*nix Documentation Project
·  Home
 +   man pages
·  Linux HOWTOs
·  FreeBSD Tips
·  *niX Forums

  man pages->IRIX man pages -> smb.conf.5 (5)              
Title
Content
Arch
Section
 

Contents


     SMB.CONF(5)       UNIX System V (14 March 2003)	   SMB.CONF(5)



     NAME    [Toc]    [Back]
	  smb.conf - The configuration file for	the Samba suite

     SYNOPSIS    [Toc]    [Back]
	  The smb.conf file is a configuration file for	the Samba
	  suite. smb.conf contains runtime configuration information
	  for the Samba	programs. The smb.conf file is designed	to be
	  configured and administered by the swat(8)
	   program. The	complete description of	the file format	and
	  possible parameters held within are here for reference
	  purposes.

     FILE FORMAT    [Toc]    [Back]
	  The file consists of sections	and parameters.	A section
	  begins with the name of the section in square	brackets and
	  continues until the next section begins. Sections contain
	  parameters of	the form

	  name = value

	  The file is line-based - that	is, each newline-terminated
	  line represents either a comment, a section name or a
	  parameter.

	  Section and parameter	names are not case sensitive.

	  Only the first equals	sign in	a parameter is significant.
	  Whitespace before or after the first equals sign is
	  discarded.  Leading, trailing	and internal whitespace	in
	  section and parameter	names is irrelevant. Leading and
	  trailing whitespace in a parameter value is discarded.
	  Internal whitespace within a parameter value is retained
	  verbatim.

	  Any line beginning with a semicolon (';') or a hash ('#')
	  character is ignored,	as are lines containing	only
	  whitespace.

	  Any line ending in a '\' is continued	on the next line in
	  the customary	UNIX fashion.

	  The values following the equals sign in parameters are all
	  either a string (no quotes needed) or	a boolean, which may
	  be given as yes/no, 0/1 or true/false. Case is not
	  significant in boolean values, but is	preserved in string
	  values. Some items such as create modes are numeric.

     SECTION DESCRIPTIONS    [Toc]    [Back]
	  Each section in the configuration file (except for the
	  [global] section) describes a	shared resource	(known as a
	  "share"). The	section	name is	the name of the	shared
	  resource and the parameters within the section define	the



     Page 1					     (printed 2/13/04)






     SMB.CONF(5)       UNIX System V (14 March 2003)	   SMB.CONF(5)



	  shares attributes.

	  There	are three special sections, [global], [homes] and
	  [printers], which are	described under	special	sections. The
	  following notes apply	to ordinary section descriptions.

	  A share consists of a	directory to which access is being
	  given	plus a description of the access rights	which are
	  granted to the user of the service. Some housekeeping
	  options are also specifiable.

	  Sections are either file share services (used	by the client
	  as an	extension of their native file systems)	or printable
	  services (used by the	client to access print services	on the
	  host running the server).

	  Sections may be designated guest services, in	which case no
	  password is required to access them. A specified UNIX	guest
	  account is used to define access privileges in this case.

	  Sections other than guest services will require a password
	  to access them. The client provides the username. As older
	  clients only provide passwords and not usernames, you	may
	  specify a list of usernames to check against the password
	  using	the "user =" option in the share definition. For
	  modern clients such as Windows 95/98/ME/NT/2000, this	should
	  not be necessary.

	  Note that the	access rights granted by the server are	masked
	  by the access	rights granted to the specified	or guest UNIX
	  user by the host system. The server does not grant more
	  access than the host system grants.

	  The following	sample section defines a file space share. The
	  user has write access	to the path /home/bar. The share is
	  accessed via the share name "foo":

		    [foo]
		    path = /home/bar
		    read only =	no




	  The following	sample section defines a printable share. The
	  share	is readonly, but printable. That is, the only write
	  access permitted is via calls	to open, write to and close a
	  spool	file. The guest	ok parameter means access will be
	  permitted as the default guest user (specified elsewhere):

		    [aprinter]
		    path = /usr/spool/public



     Page 2					     (printed 2/13/04)






     SMB.CONF(5)       UNIX System V (14 March 2003)	   SMB.CONF(5)



		    read only =	yes
		    printable =	yes
		    guest ok = yes




     SPECIAL SECTIONS    [Toc]    [Back]
	THE  GLOBAL  SECTION
	  parameters in	this section apply to the server as a whole,
	  or are defaults for sections which do	not specifically
	  define certain items.	See the	notes under PARAMETERS for
	  more information.

	THE  HOMES  SECTION
	  If a section called homes is included	in the configuration
	  file,	services connecting clients to their home directories
	  can be created on the	fly by the server.

	  When the connection request is made, the existing sections
	  are scanned. If a match is found, it is used.	If no match is
	  found, the requested section name is treated as a user name
	  and looked up	in the local password file. If the name	exists
	  and the correct password has been given, a share is created
	  by cloning the [homes] section.

	  Some modifications are then made to the newly	created	share:

	  o The	share name is changed from homes to the	located
	    username.

	  o If no path was given, the path is set to the user's	home
	    directory.

	  If you decide	to use a path =	line in	your [homes] section
	  then you may find it useful to use the %S macro. For example
	  :

	  path = /data/pchome/%S

	  would	be useful if you have different	home directories for
	  your PCs than	for UNIX access.

	  This is a fast and simple way	to give	a large	number of
	  clients access to their home directories with	a minimum of
	  fuss.

	  A similar process occurs if the requested section name is
	  "homes", except that the share name is not changed to	that
	  of the requesting user. This method of using the [homes]
	  section works	well if	different users	share a	client PC.




     Page 3					     (printed 2/13/04)






     SMB.CONF(5)       UNIX System V (14 March 2003)	   SMB.CONF(5)



	  The [homes] section can specify all the parameters a normal
	  service section can specify, though some make	more sense
	  than others. The following is	a typical and suitable [homes]
	  section:

			      [homes]
			 read only = no




	  An important point is	that if	guest access is	specified in
	  the [homes] section, all home	directories will be visible to
	  all clients without a	password. In the very unlikely event
	  that this is actually	desirable, it would be wise to also
	  specify read only access.

	  Note that the	browseable flag	for auto home directories will
	  be inherited from the	global browseable flag,	not the
	  [homes] browseable flag. This	is useful as it	means setting
	  browseable = no in the [homes] section will hide the [homes]
	  share	but make any auto home directories visible.

	THE  PRINTERS  SECTION
	  This section works like [homes], but for printers.

	  If a [printers] section occurs in the	configuration file,
	  users	are able to connect to any printer specified in	the
	  local	host's printcap	file.

	  When a connection request is made, the existing sections are
	  scanned. If a	match is found,	it is used. If no match	is
	  found, but a [homes] section exists, it is used as described
	  above. Otherwise, the	requested section name is treated as a
	  printer name and the appropriate printcap file is scanned to
	  see if the requested section name is a valid printer share
	  name.	If a match is found, a new printer share is created by
	  cloning the [printers] section.

	  A few	modifications are then made to the newly created
	  share:

	  o The	share name is set to the located printer name

	  o If no printer name was given, the printer name is set to
	    the	located	printer	name

	  o If the share does not permit guest access and no username
	    was	given, the username is set to the located printer
	    name.

	  Note that the	[printers] service MUST	be printable - if you



     Page 4					     (printed 2/13/04)






     SMB.CONF(5)       UNIX System V (14 March 2003)	   SMB.CONF(5)



	  specify otherwise, the server	will refuse to load the
	  configuration	file.

	  Typically the	path specified would be	that of	a worldwriteable
 spool directory with the sticky bit	set on it. A
	  typical [printers] entry would look like this:

		    [printers]
			 path =	/usr/spool/public
			 guest ok = yes
			 printable = yes



	  All aliases given for	a printer in the printcap file are
	  legitimate printer names as far as the server	is concerned.
	  If your printing subsystem doesn't work like that, you will
	  have to set up a pseudo-printcap. This is a file consisting
	  of one or more lines like this:

				 alias|alias|alias|alias...




	  Each alias should be an acceptable printer name for your
	  printing subsystem. In the [global] section, specify the new
	  file as your printcap. The server will then only recognize
	  names	found in your pseudo-printcap, which of	course can
	  contain whatever aliases you like. The same technique	could
	  be used simply to limit access to a subset of	your local
	  printers.

	  An alias, by the way,	is defined as any component of the
	  first	entry of a printcap record. Records are	separated by
	  newlines, components (if there are more than one) are
	  separated by vertical	bar symbols ('|').

	  NOTE:	On SYSV	systems	which use lpstat to determine what
	  printers are defined on the system you may be	able to	use
	  "printcap name = lpstat" to automatically obtain a list of
	  printers. See	the "printcap name" option for more details.

     PARAMETERS    [Toc]    [Back]
	  parameters define the	specific attributes of sections.

	  Some parameters are specific to the [global] section (e.g.,
	  security). Some parameters are usable	in all sections	(e.g.,
	  create mode).	All others are permissible only	in normal
	  sections. For	the purposes of	the following descriptions the
	  [homes] and [printers] sections will be considered normal.
	  The letter G in parentheses indicates	that a parameter is



     Page 5					     (printed 2/13/04)






     SMB.CONF(5)       UNIX System V (14 March 2003)	   SMB.CONF(5)



	  specific to the [global] section. The	letter S indicates
	  that a parameter can be specified in a service specific
	  section. Note	that all S parameters can also be specified in
	  the [global] section - in which case they will define	the
	  default behavior for all services.

	  parameters are arranged here in alphabetical order - this
	  may not create best bedfellows, but at least you can find
	  them!	Where there are	synonyms, the preferred	synonym	is
	  described, others refer to the preferred synonym.

     VARIABLE SUBSTITUTIONS    [Toc]    [Back]
	  Many of the strings that are settable	in the config file can
	  take substitutions. For example the option "path = /tmp/%u"
	  would	be interpreted as "path	= /tmp/john" if	the user
	  connected with the username john.

	  These	substitutions are mostly noted in the descriptions
	  below, but there are some general substitutions which	apply
	  whenever they	might be relevant. These are:

	  %S   the name	of the current service,	if any.

	  %P   the root	directory of the current service, if any.

	  %u   user name of the	current	service, if any.

	  %g   primary group name of %u.

	  %U   session user name (the user name	that the client
	       wanted, not necessarily the same	as the one they	got).

	  %G   primary group name of %U.

	  %H   the home	directory of the user given by %u.

	  %v   the Samba version.

	  %h   the Internet hostname that Samba	is running on.

	  %m   the NetBIOS name	of the client machine (very useful).

	  %L   the NetBIOS name	of the server. This allows you to
	       change your config based	on what	the client calls you.
	       Your server can have a "dual personality".

	       Note that this paramater	is not available when Samba
	       listens on port 445, as clients no longer send this
	       information

	  %M   the Internet name of the	client machine.




     Page 6					     (printed 2/13/04)






     SMB.CONF(5)       UNIX System V (14 March 2003)	   SMB.CONF(5)



	  %N   the name	of your	NIS home directory server. This	is
	       obtained	from your NIS auto.map entry. If you have not
	       compiled	Samba with the --with-automount	option then
	       this value will be the same as %L.

	  %p   the path	of the service's home directory, obtained from
	       your NIS	auto.map entry.	The NIS	auto.map entry is
	       split up	as "%N:%p".

	  %R   the selected protocol level after protocol negotiation.
	       It can be one of	CORE, COREPLUS,	LANMAN1, LANMAN2 or
	       NT1.

	  %d   The process id of the current server process.

	  %a   the architecture	of the remote machine. Only some are
	       recognized, and those may not be	100% reliable. It
	       currently recognizes Samba, WfWg, Win95,	WinNT and
	       Win2k. Anything else will be known as "UNKNOWN".	If it
	       gets it wrong then sending a level 3 log	to
	       samba@samba.org
		<URL:samba@samba.org> should allow it to	be
	       fixed.

	  %I   The IP address of the client machine.

	  %T   the current date	and time.

	  %$(envvar)
	       The value of the	environment variable envar.

	  There	are some quite creative	things that can	be done	with
	  these	substitutions and other	smb.conf options.

     NAME MANGLING    [Toc]    [Back]
	  Samba	supports "name mangling" so that DOS and Windows
	  clients can use files	that don't conform to the 8.3 format.
	  It can also be set to	adjust the case	of 8.3 format
	  filenames.

	  There	are several options that control the way mangling is
	  performed, and they are grouped here rather than listed
	  separately. For the defaults look at the output of the
	  testparm program.

	  All of these options can be set separately for each service
	  (or globally,	of course).

	  The options are:

	  mangling method
	       controls	the algorithm used for the generating the



     Page 7					     (printed 2/13/04)






     SMB.CONF(5)       UNIX System V (14 March 2003)	   SMB.CONF(5)



	       mangled names. Can take two different values, "hash"
	       and "hash2". "hash" is the default and is the algorithm
	       that has	been used in Samba for many years. "hash2" is
	       a newer and considered a	better algorithm (generates
	       less collisions)	in the names.  However,	many Win32
	       applications store the mangled names and	so changing to
	       the new algorithm must not be done lightly as these
	       applications may	break unless reinstalled.  New
	       installations of	Samba may set the default to hash2.
	       Default hash.

	  mangle case =	yes/no
	       controls	if names that have characters that aren't of
	       the "default" case are mangled. For example, if this is
	       yes then	a name like "Mail" would be mangled. Default
	       no.

	  case sensitive = yes/no
	       controls	whether	filenames are case sensitive. If they
	       aren't then Samba must do a filename search and match
	       on passed names.	Default	no.

	  default case = upper/lower
	       controls	what the default case is for new filenames.
	       Default lower.

	  preserve case	= yes/no
	       controls	if new files are created with the case that
	       the client passes, or if	they are forced	to be the
	       "default" case. Default yes.

	  short	preserve case =	yes/no
	       controls	if new files which conform to 8.3 syntax, that
	       is all in upper case and	of suitable length, are
	       created upper case, or if they are forced to be the
	       "default" case. This option can be use with "preserve
	       case = yes" to permit long filenames to retain their
	       case, while short names are lowercased. Default yes.

	  By default, Samba 2.2	has the	same semantics as a Windows NT
	  server, in that it is	case insensitive but case preserving.

     NOTE ABOUT	USERNAME/PASSWORD VALIDATION
	  There	are a number of	ways in	which a	user can connect to a
	  service. The server uses the following steps in determining
	  if it	will allow a connection	to a specified service.	If all
	  the steps fail, then the connection request is rejected.
	  However, if one of the steps succeeds, then the following
	  steps	are not	checked.

	  If the service is marked "guest only = yes" and the server
	  is running with share-level security ("security = share")



     Page 8					     (printed 2/13/04)






     SMB.CONF(5)       UNIX System V (14 March 2003)	   SMB.CONF(5)



	  then steps 1 to 5 are	skipped.

	  1.   If the client has passed	a username/password pair and
	       that username/password pair is validated	by the UNIX
	       system's	password programs then the connection is made
	       as that username. Note that this	includes the
	       \\server\service%username method	of passing a username.

	  2.   If the client has previously registered a username with
	       the system and now supplies a correct password for that
	       username	then the connection is allowed.

	  3.   The client's NetBIOS name and any previously used user
	       names are checked against the supplied password,	if
	       they match then the connection is allowed as the
	       corresponding user.

	  4.   If the client has previously validated a
	       username/password pair with the server and the client
	       has passed the validation token then that username is
	       used.

	  5.   If a "user = " field is given in	the smb.conf file for
	       the service and the client has supplied a password, and
	       that password matches (according	to the UNIX system's
	       password	checking) with one of the usernames from the
	       "user ="	field then the connection is made as the
	       username	in the "user ="	line. If one of	the username
	       in the "user =" list begins with	a '@' then that	name
	       expands to a list of names in the group of the same
	       name.

	  6.   If the service is a guest service then a	connection is
	       made as the username given in the "guest	account	=" for
	       the service, irrespective of the	supplied password.

     COMPLETE LIST OF GLOBAL PARAMETERS    [Toc]    [Back]
	  Here is a list of all	global parameters. See the section of
	  each parameter for details. Note that	some are synonyms.

	  o acl	compatibility

	  o add	printer	command

	  o add	share command

	  o add	user script

	  o allow trusted domains

	  o announce as




     Page 9					     (printed 2/13/04)






     SMB.CONF(5)       UNIX System V (14 March 2003)	   SMB.CONF(5)



	  o announce version

	  o auto services

	  o bind interfaces only

	  o browse list

	  o change notify timeout

	  o change share command

	  o character set

	  o client code	page

	  o code page directory

	  o coding system

	  o config file

	  o deadtime

	  o debug hires	timestamp

	  o debug pid

	  o debug timestamp

	  o debug uid

	  o debuglevel

	  o default

	  o default service

	  o delete printer command

	  o delete share command

	  o delete user	script

	  o dfree command

	  o disable spoolss

	  o dns	proxy

	  o domain admin group




     Page 10					     (printed 2/13/04)






     SMB.CONF(5)       UNIX System V (14 March 2003)	   SMB.CONF(5)



	  o domain guest group

	  o domain logons

	  o domain master

	  o encrypt passwords

	  o enhanced browsing

	  o enumports command

	  o getwd cache

	  o hide local users

	  o hide unreadable

	  o homedir map

	  o host msdfs

	  o hosts equiv

	  o interfaces

	  o keepalive

	  o kernel oplocks

	  o lanman auth

	  o large readwrite

	  o ldap admin dn

	  o ldap filter

	  o ldap port

	  o ldap server

	  o ldap ssl

	  o ldap suffix

	  o lm announce

	  o lm interval

	  o load printers




     Page 11					     (printed 2/13/04)






     SMB.CONF(5)       UNIX System V (14 March 2003)	   SMB.CONF(5)



	  o local master

	  o lock dir

	  o lock directory

	  o lock spin count

	  o lock spin time

	  o pid	directory

	  o log	file

	  o log	level

	  o logon drive

	  o logon home

	  o logon path

	  o logon script

	  o lpq	cache time

	  o machine password timeout

	  o mangled stack

	  o mangling method

	  o map	to guest

	  o max	disk size

	  o max	log size

	  o max	mux

	  o max	open files

	  o max	protocol

	  o max	smbd processes

	  o max	ttl

	  o max	wins ttl

	  o max	xmit




     Page 12					     (printed 2/13/04)






     SMB.CONF(5)       UNIX System V (14 March 2003)	   SMB.CONF(5)



	  o message command

	  o min	passwd length

	  o min	password length

	  o min	protocol

	  o min	wins ttl

	  o name resolve order

	  o netbios aliases

	  o netbios name

	  o netbios scope

	  o nis	homedir

	  o nt pipe support

	  o nt smb support

	  o nt status support

	  o null passwords

	  o obey pam restrictions

	  o oplock break wait time

	  o os level

	  o os2	driver map

	  o pam	password change

	  o panic action

	  o passwd chat

	  o passwd chat	debug

	  o passwd program

	  o password level

	  o password server

	  o prefered master




     Page 13					     (printed 2/13/04)






     SMB.CONF(5)       UNIX System V (14 March 2003)	   SMB.CONF(5)



	  o preferred master

	  o preload

	  o printcap

	  o printcap name

	  o printer driver file

	  o protocol

	  o read bmpx

	  o read raw

	  o read size

	  o remote announce

	  o remote browse sync

	  o restrict anonymous

	  o root

	  o root dir

	  o root directory

	  o security

	  o server string

	  o show add printer wizard

	  o smb	passwd file

	  o socket address

	  o socket options

	  o source environment

	  o ssl

	  o ssl	CA certDir

	  o ssl	CA certFile

	  o ssl	ciphers




     Page 14					     (printed 2/13/04)






     SMB.CONF(5)       UNIX System V (14 March 2003)	   SMB.CONF(5)



	  o ssl	client cert

	  o ssl	client key

	  o ssl	compatibility

	  o ssl	egd socket

	  o ssl	entropy	bytes

	  o ssl	entropy	file

	  o ssl	hosts

	  o ssl	hosts resign

	  o ssl	require	clientcert

	  o ssl	require	servercert

	  o ssl	server cert

	  o ssl	server key

	  o ssl	version

	  o stat cache

	  o stat cache size

	  o strip dot

	  o syslog

	  o syslog only

	  o template homedir

	  o template shell

	  o time offset

	  o time server

	  o timestamp logs

	  o total print	jobs

	  o unix extensions

	  o unix password sync




     Page 15					     (printed 2/13/04)






     SMB.CONF(5)       UNIX System V (14 March 2003)	   SMB.CONF(5)



	  o update encrypted

	  o use	mmap

	  o use	rhosts

	  o username level

	  o username map

	  o utmp

	  o utmp directory

	  o valid chars

	  o winbind cache time

	  o winbind enum users

	  o winbind enum groups

	  o winbind gid

	  o winbind separator

	  o winbind uid

	  o winbind use	default	domain

	  o wins hook

	  o wins proxy

	  o wins server

	  o wins support

	  o workgroup

	  o write raw

     COMPLETE LIST OF SERVICE PARAMETERS    [Toc]    [Back]
	  Here is a list of all	service	parameters. See	the section on
	  each parameter for details. Note that	some are synonyms.

	  o admin users

	  o allow hosts

	  o available




     Page 16					     (printed 2/13/04)






     SMB.CONF(5)       UNIX System V (14 March 2003)	   SMB.CONF(5)



	  o blocking locks

	  o block size

	  o browsable

	  o browseable

	  o case sensitive

	  o casesignames

	  o comment

	  o copy

	  o create mask

	  o create mode

	  o csc	policy

	  o default case

	  o default devmode

	  o delete readonly

	  o delete veto	files

	  o deny hosts

	  o directory

	  o directory mask

	  o directory mode

	  o directory security mask

	  o dont descend

	  o dos	filemode

	  o dos	filetime resolution

	  o dos	filetimes

	  o exec

	  o fake directory create times




     Page 17					     (printed 2/13/04)






     SMB.CONF(5)       UNIX System V (14 March 2003)	   SMB.CONF(5)



	  o fake oplocks

	  o follow symlinks

	  o force create mode

	  o force directory mode

	  o force directory security mode

	  o force group

	  o force security mode

	  o force unknown acl user

	  o force user

	  o fstype

	  o group

	  o guest account

	  o guest ok

	  o guest only

	  o hide dot files

	  o hide files

	  o hosts allow

	  o hosts deny

	  o include

	  o inherit acls

	  o inherit permissions

	  o invalid users

	  o level2 oplocks

	  o locking

	  o lppause command

	  o lpq	command




     Page 18					     (printed 2/13/04)






     SMB.CONF(5)       UNIX System V (14 March 2003)	   SMB.CONF(5)



	  o lpresume command

	  o lprm command

	  o magic output

	  o magic script

	  o mangle case

	  o mangled map

	  o mangled names

	  o mangling char

	  o map	archive

	  o map	hidden

	  o map	system

	  o max	connections

	  o max	print jobs

	  o min	print space

	  o msdfs root

	  o nt acl support

	  o only guest

	  o only user

	  o oplock contention limit

	  o oplocks

	  o path

	  o posix locking

	  o postexec

	  o postscript

	  o preexec

	  o preexec close




     Page 19					     (printed 2/13/04)






     SMB.CONF(5)       UNIX System V (14 March 2003)	   SMB.CONF(5)



	  o preserve case

	  o print command

	  o print ok

	  o printable

	  o printer

	  o printer admin

	  o printer driver

	  o printer driver location

	  o printer name

	  o printing

	  o profile acls

	  o public

	  o queuepause command

	  o queueresume	command

	  o read list

	  o read only

	  o root postexec

	  o root preexec

	  o root preexec close

	  o security mask

	  o set	directory

	  o share modes

	  o short preserve case

	  o status

	  o strict allocate

	  o strict locking




     Page 20					     (printed 2/13/04)






     SMB.CONF(5)       UNIX System V (14 March 2003)	   SMB.CONF(5)



	  o strict sync

	  o sync always

	  o use	client driver

	  o use	sendfile

	  o user

	  o username

	  o users

	  o valid users

	  o veto files

	  o veto oplock	files

	  o vfs	object

	  o vfs	options

	  o volume

	  o wide links

	  o writable

	  o write cache	size

	  o write list

	  o write ok

	  o writeable

     EXPLANATION OF EACH PARAMETER    [Toc]    [Back]
	  acl compatibility (G)
	       New in Samba 2.2.8 and above, this string parameter
	       tells smbd if it	should modify any Windows access
	       control lists created from POSIX	access control lists
	       to remove features which	are not	supported by Windows
	       2000 but	not supported by the Windows NT	ACL edit.
	       control.

	       By default this parameter is set	automatically by
	       detecting the client type and is	set to "true" if the
	       client is Windows NT.

	       Default:	client detected



     Page 21					     (printed 2/13/04)






     SMB.CONF(5)       UNIX System V (14 March 2003)	   SMB.CONF(5)



	       Example:	acl compatibility = Win2k

	       Example:	acl compatibility = winnt

	  add printer command (G)
	       With the	introduction of	MS-RPC based printing support
	       for Windows NT/2000 clients in Samba 2.2, The MS	Add
	       Printer Wizard (APW) icon is now	also available in the
	       "Printers..." folder displayed a	share listing. The APW
	       allows for printers to be add remotely to a Samba or
	       Windows NT/2000 print server.

	       For a Samba host	this means that	the printer must be
	       physically added	to the underlying printing system. The
	       add printer command defines a script to be run which
	       will perform the	necessary operations for adding	the
	       printer to the print system and to add the appropriate
	       service definition to the smb.conf file in order	that
	       it can be shared	by smbd(8)


	       The add printer command is automatically	invoked	with
	       the following parameter (in order:

	       o printer name

	       o share name

	       o port name

	       o driver	name

	       o location

	       o Windows 9x driver location

	  All parameters are filled in from the	PRINTER_INFO_2
	  structure sent by the	Windows	NT/2000	client with one
	  exception. The "Windows 9x driver location" parameter	is
	  included for backwards compatibility only. The remaining
	  fields in the	structure are generated	from answers to	the
	  APW questions.

	  Once the add printer command has been	executed, smbd will
	  reparse the  smb.conf	to determine if	the share defined by
	  the APW exists. If the sharename is still invalid, then smbd
	  will return an ACCESS_DENIED error to	the client.

	  See also  delete printer command, printing, show add printer
	  wizard

	  Default: none



     Page 22					     (printed 2/13/04)






     SMB.CONF(5)       UNIX System V (14 March 2003)	   SMB.CONF(5)



	  Example: addprinter command =	/usr/bin/addprinter

	  add share command (G)
	       Samba 2.2.0 introduced the ability to dynamically add
	       and delete shares via the Windows NT 4.0	Server
	       Manager.	The add	share command is used to define	an
	       external	program	or script which	will add a new service
	       definition to smb.conf. In order	to successfully
	       execute the add share command, smbd requires that the
	       administrator be	connected using	a root account (i.e.
	       uid == 0).

	       When executed, smbd will	automatically invoke the add
	       share command with four parameters.

	       o configFile - the location of the global smb.conf
		 file.

	       o shareName - the name of the new share.

	       o pathName - path to an **existing** directory on disk.

	       o comment - comment string to associate with the	new
		 share.

	  This parameter is only used for add file shares. To add
	  printer shares, see the add printer command.

	  See also change share	command, delete	share command.

	  Default: none

	  Example: add share command = /usr/local/bin/addshare

	  add user script (G)
	       This is the full	pathname to a script that will be run
	       AS ROOT by smbd(8)
		under special circumstances described below.

	       Normally, a Samba server	requires that UNIX users are
	       created for all users accessing files on	this server.
	       For sites that use Windows NT account databases as
	       their primary user database creating these users	and
	       keeping the user	list in	sync with the Windows NT PDC
	       is an onerous task. This	option allows smbd to create
	       the required UNIX users ON DEMAND when a	user accesses
	       the Samba server.

	       In order	to use this option, smbd must NOT be set to
	       security	= share	and add	user script must be set	to a
	       full pathname for a script that will create a UNIX user
	       given one argument of %u, which expands into the	UNIX



     Page 23					     (printed 2/13/04)






     SMB.CONF(5)       UNIX System V (14 March 2003)	   SMB.CONF(5)



	       user name to create.

	       When the	Windows	user attempts to access	the Samba
	       server, at login	(session setup in the SMB protocol)
	       time,  smbd contacts the	password server	and attempts
	       to authenticate the given user with the given password.
	       If the authentication succeeds then smbd	attempts to
	       find a UNIX user	in the UNIX password database to map
	       the Windows user	into. If this lookup fails, and	add
	       user script is set then smbd will call the specified
	       script AS ROOT, expanding any %u	argument to be the
	       user name to create.

	       If this script successfully creates the user then smbd
	       will continue on	as though the UNIX user	already
	       existed.	In this	way, UNIX users	are dynamically
	       created to match	existing Windows NT accounts.

	       See also	 security,  password server, delete user
	       script.

	       Default:	add user script	= <empty string>

	       Example:	add user script	=
	       /usr/local/samba/bin/add_user %u

	  admin	users (S)
	       This is a list of users who will	be granted
	       administrative privileges on the	share. This means that
	       they will do all	file operations	as the super-user
	       (root).

	       You should use this option very carefully, as any user
	       in this list will be able to do anything	they like on
	       the share, irrespective of file permissions.

	       Default:	no admin users

	       Example:	admin users = jason

	  allow	hosts (S)
	       Synonym for  hosts allow.

	  allow	trusted	domains	(G)
	       This option only	takes effect when the security option
	       is set to server	or domain. If it is set	to no, then
	       attempts	to connect to a	resource from a	domain or
	       workgroup other than the	one which smbd is running in
	       will fail, even if that domain is trusted by the	remote
	       server doing the	authentication.

	       This is useful if you only want your Samba server to



     Page 24					     (printed 2/13/04)






     SMB.CONF(5)       UNIX System V (14 March 2003)	   SMB.CONF(5)



	       serve resources to users	in the domain it is a member
	       of. As an example, suppose that there are two domains
	       DOMA and	DOMB. DOMB is trusted by DOMA, which contains
	       the Samba server. Under normal circumstances, a user
	       with an account in DOMB can then	access the resources
	       of a UNIX account with the same account name on the
	       Samba server even if they do not	have an	account	in
	       DOMA. This can make implementing	a security boundary
	       difficult.

	       Default:	allow trusted domains =	yes

	  announce as (G)
	       This specifies what type	of server nmbd will announce
	       itself as, to a network neighborhood browse list. By
	       default this is set to Windows NT. The valid options
	       are : "NT Server" (which	can also be written as "NT"),
	       "NT Workstation", "Win95" or "WfW" meaning Windows NT
	       Server, Windows NT Workstation, Windows 95 and Windows
	       for Workgroups respectively. Do not change this
	       parameter unless	you have a specific need to stop Samba
	       appearing as an NT server as this may prevent Samba
	       servers from participating as browser servers
	       correctly.

	       Default:	announce as = NT Server

	       Example:	announce as = Win95

	  announce version (G)
	       This specifies the major	and minor version numbers that
	       nmbd will use when announcing itself as a server. The
	       default is 4.9. Do not change this parameter unless you
	       have a specific need to set a Samba server to be	a
	       downlevel server.

	       Default:	announce version = 4.9

	       Example:	announce version = 2.0

	  auto services	(G)
	       This is a synonym for the  preload.

	  available (S)
	       This parameter lets you "turn off" a service. If
	       available = no, then ALL	attempts to connect to the
	       service will fail. Such failures	are logged.

	       Default:	available = yes

	  bind interfaces only (G)
	       This global parameter allows the	Samba admin to limit



     Page 25					     (printed 2/13/04)






     SMB.CONF(5)       UNIX System V (14 March 2003)	   SMB.CONF(5)



	       what interfaces on a machine will serve SMB requests.
	       If affects file service smbd(8) and name	service
	       nmbd(8) in slightly different ways.

	       For name	service	it causes nmbd to bind to ports	137
	       and 138 on the interfaces listed	in the interfaces
	       parameter. nmbd also binds to the "all addresses"
	       interface (0.0.0.0) on ports 137	and 138	for the
	       purposes	of reading broadcast messages. If this option
	       is not set then nmbd will service name requests on all
	       of these	sockets. If bind interfaces only is set	then
	       nmbd will check the source address of any packets
	       coming in on the	broadcast sockets and discard any that
	       don't match the broadcast addresses of the interfaces
	       in the interfaces parameter list. As unicast packets
	       are received on the other sockets it allows nmbd	to
	       refuse to serve names to	machines that send packets
	       that arrive through any interfaces not listed in	the
	       interfaces list.	IP Source address spoofing does	defeat
	       this simple check, however so it	must not be used
	       seriously as a security feature for nmbd.

	       For file	service	it causes smbd(8) to bind only to the
	       interface list given in the  interfaces parameter. This
	       restricts the networks that smbd	will serve to packets
	       coming in those interfaces. Note	that you should	not
	       use this	parameter for machines that are	serving	PPP or
	       other intermittent or non-broadcast network interfaces
	       as it will not cope with	non-permanent interfaces.

	       If bind interfaces only is set then unless the network
	       address 127.0.0.1 is added to the interfaces parameter
	       list smbpasswd(8) and swat(8) may not work as expected
	       due to the reasons covered below.

	       To change a users SMB password, the smbpasswd by
	       default connects	to the localhost - 127.0.0.1 address
	       as an SMB client	to issue the password change request.
	       If bind interfaces only is set then unless the network
	       address 127.0.0.1 is added to the interfaces parameter
	       list then  smbpasswd will fail to connect in it's
	       default mode. smbpasswd can be forced to	use the
	       primary IP interface of the local host by using its  -r
	       remote machine
		parameter, with	remote machine set to the IP name of
	       the primary interface of	the local host.

	       The swat	status page tries to connect with smbd and
	       nmbd at the address 127.0.0.1 to	determine if they are
	       running.	Not adding 127.0.0.1 will cause	 smbd and nmbd
	       to always show "not running" even if they really	are.
	       This can	prevent	 swat from



     Page 26					     (printed 2/13/04)






     SMB.CONF(5)       UNIX System V (14 March 2003)	   SMB.CONF(5)



	       starting/stopping/restarting smbd and nmbd.

	       Default:	bind interfaces	only = no

	  block	size (S)
	       This parameter controls the behavior of smbd(8) when
	       reporting disk free sizes.  By default, this reports a
	       disk block size of 1024 bytes.

	       Changing	this parameter may have	some effect on the
	       efficiency of client writes, this is not	yet confirmed.
	       This parameter was added	to allow advanced
	       administrators to change	it (usually to a higher	value)
	       and test	the effect it has on client write performance
	       without re-compiling the	code. As this is an
	       experimental option it may be removed in	a future
	       release.

	       Changing	this option does not change the	disk free
	       reporting size, just the	block size unit	reported to
	       the client.

	       Default:	block size = 1024

	       Example:	block size = 65536

	  blocking locks (S)
	       This parameter controls the behavior of smbd(8) when
	       given a request by a client to obtain a byte range lock
	       on a region of an open file, and	the request has	a time
	       limit associated	with it.

	       If this parameter is set	and the	lock range requested
	       cannot be immediately satisfied,	Samba 2.2 will
	       internally queue	the lock request, and periodically
	       attempt to obtain the lock until	the timeout period
	       expires.

	       If this parameter is set	to no, then Samba 2.2 will
	       behave as previous versions of Samba would and will
	       fail the	lock request immediately if the	lock range
	       cannot be obtained.

	       Default:	blocking locks = yes

	  browsable (S)
	       See the	browseable.

	  browse list (G)
	       This controls whether  smbd(8) will serve a browse list
	       to a client doing a NetServerEnum call. Normally	set to
	       yes. You	should never need to change this.



     Page 27					     (printed 2/13/04)






     SMB.CONF(5)       UNIX System V (14 March 2003)	   SMB.CONF(5)



	       Default:	browse list = yes

	  browseable (S)
	       This controls whether this share	is seen	in the list of
	       available shares	in a net view and in the browse	list.

	       Default:	browseable = yes

	  case sensitive (S)
	       See the discussion in the section NAME MANGLING.

	       Default:	case sensitive = no

	  casesignames (S)
	       Synonym for case	sensitive.

	  change notify	timeout	(G)
	       This SMB	allows a client	to tell	a server to "watch" a
	       particular directory for	any changes and	only reply to
	       the SMB request when a change has occurred. Such
	       constant	scanning of a directory	is expensive under
	       UNIX, hence an  smbd(8) daemon only performs such a
	       scan on each requested directory	once every change
	       notify timeout seconds.

	       Default:	change notify timeout =	60

	       Example:	change notify timeout =	300

	       Would change the	scan time to every 5 minutes.

	  change share command (G)
	       Samba 2.2.0 introduced the ability to dynamically add
	       and delete shares via the Windows NT 4.0	Server
	       Manager.	The change share command is used to define an
	       external	program	or script which	will modify an
	       existing	service	definition in smb.conf.	In order to
	       successfully execute the	change share command, smbd
	       requires	that the administrator be connected using a
	       root account (i.e. uid == 0).

	       When executed, smbd will	automatically invoke the
	       change share command with four parameters.

	       o configFile - the location of the global smb.conf
		 file.

	       o shareName - the name of the new share.

	       o pathName - path to an **existing** directory on disk.

	       o comment - comment string to associate with the	new



     Page 28					     (printed 2/13/04)






     SMB.CONF(5)       UNIX System V (14 March 2003)	   SMB.CONF(5)



		 share.

	  This parameter is only used modify existing file shares
	  definitions. To modify printer shares, use the "Printers..."
	  folder as seen when browsing the Samba host.

	  See also add share command, delete share command.

	  Default: none

	  Example: change share	command	= /usr/local/bin/addshare

	  character set	(G)
	       This allows smbd	to map incoming	filenames from a DOS
	       Code page (see the client code page parameter) to
	       several built in	UNIX character sets. The built in code
	       page translations are:

	       o ISO8859-1 : Western European UNIX character set. The
		 parameter client code page MUST be set	to code	page
		 850 if	the character set parameter is set to
		 ISO8859-1 in order for	the conversion to the UNIX
		 character set to be done correctly.

	       o ISO8859-2 : Eastern European UNIX character set. The
		 parameter client code page MUST be set	to code	page
		 852 if	the  character set parameter is	set to
		 ISO8859-2 in order for	the conversion to the UNIX
		 character set to be done correctly.

	       o ISO8859-5 : Russian Cyrillic UNIX character set. The
		 parameter client code page MUST be set	to code	page
		 866 if	the character set  parameter is	set to
		 ISO8859-5 in order for	the conversion to the UNIX
		 character set to be done correctly.

	       o ISO8859-7 : Greek UNIX	character set. The parameter
		 client	code page MUST be set to code page 737 if the
		 character set parameter is set	to ISO8859-7 in	order
		 for the conversion to the UNIX	character set to be
		 done correctly.

	       o KOI8-R	: Alternate mapping for	Russian	Cyrillic UNIX
		 character set.	The parameter client code page MUST be
		 set to	code page 866 if the character set parameter
		 is set	to KOI8-R in order for the conversion to the
		 UNIX character	set to be done correctly.

	  BUG. These MSDOS code	page to	UNIX character set mappings
	  should be dynamic, like the loading of MS DOS	code pages,
	  not static.




     Page 29					     (printed 2/13/04)






     SMB.CONF(5)       UNIX System V (14 March 2003)	   SMB.CONF(5)



	  Normally this	parameter is not set, meaning no filename
	  translation is done.

	  Default: character set = <empty string>

	  Example: character set = ISO8859-1

	  client code page (G)
	       This parameter specifies	the DOS	code page that the
	       clients accessing Samba are using. To determine what
	       code page a Windows or DOS client is using, open	a DOS
	       command prompt and type the command chcp. This will
	       output the code page. The default for USA MS-DOS,
	       Windows 95, and Windows NT releases is code page	437.
	       The default for western European	releases of the	above
	       operating systems is code page 850.

	       This parameter tells smbd(8) which of the codepage.XXX
	       files to	dynamically load on startup. These files,
	       described more fully in the manual page
	       make_smbcodepage(1) tell	 smbd how to map lower to
	       upper case characters to	provide	the case insensitivity
	       of filenames that Windows clients expect.

	       Samba currently ships with the following	code page
	       files :

	       o Code Page 437 - MS-DOS	Latin US

	       o Code Page 737 - Windows '95 Greek

	       o Code Page 850 - MS-DOS	Latin 1

	       o Code Page 852 - MS-DOS	Latin 2

	       o Code Page 861 - MS-DOS	Icelandic

	       o Code Page 866 - MS-DOS	Cyrillic

	       o Code Page 932 - MS-DOS	Japanese SJIS

	       o Code Page 936 - MS-DOS	Simplified Chinese

	       o Code Page 949 - MS-DOS	Korean Hangul

	       o Code Page 950 - MS-DOS	Traditional Chinese

	  Thus this parameter may have any of the values 437, 737,
	  850, 852, 861, 932, 936, 949,	or 950.	If you don't find the
	  codepage you need, read the comments in one of the other
	  codepage files and the make_smbcodepage(1) man page and
	  write	one. Please remember to	donate it back to the Samba



     Page 30					     (printed 2/13/04)






     SMB.CONF(5)       UNIX System V (14 March 2003)	   SMB.CONF(5)



	  user community.

	  This parameter co-operates with the valid chars parameter in
	  determining what characters are valid	in filenames and how
	  capitalization is done. If you set both this parameter and
	  the valid chars parameter the	client code page parameter
	  MUST be set before the valid chars parameter in the smb.conf
	  file.	The valid chars	string will then augment the character
	  settings in the client code page parameter.

	  If not set, client code page defaults	to 850.

	  See also : valid chars,  code	page directory

	  Default: client code page = 850

	  Example: client code page = 936

	  code page directory (G)
	       Define the location of the various client code page
	       files.

	       See also	client code page

	       Default:	code page directory = ${prefix}/lib/codepages

	       Example:	code page directory =
	       /usr/share/samba/codepages

	  coding system	(G)
	       This parameter is used to determine how incoming
	       Shift-JIS Japanese characters are mapped	from the
	       incoming	client code page used by the client, into file
	       names in	the UNIX filesystem. Only useful if client
	       code page is set	to 932 (Japanese Shift-JIS). The
	       options are :

	       o SJIS -	Shift-JIS. Does	no conversion of the incoming
		 filename.

	       o JIS8, J8BB, J8BH, J8@B, J8@J, J8@H  - Convert from
		 incoming Shift-JIS to eight bit JIS code with
		 different shift-in, shift out codes.

	       o JIS7, J7BB, J7BH, J7@B, J7@J, J7@H  - Convert from
		 incoming Shift-JIS to seven bit JIS code with
		 different shift-in, shift out codes.

	       o JUNET,	JUBB, JUBH, JU@B, JU@J,	JU@H - Convert from
		 incoming Shift-JIS to JUNET code with different
		 shift-in, shift out codes.




     Page 31					     (printed 2/13/04)






     SMB.CONF(5)       UNIX System V (14 March 2003)	   SMB.CONF(5)



	       o EUC - Convert an incoming Shift-JIS character to EUC
		 code.

	       o HEX - Convert an incoming Shift-JIS character to a 3
		 byte hex representation, i.e. :AB.

	       o CAP - Convert an incoming Shift-JIS character to the
		 3 byte	hex representation used	by the Columbia
		 AppleTalk Program (CAP), i.e. :AB. This is used for
		 compatibility between Samba and CAP.

	  Default: coding system = <empty value>

	  comment (S)
	       This is a text field that is seen next to a share when
	       a client	does a queries the server, either via the
	       network neighborhood or via net view to list what
	       shares are available.

	       If you want to set the string that is displayed next to
	       the machine name	then see the  server string parameter.

	       Default:	No comment string

	       Example:	comment	= Fred's Files

	  config file (G)
	       This allows you to override the config file to use,
	       instead of the default (usually smb.conf). There	is a
	       chicken and egg problem here as this option is set in
	       the config file!

	       For this	reason,	if the name of the config file has
	       changed when the	parameters are loaded then it will
	       reload them from	the new	config file.

	       This option takes the usual substitutions, which	can be
	       very useful.

	       If the config file doesn't exist	then it	won't be
	       loaded (allowing	you to special case the	config files
	       of just a few clients).

	       Example:	config file = /usr/local/samba/lib/smb.conf.%m

	  copy (S)
	       This parameter allows you to "clone" service entries.
	       The specified service is	simply duplicated under	the
	       current service's name. Any parameters specified	in the
	       current section will override those in the section
	       being copied.




     Page 32					     (printed 2/13/04)






     SMB.CONF(5)       UNIX System V (14 March 2003)	   SMB.CONF(5)



	       This feature lets you set up a 'template' service and
	       create similar services easily. Note that the service
	       being copied must occur earlier in the configuration
	       file than the service doing the copying.

	       Default:	no value

	       Example:	copy = otherservice

	  create mask (S)
	       A synonym for this parameter is create mode .

	       When a file is created, the necessary permissions are
	       calculated according to the mapping from	DOS modes to
	       UNIX permissions, and the resulting UNIX	mode is	then
	       bit-wise	'AND'ed	with this parameter. This parameter
	       may be thought of as a bit-wise MASK for	the UNIX modes
	       of a file. Any bit not set here will be removed from
	       the modes set on	a file when it is created.

	       The default value of this parameter removes the 'group'
	       and 'other' write and execute bits from the UNIX	modes.

	       Following this Samba will bit-wise 'OR' the UNIX	mode
	       created from this parameter with	the value of the force
	       create mode parameter which is set to 000 by default.

	       This parameter does not affect directory	modes. See the
	       parameter directory mode	for details.

	       See also	the force create mode parameter	for forcing
	       particular mode bits to be set on created files.	See
	       also the	 directory mode	parameter for masking mode
	       bits on created directories. See	also the  inherit
	       permissions parameter.

	       Note that this parameter	does not apply to permissions
	       set by Windows NT/2000 ACL editors. If the
	       administrator wishes to enforce a mask on access
	       control lists also, they	need to	set the	security mask.

	       Default:	create mask = 0744

	       Example:	create mask = 0775

	  create mode (S)
	       This is a synonym for  create mask.

	  csc policy (S)
	       This stands for client-side caching policy, and
	       specifies how clients capable of	offline	caching	will
	       cache the files in the share. The valid values are:



     Page 33					     (printed 2/13/04)






     SMB.CONF(5)       UNIX System V (14 March 2003)	   SMB.CONF(5)



	       manual, documents, programs, disable.

	       These values correspond to those	used on	Windows
	       servers.

	       For example, shares containing roaming profiles can
	       have offline caching disabled using csc policy =
	       disable .

	       Default:	csc policy = manual

	       Example:	csc policy = programs

	  deadtime (G)
	       The value of the	parameter (a decimal integer)
	       represents the number of	minutes	of inactivity before a
	       connection is considered	dead, and it is	disconnected.
	       The deadtime only takes effect if the number of open
	       files is	zero.

	       This is useful to stop a	server's resources being
	       exhausted by a large number of inactive connections.

	       Most clients have an auto-reconnect feature when	a
	       connection is broken so in most cases this par

 Similar pages
Name OS Title
smbpasswd.5 IRIX The Samba encrypted password file
make_smbcodepage.1 IRIX construct a codepage file for Samba
lmhosts.5 IRIX The Samba NetBIOS hosts file
make_unicodemap.1 IRIX construct a unicode map file for Samba
debhelper Linux the debhelper tool suite
cvspeed IRIX The suite of WorkShop Performance Tools
swat.8 IRIX Samba Web Administration Tool
smbstatus.1 IRIX report on current Samba connections
aurema Tru64 Aurema's ARMTech (Active Resource Management Technology) resource management suite
armtech Tru64 Aurema's ARMTech (Active Resource Management Technology) resource management suite
Copyright © 2004-2005 DeniX Solutions SRL
newsletter delivery service