diff options
Diffstat (limited to 'swat')
| -rw-r--r-- | swat/README | 126 | ||||
| -rw-r--r-- | swat/help/parameters.html | 2260 | ||||
| -rw-r--r-- | swat/help/welcome.html | 74 | ||||
| -rw-r--r-- | swat/images/background.gif | bin | 0 -> 34618 bytes | |||
| -rw-r--r-- | swat/images/background.jpg | bin | 0 -> 11726 bytes | |||
| -rw-r--r-- | swat/images/globals.gif | bin | 0 -> 376 bytes | |||
| -rw-r--r-- | swat/images/home.gif | bin | 0 -> 391 bytes | |||
| -rw-r--r-- | swat/images/printers.gif | bin | 0 -> 377 bytes | |||
| -rw-r--r-- | swat/images/samba.gif | bin | 0 -> 3643 bytes | |||
| -rw-r--r-- | swat/images/shares.gif | bin | 0 -> 440 bytes | |||
| -rw-r--r-- | swat/images/status.gif | bin | 0 -> 412 bytes | |||
| -rw-r--r-- | swat/images/viewconfig.gif | bin | 0 -> 365 bytes | |||
| -rw-r--r-- | swat/include/footer.html | 3 | ||||
| -rw-r--r-- | swat/include/header.html | 10 |
14 files changed, 2473 insertions, 0 deletions
diff --git a/swat/README b/swat/README new file mode 100644 index 00000000000..2810e4e086a --- /dev/null +++ b/swat/README @@ -0,0 +1,126 @@ +This is a brief description of how to install and use the Samba Web +Administration Tool on your machine. + +Please note that SWAT is still being developed so you should not +expect it to be bug free. You should only install and use it if you +want to either get a preview of what we are doing with SWAT or you +want to help in the development of SWAT. + +Installation +------------ + +After you compile SWAT you need to run "make install" to install the +swat binary and the various help files and images. A default install +would put these in: + +/usr/local/samba/bin/swat +/usr/local/samba/swat/images/* +/usr/local/samba/swat/help/* + +Running via inetd +----------------- + +You then need to edit your /etc/inetd.conf and /etc/services to enable +SWAT to be launched via inetd. Note that SWAT can also be launched via +the cgi-bin mechanisms of a web server (such as apache) and that is +described below. + +In /etc/services you need to add a line like this: + +swat 901/tcp + +the choice of port number isn't really important except that it should +be less than 1024 and not currently used (using a number above 1024 +presents an obscure security hole depending on the implementation +details of your inetd daemon). + +In /etc/inetd.conf you should add a line like this: + +swat stream tcp nowait.400 root /usr/local/samba/bin/swat swat + +If you just want to see a demo of how swat works and don't want to be +able to actually change any Samba config via swat then you may chose +to change "root" to some other user that does not have permission to +write to smb.conf. + +One you have edited /etc/services and /etc/inetd.conf you need to send +a HUP signal to inetd. On many systems "killall -1 inetd" will do this +on others you will need to use "kill -1 PID" where PID is the process +ID of the inetd daemon. + + +Running via cgi-bin +------------------- + +To run SWAT via your web servers cgi-bin capability you need to copy +the swat binary to your cgi-bin directory. Note that you should run +SWAT either via inetd or via cgi-bin but not both. + +Then you need to create a swat directory in your web servers root +directory and copy the images/* and help/* files into there so that +they are visible via the URL http://your.web.server/swat/ + +Next you need to make sure you modify your web servers authentication +to require a username/pssword for the URL +http://your.web.server/cgi-bin/swat. Don't forgt this step! If you do +forget it then you will be allowing anyone to edit your Samba +configuration which would allow them to easily gain root access on your +machine. + +After testing the authentication you need to change the ownership and +permissions on the swat binary. It should be owned by root wth the +setuid bit set. It should be ONLY executable by the user that the web +server runs as. Make sure you do this carefully! + +for example, the following would be correct if the web server ran as +group "nobody". + +-rws--x--- 1 root nobody + +You must also realise that this means that any user who can run +programs as the "nobody" group can run swat and modify your Samba +config. Be sure to think about this! + + +Launching +--------- + +To launch SWAT just run your favourite web browser and point it at +http://localhost:901/ or http://localhost/cgi-bin/swat/ depending on +how you installed it. + +Note that you can attach to SWAT from any IP connected machine but +connecting from a remote machine leaves your connection open to +password sniffing as passwords will be sent in the clear over the +wire. + +If installed via inetd then you should be prompted for a +username/password when you connect. You will need to provide the +username "root" and the correct root password. More sophisticated +authentication options are planned for future versions of SWAT. + +If installed via cgi-bin then you should receive whatever +authentication request you configured in your web server. + +Running +------- + +Just follow your nose! If you can't work out how to use it then maybe +you should use "vi smb.conf" instead. + + +WARNINGS +-------- + +SWAT will rewrite your smb.conf file. It will rearrange the entries +and delete all comments, include= and copy= options. If you have a +carefully crafted smb.conf then back it up or don't use SWAT! + + +Development +----------- + +Please join the samba-technical mailing list if you want to discuss +the development of SWAT. Note that this list is for technical developer +discussions and is not a general help list. + diff --git a/swat/help/parameters.html b/swat/help/parameters.html new file mode 100644 index 00000000000..b1f80a17e72 --- /dev/null +++ b/swat/help/parameters.html @@ -0,0 +1,2260 @@ +<HTML> +<BODY> + +<H1 ALIGN=CENTER>SWAT Parameters help</H1> + +<hr> + +<H3><A NAME="admin users">admin users (S)</A></H3> +This is a list of users who will be granted administrative privileges on the +share. This means that they will do all file operations as the super-user +(root).<P> +You should use this option very carefully, as any user in this list will be +able to do anything they like on the share, irrespective of file permissions.<P> +<B>Default:</B> no admin users <P> +<B>Example:</B> admin users = jason <P> + +<H3><A NAME="announce as">announce as (G)</A></H3> +This specifies what type of server nmbd will announce itself as in browse +lists. By default this is set to Windows NT. The valid options are "NT", +"Win95" or "WfW" meaining Windows NT, Windows 95 and Windows for Workgroups +respectively. Do not change this parameter unless you have a specific need to +stop Samba appearing as an NT server as this may prevent Samba servers from +participating as browser servers correctly. <P> +<B>Default:</B> announce as = NT <P> +<B>Example:</B> announce as = Win95 <P> + +<H3><A NAME="announce version">announce version (G)</A></H3> +This specifies the major and minor version numbers that nmbd will use when +announcing itself as a server. The default is 4.2. Do not change this parameter +unless you have a specific need to set a Samba server to be a downlevel +server. <P> +<B>Default:</B> announce version = 4.2 <P> +<B>Example:</B> announce version = 2.0 <P> + +<H3><A NAME="alternate permissions">alternate permissions (S)</A></H3> +This option affects the way the "read only" DOS attribute is produced for +UNIX files. If this is No then the read only bit is set for files on +writeable shares which the user cannot write to. <P> +If this is Yes then "read only" is set for files when the user write bit is +not set. <P> +The latter behaviour is useful when users copy files from each others +directories, and use a file manager that preserves permissions. Without this +option they may get annoyed as all copied files will have the "read only" +bit set. <P> +<B>Default:</B> alternate permissions = no <P> +<B>Example:</B> alternate permissions = yes <P> + +<H3><A NAME="available">available (S)</A></H3> +This parameter lets you 'turn off' a service. If 'available = no', then ALL +attempts to connect to the service will fail. Such failures are logged. <P> +<B>Default:</B> available = yes <P> +<B>Example:</B> available = no <P> + +<H3><A NAME="bind interfaces only">bind interfaces only (G)</A></H3> +This global parameter (new for 1.9.18) allows the Samba admin to limit what +interfaces on a machine will serve smb requests. If affects file service +(smbd) and name service (nmbd) in slightly different ways. <P> +For name service it causes nmbd to bind to ports 137 and 138 on the interfaces +listed in the 'interfaces' parameter. nmbd also binds to the 'all addresses' +interface (0.0.0.0) on ports 137 and 138 for the purposes of reading broadcast +messages. If this option is not set then nmbd will service name requests on +all of these sockets. If "bind interfaces only" is set then nmbd will check +the source address of any packets coming in on the broadcast sockets and +discard any that don't match the broadcast addresses of the interfaces in the +<A HREF="#interfaces">interfaces</A> parameter list. As unicast packets are +received on the other sockets it allows nmbd to refuse to serve names to +machines that send packets that arrive through any interfaces not listed in +the 'interfaces' list. IP Source address spoofing does defeat this simple +check, however so it must not be used seriously as a security feature for +nmbd. <P> +For file service it causes smbd to bind only to the interface list given in +the <A HREF="#interfaces">interfaces</A> parameter. This restricts +the networks that smbd will serve to packets coming in those interfaces. +Note that you should not use this parameter for machines that are serving +ppp or other intermittant or non-broadcast network interfaces as it will +not cope with non-permanent interfaces. <P> +<B>Default:</B> bind interfaces only = No <P> +<B>Example:</B> bind interfaces only = Yes <P> + +<H3><A NAME="browseable">browseable (S)</A></H3> +This controls whether this share is seen in the list of available shares +in a net view and in the browse list. <P> +<B>Default:</B> browseable = Yes <P> +<B>Example:</B> browseable = No <P> + +<H3><A NAME="browse list">browse list(G)</A></H3> +This controls whether the smbd will serve a browse list to a client doing a +NetServerEnum call. Normally set to Yes. You should never need to change +this. <P> +<B>Default:</B> browse list = Yes <P> + +<H3><A NAME="case sensitive">case sensitive (G)</A></H3> +Controls whether filenames are case sensitive. If they aren't then Samba must +do a filename search and match on passed names.<P> +<B>Default:</B> case sensitive = No <P> +See the discussion on <A HREF="#NAME MANGLING">NAME MANGLING</A>. <P> + +<H3><A NAME="character set">character set (G)</A></H3> +This allows smbd to map incoming characters from a DOS 850 Code page to +either a Western European (ISO8859-1) or Easter European (ISO8859-2) code page. +Normally not set, meaning no filename translation is done. <P> +<B>Default:</B> character set = <P> +<B>Example:</B> character set = iso8859-1 <P> + +<H3><A NAME="client code page">client code page (G)</A></H3> +Currently (Samba 1.9.19 and above) this may be set to one of the following +values: 437, 850, 852, 866, 932, 936, 949, or 950. It specifies the base DOS +code page that the clients accessing Samba are using. To determine this, +open a DOS command prompt and type the command "chcp". This will output +the code page. The default for USA MS-DOS, Windows 95, and Windows NT releases +is code page 437. The default for western european releases of the above +operating systems is code page 850. <P> +This parameter co-operates with the <A HREF="#valid chars">valid chars</A> +parameter in determining what characters are valid in filenames +and how capitalization is done. It has been added as a convenience for +clients whose code page is either 437 or 850 so a convoluted "valid chars" +string does not have to be determined. If you set both this parameter and +the "valid chars" parameter the "client code page" parameter MUST be +set before the "valid chars" in the smb.conf file. The "valid chars" string +will then augment the character settings in the "client code page" parameter. +<P> +If "client code page" is set to a value other than those listed above, it will +default to 850. <P> +See also : <A HREF="#valid chars">valid chars</A>. <P> +<B>Default:</B> client code page = 850 <P> +<B>Example:</B> client code page = 437 <P> + +<H3><A NAME="coding system">coding system (G)</A></H3> +<B>Default:</B> coding system = <P> + +<H3><A NAME="comment">comment (S)</A></H3> +This is a text field that is seen next to a share when a client does a net +view to list what shares are available. <P> +If you want to set the string that is displayed next to the machine name then +see the <A HREF="#server string">server string</A> command. <P> +<B>Default:</B> No comment string <P> +<B>Example:</B> comment = Fred's Files <P> + +<H3><A NAME="create mask">create mask (S)</A></H3> +A synonym for this parameter is 'create mode'. <P> +When a file is created, the neccessary permissions are calculated according +to the mapping from DOS modes to UNIX permissions, and the resulting UNIX +mode is then bit-wise 'AND'ed with this parameter. This parameter may be +thought of as a bit-wise MASK for the UNIX modes of a file. Any bit *not* set +here will be removed from the modes set on a file when it is created. <P> +The default value of this parameter removes the 'group' and 'other' write and +execute bits from the UNIX modes. <P> +Following this Samba will bit-wise 'OR' the UNIX mode created from this +parameter with the value of the +<A HREF="#force create mode">force create mode</A> +parameter which is set to 000 by default. <P> +For Samba 1.9.17 and above this parameter no longer affects directory modes. +See the parameter <A HREF="#directory mask">directory mask</A> for details. <P> +See also the <A HREF="#force create mode">force create mode</A> parameter for +forcing particular mode bits to be set on created files. See also the +<A HREF="#directory mask">directory mask</A> +parameter for masking mode bits on created directories. <P> +<B>Default:</B> create mask = 0744 <P> +<B>Example:</B> create mask = 0775 <P> + +<H3><A NAME="deadtime">deadtime (G)</A></H3> +The value of the parameter (a decimal integer) represents the number of +minutes of inactivity before a connection is considered dead, and it is +disconnected. The deadtime only takes effect if the number of open files is +zero. <P> +This is useful to stop a server's resources being exhausted by a large number +of inactive connections. <P> +Most clients have an auto-reconnect feature when a connection is broken so in +most cases this parameter should be transparent to users. <P> +Using this parameter with a timeout of a few minutes is recommended for most +systems. <P> +A deadtime of zero indicates that no auto-disconnection should be performed.<P> +<B>Default:</B> deadtime = 0 <P> +<B>Example:</B> deadtime = 15 + +<H3><A NAME="default case">default case (S)</A></H3> +Controls what the default case (upper/lower) is for new filenames.<P> +See the section on <A HREF="#NAME MANGLING">NAME MANGLING</A> <P> +<B>Default:</B> default case = lower <P> +<B>Example:</B> default case = upper <P> + +<H3><A NAME="default service">default service (G)</A></H3> A synonym for this +parameter is 'default'. <P> +This parameter specifies the name of a service which will be connected to if +the service actually requested cannot be found. Note that the square brackets +are NOT given in the parameter value (see example below). <P> +There is no default value for this parameter. If this parameter is not given, +attempting to connect to a nonexistent service results in an error. <P> +Typically the default service would be a public, read-only service. <P> +Also note that as of 1.9.14 the apparent service name will be changed to be +that of the requested service, this is very useful as it allows +you to use macros like %S to make a wildcard service. <P> +Note also that any _ characters in the name of the service used in the default +service will get mapped to a /. This allows for interesting things. <P> +<B>Example:</B> default service = pub<P> +<pre> +[pub] + path = /%S +</pre> + +<H3><A NAME="delete readonly">delete readonly (S)</A></H3> +This parameter allows readonly files to be deleted. This is not normal DOS +semantics, but is allowed by UNIX. <P> +This option may be useful for running applications such as rcs, where UNIX +file ownership prevents changing file permissions, and DOS semantics prevent +deletion of a read only file. <P> +<B>Default:</B> delete readonly = No <P> +<B>Example:</B> delete readonly = Yes <P> + +<H3><A NAME="delete veto files">delete veto files (S)</A></H3> +This option is used when Samba is attempting to delete a directory that +contains one or more vetoed directories (see the +<A HREF="#veto files">veto files</A> option). If this option is set to No +(the default) then if a vetoed directory contains any non-vetoed files or +directories then the directory delete will fail. This is usually what you +want. <P> +If this option is set to Yes, then Samba will attempt to recursively delete +any files and directories within the vetoed directory. This can be useful +for integration with file serving systems such as Netatalk, which create +meta-files within directories you might normally veto DOS/Windows users +from seeing (eg. .AppleDouble) <P> +Setting 'delete veto files = Yes' allows these directories to be +transparently deleted when the parent directory is deleted (so long as the +user has permissions to do so). <P> +<B>Default:</B> delete veto files = No <P> +<B>Example:</B> delete veto files = Yes <P> +See <A HREF="#veto files">veto files</A> <P> + +<H3><A NAME="dfree command">dfree command (G)</A></H3> +The dfree command setting should only be used on systems where a problem +occurs with the internal disk space calculations. This has been known to +happen with Ultrix, but may occur with other operating systems. The symptom +that was seen was an error of "Abort Retry Ignore" at the end of each +directory listing. <P> +This setting allows the replacement of the internal routines to calculate the +total disk space and amount available with an external routine. The example +below gives a possible script that might fulfill this function. <P> +The external program will be passed a single parameter indicating a directory +in the filesystem being queried. This will typically consist of the string +"./". The script should return two integers in ascii. The first should be the +total disk space in blocks, and the second should be the number of available +blocks. An optional third return value can give the block size in bytes. The +default blocksize is 1024 bytes. <P> +Note: Your script should NOT be setuid or setgid and should be owned by +(and writable only by) root! <P> +<B>Default:</B> By default internal routines for determining the disk capacity +and remaining space will be used. <P> +<B>Example:</B> dfree command = /usr/local/samba/bin/dfree <P> +Where the script dfree (which must be made executable) could be <P> +<pre> + #!/bin/sh + df $1 | tail -1 | awk '{print $2" "$4}' +</pre> +or perhaps (on Sys V) <P> +<pre> + #!/bin/sh + /usr/bin/df -k $1 | tail -1 | awk '{print $3" "$5}' +</pre> +Note that you may have to replace the command names with full path names on +some systems. <P> + +<H3><A NAME="directory mask">directory mask (S)</A></H3> +A synonym for this parameter is 'directory mode'. <P> +This parameter is the octal modes which are used when converting DOS modes +to UNIX modes when creating UNIX directories. <P> +When a directory is created, the neccessary permissions are calculated +according to the mapping from DOS modes to UNIX permissions, and the resulting +UNIX mode is then bit-wise 'AND'ed with this parameter. This parameter may be +thought of as a bit-wise MASK for the UNIX modes of a directory. Any bit *not* +set here will be removed from the modes set on a directory when it is +created. <P> +The default value of this parameter removes the 'group' and 'other' write +bits from the UNIX mode, allowing only the user who owns the directory to +modify it. <P> +Following this Samba will bit-wise 'OR' the UNIX mode created from this +parameter with the value of the +<A HREF="#force directory mode">force directory mode</A> +parameter. This parameter is set to 000 by default (ie. no extra mode bits +are added). <P> +See the <A HREF="#force directory mode">force directory mode</A> +parameter to cause particular mode bits to always be set on created +directories. <P> +See also the <A HREF="#create mask">create mask</A> parameter +for masking mode bits on created files. <P> +<B>Default:</B> directory mask = 0755 <P> +<B>Example:</B> directory mask = 0775 <P> + +<H3><A NAME="dns proxy">dns proxy (G)</A></H3> +Specifies that nmbd should (as a WINS server), on finding that a NetBIOS name +has not been registered, treat the NetBIOS name word-for-word as a DNS name.<P> +Note that the maximum length for a NetBIOS name is 15 characters, so the DNS +name (or DNS alias) can likewise only be 15 characters, maximum. <P> +<B>Default:</B> dns proxy = yes <P> + +<H3><A NAME="domain admin users">domain admin users (G)</A></H3> +<P> + +<H3><A NAME="domain controller">domain controller (G)</A></H3> +<h4>This is wrong</h4> +Specifies the DNS name or IP address of the machine to refer domain logons +from Win95 machines to. You should never need to set this parameter. <P> +<B>Default:</B> domain controller = no <P> + +<H3><A NAME="domain groups">domain groups (G)</A></H3> +<P> + +<H3><A NAME="domain guest users">domain guest users (G)</A></H3> +<P> + +<H3><A NAME="domain hosts allow">domain hosts allow (G)</A></H3> +<P> + +<H3><A NAME="domain hosts deny">domain hosts deny (G)</A></H3> +<P> + +<H3><A NAME="domain logons">domain logons (G)</A></H3> +If set to Yes, the Samba server will serve Windows 95 domain +logons for the workgroup it is in. For more details on setting up this +feature see the file DOMAINS.txt in the Samba source documentation directory. +<P> +<B>Default:</B> domain logons = no <P> + +<H3><A NAME="domain master">domain master (G)</A></H3> +Enable WAN-wide browse list collation. Local master browsers on +broadcast-isolated subnets will give samba their local browse lists, and +ask for a complete copy of the browse list for the whole wide area network. +Browser clients will then contact their local master browser, and will +receive the domain-wide browse list, instead of just the list for their +broadcast-isolated subnet. There should only be one "domain master" for +each workgroup name.<P> +<B>Default:</B> domain master = no <P> + +<H3><A NAME="domain other sid">domain other sid (G)</A></H3> +<P> + +<H3><A NAME="domain sid">domain sid (G)</A></H3> +<P> + +<H3><A NAME="dont descend">dont descend (S)</A></H3> +There are certain directories on some systems (eg., the /proc tree under Linux) +that are either not of interest to clients or are infinitely deep (recursive). +This parameter allows you to specify a comma-delimited list of directories +that the server should always show as empty. <P> +Note that Samba can be very fussy about the exact format of the "dont descend" +entries. For example you may need "./proc" instead of just "/proc". +Experimentation is the best policy :-) <P> +<B>Default:</B> none (i.e., all directories are OK to descend) <P> +<B>Example:</B> dont descend = /proc,/dev <P> + +<H3><A NAME="dos filetimes">dos filetimes (S)</A></H3> +Under DOS and Windows, if a user can write to a file they can change the +timestamp on it. Under POSIX semantics, only the owner of the file or root +may change the timestamp. By default, Samba runs with POSIX semantics and +refuses to change the timestamp on a file if the user smbd is acting on +behalf of is not the file owner. Setting this option to Yes allows DOS +semantics and smbd will change the file timstamp as DOS requires. This is a +correct implementation of a previous compile-time options (UTIME_WORKAROUND) +which was broken and is now removed. <P> +<B>Default:</B> dos filetimes = No <P> +<B>Example:</B> dos filetimes = Yes <P> + +<H3><A NAME="dos filetime resolution">dos filetime resolution (S)</A></H3> +Under the DOS and Windows FAT filesystem, the finest granulatity on time +resolution is two seconds. Setting this parameter for a share causes Samba +to round the reported time down to the nearest two second boundary when a +query call that requires one second resolution is made to smbd. <P> +This option is mainly used as a compatibility option for Visual C++ when +used against Samba shares. If oplocks are enabled on a share, Visual C++ +uses two different time reading calls to check if a file has changed since +it was last read. One of these calls uses a one-second granularity, the +other uses a two second granularity. As the two second call rounds any odd +second down, then if the file has a timestamp of an odd number of seconds +then the two timestamps will not match and Visual C++ will keep reporting +the file has changed. Setting this option causes the two timestamps to +match, and Visual C++ is happy. <P> +<B>Default:</B> dos filetime resolution = No <P> +<B>Example:</B> dos filetime resolution = Yes <P> + +<H3><A NAME="encrypt passwords">encrypt passwords (G)</A></H3> +This boolean controls whether encrypted passwords will be negotiated with +the client. Note that Windows NT 4.0 SP3 and above will by default expect +encrypted passwords unless a registry entry is changed. To use encrypted +passwords in Samba see the file docs/ENCRYPTION.txt. <P> +<B>Default:</B> encrypt passwords = No <P> + +<H3><A NAME="exec">exec (S)</A></H3> +A synonym for this is preexec. <P> +This option specifies a command to be run whenever a connection is made to +the service. It takes the usual substitutions. <P> +An interesting example is to send the users a welcome message every time +they log in. Maybe a message of the day? Here is an example: <P> +exec = csh -c 'echo \"Welcome to %S!\" | \ /usr/local/samba/bin/smbclient -M %m -I %I' & <P> +Of course, this could get annoying after a while :-) <P> +See also <A HREF="#postexec">postexec</A> <P> +<B>Default:</B> none (no command executed) <P> +<B>Example:</B> exec = echo \"%u connected to %S from %m (%I)\" >> /tmp/log <P> + + +<H3><A NAME="fake directory create times">fake directory create times (S)</A></H3> +NTFS and Windows VFAT file systems keep a create time for all files and +directories. This is not the same as the ctime - status change time - that +Unix keeps, so Samba by default reports the earliest of the various times +Unix does keep. Setting this parameter for a share causes Samba to always +report midnight 1-1-1980 as the create time for directories. <P> +This option is mainly used as a compatibility option for Visual C++ +when used against Samba shares. Visual C++ generated makefiles have the +object directory as a dependency for each object file, and a make rule +to create the directory. Also, when NMAKE compares timestamps it uses the +creation time when examining a directory. Thus the object directory will +be created if it does not exist, but once it does exist it will always +have an earlier timestamp than the object files it contains. <P> +However, Unix time semantics mean that the create time reported by Samba +will be updated whenever a file is created or deleted in the directory. +NMAKE therefore finds all object files in the object directory bar the last +one built are out of date compared to the directory and rebuilds them. +Enabling this option ensures directories always predate their contents and +an NMAKE build will proceed as expected. <P> +<B>Default:</B> fake directory create times = No <P> +<B>Example:</B> fake directory create times = Yes <P> + +<H3><A NAME="fake oplocks">fake oplocks (S)</A></H3> +Oplocks are the way that SMB clients get permission from a server to locally +cache file operations. If a server grants an oplock (opportunistic +lock) then the client is free to assume that it is the only one accessing +the file and it will aggressively cache file data. With some oplock types +the client may even cache file open/close operations. This can give enormous +performance benefits. <P> +When you set "fake oplocks = yes" Samba will always grant oplock requests +no matter how many clients are using the file. <P> +By enabling this option on all read-only shares or shares that you know +will only be accessed from one client at a time you will see a big performance +improvement on many operations. If you enable this option on shares where +multiple clients may be accessing the files read-write at the same time +you can get data corruption. Use this option carefully! <P> +It is generally much better to use the real oplock support except for +physically read-only media such as CDROMs. <P> +<B>Default:</B> fake oplocks = No <P> +<B>Example:</B> fake oplocks = Yes <P> + +<H3><A NAME="follow symlinks">follow symlinks (S)</A></H3> +This parameter allows the Samba administrator to stop smbd from following +symbolic links in a particular share. Setting this parameter to "No" prevents +any file or directory that is a symbolic link from being followed (the +user will get an error). This option is very useful to stop users from +adding a symbolic link to /etc/pasword in their home directory for instance. +However it will slow filename lookups down slightly. <P> +<B>Default:</B> follow symlinks = Yes (smbd will follow symbolic links)<P> + +<H3><A NAME="force create mode">force create mode (S)</A></H3> +This parameter specifies a set of UNIX mode bit permissions that will *always* +be set on a file created by Samba. This is done by bitwise 'OR'ing these +bits onto the mode bits of a file that is being created. The modes in this +parameter are bitwise 'OR'ed onto the file mode after the mask set in the +<A HREF="#create mask">create mask</A> parameter is applied. <P> +See also the parameter <A HREF="#create mask">create mask</A> for details +on masking mode bits on created files. <P> +<B>Default:</B> force create mode = 000 <P> +<B>Example:</B> force create mode = 0755 <P> +would force all created files to have read and execute permissions set for +'group' and 'other' as well as the read/write/execute bits set for the +'user'. <P> + +<H3><A NAME="force directory mode">force directory mode (S)</A></H3> +This parameter specifies a set of UNIX mode bit permissions that will *always* +be set on a directory created by Samba. This is done by bitwise 'OR'ing these +bits onto the mode bits of a directory that is being created. The default for +this parameter is (in octel) 0000 which will not add any extra permission bits +to a created directory. This operation is done after the mode mask in the +parameter <A HREF="#directory mask">directory mask</A> is applied. <P> +See also the parameter <A HREF="#directory mask">directory mask</A> +for details on masking mode bits on created directories. <P> +<B>Default:</B> force directory mode = 000 <P> +<B>Example:</B> force directory mode = 0755 <P> +would force all created directories to have read and execute permissions +set for 'group' and 'other' as well as the read/write/execute bits set for +the 'user'. <P> + +<H3><A NAME="force group">force group (S)</A></H3> +This specifies a group name that all connections to this service should be +made as. This may be useful for sharing files. <P> +<B>Default:</B> no forced group <P> +<B>Example:</B> force group = agroup <P> + +<H3><A NAME="force user">force user (S)</A></H3> +This specifies a user name that all connections to this service should be +made as. This may be useful for sharing files. You should also use it +carefully as using it incorrectly can cause security problems. <P> +This user name only gets used once a connection is established. Thus clients +still need to connect as a valid user and supply a valid password. Once +connected, all file operations will be performed as the "forced user", +no matter what username the client connected as. <P> +<B>Default:</B> no forced user <P> +<B>Example:</B> force user = auser <P> + +<H3><A NAME="getwd cache">getwd cache (G)</A></H3> +This is a tuning option. When this is enabled a cacheing algorithm will be +used to reduce the time taken for getwd() calls. This can have a significant +impact on performance, especially when widelinks is No. <P> +<B>Default:</B>getwd cache = No <P> +<B>Example:</B>getwd cache = Yes <P> + +<H3><A NAME="guest account">guest account (S)</A></H3> +This is a username which will be used for access to services which are +specified as <A HREF="#guest ok">guest ok</A>. Whatever privileges this +user has will be available to any client connecting to the guest service. +Typically this user will exist in the password file, but will not have a +valid login. If a username is specified in a given service, the specified +username overrides this one. <P> +One some systems the account "nobody" may not be able to print. Use another +account in this case. You should test this by trying to log in as your +guest user (perhaps by using the "su -" command) and trying to print using +<B>lpr</B>. <P> +Note that as of version 1.9 of Samba this option may be set differently +for each service. <P> +<B>Default:</B>specified at compile time <P> +<B>Example:</B>guest account = nobody + +<H3><A NAME="guest ok">guest ok (S)</A></H3> +A synonym for this parameter is 'public'. <P> +If this parameter is 'Yes' for a service, then no password is required +to connect to the service. Privileges will be those of the guest account. <P> +See the section below on +<A HREF="#USERNAME/PASSWORD VALIDATION">USERNAME/PASSWORD VALIDATION</A> +for more information about this option. <P> +<B>Default:</B> guest ok = No <P> +<B>Example:</B> guest ok = Yes + +<H3><A NAME="guest only">guest only (S)</A></H3> +If this parameter is 'Yes' for a service, then only guest connections to the +service are permitted. This parameter will have no affect if +<A HREF="#guest ok">guest ok</A> is not set for the service. <P> +See the section below on +<A HREF="#USERNAME/PASSWORD VALIDATION">USERNAME/PASSWORD VALIDATION</A> for +more information about this option. <P> +<B>Default:</B> guest only = No <P> +<B>Example:</B> guest only = Yes + +<H3><A NAME="hide dot files">hide dot files (S)</A></H3> +This is a boolean parameter that controls whether files starting with a dot +appear as hidden files. <P> +<B>Default:</B> hide dot files = Yes <P> +<B>Example:</B> hide dot files = No <P> + +<H3><A NAME="hide files">hide files (S)</A></H3> +This is a list of files or directories that are not visible but are accessible. +The DOS 'hidden' attribute is applied to any files or directories that match.<P> +Each entry in the list must be separated by a "/", which allows spaces +to be included in the entry. '*' and '?' can be used to specify multiple +files or directories as in DOS wildcards. <P> +Each entry must be a unix path, not a DOS path and must not include the unix +directory separator "/". <P> +Note that the case sensitivity option is applicable in hiding files. <P> +Setting this parameter will affect the performance of Samba, as it will +be forced to check all files and directories for a match as they are scanned.<P> +See also <A HREF="#hide dot files">hide dot files</A>, +<A HREF="#veto files">veto files</A> and +<A HREF="#case sensitive">case sensitive</A> <P> +<B>Default</B> No files or directories are hidden by this option +(dot files are hidden by default because of the "hide dot files" option). <P> +<B>Example</B> hide files = /.*/DesktopFolderDB/TrashFor%m/resource.frk/ <P> +The above example is based on files that the Macintosh client (DAVE) creates +for internal use, and also still hides all files beginning with a dot. <P> + +<H3><A NAME="homedir map">homedir map (G)</A></H3> +If <A HREF="#NIS homedir">NIS homedir</A> is Yes, this parameter specifies +the NIS (or YP) map from which the server for the user's home directory should +be extracted. At present, only the Sun auto.home map format is understood. +The form of the map is: <P> + username server:/some/file/system <P> +and the program will extract the servername from before the first ':'. There +should probably be a better parsing system that copes with different map +formats and also Amd (another automounter) maps. <P> +NB: The -DNETGROUP option is required in the Makefile for option +to work and on some architectures the line -lrpcsvc needs to be added to +the LIBSM variable. This is required for Solaris 2, FreeBSD and HPUX. <P> +See also <A HREF="#NIS homedir">NIS homedir</A> <P> +<B>Default:</B> homedir map = auto.home <P> +<B>Example:</B> homedir map = amd.homedir + +<H3><A NAME="hosts allow">hosts allow (S)</A></H3> +A synonym for this parameter is 'allow hosts'. <P> +This parameter is a comma delimited set of hosts which are permitted to access +a service. <P> +If specified in the [global] section then it will apply to all services, +regardless of whether the individual service has a different setting. <P> +You can specify the hosts by name or IP number. For example, you could restrict +access to only the hosts on a Class C subnet with something like +"hosts allow = 150.203.5.". <P> +You can also specify hosts by network/netmask pairs and by netgroup names +if your system supports netgroups. The EXCEPT keyword can also be used +to limit a wildcard list. The following examples may provide some help: <P> +Example 1: allow all IPs in 150.203.*.* except one <P> + hosts allow = 150.203. EXCEPT 150.203.6.66 <P> +Example 2: allow hosts that match the given network/netmask <P> + hosts allow = 150.203.15.0/255.255.255.0 <P> +Example 3: allow a couple of hosts <P> + hosts allow = lapland, arvidsjaur <P> +Example 4: allow only hosts in netgroup "foonet" or localhost, but deny +access from one particular host <P> + hosts allow = @foonet, localhost<P> + hosts deny = pirate <P> +Note that access still requires suitable user-level passwords. <P> +See <B>testparm</B>(1) for a way of testing your host access to see if it +does what you expect. <P> +<B>Default:</B> none (i.e., all hosts permitted access) <P> +<B>Example:</B> hosts allow = 150.203.5. myhost.mynet.edu.au<P> + +<H3><A NAME="hosts deny">hosts deny (S)</A></H3> +A synonym for this parameter is 'deny hosts'. <P> +This is the opposite of <A HREF="#hosts allow">hosts allow</A> - hosts listed +here are NOT permitted access to services unless the specific services have +their own lists to override this one. Where the lists conflict, the 'allow' +list takes precedence. <P> +<B>Default:</B> none (i.e., no hosts specifically excluded) <P> +<B>Example:</B>hosts deny = 150.203.4. badhost.mynet.edu.au <P> + +<H3><A NAME="hosts equiv">hosts equiv (G)</A></H3> +If this global parameter is a non-null string, it specifies the name of a +file to read for the names of hosts and users who will be allowed access +without specifying a password. <P> +This is not be confused with <A HREF="#hosts allow">hosts allow</A> which is +about hosts access to services and is more useful for guest services. +<B>hosts equiv</B> may be useful for NT clients which will not supply +passwords to samba. <P> +NOTE: The use of hosts.equiv can be a major security hole. This is because you +are trusting the PC to supply the correct username. It is very easy to get a +PC to supply a false username. I recommend that the hosts.equiv option be +only used if you really know what you are doing, or perhaps on a home network +where you trust your wife and kids :-) <P> +<B>Default</B> No host equivalences <P> +<B>Example</B> hosts equiv = /etc/hosts.equiv <P> + +<H3><A NAME="include">include (G)</A></H3> +This allows you to include one config file +inside another. The file is included literally, as though typed in place. <P> +It takes the standard substitutions, except %u, %P and %S <P> + +<H3><A NAME="interfaces">interfaces (G)</A></H3> +This option allows you to setup multiple network interfaces, so that +Samba can properly handle browsing on all interfaces. <P> +The option takes a list of ip/netmask pairs. The netmask may either be a +bitmask, or a bitlength. <P> +For example, the following line: <P> + interfaces = 192.168.2.10/24 192.168.3.10/24 <P> +would configure two network interfaces with IP addresses 192.168.2.10 and +192.168.3.10. The netmasks of both interfaces would be set to 255.255.255.0.<P> +You could produce an equivalent result by using: <P> + interfaces = 192.168.2.10/255.255.255.0 192.168.3.10/255.255.255.0<P> +if you prefer that format. <P> +If this option is not set then Samba will attempt to find a primary interface, +but won't attempt to configure more than one interface. <P> + +<H3><A NAME="invalid users">invalid users (S)</A></H3> +This is a list of users that should not be allowed to login to this service. +This is really a "paranoid" check to absolutely ensure an improper setting +does not breach your security. <P> +A name starting with @ is interpreted as a UNIX group. <P> +The current servicename is substituted for %S. This is useful in the [homes] +section. <P> +See also <A HREF="#valid users">valid users</A> <P> +<B>Default</B> No invalid users <P> +<B>Example</B> invalid users = root fred admin @wheel <P> + +<H3><A NAME="keepalive">keepalive (G)</A></H3> +The value of the parameter (an integer) represents the number of seconds +between 'keepalive' packets. If this parameter is zero, no keepalive packets +will be sent. Keepalive packets, if sent, allow the server to tell whether a +client is still present and responding. <P> +<B>Default:</B> keep alive = 300 <P> +<B>Example:</B> keep alive = 60 <P> + +<H3><A NAME="lm announce">lm announce (G)</A></H3> +This parameter determines if Samba will produce Lanman announce broadcasts +that are needed by OS/2 clients in order for them to see the Samba server in +their browse list. This parameter can have three values, True, False, or Auto. +The default is Auto. If set to False Samba will never produce these broadcasts. +If set to True Samba will produce Lanman announce broadcasts at a frequency +set by the parameter <A HREF="#lm interval">lm interval</A>. If set to Auto +Samba will not send Lanman announce broadcasts by default but will listen for +them. If it hears such a broadcast on the wire it will then start sending +them at a frequency set by the 'lm interval' parameter<P> +See also <A HREF="#lm interval">lm interval</A>. <P> +<B>Default:</B> lm announce = Auto <P> +<B>Example:</B> lm announce = True <P> + +<H3><A NAME="lm interval">lm interval (G)</A></H3> +If Samba is set to produce Lanman announce broadcasts needed by OS/2 clients +(see the <A HREF="#lm announce">lm announce</A> parameter) this +parameter defines the frequency in seconds with which they will be made. +If this is set to zero then no Lanman announcements will be made despite +the setting of the <A HREF="#lm announce">lm announce</A> parameter. <P> +See also <A HREF="#lm announce">lm announce</A>. <P> +<B>Default:</B> lm interval = 60 <P> +<B>Example:</B> lm interval = 120 <P> + +<H3><A NAME="load printers">load printers (G)</A></H3> +A boolean variable that controls whether all printers in the printcap +will be loaded for browsing by default. <P> +<B>Default:</B> load printers = Yes <P> +<B>Example:</B> load printers = No <P> + +<H3><A NAME="local master">local master (G)</A></H3> +This option allows nmbd to become a local master browser on a subnet. If set +to No then nmbd will not attempt to become a local master browser on a subnet +and will also lose in all browsing elections. By default this value is set +to Yes. Setting this value to Yes doesn't mean that Samba will become the local +master browser on a subnet, just that the nmbd will participate in elections +for local master browser. <P> +<B>Default:</B> local master = yes <P> + +<H3><A NAME="lock dir">lock dir (G)</A></H3> +This option specifies the directory where lock files will be placed. +The lock files are used to implement the +<A HREF="#max connections">max connections</A> option. <P> +<B>Default:</B> lock dir = /tmp/samba <P> +<B>Example:</B> lock dir = /usr/local/samba/var/locks <P> + +<H3><A NAME="locking">locking (S)</A></H3> +This controls whether or not locking will be performed by the server in +response to lock requests from the client. <P> +If set to No, all lock and unlock requests will appear to succeed and all +lock queries will indicate that the queried lock is clear. <P> +If set to Yes, real locking will be performed by the server. <P> +This option may be particularly useful for read-only filesystems which do not +need locking (such as CDROM drives). <P> +Be careful about disabling locking either globally or in a specific +service, as lack of locking may result in data corruption. <P> +<B>Default:</B> locking = Yes <P> +<B>Example:</B> locking = No <P> + +<H3><A NAME="log file">log file (G)</A></H3> +This options allows you to override the name of the Samba log file (also +known as the debug file). <P> +This option takes the standard substitutions, allowing you to have separate +log files for each user or machine. <P> +<B>Example:</B> log file = /usr/local/samba/var/log.%m <P> + +<H3><A NAME="log level">log level (G)</A></H3> +A synonym for this is debuglevel<P> +The value of the parameter (an integer) allows the logging level (debug level) +to be specified in the <B>smb.conf</B> file. This is to give greater +flexibility in the configuration of the system. <P> +The default will be the logging level specified on the command line. <P> +<B>Example:</B> log level = 3 + +<H3><A NAME="logon drive">logon drive (G)</A></H3> +This parameter specifies the local path to which the home directory will be +connected (see <A HREF="#logon home">logon home</A>) and is only used by NT +Workstations. <P> +<B>Example:</B> logon drive = h: <P> + +<H3><A NAME="logon home">logon home (G)</A></H3> +This parameter specifies the home directory location when a Win95 or NT +Workstation logs into a Samba PDC. It allows you to do "NET USE H: /HOME" +from a command prompt, for example. <P> +This option takes the standard substitutions, allowing you to have separate +logon scripts for each user or machine. <P> +<B>Default:</B> logon home = "\\%N\%U" <P> +<B>Example:</B> logon home = "\\remote_smb_server\%U" <P> + +<H3><A NAME="logon path">logon path (G)</A></H3> +This parameter specifies the home directory where roaming profiles (USER.DAT +/ USER.MAN files for Windows 95) are stored. <P> +This option takes the standard substitutions, allowing you to have separate +logon scripts for each user or machine. It also specifies the directory from +which the "desktop", "start menu", "nethood" and "programs" folders, and their +contents, are loaded and displayed on your Windows 95 client. <P> +The share and the path must be readable by the user for the preferences and +directories to be loaded onto the Windows 95 client. The share must be +writeable when the user logs in for the first time, in order that the +Windows 95 client can create the user.dat and other directories. <P> +Thereafter, the directories and any of contents can, if required, be +made read-only. It is not adviseable that the USER.DAT file be made read-only +- rename it to USER.MAN to achieve the desired effect (a MANdatory profile). <P> +Windows clients can sometimes maintain a connection to the [homes] share, +even though there is no user logged in. Therefore, it is vital that the +logon path does not include a reference to the homes share (i.e +\\%N\HOMESprofile_path will cause problems). <P> +This option takes the standard substitutions, allowing you to have separate +logon scripts for each user or machine. <P> +<B>Default:</B> logon path = \\%N\%U\profile <P> +<B>Example:</B> logon path = \\PROFILESERVER\HOME_DIR\%U\PROFILE <P> + +<H3><A NAME="logon script">logon script (G)</A></H3> +This parameter specifies the batch file (.bat) or NT command file (.cmd) to +be downloaded and run on a machine when a user successfully logs in. The file +must contain the DOS style cr/lf line endings. Using a DOS-style editor to +create the file is recommended. <P> +The script must be a relative path to the [netlogon] service. If the +[netlogon] service specifies a path of /usr/local/samba/netlogon, and logon +script = STARTUP.BAT, then file that will be downloaded is: <P> + <B>/usr/local/samba/netlogon/STARTUP.BAT</B> <P> +The contents of the batch file is entirely your choice. A suggested command +would be to add NET TIME \\SERVER /SET /YES, to force every machine to +synchronise clocks with the same time server. Another use would be to add +NET USE U: \\SERVER\UTILS for commonly used utilities, or +NET USE Q: \\SERVER\ISO9001_QA. <P> +Note that it is particularly important not to allow write access to the +[netlogon] share, or to grant users write permission on the batch files +in a secure environment, as this would allow the batch files to be arbitrarily +modified. <P> +This option takes the standard substitutions, allowing you to have separate +logon scripts for each user or machine. <P> +<B>Example:</B> logon script = scripts/%U.bat <P> + +<H3><A NAME="lppause command">lppause command (S)</A></H3> +This parameter specifies the command to be executed on the server host in +order to stop printing or spooling a specific print job. <P> +This command should be a program or script which takes a printer name and +job number to pause the print job. Currently I don't know of any print spooler +system that can do this with a simple option, except for the PPR system from +Trinity College (ppr-dist.trincoll.edu/pub/ppr). One way of implementing this +is by using job priorities, where jobs having a too low priority won't be +sent to the printer. See also +<A HREF="#lpresume command">lpresume command</A>.<P> +If a %p is given then the printername is put in its place. A %j is replaced +with the job number (an integer). On HPUX (see +<A HREF="#printing">printing</A>=hpux), if the -p%p +option is added to the lpq command, the job will show up with the correct +status, i.e. if the job priority is lower than the set fence priority it +will have the PAUSED status, whereas if the priority is equal or higher +it will have the SPOOLED or PRINTING status. <P> +Note that it is good practice to include the absolute path in the lppause +command as the PATH may not be available to the server. <P> +<B>Default:</B> Currently no default value is given to this string <P> +<B>Example for HPUX:</B> lppause command = /usr/bin/lpalt %p-%j -p0 <P> + +<H3><A NAME="lpq cache time">lpq cache time (G)</A></H3> +This controls how long lpq info will be cached for to prevent the lpq command +being called too often. A separate cache is kept for each variation of the +lpq command used by the system, so if you use different lpq commands for +different users then they won't share cache information. <P> +The cache files are stored in /tmp/lpq.xxxx where xxxx is a hash of the lpq +command in use. <P> +The default is 10 seconds, meaning that the cached results of a previous +identical lpq command will be used if the cached data is less than 10 seconds +old. A large value may be advisable if your lpq command is very slow. <P> +A value of 0 will disable cacheing completely. <P> +<B>Default:</B> lpq cache time = 10 <P> +<B>Example:</B> lpq cache time = 30 <P> + +<H3><A NAME="lpq command">lpq command (S)</A></H3> +This parameter specifies the command to be executed on the server host +in order to obtain "lpq"-style printer status information. <P> +This command should be a program or script which takes a printer name as its +only parameter and outputs printer status information. <P> +Currently six styles of printer status information are supported; BSD, SYSV, +AIX, HPUX, QNX, LPRNG and PLP. This covers most UNIX systems. You control +which type is expected using the <A HREF="#printing">printing</A> option. <P> +Some clients (notably Windows for Workgroups) may not correctly send the +connection number for the printer they are requesting status information +about. To get around this, the server reports on the first printer service +connected to by the client. This only happens if the connection number sent +is invalid. <P> +If a %p is given then the printername is put in its place. Otherwise it is +placed at the end of the command. <P> +Note that it is good practice to include the absolute path in the lpq +command as the PATH may not be available to the server. <P> +<B>Default:</B> depends on the setting of <A HREF="#printing">printing</A><P> +<B>Example:</B> lpq command = /usr/bin/lpq %p <P> + +<H3><A NAME="lpresume command">lpresume command (S)</A></H3> +This parameter specifies the command to be executed on the server host in +order to restart or continue printing or spooling a specific print job. <P> +This command should be a program or script which takes a printer name and +job number to resume the print job. See also the +<A HREF="#lppause command">lppause command</A>. <P> +If a %p is given then the printername is put in its place. +A %j is replaced with the job number (an integer). <P> +Note that it is good practice to include the absolute path in the lpresume +command as the PATH may not be available to the server. <P> +<B>Default:</B> Currently no default value is given to this string <P> +<B>Example for HPUX:</B> lpresume command = /usr/bin/lpalt %p-%j -p2 <P> + +<H3><A NAME="lprm command">lprm command (S)</A></H3> +This parameter specifies the command to be executed on the server host in +order to delete a print job. <P> +This command should be a program or script which takes a printer name +and job number, and deletes the print job. <P> +Currently seven styles of printer control are supported; BSD, SYSV, AIX HPUX, +QNX, LPRNG and PLP. This covers most UNIX systems. You control which type is +expected using the <A HREF="#printing">printing</A> option. <P> +If a %p is given then the printername is put in its place. A +%j is replaced with the job number (an integer). <P> +Note that it is good practice to include the absolute path in the lprm +command as the PATH may not be available to the server. <P> +<B>Default:</B> depends on the setting of <A HREF="#printing">printing</A><P> +<B>Example 1:</B>lprm command = /usr/bin/lprm -P%p %j <P> +<B>Example 2:</B>lprm command = /usr/bin/cancel %p-%j <P> + +<H3><A NAME="magic output">magic output (S)</A></H3> +This parameter specifies the name of a file which will contain output +created by a magic script (see <A HREF="#magic script">magic script</A> +below). <P> +Warning: If two clients use the same magic script in the same directory the +output file content is undefined. <P> +<B>Default:</B> magic output = <magic script name>.out <P> +<B>Example:</B> magic output = myfile.txt <P> + +<H3><A NAME="magic script">magic script (S)</A></H3> +This parameter specifies the name of a file which, if opened, will be +executed by the server when the file is closed. This allows a UNIX script to +be sent to the Samba host and executed on behalf of the connected user. <P> +Scripts executed in this way will be deleted upon completion, permissions +permitting. <P> +If the script generates output, output will be sent to the file specified by +the <A HREF="#magic output">magic output</A> parameter. <P> +Note that some shells are unable to interpret scripts containing +carriage-return-linefeed instead of linefeed as the end-of-line marker. Magic +scripts must be executable "as is" on the host, which for some hosts and +some shells will require filtering at the DOS end. <P> +Magic scripts are EXPERIMENTAL and should NOT be relied upon. <P> +<B>Default:</B> None. Magic scripts disabled. <P> +<B>Example:</B> magic script = user.csh <P> + +<H3><A NAME="mangle case">mangle case (S)</A></H3> +Controls if names that have characters that aren't of the "default" case are +mangled. <P> +See the section on <A HREF="#NAME MANGLING">NAME MANGLING</A> <P> + +<H3><A NAME="mangled map">mangled map (S)</A></H3> +This is for those who want to directly map UNIX file names which are not +representable on DOS. The mangling of names is not always what is needed. In +particular you may have documents with file extensions that differ between +DOS and UNIX. For example, under UNIX it is common to use .html for HTML +files, whereas under DOS .htm is more commonly used. <P> +So to map 'html' to 'htm' you put: <P> +mangled map = (*.html *.htm) <P> +One very useful case is to remove the annoying ;1 off the ends of filenames +on some CDROMS (only visible under some UNIXes). To do this use a map of +(*;1 *) <P> +<B>default:</B> no mangled map <P> +<B>Example:</B> mangled map = (*;1 *) <P> + +<H3><A NAME="mangled names">mangled names (S)</A></H3> +This controls whether non-DOS names under UNIX should be mapped +to DOS-compatible names ("mangled") and made visible, or whether non-DOS +names should simply be ignored. <P> +See the section on <A HREF="#NAME MANGLING">NAME MANGLING</A> for +details on how to control the mangling process. <P> +If mangling is used then the mangling algorithm is as follows: +<blockquote>- the first (up to) five alphanumeric characters before the +rightmost dot of the filename are preserved, forced to upper case, and appear +as the first (up to) five characters of the mangled name. <P> +- a tilde ("~") is appended to the first part of the mangled name, followed +by a two-character unique sequence, based on the original root name (i.e., +the original filename minus its final extension). The final +extension is included in the hash calculation only if it contains any +upper case characters or is longer than three characters. <P> +Note that the character to use may be specified using the +<A HREF="#mangling char">mangling char</A> option, if you don't like ~. <P> +- the first three alphanumeric characters of the final +extension are preserved, forced to upper case and appear as the extension +of the mangled name. The final extension is defined as that part of the +original filename after the rightmost dot. If there are no dots in the +filename, the mangled name will have no extension (except in the case +of hidden files - see below). <P> +- files whose UNIX name begins with a dot will be presented as DOS hidden +files. The mangled name will be created as for other filenames, but with the +leading dot removed and "___" as its extension regardless of actual original +extension (that's three underscores). +</blockquote> +The two-digit hash value consists of upper case alphanumeric characters. <P> +This algorithm can cause name collisions only if files in a directory +share the same first five alphanumeric characters. The probability of such +a clash is 1/1300. <P> +The name mangling (if enabled) allows a file to be copied between UNIX +directories from DOS while retaining the long UNIX filename. UNIX files can +be renamed to a new extension from DOS and will retain the same basename. +Mangled names do not change between sessions. <P> +<B>Default:</B> mangled names = Yes <P> +<B>Example:</B> mangled names = No <P> + +<H3><A NAME="mangling char">mangling char (S)</A></H3> +This controls what character is used as the "magic" character +in name mangling. The default is a ~ but this may interfere with some software. +Use this option to set it to whatever you prefer. <P> +<B>Default:</B> mangling char = ~ <P> +<B>Example:</B> mangling char = ^ <P> + +<H3><A NAME="mangled stack">mangled stack (G)</A></H3> +This parameter controls the number of mangled names that should be cached in +the Samba server. <P> +This stack is a list of recently mangled base names (extensions are only +maintained if they are longer than 3 characters or contains upper case +characters). <P> +The larger this value, the more likely it is that mangled +names can be successfully converted to correct long UNIX names. However, +large stack sizes will slow most directory access. Smaller stacks save +memory in the server (each stack element costs 256 bytes). <P> +It is not possible to absolutely guarantee correct long file names, so be +prepared for some surprises! <P> +<B>Default:</B> mangled stack = 50 <P> +<B>Example:</B> mangled stack = 100 <P> + +<H3><A NAME="map archive">map archive (S)</A></H3> +This controls whether the DOS archive attribute should +be mapped to the UNIX owner execute bit. The DOS archive bit is set when +a file has been modified since its last backup. One motivation for this +option it to keep Samba/your PC from making any file it touches from becoming +executable under UNIX. This can be quite annoying for shared source code, +documents, etc... <P> +Note that this requires the 'create mask' to be set such +that owner execute bit is not masked out (ie. it must include 100). See +the parameter <A HREF="#create mask">create mask</A> for details. <P> +<B>Default:</B> map archive = Yes <P> +<B>Example:</B> map archive = No <P> + +<H3><A NAME="map hidden">map hidden (S)</A></H3> +This controls whether DOS style hidden files should be mapped to the UNIX +world execute bit. <P> +Note that this requires the 'create mask' to be set such that the world +execute bit is not masked out (ie. it must include 001). See the parameter +<A HREF="#create mask">create mask</A> for details. <P> +<B>Default:</B> map hidden = No <P> +<B>Example:</B> map hidden = Yes <P> + +<H3><A NAME="map system">map system (S)</A></H3> +This controls whether DOS style system files should be mapped to the UNIX +group execute bit. <P> +Note that this requires the 'create mask' to be set such that the group +execute bit is not masked out (ie. it must include 010). See the parameter +<A HREF="#create mask">create mask</A> for details. <P> +<B>Default:</B> map system = No <P> +<B>Example:</B> map system = Yes <P> + +<H3><A NAME="max connections">max connections (S)</A></H3> +This option allows the number of simultaneous connections to a service to be +limited. If "max connections" is greater than 0 then connections will be +refused if this number of connections to the service are already open. A value +of zero mean an unlimited number of connections may be made. <P> +Record lock files are used to implement this feature. The lock files will be +stored in the directory specified by the +<A HREF="#lock dir">lock dir</A> option. <P> +<B>Default:</B> max connections = 0 <P> +<B>Example:</B> max connections = 10 <P> + +<H3><A NAME="max disk size">max disk size (G)</A></H3> +This option allows you to put an upper limit on the apparent size of disks. +If you set this option to 100 then all shares will appear to be not larger +than 100 MB in size. <P> +Note that this option does not limit the amount of data you can put on the +disk. In the above case you could still store much more than 100 MB on the +disk, but if a client ever asks for the amount of free disk space or the +total disk size then the result will be bounded by the amount specified in +"max disk size". <P> +This option is primarily useful to work around bugs in some pieces of +software that can't handle very large disks, particularly disks over 1GB in +size. <P> +A "max disk size" of 0 means no limit. <P> +<B>Default:</B> max disk size = 0 <P> +<B>Example:</B> max disk size = 1000 <P> + +<H3><A NAME="max log size">max log size (G)</A></H3> +This option (an integer in kilobytes) specifies the max size +the log file should grow to. Samba periodically checks the size and if +it is exceeded it will rename the file, adding a .old extension. <P> +A size of 0 means no limit. <P> +<B>Default:</B> max log size = 5000 <P> +<B>Example:</B> max log size = 1000 <P> + +<H3><A NAME="max mux">max mux (G)</A></H3> +This option controls the maximum number of outstanding simultaneous SMB +operations that samba tells the client it will allow. You should never need +to set this parameter. <P> +<B>Default:</B> max mux = 50 <P> + +<H3><A NAME="max packet">max packet (G)</A></H3> +A synonym for this parameter is 'packet size'. <P> +The maximum transmit packet size during a raw read. This option is no longer +implemented as of version 1.7.00, and is kept only so old configuration files +do not become invalid. <P> + +<H3><A NAME="max ttl">max ttl (G)</A></H3> +This option tells nmbd what the default 'time to live' of NetBIOS names should +be (in seconds) when nmbd is requesting a name using either a broadcast +or from a WINS server. You should never need to change this parameter. <P> +<B>Default:</B> max ttl = 14400 <P> + +<H3><A NAME="max wins ttl">max wins ttl (G)</A></H3> +This option tells nmbd when acting as a WINS server +(<A HREF="#wins support">wins support</A> = Yes) what the maximum 'time to +live' of NetBIOS names that nmbd will grant will be (in seconds). You should +never need to change this parameter. The default is 3 days (259200 +seconds). <P> +<B>Default:</B> max wins ttl = 259200 <P> + +<H3><A NAME="max xmit">max xmit (G)</A></H3> +This option controls the maximum packet size that will be negotiated by +Samba. The default is 65535, which is the maximum. In some cases you may find +you get better performance with a smaller value. A value below 2048 is likely +to cause problems. <P> +<B>Default:</B> max xmit = 65535 <P> +<B>Example:</B> max xmit = 8192 <P> + +<H3><A NAME="message command">message command (G)</A></H3> +This specifies what command to run when the server receives a WinPopup style +message. <P> +This would normally be a command that would deliver the message somehow. +How this is to be done is up to your imagination. <P> +What I use is: <P> +message command = csh -c 'xedit %s;rm %s' & <P> +This delivers the message using xedit, then removes it afterwards. NOTE +THAT IT IS VERY IMPORTANT THAT THIS COMMAND RETURN IMMEDIATELY. That's why +I have the & on the end. If it doesn't return immediately then your PCs may +freeze when sending messages (they should recover after 30secs, hopefully). <P> +All messages are delivered as the global guest user. The command takes +the standard substitutions, although %u won't work (%U may be better in +this case). <P> +Apart from the standard substitutions, some additional ones apply. In +particular: <P> +%s = the filename containing the message <P> +%t = the destination that the message was sent to (probably the server name) <P> +%f = who the message is from <P> +You could make this command send mail, or whatever else takes your fancy. +Please let me know of any really interesting ideas you have. <P> +Here's a way of sending the messages as mail to root: <P> +message command = /bin/mail -s 'message from %f on %m' root < %s; rm %s <P> +If you don't have a message command then the message won't be delivered and +Samba will tell the sender there was an error. Unfortunately WfWg totally +ignores the error code and carries on regardless, saying that the message was +delivered. <P> +If you want to silently delete it then try "message command = rm %s". <P> +For the really adventurous, try something like this: <P> +message command = csh -c 'csh < %s |& /usr/local/samba/bin/smbclient \ + -M %m; rm %s' & <P> +this would execute the command as a script on the server, +then give them the result in a WinPopup message. Note that this could cause +a loop if you send a message from the server using smbclient! You better +wrap the above in a script that checks for this :-) <P> +<B>Default:</B> no message command <P> +<B>Example:</B> message command = csh -c 'xedit %s;rm %s' & <P> + +<H3><A NAME="min print space">min print space (S)</A></H3> +This sets the minimum amount of free disk space that must +be available before a user will be able to spool a print job. It is specified +in kilobytes. The default is 0, which means no limit. <P> +<B>Default:</B> min print space = 0 <P> +<B>Example:</B> min print space = 2000 <P> + +<H3><A NAME="min wins ttl">min wins ttl (G)</A></H3> +This option tells nmbd when acting as a WINS server +(<A HREF="#wins support">wins support</A> = Yes) what the +minimum 'time to live' of NetBIOS names that nmbd will grant will be (in +seconds). You should never need to change this parameter. The default is +6 hours (21600 seconds). <P> +<B>Default:</B> min wins ttl = 21600 <P> + +<H3><A NAME="name resolve order">name resolve order (G)</A></H3> +This option is used by the programs smbd, nmbd and smbclient +to determine what naming services and in what order to resolve host names +to IP addresses. This option is most useful in smbclient. The option takes +a space separated string of different name resolution options. These are +"lmhosts", "host", "wins" and "bcast". They cause names to be resolved +as follows : <P> +<pre> +lmhosts Lookup an IP address in the Samba lmhosts file. +host Do a standard host name to IP address resolution, using the + system /etc/hosts, NIS, or DNS lookups. This method of name + resolution is operating system depended (for instance on Solaris + this may be controlled by the /etc/nsswitch.conf file). +wins Query a name with the IP address listed in the "wins server =" + parameter. If no WINS server has been specified this method will + be ignored. +bcast Do a broadcast on each of the known local + interfaces listed in the "interfaces =" parameter. This is the + least reliable of the name resolution methods as it depends + on the target host being on a locally connected subnet. +</pre> +The default order is lmhosts, host, wins, bcast and these name resolution +methods will be attempted in this order. <P> +This option was first introduced in Samba 1.9.18p4. <P> +<B>Default:</B> name resolve order = lmhosts host wins bcast <P> +<B>example:</B> name resolve order = lmhosts bcast host <P> +This will cause the local lmhosts file to be examined first, followed by a +broadcast attempt, followed by a normal system hostname lookup. <P> + +<H3><A NAME="netbios aliases">netbios aliases (G)</A></H3> +This is a list of names that nmbd will advertise as additional names by which +the Samba server is known. This allows one machine to appear in browse +lists under multiple names. If a machine is acting as a browse server or +logon server none of these names will be advertised as either browse server +or logon servers, only the primary name of the machine will be advertised +with these capabilities. <P> +See also <A HREF="#netbios name">netbios name</A>. <P> +<B>Example:</B>netbios aliases = TEST TEST1 TEST2 <P> + +<H3><A NAME="netbios name">netbios name (G)</A></H3> +This sets the NetBIOS name by which a Samba server is known. By default it is +the same as the first component of the host's DNS name. If a machine is a +browse server or logon server this name (or the first component of the hosts +DNS name) will be the name that these services are advertised under. <P> +See also <A HREF="#netbios aliases">netbios aliases</A>. <P> +<B>Example:</B> netbios name = MYNAME <P> + +<H3><A NAME="NIS homedir">NIS homedir (G)</A></H3> +Get the home share server from a NIS (or YP) map. For unix systems that use +an automounter, the user's home directory will often be mounted on a +workstation on demand from a remote server. When the Samba logon server is +not the actual home directory server, two network hops are required to access +the home directory and this can be very slow especially with writing via +Samba to an NFS mounted directory. This option allows samba to return the +home share as being on a different server to the logon server and as long as +a samba daemon is running on the home directory server, it will be mounted +on the Samba client directly from the directory server. When Samba is +returning the home share to the client, it will consult the NIS (or YP) map +specified in <A HREF="#homedir map">homedir map</A> and return the server +listed there. <P> +<B>Default:</B> NIS homedir = No <P> +<B>Example:</B> NIS homedir = Yes <P> + +<H3><A NAME="networkstation user login">networkstation user login (G)</A></H3> +This global parameter (new for 1.9.18p3) affects server level security. With +this set (recommended) samba will do a full NetWkstaUserLogon to confirm that +the client really should have login rights. This can cause problems with +machines in trust relationships in which case you can disable it here, +but be warned, we have heard that some NT machines will then allow anyone +in with any password! Make sure you test it. <P> +<B>Default:</B> networkstation user login = Yes <P> +<B>Example:</B> networkstation user login = No <P> + +<H3><A NAME="null passwords">null passwords (G)</A></H3> +Allow or disallow access to accounts that have null passwords. <P> +<B>Default:</B> null passwords = No <P> +<B>Example:</B> null passwords = Yes <P> + +<H3><A NAME="only user">only user (S)</A></H3> +This is a boolean option that controls whether connections with usernames not +in the <A HREF="#username">username</A> list will be allowed. By default this +option is disabled so a client can supply a username to be used by the +server. <P> +Note that this also means Samba won't try to deduce usernames from the +service name. This can be annoying for the [homes] section. To get around +this you could use "<A HREF="#username">username</A> = %S" which means your +"username" list will be just the service name, which for home directories +is the name of the user. <P> +<B>Default: </B> only user = No <P> +<B>Example: </B> only user = Yes <P> + +<H3><A NAME="oplocks">oplocks (S)</A></H3> +This boolean option tells smbd whether to issue oplocks (opportunistic locks) +to file open requests on this share. The oplock code +was introduced in Samba 1.9.18 and can dramatically (approx 30% or more) +improve the speed of access to files on Samba servers. It allows the clients +to agressively cache files locally and you may want to disable this option +for unreliable network environments (it is turned on by default in Windows +NT Servers). For more information see the file Speed.txt in the Samba docs/ +directory. <P> +Oplocks may be selectively turned off on certain files on a per share basis. +See the <A HREF="#veto oplock files">veto oplock files</A> parameter. <P> +<B>Default:</B> oplocks = Yes <P> +<B>Example:</B> oplocks = No <P> + +<H3><A NAME="os level">os level (G)</A></H3> +This integer value controls what level Samba advertises itself as for browse +elections. See BROWSING.txt for details. <P> + +<H3><A NAME="passwd chat debug">passwd chat debug (G)</A></H3> +This boolean specifies if the passwd chat script parameter is run +in 'debug' mode. In this mode the strings passed to and received from the +passwd chat are printed in the smbd log with a debug level of 100. This +is a dangerous option as it will allow plaintext passwords to be seen +in the smbd log. It is available to help Samba admins debug their passwd +chat scripts and should be turned off after this has been done. This parameter +is off by default. <P> +<B>Example:</B> passwd chat debug = Yes <P> +<B>Default:</B> passwd chat debug = No <P> + +<H3><A NAME="passwd chat">passwd chat (G)</A></H3> +This string controls the "chat" conversation that takes places +between smbd and the local password changing program to change the users +password. The string describes a sequence of response-receive pairs that +smbd uses to determine what to send to the passwd program and what to +expect back. If the expected output is not received then the password is +not changed. <P> +This chat sequence is often quite site specific, depending +on what local methods are used for password control (such as NIS+ etc). <P> +The string can contain the macros %o and %n which are substituted for +the old and new passwords respectively. It can also contain the standard +macros \n \r \t and \s to give line-feed, carriage-return, tab and space. <P> +The string can also contain a * which matches any sequence of characters. <P> +Double quotes can be used to collect strings with spaces in them into +a single string. <P> +If the send string in any part of the chat sequence is +a fullstop "." then no string is sent. Similarly, is the expect string is +a fullstop then no string is expected. <P> +<B>Default:</B> passwd chat = *old*password* %o\n *new*password* %n\n *new*password* %n\n *changed* <P> +<B>Example:</B> passwd chat = "*Enter OLD password*" %o\n "*Enter NEW password*" %n\n \ + "*Reenter NEW password*" %n\n "*Password changed*" <P> + +<H3><A NAME="passwd program">passwd program (G)</A></H3> +The name of a program that can be used to set user passwords. <P> +This is only necessary if you have enabled remote password changing at +compile time. Any occurrences of %u will be replaced with the user name. <P> +Also note that many passwd programs insist in "reasonable" +passwords, such as a minimum length, or the inclusion of mixed case chars +and digits. This can pose a problem as some clients (such as Windows for +Workgroups) uppercase the password before sending it. <P> +<B>Default:</B> passwd program = /bin/passwd <P> +<B>Example:</B> passwd program = /sbin/passwd %u <P> + +<H3><A NAME="password level">password level (G)</A></H3> +Some client/server combinations have difficulty with mixed-case +passwords. One offending client is Windows for Workgroups, which for some +reason forces passwords to upper case when using the LANMAN1 protocol, +but leaves them alone when using COREPLUS! <P> +This parameter defines the maximum number of characters that may be upper +case in passwords. <P> +For example, say the password given was "FRED". If password level is set to +1 (one), the following combinations would be tried if "FRED" failed: "Fred", +"fred", "fRed", "frEd", "freD". If password level was set to 2 (two), the +following combinations would also be tried: "FRed", "FrEd", "FreD", "fREd", +"fReD", "frED". And so on. <P> +The higher value this parameter is set to the more likely it is that a mixed +case password will be matched against a single case password. However, you +should be aware that use of this parameter reduces security and increases the +time taken to process a new connection. <P> +A value of zero will cause only two attempts to be made - the password +as is and the password in all-lower case. <P> +If you find the connections are taking too long with this option then you +probably have a slow crypt() routine. Samba now comes with a fast "ufc crypt" +that you can select in the Makefile. You should also make sure the +PASSWORD_LENGTH option is correct for your system in local.h and includes.h. +On most systems only the first 8 chars of a password are significant so +PASSWORD_LENGTH should be 8, but on some longer passwords are significant. +The includes.h file tries to select the right length for your system. <P> +<B>Default:</B> password level = 0 <P> +<B>Example:</B> password level = 4 <P> + +<H3><A NAME="password server">password server (G)</A></H3> +By specifying the name of another SMB server (such as a WinNT box) with this +option, and using "<A HREF="#security">security</A> = server" you can get +Samba to do all its username/password validation via a remote server. <P> +This options sets the name of the password server to use. It must be a netbios +name, so if the machine's netbios name is different from its internet name +then you may have to add its netbios name to /etc/hosts. <P> +Note that with Samba 1.9.18p4 and above the name of the password server is +looked up using the <A HREF="#name resolve order">name resolve order</A> +parameter and so may resolved by any method and order described in that +parameter. <P> +The password server much be a machine capable of using the "LM1.2X002" +or the "LM NT 0.12" protocol, and it must be in user level security mode. <P> +NOTE: Using a password server means your UNIX box (running Samba) is +only as secure as your password server. DO NOT CHOOSE A PASSWORD SERVER +THAT YOU DON'T COMPLETELY TRUST. <P> +Never point a Samba server at itself for password serving. This will cause a +loop and could lock up your Samba server! <P> +The name of the password server takes the standard substitutions, but +probably the only useful one is %m, which means the Samba server will +use the incoming client as the password server. If you use this then you +better trust your clients, and you better restrict them with +<A HREF="#hosts allow">hosts allow</A>! <P> +If you list several hosts in the "password server" option then smbd will +try each in turn till it finds one that responds. This is useful in case +your primary server goes down. <P> +If you are using a WindowsNT server as your password server then you will +have to ensure that your users are able to login from the Samba server, as +the network logon will appear to come from there rather than from the users +workstation. <P> + +<H3><A NAME="path">path (S)</A></H3> +A synonym for this parameter is "directory". <P> +This parameter specifies a directory to which the user of the service is to +be given access. In the case of printable services, this is where print data +will spool prior to being submitted to the host for printing. <P> +For a printable service offering guest access, the service should be readonly +and the path should be world-writable and have the sticky bit set. This is +not mandatory of course, but you probably won't get the results you expect if +you do otherwise. <P> +Any occurrences of %u in the path will be replaced with the username that the +client is connecting as. Any occurrences of %m will be replaced by the name +of the machine they are connecting from. These replacements are very useful +for setting up pseudo home directories for users. <P> +Note that this path will be based on +<A HREF="#root directory">root directory</A> if one was specified.<P> +<B>Default:</B> none <P> +<B>Example:</B> path = /home/fred <P> + +<H3><A NAME="postexec">postexec (S)</A></H3> +This option specifies a command to be run whenever the +service is disconnected. It takes the usual substitutions. The command may +be run as the root on some systems. <P> +An interesting example may be do unmount server resources: <P> +postexec = /etc/umount /cdrom <P> +See also <A HREF="#preexec">preexec</A> <P> +<B>Default:</B> none (no command executed) <P> +<B>Example:</B> postexec = echo \"%u disconnected from %S from %m (%I)\" >> /tmp/log <P> + +<H3><A NAME="postscript">postscript (S)</A></H3> +This parameter forces a printer to interpret the print files as postscript. +This is done by adding a %! to the start of print output. <P> +This is most useful when you have lots of PCs that persist in putting a +control-D at the start of print jobs, which then confuses your printer. <P> +<B>Default:</B> postscript = No <P> +<B>Example:</B> postscript = Yes <P> + +<H3><A NAME="preferred master">preferred master (G)</A></H3> +This boolean parameter controls if Samba is a preferred master browser for +its workgroup. If this is set to Yes, on startup, samba will force an +election, and it will have a slight advantage in winning the election. +It is recommended that this parameter is used in conjunction with +<A HREF="#domain master">domain master</A> = yes, so that samba can guarantee +becoming a domain master. <P> +Use this option with caution, because if there are several hosts (whether +samba servers, Windows 95 or NT) that are preferred master browsers on +the same subnet, they will each periodically and continuously attempt +to become the local master browser. This will result in unnecessary broadcast +traffic and reduced browsing capabilities. <P> +See <A HREF="#os level">os level</A> = nn <P> +<B>Default:</B> preferred master = no <P> + +<H3><A NAME="preload">preload</A></H3> +An alias is "auto services". This is a list of services that you want to be +automatically added to the browse lists. This is most useful for homes and +printers services that would otherwise not be visible. <P> +Note that if you just want all printers in your printcap file loaded then the +<A HREF="#load printers">load printers</A> option is easier. <P> +<B>Default:</B> no preloaded services <P> +<B>Example:</B> preload = fred lp colorlp <P> + +<H3><A NAME="preserve case">preserve case (S)</A></H3> +This controls if new filenames are created with the case that +the client passes, or if they are forced to be the "default" case. <P> +<B>Default:</B> preserve case = no <P> +See the section on <A HREF="#NAME MANGLING">NAME MANGLING</A> for a fuller +discussion. <P> + +<H3><A NAME="print command">print command (S)</A></H3> +After a print job has finished spooling to a service, this command will be +used via a system() call to process the spool file. Typically the command +specified will submit the spool file to the host's printing subsystem, but +there is no requirement that this be the case. The server will not remove +the spool file, so whatever command you specify should remove the spool file +when it has been processed, otherwise you will need to manually remove old +spool files. <P> +The print command is simply a text string. It will be used verbatim, with +two exceptions: All occurrences of "%s" will be replaced by the appropriate +spool file name, and all occurrences of "%p" will be replaced by the +appropriate printer name. The spool file name is generated automatically by +the server, the <A HREF="#printer name">printer name</A> is discussed below. <P> +The full path name will be used for the filename if %s is not preceded by a +/. If you don't like this (it can stuff up some lpq output) then use %f +instead. Any occurrences of %f get replaced by the spool filename without +the full path at the front. <P> +The print command MUST contain at least one occurrence of "%s" or %f - +the "%p" is optional. At the time a job is submitted, if no printer name is +supplied the "%p" will be silently removed from the printer command. <P> +If specified in the [global] section, the print command given will be used for +any printable service that does not have its own print command specified.<P> +If there is neither a specified print command for a printable service nor a +global print command, spool files will be created but not processed and (most +importantly) not removed. <P> +Note that printing may fail on some UNIXes from the "nobody" account. If this +happens then create an alternative guest account that can print and set the +<A HREF="#guest account">guest account</A> in the [global] section. <P> +You can form quite complex print commands by realising that they are +just passed to a shell. For example the following will log a print job, +print the file, then remove it. Note that ; is the usual separator for +command in shell scripts. <P> +print command = echo Printing %s >> /tmp/print.log; lpr -P %p %s; rm %s<P> +You may have to vary this command considerably depending on how you normally +print files on your system. <P> +<B>Default:</B> print command = lpr -r -P %p %s <P> +<B>Example:</B>print command = /usr/local/samba/bin/myprintscript %p %s <P> + +<H3><A NAME="print ok">print ok (S)</A></H3> +A synonym for this parameter is 'printable'. <P> +If this parameter is 'Yes', then clients may open, write to +and submit spool files on the directory specified for the service. <P> +Note that a printable service will ALWAYS allow writing to the service path +(user privileges permitting) via the spooling of print data. The +<A HREF="#read only">read only</A> parameter controls only non-printing +access to the resource. <P> +<B>Default:</B> print ok = No <P> +<B>Example:</B> print ok = Yes <P> + +<H3><A NAME="printcap name">printcap name (G)</A></H3> +This parameter may be used to override the compiled-in default printcap name +used by the server (usually /etc/printcap). On SystemV systems that +use lpstat to list available printers you can use "printcap name = lpstat" +to automatically obtain lists of available printers. This is the default +for systems that define SYSV at compile time in Samba (this includes +most SystemV based systems). If "printcap name" is set to lpstat on these +systems then Samba will launch "lpstat -v" and attempt to parse the output +to obtain a printer list. <P> +A minimal printcap file would look something like this: <P> +print1|My Printer 1 <BR> +print2|My Printer 2 <BR> +print3|My Printer 3 <BR> +print4|My Printer 4 <BR> +print5|My Printer 5 <P> +where the | separates aliases of a printer. The fact that the second alias +has a space in it gives a hint to Samba that it's a comment. <P> +NOTE: Under AIX the default printcap name is "/etc/qconfig". +Samba will assume the file is in AIX "qconfig" format if the string "/qconfig" +appears in the printcap filename. <P> +<B>Default:</B> printcap name = /etc/printcap <P> +<B>Example:</B> printcap name = /etc/myprintcap <P> + +<H3><A NAME="printer driver">printer driver (S)</A></H3> +This option allows you to control the string that clients receive when they +ask the server for the printer driver associated with a printer. If you are +using Windows95 or WindowsNT then you can use this to automate the setup of +printers on your system. <P> +You need to set this parameter to the exact string (case sensitive) that +describes the appropriate printer driver for your system. If you don't know +the exact string to use then you should first try with no "printer driver" +option set and the client will give you a list of printer drivers. The +appropriate strings are shown in a scrollbox after you have chosen the +printer manufacturer. <P> +<B>Example:</B> printer driver = HP LaserJet 4L <P> + +<H3><A NAME="printer name">printer name (S)</A></H3> +A synonym for this parameter is 'printer'. <P> +This parameter specifies the name of the printer to which print jobs spooled +through a printable service will be sent. <P> +If specified in the [global] section, the printer name given will be used for +any printable service that does not have its own printer name specified. <P> +<B>Default:</B> none (but may be 'lp' on many systems) <P> +<B>Example:</B> printer name = laserwriter <P> + +<H3><A NAME="printer driver file">printer driver file (G)</A></H3> +This parameter tells Samba where the printer driver definition file, used +when serving drivers to Windows 95 clients, is to be found. If this is not +set, the default is : <P> +SAMBA_INSTALL_DIRECTORY/lib/printers.def <P> +This file is created from Windows 95 'msprint.def' files found on the Windows +95 client system. For more details on setting up serving of printer drivers +to Windows 95 clients, see the documentation file docs/PRINTER_DRIVER.txt. <P> +<B>Default:</B> None (set in compile). <P> +<B>Example:</B> printer driver file = /usr/local/samba/printers/drivers.def <P> +Related parameters. +<A HREF="#printer driver location">printer driver location</A> <P> + +<H3><A NAME="printer driver location">printer driver location (S)</A></H3> +This parameter tells clients of a particular printer share where to find the +printer driver files for the automatic installation of drivers for Windows 95 +machines. If Samba is set up to serve printer drivers to Windows 95 machines, +this should be set to <P> +\\MACHINE\PRINTER$ <P> +Where MACHINE is the NetBIOS name of your Samba +server, and PRINTER$ is a share you set up for serving printer driver +files. For more details on setting this up see the documentation file +docs/PRINTER_DRIVER.txt. <P> +<B>Default:</B> None <P> +<B>Example:</B> printer driver location = \\MACHINE\PRINTER$ <P> +Related paramerers. +<A HREF="#printer driver file">printer driver file</A><P> + +<H3><A NAME="printing">printing (S)</A></H3> +This parameters controls how printer status information is interpreted +on your system, and also affects the default values for the +<A HREF="#print command">print command</A>, +<A HREF="#lpq command">lpq command</A> and +<A HREF="#lprm command">lprm command</A>. <P> +Currently six printing styles are supported. They are bsd, sysv, hpux, aix, +qnx and plp. <P> +To see what the defaults are for the other print commands when using these +options use the "testparm" program. <P> +As of version 1.9.18 of Samba this option can be set on a per printer basis <P> +<B>Example:</B> printing = sysv <P> + +<H3><A NAME="protocol">protocol (G)</A></H3> +The value of the parameter (a string) is the highest protocol level that will +be supported by the server. <P> +Possible values are CORE, COREPLUS, LANMAN1, LANMAN2 and NT1. The relative +merits of each are discussed in the README file. <P> +Normally this option should not be set as the automatic negotiation phase in +the SMB protocol takes care of choosing the appropriate protocol. <P> +<B>Default:</B> protocol = NT1 <P> +<B>Example:</B> protocol = LANMAN1 <P> + +<H3><A NAME="read bmpx">read bmpx (S)</A></H3> +<B>Default:</B> read bmpx = Yes <P> + +<H3><A NAME="read list">read list (S)</A></H3> +This is a list of users that are given read-only access to a service. +If the connecting user is in this list then they will not be given write +access, no matter what the <A HREF="#read only">read only</A> option is set +to. The list can include group names using the @group syntax. <P> +See also the <A HREF="#write list">write list</A> option <P> +<B>Default:</B> read list = <P> +<B>Example:</B> read list = mary, @students <P> + +<H3><A NAME="read only">read only (S)</A></H3> +Inverted synonyms for this parameter are 'writable' and 'write ok'. <P> +If this parameter is 'Yes', then users of the service may not create or +modify files in the service's directory. <P> +Note that a printable service ('<A HREF="#printable">printable</A> = Yes') +will ALWAYS allow writing to the directory (user privileges permitting), but +only via spooling operations. <P> +<B>Default:</B> read only = Yes <P> +<B>Examples:</B> read only = No <BR> +writable = No <BR> +write ok = Yes <P> + +<H3><A NAME="read prediction">read prediction (G)</A></H3> +This options enables or disables the read prediction code used to speed up +reads from the server. When enabled the server will try to pre-read data +from the last accessed file that was opened read-only while waiting for +packets. <P> +<B>Default:</B> read prediction = No <P> +<B>Example:</B> read prediction = Yes <P> + +<H3><A NAME="read raw">read raw (G)</A></H3> +This parameter controls whether or not the server will support raw reads when +transferring data to clients. <P> +If enabled, raw reads allow reads of 65535 bytes in one packet. This typically +provides a major performance benefit. <P> +However, some clients either negotiate the allowable block size incorrectly +or are incapable of supporting larger block sizes, and for these clients you +may need to disable raw reads. <P> +In general this parameter should be viewed as a system tuning tool and left +severely alone. See also <A HREF="#write raw">write raw.</A> <P> +<B>Default:</B> read raw = Yes <P> +<B>Example:</B> read raw = No <P> + +<H3><A NAME="read size">read size (G)</A></H3> +The option "read size" affects the overlap of disk reads/writes with network +reads/writes. If the amount of data being transferred in several of the SMB +commands (currently SMBwrite, SMBwriteX and SMBreadbraw) is larger than this +value then the server begins writing the data before it has received the +whole packet from the network, or in the case of SMBreadbraw, it begins +writing to the network before all the data has been read from disk. <P> +This overlapping works best when the speeds of disk and network access are +similar, having very little effect when the speed of one is much greater +than the other. <P> +The default value is 2048, but very little experimentation has been done +yet to determine the optimal value, and it is likely that the best value +will vary greatly between systems anyway. A value over 65536 is pointless +and will cause you to allocate memory unnecessarily. <P> +<B>Default:</B> read size = 2048 <P> +<B>Example:</B> read size = 8192 <P> + +<H3><A NAME="remote announce">remote announce (G)</A></H3> +This option allows you to setup nmbd to periodically announce itself to +arbitrary IP addresses with an arbitrary workgroup name. <P> +This is useful if you want your Samba server to appear in a remote workgroup +for which the normal browse propagation rules don't work. The remote +workgroup can be anywhere that you can send IP packets to. <P> +For example: <P> +remote announce = 192.168.2.255/SERVERS 192.168.4.255/STAFF <P> +the above line would cause nmbd to announce itself to the two given IP +addresses using the given workgroup names. If you leave out the workgroup +name then the one given in the <A HREF="#workgroup">workgroup</A> option is +used instead. <P> +The IP addresses you choose would normally be the broadcast +addresses of the remote networks, but can also be the IP addresses of +known browse masters if your network config is that stable. <P> +This option replaces similar functionality from the nmbd lmhosts file. <P> + +<H3><A NAME="remote browse sync">remote browse sync (G)</A></H3> +This option allows you to setup nmbd to periodically request +synchronisation of browse lists with the master browser of a samba server +that is on a remote segment. This option will allow you to gain browse +lists for multiple workgroups across routed networks. This is done in a +manner that does not work with any non-samba servers. <P> +This is useful if you want your Samba server and all local clients to appear +in a remote workgroup for which the normal browse propagation rules don't +work. The remote workgroup can be anywhere that you can send IP packets to.<P> +For example: <P> +remote browse sync = 192.168.2.255 192.168.4.255 <P> +the above line would cause nmbd to request the master browser on the +specified subnets or addresses to synchronise their browse lists with the +local server. <P> +The IP addresses you choose would normally be the broadcast addresses +of the remote networks, but can also be the IP addresses of known browse +masters if your network config is that stable. If a machine IP address +is given Samba makes NO attempt to validate that the remote machine is +available, is listening, nor that it is in fact the browse master on it's +segment. <P> + +<H3><A NAME="revalidate">revalidate (S)</A></H3> +This options controls whether Samba will allow a previously validated +username/password pair to be used to attach to a share. Thus if you connect +to \\server\share1 then to \\server\share2 it won't automatically allow the +client to request connection to the second share as the same username as the +first without a password. <P> +If "revalidate" is Yes then the client will be denied automatic access as +the same username. <P> +<B>Default:</B> revalidate = No <P> +<B>Example:</B> revalidate = Yes <P> + +<H3><A NAME="root directory">root directory (G)</A></H3> +Synonyms for this parameter are 'root dir' and 'root'. <P> +The server will chroot() to this directory on startup. This is not strictly +necessary for secure operation. Even without it the server will deny access +to files not in one of the service entries. It may also check for, and deny +access to, soft links to other parts of the filesystem, or attempts to use +.. in file names to access other directories (depending on the setting of +the <A HREF="#wide links">wide links</A> parameter). <P> +Adding a "root dir" entry other than "/" adds an extra level +of security, but at a price. It absolutely ensures that no access is given +to files not in the sub-tree specified in the "root dir" option, *including* +some files needed for complete operation of the server. To maintain full +operability of the server you will need to mirror some system files into +the "root dir" tree. In particular you will need to mirror /etc/passwd +(or a subset of it), and any binaries or configuration files needed for +printing (if required). The set of files that must be mirrored is operating +system dependent. <P> +<B>Default:</B> root directory = / <P> +<B>Example:</B> root directory = /homes/smb <P> + +<H3><A NAME="root postexec">root postexec (S)</A></H3> +This is the same as <A HREF="#postexec">postexec</A> except that +the command is run as root. This is useful for unmounting filesystems (such +as CDROMS) after a connection is closed. <P> + +<H3><A NAME="root preexec">root preexec (S)</A></H3> +This is the same as <A HREF="#exec">exec</A> except that the command is run +as root. This is useful for mounting filesystems (such as CDROMS) before a +connection is finalised. <P> + +<H3><A NAME="security">security (G)</A></H3> +This option affects how clients respond to Samba. <P> +The option sets the "security mode bit" in replies to protocol negotiations +to turn share level security on or off. Clients decide based on this bit +whether (and how) to transfer user and password information to the server.<P> +The default is "security=SHARE", mainly because that was the only option at +one stage. <P> +The alternatives are "security = user" or "security = server". <P> +If your PCs use usernames that are the same as their usernames on the +UNIX machine then you will want to use "security = user". If you mostly +use usernames that don't exist on the UNIX box then use "security = share".<P> +There is a bug in WfWg that may affect your decision. When in user level +security a WfWg client will totally ignore the password you type in the +"connect drive" dialog box. This makes it very difficult (if not impossible) +to connect to a Samba service as anyone except the user that you are logged +into WfWg as. <P> +If you use "security = server" then Samba will try to validate +the username/password by passing it to another SMB server, such as an +NT box. If this fails it will revert to "security = USER". <P> +See the <A HREF="#password server">password server</A> option for more +details. <P> +<B>Default:</B> security = SHARE <P> +<B>Example:</B> security = USER <P> + +<H3><A NAME="server string">server string (G)</A></H3> +This controls what string will show up in the printer comment box in print +manager and next to the IPC connection in "net view". It can be any string +that you wish to show to your users. <P> +It also sets what will appear in browse lists next to the machine name. <P> +A %v will be replaced with the Samba version number. <P> +A %h will be replaced with the hostname. <P> +<B>Default:</B> server string = Samba %v <P> +<B>Example:</B> server string = University of GNUs Samba Server <P> + +<H3><A NAME="set directory">set directory (S)</A></H3> +If 'set directory = No', then users of the service may not use the setdir +command to change directory. <P> +The setdir command is only implemented in the Digital Pathworks +client. See the Pathworks documentation for details. <P> +<B>Default:</B> set directory = No <P> +<B>Example:</B> set directory = Yes <P> + +<H3><A NAME="shared mem size">shared mem size (G)</A></H3> +This parameter is only useful when Samba has been compiled with +FAST_SHARE_MODES. It specifies the size of the shared +memory (in bytes) to use between smbd processes. You should never change +this parameter unless you have studied the source and know what you are +doing. This parameter defaults to 1024 multiplied by the setting of the +maximum number of open files in the file local.h in the Samba source code. +MAX_OPEN_FILES is normally set to 100, so this parameter defaults to 102400 +bytes. <P> +<B>Default</B> shared mem size = 102400 <P> + +<H3><A NAME="smb passwd file">smb passwd file (G)</A></H3> +This option sets the path to the encrypted smbpasswd file. This is a +*VERY DANGEROUS OPTION* if the smb.conf is user writable. By default the +path to the smbpasswd file is compiled into Samba. <P> + +<H3><A NAME="smbrun">smbrun (G)</A></H3> +This sets the full path to the smbrun binary. This defaults to the value in +the Makefile. <P> +You must get this path right for many services to work correctly. <P> +<B>Default:</B> taken from Makefile <P> +<B>Example:</B> smbrun = /usr/local/samba/bin/smbrun <P> + +<H3><A NAME="share modes">share modes (S)</A></H3> +This enables or disables the honouring of the "share modes" during a file +open. These modes are used by clients to gain exclusive read or write access +to a file. <P> +These open modes are not directly supported by UNIX, so they are simulated +using lock files in the <A HREF="#lock dir">lock dir</A>. The "lock dir" +specified in smb.conf must be readable by all users. <P> +The share modes that are enabled by this option are DENY_DOS, DENY_ALL, +DENY_READ, DENY_WRITE, DENY_NONE and DENY_FCB. <P> +Enabling this option gives full share compatibility but may cost a bit of +processing time on the UNIX server. They are enabled by default. <P> +<B>Default:</B> share modes = Yes <P> +<B>Example:</B> share modes = No <P> + +<H3><A NAME="short preserve case">short preserve case (S)</A></H3> +This controls if new short filenames are created with the case that the client +passes, or if they are forced to be the "default" case. <P> +<B>Default:</B> short preserve case = No <P> +See the section on <A HREF="#NAME MANGLING">NAME MANGLING</A> for a fuller +discussion. <P> + +<H3><A NAME="socket address">socket address (G)</A></H3> +This option allows you to control what address Samba will listen for +connections on. This is used to support multiple virtual interfaces on the +one server, each with a different configuration. <P> +By default samba will accept connections on any address. <P> +<B>Example:</B> socket address = 192.168.2.20 <P> + +<H3><A NAME="socket options">socket options (G)</A></H3> +This option (which can also be invoked with the -O command line option) allows +you to set socket options to be used when talking with the client. <P> +Socket options are controls on the networking layer of the operating systems +which allow the connection to be tuned. <P> +This option will typically be used to tune your Samba server for optimal +performance for your local network. There is no way that Samba can know what +the optimal parameters are for your net, so you must experiment and choose +them yourself. I strongly suggest you read the appropriate documentation for +your operating system first (perhaps "man setsockopt" will help). <P> +You may find that on some systems Samba will say "Unknown socket option" when +you supply an option. This means you either mis-typed it or you need to add +an include file to includes.h for your OS. If the latter is the case please +send the patch to me (samba-bugs@samba.anu.edu.au). <P> +Any of the supported socket options may be combined in any way you like, as +long as your OS allows it. <P> +This is the list of socket options currently settable using this option: <P> +SO_KEEPALIVE <BR> +SO_REUSEADDR <BR> +SO_BROADCAST <BR> +TCP_NODELAY <BR> +IPTOS_LOWDELAY <BR> +IPTOS_THROUGHPUT <BR> +SO_SNDBUF * <BR> +SO_RCVBUF * <BR> +SO_SNDLOWAT * <BR> +SO_RCVLOWAT * <P> +Those marked with a * take an integer argument. The others can optionally take +a 1 or 0 argument to enable or disable the option, by default they will +be enabled if you don't specify 1 or 0. <P> +To specify an argument use the syntax SOME_OPTION=VALUE for example +SO_SNDBUF=8192. Note that you must not have any spaces before or after the = +sign. <P> +If you are on a local network then a sensible option might be <P> +socket options = IPTOS_LOWDELAY <P> +If you have an almost unloaded local network and you don't mind a lot +of extra CPU usage in the server then you could try <P> +socket options = IPTOS_LOWDELAY TCP_NODELAY <P> +If you are on a wide area network then perhaps try setting IPTOS_THROUGHPUT. <P> +Note that several of the options may cause your Samba server to fail +completely. Use these options with caution! <P> +<B>Default:</B> no socket options <P> +<B>Example:</B> socket options = IPTOS_LOWDELAY <P> + +<H3><A NAME="status">status (G)</A></H3> +This enables or disables logging of connections to a status +file that <B>smbstatus</B> can read. <P> +With this disabled <B>smbstatus</B> won't be able to tell you what connections +are active. <P> +<B>Default:</B> status = Yes <P> +<B>Example:</B> status = No <P> + +<H3><A NAME="strict locking">strict locking (S)</A></H3> +This is a boolean that controls the handling of file locking in the server. +When this is set to yes the server will check every read and write access +for file locks, and deny access if locks exist. This can be slow on some +systems. <P> +When strict locking is "no" the server does file lock checks only when the +client explicitly asks for them. <P> +Well behaved clients always ask for lock checks when it is important, +so in the vast majority of cases "strict locking = no" is preferable. <P> +<B>Default:</B> strict locking = No <P> +<B>Example:</B> strict locking = Yes <P> + +<H3><A NAME="strip dot">strip dot (G)</A></H3> +This is a boolean that controls whether to strip trailing dots off +UNIX filenames. This helps with some CDROMs that have filenames ending +in a single dot. <P> +<B>Default:</B> strip dot = No <P> +<B>Example:</B> strip dot = Yes <P> + +<H3><A NAME="syslog">syslog (G)</A></H3> +This parameter maps how Samba debug messages are logged onto +the system syslog logging levels. Samba debug level zero maps onto syslog +LOG_ERR, debug level one maps onto LOG_WARNING, debug level two maps to +LOG_NOTICE, debug level three maps onto LOG_INFO. The paramter sets the +threshold for doing the mapping, all Samba debug messages above this threashold +are mapped to syslog LOG_DEBUG messages. <P> +<B>Default:</B> syslog = 1 <P> + +<H3><A NAME="syslog only">syslog only (G)</A></H3> +If this parameter is set then Samba debug messages are logged +into the system syslog only, and not to the debug log files. <P> +<B>Default:</B> syslog only = no <P> + +<H3><A NAME="sync always">sync always (S)</A></H3> +This is a boolean parameter that controls whether writes will always be +written to stable storage before the write call returns. If this is No then +the server will be guided by the client's request in each write call (clients +can set a bit indicating that a particular write should be synchronous). If +this is Yes then every write will be followed by a fsync() call to ensure the +data is written to disk. <P> +<B>Default:</B> sync always = No <P> +<B>Example:</B> sync always = Yes <P> + +<H3><A NAME="time offset">time offset (G)</A></H3> +This parameter is a setting in minutes to add to the normal GMT to local time +conversion. This is useful if you are serving a lot of PCs that have incorrect +daylight saving time handling. <P> +<B>Default:</B> time offset = 0 <P> +<B>Example:</B> time offset = 60 <P> + +<H3><A NAME="time server">time server (G)</A></H3> +This parameter determines if nmbd advertises itself as a time server to +Windows clients. <P> +<B>Default:</B> time server = No <P> +<B>Example:</B> time server = Yes <P> + +<H3><A NAME="unix password sync">unix password sync (G)</A></H3> +This boolean parameter controlls whether Samba attempts to synchronise the +UNIX password with the SMB password when the encrypted SMB password in +the smbpasswd file is changed. If this is set to Yes the +<A HREF="#passwd program">passwd program</A> +program is called *AS ROOT* - to allow the new UNIX password to be set +without access to the old UNIX password (as the SMB password has change +code has no access to the old password cleartext, only the new). By default +this is set to No. <P> +See also <A HREF="#passwd program">passwd program</A>, +<A HREF="#passwd chat">passwd chat</A> <P> +<B>Default:</B> unix password sync = No <P> +<B>Example:</B> unix password sync = Yes <P> + +<H3><A NAME="unix realname">unix realname (G)</A></H3> +This boolean parameter when set causes samba to supply the real name field +from the unix password file to the client. This is useful for setting up mail +clients and WWW browsers on systems used by more than one person. <P> +<B>Default:</B> unix realname = No <P> +<B>Example:</B> unix realname = Yes <P> + +<H3><A NAME="update encrypted">update encrypted (S)</A></H3> +This boolean parameter allows a user logging on with a plaintext password to +have their encrypted (hashed) password in the smbpasswd file to be updated +automatically as they log on. This option allows a site to migrate from +plaintext password authentication (users authenticate with plaintext +password over the wire, and are checked against a UNIX account database) to +encrypted password authentication (the SMB challenge/response authentication +mechanism) without forcing all users to re-enter their passwords via smbpasswd +at the time the change is made. This is a convenience option to allow the +change over to encrypted passwords to be made over a longer period. Once all +users have encrypted representations of their passwords in the smbpasswd file \ +this parameter should be set to "No". <P> +In order for this parameter to work correctly the +i<A HREF="#encrypt passwords">encrypt passwords</A> must be set to "No" when +this parameter is set to "Yes". <P> +Note that even when this parameter is set a user authenticating to smbd must +still enter a valid password in order to connect correctly, and to update their +hashed (smbpasswd) passwords. <P> +<B>Default:</B> update encrypted = No <P> + +<H3><A NAME="use rhosts">use rhosts (S)</A></H3> +<B>Default:</B> use rhosts = No <P> + +<H3><A NAME="username">username (S)</A></H3> +A synonym for this parameter is 'user'. <P> +Multiple users may be specified in a comma-delimited list, in which case the +supplied password will be tested against each username in turn (left to +right). <P> +The username= line is needed only when the PC is unable to supply its own +username. This is the case for the coreplus protocol or where your users have +different WfWg usernames to UNIX usernames. In both these cases you may also +be better using the \\server\share%user syntax instead. <P> +The username= line is not a great solution in many cases as it means Samba +will try to validate the supplied password against each of the usernames in +the username= line in turn. This is slow and a bad idea for lots of users in +case of duplicate passwords. You may get timeouts or security breaches using +this parameter unwisely. <P> +Samba relies on the underlying UNIX security. This parameter does not restrict +who can login, it just offers hints to the Samba server as to what usernames +might correspond to the supplied password. Users can login as whoever they +please and they will be able to do no more damage than if they started a +telnet session. The daemon runs as the user that they log in as, so they +cannot do anything that user cannot do. <P> +To restrict a service to a particular set of users you can use the +<A HREF="#valid users">valid users</A> line. <P> +If any of the usernames begin with a @ then the name will be looked +up in the groups file and will expand to a list of all users in the group +of that name. Note that searching though a groups file can take quite some +time, and some clients may time out during the search. <P> +See the section below on +<A HREF="#USERNAME/PASSWORD VALIDATION">USERNAME/PASSWORD VALIDATION</A> +for more information on how this parameter determines access to the services.<P> +<B>Default:</B> The guest account if a guest service, else the name of the service. <P> +<B>Examples:</B>username = fredusername = fred, mary, jack, jane, @users, @pcgroup <P> + +<H3><A NAME="username level">username level (G)</A></H3> +This option helps Samba to try and 'guess' at the real UNIX username, +as many DOS clients send an all-uppercase username. By default Samba tries +all lowercase, followed by the username with the first letter capitalized, +and fails if the username is not found on the UNIX machine. <P> +If this parameter is set to non-zero the behaviour changes. This parameter +is a number that specifies the number of uppercase combinations to try whilst +trying to determine the UNIX user name. The higher the number the more +combinations will be tried, but the slower the discovery of usernames will be. +Use this parameter when you have strange usernames on your UNIX machine, +such as 'AstrangeUser'. <P> +<B>Default:</B> username level = 0 <P> +<B>Example:</B> username level = 5 <P> + +<H3><A NAME="username map">username map (G)</A></H3> +This option allows you to to specify a file containing +a mapping of usernames from the clients to the server. This can be used +for several purposes. The most common is to map usernames that users use +on DOS or Windows machines to those that the UNIX box uses. The other is +to map multiple users to a single username so that they can more easily +share files. <P> +The map file is parsed line by line. Each line should contain +a single UNIX username on the left then a '=' followed by a list of usernames +on the right. The list of usernames on the right may contain names of the +form @group in which case they will match any UNIX username in that group. +The special client name '*' is a wildcard and matches any name. <P> +The file is processed on each line by taking the supplied username and +comparing it with each username on the right hand side of the '=' signs. If +the supplied name matches any of the names on the right hand side then it is +replaced with the name on the left. Processing then continues with the next +line. <P> +If any line begins with a '#' or a ';' then it is ignored <P> +If any line begins with an ! then the processing will stop after that line if +a mapping was done by the line. Otherwise mapping continues with every line +being processed. Using ! is most useful when you have a wildcard mapping line +later in the file. <P> +For example to map from the name "admin" or "administrator" to the UNIX name +"root" you would use <P> +root = admin administrator <P> +Or to map anyone in the UNIX group "system" to the UNIX name "sys" you would +use <P> +sys = @system <P> +You can have as many mappings as you like in a username map file. <P> +You can map Windows usernames that have spaces in them by using +double quotes around the name. For example: <P> +tridge = "Andrew Tridgell" <P> +would map the windows username "Andrew Tridgell" to the unix username +tridge. <P> +The following example would map mary and fred to the unix user +sys, and map the rest to guest. Note the use of the ! to tell Samba to +stop processing if it gets a match on that line. <P> +!sys = mary fred guest = * <P> +Note that the remapping is applied to all occurrences of usernames. +Thus if you connect to "\\server\fred" and "fred" is remapped to "mary" then +you will actually be connecting to "\\server\mary" and will need to supply +a password suitable for "mary" not "fred". The only exception to this is +the username passed to the <A HREF="#password server">password server</A> +(if you have one). The password server will receive whatever username the +client supplies without modification. <P> +Also note that no reverse mapping is done. The main effect this has is +with printing. Users who have been mapped may have trouble deleting print +jobs as PrintManager under WfWg will think they don't own the print job. <P> +<B>Default</B> no username map <P> +<B>Example</B> username map = /usr/local/samba/lib/users.map <P> + +<H3><A NAME="valid chars">valid chars (S)</A></H3> +The option allows you to specify additional characters that should be +considered valid by the server in filenames. This is particularly +useful for national character sets, such as adding u-umlaut or a-ring. <P> +The option takes a list of characters in either integer or character form +with spaces between them. If you give two characters with a colon between +them then it will be taken as an lowercase:uppercase pair. <P> +If you have an editor capable of entering the characters into the config file +then it is probably easiest to use this method. Otherwise you can specify the +characters in octal, decimal or hexadecimal form using the usual C notation.<P> +For example to add the single character 'Z' to the charset (which is a +pointless thing to do as it's already there) you could do one of the following +<P> +valid chars = Z <BR> +valid chars = z:Z <BR> +valid chars = 0132:0172 <P> +The last two examples above actually add two characters, and alter the +uppercase and lowercase mappings appropriately. <P> +Note that you MUST specify this parameter after the +<A HREF="#client code page">client code page</A> parameter if you have both +set. If "client code page" is set after the "valid chars" parameter the +"valid chars" settings will be overwritten. <P> +See also the <A HREF="#client code page">client code page</A> parameter. <P> +<B>Default:</B> Samba defaults to using a reasonable set of valid characters +for english systems <P> +<B>Example:</B> valid chars = 0345:0305 0366:0326 0344:0304 <P> +The above example allows filenames to have the swedish characters in them. <P> +NOTE: It is actually quite difficult to correctly produce a "valid chars" line +for a particular system. To automate the process tino@augsburg.net +has written a package called "validchars" which will automatically produce +a complete "valid chars" line for a given client system. Look in the examples +subdirectory for this package. <P> + +<H3><A NAME="valid users">valid users (S)</A></H3> +This is a list of users that should be allowed to login to this service. A +name starting with @ is interpreted as a UNIX group. <P> +If this is empty (the default) then any user can login. If a username is in +both this list and the <A HREF="#invalid users">invalid users</A> list then +access is denied for that user. <P> +The current servicename is substituted for %S. This is useful in the [homes] +section. <P> +See also <A HREF="#invalid users">invalid users</A> <P> +<B>Default</B> No valid users list. (anyone can login) <P> +<B>Example</B> valid users = greg, @pcusers <P> + +<H3><A NAME="veto files">veto files (S)</A></H3> +This is a list of files and directories that are neither visible nor +accessible. Each entry in the list must be separated by a "/", which allows +spaces to be included in the entry. '*' and '?' can be used to specify +multiple files or directories as in DOS wildcards. <P> +Each entry must be a unix path, not a DOS path and must not include the +unix directory separator "/". <P> +Note that the case sensitivity option is applicable in vetoing files. <P> +One feature of the veto files parameter that it is important to be aware of, +is that if a directory contains nothing but files that match the veto files +parameter (which means that Windows/DOS clients cannot ever see them) is +deleted, the veto files within that directory *are automatically deleted* +along with it, if the user has UNIX permissions to do so.Setting this +parameter will affect the performance of Samba, as it will be forced to check +all files and directories for a match as they are scanned. <P> +See also <A HREF="#hide files">hide files</A> and +<A HREF="#case sensitive">case sensitive</A> <P> +<B>Default</B> No files or directories are vetoed. <P> +<B>Examples</B> Example 1. Veto any files containing the word Security, any +ending in .tmp, and any directory containing the word root. <P> +veto files = /*Security*/*.tmp/*root*/ <P> +Example 2. Veto the Apple specific files that a NetAtalk server creates. <P> +veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/ <P> + +<H3><A NAME="veto oplock files">veto oplock files (S)</A></H3> +This parameter is only valid when the <A HREF="#oplocks">oplocks</A> +parameter is turned on for a share. It allows the Samba administrator to +selectively turn off the granting of oplocks on selected files that match +a wildcarded list, similar to the wildcarded list used in the +<A HREF="#veto files">veto files</A> parameter. <P> +<B>Default</B> No files are vetoed for oplock grants. <P> +<B>Examples</B> You might want to do this on files that you know will be +heavily contended for by clients. A good example of this is in the NetBench +SMB benchmark program, which causes heavy client contention for files ending +in .SEM. To cause Samba not to grant oplocks on these files you would use the +line (either in the [global] section or in the section for the particular +NetBench share : <P> +veto oplock files = /*.SEM/ <P> + +<H3><A NAME="volume">volume (S)</A></H3> +This allows you to override the volume label returned for a share. Useful for +CDROMs with installation programs that insist on a particular volume label.<P> +The default is the name of the share <P> + +<H3><A NAME="wide links">wide links (S)</A></H3> +This parameter controls whether or not links in the UNIX file system may be +followed by the server. Links that point to areas within the directory tree +exported by the server are always allowed; this parameter controls access only +to areas that are outside the directory tree being exported. <P> +<B>Default:</B> wide links = Yes <P> +<B>Example:</B> wide links = No <P> + +<H3><A NAME="wins proxy">wins proxy (G)</A></H3> +This is a boolean that controls if nmbd will respond to broadcast name queries +on behalf of other hosts. You may need to set this to no for some older +clients. <P> +<B>Default:</B> wins proxy = No <P> + +<H3><A NAME="wins server">wins server (G)</A></H3> +This specifies the DNS name (or IP address) of the WINS server that Samba +should register with. If you have a WINS server on your network then you +should set this to the WINS servers name. <P> +You should point this at your WINS server if you have a multi-subnetted +network. <P> +<B>Default:</B> wins server = <P> + +<H3><A NAME="wins support">wins support (G)</A></H3> +This boolean controls if the nmbd process in Samba will act as a WINS server. +You should not set this to Yes unless you have a multi-subnetted network and +you wish a particular nmbd to be your WINS server. Note that you should +*NEVER* set this to Yes on more than one machine in your network. <P> +<B>Default:</B> wins support = No <P> + +<H3><A NAME="workgroup">workgroup (G)</A></H3> +This controls what workgroup your server will appear to be in when queried by +clients. <P> +<B>Default:</B> set in the Makefile <P> +<B>Example:</B> workgroup = MYGROUP <P> + +<H3><A NAME="write list">write list (S)</A></H3> +This is a list of users that are given read-write access to a service. If +the connecting user is in this list then they will be given write access, +no matter what the <A HREF="#writable">writable</A> option is set to. +The list can include group names using the @group syntax. <P> +Note that if a user is in both the read list and the write list then they +will be given write access. <P> +See also the <A HREF="#read list">read list</A> option <P> +<B>Default:</B> write list = <P> +<B>Example:</B> write list = admin, root, @staff <P> + +<H3><A NAME="write raw">write raw (G)</A></H3> +This parameter controls whether or not the server will support raw writes +when transferring data from clients. <P> +<B>Default:</B> write raw = Yes <P> +<B>Example:</B> write raw = No <P> + +<H3><A NAME="USERNAME/PASSWORD VALIDATION">USERNAME/PASSWORD VALIDATION</A></H3> +There are a number of ways in which a user can connect to a +service. The server follows the following steps in determining if it will +allow a connection to a specified service. If all the steps fail then the +connection request is rejected. If one of the steps pass then the following +steps are not checked. <P> +If the service is marked "<A HREF="#guest only">guest only</A> = yes" then +steps 1 to 5 are skipped <P> +Step 1: If the client has passed a username/password +pair and that username/password pair is validated by the UNIX system's +password programs then the connection is made as that username. Note that +this includes the \\server\service%username method of passing a username. <P> +Step 2: If the client has previously registered a username with the system +and now supplies a correct password for that username then the connection +is allowed. <P> +Step 3: The client's netbios name and any previously used user +names are checked against the supplied password, if they match then the +connection is allowed as the corresponding user. <P> +Step 4: If the client has previously validated a username/password pair with +the server and the client has passed the validation token then that username +is used. This step is skipped if "<A HREF="#revalidate">revalidate</A> = yes" +for this service. <P> +Step 5: If a "<A HREF="#username">username</A> = " field is given in the +smb.conf file for the service and the client has supplied a password, and +that password matches (according to the UNIX system's password checking) with +one of the usernames from the username= field then the connection is made as +the username in the "username=" line. If one of the username in the username= +list begins with a @ then that name expands to a list of names in the group +of the same name. <P> +Step 6: If the service is a guest service then a connection is made as the +username given in the "<A HREF="#guest account">guest account</A> =" for the +service, irrespective of the supplied password.<P> + +<H3><A NAME="NAME MANGLING">NAME MANGLING </A></H3> +Samba supports "name mangling" so that DOS and Windows clients can use files +that don't conform to the 8.3 format. It can also be set to adjust the case of +8.3 format filenames. <P> +There are several options that control the way mangling is +performed, and they are grouped here rather than listed separately. <P> +All of these options can be set separately for each service (or globally, +of course). <P> +The options are: <P> +"<A HREF="#mangle case">mangle case</A> = yes/no" controls if names that have +characters that aren't of the "default" case are mangled. For example, if +this is yes then a name like "Mail" would be mangled. Default no. <P> +"<A HREF="#case sensitive">case sensitive</A> = yes/no" controls whether +filenames are case sensitive. If they aren't then Samba must do a filename +search and match on passed names. Default no. <P> +"<A HREF="#default case">default case</A> = upper/lower" controls what the +default case is for new filenames. Default lower. <P> +"<A HREF="#preserve case">preserve case</A> = yes/no" controls if new +files are created with the case that the client passes, or if they are +forced to be the "default" case. Default no. <P> +"<A HREF="#short preserve case">short preserve case</A> = yes/no" +controls if new files which conform to 8.3 syntax, that is all in upper +case and of suitable length, are created upper case, or if they are forced +to be the "default" case. This option can be use with "preserve case = +yes" to permit long filenames to retain their case, while short names +are lowered. Default no. <P> + +</BODY> +</HTML> + + diff --git a/swat/help/welcome.html b/swat/help/welcome.html new file mode 100644 index 00000000000..a1545ac9d7f --- /dev/null +++ b/swat/help/welcome.html @@ -0,0 +1,74 @@ +Welcome to SWAT!<p> + +This is a online demonstration of the current version of the Samba Web +Administration Tool. This tool is still being written so you'll find +it looks very rough at this stage.<p> + +Normally this opening page would contain the (as yet unwritten) welcome +blurb for SWAT, giving basic instructions on how to use it. I've put +this bit of waffle in its place for the moment. <p> + +Also note that SWAT normally demands authentication before showing you +this page, otherwise anyone could modify your smb.conf! I've disabled +that for this demo.<p> + +<H2>Features</H2> + +Here are some of the features we want to eventually incorporate.<p> + +<ul> +<li> manage smbpasswd (add/delete users, change passwords etc) +<li> be able to run the disgnosis steps from DIAGNOSIS.txt +<li> wizard style config building +</ul> + +There are also some obvious flaws with what has already been done: + +<ul> +<li> help is ghastly +<li> ordering of parameters needs to be looked at +<li> images need redoing +</ul> + +On the positive side, here are some good features of SWAT: + +<ul> +<li> built in mini web server so you don't need a web server installed to +manage a Samba server, you just need a browser +<li> links to loadparm.c so it automatically makes available new +parameters as they are added to Samba. +<li> it's quite small (around 500 lines of code currently) +<li> layout and dialog building is done automatically based on the type +fields in loadparm.c +</ul> + + +<H2>Installation</H2> + +Before you install SWAT you need to realise that it is still work in +progress. It does work but don't be totally surprised if you hit +problems. Also make sure you are prepared to give us some feedback.<p> + +If you still want to install it then you will need to fetch the latest +version of Samba via anonymous CVS. See <A +HREF="http://samba.anu.edu.au/cvs.html">http://samba.anu.edu.au/cvs.html</A>. Then +build and install Samba as usual and read the swat/README file that +comes with the source. + +<H2>Feedback</H2> + +Join the <A +HREF="http://samba.anu.edu.au/listproc/">samba-technical</A> mailing +list if you want to discuss SWAT. + +-- <p> +<A HREF="http://samba.anu.edu.au/~tridge">Andrew Tridgell</A> + + + + + + + + + diff --git a/swat/images/background.gif b/swat/images/background.gif Binary files differnew file mode 100644 index 00000000000..b3484629654 --- /dev/null +++ b/swat/images/background.gif diff --git a/swat/images/background.jpg b/swat/images/background.jpg Binary files differnew file mode 100644 index 00000000000..e84e11fbefc --- /dev/null +++ b/swat/images/background.jpg diff --git a/swat/images/globals.gif b/swat/images/globals.gif Binary files differnew file mode 100644 index 00000000000..03bc4baaf5e --- /dev/null +++ b/swat/images/globals.gif diff --git a/swat/images/home.gif b/swat/images/home.gif Binary files differnew file mode 100644 index 00000000000..fcb7d383171 --- /dev/null +++ b/swat/images/home.gif diff --git a/swat/images/printers.gif b/swat/images/printers.gif Binary files differnew file mode 100644 index 00000000000..68f4a34dafb --- /dev/null +++ b/swat/images/printers.gif diff --git a/swat/images/samba.gif b/swat/images/samba.gif Binary files differnew file mode 100644 index 00000000000..3ec3d2195ff --- /dev/null +++ b/swat/images/samba.gif diff --git a/swat/images/shares.gif b/swat/images/shares.gif Binary files differnew file mode 100644 index 00000000000..79ac7353c7b --- /dev/null +++ b/swat/images/shares.gif diff --git a/swat/images/status.gif b/swat/images/status.gif Binary files differnew file mode 100644 index 00000000000..1b4ee8a9a56 --- /dev/null +++ b/swat/images/status.gif diff --git a/swat/images/viewconfig.gif b/swat/images/viewconfig.gif Binary files differnew file mode 100644 index 00000000000..081a62e6566 --- /dev/null +++ b/swat/images/viewconfig.gif diff --git a/swat/include/footer.html b/swat/include/footer.html new file mode 100644 index 00000000000..7c3b483684c --- /dev/null +++ b/swat/include/footer.html @@ -0,0 +1,3 @@ +</TD></TR></TABLE></CENTER> +</BODY> +</HTML> diff --git a/swat/include/header.html b/swat/include/header.html new file mode 100644 index 00000000000..f964133316a --- /dev/null +++ b/swat/include/header.html @@ -0,0 +1,10 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> +<HTML> +<HEAD> +<TITLE>Samba Web Administration Tool</TITLE> +</HEAD> +<BODY bgcolor="white"> +<CENTER> +<IMG SRC="/swat/images/samba.gif" ALT="[ Samba ]" border=0><BR> +<TABLE WIDTH="98%" CELLSPACING=1 CELLPADDING=4 BORDER=1> +<TR><TD BGCOLOR="#ddddd0"> |
