


SMB.CONF(5)                  smb.conf                 SMB.CONF(5)


NAME
       smb.conf - configuration file for smbd

SYNOPSIS
       smb.conf

DESCRIPTION
       The  smb.conf  file  is a configuration file for the Samba
       suite.

       smb.conf contains runtime  configuration  information  for
       the  smbd  program.  The smbd program provides LanManager-
       like services to clients using the SMB protocol.


FILE FORMAT
       The file consists of sections and  parameters.  A  section
       begins with the name of the section in square brackets and
       continues until the next section begins. Sections  contain
       parameters of the form 'name = value'.

       The  file is line-based - that is, each newline-terminated
       line represents either a comment,  a  section  name  or  a
       parameter.

       Section and parameter names are not case sensitive.

       Only  the first equals sign in a parameter is significant.
       Whitespace before or after the first equals sign  is  dis-
       carded.  Leading, trailing and internal whitespace in sec-
       tion and parameter names is irrelevant. Leading and trail-
       ing whitespace in a parameter value is discarded. Internal
       whitespace within a parameter value is retained  verbatim.

       Any  line  beginning  with  a semicolon is ignored, as are
       lines containing only whitespace.

       Any line ending in a  is "continued" on the next  line  in
       the customary unix fashion.

       The values following the equals sign in parameters are all
       either a string (no quotes needed) or a boolean, which may
       be given as yes/no, 0/1 or true/false. Case is not signif-
       icant in boolean values, but is preserved in  string  val-
       ues. Some items such as create modes are numeric.

SERVICE DESCRIPTIONS
       Each  section  in  the configuration file describes a ser-
       vice. The section name is the service name and the parame-
       ters within the section define the service's attributes.

       There  are  three  special sections, [global], [homes] and
       [printers], which are described under 'special  sections'.
       The    following   notes   apply   to   ordinary   service



smb.conf                     11/10/94                           1





SMB.CONF(5)                  smb.conf                 SMB.CONF(5)


       descriptions.

       A service consists of a directory to which access is being
       given  plus  a  description of the access rights which are
       granted to the user  of  the  service.  Some  housekeeping
       options are also specifiable.

       Services are either filespace services (used by the client
       as an extension of their native file systems) or printable
       services  (used  by the client to access print services on
       the host running the server).

       Services may be guest services, in which case no  password
       is  required  to access them. A specified guest account is
       used to define access privileges in this case.

       Services other than guest services will require a password
       to  access them. The client provides the username. As many
       clients only provide passwords and not usernames, you  may
       specify  a list of usernames to check against the password
       using the "user=" option in the service definition.

       Note that the access rights  granted  by  the  server  are
       masked  by  the  access rights granted to the specified or
       guest user by the host system. The server does  not  grant
       more access than the host system grants.

       The following sample section defines a file space service.
       The user has write access to the path /home/bar. The  ser-
       vice is accessed via the service name "foo":

            [foo]
                 path = /home/bar
                 writable = true

       The  following sample section defines a printable service.
       The service is readonly, but printable. That is, the  only
       write  access permitted is via calls to open, write to and
       close a spool file. The 'guest ok' parameter means  access
       will  be  permitted  as  the default guest user (specified
       elsewhere):

            [aprinter]
                 path = /usr/spool/public
                 read only = true
                 printable = true
                 public = true


SPECIAL SECTIONS
   The [global] section
          Parameters in this section apply to  the  server  as  a
          whole,  or  are  defaults  for  services  which  do not
          specifically define certain items. See the notes  under



smb.conf                     11/10/94                           2





SMB.CONF(5)                  smb.conf                 SMB.CONF(5)


          'Parameters' for more information.


   The [homes] section
          If a section called 'homes' is included in the configu-
          ration file, services connecting clients to their  home
          directories can be created on the fly by the server.

          When  the connection request is made, the existing ser-
          vices are scanned. If a match is found, it is used.  If
          no  match  is  found,  the  requested  service  name is
          treated as a user name and looked up in the local pass-
          words file. If the name exists and the correct password
          has been given, a service is  created  by  cloning  the
          [homes] section.

          Some  modifications  are then made to the newly created
          section:

             The service name is  changed  from  'homes'  to  the
             located username

             If  no path was given, the path is set to the user's
             home directory.

          If you decide to use a path= line in your [homes]  sec-
          tion  then  you may find it useful to use the %S macro.
          For example path=/data/pchome/%S would be useful if you
          have  different  home directories for your PCs than for
          unix access.

          This is a fast and simple way to give a large number of
          clients access to their home directories with a minimum
          of fuss.

          A similar process occurs if the requested service  name
          is "homes", except that the service name is not changed
          to that of the requesting user. This  method  of  using
          the [homes] section works well if different users share
          a client PC.

          The [homes] section can specify all  the  parameters  a
          normal  service  section  can specify, though some make
          more sense than others. The following is a typical  and
          suitable [homes] section:

               [homes]
                    writable = yes

          An important point:

             If guest access is specified in the [homes] section,
             all home  directories  will  be  accessible  to  all
             clients  without  a  password.  In the very unlikely



smb.conf                     11/10/94                           3





SMB.CONF(5)                  smb.conf                 SMB.CONF(5)


             event that this is actually desirable, it  would  be
             wise to also specify read only access.

       Note  that  the  browseable flag for auto home directories
       will be inherited from the global browseable flag, not the
       [homes]  browseable  flag. This is useful as it means set-
       ting browseable=no in the [homes] section  will  hide  the
       [homes]  service  but make any auto home directories visi-
       ble.


   The [printers] section
          This section works like [homes], but for printers.

          If a [printers] section  occurs  in  the  configuration
          file,  users  are able to connect to any printer speci-
          fied in the local host's printcap file.

          When a connection request is made,  the  existing  ser-
          vices  are scanned. If a match is found, it is used. If
          no match is found, but a [homes] section exists, it  is
          used  as described above. Otherwise, the requested ser-
          vice name is treated as a printer name and  the  appro-
          priate printcap file is scanned to see if the requested
          service name is a valid printer name.  If  a  match  is
          found,  a new service is created by cloning the [print-
          ers] section.

          A few modifications are then made to the newly  created
          section:

             The service name is set to the located printer name

             If  no  printer  name was given, the printer name is
             set to the located printer name

             If the service does not permit guest access  and  no
             username  was  given,  the  username  is  set to the
             located printer name.

          Note that the [printers] service MUST be printable - if
          you  specify  otherwise, the server will refuse to load
          the configuration file.

          Typically the path specified would be that of a  world-
          writable spool directory with the sticky bit set on it.
          A typical [printers] entry would look like this:

               [printers]
                    path = /usr/spool/public
                    writable = no
                    public = yes
                    printable = yes




smb.conf                     11/10/94                           4





SMB.CONF(5)                  smb.conf                 SMB.CONF(5)


          All aliases given for a printer in  the  printcap  file
          are  legitimate  printer  names as far as the server is
          concerned. If your printing subsystem doesn't work like
          that,  you  will have to set up a pseudo-printcap. This
          is a file consisting of one or more lines like this:

                  alias|alias|alias|alias...

          Each alias should be an  acceptable  printer  name  for
          your printing subsystem. In the [global] section, spec-
          ify the new file as your  printcap.   The  server  will
          then   only  recognise  names  found  in  your  pseudo-
          printcap, which of course can contain whatever  aliases
          you  like.  The  same technique could be used simply to
          limit access to a subset of your local printers.

          An alias, by the way, is defined as  any  component  of
          the first entry of a printcap record. Records are sepa-
          rated by newlines, components (if there are  more  than
          one) are separated by vertical bar symbols ("|").

PARAMETERS
       Parameters define the specific attributes of services.

       Some parameters are specific to the [global] section (eg.,
       security).  Some parameters are  usable  in  all  sections
       (eg.,  create  mode).  All  others are permissible only in
       normal  sections.  For  the  purposes  of  the   following
       descriptions  the  [homes] and [printers] sections will be
       considered normal.  The letter 'G'  in  parentheses  indi-
       cates  that  a  parameter is specific to the [global] sec-
       tion. The letter 'S' indicates that  a  parameter  can  be
       specified  in  a secvice specific section. Note that all S
       parameters can also be specified in the [global] section -
       in  which  case they will define the default behaviour for
       all services.

       Parameters are arranged here in alphabetical order -  this
       may  not create best bedfellows, but at least you can find
       them! Where there are synonyms, the preferred  synonym  is
       described, others refer to the preferred synonym.


   VARIABLE SUBSTITUTIONS
       Many  of  the strings that are settable in the config file
       can take substitutions. For example  the  option  "path  =
       /tmp/%u" would be interpreted as "path = /tmp/john" if the
       user connected with the username john.

       These substitutions are mostly noted in  the  descriptions
       below,  but there are some general substitions which apply
       whenever they might be relevant. These are:

       %S = the name of the current service, if any



smb.conf                     11/10/94                           5





SMB.CONF(5)                  smb.conf                 SMB.CONF(5)


       %P = the root directory of the current service, if any

       %u = user name of the current service, if any

       %U = session user name (the  user  name  that  the  client
       wanted, not necessarily the same as the one they got)

       %H = the home directory of the user given by %u

       %v = the Samba version

       %h = the hostname that Samba is running on

       %m = the netbios name of the client machine (very useful)

       %L  =  the  netbios name of the server. This allows you to
       change your config based on what  the  client  calls  you.
       Your server can have a "dual personality".

       %M = the internet name of the client machine

       %d = The process id of the current server process

       %a = the architecture of the remote machine. Only some are
       recognised, and those may not be 100%  reliable.  It  cur-
       rently  recognises  Samba, WfWg, WinNT and Win95. Anything
       else will be known as "UNKNOWN". If it gets it wrong  then
       sending me a level 3 log should allow me to fix it.

       %I = The IP address of the client machine

       %T = the current date and time

       There are some quite creative things that can be done with
       these substitutions and other smb.conf options.


   NAME MANGLING
       Samba supports "name mangling" so  that  Dos  and  Windows
       clients  can  use files that don't conform to the 8.3 for-
       mat. It can also be set to adjust the case of  8.3  format
       filenames.

       There are several options that control the way mangling is
       performed, and they are grouped here  rather  than  listed
       separately.  For  the  defaults  look at the output of the
       testparm program.

       All of these options can be set separately for  each  ser-
       vice (or globally, of course).

       The options are:

       "mangle  case  =  yes/no"  controls  if  names  that  have



smb.conf                     11/10/94                           6





SMB.CONF(5)                  smb.conf                 SMB.CONF(5)


       characters that aren't of the "default" case are  mangled.
       For  example, if this is yes then a name like "Mail" would
       be mangled. Default no.

       "case sensitive = yes/no" controls whether  filenames  are
       case  sensitive. If they aren't then Samba must do a file-
       name search and match on passed names. Default no.

       "default case = upper/lower"  controls  what  the  default
       case is for new filenames. Default lower.

       "preserve case = yes/no" controls if new files are created
       with the case that the  client  passes,  or  if  they  are
       forced to be the "default" case. Default no.

       "short preserve case = yes/no" controls if new files which
       conform to 8.3 syntax, that is all in upper  case  and  of
       suitable  length,  are  created upper case, or if they are
       forced to be the "default" case. This option  can  be  use
       with  "preserve  case  =  yes" to permit long filenames to
       retain their case, while short names are lowered.  Default
       no.


   COMPLETE LIST OF GLOBAL PARAMETER
       Here  is  a list of all global parameters. See the section
       of each parameter for details.  Note that  some  are  syn-
       onyms.

       auto services

       config file

       deadtime

       debuglevel

       default

       default service

       dfree command

       encrypt passwords

       getwd cache

       hosts equiv

       include

       keepalive

       lock dir



smb.conf                     11/10/94                           7





SMB.CONF(5)                  smb.conf                 SMB.CONF(5)


       load printers

       lock directory

       log file

       log level

       lpq cache time

       mangled stack

       max log size

       max packet

       max xmit

       message command

       null passwords

       os level

       packet size

       passwd chat

       passwd program

       password level

       password server

       preferred master

       preload

       printing

       printcap name

       protocol

       read bmpx

       read prediction

       read raw

       read size

       root




smb.conf                     11/10/94                           8





SMB.CONF(5)                  smb.conf                 SMB.CONF(5)


       root dir

       root directory

       security

       server string

       smbrun

       socket options

       status

       strip dot

       time offset

       username map

       use rhosts

       valid chars

       workgroup

       write raw


   COMPLETE LIST OF SERVICE PARAMETER
       Here  is a list of all service parameters. See the section
       of each parameter for details. Note  that  some  are  syn-
       onyms.

       admin users

       allow hosts

       alternate permissions

       available

       browseable

       case sensitive

       case sig names

       copy

       create mask

       create mode




smb.conf                     11/10/94                           9





SMB.CONF(5)                  smb.conf                 SMB.CONF(5)


       comment

       default case

       deny hosts

       directory

       dont descend

       exec

       force group

       force user

       guest account

       guest ok

       guest only

       hide dot files

       hosts allow

       hosts deny

       invalid users

       locking

       lpq command

       lprm command

       magic output

       magic script

       mangle case

       mangled names

       mangling char

       map archive

       map hidden

       map system

       max connections




smb.conf                     11/10/94                          10





SMB.CONF(5)                  smb.conf                 SMB.CONF(5)


       min print space

       only guest

       only user

       path

       postexec

       postscript

       preserve case

       print command

       print ok

       printable

       printer

       printer name

       public

       read only

       read list

       revalidate

       root postexec

       root preexec

       set directory

       share modes

       short preserve case

       strict locking

       sync always

       user

       username

       users

       valid users




smb.conf                     11/10/94                          11





SMB.CONF(5)                  smb.conf                 SMB.CONF(5)


       volume

       wide links

       writable

       write ok

       writeable

       write list


   EXPLANATION OF EACH PARAMETER
   admin users (G)
       This is a list of users who will be granted administrative
       privilages on the share. This means that they will do  all
       file operations as the super-user (root).

       You  should use this option very carefully, as any user in
       this list will be able to do anything  they  like  on  the
       share, irrespective of file permissions.

       Default:      no admin users

       Example:      admin users = jason


   auto services (G)
       This  is  a list of services that you want to be automati-
       cally added to the browse lists. This is most  useful  for
       homes  and  printers  services that would otherwise not be
       visible.

       Note that if you just want all printers in  your  printcap
       file loaded then the "load printers" option is easier.

       Default:      no auto services

       Example:      auto services = fred lp colorlp



   allow hosts (S)
       A synonym for this parameter is 'hosts allow'.

       This parameter is a comma delimited set of hosts which are
       permitted to  access  a  services.  If  specified  in  the
       [global] section, matching hosts will be allowed access to
       any service that does not specifically exclude  them  from
       access.  Specific  services  my have their own list, which
       override those specified in the [global] section.

       You can specify the  hosts  by  name  or  IP  number.  For



smb.conf                     11/10/94                          12





SMB.CONF(5)                  smb.conf                 SMB.CONF(5)


       example,  you could restrict access to only the hosts on a
       Class  C  subnet  with  something  like  "allow  hosts   =
       150.203.5.".  The  full syntax of the list is described in
       the man page hosts_access(5).

       You can also specify hosts by network/netmask pairs and by
       netgroup  names  if  your  system  supports netgroups. The
       EXCEPT keyword can also be used to limit a wildcard  list.
       The following examples may provide some help:

       Example 1: allow all IPs in 150.203.*.* except one

            hosts allow = 150.203. EXCEPT 150.203.6.66

       Example   2:   allow  hosts  that  match  the  given  net-
       work/netmask

            hosts allow = 150.203.15.0/255.255.255.0

       Example 3: allow a couple of hosts

            hosts allow = lapland, arvidsjaur

       Example 4: allow only hosts in netgroup "foonet" or local-
       host, but deny access from one particular host

            hosts allow = @foonet, localhost
            hosts deny = pirate

       Note  that access still requires suitable user-level pass-
       words.

       See testparm(1) for a way of testing your host  access  to
       see if it does what you expect.

       Default:
            none (ie., all hosts permitted access)

       Example:
            allow hosts = 150.203.5. myhost.mynet.edu.au


   alternate permissions (S)
       This  option affects the way the "read only" DOS attribute
       is produced for unix files. If this is false then the read
       only  bit  is  set for files on writeable shares which the
       user cannot write to.

       If this is true then it is set for files whos  user  write
       bit is not set.

       The  latter  behaviour of useful for when users copy files
       from each others directories, and use a file manager  that
       preserves  permissions.  Without  this option they may get



smb.conf                     11/10/94                          13





SMB.CONF(5)                  smb.conf                 SMB.CONF(5)


       annoyed as all copied files will have the "read only"  bit
       set.

       Default:      alternate permissions = no

       Example:      alternate permissions = yes


   available (S)
       This  parameter  lets you 'turn off' a service. If 'avail-
       able = no', then ALL attempts to connect  to  the  service
       will fail. Such failures are logged.

       Default:
            available = yes

       Example:
            available = no

   browseable (S)
       This  controls  whether  this share is seen in the list of
       available shares in a net view and in the browse list.

       Default:      browseable = Yes

       Example:      browseable = No


   case sig names (G)
       See "case sensitive"


   comment (S)
       This is a text field that is seen when a client does a net
       view  to  list  what shares are available. It will also be
       used when browsing is fully supported.

       Default:      No comment string

       Example:      comment = Fred's Files


   config file (G)
       This allows you  to  override  the  config  file  to  use,
       instead  of  the  default  (usually  smb.conf). There is a
       chicken and egg problem here as this option is set in  the
       config file!

       For  this  reason,  if  the  name  of  the config file has
       changed when the parameters are loaded then it will reload
       them from the new config file.

       This  option  takes  the usual substitutions, which can be
       very useful.



smb.conf                     11/10/94                          14





SMB.CONF(5)                  smb.conf                 SMB.CONF(5)


       If thew config file doesn't exist then it won't be  loaded
       (allowing  you  to special case the config files of just a
       few clients).

       Example:      config file = /usr/local/samba/smb.conf.%m


   copy (S)
       This parameter allows you to 'clone' service entries.  The
       specified  service  is simply duplicated under the current
       service's name. Any parameters specified  in  the  current
       section will override those in the section being copied.

       This feature lets you set up a 'template' service and cre-
       ate similar services easily. Note that the  service  being
       copied  must  occur earlier in the configuration file than
       the service doing the copying.

       Default:
            none

       Example:
            copy = otherservice

   create mask (S)
       A synonym for this parameter is 'create mode'.

       This parameter is the octal modes which are used when con-
       verting DOS modes to Unix modes.

       Note  that  Samba will or this value with 0700 as you must
       have at least user read, write and execute  for  Samba  to
       work properly.

       Default:
            create mask = 0755

       Example:
            create mask = 0775

   create mode (S)
       See create mask.

   dead time (G)
       The  value of the parameter (a decimal integer) represents
       the number of minutes of inactivity before a connection is
       considered dead, and it is disconnected. The deadtime only
       takes effect if the number of open files is zero.

       This  is  useful  to  stop  a  server's  resources   being
       exhausted by a large number of inactive connections.

       Most clients have an auto-reconnect feature when a connec-
       tion is broken so in most cases this parameter  should  be



smb.conf                     11/10/94                          15





SMB.CONF(5)                  smb.conf                 SMB.CONF(5)


       transparent to users.

       Using  this  parameter  with a timeout of a few minutes is
       recommended for most systems.

       A deadtime of zero indicates  that  no  auto-disconnection
       should be performed.

       Default:
            dead time = 0

       Example:
            dead time = 15

   debug level (G)
       The  value  of the parameter (an integer) allows the debug
       level (logging level) to  be  specified  in  the  smb.conf
       file.  This is to give greater flexibility in the configu-
       ration of the system.

       The default will be the debug level specified on the  com-
       mand line.

       Example:
            debug level = 3

   default (G)
       See default service.

   default case (S)
       See  the section on "NAME MANGLING" Also note the addition
       of "short preserve case"


   default service (G)
       A synonym for this parameter is 'default'.

       This parameter specifies the name of a service which  will
       be  connected  to if the service actually requested cannot
       be found. Note that the square brackets are NOT  given  in
       the parameter value (see example below).

       There  is  no  default  value  for this parameter. If this
       parameter is not given, attempting to connect to a  nonex-
       istent service results in an error.

       Typically the default service would be a public, read-only
       service.

       Also not that s of 1.9.14 the apparent service  name  will
       be changed to equal that of the requested service, this is
       very useful as it allows you to use macros like %S to make
       a wildcard service.




smb.conf                     11/10/94                          16





SMB.CONF(5)                  smb.conf                 SMB.CONF(5)


       Note also that any _ characters in the name of the service
       used in the default service will get mapped to a  /.  This
       allows for interesting things.


       Example:
            default service = pub

               [pub]
                    path = /%S



   deny hosts (S)
       A synonym for this parameter is 'hosts deny'.

       The  opposite of 'allow hosts' - hosts listed here are NOT
       permitted access to services unless the specific  services
       have their own lists to override this one. Where the lists
       conflict, the 'allow' list takes precedence.

       Default:
            none (ie., no hosts specifically excluded)

       Example:
            deny hosts = 150.203.4. badhost.mynet.edu.au

   dfree command (G)
       The dfree command setting should only be used  on  systems
       where a problem occurs with the internal disk space calcu-
       lations. This has been known to happen  with  Ultrix,  but
       may  occur  with other operating systems. The symptom that
       was seen was an error of "Abort Retry Ignore" at  the  end
       of each directory listing.

       This  setting  allows the replacement of the internal rou-
       tines to calculate the total disk space and amount  avail-
       able  with  an external routine. The example below gives a
       possible script that might fulfill this function.

       The external program will be  passed  a  single  parameter
       indicating  a  directory  in the filesystem being queried.
       This will typically consist of the string "./". The script
       should  return  two integers in ascii. The first should be
       the total disk space in blocks, and the second  should  be
       the  number  of available blocks. An optional third return
       value can give the block size in bytes. The default block-
       size is 1024 bytes.

       Note:  Your  script  should  NOT  be  setuid or setgid and
       should be owned by (and writable only by) root!

       Default:
            By default internal routines for determining the disk



smb.conf                     11/10/94                          17





SMB.CONF(5)                  smb.conf                 SMB.CONF(5)


       capacity and remaining space will be used.

       Example:
            dfree command = /usr/local/smb/dfree

            Where  the  script  dfree  (which  must  be made exe-
       cutable) could be

            #!/bin/sh
            df $1 | tail -1 | awk '{print $2" "$4}'

            or perhaps (on Sys V)

            #!/bin/sh      /usr/bin/df -k $1  |  tail  -1  |  awk
       '{print $3" "$5}'


            Note  that  you may have to replace the command names
       with full path names on some systems.

   directory (S)
       See path.

   dont descend (S)
       There are certain directories on some  systems  (eg.,  the
       /proc tree under Linux) that are either not of interest to
       clients or are infinitely deep (recursive). This parameter
       allows  you  to specify a comma-delimited list of directo-
       ries that the server should always show as empty.

       Note that Samba can be very fussy about the  exact  format
       of  the  "dont  descend"  entries. For example you ma need
       "./proc" instead of just "/proc". Experimentation  is  the
       best policy :-)

       Default:
            none (ie., all directories are OK to descend)

       Example:
            dont descend = /proc,/dev


   encrypt passwords (G)
       This  boolean controls whether encrypted passwords will be
       negotiated with the cient. Note that this  option  has  no
       effect  if  you  haven't  compiled  in  the  necessary des
       libraries and encryption code. It defaults to no.


   exec (S)
       This is an alias for preexec






smb.conf                     11/10/94                          18





SMB.CONF(5)                  smb.conf                 SMB.CONF(5)


   force group (S)
       This specifies a group name that all connections  to  this
       service  should be made as. This may be useful for sharing
       files.

       Default:
              no forced group

       Example:
              force group = agroup


   force user (S)
       This specifies a user name that all  connections  to  this
       service  should be made as. This may be useful for sharing
       files. You should also use it carefully as using it incor-
       rectly can cause security problems.

       This  user name only gets used once a connection is estab-
       lished. Thus clients still need to connect as a valid user
       and  supply  a  valid  password.  Once connected, all file
       operations will be performed as  the  "forced  user",  not
       matter what username the client connected as.

       Default:
              no forced user

       Example:
              force user = auser


   guest account (S)
       This  is  a username which will be used for access to ser-
       vices which are specified as 'guest ok' (see below). What-
       ever  privileges  this  user  has will be available to any
       client connecting to the  guest  service.  Typically  this
       user  will exist in the password file, but will not have a
       valid login. If a username is specified in  a  given  ser-
       vice, the specified username overrides this one.

       One  some  systems the account "nobody" may not be able to
       print. Use another account in this case. You  should  test
       this  by  trying  to log in as your guest user (perhaps by
       using the "su -" command) and trying to print using lpr.

       Note that as of version 1.9 of Samba this  option  may  be
       set differently for each service.

       Default:
            specified at compile time

       Example:
            guest account = nobody




smb.conf                     11/10/94                          19





SMB.CONF(5)                  smb.conf                 SMB.CONF(5)


   getwd cache (G)
       This  is  a tuning option. When this is enabled a cacheing
       algorithm will be  used  to  reduce  the  time  taken  for
       getwd()  calls. This can have a significant impact on per-
       formance, especially when widelinks is False.

       Default:
            getwd cache = No

       Example:
            getwd cache = Yes

   guest ok (S)
       See public.

   guest only (S)
       If this parameter is 'yes' for a service, then only  guest
       connections  to  the service are permitted. This parameter
       will have no affect if "guest ok" or "public" is  not  set
       for the service.

       See the section below on user/password validation for more
       information about this option.

       Default:
            guest only = no

       Example:
            guest only = yes

   hide dot files (S)
       This is a boolean parameter that  controls  whether  files
       starting with a dot appear as hidden files.

       Default:      hide dot files = yes

       Example:      hide dot files = no

   hosts allow (S)
       See allow hosts.

   hosts deny (S)
       See deny hosts.


   group (S)
       This  is  an  alias for "force group" and is only kept for
       compatability with  old  versions  of  Samba.  It  may  be
       removed in future versions.


   hosts equiv (G)
       If  this  global parameter is a non-null string, it speci-
       fies the name of a file to read for the names of hosts and



smb.conf                     11/10/94                          20





SMB.CONF(5)                  smb.conf                 SMB.CONF(5)


       users  who  will  be  allowed  access without specifying a
       password.

       This is not be confused with allow hosts  which  is  about
       hosts access to services and is more useful for guest ser-
       vices.  hosts equiv may be useful  for  NT  clients  which
       will not supply passwords to samba.

       NOTE: The use of hosts.equiv can be a major security hole.
       This is because you are trusting the PC to supply the cor-
       rect  username.  It  is  very easy to get a PC to supply a
       false username. I recommend that the hosts.equiv option be
       only  used  if you really know what you are doing, or per-
       haps on a home network where you trust your wife and  kids
       :-)

       Default      No host equivalences

       Example      hosts equiv = /etc/hosts.equiv


   invalid users (S)
       This  is  a  list  of  users that should not be allowed to
       login to this service. This is really a  "paranoid"  check
       to  absolutely  ensure an improper setting does not breach
       your security.

       A name starting with @ is interpreted as a unix group.

       The current servicename is substituted  for  %S.  This  is
       useful in the [homes] section.

       See also "valid users"

       Default      No invalid users

       Example      invalid users = root fred admin @wheel


   include (G)
       This allows you to inlcude one config file inside another.
       the file is included literally, as though typed in  place.

       It takes the standard substitutions, except %u, %P and %S


   keep alive (G)
       The  value  of  the  parameter (an integer) represents the
       number of seconds between  'keepalive'  packets.  If  this
       parameter  is  zero,  no  keepalive  packets will be sent.
       Keepalive packets, if  sent,  allow  the  server  to  tell
       whether a client is still present and responding.

       Keepalives should, in general, not be needed if the socket



smb.conf                     11/10/94                          21





SMB.CONF(5)                  smb.conf                 SMB.CONF(5)


       being used has the SO_KEEPALIVE attribute set on  it  (see
       "socket  options").  Basically  you  should  only use this
       option if you strike difficulties.

       Default:
            keep alive = 0

       Example:
            keep alive = 60

   load printers (G)
       A boolean variable that controls whether all  printers  in
       the printcap will be loaded for browsing by default.

       Default:      load printers = no

       Example:      load printers = yes


   lock directory (G)
       This options specifies the directory where lock files will
       be placed.  The lock files are used to implement the  "max
       connections" option.

       Default:      lock directory = /tmp/samba

       Example:      lock directory = /usr/local/samba/locks

   locking (S)
       This  controls whether or not locking will be performed by
       the server in response to lock requests from the client.

       If "locking = no",  all  lock  and  unlock  requests  will
       appear  to succeed and all lock queries will indicate that
       the queried lock is clear.

       If "locking = yes", real locking will be performed by  the
       server.

       This  option  may  be  particularly  useful  for read-only
       filesystems which do  not  need  locking  (such  as  cdrom
       drives).

       Be careful about disabling locking either globally or in a
       specific service, as lack of locking may  result  in  data
       corruption.

       Default:
            locking = yes

       Example:
            locking = no





smb.conf                     11/10/94                          22





SMB.CONF(5)                  smb.conf                 SMB.CONF(5)


   log file (G)
       This  options allows you to override the name of the Samba
       log file (also known as the debug file).

       This option takes the standard substitutions, allowing you
       to have separate log files for each user or machine.

       Example:      log file = /usr/local/samba/log.%m


   log level (G)
       see "debug level"


   lpq cache time (G)
       This controls how long lpq info will be cached for to pre-
       vent the lpq command being called too  often.  A  separate
       cache  is  kept for each variation of the lpq command used
       by the system, so if you use different  lpq  commands  for
       different users then they won't share cache information.

       The  cache files are stored in /tmp/lpq.xxxx where xxxx is
       a hash of the lpq command in use.

       The default is 10 seconds, meaning that the cached results
       of  a  previous  identical lpq command will be used if the
       cached data is less than 10 seconds old. A large value may
       be advisable if your lpq command is very slow.

       A value of 0 will disable cacheing completely.

       Default:      lpq cache time = 10

       Example:      lpq cache time = 30


   lpq command (S)
       This parameter specifies the command to be executed on the
       server host in order to obtain "lpq"-style printer  status
       information.

       This  command  should be a program or script which takes a
       printer name as its only  parameter  and  outputs  printer
       status information.

       Currently  four  styles  of printer status information are
       supported; BSD, SYSV, AIX and HPUX. This covers most  unix
       systems.  You  control  which  type  is expected using the
       "printing =" option.

       Some clients (notably Windows for Workgroups) may not cor-
       rectly send the connection number for the printer they are
       requesting status information about. To get  around  this,
       the  server reports on the first printer service connected



smb.conf                     11/10/94                          23





SMB.CONF(5)                  smb.conf                 SMB.CONF(5)


       to by the client. This only happens if the connection num-
       ber sent is invalid.

       If  a  %p  is  given  then  the printername is put in it's
       place. Otherwise it is placed at the end of the command.

       Note that it is good practice to include the absolute path
       in the lpq command as the PATH may not be available to the
       server.

       Default:
               depends on the setting of "printing ="

       Example:
            lpq command = /usr/bin/lpq %p


   lprm command (S)
       This parameter specifies the command to be executed on the
       server host in order to delete a print job.

       This  command  should be a program or script which takes a
       printer name and job number, and deletes the print job.

       Currently four styles of printer  control  are  supported;
       BSD,  SYSV,  AIX  and HPUX. This covers most unix systems.
       You control which type is expected using the "printing  ="
       option.

       If  a  %p  is  given  then  the printername is put in it's
       place. A %j is replaced with the job number (an  integer).

       Note that it is good practice to include the absolute path
       in the lprm command as the PATH may not  be  available  to
       the server.

       Default:
               depends on the setting of "printing ="

       Example 1:
            lprm command = /usr/bin/lprm -P%p %j

       Example 1:
            lprm command = /usr/bin/cancel %p-%j


   magic output (S)
       This  parameter  specifies  the  name of a file which will
       contain output created by a magic script (see magic script
       below).

       Warning:  If  two clients use the same magic script in the
       same directory  the  output  file  content  is  undefined.
       Default:



smb.conf                     11/10/94                          24





SMB.CONF(5)                  smb.conf                 SMB.CONF(5)


            magic output = <magic script name>.out

       Example:
            magic output = myfile.txt

   magic script (S)
       This  parameter  specifies  the  name  of a file which, if
       opened, will be executed by the server when  the  file  is
       closed.  This allows a Unix script to be sent to the Samba
       host and executed on behalf of the connected user.

       Scripts executed in this way will be deleted upon  comple-
       tion, permissions permitting.

       If the script generates output, output will be sent to the
       file specified by the magic output parameter (see  above).

       Note that some shells are unable to interpret scripts con-
       taining carriage-return-linefeed instead  of  linefeed  as
       the  end-of-line  marker. Magic scripts must be executable
       "as is" on the host, which for some hosts and some  shells
       will require filtering at the DOS end.

       Magic  scripts  are  EXPERIMENTAL and should NOT be relied
       upon.  Default:
            None. Magic scripts disabled.

       Example:
            magic script = user.csh

   mangled map (S)
       This is for those who want to directly map UNIX file names
       which are not representable on DOS.  The mangling of names
       is not always what is needed.  In particular you may  have
       documents with file extensiosn that differ between dos and
       unix. For example, under unix it is common  to  use  .html
       for  HTML  files,  whereas under dos .htm is more commonly
       used.

       So to map 'html' to 'htm' you put:

         mangled map = (*.html *.htm)

       One very useful case is to remove the annoying ;1 off  the
       ends  of filenames on some CDROMS (only visible under some
       unixes). To do this use a map of (*;1 *)

       default:      no mangled map

       Example:      mangled map = (*;1 *)


   mangle case (S)
       See the section on "NAME MANGLING"



smb.conf                     11/10/94                          25





SMB.CONF(5)                  smb.conf                 SMB.CONF(5)


   mangled names (S)
       This controls whether non-DOS names under Unix  should  be
       mapped  to DOS-compatible names ("mangled") and made visi-
       ble, or whether non-DOS names should simply be ignored.

       See the section on "NAME MANGLING" for details on  how  to
       control the mangling process.

       If mangling is used then the mangling algorithm is as fol-
       lows:
              - the first (up to)  five  alphanumeric  characters
              before  the  rightmost dot of the filename are pre-
              served, forced to upper case,  and  appear  as  the
              first  (up to) five characters of the mangled name.

              - a tilde ("~") is appended to the  first  part  of
              the  mangled  name,  followed  by  a  two-character
              unique sequence, based on the  origonal  root  name
              (i.e., the original filename minus its final exten-
              sion). The final extension is included in the  hash
              calculation  only  if  it  contains  any upper case
              characters or is longer than three characters.

              Note that the character to  use  may  be  specified
              using the "mangling char" option, if you don't like
              ~.

              - the first three alphanumeric  characters  of  the
              final extension are preserved, forced to upper case
              and appear as the extension of  the  mangled  name.
              The  final extension is defined as that part of the
              original filename after the rightmost dot. If there
              are  no dots in the filename, the mangled name will
              have no extension (except in  the  case  of  hidden
              files - see below).

              -  files  whose Unix name begins with a dot will be
              presented as DOS hidden  files.  The  mangled  name
              will  be  created  as for other filenames, but with
              the leading dot removed and "___" as its  extension
              regardless  of  actual  original  extension (that's
              three underscores).

       The two-digit hash value consists of upper  case  alphanu-
       meric characters.

       This  algorithm can cause name collisions only if files in
       a directory share the same first five alphanumeric charac-
       ters. The probability of such a clash is 1/1300.

       The  name mangling (if enabled) allows a file to be copied
       between Unix directories from DOS while retaining the long
       Unix  filename.  Unix files can be renamed to a new exten-
       sion from DOS and will retain the same basename.   Mangled



smb.conf                     11/10/94                          26





SMB.CONF(5)                  smb.conf                 SMB.CONF(5)


       names do not change between sessions.

       Default:
            mangled names = yes

       Example:
            mangled names = no

   mangling char (S)
       This  controls what character is used as the "magic" char-
       acter in name mangling. The default is a ~  but  this  may
       interfere with some software. Use this option to set it to
       whatever you prefer.

       Default:
            mangling char = ~

       Example:
            mangling char = ^


   max log file (G)
       This option (an integer in kilobytes)  specifies  the  max
       size  the  log  file  should  grow  to. Samba periodically
       checks the size and if it is exceeded it will  rename  the
       file, adding a .old extension.

       A size of 0 means no limit.

       Default:      max log size = 5000

       Example:
            max log size = 1000


   max xmit (G)
       This  option controls the maximum packet size that will be
       negotiated by Samba. The default is 65535,  which  is  the
       maximum. In some cases you may find you get better perfor-
       mance with a smaller value. A value below 2048  is  likely
       to cause problems.

       Default:      max xmit = 65535

       Example:
            max xmit = 8192


   mangled stack (G)
       This  parameter  controls the number of mangled names that
       should be cached in the Samba server.

       This stack is  a  list  of  recently  mangled  base  names
       (extensions  are only maintained if they are longer than 3



smb.conf                     11/10/94                          27





SMB.CONF(5)                  smb.conf                 SMB.CONF(5)


       characters or contains upper case characters).

       The larger this value, the more likely it is that  mangled
       names  can  be successfully converted to correct long Unix
       names. However, large stack sizes will slow most directory
       access.  Smaller  stacks  save  memory in the server (each
       stack element costs 256 bytes).

       It is not possible to absolutely  guarantee  correct  long
       file names, so be prepared for some surprises!

       Default:
            mangled stack = 50

       Example:
            mangled stack = 100


   map archive (S)
       This  controls whether the DOS archive attribute should be
       mapped to Unix execute bits.  The DOS archive bit  is  set
       when  a file has been modified since its last backup.  One
       motivation for this option it to keep Samba/your  PC  from
       making  any file it touches from becoming executable under
       UNIX.  This can be quite annoying for shared source  code,
       documents,  etc...

       Default:
             map archive = yes

       Example:
             map archive = no


   map hidden (S)
       This  controls  whether  DOS  style hidden files should be
       mapped to Unix execute bits.

       Default:
            map hidden = no

       Example:
            map hidden = yes

   map system (S)
       This controls whether DOS style  system  files  should  be
       mapped to Unix execute bits.

       Default:
            map system = no

       Example:
            map system = yes




smb.conf                     11/10/94                          28





SMB.CONF(5)                  smb.conf                 SMB.CONF(5)


   max connections (S)
       This  option allows the number of simultaneous connections
       to a service  to  be  limited.  If  "max  connections"  is
       greater  than  0  then connections will be refused if this
       number of connections to the service are already  open.  A
       value  of zero mean an unlimited number of connections may
       be made.

       Record lock files are used to implement this feature.  The
       lock  files  will  be stored in the directory specified by
       the "lock directory" option.

       Default:      max connections = 0

       Example:      max connections = 10

   only user (S)
       This is a boolean option that controls whether connections
       with  usernames  not in the user= list will be allowed. By
       default this option is disabled so a client can  supply  a
       username to be used by the server.

       Note  that this also means Samba won't try to deduce user-
       names from the service name. This can be annoying for  the
       [homes]  section. To get around this you could use "user =
       %S" which means your "user" list will be just the  service
       name,  which for home directories is the name of the user.

       Default:      only user = False

       Example:      only user = True


   message command (G)
       This  specifies  what  command  to  run  when  the  server
       receives a WinPopup style message.

       This  would  normally  be a command that would deliver the
       message somehow. How this is to be  done  is  up  to  your
       imagination.

       What I use is:

          message command = csh -c 'xedit %s;rm %s' &

       This  delivers  the  message  using xedit, then removes it
       afterwards. NOTE THAT IT IS VERY IMPORTANT THAT THIS  COM-
       MAND  RETURN  IMMEDIATELY.  That's why I have the & on the
       end. If it doesn't return immediately then  your  PCs  may
       freeze  when  sending  messages (they should recover after
       30secs, hopefully).

       All messages are delivered as the global guest  user.  The
       command  takes  the  standard  substitutions,  although %u



smb.conf                     11/10/94                          29





SMB.CONF(5)                  smb.conf                 SMB.CONF(5)


       won't work (%U may be better in this case).

       Apart from the  standard  substitutions,  some  additional
       ones apply. In particular:

       %s = the filename containing the message

       %t  = the destination that the message was sent to (proba-
       bly the server name)

       %f = who the message is from

       You could make this command send mail,  or  whatever  else
       takes  your fancy. Please let me know of any really inter-
       esting ideas you have.

       Here's a way of sending the messages as mail to root:

       message command = /bin/mail -s 'message  from  %f  on  %m'
       root < %s; rm %s

       If you don't have a message command then the message won't
       be delivered and Samba will tell the sender there  was  an
       error.  Unfortunately  WfWg totally ignores the error code
       and carries on regardless, saying  that  the  message  was
       delivered.

       If  you  want to silently delete it then try "message com-
       mand = rm %s".

       For the really adventurous, try something like this:

       message   command   =   csh    -c    'csh    <    %s    |&
       /usr/local/samba/smbclient                   -M %m; rm %s'
       &

       this would execute the command as a script on the  server,
       then give them the result in a WinPopup message. Note that
       this could cause a loop if you send  a  message  from  the
       server  using  smbclient!  You  better wrap the above in a
       script that checks for this :-)

       Default:      no message command

       Example:
               message command = csh -c 'xedit %s;rm %s' &


   min print space (S)
       This sets the minimum amount of free disk space that  must
       be  available  before a user will be able to spool a print
       job. It is specified in kilobytes. The default is 0, which
       means no limit.




smb.conf                     11/10/94                          30





SMB.CONF(5)                  smb.conf                 SMB.CONF(5)


       Default:      min print space = 0

       Example:      min print space = 2000


   null passwords (G)
       Allow  or disallow access to accounts that have null pass-
       words.

       Default:      null passwords = no

       Example:      null passwords = yes


   os level (G)
       This integer value controls what  level  Samba  advertises
       itself  as  for  browse  elections.  See  BROWSING.txt for
       details.


   packet size (G)
       The maximum transmit packet size during a raw  read.  This
       option  is no longer implemented as of version 1.7.00, and
       is kept only so old  configuration  files  do  not  become
       invalid.


   passwd chat (G)
       This  string  coontrols the "chat" conversation that takes
       places between smbd and the local password  changing  pro-
       gram  to change the users password. The string describes a
       sequence of  response-receive  pairs  that  smbd  uses  to
       determine  what  to send to the passwd program and what to
       expect back. If the expected output is not  received  then
       the password is not changed.

       This  chat sequence is often quite site specific, deppend-
       ing on what local methods are used  for  password  control
       (such as NIS+ etc).

       The string can contain the macros %o and %n which are sub-
       stituted for the old and new  passwords  respectively.  It
       can  aso  contain  the  standard macros \n \r \t and \s to
       give line-feed, carriage-return, tab and space.

       The string can also contain a * which matches any sequence
       of characters.

       Double  quotes  can be used to collect strings with spaces
       in them into a single string.

       If the send string in any part of the chat sequence  is  a
       fullstop  "."   then  no string is sent. Similarly, is the
       expect string is a fullstop then no string is expected.



smb.conf                     11/10/94                          31





SMB.CONF(5)                  smb.conf                 SMB.CONF(5)


       Example:      passwd chat = "*Enter  OLD  password*"  %o\n
       "*Enter NEW password*" %n\n \
                             "*Reenter    NEW   password*"   %n\n
       "*Password changed*"

       Default:        passwd   chat   =   *old*password*    %o\n
       *new*password* %n\n *new*password* %n\n *changed*


   passwd program (G)
       The  name  of a program that can be used to set user pass-
       words.

       This is only necessary if you have enabled remote password
       changing  at  compile  time.  Any occurances of %u will be
       replaced with the user name.

       Also note that many passwd programs insist in "reasonable"
       passwords,  such  as a minimum length, or the inclusion of
       mixed case chars and digits. This can pose  a  problem  as
       some  clients  (such  as Windows for Workgroups) uppercase
       the password before sending it.

       Default:      passwd program = /bin/passwd

       Example:      passwd program = /sbin/passwd %u


   password level (G)
       Some  client/server  conbinations  have  difficulty   with
       mixed-case passwords.  One offending client is Windows for
       Workgroups, which for  some  reason  forces  passwords  to
       upper  case  when  using  the LANMAN1 protocol, but leaves
       them alone when using COREPLUS!

       This parameter defines the maximum  number  of  characters
       that may be upper case in passwords.

       For  example,  say the password given was "FRED". If pass-
       word level is set to 1 (one), the  following  combinations
       would  be  tried if "FRED" failed: "Fred", "fred", "fRed",
       "frEd", "freD". If password level was set to 2 (two),  the
       following   combinations  would  also  be  tried:  "FRed",
       "FrEd", "FreD", "fREd", "fReD", "frED". And so on.

       The higher value this parameter is set to the more  likely
       it is that a mixed case password will be matched against a
       single case password. However, you should  be  aware  that
       use  of  this parameter reduces security and increases the
       time taken to process a new connection.

       A value of zero will cause only two attempts to be made  -
       the password as is and the password in all-lower case.




smb.conf                     11/10/94                          32





SMB.CONF(5)                  smb.conf                 SMB.CONF(5)


       If  you find the connections are taking too long with this
       option then you probably  have  a  slow  crypt()  routine.
       Samba  now  comes  with  a  fast  "ufc crypt" that you can
       select in the Makefile. You  should  also  make  sure  the
       PASSWORD_LENGTH  option  is  correct  for  your  system in
       local.h and includes.h. On most systems only the  first  8
       chars  of  a  password  are significant so PASSWORD_LENGTH
       should be 8, but on some longer passwords are significant.
       The  inlcudes.h  file tries to select the right length for
       your system.

       Default:
            password level = 0

       Example:
            password level = 4


   password server (G)
       By specifying the name of another SMB server  (such  as  a
       WinNT box) with this option, and using "security = server"
       you can get Samba to do all it's username/password valida-
       tion via a remote server.

       This  options sets the name of the password server to use.
       It must be a netbios name, so if the machines netbios name
       is  different from it's internet name then you may have to
       add it's netbios name to /etc/hosts.

       The password server much be a machine capable of using the
       "LM1.2X002"  or  the "LM NT 0.12" protocol, and it must be
       in user level security mode.

       NOTE: Using a password server means your unix box (running
       Samba)  is  only as secure as your password server. DO NOT
       CHOOSE A PASSWORD SERVER THAT YOU DON'T COMPLETELY  TRUST.

       Never point a Samba server at itself for password serving.
       This will cause a  loop  and  could  lock  up  your  Samba
       server!

       The name of the password server takes the standard substi-
       tutions, but probably the only useful  one  is  %m,  which
       means the Samba server will use the incoming client as the
       password server. If you use this  then  you  better  trust
       your  clients,  and  you  better  restrict them with hosts
       allow!

       If you list several hosts in the "password server"  option
       then  smbd  will  try  each in turn till it finds one that
       responds. This is useful in case your primary server  goes
       down.





smb.conf                     11/10/94                          33





SMB.CONF(5)                  smb.conf                 SMB.CONF(5)


   path (S)
       A synonym for this parameter is 'directory'.

       This  parameter specifies a directory to which the user of
       t