IP. IP'*'DCSambaDC securityserver,security = domain password server,smbd,.security = server SMB/CIFS,Samba. Windows NT,Samba. security = server,,. security : password server = <> : password server = NT-PDC, NT-BDC1, NT-BDC2, * : password server = windc.mydomain.com:389 192.168.1.101 * : password server = * path (S) .,. This parameter specifies a directory to which the user of the service is to be given access. In the case of printable services, this is where print data will spool prior to being submitted to the host for printing. ,,(s).,. %uUNIX%mNetBIOS.,. root dir(). : : path = /home/fred pid directory (G) This option specifies the directory where pid files will be placed. : pid directory = ${prefix}/var/locks : pid directory = /var/run/ posix locking (S) The smbd(8) daemon maintains a database of file locks obtained by SMB clients. The default behavior is to map this internal database to POSIX locks. This means that file locks obtained by SMB clients are consistent with those seen by POSIX compliant applications accessing the files via a non-SMB method (e.g. NFS or local file access). You should never need to disable this. : posix locking = yes postexec (S) ..root. postexec = /etc/umount /cdrom preexec. : () : postexec = echo preexec (S) .. () preexec = csh -c 'echo ,:-) preexec close postexec . : () : preexec = echo preexec close (S) preexec . : preexec close = no prefered master (G) preferred master :-) preferred master (G) nmbd(8). yes,nmbd,. domain master = yes,nmbd. ,(SambaWindows95NT),,. os level. : preferred master = auto preload (G) .homesprinters,. ,printcap,load printers.
: no preloaded services : preload = fred lp colorlp preload modules (G) This is a list of paths to modules that should be loaded into smbd before a client connects. This improves the speed of smbd when reacting to new connections somewhat. : preload modules = : preload modules = /usr/lib/samba/passdb/mysql.so+++ preserve case (S) ,default case . : preserve case = yes NAME MANGLING. printable (S) yes,. ().read only. : printable = no printcap (G) printcap name . printcap name (S) printcap(/etc/printcap).[printers],. To use the CUPS printing interface set printcap name = cups . This should be supplemented by an additional setting printing = cups in the [global] section. printcap name = cups will use the "dummy" printcap created by CUPS, as specified in your CUPS configuration file. lpstatSystem V,printcap name = lpstat .sambaSYSV(System V).printcap namelpstat,sambalpstat -v. printcap print1|My Printer 1 print2|My Printer 2 print3|My Printer 3 print4|My Printer 4 print5|My Printer 5 '|'.Samba. AIXprintcap/etc/qconfig. qconfigSambaAIX qconfig : printcap name = /etc/printcap : printcap name = /etc/myprintcap print command (S) ,system().,.,,. %s, %f - %p - %J - %c - %z -() %s%f,%p.,,%p. [global],,. ,(). UNIXnobody.[global]guest account. shell.,,.';'shell. print command = echo Printing %s >> /tmp/print.log; lpr -P %p %s; rm %s .,printing. : printing = BSD, AIX, QNX, LPRNG PLP : print command = lpr -r -P%p %s printing = SYSV HPUX : print command = lp -c -d%p %s; rm %s printing = SOFTQ : print command = lp -d%p -s %s; rm %s printing = CUPS : Samba libcups, printcap=cupsCUPS API-orawSystemVlp -c -d%p -o raw; rm %s.printing = cups, Sambalibcups : print command = /usr/local/samba/bin/myprintscript %p %s printer (S) printer name printer admin (S) This is a list of users that can do anything to printers via the remote administration interfaces offered by MS-RPC (usually using an NT workstation). Note that the root user always has admin rights.
: printer admin = <> : printer admin = admin, @staff printer name (S) . [global],. : ( lp ) : printer name = laserwriter printing (S) ,[global]print command,lpq command,lppause command,lpresume commandlprm command ,BSD, AIX, LPRNG, PLP, SYSV, HPUX, QNX, SOFTQ, CUPS ,testparm(1). . [printers] print ok (S) printable private dir (G) This parameter defines the directory smbd will use for storing such files as smbpasswd and secrets.tdb. Default :private dir = ${prefix}/private profile acls (S) This boolean parameter controls whether smbd(8) This boolean parameter was added to fix the problems that people have been having with storing user profiles on Samba shares from Windows 2000 or Windows XP clients. New versions of Windows 2000 or Windows XP service packs do security ACL checking on the owner and ability to write of the profile directory stored on a local workstation when copied from a Samba share. When not in domain mode with winbindd then the security info copied onto the local workstation has no meaning to the logged in user (SID) on that workstation so the profile storing fails. Adding this parameter onto a share used for profile storage changes two things about the returned Windows ACL. Firstly it changes the owner and group owner of all reported files and directories to be BUILTIN\\Administrators, BUILTIN\\Users respectively (SIDs S-1-5-32-544, S-1-5-32-545). Secondly it adds an ACE entry of "Full Control" to the SID BUILTIN\\Users to every returned ACL. This will allow any Windows 2000 or XP workstation user to access the profile. Note that if you have multiple users logging on to a workstation then in order to prevent them from being able to access each other's profiles you must remove the "Bypass traverse checking" advanced user right.
This will prevent access to other users' profile directories as the top level profile directory (named after the user) is created by the workstation profile code and has an ACL restricting entry to the directory tree to the owning user. : profile acls = no protocol (G) max protocol public (S) guest ok queuepause command (S) . ,,. Windows for Workgroups,Windows 95NT. %p.. ,,PATH. : printing : queuepause command = disable %p queueresume command (S) .( queuepause command). ,,. Windows for Workgroups,Windows 95NT. %p.. ,,PATH. : printing : queuepause command = enable %p read bmpx (G) smbd(8)""(Read Block Multiplex)SMB.,no.. : read bmpx = no read list (S) .,,read only. invalid users . write list invalid users : read list = <> : read list = mary, @students read only (S) writeable . yes, (printable = yes) (). : read only = yes read raw (G) SMB. ,65535 65535.. ,(),,. ,.write raw. : read raw = yes read size (G) //.SMB(SMBwrite,SMBwriteXSMBreadbraw),SMBreadbraw,. ,,,. 16384,,,.65536,. : read size = 16384 : read size = 8192 realm (G) This option specifies the kerberos realm to use. The realm is used as the ADS equivalent of the NT4 domain. It is usually set to the DNS name of the kerberos server. : realm = : realm = mysambabox.mycompany.com remote announce (G) nmbd(8)IP. samba,.IP. : remote announce = 192.168.2.255/SERVERS 192.168.4.255/STAFF nmbd IP.IP,workgroup. IP,IP. : remote announce = <> remote browse sync (G) nmbd(8)(remote segment)Samba..Samba This is useful if you want your Samba server and all local clients to appear in a remote workgroup for which the normal browse propagation rules don't work. The remote workgroup can be anywhere that you can send IP packets to.
: remote browse sync = 192.168.2.255 192.168.4.255 nmbd IP,IP.IP,, samba : remote browse sync = <> restrict anonymous (G) Windows2000 NTHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous 012Windows2000/XPSambaM$ The security advantage of using restrict anonymous = 1 is dubious, as user and group list information can be obtained using other means. The security advantage of using restrict anonymous = 2 is removed by setting guest ok = yes on any share. : restrict anonymous = 0 root (G) root directory" root dir (G) root directory" . root directory (G) chroot()() .,.,.(wide links)"..". root directory,"/",,.root directory,.,root directory. /etc/passwd,,.,. : root directory = / : root directory = /homes/smb root postexec (S) postexec,root.,. postexec. : root postexec = <> root preexec (S) preexec,root.,. preexec preexec close . : root preexec = <> root preexec close (S) preexec close ,root. preexec preexec close. : root preexec close = no security (G) smb.conf,Samba. ""smbd(8) .(). security = user,Windows 98Windows NT. security = share, security = server security = domain . 2.0.0Samba, security = share WfWg,,WfWg"connect drive".WfWgSamba. UNIX,security = user.UNIXsecurity = share. ()security=share..security=userguest,map to guest. smbd(hybrid),NetBIOS aliases. . SECURITY = SHARE ,(WIN95/95NTsecurity = share ,).,(). smbd UNIX, security = share . ,,smbdUNIX. UNIX guest only,guest account. ,( - username map). logon (SessionSetup SMB)SMB. . NetBIOS. user. guest only,.UNIX. guest only,guest account,,. ,UNIX. NOTE ABOUT USERNAME/PASSWORD VALIDATION. SECURITY = USER samba2.0/3.0.,(username map)"".(encrypted passwords).userguest only,UNIX,. ,,.guest account,.map to guest. NOTE ABOUT USERNAME/PASSWORD VALIDATION. SECURITY = DOMAIN net(8)Windows NT,.encrypted passwordsyes.Samba/WindowsNTWindowsNT ,UNIXSambaUNIX ,,security=domainsecurity=user. .. ,,.guest account,.map to guest NOTE ABOUT USERNAME/PASSWORD VALIDATION . 
password server parameter encrypted passwords SECURITY = SERVER Samba/SMB,NT,.security = user,encrypted passwords yes,sambaUNIX,smbpasswd.Samba HOWTO Collection User Database This mode of operation has significant pitfalls, due to the fact that it actively initiates a man-in-the-middle attack on the remote SMB server. In particular, this mode of operation can cause significant resource consumption on the PDC, as it must maintain an active connection for the duration of the user's session. Furthermore, if this connection is lost, there is no way to reestablish it, and further authentications to the Samba server may fail (from a single client, until it disconnects). ,,security=serversecurity=user... ,,.guest account,. map to guest. NOTE ABOUT USERNAME/PASSWORD VALIDATION . password server parameter encrypted passwords SECURITY = ADS In this mode, Samba will act as a domain member in an ADS realm. To operate in this mode, the machine running Samba will need to have Kerberos installed and configured and Samba will need to be joined to the ADS realm using the net utility. Note that this mode does NOT make Samba operate as an Active Directory Domain Controller. Read the chapter about Domain Membership in the HOWTO for details. ads server parameter, the realm parameter encrypted passwords : security = USER : security = DOMAIN security mask (S) NTNTUNIX. This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating the UNIX permission on a file using the native NT security dialog box. '',.0. This parameter is applied as a mask (AND'ed with) to the changed permission bits, thus preventing any bits not in this mask from being modified. Essentially, zero bits in this mask may be treated as a set of bits the user is not allowed to change. ,0777user/group/world. ,Samba,.0777. force directory security mode, directory security mask, force security mode .
: security mask = 0777 : security mask = 0770 server schannel (G) This controls whether the server offers or even demands the use of the netlogon schannel. server schannel = no does not offer the schannel, server schannel = auto offers the schannel but does not enforce it, and server schannel = yes denies access if the client is not able to speak netlogon schannel. This is only the case for Windows NT4 before SP4. Please note that with this set to no you will have to apply the WindowsXP requireSignOrSeal-Registry patch found in the docs/Registry subdirectory. : server schannel = auto : server schannel = yes server signing (G) This controls whether the server offers or requires the client it talks to to use SMB signing. Possible values are auto, mandatory and disabled. When set to auto, SMB signing is offered, but not enforced. When set to mandatory, SMB signing is required and if set to disabled, SMB signing is not offered either. : client signing = False server string (G) net view()IPC.. . %v Samba %h : server string = Samba %v : server string = University of GNUs Samba Server set directory (S) set directory = nosetdir. setdirDigital Pathworks.Pathworks. : set directory = no set primary group script (G) Thanks to the Posix subsystem in NT a Windows User has a primary group in addition to the auxiliary groups. This script sets the primary group in the unix user database when an administrator sets the primary group from the windows user manager or when fetching a SAM with net rpc vampire. %u will be replaced with the user whose primary group is to be set. %g will be replaced with the group to set. : No default value : set primary group script = /usr/sbin/usermod -g '%g' '%u' set quota command (G) The set quota command should only be used whenever there is no operating system API available from the OS that samba can use. This parameter should specify the path to a script that can set quota for the specified arguments.
The specified script should take the following arguments: 1 - quota type (o 1 - user quotas o 2 - user default quotas (uid = -1) o 3 - group quotas o 4 - group default quotas (gid = -1)) 2 - id (uid for user, gid for group, -1 if N/A) 3 - quota state (0 = disable, 1 = enable, 2 = enable and enforce) 4 - block softlimit 5 - block hardlimit 6 - inode softlimit 7 - inode hardlimit 8 (optional) - block size, defaults to 1024. The script should output at least one line of data. get quota command : set quota command = : set quota command = /usr/local/sbin/set_quota share modes (S) share modes.. UNIX,UNIX(). DENY_DOS, DENY_ALL, DENY_READ,DENY_WRITE, DENY_NONE DENY_FCB. . Windows : share modes = yes short preserve case (S) 8.3(),default case .preserve case = yes, NAME MANGLING . : short preserve case = yes show add printer wizard (G) With the introduction of MS-RPC based printing support for Windows NT/2000 client in Samba 2.2, a "Printers..." folder will appear on Samba hosts in the share listing. Normally this folder will contain an icon for the MS Add Printer Wizard (APW). However, it is possible to disable this feature regardless of the level of privilege of the connected user. Under normal circumstances, the Windows NT/2000 client will open a handle on the printer server with OpenPrinterEx() asking for Administrator privileges. If the user does not have administrative access on the print server (i.e. is not root or a member of the printer admin group), the OpenPrinterEx() call fails and the client makes another open call with a request for a lower privilege level. This should succeed, however the APW icon will not be displayed. Disabling the show add printer wizard parameter will always cause the OpenPrinterEx() on the server to fail. Thus the APW icon will never be displayed. Note: This does not prevent the same user from having administrative privilege on an individual printer.
addprinter command, deleteprinter command, printer admin Default :show add printer wizard = yes shutdown script (G) This parameter only exists in the HEAD cvs branch. This is a full path name to a script called by smbd(8) that should start a shutdown procedure. This command will be run as the user connected to the server. %m %t %r %f parameters are expanded: %m will be substituted with the shutdown message sent to the server. %t will be substituted with the number of seconds to wait before effectively starting the shutdown procedure. %r will be substituted with the switch -r. It means reboot after shutdown for NT. %f will be substituted with the switch -f. It means force the shutdown even if applications do not respond for NT. : None. : shutdown script = /usr/local/samba/sbin/shutdown %m %t %r %f Shutdown script example:
#!/bin/bash
# Arguments: $1 = message (%m), $2 = seconds (%t), $3 = -r (%r), $4 = -f (%f)
time=$2
# Convert seconds to minutes, rounding up
let "time/=60"
let "time++"
/sbin/shutdown $3 $4 +$time "$1" &
Shutdown does not return so we need to launch it in background. abort shutdown script. smb passwd file (G) smbpasswd.samba. : smb passwd file = ${prefix}/private/smbpasswd : smb passwd file = /etc/samba/smbpasswd smb ports (G) Specifies which ports the server should listen on for SMB traffic. : smb ports = 445 139 socket address (G) samba..samba. By default Samba will accept connections on any address. : socket address = 192.168.2.20 socket options (G) . . samba.samba,.(man setsockopt). samba"Unknown socket option".includes.h.samba-bugs@samba.org. ,. SO_KEEPALIVE SO_REUSEADDR SO_BROADCAST TCP_NODELAY IPTOS_LOWDELAY IPTOS_THROUGHPUT SO_SNDBUF * SO_RCVBUF * SO_SNDLOWAT * SO_RCVLOWAT * '*'.10,10. "SOME_OPTION=VALUE"SO_SNDBUF=8192.,"=". , socket options = IPTOS_LOWDELAY socket options = IPTOS_LOWDELAY TCP_NODELAY ,IPTOS_THROUGHPU. samba. : socket options = TCP_NODELAY : socket options = IPTOS_LOWDELAY source environment (G) This parameter causes Samba to set environment variables as per the content of the file named.
If the value of this parameter starts with a "|" character then Samba will treat that value as a pipe command to open and will set the environment variables from the output of the pipe. The contents of the file or the output of the pipe should be formatted as the output of the standard Unix env(1) command. This is of the form: Example environment entry: SAMBA_NETBIOS_NAME = myhostname : No default value Examples: source environment = |/etc/smb.conf.sh : source environment = /usr/local/smb_env_vars stat cache (G) smbd(8).. : stat cache = yes strict allocate (S) This is a boolean that controls the handling of disk space allocation in the server. When this is set to yes the server will change from UNIX behaviour of not committing real disk storage blocks when a file is extended to the Windows behaviour of actually forcing the disk system to allocate real storage blocks when a file is created or extended to be a given size. In UNIX terminology this means that Samba will stop creating sparse files. This can be slow on some systems. When strict allocate is no the server does sparse disk block allocation when a file is extended. Setting this to yes can help Samba return out of quota messages on systems that are restricting the disk quota of users. : strict allocate = no strict locking (S) .yes,,.. strict locking,. ,strict locking = no. : strict locking = no strict sync (S) Windows(Windows 98).UNIX,,.,.no ()smbd(8) Windows.Samba,.,Windows98. sync always : strict sync = no sync always (S) .no().yesfsync() .strict syncyes. strict sync : sync always = no syslog (G) sambasyslog.0syslogLOG_ERR,1 LOG_WARNING,2LOG_NOTICE,3LOG_INFO. LOG_DEBUG. syslog.syslog. : syslog = 1 syslog only (G) sambasyslog,. : syslog only = no template homedir (G) When filling out the user information for a Windows NT user, the winbindd(8) daemon uses this parameter to fill in the home directory for that user. If the string %D is present it is substituted with the user's Windows NT domain name. 
If the string %U is present it is substituted with the user's Windows NT user name. : template homedir = /home/%D/%U template primary group (G) This option defines the default primary group for each user created by winbindd(8)'s local account management functions (similar to the 'add user script'). : template primary group = nobody template shell (G) When filling out the user information for a Windows NT user, the winbindd(8) daemon uses this parameter to fill in the login shell for that user. : template shell = /bin/false time offset (G) GMT.. : time offset = 0 : time offset = 60 time server (G) nmbd(8) Windows. : time server = no timestamp logs (G) debug timestamp . unicode (G) Specifies whether Samba should try to use unicode on the wire by default. Note: This does NOT mean that samba will assume that the unix machine uses unicode! : unicode = yes unix charset (G) Specifies the charset the unix machine Samba runs on uses. Samba needs to know this in order to be able to convert text to the charsets other SMB clients use. : unix charset = UTF8 : unix charset = ASCII unix extensions (G) This boolean parameter controls whether Samba implements the CIFS UNIX extensions, as defined by HP. These extensions enable Samba to better serve UNIX CIFS clients by supporting features such as symbolic links, hard links, etc... These extensions require a similarly enabled client, and are of no current use to Windows clients. : unix extensions = yes unix password sync (G) sambasmbpasswdSMBSMBUNIX.yesrootpasswd program - UNIXUNIX(SMB). passwd program, passwd chat. : unix password sync = no update encrypted (G) smbpasswd ().( UNIX)(SMB/ )smbpasswd. .smbpasswd ,no. ,yes encrypt passwordsno . ,smbd,(smbpasswd). : update encrypted = no use client driver (S) This parameter applies only to Windows NT/2000 clients. It has no effect on Windows 95/98/ME clients.
When serving a printer to Windows NT/2000 clients without first installing a valid printer driver on the Samba host, the client will be required to install a local printer driver. From this point on, the client will treat the printer as a local printer and not a network printer connection. This is much the same behavior that will occur when disable spoolss = yes. The differentiating factor is that under normal circumstances, the NT/2000 client will attempt to open the network printer using MS-RPC. The problem is that because the client considers the printer to be local, it will attempt to issue the OpenPrinterEx() call requesting access rights associated with the logged on user. If the user possesses local administrator rights but not root privilege on the Samba host (often the case), the OpenPrinterEx() call will fail. The result is that the client will now display an "Access Denied; Unable to connect" message in the printer queue window (even though jobs may successfully be printed). If this parameter is enabled for a printer, then any attempt to open the printer with the PRINTER_ACCESS_ADMINISTER right is mapped to PRINTER_ACCESS_USE instead, thus allowing the OpenPrinterEx() call to succeed. This parameter MUST NOT be enabled on a print share which has a valid print driver installed on the Samba server. disable spoolss : use client driver = no use mmap (G) This global parameter determines if the tdb internals of Samba can depend on mmap working correctly on the running system. Samba requires a coherent mmap/read-write system memory cache. Currently only HPUX does not have such a coherent cache, and so this parameter is set to no by default on HPUX. On all other systems this parameter should be left alone. This parameter is provided to help the Samba developers track down problems with the tdb internal code. : use mmap = yes user (S) username username (S) (). usernameCOREPLUS UNIXWfWg. ,\\server\share%user. username,Samba username., . .
sambaUNIX.,Samba ., telnet., . valid users . '@'NIS(Samba ),UNIX . '+'UNIX. '&'NIS(Samba). ,. NOTE ABOUT USERNAME/PASSWORD VALIDATION : guestguest,. :username = fred, mary, jack, jane, @users, @pcgroup username level (G) DOS,samba"" UNIX.,Samba,, UNIX. 0,.UNIX.,,.UNIXAstrangeUser . : username level = 0 : username level = 5 username map (G) ..DOSWindowsUNIX.. .'='UNIX,.@group,UNIX.'*'.1023. '='... '#' ';'. ,'!',.'!'. admin administratorUNIX root, root = admin administrator UNIX systemUNIXsys sys = @system . NIS NETGROUP,/etc/group . Windows. tridge = "Andrew Tridgell" windows"Andrew Tridgell"unix"tridge". maryfredunixsys,guest.'!'Samba. !sys = mary fred guest = * .\\server\fred fred mary,\\server\mary"mary fred., password server().. ..,WfWg. : no username map : username map = /usr/local/samba/lib/users.map users (S) username . use sendfile (S) If this parameter is yes, and Samba was built with the --with-sendfile-support option, and the underlying operating system supports the sendfile system call, then some SMB read calls (mainly ReadAndX and ReadRaw) will use the more efficient sendfile system call for files that are exclusively oplocked. This may make more efficient use of the system CPUs and cause Samba to be faster. This is off by default as its effects are unknown as yet. : use sendfile = no use spnego (G) This variable controls whether samba will try to use Simple and Protected NEGOciation (as specified by rfc2478) with WindowsXP and Windows2000 clients to agree upon an authentication mechanism. Unless further issues are discovered with our SPNEGO implementation, there is no reason this should ever be disabled. : use spnego = yes utmp (G) This boolean parameter is only available if Samba has been configured and compiled with the option --with-utmp. If set to yes then Samba will attempt to add utmp or utmpx records (depending on the UNIX system) whenever a connection is made to a Samba server.
Sites may use this to record the user connecting to a Samba share. Due to the requirements of the utmp record, we are required to create a unique identifier for the incoming user. Enabling this option creates an n^2 algorithm to find this number. This may impede performance on large installations. utmp directory : utmp = no utmp directory (G) This parameter is only available if Samba has been configured and compiled with the option --with-utmp. It specifies a directory pathname that is used to store the utmp or utmpx files (depending on the UNIX system) that record user connections to a Samba server. utmp By default this is not set, meaning the system will use whatever utmp file the native system is set to use (usually /var/run/utmp on Linux). : no utmp directory : utmp directory = /var/run/utmp -valid (S) This parameter indicates whether a share is valid and thus can be used. When this parameter is set to false, the share will be in no way visible nor accessible. This option should not be used by regular users but might be of help to developers. Samba uses this option internally to mark shares as deleted. : True valid users (S) .'@','+''&'invalid users . ().invalid users,. %S . [homes]. invalid users : () : valid users = greg, @pcusers veto files (S) .'/',.DOS'*''?'. UNIX,DOS, UNIX'/'. case sensitive. : Sambaveto filesdelete veto files yes. Samba,. hide files case sensitive. : . : ; 'Security' ; .tmp,'root' veto files = /*Security*/*.tmp/*root*/ ; NetAtalkApple veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/ veto oplock files (S) oplocks.Sambaoplocks,,veto files . : oplocks .NetBench SMB,.SEM.Sambaoplocks,[global]NetBench : veto oplock files = /*.SEM/ vfs object (S) vfs objects . vfs objects (S) This parameter specifies the backend names which are used for Samba VFS I/O operations. By default, normal disk I/O operations are used but these can be overloaded with one or more VFS objects. 
: no value : vfs objects = extd_audit recycle volume (S) ... : wide links (S) UNIX.. ,samba. : wide links = yes winbind cache time (G) This parameter specifies the number of seconds the winbindd(8) daemon will cache user and group information before querying a Windows NT server again. : winbind cache type = 300 winbind enable local accounts (G) This parameter controls whether or not winbindd will act as a stand in replacement for the various account management hooks in smb.conf (e.g. 'add user script'). If enabled, winbindd will support the creation of local users and groups as another source of UNIX account information available via getpwnam() or getgrgid(), etc... : winbind enable local accounts = yes winbind enum groups (G) On large installations using winbindd(8) it may be necessary to suppress the enumeration of groups through the setgrent(), getgrent() and endgrent() group of system calls. If the winbind enum groups parameter is no, calls to the getgrent() system call will not return any data. Warning: Turning off group enumeration may cause some programs to behave oddly. : winbind enum groups = yes winbind enum users (G) On large installations using winbindd(8) it may be necessary to suppress the enumeration of users through the setpwent(), getpwent() and endpwent() group of system calls. If the winbind enum users parameter is no, calls to the getpwent system call will not return any data. Warning: Turning off user enumeration may cause some programs to behave oddly. For example, the finger program relies on having access to the full user list when searching for matching usernames. : winbind enum users = yes winbind gid (G) This parameter is now an alias for idmap gid The winbind gid parameter specifies the range of group ids that are allocated by the winbindd(8) daemon. This range of group ids should have no existing local or NIS groups within it as strange conflicts can occur otherwise. 
: winbind gid = <> : winbind gid = 10000-20000 winbind separator (G) This parameter allows an admin to define the character used when listing a username of the form of DOMAIN\user. This parameter is only applicable when using the pam_winbind.so and nss_winbind.so modules for UNIX services. Please note that setting this parameter to + causes problems with group membership at least on glibc systems, as the character + is used as a special character for NIS in /etc/group. : winbind separator = '' : winbind separator = + winbind trusted domains only (G) This parameter is designed to allow Samba servers that are members of a Samba controlled domain to use UNIX accounts distributed via NIS, rsync, or LDAP as the uids for winbindd users in the host's primary domain. Therefore, the user 'SAMBA\user1' would be mapped to the account 'user1' in /etc/passwd instead of allocating a new uid for him or her. : winbind trusted domains only = winbind uid (G) This parameter is now an alias for idmap uid The winbind gid parameter specifies the range of user ids that are allocated by the winbindd(8) daemon. This range of ids should have no existing local or NIS users within it as strange conflicts can occur otherwise. : winbind uid = <> : winbind uid = 10000-20000 winbind use default domain (G) This parameter specifies whether the winbindd(8) daemon should operate on users without domain component in their username. Users without a domain component are treated as part of the winbindd server's own domain. While this does not benefit Windows users, it makes SSH, FTP and e-mail function in a way much closer to the way they would in a native unix system. : winbind use default domain = : winbind use default domain = yes wins hook (G) SambaWINS,WINS.,DNS. wins_hook operation name nametype ttl IP_list operation(),"add""delete""refresh".,.,"refresh",,"add". netbios.,.,,,. 2netbios. TTL (time to live). IP.. BINDDNSnsupdatesamba.
wins partners (G)
    A space-separated list of partners' IP addresses for WINS replication. WINS partners are always defined as push/pull partners, as defining only one-way WINS replication is unreliable. WINS replication is currently experimental and unreliable between Samba servers.

    Default: wins partners =

    Example: wins partners = 192.168.0.1 172.16.1.2

wins proxy (G)
    nmbd(8) .yes .

    Default: wins proxy = no

wins server (G)
    nmbdWINSIP(DNSIP(for preference)).WINS,IP. ,WINS

    If you want to work in multiple namespaces, you can give every WINS server a 'tag'. For each tag, only one (working) server will be queried for a name. The tag should be separated from the IP address by a colon.

    ,,SambaWINS.

    Default:

    Example: wins server = mary:192.9.200.1 fred:192.168.3.199 mary:192.168.2.61

    For this example, when querying a certain name, 192.9.200.1 will be asked first, and if that doesn't respond, 192.168.2.61. If either of those doesn't know the name, 192.168.3.199 will be queried.

    Example: wins server = 192.9.200.1 192.168.2.61

wins support (G)
    nmbd(8)WINS.yes,nmbdWINS.WINSyes.

    Default: wins support = no

workgroup (G)
    Samba.security = domain.

    Default: WORKGROUP

    Example: workgroup = MYGROUP

writable (S)
    writeable :-)

writeable (S)
    read only .

write cache size (S)
    If this integer parameter is set to a non-zero value, Samba will create an in-memory cache for each oplocked file (it does not do this for non-oplocked files). All writes that the client does not request to be flushed directly to disk will be stored in this cache if possible. The cache is flushed onto disk when a write comes in whose offset would not fit into the cache or when the file is closed by the client. Reads for the file are also served from this cache if the data is stored within it.

    This cache allows Samba to batch client writes into a more efficient write size for RAID disks (i.e. writes may be tuned to be the RAID stripe size) and can improve performance on systems where the disk subsystem is a bottleneck but there is free memory for userspace programs.
    The integer parameter specifies the size of this cache (per oplocked file) in bytes.

    Default: write cache size = 0

    Example: write cache size = 262144

    for a 256k cache size per file.

write list (S)
    .,,read only.@group. .

    read list

    Default: write list = <>

    Example: write list = admin, root, @staff

write ok (S)
    read only .

write raw (G)
    SMB..

    Default: write raw = yes

wtmp directory (G)
    This parameter is only available if Samba has been configured and compiled with the option --with-utmp. It specifies a directory pathname that is used to store the wtmp or wtmpx files (depending on the UNIX system) that record user connections to a Samba server. The difference from the utmp directory is that user info is kept after a user has logged out.

    utmp

    By default this is not set, meaning the system will use whatever utmp file the native system is set to use (usually /var/run/wtmp on Linux).

    Default: no wtmp directory

    Example: wtmp directory = /var/log/wtmp

WARNINGS
    ,., - .

    ,DOS,8. smbd(8),,.8.

    [homes] [printers],...

VERSION
    samba3.0

SEE ALSO
    samba(7), smbpasswd(8), swat(8), smbd(8), nmbd(8), smbclient(1), nmblookup(1), testparm(1), testprns(1).

AUTHOR
    samba Andrew Tridgell samba Samba Team linux

    samba Karl Auer YODL (ftp://ftp.ice.rug.nl/pub/unix) Jeremy Allison Samba2.0 Gerald Carter Samba2.2 DocBook Alexander Bokovoy Samba 3.0 DocBook XML4.2

[] meaculpa
[] 2000/12/08
linuxman: http://cmpp.linuxforum.net

man man https://github.com/man-pages-zh/manpages-zh