SMB Conf-Manual

The document describes the configuration file (smb.conf) for the Samba suite. The file contains sections and parameters that configure shared resources and server-wide settings. When changes are made to the file, Samba client applications will only see the changes after restarting, while Samba server daemons can be signaled to reload the configuration using smbcontrol. The file uses a simple format with sections in brackets containing parameter names and values.

SMB.CONF(5)                 File Formats and Conventions                 SMB.CONF(5)

NAME
smb.conf - The configuration file for the Samba suite

SYNOPSIS
The smb.conf file is a configuration file for the Samba suite. smb.conf contains runtime configuration information for the Samba programs. The complete description of the file format and possible parameters held within are here for reference purposes.

HOW CONFIGURATION CHANGES ARE APPLIED
The Samba suite includes a number of different programs. Some of them operate in a client mode, others are server daemons that provide various services to their clients. The smb.conf file is processed in the following way:

• The Samba suite's client applications read their configuration only once. Any changes made after start aren't reflected in the context of already running client code.

• The Samba suite's server daemons reload their configuration when requested. However, already active connections do not change their configuration. More detailed information can be found in the smbd(8) and winbindd(8) manual pages.

To request Samba server daemons to refresh their configuration, please use the smbcontrol(1) utility.

FILE FORMAT
The file consists of sections and parameters. A section begins with the name of the section in square brackets and continues until the next section begins. Sections contain parameters of the form:

    name = value

The file is line-based - that is, each newline-terminated line represents either a comment, a section name or a parameter.

Section and parameter names are not case sensitive.

Only the first equals sign in a parameter is significant. Whitespace before or after the first equals sign is discarded. Leading, trailing and internal whitespace in section and parameter names is irrelevant. Leading and trailing whitespace in a parameter value is discarded. Internal whitespace within a parameter value is retained verbatim.

Any line beginning with a semicolon (“;”) or a hash (“#”) character is ignored, as are lines containing only whitespace.

Any line ending in a “\” is continued on the next line in the customary UNIX fashion.

The values following the equals sign in parameters are all either a string (no quotes needed) or a boolean, which may be given as yes/no, 1/0 or true/false. Case is not significant in boolean values, but is preserved in string values. Some items such as create masks are numeric.

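An added example (not code from the Samba project) that implements the parsing rules above and then uses the parsed result for one check this page recommends: flagging shares that grant guest access without read-only access. The sample configuration is constructed, and the defaults the audit assumes (read only = yes, guest ok = no) are stated in the code.

```python
"""Parser for the smb.conf file format as described in FILE FORMAT above.

Added example, not code from the Samba project. The audit helper at the
bottom applies the page's own advice that guest access should come with
read-only access; the defaults it assumes (read only = yes, guest ok = no)
are Samba's documented defaults, but are stated here as assumptions.
"""
import re

BOOL_TRUE = {"yes", "1", "true"}
BOOL_FALSE = {"no", "0", "false"}


def norm_name(name: str) -> str:
    """Section/parameter names: case-insensitive, all whitespace irrelevant."""
    return re.sub(r"\s+", "", name).lower()


def logical_lines(text: str):
    """Join physical lines that end in a backslash (UNIX-style continuation)."""
    buf = ""
    for raw in text.splitlines():
        if raw.endswith("\\"):
            buf += raw[:-1]
            continue
        yield buf + raw
        buf = ""
    if buf:
        yield buf


def parse_smb_conf(text: str) -> dict:
    """Return {section: {param: value}} with normalised names.

    Values keep their case and internal whitespace verbatim; only leading and
    trailing whitespace is removed. Raises ValueError for a parameter that
    appears before any section header or a line that is neither a comment,
    a section header nor a 'name = value' pair.
    """
    sections: dict = {}
    current = None
    for n, line in enumerate(logical_lines(text), start=1):
        s = line.strip()
        # Blank lines and lines *beginning* with ';' or '#' are ignored.
        # (A '#' later in the line is part of the value, not a comment.)
        if not s or s[0] in ";#":
            continue
        if s[0] == "[" and s[-1] == "]":
            current = norm_name(s[1:-1])
            sections.setdefault(current, {})
            continue
        if "=" not in s:
            raise ValueError(f"logical line {n}: expected 'name = value'")
        if current is None:
            raise ValueError(f"logical line {n}: parameter outside any section")
        name, value = s.split("=", 1)  # only the first '=' is significant
        sections[current][norm_name(name)] = value.strip()
    return sections


def as_bool(value: str) -> bool:
    """Booleans may be yes/no, 1/0 or true/false, case-insensitively."""
    v = value.strip().lower()
    if v in BOOL_TRUE:
        return True
    if v in BOOL_FALSE:
        return False
    raise ValueError(f"not a boolean value: {value!r}")


def effective(sections: dict, share: str, param: str, default: str) -> str:
    """Resolve an S parameter: share value, else [global] value, else default."""
    key = norm_name(param)
    return sections[share].get(key, sections.get("global", {}).get(key, default))


def guest_writable_shares(sections: dict) -> list:
    """Shares reachable without a password that are not read-only."""
    hits = []
    for name in sections:
        if name == "global":
            continue
        guest = as_bool(effective(sections, name, "guest ok", "no"))        # assumed default
        read_only = as_bool(effective(sections, name, "read only", "yes"))  # assumed default
        if guest and not read_only:
            hits.append(name)
    return hits


# Constructed sample input modelled on the sections shown on this page.
SAMPLE = """\
# constructed sample smb.conf
[global]
   workgroup = MAIN
   Read Only = yes
[foo]
path = /home/bar
read only = no
; printable, guest-readable share from the page
[aprinter]
path = /usr/spool/public
read only = yes
printable = yes
guest ok = yes
[Public]
path = /srv/pub
comment = drop box for \\
everyone = here
guest ok = 1
read only = FALSE
"""

if __name__ == "__main__":
    cfg = parse_smb_conf(SAMPLE)
    print(cfg)
    print("guest-writable:", guest_writable_shares(cfg))
```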
SECTION DESCRIPTIONS
Each section in the configuration file (except for the [global] section) describes a shared resource (known as a “share”). The section name is the name of the shared resource and the parameters within the section define the share's attributes.

There are three special sections, [global], [homes] and [printers], which are described under SPECIAL SECTIONS. The following notes apply to ordinary section descriptions.

A share consists of a directory to which access is being given plus a description of the access rights which are granted to the user of the service. Some housekeeping options are also specifiable.

Sections are either file share services (used by the client as an extension of their native file systems) or printable services (used by the client to access print services on the host running the server).

Sections may be designated guest services, in which case no password is required to access them. A specified UNIX guest account is used to define access privileges in this case.

Sections other than guest services will require a password to access them. The client provides the username. As older clients only provide passwords and not usernames, you may specify a list of usernames to check against the password using the user = option in the share definition. For modern clients such as Windows 95/98/ME/NT/2000, this should not be necessary.

The access rights granted by the server are masked by the access rights granted to the specified or guest UNIX user by the host system. The server does not grant more access than the host system grants.

The following sample section defines a file space share. The user has write access to the path /home/bar. The share is accessed via the share name foo:

    [foo]
    path = /home/bar
    read only = no

The following sample section defines a printable share. The share is read-only, but printable. That is, the only write access permitted is via calls to open, write to and close a spool file. The guest ok parameter means access will be permitted as the default guest user (specified elsewhere):

    [aprinter]
    path = /usr/spool/public
    read only = yes
    printable = yes
    guest ok = yes

SPECIAL SECTIONS
The [global] section
Parameters in this section apply to the server as a whole, or are defaults for sections that do not specifically define certain items. See the notes under PARAMETERS for more information.

The [homes] section
If a section called [homes] is included in the configuration file, services connecting clients to their home directories can be created on the fly by the server.

When the connection request is made, the existing sections are scanned. If a match is found, it is used. If no match is found, the requested section name is treated as a username and looked up in the local password file. If the name exists and the correct password has been given, a share is created by cloning the [homes] section.

Some modifications are then made to the newly created share:

• The share name is changed from homes to the located username.

• If no path was given, the path is set to the user's home directory.

If you decide to use a path = line in your [homes] section, it may be useful to use the %S macro. For example:

    path = /data/pchome/%S

is useful if you have different home directories for your PCs than for UNIX access.

This is a fast and simple way to give a large number of clients access to their home directories with a minimum of fuss.

A similar process occurs if the requested section name is “homes”, except that the share name is not changed to that of the requesting user. This method of using the [homes] section works well if different users share a client PC.

The [homes] section can specify all the parameters a normal service section can specify, though some make more sense than others. The following is a typical and suitable [homes] section:

    [homes]
    read only = no

An important point is that if guest access is specified in the [homes] section, all home directories will be visible to all clients without a password. In the very unlikely event that this is actually desirable, it is wise to also specify read only access.

The browseable flag for auto home directories will be inherited from the global browseable flag, not the [homes] browseable flag. This is useful as it means setting browseable = no in the [homes] section will hide the [homes] share but make any auto home directories visible.

The [printers] section
This section works like [homes], but for printers.

If a [printers] section occurs in the configuration file, users are able to connect to any printer specified in the local host's printcap file.

When a connection request is made, the existing sections are scanned. If a match is found, it is used. If no match is found, but a [homes] section exists, it is used as described above. Otherwise, the requested section name is treated as a printer name and the appropriate printcap file is scanned to see if the requested section name is a valid printer share name. If a match is found, a new printer share is created by cloning the [printers] section.

A few modifications are then made to the newly created share:

• The share name is set to the located printer name

• If no printer name was given, the printer name is set to the located printer name

• If the share does not permit guest access and no username was given, the username is set to the located printer name.

The [printers] service MUST be printable - if you specify otherwise, the server will refuse to load the configuration file.

Typically the path specified is that of a world-writeable spool directory with the sticky bit set on it. A typical [printers] entry looks like this:

    [printers]
    path = /usr/spool/public
    guest ok = yes
    printable = yes

All aliases given for a printer in the printcap file are legitimate printer names as far as the server is concerned. If your printing subsystem doesn't work like that, you will have to set up a pseudo-printcap. This is a file consisting of one or more lines like this:

    alias|alias|alias|alias...

Each alias should be an acceptable printer name for your printing subsystem. In the [global] section, specify the new file as your printcap. The server will only recognize names found in your pseudo-printcap, which of course can contain whatever aliases you like. The same technique could be used simply to limit access to a subset of your local printers.

An alias, by the way, is defined as any component of the first entry of a printcap record. Records are separated by newlines, components (if there are more than one) are separated by vertical bar symbols (|).

Note
On SYSV systems which use lpstat to determine what printers are defined on the system you may be able to use printcap name = lpstat to automatically obtain a list of printers. See the printcap name option for more details.

USERSHARES
Starting with Samba version 3.0.23 the capability for non-root users to add, modify, and delete their own share definitions has been added. This capability is called usershares and is controlled by a set of parameters in the [global] section of the smb.conf. The relevant parameters are:

usershare allow guests
    Controls if usershares can permit guest access.

usershare max shares
    Maximum number of user defined shares allowed.

usershare owner only
    If set only directories owned by the sharing user can be shared.

usershare path
    Points to the directory containing the user defined share definitions. The filesystem permissions on this directory control who can create user defined shares.

usershare prefix allow list
    Comma-separated list of absolute pathnames restricting what directories can be shared. Only directories below the pathnames in this list are permitted.

usershare prefix deny list
    Comma-separated list of absolute pathnames restricting what directories can be shared. Directories below the pathnames in this list are prohibited.

usershare template share
    Names a pre-existing share used as a template for creating new usershares. All other share parameters not specified in the user defined share definition are copied from this named share.

To allow members of the UNIX group foo to create user defined shares, create the directory to contain the share definitions as follows:

Become root:

    mkdir /usr/local/samba/lib/usershares
    chgrp foo /usr/local/samba/lib/usershares
    chmod 1770 /usr/local/samba/lib/usershares

Then add the parameters

    usershare path = /usr/local/samba/lib/usershares
    usershare max shares = 10 # (or the desired number of shares)

to the global section of your smb.conf. Members of the group foo may then manipulate the user defined shares using the following commands.

net usershare add sharename path [comment] [acl] [guest_ok=[y|n]]
    To create or modify (overwrite) a user defined share.

net usershare delete sharename
    To delete a user defined share.

net usershare list wildcard-sharename
    To list user defined shares.

net usershare info wildcard-sharename
    To print information about user defined shares.

PARAMETERS
Parameters define the specific attributes of sections.

Some parameters are specific to the [global] section (e.g., security). Some parameters are usable in all sections (e.g., create mask). All others are permissible only in normal sections. For the purposes of the following descriptions the [homes] and [printers] sections will be considered normal. The letter G in parentheses indicates that a parameter is specific to the [global] section. The letter S indicates that a parameter can be specified in a service specific section. All S parameters can also be specified in the [global] section - in which case they will define the default behavior for all services.

Parameters are arranged here in alphabetical order - this may not create best bedfellows, but at least you can find them! Where there are synonyms, the preferred synonym is described, others refer to the preferred synonym.

VARIABLE SUBSTITUTIONS
Many of the strings that are settable in the config file can take substitutions. For example the option “path = /tmp/%u” is interpreted as “path = /tmp/john” if the user connected with the username john.

These substitutions are mostly noted in the descriptions below, but there are some general substitutions which apply whenever they might be relevant. These are:

%U
    session username (the username that the client wanted, not necessarily the same as the one they got).

%G
    primary group name of %U.

%h
    the Internet hostname that Samba is running on.

%m
    the NetBIOS name of the client machine (very useful).

    This parameter is not available when Samba listens on port 445, as clients no longer send this information. If you use this macro in an include statement on a domain that has a Samba domain controller be sure to set in the [global] section smb ports = 139. This will cause Samba to not listen on port 445 and will permit include functionality to function as it did with Samba 2.x.

%L
    the NetBIOS name of the server. This allows you to change your config based on what the client calls you. Your server can have a “dual personality”.

%M
    the Internet name of the client machine.

%R
    the selected protocol level after protocol negotiation. It can be one of CORE, COREPLUS, LANMAN1, LANMAN2, NT1, SMB2_02, SMB2_10, SMB2_22, SMB2_24, SMB3_00, SMB3_02, SMB3_10, SMB3_11 or SMB2_FF.

%d
    the process id of the current server process.

%a
    The architecture of the remote machine. It currently recognizes Samba (Samba), the Linux CIFS file system (CIFSFS), OS/2 (OS2), Mac OS X (OSX), Windows for Workgroups (WfWg), Windows 9x/ME (Win95), Windows NT (WinNT), Windows 2000 (Win2K), Windows XP (WinXP), Windows XP 64-bit (WinXP64), Windows 2003 including 2003R2 (Win2K3), and Windows Vista (Vista). Anything else will be known as UNKNOWN.

%I
    the IP address of the client machine.

    Before 4.0.0 it could contain IPv4 mapped IPv6 addresses, now it only contains IPv4 or IPv6 addresses.

%J
    the IP address of the client machine, colons/dots replaced by underscores.

%i
    the local IP address to which a client connected.

    Before 4.0.0 it could contain IPv4 mapped IPv6 addresses, now it only contains IPv4 or IPv6 addresses.

%j
    the local IP address to which a client connected, colons/dots replaced by underscores.

%T
    the current date and time.

%t
    the current date and time in a minimal format without colons (YYYYmmdd_HHMMSS).

%D
    name of the domain or workgroup of the current user.

%w
    the winbind separator.

%$(envvar)
    the value of the environment variable envvar.

The following substitutes apply only to some configuration options (only those that are used when a connection has been established):

%S
    the name of the current service, if any.

%P
    the root directory of the current service, if any.

%u
    username of the current service, if any.

%g
    primary group name of %u.

%H
    the home directory of the user given by %u.

%N
    the name of your NIS home directory server. This is obtained from your NIS auto.map entry. If you have not compiled Samba with the --with-automount option, this value will be the same as %L.

%p
    the path of the service's home directory, obtained from your NIS auto.map entry. The NIS auto.map entry is split up as %N:%p.

There are some quite creative things that can be done with these substitutions and other smb.conf options.

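An added example (not Samba's own substitution code) that expands the macros listed above from a per-connection context dict; the %T output format and the treatment of macros with no available value are assumptions, noted in the code.

```python
"""Expansion of the smb.conf %-macros listed above.

Added example, not Samba's own substitution code. The caller supplies the
per-connection values in a dict keyed by macro letter; %J/%j, %T/%t and
%$(envvar) are derived here. Two assumptions are made that the page does
not state: the %T format (written here as YYYY/mm/dd HH:MM:SS) and that a
macro with no value available is left unexpanded.
"""
import os
import re
from datetime import datetime

# Either %$(NAME) or a single macro character after '%'.
MACRO_RE = re.compile(r"%(?:\$\((?P<env>[^)]*)\)|(?P<key>.))")

# Fixed timestamp used by the demonstration so its output is reproducible.
SAMPLE_TIME = datetime(2024, 1, 2, 3, 4, 5)


def substitute(template: str, ctx: dict, env=None, now=None) -> str:
    """Expand %-macros in `template` using connection context `ctx`.

    ctx keys are the macro letters from the list above (U, G, h, m, L, M,
    R, d, a, I, i, D, w, S, P, u, g, H, N, p). env defaults to os.environ.
    Note for anyone building paths or include statements from these: %U,
    %m, %M, %a and %I are reported by or derived from the client, so the
    expanded value is client-influenced input.
    """
    env = os.environ if env is None else env
    now = datetime.now() if now is None else now
    derived = {
        "T": now.strftime("%Y/%m/%d %H:%M:%S"),  # format assumed, see above
        "t": now.strftime("%Y%m%d_%H%M%S"),      # YYYYmmdd_HHMMSS as documented
    }
    # %J and %j are %I and %i with colons/dots replaced by underscores.
    if "I" in ctx:
        derived["J"] = re.sub(r"[:.]", "_", ctx["I"])
    if "i" in ctx:
        derived["j"] = re.sub(r"[:.]", "_", ctx["i"])

    def repl(m):
        if m.group("env") is not None:        # %$(envvar)
            return env.get(m.group("env"), "")
        key = m.group("key")
        if key in derived:
            return derived[key]
        if key in ctx:
            return ctx[key]
        return m.group(0)                     # assumption: unknown macro left as-is

    return MACRO_RE.sub(repl, template)


if __name__ == "__main__":
    # Constructed connection context: user john on PC01 talking to FILESRV.
    demo = {"U": "john", "u": "john", "G": "staff", "L": "FILESRV",
            "m": "PC01", "I": "fe80::1", "i": "192.168.1.10", "S": "john"}
    for tmpl in ("/tmp/%u", "/data/pchome/%S", "/var/log/samba/log.%m", "%J"):
        print(tmpl, "->", substitute(tmpl, demo, now=SAMPLE_TIME))
```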
NAME MANGLING
Samba supports name mangling so that DOS and Windows clients can use files that don't conform to the 8.3 format. It can also be set to adjust the case of 8.3 format filenames.

There are several options that control the way mangling is performed, and they are grouped here rather than listed separately. For the defaults look at the output of the testparm program.

These options can be set separately for each service.

The options are:

case sensitive = yes/no/auto
    controls whether filenames are case sensitive. If they aren't, Samba must do a filename search and match on passed names. The default setting of auto allows clients that support case sensitive filenames (Linux CIFSVFS and smbclient 3.0.5 and above currently) to tell the Samba server on a per-packet basis that they wish to access the file system in a case-sensitive manner (to support UNIX case sensitive semantics). No Windows or DOS system supports case-sensitive filenames, so setting this option to auto is the same as setting it to no for them. Default auto.

default case = upper/lower
    controls what the default case is for new filenames (ie. files that don't currently exist in the filesystem). Default lower. IMPORTANT NOTE: As part of the optimizations for directories containing large numbers of files, the following special case applies. If the options case sensitive = yes, preserve case = No, and short preserve case = No are set, then the case of all incoming client filenames, not just new filenames, will be modified. See additional notes below.

preserve case = yes/no
    controls whether new files (ie. files that don't currently exist in the filesystem) are created with the case that the client passes, or if they are forced to be the default case. Default yes.

short preserve case = yes/no
    controls if new files (ie. files that don't currently exist in the filesystem) which conform to 8.3 syntax, that is all in upper case and of suitable length, are created upper case, or if they are forced to be the default case. This option can be used with preserve case = yes to permit long filenames to retain their case, while short names are lowercased. Default yes.

By default, Samba 3.0 has the same semantics as a Windows NT server, in that it is case insensitive but case preserving. As a special case for directories with large numbers of files, if the case options are set as follows, "case sensitive = yes", "case preserve = no", "short preserve case = no" then the "default case" option will be applied and will modify all filenames sent from the client when accessing this share.

REGISTRY-BASED CONFIGURATION
Starting with Samba version 3.2.0, the capability to store Samba configuration in the registry is available. The configuration is stored in the registry key HKLM\Software\Samba\smbconf. There are two levels of registry configuration:

1. Share definitions stored in registry are used. This is triggered by setting the global parameter registry shares to “yes” in smb.conf.

   The registry shares are loaded not at startup but on demand at runtime by smbd. Shares defined in smb.conf take priority over shares of the same name defined in registry.

2. Global smb.conf options stored in registry are used. This can be activated in two different ways:

   Firstly, a registry only configuration is triggered by setting config backend = registry in the [global] section of smb.conf. This resets everything that has been read from config files to this point and reads the content of the global configuration section from the registry. This is the recommended method of using registry based configuration.

   Secondly, a mixed configuration can be activated by a special new meaning of the parameter include = registry in the [global] section of smb.conf. This reads the global options from registry with the same priorities as for an include of a text file. This may be especially useful in cases where an initial configuration is needed to access the registry.

   Activation of global registry options automatically activates registry shares. So in the registry only case, shares are loaded on demand only.

Note: To make registry-based configurations foolproof at least to a certain extent, the use of lock directory and config backend inside the registry configuration has been disabled: Especially by changing the lock directory inside the registry configuration, one would create a broken setup where the daemons do not see the configuration they loaded once it is active.

The registry configuration can be accessed with tools like regedit or net (rpc) registry in the key HKLM\Software\Samba\smbconf. More conveniently, the conf subcommand of the net(8) utility offers a dedicated interface to read and write the registry based configuration locally, i.e. directly accessing the database file, circumventing the server.

IDENTITY MAPPING CONSIDERATIONS
In the SMB protocol, users, groups, and machines are represented by their security identifiers (SIDs). On POSIX systems Samba processes need to run under corresponding POSIX user identities and with supplemental POSIX groups to allow access to the files owned by those users and groups. The process of mapping SIDs to POSIX users and groups is called IDENTITY MAPPING or, in short, ID MAPPING.

Samba supports multiple ways to map SIDs to POSIX users and groups. The configuration is driven by the idmap config DOMAIN : OPTION option which allows one to specify identity mapping (idmap) options for each domain separately.

Identity mapping modules implement different strategies for mapping of SIDs to POSIX user and group identities. They are applicable to different use cases and scenarios. It is advised to read the documentation of the individual identity mapping modules before choosing a specific scenario to use. Each identity management module is documented in a separate manual page. The standard idmap backends are tdb (idmap_tdb(8)), tdb2 (idmap_tdb2(8)), ldap (idmap_ldap(8)), rid (idmap_rid(8)), hash (idmap_hash(8)), autorid (idmap_autorid(8)), ad (idmap_ad(8)), nss (idmap_nss(8)), and rfc2307 (idmap_rfc2307(8)).

Overall, ID mapping configuration should be decided carefully. Changes to the already deployed ID mapping configuration may create the risk of losing access to the data or disclosing the data to the wrong parties.

This example shows how to configure two domains with idmap_rid(8), the principal domain and a trusted domain, leaving the default id mapping scheme at tdb.

    [global]
    security = domain
    workgroup = MAIN

    idmap config * : backend = tdb
    idmap config * : range = 1000000-1999999

    idmap config MAIN : backend = rid
    idmap config MAIN : range = 5000000-5999999

    idmap config TRUSTED : backend = rid
    idmap config TRUSTED : range = 6000000-6999999

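An added example (not part of Samba) that checks the [global] example above, and a constructed misconfiguration of it, for the range mistakes behind the warning in this section: a domain with a backend but no range, a missing default mapping, and two domains whose ranges overlap so that SIDs from different domains could receive the same POSIX id. The parameters are passed in as a {name: value} dict rather than parsed from a file.

```python
"""Consistency check for 'idmap config DOMAIN : range' settings.

Added example, not part of the Samba project. It takes the [global]
parameters as a {name: value} dict (as written in smb.conf) and reports
configurations that the passage above warns can lose access to data or
disclose it to the wrong parties: missing ranges and overlapping ranges.
"""
import re

RANGE_RE = re.compile(r"^idmap\s*config\s*(\S+)\s*:\s*range$", re.IGNORECASE)
BACKEND_RE = re.compile(r"^idmap\s*config\s*(\S+)\s*:\s*backend$", re.IGNORECASE)


def parse_idmap(global_params: dict) -> dict:
    """Return {DOMAIN: {"backend": str, "range": (low, high)}} (keys optional)."""
    domains: dict = {}
    for name, value in global_params.items():
        key = name.strip()
        m = BACKEND_RE.match(key)
        if m:
            domains.setdefault(m.group(1).upper(), {})["backend"] = value.strip()
            continue
        m = RANGE_RE.match(key)
        if not m:
            continue
        low_s, sep, high_s = value.strip().partition("-")
        if not sep or not low_s.strip().isdigit() or not high_s.strip().isdigit():
            raise ValueError(f"{key}: range must be LOW-HIGH, got {value!r}")
        low, high = int(low_s), int(high_s)
        if low > high:
            raise ValueError(f"{key}: low end {low} exceeds high end {high}")
        domains.setdefault(m.group(1).upper(), {})["range"] = (low, high)
    return domains


def check_idmap(domains: dict) -> list:
    """Return a list of problem descriptions (empty means nothing was found)."""
    problems = []
    if "*" not in domains:
        problems.append("no 'idmap config * : ...' default mapping defined")
    for dom, cfg in domains.items():
        if "range" not in cfg:
            problems.append(f"{dom}: backend set but no range")
        if "backend" not in cfg:
            problems.append(f"{dom}: range set but no backend")
    ranged = sorted((d, c["range"]) for d, c in domains.items() if "range" in c)
    for i, (a, (al, ah)) in enumerate(ranged):
        for b, (bl, bh) in ranged[i + 1:]:
            if al <= bh and bl <= ah:  # closed intervals intersect
                problems.append(f"{a} {al}-{ah} overlaps {b} {bl}-{bh}")
    return problems


# The page's own example, as the {name: value} dict a parser would produce.
PAGE_EXAMPLE = {
    "security": "domain",
    "workgroup": "MAIN",
    "idmap config * : backend": "tdb",
    "idmap config * : range": "1000000-1999999",
    "idmap config MAIN : backend": "rid",
    "idmap config MAIN : range": "5000000-5999999",
    "idmap config TRUSTED : backend": "rid",
    "idmap config TRUSTED : range": "6000000-6999999",
}
# Constructed misconfiguration: TRUSTED's range now collides with MAIN's.
BAD_EXAMPLE = dict(PAGE_EXAMPLE, **{"idmap config TRUSTED : range": "5500000-6499999"})

if __name__ == "__main__":
    for label, params in (("page example", PAGE_EXAMPLE), ("bad example", BAD_EXAMPLE)):
        print(label, "->", check_idmap(parse_idmap(params)) or "ok")
```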
EXPLANATION OF EACH PARAMETER
abort shutdown script (G)

    This is a full path name to a script called by smbd(8) that should stop a shutdown procedure issued by the shutdown script.

    If the connected user possesses the SeRemoteShutdownPrivilege right, this command will be run as root.

    Default: abort shutdown script = ""

    Example: abort shutdown script = /sbin/shutdown -c

access based share enum (S)

    If this parameter is yes for a service, then the share hosted by the service will only be visible to users who have read or write access to the share during share enumeration (for example net view \\sambaserver). The share ACLs which allow or deny the access to the share can be modified using for example the sharesec command or using the appropriate Windows tools. This has parallels to access based enumeration, the main difference being that only share permissions are evaluated, and security descriptors on files contained on the share are not used in computing enumeration access rights.

    Default: access based share enum = no

acl allow execute always (S)

    This boolean parameter controls the behaviour of smbd(8) when receiving a protocol request of "open for execution" from a Windows client. With Samba 3.6 and older, the execution right in the ACL was not checked, so a client could execute a file even if it did not have execute rights on the file. In Samba 4.0, this has been fixed, so that by default, i.e. when this parameter is set to "False", "open for execution" is now denied when execution permissions are not present.

    If this parameter is set to "True", Samba does not check execute permissions on "open for execution", thus re-establishing the behaviour of Samba 3.6. This can be useful to smoothen upgrades from older Samba versions to 4.0 and newer. This setting is not meant to be used as a permanent setting, but as a temporary relief: It is recommended to fix the permissions in the ACLs and reset this parameter to the default after a certain transition period.

    Default: acl allow execute always = no

acl check permissions (S)

    Please note this parameter is now deprecated in Samba 3.6.2 and will be removed in a future version of Samba.

    This boolean parameter controls what smbd(8) does on receiving a protocol request of "open for delete" from a Windows client. If a Windows client doesn't have permissions to delete a file then they expect this to be denied at open time. POSIX systems normally only detect restrictions on delete by actually attempting to delete the file or directory. As Windows clients can (and do) "back out" a delete request by unsetting the "delete on close" bit Samba cannot delete the file immediately on "open for delete" request as we cannot restore such a deleted file. With this parameter set to true (the default) then smbd checks the file system permissions directly on "open for delete" and denies the request without actually deleting the file if the file system permissions would seem to deny it. This is not perfect, as it's possible a user could have deleted a file without Samba being able to check the permissions correctly, but it is close enough to Windows semantics for mostly correct behaviour. Samba will correctly check POSIX ACL semantics in this case.

    If this parameter is set to "false" Samba doesn't check permissions on "open for delete" and allows the open. If the user doesn't have permission to delete the file this will only be discovered at close time, which is too late for the Windows user tools to display an error message to the user. The symptom of this is files that appear to have been deleted "magically" re-appearing on a Windows explorer refresh. This is an extremely advanced protocol option which should not need to be changed. This parameter was introduced in its final form in 3.0.21, an earlier version with slightly different semantics was introduced in 3.0.20. That older version is not documented here.

    Default: acl check permissions = yes

acl group control (S)

    In a POSIX filesystem, only the owner of a file or directory and the superuser can modify the permissions and ACLs on a file. If this parameter is set, then Samba overrides this restriction, and also allows the primary group owner of a file or directory to modify the permissions and ACLs on that file.

    On a Windows server, groups may be the owner of a file or directory - thus allowing anyone in that group to modify the permissions on it. This allows the delegation of security controls on a point in the filesystem to the group owner of a directory and anything below it also owned by that group. This means there are multiple people with permissions to modify ACLs on a file or directory, easing manageability.

    This parameter allows Samba to also permit delegation of the control over a point in the exported directory hierarchy in much the same way as Windows. This allows all members of a UNIX group to control the permissions on a file or directory they have group ownership on.

    This parameter is best used with the inherit owner option and also on a share containing directories with the UNIX setgid bit set on them, which causes new files and directories created within it to inherit the group ownership from the containing directory.

    This parameter was deprecated in Samba 3.0.23, but re-activated in Samba 3.0.31 and above, as it now only controls permission changes if the user is in the owning primary group. It is now no longer equivalent to the dos filemode option.

    Default: acl group control = no

acl map full control (S)

    This boolean parameter controls whether smbd(8) maps a POSIX ACE entry of "rwx" (read/write/execute), the maximum allowed POSIX permission set, into a Windows ACL of "FULL CONTROL". If this parameter is set to true any POSIX ACE entry of "rwx" will be returned in a Windows ACL as "FULL CONTROL"; if this parameter is set to false any POSIX ACE entry of "rwx" will be returned as the specific Windows ACL bits representing read, write and execute.

    Default: acl map full control = yes

531 add group script (G)
532
533 This is the full pathname to a script that will be run AS ROOT by smbd(8)
when a new group is requested. It will expand any %g to the
534 group name passed. This script is only useful for installations using the
Windows NT domain administration tools. The script is free
535 to create a group with an arbitrary name to circumvent unix group name
restrictions. In that case the script must print the numeric
536 gid of the created group on stdout.
537
538 Default: add group script =
539
540 Example: add group script = /usr/sbin/groupadd %g
541
542 additional dns hostnames (G)
543
544 A list of additional DNS names by which this host can be identified
545
546 Default: additional dns hostnames = # empty string (no additional dns
names)
547
548 Example: additional dns hostnames = host2.example.com host3.other.com
549
550 add machine script (G)
551
552 This is the full pathname to a script that will be run by smbd(8) when a
machine is added to Samba's domain and a Unix account
553 matching the machine's name appended with a "$" does not already exist.
554
555 This option is very similar to the add user script, and likewise uses the
%u substitution for the account name. Do not use the %m
556 substitution.
557
558 Default: add machine script =
559
560 Example: add machine script = /usr/sbin/adduser -n -g machines -c Machine
-d /var/lib/nobody -s /bin/false %u
561
562 addport command (G)
563
564 Samba 3.0.23 introduced support for adding printer ports remotely using
the Windows "Add Standard TCP/IP Port Wizard". This option
565 defines an external program to be executed when smbd receives a request
to add a new Port to the system. The script is passed two
566 parameters:
567
568 • port name
569
570 • device URI
571
572 The deviceURI is in the format of socket://<hostname>[:<portnumber>] or
lpd://<hostname>/<queuename>.
573
574 Default: addport command =
575
576 Example: addport command = /etc/samba/scripts/addport.sh
577
578 addprinter command (G)
579
With the introduction of MS-RPC based printing support for Windows NT/2000 clients in Samba 2.2, the MS Add Printer Wizard (APW) icon
is now also available in the "Printers..." folder displayed in a share listing. The APW allows printers to be added remotely to a Samba
or Windows NT/2000 print server.
583
584 For a Samba host this means that the printer must be physically added to
the underlying printing system. The addprinter command
585 defines a script to be run which will perform the necessary operations
for adding the printer to the print system and to add the
586 appropriate service definition to the smb.conf file in order that it can
be shared by smbd(8).
587
The addprinter command is automatically invoked with the following parameters (in order):
589
590 • printer name
591
592 • share name
593
594 • port name
595
596 • driver name
597
598 • location
599
600 • Windows 9x driver location
601
602 All parameters are filled in from the PRINTER_INFO_2 structure sent by
the Windows NT/2000 client with one exception. The "Windows 9x
603 driver location" parameter is included for backwards compatibility only.
The remaining fields in the structure are generated from
604 answers to the APW questions.
605
606 Once the addprinter command has been executed, smbd will reparse the
smb.conf to determine if the share defined by the APW exists. If
607 the sharename is still invalid, then smbd will return an ACCESS_DENIED
error to the client.
608
609 The addprinter command program can output a single line of text, which
Samba will set as the port the new printer is connected to. If
610 this line isn't output, Samba won't reload its printer shares.
611
612 Default: addprinter command =
613
614 Example: addprinter command = /usr/bin/addprinter
615
616 add share command (G)
617
618 Samba 2.2.0 introduced the ability to dynamically add and delete shares
via the Windows NT 4.0 Server Manager. The add share command
619 is used to define an external program or script which will add a new
service definition to smb.conf.
620
621 In order to successfully execute the add share command, smbd requires
that the administrator connects using a root account (i.e. uid
622 == 0) or has the SeDiskOperatorPrivilege. Scripts defined in the add
share command parameter are executed as root.
623
624 When executed, smbd will automatically invoke the add share command with
five parameters.
625
626 • configFile - the location of the global smb.conf file.
627
628 • shareName - the name of the new share.
629
630 • pathName - path to an **existing** directory on disk.
631
632 • comment - comment string to associate with the new share.
633
634 • max connections Number of maximum simultaneous connections to
this share.
635
636 This parameter is only used to add file shares. To add printer shares,
see the addprinter command.
637
638 Default: add share command =
639
640 Example: add share command = /usr/local/bin/addshare
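
The following is an added example of such a script (illustration code, not Samba's own). Because smbd runs it as root and every one of
the five arguments originates from the remote Server Manager user, it treats them all as untrusted: it refuses share names and comments
that could inject extra parameters or a new section into the root-owned smb.conf, verifies that the path really is an existing
directory, and refuses to define a share twice. The allowed share-name character set and length limit are this example's own policy,
not values taken from Samba.

```python
"""Added example of an 'add share command' script (illustration, not part of
Samba).  smbd runs it AS ROOT with five arguments, all supplied by the remote
Server Manager user: configFile shareName pathName comment maxConnections.
The share-name character set and length limit below are this example's own
policy, not values taken from Samba."""
import os
import re
import sys

# Assumption: conservative character set; spaces are legal in SMB share
# names but are deliberately refused here.
SHARE_NAME_RE = re.compile(r"^[A-Za-z0-9_.$-]{1,80}$")
RESERVED_SECTIONS = {"global", "homes", "printers"}


class ShareError(ValueError):
    """Raised for any argument that must not reach smb.conf."""


def render_stanza(share_name, path_name, comment, max_connections):
    """Validate the share arguments and return the stanza text."""
    if not SHARE_NAME_RE.match(share_name):
        raise ShareError("share name contains characters outside the allowed set")
    if share_name.lower() in RESERVED_SECTIONS:
        raise ShareError(f"'{share_name}' is a reserved section name")
    # A newline or bracket inside a value would let the caller smuggle extra
    # parameters (e.g. 'admin users = ...') or a whole new [section] into the
    # root-owned smb.conf, so refuse them outright.
    if any(ch in comment for ch in "\r\n[]"):
        raise ShareError("comment contains newline or bracket characters")
    try:
        max_conn = int(max_connections)
    except ValueError:
        raise ShareError("max connections is not an integer") from None
    if max_conn < 0:
        raise ShareError("max connections must not be negative")
    # Verify the 'existing directory' promise instead of trusting it.
    if not os.path.isabs(path_name) or not os.path.isdir(path_name):
        raise ShareError("path must be an existing absolute directory")
    lines = [f"[{share_name}]",
             f"\tpath = {os.path.realpath(path_name)}",
             f"\tcomment = {comment}",
             f"\tmax connections = {max_conn}"]
    return "\n".join(lines) + "\n"


def section_exists(config_text, share_name):
    """Section names in smb.conf are case-insensitive."""
    pattern = re.compile(r"^\s*\[\s*" + re.escape(share_name) + r"\s*\]\s*$",
                         re.IGNORECASE | re.MULTILINE)
    return pattern.search(config_text) is not None


def add_share(config_file, share_name, path_name, comment, max_connections):
    """Append the validated share to config_file; returns the stanza written."""
    stanza = render_stanza(share_name, path_name, comment, max_connections)
    with open(config_file, encoding="utf-8") as fh:
        text = fh.read()
    if section_exists(text, share_name):
        raise ShareError(f"share '{share_name}' is already defined")
    with open(config_file, "a", encoding="utf-8") as fh:
        if text and not text.endswith("\n"):
            fh.write("\n")
        fh.write("\n" + stanza)
    return stanza


def demo():
    """Constructed self-check using a throw-away smb.conf and directory."""
    import tempfile
    work = tempfile.mkdtemp(prefix="addshare-")
    config = os.path.join(work, "smb.conf")
    share_dir = os.path.join(work, "projects")
    os.mkdir(share_dir)
    with open(config, "w", encoding="utf-8") as fh:
        fh.write("[global]\n\tworkgroup = EXAMPLE\n")
    stanza = add_share(config, "projects", share_dir, "Team files", "10")
    try:
        add_share(config, "PROJECTS", share_dir, "again", "5")
        duplicate_rejected = False
    except ShareError:
        duplicate_rejected = True
    with open(config, encoding="utf-8") as fh:
        return {"stanza": stanza, "config": fh.read(),
                "duplicate_rejected": duplicate_rejected}


def main(argv):
    if len(argv) != 6:
        print("usage: addshare configFile shareName pathName comment maxConnections",
              file=sys.stderr)
        return 2
    try:
        add_share(*argv[1:])
    except (ShareError, OSError) as exc:
        print(f"addshare: {exc}", file=sys.stderr)   # nothing was appended
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Installed as add share command = /usr/local/bin/addshare, the script exits non-zero and leaves smb.conf untouched on any rejected
argument. The same validation applies to a change share command script, which receives the additional CSC policy argument.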
641
642 add user script (G)
643
644 This is the full pathname to a script that will be run AS ROOT by smbd(8)
under special circumstances described below.
645
646 Normally, a Samba server requires that UNIX users are created for all
users accessing files on this server. For sites that use Windows
647 NT account databases as their primary user database creating these users
and keeping the user list in sync with the Windows NT PDC is
648 an onerous task. This option allows smbd to create the required UNIX
users ON DEMAND when a user accesses the Samba server.
649
650 When the Windows user attempts to access the Samba server, at login
(session setup in the SMB protocol) time, smbd(8) contacts the
651 password server and attempts to authenticate the given user with the
given password. If the authentication succeeds then smbd attempts
652 to find a UNIX user in the UNIX password database to map the Windows user
into. If this lookup fails, and add user script is set then
653 smbd will call the specified script AS ROOT, expanding any %u argument to
be the user name to create.
654
655 If this script successfully creates the user then smbd will continue on
as though the UNIX user already existed. In this way, UNIX
656 users are dynamically created to match existing Windows NT accounts.
657
658 See also security, password server, delete user script.
659
660 Default: add user script =
661
662 Example: add user script = /usr/local/samba/bin/add_user %u
663
664 add user to group script (G)
665
666 Full path to the script that will be called when a user is added to a
group using the Windows NT domain administration tools. It will
667 be run by smbd(8) AS ROOT. Any %g will be replaced with the group name
and any %u will be replaced with the user name.
668
Note that the adduser command used in the example below does not support the syntax used here on all systems.
670
671 Default: add user to group script =
672
673 Example: add user to group script = /usr/sbin/adduser %u %g
674
675 administrative share (S)
676
677 If this parameter is set to yes for a share, then the share will be an
administrative share. The Administrative Shares are the default
678 network shares created by all Windows NT-based operating systems. These
are shares like C$, D$ or ADMIN$. The type of these shares is
679 STYPE_DISKTREE_HIDDEN.
680
681 See the section below on security for more information about this option.
682
683 Default: administrative share = no
684
685 admin users (S)
686
687 This is a list of users who will be granted administrative privileges on
the share. This means that they will do all file operations
688 as the super-user (root).
689
690 You should use this option very carefully, as any user in this list will
be able to do anything they like on the share, irrespective
691 of file permissions.
692
693 Default: admin users =
694
695 Example: admin users = jason
696
697 afs share (S)
698
699 This parameter controls whether special AFS features are enabled for this
share. If enabled, it assumes that the directory exported
700 via the path parameter is a local AFS import. The special AFS features
include the attempt to hand-craft an AFS token if you enabled
701 --with-fake-kaserver in configure.
702
703 Default: afs share = no
704
705 afs token lifetime (G)
706
707 This parameter controls the lifetime of tokens that the AFS fake-kaserver
claims. In reality these never expire but this lifetime
708 controls when the afs client will forget the token.
709
710 Set this parameter to 0 to get NEVERDATE.
711
712 Default: afs token lifetime = 604800
713
714 afs username map (G)
715
If you are using the fake kaserver AFS feature, you might want to hand-craft the usernames you are creating tokens for. For example,
this is necessary if you have users from several domains in your AFS Protection Database. One possible scheme is to encode users as
DOMAIN+User, as winbind does, with the + as a separator.

The mapped user name must contain the cell name to log into, so without setting this parameter there will be no token.
721
722 Default: afs username map =
723
724 Example: afs username map = %u@afs.samba.org
725
726 aio max threads (G)
727
728 The integer parameter specifies the maximum number of threads each smbd
process will create when doing parallel asynchronous IO calls.
729 If the number of outstanding calls is greater than this number the
requests will not be refused but go onto a queue and will be
730 scheduled in turn as outstanding requests complete.
731
732 Related command: aio read size
733
734 Related command: aio write size
735
736 Default: aio max threads = 100
737
738 aio read size (S)
739
740 If this integer parameter is set to a non-zero value, Samba will read
from files asynchronously when the request size is bigger than
741 this value. Note that it happens only for non-chained and non-chaining
reads and when not using write cache.
742
743 The only reasonable values for this parameter are 0 (no async I/O) and 1
(always do async I/O).
744
745 Related command: write cache size
746
747 Related command: aio write size
748
749 Default: aio read size = 1
750
751 Example: aio read size = 0 # Always do reads synchronously
752
753 aio write behind (S)
754
755 If Samba has been built with asynchronous I/O support, Samba will not
wait until write requests are finished before returning the
756 result to the client for files listed in this parameter. Instead, Samba
will immediately return that the write request has been
757 finished successfully, no matter if the operation will succeed or not.
This might speed up clients without aio support, but is really
758 dangerous, because data could be lost and files could be damaged.
759
760 The syntax is identical to the veto files parameter.
761
762 Default: aio write behind =
763
764 Example: aio write behind = /*.tmp/
765
766 aio write size (S)
767
If this integer parameter is set to a non-zero value, Samba will write to files asynchronously when the request size is bigger than
this value. Note that it happens only for non-chained and non-chaining writes and when not using write cache.
770
771 The only reasonable values for this parameter are 0 (no async I/O) and 1
(always do async I/O).
772
773 Compared to aio read size this parameter has a smaller effect, most
writes should end up in the file system cache. Writes that require
774 space allocation might benefit most from going asynchronous.
775
776 Related command: write cache size
777
778 Related command: aio read size
779
780 Default: aio write size = 1
781
782 Example: aio write size = 0 # Always do writes synchronously
783
784 algorithmic rid base (G)
785
This determines how Samba will use its algorithmic mapping from uids/gids to the RIDs needed to construct NT Security Identifiers.
787
788 Setting this option to a larger value could be useful to sites
transitioning from WinNT and Win2k, as existing user and group rids
789 would otherwise clash with system users etc.
790
791 All UIDs and GIDs must be able to be resolved into SIDs for the correct
operation of ACLs on the server. As such the algorithmic
792 mapping can't be 'turned off', but pushing it 'out of the way' should
resolve the issues. Users and groups can then be assigned 'low'
793 RIDs in arbitrary-rid supporting backends.
794
795 Default: algorithmic rid base = 1000
796
797 Example: algorithmic rid base = 100000
798
799 allocation roundup size (S)
800
801 This parameter allows an administrator to tune the allocation size
reported to Windows clients. This is only useful for old SMB1
802 clients because modern SMB dialects eliminated that bottleneck and have
better performance by default. Using this parameter may cause
803 difficulties for some applications, e.g. MS Visual Studio. If the MS
Visual Studio compiler starts to crash with an internal error,
set this parameter to zero for this share. Setting this parameter to a large value can also cause small files to allocate more space
on the disk than needed.
806
807 This parameter is deprecated and will be removed in one of the next Samba
releases.
808
809 The integer parameter specifies the roundup size in bytes.
810
811 Default: allocation roundup size = 0
812
813 Example: allocation roundup size = 1048576 # (to set it to the former
default of 1 MiB)
814
815 allow dcerpc auth level connect (G)
816
817 This option controls whether DCERPC services are allowed to be used with
DCERPC_AUTH_LEVEL_CONNECT, which provides authentication, but
818 no per message integrity nor privacy protection.
819
820 Some interfaces like samr, lsarpc and netlogon have a hard-coded default
of no and epmapper, mgmt and rpcecho have a hard-coded
821 default of yes.
822
823 The behavior can be overwritten per interface name (e.g. lsarpc,
netlogon, samr, srvsvc, winreg, wkssvc ...) by using 'allow dcerpc
824 auth level connect:interface = yes' as option.
825
826 This option yields precedence to the implementation specific
restrictions. E.g. the drsuapi and backupkey protocols require
827 DCERPC_AUTH_LEVEL_PRIVACY. The dnsserver protocol requires
DCERPC_AUTH_LEVEL_INTEGRITY.
828
829 Default: allow dcerpc auth level connect = no
830
831 Example: allow dcerpc auth level connect = yes
832
833 allow dns updates (G)
834
835 This option determines what kind of updates to the DNS are allowed.
836
837 DNS updates can either be disallowed completely by setting it to
disabled, enabled over secure connections only by setting it to
838 secure only or allowed in all cases by setting it to nonsecure.
839
840 Default: allow dns updates = secure only
841
842 Example: allow dns updates = disabled
843
844 allow insecure wide links (G)
845
846 In normal operation the option wide links which allows the server to
follow symlinks outside of a share path is automatically disabled
847 when unix extensions are enabled on a Samba server. This is done for
security purposes to prevent UNIX clients creating symlinks to
848 areas of the server file system that the administrator does not wish to
export.
849
850 Setting allow insecure wide links to true disables the link between these
two parameters, removing this protection and allowing a site
851 to configure the server to follow symlinks (by setting wide links to
"true") even when unix extensions is turned on.
852
853 It is not recommended to enable this option unless you fully understand
the implications of allowing the server to follow symbolic
854 links created by UNIX clients. For most normal Samba configurations this
would be considered a security hole and setting this
855 parameter is not recommended.
856
857 This option was added at the request of sites who had deliberately set
Samba up in this way and needed to continue supporting this
858 functionality without having to patch the Samba code.
859
860 Default: allow insecure wide links = no
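
As an added illustration (example code, not Samba's implementation) of what the default protection prevents, the following check
resolves a client-supplied path against the share root and refuses anything that escapes it, including symlinks that a UNIX
extensions client could create inside the share. The directory layout it builds is constructed for the demonstration.

```python
"""Added illustration of the containment check that 'wide links = no'
provides: a client-supplied path inside the share may not resolve, through
symlinks or '..', to anything outside the share root.  Example code, not
Samba's implementation."""
import os


def resolve_within_share(share_root, client_path):
    """Return the real filesystem path for client_path (relative to the share,
    with either separator) or raise PermissionError if it escapes share_root."""
    root = os.path.realpath(share_root)
    relative = client_path.replace("\\", "/").lstrip("/")
    candidate = os.path.realpath(os.path.join(root, relative))
    # realpath has already followed every symlink, so a component-wise prefix
    # test is enough; commonpath also copes with share_root == "/".
    if os.path.commonpath([root, candidate]) != root:
        raise PermissionError(f"{client_path!r} resolves to {candidate}, "
                              f"outside {root}")
    return candidate


def demo():
    """Constructed layout: one exported directory, one that is not, and the
    symlinks a UNIX-extensions client could drop inside the share."""
    import tempfile
    work = tempfile.mkdtemp(prefix="widelinks-")
    share = os.path.join(work, "share")
    outside = os.path.join(work, "outside")
    os.mkdir(share)
    os.mkdir(outside)
    with open(os.path.join(share, "public.txt"), "w") as fh:
        fh.write("exported\n")
    with open(os.path.join(outside, "secret.txt"), "w") as fh:
        fh.write("not exported\n")
    # Absolute symlink straight to the unexported file, and a relative one
    # that climbs out of the share.
    os.symlink(os.path.join(outside, "secret.txt"), os.path.join(share, "escape"))
    os.symlink("..", os.path.join(share, "dotdot"))
    verdicts = {}
    for name in ("public.txt", "escape", "dotdot/outside/secret.txt",
                 "sub\\..\\public.txt"):
        try:
            resolve_within_share(share, name)
            verdicts[name] = "allowed"
        except PermissionError:
            verdicts[name] = "denied"
    return verdicts


if __name__ == "__main__":
    for path, verdict in demo().items():
        print(f"{verdict:8} {path}")
```

With wide links = yes (or allow insecure wide links = yes alongside unix extensions = yes) the "escape" and "dotdot" cases would be
followed, which is exactly the exposure the text above warns about.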
861
862 allow nt4 crypto (G)
863
This option controls whether the netlogon server (currently only in 'active directory domain controller' mode) will reject clients
which do not support NETLOGON_NEG_STRONG_KEYS nor NETLOGON_NEG_SUPPORTS_AES.

This option was added with Samba 4.2.0. It may lock out clients which worked fine with Samba versions up to 4.1.x, as the effective
default was "yes" there, while it is "no" now.

If you have clients without RequireStrongKey = 1 in the registry, you may need to set "allow nt4 crypto = yes" until you have fixed
all clients.

"allow nt4 crypto = yes" allows weak crypto to be negotiated, possibly via downgrade attacks.

This option yields precedence to the 'reject md5 clients' option.

Default: allow nt4 crypto = no
878
879 allow trusted domains (G)
880
881 This option only takes effect when the security option is set to server,
domain or ads. If it is set to no, then attempts to connect
882 to a resource from a domain or workgroup other than the one which smbd is
running in will fail, even if that domain is trusted by the
883 remote server doing the authentication.
884
885 This is useful if you only want your Samba server to serve resources to
users in the domain it is a member of. As an example, suppose
886 that there are two domains DOMA and DOMB. DOMB is trusted by DOMA, which
contains the Samba server. Under normal circumstances, a user
887 with an account in DOMB can then access the resources of a UNIX account
with the same account name on the Samba server even if they do
888 not have an account in DOMA. This can make implementing a security
boundary difficult.
889
890 Default: allow trusted domains = yes
891
892 allow unsafe cluster upgrade (G)
893
If set to no (the default), smbd checks at startup if other smbd versions are running in the cluster and refuses to start if so. This
is done to protect against data corruption in internal data structures due to incompatible Samba versions running concurrently in the
same cluster. Setting this parameter to yes disables this safety check.
897
898 Default: allow unsafe cluster upgrade = no
899
900 apply group policies (G)
901
This option controls whether winbind will execute the gpupdate command defined in gpo update command on the Group Policy update
interval. The Group Policy update interval is defined as every 90 minutes, plus a random offset between 0 and 30 minutes. This applies
Group Policy Machine policies to the client or KDC and machine policies to a server.
905
906 Default: apply group policies = no
907
908 Example: apply group policies = yes
909
910 async smb echo handler (G)
911
912 This parameter specifies whether Samba should fork the async smb echo
handler. It can be beneficial if your file system can block
913 syscalls for a very long time. In some circumstances, it prolongs the
timeout that Windows uses to determine whether a connection is
914 dead. This parameter is only for SMB1. For SMB2 and above TCP keepalives
can be used instead.
915
916 Default: async smb echo handler = no
917
918 auth event notification (G)
919
920 When enabled, this option causes Samba (acting as an Active Directory
Domain Controller) to stream authentication events across the
921 internal message bus. Scripts built using Samba's python bindings can
listen to these events by registering as the service auth_event.
922
923 This is not needed for the audit logging described in log level.
924
This should instead be considered a developer option (it assists in the Samba testsuite) rather than a facility for external
auditing, as message delivery is not guaranteed (a feature that the testsuite works around).
927
928 The authentication events are also logged via the normal logging methods
when the log level is set appropriately, say to
929 auth_json_audit:3.
930
931 Default: auth event notification = no
932
933 preload
934
935 This parameter is a synonym for auto services.
936
937 auto services (G)
938
939 This is a list of services that you want to be automatically added to the
browse lists. This is most useful for homes and printers
940 services that would otherwise not be visible.
941
942 Note that if you just want all printers in your printcap file loaded then
the load printers option is easier.
943
944 Default: auto services =
945
946 Example: auto services = fred lp colorlp
947
948 available (S)
949
950 This parameter lets you "turn off" a service. If available = no, then ALL
attempts to connect to the service will fail. Such failures
951 are logged.
952
953 Default: available = yes
954
955 bind dns directory
956
957 This parameter is a synonym for binddns dir.
958
959 binddns dir (G)
960
This parameter defines the directory Samba will use to store the configuration files for bind, such as named.conf. NOTE: The bind dns
directory needs to be on the same mount point as the private directory!
963
964 Default: binddns dir = /var/lib/samba/bind-dns
965
966 bind interfaces only (G)
967
This global parameter allows the Samba admin to limit what interfaces on a machine will serve SMB requests. It affects file service
smbd(8) and name service nmbd(8) in slightly different ways.
970
971 For name service it causes nmbd to bind to ports 137 and 138 on the
interfaces listed in the interfaces parameter. nmbd also binds to
972 the "all addresses" interface (0.0.0.0) on ports 137 and 138 for the
purposes of reading broadcast messages. If this option is not set
973 then nmbd will service name requests on all of these sockets. If bind
interfaces only is set then nmbd will check the source address
974 of any packets coming in on the broadcast sockets and discard any that
don't match the broadcast addresses of the interfaces in the
975 interfaces parameter list. As unicast packets are received on the other
sockets it allows nmbd to refuse to serve names to machines
976 that send packets that arrive through any interfaces not listed in the
interfaces list. IP Source address spoofing does defeat this
977 simple check, however, so it must not be used seriously as a security
feature for nmbd.
978
979 For file service it causes smbd(8) to bind only to the interface list
given in the interfaces parameter. This restricts the networks
980 that smbd will serve, to packets coming in on those interfaces. Note that
you should not use this parameter for machines that are
981 serving PPP or other intermittent or non-broadcast network interfaces as
it will not cope with non-permanent interfaces.
982
If bind interfaces only is set and the network address 127.0.0.1 is not added to the interfaces parameter list, smbpasswd(8) may not
work as expected due to the reasons covered below.

To change a user's SMB password, smbpasswd by default connects to the localhost - 127.0.0.1 address as an SMB client to issue the
password change request. If bind interfaces only is set then, unless the network address 127.0.0.1 is added to the interfaces parameter
list, smbpasswd will fail to connect in its default mode. smbpasswd can be forced to use the primary IP interface of the local
host by using its smbpasswd(8) -r remote machine parameter, with remote machine set to the IP name of the primary interface of the
local host.
991
992 Default: bind interfaces only = no
993
994 blocking locks (S)
995
996 This parameter controls the behavior of smbd(8) when given a request by a
client to obtain a byte range lock on a region of an open
997 file, and the request has a time limit associated with it.
998
999 If this parameter is set and the lock range requested cannot be
immediately satisfied, samba will internally queue the lock request,
1000 and periodically attempt to obtain the lock until the timeout period
expires.
1001
1002 If this parameter is set to no, then samba will behave as previous
versions of Samba would and will fail the lock request immediately
1003 if the lock range cannot be obtained.
1004
1005 Default: blocking locks = yes
1006
1007 block size (S)
1008
1009 This parameter controls the behavior of smbd(8) when reporting disk free
sizes. By default, this reports a disk block size of 1024
1010 bytes.
1011
Changing this parameter may have some effect on the efficiency of client writes, but this is not yet confirmed. This parameter was added
to allow advanced administrators to change it (usually to a higher value) and test the effect it has on client write performance
without re-compiling the code. As this is an experimental option it may be removed in a future release.
1015
1016 Changing this option does not change the disk free reporting size, just
the block size unit reported to the client.
1017
1018 Default: block size = 1024
1019
1020 Example: block size = 4096
1021
1022 browsable
1023
1024 This parameter is a synonym for browseable.
1025
1026 browseable (S)
1027
1028 This controls whether this share is seen in the list of available shares
in a net view and in the browse list.
1029
1030 Default: browseable = yes
1031
1032 browse list (G)
1033
1034 This controls whether smbd(8) will serve a browse list to a client doing
a NetServerEnum call. Normally set to yes. You should never
1035 need to change this.
1036
1037 Default: browse list = yes
1038
1039 cache directory (G)
1040
1041 Usually, most of the TDB files are stored in the lock directory. Since
Samba 3.4.0, it is possible to differentiate between TDB files
1042 with persistent data and TDB files with non-persistent data using the
state directory and the cache directory options.
1043
1044 This option specifies the directory for storing TDB files containing
non-persistent data that will be kept across service restarts.
1045 The directory should be placed on persistent storage, but the data can be
safely deleted by an administrator.
1046
1047 Default: cache directory = /var/cache/samba
1048
1049 Example: cache directory = /var/run/samba/locks/cache
1050
1051 casesignames
1052
1053 This parameter is a synonym for case sensitive.
1054
1055 case sensitive (S)
1056
1057 See the discussion in the section name mangling.
1058
1059 Default: case sensitive = auto
1060
1061 change notify (G)
1062
1063 This parameter specifies whether Samba should reply to a client's file
change notify requests.
1064
1065 You should never need to change this parameter
1066
1067 Default: change notify = yes
1068
1069 change share command (G)
1070
1071 Samba 2.2.0 introduced the ability to dynamically add and delete shares
via the Windows NT 4.0 Server Manager. The change share
1072 command is used to define an external program or script which will modify
an existing service definition in smb.conf.
1073
1074 In order to successfully execute the change share command, smbd requires
that the administrator connects using a root account (i.e.
1075 uid == 0) or has the SeDiskOperatorPrivilege. Scripts defined in the
change share command parameter are executed as root.
1076
1077 When executed, smbd will automatically invoke the change share command
with six parameters.
1078
1079 • configFile - the location of the global smb.conf file.
1080
1081 • shareName - the name of the new share.
1082
1083 • pathName - path to an **existing** directory on disk.
1084
1085 • comment - comment string to associate with the new share.
1086
1087 • max connections Number of maximum simultaneous connections to
this share.
1088
1089 • CSC policy - client side caching policy in string form. Valid
values are: manual, documents, programs, disable.
1090
1091 This parameter is only used to modify existing file share definitions. To
modify printer shares, use the "Printers..." folder as seen
1092 when browsing the Samba host.
1093
1094 Default: change share command =
1095
1096 Example: change share command = /usr/local/bin/changeshare
1097
1098 check parent directory delete on close (S)
1099
A Windows SMB server prevents the client from creating files in a directory that has the delete-on-close flag set. By default Samba
doesn't perform this check, as it is a quite expensive operation in Samba.
1102
1103 Default: check parent directory delete on close = no
1104
1105 check password script (G)
1106
1107 The name of a program that can be used to check password complexity. The
password is sent to the program's standard input.
1108
1109 The program must return 0 on a good password, or any other value if the
password is bad. In case the password is considered weak (the
1110 program does not return 0) the user will be notified and the password
change will fail.
1111
1112 In Samba AD, this script will be run AS ROOT by samba(8) without any
substitutions.
1113
1114 Note that starting with Samba 4.11 the following environment variables
are exported to the script:
1115
• SAMBA_CPS_ACCOUNT_NAME is always present and contains the sAMAccountName of the user; this is the same as the %u substitution
in the non AD DC case.
1118
1119 • SAMBA_CPS_USER_PRINCIPAL_NAME is optional in the AD DC case if
the userPrincipalName is present.
1120
1121 • SAMBA_CPS_FULL_NAME is optional if the displayName is present.
1122
1123 Note: In the example directory is a sample program called crackcheck that
uses cracklib to check the password quality.
1124
1125 Default: check password script = # Disabled
1126
1127 Example: check password script = /usr/local/sbin/crackcheck
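
The following is an added example of such a script (illustration code, not the crackcheck sample shipped with Samba). It reads the
candidate password from standard input, applies a length and character-class policy, uses the SAMBA_CPS_* variables described above to
reject passwords derived from the account name or display name, and exits 0 only for an acceptable password. The thresholds are this
example's own local policy, not Samba defaults.

```python
"""Added example of a 'check password script' (illustration code, not the
crackcheck sample shipped with Samba).  Samba writes the candidate password
to stdin and treats exit status 0 as acceptable, anything else as rejected.
The SAMBA_CPS_* variables are those documented above; the thresholds are this
example's own local policy, not Samba defaults."""
import os
import sys

MIN_LENGTH = 12   # assumption: local policy
MIN_CLASSES = 3   # of: lower, upper, digit, other


def character_classes(password):
    """Count how many of the four character classes the password uses."""
    return sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])


def contains_identity(password, env):
    """True if the password embeds the account name, the local part of the
    UPN or any word of the display name (case-insensitive), e.g. 'Jsmith2024!'."""
    lowered = password.lower()
    candidates = []
    if env.get("SAMBA_CPS_ACCOUNT_NAME"):
        candidates.append(env["SAMBA_CPS_ACCOUNT_NAME"])
    if env.get("SAMBA_CPS_USER_PRINCIPAL_NAME"):
        candidates.append(env["SAMBA_CPS_USER_PRINCIPAL_NAME"].split("@", 1)[0])
    candidates.extend(env.get("SAMBA_CPS_FULL_NAME", "").split())
    # Ignore very short fragments so a name like 'Li' does not forbid 'li'.
    return any(len(c) >= 3 and c.lower() in lowered for c in candidates)


def check_password(password, env):
    """Return the list of failure reasons; an empty list means acceptable."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(password) < MIN_CLASSES:
        reasons.append(f"fewer than {MIN_CLASSES} character classes")
    if contains_identity(password, env):
        reasons.append("contains the account name or user's name")
    return reasons


def main():
    # Strip only the trailing newline: spaces at either end are part of the
    # password.  Only the exit status matters to Samba; the message is for
    # the server log.
    password = sys.stdin.readline().rstrip("\n")
    reasons = check_password(password, os.environ)
    if reasons:
        print("password rejected: " + "; ".join(reasons), file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Because the script runs as root and receives the cleartext password, keep it free of shell-outs and external lookups that could leak
the password into argument lists or logs; everything above stays in-process.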
1128
1129 cldap port (G)
1130
1131 This option controls the port used by the CLDAP protocol.
1132
1133 Default: cldap port = 389
1134
1135 Example: cldap port = 3389
1136
1137 client ipc max protocol (G)
1138
1139 The value of the parameter (a string) is the highest protocol level that
will be supported for IPC$ connections as DCERPC transport.
1140
1141 Normally this option should not be set as the automatic negotiation phase
in the SMB protocol takes care of choosing the appropriate
1142 protocol.
1143
1144 The value default refers to the latest supported protocol, currently
SMB3_11.
1145
1146 See client max protocol for a full list of available protocols. The
values CORE, COREPLUS, LANMAN1, LANMAN2 are silently upgraded to
1147 NT1.
1148
1149 Default: client ipc max protocol = default
1150
1151 Example: client ipc max protocol = SMB2_10
1152
1153 client ipc min protocol (G)
1154
This setting controls the minimum protocol version that will be attempted for IPC$ connections as DCERPC transport.
1156
1157 Normally this option should not be set as the automatic negotiation phase
in the SMB protocol takes care of choosing the appropriate
1158 protocol.
1159
1160 The value default refers to the higher value of NT1 and the effective
value of client min protocol.
1161
1162 See client max protocol for a full list of available protocols. The
values CORE, COREPLUS, LANMAN1, LANMAN2 are silently upgraded to
1163 NT1.
1164
1165 Default: client ipc min protocol = default
1166
1167 Example: client ipc min protocol = SMB3_11
1168
1169 client ipc signing (G)
1170
1171 This controls whether the client is allowed or required to use SMB
signing for IPC$ connections as DCERPC transport. Possible values
1172 are auto, mandatory and disabled.
1173
1174 When set to mandatory or default, SMB signing is required.
1175
1176 When set to auto, SMB signing is offered, but not enforced and if set to
disabled, SMB signing is not offered either.
1177
1178 Connections from winbindd to Active Directory Domain Controllers always
enforce signing.
1179
1180 Default: client ipc signing = default
1181
1182 client lanman auth (G)
1183
1184 This parameter has been deprecated since Samba 4.13 and support for
LanMan (as distinct from NTLM, NTLMv2 or Kerberos) authentication
1185 as a client will be removed in a future Samba release.
1186
1187 That is, in the future, the current default of client NTLMv2 auth = yes
will be the enforced behaviour.
1188
This parameter determines whether or not smbclient(8) and other Samba client tools will attempt to authenticate themselves to servers
using the weaker LANMAN password hash. If disabled, only servers which support NT password hashes (e.g. Windows NT/2000, Samba, etc.,
but not Windows 95/98) can be connected to from the Samba client.
1192
1193 The LANMAN encrypted response is easily broken, due to its
case-insensitive nature, and the choice of algorithm. Clients without
1194 Windows 95/98 servers are advised to disable this option.
1195
1196 Disabling this option will also disable the client plaintext auth option.
1197
1198 Likewise, if the client ntlmv2 auth parameter is enabled, then only
NTLMv2 logins will be attempted.
1199
1200 Default: client lanman auth = no
1201
1202 client ldap sasl wrapping (G)
1203
1204 The client ldap sasl wrapping defines whether ldap traffic will be signed
or signed and encrypted (sealed). Possible values are plain,
1205 sign and seal.
1206
1207 The values sign and seal are only available if Samba has been compiled
against a modern OpenLDAP version (2.3.x or higher).
1208
1209 This option is needed in the case of Domain Controllers enforcing the
usage of signed LDAP connections (e.g. Windows 2000 SP3 or
1210 higher). LDAP sign and seal can be controlled with the registry key
"HKLM\System\CurrentControlSet\Services\
1211 NTDS\Parameters\LDAPServerIntegrity" on the Windows server side.
1212
1213 Depending on the used KRB5 library (MIT and older Heimdal versions) it is
possible that the message "integrity only" is not supported.
1214 In this case, sign is just an alias for seal.
1215
1216 The default value is sign. That implies synchronizing the time with the
KDC in the case of using Kerberos.
1217
1218 Default: client ldap sasl wrapping = sign
1219
1220 client max protocol (G)
1221
1222 The value of the parameter (a string) is the highest protocol level that
will be supported by the client.
1223
1224 Possible values are :
1225
1226 • CORE: Earliest version. No concept of user names.
1227
1228 • COREPLUS: Slight improvements on CORE for efficiency.
1229
1230 • LANMAN1: First modern version of the protocol. Long filename
support.
1231
1232 • LANMAN2: Updates to Lanman1 protocol.
1233
1234 • NT1: Current up to date version of the protocol. Used by
Windows NT. Known as CIFS.
1235
1236 • SMB2: Re-implementation of the SMB protocol. Used by Windows
Vista and later versions of Windows. SMB2 has sub protocols
1237 available.
1238
1239 • SMB2_02: The earliest SMB2 version.
1240
1241 • SMB2_10: Windows 7 SMB2 version.
1242
1243 • SMB2_22: Early Windows 8 SMB2 version.
1244
1245 • SMB2_24: Windows 8 beta SMB2 version.
1246
1247 By default SMB2 selects the SMB2_10 variant.
1248
1249 • SMB3: The same as SMB2. Used by Windows 8. SMB3 has sub
protocols available.
1250
1251 • SMB3_00: Windows 8 SMB3 version. (mostly the same
as SMB2_24)
1252
1253 • SMB3_02: Windows 8.1 SMB3 version.
1254
1255 • SMB3_10: early Windows 10 technical preview SMB3
version.
1256
1257 • SMB3_11: Windows 10 technical preview SMB3 version
(maybe final).
1258
1259 By default SMB3 selects the SMB3_11 variant.
1260
1261 Normally this option should not be set as the automatic negotiation phase
in the SMB protocol takes care of choosing the appropriate
1262 protocol.
1263
1264 The value default refers to SMB3_11.
1265
1266 IPC$ connections for DCERPC e.g. in winbindd, are handled by the client
ipc max protocol option.
1267
1268 Default: client max protocol = default
1269
1270 Example: client max protocol = LANMAN1
1271
1272 client min protocol (G)
1273
1274 This setting controls the minimum protocol version that the client will
attempt to use.
1275
1276 Normally this option should not be set as the automatic negotiation phase
in the SMB protocol takes care of choosing the appropriate
1277 protocol unless you connect to a legacy SMB1-only server.
1278
1279 See Related command: client max protocol for a full list of available
protocols.
1280
1281 IPC$ connections for DCERPC e.g. in winbindd, are handled by the client
ipc min protocol option.
1282
1283 Note that most command line tools support --option='client min
protocol=NT1', so it may not be required to enable SMB1 protocols
1284 globally in smb.conf.
1285
1286 Default: client min protocol = SMB2_02
1287
1288 Example: client min protocol = NT1
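    As an added illustration (not code from the Samba project), the following Python models the rules stated above for client min protocol, client max protocol and client ipc min protocol: the dialect ordering, the default bounds, the silent upgrade of CORE..LANMAN2 to NT1 for IPC$, and what happens when a client whose floor is SMB2_02 meets an SMB1-only server. The dialect lists the servers offer are constructed assumptions; the real negotiation is done on the wire by smbd and libsmb.

```python
"""Model of how Samba's client-side protocol bounds interact with a server.

Added illustration, not Samba code. It encodes only what the smb.conf text
states: the dialect ordering under 'client max protocol', the defaults
SMB2_02/SMB3_11, and 'client ipc min protocol = default' meaning the higher
of NT1 and client min protocol with CORE..LANMAN2 upgraded to NT1.
MODERN_SERVER and SMB1_ONLY_NAS are constructed "server offers" (assumptions).
"""

# Dialects in ascending order, as listed under 'client max protocol'.
DIALECTS = [
    "CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1",
    "SMB2_02", "SMB2_10", "SMB2_22", "SMB2_24",
    "SMB3_00", "SMB3_02", "SMB3_10", "SMB3_11",
]
RANK = {name: i for i, name in enumerate(DIALECTS)}

# Family names expand to the variant the man page says they select.
ALIASES = {"SMB2": "SMB2_10", "SMB3": "SMB3_11"}


def resolve(value, default):
    """Expand 'default' and the SMB2/SMB3 family names to a concrete dialect."""
    value = value.strip().upper()
    if value == "DEFAULT":
        value = default
    value = ALIASES.get(value, value)
    if value not in RANK:
        raise ValueError(f"unknown protocol {value!r}")
    return value


def effective_ipc_min(client_min_protocol="SMB2_02", client_ipc_min_protocol="default"):
    """'client ipc min protocol = default' is the higher of NT1 and the effective
    client min protocol; SMB1 dialects below NT1 are silently upgraded to NT1."""
    if client_ipc_min_protocol.strip().lower() == "default":
        floor = resolve(client_min_protocol, "SMB2_02")
    else:
        floor = resolve(client_ipc_min_protocol, "SMB2_02")
    return floor if RANK[floor] >= RANK["NT1"] else "NT1"


def negotiate(client_min, client_max, server_dialects):
    """Return the highest dialect both sides accept, or None when the ranges do
    not overlap (the client then fails to connect)."""
    lo, hi = resolve(client_min, "SMB2_02"), resolve(client_max, "SMB3_11")
    if RANK[lo] > RANK[hi]:
        raise ValueError("client min protocol is above client max protocol")
    common = [d for d in server_dialects if d in RANK and RANK[lo] <= RANK[d] <= RANK[hi]]
    return max(common, key=RANK.__getitem__) if common else None


# Constructed server offers (assumptions): a current server and a legacy SMB1-only NAS.
MODERN_SERVER = ["NT1", "SMB2_02", "SMB2_10", "SMB3_00", "SMB3_02", "SMB3_11"]
SMB1_ONLY_NAS = ["CORE", "LANMAN1", "LANMAN2", "NT1"]

if __name__ == "__main__":
    print(negotiate("default", "default", MODERN_SERVER))  # SMB3_11
    print(negotiate("default", "default", SMB1_ONLY_NAS))  # None: the SMB2_02 floor excludes SMB1
    print(negotiate("NT1", "default", SMB1_ONLY_NAS))      # NT1, the --option='client min protocol=NT1' case
    print(effective_ipc_min("LANMAN1"))                    # NT1: silently upgraded for IPC$
```

    The second call is the failure mode the text warns about: with the defaults, an SMB1-only server is simply unreachable, and the fix is the per-invocation option rather than a global smb.conf change.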
client NTLMv2 auth (G)

    This parameter has been deprecated since Samba 4.13, and support for NTLM and LanMan (as distinct from NTLMv2 or Kerberos authentication) will be removed in a future Samba release.

    That is, in the future, the current default of client NTLMv2 auth = yes will be the enforced behaviour.

    This parameter determines whether or not smbclient(8) will attempt to authenticate itself to servers using the NTLMv2 encrypted password response.

    If enabled, only an NTLMv2 and LMv2 response (both much more secure than earlier versions) will be sent. Older servers (including NT4 < SP4, Win9x and Samba 2.2) are not compatible with NTLMv2 when not in an NTLMv2 supporting domain.

    Similarly, if enabled, NTLMv1, client lanman auth and client plaintext auth authentication will be disabled. This also disables share-level authentication.

    If disabled, an NTLM response (and possibly a LANMAN response) will be sent by the client, depending on the value of client lanman auth.

    Note that Windows Vista and later versions already use NTLMv2 by default, and some sites (particularly those following 'best practice' security policies) only allow NTLMv2 responses, and not the weaker LM or NTLM.

    When client use spnego is also set to yes, extended security (SPNEGO) is required in order to use NTLMv2 only within NTLMSSP. This behavior was introduced with the patches for CVE-2016-2111.

    Default: client NTLMv2 auth = yes

client plaintext auth (G)

    This parameter has been deprecated since Samba 4.13, and support for plaintext (as distinct from NTLM, NTLMv2 or Kerberos authentication) will be removed in a future Samba release.

    That is, in the future, the current default of client plaintext auth = no will be the enforced behaviour.

    Specifies whether a client should send a plaintext password if the server does not support encrypted passwords.

    Default: client plaintext auth = no

client schannel (G)

    This option is deprecated with Samba 4.8 and will be removed in future. At the same time the default changed to yes, which will be the hardcoded behavior in future.

    This controls whether the client offers or even demands the use of the netlogon schannel. client schannel = no does not offer the schannel, client schannel = auto offers the schannel but does not enforce it, and client schannel = yes denies access if the server is not able to speak netlogon schannel.

    Note that for active directory domains this is hardcoded to client schannel = yes.

    This option yields precedence to the require strong key option.

    Default: client schannel = yes

    Example: client schannel = auto

client signing (G)

    This controls whether the client is allowed or required to use SMB signing. Possible values are auto, mandatory and disabled.

    When set to auto or default, SMB signing is offered, but not enforced.

    When set to mandatory, SMB signing is required; if set to disabled, SMB signing is not offered either.

    IPC$ connections for DCERPC, e.g. in winbindd, are handled by the client ipc signing option.

    Default: client signing = default

client use spnego principal (G)

    This parameter determines whether or not smbclient(8) and other Samba components acting as a client will attempt to use the server-supplied principal sometimes given in the SPNEGO exchange.

    If enabled, Samba can attempt to use Kerberos to contact servers known only by IP address. Kerberos relies on names, so ordinarily it cannot function in this situation.

    This is a VERY BAD IDEA for security reasons, and so this parameter SHOULD NOT BE USED. It will be removed in a future version of Samba.

    If disabled, Samba will use the name used to look up the server when asking the KDC for a ticket. This avoids situations where a server may impersonate another, soliciting authentication as one principal while being known on the network as another.

    Note that Windows XP SP2 and later versions already follow this behaviour, and Windows Vista and later servers no longer supply this 'rfc4178 hint' principal on the server side.

    This parameter is deprecated in Samba 4.2.1 and will be removed (along with the functionality) in a later release of Samba.

    Default: client use spnego principal = no

client use spnego (G)

    This parameter has been deprecated since Samba 4.13, and support for NTLMv2, NTLM and LanMan authentication outside NTLMSSP will be removed in a future Samba release.

    That is, in the future, the current default of client use spnego = yes will be the enforced behaviour.

    This variable controls whether Samba clients will try to use Simple and Protected NEGOtiation (as specified by RFC 2478) with supporting servers (including Windows XP, Windows 2000 and Samba 3.0) to agree upon an authentication mechanism. This enables Kerberos authentication in particular.

    When client NTLMv2 auth is also set to yes, extended security (SPNEGO) is required in order to use NTLMv2 only within NTLMSSP. This behavior was introduced with the patches for CVE-2016-2111.

    Default: client use spnego = yes

cluster addresses (G)

    With this parameter you can add additional addresses that nmbd will register with a WINS server. Similarly, these addresses will be registered by default when net ads dns register is called with clustering = yes configured.

    Default: cluster addresses =

    Example: cluster addresses = 10.0.0.1 10.0.0.2 10.0.0.3

clustering (G)

    This parameter specifies whether Samba should contact ctdb for accessing its tdb files and use ctdb as the backend for its messaging.

    Set this parameter to yes only if you have a cluster setup with ctdb running.

    Default: clustering = no

comment (S)

    This is a text field that is seen next to a share when a client queries the server, either via the network neighborhood or via net view, to list what shares are available.

    If you want to set the string that is displayed next to the machine name then see the server string parameter.

    Default: comment = # No comment

    Example: comment = Fred's Files

config backend (G)

    This controls the backend for storing the configuration. Possible values are file (the default) and registry. When config backend = registry is encountered while loading smb.conf, the configuration read so far is dropped and the global options are read from the registry instead. So this triggers a registry only configuration. Share definitions are not read immediately; instead registry shares is set to yes.

    Note: This option can not be set inside the registry configuration itself.

    Default: config backend = file

    Example: config backend = registry

config file (G)

    This allows you to override the config file to use, instead of the default (usually smb.conf). There is a chicken and egg problem here as this option is set in the config file!

    For this reason, if the name of the config file has changed when the parameters are loaded then it will reload them from the new config file.

    This option takes the usual substitutions, which can be very useful. Keep in mind that a substitution such as %m is derived from what the client sends, so a per-client config file selected this way is chosen by client-controlled input and should live in a directory only root can write to.

    If the config file doesn't exist then it won't be loaded (allowing you to special case the config files of just a few clients).

    No default

    Example: config file = /usr/local/samba/lib/smb.conf.%m

copy (S)

    This parameter allows you to "clone" service entries. The specified service is simply duplicated under the current service's name. Any parameters specified in the current section will override those in the section being copied.

    This feature lets you set up a 'template' service and create similar services easily. Note that the service being copied must occur earlier in the configuration file than the service doing the copying.

    Default: copy =

    Example: copy = otherservice
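    The copy semantics just described, as an added example that is not Samba's own configuration loader: a minimal Python reader for the smb.conf format that applies copy with the two stated rules (the template must be defined earlier in the file; the copying section's own parameters win, wherever they appear relative to the copy line). The configuration text it parses is constructed for the demonstration; includes, %-substitutions and the registry backend are deliberately out of scope.

```python
"""Minimal smb.conf reader that implements the 'copy' parameter.

Added example, not Samba's loadparm code. It handles the documented format
(bracketed sections, 'name = value', '#'/';' comments) and the 'copy' rules
stated in the man page: the copied service must appear earlier in the file,
and parameters in the copying section override those copied in. SAMPLE is a
constructed configuration used for the demonstration."""

import re

SECTION_RE = re.compile(r"^\[(.+)\]$")


def parse_smb_conf(text):
    """Return {section_name: {param: value}} in file order, applying 'copy'.

    Parameter names are normalised the way Samba compares them: lower-cased
    with internal whitespace removed, so 'create mask' and 'createmask' match."""
    services = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).strip()
            services.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            raise ValueError(f"parameter outside a section or malformed: {raw!r}")
        name, value = (part.strip() for part in line.split("=", 1))
        name = re.sub(r"\s+", "", name).lower()
        if name == "copy":
            if value not in services or value == current:
                # Samba requires the template to be defined earlier in the file.
                raise ValueError(f"[{current}] copies undefined service [{value}]")
            # Fill in only what this section has not set itself: parameters written
            # before or after the copy line in the current section take precedence.
            for k, v in services[value].items():
                services[current].setdefault(k, v)
            continue
        services[current][name] = value
    return services


# Constructed example: a template share, then two shares cloned from it.
SAMPLE = """
[global]
    workgroup = EXAMPLE

[template]
    path = /srv/template
    read only = yes
    create mask = 0644
    ; browseable is left at its default here

[pub]
    copy = template
    path = /srv/pub

[staff]
    path = /srv/staff
    copy = template
    read only = no
"""


def share(name, text=SAMPLE):
    """Convenience accessor: the fully resolved parameters of one share."""
    return parse_smb_conf(text)[name]


if __name__ == "__main__":
    for n in ("pub", "staff"):
        print(n, share(n))
```

    Both clones inherit create mask from [template]; [pub] keeps its own path even though the copy line comes first, and [staff] flips read only after copying. Reversing the order of [template] and [pub] in the file makes the reader raise, which is the same constraint smbd imposes.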
create krb5 conf (G)

    Setting this parameter to no prevents winbind from creating custom krb5.conf files. Winbind normally does this because the krb5 libraries are not AD-site-aware and thus would pick any domain controller out of potentially very many. Winbind is site-aware and makes the krb5 libraries use a local DC by creating its own krb5.conf files.

    Preventing winbind from doing this might become necessary if you have to add special options into your system krb5.conf that winbind does not see.

    Default: create krb5 conf = yes

create mode

    This parameter is a synonym for create mask.

create mask (S)

    When a file is created, the necessary permissions are calculated according to the mapping from DOS modes to UNIX permissions, and the resulting UNIX mode is then bit-wise ANDed with this parameter. This parameter may be thought of as a bit-wise MASK for the UNIX modes of a file. Any bit not set here will be removed from the modes set on a file when it is created.

    The default value of this parameter removes the group and other write and execute bits from the UNIX modes.

    Following this, Samba will bit-wise OR the UNIX mode created from this parameter with the value of the force create mode parameter, which is set to 000 by default.

    This parameter does not affect directory masks. See the parameter directory mask for details.

    Default: create mask = 0744

    Example: create mask = 0775
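    The mode calculation above, worked through in Python as an added example (not Samba code). The AND with create mask followed by the OR with force create mode is exactly the order the text gives. The DOS-attribute-to-UNIX mapping it starts from (read-only clears the write bits; archive, system and hidden map onto the owner, group and other execute bits under map archive, map system and map hidden, which default to yes, no and no) and the 0666 base mode are assumptions of the example, stated in the code.

```python
"""How 'create mask' and 'force create mode' shape the mode of a new file.

Added example, not Samba code. The two smb.conf parameters are applied in the
order the man page describes; the DOS-to-UNIX mapping and the 0666 base mode
are the conventional ones and are assumptions of this example."""

import stat

# DOS attribute bits (FILE_ATTRIBUTE_* values as seen on the wire).
READONLY, HIDDEN, SYSTEM, ARCHIVE = 0x01, 0x02, 0x04, 0x20


def dos_to_unix(dos_attr, map_archive=True, map_system=False, map_hidden=False):
    """Derive a UNIX mode for a new file from its DOS attributes.

    Assumed mapping: start from 0666, drop the write bits for a read-only file,
    and map archive/system/hidden onto the owner/group/other execute bits when
    the corresponding smb.conf option is on (defaults: map archive = yes,
    map system = no, map hidden = no)."""
    mode = 0o666
    if dos_attr & READONLY:
        mode &= ~(stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH)
    if map_archive and dos_attr & ARCHIVE:
        mode |= stat.S_IXUSR
    if map_system and dos_attr & SYSTEM:
        mode |= stat.S_IXGRP
    if map_hidden and dos_attr & HIDDEN:
        mode |= stat.S_IXOTH
    return mode


def new_file_mode(dos_attr, create_mask=0o744, force_create_mode=0o000, **map_opts):
    """Apply 'create mask' and then 'force create mode', in the order the text gives."""
    mode = dos_to_unix(dos_attr, **map_opts)
    mode &= create_mask          # any bit not set in the mask is removed
    mode |= force_create_mode    # any bit set here is always added back
    return mode


if __name__ == "__main__":
    # Windows sets ARCHIVE on a newly created file; with the defaults this gives 0744.
    print(oct(new_file_mode(ARCHIVE)))
    # No ARCHIVE, client asked for group/other write: the default mask strips it -> 0644.
    print(oct(new_file_mode(0)))
    # The man page's example mask plus a forced group-write bit -> 0764.
    print(oct(new_file_mode(ARCHIVE, create_mask=0o775, force_create_mode=0o020)))
    # Read-only attribute: the write bits are gone before the mask is applied -> 0544.
    print(oct(new_file_mode(ARCHIVE | READONLY)))
    # map hidden = yes under the default mask: 0744 clears the 'other x' bit again -> 0744.
    print(oct(new_file_mode(ARCHIVE | HIDDEN, map_hidden=True)))
```

    The last case is the one that surprises people: a map option adds an execute bit, but create mask decides whether it survives, and force create mode is the only way to add a bit the mask has removed.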
csc policy (S)

    This stands for client-side caching policy, and specifies how clients capable of offline caching will cache the files in the share. The valid values are: manual, documents, programs, disable.

    These values correspond to those used on Windows servers.

    For example, shares containing roaming profiles can have offline caching disabled using csc policy = disable.

    Default: csc policy = manual

    Example: csc policy = programs

ctdbd socket (G)

    If you set clustering = yes, you need to tell Samba where ctdbd listens on its unix domain socket. The default path as of ctdb 1.0 is /tmp/ctdb.socket, which you have to explicitly set for Samba in smb.conf.

    Default: ctdbd socket =

    Example: ctdbd socket = /tmp/ctdb.socket

ctdb locktime warn threshold (G)

    In a cluster environment using Samba and ctdb it is critical that locks on central ctdb-hosted databases like locking.tdb are not held for long. With the current Samba architecture it happens that Samba takes a lock and, while holding that lock, makes file system calls into the shared cluster file system. This option makes Samba warn if it detects that it has held locks for the specified number of milliseconds. If this happens, smbd will emit a debug level 0 message into its logs and potentially into syslog. The most likely reason for such a log message is that an operation of the cluster file system Samba exports is taking longer than expected. The messages are meant as a debugging aid for potential cluster problems.

    The default value of 0 disables this logging.

    Default: ctdb locktime warn threshold = 0

ctdb timeout (G)

    This parameter specifies a timeout in milliseconds for the connection between Samba and ctdb. It is only valid if you have compiled Samba with clustering and if you have set clustering = yes.

    When something in the cluster blocks, it can happen that we wait indefinitely long for ctdb, just adding to the blocking condition. In a well-running cluster this should never happen, but there are too many components in a cluster that might have hiccups. Choosing the right balance for this value is very tricky, because on a busy cluster long service times to transfer something across the cluster might be valid. Setting it too short will degrade the service your cluster presents; setting it too long might make the cluster itself not recover from something severely broken for too long.

    Be aware that if you set this parameter, it needs to be in the file smb.conf; it is not really helpful to put this into a registry configuration (typical on a cluster), because accessing the registry itself requires contact with ctdb.

    Setting ctdb timeout to n makes any process waiting longer than n milliseconds for a reply from the cluster panic. Setting it to 0 (the default) makes Samba block forever, which is the highly recommended default.

    Default: ctdb timeout = 0

cups connection timeout (G)

    This parameter is only applicable if printing is set to cups.

    If set, this option specifies the number of seconds that smbd will wait whilst trying to contact the CUPS server. The connection will fail if it takes longer than this number of seconds.

    Default: cups connection timeout = 30

    Example: cups connection timeout = 60

cups encrypt (G)

    This parameter is only applicable if printing is set to cups and if you use CUPS newer than 1.0.x. It is used to define whether or not Samba should use encryption when talking to the CUPS server. Possible values are auto, yes and no.

    When set to auto we will try to do a TLS handshake on each CUPS connection setup. If that fails, we will fall back to unencrypted operation.

    Default: cups encrypt = no

cups options (S)

    This parameter is only applicable if printing is set to cups. Its value is a free form string of options passed directly to the cups library.

    You can pass any generic print option known to CUPS (as listed in the CUPS "Software Users' Manual"). You can also pass any printer specific option (as listed in "lpoptions -d printername -l") valid for the target queue. Multiple parameters should be space-delimited name/value pairs according to the PAPI text option ABNF specification. Collection values ("name={a=... b=... c=...}") are stored with the curly brackets intact.

    You should set this parameter to raw if your CUPS server error_log file contains messages such as "Unsupported format 'application/octet-stream'" when printing from a Windows client through Samba. It is no longer necessary to enable system wide raw printing in /etc/cups/mime.{convs,types}.

    Default: cups options = ""

    Example: cups options = "raw media=a4"

cups server (G)

    This parameter is only applicable if printing is set to cups.

    If set, this option overrides the ServerName option in the CUPS client.conf. This is necessary if you have virtual samba servers that connect to different CUPS daemons.

    Optionally, a port can be specified by separating the server name and port number with a colon. If no port was specified, the default port for IPP (631) will be used.

    Default: cups server = ""

    Example: cups server = mycupsserver

    Example: cups server = mycupsserver:1631

dcerpc endpoint servers (G)

    Specifies which DCE/RPC endpoint servers should be run.

    Default: dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver

    Example: dcerpc endpoint servers = rpcecho

deadtime (G)

    The value of the parameter (a decimal integer) represents the number of minutes of inactivity before a connection is considered dead, and it is disconnected. The deadtime only takes effect if the number of open files is zero.

    This is useful to stop a server's resources being exhausted by a large number of inactive connections.

    Most clients have an auto-reconnect feature when a connection is broken, so in most cases this parameter should be transparent to users.

    Using this parameter with a timeout of a few minutes is recommended for most systems.

    A deadtime of zero indicates that no auto-disconnection should be performed.

    Default: deadtime = 10080

    Example: deadtime = 15

debug class (G)

    With this boolean parameter enabled, the debug class (DBGC_CLASS) will be displayed in the debug header.

    For more information about currently available debug classes, see the section about log level.

    Default: debug class = no

debug encryption (G)

    This option will make the smbd server and client code using libsmb (smbclient, smbget, smbspool, ...) dump the Session Id, the decrypted Session Key, the Signing Key, the Application Key, the Encryption Key and the Decryption Key every time an SMB3+ session is established. This information will be printed in logs at level 0.

    Warning: access to these values enables the decryption of any encrypted traffic on the dumped sessions. This option should only be enabled for debugging purposes, and log files written while it is on should be handled as key material.

    Default: debug encryption = no

debug hires timestamp (G)

    Sometimes the timestamps in the log messages are needed with a resolution higher than seconds; this boolean parameter adds microsecond resolution to the timestamp message header when turned on.

    Note that the parameter debug timestamp must be on for this to have an effect.

    Default: debug hires timestamp = yes

debug pid (G)

    When using only one log file for more than one forked smbd(8) process it may be hard to follow which process outputs which message. This boolean parameter adds the process id to the timestamp message headers in the logfile when turned on.

    Note that the parameter debug timestamp must be on for this to have an effect.

    Default: debug pid = no

debug prefix timestamp (G)

    With this option enabled, the timestamp message header is prefixed to the debug message without the filename and function information that is included with the debug timestamp parameter. This gives timestamps to the messages without adding an additional line.

    Note that this parameter overrides the debug timestamp parameter.

    Default: debug prefix timestamp = no

debug uid (G)

    Samba is sometimes run as root and sometimes run as the connected user; this boolean parameter inserts the current euid, egid, uid and gid into the timestamp message headers in the log file if turned on.

    Note that the parameter debug timestamp must be on for this to have an effect.

    Default: debug uid = no

dedicated keytab file (G)

    Specifies the absolute path to the kerberos keytab file when kerberos method is set to "dedicated keytab".

    Default: dedicated keytab file =

    Example: dedicated keytab file = /usr/local/etc/krb5.keytab

default case (S)

    See the section on name mangling. Also note the short preserve case parameter.

    Default: default case = lower

default devmode (S)

    This parameter is only applicable to printable services. When smbd is serving Printer Drivers to Windows NT/2k/XP clients, each printer on the Samba server has a Device Mode which defines things such as paper size and orientation and duplex settings. The device mode can only correctly be generated by the printer driver itself (which can only be executed on a Win32 platform). Because smbd is unable to execute the driver code to generate the device mode, the default behavior is to set this field to NULL.

    Most problems with serving printer drivers to Windows NT/2k/XP clients can be traced to a problem with the generated device mode. Certain drivers will do things such as crashing the client's Explorer.exe with a NULL devmode. However, other printer drivers can cause the client's spooler service (spoolsv.exe) to die if the devmode was not created by the driver itself (i.e. smbd generates a default devmode).

    This parameter should be used with care and tested with the printer driver in question. It is better to leave the device mode NULL and let the Windows client set the correct values. Because drivers do not do this all the time, setting default devmode = yes will instruct smbd to generate a default one.

    For more information on Windows NT/2k printing and Device Modes, see the MSDN documentation.

    Default: default devmode = yes

default

    This parameter is a synonym for default service.

default service (G)

    This parameter specifies the name of a service which will be connected to if the service actually requested cannot be found. Note that the square brackets are NOT given in the parameter value (see example below).

    There is no default value for this parameter. If this parameter is not given, attempting to connect to a nonexistent service results in an error.

    Typically the default service would be a guest ok, read-only service.

    Also note that the apparent service name will be changed to equal that of the requested service; this is very useful as it allows you to use macros like %S to make a wildcard service.

    Note also that any "_" characters in the name of the service used in the default service will get mapped to a "/". This allows for interesting things. It also means that whatever share name a client sends reaches the default service through %S, so treat that value as untrusted input wherever the default service uses it, in path in particular.

    Default: default service =

    Example: default service = pub

defer sharing violations (G)

    Windows allows specifying how a file will be shared with other processes when it is opened. Sharing violations occur when a file is opened by a different process using options that violate the share settings specified by other processes. This parameter causes smbd to act as a Windows server does, and defer returning a "sharing violation" error message for up to one second, allowing the client to close the file causing the violation in the meantime.

    UNIX by default does not have this behaviour.

    There should be no reason to turn off this parameter, as it is designed to enable Samba to more correctly emulate Windows.

    Default: defer sharing violations = yes

delete group script (G)

    This is the full pathname to a script that will be run AS ROOT by smbd(8) when a group is requested to be deleted. It will expand any %g to the group name passed. This script is only useful for installations using the Windows NT domain administration tools.

    Default: delete group script =

deleteprinter command (G)

    With the introduction of MS-RPC based printer support for Windows NT/2000 clients in Samba 2.2, it is now possible to delete a printer at run time by issuing the DeletePrinter() RPC call.

    For a Samba host this means that the printer must be physically deleted from the underlying printing system. The deleteprinter command defines a script to be run which will perform the necessary operations for removing the printer from the print system and from smb.conf.

    The deleteprinter command is automatically called with only one parameter: printer name.

    Once the deleteprinter command has been executed, smbd will reparse the smb.conf to check that the associated printer no longer exists. If the sharename is still valid, then smbd will return an ACCESS_DENIED error to the client.

    Default: deleteprinter command =

    Example: deleteprinter command = /usr/bin/removeprinter

delete readonly (S)

    This parameter allows readonly files to be deleted. This is not normal DOS semantics, but is allowed by UNIX.

    This option may be useful for running applications such as rcs, where UNIX file ownership prevents changing file permissions, and DOS semantics prevent deletion of a read only file.

    Default: delete readonly = no

delete share command (G)

    Samba 2.2.0 introduced the ability to dynamically add and delete shares via the Windows NT 4.0 Server Manager. The delete share command is used to define an external program or script which will remove an existing service definition from smb.conf.

    In order to successfully execute the delete share command, smbd requires that the administrator connects using a root account (i.e. uid == 0) or has the SeDiskOperatorPrivilege. Scripts defined in the delete share command parameter are executed as root.

    When executed, smbd will automatically invoke the delete share command with two parameters.

    • configFile - the location of the global smb.conf file.

    • shareName - the name of the existing service.

    This parameter is only used to remove file shares. To delete printer shares, see the deleteprinter command.

    Default: delete share command =

    Example: delete share command = /usr/local/bin/delshare
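    What a delete share command script should guard against, as an added example that is not a Samba-provided script: smbd runs it as root with a share name chosen by a remote administrator, so the script below validates that name against a strict allow-list (an assumption of this example, stricter than the share names Samba itself accepts), refuses the [global], [homes] and [printers] sections, and replaces smb.conf atomically so the re-read smbd performs immediately afterwards never sees a half-written file. The SAMPLE text is constructed for the demonstration.

```python
#!/usr/bin/env python3
"""Skeleton for a 'delete share command' script.

Added example, not a Samba-provided script. smbd invokes the configured
program AS ROOT with two arguments, configFile and shareName. The share name
comes from a remote administrator, so it is treated as untrusted input.
SHARE_NAME_RE and PROTECTED are this example's own policy (assumptions)."""

import os
import re
import sys
import tempfile

# Deliberately strict allow-list so a crafted name cannot smuggle section syntax
# or path characters into the rewrite (Samba itself accepts a broader set).
SHARE_NAME_RE = re.compile(r"^[A-Za-z0-9_.$-]{1,80}$")
PROTECTED = {"global", "homes", "printers"}
SECTION_RE = re.compile(r"^\s*\[(.+?)\]\s*$")


def remove_section(text, share_name):
    """Return text without the [share_name] section; raise if invalid or absent."""
    if not SHARE_NAME_RE.match(share_name):
        raise ValueError(f"refusing suspicious share name {share_name!r}")
    if share_name.lower() in PROTECTED:
        raise ValueError(f"refusing to delete protected section [{share_name}]")
    out, skipping, found = [], False, False
    for line in text.splitlines(keepends=True):
        m = SECTION_RE.match(line)
        if m:
            # Section names are case-insensitive in Samba.
            skipping = m.group(1).strip().lower() == share_name.lower()
            found = found or skipping
        if not skipping:
            out.append(line)
    if not found:
        raise LookupError(f"no section [{share_name}] in config")
    return "".join(out)


def delete_share(config_file, share_name):
    """Rewrite config_file without the share. Write-then-rename keeps the file
    consistent for the smbd that re-reads smb.conf right after we exit."""
    with open(config_file, encoding="utf-8") as fh:
        new_text = remove_section(fh.read(), share_name)
    st = os.stat(config_file)
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(config_file) or ".", prefix=".smb.conf.")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write(new_text)
        os.chmod(tmp, st.st_mode & 0o7777)   # keep the original permissions
        os.replace(tmp, config_file)         # atomic on POSIX filesystems
    except BaseException:
        os.unlink(tmp)
        raise


# Constructed smb.conf used to demonstrate the rewrite.
SAMPLE = "[global]\n  workgroup = EXAMPLE\n\n[pub]\n  path = /srv/pub\n\n[staff]\n  path = /srv/staff\n"

if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: delshare configFile shareName")
    delete_share(sys.argv[1], sys.argv[2])
```

    Exiting non-zero on a rejected name is what you want here: smbd reparses smb.conf afterwards and, as the text says, returns an error to the client if the share still exists, so a refused deletion surfaces to the administrator rather than silently succeeding.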
1811
1812 delete user from group script (G)
1813
1814 Full path to the script that will be called when a user is removed from a
group using the Windows NT domain administration tools. It
1815 will be run by smbd(8) AS ROOT. Any %g will be replaced with the group
name and any %u will be replaced with the user name.
1816
1817 Default: delete user from group script =
1818
1819 Example: delete user from group script = /usr/sbin/deluser %u %g
1820
1821 delete user script (G)
1822
1823 This is the full pathname to a script that will be run by smbd(8) when
managing users with remote RPC (NT) tools.
1824
1825 This script is called when a remote client removes a user from the
server, normally using 'User Manager for Domains' or rpcclient.
1826
1827 This script should delete the given UNIX username.
1828
1829 Default: delete user script =
1830
1831 Example: delete user script = /usr/local/samba/bin/del_user %u
1832
1833 delete veto files (S)
1834
1835 This option is used when Samba is attempting to delete a directory that
contains one or more vetoed directories (see the veto files
1836 option). If this option is set to no (the default) then if a vetoed
directory contains any non-vetoed files or directories then the
1837 directory delete will fail. This is usually what you want.
1838
1839 If this option is set to yes, then Samba will attempt to recursively
delete any files and directories within the vetoed directory.
1840 This can be useful for integration with file serving systems such as
NetAtalk which create meta-files within directories you might
1841 normally veto DOS/Windows users from seeing (e.g. .AppleDouble)
1842
1843 Setting delete veto files = yes allows these directories to be
transparently deleted when the parent directory is deleted (so long as
1844 the user has permissions to do so).
1845
1846 Default: delete veto files = no
1847
1848 dfree cache time (S)
1849
1850 The dfree cache time should only be used on systems where a problem
occurs with the internal disk space calculations. This has been
1851 known to happen with Ultrix, but may occur with other operating systems.
The symptom that was seen was an error of "Abort Retry
1852 Ignore" at the end of each directory listing.
1853
1854 This is a new parameter introduced in Samba version 3.0.21. It specifies
in seconds the time that smbd will cache the output of a disk
1855 free query. If set to zero (the default) no caching is done. This allows
a heavily loaded server to prevent rapid spawning of dfree
1856 command scripts increasing the load.
1857
1858 By default this parameter is zero, meaning no caching will be done.
1859
1860 No default
1861
1862 Example: dfree cache time = 60
1863
dfree command (S)

The dfree command setting should only be used on systems where a problem occurs with the internal disk space calculations. This has been known to happen with Ultrix, but may occur with other operating systems. The symptom that was seen was an error of "Abort Retry Ignore" at the end of each directory listing.

This setting allows the replacement of the internal routines to calculate the total disk space and amount available with an external routine. The example below gives a possible script that might fulfill this function.

In Samba version 3.0.21 this parameter has been changed to be a per-share parameter, and in addition the parameter dfree cache time was added to allow the output of this script to be cached for systems under heavy load.

The external program will be passed a single parameter indicating a directory in the filesystem being queried. This will typically consist of the string ./. The script should return two integers in ASCII. The first should be the total disk space in blocks, and the second should be the number of available blocks. An optional third return value can give the block size in bytes. The default blocksize is 1024 bytes.

Note: Your script should NOT be setuid or setgid and should be owned by (and writeable only by) root!

Where the script dfree (which must be made executable) could be:

    #!/bin/sh
    df "$1" | tail -1 | awk '{print $(NF-4),$(NF-2)}'

or perhaps (on Sys V based systems):

    #!/bin/sh
    /usr/bin/df -k "$1" | tail -1 | awk '{print $3" "$5}'

Note that you may have to replace the command names with full path names on some systems. Also note the arguments passed into the script should be quoted inside the script in case they contain special characters such as spaces or newlines.

By default internal routines for determining the disk capacity and remaining space will be used.

No default

Example: dfree command = /usr/local/samba/bin/dfree
1901
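The two shell scripts above are the man page's own. As an added illustration that is not part of smb.conf or of Samba, the following Python script does the same job with os.statvfs instead of parsing df output, prints the block size explicitly as the optional third value, and carries a parse_dfree_output helper for checking what any dfree script prints before smbd is pointed at it. The install path /usr/local/samba/bin/dfree.py is an assumed example path. Because the directory argument is taken from argv, the quoting concern above does not arise; the ownership and no-setuid requirements from the note still apply to this script exactly as to a shell one.

```python
#!/usr/bin/env python3
"""Added example of a 'dfree command' helper script (not part of Samba).

smbd runs the script with one argument, the directory being queried, and expects
"<total blocks> <available blocks> [<block size>]" as ASCII integers on stdout.
Assumed to be installed as /usr/local/samba/bin/dfree.py (example path).
"""
import os
import sys

BLOCKSIZE = 1024  # smbd's default block size; reported explicitly as the third value


def dfree_values(path):
    """Return (total_blocks, available_blocks, BLOCKSIZE) for the filesystem holding path."""
    st = os.statvfs(path)
    # f_frsize is the unit the block counters are expressed in; rescale to BLOCKSIZE.
    total = st.f_blocks * st.f_frsize // BLOCKSIZE
    # f_bavail (not f_bfree) is what an unprivileged user can actually allocate.
    avail = st.f_bavail * st.f_frsize // BLOCKSIZE
    return total, avail, BLOCKSIZE


def format_dfree(path):
    """The exact line smbd parses."""
    total, avail, blocksize = dfree_values(path)
    return f"{total} {avail} {blocksize}"


def parse_dfree_output(text, default_blocksize=1024):
    """Validate the output of any dfree script: two or three non-negative integers,
    available <= total, positive block size. Raises ValueError otherwise."""
    fields = text.split()
    if len(fields) not in (2, 3) or not all(f.isdigit() for f in fields):
        raise ValueError(f"malformed dfree output: {text!r}")
    total, avail = int(fields[0]), int(fields[1])
    blocksize = int(fields[2]) if len(fields) == 3 else default_blocksize
    if avail > total or blocksize <= 0:
        raise ValueError(f"inconsistent dfree output: {text!r}")
    return total, avail, blocksize


def main(argv):
    # Accept exactly one existing directory; otherwise exit non-zero without
    # printing anything, so smbd never receives partial or misleading numbers.
    if len(argv) != 2 or not os.path.isdir(argv[1]):
        sys.stderr.write("usage: dfree.py DIRECTORY\n")
        return 1
    print(format_dfree(argv[1]))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Running `./dfree.py ./` prints one line such as `<total> <available> 1024`; piping a candidate script's output through parse_dfree_output is a quick way to confirm it emits what smbd expects before enabling dfree command on a busy share.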
dgram port (G)

Specifies which ports the server should listen on for NetBIOS datagram traffic.

Default: dgram port = 138

directory mode

This parameter is a synonym for directory mask.

directory mask (S)

This parameter is the octal modes which are used when converting DOS modes to UNIX modes when creating UNIX directories.

When a directory is created, the necessary permissions are calculated according to the mapping from DOS modes to UNIX permissions, and the resulting UNIX mode is then bit-wise 'AND'ed with this parameter. This parameter may be thought of as a bit-wise MASK for the UNIX modes of a directory. Any bit not set here will be removed from the modes set on a directory when it is created.

The default value of this parameter removes the 'group' and 'other' write bits from the UNIX mode, allowing only the user who owns the directory to modify it.

Following this Samba will bit-wise 'OR' the UNIX mode created from this parameter with the value of the force directory mode parameter. This parameter is set to 000 by default (i.e. no extra mode bits are added).

Default: directory mask = 0755

Example: directory mask = 0775

directory name cache size (S)

This parameter specifies the size of the directory name cache for SMB1 connections. It is not used for SMB2. It may be necessary to turn this off on *BSD systems.

Default: directory name cache size = 100

directory security mask (S)

This parameter has been removed for Samba 4.0.0.

No default

disable netbios (G)

Enabling this parameter will disable netbios support in Samba. Netbios is the only available form of browsing in all windows versions except for 2000 and XP.

Note
Clients that only support netbios won't be able to see your samba server when netbios support is disabled.
Default: disable netbios = no

disable spoolss (G)

Enabling this parameter will disable Samba's support for the SPOOLSS set of MS-RPC's and will yield identical behavior as Samba 2.0.x. Windows NT/2000 clients will downgrade to using Lanman style printing commands. Windows 9x/ME will be unaffected by the parameter. However, this will also disable the ability to upload printer drivers to a Samba server via the Windows NT Add Printer Wizard or by using the NT printer properties dialog window. It will also disable the capability of Windows NT/2000 clients to download print drivers from the Samba host upon demand. Be very careful about enabling this parameter.

Default: disable spoolss = no

dmapi support (S)

This parameter specifies whether Samba should use DMAPI to determine whether a file is offline or not. This would typically be used in conjunction with a hierarchical storage system that automatically migrates files to tape.

Note that Samba infers the status of a file by examining the events that a DMAPI application has registered interest in. This heuristic is satisfactory for a number of hierarchical storage systems, but there may be systems for which it will fail. In this case, Samba may erroneously report files to be offline.

This parameter is only available if a supported DMAPI implementation was found at compilation time. It will only be used if DMAPI is found to be enabled on the system at run time.

Default: dmapi support = no

dns forwarder (G)

This option specifies the list of DNS servers that DNS requests will be forwarded to if they can not be handled by Samba itself.

The DNS forwarder is only used if the internal DNS server in Samba is used.

Default: dns forwarder =

Example: dns forwarder = 192.168.0.1 192.168.0.2

dns proxy (G)

Specifies that nmbd(8) when acting as a WINS server and finding that a NetBIOS name has not been registered, should treat the NetBIOS name word-for-word as a DNS name and do a lookup with the DNS server for that name on behalf of the name-querying client.

Note that the maximum length for a NetBIOS name is 15 characters, so the DNS name (or DNS alias) can likewise only be 15 characters, maximum.

nmbd spawns a second copy of itself to do the DNS name lookup requests, as doing a name lookup is a blocking action.

Default: dns proxy = yes

dns update command (G)

This option sets the command that is called when there are DNS updates. It should update the local machine's DNS names using TSIG-GSS.

Default: dns update command = /build/samba-UnNxDC/samba-4.13.13+dfsg/source4/scripting/bin/samba_dnsupdate

Example: dns update command = /usr/local/sbin/dnsupdate

dns zone scavenging (G)

When enabled (the default is disabled) unused dynamic dns records are periodically removed.

Warning
This option should not be enabled for installations created with versions of samba before 4.9. Doing this will result in the loss of static DNS entries. This is due to a bug in previous versions of samba (BUG 12451) which marked dynamic DNS records as static and static records as dynamic.

Note
If one record for a DNS name is static (non-aging) then no other record for that DNS name will be scavenged.
Default: dns zone scavenging = no

domain logons (G)

This parameter has been deprecated since Samba 4.13 and support for NT4-style domain logons (as distinct from the Samba AD DC) will be removed in a future Samba release.

That is, in the future, the current default of domain logons = no will be the enforced behaviour.

If set to yes, the Samba server will provide the netlogon service for Windows 9X network logons for the workgroup it is in. This will also cause the Samba server to act as a domain controller for NT4 style domain services. For more details on setting up this feature see the Domain Control chapter of the Samba HOWTO Collection.

Default: domain logons = no

domain master (G)

Tell smbd(8) to enable WAN-wide browse list collation. Setting this option causes nmbd to claim a special domain specific NetBIOS name that identifies it as a domain master browser for its given workgroup. Local master browsers in the same workgroup on broadcast-isolated subnets will give this nmbd their local browse lists, and then ask smbd(8) for a complete copy of the browse list for the whole wide area network. Browser clients will then contact their local master browser, and will receive the domain-wide browse list, instead of just the list for their broadcast-isolated subnet.

Note that Windows NT Primary Domain Controllers expect to be able to claim this workgroup specific special NetBIOS name that identifies them as domain master browsers for that workgroup by default (i.e. there is no way to prevent a Windows NT PDC from attempting to do this). This means that if this parameter is set and nmbd claims the special name for a workgroup before a Windows NT PDC is able to do so then cross subnet browsing will behave strangely and may fail.

If domain logons = yes, then the default behavior is to enable the domain master parameter. If domain logons is not enabled (the default setting), then neither will domain master be enabled by default.

When domain logons = Yes the default setting for this parameter is Yes, with the result that Samba will be a PDC. If domain master = No, Samba will function as a BDC. In general, this parameter should be set to 'No' only on a BDC.

Default: domain master = auto

dont descend (S)

There are certain directories on some systems (e.g., the /proc tree under Linux) that are either not of interest to clients or are infinitely deep (recursive). This parameter allows you to specify a comma-delimited list of directories that the server should always show as empty.

Note that Samba can be very fussy about the exact format of the "dont descend" entries. For example you may need ./proc instead of just /proc. Experimentation is the best policy :-)

Default: dont descend =

Example: dont descend = /proc,/dev

dos charset (G)

DOS SMB clients assume the server has the same charset as they do. This option specifies which charset Samba should talk to DOS clients.

The default depends on which charsets you have installed. Samba tries to use charset 850 but falls back to ASCII in case it is not available. Run testparm(1) to check the default on your system.

No default

dos filemode (S)

The default behavior in Samba is to provide UNIX-like behavior where only the owner of a file/directory is able to change the permissions on it. However, this behavior is often confusing to DOS/Windows users. Enabling this parameter allows a user who has write access to the file (by whatever means, including an ACL permission) to modify the permissions (including ACL) on it. Note that a user belonging to the group owning the file will not be allowed to change permissions if the group is only granted read access. Ownership of the file/directory may also be changed. Note that using the VFS modules acl_xattr or acl_tdb which store native Windows ACLs as meta-data will automatically turn this option on for any share for which they are loaded, as they require this option to emulate Windows ACLs correctly.

Default: dos filemode = no

dos filetime resolution (S)

Under the DOS and Windows FAT filesystem, the finest granularity on time resolution is two seconds. Setting this parameter for a share causes Samba to round the reported time down to the nearest two second boundary when a query call that requires one second resolution is made to smbd(8).

This option is mainly used as a compatibility option for Visual C++ when used against Samba shares. If oplocks are enabled on a share, Visual C++ uses two different time reading calls to check if a file has changed since it was last read. One of these calls uses a one-second granularity, the other uses a two second granularity. As the two second call rounds any odd second down, then if the file has a timestamp of an odd number of seconds then the two timestamps will not match and Visual C++ will keep reporting the file has changed. Setting this option causes the two timestamps to match, and Visual C++ is happy.

Default: dos filetime resolution = no

dos filetimes (S)

Under DOS and Windows, if a user can write to a file they can change the timestamp on it. Under POSIX semantics, only the owner of the file or root may change the timestamp. By default, Samba emulates the DOS semantics and allows one to change the timestamp on a file if the user smbd is acting on behalf of has write permissions. Due to changes in Microsoft Office 2000 and beyond, the default for this parameter has been changed from "no" to "yes" in Samba 3.0.14 and above. Microsoft Excel will display dialog box warnings about the file being changed by another user if this parameter is not set to "yes" and files are being shared between users.

Default: dos filetimes = yes

dsdb event notification (G)

When enabled, this option causes Samba (acting as an Active Directory Domain Controller) to stream Samba database events across the internal message bus. Scripts built using Samba's python bindings can listen to these events by registering as the service dsdb_event.

This is not needed for the audit logging described in log level.

Instead, this should be considered a developer option (it assists in the Samba testsuite) rather than a facility for external auditing, as message delivery is not guaranteed (a feature that the testsuite works around).

The Samba database events are also logged via the normal logging methods when the log level is set appropriately, say to dsdb_json_audit:5.

Default: dsdb event notification = no

dsdb group change notification (G)

When enabled, this option causes Samba (acting as an Active Directory Domain Controller) to stream group membership change events across the internal message bus. Scripts built using Samba's python bindings can listen to these events by registering as the service dsdb_group_event.

This is not needed for the audit logging described in log level.

Instead, this should be considered a developer option (it assists in the Samba testsuite) rather than a facility for external auditing, as message delivery is not guaranteed (a feature that the testsuite works around).

The Samba database events are also logged via the normal logging methods when the log level is set appropriately, say to dsdb_group_json_audit:5.

Default: dsdb group change notification = no

dsdb password event notification (G)

When enabled, this option causes Samba (acting as an Active Directory Domain Controller) to stream password change and reset events across the internal message bus. Scripts built using Samba's python bindings can listen to these events by registering as the service password_event.

This is not needed for the audit logging described in log level.

Instead, this should be considered a developer option (it assists in the Samba testsuite) rather than a facility for external auditing, as message delivery is not guaranteed (a feature that the testsuite works around).

The Samba database events are also logged via the normal logging methods when the log level is set appropriately, say to dsdb_password_json_audit:5.

Default: dsdb password event notification = no

durable handles (S)

This boolean parameter controls whether Samba can grant SMB2 durable file handles on a share.

Note that durable handles are only enabled if kernel oplocks = no, kernel share modes = no, and posix locking = no, i.e. if the share is configured for CIFS/SMB2 only access, not supporting interoperability features with local UNIX processes or NFS operations.

Also note that, for the time being, durability is not granted for a handle that has the delete on close flag set.

Default: durable handles = yes

ea support (S)

This boolean parameter controls whether smbd(8) will allow clients to attempt to access extended attributes on a share. In order to enable this parameter on a setup with default VFS modules:

• Samba must have been built with extended attributes support.

• The underlying filesystem exposed by the share must support extended attributes (e.g. the getfattr(1) / setfattr(1) utilities must work).

Note that the SMB protocol allows setting attributes whose value is 64K bytes long, and that on NTFS, the maximum storage space for extended attributes per file is 64K. On most UNIX systems (Solaris and ZFS file system being the exception), the limits are much lower - typically 4K. Worse, the same 4K space is often used to store system metadata such as POSIX ACLs, or Samba's NT ACLs. Giving clients access to this tight space via extended attribute support could let unsuspecting client applications consume all of it, which would prevent changing system metadata due to lack of space. The default has changed to yes in Samba release 4.9.0 and above to allow better Windows fileserver compatibility in a default install.

Default: ea support = yes

elasticsearch:address (S)

Specifies the name of the Elasticsearch server to use for Spotlight queries when using the Elasticsearch backend.

Default: elasticsearch:address = localhost

Example: elasticsearch:address = needle.haystack.samba.org

elasticsearch:index (S)

Specifies the name of the Elasticsearch index to use for Spotlight queries when using the Elasticsearch backend. The default value of "_all" is a special Elasticsearch value that performs the search operation on all indices.

Default: elasticsearch:index = _all

Example: elasticsearch:index = spotlight

elasticsearch:mappings (G)

Path to a file specifying metadata attribute mappings in JSON format. Used by the Elasticsearch backend of the Spotlight RPC service.

Default: elasticsearch:mappings = /usr/share/samba/elasticsearch_mappings.json

Example: elasticsearch:mappings = /usr/share/foo/mymappings.json

elasticsearch:max results (S)

Maximum number of results returned for a Spotlight query. Used by the Elasticsearch backend of the Spotlight RPC service. A value of 0 means no limit.

Default: elasticsearch:max results = 100

Example: elasticsearch:max results = 10

elasticsearch:port (S)

Specifies the TCP port of the Elasticsearch server to use for Spotlight queries when using the Elasticsearch backend.

Default: elasticsearch:port = 9200

Example: elasticsearch:port = 9201

elasticsearch:use tls (S)

Specifies whether to use HTTPS when talking to the Elasticsearch server used for Spotlight queries when using the Elasticsearch backend.

Default: elasticsearch:use tls = no

Example: elasticsearch:use tls = yes

enable asu support (G)

Hosts running the "Advanced Server for Unix (ASU)" product require some special accommodations such as creating a builtin [ADMIN$] share that only supports IPC connections. This has been the default behavior in smbd for many years. However, certain Microsoft applications such as the Print Migrator tool require that the remote server support an [ADMIN$] file share. Disabling this parameter allows for creating an [ADMIN$] file share in smb.conf.

Default: enable asu support = no

enable core files (G)

This parameter specifies whether core dumps should be written on internal exits. Normally set to yes. You should never need to change this.

Default: enable core files = yes

Example: enable core files = no

enable privileges (G)

This deprecated parameter controls whether or not smbd will honor privileges assigned to specific SIDs via either net rpc rights or one of the Windows user and group manager tools. This parameter is enabled by default. It can be disabled to prevent members of the Domain Admins group from being able to assign privileges to users or groups which can then result in certain smbd operations running as root that would normally run under the context of the connected user.

An example of how privileges can be used is to assign the right to join clients to a Samba controlled domain without providing root access to the server via smbd.

Please read the extended description provided in the Samba HOWTO documentation.

Default: enable privileges = yes

enable spoolss (G)

Inverted synonym for disable spoolss.

Default: enable spoolss = yes

encrypt passwords (G)

This parameter has been deprecated since Samba 4.11 and support for plaintext (as distinct from NTLM, NTLMv2 or Kerberos authentication) will be removed in a future Samba release.

That is, in the future, the current default of encrypt passwords = yes will be the enforced behaviour.

This boolean controls whether encrypted passwords will be negotiated with the client. Note that Windows NT 4.0 SP3 and above and also Windows 98 will by default expect encrypted passwords unless a registry entry is changed. To use encrypted passwords in Samba see the chapter "User Database" in the Samba HOWTO Collection.

MS Windows clients that expect Microsoft encrypted passwords and that do not have plain text password support enabled will be able to connect only to a Samba server that has encrypted password support enabled and for which the user accounts have a valid encrypted password. Refer to the smbpasswd command man page for information regarding the creation of encrypted passwords for user accounts.

The use of plain text passwords is NOT advised as support for this feature is no longer maintained in Microsoft Windows products. If you want to use plain text passwords you must set this parameter to no.

In order for encrypted passwords to work correctly smbd(8) must either have access to a local smbpasswd(5) file (see the smbpasswd(8) program for information on how to set up and maintain this file), or set the security = [domain|ads] parameter which causes smbd to authenticate against another server.

Default: encrypt passwords = yes

enhanced browsing (G)

This option enables a couple of enhancements to cross-subnet browse propagation that have been added in Samba but which are not standard in Microsoft implementations.

The first enhancement to browse propagation consists of a regular wildcard query to a Samba WINS server for all Domain Master Browsers, followed by a browse synchronization with each of the returned DMBs. The second enhancement consists of a regular randomised browse synchronization with all currently known DMBs.

You may wish to disable this option if you have a problem with empty workgroups not disappearing from browse lists. Due to the restrictions of the browse protocols, these enhancements can cause an empty workgroup to stay around forever which can be annoying.

In general you should leave this option enabled as it makes cross-subnet browse propagation much more reliable.

Default: enhanced browsing = yes

enumports command (G)

The concept of a "port" is fairly foreign to UNIX hosts. Under Windows NT/2000 print servers, a port is associated with a port monitor and generally takes the form of a local port (i.e. LPT1:, COM1:, FILE:) or a remote port (i.e. LPD Port Monitor, etc...). By default, Samba has only one port defined--"Samba Printer Port". Under Windows NT/2000, all printers must have a valid port name. If you wish to have a list of ports displayed (smbd does not use a port name for anything) other than the default "Samba Printer Port", you can define enumports command to point to a program which should generate a list of ports, one per line, to standard output. This listing will then be used in response to the level 1 and 2 EnumPorts() RPC.

Default: enumports command =

Example: enumports command = /usr/bin/listports

eventlog list (G)

This option defines a list of log names that Samba will report to the Microsoft EventViewer utility. The listed eventlogs will be associated with a tdb file on disk in the $(statedir)/eventlog.

The administrator must use an external process to parse the normal Unix logs such as /var/log/messages and write the entries to the eventlog tdb files. Refer to the eventlogadm(8) utility for how to write eventlog entries.

Default: eventlog list =

Example: eventlog list = Security Application Syslog Apache

fake directory create times (S)

NTFS and Windows VFAT file systems keep a create time for all files and directories. This is not the same as the ctime - status change time - that Unix keeps, so Samba by default reports the earliest of the various times Unix does keep. Setting this parameter for a share causes Samba to always report midnight 1-1-1980 as the create time for directories.

This option is mainly used as a compatibility option for Visual C++ when used against Samba shares. Visual C++ generated makefiles have the object directory as a dependency for each object file, and a make rule to create the directory. Also, when NMAKE compares timestamps it uses the creation time when examining a directory. Thus the object directory will be created if it does not exist, but once it does exist it will always have an earlier timestamp than the object files it contains.

However, Unix time semantics mean that the create time reported by Samba will be updated whenever a file is created or deleted in the directory. NMAKE finds all object files in the object directory. The timestamp of the last one built is then compared to the timestamp of the object directory. If the directory's timestamp is newer, then all object files will be rebuilt. Enabling this option ensures directories always predate their contents and an NMAKE build will proceed as expected.

Default: fake directory create times = no

fake oplocks (S)

Oplocks are the way that SMB clients get permission from a server to locally cache file operations. If a server grants an oplock (opportunistic lock) then the client is free to assume that it is the only one accessing the file and it will aggressively cache file data. With some oplock types the client may even cache file open/close operations. This can give enormous performance benefits.

When you set fake oplocks = yes, smbd(8) will always grant oplock requests no matter how many clients are using the file.

It is generally much better to use the real oplocks support rather than this parameter.

If you enable this option on all read-only shares or shares that you know will only be accessed from one client at a time such as physically read-only media like CDROMs, you will see a big performance improvement on many operations. If you enable this option on shares where multiple clients may be accessing the files read-write at the same time you can get data corruption. Use this option carefully!

Default: fake oplocks = no

follow symlinks (S)

This parameter allows the Samba administrator to stop smbd(8) from following symbolic links in a particular share. Setting this parameter to no prevents any file or directory that is a symbolic link from being followed (the user will get an error). This option is very useful to stop users from adding a symbolic link to /etc/passwd in their home directory for instance. However it will slow filename lookups down slightly.

This option is enabled (i.e. smbd will follow symbolic links) by default.

Default: follow symlinks = yes
2388
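The /etc/passwd case above is the classic reason to set follow symlinks = no. As an added illustration, not Samba's implementation, the Python function below performs the check that setting implies for a client-supplied path: it walks the path component by component below the share root and reports any component that is a symbolic link, using lstat semantics so the link target is never resolved, and it rejects paths that climb out of the share root with "..". The share root, file names and the throwaway directory built by demo() are constructed for the example.

```python
import os
import tempfile


def symlink_components(share_root, client_path):
    """Return the components of client_path (relative to share_root) that are symlinks.

    Each component is tested with os.path.islink (lstat), so the link target is never
    followed; an empty list means the path would be opened under 'follow symlinks = no'.
    Raises ValueError if the normalized path would leave share_root.
    """
    rel = os.path.normpath(client_path.replace("\\", os.sep))
    if os.path.isabs(rel) or rel == ".." or rel.startswith(".." + os.sep):
        raise ValueError(f"path escapes the share root: {client_path!r}")
    links = []
    cur = share_root
    for part in rel.split(os.sep):
        if part in ("", "."):
            continue
        cur = os.path.join(cur, part)
        if os.path.islink(cur):
            links.append(os.path.relpath(cur, share_root))
    return links


def would_be_refused(share_root, client_path):
    """True if smbd with 'follow symlinks = no' would return an error for this path."""
    return bool(symlink_components(share_root, client_path))


def demo():
    """Build a constructed share containing a symlink to a file outside it and run the check."""
    with tempfile.TemporaryDirectory() as tmp:
        share = os.path.join(tmp, "share")
        os.makedirs(os.path.join(share, "docs"))
        outside = os.path.join(tmp, "secret.txt")  # constructed stand-in for /etc/passwd
        with open(outside, "w") as fh:
            fh.write("not for clients\n")
        with open(os.path.join(share, "docs", "readme.txt"), "w") as fh:
            fh.write("hello\n")
        # A user-created link pointing outside the share, and a link to a directory inside it.
        os.symlink(outside, os.path.join(share, "docs", "link.txt"))
        os.symlink(os.path.join(share, "docs"), os.path.join(share, "alias"))
        return {
            "plain": symlink_components(share, "docs/readme.txt"),
            "via_link": symlink_components(share, "docs\\link.txt"),
            "via_dir_link": symlink_components(share, "alias/readme.txt"),
            "refused": would_be_refused(share, "docs/link.txt"),
        }


if __name__ == "__main__":
    print(demo())
```

The directory link case shows why the check must look at every component rather than only the final name: with alias pointing at docs, the file readme.txt is ordinary but the path still passes through a symlink.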
force create mode (S)

This parameter specifies a set of UNIX mode bit permissions that will always be set on a file created by Samba. This is done by bitwise 'OR'ing these bits onto the mode bits of a file that is being created. The default for this parameter is (in octal) 000. The modes in this parameter are bitwise 'OR'ed onto the file mode after the mask set in the create mask parameter is applied.

The example below would force all newly created files to have read and execute permissions set for 'group' and 'other' as well as the read/write/execute bits set for the 'user'.

Default: force create mode = 0000

Example: force create mode = 0755

force directory mode (S)

This parameter specifies a set of UNIX mode bit permissions that will always be set on a directory created by Samba. This is done by bitwise 'OR'ing these bits onto the mode bits of a directory that is being created. The default for this parameter is (in octal) 0000 which will not add any extra permission bits to a created directory. This operation is done after the mode mask in the parameter directory mask is applied.

The example below would force all created directories to have read and execute permissions set for 'group' and 'other' as well as the read/write/execute bits set for the 'user'.

Default: force directory mode = 0000

Example: force directory mode = 0755
2415
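As an added example that is not from the man page or from Samba's source, this Python snippet shows the order of operations described under directory mask, force create mode and force directory mode: the UNIX mode derived from the DOS attributes is ANDed with the mask, and the result is ORed with the force mode. It also flags the bits a force mode re-adds although the mask removed them, which is the combination worth noticing when reviewing a share, because the mask then no longer bounds the permissions created. The mapped_mode inputs are constructed; the directory defaults are the ones stated on this page, and because the create mask default is not stated in this section, file_mode takes the mask as an explicit argument.

```python
import stat

# Defaults as documented on this page for directories.
DIRECTORY_MASK_DEFAULT = 0o755
FORCE_DIRECTORY_MODE_DEFAULT = 0o000


def apply_mode_policy(mapped_mode, mask, force_mode):
    """Samba's order of operations for a newly created object:
    AND the DOS-derived UNIX mode with the mask, then OR in the force mode."""
    return ((mapped_mode & mask) | force_mode) & 0o7777


def directory_mode(mapped_mode, directory_mask=DIRECTORY_MASK_DEFAULT,
                   force_directory_mode=FORCE_DIRECTORY_MODE_DEFAULT):
    """Effective mode of a directory created by smbd under the given settings."""
    return apply_mode_policy(mapped_mode, directory_mask, force_directory_mode)


def file_mode(mapped_mode, create_mask, force_create_mode=0o000):
    """Same computation for files, with 'create mask' and 'force create mode'."""
    return apply_mode_policy(mapped_mode, create_mask, force_create_mode)


def widened_bits(mask, force_mode):
    """Permission bits a force mode grants even though the mask strips them.
    Non-zero means the mask is no longer the upper bound on created permissions."""
    return force_mode & ~mask & 0o7777


def as_ls_string(mode, is_dir=True):
    """Render a mode the way ls -l would (e.g. 'drwxr-xr-x')."""
    return stat.filemode((stat.S_IFDIR if is_dir else stat.S_IFREG) | mode)


if __name__ == "__main__":
    # Constructed input: a DOS-mapped mode of rwx for everyone before the mask is applied.
    mapped = 0o777
    print("default     :", as_ls_string(directory_mode(mapped)))               # drwxr-xr-x
    print("mask 0775   :", as_ls_string(directory_mode(mapped, 0o775)))        # drwxrwxr-x
    print("force 0755  :", as_ls_string(directory_mode(0o700, 0o755, 0o755)))  # drwxr-xr-x
    print("widened bits: %04o" % widened_bits(0o755, 0o775))                   # 0020
```

The last line is the review check: with directory mask = 0755 and force directory mode = 0775, the group write bit is granted on every new directory even though the mask was meant to remove it.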
force directory security mode (S)

This parameter has been removed for Samba 4.0.0.

No default

group

This parameter is a synonym for force group.

force group (S)

This specifies a UNIX group name that will be assigned as the default primary group for all users connecting to this service. This is useful for sharing files by ensuring that all access to files on the service will use the named group for their permissions checking. Thus, by assigning permissions for this group to the files and directories within this service the Samba administrator can restrict or allow sharing of these files.

In Samba 2.0.5 and above this parameter has extended functionality in the following way. If the group name listed here has a '+' character prepended to it then the current user accessing the share only has the primary group default assigned to this group if they are already assigned as a member of that group. This allows an administrator to decide that only users who are already in a particular group will create files with group ownership set to that group. This gives a finer granularity of ownership assignment. For example, the setting force group = +sys means that only users who are already in group sys will have their default primary group assigned to sys when accessing this Samba share. All other users will retain their ordinary primary group.

If the force user parameter is also set the group specified in force group will override the primary group set in force user.

Default: force group =

Example: force group = agroup
2445
force printername (S)

When printing from Windows NT (or later), each printer in smb.conf has two associated names which can be used by the client. The first is the sharename (or shortname) defined in smb.conf. This is the only printername available for use by Windows 9x clients. The second name associated with a printer can be seen when browsing to the "Printers" (or "Printers and Faxes") folder on the Samba server. This is referred to simply as the printername (not to be confused with the printer name option).

When assigning a new driver to a printer on a remote Windows compatible print server such as Samba, the Windows client will rename the printer to match the driver name just uploaded. This can result in confusion for users when multiple printers are bound to the same driver. To prevent Samba from allowing the printer's printername to differ from the sharename defined in smb.conf, set force printername = yes.

Be aware that enabling this parameter may affect migrating printers from a Windows server to Samba since Windows has no way to force the sharename and printername to match.

It is recommended that this parameter's value not be changed once the printer is in use by clients as this could cause a user not being able to delete printer connections from their local Printers folder.

Default: force printername = no
2465
force security mode (S)

This parameter has been removed for Samba 4.0.0.

No default

force unknown acl user (S)

If this parameter is set, a Windows NT ACL that contains an unknown SID (security descriptor, or representation of a user or group id) as the owner or group owner of the file will be silently mapped into the current UNIX uid or gid of the currently connected user.

This is designed to allow Windows NT clients to copy files and folders containing ACLs that were created locally on the client machine and contain users local to that machine only (no domain users) to be copied to a Samba server (usually with XCOPY /O) and have the unknown userid and groupid of the file owner map to the current connected user. This can only be fixed correctly when winbindd allows arbitrary mapping from any Windows NT SID to a UNIX uid or gid.

Try using this parameter when XCOPY /O gives an ACCESS_DENIED error.

Default: force unknown acl user = no
2485
force user (S)

This specifies a UNIX user name that will be assigned as the default user for all users connecting to this service. This is useful for sharing files. You should also use it carefully as using it incorrectly can cause security problems.

This user name only gets used once a connection is established. Thus clients still need to connect as a valid user and supply a valid password. Once connected, all file operations will be performed as the "forced user", no matter what username the client connected as. This can be very useful.

In Samba 2.0.5 and above this parameter also causes the primary group of the forced user to be used as the primary group for all file activity. Prior to 2.0.5 the primary group was left as the primary group of the connecting user (this was a bug).

Default: force user =

Example: force user = auser
2501
fss: prune stale (G)

When enabled, Samba's File Server Remote VSS Protocol (FSRVP) server checks all FSRVP initiated snapshots on startup, and removes any corresponding state (including share definitions) for nonexistent snapshot paths.

Default: fss: prune stale = no

Example: fss: prune stale = yes

fss: sequence timeout (G)

The File Server Remote VSS Protocol (FSRVP) server includes a message sequence timer to ensure cleanup on unexpected client disconnect. This parameter overrides the default timeout between FSRVP operations. FSRVP timeouts can be completely disabled via a value of 0.

Default: fss: sequence timeout = 180 or 1800, depending on operation

Example: fss: sequence timeout = 0

fstype (S)

This parameter allows the administrator to configure the string that specifies the type of filesystem a share is using that is reported by smbd(8) when a client queries the filesystem type for a share. The default type is NTFS for compatibility with Windows NT but this can be changed to other strings such as Samba or FAT if required.

Default: fstype = NTFS

Example: fstype = Samba
2530
get quota command (G)

The get quota command should only be used whenever there is no operating system API available from the OS that samba can use.

This option is only available if Samba was compiled with quotas support.

This parameter should specify the path to a script that queries the quota information for the specified user/group for the partition that the specified directory is on.

Such a script is given 3 arguments:

• directory

• type of query

• uid of user or gid of group

The directory is actually mostly just "." - It needs to be treated relative to the current working directory, which the script can also query.

The type of query can be one of:

• 1 - user quotas

• 2 - user default quotas (uid = -1)

• 3 - group quotas

• 4 - group default quotas (gid = -1)

This script should print one line as output with spaces between the columns. The printed columns should be:

• 1 - quota flags (0 = no quotas, 1 = quotas enabled, 2 = quotas enabled and enforced)

• 2 - number of currently used blocks

• 3 - the softlimit number of blocks

• 4 - the hardlimit number of blocks

• 5 - currently used number of inodes

• 6 - the softlimit number of inodes

• 7 - the hardlimit number of inodes

• 8 (optional) - the number of bytes in a block (default is 1024)

Default: get quota command =

Example: get quota command = /usr/local/sbin/query_quota
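The argument and output contract above, as an added example of a get quota command script (not part of Samba or of this manual page). The quota table is constructed for the example; a real script would query the operating system at that point.

```python
#!/usr/bin/env python3
"""Skeleton for a 'get quota command' script (added example, not Samba code).

Samba runs:  <script> <directory> <query type> <uid-or-gid>
and reads one line of space-separated columns from stdout, in the column
order documented under 'get quota command'.
"""
import os
import sys

BLOCK_SIZE = 1024  # optional 8th column; 1024 is the documented default

# Query types as defined by smb.conf: 1/2 are user, 3/4 are group;
# 2 and 4 are the "default quota" queries, which carry an id of -1.
USER_QUOTA, USER_DEFAULT, GROUP_QUOTA, GROUP_DEFAULT = 1, 2, 3, 4
DEFAULT_QUERIES = {USER_DEFAULT, GROUP_DEFAULT}

# Constructed sample data keyed by (query type, id). Each entry holds the
# flags column (0 = no quotas, 1 = enabled, 2 = enabled and enforced) and
# (used, soft limit, hard limit) tuples for blocks and for inodes.
SAMPLE_TABLE = {
    (USER_QUOTA, 1000): (2, (51200, 102400, 153600), (1200, 5000, 6000)),
    (GROUP_QUOTA, 100): (1, (409600, 0, 0), (9000, 0, 0)),  # enabled, no limits
    (USER_DEFAULT, -1): (2, (0, 102400, 153600), (0, 5000, 6000)),
    (GROUP_DEFAULT, -1): (0, (0, 0, 0), (0, 0, 0)),
}


def parse_args(argv):
    """Validate the three arguments Samba passes and return them typed."""
    if len(argv) != 3:
        raise ValueError("expected: <directory> <query type> <uid|gid>")
    directory, qtype, xid = argv[0], int(argv[1]), int(argv[2])
    # The directory is usually "." and is relative to the working directory
    # Samba started the script in; it must exist there.
    if not os.path.isdir(directory):
        raise ValueError(f"not a directory: {directory!r}")
    if qtype not in (USER_QUOTA, USER_DEFAULT, GROUP_QUOTA, GROUP_DEFAULT):
        raise ValueError(f"unknown query type {qtype}")
    if (qtype in DEFAULT_QUERIES) != (xid == -1):
        # default-quota queries carry -1; explicit queries carry a real id
        raise ValueError(f"id {xid} does not match query type {qtype}")
    return directory, qtype, xid


def query_quota(directory, qtype, xid, table=SAMPLE_TABLE):
    """Return the single output line Samba parses, or None if no entry.

    A real implementation would use 'directory' to find the filesystem and
    ask the OS; here the constructed table stands in for that lookup.
    """
    entry = table.get((qtype, xid))
    if entry is None:
        return None
    flags, (bused, bsoft, bhard), (iused, isoft, ihard) = entry
    cols = [flags, bused, bsoft, bhard, iused, isoft, ihard, BLOCK_SIZE]
    return " ".join(str(c) for c in cols)


def main(argv=None):
    """Script entry point; returns the process exit status."""
    args = sys.argv[1:] if argv is None else argv
    try:
        directory, qtype, xid = parse_args(args)
    except ValueError as exc:
        print(f"query_quota: {exc}", file=sys.stderr)
        return 2
    line = query_quota(directory, qtype, xid)
    if line is None:
        # Unknown id: report "no quotas" rather than fail the share.
        line = " ".join(["0"] * 7 + [str(BLOCK_SIZE)])
    print(line)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```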
2582
getwd cache (G)

This is a tuning option. When this is enabled a caching algorithm will be used to reduce the time taken for getwd() calls. This can have a significant impact on performance, especially when the wide links parameter is set to no.

Default: getwd cache = yes

gpo update command (G)

This option sets the command that is called to apply GPO policies. The samba-gpupdate script applies System Access and Kerberos Policies to the KDC. System Access policies set minPwdAge, maxPwdAge, minPwdLength, and pwdProperties in the samdb. Kerberos Policies set kdc:service ticket lifetime, kdc:user ticket lifetime, and kdc:renewal lifetime in smb.conf.

Default: gpo update command = /build/samba-UnNxDC/samba-4.13.13+dfsg/source4/scripting/bin/samba-gpupdate

Example: gpo update command = /usr/local/sbin/gpoupdate

guest account (G)

This is a username which will be used for access to services which are specified as guest ok (see below). Whatever privileges this user has will be available to any client connecting to the guest service. This user must exist in the password file, but does not require a valid login. The user account "ftp" is often a good choice for this parameter.

On some systems the default guest account "nobody" may not be able to print. Use another account in this case. You should test this by trying to log in as your guest user (perhaps by using the su - command) and trying to print using the system print command such as lpr(1) or lp(1).

This parameter does not accept % macros, because many parts of the system require this value to be constant for correct operation.

Default: guest account = nobody # default can be changed at compile-time

Example: guest account = ftp
2615
public

This parameter is a synonym for guest ok.

guest ok (S)

If this parameter is yes for a service, then no password is required to connect to the service. Privileges will be those of the guest account.

This parameter nullifies the benefits of setting restrict anonymous = 2.

See the section below on security for more information about this option.

Default: guest ok = no

only guest

This parameter is a synonym for guest only.

guest only (S)

If this parameter is yes for a service, then only guest connections to the service are permitted. This parameter will have no effect if guest ok is not set for the service.

See the section below on security for more information about this option.

Default: guest only = no
2643
hide dot files (S)

This is a boolean parameter that controls whether files starting with a dot appear as hidden files.

Default: hide dot files = yes

hide files (S)

This is a list of files or directories that are not visible but are accessible. The DOS 'hidden' attribute is applied to any files or directories that match.

Each entry in the list must be separated by a '/', which allows spaces to be included in the entry. '*' and '?' can be used to specify multiple files or directories as in DOS wildcards.

Each entry must be a Unix path, not a DOS path and must not include the Unix directory separator '/'.

Note that the case sensitivity option is applicable in hiding files.

Setting this parameter will affect the performance of Samba, as it will be forced to check all files and directories for a match as they are scanned.

An example of use of this parameter is:

hide files = /.*/DesktopFolderDB/TrashFor%m/resource.frk/

This example is based on files that the Macintosh SMB client (DAVE) available from Thursby creates for internal use, and also still hides all files beginning with a dot.

Default: hide files = # no files are hidden
2673
hide new files timeout (S)

Setting this parameter to a value other than 0 hides files that have been modified less than N seconds ago.

It can be used for ingest/process queue style workloads. A processing application should only see files that are definitely finished. As many applications do not have proper external workflow control, this can be a way to make sure processing does not interfere with file ingest.

Default: hide new files timeout = 0

hide special files (S)

This parameter prevents clients from seeing special files such as sockets, devices and fifo's in directory listings.

Default: hide special files = no

hide unreadable (S)

This parameter prevents clients from seeing the existence of files that cannot be read. Defaults to off.

Please note that enabling this can slow down listing large directories significantly. Samba has to evaluate the ACLs of all directory members, which can be a lot of effort.

Default: hide unreadable = no

hide unwriteable files (S)

This parameter prevents clients from seeing the existence of files that cannot be written to. Defaults to off. Note that unwriteable directories are shown as usual.

Please note that enabling this can slow down listing large directories significantly. Samba has to evaluate the ACLs of all directory members, which can be a lot of effort.

Default: hide unwriteable files = no
2708
homedir map (G)

If nis homedir is yes, and smbd(8) is also acting as a Win95/98 logon server then this parameter specifies the NIS (or YP) map from which the server for the user's home directory should be extracted. At present, only the Sun auto.home map format is understood. The form of the map is:

username server:/some/file/system

and the program will extract the servername from before the first ':'. There should probably be a better parsing system that copes with different map formats and also Amd (another automounter) maps.

Note
    A working NIS client is required on the system for this option to work.

Default: homedir map =

Example: homedir map = amd.homedir

host msdfs (G)

If set to yes, Samba will act as a Dfs server, and allow Dfs-aware clients to browse Dfs trees hosted on the server.

See also the msdfs root share level parameter. For more information on setting up a Dfs tree on Samba, refer to the MSDFS chapter in the book Samba3-HOWTO.

Default: host msdfs = yes

hostname lookups (G)

Specifies whether samba should use (expensive) hostname lookups or use the ip addresses instead. An example place where hostname lookups are currently used is when checking the hosts deny and hosts allow.

Default: hostname lookups = no

Example: hostname lookups = yes
2743
allow hosts

This parameter is a synonym for hosts allow.

hosts allow (S)

A synonym for this parameter is allow hosts.

This parameter is a comma, space, or tab delimited set of hosts which are permitted to access a service.

If specified in the [global] section then it will apply to all services, regardless of whether the individual service has a different setting.

You can specify the hosts by name or IP number. For example, you could restrict access to only the hosts on a Class C subnet with something like allow hosts = 150.203.5. (note the trailing dot). The full syntax of the list is described in the man page hosts_access(5). Note that this man page may not be present on your system, so a brief description will be given here also.

Note that the localhost address 127.0.0.1 will always be allowed access unless specifically denied by a hosts deny option.

You can also specify hosts by network/netmask pairs and by netgroup names if your system supports netgroups. The EXCEPT keyword can also be used to limit a wildcard list. The following examples may provide some help:

Example 1: allow all IPs in 150.203.*.*; except one

hosts allow = 150.203. EXCEPT 150.203.6.66

Example 2: allow hosts that match the given network/netmask

hosts allow = 150.203.15.0/255.255.255.0

Example 3: allow a couple of hosts

hosts allow = lapland, arvidsjaur

Example 4: allow only hosts in NIS netgroup "foonet", but deny access from one particular host

hosts allow = @foonet

hosts deny = pirate

Note
    Note that access still requires suitable user-level passwords.

See testparm(1) for a way of testing your host access to see if it does what you expect.

Default: hosts allow = # none (i.e., all hosts permitted access)

Example: hosts allow = 150.203.5. myhost.mynet.edu.au

deny hosts

This parameter is a synonym for hosts deny.

hosts deny (S)

The opposite of hosts allow - hosts listed here are NOT permitted access to services unless the specific services have their own lists to override this one. Where the lists conflict, the allow list takes precedence.

In the event that it is necessary to deny all by default, use the keyword ALL (or the netmask 0.0.0.0/0) and then explicitly specify to the hosts allow parameter those hosts that should be permitted access.

Default: hosts deny = # none (i.e., no hosts specifically excluded)

Example: hosts deny = 150.203.4. badhost.mynet.edu.au
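The hosts allow / hosts deny rules above, as an added model for checking a configuration before deploying it (this is not Samba's own access code, which follows hosts_access(5)). It assumes a constructed netgroup table in place of NIS, and treats an allow list on its own as admitting only the listed hosts.

```python
"""Model of smb.conf(5) 'hosts allow' / 'hosts deny' evaluation.

Added example, not Samba's implementation. Supported entry forms are the
ones the manual page lists: host names, IP prefixes ending in '.',
network/netmask or network/bits pairs, the ALL keyword, @netgroup names
and the EXCEPT keyword.
"""
import ipaddress
import re

# Constructed netgroup table standing in for NIS (assumption for the example).
NETGROUPS = {"foonet": {"lapland", "arvidsjaur"}}


def split_list(value):
    """Split a comma, space or tab delimited smb.conf host list."""
    return [t for t in re.split(r"[,\s]+", value.strip()) if t]


def match_entry(entry, ip, hostname, netgroups=NETGROUPS):
    """True if one list entry matches the client address or name."""
    if entry == "ALL":
        return True
    if entry.startswith("@"):  # NIS netgroup, matched by host name
        return hostname in netgroups.get(entry[1:], set())
    if "/" in entry:  # network/netmask (also covers 0.0.0.0/0)
        try:
            return ip in ipaddress.ip_network(entry, strict=False)
        except ValueError:
            return False
    if entry.endswith("."):  # leading-octet prefix such as 150.203.
        return str(ip).startswith(entry)
    try:
        return ip == ipaddress.ip_address(entry)
    except ValueError:  # not an address: compare as a host name
        return bool(hostname) and entry.lower() == hostname.lower()


def list_matches(value, ip, hostname):
    """Evaluate one list; with EXCEPT, the part before it must match and
    the part after it must not."""
    tokens = split_list(value)
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        wanted, excluded = tokens[:i], tokens[i + 1:]
    else:
        wanted, excluded = tokens, []
    hit = any(match_entry(t, ip, hostname) for t in wanted)
    excepted = any(match_entry(t, ip, hostname) for t in excluded)
    return hit and not excepted


def host_permitted(hosts_allow, hosts_deny, client_ip, client_name=""):
    """Combine both lists the way the manual page describes."""
    ip = ipaddress.ip_address(client_ip)
    allowed = list_matches(hosts_allow, ip, client_name)
    denied = list_matches(hosts_deny, ip, client_name)
    if ip.is_loopback:
        # 127.0.0.1 is always admitted unless hosts deny names it and the
        # allow list does not override that.
        return allowed or not denied
    if not split_list(hosts_allow) and not split_list(hosts_deny):
        return True  # neither list set: every host permitted
    if not split_list(hosts_deny):
        return allowed  # allow list alone: only the listed hosts
    if allowed:
        return True  # where the lists conflict, allow wins
    # With both lists set, a host on neither list is admitted; denying by
    # default therefore needs ALL (or 0.0.0.0/0) in hosts deny.
    return not denied
```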
2807
idmap backend (G)

The idmap backend provides a plugin interface for Winbind to use varying backends to store SID/uid/gid mapping tables.

This option specifies the default backend that is used when no special configuration is set, but it is now deprecated in favour of the new spelling idmap config * : backend.

Default: idmap backend = tdb

idmap cache time (G)

This parameter specifies the number of seconds that Winbind's idmap interface will cache positive SID/uid/gid query results. By default, Samba will cache these results for one week.

Default: idmap cache time = 604800

idmap config DOMAIN : OPTION (G)

ID mapping in Samba is the mapping between Windows SIDs and Unix user and group IDs. This is performed by Winbindd with a configurable plugin interface. Samba's ID mapping is configured by options starting with the idmap config prefix. An idmap option consists of the idmap config prefix, followed by a domain name or the asterisk character (*), a colon, and the name of an idmap setting for the chosen domain.

The idmap configuration is hence divided into groups, one group for each domain to be configured, and one group with the asterisk instead of a proper domain name, which specifies the default configuration that is used to catch all domains that do not have an explicit idmap configuration of their own.

There are three general options available:

backend = backend_name
    This specifies the name of the idmap plugin to use as the SID/uid/gid backend for this domain. The standard backends are tdb (idmap_tdb(8)), tdb2 (idmap_tdb2(8)), ldap (idmap_ldap(8)), rid (idmap_rid(8)), hash (idmap_hash(8)), autorid (idmap_autorid(8)), ad (idmap_ad(8)) and nss (idmap_nss(8)). The corresponding manual pages contain the details, but here is a summary.

    The first three of these create mappings of their own using internal unixid counters and store the mappings in a database. These are suitable for use in the default idmap configuration. The rid and hash backends use a pure algorithmic calculation to determine the unixid for a SID. The autorid module is a mixture of the tdb and rid backend. It creates ranges for each domain encountered and then uses the rid algorithm for each of these automatically configured domains individually. The ad backend uses unix ids stored in Active Directory via the standard schema extensions. The nss backend reverses the standard winbindd setup and gets the unix ids via names from nsswitch which can be useful in an ldap setup.

range = low - high
    Defines the available matching uid and gid range for which the backend is authoritative. For allocating backends, this also defines the start and the end of the range for allocating new unique IDs.

    winbind uses this parameter to find the backend that is authoritative for a unix ID to SID mapping, so it must be set for each individually configured domain and for the default configuration. The configured ranges must be mutually disjoint.

    Note that the low value interacts with the min domain uid option!

read only = yes|no
    This option can be used to turn the writing backends tdb, tdb2, and ldap into read only mode. This can be useful e.g. in cases where a pre-filled database exists that should not be extended automatically.

The following example illustrates how to configure the idmap_ad(8) backend for the CORP domain and the idmap_tdb(8) backend for all other domains. This configuration assumes that the admin of CORP assigns unix ids below 1000000 via the SFU extensions, and winbind is supposed to use the next million entries for its own mappings from trusted domains and for local groups for example.

idmap config * : backend = tdb
idmap config * : range = 1000000-1999999

idmap config CORP : backend = ad
idmap config CORP : range = 1000-999999

No default

winbind gid

This parameter is a synonym for idmap gid.

idmap gid (G)

The idmap gid parameter specifies the range of group ids for the default idmap configuration. It is now deprecated in favour of idmap config * : range.

See the idmap config option.

Default: idmap gid =

Example: idmap gid = 10000-20000

idmap negative cache time (G)

This parameter specifies the number of seconds that Winbind's idmap interface will cache negative SID/uid/gid query results.

Default: idmap negative cache time = 120

winbind uid

This parameter is a synonym for idmap uid.

idmap uid (G)

The idmap uid parameter specifies the range of user ids for the default idmap configuration. It is now deprecated in favour of idmap config * : range.

See the idmap config option.

Default: idmap uid =

Example: idmap uid = 10000-20000
2909
include (S)

This allows you to include one config file inside another. The file is included literally, as though typed in place.

It takes the standard substitutions, except %u, %P and %S.

The parameter include = registry has a special meaning: It does not include a file named registry from the current working directory, but instead reads the global configuration options from the registry. See the section on registry-based configuration for details. Note that this option automatically activates registry shares.

Default: include =

Example: include = /usr/local/samba/lib/admin_smb.conf

include system krb5 conf (G)

Setting this parameter to no will prevent winbind from including the system /etc/krb5.conf file into the krb5.conf file it creates. See also create krb5 conf. This option only applies to Samba built with MIT Kerberos.

Default: include system krb5 conf = yes

inherit acls (S)

This parameter can be used to ensure that if default acls exist on parent directories, they are always honored when creating a new file or subdirectory in these parent directories. The default behavior is to use the unix mode specified when creating the directory. Enabling this option sets the unix mode to 0777, thus guaranteeing that default directory acls are propagated. Note that using the VFS modules acl_xattr or acl_tdb which store native Windows ACLs as meta-data will automatically turn this option on for any share for which they are loaded, as they require this option to emulate Windows ACLs correctly.

Default: inherit acls = no
2940
inherit owner (S)

The ownership of new files and directories is normally governed by the effective uid of the connected user. This option allows the Samba administrator to specify that the ownership for new files and directories should be controlled by the ownership of the parent directory.

Valid options are:

• no - Both the Windows (SID) owner and the UNIX (uid) owner of the file are governed by the identity of the user that created the file.

• windows and unix - The Windows (SID) owner and the UNIX (uid) owner of new files and directories are set to the respective owner of the parent directory.

• yes - a synonym for windows and unix.

• unix only - Only the UNIX owner is set to the UNIX owner of the parent directory.

Common scenarios where this behavior is useful are in implementing drop-boxes, where users can create and edit files but not delete them, and ensuring that newly created files in a user's roaming profile directory are actually owned by the user.

The unix only option effectively breaks the tie between the Windows owner of a file and the UNIX owner. As a logical consequence, in this mode, setting the Windows owner of a file does not modify the UNIX owner. Using this mode should typically be combined with a backing store that can emulate the full NT ACL model without affecting the POSIX permissions, such as the acl_xattr VFS module, coupled with acl_xattr:ignore system acls = yes. This can be used to emulate folder quotas, when files are exposed only via SMB (without UNIX extensions). The UNIX owner of a directory is locally set and inherited by all subdirectories and files, and they all consume the same quota.

Default: inherit owner = no

inherit permissions (S)

The permissions on new files and directories are normally governed by create mask, directory mask, force create mode and force directory mode but the boolean inherit permissions parameter overrides this.

New directories inherit the mode of the parent directory, including bits such as setgid.

New files inherit their read/write bits from the parent directory. Their execute bits continue to be determined by map archive, map hidden and map system as usual.

Note that the setuid bit is never set via inheritance (the code explicitly prohibits this).

This can be particularly useful on large systems with many users, perhaps several thousand, to allow a single [homes] share to be used flexibly by each user.

Default: inherit permissions = no
2987
init logon delay (G)

This parameter specifies a delay in milliseconds for the hosts configured for delayed initial samlogon with init logon delayed hosts.

Default: init logon delay = 100

init logon delayed hosts (G)

This parameter takes a list of host names, addresses or networks for which the initial samlogon reply should be delayed (so other DCs get preferred by XP workstations if there are any).

The length of the delay can be specified with the init logon delay parameter.

Default: init logon delayed hosts =

Example: init logon delayed hosts = 150.203.5. myhost.mynet.de
3004
interfaces (G)

This option allows you to override the default network interfaces list that Samba will use for browsing, name registration and other NetBIOS over TCP/IP (NBT) traffic. By default Samba will query the kernel for the list of all active interfaces and use any interfaces except 127.0.0.1 that are broadcast capable.

The option takes a list of interface strings. Each string can be in any of the following forms:

• a network interface name (such as eth0). This may include shell-like wildcards so eth* will match any interface starting with the substring "eth"

• an IP address. In this case the netmask is determined from the list of interfaces obtained from the kernel

• an IP/mask pair.

• a broadcast/mask pair.

The "mask" parameters can either be a bit length (such as 24 for a C class network) or a full netmask in dotted decimal form.

The "IP" parameters above can either be a full dotted decimal IP address or a hostname which will be looked up via the OS's normal hostname resolution mechanisms.

By default Samba enables all active interfaces that are broadcast capable except the loopback adaptor (IP address 127.0.0.1).

In order to support SMB3 multi-channel configurations, smbd understands some extra parameters which can be appended after the actual interface with this extended syntax (note that the quoting is important in order to handle the ; and , characters):

"interface[;key1=value1[,key2=value2[...]]]"

Known keys are speed, capability, and if_index. Speed is specified in bits per second. Known capabilities are RSS and RDMA. The if_index should be used with care: the values must not coincide with indexes used by the kernel. Note that these options are mainly intended for testing and development rather than for production use. At least on Linux systems, these values should be auto-detected, but the settings can serve as a last resort when autodetection is not working or is not available. The specified values overwrite the auto-detected values.

The first two examples below configure three network interfaces corresponding to the eth0 device and IP addresses 192.168.2.10 and 192.168.3.10. The netmasks of the latter two interfaces would be set to 255.255.255.0.

The other examples show how per interface extra parameters can be specified. Notice the possible usage of "," and ";", which makes the double quoting necessary.

Default: interfaces =

Example: interfaces = eth0 192.168.2.10/24 192.168.3.10/255.255.255.0

Example: interfaces = eth0, 192.168.2.10/24; 192.168.3.10/255.255.255.0

Example: interfaces = "eth0;if_index=65,speed=1000000000,capability=RSS"

Example: interfaces = "lo;speed=1000000000" "eth0;capability=RSS"

Example: interfaces = "lo;speed=1000000000" , "eth0;capability=RSS"

Example: interfaces = "eth0;capability=RSS" , "rdma1;capability=RDMA" ; "rdma2;capability=RSS,capability=RDMA"
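The list syntax and the quoted multi-channel extension described above, as an added parser for validating an interfaces value before it reaches smbd (example code, not Samba's own parser). It assumes that a bare token which is not an address is an interface-name pattern; Samba may additionally resolve such a token as a host name.

```python
"""Parser for the smb.conf 'interfaces' value (added example, not Samba code).

Tokens are separated by whitespace, ',' or ';' except inside double quotes,
which is what lets the extended "iface;key=value,key=value" form survive.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

KNOWN_KEYS = {"speed", "capability", "if_index"}  # from the manual page
KNOWN_CAPABILITIES = {"RSS", "RDMA"}


@dataclass
class Interface:
    spec: str                       # eth0, eth*, 192.168.2.10/24, host/mask
    kind: str                       # "name", "address" or "address/mask"
    speed: Optional[int] = None     # bits per second
    if_index: Optional[int] = None
    capabilities: set = field(default_factory=set)


def tokenize(value):
    """Split on the separators outside double quotes; keep quoted text whole."""
    tokens, cur, quoted = [], [], False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        elif ch in " \t,;" and not quoted:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if quoted:
        raise ValueError("unterminated double quote in interfaces value")
    if cur:
        tokens.append("".join(cur))
    return tokens


def validate_mask(base, mask):
    """Accept a bit length or a dotted-decimal netmask for base/mask."""
    if mask.isdigit():
        if not 0 <= int(mask) <= 128:
            raise ValueError(f"bad prefix length {mask!r}")
    else:
        ipaddress.IPv4Address(mask)  # raises ValueError if not dotted decimal
    try:
        ipaddress.ip_address(base)
    except ValueError:
        return  # host name: resolved by the OS at runtime, only mask checked
    ipaddress.ip_network(f"{base}/{mask}", strict=False)  # e.g. /33 fails


def classify(spec):
    """Return the interface form; '=' in a bare spec means missing quotes."""
    if not spec or "=" in spec:
        raise ValueError(f"bad interface token {spec!r} (extended syntax "
                         "must be enclosed in double quotes)")
    base, sep, mask = spec.partition("/")
    if sep:
        validate_mask(base, mask)
        return "address/mask"
    try:
        ipaddress.ip_address(base)
        return "address"
    except ValueError:
        return "name"  # interface name, possibly with shell-like wildcards


def parse_token(token):
    """Parse one token, including the optional ';key=value,...' suffix."""
    spec, _, extra = token.partition(";")
    iface = Interface(spec=spec, kind=classify(spec))
    if not extra:
        return iface
    for kv in extra.split(","):
        key, sep, val = kv.partition("=")
        if not sep or key not in KNOWN_KEYS:
            raise ValueError(f"unknown interface option {kv!r}")
        if key == "speed":
            iface.speed = int(val)
        elif key == "if_index":
            iface.if_index = int(val)
        else:
            if val not in KNOWN_CAPABILITIES:
                raise ValueError(f"unknown capability {val!r}")
            iface.capabilities.add(val)
    return iface


def parse_interfaces(value):
    """Parse a whole 'interfaces =' value into Interface records."""
    return [parse_token(t) for t in tokenize(value)]
```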
3059
invalid users (S)

This is a list of users that should not be allowed to login to this service. This is really a paranoid check to absolutely ensure an improper setting does not breach your security.

A name starting with a '@' is interpreted as an NIS netgroup first (if your system supports NIS), and then as a UNIX group if the name was not found in the NIS netgroup database.

A name starting with '+' is interpreted only by looking in the UNIX group database via the NSS getgrnam() interface. A name starting with '&' is interpreted only by looking in the NIS netgroup database (this requires NIS to be working on your system). The characters '+' and '&' may be used at the start of the name in either order so the value +&group means check the UNIX group database, followed by the NIS netgroup database, and the value &+group means check the NIS netgroup database, followed by the UNIX group database (the same as the '@' prefix).

The current servicename is substituted for %S. This is useful in the [homes] section.

Default: invalid users = # no invalid users

Example: invalid users = root fred admin @wheel

iprint server (G)

This parameter is only applicable if printing is set to iprint.

If set, this option overrides the ServerName option in the CUPS client.conf. This is necessary if you have virtual samba servers that connect to different CUPS daemons.

Default: iprint server = ""

Example: iprint server = MYCUPSSERVER

keepalive (G)

The value of the parameter (an integer) represents the number of seconds between keepalive packets. If this parameter is zero, no keepalive packets will be sent. Keepalive packets, if sent, allow the server to tell whether a client is still present and responding.

Keepalives should, in general, not be needed if the socket has the SO_KEEPALIVE attribute set on it by default (see socket options). Basically you should only use this option if you strike difficulties.

Please note this option only applies to SMB1 client connections, and has no effect on SMB2 clients.

Default: keepalive = 300

Example: keepalive = 600
3104
kerberos encryption types (G)

This parameter determines the encryption types to use when operating as a Kerberos client. Possible values are all, strong, and legacy.

Samba uses a Kerberos library (MIT or Heimdal) to obtain Kerberos tickets. This library is normally configured outside of Samba, using the krb5.conf file. This file may also include directives to configure the encryption types to be used. However, Samba implements Active Directory protocols and algorithms to locate a domain controller. In order to force the Kerberos library into using the correct domain controller, some Samba processes, such as winbindd(8) and net(8), build a private krb5.conf file for use by the Kerberos library while being invoked from Samba. This private file controls all aspects of the Kerberos library operation, and this parameter controls how the encryption types are configured within this generated file, and therefore also controls the encryption types negotiable by Samba.

When set to all, all active directory encryption types are allowed.

When set to strong, only AES-based encryption types are offered. This can be used in hardened environments to prevent downgrade attacks.

When set to legacy, only RC4-HMAC-MD5 is allowed. Avoiding AES this way has one very specific use. Normally, the encryption type is negotiated between the peers. However, there is one scenario in which a Windows read-only domain controller (RODC) advertises AES encryption, but then proxies the request to a writeable DC which may not support AES encryption, leading to failure of the handshake. Setting this parameter to legacy would cause samba not to negotiate AES encryption. It is assumed of course that the weaker legacy encryption types are acceptable for the setup.

Default: kerberos encryption types = all

kerberos method (G)

Controls how kerberos tickets are verified.

Valid options are:

• secrets only - use only the secrets.tdb for ticket verification (default)

• system keytab - use only the system keytab for ticket verification

• dedicated keytab - use a dedicated keytab for ticket verification

• secrets and keytab - use the secrets.tdb first, then the system keytab

The major difference between "system keytab" and "dedicated keytab" is
that the latter method relies on kerberos to find the correct
3146 keytab entry instead of filtering based on expected principals.
3147
3148 When the kerberos method is in "dedicated keytab" mode, dedicated keytab
file must be set to specify the location of the keytab file.
3149
3150 Default: kerberos method = default
3151
3152 kernel change notify (G)
3153
3154 This parameter specifies whether Samba should ask the kernel for change
notifications in directories so that SMB clients can refresh
3155 whenever the data on the server changes.
3156
3157 This parameter is only used when your kernel supports change notification
to user programs using the inotify interface.
3158
3159 Default: kernel change notify = yes
3160
3161 kernel oplocks (S)
3162
3163 For UNIXes that support kernel based oplocks (currently only Linux), this
parameter allows the use of them to be turned on or off.
3164 However, this disables Level II oplocks for clients as the Linux kernel
does not support them properly.
3165
3166 Kernel oplocks support allows Samba oplocks to be broken whenever a local
UNIX process or NFS operation accesses a file that smbd(8)
3167 has oplocked. This allows complete data consistency between SMB/CIFS, NFS
and local file access (and is a very cool feature :-).
3168
3169 If you do not need this interaction, you should disable the parameter on
Linux to get Level II oplocks and the associated performance
3170 benefit.
3171
3172 This parameter defaults to no and is translated to a no-op on systems
that do not have the necessary kernel support.
3173
3174 Default: kernel oplocks = no
3175
3176 kernel share modes (S)
3177
3178 This parameter controls whether SMB share modes are translated into UNIX
flocks.
3179
3180 Kernel share modes provide a minimal level of interoperability with local
UNIX processes and NFS operations by preventing access with
3181 flocks corresponding to the SMB share modes. Generally, it is very
desirable to leave this enabled.
3182
3183 Note that in order to use SMB2 durable file handles on a share, you have
to turn kernel share modes off.
3184
3185 This parameter defaults to yes and is translated to a no-op on systems
that do not have the necessary kernel flock support.
3186
3187 Default: kernel share modes = yes
3188
3189 kpasswd port (G)
3190
3191 Specifies which ports the Kerberos server should listen on for password
changes.
3192
3193 Default: kpasswd port = 464
3194
3195 krb5 port (G)
3196
3197 Specifies which port the KDC should listen on for Kerberos traffic.
3198
3199 Default: krb5 port = 88
3200
3201 lanman auth (G)
3202
3203 This parameter has been deprecated since Samba 4.11 and support for
LanMan (as distinct from NTLM, NTLMv2 or Kerberos authentication)
3204 will be removed in a future Samba release.
3205
3206 That is, in the future, the current default of lanman auth = no will be
the enforced behaviour.
3207
3208 This parameter determines whether or not smbd(8) will attempt to
authenticate users or permit password changes using the LANMAN
3209 password hash. If disabled, only clients which support NT password hashes
(e.g. Windows NT/2000 clients, smbclient, but not Windows
3210 95/98 or the MS DOS network client) will be able to connect to the Samba
host.
3211
3212 The LANMAN encrypted response is easily broken, due to its
case-insensitive nature, and the choice of algorithm. Servers without
3213 Windows 95/98/ME or MS DOS clients are advised to disable this option.
3214
3215 When this parameter is set to no this will also result in sambaLMPassword
in Samba's passdb being blanked after the next password
3216 change. As a result of that lanman clients won't be able to authenticate,
even if lanman auth is re-enabled later on.
3217
3218 Unlike the encrypt passwords option, this parameter cannot alter client
behaviour, and the LANMAN response will still be sent over the
3219 network. See the client lanman auth to disable this for Samba's clients
(such as smbclient)
3220
3221 This parameter is overridden by ntlm auth, so unless that it is also set
to ntlmv1-permitted or yes, then only NTLMv2 logins will be
3222 permitted and no LM hash will be stored. All modern clients support
NTLMv2, and but some older clients require special configuration
3223 to use it.
3224
3225 Default: lanman auth = no
3226
3227 large readwrite (G)
3228
3229 This parameter determines whether or not smbd(8) supports the new 64k
streaming read and write variant SMB requests introduced with
3230 Windows 2000. Note that due to Windows 2000 client redirector bugs this
requires Samba to be running on a 64-bit capable operating
3231 system such as IRIX, Solaris or a Linux 2.4 kernel. Can improve
performance by 10% with Windows 2000 clients. Defaults to on. Not as
3232 tested as some other Samba code paths.
3233
3234 Default: large readwrite = yes
3235
3236 ldap admin dn (G)
3237
3238 The ldap admin dn defines the Distinguished Name (DN) name used by Samba
to contact the ldap server when retrieving user account
3239 information. The ldap admin dn is used in conjunction with the admin dn
password stored in the private/secrets.tdb file. See the
3240 smbpasswd(8) man page for more information on how to accomplish this.
3241
3242 The ldap admin dn requires a fully specified DN. The ldap suffix is not
appended to the ldap admin dn.
3243
3244 No default
3245
3246 ldap connection timeout (G)
3247
3248 This parameter tells the LDAP library calls which timeout in seconds they
should honor during initial connection establishments to
3249 LDAP servers. It is very useful in failover scenarios in particular. If
one or more LDAP servers are not reachable at all, we do not
3250 have to wait until TCP timeouts are over. This feature must be supported
by your LDAP library.
3251
3252 This parameter is different from ldap timeout which affects operations on
LDAP servers using an existing connection and not
3253 establishing an initial connection.
3254
3255 Default: ldap connection timeout = 2
3256
3257 ldap debug level (G)
3258
3259 This parameter controls the debug level of the LDAP library calls. In the
case of OpenLDAP, it is the same bit-field as understood by
3260 the server and documented in the slapd.conf(5) manpage. A typical useful
value will be 1 for tracing function calls.
3261
3262 The debug output from the LDAP libraries appears with the prefix [LDAP]
in Samba's logging output. The level at which LDAP logging is
3263 printed is controlled by the parameter ldap debug threshold.
3264
3265 Default: ldap debug level = 0
3266
3267 Example: ldap debug level = 1
3268
3269 ldap debug threshold (G)
3270
3271 This parameter controls the Samba debug level at which the ldap library
debug output is printed in the Samba logs. See the description
3272 of ldap debug level for details.
3273
3274 Default: ldap debug threshold = 10
3275
3276 Example: ldap debug threshold = 5
3277
3278 ldap delete dn (G)
3279
3280 This parameter specifies whether a delete operation in the ldapsam
deletes the complete entry or only the attributes specific to
3281 Samba.
3282
3283 Default: ldap delete dn = no
3284
3285 ldap deref (G)
3286
3287 This option controls whether Samba should tell the LDAP library to use a
certain alias dereferencing method. The default is auto,
3288 which means that the default setting of the ldap client library will be
kept. Other possible values are never, finding, searching and
3289 always. Grab your LDAP manual for more information.
3290
3291 Default: ldap deref = auto
3292
3293 Example: ldap deref = searching
3294
3295 ldap follow referral (G)
3296
3297 This option controls whether to follow LDAP referrals or not when
searching for entries in the LDAP database. Possible values are on
3298 to enable following referrals, off to disable this, and auto, to use the
libldap default settings. libldap's choice of following
3299 referrals or not is set in /etc/openldap/ldap.conf with the REFERRALS
parameter as documented in ldap.conf(5).
3300
3301 Default: ldap follow referral = auto
3302
3303 Example: ldap follow referral = off
3304
3305 ldap group suffix (G)
3306
3307 This parameter specifies the suffix that is used for groups when these
are added to the LDAP directory. If this parameter is unset,
3308 the value of ldap suffix will be used instead. The suffix string is
pre-pended to the ldap suffix string so use a partial DN.
3309
3310 Default: ldap group suffix =
3311
3312 Example: ldap group suffix = ou=Groups
3313
3314 ldap idmap suffix (G)
3315
3316 This parameters specifies the suffix that is used when storing idmap
mappings. If this parameter is unset, the value of ldap suffix
3317 will be used instead. The suffix string is pre-pended to the ldap suffix
string so use a partial DN.
3318
3319 Default: ldap idmap suffix =
3320
3321 Example: ldap idmap suffix = ou=Idmap
3322
3323 ldap machine suffix (G)
3324
3325 It specifies where machines should be added to the ldap tree. If this
parameter is unset, the value of ldap suffix will be used
3326 instead. The suffix string is pre-pended to the ldap suffix string so use
a partial DN.
3327
3328 Default: ldap machine suffix =
3329
3330 Example: ldap machine suffix = ou=Computers
3331
3332 ldap max anonymous request size (G)
3333
3334 This parameter specifies the maximum permitted size (in bytes) for an
LDAP request received on an anonymous connection.
3335
3336 If the request size exceeds this limit the request will be rejected.
3337
3338 Default: ldap max anonymous request size = 256000
3339
3340 Example: ldap max anonymous request size = 500000
3341
3342 ldap max authenticated request size (G)
3343
3344 This parameter specifies the maximum permitted size (in bytes) for an
LDAP request received on an authenticated connection.
3345
3346 If the request size exceeds this limit the request will be rejected.
3347
3348 Default: ldap max authenticated request size = 16777216
3349
3350 Example: ldap max authenticated request size = 4194304
3351
3352 ldap max search request size (G)
3353
3354 This parameter specifies the maximum permitted size (in bytes) for an
LDAP search request.
3355
3356 If the request size exceeds this limit the request will be rejected.
3357
3358 Default: ldap max search request size = 256000
3359
3360 Example: ldap max search request size = 4194304
3361
3362 ldap page size (G)
3363
3364 This parameter specifies the number of entries per page.
3365
3366 If the LDAP server supports paged results, clients can request subsets of
search results (pages) instead of the entire list. This
3367 parameter specifies the size of these pages.
3368
3369 Default: ldap page size = 1000
3370
3371 Example: ldap page size = 512
3372
3373 ldap password sync
3374
3375 This parameter is a synonym for ldap passwd sync.
3376
3377 ldap passwd sync (G)
3378
3379 This option is used to define whether or not Samba should sync the LDAP
password with the NT and LM hashes for normal accounts (NOT
3380 for workstation, server or domain trusts) on a password change via SAMBA.
3381
3382 The ldap passwd sync can be set to one of three values:
3383
3384 • Yes = Try to update the LDAP, NT and LM passwords and update
the pwdLastSet time.
3385
3386 • No = Update NT and LM passwords and update the pwdLastSet time.
3387
3388 • Only = Only update the LDAP password and let the LDAP server
do the rest.
3389
3390 Default: ldap passwd sync = no
3391
3392 ldap replication sleep (G)
3393
3394 When Samba is asked to write to a read-only LDAP replica, we are
redirected to talk to the read-write master server. This server then
3395 replicates our changes back to the 'local' server, however the
replication might take some seconds, especially over slow links.
3396 Certain client activities, particularly domain joins, can become confused
by the 'success' that does not immediately change the LDAP
3397 back-end's data.
3398
3399 This option simply causes Samba to wait a short time, to allow the LDAP
server to catch up. If you have a particularly high-latency
3400 network, you may wish to time the LDAP replication with a network
sniffer, and increase this value accordingly. Be aware that no
3401 checking is performed that the data has actually replicated.
3402
3403 The value is specified in milliseconds, the maximum value is 5000 (5
seconds).
3404
3405 Default: ldap replication sleep = 1000
3406
3407 ldapsam:editposix (G)
3408
3409 Editposix is an option that leverages ldapsam:trusted to make it simpler
to manage a domain controller eliminating the need to set up
3410 custom scripts to add and manage the posix users and groups. This option
will instead directly manipulate the ldap tree to create,
3411 remove and modify user and group entries. This option also requires a
running winbindd as it is used to allocate new uids/gids on
3412 user/group creation. The allocation range must be therefore configured.
3413
3414 To use this option, a basic ldap tree must be provided and the ldap
suffix parameters must be properly configured. On virgin servers
3415 the default users and groups (Administrator, Guest, Domain Users, Domain
Admins, Domain Guests) can be precreated with the command net
3416 sam provision. To run this command the ldap server must be running,
Winbindd must be running and the smb.conf ldap options must be
3417 properly configured. The typical ldap setup used with the ldapsam:trusted
= yes option is usually sufficient to use ldapsam:editposix
3418 = yes as well.
3419
3420 An example configuration can be the following:
3421
3422 encrypt passwords = true
3423 passdb backend = ldapsam
3424
3425 ldapsam:trusted=yes
3426 ldapsam:editposix=yes
3427
3428 ldap admin dn = cn=admin,dc=samba,dc=org
3429 ldap delete dn = yes
3430 ldap group suffix = ou=groups
3431 ldap idmap suffix = ou=idmap
3432 ldap machine suffix = ou=computers
3433 ldap user suffix = ou=users
3434 ldap suffix = dc=samba,dc=org
3435
3436 idmap backend = ldap:"ldap://localhost"
3437
3438 idmap uid = 5000-50000
3439 idmap gid = 5000-50000
3440
3441 This configuration assumes a directory layout like described in the
following ldif:
3442
3443 dn: dc=samba,dc=org
3444 objectClass: top
3445 objectClass: dcObject
3446 objectClass: organization
3447 o: samba.org
3448 dc: samba
3449
3450 dn: cn=admin,dc=samba,dc=org
3451 objectClass: simpleSecurityObject
3452 objectClass: organizationalRole
3453 cn: admin
3454 description: LDAP administrator
3455 userPassword: secret
3456
3457 dn: ou=users,dc=samba,dc=org
3458 objectClass: top
3459 objectClass: organizationalUnit
3460 ou: users
3461
3462 dn: ou=groups,dc=samba,dc=org
3463 objectClass: top
3464 objectClass: organizationalUnit
3465 ou: groups
3466
3467 dn: ou=idmap,dc=samba,dc=org
3468 objectClass: top
3469 objectClass: organizationalUnit
3470 ou: idmap
3471
3472 dn: ou=computers,dc=samba,dc=org
3473 objectClass: top
3474 objectClass: organizationalUnit
3475 ou: computers
3476
3477 Default: ldapsam:editposix = no
3478
3479 ldapsam:trusted (G)
3480
3481 By default, Samba as a Domain Controller with an LDAP backend needs to
use the Unix-style NSS subsystem to access user and group
3482 information. Due to the way Unix stores user information in /etc/passwd
and /etc/group this inevitably leads to inefficiencies. One
3483 important question a user needs to know is the list of groups he is
member of. The plain UNIX model involves a complete enumeration of
3484 the file /etc/group and its NSS counterparts in LDAP. UNIX has optimized
functions to enumerate group membership. Sadly, other
3485 functions that are used to deal with user and group attributes lack such
optimization.
3486
3487 To make Samba scale well in large environments, the ldapsam:trusted = yes
option assumes that the complete user and group database
3488 that is relevant to Samba is stored in LDAP with the standard
posixAccount/posixGroup attributes. It further assumes that the Samba
3489 auxiliary object classes are stored together with the POSIX data in the
same LDAP object. If these assumptions are met,
3490 ldapsam:trusted = yes can be activated and Samba can bypass the NSS
system to query user group memberships. Optimized LDAP queries can
3491 greatly speed up domain logon and administration tasks. Depending on the
size of the LDAP database a factor of 100 or more for common
3492 queries is easily achieved.
3493
3494 Default: ldapsam:trusted = no
3495
3496 ldap server require strong auth (G)
3497
3498 The ldap server require strong auth defines whether the ldap server
requires ldap traffic to be signed or signed and encrypted
3499 (sealed). Possible values are no, allow_sasl_over_tls and yes.
3500
3501 A value of no allows simple and sasl binds over all transports.
3502
3503 A value of allow_sasl_over_tls allows simple and sasl binds (without sign
or seal) over TLS encrypted connections. Unencrypted
3504 connections only allow sasl binds with sign or seal.
3505
3506 A value of yes allows only simple binds over TLS encrypted connections.
Unencrypted connections only allow sasl binds with sign or
3507 seal.
3508
3509 Default: ldap server require strong auth = yes
3510
3511 ldap ssl (G)
3512
3513 This option is used to define whether or not Samba should use SSL when
connecting to the ldap server This is NOT related to Samba's
3514 previous SSL support which was enabled by specifying the --with-ssl
option to the configure script.
3515
3516 LDAP connections should be secured where possible. This may be done
setting either this parameter to start tls or by specifying
3517 ldaps:// in the URL argument of passdb backend.
3518
3519 The ldap ssl can be set to one of two values:
3520
3521 • Off = Never use SSL when querying the directory.
3522
3523 • start tls = Use the LDAPv3 StartTLS extended operation
(RFC2830) for communicating with the directory server.
3524
3525 Please note that this parameter does only affect rpc methods. To enable
the LDAPv3 StartTLS extended operation (RFC2830) for ads, set
3526 ldap ssl = start tls and ldap ssl ads = yes. See smb.conf(5) for more
information on ldap ssl ads.
3527
3528 Default: ldap ssl = start tls
3529
ldap suffix (G)

Specifies the base for all ldap suffixes and for storing the sambaDomain object.

The ldap suffix will be appended to the values specified for the ldap user suffix, ldap group suffix, ldap machine suffix, and the ldap idmap suffix. Each of these should be given only a DN relative to the ldap suffix.

Default: ldap suffix =

Example: ldap suffix = dc=samba,dc=org

ldap timeout (G)

This parameter defines the number of seconds that Samba should use as timeout for LDAP operations.

Default: ldap timeout = 15

ldap user suffix (G)

This parameter specifies where users are added to the tree. If this parameter is unset, the value of ldap suffix will be used instead. The suffix string is pre-pended to the ldap suffix string so use a partial DN.

Default: ldap user suffix =

Example: ldap user suffix = ou=people

level2 oplocks (S)

This parameter controls whether Samba supports level2 (read-only) oplocks on a share.

Level2, or read-only oplocks allow Windows NT clients that have an oplock on a file to downgrade from a read-write oplock to a read-only oplock once a second client opens the file (instead of releasing all oplocks on a second open, as in traditional, exclusive oplocks). This allows all openers of the file that support level2 oplocks to cache the file for read-ahead only (i.e. they may not cache writes or lock requests) and increases performance for many accesses of files that are not commonly written (such as application .EXE files).

Once one of the clients which have a read-only oplock writes to the file all clients are notified (no reply is needed or waited for) and told to break their oplocks to "none" and delete any read-ahead caches.

It is recommended that this parameter be turned on to speed access to shared executables.

For more discussions on level2 oplocks see the CIFS spec.

Currently, if kernel oplocks are supported then level2 oplocks are not granted (even if this parameter is set to yes). Note also, the oplocks parameter must be set to yes on this share in order for this parameter to have any effect.

Default: level2 oplocks = yes

lm announce (G)

This parameter determines if nmbd(8) will produce Lanman announce broadcasts that are needed by OS/2 clients in order for them to see the Samba server in their browse list. This parameter can have three values, yes, no, or auto. The default is auto. If set to no Samba will never produce these broadcasts. If set to yes Samba will produce Lanman announce broadcasts at a frequency set by the parameter lm interval. If set to auto Samba will not send Lanman announce broadcasts by default but will listen for them. If it hears such a broadcast on the wire it will then start sending them at a frequency set by the parameter lm interval.

Default: lm announce = auto

Example: lm announce = yes

lm interval (G)

If Samba is set to produce Lanman announce broadcasts needed by OS/2 clients (see the lm announce parameter) then this parameter defines the frequency in seconds with which they will be made. If this is set to zero then no Lanman announcements will be made despite the setting of the lm announce parameter.

Default: lm interval = 60

Example: lm interval = 120

load printers (G)

A boolean variable that controls whether all printers in the printcap will be loaded for browsing by default. See the printers section for more details.

Default: load printers = yes

local master (G)

This option allows nmbd(8) to try and become a local master browser on a subnet. If set to no then nmbd will not attempt to become a local master browser on a subnet and will also lose in all browsing elections. By default this value is set to yes. Setting this value to yes doesn't mean that Samba will become the local master browser on a subnet, just that nmbd will participate in elections for local master browser.

Setting this value to no will cause nmbd never to become a local master browser.

Default: local master = yes

lock dir

This parameter is a synonym for lock directory.

lock directory (G)

This option specifies the directory where lock files will be placed. The lock files are used to implement the max connections option.

Note: This option cannot be set inside registry configurations.

The files placed in this directory are not required across service restarts and can be safely placed on volatile storage (e.g. tmpfs in Linux).

Default: lock directory = /run/samba

Example: lock directory = /var/run/samba/locks

locking (S)

This controls whether or not locking will be performed by the server in response to lock requests from the client.

If locking = no, all lock and unlock requests will appear to succeed and all lock queries will report that the file in question is available for locking.

If locking = yes, real locking will be performed by the server.

This option may be useful for read-only filesystems which may not need locking (such as CDROM drives), although setting this parameter to no is not really recommended even in this case.

Be careful about disabling locking either globally or in a specific service, as lack of locking may result in data corruption. You should never need to set this parameter.

Default: locking = yes

lock spin time (G)

The time in milliseconds that smbd should keep waiting to see if a failed lock request can be granted. This parameter has changed in default value from Samba 3.0.23 from 10 to 200. The associated lock spin count parameter is no longer used in Samba 3.0.24. You should not need to change the value of this parameter.

Default: lock spin time = 200

log file (G)

This option allows you to override the name of the Samba log file (also known as the debug file).

This option takes the standard substitutions, allowing you to have separate log files for each user or machine.

No default

Example: log file = /usr/local/samba/var/log.%m

logging (G)

This parameter configures logging backends. Multiple backends can be specified at the same time, with different log levels for each backend. The parameter is a list of backends, where each backend is specified as backend[:option][@loglevel].

The 'option' parameter can be used to pass backend-specific options.

The log level for a backend is optional; if it is not set for a backend, all messages are sent to this backend. The parameter log level determines overall log levels, while the log levels specified here define what is sent to the individual backends.

When logging is set, it overrides the syslog and syslog only parameters.

Some backends are only available when Samba has been compiled with the additional libraries. The overall list of logging backends:

• syslog

• file

• systemd

• lttng

• gpfs

• ringbuf

The ringbuf backend supports an optional size argument to change the buffer size used, the default is 1 MB: ringbuf:size=NBYTES

Default: logging =

Example: logging = syslog@1 file

debuglevel

This parameter is a synonym for log level.

log level (G)

The value of the parameter (a string) allows the debug level (logging level) to be specified in the smb.conf file.

This parameter has been extended since the 2.2.x series; it now allows one to specify the debug level for multiple debug classes and distinct logfiles for debug classes. This is to give greater flexibility in the configuration of the system. The following debug classes are currently implemented:

• all

• tdb

• printdrivers

• lanman

• smb

• rpc_parse

• rpc_srv

• rpc_cli

• passdb

• sam

• auth

• winbind

• vfs

• idmap

• quota

• acls

• locking

• msdfs

• dmapi

• registry

• scavenger

• dns

• ldb

• tevent

• auth_audit

• auth_json_audit

• kerberos

• drs_repl

• smb2

• smb2_credits

• dsdb_audit

• dsdb_json_audit

• dsdb_password_audit

• dsdb_password_json_audit

• dsdb_transaction_audit

• dsdb_transaction_json_audit

• dsdb_group_audit

• dsdb_group_json_audit

To configure the logging for specific classes to go into a different file than log file, you can append @PATH to the class, e.g. log level = 1 full_audit:1@/var/log/audit.log.

Authentication and authorization audit information is logged under the auth_audit, and if Samba was not compiled with --without-json, a JSON representation is logged under auth_json_audit.

Support is comprehensive for all authentication and authorisation of user accounts in the Samba Active Directory Domain Controller, as well as the implicit authentication in password changes. In the file server, NTLM authentication, SMB and RPC authorization is covered.

Log levels for auth_audit and auth_json_audit are:

• 2: Authentication Failure

• 3: Authentication Success

• 4: Authorization Success

• 5: Anonymous Authentication and Authorization Success

Changes to the AD DC sam.ldb database are logged under the dsdb_audit and a JSON representation is logged under dsdb_json_audit.

Group membership changes to the AD DC sam.ldb database are logged under the dsdb_group_audit and a JSON representation is logged under dsdb_group_json_audit.

Log levels for dsdb_audit, dsdb_json_audit, dsdb_group_audit and dsdb_group_json_audit are:

• 5: Database modifications

• 5: Replicated updates from another DC

Password changes and Password resets in the AD DC are logged under dsdb_password_audit and a JSON representation is logged under the dsdb_password_json_audit. Password changes will also appear as authentication events via auth_audit and auth_json_audit.

Log levels for dsdb_password_audit and dsdb_password_json_audit are:

• 5: Successful password changes and resets

Transaction rollbacks and prepare commit failures are logged under the dsdb_transaction_audit and a JSON representation is logged under the dsdb_transaction_json_audit.

Log levels for dsdb_transaction_audit and dsdb_transaction_json_audit are:

• 5: Transaction failure (rollback)

• 10: Transaction success (commit)

Transaction roll-backs are possible in Samba, and whilst they rarely reflect anything more than the failure of an individual operation (say due to the add of a conflicting record), they are possible. Audit logs are already generated and sent to the system logs before the transaction is complete. Logging the transaction details allows the identification of password and sam.ldb operations that have been rolled back, and so have not actually persisted.

Warning
Changes to sam.ldb made locally by the root user with direct access to the database are not logged to the system logs, but to the administrator's own console. While less than ideal, any user able to make such modifications could disable the audit logging in any case.

Default: log level = 0

Example: log level = 3 passdb:5 auth:10 winbind:2

Example: log level = 1 full_audit:1@/var/log/audit.log winbind:2

log nt token command (G)

This option can be set to a command that will be called when new nt tokens are created.

This is only useful for development purposes.

Default: log nt token command =

logon drive (G)

This parameter specifies the local path to which the home directory will be connected (see logon home) and is only used by NT Workstations.

Note that this option is only useful if Samba is set up as a logon server.

Default: logon drive =

Example: logon drive = h:

logon home (G)

This parameter specifies the home directory location when a Win95/98 or NT Workstation logs into a Samba PDC. It allows you to do

C:\>NET USE H: /HOME

from a command prompt, for example.

This option takes the standard substitutions, allowing you to have separate logon scripts for each user or machine.

This parameter can be used with Win9X workstations to ensure that roaming profiles are stored in a subdirectory of the user's home directory. This is done in the following way:

logon home = \\%N\%U\profile

This tells Samba to return the above string, with substitutions made when a client requests the info, generally in a NetUserGetInfo request. Win9X clients truncate the info to \\server\share when a user does net use /home but use the whole string when dealing with profiles.

Note that in prior versions of Samba, the logon path was returned rather than logon home. This broke net use /home but allowed profiles outside the home directory. The current implementation is correct, and can be used for profiles if you use the above trick.

Disable this feature by setting logon home = "" - using the empty string.

This option is only useful if Samba is set up as a logon server.

Default: logon home = \\%N\%U

Example: logon home = \\remote_smb_server\%U

logon path (G)

This parameter specifies the directory where roaming profiles (Desktop, NTuser.dat, etc) are stored. Contrary to previous versions of these manual pages, it has nothing to do with Win 9X roaming profiles. To find out how to handle roaming profiles for Win 9X systems, see the logon home parameter.

This option takes the standard substitutions, allowing you to have separate logon scripts for each user or machine. It also specifies the directory from which the "Application Data", desktop, start menu, network neighborhood, programs and other folders, and their contents, are loaded and displayed on your Windows NT client.

The share and the path must be readable by the user for the preferences and directories to be loaded onto the Windows NT client. The share must be writeable when the user logs in for the first time, in order that the Windows NT client can create the NTuser.dat and other directories. Thereafter, the directories and any of the contents can, if required, be made read-only. It is not advisable that the NTuser.dat file be made read-only - rename it to NTuser.man to achieve the desired effect (a MANdatory profile).

Windows clients can sometimes maintain a connection to the [homes] share, even though there is no user logged in. Therefore, it is vital that the logon path does not include a reference to the homes share (i.e. setting this parameter to \\%N\homes\profile_path will cause problems).

This option takes the standard substitutions, allowing you to have separate logon scripts for each user or machine.

Warning
Do not quote the value. Setting this as “\\%N\profile\%U” will break profile handling. Where the tdbsam or ldapsam passdb backend is used, at the time the user account is created the value configured for this parameter is written to the passdb backend and that value will over-ride the parameter value present in the smb.conf file. Any error present in the passdb backend account record must be edited using the appropriate tool (pdbedit on the command-line, or any other locally provided system tool).

Note that this option is only useful if Samba is set up as a domain controller.

Disable the use of roaming profiles by setting the value of this parameter to the empty string. For example, logon path = "". Take note that even if the default setting in the smb.conf file is the empty string, any value specified in the user account settings in the passdb backend will over-ride the effect of setting this parameter to null. Disabling all roaming profile use requires that the user account settings also be blank.

An example of use is:

logon path = \\PROFILESERVER\PROFILE\%U

Default: logon path = \\%N\%U\profile

logon script (G)

This parameter specifies the batch file (.bat) or NT command file (.cmd) to be downloaded and run on a machine when a user successfully logs in. The file must contain the DOS style CR/LF line endings. Using a DOS-style editor to create the file is recommended.

The script must be a relative path to the [netlogon] service. If the [netlogon] service specifies a path of /usr/local/samba/netlogon, and logon script = STARTUP.BAT, then the file that will be downloaded is:

/usr/local/samba/netlogon/STARTUP.BAT

The contents of the batch file are entirely your choice. A suggested command would be to add NET TIME \\SERVER /SET /YES, to force every machine to synchronize clocks with the same time server. Another use would be to add NET USE U: \\SERVER\UTILS for commonly used utilities, or

NET USE Q: \\SERVER\ISO9001_QA

for example.

Note that it is particularly important not to allow write access to the [netlogon] share, or to grant users write permission on the batch files in a secure environment, as this would allow the batch files to be arbitrarily modified and security to be breached.

This option takes the standard substitutions, allowing you to have separate logon scripts for each user or machine.

This option is only useful if Samba is set up as a logon server in a classic domain controller role. If Samba is set up as an Active Directory domain controller, the LDAP attribute scriptPath is used instead. For configurations where passdb backend = ldapsam is in use, this option only defines a default value in case the LDAP attribute sambaLogonScript is missing.

Default: logon script =

Example: logon script = scripts\%U.bat

log writeable files on exit (G)

When the network connection between a CIFS client and Samba dies, Samba has no option but to simply shut down the server side of the network connection. If this happens, there is a risk of data corruption because the Windows client did not complete all write operations that the Windows application requested. Setting this option to "yes" makes smbd log with a level 0 message a list of all files that have been opened for writing when the network connection died. Those are the files that are potentially corrupted. It is meant as an aid for the administrator to give him a list of files to do consistency checks on.

Default: log writeable files on exit = no

lppause command (S)

This parameter specifies the command to be executed on the server host in order to stop printing or spooling a specific print job.

This command should be a program or script which takes a printer name and job number to pause the print job. One way of implementing this is by using job priorities, where jobs having too low a priority won't be sent to the printer.

If a %p is given then the printer name is put in its place. A %j is replaced with the job number (an integer). On HPUX (see printing=hpux), if the -p%p option is added to the lpq command, the job will show up with the correct status, i.e. if the job priority is lower than the set fence priority it will have the PAUSED status, whereas if the priority is equal or higher it will have the SPOOLED or PRINTING status.

Note that it is good practice to include the absolute path in the lppause command as the PATH may not be available to the server.

Currently no default value is given to this string, unless the value of the printing parameter is SYSV, in which case the default is: lp -i %p-%j -H hold, or if the value of the printing parameter is SOFTQ, then the default is: qstat -s -j%j -h.

Default: lppause command = # determined by printing parameter

Example: lppause command = /usr/bin/lpalt %p-%j -p0

lpq cache time (G)

This controls how long lpq info will be cached for to prevent the lpq command being called too often. A separate cache is kept for each variation of the lpq command used by the system, so if you use different lpq commands for different users then they won't share cache information.

The cache files are stored in /tmp/lpq.xxxx where xxxx is a hash of the lpq command in use.

The default is 30 seconds, meaning that the cached results of a previous identical lpq command will be used if the cached data is less than 30 seconds old. A large value may be advisable if your lpq command is very slow.

A value of 0 will disable caching completely.

Default: lpq cache time = 30

Example: lpq cache time = 10

lpq command (S)

This parameter specifies the command to be executed on the server host in order to obtain lpq-style printer status information.

This command should be a program or script which takes a printer name as its only parameter and outputs printer status information.

Currently nine styles of printer status information are supported: BSD, AIX, LPRNG, PLP, SYSV, HPUX, QNX, CUPS, and SOFTQ. This covers most UNIX systems. You control which type is expected using the printing = option.

Some clients (notably Windows for Workgroups) may not correctly send the connection number for the printer they are requesting status information about. To get around this, the server reports on the first printer service connected to by the client. This only happens if the connection number sent is invalid.

If a %p is given then the printer name is put in its place. Otherwise it is placed at the end of the command.

Note that it is good practice to include the absolute path in the lpq command as the $PATH may not be available to the server. When compiled with the CUPS libraries, no lpq command is needed because smbd will make a library call to obtain the print queue listing.

Default: lpq command = # determined by printing parameter

Example: lpq command = /usr/bin/lpq -P%p

lpresume command (S)

This parameter specifies the command to be executed on the server host in order to restart or continue printing or spooling a specific print job.

This command should be a program or script which takes a printer name and job number to resume the print job. See also the lppause command parameter.

If a %p is given then the printer name is put in its place. A %j is replaced with the job number (an integer).

Note that it is good practice to include the absolute path in the lpresume command as the PATH may not be available to the server.

See also the printing parameter.

Default: Currently no default value is given to this string, unless the value of the printing parameter is SYSV, in which case the default is:

lp -i %p-%j -H resume

or if the value of the printing parameter is SOFTQ, then the default is:

qstat -s -j%j -r

Default: lpresume command = # determined by printing parameter

Example: lpresume command = /usr/bin/lpalt %p-%j -p2

lprm command (S)

This parameter specifies the command to be executed on the server host in order to delete a print job.

This command should be a program or script which takes a printer name and job number, and deletes the print job.

If a %p is given then the printer name is put in its place. A %j is replaced with the job number (an integer).

Note that it is good practice to include the absolute path in the lprm command as the PATH may not be available to the server.

Examples of use are:

lprm command = /usr/bin/lprm -P%p %j

or

lprm command = /usr/bin/cancel %p-%j

Default: lprm command = # determined by printing parameter

lsa over netlogon (G)

Setting this deprecated option will allow the RPC server in the AD DC to answer the LSARPC interface on the \pipe\netlogon IPC pipe.

When enabled, this matches the behaviour of Microsoft's Windows, due to their internal implementation choices.

If it is disabled (the default), the AD DC can offer improved performance, as the netlogon server is decoupled and can run as multiple processes.

Default: lsa over netlogon = no

machine password timeout (G)

If a Samba server is a member of a Windows NT or Active Directory Domain (see the security = domain and security = ads parameters), then periodically a running winbindd process will try and change the MACHINE ACCOUNT PASSWORD stored in the TDB called secrets.tdb. This parameter specifies how often this password will be changed, in seconds. The default is one week (expressed in seconds), the same as a Windows NT Domain member server.

See also smbpasswd(8), and the security = domain and security = ads parameters.

Default: machine password timeout = 604800

magic output (S)

This parameter specifies the name of a file which will contain output created by a magic script (see the magic script parameter below).

Warning
If two clients use the same magic script in the same directory the output file content is undefined.

Default: magic output = # <magic script name>.out

Example: magic output = myfile.txt

magic script (S)

This parameter specifies the name of a file which, if opened, will be executed by the server when the file is closed. This allows a UNIX script to be sent to the Samba host and executed on behalf of the connected user.

Scripts executed in this way will be deleted upon completion assuming that the user has the appropriate level of privilege and the file permissions allow the deletion.

If the script generates output, output will be sent to the file specified by the magic output parameter (see above).

Note that some shells are unable to interpret scripts containing CR/LF instead of CR as the end-of-line marker. Magic scripts must be executable as is on the host, which for some hosts and some shells will require filtering at the DOS end.

Magic scripts are EXPERIMENTAL and should NOT be relied upon.

Default: magic script =

Example: magic script = user.csh

mangled names (S)

This controls whether non-DOS names under UNIX should be mapped to DOS-compatible names ("mangled") and made visible, or whether non-DOS names should simply be ignored.

See the section on name mangling for details on how to control the mangling process.

Possible option settings are

• yes - enables name mangling for all names that do not conform to DOS 8.3.

• no - disables any name mangling.

• illegal (default) - does mangling for names with illegal NTFS characters. This is the most sensible setting for modern clients that don't use the shortname anymore.

If mangling is used then the mangling method is as follows:

• The first (up to) five alphanumeric characters before the rightmost dot of the filename are preserved, forced to upper case, and appear as the first (up to) five characters of the mangled name.

• A tilde "~" is appended to the first part of the mangled name, followed by a two-character unique sequence, based on the original root name (i.e., the original filename minus its final extension). The final extension is included in the hash calculation only if it contains any upper case characters or is longer than three characters.

Note that the character to use may be specified using the mangling char option, if you don't like '~'.

• Files whose UNIX name begins with a dot will be presented as DOS hidden files. The mangled name will be created as for other filenames, but with the leading dot removed and "___" as its extension regardless of the actual original extension (that's three underscores).

The two-digit hash value consists of upper case alphanumeric characters.

This algorithm can cause name collisions only if files in a directory share the same first five alphanumeric characters. The probability of such a clash is 1/1300.

The name mangling (if enabled) allows a file to be copied between UNIX directories from Windows/DOS while retaining the long UNIX filename. UNIX files can be renamed to a new extension from Windows/DOS and will retain the same basename. Mangled names do not change between sessions.

Default: mangled names = illegal

Example: mangled names = no

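The mangling rules listed above, carried out in Python as an added example (not Samba's own code). The two-character hash is a constructed stand-in, since the real hash function is not given here, the 8.3 test is simplified, and prefix_len stands in for the five-character prefix described above (the mangle prefix parameter adjusts it for hash2).

```python
import string

MANGLE_CHAR = "~"                                       # "mangling char" default
HASH_CHARS = string.ascii_uppercase + string.digits     # upper case alphanumerics
ALNUM = frozenset(string.ascii_letters + string.digits)


def _constructed_hash(text: str) -> str:
    """Two upper-case alphanumeric characters derived from `text`.

    Constructed stand-in for Samba's real hash, which the page does not give;
    only the output alphabet and length follow the description."""
    h = 5381
    for b in text.encode("utf-8"):
        h = (h * 33 + b) & 0xFFFFFFFF
    n = len(HASH_CHARS)
    return HASH_CHARS[h % n] + HASH_CHARS[(h // n) % n]


def is_83_name(name: str) -> bool:
    """Simplified 8.3 test: base of 1-8 and extension of 0-3 upper-case
    alphanumerics with at most one dot (Samba's real check allows more)."""
    base, _, ext = name.partition(".")
    if not base or "." in ext:
        return False

    def clean(s: str) -> bool:
        return all(c in ALNUM and not c.islower() for c in s)

    return len(base) <= 8 and len(ext) <= 3 and clean(base) and clean(ext)


def mangle(name: str, prefix_len: int = 5, mangle_char: str = MANGLE_CHAR) -> str:
    """DOS-visible name for a UNIX filename, following the rules on the page."""
    if is_83_name(name):
        return name                         # already fits, nothing to mangle
    hidden = name.startswith(".")
    if hidden:
        name = name[1:]                     # dot-files: drop the leading dot
    root, dot, ext = name.rpartition(".")
    if not dot:                             # no extension at all
        root, ext = name, ""
    # First (up to) prefix_len alphanumerics before the rightmost dot, upper-cased
    prefix = "".join(c for c in root if c in ALNUM)[:prefix_len].upper()
    # The extension joins the hash input only if it has upper case or > 3 chars
    hashed = root + ("." + ext if (ext != ext.lower() or len(ext) > 3) else "")
    mangled = prefix + mangle_char + _constructed_hash(hashed)
    if hidden:
        return mangled + ".___"             # three underscores, whatever the extension
    return mangled + ("." + ext[:3].upper() if ext else "")
```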
mangle prefix (G)

This controls the number of prefix characters from the original name used when generating the mangled names. A larger value will give a weaker hash and therefore more name collisions. The minimum value is 1 and the maximum value is 6.

mangle prefix is effective only when mangling method is hash2.

Default: mangle prefix = 1

Example: mangle prefix = 4

mangling char (S)

This controls what character is used as the magic character in name mangling. The default is a '~' but this may interfere with some software. Use this option to set it to whatever you prefer. This is effective only when mangling method is hash.

Default: mangling char = ~

Example: mangling char = ^

mangling method (G)

This controls the algorithm used for generating the mangled names. It can take two different values, "hash" and "hash2". "hash" is the algorithm that was used in Samba for many years and was the default in Samba 2.2.x. "hash2" is now the default and is newer and considered a better algorithm (it generates fewer collisions in the names). Many Win32 applications store the mangled names, so changing algorithms must not be done lightly as these applications may break unless reinstalled.

Default: mangling method = hash2

Example: mangling method = hash

map acl inherit (S)

This boolean parameter controls whether smbd(8) will attempt to map the 'inherit' and 'protected' access control entry flags stored in Windows ACLs into an extended attribute called user.SAMBA_PAI (POSIX ACL Inheritance). This parameter requires support for extended attributes on the filesystem and allows the Windows ACL editor to store inheritance information while NT ACLs are mapped best-effort to the POSIX ACLs.

Default: map acl inherit = no

map archive (S)

This controls whether the DOS archive attribute should be mapped to the UNIX owner execute bit. The DOS archive bit is set when a file has been modified since its last backup. One motivation for this option is to keep Samba/your PC from making any file it touches become executable under UNIX. This can be quite annoying for shared source code, documents, etc.

Note that this parameter will be ignored if the store dos attributes parameter is set, as the DOS archive attribute will then be stored inside a UNIX extended attribute.

Note that this requires the create mask parameter to be set such that the owner execute bit is not masked out (i.e. it must include 100). See the parameter create mask for details.

Default: map archive = yes

map hidden (S)

This controls whether DOS style hidden files should be mapped to the UNIX world execute bit.

Note that this parameter will be ignored if the store dos attributes parameter is set, as the DOS hidden attribute will then be stored inside a UNIX extended attribute.

Note that this requires the create mask to be set such that the world execute bit is not masked out (i.e. it must include 001). See the parameter create mask for details.

Default: map hidden = no

map readonly (S)

This controls how the DOS read only attribute should be mapped from a UNIX filesystem.

This parameter can take three different values, which tell smbd(8) how to display the read only attribute on files, where either store dos attributes is set to No, or no extended attribute is present. If store dos attributes is set to yes then this parameter is ignored. This is a new parameter introduced in Samba version 3.0.21.

The three settings are:

• Yes - The read only DOS attribute is mapped to the inverse of the user or owner write bit in the unix permission mode set. If the owner write bit is not set, the read only attribute is reported as being set on the file. If the read only DOS attribute is set, Samba sets the owner, group and others write bits to zero. Write bits set in an ACL are ignored by Samba. If the read only DOS attribute is unset, Samba simply sets the write bit of the owner to one.

• Permissions - The read only DOS attribute is mapped to the effective permissions of the connecting user, as evaluated by smbd(8) by reading the unix permissions and POSIX ACL (if present). If the connecting user does not have permission to modify the file, the read only attribute is reported as being set on the file.

• No - The read only DOS attribute is unaffected by permissions, and can only be set by the store dos attributes method. This may be useful for exporting mounted CDs.

Note that this parameter will be ignored if the store dos attributes parameter is set, as the DOS 'read-only' attribute will then be stored inside a UNIX extended attribute.

The default has changed to no in Samba release 4.9.0 and above to allow better Windows fileserver compatibility in a default install. In addition the default setting of store dos attributes has been changed to Yes in Samba release 4.9.0 and above.

Default: map readonly = no

map system (S)

This controls whether DOS style system files should be mapped to the UNIX group execute bit.

Note that this parameter will be ignored if the store dos attributes parameter is set, as the DOS system attribute will then be stored inside a UNIX extended attribute.

Note that this requires the create mask to be set such that the group execute bit is not masked out (i.e. it must include 010). See the parameter create mask for details.

Default: map system = no

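The mode-bit mappings described under map archive, map hidden, map readonly and map system, with the create mask interaction each of them warns about, as an added example (not Samba's own code). It covers only the path taken when store dos attributes is off; the "permissions" setting of map readonly takes the caller's verdict on effective write access as an input, and the create_mask value in AttrMapping is an assumed one.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

S_IXUSR, S_IXGRP, S_IXOTH = 0o100, 0o010, 0o001   # archive, system, hidden
S_IWUSR, S_IWGRP, S_IWOTH = 0o200, 0o020, 0o002


@dataclass(frozen=True)
class AttrMapping:
    map_archive: bool = True           # smb.conf defaults as given on the page
    map_hidden: bool = False
    map_system: bool = False
    map_readonly: str = "no"           # "yes", "permissions" or "no"
    store_dos_attributes: bool = True  # default since Samba 4.9.0
    create_mask: int = 0o744           # assumed value; check your own smb.conf


def dos_attrs_from_mode(mode: int, cfg: AttrMapping,
                        user_can_write: Optional[bool] = None) -> Optional[Set[str]]:
    """DOS attributes a client sees for a file with these mode bits.
    Returns None when the attributes come from the extended attribute instead."""
    if cfg.store_dos_attributes:
        return None
    attrs = set()
    if cfg.map_archive and mode & S_IXUSR:
        attrs.add("A")
    if cfg.map_hidden and mode & S_IXOTH:
        attrs.add("H")
    if cfg.map_system and mode & S_IXGRP:
        attrs.add("S")
    if cfg.map_readonly == "yes" and not mode & S_IWUSR:
        attrs.add("R")                 # inverse of the owner write bit
    elif cfg.map_readonly == "permissions" and user_can_write is False:
        attrs.add("R")                 # connecting user cannot modify the file
    return attrs


def mode_for_new_file(attrs: Set[str], cfg: AttrMapping, base_mode: int = 0o644) -> int:
    """Mode bits a newly created file ends up with after the client asks for
    the given DOS attributes and "create mask" is applied."""
    mode = base_mode
    if not cfg.store_dos_attributes:
        for flag, bit, enabled in (("A", S_IXUSR, cfg.map_archive),
                                   ("H", S_IXOTH, cfg.map_hidden),
                                   ("S", S_IXGRP, cfg.map_system)):
            if enabled:
                mode = (mode | bit) if flag in attrs else (mode & ~bit)
        if cfg.map_readonly == "yes":
            if "R" in attrs:           # clear owner, group and other write bits
                mode &= ~(S_IWUSR | S_IWGRP | S_IWOTH)
            else:                      # otherwise just set the owner write bit
                mode |= S_IWUSR
    return mode & cfg.create_mask


def create_mask_warnings(cfg: AttrMapping) -> List[str]:
    """Configuration check: mappings whose bit "create mask" strips, so the
    attribute would be silently lost on every newly created file."""
    if cfg.store_dos_attributes:
        return []                      # mappings are ignored; nothing to lose
    needed = (("map archive", S_IXUSR, cfg.map_archive),
              ("map hidden", S_IXOTH, cfg.map_hidden),
              ("map system", S_IXGRP, cfg.map_system))
    return [f"{name} is on but create mask = {cfg.create_mask:04o} masks out {bit:03o}"
            for name, bit, on in needed if on and not cfg.create_mask & bit]
```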
map to guest (G)

This parameter can take four different values, which tell smbd(8) what to do with user login requests that don't match a valid UNIX user in some way.

The four settings are:

• Never - Means user login requests with an invalid password are rejected. This is the default.

• Bad User - Means user logins with an invalid password are rejected, unless the username does not exist, in which case it is treated as a guest login and mapped into the guest account.

• Bad Password - Means user logins with an invalid password are treated as a guest login and mapped into the guest account. Note that this can cause problems as it means that any user incorrectly typing their password will be silently logged on as "guest" - and will not know the reason they cannot access files they think they should - there will have been no message given to them that they got their password wrong. Helpdesk services will hate you if you set the map to guest parameter this way :-).

• Bad Uid - Is only applicable when Samba is configured in some type of domain mode security (security = {domain|ads}) and means that user logins which are successfully authenticated but which have no valid Unix user account (and smbd is unable to create one) should be mapped to the defined guest account. This was the default behavior of Samba 2.x releases. Note that if a member server is running winbindd, this option should never be required because the nss_winbind library will export the Windows domain users and groups to the underlying OS via the Name Service Switch interface.

Note that this parameter is needed to set up "Guest" share services. This is because in these modes the name of the resource being requested is not sent to the server until after the server has successfully authenticated the client, so the server cannot make authentication decisions at the correct time (connection to the share) for "Guest" shares.

Default: map to guest = Never

Example: map to guest = Bad User

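The four map to guest outcomes above as a decision table, with a check for the silent guest logins the Bad Password note warns about; an added example, not Samba's own code. The attempt facts (name exists, password verified, UNIX account present) are inputs, and a wrong password under Bad Uid is assumed to be rejected as under Never, since the page does not say.

```python
from dataclasses import dataclass
from typing import List, Tuple

NEVER, BAD_USER, BAD_PASSWORD, BAD_UID = "Never", "Bad User", "Bad Password", "Bad Uid"


@dataclass(frozen=True)
class Attempt:
    username: str
    user_exists: bool               # the name resolves to an account
    password_ok: bool               # the credentials verified
    has_unix_account: bool = True   # a UNIX uid exists (or smbd could create one)


def map_login(a: Attempt, policy: str, domain_mode: bool = False,
              guest_account: str = "nobody") -> Tuple[str, str]:
    """Return ("user", name), ("guest", guest_account) or ("rejected", reason)."""
    if policy not in (NEVER, BAD_USER, BAD_PASSWORD, BAD_UID):
        raise ValueError(f"unknown map to guest value: {policy!r}")
    if a.user_exists and a.password_ok:
        if a.has_unix_account:
            return ("user", a.username)
        # Bad Uid: authenticated but no UNIX account -> guest, domain mode only
        if policy == BAD_UID and domain_mode:
            return ("guest", guest_account)
        return ("rejected", "no UNIX account for authenticated user")
    # Authentication failed: wrong password, or the user does not exist at all
    if policy == BAD_PASSWORD:
        return ("guest", guest_account)
    if policy == BAD_USER and not a.user_exists:
        return ("guest", guest_account)
    return ("rejected", "invalid password")      # Never, Bad Uid, Bad User w/ real name


def silent_guest_logins(attempts: List[Attempt], policy: str, **kw) -> List[str]:
    """Names of real accounts that a mistyped password would quietly turn into
    a guest session; non-empty only for Bad Password, the case the page warns about."""
    return [a.username for a in attempts
            if a.user_exists and not a.password_ok
            and map_login(a, policy, **kw)[0] == "guest"]


# Constructed sample attempts for a quick self-check
SAMPLE = [
    Attempt("alice", True, True),
    Attempt("alice", True, False),
    Attempt("nosuchuser", False, False),
    Attempt("DOM\\bob", True, True, has_unix_account=False),
]
```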
max connections (S)

This option allows the number of simultaneous connections to a service to be limited. If max connections is greater than 0 then connections will be refused if this number of connections to the service are already open. A value of zero means an unlimited number of connections may be made.

Record lock files are used to implement this feature. The lock files will be stored in the directory specified by the lock directory option.

Default: max connections = 0

Example: max connections = 10

max disk size (G)

This option allows you to put an upper limit on the apparent size of disks. If you set this option to 100 then all shares will appear to be not larger than 100 MB in size.

Note that this option does not limit the amount of data you can put on the disk. In the above case you could still store much more than 100 MB on the disk, but if a client ever asks for the amount of free disk space or the total disk size then the result will be bounded by the amount specified in max disk size.

This option is primarily useful to work around bugs in some pieces of software that can't handle very large disks, particularly disks over 1GB in size.

A max disk size of 0 means no limit.

Default: max disk size = 0

Example: max disk size = 1000

max log size (G)

This option (an integer in kilobytes) specifies the max size the log file should grow to. Samba periodically checks the size and if it is exceeded it will rename the file, adding a .old extension.

A size of 0 means no limit.

Default: max log size = 5000

Example: max log size = 1000

max mux (G)

This option controls the maximum number of outstanding simultaneous SMB operations that Samba tells the client it will allow. You should never need to set this parameter.

Default: max mux = 50

max open files (G)

This parameter limits the maximum number of open files that one smbd(8) file serving process may have open for a client at any one time. This parameter can be set very high (16384) as Samba uses only one bit per unopened file. Setting this parameter lower than 16384 will cause Samba to complain and set this value back to the minimum of 16384, as Windows 7 depends on this number of open file handles being available.

The limit of the number of open files is usually set by the UNIX per-process file descriptor limit rather than this parameter so you should never need to touch this parameter.

Default: max open files = 16384

max print jobs (S)

This parameter limits the maximum number of jobs allowable in a Samba printer queue at any given moment. If this number is exceeded, smbd(8) will report "Out of Space" to the client.

Default: max print jobs = 1000

Example: max print jobs = 5000

max reported print jobs (S)

This parameter limits the maximum number of jobs displayed in a port monitor for a Samba printer queue at any given moment. If this number is exceeded, the excess jobs will not be shown. A value of zero means there is no limit on the number of print jobs reported.

Default: max reported print jobs = 0

Example: max reported print jobs = 1000

max smbd processes (G)

This parameter limits the maximum number of smbd(8) processes concurrently running on a system and is intended as a stopgap to prevent degrading service to clients in the event that the server has insufficient resources to handle more than this number of connections. Remember that under normal operating conditions, each user will have an smbd(8) associated with him or her to handle connections to all shares from a given host.

For a Samba ADDC running the standard process model this option limits the number of processes forked to handle requests. Currently new processes are only forked for ldap and netlogon requests.

Default: max smbd processes = 0

Example: max smbd processes = 1000

max stat cache size (G)

This parameter limits the size in memory of any stat cache being used to speed up case insensitive name mappings. It represents the number of kilobyte (1024) units the stat cache can use. A value of zero, meaning unlimited, is not advisable due to increased memory usage. You should not need to change this parameter.

Default: max stat cache size = 512

Example: max stat cache size = 100

max ttl (G)

This option tells nmbd(8) what the default 'time to live' of NetBIOS names should be (in seconds) when nmbd is requesting a name using either a broadcast packet or from a WINS server. You should never need to change this parameter. The default is 3 days.

Default: max ttl = 259200

max wins ttl (G)

This option tells smbd(8) when acting as a WINS server (wins support = yes) what the maximum 'time to live' of NetBIOS names that nmbd will grant will be (in seconds). You should never need to change this parameter. The default is 6 days (518400 seconds).

Default: max wins ttl = 518400

max xmit (G)

This option controls the maximum packet size that will be negotiated by Samba's smbd(8) for the SMB1 protocol. The default is 16644, which matches the behavior of Windows 2000. A value below 2048 is likely to cause problems. You should never need to change this parameter from its default value.

Default: max xmit = 16644

Example: max xmit = 8192

mdns name (G)

This parameter controls the name that multicast DNS support advertises as its hostname.

The default is to use the NETBIOS name which is typically the hostname in all capital letters.

A setting of mdns will defer the hostname configuration to the MDNS library that is used.

Default: mdns name = netbios

message command (G)

This specifies what command to run when the server receives a WinPopup style message.

This would normally be a command that would deliver the message somehow. How this is to be done is up to your imagination.

An example is:

message command = csh -c 'xedit %s;rm %s' &

This delivers the message using xedit, then removes it afterwards. NOTE THAT IT IS VERY IMPORTANT THAT THIS COMMAND RETURN IMMEDIATELY. That's why I have the '&' on the end. If it doesn't return immediately then your PCs may freeze when sending messages (they should recover after 30 seconds, hopefully).

All messages are delivered as the global guest user. The command takes the standard substitutions, although %u won't work (%U may be better in this case).

Apart from the standard substitutions, some additional ones apply. In particular:

• %s = the filename containing the message.

• %t = the destination that the message was sent to (probably the server name).

• %f = who the message is from.

You could make this command send mail, or whatever else takes your fancy. Please let us know of any really interesting ideas you have.

Here's a way of sending the messages as mail to root:

message command = /bin/mail -s 'message from %f on %m' root < %s; rm %s

If you don't have a message command then the message won't be delivered and Samba will tell the sender there was an error. Unfortunately WfWg totally ignores the error code and carries on regardless, saying that the message was delivered.

If you want to silently delete it then try:

message command = rm %s

Default: message command =

Example: message command = csh -c 'xedit %s; rm %s' &

min domain uid (G)

The integer parameter specifies the minimum uid allowed when mapping a local account to a domain account.

Note that this option interacts with the configured idmap ranges!

Default: min domain uid = 1000

4512 min print space (S)
4513
4514 This sets the minimum amount of free disk space that must be available
before a user will be able to spool a print job. It is
4515 specified in kilobytes. The default is 0, which means a user can always
spool a print job.
4516
4517 Default: min print space = 0
4518
4519 Example: min print space = 2000
4520
4521 min receivefile size (G)
4522
4523 This option changes the behavior of smbd(8) when processing SMBwriteX
calls. Any incoming SMBwriteX call on a non-signed SMB/CIFS
4524 connection greater than this value will not be processed in the normal
way but will be passed to any underlying kernel recvfile or
4525 splice system call (if there is no such call Samba will emulate in user
space). This allows zero-copy writes directly from network
4526 socket buffers into the filesystem buffer cache, if available. It may
improve performance but user testing is recommended. If set to
4527 zero Samba processes SMBwriteX calls in the normal way. To enable POSIX
large write support (SMB/CIFS writes up to 16Mb) this option
4528 must be nonzero. The maximum value is 128k. Values greater than 128k will
be silently set to 128k.
4529
4530 Note this option will have NO EFFECT if set on a SMB signed connection.
4531
4532 The default is zero, which disables this option.
4533
4534 Default: min receivefile size = 0
4535
4536 min wins ttl (G)
4537
4538 This option tells nmbd(8) when acting as a WINS server (wins support =
yes) what the minimum 'time to live' of NetBIOS names that nmbd
4539 will grant will be (in seconds). You should never need to change this
parameter. The default is 6 hours (21600 seconds).
4540
4541 Default: min wins ttl = 21600
4542
4543 mit kdc command (G)
4544
4545 This option specifies the path to the MIT kdc binary.
4546
4547 If the KDC is not installed in the default location and wasn't correctly
detected during build then you should modify this variable
4548 and point it to the correct binary.
4549
4550 Default: mit kdc command =
4551
4552 Example: mit kdc command = /opt/mit/sbin/krb5kdc
4553
4554 msdfs proxy (S)
4555
4556 This parameter indicates that the share is a stand-in for another CIFS
share whose location is specified by the value of the
4557 parameter. When clients attempt to connect to this share, they are
redirected to one or multiple, comma separated proxied shares using
4558 the SMB-Dfs protocol.
4559
4560 Only Dfs roots can act as proxy shares. Take a look at the msdfs root and
host msdfs options to find out how to set up a Dfs root
4561 share.
4562
4563 No default
4564
4565 Example: msdfs proxy = \otherserver\someshare,\otherserver2\someshare
4566
4567 msdfs root (S)
4568
4569 If set to yes, Samba treats the share as a Dfs root and allows clients to
browse the distributed file system tree rooted at the share
4570 directory. Dfs links are specified in the share directory by symbolic
links of the form msdfs:serverA\\shareA,serverB\\shareB and so
4571 on. For more information on setting up a Dfs tree on Samba, refer to the
MSDFS chapter in the Samba3-HOWTO book.
4572
4573 Default: msdfs root = no
4574
4575 msdfs shuffle referrals (S)
4576
4577 If set to yes, Samba will shuffle Dfs referrals for a given Dfs link if
multiple are available, allowing for load balancing across
4578 clients. For more information on setting up a Dfs tree on Samba, refer to
the MSDFS chapter in the Samba3-HOWTO book.
4579
4580 Default: msdfs shuffle referrals = no
4581
4582 multicast dns register (G)
4583
4584 If compiled with proper support for it, Samba will announce itself with
multicast DNS services like for example provided by the Avahi
4585 daemon.
4586
4587 This parameter allows you to stop Samba registering itself.
4588
4589 Default: multicast dns register = yes
4590
4591 name cache timeout (G)
4592
4593 Specifies the number of seconds it takes before entries in Samba's
hostname resolve cache time out. If the timeout is set to 0, the
4594 caching is disabled.
4595
4596 Default: name cache timeout = 660
4597
4598 Example: name cache timeout = 0
4599
4600 name resolve order (G)
4601
4602 This option is used by the programs in the Samba suite to determine what
naming services to use and in what order to resolve host
4603 names to IP addresses. Its main purpose is to control how NetBIOS name
resolution is performed. The option takes a space separated
4604 string of name resolution options.
4605
4606 The options are: "lmhosts", "host", "wins" and "bcast". They cause names
to be resolved as follows:
4607
4608 • lmhosts : Lookup an IP address in the Samba lmhosts file. If
the line in lmhosts has no name type attached to the NetBIOS
4609 name (see the manpage for lmhosts for details) then any name
type matches for lookup.
4610
4611 • host : Do a standard host name to IP address resolution, using
the system /etc/hosts, NIS, or DNS lookups. This method of
4612 name resolution is operating system dependent; for instance, on
IRIX or Solaris it may be controlled by the
4613 /etc/nsswitch.conf file. Note that this method is used only if
the NetBIOS name type being queried is the 0x20 (server)
4614 name type or 0x1c (domain controllers). The latter case is
only useful for Active Directory domains and results in a DNS
4615 query for the SRV RR entry matching _ldap._tcp.domain.
4616
4617 • wins : Query a name with the IP address listed in the
WINSSERVER parameter. If no WINS server has been specified this
4618 method will be ignored.
4619
4620 • bcast : Do a broadcast on each of the known local interfaces
listed in the interfaces parameter. This is the least reliable
4621 of the name resolution methods as it depends on the target
host being on a locally connected subnet.
4622
4623 The example below will cause the local lmhosts file to be examined first,
followed by a broadcast attempt, followed by a normal system
4624 hostname lookup.
4625
4626 When Samba is functioning in ADS security mode (security = ads) it is
advised to use following settings for name resolve order:
4627
4628 name resolve order = wins bcast
4629
4630 DC lookups will still be done via DNS, but fallbacks to netbios names
will not inundate your DNS servers with needless queries for
4631 DOMAIN<0x1c> lookups.
4632
4633 Default: name resolve order = lmhosts wins host bcast
4634
4635 Example: name resolve order = lmhosts bcast host
4636
4637 socket address
4638
4639 This parameter is a synonym for nbt client socket address.
4640
4641 nbt client socket address (G)
4642
4643 This option controls the address from which Samba sends NBT client
packets and on which it processes the replies, including in nmbd.
4644
4645 Setting this option should never be necessary on usual Samba servers
running only one nmbd.
4646
4647 By default Samba will send UDP packets from the OS default address for
the destination, and accept replies on 0.0.0.0.
4648
4649 This parameter is deprecated. See bind interfaces only = Yes and
interfaces for the previous behaviour of controlling the normal
4650 listening sockets.
4651
4652 Default: nbt client socket address = 0.0.0.0
4653
4654 Example: nbt client socket address = 192.168.2.20
4655
4656 nbtd:wins_prepend1Bto1Cqueries (G)
4657
4658 Normally queries for 0x1C names (all logon servers for a domain) will
return the first address of the 0x1B names (domain master
4659 browser and PDC) as the first address in the result list. As many clients only
use the first address in the list by default, all clients
4660 will use the same server (the PDC). Windows servers have an option to
disable this behavior (since Windows 2000 Service Pack 2).
4661
4662 Default: nbtd:wins_prepend1Bto1Cqueries = yes
4663
4664 nbtd:wins_wins_randomize1Clist (G)
4665
4666 Normally queries for 0x1C names will return the addresses in the same
order as they're stored in the database, that is, first all
4667 addresses which have been directly registered at the local WINS server
and then all addresses registered at other servers. Windows
4668 servers have an option to change this behavior and randomize the returned
addresses. Set this parameter to "yes" and Samba will sort
4669 the address list depending on the client address and the matching bits of
the addresses; the first address is randomized
4670 depending on the "nbtd:wins_randomize1Clist_mask" parameter.
4671
4672 Default: nbtd:wins_wins_randomize1Clist = no
4673
4674 nbtd:wins_randomize1Clist_mask (G)
4675
4676 If the "nbtd:wins_randomize1Clist" parameter is set to "yes", then
randomizing of the first returned address is based on the specified
4677 netmask. If there are addresses which are in the same subnet as the
client address, the first returned address is randomly chosen out of
4678 them. Otherwise the first returned address is randomly chosen out of all
addresses.
4679
4680 Default: nbtd:wins_randomize1Clist_mask = 255.255.255.0
4681
4682 nbt port (G)
4683
4684 Specifies which port the server should use for NetBIOS over IP name
services traffic.
4685
4686 Default: nbt port = 137
4687
4688 ncalrpc dir (G)
4689
4690 This directory will hold a series of named pipes to allow RPC over
inter-process communication.
4691
4692 This will allow Samba and other unix processes to interact over DCE/RPC
without using TCP/IP. Additionally a sub-directory 'np' has
4693 restricted permissions, and allows a trusted communication channel
between Samba processes.
4694
4695 Default: ncalrpc dir = /var/run/samba/ncalrpc
4696
4697 Example: ncalrpc dir = /var/run/samba/ncalrpc
4698
4699 netbios aliases (G)
4700
4701 This is a list of NetBIOS names that nmbd will advertise as additional
names by which the Samba server is known. This allows one
4702 machine to appear in browse lists under multiple names. If a machine is
acting as a browse server or logon server none of these names
4703 will be advertised as either browse server or logon servers, only the
primary name of the machine will be advertised with these
4704 capabilities.
4705
4706 Default: netbios aliases = # empty string (no additional names)
4707
4708 Example: netbios aliases = TEST TEST1 TEST2
4709
4710 netbios name (G)
4711
4712 This sets the NetBIOS name by which a Samba server is known. By default
it is the same as the first component of the host's DNS name.
4713 If a machine is a browse server or logon server this name (or the first
component of the host's DNS name) will be the name that these
4714 services are advertised under.
4715
4716 Note that the maximum length for a NetBIOS name is 15 characters.
4717
4718 There is a bug in Samba that breaks operation of browsing and access to
shares if the netbios name is set to the literal name PIPE. To
4719 avoid this problem, do not name your Samba server PIPE.
4720
4721 Default: netbios name = # machine DNS name
4722
4723 Example: netbios name = MYNAME
4724
4725 netbios scope (G)
4726
4727 This sets the NetBIOS scope that Samba will operate under. This should
not be set unless every machine on your LAN also sets this
4728 value.
4729
4730 Default: netbios scope =
4731
4732 neutralize nt4 emulation (G)
4733
4734 This option controls whether winbindd sends the
NETLOGON_NEG_NEUTRALIZE_NT4_EMULATION flag in order to bypass the NT4
emulation of a
4735 domain controller.
4736
4737 Typically you should not need to set this. It can be useful for upgrades
from NT4 to AD domains.
4738
4739 The behavior can be controlled per netbios domain by using 'neutralize
nt4 emulation:NETBIOSDOMAIN = yes' as option.
4740
4741 Default: neutralize nt4 emulation = no
4742
4743 NIS homedir (G)
4744
4745 Get the home share server from a NIS map. For UNIX systems that use an
automounter, the user's home directory will often be mounted on
4746 a workstation on demand from a remote server.
4747
4748 When the Samba logon server is not the actual home directory server, but
is mounting the home directories via NFS then two network
4749 hops would be required to access the users home directory if the logon
server told the client to use itself as the SMB server for home
4750 directories (one over SMB and one over NFS). This can be very slow.
4751
4752 This option allows Samba to return the home share as being on a different
server to the logon server and as long as a Samba daemon is
4753 running on the home directory server, it will be mounted on the Samba
client directly from the directory server. When Samba is
4754 returning the home share to the client, it will consult the NIS map
specified in homedir map and return the server listed there.
4755
4756 Note that for this option to work there must be a working NIS system and
the Samba server with this option must also be a logon
4757 server.
4758
4759 Default: NIS homedir = no
4760
4761 nmbd bind explicit broadcast (G)
4762
4763 This option causes nmbd(8) to explicitly bind to the broadcast address of
the local subnets. This is needed to make nmbd work
4764 correctly in combination with the socket address option. You should not
need to unset this option.
4765
4766 Default: nmbd bind explicit broadcast = yes
4767
4768 nsupdate command (G)
4769
4770 This option sets the path to the nsupdate command which is used for
GSS-TSIG dynamic DNS updates.
4771
4772 Default: nsupdate command = /usr/bin/nsupdate -g
4773
4774 nt acl support (S)
4775
4776 This boolean parameter controls whether smbd(8) will attempt to map UNIX
permissions into Windows NT access control lists. The UNIX
4777 permissions considered are the traditional UNIX owner and group
permissions, as well as POSIX ACLs set on any files or directories.
4778 This parameter was formerly a global parameter in releases prior to 2.2.2.
4779
4780 Default: nt acl support = yes
4781
4782 ntlm auth (G)
4783
4784 This parameter determines whether or not smbd(8) will attempt to
authenticate users using the NTLM encrypted password response for
4785 this local passdb (SAM or account database).
4786
4787 If disabled, both NTLM and LanMan authentication against the local passdb
are disabled.
4788
4789 Note that these settings apply only to local users; authentication will
still be forwarded to, and NTLM authentication accepted against,
4790 any domain we are joined to, and any trusted domain, even if disabled or
if NTLMv2-only is enforced here. To control NTLM
4791 authentication for domain users, this option must be configured on
each DC.
4792
4793 By default with ntlm auth set to ntlmv2-only only NTLMv2 logins will be
permitted. All modern clients support NTLMv2 by default, but
4794 some older clients will require special configuration to use it.
4795
4796 The primary user of NTLMv1 is MSCHAPv2 for VPNs and 802.1x.
4797
4798 The available settings are:
4799
4800 • ntlmv1-permitted (alias yes) - Allow NTLMv1 and above for all
clients.
4801
4802 This is the setting required to enable the lanman auth
parameter.
4803
4804 • ntlmv2-only (alias no) - Do not allow NTLMv1 to be used, but
permit NTLMv2.
4805
4806 • mschapv2-and-ntlmv2-only - Only allow NTLMv1 when the client
promises that it is providing MSCHAPv2 authentication (such as
4807 the ntlm_auth tool).
4808
4809 • disabled - Do not accept NTLM (or LanMan) authentication of
any level, nor permit NTLM password changes.
4810
4811 The default changed from yes to no with Samba 4.5. The default changed
again to ntlmv2-only with Samba 4.7, however the behaviour is
4812 unchanged.
4813
4814 Default: ntlm auth = ntlmv2-only
4815
4816 nt pipe support (G)
4817
4818 This boolean parameter controls whether smbd(8) will allow Windows NT
clients to connect to the NT SMB specific IPC$ pipes. This is a
4819 developer debugging option and can be left alone.
4820
4821 Default: nt pipe support = yes
4822
4823 ntp signd socket directory (G)
4824
4825 This setting controls the location of the socket that the NTP daemon uses
to communicate with Samba for signing packets.
4826
4827 If a non-default path is specified here, then it is also necessary to
make NTP aware of the new path using the ntpsigndsocket
4828 directive in ntp.conf.
4829
4830 Default: ntp signd socket directory = /var/lib/samba/ntp_signd
4831
4832 nt status support (G)
4833
4834 This boolean parameter controls whether smbd(8) will negotiate NT
specific status support with Windows NT/2k/XP clients. This is a
4835 developer debugging option and should be left alone. If this option is
set to no then Samba offers exactly the same DOS error codes
4836 that versions prior to Samba 2.2.3 reported.
4837
4838 You should not need to ever disable this parameter.
4839
4840 Default: nt status support = yes
4841
4842 ntvfs handler (S)
4843
4844 This specifies the NTVFS handlers for this share.
4845
4846 • unixuid: Sets up user credentials based on POSIX gid/uid.
4847
4848 • cifs: Proxies a remote CIFS FS. Mainly useful for testing.
4849
4850 • nbench: Filter module that saves data useful to the nbench
benchmark suite.
4851
4852 • ipc: Allows using SMB for inter process communication. Only
used for the IPC$ share.
4853
4854 • posix: Maps POSIX FS semantics to NT semantics
4855
4856 • print: Allows printing over SMB. This is LANMAN-style
printing, not to be confused with the spoolss DCE/RPC interface used
4857 by later versions of Windows.
4858
4859 Note that this option is only used when the NTVFS file server is in use.
It is not used with the (default) s3fs file server.
4860
4861 Default: ntvfs handler = unixuid, default
4862
4863 null passwords (G)
4864
4865 Allow or disallow client access to accounts that have null passwords.
4866
4867 See also smbpasswd(5).
4868
4869 Default: null passwords = no
4870
4871 obey pam restrictions (G)
4872
4873 When Samba 3.0 is configured to enable PAM support (i.e. --with-pam),
this parameter will control whether or not Samba should obey
4874 PAM's account and session management directives. The default behavior is
to use PAM for clear text authentication only and to ignore
4875 any account or session management. Note that Samba always ignores PAM for
authentication in the case of encrypt passwords = yes. The
4876 reason is that PAM modules cannot support the challenge/response
authentication mechanism needed in the presence of SMB password
4877 encryption.
4878
4879 Default: obey pam restrictions = no
4880
4881 old password allowed period (G)
4882
4883 Number of minutes to permit an NTLM login after a password change or
reset using the old password. This allows the user to re-cache
4884 the new password on multiple clients without disrupting a network
reconnection in the meantime.
4885
4886 This parameter only applies when server role is set to Active Directory
Domain Controller.
4887
4888 Default: old password allowed period = 60
4889
4890 oplock break wait time (G)
4891
4892 This is a tuning parameter added due to bugs in both Windows 9x and
WinNT. If Samba responds to a client too quickly when that client
4893 issues an SMB that can cause an oplock break request, then the network
client can fail and not respond to the break request. This
4894 tuning parameter (which is set in milliseconds) is the amount of time
Samba will wait before sending an oplock break request to such
4895 (broken) clients.
4896
4897 Warning
4898 DO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ AND UNDERSTOOD THE
SAMBA OPLOCK CODE.
4899 Default: oplock break wait time = 0
4900
4901 oplocks (S)
4902
4903 This boolean option tells smbd whether to issue oplocks (opportunistic
locks) to file open requests on this share. The oplock code can
4904 dramatically (approx. 30% or more) improve the speed of access to files
on Samba servers. It allows the clients to aggressively cache
4905 files locally and you may want to disable this option for unreliable
network environments (it is turned on by default in Windows NT
4906 Servers).
4907
4908 Oplocks may be selectively turned off on certain files with a share. See
the veto oplock files parameter. On some systems oplocks are
4909 recognized by the underlying operating system. This allows data
synchronization between all access to oplocked files, whether it be
4910 via Samba or NFS or a local UNIX process. See the kernel oplocks
parameter for details.
4911
4912 Default: oplocks = yes
4913
4914 os2 driver map (G)
4915
4916 The parameter is used to define the absolute path to a file containing a
mapping of Windows NT printer driver names to OS/2 printer
4917 driver names. The format is:
4918
4919 <nt driver name> = <os2 driver name>.<device name>
4920
4921 For example, a valid entry using the HP LaserJet 5 printer driver would
appear as HP LaserJet 5L = LASERJET.HP LaserJet 5L.
4922
4923 The need for the file is due to the printer driver namespace problem
described in the chapter on Classical Printing in the
4924 Samba3-HOWTO book. For more details on OS/2 clients, please refer to the
chapter on other clients in the Samba3-HOWTO book.
4925
4926 Default: os2 driver map =
4927
4928 os level (G)
4929
4930 This integer value controls what level Samba advertises itself as for
browse elections. The value of this parameter determines whether
4931 nmbd(8) has a chance of becoming a local master browser for the workgroup
in the local broadcast area.
4932
4933 Note: By default, Samba will win a local master browsing election over
all Microsoft operating systems except a Windows NT 4.0/2000
4934 Domain Controller. This means that a misconfigured Samba host can
effectively isolate a subnet for browsing purposes. This parameter
4935 is largely auto-configured in the Samba-3 release series and it is seldom
necessary to manually override the default setting. Please
4936 refer to the chapter on Network Browsing in the Samba-3 HOWTO document
for further information regarding the use of this parameter.
4937 Note: The maximum value for this parameter is 255. If you use higher
values, counting will start at 0!
4938
4939 Default: os level = 20
4940
4941 Example: os level = 65
4942
4943 pam password change (G)
4944
4945 With the addition of better PAM support in Samba 2.2 and this parameter, it
is possible to use PAM's password change control flag for
4946 Samba. If enabled, then PAM will be used for password changes when
requested by an SMB client instead of the program listed in passwd
4947 program. It should be possible to enable this without changing your
passwd chat parameter for most setups.
4948
4949 Default: pam password change = no
4950
4951 panic action (G)
4952
4953 This is a Samba developer option that allows a system command to be
called when either smbd(8) or nmbd(8) crashes. This is usually
4954 used to draw attention to the fact that a problem occurred.
4955
4956 Default: panic action =
4957
4958 Example: panic action = /bin/sleep 90000
4959
4960 passdb backend (G)
4961
4962 This option allows the administrator to choose which backend will be used
for storing user and possibly group information. This allows
4963 you to swap between different storage mechanisms without recompiling.
4964
4965 The parameter value is divided into two parts, the backend's name, and a
'location' string that has meaning only to that particular
4966 backend. These are separated by a : character.
4967
4968 Available backends can include:
4969
4970 • smbpasswd - The old plaintext passdb backend. Some Samba
features will not work if this passdb backend is used. Takes a
4971 path to the smbpasswd file as an optional argument.
4972
4973 • tdbsam - The TDB based password storage backend. Takes a path
to the TDB as an optional argument (defaults to passdb.tdb in
4974 the private dir directory).
4975
4976 • ldapsam - The LDAP based passdb backend. Takes an LDAP URL as
an optional argument (defaults to ldap://localhost)
4977
4978 LDAP connections should be secured where possible. This may be
done using either Start-TLS (see ldap ssl) or by specifying
4979 ldaps:// in the URL argument.
4980
4981 Multiple servers may also be specified in double-quotes.
Whether multiple servers are supported or not and the exact
syntax
4982 depends on the LDAP library you use.
4983
4984 Examples of use are:
4985
4986 passdb backend = tdbsam:/etc/samba/private/passdb.tdb
4987
4988 or multi server LDAP URL with OpenLDAP library:
4989
4990 passdb backend = ldapsam:"ldap://ldap-1.example.com
ldap://ldap-2.example.com"
4991
4992 or multi server LDAP URL with Netscape based LDAP library:
4993
4994 passdb backend = ldapsam:"ldap://ldap-1.example.com ldap-2.example.com"
4995
4996 Default: passdb backend = tdbsam
4997
4998 passdb expand explicit (G)
4999
5000 This parameter controls whether Samba substitutes %-macros in the passdb
fields if they are explicitly set. We used to expand macros
5001 here, but this turned out to be a bug because the Windows client can
expand a variable %G_osver% in which %G would have been
5002 substituted by the user's primary group.
5003
5004 Default: passdb expand explicit = no
5005
5006 passwd chat (G)
5007
5008 This string controls the "chat" conversation that takes place between
smbd(8) and the local password changing program to change the
5009 user's password. The string describes a sequence of response-receive
pairs that smbd(8) uses to determine what to send to the passwd
5010 program and what to expect back. If the expected output is not received
then the password is not changed.
5011
5012 This chat sequence is often quite site specific, depending on what local
methods are used for password control (such as NIS etc).
5013
5014 Note that this parameter is only used if the unix password sync parameter
is set to yes. This sequence is then called AS ROOT when the
5015 SMB password in the smbpasswd file is being changed, without access to
the old password cleartext. This means that root must be able
5016 to reset the user's password without knowing the text of the previous
password. In the presence of NIS/YP, this means that the passwd
5017 program must be executed on the NIS master.
5018
5019 The string can contain the macro %n which is substituted for the new
password. The old password (%o) is only available when encrypt
5020 passwords has been disabled. The chat sequence can also contain the
standard macros \n, \r, \t and \s to give line-feed,
5021 carriage-return, tab and space. The chat sequence string can also contain
a '*' which matches any sequence of characters. Double
5022 quotes can be used to collect strings with spaces in them into a single
string.
5023
5024 If the send string in any part of the chat sequence is a full stop ".",
then no string is sent. Similarly, if the expect string is a
5025 full stop then no string is expected.
5026
5027 If the pam password change parameter is set to yes, the chat pairs may be
matched in any order, and success is determined by the PAM
5028 result, not any particular output. The \n macro is ignored for PAM
conversions.
5029
5030 Default: passwd chat = *new*password* %n\n *new*password* %n\n *changed*
5031
5032 Example: passwd chat = "*Enter NEW password*" %n\n "*Reenter NEW
password*" %n\n "*Password changed*"
5033
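As an added example (not Samba's code), a simplified model of the passwd chat conversation described above: it tokenizes the chat string (double-quoted groups, the "." no-op, the "*" wildcard, the \n-style macros and %n/%o), then drives it against a constructed stand-in for the passwd program. The expect/send pairing and the case-insensitive matching are assumptions of this model.

```python
# Added example (not Samba code): a simplified model of the 'passwd chat'
# conversation smbd holds with the passwd program, exercised offline against
# a constructed stand-in for passwd.
import re

DEFAULT_CHAT = r"*new*password* %n\n *new*password* %n\n *changed*"
EXAMPLE_CHAT = r'"*Enter NEW password*" %n\n "*Reenter NEW password*" %n\n "*Password changed*"'

# \n \r \t \s macros from the man page; expanded before %n/%o so that
# password text is never re-interpreted as a macro.
MACROS = {r"\n": "\n", r"\r": "\r", r"\t": "\t", r"\s": " "}


def tokenize(chat):
    """Split on whitespace, keeping double-quoted groups as one token (quotes removed)."""
    return [tok[1:-1] if tok.startswith('"') else tok
            for tok in re.findall(r'"[^"]*"|\S+', chat)]


def chat_pairs(chat):
    """Group tokens into (expect, send) pairs; a trailing expect sends nothing ('.')."""
    toks = tokenize(chat)
    return [(toks[i], toks[i + 1] if i + 1 < len(toks) else ".")
            for i in range(0, len(toks), 2)]


def wild_match(pattern, text):
    """'*' matches any run of characters; '.' expects nothing.
    Case-insensitive matching is an assumption of this model."""
    if pattern == ".":
        return True
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, text, re.IGNORECASE | re.DOTALL) is not None


def expand(send, new_password, old_password=None):
    """Expand the backslash macros first, then substitute %n/%o."""
    for macro, char in MACROS.items():
        send = send.replace(macro, char)
    send = send.replace("%n", new_password)
    if old_password is not None:
        send = send.replace("%o", old_password)
    return send


class FakePasswd:
    """Constructed stand-in for a passwd program: prompts twice for the new
    password and reports success only if both entries agree."""

    def __init__(self):
        self.prompts = ["Enter NEW password: ", "Reenter NEW password: "]
        self.received = []

    def read(self):
        if self.prompts:
            return self.prompts.pop(0)
        entries = [e.rstrip("\n") for e in self.received]
        if len(entries) == 2 and entries[0] and entries[0] == entries[1]:
            return "Password changed\n"
        return "Sorry, passwords do not match\n"

    def write(self, data):
        self.received.append(data)


def run_chat(chat, child, new_password, old_password=None):
    """Drive the chat: each pair requires the child's output to match the
    expect pattern before the expanded send string goes out. Any mismatch
    means the password is not changed, which is the behaviour the man page
    describes."""
    for expect, send in chat_pairs(chat):
        if not wild_match(expect, child.read()):
            return False
        if send != ".":
            child.write(expand(send, new_password, old_password))
    return True


if __name__ == "__main__":
    print(run_chat(DEFAULT_CHAT, FakePasswd(), "Tr0ub4dor&3"))
```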
5034 passwd chat debug (G)
5035
5036 This boolean specifies if the passwd chat script parameter is run in
debug mode. In this mode the strings passed to and received from
5037 the passwd chat are printed in the smbd(8) log with a debug level of 100.
This is a dangerous option as it will allow plaintext
5038 passwords to be seen in the smbd log. It is available to help Samba
admins debug their passwd chat scripts when calling the passwd
5039 program and should be turned off after this has been done. This option
has no effect if the pam password change parameter is set. This
5040 parameter is off by default.
5041
5042 Default: passwd chat debug = no
5043
5044 passwd chat timeout (G)
5045
5046 This integer specifies the number of seconds smbd will wait for an
initial answer from a passwd chat script being run. Once the
5047 initial answer is received the subsequent answers must be received in one
tenth of this time. The default is two seconds.
5048
5049 Default: passwd chat timeout = 2
5050
5051 passwd program (G)
5052
5053 The name of a program that can be used to set UNIX user passwords. Any
occurrences of %u will be replaced with the user name. The user
5054 name is checked for existence before calling the password changing program.
5055
5056 Also note that many passwd programs insist on reasonable passwords, such
as a minimum length, or the inclusion of mixed case chars and
5057 digits. This can pose a problem as some clients (such as Windows for
Workgroups) uppercase the password before sending it.
5058
5059 Note that if the unix password sync parameter is set to yes then this
program is called AS ROOT before the SMB password in the
5060 smbpasswd file is changed. If this UNIX password change fails, then smbd
will fail to change the SMB password also (this is by
5061 design).
5062
5063 If the unix password sync parameter is set this parameter MUST USE
ABSOLUTE PATHS for ALL programs called, and must be examined for
5064 security implications. Note that by default unix password sync is set to
no.
5065
5066 Default: passwd program =
5067
5068 Example: passwd program = /bin/passwd %u
5069
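As an added example (not Samba's code), a small audit that parses a constructed smb.conf and flags the settings this section warns about: ntlm auth, null passwords, passwd chat debug, passwd program under unix password sync, passdb backend with plain ldap://, min receivefile size above 128k, os level above 255 and the netbios name PIPE. The assumed default of ldap ssl = start tls and the check list itself are this example's own choices.

```python
# Added example (not Samba code): parse a constructed smb.conf and flag the
# settings this section of the man page warns about.
import re

SAMPLE_CONF = """\
# constructed smb.conf for the audit below
[global]
   workgroup = EXAMPLE
   netbios name = PIPE
   ntlm auth = ntlmv1-permitted
   null passwords = yes
   passwd chat debug = yes
   unix password sync = yes
   passwd program = passwd %u
   passdb backend = ldapsam:"ldap://ldap-1.example.com ldap://ldap-2.example.com"
   ldap ssl = off
   min receivefile size = 262144
   os level = 300

[homes]
   nt acl support = yes
"""


def parse_smb_conf(text):
    """Return {section: {key: value}}. Parameter names are treated as case-
    and whitespace-insensitive, as Samba does."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][re.sub(r"\s+", "", key).lower()] = value.strip()
    return conf


def is_yes(value):
    return value.strip().lower() in ("yes", "true", "1")


def audit(conf):
    """Return a list of findings for the [global] section."""
    g = conf.get("global", {})
    findings = []
    if g.get("ntlmauth", "ntlmv2-only").lower() in ("ntlmv1-permitted", "yes"):
        findings.append("ntlm auth permits NTLMv1 for all clients; prefer ntlmv2-only")
    if is_yes(g.get("nullpasswords", "no")):
        findings.append("null passwords = yes allows access to accounts with empty passwords")
    if is_yes(g.get("passwdchatdebug", "no")):
        findings.append("passwd chat debug = yes logs plaintext passwords at debug level 100")
    prog = g.get("passwdprogram", "")
    if is_yes(g.get("unixpasswordsync", "no")) and prog and not prog.startswith("/"):
        findings.append("passwd program runs as root but is not an absolute path: " + prog)
    backend = g.get("passdbbackend", "tdbsam")
    if backend.split(":", 1)[0] == "ldapsam":
        urls = backend.partition(":")[2].strip('"').split()
        # assumed default of 'ldap ssl' is start tls; underscores normalised
        tls = g.get("ldapssl", "start tls").lower().replace("_", " ")
        if any(u.startswith("ldap://") for u in urls) and tls != "start tls":
            findings.append("ldapsam uses ldap:// without Start-TLS; use ldaps:// or ldap ssl = start tls")
    size = int(g.get("minreceivefilesize", "0"))
    if size > 128 * 1024:
        findings.append(f"min receivefile size = {size} exceeds 128k and is silently clamped")
    level = int(g.get("oslevel", "20"))
    if level > 255:
        findings.append(f"os level = {level} exceeds 255; counting wraps around to 0")
    name = g.get("netbiosname", "")
    if name.upper() == "PIPE":
        findings.append("netbios name = PIPE breaks browsing and share access")
    elif len(name) > 15:
        findings.append("netbios name exceeds the 15-character NetBIOS limit")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_smb_conf(SAMPLE_CONF)):
        print("WARN:", finding)
```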
5070 password hash gpg key ids (G)
5071
5072 If Samba is running as an Active Directory domain controller, it is
possible to store the cleartext password of accounts in a
5073 PGP/OpenPGP encrypted form.
5074
5075 You can specify one or more recipients by key id or user id. Note that
32-bit key ids are not allowed; specify at least 64-bit.
5076
5077 The value is stored as 'Primary:SambaGPG' in the supplementalCredentials
attribute.
5078
5079 As password changes can occur on any domain controller, you should
configure this on each of them. Note that this feature is currently
5080 available only on Samba domain controllers.
5081
5082 This option is only available if samba was compiled with gpgme support.
5083
5084 You may need to export the GNUPGHOME environment variable before starting
samba. It is strongly recommended to only store the public
5085 key in this location. The private key is not used for encryption and
should be only stored where decryption is required.
5086
5087 Being able to restore the cleartext password helps when the passwords need to be
imported into other authentication systems later (see
5088 samba-tool user getpassword) or you want to keep the passwords in sync
with another system, e.g. an OpenLDAP server (see samba-tool
5089 user syncpasswords).
5090
5091 While this option needs to be configured on all domain controllers, the
samba-tool user syncpasswords command should run on a single
5092 domain controller only (typically the PDC-emulator).
5093
5094 Default: password hash gpg key ids =
5095
5096 Example: password hash gpg key ids = 4952E40301FAB41A
5097
5098 Example: password hash gpg key ids = selftest@samba.example.com
5099
5100 Example: password hash gpg key ids = selftest@samba.example.com,
4952E40301FAB41A
5101
password hash userPassword schemes (G)

This parameter determines whether or not samba(8) acting as an Active Directory Domain Controller will attempt to store additional password hash types for the user.

The values are stored as 'Primary:userPassword' in the supplementalCredentials attribute. The value of this option is a hash type.

The currently supported hash types are:

• CryptSHA256

• CryptSHA512

Multiple instances of a hash type may be computed and stored. The password hashes are calculated using the crypt(3) call. The number of rounds used to compute the hash can be specified by adding ':rounds=xxxx' to the hash type, e.g. CryptSHA512:rounds=4500 would calculate an SHA512 hash using 4500 rounds. If not specified the Operating System defaults for crypt(3) are used.

As password changes can occur on any domain controller, you should configure this on each of them. Note that this feature is currently available only on Samba domain controllers.

Currently the NT Hash of the password is recorded when these hashes are calculated and stored. When retrieving the hashes the current value of the NT Hash is checked against the stored NT Hash. This detects password changes that have not updated the password hashes. In this case samba-tool user will ignore the stored hash values.

Being able to obtain the hashed password helps when the passwords need to be imported into other authentication systems later (see samba-tool user getpassword) or you want to keep the passwords in sync with another system, e.g. an OpenLDAP server (see samba-tool user syncpasswords).

Related command: unix password sync

Default: password hash userPassword schemes =

Example: password hash userPassword schemes = CryptSHA256

Example: password hash userPassword schemes = CryptSHA256 CryptSHA512

Example: password hash userPassword schemes = CryptSHA256:rounds=5000 CryptSHA512:rounds=7000
password server (G)

By specifying the name of a domain controller with this option, and using security = [ads|domain], it is possible to get Samba to do all its username/password validation using a specific remote server.

Ideally, this option should not be used, as the default '*' indicates to Samba to determine the best DC to contact dynamically, just as all other hosts in an AD domain do. This allows the domain to be maintained (addition and removal of domain controllers) without modification to the smb.conf file. The cryptographic protection on the authenticated RPC calls used to verify passwords ensures that this default is safe.

It is strongly recommended that you use the default of '*'; however, if in your particular environment you have reason to specify a particular DC list, then the list of machines in this option must be a list of names or IP addresses of Domain controllers for the Domain. If you use the default of '*', or list several hosts in the password server option, then smbd will try each in turn till it finds one that responds. This is useful in case your primary server goes down.

If the list of servers contains both names/IPs and the '*' character, the list is treated as a list of preferred domain controllers, but an auto lookup of all remaining DCs will be added to the list as well. Samba will not attempt to optimize this list by locating the closest DC.

If the parameter is a name, it is looked up using the parameter name resolve order and so may be resolved by any method and order described in that parameter.

Default: password server = *

Example: password server = NT-PDC, NT-BDC1, NT-BDC2, *

Example: password server = windc.mydomain.com:389 192.168.1.101 *
directory

This parameter is a synonym for path.

path (S)

This parameter specifies a directory to which the user of the service is to be given access. In the case of printable services, this is where print data will spool prior to being submitted to the host for printing.

For a printable service offering guest access, the service should be readonly and the path should be world-writeable and have the sticky bit set. This is not mandatory of course, but you probably won't get the results you expect if you do otherwise.

Any occurrences of %u in the path will be replaced with the UNIX username that the client is using on this connection. Any occurrences of %m will be replaced by the NetBIOS name of the machine they are connecting from. These replacements are very useful for setting up pseudo home directories for users.

Note that this path will be based on root dir if one was specified.

Default: path =

Example: path = /home/fred

perfcount module (G)

This parameter specifies the perfcount backend to be used when monitoring SMB operations. Only one perfcount module may be used, and it must implement all of the APIs contained in the smb_perfcount_handler structure defined in smb.h.

No default

pid directory (G)

This option specifies the directory where pid files will be placed.

Default: pid directory = /run/samba

Example: pid directory = /var/run/
posix locking (S)

The smbd(8) daemon maintains a database of file locks obtained by SMB clients. The default behavior is to map this internal database to POSIX locks. This means that file locks obtained by SMB clients are consistent with those seen by POSIX compliant applications accessing the files via a non-SMB method (e.g. NFS or local file access). It is very unlikely that you need to set this parameter to "no", unless you are sharing from an NFS mount, which is not a good idea in the first place.

Default: posix locking = yes

postexec (S)

This option specifies a command to be run whenever the service is disconnected. It takes the usual substitutions. The command may be run as root on some systems.

An interesting example may be to unmount server resources:

postexec = /etc/umount /cdrom

Default: postexec =

Example: postexec = echo \"%u disconnected from %S from %m (%I)\" >> /tmp/log

exec

This parameter is a synonym for preexec.

preexec (S)

This option specifies a command to be run whenever the service is connected to. It takes the usual substitutions.

An interesting example is to send the users a welcome message every time they log in. Maybe a message of the day? Here is an example:

preexec = csh -c 'echo \"Welcome to %S!\" | /usr/local/samba/bin/smbclient -M %m -I %I' &

Of course, this could get annoying after a while :-)

See also preexec close and postexec.

Default: preexec =

Example: preexec = echo \"%u connected to %S from %m (%I)\" >> /tmp/log

preexec close (S)

This boolean option controls whether a non-zero return code from preexec should close the service being connected to.

Default: preexec close = no
prefered master

This parameter is a synonym for preferred master.

preferred master (G)

This boolean parameter controls if nmbd(8) is a preferred master browser for its workgroup.

If this is set to yes, on startup, nmbd will force an election, and it will have a slight advantage in winning the election. It is recommended that this parameter is used in conjunction with domain master = yes, so that nmbd can guarantee becoming a domain master.

Use this option with caution, because if there are several hosts (whether Samba servers, Windows 95 or NT) that are preferred master browsers on the same subnet, they will each periodically and continuously attempt to become the local master browser. This will result in unnecessary broadcast traffic and reduced browsing capabilities.

Default: preferred master = auto

prefork backoff increment (G)

This option specifies the number of seconds added to the delay before a prefork master or worker process is restarted. The restart delay is initially zero; the prefork backoff increment is added to the delay on each restart up to the value specified by "prefork maximum backoff".

Additionally, the backoff increment can be set for an individual service by using "prefork backoff increment: service name", e.g. "prefork backoff increment:ldap = 2" to set the backoff increment to 2.

If the backoff increment is 2 and the maximum backoff is 5, there will be a zero second delay for the first restart, a two second delay for the second restart, and a four second delay for the third and any subsequent restarts.

Default: prefork backoff increment = 10
prefork children (G)

This option controls the number of worker processes that are started for each service when the prefork process model is enabled (see samba(8) -M). The prefork children are only started for those services that support prefork (currently ldap, kdc and netlogon). For processes that don't support preforking all requests are handled by a single process for that service.

This should be set to a small multiple of the number of CPUs available on the server.

Additionally, the number of prefork children can be specified for an individual service by using "prefork children: service name", e.g. "prefork children:ldap = 8" to set the number of ldap worker processes.

Default: prefork children = 4

prefork maximum backoff (G)

This option controls the maximum delay before a failed pre-fork process is restarted.

Default: prefork maximum backoff = 120

preload modules (G)

This is a list of paths to modules that should be loaded into smbd before a client connects. This improves the speed of smbd when reacting to new connections somewhat.

Default: preload modules =

Example: preload modules = /usr/lib/samba/passdb/mysql.so

preserve case (S)

This controls if new filenames are created with the case that the client passes, or if they are forced to be the default case.

See the section on NAME MANGLING for a fuller discussion.

Default: preserve case = yes

print ok

This parameter is a synonym for printable.
printable (S)

If this parameter is yes, then clients may open, write to and submit spool files on the directory specified for the service.

Note that a printable service will ALWAYS allow writing to the service path (user privileges permitting) via the spooling of print data. The read only parameter controls only non-printing access to the resource.

Default: printable = no

printcap cache time (G)

This option specifies the number of seconds before the printing subsystem is again asked for the known printers.

Setting this parameter to 0 disables any rescanning for new or removed printers after the initial startup.

Default: printcap cache time = 750

Example: printcap cache time = 600

printcap

This parameter is a synonym for printcap name.
printcap name (G)

This parameter may be used to override the compiled-in default printcap name used by the server (usually /etc/printcap). See the discussion of the [printers] section above for reasons why you might want to do this.

To use the CUPS printing interface set printcap name = cups. This should be supplemented by an additional setting printing = cups in the [global] section. printcap name = cups will use the "dummy" printcap created by CUPS, as specified in your CUPS configuration file.

On System V systems that use lpstat to list available printers you can use printcap name = lpstat to automatically obtain lists of available printers. This is the default for systems that define SYSV at configure time in Samba (this includes most System V based systems). If printcap name is set to lpstat on these systems then Samba will launch lpstat -v and attempt to parse the output to obtain a printer list.

A minimal printcap file would look something like this:

print1|My Printer 1
print2|My Printer 2
print3|My Printer 3
print4|My Printer 4
print5|My Printer 5

where the '|' separates aliases of a printer. The fact that the second alias has a space in it gives a hint to Samba that it's a comment.
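As an added illustration (not Samba's own printcap parser), the following Python reads the minimal format shown above: aliases are split on '|', and the first alias containing a space is taken as the printer's comment. The sample file is constructed; its trailing rawq|raw entry is an added edge case with no comment alias.

```python
"""Parser for the minimal printcap format described in the smb.conf man page.

Added example, not Samba code. Only the alias field (everything before the
first ':') is interpreted; capability fields such as ':lp=/dev/lp0:' are
ignored, matching the minimal file the man page shows.
"""
from dataclasses import dataclass, field
from typing import List

# Constructed sample: the five entries from the man page plus one entry
# that has no comment alias at all.
SAMPLE_PRINTCAP = """\
# constructed sample printcap
print1|My Printer 1
print2|My Printer 2
print3|My Printer 3
print4|My Printer 4
print5|My Printer 5
rawq|raw
"""


@dataclass
class Printer:
    name: str                                         # first alias: the queue name
    comment: str = ""                                 # first alias containing a space, if any
    aliases: List[str] = field(default_factory=list)  # every alias, including name


def parse_printcap(text: str) -> List[Printer]:
    """Return one Printer per non-empty, non-comment printcap line."""
    printers: List[Printer] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                                   # blank line or '#' comment
        alias_field = line.split(":", 1)[0]            # drop capability fields
        aliases = [a.strip() for a in alias_field.split("|") if a.strip()]
        if not aliases:
            continue
        # The man page's hint: an alias with a space in it is a comment,
        # not a name Samba should offer as a printer.
        comment = next((a for a in aliases if " " in a), "")
        printers.append(Printer(name=aliases[0], comment=comment, aliases=aliases))
    return printers


def printer_names(text: str) -> List[str]:
    """The queue names Samba would expose from this printcap text."""
    return [p.name for p in parse_printcap(text)]


if __name__ == "__main__":
    for p in parse_printcap(SAMPLE_PRINTCAP):
        print(f"{p.name:8s} comment={p.comment!r} aliases={p.aliases}")
```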

Note
Under AIX the default printcap name is /etc/qconfig. Samba will assume the file is in AIX qconfig format if the string qconfig appears in the printcap filename.

Default: printcap name = /etc/printcap

Example: printcap name = /etc/myprintcap
print command (S)

After a print job has finished spooling to a service, this command will be used via a system() call to process the spool file. Typically the command specified will submit the spool file to the host's printing subsystem, but there is no requirement that this be the case. The server will not remove the spool file, so whatever command you specify should remove the spool file when it has been processed, otherwise you will need to manually remove old spool files.

The print command is simply a text string. It will be used verbatim after macro substitutions have been made:

%s, %f - the path to the spool file name

%p - the appropriate printer name

%J - the job name as transmitted by the client.

%c - the number of printed pages of the spooled job (if known).

%z - the size of the spooled print job (in bytes)

The print command MUST contain at least one occurrence of %s or %f - the %p is optional. At the time a job is submitted, if no printer name is supplied the %p will be silently removed from the printer command.

If specified in the [global] section, the print command given will be used for any printable service that does not have its own print command specified.

If there is neither a specified print command for a printable service nor a global print command, spool files will be created but not processed and (most importantly) not removed.

Note that printing may fail on some UNIXes from the nobody account. If this happens then create an alternative guest account that can print and set the guest account in the [global] section.

You can form quite complex print commands by realizing that they are just passed to a shell. For example the following will log a print job, print the file, then remove it. Note that ';' is the usual separator for commands in shell scripts.

print command = echo Printing %s >> /tmp/print.log; lpr -P %p %s; rm %s
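The macro substitution described above, as an added Python example that is not Samba's own code: it enforces the rule that %s or %f must be present, drops %p when no printer name was supplied, and expands the remaining macros in one pass. Because the expanded string is handed to a shell, this example shell-quotes the string-valued macros (the spool path and the client-chosen %J job name); that quoting is this example's choice, not a description of what Samba does. PrintJob and build_print_command are names assumed here.

```python
"""Expand 'print command' macros as documented in smb.conf(5).

Added example, not Samba code. Demonstrates the documented semantics of
%s/%f, %p, %J, %c and %z and the required-%s-or-%f check.
"""
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class PrintJob:
    spool_path: str           # substituted for %s and %f
    printer: Optional[str]    # substituted for %p; None when no printer name was supplied
    job_name: str             # substituted for %J; chosen by the client
    pages: Optional[int]      # substituted for %c; None if not known
    size_bytes: int           # substituted for %z


def validate_print_command(template: str) -> None:
    """The man page requires at least one %s or %f; %p is optional."""
    if "%s" not in template and "%f" not in template:
        raise ValueError("print command must contain at least one %s or %f")


def _substitutions(job: PrintJob) -> Dict[str, str]:
    # Every value lands inside a shell command line, so the string-valued
    # macros are quoted with shlex.quote (this example's choice).
    return {
        "%s": shlex.quote(job.spool_path),
        "%f": shlex.quote(job.spool_path),
        "%J": shlex.quote(job.job_name),
        "%c": "" if job.pages is None else str(job.pages),
        "%z": str(job.size_bytes),
        # "if no printer name is supplied the %p will be silently removed"
        "%p": shlex.quote(job.printer) if job.printer else "",
    }


def build_print_command(template: str, job: PrintJob) -> str:
    """Expand the macros of a 'print command' template for one job."""
    validate_print_command(template)
    subs = _substitutions(job)
    out: List[str] = []
    i = 0
    while i < len(template):
        macro = template[i:i + 2]
        if macro in subs:
            out.append(subs[macro])   # single pass: substituted text is never rescanned
            i += 2
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample job; the template is the one from the man page.
    job = PrintJob("/var/spool/samba/smbprn.000001.abc", "lp", "quarterly report", 3, 4096)
    print(build_print_command("echo Printing %s >> /tmp/print.log; lpr -P %p %s; rm %s", job))
```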

You may have to vary this command considerably depending on how you normally print files on your system. The default for the parameter varies depending on the setting of the printing parameter.

Default: For printing = BSD, AIX, QNX, LPRNG or PLP :

print command = lpr -r -P%p %s

For printing = SYSV or HPUX :

print command = lp -c -d%p %s; rm %s

For printing = SOFTQ :

print command = lp -d%p -s %s; rm %s

For printing = CUPS : If SAMBA is compiled against libcups, then printcap = cups uses the CUPS API to submit jobs, etc. Otherwise it maps to the System V commands with the -oraw option for printing, i.e. it uses lp -c -d%p -oraw; rm %s. With printing = cups, and if SAMBA is compiled against libcups, any manually set print command will be ignored.

No default

Example: print command = /usr/local/samba/bin/myprintscript %p %s
printer

This parameter is a synonym for printer name.

printer name (S)

This parameter specifies the name of the printer to which print jobs spooled through a printable service will be sent.

If specified in the [global] section, the printer name given will be used for any printable service that does not have its own printer name specified.

The default value of the printer name may be lp on many systems.

Default: printer name =

Example: printer name = laserwriter

printing (S)

This parameter controls how printer status information is interpreted on your system. It also affects the default values for the print command, lpq command, lppause command, lpresume command, and lprm command if specified in the [global] section.

Currently nine printing styles are supported. They are BSD, AIX, LPRNG, PLP, SYSV, HPUX, QNX, SOFTQ, CUPS and IPRINT.

Be aware that CUPS and IPRINT are only available if the CUPS development library was available at the time Samba was compiled or packaged.

To see what the defaults are for the other print commands when using the various options use the testparm(1) program.

This option can be set on a per printer basis. Please be aware however, that you must place any of the various printing commands (e.g. print command, lpq command, etc...) after defining the value for the printing option since it will reset the printing commands to default values.

See also the discussion in the [printers] section.

See testparm -v for the default value on your system.

Default: printing = # Depends on the operating system

printjob username (S)

This parameter specifies which user information will be passed to the printing system. Usually, the username is sent, but in some cases, e.g. the domain prefix is useful, too.

Default: printjob username = %U

Example: printjob username = %D\%U
print notify backchannel (S)

Windows print clients can update print queue status by expecting the server to open a backchannel SMB connection to them. Due to client firewall settings this can cause considerable timeouts and will often fail, as there is no guarantee the client is even running an SMB server. By default, the Samba print server will not try to connect back to clients, and will treat corresponding requests as if the connection back to the client failed.

Default: print notify backchannel = no

private directory

This parameter is a synonym for private dir.

private dir (G)

This parameter defines the directory smbd will use for storing such files as smbpasswd and secrets.tdb.

Default: private dir = /var/lib/samba/private

queuepause command (S)

This parameter specifies the command to be executed on the server host in order to pause the printer queue.

This command should be a program or script which takes a printer name as its only parameter and stops the printer queue, such that no further jobs are submitted to the printer.

This command is not supported by Windows for Workgroups, but can be issued from the Printers window under Windows 95 and NT.

If a %p is given then the printer name is put in its place. Otherwise it is placed at the end of the command.

Note that it is good practice to include the absolute path in the command as the PATH may not be available to the server.

Default: queuepause command = # determined by printing parameter

Example: queuepause command = disable %p

queueresume command (S)

This parameter specifies the command to be executed on the server host in order to resume the printer queue. It is the command to undo the behavior that is caused by the previous parameter (queuepause command).

This command should be a program or script which takes a printer name as its only parameter and resumes the printer queue, such that queued jobs are resubmitted to the printer.

This command is not supported by Windows for Workgroups, but can be issued from the Printers window under Windows 95 and NT.

If a %p is given then the printer name is put in its place. Otherwise it is placed at the end of the command.

Note that it is good practice to include the absolute path in the command as the PATH may not be available to the server.

Default: queueresume command = # determined by printing parameter

Example: queueresume command = enable %p
raw NTLMv2 auth (G)

This parameter has been deprecated since Samba 4.13 and support for NTLMv2 authentication without NTLMSSP will be removed in a future Samba release.

That is, in the future, the current default of raw NTLMv2 auth = no will be the enforced behaviour.

This parameter determines whether or not smbd(8) will allow SMB1 clients without extended security (without SPNEGO) to use NTLMv2 authentication.

If this option, lanman auth and ntlm auth are all disabled, then only clients with SPNEGO support will be permitted. That means NTLMv2 is only supported within NTLMSSP.

Default: raw NTLMv2 auth = no

read list (S)

This is a list of users that are given read-only access to a service. If the connecting user is in this list then they will not be given write access, no matter what the read only option is set to. The list can include group names using the syntax described in the invalid users parameter.

Default: read list =

Example: read list = mary, @students

read only (S)

An inverted synonym is writeable.

If this parameter is yes, then users of a service may not create or modify files in the service's directory.

Note that a printable service (printable = yes) will ALWAYS allow writing to the directory (user privileges permitting), but only via spooling operations.

Default: read only = yes

read raw (G)

This is ignored if async smb echo handler is set, because this feature is incompatible with raw read SMB requests.

If enabled, raw reads allow reads of 65535 bytes in one packet. This typically provides a major performance benefit for some very, very old clients.

However, some clients either negotiate the allowable block size incorrectly or are incapable of supporting larger block sizes, and for these clients you may need to disable raw reads.

In general this parameter should be viewed as a system tuning tool and left severely alone.

Default: read raw = yes
realm (G)

This option specifies the Kerberos realm to use. The realm is used as the ADS equivalent of the NT4 domain. It is usually set to the DNS name of the Kerberos server.

Default: realm =

Example: realm = mysambabox.mycompany.com

registry shares (G)

This turns on or off support for share definitions read from the registry. Shares defined in smb.conf take precedence over shares with the same name defined in the registry. See the section on registry-based configuration for details.

Note that this parameter defaults to no, but it is set to yes when config backend is set to registry.

Default: registry shares = no

Example: registry shares = yes

reject md5 clients (G)

This option controls whether the netlogon server (currently only in 'active directory domain controller' mode) will reject clients which do not support NETLOGON_NEG_SUPPORTS_AES.

You can set this to yes if all domain members support AES. This will prevent downgrade attacks.

This option takes precedence over the 'allow nt4 crypto' option.

Default: reject md5 clients = no

reject md5 servers (G)

This option controls whether winbindd requires AES support for the netlogon secure channel.

The following flags will be required: NETLOGON_NEG_ARCFOUR, NETLOGON_NEG_SUPPORTS_AES, NETLOGON_NEG_PASSWORD_SET2 and NETLOGON_NEG_AUTHENTICATED_RPC.

You can set this to yes if all domain controllers support AES. This will prevent downgrade attacks.

The behavior can be controlled per NetBIOS domain by using 'reject md5 servers:NETBIOSDOMAIN = yes' as option.

This option takes precedence over the require strong key option.

Default: reject md5 servers = no
remote announce (G)

This option allows you to set up nmbd(8) to periodically announce itself to arbitrary IP addresses with an arbitrary workgroup name.

This is useful if you want your Samba server to appear in a remote workgroup for which the normal browse propagation rules don't work. The remote workgroup can be anywhere that you can send IP packets to.

For example:

remote announce = 192.168.2.255/SERVERS 192.168.4.255/STAFF

the above line would cause nmbd to announce itself to the two given IP addresses using the given workgroup names. If you leave out the workgroup name, then the one given in the workgroup parameter is used instead.

The IP addresses you choose would normally be the broadcast addresses of the remote networks, but can also be the IP addresses of known browse masters if your network config is that stable.

See the chapter on Network Browsing in the Samba-HOWTO book.

Default: remote announce =

remote browse sync (G)

This option allows you to set up nmbd(8) to periodically request synchronization of browse lists with the master browser of a Samba server that is on a remote segment. This option will allow you to gain browse lists for multiple workgroups across routed networks. This is done in a manner that does not work with any non-Samba servers.

This is useful if you want your Samba server and all local clients to appear in a remote workgroup for which the normal browse propagation rules don't work. The remote workgroup can be anywhere that you can send IP packets to.

For example:

remote browse sync = 192.168.2.255 192.168.4.255

the above line would cause nmbd to request the master browser on the specified subnets or addresses to synchronize their browse lists with the local server.

The IP addresses you choose would normally be the broadcast addresses of the remote networks, but can also be the IP addresses of known browse masters if your network config is that stable. If a machine IP address is given Samba makes NO attempt to validate that the remote machine is available, is listening, nor that it is in fact the browse master on its segment.

The remote browse sync may be used on networks where there is no WINS server, and may be used on disjoint networks where each network has its own WINS server.

Default: remote browse sync =
rename user script (G)

This is the full pathname to a script that will be run as root by smbd(8) under special circumstances described below.

When a user with admin authority or SeAddUserPrivilege rights renames a user (e.g.: from the NT4 User Manager for Domains), this script will be run to rename the POSIX user. Two variables, %uold and %unew, will be substituted with the old and new usernames, respectively. The script should return 0 upon successful completion, and nonzero otherwise.

Note
The script has all responsibility to rename all the necessary data that is accessible in this posix method. This can mean different requirements for different backends. The tdbsam and smbpasswd backends will take care of the contents of their respective files, so the script is responsible only for changing the POSIX username, and other data that may be required for your circumstances, such as home directory. Please also consider whether or not you need to rename the actual home directories themselves. The ldapsam backend will not make any changes, because of the potential issues with renaming the LDAP naming attribute. In this case the script is responsible for changing the attribute that samba uses (uid) for locating users, as well as any data that needs to change for other applications using the same directory.

Default: rename user script =
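An added example of such a script for the tdbsam or smbpasswd backends, written in Python and not part of Samba: it validates both names before doing anything, since smbd runs it as root with names that originate from a Windows client, then renames the POSIX account with usermod(8) and moves the home directory, exiting 0 on success and nonzero otherwise. The install path /usr/local/sbin/rename_user.py, the /home/<name> layout and the function names are assumptions.

```python
#!/usr/bin/env python3
"""Example 'rename user script' for smb.conf (added example, not Samba code).

Configure it as (path assumed):
    rename user script = /usr/local/sbin/rename_user.py %uold %unew
smbd substitutes %uold and %unew and runs the script as root.
"""
import re
import subprocess
import sys
from typing import List

# Strict allow-list for a plain POSIX login name. The names come from a
# Windows client and this script runs as root, so anything else is refused
# rather than passed on to usermod.
_NAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def valid_username(name: str) -> bool:
    return _NAME_RE.fullmatch(name) is not None


def rename_commands(old: str, new: str, move_home: bool = True) -> List[List[str]]:
    """Return the argv lists needed to rename the POSIX user.

    Kept separate from execution so the plan can be inspected and tested.
    Raises ValueError instead of producing a command for bad input.
    """
    if not valid_username(old) or not valid_username(new):
        raise ValueError("refusing to rename: invalid POSIX username")
    if old == new:
        raise ValueError("old and new usernames are identical")
    cmd = ["usermod", "-l", new]
    if move_home:
        # The man page asks you to decide whether the home directory itself
        # should be renamed; here it is moved to the assumed /home/<new>.
        cmd += ["-d", f"/home/{new}", "-m"]
    cmd.append(old)
    # Sites whose primary groups are named after users would add a
    # ["groupmod", "-n", new, old] step here.
    return [cmd]


def main(argv: List[str]) -> int:
    """Exit status follows the man page: 0 on success, nonzero otherwise."""
    if len(argv) != 3:
        print("usage: rename_user.py OLDNAME NEWNAME", file=sys.stderr)
        return 2
    try:
        commands = rename_commands(argv[1], argv[2])
    except ValueError as err:
        print(f"rename_user.py: {err}", file=sys.stderr)
        return 1
    for cmd in commands:
        if subprocess.run(cmd).returncode != 0:
            print(f"rename_user.py: {cmd[0]} failed", file=sys.stderr)
            return 1
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```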

require strong key (G)

This option controls whether winbindd requires md5 strong key support for the netlogon secure channel.

The following flags will be required: NETLOGON_NEG_STRONG_KEYS, NETLOGON_NEG_ARCFOUR and NETLOGON_NEG_AUTHENTICATED_RPC.

You can set this to no if some domain controllers only support DES. This might allow weak crypto to be negotiated, possibly via downgrade attacks.

The behavior can be controlled per NetBIOS domain by using 'require strong key:NETBIOSDOMAIN = no' as option.

Note that for an active directory domain this option is hardcoded to 'yes'.

This option yields precedence to the reject md5 servers option.

This option takes precedence over the client schannel option.

Default: require strong key = yes

reset on zero vc (G)

This boolean option controls whether an incoming SMB1 session setup should kill other connections coming from the same IP. This matches the default Windows 2003 behaviour. Setting this parameter to yes becomes necessary when you have a flaky network and Windows decides to reconnect while the old connection still has files with share modes open. These files become inaccessible over the new connection. The client sends a zero VC on the new connection, and Windows 2003 kills all other connections coming from the same IP. This way the locked files are accessible again. Please be aware that enabling this option will kill connections behind a masquerading router, and will not trigger for clients that only use SMB2 or SMB3.

Default: reset on zero vc = no
restrict anonymous (G)

The setting of this parameter determines whether SAMR and LSA DCERPC services can be accessed anonymously. This corresponds to the following Windows Server registry option:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous

The option also affects the browse option, which is required by legacy clients that rely on NetBIOS browsing. While modern Windows versions should be fine with restricting the access, there could still be applications relying on anonymous access.

Setting restrict anonymous = 1 will disable anonymous SAMR access.

Setting restrict anonymous = 2 will, in addition to restricting SAMR access, disallow anonymous connections to the IPC$ share in general. Setting guest ok = yes on any share will remove the security advantage.

Default: restrict anonymous = 0

root

This parameter is a synonym for root directory.

root dir

This parameter is a synonym for root directory.

root directory (G)

The server will chroot() (i.e. change its root directory) to this directory on startup. This is not strictly necessary for secure operation. Even without it the server will deny access to files not in one of the service entries. It may also check for, and deny access to, soft links to other parts of the filesystem, or attempts to use ".." in file names to access other directories (depending on the setting of the wide links parameter).

Adding a root directory entry other than "/" adds an extra level of security, but at a price. It absolutely ensures that no access is given to files not in the sub-tree specified in the root directory option, including some files needed for complete operation of the server. To maintain full operability of the server you will need to mirror some system files into the root directory tree. In particular you will need to mirror /etc/passwd (or a subset of it), and any binaries or configuration files needed for printing (if required). The set of files that must be mirrored is operating system dependent.

Default: root directory =

Example: root directory = /homes/smb

root postexec (S)

This is the same as the postexec parameter except that the command is run as root. This is useful for unmounting filesystems (such as CDROMs) after a connection is closed.

Default: root postexec =

root preexec (S)

This is the same as the preexec parameter except that the command is run as root. This is useful for mounting filesystems (such as CDROMs) when a connection is opened.

Default: root preexec =

root preexec close (S)

This is the same as the preexec close parameter except that the command is run as root.

Default: root preexec close = no

rpc big endian (G)

Setting this option will force the RPC client and server to transfer data in big endian.

If it is disabled, data will be transferred in little endian.

The behaviour is independent of the endianness of the host machine.

Default: rpc big endian = no

rpc_daemon:DAEMON (G)

Defines whether to use the embedded code or start a separate daemon for the defined rpc services. The rpc_daemon prefix must be followed by the server name, and a value.

Two possible values are currently supported:

    disabled
    fork

The classic method is to run rpc services as internal daemons embedded in smbd, therefore the external daemons are disabled by default.

Choosing the fork option will cause samba to fork a separate process for each daemon configured this way. Each daemon may in turn fork a number of children used to handle requests from multiple smbds and direct tcp/ip connections (if the Endpoint Mapper is enabled). Communication with smbd happens over named pipes and requires that said pipes are forwarded to the external daemon (see rpc_server).

Forked RPC daemons support dynamically forking children to handle connections. The heuristics about how many children to keep around, how fast to allow them to fork, and how many clients each child is allowed to handle concurrently are defined by parametrical options named after the daemon. Five options are currently supported:

    prefork_min_children
    prefork_max_children
    prefork_spawn_rate
    prefork_max_allowed_clients
    prefork_child_min_life

To set one of these options use the following syntax:

    daemonname:prefork_min_children = 5

Samba includes separate daemons for spoolss, lsarpc/lsass, netlogon, samr, FSRVP and mdssvc (Spotlight). Currently five daemons are available and they are called:

    epmd
    lsasd
    spoolssd
    fssd
    mdssd

Example:

    rpc_daemon:spoolssd = fork

Default: rpc_daemon:DAEMON = disabled

rpc_server:SERVER (G)

With this option you can define if an rpc service should be running internal/embedded in smbd or should be redirected to an external daemon like Samba4, the endpoint mapper daemon, the spoolss daemon or the new LSA service daemon. The rpc_server prefix must be followed by the pipe name, and a value.

This option can be set for each available rpc service in Samba. The following list shows all available pipe name services you can modify with this option.

    • epmapper - Endpoint Mapper

    • winreg - Remote Registry Service

    • srvsvc - Remote Server Services

    • lsarpc - Local Security Authority

    • samr - Security Account Management

    • netlogon - Netlogon Remote Protocol

    • netdfs - Settings for Distributed File System

    • dssetup - Active Directory Setup

    • wkssvc - Workstation Services

    • spoolss - Network Printing Spooler

    • svcctl - Service Control

    • ntsvcs - Plug and Play Services

    • eventlog - Event Logger

    • initshutdown - Init Shutdown Service

    • mdssvc - Spotlight

Three possible values are currently supported: embedded, external, disabled.

The classic method is to run every pipe as an internal function embedded in smbd. The defaults may vary depending on the service.

Choosing the external option allows one to run a separate daemon or even a completely independent (3rd party) server capable of interfacing with samba via the MS-RPC interface over named pipes.

Currently in Samba3 we support four daemons, spoolssd, epmd, lsasd and mdssd. These daemons can be enabled using the rpc_daemon option. For spoolssd you have to enable the daemon and proxy the named pipe with:

Examples:

    rpc_daemon:lsasd = fork
    rpc_server:lsarpc = external
    rpc_server:samr = external
    rpc_server:netlogon = external

    rpc_server:spoolss = external
    rpc_server:epmapper = disabled

    rpc_daemon:mdssd = fork
    rpc_server:mdssvc = external

There is one special option which allows you to enable rpc services to listen for ncacn_ip_tcp connections too. Currently this is only used for testing and doesn't scale!

    rpc_server:tcpip = yes

Default: rpc_server:SERVER = embedded

rpc server dynamic port range (G)

This parameter tells the RPC server which port range it is allowed to use to create a listening socket for LSA, SAM, Netlogon and others without well-known tcp ports. The first value is the lowest number of the port range and the second the highest.

This applies to RPC servers in all server roles.

Default: rpc server dynamic port range = 49152-65535

rpc server port (G)

Specifies which port the server should listen on for DCE/RPC over TCP/IP traffic.

This controls the default port for all protocols, except for NETLOGON.

If unset, the first available port from rpc server dynamic port range is used, e.g. 49152.

The NETLOGON server will use the next available port, e.g. 49153. To change this port use (e.g.) rpc server port:netlogon = 4000.

Furthermore, all RPC servers can have the port they use specified independently, with (for example) rpc server port:drsuapi = 5000.

This option currently applies only when samba(8) runs as an Active Directory domain controller.

The default value 0 causes Samba to select the first available port from rpc server dynamic port range.

Default: rpc server port = 0

samba kcc command (G)

This option specifies the path to the Samba KCC command. This script is used to manage the replication topology.

It should not be necessary to modify this option except for testing purposes or if samba_kcc was installed in a non-default location.

Default: samba kcc command = /build/samba-UnNxDC/samba-4.13.13+dfsg/source4/scripting/bin/samba_kcc

Example: samba kcc command = /usr/local/bin/kcc

security (G)

This option affects how clients respond to Samba and is one of the most important settings in the smb.conf file.

The default is security = user, as this is the most common setting, used for a standalone file server or a DC.

The alternatives are security = ads or security = domain, which support joining Samba to a Windows domain.

You should use security = user and map to guest if you want to mainly set up shares without a password (guest shares). This is commonly used for a shared printer server.

The different settings will now be explained.

SECURITY = AUTO

This is the default security setting in Samba, and causes Samba to consult the server role parameter (if set) to determine the security mode.

SECURITY = USER

If server role is not specified, this is the default security setting in Samba. With user-level security a client must first "log-on" with a valid username and password (which can be mapped using the username map parameter). Encrypted passwords (see the encrypted passwords parameter) can also be used in this security mode. Parameters such as user and guest only, if set, are then applied and may change the UNIX user to use on this connection, but only after the user has been successfully authenticated.

Note that the name of the resource being requested is not sent to the server until after the server has successfully authenticated the client. This is why guest shares don't work in user level security without allowing the server to automatically map unknown users into the guest account. See the map to guest parameter for details on doing this.

SECURITY = DOMAIN

This mode will only work correctly if net(8) has been used to add this machine into a Windows NT Domain. It expects the encrypted passwords parameter to be set to yes. In this mode Samba will try to validate the username/password by passing it to a Windows NT Primary or Backup Domain Controller, in exactly the same way that a Windows NT Server would do.

Note that a valid UNIX user must still exist as well as the account on the Domain Controller to allow Samba to have a valid UNIX account to map file access to.

Note that from the client's point of view security = domain is the same as security = user. It only affects how the server deals with the authentication, it does not in any way affect what the client sees.

Note that the name of the resource being requested is not sent to the server until after the server has successfully authenticated the client. This is why guest shares don't work in user level security without allowing the server to automatically map unknown users into the guest account. See the map to guest parameter for details on doing this.

See also the password server parameter and the encrypted passwords parameter.

SECURITY = ADS

In this mode, Samba will act as a domain member in an ADS realm. To operate in this mode, the machine running Samba will need to have Kerberos installed and configured and Samba will need to be joined to the ADS realm using the net utility.

Note that this mode does NOT make Samba operate as an Active Directory Domain Controller.

Note that this forces require strong key = yes and client schannel = yes for the primary domain.

Read the chapter about Domain Membership in the HOWTO for details.

Default: security = AUTO

Example: security = DOMAIN

security mask (S)

This parameter has been removed for Samba 4.0.0.

No default

max protocol

This parameter is a synonym for server max protocol.

protocol

This parameter is a synonym for server max protocol.

server max protocol (G)

The value of the parameter (a string) is the highest protocol level that will be supported by the server.

Possible values are:

    • LANMAN1: First modern version of the protocol. Long filename support.

    • LANMAN2: Updates to Lanman1 protocol.

    • NT1: Current up to date version of the protocol. Used by Windows NT. Known as CIFS.

    • SMB2: Re-implementation of the SMB protocol. Used by Windows Vista and later versions of Windows. SMB2 has sub protocols available.

        • SMB2_02: The earliest SMB2 version.

        • SMB2_10: Windows 7 SMB2 version.

        • SMB2_22: Early Windows 8 SMB2 version.

        • SMB2_24: Windows 8 beta SMB2 version.

      By default SMB2 selects the SMB2_10 variant.

    • SMB3: The same as SMB2. Used by Windows 8. SMB3 has sub protocols available.

        • SMB3_00: Windows 8 SMB3 version. (mostly the same as SMB2_24)

        • SMB3_02: Windows 8.1 SMB3 version.

        • SMB3_10: early Windows 10 technical preview SMB3 version.

        • SMB3_11: Windows 10 technical preview SMB3 version (maybe final).

      By default SMB3 selects the SMB3_11 variant.

Normally this option should not be set as the automatic negotiation phase in the SMB protocol takes care of choosing the appropriate protocol.

Default: server max protocol = SMB3

Example: server max protocol = LANMAN1

min protocol

This parameter is a synonym for server min protocol.

server min protocol (G)

This setting controls the minimum protocol version that the server will allow the client to use.

Normally this option should not be set as the automatic negotiation phase in the SMB protocol takes care of choosing the appropriate protocol, unless you have legacy clients which are SMB1 capable only.

See the server max protocol parameter for a full list of available protocols.

Default: server min protocol = SMB2_02

Example: server min protocol = NT1

server multi channel support (G)

This boolean parameter controls whether smbd(8) will support SMB3 multi-channel.

This parameter was added with version 4.4.

Warning: Note that this feature is still considered experimental. Use it at your own risk: Even though it may seem to work well in testing, it may result in data corruption under some race conditions. Future releases may improve this situation.

Due to dependencies on kernel APIs of Linux or FreeBSD, it's only possible to use this feature on Linux and FreeBSD for now. For testing this restriction can be overridden by specifying force:server multi channel support=yes in addition.

Default: server multi channel support = no

server role (G)

This option determines the basic operating mode of a Samba server and is one of the most important settings in the smb.conf file.

The default is server role = auto, which causes Samba to operate according to the security setting, or if not specified as a simple file server that is not connected to any domain.

The alternatives are server role = standalone or server role = member server, which support joining Samba to a Windows domain, along with server role = domain controller, which runs Samba as a Windows domain controller.

You should use server role = standalone and map to guest if you want to mainly set up shares without a password (guest shares). This is commonly used for a shared printer server.

SERVER ROLE = AUTO

This is the default server role in Samba, and causes Samba to consult the security parameter (if set) to determine the server role, giving compatible behaviours to previous Samba versions.

SERVER ROLE = STANDALONE

If security is also not specified, this is the default security setting in Samba. In standalone operation, a client must first "log-on" with a valid username and password (which can be mapped using the username map parameter) stored on this machine. Encrypted passwords (see the encrypted passwords parameter) are by default used in this security mode. Parameters such as user and guest only, if set, are then applied and may change the UNIX user to use on this connection, but only after the user has been successfully authenticated.

SERVER ROLE = MEMBER SERVER

This mode will only work correctly if net(8) has been used to add this machine into a Windows Domain. It expects the encrypted passwords parameter to be set to yes. In this mode Samba will try to validate the username/password by passing it to a Windows or Samba Domain Controller, in exactly the same way that a Windows Server would do.

Note that a valid UNIX user must still exist as well as the account on the Domain Controller to allow Samba to have a valid UNIX account to map file access to. Winbind can provide this.

SERVER ROLE = CLASSIC PRIMARY DOMAIN CONTROLLER

This mode of operation runs a classic Samba primary domain controller, providing domain logon services to Windows and Samba clients of an NT4-like domain. Clients must be joined to the domain to create a secure, trusted path across the network. There must be only one PDC per NetBIOS scope (typically a broadcast network or clients served by a single WINS server).

SERVER ROLE = CLASSIC BACKUP DOMAIN CONTROLLER

This mode of operation runs a classic Samba backup domain controller, providing domain logon services to Windows and Samba clients of an NT4-like domain. As a BDC, this allows multiple Samba servers to provide redundant logon services to a single NetBIOS scope.

SERVER ROLE = ACTIVE DIRECTORY DOMAIN CONTROLLER

This mode of operation runs Samba as an Active Directory domain controller, providing domain logon services to Windows and Samba clients of the domain. This role requires special configuration, see the Samba4 HOWTO.

SERVER ROLE = IPA DOMAIN CONTROLLER

This mode of operation runs Samba in a hybrid mode for an IPA domain controller, providing forest trust to Active Directory. This role requires special configuration performed by IPA installers and should not be used manually by any administrator.

Default: server role = AUTO

Example: server role = ACTIVE DIRECTORY DOMAIN CONTROLLER

server schannel (G)

This option is deprecated and will be removed in future, as it is a security problem if not set to "yes" (which will be the hardcoded behavior in future).

Samba will complain in the log files at log level 0 about the security problem if the option is not set to "yes".

See CVE-2020-1472 (ZeroLogon): https://bugzilla.samba.org/show_bug.cgi?id=14497

If you still have legacy domain members use the server require schannel:COMPUTERACCOUNT option.

This option yields precedence to the server require schannel:COMPUTERACCOUNT option.

Default: server schannel = yes

server require schannel:COMPUTERACCOUNT (G)

If you still have legacy domain members, which required "server schannel = auto" before, it is possible to specify an explicit exception per computer account by using 'server require schannel:COMPUTERACCOUNT = no' as option. Note that COMPUTERACCOUNT has to be the sAMAccountName value of the computer account (including the trailing '$' sign).

Samba will complain in the log files at log level 0 about the security problem if the option is not set to "no", but the related computer is actually using the netlogon secure channel (schannel) feature.

Samba will warn in the log files at log level 5 if a setting is still needed for the specified computer account.

See CVE-2020-1472 (ZeroLogon): https://bugzilla.samba.org/show_bug.cgi?id=14497

This option takes precedence over the server schannel option.

    server require schannel:LEGACYCOMPUTER1$ = no
    server require schannel:NASBOX$ = no
    server require schannel:LEGACYCOMPUTER2$ = no

No default

server services (G)

This option contains the services that the Samba daemon will run.

An entry in the smb.conf file can either override the previous value completely or entries can be removed from or added to it by prefixing them with + or -.

Default: server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate, dns

Example: server services = -s3fs, +smb

server signing (G)

This controls whether the client is allowed or required to use SMB1 and SMB2 signing. Possible values are default, auto, mandatory and disabled.

By default, and when this parameter is set to default, SMB signing is required when server role is active directory domain controller and disabled otherwise.

When set to auto, SMB1 signing is offered, but not enforced. When set to mandatory, SMB1 signing is required, and if set to disabled, SMB signing is not offered either.

For the SMB2 protocol, by design, signing cannot be disabled. In the case where SMB2 is negotiated, if this parameter is set to disabled, it will be treated as auto. Setting it to mandatory will still require SMB2 clients to use signing.

Default: server signing = default
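
The following script is an added example (not part of smb.conf(5) and not Samba code) that parses the [global] section of a constructed smb.conf fragment and flags the weak settings discussed above under require strong key, restrict anonymous, server min protocol, rpc_server:tcpip, server schannel, server require schannel:COMPUTERACCOUNT and server signing, applying the defaults this page documents whenever a parameter is absent. The key normalisation (case and whitespace insensitive, synonyms) follows the smb.conf conventions; the finding texts and the sample host and account names are constructed.

```python
"""Audit the security-relevant [global] settings of an smb.conf fragment.
Added example, not Samba code; it applies the defaults smb.conf(5) documents
for each parameter when the parameter is absent."""
import re

# Parameter names are case-insensitive and ignore whitespace; a ':' suffix
# (NetBIOS domain or computer account) keeps its case.
SYNONYMS = {"minprotocol": "serverminprotocol",
            "maxprotocol": "servermaxprotocol",
            "protocol": "servermaxprotocol"}

# Dialect order from the 'server max protocol' list; the first three are SMB1.
DIALECTS = ["LANMAN1", "LANMAN2", "NT1", "SMB2_02", "SMB2_10", "SMB2_22",
            "SMB2_24", "SMB3_00", "SMB3_02", "SMB3_10", "SMB3_11"]
SMB1_DIALECTS = set(DIALECTS[:3])
# Plain SMB2 selects SMB2_10 and plain SMB3 selects SMB3_11 (per the page).
DIALECT_ALIASES = {"SMB2": "SMB2_10", "SMB3": "SMB3_11"}


def normalise_key(raw):
    """'Server Min Protocol' -> 'serverminprotocol';
    'server require schannel:NASBOX$' -> 'serverrequireschannel:NASBOX$'."""
    base, sep, suffix = raw.partition(":")
    base = re.sub(r"\s+", "", base).lower()
    return SYNONYMS.get(base, base) + sep + suffix.strip()


def parse_global(text):
    """Return the [global] section as {canonical key: value}; a later
    definition of the same key overrides an earlier one, as in smb.conf."""
    section, params = None, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in ";#":
            continue  # blank or comment
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue  # share-level lines are not audited here
        key, _, value = line.partition("=")
        params[normalise_key(key)] = value.strip()
    return params


def is_true(value):
    return value.strip().lower() in ("yes", "true", "1")


def audit_global(params):
    """Return a list of findings for weak settings, using the documented
    defaults for anything the fragment does not set."""
    findings = []
    # server schannel: default yes; anything else is the ZeroLogon exposure.
    if not is_true(params.get("serverschannel", "yes")):
        findings.append("server schannel is not 'yes' (CVE-2020-1472 exposure)")
    for key, value in params.items():
        suffix = key.split(":", 1)[1] if ":" in key else ""
        if key.startswith("serverrequireschannel:") and not is_true(value):
            findings.append(f"schannel not required for computer account {suffix}")
        if key.startswith("requirestrongkey:") and not is_true(value):
            findings.append(f"strong key not required for domain {suffix}")
    # server min protocol: default SMB2_02; an SMB1 dialect admits SMB1 clients.
    minproto = params.get("serverminprotocol", "SMB2_02").upper()
    minproto = DIALECT_ALIASES.get(minproto, minproto)
    if minproto in SMB1_DIALECTS:
        findings.append(f"server min protocol = {minproto} allows SMB1 clients")
    # restrict anonymous: default 0 permits anonymous SAMR/LSA access.
    if params.get("restrictanonymous", "0") == "0":
        findings.append("restrict anonymous = 0 permits anonymous SAMR/LSA access")
    # server signing: 'disabled' means SMB1 signing is not even offered.
    if params.get("serversigning", "default").lower() == "disabled":
        findings.append("server signing = disabled (SMB1 signing not offered)")
    # rpc_server:tcpip is documented as testing-only and does not scale.
    if is_true(params.get("rpc_server:tcpip", "no")):
        findings.append("rpc_server:tcpip = yes is for testing only")
    return findings


# Constructed sample configuration; the workgroup and account names are made up.
SAMPLE_CONF = """
[global]
    workgroup = EXAMPLE
    Server Min Protocol = NT1
    server schannel = auto
    server require schannel:NASBOX$ = no
    server require schannel:LEGACYCOMPUTER1$ = yes
    restrict anonymous = 2
    server signing = mandatory
    ; a comment line
[homes]
    server schannel = no
"""

if __name__ == "__main__":
    for finding in audit_global(parse_global(SAMPLE_CONF)):
        print("WARN:", finding)
```

Run against a real file with `audit_global(parse_global(open("/etc/samba/smb.conf").read()))`; note that `include =` directives and registry-backed configuration are not followed by this parser.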

server string (G)

This controls what string will show up in the printer comment box in print manager and next to the IPC connection in net view. It can be any string that you wish to show to your users.

It also sets what will appear in browse lists next to the machine name.

A %v will be replaced with the Samba version number.

A %h will be replaced with the hostname.

Default: server string = Samba %v

Example: server string = University of GNUs Samba Server

set primary group script (G)

Thanks to the POSIX subsystem in NT a Windows user has a primary group in addition to the auxiliary groups. This script sets the primary group in the unix user database when an administrator sets the primary group from the Windows user manager or when fetching a SAM with net rpc vampire. %u will be replaced with the user whose primary group is to be set. %g will be replaced with the group to set.

Default: set primary group script =

Example: set primary group script = /usr/sbin/usermod -g '%g' '%u'

set quota command (G)

The set quota command should only be used whenever there is no operating system API available from the OS that samba can use.

This option is only available if Samba was compiled with quota support.

This parameter should specify the path to a script that can set quota for the specified arguments.

The specified script should take the following arguments:

    • 1 - path to where the quota needs to be set. This needs to be interpreted relative to the current working directory that the script may also check for.

    • 2 - quota type

        • 1 - user quotas

        • 2 - user default quotas (uid = -1)

        • 3 - group quotas

        • 4 - group default quotas (gid = -1)

    • 3 - id (uid for user, gid for group, -1 if N/A)

    • 4 - quota state (0 = disable, 1 = enable, 2 = enable and enforce)

    • 5 - block softlimit

    • 6 - block hardlimit

    • 7 - inode softlimit

    • 8 - inode hardlimit

    • 9 (optional) - block size, defaults to 1024

The script should output at least one line of data on success, and nothing on failure.

Default: set quota command =

Example: set quota command = /usr/local/sbin/set_quota
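
As an added example (not part of smb.conf(5) or Samba), the following Python script validates the nine-argument interface described above before anything is changed, and honours the output contract (one line on stdout on success, nothing on failure). The `apply_quota` hook is hypothetical: the actual quota call is operating-system specific, as the text notes, so it only reports what would be set.

```python
"""Argument validation for a 'set quota command' script, following the
nine-argument interface smb.conf(5) documents. Added example, not Samba code;
the OS-specific quota call is a hypothetical hook."""
import os
import sys

QUOTA_TYPES = {1: "user", 2: "user_default", 3: "group", 4: "group_default"}
QUOTA_STATES = {0: "disable", 1: "enable", 2: "enforce"}


def parse_set_quota_args(argv):
    """Map the positional arguments smbd passes to a dict, or raise
    ValueError describing the first inconsistency found."""
    if len(argv) not in (8, 9):
        raise ValueError(f"expected 8 or 9 arguments, got {len(argv)}")
    # Argument 1 is interpreted relative to the current working directory.
    path = os.path.abspath(argv[0])
    try:
        nums = [int(a) for a in argv[1:]]
    except ValueError:
        raise ValueError("arguments 2..9 must be integers") from None
    qtype, qid, state, bsoft, bhard, isoft, ihard = nums[:7]
    block_size = nums[7] if len(nums) == 8 else 1024  # argument 9 is optional
    if qtype not in QUOTA_TYPES:
        raise ValueError(f"quota type {qtype} not in 1..4")
    if state not in QUOTA_STATES:
        raise ValueError(f"quota state {state} not in 0..2")
    # Default quotas (types 2 and 4) carry no id; smbd passes -1 for them.
    if qtype in (2, 4) and qid != -1:
        raise ValueError("default quotas (types 2 and 4) must use id -1")
    if qtype in (1, 3) and qid < 0:
        raise ValueError("user/group quotas need a non-negative id")
    if min(bsoft, bhard, isoft, ihard) < 0 or block_size <= 0:
        raise ValueError("limits must be >= 0 and block size > 0")
    return {"path": path, "type": QUOTA_TYPES[qtype], "id": qid,
            "state": QUOTA_STATES[state],
            "block_soft_bytes": bsoft * block_size,
            "block_hard_bytes": bhard * block_size,
            "inode_soft": isoft, "inode_hard": ihard}


def apply_quota(spec):
    """Hypothetical hook: a real script would call the OS quota tool here.
    This placeholder only describes the requested change."""
    return (f"{spec['type']} quota for id {spec['id']} on {spec['path']}: "
            f"{spec['block_hard_bytes']} bytes / {spec['inode_hard']} inodes "
            f"({spec['state']})")


def main(argv):
    """smbd's contract: at least one line on stdout on success, nothing on failure."""
    try:
        spec = parse_set_quota_args(argv)
    except ValueError as err:
        print(err, file=sys.stderr)  # stderr only, so stdout stays empty
        return 1
    print(apply_quota(spec))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```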

share backend (G)

This option specifies the backend that will be used to access the configuration of file shares.

Traditionally, Samba file shares have been configured in the smb.conf file and this is still the default.

At the moment there are no other supported backends.

Default: share backend = classic

share:fake_fscaps (G)

This is needed to support some special application that makes QFSINFO calls to check whether we set the SPARSE_FILES bit (0x40). If this bit is not set that particular application refuses to work against Samba. With share:fake_fscaps = 64 the SPARSE_FILES file system capability flag is set. Use other decimal values to specify the bitmask you need to fake.

Default: share:fake_fscaps = 0

short preserve case (S)

This boolean parameter controls if new files which conform to 8.3 syntax, that is all in upper case and of suitable length, are created upper case, or if they are forced to be the default case. This option can be used with preserve case = yes to permit long filenames to retain their case, while short names are lowered.

See the section on NAME MANGLING.

Default: short preserve case = yes

show add printer wizard (G)

With the introduction of MS-RPC based printing support for Windows NT/2000 clients in Samba 2.2, a "Printers..." folder will appear on Samba hosts in the share listing. Normally this folder will contain an icon for the MS Add Printer Wizard (APW). However, it is possible to disable this feature regardless of the level of privilege of the connected user.

Under normal circumstances, the Windows NT/2000 client will open a handle on the printer server with OpenPrinterEx() asking for Administrator privileges. If the user does not have administrative access on the print server (i.e. is not root and has not been granted the SePrintOperatorPrivilege), the OpenPrinterEx() call fails and the client makes another open call with a request for a lower privilege level. This should succeed, however the APW icon will not be displayed.

Disabling the show add printer wizard parameter will always cause the OpenPrinterEx() on the server to fail. Thus the APW icon will never be displayed.

Note
    This does not prevent the same user from having administrative privilege on an individual printer.

Default: show add printer wizard = yes

shutdown script (G)

This is a full path name to a script called by smbd(8) that should start a shutdown procedure.

If the connected user possesses the SeRemoteShutdownPrivilege right, this command will be run as root.

The %z %t %r %f variables are expanded as follows:

    • %z will be substituted with the shutdown message sent to the server.

    • %t will be substituted with the number of seconds to wait before effectively starting the shutdown procedure.

    • %r will be substituted with the switch -r. It means reboot after shutdown for NT.

    • %f will be substituted with the switch -f. It means force the shutdown even if applications do not respond for NT.

Shutdown script example:

    #!/bin/bash
    # Arguments as passed by smbd: $1 = %z (message), $2 = %t (seconds),
    # $3 = %r (-r, reboot) and $4 = %f (-f, force); $3 and $4 may be empty.

    # shutdown(8) takes a delay in minutes, so round the seconds up.
    time=$(( ${2:-0} / 60 + 1 ))

    # $3 and $4 are left unquoted on purpose so that an empty switch
    # disappears; the message is quoted so it stays a single argument.
    /sbin/shutdown $3 $4 +$time "$1" &

Shutdown does not return so we need to launch it in background.

Default: shutdown script =

Example: shutdown script = /usr/local/samba/sbin/shutdown %m %t %r %f

6377 smb2 disable lock sequence checking (G)
6378
6379 This boolean parameter controls whether smbd(8) will disable lock
sequence checking even for multi-channel connections as well as
6380 durable handles.
6381
6382 The [MS-SMB2] specification (under 3.3.5.14 Receiving an SMB2 LOCK
Request) documents that a server should do lock sequence if
6383 Open.IsResilient or Open.IsDurable or Open.IsPersistent is TRUE or if
Connection.Dialect belongs to the SMB 3.x dialect family and
6384 Connection.ServerCapabilities includes SMB2_GLOBAL_CAP_MULTI_CHANNEL.
6385
6386 But Windows Server (at least up to v2004) only does these checks for the
Open.IsResilient and Open.IsPersistent. That means they do
6387 not implement the behavior specified in [MS-SMB2].
6388
6389 By default Samba behaves according to the specification and sends smb2
oplock break notification retries.
6390
6391 Warning: Only enable this option if existing clients can't handle lock
sequence checking for handles without Open.IsResilient and
6392 Open.IsPersistent. And it turns out that the Windows Server behavior is
required.
6393
6394 Note: it's likely that this option will be removed again if future
Windows versions change their behavior.
6395
6396 Note: Samba does not implement Open.IsResilient and Open.IsPersistent yet.
6397
6398 Default: smb2 disable lock sequence checking = no
6399
6400 Example: smb2 disable lock sequence checking = yes
6401
6402 smb2 disable oplock break retry (G)
6403
6404 This boolean parameter controls whether smbd(8) will trigger smb2 oplock
break notification retries when using server multi channel
6405 support = yes.
6406
6407 The [MS-SMB2] specification documents that a server should send smb2
oplock break notification retries on all available channel to the
6408 given client.
6409
6410 But Windows Server versions (at least up to 2019) do not send smb2 oplock
break notification retries on channel failures. That means
6411 they do not implement the behavior specified in [MS-SMB2].
6412
6413 By default Samba behaves according to the specification and send smb2
oplock break notification retries.
6414
6415 Warning: Only enable this option if existing clients can't handle
possible retries and it turns out that the Windows Server behavior
6416 is required.
6417
6418 Note: it's likely that this option gets removed again if future Windows
versions change their behavior.
6419
6420 Note: this only applies to oplocks and not SMB2 leases.
6421
6422 Default: smb2 disable oplock break retry = no
6423
6424 Example: smb2 disable oplock break retry = yes
6425
6426 smb2 leases (G)
6427
6428 This boolean option tells smbd whether to globally negotiate SMB2 leases
on file open requests. Leasing is an SMB2-only feature which
6429 allows clients to aggressively cache files locally above and beyond the
caching allowed by SMB1 oplocks.
6430
6431 This is only available with oplocks = yes and kernel oplocks = no.
6432
6433 Note that the write cache won't be used for file handles with a smb2
write lease.
6434
6435 Default: smb2 leases = yes
6436
6437 smb2 max credits (G)
6438
6439 This option controls the maximum number of outstanding simultaneous SMB2
operations that Samba tells the client it will allow. This is
6440 similar to the max mux parameter for SMB1. You should never need to set
this parameter.
6441
6442 The default is 8192 credits, which is the same as a Windows 2008R2 SMB2
server.
6443
6444 Default: smb2 max credits = 8192
6445
6446 smb2 max read (G)
6447
6448 This option specifies the protocol value that smbd(8) will return to a
client, informing the client of the largest size that may be
6449 returned by a single SMB2 read call.
6450
6451 The maximum is 8388608 bytes (8MiB), which is the same as a Windows
Server 2012 r2.
6452
6453 Please note that the default is 8MiB, but it's limit is based on the smb2
dialect (64KiB for SMB == 2.0, 8MiB for SMB >= 2.1 with
6454 LargeMTU). Large MTU is not supported over NBT (tcp port 139).
6455
6456 Default: smb2 max read = 8388608
6457
6458 smb2 max trans (G)
6459
6460 This option specifies the protocol value that smbd(8) will return to a
client, informing the client of the largest size of buffer that
6461 may be used in querying file meta-data via QUERY_INFO and related SMB2
calls.
6462
The maximum is 8388608 bytes (8MiB), which is the same as Windows Server 2012 R2.

Please note that the default is 8MiB, but its limit depends on the SMB2 dialect (64KiB for SMB == 2.0, 1MiB for SMB >= 2.1 with LargeMTU). Large MTU is not supported over NBT (tcp port 139).
6467
6468 Default: smb2 max trans = 8388608
6469
6470 smb2 max write (G)
6471
6472 This option specifies the protocol value that smbd(8) will return to a
client, informing the client of the largest size that may be
6473 sent to the server by a single SMB2 write call.
6474
The maximum is 8388608 bytes (8MiB), which is the same as Windows Server 2012 R2.

Please note that the default is 8MiB, but its limit depends on the SMB2 dialect (64KiB for SMB == 2.0, 8MiB for SMB >= 2.1 with LargeMTU). Large MTU is not supported over NBT (tcp port 139).
6479
6480 Default: smb2 max write = 8388608
6481
6482 smbd async dosmode (S)
6483
This parameter controls whether the fileserver uses synchronous or asynchronous methods for fetching the DOS attributes when doing a directory listing. By default synchronous methods are used.
6486
6487 Default: smbd async dosmode = no
6488
6489 smbd getinfo ask sharemode (S)
6490
6491 This parameter allows disabling fetching file write time from the open
file handle database locking.tdb when a client requests file or
6492 directory metadata. It's a performance optimisation at the expense of
protocol correctness.
6493
6494 Default: smbd getinfo ask sharemode = yes
6495
6496 smbd max async dosmode (S)
6497
6498 This parameter controls how many async operations to fetch the DOS
attributes the fileserver will queue when doing directory listings.
6499
6500 Default: smbd max async dosmode = aio max threads * 2
6501
6502 smbd profiling level (G)
6503
6504 This parameter allows the administrator to enable profiling support.
6505
6506 Possible values are off, count and on.
6507
6508 Default: smbd profiling level = off
6509
6510 Example: smbd profiling level = on
6511
6512 smbd search ask sharemode (S)
6513
6514 This parameter allows disabling fetching file write time from the open
file handle database locking.tdb. It's a performance
6515 optimisation at the expense of protocol correctness.
6516
6517 Default: smbd search ask sharemode = yes
6518
6519 smb encrypt (S)
6520
6521 This parameter controls whether a remote client is allowed or required to
use SMB encryption. It has different effects depending on
6522 whether the connection uses SMB1 or SMB2 and newer:
6523
6524 • If the connection uses SMB1, then this option controls the use
of a Samba-specific extension to the SMB protocol introduced
6525 in Samba 3.2 that makes use of the Unix extensions.
6526
6527 • If the connection uses SMB2 or newer, then this option
controls the use of the SMB-level encryption that is supported in
6528 SMB version 3.0 and above and available in Windows 8 and newer.
6529
This parameter can be set globally and on a per-share basis. Possible values are off (or disabled), enabled (or auto, or if_required), desired, and required (or mandatory). A special value is default, which is the implicit default setting of enabled.
6532
6533 Effects for SMB1
6534 The Samba-specific encryption of SMB1 connections is an extension to
the SMB protocol negotiated as part of the UNIX extensions.
6535 SMB encryption uses the GSSAPI (SSPI on Windows) ability to encrypt
and sign every request/response in a SMB protocol stream. When
6536 enabled it provides a secure method of SMB/CIFS communication,
similar to an ssh protected session, but using SMB/CIFS
authentication to negotiate encryption and signing keys. Currently this is only supported by smbclient from Samba 3.2 and newer, and hopefully soon by Linux CIFSFS and MacOS/X clients. Windows clients do not support this feature.
6539
This may be set on a per-share basis, but clients may choose to encrypt the entire session, not just traffic to a specific share.
6541 If this is set to mandatory then all traffic to a share must be
encrypted once the connection has been made to the share. The
6542 server would return "access denied" to all non-encrypted requests on
such a share. Selecting encrypted traffic reduces throughput
6543 as smaller packet sizes must be used (no huge UNIX style read/writes
allowed) as well as the overhead of encrypting and signing
6544 all the data.
6545
If SMB encryption is selected, Windows style SMB signing (see the server signing option) is no longer necessary, as the GSSAPI flags used select both signing and sealing of the data.
6548
6549 When set to auto or default, SMB encryption is offered, but not
enforced. When set to mandatory, SMB encryption is required and if
6550 set to disabled, SMB encryption can not be negotiated.
6551
6552 Effects for SMB2
6553 Native SMB transport encryption is available in SMB version 3.0 or
newer. It is only offered by Samba if server max protocol is
6554 set to SMB3 or newer. Clients supporting this type of encryption
include Windows 8 and newer, Windows server 2012 and newer, and
6555 smbclient of Samba 4.1 and newer.
6556
6557 The protocol implementation offers various options:
6558
6559 • The capability to perform SMB encryption can be negotiated
during protocol negotiation.
6560
6561 • Data encryption can be enabled globally. In that case, an
encryption-capable connection will have all traffic in all
6562 its sessions encrypted. In particular all share
connections will be encrypted.
6563
6564 • Data encryption can also be enabled per share if not
enabled globally. For an encryption-capable connection, all
6565 connections to an encryption-enabled share will be
encrypted.
6566
6567 • Encryption can be enforced. This means that session setups
will be denied on non-encryption-capable connections if data
6568 encryption has been enabled globally. And tree connections
will be denied for non-encryption capable connections to
6569 shares with data encryption enabled.
6570
6571 These features can be controlled with settings of smb encrypt as
follows:
6572
6573 • Leaving it as default, explicitly setting default, or
setting it to enabled globally will enable negotiation of
6574 encryption but will not turn on data encryption globally
or per share.
6575
6576 • Setting it to desired globally will enable negotiation and
will turn on data encryption on sessions and share
6577 connections for those clients that support it.
6578
6579 • Setting it to required globally will enable negotiation
and turn on data encryption on sessions and share connections.
6580 Clients that do not support encryption will be denied
access to the server.
6581
• Setting it to off globally will completely disable the encryption feature for all connections. Setting smb encrypt = required for individual shares (while it is globally off) will deny access to these shares for all clients.
6584
6585 • Setting it to desired on a share will turn on data
encryption for this share for clients that support encryption if
6586 negotiation has been enabled globally.
6587
6588 • Setting it to required on a share will enforce data
encryption for this share if negotiation has been enabled
globally.
6589 I.e. clients that do not support encryption will be denied
access to the share.
6590
Note that this allows per-share enforcing to be controlled in Samba differently from Windows: In Windows, RejectUnencryptedAccess is a global setting, and if it is set, all shares with data encryption turned on are automatically enforcing encryption. In order to achieve the same effect in Samba, one has to globally set smb encrypt to enabled, and then set all shares that should be encrypted to required. Additionally, it is possible in Samba to have some shares with encryption required and some other shares with encryption only desired, which is not possible in Windows.
6597
6598 • Setting it to off or enabled for a share has no effect.
6599
6600 Default: smb encrypt = default
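
The interaction between the global and per-share settings above is easy to get wrong in practice: a share set to desired still serves pre-Windows 8 clients in plaintext, and a share set to required under a global off is reachable by nobody. The following is an added example, not Samba code, that encodes the rules of the "Effects for SMB2" list as a small evaluator over an smb.conf. The ini reader is a minimal one written for this example, the configuration in SAMPLE_CONF is constructed, and the assumption that server max protocol defaults to SMB3 when unset follows the man page default.

```python
# Added example (not Samba code): derive the effective SMB3 encryption
# behaviour per share from the 'smb encrypt' rules in the text above.
import re

# Spellings the man page accepts, folded to one canonical keyword.
ALIASES = {
    "off": "off", "disabled": "off",
    "default": "enabled", "enabled": "enabled", "auto": "enabled",
    "if_required": "enabled",
    "desired": "desired",
    "required": "required", "mandatory": "required",
}

# Constructed smb.conf for the demonstration.
SAMPLE_CONF = """
[global]
    workgroup = EXAMPLE
    server max protocol = SMB3
    # negotiation only: mirrors a default Windows server
    smb encrypt = enabled

[public]
    path = /srv/public
    # opportunistic: legacy clients still get plaintext
    smb encrypt = desired

[finance]
    path = /srv/finance
    # per-share equivalent of Windows RejectUnencryptedAccess
    smb encrypt = required

[scratch]
    path = /srv/scratch
"""

def parse_smb_conf(text):
    """Minimal smb.conf reader: [section] headers, 'name = value' lines,
    parameter names lower-cased with whitespace collapsed, lines starting
    with '#' or ';' ignored. Returns {section: {name: value}}."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            conf.setdefault(section, {})
        elif section is not None and "=" in line:
            name, _, value = line.partition("=")
            conf[section][" ".join(name.lower().split())] = value.strip()
    return conf

def canonical(value):
    """Fold any accepted spelling of 'smb encrypt' to off/enabled/desired/required."""
    key = ("default" if value is None else value).strip().lower()
    if key not in ALIASES:
        raise ValueError("unknown smb encrypt value: %r" % value)
    return ALIASES[key]

def smb3_offered(conf):
    """Encryption is only negotiated when 'server max protocol' is SMB3 or
    newer; the man page default (SMB3) is assumed when the parameter is unset."""
    proto = conf.get("global", {}).get("server max protocol", "SMB3")
    return proto.strip().upper().startswith("SMB3")

def effective_encryption(conf, share):
    """What an encryption-capable client and a legacy (pre-SMB3) client get
    on 'share': each is 'encrypted', 'plaintext' or 'denied'."""
    g = canonical(conf.get("global", {}).get("smb encrypt"))
    s = canonical(conf.get(share.lower(), {}).get("smb encrypt"))
    if g == "required":
        out = {"capable": "encrypted", "legacy": "denied"}
    elif g == "off":
        # No negotiation at all; a share that demands encryption anyway is
        # unreachable for everyone.
        unreachable = s == "required"
        out = {"capable": "denied" if unreachable else "plaintext",
               "legacy": "denied" if unreachable else "plaintext"}
    else:  # 'enabled' (negotiate only) or 'desired' (opportunistic)
        encrypt = g == "desired" or s in ("desired", "required")
        out = {"capable": "encrypted" if encrypt else "plaintext",
               "legacy": "denied" if s == "required" else "plaintext"}
    if not smb3_offered(conf):
        out["capable"] = out["legacy"]  # nobody can negotiate encryption
    return out

def shares_with_plaintext_fallback(conf):
    """Shares that encrypt for capable clients but still serve legacy clients
    in plaintext, i.e. 'desired' where 'required' was probably intended."""
    return sorted(
        name for name in conf if name != "global"
        and effective_encryption(conf, name) == {"capable": "encrypted", "legacy": "plaintext"}
    )

if __name__ == "__main__":
    conf = parse_smb_conf(SAMPLE_CONF)
    for share in ("public", "finance", "scratch"):
        print(share, effective_encryption(conf, share))
    print("downgradeable shares:", shares_with_plaintext_fallback(conf))
```

Run against a real file with parse_smb_conf(open("/etc/samba/smb.conf").read()); the shares_with_plaintext_fallback list is the one to review, since those shares look encrypted in a packet capture from a modern client while an SMB2-only client reads the same data in the clear.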
6601
6602 smb passwd file (G)
6603
6604 This option sets the path to the encrypted smbpasswd file. By default the
path to the smbpasswd file is compiled into Samba.
6605
6606 An example of use is:
6607
6608 smb passwd file = /etc/samba/smbpasswd
6609
6610 Default: smb passwd file = /etc/samba/smbpasswd
6611
6612 smb ports (G)
6613
6614 Specifies which ports the server should listen on for SMB traffic.
6615
6616 Default: smb ports = 445 139
6617
6618 socket options (G)
6619
6620 Warning
6621 Modern server operating systems are tuned for high network
performance in the majority of situations; when you set socket options
6622 you are overriding those settings. Linux in particular has an
auto-tuning mechanism for buffer sizes that will be disabled if you
6623 specify a socket buffer size. This can potentially cripple your
TCP/IP stack.
6624
6625 Getting the socket options correct can make a big difference to your
performance, but getting them wrong can degrade it by just as
6626 much. As with any other low level setting, if you must make changes
to it, make small changes and test the effect before making
6627 any large changes.
6628
6629 This option allows you to set socket options to be used when talking with
the client.
6630
6631 Socket options are controls on the networking layer of the operating
systems which allow the connection to be tuned.
6632
6633 This option will typically be used to tune your Samba server for optimal
performance for your local network. There is no way that
6634 Samba can know what the optimal parameters are for your net, so you must
experiment and choose them yourself. We strongly suggest you
6635 read the appropriate documentation for your operating system first
(perhaps man setsockopt will help).
6636
6637 You may find that on some systems Samba will say "Unknown socket option"
when you supply an option. This means you either incorrectly
6638 typed it or you need to add an include file to includes.h for your OS. If
the latter is the case please send the patch to
6639 samba-technical@lists.samba.org.
6640
6641 Any of the supported socket options may be combined in any way you like,
as long as your OS allows it.
6642
6643 This is the list of socket options currently settable using this option:
6644
6645 • SO_KEEPALIVE
6646
6647 • SO_REUSEADDR
6648
6649 • SO_BROADCAST
6650
6651 • TCP_NODELAY
6652
6653 • TCP_KEEPCNT *
6654
6655 • TCP_KEEPIDLE *
6656
6657 • TCP_KEEPINTVL *
6658
6659 • IPTOS_LOWDELAY
6660
6661 • IPTOS_THROUGHPUT
6662
6663 • SO_REUSEPORT
6664
6665 • SO_SNDBUF *
6666
6667 • SO_RCVBUF *
6668
6669 • SO_SNDLOWAT *
6670
6671 • SO_RCVLOWAT *
6672
6673 • SO_SNDTIMEO *
6674
6675 • SO_RCVTIMEO *
6676
6677 • TCP_FASTACK *
6678
6679 • TCP_QUICKACK
6680
6681 • TCP_NODELAYACK
6682
6683 • TCP_KEEPALIVE_THRESHOLD *
6684
6685 • TCP_KEEPALIVE_ABORT_THRESHOLD *
6686
6687 • TCP_DEFER_ACCEPT *
6688
6689 • TCP_USER_TIMEOUT *
6690
Those marked with a '*' take an integer argument. The others can optionally take a 1 or 0 argument to enable or disable the option; by default they will be enabled if you don't specify 1 or 0.
6693
6694 To specify an argument use the syntax SOME_OPTION = VALUE for example
SO_SNDBUF = 8192. Note that you must not have any spaces before
6695 or after the = sign.
6696
6697 If you are on a local network then a sensible option might be:
6698
6699 socket options = IPTOS_LOWDELAY
6700
6701 If you have a local network then you could try:
6702
6703 socket options = IPTOS_LOWDELAY TCP_NODELAY
6704
6705 If you are on a wide area network then perhaps try setting
IPTOS_THROUGHPUT.
6706
6707 Note that several of the options may cause your Samba server to fail
completely. Use these options with caution!
6708
6709 Default: socket options = TCP_NODELAY
6710
6711 Example: socket options = IPTOS_LOWDELAY
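
The grammar above (space-separated names, an optional or mandatory =VALUE with no whitespace around the sign, unknown names rejected) is small enough to check before a restart rather than after smbd logs "Unknown socket option". The following added example, not Samba code, validates a socket options value against the list and rules given in the text and flags the one class of legal setting the Warning singles out: fixed SO_SNDBUF/SO_RCVBUF sizes, which switch off Linux buffer autotuning. The option names and which of them take an integer are copied from the list above; the sample values are constructed.

```python
# Added example (not Samba code): parse and sanity-check a 'socket options'
# value using the grammar and option list in the smb.conf(5) text above.

# Options marked '*' in the man page: an integer argument is mandatory.
INT_OPTIONS = frozenset({
    "TCP_KEEPCNT", "TCP_KEEPIDLE", "TCP_KEEPINTVL",
    "SO_SNDBUF", "SO_RCVBUF", "SO_SNDLOWAT", "SO_RCVLOWAT",
    "SO_SNDTIMEO", "SO_RCVTIMEO", "TCP_FASTACK",
    "TCP_KEEPALIVE_THRESHOLD", "TCP_KEEPALIVE_ABORT_THRESHOLD",
    "TCP_DEFER_ACCEPT", "TCP_USER_TIMEOUT",
})
# Unmarked options: optional 0/1 argument, enabled when omitted.
BOOL_OPTIONS = frozenset({
    "SO_KEEPALIVE", "SO_REUSEADDR", "SO_BROADCAST", "TCP_NODELAY",
    "IPTOS_LOWDELAY", "IPTOS_THROUGHPUT", "SO_REUSEPORT",
    "TCP_QUICKACK", "TCP_NODELAYACK",
})
# Fixed buffer sizes disable Linux TCP buffer autotuning (see the Warning).
AUTOTUNE_KILLERS = frozenset({"SO_SNDBUF", "SO_RCVBUF"})

def parse_socket_options(value):
    """Return (options, warnings): options maps NAME -> int as smbd would
    apply it, warnings lists legal but risky settings. Raises ValueError on
    anything smbd would reject or silently misparse."""
    tokens = value.split()
    # 'SO_SNDBUF = 8192' splits into three tokens; the man page forbids this.
    if any(t == "=" or t.startswith("=") or t.endswith("=") for t in tokens):
        raise ValueError("no spaces are allowed before or after '=': %r" % value)
    options, warnings = {}, []
    for token in tokens:
        name, has_arg, arg = token.partition("=")
        if name in INT_OPTIONS:
            if not has_arg or not arg.lstrip("-").isdigit():
                raise ValueError("%s needs an integer, e.g. %s=8192" % (name, name))
            options[name] = int(arg)
        elif name in BOOL_OPTIONS:
            if has_arg and arg not in ("0", "1"):
                raise ValueError("%s takes only 0 or 1, got %r" % (name, arg))
            options[name] = int(arg) if has_arg else 1
        else:
            raise ValueError("Unknown socket option %r" % name)
        if name in AUTOTUNE_KILLERS:
            warnings.append("%s=%d disables kernel buffer autotuning" % (name, options[name]))
    return options, warnings

def rejects(value):
    """True if smbd (per the rules above) would not accept this value."""
    try:
        parse_socket_options(value)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    # Constructed values: the man page default, a keepalive tuning, and the
    # buffer-size setting the Warning advises against.
    for sample in ("TCP_NODELAY",
                   "IPTOS_LOWDELAY TCP_NODELAY SO_KEEPALIVE TCP_KEEPIDLE=60 TCP_KEEPCNT=3",
                   "SO_SNDBUF=8192 SO_RCVBUF=8192"):
        print(sample, "->", parse_socket_options(sample))
    for bad in ("SO_SNDBUF = 8192", "TCP_NODELAY=2", "SO_LINGER"):
        print(bad, "-> rejected:", rejects(bad))
```

Feed it the value of socket options from testparm -s output before reloading; whatever the OS then refuses at setsockopt(2) time is still only visible in the smbd log, so this catches syntax and the autotuning foot-gun, not kernel-side limits.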
6712
6713 spn update command (G)
6714
This option sets the command used for updating servicePrincipalName names from spn_update_list.
6716
Default: spn update command = /build/samba-UnNxDC/samba-4.13.13+dfsg/source4/scripting/bin/samba_spnupdate
6718
6719 Example: spn update command = /usr/local/sbin/spnupdate
6720
6721 spoolss: architecture (G)
6722
6723 Windows spoolss print clients only allow association of server-side
drivers with printers when the driver architecture matches the
6724 advertised print server architecture. Samba's spoolss print server
architecture can be changed using this parameter.
6725
6726 Default: spoolss: architecture = Windows x64
6727
6728 Example: spoolss: architecture = Windows NT x86
6729
6730 spoolss: os_major (G)
6731
Windows might require a newer OS version number. This option allows the major version number to be changed. The complete default version number is 5.0.2195 (Windows 2000); the example gives 6.1.7601 (Windows 2008 R2).
6734
6735 Default: spoolss: os_major = 5
6736
6737 Example: spoolss: os_major = 6
6738
6739 spoolss: os_minor (G)
6740
Windows might require a newer OS version number. This option allows the minor version number to be changed. The complete default version number is 5.0.2195 (Windows 2000); the example gives 6.1.7601 (Windows 2008 R2).
6743
6744 Default: spoolss: os_minor = 0
6745
6746 Example: spoolss: os_minor = 1
6747
6748 spoolss: os_build (G)
6749
Windows might require a newer OS version number. This option allows the build number to be changed. The complete default version number is 5.0.2195 (Windows 2000); the example gives 6.1.7601 (Windows 2008 R2).
6752
6753 Default: spoolss: os_build = 2195
6754
6755 Example: spoolss: os_build = 7601
6756
6757 spoolss_client: os_major (G)
6758
Windows might require a newer OS version number. This option allows the major version number reported by the client side to be changed. The complete default version number is 6.1.7007 (Windows 7 and Windows Server 2008 R2).
6761
6762 Default: spoolss_client: os_major = 6
6763
6764 spoolss_client: os_minor (G)
6765
Windows might require a newer OS version number. This option allows the minor version number reported by the client side to be changed. The complete default version number is 6.1.7007 (Windows 7 and Windows Server 2008 R2).
6768
6769 Default: spoolss_client: os_minor = 1
6770
6771 spoolss_client: os_build (G)
6772
Windows might require a newer OS version number. This option allows the build number reported by the client side to be changed. The complete default version number is 6.1.7007 (Windows 7 and Windows Server 2008 R2).
6775
6776 Default: spoolss_client: os_build = 7007
6777
6778 spotlight (S)
6779
6780 This parameter controls whether Samba allows Spotlight queries on a
share. For controlling indexing of filesystems you also have to
6781 use Tracker's own configuration system.
6782
6783 Spotlight has several prerequisites:
6784
6785 • Samba must be configured and built with Spotlight support.
6786
6787 • The mdssvc RPC service must be enabled, see below.
6788
6789 • Tracker integration must be setup and the share must be
indexed by Tracker.
6790
6791 For a detailed set of instructions please see
https://wiki.samba.org/index.php/Spotlight.
6792
6793 The Spotlight RPC service can either be enabled as embedded RPC service:
6794
[Global]
rpc_server:mdssvc = embedded

Or it can be run in a separate RPC service daemon:

[Global]
rpc_server:mdssd = fork
rpc_server:mdssvc = external
6803
6804 Default: spotlight = no
6805
6806 spotlight backend (S)
6807
6808 Spotlight search backend. Available backends:
6809
6810 • noindex - a backend that returns no results.
6811
6812 • tracker - Gnome Tracker.
6813
6814 • elasticsearch - a backend that uses JSON and REST over HTTP(s)
to query an Elasticsearch server.
6815
6816 Default: spotlight backend = noindex
6817
6818 stat cache (G)
6819
6820 This parameter determines if smbd(8) will use a cache in order to speed
up case insensitive name mappings. You should never need to
6821 change this parameter.
6822
6823 Default: stat cache = yes
6824
6825 state directory (G)
6826
6827 Usually, most of the TDB files are stored in the lock directory. Since
Samba 3.4.0, it is possible to differentiate between TDB files
6828 with persistent data and TDB files with non-persistent data using the
state directory and the cache directory options.
6829
6830 This option specifies the directory where TDB files containing important
persistent data will be stored.
6831
6832 Default: state directory = /var/lib/samba
6833
6834 Example: state directory = /var/run/samba/locks/state
6835
6836 store dos attributes (S)
6837
6838 If this parameter is set Samba attempts to first read DOS attributes
(SYSTEM, HIDDEN, ARCHIVE or READ-ONLY) from a filesystem extended
6839 attribute, before mapping DOS attributes to UNIX permission bits (such as
occurs with map hidden and map readonly). When set, DOS
6840 attributes will be stored onto an extended attribute in the UNIX
filesystem, associated with the file or directory. When this
6841 parameter is set it will override the parameters map hidden, map system,
map archive and map readonly and they will behave as if they
6842 were set to off. This parameter writes the DOS attributes as a string
into the extended attribute named "user.DOSATTRIB". This
6843 extended attribute is explicitly hidden from smbd clients requesting an
EA list. On Linux the filesystem must have been mounted with
6844 the mount option user_xattr in order for extended attributes to work,
also extended attributes must be compiled into the Linux kernel.
6845 In Samba 3.5.0 and above the "user.DOSATTRIB" extended attribute has been
extended to store the create time for a file as well as the
6846 DOS attributes. This is done in a backwards compatible way so files
created by Samba 3.5.0 and above can still have the DOS attribute
6847 read from this extended attribute by earlier versions of Samba, but they
will not be able to read the create time stored there.
6848 Storing the create time separately from the normal filesystem meta-data
allows Samba to faithfully reproduce NTFS semantics on top of
6849 a POSIX filesystem. The default has changed to yes in Samba release 4.9.0
and above to allow better Windows fileserver compatibility
6850 in a default install.
6851
6852 Default: store dos attributes = yes
6853
6854 strict allocate (S)
6855
6856 This is a boolean that controls the handling of disk space allocation in
the server. When this is set to yes the server will change
6857 from UNIX behaviour of not committing real disk storage blocks when a
file is extended to the Windows behaviour of actually forcing
6858 the disk system to allocate real storage blocks when a file is created or
extended to be a given size. In UNIX terminology this means
6859 that Samba will stop creating sparse files.
6860
6861 This option is really designed for file systems that support fast
allocation of large numbers of blocks such as extent-based file
6862 systems. On file systems that don't support extents (most notably ext3)
this can make Samba slower. When you work with large files
6863 over >100MB on file systems without extents you may even run into
problems with clients running into timeouts.
6864
6865 When you have an extent based filesystem it's likely that we can make use
of unwritten extents which allows Samba to allocate even
6866 large amounts of space very fast and you will not see any timeout
problems caused by strict allocate. With strict allocate in use you
6867 will also get much better out of quota messages in case you use quotas.
Another advantage of activating this setting is that it will
6868 help to reduce file fragmentation.
6869
6870 To give you an idea on which filesystems this setting might currently be
a good option for you: XFS, ext4, btrfs, ocfs2 on Linux and
6871 JFS2 on AIX support unwritten extents. On Filesystems that do not support
it, preallocation is probably an expensive operation where
6872 you will see reduced performance and risk to let clients run into
timeouts when creating large files. Examples are ext3, ZFS, HFS+ and
6873 most others, so be aware if you activate this setting on those filesystems.
6874
6875 Default: strict allocate = no
6876
6877 strict locking (S)
6878
6879 This is an enumerated type that controls the handling of file locking in
the server. When this is set to yes, the server will check
6880 every read and write access for file locks, and deny access if locks
exist. This can be slow on some systems.
6881
6882 When strict locking is set to Auto (the default), the server performs
file lock checks only on non-oplocked files. As most Windows
6883 redirectors perform file locking checks locally on oplocked files this is
a good trade off for improved performance.
6884
6885 When strict locking is disabled, the server performs file lock checks
only when the client explicitly asks for them.
6886
6887 Well-behaved clients always ask for lock checks when it is important. So
in the vast majority of cases, strict locking = Auto or
6888 strict locking = no is acceptable.
6889
6890 Default: strict locking = Auto
6891
6892 strict rename (S)
6893
6894 By default a Windows SMB server prevents directory renames when there are
open file or directory handles below it in the filesystem
6895 hierarchy. Historically Samba has always allowed this as POSIX filesystem
semantics require it.
6896
This boolean parameter allows Samba to match the Windows behavior. Setting this to "yes" is a very expensive change, as it forces Samba to traverse the entire open file handle database on every directory rename request. In a clustered Samba system the cost is even greater than in the non-clustered case.
6900
6901 When set to "no" smbd only checks the local process the client is
attached to for open files below a directory being renamed, instead
6902 of checking for open files across all smbd processes.
6903
6904 Because of the expense in fully searching the database, the default is
"no", and it is recommended to be left that way unless a
6905 specific Windows application requires it to be changed.
6906
6907 If the client has requested UNIX extensions (POSIX pathnames) then
renames are always allowed and this parameter has no effect.
6908
6909 Default: strict rename = no
6910
6911 strict sync (S)
6912
6913 This parameter controls whether Samba honors a request from an SMB client
to ensure any outstanding operating system buffer contents
6914 held in memory are safely written onto stable storage on disk. If set to
yes, which is the default, then Windows applications can
6915 force the smbd server to synchronize unwritten data onto the disk. If set
to no then smbd will ignore client requests to synchronize
6916 unwritten data onto stable storage on disk.
6917
6918 In Samba 4.7.0, the default for this parameter changed from no to yes to
better match the expectations of SMB2/3 clients and improve
6919 application safety when running against smbd.
6920
6921 The flush request from SMB2/3 clients is handled asynchronously inside
smbd, so leaving the parameter as the default value of yes does
6922 not block the processing of other requests to the smbd process.
6923
6924 Legacy Windows applications (such as the Windows 98 explorer shell)
seemed to confuse writing buffer contents to the operating system
6925 with synchronously writing outstanding data onto stable storage on disk.
Changing this parameter to no means that smbd(8) will ignore
6926 the Windows applications request to synchronize unwritten data onto disk.
Only consider changing this if smbd is serving obsolete SMB1
6927 Windows clients prior to Windows XP (Windows 98 and below). There should
be no need to change this setting for normal operations.
6928
6929 Default: strict sync = yes
6930
6931 svcctl list (G)
6932
6933 This option defines a list of init scripts that smbd will use for
starting and stopping Unix services via the Win32 ServiceControl
6934 API. This allows Windows administrators to utilize the MS Management
Console plug-ins to manage a Unix server running Samba.
6935
The administrator must create a directory named svcctl in Samba's $(libdir) and create symbolic links to the init scripts in /etc/init.d/. The names of the links must match the names given as part of the svcctl list.
6938
6939 Default: svcctl list =
6940
6941 Example: svcctl list = cups postfix portmap httpd
6942
6943 sync always (S)
6944
6945 This is a boolean parameter that controls whether writes will always be
written to stable storage before the write call returns. If
6946 this is no then the server will be guided by the client's request in each
write call (clients can set a bit indicating that a
6947 particular write should be synchronous). If this is yes then every write
will be followed by a fsync() call to ensure the data is
6948 written to disk. Note that the strict sync parameter must be set to yes
in order for this parameter to have any effect.
6949
6950 Default: sync always = no
6951
6952 syslog (G)
6953
6954 This parameter maps how Samba debug messages are logged onto the system
syslog logging levels. Samba debug level zero maps onto syslog
6955 LOG_ERR, debug level one maps onto LOG_WARNING, debug level two maps onto
LOG_NOTICE, debug level three maps onto LOG_INFO. All higher
6956 levels are mapped to LOG_DEBUG.
6957
6958 This parameter sets the threshold for sending messages to syslog. Only
messages with debug level less than this value will be sent to
6959 syslog. There still will be some logging to log.[sn]mbd even if syslog
only is enabled.
6960
6961 The logging parameter should be used instead. When logging is set, it
overrides the syslog parameter.
6962
6963 Default: syslog = 1
6964
6965 syslog only (G)
6966
6967 If this parameter is set then Samba debug messages are logged into the
system syslog only, and not to the debug log files. There still
6968 will be some logging to log.[sn]mbd even if syslog only is enabled.
6969
6970 The logging parameter should be used instead. When logging is set, it
overrides the syslog only parameter.
6971
6972 Default: syslog only = no
6973
6974 template homedir (G)
6975
6976 When filling out the user information for a Windows NT user, the
winbindd(8) daemon uses this parameter to fill in the home directory
6977 for that user. If the string %D is present it is substituted with the
user's Windows NT domain name. If the string %U is present it is
6978 substituted with the user's Windows NT user name.
6979
6980 Default: template homedir = /home/%D/%U
6981
6982 template shell (G)
6983
6984 When filling out the user information for a Windows NT user, the
winbindd(8) daemon uses this parameter to fill in the login shell for
6985 that user.
6986
6987 Default: template shell = /bin/false
6988
6989 time server (G)
6990
6991 This parameter determines if nmbd(8) advertises itself as a time server
to Windows clients.
6992
6993 Default: time server = no
6994
6995 debug timestamp
6996
6997 This parameter is a synonym for timestamp logs.
6998
6999 timestamp logs (G)
7000
7001 Samba debug log messages are timestamped by default. If you are running
at a high debug level these timestamps can be distracting.
7002 This boolean parameter allows timestamping to be turned off.
7003
7004 Default: timestamp logs = yes
7005
7006 tls cafile (G)
7007
7008 This option can be set to a file (PEM format) containing CA certificates
of root CAs to trust to sign certificates or intermediate CA
7009 certificates.
7010
7011 This path is relative to private dir if the path does not start with a /.
7012
7013 Default: tls cafile = tls/ca.pem
7014
7015 tls certfile (G)
7016
7017 This option can be set to a file (PEM format) containing the RSA
certificate.
7018
7019 This path is relative to private dir if the path does not start with a /.
7020
7021 Default: tls certfile = tls/cert.pem
7022
7023 tls crlfile (G)
7024
7025 This option can be set to a file containing a certificate revocation list
(CRL).
7026
7027 This path is relative to private dir if the path does not start with a /.
7028
7029 Default: tls crlfile =
7030
7031 tls dh params file (G)
7032
7033 This option can be set to a file with Diffie-Hellman parameters which
will be used with DH ciphers.
7034
7035 This path is relative to private dir if the path does not start with a /.
7036
7037 Default: tls dh params file =
7038
7039 tls enabled (G)
7040
7041 If this option is set to yes, then Samba will use TLS when possible in
communication.
7042
7043 Default: tls enabled = yes
7044
7045 tls keyfile (G)
7046
7047 This option can be set to a file (PEM format) containing the RSA private
key. This file must be accessible without a pass-phrase, i.e.
7048 it must not be encrypted.
7049
7050 This path is relative to private dir if the path does not start with a /.
7051
7052 Default: tls keyfile = tls/key.pem
7053
7054 tls priority (G)
7055
7056 This option can be set to a string describing the TLS protocols to be
supported in the parts of Samba that use GnuTLS, specifically
7057 the AD DC.
7058
7059 The string is appended to the default priority list of GnuTLS.
7060
7061 The valid options are described in the GNUTLS Priority-Strings
documentation at
7062 http://gnutls.org/manual/html_node/Priority-Strings.html
7063
7064 The SSL3.0 protocol will be disabled.
7065
7066 Default: tls priority = NORMAL:-VERS-SSL3.0
7067
7068 tls verify peer (G)
7069
7070 This controls if and how strict the client will verify the peer's
certificate and name. Possible values are (in increasing order):
7071 no_check, ca_only, ca_and_name_if_available, ca_and_name and
as_strict_as_possible.
7072
When set to no_check the certificate is not verified at all, which allows trivial man-in-the-middle attacks.

When set to ca_only the certificate is verified to be signed by a CA specified in the tls cafile option. Setting tls cafile to a valid file is required. The certificate lifetime is also verified. If the tls crlfile option is configured, the certificate is also verified against the CA's CRL.
7078
7079 When set to ca_and_name_if_available all checks from ca_only are
performed. In addition, the peer hostname is verified against the
7080 certificate's name, if it is provided by the application layer and not
given as an ip address string.
7081
7082 When set to ca_and_name all checks from ca_and_name_if_available are
performed. In addition the peer hostname needs to be provided and
7083 even an ip address is checked against the certificate's name.
7084
When set to as_strict_as_possible all checks from ca_and_name are performed. In addition the tls crlfile needs to be configured. Future versions of Samba may implement additional checks.
7087
7088 Default: tls verify peer = as_strict_as_possible
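
Taken together, the tls parameters above impose requirements on each other: every level from ca_only up needs tls cafile, as_strict_as_possible additionally needs tls crlfile, and the shipped defaults (as_strict_as_possible with an empty tls crlfile) do not satisfy that last requirement until a CRL file is configured. The following added example, not Samba code, audits a set of these parameters for consistency and resolves the relative file paths the way the text describes. The settings dict uses the smb.conf parameter names; the private dir value in DEFAULTS is an assumption for path resolution (the real build default is shown by smbd -b), and the Samba boolean spellings accepted by samba_bool are the usual yes/no, true/false, 1/0.

```python
# Added example (not Samba code): audit the client-side TLS verification
# parameters against the requirements listed in the text above.
import os

# Levels in increasing order of strictness, as listed in the man page.
LEVELS = ("no_check", "ca_only", "ca_and_name_if_available",
          "ca_and_name", "as_strict_as_possible")

DEFAULTS = {                                  # man page defaults quoted above
    "tls enabled": "yes",
    "tls verify peer": "as_strict_as_possible",
    "tls cafile": "tls/ca.pem",
    "tls crlfile": "",
    "tls priority": "NORMAL:-VERS-SSL3.0",
    "private dir": "/var/lib/samba/private",  # assumption; see `smbd -b`
}

def samba_bool(value):
    """Samba boolean parameters accept yes/no, true/false and 1/0."""
    v = value.strip().lower()
    if v in ("yes", "true", "1"):
        return True
    if v in ("no", "false", "0"):
        return False
    raise ValueError("not a boolean: %r" % value)

def resolve(path, private_dir):
    """Paths that do not start with '/' are relative to 'private dir'."""
    if not path:
        return ""
    return path if path.startswith("/") else os.path.join(private_dir, path)

def audit_tls(settings):
    """Return the effective level, resolved file paths and a list of
    findings; an empty findings list means the configuration is internally
    consistent and verifies both CA chain and peer name."""
    cfg = {**DEFAULTS, **settings}
    level = cfg["tls verify peer"].strip().lower()
    if level not in LEVELS:
        raise ValueError("unknown tls verify peer value: %r" % cfg["tls verify peer"])
    strictness = LEVELS.index(level)
    findings = []
    if not samba_bool(cfg["tls enabled"]):
        findings.append("tls enabled = no: TLS is not used at all")
    if strictness == 0:
        findings.append("no_check: peer certificate not verified, trivial MITM")
    if strictness in (1, 2):
        findings.append("%s: peer hostname is not (always) checked against the certificate" % level)
    if strictness >= 1 and not cfg["tls cafile"]:
        findings.append("%s requires tls cafile" % level)
    if strictness == 4 and not cfg["tls crlfile"]:
        findings.append("as_strict_as_possible requires tls crlfile (the shipped default leaves it empty)")
    if "+VERS-SSL3.0" in cfg["tls priority"].upper():
        findings.append("tls priority re-enables SSL 3.0")
    return {
        "level": level,
        "strictness": strictness,
        "cafile": resolve(cfg["tls cafile"], cfg["private dir"]),
        "crlfile": resolve(cfg["tls crlfile"], cfg["private dir"]),
        "findings": findings,
    }

if __name__ == "__main__":
    # Constructed settings: the defaults as shipped, a hardened set, and the
    # setting that disables verification entirely.
    print("defaults:", audit_tls({}))
    print("hardened:", audit_tls({"tls crlfile": "tls/crl.pem"}))
    print("no_check:", audit_tls({"tls verify peer": "no_check"}))
```

The one finding the unmodified defaults produce is the point of the exercise: strictness on paper is not strictness in effect until the CRL file the chosen level demands actually exists at the resolved path, so follow the audit with a stat of the two paths it prints.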
7089
7090 unicode (G)
7091
7092 Specifies whether the server and client should support unicode.
7093
7094 If this option is set to false, the use of ASCII will be forced.
7095
7096 Default: unicode = yes
7097
7098 unix charset (G)
7099
7100 Specifies the charset the unix machine Samba runs on uses. Samba needs to
know this in order to be able to convert text to the
7101 charsets other SMB clients use.
7102
7103 This is also the charset Samba will use when specifying arguments to
scripts that it invokes.
7104
7105 Default: unix charset = UTF-8
7106
7107 Example: unix charset = ASCII
7108
unix extensions (G)

This boolean parameter controls whether Samba implements the CIFS UNIX
extensions, as defined by HP. These extensions enable Samba to better serve
UNIX CIFS clients by supporting features such as symbolic links, hard links,
etc. These extensions require a similarly enabled client, and are of no
current use to Windows clients.

Note if this parameter is turned on, the wide links parameter will
automatically be disabled.

See the parameter allow insecure wide links if you wish to change this
coupling between the two parameters.

Default: unix extensions = yes

unix password sync (G)

This boolean parameter controls whether Samba attempts to synchronize the
UNIX password with the SMB password when the encrypted SMB password in the
smbpasswd file is changed. If this is set to yes the program specified in
the passwd program parameter is called AS ROOT - to allow the new UNIX
password to be set without access to the old UNIX password (as the SMB
password change code has no access to the old password cleartext, only the
new).

This option has no effect if samba is running as an active directory domain
controller; in that case have a look at the password hash gpg key ids option
and the samba-tool user syncpasswords command.

Default: unix password sync = no

use client driver (S)

This parameter applies only to Windows NT/2000 clients. It has no effect on
Windows 95/98/ME clients. When serving a printer to Windows NT/2000 clients
without first installing a valid printer driver on the Samba host, the
client will be required to install a local printer driver. From this point
on, the client will treat the printer as a local printer and not a network
printer connection. This is much the same behavior that will occur when
disable spoolss = yes.

The differentiating factor is that under normal circumstances, the NT/2000
client will attempt to open the network printer using MS-RPC. The problem is
that because the client considers the printer to be local, it will attempt
to issue the OpenPrinterEx() call requesting access rights associated with
the logged on user. If the user possesses local administrator rights but not
root privilege on the Samba host (often the case), the OpenPrinterEx() call
will fail. The result is that the client will now display an "Access Denied;
Unable to connect" message in the printer queue window (even though jobs may
successfully be printed).

If this parameter is enabled for a printer, then any attempt to open the
printer with the PRINTER_ACCESS_ADMINISTER right is mapped to
PRINTER_ACCESS_USE instead, thus allowing the OpenPrinterEx() call to
succeed. This parameter MUST NOT be enabled on a print share which has a
valid print driver installed on the Samba server.

Default: use client driver = no

use mmap (G)

This global parameter determines if the tdb internals of Samba can depend on
mmap working correctly on the running system. Samba requires a coherent
mmap/read-write system memory cache. Currently only OpenBSD and HP-UX do not
have such a coherent cache, and on those platforms this parameter is
overridden internally to be effectively no. On all systems this parameter
should be left alone. This parameter is provided to help the Samba
developers track down problems with the tdb internal code.

Default: use mmap = yes

username level (G)

This option helps Samba to try and 'guess' at the real UNIX username, as
many DOS clients send an all-uppercase username. By default Samba tries all
lowercase, followed by the username with the first letter capitalized, and
fails if the username is not found on the UNIX machine.

If this parameter is set to non-zero the behavior changes. This parameter is
a number that specifies the number of uppercase combinations to try while
trying to determine the UNIX user name. The higher the number the more
combinations will be tried, but the slower the discovery of usernames will
be. Use this parameter when you have strange usernames on your UNIX machine,
such as AstrangeUser.

This parameter is needed only on UNIX systems that have case sensitive
usernames.

Default: username level = 0

Example: username level = 5

username map (G)

This option allows you to specify a file containing a mapping of usernames
from the clients to the server. This can be used for several purposes. The
most common is to map usernames that users use on DOS or Windows machines to
those that the UNIX box uses. The other is to map multiple users to a single
username so that they can more easily share files.

Please note that for user mode security, the username map is applied prior
to validating the user credentials. Domain member servers (domain or ads)
apply the username map after the user has been successfully authenticated by
the domain controller and require fully qualified entries in the map table
(e.g. biddle = DOMAIN\foo).

The map file is parsed line by line. Each line should contain a single UNIX
username on the left then a '=' followed by a list of usernames on the
right. The list of usernames on the right may contain names of the form
@group in which case they will match any UNIX username in that group. The
special client name '*' is a wildcard and matches any name. Each line of the
map file may be up to 1023 characters long.

The file is processed on each line by taking the supplied username and
comparing it with each username on the right hand side of the '=' signs. If
the supplied name matches any of the names on the right hand side then it is
replaced with the name on the left. Processing then continues with the next
line, so a later matching line (such as a trailing wildcard line) overrides
the result of an earlier one unless the earlier line is marked with '!'.

If any line begins with a '#' or a ';' then it is ignored.

If any line begins with an '!' then the processing will stop after that line
if a mapping was done by the line. Otherwise mapping continues with every
line being processed. Using '!' is most useful when you have a wildcard
mapping line later in the file.

For example to map from the name admin or administrator to the UNIX name
root you would use:

root = admin administrator

Or to map anyone in the UNIX group system to the UNIX name sys you would
use:

sys = @system

You can have as many mappings as you like in a username map file.

If your system supports the NIS NETGROUP option then the netgroup database
is checked before the /etc/group database for matching groups.

You can map Windows usernames that have spaces in them by using double
quotes around the name. For example:

tridge = "Andrew Tridgell"

would map the windows username "Andrew Tridgell" to the unix username
"tridge".

The following example would map mary and fred to the unix user sys, and map
the rest to guest. Note the use of the '!' to tell Samba to stop processing
if it gets a match on that line:

!sys = mary fred
guest = *

Note that the remapping is applied to all occurrences of usernames. Thus if
you connect to \\server\fred and fred is remapped to mary then you will
actually be connecting to \\server\mary and will need to supply a password
suitable for mary not fred. The only exception to this is the username
passed to a Domain Controller (if you have one). The DC will receive
whatever username the client supplies without modification.

Also note that no reverse mapping is done. The main effect this has is with
printing. Users who have been mapped may have trouble deleting print jobs as
PrintManager under WfWg will think they don't own the print job.

Samba versions prior to 3.0.8 would only support reading the fully qualified
username (e.g.: DOMAIN\user) from the username map when performing a
kerberos login from a client. However, when looking up a map entry for a
user authenticated by NTLM[SSP], only the login name would be used for
matches. This resulted in inconsistent behavior sometimes even on the same
server.

The following functionality is obeyed in version 3.0.8 and later:

When performing local authentication, the username map is applied to the
login name before attempting to authenticate the connection.

When relying upon an external domain controller for validating
authentication requests, smbd will apply the username map to the fully
qualified username (i.e. DOMAIN\user) only after the user has been
successfully authenticated.

An example of use is:

username map = /usr/local/samba/lib/users.map

Default: username map = # no username map

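The following is an added example, not code from the Samba project: a small
reference implementation of the map-file rules above ('#'/';' comments, the
'!' stop marker, @group entries, the '*' wildcard and double-quoted names),
so a map can be exercised offline before it is installed. Group membership is
injected as a callable backed by a constructed table, so nothing touches
/etc/group or NIS, and the case-insensitive comparison of client names is an
assumption of the example. The two sample maps are constructed to show why
the man page recommends '!' on specific lines when a wildcard line follows.

```python
# Added example (not Samba code): username map semantics, run offline.
import shlex
from typing import Callable, Dict, List, Set, Tuple

GroupLookup = Callable[[str], Set[str]]  # group name -> set of UNIX member names
Rule = Tuple[bool, str, List[str]]       # (stop_after_match, unix_name, client_names)


def parse_username_map(text: str) -> List[Rule]:
    """Parse map file text into rules, honouring '#'/';' comments, the '!'
    stop marker and double quotes around names that contain spaces."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        if len(raw) > 1023:
            raise ValueError("map line exceeds the 1023 character limit")
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        stop = line.startswith("!")
        if stop:
            line = line[1:].lstrip()
        if "=" not in line:
            continue  # no '=': nothing to map on this line
        unix_name, rhs = line.split("=", 1)
        # shlex keeps "Andrew Tridgell" together as a single client name
        rules.append((stop, unix_name.strip(), shlex.split(rhs)))
    return rules


def _client_matches(client: str, supplied: str, groups: GroupLookup) -> bool:
    if client == "*":
        return True
    if client.startswith("@"):
        return supplied in groups(client[1:])  # any UNIX user in that group
    return client.lower() == supplied.lower()  # assumption: case-insensitive


def map_username(supplied: str, rules: List[Rule], groups: GroupLookup) -> str:
    """Every line is compared against the name the client supplied; a match
    replaces the result with that line's UNIX name.  Processing continues,
    so a later match (e.g. a trailing 'guest = *') overrides an earlier one
    unless the earlier line carries '!'."""
    result = supplied
    for stop, unix_name, client_names in rules:
        if any(_client_matches(c, supplied, groups) for c in client_names):
            result = unix_name
            if stop:
                break
    return result


# Constructed sample data for this example.
SAMPLE_GROUPS: Dict[str, Set[str]] = {"system": {"alice", "bob"}}


def sample_groups(group: str) -> Set[str]:
    return SAMPLE_GROUPS.get(group, set())


# Looks right, but only the 'mary fred' line is protected by '!', so the
# catch-all at the end silently turns admins into guest.
LEAKY_MAP = """\
# admins, a UNIX group, a name with a space, then a catch-all
root = admin administrator
sys = @system
tridge = "Andrew Tridgell"
!sys = mary fred
guest = *
"""

# Every specific line stops processing; the catch-all only sees unknowns.
HARDENED_MAP = """\
!root = admin administrator
!sys = @system
!tridge = "Andrew Tridgell"
!sys = mary fred
guest = *
"""


def map_all(map_text: str, names: List[str],
            groups: GroupLookup = sample_groups) -> Dict[str, str]:
    rules = parse_username_map(map_text)
    return {n: map_username(n, rules, groups) for n in names}


if __name__ == "__main__":
    who = ["Administrator", "alice", "mary", "Andrew Tridgell", "nobody"]
    print("leaky:   ", map_all(LEAKY_MAP, who))
    print("hardened:", map_all(HARDENED_MAP, who))
```

Running the two maps over the same names shows that with LEAKY_MAP every
user except mary ends up as guest, while HARDENED_MAP yields root, sys, sys,
tridge and guest respectively; the only difference is the '!' markers.
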
username map cache time (G)

Mapping usernames with the username map or username map script features of
Samba can be relatively expensive. During login of a user, the mapping is
done several times. In particular, calling the username map script can slow
down logins if external databases have to be queried from the script being
called.

The parameter username map cache time controls a mapping cache. It specifies
the number of seconds a mapping from the username map file or script is to
be efficiently cached. The default of 0 means no caching is done.

Default: username map cache time = 0

Example: username map cache time = 60

username map script (G)

This script is a mutually exclusive alternative to the username map
parameter. This parameter specifies an external program or script that must
accept a single command line argument (the username transmitted in the
authentication request) and return a line on standard output (the name to
which the account should be mapped). In this way, it is possible to store
username map tables in LDAP or NIS directory services.

Default: username map script =

Example: username map script = /etc/samba/scripts/mapusers.sh

usershare allow guests (G)

This parameter controls whether user defined shares are allowed to be
accessed by non-authenticated users or not. It is the equivalent of allowing
people who can create a share the option of setting guest ok = yes in a
share definition. Due to its security sensitive nature, the default is set
to off.

Default: usershare allow guests = no

usershare max shares (G)

This parameter specifies the number of user defined shares that are allowed
to be created by users belonging to the group owning the usershare
directory. If set to zero, user defined shares are ignored.

Default: usershare max shares = 100

usershare owner only (G)

This parameter controls whether the pathname exported by a user defined
share must be owned by the user creating the user defined share or not. If
set to True (the default) then smbd checks that the directory path being
shared is owned by the user who owns the usershare file defining this share
and refuses to create the share if not. If set to False then no such check
is performed and any directory path may be exported regardless of who owns
it.

Default: usershare owner only = yes

usershare path (G)

This parameter specifies the absolute path of the directory on the
filesystem used to store the user defined share definition files. This
directory must be owned by root, have no access for other, and be writable
only by the group owner. In addition the "sticky" bit must also be set,
restricting rename and delete to owners of a file (in the same way the /tmp
directory is usually configured). Members of the group owner of this
directory are the users allowed to create usershares.

For example, a valid usershare directory might be
/usr/local/samba/lib/usershares, set up as follows.

ls -ld /usr/local/samba/lib/usershares/
drwxrwx--T 2 root power_users 4096 2006-05-05 12:27 /usr/local/samba/lib/usershares/

In this case, only members of the group "power_users" can create user
defined shares.

Default: usershare path = /var/lib/samba/usershares

usershare prefix allow list (G)

This parameter specifies a list of absolute pathnames the root of which are
allowed to be exported by user defined share definitions. If the pathname to
be exported doesn't start with one of the strings in this list, the user
defined share will not be allowed. This allows the Samba administrator to
restrict the directories on the system that can be exported by user defined
shares. The comparison is a plain string prefix test: an entry of /home also
matches a path such as /homeless, so end an entry with a slash if only that
directory subtree is meant.

If there is a "usershare prefix deny list" and also a "usershare prefix
allow list" the deny list is processed first, followed by the allow list,
thus leading to the most restrictive interpretation.

Default: usershare prefix allow list =

Example: usershare prefix allow list = /home /data /space

usershare prefix deny list (G)

This parameter specifies a list of absolute pathnames the root of which are
NOT allowed to be exported by user defined share definitions. If the
pathname exported starts with one of the strings in this list the user
defined share will not be allowed. Any pathname not starting with one of
these strings will be allowed to be exported as a usershare. This allows the
Samba administrator to restrict the directories on the system that can be
exported by user defined shares.

If there is a "usershare prefix deny list" and also a "usershare prefix
allow list" the deny list is processed first, followed by the allow list,
thus leading to the most restrictive interpretation.

Default: usershare prefix deny list =

Example: usershare prefix deny list = /etc /dev /private

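The following is an added example, not Samba code, covering two of the
usershare parameters above: usershare_dir_problems() checks a directory
against the ownership and permission rules required by usershare path, and
usershare_path_allowed() applies the deny-then-allow prefix logic of the
usershare prefix allow list and usershare prefix deny list parameters. The
temporary directory, the expected owner (the current user instead of root,
so the demo runs unprivileged) and the prefix lists are constructed for the
example.

```python
# Added example (not Samba code): offline checks for usershare settings.
import os
import stat
import tempfile
from typing import List, Tuple


def usershare_dir_problems(path: str, owner_uid: int = 0) -> List[str]:
    """Return every way `path` violates the usershare directory rules
    (owned by root, no access for other, group writable, sticky bit set).
    An empty list means the directory is acceptable."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return ["directory does not exist"]
    if not stat.S_ISDIR(st.st_mode):
        return ["not a directory"]
    mode = stat.S_IMODE(st.st_mode)
    problems: List[str] = []
    if st.st_uid != owner_uid:
        problems.append(f"owned by uid {st.st_uid}, expected {owner_uid}")
    if mode & 0o007:
        problems.append("'other' has access bits set")
    if not mode & stat.S_IWGRP:
        problems.append("group owner cannot write")
    if not mode & stat.S_ISVTX:
        problems.append("sticky bit not set")
    return problems


def make_usershare_dir(path: str) -> None:
    """Create the directory as drwxrwx--T (mode 1770).  A real deployment
    also runs chown root:<group> on it; that needs root and is left out."""
    os.makedirs(path, exist_ok=True)
    os.chmod(path, 0o1770)


def parse_prefix_list(value: str) -> List[str]:
    """smb.conf list syntax: entries separated by whitespace or commas."""
    return value.replace(",", " ").split()


def usershare_path_allowed(path: str, allow: List[str],
                           deny: List[str]) -> Tuple[bool, str]:
    """Deny list first, then allow list, as the man page describes.  The
    test is a plain string prefix, so '/home' also covers '/homeless'; use
    a trailing slash ('/home/') when only the subtree is meant."""
    for prefix in deny:
        if path.startswith(prefix):
            return False, f"denied by prefix {prefix!r}"
    if allow and not any(path.startswith(prefix) for prefix in allow):
        return False, "not under any allowed prefix"
    return True, "ok"


def demo() -> dict:
    """Build a temporary usershare directory, check it, then break it twice."""
    base = tempfile.mkdtemp(prefix="usershare-demo-")
    path = os.path.join(base, "usershares")
    me = os.getuid()  # stands in for root (uid 0) so the demo runs unprivileged
    make_usershare_dir(path)
    good = usershare_dir_problems(path, owner_uid=me)
    os.chmod(path, 0o1777)  # world-writable: anyone could drop share definitions
    world_writable = usershare_dir_problems(path, owner_uid=me)
    os.chmod(path, 0o770)   # no sticky bit: members can rename/delete each other's files
    no_sticky = usershare_dir_problems(path, owner_uid=me)
    return {"good": good, "world_writable": world_writable, "no_sticky": no_sticky}


if __name__ == "__main__":
    print(demo())
    allow = parse_prefix_list("/home /data /space")
    deny = parse_prefix_list("/etc /dev /private")
    for p in ["/home/alice/pub", "/etc/samba", "/srv/data", "/homeless/x"]:
        print(p, usershare_path_allowed(p, allow, deny))
```

On a live server run usershare_dir_problems() against the configured
usershare path with the default owner_uid=0; any finding means users in the
owning group could tamper with each other's share definitions or that
unintended users can create shares at all.
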
usershare template share (G)

User defined shares only have limited possible parameters such as path,
guest ok, etc. This parameter allows usershares to be "cloned" from an
existing share. If "usershare template share" is set to the name of an
existing share, then all usershares created have their defaults set from the
parameters set on this share.

The target share may be set to be invalid for real file sharing by setting
the parameter "-valid = False" on the template share definition. This causes
it not to be seen as a real exported share but to be able to be used as a
template for usershares.

Default: usershare template share =

Example: usershare template share = template_share

use sendfile (S)

If this parameter is yes, and the sendfile() system call is supported by the
underlying operating system, then some SMB read calls (mainly ReadAndX and
ReadRaw) will use the more efficient sendfile system call for files that are
exclusively oplocked. This may make more efficient use of the system CPUs
and cause Samba to be faster. Samba automatically turns this off for clients
that use protocol levels lower than NT LM 0.12 and when it detects a client
is Windows 9x (using sendfile from Linux will cause these clients to fail).

Default: use sendfile = no

utmp (G)

This boolean parameter is only available if Samba has been configured and
compiled with the option --with-utmp. If set to yes then Samba will attempt
to add utmp or utmpx records (depending on the UNIX system) whenever a
connection is made to a Samba server. Sites may use this to record the user
connecting to a Samba share.

Due to the requirements of the utmp record, we are required to create a
unique identifier for the incoming user. Enabling this option creates an n^2
algorithm to find this number. This may impede performance on large
installations.

Default: utmp = no

utmp directory (G)

This parameter is only available if Samba has been configured and compiled
with the option --with-utmp. It specifies a directory pathname that is used
to store the utmp or utmpx files (depending on the UNIX system) that record
user connections to a Samba server. By default this is not set, meaning the
system will use whatever utmp file the native system is set to use (usually
/var/run/utmp on Linux).

Default: utmp directory = # Determined automatically

Example: utmp directory = /var/run/utmp

-valid (S)

This parameter indicates whether a share is valid and thus can be used. When
this parameter is set to false, the share will be in no way visible nor
accessible.

This option should not be used by regular users but might be of help to
developers. Samba uses this option internally to mark shares as deleted.

Default: -valid = yes

valid users (S)

This is a list of users that should be allowed to login to this service.
Names starting with '@', '+' and '&' are interpreted using the same rules as
described in the invalid users parameter.

If this is empty (the default) then any user can login. If a username is in
both this list and the invalid users list then access is denied for that
user.

The current servicename is substituted for %S. This is useful in the [homes]
section.

Note: When used in the [global] section this parameter may have unwanted
side effects. For example: If samba is configured as a MASTER BROWSER (see
local master, os level, domain master, preferred master) this option will
prevent workstations from being able to browse the network.

Default: valid users = # No valid users list (anyone can login)

Example: valid users = greg, @pcusers

veto files (S)

This is a list of files and directories that are neither visible nor
accessible. Each entry in the list must be separated by a '/', which allows
spaces to be included in the entry. '*' and '?' can be used to specify
multiple files or directories as in DOS wildcards.

Each entry must be a unix path, not a DOS path and must not include the unix
directory separator '/'.

Note that the case sensitive option is applicable in vetoing files.

One feature of the veto files parameter that it is important to be aware of
is Samba's behaviour when trying to delete a directory. If a directory that
is to be deleted contains nothing but veto files this deletion will fail
unless you also set the delete veto files parameter to yes.

Setting this parameter will affect the performance of Samba, as it will be
forced to check all files and directories for a match as they are scanned.

Examples of use include:

; Veto any files containing the word Security,
; any ending in .tmp, and any directory containing the
; word root.
veto files = /*Security*/*.tmp/*root*/

; Veto the Apple specific files that a NetAtalk server
; creates.
veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/

Default: veto files = # No files or directories are vetoed

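The following is an added example, not Samba code: a matcher for the veto
files list syntax described above ('/'-separated entries, '*' and '?'
wildcards, spaces allowed) together with the directory-deletion rule that
interacts with delete veto files. Matching defaults to case-insensitive,
which is the effective behaviour for Windows clients under the default case
sensitive = auto; that default and the sample directory listings are
assumptions of the example.

```python
# Added example (not Samba code): "veto files" matching and the rmdir rule.
import fnmatch
from typing import List


def parse_veto_list(value: str) -> List[str]:
    """'/a/b c/' -> ['a', 'b c'].  '/' separates entries, so an entry may
    contain spaces but never a slash."""
    return [entry for entry in value.split("/") if entry]


def _dos_pattern(pattern: str) -> str:
    # Only '*' and '?' are wildcards in a veto entry; fnmatch would also
    # treat '[' as special, so it is escaped to keep DOS semantics.
    return pattern.replace("[", "[[]")


def is_vetoed(name: str, patterns: List[str], case_sensitive: bool = False) -> bool:
    """True if a single path component matches any veto entry."""
    if not case_sensitive:
        name = name.lower()
        patterns = [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(name, _dos_pattern(p)) for p in patterns)


def directory_removable(entries: List[str], patterns: List[str],
                        delete_veto_files: bool = False,
                        case_sensitive: bool = False) -> bool:
    """Mirror the deletion rule: a directory holding only vetoed names can be
    removed only when 'delete veto files = yes'; a directory holding any
    visible name is simply not empty and cannot be removed either way."""
    visible = [e for e in entries if not is_vetoed(e, patterns, case_sensitive)]
    if visible:
        return False
    if entries and not delete_veto_files:
        return False
    return True


if __name__ == "__main__":
    pats = parse_veto_list("/*Security*/*.tmp/*root*/")
    for n in ["SecurityPolicy.docx", "build.tmp", "chroot-notes", "readme.txt"]:
        print(n, is_vetoed(n, pats))
    apple = parse_veto_list("/.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/")
    print("rmdir with only .AppleDouble left:",
          directory_removable([".AppleDouble"], apple),
          directory_removable([".AppleDouble"], apple, delete_veto_files=True))
```

Because a veto entry is matched per path component, a vetoed name anywhere
in a path makes that path unreachable, which is what makes the parameter
useful for hiding files a client must never see rather than merely hiding
them from listings.
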
veto oplock files (S)

This parameter is only valid when the oplocks parameter is turned on for a
share. It allows the Samba administrator to selectively turn off the
granting of oplocks on selected files that match a wildcarded list, similar
to the wildcarded list used in the veto files parameter.

You might want to do this on files that you know will be heavily contended
for by clients. A good example of this is in the NetBench SMB benchmark
program, which causes heavy client contention for files ending in .SEM. To
cause Samba not to grant oplocks on these files you would use the line
(either in the [global] section or in the section for the particular
NetBench share).

An example of use is:

veto oplock files = /.*SEM/

Default: veto oplock files = # No files are vetoed for oplock grants

vfs object

This parameter is a synonym for vfs objects.

vfs objects (S)

This parameter specifies the backend names which are used for Samba VFS I/O
operations. By default, normal disk I/O operations are used but these can be
overloaded with one or more VFS objects. Be aware that the definition of
this parameter will overwrite a possible previous definition of the vfs
objects parameter.

Default: vfs objects =

Example: vfs objects = extd_audit recycle

volume (S)

This allows you to override the volume label returned for a share. Useful
for CDROMs with installation programs that insist on a particular volume
label.

Default: volume = # the name of the share

wide links (S)

This parameter controls whether or not links in the UNIX file system may be
followed by the server. Links that point to areas within the directory tree
exported by the server are always allowed; this parameter controls access
only to areas that are outside the directory tree being exported.

Note: Turning this parameter on when UNIX extensions are enabled will allow
UNIX clients to create symbolic links on the share that can point to files
or directories outside the restricted path exported by the share
definition. This can cause access to areas outside of the share. Due to this
problem, this parameter will be automatically disabled (with a message in
the log file) if the unix extensions option is on.

See the parameter allow insecure wide links if you wish to change this
coupling between the two parameters.

Default: wide links = no

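The following is an added example, not Samba code: a small linter that reads
an smb.conf and reports the effective wide links state of every share,
applying the coupling described under wide links and unix extensions (wide
links is forced off while unix extensions is on, unless allow insecure wide
links is set). It uses configparser, which handles the ini-style format once
indentation is stripped; the sample configurations and the share names in
them are constructed for the example.

```python
# Added example (not Samba code): report effective "wide links" per share.
import configparser
from typing import Dict, List

TRUE_WORDS = {"yes", "true", "1", "on"}


def smb_bool(value, default: bool = False) -> bool:
    """Samba accepts yes/no, true/false, 1/0 and on/off for booleans."""
    if value is None:
        return default
    return value.strip().lower() in TRUE_WORDS


def load_smb_conf(text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.optionxform = lambda key: " ".join(key.lower().split())  # "Wide  Links" -> "wide links"
    # strip indentation so configparser never treats a line as a continuation
    cp.read_string("\n".join(line.strip() for line in text.splitlines()))
    return cp


def effective_wide_links(cp: configparser.ConfigParser) -> Dict[str, Dict[str, bool]]:
    g = cp["global"] if cp.has_section("global") else {}
    unix_ext = smb_bool(g.get("unix extensions"), default=True)
    insecure = smb_bool(g.get("allow insecure wide links"), default=False)
    report: Dict[str, Dict[str, bool]] = {}
    for share in cp.sections():
        if share == "global":
            continue
        # a share inherits the [global] value when it does not set its own
        requested = smb_bool(cp[share].get("wide links", g.get("wide links")),
                             default=False)
        forced_off = requested and unix_ext and not insecure
        report[share] = {"requested": requested,
                         "effective": requested and not forced_off,
                         "forced_off": forced_off}
    return report


def lint(text: str) -> List[str]:
    """Findings for shares that will follow symlinks out of their export tree."""
    cp = load_smb_conf(text)
    findings: List[str] = []
    if cp.has_section("global") and smb_bool(cp["global"].get("allow insecure wide links")):
        findings.append("[global] allow insecure wide links = yes: UNIX clients may "
                        "create symlinks that escape the share")
    for share, state in effective_wide_links(cp).items():
        if state["effective"]:
            findings.append(f"[{share}] wide links is effective: symlinks outside "
                            "the share path are followed")
        elif state["forced_off"]:
            findings.append(f"[{share}] wide links = yes ignored because unix "
                            "extensions is on")
    return findings


# Constructed sample configurations for this example.
SAMPLE_CONF = """\
[global]
   workgroup = EXAMPLE
   unix extensions = yes

[build]
   path = /srv/build
   wide links = yes

[pub]
   path = /srv/pub
"""

SAMPLE_CONF_INSECURE = SAMPLE_CONF.replace(
    "unix extensions = yes",
    "unix extensions = yes\n   allow insecure wide links = yes")


if __name__ == "__main__":
    for name, conf in [("default coupling", SAMPLE_CONF),
                       ("coupling disabled", SAMPLE_CONF_INSECURE)]:
        print(name)
        for finding in lint(conf):
            print("  ", finding)
```

The same check is worth running on a real configuration before and after
adding allow insecure wide links = yes, since that single global line changes
every share that requests wide links from "ignored" to "effective".
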
winbind cache time (G)

This parameter specifies the number of seconds the winbindd(8) daemon will
cache user and group information before querying a Windows NT server again.

This does not apply to authentication requests, these are always evaluated
in real time unless the winbind offline logon option has been enabled.

Default: winbind cache time = 300

winbindd socket directory (G)

This setting controls the location of the winbind daemon's socket.

Except within automated test scripts, this should not be altered, as the
client tools (nss_winbind etc) do not honour this parameter. Client tools
must then be advised of the altered path with the WINBINDD_SOCKET_DIR
environment variable.

Default: winbindd socket directory = /var/run/samba/winbindd

winbind enum groups (G)

On large installations using winbindd(8) it may be necessary to suppress the
enumeration of groups through the setgrent(), getgrent() and endgrent()
group of system calls. If the winbind enum groups parameter is no, calls to
the getgrent() system call will not return any data.

Warning
Turning off group enumeration may cause some programs to behave oddly.

Default: winbind enum groups = no

winbind enum users (G)

On large installations using winbindd(8) it may be necessary to suppress the
enumeration of users through the setpwent(), getpwent() and endpwent() group
of system calls. If the winbind enum users parameter is no, calls to the
getpwent system call will not return any data.

Warning
Turning off user enumeration may cause some programs to behave oddly. For
example, the finger program relies on having access to the full user list
when searching for matching usernames.

Default: winbind enum users = no

winbind expand groups (G)

This option controls the maximum depth that winbindd will traverse when
flattening nested group memberships of Windows domain groups. This is
different from the winbind nested groups option which implements the Windows
NT4 model of local group nesting. The "winbind expand groups" parameter
specifically applies to the membership of domain groups.

This option also affects the return of non nested group memberships of
Windows domain users. With the new default "winbind expand groups = 0"
winbind does not query group memberships at all.

Be aware that a high value for this parameter can result in system slowdown
as the main parent winbindd daemon must perform the group unrolling and will
be unable to answer incoming NSS or authentication requests during this
time.

The default value was changed from 1 to 0 with Samba 4.2. Some broken
applications (including some implementations of newgrp and sg) calculate
the group memberships of users by traversing groups; such applications will
require "winbind expand groups = 1". But the new default makes winbindd more
reliable as it doesn't require SAMR access to domain controllers of trusted
domains.

Default: winbind expand groups = 0

winbind:ignore domains (G)

Allows one to enter a list of trusted domains winbind should ignore
(untrust). This can avoid the overhead of resources from attempting to login
to DCs that should not be communicated with.

Default: winbind:ignore domains =

Example: winbind:ignore domains = DOMAIN1, DOMAIN2

winbind max clients (G)

This parameter specifies the maximum number of clients the winbindd(8)
daemon can connect with. The parameter is not a hard limit. The winbindd(8)
daemon configures itself to be able to accept at least that many
connections, and if the limit is reached, an attempt is made to disconnect
idle clients.

Default: winbind max clients = 200

winbind max domain connections (G)

This parameter specifies the maximum number of simultaneous connections that
the winbindd(8) daemon should open to the domain controller of one domain.
Setting this parameter to a value greater than 1 can improve scalability
with many simultaneous winbind requests, some of which might be slow.

Note that if winbind offline logon is set to Yes, then only one DC
connection is allowed per domain, regardless of this setting.

Default: winbind max domain connections = 1

Example: winbind max domain connections = 10

winbind nested groups (G)

If set to yes, this parameter activates the support for nested groups.
Nested groups are also called local groups or aliases. They work like their
counterparts in Windows: Nested groups are defined locally on any machine
(they are shared between DCs through their SAM) and can contain users and
global groups from any trusted SAM. To be able to use nested groups, you
need to run nss_winbind.

Default: winbind nested groups = yes

winbind normalize names (G)

This parameter controls whether winbindd will replace whitespace in user and
group names with an underscore (_) character. For example, whether the name
"Space Kadet" should be replaced with the string "space_kadet". Frequently
Unix shell scripts will have difficulty with usernames containing whitespace
due to the default field separator in the shell. If your domain possesses
names containing the underscore character, this option may cause problems
unless the name aliasing feature is supported by your nss_info plugin.

This feature also enables the name aliasing API which can be used to map
domain user and group names to a non-qualified version. Please refer to the
manpage for the configured idmap and nss_info plugin for the specifics on
how to configure name aliasing for a specific configuration. Name aliasing
takes precedence (and is mutually exclusive) over the whitespace replacement
mechanism discussed previously.

Default: winbind normalize names = no

Example: winbind normalize names = yes

winbind nss info (G)

This parameter is designed to control how Winbind retrieves Name Service
Information to construct a user's home directory and login shell. Currently
the following settings are available:

• template - The default, using the parameters of template shell and
  template homedir.

• <sfu | sfu20 | rfc2307> - When Samba is running in security = ads and
  your Active Directory Domain Controller does support the Microsoft
  "Services for Unix" (SFU) LDAP schema, winbind can retrieve the login
  shell and the home directory attributes directly from your Directory
  Server. For SFU 3.0 or 3.5 simply choose "sfu", if you use SFU 2.0 please
  choose "sfu20".

  Note that for the idmap backend idmap_ad you need to configure those
  settings in the idmap configuration section. Make sure to consult the
  documentation of the idmap backend that you are using.

Default: winbind nss info = template

Example: winbind nss info = sfu

winbind offline logon (G)

This parameter is designed to control whether Winbind should allow one to
login with the pam_winbind module using Cached Credentials. If enabled,
winbindd will store user credentials from successful logins encrypted in a
local cache.

Default: winbind offline logon = no

Example: winbind offline logon = yes

winbind reconnect delay (G)

This parameter specifies the number of seconds the winbindd(8) daemon will
wait between attempts to contact a Domain controller for a domain that is
determined to be down or not contactable.

Default: winbind reconnect delay = 30

winbind refresh tickets (G)

This parameter is designed to control whether Winbind should refresh
Kerberos Tickets retrieved using the pam_winbind module.

Default: winbind refresh tickets = no

Example: winbind refresh tickets = yes

winbind request timeout (G)

This parameter specifies the number of seconds the winbindd(8) daemon will
wait before disconnecting either a client connection with no outstanding
requests (idle) or a client connection with a request that has remained
outstanding (hung) for longer than this number of seconds.

Default: winbind request timeout = 60

winbind rpc only (G)

Setting this parameter to yes forces winbindd to use RPC instead of LDAP to
retrieve information from Domain Controllers.

Default: winbind rpc only = no

winbind scan trusted domains (G)

This option only takes effect when the security option is set to domain or
ads. If it is set to yes (the default), winbindd periodically tries to scan
for new trusted domains and adds them to a global list inside of winbindd.
The list can be extracted with wbinfo --trusted-domains --verbose. This
matches the behaviour of Samba 4.7 and older.

The construction of that global list is not reliable and often incomplete in
complex trust setups. In most situations the list is not needed any more for
winbindd to operate correctly, e.g. for plain file serving via SMB using a
simple idmap setup with autorid, tdb or ad. However some more complex setups
require the list, e.g. if you specify idmap backends for specific domains.
Some pam_winbind setups may also require the global list.

If you have a setup that doesn't require the global list, you should set
winbind scan trusted domains = no.

Default: winbind scan trusted domains = yes

winbind sealed pipes (G)

This option controls whether requests from winbindd to domain controllers
over the RPC pipe will be sealed. Disabling sealing can be useful for
debugging purposes; unsealed RPC traffic is not encrypted on the wire, so
leave it enabled in production.

The behavior can be controlled per netbios domain by using 'winbind sealed
pipes:NETBIOSDOMAIN = no' as option.

Default: winbind sealed pipes = yes

winbind separator (G)

This parameter allows an admin to define the character used when listing a
username of the form DOMAIN\user. This parameter is only applicable when
using the pam_winbind.so and nss_winbind.so modules for UNIX services.

Please note that setting this parameter to + causes problems with group
membership at least on glibc systems, as the character + is used as a
special character for NIS in /etc/group.

Default: winbind separator = \

Example: winbind separator = +

7701 winbind use default domain (G)
7702
7703 This parameter specifies whether the winbindd(8) daemon should operate on
users without domain component in their username. Users
7704 without a domain component are treated as is part of the winbindd
server's own domain. While this does not benefit Windows users, it
7705 makes SSH, FTP and e-mail function in a way much closer to the way they
would in a native unix system.
7706
7707 This option should be avoided if possible. It can cause confusion about
responsibilities for a user or group. In many situations it is
7708 not clear whether winbind or /etc/passwd should be seen as authoritative
for a user, likewise for groups.
7709
7710 Default: winbind use default domain = no
7711
7712 Example: winbind use default domain = yes
7713
winbind use krb5 enterprise principals (G)

winbindd is able to get Kerberos tickets for pam_winbind with krb5_auth or wbinfo -K/--krb5auth=.

winbindd (at least on a domain member) is never able to have a complete picture of the trust topology (which is managed by the DCs). There might be uPNSuffixes and msDS-SPNSuffixes values which don't belong to any AD domain at all.

With winbind scan trusted domains = no winbindd doesn't even get an incomplete picture of the topology.

It is not really required to know about the trust topology. We can just rely on the [K]DCs of our primary domain (e.g. PRIMARY.A.EXAMPLE.COM) and use enterprise principals, e.g. upnfromB@B.EXAMPLE.COM@PRIMARY.A.EXAMPLE.COM, and follow the WRONG_REALM referrals in order to find the correct DC. The final principal might be userfromB@INTERNALB.EXAMPLE.PRIVATE.

With winbind use krb5 enterprise principals = yes winbindd will use enterprise principals.

Default: winbind use krb5 enterprise principals = no

Example: winbind use krb5 enterprise principals = yes

winsdb:local_owner (G)

This specifies the address that is stored in the winsOwner attribute of locally registered winsRecord objects. The default is to use the IP address of the first network interface.

No default

winsdb:dbnosync (G)

This parameter disables fsync() after changes of the WINS database.

Default: winsdb:dbnosync = no

wins hook (G)

When Samba is running as a WINS server this allows you to call an external program for all changes to the WINS database. The primary use for this option is to allow the dynamic update of external name resolution databases such as dynamic DNS.

The wins hook parameter specifies the name of a script or executable that will be called as follows:

    wins_hook operation name nametype ttl IP_list

    • The first argument is the operation and is one of "add", "delete", or "refresh". In most cases the operation can be ignored as the rest of the parameters provide sufficient information. Note that "refresh" may sometimes be called when the name has not previously been added; in that case it should be treated as an add.

    • The second argument is the NetBIOS name. If the name is not a legal name then the wins hook is not called. Legal names contain only letters, digits, hyphens, underscores and periods.

    • The third argument is the NetBIOS name type as a 2 digit hexadecimal number.

    • The fourth argument is the TTL (time to live) for the name in seconds.

    • The fifth and subsequent arguments are the IP addresses currently registered for that name. If this list is empty then the name should be deleted.

An example script that calls the BIND dynamic DNS update program nsupdate is provided in the examples directory of the Samba source code.

No default

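The calling convention above, as an added example that is not the Samba project's own example script: a POSIX sh wins hook that checks the arguments nmbd passes against the rules listed (operation, legal NetBIOS name, two-digit hex type, numeric TTL) and writes the equivalent nsupdate(8) commands to standard output instead of invoking nsupdate itself. The zone name and DNS server address (WINS_ZONE, WINS_DNS_SERVER), and the choice to map only name types 00 and 20 to DNS records, are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the Samba sources: a "wins hook" that validates
# its arguments and emits nsupdate(8) commands on stdout.
# Called by nmbd as: wins_hook operation name nametype ttl IP_list

WINS_ZONE="${WINS_ZONE:-wins.example.internal}"   # assumed zone (placeholder)
WINS_DNS_SERVER="${WINS_DNS_SERVER:-127.0.0.1}"   # assumed DNS server (placeholder)

# wins_hook_check OP NAME TYPE TTL [IP...]
# Returns 0 only if the arguments match the convention from the man page:
# OP is add|delete|refresh, NAME has only letters, digits, '-', '_' and '.',
# TYPE is a two-digit hex number and TTL is a non-negative integer.
wins_hook_check() {
    op=$1; name=$2; type=$3; ttl=$4
    case "$op" in add|delete|refresh) ;; *) return 1 ;; esac
    case "$name" in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac
    case "$type" in [0-9a-fA-F][0-9a-fA-F]) ;; *) return 1 ;; esac
    case "$ttl" in ''|*[!0-9]*) return 1 ;; esac
    return 0
}

# wins_hook_nsupdate OP NAME TYPE TTL [IP...]
# Prints the nsupdate commands for one WINS change. Only workstation (00)
# and server (20) names are mapped to A records (an assumption of this
# example). A "refresh" with no addresses is treated as a delete, as the
# man page says an empty IP list means the name should be deleted.
wins_hook_nsupdate() {
    op=$1; name=$2; type=$3; ttl=$4
    shift 4
    wins_hook_check "$op" "$name" "$type" "$ttl" || return 1
    case "$type" in 00|20) ;; *) return 0 ;; esac
    fqdn=$(printf '%s' "$name" | tr 'A-Z' 'a-z').$WINS_ZONE
    printf 'server %s\n' "$WINS_DNS_SERVER"
    # always clear the old addresses, then re-add the current list (if any)
    printf 'update delete %s A\n' "$fqdn"
    if [ "$op" != delete ] && [ $# -gt 0 ]; then
        for ip; do
            printf 'update add %s %s A %s\n' "$fqdn" "$ttl" "$ip"
        done
    fi
    printf 'send\n'
}

# When executed by nmbd (arguments present), act on the real arguments;
# when sourced for testing there are none and nothing runs.
if [ $# -ge 4 ]; then
    wins_hook_nsupdate "$@" || { echo "wins hook: bad arguments: $*" >&2; exit 1; }
fi
```

To use it, point wins hook at the script and pipe its output into nsupdate with a TSIG key once you are happy with what it emits. The legality check repeats the man page's rule on purpose: everything that reaches the DNS updater should come from a validated name, not from whatever string was registered over NetBIOS.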
wins proxy (G)

This is a boolean that controls if nmbd(8) will respond to broadcast name queries on behalf of other hosts. You may need to set this to yes for some older clients.

Default: wins proxy = no

wins server (G)

This specifies the IP address (or DNS name: IP address for preference) of the WINS server that nmbd(8) should register with. If you have a WINS server on your network then you should set this to the WINS server's IP.

You should point this at your WINS server if you have a multi-subnetted network.

If you want to work in multiple namespaces, you can give every wins server a 'tag'. For each tag, only one (working) server will be queried for a name. The tag should be separated from the IP address by a colon.

Note
You need to set up Samba to point to a WINS server if you have multiple subnets and wish cross-subnet browsing to work correctly. See the chapter in the Samba3-HOWTO on Network Browsing.

Default: wins server =

Example: wins server = mary:192.9.200.1 fred:192.168.3.199 mary:192.168.2.61 # For this example, when querying a certain name, 192.9.200.1 will be asked first and, if that doesn't respond, 192.168.2.61. If either of those doesn't know the name, 192.168.3.199 will be queried.

Example: wins server = 192.9.200.1 192.168.2.61

wins support (G)

This boolean controls if the nmbd(8) process in Samba will act as a WINS server. You should not set this to yes unless you have a multi-subnetted network and you wish a particular nmbd to be your WINS server. Note that you should NEVER set this to yes on more than one machine in your network.

Default: wins support = no

workgroup (G)

This controls what workgroup your server will appear to be in when queried by clients. Note that this parameter also controls the domain name used with the security = domain setting.

Default: workgroup = WORKGROUP

Example: workgroup = MYGROUP

wreplsrv:periodic_interval (G)

This is the maximum interval in seconds between 2 periodically scheduled runs where we check for wins.ldb changes and do push notifications to our push partners. Also wins_config.ldb changes are checked in that interval and partner configuration reloads are done.

Default: wreplsrv:periodic_interval = 15

wreplsrv:propagate name releases (G)

If this parameter is enabled, then explicit (from the client) and implicit (via the scavenging) name releases are propagated to the other servers directly, even if there are still other addresses active; this applies to SPECIAL GROUP (2) and MULTIHOMED (3) entries. Also the replication conflict merge algorithm for SPECIAL GROUP (2) entries discards replica addresses where the address owner is the local server, if the address was not stored locally before. The merge result is propagated directly in case an address was discarded. A Windows server doesn't propagate name releases of SPECIAL GROUP (2) and MULTIHOMED (3) entries directly, which means that Windows servers may return different results to name queries for SPECIAL GROUP (2) and MULTIHOMED (3) names. The option doesn't have much negative impact if Windows servers are around, but be aware that they might return unexpected results.

Default: wreplsrv:propagate name releases = no

wreplsrv:scavenging_interval (G)

This is the interval in seconds between 2 scavenging runs which clean up the WINS database and change the states of expired name records. Defaults to half of the value of wreplsrv:renew_interval.

No default

wreplsrv:tombstone_extra_timeout (G)

This is the time in seconds the server needs to be up until we'll remove tombstone records from our database. Defaults to 3 days.

Default: wreplsrv:tombstone_extra_timeout = 259200

wreplsrv:tombstone_interval (G)

This is the interval in seconds until released records of the WINS server become tombstones. Defaults to 6 days.

Default: wreplsrv:tombstone_interval = 518400

wreplsrv:tombstone_timeout (G)

This is the interval in seconds until tombstone records are deleted from the WINS database. Defaults to 1 day.

Default: wreplsrv:tombstone_timeout = 86400

wreplsrv:verify_interval (G)

This is the interval in seconds until we verify active replica records with the owning WINS server. Unfortunately not implemented yet. Defaults to 24 days.

Default: wreplsrv:verify_interval = 2073600

writable

This parameter is a synonym for writeable.

write ok

This parameter is a synonym for writeable.

writeable (S)

Inverted synonym for read only.

Default: writeable = no

write list (S)

This is a list of users that are given read-write access to a service. If the connecting user is in this list then they will be given write access, no matter what the read only option is set to. The list can include group names using the @group syntax.

Note that if a user is in both the read list and the write list then they will be given write access.

Default: write list =

Example: write list = admin, root, @staff

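How write list, read list and read only (with its inverted synonyms writeable, writable and write ok) combine, as an added example that is not part of the Samba sources or of this manual page: a POSIX sh function that parses an smb.conf fragment and reports whether a given user, with a given set of groups, gets read or write access to a share. The sample configuration is constructed for the example. The rules follow the descriptions above (write list wins over read only; a user in both lists gets write; the last of read only / writeable in a section wins) plus the read list semantics described elsewhere in this manual page (read-only access regardless of read only). It deliberately models nothing else: valid users, invalid users, include files, % substitutions and file system permissions are outside it.

```shell
#!/bin/sh
# Added example, not from the Samba sources: decide whether USER (member of
# the listed GROUPS) gets "read" or "write" access to SHARE according to the
# smb.conf text in CONF, using only read only / writeable (and synonyms),
# read list and write list.
# Usage: smb_share_access "$conf_text" SHARE USER [GROUP...]
smb_share_access() {
    conf=$1; share=$2; user=$3; shift 3
    printf '%s\n' "$conf" | awk -v share="$share" -v user="$user" -v groups="$*" '
    # member(list): 1 if user, or one of the groups via @group, is in list
    function member(list,    n, i, a, k, g, garr) {
        n = split(list, a, /[ ,]+/)
        k = split(groups, garr, " ")
        for (i = 1; i <= n; i++) {
            if (a[i] == "") continue
            if (a[i] == user) return 1
            if (substr(a[i], 1, 1) == "@")
                for (g = 1; g <= k; g++)
                    if (substr(a[i], 2) == garr[g]) return 1
        }
        return 0
    }
    /^[ \t]*[;#]/ { next }                       # comment lines
    /^[ \t]*\[/ {                                # [section] header
        sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); next
    }
    sec == share && index($0, "=") > 0 {
        key = substr($0, 1, index($0, "=") - 1)
        val = substr($0, index($0, "=") + 1)
        gsub(/[ \t]/, "", key); key = tolower(key)   # "Read Only" -> readonly
        gsub(/^[ \t]+|[ \t]+$/, "", val)
        # writeable and its synonyms are the inverse of read only; the last
        # assignment in the section wins, as in smbd
        if (key == "writeable" || key == "writable" || key == "writeok") {
            key = "readonly"
            val = (tolower(val) ~ /^(yes|true|1)$/) ? "no" : "yes"
        }
        p[key] = val
    }
    END {
        if (member(p["writelist"]))                         print "write"
        else if (member(p["readlist"]))                     print "read"
        else if (tolower(p["readonly"]) ~ /^(no|false|0)$/) print "write"
        else                                                print "read"   # read only defaults to yes
    }'
}

# Constructed sample configuration for this example (not a real deployment).
SMB_CONF_SAMPLE='[global]
   workgroup = MYGROUP

[projects]
   path = /srv/projects
   read only = yes
   write list = admin, @staff
   read list = auditor, @staff

[scratch]
   path = /srv/scratch
   writeable = yes
   read list = guest1
'

smb_share_access "$SMB_CONF_SAMPLE" projects admin        # write (in write list)
smb_share_access "$SMB_CONF_SAMPLE" projects bob staff    # write (in both lists: write list wins)
smb_share_access "$SMB_CONF_SAMPLE" projects auditor      # read  (read list)
smb_share_access "$SMB_CONF_SAMPLE" projects carol        # read  (read only = yes)
smb_share_access "$SMB_CONF_SAMPLE" scratch dave          # write (writeable = yes)
smb_share_access "$SMB_CONF_SAMPLE" scratch guest1        # read  (read list overrides writeable)
```

The interesting case is bob: staff appears in both lists on [projects], so the note above applies and the group gets write access even though the share is read only. Running this kind of check against a real configuration (after testparm has expanded it) is a quick way to see which group memberships quietly confer write access through @group entries.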
write raw (G)

This is ignored if async smb echo handler is set, because this feature is incompatible with raw write SMB requests.

If enabled, raw writes allow writes of 65535 bytes in one packet. This typically provides a major performance benefit for some very, very old clients.

However, some clients either negotiate the allowable block size incorrectly or are incapable of supporting larger block sizes, and for these clients you may need to disable raw writes.

In general this parameter should be viewed as a system tuning tool and left severely alone.

Default: write raw = yes

wtmp directory (G)

This parameter is only available if Samba has been configured and compiled with the option --with-utmp. It specifies a directory pathname that is used to store the wtmp or wtmpx files (depending on the UNIX system) that record user connections to a Samba server. The difference from the utmp directory is that user info is kept after a user has logged out.

By default this is not set, meaning the system will use whatever utmp file the native system is set to use (usually /var/run/wtmp on Linux).

Default: wtmp directory =

Example: wtmp directory = /var/log/wtmp

WARNINGS
Although the configuration file permits service names to contain spaces, your client software may not. Spaces will be ignored in comparisons anyway, so it shouldn't be a problem - but be aware of the possibility.

On a similar note, many clients - especially DOS clients - limit service names to eight characters. smbd(8) has no such limitation, but attempts to connect from such clients will fail if they truncate the service names. For this reason you should probably keep your service names down to eight characters in length.

Use of the [homes] and [printers] special sections makes life for an administrator easy, but the various combinations of default attributes can be tricky. Take extreme care when designing these sections. In particular, ensure that the permissions on spool directories are correct.

VERSION
This man page is part of version 4.13.13-Debian of the Samba suite.

SEE ALSO
samba(7), smbpasswd(8), smbd(8), nmbd(8), winbindd(8), samba(8), samba-tool(8), smbclient(1), nmblookup(1), testparm(1).

AUTHOR
The original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed.

Samba 4.13.13-Debian                    11/04/2021                    SMB.CONF(5)