SMB.CONF(5) UNIX System V (14 March 2003) SMB.CONF(5)
NAME [Toc] [Back]
smb.conf - The configuration file for the Samba suite
SYNOPSIS [Toc] [Back]
The smb.conf file is a configuration file for the Samba
suite. smb.conf contains runtime configuration information
for the Samba programs. The smb.conf file is designed to be
configured and administered by the swat(8)
program. The complete description of the file format and
possible parameters held within are here for reference
purposes.
FILE FORMAT [Toc] [Back]
The file consists of sections and parameters. A section
begins with the name of the section in square brackets and
continues until the next section begins. Sections contain
parameters of the form
name = value
The file is line-based - that is, each newline-terminated
line represents either a comment, a section name or a
parameter.
Section and parameter names are not case sensitive.
Only the first equals sign in a parameter is significant.
Whitespace before or after the first equals sign is
discarded. Leading, trailing and internal whitespace in
section and parameter names is irrelevant. Leading and
trailing whitespace in a parameter value is discarded.
Internal whitespace within a parameter value is retained
verbatim.
Any line beginning with a semicolon (';') or a hash ('#')
character is ignored, as are lines containing only
whitespace.
Any line ending in a '\' is continued on the next line in
the customary UNIX fashion.
The values following the equals sign in parameters are all
either a string (no quotes needed) or a boolean, which may
be given as yes/no, 0/1 or true/false. Case is not
significant in boolean values, but is preserved in string
values. Some items such as create modes are numeric.
SECTION DESCRIPTIONS [Toc] [Back]
Each section in the configuration file (except for the
[global] section) describes a shared resource (known as a
"share"). The section name is the name of the shared
resource and the parameters within the section define the
Page 1 (printed 2/13/04)
SMB.CONF(5) UNIX System V (14 March 2003) SMB.CONF(5)
shares attributes.
There are three special sections, [global], [homes] and
[printers], which are described under special sections. The
following notes apply to ordinary section descriptions.
A share consists of a directory to which access is being
given plus a description of the access rights which are
granted to the user of the service. Some housekeeping
options are also specifiable.
Sections are either file share services (used by the client
as an extension of their native file systems) or printable
services (used by the client to access print services on the
host running the server).
Sections may be designated guest services, in which case no
password is required to access them. A specified UNIX guest
account is used to define access privileges in this case.
Sections other than guest services will require a password
to access them. The client provides the username. As older
clients only provide passwords and not usernames, you may
specify a list of usernames to check against the password
using the "user =" option in the share definition. For
modern clients such as Windows 95/98/ME/NT/2000, this should
not be necessary.
Note that the access rights granted by the server are masked
by the access rights granted to the specified or guest UNIX
user by the host system. The server does not grant more
access than the host system grants.
The following sample section defines a file space share. The
user has write access to the path /home/bar. The share is
accessed via the share name "foo":
[foo]
path = /home/bar
read only = no
The following sample section defines a printable share. The
share is readonly, but printable. That is, the only write
access permitted is via calls to open, write to and close a
spool file. The guest ok parameter means access will be
permitted as the default guest user (specified elsewhere):
[aprinter]
path = /usr/spool/public
Page 2 (printed 2/13/04)
SMB.CONF(5) UNIX System V (14 March 2003) SMB.CONF(5)
read only = yes
printable = yes
guest ok = yes
SPECIAL SECTIONS [Toc] [Back]
THE GLOBAL SECTION
parameters in this section apply to the server as a whole,
or are defaults for sections which do not specifically
define certain items. See the notes under PARAMETERS for
more information.
THE HOMES SECTION
If a section called homes is included in the configuration
file, services connecting clients to their home directories
can be created on the fly by the server.
When the connection request is made, the existing sections
are scanned. If a match is found, it is used. If no match is
found, the requested section name is treated as a user name
and looked up in the local password file. If the name exists
and the correct password has been given, a share is created
by cloning the [homes] section.
Some modifications are then made to the newly created share:
o The share name is changed from homes to the located
username.
o If no path was given, the path is set to the user's home
directory.
If you decide to use a path = line in your [homes] section
then you may find it useful to use the %S macro. For example
:
path = /data/pchome/%S
would be useful if you have different home directories for
your PCs than for UNIX access.
This is a fast and simple way to give a large number of
clients access to their home directories with a minimum of
fuss.
A similar process occurs if the requested section name is
"homes", except that the share name is not changed to that
of the requesting user. This method of using the [homes]
section works well if different users share a client PC.
Page 3 (printed 2/13/04)
SMB.CONF(5) UNIX System V (14 March 2003) SMB.CONF(5)
The [homes] section can specify all the parameters a normal
service section can specify, though some make more sense
than others. The following is a typical and suitable [homes]
section:
[homes]
read only = no
An important point is that if guest access is specified in
the [homes] section, all home directories will be visible to
all clients without a password. In the very unlikely event
that this is actually desirable, it would be wise to also
specify read only access.
Note that the browseable flag for auto home directories will
be inherited from the global browseable flag, not the
[homes] browseable flag. This is useful as it means setting
browseable = no in the [homes] section will hide the [homes]
share but make any auto home directories visible.
THE PRINTERS SECTION
This section works like [homes], but for printers.
If a [printers] section occurs in the configuration file,
users are able to connect to any printer specified in the
local host's printcap file.
When a connection request is made, the existing sections are
scanned. If a match is found, it is used. If no match is
found, but a [homes] section exists, it is used as described
above. Otherwise, the requested section name is treated as a
printer name and the appropriate printcap file is scanned to
see if the requested section name is a valid printer share
name. If a match is found, a new printer share is created by
cloning the [printers] section.
A few modifications are then made to the newly created
share:
o The share name is set to the located printer name
o If no printer name was given, the printer name is set to
the located printer name
o If the share does not permit guest access and no username
was given, the username is set to the located printer
name.
Note that the [printers] service MUST be printable - if you
Page 4 (printed 2/13/04)
SMB.CONF(5) UNIX System V (14 March 2003) SMB.CONF(5)
specify otherwise, the server will refuse to load the
configuration file.
Typically the path specified would be that of a worldwriteable
spool directory with the sticky bit set on it. A
typical [printers] entry would look like this:
[printers]
path = /usr/spool/public
guest ok = yes
printable = yes
All aliases given for a printer in the printcap file are
legitimate printer names as far as the server is concerned.
If your printing subsystem doesn't work like that, you will
have to set up a pseudo-printcap. This is a file consisting
of one or more lines like this:
alias|alias|alias|alias...
Each alias should be an acceptable printer name for your
printing subsystem. In the [global] section, specify the new
file as your printcap. The server will then only recognize
names found in your pseudo-printcap, which of course can
contain whatever aliases you like. The same technique could
be used simply to limit access to a subset of your local
printers.
An alias, by the way, is defined as any component of the
first entry of a printcap record. Records are separated by
newlines, components (if there are more than one) are
separated by vertical bar symbols ('|').
NOTE: On SYSV systems which use lpstat to determine what
printers are defined on the system you may be able to use
"printcap name = lpstat" to automatically obtain a list of
printers. See the "printcap name" option for more details.
PARAMETERS [Toc] [Back]
parameters define the specific attributes of sections.
Some parameters are specific to the [global] section (e.g.,
security). Some parameters are usable in all sections (e.g.,
create mode). All others are permissible only in normal
sections. For the purposes of the following descriptions the
[homes] and [printers] sections will be considered normal.
The letter G in parentheses indicates that a parameter is
Page 5 (printed 2/13/04)
SMB.CONF(5) UNIX System V (14 March 2003) SMB.CONF(5)
specific to the [global] section. The letter S indicates
that a parameter can be specified in a service specific
section. Note that all S parameters can also be specified in
the [global] section - in which case they will define the
default behavior for all services.
parameters are arranged here in alphabetical order - this
may not create best bedfellows, but at least you can find
them! Where there are synonyms, the preferred synonym is
described, others refer to the preferred synonym.
VARIABLE SUBSTITUTIONS [Toc] [Back]
Many of the strings that are settable in the config file can
take substitutions. For example the option "path = /tmp/%u"
would be interpreted as "path = /tmp/john" if the user
connected with the username john.
These substitutions are mostly noted in the descriptions
below, but there are some general substitutions which apply
whenever they might be relevant. These are:
%S the name of the current service, if any.
%P the root directory of the current service, if any.
%u user name of the current service, if any.
%g primary group name of %u.
%U session user name (the user name that the client
wanted, not necessarily the same as the one they got).
%G primary group name of %U.
%H the home directory of the user given by %u.
%v the Samba version.
%h the Internet hostname that Samba is running on.
%m the NetBIOS name of the client machine (very useful).
%L the NetBIOS name of the server. This allows you to
change your config based on what the client calls you.
Your server can have a "dual personality".
Note that this paramater is not available when Samba
listens on port 445, as clients no longer send this
information
%M the Internet name of the client machine.
Page 6 (printed 2/13/04)
SMB.CONF(5) UNIX System V (14 March 2003) SMB.CONF(5)
%N the name of your NIS home directory server. This is
obtained from your NIS auto.map entry. If you have not
compiled Samba with the --with-automount option then
this value will be the same as %L.
%p the path of the service's home directory, obtained from
your NIS auto.map entry. The NIS auto.map entry is
split up as "%N:%p".
%R the selected protocol level after protocol negotiation.
It can be one of CORE, COREPLUS, LANMAN1, LANMAN2 or
NT1.
%d The process id of the current server process.
%a the architecture of the remote machine. Only some are
recognized, and those may not be 100% reliable. It
currently recognizes Samba, WfWg, Win95, WinNT and
Win2k. Anything else will be known as "UNKNOWN". If it
gets it wrong then sending a level 3 log to
samba@samba.org
<URL:samba@samba.org> should allow it to be
fixed.
%I The IP address of the client machine.
%T the current date and time.
%$(envvar)
The value of the environment variable envar.
There are some quite creative things that can be done with
these substitutions and other smb.conf options.
NAME MANGLING [Toc] [Back]
Samba supports "name mangling" so that DOS and Windows
clients can use files that don't conform to the 8.3 format.
It can also be set to adjust the case of 8.3 format
filenames.
There are several options that control the way mangling is
performed, and they are grouped here rather than listed
separately. For the defaults look at the output of the
testparm program.
All of these options can be set separately for each service
(or globally, of course).
The options are:
mangling method
controls the algorithm used for the generating the
Page 7 (printed 2/13/04)
SMB.CONF(5) UNIX System V (14 March 2003) SMB.CONF(5)
mangled names. Can take two different values, "hash"
and "hash2". "hash" is the default and is the algorithm
that has been used in Samba for many years. "hash2" is
a newer and considered a better algorithm (generates
less collisions) in the names. However, many Win32
applications store the mangled names and so changing to
the new algorithm must not be done lightly as these
applications may break unless reinstalled. New
installations of Samba may set the default to hash2.
Default hash.
mangle case = yes/no
controls if names that have characters that aren't of
the "default" case are mangled. For example, if this is
yes then a name like "Mail" would be mangled. Default
no.
case sensitive = yes/no
controls whether filenames are case sensitive. If they
aren't then Samba must do a filename search and match
on passed names. Default no.
default case = upper/lower
controls what the default case is for new filenames.
Default lower.
preserve case = yes/no
controls if new files are created with the case that
the client passes, or if they are forced to be the
"default" case. Default yes.
short preserve case = yes/no
controls if new files which conform to 8.3 syntax, that
is all in upper case and of suitable length, are
created upper case, or if they are forced to be the
"default" case. This option can be use with "preserve
case = yes" to permit long filenames to retain their
case, while short names are lowercased. Default yes.
By default, Samba 2.2 has the same semantics as a Windows NT
server, in that it is case insensitive but case preserving.
NOTE ABOUT USERNAME/PASSWORD VALIDATION
There are a number of ways in which a user can connect to a
service. The server uses the following steps in determining
if it will allow a connection to a specified service. If all
the steps fail, then the connection request is rejected.
However, if one of the steps succeeds, then the following
steps are not checked.
If the service is marked "guest only = yes" and the server
is running with share-level security ("security = share")
Page 8 (printed 2/13/04)
SMB.CONF(5) UNIX System V (14 March 2003) SMB.CONF(5)
then steps 1 to 5 are skipped.
1. If the client has passed a username/password pair and
that username/password pair is validated by the UNIX
system's password programs then the connection is made
as that username. Note that this includes the
\\server\service%username method of passing a username.
2. If the client has previously registered a username with
the system and now supplies a correct password for that
username then the connection is allowed.
3. The client's NetBIOS name and any previously used user
names are checked against the supplied password, if
they match then the connection is allowed as the
corresponding user.
4. If the client has previously validated a
username/password pair with the server and the client
has passed the validation token then that username is
used.
5. If a "user = " field is given in the smb.conf file for
the service and the client has supplied a password, and
that password matches (according to the UNIX system's
password checking) with one of the usernames from the
"user =" field then the connection is made as the
username in the "user =" line. If one of the username
in the "user =" list begins with a '@' then that name
expands to a list of names in the group of the same
name.
6. If the service is a guest service then a connection is
made as the username given in the "guest account =" for
the service, irrespective of the supplied password.
COMPLETE LIST OF GLOBAL PARAMETERS [Toc] [Back]
Here is a list of all global parameters. See the section of
each parameter for details. Note that some are synonyms.
o acl compatibility
o add printer command
o add share command
o add user script
o allow trusted domains
o announce as
Page 9 (printed 2/13/04)
SMB.CONF(5) UNIX System V (14 March 2003) SMB.CONF(5)
o announce version
o auto services
o bind interfaces only
o browse list
o change notify timeout
o change share command
o character set
o client code page
o code page directory
o coding system
o config file
o deadtime
o debug hires timestamp
o debug pid
o debug timestamp
o debug uid
o debuglevel
o default
o default service
o delete printer command
o delete share command
o delete user script
o dfree command
o disable spoolss
o dns proxy
o domain admin group
Page 10 (printed 2/13/04)
SMB.CONF(5) UNIX System V (14 March 2003) SMB.CONF(5)
o domain guest group
o domain logons
o domain master
o encrypt passwords
o enhanced browsing
o enumports command
o getwd cache
o hide local users
o hide unreadable
o homedir map
o host msdfs
o hosts equiv
o interfaces
o keepalive
o kernel oplocks
o lanman auth
o large readwrite
o ldap admin dn
o ldap filter
o ldap port
o ldap server
o ldap ssl
o ldap suffix
o lm announce
o lm interval
o load printers
Page 11 (printed 2/13/04)
SMB.CONF(5) UNIX System V (14 March 2003) SMB.CONF(5)
o local master
o lock dir
o lock directory
o lock spin count
o lock spin time
o pid directory
o log file
o log level
o logon drive
o logon home
o logon path
o logon script
o lpq cache time
o machine password timeout
o mangled stack
o mangling method
o map to guest
o max disk size
o max log size
o max mux
o max open files
o max protocol
o max smbd processes
o max ttl
o max wins ttl
o max xmit
Page 12 (printed 2/13/04)
SMB.CONF(5) UNIX System V (14 March 2003) SMB.CONF(5)
o message command
o min passwd length
o min password length
o min protocol
o min wins ttl
o name resolve order
o netbios aliases
o netbios name
o netbios scope
o nis homedir
o nt pipe support
o nt smb support
o nt status support
o null passwords
o obey pam restrictions
o oplock break wait time
o os level
o os2 driver map
o pam password change
o panic action
o passwd chat
o passwd chat debug
o passwd program
o password level
o password server
o prefered master
Page 13 (printed 2/13/04)
SMB.CONF(5) UNIX System V (14 March 2003) SMB.CONF(5)
o preferred master
o preload
o printcap
o printcap name
o printer driver file
o protocol
o read bmpx
o read raw
o read size
o remote announce
o remote browse sync
o restrict anonymous
o root
o root dir
o root directory
o security
o server string
o show add printer wizard
o smb passwd file
o socket address
o socket options
o source environment
o ssl
o ssl CA certDir
o ssl CA certFile
o ssl ciphers
Page 14 (printed 2/13/04)
SMB.CONF(5) UNIX System V (14 March 2003) SMB.CONF(5)
o ssl client cert
o ssl client key
o ssl compatibility
o ssl egd socket
o ssl entropy bytes
o ssl entropy file
o ssl hosts
o ssl hosts resign
o ssl require clientcert
o ssl require servercert
o ssl server cert
o ssl server key
o ssl version
o stat cache
o stat cache size
o strip dot
o syslog
o syslog only
o template homedir
o template shell
o time offset
o time server
o timestamp logs
o total print jobs
o unix extensions
o unix password sync
Page 15 (printed 2/13/04)
SMB.CONF(5) UNIX System V (14 March 2003) SMB.CONF(5)
o update encrypted
o use mmap
o use rhosts
o username level
o username map
o utmp
o utmp directory
o valid chars
o winbind cache time
o winbind enum users
o winbind enum groups
o winbind gid
o winbind separator
o winbind uid
o winbind use default domain
o wins hook
o wins proxy
o wins server
o wins support
o workgroup
o write raw
COMPLETE LIST OF SERVICE PARAMETERS [Toc] [Back]
Here is a list of all service parameters. See the section on
each parameter for details. Note that some are synonyms.
o admin users
o allow hosts
o available
Page 16 (printed 2/13/04)
SMB.CONF(5) UNIX System V (14 March 2003) SMB.CONF(5)
o blocking locks
o block size
o browsable
o browseable
o case sensitive
o casesignames
o comment
o copy
o create mask
o create mode
o csc policy
o default case
o default devmode
o delete readonly
o delete veto files
o deny hosts
o directory
o directory mask
o directory mode
o directory security mask
o dont descend
o dos filemode
o dos filetime resolution
o dos filetimes
o exec
o fake directory create times
Page 17 (printed 2/13/04)
SMB.CONF(5) UNIX System V (14 March 2003) SMB.CONF(5)
o fake oplocks
o follow symlinks
o force create mode
o force directory mode
o force directory security mode
o force group
o force security mode
o force unknown acl user
o force user
o fstype
o group
o guest account
o guest ok
o guest only
o hide dot files
o hide files
o hosts allow
o hosts deny
o include
o inherit acls
o inherit permissions
o invalid users
o level2 oplocks
o locking
o lppause command
o lpq command
Page 18 (printed 2/13/04)
SMB.CONF(5) UNIX System V (14 March 2003) SMB.CONF(5)
o lpresume command
o lprm command
o magic output
o magic script
o mangle case
o mangled map
o mangled names
o mangling char
o map archive
o map hidden
o map system
o max connections
o max print jobs
o min print space
o msdfs root
o nt acl support
o only guest
o only user
o oplock contention limit
o oplocks
o path
o posix locking
o postexec
o postscript
o preexec
o preexec close
Page 19 (printed 2/13/04)
SMB.CONF(5) UNIX System V (14 March 2003) SMB.CONF(5)
o preserve case
o print command
o print ok
o printable
o printer
o printer admin
o printer driver
o printer driver location
o printer name
o printing
o profile acls
o public
o queuepause command
o queueresume command
o read list
o read only
o root postexec
o root preexec
o root preexec close
o security mask
o set directory
o share modes
o short preserve case
o status
o strict allocate
o strict locking
Page 20 (printed 2/13/04)
SMB.CONF(5) UNIX System V (14 March 2003) SMB.CONF(5)
o strict sync
o sync always
o use client driver
o use sendfile
o user
o username
o users
o valid users
o veto files
o veto oplock files
o vfs object
o vfs options
o volume
o wide links
o writable
o write cache size
o write list
o write ok
o writeable
EXPLANATION OF EACH PARAMETER [Toc] [Back]
acl compatibility (G)
New in Samba 2.2.8 and above, this string parameter
tells smbd if it should modify any Windows access
control lists created from POSIX access control lists
to remove features which are not supported by Windows
2000 but not supported by the Windows NT ACL edit.
control.
By default this parameter is set automatically by
detecting the client type and is set to "true" if the
client is Windows NT.
Default: client detected
Page 21 (printed 2/13/04)
SMB.CONF(5) UNIX System V (14 March 2003) SMB.CONF(5)
Example: acl compatibility = Win2k
Example: acl compatibility = winnt
add printer command (G)
With the introduction of MS-RPC based printing support
for Windows NT/2000 clients in Samba 2.2, The MS Add
Printer Wizard (APW) icon is now also available in the
"Printers..." folder displayed a share listing. The APW
allows for printers to be add remotely to a Samba or
Windows NT/2000 print server.
For a Samba host this means that the printer must be
physically added to the underlying printing system. The
add printer command defines a script to be run which
will perform the necessary operations for adding the
printer to the print system and to add the appropriate
service definition to the smb.conf file in order that
it can be shared by smbd(8)
The add printer command is automatically invoked with
the following parameter (in order:
o printer name
o share name
o port name
o driver name
o location
o Windows 9x driver location
All parameters are filled in from the PRINTER_INFO_2
structure sent by the Windows NT/2000 client with one
exception. The "Windows 9x driver location" parameter is
included for backwards compatibility only. The remaining
fields in the structure are generated from answers to the
APW questions.
Once the add printer command has been executed, smbd will
reparse the smb.conf to determine if the share defined by
the APW exists. If the sharename is still invalid, then smbd
will return an ACCESS_DENIED error to the client.
See also delete printer command, printing, show add printer
wizard
Default: none
Page 22 (printed 2/13/04)
SMB.CONF(5) UNIX System V (14 March 2003) SMB.CONF(5)
Example: addprinter command = /usr/bin/addprinter
add share command (G)
Samba 2.2.0 introduced the ability to dynamically add
and delete shares via the Windows NT 4.0 Server
Manager. The add share command is used to define an
external program or script which will add a new service
definition to smb.conf. In order to successfully
execute the add share command, smbd requires that the
administrator be connected using a root account (i.e.
uid == 0).
When executed, smbd will automatically invoke the add
share command with four parameters.
o configFile - the location of the global smb.conf
file.
o shareName - the name of the new share.
o pathName - path to an **existing** directory on disk.
o comment - comment string to associate with the new
share.
This parameter is only used for add file shares. To add
printer shares, see the add printer command.
See also change share command, delete share command.
Default: none
Example: add share command = /usr/local/bin/addshare
add user script (G)
This is the full pathname to a script that will be run
AS ROOT by smbd(8)
under special circumstances described below.
Normally, a Samba server requires that UNIX users are
created for all users accessing files on this server.
For sites that use Windows NT account databases as
their primary user database creating these users and
keeping the user list in sync with the Windows NT PDC
is an onerous task. This option allows smbd to create
the required UNIX users ON DEMAND when a user accesses
the Samba server.
In order to use this option, smbd must NOT be set to
security = share and add user script must be set to a
full pathname for a script that will create a UNIX user
given one argument of %u, which expands into the UNIX
Page 23 (printed 2/13/04)
SMB.CONF(5) UNIX System V (14 March 2003) SMB.CONF(5)
user name to create.
When the Windows user attempts to access the Samba
server, at login (session setup in the SMB protocol)
time, smbd contacts the password server and attempts
to authenticate the given user with the given password.
If the authentication succeeds then smbd attempts to
find a UNIX user in the UNIX password database to map
the Windows user into. If this lookup fails, and add
user script is set then smbd will call the specified
script AS ROOT, expanding any %u argument to be the
user name to create.
If this script successfully creates the user then smbd
will continue on as though the UNIX user already
existed. In this way, UNIX users are dynamically
created to match existing Windows NT accounts.
See also security, password server, delete user
script.
Default: add user script = <empty string>
Example: add user script =
/usr/local/samba/bin/add_user %u
admin users (S)
This is a list of users who will be granted
administrative privileges on the share. This means that
they will do all file operations as the super-user
(root).
You should use this option very carefully, as any user
in this list will be able to do anything they like on
the share, irrespective of file permissions.
Default: no admin users
Example: admin users = jason
allow hosts (S)
Synonym for hosts allow.
allow trusted domains (G)
This option only takes effect when the security option
is set to server or domain. If it is set to no, then
attempts to connect to a resource from a domain or
workgroup other than the one which smbd is running in
will fail, even if that domain is trusted by the remote
server doing the authentication.
This is useful if you only want your Samba server to
Page 24 (printed 2/13/04)
SMB.CONF(5) UNIX System V (14 March 2003) SMB.CONF(5)
serve resources to users in the domain it is a member
of. As an example, suppose that there are two domains
DOMA and DOMB. DOMB is trusted by DOMA, which contains
the Samba server. Under normal circumstances, a user
with an account in DOMB can then access the resources
of a UNIX account with the same account name on the
Samba server even if they do not have an account in
DOMA. This can make implementing a security boundary
difficult.
Default: allow trusted domains = yes
announce as (G)
This specifies what type of server nmbd will announce
itself as, to a network neighborhood browse list. By
default this is set to Windows NT. The valid options
are : "NT Server" (which can also be written as "NT"),
"NT Workstation", "Win95" or "WfW" meaning Windows NT
Server, Windows NT Workstation, Windows 95 and Windows
for Workgroups respectively. Do not change this
parameter unless you have a specific need to stop Samba
appearing as an NT server as this may prevent Samba
servers from participating as browser servers
correctly.
Default: announce as = NT Server
Example: announce as = Win95
announce version (G)
This specifies the major and minor version numbers that
nmbd will use when announcing itself as a server. The
default is 4.9. Do not change this parameter unless you
have a specific need to set a Samba server to be a
downlevel server.
Default: announce version = 4.9
Example: announce version = 2.0
auto services (G)
This is a synonym for the preload.
available (S)
This parameter lets you "turn off" a service. If
available = no, then ALL attempts to connect to the
service will fail. Such failures are logged.
Default: available = yes
bind interfaces only (G)
This global parameter allows the Samba admin to limit
Page 25 (printed 2/13/04)
SMB.CONF(5) UNIX System V (14 March 2003) SMB.CONF(5)
what interfaces on a machine will serve SMB requests.
If affects file service smbd(8) and name service
nmbd(8) in slightly different ways.
For name service it causes nmbd to bind to ports 137
and 138 on the interfaces listed in the interfaces
parameter. nmbd also binds to the "all addresses"
interface (0.0.0.0) on ports 137 and 138 for the
purposes of reading broadcast messages. If this option
is not set then nmbd will service name requests on all
of these sockets. If bind interfaces only is set then
nmbd will check the source address of any packets
coming in on the broadcast sockets and discard any that
don't match the broadcast addresses of the interfaces
in the interfaces parameter list. As unicast packets
are received on the other sockets it allows nmbd to
refuse to serve names to machines that send packets
that arrive through any interfaces not listed in the
interfaces list. IP Source address spoofing does defeat
this simple check, however so it must not be used
seriously as a security feature for nmbd.
For file service it causes smbd(8) to bind only to the
interface list given in the interfaces parameter. This
restricts the networks that smbd will serve to packets
coming in those interfaces. Note that you should not
use this parameter for machines that are serving PPP or
other intermittent or non-broadcast network interfaces
as it will not cope with non-permanent interfaces.
If bind interfaces only is set then unless the network
address 127.0.0.1 is added to the interfaces parameter
list smbpasswd(8) and swat(8) may not work as expected
due to the reasons covered below.
To change a users SMB password, the smbpasswd by
default connects to the localhost - 127.0.0.1 address
as an SMB client to issue the password change request.
If bind interfaces only is set then unless the network
address 127.0.0.1 is added to the interfaces parameter
list then smbpasswd will fail to connect in it's
default mode. smbpasswd can be forced to use the
primary IP interface of the local host by using its -r
remote machine
parameter, with remote machine set to the IP name of
the primary interface of the local host.
The swat status page tries to connect with smbd and
nmbd at the address 127.0.0.1 to determine if they are
running. Not adding 127.0.0.1 will cause smbd and nmbd
to always show "not running" even if they really are.
This can prevent swat from
Page 26 (printed 2/13/04)
SMB.CONF(5) UNIX System V (14 March 2003) SMB.CONF(5)
starting/stopping/restarting smbd and nmbd.
Default: bind interfaces only = no
block size (S)
This parameter controls the behavior of smbd(8) when
reporting disk free sizes. By default, this reports a
disk block size of 1024 bytes.
Changing this parameter may have some effect on the
efficiency of client writes, this is not yet confirmed.
This parameter was added to allow advanced
administrators to change it (usually to a higher value)
and test the effect it has on client write performance
without re-compiling the code. As this is an
experimental option it may be removed in a future
release.
Changing this option does not change the disk free
reporting size, just the block size unit reported to
the client.
Default: block size = 1024
Example: block size = 65536
blocking locks (S)
This parameter controls the behavior of smbd(8) when
given a request by a client to obtain a byte range lock
on a region of an open file, and the request has a time
limit associated with it.
If this parameter is set and the lock range requested
cannot be immediately satisfied, Samba 2.2 will
internally queue the lock request, and periodically
attempt to obtain the lock until the timeout period
expires.
If this parameter is set to no, then Samba 2.2 will
behave as previous versions of Samba would and will
fail the lock request immediately if the lock range
cannot be obtained.
Default: blocking locks = yes
browsable (S)
See the browseable.
browse list (G)
This controls whether smbd(8) will serve a browse list
to a client doing a NetServerEnum call. Normally set to
yes. You should never need to change this.
Page 27 (printed 2/13/04)
SMB.CONF(5) UNIX System V (14 March 2003) SMB.CONF(5)
Default: browse list = yes
browseable (S)
This controls whether this share is seen in the list of
available shares in a net view and in the browse list.
Default: browseable = yes
case sensitive (S)
See the discussion in the section NAME MANGLING.
Default: case sensitive = no
casesignames (S)
Synonym for case sensitive.
change notify timeout (G)
This SMB allows a client to tell a server to "watch" a
particular directory for any changes and only reply to
the SMB request when a change has occurred. Such
constant scanning of a directory is expensive under
UNIX, hence an smbd(8) daemon only performs such a
scan on each requested directory once every change
notify timeout seconds.
Default: change notify timeout = 60
Example: change notify timeout = 300
Would change the scan time to every 5 minutes.
change share command (G)
Samba 2.2.0 introduced the ability to dynamically add
and delete shares via the Windows NT 4.0 Server
Manager. The change share command is used to define an
external program or script which will modify an
existing service definition in smb.conf. In order to
successfully execute the change share command, smbd
requires that the administrator be connected using a
root account (i.e. uid == 0).
When executed, smbd will automatically invoke the
change share command with four parameters.
o configFile - the location of the global smb.conf
file.
o shareName - the name of the new share.
o pathName - path to an **existing** directory on disk.
o comment - comment string to associate with the new
Page 28 (printed 2/13/04)
SMB.CONF(5) UNIX System V (14 March 2003) SMB.CONF(5)
share.
This parameter is only used modify existing file shares
definitions. To modify printer shares, use the "Printers..."
folder as seen when browsing the Samba host.
See also add share command, delete share command.
Default: none
Example: change share command = /usr/local/bin/addshare
character set (G)
This allows smbd to map incoming filenames from a DOS
Code page (see the client code page parameter) to
several built in UNIX character sets. The built in code
page translations are:
o ISO8859-1 : Western European UNIX character set. The
parameter client code page MUST be set to code page
850 if the character set parameter is set to
ISO8859-1 in order for the conversion to the UNIX
character set to be done correctly.
o ISO8859-2 : Eastern European UNIX character set. The
parameter client code page MUST be set to code page
852 if the character set parameter is set to
ISO8859-2 in order for the conversion to the UNIX
character set to be done correctly.
o ISO8859-5 : Russian Cyrillic UNIX character set. The
parameter client code page MUST be set to code page
866 if the character set parameter is set to
ISO8859-5 in order for the conversion to the UNIX
character set to be done correctly.
o ISO8859-7 : Greek UNIX character set. The parameter
client code page MUST be set to code page 737 if the
character set parameter is set to ISO8859-7 in order
for the conversion to the UNIX character set to be
done correctly.
o KOI8-R : Alternate mapping for Russian Cyrillic UNIX
character set. The parameter client code page MUST be
set to code page 866 if the character set parameter
is set to KOI8-R in order for the conversion to the
UNIX character set to be done correctly.
BUG. These MSDOS code page to UNIX character set mappings
should be dynamic, like the loading of MS DOS code pages,
not static.
Page 29 (printed 2/13/04)
SMB.CONF(5) UNIX System V (14 March 2003) SMB.CONF(5)
Normally this parameter is not set, meaning no filename
translation is done.
Default: character set = <empty string>
Example: character set = ISO8859-1
client code page (G)
This parameter specifies the DOS code page that the
clients accessing Samba are using. To determine what
code page a Windows or DOS client is using, open a DOS
command prompt and type the command chcp. This will
output the code page. The default for USA MS-DOS,
Windows 95, and Windows NT releases is code page 437.
The default for western European releases of the above
operating systems is code page 850.
This parameter tells smbd(8) which of the codepage.XXX
files to dynamically load on startup. These files,
described more fully in the manual page
make_smbcodepage(1) tell smbd how to map lower to
upper case characters to provide the case insensitivity
of filenames that Windows clients expect.
Samba currently ships with the following code page
files :
o Code Page 437 - MS-DOS Latin US
o Code Page 737 - Windows '95 Greek
o Code Page 850 - MS-DOS Latin 1
o Code Page 852 - MS-DOS Latin 2
o Code Page 861 - MS-DOS Icelandic
o Code Page 866 - MS-DOS Cyrillic
o Code Page 932 - MS-DOS Japanese SJIS
o Code Page 936 - MS-DOS Simplified Chinese
o Code Page 949 - MS-DOS Korean Hangul
o Code Page 950 - MS-DOS Traditional Chinese
Thus this parameter may have any of the values 437, 737,
850, 852, 861, 932, 936, 949, or 950. If you don't find the
codepage you need, read the comments in one of the other
codepage files and the make_smbcodepage(1) man page and
write one. Please remember to donate it back to the Samba
Page 30 (printed 2/13/04)
SMB.CONF(5) UNIX System V (14 March 2003) SMB.CONF(5)
user community.
This parameter co-operates with the valid chars parameter in
determining what characters are valid in filenames and how
capitalization is done. If you set both this parameter and
the valid chars parameter the client code page parameter
MUST be set before the valid chars parameter in the smb.conf
file. The valid chars string will then augment the character
settings in the client code page parameter.
If not set, client code page defaults to 850.
See also : valid chars, code page directory
Default: client code page = 850
Example: client code page = 936
code page directory (G)
Define the location of the various client code page
files.
See also client code page
Default: code page directory = ${prefix}/lib/codepages
Example: code page directory =
/usr/share/samba/codepages
coding system (G)
This parameter is used to determine how incoming
Shift-JIS Japanese characters are mapped from the
incoming client code page used by the client, into file
names in the UNIX filesystem. Only useful if client
code page is set to 932 (Japanese Shift-JIS). The
options are :
o SJIS - Shift-JIS. Does no conversion of the incoming
filename.
o JIS8, J8BB, J8BH, J8@B, J8@J, J8@H - Convert from
incoming Shift-JIS to eight bit JIS code with
different shift-in, shift out codes.
o JIS7, J7BB, J7BH, J7@B, J7@J, J7@H - Convert from
incoming Shift-JIS to seven bit JIS code with
different shift-in, shift out codes.
o JUNET, JUBB, JUBH, JU@B, JU@J, JU@H - Convert from
incoming Shift-JIS to JUNET code with different
shift-in, shift out codes.
Page 31 (printed 2/13/04)
SMB.CONF(5) UNIX System V (14 March 2003) SMB.CONF(5)
o EUC - Convert an incoming Shift-JIS character to EUC
code.
o HEX - Convert an incoming Shift-JIS character to a 3
byte hex representation, i.e. :AB.
o CAP - Convert an incoming Shift-JIS character to the
3 byte hex representation used by the Columbia
AppleTalk Program (CAP), i.e. :AB. This is used for
compatibility between Samba and CAP.
Default: coding system = <empty value>
comment (S)
This is a text field that is seen next to a share when
a client does a queries the server, either via the
network neighborhood or via net view to list what
shares are available.
If you want to set the string that is displayed next to
the machine name then see the server string parameter.
Default: No comment string
Example: comment = Fred's Files
config file (G)
This allows you to override the config file to use,
instead of the default (usually smb.conf). There is a
chicken and egg problem here as this option is set in
the config file!
For this reason, if the name of the config file has
changed when the parameters are loaded then it will
reload them from the new config file.
This option takes the usual substitutions, which can be
very useful.
If the config file doesn't exist then it won't be
loaded (allowing you to special case the config files
of just a few clients).
Example: config file = /usr/local/samba/lib/smb.conf.%m
copy (S)
This parameter allows you to "clone" service entries.
The specified service is simply duplicated under the
current service's name. Any parameters specified in the
current section will override those in the section
being copied.
Page 32 (printed 2/13/04)
SMB.CONF(5) UNIX System V (14 March 2003) SMB.CONF(5)
This feature lets you set up a 'template' service and
create similar services easily. Note that the service
being copied must occur earlier in the configuration
file than the service doing the copying.
Default: no value
Example: copy = otherservice
create mask (S)
A synonym for this parameter is create mode .
When a file is created, the necessary permissions are
calculated according to the mapping from DOS modes to
UNIX permissions, and the resulting UNIX mode is then
bit-wise 'AND'ed with this parameter. This parameter
may be thought of as a bit-wise MASK for the UNIX modes
of a file. Any bit not set here will be removed from
the modes set on a file when it is created.
The default value of this parameter removes the 'group'
and 'other' write and execute bits from the UNIX modes.
Following this Samba will bit-wise 'OR' the UNIX mode
created from this parameter with the value of the force
create mode parameter which is set to 000 by default.
This parameter does not affect directory modes. See the
parameter directory mode for details.
See also the force create mode parameter for forcing
particular mode bits to be set on created files. See
also the directory mode parameter for masking mode
bits on created directories. See also the inherit
permissions parameter.
Note that this parameter does not apply to permissions
set by Windows NT/2000 ACL editors. If the
administrator wishes to enforce a mask on access
control lists also, they need to set the security mask.
Default: create mask = 0744
Example: create mask = 0775
create mode (S)
This is a synonym for create mask.
csc policy (S)
This stands for client-side caching policy, and
specifies how clients capable of offline caching will
cache the files in the share. The valid values are:
Page 33 (printed 2/13/04)
SMB.CONF(5) UNIX System V (14 March 2003) SMB.CONF(5)
manual, documents, programs, disable.
These values correspond to those used on Windows
servers.
For example, shares containing roaming profiles can
have offline caching disabled using csc policy =
disable .
Default: csc policy = manual
Example: csc policy = programs
deadtime (G)
The value of the parameter (a decimal integer)
represents the number of minutes of inactivity before a
connection is considered dead, and it is disconnected.
The deadtime only takes effect if the number of open
files is zero.
This is useful to stop a server's resources being
exhausted by a large number of inactive connections.
Most clients have an auto-reconnect feature when a
connection is broken so in most cases this par
|