smb.conf contains runtime configuration information for the smbd program. The smbd program provides LanManager-like services to clients using the SMB protocol.
The file is line-based - that is, each newline-terminated line represents either a comment, a section name or a parameter.
Section and parameter names are not case sensitive.
Only the first equals sign in a parameter is significant. Whitespace before or after the first equals sign is discarded. Leading, trailing and internal whitespace in section and parameter names is irrelevant. Leading and trailing whitespace in a parameter value is discarded. Internal whitespace within a parameter value is retained verbatim.
Any line beginning with a semicolon is ignored, as are lines containing only whitespace.
Any line ending in a is "continued" on the next line in the customary unix fashion.
The values following the equals sign in parameters are all either a string (no quotes needed) or a boolean, which may be given as yes/no, 0/1 or true/false. Case is not significant in boolean values, but is preserved in string values. Some items such as create modes are numeric.
There are three special sections, [global], [homes] and [printers], which are described under 'special sections'. The following notes apply to ordinary service descriptions.
A service consists of a directory to which access is being given plus a description of the access rights which are granted to the user of the service. Some housekeeping options are also specifiable.
Services are either filespace services (used by the client as an extension of their native file systems) or printable services (used by the client to access print services on the host running the server).
Services may be guest services, in which case no password is required to access them. A specified guest account is used to define access privileges in this case.
Services other than guest services will require a password to access them. The client provides the username. As many clients only provide passwords and not usernames, you may specify a list of usernames to check against the password using the "user=" option in the service definition.
Note that the access rights granted by the server are masked by the access rights granted to the specified or guest user by the host system. The server does not grant more access than the host system grants.
The following sample section defines a file space service. The user has write access to the path /home/bar. The service is accessed via the service name "foo":
[foo]
path = /home/bar
writable = true
The following sample section defines a printable service. The service is readonly, but printable. That is, the only write access permitted is via calls to open, write to and close a spool file. The 'guest ok' parameter means access will be permitted as the default guest user (specified elsewhere):
[aprinter]
path = /usr/spool/public
read only = true
printable = true
public = true
When the connection request is made, the existing services are scanned. If a match is found, it is used. If no match is found, the requested service name is treated as a user name and looked up in the local passwords file. If the name exists and the correct password has been given, a service is created by cloning the [homes] section.
Some modifications are then made to the newly created section:
If no path was given, the path is set to the user's home directory.
If you decide to use a path= line in your [homes] section then you may find it useful to use the %S macro. For example path=/data/pchome/%S would be useful if you have different home directories for your PCs than for unix access.
This is a fast and simple way to give a large number of clients access to their home directories with a minimum of fuss.
A similar process occurs if the requested service name is "homes", except that the service name is not changed to that of the requesting user. This method of using the [homes] section works well if different users share a client PC.
The [homes] section can specify all the parameters a normal service section can specify, though some make more sense than others. The following is a typical and suitable [homes] section:
[homes]
writable = yes
An important point:
Note that the browseable flag for auto home directories will be inherited from the global browseable flag, not the [homes] browseable flag. This is useful as it means setting browseable=no in the [homes] section will hide the [homes] service but make any auto home directories visible.
If a [printers] section occurs in the configuration file, users are able to connect to any printer specified in the local host's printcap file.
When a connection request is made, the existing services are scanned. If a match is found, it is used. If no match is found, but a [homes] section exists, it is used as described above. Otherwise, the requested service name is treated as a printer name and the appropriate printcap file is scanned to see if the requested service name is a valid printer name. If a match is found, a new service is created by cloning the [printers] section.
A few modifications are then made to the newly created section:
If no printer name was given, the printer name is set to the located printer name
If the service does not permit guest access and no username was given, the username is set to the located printer name.
Note that the [printers] service MUST be printable - if you specify otherwise, the server will refuse to load the configuration file.
Typically the path specified would be that of a world-writable spool directory with the sticky bit set on it. A typical [printers] entry would look like this:
[printers]
path = /usr/spool/public
writable = no
public = yes
printable = yes
All aliases given for a printer in the printcap file are legitimate printer names as far as the server is concerned. If your printing subsystem doesn't work like that, you will have to set up a pseudo-printcap. This is a file consisting of one or more lines like this:
alias|alias|alias|alias...
Each alias should be an acceptable printer name for your printing subsystem. In the [global] section, specify the new file as your printcap. The server will then only recognise names found in your pseudo-printcap, which of course can contain whatever aliases you like. The same technique could be used simply to limit access to a subset of your local printers.
An alias, by the way, is defined as any component of the first entry of a printcap record. Records are separated by newlines, components (if there are more than one) are separated by vertical bar symbols ("|").
Some parameters are specific to the [global] section (eg., security). Some parameters are usable in all sections (eg., create mode). All others are permissible only in normal sections. For the purposes of the following descriptions the [homes] and [printers] sections will be considered normal. The letter 'G' in parentheses indicates that a parameter is specific to the [global] section. The letter 'S' indicates that a parameter can be specified in a secvice specific section. Note that all S parameters can also be specified in the [global] section - in which case they will define the default behaviour for all services.
Parameters are arranged here in alphabetical order - this may not create best bedfellows, but at least you can find them! Where there are synonyms, the preferred synonym is described, others refer to the preferred synonym.
Many of the strings that are settable in the config file can take substitutions. For example the option "path = /tmp/%u" would be interpreted as "path = /tmp/john" if the user connected with the username john.
These substitutions are mostly noted in the descriptions below, but there are some general substitions which apply whenever they might be relevant. These are:
%S = the name of the current service, if any
%P = the root directory of the current service, if any
%u = user name of the current service, if any
%U = session user name (the user name that the client wanted, not necessarily the same as the one they got)
%H = the home directory of the user given by %u
%v = the Samba version
%h = the hostname that Samba is running on
%m = the netbios name of the client machine (very useful)
%L = the netbios name of the server. This allows you to change your config based on what the client calls you. Your server can have a "dual personality".
%M = the internet name of the client machine
%d = The process id of the current server process
%a = the architecture of the remote machine. Only some are recognised, and those may not be 100% reliable. It currently recognises Samba, WfWg, WinNT and Win95. Anything else will be known as "UNKNOWN". If it gets it wrong then sending me a level 3 log should allow me to fix it.
%I = The IP address of the client machine
%T = the current date and time
There are some quite creative things that can be done with these substitutions and other smb.conf options.
Samba supports "name mangling" so that Dos and Windows clients can use files that don't conform to the 8.3 format. It can also be set to adjust the case of 8.3 format filenames.
There are several options that control the way mangling is performed, and they are grouped here rather than listed separately. For the defaults look at the output of the testparm program.
All of these options can be set separately for each service (or globally, of course).
The options are:
"mangle case = yes/no" controls if names that have characters that aren't of the "default" case are mangled. For example, if this is yes then a name like "Mail" would be mangled. Default no.
"case sensitive = yes/no" controls whether filenames are case sensitive. If they aren't then Samba must do a filename search and match on passed names. Default no.
"default case = upper/lower" controls what the default case is for new filenames. Default lower.
"preserve case = yes/no" controls if new files are created with the case that the client passes, or if they are forced to be the "default" case. Default no.
"short preserve case = yes/no" controls if new files which conform to 8.3 syntax, that is all in upper case and of suitable length, are created upper case, or if they are forced to be the "default" case. This option can be use with "preserve case = yes" to permit long filenames to retain their case, while short names are lowered. Default no.
Here is a list of all global parameters. See the section of each parameter for details. Note that some are synonyms.
auto services
config file
deadtime
debuglevel
default
default service
dfree command
encrypt passwords
getwd cache
hosts equiv
include
keepalive
lock dir
load printers
lock directory
log file
log level
lpq cache time
mangled stack
max log size
max packet
max xmit
message command
null passwords
os level
packet size
passwd chat
passwd program
password level
password server
preferred master
preload
printing
printcap name
protocol
read bmpx
read prediction
read raw
read size
root
root dir
root directory
security
server string
smbrun
socket options
status
strip dot
time offset
username map
use rhosts
valid chars
workgroup
write raw
Here is a list of all service parameters. See the section of each parameter for details. Note that some are synonyms.
admin users
allow hosts
alternate permissions
available
browseable
case sensitive
case sig names
copy
create mask
create mode
comment
default case
deny hosts
directory
dont descend
exec
force group
force user
guest account
guest ok
guest only
hide dot files
hosts allow
hosts deny
invalid users
locking
lpq command
lprm command
magic output
magic script
mangle case
mangled names
mangling char
map archive
map hidden
map system
max connections
min print space
only guest
only user
path
postexec
postscript
preserve case
print command
print ok
printable
printer
printer name
public
read only
read list
revalidate
root postexec
root preexec
set directory
share modes
short preserve case
strict locking
sync always
user
username
users
valid users
volume
wide links
writable
write ok
writeable
write list
This is a list of users who will be granted administrative privilages on the share. This means that they will do all file operations as the super-user (root).
You should use this option very carefully, as any user in this list will be able to do anything they like on the share, irrespective of file permissions.
Default:
no admin users
Example:
admin users = jason
Note that if you just want all printers in your printcap file loaded then the "load printers" option is easier.
Default:
no auto services
Example:
auto services = fred lp colorlp
This parameter is a comma delimited set of hosts which are permitted to access a services. If specified in the [global] section, matching hosts will be allowed access to any service that does not specifically exclude them from access. Specific services my have their own list, which override those specified in the [global] section.
You can specify the hosts by name or IP number. For example, you could restrict access to only the hosts on a Class C subnet with something like "allow hosts = 150.203.5.". The full syntax of the list is described in the man page hosts_access(5).
You can also specify hosts by network/netmask pairs and by netgroup names if your system supports netgroups. The EXCEPT keyword can also be used to limit a wildcard list. The following examples may provide some help:
Example 1: allow all IPs in 150.203.*.* except one
hosts allow = 150.203. EXCEPT 150.203.6.66
Example 2: allow hosts that match the given network/netmask
hosts allow = 150.203.15.0/255.255.255.0
Example 3: allow a couple of hosts
hosts allow = lapland, arvidsjaur
Example 4: allow only hosts in netgroup "foonet" or localhost, but deny access from one particular host
hosts allow = @foonet, localhost
hosts deny = pirate
Note that access still requires suitable user-level passwords.
See testparm(1) for a way of testing your host access to see if it does what you expect.
Default:
none (ie., all hosts permitted access)
Example:
allow hosts = 150.203.5. myhost.mynet.edu.au
This option affects the way the "read only" DOS attribute is produced for unix files. If this is false then the read only bit is set for files on writeable shares which the user cannot write to.
If this is true then it is set for files whos user write bit is not set.
The latter behaviour of useful for when users copy files from each others directories, and use a file manager that preserves permissions. Without this option they may get annoyed as all copied files will have the "read only" bit set.
Default:
alternate permissions = no
Example:
alternate permissions = yes
Default:
available = yes
Default:
browseable = Yes
Example:
browseable = No
Default:
No comment string
Example:
comment = Fred's Files
This allows you to override the config file to use, instead of the default (usually smb.conf). There is a chicken and egg problem here as this option is set in the config file!
For this reason, if the name of the config file has changed when the parameters are loaded then it will reload them from the new config file.
This option takes the usual substitutions, which can be very useful.
If thew config file doesn't exist then it won't be loaded (allowing you to special case the config files of just a few clients).
Example:
config file = /usr/local/samba/smb.conf.%m
This feature lets you set up a 'template' service and create similar services easily. Note that the service being copied must occur earlier in the configuration file than the service doing the copying.
Default:
none
This parameter is the octal modes which are used when converting DOS modes to Unix modes.
Note that Samba will or this value with 0700 as you must have at least user read, write and execute for Samba to work properly.
Default:
create mask = 0755
This is useful to stop a server's resources being exhausted by a large number of inactive connections.
Most clients have an auto-reconnect feature when a connection is broken so in most cases this parameter should be transparent to users.
Using this parameter with a timeout of a few minutes is recommended for most systems.
A deadtime of zero indicates that no auto-disconnection should be performed.
Default:
dead time = 0
The default will be the debug level specified on the command line.
See the section on "NAME MANGLING" Also note the addition of "short preserve case"
This parameter specifies the name of a service which will be connected to if the service actually requested cannot be found. Note that the square brackets are NOT given in the parameter value (see example below).
There is no default value for this parameter. If this parameter is not given, attempting to connect to a nonexistent service results in an error.
Typically the default service would be a public, read-only service.
Also not that s of 1.9.14 the apparent service name will be changed to equal that of the requested service, this is very useful as it allows you to use macros like %S to make a wildcard service.
Note also that any _ characters in the name of the service used in the default service will get mapped to a /. This allows for interesting things.
Example:
default service = pub
[pub]
path = /%S
The opposite of 'allow hosts' - hosts listed here are NOT permitted access to services unless the specific services have their own lists to override this one. Where the lists conflict, the 'allow' list takes precedence.
Default:
none (ie., no hosts specifically excluded)
Example:
deny hosts = 150.203.4. badhost.mynet.edu.au
This setting allows the replacement of the internal routines to calculate the total disk space and amount available with an external routine. The example below gives a possible script that might fulfill this function.
The external program will be passed a single parameter indicating a directory in the filesystem being queried. This will typically consist of the string "./". The script should return two integers in ascii. The first should be the total disk space in blocks, and the second should be the number of available blocks. An optional third return value can give the block size in bytes. The default blocksize is 1024 bytes.
Note: Your script should NOT be setuid or setgid and should be owned by (and writable only by) root!
Default:
By default internal routines for determining the disk capacity
and remaining space will be used.
Example:
dfree command = /usr/local/smb/dfree
Where the script dfree (which must be made executable) could be
#!/bin/sh
df $1 | tail -1 | awk '{print $2" "$4}'
or perhaps (on Sys V)
#!/bin/sh
/usr/bin/df -k $1 | tail -1 | awk '{print $3" "$5}'
Note that you may have to replace the command names with full
path names on some systems.
Note that Samba can be very fussy about the exact format of the "dont descend" entries. For example you ma need "./proc" instead of just "/proc". Experimentation is the best policy :-)
Default:
none (ie., all directories are OK to descend)
Example:
dont descend = /proc,/dev
This boolean controls whether encrypted passwords will be negotiated with the cient. Note that this option has no effect if you haven't compiled in the necessary des libraries and encryption code. It defaults to no.
This is an alias for preexec
Default:
no forced group
Example:
force group = agroup
This user name only gets used once a connection is established. Thus clients still need to connect as a valid user and supply a valid password. Once connected, all file operations will be performed as the "forced user", not matter what username the client connected as.
Default:
no forced user
Example:
force user = auser
One some systems the account "nobody" may not be able to print. Use another account in this case. You should test this by trying to log in as your guest user (perhaps by using the "su -" command) and trying to print using lpr.
Note that as of version 1.9 of Samba this option may be set differently for each service.
Default:
specified at compile time
Example:
guest account = nobody
Default:
getwd cache = No
See the section below on user/password validation for more information about this option.
Default:
guest only = no
Default:
hide dot files = yes
This is not be confused with allow hosts which is about hosts access to services and is more useful for guest services. hosts equiv may be useful for NT clients which will not supply passwords to samba.
NOTE: The use of hosts.equiv can be a major security hole. This is because you are trusting the PC to supply the correct username. It is very easy to get a PC to supply a false username. I recommend that the hosts.equiv option be only used if you really know what you are doing, or perhaps on a home network where you trust your wife and kids :-)
Default
No host equivalences
Example
hosts equiv = /etc/hosts.equiv
A name starting with @ is interpreted as a unix group.
The current servicename is substituted for %S. This is useful in the [homes] section.
See also "valid users"
Default
No invalid users
Example
invalid users = root fred admin @wheel
This allows you to inlcude one config file inside another. the file is included literally, as though typed in place.
It takes the standard substitutions, except %u, %P and %S
Keepalives should, in general, not be needed if the socket being used has the SO_KEEPALIVE attribute set on it (see "socket options"). Basically you should only use this option if you strike difficulties.
Default:
keep alive = 0
Default:
load printers = no
Example:
load printers = yes
Default:
lock directory = /tmp/samba
Example:
lock directory = /usr/local/samba/locks
If "locking = no", all lock and unlock requests will appear to succeed and all lock queries will indicate that the queried lock is clear.
If "locking = yes", real locking will be performed by the server.
This option may be particularly useful for read-only filesystems which do not need locking (such as cdrom drives).
Be careful about disabling locking either globally or in a specific service, as lack of locking may result in data corruption.
Default:
locking = yes
Example:
locking = no
This options allows you to override the name of the Samba log file (also known as the debug file).
This option takes the standard substitutions, allowing you to have separate log files for each user or machine.
Example:
log file = /usr/local/samba/log.%m
This controls how long lpq info will be cached for to prevent the lpq command being called too often. A separate cache is kept for each variation of the lpq command used by the system, so if you use different lpq commands for different users then they won't share cache information.
The cache files are stored in /tmp/lpq.xxxx where xxxx is a hash of the lpq command in use.
The default is 10 seconds, meaning that the cached results of a previous identical lpq command will be used if the cached data is less than 10 seconds old. A large value may be advisable if your lpq command is very slow.
A value of 0 will disable cacheing completely.
Default:
lpq cache time = 10
Example:
lpq cache time = 30
This command should be a program or script which takes a printer name as its only parameter and outputs printer status information.
Currently four styles of printer status information are supported; BSD, SYSV, AIX and HPUX. This covers most unix systems. You control which type is expected using the "printing =" option.
Some clients (notably Windows for Workgroups) may not correctly send the connection number for the printer they are requesting status information about. To get around this, the server reports on the first printer service connected to by the client. This only happens if the connection number sent is invalid.
If a %p is given then the printername is put in it's place. Otherwise it is placed at the end of the command.
Note that it is good practice to include the absolute path in the lpq command as the PATH may not be available to the server.
Default:
depends on the setting of "printing ="
Example:
lpq command = /usr/bin/lpq %p
This command should be a program or script which takes a printer name and job number, and deletes the print job.
Currently four styles of printer control are supported; BSD, SYSV, AIX and HPUX. This covers most unix systems. You control which type is expected using the "printing =" option.
If a %p is given then the printername is put in it's place. A %j is replaced with the job number (an integer).
Note that it is good practice to include the absolute path in the lprm command as the PATH may not be available to the server.
Default:
depends on the setting of "printing ="
Example 1:
lprm command = /usr/bin/lprm -P%p %j
Example 1:
lprm command = /usr/bin/cancel %p-%j
Warning: If two clients use the same magic script in the same directory the
output file content is undefined.
Default:
magic output = <magic script name>.out
Example:
magic output = myfile.txt
Scripts executed in this way will be deleted upon completion, permissions permitting.
If the script generates output, output will be sent to the file specified by the magic output parameter (see above).
Note that some shells are unable to interpret scripts containing carriage-return-linefeed instead of linefeed as the end-of-line marker. Magic scripts must be executable "as is" on the host, which for some hosts and some shells will require filtering at the DOS end.
Magic scripts are EXPERIMENTAL and should NOT be relied upon.
Default:
None. Magic scripts disabled.
Example:
magic script = user.csh
So to map 'html' to 'htm' you put:
mangled map = (*.html *.htm)
One very useful case is to remove the annoying ;1 off the ends of filenames on some CDROMS (only visible under some unixes). To do this use a map of (*;1 *)
default:
no mangled map
Example:
mangled map = (*;1 *)
See the section on "NAME MANGLING"
See the section on "NAME MANGLING" for details on how to control the mangling process.
If mangling is used then the mangling algorithm is as follows:
- a tilde ("~") is appended to the first part of the mangled name, followed by a two-character unique sequence, based on the origonal root name (i.e., the original filename minus its final extension). The final extension is included in the hash calculation only if it contains any upper case characters or is longer than three characters.
Note that the character to use may be specified using the "mangling char" option, if you don't like ~.
- the first three alphanumeric characters of the final extension are preserved, forced to upper case and appear as the extension of the mangled name. The final extension is defined as that part of the original filename after the rightmost dot. If there are no dots in the filename, the mangled name will have no extension (except in the case of hidden files - see below).
- files whose Unix name begins with a dot will be presented as DOS hidden files. The mangled name will be created as for other filenames, but with the leading dot removed and "___" as its extension regardless of actual original extension (that's three underscores).
The two-digit hash value consists of upper case alphanumeric characters.
This algorithm can cause name collisions only if files in a directory share the same first five alphanumeric characters. The probability of such a clash is 1/1300.
The name mangling (if enabled) allows a file to be copied between Unix directories from DOS while retaining the long Unix filename. Unix files can be renamed to a new extension from DOS and will retain the same basename. Mangled names do not change between sessions.
Default:
mangled names = yes
Default:
mangling char = ~
Example:
mangling char = ^
This option (an integer in kilobytes) specifies the max size the log file should grow to. Samba periodically checks the size and if it is exceeded it will rename the file, adding a .old extension.
A size of 0 means no limit.
Default:
max log size = 5000
Example:
max log size = 1000
This option controls the maximum packet size that will be negotiated by Samba. The default is 65535, which is the maximum. In some cases you may find you get better performance with a smaller value. A value below 2048 is likely to cause problems.
Default:
max xmit = 65535
Example:
max xmit = 8192
This stack is a list of recently mangled base names (extensions are only maintained if they are longer than 3 characters or contains upper case characters).
The larger this value, the more likely it is that mangled names can be successfully converted to correct long Unix names. However, large stack sizes will slow most directory access. Smaller stacks save memory in the server (each stack element costs 256 bytes).
It is not possible to absolutely guarantee correct long file names, so be prepared for some surprises!
Default:
mangled stack = 50
Example:
mangled stack = 100
Default:
map archive = yes
Example:
map archive = no
Default:
map hidden = no
Default:
map system = no
Record lock files are used to implement this feature. The lock files will be stored in the directory specified by the "lock directory" option.
Default:
max connections = 0
Note that this also means Samba won't try to deduce usernames from the service name. This can be annoying for the [homes] section. To get around this you could use "user = %S" which means your "user" list will be just the service name, which for home directories is the name of the user.
Default:
only user = False
Example:
only user = True
This specifies what command to run when the server receives a WinPopup style message.
This would normally be a command that would deliver the message somehow. How this is to be done is up to your imagination.
What I use is:
message command = csh -c 'xedit %s;rm %s' &
This delivers the message using xedit, then removes it afterwards. NOTE THAT IT IS VERY IMPORTANT THAT THIS COMMAND RETURN IMMEDIATELY. That's why I have the & on the end. If it doesn't return immediately then your PCs may freeze when sending messages (they should recover after 30secs, hopefully).
All messages are delivered as the global guest user. The command takes the standard substitutions, although %u won't work (%U may be better in this case).
Apart from the standard substitutions, some additional ones apply. In particular:
%s = the filename containing the message
%t = the destination that the message was sent to (probably the server name)
%f = who the message is from
You could make this command send mail, or whatever else takes your fancy. Please let me know of any really interesting ideas you have.
Here's a way of sending the messages as mail to root:
message command = /bin/mail -s 'message from %f on %m' root < %s; rm %s
If you don't have a message command then the message won't be delivered and Samba will tell the sender there was an error. Unfortunately WfWg totally ignores the error code and carries on regardless, saying that the message was delivered.
If you want to silently delete it then try "message command = rm %s".
For the really adventurous, try something like this:
message command = csh -c 'csh < %s |& /usr/local/samba/smbclient
-M %m; rm %s' &
this would execute the command as a script on the server, then give them the result in a WinPopup message. Note that this could cause a loop if you send a message from the server using smbclient! You better wrap the above in a script that checks for this :-)
Default:
no message command
Example:
message command = csh -c 'xedit %s;rm %s' &
This sets the minimum amount of free disk space that must be available before a user will be able to spool a print job. It is specified in kilobytes. The default is 0, which means no limit.
Default:
min print space = 0
Example:
min print space = 2000
Default:
null passwords = no
Example:
null passwords = yes
This chat sequence is often quite site specific, deppending on what local methods are used for password control (such as NIS+ etc).
The string can contain the macros %o and %n which are substituted for the old and new passwords respectively. It can aso contain the standard macros \n \r \t and \s to give line-feed, carriage-return, tab and space.
The string can also contain a * which matches any sequence of characters.
Double quotes can be used to collect strings with spaces in them into a single string.
If the send string in any part of the chat sequence is a fullstop "." then no string is sent. Similarly, is the expect string is a fullstop then no string is expected.
Example:
passwd chat = "*Enter OLD password*" %o\n "*Enter NEW password*" %n\n \
"*Reenter NEW password*" %n\n "*Password changed*"
Default:
passwd chat = *old*password* %o\n *new*password* %n\n *new*password* %n\n *changed*
This is only necessary if you have enabled remote password changing at compile time. Any occurances of %u will be replaced with the user name.
Also note that many passwd programs insist in "reasonable" passwords, such as a minimum length, or the inclusion of mixed case chars and digits. This can pose a problem as some clients (such as Windows for Workgroups) uppercase the password before sending it.
Default:
passwd program = /bin/passwd
Example:
passwd program = /sbin/passwd %u
This parameter defines the maximum number of characters that may be upper case in passwords.
For example, say the password given was "FRED". If password level is set to 1 (one), the following combinations would be tried if "FRED" failed: "Fred", "fred", "fRed", "frEd", "freD". If password level was set to 2 (two), the following combinations would also be tried: "FRed", "FrEd", "FreD", "fREd", "fReD", "frED". And so on.
The higher value this parameter is set to the more likely it is that a mixed case password will be matched against a single case password. However, you should be aware that use of this parameter reduces security and increases the time taken to process a new connection.
A value of zero will cause only two attempts to be made - the password as is and the password in all-lower case.
If you find the connections are taking too long with this option then you probably have a slow crypt() routine. Samba now comes with a fast "ufc crypt" that you can select in the Makefile. You should also make sure the PASSWORD_LENGTH option is correct for your system in local.h and includes.h. On most systems only the first 8 chars of a password are significant so PASSWORD_LENGTH should be 8, but on some longer passwords are significant. The inlcudes.h file tries to select the right length for your system.
Default:
password level = 0
Example:
password level = 4
By specifying the name of another SMB server (such as a WinNT box) with this option, and using "security = server" you can get Samba to do all it's username/password validation via a remote server.
This options sets the name of the password server to use. It must be a netbios name, so if the machines netbios name is different from it's internet name then you may have to add it's netbios name to /etc/hosts.
The password server much be a machine capable of using the "LM1.2X002" or the "LM NT 0.12" protocol, and it must be in user level security mode.
NOTE: Using a password server means your unix box (running Samba) is only as secure as your password server. DO NOT CHOOSE A PASSWORD SERVER THAT YOU DON'T COMPLETELY TRUST.
Never point a Samba server at itself for password serving. This will cause a loop and could lock up your Samba server!
The name of the password server takes the standard substitutions, but probably the only useful one is %m, which means the Samba server will use the incoming client as the password server. If you use this then you better trust your clients, and you better restrict them with hosts allow!
If you list several hosts in the "password server" option then smbd will try each in turn till it finds one that responds. This is useful in case your primary server goes down.
This parameter specifies a directory to which the user of the service is to be given access. In the case of printable services, this is where print data will spool prior to being submitted to the host for printing.
For a printable service offering guest access, the service should be readonly and the path should be world-writable and have the sticky bit set. This is not mandatory of course, but you probably won't get the results you expect if you do otherwise.
Any occurances of %u in the path will be replaced with the username that the client is connecting as. Any occurances of %m will be replaced by the name of the machine they are connecting from. These replacements are very useful for setting up pseudo home directories for users.
Note that this path will be based on 'root dir' if one was specified.
Default:
none
Example:
path = /home/fred+
This option specifies a command to be run whenever the service is disconnected. It takes the usual substitutions. The command may be run as the root on some systems.
An interesting example may be do unmount server resources:
postexec = /etc/umount /cdrom
See also preexec
Default:
none (no command executed)
Example:
postexec = echo
This is most useful when you have lots of PCs that persist in putting a control-D at the start of print jobs, which then confuses your printer.
Default:
postscript = False
Example:
postscript = True
This option specifies a command to be run whenever the service is connected to. It takes the usual substitutions.
An interesting example is to send the users a welcome message every time they log in. Maybe a message of the day? Here is an example:
preexec = csh -c 'echo
/usr/local/samba/smbclient -M %m -I %I' &
Of course, this could get annoying after a while :-)
See also postexec
Default:
none (no command executed)
Example: preexec = echo
It is on by default.
This controls if new filenames are created with the case that the client passes, or if they are forced to be the "default" case.
Default:
preserve case = no
See the section on "NAME MANGLING" for a fuller discussion.
The print command is simply a text string. It will be used verbatim, with two exceptions: All occurrences of "%s" will be replaced by the appropriate spool file name, and all occurrences of "%p" will be replaced by the appropriate printer name. The spool file name is generated automatically by the server, the printer name is discussed below.
The full path name will be used for the filename if %s is not preceded by a /. If you don't like this (it can stuff up some lpq output) then use %f instead. Any occurances of %f get replaced by the spool filename without the full path at the front.
The print command MUST contain at least one occurrence of "%s" or %f - the "%p" is optional. At the time a job is submitted, if no printer name is supplied the "%p" will be silently removed from the printer command.
If specified in the [global] section, the print command given will be used for any printable service that does not have its own print command specified.
If there is neither a specified print command for a printable service nor a global print command, spool files will be created but not processed and (most importantly) not removed.
Note that printing may fail on some unixes from the "nobody" account. If this happens then create an alternative guest account that can print and set the "guest account" in the [global] section.
You can form quite complex print commands by realising that they are just passed to a shell. For example the following will log a print job, print the file, then remove it. Note that ; is the usual separator for command in shell scripts.
print command = echo Printing %s >> /tmp/print.log; lpr -P %p %s; rm %s
You may have to vary this command considerably depending on how you normally print files on your system.
Default:
print command = lpr -r -P %p %s
Example:
print command = /usr/local/samba/myprintscript %p %s
If this parameter is 'yes', then clients may open, write to and submit spool files on the directory specified for the service.
Note that a printable service will ALWAYS allow writing to the service path (user privileges permitting) via the spooling of print data. The 'read only' parameter controls only non-printing access to the resource.
Default:
printable = no
Example:
printable = yes
Currently three printing styles are supported. They are "printing = bsd", "printing = sysv", "printing = hpux" and "printing = aix".
To see what the defaults are for the other print commands when using these three options use the "testparm" program.
For those of you without a printcap (say on SysV) you can just create a minimal file that looks like a printcap and set "printcap name =" in [global] to point at it.
A minimal printcap file would look something like this:
print1|My Printer 1 print2|My Printer 2 print3|My Printer 3 print4|My Printer 4 print5|My Printer 5
where the | separates aliases of a printer. The fact that the second alias has a space in it gives a hint to Samba that it's a comment.
NOTE: Under AIX the default printcap name is "/etc/qconfig". Samba will assume the file is in AIX "qconfig" format if the string "/qconfig" appears in the printcap filename.
Default:
printcap name = /etc/printcap
Example:
printcap name = /etc/myprintcap
This parameter specifies the name of the printer to which print jobs spooled through a printable service will be sent.
If specified in the [global] section, the printer name given will be used for any printable service that does not have its own printer name specified.
Default:
none (but may be 'lp' on many systems)
Example:
printer name = laserwriter
Possible values are CORE, COREPLUS, LANMAN1, LANMAN2 and NT1. The relative merits of each are discussed in the README file.
Default:
protocol = NT1
If this parameter is 'yes' for a service, then no password is required to connect to the service. Privileges will be those of the guest account.
See the section below on user/password validation for more information about this option.
Default:
public = no
See also the "write list" option
Default:
read list =
Example:
read list = mary, @students
If enabled, raw reads allow reads of 65535 bytes in one packet. This typically provides a major performance benefit.
However, some clients either negotiate the allowable block size incorrectly or are incapable of supporting larger block sizes, and for these clients you may need to disable raw reads.
In general this parameter should be viewed as a system tuning tool and left severely alone. See also write raw.
Default:
read raw = yes
The option "read size" affects the overlap of disk reads/writes with network reads/writes. If the amount of data being transferred in several of the SMB commands (currently SMBwrite, SMBwriteX and SMBreadbraw) is larger than this value then the server begins writing the data before it has received the whole packet from the network, or in the case of SMBreadbraw, it begins writing to the network before all the data has been read from disk.
This overlapping works best when the speeds of disk and network access are similar, having very little effect when the speed of one is much greater than the other.
The default value is 2048, but very little experimentation has been done yet to determine the optimal value, and it is likely that the best value will vary greatly between systems anyway. A value over 65536 is pointless and will cause you to allocate memory unnecessarily.
Default:
read size = 2048
Example:
read size = 8192
This options controls whether Samba will allow a previously validated username/password pair to be used to attach to a share. Thus if you connect to \\server\share1 then to \\server\share2 it won't automatically allow the client to request connection to the second share as the same username as the first without a password.
If "revalidate" is True then the client will be denied automatic access as the same username.
Default:
revalidate = False
Example:
revalidate = True
The server will chroot() to this directory on startup. This is not strictly necessary for secure operation. Even without it the server will deny access to files not in one of the service entries. It may also check for, and deny access to, soft links to other parts of the filesystem, or attempts to use .. in file names to access other directories (depending on the setting of the "wide links" parameter).
Adding a "root dir" entry other than "/" adds an extra level of security, but at a price. It absolutely ensures that no access is given to files not in the sub-tree specified in the "root dir" option, *including* some files needed for complete operation of the server. To maintain full operability of the server you will need to mirror some system files into the "root dir" tree. In particular you will need to mirror /etc/passwd (or a subset of it), and any binaries or configuration files needed for printing (if required). The set of files that must be mirrored is operating system dependent.
Default:
root directory = /
Example:
root directory = /homes/smb
The option sets the "security mode bit" in replies to protocol negotiations to turn share level security on or off. Clients decide based on this bit whether (and how) to transfer user and password information to the server.
The default is "security=SHARE", mainly because that was the only option at one stage.
The alternatives are "security = user" or "security = server".
If your PCs use usernames that are the same as their usernames on the unix machine then you will want to use "security = user". If you mostly use usernames that don't exist on the unix box then use "security = share".
There is a bug in WfWg that may affect your decision. When in user level security a WfWg client will totally ignore the password you type in the "connect drive" dialog box. This makes it very difficult (if not impossible) to connect to a Samba service as anyone except the user that you are logged into WfWg as.
If you use "security = server" then Samba will try to validate the username/password by passing it to another SMB server, such as an NT box. If this fails it will revert to "security = USER".
See the "password server" option for more details.
Default:
security = SHARE
Note that it DOES NOT affect the string that appears in browse lists. That is controlled by a nmbd command line option instead.
A %v will be replaced with the Samba version number.
A %h will be replaced with the hostname.
Default:
server string = Samba %v
Example:
server string = University of GNUs Samba Server
You must get this path right for many services to work correctly.
Default: taken from Makefile
Example:
smbrun = /usr/local/samba/bin/smbrun
This controls if new short filenames are created with the case that the client passes, or if they are forced to be the "default" case.
Default:
short preserve case = no
See the section on "NAME MANGLING" for a fuller discussion.
This is the same as preexec except that the command is run as root. This is useful for mounting filesystems (such as cdroms) before a connection is finalised.
This is the same as postexec except that the command is run as root. This is useful for unmounting filesystems (such as cdroms) after a connection is closed.
The setdir comand is only implemented in the Digital Pathworks client. See the
Pathworks documentation for details.
Default:
set directory = no
Example:
set directory = yes
This enables or disables the honouring of the "share modes" during a file open. These modes are used by clients to gain exclusive read or write access to a file.
These open modes are not directly supported by unix, so they are simulated using lock files in the "lock directory". The "lock directory" specified in smb.conf must be readable by all users.
The share modes that are enabled by this option are DENY_DOS, DENY_ALL, DENY_READ, DENY_WRITE, DENY_NONE and DENY_FCB.
Enabling this option gives full share compatability but may cost a bit of processing time on the unix server. They are enabled by default.
Default:
share modes = yes
Example:
share modes = no
Socket options are controls on the networking layer of the operating systems which allow the connection to be tuned.
This option will typically be used to tune your Samba server for optimal performance for your local network. There is no way that Samba can know what the optimal parameters are for your net, so you must experiment and choose them yourself. I strongly suggest you read the appropriate documentation for your operating system first (perhaps "man setsockopt" will help).
You may find that on some systems Samba will say "Unknown socket option" when you supply an option. This means you either mis-typed it or you need to add an include file to includes.h for your OS. If the latter is the case please send the patch to me (samba-bugs@anu.edu.au).
Any of the supported socket options may be combined in any way you like, as long as your OS allows it.
This is the list of socket options currently settable using this option:
SO_KEEPALIVE
SO_REUSEADDR
SO_BROADCAST
TCP_NODELAY
IPTOS_LOWDELAY
IPTOS_THROUGHPUT
SO_SNDBUF *
SO_RCVBUF *
SO_SNDLOWAT *
SO_RCVLOWAT *
Those marked with a * take an integer argument. The others can optionally take a 1 or 0 argument to enable or disable the option, by default they will be enabled if you don't specify 1 or 0.
To specify an argument use the syntax SOME_OPTION=VALUE for example SO_SNDBUF=8192. Note that you must not have any spaces before or after the = sign.
If you are on a local network then a sensible option might be
socket options = IPTOS_LOWDELAY
If you have an almost unloaded local network and you don't mind a lot of extra CPU usage in the server then you could try
socket options = IPTOS_LOWDELAY TCP_NODELAY
If you are on a wide area network then perhaps try setting IPTOS_THROUGHPUT.
Note that several of the options may cause your Samba server to fail completely. Use these options with caution!
Default:
no socket options
Example:
socket options = IPTOS_LOWDELAY
With this disabled smbstatus won't be able to tell you what connections are active.
Default:
status = yes
Example:
status = no
NOTE: This option is now obsolete, and may be removed in future. You should use the "mangled map" option instead as it is much more general.
When strict locking is "no" the server does file lock checks only when the client explicitly asks for them.
Well behaved clients always ask for lock checks when it is important, so in the vast majority of cases "strict locking = no" is preferable.
Default:
strict locking = no
Example:
strict locking = yes
This is a boolean parameter that controls whether writes will always be written to stable storage before the write call returns. If this is false then the server will be guided by the clients request in each write call (clients can set a bit indicating that a particular write should be synchronous). If this is true then every write will be followed by a fsync() call to ensure the data is written to disk.
Default:
sync always = no
Example:
sync always = yes
Default:
time offset = 0
Example:
time offset = 60
Multiple users may be specified in a comma-delimited list, in which case the supplied password will be tested against each username in turn (left to right).
The username= line is needed only when the PC is unable to supply it's own username. This is the case for the coreplus protocol or where your users have different WfWg usernames to unix usernames. In both these cases you may also be better using the \\server\share%user syntax instead.
The username= line is not a great solution in many cases as it means Samba will try to validate the supplied password against each of the usernames in the username= line in turn. This is slow and a bad idea for lots of users in case of duplicate passwords. You may get timeouts or security breaches using this parameter unwisely.
Samba relies on the underlying unix security. This parameter does not restrict who can login, it just offers hints to the Samba server as to what usernames might correspond to the supplied password. Users can login as whoever they please and they will be able to do no more damage than if they started a telnet session. The daemon runs as the user that they log in as, so they cannot do anything that user cannot do.
To restrict a service to a particular set of users you can use the "valid users=" line.
If any of the usernames begin with a @ then the name will be looked up in the groups file and will expand to a list of all users in the group of that name. Note that searching though a groups file can take quite some time, and some clients may time out during the search.
See the section below on username/password validation for more information on how this parameter determines access to the services.
Default:
The guest account if a guest service, else the name of the service.
Examples:
username = fred
username = fred, mary, jack, jane, @users, @pcgroup
This option allows you to to specify a file containing a mapping of usernames from the clients to the server. This can be used for several purposes. The most common is to map usernames that users use on dos or windows machines to those that the unix box uses. The other is to map multiple users to a single username so that they can more easily share files.
The map file is parsed line by line. Each line should contain a single unix username on the left then a '=' followed by a list of usernames on the right. The list of usernames on the right may contain names of the form @group in which case they will match any unix username in that group. The special client name '*' is a wildcard and matches any name.
The file is processed on each line by taking the supplied username and comparing it with each username on the right hand side of the '=' signs. If the supplied name matrches any of the names on the right hand side then it is replaced with the name on the left. Processing then continues with the next line.
If any line begins with a '#' or a ';' then it is ignored
For example to map from he name "admin" or "administrator" to the unix name "root" you would use
root = admin administrator
Or to map anyone in the unix group "system" to the unix name "sys" you would use
sys = @system
You can have as many mappings as you like in a username map file.
Note that the remapping is applied to all occurances of usernames. Thus if you connect to "\\server\fred" and "fred" is remapped to "mary" then you will actually be connecting to "\\server\mary" and will need to supply a password suitable for "mary" not "fred". The only exception to this is the username passwed to the "password server" (if you have one). The password server will receive whatever username the client supplies without modification.
Also note that no reverse mapping is done. The main effect this has is with printing. Users who have been mapped may have trouble deleting print jobs as PrintManager under WfWg will think they don't own the print job.
Default
no username map
Example
username map = /usr/local/samba/lib/users.map
The option allows you to specify additional characters that should be considered valid by the server in filenames. This is particularly useful for national character sets, such as adding u-umlaut or a-ring.
The option takes a list of characters in either integer or character form with spaces between them. If you give two characters with a colon between them then it will be taken as an lowercase:uppercase pair.
If you have an editor capable of entering the characters into the config file then it is probably easiest to use this method. Otherwise you can specify the characters in octal, decimal or hexidecimal form using the usual C notation.
For example to add the single character 'Z' to the charset (which is a pointless thing to do as it's already there) you could do one of the following
valid chars = Z valid chars = z:Z valid chars = 0132:0172
The last two examples above actually add two characters, and alters the uppercase and lowercase mappings appropriately.
Default
Samba defaults to using a reasonable set of valid characters
for english systems
Example
valid chars = 0345:0305 0366:0326 0344:0304
The above example allows filenames to have the swedish characters in them.
If this is empty (the default) then any user can login. If a username is in both this list and the "invalid users" list then access is denied for that user.
The current servicename is substituted for %S. This is useful in the [homes] section.
See also "invalid users"
Default
No valid users list. (anyone can login)
Example
valid users = greg, @pcusers
The default is the name of the share
Default:
wide links = yes
Example:
wide links = no
This controls what workgroup your server will appear to be in when queried by clients. This can be different to the workgroup specified in the nmbd configuration, but it is probably best if you set them to the same value.
Default:
set in the Makefile
Example:
workgroup = MYGROUP
If this parameter is 'no', then users of a service may not create or modify files in the service's directory.
Note that a printable service ('printable = yes') will ALWAYS allow writing to the directory (user privileges permitting), but only via spooling operations.
Default:
writable = no
Examples:
read only = no
writable = yes
write ok = yes
Note that if a user is in both the read list and the write list then they will be given write access.
See also the "read list" option
Default:
write list =
Example:
write list = admin, root, @staff
Default:
write raw = yes
If the service is marked "guest only = yes" then steps 1 to 5 are skipped
Step 1: If the client has passed a username/password pair and that username/password pair is validated by the unix systems password programs then the connection is made as that username. Note that this includes the \\server\service%username method of passing a username.
Step 2: If the client has previously registered a username with the system and now supplies a correct password for that username then the connection is allowed.
Step 3: The clients netbios name and any previously used user names are checked against the supplied password, if they match then the connection is allowed as the corresponding user.
Step 4: If the client has previously validated a username/password pair with the server and the client has passed the validation token then that username is used. This step is skipped if "revalidate = yes" for this service.
Step 5: If a "user = " field is given in the smb.conf file for the service and the client has supplied a password, and that password matches (according to the unix systems password checking) with one of the usernames from the user= field then the connection is made as the username in the "user=" line. If one of the username in the user= list begins with a @ then that name expands to a list of names in the group of the same name.
Step 6: If the service is a guest service then a connection is made as the username given in the "guest account =" for the service, irrespective of the supplied password.
On a similar note, many clients - especially DOS clients - limit service names to eight characters. Smbd has no such limitation, but attempts to connect from such clients will fail if they truncate the service names. For this reason you should probably keep your service names down to eight characters in length.
Use of the [homes] and [printers] special sections make life for an administrator easy, but the various combinations of default attributes can be tricky. Take extreme care when designing these sections. In particular, ensure that the permissions on spool directories are correct.
Prior to version 1.5.21 of the Samba suite, the configuration file was radically different (more primitive). If you are using a version earlier than 1.8.05, it is STRONGLY recommended that you upgrade.
Most diagnostics issued by the server are logged in a specified log file. The log file name is specified at compile time, but may be overridden on the smbd (see smbd(8)) command line.
The number and nature of diagnostics available depends on the debug level used by the server. If you have problems, set the debug level to 3 and peruse the log files.
Most messages are reasonably self-explanatory. Unfortunately, at time of creation of this man page the source code is still too fluid to warrant describing each and every diagnostic. At this stage your best bet is still to grep the source code and inspect the conditions that gave rise to the diagnostics you are seeing.
Please send bug reports, comments and so on to:
To subscribe to these lists send a message to listproc@listproc.anu.edu.au with a body of "subscribe samba Your Name" or "subscribe samba-announce Your Name".
Errors or suggestions for improvements to the Samba man pages should be mailed to: