smb (5) Linux Manual Page

smb.conf – The configuration file for the Samba suite

Synopsis

The smb.conf file is a configuration file for the Samba suite. smb.conf contains runtime configuration information for the Samba programs. The complete description of the file format and possible parameters held within are here for reference purposes.

File Format

The file consists of sections and parameters. A section begins with the name of the section in square brackets and continues until the next section begins. Sections contain parameters of the form:

name = value 

The file is line-based – that is, each newline-terminated line represents either a comment, a section name or a parameter.

Section and parameter names are not case sensitive.

Only the first equals sign in a parameter is significant. Whitespace before or after the first equals sign is discarded. Leading, trailing and internal whitespace in section and parameter names is irrelevant. Leading and trailing whitespace in a parameter value is discarded. Internal whitespace within a parameter value is retained verbatim.

Any line beginning with a semicolon (“;”) or a hash (“#”) character is ignored, as are lines containing only whitespace.

Any line ending in a “\” is continued on the next line in the customary UNIX fashion.

The values following the equals sign in parameters are all either a string (no quotes needed) or a boolean, which may be given as yes/no, 1/0 or true/false. Case is not significant in boolean values, but is preserved in string values. Some items such as create masks are numeric.

Section Descriptions

Each section in the configuration file (except for the [global] section) describes a shared resource (known as a “share”). The section name is the name of the shared resource and the parameters within the section define the shares attributes.

There are three special sections, [global], [homes] and [printers], which are described under special sections. The following notes apply to ordinary section descriptions.

A share consists of a directory to which access is being given plus a description of the access rights which are granted to the user of the service. Some housekeeping options are also specifiable.

Sections are either file share services (used by the client as an extension of their native file systems) or printable services (used by the client to access print services on the host running the server).

Sections may be designated guest services, in which case no password is required to access them. A specified UNIX guest account is used to define access privileges in this case.

Sections other than guest services will require a password to access them. The client provides the username. As older clients only provide passwords and not usernames, you may specify a list of usernames to check against the password using the user = option in the share definition. For modern clients such as Windows 95/98/ME/NT/2000, this should not be necessary.

The access rights granted by the server are masked by the access rights granted to the specified or guest UNIX user by the host system. The server does not grant more access than the host system grants.

The following sample section defines a file space share. The user has write access to the path /home/bar. The share is accessed via the share name foo:

 [foo]
 m[blue]path = /home/barm[]
 m[blue]read only = nom[]

The following sample section defines a printable share. The share is read-only, but printable. That is, the only write access permitted is via calls to open, write to and close a spool file. The guest ok parameter means access will be permitted as the default guest user (specified elsewhere):

 [aprinter]
 m[blue]path = /usr/spool/publicm[]
 m[blue]read only = yesm[]
 m[blue]printable = yesm[]
 m[blue]guest ok = yesm[]

Special Sections

The [global] section

Parameters in this section apply to the server as a whole, or are defaults for sections that do not specifically define certain items. See the notes under PARAMETERS for more information.

The [homes] section

If a section called [homes] is included in the configuration file, services connecting clients to their home directories can be created on the fly by the server.

When the connection request is made, the existing sections are scanned. If a match is found, it is used. If no match is found, the requested section name is treated as a username and looked up in the local password file. If the name exists and the correct password has been given, a share is created by cloning the [homes] section.

Some modifications are then made to the newly created share:

• The share name is changed from homes to the located username.

• If no path was given, the path is set to the user’s home directory.

If you decide to use a path = line in your [homes] section, it may be useful to use the %S macro. For example:

path = /data/pchome/%S

is useful if you have different home directories for your PCs than for UNIX access.

This is a fast and simple way to give a large number of clients access to their home directories with a minimum of fuss.

A similar process occurs if the requested section name is “homes”, except that the share name is not changed to that of the requesting user. This method of using the [homes] section works well if different users share a client PC.

The [homes] section can specify all the parameters a normal service section can specify, though some make more sense than others. The following is a typical and suitable [homes] section:

[homes]
m[blue]read only = nom[]

An important point is that if guest access is specified in the [homes] section, all home directories will be visible to all clients without a password. In the very unlikely event that this is actually desirable, it is wise to also specify read only access.

The browseable flag for auto home directories will be inherited from the global browseable flag, not the [homes] browseable flag. This is useful as it means setting browseable = no in the [homes] section will hide the [homes] share but make any auto home directories visible.

The [printers] section

This section works like [homes], but for printers.

If a [printers] section occurs in the configuration file, users are able to connect to any printer specified in the local host’s printcap file.

When a connection request is made, the existing sections are scanned. If a match is found, it is used. If no match is found, but a [homes] section exists, it is used as described above. Otherwise, the requested section name is treated as a printer name and the appropriate printcap file is scanned to see if the requested section name is a valid printer share name. If a match is found, a new printer share is created by cloning the [printers] section.

A few modifications are then made to the newly created share:

• The share name is set to the located printer name

• If no printer name was given, the printer name is set to the located printer name

• If the share does not permit guest access and no username was given, the username is set to the located printer name.

The [printers] service MUST be printable – if you specify otherwise, the server will refuse to load the configuration file.

Typically the path specified is that of a world-writeable spool directory with the sticky bit set on it. A typical [printers] entry looks like this:

[printers]
m[blue]path = /usr/spool/publicm[]
m[blue]guest ok = yesm[]
m[blue]printable = yesm[]

All aliases given for a printer in the printcap file are legitimate printer names as far as the server is concerned. If your printing subsystem doesn’t work like that, you will have to set up a pseudo-printcap. This is a file consisting of one or more lines like this:

alias|alias|alias|alias... 

Each alias should be an acceptable printer name for your printing subsystem. In the [global] section, specify the new file as your printcap. The server will only recognize names found in your pseudo-printcap, which of course can contain whatever aliases you like. The same technique could be used simply to limit access to a subset of your local printers.

An alias, by the way, is defined as any component of the first entry of a printcap record. Records are separated by newlines, components (if there are more than one) are separated by vertical bar symbols (|).

Note

On SYSV systems which use lpstat to determine what printers are defined on the system you may be able to use printcap name = lpstat to automatically obtain a list of printers. See the printcap name option for more details.

Usershares

Starting with Samba version 3.0.23 the capability for non-root users to add, modify, and delete their own share definitions has been added. This capability is called usershares and is controlled by a set of parameters in the [global] section of the smb.conf. The relevant parameters are :

usershare allow guests

Controls if usershares can permit guest access.

usershare max shares

Maximum number of user defined shares allowed.

usershare owner only

If set only directories owned by the sharing user can be shared.

usershare path

Points to the directory containing the user defined share definitions. The filesystem permissions on this directory control who can create user defined shares.

usershare prefix allow list

Comma-separated list of absolute pathnames restricting what directories can be shared. Only directories below the pathnames in this list are permitted.

usershare prefix deny list

Comma-separated list of absolute pathnames restricting what directories can be shared. Directories below the pathnames in this list are prohibited.

usershare template share

Names a pre-existing share used as a template for creating new usershares. All other share parameters not specified in the user defined share definition are copied from this named share.

To allow members of the UNIX group foo to create user defined shares, create the directory to contain the share definitions as follows:

Become root:

mkdir /usr/local/samba/lib/usershares
chgrp foo /usr/local/samba/lib/usershares
chmod 1770 /usr/local/samba/lib/usershares

Then add the parameters

 m[blue]usershare path = /usr/local/samba/lib/usersharesm[]
 m[blue]usershare max shares = 10m[] # (or the desired number of shares)

to the global section of your smb.conf. Members of the group foo may then manipulate the user defined shares using the following commands.

net usershare add sharename path [comment] [acl] [guest_ok=[y|n]]

To create or modify (overwrite) a user defined share.

net usershare delete sharename

To delete a user defined share.

net usershare list wildcard-sharename

To list user defined shares.

net usershare info wildcard-sharename

To print information about user defined shares.

Parameters

Parameters define the specific attributes of sections.

Some parameters are specific to the [global] section (e.g., security). Some parameters are usable in all sections (e.g., create mask). All others are permissible only in normal sections. For the purposes of the following descriptions the [homes] and [printers] sections will be considered normal. The letter G in parentheses indicates that a parameter is specific to the [global] section. The letter S indicates that a parameter can be specified in a service specific section. All S parameters can also be specified in the [global] section – in which case they will define the default behavior for all services.

Parameters are arranged here in alphabetical order – this may not create best bedfellows, but at least you can find them! Where there are synonyms, the preferred synonym is described, others refer to the preferred synonym.

Variable Substitutions

Many of the strings that are settable in the config file can take substitutions. For example the option “path = /tmp/%u” is interpreted as “path = /tmp/john” if the user connected with the username john.

These substitutions are mostly noted in the descriptions below, but there are some general substitutions which apply whenever they might be relevant. These are:

%U

session username (the username that the client wanted, not necessarily the same as the one they got).

%G

primary group name of %U.

%h

the Internet hostname that Samba is running on.

%m

the NetBIOS name of the client machine (very useful).

This parameter is not available when Samba listens on port 445, as clients no longer send this information. If you use this macro in an include statement on a domain that has a Samba domain controller be sure to set in the [global] section smb ports = 139. This will cause Samba to not listen on port 445 and will permit include functionality to function as it did with Samba 2.x.

%L

the NetBIOS name of the server. This allows you to change your config based on what the client calls you. Your server can have a “dual personality”.

%M

the Internet name of the client machine.

%R

the selected protocol level after protocol negotiation. It can be one of CORE, COREPLUS, LANMAN1, LANMAN2, NT1, SMB2_02, SMB2_10, SMB2_22, SMB2_24, SMB3_00 or SMB2_FF.

%d

the process id of the current server process.

%a

The architecture of the remote machine. It currently recognizes Samba (Samba), the Linux CIFS file system (CIFSFS), OS/2, (OS2), Mac OS X (OSX), Windows for Workgroups (WfWg), Windows 9x/ME (Win95), Windows NT (WinNT), Windows 2000 (Win2K), Windows XP (WinXP), Windows XP 64-bit(WinXP64), Windows 2003 including 2003R2 (Win2K3), and Windows Vista (Vista). Anything else will be known as UNKNOWN.

%I

the IP address of the client machine.

Before 4.0.0 it could contain IPv4 mapped IPv6 addresses, now it only contains IPv4 or IPv6 addresses.

%i

the local IP address to which a client connected.

Before 4.0.0 it could contain IPv4 mapped IPv6 addresses, now it only contains IPv4 or IPv6 addresses.

%T

the current date and time.

%D

name of the domain or workgroup of the current user.

%w

the winbind separator.

%$(envvar)

the value of the environment variable envar.

The following substitutes apply only to some configuration options (only those that are used when a connection has been established):

%S

the name of the current service, if any.

%P

the root directory of the current service, if any.

%u

username of the current service, if any.

%g

primary group name of %u.

%H

the home directory of the user given by %u.

%N

the name of your NIS home directory server. This is obtained from your NIS auto.map entry. If you have not compiled Samba with the –with-automount option, this value will be the same as %L.

%p

the path of the service’s home directory, obtained from your NIS auto.map entry. The NIS auto.map entry is split up as %N:%p.

There are some quite creative things that can be done with these substitutions and other smb.conf options.

Name Mangling

Samba supports name mangling so that DOS and Windows clients can use files that don’t conform to the 8.3 format. It can also be set to adjust the case of 8.3 format filenames.

There are several options that control the way mangling is performed, and they are grouped here rather than listed separately. For the defaults look at the output of the testparm program.

These options can be set separately for each service.

The options are:

case sensitive = yes/no/auto

controls whether filenames are case sensitive. If they aren’t, Samba must do a filename search and match on passed names. The default setting of auto allows clients that support case sensitive filenames (Linux CIFSVFS and smbclient 3.0.5 and above currently) to tell the Samba server on a per-packet basis that they wish to access the file system in a case-sensitive manner (to support UNIX case sensitive semantics). No Windows or DOS system supports case-sensitive filename so setting this option to auto is that same as setting it to no for them. Default auto.

default case = upper/lower

controls what the default case is for new filenames (ie. files that don’t currently exist in the filesystem). Default lower. IMPORTANT NOTE: As part of the optimizations for directories containing large numbers of files, the following special case applies. If the options m[blue]case sensitive = yesm[], m[blue]preserve case = Nom[], and m[blue]short preserve case = Nom[] are set, then the case of all incoming client filenames, not just new filenames, will be modified. See additional notes below.

preserve case = yes/no

controls whether new files (ie. files that don’t currently exist in the filesystem) are created with the case that the client passes, or if they are forced to be the default case. Default yes.

short preserve case = yes/no

controls if new files (ie. files that don’t currently exist in the filesystem) which conform to 8.3 syntax, that is all in upper case and of suitable length, are created upper case, or if they are forced to be the default case. This option can be used with preserve case = yes to permit long filenames to retain their case, while short names are lowercased. Default yes.

By default, Samba 3.0 has the same semantics as a Windows NT server, in that it is case insensitive but case preserving. As a special case for directories with large numbers of files, if the case options are set as follows, "case sensitive = yes", "case preserve = no", "short preserve case = no" then the "default case" option will be applied and will modify all filenames sent from the client when accessing this share.

Registry-Based Configuration

Starting with Samba version 3.2.0, the capability to store Samba configuration in the registry is available. The configuration is stored in the registry key HKLM\Software\Samba\smbconf. There are two levels of registry configuration:

1. Share definitions stored in registry are used. This is triggered by setting the global parameter registry shares to “yes” in smb.conf.

The registry shares are loaded not at startup but on demand at runtime by smbd. Shares defined in smb.conf take priority over shares of the same name defined in registry.

2. Global smb.conf options stored in registry are used. This can be activated in two different ways:

Firstly, a registry only configuration is triggered by setting m[blue]config backend = registrym[] in the [global] section of smb.conf. This resets everything that has been read from config files to this point and reads the content of the global configuration section from the registry. This is the recommended method of using registry based configuration.

Secondly, a mixed configuration can be activated by a special new meaning of the parameter m[blue]include = registrym[] in the [global] section of smb.conf. This reads the global options from registry with the same priorities as for an include of a text file. This may be especially useful in cases where an initial configuration is needed to access the registry.

Activation of global registry options automatically activates registry shares. So in the registry only case, shares are loaded on demand only.

Note: To make registry-based configurations foolproof at least to a certain extent, the use of lock directory and config backend inside the registry configuration has been disabled: Especially by changing the lock directory inside the registry configuration, one would create a broken setup where the daemons do not see the configuration they loaded once it is active.

The registry configuration can be accessed with tools like regedit or net (rpc) registry in the key HKLM\Software\Samba\smbconf. More conveniently, the conf subcommand of the net(8) utility offers a dedicated interface to read and write the registry based configuration locally, i.e. directly accessing the database file, circumventing the server.

Explanation Of Each Parameter

bind interfaces only (G)

This global parameter allows the Samba admin to limit what interfaces on a machine will serve SMB requests. It affects file service smbd(8) and name service nmbd(8) in a slightly different ways.

For name service it causes nmbd to bind to ports 137 and 138 on the interfaces listed in the m[blue]interfacesm[] parameter. nmbd also binds to the "all addresses" interface (0.0.0.0) on ports 137 and 138 for the purposes of reading broadcast messages. If this option is not set then nmbd will service name requests on all of these sockets. If m[blue]bind interfaces onlym[] is set then nmbd will check the source address of any packets coming in on the broadcast sockets and discard any that don’t match the broadcast addresses of the interfaces in the m[blue]interfacesm[] parameter list. As unicast packets are received on the other sockets it allows nmbd to refuse to serve names to machines that send packets that arrive through any interfaces not listed in the m[blue]interfacesm[] list. IP Source address spoofing does defeat this simple check, however, so it must not be used seriously as a security feature for nmbd.

For file service it causes smbd(8) to bind only to the interface list given in the m[blue]interfacesm[] parameter. This restricts the networks that smbd will serve, to packets coming in on those interfaces. Note that you should not use this parameter for machines that are serving PPP or other intermittent or non-broadcast network interfaces as it will not cope with non-permanent interfaces.

If m[blue]bind interfaces onlym[] is set and the network address 127.0.0.1 is not added to the m[blue]interfacesm[] parameter list smbpasswd(8) may not work as expected due to the reasons covered below.

To change a users SMB password, the smbpasswd by default connects to the localhost – 127.0.0.1 address as an SMB client to issue the password change request. If m[blue]bind interfaces onlym[] is set then unless the network address 127.0.0.1 is added to the m[blue]interfacesm[] parameter list then smbpasswd will fail to connect in it’s default mode. smbpasswd can be forced to use the primary IP interface of the local host by using its smbpasswd(8)-r remote machine parameter, with remote machine set to the IP name of the primary interface of the local host.

Default: bind interfaces only = no

comment (S)

This is a text field that is seen next to a share when a client does a queries the server, either via the network neighborhood or via net view to list what shares are available.

If you want to set the string that is displayed next to the machine name then see the m[blue]server stringm[] parameter.

Default: comment = # No comment

Example: comment = Fred’s Files

config backend (G)

This controls the backend for storing the configuration. Possible values are file (the default) and registry. When m[blue]config backend = registrym[] is encountered while loading smb.conf, the configuration read so far is dropped and the global options are read from registry instead. So this triggers a registry only configuration. Share definitions are not read immediately but instead registry shares is set to yes.

Note: This option can not be set inside the registry configuration itself.

Default: config backend = file

Example: config backend = registry

dos charset (G)

DOS SMB clients assume the server has the same charset as they do. This option specifies which charset Samba should talk to DOS clients.

The default depends on which charsets you have installed. Samba tries to use charset 850 but falls back to ASCII in case it is not available. Run testparm(1) to check the default on your system.

No default

enable core files (G)

This parameter specifies whether core dumps should be written on internal exits. Normally set to yes. You should never need to change this.

Default: enable core files = yes

Example: enable core files = no

interfaces (G)

This option allows you to override the default network interfaces list that Samba will use for browsing, name registration and other NetBIOS over TCP/IP (NBT) traffic. By default Samba will query the kernel for the list of all active interfaces and use any interfaces except 127.0.0.1 that are broadcast capable.

The option takes a list of interface strings. Each string can be in any of the following forms:

• a network interface name (such as eth0). This may include shell-like wildcards so eth* will match any interface starting with the substring "eth"

• an IP address. In this case the netmask is determined from the list of interfaces obtained from the kernel

• an IP/mask pair.

• a broadcast/mask pair.

The "mask" parameters can either be a bit length (such as 24 for a C class network) or a full netmask in dotted decimal form.

The "IP" parameters above can either be a full dotted decimal IP address or a hostname which will be looked up via the OS’s normal hostname resolution mechanisms.

By default Samba enables all active interfaces that are broadcast capable except the loopback adaptor (IP address 127.0.0.1).

The example below configures three network interfaces corresponding to the eth0 device and IP addresses 192.168.2.10 and 192.168.3.10. The netmasks of the latter two interfaces would be set to 255.255.255.0.

Default: interfaces =

Example: interfaces = eth0 192.168.2.10/24 192.168.3.10/255.255.255.0

multicast dns register (G)

If compiled with proper support for it, Samba will announce itself with multicast DNS services like for example provided by the Avahi daemon.

This parameter allows disabling Samba to register itself.

Default: multicast dns register = yes

netbios aliases (G)

This is a list of NetBIOS names that nmbd will advertise as additional names by which the Samba server is known. This allows one machine to appear in browse lists under multiple names. If a machine is acting as a browse server or logon server none of these names will be advertised as either browse server or logon servers, only the primary name of the machine will be advertised with these capabilities.

Default: netbios aliases = # empty string (no additional names)

Example: netbios aliases = TEST TEST1 TEST2

netbios name (G)

This sets the NetBIOS name by which a Samba server is known. By default it is the same as the first component of the host’s DNS name. If a machine is a browse server or logon server this name (or the first component of the hosts DNS name) will be the name that these services are advertised under.

There is a bug in Samba-3 that breaks operation of browsing and access to shares if the netbios name is set to the literal name PIPE. To avoid this problem, do not name your Samba-3 server PIPE.

Default: netbios name = # machine DNS name

Example: netbios name = MYNAME

netbios scope (G)

This sets the NetBIOS scope that Samba will operate under. This should not be set unless every machine on your LAN also sets this value.

Default: netbios scope =

directory

This parameter is a synonym for path.

path (S)

This parameter specifies a directory to which the user of the service is to be given access. In the case of printable services, this is where print data will spool prior to being submitted to the host for printing.

For a printable service offering guest access, the service should be readonly and the path should be world-writeable and have the sticky bit set. This is not mandatory of course, but you probably won’t get the results you expect if you do otherwise.

Any occurrences of %u in the path will be replaced with the UNIX username that the client is using on this connection. Any occurrences of %m will be replaced by the NetBIOS name of the machine they are connecting from. These replacements are very useful for setting up pseudo home directories for users.

Note that this path will be based on m[blue]root dirm[] if one was specified.

Default: path =

Example: path = /home/fred

realm (G)

This option specifies the kerberos realm to use. The realm is used as the ADS equivalent of the NT4 domain. It is usually set to the DNS name of the kerberos server.

Default: realm =

Example: realm = mysambabox.mycompany.com

server services (G)

This option contains the services that the Samba daemon will run.

An entry in the smb.conf file can either override the previous value completely or entries can be removed from or added to it by prefixing them with + or –.

Default: server services = s3fs rpc nbt wrepl ldap cldap kdc drepl winbind ntp_signd kcc dnsupdate dns

Example: server services = -s3fs +smb

server string (G)

This controls what string will show up in the printer comment box in print manager and next to the IPC connection in net view. It can be any string that you wish to show to your users.

It also sets what will appear in browse lists next to the machine name.

A %v will be replaced with the Samba version number.

A %h will be replaced with the hostname.

Default: server string = Samba %v

Example: server string = University of GNUs Samba Server

share backend (G)

This option specifies the backend that will be used to access the configuration of file shares.

Traditionally, Samba file shares have been configured in the smb.conf file and this is still the default.

At the moment there are no other supported backends.

Default: share backend = classic

unix charset (G)

Specifies the charset the unix machine Samba runs on uses. Samba needs to know this in order to be able to convert text to the charsets other SMB clients use.

This is also the charset Samba will use when specifying arguments to scripts that it invokes.

Default: unix charset = UTF8

Example: unix charset = ASCII

workgroup (G)

This controls what workgroup your server will appear to be in when queried by clients. Note that this parameter also controls the Domain name used with the m[blue]security = domainm[] setting.

Default: workgroup = WORKGROUP

Example: workgroup = MYGROUP

administrative share (S)

If this parameter is set to yes for a share, then the share will be an administrative share. The Administrative Shares are the default network shares created by all Windows NT-based operating systems. These are shares like C$, D$ or ADMIN$. The type of these shares is STYPE_DISKTREE_HIDDEN.

See the section below on m[blue]securitym[] for more information about this option.

Default: administrative share = no

browsable

This parameter is a synonym for browseable.

browseable (S)

This controls whether this share is seen in the list of available shares in a net view and in the browse list.

Default: browseable = yes

browse list (G)

This controls whether smbd(8) will serve a browse list to a client doing a NetServerEnum call. Normally set to yes. You should never need to change this.

Default: browse list = yes

domain master (G)

Tell smbd(8) to enable WAN-wide browse list collation. Setting this option causes nmbd to claim a special domain specific NetBIOS name that identifies it as a domain master browser for its given m[blue]workgroupm[]. Local master browsers in the same m[blue]workgroupm[] on broadcast-isolated subnets will give this nmbd their local browse lists, and then ask smbd(8) for a complete copy of the browse list for the whole wide area network. Browser clients will then contact their local master browser, and will receive the domain-wide browse list, instead of just the list for their broadcast-isolated subnet.

Note that Windows NT Primary Domain Controllers expect to be able to claim this m[blue]workgroupm[] specific special NetBIOS name that identifies them as domain master browsers for that m[blue]workgroupm[] by default (i.e. there is no way to prevent a Windows NT PDC from attempting to do this). This means that if this parameter is set and nmbd claims the special name for a m[blue]workgroupm[] before a Windows NT PDC is able to do so then cross subnet browsing will behave strangely and may fail.

If m[blue]domain logons = yesm[], then the default behavior is to enable the m[blue]domain masterm[] parameter. If m[blue]domain logonsm[] is not enabled (the default setting), then neither will m[blue]domain masterm[] be enabled by default.

When m[blue]domain logons = Yesm[] the default setting for this parameter is Yes, with the result that Samba will be a PDC. If m[blue]domain master = Nom[], Samba will function as a BDC. In general, this parameter should be set to ‘No’ only on a BDC.

Default: domain master = auto

enhanced browsing (G)

This option enables a couple of enhancements to cross-subnet browse propagation that have been added in Samba but which are not standard in Microsoft implementations.

The first enhancement to browse propagation consists of a regular wildcard query to a Samba WINS server for all Domain Master Browsers, followed by a browse synchronization with each of the returned DMBs. The second enhancement consists of a regular randomised browse synchronization with all currently known DMBs.

You may wish to disable this option if you have a problem with empty workgroups not disappearing from browse lists. Due to the restrictions of the browse protocols, these enhancements can cause a empty workgroup to stay around forever which can be annoying.

In general you should leave this option enabled as it makes cross-subnet browse propagation much more reliable.

Default: enhanced browsing = yes

lm announce (G)

This parameter determines if nmbd(8) will produce Lanman announce broadcasts that are needed by OS/2 clients in order for them to see the Samba server in their browse list. This parameter can have three values, yes, no, or auto. The default is auto. If set to no Samba will never produce these broadcasts. If set to yes Samba will produce Lanman announce broadcasts at a frequency set by the parameter m[blue]lm intervalm[]. If set to auto Samba will not send Lanman announce broadcasts by default but will listen for them. If it hears such a broadcast on the wire it will then start sending them at a frequency set by the parameter m[blue]lm intervalm[].

Default: lm announce = auto

Example: lm announce = yes

lm interval (G)

If Samba is set to produce Lanman announce broadcasts needed by OS/2 clients (see the m[blue]lm announcem[] parameter) then this parameter defines the frequency in seconds with which they will be made. If this is set to zero then no Lanman announcements will be made despite the setting of the m[blue]lm announcem[] parameter.

Default: lm interval = 60

Example: lm interval = 120

local master (G)

This option allows nmbd(8) to try and become a local master browser on a subnet. If set to no then nmbd will not attempt to become a local master browser on a subnet and will also lose in all browsing elections. By default this value is set to yes. Setting this value to yes doesn’t mean that Samba will become the local master browser on a subnet, just that nmbd will participate in elections for local master browser.

Setting this value to no will cause nmbdnever to become a local master browser.

Default: local master = yes

os level (G)

This integer value controls what level Samba advertises itself as for browse elections. The value of this parameter determines whether nmbd(8) has a chance of becoming a local master browser for the m[blue]workgroupm[] in the local broadcast area.

Note: By default, Samba will win a local master browsing election over all Microsoft operating systems except a Windows NT 4.0/2000 Domain Controller. This means that a misconfigured Samba host can effectively isolate a subnet for browsing purposes. This parameter is largely auto-configured in the Samba-3 release series and it is seldom necessary to manually override the default setting. Please refer to the chapter on Network Browsing in the Samba-3 HOWTO document for further information regarding the use of this parameter. Note: The maximum value for this parameter is 255. If you use higher values, counting will start at 0!

Default: os level = 20

Example: os level = 65

prefered master

This parameter is a synonym for preferred master.

preferred master (G)

This boolean parameter controls if nmbd(8) is a preferred master browser for its workgroup.

If this is set to yes, on startup, nmbd will force an election, and it will have a slight advantage in winning the election. It is recommended that this parameter is used in conjunction with m[blue]domain master = yesm[], so that nmbd can guarantee becoming a domain master.

Use this option with caution, because if there are several hosts (whether Samba servers, Windows 95 or NT) that are preferred master browsers on the same subnet, they will each periodically and continuously attempt to become the local master browser. This will result in unnecessary broadcast traffic and reduced browsing capabilities.

Default: preferred master = auto

allow dns updates (G)

This option determines what kind of updates to the DNS are allowed.

DNS updates can either be disallowed completely by setting it to disabled, enabled over secure connections only by setting it to secure only or allowed in all cases by setting it to nonsecure.

Default: allow dns updates = secure only

Example: allow dns updates = disabled

dns forwarder (G)

This option specifies the DNS server that DNS requests will be forwarded to if they can not be handled by Samba itself.

The DNS forwarder is only used if the internal DNS server in Samba is used.

Default: dns forwarder =

Example: dns forwarder = 192.168.0.1

dns update command (G)

This option sets the command that is called when there are DNS updates. It should update the local machines DNS names using TSIG-GSS.

Default: dns update command = $prefix/sbin/samba_dnsupdate

Example: dns update command = /usr/local/sbin/dnsupdate

machine password timeout (G)

If a Samba server is a member of a Windows NT Domain (see the m[blue]security = domainm[] parameter) then periodically a running smbd process will try and change the MACHINE ACCOUNT PASSWORD stored in the TDB called private/secrets.tdb (or private/secrets.ntdb). This parameter specifies how often this password will be changed, in seconds. The default is one week (expressed in seconds), the same as a Windows NT Domain member server.

See also smbpasswd(8), and the m[blue]security = domainm[] parameter.

Default: machine password timeout = 604800

nsupdate command (G)

This option sets the path to the nsupdate command which is used for GSS-TSIG dynamic DNS updates.

Default: nsupdate command = $prefix/sbin/nsupdate -g

rndc command (G)

This option specifies the path to the name server control utility.

The rndc utility should be a part of the bind installation.

Default: rndc command = /usr/sbin/rndc

Example: rndc command = /usr/local/bind9/sbin/rndc

spn update command (G)

This option sets the command that for updating servicePrincipalName names from spn_update_list.

Default: spn update command = $prefix/sbin/samba_spnupdate

Example: spn update command = /usr/local/sbin/spnupdate

casesignames

This parameter is a synonym for case sensitive.

case sensitive (S)

See the discussion in the section m[blue]name manglingm[].

Default: case sensitive = auto

default case (S)

See the section on m[blue]name manglingm[]. Also note the m[blue]short preserve casem[] parameter.

Default: default case = lower

delete veto files (S)

This option is used when Samba is attempting to delete a directory that contains one or more vetoed directories (see the m[blue]veto filesm[] option). If this option is set to no (the default) then if a vetoed directory contains any non-vetoed files or directories then the directory delete will fail. This is usually what you want.

If this option is set to yes, then Samba will attempt to recursively delete any files and directories within the vetoed directory. This can be useful for integration with file serving systems such as NetAtalk which create meta-files within directories you might normally veto DOS/Windows users from seeing (e.g. .AppleDouble)

Setting m[blue]delete veto files = yesm[] allows these directories to be transparently deleted when the parent directory is deleted (so long as the user has permissions to do so).

Default: delete veto files = no

hide dot files (S)

This is a boolean parameter that controls whether files starting with a dot appear as hidden files.

Default: hide dot files = yes

hide files (S)

This is a list of files or directories that are not visible but are accessible. The DOS ‘hidden’ attribute is applied to any files or directories that match.

Each entry in the list must be separated by a ‘/’, which allows spaces to be included in the entry. ‘*’ and ‘?’ can be used to specify multiple files or directories as in DOS wildcards.

Each entry must be a Unix path, not a DOS path and must not include the Unix directory separator ‘/’.

Note that the case sensitivity option is applicable in hiding files.

Setting this parameter will affect the performance of Samba, as it will be forced to check all files and directories for a match as they are scanned.

The example shown above is based on files that the Macintosh SMB client (DAVE) available from Thursby creates for internal use, and also still hides all files beginning with a dot.

An example of us of this parameter is:

hide files = /.*/DesktopFolderDB/TrashFor%m/resource.frk/

Default: hide files = # no file are hidden

hide special files (S)

This parameter prevents clients from seeing special files such as sockets, devices and fifo’s in directory listings.

Default: hide special files = no

hide unreadable (S)

This parameter prevents clients from seeing the existance of files that cannot be read. Defaults to off.

Please note that enabling this can slow down listing large directories significantly. Samba has to evaluate the ACLs of all directory members, which can be a lot of effort.

Default: hide unreadable = no

hide unwriteable files (S)

This parameter prevents clients from seeing the existance of files that cannot be written to. Defaults to off. Note that unwriteable directories are shown as usual.

Please note that enabling this can slow down listing large directories significantly. Samba has to evaluate the ACLs of all directory members, which can be a lot of effort.

Default: hide unwriteable files = no

mangled names (S)

This controls whether non-DOS names under UNIX should be mapped to DOS-compatible names ("mangled") and made visible, or whether non-DOS names should simply be ignored.

See the section on m[blue]name manglingm[] for details on how to control the mangling process.

If mangling is used then the mangling method is as follows:

• The first (up to) five alphanumeric characters before the rightmost dot of the filename are preserved, forced to upper case, and appear as the first (up to) five characters of the mangled name.

• A tilde "~" is appended to the first part of the mangled name, followed by a two-character unique sequence, based on the original root name (i.e., the original filename minus its final extension). The final extension is included in the hash calculation only if it contains any upper case characters or is longer than three characters.

Note that the character to use may be specified using the m[blue]mangling charm[] option, if you don’t like ‘~’.

• Files whose UNIX name begins with a dot will be presented as DOS hidden files. The mangled name will be created as for other filenames, but with the leading dot removed and "___" as its extension regardless of actual original extension (that’s three underscores).

The two-digit hash value consists of upper case alphanumeric characters.

This algorithm can cause name collisions only if files in a directory share the same first five alphanumeric characters. The probability of such a clash is 1/1300.

The name mangling (if enabled) allows a file to be copied between UNIX directories from Windows/DOS while retaining the long UNIX filename. UNIX files can be renamed to a new extension from Windows/DOS and will retain the same basename. Mangled names do not change between sessions.

Default: mangled names = yes

mangle prefix (G)

controls the number of prefix characters from the original name used when generating the mangled names. A larger value will give a weaker hash and therefore more name collisions. The minimum value is 1 and the maximum value is 6.

mangle prefix is effective only when mangling method is hash2.

Default: mangle prefix = 1

Example: mangle prefix = 4

mangling char (S)

This controls what character is used as the magic character in m[blue]name manglingm[]. The default is a ‘~’ but this may interfere with some software. Use this option to set it to whatever you prefer. This is effective only when mangling method is hash.

Default: mangling char = ~

Example: mangling char = ^

mangling method (G)

controls the algorithm used for the generating the mangled names. Can take two different values, "hash" and "hash2". "hash" is the algorithm that was used in Samba for many years and was the default in Samba 2.2.x "hash2" is now the default and is newer and considered a better algorithm (generates less collisions) in the names. Many Win32 applications store the mangled names and so changing to algorithms must not be done lightly as these applications may break unless reinstalled.

Default: mangling method = hash2

Example: mangling method = hash

map archive (S)

This controls whether the DOS archive attribute should be mapped to the UNIX owner execute bit. The DOS archive bit is set when a file has been modified since its last backup. One motivation for this option is to keep Samba/your PC from making any file it touches from becoming executable under UNIX. This can be quite annoying for shared source code, documents, etc…

Note that this parameter will be ignored if the m[blue]store dos attributesm[] parameter is set, as the DOS archive attribute will then be stored inside a UNIX extended attribute.

Note that this requires the m[blue]create maskm[] parameter to be set such that owner execute bit is not masked out (i.e. it must include 100). See the parameter m[blue]create maskm[] for details.

Default: map archive = yes

map hidden (S)

This controls whether DOS style hidden files should be mapped to the UNIX world execute bit.

Note that this parameter will be ignored if the m[blue]store dos attributesm[] parameter is set, as the DOS hidden attribute will then be stored inside a UNIX extended attribute.

Note that this requires the m[blue]create maskm[] to be set such that the world execute bit is not masked out (i.e. it must include 001). See the parameter m[blue]create maskm[] for details.

No default

map readonly (S)

This controls how the DOS read only attribute should be mapped from a UNIX filesystem.

This parameter can take three different values, which tell smbd(8) how to display the read only attribute on files, where either m[blue]store dos attributesm[] is set to No, or no extended attribute is present. If m[blue]store dos attributesm[] is set to yes then this parameter is ignored. This is a new parameter introduced in Samba version 3.0.21.

The three settings are :

• Yes – The read only DOS attribute is mapped to the inverse of the user or owner write bit in the unix permission mode set. If the owner write bit is not set, the read only attribute is reported as being set on the file. If the read only DOS attribute is set, Samba sets the owner, group and others write bits to zero. Write bits set in an ACL are ignored by Samba. If the read only DOS attribute is unset, Samba simply sets the write bit of the owner to one.

• Permissions – The read only DOS attribute is mapped to the effective permissions of the connecting user, as evaluated by smbd(8) by reading the unix permissions and POSIX ACL (if present). If the connecting user does not have permission to modify the file, the read only attribute is reported as being set on the file.

• No – The read only DOS attribute is unaffected by permissions, and can only be set by the m[blue]store dos attributesm[] method. This may be useful for exporting mounted CDs.

Note that this parameter will be ignored if the m[blue]store dos attributesm[] parameter is set, as the DOS ‘read-only’ attribute will then be stored inside a UNIX extended attribute.

Default: map readonly = yes

map system (S)

This controls whether DOS style system files should be mapped to the UNIX group execute bit.

Note that this parameter will be ignored if the m[blue]store dos attributesm[] parameter is set, as the DOS system attribute will then be stored inside a UNIX extended attribute.

Note that this requires the m[blue]create maskm[] to be set such that the group execute bit is not masked out (i.e. it must include 010). See the parameter m[blue]create maskm[] for details.

Default: map system = no

max stat cache size (G)

This parameter limits the size in memory of any stat cache being used to speed up case insensitive name mappings. It represents the number of kilobyte (1024) units the stat cache can use. A value of zero, meaning unlimited, is not advisable due to increased memory usage. You should not need to change this parameter.

Default: max stat cache size = 256

Example: max stat cache size = 100

preserve case (S)

This controls if new filenames are created with the case that the client passes, or if they are forced to be the m[blue]default casem[].

See the section on NAME MANGLING for a fuller discussion.

Default: preserve case = yes

short preserve case (S)

This boolean parameter controls if new files which conform to 8.3 syntax, that is all in upper case and of suitable length, are created upper case, or if they are forced to be the m[blue]default casem[]. This option can be use with m[blue]preserve case = yesm[] to permit long filenames to retain their case, while short names are lowered.

See the section on NAME MANGLING.

Default: short preserve case = yes

stat cache (G)

This parameter determines if smbd(8) will use a cache in order to speed up case insensitive name mappings. You should never need to change this parameter.

Default: stat cache = yes

store dos attributes (S)

If this parameter is set Samba attempts to first read DOS attributes (SYSTEM, HIDDEN, ARCHIVE or READ-ONLY) from a filesystem extended attribute, before mapping DOS attributes to UNIX permission bits (such as occurs with m[blue]map hiddenm[] and m[blue]map readonlym[]). When set, DOS attributes will be stored onto an extended attribute in the UNIX filesystem, associated with the file or directory. When this parameter is set it will override the parameters m[blue]map hiddenm[], m[blue]map systemm[], m[blue]map archivem[] and m[blue]map readonlym[] and they will behave as if they were set to off. This parameter writes the DOS attributes as a string into the extended attribute named "user.DOSATTRIB". This extended attribute is explicitly hidden from smbd clients requesting an EA list. On Linux the filesystem must have been mounted with the mount option user_xattr in order for extended attributes to work, also extended attributes must be compiled into the Linux kernel. In Samba 3.5.0 and above the "user.DOSATTRIB" extended attribute has been extended to store the create time for a file as well as the DOS attributes. This is done in a backwards compatible way so files created by Samba 3.5.0 and above can still have the DOS attribute read from this extended attribute by earlier versions of Samba, but they will not be able to read the create time stored there. Storing the create time separately from the normal filesystem meta-data allows Samba to faithfully reproduce NTFS semantics on top of a POSIX filesystem.

Default: store dos attributes = no

veto files (S)

This is a list of files and directories that are neither visible nor accessible. Each entry in the list must be separated by a ‘/’, which allows spaces to be included in the entry. ‘*’ and ‘?’ can be used to specify multiple files or directories as in DOS wildcards.

Each entry must be a unix path, not a DOS path and must not include the unix directory separator ‘/’.

Note that the m[blue]case sensitivem[] option is applicable in vetoing files.

One feature of the veto files parameter that it is important to be aware of is Samba’s behaviour when trying to delete a directory. If a directory that is to be deleted contains nothing but veto files this deletion will fail unless you also set the m[blue]delete veto filesm[] parameter to yes.

Setting this parameter will affect the performance of Samba, as it will be forced to check all files and directories for a match as they are scanned.

Examples of use include:

; Veto any files containing the word Security,
; any ending in .tmp, and any directory containing the
; word root.
veto files = /*Security*/*.tmp/*root*/
; Veto the Apple specific files that a NetAtalk server
; creates.
veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/

Default: veto files = No files or directories are vetoed.

veto oplock files (S)

This parameter is only valid when the m[blue]oplocksm[] parameter is turned on for a share. It allows the Samba administrator to selectively turn off the granting of oplocks on selected files that match a wildcarded list, similar to the wildcarded list used in the m[blue]veto filesm[] parameter.

You might want to do this on files that you know will be heavily contended for by clients. A good example of this is in the NetBench SMB benchmark program, which causes heavy client contention for files ending in .SEM. To cause Samba not to grant oplocks on these files you would use the line (either in the [global] section or in the section for the particular NetBench share.

An example of use is:

veto oplock files = /.*SEM/

Default: veto oplock files = # No files are vetoed for oplock grants

client ldap sasl wrapping (G)

The m[blue]client ldap sasl wrappingm[] defines whether ldap traffic will be signed or signed and encrypted (sealed). Possible values are plain, sign and seal.

The values sign and seal are only available if Samba has been compiled against a modern OpenLDAP version (2.3.x or higher).

This option is needed in the case of Domain Controllers enforcing the usage of signed LDAP connections (e.g. Windows 2000 SP3 or higher). LDAP sign and seal can be controlled with the registry key "HKLM\System\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity" on the Windows server side.

Depending on the used KRB5 library (MIT and older Heimdal versions) it is possible that the message "integrity only" is not supported. In this case, sign is just an alias for seal.

The default value is plain which is not irritable to KRB5 clock skew errors. That implies synchronizing the time with the KDC in the case of using sign or seal.

Default: client ldap sasl wrapping = plain

ldap admin dn (G)

The m[blue]ldap admin dnm[] defines the Distinguished Name (DN) name used by Samba to contact the ldap server when retreiving user account information. The m[blue]ldap admin dnm[] is used in conjunction with the admin dn password stored in the private/secrets.tdb (or private/secrets.ntdb) file. See the smbpasswd(8) man page for more information on how to accomplish this.

The m[blue]ldap admin dnm[] requires a fully specified DN. The m[blue]ldap suffixm[] is not appended to the m[blue]ldap admin dnm[].

No default

ldap connection timeout (G)

This parameter tells the LDAP library calls which timeout in seconds they should honor during initial connection establishments to LDAP servers. It is very useful in failover scenarios in particular. If one or more LDAP servers are not reachable at all, we do not have to wait until TCP timeouts are over. This feature must be supported by your LDAP library.

This parameter is different from m[blue]ldap timeoutm[] which affects operations on LDAP servers using an existing connection and not establishing an initial connection.

Default: ldap connection timeout = 2

ldap delete dn (G)

This parameter specifies whether a delete operation in the ldapsam deletes the complete entry or only the attributes specific to Samba.

Default: ldap delete dn = no

ldap deref (G)

This option controls whether Samba should tell the LDAP library to use a certain alias dereferencing method. The default is auto, which means that the default setting of the ldap client library will be kept. Other possible values are never, finding, searching and always. Grab your LDAP manual for more information.

Default: ldap deref = auto

Example: ldap deref = searching

ldap follow referral (G)

This option controls whether to follow LDAP referrals or not when searching for entries in the LDAP database. Possible values are on to enable following referrals, off to disable this, and auto, to use the libldap default settings. libldap’s choice of following referrals or not is set in /etc/openldap/ldap.conf with the REFERRALS parameter as documented in ldap.conf(5).

Default: ldap follow referral = auto

Example: ldap follow referral = off

ldap group suffix (G)

This parameter specifies the suffix that is used for groups when these are added to the LDAP directory. If this parameter is unset, the value of m[blue]ldap suffixm[] will be used instead. The suffix string is pre-pended to the m[blue]ldap suffixm[] string so use a partial DN.

Default: ldap group suffix =

Example: ldap group suffix = ou=Groups

ldap idmap suffix (G)

This parameters specifies the suffix that is used when storing idmap mappings. If this parameter is unset, the value of m[blue]ldap suffixm[] will be used instead. The suffix string is pre-pended to the m[blue]ldap suffixm[] string so use a partial DN.

Default: ldap idmap suffix =

Example: ldap idmap suffix = ou=Idmap

ldap machine suffix (G)

It specifies where machines should be added to the ldap tree. If this parameter is unset, the value of m[blue]ldap suffixm[] will be used instead. The suffix string is pre-pended to the m[blue]ldap suffixm[] string so use a partial DN.

Default: ldap machine suffix =

Example: ldap machine suffix = ou=Computers

ldap page size (G)

This parameter specifies the number of entries per page.

If the LDAP server supports paged results, clients can request subsets of search results (pages) instead of the entire list. This parameter specifies the size of these pages.

Default: ldap page size = 1024

Example: ldap page size = 512

ldap password sync

This parameter is a synonym for ldap passwd sync.

ldap passwd sync (G)

This option is used to define whether or not Samba should sync the LDAP password with the NT and LM hashes for normal accounts (NOT for workstation, server or domain trusts) on a password change via SAMBA.

The m[blue]ldap passwd syncm[] can be set to one of three values:

• Yes = Try to update the LDAP, NT and LM passwords and update the pwdLastSet time.

• No = Update NT and LM passwords and update the pwdLastSet time.

• Only = Only update the LDAP password and let the LDAP server do the rest.

Default: ldap passwd sync = no

ldap replication sleep (G)

When Samba is asked to write to a read-only LDAP replica, we are redirected to talk to the read-write master server. This server then replicates our changes back to the ‘local’ server, however the replication might take some seconds, especially over slow links. Certain client activities, particularly domain joins, can become confused by the ‘success’ that does not immediately change the LDAP back-end’s data.

This option simply causes Samba to wait a short time, to allow the LDAP server to catch up. If you have a particularly high-latency network, you may wish to time the LDAP replication with a network sniffer, and increase this value accordingly. Be aware that no checking is performed that the data has actually replicated.

The value is specified in milliseconds, the maximum value is 5000 (5 seconds).

Default: ldap replication sleep = 1000

ldapsam:editposix (G)

Editposix is an option that leverages ldapsam:trusted to make it simpler to manage a domain controller eliminating the need to set up custom scripts to add and manage the posix users and groups. This option will instead directly manipulate the ldap tree to create, remove and modify user and group entries. This option also requires a running winbindd as it is used to allocate new uids/gids on user/group creation. The allocation range must be therefore configured.

To use this option, a basic ldap tree must be provided and the ldap suffix parameters must be properly configured. On virgin servers the default users and groups (Administrator, Guest, Domain Users, Domain Admins, Domain Guests) can be precreated with the command net sam provision. To run this command the ldap server must be running, Winbindd must be running and the smb.conf ldap options must be properly configured. The typical ldap setup used with the m[blue]ldapsam:trusted = yesm[] option is usually sufficient to use m[blue]ldapsam:editposix = yesm[] as well.

An example configuration can be the following:

 encrypt passwords = true
 passdb backend = ldapsam
 ldapsam:trusted=yes
 ldapsam:editposix=yes
 ldap admin dn = cn=admin,dc=samba,dc=org
 ldap delete dn = yes
 ldap group suffix = ou=groups
 ldap idmap suffix = ou=idmap
 ldap machine suffix = ou=computers
 ldap user suffix = ou=users
 ldap suffix = dc=samba,dc=org
 idmap backend = ldap:"ldap://localhost"
 idmap uid = 5000-50000
 idmap gid = 5000-50000

This configuration assumes a directory layout like described in the following ldif:

 dn: dc=samba,dc=org
 objectClass: top
 objectClass: dcObject
 objectClass: organization
 o: samba.org
 dc: samba
 dn: cn=admin,dc=samba,dc=org
 objectClass: simpleSecurityObject
 objectClass: organizationalRole
 cn: admin
 description: LDAP administrator
 userPassword: secret
 dn: ou=users,dc=samba,dc=org
 objectClass: top
 objectClass: organizationalUnit
 ou: users
 dn: ou=groups,dc=samba,dc=org
 objectClass: top
 objectClass: organizationalUnit
 ou: groups
 dn: ou=idmap,dc=samba,dc=org
 objectClass: top
 objectClass: organizationalUnit
 ou: idmap
 dn: ou=computers,dc=samba,dc=org
 objectClass: top
 objectClass: organizationalUnit
 ou: computers

Default: ldapsam:editposix = no

ldapsam:trusted (G)

By default, Samba as a Domain Controller with an LDAP backend needs to use the Unix-style NSS subsystem to access user and group information. Due to the way Unix stores user information in /etc/passwd and /etc/group this inevitably leads to inefficiencies. One important question a user needs to know is the list of groups he is member of. The plain UNIX model involves a complete enumeration of the file /etc/group and its NSS counterparts in LDAP. UNIX has optimized functions to enumerate group membership. Sadly, other functions that are used to deal with user and group attributes lack such optimization.

To make Samba scale well in large environments, the m[blue]ldapsam:trusted = yesm[] option assumes that the complete user and group database that is relevant to Samba is stored in LDAP with the standard posixAccount/posixGroup attributes. It further assumes that the Samba auxiliary object classes are stored together with the POSIX data in the same LDAP object. If these assumptions are met, m[blue]ldapsam:trusted = yesm[] can be activated and Samba can bypass the NSS system to query user group memberships. Optimized LDAP queries can greatly speed up domain logon and administration tasks. Depending on the size of the LDAP database a factor of 100 or more for common queries is easily achieved.

Default: ldapsam:trusted = no

ldap ssl (G)

This option is used to define whether or not Samba should use SSL when connecting to the ldap server This is NOT related to Samba’s previous SSL support which was enabled by specifying the –with-ssl option to the configure script.

LDAP connections should be secured where possible. This may be done setting either this parameter to Start_tlsor by specifying ldaps:// in the URL argument of m[blue]passdb backendm[].

The m[blue]ldap sslm[] can be set to one of two values:

• Off = Never use SSL when querying the directory.

• start tls = Use the LDAPv3 StartTLS extended operation (RFC2830) for communicating with the directory server.

Please note that this parameter does only affect rpc methods. To enable the LDAPv3 StartTLS extended operation (RFC2830) for ads, set m[blue]ldap ssl = yesm[]andm[blue]ldap ssl ads = yesm[]. See smb.conf(5) for more information on m[blue]ldap ssl adsm[].

Default: ldap ssl = start tls

ldap ssl ads (G)

This option is used to define whether or not Samba should use SSL when connecting to the ldap server using ads methods. Rpc methods are not affected by this parameter. Please note, that this parameter won’t have any effect if m[blue]ldap sslm[] is set to no.

See smb.conf(5) for more information on m[blue]ldap sslm[].

Default: ldap ssl ads = no

ldap suffix (G)

Specifies the base for all ldap suffixes and for storing the sambaDomain object.

The ldap suffix will be appended to the values specified for the m[blue]ldap user suffixm[], m[blue]ldap group suffixm[], m[blue]ldap machine suffixm[], and the m[blue]ldap idmap suffixm[]. Each of these should be given only a DN relative to the m[blue]ldap suffixm[].

Default: ldap suffix =

Example: ldap suffix = dc=samba,dc=org

ldap timeout (G)

This parameter defines the number of seconds that Samba should use as timeout for LDAP operations.

Default: ldap timeout = 15

ldap user suffix (G)

This parameter specifies where users are added to the tree. If this parameter is unset, the value of m[blue]ldap suffixm[] will be used instead. The suffix string is pre-pended to the m[blue]ldap suffixm[] string so use a partial DN.

Default: ldap user suffix =

Example: ldap user suffix = ou=people

blocking locks (S)

This parameter controls the behavior of smbd(8) when given a request by a client to obtain a byte range lock on a region of an open file, and the request has a time limit associated with it.

If this parameter is set and the lock range requested cannot be immediately satisfied, samba will internally queue the lock request, and periodically attempt to obtain the lock until the timeout period expires.

If this parameter is set to no, then samba will behave as previous versions of Samba would and will fail the lock request immediately if the lock range cannot be obtained.

Default: blocking locks = yes

csc policy (S)

This stands for client-side caching policy, and specifies how clients capable of offline caching will cache the files in the share. The valid values are: manual, documents, programs, disable.

These values correspond to those used on Windows servers.

For example, shares containing roaming profiles can have offline caching disabled using m[blue]csc policy = disablem[].

Default: csc policy = manual

Example: csc policy = programs

fake oplocks (S)

Oplocks are the way that SMB clients get permission from a server to locally cache file operations. If a server grants an oplock (opportunistic lock) then the client is free to assume that it is the only one accessing the file and it will aggressively cache file data. With some oplock types the client may even cache file open/close operations. This can give enormous performance benefits.

When you set fake oplocks = yes, smbd(8) will always grant oplock requests no matter how many clients are using the file.

It is generally much better to use the real m[blue]oplocksm[] support rather than this parameter.

If you enable this option on all read-only shares or shares that you know will only be accessed from one client at a time such as physically read-only media like CDROMs, you will see a big performance improvement on many operations. If you enable this option on shares where multiple clients may be accessing the files read-write at the same time you can get data corruption. Use this option carefully!

Default: fake oplocks = no

kernel oplocks (S)

For UNIXes that support kernel based m[blue]oplocksm[] (currently only IRIX and the Linux 2.4 kernel), this parameter allows the use of them to be turned on or off. However, this disables Level II oplocks for clients as the Linux and IRIX kernels do not support them properly.

Kernel oplocks support allows Samba oplocks to be broken whenever a local UNIX process or NFS operation accesses a file that smbd(8) has oplocked. This allows complete data consistency between SMB/CIFS, NFS and local file access (and is a very cool feature :-).

If you do not need this interaction, you should disable the parameter on Linux and IRIX to get Level II oplocks and the associated performance benefit.

This parameter defaults to no and is translated to a no-op on systems that do not have the necessary kernel support.

Default: kernel oplocks = no

kernel share modes (S)

This parameter controls whether SMB share modes are translated into UNIX flocks.

Kernel share modes provide a minimal level of interoperability with local UNIX processes and NFS operations by preventing access with flocks corresponding to the SMB share modes. Generally, it is very desirable to leave this enabled.

Note that in order to use SMB2 durable file handles on a share, you have to turn kernel share modes off.

This parameter defaults to yes and is translated to a no-op on systems that do not have the necessary kernel flock support.

Default: kernel share modes = yes

level2 oplocks (S)

This parameter controls whether Samba supports level2 (read-only) oplocks on a share.

Level2, or read-only oplocks allow Windows NT clients that have an oplock on a file to downgrade from a read-write oplock to a read-only oplock once a second client opens the file (instead of releasing all oplocks on a second open, as in traditional, exclusive oplocks). This allows all openers of the file that support level2 oplocks to cache the file for read-ahead only (ie. they may not cache writes or lock requests) and increases performance for many accesses of files that are not commonly written (such as application .EXE files).

Once one of the clients which have a read-only oplock writes to the file all clients are notified (no reply is needed or waited for) and told to break their oplocks to "none" and delete any read-ahead caches.

It is recommended that this parameter be turned on to speed access to shared executables.

For more discussions on level2 oplocks see the CIFS spec.

Currently, if m[blue]kernel oplocksm[] are supported then level2 oplocks are not granted (even if this parameter is set to yes). Note also, the m[blue]oplocksm[] parameter must be set to yes on this share in order for this parameter to have any effect.

Default: level2 oplocks = yes

locking (S)

This controls whether or not locking will be performed by the server in response to lock requests from the client.

If locking = no, all lock and unlock requests will appear to succeed and all lock queries will report that the file in question is available for locking.

If locking = yes, real locking will be performed by the server.

This option may be useful for read-only filesystems which may not need locking (such as CDROM drives), although setting this parameter of no is not really recommended even in this case.

Be careful about disabling locking either globally or in a specific service, as lack of locking may result in data corruption. You should never need to set this parameter.

No default

lock spin time (G)

The time in milliseconds that smbd should keep waiting to see if a failed lock request can be granted. This parameter has changed in default value from Samba 3.0.23 from 10 to 200. The associated m[blue]lock spin countm[] parameter is no longer used in Samba 3.0.24. You should not need to change the value of this parameter.

Default: lock spin time = 200

oplock break wait time (G)

This is a tuning parameter added due to bugs in both Windows 9x and WinNT. If Samba responds to a client too quickly when that client issues an SMB that can cause an oplock break request, then the network client can fail and not respond to the break request. This tuning parameter (which is set in milliseconds) is the amount of time Samba will wait before sending an oplock break request to such (broken) clients.

Warning
DO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ AND UNDERSTOOD THE SAMBA OPLOCK CODE.

Default: oplock break wait time = 0

oplock contention limit (S)

This is a very advanced smbd(8) tuning option to improve the efficiency of the granting of oplocks under multiple client contention for the same file.

In brief it specifies a number, which causes smbd(8)not to grant an oplock even when requested if the approximate number of clients contending for an oplock on the same file goes over this limit. This causes smbd to behave in a similar way to Windows NT.

Warning
DO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ AND UNDERSTOOD THE SAMBA OPLOCK CODE.

Default: oplock contention limit = 2

oplocks (S)

This boolean option tells smbd whether to issue oplocks (opportunistic locks) to file open requests on this share. The oplock code can dramatically (approx. 30% or more) improve the speed of access to files on Samba servers. It allows the clients to aggressively cache files locally and you may want to disable this option for unreliable network environments (it is turned on by default in Windows NT Servers).

Oplocks may be selectively turned off on certain files with a share. See the m[blue]veto oplock filesm[] parameter. On some systems oplocks are recognized by the underlying operating system. This allows data synchronization between all access to oplocked files, whether it be via Samba or NFS or a local UNIX process. See the m[blue]kernel oplocksm[] parameter for details.

Default: oplocks = yes

posix locking (S)

The smbd(8) daemon maintains an database of file locks obtained by SMB clients. The default behavior is to map this internal database to POSIX locks. This means that file locks obtained by SMB clients are consistent with those seen by POSIX compliant applications accessing the files via a non-SMB method (e.g. NFS or local file access). It is very unlikely that you need to set this parameter to "no", unless you are sharing from an NFS mount, which is not a good idea in the first place.

Default: posix locking = yes

strict locking (S)

This is an enumerated type that controls the handling of file locking in the server. When this is set to yes, the server will check every read and write access for file locks, and deny access if locks exist. This can be slow on some systems.

When strict locking is set to Auto (the default), the server performs file lock checks only on non-oplocked files. As most Windows redirectors perform file locking checks locally on oplocked files this is a good trade off for improved performance.

When strict locking is disabled, the server performs file lock checks only when the client explicitly asks for them.

Well-behaved clients always ask for lock checks when it is important. So in the vast majority of cases, strict locking = Auto or strict locking = no is acceptable.

Default: strict locking = Auto

debug class (G)

With this boolean parameter enabled, the debug class (DBGC_CLASS) will be displayed in the debug header.

For more information about currently available debug classes, see section about m[blue]log levelm[].

Default: debug class = no

debug hires timestamp (G)

Sometimes the timestamps in the log messages are needed with a resolution of higher that seconds, this boolean parameter adds microsecond resolution to the timestamp message header when turned on.

Note that the parameter m[blue]debug timestampm[] must be on for this to have an effect.

Default: debug hires timestamp = yes

debug pid (G)

When using only one log file for more then one forked smbd(8)-process there may be hard to follow which process outputs which message. This boolean parameter is adds the process-id to the timestamp message headers in the logfile when turned on.

Note that the parameter m[blue]debug timestampm[] must be on for this to have an effect.

Default: debug pid = no

debug prefix timestamp (G)

With this option enabled, the timestamp message header is prefixed to the debug message without the filename and function information that is included with the m[blue]debug timestampm[] parameter. This gives timestamps to the messages without adding an additional line.

Note that this parameter overrides the m[blue]debug timestampm[] parameter.

Default: debug prefix timestamp = no

timestamp logs

This parameter is a synonym for debug timestamp.

debug timestamp (G)

Samba debug log messages are timestamped by default. If you are running at a high m[blue]debug levelm[] these timestamps can be distracting. This boolean parameter allows timestamping to be turned off.

Default: debug timestamp = yes

debug uid (G)

Samba is sometimes run as root and sometime run as the connected user, this boolean parameter inserts the current euid, egid, uid and gid to the timestamp message headers in the log file if turned on.

Note that the parameter m[blue]debug timestampm[] must be on for this to have an effect.

Default: debug uid = no

ldap debug level (G)

This parameter controls the debug level of the LDAP library calls. In the case of OpenLDAP, it is the same bit-field as understood by the server and documented in the slapd.conf(5) manpage. A typical useful value will be 1 for tracing function calls.

The debug output from the LDAP libraries appears with the prefix [LDAP] in Samba’s logging output. The level at which LDAP logging is printed is controlled by the parameter ldap debug threshold.

Default: ldap debug level = 0

Example: ldap debug level = 1

ldap debug threshold (G)

This parameter controls the Samba debug level at which the ldap library debug output is printed in the Samba logs. See the description of ldap debug level for details.

Default: ldap debug threshold = 10

Example: ldap debug threshold = 5

log file (G)

This option allows you to override the name of the Samba log file (also known as the debug file).

This option takes the standard substitutions, allowing you to have separate log files for each user or machine.

No default

Example: log file = /usr/local/samba/var/log.%m

debuglevel

This parameter is a synonym for log level.

log level (G)

The value of the parameter (a astring) allows the debug level (logging level) to be specified in the smb.conf file.

This parameter has been extended since the 2.2.x series, now it allows to specify the debug level for multiple debug classes. This is to give greater flexibility in the configuration of the system. The following debug classes are currently implemented:

• all

• tdb

• printdrivers

• lanman

• smb

• rpc_parse

• rpc_srv

• rpc_cli

• passdb

• sam

• auth

• winbind

• vfs

• idmap

• quota

• acls

• locking

• msdfs

• dmapi

• registry

Default: log level = 0

Example: log level = 3 passdb:5 auth:10 winbind:2

max log size (G)

This option (an integer in kilobytes) specifies the max size the log file should grow to. Samba periodically checks the size and if it is exceeded it will rename the file, adding a .old extension.

A size of 0 means no limit.

Default: max log size = 5000

Example: max log size = 1000

syslog (G)

This parameter maps how Samba debug messages are logged onto the system syslog logging levels. Samba debug level zero maps onto syslog LOG_ERR, debug level one maps onto LOG_WARNING, debug level two maps onto LOG_NOTICE, debug level three maps onto LOG_INFO. All higher levels are mapped to LOG_DEBUG.

This parameter sets the threshold for sending messages to syslog. Only messages with debug level less than this value will be sent to syslog. There still will be some logging to log.[sn]mbd even if syslog only is enabled.

Default: syslog = 1

syslog only (G)

If this parameter is set then Samba debug messages are logged into the system syslog only, and not to the debug log files. There still will be some logging to log.[sn]mbd even if syslog only is enabled.

Default: syslog only = no

abort shutdown script (G)

This a full path name to a script called by smbd(8) that should stop a shutdown procedure issued by the m[blue]shutdown scriptm[].

If the connected user possesses the SeRemoteShutdownPrivilege, right, this command will be run as root.

Default: abort shutdown script = ""

Example: abort shutdown script = /sbin/shutdown -c

add group script (G)

This is the full pathname to a script that will be run AS ROOT by smbd(8) when a new group is requested. It will expand any %g to the group name passed. This script is only useful for installations using the Windows NT domain administration tools. The script is free to create a group with an arbitrary name to circumvent unix group name restrictions. In that case the script must print the numeric gid of the created group on stdout.

Default: add group script =

Example: add group script = /usr/sbin/groupadd %g

add machine script (G)

This is the full pathname to a script that will be run by smbd(8) when a machine is added to Samba’s domain and a Unix account matching the machine’s name appended with a "$" does not already exist.

This option is very similar to the m[blue]add user scriptm[], and likewise uses the %u substitution for the account name. Do not use the %m substitution.

Default: add machine script =

Example: add machine script = /usr/sbin/adduser -n -g machines -c Machine -d /var/lib/nobody -s /bin/false %u

add user script (G)

This is the full pathname to a script that will be run AS ROOT by smbd(8) under special circumstances described below.

Normally, a Samba server requires that UNIX users are created for all users accessing files on this server. For sites that use Windows NT account databases as their primary user database creating these users and keeping the user list in sync with the Windows NT PDC is an onerous task. This option allows smbd to create the required UNIX users ON DEMAND when a user accesses the Samba server.

When the Windows user attempts to access the Samba server, at login (session setup in the SMB protocol) time, smbd(8) contacts the m[blue]password serverm[] and attempts to authenticate the given user with the given password. If the authentication succeeds then smbd attempts to find a UNIX user in the UNIX password database to map the Windows user into. If this lookup fails, and m[blue]add user scriptm[] is set then smbd will call the specified script AS ROOT, expanding any %u argument to be the user name to create.

If this script successfully creates the user then smbd will continue on as though the UNIX user already existed. In this way, UNIX users are dynamically created to match existing Windows NT accounts.

See also m[blue]securitym[], m[blue]password serverm[], m[blue]delete user scriptm[].

Default: add user script =

Example: add user script = /usr/local/samba/bin/add_user %u

add user to group script (G)

Full path to the script that will be called when a user is added to a group using the Windows NT domain administration tools. It will be run by smbd(8)AS ROOT. Any %g will be replaced with the group name and any %u will be replaced with the user name.

Note that the adduser command used in the example below does not support the used syntax on all systems.

Default: add user to group script =

Example: add user to group script = /usr/sbin/adduser %u %g

delete group script (G)

This is the full pathname to a script that will be run AS ROOTsmbd(8) when a group is requested to be deleted. It will expand any %g to the group name passed. This script is only useful for installations using the Windows NT domain administration tools.

Default: delete group script =

delete user from group script (G)

Full path to the script that will be called when a user is removed from a group using the Windows NT domain administration tools. It will be run by smbd(8)AS ROOT. Any %g will be replaced with the group name and any %u will be replaced with the user name.

Default: delete user from group script =

Example: delete user from group script = /usr/sbin/deluser %u %g

delete user script (G)

This is the full pathname to a script that will be run by smbd(8) when managing users with remote RPC (NT) tools.

This script is called when a remote client removes a user from the server, normally using ‘User Manager for Domains’ or rpcclient.

This script should delete the given UNIX username.

Default: delete user script =

Example: delete user script = /usr/local/samba/bin/del_user %u

domain logons (G)

If set to yes, the Samba server will provide the netlogon service for Windows 9X network logons for the m[blue]workgroupm[] it is in. This will also cause the Samba server to act as a domain controller for NT4 style domain services. For more details on setting up this feature see the Domain Control chapter of the Samba HOWTO Collection.

Default: domain logons = no

enable privileges (G)

This deprecated parameter controls whether or not smbd will honor privileges assigned to specific SIDs via either net rpc rights or one of the Windows user and group manager tools. This parameter is enabled by default. It can be disabled to prevent members of the Domain Admins group from being able to assign privileges to users or groups which can then result in certain smbd operations running as root that would normally run under the context of the connected user.

An example of how privileges can be used is to assign the right to join clients to a Samba controlled domain without providing root access to the server via smbd.

Please read the extended description provided in the Samba HOWTO documentation.

Default: enable privileges = yes

init logon delay (G)

This parameter specifies a delay in milliseconds for the hosts configured for delayed initial samlogon with m[blue]init logon delayed hostsm[].

Default: init logon delay = 100

init logon delayed hosts (G)

This parameter takes a list of host names, addresses or networks for which the initial samlogon reply should be delayed (so other DCs get preferred by XP workstations if there are any).

The length of the delay can be specified with the m[blue]init logon delaym[] parameter.

Default: init logon delayed hosts =

Example: init logon delayed hosts = 150.203.5. myhost.mynet.de

logon drive (G)

This parameter specifies the local path to which the home directory will be connected (see m[blue]logon homem[]) and is only used by NT Workstations.

Note that this option is only useful if Samba is set up as a logon server.

Default: logon drive =

Example: logon drive = h:

logon home (G)

This parameter specifies the home directory location when a Win95/98 or NT Workstation logs into a Samba PDC. It allows you to do

C:\>NET USE H: /HOME

from a command prompt, for example.

This option takes the standard substitutions, allowing you to have separate logon scripts for each user or machine.

This parameter can be used with Win9X workstations to ensure that roaming profiles are stored in a subdirectory of the user’s home directory. This is done in the following way:

logon home = \%N\%U\profile

This tells Samba to return the above string, with substitutions made when a client requests the info, generally in a NetUserGetInfo request. Win9X clients truncate the info to \server\share when a user does net use /home but use the whole string when dealing with profiles.

Note that in prior versions of Samba, the m[blue]logon pathm[] was returned rather than logon home. This broke net use /home but allowed profiles outside the home directory. The current implementation is correct, and can be used for profiles if you use the above trick.

Disable this feature by setting m[blue]logon home = ""m[] – using the empty string.

This option is only useful if Samba is set up as a logon server.

Default: logon home = \%N\%U

Example: logon home = \remote_smb_server\%U

logon path (G)

This parameter specifies the directory where roaming profiles (Desktop, NTuser.dat, etc) are stored. Contrary to previous versions of these manual pages, it has nothing to do with Win 9X roaming profiles. To find out how to handle roaming profiles for Win 9X system, see the m[blue]logon homem[] parameter.

This option takes the standard substitutions, allowing you to have separate logon scripts for each user or machine. It also specifies the directory from which the "Application Data", desktop, start menu, network neighborhood, programs and other folders, and their contents, are loaded and displayed on your Windows NT client.

The share and the path must be readable by the user for the preferences and directories to be loaded onto the Windows NT client. The share must be writeable when the user logs in for the first time, in order that the Windows NT client can create the NTuser.dat and other directories. Thereafter, the directories and any of the contents can, if required, be made read-only. It is not advisable that the NTuser.dat file be made read-only – rename it to NTuser.man to achieve the desired effect (a MANdatory profile).

Windows clients can sometimes maintain a connection to the [homes] share, even though there is no user logged in. Therefore, it is vital that the logon path does not include a reference to the homes share (i.e. setting this parameter to \%N\homes\profile_path will cause problems).

This option takes the standard substitutions, allowing you to have separate logon scripts for each user or machine.

Warning
Do not quote the value. Setting this as “\%N\profile\%U” will break profile handling. Where the tdbsam or ldapsam passdb backend is used, at the time the user account is created the value configured for this parameter is written to the passdb backend and that value will over-ride the parameter value present in the smb.conf file. Any error present in the passdb backend account record must be editted using the appropriate tool (pdbedit on the command-line, or any other locally provided system tool).

Note that this option is only useful if Samba is set up as a domain controller.

Disable the use of roaming profiles by setting the value of this parameter to the empty string. For example, m[blue]logon path = ""m[]. Take note that even if the default setting in the smb.conf file is the empty string, any value specified in the user account settings in the passdb backend will over-ride the effect of setting this parameter to null. Disabling of all roaming profile use requires that the user account settings must also be blank.

An example of use is:

logon path = \PROFILESERVER\PROFILE\%U

Default: logon path = \%N\%U\profile

logon script (G)

This parameter specifies the batch file (.bat) or NT command file (.cmd) to be downloaded and run on a machine when a user successfully logs in. The file must contain the DOS style CR/LF line endings. Using a DOS-style editor to create the file is recommended.

The script must be a relative path to the [netlogon] service. If the [netlogon] service specifies a m[blue]pathm[] of /usr/local/samba/netlogon, and m[blue]logon script = STARTUP.BATm[], then the file that will be downloaded is:

 /usr/local/samba/netlogon/STARTUP.BAT

The contents of the batch file are entirely your choice. A suggested command would be to add NET TIME \SERVER /SET /YES, to force every machine to synchronize clocks with the same time server. Another use would be to add NET USE U: \SERVER