<refsect1>
<title>EXAMPLE SETUP</title>
- <para>To setup winbindd for user and group lookups plus
+ <para>
+ To setup winbindd for user and group lookups plus
authentication from a domain controller use something like the
- following setup. This was tested on a RedHat 6.2 Linux box. </para>
+ following setup. This was tested on an early Red Hat Linux box.
+ </para>
<para>In <filename>/etc/nsswitch.conf</filename> put the
following:
<programlisting>
-passwd: files winbind
-group: files winbind
-</programlisting></para>
+passwd: files winbind
+group: files winbind
+</programlisting>
+ </para>
<para>In <filename>/etc/pam.d/*</filename> replace the <parameter>
auth</parameter> lines with something like this:
<programlisting>
-auth required /lib/security/pam_securetty.so
-auth required /lib/security/pam_nologin.so
-auth sufficient /lib/security/pam_winbind.so
-auth required /lib/security/pam_pwdb.so use_first_pass shadow nullok
-</programlisting></para>
+auth required /lib/security/pam_securetty.so
+auth required /lib/security/pam_nologin.so
+auth sufficient /lib/security/pam_winbind.so
+auth required /lib/security/pam_pwdb.so \
+ use_first_pass shadow nullok
+</programlisting>
+ </para>
<para>Note in particular the use of the <parameter>sufficient
<manvolnum>8</manvolnum></citerefentry> and name service <citerefentry><refentrytitle>nmbd</refentrytitle>
<manvolnum>8</manvolnum></citerefentry> in a slightly different ways.</para>
- <para>For name service it causes <command moreinfo="none">nmbd</command> to bind
- to ports 137 and 138 on the interfaces listed in
- the <link linkend="INTERFACES">interfaces</link> parameter. <command moreinfo="none">nmbd</command> also
- binds to the "all addresses" interface (0.0.0.0)
- on ports 137 and 138 for the purposes of reading broadcast messages.
- If this option is not set then <command moreinfo="none">nmbd</command> will service
- name requests on all of these sockets. If <smbconfoption name="bind interfaces only"/> is set then <command moreinfo="none">nmbd</command> will check the
- source address of any packets coming in on the broadcast sockets
- and discard any that don't match the broadcast addresses of the
- interfaces in the <smbconfoption name="interfaces"/> parameter list.
- As unicast packets are received on the other sockets it allows
- <command moreinfo="none">nmbd</command> to refuse to serve names to machines that
- send packets that arrive through any interfaces not listed in the
- <smbconfoption name="interfaces"/> list. IP Source address spoofing
- does defeat this simple check, however, so it must not be used
- seriously as a security feature for <command moreinfo="none">nmbd</command>.</para>
+ <para>
+ For name service it causes <command moreinfo="none">nmbd</command> to bind to ports 137 and 138 on the
+ interfaces listed in the <smbconfoption name="interfaces"/> parameter. <command moreinfo="none">nmbd</command>
+ also binds to the "all addresses" interface (0.0.0.0) on ports 137 and 138 for the purposes of
+ reading broadcast messages. If this option is not set then <command moreinfo="none">nmbd</command> will
+ service name requests on all of these sockets. If <smbconfoption name="bind interfaces only"/> is set then
+ <command moreinfo="none">nmbd</command> will check the source address of any packets coming in on the
+ broadcast sockets and discard any that don't match the broadcast addresses of the interfaces in the
+ <smbconfoption name="interfaces"/> parameter list. As unicast packets are received on the other sockets it
+ allows <command moreinfo="none">nmbd</command> to refuse to serve names to machines that send packets that
+ arrive through any interfaces not listed in the <smbconfoption name="interfaces"/> list. IP Source address
+ spoofing does defeat this simple check, however, so it must not be used seriously as a security feature for
+ <command moreinfo="none">nmbd</command>.
+ </para>
- <para>For file service it causes <citerefentry><refentrytitle>smbd</refentrytitle>
- <manvolnum>8</manvolnum></citerefentry> to bind only to the interface list
- given in the <link linkend="INTERFACES">interfaces</link> parameter. This
- restricts the networks that <command moreinfo="none">smbd</command> will serve
- to packets coming in those interfaces. Note that you should not use this parameter
- for machines that are serving PPP or other intermittent or non-broadcast network
- interfaces as it will not cope with non-permanent interfaces.</para>
+ <para>
+ For file service it causes <citerefentry><refentrytitle>smbd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> to bind only to the interface list given in the <smbconfoption
+ name="interfaces"/> parameter. This restricts the networks that <command moreinfo="none">smbd</command> will
+ serve to packets coming in those interfaces. Note that you should not use this parameter for machines that
+ are serving PPP or other intermittent or non-broadcast network interfaces as it will not cope with
+ non-permanent interfaces.
+ </para>
-<para>If <smbconfoption name="bind interfaces only"/> is set then
- unless the network address <emphasis>127.0.0.1</emphasis> is added
- to the <smbconfoption name="interfaces"/> parameter
- list <citerefentry><refentrytitle>smbpasswd</refentrytitle>
- <manvolnum>8</manvolnum></citerefentry> and <citerefentry><refentrytitle>swat</refentrytitle>
- <manvolnum>8</manvolnum></citerefentry> may not work as expected due
- to the reasons covered below.</para>
+ <para>
+ If <smbconfoption name="bind interfaces only"/> is set then unless the network address
+ <emphasis>127.0.0.1</emphasis> is added to the <smbconfoption name="interfaces"/> parameter list
+ <citerefentry><refentrytitle>smbpasswd</refentrytitle> <manvolnum>8</manvolnum></citerefentry> and
+ <citerefentry><refentrytitle>swat</refentrytitle> <manvolnum>8</manvolnum></citerefentry> may not work as
+ expected due to the reasons covered below.
+ </para>
- <para>To change a users SMB password, the <command moreinfo="none">smbpasswd</command>
- by default connects to the <emphasis>localhost - 127.0.0.1</emphasis>
- address as an SMB client to issue the password change request. If
- <smbconfoption name="bind interfaces only"/> is set then unless the
- network address <emphasis>127.0.0.1</emphasis> is added to the
- <smbconfoption name="interfaces"/> parameter list then <command moreinfo="none">
- smbpasswd</command> will fail to connect in it's default mode.
- <command moreinfo="none">smbpasswd</command> can be forced to use the primary IP interface
- of the local host by using its <citerefentry><refentrytitle>smbpasswd</refentrytitle>
- <manvolnum>8</manvolnum></citerefentry> <parameter moreinfo="none">-r <replaceable>remote machine</replaceable></parameter>
- parameter, with <replaceable>remote machine</replaceable> set
- to the IP name of the primary interface of the local host.</para>
+ <para>
+ To change a users SMB password, the <command moreinfo="none">smbpasswd</command> by default connects to the
+ <emphasis>localhost - 127.0.0.1</emphasis> address as an SMB client to issue the password change request. If
+ <smbconfoption name="bind interfaces only"/> is set then unless the network address
+ <emphasis>127.0.0.1</emphasis> is added to the <smbconfoption name="interfaces"/> parameter list then <command
+ moreinfo="none"> smbpasswd</command> will fail to connect in it's default mode. <command
+ moreinfo="none">smbpasswd</command> can be forced to use the primary IP interface of the local host by using
+ its <citerefentry><refentrytitle>smbpasswd</refentrytitle> <manvolnum>8</manvolnum></citerefentry> <parameter
+ moreinfo="none">-r <replaceable>remote machine</replaceable></parameter> parameter, with <replaceable>remote
+ machine</replaceable> set to the IP name of the primary interface of the local host.
+ </para>
- <para>The <command moreinfo="none">swat</command> status page tries to connect with
- <command moreinfo="none">smbd</command> and <command moreinfo="none">nmbd</command> at the address
- <emphasis>127.0.0.1</emphasis> to determine if they are running.
- Not adding <emphasis>127.0.0.1</emphasis> will cause <command moreinfo="none">
- smbd</command> and <command moreinfo="none">nmbd</command> to always show
- "not running" even if they really are. This can prevent <command moreinfo="none">
- swat</command> from starting/stopping/restarting <command moreinfo="none">smbd</command>
- and <command moreinfo="none">nmbd</command>.</para>
+ <para>
+ The <command moreinfo="none">swat</command> status page tries to connect with <command
+ moreinfo="none">smbd</command> and <command moreinfo="none">nmbd</command> at the address
+ <emphasis>127.0.0.1</emphasis> to determine if they are running. Not adding <emphasis>127.0.0.1</emphasis>
+ will cause <command moreinfo="none"> smbd</command> and <command moreinfo="none">nmbd</command> to always show
+ "not running" even if they really are. This can prevent <command moreinfo="none"> swat</command>
+ from starting/stopping/restarting <command moreinfo="none">smbd</command> and <command
+ moreinfo="none">nmbd</command>.
+ </para>
</description>
<value type="default">no</value>
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
<para>This controls what character is used as
- the <emphasis>magic</emphasis> character in <link linkend="NAMEMANGLINGSECT">name mangling</link>. The
+ the <emphasis>magic</emphasis> character in <smbconfoption name="name mangling"/>. The
default is a '~' but this may interfere with some software. Use this option to set
it to whatever you prefer. This is effective only when mangling method is hash.</para>
</description>
<refentrytitle>smbd</refentrytitle><manvolnum>8</manvolnum></citerefentry> will
always grant oplock requests no matter how many clients are using the file.</para>
- <para>It is generally much better to use the real <link linkend="OPLOCKS">
- <parameter moreinfo="none">oplocks</parameter></link> support rather
+ <para>It is generally much better to use the real <smbconfoption name="oplocks"/> support rather
than this parameter.</para>
<para>If you enable this option on all read-only shares or
context="G"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
- <para>For UNIXes that support kernel based <link linkend="OPLOCKS">
- <parameter moreinfo="none">oplocks</parameter></link>
+ <para>For UNIXes that support kernel based <smbconfoption name="oplocks"/>
(currently only IRIX and the Linux 2.4 kernel), this parameter
allows the use of them to be turned on or off.</para>
<para>For more discussions on level2 oplocks see the CIFS spec.</para>
- <para>Currently, if <link linkend="KERNELOPLOCKS"><parameter moreinfo="none">kernel
- oplocks</parameter></link> are supported then level2 oplocks are
- not granted (even if this parameter is set to <constant>yes</constant>).
- Note also, the <link linkend="OPLOCKS"><parameter moreinfo="none">oplocks</parameter>
- </link> parameter must be set to <constant>yes</constant> on this share in order for
+ <para>
+ Currently, if <smbconfoption name="kernel oplocks"/> are supported then
+ level2 oplocks are not granted (even if this parameter is set to
+ <constant>yes</constant>). Note also, the <smbconfoption name="oplocks"/>
+ parameter must be set to <constant>yes</constant> on this share in order for
this parameter to have any effect.</para>
</description>
<description>
<para>The time in microseconds that smbd should
pause before attempting to gain a failed lock. See
- <link linkend="LOCKSPINCOUNT"><parameter moreinfo="none">lock spin
- count</parameter></link> for more details.</para>
+ <smbconfoption name="lock spin count"/> for more details.</para>
</description>
<value type="default">10</value>
</samba:parameter>
directory.</para>
<para>Oplocks may be selectively turned off on certain files with a
- share. See the <link linkend="VETOOPLOCKFILES"><parameter moreinfo="none">
- veto oplock files</parameter></link> parameter. On some systems
+ share. See the <smbconfoption name="veto oplock files"/> parameter. On some systems
oplocks are recognized by the underlying operating system. This
allows data synchronization between all access to oplocked files,
whether it be via Samba or NFS or a local UNIX process. See the
boolean parameter adds microsecond resolution to the timestamp
message header when turned on.</para>
- <para>Note that the parameter <link linkend="DEBUGTIMESTAMP"><parameter moreinfo="none">
- debug timestamp</parameter></link> must be on for this to have an
+ <para>
+ Note that the parameter <smbconfoption name="debug timestamp"/> must be on for this to have an
effect.</para>
</description>
is adds the process-id to the timestamp message headers in the
logfile when turned on.</para>
- <para>Note that the parameter <link linkend="DEBUGTIMESTAMP"><parameter moreinfo="none">
- debug timestamp</parameter></link> must be on for this to have an
+ <para>Note that the parameter <smbconfoption name="debug timestamp"/> must be on for this to have an
effect.</para>
</description>
<value type="default">no</value>
<synonym>timestamp logs</synonym>
<description>
<para>Samba debug log messages are timestamped
- by default. If you are running at a high <link linkend="DEBUGLEVEL">
- <parameter moreinfo="none">debug level</parameter></link> these timestamps
+ by default. If you are running at a high <smbconfoption name="debug level"/> these timestamps
can be distracting. This boolean parameter allows timestamping
to be turned off.</para>
</description>
current euid, egid, uid and gid to the timestamp message headers
in the log file if turned on.</para>
- <para>Note that the parameter <link linkend="DEBUGTIMESTAMP"><parameter moreinfo="none">
- debug timestamp</parameter></link> must be on for this to have an
+ <para>Note that the parameter <smbconfoption name="debug timestamp"/> must be on for this to have an
effect.</para>
</description>
<value type="default">no</value>
<description>
<para>This a full path name to a script called by <citerefentry><refentrytitle>smbd</refentrytitle>
<manvolnum>8</manvolnum></citerefentry> that
- should stop a shutdown procedure issued by the <link linkend="SHUTDOWNSCRIPT">
- <parameter moreinfo="none">shutdown script</parameter></link>.</para>
+ should stop a shutdown procedure issued by the <smbconfoption name="shutdown script"/>.</para>
<para>If the connected user posseses the <constant>SeRemoteShutdownPrivilege</constant>,
right, this command will be run as user.</para>
already existed. In this way, UNIX users are dynamically created to
match existing Windows NT accounts.</para>
- <para>See also <link linkend="SECURITY"><parameter moreinfo="none">
- security</parameter></link>, <link linkend="PASSWORDSERVER">
- <parameter moreinfo="none">password server</parameter></link>,
- <link linkend="DELETEUSERSCRIPT"><parameter moreinfo="none">delete user
- script</parameter></link>.</para>
+ <para>
+ See also <smbconfoption name="security"/>, <smbconfoption name="password server"/>,
+ <smbconfoption name="delete user script"/>.
+ </para>
</description>
<value type="default"/>
<para>
If set to <constant>yes</constant>, the Samba server will
provide the netlogon service for Windows 9X network logons for the
- <link linkend="WORKGROUP">
- <parameter moreinfo="none">workgroup</parameter></link> it is in.
+ <smbconfoption name="workgroup"/> it is in.
This will also cause the Samba server to act as a domain
controller for NT4 style domain services. For more details on
setting up this feature see the Domain Control chapter of the
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
<para>This parameter specifies the local path to
- which the home directory will be connected (see <link linkend="LOGONHOME">
- <parameter moreinfo="none">logon home</parameter></link>)
+ which the home directory will be connected (see <smbconfoption name="logon home"/>)
and is only used by NT Workstations. </para>
<para>Note that this option is only useful if Samba is set up as a
\\server\share when a user does <command moreinfo="none">net use /home</command>
but use the whole string when dealing with profiles.</para>
- <para>Note that in prior versions of Samba, the <link linkend="LOGONPATH">
- <parameter moreinfo="none">logon path</parameter></link> was returned rather than
+ <para>Note that in prior versions of Samba, the <smbconfoption name="logon path"/> was returned rather than
<parameter moreinfo="none">logon home</parameter>. This broke <command
moreinfo="none">net use /home</command> but allowed profiles outside the home directory.
The current implementation is correct, and can be used for profiles if you use
where roaming profiles (NTuser.dat etc files for Windows NT) are
stored. Contrary to previous versions of these manual pages, it has
nothing to do with Win 9X roaming profiles. To find out how to
- handle roaming profiles for Win 9X system, see the <link linkend="LOGONHOME">
- <parameter moreinfo="none">logon home</parameter></link> parameter.</para>
+ handle roaming profiles for Win 9X system, see the <smbconfoption name="logon home"/> parameter.</para>
<para>This option takes the standard substitutions, allowing you
to have separate logon scripts for each user or machine. It also
file is recommended.</para>
<para>The script must be a relative path to the [netlogon]
- service. If the [netlogon] service specifies a <link linkend="PATH">
- <parameter moreinfo="none">path</parameter></link> of <filename
- moreinfo="none">/usr/local/samba/netlogon</filename>, and <command
- moreinfo="none">logon script = STARTUP.BAT</command>, then
- the file that will be downloaded is:</para>
-
- <para><filename moreinfo="none">/usr/local/samba/netlogon/STARTUP.BAT</filename></para>
+ service. If the [netlogon] service specifies a <smbconfoption name="path"/> of <filename
+ moreinfo="none">/usr/local/samba/netlogon</filename>, and <smbconfoption name="logon
+ script">STARTUP.BAT</smbconfoption>, then the file that will be downloaded is:
+ <screen>
+ /usr/local/samba/netlogon/STARTUP.BAT
+ </screen>
+ </para>
<para>The contents of the batch file are entirely your choice. A
suggested command would be to add <command moreinfo="none">NET TIME \\SERVER /SET
<para>This option takes the standard substitutions, allowing you
to have separate logon scripts for each user or machine.</para>
- <para>This option is only useful if Samba is set up as a logon
- server.</para>
+ <para>This option is only useful if Samba is set up as a logon server.</para>
</description>
<value type="default"></value>
<value type="example">scripts\%U.bat</value>
<para>
This parameter is only used for add file shares. To add printer shares,
- see the <link linkend="ADDPRINTERCOMMAND"><parameter moreinfo="none">addprinter
- command</parameter></link>.
+ see the <smbconfoption name="addprinter command"/>.
</para>
</description>
parameter is not given, attempting to connect to a nonexistent
service results in an error.</para>
- <para>Typically the default service would be a <link linkend="GUESTOK">
- <parameter moreinfo="none">guest ok</parameter></link>, <link linkend="READONLY">
- <parameter moreinfo="none">read-only</parameter></link> service.</para>
-
- <para>Also note that the apparent service name will be changed
- to equal that of the requested service, this is very useful as it
- allows you to use macros like <parameter moreinfo="none">%S</parameter> to make
- a wildcard service.</para>
+ <para>
+ Typically the default service would be a <smbconfoption name="guest ok"/>, <smbconfoption
+ name="read-only"/> service.</para> <para>Also note that the apparent service name will be changed to equal
+ that of the requested service, this is very useful as it allows you to use macros like <parameter
+ moreinfo="none">%S</parameter> to make a wildcard service.
+ </para>
<para>Note also that any "_" characters in the name of the service
used in the default service will get mapped to a "/". This allows for
<para>
This parameter is only used to remove file shares. To delete printer shares,
- see the <link linkend="DELETEPRINTERCOMMAND"><parameter moreinfo="none">deleteprinter
- command</parameter></link>.
+ see the <smbconfoption name="deleteprinter command"/>.
</para>
</description>
advanced="1" developer="1"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
- <para>If<link linkend="NISHOMEDIR"><parameter moreinfo="none">nis homedir
- </parameter></link> is <constant>yes</constant>, and <citerefentry><refentrytitle>smbd</refentrytitle>
+ <para>If <smbconfoption name="nis homedir"/> is <constant>yes</constant>,
+ and <citerefentry><refentrytitle>smbd</refentrytitle>
<manvolnum>8</manvolnum></citerefentry> is also acting
as a Win95/98 <parameter moreinfo="none">logon server</parameter> then this parameter
specifies the NIS (or YP) map from which the server for the user's
<description>
<para>This option specifies the directory where lock
files will be placed. The lock files are used to implement the
- <link linkend="MAXCONNECTIONS"><parameter moreinfo="none">max connections</parameter>
-</link> option.</para>
+ <smbconfoption name="max connections"/> option.
+ </para>
</description>
<value type="default">${prefix}/var/locks</value>
type="string"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
- <para>This parameter specifies the name of a file
+ <para>
+ This parameter specifies the name of a file
which will contain output created by a magic script (see the
- <link linkend="MAGICSCRIPT"><parameter moreinfo="none">magic script</parameter></link>
- parameter below).</para>
+ <smbconfoption name="magic script"/> parameter below).
+ </para>
<warning><para>If two clients use the same <parameter moreinfo="none">magic script
</parameter> in the same directory the output file content
of privilege and the file permissions allow the deletion.</para>
<para>If the script generates output, output will be sent to
- the file specified by the <link linkend="MAGICOUTPUT"><parameter moreinfo="none">
- magic output</parameter></link> parameter (see above).</para>
+ the file specified by the <smbconfoption name="magic output"/>
+ parameter (see above).</para>
<para>Note that some shells are unable to interpret scripts
containing CR/LF instead of CR as
long as a Samba daemon is running on the home directory server,
it will be mounted on the Samba client directly from the directory
server. When Samba is returning the home share to the client, it
- will consult the NIS map specified in <link linkend="HOMEDIRMAP">
- <parameter moreinfo="none">homedir map</parameter></link> and return the server
+ will consult the NIS map specified in
+ <smbconfoption name="homedir map"/> and return the server
listed there.</para>
<para>Note that for this option to work there must be a working
message every time they log in. Maybe a message of the day? Here
is an example:</para>
- <para><command moreinfo="none">preexec = csh -c 'echo \"Welcome to %S!\" | /usr/local/samba/bin/smbclient -M %m -I %I' & </command></para>
+ <para>
+ <command moreinfo="none">preexec = csh -c 'echo \"Welcome to %S!\" |
+ /usr/local/samba/bin/smbclient -M %m -I %I' & </command>
+ </para>
<para>Of course, this could get annoying after a while :-)</para>
- <para>See also <link linkend="PREEXECCLOSE"><parameter moreinfo="none">preexec close</parameter></link> and <link
- linkend="POSTEXEC"><parameter moreinfo="none">postexec
- </parameter></link>.</para>
+ <para>
+ See also <smbconfoption name="preexec close"/> and <smbconfoption name="postexec"/>.
+ </para>
</description>
<value type="default"></value>
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
<para>This boolean option controls whether a non-zero
- return code from <link linkend="PREEXEC"><parameter moreinfo="none">preexec
-</parameter></link> should close the service being connected to.</para>
+ return code from <smbconfoption name="preexec"/> should close the service being connected to.</para>
</description>
<value type="default">no</value>
for homes and printers services that would otherwise not be
visible.</para>
- <para>Note that if you just want all printers in your
- printcap file loaded then the <link linkend="LOADPRINTERS">
- <parameter moreinfo="none">load printers</parameter></link> option is easier.</para>
+ <para>
+ Note that if you just want all printers in your
+ printcap file loaded then the <smbconfoption name="load printers"/>
+ option is easier.
+ </para>
</description>
<value type="default"></value>
<para>the above line would cause <command moreinfo="none">nmbd</command> to announce itself
to the two given IP addresses using the given workgroup names.
If you leave out the workgroup name then the one given in
- the <link linkend="WORKGROUP"><parameter moreinfo="none">workgroup</parameter></link>
- parameter is used instead.</para>
+ the <smbconfoption name="workgroup"/> parameter is used instead.</para>
<para>The IP addresses you choose would normally be the broadcast
addresses of the remote networks, but can also be the IP addresses
of known browse masters if your network config is that stable.</para>
-<para>See <link linkend="NetworkBrowsing"/>.</para>
+<para>See <smbconfoption name="NetworkBrowsing"/>.</para>
</description>
<value type="default"></value>
print="1"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
- <para>This parameter is only applicable if <link
- linkend="PRINTING"><parameter moreinfo="none">printing</parameter></link> is
+ <para>
+ This parameter is only applicable if <smbconfoption name="printing"/> is
set to <constant>cups</constant>. Its value is a free form string of options
passed directly to the cups library.
</para>
print="1"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
- <para>This parameter is only applicable if <link
- linkend="PRINTING"><parameter moreinfo="none">printing</parameter></link> is
- set to <constant>cups</constant>.
+ <para>This parameter is only applicable if <smbconfoption name="printing"/> is set to <constant>cups</constant>.
</para>
<para>If set, this option overrides the ServerName option in the CUPS
print="1"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
- <para>This parameter is only applicable to <link linkend="PRINTOK">printable</link> services.
+ <para>This parameter is only applicable to <smbconfoption name="printable"/> services.
When smbd is serving Printer Drivers to Windows NT/2k/XP clients, each printer on the Samba
server has a Device Mode which defines things such as paper size and
orientation and duplex settings. The device mode can only correctly be
DeletePrinter() RPC call.</para>
<para>For a Samba host this means that the printer must be
- physically deleted from underlying printing system. The <parameter moreinfo="none">
- deleteprinter command</parameter> defines a script to be run which
+ physically deleted from underlying printing system. The
+ <smbconfoption name="deleteprinter command"/> defines a script to be run which
will perform the necessary operations for removing the printer
from the print system and from <filename moreinfo="none">smb.conf</filename>.
</para>
- <para>The <parameter moreinfo="none">deleteprinter command</parameter> is
- automatically called with only one parameter: <parameter moreinfo="none">
- "printer name"</parameter>.</para>
+ <para>The <smbcomfoption name="deleteprinter command"/> is
+ automatically called with only one parameter: <smbconfoption name="printer name"/>.
+ </para>
- <para>Once the <parameter moreinfo="none">deleteprinter command</parameter> has
+ <para>Once the <smbconfoption name="deleteprinter command"/> has
been executed, <command moreinfo="none">smbd</command> will reparse the <filename moreinfo="none">
smb.conf</filename> to associated printer no longer exists.
If the sharename is still valid, then <command moreinfo="none">smbd
<description>
<para>A boolean variable that controls whether all
printers in the printcap will be loaded for browsing by default.
- See the <link linkend="PRINTERSSECT">printers</link> section for
+ See the <smbconfoption name="printers"/> section for
more details.</para>
</description>
<para>This command should be a program or script which takes
a printer name and job number to resume the print job. See
- also the <link linkend="LPPAUSECOMMAND"><parameter moreinfo="none">lppause command
- </parameter></link> parameter.</para>
+ also the <smbconfoption name="lppause command"/> parameter.</para>
<para>If a <parameter moreinfo="none">%p</parameter> is given then the printer name
is put in its place. A <parameter moreinfo="none">%j</parameter> is replaced with
in the <parameter moreinfo="none">lpresume command</parameter> as the PATH may not
be available to the server.</para>
- <para>See also the <link linkend="PRINTING"><parameter moreinfo="none">printing
- </parameter></link> parameter.</para>
+ <para>See also the <smbconfoption name="printing"/> parameter.</para>
<para>Default: Currently no default value is given
to this string, unless the value of the <parameter moreinfo="none">printing</parameter>
LaserJet 5L</command>.</para>
<para>The need for the file is due to the printer driver namespace
- problem described in <link linkend="printing"/>. For more details on OS/2 clients, please
+ problem described in <link linkend="classicalprinting"/>. For more details on OS/2 clients, please
refer to <link linkend="Other-Clients"/>.</para>
</description>
<value type="default"/>
<para>Note that a printable service will ALWAYS allow writing
to the service path (user privileges permitting) via the spooling
- of print data. The <link linkend="READONLY"><parameter moreinfo="none">read only
- </parameter></link> parameter controls only non-printing access to
+ of print data. The <smbconfoption name="read only"/> parameter controls only non-printing access to
the resource.</para>
</description>
<value type="default">no</value>
<para>To use the CUPS printing interface set <command moreinfo="none">printcap name = cups
</command>. This should be supplemented by an addtional setting
- <link linkend="PRINTING">printing = cups</link> in the [global]
+ <smbconfoption name="printing">cups</smbconfoption> in the [global]
section. <command moreinfo="none">printcap name = cups</command> will use the
"dummy" printcap created by CUPS, as specified in your CUPS
configuration file.
<para>Note that printing may fail on some UNIXes from the
<constant>nobody</constant> account. If this happens then create
- an alternative guest account that can print and set the <link linkend="GUESTACCOUNT">
- <parameter moreinfo="none">guest account</parameter></link>
+ an alternative guest account that can print and set the <smbconfoption name="guest account"/>
in the [global] section.</para>
<para>You can form quite complex print commands by realizing
<para>You may have to vary this command considerably depending
on how you normally print files on your system. The default for
- the parameter varies depending on the setting of the <link linkend="PRINTING">
- <parameter moreinfo="none">printing</parameter></link> parameter.</para>
+ the parameter varies depending on the setting of the <smbconfoption name="printing"/>
+ parameter.</para>
<para>Default: For <command moreinfo="none">printing = BSD, AIX, QNX, LPRNG
or PLP :</command></para>
<para><command moreinfo="none">print command = lp -d%p -s %s; rm %s</command></para>
<para>For printing = CUPS : If SAMBA is compiled against
- libcups, then <link linkend="PRINTING">printcap = cups</link>
+ libcups, then <smbconfoption name="printcap">cups</smbconfoption>
uses the CUPS API to
submit jobs, etc. Otherwise it maps to the System V
commands with the -oraw option for printing, i.e. it
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<synonym>printer</synonym>
<description>
- <para>This parameter specifies the name of the printer
- to which print jobs spooled through a printable service will be sent.</para>
+ <para>
+ This parameter specifies the name of the printer to which print jobs spooled through a printable service
+ will be sent.
+ </para>
- <para>If specified in the [global] section, the printer
- name given will be used for any printable service that does
- not have its own printer name specified.</para>
+ <para>
+ If specified in the [global] section, the printer name given will be used for any printable service that
+ does not have its own printer name specified.
+ </para>
+
+ <para>
+ The default value of the <smbconfoption name="printer name"/> may be <literal>lp</literal> on many
+ systems.
+ </para>
</description>
-<value type="default"><comment>none (but may be <constant>lp</constant> on many systems)</comment></value>
+<value type="default">none</value>
<value type="example">laserwriter</value>
</samba:parameter>
<para>This parameter specifies the command to be
executed on the server host in order to resume the printer queue. It
is the command to undo the behavior that is caused by the
- previous parameter (<link linkend="QUEUEPAUSECOMMAND"><parameter moreinfo="none">
- queuepause command</parameter></link>).</para>
+ previous parameter (<smbconfoption name="queuepause command"/>).</para>
<para>This command should be a program or script which takes
a printer name as its only parameter and resumes the printer queue,
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
<para>This option tells <citerefentry><refentrytitle>smbd</refentrytitle>
- <manvolnum>8</manvolnum></citerefentry> when acting as a WINS server (<link linkend="WINSSUPPORT">
- <parameter moreinfo="none">wins support = yes</parameter></link>) what the maximum
+ <manvolnum>8</manvolnum></citerefentry> when acting as a WINS server
+ (<smbconfoption name="wins support">yes</smbconfoption>) what the maximum
'time to live' of NetBIOS names that <command moreinfo="none">nmbd</command>
will grant will be (in seconds). You should never need to change this
parameter. The default is 6 days (518400 seconds).</para>
<description>
<para>The value of the parameter (a string) is the
lowest SMB protocol dialect than Samba will support. Please refer
- to the <link linkend="MAXPROTOCOL"><parameter moreinfo="none">max protocol</parameter></link>
+ to the <smbconfoption name="max protocol"/>
parameter for a list of valid protocol names and a brief description
of each. You may also wish to refer to the C source code in
<filename moreinfo="none">source/smbd/negprot.c</filename> for a listing of known protocol
dialects supported by clients.</para>
<para>If you are viewing this parameter as a security measure, you should
- also refer to the <link linkend="LANMANAUTH"><parameter moreinfo="none">lanman
- auth</parameter></link> parameter. Otherwise, you should never need
+ also refer to the <smbconfoption name="lanman auth"/> parameter. Otherwise, you should never need
to change this parameter.</para>
</description>
<description>
<para>This option tells <citerefentry><refentrytitle>nmbd</refentrytitle>
<manvolnum>8</manvolnum></citerefentry>
- when acting as a WINS server (<link linkend="WINSSUPPORT"><parameter moreinfo="none">
- wins support = yes</parameter></link>) what the minimum 'time to live'
+ when acting as a WINS server (<smbconfoption name="wins support">yes</smbconfoption>) what the minimum 'time to live'
of NetBIOS names that <command moreinfo="none">nmbd</command> will grant will be (in
seconds). You should never need to change this parameter. The default
is 6 hours (21600 seconds).</para>
<listitem>
<para><constant>lmhosts</constant> : Lookup an IP
address in the Samba lmhosts file. If the line in lmhosts has
- no name type attached to the NetBIOS name (see the <ulink
- noescape="1" url="lmhosts.5.html">lmhosts(5)</ulink> for details) then
+ no name type attached to the NetBIOS name (see the <usmbconfoption
+ noescape="1" url="lmhosts.5.html">lmhosts(5)</usmbconfoption> for details) then
any name type matches for lookup.</para>
</listitem>
<listitem>
<para><constant>wins</constant> : Query a name with
- the IP address listed in the <link linkend="WINSSERVER"><parameter moreinfo="none">
- wins server</parameter></link> parameter. If no WINS server has
+ the IP address listed in the <smbconfoption name="WINSSERVER"><parameter moreinfo="none">
+ wins server</parameter></smbconfoption> parameter. If no WINS server has
been specified this method will be ignored.</para>
</listitem>
<listitem>
<para><constant>bcast</constant> : Do a broadcast on
- each of the known local interfaces listed in the <link linkend="INTERFACES"><parameter moreinfo="none">interfaces</parameter></link>
+ each of the known local interfaces listed in the <smbconfoption name="interfaces"/>
parameter. This is the least reliable of the name resolution
methods as it depends on the target host being on a locally
connected subnet.</para>
this list will be able to do anything they like on the share,
irrespective of file permissions.</para>
- <para>This parameter will not work with the <link linkend="SECURITY">
- <parameter moreinfo="none">security = share</parameter></link> in
+ <para>This parameter will not work with the <smbconfoption name="security">share</smbconfoption> in
Samba 3.0. This is by design.</para>
</description>
advanced="1" developer="1"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
- <para>This option only takes effect when the <link linkend="SECURITY">
- <parameter moreinfo="none">security</parameter></link> option is set to
+ <para>
+ This option only takes effect when the <smbconfoption name="security"/> option is set to
<constant>server</constant>,<constant>domain</constant> or <constant>ads</constant>.
If it is set to no, then attempts to connect to a resource from
a domain or workgroup other than the one which smbd is running
basic="1" advanced="1" wizard="1" developer="1"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
- <para>This option allows the administrator to chose what
- authentication methods <command moreinfo="none">smbd</command> will use when authenticating
- a user. This option defaults to sensible values based on <link linkend="SECURITY">
- <parameter moreinfo="none">security</parameter></link>. This should be considered
- a developer option and used only in rare circumstances. In the majority (if not all)
- of production servers, the default setting should be adequate.</para>
+ <para>
+ This option allows the administrator to chose what authentication methods <command
+ moreinfo="none">smbd</command> will use when authenticating a user. This option defaults to sensible values
+ based on <smbconfoption name="security"/>. This should be considered a developer option and used only in rare
+ circumstances. In the majority (if not all) of production servers, the default setting should be adequate.
+ </para>
<para>Each entry in the list attempts to authenticate the user in turn, until
the user authenticates. In practice only one method will ever actually
'group' and 'other' write and execute bits from the UNIX modes.</para>
<para>Following this Samba will bit-wise 'OR' the UNIX mode created
- from this parameter with the value of the <link linkend="FORCECREATEMODE">
- <parameter moreinfo="none">force create mode</parameter></link>
+ from this parameter with the value of the <smbconfoption name="force create mode"/>
parameter which is set to 000 by default.</para>
<para>This parameter does not affect directory modes. See the
- parameter <link linkend="DIRECTORYMODE"><parameter moreinfo="none">directory mode
- </parameter></link> for details.</para>
+ parameter <smbconfoption name="directory mode"/> for details.</para>
<para>Note that this parameter does not apply to permissions
set by Windows NT/2000 ACL editors. If the administrator wishes to enforce
- a mask on access control lists also, they need to set the <link linkend="SECURITYMASK">
- <parameter moreinfo="none">security mask</parameter></link>.</para>
+ a mask on access control lists also, they need to set the <smbconfoption name="security mask"/>.</para>
</description>
<related>force create mode</related>
user who owns the directory to modify it.</para>
<para>Following this Samba will bit-wise 'OR' the UNIX mode
- created from this parameter with the value of the <link linkend="FORCEDIRECTORYMODE">
- <parameter moreinfo="none">force directory mode</parameter></link> parameter.
+ created from this parameter with the value of the <smbconfoption name="force directory mode"/> parameter.
This parameter is set to 000 by default (i.e. no extra mode bits are added).</para>
<para>Note that this parameter does not apply to permissions
set by Windows NT/2000 ACL editors. If the administrator wishes to enforce
- a mask on access control lists also, they need to set the <link linkend="DIRECTORYSECURITYMASK">
- <parameter moreinfo="none">directory security mask</parameter></link>.</para>
+ a mask on access control lists also, they need to set the <smbconfoption name="directory security mask"/>.</para>
</description>
<related>force directory mode</related>
have access to a local <citerefentry><refentrytitle>smbpasswd</refentrytitle>
<manvolnum>5</manvolnum></citerefentry> file (see the <citerefentry><refentrytitle>smbpasswd</refentrytitle>
<manvolnum>8</manvolnum></citerefentry> program for information on how to set up
- and maintain this file), or set the <link linkend="SECURITY">security = [server|domain|ads]</link> parameter which
+ and maintain this file), or set the <smbconfoption name="security">[server|domain|ads]</smbconfoption> parameter which
causes <command moreinfo="none">smbd</command> to authenticate against another
server.</para>
</description>
primary group assigned to sys when accessing this Samba share. All
other users will retain their ordinary primary group.</para>
- <para>If the <link linkend="FORCEUSER"><parameter moreinfo="none">force user</parameter>
- </link> parameter is also set the group specified in
+ <para>
+ If the <smbconfoption name="force user"/> parameter is also set the group specified in
<parameter moreinfo="none">force group</parameter> will override the primary group
set in <parameter moreinfo="none">force user</parameter>.</para>
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
<para>This is a username which will be used for access
- to services which are specified as <link linkend="GUESTOK"><parameter moreinfo="none">
- guest ok</parameter></link> (see below). Whatever privileges this
+ to services which are specified as <smbconfoption name="guest ok"/> (see below). Whatever privileges this
user has will be available to any client connecting to the guest service.
This user must exist in the password file, but does not require
a valid login. The user account "ftp" is often a good choice
<description>
<para>If this parameter is <constant>yes</constant> for
a service, then no password is required to connect to the service.
- Privileges will be those of the <link linkend="GUESTACCOUNT"><parameter moreinfo="none">
- guest account</parameter></link>.</para>
+ Privileges will be those of the <smbconfoption name="guest account"/>.</para>
<para>This paramater nullifies the benifits of setting
- <link linkend="RESTRICTANONYMOUS"><parameter moreinfo="none">restrict
- anonymous</parameter></link> = 2</para>
+ <smbconfoption name="restrict anonymous">2</smbconfoption>
+ </para>
- <para>See the section below on <link linkend="SECURITY"><parameter moreinfo="none">
- security</parameter></link> for more information about this option.
+ <para>See the section below on <smbconfoption name="security"/> for more information about this option.
</para>
</description>
<value type="default">no</value>
<description>
<para>If this parameter is <constant>yes</constant> for
a service, then only guest connections to the service are permitted.
- This parameter will have no effect if <link linkend="GUESTOK">
- <parameter moreinfo="none">guest ok</parameter></link> is not set for the service.</para>
+ This parameter will have no effect if <smbconfoption name="guest ok"/> is not set for the service.</para>
- <para>See the section below on <link linkend="SECURITY"><parameter moreinfo="none">
- security</parameter></link> for more information about this option.
+ <para>See the section below on <smbconfoption name="security"/> for more information about this option.
</para>
</description>
<value type="default">no</value>
be given here also.</para>
<para>Note that the localhost address 127.0.0.1 will always
- be allowed access unless specifically denied by a <link linkend="HOSTSDENY">
- <parameter moreinfo="none">hosts deny</parameter></link> option.</para>
+ be allowed access unless specifically denied by a <smbconfoption name="hosts deny"/> option.</para>
<para>You can also specify hosts by network/netmask pairs and
by netgroup names if your system supports netgroups. The
and users who will be allowed access without specifying a password.
</para>
- <para>This is not be confused with <link linkend="HOSTSALLOW">
- <parameter moreinfo="none">hosts allow</parameter></link> which is about hosts
+ <para>This is not be confused with <smbconfoption name="hosts allow"/> which is about hosts
access to services and is more useful for guest services. <parameter moreinfo="none">
hosts equiv</parameter> may be useful for NT clients which will
not supply passwords to Samba.</para>
type="boolean"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
- <para>The permissions on new files and directories
- are normally governed by <link linkend="CREATEMASK"><parameter moreinfo="none">
- create mask</parameter></link>, <link linkend="DIRECTORYMASK">
- <parameter moreinfo="none">directory mask</parameter></link>, <link linkend="FORCECREATEMODE">
- <parameter moreinfo="none">force create mode</parameter>
- </link> and <link linkend="FORCEDIRECTORYMODE"><parameter moreinfo="none">force
- directory mode</parameter></link> but the boolean inherit
- permissions parameter overrides this.</para>
+ <para>
+ The permissions on new files and directories are normally governed by <smbconfoption name="create mask"/>,
+ <smbconfoption name="directory mask"/>, <smbconfoption name="force create mode"/> and <smbconfoption
+ name="force directory mode"/> but the boolean inherit permissions parameter overrides this.
+ </para>
<para>New directories inherit the mode of the parent directory,
including bits such as setgid.</para>
- <para>New files inherit their read/write bits from the parent
- directory. Their execute bits continue to be determined by
- <link linkend="MAPARCHIVE"><parameter moreinfo="none">map archive</parameter>
- </link>, <link linkend="MAPHIDDEN"><parameter moreinfo="none">map hidden</parameter>
- </link> and <link linkend="MAPSYSTEM"><parameter moreinfo="none">map system</parameter>
- </link> as usual.</para>
+ <para>
+ New files inherit their read/write bits from the parent directory. Their execute bits continue to be
+ determined by <smbconfoption name="map archive"/>, <smbconfoption name="map hidden"/> and <smbconfoption
+ name="map system"/> as usual.
+ </para>
<para>Note that the setuid bit is <emphasis>never</emphasis> set via
inheritance (the code explicitly prohibits this).</para>
advanced="1" developer="1"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
- <para>This parameter is only useful in <link linkend="SECURITY">
- security</link> modes other than <parameter moreinfo="none">security = share</parameter>
+ <para>This parameter is only useful in <smbconfoption name="SECURITY">
+ security</smbconfoption> modes other than <parameter moreinfo="none">security = share</parameter>
- i.e. <constant>user</constant>, <constant>server</constant>,
and <constant>domain</constant>.</para>
<para><constant>Bad User</constant> - Means user
logins with an invalid password are rejected, unless the username
does not exist, in which case it is treated as a guest login and
- mapped into the <link linkend="GUESTACCOUNT"><parameter moreinfo="none">
- guest account</parameter></link>.</para>
+ mapped into the <smbconfoption name="guest account"/>.</para>
</listitem>
<listitem>
<para><constant>Bad Password</constant> - Means user logins
with an invalid password are treated as a guest login and mapped
- into the <link linkend="GUESTACCOUNT">guest account</link>. Note that
+ into the <smbconfoption name="guest account"/>. Note that
this can cause problems as it means that any user incorrectly typing
their password will be silently logged on as "guest" - and
will not know the reason they cannot access files they think
should obey PAM's account and session management directives. The
default behavior is to use PAM for clear text authentication only
and to ignore any account or session management. Note that Samba
- always ignores PAM for authentication in the case of <link linkend="ENCRYPTPASSWORDS">
- <parameter moreinfo="none">encrypt passwords = yes</parameter></link>. The reason
+ always ignores PAM for authentication in the case of <smbconfoption
+ name="encrypt passwords">yes</smbconfoption>. The reason
is that PAM modules cannot support the challenge/response
authentication mechanism needed in the presence of SMB password encryption.
</para>
client can supply a username to be used by the server. Enabling
this parameter will force the server to only use the login
names from the <parameter moreinfo="none">user</parameter> list and is only really
- useful in <link linkend="SECURITYEQUALSSHARE">share level</link>
- security.</para>
+ useful in <smbconfoption name="security">share</smbconfoption> level security.</para>
<para>Note that this also means Samba won't try to deduce
usernames from the service name. This can be annoying for
this parameter, it is possible to use PAM's password change control
flag for Samba. If enabled, then PAM will be used for password
changes when requested by an SMB client instead of the program listed in
- <link linkend="PASSWDPROGRAM"><parameter moreinfo="none">passwd program</parameter></link>.
+ <smbconfoption name="passwd program"/>.
It should be possible to enable this without changing your
- <link linkend="PASSWDCHAT"><parameter moreinfo="none">passwd chat</parameter></link>
- parameter for most setups.</para>
+ <smbconfoption name="passwd chat"/> parameter for most setups.</para>
</description>
<value type="default">no</value>
<listitem>
<para><command moreinfo="none">tdbsam</command> - The TDB based password storage
backend. Takes a path to the TDB as an optional argument (defaults to passdb.tdb
- in the <link linkend="PRIVATEDIR">
- <parameter moreinfo="none">private dir</parameter></link> directory.</para>
+ in the <smbconfoption name="private dir"/> directory.</para>
</listitem>
<listitem>
<command moreinfo="none">ldap://localhost</command>)</para>
<para>LDAP connections should be secured where possible. This may be done using either
- Start-TLS (see <link linkend="LDAPSSL"><parameter moreinfo="none">ldap ssl</parameter></link>) or by
+ Start-TLS (see <smbconfoption name="ldap ssl"/>) or by
specifying <parameter moreinfo="none">ldaps://</parameter> in
the URL argument. </para>
program to change the user's password. The string describes a
sequence of response-receive pairs that <citerefentry><refentrytitle>smbd</refentrytitle>
<manvolnum>8</manvolnum></citerefentry> uses to determine what to send to the
- <link linkend="PASSWDPROGRAM"><parameter moreinfo="none">passwd program</parameter>
- </link> and what to expect back. If the expected output is not
+ <smbconfoption name="passwd program"/> and what to expect back. If the expected output is not
received then the password is not changed.</para>
<para>This chat sequence is often quite site specific, depending
on what local methods are used for password control (such as NIS
etc).</para>
- <para>Note that this parameter only is only used if the <link
- linkend="UNIXPASSWORDSYNC"> <parameter moreinfo="none">unix password sync</parameter>
- </link> parameter is set to <constant>yes</constant>. This sequence is
+ <para>Note that this parameter only is only used if the <smbconfoption
+ name="unix password sync"/> parameter is set to <constant>yes</constant>. This sequence is
then called <emphasis>AS ROOT</emphasis> when the SMB password in the
smbpasswd file is being changed, without access to the old password
cleartext. This means that root must be able to reset the user's password without
knowing the text of the previous password. In the presence of
- NIS/YP, this means that the <link linkend="PASSWDPROGRAM">passwd program</link> must
+ NIS/YP, this means that the <smbconfoption name="passwd program"/> must
be executed on the NIS master.
</para>
stop ".", then no string is sent. Similarly, if the
expect string is a full stop then no string is expected.</para>
- <para>If the <link linkend="PAMPASSWORDCHANGE"><parameter moreinfo="none">pam
- password change</parameter></link> parameter is set to <constant>yes</constant>, the chat pairs
- may be matched in any order, and success is determined by the PAM result,
- not any particular output. The \n macro is ignored for PAM conversions.
+ <para>If the <smbconfoption name="pam password change"/> parameter is set to <constant>yes</constant>, the
+ chat pairs may be matched in any order, and success is determined by the PAM result, not any particular
+ output. The \n macro is ignored for PAM conversions.
</para>
</description>
strings passed to and received from the passwd chat are printed
in the <citerefentry><refentrytitle>smbd</refentrytitle>
<manvolnum>8</manvolnum></citerefentry> log with a
- <link linkend="DEBUGLEVEL"><parameter moreinfo="none">debug level</parameter></link>
+ <smbconfoption name="debug level"/>
of 100. This is a dangerous option as it will allow plaintext passwords
to be seen in the <command moreinfo="none">smbd</command> log. It is available to help
Samba admins debug their <parameter moreinfo="none">passwd chat</parameter> scripts
when calling the <parameter moreinfo="none">passwd program</parameter> and should
be turned off after this has been done. This option has no effect if the
- <link linkend="PAMPASSWORDCHANGE"><parameter moreinfo="none">pam password change</parameter></link>
+ <smbconfoption name="pam password change"/>
paramter is set. This parameter is off by default.</para>
</description>
<para>This parameter is used only when using plain-text passwords. It is
not at all used when encrypted passwords as in use (that is the default
- since samba-3.0.0). Use this only when <link linkend="ENCRYPTPASSWORDS">
- encrypt passwords = No</link>.</para>
+ since samba-3.0.0). Use this only when <smbconfoption name="encrypt passwords">No</smbconfoption>.</para>
</description>
<value type="default">0</value>
connections.</para>
<para>If parameter is a name, it is looked up using the
- parameter <link linkend="NAMERESOLVEORDER"><parameter moreinfo="none">name
- resolve order</parameter></link> and so may resolved
+ parameter <smbconfoption name="name resolve order"/> and so may resolved
by any method and order described in that parameter.</para>
<para>The password server must be a machine capable of using
type="list"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
- <para>This is a list of users that are given read-only
- access to a service. If the connecting user is in this list then
- they will not be given write access, no matter what the <link linkend="READONLY">
- <parameter moreinfo="none">read only</parameter></link>
- option is set to. The list can include group names using the
- syntax described in the <link linkend="INVALIDUSERS"><parameter moreinfo="none">
- invalid users</parameter></link> parameter.</para>
+ <para>
+ This is a list of users that are given read-only access to a service. If the connecting user is in this list
+ then they will not be given write access, no matter what the <smbconfoption name="read only"/> option is set
+ to. The list can include group names using the syntax described in the <smbconfoption name="invalid users"/>
+ parameter.
+ </para>
- <para>This parameter will not work with the <link linkend="SECURITY">
- <parameter moreinfo="none">security = share</parameter></link> in
+ <para>This parameter will not work with the <smbconfoption name="security">share</smbconfoption> in
Samba 3.0. This is by design.</para>
</description>
basic="1" advanced="1"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
- <para>An inverted synonym is <link linkend="WRITEABLE">
- <parameter moreinfo="none">writeable</parameter></link>.</para>
+ <para>An inverted synonym is <smbconfoption name="writeable"/>.</para>
<para>If this parameter is <constant>yes</constant>, then users
of a service may not create or modify files in the service's
<note>
<para>
The security advantage of using restrict anonymous = 2 is removed
- by setting <link linkend="GUESTOK"><parameter moreinfo="none">guest
- ok</parameter> = yes</link> on any share.
+ by setting <smbconfoption name="guest ok">yes</smbconfoption> on any share.
</para>
</note>
</description>
server will deny access to files not in one of the service entries.
It may also check for, and deny access to, soft links to other
parts of the filesystem, or attempts to use ".." in file names
- to access other directories (depending on the setting of the <link linkend="WIDELINKS">
- <parameter moreinfo="none">wide links</parameter></link>
- parameter).
+ to access other directories (depending on the setting of the
+ <smbconfoption name="wide smbconfoptions"/> parameter).
</para>
<para>Adding a <parameter moreinfo="none">root directory</parameter> entry other
want to mainly setup shares without a password (guest shares). This
is commonly used for a shared printer server. It is more difficult
to setup guest shares with <command moreinfo="none">security = user</command>, see
- the <link linkend="MAPTOGUEST"><parameter moreinfo="none">map to guest</parameter>
- </link>parameter for details.</para>
+ the <smbconfoption name="map to guest"/>parameter for details.</para>
<para>It is possible to use <command moreinfo="none">smbd</command> in a <emphasis>
hybrid mode</emphasis> where it is offers both user and share
- level security under different <link linkend="NETBIOSALIASES">
- <parameter moreinfo="none">NetBIOS aliases</parameter></link>. </para>
+ level security under different <smbconfoption name="NetBIOS aliases"/>. </para>
<para>The different settings will now be explained.</para>
<itemizedlist>
<listitem>
- <para>If the <link linkend="GUESTONLY"><parameter moreinfo="none">guest
- only</parameter></link> parameter is set, then all the other
- stages are missed and only the <link linkend="GUESTACCOUNT">
- <parameter moreinfo="none">guest account</parameter></link> username is checked.
+ <para>If the <smbconfoption name="guest only"/> parameter is set, then all the other
+ stages are missed and only the <smbconfoption name="guest account"/> username is checked.
</para>
</listitem>
<listitem>
<para>Is a username is sent with the share connection
- request, then this username (after mapping - see <link linkend="USERNAMEMAP">
- <parameter moreinfo="none">username map</parameter></link>),
+ request, then this username (after mapping - see <smbconfoption name="username map"/>),
is added as a potential username.
</para>
</listitem>
</listitem>
<listitem>
- <para>Any users on the <link linkend="USER"><parameter moreinfo="none">
- user</parameter></link> list are added as potential usernames.
+ <para>Any users on the <smbconfoption name="user"/> list are added as potential usernames.
</para>
</listitem>
</itemizedlist>
<para>This is the default security setting in Samba 3.0.
With user-level security a client must first "log-on" with a
- valid username and password (which can be mapped using the <link linkend="USERNAMEMAP">
- <parameter moreinfo="none">username map</parameter></link>
- parameter). Encrypted passwords (see the <link linkend="ENCRYPTPASSWORDS">
- <parameter moreinfo="none">encrypted passwords</parameter></link> parameter) can also
- be used in this security mode. Parameters such as <link linkend="USER">
- <parameter moreinfo="none">user</parameter></link> and <link linkend="GUESTONLY">
- <parameter moreinfo="none">guest only</parameter></link> if set are then applied and
+ valid username and password (which can be mapped using the <smbconfoption name="username map"/>
+ parameter). Encrypted passwords (see the <smbconfoption name="encrypted passwords"/> parameter) can also
+ be used in this security mode. Parameters such as <smbconfoption name="user"/> and <smbconfoption
+ name="guest only"/> if set are then applied and
may change the UNIX user to use on this connection, but only after
the user has been successfully authenticated.</para>
requested is <emphasis>not</emphasis> sent to the server until after
the server has successfully authenticated the client. This is why
guest shares don't work in user level security without allowing
- the server to automatically map unknown users into the <link linkend="GUESTACCOUNT">
- <parameter moreinfo="none">guest account</parameter></link>.
- See the <link linkend="MAPTOGUEST"><parameter moreinfo="none">map to guest</parameter>
- </link> parameter for details on doing this.</para>
+ the server to automatically map unknown users into the <smbconfoption name="guest account"/>.
+ See the <smbconfoption name="map to guest"/> parameter for details on doing this.</para>
- <para>See also the section <link linkend="VALIDATIONSECT">
- NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para>
+ <para>See also the section <link linkend="VALIDATIONSECT">NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para>
<para><anchor id="SECURITYEQUALSDOMAIN"/><emphasis>SECURITY = DOMAIN</emphasis></para>
<para>This mode will only work correctly if <citerefentry><refentrytitle>net</refentrytitle>
<manvolnum>8</manvolnum></citerefentry> has been used to add this
- machine into a Windows NT Domain. It expects the <link linkend="ENCRYPTPASSWORDS">
- <parameter moreinfo="none">encrypted passwords</parameter>
- </link> parameter to be set to <constant>yes</constant>. In this
+ machine into a Windows NT Domain. It expects the <smbconfoption name="encrypted passwords"/>
+ parameter to be set to <constant>yes</constant>. In this
mode Samba will try to validate the username/password by passing
it to a Windows NT Primary or Backup Domain Controller, in exactly
the same way that a Windows NT Server would do.</para>
requested is <emphasis>not</emphasis> sent to the server until after
the server has successfully authenticated the client. This is why
guest shares don't work in user level security without allowing
- the server to automatically map unknown users into the <link linkend="GUESTACCOUNT">
- <parameter moreinfo="none">guest account</parameter></link>.
- See the <link linkend="MAPTOGUEST"><parameter moreinfo="none">map to guest</parameter>
- </link> parameter for details on doing this.</para>
+ the server to automatically map unknown users into the <smbconfoption name="guest account"/>.
+ See the <smbconfoption name="map to guest"/> parameter for details on doing this.</para>
<para>See also the section <link linkend="VALIDATIONSECT">
NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para>
- <para>See also the <link linkend="PASSWORDSERVER"><parameter moreinfo="none">password
- server</parameter></link> parameter and the <link linkend="ENCRYPTPASSWORDS">
- <parameter moreinfo="none">encrypted passwords</parameter>
- </link> parameter.</para>
+ <para>See also the <smbconfoption name="password server"/> parameter and
+ the <smbconfoption name="encrypted passwords"/> parameter.</para>
<para><anchor id="SECURITYEQUALSSERVER"/><emphasis>SECURITY = SERVER</emphasis></para>
- <para>In this mode Samba will try to validate the username/password
- by passing it to another SMB server, such as an NT box. If this
- fails it will revert to <command moreinfo="none">security =
- user</command>. It expects the <link linkend="ENCRYPTPASSWORDS">
- <parameter moreinfo="none">encrypted passwords</parameter></link> parameter
- to be set to <constant>yes</constant>, unless the remote server
- does not support them. However note that if encrypted passwords have been
- negotiated then Samba cannot revert back to checking the UNIX password file,
- it must have a valid <filename moreinfo="none">smbpasswd</filename> file to check
- users against. See the chapter about the User Database in the Samba HOWTO Collection for details on how to set this up.</para>
+ <para>
+ In this mode Samba will try to validate the username/password by passing it to another SMB server, such as an
+ NT box. If this fails it will revert to <command moreinfo="none">security = user</command>. It expects the
+ <smbconfoption name="encrypted passwords"/> parameter to be set to <constant>yes</constant>, unless the remote
+ server does not support them. However note that if encrypted passwords have been negotiated then Samba cannot
+ revert back to checking the UNIX password file, it must have a valid <filename
+ moreinfo="none">smbpasswd</filename> file to check users against. See the chapter about the User Database in
+ the Samba HOWTO Collection for details on how to set this up.
+</para>
<note><para>This mode of operation has
significant pitfalls, due to the fact that is activly initiates a
requested is <emphasis>not</emphasis> sent to the server until after
the server has successfully authenticated the client. This is why
guest shares don't work in user level security without allowing
- the server to automatically map unknown users into the <link linkend="GUESTACCOUNT">
- <parameter moreinfo="none">guest account</parameter></link>.
- See the <link linkend="MAPTOGUEST"><parameter moreinfo="none">map to guest</parameter>
- </link> parameter for details on doing this.</para>
+ the server to automatically map unknown users into the <smbconfoption name="guest account"/>.
+ See the <smbconfoption name="map to guest"/> parameter for details on doing this.</para>
<para>See also the section <link linkend="VALIDATIONSECT">
NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para>
- <para>See also the <link linkend="PASSWORDSERVER"><parameter moreinfo="none">password
- server</parameter></link> parameter and the <link linkend="ENCRYPTPASSWORDS">
- <parameter moreinfo="none">encrypted passwords</parameter></link> parameter.</para>
+ <para>See also the <smbconfoption name="password server"/> parameter and the
+ <smbconfoption name="encrypted passwords"/> parameter.</para>
<para><anchor id="SECURITYEQUALSADS"/><emphasis>SECURITY = ADS</emphasis></para>
basic="1"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
- <para>This controls whether the server offers or even
- demands the use of the netlogon schannel.
- <parameter>server schannel = no</parameter> does not
- offer the schannel, <parameter>server schannel =
- auto</parameter> offers the schannel but does not
- enforce it, and <parameter>server schannel =
- yes</parameter> denies access if the client is not
- able to speak netlogon schannel. This is only the case
- for Windows NT4 before SP4.</para>
+ <para>
+ This controls whether the server offers or even demands the use of the netlogon schannel.
+ <smbconfoption name="server schannel">no</smbconfoption> does not offer the schannel, <smbconfoption
+ name="server schannel">auto</smbconfoption> offers the schannel but does not enforce it, and <smbconfoption
+ name="server schannel">yes</smbconfoption> denies access if the client is not able to speak netlogon schannel.
+ This is only the case for Windows NT4 before SP4.
+ </para>
- <para>Please note that with this set to
- <parameter>no</parameter> you will have to apply the
- WindowsXP requireSignOrSeal-Registry patch found in
- the docs/Registry subdirectory.</para>
+ <para>
+ Please note that with this set to <literal>no</literal> you will have to apply the WindowsXP
+ <filename>WinXP_SignOrSeal.reg</filename> registry patch found in the docs/registry subdirectory of the Samba distribution tarball.
+ </para>
</description>
<value type="default">auto</value>
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
- <para>This boolean parameter allows a user logging on with
- a plaintext password to have their encrypted (hashed) password in
- the smbpasswd file to be updated automatically as they log
- on. This option allows a site to migrate from plaintext
- password authentication (users authenticate with plaintext
- password over the wire, and are checked against a UNIX account
- database) to encrypted password authentication (the SMB
- challenge/response authentication mechanism) without forcing all
- users to re-enter their passwords via smbpasswd at the time the
- change is made. This is a convenience option to allow the change
- over to encrypted passwords to be made over a longer period.
- Once all users have encrypted representations of their passwords
- in the smbpasswd file this parameter should be set to
- <constant>no</constant>.</para>
+ <para>
+ This boolean parameter allows a user logging on with a plaintext password to have their encrypted (hashed)
+ password in the smbpasswd file to be updated automatically as they log on. This option allows a site to
+ migrate from plaintext password authentication (users authenticate with plaintext password over the
+ wire, and are checked against a UNIX account atabase) to encrypted password authentication (the SMB
+ challenge/response authentication mechanism) without forcing all users to re-enter their passwords via
+ smbpasswd at the time the change is made. This is a convenience option to allow the change over to encrypted
+ passwords to be made over a longer period. Once all users have encrypted representations of their passwords
+ in the smbpasswd file this parameter should be set to <constant>no</constant>.
+ </para>
- <para>In order for this parameter to work correctly the <link linkend="ENCRYPTPASSWORDS">
- <parameter moreinfo="none">encrypt passwords</parameter></link> parameter must
- be set to <constant>no</constant> when this parameter is set to <constant>yes</constant>.</para>
+ <para>
+ In order for this parameter to be operative the <smbconfoption name="encrypt passwords"/> parameter must
+ be set to <constant>no</constant>. The default value of <smbconfoption name="encrypt
+ passwords">Yes</smbconfoption>. Note: This must be set to <constant>no</constant> for this <smbconfoption
+ name="update encrypted"/> to work.
+ </para>
- <para>Note that even when this parameter is set a user
- authenticating to <command moreinfo="none">smbd</command> must still enter a valid
- password in order to connect correctly, and to update their hashed
- (smbpasswd) passwords.</para>
+ <para>
+ Note that even when this parameter is set a user authenticating to <command moreinfo="none">smbd</command>
+ must still enter a valid password in order to connect correctly, and to update their hashed (smbpasswd)
+ passwords.
+ </para>
</description>
<value type="default">no</value>
so they cannot do anything that user cannot do.</para>
<para>To restrict a service to a particular set of users you
- can use the <link linkend="VALIDUSERS"><parameter moreinfo="none">valid users
- </parameter></link> parameter.</para>
+ can use the <smbconfoption name="valid users"/> parameter.</para>
<para>If any of the usernames begin with a '@' then the name
will be looked up first in the NIS netgroups list (if Samba
quite some time, and some clients may time out during the
search.</para>
- <para>See the section <link linkend="VALIDATIONSECT">NOTE ABOUT
- USERNAME/PASSWORD VALIDATION</link> for more information on how
-this parameter determines access to the services.</para>
+ <para>See the section <link linkend="VALIDATIONSECT">NOTE ABOUT
+ USERNAME/PASSWORD VALIDATION</link> for more information on how
+ this parameter determines access to the services.</para>
</description>
<value type="default"><comment>The guest account if a guest service,
will actually be connecting to \\server\mary and will need to
supply a password suitable for <constant>mary</constant> not
<constant>fred</constant>. The only exception to this is the
- username passed to the <link linkend="PASSWORDSERVER"><parameter moreinfo="none">
- password server</parameter></link> (if you have one). The password
+ username passed to the <smbconfoption name="password server"/> (if you have one). The password
server will receive whatever username the client supplies without
modification.</para>
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<synonym>writable</synonym>
<description>
- <para>Inverted synonym for <link linkend="READONLY">
- <parameter moreinfo="none">read only</parameter></link>.</para>
+ <para>Inverted synonym for <smbconfoption name="read only"/>.</para>
</description>
</samba:parameter>
<para>This is a tuning option. When this is enabled a
caching algorithm will be used to reduce the time taken for getwd()
calls. This can have a significant impact on performance, especially
- when the <link linkend="WIDELINKS"><parameter moreinfo="none">wide links</parameter>
-</link> parameter is set to <constant>no</constant>.</para>
+ when the <smbconfoption name="wide smbconfoptions"/> parameter is set to <constant>no</constant>.</para>
</description>
<value type="default">yes</value>
a client is still present and responding.</para>
<para>Keepalives should, in general, not be needed if the socket
- has the SO_KEEPALIVE attribute set on it by default. (see <link linkend="SOCKETOPTIONS">
- <parameter moreinfo="none">socket options</parameter></link>).
+ has the SO_KEEPALIVE attribute set on it by default. (see <smbconfoption name="socket options"/>).
Basically you should only use this option if you strike difficulties.</para>
</description>
of zero mean an unlimited number of connections may be made.</para>
<para>Record lock files are used to implement this feature. The lock files will be stored in
- the directory specified by the <link linkend="LOCKDIRECTORY">
- <parameter moreinfo="none">lock directory</parameter></link> option.</para>
+ the directory specified by the <smbconfoption name="lock directory"/> option.</para>
</description>
<value type="default">0</value>
server, and allow Dfs-aware clients to browse Dfs trees hosted
on the server.</para>
- <para>See also the <link linkend="MSDFSROOT"><parameter moreinfo="none">
- msdfs root</parameter></link> share level parameter. For
+ <para>See also the <smbconfoption name="msdfs root"/> share level parameter. For
more information on setting up a Dfs tree on Samba,
refer to <link linkend="msdfs"/>.
</para>
the SMB-Dfs protocol.</para>
<para>Only Dfs roots can act as proxy shares. Take a look at the
- <link linkend="MSDFSROOT"><parameter moreinfo="none">msdfs root</parameter></link>
- and <link linkend="HOSTMSDFS"><parameter moreinfo="none">host msdfs</parameter></link>
+ <smbconfoption name="msdfs root"/> and <smbconfoption name="host msdfs"/>
options to find out how to set up a Dfs root share.</para>
</description>
<related>host msdfs</related>
<value type="default">no</value>
- <para>See also <link linkend="HOSTMSDFS"><parameter moreinfo="none">host msdfs</parameter></link></para>
+ <para>See also <smbconfoption name="host msdfs"/></para>
</samba:parameter>