DOC HOME SITE MAP MAN PAGES GNU INFO SEARCH
 

smb.conf(5)





NAME

       smb.conf - The configuration file for the Samba suite


SYNOPSIS

       The smb.conf file is a configuration file for the Samba suite. smb.conf
       contains runtime configuration  information  for  the  Samba  programs.
       Thesmb.conf  file  is  designed  to  be  configured and administered by
       theswat(8) program. The complete description of  the  file  format  and
       possible parameters held within are here for reference purposes.


FILE FORMAT

       The file consists of sections and parameters. A section begins with the
       name of the section in square brackets and  continues  until  the  next
       section begins. Sections contain parameters of the form:

       name = value

       The  file  is line-based - that is, each newline-terminated line repre-
       sents either a comment, a section name or a parameter.

       Section and parameter names are not case sensitive.

       Only the first equals sign in a parameter  is  significant.  Whitespace
       before  or  after the first equals sign is discarded. Leading, trailing
       and internal whitespace in section and parameter names  is  irrelevant.
       Leading  and  trailing  whitespace  in  a parameter value is discarded.
       Internal whitespace within a parameter value is retained verbatim.

       Any line beginning with a semicolon (``;'') or a hash (``#'') character
       is ignored, as are lines containing only whitespace.

       Any line ending in a ``\'' is continued on the next line in the custom-
       ary UNIX fashion.

       The values following the equals sign in parameters  are  all  either  a
       string  (no  quotes needed) or a boolean, which may be given as yes/no,
       0/1 or true/false. Case is not significant in boolean  values,  but  is
       preserved  in  string  values.  Some  items  such  as  create masks are
       numeric.


SECTION DESCRIPTIONS

       Each section in the configuration file (except for  the  [global]  sec-
       tion)  describes  a shared resource (known as a ``share''). The section
       name is the name of the shared resource and the parameters  within  the
       section define the shares attributes.

       There  are  three  special  sections, [global], [homes] and [printers],
       which are described underspecial sections. The following notes apply to
       ordinary section descriptions.

       A  share  consists of a directory to which access is being given plus a
       description of the access rights which are granted to the user  of  the
       service. Some housekeeping options are also specifiable.

       Sections  are  either  file  share  services  (used by the client as an
       extension of their native file systems) or printable services (used  by
       the client to access print services on the host running the server).

       Sections may be designated guest services, in which case no password is
       required to access them. A specified UNIX  guest  account  is  used  to
       define access privileges in this case.

       Sections  other  than  guest services will require a password to access
       them. The client provides the username. As older clients  only  provide
       passwords  and  not  usernames,  you may specify a list of usernames to
       check against the password using the user = option in the share defini-
       tion.  For modern clients such as Windows 95/98/ME/NT/2000, this should
       not be necessary.

       The access rights granted by the server are masked by the access rights
       granted  to  the  specified  or guest UNIX user by the host system. The
       server does not grant more access than the host system grants.

       The following sample section defines a file space share. The  user  has
       write access to the path /home/bar. The share is accessed via the share
       name foo:
        [foo]path = /home/barread only = read only = no

       The following sample section defines a printable share.  The  share  is
       read-only,  but  printable. That is, the only write access permitted is
       via calls to open, write to and close a spool file. The guest ok param-
       eter  means  access will be permitted as the default guest user (speci-
       fied elsewhere):
        [aprinter]path = /usr/spool/publicread only = yesprintable =  yesguest
       ok = yes


SPECIAL SECTIONS

   The [global] section
       Parameters  in  this  section  apply  to  the server as a whole, or are
       defaults for sections that do not specifically  define  certain  items.
       See the notes under PARAMETERS for more information.

   The [homes] section
       If a section called [homes] is included in the configuration file, ser-
       vices connecting clients to their home directories can  be  created  on
       the fly by the server.

       When the connection request is made, the existing sections are scanned.
       If a match is found, it is used. If no match is  found,  the  requested
       section  name is treated as a username and looked up in the local pass-
       word file. If the name exists and the correct password has been  given,
       a share is created by cloning the [homes] section.

       Some modifications are then made to the newly created share:

       o  The share name is changed from homes to the located username.

       o  If  no path was given, the path is set to the user's home directory.

       If you decide to use a path = line in your [homes] section, it  may  be
       useful to use the %S macro. For example:

       path = /data/pchome/%S
        is useful if you have different home directories for your PCs than for
       UNIX access.

       This is a fast and simple way to give a large number of clients  access
       to their home directories with a minimum of fuss.

       A  similar  process  occurs if the requested section name is ``homes'',
       except that the share name is not changed to  that  of  the  requesting
       user.  This method of using the [homes] section works well if different
       users share a client PC.

       The [homes] section can specify all the  parameters  a  normal  service
       section  can specify, though some make more sense than others. The fol-
       lowing is a typical and suitable [homes] section:
        [homes]read only = no

       An important point is that if guest access is specified in the  [homes]
       section,  all home directories will be visible to all clients without a
       password. In the very unlikely event that this is  actually  desirable,
       it is wise to also specify read only access.

       The  browseable  flag  for auto home directories will be inherited from
       the global browseable flag, not the [homes] browseable  flag.  This  is
       useful  as it means setting browseable = no in the [homes] section will
       hide the [homes] share but make any auto home directories visible.

   The [printers] section
       This section works like [homes], but for printers.

       If a [printers] section occurs in the  configuration  file,  users  are
       able  to  connect to any printer specified in the local host's printcap
       file.

       When a connection request is made, the existing sections  are  scanned.
       If  a  match  is found, it is used. If no match is found, but a [homes]
       section exists, it is used as described above. Otherwise, the requested
       section  name is treated as a printer name and the appropriate printcap
       file is scanned to see if the requested section name is a valid printer
       share  name.  If  a  match  is found, a new printer share is created by
       cloning the [printers] section.

       A few modifications are then made to the newly created share:

       o  The share name is set to the located printer name

       o  If no printer name was given, the printer name is set to the located
          printer name

       o  If the share does not permit guest access and no username was given,
          the username is set to the located printer name.

       The [printers] service MUST be printable - if  you  specify  otherwise,
       the server will refuse to load the configuration file.

       Typically  the path specified is that of a world-writeable spool direc-
       tory with the sticky bit set on it. A typical  [printers]  entry  looks
       like this:
        [printers]path = /usr/spool/publicguest ok = yesprintable = yes

       All  aliases  given  for  a printer in the printcap file are legitimate
       printer names as far as the server is concerned. If your printing  sub-
       system  doesn't work like that, you will have to set up a pseudo-print-
       cap. This is a file consisting of one or more lines like this:

       alias|alias|alias|alias...

       Each alias should be an acceptable printer name for your printing  sub-
       system. In the [global] section, specify the new file as your printcap.
       The server will only recognize names  found  in  your  pseudo-printcap,
       which  of  course can contain whatever aliases you like. The same tech-
       nique could be used simply to limit access to a subset  of  your  local
       printers.

       An alias, by the way, is defined as any component of the first entry of
       a printcap record. Records are separated by  newlines,  components  (if
       there are more than one) are separated by vertical bar symbols (|).

              Note

              On  SYSV systems which use lpstat to determine what printers are
              defined on the system you may be  able  to  useprintcap  name  =
              lpstat to automatically obtain a list of printers. See theprint-
              cap name option for more details.


PARAMETERS

       Parameters define the specific attributes of sections.

       Some parameters are specific to the [global] section (e.g.,  security).
       Some  parameters  are  usable  in all sections (e.g., create mask). All
       others are permissible only in normal sections. For the purposes of the
       following descriptions the [homes] and [printers] sections will be con-
       sidered normal. The letter G in parentheses indicates that a  parameter
       is  specific  to  the  [global]  section. The letter S indicates that a
       parameter can be specified in a service specific section. All S parame-
       ters can also be specified in the [global] section - in which case they
       will define the default behavior for all services.

       Parameters are arranged here in alphabetical order - this may not  cre-
       ate  best  bedfellows,  but at least you can find them! Where there are
       synonyms, the preferred synonym is described, others refer to the  pre-
       ferred synonym.


VARIABLE SUBSTITUTIONS

       Many  of the strings that are settable in the config file can take sub-
       stitutions. For example the option``path = /tmp/%u'' is interpreted  as
       ``path = /tmp/john'' if the user connected with the username john.

       These  substitutions  are  mostly  noted in the descriptions below, but
       there are some general substitutions which apply whenever they might be
       relevant. These are:

       %U     session  username (the username that the client wanted, not nec-
              essarily the same as the one they got).

       %G     primary group name of %U.

       %h     the Internet hostname that Samba is running on.

       %m     the NetBIOS name of the client machine (very useful).

              This parameter is not available when Samba listens on port  445,
              as  clients  no  longer  send  this information. If you use this
              macro in an include statement on  a  domain  that  has  a  Samba
              domain  controller  be  sure  to set in the [global] section smb
              ports = 139. This will cause Samba to not listen on port 445 and
              will  permit  include  functionality  to function as it did with
              Samba 2.x.

       %L     the NetBIOS name of the server. This allows you to  change  your
              config  based on what the client calls you. Your server can have
              a ``dual personality''.

       %M     the Internet name of the client machine.

       %R     the selected protocol level after protocol negotiation.  It  can
              be one of CORE, COREPLUS, LANMAN1, LANMAN2 or NT1.

       %d     the process id of the current server process.

       %a     the  architecture of the remote machine. It currently recognizes
              Samba (Samba), the Linux CIFS file system (CIFSFS), OS/2, (OS2),
              Windows for Workgroups (WfWg), Windows 9x/ME (Win95), Windows NT
              (WinNT), Windows 2000 (Win2K), Windows XP (WinXP),  and  Windows
              2003 (Win2K3). Anything else will be known asUNKNOWN.

       %I     the IP address of the client machine.

       %i     the local IP address to which a client connected.

       %T     the current date and time.

       %D     name of the domain or workgroup of the current user.

       %$(envvar)
              the value of the environment variableenvar.

       The  following  substitutes  apply  only  to some configuration options
       (only those that are used when a connection has been established):

       %S     the name of the current service, if any.

       %P     the root directory of the current service, if any.

       %u     username of the current service, if any.

       %g     primary group name of %u.

       %H     the home directory of the user given by %u.

       %N     the name of your NIS home directory  server.  This  is  obtained
              from  your  NIS  auto.map  entry. If you have not compiled Samba
              with the --with-automount option, this value will be the same as
              %L.

       %p     the path of the service's home directory, obtained from your NIS
              auto.map entry. The NIS auto.map entry is split up as %N:%p.

       There are some quite creative things that can be done with  these  sub-
       stitutions and othersmb.conf options.


NAME MANGLING

       Samba  supports  name  mangling so that DOS and Windows clients can use
       files that don't conform to the 8.3 format.  It  can  also  be  set  to
       adjust the case of 8.3 format filenames.

       There  are  several options that control the way mangling is performed,
       and they are grouped  here  rather  than  listed  separately.  For  the
       defaults look at the output of the testparm program.

       All  of  these options can be set separately for each service (or glob-
       ally, of course).

       The options are:

       case sensitive = yes/no/auto
              controls whether filenames are case sensitive. If  they  aren't,
              Samba  must  do a filename search and match on passed names. The
              default setting of auto allows clients that support case  sensi-
              tive filenames (Linux CIFSVFS and smbclient 3.0.5 and above cur-
              rently) to tell the Samba server on a per-packet basis that they
              wish  to  access  the file system in a case-sensitive manner (to
              support UNIX case sensitive semantics). No Windows or DOS system
              supports  case-sensitive filename so setting this option to auto
              is that same as setting it to no for them. Default auto.

       default case = upper/lower
              controls what the default case is  for  new  filenames.  Default
              lower.

       preserve case = yes/no
              controls  whether  new  files are created with the case that the
              client passes, or if they are  forced  to  be  thedefault  case.
              Default yes.

       short preserve case = yes/no
              controls  if  new files which conform to 8.3 syntax, that is all
              in upper case and of suitable length, are created upper case, or
              if  they  are  forced to be the default case. This option can be
              used with preserve case = yes to permit long filenames to retain
              their case, while short names are lowercased. Default yes.

       By default, Samba 3.0 has the same semantics as a Windows NT server, in
       that it is case insensitive but case preserving.


NOTE ABOUT USERNAME/PASSWORD VALIDATION

       There are a number of ways in which a user can connect  to  a  service.
       The  server  uses the following steps in determining if it will allow a
       connection to a specified service. If all the steps fail,  the  connec-
       tion  request  is  rejected. However, if one of the steps succeeds, the
       following steps are not checked.

       If the service is marked ``guest only = yes'' and the server is running
       with  share-level  security  (``security  =  share'',  steps 1 to 5 are
       skipped.

       1. If the client has passed a username/password  pair  and  that  user-
          name/password  pair  is validated by the UNIX system's password pro-
          grams, the connection  is  made  as  that  username.  This  includes
          the\\server\service%username method of passing a username.

       2. If  the  client has previously registered a username with the system
          and now supplies a correct password for that username,  the  connec-
          tion is allowed.

       3. The  client's  NetBIOS  name  and  any previously used usernames are
          checked against the supplied password. If they match, the connection
          is allowed as the corresponding user.

       4. If the client has previously validated a username/password pair with
          the server and the client has  passed  the  validation  token,  that
          username is used.

       5. If  a user = field is given in the smb.conf file for the service and
          the client has  supplied  a  password,  and  that  password  matches
          (according  to  the UNIX system's password checking) with one of the
          usernames from the user = field, the connection is made as the user-
          name  in the user = line. If one of the usernames in the user = list
          begins with a @, that name expands to a list of names in  the  group
          of the same name.

       6. If the service is a guest service, a connection is made as the user-
          name given in the guest account = for the service,  irrespective  of
          the supplied password.


EXPLANATION OF EACH PARAMETER

       abort shutdown script (G)
              This  a full path name to a script called by smbd(8) that should
              stop a shutdown procedure issued by the shutdown script.

              If the connected user  posseses  the  SeRemoteShutdownPrivilege,
              right, this command will be run as user.

              Default: abort shutdown script =

              Example: abort shutdown script = /sbin/shutdown -c

       acl compatibility (S)
              This parameter specifies what OS ACL semantics should be compat-
              ible with. Possible values are winnt for Windows NT 4,win2k  for
              Windows  2000 and above and auto. If you specify auto, the value
              for this parameter will be based upon the version of the client.
              There  should  be  no  reason  to change this parameter from the
              default.

              Default: acl compatibility = Auto

              Example: acl compatibility = win2k

       acl group control (S)
              In a POSIX filesystem, only the owner of a file or directory and
              the  superuser can modify the permissions and ACLs on a file. If
              this parameter is set, then Samba  overrides  this  restriction,
              and also allows theprimary group owner of a file or directory to
              modify the permissions and ACLs on that file.

              On a Windows server, groups may be the owner of a file or direc-
              tory  - thus allowing anyone in that group to modify the permis-
              sions on it. This allows the delegation of security controls  on
              a  point in the filesystem to the group owner of a directory and
              anything below it also owned by that group. This means there are
              multiple  people  with  permissions  to modify ACLs on a file or
              directory, easing managability.

              This parameter allows Samba to also  permit  delegation  of  the
              control over a point in the exported directory hierarchy in much
              the same was as Windows. This allows all members of a UNIX group
              to  control  the  permissions  on  a file or directory they have
              group ownership on.

              This parameter is best used with the inherit  owner  option  and
              also  on  on a share containing directories with the UNIX setgid
              bit bit set on them, which causes new files and directories cre-
              ated  within it to inherit the group ownership from the contain-
              ing directory.

              This is a new parameter introduced in Samba 3.0.20.

              This can be particularly useful to allow groups to manage  their
              own  security on a part of the filesystem they have group owner-
              ship of, removing the bottleneck of having only the  user  owner
              or superuser able to reset permissions.

              Default: acl group control = no

       add group script (G)
              This is the full pathname to a script that will be runAS ROOT by
              smbd(8) when a new group is requested. It will expand any %g  to
              the  group name passed. This script is only useful for installa-
              tions using the Windows  NT  domain  administration  tools.  The
              script  is free to create a group with an arbitrary name to cir-
              cumvent unix group name restrictions. In that  case  the  script
              must print the numeric gid of the created group on stdout.

              No default

       add machine script (G)
              This is the full pathname to a script that will be run bysmbd(8)
              when a machine is added to it's domain using  the  administrator
              username and password method.

              This  option  is  only required when using sam back-ends tied to
              the Unix uid method of RID calculation such as  smbpasswd.  This
              option is only available in Samba 3.0.

              Default: add machine script =

              Example:  add  machine script = /usr/sbin/adduser -n -g machines
              -c Machine -d /var/lib/nobody -s /bin/false %u

       addprinter command (G)
              With the introduction of MS-RPC based printing support for  Win-
              dows  NT/2000  clients  in  Samba 2.2, The MS Add Printer Wizard
              (APW) icon is now also available  in  the  "Printers..."  folder
              displayed a share listing. The APW allows for printers to be add
              remotely to a Samba or Windows NT/2000 print server.

              For a Samba host this means that the printer must be  physically
              added to the underlying printing system. The add printer command
              defines a script to be run  which  will  perform  the  necessary
              operations for adding the printer to the print system and to add
              the appropriate service definition to the smb.conf file in order
              that it can be shared by smbd(8).

              The addprinter command is automatically invoked with the follow-
              ing parameter (in order):

              o  printer name

              o  share name

              o  port name

              o  driver name

              o  location

              o  Windows 9x driver location

              All parameters are filled in from the  PRINTER_INFO_2  structure
              sent by the Windows NT/2000 client with one exception. The "Win-
              dows 9x driver location" parameter  is  included  for  backwards
              compatibility  only.  The  remaining fields in the structure are
              generated from answers to the APW questions.

              Once the addprinter command has been executed, smbd will reparse
              the   smb.conf  to  determine  if  the  share defined by the APW
              exists. If the sharename  is  still  invalid,  then  smbd   will
              return an ACCESS_DENIED error to the client.

              The  "add  printer  command" program can output a single line of
              text, which Samba will set as the port the new printer  is  con-
              nected  to.  If  this  line isn't output, Samba won't reload its
              printer shares.

              Default: addprinter command =

              Example: addprinter command = /usr/bin/addprinter

       add share command (G)
              Samba 2.2.0 introduced the ability to dynamically add and delete
              shares  via the Windows NT 4.0 Server Manager. Theadd share com-
              mand is used to define an external program or script which  will
              add  a  new service definition to smb.conf. In order to success-
              fully execute the add share  command,  smbd  requires  that  the
              administrator be connected using a root account (i.e. uid == 0).

              When executed, smbd will automatically invoke theadd share  com-
              mand with four parameters.

              o  configFile - the location of the global smb.conf file.

              o  shareName - the name of the new share.

              o  pathName - path to an **existing** directory on disk.

              o  comment - comment string to associate with the new share.

              This  parameter is only used for add file shares. To add printer
              shares, see the addprinter command.

              Default: add share command =

              Example: add share command = /usr/local/bin/addshare

       add user script (G)
              This is the full pathname to a script that will be run  AS  ROOT
              by smbd(8) under special circumstances described below.

              Normally,  a  Samba  server requires that UNIX users are created
              for all users accessing files on this server. For sites that use
              Windows NT account databases as their primary user database cre-
              ating these users and keeping the user list  in  sync  with  the
              Windows  NT  PDC  is an onerous task. This option allows smbd to
              create the required UNIX usersON DEMAND when a user accesses the
              Samba server.

              In order to use this option, smbd(8) must NOT be set to security
              = share and add user script must be set to a full pathname for a
              script  that  will  create a UNIX user given one argument of %u,
              which expands into the UNIX user name to create.

              When the Windows user attempts to access the  Samba  server,  at
              login (session setup in the SMB protocol) time, smbd(8) contacts
              the password server and attempts to authenticate the given  user
              with  the  given  password.  If the authentication succeeds then
              smbd attempts to find a UNIX user in the UNIX password  database
              to map the Windows user into. If this lookup fails, and add user
              script  is set then smbd will call the specified script AS ROOT,
              expanding any %u argument to be the user name to create.

              If  this  script  successfully  creates the user then smbd  will
              continue on as though the UNIX user  already  existed.  In  this
              way,  UNIX  users are dynamically created to match existing Win-
              dows NT accounts.

              See also security, password server,delete user script.

              Default: add user script =

              Example: add user script = /usr/local/samba/bin/add_user %u

       add user to group script (G)
              Full path to the script that will be called when a user is added
              to  a group using the Windows NT domain administration tools. It
              will be run by smbd(8)AS ROOT. Any %g will be replaced with  the
              group name and any %u will be replaced with the user name.

              Note that the adduser command used in the example below does not
              support the used syntax on all systems.

              Default: add user to group script =

              Example: add user to group script = /usr/sbin/adduser %u %g

       admin users (S)
              This is a list of users who will be granted administrative priv-
              ileges on the share. This means that they will do all file oper-
              ations as the super-user (root).

              You should use this option very carefully, as any user  in  this
              list  will  be able to do anything they like on the share, irre-
              spective of file permissions.

              This parameter will not work with the security = share in  Samba
              3.0. This is by design.

              Default: admin users =

              Example: admin users = jason

       afs share (S)
              This parameter controls whether special AFS features are enabled
              for this share.  If  enabled,  it  assumes  that  the  directory
              exported  via the path parameter is a local AFS import. The spe-
              cial AFS features include the attempt to hand-craft an AFS token
              if you enabled --with-fake-kaserver in configure.

              Default: afs share = no

       afs username map (G)
              If  you  are using the fake kaserver AFS feature, you might want
              to hand-craft the usernames you are  creating  tokens  for.  For
              example  this is necessary if you have users from several domain
              in your AFS Protection Database. One  possible  scheme  to  code
              users  as  DOMAIN+User  as it is done by winbind with the + as a
              separator.

              The mapped user name must contain the cell name to log into,  so
              without setting this parameter there will be no token.

              Default: afs username map =

              Example: afs username map = %u@afs.samba.org

       algorithmic rid base (G)
              This  determines how Samba will use its algorithmic mapping from
              uids/gid to the RIDs needed to  construct  NT  Security  Identi-
              fiers.

              Setting  this  option to a larger value could be useful to sites
              transitioning from WinNT and Win2k, as existing user  and  group
              rids would otherwise clash with sytem users etc.

              All  UIDs and GIDs must be able to be resolved into SIDs for the
              correct operation of ACLs on the server. As such the algorithmic
              mapping  can't  be 'turned off', but pushing it 'out of the way'
              should resolve the issues. Users and groups can then be assigned
              'low' RIDs in arbitary-rid supporting backends.

              Default: algorithmic rid base = 1000

              Example: algorithmic rid base = 100000

       allocation roundup size (S)
              This  parameter  allows  an administrator to tune the allocation
              size reported to Windows clients. The default size of 1Mb gener-
              ally  results  in  improved Windows client performance. However,
              rounding the allocation size may  cause  difficulties  for  some
              applications,  e.g.  MS  Visual  Studio. If the MS Visual Studio
              compiler starts to crash with an internal error, set this param-
              eter to zero for this share.

              The integer parameter specifies the roundup size in bytes.

              Default: allocation roundup size = 1048576

              Example: allocation roundup size = 0 # (to disable roundups)

       allow trusted domains (G)
              This option only takes effect when the security option is set to
              server,domain or ads. If it is set to no, then attempts to  con-
              nect to a resource from a domain or workgroup other than the one
              which smbd is running in will  fail,  even  if  that  domain  is
              trusted by the remote server doing the authentication.

              This  is  useful  if  you  only  want your Samba server to serve
              resources to users in the domain it is a member of. As an  exam-
              ple,  suppose  that there are two domains DOMA and DOMB. DOMB is
              trusted by DOMA, which contains the Samba server.  Under  normal
              circumstances,  a  user  with an account in DOMB can then access
              the resources of a UNIX account with the same  account  name  on
              the  Samba  server  even if they do not have an account in DOMA.
              This can make implementing a security boundary difficult.

              Default: allow trusted domains = yes

       announce as (G)
              This specifies what type of server nmbd(8) will announce  itself
              as,  to  a  network neighborhood browse list. By default this is
              set to Windows NT. The valid options are :  "NT  Server"  (which
              can also be written as "NT"), "NT Workstation", "Win95" or "WfW"
              meaning Windows NT Server, Windows NT  Workstation,  Windows  95
              and  Windows  for  Workgroups  respectively.  Do not change this
              parameter unless you have a specific need to stop Samba  appear-
              ing  as an NT server as this may prevent Samba servers from par-
              ticipating as browser servers correctly.

              Default: announce as = NT Server

              Example: announce as = Win95

       announce version (G)
              This specifies the major and minor  version  numbers  that  nmbd
              will use when announcing itself as a server. The default is 4.9.
              Do not change this parameter unless you have a specific need  to
              set a Samba server to be a downlevel server.

              Default: announce version = 4.9

              Example: announce version = 2.0

       auth methods (G)
              This  option  allows the administrator to chose what authentica-
              tion methods smbd will use  when  authenticating  a  user.  This
              option  defaults  to  sensible  values  based  on security. This
              should be considered a developer option and used  only  in  rare
              circumstances.  In  the  majority  (if  not  all)  of production
              servers, the default setting should be adequate.

              Each entry in the list attempts  to  authenticate  the  user  in
              turn,  until the user authenticates. In practice only one method
              will ever actually be able to complete the authentication.

              Possible options include guest (anonymous access), sam  (lookups
              in local list of accounts based on netbios name or domain name),
              winbind (relay authentication requests for remote users  through
              winbindd),  ntdomain  (pre-winbindd method of authentication for
              remote domain users; deprecated in favour  of  winbind  method),
              trustdomain (authenticate trusted users by contacting the remote
              DC directly from smbd; deprecated in favour of winbind  method).

              Default: auth methods =

              Example: auth methods = guest sam winbind

       available (S)
              This  parameter lets you "turn off" a service. Ifavailable = no,
              then ALL attempts to connect to  the  service  will  fail.  Such
              failures are logged.

              Default: available = yes

       bind interfaces only (G)
              This  global  parameter  allows  the  Samba  admin to limit what
              interfaces on a machine will serve SMB requests. It affects file
              service smbd(8) and name service nmbd(8) in a slightly different
              ways.

              For name service it causes nmbd to bind to ports 137 and 138  on
              the  interfaces  listed  in  the interfaces parameter. nmbd also
              binds to the "all addresses" interface (0.0.0.0)  on  ports  137
              and  138 for the purposes of reading broadcast messages. If this
              option is not set then nmbd will service name requests on all of
              these  sockets.  If  bind  interfaces  only is set thennmbd will
              check the source address of any packets coming in on the  broad-
              cast  sockets  and  discard  any  that don't match the broadcast
              addresses of the interfaces in theinterfaces parameter list.  As
              unicast packets are received on the other sockets it allows nmbd
              to refuse to serve names to  machines  that  send  packets  that
              arrive through any interfaces not listed in the interfaces list.
              IP Source address spoofing does defeat this simple  check,  how-
              ever,  so  it  must  not be used seriously as a security feature
              fornmbd.

              For file service it causes smbd(8) to bind only to the interface
              list  given in the interfaces parameter. This restricts the net-
              works that smbd will serve to packets  coming  in  those  inter-
              faces.  Note that you should not use this parameter for machines
              that are serving PPP or other intermittent or non-broadcast net-
              work  interfaces  as  it will not cope with non-permanent inter-
              faces.

              If  bind  interfaces  only  is  set  then  unless  the   network
              address127.0.0.1  is  added to the interfaces parameter listsmb-
              passwd(8) andswat(8) may not work as expected due to the reasons
              covered below.

              To  change  a  users SMB password, the smbpasswd by default con-
              nects to thelocalhost - 127.0.0.1 address as an  SMB  client  to
              issue the password change request. Ifbind interfaces only is set
              then unless the network address127.0.0.1 is added to the  inter-
              faces  parameter  list  then   smbpasswd will fail to connect in
              it's default mode. smbpasswd can be forced to use the primary IP
              interface  of  the local host by using its smbpasswd(8)-r remote
              machine parameter, with remote machine set to the IP name of the
              primary interface of the local host.

              The  swat status page tries to connect with smbd and nmbd at the
              address127.0.0.1 to determine if they are  running.  Not  adding
              127.0.0.1 will cause  smbd and nmbd to always show "not running"
              even if they really are. This  can  prevent   swat  from  start-
              ing/stopping/restarting smbd and nmbd.

              Default: bind interfaces only = no

       blocking locks (S)
              This  parameter  controls  the  behavior of smbd(8) when given a
              request by a client to obtain a byte range lock on a  region  of
              an  open  file, and the request has a time limit associated with
              it.

              If this parameter is set and the lock range requested cannot  be
              immediately  satisfied,  samba  will  internally  queue the lock
              request, and periodically attempt to obtain the lock  until  the
              timeout period expires.

              If this parameter is set to no, then samba will behave as previ-
              ous versions of Samba would and will fail the lock request imme-
              diately if the lock range cannot be obtained.

              Default: blocking locks = yes

       block size (S)
              This  parameter  controls the behavior of smbd(8) when reporting
              disk free sizes. By default, this reports a disk block  size  of
              1024 bytes.

              Changing  this  parameter may have some effect on the efficiency
              of client writes, this is not yet confirmed. This parameter  was
              added  to allow advanced administrators to change it (usually to
              a higher value) and test the effect it has on client write  per-
              formance without re-compiling the code. As this is an experimen-
              tal option it may be removed in a future release.

              Changing this option does not change  the  disk  free  reporting
              size, just the block size unit reported to the client.

              No default

       browsable
              This parameter is a synonym for browseable.

       browseable (S)
              This  controls  whether this share is seen in the list of avail-
              able shares in a net view and in the browse list.

              Default: browseable = yes

       browse list (G)
              This controls whether smbd(8) will serve  a  browse  list  to  a
              client  doing  a  NetServerEnum  call.  Normally set to yes. You
              should never need to change this.

              Default: browse list = yes

       casesignames
              This parameter is a synonym for case sensitive.

       case sensitive (S)
              See the discussion in the section name mangling.

              Default: case sensitive = no

       change notify timeout (G)
              This SMB allows a client to tell a server to "watch" a  particu-
              lar  directory for any changes and only reply to the SMB request
              when a change has occurred. Such constant scanning of  a  direc-
              tory  is expensive under UNIX, hence an smbd(8) daemon only per-
              forms such a scan on each requested directory once every  change
              notify timeout seconds.

              Default: change notify timeout = 60

              Example:  change  notify  timeout  = 300 # Would change the scan
              time to every 5 minutes.

       change share command (G)
              Samba 2.2.0 introduced the ability to dynamically add and delete
              shares  via  the  Windows NT 4.0 Server Manager. Thechange share
              command is used to define an external program  or  script  which
              will modify an existing service definition in smb.conf. In order
              to successfully execute the change share command, smbd  requires
              that  the  administrator be connected using a root account (i.e.
              uid == 0).

              When executed, smbd will automatically  invoke  thechange  share
              command with four parameters.

              o  configFile - the location of the global smb.conf file.

              o  shareName - the name of the new share.

              o  pathName - path to an **existing** directory on disk.

              o  comment - comment string to associate with the new share.

              This  parameter is only used modify existing file shares defini-
              tions. To modify printer shares, use the "Printers..." folder as
              seen when browsing the Samba host.

              Default: change share command =

              Example: change share command = /usr/local/bin/addshare

       check password script (G)
              The  name  of  a program that can be used to check password com-
              plexity. The password is sent to the program's standrad input.

              The program must return 0 on good password any other value  oth-
              erwise.  In case the password is considered weak (the program do
              not return 0) the user will be notified and the password  change
              will fail.

              Note:  In the example directory there is a sample program called
              crackcheck that uses cracklib to checkpassword quality

              .

              Default: check password script = Disabled

              Example:  check  password  script  =  check  password  script  =
              /usr/local/sbin/crackcheck

       client lanman auth (G)
              This  parameter determines whether or not smbclient(8) and other
              samba client  tools  will  attempt  to  authenticate  itself  to
              servers using the weaker LANMAN password hash. If disabled, only
              server which support NT password hashes (e.g.  Windows  NT/2000,
              Samba,  etc...  but  not  Windows 95/98) will be able to be con-
              nected from the Samba client.

              The LANMAN encrypted response is  easily  broken,  due  to  it's
              case-insensitive  nature,  and  the choice of algorithm. Clients
              without Windows  95/98  servers  are  advised  to  disable  this
              option.

              Disabling  this  option  will  also disable the client plaintext
              auth option

              Likewise, if the client ntlmv2 auth parameter is  enabled,  then
              only NTLMv2 logins will be attempted.

              Default: client lanman auth = yes

       client ntlmv2 auth (G)
              This  parameter  determines  whether  or  not  smbclient(8) will
              attempt to authenticate  itself  to  servers  using  the  NTLMv2
              encrypted password response.

              If  enabled,  only  an  NTLMv2 and LMv2 response (both much more
              secure  than  earlier  versions)  will  be  sent.  Many  servers
              (including  NT4  <  SP4, Win9x and Samba 2.2) are not compatible
              with NTLMv2.

              Similarly, if enabled, NTLMv1, client  lanman  auth  and  client
              plaintext  auth  authentication will be disabled. This also dis-
              ables share-level authentication.

              If disabled, an NTLM response (and possibly a  LANMAN  response)
              will  be  sent  by  the client, depending on the value of client
              lanman auth.

              Note that some sites (particularly those following  'best  prac-
              tice' security polices) only allow NTLMv2 responses, and not the
              weaker LM or NTLM.

              Default: client ntlmv2 auth = no

       client plaintext auth (G)
              Specifies whether a client should send a plaintext  password  if
              the server does not support encrypted passwords.

              Default: client plaintext auth = yes

       client schannel (G)
              This  controls whether the client offers or even demands the use
              of the netlogon schannel. client schannel = no  does  not  offer
              the  schannel,  client  schannel  = auto offers the schannel but
              does not enforce it, and client schannel = yes denies access  if
              the server is not able to speak netlogon schannel.

              Default: client schannel = auto

              Example: client schannel = yes

       client signing (G)
              This  controls  whether the client offers or requires the server
              it talks to to use SMB signing. Possible values are auto, manda-
              tory and disabled.

              When set to auto, SMB signing is offered, but not enforced. When
              set to mandatory, SMB signing is required and  if  set  to  dis-
              abled, SMB signing is not offered either.

              Default: client signing = auto

       client use spnego (G)
              This  variable  controls  whether  Samba clients will try to use
              Simple and Protected NEGOciation (as specified by rfc2478)  with
              supporting  servers  (including WindowsXP, Windows2000 and Samba
              3.0) to agree upon an  authentication  mechanism.  This  enables
              Kerberos authentication in particular.

              Default: client use spnego = yes

       comment (S)
              This  is a text field that is seen next to a share when a client
              does a queries the server, either via the  network  neighborhood
              or via net view to list what shares are available.

              If  you  want  to  set  the string that is displayed next to the
              machine name then see the server string parameter.

              Default: comment = # No comment

              Example: comment = Fred's Files

       config file (G)
              This allows you to override the config file to use,  instead  of
              the default (usually smb.conf). There is a chicken and egg prob-
              lem here as this option is set in the config file!

              For this reason, if the name of the config file has changed when
              the  parameters are loaded then it will reload them from the new
              config file.

              This option takes the usual substitutions,  which  can  be  very
              useful.

              If the config file doesn't exist then it won't be loaded (allow-
              ing you to special case the config files of just a few clients).

              No default

              Example: config file = /usr/local/samba/lib/smb.conf.%m

       copy (S)
              This parameter allows you to "clone" service entries. The speci-
              fied service is simply duplicated under  the  current  service's
              name. Any parameters specified in the current section will over-
              ride those in the section being copied.

              This feature lets you set up a  'template'  service  and  create
              similar services easily. Note that the service being copied must
              occur earlier in the configuration file than the  service  doing
              the copying.

              Default: copy =

              Example: copy = otherservice

       create mode
              This parameter is a synonym for create mask.

       create mask (S)
              When a file is created, the necessary permissions are calculated
              according to the mapping from DOS modes to UNIX permissions, and
              the  resulting  UNIX  mode  is  then  bit-wise 'AND'ed with this
              parameter. This parameter may be thought of as a  bit-wise  MASK
              for  the  UNIX  modes  of  a  file. Any bit not set here will be
              removed from the modes set on a file when it is created.

              The default value of this parameter removes the group and  other
              write and execute bits from the UNIX modes.

              Following  this  Samba  will bit-wise 'OR' the UNIX mode created
              from this parameter with  the  value  of  theforce  create  mode
              parameter which is set to 000 by default.

              This  parameter does not affect directory masks. See the parame-
              ter directory mask for details.

              Note that this parameter does not apply to  permissions  set  by
              Windows  NT/2000  ACL  editors.  If  the administrator wishes to
              enforce a mask on access control lists also, they  need  to  set
              the security mask.

              Default: create mask = 0744

              Example: create mask = 0775

       csc policy (S)
              This  stands  for  client-side caching policy, and specifies how
              clients capable of offline caching will cache the files  in  the
              share.  The  valid values are: manual, documents, programs, dis-
              able.

              These values correspond to those used on Windows servers.

              For example, shares containing roaming profiles can have offline
              caching disabled using csc policy = disable.

              Default: csc policy = manual

              Example: csc policy = programs

       cups options (S)
              This  parameter  is  only applicable if printing is set to cups.
              Its value is a free form string of options  passed  directly  to
              the cups library.

              You  can  pass any generic print option known to CUPS (as listed
              in the CUPS "Software Users' Manual"). You  can  also  pass  any
              printer  specific option (as listed in "lpoptions -d printername
              -l") valid for the target queue.

              You should set  this  parameter  to  raw  if  your  CUPS  server
              error_log  file  contains  messages  such as "Unsupported format
              'application/octet-stream'" when printing from a Windows  client
              through  Samba.  It is no longer necessary to enable system wide
              raw printing in /etc/cups/mime.{convs,types}.

              Default: cups options = ""

              Example: cups options = "raw,media=a4,job-sheets=secret,secret"

       cups server (G)
              This parameter is only applicable if printing is set to cups.

              If set, this option overrides the ServerName option in the  CUPS
              client.conf. This is necessary if you have virtual samba servers
              that connect to different CUPS daemons.

              Default: cups server = ""

              Example: cups server = MYCUPSSERVER

       deadtime (G)
              The value of the parameter (a decimal  integer)  represents  the
              number  of  minutes of inactivity before a connection is consid-
              ered dead, and it  is  disconnected.  The  deadtime  only  takes
              effect if the number of open files is zero.

              This is useful to stop a server's resources being exhausted by a
              large number of inactive connections.

              Most clients have an auto-reconnect feature when a connection is
              broken  so in most cases this parameter should be transparent to
              users.

              Using this parameter with a timeout of a few minutes  is  recom-
              mended for most systems.

              A  deadtime  of zero indicates that no auto-disconnection should
              be performed.

              Default: deadtime = 0

              Example: deadtime = 15

       debug hires timestamp (G)
              Sometimes the timestamps in the log messages are needed  with  a
              resolution  of  higher that seconds, this boolean parameter adds
              microsecond resolution to  the  timestamp  message  header  when
              turned on.

              Note  that  the parameter debug timestamp must be on for this to
              have an effect.

              Default: debug hires timestamp = no

       debug pid (G)
              When  using  only  one  log  file  for  more  then  one   forked
              smbd(8)-process  there  may be hard to follow which process out-
              puts  which  message.  This  boolean  parameter  is   adds   the
              process-id  to the timestamp message headers in the logfile when
              turned on.

              Note that the parameter debug timestamp must be on for  this  to
              have an effect.

              Default: debug pid = no

       timestamp logs
              This parameter is a synonym for debug timestamp.

       debug timestamp (G)
              Samba  debug log messages are timestamped by default. If you are
              running at a high debug level these timestamps can be  distract-
              ing.  This  boolean  parameter  allows timestamping to be turned
              off.

              Default: debug timestamp = yes

       debug uid (G)
              Samba is sometimes run as root and sometime run as the connected
              user, this boolean parameter inserts the current euid, egid, uid
              and gid to the timestamp message headers  in  the  log  file  if
              turned on.

              Note  that  the parameter debug timestamp must be on for this to
              have an effect.

              Default: debug uid = no

       default case (S)
              See the section on name mangling . Also note the short  preserve
              case parameter.

              Default: default case = lower

       default devmode (S)
              This  parameter  is  only applicable to printable services. When
              smbd is serving Printer Drivers  to  Windows  NT/2k/XP  clients,
              each printer on the Samba server has a Device Mode which defines
              things such as paper size and orientation and  duplex  settings.
              The  device  mode can only correctly be generated by the printer
              driver itself (which can only be executed on a Win32  platform).
              Because  smbd  is  unable to execute the driver code to generate
              the device mode, the default behavior is to set  this  field  to
              NULL.

              Most  problems  with serving printer drivers to Windows NT/2k/XP
              clients can be traced to a problem  with  the  generated  device
              mode.  Certain  drivers  will  do  things  such  as crashing the
              client's  Explorer.exe  with  a  NULL  devmode.  However,  other
              printer   drivers   can   cause  the  client's  spooler  service
              (spoolsv.exe) to die if the  devmode  was  not  created  by  the
              driver itself (i.e. smbd generates a default devmode).

              This  parameter  should  be  used  with care and tested with the
              printer driver in question. It is better  to  leave  the  device
              mode  to NULL and let the Windows client set the correct values.
              Because drivers do not do this all  the  time,  setting  default
              devmode = yes will instruct smbd to generate a default one.

              For more information on Windows NT/2k printing and Device Modes,
              see the MSDN documentation.

              Default: default devmode = no

       default
              This parameter is a synonym for default service.

       default service (G)
              This parameter specifies the name of a  service  which  will  be
              connected  to if the service actually requested cannot be found.
              Note that the square brackets are NOT  given  in  the  parameter
              value (see example below).

              There  is no default value for this parameter. If this parameter
              is not given, attempting to connect  to  a  nonexistent  service
              results in an error.

              Typically  the  default  service  would be a guest ok, read-only
              service.

              Also note that the apparent service  name  will  be  changed  to
              equal  that  of the requested service, this is very useful as it
              allows you to use macros like %S to make a wildcard service.

              Note also that any "_" characters in the  name  of  the  service
              used  in  the  default  service  will  get mapped to a "/". This
              allows for interesting things.

              Default: default service =

              Example: default service = pub

       defer sharing violations (G)
              Windows allows specifying how a file will be shared  with  other
              processes  when  it  is  opened. Sharing violations occur when a
              file is opened by a different process using options that violate
              the  share settings specified by other processes. This parameter
              causes smbd to act as a Windows server does, and defer returning
              a "sharing violation" error message for up to one second, allow-
              ing the client to close the file causing the  violation  in  the
              meantime.

              Unix by default does not have this behaviour.

              There  should  be no reason to turn off this parameter, as it is
              designed to enable Samba to more correctly emulate Windows.

              Default: defer sharing violations = True

       delete group script (G)
              This is the full pathname to a script that will be run  AS  ROOT
              smbd(8)  when a group is requested to be deleted. It will expand
              any %g to the group name passed. This script is only useful  for
              installations  using the Windows NT domain administration tools.

              Default: delete group script =

       deleteprinter command (G)
              With the introduction of MS-RPC based printer support  for  Win-
              dows  NT/2000 clients in Samba 2.2, it is now possible to delete
              printer at run time by issuing the DeletePrinter() RPC call.

              For a Samba host this means that the printer must be  physically
              deleted  from underlying printing system. The deleteprinter com-
              mand defines a script to be run which will perform the necessary
              operations  for  removing  the printer from the print system and
              from smb.conf.

              The deleteprinter command is automatically called with only  one
              parameter: printer name.

              Once  the  deleteprinter  command  has  been executed, smbd will
              reparse the  smb.conf to associated printer no longer exists. If
              the  sharename  is  still  valid,  then  smbd   will  return  an
              ACCESS_DENIED error to the client.

              Default: deleteprinter command =

              Example: deleteprinter command = /usr/bin/removeprinter

       delete readonly (S)
              This parameter allows readonly files to be deleted. This is  not
              normal DOS semantics, but is allowed by UNIX.

              This  option may be useful for running applications such as rcs,
              where UNIX file ownership prevents  changing  file  permissions,
              and DOS semantics prevent deletion of a read only file.

              Default: delete readonly = no

       delete share command (G)
              Samba 2.2.0 introduced the ability to dynamically add and delete
              shares via the Windows NT 4.0 Server  Manager.  Thedelete  share
              command  is  used  to define an external program or script which
              will remove an existing service  definition  from  smb.conf.  In
              order  to  successfully  execute  the delete share command, smbd
              requires that  the  administrator  be  connected  using  a  root
              account (i.e. uid == 0).

              When  executed,  smbd  will automatically invoke thedelete share
              command with two parameters.

              o  configFile - the location of the global smb.conf file.

              o  shareName - the name of the existing service.

              This parameter is only used to remove  file  shares.  To  delete
              printer shares, see the deleteprinter command.

              Default: delete share command =

              Example: delete share command = /usr/local/bin/delshare

       delete user from group script (G)
              Full  path  to  the  script  that  will be called when a user is
              removed from a group using the Windows NT domain  administration
              tools.  It  will  be  run  by  smbd(8)   AS ROOT. Any %g will be
              replaced with the group name and any %u will  be  replaced  with
              the user name.

              Default: delete user from group script =

              Example: delete user from group script = /usr/sbin/deluser %u %g

       delete user script (G)
              This is the full pathname to  a  script  that  will  be  run  by
              smbd(8) when managing users with remote RPC (NT) tools.

              This  script  is called when a remote client removes a user from
              the server, normally using 'User  Manager  for  Domains'  orrpc-
              client.

              This script should delete the given UNIX username.

              Default: delete user script =

              Example: delete user script = /usr/local/samba/bin/del_user %u

       delete veto files (S)
              This  option is used when Samba is attempting to delete a direc-
              tory that contains one or more vetoed directories (see the  veto
              files option). If this option is set to no (the default) then if
              a vetoed directory contains any non-vetoed files or  directories
              then  the  directory  delete will fail. This is usually what you
              want.

              If this option is set to yes, then Samba will attempt to  recur-
              sively delete any files and directories within the vetoed direc-
              tory. This can be useful for integration with file serving  sys-
              tems such as NetAtalk which create meta-files within directories
              you might normally veto  DOS/Windows  users  from  seeing  (e.g.
              .AppleDouble)

              Setting  delete  veto files = yes allows these directories to be
              transparently deleted when the parent directory is  deleted  (so
              long as the user has permissions to do so).

              Default: delete veto files = no

       dfree command (G)
              The dfree command setting should only be used on systems where a
              problem occurs with the internal disk space  calculations.  This
              has  been  known to happen with Ultrix, but may occur with other
              operating systems. The symptom that was seen  was  an  error  of
              "Abort Retry Ignore" at the end of each directory listing.

              This  setting allows the replacement of the internal routines to
              calculate the total disk space  and  amount  available  with  an
              external routine. The example below gives a possible script that
              might fulfill this function.

              The external program will be passed a single parameter  indicat-
              ing a directory in the filesystem being queried. This will typi-
              cally consist of the string ./. The  script  should  return  two
              integers  in  ASCII. The first should be the total disk space in
              blocks, and the second should be the number of available blocks.
              An optional third return value can give the block size in bytes.
              The default blocksize is 1024 bytes.

              Note: Your script should NOT be setuid or setgid and  should  be
              owned by (and writeable only by) root!

              Where the script dfree (which must be made executable) could be:

              #!/bin/sh
              df $1 | tail -1 | awk '{print $2" "$4}'

              or perhaps (on Sys V based systems):

              #!/bin/sh
              /usr/bin/df -k $1 | tail -1 | awk '{print $3" "$5}'

              Note that you may have to replace the command  names  with  full
              path names on some systems.

              Default:  dfree  command  =  #  By default internal routines for
              determining the disk capacity and remaining space will be  used.

              Example: dfree command = /usr/local/samba/bin/dfree

       directory mode
              This parameter is a synonym for directory mask.

       directory mask (S)
              This parameter is the octal modes which are used when converting
              DOS modes to UNIX modes when creating UNIX directories.

              When a directory is created, the necessary permissions are  cal-
              culated  according to the mapping from DOS modes to UNIX permis-
              sions, and the resulting UNIX mode is then bit-wise 'AND'ed with
              this  parameter.  This parameter may be thought of as a bit-wise
              MASK for the UNIX modes of a directory. Any  bit  not  set  here
              will  be  removed  from  the modes set on a directory when it is
              created.

              The default value of this  parameter  removes  the  'group'  and
              'other'  write  bits  from the UNIX mode, allowing only the user
              who owns the directory to modify it.

              Following this Samba will bit-wise 'OR' the  UNIX  mode  created
              from  this  parameter with the value of the force directory mode
              parameter. This parameter is set to  000  by  default  (i.e.  no
              extra mode bits are added).

              Note  that  this  parameter does not apply to permissions set by
              Windows NT/2000 ACL editors.  If  the  administrator  wishes  to
              enforce  a  mask  on access control lists also, they need to set
              the directory security mask.

              Default: directory mask = 0755

              Example: directory mask = 0775

       directory security mask (S)
              This parameter controls what UNIX permission bits can  be  modi-
              fied  when  a Windows NT client is manipulating the UNIX permis-
              sion on a directory using the native NT security dialog box.

              This parameter is applied as a mask (AND'ed with) to the changed
              permission  bits, thus preventing any bits not in this mask from
              being modified. Make sure not to  mix  up  this  parameter  with
              force directory security mode, which works similar like this one
              but uses logical OR instead of AND. Essentially,  zero  bits  in
              this  mask  may  be  treated  as  a  set of bits the user is not
              allowed to change.

              If not set explicitly this parameter is set to  0777  meaning  a
              user  is  allowed to modify all the user/group/world permissions
              on a directory.

              Note that users who can access the Samba  server  through  other
              means  can  easily  bypass  this restriction, so it is primarily
              useful for standalone  "appliance"  systems.  Administrators  of
              most  normal  systems  will  probably  want  to  leave it as the
              default of 0777.

              Default: directory security mask = 0777

              Example: directory security mask = 0700

       disable netbios (G)
              Enabling this parameter will disable netbios support  in  Samba.
              Netbios  is  the  only available form of browsing in all windows
              versions except for 2000 and XP.

              Note

              Clients that only support netbios won't  be  able  to  see  your
              samba server when netbios support is disabled.

       Default: disable netbios = no

       disable spoolss (G)
              Enabling  this  parameter  will  disable Samba's support for the
              SPOOLSS set of MS-RPC's and will  yield  identical  behavior  as
              Samba  2.0.x.  Windows  NT/2000  clients will downgrade to using
              Lanman style printing commands. Windows 9x/ME will be uneffected
              by the parameter. However, this will also disable the ability to
              upload printer drivers to a Samba server via the Windows NT  Add
              Printer Wizard or by using the NT printer properties dialog win-
              dow. It will also disable  the  capability  of  Windows  NT/2000
              clients  to  download  print  drivers  from  the Samba host upon
              demand. Be very careful about enabling this parameter.

              Default: disable spoolss = no

       display charset (G)
              Specifies the charset that samba will use to print  messages  to
              stdout  and  stderr  and  SWAT will use. Should generally be the
              same as the unix charset.

              Default: display charset = ASCII

              Example: display charset = UTF8

       dns proxy (G)
              Specifies that nmbd(8) when acting as a WINS server and  finding
              that  a  NetBIOS  name has not been registered, should treat the
              NetBIOS name word-for-word as a DNS name and do  a  lookup  with
              the  DNS  server  for  that  name on behalf of the name-querying
              client.

              Note that the maximum length for a NetBIOS name  is  15  charac-
              ters,  so  the  DNS  name (or DNS alias) can likewise only be 15
              characters, maximum.

              nmbd spawns a second copy of itself to do the  DNS  name  lookup
              requests, as doing a name lookup is a blocking action.

              Default: dns proxy = yes

       domain logons (G)
              If  set  to yes, the Samba server will provide the netlogon ser-
              vice for Windows 9X network logons for theworkgroup  it  is  in.
              This  will  also  cause the Samba server to act as a domain con-
              troller for NT4 style domain services. For more details on  set-
              ting up this feature see the Domain Control chapter of the Samba
              HOWTO Collection.

              Default: domain logons = no

       domain master (G)
              Tell smbd(8) to enable WAN-wide browse list  collation.  Setting
              this  option causes nmbd to claim a special domain specific Net-
              BIOS name that identifies it as a domain master browser for  its
              givenworkgroup.  Local  master browsers in the same workgroup on
              broadcast-isolated subnets  will  give  this  nmbd  their  local
              browse  lists,  and  then ask smbd(8) for a complete copy of the
              browse list for the whole wide  area  network.  Browser  clients
              will  then  contact their local master browser, and will receive
              the domain-wide browse list, instead of just the list for  their
              broadcast-isolated subnet.

              Note  that  Windows  NT  Primary Domain Controllers expect to be
              able to claim this workgroup specific special NetBIOS name  that
              identifies  them as domain master browsers for that workgroup by
              default (i.e. there is no way to prevent a Windows NT  PDC  from
              attempting to do this). This means that if this parameter is set
              and nmbd claims the special name for a workgroup before  a  Win-
              dows  NT  PDC  is  able to do so then cross subnet browsing will
              behave strangely and may fail.

              If domain logons = yes , then the default behavior is to  enable
              the  domain  master  parameter.  If domain logons is not enabled
              (the default  setting),  then  neither  will  domain  master  be
              enabled by default.

              Default: domain master = auto

       dont descend (S)
              There  are  certain directories on some systems (e.g., the /proc
              tree under Linux) that are either not of interest to clients  or
              are  infinitely  deep  (recursive). This parameter allows you to
              specify a comma-delimited list of directories  that  the  server
              should always show as empty.

              Note  that Samba can be very fussy about the exact format of the
              "dont descend" entries. For example you may need  ./proc instead
              of just /proc. Experimentation is the best policy :-)

              Default: dont descend =

              Example: dont descend = /proc,/dev

       dos charset (G)
              DOS  SMB  clients assume the server has the same charset as they
              do. This option specifies which charset Samba should talk to DOS
              clients.

              The  default depends on which charsets you have installed. Samba
              tries to use charset 850 but falls back to ASCII in case  it  is
              not available. Run testparm(1) to check the default on your sys-
              tem.

              No default

       dos filemode (S)
              The default behavior in Samba is to provide  UNIX-like  behavior
              where  only  the owner of a file/directory is able to change the
              permissions on it. However, this behavior is often confusing  to
              DOS/Windows users. Enabling this parameter allows a user who has
              write access to the file (by whatever means) to modify the  per-
              missions  on  it. Note that a user belonging to the group owning
              the file will not be allowed to change permissions if the  group
              is  only granted read access. Ownership of the file/directory is
              not changed, only the permissions are modified.

              Default: dos filemode = no

       dos filetime resolution (S)
              Under the DOS and Windows FAT filesystem, the finest granularity
              on  time resolution is two seconds. Setting this parameter for a
              share causes Samba to round the reported time down to the  near-
              est two second boundary when a query call that requires one sec-
              ond resolution is made to smbd(8).

              This option is mainly used as a compatibility option for  Visual
              C++  when used against Samba shares. If oplocks are enabled on a
              share, Visual C++ uses two different time reading calls to check
              if a file has changed since it was last read. One of these calls
              uses a one-second granularity, the other uses a two second gran-
              ularity. As the two second call rounds any odd second down, then
              if the file has a timestamp of an odd number of seconds then the
              two timestamps will not match and Visual C++ will keep reporting
              the file has changed. Setting this option causes the  two  time-
              stamps to match, and Visual C++ is happy.

              Default: dos filetime resolution = no

       dos filetimes (S)
              Under  DOS  and  Windows, if a user can write to a file they can
              change the timestamp on it.  Under  POSIX  semantics,  only  the
              owner  of the file or root may change the timestamp. By default,
              Samba runs with POSIX semantics and refuses to change the  time-
              stamp  on  a file if the user smbd is acting on behalf of is not
              the file owner. Setting this option to  yes allows DOS semantics
              and  smbd(8) will change the file timestamp as DOS requires. Due
              to changes in Microsoft Office 2000 and beyond, the default  for
              this  parameter  has  been  changed  from "no" to "yes" in Samba
              3.0.14 and above. Microsoft Excel will display dialog box  warn-
              ings about the file being changed by another user if this param-
              eter is not set to "yes" and  files  are  being  shared  between
              users.

              Default: dos filetimes = yes

       ea support (S)
              This  boolean  parameter  controls  whether  smbd(8)  will allow
              clients to attempt to store OS/2 style Extended attributes on  a
              share. In order to enable this parameter the underlying filesys-
              tem exported by the share must support extended attributes (such
              as  provided  on  XFS and EXT3 on Linux, with the correct kernel
              patches). On Linux the filesystem must have  been  mounted  with
              the  mount option user_xattr in order for extended attributes to
              work, also extended attributes must be compiled into  the  Linux
              kernel.

              Default: ea support = no

       enable asu support (G)
              Hosts  running  the  "Advanced  Server  for  Unix (ASU)" product
              require some special accomodations such as creating  a  builting
              [ADMIN$]  share that only supports IPC connections. The has been
              the default behavior in smbd for many  years.  However,  certain
              Microsoft  applications  such as the Print Migrator tool require
              that the remote server support an [ADMIN$} file share. Disabling
              this  parameter  allows  for  creating an [ADMIN$] file share in
              smb.conf.

              Default: enable asu support = yes

       enable privileges (G)
              This parameter controls whether or not smbd  will  honor  privi-
              leges assigned to specific SIDs via either net rpc rights or one
              of the Windows user and group manager tools. This  parameter  is
              disabled  by  default  to  prevent  members of the Domain Admins
              group from being able to assign privileges to  users  or  groups
              which can then result in certain smbd operations running as root
              that would normally run under the context of the connected user.

              An  example of how privileges can be used is to assign the right
              to join clients to a Samba controlled domain  without  providing
              root access to the server via smbd.

              Please read the extended description provided in the Samba docu-
              mentation before enabling this option.

              Default: enable privileges = no

       enable rid algorithm (G)
              This option is used to control whether or not smbd in Samba  3.0
              should  fallback  to the algorithm used by Samba 2.2 to generate
              user and group RIDs. The longterm development goal is to  remove
              the algorithmic mappings of RIDs altogether, but this has proved
              to be difficult. This  parameter  is  mainly  provided  so  that
              developers  can  turn  the  algorithm  on  and  off and see what
              breaks. This parameter should not be disabled by  non-developers
              because  certain features in Samba will fail to work without it.

              Default: enable rid algorithm = yes

       encrypt passwords (G)
              This boolean controls whether encrypted passwords will be  nego-
              tiated  with  the client. Note that Windows NT 4.0 SP3 and above
              and also Windows 98 will by default expect  encrypted  passwords
              unless  a  registry entry is changed. To use encrypted passwords
              in Samba see the chapter "User Database" in the Samba HOWTO Col-
              lection.

              MS Windows clients that expect Microsoft encrypted passwords and
              that do not have plain text password  support  enabled  will  be
              able  to  connect only to a Samba server that has encypted pass-
              word support enabled and for which  the  user  accounts  have  a
              valid  encrypted  password.  Refer  to the smbpasswd command man
              page for information regarding the creation of  encrypted  pass-
              words for user accounts.

              The  use  of  plain text passwords is NOT advised as support for
              this feature is no longer maintained in Microsoft Windows  prod-
              ucts.  If you want to use plain text passwords you must set this
              parameter to no.

              In order for encrypted passwords to work correctly smbd(8)  must
              either  have  access  to a local smbpasswd(5) file (see the smb-
              passwd(8) program for information on how to set up and  maintain
              this  file), or set the security = [server|domain|ads] parameter
              which causes smbd to authenticate against another server.

              Default: encrypt passwords = yes

       enhanced browsing (G)
              This option enables a couple  of  enhancements  to  cross-subnet
              browse  propagation  that have been added in Samba but which are
              not standard in Microsoft implementations.

              The first enhancement to browse propagation consists of a  regu-
              lar  wildcard query to a Samba WINS server for all Domain Master
              Browsers, followed by a browse synchronization with each of  the
              returned DMBs. The second enhancement consists of a regular ran-
              domised browse synchronization with all currently known DMBs.

              You may wish to disable this option if you have a  problem  with
              empty  workgroups not disappearing from browse lists. Due to the
              restrictions of the  browse  protocols  these  enhancements  can
              cause  a  empty  workgroup  to  stay around forever which can be
              annoying.

              In general you should leave this  option  enabled  as  it  makes
              cross-subnet browse propagation much more reliable.

              Default: enhanced browsing = yes

       enumports command (G)
              The  concept  of a "port" is fairly foreign to UNIX hosts. Under
              Windows NT/2000 print servers, a port is associated with a  port
              monitor  and  generally  takes  the  form  of a local port (i.e.
              LPT1:, COM1:, FILE:) or a remote port (i.e.  LPD  Port  Monitor,
              etc...).  By  default,  Samba  has only one port defined--"Samba
              Printer Port". Under Windows NT/2000, all printers must  have  a
              valid  port  name. If you wish to have a list of ports displayed
              (smbd  does not use a port name for  anything)  other  than  the
              default  "Samba  Printer Port", you can define enumports command
              to point to a program which should generate a list of ports, one
              per  line, to standard output. This listing will then be used in
              response to the level 1 and 2 EnumPorts() RPC.

              Default: enumports command =

              Example: enumports command = /usr/bin/listports

       fake directory create times (S)
              NTFS and Windows VFAT file systems keep a create  time  for  all
              files  and directories. This is not the same as the ctime - sta-
              tus change time - that Unix keeps, so Samba by  default  reports
              the  earliest  of the various times Unix does keep. Setting this
              parameter for a share causes Samba  to  always  report  midnight
              1-1-1980 as the create time for directories.

              This  option is mainly used as a compatibility option for Visual
              C++ when used against Samba shares. Visual C++  generated  make-
              files  have the object directory as a dependency for each object
              file, and a make rule to create the directory. Also, when  NMAKE
              compares  timestamps  it uses the creation time when examining a
              directory. Thus the object directory will be created if it  does
              not exist, but once it does exist it will always have an earlier
              timestamp than the object files it contains.

              However, Unix time semantics mean that the create time  reported
              by  Samba  will  be  updated  whenever  a  file is created or or
              deleted in the directory. NMAKE finds all object  files  in  the
              object  directory.  The  timestamp of the last one built is then
              compared to the timestamp of the object directory. If the direc-
              tory's  timestamp  if  newer,  then  all  object  files  will be
              rebuilt. Enabling this option ensures directories always predate
              their contents and an NMAKE build will proceed as expected.

              Default: fake directory create times = no

       fake oplocks (S)
              Oplocks  are  the  way  that  SMB  clients get permission from a
              server to locally cache file operations. If a server  grants  an
              oplock  (opportunistic  lock)  then the client is free to assume
              that it is the only one accessing the file and it  will  aggres-
              sively  cache  file  data. With some oplock types the client may
              even cache file open/close operations. This  can  give  enormous
              performance benefits.

              When  you  set  fake  oplocks  =  yes, smbd(8) will always grant
              oplock requests no matter how many clients are using the file.

              It is generally much better to  use  the  real  oplocks  support
              rather than this parameter.

              If you enable this option on all read-only shares or shares that
              you know will only be accessed from one client at a time such as
              physically  read-only media like CDROMs, you will see a big per-
              formance improvement on many  operations.  If  you  enable  this
              option  on  shares  where  multiple clients may be accessing the
              files read-write at the same time you can get  data  corruption.
              Use this option carefully!

              Default: fake oplocks = no

       follow symlinks (S)
              This   parameter   allows   the   Samba  administrator  to  stop
              smbd(8)from following symbolic links in a particular share. Set-
              ting this parameter to no prevents any file or directory that is
              a symbolic link from  being  followed  (the  user  will  get  an
              error).  This  option is very useful to stop users from adding a
              symbolic  link  to  /etc/passwd  in  their  home  directory  for
              instance. However it will slow filename lookups down slightly.

              This option is enabled (i.e. smbd will follow symbolic links) by
              default.

              Default: follow symlinks = yes

       force create mode (S)
              This parameter specifies a set of UNIX mode bit permissions that
              will  always  be set on a file created by Samba. This is done by
              bitwise 'OR'ing these bits onto the mode bits of a file that  is
              being created or having its permissions changed. The default for
              this parameter is (in octal) 000. The modes  in  this  parameter
              are  bitwise 'OR'ed onto the file mode after the mask set in the
              create mask parameter is applied.

              The example below would force all created files to have read and
              execute  permissions  set for 'group' and 'other' as well as the
              read/write/execute bits set for the 'user'.

              Default: force create mode = 000

              Example: force create mode = 0755

       force directory mode (S)
              This parameter specifies a set of UNIX mode bit permissions that
              will always be set on a directory created by Samba. This is done
              by bitwise 'OR'ing these bits onto the mode bits of a  directory
              that  is  being  created.  The default for this parameter is (in
              octal) 0000 which will not add any extra permission  bits  to  a
              created directory. This operation is done after the mode mask in
              the parameter directory mask is applied.

              The example below would force all created  directories  to  have
              read and execute permissions set for 'group' and 'other' as well
              as the read/write/execute bits set for the 'user'.

              Default: force directory mode = 000

              Example: force directory mode = 0755

       force directory security mode (S)
              This parameter controls what UNIX permission bits can  be  modi-
              fied  when  a Windows NT client is manipulating the UNIX permis-
              sion on a directory using the native NT security dialog box.

              This parameter is applied as a mask (OR'ed with) to the  changed
              permission  bits,  thus  forcing  any bits in this mask that the
              user may have modified to be on. Make sure not to  mix  up  this
              parameter with directory security mask, which works in a similar
              manner to this one, but uses a logical AND instead of an OR.

              Essentially, this mask may be treated as a  set  of  bits  that,
              when  modifying  security on a directory, to will enable (1) any
              flags that are off (0) but which the mask has set to on (1).

              If not set explicitly this parameter is  0000,  which  allows  a
              user  to modify all the user/group/world permissions on a direc-
              tory without restrictions.

              Note

              Users who can access the Samba server through  other  means  can
              easily  bypass  this  restriction, so it is primarily useful for
              standalone "appliance" systems. Administrators  of  most  normal
              systems will probably want to leave it set as 0000.

       Default: force directory security mode = 0

       Example: force directory security mode = 700

       group  This parameter is a synonym for force group.

       force group (S)
              This  specifies  a  UNIX group name that will be assigned as the
              default primary group for all users connecting to this  service.
              This  is useful for sharing files by ensuring that all access to
              files on service will use the named group for their  permissions
              checking.  Thus,  by assigning permissions for this group to the
              files and directories within this service the Samba  administra-
              tor can restrict or allow sharing of these files.

              In Samba 2.0.5 and above this parameter has extended functional-
              ity in the following way. If the group name listed  here  has  a
              '+'  character  prepended  to it then the current user accessing
              the share only has the primary group default  assigned  to  this
              group  if  they  are already assigned as a member of that group.
              This allows an administrator to decide that only users  who  are
              already  in a particular group will create files with group own-
              ership set to that group. This gives a finer granularity of own-
              ership  assignment.  For example, the setting force group = +sys
              means that only users who are already in  group  sys  will  have
              their  default primary group assigned to sys when accessing this
              Samba share. All other users will retain their ordinary  primary
              group.

              If  the  force user parameter is also set the group specified in
              force group will override the primary group set in force user.

              Default: force group =

              Example: force group = agroup

       force printername (S)
              When printing from  Windows  NT  (or  later),  each  printer  in
              smb.conf  has  two  associated  names  which  can be used by the
              client. The first is the sharename  (or  shortname)  defined  in
              smb.conf. This is the only printername available for use by Win-
              dows 9x clients. The second name associated with a  printer  can
              be  seen  when  browsing  to  the  "Printers"  (or "Printers and
              Faxes") folder on the Samba server. This is referred  to  simply
              as  the  printername  (not  to be confused with the printer name
              option).

              When assigning a new driver to a printer  on  a  remote  Windows
              compatible  print  server such as Samba, the Windows client will
              rename the printer to match the driver name just uploaded.  This
              can  result  in  confusion  for users when multiple printers are
              bound to the same driver. To prevent  Samba  from  allowing  the
              printer's  printername  to  differ from the sharename defined in
              smb.conf, set force printername = yes.

              Be aware that  enabling  this  parameter  may  affect  migrating
              printers from a Windows server to Samba since Windows has no way
              to force the sharename and printername to match.

              It is recommended that this parameter's  value  not  be  changed
              once the printer is in use by clients as this could cause a user
              not be able to  delete  printer  connections  from  their  local
              Printers folder.

              Default: force printername = no

       force security mode (S)
              This  parameter  controls what UNIX permission bits can be modi-
              fied when a Windows NT client is manipulating the  UNIX  permis-
              sion on a file using the native NT security dialog box.

              This  parameter is applied as a mask (OR'ed with) to the changed
              permission bits, thus forcing any bits in  this  mask  that  the
              user  may  have  modified to be on. Make sure not to mix up this
              parameter with security mask, which works similar like this  one
              but uses logical AND instead of OR.

              Essentially,  one  bits  in this mask may be treated as a set of
              bits that, when modifying security  on  a  file,  the  user  has
              always set to be on.

              If  not  set explicitly this parameter is set to 0, and allows a
              user to modify all the user/group/world permissions on  a  file,
              with no restrictions.

               Note  that  users who can access the Samba server through other
              means can easily bypass this restriction,  so  it  is  primarily
              useful  for  standalone  "appliance"  systems. Administrators of
              most normal systems will probably want  to  leave  this  set  to
              0000.

              Default: force security mode = 0

              Example: force security mode = 700

       force unknown acl user (S)
              If  this  parameter  is  set,  a Windows NT ACL that contains an
              unknown SID (security descriptor, or representation of a user or
              group  id)  as  the  owner  or  group  owner of the file will be
              silently mapped into the current UNIX uid or  gid  of  the  cur-
              rently connected user.

              This  is  designed to allow Windows NT clients to copy files and
              folders containing ACLs that were created locally on the  client
              machine  and contain users local to that machine only (no domain
              users) to be copied to a Samba server (usually  with  XCOPY  /O)
              and have the unknown userid and groupid of the file owner map to
              the current connected user. This can  only  be  fixed  correctly
              when  winbindd  allows arbitrary mapping from any Windows NT SID
              to a UNIX uid or gid.

              Try using this parameter when XCOPY /O  gives  an  ACCESS_DENIED
              error.

              Default: force unknown acl user = no

       force user (S)
              This  specifies  a  UNIX  user name that will be assigned as the
              default user for all users connecting to this service.  This  is
              useful  for  sharing  files. You should also use it carefully as
              using it incorrectly can cause security problems.

              This user name only gets used once a connection is  established.
              Thus  clients still need to connect as a valid user and supply a
              valid password. Once connected, all file operations will be per-
              formed  as the "forced user", no matter what username the client
              connected as. This can be very useful.

              In Samba 2.0.5 and above this parameter also causes the  primary
              group of the forced user to be used as the primary group for all
              file activity. Prior to 2.0.5 the primary group was left as  the
              primary group of the connecting user (this was a bug).

              Default: force user =

              Example: force user = auser

       fstype (S)
              This  parameter allows the administrator to configure the string
              that specifies the type of filesystem a share is using  that  is
              reported  by  smbd(8)  when a client queries the filesystem type
              for a share. The default type is  NTFS  for  compatibility  with
              Windows  NT  but  this  can  be changed to other strings such as
              Samba or FAT  if required.

              Default: fstype = NTFS

              Example: fstype = Samba

       get quota command (G)
              The get quota command should only be used whenever there  is  no
              operating system API available from the OS that samba can use.

              This  option  is only available with ./configure --with-sys-quo-
              tas. Or on linux when ./configure --with-quotas was used  and  a
              working quota api was found in the system.

              This  parameter should specify the path to a script that queries
              the quota information for the specified user/group for the  par-
              tition that the specified directory is on.

              Such a script should take 3 arguments:

              o  directory

              o  type of query

              o  uid of user or gid of group

              The type of query can be one of :

              o  1 - user quotas

              o  2 - user default quotas (uid = -1)

              o  3 - group quotas

              o  4 - group default quotas (gid = -1)

              This  script should print one line as output with spaces between
              the arguments. The arguments are:

              o  Arg 1 - quota flags (0 = no quotas, 1 = quotas enabled,  2  =
                 quotas enabled and enforced)

              o  Arg 2 - number of currently used blocks

              o  Arg 3 - the softlimit number of blocks

              o  Arg 4 - the hardlimit number of blocks

              o  Arg 5 - currently used number of inodes

              o  Arg 6 - the softlimit number of inodes

              o  Arg 7 - the hardlimit number of inodes

              o  Arg  8(optional)  - the number of bytes in a block(default is
                 1024)

              Default: get quota command =

              Example: get quota command = /usr/local/sbin/query_quota

       getwd cache (G)
              This is a tuning option. When this is enabled  a  caching  algo-
              rithm  will  be used to reduce the time taken for getwd() calls.
              This can have a significant impact  on  performance,  especially
              when the wide smbconfoptions parameter is set to no.

              Default: getwd cache = yes

       guest account (G)
              This  is  a  username  which will be used for access to services
              which are specified as guest ok (see below). Whatever privileges
              this  user has will be available to any client connecting to the
              guest service. This user must exist in the  password  file,  but
              does  not require a valid login. The user account "ftp" is often
              a good choice for this parameter.

              On some systems the default guest account "nobody"  may  not  be
              able to print. Use another account in this case. You should test
              this by trying to log in as your guest user  (perhaps  by  using
              the  su  -  command)  and trying to print using the system print
              command such as lpr(1) or  lp(1).

              This parameter does not accept % macros, because many  parts  of
              the  system require this value to be constant for correct opera-
              tion.

              Default: guest account = nobody # default can be changed at com-
              pile-time

              Example: guest account = ftp

       public This parameter is a synonym for guest ok.

       guest ok (S)
              If  this  parameter  is  yes  for a service, then no password is
              required to connect to the service. Privileges will be those  of
              the guest account.

              This paramater nullifies the benifits of setting restrict anony-
              mous = 2

              See the section below on security  for  more  information  about
              this option.

              Default: guest ok = no

       only guest
              This parameter is a synonym for guest only.

       guest only (S)
              If  this parameter is yes for a service, then only guest connec-
              tions to the service are permitted. This parameter will have  no
              effect if guest ok is not set for the service.

              See  the  section  below  on security for more information about
              this option.

              Default: guest only = no

       hide dot files (S)
              This is a boolean parameter that controls whether files starting
              with a dot appear as hidden files.

              Default: hide dot files = yes

       hide files (S)
              This  is a list of files or directories that are not visible but
              are accessible. The DOS 'hidden' attribute  is  applied  to  any
              files or directories that match.

              Each  entry in the list must be separated by a '/', which allows
              spaces to be included in the entry. '*' and '?' can be  used  to
              specify multiple files or directories as in DOS wildcards.

              Each  entry  must  be  a  Unix path, not a DOS path and must not
              include the Unix directory separator '/'.

              Note that the case sensitivity option is  applicable  in  hiding
              files.

              Setting  this parameter will affect the performance of Samba, as
              it will be forced to check all files and directories for a match
              as they are scanned.

              The example shown above is based on files that the Macintosh SMB
              client (DAVE) available from Thursby creates for  internal  use,
              and also still hides all files beginning with a dot.

              An example of us of this parameter is:

              hide files = /.*/DesktopFolderDB/TrashFor%m/resource.frk/

              Default: hide files = # no file are hidden

       hide special files (S)
              This  parameter  prevents clients from seeing special files such
              as sockets, devices and fifo's in directory listings.

              Default: hide special files = no

       hide unreadable (S)
              This parameter prevents clients from  seeing  the  existance  of
              files that cannot be read. Defaults to off.

              Default: hide unreadable = no

       hide unwriteable files (S)
              This  parameter  prevents  clients  from seeing the existance of
              files that cannot be written to.  Defaults  to  off.  Note  that
              unwriteable directories are shown as usual.

              Default: hide unwriteable files = no

       homedir map (G)
              If  nis homedir is yes, and smbd(8) is also acting as a Win95/98
              logon server then this parameter specifies the NIS (or  YP)  map
              from  which  the  server for the user's home directory should be
              extracted. At present, only the  Sun  auto.home  map  format  is
              understood. The form of the map is:

              username server:/some/file/system

              and  the  program  will  extract  the servername from before the
              first ':'. There should probably be a better parsing system that
              copes  with  different  map  formats and also Amd (another auto-
              mounter) maps.

              Note

              A working NIS client is required on the system for  this  option
              to work.

       Default: homedir map =

       Example: homedir map = amd.homedir

       host msdfs (G)
              If  set  to  yes,  Samba  will  act  as  a Dfs server, and allow
              Dfs-aware clients to browse Dfs trees hosted on the server.

              See also the msdfs root share level parameter. For more informa-
              tion on setting up a Dfs tree on Samba, refer to the MSFDS chap-
              ter in the book Samba3-HOWTO.

              Default: host msdfs = no

       hostname lookups (G)
              Specifies whether samba should use (expensive) hostname  lookups
              or use the ip addresses instead. An example place where hostname
              lookups are currently used is when checking the hosts  deny  and
              hosts allow.

              Default: hostname lookups = no

              Example: hostname lookups = yes

       allow hosts
              This parameter is a synonym for hosts allow.

       hosts allow (S)
              A synonym for this parameter is allow hosts.

              This  parameter is a comma, space, or tab delimited set of hosts
              which are permitted to access a service.

              If specified in the [global] section then it will apply  to  all
              services,  regardless  of  whether  the individual service has a
              different setting.

              You can specify the hosts by name or IP number. For example, you
              could restrict access to only the hosts on a Class C subnet with
              something like allow hosts = 150.203.5. . The full syntax of the
              list  is  described  in  the man page hosts_access(5). Note that
              this man page may not be present on  your  system,  so  a  brief
              description will be given here also.

              Note that the localhost address 127.0.0.1 will always be allowed
              access unless specifically denied by a hosts deny option.

              You can also specify hosts by network/netmask pairs and by  net-
              group  names  if your system supports netgroups. The EXCEPT key-
              word can also be used to limit a wildcard  list.  The  following
              examples may provide some help:

              Example 1: allow all IPs in 150.203.*.*; except one

              hosts allow = 150.203. EXCEPT 150.203.6.66

              Example 2: allow hosts that match the given network/netmask

              hosts allow = 150.203.15.0/255.255.255.0

              Example 3: allow a couple of hosts

              hosts allow = lapland, arvidsjaur

              Example  4:  allow only hosts in NIS netgroup "foonet", but deny
              access from one particular host

              hosts allow = @foonet

              hosts deny = pirate

              Note

              Note that access still requires suitable user-level passwords.

       See testparm(1) for a way of testing your host access to see if it does
       what you expect.

       Default: hosts allow = # none (i.e., all hosts permitted access)

       Example: hosts allow = 150.203.5. myhost.mynet.edu.au

       deny hosts
              This parameter is a synonym for hosts deny.

       hosts deny (S)
              The  opposite of hosts allow - hosts listed here are NOT permit-
              ted access to services unless the specific services  have  their
              own  lists  to  override this one. Where the lists conflict, the
              allow list takes precedence.

              Default: hosts deny  =  #  none  (i.e.,  no  hosts  specifically
              excluded)

              Example: hosts deny = 150.203.4. badhost.mynet.edu.au

       hosts equiv (G)
              If  this global parameter is a non-null string, it specifies the
              name of a file to read for the names of hosts and users who will
              be allowed access without specifying a password.

              This  is  not  be confused with hosts allow which is about hosts
              access to services and is more useful for guest services.  hosts
              equiv  may  be useful for NT clients which will not supply pass-
              words to Samba.

              Note

              The use of hosts equiv  can be a major security  hole.  This  is
              because  you are trusting the PC to supply the correct username.
              It is very easy to get a PC to supply a false username. I recom-
              mend that the hosts equiv option be only used if you really know
              what you are doing, or perhaps on a home network where you trust
              your spouse and kids. And only if you really trust them :-).

       Default: hosts equiv = # no host equivalences

       Example: hosts equiv = hosts equiv = /etc/hosts.equiv

       idmap backend (G)
              The  purpose of the idmap backend parameter is to allow idmap to
              NOT use the local idmap tdb file to obtain SID to UID / GID map-
              pings,  but  instead  to obtain them from a common LDAP backend.
              This way all domain members and controllers will have  the  same
              UID  and  GID to SID mappings. This avoids the risk of UID / GID
              inconsistencies across UNIX / Linux  systems  that  are  sharing
              information over protocols other than SMB/CIFS (ie: NFS).

              An  alternate method of SID to UID / GID mapping can be achieved
              using the idmap_rid plug-in. This plug-in uses the  account  RID
              to  derive  the  UID  and  GID by adding the RID to a base value
              specified.  This  utility  requires  that  the  parameter``allow
              trusted  domains = No'' must be specified, as it is not compati-
              ble with multiple domain environments. The idmap uid  and  idmap
              gid ranges must also be specified.

              Default: idmap backend =

              Example: idmap backend = ldap:ldap://ldapslave.example.com

              Example: idmap backend = idmap_rid:DOMNAME=1000-100000000

       winbind gid
              This parameter is a synonym for idmap gid.

       idmap gid (G)
              The  idmap  gid  parameter specifies the range of group ids that
              are allocated for the purpose of mapping UNX groups to NT  group
              SIDs.  This  range of group ids should have no existing local or
              NIS groups within it as strange conflicts can occur otherwise.

              The availability of an idmap gid range is essential for  correct
              operation of all group mapping.

              Default: idmap gid =

              Example: idmap gid = 10000-20000

       winbind uid
              This parameter is a synonym for idmap uid.

       idmap uid (G)
              The idmap uid parameter specifies the range of user ids that are
              allocated for use in mapping UNIX users to NT  user  SIDs.  This
              range  of  ids should have no existing local or NIS users within
              it as strange conflicts can occur otherwise.

              Default: idmap uid =

              Example: idmap uid = 10000-20000

       include (G)
              This allows you to include one config file inside  another.  The
              file is included literally, as though typed in place.

              It takes the standard substitutions, except %u , %P and %S.

              Default: include =

              Example: include = /usr/local/samba/lib/admin_smb.conf

       inherit acls (S)
              This  parameter can be used to ensure that if default acls exist
              on parent directories, they are always honored when  creating  a
              subdirectory.  The default behavior is to use the mode specified
              when creating the directory. Enabling this option sets the  mode
              to 0777, thus guaranteeing that default directory acls are prop-
              agated.

              Default: inherit acls = no

       inherit owner (S)
              The ownership of new files and directories is normally  governed
              by  effective  uid of the connected user. This option allows the
              Samba administrator to specify that the ownership for new  files
              and  directories  should  be  controlled by the ownership of the
              parent directory.

              Common scenarios where this behavior is useful is in  implement-
              ing  drop-boxes  where  users  can create and edit files but not
              delete them and to ensure that newly create files  in  a  user's
              roaming profile directory are actually owner by the user.

              Default: inherit owner = no

       inherit permissions (S)
              The  permissions  on new files and directories are normally gov-
              erned by create mask,directory mask, force create mode and force
              directory  mode  but  the  boolean inherit permissions parameter
              overrides this.

              New directories  inherit  the  mode  of  the  parent  directory,
              including bits such as setgid.

              New  files  inherit their read/write bits from the parent direc-
              tory. Their execute bits continue to be determined  by  map  ar-
              chive, map hidden and map system as usual.

              Note  that the setuid bit is never set via inheritance (the code
              explicitly prohibits this).

              This can be particularly  useful  on  large  systems  with  many
              users, perhaps several thousand, to allow a single [homes] share
              to be used flexibly by each user.

              Default: inherit permissions = no

       interfaces (G)
              This option allows you to override the  default  network  inter-
              faces  list  that Samba will use for browsing, name registration
              and other NBT traffic. By default Samba will  query  the  kernel
              for  the  list  of  all active interfaces and use any interfaces
              except 127.0.0.1 that are broadcast capable.

              The option takes a list of interface strings. Each string can be
              in any of the following forms:

              o  a  network  interface  name  (such as eth0). This may include
                 shell-like wildcards so eth* will match any interface  start-
                 ing with the substring "eth"

              o  an  IP  address.  In this case the netmask is determined from
                 the list of interfaces obtained from the kernel

              o  an IP/mask pair.

              o  a broadcast/mask pair.

              The "mask" parameters can either be a bit length (such as 24 for
              a C class network) or a full netmask in dotted decimal form.

              The "IP" parameters above can either be a full dotted decimal IP
              address or a hostname which will be looked up via the OS's  nor-
              mal hostname resolution mechanisms.

              Default:  interfaces  = # all active interfaces except 127.0.0.1
              that are broadcast capable

              Example: interfaces =  #  This  would  configure  three  network
              interfaces  corresponding  to  the  eth0 device and IP addresses
              192.168.2.10 and 192.168.3.10. The netmasks of  the  latter  two
              interfaces  would  be set to 255.255.255.0. eth0 192.168.2.10/24
              192.168.3.10/255.255.255.0

       invalid users (S)
              This is a list of users that should not be allowed to  login  to
              this  service.  This  is  really  a paranoid check to absolutely
              ensure an improper setting does not breach your security.

              A name starting with a '@' is interpreted  as  an  NIS  netgroup
              first (if your system supports NIS), and then as a UNIX group if
              the name was not found in the NIS netgroup database.

              A name starting with '+' is interpreted only by looking  in  the
              UNIX  group  database.  A  name starting with '&' is interpreted
              only by looking in the NIS netgroup database (this requires  NIS
              to be working on your system). The characters '+' and '&' may be
              used at the start of the name  in  either  order  so  the  value
              +&group means check the UNIX group database, followed by the NIS
              netgroup database, and the value &+group  means  check  the  NIS
              netgroup database, followed by the UNIX group database (the same
              as the '@' prefix).

              The current servicename is substituted for %S. This is useful in
              the [homes] section.

              Default: invalid users = # no invalid users

              Example: invalid users = root fred admin @wheel

       keepalive (G)
              The value of the parameter (an integer) represents the number of
              seconds between keepalive packets. If this parameter is zero, no
              keepalive  packets  will  be  sent.  Keepalive packets, if sent,
              allow the server to tell whether a client is still  present  and
              responding.

              Keepalives  should,  in general, not be needed if the socket has
              the SO_KEEPALIVE attribute set on it  by  default.  (see  socket
              options).  Basically  you  should  only  use  this option if you
              strike difficulties.

              Default: keepalive = 300

              Example: keepalive = 600

       kernel change notify (G)
              This parameter specifies whether Samba should ask the kernel for
              change  notifications  in  directories  so  that SMB clients can
              refresh whenever the data on the server changes.

              This parameter is only used when  your  kernel  supports  change
              notification to user programs, using the F_NOTIFY fcntl.

              Default: kernel change notify = yes

       kernel oplocks (G)
              For  UNIXes  that  support  kernel based oplocks (currently only
              IRIX and the Linux 2.4 kernel), this parameter allows the use of
              them to be turned on or off.

              Kernel  oplocks support allows Samba oplocks  to be broken when-
              ever a local UNIX process or NFS operation accesses a file  that
              smbd(8)  has  oplocked.  This  allows  complete data consistency
              between SMB/CIFS, NFS and local file access (and is a very  cool
              feature :-).

              This  parameter  defaults to on, but is translated to a no-op on
              systems that no not  have  the  necessary  kernel  support.  You
              should never need to touch this parameter.

              Default: kernel oplocks = yes

       lanman auth (G)
              This parameter determines whether or not smbd(8) will attempt to
              authenticate users or permit password changes using  the  LANMAN
              password  hash. If disabled, only clients which support NT pass-
              word hashes (e.g. Windows NT/2000 clients,  smbclient,  but  not
              Windows 95/98 or the MS DOS network client) will be able to con-
              nect to the Samba host.

              The LANMAN encrypted response is  easily  broken,  due  to  it's
              case-insensitive  nature,  and  the choice of algorithm. Servers
              without Windows 95/98/ME or MS DOS clients are advised  to  dis-
              able this option.

              Unlike  the encypt passwords option, this parameter cannot alter
              client behaviour, and the LANMAN response  will  still  be  sent
              over the network. See the client lanman auth to disable this for
              Samba's clients (such as smbclient)

              If this option, and ntlm  auth  are  both  disabled,  then  only
              NTLMv2  logins will be permited. Not all clients support NTLMv2,
              and most will require special configuration to use it.

              Default: lanman auth = yes

       large readwrite (G)
              This parameter determines whether or not  smbd(8)  supports  the
              new 64k streaming read and write varient SMB requests introduced
              with Windows 2000. Note that due to Windows 2000 client redirec-
              tor  bugs  this requires Samba to be running on a 64-bit capable
              operating system such as IRIX, Solaris or a  Linux  2.4  kernel.
              Can  improve  performance  by  10%  with  Windows  2000 clients.
              Defaults to on. Not as tested as some other Samba code paths.

              Default: large readwrite = yes

       ldap admin dn (G)
              The ldap admin dn defines the Distinguished Name (DN) name  used
              by Samba to contact the ldap server when retreiving user account
              information. The ldap admin dn is used in conjunction  with  the
              admin  dn  password  stored in the private/secrets.tdb file. See
              the smbpasswd(8) man page for more information on how to  accom-
              plish this.

              The ldap admin dn requires a fully specified DN. The ldap suffix
              is not appended to the ldap admin dn.

              No default

       ldap delete dn (G)
              This parameter specifies whether a delete operation in the ldap-
              sam  deletes  the complete entry or only the attributes specific
              to Samba.

              Default: ldap delete dn = no

       ldap group suffix (G)
              This parameters specifies the suffix that  is  used  for  groups
              when these are added to the LDAP directory. If this parameter is
              unset, the value of ldap suffix will be used instead. The suffix
              string  is pre-pended to the ldap suffix string so use a partial
              DN.

              Default: ldap group suffix =

              Example: ldap group suffix = ou=Groups

       ldap idmap suffix (G)
              This parameters specifies the suffix that is used  when  storing
              idmap  mappings.  If  this parameter is unset, the value of ldap
              suffix will be used instead. The suffix string is pre-pended  to
              theldap suffix string so use a partial DN.

              Default: ldap idmap suffix =

              Example: ldap idmap suffix = ou=Idmap

       ldap machine suffix (G)
              It specifies where machines should be added to the ldap tree. If
              this parameter is unset, the value of ldap suffix will  be  used
              instead.  The  suffix  string  is  pre-pended to the ldap suffix
              string so use a partial DN.

              Default: ldap machine suffix =

              Example: ldap machine suffix = ou=Computers

       ldap passwd sync (G)
              This option is used to define whether or not Samba  should  sync
              the  LDAP password with the NT and LM hashes for normal accounts
              (NOT for workstation, server or domain  trusts)  on  a  password
              change via SAMBA.

              The ldap passwd sync can be set to one of three values:

              o  Yes  = Try to update the LDAP, NT and LM passwords and update
                 the pwdLastSet time.

              o  No = Update NT and LM passwords  and  update  the  pwdLastSet
                 time.

              o  Only  = Only update the LDAP password and let the LDAP server
                 do the rest.

              Default: ldap passwd sync = no

       ldap port (G)
              This parameter is only available if Samba has been configure  to
              include the --with-ldapsam option at compile time.

              This  option is used to control the tcp port number used to con-
              tact the ldap server. The default is to use the stand LDAPS port
              636.

              Default: ldap port = 636 # if ldap ssl = on

              Default: ldap port = 389 # if ldap ssl = off

       ldap replication sleep (G)
              When Samba is asked to write to a read-only LDAP replica, we are
              redirected to talk to the read-write master server. This  server
              then  replicates our changes back to the 'local' server, however
              the replication might take some seconds,  especially  over  slow
              links. Certain client activities, particularly domain joins, can
              become confused by  the  'success'  that  does  not  immediately
              change the LDAP back-end's data.

              This  option  simply causes Samba to wait a short time, to allow
              the LDAP  server  to  catch  up.  If  you  have  a  particularly
              high-latency  network, you may wish to time the LDAP replication
              with a network sniffer, and increase this value accordingly.  Be
              aware  that  no checking is performed that the data has actually
              replicated.

              The value is specified in milliseconds,  the  maximum  value  is
              5000 (5 seconds).

              Default: ldap replication sleep = 1000

       ldapsam:trusted (G)
              By  default,  Samba  as a Domain Controller with an LDAP backend
              needs to use the Unix-style NSS subsystem  to  access  user  and
              group  information.  Due to the way Unix stores user information
              in /etc/passwd and /etc/group this inevitably leads  to  ineffi-
              ciencies.  One  important  question  a user needs to know is the
              list of groups he is member of. The plain Unix model involves  a
              complete enumeration of the file /etc/group and its NSS counter-
              parts in LDAP. In this particular  case  there  often  optimized
              functions  are available in Unix, but for other queries there is
              no optimized function available.

              To make Samba  scale  well  in  large  environments,  the  ldap-
              sam:trusted=yes  option assumes that the complete user and group
              database that is relevant to Samba is stored in  LDAP  with  the
              standard  posixAccount/posixGroup model, and that the Samba aux-
              iliary object classes are stored together  with  the  the  posix
              data  in  the  same  LDAP  object. If these assumptions are met,
              ldapsam:trusted=yes can be activated and  Samba  can  completely
              bypass  the NSS system to query user information. Optimized LDAP
              queries can speed up domain logon  and  administration  tasks  a
              lot.  Depending on the size of the LDAP database a factor of 100
              or more for common queries is easily achieved.

              Default: ldapsam:trusted = no

       ldap server (G)
              This parameter is only available if Samba has been configure  to
              include the --with-ldapsam option at compile time.

              This  parameter  should  contain  the FQDN of the ldap directory
              server which should be queried to locate user  account  informa-
              tion.

              Default: ldap server = localhost

       ldap ssl (G)
              This  option  is  used to define whether or not Samba should use
              SSL when connecting to the ldap server This is  NOT  related  to
              Samba's  previous  SSL  support  which was enabled by specifying
              the--with-ssl option to the configure script.

              The ldap ssl can be set to one of three values:

              o  Off = Never use SSL when querying the directory.

              o  Start_tls  =  Use  the  LDAPv3  StartTLS  extended  operation
                 (RFC2830) for communicating with the directory server.

              o  On  =  Use  SSL  on  the  ldaps port when contacting the ldap
                 server.  Only  available  when   the   backwards-compatiblity
                 --with-ldapsam  option  is specified to configure. See passdb
                 backend

              Default: ldap ssl = start_tls

       ldap suffix (G)
              Specifies the base for all ldap suffixes  and  for  storing  the
              sambaDomain object.

              The ldap suffix will be appended to the values specified for the
              ldap user suffix,ldap group suffix,  ldap  machine  suffix,  and
              theldap  idmap  suffix.  Each of these should be given only a DN
              relative to theldap suffix.

              Default: ldap suffix =

              Example: ldap suffix = dc=samba,dc=org

       ldap timeout (G)
              When Samba connects to an ldap server that server may be down or
              unreachable.  To  prevent  Samba from hanging whilst waiting for
              the connection this parameter  specifies  in  seconds  how  long
              Samba  should wait before failing the connect. The default is to
              only wait fifteen seconds for the ldap server to respond to  the
              connect request.

              Default: ldap timeout = 15

       ldap user suffix (G)
              This  parameter  specifies where users are added to the tree. If
              this parameter is unset, the value of ldap suffix will  be  used
              instead.  The  suffix  string  is  pre-pended to the ldap suffix
              string so use a partial DN.

              Default: ldap user suffix =

              Example: ldap user suffix = ou=people

       level2 oplocks (S)
              This  parameter   controls   whether   Samba   supports   level2
              (read-only) oplocks on a share.

              Level2,  or read-only oplocks allow Windows NT clients that have
              an oplock on a file to downgrade from a read-write oplock  to  a
              read-only oplock once a second client opens the file (instead of
              releasing all oplocks on  a  second  open,  as  in  traditional,
              exclusive  oplocks).  This  allows  all openers of the file that
              support level2 oplocks to cache the  file  for  read-ahead  only
              (ie.  they  may not cache writes or lock requests) and increases
              performance for many accesses of files  that  are  not  commonly
              written (such as application .EXE files).

              Once  one of the clients which have a read-only oplock writes to
              the file all clients are notified (no reply is needed or  waited
              for)  and  told  to break their oplocks to "none" and delete any
              read-ahead caches.

              It is recommended that this parameter  be  turned  on  to  speed
              access to shared executables.

              For more discussions on level2 oplocks see the CIFS spec.

              Currently,  if  kernel oplocks are supported then level2 oplocks
              are not granted (even if this  parameter  is  set  toyes).  Note
              also,  the oplocks parameter must be set to yes on this share in
              order for this parameter to have any effect.

              Default: level2 oplocks = yes

       lm announce (G)
              This  parameter  determines  if  nmbd(8)  will  produce   Lanman
              announce broadcasts that are needed by OS/2 clients in order for
              them to see the Samba server in their browse list. This  parame-
              ter can have three values, yes, no, orauto. The default is auto.
              If set to no Samba will never produce these broadcasts.  If  set
              to  yes  Samba will produce Lanman announce broadcasts at a fre-
              quency set by the parameterlm interval. If  set  to  auto  Samba
              will  not  send  Lanman  announce broadcasts by default but will
              listen for them. If it hears such a broadcast  on  the  wire  it
              will  then  start sending them at a frequency set by the parame-
              terlm interval.

              Default: lm announce = auto

              Example: lm announce = yes

       lm interval (G)
              If Samba is set to produce Lanman announce broadcasts needed  by
              OS/2  clients (see thelm announce parameter) then this parameter
              defines the frequency in seconds with which they will  be  made.
              If this is set to zero then no Lanman announcements will be made
              despite the setting of the lm announce parameter.

              Default: lm interval = 60

              Example: lm interval = 120

       load printers (G)
              A boolean variable that controls whether  all  printers  in  the
              printcap  will be loaded for browsing by default. See the print-
              ers section for more details.

              Default: load printers = yes

       local master (G)
              This option allows nmbd(8) to try  and  become  a  local  master
              browser on a subnet. If set to no then  nmbd will not attempt to
              become a local master browser on a subnet and will also lose  in
              all  browsing  elections.  By  default this value is set to yes.
              Setting this value toyes doesn't mean that Samba will become the
              local  master  browser on a subnet, just that nmbd will partici-
              pate in elections for local master browser.

              Setting this value to no will cause  nmbd   never  to  become  a
              local master browser.

              Default: local master = yes

       lock dir
              This parameter is a synonym for lock directory.

       lock directory (G)
              This  option  specifies  the  directory where lock files will be
              placed. The lock files are used to implement themax  connections
              option.

              Default: lock directory = ${prefix}/var/locks

              Example: lock directory = /var/run/samba/locks

       locking (S)
              This  controls  whether  or not locking will be performed by the
              server in response to lock requests from the client.

              If locking = no, all lock and unlock  requests  will  appear  to
              succeed  and all lock queries will report that the file in ques-
              tion is available for locking.

              If locking = yes, real locking will be performed by the  server.

              This  option  may  be useful for read-only filesystems which may
              not need locking (such as CDROM drives), although  setting  this
              parameter of no is not really recommended even in this case.

              Be  careful about disabling locking either globally or in a spe-
              cific service, as lack of locking may result in data corruption.
              You should never need to set this parameter.

              No default

       lock spin count (G)
              This  parameter  controls  the  number of times that smbd should
              attempt to gain a byte range lock on  the  behalf  of  a  client
              request.  Experiments  have shown that Windows 2k servers do not
              reply with a failure  if  the  lock  could  not  be  immediately
              granted,  but  try a few more times in case the lock could later
              be acquired. This behavior is used to support PC  database  for-
              mats such as MS Access and FoxPro.

              Default: lock spin count = 3

       lock spin time (G)
              The  time in microseconds that smbd should pause before attempt-
              ing to gain a failed lock. Seelock spin count for more  details.

              Default: lock spin time = 10

       log file (G)
              This  option  allows  you  to override the name of the Samba log
              file (also known as the debug file).

              This option takes the standard substitutions,  allowing  you  to
              have separate log files for each user or machine.

              No default

              Example: log file = /usr/local/samba/var/log.%m

       debuglevel
              This parameter is a synonym for log level.

       log level (G)
              The  value  of  the parameter (a astring) allows the debug level
              (logging level) to be  specified  in  the  smb.conf  file.  This
              parameter has been extended since the 2.2.x series, now it allow
              to specify the debug level for multiple debug classes.  This  is
              to  give greater flexibility in the configuration of the system.

              The default will be the log level specified on the command  line
              or level zero if none was specified.

              No default

              Example: log level = 3 passdb:5 auth:10 winbind:2

       logon drive (G)
              This parameter specifies the local path to which the home direc-
              tory will be connected (see logon home) and is only used  by  NT
              Workstations.

              Note  that  this  option  is only useful if Samba is set up as a
              logon server.

              Default: logon drive = z:

              Example: logon drive = h:

       logon home (G)
              This parameter specifies the  home  directory  location  when  a
              Win95/98  or NT Workstation logs into a Samba PDC. It allows you
              to do

              C:\>NET USE H: /HOME

              from a command prompt, for example.

              This option takes the standard substitutions,  allowing  you  to
              have separate logon scripts for each user or machine.

              This  parameter  can  be  used with Win9X workstations to ensure
              that roaming profiles are stored in a subdirectory of the user's
              home directory. This is done in the following way:

              logon home = \\%N\%U\profile

              This  tells Samba to return the above string, with substitutions
              made when a client requests the info, generally in a NetUserGet-
              Info  request. Win9X clients truncate the info to \\server\share
              when a user doesnet use /home but  use  the  whole  string  when
              dealing with profiles.

              Note  that  in  prior  versions  of  Samba,  the  logon path was
              returned rather thanlogon home. This broke  net  use  /home  but
              allowed  profiles outside the home directory. The current imple-
              mentation is correct, and can be used for profiles  if  you  use
              the above trick.

              Disable  this  feature  by  setting  logon home = "" - using the
              empty string.

              This option is only useful if Samba is set up as a logon server.

              Default: logon home = \\%N\%U

              Example: logon home = \\remote_smb_server\%U

       logon path (G)
              This  parameter  specifies  the directory where roaming profiles
              (Desktop, NTuser.dat, etc) are stored. Contrary to previous ver-
              sions  of  these  manual pages, it has nothing to do with Win 9X
              roaming profiles. To find out how to handle roaming profiles for
              Win 9X system, see thelogon home parameter.

              This  option  takes  the standard substitutions, allowing you to
              have separate logon scripts for each user or  machine.  It  also
              specifies  the  directory  from  which  the  "Application Data",
              (desktop, start menu, network neighborhood, programs  and  other
              folders,  and  their  contents, are loaded and displayed on your
              Windows NT client.

              The share and the path must be readable  by  the  user  for  the
              preferences  and  directories  to  be loaded onto the Windows NT
              client. The share must be writeable when the user  logs  in  for
              the  first  time, in order that the Windows NT client can create
              the NTuser.dat and other directories. Thereafter,  the  directo-
              ries  and  any  of  the  contents  can,  if  required,  be  made
              read-only. It is not advisable that the NTuser.dat file be  made
              read-only  -  rename  it  to  NTuser.man  to achieve the desired
              effect (aMANdatory profile).

              Windows clients can  sometimes  maintain  a  connection  to  the
              [homes]  share,  even  though there is no user logged in. There-
              fore, it is vital that the logon path does not include a  refer-
              ence  to  the  homes  share  (i.e.  setting  this  parameter  to
              \\%N\homes\profile_path will cause problems).

              This option takes the standard substitutions,  allowing  you  to
              have separate logon scripts for each user or machine.

              Warning

              Do not quote the value. Setting this as ``\\%N\profile\%U'' will
              break profile handling. Where the tdbsam or ldapsam passdb back-
              end  is  used, at the time the user account is created the value
              configured for this parameter is written to the  passdb  backend
              and that value will over-ride the parameter value present in the
              smb.conf file. Any error present in the passdb  backend  account
              record  must  be  editted using the appropriate tool (pdbedit on
              the command-line, or any other locally provided system tool.

       Note that this option is only useful if Samba is set  up  as  a  domain
       controller.

       Disable the use of roaming profiles by setting the value of this param-
       eter to the empty string. For example, logon path = "". Take note  that
       even  if  the default setting in the smb.conf file is the empty string,
       any value specified in the user account settings in the passdb  backend
       will  over-ride the effect of setting this parameter to null. Disabling
       of all roaming profile use requires that the user account settings must
       also be blank.

       An example of use is:

       logon path = \\PROFILESERVER\PROFILE\%U

       Default: logon path = \\%N\%U\profile

       logon script (G)
              This  parameter  specifies  the  batch file (.bat) or NT command
              file (.cmd) to be downloaded and run on a machine  when  a  user
              successfully  logs in. The file must contain the DOS style CR/LF
              line endings. Using a DOS-style editor to  create  the  file  is
              recommended.

              The script must be a relative path to the [netlogon] service. If
              the [netlogon] service specifies a path of /usr/local/samba/net-
              logon,  and  logon script = STARTUP.BAT, then the file that will
              be downloaded is:

                   /usr/local/samba/netlogon/STARTUP.BAT
                   .fi

              The contents of the batch file are entirely your choice. A suggested command would be to add NET TIME \\SERVER /SET /YES, to force every machine to synchronize clocks with the same time server. Another use would be to add NET USE U: \\SERVER\UTILS for commonly used utilities, or
               NET USE Q: \\SERVER\ISO9001_QA.fi
               for example.

              Note that it is particularly important not to allow write access to the [netlogon] share, or to grant users write permission on the batch files in a secure environment, as this would allow the batch files to be arbitrarily modified and security to be breached.

              This option takes the standard substitutions, allowing you to have separate logon scripts for each user or machine.

              This option is only useful if Samba is set up as a logon server.

              Default: logon script =

              Example: logon script = scripts\%U.bat

       lppause command (S)
              This parameter specifies the command to be executed on the server host in order to stop printing or spooling a specific print job.

              This command should be a program or script which takes a printer name and job number to pause the print job. One way of implementing this is by using job priorities, where jobs having a too low priority won't be sent to the printer.

              If a %p is given then the printer name is put in its place. A %j is replaced with the job number (an integer). On HPUX (see printing=hpux ), if the -p%p option is added to the lpq command, the job will show up with the correct status, i.e. if the job priority is lower than the set fence priority it will have the PAUSED status, whereas if the priority is equal or higher it will have the SPOOLED or PRINTING status.

              Note that it is good practice to include the absolute path in the lppause command as the PATH may not be available to the server.

              Default: lppause command = # Currently no default value is given to this string, unless the value of the printing parameter is SYSV, in which case the default is : lp -i %p-%j -H hold or if the value of the printing parameter is SOFTQ, then the default is: qstat -s -j%j -h.

              Example: lppause command = /usr/bin/lpalt %p-%j -p0

       lpq cache time (G)
              This controls how long lpq info will be cached for to prevent the lpq command being called too often. A separate cache is kept for each variation of the  lpq command used by the system, so if you use differentlpq commands for different users then they won't share cache information.

              The cache files are stored in /tmp/lpq.xxxx where xxxx is a hash of the lpq command in use.

              The default is 10 seconds, meaning that the cached results of a previous identical lpq command will be used if the cached data is less than 10 seconds old. A large value may be advisable if your lpq command is very slow.

              A value of 0 will disable caching completely.

              Default: lpq cache time = 10

              Example: lpq cache time = 30

       lpq command (S)
              This parameter specifies the command to be executed on the server host in order to obtain lpq -style printer status information.

              This command should be a program or script which takes a printer name as its only parameter and outputs printer status information.

              Currently nine styles of printer status information are supported; BSD, AIX, LPRNG, PLP, SYSV, HPUX, QNX, CUPS, and SOFTQ. This covers most UNIX systems. You control which type is expected using the printing = option.

              Some clients (notably Windows for Workgroups) may not correctly send the connection number for the printer they are requesting status information about. To get around this, the server reports on the first printer service connected to by the client. This only happens if the connection number sent is invalid.

              If a %p is given then the printer name is put in its place. Otherwise it is placed at the end of the command.

              Note that it is good practice to include the absolute path in the lpq command as the $PATH  may not be available to the server. When compiled with the CUPS libraries, no lpq command is needed because smbd will make a library call to obtain the print queue listing.

              Default: lpq command =

              Example: lpq command = /usr/bin/lpq -P%p

       lpresume command (S)
              This parameter specifies the command to be executed on the server host in order to restart or continue printing or spooling a specific print job.

              This command should be a program or script which takes a printer name and job number to resume the print job. See also the lppause command parameter.

              If a %p is given then the printer name is put in its place. A %j is replaced with the job number (an integer).

              Note that it is good practice to include the absolute path in the lpresume command as the PATH may not be available to the server.

              See also the printing parameter.

              Default: Currently no default value is given to this string, unless the value of the printing parameter is SYSV, in which case the default is :

              lp -i %p-%j -H resume

              or if the value of the printing parameter is SOFTQ, then the default is:

              qstat -s -j%j -r

              Default: lpresume command = lpresume command = /usr/bin/lpalt %p-%j -p2

       lprm command (S)
              This parameter specifies the command to be executed on the server host in order to delete a print job.

              This command should be a program or script which takes a printer name and job number, and deletes the print job.

              If a %p is given then the printer name is put in its place. A %j is replaced with the job number (an integer).

              Note that it is good practice to include the absolute path in the lprm command as the PATH may not be available to the server.

              Examples of use are:

              lprm command = /usr/bin/lprm -P%p %j

              or

              lprm command = /usr/bin/cancel %p-%j

              Default: lprm command = determined by printing parameter

       machine password timeout (G)
              If a Samba server is a member of a Windows NT  Domain  (see  the
              security  =  domain  parameter) then periodically a running smbd
              process will try and change the MACHINE ACCOUNT PASSWORD  stored
              in the TDB called private/secrets.tdb . This parameter specifies
              how often this password will be changed, in seconds. The default
              is  one  week  (expressed  in seconds), the same as a Windows NT
              Domain member server.

              See also smbpasswd(8), and the security = domain parameter.

              Default: machine password timeout = 604800

       magic output (S)
              This parameter specifies the name of a file which  will  contain
              output  created by a magic script (see themagic script parameter
              below).

              Warning

              If two clients use the same magic script  in the same  directory
              the output file content is undefined.

       Default: magic output = <magic script name>.out

       Example: magic output = myfile.txt

       magic script (S)
              This  parameter  specifies  the name of a file which, if opened,
              will be executed by the server when the  file  is  closed.  This
              allows  a  UNIX script to be sent to the Samba host and executed
              on behalf of the connected user.

              Scripts executed in this way will  be  deleted  upon  completion
              assuming  that  the  user has the appropriate level of privilege
              and the file permissions allow the deletion.

              If the script generates output, output will be sent to the  file
              specified by the magic output parameter (see above).

              Note that some shells are unable to interpret scripts containing
              CR/LF instead of CR as the  end-of-line  marker.  Magic  scripts
              must  be  executableas  is on the host, which for some hosts and
              some shells will require filtering at the DOS end.

              Magic scripts are EXPERIMENTAL and should NOT be relied upon.

              Default: magic script =

              Example: magic script = user.csh

       mangled map (S)
              This is for those who want to directly map UNIX file names which
              cannot  be  represented on Windows/DOS. The mangling of names is
              not always what is needed. In particular you may have  documents
              with file extensions that differ between DOS and UNIX. For exam-
              ple, under UNIX it is  common  to  use  .html  for  HTML  files,
              whereas under Windows/DOS .htm is more commonly used.

              So to map html to htm you would use:

              mangled map = (*.html *.htm).

              One  very useful case is to remove the annoying ;1  off the ends
              of filenames on some CDROMs (only visible under some UNIXes). To
              do this use a map of (*;1 *;).

              Default: mangled map = # no mangled map

              Example: mangled map = (*;1 *;)

       mangled names (S)
              This  controls whether non-DOS names under UNIX should be mapped
              to DOS-compatible names ("mangled") and made visible, or whether
              non-DOS names should simply be ignored.

              See  the  section on name mangling for details on how to control
              the mangling process.

              If mangling is used then the mangling algorithm is as follows:

              o  The first (up to) five  alphanumeric  characters  before  the
                 rightmost  dot of the filename are preserved, forced to upper
                 case, and appear as the first (up to) five characters of  the
                 mangled name.

              o  A  tilde  "~"  is  appended  to the first part of the mangled
                 name, followed by a two-character unique sequence,  based  on
                 the original root name (i.e., the original filename minus its
                 final extension). The final extension is included in the hash
                 calculation  only if it contains any upper case characters or
                 is longer than three characters.

                 Note that the character to use may  be  specified  using  the
                 mangling char option, if you don't like '~'.

              o  Files  whose UNIX name begins with a dot will be presented as
                 DOS hidden files. The mangled name will  be  created  as  for
                 other  filenames,  but with the leading dot removed and "___"
                 as its extension  regardless  of  actual  original  extension
                 (that's three underscores).

              The  two-digit  hash  value  consists of upper case alphanumeric
              characters.

              This algorithm can cause name collisions  only  if  files  in  a
              directory share the same first five alphanumeric characters. The
              probability of such a clash is 1/1300.

              The name mangling (if  enabled)  allows  a  file  to  be  copied
              between  UNIX  directories  from Windows/DOS while retaining the
              long UNIX filename. UNIX files can be renamed to a new extension
              from  Windows/DOS  and  will  retain  the same basename. Mangled
              names do not change between sessions.

              Default: mangled names = yes

       mangle prefix (G)
              controls the number of prefix characters from the original  name
              used when generating the mangled names. A larger value will give
              a weaker hash and therefore more name  collisions.  The  minimum
              value is 1 and the maximum value is 6.

              mangle prefix is effective only when mangling method is hash2.

              Default: mangle prefix = 1

              Example: mangle prefix = 4

       mangling char (S)
              This  controls  what character is used as the magic character in
              name mangling. The default is a '~' but this may interfere  with
              some software. Use this option to set it to whatever you prefer.
              This is effective only when mangling method is hash.

              Default: mangling char = ~

              Example: mangling char = ^

       mangling method (G)
              controls the algorithm  used  for  the  generating  the  mangled
              names. Can take two different values, "hash" and "hash2". "hash"
              is the algorithm that was used used in Samba for many years  and
              was the default in Samba 2.2.x "hash2" is now the default and is
              newer and considered a better algorithm (generates  less  colli-
              sions)  in  the names. Many Win32 applications store the mangled
              names and so changing to algorithms must not be done lightly  as
              these applications may break unless reinstalled.

              Default: mangling method = hash2

              Example: mangling method = hash

       map acl inherit (S)
              This  boolean parameter controls whether smbd(8) will attempt to
              map the 'inherit' and 'protected'  access  control  entry  flags
              stored  in  Windows  ACLs  into  an  extended  attribute  called
              user.SAMBA_PAI. This parameter only takes  effect  if  Samba  is
              being run on a platform that supports extended attributes (Linux
              and IRIX so far) and allows the Windows 2000 ACL editor to  cor-
              rectly use inheritance with the Samba POSIX ACL mapping code.

              Default: map acl inherit = no

       map archive (S)
              This controls whether the DOS archive attribute should be mapped
              to the UNIX owner execute bit. The DOS archive bit is set when a
              file has been modified since its last backup. One motivation for
              this option it to keep Samba/your PC from  making  any  file  it
              touches  from  becoming executable under UNIX. This can be quite
              annoying for shared source code, documents, etc...

              Note that this requires the create mask parameter to be set such
              that  owner  execute bit is not masked out (i.e. it must include
              100). See the parameter create mask for details.

              Default: map archive = yes

       map hidden (S)
              This controls whether DOS style hidden files should be mapped to
              the UNIX world execute bit.

              Note  that this requires the create mask to be set such that the
              world execute bit is not masked out (i.e. it must include  001).
              See the parameter create mask for details.

              No default

       map system (S)
              This controls whether DOS style system files should be mapped to
              the UNIX group execute bit.

              Note that this requires the create mask to be set such that  the
              group  execute bit is not masked out (i.e. it must include 010).
              See the parameter create mask for details.

              Default: map system = no

       map to guest (G)
              This parameter is only useful in SECURITY = security modes other
              than security = share - i.e. user, server, and domain.

              This  parameter  can  take  four  different  values,  which tell
              smbd(8) what to do with user login requests that don't  match  a
              valid UNIX user in some way.

              The three settings are :

              o  Never  -  Means  user login requests with an invalid password
                 are rejected. This is the default.

              o  Bad User - Means user logins with  an  invalid  password  are
                 rejected,  unless  the username does not exist, in which case
                 it is treated as a guest login  and  mapped  into  the  guest
                 account.

              o  Bad Password - Means user logins with an invalid password are
                 treated as a guest login and mapped into the  guest  account.
                 Note  that  this can cause problems as it means that any user
                 incorrectly typing their password will be silently logged  on
                 as  "guest" - and will not know the reason they cannot access
                 files they think they should - there will have been  no  mes-
                 sage  given  to  them  that  they  got  their password wrong.
                 Helpdesk services will hate you if you set the map  to  guest
                 parameter this way :-).

              o  Bad Uid - Is only applicable when Samba is configured in some
                 type of domain mode security (security  =  {domain|ads})  and
                 means  that  user logins which are successfully authenticated
                 but which have no valid Unix user account (and smbd is unable
                 to create one) should be mapped to the defined guest account.
                 This was the default behavior of  Samba  2.x  releases.  Note
                 that  if  a  member  server  is running winbindd, this option
                 should never be required because the nss_winbind library will
                 export  the Windows domain users and groups to the underlying
                 OS via the Name Service Switch interface.

              Note that this parameter is needed to set up "Guest" share  ser-
              vices  when  using  security  modes  other  than  share. This is
              because in these modes the name of the resource being  requested
              is  not  sent  to the server until after the server has success-
              fully authenticated the client so the server cannot make authen-
              tication decisions at the correct time (connection to the share)
              for "Guest" shares.

              For people familiar with the older Samba releases, this  parame-
              ter maps to the old compile-time setting of the  GUEST_SESSSETUP
              value in local.h.

              Default: map to guest = Never

              Example: map to guest = Bad User

       max connections (S)
              This option allows the number of simultaneous connections  to  a
              service to be limited. If max connections is greater than 0 then
              connections will be refused if this number of connections to the
              service are already open. A value of zero mean an unlimited num-
              ber of connections may be made.

              Record lock files are used to implement this feature.  The  lock
              files  will  be  stored  in  the directory specified by the lock
              directory option.

              Default: max connections = 0

              Example: max connections = 10

       max disk size (G)
              This option allows you to put an upper  limit  on  the  apparent
              size  of  disks.  If  you set this option to 100 then all shares
              will appear to be not larger than 100 MB in size.

              Note that this option does not limit the amount of data you  can
              put  on  the  disk. In the above case you could still store much
              more than 100 MB on the disk, but if a client ever asks for  the
              amount of free disk space or the total disk size then the result
              will be bounded by the amount specified in max disk size.

              This option is primarily useful to  work  around  bugs  in  some
              pieces  of software that can't handle very large disks, particu-
              larly disks over 1GB in size.

              A max disk size of 0 means no limit.

              Default: max disk size = 0

              Example: max disk size = 1000

       max log size (G)
              This option (an integer in kilobytes) specifies the max size the
              log  file should grow to. Samba periodically checks the size and
              if it is exceeded it will rename the file, adding a .old  exten-
              sion.

              A size of 0 means no limit.

              Default: max log size = 5000

              Default: max log size = 1000

       max mux (G)
              This  option controls the maximum number of outstanding simulta-
              neous SMB operations that Samba tells the client it will  allow.
              You should never need to set this parameter.

              Default: max mux = 50

       max open files (G)
              This  parameter limits the maximum number of open files that one
              smbd(8) file serving process may have open for a client  at  any
              one  time.  The  default  for  this  parameter  is set very high
              (10,000) as Samba uses only one bit per unopened file.

              The limit of the number of open files is usually set by the UNIX
              per-process  file descriptor limit rather than this parameter so
              you should never need to touch this parameter.

              Default: max open files = 10000

       max print jobs (S)
              This parameter limits the maximum number of jobs allowable in  a
              Samba  printer  queue  at  any  given  moment. If this number is
              exceeded, smbd(8) will remote "Out of Space" to the client.

              Default: max print jobs = 1000

              Example: max print jobs = 5000

       protocol
              This parameter is a synonym for max protocol.

       max protocol (G)
              The value of the parameter (a string) is  the  highest  protocol
              level that will be supported by the server.

              Possible values are :

              o  CORE: Earliest version. No concept of user names.

              o  COREPLUS: Slight improvements on CORE for efficiency.

              o  LANMAN1: First  modern version of the protocol. Long filename
                 support.

              o  LANMAN2: Updates to Lanman1 protocol.

              o  NT1: Current up to date version of the protocol. Used by Win-
                 dows NT. Known as CIFS.

              Normally this option should not be set as the automatic negotia-
              tion phase in the SMB protocol takes care of choosing the appro-
              priate protocol.

              Default: max protocol = NT1

              Example: max protocol = LANMAN1

       max reported print jobs (S)
              This  parameter limits the maximum number of jobs displayed in a
              port monitor for Samba printer queue at  any  given  moment.  If
              this  number  is  exceeded, the excess jobs will not be shown. A
              value of zero means there is no limit on  the  number  of  print
              jobs reported.

              Default: max reported print jobs = 0

              Example: max reported print jobs = 1000

       max smbd processes (G)
              This  parameter  limits  the maximum number of smbd(8) processes
              concurrently running on a system and is intended as a stopgap to
              prevent  degrading  service  to  clients  in  the event that the
              server has insufficient resources to handle more than this  num-
              ber  of connections. Remember that under normal operating condi-
              tions, each user will have an smbd(8) associated with him or her
              to handle connections to all shares from a given host.

              Default: max smbd processes = 0

              Example: max smbd processes = 1000

       max stat cache size (G)
              This parameter limits the size in memory of any stat cache being
              used to speed up case insensitive name mappings. This  parameter
              is  the  number of kilobyte (1024) units the stat cache can use.
              The default is zero, which means unlimited. You should not  need
              to change this parameter.

              Default: max stat cache size = 0

              Example: max stat cache size = 1024

       max ttl (G)
              This  option  tells  nmbd(8)  what the default 'time to live' of
              NetBIOS names should be (in seconds) when nmbd is  requesting  a
              name  using either a broadcast packet or from a WINS server. You
              should never need to change this parameter.  The  default  is  3
              days.

              Default: max ttl = 259200

       max wins ttl (G)
              This  option  tells  smbd(8)  when acting as a WINS server (wins
              support = yes) what the maximum 'time to live' of NetBIOS  names
              that nmbd will grant will be (in seconds). You should never need
              to change this parameter. The default is  6  days  (518400  sec-
              onds).

              Default: max wins ttl = 518400

       max xmit (G)
              This  option controls the maximum packet size that will be nego-
              tiated by Samba. The default is 65535, which is the maximum.  In
              some  cases  you  may  find  you  get  better performance with a
              smaller value. A value below 2048 is likely to cause problems.

              Default: max xmit = 65535

              Example: max xmit = 8192

       message command (G)
              This specifies what command to run when the  server  receives  a
              WinPopup style message.

              This  would normally be a command that would deliver the message
              somehow. How this is to be done is up to your imagination.

              An example is:

              message command = csh -c 'xedit %s;rm %s' &

              This delivers the message using xedit, then  removes  it  after-
              wards.  NOTE  THAT IT IS VERY IMPORTANT THAT THIS COMMAND RETURN
              IMMEDIATELY. That's why I have the '&' on the end. If it doesn't
              return  immediately  then  your PCs may freeze when sending mes-
              sages (they should recover after 30 seconds, hopefully).

              All messages are delivered as the global guest user. The command
              takes  the  standard  substitutions, although  %u won't work (%U
              may be better in this case).

              Apart from the  standard  substitutions,  some  additional  ones
              apply. In particular:

              o  %s = the filename containing the message.

              o  %t  =  the destination that the message was sent to (probably
                 the server name).

              o  %f = who the message is from.

              You could make this command send mail, or  whatever  else  takes
              your  fancy.  Please let us know of any really interesting ideas
              you have.

              Here's a way of sending the messages as mail to root:

              message command = /bin/mail -s 'message from %f on  %m'  root  <
              %s; rm %s

              If  you  don't  have a message command then the message won't be
              delivered and Samba will tell the sender  there  was  an  error.
              Unfortunately WfWg totally ignores the error code and carries on
              regardless, saying that the message was delivered.

              If you want to silently delete it then try:

              message command = rm %s

              Default: message command =

              Example: message command = csh -c 'xedit %s; rm %s' &

       min print space (S)
              This sets the minimum amount of free disk  space  that  must  be
              available before a user will be able to spool a print job. It is
              specified in kilobytes. The default is 0, which means a user can
              always spool a print job.

              Default: min print space = 0

              Example: min print space = 2000

       min protocol (G)
              The value of the parameter (a string) is the lowest SMB protocol
              dialect than Samba will support. Please refer to the max  proto-
              col  parameter  for  a  list of valid protocol names and a brief
              description of each. You may also wish to refer to the C  source
              code  in  source/smbd/negprot.c  for a listing of known protocol
              dialects supported by clients.

              If you are viewing this parameter as  a  security  measure,  you
              should  also  refer to the lanman auth parameter. Otherwise, you
              should never need to change this parameter.

              Default: min protocol = CORE

              Example: min protocol = NT1

       min wins ttl (G)
              This option tells nmbd(8) when acting as  a  WINS  server  (wins
              support  = yes) what the minimum 'time to live' of NetBIOS names
              that nmbd will grant will be (in seconds). You should never need
              to  change  this  parameter.  The default is 6 hours (21600 sec-
              onds).

              Default: min wins ttl = 21600

       msdfs proxy (S)
              This parameter indicates  that  the  share  is  a  stand-in  for
              another  CIFS  share whose location is specified by the value of
              the parameter. When clients attempt to connect  to  this  share,
              they  are redirected to the proxied share using the SMB-Dfs pro-
              tocol.

              Only Dfs roots can act as proxy shares. Take a look at  themsdfs
              root and host msdfs options to find out how to set up a Dfs root
              share.

              No default

              Example: msdfs proxy = \otherserver\someshare

       msdfs root (S)
              If set to yes, Samba treats the share as a Dfs root  and  allows
              clients to browse the distributed file system tree rooted at the
              share directory. Dfs links are specified in the share  directory
              by        symbolic        links        of        the        form
              msdfs:serverA\\shareA,serverB\\shareB and so on. For more infor-
              mation  on  setting  up  a Dfs tree on Samba, refer to the MSDFS
              chapter in the Samba3-HOWTO book.

              Default: msdfs root = no

       name cache timeout (G)
              Specifies the number of  seconds  it  takes  before  entries  in
              samba's  hostname  resolve cache time out. If the timeout is set
              to 0. the caching is disabled.

              Default: name cache timeout = 660

              Example: name cache timeout = 0

       name resolve order (G)
              This option is used by the programs in the Samba suite to deter-
              mine  what  naming  services to use and in what order to resolve
              host names to IP addresses. Its main purpose to  is  to  control
              how  netbios  name  resolution  is performed. The option takes a
              space separated string of name resolution options.

              The options are: "lmhosts", "host",  "wins"  and  "bcast".  They
              cause names to be resolved as follows:

              o  lmhosts  : Lookup an IP address in the Samba lmhosts file. If
                 the line in lmhosts has no name type attached to the  NetBIOS
                 name (see the <usmbconfoption>lmhosts(5)</usmbconfoption> for
                 details) then any name type matches for lookup.

              o  host : Do a standard host  name  to  IP  address  resolution,
                 using  the  system  /etc/hosts  ,  NIS,  or DNS lookups. This
                 method of name resolution is operating  system  depended  for
                 instance  on  IRIX  or  Solaris this may be controlled by the
                 /etc/nsswitch.conf file. Note that this method is  used  only
                 if  the  NetBIOS name type being queried is the 0x20 (server)
                 name type or 0x1c (domain controllers). The  latter  case  is
                 only useful for active directory domains and results in a DNS
                 query for the SRV RR entry matching _ldap._tcp.domain.

              o  wins : Query a  name  with  the  IP  address  listed  in  the
                 WINSSERVER  parameter.  If  no WINS server has been specified
                 this method will be ignored.

              o  bcast : Do a broadcast on each of the known local  interfaces
                 listed  in  the interfaces parameter. This is the least reli-
                 able of the name resolution methods as it depends on the tar-
                 get host being on a locally connected subnet.

              The  example below will cause the local lmhosts file to be exam-
              ined first, followed by a broadcast attempt, followed by a  nor-
              mal system hostname lookup.

              When  Samba is functioning in ADS security mode (security = ads)
              it is advised to use following settings for name resolve order:

              name resolve order = wins bcast

              DC lookups will still be done via DNS, but fallbacks to  netbios
              names  will  not  inundate your DNS servers with needless querys
              for DOMAIN<0x1c> lookups.

              Default: name resolve order = lmhosts host wins bcast

              Example: name resolve order = lmhosts bcast host

       netbios aliases (G)
              This is a list of NetBIOS names  that  nmbd  will  advertise  as
              additional names by which the Samba server is known. This allows
              one machine to appear in browse lists under multiple names. If a
              machine  is  acting  as  a browse server or logon server none of
              these names will be advertised as either browse server or  logon
              servers, only the primary name of the machine will be advertised
              with these capabilities.

              Default: netbios aliases = # empty string (no additional names)

              Example: netbios aliases = TEST TEST1 TEST2

       netbios name (G)
              This sets the NetBIOS name by which a Samba server is known.  By
              default  it is the same as the first component of the host's DNS
              name. If a machine is a browse server or logon server this  name
              (or  the first component of the hosts DNS name) will be the name
              that these services are advertised under.

              Default: netbios name = # machine DNS name

              Example: netbios name = MYNAME

       netbios scope (G)
              This sets the NetBIOS scope that Samba will operate under.  This
              should  not  be  set  unless every machine on your LAN also sets
              this value.

              Default: netbios scope =

       nis homedir (G)
              Get the home share server from a NIS map. For UNIX systems  that
              use  an  automounter,  the  user's  home directory will often be
              mounted on a workstation on demand from a remote server.

              When the Samba logon server is not  the  actual  home  directory
              server,  but  is  mounting the home directories via NFS then two
              network hops would be required to access the users  home  direc-
              tory  if  the  logon server told the client to use itself as the
              SMB server for home directories (one over SMB and one over NFS).
              This can be very slow.

              This  option allows Samba to return the home share as being on a
              different server to the logon server and as long as a Samba dae-
              mon  is running on the home directory server, it will be mounted
              on the Samba client directly from  the  directory  server.  When
              Samba is returning the home share to the client, it will consult
              the NIS map specified inhomedir map and return the server listed
              there.

              Note  that  for  this option to work there must be a working NIS
              system and the Samba server with this  option  must  also  be  a
              logon server.

              Default: nis homedir = no

       nt acl support (S)
              This  boolean parameter controls whether smbd(8) will attempt to
              map UNIX permissions into Windows NT access control lists.  This
              parameter  was  formally a global parameter in releases prior to
              2.2.2.

              Default: nt acl support = yes

       ntlm auth (G)
              This parameter determines whether or not smbd(8) will attempt to
              authenticate  users  using the NTLM encrypted password response.
              If disabled, either  the  lanman  password  hash  or  an  NTLMv2
              response will need to be sent by the client.

              If  this  option,  and  lanman auth are both disabled, then only
              NTLMv2 logins will be permited. Not all clients support  NTLMv2,
              and most will require special configuration to us it.

              Default: ntlm auth = yes

       nt pipe support (G)
              This  boolean parameter controls whether smbd(8) will allow Win-
              dows NT clients to connect to the NT SMB  specific  IPC$  pipes.
              This is a developer debugging option and can be left alone.

              Default: nt pipe support = yes

       nt status support (G)
              This  boolean  parameter controls whether smbd(8) will negotiate
              NT specific status support with Windows NT/2k/XP  clients.  This
              is  a  developer  debugging  option and should be left alone. If
              this option is set to no then Samba offers exactly the same  DOS
              error codes that versions prior to Samba 2.2.3 reported.

              You should not need to ever disable this parameter.

              Default: nt status support = yes

       null passwords (G)
              Allow or disallow client access to accounts that have null pass-
              words.

              See also smbpasswd(5).

              Default: null passwords = no

       obey pam restrictions (G)
              When Samba  3.0  is  configured  to  enable  PAM  support  (i.e.
              --with-pam),  this  parameter  will control whether or not Samba
              should obey PAM's account and session management directives. The
              default  behavior  is  to  use PAM for clear text authentication
              only and to ignore any account or session management. Note  that
              Samba  always  ignores  PAM  for  authentication  in the case of
              encrypt passwords = yes. The reason is that PAM  modules  cannot
              support  the  challenge/response authentication mechanism needed
              in the presence of SMB password encryption.

              Default: obey pam restrictions = no

       only user (S)
              This is a boolean option that controls whether connections  with
              usernames  not in the user list will be allowed. By default this
              option is disabled so that a client can supply a username to  be
              used  by  the  server.  Enabling  this  parameter will force the
              server to only use the login names from the  user  list  and  is
              only really useful in security = share level security.

              Note  that  this  also means Samba won't try to deduce usernames
              from the service name. This can be annoying for the [homes] sec-
              tion.  To  get  around  this you could use user = %S which means
              your user list will be just the service  name,  which  for  home
              directories is the name of the user.

              Default: only user = no

       oplock break wait time (G)
              This  is a tuning parameter added due to bugs in both Windows 9x
              and WinNT. If Samba responds to a client too quickly  when  that
              client  issues  an  SMB  that can cause an oplock break request,
              then the network client can fail and not respond  to  the  break
              request. This tuning parameter (which is set in milliseconds) is
              the amount of time Samba will  wait  before  sending  an  oplock
              break request to such (broken) clients.

              Warning

              DO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ AND UNDERSTOOD
              THE SAMBA OPLOCK CODE.

       Default: oplock break wait time = 0

       oplock contention limit (S)
              This is a very advancedsmbd(8)  tuning  option  to  improve  the
              efficiency of the granting of oplocks under multiple client con-
              tention for the same file.

              In brief it specifies a number, which causes smbd(8)not to grant
              an  oplock  even  when  requested  if  the approximate number of
              clients contending for an oplock on the same file goes over this
              limit.  This  causes  smbd to behave in a similar way to Windows
              NT.

              Warning

              DO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ AND UNDERSTOOD
              THE SAMBA OPLOCK CODE.

       Default: oplock contention limit = 2

       oplocks (S)
              This  boolean option tells smbd whether to issue oplocks (oppor-
              tunistic locks) to file open requests on this share. The  oplock
              code can dramatically (approx. 30% or more) improve the speed of
              access to files on Samba  servers.  It  allows  the  clients  to
              aggressively  cache  files  locally  and you may want to disable
              this option for unreliable network environments (it is turned on
              by  default in Windows NT Servers). For more information see the
              fileSpeed.txt in the Samba docs/ directory.

              Oplocks may be selectively turned off on certain  files  with  a
              share.  See  the  veto  oplock  files parameter. On some systems
              oplocks are recognized by the underlying operating system.  This
              allows  data  synchronization  between  all  access  to oplocked
              files, whether it be via Samba or NFS or a local  UNIX  process.
              See thekernel oplocks parameter for details.

              Default: oplocks = yes

       os2 driver map (G)
              The parameter is used to define the absolute path to a file con-
              taining a mapping of Windows NT printer  driver  names  to  OS/2
              printer driver names. The format is:

              <nt driver name> = <os2 driver name>.<device name>

              For  example,  a  valid  entry  using  the HP LaserJet 5 printer
              driver would appear as HP LaserJet 5L = LASERJET.HP LaserJet 5L.

              The  need  for  the  file is due to the printer driver namespace
              problem described in the chapter on Classical  Printing  in  the
              book  Samba3-HOWTO.  For  more  details  on OS/2 clients, please
              refer to ???.

              Default: os2 driver map =

       os level (G)
              This integer value controls what level Samba  advertises  itself
              as  for browse elections. The value of this parameter determines
              whether nmbd(8) has a chance of becoming a local master  browser
              for the workgroup in the local broadcast area.

              Note  :By  default, Samba will win a local master browsing elec-
              tion over all Microsoft operating systems except  a  Windows  NT
              4.0/2000  Domain  Controller.  This  means  that a misconfigured
              Samba host can effectively isolate a subnet  for  browsing  pur-
              poses.  See  BROWSING.txt   in  the  Samba  docs/  directory for
              details.

              Default: os level = 20

              Example: os level = 65

       pam password change (G)
              With the addition of better  PAM  support  in  Samba  2.2,  this
              parameter,  it  is possible to use PAM's password change control
              flag for Samba. If enabled, then PAM will be used  for  password
              changes  when  requested by an SMB client instead of the program
              listed in passwd program. It should be possible to  enable  this
              without changing your passwd chat parameter for most setups.

              Default: pam password change = no

       panic action (G)
              This is a Samba developer option that allows a system command to
              be called when either smbd(8) or smbd(8)crashes. This is usually
              used to draw attention to the fact that a problem occurred.

              Default: panic action =

              Example: panic action = "/bin/sleep 90000"

       paranoid server security (G)
              Some  version  of  NT  4.x allow non-guest users with a bad pas-
              sowrd. When this option is enabled, samba will not use a  broken
              NT  4.x  server  as password server, but instead complain to the
              logs and exit.

              Disabling this option prevents Samba  from  making  this  check,
              which  involves deliberatly attempting a bad logon to the remote
              server.

              Default: paranoid server security = yes

       passdb backend (G)
              This option allows the administrator to chose which backends  to
              retrieve  and  store  passwords  with. This allows (for example)
              both smbpasswd and tdbsam to be used without a recompile. Multi-
              ple backends can be specified, separated by spaces. The backends
              will be searched in the order they are specified. New users  are
              always added to the first backend specified.

              This parameter is in two parts, the backend's name, and a 'loca-
              tion' string that has meaning only to  that  particular  backed.
              These are separated by a : character.

              Available backends can include:

              o  smbpasswd  -  The  default smbpasswd backend. Takes a path to
                 the smbpasswd file as an optional argument.

              o  tdbsam - The TDB based password storage backend. Takes a path
                 to the TDB as an optional argument (defaults to passdb.tdb in
                 the private dir directory.

              o  ldapsam - The LDAP based passdb backend. Takes an LDAP URL as
                 an optional argument (defaults to ldap://localhost)

                 LDAP  connections  should be secured where possible. This may
                 be done using either Start-TLS (see ldap ssl) or by  specify-
                 ing ldaps:// in the URL argument.

                 Multiple  servers  may also be specified in double-quotes, if
                 your LDAP libraries supports the LDAP URL notation. (OpenLDAP
                 does).

              o  nisplussam  -  The  NIS+ based passdb backend. Takes name NIS
                 domain as an optional argument.  Only  works  with  sun  NIS+
                 servers.

              o  mysql  -  The MySQL based passdb backend. Takes an identifier
                 as argument. Read the Samba HOWTO Collection  for  configura-
                 tion details.

                   Examples of use are:

              passdb backend = tdbsam:/etc/samba/private/passdb.tdb \
                  smbpasswd:/etc/samba/smbpasswd

              or

              passdb backend = ldapsam:ldaps://ldap.example.com

              or

              passdb backend = ldapsam:"ldap://ldap-1.example.com \
                  ldap://ldap-2.example.com"

              or

              passdb backend = mysql:my_plugin_args tdbsam
              Default: passdb backend = smbpasswd

       passwd chat (G)
              This  string  controls the "chat" conversation that takes places
              between smbd(8) and  the  local  password  changing  program  to
              change  the  user's password. The string describes a sequence of
              response-receive pairs that smbd(8) uses to  determine  what  to
              send  to  the  passwd  program  and  what to expect back. If the
              expected output  is  not  received  then  the  password  is  not
              changed.

              This  chat  sequence  is often quite site specific, depending on
              what local methods are used for password control  (such  as  NIS
              etc).

              Note  that this parameter only is only used if the unix password
              sync parameter is set to yes. This sequence is  then  called  AS
              ROOT  when  the  SMB  password  in  the  smbpasswd file is being
              changed, without access to  the  old  password  cleartext.  This
              means  that root must be able to reset the user's password with-
              out knowing the text of the previous password. In  the  presence
              of  NIS/YP,  this means that the passwd program must be executed
              on the NIS master.

              The string can contain the macro %n which is substituted for the
              new  password.  The  chat sequence can also contain the standard
              macros \n, \r, \t and \s to give line-feed, carriage-return, tab
              and space. The chat sequence string can also contain a '*' which
              matches any sequence of characters. Double quotes can be used to
              collect strings with spaces in them into a single string.

              If  the  send  string in any part of the chat sequence is a full
              stop ".", then no string  is  sent.  Similarly,  if  the  expect
              string is a full stop then no string is expected.

              If  the  pam  password  change parameter is set to yes, the chat
              pairs may be matched in any order, and success is determined  by
              the  PAM  result,  not  any  particular  output. The \n macro is
              ignored for PAM conversions.

              Default: passwd chat =  *new*password*  %n\n*new*password*  %n\n
              *changed*

              Example:  passwd  chat = "*Enter OLD password*" %o\n "*Enter NEW
              password*"  %n\n  "*Reenter  NEW  password*"   %n\n   "*Password
              changed*"

       passwd chat debug (G)
              This  boolean  specifies  if the passwd chat script parameter is
              run in debug mode. In  this  mode  the  strings  passed  to  and
              received  from  the  passwd  chat are printed in the smbd(8) log
              with a debug level of 100. This is a dangerous option as it will
              allow  plaintext  passwords  to  be  seen in the smbd log. It is
              available to help Samba admins debug their passwd  chat  scripts
              when  calling  the passwd program and should be turned off after
              this has been done. This option has no effect if the  pam  pass-
              word change paramter is set. This parameter is off by default.

              Default: passwd chat debug = no

       passwd chat timeout (G)
              This  integer specifies the number of seconds smbd will wait for
              an initial answer from a passwd chat script being run. Once  the
              initial  answer  is  received  the  subsequent  answers  must be
              received in one tenth of this time. The default it two  seconds.

              Default: passwd chat timeout = 2

       passwd program (G)
              The  name  of  a program that can be used to set UNIX user pass-
              words. Any occurrences of %u will  be  replaced  with  the  user
              name.  The user name is checked for existence before calling the
              password changing program.

              Also note that many passwd programs insist in reasonable   pass-
              words,  such as a minimum length, or the inclusion of mixed case
              chars and digits. This can pose a problem as some clients  (such
              as Windows for Workgroups) uppercase the password before sending
              it.

              Note that if the unix password sync  parameter  is  set  to  yes
              then  this  program is called AS ROOT before the SMB password in
              the smbpasswd file is changed.  If  this  UNIX  password  change
              fails, then smbd will fail to change the SMB password also (this
              is by design).

              If the unix password sync parameter is set this  parameter  MUST
              USE ABSOLUTE PATHS for ALL programs called, and must be examined
              for security implications. Note that by  default  unix  password
              sync is set to no.

              Default: passwd program =

              Example: passwd program = /bin/passwd %u

       password level (G)
              Some  client/server combinations have difficulty with mixed-case
              passwords. One offending client is Windows for Workgroups, which
              for  some  reason  forces passwords to upper case when using the
              LANMAN1 protocol, but leaves them  alone  when  using  COREPLUS!
              Another  problem  child is the Windows 95/98 family of operating
              systems. These clients upper case clear text passwords even when
              NT    LM    0.12    selected   by   the   protocol   negotiation
              request/response.

              This parameter defines the maximum number of characters that may
              be upper case in passwords.

              For  example,  say  the  password given was "FRED". If  password
              level is set to 1, the following combinations would be tried  if
              "FRED" failed:

              "Fred", "fred", "fRed", "frEd","freD"

              If password level was set to 2, the following combinations would
              also be tried:

              "FRed", "FrEd", "FreD", "fREd", "fReD", "frED", ..

              And so on.

              The higher value this parameter is set to the more likely it  is
              that a mixed case password will be matched against a single case
              password. However, you should be aware that use of this  parame-
              ter  reduces  security and increases the time taken to process a
              new connection.

              A value of zero will cause only two attempts to be  made  -  the
              password as is and the password in all-lower case.

              This  parameter is used only when using plain-text passwords. It
              is not at all used when encrypted passwords as in use  (that  is
              the default since samba-3.0.0). Use this only when encrypt pass-
              words = No.

              Default: password level = 0

              Example: password level = 4

       password server (G)
              By specifying the name of another SMB server or Active Directory
              domain  controller  with  this  option,  and  using  security  =
              [ads|domain|server] it is possible to get Samba to to do all its
              username/password validation using a specific remote server.

              This  option  sets the name or IP address of the password server
              to use. New syntax has been added to support defining  the  port
              to  use  when connecting to the server the case of an ADS realm.
              To define a port other than the default LDAP port  of  389,  add
              the port number using a colon after the name or IP address (e.g.
              192.168.1.100:389). If you do not specify a port, Samba will use
              the  standard  LDAP port of tcp/389. Note that port numbers have
              no effect on password servers for Windows NT 4.0 domains or net-
              bios connections.

              If parameter is a name, it is looked up using the parameter name
              resolve order and so  may  resolved  by  any  method  and  order
              described in that parameter.

              The  password  server  must  be  a  machine capable of using the
              "LM1.2X002" or the "NT LM 0.12" protocol, and it must be in user
              level security mode.

              Note

              Using  a  password server means your UNIX box (running Samba) is
              only as secure as your password server. DO NOT CHOOSE A PASSWORD
              SERVER THAT YOU DON'T COMPLETELY TRUST.

       Never  point  a  Samba server at itself for password serving. This will
       cause a loop and could lock up your Samba server!

       The name of the password server takes the standard  substitutions,  but
       probably  the only useful one is %m , which means the Samba server will
       use the incoming client as the password server. If you  use  this  then
       you  better  trust  your clients, and you had better restrict them with
       hosts allow!

       If the security parameter is set to domain or ads,  then  the  list  of
       machines in this option must be a list of Primary or Backup Domain con-
       trollers for the Domain or the character '*', as the  Samba  server  is
       effectively  in  that  domain, and will use cryptographically authenti-
       cated RPC calls to authenticate the user logging on. The  advantage  of
       using  security = domain is that if you list several hosts in the pass-
       word server option then smbd  will try each in turn till it  finds  one
       that responds. This is useful in case your primary server goes down.

       If  the  password server option is set to the character '*', then Samba
       will attempt to auto-locate the Primary or Backup Domain controllers to
       authenticate  against  by  doing a query for the name WORKGROUP<1C> and
       then contacting each server returned in the list of IP  addresses  from
       the name resolution source.

       If  the list of servers contains both names/IP's and the '*' character,
       the list is treated as a list of preferred domain controllers,  but  an
       auto  lookup  of  all remaining DC's will be added to the list as well.
       Samba will not attempt to optimize this list by  locating  the  closest
       DC.

       If  the  security  parameter is set to server, then there are different
       restrictions that security = domain doesn't suffer from:

              o  You may list several password servers in the password  server
                 parameter,  however  if an smbd makes a connection to a pass-
                 word server, and then the  password  server  fails,  no  more
                 users  will  be able to be authenticated from this smbd. This
                 is a restriction of the SMB/CIFS protocol when in security  =
                 server  mode and cannot be fixed in Samba.

              o  If  you are using a Windows NT server as your password server
                 then you will have to ensure that  your  users  are  able  to
                 login  from  the  Samba server, as when in  security = server
                 mode the network logon will appear to come from there  rather
                 than from the users workstation.

              Default: password server =

              Example: password server = NT-PDC, NT-BDC1, NT-BDC2, *

              Example:  password server = windc.mydomain.com:389 192.168.1.101
              *

              Example: password server = *

       directory
              This parameter is a synonym for path.

       path (S)
              This parameter specifies a directory to which the  user  of  the
              service  is  to  be  given access. In the case of printable ser-
              vices, this is where print data will spool prior to  being  sub-
              mitted to the host for printing.

              For  a  printable  service  offering  guest  access, the service
              should be readonly and the path should  be  world-writeable  and
              have  the  sticky  bit set. This is not mandatory of course, but
              you probably won't get the results you expect if you  do  other-
              wise.

              Any occurrences of %u in the path will be replaced with the UNIX
              username that the client is using on this connection. Any occur-
              rences of %m will be replaced by the NetBIOS name of the machine
              they are connecting from. These replacements are very useful for
              setting up pseudo home directories for users.

              Note  that this path will be based on root dir if one was speci-
              fied.

              Default: path =

              Example: path = /home/fred

       pid directory (G)
              This option specifies the directory  where  pid  files  will  be
              placed.

              Default: pid directory = ${prefix}/var/locks

              Example: pid directory = pid directory = /var/run/

       posix locking (S)
              The  smbd(8) daemon maintains an database of file locks obtained
              by SMB clients. The default behavior is  to  map  this  internal
              database  to POSIX locks. This means that file locks obtained by
              SMB clients are consistent with those seen  by  POSIX  compliant
              applications  accessing the files via a non-SMB method (e.g. NFS
              or local file access). You should never  need  to  disable  this
              parameter.

              Default: posix locking = yes

       postexec (S)
              This  option  specifies a command to be run whenever the service
              is disconnected. It takes the usual substitutions.  The  command
              may be run as the root on some systems.

              An interesting example may be to unmount server resources:

              postexec = /etc/umount /cdrom

              Default: postexec =

              Example:  postexec  =  echo  \"%u  disconnected  from %S from %m
              (%I)\" >> /tmp/log

       exec   This parameter is a synonym for preexec.

       preexec (S)
              This option specifies a command to be run whenever  the  service
              is connected to. It takes the usual substitutions.

              An  interesting  example  is to send the users a welcome message
              every time they log in. Maybe a message of the day? Here  is  an
              example:

              preexec    =    csh    -c    'echo    \"Welcome   to   %S!\"   |
              /usr/local/samba/bin/smbclient -M %m -I %I' &

              Of course, this could get annoying after a while :-)

              See also preexec close and postexec.

              Default: preexec =

              Example: preexec = echo \"%u connected to %S from %m  (%I)\"  >>
              /tmp/log

       preexec close (S)
              This boolean option controls whether a non-zero return code from
              preexec should close the service being connected to.

              Default: preexec close = no

       prefered master
              This parameter is a synonym for preferred master.

       preferred master (G)
              This boolean parameter controls ifnmbd(8) is a preferred  master
              browser for its workgroup.

              If  this is set to yes, on startup, nmbd will force an election,
              and it will have a slight advantage in winning the election.  It
              is  recommended that this parameter is used in conjunction with-
              domain master = yes, so  that  nmbd  can  guarantee  becoming  a
              domain master.

              Use this option with caution, because if there are several hosts
              (whether Samba servers, Windows 95 or  NT)  that  are  preferred
              master  browsers on the same subnet, they will each periodically
              and continuously attempt to become  the  local  master  browser.
              This  will  result  in unnecessary broadcast traffic and reduced
              browsing capabilities.

              Default: preferred master = auto

       auto services
              This parameter is a synonym for preload.

       preload (G)
              This is a list of services that you  want  to  be  automatically
              added  to  the  browse  lists. This is most useful for homes and
              printers services that would otherwise not be visible.

              Note that if you just want all printers in  your  printcap  file
              loaded then the load printers option is easier.

              Default: preload =

              Example: preload = fred lp colorlp

       preload modules (G)
              This  is  a  list of paths to modules that should be loaded into
              smbd before a client connects. This improves the speed  of  smbd
              when reacting to new connections somewhat.

              Default: preload modules =

              Example: preload modules = /usr/lib/samba/passdb/mysql.so

       preserve case (S)
              This  controls  if  new filenames are created with the case that
              the client passes, or if they are forced to be the default case.

              See the section on NAME MANGLING for a fuller discussion.

              Default: preserve case = yes

       print ok
              This parameter is a synonym for printable.

       printable (S)
              If  this  parameter  is yes, then clients may open, write to and
              submit spool files on the directory specified for the service.

              Note that a printable service will ALWAYS allow writing  to  the
              service  path  (user  privileges permitting) via the spooling of
              print data. The read only parameter controls  only  non-printing
              access to the resource.

              Default: printable = no

       printcap cache time (G)
              This  option specifies the number of seconds before the printing
              subsystem is again asked for the known printers. If the value is
              greater than 60 the initial waiting time is set to 60 seconds to
              allow an earlier first rescan of the printing subsystem.

              Setting this parameter to 0 (the default) disables  any  rescan-
              ning for new or removed printers after the initial startup.

              Default: printcap cache time = 0

              Example: printcap cache time = 600

       printcap
              This parameter is a synonym for printcap name.

       printcap name (S)
              This  parameter  may be used to override the compiled-in default
              printcap name used by the server (usually   /etc/printcap).  See
              the  discussion  of the [printers] section above for reasons why
              you might want to do this.

              To use the CUPS printing interface set printcap name  =  cups  .
              This  should  be supplemented by an addtional setting printing =
              cups in the [global] section. printcap name = cups will use  the
              "dummy" printcap created by CUPS, as specified in your CUPS con-
              figuration file.

              On System V systems that use lpstat to list  available  printers
              you  can  use  printcap  name  = lpstat  to automatically obtain
              lists of available printers. This is  the  default  for  systems
              that  define SYSV at configure time in Samba (this includes most
              System V based systems). If  printcap name is set to  lpstat  on
              these  systems  then  Samba will launch lpstat -v and attempt to
              parse the output to obtain a printer list.

              A minimal printcap file would look something like this:

              print1|My Printer 1
              print2|My Printer 2
              print3|My Printer 3
              print4|My Printer 4
              print5|My Printer 5

              where the '|' separates aliases of a printer. The fact that  the
              second alias has a space in it gives a hint to Samba that it's a
              comment.

              Note

              Under AIX the default printcap name is /etc/qconfig. Samba  will
              assume  the  file  is in AIX qconfig format if the stringqconfig
              appears in the printcap filename.

       Default: printcap name = /etc/printcap

       Example: printcap name = /etc/myprintcap

       print command (S)
              After a print job has finished spooling to a service, this  com-
              mand will be used via a system() call to process the spool file.
              Typically the command specified will submit the  spool  file  to
              the  host's printing subsystem, but there is no requirement that
              this be the case. The server will not remove the spool file,  so
              whatever  command  you specify should remove the spool file when
              it has been processed,  otherwise  you  will  need  to  manually
              remove old spool files.

              The  print command is simply a text string. It will be used ver-
              batim after macro substitutions have been made:

              %s, %f - the path to the spool file name

              %p - the appropriate printer name

              %J - the job name as transmitted by the client.

              %c - The number of printed pages of the spooled job (if  known).

              %z - the size of the spooled print job (in bytes)

              The  print command MUST contain at least one occurrence of %s or
              %f  - the %p is optional. At the time a job is submitted, if  no
              printer  name  is supplied the %p  will be silently removed from
              the printer command.

              If specified in the [global] section, the  print  command  given
              will  be  used  for any printable service that does not have its
              own print command specified.

              If there is neither a specified print command  for  a  printable
              service  nor a global print command, spool files will be created
              but not processed and (most importantly) not removed.

              Note that printing may fail  on  some  UNIXes  from  the  nobody
              account.  If  this  happens  then  create  an  alternative guest
              account that can print and set the guest account in the [global]
              section.

              You can form quite complex print commands by realizing that they
              are just passed to a shell. For example the following will log a
              print  job, print the file, then remove it. Note that ';' is the
              usual separator for command in shell scripts.

              print command = echo Printing %s >> /tmp/print.log;  lpr  -P  %p
              %s; rm %s

              You  may have to vary this command considerably depending on how
              you normally print files on your system.  The  default  for  the
              parameter varies depending on the setting of the printing param-
              eter.

              Default: For printing = BSD, AIX, QNX, LPRNG or PLP :

              print command = lpr -r -P%p %s

              For printing = SYSV or HPUX :

              print command = lp -c -d%p %s; rm %s

              For printing = SOFTQ :

              print command = lp -d%p -s %s; rm %s

              For printing = CUPS : If SAMBA is compiled against libcups, then
              printcap = cups uses the CUPS API to submit jobs, etc. Otherwise
              it maps to the System V  commands  with  the  -oraw  option  for
              printing,  i.e. it uses lp -c -d%p -oraw; rm %s. With printing =
              cups, and if SAMBA is compiled against libcups, any manually set
              print command will be ignored.

              No default

              Example:  print  command = /usr/local/samba/bin/myprintscript %p
              %s

       printer admin (S)
              This lists users who can do anything to printers via the  remote
              administration  interfaces offered by MS-RPC (usually using a NT
              workstation). This parameter can be set per-share  or  globally.
              Note:  The  root  user always has admin rights. Use caution with
              use in the global stanza as this can cause side effects.

              Default: printer admin =

              Example: printer admin = admin, @staff

       printer
              This parameter is a synonym for printer name.

       printer name (S)
              This parameter specifies the name of the printer to which  print
              jobs spooled through a printable service will be sent.

              If  specified  in  the  [global] section, the printer name given
              will be used for any printable service that does  not  have  its
              own printer name specified.

              The default value of the printer name may be lp on many systems.

              Default: printer name = none

              Example: printer name = laserwriter

       printing (S)
              This parameters  controls  how  printer  status  information  is
              interpreted  on  your system. It also affects the default values
              for the print command, lpq command, lppause command  ,  lpresume
              command,  and lprm command if specified in the [global] section.

              Currently nine printing styles are supported. They are BSD, AIX,
              LPRNG, PLP, SYSV, HPUX, QNX, SOFTQ, and CUPS.

              To  see  what the defaults are for the other print commands when
              using the various options use the testparm(1) program.

              This option can be set on a per printer basis. Please  be  aware
              however,  that  you  must place any of the various printing com-
              mands (e.g. print command, lpq command, etc...)  after  defining
              the value for the printing option since it will reset the print-
              ing commands to default values.

              See also the discussion in the [printers] section.

              No default

       private dir (G)
              This parameters defines the directory smbd will use for  storing
              such files as smbpasswd and secrets.tdb.

              Default: private dir = ${prefix}/private

       profile acls (S)
              This boolean parameter was added to fix the problems that people
              have been having with storing user profiles on Samba shares from
              Windows 2000 or Windows XP clients. New versions of Windows 2000
              or Windows XP service packs do  security  ACL  checking  on  the
              owner  and ability to write of the profile directory stored on a
              local workstation when copied from a Samba share.

              When not in domain mode with winbindd  then  the  security  info
              copied  onto  the local workstation has no meaning to the logged
              in user (SID) on that workstation so the profile storing  fails.
              Adding  this  parameter  onto  a  share used for profile storage
              changes two things about the returned Windows  ACL.  Firstly  it
              changes  the  owner  and  group  owner of all reported files and
              directories  to   be   BUILTIN\\Administrators,   BUILTIN\\Users
              respectively (SIDs S-1-5-32-544, S-1-5-32-545). Secondly it adds
              an ACE entry of "Full Control"  to  the  SID  BUILTIN\\Users  to
              every returned ACL. This will allow any Windows 2000 or XP work-
              station user to access the profile.

              Note that if you have multiple users logging on to a workstation
              then  in  order  to  prevent them from being able to access each
              others profiles you must remove the "Bypass  traverse  checking"
              advanced  user  right.  This  will prevent access to other users
              profile directories as the top level  profile  directory  (named
              after  the  user) is created by the workstation profile code and
              has an ACL restricting entry to the directory tree to the owning
              user.

              Default: profile acls = no

       queuepause command (S)
              This  parameter  specifies  the  command  to  be executed on the
              server host in order to pause the printer queue.

              This command should be a program or script which takes a printer
              name  as  its  only  parameter and stops the printer queue, such
              that no longer jobs are submitted to the printer.

              This command is not supported by Windows for Workgroups, but can
              be issued from the Printers window under Windows 95 and NT.

              If a %p is given then the printer name is put in its place. Oth-
              erwise it is placed at the end of the command.

              Note that it is good practice to include the  absolute  path  in
              the command as the PATH may not be available to the server.

              No default

              Example: queuepause command = disable %p

       queueresume command (S)
              This  parameter  specifies  the  command  to  be executed on the
              server host in order to resume the printer queue. It is the com-
              mand to undo the behavior that is caused by the previous parame-
              ter (queuepause command).

              This command should be a program or script which takes a printer
              name  as  its only parameter and resumes the printer queue, such
              that queued jobs are resubmitted to the printer.

              This command is not supported by Windows for Workgroups, but can
              be issued from the Printers window under Windows 95 and NT.

              If a %p is given then the printer name is put in its place. Oth-
              erwise it is placed at the end of the command.

              Note that it is good practice to include the  absolute  path  in
              the command as the PATH may not be available to the server.

              Default: queueresume command =

              Example: queueresume command = enable %p

       read bmpx (G)
              This boolean parameter controls whether smbd(8) will support the
              "Read Block Multiplex" SMB. This is now rarely used and defaults
              to no. You should never need to set this parameter.

              Default: read bmpx = no

       read list (S)
              This  is  a  list  of users that are given read-only access to a
              service. If the connecting user is in this list then  they  will
              not  be  given write access, no matter what the read only option
              is set to. The list can include group  names  using  the  syntax
              described in the invalid users parameter.

              This  parameter will not work with the security = share in Samba
              3.0. This is by design.

              Default: read list =

              Example: read list = mary, @students

       read only (S)
              An inverted synonym is writeable.

              If this parameter is yes, then users of a service may not create
              or modify files in the service's directory.

              Note  that  a  printable  service  (printable = yes) will ALWAYS
              allow writing to the directory (user privileges permitting), but
              only via spooling operations.

              Default: read only = yes

       read raw (G)
              This  parameter  controls whether or not the server will support
              the raw read SMB requests when transferring data to clients.

              If enabled, raw reads allow reads of 65535 bytes in one  packet.
              This typically provides a major performance benefit.

              However,  some clients either negotiate the allowable block size
              incorrectly or are incapable of supporting larger  block  sizes,
              and for these clients you may need to disable raw reads.

              In  general  this  parameter should be viewed as a system tuning
              tool and left severely alone.

              Default: read raw = yes

       realm (G)
              This option specifies the kerberos realm to use.  The  realm  is
              used  as the ADS equivalent of the NT4 domain. It is usually set
              to the DNS name of the kerberos server.

              Default: realm =

              Example: realm = mysambabox.mycompany.com

       remote announce (G)
              This option allows you to setup nmbd(8)to periodically  announce
              itself  to  arbitrary  IP  addresses with an arbitrary workgroup
              name.

              This is useful if you want your Samba  server  to  appear  in  a
              remote  workgroup  for which the normal browse propagation rules
              don't work. The remote workgroup can be anywhere  that  you  can
              send IP packets to.

              For example:

              remote announce = 192.168.2.255/SERVERS 192.168.4.255/STAFF

              the  above  line  would cause nmbd to announce itself to the two
              given IP addresses using the given workgroup names. If you leave
              out  the  workgroup  name  then  the  one given in the workgroup
              parameter is used instead.

              The IP addresses you choose  would  normally  be  the  broadcast
              addresses  of  the  remote  networks,  but  can  also  be the IP
              addresses of known browse masters if your network config is that
              stable.

              See NetworkBrowsing.

              Default: remote announce =

       remote browse sync (G)
              This  option allows you to setup nmbd(8) to periodically request
              synchronization of browse lists with the  master  browser  of  a
              Samba server that is on a remote segment. This option will allow
              you to gain browse lists for multiple workgroups  across  routed
              networks.  This  is done in a manner that does not work with any
              non-Samba servers.

              This is useful if you want  your  Samba  server  and  all  local
              clients  to  appear  in  a remote workgroup for which the normal
              browse propagation rules don't work. The remote workgroup can be
              anywhere that you can send IP packets to.

              For example:

              remote browse sync = 192.168.2.255 192.168.4.255

              the above line would cause nmbd to request the master browser on
              the specified subnets or addresses to synchronize  their  browse
              lists with the local server.

              The  IP  addresses  you  choose  would normally be the broadcast
              addresses of the  remote  networks,  but  can  also  be  the  IP
              addresses of known browse masters if your network config is that
              stable. If a machine IP address is given Samba makes NO  attempt
              to  validate that the remote machine is available, is listening,
              nor that it is in fact the browse master on its segment.

              Default: remote browse sync =

       restrict anonymous (G)
              The setting of this parameter determines whether user and  group
              list  information  is  returned for an anonymous connection. and
              mirrors the effects of the

              HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
                         Control\LSA\RestrictAnonymous
               registry key in Windows 2000 and Windows NT.  When  set  to  0,
              user  and group list information is returned to anyone who asks.
              When set to 1, only an authenticated user can retrive  user  and
              group  list  information.  For the value 2, supported by Windows
              2000/XP and Samba, no anonymous connections are allowed at  all.
              This  can  break  third  party  and Microsoft applications which
              expect to be allowed to perform operations anonymously.

              The security advantage of using restrict anonymous = 1 is  dubi-
              ous,  as  user  and group list information can be obtained using
              other means.

              Note

              The security advantage  of  using  restrict  anonymous  =  2  is
              removed by setting guest ok = yes on any share.

       Default: restrict anonymous = 0

       root   This parameter is a synonym for root directory.

       root dir
              This parameter is a synonym for root directory.

       root directory (G)
              The  server  will  chroot()  (i.e. Change its root directory) to
              this directory on startup. This is not  strictly  necessary  for
              secure operation. Even without it the server will deny access to
              files not in one of the service entries. It may also check  for,
              and deny access to, soft links to other parts of the filesystem,
              or attempts to use ".." in file names to access  other  directo-
              ries (depending on the setting of thewide smbconfoptions parame-
              ter).

              Adding a root directory entry other than "/" adds an extra level
              of  security,  but  at  a  price.  It absolutely ensures that no
              access is given to files not in the sub-tree  specified  in  the
              root  directory option, including some files needed for complete
              operation of the server. To maintain  full  operability  of  the
              server  you  will need to mirror some system files into the root
              directory  tree.  In  particular  you  will   need   to   mirror
              /etc/passwd  (or a subset of it), and any binaries or configura-
              tion files needed for printing (if required). The set  of  files
              that must be mirrored is operating system dependent.

              Default: root directory = /

              Example: root directory = /homes/smb

       root postexec (S)
              This  is the same as the postexec parameter except that the com-
              mand is run as root. This is useful for  unmounting  filesystems
              (such as CDROMs) after a connection is closed.

              Default: root postexec =

       root preexec (S)
              This  is  the same as the preexec parameter except that the com-
              mand is run as root. This is  useful  for  mounting  filesystems
              (such as CDROMs) when a connection is opened.

              Default: root preexec =

       root preexec close (S)
              This is the same as the preexec close  parameter except that the
              command is run as root.

              Default: root preexec close = no

       security (G)
              This option affects how clients respond to Samba and is  one  of
              the most important settings in the  smb.conf file.

              The  option  sets the "security mode bit" in replies to protocol
              negotiations with smbd(8) to turn share  level  security  on  or
              off.  Clients  decide  based  on  this  bit whether (and how) to
              transfer user and password information to the server.

              The default is security = user, as this is the most common  set-
              ting needed when talking to Windows 98 and Windows NT.

              The  alternatives  are  security  =  share, security = server or
              security = domain .

              In versions of Samba prior to 2.0.0, the default was security  =
              share mainly because that was the only option at one stage.

              There  is a bug in WfWg that has relevance to this setting. When
              in user or server level security  a  WfWg  client  will  totally
              ignore  the password you type in the "connect drive" dialog box.
              This makes it very difficult (if not impossible) to connect to a
              Samba service as anyone except the user that you are logged into
              WfWg as.

              If your PCs use usernames that are the same as  their  usernames
              on  the  UNIX machine then you will want to use security = user.
              If you mostly use usernames that don't exist  on  the  UNIX  box
              then use security = share.

              You should also use security = share if you want to mainly setup
              shares without a password (guest shares). This is commonly  used
              for a shared printer server. It is more difficult to setup guest
              shares with security = user, see the map to  guestparameter  for
              details.

              It  is possible to use smbd in a  hybrid mode where it is offers
              both user and  share  level  security  under  different  NetBIOS
              aliases.

              The different settings will now be explained.

              SECURITY = SHARE

              When  clients connect to a share level security server they need
              not log onto the server  with  a  valid  username  and  password
              before attempting to connect to a shared resource (although mod-
              ern clients such as Windows 95/98 and Windows  NT  will  send  a
              logon  request with a username but no password when talking to a
              security = share  server). Instead, the clients send authentica-
              tion  information  (passwords) on a per-share basis, at the time
              they attempt to connect to that share.

              Note that smbd  ALWAYS uses a valid UNIX user to act  on  behalf
              of the client, even in security = share level security.

              As  clients are not required to send a username to the server in
              share level security, smbd uses several techniques to  determine
              the correct UNIX user to use on behalf of the client.

              A list of possible UNIX usernames to match with the given client
              password is constructed using the following methods :

              o  If the guest only parameter is set, then all the other stages
                 are missed and only the guest account username is checked.

              o  Is a username is sent with the share connection request, then
                 this username (after mapping - see username map), is added as
                 a potential username.

              o  If the client did a previous logon  request (the SessionSetup
                 SMB call) then the username sent in this SMB will be added as
                 a potential username.

              o  The  name  of  the service the client requested is added as a
                 potential username.

              o  The NetBIOS name of the client is added  to  the  list  as  a
                 potential username.

              o  Any  users on the user list are added as potential usernames.

              If the guest only parameter is not set, then this list  is  then
              tried  with  the  supplied password. The first user for whom the
              password matches will be used as the UNIX user.

              If the guest only parameter is set, or no username can be deter-
              mined  then  if  the  share  is marked as available to the guest
              account, then this guest user will be used, otherwise access  is
              denied.

              Note that it can be very confusing in share-level security as to
              which UNIX username will eventually be used in granting  access.

              See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION.

              SECURITY = USER

              This  is  the  default  security  setting  in  Samba  3.0.  With
              user-level security a client must first "log-on"  with  a  valid
              username  and  password  (which can be mapped using the username
              map parameter). Encrypted passwords (see the encrypted passwords
              parameter)  can  also  be used in this security mode. Parameters
              such as user and guest only if set  are  then  applied  and  may
              change  the  UNIX user to use on this connection, but only after
              the user has been successfully authenticated.

              Note that the name of the resource being requested is  not  sent
              to  the server until after the server has successfully authenti-
              cated the client. This is why guest shares don't  work  in  user
              level  security without allowing the server to automatically map
              unknown users into the guest  account.  See  the  map  to  guest
              parameter for details on doing this.

              See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION.

              SECURITY = DOMAIN

              This  mode  will  only work correctly if net(8) has been used to
              add this machine into  a  Windows  NT  Domain.  It  expects  the
              encrypted  passwords  parameter  to  be set to yes. In this mode
              Samba will try to validate the username/password by  passing  it
              to  a Windows NT Primary or Backup Domain Controller, in exactly
              the same way that a Windows NT Server would do.

              Note that a valid UNIX user must still  exist  as  well  as  the
              account  on the Domain Controller to allow Samba to have a valid
              UNIX account to map file access to.

              Note that from the client's point of view security =  domain  is
              the  same  as  security  =  user. It only affects how the server
              deals with the authentication, it does not  in  any  way  affect
              what the client sees.

              Note  that  the name of the resource being requested is not sent
              to the server until after the server has successfully  authenti-
              cated  the  client.  This is why guest shares don't work in user
              level security without allowing the server to automatically  map
              unknown  users  into  the  guest  account.  See the map to guest
              parameter for details on doing this.

              See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION.

              See also the password server parameter and the  encrypted  pass-
              words parameter.

              SECURITY = SERVER

              In this mode Samba will try to validate the username/password by
              passing it to another SMB server, such as an  NT  box.  If  this
              fails it will revert to security = user. It expects theencrypted
              passwords parameter to be set to yes, unless the  remote  server
              does  not support them. However note that if encrypted passwords
              have been negotiated then Samba cannot revert back  to  checking
              the  UNIX  password file, it must have a valid smbpasswd file to
              check users against. See the chapter about the User Database  in
              the Samba HOWTO Collection for details on how to set this up.

              Note

              This mode of operation has significant pitfalls, due to the fact
              that is activly initiates  a  man-in-the-middle  attack  on  the
              remote  SMB  server.  In  particular, this mode of operation can
              cause significant resource consuption on the  PDC,  as  it  must
              maintain  an  active  connection  for the duration of the user's
              session. Furthermore, if this connection is lost,  there  is  no
              way  to  reestablish  it, and futher authenticaions to the Samba
              server may fail. (From a single client, till it disconnects).

              Note

              From the client's point of view security = server is the same as
              security  =  user. It only affects how the server deals with the
              authentication, it does not in any way affect  what  the  client
              sees.

       Note  that  the name of the resource being requested is not sent to the
       server until  after  the  server  has  successfully  authenticated  the
       client.  This  is  why  guest  shares don't work in user level security
       without allowing the server to automatically map unknown users into the
       guest  account.  See  the  map  to guest parameter for details on doing
       this.

       See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION.

       See also the  password  server  parameter  and  theencrypted  passwords
       parameter.

       SECURITY = ADS

       In  this  mode,  Samba  will act as a domain member in an ADS realm. To
       operate in this mode, the machine running Samba will need to have  Ker-
       beros  installed and configured and Samba will need to be joined to the
       ADS realm using the net utility.

       Note that this mode does NOT make Samba operate as a  Active  Directory
       Domain Controller.

       Read the chapter about Domain Membership in the HOWTO for details.

       Default: security = USER

       Example: security = DOMAIN

       security mask (S)
              This  parameter  controls what UNIX permission bits can be modi-
              fied when a Windows NT client is manipulating the  UNIX  permis-
              sion on a file using the native NT security dialog box.

              This parameter is applied as a mask (AND'ed with) to the changed
              permission bits, thus preventing any bits not in this mask  from
              being  modified.  Make  sure  not  to mix up this parameter with
              force security mode, which works in a manner similar to this one
              but uses a logical OR instead of an AND.

              Essentially,  zero  bits in this mask may be treated as a set of
              bits the user is not allowed to change.

              If not set explicitly this parameter is 0777, allowing a user to
              modify all the user/group/world permissions on a file.

               Note  that  users who can access the Samba server through other
              means can easily bypass this restriction,  so  it  is  primarily
              useful  for  standalone  "appliance"  systems. Administrators of
              most normal systems will probably want to leave it set to  0777.

              Default: security mask = 0777

              Example: security mask = 0770

       server schannel (G)
              This  controls whether the server offers or even demands the use
              of the netlogon schannel.server schannel = no does not offer the
              schannel,  server  schannel  = auto offers the schannel but does
              not enforce it, and server schannel = yes denies access  if  the
              client  is not able to speak netlogon schannel. This is only the
              case for Windows NT4 before SP4.

              Please note that with this set to no you will have to apply  the
              WindowsXPWinXP_SignOrSeal.reg   registry   patch  found  in  the
              docs/registry subdirectory of the Samba distribution tarball.

              Default: server schannel = auto

              Example: server schannel = yes

       server signing (G)
              This controls whether the server offers or requires  the  client
              it talks to to use SMB signing. Possible values are auto, manda-
              tory and disabled.

              When set to auto, SMB signing is offered, but not enforced. When
              set  to  mandatory,  SMB  signing is required and if set to dis-
              abled, SMB signing is not offered either.

              Default: server signing = Disabled

       server string (G)
              This controls what string will show up in  the  printer  comment
              box in print manager and next to the IPC connection in net view.
              It can be any string that you wish to show to your users.

              It also sets what will  appear  in  browse  lists  next  to  the
              machine name.

              A %v will be replaced with the Samba version number.

              A %h will be replaced with the hostname.

              Default: server string = Samba %v

              Example: server string = University of GNUs Samba Server

       set directory (S)
              If set directory = no, then users of the service may not use the
              setdir command to change directory.

              The setdir command is only implemented in the Digital  Pathworks
              client. See the Pathworks documentation for details.

              Default: set directory = no

       set primary group script (G)
              Thanks to the Posix subsystem in NT a Windows User has a primary
              group in addition to the auxiliary groups. This script sets  the
              primary  group in the unix userdatase when an administrator sets
              the primary group from the windows user manager or when fetching
              a  SAM  with  net rpc vampire. %u will be replaced with the user
              whose primary group is to be set.%g will be  replaced  with  the
              group to set.

              Default: set primary group script =

              Example:  set  primary  group script = /usr/sbin/usermod -g '%g'
              '%u'

       set quota command (G)
              The set quota command should only be used whenever there  is  no
              operating system API available from the OS that samba can use.

              This  option  is only available if Samba was configured with the
              argument  --with-sys-quotas  or  on   linux   when   ./configure
              --with-quotas  was used and a working quota api was found in the
              system. Most packages are configured with these options already.

              This  parameter should specify the path to a script that can set
              quota for the specified arguments.

              The specified script should take the following arguments:

              o  1 - quota type

                 o  1 - user quotas

                 o  2 - user default quotas (uid = -1)

                 o  3 - group quotas

                 o  4 - group default quotas (gid = -1)

              o  2 - id (uid for user, gid for group, -1 if N/A)

              o  3 - quota state (0 = disable, 1 =  enable,  2  =  enable  and
                 enforce)

              o  4 - block softlimit

              o  5 - block hardlimit

              o  6 - inode softlimit

              o  7 - inode hardlimit

              o  8(optional) - block size, defaults to 1024

              The  script  should output at least one line of data on success.
              And nothing on failure.

              Default: set quota command =

              Example: set quota command = /usr/local/sbin/set_quota

       share modes (S)
              This enables or disables the honoring of the share modes  during
              a  file  open. These modes are used by clients to gain exclusive
              read or write access to a file.

              These open modes are not directly supported by UNIX, so they are
              simulated  using  shared  memory,  or  lock  files  if your UNIX
              doesn't support shared memory (almost all do).

              The share modes that are enabled  by  this  option  areDENY_DOS,
              DENY_ALL,DENY_READ, DENY_WRITE,DENY_NONE and DENY_FCB.

              This  option  gives  full  share  compatibility  and  enabled by
              default.

              You should NEVER turn this parameter off as many Windows  appli-
              cations will break if you do so.

              Default: share modes = yes

       short preserve case (S)
              This  boolean  parameter  controls if new files which conform to
              8.3 syntax, that is all in upper case and  of  suitable  length,
              are  created upper case, or if they are forced to be the default
              case . This option can be use with preserve case = yes to permit
              long  filenames to retain their case, while short names are low-
              ered.

              See the section on NAME MANGLING.

              Default: short preserve case = yes

       show add printer wizard (G)
              With the introduction of MS-RPC based printing support for  Win-
              dows  NT/2000  client  in Samba 2.2, a "Printers..." folder will
              appear on Samba hosts in the share listing. Normally this folder
              will  contain  an icon for the MS Add Printer Wizard (APW). How-
              ever, it is possible to disable this feature regardless  of  the
              level of privilege of the connected user.

              Under normal circumstances, the Windows NT/2000 client will open
              a handle on the printer server with OpenPrinterEx()  asking  for
              Administrator  privileges. If the user does not have administra-
              tive access on the print server (i.e is not root or a member  of
              the printer admin group), the OpenPrinterEx() call fails and the
              client makes another open call with a request for a lower privi-
              lege  level.  This should succeed, however the APW icon will not
              be displayed.

              Disabling the show add  printer  wizard  parameter  will  always
              cause  the  OpenPrinterEx()  on the server to fail. Thus the APW
              icon will never be displayed.

              Note

              This does not prevent the same user from  having  administrative
              privilege on an individual printer.

       Default: show add printer wizard = yes

       shutdown script (G)
              This  a  full path name to a script called bysmbd(8) that should
              start a shutdown procedure.

              If the connected user  posseses  the  SeRemoteShutdownPrivilege,
              right, this command will be run as user.

              The %z %t %r %f variables are expanded as follows:

              o  %z  will be substituted with the shutdown message sent to the
                 server.

              o  %t will be substituted with the number  of  seconds  to  wait
                 before effectively starting the shutdown procedure.

              o  %r  will  be  substituted with the switch -r. It means reboot
                 after shutdown for NT.

              o  %f will be substituted with the switch -f. It means force the
                 shutdown even if applications do not respond for NT.

              Shutdown script example:

              #!/bin/bash

              $time=0
              let "time/60"
              let "time++"

              /sbin/shutdown $3 $4 +$time $1 &
               Shutdown does not return so we need to launch it in background.

              Default: shutdown script =

              Example: shutdown script = /usr/local/samba/sbin/shutdown %m  %t
              %r %f

       smb passwd file (G)
              This  option  sets  the path to the encrypted smbpasswd file. By
              default the path to the smbpasswd file is compiled into Samba.

              An example of use is:

              smb passwd file = /etc/samba/smbpasswd

              Default: smb passwd file = ${prefix}/private/smbpasswd

       smb ports (G)
              Specifies which ports the server should listen on for SMB  traf-
              fic.

              Default: smb ports = 445 139

       socket address (G)
              This option allows you to control what address Samba will listen
              for connections on. This is used  to  support  multiple  virtual
              interfaces  on  the one server, each with a different configura-
              tion.

              By default Samba will accept connections on any address.

              Default: socket address =

              Example: socket address = 192.168.2.20

       socket options (G)
              This option allows you to set socket options  to  be  used  when
              talking with the client.

              Socket options are controls on the networking layer of the oper-
              ating systems which allow the connection to be tuned.

              This option will typically be used to tune your Samba server for
              optimal performance for your local network. There is no way that
              Samba can know what the optimal parameters are for your net,  so
              you  must  experiment and choose them yourself. We strongly sug-
              gest you read the appropriate documentation for  your  operating
              system first (perhaps man setsockopt will help).

              You may find that on some systems Samba will say "Unknown socket
              option" when you supply an option. This means you either  incor-
              rectly typed it or you need to add an include file to includes.h
              for your OS. If the latter is the case please send the patch  to
              samba-technical@samba.org.

              Any  of  the supported socket options may be combined in any way
              you like, as long as your OS allows it.

              This is the list of socket options currently settable using this
              option:

              o  SO_KEEPALIVE

              o  SO_REUSEADDR

              o  SO_BROADCAST

              o  TCP_NODELAY

              o  IPTOS_LOWDELAY

              o  IPTOS_THROUGHPUT

              o  SO_SNDBUF *

              o  SO_RCVBUF *

              o  SO_SNDLOWAT *

              o  SO_RCVLOWAT *

              Those marked with a '*' take an integer argument. The others can
              optionally take a 1 or 0  argument  to  enable  or  disable  the
              option,  by  default they will be enabled if you don't specify 1
              or 0.

              To specify an argument use the syntax SOME_OPTION  =  VALUE  for
              example SO_SNDBUF = 8192. Note that you must not have any spaces
              before or after the = sign.

              If you are on a local network then a sensible option might be:

              socket options = IPTOS_LOWDELAY

              If you have a local network then you could try:

              socket options = IPTOS_LOWDELAY TCP_NODELAY

              If you are on a wide  area  network  then  perhaps  try  setting
              IPTOS_THROUGHPUT.

              Note  that several of the options may cause your Samba server to
              fail completely. Use these options with caution!

              Default: socket options = TCP_NODELAY

              Example: socket options = IPTOS_LOWDELAY

       stat cache (G)
              This parameter determines if smbd(8) will use a cache  in  order
              to  speed  up  case  insensitive name mappings. You should never
              need to change this parameter.

              Default: stat cache = yes

       store dos attributes (S)
              If this parameter is set Samba no longer  attempts  to  map  DOS
              attributes  like  SYSTEM,  HIDDEN,  ARCHIVE or READ-ONLY to UNIX
              permission bits (such as the map hidden. Instead, DOS attributes
              will  be  stored onto an extended attribute in the UNIX filesys-
              tem, associated with the file or directory. For this to  operate
              correctly,  the  parameters  map hidden, map system, map archive
              must be set to off. This parameter writes the DOS attributes  as
              a  string  into  the  extended attribute named "user.DOSATTRIB".
              This extended attribute is explicitly hidden from  smbd  clients
              requesting  an  EA  list. On Linux the filesystem must have been
              mounted with the mount option user_xattr in order  for  extended
              attributes  to  work,  also extended attributes must be compiled
              into the Linux kernel.

              Default: store dos attributes = no

       strict allocate (S)
              This is a boolean that controls the handling of disk space allo-
              cation  in  the  server. When this is set to yes the server will
              change from UNIX behaviour of not committing real  disk  storage
              blocks when a file is extended to the Windows behaviour of actu-
              ally forcing the disk system to  allocate  real  storage  blocks
              when  a  file is created or extended to be a given size. In UNIX
              terminology this means that  Samba  will  stop  creating  sparse
              files. This can be slow on some systems.

              When  strict  allocate  is  no the server does sparse disk block
              allocation when a file is extended.

              Setting this to yes can help Samba return out of quota  messages
              on systems that are restricting the disk quota of users.

              Default: strict allocate = no

       strict locking (S)
              This  is a boolean that controls the handling of file locking in
              the server. When this is set to yes, the server will check every
              read  and  write access for file locks, and deny access if locks
              exist. This can be slow on some systems.

              When strict locking is disabled, the server performs  file  lock
              checks only when the client explicitly asks for them.

              Well-behaved  clients  always  ask  for  lock  checks when it is
              important. So in the vast majority of cases, strict locking = no
              is acceptable.

              Default: strict locking = yes

       strict sync (S)
              Many  Windows  applications  (including  the Windows 98 explorer
              shell) seem to confuse flushing buffer  contents  to  disk  with
              doing a sync to disk. Under UNIX, a sync call forces the process
              to be suspended until the kernel has ensured that all  outstand-
              ing data in kernel disk buffers has been safely stored onto sta-
              ble storage. This is very slow and should only be  done  rarely.
              Setting  this  parameter  to no (the default) means that smbd(8)
              ignores the Windows applications requests for a sync call. There
              is  only  a  possibility  of losing data if the operating system
              itself that Samba is running on crashes, so there is little dan-
              ger  in  this default setting. In addition, this fixes many per-
              formance problems that people have reported with  the  new  Win-
              dows98 explorer shell file copies.

              Default: strict sync = no

       sync always (S)
              This  is  a  boolean parameter that controls whether writes will
              always be written  to  stable  storage  before  the  write  call
              returns.  If  this  is  no then the server will be guided by the
              client's request in each write call (clients can set a bit indi-
              cating  that  a particular write should be synchronous). If this
              is yes then every write will be followed by a fsync()   call  to
              ensure  the  data  is written to disk. Note that the strict sync
              parameter must be set to yes in order for this parameter to have
              any affect.

              Default: sync always = no

       syslog (G)
              This parameter maps how Samba debug messages are logged onto the
              system syslog logging levels. Samba debug level zero  maps  onto
              syslog  LOG_ERR,  debug  level  one maps onto LOG_WARNING, debug
              level two maps onto LOG_NOTICE,  debug  level  three  maps  onto
              LOG_INFO. All higher levels are mapped to  LOG_DEBUG.

              This  parameter  sets the threshold for sending messages to sys-
              log. Only messages with debug level less than this value will be
              sent to syslog.

              Default: syslog = 1

       syslog only (G)
              If  this  parameter  is set then Samba debug messages are logged
              into the system syslog only, and not to the debug log files.

              Default: syslog only = no

       template homedir (G)
              When filling out the user information for a Windows NT user, the
              winbindd(8)  daemon  uses  this  parameter  to  fill in the home
              directory for that user. If the string %D is present it is  sub-
              stituted  with  the user's Windows NT domain name. If the string
              %U is present it is substituted with the user's Windows NT  user
              name.

              Default: template homedir = /home/%D/%U

       template shell (G)
              When filling out the user information for a Windows NT user, the
              winbindd(8) daemon uses this parameter  to  fill  in  the  login
              shell for that user.

              No default

       time offset (G)
              This  parameter is a setting in minutes to add to the normal GMT
              to local time conversion. This is useful if you  are  serving  a
              lot of PCs that have incorrect daylight saving time handling.

              Default: time offset = 0

              Example: time offset = 60

       time server (G)
              This parameter determines if nmbd(8) advertises itself as a time
              server to Windows clients.

              Default: time server = no

       unix charset (G)
              Specifies the charset the unix machine Samba runs on uses. Samba
              needs  to  know  this in order to be able to convert text to the
              charsets other SMB clients use.

              This is also the charset Samba will use  when  specifying  argu-
              ments to scripts that it invokes.

              Default: unix charset = UTF8

              Example: unix charset = ASCII

       unix extensions (G)
              This boolean parameter controls whether Samba implments the CIFS
              UNIX extensions, as defined by HP. These extensions enable Samba
              to better serve UNIX CIFS clients by supporting features such as
              symbolic links, hard links, etc... These  extensions  require  a
              similarly  enabled  client, and are of no current use to Windows
              clients.

              Default: unix extensions = yes

       unix password sync (G)
              This boolean parameter controls whether Samba attempts  to  syn-
              chronize  the  UNIX  password  with  the  SMB  password when the
              encrypted SMB password in the smbpasswd file is changed. If this
              is set to yes the program specified in the passwd programparame-
              ter is called AS ROOT - to allow the new UNIX password to be set
              without  access  to  the  old UNIX password (as the SMB password
              change code has no access to the old  password  cleartext,  only
              the new).

              Default: unix password sync = no

       update encrypted (G)
              This boolean parameter allows a user logging on with a plaintext
              password to have their encrypted (hashed) password in  the  smb-
              passwd  file  to  be  updated automatically as they log on. This
              option allows a site to migrate from plaintext password  authen-
              tication  (users  authenticate  with plaintext password over the
              wire, and  are  checked  against  a  UNIX  account  atabase)  to
              encrypted  password  authentication  (the SMB challenge/response
              authentication mechanism) without forcing all users to  re-enter
              their  passwords  via  smbpasswd at the time the change is made.
              This is a  convenience  option  to  allow  the  change  over  to
              encrypted  passwords  to  be made over a longer period. Once all
              users have encrypted representations of their passwords  in  the
              smbpasswd file this parameter should be set to no.

              In  order  for  this parameter to be operative the encrypt pass-
              words parameter must be set to no. The default value of  encrypt
              passwords  =  Yes.  Note: This must be set to no for this update
              encrypted to work.

              Note that even when this parameter is set a user  authenticating
              to  smbd  must  still enter a valid password in order to connect
              correctly, and to update their hashed (smbpasswd) passwords.

              Default: update encrypted = no

       use client driver (S)
              This parameter applies only to Windows NT/2000 clients.  It  has
              no effect on Windows 95/98/ME clients. When serving a printer to
              Windows NT/2000 clients without first installing a valid printer
              driver on the Samba host, the client will be required to install
              a local printer driver. From this  point  on,  the  client  will
              treat  the  print  as  a local printer and not a network printer
              connection. This is much the same behavior that will occur  when
              disable spoolss = yes.

              The  differentiating  factor is that under normal circumstances,
              the NT/2000 client will attempt  to  open  the  network  printer
              using  MS-RPC.  The problem is that because the client considers
              the printer to be local, it will attempt to issue the OpenPrint-
              erEx()  call requesting access rights associated with the logged
              on user. If the user possesses local administator rights but not
              root  privilege  on  the  Samba host (often the case), the Open-
              PrinterEx() call will fail. The result is that the  client  will
              now display an "Access Denied; Unable to connect" message in the
              printer queue window  (even  though  jobs  may  successfully  be
              printed).

              If  this parameter is enabled for a printer, then any attempt to
              open the printer with  the  PRINTER_ACCESS_ADMINISTER  right  is
              mapped  to  PRINTER_ACCESS_USE  instead. Thus allowing the Open-
              PrinterEx() call to succeed. This parameter  MUST  not  be  able
              enabled  on a print share which has valid print driver installed
              on the Samba server.

              Default: use client driver = no

       use kerberos keytab (G)
              Specifies whether Samba should attempt to maintain service prin-
              cipals in the systems keytab file for host/FQDN and cifs/FQDN.

              When you are using the heimdal Kerberos libraries, you must also
              specify the following in /etc/krb5.conf:

              [libdefaults]
                default_keytab_name = FILE:/etc/krb5.keytab
              Default: use kerberos keytab = False

       use mmap (G)
              This global parameter determines if the tdb internals  of  Samba
              can  depend  on  mmap  working  correctly on the running system.
              Samba requires a coherent mmap/read-write system  memory  cache.
              Currently  only HPUX does not have such a coherent cache, and so
              this parameter is set to no by default on  HPUX.  On  all  other
              systems  this  parameter should be left alone. This parameter is
              provided to help the Samba developers track down  problems  with
              the tdb internal code.

              Default: use mmap = yes

       user   This parameter is a synonym for username.

       users  This parameter is a synonym for username.

       username (S)
              Multiple  users  may  be specified in a comma-delimited list, in
              which case the supplied password will  be  tested  against  each
              username in turn (left to right).

              The username line is needed only when the PC is unable to supply
              its own username. This is the case for the COREPLUS protocol  or
              where  your  users  have  different WfWg usernames to UNIX user-
              names. In both these cases you may  also  be  better  using  the
              \\server\share%user syntax instead.

              The  username  line  is not a great solution in many cases as it
              means Samba will try to validate the supplied  password  against
              each of the usernames in the username line in turn. This is slow
              and a bad idea for lots of users in case of duplicate passwords.
              You  may  get timeouts or security breaches using this parameter
              unwisely.

              Samba relies on the underlying  UNIX  security.  This  parameter
              does  not  restrict  who  can login, it just offers hints to the
              Samba server as to what usernames might correspond to  the  sup-
              plied  password. Users can login as whoever they please and they
              will be able to do no more damage than if they started a  telnet
              session.  The  daemon  runs  as the user that they log in as, so
              they cannot do anything that user cannot do.

              To restrict a service to a particular set of users you  can  use
              the valid users parameter.

              If  any  of the usernames begin with a '@' then the name will be
              looked up first in the NIS netgroups list (if Samba is  compiled
              with  netgroup support), followed by a lookup in the UNIX groups
              database and will expand to a list of all users in the group  of
              that name.

              If  any  of the usernames begin with a '+' then the name will be
              looked up only in the UNIX groups database and will expand to  a
              list of all users in the group of that name.

              If  any  of the usernames begin with a '&' then the name will be
              looked up only in the NIS netgroups database (if Samba  is  com-
              piled  with  netgroup  support) and will expand to a list of all
              users in the netgroup group of that name.

              Note that searching though a groups database can take quite some
              time, and some clients may time out during the search.

              See the section NOTE ABOUT USERNAME/PASSWORD VALIDATION for more
              information on how this parameter determines access to the  ser-
              vices.

              Default: username = # The guest account if a guest service, else
              <empty string>.

              Example: username = fred, mary, jack, jane, @users, @pcgroup

       username level (G)
              This option helps Samba to try and  'guess'  at  the  real  UNIX
              username, as many DOS clients send an all-uppercase username. By
              default Samba tries all lowercase, followed by the username with
              the  first  letter capitalized, and fails if the username is not
              found on the UNIX machine.

              If this parameter is set to non-zero the behavior changes.  This
              parameter  is  a  number  that specifies the number of uppercase
              combinations to try while trying  to  determine  the  UNIX  user
              name. The higher the number the more combinations will be tried,
              but the slower the discovery of  usernames  will  be.  Use  this
              parameter  when you have strange usernames on your UNIX machine,
              such as AstrangeUser .

              This parameter is needed only on UNIX  systems  that  have  case
              sensitive usernames.

              Default: username level = 0

              Example: username level = 5

       username map (G)
              This option allows you to specify a file containing a mapping of
              usernames from the clients to the server. This can be  used  for
              several purposes. The most common is to map usernames that users
              use on DOS or Windows machines to those that the UNIX box  uses.
              The  other is to map multiple users to a single username so that
              they can more easily share files.

              Please note that for user or share mode security,  the  username
              map  is applied prior to validating the user credentials. Domain
              member servers (domain or ads) apply the username map after  the
              user  has  been  successfully  authenticated  by the domain con-
              troller and require fully qualified  enties  in  the  map  table
              (e.g. biddle = DOMAIN\foo).

              The  map file is parsed line by line. Each line should contain a
              single UNIX username on the left then a '=' followed by  a  list
              of  usernames  on  the right. The list of usernames on the right
              may contain names of the form @group in  which  case  they  will
              match  any  UNIX username in that group. The special client name
              '*' is a wildcard and matches any name. Each  line  of  the  map
              file may be up to 1023 characters long.

              The  file is processed on each line by taking the supplied user-
              name and comparing it with each username on the right hand  side
              of  the '=' signs. If the supplied name matches any of the names
              on the right hand side then it is replaced with the name on  the
              left. Processing then continues with the next line.

              If any line begins with a '#' or a ';' then it is ignored

              If  any  line  begins  with an '!' then the processing will stop
              after that line if a mapping was done  by  the  line.  Otherwise
              mapping  continues with every line being processed. Using '!' is
              most useful when you have a wildcard mapping line later  in  the
              file.

              For  example  to map from the name admin or administrator to the
              UNIX name  root you would use:

              root = admin administrator

              Or to map anyone in the UNIX group system to the UNIX  name  sys
              you would use:

              sys = @system

              You  can  have  as  many  mappings as you like in a username map
              file.

              If your system supports the NIS NETGROUP option  then  the  net-
              group  database  is  checked before the /etc/group  database for
              matching groups.

              You can map Windows usernames that have spaces in them by  using
              double quotes around the name. For example:

              tridge = "Andrew Tridgell"

              would  map  the  windows  username "Andrew Tridgell" to the unix
              username "tridge".

              The following example would map mary and fred to the  unix  user
              sys,  and map the rest to guest. Note the use of the '!' to tell
              Samba to stop processing if it gets a match on that line.

              !sys = mary fred
              guest = *

              Note that the remapping is applied to all occurrences  of  user-
              names.  Thus  if  you  connect  to  \\server\fred  and   fred is
              remapped to  mary  then  you  will  actually  be  connecting  to
              \\server\mary  and  will  need to supply a password suitable for
              mary not fred. The only exception to this is the username passed
              to  the  password  server (if you have one). The password server
              will receive whatever username the client supplies without modi-
              fication.

              Also  note that no reverse mapping is done. The main effect this
              has is with printing. Users who have been mapped may have  trou-
              ble  deleting  print  jobs as PrintManager under WfWg will think
              they don't own the print job.

              Samba versions prior to 3.0.8 would  only  support  reading  the
              fully  qualified  username (e.g.: DOMAIN\user) from the username
              map when performing a kerberos login  from  a  client.  However,
              when  looking  up  a  map  entry  for  a  user  authenticated by
              NTLM[SSP], only the login name would be used for  matches.  This
              resulted  in  inconsistent  behavior  sometimes even on the same
              server.

              The following functionality  is  obeyed  in  version  3.0.8  and
              later:

              When  performing  local  authentication,  the  username  map  is
              applied to the login name before attempting to authenticate  the
              connection.

              When  relying  upon  a external domain controller for validating
              authentication requests, smbd will apply the username map to the
              fully  qualified username (i.e. DOMAIN\user) only after the user
              has been successfully authenticated.

              An example of use is:

              username map = /usr/local/samba/lib/users.map

              Default: username map = # no username map

       username map script (G)
              This script is a mutually exclusive alternative  to  theusername
              map  parameter. This parameter specifies and external program or
              script that must accept a single command line option (the  user-
              name  transmitted  in  the  authentication request) and return a
              line line on standard output (the  name  to  which  the  account
              should  mapped).  In  this way, it is possible to store username
              map tables in an LDAP or NIS directory services.

              Default: username map script =

              Example: username map script = /etc/samba/scripts/mapusers.sh

       use sendfile (S)
              If this parameter is yes, and the sendfile() system call is sup-
              ported  by  the  underlying operating system, then some SMB read
              calls (mainly ReadAndX and ReadRaw) will use the more  efficient
              sendfile  system  call  for files that are exclusively oplocked.
              This may make more efficient use of the system CPU's  and  cause
              Samba  to  be  faster.  Samba  automatically  turns this off for
              clients that use protocol levels lower than NT LM 0.12 and  when
              it  detects  a  client  is Windows 9x (using sendfile from Linux
              will cause these clients to fail).

              Default: use sendfile = yes

       use spnego (G)
              This variable controls controls whether samba will  try  to  use
              Simple  and Protected NEGOciation (as specified by rfc2478) with
              WindowsXP and Windows2000 clients to agree upon  an  authentica-
              tion mechanism.

              Unless further issues are discovered with our SPNEGO implementa-
              tion, there is no reason this should ever be disabled.

              Default: use spnego = yes

       utmp (G)
              This boolean parameter is only available if Samba has been  con-
              figured and compiled with the option  --with-utmp. If set to yes
              then Samba will attempt to add utmp or utmpx records  (depending
              on  the  UNIX  system)  whenever a connection is made to a Samba
              server. Sites may use this to record the user  connecting  to  a
              Samba share.

              Due  to  the requirements of the utmp record, we are required to
              create a unique identifier for the incoming user. Enabling  this
              option  creates  an  n^2 algorithm to find this number. This may
              impede performance on large installations.

              Default: utmp = no

       utmp directory (G)
              This parameter is only available if Samba  has  been  configured
              and compiled with the option  --with-utmp. It specifies a direc-
              tory pathname that is used to store  the  utmp  or  utmpx  files
              (depending on the UNIX system) that record user connections to a
              Samba server. By default this is not  set,  meaning  the  system
              will  use  whatever  utmp  file  the native system is set to use
              (usually/var/run/utmp on Linux).

              Default: utmp directory = # Determined automatically

              Example: utmp directory = /var/run/utmp

       -valid (S)
              This parameter indicates whether a share is valid and  thus  can
              be  used. When this parameter is set to false, the share will be
              in no way visible nor accessible.

              This option should not be used by regular users but might be  of
              help  to  developers.  Samba uses this option internally to mark
              shares as deleted.

              Default: -valid = yes

       valid users (S)
              This is a list of users that should be allowed to login to  this
              service.  Names  starting  with '@', '+' and '&' are interpreted
              using the same rules as described in the invalid  users  parame-
              ter.

              If  this  is  empty  (the default) then any user can login. If a
              username is in both this list and the invalid  users  list  then
              access is denied for that user.

              The  current  servicename is substituted for %S . This is useful
              in the [homes] section.

              Default: valid users = # No valid users list (anyone can login)

              Example: valid users = greg, @pcusers

       veto files (S)
              This is a list of files and directories that are neither visible
              nor  accessible.  Each  entry in the list must be separated by a
              '/', which allows spaces to be included in the  entry.  '*'  and
              '?'  can  be used to specify multiple files or directories as in
              DOS wildcards.

              Each entry must be a unix path, not a  DOS  path  and  must  not
              include the unix directory separator '/'.

              Note  that  the  case  sensitive option is applicable in vetoing
              files.

              One feature of the veto files parameter that it is important  to
              be  aware of is Samba's behaviour when trying to delete a direc-
              tory. If a directory that is to be deleted contains nothing  but
              veto  files  this  deletion  will  fail  unless you also set the
              delete veto files parameter toyes.

              Setting this parameter will affect the performance of Samba,  as
              it will be forced to check all files and directories for a match
              as they are scanned.

              Examples of use include:

              ; Veto any files containing the word Security,
              ; any ending in .tmp, and any directory containing the
              ; word root.
              veto files = /*Security*/*.tmp/*root*/

              ; Veto the Apple specific files that a NetAtalk server
              ; creates.
              veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/

              Default: veto files = No files or directories are vetoed.

       veto oplock files (S)
              This parameter is only valid when theoplocks parameter is turned
              on for a share. It allows the Samba administrator to selectively
              turn off the granting of oplocks on selected files that match  a
              wildcarded  list, similar to the wildcarded list used in theveto
              files parameter.

              You might want to do this on files that you know will be heavily
              contended  for by clients. A good example of this is in the Net-
              Bench SMB benchmark program,  which  causes  heavy  client  con-
              tention  for  files  ending in .SEM. To cause Samba not to grant
              oplocks on these files you would use the  line  (either  in  the
              [global]  section  or in the section for the particular NetBench
              share :

              An example of use is:

              veto oplock files = /.*SEM/

              Default: veto oplock files = # No files are  vetoed  for  oplock
              grants

       vfs object
              This parameter is a synonym for vfs objects.

       vfs objects (S)
              This  parameter  specifies  the backend names which are used for
              Samba VFS I/O operations. By default, normal disk I/O operations
              are  used  but  these  can  be  overloaded  with one or more VFS
              objects.

              Default: vfs objects =

              Example: vfs objects = extd_audit recycle

       volume (S)
              This allows you to override the  volume  label  returned  for  a
              share.  Useful for CDROMs with installation programs that insist
              on a particular volume label.

              Default: volume = # the name of the share

       wide links (S)
              This parameter controls whether or not links in  the  UNIX  file
              system  may be followed by the server. Links that point to areas
              within the directory tree exported  by  the  server  are  always
              allowed;  this  parameter controls access only to areas that are
              outside the directory tree being exported.

              Note that setting this parameter can have a negative  effect  on
              your server performance due to the extra system calls that Samba
              has to do in order to perform the link checks.

              Default: wide links = yes

       winbind cache time (G)
              This parameter specifies the number of seconds  the  winbindd(8)
              daemon  will  cache user and group information before querying a
              Windows NT server again.

              Note

              This does not apply to authentication requests, these are always
              evaluated in real time.

       Default: winbind cache time = 300

       winbind enum groups (G)
              On  large installations using winbindd(8) it may be necessary to
              suppress the enumeration of groups through  the  setgrent(),get-
              grent() andendgrent() group of system calls. If the winbind enum
              groups parameter isno, calls to the getgrent() system call  will
              not return any data.

              Warning

              Turning  off group enumeration may cause some programs to behave
              oddly.

       Default: winbind enum groups = yes

       winbind enum users (G)
              On large installations using winbindd(8) it may be necessary  to
              suppress  the  enumeration of users through the setpwent(),getp-
              went() andendpwent() group of system calls. If the winbind  enum
              users parameter isno, calls to the getpwent system call will not
              return any data.

              Warning

              Turning off user enumeration may cause some programs  to  behave
              oddly.  For  example, the finger program relies on having access
              to the full user list when searching for matching usernames.

       Default: winbind enum users = yes

       winbind nested groups (G)
              If set to yes, this parameter activates the support  for  nested
              groups.  Nested  groups are also called local groups or aliases.
              They work like their counterparts in Windows: Nested groups  are
              defined  locally  on  any  machine (they are shared between DC's
              through their SAM) and can contain users and global groups  from
              any  trusted  SAM.  To be able to use nested groups, you need to
              run nss_winbind.

              Please note that per 3.0.3 this is a new feature, so handle with
              care.

              Default: winbind nested groups = no

       winbind separator (G)
              This parameter allows an admin to define the character used when
              listing a username of the form of DOMAIN \user.  This  parameter
              is  only  applicable  when using the pam_winbind.so and nss_win-
              bind.so modules for UNIX services.

              Please note that setting this parameter  to  +  causes  problems
              with  group membership at least on glibc systems, as the charac-
              ter + is used as a special character for NIS in /etc/group.

              Default: winbind separator = '\'

              Example: winbind separator = +

       winbind trusted domains only (G)
              This parameter is designed to allow Samba servers that are  mem-
              bers  of a Samba controlled domain to use UNIX accounts distrib-
              uted via NIS, rsync, or LDAP as the uid's for winbindd users  in
              the hosts primary domain. Therefore, the user DOMAIN\user1 would
              be mapped to the account user1 in /etc/passwd instead  of  allo-
              cating a new uid for him or her.

              Default: winbind trusted domains only = no

       winbind use default domain (G)
              This  parameter  specifies  whether thewinbindd(8) daemon should
              operate on users without domain  component  in  their  username.
              Users  without  a domain component are treated as is part of the
              winbindd server's own domain. While this does not  benifit  Win-
              dows  users, it makes SSH, FTP and e-mail function in a way much
              closer to the way they would in a native unix system.

              Default: winbind use default domain = no

              Example: winbind use default domain = yes

       wins hook (G)
              When Samba is running as a WINS server this allows you  to  call
              an  external  program  for all changes to the WINS database. The
              primary use for this option is to allow the  dynamic  update  of
              external name resolution databases such as dynamic DNS.

              The  wins  hook parameter specifies the name of a script or exe-
              cutable that will be called as follows:

              wins_hook operation name nametype ttl IP_list

              o  The first argument is the operation  and  is  one  of  "add",
                 "delete",  or  "refresh".  In most cases the operation can be
                 ignored as the rest  of  the  parameters  provide  sufficient
                 information. Note that "refresh" may sometimes be called when
                 the name has not previously  been  added,  in  that  case  it
                 should be treated as an add.

              o  The second argument is the NetBIOS name. If the name is not a
                 legal name then the wins hook is not called. Legal names con-
                 tain  only letters, digits, hyphens, underscores and periods.

              o  The third argument is the NetBIOS name  type  as  a  2  digit
                 hexadecimal number.

              o  The fourth argument is the TTL (time to live) for the name in
                 seconds.

              o  The fifth and subsequent arguments are the IP addresses  cur-
                 rently  registered  for that name. If this list is empty then
                 the name should be deleted.

              An example script that calls the BIND dynamic DNS update program
              nsupdate  is  provided  in  the  examples directory of the Samba
              source code.

              No default

       wins proxy (G)
              This is a boolean that  controls  if  nmbd(8)  will  respond  to
              broadcast name queries on behalf of other hosts. You may need to
              set this to yes for some older clients.

              Default: wins proxy = no

       wins server (G)
              This specifies the IP address (or DNS name: IP address for pref-
              erence) of the WINS server that nmbd(8) should register with. If
              you have a WINS server on your network then you should set  this
              to the WINS server's IP.

              You  should  point  this  at  your  WINS  server  if  you have a
              multi-subnetted network.

              If you want to work in multiple namespaces, you can  give  every
              wins  server  a  'tag'.  For each tag, only one (working) server
              will be queried for a name. The tag should be separated from the
              ip address by a colon.

              Note

              You  need  to set up Samba to point to a WINS server if you have
              multiple subnets and wish cross-subnet  browsing  to  work  cor-
              rectly.

       See the ???.

       Default: wins server =

       Example:    wins    server    =   mary:192.9.200.1   fred:192.168.3.199
       mary:192.168.2.61 # For this example  when  querying  a  certain  name,
       192.19.200.1   will   be  asked  first  and  if  that  doesn't  respond
       192.168.2.61. If either of those doesn't know  the  name  192.168.3.199
       will be queried.

       Example: wins server = 192.9.200.1 192.168.2.61

       wins support (G)
              This  boolean  controls if the nmbd(8) process in Samba will act
              as a WINS server. You should not set this to yes unless you have
              a  multi-subnetted  network and you wish a particular nmbd to be
              your WINS server. Note that you should NEVER set this to yes  on
              more than one machine in your network.

              Default: wins support = no

       workgroup (G)
              This  controls  what  workgroup your server will appear to be in
              when queried by clients. Note that this parameter also  controls
              the Domain name used with the security = domain setting.

              Default: workgroup = WORKGROUP

              Example: workgroup = MYGROUP

       writable
              This parameter is a synonym for writeable.

       writeable (S)
              Inverted synonym for read only.

              No default

       write cache size (S)
              If  this  integer parameter is set to non-zero value, Samba will
              create an in-memory cache for each oplocked file (it does not do
              this  for  non-oplocked  files). All writes that the client does
              not request to be flushed directly to disk  will  be  stored  in
              this  cache  if  possible. The cache is flushed onto disk when a
              write comes in whose offset would not fit into the cache or when
              the  file  is  closed by the client. Reads for the file are also
              served from this cache if the data is stored within it.

              This cache allows Samba to batch client writes into a more effi-
              cient  write size for RAID disks (i.e. writes may be tuned to be
              the RAID stripe size) and can  improve  performance  on  systems
              where  the disk subsystem is a bottleneck but there is free mem-
              ory for userspace programs.

              The integer parameter specifies the  size  of  this  cache  (per
              oplocked file) in bytes.

              Default: write cache size = 0

              Example:  write  cache size = 262144 # for a 256k cache size per
              file

       write list (S)
              This is a list of users that are given read-write  access  to  a
              service.  If  the connecting user is in this list then they will
              be given write access, no matter what the read  only  option  is
              set  to.  The list can include group names using the @group syn-
              tax.

              Note that if a user is in both the read list and the write  list
              then they will be given write access.

              This  parameter will not work with the security = share in Samba
              3.0. This is by design.

              Default: write list =

              Example: write list = admin, root, @staff

       write raw (G)
              This parameter controls whether or not the server  will  support
              raw  write SMB's when transferring data from clients. You should
              never need to change this parameter.

              Default: write raw = yes

       wtmp directory (G)
              This parameter is only available if Samba  has  been  configured
              and compiled with the option  --with-utmp. It specifies a direc-
              tory pathname that is used to store  the  wtmp  or  wtmpx  files
              (depending on the UNIX system) that record user connections to a
              Samba server. The difference with the utmp directory is the fact
              that user info is kept after a user has logged out.

              By default this is not set, meaning the system will use whatever
              utmp file the native system is set to use  (usually/var/run/wtmp
              on Linux).

              Default: wtmp directory =

              Example: wtmp directory = /var/log/wtmp


WARNINGS

       Although  the  configuration file permits service names to contain spa-
       ces, your client software may not. Spaces will be  ignored  in  compar-
       isons anyway, so it shouldn't be a problem - but be aware of the possi-
       bility.

       On a similar note, many clients - especially DOS clients -  limit  ser-
       vice  names  to  eight  characters.smbd(8)  has no such limitation, but
       attempts to connect from such clients will fail if  they  truncate  the
       service  names.  For  this reason you should probably keep your service
       names down to eight characters in length.

       Use of the [homes] and [printers] special sections  make  life  for  an
       administrator  easy, but the various combinations of default attributes
       can be tricky. Take extreme care when designing these sections. In par-
       ticular,  ensure that the permissions on spool directories are correct.


VERSION

       This man page is correct for version 3.0 of the Samba suite.


SEE ALSO

       samba(7),  smbpasswd(8),  swat(8),  smbd(8),   nmbd(8),   smbclient(1),
       nmblookup(1), testparm(1), testprns(1).


AUTHOR

       The  original  Samba  software  and  related  utilities were created by
       Andrew Tridgell. Samba is now developed by the Samba Team  as  an  Open
       Source project similar to the way the Linux kernel is developed.

       The  original  Samba  man pages were written by Karl Auer. The man page
       sources were converted to YODL format (another excellent piece of  Open
       Source  software,  available  at  ftp://ftp.icce.rug.nl/pub/unix/)  and
       updated for the Samba 2.0 release by Jeremy Allison. The conversion  to
       DocBook for Samba 2.2 was done by Gerald Carter. The conversion to Doc-
       Book XML 4.2 for Samba 3.0 was done by Alexander Bokovoy.

                                                                   SMB.CONF(5)

Man(1) output converted with man2html