diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20rc2/docs/htmldocs/manpages/editreg.1.html samba-3.0.20/docs/htmldocs/manpages/editreg.1.html --- samba-3.0.20rc2/docs/htmldocs/manpages/editreg.1.html 2005-08-07 11:16:33.000000000 -0500 +++ samba-3.0.20/docs/htmldocs/manpages/editreg.1.html 1969-12-31 18:00:00.000000000 -0600 @@ -1,12 +0,0 @@ -editreg

Name

editreg — A utility for printing and editing NT4 registry files -

Synopsis

editreg [-v] [-c file] {file}

DESCRIPTION

This tool is part of the samba(7) suite.

editreg is a utility that - can visualize windows registry files (currently only NT4) and apply - so-called commandfiles to them. -

OPTIONS

registry_file: Registry file to view or edit.
-v,--verbose: Increases verbosity of messages. -
-c commandfile: Read commands to execute on registry_file from commandfile. Currently not yet supported! -
-h|--help: Print a summary of command line options. -

VERSION

This man page is correct for version 3.0 of the Samba - suite.

AUTHOR

The original Samba software and related utilities - were created by Andrew Tridgell. Samba is now developed - by the Samba Team as an Open Source project similar - to the way the Linux kernel is developed.

The editreg man page was written by Jelmer Vernooij.

diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20rc2/docs/htmldocs/manpages/findsmb.1.html samba-3.0.20/docs/htmldocs/manpages/findsmb.1.html --- samba-3.0.20rc2/docs/htmldocs/manpages/findsmb.1.html 2005-08-07 11:16:37.000000000 -0500 +++ samba-3.0.20/docs/htmldocs/manpages/findsmb.1.html 1969-12-31 18:00:00.000000000 -0600 @@ -1,62 +0,0 @@ -findsmb

Name

findsmb — list info about machines that respond to SMB - name queries on a subnet

Synopsis

findsmb [subnet broadcast address]

DESCRIPTION

This perl script is part of the samba(7) - suite.

findsmb is a perl script that - prints out several pieces of information about machines - on a subnet that respond to SMB name query requests. - It uses nmblookup(1) - and smbclient(1) - to obtain this information. -

OPTIONS

-r: Controls whether findsmb takes - bugs in Windows95 into account when trying to find a Netbios name - registered of the remote machine. This option is disabled by default - because it is specific to Windows 95 and Windows 95 machines only. - If set, nmblookup(1) - will be called with -B option.
subnet broadcast address: Without this option, findsmb - will probe the subnet of the machine where - findsmb(1) - is run. This value is passed to - nmblookup(1) - as part of the -B option.

EXAMPLES

The output of findsmb lists the following - information for all machines that respond to the initial - nmblookup for any name: IP address, NetBIOS name, - Workgroup name, operating system, and SMB server version.

There will be a '+' in front of the workgroup name for - machines that are local master browsers for that workgroup. There - will be an '*' in front of the workgroup name for - machines that are the domain master browser for that workgroup. - Machines that are running Windows for Workgroups, Windows 95 or - Windows 98 will - not show any information about the operating system or server - version.

The command with -r option - must be run on a system without nmbd(8) running. - - If nmbd is running on the system, you will - only get the IP address and the DNS name of the machine. To - get proper responses from Windows 95 and Windows 98 machines, - the command must be run as root and with -r - option on a machine without nmbd running.

For example, running findsmb - without -r option set would yield output similar - to the following

-IP ADDR         NETBIOS NAME   WORKGROUP/OS/VERSION 
---------------------------------------------------------------------- 
-192.168.35.10   MINESET-TEST1  [DMVENGR]
-192.168.35.55   LINUXBOX      *[MYGROUP] [Unix] [Samba 2.0.6]
-192.168.35.56   HERBNT2        [HERB-NT]
-192.168.35.63   GANDALF        [MVENGR] [Unix] [Samba 2.0.5a for IRIX]
-192.168.35.65   SAUNA          [WORKGROUP] [Unix] [Samba 1.9.18p10]
-192.168.35.71   FROGSTAR       [ENGR] [Unix] [Samba 2.0.0 for IRIX]
-192.168.35.78   HERBDHCP1     +[HERB]
-192.168.35.88   SCNT2         +[MVENGR] [Windows NT 4.0] [NT LAN Manager 4.0]
-192.168.35.93   FROGSTAR-PC    [MVENGR] [Windows 5.0] [Windows 2000 LAN Manager]
-192.168.35.97   HERBNT1       *[HERB-NT] [Windows NT 4.0] [NT LAN Manager 4.0]
-

VERSION

This man page is correct for version 3.0 of - the Samba suite.

AUTHOR

The original Samba man pages were written by Karl Auer. - The man page sources were converted to YODL format (another - excellent piece of Open Source software, available at ftp://ftp.icce.rug.nl/pub/unix/) - and updated for the Samba 2.0 release by Jeremy Allison. The conversion to DocBook for - Samba 2.2 was done by Gerald Carter. The conversion to DocBook - XML 4.2 for Samba 3.0 was done by Alexander Bokovoy.

diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20rc2/docs/htmldocs/manpages/index.html samba-3.0.20/docs/htmldocs/manpages/index.html --- samba-3.0.20rc2/docs/htmldocs/manpages/index.html 2005-08-07 11:19:33.000000000 -0500 +++ samba-3.0.20/docs/htmldocs/manpages/index.html 1969-12-31 18:00:00.000000000 -0600 @@ -1,57 +0,0 @@ -

editreg(1): A utility for printing and editing NT4 registry files - -
findsmb(1): list info about machines that respond to SMB - name queries on a subnet -
libsmbclient(8): An extension library for browsers and that can be used as a generic browsing API. -
lmhosts(5): The Samba NetBIOS hosts file -
log2pcap(1): Extract network traces from Samba log files -
mount.cifs(8): mount using the Common Internet File System (CIFS) -
net(8): Tool for administration of Samba and remote - CIFS servers. - -
nmbd(8): NetBIOS name server to provide NetBIOS - over IP naming services to clients -
nmblookup(1): NetBIOS over TCP/IP client used to lookup NetBIOS - names -
ntlm_auth(1): tool to allow external access to Winbind's NTLM authentication function -
pam_winbind(8): PAM module for Winbind -
pdbedit(8): manage the SAM database (Database of Samba Users) -
profiles(1): A utility to report and change SIDs in registry files - -
rpcclient(1): tool for executing client side - MS-RPC functions -
samba(7): A Windows SMB/CIFS fileserver for UNIX -
smb.conf(5): The configuration file for the Samba suite -
smbcacls(1): Set or get ACLs on an NT file or directory names -
smbclient(1): ftp-like client to access SMB/CIFS resources - on servers -
smbcontrol(1): send messages to smbd, nmbd or winbindd processes -
smbcquotas(1): Set or get QUOTAs of NTFS 5 shares -
smbd(8): server to provide SMB/CIFS services to clients -
smbget(1): wget-like utility for download files over SMB -
smbgetrc(5): configuration file for smbget -
smbmnt(8): helper utility for mounting SMB filesystems -
smbmount(8): mount an smbfs filesystem -
smbpasswd(5): The Samba encrypted password file -
smbpasswd(8): change a user's SMB password -
smbsh(1): Allows access to remote SMB shares - using UNIX commands -
smbspool(8): send a print file to an SMB printer -
smbstatus(1): report on current Samba connections -
smbtar(1): shell script for backing up SMB/CIFS shares - directly to UNIX tape drives -
smbtree(1): A text based smb network browser - -
smbumount(8): smbfs umount for normal users -
swat(8): Samba Web Administration Tool -
tdbbackup(8): tool for backing up and for validating the integrity of samba .tdb files -
tdbdump(8): tool for printing the contents of a TDB file -
testparm(1): check an smb.conf configuration file for - internal correctness -
testprns(1): check printer name for validity with smbd -
umount.cifs(8): for normal, non-root users, to unmount their own Common Internet File System (CIFS) mounts -
vfstest(1): tool for testing samba VFS modules -
wbinfo(1): Query information from winbind daemon -
winbindd(8): Name Service Switch daemon for resolving names - from NT servers -

diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20rc2/docs/htmldocs/manpages/libsmbclient.8.html samba-3.0.20/docs/htmldocs/manpages/libsmbclient.8.html --- samba-3.0.20rc2/docs/htmldocs/manpages/libsmbclient.8.html 2005-08-07 11:16:41.000000000 -0500 +++ samba-3.0.20/docs/htmldocs/manpages/libsmbclient.8.html 1969-12-31 18:00:00.000000000 -0600 @@ -1,59 +0,0 @@ -libsmbclient

Name

libsmbclient — An extension library for browsers and that can be used as a generic browsing API.

Synopsis

Browser URL:

- smb://[[[domain:]user[:password@]]server[/share[/path[/file]]]] [?options] -

DESCRIPTION

- This tool is part of the samba(8) suite. -

- libsmbclient is a library toolset that permits applications - to manipulate CIFS/SMB network resources using many of the standards POSIX functions - available for manipulating local UNIX/Linux files. It permits much more than just browsing, - files can be opened and read or written, permissions changed, file times modified, attributes - and ACL's can be manipulated, and so on. Of course, its functionality includes all the - capabilities commonly called browsing. -

- libsmbclient can not be used directly from the command line, instead - it provides an extension of the capabilities of tools such as file managers and browsers. - This man page describes the configuration options for this tool so that the user may - obtain greatest utility of use. -

OPTIONS

- What the URLs mean: -

smb://

- Shows all workgroups or domains that are visible in the network. The behavior matches - that of the Microsoft Windows Explorer. -

- The method of locating the list of workgroups (domains also) varies depending on the setting of - the context variable (context->options.browse_max_lmb_count). It is the - responsibility of the application that calls this library to set this to a sensible value. This - is a compile-time option. This value determines the maximum number of local master browsers to - query for the list of workgroups. In order to ensure that the list is complete for those present - on the network, all master browsers must be querried. If there are a large number of workgroups - on the network, the time spent querying will be significant. For small networks (just a few - workgroups), it is suggested to set this value to 0, instructing libsmbclient to query all local - master browsers. In an environment that has many workgroups a more reasonable setting may be around 3. -

smb://name/

- This command causes libsmbclient to perform a name look-up. If the NAME<1D> or - NAME<1B> exists (workgroup name), libsmbclient will list all servers in the - workgroup (or domain). Otherwise, a name look-up for the NAME<20> (machine name) - will be performed, and the list of shared resources on the server will be displayed. -

- When libsmbclient is invoked by an application it searches for a directory called - .smb in the $HOME directory that is specified in the users shell - environment. It then searches for a file called smb.conf which, - if present, will fully over-ride the system /etc/samba/smb.conf file. If - instead libsmbclient finds a file called ~/.smb/smb.conf.append, - it will read the system /etc/samba/smb.conf and then append the - contents of the ~/.smb/smb.conf.append to it. -

- libsmbclient will check the users shell environment for the USER - parameter and will use its value when if the user parameter was not included - in the URL. -

PROGRAMMERS GUIDE

- Watch this space for future updates. -

VERSION

- This man page is correct for version 3.0 of the Samba suite. -

AUTHOR

- The original Samba software and related utilities were created by Andrew Tridgell. - Samba is now developed by the Samba Team as an Open Source project similar to the way - the Linux kernel is developed. -

- The libsmbclient manpage page was written by John H Terpstra. -

diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20rc2/docs/htmldocs/manpages/lmhosts.5.html samba-3.0.20/docs/htmldocs/manpages/lmhosts.5.html --- samba-3.0.20rc2/docs/htmldocs/manpages/lmhosts.5.html 2005-08-07 11:16:45.000000000 -0500 +++ samba-3.0.20/docs/htmldocs/manpages/lmhosts.5.html 1969-12-31 18:00:00.000000000 -0600 @@ -1,39 +0,0 @@ -lmhosts

Name

lmhosts — The Samba NetBIOS hosts file

Synopsis

lmhosts is the samba(7) NetBIOS name to IP address mapping file.

DESCRIPTION

This file is part of the samba(7) suite.

lmhosts is the Samba - NetBIOS name to IP address mapping file. It - is very similar to the /etc/hosts file - format, except that the hostname component must correspond - to the NetBIOS naming format.

FILE FORMAT

It is an ASCII file containing one line for NetBIOS name. - The two fields on each line are separated from each other by - white space. Any entry beginning with '#' is ignored. Each line - in the lmhosts file contains the following information:

IP Address - in dotted decimal format.
NetBIOS Name - This name format is a - maximum fifteen character host name, with an optional - trailing '#' character followed by the NetBIOS name type - as two hexadecimal digits.
If the trailing '#' is omitted then the given IP - address will be returned for all names that match the given - name, whatever the NetBIOS name type in the lookup.

An example follows:

-#
-# Sample Samba lmhosts file.
-#
-192.9.200.1	TESTPC
-192.9.200.20	NTSERVER#20
-192.9.200.21	SAMBASERVER
-

Contains three IP to NetBIOS name mappings. The first - and third will be returned for any queries for the names "TESTPC" - and "SAMBASERVER" respectively, whatever the type component of - the NetBIOS name requested.

The second mapping will be returned only when the "0x20" name - type for a name "NTSERVER" is queried. Any other name type will not - be resolved.

The default location of the lmhosts file - is in the same directory as the smb.conf(5) file.

FILES

lmhosts is loaded from the configuration directory. This is - usually /etc/samba or /usr/local/samba/lib. -

VERSION

This man page is correct for version 3.0 of the Samba suite.

AUTHOR

The original Samba man pages were written by Karl Auer. - The man page sources were converted to YODL format (another - excellent piece of Open Source software, available at - - ftp://ftp.icce.rug.nl/pub/unix/) and updated for the Samba 2.0 - release by Jeremy Allison. The conversion to DocBook for - Samba 2.2 was done by Gerald Carter. The conversion to DocBook - XML 4.2 was done by Alexander Bokovoy.

diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20rc2/docs/htmldocs/manpages/log2pcap.1.html samba-3.0.20/docs/htmldocs/manpages/log2pcap.1.html --- samba-3.0.20rc2/docs/htmldocs/manpages/log2pcap.1.html 2005-08-07 11:16:49.000000000 -0500 +++ samba-3.0.20/docs/htmldocs/manpages/log2pcap.1.html 1969-12-31 18:00:00.000000000 -0600 @@ -1,29 +0,0 @@ -log2pcap

Name

log2pcap — Extract network traces from Samba log files

Synopsis

log2pcap [-h] [-q] [logfile] [pcap_file]

DESCRIPTION

This tool is part of the samba(7) suite.

log2pcap reads in a - samba log file and generates a pcap file (readable - by most sniffers, such as ethereal or tcpdump) based on the packet - dumps in the log file.

The log file must have a log level - of at least 5 to get the SMB header/parameters - right, 10 to get the first 512 data bytes of the - packet and 50 to get the whole packet. -

OPTIONS

-h: If this parameter is - specified the output file will be a - hex dump, in a format that is readable - by the text2pcap utility.
-q: Be quiet. No warning messages about missing - or incomplete data will be given.
logfile: - Samba log file. log2pcap will try to read the log from stdin - if the log file is not specified. -
pcap_file: - Name of the output file to write the pcap (or hexdump) data to. - If this argument is not specified, output data will be written - to stdout. -
-h|--help: Print a summary of command line options. -

EXAMPLES

Extract all network traffic from all samba log files:

-			$ log2pcap < /var/log/* > trace.pcap
-

Convert to pcap using text2pcap:

-	$ log2pcap -h samba.log | text2pcap -T 139,139 - trace.pcap
-

VERSION

This man page is correct for version 3.0 of the Samba suite.

BUGS

Only SMB data is extracted from the samba logs, no LDAP, - NetBIOS lookup or other data.

The generated TCP and IP headers don't contain a valid - checksum.

AUTHOR

This manpage was written by Jelmer Vernooij.

diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20rc2/docs/htmldocs/manpages/mount.cifs.8.html samba-3.0.20/docs/htmldocs/manpages/mount.cifs.8.html --- samba-3.0.20rc2/docs/htmldocs/manpages/mount.cifs.8.html 2005-08-07 11:16:55.000000000 -0500 +++ samba-3.0.20/docs/htmldocs/manpages/mount.cifs.8.html 1969-12-31 18:00:00.000000000 -0600 @@ -1,174 +0,0 @@ -mount.cifs

Name

mount.cifs — mount using the Common Internet File System (CIFS)

Synopsis

mount.cifs {service} {mount-point} [-o options]

DESCRIPTION

This tool is part of the samba(7) suite.

mount.cifs mounts a Linux CIFS filesystem. It -is usually invoked indirectly by -the mount(8) command when using the -"-t cifs" option. This command only works in Linux, and the kernel must -support the cifs filesystem. The CIFS protocol is the successor to the -SMB protocol and is supported by most Windows servers and many other -commercial servers and Network Attached Storage appliances as well as -by the popular Open Source server Samba. -

- The mount.cifs utility attaches the UNC name (exported network resource) to - the local directory mount-point. It is possible to set the mode for mount.cifs to -setuid root to allow non-root users to mount shares to directories for which they -have write permission. -

- Options to mount.cifs are specified as a comma-separated -list of key=value pairs. It is possible to send options other -than those listed here, assuming that the cifs filesystem kernel module (cifs.ko) supports them. -Unrecognized cifs mount options passed to the cifs vfs kernel code will be logged to the -kernel log. - -

mount.cifs causes the cifs vfs to launch a thread named cifsd. After mounting it keeps running until - the mounted resource is unmounted (usually via the umount utility). -

OPTIONS

user=arg

specifies the username to connect as. If - this is not given, then the environment variable USER is used. This option can also take the -form "user%password" or "workgroup/user" or -"workgroup/user%password" to allow the password and workgroup -to be specified as part of the username. -

Note

- The cifs vfs accepts the parameter user=, or for users familiar with smbfs it accepts the longer form of the parameter username=. Similarly the longer smbfs style parameter names may be accepted as synonyms for the shorter cifs parameters pass=,dom= and cred=. -

password=arg

specifies the CIFS password. If this -option is not given then the environment variable -PASSWD is used. If the password is not specified -directly or indirectly via an argument to mount mount.cifs will prompt -for a password, unless the guest option is specified. -

Note that a password which contains the delimiter -character (i.e. a comma ',') will fail to be parsed correctly -on the command line. However, the same password defined -in the PASSWD environment variable or via a credentials file (see -below) or entered at the password prompt will be read correctly. -

credentials=filename

- specifies a file that contains a username - and/or password. The format of the file is: -

-		username=value
-		password=value
-

-This is preferred over having passwords in plaintext in a -shared file, such as /etc/fstab. Be sure to protect any -credentials file properly. -

uid=arg

sets the uid that will own all files on - the mounted filesystem. - It may be specified as either a username or a numeric uid. - This parameter is ignored when the target server supports - the CIFS Unix extensions.

gid=arg

sets the gid that will own all files on -the mounted filesystem. -It may be specified as either a groupname or a numeric -gid. This parameter is ignored when the target server supports -the CIFS Unix extensions. -

port=arg

sets the port number on the server to attempt to contact to negotiate -CIFS support. If the CIFS server is not listening on this port or -if it is not specified, the default ports will be tried i.e. -port 445 is tried and if no response then port 139 is tried. -

netbiosname=arg

When mounting to servers via port 139, specifies the RFC1001 - source name to use to represent the client netbios machine - name when doing the RFC1001 netbios session initialize. -

file_mode=arg

If the server does not support the CIFS Unix extensions this - overrides the default file mode.

dir_mode=arg

If the server does not support the CIFS Unix extensions this - overrides the default mode for directories.

ip=arg

sets the destination host or IP address.

domain=arg

sets the domain (workgroup) of the user

guest

don't prompt for a password

iocharset

Charset used to convert local path names to and from - Unicode. Unicode is used by default for network path - names if the server supports it. If iocharset is - not specified then the nls_default specified - during the local client kernel build will be used. - If server does not support Unicode, this parameter is - unused.

ro

mount read-only

rw

mount read-write

setuids

If the CIFS Unix extensions are negotiated with the server - the client will attempt to set the effective uid and gid of - the local process on newly created files, directories, and - devices (create, mkdir, mknod).

nosetuids

The client will not attempt to set the uid and gid on - on newly created files, directories, and devices (create, - mkdir, mknod) which will result in the server setting the - uid and gid to the default (usually the server uid of the - user who mounted the share). Letting the server (rather than - the client) set the uid and gid is the default. This - parameter has no effect if the CIFS Unix Extensions are not - negotiated.

perm

Client does permission checks (vfs_permission check of uid - and gid of the file against the mode and desired operation), - Note that this is in addition to the normal ACL check on the - target machine done by the server software. - Client permission checking is enabled by default.

noperm

Client does not do permission checks. This can expose - files on this mount to access by other users on the local - client system. It is typically only needed when the server - supports the CIFS Unix Extensions but the UIDs/GIDs on the - client and server system do not match closely enough to allow - access by the user doing the mount. - Note that this does not affect the normal ACL check on the - target machine done by the server software (of the server - ACL against the user name provided at mount time).

directio

Do not do inode data caching on files opened on this mount. - This precludes mmaping files on this mount. In some cases - with fast networks and little or no caching benefits on the - client (e.g. when the application is doing large sequential - reads bigger than page size without rereading the same data) - this can provide better performance than the default - behavior which caches reads (readahead) and writes - (writebehind) through the local Linux client pagecache - if oplock (caching token) is granted and held. Note that - direct allows write operations larger than page size - to be sent to the server. On some kernels this requires the cifs.ko module - to be built with the CIFS_EXPERIMENTAL configure option.

mapchars

Translate six of the seven reserved characters (not backslash, but including the colon, question mark, pipe, asterik, greater than and less than characters) - to the remap range (above 0xF000), which also - allows the CIFS client to recognize files created with - such characters by Windows's POSIX emulation. This can - also be useful when mounting to most versions of Samba - (which also forbids creating and opening files - whose names contain any of these seven characters). - This has no effect if the server does not support - Unicode on the wire.

nomapchars

Do not translate any of these seven characters (default)

intr

currently unimplemented

nointr

(default) currently unimplemented

hard

The program accessing a file on the cifs mounted file system will hang when the - server crashes.

soft

(default) The program accessing a file on the cifs mounted file system will not hang when the server crashes and will return errors to the user application.

--verbose

Print additional debugging information for the mount. Note that this parameter must be specified before the -o. For example:

mount -t cifs //server/share /mnt --verbose -o user=username

noacl

Do not allow POSIX ACL operations even if server would support them.

- The CIFS client can get and set POSIX ACLs (getfacl, setfacl) to Samba servers - version 3.10 and later. Setting POSIX ACLs requires enabling both XATTR and - then POSIX support in the CIFS configuration options when building the cifs - module. POSIX ACL support can be disabled on a per mount basic by specifying - "noacl" on mount.

serverino

Use inode numbers (unique persistent file identifiers) - returned by the server instead of automatically generating - temporary inode numbers on the client. Although server inode numbers - make it easier to spot hardlinked files (as they will have - the same inode numbers) and inode numbers may be persistent (which is - userful for some sofware), - the server does not guarantee that the inode numbers - are unique if multiple server side mounts are exported under a - single share (since inode numbers on the servers might not - be unique if multiple filesystems are mounted under the same - shared higher level directory). Note that not all - servers support returning server inode numbers, although - those that support the CIFS Unix Extensions, and Windows 2000 and - later servers typically do support this (although not necessarily - on every local server filesystem). Parameter has no effect if - the server lacks support for returning inode numbers or equivalent. -

noserverino

client generates inode numbers (rather than using the actual one - from the server) by default. -

nouser_xattr

(default) Do not allow getfattr/setfattr to get/set xattrs, even if server would support it otherwise.

rsize=arg

default network read size

wsize=arg

default network write size

ENVIRONMENT VARIABLES

- The variable USER may contain the username of the -person to be used to authenticate to the server. -The variable can be used to set both username and -password by using the format username%password. -

- The variable PASSWD may contain the password of the -person using the client. -

- The variable PASSWD_FILE may contain the pathname -of a file to read the password from. A single line of input is -read and used as the password. -

NOTES

This command may be used only by root, unless installed setuid, in which case the noeexec and nosuid mount flags are enabled.

CONFIGURATION

-The primary mechanism for making configuration changes and for reading -debug information for the cifs vfs is via the Linux /proc filesystem. -In the directory /proc/fs/cifs are various -configuration files and pseudo files which can display debug information. -For more information see the kernel file fs/cifs/README. -

BUGS

Mounting using the CIFS URL specification is currently not supported. -

The credentials file does not handle usernames or passwords with - leading space.

-Note that the typical response to a bug report is a suggestion -to try the latest version first. So please try doing that first, -and always include which versions you use of relevant software -when reporting bugs (minimum: mount.cifs (try mount.cifs -V), kernel (see /proc/version) and -server type you are trying to contact. -

VERSION

This man page is correct for version 1.34 of - the cifs vfs filesystem (roughly Linux kernel 2.6.12).

AUTHOR

Steve French

The syntax and manpage were loosely based on that of smbmount. It - was converted to Docbook/XML by Jelmer Vernooij.

The maintainer of the Linux cifs vfs and the userspace - tool mount.cifs is Steve French. - The Linux CIFS Mailing list - is the preferred place to ask questions regarding these programs. -

diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20rc2/docs/htmldocs/manpages/net.8.html samba-3.0.20/docs/htmldocs/manpages/net.8.html --- samba-3.0.20rc2/docs/htmldocs/manpages/net.8.html 2005-08-07 11:17:00.000000000 -0500 +++ samba-3.0.20/docs/htmldocs/manpages/net.8.html 1969-12-31 18:00:00.000000000 -0600 @@ -1,166 +0,0 @@ -net

Name

net — Tool for administration of Samba and remote - CIFS servers. -

Synopsis

net {<ads|rap|rpc>} [-h] [-w workgroup] [-W myworkgroup] [-U user] [-I ip-address] [-p port] [-n myname] [-s conffile] [-S server] [-l] [-P] [-D debuglevel]

DESCRIPTION

This tool is part of the samba(7) suite.

The samba net utility is meant to work just like the net utility - available for windows and DOS. The first argument should be used - to specify the protocol to use when executing a certain command. - ADS is used for ActiveDirectory, RAP is using for old (Win9x/NT3) - clients and RPC can be used for NT4 and Windows 2000. If this - argument is omitted, net will try to determine it automatically. - Not all commands are available on all protocols. -

OPTIONS

-h|--help

Print a summary of command line options. -

-w target-workgroup

- Sets target workgroup or domain. You have to specify - either this option or the IP address or the name of a server. -

-W workgroup

- Sets client workgroup or domain -

-U user

- User name to use -

-I ip-address

- IP address of target server to use. You have to - specify either this option or a target workgroup or - a target server. -

-p port

- Port on the target server to connect to (usually 139 or 445). - Defaults to trying 445 first, then 139. -

-n <primary NetBIOS name>

This option allows you to override -the NetBIOS name that Samba uses for itself. This is identical -to setting the parameter in the smb.conf file. -However, a command -line setting will take precedence over settings in -smb.conf.

-s <configuration file>

The file specified contains the -configuration details required by the server. The -information in this file includes server-specific -information such as what printcap file to use, as well -as descriptions of all the services that the server is -to provide. See smb.conf for more information. -The default configuration file name is determined at -compile time.

-S server

- Name of target server. You should specify either - this option or a target workgroup or a target IP address. -

-l

- When listing data, give more information on each item. -

-P

- Make queries to the external server using the machine account of the local server. -

-d|--debug=debuglevel

debuglevel is an integer -from 0 to 10. The default value if this parameter is -not specified is zero.

The higher this value, the more detail will be -logged to the log files about the activities of the -server. At level 0, only critical errors and serious -warnings will be logged. Level 1 is a reasonable level for -day-to-day running - it generates a small amount of -information about operations carried out.

Levels above 1 will generate considerable -amounts of log data, and should only be used when -investigating a problem. Levels above 3 are designed for -use only by developers and generate HUGE amounts of log -data, most of which is extremely cryptic.

Note that specifying this parameter here will -override the parameter -in the smb.conf file.

COMMANDS

CHANGESECRETPW

This command allows the Samba machine account password to be set from an external application -to a machine account password that has already been stored in Active Directory. DO NOT USE this command -unless you know exactly what you are doing. The use of this command requires that the force flag (-f) -be used also. There will be NO command prompt. Whatever information is piped into stdin, either by -typing at the command line or otherwise, will be stored as the literal machine password. Do NOT use -this without care and attention as it will overwrite a legitimate machine password without warning. -YOU HAVE BEEN WARNED. -

TIME

The NET TIME command allows you to view the time on a remote server - or synchronise the time on the local server with the time on the remote server.

TIME

Without any options, the NET TIME command -displays the time on the remote server. -

TIME SYSTEM

Displays the time on the remote server in a format ready for /bin/date

TIME SET

Tries to set the date and time of the local server to that on -the remote server using /bin/date.

TIME ZONE

Displays the timezone in hours from GMT on the remote computer.

[RPC|ADS] JOIN [TYPE] [-U username[%password]] [options]

-Join a domain. If the account already exists on the server, and -[TYPE] is MEMBER, the machine will attempt to join automatically. -(Assuming that the machine has been created in server manager) -Otherwise, a password will be prompted for, and a new account may -be created.

-[TYPE] may be PDC, BDC or MEMBER to specify the type of server -joining the domain. -

[RPC] OLDJOIN [options]

Join a domain. Use the OLDJOIN option to join the domain -using the old style of domain joining - you need to create a trust -account in server manager first.

[RPC|ADS] USER

List all users

[RPC|ADS] USER DELETE `target`

Delete specified user

[RPC|ADS] USER INFO `target`

List the domain groups of a the specified user.

[RPC|ADS] USER RENAME `oldname` `newname`

Rename specified user.

[RPC|ADS] USER ADD `name` [password] [-F user flags] [-C comment]

Add specified user.

[RPC|ADS] GROUP

[RPC|ADS] GROUP [misc options] [targets]

List user groups.

[RPC|ADS] GROUP DELETE `name` [misc. options]

Delete specified group.

[RPC|ADS] GROUP ADD `name` [-C comment]

Create specified group.

[RAP|RPC] SHARE

[RAP|RPC] SHARE [misc. options] [targets]

Enumerates all exported resources (network shares) on target server.

[RAP|RPC] SHARE ADD `name=serverpath` [-C comment] [-M maxusers] [targets]

Adds a share from a server (makes the export active). Maxusers -specifies the number of users that can be connected to the -share simultaneously.

SHARE DELETE `sharenam`

Delete specified share.

[RPC|RAP] FILE

List all open files on remote server.

[RPC|RAP] FILE CLOSE `fileid`

Close file with specified fileid on -remote server.

[RPC|RAP] FILE INFO `fileid`

-Print information on specified fileid. -Currently listed are: file-id, username, locks, path, permissions. -

[RAP|RPC] FILE USER

Note

Currently NOT implemented.

SESSION

RAP SESSION

Without any other options, SESSION enumerates all active SMB/CIFS -sessions on the target server.

RAP SESSION DELETE|CLOSE `CLIENT_NAME`

Close the specified sessions.

RAP SESSION INFO `CLIENT_NAME`

Give a list with all the open files in specified session.

RAP SERVER `DOMAIN`

List all servers in specified domain or workgroup. Defaults -to local domain.

RAP DOMAIN

Lists all domains and workgroups visible on the -current network.

RAP PRINTQ

RAP PRINTQ LIST `QUEUE_NAME`

Lists the specified print queue and print jobs on the server. -If the QUEUE_NAME is omitted, all -queues are listed.

RAP PRINTQ DELETE `JOBID`

Delete job with specified id.

RAP VALIDATE `user` [`password`]

-Validate whether the specified user can log in to the -remote server. If the password is not specified on the commandline, it -will be prompted. -

Note

Currently NOT implemented.

RAP GROUPMEMBER

RAP GROUPMEMBER LIST `GROUP`

List all members of the specified group.

RAP GROUPMEMBER DELETE `GROUP` `USER`

Delete member from group.

RAP GROUPMEMBER ADD `GROUP` `USER`

Add member to group.

RAP ADMIN `command`

Execute the specified command on -the remote server. Only works with OS/2 servers. -

Note

Currently NOT implemented.

RAP SERVICE

RAP SERVICE START `NAME` [arguments...]

Start the specified service on the remote server. Not implemented yet.

Note

Currently NOT implemented.

RAP SERVICE STOP

Stop the specified service on the remote server.

Note

Currently NOT implemented.

RAP PASSWORD `USER` `OLDPASS` `NEWPASS`

-Change password of USER from OLDPASS to NEWPASS. -

LOOKUP

LOOKUP HOST `HOSTNAME` [`TYPE`]

-Lookup the IP address of the given host with the specified type (netbios suffix). -The type defaults to 0x20 (workstation). -

LOOKUP LDAP [`DOMAIN`

Give IP address of LDAP server of specified DOMAIN. Defaults to local domain.

LOOKUP KDC [`REALM`]

Give IP address of KDC for the specified REALM. -Defaults to local realm.

LOOKUP DC [`DOMAIN`]

Give IP's of Domain Controllers for specified -DOMAIN. Defaults to local domain.

LOOKUP MASTER `DOMAIN`

Give IP of master browser for specified DOMAIN -or workgroup. Defaults to local domain.

CACHE

Samba uses a general caching interface called 'gencache'. It -can be controlled using 'NET CACHE'.

All the timeout parameters support the suffixes: - -

s - Seconds

m - Minutes

h - Hours

d - Days

w - Weeks

- -

CACHE ADD `key` `data` `time-out`

Add specified key+data to the cache with the given timeout.

CACHE DEL `key`

Delete key from the cache.

CACHE SET `key` `data` `time-out`

Update data of existing cache entry.

CACHE SEARCH `PATTERN`

Search for the specified pattern in the cache data.

CACHE LIST

-List all current items in the cache. -

CACHE FLUSH

Remove all the current items from the cache.

GETLOCALSID [DOMAIN]

Print the SID of the specified domain, or if the parameter is -omitted, the SID of the domain the local server is in.

SETLOCALSID S-1-5-21-x-y-z

Sets domain sid for the local server to the specified SID.

GROUPMAP

Manage the mappings between Windows group SIDs and UNIX groups. -Parameters take the for "parameter=value". Common options include:

unixgroup - Name of the UNIX group
ntgroup - Name of the Windows NT group (must be - resolvable to a SID
rid - Unsigned 32-bit integer
sid - Full SID in the form of "S-1-..."
type - Type of the group; either 'domain', 'local', - or 'builtin'
comment - Freeform text description of the group

GROUPMAP ADD

-Add a new group mapping entry: -

-net groupmap add {rid=int|sid=string} unixgroup=string \
-      [type={domain|local}] [ntgroup=string] [comment=string]
-

GROUPMAP DELETE

Delete a group mapping entry. If more then one group name matches, the first entry found is deleted.

net groupmap delete {ntgroup=string|sid=SID}

GROUPMAP MODIFY

Update en existing group entry

-net groupmap modify {ntgroup=string|sid=SID} [unixgroup=string] \
-       [comment=string] [type={domain|local}]
-

GROUPMAP LIST

List existing group mapping entries

net groupmap list [verbose] [ntgroup=string] [sid=SID]

MAXRID

Prints out the highest RID currently in use on the local -server (by the active 'passdb backend'). -

RPC INFO

Print information about the domain of the remote server, -such as domain name, domain sid and number of users and groups. -

[RPC|ADS] TESTJOIN

Check whether participation in a domain is still valid.

[RPC|ADS] CHANGETRUSTPW

Force change of domain trust password.

RPC TRUSTDOM

RPC TRUSTDOM ADD `DOMAIN`

Add a interdomain trust account for -DOMAIN to the remote server. -

RPC TRUSTDOM DEL `DOMAIM`

Remove interdomain trust account for -DOMAIN from the remote server. -

Note

Currently NOT implemented.

RPC TRUSTDOM ESTABLISH `DOMAIN`

-Establish a trust relationship to a trusting domain. -Interdomain account must already be created on the remote PDC. -

RPC TRUSTDOM REVOKE `DOMAIN`

Abandon relationship to trusted domain

RPC TRUSTDOM LIST

List all current interdomain trust relationships.

RPC RIGHTS

This subcommand is used to view and manage Samba's rights assignments (also -referred to as privileges). There are three options current available: -list, grant, and -revoke. More details on Samba's privilege model and its use -can be found in the Samba-HOWTO-Collection.

RPC ABORTSHUTDOWN

Abort the shutdown of a remote server.

SHUTDOWN [-t timeout] [-r] [-f] [-C message]

Shut down the remote server.

-r: -Reboot after shutdown. -
-f: -Force shutting down all applications. -
-t timeout: -Timeout before system will be shut down. An interactive -user of the system can use this time to cancel the shutdown. -
-C message: Display the specified message on the screen to -announce the shutdown.

SAMDUMP

Print out sam database of remote server. You need -to run this on either a BDC.

VAMPIRE

Export users, aliases and groups from remote server to -local server. Can only be run an a BDC. -

GETSID

Fetch domain SID and store it in the local secrets.tdb.

ADS LEAVE

Make the remote host leave the domain it is part of.

ADS STATUS

Print out status of machine account of the local machine in ADS. -Prints out quite some debug info. Aimed at developers, regular -users should use NET ADS TESTJOIN.

ADS PRINTER

ADS PRINTER INFO [`PRINTER`] [`SERVER`]

-Lookup info for PRINTER on SERVER. The printer name defaults to "*", the -server name defaults to the local host.

ADS PRINTER PUBLISH `PRINTER`

Publish specified printer using ADS.

ADS PRINTER REMOVE `PRINTER`

Remove specified printer from ADS directory.

ADS SEARCH `EXPRESSION` `ATTRIBUTES...`

Perform a raw LDAP search on a ADS server and dump the results. The -expression is a standard LDAP search expression, and the -attributes are a list of LDAP fields to show in the results.

Example: net ads search '(objectCategory=group)' sAMAccountName -

ADS DN `DN` `(attributes)`

-Perform a raw LDAP search on a ADS server and dump the results. The -DN standard LDAP DN, and the attributes are a list of LDAP fields -to show in the result. -

Example: net ads dn 'CN=administrator,CN=Users,DC=my,DC=domain' SAMAccountName

WORKGROUP

Print out workgroup name for specified kerberos realm.

HELP [COMMAND]

Gives usage information for the specified command.

VERSION

This man page is complete for version 3.0 of the Samba - suite.

AUTHOR

The net manpage was written by Jelmer Vernooij.

diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20rc2/docs/htmldocs/manpages/nmbd.8.html samba-3.0.20/docs/htmldocs/manpages/nmbd.8.html --- samba-3.0.20rc2/docs/htmldocs/manpages/nmbd.8.html 2005-08-07 11:17:04.000000000 -0500 +++ samba-3.0.20/docs/htmldocs/manpages/nmbd.8.html 1969-12-31 18:00:00.000000000 -0600 @@ -1,147 +0,0 @@ -nmbd

Name

nmbd — NetBIOS name server to provide NetBIOS - over IP naming services to clients

Synopsis

nmbd [-D] [-F] [-S] [-a] [-i] [-o] [-h] [-V] [-d <debug level>] [-H <lmhosts file>] [-l <log directory>] [-p <port number>] [-s <configuration file>]

DESCRIPTION

This program is part of the samba(7) suite.

nmbd is a server that understands - and can reply to NetBIOS over IP name service requests, like - those produced by SMB/CIFS clients such as Windows 95/98/ME, - Windows NT, Windows 2000, Windows XP and LanManager clients. It also - participates in the browsing protocols which make up the - Windows "Network Neighborhood" view.

SMB/CIFS clients, when they start up, may wish to - locate an SMB/CIFS server. That is, they wish to know what - IP number a specified host is using.

Amongst other services, nmbd will - listen for such requests, and if its own NetBIOS name is - specified it will respond with the IP number of the host it - is running on. Its "own NetBIOS name" is by - default the primary DNS name of the host it is running on, - but this can be overridden by the netbios name - in smb.conf. Thus nmbd will - reply to broadcast queries for its own name(s). Additional - names for nmbd to respond on can be set - via parameters in the smb.conf(5) configuration file.

nmbd can also be used as a WINS - (Windows Internet Name Server) server. What this basically means - is that it will act as a WINS database server, creating a - database from name registration requests that it receives and - replying to queries from clients for these names.

In addition, nmbd can act as a WINS - proxy, relaying broadcast queries from clients that do - not understand how to talk the WINS protocol to a WINS - server.

OPTIONS

-D

If specified, this parameter causes - nmbd to operate as a daemon. That is, - it detaches itself and runs in the background, fielding - requests on the appropriate port. By default, nmbd - will operate as a daemon if launched from a command shell. - nmbd can also be operated from the inetd - meta-daemon, although this is not recommended. -

-F

If specified, this parameter causes - the main nmbd process to not daemonize, - i.e. double-fork and disassociate with the terminal. - Child processes are still created as normal to service - each connection request, but the main process does not - exit. This operation mode is suitable for running - nmbd under process supervisors such - as supervise and svscan - from Daniel J. Bernstein's daemontools - package, or the AIX process monitor. -

-S

If specified, this parameter causes - nmbd to log to standard output rather - than a file.

-i

If this parameter is specified it causes the - server to run "interactively", not as a daemon, even if the - server is executed on the command line of a shell. Setting this - parameter negates the implicit daemon mode when run from the - command line. nmbd also logs to standard - output, as if the -S parameter had been - given.

-h|--help

Print a summary of command line options. -

-H <filename>

NetBIOS lmhosts file. The lmhosts - file is a list of NetBIOS names to IP addresses that - is loaded by the nmbd server and used via the name - resolution mechanism name resolve order described in smb.conf(5) to resolve any - NetBIOS name queries needed by the server. Note - that the contents of this file are NOT - used by nmbd to answer any name queries. - Adding a line to this file affects name NetBIOS resolution - from this host ONLY.

The default path to this file is compiled into - Samba as part of the build process. Common defaults - are /usr/local/samba/lib/lmhosts, - /usr/samba/lib/lmhosts or - /etc/samba/lmhosts. See the lmhosts(5) man page for details on the contents of this file.

-V

Prints the program version number. -

-s <configuration file>

-d|--debug=debuglevel

debuglevel is an integer -from 0 to 10. The default value if this parameter is -not specified is zero.

Note that specifying this parameter here will -override the parameter -in the smb.conf file.

-l|--logfile=logdirectory

Base directory name for log/debug files. The extension -".progname" will be appended (e.g. log.smbclient, -log.smbd, etc...). The log file is never removed by the client. -

-p <UDP port number>

UDP port number is a positive integer value. - This option changes the default UDP port number (normally 137) - that nmbd responds to name queries on. Don't - use this option unless you are an expert, in which case you - won't need help!

FILES

/etc/inetd.conf

If the server is to be run by the - inetd meta-daemon, this file - must contain suitable startup information for the - meta-daemon. -

/etc/rc

or whatever initialization script your - system uses).

If running the server as a daemon at startup, - this file will need to contain an appropriate startup - sequence for the server.

/etc/services

If running the server via the - meta-daemon inetd, this file - must contain a mapping of service name (e.g., netbios-ssn) - to service port (e.g., 139) and protocol type (e.g., tcp). -

/usr/local/samba/lib/smb.conf

This is the default location of - the smb.conf(5) server - configuration file. Other common places that systems - install this file are /usr/samba/lib/smb.conf - and /etc/samba/smb.conf.

When run as a WINS server (see the - wins support - parameter in the smb.conf(5) man page), - nmbd - will store the WINS database in the file wins.dat - in the var/locks directory configured under - wherever Samba was configured to install itself.

If nmbd is acting as a - browse master (see the local master - parameter in the smb.conf(5) man page, nmbd - will store the browsing database in the file browse.dat - in the var/locks directory - configured under wherever Samba was configured to install itself. -

SIGNALS

To shut down an nmbd process it is recommended - that SIGKILL (-9) NOT be used, except as a last - resort, as this may leave the name database in an inconsistent state. - The correct way to terminate nmbd is to send it - a SIGTERM (-15) signal and wait for it to die on its own.

nmbd will accept SIGHUP, which will cause - it to dump out its namelists into the file namelist.debug - in the /usr/local/samba/var/locks - directory (or the var/locks directory configured - under wherever Samba was configured to install itself). This will also - cause nmbd to dump out its server database in - the log.nmb file.

The debug log level of nmbd may be raised or lowered - using smbcontrol(1) (SIGUSR[1|2] signals - are no longer used since Samba 2.2). This is to allow - transient problems to be diagnosed, whilst still running - at a normally low log level.

VERSION

This man page is correct for version 3.0 of - the Samba suite.

AUTHOR

The original Samba man pages were written by Karl Auer. - The man page sources were converted to YODL format (another - excellent piece of Open Source software, available at - ftp://ftp.icce.rug.nl/pub/unix/) and updated for the Samba 2.0 - release by Jeremy Allison. The conversion to DocBook for - Samba 2.2 was done by Gerald Carter. The conversion to DocBook - XML 4.2 for Samba 3.0 was done by Alexander Bokovoy.

diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20rc2/docs/htmldocs/manpages/nmblookup.1.html samba-3.0.20/docs/htmldocs/manpages/nmblookup.1.html --- samba-3.0.20rc2/docs/htmldocs/manpages/nmblookup.1.html 2005-08-07 11:17:07.000000000 -0500 +++ samba-3.0.20/docs/htmldocs/manpages/nmblookup.1.html 1969-12-31 18:00:00.000000000 -0600 @@ -1,105 +0,0 @@ -nmblookup

Name

nmblookup — NetBIOS over TCP/IP client used to lookup NetBIOS - names

Synopsis

nmblookup [-M] [-R] [-S] [-r] [-A] [-h] [-B <broadcast address>] [-U <unicast address>] [-d <debug level>] [-s <smb config file>] [-i <NetBIOS scope>] [-T] [-f] {name}

DESCRIPTION

This tool is part of the samba(7) suite.

nmblookup is used to query NetBIOS names - and map them to IP addresses in a network using NetBIOS over TCP/IP - queries. The options allow the name queries to be directed at a - particular IP broadcast area or to a particular machine. All queries - are done over UDP.

OPTIONS

-M

Searches for a master browser by looking - up the NetBIOS name name with a - type of 0x1d. If - name is "-" then it does a lookup on the special name - __MSBROWSE__. Please note that in order to - use the name "-", you need to make sure "-" isn't parsed as an - argument, e.g. use : - nmblookup -M -- -.

-R

Set the recursion desired bit in the packet - to do a recursive lookup. This is used when sending a name - query to a machine running a WINS server and the user wishes - to query the names in the WINS server. If this bit is unset - the normal (broadcast responding) NetBIOS processing code - on a machine is used instead. See RFC1001, RFC1002 for details. -

-S

Once the name query has returned an IP - address then do a node status query as well. A node status - query returns the NetBIOS names registered by a host. -

-r

Try and bind to UDP port 137 to send and receive UDP - datagrams. The reason for this option is a bug in Windows 95 - where it ignores the source port of the requesting packet - and only replies to UDP port 137. Unfortunately, on most UNIX - systems root privilege is needed to bind to this port, and - in addition, if the nmbd(8) daemon is running on this machine it also binds to this port. -

-A

Interpret name as - an IP Address and do a node status query on this address.

-n <primary NetBIOS name>

-i <scope>

This specifies a NetBIOS scope that -nmblookup will use to communicate with when -generating NetBIOS names. For details on the use of NetBIOS -scopes, see rfc1001.txt and rfc1002.txt. NetBIOS scopes are -very rarely used, only set this parameter -if you are the system administrator in charge of all the -NetBIOS systems you communicate with.

-W|--workgroup=domain

Set the SMB domain of the username. This -overrides the default domain which is the domain defined in -smb.conf. If the domain specified is the same as the servers -NetBIOS name, it causes the client to log on using the servers local -SAM (as opposed to the Domain SAM).

-O socket options

TCP socket options to set on the client -socket. See the socket options parameter in -the smb.conf manual page for the list of valid -options.

-h|--help

Print a summary of command line options. -

-B <broadcast address>

Send the query to the given broadcast address. Without - this option the default behavior of nmblookup is to send the - query to the broadcast address of the network interfaces as - either auto-detected or defined in the interfaces - parameter of the smb.conf(5) file. -

-U <unicast address>

Do a unicast query to the specified address or - host unicast address. This option - (along with the -R option) is needed to - query a WINS server.

-V

Prints the program version number. -

-s <configuration file>

-d|--debug=debuglevel

debuglevel is an integer -from 0 to 10. The default value if this parameter is -not specified is zero.

Note that specifying this parameter here will -override the parameter -in the smb.conf file.

-l|--logfile=logdirectory

Base directory name for log/debug files. The extension -".progname" will be appended (e.g. log.smbclient, -log.smbd, etc...). The log file is never removed by the client. -

-T

This causes any IP addresses found in the - lookup to be looked up via a reverse DNS lookup into a - DNS name, and printed out before each

IP address .... NetBIOS name

pair that is the normal output.

-f

- Show which flags apply to the name that has been looked up. Possible - answers are zero or more of: Response, Authoritative, - Truncated, Recursion_Desired, Recursion_Available, Broadcast. -

name

This is the NetBIOS name being queried. Depending - upon the previous options this may be a NetBIOS name or IP address. - If a NetBIOS name then the different name types may be specified - by appending '#<type>' to the name. This name may also be - '*', which will return all registered names within a broadcast - area.

EXAMPLES

nmblookup can be used to query - a WINS server (in the same way nslookup is - used to query DNS servers). To query a WINS server, nmblookup - must be called like this:

nmblookup -U server -R 'name'

For example, running :

nmblookup -U samba.org -R 'IRIX#1B'

would query the WINS server samba.org for the domain - master browser (1B name type) for the IRIX workgroup.

VERSION

This man page is correct for version 3.0 of - the Samba suite.

AUTHOR

diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20rc2/docs/htmldocs/manpages/ntlm_auth.1.html samba-3.0.20/docs/htmldocs/manpages/ntlm_auth.1.html --- samba-3.0.20rc2/docs/htmldocs/manpages/ntlm_auth.1.html 2005-08-07 11:17:12.000000000 -0500 +++ samba-3.0.20/docs/htmldocs/manpages/ntlm_auth.1.html 1969-12-31 18:00:00.000000000 -0600 @@ -1,157 +0,0 @@ -ntlm_auth

Name

ntlm_auth — tool to allow external access to Winbind's NTLM authentication function

Synopsis

ntlm_auth [-d debuglevel] [-l logdir] [-s <smb config file>]

DESCRIPTION

This tool is part of the samba(7) suite.

ntlm_auth is a helper utility that authenticates - users using NT/LM authentication. It returns 0 if the users is authenticated - successfully and 1 if access was denied. ntlm_auth uses winbind to access - the user and authentication data for a domain. This utility - is only indended to be used by other programs (currently - Squid - and mod_ntlm_winbind) -

OPERATIONAL REQUIREMENTS

- The winbindd(8) daemon must be operational - for many of these commands to function.

Some of these commands also require access to the directory - winbindd_privileged in - $LOCKDIR. This should be done either by running - this command as root or providing group access - to the winbindd_privileged directory. For - security reasons, this directory should not be world-accessable.

OPTIONS

--helper-protocol=PROTO

- Operate as a stdio-based helper. Valid helper protocols are: -

squid-2.4-basic

- Server-side helper for use with Squid 2.4's basic (plaintext) - authentication.

squid-2.5-basic

- Server-side helper for use with Squid 2.5's basic (plaintext) - authentication.

squid-2.5-ntlmssp

- Server-side helper for use with Squid 2.5's NTLMSSP - authentication.

Requires access to the directory - winbindd_privileged in - $LOCKDIR. The protocol used is - described here: http://devel.squid-cache.org/ntlm/squid_helper_protocol.html. - This protocol has been extended to allow the - NTLMSSP Negotiate packet to be included as an argument - to the YR command. (Thus avoiding - loss of information in the protocol exchange). -

ntlmssp-client-1

- Client-side helper for use with arbitary external - programs that may wish to use Samba's NTLMSSP - authentication knowlege.

This helper is a client, and as such may be run by any - user. The protocol used is - effectivly the reverse of the previous protocol. A - YR command (without any arguments) - starts the authentication exchange. -

gss-spnego

- Server-side helper that implements GSS-SPNEGO. This - uses a protocol that is almost the same as - squid-2.5-ntlmssp, but has some - subtle differences that are undocumented outside the - source at this stage. -

Requires access to the directory - winbindd_privileged in - $LOCKDIR. -

gss-spnego-client

- Client-side helper that implements GSS-SPNEGO. This - also uses a protocol similar to the above helpers, but - is currently undocumented. -

ntlm-server-1

- Server-side helper protocol, intended for use by a - RADIUS server or the 'winbind' plugin for pppd, for - the provision of MSCHAP and MSCHAPv2 authentication. -

This protocol consists of lines in for form: - Parameter: value and Paramter:: - Base64-encode value. The presence of a single - period . indicates that one side has - finished supplying data to the other. (Which in turn - could cause the helper to authenticate the - user).

Curently implemented parameters from the - external program to the helper are:

Warning

Implementors should take care to base64 encode - any data (such as usernames/passwords) that may contain malicous user data, such as - a newline. They may also need to decode strings from - the helper, which likewise may have been base64 encoded.

Username: The username, expected to be in - Samba's unix charset. -
Example 1.
Username: bob
Example 2.
Username:: Ym9i
Username: The user's domain, expected to be in - Samba's unix charset. -
Example 3.
Domain: WORKGROUP
Example 4.
Domain:: V09SS0dST1VQ
Full-Username: The fully qualified username, expected to be in - Samba's and qualified with the - winbind separator. -
Example 5.
Full-Username: WORKGROUP\bob
Example 6.
Full-Username:: V09SS0dST1VQYm9i
LANMAN-Challenge: The 8 byte LANMAN Challenge value, - generated randomly by the server, or (in cases such as - MSCHAPv2) generated in some way by both the server and - the client. -
Example 7.
LANMAN-Challege: 0102030405060708
LANMAN-Response: The 24 byte LANMAN Response value, - calculated from the user's password and the supplied - LANMAN Challenge. Typically, this - is provided over the network by a client wishing to authenticate. -
Example 8.
LANMAN-Response: 0102030405060708090A0B0C0D0E0F101112131415161718
NT-Response: The >= 24 byte NT Response - calculated from the user's password and the supplied - LANMAN Challenge. Typically, this is - provided over the network by a client wishing to authenticate. -
Example 9.
NT-Response: 0102030405060708090A0B0C0D0E0F101112131415161718
Password: The user's password. This would be - provided by a network client, if the helper is being - used in a legacy situation that exposes plaintext - passwords in this way. -
Example 10.
Password: samba2
Example 11.
Password:: c2FtYmEy
Request-User-Session-Key: Apon sucessful authenticaiton, return - the user session key associated with the login. -
Example 12.
Request-User-Session-Key: Yes
Request-LanMan-Session-Key: Apon sucessful authenticaiton, return - the LANMAN session key associated with the login. -
Example 13.
Request-LanMan-Session-Key: Yes

--username=USERNAME

- Specify username of user to authenticate -

--domain=DOMAIN

- Specify domain of user to authenticate -

--workstation=WORKSTATION

- Specify the workstation the user authenticated from -

--challenge=STRING

NTLM challenge (in HEXADECIMAL)

--lm-response=RESPONSE

LM Response to the challenge (in HEXADECIMAL)

--nt-response=RESPONSE

NT or NTLMv2 Response to the challenge (in HEXADECIMAL)

--password=PASSWORD

User's plaintext password

If - not specified on the command line, this is prompted for when - required.

For the NTLMSSP based server roles, this paramter - specifies the expected password, allowing testing without - winbindd operational.

--request-lm-key

Retreive LM session key

--request-nt-key

Request NT key

--diagnostics

Perform Diagnostics on the authentication - chain. Uses the password from --password - or prompts for one.

--require-membership-of={SID|Name}

Require that a user be a member of specified - group (either name or SID) for authentication to succeed.

-V

Prints the program version number. -

-s <configuration file>

-d|--debug=debuglevel

debuglevel is an integer -from 0 to 10. The default value if this parameter is -not specified is zero.

Note that specifying this parameter here will -override the parameter -in the smb.conf file.

-l|--logfile=logdirectory

Base directory name for log/debug files. The extension -".progname" will be appended (e.g. log.smbclient, -log.smbd, etc...). The log file is never removed by the client. -

-h|--help

Print a summary of command line options. -

EXAMPLE SETUP

To setup ntlm_auth for use by squid 2.5, with both basic and - NTLMSSP authentication, the following - should be placed in the squid.conf file. -

-auth_param ntlm program ntlm_auth --helper-protocol=squid-2.5-ntlmssp
-auth_param basic program ntlm_auth --helper-protocol=squid-2.5-basic
-auth_param basic children 5
-auth_param basic realm Squid proxy-caching web server
-auth_param basic credentialsttl 2 hours
-

Note

This example assumes that ntlm_auth has been installed into your - path, and that the group permissions on - winbindd_privileged are as described above.

To setup ntlm_auth for use by squid 2.5 with group limitation in addition to the above - example, the following should be added to the squid.conf file. -

-auth_param ntlm program ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of='WORKGROUP\Domain Users'
-auth_param basic program ntlm_auth --helper-protocol=squid-2.5-basic --require-membership-of='WORKGROUP\Domain Users'
-

TROUBLESHOOTING

If you're experiencing problems with authenticating Internet Explorer running - under MS Windows 9X or Millenium Edition against ntlm_auth's NTLMSSP authentication - helper (--helper-protocol=squid-2.5-ntlmssp), then please read - - the Microsoft Knowledge Base article #239869 and follow instructions described there. -

VERSION

This man page is correct for version 3.0 of the Samba - suite.

AUTHOR

The ntlm_auth manpage was written by Jelmer Vernooij and - Andrew Bartlett.

diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20rc2/docs/htmldocs/manpages/pam_winbind.8.html samba-3.0.20/docs/htmldocs/manpages/pam_winbind.8.html --- samba-3.0.20rc2/docs/htmldocs/manpages/pam_winbind.8.html 2005-08-07 11:17:16.000000000 -0500 +++ samba-3.0.20/docs/htmldocs/manpages/pam_winbind.8.html 1969-12-31 18:00:00.000000000 -0600 @@ -1,28 +0,0 @@ -pam_winbind

Name

pam_winbind — PAM module for Winbind

DESCRIPTION

This tool is part of the samba(7) suite.

pam_winbind is a PAM module that can authenticate users against the local domain - by talking to the Winbind daemon.

OPTIONS

- pam_winbind supports several options: -

debug: Gives debugging output to syslog.
require_membership_of=[SID or NAME]: - If this option is set, pam_winbind will only succeed if the - user is a member of the given SID or NAME. A SID can be either a group-SID, a - alias-SID or even a user-SID. It is also possible to give a NAME instead of the - SID. That name must have the form: MYDOMAIN\mygroup or - MYDOMAIN\myuser. pam_winbind will, in that case, lookup - the SID internally. Note that NAME may not contain any spaces. It is thus - recommended to only use SIDs. You can verify the list of SIDs a user is a member - of with wbinfo --user-sids=SID. -
try_first_pass
use_first_pass: - By default, pam_winbind tries to get the - authentication token from a previous module. If no token is available it asks the user - for the old password. With this option, pam_winbind aborts with an - error if no authentication token from a previous module is available. -
use_authtok: - Set the new password to the one provided by the previously - stacked password module. If this option is not set pam_winbind will ask the - user for the new password. -

- - -

VERSION

This man page is correct for version 3.0 of Samba.

AUTHOR

This manpage was written by Jelmer Vernooij and Guenther Deschner.

diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20rc2/docs/htmldocs/manpages/pdbedit.8.html samba-3.0.20/docs/htmldocs/manpages/pdbedit.8.html --- samba-3.0.20rc2/docs/htmldocs/manpages/pdbedit.8.html 2005-08-07 11:17:21.000000000 -0500 +++ samba-3.0.20/docs/htmldocs/manpages/pdbedit.8.html 1969-12-31 18:00:00.000000000 -0600 @@ -1,145 +0,0 @@ -pdbedit

Name

pdbedit — manage the SAM database (Database of Samba Users)

Synopsis

pdbedit [-L] [-v] [-w] [-u username] [-f fullname] [-h homedir] [-D drive] [-S script] [-p profile] [-a] [-m] [-r] [-x] [-i passdb-backend] [-e passdb-backend] [-b passdb-backend] [-g] [-d debuglevel] [-s configfile] [-P account-policy] [-C value] [-c account-control]

DESCRIPTION

This tool is part of the samba(7) suite.

The pdbedit program is used to manage the users accounts - stored in the sam database and can only be run by root.

The pdbedit tool uses the passdb modular interface and is - independent from the kind of users database used (currently there - are smbpasswd, ldap, nis+ and tdb based and more can be added - without changing the tool).

There are five main ways to use pdbedit: adding a user account, - removing a user account, modifing a user account, listing user - accounts, importing users accounts.

OPTIONS

-L

This option lists all the user accounts - present in the users database. - This option prints a list of user/uid pairs separated by - the ':' character.

Example: pdbedit -L

-sorce:500:Simo Sorce
-samba:45:Test User
-

-v

This option enables the verbose listing format. - It causes pdbedit to list the users in the database, printing - out the account fields in a descriptive format.

Example: pdbedit -L -v

----------------
-username:       sorce
-user ID/Group:  500/500
-user RID/GRID:  2000/2001
-Full Name:      Simo Sorce
-Home Directory: \\BERSERKER\sorce
-HomeDir Drive:  H:
-Logon Script:   \\BERSERKER\netlogon\sorce.bat
-Profile Path:   \\BERSERKER\profile
----------------
-username:       samba
-user ID/Group:  45/45
-user RID/GRID:  1090/1091
-Full Name:      Test User
-Home Directory: \\BERSERKER\samba
-HomeDir Drive:  
-Logon Script:   
-Profile Path:   \\BERSERKER\profile
-

-w

This option sets the "smbpasswd" listing format. - It will make pdbedit list the users in the database, printing - out the account fields in a format compatible with the - smbpasswd file format. (see the - smbpasswd(5) for details)

Example: pdbedit -L -w

-sorce:500:508818B733CE64BEAAD3B435B51404EE:
-          D2A2418EFC466A8A0F6B1DBB5C3DB80C:
-          [UX         ]:LCT-00000000:
-samba:45:0F2B255F7B67A7A9AAD3B435B51404EE:
-          BC281CE3F53B6A5146629CD4751D3490:
-          [UX         ]:LCT-3BFA1E8D:
-

-u username

This option specifies the username to be - used for the operation requested (listing, adding, removing). - It is required in add, remove and modify - operations and optional in list - operations.

-f fullname

This option can be used while adding or - modifing a user account. It will specify the user's full - name.

Example: -f "Simo Sorce"

-h homedir

This option can be used while adding or - modifing a user account. It will specify the user's home - directory network path.

Example: -h "\\\\BERSERKER\\sorce" -

-D drive

This option can be used while adding or - modifing a user account. It will specify the windows drive - letter to be used to map the home directory.

Example: -d "H:" -

-S script

This option can be used while adding or - modifing a user account. It will specify the user's logon - script path.

Example: -S "\\\\BERSERKER\\netlogon\\sorce.bat" -

-p profile

This option can be used while adding or - modifing a user account. It will specify the user's profile - directory.

Example: -p "\\\\BERSERKER\\netlogon" -

-G SID|rid

- This option can be used while adding or modifying a user account. It - will specify the users' new primary group SID (Security Identifier) or - rid.

Example: -G S-1-5-21-2447931902-1787058256-3961074038-1201

-U SID|rid

- This option can be used while adding or modifying a user account. It - will specify the users' new SID (Security Identifier) or - rid.

Example: -U S-1-5-21-2447931902-1787058256-3961074038-5004

-c account-control

This option can be used while adding or modifying a user - account. It will specify the users' account control property. Possible flags are listed below. -

N: No password required
D: Account disabled
H: Home directory required
T: Temporary duplicate of other account
U: Regular user account
M: MNS logon user account
W: Workstation Trust Account
S: Server Trust Account
L: Automatic Locking
X: Password does not expire
I: Domain Trust Account

Example: -c "[X ]"

-a

This option is used to add a user into the - database. This command needs a user name specified with - the -u switch. When adding a new user, pdbedit will also - ask for the password to be used.

Example: pdbedit -a -u sorce -

new password:
-retype new password
-

Note

pdbedit does not call the unix password syncronisation - script if unix password sync - has been set. It only updates the data in the Samba - user database. -

If you wish to add a user and synchronise the password - that immediately, use smbpasswd's -a option. -

-r

This option is used to modify an existing user - in the database. This command needs a user name specified with the -u - switch. Other options can be specified to modify the properties of - the specified user. This flag is kept for backwards compatibility, but - it is no longer necessary to specify it. -

-m

This option may only be used in conjunction - with the -a option. It will make - pdbedit to add a machine trust account instead of a user - account (-u username will provide the machine name).

Example: pdbedit -a -m -u w2k-wks -

-x

This option causes pdbedit to delete an account - from the database. It needs a username specified with the - -u switch.

Example: pdbedit -x -u bob

-i passdb-backend

Use a different passdb backend to retrieve users - than the one specified in smb.conf. Can be used to import data into - your local user database.

This option will ease migration from one passdb backend to - another.

Example: pdbedit -i smbpasswd:/etc/smbpasswd.old -

-e passdb-backend

Exports all currently available users to the - specified password database backend.

This option will ease migration from one passdb backend to - another and will ease backing up.

Example: pdbedit -e smbpasswd:/root/samba-users.backup

-g

If you specify -g, - then -i in-backend -e out-backend - applies to the group mapping instead of the user database.

This option will ease migration from one passdb backend to - another and will ease backing up.

-b passdb-backend

Use a different default passdb backend.

Example: pdbedit -b xml:/root/pdb-backup.xml -l

-P account-policy

Display an account policy

Valid policies are: minimum password age, reset count minutes, disconnect time, - user must logon to change password, password history, lockout duration, min password length, - maximum password age and bad lockout attempt.

Example: pdbedit -P "bad lockout attempt"

-account policy value for bad lockout attempt is 0
-

-C account-policy-value

Sets an account policy to a specified value. - This option may only be used in conjunction - with the -P option. -

Example: pdbedit -P "bad lockout attempt" -C 3

-account policy value for bad lockout attempt was 0
-account policy value for bad lockout attempt is now 3
-

-h|--help

Print a summary of command line options. -

-V

Prints the program version number. -

-s <configuration file>

-d|--debug=debuglevel

debuglevel is an integer -from 0 to 10. The default value if this parameter is -not specified is zero.

Note that specifying this parameter here will -override the parameter -in the smb.conf file.

-l|--logfile=logdirectory

Base directory name for log/debug files. The extension -".progname" will be appended (e.g. log.smbclient, -log.smbd, etc...). The log file is never removed by the client. -

NOTES

This command may be used only by root.

VERSION

This man page is correct for version 3.0 of - the Samba suite.

AUTHOR

The pdbedit manpage was written by Simo Sorce and Jelmer Vernooij.

diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20rc2/docs/htmldocs/manpages/profiles.1.html samba-3.0.20/docs/htmldocs/manpages/profiles.1.html --- samba-3.0.20rc2/docs/htmldocs/manpages/profiles.1.html 2005-08-07 11:17:24.000000000 -0500 +++ samba-3.0.20/docs/htmldocs/manpages/profiles.1.html 1969-12-31 18:00:00.000000000 -0600 @@ -1,12 +0,0 @@ -profiles

Name

profiles — A utility to report and change SIDs in registry files -

Synopsis

profiles [-v] [-c SID] [-n SID] {file}

DESCRIPTION

This tool is part of the samba(7) suite.

profiles is a utility that - reports and changes SIDs in windows registry files. It currently only - supports NT. -

OPTIONS

file: Registry file to view or edit.
-v,--verbose: Increases verbosity of messages. -
-c SID1 -n SID2: Change all occurences of SID1 in file by SID2. -
-h|--help: Print a summary of command line options. -

VERSION

This man page is correct for version 3.0 of the Samba - suite.

AUTHOR

The profiles man page was written by Jelmer Vernooij.

diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20rc2/docs/htmldocs/manpages/rpcclient.1.html samba-3.0.20/docs/htmldocs/manpages/rpcclient.1.html --- samba-3.0.20rc2/docs/htmldocs/manpages/rpcclient.1.html 2005-08-07 11:17:28.000000000 -0500 +++ samba-3.0.20/docs/htmldocs/manpages/rpcclient.1.html 1969-12-31 18:00:00.000000000 -0600 @@ -1,204 +0,0 @@ -rpcclient

Name

rpcclient — tool for executing client side - MS-RPC functions

Synopsis

rpcclient [-A authfile] [-c <command string>] [-d debuglevel] [-h] [-l logdir] [-N] [-s <smb config file>] [-U username[%password]] [-W workgroup] [-N] [-I destinationIP] {server}

DESCRIPTION

This tool is part of the samba(7) suite.

rpcclient is a utility initially developed - to test MS-RPC functionality in Samba itself. It has undergone - several stages of development and stability. Many system administrators - have now written scripts around it to manage Windows NT clients from - their UNIX workstation.

OPTIONS

server

NetBIOS name of Server to which to connect. - The server can be any SMB/CIFS server. The name is - resolved using the name resolve order line from smb.conf(5).

-c|--command='command string'

execute semicolon separated commands (listed - below))

-I IP-address

IP address is the address of the server to connect to. - It should be specified in standard "a.b.c.d" notation.

Normally the client would attempt to locate a named - SMB/CIFS server by looking it up via the NetBIOS name resolution - mechanism described above in the name resolve order - parameter above. Using this parameter will force the client - to assume that the server is on the machine with the specified IP - address and the NetBIOS name component of the resource being - connected to will be ignored.

There is no default for this parameter. If not supplied, - it will be determined automatically by the client as described - above.

-V

Prints the program version number. -

-s <configuration file>

-d|--debug=debuglevel

debuglevel is an integer -from 0 to 10. The default value if this parameter is -not specified is zero.

Note that specifying this parameter here will -override the parameter -in the smb.conf file.

-l|--logfile=logdirectory

Base directory name for log/debug files. The extension -".progname" will be appended (e.g. log.smbclient, -log.smbd, etc...). The log file is never removed by the client. -

-N

If specified, this parameter suppresses the normal -password prompt from the client to the user. This is useful when -accessing a service that does not require a password.

Unless a password is specified on the command line or -this parameter is specified, the client will request a -password.

-k

-Try to authenticate with kerberos. Only useful in -an Active Directory environment. -

-A|--authentication-file=filename

This option allows -you to specify a file from which to read the username and -password used in the connection. The format of the file is -

-username = <value>
-password = <value>
-domain   = <value>
-

Make certain that the permissions on the file restrict -access from unwanted users.

-U|--user=username[%password]

Sets the SMB username or username and password.

If %password is not specified, the user will be prompted. The -client will first check the USER environment variable, then the -LOGNAME variable and if either exists, the -string is uppercased. If these environmental variables are not -found, the username GUEST is used.

A third option is to use a credentials file which -contains the plaintext of the username and password. This -option is mainly provided for scripts where the admin does not -wish to pass the credentials on the command line or via environment -variables. If this method is used, make certain that the permissions -on the file restrict access from unwanted users. See the --A for more details.

Be cautious about including passwords in scripts. Also, on -many systems the command line of a running process may be seen -via the ps command. To be safe always allow -rpcclient to prompt for a password and type -it in directly.

-n <primary NetBIOS name>

-i <scope>

-W|--workgroup=domain

-O socket options

TCP socket options to set on the client -socket. See the socket options parameter in -the smb.conf manual page for the list of valid -options.

-h|--help

Print a summary of command line options. -

COMMANDS

LSARPC

lsaquery: Query info policy
lookupsids: Resolve a list - of SIDs to usernames. -
lookupnames: Resolve a list - of usernames to SIDs. -
enumtrusts: Enumerate trusted domains
enumprivs: Enumerate privileges
getdispname: Get the privilege name
lsaenumsid: Enumerate the LSA SIDS
lsaenumprivsaccount: Enumerate the privileges of an SID
lsaenumacctrights: Enumerate the rights of an SID
lsaenumacctwithright: Enumerate accounts with a right
lsaaddacctrights: Add rights to an account
lsaremoveacctrights: Remove rights from an account
lsalookupprivvalue: Get a privilege value given its name
lsaquerysecobj: Query LSA security object

LSARPC-DS

dsroledominfo: Get Primary Domain Information

DFS

dfsexist: Query DFS support
dfsadd: Add a DFS share
dfsremove: Remove a DFS share
dfsgetinfo: Query DFS share info
dfsenum: Enumerate dfs shares

REG

shutdown: Remote Shutdown
abortshutdown: Abort Shutdown

SRVSVC

srvinfo: Server query info
netshareenum: Enumerate shares
netfileenum: Enumerate open files
netremotetod: Fetch remote time of day

SAMR

queryuser: Query user info
querygroup: Query group info
queryusergroups: Query user groups
querygroupmem: Query group membership
queryaliasmem: Query alias membership
querydispinfo: Query display info
querydominfo: Query domain info
enumdomusers: Enumerate domain users
enumdomgroups: Enumerate domain groups
enumalsgroups: Enumerate alias groups
createdomuser: Create domain user
samlookupnames: Look up names
samlookuprids: Look up names
deletedomuser: Delete domain user
samquerysecobj: Query SAMR security object
getdompwinfo: Retrieve domain password info
lookupdomain: Look up domain

SPOOLSS

adddriver <arch> <config> [<version>]

- Execute an AddPrinterDriver() RPC to install the printer driver - information on the server. Note that the driver files should - already exist in the directory returned by - getdriverdir. Possible values for - arch are the same as those for - the getdriverdir command. - The config parameter is defined as - follows:

-Long Printer Name:\
-Driver File Name:\
-Data File Name:\
-Config File Name:\
-Help File Name:\
-Language Monitor Name:\
-Default Data Type:\
-Comma Separated list of Files
-

Any empty fields should be enter as the string "NULL".

Samba does not need to support the concept of Print Monitors - since these only apply to local printers whose driver can make - use of a bi-directional link for communication. This field should - be "NULL". On a remote NT print server, the Print Monitor for a - driver must already be installed prior to adding the driver or - else the RPC will fail.

The version parameter lets you - specify the printer driver version number. If omitted, the - default driver version for the specified architecture will - be used. This option can be used to upload Windows 2000 - (version 3) printer drivers.

addprinter <printername> - <sharename> <drivername> <port>

- Add a printer on the remote server. This printer - will be automatically shared. Be aware that the printer driver - must already be installed on the server (see adddriver) - and the portmust be a valid port name (see - enumports.

deldriver

Delete the - specified printer driver for all architectures. This - does not delete the actual driver files from the server, - only the entry from the server's list of drivers. -

deldriverex <driver> [architecture] [version] -

Delete the specified printer driver including driver files. - You can limit this action to a specific architecture and a specific version. - If no architecure is given, all driver files of that driver will be deleted. -

enumdata

Enumerate all - printer setting data stored on the server. On Windows NT clients, - these values are stored in the registry, while Samba servers - store them in the printers TDB. This command corresponds - to the MS Platform SDK GetPrinterData() function (* This - command is currently unimplemented).

enumdataex

Enumerate printer data for a key

enumjobs <printer>

List the jobs and status of a given printer. - This command corresponds to the MS Platform SDK EnumJobs() - function

enumkey

Enumerate - printer keys

enumports [level]

- Executes an EnumPorts() call using the specified - info level. Currently only info levels 1 and 2 are supported. -

enumdrivers [level]

- Execute an EnumPrinterDrivers() call. This lists the various installed - printer drivers for all architectures. Refer to the MS Platform SDK - documentation for more details of the various flags and calling - options. Currently supported info levels are 1, 2, and 3.

enumprinters [level]

Execute an EnumPrinters() call. This lists the various installed - and share printers. Refer to the MS Platform SDK documentation for - more details of the various flags and calling options. Currently - supported info levels are 1, 2 and 5.

getdata <printername> <valuename;>

Retrieve the data for a given printer setting. See - the enumdata command for more information. - This command corresponds to the GetPrinterData() MS Platform - SDK function.

getdataex

Get - printer driver data with - keyname

getdriver <printername>

- Retrieve the printer driver information (such as driver file, - config file, dependent files, etc...) for - the given printer. This command corresponds to the GetPrinterDriver() - MS Platform SDK function. Currently info level 1, 2, and 3 are supported. -

getdriverdir <arch>

- Execute a GetPrinterDriverDirectory() - RPC to retrieve the SMB share name and subdirectory for - storing printer driver files for a given architecture. Possible - values for arch are "Windows 4.0" - (for Windows 95/98), "Windows NT x86", "Windows NT PowerPC", "Windows - Alpha_AXP", and "Windows NT R4000".

getprinter <printername>

Retrieve the current printer information. This command - corresponds to the GetPrinter() MS Platform SDK function. -

getprintprocdir

Get - print processor - directory

openprinter <printername>

Execute an OpenPrinterEx() and ClosePrinter() RPC - against a given printer.

setdriver <printername> - <drivername>

Execute a SetPrinter() command to update the printer driver - associated with an installed printer. The printer driver must - already be correctly installed on the print server.

See also the enumprinters and - enumdrivers commands for obtaining a list of - of installed printers and drivers.

addform

Add form

setform

Set form

getform

Get form

deleteform

Delete form

enumforms

Enumerate form

setprinter

Set printer comment

setprinterdata

Set REG_SZ printer data

setprintername <printername> - <newprintername>

Set printer name

rffpcnex

Rffpcnex test

NETLOGON

logonctrl2: Logon Control 2
logonctrl: Logon Control
samsync: Sam Synchronisation
samdeltas: Query Sam Deltas
samlogon: Sam Logon

GENERAL COMMANDS

debuglevel: Set the current - debug level used to log information.
help (?): Print a listing of all - known commands or extended help on a particular command. -
quit (exit): Exit rpcclient - .

BUGS

rpcclient is designed as a developer testing tool - and may not be robust in certain areas (such as command line parsing). - It has been known to generate a core dump upon failures when invalid - parameters where passed to the interpreter.

From Luke Leighton's original rpcclient man page:

WARNING! The MSRPC over SMB code has - been developed from examining Network traces. No documentation is - available from the original creators (Microsoft) on how MSRPC over - SMB works, or how the individual MSRPC services work. Microsoft's - implementation of these services has been demonstrated (and reported) - to be... a bit flaky in places.

The development of Samba's implementation is also a bit rough, - and as more of the services are understood, it can even result in - versions of smbd(8) and rpcclient(1) that are incompatible for some commands or services. Additionally, - the developers are sending reports to Microsoft, and problems found - or reported to Microsoft are fixed in Service Packs, which may - result in incompatibilities.

VERSION

This man page is correct for version 3.0 of the Samba - suite.

AUTHOR

The original rpcclient man page was written by Matthew - Geddes, Luke Kenneth Casson Leighton, and rewritten by Gerald Carter. - The conversion to DocBook for Samba 2.2 was done by Gerald - Carter. The conversion to DocBook XML 4.2 for Samba 3.0 was - done by Alexander Bokovoy.

diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20rc2/docs/htmldocs/manpages/samba.7.html samba-3.0.20/docs/htmldocs/manpages/samba.7.html --- samba-3.0.20rc2/docs/htmldocs/manpages/samba.7.html 2005-08-07 11:17:31.000000000 -0500 +++ samba-3.0.20/docs/htmldocs/manpages/samba.7.html 1969-12-31 18:00:00.000000000 -0600 @@ -1,115 +0,0 @@ -samba

Name

samba — A Windows SMB/CIFS fileserver for UNIX

Synopsis

samba

DESCRIPTION

The Samba software suite is a collection of programs - that implements the Server Message Block (commonly abbreviated - as SMB) protocol for UNIX systems. This protocol is sometimes - also referred to as the Common Internet File System (CIFS). For a - more thorough description, see - http://www.ubiqx.org/cifs/. Samba also implements the NetBIOS - protocol in nmbd.

smbd(8): The smbd daemon provides the file and print services to - SMB clients, such as Windows 95/98, Windows NT, Windows - for Workgroups or LanManager. The configuration file - for this daemon is described in smb.conf(5) -
nmbd(8): The nmbd - daemon provides NetBIOS nameservice and browsing - support. The configuration file for this daemon - is described in smb.conf(5)
smbclient(1): The smbclient - program implements a simple ftp-like client. This - is useful for accessing SMB shares on other compatible - servers (such as Windows NT), and can also be used - to allow a UNIX box to print to a printer attached to - any SMB server (such as a PC running Windows NT).
testparm(1): The testparm - utility is a simple syntax checker for Samba's smb.conf(5) configuration file.
testprns(1): The testprns - utility supports testing printer names defined - in your printcap file used - by Samba.
smbstatus(1): The smbstatus - tool provides access to information about the - current connections to smbd.
nmblookup(1): The nmblookup - tools allows NetBIOS name queries to be made - from a UNIX host.
smbpasswd(8): The smbpasswd - command is a tool for changing LanMan and Windows NT - password hashes on Samba and Windows NT servers.
smbcacls(1): The smbcacls command is - a tool to set ACL's on remote CIFS servers.
smbsh(1): The smbsh command is - a program that allows you to run a unix shell with - with an overloaded VFS.
smbtree(1): The smbtree command - is a text-based network neighborhood tool.
smbtar(1): The smbtar can make - backups of data on CIFS/SMB servers.
smbspool(8): smbspool is a - helper utility for printing on printers connected - to CIFS servers.
smbcontrol(1): smbcontrol is a utility - that can change the behaviour of running samba daemons. -
rpcclient(1): rpcclient is a utility - that can be used to execute RPC commands on remote - CIFS servers.
pdbedit(8): The pdbedit command - can be used to maintain the local user database on - a samba server.
findsmb(1): The findsmb command - can be used to find SMB servers on the local network. -
net(8): The net command - is supposed to work similar to the DOS/Windows - NET.EXE command.
swat(8): swat is a web-based - interface to configuring smb.conf. -
winbindd(8): winbindd is a daemon - that is used for integrating authentication and - the user database into unix.
wbinfo(1): wbinfo is a utility - that retrieves and stores information related to winbind. -
editreg(1): editreg is a command-line - utility that can edit windows registry files. -
profiles(1): profiles is a command-line - utility that can be used to replace all occurences of - a certain SID with another SID. -
log2pcap(1): log2pcap is a utility - for generating pcap trace files from Samba log - files.
vfstest(1): vfstest is a utility - that can be used to test vfs modules.
ntlm_auth(1): ntlm_auth is a helper-utility - for external programs wanting to do NTLM-authentication. -
-smbmount(8), -smbumount(8), -smbmnt(8): smbmount,smbumount and smbmnt are commands that can be used to - mount CIFS/SMB shares on Linux. -
smbcquotas(1): smbcquotas is a tool that - can set remote QUOTA's on server with NTFS 5.

COMPONENTS

The Samba suite is made up of several components. Each - component is described in a separate manual page. It is strongly - recommended that you read the documentation that comes with Samba - and the manual pages of those components that you use. If the - manual pages and documents aren't clear enough then please visit - http://devel.samba.org - for information on how to file a bug report or submit a patch.

If you require help, visit the Samba webpage at - http://www.samba.org/ and - explore the many option available to you. -

AVAILABILITY

The Samba software suite is licensed under the - GNU Public License(GPL). A copy of that license should - have come with the package in the file COPYING. You are - encouraged to distribute copies of the Samba suite, but - please obey the terms of this license.

The latest version of the Samba suite can be - obtained via anonymous ftp from samba.org in the - directory pub/samba/. It is also available on several - mirror sites worldwide.

You may also find useful information about Samba - on the newsgroup - comp.protocol.smb and the Samba mailing - list. Details on how to join the mailing list are given in - the README file that comes with Samba.

If you have access to a WWW viewer (such as Mozilla - or Konqueror) then you will also find lots of useful information, - including back issues of the Samba mailing list, at - http://lists.samba.org.

VERSION

This man page is correct for version 3.0 of the - Samba suite.

CONTRIBUTIONS

If you wish to contribute to the Samba project, - then I suggest you join the Samba mailing list at - http://lists.samba.org. -

If you have patches to submit, visit - http://devel.samba.org/ - for information on how to do it properly. We prefer patches - in diff -u format.

CONTRIBUTORS

Contributors to the project are now too numerous - to mention here but all deserve the thanks of all Samba - users. To see a full list, look at the - change-log in the source package - for the pre-CVS changes and at - http://cvs.samba.org/ - for the contributors to Samba post-CVS. CVS is the Open Source - source code control system used by the Samba Team to develop - Samba. The project would have been unmanageable without it.

AUTHOR

The original Samba man pages were written by Karl Auer. - The man page sources were converted to YODL format (another - excellent piece of Open Source software, available at - ftp://ftp.icce.rug.nl/pub/unix/) and updated for the Samba 2.0 - release by Jeremy Allison. The conversion to DocBook for - Samba 2.2 was done by Gerald Carter. The conversion to DocBook XML - 4.2 for Samba 3.0 was done by Alexander Bokovoy.

diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20rc2/docs/htmldocs/manpages/smbcacls.1.html samba-3.0.20/docs/htmldocs/manpages/smbcacls.1.html --- samba-3.0.20rc2/docs/htmldocs/manpages/smbcacls.1.html 2005-08-07 11:17:40.000000000 -0500 +++ samba-3.0.20/docs/htmldocs/manpages/smbcacls.1.html 1969-12-31 18:00:00.000000000 -0600 @@ -1,93 +0,0 @@ -smbcacls

Name

smbcacls — Set or get ACLs on an NT file or directory names

Synopsis

smbcacls {//server/share} {filename} [-D acls] [-M acls] [-a acls] [-S acls] [-C name] [-G name] [--numeric] [-t] [-U username] [-h] [-d]

DESCRIPTION

This tool is part of the samba(7) suite.

The smbcacls program manipulates NT Access Control - Lists (ACLs) on SMB file shares.

OPTIONS

The following options are available to the smbcacls program. - The format of ACLs is described in the section ACL FORMAT

-a acls

Add the ACLs specified to the ACL list. Existing - access control entries are unchanged.

-M acls

Modify the mask value (permissions) for the ACLs - specified on the command line. An error will be printed for each - ACL specified that was not already present in the ACL list -

-D acls

Delete any ACLs specified on the command line. - An error will be printed for each ACL specified that was not - already present in the ACL list.

-S acls

This command sets the ACLs on the file with - only the ones specified on the command line. All other ACLs are - erased. Note that the ACL specified must contain at least a revision, - type, owner and group for the call to succeed.

-U username

Specifies a username used to connect to the - specified service. The username may be of the form "username" in - which case the user is prompted to enter in a password and the - workgroup specified in the smb.conf(5) file is - used, or "username%password" or "DOMAIN\username%password" and the - password and workgroup names are used as provided.

-C name

The owner of a file or directory can be changed - to the name given using the -C option. - The name can be a sid in the form S-1-x-y-z or a name resolved - against the server specified in the first argument.

This command is a shortcut for -M OWNER:name. -

-G name

The group owner of a file or directory can - be changed to the name given using the -G - option. The name can be a sid in the form S-1-x-y-z or a name - resolved against the server specified n the first argument. -

This command is a shortcut for -M GROUP:name.

--numeric

This option displays all ACL information in numeric - format. The default is to convert SIDs to names and ACE types - and masks to a readable string format.

-t

- Don't actually do anything, only validate the correctness of - the arguments. -

-h|--help

Print a summary of command line options. -

-V

Prints the program version number. -

-s <configuration file>

-d|--debug=debuglevel

debuglevel is an integer -from 0 to 10. The default value if this parameter is -not specified is zero.

Note that specifying this parameter here will -override the parameter -in the smb.conf file.

-l|--logfile=logdirectory

Base directory name for log/debug files. The extension -".progname" will be appended (e.g. log.smbclient, -log.smbd, etc...). The log file is never removed by the client. -

ACL FORMAT

The format of an ACL is one or more ACL entries separated by - either commas or newlines. An ACL entry is one of the following:

 
-REVISION:<revision number>
-OWNER:<sid or name>
-GROUP:<sid or name>
-ACL:<sid or name>:<type>/<flags>/<mask>
-

The revision of the ACL specifies the internal Windows - NT ACL revision for the security descriptor. - If not specified it defaults to 1. Using values other than 1 may - cause strange behaviour.

The owner and group specify the owner and group sids for the - object. If a SID in the format S-1-x-y-z is specified this is used, - otherwise the name specified is resolved using the server on which - the file or directory resides.

ACLs specify permissions granted to the SID. This SID again - can be specified in S-1-x-y-z format or as a name in which case - it is resolved against the server on which the file or directory - resides. The type, flags and mask values determine the type of - access granted to the SID.

The type can be either 0 or 1 corresponding to ALLOWED or - DENIED access to the SID. The flags values are generally - zero for file ACLs and either 9 or 2 for directory ACLs. Some - common flags are:

#define SEC_ACE_FLAG_OBJECT_INHERIT 0x1
#define SEC_ACE_FLAG_CONTAINER_INHERIT 0x2
#define SEC_ACE_FLAG_NO_PROPAGATE_INHERIT 0x4
#define SEC_ACE_FLAG_INHERIT_ONLY 0x8

At present flags can only be specified as decimal or - hexadecimal values.

The mask is a value which expresses the access right - granted to the SID. It can be given as a decimal or hexadecimal value, - or by using one of the following text strings which map to the NT - file permissions of the same name.

R - Allow read access
W - Allow write access
X - Execute permission on the object
D - Delete the object
P - Change permissions
O - Take ownership

The following combined permissions can be specified:

READ - Equivalent to 'RX' - permissions
CHANGE - Equivalent to 'RXWD' permissions -
FULL - Equivalent to 'RWXDPO' - permissions

EXIT STATUS

The smbcacls program sets the exit status - depending on the success or otherwise of the operations performed. - The exit status may be one of the following values.

If the operation succeeded, smbcacls returns and exit - status of 0. If smbcacls couldn't connect to the specified server, - or there was an error getting or setting the ACLs, an exit status - of 1 is returned. If there was an error parsing any command line - arguments, an exit status of 2 is returned.

VERSION

This man page is correct for version 3.0 of the Samba suite.

AUTHOR

smbcacls was written by Andrew Tridgell - and Tim Potter.

The conversion to DocBook for Samba 2.2 was done - by Gerald Carter. The conversion to DocBook XML 4.2 for Samba 3.0 was done - by Alexander Bokovoy.

diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20rc2/docs/htmldocs/manpages/smbclient.1.html samba-3.0.20/docs/htmldocs/manpages/smbclient.1.html --- samba-3.0.20rc2/docs/htmldocs/manpages/smbclient.1.html 2005-08-07 11:17:44.000000000 -0500 +++ samba-3.0.20/docs/htmldocs/manpages/smbclient.1.html 1969-12-31 18:00:00.000000000 -0600 @@ -1,429 +0,0 @@ -smbclient

Name

smbclient — ftp-like client to access SMB/CIFS resources - on servers

Synopsis

smbclient [-b <buffer size>] [-d debuglevel] [-L <netbios name>] [-U username] [-I destinationIP] [-M <netbios name>] [-m maxprotocol] [-A authfile] [-N] [-i scope] [-O <socket options>] [-p port] [-R <name resolve order>] [-s <smb config file>] [-k]

smbclient {servicename} [password] [-b <buffer size>] [-d debuglevel] [-D Directory] [-U username] [-W workgroup] [-M <netbios name>] [-m maxprotocol] [-A authfile] [-N] [-l logdir] [-I destinationIP] [-E] [-c <command string>] [-i scope] [-O <socket options>] [-p port] [-R <name resolve order>] [-s <smb config file>] [-T<c|x>IXFqgbNan] [-k]

DESCRIPTION

This tool is part of the samba(7) suite.

smbclient is a client that can - 'talk' to an SMB/CIFS server. It offers an interface - similar to that of the ftp program (see ftp(1)). - Operations include things like getting files from the server - to the local machine, putting files from the local machine to - the server, retrieving directory information from the server - and so on.

OPTIONS

servicename

servicename is the name of the service - you want to use on the server. A service name takes the form - //server/service where server - is the NetBIOS name of the SMB/CIFS server - offering the desired service and service - is the name of the service offered. Thus to connect to - the service "printer" on the SMB/CIFS server "smbserver", - you would use the servicename //smbserver/printer -

Note that the server name required is NOT necessarily - the IP (DNS) host name of the server ! The name required is - a NetBIOS server name, which may or may not be the - same as the IP hostname of the machine running the server. -

The server name is looked up according to either - the -R parameter to smbclient or - using the name resolve order parameter in - the smb.conf(5) file, - allowing an administrator to change the order and methods - by which server names are looked up.

password

The password required to access the specified - service on the specified server. If this parameter is - supplied, the -N option (suppress - password prompt) is assumed.

There is no default password. If no password is supplied - on the command line (either by using this parameter or adding - a password to the -U option (see - below)) and the -N option is not - specified, the client will prompt for a password, even if - the desired service does not require one. (If no password is - required, simply press ENTER to provide a null password.) -

Note: Some servers (including OS/2 and Windows for - Workgroups) insist on an uppercase password. Lowercase - or mixed case passwords may be rejected by these servers. -

Be cautious about including passwords in scripts. -

-R <name resolve order>

This option is used by the programs in the Samba - suite to determine what naming services and in what order to resolve - host names to IP addresses. The option takes a space-separated - string of different name resolution options.

The options are :"lmhosts", "host", "wins" and "bcast". They - cause names to be resolved as follows:

lmhosts: Lookup an IP - address in the Samba lmhosts file. If the line in lmhosts has - no name type attached to the NetBIOS name (see - the lmhosts(5) for details) then - any name type matches for lookup.
host: Do a standard host - name to IP address resolution, using the system /etc/hosts -, NIS, or DNS lookups. This method of name resolution - is operating system dependent, for instance on IRIX or Solaris this - may be controlled by the /etc/nsswitch.conf - file). Note that this method is only used if the NetBIOS name - type being queried is the 0x20 (server) name type, otherwise - it is ignored.
wins: Query a name with - the IP address listed in the wins server - parameter. If no WINS server has - been specified this method will be ignored.
bcast: Do a broadcast on - each of the known local interfaces listed in the - interfaces - parameter. This is the least reliable of the name resolution - methods as it depends on the target host being on a locally - connected subnet.

If this parameter is not set then the name resolve order - defined in the smb.conf(5) file parameter - (name resolve order) will be used.

The default order is lmhosts, host, wins, bcast and without - this parameter or any entry in the name resolve order - parameter of the smb.conf(5) file the name resolution - methods will be attempted in this order.

-M NetBIOS name

This options allows you to send messages, using - the "WinPopup" protocol, to another computer. Once a connection is - established you then type your message, pressing ^D (control-D) to - end.

If the receiving computer is running WinPopup the user will - receive the message and probably a beep. If they are not running - WinPopup the message will be lost, and no error message will - occur.

The message is also automatically truncated if the message - is over 1600 bytes, as this is the limit of the protocol. -

One useful trick is to cat the message through - smbclient. For example: - cat mymessage.txt | smbclient -M FRED will - send the message in the file mymessage.txt - to the machine FRED.

You may also find the -U and - -I options useful, as they allow you to - control the FROM and TO parts of the message.

See the message command parameter in the smb.conf(5) for a description of how to handle incoming - WinPopup messages in Samba.

Note: Copy WinPopup into the startup group - on your WfWg PCs if you want them to always be able to receive - messages.

-p port

This number is the TCP port number that will be used - when making connections to the server. The standard (well-known) - TCP port number for an SMB/CIFS server is 139, which is the - default.

-h|--help

Print a summary of command line options. -

-I IP-address

IP address is the address of the server to connect to. - It should be specified in standard "a.b.c.d" notation.

There is no default for this parameter. If not supplied, - it will be determined automatically by the client as described - above.

-E

This parameter causes the client to write messages - to the standard error stream (stderr) rather than to the standard - output stream.

By default, the client writes messages to standard output - - typically the user's tty.

-L

This option allows you to look at what services - are available on a server. You use it as smbclient -L - host and a list should appear. The -I - option may be useful if your NetBIOS names don't - match your TCP/IP DNS host names or if you are trying to reach a - host on another network.

-t terminal code

This option tells smbclient how to interpret - filenames coming from the remote server. Usually Asian language - multibyte UNIX implementations use different character sets than - SMB/CIFS servers (EUC instead of - SJIS for example). Setting this parameter will let - smbclient convert between the UNIX filenames and - the SMB filenames correctly. This option has not been seriously tested - and may have some problems.

The terminal codes include CWsjis, CWeuc, CWjis7, CWjis8, - CWjunet, CWhex, CWcap. This is not a complete list, check the Samba - source code for the complete list.

-b buffersize

This option changes the transmit/send buffer - size when getting or putting a file from/to the server. The default - is 65520 bytes. Setting this value smaller (to 1200 bytes) has been - observed to speed up file transfers to and from a Win9x server. -

-V

Prints the program version number. -

-s <configuration file>

-d|--debug=debuglevel

debuglevel is an integer -from 0 to 10. The default value if this parameter is -not specified is zero.

Note that specifying this parameter here will -override the parameter -in the smb.conf file.

-l|--logfile=logdirectory

Base directory name for log/debug files. The extension -".progname" will be appended (e.g. log.smbclient, -log.smbd, etc...). The log file is never removed by the client. -

-N

If specified, this parameter suppresses the normal -password prompt from the client to the user. This is useful when -accessing a service that does not require a password.

Unless a password is specified on the command line or -this parameter is specified, the client will request a -password.

-k

-Try to authenticate with kerberos. Only useful in -an Active Directory environment. -

-A|--authentication-file=filename

This option allows -you to specify a file from which to read the username and -password used in the connection. The format of the file is -

-username = <value>
-password = <value>
-domain   = <value>
-

Make certain that the permissions on the file restrict -access from unwanted users.

-U|--user=username[%password]

Sets the SMB username or username and password.

-n <primary NetBIOS name>

-i <scope>

-W|--workgroup=domain

-O socket options

TCP socket options to set on the client -socket. See the socket options parameter in -the smb.conf manual page for the list of valid -options.

-T tar options

smbclient may be used to create tar(1) - compatible backups of all the files on an SMB/CIFS - share. The secondary tar flags that can be given to this option - are :

c - Create a tar file on UNIX. - Must be followed by the name of a tar file, tape device - or "-" for standard output. If using standard output you must - turn the log level to its lowest value -d0 to avoid corrupting - your tar file. This flag is mutually exclusive with the - x flag.
x - Extract (restore) a local - tar file back to a share. Unless the -D option is given, the tar - files will be restored from the top level of the share. Must be - followed by the name of the tar file, device or "-" for standard - input. Mutually exclusive with the c flag. - Restored files have their creation times (mtime) set to the - date saved in the tar file. Directories currently do not get - their creation dates restored properly.
I - Include files and directories. - Is the default behavior when filenames are specified above. Causes - tar files to be included in an extract or create (and therefore - everything else to be excluded). See example below. Filename globbing - works in one of two ways. See r below.
X - Exclude files and directories. - Causes tar files to be excluded from an extract or create. See - example below. Filename globbing works in one of two ways now. - See r below.
b - Blocksize. Must be followed - by a valid (greater than zero) blocksize. Causes tar file to be - written out in blocksize*TBLOCK (usually 512 byte) blocks. -
g - Incremental. Only back up - files that have the archive bit set. Useful only with the - c flag.
q - Quiet. Keeps tar from printing - diagnostics as it works. This is the same as tarmode quiet. -
r - Regular expression include - or exclude. Uses regular expression matching for - excluding or excluding files if compiled with HAVE_REGEX_H. - However this mode can be very slow. If not compiled with - HAVE_REGEX_H, does a limited wildcard match on '*' and '?'. -
N - Newer than. Must be followed - by the name of a file whose date is compared against files found - on the share during a create. Only files newer than the file - specified are backed up to the tar file. Useful only with the - c flag.
a - Set archive bit. Causes the - archive bit to be reset when a file is backed up. Useful with the - g and c flags. -

Tar Long File Names

smbclient's tar option now supports long - file names both on backup and restore. However, the full path - name of the file must be less than 1024 bytes. Also, when - a tar archive is created, smbclient's tar option places all - files in the archive with relative names, not absolute names. -

Tar Filenames

All file names can be given as DOS path names (with '\\' - as the component separator) or as UNIX path names (with '/' as - the component separator).

Examples

Restore from tar file backup.tar into myshare on mypc - (no password on share).

smbclient //mypc/yshare "" -N -Tx backup.tar -

Restore everything except users/docs -

smbclient //mypc/myshare "" -N -TXx backup.tar - users/docs

Create a tar file of the files beneath - users/docs.

smbclient //mypc/myshare "" -N -Tc - backup.tar users/docs

Create the same tar file as above, but now use - a DOS path name.

smbclient //mypc/myshare "" -N -tc backup.tar - users\edocs

Create a tar file of all the files and directories in - the share.

smbclient //mypc/myshare "" -N -Tc backup.tar * -

-D initial directory

Change to initial directory before starting. Probably - only of any use with the tar -T option.

-c command string

command string is a semicolon-separated list of - commands to be executed instead of prompting from stdin. - -N is implied by -c.

This is particularly useful in scripts and for printing stdin - to the server, e.g. -c 'print -'.

OPERATIONS

Once the client is running, the user is presented with - a prompt :

smb:\>

The backslash ("\\") indicates the current working directory - on the server, and will change if the current working directory - is changed.

The prompt indicates that the client is ready and waiting to - carry out a user command. Each command is a single word, optionally - followed by parameters specific to that command. Command and parameters - are space-delimited unless these notes specifically - state otherwise. All commands are case-insensitive. Parameters to - commands may or may not be case sensitive, depending on the command. -

You can specify file names which have spaces in them by quoting - the name with double quotes, for example "a long file name".

Parameters shown in square brackets (e.g., "[parameter]") are - optional. If not given, the command will use suitable defaults. Parameters - shown in angle brackets (e.g., "<parameter>") are required. -

Note that all commands operating on the server are actually - performed by issuing a request to the server. Thus the behavior may - vary from server to server, depending on how the server was implemented. -

The commands available are given here in alphabetical order.

? [command]

If command is specified, the ? command will display - a brief informative message about the specified command. If no - command is specified, a list of available commands will - be displayed.

! [shell command]

If shell command is specified, the ! - command will execute a shell locally and run the specified shell - command. If no command is specified, a local shell will be run. -

altname file

The client will request that the server return - the "alternate" name (the 8.3 name) for a file or directory. -

case_sensitive

Toggles the setting of the flag in SMB packets that - tells the server to treat filenames as case sensitive. Set to OFF by - default (tells file server to treat filenames as case insensitive). Only - currently affects Samba 3.0.5 and above file servers with the case sensitive - parameter set to auto in the smb.conf. -

cancel jobid0 [jobid1] ... [jobidN]

The client will request that the server cancel - the printjobs identified by the given numeric print job ids. -

chmod file mode in octal

This command depends on the server supporting the CIFS - UNIX extensions and will fail if the server does not. The client requests that the server - change the UNIX permissions to the given octal mode, in standard UNIX format. -

chown file uid gid

This command depends on the server supporting the CIFS - UNIX extensions and will fail if the server does not. The client requests that the server - change the UNIX user and group ownership to the given decimal values. Note there is - currently no way to remotely look up the UNIX uid and gid values for a given name. - This may be addressed in future versions of the CIFS UNIX extensions. -

cd [directory name]

If "directory name" is specified, the current - working directory on the server will be changed to the directory - specified. This operation will fail if for any reason the specified - directory is inaccessible.

If no directory name is specified, the current working - directory on the server will be reported.

del <mask>

The client will request that the server attempt - to delete all files matching mask from the current working - directory on the server.

dir <mask>

A list of the files matching mask in the current - working directory on the server will be retrieved from the server - and displayed.

exit

Terminate the connection with the server and exit - from the program.

get <remote file name> [local file name]

Copy the file called remote file name from - the server to the machine running the client. If specified, name - the local copy local file name. Note that all transfers in - smbclient are binary. See also the - lowercase command.

help [command]

See the ? command above.

lcd [directory name]

If directory name is specified, the current - working directory on the local machine will be changed to - the directory specified. This operation will fail if for any - reason the specified directory is inaccessible.

If no directory name is specified, the name of the - current working directory on the local machine will be reported. -

link target linkname

This command depends on the server supporting the CIFS - UNIX extensions and will fail if the server does not. The client requests that the server - create a hard link between the linkname and target files. The linkname file - must not exist. -

lowercase

Toggle lowercasing of filenames for the get and - mget commands.

When lowercasing is toggled ON, local filenames are converted - to lowercase when using the get and mget commands. This is - often useful when copying (say) MSDOS files from a server, because - lowercase filenames are the norm on UNIX systems.

ls <mask>

See the dir command above.

mask <mask>

This command allows the user to set up a mask - which will be used during recursive operation of the mget and - mput commands.

The masks specified to the mget and mput commands act as - filters for directories rather than files when recursion is - toggled ON.

The mask specified with the mask command is necessary - to filter files within those directories. For example, if the - mask specified in an mget command is "source*" and the mask - specified with the mask command is "*.c" and recursion is - toggled ON, the mget command will retrieve all files matching - "*.c" in all directories below and including all directories - matching "source*" in the current working directory.

Note that the value for mask defaults to blank (equivalent - to "*") and remains so until the mask command is used to change it. - It retains the most recently specified value indefinitely. To - avoid unexpected results it would be wise to change the value of - mask back to "*" after using the mget or mput commands.

md <directory name>

See the mkdir command.

mget <mask>

Copy all files matching mask from the server to - the machine running the client.

Note that mask is interpreted differently during recursive - operation and non-recursive operation - refer to the recurse and - mask commands for more information. Note that all transfers in - smbclient are binary. See also the lowercase command.

mkdir <directory name>

Create a new directory on the server (user access - privileges permitting) with the specified name.

mput <mask>

Copy all files matching mask in the current working - directory on the local machine to the current working directory on - the server.

Note that mask is interpreted differently during recursive - operation and non-recursive operation - refer to the recurse and mask - commands for more information. Note that all transfers in smbclient - are binary.

print <file name>

Print the specified file from the local machine - through a printable service on the server.

NOTES

Some servers are fussy about the case of supplied usernames, - passwords, share names (AKA service names) and machine names. - If you fail to connect try giving all parameters in uppercase. -

It is often necessary to use the -n option when connecting - to some types of servers. For example OS/2 LanManager insists - on a valid NetBIOS name being used, so you need to supply a valid - name that would be known to the server.

smbclient supports long file names where the server - supports the LANMAN2 protocol or above.

ENVIRONMENT VARIABLES

The variable USER may contain the - username of the person using the client. This information is - used only if the protocol level is high enough to support - session-level passwords.

The variable PASSWD may contain - the password of the person using the client. This information is - used only if the protocol level is high enough to support - session-level passwords.

The variable LIBSMB_PROG may contain - the path, executed with system(), which the client should connect - to instead of connecting to a server. This functionality is primarily - intended as a development aid, and works best when using a LMHOSTS - file

INSTALLATION

The location of the client program is a matter for - individual system administrators. The following are thus - suggestions only.

It is recommended that the smbclient software be installed - in the /usr/local/samba/bin/ or - /usr/samba/bin/ directory, this directory readable - by all, writeable only by root. The client program itself should - be executable by all. The client should NOT be - setuid or setgid!

The client log files should be put in a directory readable - and writeable only by the user.

To test the client, you will need to know the name of a - running SMB/CIFS server. It is possible to run smbd(8) as an ordinary user - running that server as a daemon - on a user-accessible port (typically any port number over 1024) - would provide a suitable test server.

DIAGNOSTICS

Most diagnostics issued by the client are logged in a - specified log file. The log file name is specified at compile time, - but may be overridden on the command line.

The number and nature of diagnostics available depends - on the debug level used by the client. If you have problems, - set the debug level to 3 and peruse the log files.

VERSION

This man page is correct for version 2.2 of the Samba suite.

AUTHOR

The original Samba man pages were written by Karl Auer. - The man page sources were converted to YODL format (another - excellent piece of Open Source software, available at - ftp://ftp.icce.rug.nl/pub/unix/) and updated for the Samba 2.0 - release by Jeremy Allison. The conversion to DocBook for - Samba 2.2 was done by Gerald Carter. The conversion to DocBook XML 4.2 for Samba 3.0 - was done by Alexander Bokovoy.

diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20rc2/docs/htmldocs/manpages/smb.conf.5.html samba-3.0.20/docs/htmldocs/manpages/smb.conf.5.html --- samba-3.0.20rc2/docs/htmldocs/manpages/smb.conf.5.html 2005-08-07 11:17:37.000000000 -0500 +++ samba-3.0.20/docs/htmldocs/manpages/smb.conf.5.html 1969-12-31 18:00:00.000000000 -0600 @@ -1,4209 +0,0 @@ -smb.conf

Name

smb.conf — The configuration file for the Samba suite

SYNOPSIS

- The smb.conf file is a configuration file for the Samba suite. smb.conf contains runtime configuration information for the Samba programs. The - smb.conf file is designed to be configured and administered by the - swat(8) program. The - complete description of the file format and possible parameters held within are here for reference purposes. -

FILE FORMAT

- The file consists of sections and parameters. A section begins with the name of the section in square brackets - and continues until the next section begins. Sections contain parameters of the form: -

-name = value 
-

- The file is line-based - that is, each newline-terminated line represents either a comment, a section name or - a parameter. -

Section and parameter names are not case sensitive.

- Only the first equals sign in a parameter is significant. Whitespace before or after the first equals sign is - discarded. Leading, trailing and internal whitespace in section and parameter names is irrelevant. Leading - and trailing whitespace in a parameter value is discarded. Internal whitespace within a parameter value is - retained verbatim. -

- Any line beginning with a semicolon (“;”) or a hash (“#”) - character is ignored, as are lines containing only whitespace. -

- Any line ending in a “\” is continued on the next line in the customary UNIX fashion. -

- The values following the equals sign in parameters are all either a string (no quotes needed) or a boolean, - which may be given as yes/no, 0/1 or true/false. Case is not significant in boolean values, but is preserved - in string values. Some items such as create masks are numeric. -

SECTION DESCRIPTIONS

- Each section in the configuration file (except for the [global] section) describes a shared resource (known as - a “share”). The section name is the name of the shared resource and the parameters within the - section define the shares attributes. -

- There are three special sections, [global], [homes] and [printers], which are described under - special sections. The following notes apply to ordinary section descriptions. -

- A share consists of a directory to which access is being given plus a description of the access rights - which are granted to the user of the service. Some housekeeping options are also specifiable. -

- Sections are either file share services (used by the client as an extension of their native file systems) - or printable services (used by the client to access print services on the host running the server). -

- Sections may be designated guest services, in which case no password is required to - access them. A specified UNIX guest account is used to define access privileges in this - case. -

- Sections other than guest services will require a password to access them. The client provides the - username. As older clients only provide passwords and not usernames, you may specify a list of usernames to - check against the password using the user = option in the share definition. For modern clients - such as Windows 95/98/ME/NT/2000, this should not be necessary. -

- The access rights granted by the server are masked by the access rights granted to the specified or guest - UNIX user by the host system. The server does not grant more access than the host system grants. -

- The following sample section defines a file space share. The user has write access to the path /home/bar. The share is accessed via the share name foo: -

[foo]

path = /home/bar

read only = read only = no

- The following sample section defines a printable share. The share is read-only, but printable. That is, - the only write access permitted is via calls to open, write to and close a spool file. The guest - ok parameter means access will be permitted as the default guest user (specified elsewhere): -

[aprinter]

path = /usr/spool/public

read only = yes

printable = yes

guest ok = yes

SPECIAL SECTIONS

The [global] section

- Parameters in this section apply to the server as a whole, or are defaults for sections that do not - specifically define certain items. See the notes under PARAMETERS for more information. -

The [homes] section

- If a section called [homes] is included in the configuration file, services connecting clients - to their home directories can be created on the fly by the server. -

- When the connection request is made, the existing sections are scanned. If a match is found, it is - used. If no match is found, the requested section name is treated as a username and looked up in the local - password file. If the name exists and the correct password has been given, a share is created by cloning the - [homes] section. -

- Some modifications are then made to the newly created share: -

- The share name is changed from homes to the located username. -
- If no path was given, the path is set to the user's home directory. -

- If you decide to use a path = line in your [homes] section, it may be useful - to use the %S macro. For example: -

-path = /data/pchome/%S
-

- is useful if you have different home directories for your PCs than for UNIX access. -

- This is a fast and simple way to give a large number of clients access to their home directories with a minimum - of fuss. -

- A similar process occurs if the requested section name is “homes”, except that the share - name is not changed to that of the requesting user. This method of using the [homes] section works well if - different users share a client PC. -

- The [homes] section can specify all the parameters a normal service section can specify, though some make more sense - than others. The following is a typical and suitable [homes] section: -

[homes]

read only = no

- An important point is that if guest access is specified in the [homes] section, all home directories will be - visible to all clients without a password. In the very unlikely event that this is actually - desirable, it is wise to also specify read only access. -

- The browseable flag for auto home directories will be inherited from the global browseable - flag, not the [homes] browseable flag. This is useful as it means setting browseable = no in - the [homes] section will hide the [homes] share but make any auto home directories visible. -

The [printers] section

- This section works like [homes], but for printers. -

- If a [printers] section occurs in the configuration file, users are able to connect to any printer - specified in the local host's printcap file. -

- When a connection request is made, the existing sections are scanned. If a match is found, it is used. - If no match is found, but a [homes] section exists, it is used as described above. Otherwise, the requested - section name is treated as a printer name and the appropriate printcap file is scanned to see if the requested - section name is a valid printer share name. If a match is found, a new printer share is created by cloning the - [printers] section. -

- A few modifications are then made to the newly created share: -

The share name is set to the located printer name
If no printer name was given, the printer name is set to the located printer name
If the share does not permit guest access and no username was given, the username is set - to the located printer name.

- The [printers] service MUST be printable - if you specify otherwise, the server will refuse - to load the configuration file. -

- Typically the path specified is that of a world-writeable spool directory with the sticky bit set on - it. A typical [printers] entry looks like this: -

[printers]

path = /usr/spool/public

guest ok = yes

printable = yes

- All aliases given for a printer in the printcap file are legitimate printer names as far as the server is concerned. - If your printing subsystem doesn't work like that, you will have to set up a pseudo-printcap. This is a file - consisting of one or more lines like this: -

-alias|alias|alias|alias...    
-

- Each alias should be an acceptable printer name for your printing subsystem. In the [global] section, - specify the new file as your printcap. The server will only recognize names found in your pseudo-printcap, - which of course can contain whatever aliases you like. The same technique could be used simply to limit access - to a subset of your local printers. -

- An alias, by the way, is defined as any component of the first entry of a printcap record. Records are separated by newlines, - components (if there are more than one) are separated by vertical bar symbols (|). -

Note

- On SYSV systems which use lpstat to determine what printers are defined on the system you may be able to use - printcap name = lpstat to automatically obtain a list of printers. See the - printcap name option for more details. -

PARAMETERS

Parameters define the specific attributes of sections.

- Some parameters are specific to the [global] section (e.g., security). Some parameters - are usable in all sections (e.g., create mask). All others are permissible only in normal - sections. For the purposes of the following descriptions the [homes] and [printers] sections will be - considered normal. The letter G in parentheses indicates that a parameter is specific to - the [global] section. The letter S indicates that a parameter can be specified in a - service specific section. All S parameters can also be specified in the [global] section - - in which case they will define the default behavior for all services. -

- Parameters are arranged here in alphabetical order - this may not create best bedfellows, but at least you can - find them! Where there are synonyms, the preferred synonym is described, others refer to the preferred - synonym. -

VARIABLE SUBSTITUTIONS

- Many of the strings that are settable in the config file can take substitutions. For example the option - “path = /tmp/%u” is interpreted as “path = /tmp/john” if the user connected with the - username john. -

- These substitutions are mostly noted in the descriptions below, but there are some general substitutions - which apply whenever they might be relevant. These are: -

%U

session username (the username that the client wanted, not - necessarily the same as the one they got).

%G

primary group name of %U.

%h

the Internet hostname that Samba is running on.

%m

the NetBIOS name of the client machine (very useful).

This parameter is not available when Samba listens on port 445, as clients no longer - send this information. If you use this macro in an include statement on a domain that has - a Samba domain controller be sure to set in the [global] section smb ports = - 139. This will cause Samba to not listen on port 445 and will permit include - functionality to function as it did with Samba 2.x. -

%L

the NetBIOS name of the server. This allows you to change your config based on what - the client calls you. Your server can have a “dual personality”. -

%M

the Internet name of the client machine. -

%R

the selected protocol level after protocol negotiation. It can be one of CORE, COREPLUS, - LANMAN1, LANMAN2 or NT1.

%d

the process id of the current server - process.

%a

the architecture of the remote - machine. It currently recognizes Samba (Samba), - the Linux CIFS file system (CIFSFS), OS/2, (OS2), - Windows for Workgroups (WfWg), Windows 9x/ME - (Win95), Windows NT (WinNT), - Windows 2000 (Win2K), Windows XP (WinXP), - and Windows 2003 (Win2K3). Anything else will be known as - UNKNOWN.

%I

the IP address of the client machine.

%i

the local IP address to which a client connected.

%T

the current date and time.

%D

name of the domain or workgroup of the current user.

%$(envvar)

the value of the environment variable - envar.

- The following substitutes apply only to some configuration options (only those that are - used when a connection has been established): -

%S: the name of the current service, if any.
%P: the root directory of the current service, if any.
%u: username of the current service, if any.
%g: primary group name of %u.
%H: the home directory of the user given by %u.
%N: - the name of your NIS home directory server. This is obtained from your NIS auto.map entry. - If you have not compiled Samba with the --with-automount option, this - value will be the same as %L.
%p: - the path of the service's home directory, obtained from your NIS auto.map entry. The NIS - auto.map entry is split up as %N:%p.

- There are some quite creative things that can be done with these substitutions and other - smb.conf options. -

NAME MANGLING

- Samba supports name mangling so that DOS and Windows clients can use files that don't - conform to the 8.3 format. It can also be set to adjust the case of 8.3 format filenames. -

- There are several options that control the way mangling is performed, and they are grouped here rather - than listed separately. For the defaults look at the output of the testparm program. -

- All of these options can be set separately for each service (or globally, of course). -

- The options are: -

case sensitive = yes/no/auto: - controls whether filenames are case sensitive. If they aren't, Samba must do a filename search and match on - passed names. The default setting of auto allows clients that support case sensitive filenames (Linux CIFSVFS - and smbclient 3.0.5 and above currently) to tell the Samba server on a per-packet basis that they wish to - access the file system in a case-sensitive manner (to support UNIX case sensitive semantics). No Windows or - DOS system supports case-sensitive filename so setting this option to auto is that same as setting it to no - for them. Default auto. -
default case = upper/lower: - controls what the default case is for new filenames. Default lower. -
preserve case = yes/no: - controls whether new files are created with the case that the client passes, or if they are forced to be the - default case. Default yes. -
short preserve case = yes/no: - controls if new files which conform to 8.3 syntax, that is all in upper case and of suitable length, - are created upper case, or if they are forced to be the default case. This option can be - used with preserve case = yes to permit long filenames to retain their case, while short - names are lowercased. Default yes. -

- By default, Samba 3.0 has the same semantics as a Windows NT server, in that it is case insensitive but case preserving. -

NOTE ABOUT USERNAME/PASSWORD VALIDATION

- There are a number of ways in which a user can connect to a service. The server uses the following steps - in determining if it will allow a connection to a specified service. If all the steps fail, the connection - request is rejected. However, if one of the steps succeeds, the following steps are not checked. -

- If the service is marked “guest only = yes” and the server is running with share-level - security (“security = share”, steps 1 to 5 are skipped. -

- If the client has passed a username/password pair and that username/password pair is validated by the UNIX - system's password programs, the connection is made as that username. This includes the - \\server\service%username method of passing a username. -
- If the client has previously registered a username with the system and now supplies a correct password for that - username, the connection is allowed. -
- The client's NetBIOS name and any previously used usernames are checked against the supplied password. If - they match, the connection is allowed as the corresponding user. -
- If the client has previously validated a username/password pair with the server and the client has passed - the validation token, that username is used. -
- If a user = field is given in the smb.conf file for the - service and the client has supplied a password, and that password matches (according to the UNIX system's - password checking) with one of the usernames from the user = field, the connection is made as - the username in the user = line. If one of the usernames in the user = list - begins with a @, that name expands to a list of names in the group of the same name. -
- If the service is a guest service, a connection is made as the username given in the guest account - = for the service, irrespective of the supplied password. -

EXPLANATION OF EACH PARAMETER

abort shutdown script (G)

This a full path name to a script called by smbd(8) that - should stop a shutdown procedure issued by the shutdown script.

If the connected user posseses the SeRemoteShutdownPrivilege, - right, this command will be run as user.

Default: abort shutdown script = - -

Example: abort shutdown script = /sbin/shutdown -c - -

acl compatibility (S)

This parameter specifies what OS ACL semantics should - be compatible with. Possible values are winnt for Windows NT 4, - win2k for Windows 2000 and above and auto. - If you specify auto, the value for this parameter - will be based upon the version of the client. There should - be no reason to change this parameter from the default.

Default: acl compatibility = Auto - -

Example: acl compatibility = win2k - -

add group script (G)

This is the full pathname to a script that will be run - AS ROOT by smbd(8) - when a new group is requested. It will expand any %g to the group name passed. This - script is only useful for installations using the Windows NT - domain administration tools. The script is free to create a - group with an arbitrary name to circumvent unix group name - restrictions. In that case the script must print the numeric gid - of the created group on stdout.

No default

add machine script (G)

This is the full pathname to a script that will be run by - smbd(8) when a machine is added - to it's domain using the administrator username and password - method.

This option is only required when using sam back-ends tied - to the Unix uid method of RID calculation such as smbpasswd. - This option is only available in Samba 3.0.

Default: add machine script = - -

Example: add machine script = /usr/sbin/adduser -n -g machines -c Machine -d /var/lib/nobody -s /bin/false %u - -

addprinter command (G)

With the introduction of MS-RPC based printing - support for Windows NT/2000 clients in Samba 2.2, The MS Add - Printer Wizard (APW) icon is now also available in the - "Printers..." folder displayed a share listing. The APW - allows for printers to be add remotely to a Samba or Windows - NT/2000 print server.

For a Samba host this means that the printer must be - physically added to the underlying printing system. The add - printer command defines a script to be run which - will perform the necessary operations for adding the printer - to the print system and to add the appropriate service definition - to the smb.conf file in order that it can be - shared by smbd(8).

The addprinter command is - automatically invoked with the following parameter (in - order):

printer name
share name
port name
driver name
location
Windows 9x driver location

All parameters are filled in from the PRINTER_INFO_2 structure sent - by the Windows NT/2000 client with one exception. The "Windows 9x - driver location" parameter is included for backwards compatibility - only. The remaining fields in the structure are generated from answers - to the APW questions.

Once the addprinter command has - been executed, smbd will reparse the - smb.conf to determine if the share defined by the APW - exists. If the sharename is still invalid, then smbd - will return an ACCESS_DENIED error to the client.

- The "add printer command" program can output a single line of text, - which Samba will set as the port the new printer is connected to. - If this line isn't output, Samba won't reload its printer shares. -

Default: addprinter command = - -

Example: addprinter command = /usr/bin/addprinter - -

add share command (G)

Samba 2.2.0 introduced the ability to dynamically - add and delete shares via the Windows NT 4.0 Server Manager. The - add share command is used to define an - external program or script which will add a new service definition - to smb.conf. In order to successfully - execute the add share command, smbd - requires that the administrator be connected using a root account (i.e. - uid == 0). -

- When executed, smbd will automatically invoke the - add share command with four parameters. -

configFile - the location - of the global smb.conf file. -
shareName - the name of the new - share. -
pathName - path to an **existing** - directory on disk. -
comment - comment string to associate - with the new share. -

- This parameter is only used for add file shares. To add printer shares, - see the addprinter command. -

Default: add share command = - -

Example: add share command = /usr/local/bin/addshare - -

add user script (G)

This is the full pathname to a script that will - be run AS ROOT by smbd(8) under special circumstances described below.

Normally, a Samba server requires that UNIX users are - created for all users accessing files on this server. For sites - that use Windows NT account databases as their primary user database - creating these users and keeping the user list in sync with the - Windows NT PDC is an onerous task. This option allows smbd to create the required UNIX users - ON DEMAND when a user accesses the Samba server.

In order to use this option, smbd(8) must NOT be set to security = share - and add user script - must be set to a full pathname for a script that will create a UNIX - user given one argument of %u, which expands into - the UNIX user name to create.

When the Windows user attempts to access the Samba server, - at login (session setup in the SMB protocol) time, smbd(8) contacts the password server and - attempts to authenticate the given user with the given password. If the - authentication succeeds then smbd - attempts to find a UNIX user in the UNIX password database to map the - Windows user into. If this lookup fails, and add user script - is set then smbd will - call the specified script AS ROOT, expanding - any %u argument to be the user name to create.

If this script successfully creates the user then smbd - will continue on as though the UNIX user - already existed. In this way, UNIX users are dynamically created to - match existing Windows NT accounts.

- See also security, password server, - delete user script. -

Default: add user script = - -

Example: add user script = /usr/local/samba/bin/add_user %u - -

add user to group script (G)

Full path to the script that will be called when - a user is added to a group using the Windows NT domain administration - tools. It will be run by smbd(8) AS ROOT. - Any %g will be replaced with the group name and - any %u will be replaced with the user name. -

Note that the adduser command used in the example below does - not support the used syntax on all systems.

Default: add user to group script = - -

Example: add user to group script = /usr/sbin/adduser %u %g - -

admin users (S)

This is a list of users who will be granted - administrative privileges on the share. This means that they - will do all file operations as the super-user (root).

You should use this option very carefully, as any user in - this list will be able to do anything they like on the share, - irrespective of file permissions.

This parameter will not work with the security = share in - Samba 3.0. This is by design.

Default: admin users = - -

Example: admin users = jason - -

afs share (S)

This parameter controls whether special AFS features are enabled - for this share. If enabled, it assumes that the directory exported via - the path parameter is a local AFS import. The - special AFS features include the attempt to hand-craft an AFS token - if you enabled --with-fake-kaserver in configure. -

Default: afs share = no - -

afs username map (G)

If you are using the fake kaserver AFS feature, you might - want to hand-craft the usernames you are creating tokens for. - For example this is necessary if you have users from several domain - in your AFS Protection Database. One possible scheme to code users - as DOMAIN+User as it is done by winbind with the + as a separator. -

The mapped user name must contain the cell name to log into, - so without setting this parameter there will be no token.

Default: afs username map = - -

Example: afs username map = %u@afs.samba.org - -

algorithmic rid base (G)

This determines how Samba will use its - algorithmic mapping from uids/gid to the RIDs needed to construct - NT Security Identifiers. -

Setting this option to a larger value could be useful to sites - transitioning from WinNT and Win2k, as existing user and - group rids would otherwise clash with sytem users etc. -

All UIDs and GIDs must be able to be resolved into SIDs for - the correct operation of ACLs on the server. As such the algorithmic - mapping can't be 'turned off', but pushing it 'out of the way' should - resolve the issues. Users and groups can then be assigned 'low' RIDs - in arbitary-rid supporting backends. -

Default: algorithmic rid base = 1000 - -

Example: algorithmic rid base = 100000 - -

allocation roundup size (S)

This parameter allows an administrator to tune the - allocation size reported to Windows clients. The default - size of 1Mb generally results in improved Windows client - performance. However, rounding the allocation size may cause - difficulties for some applications, e.g. MS Visual Studio. - If the MS Visual Studio compiler starts to crash with an - internal error, set this parameter to zero for this share. -

The integer parameter specifies the roundup size in bytes.

Default: allocation roundup size = 1048576 - -

Example: allocation roundup size = 0 -# (to disable roundups) - -

allow trusted domains (G)

- This option only takes effect when the security option is set to - server,domain or ads. - If it is set to no, then attempts to connect to a resource from - a domain or workgroup other than the one which smbd is running - in will fail, even if that domain is trusted by the remote server - doing the authentication.

This is useful if you only want your Samba server to - serve resources to users in the domain it is a member of. As - an example, suppose that there are two domains DOMA and DOMB. DOMB - is trusted by DOMA, which contains the Samba server. Under normal - circumstances, a user with an account in DOMB can then access the - resources of a UNIX account with the same account name on the - Samba server even if they do not have an account in DOMA. This - can make implementing a security boundary difficult.

Default: allow trusted domains = yes - -

announce as (G)

This specifies what type of server nmbd(8) will announce itself as, to a network neighborhood browse - list. By default this is set to Windows NT. The valid options - are : "NT Server" (which can also be written as "NT"), - "NT Workstation", "Win95" or "WfW" meaning Windows NT Server, - Windows NT Workstation, Windows 95 and Windows for Workgroups - respectively. Do not change this parameter unless you have a - specific need to stop Samba appearing as an NT server as this - may prevent Samba servers from participating as browser servers - correctly.

Default: announce as = NT Server - -

Example: announce as = Win95 - -

announce version (G)

This specifies the major and minor version numbers - that nmbd will use when announcing itself as a server. The default - is 4.9. Do not change this parameter unless you have a specific - need to set a Samba server to be a downlevel server.

Default: announce version = 4.9 - -

Example: announce version = 2.0 - -

auth methods (G)

- This option allows the administrator to chose what authentication methods smbd will use when authenticating a user. This option defaults to sensible values - based on security. This should be considered a developer option and used only in rare - circumstances. In the majority (if not all) of production servers, the default setting should be adequate. -

Each entry in the list attempts to authenticate the user in turn, until - the user authenticates. In practice only one method will ever actually - be able to complete the authentication. -

Possible options include guest (anonymous access), - sam (lookups in local list of accounts based on netbios - name or domain name), winbind (relay authentication requests - for remote users through winbindd), ntdomain (pre-winbindd - method of authentication for remote domain users; deprecated in favour of winbind method), - trustdomain (authenticate trusted users by contacting the - remote DC directly from smbd; deprecated in favour of winbind method).

Default: auth methods = - -

Example: auth methods = guest sam winbind - -

available (S)

This parameter lets you "turn off" a service. If - available = no, then ALL - attempts to connect to the service will fail. Such failures are - logged.

Default: available = yes - -

bind interfaces only (G)

This global parameter allows the Samba admin - to limit what interfaces on a machine will serve SMB requests. It - affects file service smbd(8) and name service nmbd(8) in a slightly different ways.

- For name service it causes nmbd to bind to ports 137 and 138 on the - interfaces listed in the interfaces parameter. nmbd - also binds to the "all addresses" interface (0.0.0.0) on ports 137 and 138 for the purposes of - reading broadcast messages. If this option is not set then nmbd will - service name requests on all of these sockets. If bind interfaces only is set then - nmbd will check the source address of any packets coming in on the - broadcast sockets and discard any that don't match the broadcast addresses of the interfaces in the - interfaces parameter list. As unicast packets are received on the other sockets it - allows nmbd to refuse to serve names to machines that send packets that - arrive through any interfaces not listed in the interfaces list. IP Source address - spoofing does defeat this simple check, however, so it must not be used seriously as a security feature for - nmbd. -

- For file service it causes smbd(8) to bind only to the interface list given in the interfaces parameter. This restricts the networks that smbd will - serve to packets coming in those interfaces. Note that you should not use this parameter for machines that - are serving PPP or other intermittent or non-broadcast network interfaces as it will not cope with - non-permanent interfaces. -

- If bind interfaces only is set then unless the network address - 127.0.0.1 is added to the interfaces parameter list - smbpasswd(8) and - swat(8) may not work as - expected due to the reasons covered below. -

- To change a users SMB password, the smbpasswd by default connects to the - localhost - 127.0.0.1 address as an SMB client to issue the password change request. If - bind interfaces only is set then unless the network address - 127.0.0.1 is added to the interfaces parameter list then smbpasswd will fail to connect in it's default mode. smbpasswd can be forced to use the primary IP interface of the local host by using - its smbpasswd(8) -r remote machine parameter, with remote - machine set to the IP name of the primary interface of the local host. -

- The swat status page tries to connect with smbd and nmbd at the address - 127.0.0.1 to determine if they are running. Not adding 127.0.0.1 - will cause smbd and nmbd to always show - "not running" even if they really are. This can prevent swat - from starting/stopping/restarting smbd and nmbd. -

Default: bind interfaces only = no - -

blocking locks (S)

This parameter controls the behavior - of smbd(8) when given a request by a client - to obtain a byte range lock on a region of an open file, and the - request has a time limit associated with it.

If this parameter is set and the lock range requested - cannot be immediately satisfied, samba will internally - queue the lock request, and periodically attempt to obtain - the lock until the timeout period expires.

If this parameter is set to no, then - samba will behave as previous versions of Samba would and - will fail the lock request immediately if the lock range - cannot be obtained.

Default: blocking locks = yes - -

block size (S)

This parameter controls the behavior of smbd(8) when reporting disk free - sizes. By default, this reports a disk block size of 1024 bytes. -

Changing this parameter may have some effect on the - efficiency of client writes, this is not yet confirmed. This - parameter was added to allow advanced administrators to change - it (usually to a higher value) and test the effect it has on - client write performance without re-compiling the code. As this - is an experimental option it may be removed in a future release. -

Changing this option does not change the disk free reporting - size, just the block size unit reported to the client. -

No default

browsable

This parameter is a synonym for browseable.

browseable (S)

This controls whether this share is seen in - the list of available shares in a net view and in the browse list.

Default: browseable = yes - -

browse list (G)

This controls whether smbd(8) will serve a browse list to - a client doing a NetServerEnum call. Normally - set to yes. You should never need to change - this.

Default: browse list = yes - -

casesignames

This parameter is a synonym for case sensitive.

case sensitive (S)

See the discussion in the section name mangling.

Default: case sensitive = no - -

change notify timeout (G)

This SMB allows a client to tell a server to - "watch" a particular directory for any changes and only reply to - the SMB request when a change has occurred. Such constant scanning of - a directory is expensive under UNIX, hence an smbd(8) daemon only performs such a scan - on each requested directory once every change notify - timeout seconds.

Default: change notify timeout = 60 - -

Example: change notify timeout = 300 -# Would change the scan time to every 5 minutes. - -

change share command (G)

Samba 2.2.0 introduced the ability to dynamically - add and delete shares via the Windows NT 4.0 Server Manager. The - change share command is used to define an - external program or script which will modify an existing service definition - in smb.conf. In order to successfully - execute the change share command, smbd - requires that the administrator be connected using a root account (i.e. - uid == 0). -

- When executed, smbd will automatically invoke the - change share command with four parameters. -

configFile - the location - of the global smb.conf file. -
shareName - the name of the new - share. -
pathName - path to an **existing** - directory on disk. -
comment - comment string to associate - with the new share. -

- This parameter is only used modify existing file shares definitions. To modify - printer shares, use the "Printers..." folder as seen when browsing the Samba host. -

Default: change share command = - -

Example: change share command = /usr/local/bin/addshare - -

check password script (G)

The name of a program that can be used to check password - complexity. The password is sent to the program's standrad input.

The program must return 0 on good password any other value otherwise. - In case the password is considered weak (the program do not return 0) the - user will be notified and the password change will fail.

Note: In the example directory there is a sample program called crackcheck - that uses cracklib to checkpassword quality

. - - -

Default: check password script = Disabled - -

Example: check password script = check password script = /usr/local/sbin/crackcheck - -

client lanman auth (G)

This parameter determines whether or not smbclient(8) and other samba client - tools will attempt to authenticate itself to servers using the - weaker LANMAN password hash. If disabled, only server which support NT - password hashes (e.g. Windows NT/2000, Samba, etc... but not - Windows 95/98) will be able to be connected from the Samba client.

The LANMAN encrypted response is easily broken, due to it's - case-insensitive nature, and the choice of algorithm. Clients - without Windows 95/98 servers are advised to disable - this option.

Disabling this option will also disable the client plaintext auth option

Likewise, if the client ntlmv2 - auth parameter is enabled, then only NTLMv2 logins will be - attempted.

Default: client lanman auth = yes - -

client ntlmv2 auth (G)

This parameter determines whether or not smbclient(8) will attempt to - authenticate itself to servers using the NTLMv2 encrypted password - response.

If enabled, only an NTLMv2 and LMv2 response (both much more - secure than earlier versions) will be sent. Many servers - (including NT4 < SP4, Win9x and Samba 2.2) are not compatible with - NTLMv2.

Similarly, if enabled, NTLMv1, client lanman auth and client plaintext auth - authentication will be disabled. This also disables share-level - authentication.

If disabled, an NTLM response (and possibly a LANMAN response) - will be sent by the client, depending on the value of client lanman auth.

Note that some sites (particularly - those following 'best practice' security polices) only allow NTLMv2 - responses, and not the weaker LM or NTLM.

Default: client ntlmv2 auth = no - -

client plaintext auth (G)

Specifies whether a client should send a plaintext - password if the server does not support encrypted passwords.

Default: client plaintext auth = yes - -

client schannel (G)

This controls whether the client offers or even - demands the use of the netlogon schannel. - client schannel = no does not - offer the schannel, client schannel = - auto offers the schannel but does not - enforce it, and client schannel = - yes denies access if the server is not - able to speak netlogon schannel.

Default: client schannel = auto - -

Example: client schannel = yes - -

client signing (G)

This controls whether the client offers or requires - the server it talks to to use SMB signing. Possible values - are auto, mandatory - and disabled. -

When set to auto, SMB signing is offered, but not enforced. - When set to mandatory, SMB signing is required and if set - to disabled, SMB signing is not offered either.

Default: client signing = auto - -

client use spnego (G)

This variable controls whether Samba clients will try - to use Simple and Protected NEGOciation (as specified by rfc2478) with - supporting servers (including WindowsXP, Windows2000 and Samba - 3.0) to agree upon an authentication - mechanism. This enables Kerberos authentication in particular.

Default: client use spnego = yes - -

comment (S)

This is a text field that is seen next to a share - when a client does a queries the server, either via the network - neighborhood or via net view to list what shares - are available.

If you want to set the string that is displayed next to the - machine name then see the server string parameter.

Default: comment = -# No comment - -

Example: comment = Fred's Files - -

config file (G)

This allows you to override the config file - to use, instead of the default (usually smb.conf). - There is a chicken and egg problem here as this option is set - in the config file!

For this reason, if the name of the config file has changed - when the parameters are loaded then it will reload them from - the new config file.

This option takes the usual substitutions, which can - be very useful.

If the config file doesn't exist then it won't be loaded - (allowing you to special case the config files of just a few - clients).

No default

Example: config file = /usr/local/samba/lib/smb.conf.%m - -

copy (S)

This parameter allows you to "clone" service - entries. The specified service is simply duplicated under the - current service's name. Any parameters specified in the current - section will override those in the section being copied.

This feature lets you set up a 'template' service and - create similar services easily. Note that the service being - copied must occur earlier in the configuration file than the - service doing the copying.

Default: copy = - -

Example: copy = otherservice - -

create mode

This parameter is a synonym for create mask.

create mask (S)

- When a file is created, the necessary permissions are calculated according to the mapping from DOS modes to - UNIX permissions, and the resulting UNIX mode is then bit-wise 'AND'ed with this parameter. This parameter may - be thought of as a bit-wise MASK for the UNIX modes of a file. Any bit not set here will - be removed from the modes set on a file when it is created. -

- The default value of this parameter removes the group and other - write and execute bits from the UNIX modes. -

- Following this Samba will bit-wise 'OR' the UNIX mode created from this parameter with the value of the - force create mode parameter which is set to 000 by default. -

- This parameter does not affect directory masks. See the parameter directory mask - for details. -

- Note that this parameter does not apply to permissions set by Windows NT/2000 ACL editors. If the - administrator wishes to enforce a mask on access control lists also, they need to set the security mask. -

Default: create mask = 0744 - -

Example: create mask = 0775 - -

csc policy (S)

This stands for client-side caching - policy, and specifies how clients capable of offline - caching will cache the files in the share. The valid values - are: manual, documents, programs, disable.

These values correspond to those used on Windows servers.

For example, shares containing roaming profiles can have - offline caching disabled using csc policy = disable.

Default: csc policy = manual - -

Example: csc policy = programs - -

cups options (S)

- This parameter is only applicable if printing is - set to cups. Its value is a free form string of options - passed directly to the cups library. -

You can pass any generic print option known to CUPS (as listed - in the CUPS "Software Users' Manual"). You can also pass any printer - specific option (as listed in "lpoptions -d printername -l") - valid for the target queue.

You should set this parameter to raw if your CUPS server - error_log file contains messages such as - "Unsupported format 'application/octet-stream'" when printing from a Windows client - through Samba. It is no longer necessary to enable - system wide raw printing in /etc/cups/mime.{convs,types}. -

Default: cups options = "" - -

Example: cups options = "raw,media=a4,job-sheets=secret,secret" - -

cups server (G)

This parameter is only applicable if printing is set to cups. -

If set, this option overrides the ServerName option in the CUPS - client.conf. This is necessary if you have virtual - samba servers that connect to different CUPS daemons.

Default: cups server = "" - -

Example: cups server = MYCUPSSERVER - -

deadtime (G)

The value of the parameter (a decimal integer) - represents the number of minutes of inactivity before a connection - is considered dead, and it is disconnected. The deadtime only takes - effect if the number of open files is zero.

This is useful to stop a server's resources being - exhausted by a large number of inactive connections.

Most clients have an auto-reconnect feature when a - connection is broken so in most cases this parameter should be - transparent to users.

Using this parameter with a timeout of a few minutes - is recommended for most systems.

A deadtime of zero indicates that no auto-disconnection - should be performed.

Default: deadtime = 0 - -

Example: deadtime = 15 - -

debug hires timestamp (G)

Sometimes the timestamps in the log messages - are needed with a resolution of higher that seconds, this - boolean parameter adds microsecond resolution to the timestamp - message header when turned on.

- Note that the parameter debug timestamp must be on for this to have an - effect.

Default: debug hires timestamp = no - -

debug pid (G)

When using only one log file for more then one forked - smbd(8)-process there may be hard to - follow which process outputs which message. This boolean parameter - is adds the process-id to the timestamp message headers in the - logfile when turned on.

Note that the parameter debug timestamp must be on for this to have an - effect.

Default: debug pid = no - -

timestamp logs

This parameter is a synonym for debug timestamp.

debug timestamp (G)

Samba debug log messages are timestamped - by default. If you are running at a high debug level these timestamps - can be distracting. This boolean parameter allows timestamping - to be turned off.

Default: debug timestamp = yes - -

debug uid (G)

Samba is sometimes run as root and sometime - run as the connected user, this boolean parameter inserts the - current euid, egid, uid and gid to the timestamp message headers - in the log file if turned on.

Note that the parameter debug timestamp must be on for this to have an - effect.

Default: debug uid = no - -

default case (S)

See the section on name mangling - . Also note the short preserve case parameter.

Default: default case = lower - -

default devmode (S)

This parameter is only applicable to printable services. - When smbd is serving Printer Drivers to Windows NT/2k/XP clients, each printer on the Samba - server has a Device Mode which defines things such as paper size and - orientation and duplex settings. The device mode can only correctly be - generated by the printer driver itself (which can only be executed on a - Win32 platform). Because smbd is unable to execute the driver code - to generate the device mode, the default behavior is to set this field - to NULL. -

Most problems with serving printer drivers to Windows NT/2k/XP clients - can be traced to a problem with the generated device mode. Certain drivers - will do things such as crashing the client's Explorer.exe with a NULL devmode. - However, other printer drivers can cause the client's spooler service - (spoolsv.exe) to die if the devmode was not created by the driver itself - (i.e. smbd generates a default devmode). -

This parameter should be used with care and tested with the printer - driver in question. It is better to leave the device mode to NULL - and let the Windows client set the correct values. Because drivers do not - do this all the time, setting default devmode = yes - will instruct smbd to generate a default one. -

For more information on Windows NT/2k printing and Device Modes, - see the MSDN documentation. -

Default: default devmode = no - -

default

This parameter is a synonym for default service.

default service (G)

This parameter specifies the name of a service - which will be connected to if the service actually requested cannot - be found. Note that the square brackets are NOT - given in the parameter value (see example below).

There is no default value for this parameter. If this - parameter is not given, attempting to connect to a nonexistent - service results in an error.

- Typically the default service would be a guest ok, read-only service.

Also note that the apparent service name will be changed to equal - that of the requested service, this is very useful as it allows you to use macros like %S to make a wildcard service. -

Note also that any "_" characters in the name of the service - used in the default service will get mapped to a "/". This allows for - interesting things.

Default: default service = - -

Example: default service = pub - -

defer sharing violations (G)

- Windows allows specifying how a file will be shared with - other processes when it is opened. Sharing violations occur when - a file is opened by a different process using options that violate - the share settings specified by other processes. This parameter causes - smbd to act as a Windows server does, and defer returning a "sharing - violation" error message for up to one second, allowing the client - to close the file causing the violation in the meantime. -

Unix by default does not have this behaviour.

- There should be no reason to turn off this parameter, as it is - designed to enable Samba to more correctly emulate Windows. -

Default: defer sharing violations = True - -

delete group script (G)

This is the full pathname to a script that will - be run AS ROOT smbd(8) when a group is requested to be deleted. - It will expand any %g to the group name passed. - This script is only useful for installations using the Windows NT domain administration tools. -

Default: delete group script = - -

deleteprinter command (G)

With the introduction of MS-RPC based printer - support for Windows NT/2000 clients in Samba 2.2, it is now - possible to delete printer at run time by issuing the - DeletePrinter() RPC call.

For a Samba host this means that the printer must be - physically deleted from underlying printing system. The - deleteprinter command defines a script to be run which - will perform the necessary operations for removing the printer - from the print system and from smb.conf. -

The deleteprinter command is - automatically called with only one parameter: printer name. -

Once the deleteprinter command has - been executed, smbd will reparse the - smb.conf to associated printer no longer exists. - If the sharename is still valid, then smbd - will return an ACCESS_DENIED error to the client.

Default: deleteprinter command = - -

Example: deleteprinter command = /usr/bin/removeprinter - -

delete readonly (S)

This parameter allows readonly files to be deleted. - This is not normal DOS semantics, but is allowed by UNIX.

This option may be useful for running applications such - as rcs, where UNIX file ownership prevents changing file - permissions, and DOS semantics prevent deletion of a read only file.

Default: delete readonly = no - -

delete share command (G)

Samba 2.2.0 introduced the ability to dynamically - add and delete shares via the Windows NT 4.0 Server Manager. The - delete share command is used to define an - external program or script which will remove an existing service - definition from smb.conf. In order to successfully - execute the delete share command, smbd - requires that the administrator be connected using a root account (i.e. - uid == 0). -

- When executed, smbd will automatically invoke the - delete share command with two parameters. -

configFile - the location - of the global smb.conf file. -
shareName - the name of - the existing service. -

- This parameter is only used to remove file shares. To delete printer shares, - see the deleteprinter command. -

Default: delete share command = - -

Example: delete share command = /usr/local/bin/delshare - -

delete user from group script (G)

Full path to the script that will be called when - a user is removed from a group using the Windows NT domain administration - tools. It will be run by smbd(8) AS ROOT. - Any %g will be replaced with the group name and - any %u will be replaced with the user name. -

Default: delete user from group script = - -

Example: delete user from group script = /usr/sbin/deluser %u %g - -

delete user script (G)

This is the full pathname to a script that will - be run by smbd(8) when managing users - with remote RPC (NT) tools. -

This script is called when a remote client removes a user - from the server, normally using 'User Manager for Domains' or - rpcclient.

This script should delete the given UNIX username.

Default: delete user script = - -

Example: delete user script = /usr/local/samba/bin/del_user %u - -

delete veto files (S)

This option is used when Samba is attempting to - delete a directory that contains one or more vetoed directories - (see the veto files - option). If this option is set to no (the default) then if a vetoed - directory contains any non-vetoed files or directories then the - directory delete will fail. This is usually what you want.

If this option is set to yes, then Samba - will attempt to recursively delete any files and directories within - the vetoed directory. This can be useful for integration with file - serving systems such as NetAtalk which create meta-files within - directories you might normally veto DOS/Windows users from seeing - (e.g. .AppleDouble)

Setting delete veto files = yes allows these - directories to be transparently deleted when the parent directory - is deleted (so long as the user has permissions to do so).

Default: delete veto files = no - -

dfree command (G)

The dfree command setting - should only be used on systems where a problem occurs with the - internal disk space calculations. This has been known to happen - with Ultrix, but may occur with other operating systems. The - symptom that was seen was an error of "Abort Retry - Ignore" at the end of each directory listing.

This setting allows the replacement of the internal routines to - calculate the total disk space and amount available with an external - routine. The example below gives a possible script that might fulfill - this function.

The external program will be passed a single parameter indicating - a directory in the filesystem being queried. This will typically consist - of the string ./. The script should return two - integers in ASCII. The first should be the total disk space in blocks, - and the second should be the number of available blocks. An optional - third return value can give the block size in bytes. The default - blocksize is 1024 bytes.

Note: Your script should NOT be setuid or - setgid and should be owned by (and writeable only by) root!

Where the script dfree (which must be made executable) could be:

 
-#!/bin/sh
-df $1 | tail -1 | awk '{print $2" "$4}'
-

or perhaps (on Sys V based systems):

 
-#!/bin/sh
-/usr/bin/df -k $1 | tail -1 | awk '{print $3" "$5}'
-

Note that you may have to replace the command names with full path names on some systems.

Default: dfree command = -# By default internal routines for - determining the disk capacity and remaining space will be used. - -

Example: dfree command = /usr/local/samba/bin/dfree - -

directory mode

This parameter is a synonym for directory mask.

directory mask (S)

This parameter is the octal modes which are - used when converting DOS modes to UNIX modes when creating UNIX - directories.

When a directory is created, the necessary permissions are - calculated according to the mapping from DOS modes to UNIX permissions, - and the resulting UNIX mode is then bit-wise 'AND'ed with this - parameter. This parameter may be thought of as a bit-wise MASK for - the UNIX modes of a directory. Any bit not set - here will be removed from the modes set on a directory when it is - created.

The default value of this parameter removes the 'group' - and 'other' write bits from the UNIX mode, allowing only the - user who owns the directory to modify it.

Following this Samba will bit-wise 'OR' the UNIX mode - created from this parameter with the value of the force directory mode parameter. - This parameter is set to 000 by default (i.e. no extra mode bits are added).

Note that this parameter does not apply to permissions - set by Windows NT/2000 ACL editors. If the administrator wishes to enforce - a mask on access control lists also, they need to set the directory security mask.

Default: directory mask = 0755 - -

Example: directory mask = 0775 - -

directory security mask (S)

This parameter controls what UNIX permission bits - can be modified when a Windows NT client is manipulating the UNIX - permission on a directory using the native NT security dialog - box.

- This parameter is applied as a mask (AND'ed with) to the changed permission bits, thus preventing any bits not - in this mask from being modified. Make sure not to mix up this parameter with force directory security mode, which works similar like this one but uses logical OR instead of AND. - Essentially, zero bits in this mask may be treated as a set of bits the user is not allowed to change. -

If not set explicitly this parameter is set to 0777 - meaning a user is allowed to modify all the user/group/world - permissions on a directory.

Note that users who can access the - Samba server through other means can easily bypass this restriction, - so it is primarily useful for standalone "appliance" systems. - Administrators of most normal systems will probably want to leave - it as the default of 0777.

Default: directory security mask = 0777 - -

Example: directory security mask = 0700 - -

disable netbios (G)

Enabling this parameter will disable netbios support - in Samba. Netbios is the only available form of browsing in - all windows versions except for 2000 and XP.

Note

Clients that only support netbios won't be able to - see your samba server when netbios support is disabled. -

Default: disable netbios = no - -

disable spoolss (G)

Enabling this parameter will disable Samba's support - for the SPOOLSS set of MS-RPC's and will yield identical behavior - as Samba 2.0.x. Windows NT/2000 clients will downgrade to using - Lanman style printing commands. Windows 9x/ME will be uneffected by - the parameter. However, this will also disable the ability to upload - printer drivers to a Samba server via the Windows NT Add Printer - Wizard or by using the NT printer properties dialog window. It will - also disable the capability of Windows NT/2000 clients to download - print drivers from the Samba host upon demand. - Be very careful about enabling this parameter. -

Default: disable spoolss = no - -

display charset (G)

Specifies the charset that samba will use - to print messages to stdout and stderr and SWAT will use. - Should generally be the same as the unix charset. -

Default: display charset = ASCII - -

Example: display charset = UTF8 - -

dns proxy (G)

Specifies that nmbd(8) when acting as a WINS server and - finding that a NetBIOS name has not been registered, should treat the - NetBIOS name word-for-word as a DNS name and do a lookup with the DNS server - for that name on behalf of the name-querying client.

Note that the maximum length for a NetBIOS name is 15 - characters, so the DNS name (or DNS alias) can likewise only be - 15 characters, maximum.

nmbd spawns a second copy of itself to do the - DNS name lookup requests, as doing a name lookup is a blocking - action.

Default: dns proxy = yes - -

domain logons (G)

- If set to yes, the Samba server will - provide the netlogon service for Windows 9X network logons for the - workgroup it is in. - This will also cause the Samba server to act as a domain - controller for NT4 style domain services. For more details on - setting up this feature see the Domain Control chapter of the - Samba HOWTO Collection. -

Default: domain logons = no - -

domain master (G)

Tell smbd(8) to enable WAN-wide browse list - collation. Setting this option causes nmbd to - claim a special domain specific NetBIOS name that identifies - it as a domain master browser for its given - workgroup. Local master browsers - in the same workgroup on broadcast-isolated - subnets will give this nmbd their local browse lists, - and then ask smbd(8) for a complete copy of the browse - list for the whole wide area network. Browser clients will then contact - their local master browser, and will receive the domain-wide browse list, - instead of just the list for their broadcast-isolated subnet.

Note that Windows NT Primary Domain Controllers expect to be - able to claim this workgroup specific special - NetBIOS name that identifies them as domain master browsers for - that workgroup by default (i.e. there is no - way to prevent a Windows NT PDC from attempting to do this). This - means that if this parameter is set and nmbd claims - the special name for a workgroup before a Windows - NT PDC is able to do so then cross subnet browsing will behave - strangely and may fail.

If domain logons = yes - , then the default behavior is to enable the domain master parameter. If domain logons is - not enabled (the default setting), then neither will domain master be enabled by default.

Default: domain master = auto - -

dont descend (S)

There are certain directories on some systems - (e.g., the /proc tree under Linux) that are either not - of interest to clients or are infinitely deep (recursive). This - parameter allows you to specify a comma-delimited list of directories - that the server should always show as empty.

Note that Samba can be very fussy about the exact format - of the "dont descend" entries. For example you may need - ./proc instead of just /proc. - Experimentation is the best policy :-)

Default: dont descend = - -

Example: dont descend = /proc,/dev - -

dos charset (G)

DOS SMB clients assume the server has - the same charset as they do. This option specifies which - charset Samba should talk to DOS clients. -

The default depends on which charsets you have installed. - Samba tries to use charset 850 but falls back to ASCII in - case it is not available. Run testparm(1) to check the default on your system.

No default

dos filemode (S)

The default behavior in Samba is to provide - UNIX-like behavior where only the owner of a file/directory is - able to change the permissions on it. However, this behavior - is often confusing to DOS/Windows users. Enabling this parameter - allows a user who has write access to the file (by whatever - means) to modify the permissions on it. Note that a user - belonging to the group owning the file will not be allowed to - change permissions if the group is only granted read access. - Ownership of the file/directory is not changed, only the permissions - are modified.

Default: dos filemode = no - -

dos filetime resolution (S)

Under the DOS and Windows FAT filesystem, the finest - granularity on time resolution is two seconds. Setting this parameter - for a share causes Samba to round the reported time down to the - nearest two second boundary when a query call that requires one second - resolution is made to smbd(8).

This option is mainly used as a compatibility option for Visual - C++ when used against Samba shares. If oplocks are enabled on a - share, Visual C++ uses two different time reading calls to check if a - file has changed since it was last read. One of these calls uses a - one-second granularity, the other uses a two second granularity. As - the two second call rounds any odd second down, then if the file has a - timestamp of an odd number of seconds then the two timestamps will not - match and Visual C++ will keep reporting the file has changed. Setting - this option causes the two timestamps to match, and Visual C++ is - happy.

Default: dos filetime resolution = no - -

dos filetimes (S)

Under DOS and Windows, if a user can write to a - file they can change the timestamp on it. Under POSIX semantics, - only the owner of the file or root may change the timestamp. By - default, Samba runs with POSIX semantics and refuses to change the - timestamp on a file if the user smbd is acting - on behalf of is not the file owner. Setting this option to - yes allows DOS semantics and smbd(8) will change the file - timestamp as DOS requires. Due to changes in Microsoft Office 2000 and beyond, - the default for this parameter has been changed from "no" to "yes" in Samba 3.0.14 - and above. Microsoft Excel will display dialog box warnings about the file being - changed by another user if this parameter is not set to "yes" and files are being - shared between users. -

Default: dos filetimes = yes - -

ea support (S)

This boolean parameter controls whether smbd(8) will allow clients to attempt to store OS/2 style Extended - attributes on a share. In order to enable this parameter the underlying filesystem exported by - the share must support extended attributes (such as provided on XFS and EXT3 on Linux, with the - correct kernel patches). On Linux the filesystem must have been mounted with the mount - option user_xattr in order for extended attributes to work, also - extended attributes must be compiled into the Linux kernel.

Default: ea support = no - -

enable asu support (G)

Hosts running the "Advanced Server for Unix (ASU)" product - require some special accomodations such as creating a builting [ADMIN$] - share that only supports IPC connections. The has been the default - behavior in smbd for many years. However, certain Microsoft applications - such as the Print Migrator tool require that the remote server support - an [ADMIN$} file share. Disabling this parameter allows for creating - an [ADMIN$] file share in smb.conf.

Default: enable asu support = yes - -

enable privileges (G)

This parameter controls whether or not smbd will honor - privileges assigned to specific SIDs via either net rpc rights - or one of the Windows user and group manager tools. This parameter is - disabled by default to prevent members of the Domain Admins group from - being able to assign privileges to users or groups which can then result in certain - smbd operations running as root that would normally run under the context - of the connected user.

An example of how privileges can be used is to assign - the right to join clients to a Samba controlled domain without - providing root access to the server via smbd.

Please read the extended description provided in the - Samba documentation before enabling this option.

Default: enable privileges = no - -

enable rid algorithm (G)

This option is used to control whether or not smbd in Samba 3.0 should fallback - to the algorithm used by Samba 2.2 to generate user and group RIDs. The longterm - development goal is to remove the algorithmic mappings of RIDs altogether, but - this has proved to be difficult. This parameter is mainly provided so that - developers can turn the algorithm on and off and see what breaks. This parameter - should not be disabled by non-developers because certain features in Samba will fail - to work without it. -

Default: enable rid algorithm = yes - -

encrypt passwords (G)

This boolean controls whether encrypted passwords - will be negotiated with the client. Note that Windows NT 4.0 SP3 and - above and also Windows 98 will by default expect encrypted passwords - unless a registry entry is changed. To use encrypted passwords in - Samba see the chapter "User Database" in the Samba HOWTO Collection. -

- MS Windows clients that expect Microsoft encrypted passwords and that - do not have plain text password support enabled will be able to - connect only to a Samba server that has encypted password support - enabled and for which the user accounts have a valid encrypted password. - Refer to the smbpasswd command man page for information regarding the - creation of encrypted passwords for user accounts. -

- The use of plain text passwords is NOT advised as support for this feature - is no longer maintained in Microsoft Windows products. If you want to use - plain text passwords you must set this parameter to no. -

In order for encrypted passwords to work correctly - smbd(8) must either - have access to a local smbpasswd(5) file (see the smbpasswd(8) program for information on how to set up - and maintain this file), or set the security = [server|domain|ads] parameter which - causes smbd to authenticate against another - server.

Default: encrypt passwords = yes - -

enhanced browsing (G)

This option enables a couple of enhancements to - cross-subnet browse propagation that have been added in Samba - but which are not standard in Microsoft implementations. -

The first enhancement to browse propagation consists of a regular - wildcard query to a Samba WINS server for all Domain Master Browsers, - followed by a browse synchronization with each of the returned - DMBs. The second enhancement consists of a regular randomised browse - synchronization with all currently known DMBs.

You may wish to disable this option if you have a problem with empty - workgroups not disappearing from browse lists. Due to the restrictions - of the browse protocols these enhancements can cause a empty workgroup - to stay around forever which can be annoying.

In general you should leave this option enabled as it makes - cross-subnet browse propagation much more reliable.

Default: enhanced browsing = yes - -

enumports command (G)

The concept of a "port" is fairly foreign - to UNIX hosts. Under Windows NT/2000 print servers, a port - is associated with a port monitor and generally takes the form of - a local port (i.e. LPT1:, COM1:, FILE:) or a remote port - (i.e. LPD Port Monitor, etc...). By default, Samba has only one - port defined--"Samba Printer Port". Under - Windows NT/2000, all printers must have a valid port name. - If you wish to have a list of ports displayed (smbd - does not use a port name for anything) other than - the default "Samba Printer Port", you - can define enumports command to point to - a program which should generate a list of ports, one per line, - to standard output. This listing will then be used in response - to the level 1 and 2 EnumPorts() RPC.

Default: enumports command = - -

Example: enumports command = /usr/bin/listports - -

fake directory create times (S)

NTFS and Windows VFAT file systems keep a create - time for all files and directories. This is not the same as the - ctime - status change time - that Unix keeps, so Samba by default - reports the earliest of the various times Unix does keep. Setting - this parameter for a share causes Samba to always report midnight - 1-1-1980 as the create time for directories.

This option is mainly used as a compatibility option for - Visual C++ when used against Samba shares. Visual C++ generated - makefiles have the object directory as a dependency for each object - file, and a make rule to create the directory. Also, when NMAKE - compares timestamps it uses the creation time when examining a - directory. Thus the object directory will be created if it does not - exist, but once it does exist it will always have an earlier - timestamp than the object files it contains.

However, Unix time semantics mean that the create time - reported by Samba will be updated whenever a file is created or - or deleted in the directory. NMAKE finds all object files in - the object directory. The timestamp of the last one built is then - compared to the timestamp of the object directory. If the - directory's timestamp if newer, then all object files - will be rebuilt. Enabling this option - ensures directories always predate their contents and an NMAKE build - will proceed as expected.

Default: fake directory create times = no - -

fake oplocks (S)

Oplocks are the way that SMB clients get permission - from a server to locally cache file operations. If a server grants - an oplock (opportunistic lock) then the client is free to assume - that it is the only one accessing the file and it will aggressively - cache file data. With some oplock types the client may even cache - file open/close operations. This can give enormous performance benefits. -

When you set fake oplocks = yes, smbd(8) will - always grant oplock requests no matter how many clients are using the file.

It is generally much better to use the real oplocks support rather - than this parameter.

If you enable this option on all read-only shares or - shares that you know will only be accessed from one client at a - time such as physically read-only media like CDROMs, you will see - a big performance improvement on many operations. If you enable - this option on shares where multiple clients may be accessing the - files read-write at the same time you can get data corruption. Use - this option carefully!

Default: fake oplocks = no - -

follow symlinks (S)

This parameter allows the Samba administrator - to stop smbd(8) from following symbolic - links in a particular share. Setting this - parameter to no prevents any file or directory - that is a symbolic link from being followed (the user will get an - error). This option is very useful to stop users from adding a - symbolic link to /etc/passwd in their home - directory for instance. However it will slow filename lookups - down slightly.

This option is enabled (i.e. smbd will - follow symbolic links) by default.

Default: follow symlinks = yes - -

force create mode (S)

This parameter specifies a set of UNIX mode bit - permissions that will always be set on a - file created by Samba. This is done by bitwise 'OR'ing these bits onto - the mode bits of a file that is being created or having its - permissions changed. The default for this parameter is (in octal) - 000. The modes in this parameter are bitwise 'OR'ed onto the file - mode after the mask set in the create mask - parameter is applied.

The example below would force all created files to have read and execute - permissions set for 'group' and 'other' as well as the - read/write/execute bits set for the 'user'.

Default: force create mode = 000 - -

Example: force create mode = 0755 - -

force directory mode (S)

This parameter specifies a set of UNIX mode bit - permissions that will always be set on a directory - created by Samba. This is done by bitwise 'OR'ing these bits onto the - mode bits of a directory that is being created. The default for this - parameter is (in octal) 0000 which will not add any extra permission - bits to a created directory. This operation is done after the mode - mask in the parameter directory mask is - applied.

The example below would force all created directories to have read and execute - permissions set for 'group' and 'other' as well as the - read/write/execute bits set for the 'user'.

Default: force directory mode = 000 - -

Example: force directory mode = 0755 - -

force directory security mode (S)

- This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating - the UNIX permission on a directory using the native NT security dialog box. -

- This parameter is applied as a mask (OR'ed with) to the changed permission bits, thus forcing any bits in this - mask that the user may have modified to be on. Make sure not to mix up this parameter with directory security mask, which works in a similar manner to this one, but uses a logical AND instead - of an OR. -

- Essentially, this mask may be treated as a set of bits that, when modifying security on a directory, - to will enable (1) any flags that are off (0) but which the mask has set to on (1). -

- If not set explicitly this parameter is 0000, which allows a user to modify all the user/group/world - permissions on a directory without restrictions. -

Note

- Users who can access the Samba server through other means can easily bypass this restriction, so it is - primarily useful for standalone "appliance" systems. Administrators of most normal systems will - probably want to leave it set as 0000. -

Default: force directory security mode = 0 - -

Example: force directory security mode = 700 - -

group

This parameter is a synonym for force group.

force group (S)

This specifies a UNIX group name that will be - assigned as the default primary group for all users connecting - to this service. This is useful for sharing files by ensuring - that all access to files on service will use the named group for - their permissions checking. Thus, by assigning permissions for this - group to the files and directories within this service the Samba - administrator can restrict or allow sharing of these files.

In Samba 2.0.5 and above this parameter has extended - functionality in the following way. If the group name listed here - has a '+' character prepended to it then the current user accessing - the share only has the primary group default assigned to this group - if they are already assigned as a member of that group. This allows - an administrator to decide that only users who are already in a - particular group will create files with group ownership set to that - group. This gives a finer granularity of ownership assignment. For - example, the setting force group = +sys means - that only users who are already in group sys will have their default - primary group assigned to sys when accessing this Samba share. All - other users will retain their ordinary primary group.

- If the force user parameter is also set the group specified in - force group will override the primary group - set in force user.

Default: force group = - -

Example: force group = agroup - -

force printername (S)

When printing from Windows NT (or later), - each printer in smb.conf has two - associated names which can be used by the client. The first - is the sharename (or shortname) defined in smb.conf. This - is the only printername available for use by Windows 9x clients. - The second name associated with a printer can be seen when - browsing to the "Printers" (or "Printers and Faxes") folder - on the Samba server. This is referred to simply as the printername - (not to be confused with the printer name option). -

When assigning a new driver to a printer on a remote - Windows compatible print server such as Samba, the Windows client - will rename the printer to match the driver name just uploaded. - This can result in confusion for users when multiple - printers are bound to the same driver. To prevent Samba from - allowing the printer's printername to differ from the sharename - defined in smb.conf, set force printername = yes. -

Be aware that enabling this parameter may affect migrating - printers from a Windows server to Samba since Windows has no way to - force the sharename and printername to match.

It is recommended that this parameter's value not be changed - once the printer is in use by clients as this could cause a user - not be able to delete printer connections from their local Printers - folder.

Default: force printername = no - -

force security mode (S)

- This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating - the UNIX permission on a file using the native NT security dialog box. -

- This parameter is applied as a mask (OR'ed with) to the changed permission bits, thus forcing any bits in this - mask that the user may have modified to be on. Make sure not to mix up this parameter with security mask, which works similar like this one but uses logical AND instead of OR. -

- Essentially, one bits in this mask may be treated as a set of bits that, when modifying security on a file, - the user has always set to be on. -

- If not set explicitly this parameter is set to 0, and allows a user to modify all the user/group/world - permissions on a file, with no restrictions. -

- Note that users who can access the Samba server through other means can easily bypass this - restriction, so it is primarily useful for standalone "appliance" systems. Administrators of most - normal systems will probably want to leave this set to 0000. -

Default: force security mode = 0 - -

Example: force security mode = 700 - -

force unknown acl user (S)

If this parameter is set, a Windows NT ACL that contains an unknown - SID (security descriptor, or representation of a user or group - id) as the owner or group owner of the file will be silently - mapped into the current UNIX uid or gid of the currently - connected user.

This is designed to allow Windows NT clients to copy files and - folders containing ACLs that were created locally on the client - machine and contain users local to that machine only (no domain - users) to be copied to a Samba server (usually with XCOPY /O) - and have the unknown userid and groupid of the file owner map to - the current connected user. This can only be fixed correctly - when winbindd allows arbitrary mapping from any Windows NT SID - to a UNIX uid or gid.

Try using this parameter when XCOPY /O gives an ACCESS_DENIED - error.

Default: force unknown acl user = no - -

force user (S)

This specifies a UNIX user name that will be - assigned as the default user for all users connecting to this service. - This is useful for sharing files. You should also use it carefully - as using it incorrectly can cause security problems.

This user name only gets used once a connection is established. - Thus clients still need to connect as a valid user and supply a - valid password. Once connected, all file operations will be performed - as the "forced user", no matter what username the client connected - as. This can be very useful.

In Samba 2.0.5 and above this parameter also causes the - primary group of the forced user to be used as the primary group - for all file activity. Prior to 2.0.5 the primary group was left - as the primary group of the connecting user (this was a bug).

Default: force user = - -

Example: force user = auser - -

fstype (S)

This parameter allows the administrator to - configure the string that specifies the type of filesystem a share - is using that is reported by smbd(8) when a client queries the filesystem type - for a share. The default type is NTFS for - compatibility with Windows NT but this can be changed to other - strings such as Samba or FAT - if required.

Default: fstype = NTFS - -

Example: fstype = Samba - -

get quota command (G)

The get quota command should only be used - whenever there is no operating system API available from the OS that - samba can use.

This option is only available with ./configure --with-sys-quotas. - Or on linux when ./configure --with-quotas was used and a working quota api - was found in the system.

This parameter should specify the path to a script that - queries the quota information for the specified - user/group for the partition that - the specified directory is on.

Such a script should take 3 arguments:

directory
type of query
uid of user or gid of group

The type of query can be one of :

1 - user quotas
2 - user default quotas (uid = -1)
3 - group quotas
4 - group default quotas (gid = -1)

This script should print one line as output with spaces between the arguments. The arguments are: -

Arg 1 - quota flags (0 = no quotas, 1 = quotas enabled, 2 = quotas enabled and enforced)
Arg 2 - number of currently used blocks
Arg 3 - the softlimit number of blocks
Arg 4 - the hardlimit number of blocks
Arg 5 - currently used number of inodes
Arg 6 - the softlimit number of inodes
Arg 7 - the hardlimit number of inodes
Arg 8(optional) - the number of bytes in a block(default is 1024)

Default: get quota command = - -

Example: get quota command = /usr/local/sbin/query_quota - -

getwd cache (G)

This is a tuning option. When this is enabled a - caching algorithm will be used to reduce the time taken for getwd() - calls. This can have a significant impact on performance, especially - when the wide smbconfoptions parameter is set to no.

Default: getwd cache = yes - -

guest account (G)

This is a username which will be used for access - to services which are specified as guest ok (see below). Whatever privileges this - user has will be available to any client connecting to the guest service. - This user must exist in the password file, but does not require - a valid login. The user account "ftp" is often a good choice - for this parameter. -

On some systems the default guest account "nobody" may not - be able to print. Use another account in this case. You should test - this by trying to log in as your guest user (perhaps by using the - su - command) and trying to print using the - system print command such as lpr(1) or - lp(1).

This parameter does not accept % macros, because - many parts of the system require this value to be - constant for correct operation.

Default: guest account = nobody -# default can be changed at compile-time - -

Example: guest account = ftp - -

public

This parameter is a synonym for guest ok.

guest ok (S)

If this parameter is yes for - a service, then no password is required to connect to the service. - Privileges will be those of the guest account.

This paramater nullifies the benifits of setting - restrict anonymous = 2 -

See the section below on security for more information about this option. -

Default: guest ok = no - -

only guest

This parameter is a synonym for guest only.

guest only (S)

If this parameter is yes for - a service, then only guest connections to the service are permitted. - This parameter will have no effect if guest ok is not set for the service.

See the section below on security for more information about this option. -

Default: guest only = no - -

hide dot files (S)

This is a boolean parameter that controls whether - files starting with a dot appear as hidden files.

Default: hide dot files = yes - -

hide files (S)

This is a list of files or directories that are not - visible but are accessible. The DOS 'hidden' attribute is applied - to any files or directories that match.

Each entry in the list must be separated by a '/', - which allows spaces to be included in the entry. '*' - and '?' can be used to specify multiple files or directories - as in DOS wildcards.

Each entry must be a Unix path, not a DOS path and must - not include the Unix directory separator '/'.

Note that the case sensitivity option is applicable - in hiding files.

Setting this parameter will affect the performance of Samba, - as it will be forced to check all files and directories for a match - as they are scanned.

- The example shown above is based on files that the Macintosh - SMB client (DAVE) available from - Thursby creates for internal use, and also still hides - all files beginning with a dot. -

- An example of us of this parameter is: -

-hide files = /.*/DesktopFolderDB/TrashFor%m/resource.frk/
-

Default: hide files = -# no file are hidden - -

hide special files (S)

This parameter prevents clients from seeing - special files such as sockets, devices and fifo's in directory - listings. -

Default: hide special files = no - -

hide unreadable (S)

This parameter prevents clients from seeing the - existance of files that cannot be read. Defaults to off.

Default: hide unreadable = no - -

hide unwriteable files (S)

This parameter prevents clients from seeing - the existance of files that cannot be written to. Defaults to off. - Note that unwriteable directories are shown as usual. -

Default: hide unwriteable files = no - -

homedir map (G)

If nis homedir is yes, - and smbd(8) is also acting - as a Win95/98 logon server then this parameter - specifies the NIS (or YP) map from which the server for the user's - home directory should be extracted. At present, only the Sun - auto.home map format is understood. The form of the map is:

username server:/some/file/system

and the program will extract the servername from before - the first ':'. There should probably be a better parsing system - that copes with different map formats and also Amd (another - automounter) maps.

Note

A working NIS client is required on - the system for this option to work.

Default: homedir map = - -

Example: homedir map = amd.homedir - -

host msdfs (G)

If set to yes, Samba will act as a Dfs - server, and allow Dfs-aware clients to browse Dfs trees hosted - on the server.

See also the msdfs root share level parameter. For - more information on setting up a Dfs tree on Samba, - refer to the MSFDS chapter in the book Samba3-HOWTO. -

Default: host msdfs = no - -

hostname lookups (G)

Specifies whether samba should use (expensive) - hostname lookups or use the ip addresses instead. An example place - where hostname lookups are currently used is when checking - the hosts deny and hosts allow. -

Default: hostname lookups = no - -

Example: hostname lookups = yes - -

allow hosts

This parameter is a synonym for hosts allow.

hosts allow (S)

A synonym for this parameter is allow - hosts.

This parameter is a comma, space, or tab delimited - set of hosts which are permitted to access a service.

If specified in the [global] section then it will - apply to all services, regardless of whether the individual - service has a different setting.

You can specify the hosts by name or IP number. For - example, you could restrict access to only the hosts on a - Class C subnet with something like allow hosts = 150.203.5. - . The full syntax of the list is described in the man - page hosts_access(5). Note that this man - page may not be present on your system, so a brief description will - be given here also.

Note that the localhost address 127.0.0.1 will always - be allowed access unless specifically denied by a hosts deny option.

You can also specify hosts by network/netmask pairs and - by netgroup names if your system supports netgroups. The - EXCEPT keyword can also be used to limit a - wildcard list. The following examples may provide some help:

Example 1: allow all IPs in 150.203.*.*; except one

hosts allow = 150.203. EXCEPT 150.203.6.66

Example 2: allow hosts that match the given network/netmask

hosts allow = 150.203.15.0/255.255.255.0

Example 3: allow a couple of hosts

hosts allow = lapland, arvidsjaur

Example 4: allow only hosts in NIS netgroup "foonet", but - deny access from one particular host

hosts allow = @foonet

hosts deny = pirate

Note

Note that access still requires suitable user-level passwords.

See testparm(1) for a way of testing your host access - to see if it does what you expect.

Default: hosts allow = -# none (i.e., all hosts permitted access) - -

Example: hosts allow = 150.203.5. myhost.mynet.edu.au - -

deny hosts

This parameter is a synonym for hosts deny.

hosts deny (S)

The opposite of hosts allow - - hosts listed here are NOT permitted access to - services unless the specific services have their own lists to override - this one. Where the lists conflict, the allow - list takes precedence.

Default: hosts deny = -# none (i.e., no hosts specifically excluded) - -

Example: hosts deny = 150.203.4. badhost.mynet.edu.au - -

hosts equiv (G)

If this global parameter is a non-null string, - it specifies the name of a file to read for the names of hosts - and users who will be allowed access without specifying a password. -

This is not be confused with hosts allow which is about hosts - access to services and is more useful for guest services. - hosts equiv may be useful for NT clients which will - not supply passwords to Samba.

Note

The use of hosts equiv - can be a major security hole. This is because you are - trusting the PC to supply the correct username. It is very easy to - get a PC to supply a false username. I recommend that the - hosts equiv option be only used if you really - know what you are doing, or perhaps on a home network where you trust - your spouse and kids. And only if you really trust - them :-).

Default: hosts equiv = -# no host equivalences - -

Example: hosts equiv = hosts equiv = /etc/hosts.equiv - -

idmap backend (G)

- The purpose of the idmap backend parameter is to allow idmap to NOT use the local idmap - tdb file to obtain SID to UID / GID mappings, but instead to obtain them from a common - LDAP backend. This way all domain members and controllers will have the same UID and GID - to SID mappings. This avoids the risk of UID / GID inconsistencies across UNIX / Linux - systems that are sharing information over protocols other than SMB/CIFS (ie: NFS). -

- An alternate method of SID to UID / GID mapping can be achieved using the idmap_rid - plug-in. This plug-in uses the account RID to derive the UID and GID by adding the - RID to a base value specified. This utility requires that the parameter - “allow trusted domains = No” must be specified, as it is not compatible - with multiple domain environments. The idmap uid and idmap gid ranges must also be - specified. -

Default: idmap backend = - -

Example: idmap backend = ldap:ldap://ldapslave.example.com - -

Example: idmap backend = idmap_rid:DOMNAME=1000-100000000 - -

winbind gid

This parameter is a synonym for idmap gid.

idmap gid (G)

The idmap gid parameter specifies the range of group ids that are allocated for - the purpose of mapping UNX groups to NT group SIDs. This range of group ids should have no - existing local or NIS groups within it as strange conflicts can occur otherwise.

The availability of an idmap gid range is essential for correct operation of - all group mapping.

Default: idmap gid = - -

Example: idmap gid = 10000-20000 - -

winbind uid

This parameter is a synonym for idmap uid.

idmap uid (G)

The idmap uid parameter specifies the range of user ids that are allocated for use - in mapping UNIX users to NT user SIDs. This range of ids should have no existing local - or NIS users within it as strange conflicts can occur otherwise.

Default: idmap uid = - -

Example: idmap uid = 10000-20000 - -

include (G)

This allows you to include one config file - inside another. The file is included literally, as though typed - in place.

It takes the standard substitutions, except %u -, %P and %S. -

Default: include = - -

Example: include = /usr/local/samba/lib/admin_smb.conf - -

inherit acls (S)

This parameter can be used to ensure that if default acls - exist on parent directories, they are always honored when creating a - subdirectory. The default behavior is to use the mode specified when - creating the directory. Enabling this option sets the mode to 0777, - thus guaranteeing that default directory acls are propagated. -

Default: inherit acls = no - -

inherit owner (S)

The ownership of new files and directories - is normally governed by effective uid of the connected user. - This option allows the Samba administrator to specify that - the ownership for new files and directories should be controlled - by the ownership of the parent directory.

Common scenarios where this behavior is useful is in - implementing drop-boxes where users can create and edit files but not - delete them and to ensure that newly create files in a user's - roaming profile directory are actually owner by the user.

Default: inherit owner = no - -

inherit permissions (S)

- The permissions on new files and directories are normally governed by create mask, - directory mask, force create mode and force directory mode but the boolean inherit permissions parameter overrides this. -

New directories inherit the mode of the parent directory, - including bits such as setgid.

- New files inherit their read/write bits from the parent directory. Their execute bits continue to be - determined by map archive, map hidden and map system as usual. -

Note that the setuid bit is never set via - inheritance (the code explicitly prohibits this).

This can be particularly useful on large systems with - many users, perhaps several thousand, to allow a single [homes] - share to be used flexibly by each user.

Default: inherit permissions = no - -

interfaces (G)

This option allows you to override the default - network interfaces list that Samba will use for browsing, name - registration and other NBT traffic. By default Samba will query - the kernel for the list of all active interfaces and use any - interfaces except 127.0.0.1 that are broadcast capable.

The option takes a list of interface strings. Each string - can be in any of the following forms:

a network interface name (such as eth0). - This may include shell-like wildcards so eth* will match - any interface starting with the substring "eth"
an IP address. In this case the netmask is - determined from the list of interfaces obtained from the - kernel
an IP/mask pair.
a broadcast/mask pair.

The "mask" parameters can either be a bit length (such - as 24 for a C class network) or a full netmask in dotted - decimal form.

The "IP" parameters above can either be a full dotted - decimal IP address or a hostname which will be looked up via - the OS's normal hostname resolution mechanisms.

Default: interfaces = -# all active interfaces except 127.0.0.1 that are broadcast capable - -

Example: interfaces = - -# This would configure three network interfaces corresponding - to the eth0 device and IP addresses 192.168.2.10 and 192.168.3.10. - The netmasks of the latter two interfaces would be set to 255.255.255.0. - eth0 192.168.2.10/24 192.168.3.10/255.255.255.0 - - -

invalid users (S)

This is a list of users that should not be allowed - to login to this service. This is really a paranoid - check to absolutely ensure an improper setting does not breach - your security.

A name starting with a '@' is interpreted as an NIS - netgroup first (if your system supports NIS), and then as a UNIX - group if the name was not found in the NIS netgroup database.

A name starting with '+' is interpreted only - by looking in the UNIX group database. A name starting with - '&' is interpreted only by looking in the NIS netgroup database - (this requires NIS to be working on your system). The characters - '+' and '&' may be used at the start of the name in either order - so the value +&group means check the - UNIX group database, followed by the NIS netgroup database, and - the value &+group means check the NIS - netgroup database, followed by the UNIX group database (the - same as the '@' prefix).

The current servicename is substituted for %S. - This is useful in the [homes] section.

Default: invalid users = -# no invalid users - -

Example: invalid users = root fred admin @wheel - -

keepalive (G)

The value of the parameter (an integer) represents - the number of seconds between keepalive - packets. If this parameter is zero, no keepalive packets will be - sent. Keepalive packets, if sent, allow the server to tell whether - a client is still present and responding.

Keepalives should, in general, not be needed if the socket - has the SO_KEEPALIVE attribute set on it by default. (see socket options). -Basically you should only use this option if you strike difficulties.

Default: keepalive = 300 - -

Example: keepalive = 600 - -

kernel change notify (G)

This parameter specifies whether Samba should ask the - kernel for change notifications in directories so that - SMB clients can refresh whenever the data on the server changes. -

This parameter is only used when your kernel supports - change notification to user programs, using the F_NOTIFY fcntl. -

Default: kernel change notify = yes - -

kernel oplocks (G)

For UNIXes that support kernel based oplocks - (currently only IRIX and the Linux 2.4 kernel), this parameter - allows the use of them to be turned on or off.

Kernel oplocks support allows Samba oplocks - to be broken whenever a local UNIX process or NFS operation - accesses a file that smbd(8) has oplocked. This allows complete - data consistency between SMB/CIFS, NFS and local file access (and is - a very cool feature :-).

This parameter defaults to on, but is translated - to a no-op on systems that no not have the necessary kernel support. - You should never need to touch this parameter.

Default: kernel oplocks = yes - -

lanman auth (G)

This parameter determines whether or not smbd(8) will attempt to - authenticate users or permit password changes - using the LANMAN password hash. If disabled, only clients which support NT - password hashes (e.g. Windows NT/2000 clients, smbclient, but not - Windows 95/98 or the MS DOS network client) will be able to - connect to the Samba host.

The LANMAN encrypted response is easily broken, due to it's - case-insensitive nature, and the choice of algorithm. Servers - without Windows 95/98/ME or MS DOS clients are advised to disable - this option.

Unlike the encypt - passwords option, this parameter cannot alter client - behaviour, and the LANMAN response will still be sent over the - network. See the client lanman - auth to disable this for Samba's clients (such as smbclient)

If this option, and ntlm - auth are both disabled, then only NTLMv2 logins will be - permited. Not all clients support NTLMv2, and most will require - special configuration to use it.

Default: lanman auth = yes - -

large readwrite (G)

This parameter determines whether or not - smbd(8) supports the new 64k - streaming read and write varient SMB requests introduced with - Windows 2000. Note that due to Windows 2000 client redirector bugs - this requires Samba to be running on a 64-bit capable operating - system such as IRIX, Solaris or a Linux 2.4 kernel. Can improve - performance by 10% with Windows 2000 clients. Defaults to on. Not as - tested as some other Samba code paths.

Default: large readwrite = yes - -

ldap admin dn (G)

The ldap admin dn - defines the Distinguished Name (DN) name used by Samba to - contact the ldap server when retreiving user account - information. The ldap admin dn is used in conjunction with the admin dn password - stored in the private/secrets.tdb file. - See the smbpasswd(8) man page for more - information on how to accmplish this.

No default

ldap delete dn (G)

This parameter specifies whether a delete - operation in the ldapsam deletes the complete entry or only the attributes - specific to Samba. -

Default: ldap delete dn = no - -

ldap group suffix (G)

This parameters specifies the suffix that is - used for groups when these are added to the LDAP directory. - If this parameter is unset, the value of ldap suffix will be used instead.

Default: ldap group suffix = - -

Example: ldap group suffix = ou=Groups,dc=samba,ou=Groups - -

ldap idmap suffix (G)

This parameters specifies the suffix that is - used when storing idmap mappings. If this parameter - is unset, the value of ldap suffix - will be used instead.

Default: ldap idmap suffix = - -

Example: ldap idmap suffix = ou=Idmap,dc=samba,dc=org - -

ldap machine suffix (G)

It specifies where machines should be added to the ldap tree.

Default: ldap machine suffix = - -

ldap passwd sync (G)

This option is used to define whether - or not Samba should sync the LDAP password with the NT - and LM hashes for normal accounts (NOT for - workstation, server or domain trusts) on a password - change via SAMBA. -

The ldap passwd sync can be set to one of three values:

Yes = Try - to update the LDAP, NT and LM passwords and update the pwdLastSet time.
No = Update NT and - LM passwords and update the pwdLastSet time.
Only = Only update - the LDAP password and let the LDAP server do the rest.

Default: ldap passwd sync = no - -

ldap port (G)

This parameter is only available if Samba has been - configure to include the --with-ldapsam option - at compile time.

This option is used to control the tcp port number used to contact - the ldap server. - The default is to use the stand LDAPS port 636.

Default: ldap port = 636 -# if ldap ssl = on - -

Default: ldap port = 389 -# if ldap ssl = off - -

ldap replication sleep (G)

When Samba is asked to write to a read-only LDAP -replica, we are redirected to talk to the read-write master server. -This server then replicates our changes back to the 'local' server, -however the replication might take some seconds, especially over slow -links. Certain client activities, particularly domain joins, can become -confused by the 'success' that does not immediately change the LDAP -back-end's data.

This option simply causes Samba to wait a short time, to -allow the LDAP server to catch up. If you have a particularly -high-latency network, you may wish to time the LDAP replication with a -network sniffer, and increase this value accordingly. Be aware that no -checking is performed that the data has actually replicated.

The value is specified in milliseconds, the maximum -value is 5000 (5 seconds).

Default: ldap replication sleep = 1000 - -

ldapsam:trusted (G)

-By default, Samba as a Domain Controller with an LDAP backend needs to use the -Unix-style NSS subsystem to access user and group information. Due to the way -Unix stores user information in /etc/passwd and /etc/group this inevitably -leads to inefficiencies. One important question a user needs to know is the -list of groups he is member of. The plain Unix model involves a complete -enumeration of the file /etc/group and its NSS counterparts in LDAP. In this -particular case there often optimized functions are available in Unix, but for -other queries there is no optimized function available.

To make Samba scale well in large environments, the ldapsam:trusted=yes -option assumes that the complete user and group database that is relevant to -Samba is stored in LDAP with the standard posixAccount/posixGroup model, and -that the Samba auxiliary object classes are stored together with the the posix -data in the same LDAP object. If these assumptions are met, -ldapsam:trusted=yes can be activated and Samba can completely bypass the NSS -system to query user information. Optimized LDAP queries can speed up domain -logon and administration tasks a lot. Depending on the size of the LDAP -database a factor of 100 or more for common queries is easily achieved.

Default: ldapsam:trusted = no - -

ldap server (G)

This parameter is only available if Samba has been - configure to include the --with-ldapsam - option at compile time.

This parameter should contain the FQDN of the ldap directory - server which should be queried to locate user account information. -

Default: ldap server = localhost - -

ldap ssl (G)

This option is used to define whether or not Samba should - use SSL when connecting to the ldap server - This is NOT related to - Samba's previous SSL support which was enabled by specifying the - --with-ssl option to the configure - script.

The ldap ssl can be set to one of three values:

Off = Never - use SSL when querying the directory.
Start_tls = Use - the LDAPv3 StartTLS extended operation (RFC2830) for - communicating with the directory server.
On = Use SSL - on the ldaps port when contacting the ldap server. Only available when the - backwards-compatiblity --with-ldapsam option is specified - to configure. See passdb backend

Default: ldap ssl = start_tls - -

ldap suffix (G)

Specifies where user and machine accounts are added to the - tree. Can be overriden by ldap user suffix and - ldap machine suffix. It also used as the base dn for all ldap -searches.

Default: ldap suffix = - -

ldap timeout (G)

When Samba connects to an ldap server that server -may be down or unreachable. To prevent Samba from hanging whilst -waiting for the connection this parameter specifies in seconds how -long Samba should wait before failing the connect. The default is -to only wait fifteen seconds for the ldap server to respond to the -connect request.

Default: ldap timeout = 15 - -

ldap user suffix (G)

This parameter specifies where users are added to the tree. - If this parameter is not specified, the value from ldap suffix.

Default: ldap user suffix = - -

level2 oplocks (S)

This parameter controls whether Samba supports - level2 (read-only) oplocks on a share.

Level2, or read-only oplocks allow Windows NT clients - that have an oplock on a file to downgrade from a read-write oplock - to a read-only oplock once a second client opens the file (instead - of releasing all oplocks on a second open, as in traditional, - exclusive oplocks). This allows all openers of the file that - support level2 oplocks to cache the file for read-ahead only (ie. - they may not cache writes or lock requests) and increases performance - for many accesses of files that are not commonly written (such as - application .EXE files).

Once one of the clients which have a read-only oplock - writes to the file all clients are notified (no reply is needed - or waited for) and told to break their oplocks to "none" and - delete any read-ahead caches.

It is recommended that this parameter be turned on to - speed access to shared executables.

For more discussions on level2 oplocks see the CIFS spec.

- Currently, if kernel oplocks are supported then - level2 oplocks are not granted (even if this parameter is set to - yes). Note also, the oplocks - parameter must be set to yes on this share in order for - this parameter to have any effect.

Default: level2 oplocks = yes - -

lm announce (G)

This parameter determines if nmbd(8) will produce Lanman announce - broadcasts that are needed by OS/2 clients in order for them to see - the Samba server in their browse list. This parameter can have three - values, yes, no, or - auto. The default is auto. - If set to no Samba will never produce these - broadcasts. If set to yes Samba will produce - Lanman announce broadcasts at a frequency set by the parameter - lm interval. If set to auto - Samba will not send Lanman announce broadcasts by default but will - listen for them. If it hears such a broadcast on the wire it will - then start sending them at a frequency set by the parameter - lm interval.

Default: lm announce = auto - -

Example: lm announce = yes - -

lm interval (G)

If Samba is set to produce Lanman announce - broadcasts needed by OS/2 clients (see the - lm announce parameter) then this - parameter defines the frequency in seconds with which they will be - made. If this is set to zero then no Lanman announcements will be - made despite the setting of the lm announce - parameter.

Default: lm interval = 60 - -

Example: lm interval = 120 - -

load printers (G)

A boolean variable that controls whether all - printers in the printcap will be loaded for browsing by default. - See the printers section for - more details.

Default: load printers = yes - -

local master (G)

This option allows nmbd(8) to try and become a local master browser - on a subnet. If set to no then - nmbd will not attempt to become a local master browser - on a subnet and will also lose in all browsing elections. By - default this value is set to yes. Setting this value to - yes doesn't mean that Samba will become the - local master browser on a subnet, just that nmbd - will participate in elections for local master browser.

Setting this value to no will cause nmbd never to become a local -master browser.

Default: local master = yes - -

lock dir

This parameter is a synonym for lock directory.

lock directory (G)

This option specifies the directory where lock - files will be placed. The lock files are used to implement the - max connections option. -

Default: lock directory = ${prefix}/var/locks - -

Example: lock directory = /var/run/samba/locks - -

locking (S)

This controls whether or not locking will be - performed by the server in response to lock requests from the - client.

If locking = no, all lock and unlock - requests will appear to succeed and all lock queries will report - that the file in question is available for locking.

If locking = yes, real locking will be performed - by the server.

This option may be useful for read-only - filesystems which may not need locking (such as - CDROM drives), although setting this parameter of no - is not really recommended even in this case.

Be careful about disabling locking either globally or in a - specific service, as lack of locking may result in data corruption. - You should never need to set this parameter.

No default

lock spin count (G)

This parameter controls the number of times - that smbd should attempt to gain a byte range lock on the - behalf of a client request. Experiments have shown that - Windows 2k servers do not reply with a failure if the lock - could not be immediately granted, but try a few more times - in case the lock could later be acquired. This behavior - is used to support PC database formats such as MS Access - and FoxPro. -

Default: lock spin count = 3 - -

lock spin time (G)

The time in microseconds that smbd should - pause before attempting to gain a failed lock. See - lock spin count for more details.

Default: lock spin time = 10 - -

log file (G)

This option allows you to override the name - of the Samba log file (also known as the debug file).

This option takes the standard substitutions, allowing - you to have separate log files for each user or machine.

No default

Example: log file = /usr/local/samba/var/log.%m - -

debuglevel

This parameter is a synonym for log level.

log level (G)

The value of the parameter (a astring) allows - the debug level (logging level) to be specified in the - smb.conf file. This parameter has been - extended since the 2.2.x series, now it allow to specify the debug - level for multiple debug classes. This is to give greater - flexibility in the configuration of the system.

The default will be the log level specified on - the command line or level zero if none was specified.

No default

Example: log level = 3 passdb:5 auth:10 winbind:2 - -

logon drive (G)

- This parameter specifies the local path to which the home directory will be - connected (see logon home) and is only used by NT - Workstations. -

- Note that this option is only useful if Samba is set up as a logon server. -

Default: logon drive = z: - -

Example: logon drive = h: - -

logon home (G)

- This parameter specifies the home directory location when a Win95/98 or NT Workstation logs into a Samba PDC. - It allows you to do -

- C:\>NET USE H: /HOME -

- from a command prompt, for example. -

- This option takes the standard substitutions, allowing you to have separate logon scripts for each user or machine. -

- This parameter can be used with Win9X workstations to ensure that roaming profiles are stored in a - subdirectory of the user's home directory. This is done in the following way: -

- logon home = \\%N\%U\profile -

- This tells Samba to return the above string, with substitutions made when a client requests the info, generally - in a NetUserGetInfo request. Win9X clients truncate the info to \\server\share when a user does - net use /home but use the whole string when dealing with profiles. -

- Note that in prior versions of Samba, the logon path was returned rather than - logon home. This broke net use /home - but allowed profiles outside the home directory. The current implementation is correct, and can be used for - profiles if you use the above trick. -

- Disable this feature by setting logon home = "" - using the empty string. -

- This option is only useful if Samba is set up as a logon server. -

Default: logon home = \\%N\%U - -

Example: logon home = \\remote_smb_server\%U - -

logon path (G)

- This parameter specifies the directory where roaming profiles (Desktop, NTuser.dat, etc) are - stored. Contrary to previous versions of these manual pages, it has nothing to do with Win 9X roaming - profiles. To find out how to handle roaming profiles for Win 9X system, see the - logon home parameter. -

- This option takes the standard substitutions, allowing you to have separate logon scripts for each user or - machine. It also specifies the directory from which the "Application Data", (desktop, start menu, network neighborhood, programs and other - folders, and their contents, are loaded and displayed on your Windows NT client. -

- The share and the path must be readable by the user for the preferences and directories to be loaded onto the - Windows NT client. The share must be writeable when the user logs in for the first time, in order that the - Windows NT client can create the NTuser.dat and other directories. - Thereafter, the directories and any of the contents can, if required, be made read-only. It is not advisable - that the NTuser.dat file be made read-only - rename it to NTuser.man to achieve the desired effect (a - MANdatory profile). -

- Windows clients can sometimes maintain a connection to the [homes] share, even though there is no user logged - in. Therefore, it is vital that the logon path does not include a reference to the homes share (i.e. setting - this parameter to \\%N\homes\profile_path will cause problems). -

- This option takes the standard substitutions, allowing you to have separate logon scripts for each user or machine. -

Warning

- Do not quote the value. Setting this as “\\%N\profile\%U” - will break profile handling. Where the tdbsam or ldapsam passdb backend - is used, at the time the user account is created the value configured - for this parameter is written to the passdb backend and that value will - over-ride the parameter value present in the smb.conf file. Any error - present in the passdb backend account record must be editted using the - appropriate tool (pdbedit on the command-line, or any other locally - provided system tool. -

Note that this option is only useful if Samba is set up as a domain controller.

- Disable the use of roaming profiles by setting the value of this parameter to the empty string. For - example, logon path = "". Take note that even if the default setting - in the smb.conf file is the empty string, any value specified in the user account settings in the passdb - backend will over-ride the effect of setting this parameter to null. Disabling of all roaming profile use - requires that the user account settings must also be blank. -

- An example of use is: -

-logon path = \\PROFILESERVER\PROFILE\%U
-

Default: logon path = \\%N\%U\profile - -

logon script (G)

- This parameter specifies the batch file (.bat) or NT command file - (.cmd) to be downloaded and run on a machine when a user successfully logs in. The file - must contain the DOS style CR/LF line endings. Using a DOS-style editor to create the file is recommended. -

- The script must be a relative path to the [netlogon] service. If the [netlogon] - service specifies a path of /usr/local/samba/netlogon, and logon script = STARTUP.BAT, then the file that will be downloaded is: -

-	/usr/local/samba/netlogon/STARTUP.BAT
-

- The contents of the batch file are entirely your choice. A suggested command would be to add NET TIME \\SERVER /SET /YES, to force every machine to synchronize clocks with the - same time server. Another use would be to add NET USE U: \\SERVER\UTILS - for commonly used utilities, or

 NET USE Q: \\SERVER\ISO9001_QA

for - example. -

- Note that it is particularly important not to allow write access to the [netlogon] share, or to grant users - write permission on the batch files in a secure environment, as this would allow the batch files to be - arbitrarily modified and security to be breached. -

- This option takes the standard substitutions, allowing you to have separate logon scripts for each user or - machine. -

- This option is only useful if Samba is set up as a logon server. -

Default: logon script = - -

Example: logon script = scripts\%U.bat - -

lppause command (S)

This parameter specifies the command to be - executed on the server host in order to stop printing or spooling - a specific print job.

This command should be a program or script which takes - a printer name and job number to pause the print job. One way - of implementing this is by using job priorities, where jobs - having a too low priority won't be sent to the printer.

If a %p is given then the printer name - is put in its place. A %j is replaced with - the job number (an integer). On HPUX (see printing=hpux -), if the -p%p option is added - to the lpq command, the job will show up with the correct status, i.e. - if the job priority is lower than the set fence priority it will - have the PAUSED status, whereas if the priority is equal or higher it - will have the SPOOLED or PRINTING status.

Note that it is good practice to include the absolute path - in the lppause command as the PATH may not be available to the server.

Default: lppause command = -# Currently no default value is given to - this string, unless the value of the printing - parameter is SYSV, in which case the default is : lp -i %p-%j -H hold or if the value of the printing parameter is SOFTQ, then the default is: qstat -s -j%j -h. - -

Example: lppause command = /usr/bin/lpalt %p-%j -p0 - -

lpq cache time (G)

This controls how long lpq info will be cached - for to prevent the lpq command being called too - often. A separate cache is kept for each variation of the - lpq command used by the system, so if you use different - lpq commands for different users then they won't - share cache information.

The cache files are stored in /tmp/lpq.xxxx - where xxxx is a hash of the lpq command in use.

The default is 10 seconds, meaning that the cached results - of a previous identical lpq command will be used - if the cached data is less than 10 seconds old. A large value may - be advisable if your lpq command is very slow.

A value of 0 will disable caching completely.

Default: lpq cache time = 10 - -

Example: lpq cache time = 30 - -

lpq command (S)

This parameter specifies the command to be - executed on the server host in order to obtain lpq - -style printer status information.

This command should be a program or script which - takes a printer name as its only parameter and outputs printer - status information.

Currently nine styles of printer status information - are supported; BSD, AIX, LPRNG, PLP, SYSV, HPUX, QNX, CUPS, and SOFTQ. - This covers most UNIX systems. You control which type is expected - using the printing = option.

Some clients (notably Windows for Workgroups) may not - correctly send the connection number for the printer they are - requesting status information about. To get around this, the - server reports on the first printer service connected to by the - client. This only happens if the connection number sent is invalid.

If a %p is given then the printer name - is put in its place. Otherwise it is placed at the end of the - command.

Note that it is good practice to include the absolute path - in the lpq command as the $PATH - may not be available to the server. When compiled with - the CUPS libraries, no lpq command is - needed because smbd will make a library call to obtain the - print queue listing.

Default: lpq command = - -

Example: lpq command = /usr/bin/lpq -P%p - -

lpresume command (S)

This parameter specifies the command to be - executed on the server host in order to restart or continue - printing or spooling a specific print job.

This command should be a program or script which takes - a printer name and job number to resume the print job. See - also the lppause command parameter.

If a %p is given then the printer name - is put in its place. A %j is replaced with - the job number (an integer).

Note that it is good practice to include the absolute path - in the lpresume command as the PATH may not - be available to the server.

Warning

If two clients use the same magic script - in the same directory the output file content - is undefined.

Default: magic output = <magic script name>.out - -

Example: magic output = myfile.txt - -

magic script (S)

This parameter specifies the name of a file which, - if opened, will be executed by the server when the file is closed. - This allows a UNIX script to be sent to the Samba host and - executed on behalf of the connected user.

Scripts executed in this way will be deleted upon - completion assuming that the user has the appropriate level - of privilege and the file permissions allow the deletion.

If the script generates output, output will be sent to - the file specified by the magic output - parameter (see above).

Note that some shells are unable to interpret scripts - containing CR/LF instead of CR as - the end-of-line marker. Magic scripts must be executable - as is on the host, which for some hosts and - some shells will require filtering at the DOS end.

Magic scripts are EXPERIMENTAL and - should NOT be relied upon.

Default: magic script = - -

Example: magic script = user.csh - -

mangled map (S)

This is for those who want to directly map UNIX - file names which cannot be represented on Windows/DOS. The mangling - of names is not always what is needed. In particular you may have - documents with file extensions that differ between DOS and UNIX. - For example, under UNIX it is common to use .html - for HTML files, whereas under Windows/DOS .htm - is more commonly used.

So to map html to htm - you would use:

mangled map = (*.html *.htm).

One very useful case is to remove the annoying ;1 - off the ends of filenames on some CDROMs (only visible - under some UNIXes). To do this use a map of (*;1 *;).

Default: mangled map = -# no mangled map - -

Example: mangled map = (*;1 *;) - -

mangled names (S)

This controls whether non-DOS names under UNIX - should be mapped to DOS-compatible names ("mangled") and made visible, - or whether non-DOS names should simply be ignored.

See the section on name mangling for - details on how to control the mangling process.

If mangling is used then the mangling algorithm is as follows:

The first (up to) five alphanumeric characters - before the rightmost dot of the filename are preserved, forced - to upper case, and appear as the first (up to) five characters - of the mangled name.
A tilde "~" is appended to the first part of the mangled - name, followed by a two-character unique sequence, based on the - original root name (i.e., the original filename minus its final - extension). The final extension is included in the hash calculation - only if it contains any upper case characters or is longer than three - characters.
Note that the character to use may be specified using - the mangling char - option, if you don't like '~'.
Files whose UNIX name begins with a dot will be - presented as DOS hidden files. The mangled name will be created as - for other filenames, but with the leading dot removed and "___" as - its extension regardless of actual original extension (that's three - underscores).

The two-digit hash value consists of upper case alphanumeric characters.

This algorithm can cause name collisions only if files - in a directory share the same first five alphanumeric characters. - The probability of such a clash is 1/1300.

The name mangling (if enabled) allows a file to be - copied between UNIX directories from Windows/DOS while retaining - the long UNIX filename. UNIX files can be renamed to a new extension - from Windows/DOS and will retain the same basename. Mangled names - do not change between sessions.

Default: mangled names = yes - -

mangle prefix (G)

controls the number of prefix - characters from the original name used when generating - the mangled names. A larger value will give a weaker - hash and therefore more name collisions. The minimum - value is 1 and the maximum value is 6.

- mangle prefix is effective only when mangling method is hash2. -

Default: mangle prefix = 1 - -

Example: mangle prefix = 4 - -

mangling char (S)

This controls what character is used as - the magic character in name mangling. The - default is a '~' but this may interfere with some software. Use this option to set - it to whatever you prefer. This is effective only when mangling method is hash.

Default: mangling char = ~ - -

Example: mangling char = ^ - -

mangling method (G)

controls the algorithm used for the generating - the mangled names. Can take two different values, "hash" and - "hash2". "hash" is the algorithm that was used - used in Samba for many years and was the default in Samba 2.2.x "hash2" is - now the default and is newer and considered a better algorithm (generates less collisions) in - the names. Many Win32 applications store the mangled names and so - changing to algorithms must not be done lightly as these applications - may break unless reinstalled.

Default: mangling method = hash2 - -

Example: mangling method = hash - -

map acl inherit (S)

This boolean parameter controls whether smbd(8) will attempt to map the 'inherit' and 'protected' - access control entry flags stored in Windows ACLs into an extended attribute - called user.SAMBA_PAI. This parameter only takes effect if Samba is being run - on a platform that supports extended attributes (Linux and IRIX so far) and - allows the Windows 2000 ACL editor to correctly use inheritance with the Samba - POSIX ACL mapping code. -

Default: map acl inherit = no - -

map archive (S)

This controls whether the DOS archive attribute - should be mapped to the UNIX owner execute bit. The DOS archive bit - is set when a file has been modified since its last backup. One - motivation for this option it to keep Samba/your PC from making - any file it touches from becoming executable under UNIX. This can - be quite annoying for shared source code, documents, etc...

Note that this requires the create mask - parameter to be set such that owner execute bit is not masked out - (i.e. it must include 100). See the parameter create mask for details.

Default: map archive = yes - -

map hidden (S)

This controls whether DOS style hidden files - should be mapped to the UNIX world execute bit.

Note that this requires the create mask - to be set such that the world execute bit is not masked out (i.e. - it must include 001). See the parameter create mask for details.

No default

map system (S)

This controls whether DOS style system files - should be mapped to the UNIX group execute bit.

Note that this requires the create mask - to be set such that the group execute bit is not masked out (i.e. - it must include 010). See the parameter create mask - for details.

Default: map system = no - -

map to guest (G)

This parameter is only useful in SECURITY = - security modes other than security = share - - i.e. user, server, - and domain.

This parameter can take four different values, which tell - smbd(8) what to do with user - login requests that don't match a valid UNIX user in some way.

The three settings are :

Never - Means user login - requests with an invalid password are rejected. This is the - default.
Bad User - Means user - logins with an invalid password are rejected, unless the username - does not exist, in which case it is treated as a guest login and - mapped into the guest account.
Bad Password - Means user logins - with an invalid password are treated as a guest login and mapped - into the guest account. Note that - this can cause problems as it means that any user incorrectly typing - their password will be silently logged on as "guest" - and - will not know the reason they cannot access files they think - they should - there will have been no message given to them - that they got their password wrong. Helpdesk services will - hate you if you set the map to - guest parameter this way :-).
Bad Uid - Is only applicable when Samba is configured - in some type of domain mode security (security = {domain|ads}) and means that - user logins which are successfully authenticated but which have no valid Unix - user account (and smbd is unable to create one) should be mapped to the defined - guest account. This was the default behavior of Samba 2.x releases. Note that - if a member server is running winbindd, this option should never be required - because the nss_winbind library will export the Windows domain users and groups - to the underlying OS via the Name Service Switch interface.

Note that this parameter is needed to set up "Guest" - share services when using security modes other than - share. This is because in these modes the name of the resource being - requested is not sent to the server until after - the server has successfully authenticated the client so the server - cannot make authentication decisions at the correct time (connection - to the share) for "Guest" shares.

For people familiar with the older Samba releases, this - parameter maps to the old compile-time setting of the - GUEST_SESSSETUP value in local.h.

Default: map to guest = Never - -

Example: map to guest = Bad User - -

max connections (S)

This option allows the number of simultaneous connections to a service to be limited. - If max connections is greater than 0 then connections - will be refused if this number of connections to the service are already open. A value - of zero mean an unlimited number of connections may be made.

Record lock files are used to implement this feature. The lock files will be stored in - the directory specified by the lock directory option.

Default: max connections = 0 - -

Example: max connections = 10 - -

max disk size (G)

This option allows you to put an upper limit - on the apparent size of disks. If you set this option to 100 - then all shares will appear to be not larger than 100 MB in - size.

Note that this option does not limit the amount of - data you can put on the disk. In the above case you could still - store much more than 100 MB on the disk, but if a client ever asks - for the amount of free disk space or the total disk size then the - result will be bounded by the amount specified in max - disk size.

This option is primarily useful to work around bugs - in some pieces of software that can't handle very large disks, - particularly disks over 1GB in size.

A max disk size of 0 means no limit.

Default: max disk size = 0 - -

Example: max disk size = 1000 - -

max log size (G)

This option (an integer in kilobytes) specifies - the max size the log file should grow to. Samba periodically checks - the size and if it is exceeded it will rename the file, adding - a .old extension.

A size of 0 means no limit.

Default: max log size = 5000 - -

Default: max log size = 1000 - -

max mux (G)

This option controls the maximum number of - outstanding simultaneous SMB operations that Samba tells the client - it will allow. You should never need to set this parameter.

Default: max mux = 50 - -

max open files (G)

This parameter limits the maximum number of - open files that one smbd(8) file - serving process may have open for a client at any one time. The - default for this parameter is set very high (10,000) as Samba uses - only one bit per unopened file.

The limit of the number of open files is usually set - by the UNIX per-process file descriptor limit rather than - this parameter so you should never need to touch this parameter.

Default: max open files = 10000 - -

max print jobs (S)

This parameter limits the maximum number of - jobs allowable in a Samba printer queue at any given moment. - If this number is exceeded, smbd(8) will remote "Out of Space" to the client. -

Default: max print jobs = 1000 - -

Example: max print jobs = 5000 - -

protocol

This parameter is a synonym for max protocol.

max protocol (G)

The value of the parameter (a string) is the highest - protocol level that will be supported by the server.

Possible values are :

CORE: Earliest version. No - concept of user names.
COREPLUS: Slight improvements on - CORE for efficiency.
LANMAN1: First - modern version of the protocol. Long filename - support.
LANMAN2: Updates to Lanman1 protocol.
NT1: Current up to date version of the protocol. - Used by Windows NT. Known as CIFS.

Normally this option should not be set as the automatic - negotiation phase in the SMB protocol takes care of choosing - the appropriate protocol.

Default: max protocol = NT1 - -

Example: max protocol = LANMAN1 - -

max reported print jobs (S)

This parameter limits the maximum number of - jobs displayed in a port monitor for Samba printer queue at any given - moment. If this number is exceeded, the excess jobs will not be shown. - A value of zero means there is no limit on the number of print - jobs reported.

Default: max reported print jobs = 0 - -

Example: max reported print jobs = 1000 - -

max smbd processes (G)

This parameter limits the maximum number of smbd(8) processes concurrently running on a system and is intended - as a stopgap to prevent degrading service to clients in the event that the server has insufficient - resources to handle more than this number of connections. Remember that under normal operating - conditions, each user will have an smbd(8) associated with him or her to handle connections to all - shares from a given host.

Default: max smbd processes = 0 - -

Example: max smbd processes = 1000 - -

max stat cache size (G)

This parameter limits the size in memory of any - stat cache being used - to speed up case insensitive name mappings. This parameter is - the number of kilobyte (1024) units the stat cache can use. - The default is zero, which means unlimited. You should not need - to change this parameter.

Default: max stat cache size = 0 - -

Example: max stat cache size = 1024 - -

max ttl (G)

This option tells nmbd(8) what the default 'time to live' - of NetBIOS names should be (in seconds) when nmbd is - requesting a name using either a broadcast packet or from a WINS server. You should - never need to change this parameter. The default is 3 days.

Default: max ttl = 259200 - -

max wins ttl (G)

This option tells smbd(8) when acting as a WINS server - (wins support = yes) what the maximum - 'time to live' of NetBIOS names that nmbd - will grant will be (in seconds). You should never need to change this - parameter. The default is 6 days (518400 seconds).

Default: max wins ttl = 518400 - -

max xmit (G)

This option controls the maximum packet size - that will be negotiated by Samba. The default is 65535, which - is the maximum. In some cases you may find you get better performance - with a smaller value. A value below 2048 is likely to cause problems. -

Default: max xmit = 65535 - -

Example: max xmit = 8192 - -

message command (G)

This specifies what command to run when the - server receives a WinPopup style message.

This would normally be a command that would - deliver the message somehow. How this is to be done is - up to your imagination.

An example is:

message command = csh -c 'xedit %s;rm %s' & -

This delivers the message using xedit, then - removes it afterwards. NOTE THAT IT IS VERY IMPORTANT - THAT THIS COMMAND RETURN IMMEDIATELY. That's why I - have the '&' on the end. If it doesn't return immediately then - your PCs may freeze when sending messages (they should recover - after 30 seconds, hopefully).

All messages are delivered as the global guest user. - The command takes the standard substitutions, although - %u won't work (%U may be better - in this case).

Apart from the standard substitutions, some additional - ones apply. In particular:

%s = the filename containing - the message.
%t = the destination that - the message was sent to (probably the server name).
%f = who the message - is from.

You could make this command send mail, or whatever else - takes your fancy. Please let us know of any really interesting - ideas you have.

Here's a way of sending the messages as mail to root:

message command = /bin/mail -s 'message from %f on - %m' root < %s; rm %s

If you don't have a message command then the message - won't be delivered and Samba will tell the sender there was - an error. Unfortunately WfWg totally ignores the error code - and carries on regardless, saying that the message was delivered. -

If you want to silently delete it then try:

message command = rm %s

Default: message command = - -

Example: message command = csh -c 'xedit %s; rm %s' & - -

min print space (S)

This sets the minimum amount of free disk - space that must be available before a user will be able to spool - a print job. It is specified in kilobytes. The default is 0, which - means a user can always spool a print job.

Default: min print space = 0 - -

Example: min print space = 2000 - -

min protocol (G)

The value of the parameter (a string) is the - lowest SMB protocol dialect than Samba will support. Please refer - to the max protocol - parameter for a list of valid protocol names and a brief description - of each. You may also wish to refer to the C source code in - source/smbd/negprot.c for a listing of known protocol - dialects supported by clients.

If you are viewing this parameter as a security measure, you should - also refer to the lanman auth parameter. Otherwise, you should never need - to change this parameter.

Default: min protocol = CORE - -

Example: min protocol = NT1 - -

min wins ttl (G)

This option tells nmbd(8) - when acting as a WINS server (wins support = yes) what the minimum 'time to live' - of NetBIOS names that nmbd will grant will be (in - seconds). You should never need to change this parameter. The default - is 6 hours (21600 seconds).

Default: min wins ttl = 21600 - -

msdfs proxy (S)

This parameter indicates that the share is a - stand-in for another CIFS share whose location is specified by - the value of the parameter. When clients attempt to connect to - this share, they are redirected to the proxied share using - the SMB-Dfs protocol.

Only Dfs roots can act as proxy shares. Take a look at the - msdfs root and host msdfs - options to find out how to set up a Dfs root share.

No default

Example: msdfs proxy = \otherserver\someshare - -

msdfs root (S)

If set to yes, Samba treats the - share as a Dfs root and allows clients to browse the - distributed file system tree rooted at the share directory. - Dfs links are specified in the share directory by symbolic - links of the form msdfs:serverA\\shareA,serverB\\shareB - and so on. For more information on setting up a Dfs tree on - Samba, refer to the MSDFS chapter in the Samba3-HOWTO book.

Default: msdfs root = no - -

name cache timeout (G)

Specifies the number of seconds it takes before - entries in samba's hostname resolve cache time out. If - the timeout is set to 0. the caching is disabled. -

Default: name cache timeout = 660 - -

Example: name cache timeout = 0 - -

name resolve order (G)

This option is used by the programs in the Samba - suite to determine what naming services to use and in what order - to resolve host names to IP addresses. Its main purpose to is to - control how netbios name resolution is performed. The option takes a space - separated string of name resolution options.

The options are: "lmhosts", "host", - "wins" and "bcast". They cause names to be - resolved as follows:

lmhosts : Lookup an IP - address in the Samba lmhosts file. If the line in lmhosts has - no name type attached to the NetBIOS name (see the <usmbconfoption>lmhosts(5)</usmbconfoption> for details) then - any name type matches for lookup.
host : Do a standard host - name to IP address resolution, using the system /etc/hosts -, NIS, or DNS lookups. This method of name resolution - is operating system depended for instance on IRIX or Solaris this - may be controlled by the /etc/nsswitch.conf - file. Note that this method is used only if the NetBIOS name - type being queried is the 0x20 (server) name type or 0x1c (domain controllers). - The latter case is only useful for active directory domains and results in a DNS - query for the SRV RR entry matching _ldap._tcp.domain.
wins : Query a name with - the IP address listed in the WINSSERVER parameter. If no WINS server has - been specified this method will be ignored.
bcast : Do a broadcast on - each of the known local interfaces listed in the interfaces - parameter. This is the least reliable of the name resolution - methods as it depends on the target host being on a locally - connected subnet.

The example below will cause the local lmhosts file to be examined - first, followed by a broadcast attempt, followed by a normal - system hostname lookup.

When Samba is functioning in ADS security mode (security = ads) - it is advised to use following settings for name resolve order:

name resolve order = wins bcast

DC lookups will still be done via DNS, but fallbacks to netbios names will - not inundate your DNS servers with needless querys for DOMAIN<0x1c> lookups.

Default: name resolve order = lmhosts host wins bcast - -

Example: name resolve order = lmhosts bcast host - -

netbios aliases (G)

This is a list of NetBIOS names that nmbd will - advertise as additional names by which the Samba server is known. This allows one machine - to appear in browse lists under multiple names. If a machine is acting as a browse server - or logon server none of these names will be advertised as either browse server or logon - servers, only the primary name of the machine will be advertised with these capabilities. -

Default: netbios aliases = -# empty string (no additional names) - -

Example: netbios aliases = TEST TEST1 TEST2 - -

netbios name (G)

This sets the NetBIOS name by which a Samba - server is known. By default it is the same as the first component - of the host's DNS name. If a machine is a browse server or - logon server this name (or the first component - of the hosts DNS name) will be the name that these services are - advertised under.

Default: netbios name = -# machine DNS name - -

Example: netbios name = MYNAME - -

netbios scope (G)

This sets the NetBIOS scope that Samba will - operate under. This should not be set unless every machine - on your LAN also sets this value.

Default: netbios scope = - -

nis homedir (G)

Get the home share server from a NIS map. For - UNIX systems that use an automounter, the user's home directory - will often be mounted on a workstation on demand from a remote - server.

When the Samba logon server is not the actual home directory - server, but is mounting the home directories via NFS then two - network hops would be required to access the users home directory - if the logon server told the client to use itself as the SMB server - for home directories (one over SMB and one over NFS). This can - be very slow.

This option allows Samba to return the home share as - being on a different server to the logon server and as - long as a Samba daemon is running on the home directory server, - it will be mounted on the Samba client directly from the directory - server. When Samba is returning the home share to the client, it - will consult the NIS map specified in - homedir map and return the server - listed there.

Note that for this option to work there must be a working - NIS system and the Samba server with this option must also - be a logon server.

Default: nis homedir = no - -

nt acl support (S)

This boolean parameter controls whether smbd(8) will attempt to map - UNIX permissions into Windows NT access control lists. - This parameter was formally a global parameter in releases - prior to 2.2.2.

Default: nt acl support = yes - -

ntlm auth (G)

This parameter determines whether or not smbd(8) will attempt to - authenticate users using the NTLM encrypted password response. - If disabled, either the lanman password hash or an NTLMv2 response - will need to be sent by the client.

If this option, and lanman - auth are both disabled, then only NTLMv2 logins will be - permited. Not all clients support NTLMv2, and most will require - special configuration to us it.

Default: ntlm auth = yes - -

nt pipe support (G)

This boolean parameter controls whether - smbd(8) will allow Windows NT - clients to connect to the NT SMB specific IPC$ - pipes. This is a developer debugging option and can be left - alone.

Default: nt pipe support = yes - -

nt status support (G)

This boolean parameter controls whether smbd(8) will negotiate NT specific status - support with Windows NT/2k/XP clients. This is a developer debugging option and should be left alone. - If this option is set to no then Samba offers - exactly the same DOS error codes that versions prior to Samba 2.2.3 - reported.

You should not need to ever disable this parameter.

Default: nt status support = yes - -

null passwords (G)

Allow or disallow client access to accounts that have null passwords.

Warning

DO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ AND - UNDERSTOOD THE SAMBA OPLOCK CODE.

Default: oplock break wait time = 0 - -

oplock contention limit (S)

This is a very advanced - smbd(8) tuning option to - improve the efficiency of the granting of oplocks under multiple - client contention for the same file.

In brief it specifies a number, which causes smbd(8)not to grant an oplock even when requested - if the approximate number of clients contending for an oplock on the same file goes over this - limit. This causes smbd to behave in a similar - way to Windows NT.

Warning

DO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ - AND UNDERSTOOD THE SAMBA OPLOCK CODE.

Default: oplock contention limit = 2 - -

oplocks (S)

This boolean option tells smbd whether to - issue oplocks (opportunistic locks) to file open requests on this - share. The oplock code can dramatically (approx. 30% or more) improve - the speed of access to files on Samba servers. It allows the clients - to aggressively cache files locally and you may want to disable this - option for unreliable network environments (it is turned on by - default in Windows NT Servers). For more information see the file - Speed.txt in the Samba docs/ - directory.

Oplocks may be selectively turned off on certain files with a - share. See the veto oplock files parameter. On some systems - oplocks are recognized by the underlying operating system. This - allows data synchronization between all access to oplocked files, - whether it be via Samba or NFS or a local UNIX process. See the - kernel oplocks parameter for details.

Default: oplocks = yes - -

os2 driver map (G)

The parameter is used to define the absolute - path to a file containing a mapping of Windows NT printer driver - names to OS/2 printer driver names. The format is:

For example, a valid entry using the HP LaserJet 5 - printer driver would appear as HP LaserJet 5L = LASERJET.HP - LaserJet 5L.

- The need for the file is due to the printer driver namespace problem described in the chapter on Classical Printing in the book Samba3-HOWTO. For more - details on OS/2 clients, please refer to ???. -

Default: os2 driver map = - -

os level (G)

This integer value controls what level Samba - advertises itself as for browse elections. The value of this - parameter determines whether nmbd(8) -has a chance of becoming a local master browser for the workgroup in the local broadcast area.

Note :By default, Samba will win - a local master browsing election over all Microsoft operating - systems except a Windows NT 4.0/2000 Domain Controller. This - means that a misconfigured Samba host can effectively isolate - a subnet for browsing purposes. See BROWSING.txt - in the Samba docs/ directory - for details.

Default: os level = 20 - -

Example: os level = 65 - -

pam password change (G)

With the addition of better PAM support in Samba 2.2, - this parameter, it is possible to use PAM's password change control - flag for Samba. If enabled, then PAM will be used for password - changes when requested by an SMB client instead of the program listed in - passwd program. - It should be possible to enable this without changing your - passwd chat parameter for most setups.

Default: pam password change = no - -

panic action (G)

This is a Samba developer option that allows a - system command to be called when either smbd(8) or smbd(8) crashes. This is usually used to -draw attention to the fact that a problem occurred.

Default: panic action = - -

Example: panic action = "/bin/sleep 90000" - -

paranoid server security (G)

Some version of NT 4.x allow non-guest - users with a bad passowrd. When this option is enabled, samba will not - use a broken NT 4.x server as password server, but instead complain - to the logs and exit. -

Disabling this option prevents Samba from making - this check, which involves deliberatly attempting a - bad logon to the remote server.

Default: paranoid server security = yes - -

passdb backend (G)

This option allows the administrator to chose which backends - to retrieve and store passwords with. This allows (for example) both - smbpasswd and tdbsam to be used without a recompile. Multiple - backends can be specified, separated by spaces. The backends will be - searched in the order they are specified. New users are always added - to the first backend specified.

This parameter is in two parts, the backend's name, and a 'location' - string that has meaning only to that particular backed. These are separated - by a : character.

Available backends can include: -

smbpasswd - The default smbpasswd - backend. Takes a path to the smbpasswd file as an optional argument. -
tdbsam - The TDB based password storage - backend. Takes a path to the TDB as an optional argument (defaults to passdb.tdb - in the private dir directory.
ldapsam - The LDAP based passdb - backend. Takes an LDAP URL as an optional argument (defaults to - ldap://localhost)
LDAP connections should be secured where possible. This may be done using either - Start-TLS (see ldap ssl) or by - specifying ldaps:// in - the URL argument.
Multiple servers may also be specified in double-quotes, if your - LDAP libraries supports the LDAP URL notation. - (OpenLDAP does). -
nisplussam - - The NIS+ based passdb backend. Takes name NIS domain as - an optional argument. Only works with sun NIS+ servers. -
mysql - - The MySQL based passdb backend. Takes an identifier as - argument. Read the Samba HOWTO Collection for configuration - details. -

- -

- Examples of use are: -

-passdb backend = tdbsam:/etc/samba/private/passdb.tdb \
-    smbpasswd:/etc/samba/smbpasswd
-
-or
-
-passdb backend = ldapsam:ldaps://ldap.example.com
-
-or
-
-passdb backend = ldapsam:"ldap://ldap-1.example.com \
-    ldap://ldap-2.example.com"
-
-or
-
-passdb backend = mysql:my_plugin_args tdbsam
-

Default: passdb backend = smbpasswd - -

passwd chat (G)

This string controls the "chat" - conversation that takes places between smbd(8) and the local password changing - program to change the user's password. The string describes a - sequence of response-receive pairs that smbd(8) uses to determine what to send to the - passwd program and what to expect back. If the expected output is not - received then the password is not changed.

This chat sequence is often quite site specific, depending - on what local methods are used for password control (such as NIS - etc).

Note that this parameter only is only used if the unix password sync parameter is set to yes. This sequence is - then called AS ROOT when the SMB password in the - smbpasswd file is being changed, without access to the old password - cleartext. This means that root must be able to reset the user's password without - knowing the text of the previous password. In the presence of - NIS/YP, this means that the passwd program must - be executed on the NIS master. -

The string can contain the macro %n which is substituted - for the new password. The chat sequence can also contain the standard - macros \n, \r, \t and \s to - give line-feed, carriage-return, tab and space. The chat sequence string can also contain - a '*' which matches any sequence of characters. Double quotes can be used to collect strings with spaces - in them into a single string.

If the send string in any part of the chat sequence is a full - stop ".", then no string is sent. Similarly, if the - expect string is a full stop then no string is expected.

If the pam password change parameter is set to yes, the - chat pairs may be matched in any order, and success is determined by the PAM result, not any particular - output. The \n macro is ignored for PAM conversions. -

Default: passwd chat = *new*password* %n\n*new*password* %n\n *changed* - -

Example: passwd chat = "*Enter OLD password*" %o\n "*Enter NEW password*" %n\n "*Reenter NEW password*" %n\n "*Password changed*" - -

passwd chat debug (G)

This boolean specifies if the passwd chat script - parameter is run in debug mode. In this mode the - strings passed to and received from the passwd chat are printed - in the smbd(8) log with a - debug level - of 100. This is a dangerous option as it will allow plaintext passwords - to be seen in the smbd log. It is available to help - Samba admins debug their passwd chat scripts - when calling the passwd program and should - be turned off after this has been done. This option has no effect if the - pam password change - paramter is set. This parameter is off by default.

Default: passwd chat debug = no - -

passwd chat timeout (G)

This integer specifies the number of seconds smbd will wait for an initial - answer from a passwd chat script being run. Once the initial answer is received - the subsequent answers must be received in one tenth of this time. The default it - two seconds.

Default: passwd chat timeout = 2 - -

passwd program (G)

The name of a program that can be used to set - UNIX user passwords. Any occurrences of %u - will be replaced with the user name. The user name is checked for - existence before calling the password changing program.

Also note that many passwd programs insist in reasonable - passwords, such as a minimum length, or the inclusion - of mixed case chars and digits. This can pose a problem as some clients - (such as Windows for Workgroups) uppercase the password before sending - it.

Note that if the unix - password sync parameter is set to yes - then this program is called AS ROOT - before the SMB password in the smbpasswd - file is changed. If this UNIX password change fails, then - smbd will fail to change the SMB password also - (this is by design).

If the unix password sync parameter - is set this parameter MUST USE ABSOLUTE PATHS - for ALL programs called, and must be examined - for security implications. Note that by default unix - password sync is set to no.

Default: passwd program = - -

Example: passwd program = /bin/passwd %u - -

password level (G)

Some client/server combinations have difficulty - with mixed-case passwords. One offending client is Windows for - Workgroups, which for some reason forces passwords to upper - case when using the LANMAN1 protocol, but leaves them alone when - using COREPLUS! Another problem child is the Windows 95/98 - family of operating systems. These clients upper case clear - text passwords even when NT LM 0.12 selected by the protocol - negotiation request/response.

This parameter defines the maximum number of characters - that may be upper case in passwords.

For example, say the password given was "FRED". If - password level is set to 1, the following combinations - would be tried if "FRED" failed:

"Fred", "fred", "fRed", "frEd","freD"

If password level was set to 2, - the following combinations would also be tried:

"FRed", "FrEd", "FreD", "fREd", "fReD", "frED", ..

And so on.

The higher value this parameter is set to the more likely - it is that a mixed case password will be matched against a single - case password. However, you should be aware that use of this - parameter reduces security and increases the time taken to - process a new connection.

A value of zero will cause only two attempts to be - made - the password as is and the password in all-lower case.

This parameter is used only when using plain-text passwords. It is - not at all used when encrypted passwords as in use (that is the default - since samba-3.0.0). Use this only when encrypt passwords = No.

Default: password level = 0 - -

Example: password level = 4 - -

password server (G)

By specifying the name of another SMB server - or Active Directory domain controller with this option, - and using security = [ads|domain|server] - it is possible to get Samba to - to do all its username/password validation using a specific remote server.

This option sets the name or IP address of the password server to use. - New syntax has been added to support defining the port to use when connecting - to the server the case of an ADS realm. To define a port other than the - default LDAP port of 389, add the port number using a colon after the - name or IP address (e.g. 192.168.1.100:389). If you do not specify a port, - Samba will use the standard LDAP port of tcp/389. Note that port numbers - have no effect on password servers for Windows NT 4.0 domains or netbios - connections.

If parameter is a name, it is looked up using the - parameter name resolve order and so may resolved - by any method and order described in that parameter.

The password server must be a machine capable of using - the "LM1.2X002" or the "NT LM 0.12" protocol, and it must be in - user level security mode.

Note

Using a password server means your UNIX box (running - Samba) is only as secure as your password server. DO NOT - CHOOSE A PASSWORD SERVER THAT YOU DON'T COMPLETELY TRUST. -

Never point a Samba server at itself for password serving. - This will cause a loop and could lock up your Samba server!

The name of the password server takes the standard - substitutions, but probably the only useful one is %m -, which means the Samba server will use the incoming - client as the password server. If you use this then you better - trust your clients, and you had better restrict them with hosts allow!

If the security parameter is set to - domain or ads, then the list of machines in this - option must be a list of Primary or Backup Domain controllers for the - Domain or the character '*', as the Samba server is effectively - in that domain, and will use cryptographically authenticated RPC calls - to authenticate the user logging on. The advantage of using - security = domain is that if you list several hosts in the - password server option then smbd - will try each in turn till it finds one that responds. This - is useful in case your primary server goes down.

If the password server option is set - to the character '*', then Samba will attempt to auto-locate the - Primary or Backup Domain controllers to authenticate against by - doing a query for the name WORKGROUP<1C> - and then contacting each server returned in the list of IP - addresses from the name resolution source.

If the list of servers contains both names/IP's and the '*' - character, the list is treated as a list of preferred - domain controllers, but an auto lookup of all remaining DC's - will be added to the list as well. Samba will not attempt to optimize - this list by locating the closest DC.

If the security parameter is - set to server, then there are different - restrictions that security = domain doesn't - suffer from:

You may list several password servers in - the password server parameter, however if an - smbd makes a connection to a password server, - and then the password server fails, no more users will be able - to be authenticated from this smbd. This is a - restriction of the SMB/CIFS protocol when in security = server - mode and cannot be fixed in Samba.
If you are using a Windows NT server as your - password server then you will have to ensure that your users - are able to login from the Samba server, as when in - security = server mode the network logon will appear to - come from there rather than from the users workstation.

Default: password server = - -

Example: password server = NT-PDC, NT-BDC1, NT-BDC2, * - -

Example: password server = windc.mydomain.com:389 192.168.1.101 * - -

Example: password server = * - -

directory

This parameter is a synonym for path.

path (S)

This parameter specifies a directory to which - the user of the service is to be given access. In the case of - printable services, this is where print data will spool prior to - being submitted to the host for printing.

For a printable service offering guest access, the service - should be readonly and the path should be world-writeable and - have the sticky bit set. This is not mandatory of course, but - you probably won't get the results you expect if you do - otherwise.

Any occurrences of %u in the path - will be replaced with the UNIX username that the client is using - on this connection. Any occurrences of %m - will be replaced by the NetBIOS name of the machine they are - connecting from. These replacements are very useful for setting - up pseudo home directories for users.

Note that this path will be based on root dir - if one was specified.

Default: path = - -

Example: path = /home/fred - -

pid directory (G)

This option specifies the directory where pid - files will be placed.

Default: pid directory = ${prefix}/var/locks - -

Example: pid directory = pid directory = /var/run/ - -

posix locking (S)

The smbd(8) - daemon maintains an database of file locks obtained by SMB clients. - The default behavior is to map this internal database to POSIX - locks. This means that file locks obtained by SMB clients are - consistent with those seen by POSIX compliant applications accessing - the files via a non-SMB method (e.g. NFS or local file access). - You should never need to disable this parameter.

Default: posix locking = yes - -

postexec (S)

This option specifies a command to be run - whenever the service is disconnected. It takes the usual - substitutions. The command may be run as the root on some - systems.

An interesting example may be to unmount server - resources:

postexec = /etc/umount /cdrom

Default: postexec = - -

Example: postexec = echo \"%u disconnected from %S from %m (%I)\" >> /tmp/log - -

exec

This parameter is a synonym for preexec.

preexec (S)

This option specifies a command to be run whenever - the service is connected to. It takes the usual substitutions.

An interesting example is to send the users a welcome - message every time they log in. Maybe a message of the day? Here - is an example:

- preexec = csh -c 'echo \"Welcome to %S!\" | - /usr/local/samba/bin/smbclient -M %m -I %I' & -

Of course, this could get annoying after a while :-)

- See also preexec close and postexec. -

Default: preexec = - -

Example: preexec = echo \"%u connected to %S from %m (%I)\" >> /tmp/log - -

preexec close (S)

This boolean option controls whether a non-zero - return code from preexec should close the service being connected to.

Default: preexec close = no - -

prefered master

This parameter is a synonym for preferred master.

preferred master (G)

This boolean parameter controls if - nmbd(8) is a preferred master - browser for its workgroup.

If this is set to yes, on startup, nmbd - will force an election, and it will have a slight advantage in - winning the election. It is recommended that this parameter is - used in conjunction with - domain master = yes, so - that nmbd can guarantee becoming a domain master.

Use this option with caution, because if there are several - hosts (whether Samba servers, Windows 95 or NT) that are - preferred master browsers on the same subnet, they will each - periodically and continuously attempt to become the local - master browser. This will result in unnecessary broadcast - traffic and reduced browsing capabilities.

Default: preferred master = auto - -

auto services

This parameter is a synonym for preload.

preload (G)

This is a list of services that you want to be - automatically added to the browse lists. This is most useful - for homes and printers services that would otherwise not be - visible.

- Note that if you just want all printers in your - printcap file loaded then the load printers - option is easier. -

Default: preload = - -

Example: preload = fred lp colorlp - -

preload modules (G)

This is a list of paths to modules that should - be loaded into smbd before a client connects. This improves - the speed of smbd when reacting to new connections somewhat.

Default: preload modules = - -

Example: preload modules = /usr/lib/samba/passdb/mysql.so - -

preserve case (S)

This controls if new filenames are created - with the case that the client passes, or if they are forced to - be the default case.

See the section on NAME MANGLING for a fuller discussion.

Default: preserve case = yes - -

print ok

This parameter is a synonym for printable.

printable (S)

If this parameter is yes, then - clients may open, write to and submit spool files on the directory - specified for the service.

Note that a printable service will ALWAYS allow writing - to the service path (user privileges permitting) via the spooling - of print data. The read only parameter controls only non-printing access to - the resource.

Default: printable = no - -

printcap cache time (G)

This option specifies the number of seconds before the printing - subsystem is again asked for the known printers. If the value - is greater than 60 the initial waiting time is set to 60 seconds - to allow an earlier first rescan of the printing subsystem. -

Setting this parameter to 0 (the default) disables any - rescanning for new or removed printers after the initial startup. -

Default: printcap cache time = 0 - -

Example: printcap cache time = 600 - -

printcap

This parameter is a synonym for printcap name.

printcap name (S)

This parameter may be used to override the - compiled-in default printcap name used by the server (usually - /etc/printcap). See the discussion of the [printers] section above for reasons - why you might want to do this.

To use the CUPS printing interface set printcap name = cups - . This should be supplemented by an addtional setting - printing = cups in the [global] - section. printcap name = cups will use the - "dummy" printcap created by CUPS, as specified in your CUPS - configuration file. -

On System V systems that use lpstat to - list available printers you can use printcap name = lpstat - to automatically obtain lists of available printers. This - is the default for systems that define SYSV at configure time in - Samba (this includes most System V based systems). If - printcap name is set to lpstat on - these systems then Samba will launch lpstat -v and - attempt to parse the output to obtain a printer list.

A minimal printcap file would look something like this:

-print1|My Printer 1
-print2|My Printer 2
-print3|My Printer 3
-print4|My Printer 4
-print5|My Printer 5
-

where the '|' separates aliases of a printer. The fact - that the second alias has a space in it gives a hint to Samba - that it's a comment.

Note

Under AIX the default printcap - name is /etc/qconfig. Samba will assume the - file is in AIX qconfig format if the string - qconfig appears in the printcap filename.

Default: printcap name = /etc/printcap - -

Example: printcap name = /etc/myprintcap - -

print command (S)

After a print job has finished spooling to - a service, this command will be used via a system() - call to process the spool file. Typically the command specified will - submit the spool file to the host's printing subsystem, but there - is no requirement that this be the case. The server will not remove - the spool file, so whatever command you specify should remove the - spool file when it has been processed, otherwise you will need to - manually remove old spool files.

The print command is simply a text string. It will be used - verbatim after macro substitutions have been made:

%s, %f - the path to the spool - file name

%p - the appropriate printer - name

%J - the job - name as transmitted by the client.

%c - The number of printed pages - of the spooled job (if known).

%z - the size of the spooled - print job (in bytes)

The print command MUST contain at least - one occurrence of %s or %f - - the %p is optional. At the time - a job is submitted, if no printer name is supplied the %p - will be silently removed from the printer command.

If specified in the [global] section, the print command given - will be used for any printable service that does not have its own - print command specified.

If there is neither a specified print command for a - printable service nor a global print command, spool files will - be created but not processed and (most importantly) not removed.

Note that printing may fail on some UNIXes from the - nobody account. If this happens then create - an alternative guest account that can print and set the guest account - in the [global] section.

You can form quite complex print commands by realizing - that they are just passed to a shell. For example the following - will log a print job, print the file, then remove it. Note that - ';' is the usual separator for command in shell scripts.

print command = echo Printing %s >> - /tmp/print.log; lpr -P %p %s; rm %s

You may have to vary this command considerably depending - on how you normally print files on your system. The default for - the parameter varies depending on the setting of the printing - parameter.

Default: For printing = BSD, AIX, QNX, LPRNG - or PLP :

print command = lpr -r -P%p %s

For printing = SYSV or HPUX :

print command = lp -c -d%p %s; rm %s

For printing = SOFTQ :

print command = lp -d%p -s %s; rm %s

For printing = CUPS : If SAMBA is compiled against - libcups, then printcap = cups - uses the CUPS API to - submit jobs, etc. Otherwise it maps to the System V - commands with the -oraw option for printing, i.e. it - uses lp -c -d%p -oraw; rm %s. - With printing = cups, - and if SAMBA is compiled against libcups, any manually - set print command will be ignored.

No default

Example: print command = /usr/local/samba/bin/myprintscript %p %s - -

printer admin (S)

- This lists users who can do anything to printers - via the remote administration interfaces offered - by MS-RPC (usually using a NT workstation). - This parameter can be set per-share or globally. - Note: The root user always has admin rights. Use - caution with use in the global stanza as this can - cause side effects. -

Default: printer admin = - -

Example: printer admin = admin, @staff - -

printer

This parameter is a synonym for printer name.

printer name (S)

- This parameter specifies the name of the printer to which print jobs spooled through a printable service - will be sent. -

- If specified in the [global] section, the printer name given will be used for any printable service that - does not have its own printer name specified. -

- The default value of the printer name may be lp on many - systems. -

Default: printer name = none - -

Example: printer name = laserwriter - -

printing (S)

This parameters controls how printer status information is - interpreted on your system. It also affects the default values for - the print command, lpq command, lppause command , lpresume command, and lprm command if specified in the - [global] section.

Currently nine printing styles are supported. They are - BSD, AIX, - LPRNG, PLP, - SYSV, HPUX, - QNX, SOFTQ, - and CUPS.

To see what the defaults are for the other print - commands when using the various options use the testparm(1) program.

This option can be set on a per printer basis. Please be - aware however, that you must place any of the various printing - commands (e.g. print command, lpq command, etc...) after defining - the value for the printing option since it will - reset the printing commands to default values.

See also the discussion in the - [printers] section.

No default

private dir (G)

This parameters defines the directory - smbd will use for storing such files as smbpasswd - and secrets.tdb. -

Default: private dir = ${prefix}/private - -

profile acls (S)

- This boolean parameter was added to fix the problems that people have been - having with storing user profiles on Samba shares from Windows 2000 or - Windows XP clients. New versions of Windows 2000 or Windows XP service - packs do security ACL checking on the owner and ability to write of the - profile directory stored on a local workstation when copied from a Samba - share. -

When not in domain mode with winbindd then the security info copied - onto the local workstation has no meaning to the logged in user (SID) on - that workstation so the profile storing fails. Adding this parameter - onto a share used for profile storage changes two things about the - returned Windows ACL. Firstly it changes the owner and group owner - of all reported files and directories to be BUILTIN\\Administrators, - BUILTIN\\Users respectively (SIDs S-1-5-32-544, S-1-5-32-545). Secondly - it adds an ACE entry of "Full Control" to the SID BUILTIN\\Users to - every returned ACL. This will allow any Windows 2000 or XP workstation - user to access the profile.

Note that if you have multiple users logging - on to a workstation then in order to prevent them from being able to access - each others profiles you must remove the "Bypass traverse checking" advanced - user right. This will prevent access to other users profile directories as - the top level profile directory (named after the user) is created by the - workstation profile code and has an ACL restricting entry to the directory - tree to the owning user. -

Default: profile acls = no - -

queuepause command (S)

This parameter specifies the command to be - executed on the server host in order to pause the printer queue.

This command should be a program or script which takes - a printer name as its only parameter and stops the printer queue, - such that no longer jobs are submitted to the printer.

This command is not supported by Windows for Workgroups, - but can be issued from the Printers window under Windows 95 - and NT.

If a %p is given then the printer name - is put in its place. Otherwise it is placed at the end of the command. -

Note that it is good practice to include the absolute - path in the command as the PATH may not be available to the - server.

No default

Example: queuepause command = disable %p - -

queueresume command (S)

This parameter specifies the command to be - executed on the server host in order to resume the printer queue. It - is the command to undo the behavior that is caused by the - previous parameter (queuepause command).

This command should be a program or script which takes - a printer name as its only parameter and resumes the printer queue, - such that queued jobs are resubmitted to the printer.

This command is not supported by Windows for Workgroups, - but can be issued from the Printers window under Windows 95 - and NT.

If a %p is given then the printer name - is put in its place. Otherwise it is placed at the end of the - command.

Note that it is good practice to include the absolute - path in the command as the PATH may not be available to the - server.

Default: queueresume command = - -

Example: queueresume command = enable %p - -

read bmpx (G)

This boolean parameter controls whether - smbd(8) will support the "Read - Block Multiplex" SMB. This is now rarely used and defaults to - no. You should never need to set this - parameter.

Default: read bmpx = no - -

read list (S)

- This is a list of users that are given read-only access to a service. If the connecting user is in this list - then they will not be given write access, no matter what the read only option is set - to. The list can include group names using the syntax described in the invalid users - parameter. -

This parameter will not work with the security = share in - Samba 3.0. This is by design.

Default: read list = - -

Example: read list = mary, @students - -

read only (S)

An inverted synonym is writeable.

If this parameter is yes, then users - of a service may not create or modify files in the service's - directory.

Note that a printable service (printable = yes) - will ALWAYS allow writing to the directory - (user privileges permitting), but only via spooling operations.

Default: read only = yes - -

read raw (G)

This parameter controls whether or not the server - will support the raw read SMB requests when transferring data - to clients.

If enabled, raw reads allow reads of 65535 bytes in - one packet. This typically provides a major performance benefit. -

However, some clients either negotiate the allowable - block size incorrectly or are incapable of supporting larger block - sizes, and for these clients you may need to disable raw reads.

In general this parameter should be viewed as a system tuning - tool and left severely alone.

Default: read raw = yes - -

realm (G)

This option specifies the kerberos realm to use. The realm is - used as the ADS equivalent of the NT4 domain. It - is usually set to the DNS name of the kerberos server. -

Default: realm = - -

Example: realm = mysambabox.mycompany.com - -

remote announce (G)

This option allows you to setup nmbd(8)to periodically announce itself - to arbitrary IP addresses with an arbitrary workgroup name.

This is useful if you want your Samba server to appear - in a remote workgroup for which the normal browse propagation - rules don't work. The remote workgroup can be anywhere that you - can send IP packets to.

For example:

remote announce = 192.168.2.255/SERVERS - 192.168.4.255/STAFF

the above line would cause nmbd to announce itself - to the two given IP addresses using the given workgroup names. - If you leave out the workgroup name then the one given in - the workgroup parameter is used instead.

The IP addresses you choose would normally be the broadcast - addresses of the remote networks, but can also be the IP addresses - of known browse masters if your network config is that stable.

See NetworkBrowsing.

Default: remote announce = - -

remote browse sync (G)

This option allows you to setup nmbd(8) to periodically request - synchronization of browse lists with the master browser of a Samba - server that is on a remote segment. This option will allow you to - gain browse lists for multiple workgroups across routed networks. This - is done in a manner that does not work with any non-Samba servers.

This is useful if you want your Samba server and all local - clients to appear in a remote workgroup for which the normal browse - propagation rules don't work. The remote workgroup can be anywhere - that you can send IP packets to.

For example:

remote browse sync = 192.168.2.255 192.168.4.255

the above line would cause nmbd to request - the master browser on the specified subnets or addresses to - synchronize their browse lists with the local server.

The IP addresses you choose would normally be the broadcast - addresses of the remote networks, but can also be the IP addresses - of known browse masters if your network config is that stable. If - a machine IP address is given Samba makes NO attempt to validate - that the remote machine is available, is listening, nor that it - is in fact the browse master on its segment.

Default: remote browse sync = - -

restrict anonymous (G)

The setting of this parameter determines whether user and - group list information is returned for an anonymous connection. - and mirrors the effects of the -

-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
-           Control\LSA\RestrictAnonymous
-

- registry key in Windows 2000 and Windows NT. When set to 0, user - and group list information is returned to anyone who asks. When set - to 1, only an authenticated user can retrive user and - group list information. For the value 2, supported by - Windows 2000/XP and Samba, no anonymous connections are allowed at - all. This can break third party and Microsoft - applications which expect to be allowed to perform - operations anonymously.

- The security advantage of using restrict anonymous = 1 is dubious, - as user and group list information can be obtained using other - means. -

Note

- The security advantage of using restrict anonymous = 2 is removed - by setting guest ok = yes on any share. -

Default: restrict anonymous = 0 - -

root

This parameter is a synonym for root directory.

root dir

This parameter is a synonym for root directory.

root directory (G)

The server will chroot() (i.e. - Change its root directory) to this directory on startup. This is - not strictly necessary for secure operation. Even without it the - server will deny access to files not in one of the service entries. - It may also check for, and deny access to, soft links to other - parts of the filesystem, or attempts to use ".." in file names - to access other directories (depending on the setting of the - wide smbconfoptions parameter). -

Adding a root directory entry other - than "/" adds an extra level of security, but at a price. It - absolutely ensures that no access is given to files not in the - sub-tree specified in the root directory - option, including some files needed for - complete operation of the server. To maintain full operability - of the server you will need to mirror some system files - into the root directory tree. In particular - you will need to mirror /etc/passwd (or a - subset of it), and any binaries or configuration files needed for - printing (if required). The set of files that must be mirrored is - operating system dependent.

Default: root directory = / - -

Example: root directory = /homes/smb - -

root postexec (S)

This is the same as the postexec - parameter except that the command is run as root. This - is useful for unmounting filesystems - (such as CDROMs) after a connection is closed.

Default: root postexec = - -

root preexec (S)

This is the same as the preexec - parameter except that the command is run as root. This - is useful for mounting filesystems (such as CDROMs) when a - connection is opened.

Default: root preexec = - -

root preexec close (S)

This is the same as the preexec close - parameter except that the command is run as root.

Default: root preexec close = no - -

security (G)

This option affects how clients respond to - Samba and is one of the most important settings in the - smb.conf file.

The option sets the "security mode bit" in replies to - protocol negotiations with smbd(8) to turn share level security on or off. Clients decide - based on this bit whether (and how) to transfer user and password - information to the server.

The default is security = user, as this is - the most common setting needed when talking to Windows 98 and - Windows NT.

The alternatives are security = share, - security = server or security = domain - .

In versions of Samba prior to 2.0.0, the default was - security = share mainly because that was - the only option at one stage.

There is a bug in WfWg that has relevance to this - setting. When in user or server level security a WfWg client - will totally ignore the password you type in the "connect - drive" dialog box. This makes it very difficult (if not impossible) - to connect to a Samba service as anyone except the user that - you are logged into WfWg as.

If your PCs use usernames that are the same as their - usernames on the UNIX machine then you will want to use - security = user. If you mostly use usernames - that don't exist on the UNIX box then use security = - share.

You should also use security = share if you - want to mainly setup shares without a password (guest shares). This - is commonly used for a shared printer server. It is more difficult - to setup guest shares with security = user, see - the map to guestparameter for details.

It is possible to use smbd in a - hybrid mode where it is offers both user and share - level security under different NetBIOS aliases.

The different settings will now be explained.

SECURITY = SHARE

When clients connect to a share level security server they - need not log onto the server with a valid username and password before - attempting to connect to a shared resource (although modern clients - such as Windows 95/98 and Windows NT will send a logon request with - a username but no password when talking to a security = share - server). Instead, the clients send authentication information - (passwords) on a per-share basis, at the time they attempt to connect - to that share.

Note that smbd ALWAYS - uses a valid UNIX user to act on behalf of the client, even in - security = share level security.

As clients are not required to send a username to the server - in share level security, smbd uses several - techniques to determine the correct UNIX user to use on behalf - of the client.

A list of possible UNIX usernames to match with the given - client password is constructed using the following methods :

If the guest only parameter is set, then all the other - stages are missed and only the guest account username is checked. -
Is a username is sent with the share connection - request, then this username (after mapping - see username map), - is added as a potential username. -
If the client did a previous logon - request (the SessionSetup SMB call) then the - username sent in this SMB will be added as a potential username. -
The name of the service the client requested is - added as a potential username. -
The NetBIOS name of the client is added to - the list as a potential username. -
Any users on the user list are added as potential usernames. -

If the guest only parameter is - not set, then this list is then tried with the supplied password. - The first user for whom the password matches will be used as the - UNIX user.

If the guest only parameter is - set, or no username can be determined then if the share is marked - as available to the guest account, then this - guest user will be used, otherwise access is denied.

Note that it can be very confusing - in share-level security as to which UNIX username will eventually - be used in granting access.

See also the section - NOTE ABOUT USERNAME/PASSWORD VALIDATION.

SECURITY = USER

This is the default security setting in Samba 3.0. - With user-level security a client must first "log-on" with a - valid username and password (which can be mapped using the username map - parameter). Encrypted passwords (see the encrypted passwords parameter) can also - be used in this security mode. Parameters such as user and guest only if set are then applied and - may change the UNIX user to use on this connection, but only after - the user has been successfully authenticated.

Note that the name of the resource being - requested is not sent to the server until after - the server has successfully authenticated the client. This is why - guest shares don't work in user level security without allowing - the server to automatically map unknown users into the guest account. - See the map to guest parameter for details on doing this.

See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION.

SECURITY = DOMAIN

This mode will only work correctly if net(8) has been used to add this - machine into a Windows NT Domain. It expects the encrypted passwords - parameter to be set to yes. In this - mode Samba will try to validate the username/password by passing - it to a Windows NT Primary or Backup Domain Controller, in exactly - the same way that a Windows NT Server would do.

Note that a valid UNIX user must still - exist as well as the account on the Domain Controller to allow - Samba to have a valid UNIX account to map file access to.

Note that from the client's point - of view security = domain is the same - as security = user. It only - affects how the server deals with the authentication, - it does not in any way affect what the client sees.

See also the section - NOTE ABOUT USERNAME/PASSWORD VALIDATION.

See also the password server parameter and - the encrypted passwords parameter.

SECURITY = SERVER

- In this mode Samba will try to validate the username/password by passing it to another SMB server, such as an - NT box. If this fails it will revert to security = user. It expects the - encrypted passwords parameter to be set to yes, unless the remote - server does not support them. However note that if encrypted passwords have been negotiated then Samba cannot - revert back to checking the UNIX password file, it must have a valid smbpasswd file to check users against. See the chapter about the User Database in - the Samba HOWTO Collection for details on how to set this up. -

Note

This mode of operation has - significant pitfalls, due to the fact that is activly initiates a - man-in-the-middle attack on the remote SMB server. In particular, - this mode of operation can cause significant resource consuption on - the PDC, as it must maintain an active connection for the duration - of the user's session. Furthermore, if this connection is lost, - there is no way to reestablish it, and futher authenticaions to the - Samba server may fail. (From a single client, till it disconnects). -

Note

From the client's point of - view security = server is the - same as security = user. It - only affects how the server deals with the authentication, it does - not in any way affect what the client sees.

See also the section - NOTE ABOUT USERNAME/PASSWORD VALIDATION.

See also the password server parameter and the - encrypted passwords parameter.

SECURITY = ADS

In this mode, Samba will act as a domain member in an ADS realm. To operate - in this mode, the machine running Samba will need to have Kerberos installed - and configured and Samba will need to be joined to the ADS realm using the - net utility.

Note that this mode does NOT make Samba operate as a Active Directory Domain - Controller.

Read the chapter about Domain Membership in the HOWTO for details.

Default: security = USER - -

Example: security = DOMAIN - -

security mask (S)

- This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating the - UNIX permission on a file using the native NT security dialog box. -

- This parameter is applied as a mask (AND'ed with) to the changed permission bits, thus preventing any bits not - in this mask from being modified. Make sure not to mix up this parameter with force security mode, which works in a manner similar to this one but uses a logical OR instead of an AND. -

- Essentially, zero bits in this mask may be treated as a set of bits the user is not allowed to change. -

- If not set explicitly this parameter is 0777, allowing a user to modify all the user/group/world permissions on a file. -

- Note that users who can access the Samba server through other means can easily bypass this - restriction, so it is primarily useful for standalone "appliance" systems. Administrators of - most normal systems will probably want to leave it set to 0777. -

Default: security mask = 0777 - -

Example: security mask = 0770 - -

server schannel (G)

- This controls whether the server offers or even demands the use of the netlogon schannel. - server schannel = no does not offer the schannel, server schannel = auto offers the schannel but does not enforce it, and server schannel = yes denies access if the client is not able to speak netlogon schannel. - This is only the case for Windows NT4 before SP4. -

- Please note that with this set to no you will have to apply the WindowsXP - WinXP_SignOrSeal.reg registry patch found in the docs/registry subdirectory of the Samba distribution tarball. -

Default: server schannel = auto - -

Example: server schannel = yes - -

server signing (G)

This controls whether the server offers or requires - the client it talks to to use SMB signing. Possible values - are auto, mandatory - and disabled. -

When set to auto, SMB signing is offered, but not enforced. - When set to mandatory, SMB signing is required and if set - to disabled, SMB signing is not offered either.

Default: server signing = Disabled - -

server string (G)

This controls what string will show up in the printer comment box in print - manager and next to the IPC connection in net view. It - can be any string that you wish to show to your users.

It also sets what will appear in browse lists next - to the machine name.

A %v will be replaced with the Samba - version number.

A %h will be replaced with the - hostname.

Default: server string = Samba %v - -

Example: server string = University of GNUs Samba Server - -

set directory (S)

If set directory = no, then - users of the service may not use the setdir command to change - directory.

The setdir command is only implemented - in the Digital Pathworks client. See the Pathworks documentation - for details.

Default: set directory = no - -

set primary group script (G)

Thanks to the Posix subsystem in NT a Windows User has a - primary group in addition to the auxiliary groups. This script - sets the primary group in the unix userdatase when an - administrator sets the primary group from the windows user - manager or when fetching a SAM with net rpc - vampire. %u will be replaced - with the user whose primary group is to be set. - %g will be replaced with the group to - set.

Default: set primary group script = - -

Example: set primary group script = /usr/sbin/usermod -g '%g' '%u' - -

set quota command (G)

The set quota command should only be used - whenever there is no operating system API available from the OS that - samba can use.

This option is only available if Samba was configured with the argument --with-sys-quotas or - on linux when ./configure --with-quotas was used and a working quota api - was found in the system. Most packages are configured with these options already.

This parameter should specify the path to a script that - can set quota for the specified arguments.

The specified script should take the following arguments:

1 - quota type -
- 1 - user quotas
- 2 - user default quotas (uid = -1)
- 3 - group quotas
- 4 - group default quotas (gid = -1)
-
2 - id (uid for user, gid for group, -1 if N/A)
3 - quota state (0 = disable, 1 = enable, 2 = enable and enforce)
4 - block softlimit
5 - block hardlimit
6 - inode softlimit
7 - inode hardlimit
8(optional) - block size, defaults to 1024

The script should output at least one line of data on success. And nothing on failure.

Default: set quota command = - -

Example: set quota command = /usr/local/sbin/set_quota - -

share modes (S)

This enables or disables the honoring of - the share modes during a file open. These - modes are used by clients to gain exclusive read or write access - to a file.

These open modes are not directly supported by UNIX, so - they are simulated using shared memory, or lock files if your - UNIX doesn't support shared memory (almost all do).

The share modes that are enabled by this option are - DENY_DOS, DENY_ALL, - DENY_READ, DENY_WRITE, - DENY_NONE and DENY_FCB. -

This option gives full share compatibility and enabled - by default.

You should NEVER turn this parameter - off as many Windows applications will break if you do so.

Default: share modes = yes - -

short preserve case (S)

This boolean parameter controls if new files - which conform to 8.3 syntax, that is all in upper case and of - suitable length, are created upper case, or if they are forced - to be the default case - . This option can be use with preserve case = yes - to permit long filenames to retain their case, while short - names are lowered.

See the section on NAME MANGLING.

Default: short preserve case = yes - -

show add printer wizard (G)

With the introduction of MS-RPC based printing support - for Windows NT/2000 client in Samba 2.2, a "Printers..." folder will - appear on Samba hosts in the share listing. Normally this folder will - contain an icon for the MS Add Printer Wizard (APW). However, it is - possible to disable this feature regardless of the level of privilege - of the connected user.

Under normal circumstances, the Windows NT/2000 client will - open a handle on the printer server with OpenPrinterEx() asking for - Administrator privileges. If the user does not have administrative - access on the print server (i.e is not root or a member of the - printer admin group), the OpenPrinterEx() - call fails and the client makes another open call with a request for - a lower privilege level. This should succeed, however the APW - icon will not be displayed.

Disabling the show add printer wizard - parameter will always cause the OpenPrinterEx() on the server - to fail. Thus the APW icon will never be displayed. -

Note

This does not prevent the same user from having - administrative privilege on an individual printer.

Default: show add printer wizard = yes - -

shutdown script (G)

This a full path name to a script called by - smbd(8) that should - start a shutdown procedure.

If the connected user posseses the SeRemoteShutdownPrivilege, - right, this command will be run as user.

The %z %t %r %f variables are expanded as follows:

%z will be substituted with the - shutdown message sent to the server.
%t will be substituted with the - number of seconds to wait before effectively starting the - shutdown procedure.
%r will be substituted with the - switch -r. It means reboot after shutdown - for NT.
%f will be substituted with the - switch -f. It means force the shutdown - even if applications do not respond for NT.

Shutdown script example: -

-#!/bin/bash
-		
-$time=0
-let "time/60"
-let "time++"
-
-/sbin/shutdown $3 $4 +$time $1 &
-

-Shutdown does not return so we need to launch it in background. -

Default: shutdown script = - -

Example: shutdown script = /usr/local/samba/sbin/shutdown %m %t %r %f - -

smb passwd file (G)

This option sets the path to the encrypted smbpasswd file. By - default the path to the smbpasswd file is compiled into Samba.

- An example of use is: -

-smb passwd file = /etc/samba/smbpasswd
-

Default: smb passwd file = ${prefix}/private/smbpasswd - -

smb ports (G)

Specifies which ports the server should listen on for SMB traffic.

Default: smb ports = 445 139 - -

socket address (G)

This option allows you to control what - address Samba will listen for connections on. This is used to - support multiple virtual interfaces on the one server, each - with a different configuration.

By default Samba will accept connections on any - address.

Default: socket address = - -

Example: socket address = 192.168.2.20 - -

socket options (G)

This option allows you to set socket options - to be used when talking with the client.

Socket options are controls on the networking layer - of the operating systems which allow the connection to be - tuned.

This option will typically be used to tune your Samba server - for optimal performance for your local network. There is no way - that Samba can know what the optimal parameters are for your net, - so you must experiment and choose them yourself. We strongly - suggest you read the appropriate documentation for your operating - system first (perhaps man - setsockopt will help).

You may find that on some systems Samba will say - "Unknown socket option" when you supply an option. This means you - either incorrectly typed it or you need to add an include file - to includes.h for your OS. If the latter is the case please - send the patch to - samba-technical@samba.org.

Any of the supported socket options may be combined - in any way you like, as long as your OS allows it.

This is the list of socket options currently settable - using this option:

SO_KEEPALIVE
SO_REUSEADDR
SO_BROADCAST
TCP_NODELAY
IPTOS_LOWDELAY
IPTOS_THROUGHPUT
SO_SNDBUF *
SO_RCVBUF *
SO_SNDLOWAT *
SO_RCVLOWAT *

Those marked with a '*' take an integer - argument. The others can optionally take a 1 or 0 argument to enable - or disable the option, by default they will be enabled if you - don't specify 1 or 0.

To specify an argument use the syntax SOME_OPTION = VALUE - for example SO_SNDBUF = 8192. Note that you must - not have any spaces before or after the = sign.

If you are on a local network then a sensible option - might be:

socket options = IPTOS_LOWDELAY

If you have a local network then you could try:

socket options = IPTOS_LOWDELAY TCP_NODELAY

If you are on a wide area network then perhaps try - setting IPTOS_THROUGHPUT.

Note that several of the options may cause your Samba - server to fail completely. Use these options with caution!

Default: socket options = TCP_NODELAY - -

Example: socket options = IPTOS_LOWDELAY - -

stat cache (G)

This parameter determines if smbd(8) will use a cache in order to - speed up case insensitive name mappings. You should never need - to change this parameter.

Default: stat cache = yes - -

store dos attributes (S)

If this parameter is set Samba no longer attempts to - map DOS attributes like SYSTEM, HIDDEN, ARCHIVE or READ-ONLY - to UNIX permission bits (such as the map hidden. Instead, DOS attributes will be stored onto an extended - attribute in the UNIX filesystem, associated with the file or directory. - For this to operate correctly, the parameters map hidden, map system, map archive must be set to off. - This parameter writes the DOS attributes as a string into the - extended attribute named "user.DOSATTRIB". This extended attribute - is explicitly hidden from smbd clients requesting an EA list. - On Linux the filesystem must have been mounted with the mount - option user_xattr in order for extended attributes to work, also - extended attributes must be compiled into the Linux kernel. -

Default: store dos attributes = no - -

strict allocate (S)

This is a boolean that controls the handling of - disk space allocation in the server. When this is set to yes - the server will change from UNIX behaviour of not committing real - disk storage blocks when a file is extended to the Windows behaviour - of actually forcing the disk system to allocate real storage blocks - when a file is created or extended to be a given size. In UNIX - terminology this means that Samba will stop creating sparse files. - This can be slow on some systems.

When strict allocate is no the server does sparse - disk block allocation when a file is extended.

Setting this to yes can help Samba return - out of quota messages on systems that are restricting the disk quota - of users.

Default: strict allocate = no - -

strict locking (S)

This is a boolean that controls the handling of - file locking in the server. When this is set to yes, - the server will check every read and write access for file locks, and - deny access if locks exist. This can be slow on some systems.

When strict locking is disabled, the server performs file - lock checks only when the client explicitly asks for them.

Well-behaved clients always ask for lock checks when it - is important. So in the vast majority of cases, strict - locking = no is acceptable.

Default: strict locking = yes - -

strict sync (S)

Many Windows applications (including the Windows 98 explorer - shell) seem to confuse flushing buffer contents to disk with doing - a sync to disk. Under UNIX, a sync call forces the process to be - suspended until the kernel has ensured that all outstanding data in - kernel disk buffers has been safely stored onto stable storage. - This is very slow and should only be done rarely. Setting this - parameter to no (the default) means that - smbd(8) ignores the Windows - applications requests for a sync call. There is only a possibility - of losing data if the operating system itself that Samba is running - on crashes, so there is little danger in this default setting. In - addition, this fixes many performance problems that people have - reported with the new Windows98 explorer shell file copies.

Default: strict sync = no - -

sync always (S)

This is a boolean parameter that controls - whether writes will always be written to stable storage before - the write call returns. If this is no then the server will be - guided by the client's request in each write call (clients can - set a bit indicating that a particular write should be synchronous). - If this is yes then every write will be followed by a fsync() - call to ensure the data is written to disk. Note that - the strict sync parameter must be set to - yes in order for this parameter to have - any affect.

Default: sync always = no - -

syslog (G)

This parameter maps how Samba debug messages - are logged onto the system syslog logging levels. Samba debug - level zero maps onto syslog LOG_ERR, debug - level one maps onto LOG_WARNING, debug level - two maps onto LOG_NOTICE, debug level three - maps onto LOG_INFO. All higher levels are mapped to - LOG_DEBUG.

This parameter sets the threshold for sending messages - to syslog. Only messages with debug level less than this value - will be sent to syslog.

Default: syslog = 1 - -

syslog only (G)

If this parameter is set then Samba debug - messages are logged into the system syslog only, and not to - the debug log files.

Default: syslog only = no - -

template homedir (G)

When filling out the user information for a Windows NT - user, the winbindd(8) daemon uses this - parameter to fill in the home directory for that user. If the - string %D is present it - is substituted with the user's Windows NT domain name. If the - string %U is present it - is substituted with the user's Windows NT user name.

Default: template homedir = /home/%D/%U - -

template shell (G)

When filling out the user information for a Windows NT - user, the winbindd(8) daemon uses this - parameter to fill in the login shell for that user.

No default

time offset (G)

This parameter is a setting in minutes to add - to the normal GMT to local time conversion. This is useful if - you are serving a lot of PCs that have incorrect daylight - saving time handling.

Default: time offset = 0 - -

Example: time offset = 60 - -

time server (G)

This parameter determines if nmbd(8) advertises itself as a time server to Windows -clients.

Default: time server = no - -

unix charset (G)

Specifies the charset the unix machine - Samba runs on uses. Samba needs to know this in order to be able to - convert text to the charsets other SMB clients use. -

This is also the charset Samba will use when specifying arguments - to scripts that it invokes. -

Default: unix charset = UTF8 - -

Example: unix charset = ASCII - -

unix extensions (G)

This boolean parameter controls whether Samba - implments the CIFS UNIX extensions, as defined by HP. - These extensions enable Samba to better serve UNIX CIFS clients - by supporting features such as symbolic links, hard links, etc... - These extensions require a similarly enabled client, and are of - no current use to Windows clients.

Default: unix extensions = yes - -

unix password sync (G)

This boolean parameter controls whether Samba - attempts to synchronize the UNIX password with the SMB password - when the encrypted SMB password in the smbpasswd file is changed. - If this is set to yes the program specified in the passwd - programparameter is called AS ROOT - - to allow the new UNIX password to be set without access to the - old UNIX password (as the SMB password change code has no - access to the old password cleartext, only the new).

Default: unix password sync = no - -

update encrypted (G)

- This boolean parameter allows a user logging on with a plaintext password to have their encrypted (hashed) - password in the smbpasswd file to be updated automatically as they log on. This option allows a site to - migrate from plaintext password authentication (users authenticate with plaintext password over the - wire, and are checked against a UNIX account atabase) to encrypted password authentication (the SMB - challenge/response authentication mechanism) without forcing all users to re-enter their passwords via - smbpasswd at the time the change is made. This is a convenience option to allow the change over to encrypted - passwords to be made over a longer period. Once all users have encrypted representations of their passwords - in the smbpasswd file this parameter should be set to no. -

- In order for this parameter to be operative the encrypt passwords parameter must - be set to no. The default value of encrypt passwords = Yes. Note: This must be set to no for this update encrypted to work. -

- Note that even when this parameter is set a user authenticating to smbd - must still enter a valid password in order to connect correctly, and to update their hashed (smbpasswd) - passwords. -

Default: update encrypted = no - -

use client driver (S)

This parameter applies only to Windows NT/2000 - clients. It has no effect on Windows 95/98/ME clients. When - serving a printer to Windows NT/2000 clients without first installing - a valid printer driver on the Samba host, the client will be required - to install a local printer driver. From this point on, the client - will treat the print as a local printer and not a network printer - connection. This is much the same behavior that will occur - when disable spoolss = yes. -

The differentiating factor is that under normal - circumstances, the NT/2000 client will attempt to open the network - printer using MS-RPC. The problem is that because the client - considers the printer to be local, it will attempt to issue the - OpenPrinterEx() call requesting access rights associated with the - logged on user. If the user possesses local administator rights but - not root privilege on the Samba host (often the case), the - OpenPrinterEx() call will fail. The result is that the client will - now display an "Access Denied; Unable to connect" message - in the printer queue window (even though jobs may successfully be - printed).

If this parameter is enabled for a printer, then any attempt - to open the printer with the PRINTER_ACCESS_ADMINISTER right is mapped - to PRINTER_ACCESS_USE instead. Thus allowing the OpenPrinterEx() - call to succeed. This parameter MUST not be able enabled - on a print share which has valid print driver installed on the Samba - server.

Default: use client driver = no - -

use kerberos keytab (G)

-Specifies whether Samba should attempt to maintain service principals in the systems -keytab file for host/FQDN and cifs/FQDN. -

When you are using the heimdal Kerberos libraries, you must also -specify the following in /etc/krb5.conf:

-[libdefaults]
-  default_keytab_name = FILE:/etc/krb5.keytab
-

Default: use kerberos keytab = False - -

use mmap (G)

This global parameter determines if the tdb internals of Samba can - depend on mmap working correctly on the running system. Samba requires a coherent - mmap/read-write system memory cache. Currently only HPUX does not have such a - coherent cache, and so this parameter is set to no by - default on HPUX. On all other systems this parameter should be left alone. This - parameter is provided to help the Samba developers track down problems with - the tdb internal code. -

Default: use mmap = yes - -

user

This parameter is a synonym for username.

users

This parameter is a synonym for username.

username (S)

Multiple users may be specified in a comma-delimited - list, in which case the supplied password will be tested against - each username in turn (left to right).

The username line is needed only when - the PC is unable to supply its own username. This is the case - for the COREPLUS protocol or where your users have different WfWg - usernames to UNIX usernames. In both these cases you may also be - better using the \\server\share%user syntax instead.

The username line is not a great - solution in many cases as it means Samba will try to validate - the supplied password against each of the usernames in the - username line in turn. This is slow and - a bad idea for lots of users in case of duplicate passwords. - You may get timeouts or security breaches using this parameter - unwisely.

Samba relies on the underlying UNIX security. This - parameter does not restrict who can login, it just offers hints - to the Samba server as to what usernames might correspond to the - supplied password. Users can login as whoever they please and - they will be able to do no more damage than if they started a - telnet session. The daemon runs as the user that they log in as, - so they cannot do anything that user cannot do.

To restrict a service to a particular set of users you - can use the valid users parameter.

If any of the usernames begin with a '@' then the name - will be looked up first in the NIS netgroups list (if Samba - is compiled with netgroup support), followed by a lookup in - the UNIX groups database and will expand to a list of all users - in the group of that name.

If any of the usernames begin with a '+' then the name - will be looked up only in the UNIX groups database and will - expand to a list of all users in the group of that name.

If any of the usernames begin with a '&' then the name - will be looked up only in the NIS netgroups database (if Samba - is compiled with netgroup support) and will expand to a list - of all users in the netgroup group of that name.

Note that searching though a groups database can take - quite some time, and some clients may time out during the - search.

See the section NOTE ABOUT - USERNAME/PASSWORD VALIDATION for more information on how - this parameter determines access to the services.

Default: username = -# The guest account if a guest service, - else <empty string>. - -

Example: username = fred, mary, jack, jane, @users, @pcgroup - -

username level (G)

This option helps Samba to try and 'guess' at - the real UNIX username, as many DOS clients send an all-uppercase - username. By default Samba tries all lowercase, followed by the - username with the first letter capitalized, and fails if the - username is not found on the UNIX machine.

If this parameter is set to non-zero the behavior changes. - This parameter is a number that specifies the number of uppercase - combinations to try while trying to determine the UNIX user name. The - higher the number the more combinations will be tried, but the slower - the discovery of usernames will be. Use this parameter when you have - strange usernames on your UNIX machine, such as AstrangeUser -.

This parameter is needed only on UNIX systems that have case - sensitive usernames.

Default: username level = 0 - -

Example: username level = 5 - -

username map (G)

This option allows you to specify a file containing - a mapping of usernames from the clients to the server. This can be - used for several purposes. The most common is to map usernames - that users use on DOS or Windows machines to those that the UNIX - box uses. The other is to map multiple users to a single username - so that they can more easily share files.

Please note that for user or share mode security, the - username map is applied prior to validating the user credentials. - Domain member servers (domain or ads) apply the username map - after the user has been successfully authenticated by the domain - controller and require fully qualified enties in the map table - (e.g. biddle = DOMAIN\foo).

The map file is parsed line by line. Each line should - contain a single UNIX username on the left then a '=' followed - by a list of usernames on the right. The list of usernames on the - right may contain names of the form @group in which case they - will match any UNIX username in that group. The special client - name '*' is a wildcard and matches any name. Each line of the - map file may be up to 1023 characters long.

The file is processed on each line by taking the - supplied username and comparing it with each username on the right - hand side of the '=' signs. If the supplied name matches any of - the names on the right hand side then it is replaced with the name - on the left. Processing then continues with the next line.

If any line begins with a '#' or a ';' then it is ignored

If any line begins with an '!' then the processing - will stop after that line if a mapping was done by the line. - Otherwise mapping continues with every line being processed. - Using '!' is most useful when you have a wildcard mapping line - later in the file.

For example to map from the name admin - or administrator to the UNIX name - root you would use:

root = admin administrator

Or to map anyone in the UNIX group system - to the UNIX name sys you would use:

sys = @system

You can have as many mappings as you like in a username map file.

If your system supports the NIS NETGROUP option then - the netgroup database is checked before the /etc/group - database for matching groups.

You can map Windows usernames that have spaces in them - by using double quotes around the name. For example:

tridge = "Andrew Tridgell"

would map the windows username "Andrew Tridgell" to the - unix username "tridge".

The following example would map mary and fred to the - unix user sys, and map the rest to guest. Note the use of the - '!' to tell Samba to stop processing if it gets a match on - that line.

-!sys = mary fred
-guest = *
-

Note that the remapping is applied to all occurrences - of usernames. Thus if you connect to \\server\fred and - fred is remapped to mary then you - will actually be connecting to \\server\mary and will need to - supply a password suitable for mary not - fred. The only exception to this is the - username passed to the password server (if you have one). The password - server will receive whatever username the client supplies without - modification.

Also note that no reverse mapping is done. The main effect - this has is with printing. Users who have been mapped may have - trouble deleting print jobs as PrintManager under WfWg will think - they don't own the print job.

- Samba versions prior to 3.0.8 would only support reading the fully qualified - username (e.g.: DOMAIN\user) from the username map when performing a - kerberos login from a client. However, when looking up a map - entry for a user authenticated by NTLM[SSP], only the login name would be - used for matches. This resulted in inconsistent behavior sometimes - even on the same server. -

- The following functionality is obeyed in version 3.0.8 and later: -

- When performing local authentication, the username map is - applied to the login name before attempting to authenticate - the connection. -

- When relying upon a external domain controller for validating - authentication requests, smbd will apply the username map - to the fully qualified username (i.e. DOMAIN\user) only - after the user has been successfully authenticated. -

- An example of use is: -

-username map = /usr/local/samba/lib/users.map
-

Default: username map = -# no username map - -

username map script (G)

This script is a mutually exclusive alternative to the - username map parameter. This parameter - specifies and external program or script that must accept a single - command line option (the username transmitted in the authentication - request) and return a line line on standard output (the name to which - the account should mapped). In this way, it is possible to store - username map tables in an LDAP or NIS directory services. -

Default: username map script = - -

Example: username map script = /etc/samba/scripts/mapusers.sh - -

use sendfile (S)

If this parameter is yes, and the sendfile() system call is supported by the underlying operating system, then some SMB read calls (mainly ReadAndX - and ReadRaw) will use the more efficient sendfile system call for files that - are exclusively oplocked. This may make more efficient use of the system CPU's - and cause Samba to be faster. Samba automatically turns this off for clients - that use protocol levels lower than NT LM 0.12 and when it detects a client is - Windows 9x (using sendfile from Linux will cause these clients to fail). -

Default: use sendfile = yes - -

use spnego (G)

This variable controls controls whether samba will try - to use Simple and Protected NEGOciation (as specified by rfc2478) with - WindowsXP and Windows2000 clients to agree upon an authentication mechanism. -

- Unless further issues are discovered with our SPNEGO - implementation, there is no reason this should ever be - disabled.

Default: use spnego = yes - -

utmp (G)

This boolean parameter is only available if - Samba has been configured and compiled with the option - --with-utmp. If set to yes then Samba will attempt - to add utmp or utmpx records (depending on the UNIX system) whenever a - connection is made to a Samba server. Sites may use this to record the - user connecting to a Samba share.

Due to the requirements of the utmp record, we - are required to create a unique identifier for the - incoming user. Enabling this option creates an n^2 - algorithm to find this number. This may impede - performance on large installations.

Default: utmp = no - -

utmp directory (G)

This parameter is only available if Samba has - been configured and compiled with the option - --with-utmp. It specifies a directory pathname that is - used to store the utmp or utmpx files (depending on the UNIX system) that - record user connections to a Samba server. By default this is - not set, meaning the system will use whatever utmp file the - native system is set to use (usually - /var/run/utmp on Linux).

Default: utmp directory = -# Determined automatically - -

Example: utmp directory = /var/run/utmp - -

-valid (S)

This parameter indicates whether a share is - valid and thus can be used. When this parameter is set to false, - the share will be in no way visible nor accessible. -

- This option should not be - used by regular users but might be of help to developers. - Samba uses this option internally to mark shares as deleted. -

Default: -valid = yes - -

valid users (S)

This is a list of users that should be allowed - to login to this service. Names starting with '@', '+' and '&' - are interpreted using the same rules as described in the - invalid users parameter.

If this is empty (the default) then any user can login. - If a username is in both this list and the invalid - users list then access is denied for that user.

The current servicename is substituted for %S -. This is useful in the [homes] section.

Default: valid users = -# No valid users list (anyone can login) - -

Example: valid users = greg, @pcusers - -

veto files (S)

This is a list of files and directories that - are neither visible nor accessible. Each entry in the list must - be separated by a '/', which allows spaces to be included - in the entry. '*' and '?' can be used to specify multiple files - or directories as in DOS wildcards.

Each entry must be a unix path, not a DOS path and - must not include the unix directory - separator '/'.

Note that the case sensitive option - is applicable in vetoing files.

One feature of the veto files parameter that it - is important to be aware of is Samba's behaviour when - trying to delete a directory. If a directory that is - to be deleted contains nothing but veto files this - deletion will fail unless you also set - the delete veto files parameter to - yes.

Setting this parameter will affect the performance - of Samba, as it will be forced to check all files and directories - for a match as they are scanned.

- Examples of use include: -

-; Veto any files containing the word Security,
-; any ending in .tmp, and any directory containing the
-; word root.
-veto files = /*Security*/*.tmp/*root*/
-
-; Veto the Apple specific files that a NetAtalk server
-; creates.
-veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/
-

Default: veto files = No files or directories are vetoed. - -

veto oplock files (S)

This parameter is only valid when the - oplocks - parameter is turned on for a share. It allows the Samba administrator - to selectively turn off the granting of oplocks on selected files that - match a wildcarded list, similar to the wildcarded list used in the - veto files - parameter.

You might want to do this on files that you know will - be heavily contended for by clients. A good example of this - is in the NetBench SMB benchmark program, which causes heavy - client contention for files ending in .SEM. - To cause Samba not to grant oplocks on these files you would use - the line (either in the [global] section or in the section for - the particular NetBench share :

- An example of use is: -

-veto oplock files = /.*SEM/
-

Default: veto oplock files = -# No files are vetoed for oplock grants - -

vfs object

This parameter is a synonym for vfs objects.

vfs objects (S)

This parameter specifies the backend names which - are used for Samba VFS I/O operations. By default, normal - disk I/O operations are used but these can be overloaded - with one or more VFS objects.

Default: vfs objects = - -

Example: vfs objects = extd_audit recycle - -

volume (S)

This allows you to override the volume label - returned for a share. Useful for CDROMs with installation programs - that insist on a particular volume label.

Default: volume = -# the name of the share - -

wide links (S)

This parameter controls whether or not links - in the UNIX file system may be followed by the server. Links - that point to areas within the directory tree exported by the - server are always allowed; this parameter controls access only - to areas that are outside the directory tree being exported.

Note that setting this parameter can have a negative - effect on your server performance due to the extra system calls - that Samba has to do in order to perform the link checks.

Default: wide links = yes - -

winbind cache time (G)

This parameter specifies the number of - seconds the winbindd(8) daemon will cache - user and group information before querying a Windows NT server - again.

Note

This does not apply to authentication requests, - these are always evaluated in real time.

Default: winbind cache time = 300 - -

winbind enum groups (G)

On large installations using winbindd(8) it may be necessary to suppress - the enumeration of groups through the setgrent(), - getgrent() and - endgrent() group of system calls. If - the winbind enum groups parameter is - no, calls to the getgrent() system - call will not return any data.

Warning

Turning off group enumeration may cause some programs to behave oddly.

Default: winbind enum groups = yes - -

winbind enum users (G)

On large installations using winbindd(8) it may be - necessary to suppress the enumeration of users through the setpwent(), - getpwent() and - endpwent() group of system calls. If - the winbind enum users parameter is - no, calls to the getpwent system call - will not return any data.

Warning

Turning off user - enumeration may cause some programs to behave oddly. For - example, the finger program relies on having access to the - full user list when searching for matching - usernames.

Default: winbind enum users = yes - -

winbind nested groups (G)

If set to yes, this parameter activates the support for nested - groups. Nested groups are also called local groups or - aliases. They work like their counterparts in Windows: Nested - groups are defined locally on any machine (they are shared - between DC's through their SAM) and can contain users and - global groups from any trusted SAM. To be able to use nested - groups, you need to run nss_winbind.

Please note that per 3.0.3 this is a new feature, so - handle with care.

Default: winbind nested groups = no - -

winbind separator (G)

This parameter allows an admin to define the character - used when listing a username of the form of DOMAIN -\user. This parameter - is only applicable when using the pam_winbind.so - and nss_winbind.so modules for UNIX services. -

Please note that setting this parameter to + causes problems - with group membership at least on glibc systems, as the character + - is used as a special character for NIS in /etc/group.

Default: winbind separator = '\' - -

Example: winbind separator = + - -

winbind trusted domains only (G)

This parameter is designed to allow Samba servers that - are members of a Samba controlled domain to use UNIX accounts - distributed via NIS, rsync, or LDAP as the uid's for winbindd users - in the hosts primary domain. Therefore, the user DOMAIN\user1 would - be mapped to the account user1 in /etc/passwd instead of allocating - a new uid for him or her. -

Default: winbind trusted domains only = no - -

winbind use default domain (G)

This parameter specifies whether the - winbindd(8) daemon should operate on users - without domain component in their username. Users without a domain - component are treated as is part of the winbindd server's own - domain. While this does not benifit Windows users, it makes SSH, FTP and - e-mail function in a way much closer to the way they - would in a native unix system.

Default: winbind use default domain = no - -

Example: winbind use default domain = yes - -

wins hook (G)

When Samba is running as a WINS server this - allows you to call an external program for all changes to the - WINS database. The primary use for this option is to allow the - dynamic update of external name resolution databases such as - dynamic DNS.

The wins hook parameter specifies the name of a script - or executable that will be called as follows:

wins_hook operation name nametype ttl IP_list

The first argument is the operation and is - one of "add", "delete", or - "refresh". In most cases the operation - can be ignored as the rest of the parameters - provide sufficient information. Note that - "refresh" may sometimes be called when - the name has not previously been added, in that - case it should be treated as an add.
The second argument is the NetBIOS name. If the - name is not a legal name then the wins hook is not called. - Legal names contain only letters, digits, hyphens, underscores - and periods.
The third argument is the NetBIOS name - type as a 2 digit hexadecimal number.
The fourth argument is the TTL (time to live) - for the name in seconds.
The fifth and subsequent arguments are the IP - addresses currently registered for that name. If this list is - empty then the name should be deleted.

An example script that calls the BIND dynamic DNS update - program nsupdate is provided in the examples - directory of the Samba source code.

No default

wins proxy (G)

This is a boolean that controls if nmbd(8) will respond to broadcast name - queries on behalf of other hosts. You may need to set this - to yes for some older clients.

Default: wins proxy = no - -

wins server (G)

This specifies the IP address (or DNS name: IP - address for preference) of the WINS server that nmbd(8) should register with. If you have a WINS server on - your network then you should set this to the WINS server's IP.

You should point this at your WINS server if you have a - multi-subnetted network.

If you want to work in multiple namespaces, you can - give every wins server a 'tag'. For each tag, only one - (working) server will be queried for a name. The tag should be - separated from the ip address by a colon. -

Note

You need to set up Samba to point - to a WINS server if you have multiple subnets and wish cross-subnet - browsing to work correctly.

See the ???.

Default: wins server = - -

Example: wins server = mary:192.9.200.1 fred:192.168.3.199 mary:192.168.2.61 - -# For this example when querying a certain name, 192.19.200.1 will - be asked first and if that doesn't respond 192.168.2.61. If either - of those doesn't know the name 192.168.3.199 will be queried. - -

Example: wins server = 192.9.200.1 192.168.2.61 - -

wins support (G)

This boolean controls if the nmbd(8) process in Samba will act as a WINS server. You should - not set this to yes unless you have a multi-subnetted network and - you wish a particular nmbd to be your WINS server. - Note that you should NEVER set this to yes - on more than one machine in your network.

Default: wins support = no - -

workgroup (G)

This controls what workgroup your server will - appear to be in when queried by clients. Note that this parameter - also controls the Domain name used with - the security = domain - setting.

Default: workgroup = WORKGROUP - -

Example: workgroup = MYGROUP - -

writable

This parameter is a synonym for writeable.

writeable (S)

Inverted synonym for read only.

No default

write cache size (S)

If this integer parameter is set to non-zero value, - Samba will create an in-memory cache for each oplocked file - (it does not do this for - non-oplocked files). All writes that the client does not request - to be flushed directly to disk will be stored in this cache if possible. - The cache is flushed onto disk when a write comes in whose offset - would not fit into the cache or when the file is closed by the client. - Reads for the file are also served from this cache if the data is stored - within it.

This cache allows Samba to batch client writes into a more - efficient write size for RAID disks (i.e. writes may be tuned to - be the RAID stripe size) and can improve performance on systems - where the disk subsystem is a bottleneck but there is free - memory for userspace programs.

The integer parameter specifies the size of this cache - (per oplocked file) in bytes.

Default: write cache size = 0 - -

Example: write cache size = 262144 -# for a 256k cache size per file - -

write list (S)

This is a list of users that are given read-write - access to a service. If the connecting user is in this list then - they will be given write access, no matter what the read only - option is set to. The list can include group names using the - @group syntax.

Note that if a user is in both the read list and the - write list then they will be given write access.

This parameter will not work with the security = share in - Samba 3.0. This is by design.

Default: write list = - -

Example: write list = admin, root, @staff - -

write raw (G)

This parameter controls whether or not the server - will support raw write SMB's when transferring data from clients. - You should never need to change this parameter.

Default: write raw = yes - -

wtmp directory (G)

This parameter is only available if Samba has - been configured and compiled with the option - --with-utmp. It specifies a directory pathname that is - used to store the wtmp or wtmpx files (depending on the UNIX system) that - record user connections to a Samba server. The difference with - the utmp directory is the fact that user info is kept after a user - has logged out.

- By default this is - not set, meaning the system will use whatever utmp file the - native system is set to use (usually - /var/run/wtmp on Linux).

Default: wtmp directory = - -

Example: wtmp directory = /var/log/wtmp - -

WARNINGS

- Although the configuration file permits service names to contain spaces, your client software may not. - Spaces will be ignored in comparisons anyway, so it shouldn't be a problem - but be aware of the possibility. -

- On a similar note, many clients - especially DOS clients - limit service names to eight characters. - smbd(8) has no such - limitation, but attempts to connect from such clients will fail if they truncate the service names. For this - reason you should probably keep your service names down to eight characters in length. -

- Use of the [homes] and [printers] special sections make life - for an administrator easy, but the various combinations of default attributes can be tricky. Take extreme - care when designing these sections. In particular, ensure that the permissions on spool directories are - correct. -

VERSION

This man page is correct for version 3.0 of the Samba suite.

AUTHOR

- The original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed - by the Samba Team as an Open Source project similar to the way the Linux kernel is developed. -

- The original Samba man pages were written by Karl Auer. The man page sources were converted to YODL format (another - excellent piece of Open Source software, available at - ftp://ftp.icce.rug.nl/pub/unix/) and updated for the Samba 2.0 release by Jeremy Allison. The conversion - to DocBook for Samba 2.2 was done by Gerald Carter. The conversion to DocBook XML 4.2 for Samba 3.0 was done by - Alexander Bokovoy. -

diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20rc2/docs/htmldocs/manpages/smbcontrol.1.html samba-3.0.20/docs/htmldocs/manpages/smbcontrol.1.html --- samba-3.0.20rc2/docs/htmldocs/manpages/smbcontrol.1.html 2005-08-07 11:17:47.000000000 -0500 +++ samba-3.0.20/docs/htmldocs/manpages/smbcontrol.1.html 1969-12-31 18:00:00.000000000 -0600 @@ -1,72 +0,0 @@ -smbcontrol

Name

smbcontrol — send messages to smbd, nmbd or winbindd processes

Synopsis

smbcontrol [-i] [-s]

smbcontrol [destination] [message-type] [parameter]

DESCRIPTION

This tool is part of the samba(7) suite.

smbcontrol is a very small program, which - sends messages to a smbd(8), a nmbd(8), or a winbindd(8) daemon running on the system.

OPTIONS

-h|--help

Print a summary of command line options. -

-s <configuration file>

-i

Run interactively. Individual commands - of the form destination message-type parameters can be entered - on STDIN. An empty command line or a "q" will quit the - program.

destination

One of nmbd, smbd or a process ID.

The smbd destination causes the - message to "broadcast" to all smbd daemons.

The nmbd destination causes the - message to be sent to the nmbd daemon specified in the - nmbd.pid file.

If a single process ID is given, the message is sent - to only that process.

message-type

Type of message to send. See - the section MESSAGE-TYPES for details. -

parameters

any parameters required for the message-type

MESSAGE-TYPES

Available message types are:

close-share

Order smbd to close the client - connections to the named share. Note that this doesn't affect client - connections to any other shares. This message-type takes an argument of the - share name for which client connections will be closed, or the - "*" character which will close all currently open shares. - This may be useful if you made changes to the access controls on the share. - This message can only be sent to smbd.

debug

Set debug level to the value specified by the - parameter. This can be sent to any of the destinations.

force-election

This message causes the nmbd daemon to - force a new browse master election.

ping

- Send specified number of "ping" messages and - wait for the same number of reply "pong" messages. This can be sent to - any of the destinations.

profile

Change profile settings of a daemon, based on the - parameter. The parameter can be "on" to turn on profile stats - collection, "off" to turn off profile stats collection, "count" - to enable only collection of count stats (time stats are - disabled), and "flush" to zero the current profile stats. This can - be sent to any smbd or nmbd destinations.

debuglevel

- Request debuglevel of a certain daemon and write it to stdout. This - can be sent to any of the destinations.

profilelevel

- Request profilelevel of a certain daemon and write it to stdout. - This can be sent to any smbd or nmbd destinations.

printnotify

- Order smbd to send a printer notify message to any Windows NT clients - connected to a printer. This message-type takes the following arguments: -

queuepause printername: Send a queue pause change notify - message to the printer specified.
queueresume printername: Send a queue resume change notify - message for the printer specified.
jobpause printername unixjobid: Send a job pause change notify - message for the printer and unix jobid - specified.
jobresume printername unixjobid: Send a job resume change notify - message for the printer and unix jobid - specified.
jobdelete printername unixjobid: Send a job delete change notify - message for the printer and unix jobid - specified.

- Note that this message only sends notification that an - event has occured. It doesn't actually cause the - event to happen. -

This message can only be sent to smbd.

samsync

Order smbd to synchronise sam database from PDC (being BDC). Can only be sent to smbd.

Note

Not working at the moment

samrepl

Send sam replication message, with specified serial. Can only be sent to smbd. Should not be used manually.

dmalloc-mark

Set a mark for dmalloc. Can be sent to both smbd and nmbd. Only available if samba is built with dmalloc support.

dmalloc-log-changed

- Dump the pointers that have changed since the mark set by dmalloc-mark. - Can be sent to both smbd and nmbd. Only available if samba is built with dmalloc support.

shutdown

Shut down specified daemon. Can be sent to both smbd and nmbd.

pool-usage

Print a human-readable description of all - talloc(pool) memory usage by the specified daemon/process. Available - for both smbd and nmbd.

drvupgrade

Force clients of printers using specified driver - to update their local version of the driver. Can only be - sent to smbd.

reload-config

Force daemon to reload smb.conf configuration file. Can be sent - to smbd, nmbd, or winbindd. -

VERSION

This man page is correct for version 3.0 of - the Samba suite.

AUTHOR

The original Samba man pages were written by Karl Auer. - The man page sources were converted to YODL format (another - excellent piece of Open Source software, available at - ftp://ftp.icce.rug.nl/pub/unix/) and updated for the Samba 2.0 - release by Jeremy Allison. The conversion to DocBook for - Samba 2.2 was done by Gerald Carter. The conversion to DocBook XML 4.2 for - Samba 3.0 was done by Alexander Bokovoy.

diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20rc2/docs/htmldocs/manpages/smbcquotas.1.html samba-3.0.20/docs/htmldocs/manpages/smbcquotas.1.html --- samba-3.0.20rc2/docs/htmldocs/manpages/smbcquotas.1.html 2005-08-07 11:17:51.000000000 -0500 +++ samba-3.0.20/docs/htmldocs/manpages/smbcquotas.1.html 1969-12-31 18:00:00.000000000 -0600 @@ -1,85 +0,0 @@ -smbcquotas

Name

smbcquotas — Set or get QUOTAs of NTFS 5 shares

Synopsis

smbcquotas {//server/share} [-u user] [-L] [-F] [-S QUOTA_SET_COMMAND] [-n] [-t] [-v] [-d debuglevel] [-s configfile] [-l logdir] [-V] [-U username] [-N] [-k] [-A]

DESCRIPTION

This tool is part of the samba(7) suite.

The smbcquotas program manipulates NT Quotas on SMB file shares.

OPTIONS

The following options are available to the smbcquotas program.

-u user

Specifies the user of whom the quotas are get or set. - By default the current user's username will be used.

-L

Lists all quota records of the share.

-F

Show the share quota status and default limits.

-S QUOTA_SET_COMMAND

This command sets/modifies quotas for a user or on the share, - depending on the QUOTA_SET_COMMAND parameter which is described later.

-n

This option displays all QUOTA information in numeric - format. The default is to convert SIDs to names and QUOTA limits - to a readable string format.

-t

- Don't actually do anything, only validate the correctness of the arguments. -

-v

- Be verbose. -

-h|--help

Print a summary of command line options. -

-V

Prints the program version number. -

-s <configuration file>

-d|--debug=debuglevel

debuglevel is an integer -from 0 to 10. The default value if this parameter is -not specified is zero.

Note that specifying this parameter here will -override the parameter -in the smb.conf file.

-l|--logfile=logdirectory

Base directory name for log/debug files. The extension -".progname" will be appended (e.g. log.smbclient, -log.smbd, etc...). The log file is never removed by the client. -

-N

If specified, this parameter suppresses the normal -password prompt from the client to the user. This is useful when -accessing a service that does not require a password.

Unless a password is specified on the command line or -this parameter is specified, the client will request a -password.

-k

-Try to authenticate with kerberos. Only useful in -an Active Directory environment. -

-A|--authentication-file=filename

This option allows -you to specify a file from which to read the username and -password used in the connection. The format of the file is -

-username = <value>
-password = <value>
-domain   = <value>
-

Make certain that the permissions on the file restrict -access from unwanted users.

-U|--user=username[%password]

Sets the SMB username or username and password.

QUOTA_SET_COMAND

The format of an ACL is one or more ACL entries separated by - either commas or newlines. An ACL entry is one of the following:

- for setting user quotas for the user specified by -u or the current username: -

- UQLIM:<username>:<softlimit>/<hardlimit> -

- for setting the default quotas for a share: -

- FSQLIM:<softlimit>/<hardlimit> -

- for changing the share quota settings: -

- FSQFLAGS:QUOTA_ENABLED/DENY_DISK/LOG_SOFTLIMIT/LOG_HARD_LIMIT -

EXIT STATUS

The smbcquotas program sets the exit status - depending on the success or otherwise of the operations performed. - The exit status may be one of the following values.

If the operation succeeded, smbcquotas returns an exit - status of 0. If smbcquotas couldn't connect to the specified server, - or when there was an error getting or setting the quota(s), an exit status - of 1 is returned. If there was an error parsing any command line - arguments, an exit status of 2 is returned.

VERSION

This man page is correct for version 3.0 of the Samba suite.

AUTHOR

smbcquotas was written by Stefan Metzmacher.

diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20rc2/docs/htmldocs/manpages/smbd.8.html samba-3.0.20/docs/htmldocs/manpages/smbd.8.html --- samba-3.0.20rc2/docs/htmldocs/manpages/smbd.8.html 2005-08-07 11:17:54.000000000 -0500 +++ samba-3.0.20/docs/htmldocs/manpages/smbd.8.html 1969-12-31 18:00:00.000000000 -0600 @@ -1,159 +0,0 @@ -smbd

Name

smbd — server to provide SMB/CIFS services to clients

Synopsis

smbd [-D] [-F] [-S] [-i] [-h] [-V] [-b] [-d <debug level>] [-l <log directory>] [-p <port number(s)>] [-O <socket option>] [-s <configuration file>]

DESCRIPTION

This program is part of the samba(7) suite.

smbd is the server daemon that - provides filesharing and printing services to Windows clients. - The server provides filespace and printer services to - clients using the SMB (or CIFS) protocol. This is compatible - with the LanManager protocol, and can service LanManager - clients. These include MSCLIENT 3.0 for DOS, Windows for - Workgroups, Windows 95/98/ME, Windows NT, Windows 2000, - OS/2, DAVE for Macintosh, and smbfs for Linux.

An extensive description of the services that the - server can provide is given in the man page for the - configuration file controlling the attributes of those - services (see smb.conf(5). This man page will not describe the - services, but will concentrate on the administrative aspects - of running the server.

Please note that there are significant security - implications to running this server, and the smb.conf(5) manual page should be regarded as mandatory reading before - proceeding with installation.

A session is created whenever a client requests one. - Each client gets a copy of the server for each session. This - copy then services all connections made by the client during - that session. When all connections from its client are closed, - the copy of the server for that client terminates.

The configuration file, and any files that it includes, - are automatically reloaded every minute, if they change. You - can force a reload by sending a SIGHUP to the server. Reloading - the configuration file will not affect connections to any service - that is already established. Either the user will have to - disconnect from the service, or smbd killed and restarted.

OPTIONS

-D

If specified, this parameter causes - the server to operate as a daemon. That is, it detaches - itself and runs in the background, fielding requests - on the appropriate port. Operating the server as a - daemon is the recommended way of running smbd for - servers that provide more than casual use file and - print services. This switch is assumed if smbd - is executed on the command line of a shell. -

-F

If specified, this parameter causes - the main smbd process to not daemonize, - i.e. double-fork and disassociate with the terminal. - Child processes are still created as normal to service - each connection request, but the main process does not - exit. This operation mode is suitable for running - smbd under process supervisors such - as supervise and svscan - from Daniel J. Bernstein's daemontools - package, or the AIX process monitor. -

-S

If specified, this parameter causes - smbd to log to standard output rather - than a file.

-i

If this parameter is specified it causes the - server to run "interactively", not as a daemon, even if the - server is executed on the command line of a shell. Setting this - parameter negates the implicit deamon mode when run from the - command line. smbd also logs to standard - output, as if the -S parameter had been - given. -

-V

Prints the program version number. -

-s <configuration file>

-d|--debug=debuglevel

debuglevel is an integer -from 0 to 10. The default value if this parameter is -not specified is zero.

Note that specifying this parameter here will -override the parameter -in the smb.conf file.

-l|--logfile=logdirectory

Base directory name for log/debug files. The extension -".progname" will be appended (e.g. log.smbclient, -log.smbd, etc...). The log file is never removed by the client. -

-h|--help

Print a summary of command line options. -

-b

Prints information about how - Samba was built.

-p <port number(s)>

port number(s) is a - space or comma-separated list of TCP ports smbd should listen on. - The default value is taken from the ports parameter in smb.conf

The default ports are 139 (used for SMB over NetBIOS over TCP) - and port 445 (used for plain SMB over TCP). -

FILES

/etc/inetd.conf

If the server is to be run by the - inetd meta-daemon, this file - must contain suitable startup information for the - meta-daemon. -

/etc/rc

or whatever initialization script your - system uses).

If running the server as a daemon at startup, - this file will need to contain an appropriate startup - sequence for the server.

/etc/services

If running the server via the - meta-daemon inetd, this file - must contain a mapping of service name (e.g., netbios-ssn) - to service port (e.g., 139) and protocol type (e.g., tcp). -

/usr/local/samba/lib/smb.conf

This is the default location of the smb.conf(5) server configuration file. Other common places that systems - install this file are /usr/samba/lib/smb.conf - and /etc/samba/smb.conf.

This file describes all the services the server - is to make available to clients. See smb.conf(5) for more information.

LIMITATIONS

On some systems smbd cannot change uid back - to root after a setuid() call. Such systems are called - trapdoor uid systems. If you have such a system, - you will be unable to connect from a client (such as a PC) as - two different users at once. Attempts to connect the - second user will result in access denied or - similar.

ENVIRONMENT VARIABLES

PRINTER: If no printer name is specified to - printable services, most systems will use the value of - this variable (or lp if this variable is - not defined) as the name of the printer to use. This - is not specific to the server, however.

PAM INTERACTION

Samba uses PAM for authentication (when presented with a plaintext - password), for account checking (is this account disabled?) and for - session management. The degree too which samba supports PAM is restricted - by the limitations of the SMB protocol and the obey pam restrictions smb.conf(5) paramater. When this is set, the following restrictions apply: -

Account Validation: All accesses to a - samba server are checked - against PAM to see if the account is vaild, not disabled and is permitted to - login at this time. This also applies to encrypted logins. -
Session Management: When not using share - level secuirty, users must pass PAM's session checks before access - is granted. Note however, that this is bypassed in share level secuirty. - Note also that some older pam configuration files may need a line - added for session support. -

VERSION

This man page is correct for version 3.0 of - the Samba suite.

DIAGNOSTICS

Most diagnostics issued by the server are logged - in a specified log file. The log file name is specified - at compile time, but may be overridden on the command line.

The number and nature of diagnostics available depends - on the debug level used by the server. If you have problems, set - the debug level to 3 and peruse the log files.

Most messages are reasonably self-explanatory. Unfortunately, - at the time this man page was created, there are too many diagnostics - available in the source code to warrant describing each and every - diagnostic. At this stage your best bet is still to grep the - source code and inspect the conditions that gave rise to the - diagnostics you are seeing.

TDB FILES

Samba stores it's data in several TDB (Trivial Database) files, usually located in /var/lib/samba.

- (*) information persistent across restarts (but not - necessarily important to backup). -

account_policy.tdb*: NT account policy settings such as pw expiration, etc...
brlock.tdb: byte range locks
browse.dat: browse lists
connections.tdb: share connections (used to enforce max connections, etc...)
gencache.tdb: generic caching db
group_mapping.tdb*: group mapping information
locking.tdb: share modes & oplocks
login_cache.tdb*: bad pw attempts
messages.tdb: Samba messaging system
netsamlogon_cache.tdb*: cache of user net_info_3 struct from net_samlogon() request (as a domain member)
ntdrivers.tdb*: installed printer drivers
ntforms.tdb*: installed printer forms
ntprinters.tdb*: installed printer information
printing/: directory containing tdb per print queue of cached lpq output
registry.tdb: Windows registry skeleton (connect via regedit.exe)
sessionid.tdb: session information (e.g. support for 'utmp = yes')
share_info.tdb*: share acls
winbindd_cache.tdb: winbindd's cache of user lists, etc...
winbindd_idmap.tdb*: winbindd's local idmap db
wins.dat*: wins database when 'wins support = yes'

SIGNALS

Sending the smbd a SIGHUP will cause it to - reload its smb.conf configuration - file within a short period of time.

To shut down a user's smbd process it is recommended - that SIGKILL (-9) NOT - be used, except as a last resort, as this may leave the shared - memory area in an inconsistent state. The safe way to terminate - an smbd is to send it a SIGTERM (-15) signal and wait for - it to die on its own.

The debug log level of smbd may be raised - or lowered using smbcontrol(1) program (SIGUSR[1|2] signals are no longer - used since Samba 2.2). This is to allow transient problems to be diagnosed, - whilst still running at a normally low log level.

Note that as the signal handlers send a debug write, - they are not re-entrant in smbd. This you should wait until - smbd is in a state of waiting for an incoming SMB before - issuing them. It is possible to make the signal handlers safe - by un-blocking the signals before the select call and re-blocking - them after, however this would affect performance.

AUTHOR

The original Samba man pages were written by Karl Auer. - The man page sources were converted to YODL format (another - excellent piece of Open Source software, available at - ftp://ftp.icce.rug.nl/pub/unix/) and updated for the Samba 2.0 - release by Jeremy Allison. The conversion to DocBook for - Samba 2.2 was done by Gerald Carter. The conversion to DocBook XML 4.2 for - Samba 3.0 was done by Alexander Bokovoy.

diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20rc2/docs/htmldocs/manpages/smbget.1.html samba-3.0.20/docs/htmldocs/manpages/smbget.1.html --- samba-3.0.20rc2/docs/htmldocs/manpages/smbget.1.html 2005-08-07 11:17:57.000000000 -0500 +++ samba-3.0.20/docs/htmldocs/manpages/smbget.1.html 1969-12-31 18:00:00.000000000 -0600 @@ -1,26 +0,0 @@ -smbget

Name

smbget — wget-like utility for download files over SMB

Synopsis

smbget [-a, --guest] [-r, --resume] [-R, --recursive] [-u, --username=STRING] [-p, --password=STRING] [-w, --workgroup=STRING] [-n, --nonprompt] [-d, --debuglevel=INT] [-D, --dots] [-P, --keep-permissions] [-o, --outputfile] [-f, --rcfile] [-q, --quiet] [-v, --verbose] [-b, --blocksize] [-?, --help] [--usage] {smb://host/share/path/to/file} [smb://url2/] [...]

DESCRIPTION

This tool is part of the samba(7) suite.

smbget is a simple utility with wget-like semantics, that can download files from SMB servers. You can specify the files you would like to download on the command-line. -

- The files should be in the smb-URL standard, e.g. use smb://host/share/file - for the UNC path \\\\HOST\\SHARE\\file. -

OPTIONS

-a, --guest

Work as user guest

-r, --resume

Automatically resume aborted files

-R, --recursive

Recursively download files

-u, --username=STRING

Username to use

-p, --password=STRING

Password to use

-w, --workgroup=STRING

Workgroup to use (optional)

-n, --nonprompt

Don't ask anything (non-interactive)

-d, --debuglevel=INT

Debuglevel to use

-D, --dots

Show dots as progress indication

-P, --keep-permissions

Set same permissions on local file as are set on remote file.

-o, --outputfile

Write the file that is being download to the specified file. Can not be used together with -R.

-f, --rcfile

Use specified rcfile. This will be loaded in the order it was specified - e.g. if you specify any options before this one, they might get overriden by the contents of the rcfile.

-q, --quiet

Be quiet

-v, --verbose

Be verbose

-b, --blocksize

Number of bytes to download in a block. Defaults to 64000.

-?, --help

Show help message

--usage

Display brief usage message

SMB URLS

SMB URL's should be specified in the following format:

-smb://[[[domain;]user[:password@]]server[/share[/path[/file]]]]
-

-smb:// means all the workgroups
-

-smb://name/ means, if name is a workgroup, all the servers in this workgroup, or if name is a server, all the shares on this server.
-

EXAMPLES

-# Recursively download 'src' directory
-smbget -R smb://rhonwyn/jelmer/src
-# Download FreeBSD ISO and enable resuming
-smbget -r smb://rhonwyn/isos/FreeBSD5.1.iso
-# Recursively download all ISOs
-smbget -Rr smb://rhonwyn/isos
-# Backup my data on rhonwyn
-smbget -Rr smb://rhonwyn/
-

BUGS

Permission denied is returned in some cases where the cause of the error is unknown -(such as an illegally formatted smb:// url or trying to get a directory without -R -turned on).

VERSION

This man page is correct for version 3.0 of - the Samba suite.

AUTHOR

The smbget manpage was written by Jelmer Vernooij.

diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20rc2/docs/htmldocs/manpages/smbgetrc.5.html samba-3.0.20/docs/htmldocs/manpages/smbgetrc.5.html --- samba-3.0.20rc2/docs/htmldocs/manpages/smbgetrc.5.html 2005-08-07 11:18:01.000000000 -0500 +++ samba-3.0.20/docs/htmldocs/manpages/smbgetrc.5.html 1969-12-31 18:00:00.000000000 -0600 @@ -1,17 +0,0 @@ -smbgetrc

Name

smbgetrc — configuration file for smbget

Synopsis

smbgetrc

DESCRIPTION

- This manual page documents the format and options of the smbgetrc - file. This is the configuration file used by the smbget(1) - utility. The file contains of key-value pairs, one pair on each line. The key - and value should be separated by a space. -

By default, smbget reads its configuration from $HOME/.smbgetrc, though - other locations can be specified using the command-line options.

OPTIONS

- The following keys can be set: -

resume on|off: - Whether aborted downloads should be automatically resumed. -
recursive on|off: Whether directories should be downloaded recursively
username name: Username to use when logging in to the remote server. Use an empty string for anonymous access. -
password pass: Password to use when logging in.
workgroup wg: Workgroup to use when logging in
nonprompt on|off: Turns off asking for username and password. Useful for scripts.
debuglevel int: (Samba) debuglevel to run at. Useful for tracking down protocol level problems.
dots on|off: Whether a single dot should be printed for each block that has been downloaded, instead of the default progress indicator.
blocksize int: Number of bytes to put in a block.

VERSION

This man page is correct for version 3.0 of - the Samba suite.

AUTHOR

This manual page was written by Jelmer Vernooij

diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20rc2/docs/htmldocs/manpages/smbmnt.8.html samba-3.0.20/docs/htmldocs/manpages/smbmnt.8.html --- samba-3.0.20rc2/docs/htmldocs/manpages/smbmnt.8.html 2005-08-07 11:18:05.000000000 -0500 +++ samba-3.0.20/docs/htmldocs/manpages/smbmnt.8.html 1969-12-31 18:00:00.000000000 -0600 @@ -1,24 +0,0 @@ -smbmnt

Name

smbmnt — helper utility for mounting SMB filesystems

Synopsis

smbmnt {mount-point} [-s <share>] [-r] [-u <uid>] [-g <gid>] [-f <mask>] [-d <mask>] [-o <options>] [-h]

DESCRIPTION

smbmnt is a helper application used - by the smbmount program to do the actual mounting of SMB shares. - smbmnt can be installed setuid root if you want - normal users to be able to mount their SMB shares.

A setuid smbmnt will only allow mounts on directories owned - by the user, and that the user has write permission on.

The smbmnt program is normally invoked - by smbmount(8). It should not be invoked directly by users.

smbmount searches the normal PATH for smbmnt. You must ensure - that the smbmnt version in your path matches the smbmount used.

OPTIONS

-r: mount the filesystem read-only -
-u uid: specify the uid that the files will - be owned by
-g gid: specify the gid that the files will be - owned by
-f mask: specify the octal file mask applied -
-d mask: specify the octal directory mask - applied
-o options: - list of options that are passed as-is to smbfs, if this - command is run on a 2.4 or higher Linux kernel. -
-h|--help: Print a summary of command line options. -

AUTHOR

Volker Lendecke, Andrew Tridgell, Michael H. Warfield - and others.

The current maintainer of smbfs and the userspace - tools smbmount, smbumount, - and smbmnt is Urban Widmark. - The SAMBA Mailing list - is the preferred place to ask questions regarding these programs. -

The conversion of this manpage for Samba 2.2 was performed - by Gerald Carter. The conversion to DocBook XML 4.2 for Samba 3.0 - was done by Alexander Bokovoy.

diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20rc2/docs/htmldocs/manpages/smbmount.8.html samba-3.0.20/docs/htmldocs/manpages/smbmount.8.html --- samba-3.0.20rc2/docs/htmldocs/manpages/smbmount.8.html 2005-08-07 11:18:09.000000000 -0500 +++ samba-3.0.20/docs/htmldocs/manpages/smbmount.8.html 1969-12-31 18:00:00.000000000 -0600 @@ -1,108 +0,0 @@ -smbmount

Name

smbmount — mount an smbfs filesystem

Synopsis

smbmount {service} {mount-point} [-o options]

DESCRIPTION

smbmount mounts a Linux SMB filesystem. It - is usually invoked as mount.smbfs by - the mount(8) command when using the - "-t smbfs" option. This command only works in Linux, and the kernel must - support the smbfs filesystem.

Options to smbmount are specified as a comma-separated - list of key=value pairs. It is possible to send options other - than those listed here, assuming that smbfs supports them. If - you get mount failures, check your kernel log for errors on - unknown options.

smbmount is a daemon. After mounting it keeps running until - the mounted smbfs is umounted. It will log things that happen - when in daemon mode using the "machine name" smbmount, so - typically this output will end up in log.smbmount. The - smbmount process may also be called mount.smbfs.

Note

smbmount - calls smbmnt(8) to do the actual mount. You - must make sure that smbmnt is in the path so - that it can be found.

OPTIONS

username=<arg>

specifies the username to connect as. If - this is not given, then the environment variable - USER is used. This option can also take the - form "user%password" or "user/workgroup" or - "user/workgroup%password" to allow the password and workgroup - to be specified as part of the username.

password=<arg>

specifies the SMB password. If this - option is not given then the environment variable - PASSWD is used. If it can find - no password smbmount will prompt - for a passeword, unless the guest option is - given.

- Note that passwords which contain the argument delimiter - character (i.e. a comma ',') will failed to be parsed correctly - on the command line. However, the same password defined - in the PASSWD environment variable or a credentials file (see - below) will be read correctly. -

credentials=<filename>

specifies a file that contains a username and/or password. -The format of the file is: -

-username = <value>
-password = <value>
-

This is preferred over having passwords in plaintext in a - shared file, such as /etc/fstab. Be sure to protect any - credentials file properly. -

krb

Use kerberos (Active Directory).

netbiosname=<arg>

sets the source NetBIOS name. It defaults - to the local hostname.

uid=<arg>

sets the uid that will own all files on - the mounted filesystem. - It may be specified as either a username or a numeric uid. -

gid=<arg>

sets the gid that will own all files on - the mounted filesystem. - It may be specified as either a groupname or a numeric - gid.

port=<arg>

sets the remote SMB port number. The default - is 445, fallback is 139.

fmask=<arg>

sets the file mask. This determines the - permissions that remote files have in the local filesystem. - This is not a umask, but the actual permissions for the files. - The default is based on the current umask.

dmask=<arg>

Sets the directory mask. This determines the - permissions that remote directories have in the local filesystem. - This is not a umask, but the actual permissions for the directories. - The default is based on the current umask.

debug=<arg>

Sets the debug level. This is useful for - tracking down SMB connection problems. A suggested value to - start with is 4. If set too high there will be a lot of - output, possibly hiding the useful output.

ip=<arg>

Sets the destination host or IP address. -

workgroup=<arg>

Sets the workgroup on the destination

sockopt=<arg>

Sets the TCP socket options. See the smb.conf(5) socket options option. -

scope=<arg>

Sets the NetBIOS scope

guest

Don't prompt for a password

ro

mount read-only

rw

mount read-write

iocharset=<arg>

- sets the charset used by the Linux side for codepage - to charset translations (NLS). Argument should be the - name of a charset, like iso8859-1. (Note: only kernel - 2.4.0 or later) -

codepage=<arg>

- sets the codepage the server uses. See the iocharset - option. Example value cp850. (Note: only kernel 2.4.0 - or later) -

ttl=<arg>

- sets how long a directory listing is cached in milliseconds - (also affects visibility of file size and date - changes). A higher value means that changes on the - server take longer to be noticed but it can give - better performance on large directories, especially - over long distances. Default is 1000ms but something - like 10000ms (10 seconds) is probably more reasonable - in many cases. - (Note: only kernel 2.4.2 or later) -

ENVIRONMENT VARIABLES

The variable USER may contain the username of the - person using the client. This information is used only if the - protocol level is high enough to support session-level - passwords. The variable can be used to set both username and - password by using the format username%password.

The variable PASSWD may contain the password of the - person using the client. This information is used only if the - protocol level is high enough to support session-level - passwords.

The variable PASSWD_FILE may contain the pathname - of a file to read the password from. A single line of input is - read and used as the password.

BUGS

Passwords and other options containing , can not be handled. - For passwords an alternative way of passing them is in a credentials - file or in the PASSWD environment.

The credentials file does not handle usernames or passwords with - leading space.

One smbfs bug is important enough to mention here, even if it - is a bit misplaced:

Mounts sometimes stop working. This is usually - caused by smbmount terminating. Since smbfs needs smbmount to - reconnect when the server disconnects, the mount will eventually go - dead. An umount/mount normally fixes this. At least 2 ways to - trigger this bug are known.

Note that the typical response to a bug report is suggestion - to try the latest version first. So please try doing that first, - and always include which versions you use of relevant software - when reporting bugs (minimum: samba, kernel, distribution)

AUTHOR

Volker Lendecke, Andrew Tridgell, Michael H. Warfield - and others.

The conversion of this manpage for Samba 2.2 was performed - by Gerald Carter. The conversion to DocBook XML 4.2 for Samba 3.0 - was done by Alexander Bokovoy.

diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20rc2/docs/htmldocs/manpages/smbpasswd.5.html samba-3.0.20/docs/htmldocs/manpages/smbpasswd.5.html --- samba-3.0.20rc2/docs/htmldocs/manpages/smbpasswd.5.html 2005-08-07 11:18:13.000000000 -0500 +++ samba-3.0.20/docs/htmldocs/manpages/smbpasswd.5.html 1969-12-31 18:00:00.000000000 -0600 @@ -1,90 +0,0 @@ -smbpasswd

Name

smbpasswd — The Samba encrypted password file

Synopsis

smbpasswd

DESCRIPTION

This tool is part of the samba(7) suite.

smbpasswd is the Samba encrypted password file. It contains - the username, Unix user id and the SMB hashed passwords of the - user, as well as account flag information and the time the - password was last changed. This file format has been evolving with - Samba and has had several different formats in the past.

FILE FORMAT

The format of the smbpasswd file used by Samba 2.2 - is very similar to the familiar Unix passwd(5) - file. It is an ASCII file containing one line for each user. Each field - ithin each line is separated from the next by a colon. Any entry - beginning with '#' is ignored. The smbpasswd file contains the - following information for each user:

name

This is the user name. It must be a name that - already exists in the standard UNIX passwd file.

uid

This is the UNIX uid. It must match the uid - field for the same user entry in the standard UNIX passwd file. - If this does not match then Samba will refuse to recognize - this smbpasswd file entry as being valid for a user. -

Lanman Password Hash

This is the LANMAN hash of the user's password, - encoded as 32 hex digits. The LANMAN hash is created by DES - encrypting a well known string with the user's password as the - DES key. This is the same password used by Windows 95/98 machines. - Note that this password hash is regarded as weak as it is - vulnerable to dictionary attacks and if two users choose the - same password this entry will be identical (i.e. the password - is not "salted" as the UNIX password is). If the user has a - null password this field will contain the characters "NO PASSWORD" - as the start of the hex string. If the hex string is equal to - 32 'X' characters then the user's account is marked as - disabled and the user will not be able to - log onto the Samba server.

WARNING !! Note that, due to - the challenge-response nature of the SMB/CIFS authentication - protocol, anyone with a knowledge of this password hash will - be able to impersonate the user on the network. For this - reason these hashes are known as plain text - equivalents and must NOT be made - available to anyone but the root user. To protect these passwords - the smbpasswd file is placed in a directory with read and - traverse access only to the root user and the smbpasswd file - itself must be set to be read/write only by root, with no - other access.

NT Password Hash

This is the Windows NT hash of the user's - password, encoded as 32 hex digits. The Windows NT hash is - created by taking the user's password as represented in - 16-bit, little-endian UNICODE and then applying the MD4 - (internet rfc1321) hashing algorithm to it.

This password hash is considered more secure than - the LANMAN Password Hash as it preserves the case of the - password and uses a much higher quality hashing algorithm. - However, it is still the case that if two users choose the same - password this entry will be identical (i.e. the password is - not "salted" as the UNIX password is).

WARNING !!. Note that, due to - the challenge-response nature of the SMB/CIFS authentication - protocol, anyone with a knowledge of this password hash will - be able to impersonate the user on the network. For this - reason these hashes are known as plain text - equivalents and must NOT be made - available to anyone but the root user. To protect these passwords - the smbpasswd file is placed in a directory with read and - traverse access only to the root user and the smbpasswd file - itself must be set to be read/write only by root, with no - other access.

Account Flags

This section contains flags that describe - the attributes of the users account. In the Samba 2.2 release - this field is bracketed by '[' and ']' characters and is always - 13 characters in length (including the '[' and ']' characters). - The contents of this field may be any of the following characters: -

U - This means - this is a "User" account, i.e. an ordinary user. Only User - and Workstation Trust accounts are currently supported - in the smbpasswd file.
N - This means the - account has no password (the passwords in the fields LANMAN - Password Hash and NT Password Hash are ignored). Note that this - will only allow users to log on with no password if the - null passwords parameter is set in the - smb.conf(5) config file.
D - This means the account - is disabled and no SMB/CIFS logins will be allowed for this user.
W - This means this account - is a "Workstation Trust" account. This kind of account is used - in the Samba PDC code stream to allow Windows NT Workstations - and Servers to join a Domain hosted by a Samba PDC.

Other flags may be added as the code is extended in future. - The rest of this field space is filled in with spaces.

Last Change Time

This field consists of the time the account was - last modified. It consists of the characters 'LCT-' (standing for - "Last Change Time") followed by a numeric encoding of the UNIX time - in seconds since the epoch (1970) that the last change was made. -

All other colon separated fields are ignored at this time.

VERSION

This man page is correct for version 3.0 of - the Samba suite.

AUTHOR

The original Samba man pages were written by Karl Auer. - The man page sources were converted to YODL format (another - excellent piece of Open Source software, available at - ftp://ftp.icce.rug.nl/pub/unix/) and updated for the Samba 2.0 - release by Jeremy Allison. The conversion to DocBook for - Samba 2.2 was done by Gerald Carter. The conversion to DocBook XML 4.2 - for Samba 3.0 was done by Alexander Bokovoy.

diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20rc2/docs/htmldocs/manpages/smbpasswd.8.html samba-3.0.20/docs/htmldocs/manpages/smbpasswd.8.html --- samba-3.0.20rc2/docs/htmldocs/manpages/smbpasswd.8.html 2005-08-07 11:18:17.000000000 -0500 +++ samba-3.0.20/docs/htmldocs/manpages/smbpasswd.8.html 1969-12-31 18:00:00.000000000 -0600 @@ -1,159 +0,0 @@ -smbpasswd

Name

smbpasswd — change a user's SMB password

Synopsis

smbpasswd [-a] [-x] [-d] [-e] [-D debuglevel] [-n] [-r <remote machine>] [-R <name resolve order>] [-m] [-U username[%password]] [-h] [-s] [-w pass] [-i] [-L] [username]

DESCRIPTION

This tool is part of the samba(7) suite.

The smbpasswd program has several different - functions, depending on whether it is run by the root user - or not. When run as a normal user it allows the user to change - the password used for their SMB sessions on any machines that store - SMB passwords.

By default (when run with no arguments) it will attempt to - change the current user's SMB password on the local machine. This is - similar to the way the passwd(1) program works. - smbpasswd differs from how the passwd program works - however in that it is not setuid root but works in - a client-server mode and communicates with a - locally running smbd(8). As a consequence in order for this to - succeed the smbd daemon must be running on the local machine. On a - UNIX machine the encrypted SMB passwords are usually stored in - the smbpasswd(5) file.

When run by an ordinary user with no options, smbpasswd - will prompt them for their old SMB password and then ask them - for their new password twice, to ensure that the new password - was typed correctly. No passwords will be echoed on the screen - whilst being typed. If you have a blank SMB password (specified by - the string "NO PASSWORD" in the smbpasswd file) then just press - the <Enter> key when asked for your old password.

smbpasswd can also be used by a normal user to change their - SMB password on remote machines, such as Windows NT Primary Domain - Controllers. See the (-r) and -U options - below.

When run by root, smbpasswd allows new users to be added - and deleted in the smbpasswd file, as well as allows changes to - the attributes of the user in this file to be made. When run by root, - smbpasswd accesses the local smbpasswd file - directly, thus enabling changes to be made even if smbd is not - running.

OPTIONS

-a

This option specifies that the username - following should be added to the local smbpasswd file, with the - new password typed (type <Enter> for the old password). This - option is ignored if the username following already exists in - the smbpasswd file and it is treated like a regular change - password command. Note that the default passdb backends require - the user to already exist in the system password file (usually - /etc/passwd), else the request to add the - user will fail.

This option is only available when running smbpasswd - as root.

-x

This option specifies that the username - following should be deleted from the local smbpasswd file. -

This option is only available when running smbpasswd as - root.

-d

This option specifies that the username following - should be disabled in the local smbpasswd - file. This is done by writing a 'D' flag - into the account control space in the smbpasswd file. Once this - is done all attempts to authenticate via SMB using this username - will fail.

If the smbpasswd file is in the 'old' format (pre-Samba 2.0 - format) there is no space in the user's password entry to write - this information and the command will FAIL. See smbpasswd(5) for details on the 'old' and new password file formats. -

This option is only available when running smbpasswd as - root.

-e

This option specifies that the username following - should be enabled in the local smbpasswd file, - if the account was previously disabled. If the account was not - disabled this option has no effect. Once the account is enabled then - the user will be able to authenticate via SMB once again.

If the smbpasswd file is in the 'old' format, then - smbpasswd will FAIL to enable the account. - See smbpasswd(5) for - details on the 'old' and new password file formats.

This option is only available when running smbpasswd as root. -

-D debuglevel

debuglevel is an integer - from 0 to 10. The default value if this parameter is not specified - is zero.

The higher this value, the more detail will be logged to the - log files about the activities of smbpasswd. At level 0, only - critical errors and serious warnings will be logged.

Levels above 1 will generate considerable amounts of log - data, and should only be used when investigating a problem. Levels - above 3 are designed for use only by developers and generate - HUGE amounts of log data, most of which is extremely cryptic. -

-n

This option specifies that the username following - should have their password set to null (i.e. a blank password) in - the local smbpasswd file. This is done by writing the string "NO - PASSWORD" as the first part of the first password stored in the - smbpasswd file.

Note that to allow users to logon to a Samba server once - the password has been set to "NO PASSWORD" in the smbpasswd - file the administrator must set the following parameter in the [global] - section of the smb.conf file :

null passwords = yes

This option is only available when running smbpasswd as - root.

-r remote machine name

This option allows a user to specify what machine - they wish to change their password on. Without this parameter - smbpasswd defaults to the local host. The remote - machine name is the NetBIOS name of the SMB/CIFS - server to contact to attempt the password change. This name is - resolved into an IP address using the standard name resolution - mechanism in all programs of the Samba suite. See the -R - name resolve order parameter for details on changing - this resolving mechanism.

The username whose password is changed is that of the - current UNIX logged on user. See the -U username - parameter for details on changing the password for a different - username.

Note that if changing a Windows NT Domain password the - remote machine specified must be the Primary Domain Controller for - the domain (Backup Domain Controllers only have a read-only - copy of the user account database and will not allow the password - change).

Note that Windows 95/98 do not have - a real password database so it is not possible to change passwords - specifying a Win95/98 machine as remote machine target.

-R name resolve order

This option allows the user of smbpasswd to determine - what name resolution services to use when looking up the NetBIOS - name of the host being connected to.

The options are :"lmhosts", "host", "wins" and "bcast". They - cause names to be resolved as follows:

lmhosts: Lookup an IP - address in the Samba lmhosts file. If the line in lmhosts has - no name type attached to the NetBIOS name (see the lmhosts(5) for details) then - any name type matches for lookup.
host: Do a standard host - name to IP address resolution, using the system /etc/hosts -, NIS, or DNS lookups. This method of name resolution - is operating system depended for instance on IRIX or Solaris this - may be controlled by the /etc/nsswitch.conf - file). Note that this method is only used if the NetBIOS name - type being queried is the 0x20 (server) name type, otherwise - it is ignored.
wins: Query a name with - the IP address listed in the wins server - parameter. If no WINS server has been specified this method - will be ignored.
bcast: Do a broadcast on - each of the known local interfaces listed in the - interfaces parameter. This is the least - reliable of the name resolution methods as it depends on the - target host being on a locally connected subnet.

The default order is lmhosts, host, wins, bcast - and without this parameter or any entry in the smb.conf(5) file the name resolution methods will - be attempted in this order.

-m

This option tells smbpasswd that the account - being changed is a MACHINE account. Currently this is used - when Samba is being used as an NT Primary Domain Controller.

This option is only available when running smbpasswd as root. -

-U username

This option may only be used in conjunction - with the -r option. When changing - a password on a remote machine it allows the user to specify - the user name on that machine whose password will be changed. It - is present to allow users who have different user names on - different systems to change these passwords.

-h

This option prints the help string for - smbpasswd, selecting the correct one for running as root - or as an ordinary user.

-s

This option causes smbpasswd to be silent (i.e. - not issue prompts) and to read its old and new passwords from - standard input, rather than from /dev/tty - (like the passwd(1) program does). This option - is to aid people writing scripts to drive smbpasswd

-w password

This parameter is only available if Samba - has been compiled with LDAP support. The -w - switch is used to specify the password to be used with the - ldap admin dn. Note that the password is stored in - the secrets.tdb and is keyed off - of the admin's DN. This means that if the value of ldap - admin dn ever changes, the password will need to be - manually updated as well. -

-i

This option tells smbpasswd that the account - being changed is an interdomain trust account. Currently this is used - when Samba is being used as an NT Primary Domain Controller. - The account contains the info about another trusted domain.

This option is only available when running smbpasswd as root. -

-L

Run in local mode.

username

This specifies the username for all of the - root only options to operate on. Only root - can specify this parameter as only root has the permission needed - to modify attributes directly in the local smbpasswd file. -

NOTES

Since smbpasswd works in client-server - mode communicating with a local smbd for a non-root user then - the smbd daemon must be running for this to work. A common problem - is to add a restriction to the hosts that may access the - smbd running on the local machine by specifying either allow - hosts or deny hosts entry in - the smb.conf(5) file and neglecting to - allow "localhost" access to the smbd.

In addition, the smbpasswd command is only useful if Samba - has been set up to use encrypted passwords.

VERSION

This man page is correct for version 3.0 of the Samba suite.

AUTHOR

The original Samba man pages were written by Karl Auer. - The man page sources were converted to YODL format (another - excellent piece of Open Source software, available at - ftp://ftp.icce.rug.nl/pub/unix/) and updated for the Samba 2.0 - release by Jeremy Allison. The conversion to DocBook for - Samba 2.2 was done by Gerald Carter. The conversion to DocBook XML 4.2 - for Samba 3.0 was done by Alexander Bokovoy.

diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20rc2/docs/htmldocs/manpages/smbsh.1.html samba-3.0.20/docs/htmldocs/manpages/smbsh.1.html --- samba-3.0.20rc2/docs/htmldocs/manpages/smbsh.1.html 2005-08-07 11:18:20.000000000 -0500 +++ samba-3.0.20/docs/htmldocs/manpages/smbsh.1.html 1969-12-31 18:00:00.000000000 -0600 @@ -1,108 +0,0 @@ -smbsh

Name

smbsh — Allows access to remote SMB shares - using UNIX commands

Synopsis

smbsh [-W workgroup] [-U username] [-P prefix] [-R <name resolve order>] [-d <debug level>] [-l logdir] [-L libdir]

DESCRIPTION

This tool is part of the samba(7) suite.

smbsh allows you to access an NT filesystem - using UNIX commands such as ls, - egrep, and rcp. You must use a - shell that is dynamically linked in order for smbsh - to work correctly.

OPTIONS

-W WORKGROUP

Override the default workgroup specified in the - workgroup parameter of the smb.conf(5) file - for this session. This may be needed to connect to some - servers.

-U username[%pass]

Sets the SMB username or username and password. - If this option is not specified, the user will be prompted for - both the username and the password. If %pass is not specified, - the user will be prompted for the password. -

-P prefix

This option allows - the user to set the directory prefix for SMB access. The - default value if this option is not specified is - smb. -

-s <configuration file>

-d|--debug=debuglevel

debuglevel is an integer -from 0 to 10. The default value if this parameter is -not specified is zero.

Note that specifying this parameter here will -override the parameter -in the smb.conf file.

-R <name resolve order>

This option is used to determine what naming -services and in what order to resolve -host names to IP addresses. The option takes a space-separated -string of different name resolution options.

The options are: "lmhosts", "host", "wins" and "bcast". -They cause names to be resolved as follows :

lmhosts: -Lookup an IP address in the Samba lmhosts file. If the -line in lmhosts has no name type attached to the -NetBIOS name -(see the lmhosts(5) for details) -then any name type matches for lookup. -
host: -Do a standard host name to IP address resolution, using -the system /etc/hosts, NIS, or DNS -lookups. This method of name resolution is operating -system dependent, for instance on IRIX or Solaris this -may be controlled by the /etc/nsswitch.conf - file). Note that this method is only used -if the NetBIOS name type being queried is the 0x20 -(server) name type, otherwise it is ignored. -
wins: -Query a name with the IP address listed in the -wins server parameter. If no -WINS server has been specified this method will be -ignored. -
bcast: -Do a broadcast on each of the known local interfaces -listed in the interfaces -parameter. This is the least reliable of the name -resolution methods as it depends on the target host -being on a locally connected subnet. -

If this parameter is not set then the name resolve order -defined in the smb.conf file parameter -() will be used. -

The default order is lmhosts, host, wins, bcast. Without -this parameter or any entry in the parameter of the smb.conf file, the name -resolution methods will be attempted in this order.

-L libdir

This parameter specifies the location of the - shared libraries used by smbsh. The default - value is specified at compile time. -

EXAMPLES

To use the smbsh command, execute - smbsh from the prompt and enter the username and password - that authenticates you to the machine running the Windows NT - operating system. -

-system% smbsh
-Username: user
-Password: XXXXXXX
-

Any dynamically linked command you execute from - this shell will access the /smb directory - using the smb protocol. For example, the command ls /smb - will show a list of workgroups. The command - ls /smb/MYGROUP will show all the machines in - the workgroup MYGROUP. The command - ls /smb/MYGROUP/<machine-name> will show the share - names for that machine. You could then, for example, use the - cd command to change directories, vi to - edit files, and rcp to copy files.

VERSION

This man page is correct for version 3.0 of the Samba suite.

BUGS

smbsh works by intercepting the standard - libc calls with the dynamically loaded versions in - smbwrapper.o. Not all calls have been "wrapped", so - some programs may not function correctly under smbsh - .

Programs which are not dynamically linked cannot make - use of smbsh's functionality. Most versions - of UNIX have a file command that will - describe how a program was linked.

AUTHOR

The original Samba man pages were written by Karl Auer. - The man page sources were converted to YODL format (another - excellent piece of Open Source software, available at - ftp://ftp.icce.rug.nl/pub/unix/) and updated for the Samba 2.0 - release by Jeremy Allison. The conversion to DocBook for - Samba 2.2 was done by Gerald Carter. The conversion to DocBook XML 4.2 - for Samba 3.0 was done by Alexander Bokovoy.

diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20rc2/docs/htmldocs/manpages/smbspool.8.html samba-3.0.20/docs/htmldocs/manpages/smbspool.8.html --- samba-3.0.20rc2/docs/htmldocs/manpages/smbspool.8.html 2005-08-07 11:18:24.000000000 -0500 +++ samba-3.0.20/docs/htmldocs/manpages/smbspool.8.html 1969-12-31 18:00:00.000000000 -0600 @@ -1,36 +0,0 @@ -smbspool

Name

smbspool — send a print file to an SMB printer

Synopsis

smbspool {job} {user} {title} {copies} {options} [filename]

DESCRIPTION

This tool is part of the samba(7) suite.

smbspool is a very small print spooling program that - sends a print file to an SMB printer. The command-line arguments - are position-dependent for compatibility with the Common UNIX - Printing System, but you can use smbspool with any printing system - or from a program or script.

DEVICE URI

smbspool specifies the destination using a Uniform Resource - Identifier ("URI") with a method of "smb". This string can take - a number of forms:

smb://server[:port]/printer
smb://workgroup/server[:port]/printer
smb://username:password@server[:port]/printer
smb://username:password@workgroup/server[:port]/printer

smbspool tries to get the URI from the environment variable - DEVICE_URI. If DEVICE_URI is not present, - smbspool will use argv[0] if that starts with “smb://” - or argv[1] if that is not the case.

Programs using the exec(2) functions can - pass the URI in argv[0], while shell scripts must set the - DEVICE_URI environment variable prior to - running smbspool.

OPTIONS

The job argument (argv[1]) contains the - job ID number and is presently not used by smbspool. -
The user argument (argv[2]) contains the - print user's name and is presently not used by smbspool. -
The title argument (argv[3]) contains the - job title string and is passed as the remote file name - when sending the print job.
The copies argument (argv[4]) contains - the number of copies to be printed of the named file. If - no filename is provided then this argument is not used by - smbspool.
The options argument (argv[5]) contains - the print options in a single string and is currently - not used by smbspool.
The filename argument (argv[6]) contains the - name of the file to print. If this argument is not specified - then the print file is read from the standard input.

VERSION

This man page is correct for version 3.0 of the Samba suite.

AUTHOR

smbspool was written by Michael Sweet - at Easy Software Products.

The original Samba man pages were written by Karl Auer. - The man page sources were converted to YODL format (another - excellent piece of Open Source software, available at - ftp://ftp.icce.rug.nl/pub/unix/) and updated for the Samba 2.0 - release by Jeremy Allison. The conversion to DocBook for - Samba 2.2 was done by Gerald Carter. The conversion to DocBook XML 4.2 - for Samba 3.0 was done by Alexander Bokovoy.

diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20rc2/docs/htmldocs/manpages/smbstatus.1.html samba-3.0.20/docs/htmldocs/manpages/smbstatus.1.html --- samba-3.0.20rc2/docs/htmldocs/manpages/smbstatus.1.html 2005-08-07 11:18:27.000000000 -0500 +++ samba-3.0.20/docs/htmldocs/manpages/smbstatus.1.html 1969-12-31 18:00:00.000000000 -0600 @@ -1,41 +0,0 @@ -smbstatus

Name

smbstatus — report on current Samba connections

Synopsis

smbstatus [-P] [-b] [-d <debug level>] [-v] [-L] [-B] [-p] [-S] [-s <configuration file>] [-u <username>]

DESCRIPTION

This tool is part of the samba(7) suite.

smbstatus is a very simple program to - list the current Samba connections.

OPTIONS

-P|--profile

If samba has been compiled with the - profiling option, print only the contents of the profiling - shared memory area.

-b|--brief

gives brief output.

-V

Prints the program version number. -

-s <configuration file>

-d|--debug=debuglevel

debuglevel is an integer -from 0 to 10. The default value if this parameter is -not specified is zero.

Note that specifying this parameter here will -override the parameter -in the smb.conf file.

-l|--logfile=logdirectory

Base directory name for log/debug files. The extension -".progname" will be appended (e.g. log.smbclient, -log.smbd, etc...). The log file is never removed by the client. -

-v|--verbose

gives verbose output.

-L|--locks

causes smbstatus to only list locks.

-B|--byterange

causes smbstatus to include byte range locks. -

-p|--processes

print a list of smbd(8) processes and exit. - Useful for scripting.

-S|--shares

causes smbstatus to only list shares.

-h|--help

Print a summary of command line options. -

-u|--user=<username>

selects information relevant to username only.

VERSION

This man page is correct for version 3.0 of - the Samba suite.

AUTHOR

The original Samba man pages were written by Karl Auer. - The man page sources were converted to YODL format (another - excellent piece of Open Source software, available at - ftp://ftp.icce.rug.nl/pub/unix/) and updated for the Samba 2.0 - release by Jeremy Allison. The conversion to DocBook for - Samba 2.2 was done by Gerald Carter. The conversion to DocBook XML 4.2 - for Samba 3.0 was done by Alexander Bokovoy.

diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20rc2/docs/htmldocs/manpages/smbtar.1.html samba-3.0.20/docs/htmldocs/manpages/smbtar.1.html --- samba-3.0.20rc2/docs/htmldocs/manpages/smbtar.1.html 2005-08-07 11:18:30.000000000 -0500 +++ samba-3.0.20/docs/htmldocs/manpages/smbtar.1.html 1969-12-31 18:00:00.000000000 -0600 @@ -1,39 +0,0 @@ -smbtar

Name

smbtar — shell script for backing up SMB/CIFS shares - directly to UNIX tape drives

Synopsis

smbtar [-r] [-i] [-a] [-v] {-s server} [-p password] [-x services] [-X] [-N filename] [-b blocksize] [-d directory] [-l loglevel] [-u user] [-t tape] {filenames}

DESCRIPTION

This tool is part of the samba(7) suite.

smbtar is a very small shell script on top - of smbclient(1) which dumps SMB shares directly to tape.

OPTIONS

-s server: The SMB/CIFS server that the share resides - upon.
-x service: The share name on the server to connect to. - The default is "backup".
-X: Exclude mode. Exclude filenames... from tar - create or restore.
-d directory: Change to initial directory - before restoring / backing up files.
-v: Verbose mode.
-p password: The password to use to access a share. - Default: none
-u user: The user id to connect as. Default: - UNIX login name.
-a: Reset DOS archive bit mode to - indicate file has been archived.
-t tape: Tape device. May be regular file or tape - device. Default: $TAPE environmental - variable; if not set, a file called tar.out -.
-b blocksize: Blocking factor. Defaults to 20. See - tar(1) for a fuller explanation.
-N filename: Backup only files newer than filename. Could - be used (for example) on a log file to implement incremental - backups.
-i: Incremental mode; tar files are only backed - up if they have the archive bit set. The archive bit is reset - after each file is read.
-r: Restore. Files are restored to the share - from the tar file.
-l log level: Log (debug) level. Corresponds to the - -d flag of smbclient(1).

ENVIRONMENT VARIABLES

The $TAPE variable specifies the - default tape device to write to. May be overridden - with the -t option.

BUGS

The smbtar script has different - options from ordinary tar and from smbclient's tar command.

CAVEATS

Sites that are more careful about security may not like - the way the script handles PC passwords. Backup and restore work - on entire shares; should work on file lists. smbtar works best - with GNU tar and may not work well with other versions.

DIAGNOSTICS

See the DIAGNOSTICS section for the smbclient(1) command.

VERSION

This man page is correct for version 3.0 of - the Samba suite.

AUTHOR

Ricky Poulten - wrote the tar extension and this man page. The smbtar - script was heavily rewritten and improved by Martin Kraemer. Many - thanks to everyone who suggested extensions, improvements, bug - fixes, etc. The man page sources were converted to YODL format (another - excellent piece of Open Source software, available at - ftp://ftp.icce.rug.nl/pub/unix/) and updated for the Samba 2.0 - release by Jeremy Allison. The conversion to DocBook for - Samba 2.2 was done by Gerald Carter. The conversion to DocBook XML 4.2 for - Samba 3.0 was done by Alexander Bokovoy.

diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20rc2/docs/htmldocs/manpages/smbtree.1.html samba-3.0.20/docs/htmldocs/manpages/smbtree.1.html --- samba-3.0.20rc2/docs/htmldocs/manpages/smbtree.1.html 2005-08-07 11:18:34.000000000 -0500 +++ samba-3.0.20/docs/htmldocs/manpages/smbtree.1.html 1969-12-31 18:00:00.000000000 -0600 @@ -1,72 +0,0 @@ -smbtree

Name

smbtree — A text based smb network browser -

Synopsis

smbtree [-b] [-D] [-S]

DESCRIPTION

This tool is part of the samba(7) suite.

smbtree is a smb browser program - in text mode. It is similar to the "Network Neighborhood" found - on Windows computers. It prints a tree with all - the known domains, the servers in those domains and - the shares on the servers. -

OPTIONS

-b

Query network nodes by sending requests - as broadcasts instead of querying the local master browser. -

-D

Only print a list of all - the domains known on broadcast or by the - master browser

-S

Only print a list of - all the domains and servers responding on broadcast or - known by the master browser. -

-V

Prints the program version number. -

-s <configuration file>

-d|--debug=debuglevel

debuglevel is an integer -from 0 to 10. The default value if this parameter is -not specified is zero.

Note that specifying this parameter here will -override the parameter -in the smb.conf file.

-l|--logfile=logdirectory

Base directory name for log/debug files. The extension -".progname" will be appended (e.g. log.smbclient, -log.smbd, etc...). The log file is never removed by the client. -

-N

If specified, this parameter suppresses the normal -password prompt from the client to the user. This is useful when -accessing a service that does not require a password.

Unless a password is specified on the command line or -this parameter is specified, the client will request a -password.

-k

-Try to authenticate with kerberos. Only useful in -an Active Directory environment. -

-A|--authentication-file=filename

This option allows -you to specify a file from which to read the username and -password used in the connection. The format of the file is -

-username = <value>
-password = <value>
-domain   = <value>
-

Make certain that the permissions on the file restrict -access from unwanted users.

-U|--user=username[%password]

Sets the SMB username or username and password.

-h|--help

Print a summary of command line options. -

VERSION

This man page is correct for version 3.0 of the Samba - suite.

AUTHOR

The smbtree man page was written by Jelmer Vernooij.

diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20rc2/docs/htmldocs/manpages/smbumount.8.html samba-3.0.20/docs/htmldocs/manpages/smbumount.8.html --- samba-3.0.20rc2/docs/htmldocs/manpages/smbumount.8.html 2005-08-07 11:18:37.000000000 -0500 +++ samba-3.0.20/docs/htmldocs/manpages/smbumount.8.html 1969-12-31 18:00:00.000000000 -0600 @@ -1,16 +0,0 @@ -smbumount

Name

smbumount — smbfs umount for normal users

Synopsis

smbumount {mount-point}

DESCRIPTION

With this program, normal users can unmount smb-filesystems, - provided that it is suid root. smbumount has - been written to give normal Linux users more control over their - resources. It is safe to install this program suid root, because only - the user who has mounted a filesystem is allowed to unmount it again. - For root it is not necessary to use smbumount. The normal umount - program works perfectly well, but it would certainly be problematic - to make umount setuid root.

OPTIONS

mount-point: The directory to unmount.

AUTHOR

Volker Lendecke, Andrew Tridgell, Michael H. Warfield - and others.

The conversion of this manpage for Samba 2.2 was performed - by Gerald Carter. The conversion to DocBook XML 4.2 for Samba 3.0 - was done by Alexander Bokovoy.

diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20rc2/docs/htmldocs/manpages/swat.8.html samba-3.0.20/docs/htmldocs/manpages/swat.8.html --- samba-3.0.20rc2/docs/htmldocs/manpages/swat.8.html 2005-08-07 11:18:42.000000000 -0500 +++ samba-3.0.20/docs/htmldocs/manpages/swat.8.html 1969-12-31 18:00:00.000000000 -0600 @@ -1,88 +0,0 @@ -swat

Name

swat — Samba Web Administration Tool

Synopsis

swat [-s <smb config file>] [-a] [-P]

DESCRIPTION

This tool is part of the samba(7) suite.

swat allows a Samba administrator to - configure the complex smb.conf(5) file via a Web browser. In addition, - a swat configuration page has help links - to all the configurable options in the smb.conf file allowing an - administrator to easily look up the effects of any change.

swat is run from inetd

OPTIONS

-s smb configuration file

The default configuration file path is - determined at compile time. The file specified contains - the configuration details required by the smbd(8) server. This is the file - that swat will modify. - The information in this file includes server-specific - information such as what printcap file to use, as well as - descriptions of all the services that the server is to provide. - See smb.conf for more information. -

-a

This option disables authentication and puts - swat in demo mode. In that mode anyone will be able to modify - the smb.conf file.

WARNING: Do NOT enable this option on a production - server.

-P

This option restricts read-only users to the password - management page. swat can then be used to change - user passwords without users seeing the "View" and "Status" menu - buttons.

-V

Prints the program version number. -

-s <configuration file>

-d|--debug=debuglevel

debuglevel is an integer -from 0 to 10. The default value if this parameter is -not specified is zero.

Note that specifying this parameter here will -override the parameter -in the smb.conf file.

-l|--logfile=logdirectory

Base directory name for log/debug files. The extension -".progname" will be appended (e.g. log.smbclient, -log.smbd, etc...). The log file is never removed by the client. -

-h|--help

Print a summary of command line options. -

INSTALLATION

Swat is included as binary package with most distributions. The - package manager in this case takes care of the installation and - configuration. This section is only for those who have compiled - swat from scratch. -

After you compile SWAT you need to run make install - to install the swat binary - and the various help files and images. A default install would put - these in:

/usr/local/samba/sbin/swat
/usr/local/samba/swat/images/*
/usr/local/samba/swat/help/*

Inetd Installation

You need to edit your /etc/inetd.conf - and /etc/services - to enable SWAT to be launched via inetd.

In /etc/services you need to - add a line like this:

swat 901/tcp

Note for NIS/YP and LDAP users - you may need to rebuild the - NIS service maps rather than alter your local - /etc/services file.

the choice of port number isn't really important - except that it should be less than 1024 and not currently - used (using a number above 1024 presents an obscure security - hole depending on the implementation details of your - inetd daemon).

In /etc/inetd.conf you should - add a line like this:

swat stream tcp nowait.400 root - /usr/local/samba/sbin/swat swat

Once you have edited /etc/services - and /etc/inetd.conf you need to send a - HUP signal to inetd. To do this use kill -1 PID - where PID is the process ID of the inetd daemon.

LAUNCHING

To launch SWAT just run your favorite web browser and - point it at "http://localhost:901/".

Note that you can attach to SWAT from any IP connected - machine but connecting from a remote machine leaves your - connection open to password sniffing as passwords will be sent - in the clear over the wire.

FILES

/etc/inetd.conf: This file must contain suitable startup - information for the meta-daemon.
/etc/services: This file must contain a mapping of service name - (e.g., swat) to service port (e.g., 901) and protocol type - (e.g., tcp).
/usr/local/samba/lib/smb.conf: This is the default location of the smb.conf(5) server configuration file that swat edits. Other - common places that systems install this file are - /usr/samba/lib/smb.conf and /etc/smb.conf -. This file describes all the services the server - is to make available to clients.

WARNINGS

swat will rewrite your smb.conf(5) file. It will rearrange the entries and delete all - comments, include= and copy= - options. If you have a carefully crafted - smb.conf then back it up or don't use swat!

VERSION

This man page is correct for version 3.0 of the Samba suite.

AUTHOR

The original Samba man pages were written by Karl Auer. - The man page sources were converted to YODL format (another - excellent piece of Open Source software, available at - ftp://ftp.icce.rug.nl/pub/unix/) and updated for the Samba 2.0 - release by Jeremy Allison. The conversion to DocBook for - Samba 2.2 was done by Gerald Carter. The conversion to DocBook XML 4.2 for - Samba 3.0 was done by Alexander Bokovoy.

diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20rc2/docs/htmldocs/manpages/tdbbackup.8.html samba-3.0.20/docs/htmldocs/manpages/tdbbackup.8.html --- samba-3.0.20rc2/docs/htmldocs/manpages/tdbbackup.8.html 2005-08-07 11:18:45.000000000 -0500 +++ samba-3.0.20/docs/htmldocs/manpages/tdbbackup.8.html 1969-12-31 18:00:00.000000000 -0600 @@ -1,36 +0,0 @@ -tdbbackup

Name

tdbbackup — tool for backing up and for validating the integrity of samba .tdb files

Synopsis

tdbbackup [-s suffix] [-v] [-h]

DESCRIPTION

This tool is part of the samba(1) suite.

tdbbackup is a tool that may be used to backup samba .tdb - files. This tool may also be used to verify the integrity of the .tdb files prior - to samba startup or during normal operation. If it finds file damage and it finds - a prior backup the backup file will be restored. -

OPTIONS

-h: - Get help information. -
-s suffix: - The -s option allows the adminisistrator to specify a file - backup extension. This way it is possible to keep a history of tdb backup - files by using a new suffix for each backup. -
-v: - The -v will check the database for damages (currupt data) - which if detected causes the backup to be restored. -

COMMANDS

GENERAL INFORMATION

- The tdbbackup utility can safely be run at any time. It was designed so - that it can be used at any time to validate the integrity of tdb files, even during Samba - operation. Typical usage for the command will be: -

tdbbackup [-s suffix] *.tdb

- Before restarting samba the following command may be run to validate .tdb files: -

tdbbackup -v [-s suffix] *.tdb

- Samba .tdb files are stored in various locations, be sure to run backup all - .tdb file on the system. Important files includes: -

- secrets.tdb - usual location is in the /usr/local/samba/private - directory, or on some systems in /etc/samba. -
- passdb.tdb - usual location is in the /usr/local/samba/private - directory, or on some systems in /etc/samba. -
- *.tdb located in the /usr/local/samba/var directory or on some - systems in the /var/cache or /var/lib/samba directories. -

VERSION

This man page is correct for version 3.0 of the Samba suite.

AUTHOR

The tdbbackup man page was written by John H Terpstra.

diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20rc2/docs/htmldocs/manpages/tdbdump.8.html samba-3.0.20/docs/htmldocs/manpages/tdbdump.8.html --- samba-3.0.20rc2/docs/htmldocs/manpages/tdbdump.8.html 2005-08-07 11:18:49.000000000 -0500 +++ samba-3.0.20/docs/htmldocs/manpages/tdbdump.8.html 1969-12-31 18:00:00.000000000 -0600 @@ -1,10 +0,0 @@ -tdbdump

Name

tdbdump — tool for printing the contents of a TDB file

Synopsis

tdbdump {filename}

DESCRIPTION

This tool is part of the samba(1) suite.

tdbdump is a very simple utility that 'dumps' the - contents of a TDB (Trivial DataBase) file to standard output in a - human-readable format. -

This tool can be used when debugging problems with TDB files. It is - intended for those who are somewhat familiar with Samba internals. -

VERSION

This man page is correct for version 3.0 of the Samba suite.

AUTHOR

The tdbdump man page was written by Jelmer Vernooij.

diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20rc2/docs/htmldocs/manpages/testparm.1.html samba-3.0.20/docs/htmldocs/manpages/testparm.1.html --- samba-3.0.20rc2/docs/htmldocs/manpages/testparm.1.html 2005-08-07 11:18:53.000000000 -0500 +++ samba-3.0.20/docs/htmldocs/manpages/testparm.1.html 1969-12-31 18:00:00.000000000 -0600 @@ -1,51 +0,0 @@ -testparm

Name

testparm — check an smb.conf configuration file for - internal correctness

Synopsis

testparm [-s] [-h] [-v] [-L <servername>] [-t <encoding>] {config filename} [hostname hostIP]

DESCRIPTION

This tool is part of the samba(7) suite.

testparm is a very simple test program - to check an smbd(8) configuration file for - internal correctness. If this program reports no problems, you - can use the configuration file with confidence that smbd - will successfully load the configuration file.

Note that this is NOT a guarantee that - the services specified in the configuration file will be - available or will operate as expected.

If the optional host name and host IP address are - specified on the command line, this test program will run through - the service entries reporting whether the specified host - has access to each service.

If testparm finds an error in the - smb.conf file it returns an exit code of 1 to the calling - program, else it returns an exit code of 0. This allows shell scripts - to test the output from testparm.

OPTIONS

-s: Without this option, testparm - will prompt for a carriage return after printing the service - names and before dumping the service definitions.
-h|--help: Print a summary of command line options. -
-V: Prints the program version number. -
-L servername: Sets the value of the %L macro to servername. - This is useful for testing include files specified with the - %L macro.
-v: If this option is specified, testparm - will also output all options that were not used in smb.conf(5) and are thus set to their defaults.
-t encoding: - Output data in specified encoding. -
configfilename: This is the name of the configuration file - to check. If this parameter is not present then the - default smb.conf(5) file will be checked. -
hostname: If this parameter and the following are - specified, then testparm will examine the hosts - allow and hosts deny - parameters in the smb.conf(5) file to - determine if the hostname with this IP address would be - allowed access to the smbd server. If - this parameter is supplied, the hostIP parameter must also - be supplied.
hostIP: This is the IP address of the host specified - in the previous parameter. This address must be supplied - if the hostname parameter is supplied.

FILES

smb.conf(5): This is usually the name of the configuration - file used by smbd(8). -

DIAGNOSTICS

The program will issue a message saying whether the - configuration file loaded OK or not. This message may be preceded by - errors and warnings if the file did not load. If the file was - loaded OK, the program then dumps all known service details - to stdout.

VERSION

This man page is correct for version 3.0 of - the Samba suite.

AUTHOR

The original Samba man pages were written by Karl Auer. - The man page sources were converted to YODL format (another - excellent piece of Open Source software, available at - ftp://ftp.icce.rug.nl/pub/unix/) and updated for the Samba 2.0 - release by Jeremy Allison. The conversion to DocBook for - Samba 2.2 was done by Gerald Carter. The conversion to DocBook XML 4.2 - for Samba 3.0 was done by Alexander Bokovoy.

diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20rc2/docs/htmldocs/manpages/testprns.1.html samba-3.0.20/docs/htmldocs/manpages/testprns.1.html --- samba-3.0.20rc2/docs/htmldocs/manpages/testprns.1.html 2005-08-07 11:18:56.000000000 -0500 +++ samba-3.0.20/docs/htmldocs/manpages/testprns.1.html 1969-12-31 18:00:00.000000000 -0600 @@ -1,38 +0,0 @@ -testprns

Name

testprns — check printer name for validity with smbd

Synopsis

testprns {printername} [printcapname]

DESCRIPTION

This tool is part of the samba(7) suite.

testprns is a very simple test program - to determine whether a given printer name is valid for use in - a service to be provided by smbd(8).

"Valid" in this context means "can be found in the - printcap specified". This program is very stupid - so stupid in - fact that it would be wisest to always specify the printcap file - to use.

OPTIONS

printername

The printer name to validate.

Printer names are taken from the first field in each - record in the printcap file, single printer names and sets - of aliases separated by vertical bars ("|") are recognized. - Note that no validation or checking of the printcap syntax is - done beyond that required to extract the printer name. It may - be that the print spooling system is more forgiving or less - forgiving than testprns. However, if - testprns finds the printer then smbd(8) should do so as well.

printcapname

This is the name of the printcap file within - which to search for the given printer name.

If no printcap name is specified testprns - will attempt to scan the printcap file name - specified at compile time.

FILES

/etc/printcap: This is usually the default printcap - file to scan. See printcap (5). -

DIAGNOSTICS

If a printer is found to be valid, the message - "Printer name <printername> is valid" will be - displayed.

If a printer is found to be invalid, the message - "Printer name <printername> is not valid" will be - displayed.

All messages that would normally be logged during - operation of the Samba daemons are logged by this program to the - file test.log in the current directory. The - program runs at debuglevel 3, so quite extensive logging - information is written. The log should be checked carefully - for errors and warnings.

Other messages are self-explanatory.

VERSION

This man page is correct for version 3.0 of - the Samba suite.

AUTHOR

The original Samba man pages were written by Karl Auer. - The man page sources were converted to YODL format (another - excellent piece of Open Source software, available at - ftp://ftp.icce.rug.nl/pub/unix/) and updated for the Samba 2.0 - release by Jeremy Allison. The conversion to DocBook for - Samba 2.2 was done by Gerald Carter. The conversion to DocBook XML 4.2 - for Samba 3.0 was done by Alexander Bokovoy.

diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20rc2/docs/htmldocs/manpages/umount.cifs.8.html samba-3.0.20/docs/htmldocs/manpages/umount.cifs.8.html --- samba-3.0.20rc2/docs/htmldocs/manpages/umount.cifs.8.html 2005-08-07 11:18:59.000000000 -0500 +++ samba-3.0.20/docs/htmldocs/manpages/umount.cifs.8.html 1969-12-31 18:00:00.000000000 -0600 @@ -1,35 +0,0 @@ -umount.cifs

Name

umount.cifs — for normal, non-root users, to unmount their own Common Internet File System (CIFS) mounts

Synopsis

umount.cifs {mount-point} [-nVvhfle]

DESCRIPTION

This tool is part of the samba(7) suite.

umount.cifs unmounts a Linux CIFS filesystem. It can be invoked -indirectly by the -umount(8) command -when umount.cifs is in /sbin directory, unless you specify the "-i" option to umount. Specifying -i to umount avoids execution of umount helpers such as umount.cifs. The umount.cifs command only works in Linux, and the kernel must -support the cifs filesystem. The CIFS protocol is the successor to the -SMB protocol and is supported by most Windows servers and many other -commercial servers and Network Attached Storage appliances as well as -by the popular Open Source server Samba. -

- The umount.cifs utility detaches the local directory mount-point from the corresponding UNC name (exported network resource) and frees the associated kernel resources. -It is possible to set the mode for umount.cifs to -setuid root (or equivalently update the /etc/permissions file) to allow non-root users to umount shares to directories for which they have write permission. The umount.cifs utility is typically -not needed if unmounts need only be performed by root users, or if user mounts and unmounts -can rely on specifying explicit entries in /etc/fstab See

fstab(5)

OPTIONS

--verbose: print additional debugging information
--no-mtab: Do not update the mtab even if unmount completes successfully (/proc/mounts will still display the correct information)

NOTES

This command is normally intended to be installed setuid (since root users can already run unmount). An alternative to using umount.cifs is to add specfic entries for the user mounts that you wish a particular user or users to mount and unmount to /etc/fstab

CONFIGURATION

BUGS

At this time umount.cifs does not lock the mount table using the same lock as the umount utility does, so do not attempt to do multiple unmounts from different processes (and in particular unmounts of a cifs mount and another type of filesystem mount at the same time). -

If the same mount point is mounted multiple times by cifs, umount.cifs will remove all of the matching entries from the mount table (although umount.cifs will actually only unmount the last one), rather than only removing the last matching entry in /etc/mtab. The pseudofile /proc/mounts will display correct information though, and the lack of an entry in /etc/mtab does not prevent subsequent unmounts.

-Note that the typical response to a bug report is a suggestion -to try the latest version first. So please try doing that first, -and always include which versions you use of relevant software -when reporting bugs (minimum: umount.cifs (try umount.cifs -V), kernel (see /proc/version) and -server type you are trying to contact. -

VERSION

This man page is correct for version 1.34 of - the cifs vfs filesystem (roughly Linux kernel 2.6.12).

AUTHOR

Steve French

The syntax was loosely based on the umount utility and the manpage was loosely based on that of mount.cifs.8. The man page was created by Steve French

The maintainer of the Linux cifs vfs and the userspace - tool umount.cifs is Steve French. - The Linux CIFS Mailing list - is the preferred place to ask questions regarding these programs. -

diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20rc2/docs/htmldocs/manpages/vfstest.1.html samba-3.0.20/docs/htmldocs/manpages/vfstest.1.html --- samba-3.0.20rc2/docs/htmldocs/manpages/vfstest.1.html 2005-08-07 11:19:04.000000000 -0500 +++ samba-3.0.20/docs/htmldocs/manpages/vfstest.1.html 1969-12-31 18:00:00.000000000 -0600 @@ -1,41 +0,0 @@ -vfstest

Name

vfstest — tool for testing samba VFS modules

Synopsis

vfstest [-d debuglevel] [-c command] [-l logdir] [-h]

DESCRIPTION

This tool is part of the samba(7) suite.

vfstest is a small command line - utility that has the ability to test dso samba VFS modules. It gives the - user the ability to call the various VFS functions manually and - supports cascaded VFS modules. -

OPTIONS

-c|--command=command

Execute the specified (colon-separated) commands. - See below for the commands that are available. -

-h|--help

Print a summary of command line options. -

-l|--logfile=logbasename

File name for log/debug files. The extension - '.client' will be appended. The log file is never removed - by the client. -

-V

Prints the program version number. -

-s <configuration file>

-d|--debug=debuglevel

debuglevel is an integer -from 0 to 10. The default value if this parameter is -not specified is zero.

Note that specifying this parameter here will -override the parameter -in the smb.conf file.

-l|--logfile=logdirectory

Base directory name for log/debug files. The extension -".progname" will be appended (e.g. log.smbclient, -log.smbd, etc...). The log file is never removed by the client. -

COMMANDS

VFS COMMANDS

load <module.so> - Load specified VFS module
populate <char> <size> - Populate a data buffer with the specified data -
showdata [<offset> <len>] - Show data currently in data buffer -
connect - VFS connect()
disconnect - VFS disconnect()
disk_free - VFS disk_free()
opendir - VFS opendir()
readdir - VFS readdir()
mkdir - VFS mkdir()
rmdir - VFS rmdir()
closedir - VFS closedir()
open - VFS open()
close - VFS close()
read - VFS read()
write - VFS write()
lseek - VFS lseek()
rename - VFS rename()
fsync - VFS fsync()
stat - VFS stat()
fstat - VFS fstat()
lstat - VFS lstat()
unlink - VFS unlink()
chmod - VFS chmod()
fchmod - VFS fchmod()
chown - VFS chown()
fchown - VFS fchown()
chdir - VFS chdir()
getwd - VFS getwd()
utime - VFS utime()
ftruncate - VFS ftruncate()
lock - VFS lock()
symlink - VFS symlink()
readlink - VFS readlink()
link - VFS link()
mknod - VFS mknod()
realpath - VFS realpath()

GENERAL COMMANDS

conf <smb.conf> - Load a different configuration file
help [<command>] - Get list of commands or info about specified command
debuglevel <level> - Set debug level
freemem - Free memory currently in use
exit - Exit vfstest

VERSION

This man page is correct for version 3.0 of the Samba - suite.

AUTHOR

The vfstest man page was written by Jelmer Vernooij.

diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20rc2/docs/htmldocs/manpages/wbinfo.1.html samba-3.0.20/docs/htmldocs/manpages/wbinfo.1.html --- samba-3.0.20rc2/docs/htmldocs/manpages/wbinfo.1.html 2005-08-07 11:19:07.000000000 -0500 +++ samba-3.0.20/docs/htmldocs/manpages/wbinfo.1.html 1969-12-31 18:00:00.000000000 -0600 @@ -1,86 +0,0 @@ -wbinfo

Name

wbinfo — Query information from winbind daemon

Synopsis

wbinfo [-a user%password] [-c username] [-C groupname] [--domain domain] [-I ip] [-s sid] [-u] [-U uid] [-g] [--get-auth-user] [-G gid] [-m] [-n name] [-N netbios-name] [-o user:group] [-O user:group] [-p] [-r user] [--set-auth-user user%password] [--sequence] [-S sid] [-t] [-x username] [-X groupname] [-Y sid]

DESCRIPTION

This tool is part of the samba(7) suite.

The wbinfo program queries and returns information - created and used by the winbindd(8) daemon.

The winbindd(8) daemon must be configured - and running for the wbinfo program to be able - to return information.

OPTIONS

-a username%password: Attempt to authenticate a user via winbindd. - This checks both authenticaion methods and reports its results. -
Note
Do not be tempted to use this - functionality for authentication in third-party - applications. Instead use ntlm_auth(1).
-c user: Create a local winbind user. -
-C group: Create a local winbindd group. -
--domain name: This parameter sets the domain on which any specified - operations will performed. If special domain name '.' is used to represent - the current domain to which winbindd belongs. Currently only the - --sequence, - -u, and -g options honor this parameter. -
-g: This option will list all groups available - in the Windows NT domain for which the samba(7) daemon is operating in. Groups in all trusted domains - will also be listed. Note that this operation does not assign - group ids to any groups that have not already been - seen by winbindd(8).
--get-auth-user: Print username and password used by winbindd - during session setup to a domain controller. Username - and password can be set using '-A'. Only available for - root.
-G gid: Try to convert a UNIX group id to a Windows - NT SID. If the gid specified does not refer to one within - the idmap gid range then the operation will fail.
-I ip: The -I option - queries winbindd(8) to send a node status - request to get the NetBIOS name associated with the IP address - specified by the ip parameter. -
-m: Produce a list of domains trusted by the - Windows NT server winbindd(8) contacts - when resolving names. This list does not include the Windows - NT domain the server is a Primary Domain Controller for. -
-n name: The -n option - queries winbindd(8) for the SID - associated with the name specified. Domain names can be specified - before the user name by using the winbind separator character. - For example CWDOM1/Administrator refers to the Administrator - user in the domain CWDOM1. If no domain is specified then the - domain used is the one specified in the smb.conf(5) workgroup - parameter.
-N name: The -N option - queries winbindd(8) to query the WINS - server for the IP address associated with the NetBIOS name - specified by the name parameter. -
-o user:group: Add a winbindd local group as a secondary group - for the specified winbindd local user. -
-O user:group: Remove a winbindd local group as a secondary group - for the specified winbindd local user. -
-p: Check whether winbindd is still alive. - Prints out either 'succeeded' or 'failed'. -
-r username: Try to obtain the list of UNIX group ids - to which the user belongs. This only works for users - defined on a Domain Controller. -
-s sid: Use -s to resolve - a SID to a name. This is the inverse of the -n - option above. SIDs must be specified as ASCII strings - in the traditional Microsoft format. For example, - S-1-5-21-1455342024-3071081365-2475485837-500.
--set-auth-user username%password: Store username and password used by winbindd - during session setup to a domain controller. This enables - winbindd to operate in a Windows 2000 domain with Restrict - Anonymous turned on (a.k.a. Permissions compatiable with - Windows 2000 servers only). -
--sequence: Show sequence numbers of - all known domains
-S sid: Convert a SID to a UNIX user id. If the SID - does not correspond to a UNIX user mapped by winbindd(8) then the operation will fail.
-t: Verify that the workstation trust account - created when the Samba server is added to the Windows NT - domain is working.
-u: This option will list all users available - in the Windows NT domain for which the winbindd(8) daemon is operating in. Users in all trusted domains - will also be listed. Note that this operation does not assign - user ids to any users that have not already been seen by winbindd(8) - .
-U uid: Try to convert a UNIX user id to a Windows NT - SID. If the uid specified does not refer to one within - the idmap uid range then the operation will fail.
-x user: Delete an existing local winbind user. -
-X group: Delete an existing local winbindd group. -
-Y sid: Convert a SID to a UNIX group id. If the SID - does not correspond to a UNIX group mapped by winbindd(8) then - the operation will fail.
-V: Prints the program version number. -
-h|--help: Print a summary of command line options. -

EXIT STATUS

The wbinfo program returns 0 if the operation - succeeded, or 1 if the operation failed. If the winbindd(8) daemon is not working wbinfo will always return - failure.

VERSION

This man page is correct for version 3.0 of - the Samba suite.

AUTHOR

wbinfo and winbindd - were written by Tim Potter.

The conversion to DocBook for Samba 2.2 was done - by Gerald Carter. The conversion to DocBook XML 4.2 for Samba - 3.0 was done by Alexander Bokovoy.

diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20rc2/docs/htmldocs/manpages/winbindd.8.html samba-3.0.20/docs/htmldocs/manpages/winbindd.8.html --- samba-3.0.20rc2/docs/htmldocs/manpages/winbindd.8.html 2005-08-07 11:19:12.000000000 -0500 +++ samba-3.0.20/docs/htmldocs/manpages/winbindd.8.html 1969-12-31 18:00:00.000000000 -0600 @@ -1,229 +0,0 @@ -winbindd

Name

winbindd — Name Service Switch daemon for resolving names - from NT servers

Synopsis

winbindd [-F] [-S] [-i] [-Y] [-d <debug level>] [-s <smb config file>] [-n]

DESCRIPTION

This program is part of the samba(7) suite.

winbindd is a daemon that provides - a number of services to the Name Service Switch capability found - in most modern C libraries, to arbitary applications via PAM - and ntlm_auth and to Samba itself.

Even if winbind is not used for nsswitch, it still provides a - service to smbd, ntlm_auth - and the pam_winbind.so PAM module, by managing connections to - domain controllers. In this configuraiton the - idmap uid and - idmap gid - parameters are not required. (This is known as `netlogon proxy only mode'.)

The Name Service Switch allows user - and system information to be obtained from different databases - services such as NIS or DNS. The exact behaviour can be configured - throught the /etc/nsswitch.conf file. - Users and groups are allocated as they are resolved to a range - of user and group ids specified by the administrator of the - Samba system.

The service provided by winbindd is called `winbind' and - can be used to resolve user and group information from a - Windows NT server. The service can also provide authentication - services via an associated PAM module.

- The pam_winbind module supports the - auth, account - and password - module-types. It should be noted that the - account module simply performs a getpwnam() to verify that - the system can obtain a uid for the user, as the domain - controller has already performed access control. If the - libnss_winbind library has been correctly - installed, or an alternate source of names configured, this should always succeed. -

The following nsswitch databases are implemented by - the winbindd service:

hosts: This feature is only available on IRIX. - User information traditionally stored in - the hosts(5) file and used by - gethostbyname(3) functions. Names are - resolved through the WINS server or by broadcast. -
passwd: User information traditionally stored in - the passwd(5) file and used by - getpwent(3) functions.
group: Group information traditionally stored in - the group(5) file and used by - getgrent(3) functions.

For example, the following simple configuration in the - /etc/nsswitch.conf file can be used to initially - resolve user and group information from /etc/passwd - and /etc/group and then from the - Windows NT server. -

-passwd:         files winbind
-group:          files winbind
-## only available on IRIX; Linux users should us libnss_wins.so
-hosts:          files dns winbind
-

The following simple configuration in the - /etc/nsswitch.conf file can be used to initially - resolve hostnames from /etc/hosts and then from the - WINS server.

-hosts:		files wins
-

OPTIONS

-F

If specified, this parameter causes - the main winbindd process to not daemonize, - i.e. double-fork and disassociate with the terminal. - Child processes are still created as normal to service - each connection request, but the main process does not - exit. This operation mode is suitable for running - winbindd under process supervisors such - as supervise and svscan - from Daniel J. Bernstein's daemontools - package, or the AIX process monitor. -

-S

If specified, this parameter causes - winbindd to log to standard output rather - than a file.

-V

Prints the program version number. -

-s <configuration file>

-d|--debug=debuglevel

debuglevel is an integer -from 0 to 10. The default value if this parameter is -not specified is zero.

Note that specifying this parameter here will -override the parameter -in the smb.conf file.

-l|--logfile=logdirectory

Base directory name for log/debug files. The extension -".progname" will be appended (e.g. log.smbclient, -log.smbd, etc...). The log file is never removed by the client. -

-h|--help

Print a summary of command line options. -

-i

Tells winbindd to not - become a daemon and detach from the current terminal. This - option is used by developers when interactive debugging - of winbindd is required. - winbindd also logs to standard output, - as if the -S parameter had been given. -

-n

Disable caching. This means winbindd will - always have to wait for a response from the domain controller - before it can respond to a client and this thus makes things - slower. The results will however be more accurate, since - results from the cache might not be up-to-date. This - might also temporarily hang winbindd if the DC doesn't respond. -

-Y

Single daemon mode. This means winbindd will run - as a single process (the mode of operation in Samba 2.2). Winbindd's - default behavior is to launch a child process that is responsible for - updating expired cache entries. -

NAME AND ID RESOLUTION

Users and groups on a Windows NT server are assigned - a security id (SID) which is globally unique when the - user or group is created. To convert the Windows NT user or group - into a unix user or group, a mapping between SIDs and unix user - and group ids is required. This is one of the jobs that - winbindd performs.

As winbindd users and groups are resolved from a server, user - and group ids are allocated from a specified range. This - is done on a first come, first served basis, although all existing - users and groups will be mapped as soon as a client performs a user - or group enumeration command. The allocated unix ids are stored - in a database file under the Samba lock directory and will be - remembered.

WARNING: The SID to unix id database is the only location - where the user and group mappings are stored by winbindd. If this - file is deleted or corrupted, there is no way for winbindd to - determine which user and group ids correspond to Windows NT user - and group rids.

See the parameter in - smb.conf for options for sharing this - database, such as via LDAP.

CONFIGURATION

Configuration of the winbindd daemon - is done through configuration parameters in the smb.conf(5) file. All parameters should be specified in the - [global] section of smb.conf.

- winbind separator
- idmap uid
- idmap gid
- idmap backend
- winbind cache time
- winbind enum users
- winbind enum groups
- template homedir
- template shell
- winbind use default domain

EXAMPLE SETUP

- To setup winbindd for user and group lookups plus - authentication from a domain controller use something like the - following setup. This was tested on an early Red Hat Linux box. -

In /etc/nsswitch.conf put the - following: -

-passwd: files winbind
-group:  files winbind
-

In /etc/pam.d/* replace the - auth lines with something like this: -

-auth  required    /lib/security/pam_securetty.so
-auth  required	  /lib/security/pam_nologin.so
-auth  sufficient  /lib/security/pam_winbind.so
-auth  required    /lib/security/pam_pwdb.so \
-                  use_first_pass shadow nullok
-

Note in particular the use of the sufficient - keyword and the use_first_pass keyword.

Now replace the account lines with this:

account required /lib/security/pam_winbind.so -

The next step is to join the domain. To do that use the - net program like this:

net join -S PDC -U Administrator

The username after the -U can be any - Domain user that has administrator privileges on the machine. - Substitute the name or IP of your PDC for "PDC".

Next copy libnss_winbind.so to - /lib and pam_winbind.so - to /lib/security. A symbolic link needs to be - made from /lib/libnss_winbind.so to - /lib/libnss_winbind.so.2. If you are using an - older version of glibc then the target of the link should be - /lib/libnss_winbind.so.1.

Finally, setup a smb.conf(5) containing directives like the - following: -

-[global]
-	winbind separator = +
-        winbind cache time = 10
-        template shell = /bin/bash
-        template homedir = /home/%D/%U
-        idmap uid = 10000-20000
-        idmap gid = 10000-20000
-        workgroup = DOMAIN
-        security = domain
-        password server = *
-

Now start winbindd and you should find that your user and - group database is expanded to include your NT users and groups, - and that you can login to your unix box as a domain user, using - the DOMAIN+user syntax for the username. You may wish to use the - commands getent passwd and getent group - to confirm the correct operation of winbindd.

NOTES

The following notes are useful when configuring and - running winbindd:

nmbd(8) must be running on the local machine - for winbindd to work.

PAM is really easy to misconfigure. Make sure you know what - you are doing when modifying PAM configuration files. It is possible - to set up PAM such that you can no longer log into your system.

If more than one UNIX machine is running winbindd, - then in general the user and groups ids allocated by winbindd will not - be the same. The user and group ids will only be valid for the local - machine, unless a shared is configured.

If the the Windows NT SID to UNIX user and group id mapping - file is damaged or destroyed then the mappings will be lost.

SIGNALS

The following signals can be used to manipulate the - winbindd daemon.

SIGHUP

Reload the smb.conf(5) file and - apply any parameter changes to the running - version of winbindd. This signal also clears any cached - user and group information. The list of other domains trusted - by winbindd is also reloaded.

SIGUSR2

The SIGUSR2 signal will cause - winbindd to write status information to the winbind - log file.

Log files are stored in the filename specified by the - log file parameter.

FILES

/etc/nsswitch.conf(5): Name service switch configuration file.
/tmp/.winbindd/pipe: The UNIX pipe over which clients communicate with - the winbindd program. For security reasons, the - winbind client will only attempt to connect to the winbindd daemon - if both the /tmp/.winbindd directory - and /tmp/.winbindd/pipe file are owned by - root.
$LOCKDIR/winbindd_privileged/pipe: The UNIX pipe over which 'privileged' clients - communicate with the winbindd program. For security - reasons, access to some winbindd functions - like those needed by - the ntlm_auth utility - is restricted. By default, - only users in the 'root' group will get this access, however the administrator - may change the group permissions on $LOCKDIR/winbindd_privileged to allow - programs like 'squid' to use ntlm_auth. - Note that the winbind client will only attempt to connect to the winbindd daemon - if both the $LOCKDIR/winbindd_privileged directory - and $LOCKDIR/winbindd_privileged/pipe file are owned by - root.
/lib/libnss_winbind.so.X: Implementation of name service switch library. -
$LOCKDIR/winbindd_idmap.tdb: Storage for the Windows NT rid to UNIX user/group - id mapping. The lock directory is specified when Samba is initially - compiled using the --with-lockdir option. - This directory is by default /usr/local/samba/var/locks -.
$LOCKDIR/winbindd_cache.tdb: Storage for cached user and group information. -

VERSION

This man page is correct for version 3.0 of - the Samba suite.

AUTHOR

wbinfo and winbindd were - written by Tim Potter.

The conversion to DocBook for Samba 2.2 was done - by Gerald Carter. The conversion to DocBook XML 4.2 for - Samba 3.0 was done by Alexander Bokovoy.

diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20rc2/docs/htmldocs/manpages-3/editreg.1.html samba-3.0.20/docs/htmldocs/manpages-3/editreg.1.html --- samba-3.0.20rc2/docs/htmldocs/manpages-3/editreg.1.html 1969-12-31 18:00:00.000000000 -0600 +++ samba-3.0.20/docs/htmldocs/manpages-3/editreg.1.html 2005-08-19 12:55:08.000000000 -0500 @@ -0,0 +1,12 @@ +editreg

Name

editreg — A utility for printing and editing NT4 registry files +

Synopsis

editreg [-v] [-c file] {file}

DESCRIPTION

This tool is part of the samba(7) suite.

editreg is a utility that + can visualize windows registry files (currently only NT4) and apply + so-called commandfiles to them. +

OPTIONS

registry_file: Registry file to view or edit.
-v,--verbose: Increases verbosity of messages. +
-c commandfile: Read commands to execute on registry_file from commandfile. Currently not yet supported! +
-h|--help: Print a summary of command line options. +

VERSION

This man page is correct for version 3.0 of the Samba + suite.

AUTHOR

The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed.

The editreg man page was written by Jelmer Vernooij.

diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20rc2/docs/htmldocs/manpages-3/findsmb.1.html samba-3.0.20/docs/htmldocs/manpages-3/findsmb.1.html --- samba-3.0.20rc2/docs/htmldocs/manpages-3/findsmb.1.html 1969-12-31 18:00:00.000000000 -0600 +++ samba-3.0.20/docs/htmldocs/manpages-3/findsmb.1.html 2005-08-19 12:55:12.000000000 -0500 @@ -0,0 +1,62 @@ +findsmb

Name

findsmb — list info about machines that respond to SMB + name queries on a subnet

Synopsis

findsmb [subnet broadcast address]

DESCRIPTION

This perl script is part of the samba(7) + suite.

findsmb is a perl script that + prints out several pieces of information about machines + on a subnet that respond to SMB name query requests. + It uses nmblookup(1) + and smbclient(1) + to obtain this information. +

OPTIONS

-r: Controls whether findsmb takes + bugs in Windows95 into account when trying to find a Netbios name + registered of the remote machine. This option is disabled by default + because it is specific to Windows 95 and Windows 95 machines only. + If set, nmblookup(1) + will be called with -B option.
subnet broadcast address: Without this option, findsmb + will probe the subnet of the machine where + findsmb(1) + is run. This value is passed to + nmblookup(1) + as part of the -B option.

EXAMPLES

The output of findsmb lists the following + information for all machines that respond to the initial + nmblookup for any name: IP address, NetBIOS name, + Workgroup name, operating system, and SMB server version.

There will be a '+' in front of the workgroup name for + machines that are local master browsers for that workgroup. There + will be an '*' in front of the workgroup name for + machines that are the domain master browser for that workgroup. + Machines that are running Windows for Workgroups, Windows 95 or + Windows 98 will + not show any information about the operating system or server + version.

The command with -r option + must be run on a system without nmbd(8) running. + + If nmbd is running on the system, you will + only get the IP address and the DNS name of the machine. To + get proper responses from Windows 95 and Windows 98 machines, + the command must be run as root and with -r + option on a machine without nmbd running.

For example, running findsmb + without -r option set would yield output similar + to the following

+IP ADDR         NETBIOS NAME   WORKGROUP/OS/VERSION 
+--------------------------------------------------------------------- 
+192.168.35.10   MINESET-TEST1  [DMVENGR]
+192.168.35.55   LINUXBOX      *[MYGROUP] [Unix] [Samba 2.0.6]
+192.168.35.56   HERBNT2        [HERB-NT]
+192.168.35.63   GANDALF        [MVENGR] [Unix] [Samba 2.0.5a for IRIX]
+192.168.35.65   SAUNA          [WORKGROUP] [Unix] [Samba 1.9.18p10]
+192.168.35.71   FROGSTAR       [ENGR] [Unix] [Samba 2.0.0 for IRIX]
+192.168.35.78   HERBDHCP1     +[HERB]
+192.168.35.88   SCNT2         +[MVENGR] [Windows NT 4.0] [NT LAN Manager 4.0]
+192.168.35.93   FROGSTAR-PC    [MVENGR] [Windows 5.0] [Windows 2000 LAN Manager]
+192.168.35.97   HERBNT1       *[HERB-NT] [Windows NT 4.0] [NT LAN Manager 4.0]
+

VERSION

This man page is correct for version 3.0 of + the Samba suite.

AUTHOR

The original Samba man pages were written by Karl Auer. + The man page sources were converted to YODL format (another + excellent piece of Open Source software, available at ftp://ftp.icce.rug.nl/pub/unix/) + and updated for the Samba 2.0 release by Jeremy Allison. The conversion to DocBook for + Samba 2.2 was done by Gerald Carter. The conversion to DocBook + XML 4.2 for Samba 3.0 was done by Alexander Bokovoy.

diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20rc2/docs/htmldocs/manpages-3/index.html samba-3.0.20/docs/htmldocs/manpages-3/index.html --- samba-3.0.20rc2/docs/htmldocs/manpages-3/index.html 1969-12-31 18:00:00.000000000 -0600 +++ samba-3.0.20/docs/htmldocs/manpages-3/index.html 2005-08-19 12:58:05.000000000 -0500 @@ -0,0 +1,57 @@ +

editreg(1): A utility for printing and editing NT4 registry files + +
findsmb(1): list info about machines that respond to SMB + name queries on a subnet +
libsmbclient(8): An extension library for browsers and that can be used as a generic browsing API. +
lmhosts(5): The Samba NetBIOS hosts file +
log2pcap(1): Extract network traces from Samba log files +
mount.cifs(8): mount using the Common Internet File System (CIFS) +
net(8): Tool for administration of Samba and remote + CIFS servers. + +
nmbd(8): NetBIOS name server to provide NetBIOS + over IP naming services to clients +
nmblookup(1): NetBIOS over TCP/IP client used to lookup NetBIOS + names +
ntlm_auth(1): tool to allow external access to Winbind's NTLM authentication function +
pam_winbind(8): PAM module for Winbind +
pdbedit(8): manage the SAM database (Database of Samba Users) +
profiles(1): A utility to report and change SIDs in registry files + +
rpcclient(1): tool for executing client side + MS-RPC functions +
samba(7): A Windows SMB/CIFS fileserver for UNIX +
smb.conf(5): The configuration file for the Samba suite +
smbcacls(1): Set or get ACLs on an NT file or directory names +
smbclient(1): ftp-like client to access SMB/CIFS resources + on servers +
smbcontrol(1): send messages to smbd, nmbd or winbindd processes +
smbcquotas(1): Set or get QUOTAs of NTFS 5 shares +
smbd(8): server to provide SMB/CIFS services to clients +
smbget(1): wget-like utility for download files over SMB +
smbgetrc(5): configuration file for smbget +
smbmnt(8): helper utility for mounting SMB filesystems +
smbmount(8): mount an smbfs filesystem +
smbpasswd(5): The Samba encrypted password file +
smbpasswd(8): change a user's SMB password +
smbsh(1): Allows access to remote SMB shares + using UNIX commands +
smbspool(8): send a print file to an SMB printer +
smbstatus(1): report on current Samba connections +
smbtar(1): shell script for backing up SMB/CIFS shares + directly to UNIX tape drives +
smbtree(1): A text based smb network browser + +
smbumount(8): smbfs umount for normal users +
swat(8): Samba Web Administration Tool +
tdbbackup(8): tool for backing up and for validating the integrity of samba .tdb files +
tdbdump(8): tool for printing the contents of a TDB file +
testparm(1): check an smb.conf configuration file for + internal correctness +
testprns(1): check printer name for validity with smbd +
umount.cifs(8): for normal, non-root users, to unmount their own Common Internet File System (CIFS) mounts +
vfstest(1): tool for testing samba VFS modules +
wbinfo(1): Query information from winbind daemon +
winbindd(8): Name Service Switch daemon for resolving names + from NT servers +

diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20rc2/docs/htmldocs/manpages-3/libsmbclient.8.html samba-3.0.20/docs/htmldocs/manpages-3/libsmbclient.8.html --- samba-3.0.20rc2/docs/htmldocs/manpages-3/libsmbclient.8.html 1969-12-31 18:00:00.000000000 -0600 +++ samba-3.0.20/docs/htmldocs/manpages-3/libsmbclient.8.html 2005-08-19 12:55:15.000000000 -0500 @@ -0,0 +1,59 @@ +libsmbclient

Name

libsmbclient — An extension library for browsers and that can be used as a generic browsing API.

Synopsis

Browser URL:

+ smb://[[[domain:]user[:password@]]server[/share[/path[/file]]]] [?options] +

DESCRIPTION

+ This tool is part of the samba(8) suite. +

+ libsmbclient is a library toolset that permits applications + to manipulate CIFS/SMB network resources using many of the standards POSIX functions + available for manipulating local UNIX/Linux files. It permits much more than just browsing, + files can be opened and read or written, permissions changed, file times modified, attributes + and ACL's can be manipulated, and so on. Of course, its functionality includes all the + capabilities commonly called browsing. +

+ libsmbclient can not be used directly from the command line, instead + it provides an extension of the capabilities of tools such as file managers and browsers. + This man page describes the configuration options for this tool so that the user may + obtain greatest utility of use. +

OPTIONS

+ What the URLs mean: +

smb://

+ Shows all workgroups or domains that are visible in the network. The behavior matches + that of the Microsoft Windows Explorer. +

+ The method of locating the list of workgroups (domains also) varies depending on the setting of + the context variable (context->options.browse_max_lmb_count). It is the + responsibility of the application that calls this library to set this to a sensible value. This + is a compile-time option. This value determines the maximum number of local master browsers to + query for the list of workgroups. In order to ensure that the list is complete for those present + on the network, all master browsers must be querried. If there are a large number of workgroups + on the network, the time spent querying will be significant. For small networks (just a few + workgroups), it is suggested to set this value to 0, instructing libsmbclient to query all local + master browsers. In an environment that has many workgroups a more reasonable setting may be around 3. +

smb://name/

+ This command causes libsmbclient to perform a name look-up. If the NAME<1D> or + NAME<1B> exists (workgroup name), libsmbclient will list all servers in the + workgroup (or domain). Otherwise, a name look-up for the NAME<20> (machine name) + will be performed, and the list of shared resources on the server will be displayed. +

+ When libsmbclient is invoked by an application it searches for a directory called + .smb in the $HOME directory that is specified in the users shell + environment. It then searches for a file called smb.conf which, + if present, will fully over-ride the system /etc/samba/smb.conf file. If + instead libsmbclient finds a file called ~/.smb/smb.conf.append, + it will read the system /etc/samba/smb.conf and then append the + contents of the ~/.smb/smb.conf.append to it. +

+ libsmbclient will check the users shell environment for the USER + parameter and will use its value when if the user parameter was not included + in the URL. +

PROGRAMMERS GUIDE

+ Watch this space for future updates. +

VERSION

+ This man page is correct for version 3.0 of the Samba suite. +

AUTHOR

+ The original Samba software and related utilities were created by Andrew Tridgell. + Samba is now developed by the Samba Team as an Open Source project similar to the way + the Linux kernel is developed. +

+ The libsmbclient manpage page was written by John H Terpstra. +

diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20rc2/docs/htmldocs/manpages-3/lmhosts.5.html samba-3.0.20/docs/htmldocs/manpages-3/lmhosts.5.html --- samba-3.0.20rc2/docs/htmldocs/manpages-3/lmhosts.5.html 1969-12-31 18:00:00.000000000 -0600 +++ samba-3.0.20/docs/htmldocs/manpages-3/lmhosts.5.html 2005-08-19 12:55:19.000000000 -0500 @@ -0,0 +1,39 @@ +lmhosts

Name

lmhosts — The Samba NetBIOS hosts file

Synopsis

lmhosts is the samba(7) NetBIOS name to IP address mapping file.

DESCRIPTION

This file is part of the samba(7) suite.

lmhosts is the Samba + NetBIOS name to IP address mapping file. It + is very similar to the /etc/hosts file + format, except that the hostname component must correspond + to the NetBIOS naming format.

FILE FORMAT

It is an ASCII file containing one line for NetBIOS name. + The two fields on each line are separated from each other by + white space. Any entry beginning with '#' is ignored. Each line + in the lmhosts file contains the following information:

IP Address - in dotted decimal format.
NetBIOS Name - This name format is a + maximum fifteen character host name, with an optional + trailing '#' character followed by the NetBIOS name type + as two hexadecimal digits.
If the trailing '#' is omitted then the given IP + address will be returned for all names that match the given + name, whatever the NetBIOS name type in the lookup.

An example follows:

+#
+# Sample Samba lmhosts file.
+#
+192.9.200.1	TESTPC
+192.9.200.20	NTSERVER#20
+192.9.200.21	SAMBASERVER
+

Contains three IP to NetBIOS name mappings. The first + and third will be returned for any queries for the names "TESTPC" + and "SAMBASERVER" respectively, whatever the type component of + the NetBIOS name requested.

The second mapping will be returned only when the "0x20" name + type for a name "NTSERVER" is queried. Any other name type will not + be resolved.

The default location of the lmhosts file + is in the same directory as the smb.conf(5) file.

FILES

lmhosts is loaded from the configuration directory. This is + usually /etc/samba or /usr/local/samba/lib. +

VERSION

This man page is correct for version 3.0 of the Samba suite.

AUTHOR

The original Samba man pages were written by Karl Auer. + The man page sources were converted to YODL format (another + excellent piece of Open Source software, available at + + ftp://ftp.icce.rug.nl/pub/unix/) and updated for the Samba 2.0 + release by Jeremy Allison. The conversion to DocBook for + Samba 2.2 was done by Gerald Carter. The conversion to DocBook + XML 4.2 was done by Alexander Bokovoy.

diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20rc2/docs/htmldocs/manpages-3/log2pcap.1.html samba-3.0.20/docs/htmldocs/manpages-3/log2pcap.1.html --- samba-3.0.20rc2/docs/htmldocs/manpages-3/log2pcap.1.html 1969-12-31 18:00:00.000000000 -0600 +++ samba-3.0.20/docs/htmldocs/manpages-3/log2pcap.1.html 2005-08-19 12:55:23.000000000 -0500 @@ -0,0 +1,29 @@ +log2pcap

Name

log2pcap — Extract network traces from Samba log files

Synopsis

log2pcap [-h] [-q] [logfile] [pcap_file]

DESCRIPTION

This tool is part of the samba(7) suite.

log2pcap reads in a + samba log file and generates a pcap file (readable + by most sniffers, such as ethereal or tcpdump) based on the packet + dumps in the log file.

The log file must have a log level + of at least 5 to get the SMB header/parameters + right, 10 to get the first 512 data bytes of the + packet and 50 to get the whole packet. +

OPTIONS

-h: If this parameter is + specified the output file will be a + hex dump, in a format that is readable + by the text2pcap utility.
-q: Be quiet. No warning messages about missing + or incomplete data will be given.
logfile: + Samba log file. log2pcap will try to read the log from stdin + if the log file is not specified. +
pcap_file: + Name of the output file to write the pcap (or hexdump) data to. + If this argument is not specified, output data will be written + to stdout. +
-h|--help: Print a summary of command line options. +

EXAMPLES

Extract all network traffic from all samba log files:

+			$ log2pcap < /var/log/* > trace.pcap
+

Convert to pcap using text2pcap:

+	$ log2pcap -h samba.log | text2pcap -T 139,139 - trace.pcap
+

VERSION

This man page is correct for version 3.0 of the Samba suite.

BUGS

Only SMB data is extracted from the samba logs, no LDAP, + NetBIOS lookup or other data.

The generated TCP and IP headers don't contain a valid + checksum.

AUTHOR

This manpage was written by Jelmer Vernooij.

diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20rc2/docs/htmldocs/manpages-3/mount.cifs.8.html samba-3.0.20/docs/htmldocs/manpages-3/mount.cifs.8.html --- samba-3.0.20rc2/docs/htmldocs/manpages-3/mount.cifs.8.html 1969-12-31 18:00:00.000000000 -0600 +++ samba-3.0.20/docs/htmldocs/manpages-3/mount.cifs.8.html 2005-08-19 12:55:26.000000000 -0500 @@ -0,0 +1,174 @@ +mount.cifs

Name

mount.cifs — mount using the Common Internet File System (CIFS)

Synopsis

mount.cifs {service} {mount-point} [-o options]

DESCRIPTION

This tool is part of the samba(7) suite.

mount.cifs mounts a Linux CIFS filesystem. It +is usually invoked indirectly by +the mount(8) command when using the +"-t cifs" option. This command only works in Linux, and the kernel must +support the cifs filesystem. The CIFS protocol is the successor to the +SMB protocol and is supported by most Windows servers and many other +commercial servers and Network Attached Storage appliances as well as +by the popular Open Source server Samba. +

+ The mount.cifs utility attaches the UNC name (exported network resource) to + the local directory mount-point. It is possible to set the mode for mount.cifs to +setuid root to allow non-root users to mount shares to directories for which they +have write permission. +

+ Options to mount.cifs are specified as a comma-separated +list of key=value pairs. It is possible to send options other +than those listed here, assuming that the cifs filesystem kernel module (cifs.ko) supports them. +Unrecognized cifs mount options passed to the cifs vfs kernel code will be logged to the +kernel log. + +

mount.cifs causes the cifs vfs to launch a thread named cifsd. After mounting it keeps running until + the mounted resource is unmounted (usually via the umount utility). +

OPTIONS

user=arg

specifies the username to connect as. If + this is not given, then the environment variable USER is used. This option can also take the +form "user%password" or "workgroup/user" or +"workgroup/user%password" to allow the password and workgroup +to be specified as part of the username. +

Note

+ The cifs vfs accepts the parameter user=, or for users familiar with smbfs it accepts the longer form of the parameter username=. Similarly the longer smbfs style parameter names may be accepted as synonyms for the shorter cifs parameters pass=,dom= and cred=. +

password=arg

specifies the CIFS password. If this +option is not given then the environment variable +PASSWD is used. If the password is not specified +directly or indirectly via an argument to mount mount.cifs will prompt +for a password, unless the guest option is specified. +

Note that a password which contains the delimiter +character (i.e. a comma ',') will fail to be parsed correctly +on the command line. However, the same password defined +in the PASSWD environment variable or via a credentials file (see +below) or entered at the password prompt will be read correctly. +

credentials=filename

+ specifies a file that contains a username + and/or password. The format of the file is: +

+		username=value
+		password=value
+

+This is preferred over having passwords in plaintext in a +shared file, such as /etc/fstab. Be sure to protect any +credentials file properly. +

uid=arg

sets the uid that will own all files on + the mounted filesystem. + It may be specified as either a username or a numeric uid. + This parameter is ignored when the target server supports + the CIFS Unix extensions.

gid=arg

sets the gid that will own all files on +the mounted filesystem. +It may be specified as either a groupname or a numeric +gid. This parameter is ignored when the target server supports +the CIFS Unix extensions. +

port=arg

sets the port number on the server to attempt to contact to negotiate +CIFS support. If the CIFS server is not listening on this port or +if it is not specified, the default ports will be tried i.e. +port 445 is tried and if no response then port 139 is tried. +

netbiosname=arg

When mounting to servers via port 139, specifies the RFC1001 + source name to use to represent the client netbios machine + name when doing the RFC1001 netbios session initialize. +

file_mode=arg

If the server does not support the CIFS Unix extensions this + overrides the default file mode.

dir_mode=arg

If the server does not support the CIFS Unix extensions this + overrides the default mode for directories.

ip=arg

sets the destination host or IP address.

domain=arg

sets the domain (workgroup) of the user

guest

don't prompt for a password

iocharset

Charset used to convert local path names to and from + Unicode. Unicode is used by default for network path + names if the server supports it. If iocharset is + not specified then the nls_default specified + during the local client kernel build will be used. + If server does not support Unicode, this parameter is + unused.

ro

mount read-only

rw

mount read-write

setuids

If the CIFS Unix extensions are negotiated with the server + the client will attempt to set the effective uid and gid of + the local process on newly created files, directories, and + devices (create, mkdir, mknod).

nosetuids

The client will not attempt to set the uid and gid on + on newly created files, directories, and devices (create, + mkdir, mknod) which will result in the server setting the + uid and gid to the default (usually the server uid of the + user who mounted the share). Letting the server (rather than + the client) set the uid and gid is the default. This + parameter has no effect if the CIFS Unix Extensions are not + negotiated.

perm

Client does permission checks (vfs_permission check of uid + and gid of the file against the mode and desired operation), + Note that this is in addition to the normal ACL check on the + target machine done by the server software. + Client permission checking is enabled by default.

noperm

Client does not do permission checks. This can expose + files on this mount to access by other users on the local + client system. It is typically only needed when the server + supports the CIFS Unix Extensions but the UIDs/GIDs on the + client and server system do not match closely enough to allow + access by the user doing the mount. + Note that this does not affect the normal ACL check on the + target machine done by the server software (of the server + ACL against the user name provided at mount time).

directio

Do not do inode data caching on files opened on this mount. + This precludes mmaping files on this mount. In some cases + with fast networks and little or no caching benefits on the + client (e.g. when the application is doing large sequential + reads bigger than page size without rereading the same data) + this can provide better performance than the default + behavior which caches reads (readahead) and writes + (writebehind) through the local Linux client pagecache + if oplock (caching token) is granted and held. Note that + direct allows write operations larger than page size + to be sent to the server. On some kernels this requires the cifs.ko module + to be built with the CIFS_EXPERIMENTAL configure option.

mapchars

Translate six of the seven reserved characters (not backslash, but including the colon, question mark, pipe, asterik, greater than and less than characters) + to the remap range (above 0xF000), which also + allows the CIFS client to recognize files created with + such characters by Windows's POSIX emulation. This can + also be useful when mounting to most versions of Samba + (which also forbids creating and opening files + whose names contain any of these seven characters). + This has no effect if the server does not support + Unicode on the wire.

nomapchars

Do not translate any of these seven characters (default)

intr

currently unimplemented

nointr

(default) currently unimplemented

hard

The program accessing a file on the cifs mounted file system will hang when the + server crashes.

soft

(default) The program accessing a file on the cifs mounted file system will not hang when the server crashes and will return errors to the user application.

--verbose

Print additional debugging information for the mount. Note that this parameter must be specified before the -o. For example:

mount -t cifs //server/share /mnt --verbose -o user=username

noacl

Do not allow POSIX ACL operations even if server would support them.

+ The CIFS client can get and set POSIX ACLs (getfacl, setfacl) to Samba servers + version 3.10 and later. Setting POSIX ACLs requires enabling both XATTR and + then POSIX support in the CIFS configuration options when building the cifs + module. POSIX ACL support can be disabled on a per mount basic by specifying + "noacl" on mount.

serverino

Use inode numbers (unique persistent file identifiers) + returned by the server instead of automatically generating + temporary inode numbers on the client. Although server inode numbers + make it easier to spot hardlinked files (as they will have + the same inode numbers) and inode numbers may be persistent (which is + userful for some sofware), + the server does not guarantee that the inode numbers + are unique if multiple server side mounts are exported under a + single share (since inode numbers on the servers might not + be unique if multiple filesystems are mounted under the same + shared higher level directory). Note that not all + servers support returning server inode numbers, although + those that support the CIFS Unix Extensions, and Windows 2000 and + later servers typically do support this (although not necessarily + on every local server filesystem). Parameter has no effect if + the server lacks support for returning inode numbers or equivalent. +

noserverino

client generates inode numbers (rather than using the actual one + from the server) by default. +

nouser_xattr

(default) Do not allow getfattr/setfattr to get/set xattrs, even if server would support it otherwise.

rsize=arg

default network read size

wsize=arg

default network write size

ENVIRONMENT VARIABLES

+ The variable USER may contain the username of the +person to be used to authenticate to the server. +The variable can be used to set both username and +password by using the format username%password. +

+ The variable PASSWD may contain the password of the +person using the client. +

+ The variable PASSWD_FILE may contain the pathname +of a file to read the password from. A single line of input is +read and used as the password. +

NOTES

This command may be used only by root, unless installed setuid, in which case the noeexec and nosuid mount flags are enabled.

CONFIGURATION

+The primary mechanism for making configuration changes and for reading +debug information for the cifs vfs is via the Linux /proc filesystem. +In the directory /proc/fs/cifs are various +configuration files and pseudo files which can display debug information. +For more information see the kernel file fs/cifs/README. +

BUGS

Mounting using the CIFS URL specification is currently not supported. +

The credentials file does not handle usernames or passwords with + leading space.

+Note that the typical response to a bug report is a suggestion +to try the latest version first. So please try doing that first, +and always include which versions you use of relevant software +when reporting bugs (minimum: mount.cifs (try mount.cifs -V), kernel (see /proc/version) and +server type you are trying to contact. +

VERSION

This man page is correct for version 1.34 of + the cifs vfs filesystem (roughly Linux kernel 2.6.12).

AUTHOR

Steve French

The syntax and manpage were loosely based on that of smbmount. It + was converted to Docbook/XML by Jelmer Vernooij.

The maintainer of the Linux cifs vfs and the userspace + tool mount.cifs is Steve French. + The Linux CIFS Mailing list + is the preferred place to ask questions regarding these programs. +

diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20rc2/docs/htmldocs/manpages-3/net.8.html samba-3.0.20/docs/htmldocs/manpages-3/net.8.html --- samba-3.0.20rc2/docs/htmldocs/manpages-3/net.8.html 1969-12-31 18:00:00.000000000 -0600 +++ samba-3.0.20/docs/htmldocs/manpages-3/net.8.html 2005-08-19 12:55:30.000000000 -0500 @@ -0,0 +1,166 @@ +net

Name

net — Tool for administration of Samba and remote + CIFS servers. +

Synopsis

net {<ads|rap|rpc>} [-h] [-w workgroup] [-W myworkgroup] [-U user] [-I ip-address] [-p port] [-n myname] [-s conffile] [-S server] [-l] [-P] [-D debuglevel]

DESCRIPTION

This tool is part of the samba(7) suite.

The samba net utility is meant to work just like the net utility + available for windows and DOS. The first argument should be used + to specify the protocol to use when executing a certain command. + ADS is used for ActiveDirectory, RAP is using for old (Win9x/NT3) + clients and RPC can be used for NT4 and Windows 2000. If this + argument is omitted, net will try to determine it automatically. + Not all commands are available on all protocols. +

OPTIONS

-h|--help

Print a summary of command line options. +

-w target-workgroup

+ Sets target workgroup or domain. You have to specify + either this option or the IP address or the name of a server. +

-W workgroup

+ Sets client workgroup or domain +

-U user

+ User name to use +

-I ip-address

+ IP address of target server to use. You have to + specify either this option or a target workgroup or + a target server. +

-p port

+ Port on the target server to connect to (usually 139 or 445). + Defaults to trying 445 first, then 139. +

-n <primary NetBIOS name>

This option allows you to override +the NetBIOS name that Samba uses for itself. This is identical +to setting the parameter in the smb.conf file. +However, a command +line setting will take precedence over settings in +smb.conf.

-s <configuration file>

The file specified contains the +configuration details required by the server. The +information in this file includes server-specific +information such as what printcap file to use, as well +as descriptions of all the services that the server is +to provide. See smb.conf for more information. +The default configuration file name is determined at +compile time.

-S server

+ Name of target server. You should specify either + this option or a target workgroup or a target IP address. +

-l

+ When listing data, give more information on each item. +

-P

+ Make queries to the external server using the machine account of the local server. +

-d|--debug=debuglevel

debuglevel is an integer +from 0 to 10. The default value if this parameter is +not specified is zero.

The higher this value, the more detail will be +logged to the log files about the activities of the +server. At level 0, only critical errors and serious +warnings will be logged. Level 1 is a reasonable level for +day-to-day running - it generates a small amount of +information about operations carried out.

Levels above 1 will generate considerable +amounts of log data, and should only be used when +investigating a problem. Levels above 3 are designed for +use only by developers and generate HUGE amounts of log +data, most of which is extremely cryptic.

Note that specifying this parameter here will +override the parameter +in the smb.conf file.

COMMANDS

CHANGESECRETPW

This command allows the Samba machine account password to be set from an external application +to a machine account password that has already been stored in Active Directory. DO NOT USE this command +unless you know exactly what you are doing. The use of this command requires that the force flag (-f) +be used also. There will be NO command prompt. Whatever information is piped into stdin, either by +typing at the command line or otherwise, will be stored as the literal machine password. Do NOT use +this without care and attention as it will overwrite a legitimate machine password without warning. +YOU HAVE BEEN WARNED. +

TIME

The NET TIME command allows you to view the time on a remote server + or synchronise the time on the local server with the time on the remote server.

TIME

Without any options, the NET TIME command +displays the time on the remote server. +

TIME SYSTEM

Displays the time on the remote server in a format ready for /bin/date

TIME SET

Tries to set the date and time of the local server to that on +the remote server using /bin/date.

TIME ZONE

Displays the timezone in hours from GMT on the remote computer.

[RPC|ADS] JOIN [TYPE] [-U username[%password]] [options]

+Join a domain. If the account already exists on the server, and +[TYPE] is MEMBER, the machine will attempt to join automatically. +(Assuming that the machine has been created in server manager) +Otherwise, a password will be prompted for, and a new account may +be created.

+[TYPE] may be PDC, BDC or MEMBER to specify the type of server +joining the domain. +

[RPC] OLDJOIN [options]

Join a domain. Use the OLDJOIN option to join the domain +using the old style of domain joining - you need to create a trust +account in server manager first.

[RPC|ADS] USER

List all users

[RPC|ADS] USER DELETE `target`

Delete specified user

[RPC|ADS] USER INFO `target`

List the domain groups of a the specified user.

[RPC|ADS] USER RENAME `oldname` `newname`

Rename specified user.

[RPC|ADS] USER ADD `name` [password] [-F user flags] [-C comment]

Add specified user.

[RPC|ADS] GROUP

[RPC|ADS] GROUP [misc options] [targets]

List user groups.

[RPC|ADS] GROUP DELETE `name` [misc. options]

Delete specified group.

[RPC|ADS] GROUP ADD `name` [-C comment]

Create specified group.

[RAP|RPC] SHARE

[RAP|RPC] SHARE [misc. options] [targets]

Enumerates all exported resources (network shares) on target server.

[RAP|RPC] SHARE ADD `name=serverpath` [-C comment] [-M maxusers] [targets]

Adds a share from a server (makes the export active). Maxusers +specifies the number of users that can be connected to the +share simultaneously.

SHARE DELETE `sharenam`

Delete specified share.

[RPC|RAP] FILE

List all open files on remote server.

[RPC|RAP] FILE CLOSE `fileid`

Close file with specified fileid on +remote server.

[RPC|RAP] FILE INFO `fileid`

+Print information on specified fileid. +Currently listed are: file-id, username, locks, path, permissions. +

[RAP|RPC] FILE USER

Note

Currently NOT implemented.

SESSION

RAP SESSION

Without any other options, SESSION enumerates all active SMB/CIFS +sessions on the target server.

RAP SESSION DELETE|CLOSE `CLIENT_NAME`

Close the specified sessions.

RAP SESSION INFO `CLIENT_NAME`

Give a list with all the open files in specified session.

RAP SERVER `DOMAIN`

List all servers in specified domain or workgroup. Defaults +to local domain.

RAP DOMAIN

Lists all domains and workgroups visible on the +current network.

RAP PRINTQ

RAP PRINTQ LIST `QUEUE_NAME`

Lists the specified print queue and print jobs on the server. +If the QUEUE_NAME is omitted, all +queues are listed.

RAP PRINTQ DELETE `JOBID`

Delete job with specified id.

RAP VALIDATE `user` [`password`]

+Validate whether the specified user can log in to the +remote server. If the password is not specified on the commandline, it +will be prompted. +

Note

Currently NOT implemented.

RAP GROUPMEMBER

RAP GROUPMEMBER LIST `GROUP`

List all members of the specified group.

RAP GROUPMEMBER DELETE `GROUP` `USER`

Delete member from group.

RAP GROUPMEMBER ADD `GROUP` `USER`

Add member to group.

RAP ADMIN `command`

Execute the specified command on +the remote server. Only works with OS/2 servers. +

Note

Currently NOT implemented.

RAP SERVICE

RAP SERVICE START `NAME` [arguments...]

Start the specified service on the remote server. Not implemented yet.

Note

Currently NOT implemented.

RAP SERVICE STOP

Stop the specified service on the remote server.

Note

Currently NOT implemented.

RAP PASSWORD `USER` `OLDPASS` `NEWPASS`

+Change password of USER from OLDPASS to NEWPASS. +

LOOKUP

LOOKUP HOST `HOSTNAME` [`TYPE`]

+Lookup the IP address of the given host with the specified type (netbios suffix). +The type defaults to 0x20 (workstation). +

LOOKUP LDAP [`DOMAIN`

Give IP address of LDAP server of specified DOMAIN. Defaults to local domain.

LOOKUP KDC [`REALM`]

Give IP address of KDC for the specified REALM. +Defaults to local realm.

LOOKUP DC [`DOMAIN`]

Give IP's of Domain Controllers for specified +DOMAIN. Defaults to local domain.

LOOKUP MASTER `DOMAIN`

Give IP of master browser for specified DOMAIN +or workgroup. Defaults to local domain.

CACHE

Samba uses a general caching interface called 'gencache'. It +can be controlled using 'NET CACHE'.

All the timeout parameters support the suffixes: + +

s - Seconds

m - Minutes

h - Hours

d - Days

w - Weeks

+ +

CACHE ADD `key` `data` `time-out`

Add specified key+data to the cache with the given timeout.

CACHE DEL `key`

Delete key from the cache.

CACHE SET `key` `data` `time-out`

Update data of existing cache entry.

CACHE SEARCH `PATTERN`

Search for the specified pattern in the cache data.

CACHE LIST

+List all current items in the cache. +

CACHE FLUSH

Remove all the current items from the cache.

GETLOCALSID [DOMAIN]

Print the SID of the specified domain, or if the parameter is +omitted, the SID of the domain the local server is in.

SETLOCALSID S-1-5-21-x-y-z

Sets domain sid for the local server to the specified SID.

GROUPMAP

Manage the mappings between Windows group SIDs and UNIX groups. +Parameters take the for "parameter=value". Common options include:

unixgroup - Name of the UNIX group
ntgroup - Name of the Windows NT group (must be + resolvable to a SID
rid - Unsigned 32-bit integer
sid - Full SID in the form of "S-1-..."
type - Type of the group; either 'domain', 'local', + or 'builtin'
comment - Freeform text description of the group

GROUPMAP ADD

+Add a new group mapping entry: +

+net groupmap add {rid=int|sid=string} unixgroup=string \
+      [type={domain|local}] [ntgroup=string] [comment=string]
+

GROUPMAP DELETE

Delete a group mapping entry. If more then one group name matches, the first entry found is deleted.

net groupmap delete {ntgroup=string|sid=SID}

GROUPMAP MODIFY

Update en existing group entry

+net groupmap modify {ntgroup=string|sid=SID} [unixgroup=string] \
+       [comment=string] [type={domain|local}]
+

GROUPMAP LIST

List existing group mapping entries

net groupmap list [verbose] [ntgroup=string] [sid=SID]

MAXRID

Prints out the highest RID currently in use on the local +server (by the active 'passdb backend'). +

RPC INFO

Print information about the domain of the remote server, +such as domain name, domain sid and number of users and groups. +

[RPC|ADS] TESTJOIN

Check whether participation in a domain is still valid.

[RPC|ADS] CHANGETRUSTPW

Force change of domain trust password.

RPC TRUSTDOM

RPC TRUSTDOM ADD `DOMAIN`

Add a interdomain trust account for +DOMAIN to the remote server. +

RPC TRUSTDOM DEL `DOMAIM`

Remove interdomain trust account for +DOMAIN from the remote server. +

Note

Currently NOT implemented.

RPC TRUSTDOM ESTABLISH `DOMAIN`

+Establish a trust relationship to a trusting domain. +Interdomain account must already be created on the remote PDC. +

RPC TRUSTDOM REVOKE `DOMAIN`

Abandon relationship to trusted domain

RPC TRUSTDOM LIST

List all current interdomain trust relationships.

RPC RIGHTS

This subcommand is used to view and manage Samba's rights assignments (also +referred to as privileges). There are three options current available: +list, grant, and +revoke. More details on Samba's privilege model and its use +can be found in the Samba-HOWTO-Collection.

RPC ABORTSHUTDOWN

Abort the shutdown of a remote server.

SHUTDOWN [-t timeout] [-r] [-f] [-C message]

Shut down the remote server.

-r: +Reboot after shutdown. +
-f: +Force shutting down all applications. +
-t timeout: +Timeout before system will be shut down. An interactive +user of the system can use this time to cancel the shutdown. +
-C message: Display the specified message on the screen to +announce the shutdown.

SAMDUMP

Print out sam database of remote server. You need +to run this on either a BDC.

VAMPIRE

Export users, aliases and groups from remote server to +local server. Can only be run an a BDC. +

GETSID

Fetch domain SID and store it in the local secrets.tdb.

ADS LEAVE

Make the remote host leave the domain it is part of.

ADS STATUS

Print out status of machine account of the local machine in ADS. +Prints out quite some debug info. Aimed at developers, regular +users should use NET ADS TESTJOIN.

ADS PRINTER

ADS PRINTER INFO [`PRINTER`] [`SERVER`]

+Lookup info for PRINTER on SERVER. The printer name defaults to "*", the +server name defaults to the local host.

ADS PRINTER PUBLISH `PRINTER`

Publish specified printer using ADS.

ADS PRINTER REMOVE `PRINTER`

Remove specified printer from ADS directory.

ADS SEARCH `EXPRESSION` `ATTRIBUTES...`

Perform a raw LDAP search on a ADS server and dump the results. The +expression is a standard LDAP search expression, and the +attributes are a list of LDAP fields to show in the results.

Example: net ads search '(objectCategory=group)' sAMAccountName +

ADS DN `DN` `(attributes)`

+Perform a raw LDAP search on a ADS server and dump the results. The +DN standard LDAP DN, and the attributes are a list of LDAP fields +to show in the result. +

Example: net ads dn 'CN=administrator,CN=Users,DC=my,DC=domain' SAMAccountName

WORKGROUP

Print out workgroup name for specified kerberos realm.

HELP [COMMAND]

Gives usage information for the specified command.

VERSION

This man page is complete for version 3.0 of the Samba + suite.

AUTHOR

The net manpage was written by Jelmer Vernooij.

diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20rc2/docs/htmldocs/manpages-3/nmbd.8.html samba-3.0.20/docs/htmldocs/manpages-3/nmbd.8.html --- samba-3.0.20rc2/docs/htmldocs/manpages-3/nmbd.8.html 1969-12-31 18:00:00.000000000 -0600 +++ samba-3.0.20/docs/htmldocs/manpages-3/nmbd.8.html 2005-08-19 12:55:33.000000000 -0500 @@ -0,0 +1,147 @@ +nmbd

Name

nmbd — NetBIOS name server to provide NetBIOS + over IP naming services to clients

Synopsis

nmbd [-D] [-F] [-S] [-a] [-i] [-o] [-h] [-V] [-d <debug level>] [-H <lmhosts file>] [-l <log directory>] [-p <port number>] [-s <configuration file>]

DESCRIPTION

This program is part of the samba(7) suite.

nmbd is a server that understands + and can reply to NetBIOS over IP name service requests, like + those produced by SMB/CIFS clients such as Windows 95/98/ME, + Windows NT, Windows 2000, Windows XP and LanManager clients. It also + participates in the browsing protocols which make up the + Windows "Network Neighborhood" view.

SMB/CIFS clients, when they start up, may wish to + locate an SMB/CIFS server. That is, they wish to know what + IP number a specified host is using.

Amongst other services, nmbd will + listen for such requests, and if its own NetBIOS name is + specified it will respond with the IP number of the host it + is running on. Its "own NetBIOS name" is by + default the primary DNS name of the host it is running on, + but this can be overridden by the netbios name + in smb.conf. Thus nmbd will + reply to broadcast queries for its own name(s). Additional + names for nmbd to respond on can be set + via parameters in the smb.conf(5) configuration file.

nmbd can also be used as a WINS + (Windows Internet Name Server) server. What this basically means + is that it will act as a WINS database server, creating a + database from name registration requests that it receives and + replying to queries from clients for these names.

In addition, nmbd can act as a WINS + proxy, relaying broadcast queries from clients that do + not understand how to talk the WINS protocol to a WINS + server.

OPTIONS

-D

If specified, this parameter causes + nmbd to operate as a daemon. That is, + it detaches itself and runs in the background, fielding + requests on the appropriate port. By default, nmbd + will operate as a daemon if launched from a command shell. + nmbd can also be operated from the inetd + meta-daemon, although this is not recommended. +

-F

If specified, this parameter causes + the main nmbd process to not daemonize, + i.e. double-fork and disassociate with the terminal. + Child processes are still created as normal to service + each connection request, but the main process does not + exit. This operation mode is suitable for running + nmbd under process supervisors such + as supervise and svscan + from Daniel J. Bernstein's daemontools + package, or the AIX process monitor. +

-S

If specified, this parameter causes + nmbd to log to standard output rather + than a file.

-i

If this parameter is specified it causes the + server to run "interactively", not as a daemon, even if the + server is executed on the command line of a shell. Setting this + parameter negates the implicit daemon mode when run from the + command line. nmbd also logs to standard + output, as if the -S parameter had been + given.

-h|--help

Print a summary of command line options. +

-H <filename>

NetBIOS lmhosts file. The lmhosts + file is a list of NetBIOS names to IP addresses that + is loaded by the nmbd server and used via the name + resolution mechanism name resolve order described in smb.conf(5) to resolve any + NetBIOS name queries needed by the server. Note + that the contents of this file are NOT + used by nmbd to answer any name queries. + Adding a line to this file affects name NetBIOS resolution + from this host ONLY.

The default path to this file is compiled into + Samba as part of the build process. Common defaults + are /usr/local/samba/lib/lmhosts, + /usr/samba/lib/lmhosts or + /etc/samba/lmhosts. See the lmhosts(5) man page for details on the contents of this file.

-V

Prints the program version number. +

-s <configuration file>

-d|--debug=debuglevel

debuglevel is an integer +from 0 to 10. The default value if this parameter is +not specified is zero.

Note that specifying this parameter here will +override the parameter +in the smb.conf file.

-l|--logfile=logdirectory

Base directory name for log/debug files. The extension +".progname" will be appended (e.g. log.smbclient, +log.smbd, etc...). The log file is never removed by the client. +

-p <UDP port number>

UDP port number is a positive integer value. + This option changes the default UDP port number (normally 137) + that nmbd responds to name queries on. Don't + use this option unless you are an expert, in which case you + won't need help!

FILES

/etc/inetd.conf

If the server is to be run by the + inetd meta-daemon, this file + must contain suitable startup information for the + meta-daemon. +

/etc/rc

or whatever initialization script your + system uses).

If running the server as a daemon at startup, + this file will need to contain an appropriate startup + sequence for the server.

/etc/services

If running the server via the + meta-daemon inetd, this file + must contain a mapping of service name (e.g., netbios-ssn) + to service port (e.g., 139) and protocol type (e.g., tcp). +

/usr/local/samba/lib/smb.conf

This is the default location of + the smb.conf(5) server + configuration file. Other common places that systems + install this file are /usr/samba/lib/smb.conf + and /etc/samba/smb.conf.

When run as a WINS server (see the + wins support + parameter in the smb.conf(5) man page), + nmbd + will store the WINS database in the file wins.dat + in the var/locks directory configured under + wherever Samba was configured to install itself.

If nmbd is acting as a + browse master (see the local master + parameter in the smb.conf(5) man page, nmbd + will store the browsing database in the file browse.dat + in the var/locks directory + configured under wherever Samba was configured to install itself. +

SIGNALS

To shut down an nmbd process it is recommended + that SIGKILL (-9) NOT be used, except as a last + resort, as this may leave the name database in an inconsistent state. + The correct way to terminate nmbd is to send it + a SIGTERM (-15) signal and wait for it to die on its own.

nmbd will accept SIGHUP, which will cause + it to dump out its namelists into the file namelist.debug + in the /usr/local/samba/var/locks + directory (or the var/locks directory configured + under wherever Samba was configured to install itself). This will also + cause nmbd to dump out its server database in + the log.nmb file.

The debug log level of nmbd may be raised or lowered + using smbcontrol(1) (SIGUSR[1|2] signals + are no longer used since Samba 2.2). This is to allow + transient problems to be diagnosed, whilst still running + at a normally low log level.

VERSION

This man page is correct for version 3.0 of + the Samba suite.

AUTHOR

The original Samba man pages were written by Karl Auer. + The man page sources were converted to YODL format (another + excellent piece of Open Source software, available at + ftp://ftp.icce.rug.nl/pub/unix/) and updated for the Samba 2.0 + release by Jeremy Allison. The conversion to DocBook for + Samba 2.2 was done by Gerald Carter. The conversion to DocBook + XML 4.2 for Samba 3.0 was done by Alexander Bokovoy.

diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20rc2/docs/htmldocs/manpages-3/nmblookup.1.html samba-3.0.20/docs/htmldocs/manpages-3/nmblookup.1.html --- samba-3.0.20rc2/docs/htmldocs/manpages-3/nmblookup.1.html 1969-12-31 18:00:00.000000000 -0600 +++ samba-3.0.20/docs/htmldocs/manpages-3/nmblookup.1.html 2005-08-19 12:55:38.000000000 -0500 @@ -0,0 +1,105 @@ +nmblookup

Name

nmblookup — NetBIOS over TCP/IP client used to lookup NetBIOS + names

Synopsis

nmblookup [-M] [-R] [-S] [-r] [-A] [-h] [-B <broadcast address>] [-U <unicast address>] [-d <debug level>] [-s <smb config file>] [-i <NetBIOS scope>] [-T] [-f] {name}

DESCRIPTION

This tool is part of the samba(7) suite.

nmblookup is used to query NetBIOS names + and map them to IP addresses in a network using NetBIOS over TCP/IP + queries. The options allow the name queries to be directed at a + particular IP broadcast area or to a particular machine. All queries + are done over UDP.

OPTIONS

-M

Searches for a master browser by looking + up the NetBIOS name name with a + type of 0x1d. If + name is "-" then it does a lookup on the special name + __MSBROWSE__. Please note that in order to + use the name "-", you need to make sure "-" isn't parsed as an + argument, e.g. use : + nmblookup -M -- -.

-R

Set the recursion desired bit in the packet + to do a recursive lookup. This is used when sending a name + query to a machine running a WINS server and the user wishes + to query the names in the WINS server. If this bit is unset + the normal (broadcast responding) NetBIOS processing code + on a machine is used instead. See RFC1001, RFC1002 for details. +

-S

Once the name query has returned an IP + address then do a node status query as well. A node status + query returns the NetBIOS names registered by a host. +

-r

Try and bind to UDP port 137 to send and receive UDP + datagrams. The reason for this option is a bug in Windows 95 + where it ignores the source port of the requesting packet + and only replies to UDP port 137. Unfortunately, on most UNIX + systems root privilege is needed to bind to this port, and + in addition, if the nmbd(8) daemon is running on this machine it also binds to this port. +

-A

Interpret name as + an IP Address and do a node status query on this address.

-n <primary NetBIOS name>

-i <scope>

This specifies a NetBIOS scope that +nmblookup will use to communicate with when +generating NetBIOS names. For details on the use of NetBIOS +scopes, see rfc1001.txt and rfc1002.txt. NetBIOS scopes are +very rarely used, only set this parameter +if you are the system administrator in charge of all the +NetBIOS systems you communicate with.

-W|--workgroup=domain

Set the SMB domain of the username. This +overrides the default domain which is the domain defined in +smb.conf. If the domain specified is the same as the servers +NetBIOS name, it causes the client to log on using the servers local +SAM (as opposed to the Domain SAM).

-O socket options

TCP socket options to set on the client +socket. See the socket options parameter in +the smb.conf manual page for the list of valid +options.

-h|--help

Print a summary of command line options. +

-B <broadcast address>

Send the query to the given broadcast address. Without + this option the default behavior of nmblookup is to send the + query to the broadcast address of the network interfaces as + either auto-detected or defined in the interfaces + parameter of the smb.conf(5) file. +

-U <unicast address>

Do a unicast query to the specified address or + host unicast address. This option + (along with the -R option) is needed to + query a WINS server.

-V

Prints the program version number. +

-s <configuration file>

-d|--debug=debuglevel

debuglevel is an integer +from 0 to 10. The default value if this parameter is +not specified is zero.

Note that specifying this parameter here will +override the parameter +in the smb.conf file.

-l|--logfile=logdirectory

Base directory name for log/debug files. The extension +".progname" will be appended (e.g. log.smbclient, +log.smbd, etc...). The log file is never removed by the client. +

-T

This causes any IP addresses found in the + lookup to be looked up via a reverse DNS lookup into a + DNS name, and printed out before each

IP address .... NetBIOS name

pair that is the normal output.

-f

+ Show which flags apply to the name that has been looked up. Possible + answers are zero or more of: Response, Authoritative, + Truncated, Recursion_Desired, Recursion_Available, Broadcast. +

name

This is the NetBIOS name being queried. Depending + upon the previous options this may be a NetBIOS name or IP address. + If a NetBIOS name then the different name types may be specified + by appending '#<type>' to the name. This name may also be + '*', which will return all registered names within a broadcast + area.

EXAMPLES

nmblookup can be used to query + a WINS server (in the same way nslookup is + used to query DNS servers). To query a WINS server, nmblookup + must be called like this:

nmblookup -U server -R 'name'

For example, running :

nmblookup -U samba.org -R 'IRIX#1B'

would query the WINS server samba.org for the domain + master browser (1B name type) for the IRIX workgroup.

VERSION

This man page is correct for version 3.0 of + the Samba suite.

AUTHOR

diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20rc2/docs/htmldocs/manpages-3/ntlm_auth.1.html samba-3.0.20/docs/htmldocs/manpages-3/ntlm_auth.1.html --- samba-3.0.20rc2/docs/htmldocs/manpages-3/ntlm_auth.1.html 1969-12-31 18:00:00.000000000 -0600 +++ samba-3.0.20/docs/htmldocs/manpages-3/ntlm_auth.1.html 2005-08-19 12:55:42.000000000 -0500 @@ -0,0 +1,157 @@ +ntlm_auth

Name

ntlm_auth — tool to allow external access to Winbind's NTLM authentication function

Synopsis

ntlm_auth [-d debuglevel] [-l logdir] [-s <smb config file>]

DESCRIPTION

This tool is part of the samba(7) suite.

ntlm_auth is a helper utility that authenticates + users using NT/LM authentication. It returns 0 if the users is authenticated + successfully and 1 if access was denied. ntlm_auth uses winbind to access + the user and authentication data for a domain. This utility + is only indended to be used by other programs (currently + Squid + and mod_ntlm_winbind) +

OPERATIONAL REQUIREMENTS

+ The winbindd(8) daemon must be operational + for many of these commands to function.

Some of these commands also require access to the directory + winbindd_privileged in + $LOCKDIR. This should be done either by running + this command as root or providing group access + to the winbindd_privileged directory. For + security reasons, this directory should not be world-accessable.

OPTIONS

--helper-protocol=PROTO

+ Operate as a stdio-based helper. Valid helper protocols are: +

squid-2.4-basic

+ Server-side helper for use with Squid 2.4's basic (plaintext) + authentication.

squid-2.5-basic

+ Server-side helper for use with Squid 2.5's basic (plaintext) + authentication.

squid-2.5-ntlmssp

+ Server-side helper for use with Squid 2.5's NTLMSSP + authentication.

Requires access to the directory + winbindd_privileged in + $LOCKDIR. The protocol used is + described here: http://devel.squid-cache.org/ntlm/squid_helper_protocol.html. + This protocol has been extended to allow the + NTLMSSP Negotiate packet to be included as an argument + to the YR command. (Thus avoiding + loss of information in the protocol exchange). +

ntlmssp-client-1

+ Client-side helper for use with arbitary external + programs that may wish to use Samba's NTLMSSP + authentication knowlege.

This helper is a client, and as such may be run by any + user. The protocol used is + effectivly the reverse of the previous protocol. A + YR command (without any arguments) + starts the authentication exchange. +

gss-spnego

+ Server-side helper that implements GSS-SPNEGO. This + uses a protocol that is almost the same as + squid-2.5-ntlmssp, but has some + subtle differences that are undocumented outside the + source at this stage. +

Requires access to the directory + winbindd_privileged in + $LOCKDIR. +

gss-spnego-client

+ Client-side helper that implements GSS-SPNEGO. This + also uses a protocol similar to the above helpers, but + is currently undocumented. +

ntlm-server-1

+ Server-side helper protocol, intended for use by a + RADIUS server or the 'winbind' plugin for pppd, for + the provision of MSCHAP and MSCHAPv2 authentication. +

This protocol consists of lines in for form: + Parameter: value and Paramter:: + Base64-encode value. The presence of a single + period . indicates that one side has + finished supplying data to the other. (Which in turn + could cause the helper to authenticate the + user).

Curently implemented parameters from the + external program to the helper are:

Warning

Implementors should take care to base64 encode + any data (such as usernames/passwords) that may contain malicous user data, such as + a newline. They may also need to decode strings from + the helper, which likewise may have been base64 encoded.

Username: The username, expected to be in + Samba's unix charset. +
Example 1.
Username: bob
Example 2.
Username:: Ym9i
Username: The user's domain, expected to be in + Samba's unix charset. +
Example 3.
Domain: WORKGROUP
Example 4.
Domain:: V09SS0dST1VQ
Full-Username: The fully qualified username, expected to be in + Samba's and qualified with the + winbind separator. +
Example 5.
Full-Username: WORKGROUP\bob
Example 6.
Full-Username:: V09SS0dST1VQYm9i
LANMAN-Challenge: The 8 byte LANMAN Challenge value, + generated randomly by the server, or (in cases such as + MSCHAPv2) generated in some way by both the server and + the client. +
Example 7.
LANMAN-Challege: 0102030405060708
LANMAN-Response: The 24 byte LANMAN Response value, + calculated from the user's password and the supplied + LANMAN Challenge. Typically, this + is provided over the network by a client wishing to authenticate. +
Example 8.
LANMAN-Response: 0102030405060708090A0B0C0D0E0F101112131415161718
NT-Response: The >= 24 byte NT Response + calculated from the user's password and the supplied + LANMAN Challenge. Typically, this is + provided over the network by a client wishing to authenticate. +
Example 9.
NT-Response: 0102030405060708090A0B0C0D0E0F101112131415161718
Password: The user's password. This would be + provided by a network client, if the helper is being + used in a legacy situation that exposes plaintext + passwords in this way. +
Example 10.
Password: samba2
Example 11.
Password:: c2FtYmEy
Request-User-Session-Key: Apon sucessful authenticaiton, return + the user session key associated with the login. +
Example 12.
Request-User-Session-Key: Yes
Request-LanMan-Session-Key: Apon sucessful authenticaiton, return + the LANMAN session key associated with the login. +
Example 13.
Request-LanMan-Session-Key: Yes

--username=USERNAME

+ Specify username of user to authenticate +

--domain=DOMAIN

+ Specify domain of user to authenticate +

--workstation=WORKSTATION

+ Specify the workstation the user authenticated from +

--challenge=STRING

NTLM challenge (in HEXADECIMAL)

--lm-response=RESPONSE

LM Response to the challenge (in HEXADECIMAL)

--nt-response=RESPONSE

NT or NTLMv2 Response to the challenge (in HEXADECIMAL)

--password=PASSWORD

User's plaintext password

If + not specified on the command line, this is prompted for when + required.

For the NTLMSSP based server roles, this paramter + specifies the expected password, allowing testing without + winbindd operational.

--request-lm-key

Retreive LM session key

--request-nt-key

Request NT key

--diagnostics

Perform Diagnostics on the authentication + chain. Uses the password from --password + or prompts for one.

--require-membership-of={SID|Name}

Require that a user be a member of specified + group (either name or SID) for authentication to succeed.

-V

Prints the program version number. +

-s <configuration file>

-d|--debug=debuglevel

debuglevel is an integer +from 0 to 10. The default value if this parameter is +not specified is zero.

Note that specifying this parameter here will +override the parameter +in the smb.conf file.

-l|--logfile=logdirectory

Base directory name for log/debug files. The extension +".progname" will be appended (e.g. log.smbclient, +log.smbd, etc...). The log file is never removed by the client. +

-h|--help

Print a summary of command line options. +

EXAMPLE SETUP

To setup ntlm_auth for use by squid 2.5, with both basic and + NTLMSSP authentication, the following + should be placed in the squid.conf file. +

+auth_param ntlm program ntlm_auth --helper-protocol=squid-2.5-ntlmssp
+auth_param basic program ntlm_auth --helper-protocol=squid-2.5-basic
+auth_param basic children 5
+auth_param basic realm Squid proxy-caching web server
+auth_param basic credentialsttl 2 hours
+

Note

This example assumes that ntlm_auth has been installed into your + path, and that the group permissions on + winbindd_privileged are as described above.

To setup ntlm_auth for use by squid 2.5 with group limitation in addition to the above + example, the following should be added to the squid.conf file. +

+auth_param ntlm program ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of='WORKGROUP\Domain Users'
+auth_param basic program ntlm_auth --helper-protocol=squid-2.5-basic --require-membership-of='WORKGROUP\Domain Users'
+

TROUBLESHOOTING

If you're experiencing problems with authenticating Internet Explorer running + under MS Windows 9X or Millenium Edition against ntlm_auth's NTLMSSP authentication + helper (--helper-protocol=squid-2.5-ntlmssp), then please read + + the Microsoft Knowledge Base article #239869 and follow instructions described there. +

VERSION

This man page is correct for version 3.0 of the Samba + suite.

AUTHOR

The ntlm_auth manpage was written by Jelmer Vernooij and + Andrew Bartlett.

diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20rc2/docs/htmldocs/manpages-3/pam_winbind.8.html samba-3.0.20/docs/htmldocs/manpages-3/pam_winbind.8.html --- samba-3.0.20rc2/docs/htmldocs/manpages-3/pam_winbind.8.html 1969-12-31 18:00:00.000000000 -0600 +++ samba-3.0.20/docs/htmldocs/manpages-3/pam_winbind.8.html 2005-08-19 12:55:46.000000000 -0500 @@ -0,0 +1,28 @@ +pam_winbind

Name

pam_winbind — PAM module for Winbind

DESCRIPTION

This tool is part of the samba(7) suite.

pam_winbind is a PAM module that can authenticate users against the local domain + by talking to the Winbind daemon.

OPTIONS

+ pam_winbind supports several options: +

debug: Gives debugging output to syslog.
require_membership_of=[SID or NAME]: + If this option is set, pam_winbind will only succeed if the + user is a member of the given SID or NAME. A SID can be either a group-SID, a + alias-SID or even a user-SID. It is also possible to give a NAME instead of the + SID. That name must have the form: MYDOMAIN\mygroup or + MYDOMAIN\myuser. pam_winbind will, in that case, lookup + the SID internally. Note that NAME may not contain any spaces. It is thus + recommended to only use SIDs. You can verify the list of SIDs a user is a member + of with wbinfo --user-sids=SID. +
try_first_pass
use_first_pass: + By default, pam_winbind tries to get the + authentication token from a previous module. If no token is available it asks the user + for the old password. With this option, pam_winbind aborts with an + error if no authentication token from a previous module is available. +
use_authtok: + Set the new password to the one provided by the previously + stacked password module. If this option is not set pam_winbind will ask the + user for the new password. +

+ + +

VERSION

This man page is correct for version 3.0 of Samba.

AUTHOR

This manpage was written by Jelmer Vernooij and Guenther Deschner.

diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20rc2/docs/htmldocs/manpages-3/pdbedit.8.html samba-3.0.20/docs/htmldocs/manpages-3/pdbedit.8.html --- samba-3.0.20rc2/docs/htmldocs/manpages-3/pdbedit.8.html 1969-12-31 18:00:00.000000000 -0600 +++ samba-3.0.20/docs/htmldocs/manpages-3/pdbedit.8.html 2005-08-19 12:55:50.000000000 -0500 @@ -0,0 +1,145 @@ +pdbedit

Name

pdbedit — manage the SAM database (Database of Samba Users)

Synopsis

DESCRIPTION

This tool is part of the samba(7) suite.

The pdbedit program is used to manage the users accounts + stored in the sam database and can only be run by root.

The pdbedit tool uses the passdb modular interface and is + independent from the kind of users database used (currently there + are smbpasswd, ldap, nis+ and tdb based and more can be added + without changing the tool).

There are five main ways to use pdbedit: adding a user account, + removing a user account, modifing a user account, listing user + accounts, importing users accounts.

OPTIONS

-L

This option lists all the user accounts + present in the users database. + This option prints a list of user/uid pairs separated by + the ':' character.

Example: pdbedit -L

+sorce:500:Simo Sorce
+samba:45:Test User
+

-v

This option enables the verbose listing format. + It causes pdbedit to list the users in the database, printing + out the account fields in a descriptive format.

Example: pdbedit -L -v

+---------------
+username:       sorce
+user ID/Group:  500/500
+user RID/GRID:  2000/2001
+Full Name:      Simo Sorce
+Home Directory: \\BERSERKER\sorce
+HomeDir Drive:  H:
+Logon Script:   \\BERSERKER\netlogon\sorce.bat
+Profile Path:   \\BERSERKER\profile
+---------------
+username:       samba
+user ID/Group:  45/45
+user RID/GRID:  1090/1091
+Full Name:      Test User
+Home Directory: \\BERSERKER\samba
+HomeDir Drive:  
+Logon Script:   
+Profile Path:   \\BERSERKER\profile
+

-w

This option sets the "smbpasswd" listing format. + It will make pdbedit list the users in the database, printing + out the account fields in a format compatible with the + smbpasswd file format. (see the + smbpasswd(5) for details)

Example: pdbedit -L -w

+sorce:500:508818B733CE64BEAAD3B435B51404EE:
+          D2A2418EFC466A8A0F6B1DBB5C3DB80C:
+          [UX         ]:LCT-00000000:
+samba:45:0F2B255F7B67A7A9AAD3B435B51404EE:
+          BC281CE3F53B6A5146629CD4751D3490:
+          [UX         ]:LCT-3BFA1E8D:
+

-u username

This option specifies the username to be + used for the operation requested (listing, adding, removing). + It is required in add, remove and modify + operations and optional in list + operations.

-f fullname

This option can be used while adding or + modifing a user account. It will specify the user's full + name.

Example: -f "Simo Sorce"

-h homedir

This option can be used while adding or + modifing a user account. It will specify the user's home + directory network path.

Example: -h "\\\\BERSERKER\\sorce" +

-D drive

This option can be used while adding or + modifing a user account. It will specify the windows drive + letter to be used to map the home directory.

Example: -d "H:" +

-S script

This option can be used while adding or + modifing a user account. It will specify the user's logon + script path.

Example: -S "\\\\BERSERKER\\netlogon\\sorce.bat" +

-p profile

This option can be used while adding or + modifing a user account. It will specify the user's profile + directory.

Example: -p "\\\\BERSERKER\\netlogon" +

-G SID|rid

+ This option can be used while adding or modifying a user account. It + will specify the users' new primary group SID (Security Identifier) or + rid.

Example: -G S-1-5-21-2447931902-1787058256-3961074038-1201

-U SID|rid

+ This option can be used while adding or modifying a user account. It + will specify the users' new SID (Security Identifier) or + rid.

Example: -U S-1-5-21-2447931902-1787058256-3961074038-5004

-c account-control

This option can be used while adding or modifying a user + account. It will specify the users' account control property. Possible flags are listed below. +

N: No password required
D: Account disabled
H: Home directory required
T: Temporary duplicate of other account
U: Regular user account
M: MNS logon user account
W: Workstation Trust Account
S: Server Trust Account
L: Automatic Locking
X: Password does not expire
I: Domain Trust Account

Example: -c "[X ]"

-a

This option is used to add a user into the + database. This command needs a user name specified with + the -u switch. When adding a new user, pdbedit will also + ask for the password to be used.

Example: pdbedit -a -u sorce +

new password:
+retype new password
+

Note

pdbedit does not call the unix password syncronisation + script if unix password sync + has been set. It only updates the data in the Samba + user database. +

If you wish to add a user and synchronise the password + that immediately, use smbpasswd's -a option. +

-r

This option is used to modify an existing user + in the database. This command needs a user name specified with the -u + switch. Other options can be specified to modify the properties of + the specified user. This flag is kept for backwards compatibility, but + it is no longer necessary to specify it. +

-m

This option may only be used in conjunction + with the -a option. It will make + pdbedit to add a machine trust account instead of a user + account (-u username will provide the machine name).

Example: pdbedit -a -m -u w2k-wks +

-x

This option causes pdbedit to delete an account + from the database. It needs a username specified with the + -u switch.

Example: pdbedit -x -u bob

-i passdb-backend

Use a different passdb backend to retrieve users + than the one specified in smb.conf. Can be used to import data into + your local user database.

This option will ease migration from one passdb backend to + another.

Example: pdbedit -i smbpasswd:/etc/smbpasswd.old +

-e passdb-backend

Exports all currently available users to the + specified password database backend.

This option will ease migration from one passdb backend to + another and will ease backing up.

Example: pdbedit -e smbpasswd:/root/samba-users.backup

-g

If you specify -g, + then -i in-backend -e out-backend + applies to the group mapping instead of the user database.

This option will ease migration from one passdb backend to + another and will ease backing up.

-b passdb-backend

Use a different default passdb backend.

Example: pdbedit -b xml:/root/pdb-backup.xml -l

-P account-policy

Display an account policy

Valid policies are: minimum password age, reset count minutes, disconnect time, + user must logon to change password, password history, lockout duration, min password length, + maximum password age and bad lockout attempt.

Example: pdbedit -P "bad lockout attempt"

+account policy value for bad lockout attempt is 0
+

-C account-policy-value

Sets an account policy to a specified value. + This option may only be used in conjunction + with the -P option. +

Example: pdbedit -P "bad lockout attempt" -C 3

+account policy value for bad lockout attempt was 0
+account policy value for bad lockout attempt is now 3
+

-h|--help

Print a summary of command line options. +

-V

Prints the program version number. +

-s <configuration file>

-d|--debug=debuglevel

debuglevel is an integer +from 0 to 10. The default value if this parameter is +not specified is zero.

Note that specifying this parameter here will +override the parameter +in the smb.conf file.

-l|--logfile=logdirectory

Base directory name for log/debug files. The extension +".progname" will be appended (e.g. log.smbclient, +log.smbd, etc...). The log file is never removed by the client. +

NOTES

This command may be used only by root.

VERSION

This man page is correct for version 3.0 of + the Samba suite.

AUTHOR

The pdbedit manpage was written by Simo Sorce and Jelmer Vernooij.

diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20rc2/docs/htmldocs/manpages-3/profiles.1.html samba-3.0.20/docs/htmldocs/manpages-3/profiles.1.html --- samba-3.0.20rc2/docs/htmldocs/manpages-3/profiles.1.html 1969-12-31 18:00:00.000000000 -0600 +++ samba-3.0.20/docs/htmldocs/manpages-3/profiles.1.html 2005-08-19 12:55:53.000000000 -0500 @@ -0,0 +1,12 @@ +profiles

Name

profiles — A utility to report and change SIDs in registry files +

Synopsis

profiles [-v] [-c SID] [-n SID] {file}

DESCRIPTION

This tool is part of the samba(7) suite.

profiles is a utility that + reports and changes SIDs in windows registry files. It currently only + supports NT. +

OPTIONS

file: Registry file to view or edit.
-v,--verbose: Increases verbosity of messages. +
-c SID1 -n SID2: Change all occurences of SID1 in file by SID2. +
-h|--help: Print a summary of command line options. +

VERSION

This man page is correct for version 3.0 of the Samba + suite.

AUTHOR

The profiles man page was written by Jelmer Vernooij.

diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20rc2/docs/htmldocs/manpages-3/rpcclient.1.html samba-3.0.20/docs/htmldocs/manpages-3/rpcclient.1.html --- samba-3.0.20rc2/docs/htmldocs/manpages-3/rpcclient.1.html 1969-12-31 18:00:00.000000000 -0600 +++ samba-3.0.20/docs/htmldocs/manpages-3/rpcclient.1.html 2005-08-19 12:55:58.000000000 -0500 @@ -0,0 +1,204 @@ +rpcclient

Name

rpcclient — tool for executing client side + MS-RPC functions

Synopsis

rpcclient [-A authfile] [-c <command string>] [-d debuglevel] [-h] [-l logdir] [-N] [-s <smb config file>] [-U username[%password]] [-W workgroup] [-N] [-I destinationIP] {server}

DESCRIPTION

This tool is part of the samba(7) suite.

rpcclient is a utility initially developed + to test MS-RPC functionality in Samba itself. It has undergone + several stages of development and stability. Many system administrators + have now written scripts around it to manage Windows NT clients from + their UNIX workstation.

OPTIONS

server

NetBIOS name of Server to which to connect. + The server can be any SMB/CIFS server. The name is + resolved using the name resolve order line from smb.conf(5).

-c|--command='command string'

execute semicolon separated commands (listed + below))

-I IP-address

IP address is the address of the server to connect to. + It should be specified in standard "a.b.c.d" notation.

Normally the client would attempt to locate a named + SMB/CIFS server by looking it up via the NetBIOS name resolution + mechanism described above in the name resolve order + parameter above. Using this parameter will force the client + to assume that the server is on the machine with the specified IP + address and the NetBIOS name component of the resource being + connected to will be ignored.

There is no default for this parameter. If not supplied, + it will be determined automatically by the client as described + above.

-V

Prints the program version number. +

-s <configuration file>

-d|--debug=debuglevel

debuglevel is an integer +from 0 to 10. The default value if this parameter is +not specified is zero.

Note that specifying this parameter here will +override the parameter +in the smb.conf file.

-l|--logfile=logdirectory

Base directory name for log/debug files. The extension +".progname" will be appended (e.g. log.smbclient, +log.smbd, etc...). The log file is never removed by the client. +

-N

If specified, this parameter suppresses the normal +password prompt from the client to the user. This is useful when +accessing a service that does not require a password.

Unless a password is specified on the command line or +this parameter is specified, the client will request a +password.

-k

+Try to authenticate with kerberos. Only useful in +an Active Directory environment. +

-A|--authentication-file=filename

This option allows +you to specify a file from which to read the username and +password used in the connection. The format of the file is +

+username = <value>
+password = <value>
+domain   = <value>
+

Make certain that the permissions on the file restrict +access from unwanted users.

-U|--user=username[%password]

Sets the SMB username or username and password.

If %password is not specified, the user will be prompted. The +client will first check the USER environment variable, then the +LOGNAME variable and if either exists, the +string is uppercased. If these environmental variables are not +found, the username GUEST is used.

A third option is to use a credentials file which +contains the plaintext of the username and password. This +option is mainly provided for scripts where the admin does not +wish to pass the credentials on the command line or via environment +variables. If this method is used, make certain that the permissions +on the file restrict access from unwanted users. See the +-A for more details.

Be cautious about including passwords in scripts. Also, on +many systems the command line of a running process may be seen +via the ps command. To be safe always allow +rpcclient to prompt for a password and type +it in directly.

-n <primary NetBIOS name>

-i <scope>

-W|--workgroup=domain

-O socket options

TCP socket options to set on the client +socket. See the socket options parameter in +the smb.conf manual page for the list of valid +options.

-h|--help

Print a summary of command line options. +

COMMANDS

LSARPC

lsaquery: Query info policy
lookupsids: Resolve a list + of SIDs to usernames. +
lookupnames: Resolve a list + of usernames to SIDs. +
enumtrusts: Enumerate trusted domains
enumprivs: Enumerate privileges
getdispname: Get the privilege name
lsaenumsid: Enumerate the LSA SIDS
lsaenumprivsaccount: Enumerate the privileges of an SID
lsaenumacctrights: Enumerate the rights of an SID
lsaenumacctwithright: Enumerate accounts with a right
lsaaddacctrights: Add rights to an account
lsaremoveacctrights: Remove rights from an account
lsalookupprivvalue: Get a privilege value given its name
lsaquerysecobj: Query LSA security object

LSARPC-DS

dsroledominfo: Get Primary Domain Information

DFS

dfsexist: Query DFS support
dfsadd: Add a DFS share
dfsremove: Remove a DFS share
dfsgetinfo: Query DFS share info
dfsenum: Enumerate dfs shares

REG

shutdown: Remote Shutdown
abortshutdown: Abort Shutdown

SRVSVC

srvinfo: Server query info
netshareenum: Enumerate shares
netfileenum: Enumerate open files
netremotetod: Fetch remote time of day

SAMR

queryuser: Query user info
querygroup: Query group info
queryusergroups: Query user groups
querygroupmem: Query group membership
queryaliasmem: Query alias membership
querydispinfo: Query display info
querydominfo: Query domain info
enumdomusers: Enumerate domain users
enumdomgroups: Enumerate domain groups
enumalsgroups: Enumerate alias groups
createdomuser: Create domain user
samlookupnames: Look up names
samlookuprids: Look up names
deletedomuser: Delete domain user
samquerysecobj: Query SAMR security object
getdompwinfo: Retrieve domain password info
lookupdomain: Look up domain

SPOOLSS

adddriver <arch> <config> [<version>]

+ Execute an AddPrinterDriver() RPC to install the printer driver + information on the server. Note that the driver files should + already exist in the directory returned by + getdriverdir. Possible values for + arch are the same as those for + the getdriverdir command. + The config parameter is defined as + follows:

+Long Printer Name:\
+Driver File Name:\
+Data File Name:\
+Config File Name:\
+Help File Name:\
+Language Monitor Name:\
+Default Data Type:\
+Comma Separated list of Files
+

Any empty fields should be enter as the string "NULL".

Samba does not need to support the concept of Print Monitors + since these only apply to local printers whose driver can make + use of a bi-directional link for communication. This field should + be "NULL". On a remote NT print server, the Print Monitor for a + driver must already be installed prior to adding the driver or + else the RPC will fail.

The version parameter lets you + specify the printer driver version number. If omitted, the + default driver version for the specified architecture will + be used. This option can be used to upload Windows 2000 + (version 3) printer drivers.

addprinter <printername> + <sharename> <drivername> <port>

+ Add a printer on the remote server. This printer + will be automatically shared. Be aware that the printer driver + must already be installed on the server (see adddriver) + and the portmust be a valid port name (see + enumports.

deldriver

Delete the + specified printer driver for all architectures. This + does not delete the actual driver files from the server, + only the entry from the server's list of drivers. +

deldriverex <driver> [architecture] [version] +

Delete the specified printer driver including driver files. + You can limit this action to a specific architecture and a specific version. + If no architecure is given, all driver files of that driver will be deleted. +

enumdata

Enumerate all + printer setting data stored on the server. On Windows NT clients, + these values are stored in the registry, while Samba servers + store them in the printers TDB. This command corresponds + to the MS Platform SDK GetPrinterData() function (* This + command is currently unimplemented).

enumdataex

Enumerate printer data for a key

enumjobs <printer>

List the jobs and status of a given printer. + This command corresponds to the MS Platform SDK EnumJobs() + function

enumkey

Enumerate + printer keys

enumports [level]

+ Executes an EnumPorts() call using the specified + info level. Currently only info levels 1 and 2 are supported. +

enumdrivers [level]

+ Execute an EnumPrinterDrivers() call. This lists the various installed + printer drivers for all architectures. Refer to the MS Platform SDK + documentation for more details of the various flags and calling + options. Currently supported info levels are 1, 2, and 3.

enumprinters [level]

Execute an EnumPrinters() call. This lists the various installed + and share printers. Refer to the MS Platform SDK documentation for + more details of the various flags and calling options. Currently + supported info levels are 1, 2 and 5.

getdata <printername> <valuename;>

Retrieve the data for a given printer setting. See + the enumdata command for more information. + This command corresponds to the GetPrinterData() MS Platform + SDK function.

getdataex

Get + printer driver data with + keyname

getdriver <printername>

+ Retrieve the printer driver information (such as driver file, + config file, dependent files, etc...) for + the given printer. This command corresponds to the GetPrinterDriver() + MS Platform SDK function. Currently info level 1, 2, and 3 are supported. +

getdriverdir <arch>

+ Execute a GetPrinterDriverDirectory() + RPC to retrieve the SMB share name and subdirectory for + storing printer driver files for a given architecture. Possible + values for arch are "Windows 4.0" + (for Windows 95/98), "Windows NT x86", "Windows NT PowerPC", "Windows + Alpha_AXP", and "Windows NT R4000".

getprinter <printername>

Retrieve the current printer information. This command + corresponds to the GetPrinter() MS Platform SDK function. +

getprintprocdir

Get + print processor + directory

openprinter <printername>

Execute an OpenPrinterEx() and ClosePrinter() RPC + against a given printer.

setdriver <printername> + <drivername>

Execute a SetPrinter() command to update the printer driver + associated with an installed printer. The printer driver must + already be correctly installed on the print server.

See also the enumprinters and + enumdrivers commands for obtaining a list of + of installed printers and drivers.

addform

Add form

setform

Set form

getform

Get form

deleteform

Delete form

enumforms

Enumerate form

setprinter

Set printer comment

setprinterdata

Set REG_SZ printer data

setprintername <printername> + <newprintername>

Set printer name

rffpcnex

Rffpcnex test

NETLOGON

logonctrl2: Logon Control 2
logonctrl: Logon Control
samsync: Sam Synchronisation
samdeltas: Query Sam Deltas
samlogon: Sam Logon

GENERAL COMMANDS

debuglevel: Set the current + debug level used to log information.
help (?): Print a listing of all + known commands or extended help on a particular command. +
quit (exit): Exit rpcclient + .

BUGS

rpcclient is designed as a developer testing tool + and may not be robust in certain areas (such as command line parsing). + It has been known to generate a core dump upon failures when invalid + parameters where passed to the interpreter.

From Luke Leighton's original rpcclient man page:

WARNING! The MSRPC over SMB code has + been developed from examining Network traces. No documentation is + available from the original creators (Microsoft) on how MSRPC over + SMB works, or how the individual MSRPC services work. Microsoft's + implementation of these services has been demonstrated (and reported) + to be... a bit flaky in places.

The development of Samba's implementation is also a bit rough, + and as more of the services are understood, it can even result in + versions of smbd(8) and rpcclient(1) that are incompatible for some commands or services. Additionally, + the developers are sending reports to Microsoft, and problems found + or reported to Microsoft are fixed in Service Packs, which may + result in incompatibilities.

VERSION

This man page is correct for version 3.0 of the Samba + suite.

AUTHOR

The original rpcclient man page was written by Matthew + Geddes, Luke Kenneth Casson Leighton, and rewritten by Gerald Carter. + The conversion to DocBook for Samba 2.2 was done by Gerald + Carter. The conversion to DocBook XML 4.2 for Samba 3.0 was + done by Alexander Bokovoy.

diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20rc2/docs/htmldocs/manpages-3/samba.7.html samba-3.0.20/docs/htmldocs/manpages-3/samba.7.html --- samba-3.0.20rc2/docs/htmldocs/manpages-3/samba.7.html 1969-12-31 18:00:00.000000000 -0600 +++ samba-3.0.20/docs/htmldocs/manpages-3/samba.7.html 2005-08-19 12:56:03.000000000 -0500 @@ -0,0 +1,115 @@ +samba

Name

samba — A Windows SMB/CIFS fileserver for UNIX

Synopsis

samba

DESCRIPTION

The Samba software suite is a collection of programs + that implements the Server Message Block (commonly abbreviated + as SMB) protocol for UNIX systems. This protocol is sometimes + also referred to as the Common Internet File System (CIFS). For a + more thorough description, see + http://www.ubiqx.org/cifs/. Samba also implements the NetBIOS + protocol in nmbd.

smbd(8): The smbd daemon provides the file and print services to + SMB clients, such as Windows 95/98, Windows NT, Windows + for Workgroups or LanManager. The configuration file + for this daemon is described in smb.conf(5) +
nmbd(8): The nmbd + daemon provides NetBIOS nameservice and browsing + support. The configuration file for this daemon + is described in smb.conf(5)
smbclient(1): The smbclient + program implements a simple ftp-like client. This + is useful for accessing SMB shares on other compatible + servers (such as Windows NT), and can also be used + to allow a UNIX box to print to a printer attached to + any SMB server (such as a PC running Windows NT).
testparm(1): The testparm + utility is a simple syntax checker for Samba's smb.conf(5) configuration file.
testprns(1): The testprns + utility supports testing printer names defined + in your printcap file used + by Samba.
smbstatus(1): The smbstatus + tool provides access to information about the + current connections to smbd.
nmblookup(1): The nmblookup + tools allows NetBIOS name queries to be made + from a UNIX host.
smbpasswd(8): The smbpasswd + command is a tool for changing LanMan and Windows NT + password hashes on Samba and Windows NT servers.
smbcacls(1): The smbcacls command is + a tool to set ACL's on remote CIFS servers.
smbsh(1): The smbsh command is + a program that allows you to run a unix shell with + with an overloaded VFS.
smbtree(1): The smbtree command + is a text-based network neighborhood tool.
smbtar(1): The smbtar can make + backups of data on CIFS/SMB servers.
smbspool(8): smbspool is a + helper utility for printing on printers connected + to CIFS servers.
smbcontrol(1): smbcontrol is a utility + that can change the behaviour of running samba daemons. +
rpcclient(1): rpcclient is a utility + that can be used to execute RPC commands on remote + CIFS servers.
pdbedit(8): The pdbedit command + can be used to maintain the local user database on + a samba server.
findsmb(1): The findsmb command + can be used to find SMB servers on the local network. +
net(8): The net command + is supposed to work similar to the DOS/Windows + NET.EXE command.
swat(8): swat is a web-based + interface to configuring smb.conf. +
winbindd(8): winbindd is a daemon + that is used for integrating authentication and + the user database into unix.
wbinfo(1): wbinfo is a utility + that retrieves and stores information related to winbind. +
editreg(1): editreg is a command-line + utility that can edit windows registry files. +
profiles(1): profiles is a command-line + utility that can be used to replace all occurences of + a certain SID with another SID. +
log2pcap(1): log2pcap is a utility + for generating pcap trace files from Samba log + files.
vfstest(1): vfstest is a utility + that can be used to test vfs modules.
ntlm_auth(1): ntlm_auth is a helper-utility + for external programs wanting to do NTLM-authentication. +
+smbmount(8), +smbumount(8), +smbmnt(8): smbmount,smbumount and smbmnt are commands that can be used to + mount CIFS/SMB shares on Linux. +
smbcquotas(1): smbcquotas is a tool that + can set remote QUOTA's on server with NTFS 5.

COMPONENTS

The Samba suite is made up of several components. Each + component is described in a separate manual page. It is strongly + recommended that you read the documentation that comes with Samba + and the manual pages of those components that you use. If the + manual pages and documents aren't clear enough then please visit + http://devel.samba.org + for information on how to file a bug report or submit a patch.

If you require help, visit the Samba webpage at + http://www.samba.org/ and + explore the many option available to you. +

AVAILABILITY

The Samba software suite is licensed under the + GNU Public License(GPL). A copy of that license should + have come with the package in the file COPYING. You are + encouraged to distribute copies of the Samba suite, but + please obey the terms of this license.

The latest version of the Samba suite can be + obtained via anonymous ftp from samba.org in the + directory pub/samba/. It is also available on several + mirror sites worldwide.

You may also find useful information about Samba + on the newsgroup + comp.protocol.smb and the Samba mailing + list. Details on how to join the mailing list are given in + the README file that comes with Samba.

If you have access to a WWW viewer (such as Mozilla + or Konqueror) then you will also find lots of useful information, + including back issues of the Samba mailing list, at + http://lists.samba.org.

VERSION

This man page is correct for version 3.0 of the + Samba suite.

CONTRIBUTIONS

If you wish to contribute to the Samba project, + then I suggest you join the Samba mailing list at + http://lists.samba.org. +

If you have patches to submit, visit + http://devel.samba.org/ + for information on how to do it properly. We prefer patches + in diff -u format.

CONTRIBUTORS

Contributors to the project are now too numerous + to mention here but all deserve the thanks of all Samba + users. To see a full list, look at the + change-log in the source package + for the pre-CVS changes and at + http://cvs.samba.org/ + for the contributors to Samba post-CVS. CVS is the Open Source + source code control system used by the Samba Team to develop + Samba. The project would have been unmanageable without it.

AUTHOR

The original Samba man pages were written by Karl Auer. + The man page sources were converted to YODL format (another + excellent piece of Open Source software, available at + ftp://ftp.icce.rug.nl/pub/unix/) and updated for the Samba 2.0 + release by Jeremy Allison. The conversion to DocBook for + Samba 2.2 was done by Gerald Carter. The conversion to DocBook XML + 4.2 for Samba 3.0 was done by Alexander Bokovoy.

diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20rc2/docs/htmldocs/manpages-3/smbcacls.1.html samba-3.0.20/docs/htmldocs/manpages-3/smbcacls.1.html --- samba-3.0.20rc2/docs/htmldocs/manpages-3/smbcacls.1.html 1969-12-31 18:00:00.000000000 -0600 +++ samba-3.0.20/docs/htmldocs/manpages-3/smbcacls.1.html 2005-08-19 12:56:15.000000000 -0500 @@ -0,0 +1,93 @@ +smbcacls

Name

smbcacls — Set or get ACLs on an NT file or directory names

Synopsis

smbcacls {//server/share} {filename} [-D acls] [-M acls] [-a acls] [-S acls] [-C name] [-G name] [--numeric] [-t] [-U username] [-h] [-d]

DESCRIPTION

This tool is part of the samba(7) suite.

The smbcacls program manipulates NT Access Control + Lists (ACLs) on SMB file shares.

OPTIONS

The following options are available to the smbcacls program. + The format of ACLs is described in the section ACL FORMAT

-a acls

Add the ACLs specified to the ACL list. Existing + access control entries are unchanged.

-M acls

Modify the mask value (permissions) for the ACLs + specified on the command line. An error will be printed for each + ACL specified that was not already present in the ACL list +

-D acls

Delete any ACLs specified on the command line. + An error will be printed for each ACL specified that was not + already present in the ACL list.

-S acls

This command sets the ACLs on the file with + only the ones specified on the command line. All other ACLs are + erased. Note that the ACL specified must contain at least a revision, + type, owner and group for the call to succeed.

-U username

Specifies a username used to connect to the + specified service. The username may be of the form "username" in + which case the user is prompted to enter in a password and the + workgroup specified in the smb.conf(5) file is + used, or "username%password" or "DOMAIN\username%password" and the + password and workgroup names are used as provided.

-C name

The owner of a file or directory can be changed + to the name given using the -C option. + The name can be a sid in the form S-1-x-y-z or a name resolved + against the server specified in the first argument.

This command is a shortcut for -M OWNER:name. +

-G name

The group owner of a file or directory can + be changed to the name given using the -G + option. The name can be a sid in the form S-1-x-y-z or a name + resolved against the server specified n the first argument. +

This command is a shortcut for -M GROUP:name.

--numeric

This option displays all ACL information in numeric + format. The default is to convert SIDs to names and ACE types + and masks to a readable string format.

-t

+ Don't actually do anything, only validate the correctness of + the arguments. +

-h|--help

Print a summary of command line options. +

-V

Prints the program version number. +

-s <configuration file>

-d|--debug=debuglevel

debuglevel is an integer +from 0 to 10. The default value if this parameter is +not specified is zero.

Note that specifying this parameter here will +override the parameter +in the smb.conf file.

-l|--logfile=logdirectory

Base directory name for log/debug files. The extension +".progname" will be appended (e.g. log.smbclient, +log.smbd, etc...). The log file is never removed by the client. +

ACL FORMAT

The format of an ACL is one or more ACL entries separated by + either commas or newlines. An ACL entry is one of the following:

 
+REVISION:<revision number>
+OWNER:<sid or name>
+GROUP:<sid or name>
+ACL:<sid or name>:<type>/<flags>/<mask>
+

The revision of the ACL specifies the internal Windows + NT ACL revision for the security descriptor. + If not specified it defaults to 1. Using values other than 1 may + cause strange behaviour.

The owner and group specify the owner and group sids for the + object. If a SID in the format S-1-x-y-z is specified this is used, + otherwise the name specified is resolved using the server on which + the file or directory resides.

ACLs specify permissions granted to the SID. This SID again + can be specified in S-1-x-y-z format or as a name in which case + it is resolved against the server on which the file or directory + resides. The type, flags and mask values determine the type of + access granted to the SID.

The type can be either 0 or 1 corresponding to ALLOWED or + DENIED access to the SID. The flags values are generally + zero for file ACLs and either 9 or 2 for directory ACLs. Some + common flags are:

#define SEC_ACE_FLAG_OBJECT_INHERIT 0x1
#define SEC_ACE_FLAG_CONTAINER_INHERIT 0x2
#define SEC_ACE_FLAG_NO_PROPAGATE_INHERIT 0x4
#define SEC_ACE_FLAG_INHERIT_ONLY 0x8

At present flags can only be specified as decimal or + hexadecimal values.

The mask is a value which expresses the access right + granted to the SID. It can be given as a decimal or hexadecimal value, + or by using one of the following text strings which map to the NT + file permissions of the same name.

R - Allow read access
W - Allow write access
X - Execute permission on the object
D - Delete the object
P - Change permissions
O - Take ownership

The following combined permissions can be specified:

READ - Equivalent to 'RX' + permissions
CHANGE - Equivalent to 'RXWD' permissions +
FULL - Equivalent to 'RWXDPO' + permissions

EXIT STATUS

The smbcacls program sets the exit status + depending on the success or otherwise of the operations performed. + The exit status may be one of the following values.

If the operation succeeded, smbcacls returns and exit + status of 0. If smbcacls couldn't connect to the specified server, + or there was an error getting or setting the ACLs, an exit status + of 1 is returned. If there was an error parsing any command line + arguments, an exit status of 2 is returned.

VERSION

This man page is correct for version 3.0 of the Samba suite.

AUTHOR

smbcacls was written by Andrew Tridgell + and Tim Potter.

The conversion to DocBook for Samba 2.2 was done + by Gerald Carter. The conversion to DocBook XML 4.2 for Samba 3.0 was done + by Alexander Bokovoy.

diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20rc2/docs/htmldocs/manpages-3/smbclient.1.html samba-3.0.20/docs/htmldocs/manpages-3/smbclient.1.html --- samba-3.0.20rc2/docs/htmldocs/manpages-3/smbclient.1.html 1969-12-31 18:00:00.000000000 -0600 +++ samba-3.0.20/docs/htmldocs/manpages-3/smbclient.1.html 2005-08-19 12:56:18.000000000 -0500 @@ -0,0 +1,429 @@ +smbclient

Name

smbclient — ftp-like client to access SMB/CIFS resources + on servers

Synopsis

DESCRIPTION

This tool is part of the samba(7) suite.

smbclient is a client that can + 'talk' to an SMB/CIFS server. It offers an interface + similar to that of the ftp program (see ftp(1)). + Operations include things like getting files from the server + to the local machine, putting files from the local machine to + the server, retrieving directory information from the server + and so on.

OPTIONS

servicename

servicename is the name of the service + you want to use on the server. A service name takes the form + //server/service where server + is the NetBIOS name of the SMB/CIFS server + offering the desired service and service + is the name of the service offered. Thus to connect to + the service "printer" on the SMB/CIFS server "smbserver", + you would use the servicename //smbserver/printer +

Note that the server name required is NOT necessarily + the IP (DNS) host name of the server ! The name required is + a NetBIOS server name, which may or may not be the + same as the IP hostname of the machine running the server. +

The server name is looked up according to either + the -R parameter to smbclient or + using the name resolve order parameter in + the smb.conf(5) file, + allowing an administrator to change the order and methods + by which server names are looked up.

password

The password required to access the specified + service on the specified server. If this parameter is + supplied, the -N option (suppress + password prompt) is assumed.

There is no default password. If no password is supplied + on the command line (either by using this parameter or adding + a password to the -U option (see + below)) and the -N option is not + specified, the client will prompt for a password, even if + the desired service does not require one. (If no password is + required, simply press ENTER to provide a null password.) +

Note: Some servers (including OS/2 and Windows for + Workgroups) insist on an uppercase password. Lowercase + or mixed case passwords may be rejected by these servers. +

Be cautious about including passwords in scripts. +

-R <name resolve order>

This option is used by the programs in the Samba + suite to determine what naming services and in what order to resolve + host names to IP addresses. The option takes a space-separated + string of different name resolution options.

The options are :"lmhosts", "host", "wins" and "bcast". They + cause names to be resolved as follows:

lmhosts: Lookup an IP + address in the Samba lmhosts file. If the line in lmhosts has + no name type attached to the NetBIOS name (see + the lmhosts(5) for details) then + any name type matches for lookup.
host: Do a standard host + name to IP address resolution, using the system /etc/hosts +, NIS, or DNS lookups. This method of name resolution + is operating system dependent, for instance on IRIX or Solaris this + may be controlled by the /etc/nsswitch.conf + file). Note that this method is only used if the NetBIOS name + type being queried is the 0x20 (server) name type, otherwise + it is ignored.
wins: Query a name with + the IP address listed in the wins server + parameter. If no WINS server has + been specified this method will be ignored.
bcast: Do a broadcast on + each of the known local interfaces listed in the + interfaces + parameter. This is the least reliable of the name resolution + methods as it depends on the target host being on a locally + connected subnet.

If this parameter is not set then the name resolve order + defined in the smb.conf(5) file parameter + (name resolve order) will be used.

The default order is lmhosts, host, wins, bcast and without + this parameter or any entry in the name resolve order + parameter of the smb.conf(5) file the name resolution + methods will be attempted in this order.

-M NetBIOS name

This options allows you to send messages, using + the "WinPopup" protocol, to another computer. Once a connection is + established you then type your message, pressing ^D (control-D) to + end.

If the receiving computer is running WinPopup the user will + receive the message and probably a beep. If they are not running + WinPopup the message will be lost, and no error message will + occur.

The message is also automatically truncated if the message + is over 1600 bytes, as this is the limit of the protocol. +

One useful trick is to cat the message through + smbclient. For example: + cat mymessage.txt | smbclient -M FRED will + send the message in the file mymessage.txt + to the machine FRED.

You may also find the -U and + -I options useful, as they allow you to + control the FROM and TO parts of the message.

See the message command parameter in the smb.conf(5) for a description of how to handle incoming + WinPopup messages in Samba.

Note: Copy WinPopup into the startup group + on your WfWg PCs if you want them to always be able to receive + messages.

-p port

This number is the TCP port number that will be used + when making connections to the server. The standard (well-known) + TCP port number for an SMB/CIFS server is 139, which is the + default.

-h|--help

Print a summary of command line options. +

-I IP-address

IP address is the address of the server to connect to. + It should be specified in standard "a.b.c.d" notation.

There is no default for this parameter. If not supplied, + it will be determined automatically by the client as described + above.

-E

This parameter causes the client to write messages + to the standard error stream (stderr) rather than to the standard + output stream.

By default, the client writes messages to standard output + - typically the user's tty.

-L

This option allows you to look at what services + are available on a server. You use it as smbclient -L + host and a list should appear. The -I + option may be useful if your NetBIOS names don't + match your TCP/IP DNS host names or if you are trying to reach a + host on another network.

-t terminal code

This option tells smbclient how to interpret + filenames coming from the remote server. Usually Asian language + multibyte UNIX implementations use different character sets than + SMB/CIFS servers (EUC instead of + SJIS for example). Setting this parameter will let + smbclient convert between the UNIX filenames and + the SMB filenames correctly. This option has not been seriously tested + and may have some problems.

The terminal codes include CWsjis, CWeuc, CWjis7, CWjis8, + CWjunet, CWhex, CWcap. This is not a complete list, check the Samba + source code for the complete list.

-b buffersize

This option changes the transmit/send buffer + size when getting or putting a file from/to the server. The default + is 65520 bytes. Setting this value smaller (to 1200 bytes) has been + observed to speed up file transfers to and from a Win9x server. +

-V

Prints the program version number. +

-s <configuration file>

-d|--debug=debuglevel

debuglevel is an integer +from 0 to 10. The default value if this parameter is +not specified is zero.

Note that specifying this parameter here will +override the parameter +in the smb.conf file.

-l|--logfile=logdirectory

Base directory name for log/debug files. The extension +".progname" will be appended (e.g. log.smbclient, +log.smbd, etc...). The log file is never removed by the client. +

-N

If specified, this parameter suppresses the normal +password prompt from the client to the user. This is useful when +accessing a service that does not require a password.

Unless a password is specified on the command line or +this parameter is specified, the client will request a +password.

-k

+Try to authenticate with kerberos. Only useful in +an Active Directory environment. +

-A|--authentication-file=filename

This option allows +you to specify a file from which to read the username and +password used in the connection. The format of the file is +

+username = <value>
+password = <value>
+domain   = <value>
+

Make certain that the permissions on the file restrict +access from unwanted users.

-U|--user=username[%password]

Sets the SMB username or username and password.

-n <primary NetBIOS name>

-i <scope>

-W|--workgroup=domain

-O socket options

TCP socket options to set on the client +socket. See the socket options parameter in +the smb.conf manual page for the list of valid +options.

-T tar options

smbclient may be used to create tar(1) + compatible backups of all the files on an SMB/CIFS + share. The secondary tar flags that can be given to this option + are :

c - Create a tar file on UNIX. + Must be followed by the name of a tar file, tape device + or "-" for standard output. If using standard output you must + turn the log level to its lowest value -d0 to avoid corrupting + your tar file. This flag is mutually exclusive with the + x flag.
x - Extract (restore) a local + tar file back to a share. Unless the -D option is given, the tar + files will be restored from the top level of the share. Must be + followed by the name of the tar file, device or "-" for standard + input. Mutually exclusive with the c flag. + Restored files have their creation times (mtime) set to the + date saved in the tar file. Directories currently do not get + their creation dates restored properly.
I - Include files and directories. + Is the default behavior when filenames are specified above. Causes + tar files to be included in an extract or create (and therefore + everything else to be excluded). See example below. Filename globbing + works in one of two ways. See r below.
X - Exclude files and directories. + Causes tar files to be excluded from an extract or create. See + example below. Filename globbing works in one of two ways now. + See r below.
b - Blocksize. Must be followed + by a valid (greater than zero) blocksize. Causes tar file to be + written out in blocksize*TBLOCK (usually 512 byte) blocks. +
g - Incremental. Only back up + files that have the archive bit set. Useful only with the + c flag.
q - Quiet. Keeps tar from printing + diagnostics as it works. This is the same as tarmode quiet. +
r - Regular expression include + or exclude. Uses regular expression matching for + excluding or excluding files if compiled with HAVE_REGEX_H. + However this mode can be very slow. If not compiled with + HAVE_REGEX_H, does a limited wildcard match on '*' and '?'. +
N - Newer than. Must be followed + by the name of a file whose date is compared against files found + on the share during a create. Only files newer than the file + specified are backed up to the tar file. Useful only with the + c flag.
a - Set archive bit. Causes the + archive bit to be reset when a file is backed up. Useful with the + g and c flags. +

Tar Long File Names

smbclient's tar option now supports long + file names both on backup and restore. However, the full path + name of the file must be less than 1024 bytes. Also, when + a tar archive is created, smbclient's tar option places all + files in the archive with relative names, not absolute names. +

Tar Filenames

All file names can be given as DOS path names (with '\\' + as the component separator) or as UNIX path names (with '/' as + the component separator).

Examples

Restore from tar file backup.tar into myshare on mypc + (no password on share).

smbclient //mypc/yshare "" -N -Tx backup.tar +

Restore everything except users/docs +

smbclient //mypc/myshare "" -N -TXx backup.tar + users/docs

Create a tar file of the files beneath + users/docs.

smbclient //mypc/myshare "" -N -Tc + backup.tar users/docs

Create the same tar file as above, but now use + a DOS path name.

smbclient //mypc/myshare "" -N -tc backup.tar + users\edocs

Create a tar file of all the files and directories in + the share.

smbclient //mypc/myshare "" -N -Tc backup.tar * +

-D initial directory

Change to initial directory before starting. Probably + only of any use with the tar -T option.

-c command string

command string is a semicolon-separated list of + commands to be executed instead of prompting from stdin. + -N is implied by -c.

This is particularly useful in scripts and for printing stdin + to the server, e.g. -c 'print -'.

OPERATIONS

Once the client is running, the user is presented with + a prompt :

smb:\>

The backslash ("\\") indicates the current working directory + on the server, and will change if the current working directory + is changed.

The prompt indicates that the client is ready and waiting to + carry out a user command. Each command is a single word, optionally + followed by parameters specific to that command. Command and parameters + are space-delimited unless these notes specifically + state otherwise. All commands are case-insensitive. Parameters to + commands may or may not be case sensitive, depending on the command. +

You can specify file names which have spaces in them by quoting + the name with double quotes, for example "a long file name".

Parameters shown in square brackets (e.g., "[parameter]") are + optional. If not given, the command will use suitable defaults. Parameters + shown in angle brackets (e.g., "<parameter>") are required. +

Note that all commands operating on the server are actually + performed by issuing a request to the server. Thus the behavior may + vary from server to server, depending on how the server was implemented. +

The commands available are given here in alphabetical order.

? [command]

If command is specified, the ? command will display + a brief informative message about the specified command. If no + command is specified, a list of available commands will + be displayed.

! [shell command]

If shell command is specified, the ! + command will execute a shell locally and run the specified shell + command. If no command is specified, a local shell will be run. +

altname file

The client will request that the server return + the "alternate" name (the 8.3 name) for a file or directory. +

case_sensitive

Toggles the setting of the flag in SMB packets that + tells the server to treat filenames as case sensitive. Set to OFF by + default (tells file server to treat filenames as case insensitive). Only + currently affects Samba 3.0.5 and above file servers with the case sensitive + parameter set to auto in the smb.conf. +

cancel jobid0 [jobid1] ... [jobidN]

The client will request that the server cancel + the printjobs identified by the given numeric print job ids. +

chmod file mode in octal

This command depends on the server supporting the CIFS + UNIX extensions and will fail if the server does not. The client requests that the server + change the UNIX permissions to the given octal mode, in standard UNIX format. +

chown file uid gid

This command depends on the server supporting the CIFS + UNIX extensions and will fail if the server does not. The client requests that the server + change the UNIX user and group ownership to the given decimal values. Note there is + currently no way to remotely look up the UNIX uid and gid values for a given name. + This may be addressed in future versions of the CIFS UNIX extensions. +

cd [directory name]

If "directory name" is specified, the current + working directory on the server will be changed to the directory + specified. This operation will fail if for any reason the specified + directory is inaccessible.

If no directory name is specified, the current working + directory on the server will be reported.

del <mask>

The client will request that the server attempt + to delete all files matching mask from the current working + directory on the server.

dir <mask>

A list of the files matching mask in the current + working directory on the server will be retrieved from the server + and displayed.

exit

Terminate the connection with the server and exit + from the program.

get <remote file name> [local file name]

Copy the file called remote file name from + the server to the machine running the client. If specified, name + the local copy local file name. Note that all transfers in + smbclient are binary. See also the + lowercase command.

help [command]

See the ? command above.

lcd [directory name]

If directory name is specified, the current + working directory on the local machine will be changed to + the directory specified. This operation will fail if for any + reason the specified directory is inaccessible.

If no directory name is specified, the name of the + current working directory on the local machine will be reported. +

link target linkname

This command depends on the server supporting the CIFS + UNIX extensions and will fail if the server does not. The client requests that the server + create a hard link between the linkname and target files. The linkname file + must not exist. +

lowercase

Toggle lowercasing of filenames for the get and + mget commands.

When lowercasing is toggled ON, local filenames are converted + to lowercase when using the get and mget commands. This is + often useful when copying (say) MSDOS files from a server, because + lowercase filenames are the norm on UNIX systems.

ls <mask>

See the dir command above.

mask <mask>

This command allows the user to set up a mask + which will be used during recursive operation of the mget and + mput commands.

The masks specified to the mget and mput commands act as + filters for directories rather than files when recursion is + toggled ON.

The mask specified with the mask command is necessary + to filter files within those directories. For example, if the + mask specified in an mget command is "source*" and the mask + specified with the mask command is "*.c" and recursion is + toggled ON, the mget command will retrieve all files matching + "*.c" in all directories below and including all directories + matching "source*" in the current working directory.

Note that the value for mask defaults to blank (equivalent + to "*") and remains so until the mask command is used to change it. + It retains the most recently specified value indefinitely. To + avoid unexpected results it would be wise to change the value of + mask back to "*" after using the mget or mput commands.

md <directory name>

See the mkdir command.

mget <mask>

Copy all files matching mask from the server to + the machine running the client.

Note that mask is interpreted differently during recursive + operation and non-recursive operation - refer to the recurse and + mask commands for more information. Note that all transfers in + smbclient are binary. See also the lowercase command.

mkdir <directory name>

Create a new directory on the server (user access + privileges permitting) with the specified name.

mput <mask>

Copy all files matching mask in the current working + directory on the local machine to the current working directory on + the server.

Note that mask is interpreted differently during recursive + operation and non-recursive operation - refer to the recurse and mask + commands for more information. Note that all transfers in smbclient + are binary.

print <file name>

Print the specified file from the local machine + through a printable service on the server.

NOTES

Some servers are fussy about the case of supplied usernames, + passwords, share names (AKA service names) and machine names. + If you fail to connect try giving all parameters in uppercase. +

It is often necessary to use the -n option when connecting + to some types of servers. For example OS/2 LanManager insists + on a valid NetBIOS name being used, so you need to supply a valid + name that would be known to the server.

smbclient supports long file names where the server + supports the LANMAN2 protocol or above.

ENVIRONMENT VARIABLES

The variable USER may contain the + username of the person using the client. This information is + used only if the protocol level is high enough to support + session-level passwords.

The variable PASSWD may contain + the password of the person using the client. This information is + used only if the protocol level is high enough to support + session-level passwords.

The variable LIBSMB_PROG may contain + the path, executed with system(), which the client should connect + to instead of connecting to a server. This functionality is primarily + intended as a development aid, and works best when using a LMHOSTS + file

INSTALLATION

The location of the client program is a matter for + individual system administrators. The following are thus + suggestions only.

It is recommended that the smbclient software be installed + in the /usr/local/samba/bin/ or + /usr/samba/bin/ directory, this directory readable + by all, writeable only by root. The client program itself should + be executable by all. The client should NOT be + setuid or setgid!

The client log files should be put in a directory readable + and writeable only by the user.

To test the client, you will need to know the name of a + running SMB/CIFS server. It is possible to run smbd(8) as an ordinary user - running that server as a daemon + on a user-accessible port (typically any port number over 1024) + would provide a suitable test server.

DIAGNOSTICS

Most diagnostics issued by the client are logged in a + specified log file. The log file name is specified at compile time, + but may be overridden on the command line.

The number and nature of diagnostics available depends + on the debug level used by the client. If you have problems, + set the debug level to 3 and peruse the log files.

VERSION

This man page is correct for version 2.2 of the Samba suite.

AUTHOR

The original Samba man pages were written by Karl Auer. + The man page sources were converted to YODL format (another + excellent piece of Open Source software, available at + ftp://ftp.icce.rug.nl/pub/unix/) and updated for the Samba 2.0 + release by Jeremy Allison. The conversion to DocBook for + Samba 2.2 was done by Gerald Carter. The conversion to DocBook XML 4.2 for Samba 3.0 + was done by Alexander Bokovoy.

diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20rc2/docs/htmldocs/manpages-3/smb.conf.5.html samba-3.0.20/docs/htmldocs/manpages-3/smb.conf.5.html --- samba-3.0.20rc2/docs/htmldocs/manpages-3/smb.conf.5.html 1969-12-31 18:00:00.000000000 -0600 +++ samba-3.0.20/docs/htmldocs/manpages-3/smb.conf.5.html 2005-08-19 12:56:11.000000000 -0500 @@ -0,0 +1,4251 @@ +smb.conf

Name

smb.conf — The configuration file for the Samba suite

SYNOPSIS

+ The smb.conf file is a configuration file for the Samba suite. smb.conf contains runtime configuration information for the Samba programs. The + smb.conf file is designed to be configured and administered by the + swat(8) program. The + complete description of the file format and possible parameters held within are here for reference purposes. +

FILE FORMAT

+ The file consists of sections and parameters. A section begins with the name of the section in square brackets + and continues until the next section begins. Sections contain parameters of the form: +

+name = value 
+

+ The file is line-based - that is, each newline-terminated line represents either a comment, a section name or + a parameter. +

Section and parameter names are not case sensitive.

+ Only the first equals sign in a parameter is significant. Whitespace before or after the first equals sign is + discarded. Leading, trailing and internal whitespace in section and parameter names is irrelevant. Leading + and trailing whitespace in a parameter value is discarded. Internal whitespace within a parameter value is + retained verbatim. +

+ Any line beginning with a semicolon (“;”) or a hash (“#”) + character is ignored, as are lines containing only whitespace. +

+ Any line ending in a “\” is continued on the next line in the customary UNIX fashion. +

+ The values following the equals sign in parameters are all either a string (no quotes needed) or a boolean, + which may be given as yes/no, 0/1 or true/false. Case is not significant in boolean values, but is preserved + in string values. Some items such as create masks are numeric. +

SECTION DESCRIPTIONS

+ Each section in the configuration file (except for the [global] section) describes a shared resource (known as + a “share”). The section name is the name of the shared resource and the parameters within the + section define the shares attributes. +

+ There are three special sections, [global], [homes] and [printers], which are described under + special sections. The following notes apply to ordinary section descriptions. +

+ A share consists of a directory to which access is being given plus a description of the access rights + which are granted to the user of the service. Some housekeeping options are also specifiable. +

+ Sections are either file share services (used by the client as an extension of their native file systems) + or printable services (used by the client to access print services on the host running the server). +

+ Sections may be designated guest services, in which case no password is required to + access them. A specified UNIX guest account is used to define access privileges in this + case. +

+ Sections other than guest services will require a password to access them. The client provides the + username. As older clients only provide passwords and not usernames, you may specify a list of usernames to + check against the password using the user = option in the share definition. For modern clients + such as Windows 95/98/ME/NT/2000, this should not be necessary. +

+ The access rights granted by the server are masked by the access rights granted to the specified or guest + UNIX user by the host system. The server does not grant more access than the host system grants. +

+ The following sample section defines a file space share. The user has write access to the path /home/bar. The share is accessed via the share name foo: +

[foo]

path = /home/bar

read only = read only = no

+ The following sample section defines a printable share. The share is read-only, but printable. That is, + the only write access permitted is via calls to open, write to and close a spool file. The guest + ok parameter means access will be permitted as the default guest user (specified elsewhere): +

[aprinter]

path = /usr/spool/public

read only = yes

printable = yes

guest ok = yes

SPECIAL SECTIONS

The [global] section

+ Parameters in this section apply to the server as a whole, or are defaults for sections that do not + specifically define certain items. See the notes under PARAMETERS for more information. +

The [homes] section

+ If a section called [homes] is included in the configuration file, services connecting clients + to their home directories can be created on the fly by the server. +

+ When the connection request is made, the existing sections are scanned. If a match is found, it is + used. If no match is found, the requested section name is treated as a username and looked up in the local + password file. If the name exists and the correct password has been given, a share is created by cloning the + [homes] section. +

+ Some modifications are then made to the newly created share: +

+ The share name is changed from homes to the located username. +
+ If no path was given, the path is set to the user's home directory. +

+ If you decide to use a path = line in your [homes] section, it may be useful + to use the %S macro. For example: +

+path = /data/pchome/%S
+

+ is useful if you have different home directories for your PCs than for UNIX access. +

+ This is a fast and simple way to give a large number of clients access to their home directories with a minimum + of fuss. +

+ A similar process occurs if the requested section name is “homes”, except that the share + name is not changed to that of the requesting user. This method of using the [homes] section works well if + different users share a client PC. +

+ The [homes] section can specify all the parameters a normal service section can specify, though some make more sense + than others. The following is a typical and suitable [homes] section: +

[homes]

read only = no

+ An important point is that if guest access is specified in the [homes] section, all home directories will be + visible to all clients without a password. In the very unlikely event that this is actually + desirable, it is wise to also specify read only access. +

+ The browseable flag for auto home directories will be inherited from the global browseable + flag, not the [homes] browseable flag. This is useful as it means setting browseable = no in + the [homes] section will hide the [homes] share but make any auto home directories visible. +

The [printers] section

+ This section works like [homes], but for printers. +

+ If a [printers] section occurs in the configuration file, users are able to connect to any printer + specified in the local host's printcap file. +

+ When a connection request is made, the existing sections are scanned. If a match is found, it is used. + If no match is found, but a [homes] section exists, it is used as described above. Otherwise, the requested + section name is treated as a printer name and the appropriate printcap file is scanned to see if the requested + section name is a valid printer share name. If a match is found, a new printer share is created by cloning the + [printers] section. +

+ A few modifications are then made to the newly created share: +

The share name is set to the located printer name
If no printer name was given, the printer name is set to the located printer name
If the share does not permit guest access and no username was given, the username is set + to the located printer name.

+ The [printers] service MUST be printable - if you specify otherwise, the server will refuse + to load the configuration file. +

+ Typically the path specified is that of a world-writeable spool directory with the sticky bit set on + it. A typical [printers] entry looks like this: +

[printers]

path = /usr/spool/public

guest ok = yes

printable = yes

+ All aliases given for a printer in the printcap file are legitimate printer names as far as the server is concerned. + If your printing subsystem doesn't work like that, you will have to set up a pseudo-printcap. This is a file + consisting of one or more lines like this: +

+alias|alias|alias|alias...    
+

+ Each alias should be an acceptable printer name for your printing subsystem. In the [global] section, + specify the new file as your printcap. The server will only recognize names found in your pseudo-printcap, + which of course can contain whatever aliases you like. The same technique could be used simply to limit access + to a subset of your local printers. +

+ An alias, by the way, is defined as any component of the first entry of a printcap record. Records are separated by newlines, + components (if there are more than one) are separated by vertical bar symbols (|). +

Note

+ On SYSV systems which use lpstat to determine what printers are defined on the system you may be able to use + printcap name = lpstat to automatically obtain a list of printers. See the + printcap name option for more details. +

PARAMETERS

Parameters define the specific attributes of sections.

+ Some parameters are specific to the [global] section (e.g., security). Some parameters + are usable in all sections (e.g., create mask). All others are permissible only in normal + sections. For the purposes of the following descriptions the [homes] and [printers] sections will be + considered normal. The letter G in parentheses indicates that a parameter is specific to + the [global] section. The letter S indicates that a parameter can be specified in a + service specific section. All S parameters can also be specified in the [global] section + - in which case they will define the default behavior for all services. +

+ Parameters are arranged here in alphabetical order - this may not create best bedfellows, but at least you can + find them! Where there are synonyms, the preferred synonym is described, others refer to the preferred + synonym. +

VARIABLE SUBSTITUTIONS

+ Many of the strings that are settable in the config file can take substitutions. For example the option + “path = /tmp/%u” is interpreted as “path = /tmp/john” if the user connected with the + username john. +

+ These substitutions are mostly noted in the descriptions below, but there are some general substitutions + which apply whenever they might be relevant. These are: +

%U

session username (the username that the client wanted, not + necessarily the same as the one they got).

%G

primary group name of %U.

%h

the Internet hostname that Samba is running on.

%m

the NetBIOS name of the client machine (very useful).

This parameter is not available when Samba listens on port 445, as clients no longer + send this information. If you use this macro in an include statement on a domain that has + a Samba domain controller be sure to set in the [global] section smb ports = + 139. This will cause Samba to not listen on port 445 and will permit include + functionality to function as it did with Samba 2.x. +

%L

the NetBIOS name of the server. This allows you to change your config based on what + the client calls you. Your server can have a “dual personality”. +

%M

the Internet name of the client machine. +

%R

the selected protocol level after protocol negotiation. It can be one of CORE, COREPLUS, + LANMAN1, LANMAN2 or NT1.

%d

the process id of the current server + process.

%a

the architecture of the remote + machine. It currently recognizes Samba (Samba), + the Linux CIFS file system (CIFSFS), OS/2, (OS2), + Windows for Workgroups (WfWg), Windows 9x/ME + (Win95), Windows NT (WinNT), + Windows 2000 (Win2K), Windows XP (WinXP), + and Windows 2003 (Win2K3). Anything else will be known as + UNKNOWN.

%I

the IP address of the client machine.

%i

the local IP address to which a client connected.

%T

the current date and time.

%D

name of the domain or workgroup of the current user.

%$(envvar)

the value of the environment variable + envar.

+ The following substitutes apply only to some configuration options (only those that are + used when a connection has been established): +

%S: the name of the current service, if any.
%P: the root directory of the current service, if any.
%u: username of the current service, if any.
%g: primary group name of %u.
%H: the home directory of the user given by %u.
%N: + the name of your NIS home directory server. This is obtained from your NIS auto.map entry. + If you have not compiled Samba with the --with-automount option, this + value will be the same as %L.
%p: + the path of the service's home directory, obtained from your NIS auto.map entry. The NIS + auto.map entry is split up as %N:%p.

+ There are some quite creative things that can be done with these substitutions and other + smb.conf options. +

NAME MANGLING

+ Samba supports name mangling so that DOS and Windows clients can use files that don't + conform to the 8.3 format. It can also be set to adjust the case of 8.3 format filenames. +

+ There are several options that control the way mangling is performed, and they are grouped here rather + than listed separately. For the defaults look at the output of the testparm program. +

+ All of these options can be set separately for each service (or globally, of course). +

+ The options are: +

case sensitive = yes/no/auto: + controls whether filenames are case sensitive. If they aren't, Samba must do a filename search and match on + passed names. The default setting of auto allows clients that support case sensitive filenames (Linux CIFSVFS + and smbclient 3.0.5 and above currently) to tell the Samba server on a per-packet basis that they wish to + access the file system in a case-sensitive manner (to support UNIX case sensitive semantics). No Windows or + DOS system supports case-sensitive filename so setting this option to auto is that same as setting it to no + for them. Default auto. +
default case = upper/lower: + controls what the default case is for new filenames. Default lower. +
preserve case = yes/no: + controls whether new files are created with the case that the client passes, or if they are forced to be the + default case. Default yes. +
short preserve case = yes/no: + controls if new files which conform to 8.3 syntax, that is all in upper case and of suitable length, + are created upper case, or if they are forced to be the default case. This option can be + used with preserve case = yes to permit long filenames to retain their case, while short + names are lowercased. Default yes. +

+ By default, Samba 3.0 has the same semantics as a Windows NT server, in that it is case insensitive but case preserving. +

NOTE ABOUT USERNAME/PASSWORD VALIDATION

+ There are a number of ways in which a user can connect to a service. The server uses the following steps + in determining if it will allow a connection to a specified service. If all the steps fail, the connection + request is rejected. However, if one of the steps succeeds, the following steps are not checked. +

+ If the service is marked “guest only = yes” and the server is running with share-level + security (“security = share”, steps 1 to 5 are skipped. +

+ If the client has passed a username/password pair and that username/password pair is validated by the UNIX + system's password programs, the connection is made as that username. This includes the + \\server\service%username method of passing a username. +
+ If the client has previously registered a username with the system and now supplies a correct password for that + username, the connection is allowed. +
+ The client's NetBIOS name and any previously used usernames are checked against the supplied password. If + they match, the connection is allowed as the corresponding user. +
+ If the client has previously validated a username/password pair with the server and the client has passed + the validation token, that username is used. +
+ If a user = field is given in the smb.conf file for the + service and the client has supplied a password, and that password matches (according to the UNIX system's + password checking) with one of the usernames from the user = field, the connection is made as + the username in the user = line. If one of the usernames in the user = list + begins with a @, that name expands to a list of names in the group of the same name. +
+ If the service is a guest service, a connection is made as the username given in the guest account + = for the service, irrespective of the supplied password. +

EXPLANATION OF EACH PARAMETER

abort shutdown script (G)

This a full path name to a script called by smbd(8) that + should stop a shutdown procedure issued by the shutdown script.

If the connected user posseses the SeRemoteShutdownPrivilege, + right, this command will be run as user.

Default: abort shutdown script = + +

Example: abort shutdown script = /sbin/shutdown -c + +

acl compatibility (S)

This parameter specifies what OS ACL semantics should + be compatible with. Possible values are winnt for Windows NT 4, + win2k for Windows 2000 and above and auto. + If you specify auto, the value for this parameter + will be based upon the version of the client. There should + be no reason to change this parameter from the default.

Default: acl compatibility = Auto + +

Example: acl compatibility = win2k + +

acl group control (S)

+ In a POSIX filesystem, only the owner of a file or directory and the superuser can modify the permissions + and ACLs on a file. If this parameter is set, then Samba overrides this restriction, and also allows the + primary group owner of a file or directory to modify the permissions and ACLs + on that file. +

+ On a Windows server, groups may be the owner of a file or directory - thus allowing anyone in + that group to modify the permissions on it. This allows the delegation of security controls + on a point in the filesystem to the group owner of a directory and anything below it also owned + by that group. This means there are multiple people with permissions to modify ACLs on a file + or directory, easing managability. +

+ This parameter allows Samba to also permit delegation of the control over a point in the exported + directory hierarchy in much the same was as Windows. This allows all members of a UNIX group to + control the permissions on a file or directory they have group ownership on. +

+ This parameter is best used with the inherit owner option and also + on on a share containing directories with the UNIX setgid bit bit set + on them, which causes new files and directories created within it to inherit the group + ownership from the containing directory. +

+ This is a new parameter introduced in Samba 3.0.20. +

+ This can be particularly useful to allow groups to manage their own security on a part + of the filesystem they have group ownership of, removing the bottleneck of having only + the user owner or superuser able to reset permissions. +

Default: acl group control = no + +

add group script (G)

This is the full pathname to a script that will be run + AS ROOT by smbd(8) + when a new group is requested. It will expand any %g to the group name passed. This + script is only useful for installations using the Windows NT + domain administration tools. The script is free to create a + group with an arbitrary name to circumvent unix group name + restrictions. In that case the script must print the numeric gid + of the created group on stdout.

No default

add machine script (G)

This is the full pathname to a script that will be run by + smbd(8) when a machine is added + to it's domain using the administrator username and password + method.

This option is only required when using sam back-ends tied + to the Unix uid method of RID calculation such as smbpasswd. + This option is only available in Samba 3.0.

Default: add machine script = + +

Example: add machine script = /usr/sbin/adduser -n -g machines -c Machine -d /var/lib/nobody -s /bin/false %u + +

addprinter command (G)

With the introduction of MS-RPC based printing + support for Windows NT/2000 clients in Samba 2.2, The MS Add + Printer Wizard (APW) icon is now also available in the + "Printers..." folder displayed a share listing. The APW + allows for printers to be add remotely to a Samba or Windows + NT/2000 print server.

For a Samba host this means that the printer must be + physically added to the underlying printing system. The add + printer command defines a script to be run which + will perform the necessary operations for adding the printer + to the print system and to add the appropriate service definition + to the smb.conf file in order that it can be + shared by smbd(8).

The addprinter command is + automatically invoked with the following parameter (in + order):

printer name
share name
port name
driver name
location
Windows 9x driver location

All parameters are filled in from the PRINTER_INFO_2 structure sent + by the Windows NT/2000 client with one exception. The "Windows 9x + driver location" parameter is included for backwards compatibility + only. The remaining fields in the structure are generated from answers + to the APW questions.

Once the addprinter command has + been executed, smbd will reparse the + smb.conf to determine if the share defined by the APW + exists. If the sharename is still invalid, then smbd + will return an ACCESS_DENIED error to the client.

+ The "add printer command" program can output a single line of text, + which Samba will set as the port the new printer is connected to. + If this line isn't output, Samba won't reload its printer shares. +

Default: addprinter command = + +

Example: addprinter command = /usr/bin/addprinter + +

add share command (G)

Samba 2.2.0 introduced the ability to dynamically + add and delete shares via the Windows NT 4.0 Server Manager. The + add share command is used to define an + external program or script which will add a new service definition + to smb.conf. In order to successfully + execute the add share command, smbd + requires that the administrator be connected using a root account (i.e. + uid == 0). +

+ When executed, smbd will automatically invoke the + add share command with four parameters. +

configFile - the location + of the global smb.conf file. +
shareName - the name of the new + share. +
pathName - path to an **existing** + directory on disk. +
comment - comment string to associate + with the new share. +

+ This parameter is only used for add file shares. To add printer shares, + see the addprinter command. +

Default: add share command = + +

Example: add share command = /usr/local/bin/addshare + +

add user script (G)

This is the full pathname to a script that will + be run AS ROOT by smbd(8) under special circumstances described below.

Normally, a Samba server requires that UNIX users are + created for all users accessing files on this server. For sites + that use Windows NT account databases as their primary user database + creating these users and keeping the user list in sync with the + Windows NT PDC is an onerous task. This option allows smbd to create the required UNIX users + ON DEMAND when a user accesses the Samba server.

In order to use this option, smbd(8) must NOT be set to security = share + and add user script + must be set to a full pathname for a script that will create a UNIX + user given one argument of %u, which expands into + the UNIX user name to create.

When the Windows user attempts to access the Samba server, + at login (session setup in the SMB protocol) time, smbd(8) contacts the password server and + attempts to authenticate the given user with the given password. If the + authentication succeeds then smbd + attempts to find a UNIX user in the UNIX password database to map the + Windows user into. If this lookup fails, and add user script + is set then smbd will + call the specified script AS ROOT, expanding + any %u argument to be the user name to create.

If this script successfully creates the user then smbd + will continue on as though the UNIX user + already existed. In this way, UNIX users are dynamically created to + match existing Windows NT accounts.

+ See also security, password server, + delete user script. +

Default: add user script = + +

Example: add user script = /usr/local/samba/bin/add_user %u + +

add user to group script (G)

Full path to the script that will be called when + a user is added to a group using the Windows NT domain administration + tools. It will be run by smbd(8) AS ROOT. + Any %g will be replaced with the group name and + any %u will be replaced with the user name. +

Note that the adduser command used in the example below does + not support the used syntax on all systems.

Default: add user to group script = + +

Example: add user to group script = /usr/sbin/adduser %u %g + +

admin users (S)

This is a list of users who will be granted + administrative privileges on the share. This means that they + will do all file operations as the super-user (root).

You should use this option very carefully, as any user in + this list will be able to do anything they like on the share, + irrespective of file permissions.

This parameter will not work with the security = share in + Samba 3.0. This is by design.

Default: admin users = + +

Example: admin users = jason + +

afs share (S)

This parameter controls whether special AFS features are enabled + for this share. If enabled, it assumes that the directory exported via + the path parameter is a local AFS import. The + special AFS features include the attempt to hand-craft an AFS token + if you enabled --with-fake-kaserver in configure. +

Default: afs share = no + +

afs username map (G)

If you are using the fake kaserver AFS feature, you might + want to hand-craft the usernames you are creating tokens for. + For example this is necessary if you have users from several domain + in your AFS Protection Database. One possible scheme to code users + as DOMAIN+User as it is done by winbind with the + as a separator. +

The mapped user name must contain the cell name to log into, + so without setting this parameter there will be no token.

Default: afs username map = + +

Example: afs username map = %u@afs.samba.org + +

algorithmic rid base (G)

This determines how Samba will use its + algorithmic mapping from uids/gid to the RIDs needed to construct + NT Security Identifiers. +

Setting this option to a larger value could be useful to sites + transitioning from WinNT and Win2k, as existing user and + group rids would otherwise clash with sytem users etc. +

All UIDs and GIDs must be able to be resolved into SIDs for + the correct operation of ACLs on the server. As such the algorithmic + mapping can't be 'turned off', but pushing it 'out of the way' should + resolve the issues. Users and groups can then be assigned 'low' RIDs + in arbitary-rid supporting backends. +

Default: algorithmic rid base = 1000 + +

Example: algorithmic rid base = 100000 + +

allocation roundup size (S)

This parameter allows an administrator to tune the + allocation size reported to Windows clients. The default + size of 1Mb generally results in improved Windows client + performance. However, rounding the allocation size may cause + difficulties for some applications, e.g. MS Visual Studio. + If the MS Visual Studio compiler starts to crash with an + internal error, set this parameter to zero for this share. +

The integer parameter specifies the roundup size in bytes.

Default: allocation roundup size = 1048576 + +

Example: allocation roundup size = 0 +# (to disable roundups) + +

allow trusted domains (G)

+ This option only takes effect when the security option is set to + server,domain or ads. + If it is set to no, then attempts to connect to a resource from + a domain or workgroup other than the one which smbd is running + in will fail, even if that domain is trusted by the remote server + doing the authentication.

This is useful if you only want your Samba server to + serve resources to users in the domain it is a member of. As + an example, suppose that there are two domains DOMA and DOMB. DOMB + is trusted by DOMA, which contains the Samba server. Under normal + circumstances, a user with an account in DOMB can then access the + resources of a UNIX account with the same account name on the + Samba server even if they do not have an account in DOMA. This + can make implementing a security boundary difficult.

Default: allow trusted domains = yes + +

announce as (G)

This specifies what type of server nmbd(8) will announce itself as, to a network neighborhood browse + list. By default this is set to Windows NT. The valid options + are : "NT Server" (which can also be written as "NT"), + "NT Workstation", "Win95" or "WfW" meaning Windows NT Server, + Windows NT Workstation, Windows 95 and Windows for Workgroups + respectively. Do not change this parameter unless you have a + specific need to stop Samba appearing as an NT server as this + may prevent Samba servers from participating as browser servers + correctly.

Default: announce as = NT Server + +

Example: announce as = Win95 + +

announce version (G)

This specifies the major and minor version numbers + that nmbd will use when announcing itself as a server. The default + is 4.9. Do not change this parameter unless you have a specific + need to set a Samba server to be a downlevel server.

Default: announce version = 4.9 + +

Example: announce version = 2.0 + +

auth methods (G)

+ This option allows the administrator to chose what authentication methods smbd will use when authenticating a user. This option defaults to sensible values + based on security. This should be considered a developer option and used only in rare + circumstances. In the majority (if not all) of production servers, the default setting should be adequate. +

Each entry in the list attempts to authenticate the user in turn, until + the user authenticates. In practice only one method will ever actually + be able to complete the authentication. +

Possible options include guest (anonymous access), + sam (lookups in local list of accounts based on netbios + name or domain name), winbind (relay authentication requests + for remote users through winbindd), ntdomain (pre-winbindd + method of authentication for remote domain users; deprecated in favour of winbind method), + trustdomain (authenticate trusted users by contacting the + remote DC directly from smbd; deprecated in favour of winbind method).

Default: auth methods = + +

Example: auth methods = guest sam winbind + +

available (S)

This parameter lets you "turn off" a service. If + available = no, then ALL + attempts to connect to the service will fail. Such failures are + logged.

Default: available = yes + +

bind interfaces only (G)

This global parameter allows the Samba admin + to limit what interfaces on a machine will serve SMB requests. It + affects file service smbd(8) and name service nmbd(8) in a slightly different ways.

+ For name service it causes nmbd to bind to ports 137 and 138 on the + interfaces listed in the interfaces parameter. nmbd + also binds to the "all addresses" interface (0.0.0.0) on ports 137 and 138 for the purposes of + reading broadcast messages. If this option is not set then nmbd will + service name requests on all of these sockets. If bind interfaces only is set then + nmbd will check the source address of any packets coming in on the + broadcast sockets and discard any that don't match the broadcast addresses of the interfaces in the + interfaces parameter list. As unicast packets are received on the other sockets it + allows nmbd to refuse to serve names to machines that send packets that + arrive through any interfaces not listed in the interfaces list. IP Source address + spoofing does defeat this simple check, however, so it must not be used seriously as a security feature for + nmbd. +

+ For file service it causes smbd(8) to bind only to the interface list given in the interfaces parameter. This restricts the networks that smbd will + serve to packets coming in those interfaces. Note that you should not use this parameter for machines that + are serving PPP or other intermittent or non-broadcast network interfaces as it will not cope with + non-permanent interfaces. +

+ If bind interfaces only is set then unless the network address + 127.0.0.1 is added to the interfaces parameter list + smbpasswd(8) and + swat(8) may not work as + expected due to the reasons covered below. +

+ To change a users SMB password, the smbpasswd by default connects to the + localhost - 127.0.0.1 address as an SMB client to issue the password change request. If + bind interfaces only is set then unless the network address + 127.0.0.1 is added to the interfaces parameter list then smbpasswd will fail to connect in it's default mode. smbpasswd can be forced to use the primary IP interface of the local host by using + its smbpasswd(8) -r remote machine parameter, with remote + machine set to the IP name of the primary interface of the local host. +

+ The swat status page tries to connect with smbd and nmbd at the address + 127.0.0.1 to determine if they are running. Not adding 127.0.0.1 + will cause smbd and nmbd to always show + "not running" even if they really are. This can prevent swat + from starting/stopping/restarting smbd and nmbd. +

Default: bind interfaces only = no + +

blocking locks (S)

This parameter controls the behavior + of smbd(8) when given a request by a client + to obtain a byte range lock on a region of an open file, and the + request has a time limit associated with it.

If this parameter is set and the lock range requested + cannot be immediately satisfied, samba will internally + queue the lock request, and periodically attempt to obtain + the lock until the timeout period expires.

If this parameter is set to no, then + samba will behave as previous versions of Samba would and + will fail the lock request immediately if the lock range + cannot be obtained.

Default: blocking locks = yes + +

block size (S)

This parameter controls the behavior of smbd(8) when reporting disk free + sizes. By default, this reports a disk block size of 1024 bytes. +

Changing this parameter may have some effect on the + efficiency of client writes, this is not yet confirmed. This + parameter was added to allow advanced administrators to change + it (usually to a higher value) and test the effect it has on + client write performance without re-compiling the code. As this + is an experimental option it may be removed in a future release. +

Changing this option does not change the disk free reporting + size, just the block size unit reported to the client. +

No default

browsable

This parameter is a synonym for browseable.

browseable (S)

This controls whether this share is seen in + the list of available shares in a net view and in the browse list.

Default: browseable = yes + +

browse list (G)

This controls whether smbd(8) will serve a browse list to + a client doing a NetServerEnum call. Normally + set to yes. You should never need to change + this.

Default: browse list = yes + +

casesignames

This parameter is a synonym for case sensitive.

case sensitive (S)

See the discussion in the section name mangling.

Default: case sensitive = no + +

change notify timeout (G)

This SMB allows a client to tell a server to + "watch" a particular directory for any changes and only reply to + the SMB request when a change has occurred. Such constant scanning of + a directory is expensive under UNIX, hence an smbd(8) daemon only performs such a scan + on each requested directory once every change notify + timeout seconds.

Default: change notify timeout = 60 + +

Example: change notify timeout = 300 +# Would change the scan time to every 5 minutes. + +

change share command (G)

Samba 2.2.0 introduced the ability to dynamically + add and delete shares via the Windows NT 4.0 Server Manager. The + change share command is used to define an + external program or script which will modify an existing service definition + in smb.conf. In order to successfully + execute the change share command, smbd + requires that the administrator be connected using a root account (i.e. + uid == 0). +

+ When executed, smbd will automatically invoke the + change share command with four parameters. +

configFile - the location + of the global smb.conf file. +
shareName - the name of the new + share. +
pathName - path to an **existing** + directory on disk. +
comment - comment string to associate + with the new share. +

+ This parameter is only used modify existing file shares definitions. To modify + printer shares, use the "Printers..." folder as seen when browsing the Samba host. +

Default: change share command = + +

Example: change share command = /usr/local/bin/addshare + +

check password script (G)

The name of a program that can be used to check password + complexity. The password is sent to the program's standrad input.

The program must return 0 on good password any other value otherwise. + In case the password is considered weak (the program do not return 0) the + user will be notified and the password change will fail.

Note: In the example directory there is a sample program called crackcheck + that uses cracklib to checkpassword quality

. + + +

Default: check password script = Disabled + +

Example: check password script = check password script = /usr/local/sbin/crackcheck + +

client lanman auth (G)

This parameter determines whether or not smbclient(8) and other samba client + tools will attempt to authenticate itself to servers using the + weaker LANMAN password hash. If disabled, only server which support NT + password hashes (e.g. Windows NT/2000, Samba, etc... but not + Windows 95/98) will be able to be connected from the Samba client.

The LANMAN encrypted response is easily broken, due to it's + case-insensitive nature, and the choice of algorithm. Clients + without Windows 95/98 servers are advised to disable + this option.

Disabling this option will also disable the client plaintext auth option

Likewise, if the client ntlmv2 + auth parameter is enabled, then only NTLMv2 logins will be + attempted.

Default: client lanman auth = yes + +

client ntlmv2 auth (G)

This parameter determines whether or not smbclient(8) will attempt to + authenticate itself to servers using the NTLMv2 encrypted password + response.

If enabled, only an NTLMv2 and LMv2 response (both much more + secure than earlier versions) will be sent. Many servers + (including NT4 < SP4, Win9x and Samba 2.2) are not compatible with + NTLMv2.

Similarly, if enabled, NTLMv1, client lanman auth and client plaintext auth + authentication will be disabled. This also disables share-level + authentication.

If disabled, an NTLM response (and possibly a LANMAN response) + will be sent by the client, depending on the value of client lanman auth.

Note that some sites (particularly + those following 'best practice' security polices) only allow NTLMv2 + responses, and not the weaker LM or NTLM.

Default: client ntlmv2 auth = no + +

client plaintext auth (G)

Specifies whether a client should send a plaintext + password if the server does not support encrypted passwords.

Default: client plaintext auth = yes + +

client schannel (G)

This controls whether the client offers or even + demands the use of the netlogon schannel. + client schannel = no does not + offer the schannel, client schannel = + auto offers the schannel but does not + enforce it, and client schannel = + yes denies access if the server is not + able to speak netlogon schannel.

Default: client schannel = auto + +

Example: client schannel = yes + +

client signing (G)

This controls whether the client offers or requires + the server it talks to to use SMB signing. Possible values + are auto, mandatory + and disabled. +

When set to auto, SMB signing is offered, but not enforced. + When set to mandatory, SMB signing is required and if set + to disabled, SMB signing is not offered either.

Default: client signing = auto + +

client use spnego (G)

This variable controls whether Samba clients will try + to use Simple and Protected NEGOciation (as specified by rfc2478) with + supporting servers (including WindowsXP, Windows2000 and Samba + 3.0) to agree upon an authentication + mechanism. This enables Kerberos authentication in particular.

Default: client use spnego = yes + +

comment (S)

This is a text field that is seen next to a share + when a client does a queries the server, either via the network + neighborhood or via net view to list what shares + are available.

If you want to set the string that is displayed next to the + machine name then see the server string parameter.

Default: comment = +# No comment + +

Example: comment = Fred's Files + +

config file (G)

This allows you to override the config file + to use, instead of the default (usually smb.conf). + There is a chicken and egg problem here as this option is set + in the config file!

For this reason, if the name of the config file has changed + when the parameters are loaded then it will reload them from + the new config file.

This option takes the usual substitutions, which can + be very useful.

If the config file doesn't exist then it won't be loaded + (allowing you to special case the config files of just a few + clients).

No default

Example: config file = /usr/local/samba/lib/smb.conf.%m + +

copy (S)

This parameter allows you to "clone" service + entries. The specified service is simply duplicated under the + current service's name. Any parameters specified in the current + section will override those in the section being copied.

This feature lets you set up a 'template' service and + create similar services easily. Note that the service being + copied must occur earlier in the configuration file than the + service doing the copying.

Default: copy = + +

Example: copy = otherservice + +

create mode

This parameter is a synonym for create mask.

create mask (S)

+ When a file is created, the necessary permissions are calculated according to the mapping from DOS modes to + UNIX permissions, and the resulting UNIX mode is then bit-wise 'AND'ed with this parameter. This parameter may + be thought of as a bit-wise MASK for the UNIX modes of a file. Any bit not set here will + be removed from the modes set on a file when it is created. +

+ The default value of this parameter removes the group and other + write and execute bits from the UNIX modes. +

+ Following this Samba will bit-wise 'OR' the UNIX mode created from this parameter with the value of the + force create mode parameter which is set to 000 by default. +

+ This parameter does not affect directory masks. See the parameter directory mask + for details. +

+ Note that this parameter does not apply to permissions set by Windows NT/2000 ACL editors. If the + administrator wishes to enforce a mask on access control lists also, they need to set the security mask. +

Default: create mask = 0744 + +

Example: create mask = 0775 + +

csc policy (S)

This stands for client-side caching + policy, and specifies how clients capable of offline + caching will cache the files in the share. The valid values + are: manual, documents, programs, disable.

These values correspond to those used on Windows servers.

For example, shares containing roaming profiles can have + offline caching disabled using csc policy = disable.

Default: csc policy = manual + +

Example: csc policy = programs + +

cups options (S)

+ This parameter is only applicable if printing is + set to cups. Its value is a free form string of options + passed directly to the cups library. +

You can pass any generic print option known to CUPS (as listed + in the CUPS "Software Users' Manual"). You can also pass any printer + specific option (as listed in "lpoptions -d printername -l") + valid for the target queue.

You should set this parameter to raw if your CUPS server + error_log file contains messages such as + "Unsupported format 'application/octet-stream'" when printing from a Windows client + through Samba. It is no longer necessary to enable + system wide raw printing in /etc/cups/mime.{convs,types}. +

Default: cups options = "" + +

Example: cups options = "raw,media=a4,job-sheets=secret,secret" + +

cups server (G)

This parameter is only applicable if printing is set to cups. +

If set, this option overrides the ServerName option in the CUPS + client.conf. This is necessary if you have virtual + samba servers that connect to different CUPS daemons.

Default: cups server = "" + +

Example: cups server = MYCUPSSERVER + +

deadtime (G)

The value of the parameter (a decimal integer) + represents the number of minutes of inactivity before a connection + is considered dead, and it is disconnected. The deadtime only takes + effect if the number of open files is zero.

This is useful to stop a server's resources being + exhausted by a large number of inactive connections.

Most clients have an auto-reconnect feature when a + connection is broken so in most cases this parameter should be + transparent to users.

Using this parameter with a timeout of a few minutes + is recommended for most systems.

A deadtime of zero indicates that no auto-disconnection + should be performed.

Default: deadtime = 0 + +

Example: deadtime = 15 + +

debug hires timestamp (G)

Sometimes the timestamps in the log messages + are needed with a resolution of higher that seconds, this + boolean parameter adds microsecond resolution to the timestamp + message header when turned on.

+ Note that the parameter debug timestamp must be on for this to have an + effect.

Default: debug hires timestamp = no + +

debug pid (G)

When using only one log file for more then one forked + smbd(8)-process there may be hard to + follow which process outputs which message. This boolean parameter + is adds the process-id to the timestamp message headers in the + logfile when turned on.

Note that the parameter debug timestamp must be on for this to have an + effect.

Default: debug pid = no + +

timestamp logs

This parameter is a synonym for debug timestamp.

debug timestamp (G)

Samba debug log messages are timestamped + by default. If you are running at a high debug level these timestamps + can be distracting. This boolean parameter allows timestamping + to be turned off.

Default: debug timestamp = yes + +

debug uid (G)

Samba is sometimes run as root and sometime + run as the connected user, this boolean parameter inserts the + current euid, egid, uid and gid to the timestamp message headers + in the log file if turned on.

Note that the parameter debug timestamp must be on for this to have an + effect.

Default: debug uid = no + +

default case (S)

See the section on name mangling + . Also note the short preserve case parameter.

Default: default case = lower + +

default devmode (S)

This parameter is only applicable to printable services. + When smbd is serving Printer Drivers to Windows NT/2k/XP clients, each printer on the Samba + server has a Device Mode which defines things such as paper size and + orientation and duplex settings. The device mode can only correctly be + generated by the printer driver itself (which can only be executed on a + Win32 platform). Because smbd is unable to execute the driver code + to generate the device mode, the default behavior is to set this field + to NULL. +

Most problems with serving printer drivers to Windows NT/2k/XP clients + can be traced to a problem with the generated device mode. Certain drivers + will do things such as crashing the client's Explorer.exe with a NULL devmode. + However, other printer drivers can cause the client's spooler service + (spoolsv.exe) to die if the devmode was not created by the driver itself + (i.e. smbd generates a default devmode). +

This parameter should be used with care and tested with the printer + driver in question. It is better to leave the device mode to NULL + and let the Windows client set the correct values. Because drivers do not + do this all the time, setting default devmode = yes + will instruct smbd to generate a default one. +

For more information on Windows NT/2k printing and Device Modes, + see the MSDN documentation. +

Default: default devmode = no + +

default

This parameter is a synonym for default service.

default service (G)

This parameter specifies the name of a service + which will be connected to if the service actually requested cannot + be found. Note that the square brackets are NOT + given in the parameter value (see example below).

There is no default value for this parameter. If this + parameter is not given, attempting to connect to a nonexistent + service results in an error.

+ Typically the default service would be a guest ok, read-only service.

Also note that the apparent service name will be changed to equal + that of the requested service, this is very useful as it allows you to use macros like %S to make a wildcard service. +

Note also that any "_" characters in the name of the service + used in the default service will get mapped to a "/". This allows for + interesting things.

Default: default service = + +

Example: default service = pub + +

defer sharing violations (G)

+ Windows allows specifying how a file will be shared with + other processes when it is opened. Sharing violations occur when + a file is opened by a different process using options that violate + the share settings specified by other processes. This parameter causes + smbd to act as a Windows server does, and defer returning a "sharing + violation" error message for up to one second, allowing the client + to close the file causing the violation in the meantime. +

Unix by default does not have this behaviour.

+ There should be no reason to turn off this parameter, as it is + designed to enable Samba to more correctly emulate Windows. +

Default: defer sharing violations = True + +

delete group script (G)

This is the full pathname to a script that will + be run AS ROOT smbd(8) when a group is requested to be deleted. + It will expand any %g to the group name passed. + This script is only useful for installations using the Windows NT domain administration tools. +

Default: delete group script = + +

deleteprinter command (G)

With the introduction of MS-RPC based printer + support for Windows NT/2000 clients in Samba 2.2, it is now + possible to delete printer at run time by issuing the + DeletePrinter() RPC call.

For a Samba host this means that the printer must be + physically deleted from underlying printing system. The + deleteprinter command defines a script to be run which + will perform the necessary operations for removing the printer + from the print system and from smb.conf. +

The deleteprinter command is + automatically called with only one parameter: printer name. +

Once the deleteprinter command has + been executed, smbd will reparse the + smb.conf to associated printer no longer exists. + If the sharename is still valid, then smbd + will return an ACCESS_DENIED error to the client.

Default: deleteprinter command = + +

Example: deleteprinter command = /usr/bin/removeprinter + +

delete readonly (S)

This parameter allows readonly files to be deleted. + This is not normal DOS semantics, but is allowed by UNIX.

This option may be useful for running applications such + as rcs, where UNIX file ownership prevents changing file + permissions, and DOS semantics prevent deletion of a read only file.

Default: delete readonly = no + +

delete share command (G)

Samba 2.2.0 introduced the ability to dynamically + add and delete shares via the Windows NT 4.0 Server Manager. The + delete share command is used to define an + external program or script which will remove an existing service + definition from smb.conf. In order to successfully + execute the delete share command, smbd + requires that the administrator be connected using a root account (i.e. + uid == 0). +

+ When executed, smbd will automatically invoke the + delete share command with two parameters. +

configFile - the location + of the global smb.conf file. +
shareName - the name of + the existing service. +

+ This parameter is only used to remove file shares. To delete printer shares, + see the deleteprinter command. +

Default: delete share command = + +

Example: delete share command = /usr/local/bin/delshare + +

delete user from group script (G)

Full path to the script that will be called when + a user is removed from a group using the Windows NT domain administration + tools. It will be run by smbd(8) AS ROOT. + Any %g will be replaced with the group name and + any %u will be replaced with the user name. +

Default: delete user from group script = + +

Example: delete user from group script = /usr/sbin/deluser %u %g + +

delete user script (G)

This is the full pathname to a script that will + be run by smbd(8) when managing users + with remote RPC (NT) tools. +

This script is called when a remote client removes a user + from the server, normally using 'User Manager for Domains' or + rpcclient.

This script should delete the given UNIX username.

Default: delete user script = + +

Example: delete user script = /usr/local/samba/bin/del_user %u + +

delete veto files (S)

This option is used when Samba is attempting to + delete a directory that contains one or more vetoed directories + (see the veto files + option). If this option is set to no (the default) then if a vetoed + directory contains any non-vetoed files or directories then the + directory delete will fail. This is usually what you want.

If this option is set to yes, then Samba + will attempt to recursively delete any files and directories within + the vetoed directory. This can be useful for integration with file + serving systems such as NetAtalk which create meta-files within + directories you might normally veto DOS/Windows users from seeing + (e.g. .AppleDouble)

Setting delete veto files = yes allows these + directories to be transparently deleted when the parent directory + is deleted (so long as the user has permissions to do so).

Default: delete veto files = no + +

dfree command (G)

The dfree command setting + should only be used on systems where a problem occurs with the + internal disk space calculations. This has been known to happen + with Ultrix, but may occur with other operating systems. The + symptom that was seen was an error of "Abort Retry + Ignore" at the end of each directory listing.

This setting allows the replacement of the internal routines to + calculate the total disk space and amount available with an external + routine. The example below gives a possible script that might fulfill + this function.

The external program will be passed a single parameter indicating + a directory in the filesystem being queried. This will typically consist + of the string ./. The script should return two + integers in ASCII. The first should be the total disk space in blocks, + and the second should be the number of available blocks. An optional + third return value can give the block size in bytes. The default + blocksize is 1024 bytes.

Note: Your script should NOT be setuid or + setgid and should be owned by (and writeable only by) root!

Where the script dfree (which must be made executable) could be:

 
+#!/bin/sh
+df $1 | tail -1 | awk '{print $2" "$4}'
+

or perhaps (on Sys V based systems):

 
+#!/bin/sh
+/usr/bin/df -k $1 | tail -1 | awk '{print $3" "$5}'
+

Note that you may have to replace the command names with full path names on some systems.

Default: dfree command = +# By default internal routines for + determining the disk capacity and remaining space will be used. + +

Example: dfree command = /usr/local/samba/bin/dfree + +

directory mode

This parameter is a synonym for directory mask.

directory mask (S)

This parameter is the octal modes which are + used when converting DOS modes to UNIX modes when creating UNIX + directories.

When a directory is created, the necessary permissions are + calculated according to the mapping from DOS modes to UNIX permissions, + and the resulting UNIX mode is then bit-wise 'AND'ed with this + parameter. This parameter may be thought of as a bit-wise MASK for + the UNIX modes of a directory. Any bit not set + here will be removed from the modes set on a directory when it is + created.

The default value of this parameter removes the 'group' + and 'other' write bits from the UNIX mode, allowing only the + user who owns the directory to modify it.

Following this Samba will bit-wise 'OR' the UNIX mode + created from this parameter with the value of the force directory mode parameter. + This parameter is set to 000 by default (i.e. no extra mode bits are added).

Note that this parameter does not apply to permissions + set by Windows NT/2000 ACL editors. If the administrator wishes to enforce + a mask on access control lists also, they need to set the directory security mask.

Default: directory mask = 0755 + +

Example: directory mask = 0775 + +

directory security mask (S)

This parameter controls what UNIX permission bits + can be modified when a Windows NT client is manipulating the UNIX + permission on a directory using the native NT security dialog + box.

+ This parameter is applied as a mask (AND'ed with) to the changed permission bits, thus preventing any bits not + in this mask from being modified. Make sure not to mix up this parameter with force directory security mode, which works similar like this one but uses logical OR instead of AND. + Essentially, zero bits in this mask may be treated as a set of bits the user is not allowed to change. +

If not set explicitly this parameter is set to 0777 + meaning a user is allowed to modify all the user/group/world + permissions on a directory.

Note that users who can access the + Samba server through other means can easily bypass this restriction, + so it is primarily useful for standalone "appliance" systems. + Administrators of most normal systems will probably want to leave + it as the default of 0777.

Default: directory security mask = 0777 + +

Example: directory security mask = 0700 + +

disable netbios (G)

Enabling this parameter will disable netbios support + in Samba. Netbios is the only available form of browsing in + all windows versions except for 2000 and XP.

Note

Clients that only support netbios won't be able to + see your samba server when netbios support is disabled. +

Default: disable netbios = no + +

disable spoolss (G)

Enabling this parameter will disable Samba's support + for the SPOOLSS set of MS-RPC's and will yield identical behavior + as Samba 2.0.x. Windows NT/2000 clients will downgrade to using + Lanman style printing commands. Windows 9x/ME will be uneffected by + the parameter. However, this will also disable the ability to upload + printer drivers to a Samba server via the Windows NT Add Printer + Wizard or by using the NT printer properties dialog window. It will + also disable the capability of Windows NT/2000 clients to download + print drivers from the Samba host upon demand. + Be very careful about enabling this parameter. +

Default: disable spoolss = no + +

display charset (G)

Specifies the charset that samba will use + to print messages to stdout and stderr and SWAT will use. + Should generally be the same as the unix charset. +

Default: display charset = ASCII + +

Example: display charset = UTF8 + +

dns proxy (G)

Specifies that nmbd(8) when acting as a WINS server and + finding that a NetBIOS name has not been registered, should treat the + NetBIOS name word-for-word as a DNS name and do a lookup with the DNS server + for that name on behalf of the name-querying client.

Note that the maximum length for a NetBIOS name is 15 + characters, so the DNS name (or DNS alias) can likewise only be + 15 characters, maximum.

nmbd spawns a second copy of itself to do the + DNS name lookup requests, as doing a name lookup is a blocking + action.

Default: dns proxy = yes + +

domain logons (G)

+ If set to yes, the Samba server will + provide the netlogon service for Windows 9X network logons for the + workgroup it is in. + This will also cause the Samba server to act as a domain + controller for NT4 style domain services. For more details on + setting up this feature see the Domain Control chapter of the + Samba HOWTO Collection. +

Default: domain logons = no + +

domain master (G)

Tell smbd(8) to enable WAN-wide browse list + collation. Setting this option causes nmbd to + claim a special domain specific NetBIOS name that identifies + it as a domain master browser for its given + workgroup. Local master browsers + in the same workgroup on broadcast-isolated + subnets will give this nmbd their local browse lists, + and then ask smbd(8) for a complete copy of the browse + list for the whole wide area network. Browser clients will then contact + their local master browser, and will receive the domain-wide browse list, + instead of just the list for their broadcast-isolated subnet.

Note that Windows NT Primary Domain Controllers expect to be + able to claim this workgroup specific special + NetBIOS name that identifies them as domain master browsers for + that workgroup by default (i.e. there is no + way to prevent a Windows NT PDC from attempting to do this). This + means that if this parameter is set and nmbd claims + the special name for a workgroup before a Windows + NT PDC is able to do so then cross subnet browsing will behave + strangely and may fail.

If domain logons = yes + , then the default behavior is to enable the domain master parameter. If domain logons is + not enabled (the default setting), then neither will domain master be enabled by default.

Default: domain master = auto + +

dont descend (S)

There are certain directories on some systems + (e.g., the /proc tree under Linux) that are either not + of interest to clients or are infinitely deep (recursive). This + parameter allows you to specify a comma-delimited list of directories + that the server should always show as empty.

Note that Samba can be very fussy about the exact format + of the "dont descend" entries. For example you may need + ./proc instead of just /proc. + Experimentation is the best policy :-)

Default: dont descend = + +

Example: dont descend = /proc,/dev + +

dos charset (G)

DOS SMB clients assume the server has + the same charset as they do. This option specifies which + charset Samba should talk to DOS clients. +

The default depends on which charsets you have installed. + Samba tries to use charset 850 but falls back to ASCII in + case it is not available. Run testparm(1) to check the default on your system.

No default

dos filemode (S)

The default behavior in Samba is to provide + UNIX-like behavior where only the owner of a file/directory is + able to change the permissions on it. However, this behavior + is often confusing to DOS/Windows users. Enabling this parameter + allows a user who has write access to the file (by whatever + means) to modify the permissions on it. Note that a user + belonging to the group owning the file will not be allowed to + change permissions if the group is only granted read access. + Ownership of the file/directory is not changed, only the permissions + are modified.

Default: dos filemode = no + +

dos filetime resolution (S)

Under the DOS and Windows FAT filesystem, the finest + granularity on time resolution is two seconds. Setting this parameter + for a share causes Samba to round the reported time down to the + nearest two second boundary when a query call that requires one second + resolution is made to smbd(8).

This option is mainly used as a compatibility option for Visual + C++ when used against Samba shares. If oplocks are enabled on a + share, Visual C++ uses two different time reading calls to check if a + file has changed since it was last read. One of these calls uses a + one-second granularity, the other uses a two second granularity. As + the two second call rounds any odd second down, then if the file has a + timestamp of an odd number of seconds then the two timestamps will not + match and Visual C++ will keep reporting the file has changed. Setting + this option causes the two timestamps to match, and Visual C++ is + happy.

Default: dos filetime resolution = no + +

dos filetimes (S)

Under DOS and Windows, if a user can write to a + file they can change the timestamp on it. Under POSIX semantics, + only the owner of the file or root may change the timestamp. By + default, Samba runs with POSIX semantics and refuses to change the + timestamp on a file if the user smbd is acting + on behalf of is not the file owner. Setting this option to + yes allows DOS semantics and smbd(8) will change the file + timestamp as DOS requires. Due to changes in Microsoft Office 2000 and beyond, + the default for this parameter has been changed from "no" to "yes" in Samba 3.0.14 + and above. Microsoft Excel will display dialog box warnings about the file being + changed by another user if this parameter is not set to "yes" and files are being + shared between users. +

Default: dos filetimes = yes + +

ea support (S)

This boolean parameter controls whether smbd(8) will allow clients to attempt to store OS/2 style Extended + attributes on a share. In order to enable this parameter the underlying filesystem exported by + the share must support extended attributes (such as provided on XFS and EXT3 on Linux, with the + correct kernel patches). On Linux the filesystem must have been mounted with the mount + option user_xattr in order for extended attributes to work, also + extended attributes must be compiled into the Linux kernel.

Default: ea support = no + +

enable asu support (G)

Hosts running the "Advanced Server for Unix (ASU)" product + require some special accomodations such as creating a builting [ADMIN$] + share that only supports IPC connections. The has been the default + behavior in smbd for many years. However, certain Microsoft applications + such as the Print Migrator tool require that the remote server support + an [ADMIN$} file share. Disabling this parameter allows for creating + an [ADMIN$] file share in smb.conf.

Default: enable asu support = yes + +

enable privileges (G)

This parameter controls whether or not smbd will honor + privileges assigned to specific SIDs via either net rpc rights + or one of the Windows user and group manager tools. This parameter is + disabled by default to prevent members of the Domain Admins group from + being able to assign privileges to users or groups which can then result in certain + smbd operations running as root that would normally run under the context + of the connected user.

An example of how privileges can be used is to assign + the right to join clients to a Samba controlled domain without + providing root access to the server via smbd.

Please read the extended description provided in the + Samba documentation before enabling this option.

Default: enable privileges = no + +

enable rid algorithm (G)

This option is used to control whether or not smbd in Samba 3.0 should fallback + to the algorithm used by Samba 2.2 to generate user and group RIDs. The longterm + development goal is to remove the algorithmic mappings of RIDs altogether, but + this has proved to be difficult. This parameter is mainly provided so that + developers can turn the algorithm on and off and see what breaks. This parameter + should not be disabled by non-developers because certain features in Samba will fail + to work without it. +

Default: enable rid algorithm = yes + +

encrypt passwords (G)

This boolean controls whether encrypted passwords + will be negotiated with the client. Note that Windows NT 4.0 SP3 and + above and also Windows 98 will by default expect encrypted passwords + unless a registry entry is changed. To use encrypted passwords in + Samba see the chapter "User Database" in the Samba HOWTO Collection. +

+ MS Windows clients that expect Microsoft encrypted passwords and that + do not have plain text password support enabled will be able to + connect only to a Samba server that has encypted password support + enabled and for which the user accounts have a valid encrypted password. + Refer to the smbpasswd command man page for information regarding the + creation of encrypted passwords for user accounts. +

+ The use of plain text passwords is NOT advised as support for this feature + is no longer maintained in Microsoft Windows products. If you want to use + plain text passwords you must set this parameter to no. +

In order for encrypted passwords to work correctly + smbd(8) must either + have access to a local smbpasswd(5) file (see the smbpasswd(8) program for information on how to set up + and maintain this file), or set the security = [server|domain|ads] parameter which + causes smbd to authenticate against another + server.

Default: encrypt passwords = yes + +

enhanced browsing (G)

This option enables a couple of enhancements to + cross-subnet browse propagation that have been added in Samba + but which are not standard in Microsoft implementations. +

The first enhancement to browse propagation consists of a regular + wildcard query to a Samba WINS server for all Domain Master Browsers, + followed by a browse synchronization with each of the returned + DMBs. The second enhancement consists of a regular randomised browse + synchronization with all currently known DMBs.

You may wish to disable this option if you have a problem with empty + workgroups not disappearing from browse lists. Due to the restrictions + of the browse protocols these enhancements can cause a empty workgroup + to stay around forever which can be annoying.

In general you should leave this option enabled as it makes + cross-subnet browse propagation much more reliable.

Default: enhanced browsing = yes + +

enumports command (G)

The concept of a "port" is fairly foreign + to UNIX hosts. Under Windows NT/2000 print servers, a port + is associated with a port monitor and generally takes the form of + a local port (i.e. LPT1:, COM1:, FILE:) or a remote port + (i.e. LPD Port Monitor, etc...). By default, Samba has only one + port defined--"Samba Printer Port". Under + Windows NT/2000, all printers must have a valid port name. + If you wish to have a list of ports displayed (smbd + does not use a port name for anything) other than + the default "Samba Printer Port", you + can define enumports command to point to + a program which should generate a list of ports, one per line, + to standard output. This listing will then be used in response + to the level 1 and 2 EnumPorts() RPC.

Default: enumports command = + +

Example: enumports command = /usr/bin/listports + +

fake directory create times (S)

NTFS and Windows VFAT file systems keep a create + time for all files and directories. This is not the same as the + ctime - status change time - that Unix keeps, so Samba by default + reports the earliest of the various times Unix does keep. Setting + this parameter for a share causes Samba to always report midnight + 1-1-1980 as the create time for directories.

This option is mainly used as a compatibility option for + Visual C++ when used against Samba shares. Visual C++ generated + makefiles have the object directory as a dependency for each object + file, and a make rule to create the directory. Also, when NMAKE + compares timestamps it uses the creation time when examining a + directory. Thus the object directory will be created if it does not + exist, but once it does exist it will always have an earlier + timestamp than the object files it contains.

However, Unix time semantics mean that the create time + reported by Samba will be updated whenever a file is created or + or deleted in the directory. NMAKE finds all object files in + the object directory. The timestamp of the last one built is then + compared to the timestamp of the object directory. If the + directory's timestamp if newer, then all object files + will be rebuilt. Enabling this option + ensures directories always predate their contents and an NMAKE build + will proceed as expected.

Default: fake directory create times = no + +

fake oplocks (S)

Oplocks are the way that SMB clients get permission + from a server to locally cache file operations. If a server grants + an oplock (opportunistic lock) then the client is free to assume + that it is the only one accessing the file and it will aggressively + cache file data. With some oplock types the client may even cache + file open/close operations. This can give enormous performance benefits. +

When you set fake oplocks = yes, smbd(8) will + always grant oplock requests no matter how many clients are using the file.

It is generally much better to use the real oplocks support rather + than this parameter.

If you enable this option on all read-only shares or + shares that you know will only be accessed from one client at a + time such as physically read-only media like CDROMs, you will see + a big performance improvement on many operations. If you enable + this option on shares where multiple clients may be accessing the + files read-write at the same time you can get data corruption. Use + this option carefully!

Default: fake oplocks = no + +

follow symlinks (S)

This parameter allows the Samba administrator + to stop smbd(8) from following symbolic + links in a particular share. Setting this + parameter to no prevents any file or directory + that is a symbolic link from being followed (the user will get an + error). This option is very useful to stop users from adding a + symbolic link to /etc/passwd in their home + directory for instance. However it will slow filename lookups + down slightly.

This option is enabled (i.e. smbd will + follow symbolic links) by default.

Default: follow symlinks = yes + +

force create mode (S)

This parameter specifies a set of UNIX mode bit + permissions that will always be set on a + file created by Samba. This is done by bitwise 'OR'ing these bits onto + the mode bits of a file that is being created or having its + permissions changed. The default for this parameter is (in octal) + 000. The modes in this parameter are bitwise 'OR'ed onto the file + mode after the mask set in the create mask + parameter is applied.

The example below would force all created files to have read and execute + permissions set for 'group' and 'other' as well as the + read/write/execute bits set for the 'user'.

Default: force create mode = 000 + +

Example: force create mode = 0755 + +

force directory mode (S)

This parameter specifies a set of UNIX mode bit + permissions that will always be set on a directory + created by Samba. This is done by bitwise 'OR'ing these bits onto the + mode bits of a directory that is being created. The default for this + parameter is (in octal) 0000 which will not add any extra permission + bits to a created directory. This operation is done after the mode + mask in the parameter directory mask is + applied.

The example below would force all created directories to have read and execute + permissions set for 'group' and 'other' as well as the + read/write/execute bits set for the 'user'.

Default: force directory mode = 000 + +

Example: force directory mode = 0755 + +

force directory security mode (S)

+ This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating + the UNIX permission on a directory using the native NT security dialog box. +

+ This parameter is applied as a mask (OR'ed with) to the changed permission bits, thus forcing any bits in this + mask that the user may have modified to be on. Make sure not to mix up this parameter with directory security mask, which works in a similar manner to this one, but uses a logical AND instead + of an OR. +

+ Essentially, this mask may be treated as a set of bits that, when modifying security on a directory, + to will enable (1) any flags that are off (0) but which the mask has set to on (1). +

+ If not set explicitly this parameter is 0000, which allows a user to modify all the user/group/world + permissions on a directory without restrictions. +

Note

+ Users who can access the Samba server through other means can easily bypass this restriction, so it is + primarily useful for standalone "appliance" systems. Administrators of most normal systems will + probably want to leave it set as 0000. +

Default: force directory security mode = 0 + +

Example: force directory security mode = 700 + +

group

This parameter is a synonym for force group.

force group (S)

This specifies a UNIX group name that will be + assigned as the default primary group for all users connecting + to this service. This is useful for sharing files by ensuring + that all access to files on service will use the named group for + their permissions checking. Thus, by assigning permissions for this + group to the files and directories within this service the Samba + administrator can restrict or allow sharing of these files.

In Samba 2.0.5 and above this parameter has extended + functionality in the following way. If the group name listed here + has a '+' character prepended to it then the current user accessing + the share only has the primary group default assigned to this group + if they are already assigned as a member of that group. This allows + an administrator to decide that only users who are already in a + particular group will create files with group ownership set to that + group. This gives a finer granularity of ownership assignment. For + example, the setting force group = +sys means + that only users who are already in group sys will have their default + primary group assigned to sys when accessing this Samba share. All + other users will retain their ordinary primary group.

+ If the force user parameter is also set the group specified in + force group will override the primary group + set in force user.

Default: force group = + +

Example: force group = agroup + +

force printername (S)

When printing from Windows NT (or later), + each printer in smb.conf has two + associated names which can be used by the client. The first + is the sharename (or shortname) defined in smb.conf. This + is the only printername available for use by Windows 9x clients. + The second name associated with a printer can be seen when + browsing to the "Printers" (or "Printers and Faxes") folder + on the Samba server. This is referred to simply as the printername + (not to be confused with the printer name option). +

When assigning a new driver to a printer on a remote + Windows compatible print server such as Samba, the Windows client + will rename the printer to match the driver name just uploaded. + This can result in confusion for users when multiple + printers are bound to the same driver. To prevent Samba from + allowing the printer's printername to differ from the sharename + defined in smb.conf, set force printername = yes. +

Be aware that enabling this parameter may affect migrating + printers from a Windows server to Samba since Windows has no way to + force the sharename and printername to match.

It is recommended that this parameter's value not be changed + once the printer is in use by clients as this could cause a user + not be able to delete printer connections from their local Printers + folder.

Default: force printername = no + +

force security mode (S)

+ This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating + the UNIX permission on a file using the native NT security dialog box. +

+ This parameter is applied as a mask (OR'ed with) to the changed permission bits, thus forcing any bits in this + mask that the user may have modified to be on. Make sure not to mix up this parameter with security mask, which works similar like this one but uses logical AND instead of OR. +

+ Essentially, one bits in this mask may be treated as a set of bits that, when modifying security on a file, + the user has always set to be on. +

+ If not set explicitly this parameter is set to 0, and allows a user to modify all the user/group/world + permissions on a file, with no restrictions. +

+ Note that users who can access the Samba server through other means can easily bypass this + restriction, so it is primarily useful for standalone "appliance" systems. Administrators of most + normal systems will probably want to leave this set to 0000. +

Default: force security mode = 0 + +

Example: force security mode = 700 + +

force unknown acl user (S)

If this parameter is set, a Windows NT ACL that contains an unknown + SID (security descriptor, or representation of a user or group + id) as the owner or group owner of the file will be silently + mapped into the current UNIX uid or gid of the currently + connected user.

This is designed to allow Windows NT clients to copy files and + folders containing ACLs that were created locally on the client + machine and contain users local to that machine only (no domain + users) to be copied to a Samba server (usually with XCOPY /O) + and have the unknown userid and groupid of the file owner map to + the current connected user. This can only be fixed correctly + when winbindd allows arbitrary mapping from any Windows NT SID + to a UNIX uid or gid.

Try using this parameter when XCOPY /O gives an ACCESS_DENIED + error.

Default: force unknown acl user = no + +

force user (S)

This specifies a UNIX user name that will be + assigned as the default user for all users connecting to this service. + This is useful for sharing files. You should also use it carefully + as using it incorrectly can cause security problems.

This user name only gets used once a connection is established. + Thus clients still need to connect as a valid user and supply a + valid password. Once connected, all file operations will be performed + as the "forced user", no matter what username the client connected + as. This can be very useful.

In Samba 2.0.5 and above this parameter also causes the + primary group of the forced user to be used as the primary group + for all file activity. Prior to 2.0.5 the primary group was left + as the primary group of the connecting user (this was a bug).

Default: force user = + +

Example: force user = auser + +

fstype (S)

This parameter allows the administrator to + configure the string that specifies the type of filesystem a share + is using that is reported by smbd(8) when a client queries the filesystem type + for a share. The default type is NTFS for + compatibility with Windows NT but this can be changed to other + strings such as Samba or FAT + if required.

Default: fstype = NTFS + +

Example: fstype = Samba + +

get quota command (G)

The get quota command should only be used + whenever there is no operating system API available from the OS that + samba can use.

This option is only available with ./configure --with-sys-quotas. + Or on linux when ./configure --with-quotas was used and a working quota api + was found in the system.

This parameter should specify the path to a script that + queries the quota information for the specified + user/group for the partition that + the specified directory is on.

Such a script should take 3 arguments:

directory
type of query
uid of user or gid of group

The type of query can be one of :

1 - user quotas
2 - user default quotas (uid = -1)
3 - group quotas
4 - group default quotas (gid = -1)

This script should print one line as output with spaces between the arguments. The arguments are: +

Arg 1 - quota flags (0 = no quotas, 1 = quotas enabled, 2 = quotas enabled and enforced)
Arg 2 - number of currently used blocks
Arg 3 - the softlimit number of blocks
Arg 4 - the hardlimit number of blocks
Arg 5 - currently used number of inodes
Arg 6 - the softlimit number of inodes
Arg 7 - the hardlimit number of inodes
Arg 8(optional) - the number of bytes in a block(default is 1024)

Default: get quota command = + +

Example: get quota command = /usr/local/sbin/query_quota + +

getwd cache (G)

This is a tuning option. When this is enabled a + caching algorithm will be used to reduce the time taken for getwd() + calls. This can have a significant impact on performance, especially + when the wide smbconfoptions parameter is set to no.

Default: getwd cache = yes + +

guest account (G)

This is a username which will be used for access + to services which are specified as guest ok (see below). Whatever privileges this + user has will be available to any client connecting to the guest service. + This user must exist in the password file, but does not require + a valid login. The user account "ftp" is often a good choice + for this parameter. +

On some systems the default guest account "nobody" may not + be able to print. Use another account in this case. You should test + this by trying to log in as your guest user (perhaps by using the + su - command) and trying to print using the + system print command such as lpr(1) or + lp(1).

This parameter does not accept % macros, because + many parts of the system require this value to be + constant for correct operation.

Default: guest account = nobody +# default can be changed at compile-time + +

Example: guest account = ftp + +

public

This parameter is a synonym for guest ok.

guest ok (S)

If this parameter is yes for + a service, then no password is required to connect to the service. + Privileges will be those of the guest account.

This paramater nullifies the benifits of setting + restrict anonymous = 2 +

See the section below on security for more information about this option. +

Default: guest ok = no + +

only guest

This parameter is a synonym for guest only.

guest only (S)

If this parameter is yes for + a service, then only guest connections to the service are permitted. + This parameter will have no effect if guest ok is not set for the service.

See the section below on security for more information about this option. +

Default: guest only = no + +

hide dot files (S)

This is a boolean parameter that controls whether + files starting with a dot appear as hidden files.

Default: hide dot files = yes + +

hide files (S)

This is a list of files or directories that are not + visible but are accessible. The DOS 'hidden' attribute is applied + to any files or directories that match.

Each entry in the list must be separated by a '/', + which allows spaces to be included in the entry. '*' + and '?' can be used to specify multiple files or directories + as in DOS wildcards.

Each entry must be a Unix path, not a DOS path and must + not include the Unix directory separator '/'.

Note that the case sensitivity option is applicable + in hiding files.

Setting this parameter will affect the performance of Samba, + as it will be forced to check all files and directories for a match + as they are scanned.

+ The example shown above is based on files that the Macintosh + SMB client (DAVE) available from + Thursby creates for internal use, and also still hides + all files beginning with a dot. +

+ An example of us of this parameter is: +

+hide files = /.*/DesktopFolderDB/TrashFor%m/resource.frk/
+

Default: hide files = +# no file are hidden + +

hide special files (S)

This parameter prevents clients from seeing + special files such as sockets, devices and fifo's in directory + listings. +

Default: hide special files = no + +

hide unreadable (S)

This parameter prevents clients from seeing the + existance of files that cannot be read. Defaults to off.

Default: hide unreadable = no + +

hide unwriteable files (S)

This parameter prevents clients from seeing + the existance of files that cannot be written to. Defaults to off. + Note that unwriteable directories are shown as usual. +

Default: hide unwriteable files = no + +

homedir map (G)

If nis homedir is yes, + and smbd(8) is also acting + as a Win95/98 logon server then this parameter + specifies the NIS (or YP) map from which the server for the user's + home directory should be extracted. At present, only the Sun + auto.home map format is understood. The form of the map is:

username server:/some/file/system

and the program will extract the servername from before + the first ':'. There should probably be a better parsing system + that copes with different map formats and also Amd (another + automounter) maps.

Note

A working NIS client is required on + the system for this option to work.

Default: homedir map = + +

Example: homedir map = amd.homedir + +

host msdfs (G)

If set to yes, Samba will act as a Dfs + server, and allow Dfs-aware clients to browse Dfs trees hosted + on the server.

See also the msdfs root share level parameter. For + more information on setting up a Dfs tree on Samba, + refer to the MSFDS chapter in the book Samba3-HOWTO. +

Default: host msdfs = no + +

hostname lookups (G)

Specifies whether samba should use (expensive) + hostname lookups or use the ip addresses instead. An example place + where hostname lookups are currently used is when checking + the hosts deny and hosts allow. +

Default: hostname lookups = no + +

Example: hostname lookups = yes + +

allow hosts

This parameter is a synonym for hosts allow.

hosts allow (S)

A synonym for this parameter is allow + hosts.

This parameter is a comma, space, or tab delimited + set of hosts which are permitted to access a service.

If specified in the [global] section then it will + apply to all services, regardless of whether the individual + service has a different setting.

You can specify the hosts by name or IP number. For + example, you could restrict access to only the hosts on a + Class C subnet with something like allow hosts = 150.203.5. + . The full syntax of the list is described in the man + page hosts_access(5). Note that this man + page may not be present on your system, so a brief description will + be given here also.

Note that the localhost address 127.0.0.1 will always + be allowed access unless specifically denied by a hosts deny option.

You can also specify hosts by network/netmask pairs and + by netgroup names if your system supports netgroups. The + EXCEPT keyword can also be used to limit a + wildcard list. The following examples may provide some help:

Example 1: allow all IPs in 150.203.*.*; except one

hosts allow = 150.203. EXCEPT 150.203.6.66

Example 2: allow hosts that match the given network/netmask

hosts allow = 150.203.15.0/255.255.255.0

Example 3: allow a couple of hosts

hosts allow = lapland, arvidsjaur

Example 4: allow only hosts in NIS netgroup "foonet", but + deny access from one particular host

hosts allow = @foonet

hosts deny = pirate

Note

Note that access still requires suitable user-level passwords.

See testparm(1) for a way of testing your host access + to see if it does what you expect.

Default: hosts allow = +# none (i.e., all hosts permitted access) + +

Example: hosts allow = 150.203.5. myhost.mynet.edu.au + +

deny hosts

This parameter is a synonym for hosts deny.

hosts deny (S)

The opposite of hosts allow + - hosts listed here are NOT permitted access to + services unless the specific services have their own lists to override + this one. Where the lists conflict, the allow + list takes precedence.

Default: hosts deny = +# none (i.e., no hosts specifically excluded) + +

Example: hosts deny = 150.203.4. badhost.mynet.edu.au + +

hosts equiv (G)

If this global parameter is a non-null string, + it specifies the name of a file to read for the names of hosts + and users who will be allowed access without specifying a password. +

This is not be confused with hosts allow which is about hosts + access to services and is more useful for guest services. + hosts equiv may be useful for NT clients which will + not supply passwords to Samba.

Note

The use of hosts equiv + can be a major security hole. This is because you are + trusting the PC to supply the correct username. It is very easy to + get a PC to supply a false username. I recommend that the + hosts equiv option be only used if you really + know what you are doing, or perhaps on a home network where you trust + your spouse and kids. And only if you really trust + them :-).

Default: hosts equiv = +# no host equivalences + +

Example: hosts equiv = hosts equiv = /etc/hosts.equiv + +

idmap backend (G)

+ The purpose of the idmap backend parameter is to allow idmap to NOT use the local idmap + tdb file to obtain SID to UID / GID mappings, but instead to obtain them from a common + LDAP backend. This way all domain members and controllers will have the same UID and GID + to SID mappings. This avoids the risk of UID / GID inconsistencies across UNIX / Linux + systems that are sharing information over protocols other than SMB/CIFS (ie: NFS). +

+ An alternate method of SID to UID / GID mapping can be achieved using the idmap_rid + plug-in. This plug-in uses the account RID to derive the UID and GID by adding the + RID to a base value specified. This utility requires that the parameter + “allow trusted domains = No” must be specified, as it is not compatible + with multiple domain environments. The idmap uid and idmap gid ranges must also be + specified. +

Default: idmap backend = + +

Example: idmap backend = ldap:ldap://ldapslave.example.com + +

Example: idmap backend = idmap_rid:DOMNAME=1000-100000000 + +

winbind gid

This parameter is a synonym for idmap gid.

idmap gid (G)

The idmap gid parameter specifies the range of group ids that are allocated for + the purpose of mapping UNX groups to NT group SIDs. This range of group ids should have no + existing local or NIS groups within it as strange conflicts can occur otherwise.

The availability of an idmap gid range is essential for correct operation of + all group mapping.

Default: idmap gid = + +

Example: idmap gid = 10000-20000 + +

winbind uid

This parameter is a synonym for idmap uid.

idmap uid (G)

The idmap uid parameter specifies the range of user ids that are allocated for use + in mapping UNIX users to NT user SIDs. This range of ids should have no existing local + or NIS users within it as strange conflicts can occur otherwise.

Default: idmap uid = + +

Example: idmap uid = 10000-20000 + +

include (G)

This allows you to include one config file + inside another. The file is included literally, as though typed + in place.

It takes the standard substitutions, except %u +, %P and %S. +

Default: include = + +

Example: include = /usr/local/samba/lib/admin_smb.conf + +

inherit acls (S)

This parameter can be used to ensure that if default acls + exist on parent directories, they are always honored when creating a + subdirectory. The default behavior is to use the mode specified when + creating the directory. Enabling this option sets the mode to 0777, + thus guaranteeing that default directory acls are propagated. +

Default: inherit acls = no + +

inherit owner (S)

The ownership of new files and directories + is normally governed by effective uid of the connected user. + This option allows the Samba administrator to specify that + the ownership for new files and directories should be controlled + by the ownership of the parent directory.

Common scenarios where this behavior is useful is in + implementing drop-boxes where users can create and edit files but not + delete them and to ensure that newly create files in a user's + roaming profile directory are actually owner by the user.

Default: inherit owner = no + +

inherit permissions (S)

+ The permissions on new files and directories are normally governed by create mask, + directory mask, force create mode and force directory mode but the boolean inherit permissions parameter overrides this. +

New directories inherit the mode of the parent directory, + including bits such as setgid.

+ New files inherit their read/write bits from the parent directory. Their execute bits continue to be + determined by map archive, map hidden and map system as usual. +

Note that the setuid bit is never set via + inheritance (the code explicitly prohibits this).

This can be particularly useful on large systems with + many users, perhaps several thousand, to allow a single [homes] + share to be used flexibly by each user.

Default: inherit permissions = no + +

interfaces (G)

This option allows you to override the default + network interfaces list that Samba will use for browsing, name + registration and other NBT traffic. By default Samba will query + the kernel for the list of all active interfaces and use any + interfaces except 127.0.0.1 that are broadcast capable.

The option takes a list of interface strings. Each string + can be in any of the following forms:

a network interface name (such as eth0). + This may include shell-like wildcards so eth* will match + any interface starting with the substring "eth"
an IP address. In this case the netmask is + determined from the list of interfaces obtained from the + kernel
an IP/mask pair.
a broadcast/mask pair.

The "mask" parameters can either be a bit length (such + as 24 for a C class network) or a full netmask in dotted + decimal form.

The "IP" parameters above can either be a full dotted + decimal IP address or a hostname which will be looked up via + the OS's normal hostname resolution mechanisms.

Default: interfaces = +# all active interfaces except 127.0.0.1 that are broadcast capable + +

Example: interfaces = + +# This would configure three network interfaces corresponding + to the eth0 device and IP addresses 192.168.2.10 and 192.168.3.10. + The netmasks of the latter two interfaces would be set to 255.255.255.0. + eth0 192.168.2.10/24 192.168.3.10/255.255.255.0 + + +

invalid users (S)

This is a list of users that should not be allowed + to login to this service. This is really a paranoid + check to absolutely ensure an improper setting does not breach + your security.

A name starting with a '@' is interpreted as an NIS + netgroup first (if your system supports NIS), and then as a UNIX + group if the name was not found in the NIS netgroup database.

A name starting with '+' is interpreted only + by looking in the UNIX group database. A name starting with + '&' is interpreted only by looking in the NIS netgroup database + (this requires NIS to be working on your system). The characters + '+' and '&' may be used at the start of the name in either order + so the value +&group means check the + UNIX group database, followed by the NIS netgroup database, and + the value &+group means check the NIS + netgroup database, followed by the UNIX group database (the + same as the '@' prefix).

The current servicename is substituted for %S. + This is useful in the [homes] section.

Default: invalid users = +# no invalid users + +

Example: invalid users = root fred admin @wheel + +

keepalive (G)

The value of the parameter (an integer) represents + the number of seconds between keepalive + packets. If this parameter is zero, no keepalive packets will be + sent. Keepalive packets, if sent, allow the server to tell whether + a client is still present and responding.

Keepalives should, in general, not be needed if the socket + has the SO_KEEPALIVE attribute set on it by default. (see socket options). +Basically you should only use this option if you strike difficulties.

Default: keepalive = 300 + +

Example: keepalive = 600 + +

kernel change notify (G)

This parameter specifies whether Samba should ask the + kernel for change notifications in directories so that + SMB clients can refresh whenever the data on the server changes. +

This parameter is only used when your kernel supports + change notification to user programs, using the F_NOTIFY fcntl. +

Default: kernel change notify = yes + +

kernel oplocks (G)

For UNIXes that support kernel based oplocks + (currently only IRIX and the Linux 2.4 kernel), this parameter + allows the use of them to be turned on or off.

Kernel oplocks support allows Samba oplocks + to be broken whenever a local UNIX process or NFS operation + accesses a file that smbd(8) has oplocked. This allows complete + data consistency between SMB/CIFS, NFS and local file access (and is + a very cool feature :-).

This parameter defaults to on, but is translated + to a no-op on systems that no not have the necessary kernel support. + You should never need to touch this parameter.

Default: kernel oplocks = yes + +

lanman auth (G)

This parameter determines whether or not smbd(8) will attempt to + authenticate users or permit password changes + using the LANMAN password hash. If disabled, only clients which support NT + password hashes (e.g. Windows NT/2000 clients, smbclient, but not + Windows 95/98 or the MS DOS network client) will be able to + connect to the Samba host.

The LANMAN encrypted response is easily broken, due to it's + case-insensitive nature, and the choice of algorithm. Servers + without Windows 95/98/ME or MS DOS clients are advised to disable + this option.

Unlike the encypt + passwords option, this parameter cannot alter client + behaviour, and the LANMAN response will still be sent over the + network. See the client lanman + auth to disable this for Samba's clients (such as smbclient)

If this option, and ntlm + auth are both disabled, then only NTLMv2 logins will be + permited. Not all clients support NTLMv2, and most will require + special configuration to use it.

Default: lanman auth = yes + +

large readwrite (G)

This parameter determines whether or not + smbd(8) supports the new 64k + streaming read and write varient SMB requests introduced with + Windows 2000. Note that due to Windows 2000 client redirector bugs + this requires Samba to be running on a 64-bit capable operating + system such as IRIX, Solaris or a Linux 2.4 kernel. Can improve + performance by 10% with Windows 2000 clients. Defaults to on. Not as + tested as some other Samba code paths.

Default: large readwrite = yes + +

ldap admin dn (G)

+ The ldap admin dn defines the Distinguished Name (DN) name used by Samba to contact + the ldap server when retreiving user account information. The ldap admin dn is used + in conjunction with the admin dn password stored in the private/secrets.tdb + file. See the smbpasswd(8) + man page for more information on how to accomplish this. +

+ The ldap admin dn requires a fully specified DN. The ldap suffix is not appended to the ldap admin dn. +

No default

ldap delete dn (G)

This parameter specifies whether a delete + operation in the ldapsam deletes the complete entry or only the attributes + specific to Samba. +

Default: ldap delete dn = no + +

ldap group suffix (G)

This parameters specifies the suffix that is + used for groups when these are added to the LDAP directory. + If this parameter is unset, the value of ldap suffix will be used instead. The suffix string is pre-pended to the + ldap suffix string so use a partial DN.

Default: ldap group suffix = + +

Example: ldap group suffix = ou=Groups + +

ldap idmap suffix (G)

This parameters specifies the suffix that is + used when storing idmap mappings. If this parameter + is unset, the value of ldap suffix + will be used instead. The suffix string is pre-pended to the + ldap suffix string so use a partial DN.

Default: ldap idmap suffix = + +

Example: ldap idmap suffix = ou=Idmap + +

ldap machine suffix (G)

It specifies where machines should be added to the ldap tree. + If this parameter is unset, the value of ldap suffix will be used instead. The suffix string is pre-pended to the + ldap suffix string so use a partial DN.

Default: ldap machine suffix = + +

Example: ldap machine suffix = ou=Computers + +

ldap passwd sync (G)

+ This option is used to define whether or not Samba should sync the LDAP password with the NT + and LM hashes for normal accounts (NOT for workstation, server or domain trusts) on a password + change via SAMBA. +

The ldap passwd sync can be set to one of three values:

Yes = Try + to update the LDAP, NT and LM passwords and update the pwdLastSet time.
No = Update NT and + LM passwords and update the pwdLastSet time.
Only = Only update + the LDAP password and let the LDAP server do the rest.

Default: ldap passwd sync = no + +

ldap port (G)

This parameter is only available if Samba has been + configure to include the --with-ldapsam option + at compile time.

This option is used to control the tcp port number used to contact + the ldap server. + The default is to use the stand LDAPS port 636.

Default: ldap port = 636 +# if ldap ssl = on + +

Default: ldap port = 389 +# if ldap ssl = off + +

ldap replication sleep (G)

When Samba is asked to write to a read-only LDAP +replica, we are redirected to talk to the read-write master server. +This server then replicates our changes back to the 'local' server, +however the replication might take some seconds, especially over slow +links. Certain client activities, particularly domain joins, can become +confused by the 'success' that does not immediately change the LDAP +back-end's data.

This option simply causes Samba to wait a short time, to +allow the LDAP server to catch up. If you have a particularly +high-latency network, you may wish to time the LDAP replication with a +network sniffer, and increase this value accordingly. Be aware that no +checking is performed that the data has actually replicated.

The value is specified in milliseconds, the maximum +value is 5000 (5 seconds).

Default: ldap replication sleep = 1000 + +

ldapsam:trusted (G)

+By default, Samba as a Domain Controller with an LDAP backend needs to use the +Unix-style NSS subsystem to access user and group information. Due to the way +Unix stores user information in /etc/passwd and /etc/group this inevitably +leads to inefficiencies. One important question a user needs to know is the +list of groups he is member of. The plain Unix model involves a complete +enumeration of the file /etc/group and its NSS counterparts in LDAP. In this +particular case there often optimized functions are available in Unix, but for +other queries there is no optimized function available.

To make Samba scale well in large environments, the ldapsam:trusted=yes +option assumes that the complete user and group database that is relevant to +Samba is stored in LDAP with the standard posixAccount/posixGroup model, and +that the Samba auxiliary object classes are stored together with the the posix +data in the same LDAP object. If these assumptions are met, +ldapsam:trusted=yes can be activated and Samba can completely bypass the NSS +system to query user information. Optimized LDAP queries can speed up domain +logon and administration tasks a lot. Depending on the size of the LDAP +database a factor of 100 or more for common queries is easily achieved.

Default: ldapsam:trusted = no + +

ldap server (G)

This parameter is only available if Samba has been + configure to include the --with-ldapsam + option at compile time.

This parameter should contain the FQDN of the ldap directory + server which should be queried to locate user account information. +

Default: ldap server = localhost + +

ldap ssl (G)

This option is used to define whether or not Samba should + use SSL when connecting to the ldap server + This is NOT related to + Samba's previous SSL support which was enabled by specifying the + --with-ssl option to the configure + script.

The ldap ssl can be set to one of three values:

Off = Never + use SSL when querying the directory.
Start_tls = Use + the LDAPv3 StartTLS extended operation (RFC2830) for + communicating with the directory server.
On = Use SSL + on the ldaps port when contacting the ldap server. Only available when the + backwards-compatiblity --with-ldapsam option is specified + to configure. See passdb backend

Default: ldap ssl = start_tls + +

ldap suffix (G)

Specifies the base for all ldap suffixes and for storing the sambaDomain object.

+ The ldap suffix will be appended to the values specified for the ldap user suffix, + ldap group suffix, ldap machine suffix, and the + ldap idmap suffix. Each of these should be given only a DN relative to the + ldap suffix. +

Default: ldap suffix = + +

Example: ldap suffix = dc=samba,dc=org + +

ldap timeout (G)

When Samba connects to an ldap server that server +may be down or unreachable. To prevent Samba from hanging whilst +waiting for the connection this parameter specifies in seconds how +long Samba should wait before failing the connect. The default is +to only wait fifteen seconds for the ldap server to respond to the +connect request.

Default: ldap timeout = 15 + +

ldap user suffix (G)

This parameter specifies where users are added to the tree. + If this parameter is unset, the value of ldap suffix will be used instead. The suffix string is pre-pended to the + ldap suffix string so use a partial DN.

Default: ldap user suffix = + +

Example: ldap user suffix = ou=people + +

level2 oplocks (S)

This parameter controls whether Samba supports + level2 (read-only) oplocks on a share.

Level2, or read-only oplocks allow Windows NT clients + that have an oplock on a file to downgrade from a read-write oplock + to a read-only oplock once a second client opens the file (instead + of releasing all oplocks on a second open, as in traditional, + exclusive oplocks). This allows all openers of the file that + support level2 oplocks to cache the file for read-ahead only (ie. + they may not cache writes or lock requests) and increases performance + for many accesses of files that are not commonly written (such as + application .EXE files).

Once one of the clients which have a read-only oplock + writes to the file all clients are notified (no reply is needed + or waited for) and told to break their oplocks to "none" and + delete any read-ahead caches.

It is recommended that this parameter be turned on to + speed access to shared executables.

For more discussions on level2 oplocks see the CIFS spec.

+ Currently, if kernel oplocks are supported then + level2 oplocks are not granted (even if this parameter is set to + yes). Note also, the oplocks + parameter must be set to yes on this share in order for + this parameter to have any effect.

Default: level2 oplocks = yes + +

lm announce (G)

This parameter determines if nmbd(8) will produce Lanman announce + broadcasts that are needed by OS/2 clients in order for them to see + the Samba server in their browse list. This parameter can have three + values, yes, no, or + auto. The default is auto. + If set to no Samba will never produce these + broadcasts. If set to yes Samba will produce + Lanman announce broadcasts at a frequency set by the parameter + lm interval. If set to auto + Samba will not send Lanman announce broadcasts by default but will + listen for them. If it hears such a broadcast on the wire it will + then start sending them at a frequency set by the parameter + lm interval.

Default: lm announce = auto + +

Example: lm announce = yes + +

lm interval (G)

If Samba is set to produce Lanman announce + broadcasts needed by OS/2 clients (see the + lm announce parameter) then this + parameter defines the frequency in seconds with which they will be + made. If this is set to zero then no Lanman announcements will be + made despite the setting of the lm announce + parameter.

Default: lm interval = 60 + +

Example: lm interval = 120 + +

load printers (G)

A boolean variable that controls whether all + printers in the printcap will be loaded for browsing by default. + See the printers section for + more details.

Default: load printers = yes + +

local master (G)

This option allows nmbd(8) to try and become a local master browser + on a subnet. If set to no then + nmbd will not attempt to become a local master browser + on a subnet and will also lose in all browsing elections. By + default this value is set to yes. Setting this value to + yes doesn't mean that Samba will become the + local master browser on a subnet, just that nmbd + will participate in elections for local master browser.

Setting this value to no will cause nmbd never to become a local +master browser.

Default: local master = yes + +

lock dir

This parameter is a synonym for lock directory.

lock directory (G)

This option specifies the directory where lock + files will be placed. The lock files are used to implement the + max connections option. +

Default: lock directory = ${prefix}/var/locks + +

Example: lock directory = /var/run/samba/locks + +

locking (S)

This controls whether or not locking will be + performed by the server in response to lock requests from the + client.

If locking = no, all lock and unlock + requests will appear to succeed and all lock queries will report + that the file in question is available for locking.

If locking = yes, real locking will be performed + by the server.

This option may be useful for read-only + filesystems which may not need locking (such as + CDROM drives), although setting this parameter of no + is not really recommended even in this case.

Be careful about disabling locking either globally or in a + specific service, as lack of locking may result in data corruption. + You should never need to set this parameter.

No default

lock spin count (G)

This parameter controls the number of times + that smbd should attempt to gain a byte range lock on the + behalf of a client request. Experiments have shown that + Windows 2k servers do not reply with a failure if the lock + could not be immediately granted, but try a few more times + in case the lock could later be acquired. This behavior + is used to support PC database formats such as MS Access + and FoxPro. +

Default: lock spin count = 3 + +

lock spin time (G)

The time in microseconds that smbd should + pause before attempting to gain a failed lock. See + lock spin count for more details.

Default: lock spin time = 10 + +

log file (G)

This option allows you to override the name + of the Samba log file (also known as the debug file).

This option takes the standard substitutions, allowing + you to have separate log files for each user or machine.

No default

Example: log file = /usr/local/samba/var/log.%m + +

debuglevel

This parameter is a synonym for log level.

log level (G)

The value of the parameter (a astring) allows + the debug level (logging level) to be specified in the + smb.conf file. This parameter has been + extended since the 2.2.x series, now it allow to specify the debug + level for multiple debug classes. This is to give greater + flexibility in the configuration of the system.

The default will be the log level specified on + the command line or level zero if none was specified.

No default

Example: log level = 3 passdb:5 auth:10 winbind:2 + +

logon drive (G)

+ This parameter specifies the local path to which the home directory will be + connected (see logon home) and is only used by NT + Workstations. +

+ Note that this option is only useful if Samba is set up as a logon server. +

Default: logon drive = z: + +

Example: logon drive = h: + +

logon home (G)

+ This parameter specifies the home directory location when a Win95/98 or NT Workstation logs into a Samba PDC. + It allows you to do +

+ C:\>NET USE H: /HOME +

+ from a command prompt, for example. +

+ This option takes the standard substitutions, allowing you to have separate logon scripts for each user or machine. +

+ This parameter can be used with Win9X workstations to ensure that roaming profiles are stored in a + subdirectory of the user's home directory. This is done in the following way: +

+ logon home = \\%N\%U\profile +

+ This tells Samba to return the above string, with substitutions made when a client requests the info, generally + in a NetUserGetInfo request. Win9X clients truncate the info to \\server\share when a user does + net use /home but use the whole string when dealing with profiles. +

+ Note that in prior versions of Samba, the logon path was returned rather than + logon home. This broke net use /home + but allowed profiles outside the home directory. The current implementation is correct, and can be used for + profiles if you use the above trick. +

+ Disable this feature by setting logon home = "" - using the empty string. +

+ This option is only useful if Samba is set up as a logon server. +

Default: logon home = \\%N\%U + +

Example: logon home = \\remote_smb_server\%U + +

logon path (G)

+ This parameter specifies the directory where roaming profiles (Desktop, NTuser.dat, etc) are + stored. Contrary to previous versions of these manual pages, it has nothing to do with Win 9X roaming + profiles. To find out how to handle roaming profiles for Win 9X system, see the + logon home parameter. +

+ This option takes the standard substitutions, allowing you to have separate logon scripts for each user or + machine. It also specifies the directory from which the "Application Data", (desktop, start menu, network neighborhood, programs and other + folders, and their contents, are loaded and displayed on your Windows NT client. +

+ The share and the path must be readable by the user for the preferences and directories to be loaded onto the + Windows NT client. The share must be writeable when the user logs in for the first time, in order that the + Windows NT client can create the NTuser.dat and other directories. + Thereafter, the directories and any of the contents can, if required, be made read-only. It is not advisable + that the NTuser.dat file be made read-only - rename it to NTuser.man to achieve the desired effect (a + MANdatory profile). +

+ Windows clients can sometimes maintain a connection to the [homes] share, even though there is no user logged + in. Therefore, it is vital that the logon path does not include a reference to the homes share (i.e. setting + this parameter to \\%N\homes\profile_path will cause problems). +

+ This option takes the standard substitutions, allowing you to have separate logon scripts for each user or machine. +

Warning

+ Do not quote the value. Setting this as “\\%N\profile\%U” + will break profile handling. Where the tdbsam or ldapsam passdb backend + is used, at the time the user account is created the value configured + for this parameter is written to the passdb backend and that value will + over-ride the parameter value present in the smb.conf file. Any error + present in the passdb backend account record must be editted using the + appropriate tool (pdbedit on the command-line, or any other locally + provided system tool. +

Note that this option is only useful if Samba is set up as a domain controller.

+ Disable the use of roaming profiles by setting the value of this parameter to the empty string. For + example, logon path = "". Take note that even if the default setting + in the smb.conf file is the empty string, any value specified in the user account settings in the passdb + backend will over-ride the effect of setting this parameter to null. Disabling of all roaming profile use + requires that the user account settings must also be blank. +

+ An example of use is: +

+logon path = \\PROFILESERVER\PROFILE\%U
+

Default: logon path = \\%N\%U\profile + +

logon script (G)

+ This parameter specifies the batch file (.bat) or NT command file + (.cmd) to be downloaded and run on a machine when a user successfully logs in. The file + must contain the DOS style CR/LF line endings. Using a DOS-style editor to create the file is recommended. +

+ The script must be a relative path to the [netlogon] service. If the [netlogon] + service specifies a path of /usr/local/samba/netlogon, and logon script = STARTUP.BAT, then the file that will be downloaded is: +

+	/usr/local/samba/netlogon/STARTUP.BAT
+

+ The contents of the batch file are entirely your choice. A suggested command would be to add NET TIME \\SERVER /SET /YES, to force every machine to synchronize clocks with the + same time server. Another use would be to add NET USE U: \\SERVER\UTILS + for commonly used utilities, or

 NET USE Q: \\SERVER\ISO9001_QA

for + example. +

+ Note that it is particularly important not to allow write access to the [netlogon] share, or to grant users + write permission on the batch files in a secure environment, as this would allow the batch files to be + arbitrarily modified and security to be breached. +

+ This option takes the standard substitutions, allowing you to have separate logon scripts for each user or + machine. +

+ This option is only useful if Samba is set up as a logon server. +

Default: logon script = + +

Example: logon script = scripts\%U.bat + +

lppause command (S)

This parameter specifies the command to be + executed on the server host in order to stop printing or spooling + a specific print job.

This command should be a program or script which takes + a printer name and job number to pause the print job. One way + of implementing this is by using job priorities, where jobs + having a too low priority won't be sent to the printer.

If a %p is given then the printer name + is put in its place. A %j is replaced with + the job number (an integer). On HPUX (see printing=hpux +), if the -p%p option is added + to the lpq command, the job will show up with the correct status, i.e. + if the job priority is lower than the set fence priority it will + have the PAUSED status, whereas if the priority is equal or higher it + will have the SPOOLED or PRINTING status.

Note that it is good practice to include the absolute path + in the lppause command as the PATH may not be available to the server.

Default: lppause command = +# Currently no default value is given to + this string, unless the value of the printing + parameter is SYSV, in which case the default is : lp -i %p-%j -H hold or if the value of the printing parameter is SOFTQ, then the default is: qstat -s -j%j -h. + +

Example: lppause command = /usr/bin/lpalt %p-%j -p0 + +

lpq cache time (G)

This controls how long lpq info will be cached + for to prevent the lpq command being called too + often. A separate cache is kept for each variation of the + lpq command used by the system, so if you use different + lpq commands for different users then they won't + share cache information.

The cache files are stored in /tmp/lpq.xxxx + where xxxx is a hash of the lpq command in use.

The default is 10 seconds, meaning that the cached results + of a previous identical lpq command will be used + if the cached data is less than 10 seconds old. A large value may + be advisable if your lpq command is very slow.

A value of 0 will disable caching completely.

Default: lpq cache time = 10 + +

Example: lpq cache time = 30 + +

lpq command (S)

This parameter specifies the command to be + executed on the server host in order to obtain lpq + -style printer status information.

This command should be a program or script which + takes a printer name as its only parameter and outputs printer + status information.

Currently nine styles of printer status information + are supported; BSD, AIX, LPRNG, PLP, SYSV, HPUX, QNX, CUPS, and SOFTQ. + This covers most UNIX systems. You control which type is expected + using the printing = option.

Some clients (notably Windows for Workgroups) may not + correctly send the connection number for the printer they are + requesting status information about. To get around this, the + server reports on the first printer service connected to by the + client. This only happens if the connection number sent is invalid.

If a %p is given then the printer name + is put in its place. Otherwise it is placed at the end of the + command.

Note that it is good practice to include the absolute path + in the lpq command as the $PATH + may not be available to the server. When compiled with + the CUPS libraries, no lpq command is + needed because smbd will make a library call to obtain the + print queue listing.

Default: lpq command = + +

Example: lpq command = /usr/bin/lpq -P%p + +

lpresume command (S)

This parameter specifies the command to be + executed on the server host in order to restart or continue + printing or spooling a specific print job.

This command should be a program or script which takes + a printer name and job number to resume the print job. See + also the lppause command parameter.

If a %p is given then the printer name + is put in its place. A %j is replaced with + the job number (an integer).

Note that it is good practice to include the absolute path + in the lpresume command as the PATH may not + be available to the server.

Warning

If two clients use the same magic script + in the same directory the output file content + is undefined.

Default: magic output = <magic script name>.out + +

Example: magic output = myfile.txt + +

magic script (S)

This parameter specifies the name of a file which, + if opened, will be executed by the server when the file is closed. + This allows a UNIX script to be sent to the Samba host and + executed on behalf of the connected user.

Scripts executed in this way will be deleted upon + completion assuming that the user has the appropriate level + of privilege and the file permissions allow the deletion.

If the script generates output, output will be sent to + the file specified by the magic output + parameter (see above).

Note that some shells are unable to interpret scripts + containing CR/LF instead of CR as + the end-of-line marker. Magic scripts must be executable + as is on the host, which for some hosts and + some shells will require filtering at the DOS end.

Magic scripts are EXPERIMENTAL and + should NOT be relied upon.

Default: magic script = + +

Example: magic script = user.csh + +

mangled map (S)

This is for those who want to directly map UNIX + file names which cannot be represented on Windows/DOS. The mangling + of names is not always what is needed. In particular you may have + documents with file extensions that differ between DOS and UNIX. + For example, under UNIX it is common to use .html + for HTML files, whereas under Windows/DOS .htm + is more commonly used.

So to map html to htm + you would use:

mangled map = (*.html *.htm).

One very useful case is to remove the annoying ;1 + off the ends of filenames on some CDROMs (only visible + under some UNIXes). To do this use a map of (*;1 *;).

Default: mangled map = +# no mangled map + +

Example: mangled map = (*;1 *;) + +

mangled names (S)

This controls whether non-DOS names under UNIX + should be mapped to DOS-compatible names ("mangled") and made visible, + or whether non-DOS names should simply be ignored.

See the section on name mangling for + details on how to control the mangling process.

If mangling is used then the mangling algorithm is as follows:

The first (up to) five alphanumeric characters + before the rightmost dot of the filename are preserved, forced + to upper case, and appear as the first (up to) five characters + of the mangled name.
A tilde "~" is appended to the first part of the mangled + name, followed by a two-character unique sequence, based on the + original root name (i.e., the original filename minus its final + extension). The final extension is included in the hash calculation + only if it contains any upper case characters or is longer than three + characters.
Note that the character to use may be specified using + the mangling char + option, if you don't like '~'.
Files whose UNIX name begins with a dot will be + presented as DOS hidden files. The mangled name will be created as + for other filenames, but with the leading dot removed and "___" as + its extension regardless of actual original extension (that's three + underscores).

The two-digit hash value consists of upper case alphanumeric characters.

This algorithm can cause name collisions only if files + in a directory share the same first five alphanumeric characters. + The probability of such a clash is 1/1300.

The name mangling (if enabled) allows a file to be + copied between UNIX directories from Windows/DOS while retaining + the long UNIX filename. UNIX files can be renamed to a new extension + from Windows/DOS and will retain the same basename. Mangled names + do not change between sessions.

Default: mangled names = yes + +

mangle prefix (G)

controls the number of prefix + characters from the original name used when generating + the mangled names. A larger value will give a weaker + hash and therefore more name collisions. The minimum + value is 1 and the maximum value is 6.

+ mangle prefix is effective only when mangling method is hash2. +

Default: mangle prefix = 1 + +

Example: mangle prefix = 4 + +

mangling char (S)

This controls what character is used as + the magic character in name mangling. The + default is a '~' but this may interfere with some software. Use this option to set + it to whatever you prefer. This is effective only when mangling method is hash.

Default: mangling char = ~ + +

Example: mangling char = ^ + +

mangling method (G)

controls the algorithm used for the generating + the mangled names. Can take two different values, "hash" and + "hash2". "hash" is the algorithm that was used + used in Samba for many years and was the default in Samba 2.2.x "hash2" is + now the default and is newer and considered a better algorithm (generates less collisions) in + the names. Many Win32 applications store the mangled names and so + changing to algorithms must not be done lightly as these applications + may break unless reinstalled.

Default: mangling method = hash2 + +

Example: mangling method = hash + +

map acl inherit (S)

This boolean parameter controls whether smbd(8) will attempt to map the 'inherit' and 'protected' + access control entry flags stored in Windows ACLs into an extended attribute + called user.SAMBA_PAI. This parameter only takes effect if Samba is being run + on a platform that supports extended attributes (Linux and IRIX so far) and + allows the Windows 2000 ACL editor to correctly use inheritance with the Samba + POSIX ACL mapping code. +

Default: map acl inherit = no + +

map archive (S)

This controls whether the DOS archive attribute + should be mapped to the UNIX owner execute bit. The DOS archive bit + is set when a file has been modified since its last backup. One + motivation for this option it to keep Samba/your PC from making + any file it touches from becoming executable under UNIX. This can + be quite annoying for shared source code, documents, etc...

Note that this requires the create mask + parameter to be set such that owner execute bit is not masked out + (i.e. it must include 100). See the parameter create mask for details.

Default: map archive = yes + +

map hidden (S)

This controls whether DOS style hidden files + should be mapped to the UNIX world execute bit.

Note that this requires the create mask + to be set such that the world execute bit is not masked out (i.e. + it must include 001). See the parameter create mask for details.

No default

map system (S)

This controls whether DOS style system files + should be mapped to the UNIX group execute bit.

Note that this requires the create mask + to be set such that the group execute bit is not masked out (i.e. + it must include 010). See the parameter create mask + for details.

Default: map system = no + +

map to guest (G)

This parameter is only useful in SECURITY = + security modes other than security = share + - i.e. user, server, + and domain.

This parameter can take four different values, which tell + smbd(8) what to do with user + login requests that don't match a valid UNIX user in some way.

The three settings are :

Never - Means user login + requests with an invalid password are rejected. This is the + default.
Bad User - Means user + logins with an invalid password are rejected, unless the username + does not exist, in which case it is treated as a guest login and + mapped into the guest account.
Bad Password - Means user logins + with an invalid password are treated as a guest login and mapped + into the guest account. Note that + this can cause problems as it means that any user incorrectly typing + their password will be silently logged on as "guest" - and + will not know the reason they cannot access files they think + they should - there will have been no message given to them + that they got their password wrong. Helpdesk services will + hate you if you set the map to + guest parameter this way :-).
Bad Uid - Is only applicable when Samba is configured + in some type of domain mode security (security = {domain|ads}) and means that + user logins which are successfully authenticated but which have no valid Unix + user account (and smbd is unable to create one) should be mapped to the defined + guest account. This was the default behavior of Samba 2.x releases. Note that + if a member server is running winbindd, this option should never be required + because the nss_winbind library will export the Windows domain users and groups + to the underlying OS via the Name Service Switch interface.

Note that this parameter is needed to set up "Guest" + share services when using security modes other than + share. This is because in these modes the name of the resource being + requested is not sent to the server until after + the server has successfully authenticated the client so the server + cannot make authentication decisions at the correct time (connection + to the share) for "Guest" shares.

For people familiar with the older Samba releases, this + parameter maps to the old compile-time setting of the + GUEST_SESSSETUP value in local.h.

Default: map to guest = Never + +

Example: map to guest = Bad User + +

max connections (S)

This option allows the number of simultaneous connections to a service to be limited. + If max connections is greater than 0 then connections + will be refused if this number of connections to the service are already open. A value + of zero mean an unlimited number of connections may be made.

Record lock files are used to implement this feature. The lock files will be stored in + the directory specified by the lock directory option.

Default: max connections = 0 + +

Example: max connections = 10 + +

max disk size (G)

This option allows you to put an upper limit + on the apparent size of disks. If you set this option to 100 + then all shares will appear to be not larger than 100 MB in + size.

Note that this option does not limit the amount of + data you can put on the disk. In the above case you could still + store much more than 100 MB on the disk, but if a client ever asks + for the amount of free disk space or the total disk size then the + result will be bounded by the amount specified in max + disk size.

This option is primarily useful to work around bugs + in some pieces of software that can't handle very large disks, + particularly disks over 1GB in size.

A max disk size of 0 means no limit.

Default: max disk size = 0 + +

Example: max disk size = 1000 + +

max log size (G)

This option (an integer in kilobytes) specifies + the max size the log file should grow to. Samba periodically checks + the size and if it is exceeded it will rename the file, adding + a .old extension.

A size of 0 means no limit.

Default: max log size = 5000 + +

Default: max log size = 1000 + +

max mux (G)

This option controls the maximum number of + outstanding simultaneous SMB operations that Samba tells the client + it will allow. You should never need to set this parameter.

Default: max mux = 50 + +

max open files (G)

This parameter limits the maximum number of + open files that one smbd(8) file + serving process may have open for a client at any one time. The + default for this parameter is set very high (10,000) as Samba uses + only one bit per unopened file.

The limit of the number of open files is usually set + by the UNIX per-process file descriptor limit rather than + this parameter so you should never need to touch this parameter.

Default: max open files = 10000 + +

max print jobs (S)

This parameter limits the maximum number of + jobs allowable in a Samba printer queue at any given moment. + If this number is exceeded, smbd(8) will remote "Out of Space" to the client. +

Default: max print jobs = 1000 + +

Example: max print jobs = 5000 + +

protocol

This parameter is a synonym for max protocol.

max protocol (G)

The value of the parameter (a string) is the highest + protocol level that will be supported by the server.

Possible values are :

CORE: Earliest version. No + concept of user names.
COREPLUS: Slight improvements on + CORE for efficiency.
LANMAN1: First + modern version of the protocol. Long filename + support.
LANMAN2: Updates to Lanman1 protocol.
NT1: Current up to date version of the protocol. + Used by Windows NT. Known as CIFS.

Normally this option should not be set as the automatic + negotiation phase in the SMB protocol takes care of choosing + the appropriate protocol.

Default: max protocol = NT1 + +

Example: max protocol = LANMAN1 + +

max reported print jobs (S)

This parameter limits the maximum number of + jobs displayed in a port monitor for Samba printer queue at any given + moment. If this number is exceeded, the excess jobs will not be shown. + A value of zero means there is no limit on the number of print + jobs reported.

Default: max reported print jobs = 0 + +

Example: max reported print jobs = 1000 + +

max smbd processes (G)

This parameter limits the maximum number of smbd(8) processes concurrently running on a system and is intended + as a stopgap to prevent degrading service to clients in the event that the server has insufficient + resources to handle more than this number of connections. Remember that under normal operating + conditions, each user will have an smbd(8) associated with him or her to handle connections to all + shares from a given host.

Default: max smbd processes = 0 + +

Example: max smbd processes = 1000 + +

max stat cache size (G)

This parameter limits the size in memory of any + stat cache being used + to speed up case insensitive name mappings. This parameter is + the number of kilobyte (1024) units the stat cache can use. + The default is zero, which means unlimited. You should not need + to change this parameter.

Default: max stat cache size = 0 + +

Example: max stat cache size = 1024 + +

max ttl (G)

This option tells nmbd(8) what the default 'time to live' + of NetBIOS names should be (in seconds) when nmbd is + requesting a name using either a broadcast packet or from a WINS server. You should + never need to change this parameter. The default is 3 days.

Default: max ttl = 259200 + +

max wins ttl (G)

This option tells smbd(8) when acting as a WINS server + (wins support = yes) what the maximum + 'time to live' of NetBIOS names that nmbd + will grant will be (in seconds). You should never need to change this + parameter. The default is 6 days (518400 seconds).

Default: max wins ttl = 518400 + +

max xmit (G)

This option controls the maximum packet size + that will be negotiated by Samba. The default is 65535, which + is the maximum. In some cases you may find you get better performance + with a smaller value. A value below 2048 is likely to cause problems. +

Default: max xmit = 65535 + +

Example: max xmit = 8192 + +

message command (G)

This specifies what command to run when the + server receives a WinPopup style message.

This would normally be a command that would + deliver the message somehow. How this is to be done is + up to your imagination.

An example is:

message command = csh -c 'xedit %s;rm %s' & +

This delivers the message using xedit, then + removes it afterwards. NOTE THAT IT IS VERY IMPORTANT + THAT THIS COMMAND RETURN IMMEDIATELY. That's why I + have the '&' on the end. If it doesn't return immediately then + your PCs may freeze when sending messages (they should recover + after 30 seconds, hopefully).

All messages are delivered as the global guest user. + The command takes the standard substitutions, although + %u won't work (%U may be better + in this case).

Apart from the standard substitutions, some additional + ones apply. In particular:

%s = the filename containing + the message.
%t = the destination that + the message was sent to (probably the server name).
%f = who the message + is from.

You could make this command send mail, or whatever else + takes your fancy. Please let us know of any really interesting + ideas you have.

Here's a way of sending the messages as mail to root:

message command = /bin/mail -s 'message from %f on + %m' root < %s; rm %s

If you don't have a message command then the message + won't be delivered and Samba will tell the sender there was + an error. Unfortunately WfWg totally ignores the error code + and carries on regardless, saying that the message was delivered. +

If you want to silently delete it then try:

message command = rm %s

Default: message command = + +

Example: message command = csh -c 'xedit %s; rm %s' & + +

min print space (S)

This sets the minimum amount of free disk + space that must be available before a user will be able to spool + a print job. It is specified in kilobytes. The default is 0, which + means a user can always spool a print job.

Default: min print space = 0 + +

Example: min print space = 2000 + +

min protocol (G)

The value of the parameter (a string) is the + lowest SMB protocol dialect than Samba will support. Please refer + to the max protocol + parameter for a list of valid protocol names and a brief description + of each. You may also wish to refer to the C source code in + source/smbd/negprot.c for a listing of known protocol + dialects supported by clients.

If you are viewing this parameter as a security measure, you should + also refer to the lanman auth parameter. Otherwise, you should never need + to change this parameter.

Default: min protocol = CORE + +

Example: min protocol = NT1 + +

min wins ttl (G)

This option tells nmbd(8) + when acting as a WINS server (wins support = yes) what the minimum 'time to live' + of NetBIOS names that nmbd will grant will be (in + seconds). You should never need to change this parameter. The default + is 6 hours (21600 seconds).

Default: min wins ttl = 21600 + +

msdfs proxy (S)

This parameter indicates that the share is a + stand-in for another CIFS share whose location is specified by + the value of the parameter. When clients attempt to connect to + this share, they are redirected to the proxied share using + the SMB-Dfs protocol.

Only Dfs roots can act as proxy shares. Take a look at the + msdfs root and host msdfs + options to find out how to set up a Dfs root share.

No default

Example: msdfs proxy = \otherserver\someshare + +

msdfs root (S)

If set to yes, Samba treats the + share as a Dfs root and allows clients to browse the + distributed file system tree rooted at the share directory. + Dfs links are specified in the share directory by symbolic + links of the form msdfs:serverA\\shareA,serverB\\shareB + and so on. For more information on setting up a Dfs tree on + Samba, refer to the MSDFS chapter in the Samba3-HOWTO book.

Default: msdfs root = no + +

name cache timeout (G)

Specifies the number of seconds it takes before + entries in samba's hostname resolve cache time out. If + the timeout is set to 0. the caching is disabled. +

Default: name cache timeout = 660 + +

Example: name cache timeout = 0 + +

name resolve order (G)

This option is used by the programs in the Samba + suite to determine what naming services to use and in what order + to resolve host names to IP addresses. Its main purpose to is to + control how netbios name resolution is performed. The option takes a space + separated string of name resolution options.

The options are: "lmhosts", "host", + "wins" and "bcast". They cause names to be + resolved as follows:

lmhosts : Lookup an IP + address in the Samba lmhosts file. If the line in lmhosts has + no name type attached to the NetBIOS name (see the <usmbconfoption>lmhosts(5)</usmbconfoption> for details) then + any name type matches for lookup.
host : Do a standard host + name to IP address resolution, using the system /etc/hosts +, NIS, or DNS lookups. This method of name resolution + is operating system depended for instance on IRIX or Solaris this + may be controlled by the /etc/nsswitch.conf + file. Note that this method is used only if the NetBIOS name + type being queried is the 0x20 (server) name type or 0x1c (domain controllers). + The latter case is only useful for active directory domains and results in a DNS + query for the SRV RR entry matching _ldap._tcp.domain.
wins : Query a name with + the IP address listed in the WINSSERVER parameter. If no WINS server has + been specified this method will be ignored.
bcast : Do a broadcast on + each of the known local interfaces listed in the interfaces + parameter. This is the least reliable of the name resolution + methods as it depends on the target host being on a locally + connected subnet.

The example below will cause the local lmhosts file to be examined + first, followed by a broadcast attempt, followed by a normal + system hostname lookup.

When Samba is functioning in ADS security mode (security = ads) + it is advised to use following settings for name resolve order:

name resolve order = wins bcast

DC lookups will still be done via DNS, but fallbacks to netbios names will + not inundate your DNS servers with needless querys for DOMAIN<0x1c> lookups.

Default: name resolve order = lmhosts host wins bcast + +

Example: name resolve order = lmhosts bcast host + +

netbios aliases (G)

This is a list of NetBIOS names that nmbd will + advertise as additional names by which the Samba server is known. This allows one machine + to appear in browse lists under multiple names. If a machine is acting as a browse server + or logon server none of these names will be advertised as either browse server or logon + servers, only the primary name of the machine will be advertised with these capabilities. +

Default: netbios aliases = +# empty string (no additional names) + +

Example: netbios aliases = TEST TEST1 TEST2 + +

netbios name (G)

This sets the NetBIOS name by which a Samba + server is known. By default it is the same as the first component + of the host's DNS name. If a machine is a browse server or + logon server this name (or the first component + of the hosts DNS name) will be the name that these services are + advertised under.

Default: netbios name = +# machine DNS name + +

Example: netbios name = MYNAME + +

netbios scope (G)

This sets the NetBIOS scope that Samba will + operate under. This should not be set unless every machine + on your LAN also sets this value.

Default: netbios scope = + +

nis homedir (G)

Get the home share server from a NIS map. For + UNIX systems that use an automounter, the user's home directory + will often be mounted on a workstation on demand from a remote + server.

When the Samba logon server is not the actual home directory + server, but is mounting the home directories via NFS then two + network hops would be required to access the users home directory + if the logon server told the client to use itself as the SMB server + for home directories (one over SMB and one over NFS). This can + be very slow.

This option allows Samba to return the home share as + being on a different server to the logon server and as + long as a Samba daemon is running on the home directory server, + it will be mounted on the Samba client directly from the directory + server. When Samba is returning the home share to the client, it + will consult the NIS map specified in + homedir map and return the server + listed there.

Note that for this option to work there must be a working + NIS system and the Samba server with this option must also + be a logon server.

Default: nis homedir = no + +

nt acl support (S)

This boolean parameter controls whether smbd(8) will attempt to map + UNIX permissions into Windows NT access control lists. + This parameter was formally a global parameter in releases + prior to 2.2.2.

Default: nt acl support = yes + +

ntlm auth (G)

This parameter determines whether or not smbd(8) will attempt to + authenticate users using the NTLM encrypted password response. + If disabled, either the lanman password hash or an NTLMv2 response + will need to be sent by the client.

If this option, and lanman + auth are both disabled, then only NTLMv2 logins will be + permited. Not all clients support NTLMv2, and most will require + special configuration to us it.

Default: ntlm auth = yes + +

nt pipe support (G)

This boolean parameter controls whether + smbd(8) will allow Windows NT + clients to connect to the NT SMB specific IPC$ + pipes. This is a developer debugging option and can be left + alone.

Default: nt pipe support = yes + +

nt status support (G)

This boolean parameter controls whether smbd(8) will negotiate NT specific status + support with Windows NT/2k/XP clients. This is a developer debugging option and should be left alone. + If this option is set to no then Samba offers + exactly the same DOS error codes that versions prior to Samba 2.2.3 + reported.

You should not need to ever disable this parameter.

Default: nt status support = yes + +

null passwords (G)

Allow or disallow client access to accounts that have null passwords.

Warning

DO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ AND + UNDERSTOOD THE SAMBA OPLOCK CODE.

Default: oplock break wait time = 0 + +

oplock contention limit (S)

This is a very advanced + smbd(8) tuning option to + improve the efficiency of the granting of oplocks under multiple + client contention for the same file.

In brief it specifies a number, which causes smbd(8)not to grant an oplock even when requested + if the approximate number of clients contending for an oplock on the same file goes over this + limit. This causes smbd to behave in a similar + way to Windows NT.

Warning

DO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ + AND UNDERSTOOD THE SAMBA OPLOCK CODE.

Default: oplock contention limit = 2 + +

oplocks (S)

This boolean option tells smbd whether to + issue oplocks (opportunistic locks) to file open requests on this + share. The oplock code can dramatically (approx. 30% or more) improve + the speed of access to files on Samba servers. It allows the clients + to aggressively cache files locally and you may want to disable this + option for unreliable network environments (it is turned on by + default in Windows NT Servers). For more information see the file + Speed.txt in the Samba docs/ + directory.

Oplocks may be selectively turned off on certain files with a + share. See the veto oplock files parameter. On some systems + oplocks are recognized by the underlying operating system. This + allows data synchronization between all access to oplocked files, + whether it be via Samba or NFS or a local UNIX process. See the + kernel oplocks parameter for details.

Default: oplocks = yes + +

os2 driver map (G)

The parameter is used to define the absolute + path to a file containing a mapping of Windows NT printer driver + names to OS/2 printer driver names. The format is:

For example, a valid entry using the HP LaserJet 5 + printer driver would appear as HP LaserJet 5L = LASERJET.HP + LaserJet 5L.

+ The need for the file is due to the printer driver namespace problem described in the chapter on Classical Printing in the book Samba3-HOWTO. For more + details on OS/2 clients, please refer to ???. +

Default: os2 driver map = + +

os level (G)

This integer value controls what level Samba + advertises itself as for browse elections. The value of this + parameter determines whether nmbd(8) +has a chance of becoming a local master browser for the workgroup in the local broadcast area.

Note :By default, Samba will win + a local master browsing election over all Microsoft operating + systems except a Windows NT 4.0/2000 Domain Controller. This + means that a misconfigured Samba host can effectively isolate + a subnet for browsing purposes. See BROWSING.txt + in the Samba docs/ directory + for details.

Default: os level = 20 + +

Example: os level = 65 + +

pam password change (G)

With the addition of better PAM support in Samba 2.2, + this parameter, it is possible to use PAM's password change control + flag for Samba. If enabled, then PAM will be used for password + changes when requested by an SMB client instead of the program listed in + passwd program. + It should be possible to enable this without changing your + passwd chat parameter for most setups.

Default: pam password change = no + +

panic action (G)

This is a Samba developer option that allows a + system command to be called when either smbd(8) or smbd(8) crashes. This is usually used to +draw attention to the fact that a problem occurred.

Default: panic action = + +

Example: panic action = "/bin/sleep 90000" + +

paranoid server security (G)

Some version of NT 4.x allow non-guest + users with a bad passowrd. When this option is enabled, samba will not + use a broken NT 4.x server as password server, but instead complain + to the logs and exit. +

Disabling this option prevents Samba from making + this check, which involves deliberatly attempting a + bad logon to the remote server.

Default: paranoid server security = yes + +

passdb backend (G)

This option allows the administrator to chose which backends + to retrieve and store passwords with. This allows (for example) both + smbpasswd and tdbsam to be used without a recompile. Multiple + backends can be specified, separated by spaces. The backends will be + searched in the order they are specified. New users are always added + to the first backend specified.

This parameter is in two parts, the backend's name, and a 'location' + string that has meaning only to that particular backed. These are separated + by a : character.

Available backends can include: +

smbpasswd - The default smbpasswd + backend. Takes a path to the smbpasswd file as an optional argument. +
tdbsam - The TDB based password storage + backend. Takes a path to the TDB as an optional argument (defaults to passdb.tdb + in the private dir directory.
ldapsam - The LDAP based passdb + backend. Takes an LDAP URL as an optional argument (defaults to + ldap://localhost)
LDAP connections should be secured where possible. This may be done using either + Start-TLS (see ldap ssl) or by + specifying ldaps:// in + the URL argument.
Multiple servers may also be specified in double-quotes, if your + LDAP libraries supports the LDAP URL notation. + (OpenLDAP does). +
nisplussam - + The NIS+ based passdb backend. Takes name NIS domain as + an optional argument. Only works with sun NIS+ servers. +
mysql - + The MySQL based passdb backend. Takes an identifier as + argument. Read the Samba HOWTO Collection for configuration + details. +

+ +

+ Examples of use are: +

+passdb backend = tdbsam:/etc/samba/private/passdb.tdb \
+    smbpasswd:/etc/samba/smbpasswd
+
+or
+
+passdb backend = ldapsam:ldaps://ldap.example.com
+
+or
+
+passdb backend = ldapsam:"ldap://ldap-1.example.com \
+    ldap://ldap-2.example.com"
+
+or
+
+passdb backend = mysql:my_plugin_args tdbsam
+

Default: passdb backend = smbpasswd + +

passwd chat (G)

This string controls the "chat" + conversation that takes places between smbd(8) and the local password changing + program to change the user's password. The string describes a + sequence of response-receive pairs that smbd(8) uses to determine what to send to the + passwd program and what to expect back. If the expected output is not + received then the password is not changed.

This chat sequence is often quite site specific, depending + on what local methods are used for password control (such as NIS + etc).

Note that this parameter only is only used if the unix password sync parameter is set to yes. This sequence is + then called AS ROOT when the SMB password in the + smbpasswd file is being changed, without access to the old password + cleartext. This means that root must be able to reset the user's password without + knowing the text of the previous password. In the presence of + NIS/YP, this means that the passwd program must + be executed on the NIS master. +

The string can contain the macro %n which is substituted + for the new password. The chat sequence can also contain the standard + macros \n, \r, \t and \s to + give line-feed, carriage-return, tab and space. The chat sequence string can also contain + a '*' which matches any sequence of characters. Double quotes can be used to collect strings with spaces + in them into a single string.

If the send string in any part of the chat sequence is a full + stop ".", then no string is sent. Similarly, if the + expect string is a full stop then no string is expected.

If the pam password change parameter is set to yes, the + chat pairs may be matched in any order, and success is determined by the PAM result, not any particular + output. The \n macro is ignored for PAM conversions. +

Default: passwd chat = *new*password* %n\n*new*password* %n\n *changed* + +

Example: passwd chat = "*Enter OLD password*" %o\n "*Enter NEW password*" %n\n "*Reenter NEW password*" %n\n "*Password changed*" + +

passwd chat debug (G)

This boolean specifies if the passwd chat script + parameter is run in debug mode. In this mode the + strings passed to and received from the passwd chat are printed + in the smbd(8) log with a + debug level + of 100. This is a dangerous option as it will allow plaintext passwords + to be seen in the smbd log. It is available to help + Samba admins debug their passwd chat scripts + when calling the passwd program and should + be turned off after this has been done. This option has no effect if the + pam password change + paramter is set. This parameter is off by default.

Default: passwd chat debug = no + +

passwd chat timeout (G)

This integer specifies the number of seconds smbd will wait for an initial + answer from a passwd chat script being run. Once the initial answer is received + the subsequent answers must be received in one tenth of this time. The default it + two seconds.

Default: passwd chat timeout = 2 + +

passwd program (G)

The name of a program that can be used to set + UNIX user passwords. Any occurrences of %u + will be replaced with the user name. The user name is checked for + existence before calling the password changing program.

Also note that many passwd programs insist in reasonable + passwords, such as a minimum length, or the inclusion + of mixed case chars and digits. This can pose a problem as some clients + (such as Windows for Workgroups) uppercase the password before sending + it.

Note that if the unix + password sync parameter is set to yes + then this program is called AS ROOT + before the SMB password in the smbpasswd + file is changed. If this UNIX password change fails, then + smbd will fail to change the SMB password also + (this is by design).

If the unix password sync parameter + is set this parameter MUST USE ABSOLUTE PATHS + for ALL programs called, and must be examined + for security implications. Note that by default unix + password sync is set to no.

Default: passwd program = + +

Example: passwd program = /bin/passwd %u + +

password level (G)

Some client/server combinations have difficulty + with mixed-case passwords. One offending client is Windows for + Workgroups, which for some reason forces passwords to upper + case when using the LANMAN1 protocol, but leaves them alone when + using COREPLUS! Another problem child is the Windows 95/98 + family of operating systems. These clients upper case clear + text passwords even when NT LM 0.12 selected by the protocol + negotiation request/response.

This parameter defines the maximum number of characters + that may be upper case in passwords.

For example, say the password given was "FRED". If + password level is set to 1, the following combinations + would be tried if "FRED" failed:

"Fred", "fred", "fRed", "frEd","freD"

If password level was set to 2, + the following combinations would also be tried:

"FRed", "FrEd", "FreD", "fREd", "fReD", "frED", ..

And so on.

The higher value this parameter is set to the more likely + it is that a mixed case password will be matched against a single + case password. However, you should be aware that use of this + parameter reduces security and increases the time taken to + process a new connection.

A value of zero will cause only two attempts to be + made - the password as is and the password in all-lower case.

This parameter is used only when using plain-text passwords. It is + not at all used when encrypted passwords as in use (that is the default + since samba-3.0.0). Use this only when encrypt passwords = No.

Default: password level = 0 + +

Example: password level = 4 + +

password server (G)

By specifying the name of another SMB server + or Active Directory domain controller with this option, + and using security = [ads|domain|server] + it is possible to get Samba to + to do all its username/password validation using a specific remote server.

This option sets the name or IP address of the password server to use. + New syntax has been added to support defining the port to use when connecting + to the server the case of an ADS realm. To define a port other than the + default LDAP port of 389, add the port number using a colon after the + name or IP address (e.g. 192.168.1.100:389). If you do not specify a port, + Samba will use the standard LDAP port of tcp/389. Note that port numbers + have no effect on password servers for Windows NT 4.0 domains or netbios + connections.

If parameter is a name, it is looked up using the + parameter name resolve order and so may resolved + by any method and order described in that parameter.

The password server must be a machine capable of using + the "LM1.2X002" or the "NT LM 0.12" protocol, and it must be in + user level security mode.

Note

Using a password server means your UNIX box (running + Samba) is only as secure as your password server. DO NOT + CHOOSE A PASSWORD SERVER THAT YOU DON'T COMPLETELY TRUST. +

Never point a Samba server at itself for password serving. + This will cause a loop and could lock up your Samba server!

The name of the password server takes the standard + substitutions, but probably the only useful one is %m +, which means the Samba server will use the incoming + client as the password server. If you use this then you better + trust your clients, and you had better restrict them with hosts allow!

If the security parameter is set to + domain or ads, then the list of machines in this + option must be a list of Primary or Backup Domain controllers for the + Domain or the character '*', as the Samba server is effectively + in that domain, and will use cryptographically authenticated RPC calls + to authenticate the user logging on. The advantage of using + security = domain is that if you list several hosts in the + password server option then smbd + will try each in turn till it finds one that responds. This + is useful in case your primary server goes down.

If the password server option is set + to the character '*', then Samba will attempt to auto-locate the + Primary or Backup Domain controllers to authenticate against by + doing a query for the name WORKGROUP<1C> + and then contacting each server returned in the list of IP + addresses from the name resolution source.

If the list of servers contains both names/IP's and the '*' + character, the list is treated as a list of preferred + domain controllers, but an auto lookup of all remaining DC's + will be added to the list as well. Samba will not attempt to optimize + this list by locating the closest DC.

If the security parameter is + set to server, then there are different + restrictions that security = domain doesn't + suffer from:

You may list several password servers in + the password server parameter, however if an + smbd makes a connection to a password server, + and then the password server fails, no more users will be able + to be authenticated from this smbd. This is a + restriction of the SMB/CIFS protocol when in security = server + mode and cannot be fixed in Samba.
If you are using a Windows NT server as your + password server then you will have to ensure that your users + are able to login from the Samba server, as when in + security = server mode the network logon will appear to + come from there rather than from the users workstation.

Default: password server = + +

Example: password server = NT-PDC, NT-BDC1, NT-BDC2, * + +

Example: password server = windc.mydomain.com:389 192.168.1.101 * + +

Example: password server = * + +

directory

This parameter is a synonym for path.

path (S)

This parameter specifies a directory to which + the user of the service is to be given access. In the case of + printable services, this is where print data will spool prior to + being submitted to the host for printing.

For a printable service offering guest access, the service + should be readonly and the path should be world-writeable and + have the sticky bit set. This is not mandatory of course, but + you probably won't get the results you expect if you do + otherwise.

Any occurrences of %u in the path + will be replaced with the UNIX username that the client is using + on this connection. Any occurrences of %m + will be replaced by the NetBIOS name of the machine they are + connecting from. These replacements are very useful for setting + up pseudo home directories for users.

Note that this path will be based on root dir + if one was specified.

Default: path = + +

Example: path = /home/fred + +

pid directory (G)

This option specifies the directory where pid + files will be placed.

Default: pid directory = ${prefix}/var/locks + +

Example: pid directory = pid directory = /var/run/ + +

posix locking (S)

The smbd(8) + daemon maintains an database of file locks obtained by SMB clients. + The default behavior is to map this internal database to POSIX + locks. This means that file locks obtained by SMB clients are + consistent with those seen by POSIX compliant applications accessing + the files via a non-SMB method (e.g. NFS or local file access). + You should never need to disable this parameter.

Default: posix locking = yes + +

postexec (S)

This option specifies a command to be run + whenever the service is disconnected. It takes the usual + substitutions. The command may be run as the root on some + systems.

An interesting example may be to unmount server + resources:

postexec = /etc/umount /cdrom

Default: postexec = + +

Example: postexec = echo \"%u disconnected from %S from %m (%I)\" >> /tmp/log + +

exec

This parameter is a synonym for preexec.

preexec (S)

This option specifies a command to be run whenever + the service is connected to. It takes the usual substitutions.

An interesting example is to send the users a welcome + message every time they log in. Maybe a message of the day? Here + is an example:

+ preexec = csh -c 'echo \"Welcome to %S!\" | + /usr/local/samba/bin/smbclient -M %m -I %I' & +

Of course, this could get annoying after a while :-)

+ See also preexec close and postexec. +

Default: preexec = + +

Example: preexec = echo \"%u connected to %S from %m (%I)\" >> /tmp/log + +

preexec close (S)

This boolean option controls whether a non-zero + return code from preexec should close the service being connected to.

Default: preexec close = no + +

prefered master

This parameter is a synonym for preferred master.

preferred master (G)

This boolean parameter controls if + nmbd(8) is a preferred master + browser for its workgroup.

If this is set to yes, on startup, nmbd + will force an election, and it will have a slight advantage in + winning the election. It is recommended that this parameter is + used in conjunction with + domain master = yes, so + that nmbd can guarantee becoming a domain master.

Use this option with caution, because if there are several + hosts (whether Samba servers, Windows 95 or NT) that are + preferred master browsers on the same subnet, they will each + periodically and continuously attempt to become the local + master browser. This will result in unnecessary broadcast + traffic and reduced browsing capabilities.

Default: preferred master = auto + +

auto services

This parameter is a synonym for preload.

preload (G)

This is a list of services that you want to be + automatically added to the browse lists. This is most useful + for homes and printers services that would otherwise not be + visible.

+ Note that if you just want all printers in your + printcap file loaded then the load printers + option is easier. +

Default: preload = + +

Example: preload = fred lp colorlp + +

preload modules (G)

This is a list of paths to modules that should + be loaded into smbd before a client connects. This improves + the speed of smbd when reacting to new connections somewhat.

Default: preload modules = + +

Example: preload modules = /usr/lib/samba/passdb/mysql.so + +

preserve case (S)

This controls if new filenames are created + with the case that the client passes, or if they are forced to + be the default case.

See the section on NAME MANGLING for a fuller discussion.

Default: preserve case = yes + +

print ok

This parameter is a synonym for printable.

printable (S)

If this parameter is yes, then + clients may open, write to and submit spool files on the directory + specified for the service.

Note that a printable service will ALWAYS allow writing + to the service path (user privileges permitting) via the spooling + of print data. The read only parameter controls only non-printing access to + the resource.

Default: printable = no + +

printcap cache time (G)

This option specifies the number of seconds before the printing + subsystem is again asked for the known printers. If the value + is greater than 60 the initial waiting time is set to 60 seconds + to allow an earlier first rescan of the printing subsystem. +

Setting this parameter to 0 (the default) disables any + rescanning for new or removed printers after the initial startup. +

Default: printcap cache time = 0 + +

Example: printcap cache time = 600 + +

printcap

This parameter is a synonym for printcap name.

printcap name (S)

This parameter may be used to override the + compiled-in default printcap name used by the server (usually + /etc/printcap). See the discussion of the [printers] section above for reasons + why you might want to do this.

To use the CUPS printing interface set printcap name = cups + . This should be supplemented by an addtional setting + printing = cups in the [global] + section. printcap name = cups will use the + "dummy" printcap created by CUPS, as specified in your CUPS + configuration file. +

On System V systems that use lpstat to + list available printers you can use printcap name = lpstat + to automatically obtain lists of available printers. This + is the default for systems that define SYSV at configure time in + Samba (this includes most System V based systems). If + printcap name is set to lpstat on + these systems then Samba will launch lpstat -v and + attempt to parse the output to obtain a printer list.

A minimal printcap file would look something like this:

+print1|My Printer 1
+print2|My Printer 2
+print3|My Printer 3
+print4|My Printer 4
+print5|My Printer 5
+

where the '|' separates aliases of a printer. The fact + that the second alias has a space in it gives a hint to Samba + that it's a comment.

Note

Under AIX the default printcap + name is /etc/qconfig. Samba will assume the + file is in AIX qconfig format if the string + qconfig appears in the printcap filename.

Default: printcap name = /etc/printcap + +

Example: printcap name = /etc/myprintcap + +

print command (S)

After a print job has finished spooling to + a service, this command will be used via a system() + call to process the spool file. Typically the command specified will + submit the spool file to the host's printing subsystem, but there + is no requirement that this be the case. The server will not remove + the spool file, so whatever command you specify should remove the + spool file when it has been processed, otherwise you will need to + manually remove old spool files.

The print command is simply a text string. It will be used + verbatim after macro substitutions have been made:

%s, %f - the path to the spool + file name

%p - the appropriate printer + name

%J - the job + name as transmitted by the client.

%c - The number of printed pages + of the spooled job (if known).

%z - the size of the spooled + print job (in bytes)

The print command MUST contain at least + one occurrence of %s or %f + - the %p is optional. At the time + a job is submitted, if no printer name is supplied the %p + will be silently removed from the printer command.

If specified in the [global] section, the print command given + will be used for any printable service that does not have its own + print command specified.

If there is neither a specified print command for a + printable service nor a global print command, spool files will + be created but not processed and (most importantly) not removed.

Note that printing may fail on some UNIXes from the + nobody account. If this happens then create + an alternative guest account that can print and set the guest account + in the [global] section.

You can form quite complex print commands by realizing + that they are just passed to a shell. For example the following + will log a print job, print the file, then remove it. Note that + ';' is the usual separator for command in shell scripts.

print command = echo Printing %s >> + /tmp/print.log; lpr -P %p %s; rm %s

You may have to vary this command considerably depending + on how you normally print files on your system. The default for + the parameter varies depending on the setting of the printing + parameter.

Default: For printing = BSD, AIX, QNX, LPRNG + or PLP :

print command = lpr -r -P%p %s

For printing = SYSV or HPUX :

print command = lp -c -d%p %s; rm %s

For printing = SOFTQ :

print command = lp -d%p -s %s; rm %s

For printing = CUPS : If SAMBA is compiled against + libcups, then printcap = cups + uses the CUPS API to + submit jobs, etc. Otherwise it maps to the System V + commands with the -oraw option for printing, i.e. it + uses lp -c -d%p -oraw; rm %s. + With printing = cups, + and if SAMBA is compiled against libcups, any manually + set print command will be ignored.

No default

Example: print command = /usr/local/samba/bin/myprintscript %p %s + +

printer admin (S)

+ This lists users who can do anything to printers + via the remote administration interfaces offered + by MS-RPC (usually using a NT workstation). + This parameter can be set per-share or globally. + Note: The root user always has admin rights. Use + caution with use in the global stanza as this can + cause side effects. +

Default: printer admin = + +

Example: printer admin = admin, @staff + +

printer

This parameter is a synonym for printer name.

printer name (S)

+ This parameter specifies the name of the printer to which print jobs spooled through a printable service + will be sent. +

+ If specified in the [global] section, the printer name given will be used for any printable service that + does not have its own printer name specified. +

+ The default value of the printer name may be lp on many + systems. +

Default: printer name = none + +

Example: printer name = laserwriter + +

printing (S)

This parameters controls how printer status information is + interpreted on your system. It also affects the default values for + the print command, lpq command, lppause command , lpresume command, and lprm command if specified in the + [global] section.

Currently nine printing styles are supported. They are + BSD, AIX, + LPRNG, PLP, + SYSV, HPUX, + QNX, SOFTQ, + and CUPS.

To see what the defaults are for the other print + commands when using the various options use the testparm(1) program.

This option can be set on a per printer basis. Please be + aware however, that you must place any of the various printing + commands (e.g. print command, lpq command, etc...) after defining + the value for the printing option since it will + reset the printing commands to default values.

See also the discussion in the + [printers] section.

No default

private dir (G)

This parameters defines the directory + smbd will use for storing such files as smbpasswd + and secrets.tdb. +

Default: private dir = ${prefix}/private + +

profile acls (S)

+ This boolean parameter was added to fix the problems that people have been + having with storing user profiles on Samba shares from Windows 2000 or + Windows XP clients. New versions of Windows 2000 or Windows XP service + packs do security ACL checking on the owner and ability to write of the + profile directory stored on a local workstation when copied from a Samba + share. +

When not in domain mode with winbindd then the security info copied + onto the local workstation has no meaning to the logged in user (SID) on + that workstation so the profile storing fails. Adding this parameter + onto a share used for profile storage changes two things about the + returned Windows ACL. Firstly it changes the owner and group owner + of all reported files and directories to be BUILTIN\\Administrators, + BUILTIN\\Users respectively (SIDs S-1-5-32-544, S-1-5-32-545). Secondly + it adds an ACE entry of "Full Control" to the SID BUILTIN\\Users to + every returned ACL. This will allow any Windows 2000 or XP workstation + user to access the profile.

Note that if you have multiple users logging + on to a workstation then in order to prevent them from being able to access + each others profiles you must remove the "Bypass traverse checking" advanced + user right. This will prevent access to other users profile directories as + the top level profile directory (named after the user) is created by the + workstation profile code and has an ACL restricting entry to the directory + tree to the owning user. +

Default: profile acls = no + +

queuepause command (S)

This parameter specifies the command to be + executed on the server host in order to pause the printer queue.

This command should be a program or script which takes + a printer name as its only parameter and stops the printer queue, + such that no longer jobs are submitted to the printer.

This command is not supported by Windows for Workgroups, + but can be issued from the Printers window under Windows 95 + and NT.

If a %p is given then the printer name + is put in its place. Otherwise it is placed at the end of the command. +

Note that it is good practice to include the absolute + path in the command as the PATH may not be available to the + server.

No default

Example: queuepause command = disable %p + +

queueresume command (S)

This parameter specifies the command to be + executed on the server host in order to resume the printer queue. It + is the command to undo the behavior that is caused by the + previous parameter (queuepause command).

This command should be a program or script which takes + a printer name as its only parameter and resumes the printer queue, + such that queued jobs are resubmitted to the printer.

This command is not supported by Windows for Workgroups, + but can be issued from the Printers window under Windows 95 + and NT.

If a %p is given then the printer name + is put in its place. Otherwise it is placed at the end of the + command.

Note that it is good practice to include the absolute + path in the command as the PATH may not be available to the + server.

Default: queueresume command = + +

Example: queueresume command = enable %p + +

read bmpx (G)

This boolean parameter controls whether + smbd(8) will support the "Read + Block Multiplex" SMB. This is now rarely used and defaults to + no. You should never need to set this + parameter.

Default: read bmpx = no + +

read list (S)

+ This is a list of users that are given read-only access to a service. If the connecting user is in this list + then they will not be given write access, no matter what the read only option is set + to. The list can include group names using the syntax described in the invalid users + parameter. +

This parameter will not work with the security = share in + Samba 3.0. This is by design.

Default: read list = + +

Example: read list = mary, @students + +

read only (S)

An inverted synonym is writeable.

If this parameter is yes, then users + of a service may not create or modify files in the service's + directory.

Note that a printable service (printable = yes) + will ALWAYS allow writing to the directory + (user privileges permitting), but only via spooling operations.

Default: read only = yes + +

read raw (G)

This parameter controls whether or not the server + will support the raw read SMB requests when transferring data + to clients.

If enabled, raw reads allow reads of 65535 bytes in + one packet. This typically provides a major performance benefit. +

However, some clients either negotiate the allowable + block size incorrectly or are incapable of supporting larger block + sizes, and for these clients you may need to disable raw reads.

In general this parameter should be viewed as a system tuning + tool and left severely alone.

Default: read raw = yes + +

realm (G)

This option specifies the kerberos realm to use. The realm is + used as the ADS equivalent of the NT4 domain. It + is usually set to the DNS name of the kerberos server. +

Default: realm = + +

Example: realm = mysambabox.mycompany.com + +

remote announce (G)

This option allows you to setup nmbd(8)to periodically announce itself + to arbitrary IP addresses with an arbitrary workgroup name.

This is useful if you want your Samba server to appear + in a remote workgroup for which the normal browse propagation + rules don't work. The remote workgroup can be anywhere that you + can send IP packets to.

For example:

remote announce = 192.168.2.255/SERVERS + 192.168.4.255/STAFF

the above line would cause nmbd to announce itself + to the two given IP addresses using the given workgroup names. + If you leave out the workgroup name then the one given in + the workgroup parameter is used instead.

The IP addresses you choose would normally be the broadcast + addresses of the remote networks, but can also be the IP addresses + of known browse masters if your network config is that stable.

See NetworkBrowsing.

Default: remote announce = + +

remote browse sync (G)

This option allows you to setup nmbd(8) to periodically request + synchronization of browse lists with the master browser of a Samba + server that is on a remote segment. This option will allow you to + gain browse lists for multiple workgroups across routed networks. This + is done in a manner that does not work with any non-Samba servers.

This is useful if you want your Samba server and all local + clients to appear in a remote workgroup for which the normal browse + propagation rules don't work. The remote workgroup can be anywhere + that you can send IP packets to.

For example:

remote browse sync = 192.168.2.255 192.168.4.255

the above line would cause nmbd to request + the master browser on the specified subnets or addresses to + synchronize their browse lists with the local server.

The IP addresses you choose would normally be the broadcast + addresses of the remote networks, but can also be the IP addresses + of known browse masters if your network config is that stable. If + a machine IP address is given Samba makes NO attempt to validate + that the remote machine is available, is listening, nor that it + is in fact the browse master on its segment.

Default: remote browse sync = + +

restrict anonymous (G)

The setting of this parameter determines whether user and + group list information is returned for an anonymous connection. + and mirrors the effects of the +

+HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
+           Control\LSA\RestrictAnonymous
+

+ registry key in Windows 2000 and Windows NT. When set to 0, user + and group list information is returned to anyone who asks. When set + to 1, only an authenticated user can retrive user and + group list information. For the value 2, supported by + Windows 2000/XP and Samba, no anonymous connections are allowed at + all. This can break third party and Microsoft + applications which expect to be allowed to perform + operations anonymously.

+ The security advantage of using restrict anonymous = 1 is dubious, + as user and group list information can be obtained using other + means. +

Note

+ The security advantage of using restrict anonymous = 2 is removed + by setting guest ok = yes on any share. +

Default: restrict anonymous = 0 + +

root

This parameter is a synonym for root directory.

root dir

This parameter is a synonym for root directory.

root directory (G)

The server will chroot() (i.e. + Change its root directory) to this directory on startup. This is + not strictly necessary for secure operation. Even without it the + server will deny access to files not in one of the service entries. + It may also check for, and deny access to, soft links to other + parts of the filesystem, or attempts to use ".." in file names + to access other directories (depending on the setting of the + wide smbconfoptions parameter). +

Adding a root directory entry other + than "/" adds an extra level of security, but at a price. It + absolutely ensures that no access is given to files not in the + sub-tree specified in the root directory + option, including some files needed for + complete operation of the server. To maintain full operability + of the server you will need to mirror some system files + into the root directory tree. In particular + you will need to mirror /etc/passwd (or a + subset of it), and any binaries or configuration files needed for + printing (if required). The set of files that must be mirrored is + operating system dependent.

Default: root directory = / + +

Example: root directory = /homes/smb + +

root postexec (S)

This is the same as the postexec + parameter except that the command is run as root. This + is useful for unmounting filesystems + (such as CDROMs) after a connection is closed.

Default: root postexec = + +

root preexec (S)

This is the same as the preexec + parameter except that the command is run as root. This + is useful for mounting filesystems (such as CDROMs) when a + connection is opened.

Default: root preexec = + +

root preexec close (S)

This is the same as the preexec close + parameter except that the command is run as root.

Default: root preexec close = no + +

security (G)

This option affects how clients respond to + Samba and is one of the most important settings in the + smb.conf file.

The option sets the "security mode bit" in replies to + protocol negotiations with smbd(8) to turn share level security on or off. Clients decide + based on this bit whether (and how) to transfer user and password + information to the server.

The default is security = user, as this is + the most common setting needed when talking to Windows 98 and + Windows NT.

The alternatives are security = share, + security = server or security = domain + .

In versions of Samba prior to 2.0.0, the default was + security = share mainly because that was + the only option at one stage.

There is a bug in WfWg that has relevance to this + setting. When in user or server level security a WfWg client + will totally ignore the password you type in the "connect + drive" dialog box. This makes it very difficult (if not impossible) + to connect to a Samba service as anyone except the user that + you are logged into WfWg as.

If your PCs use usernames that are the same as their + usernames on the UNIX machine then you will want to use + security = user. If you mostly use usernames + that don't exist on the UNIX box then use security = + share.

You should also use security = share if you + want to mainly setup shares without a password (guest shares). This + is commonly used for a shared printer server. It is more difficult + to setup guest shares with security = user, see + the map to guestparameter for details.

It is possible to use smbd in a + hybrid mode where it is offers both user and share + level security under different NetBIOS aliases.

The different settings will now be explained.

SECURITY = SHARE

When clients connect to a share level security server they + need not log onto the server with a valid username and password before + attempting to connect to a shared resource (although modern clients + such as Windows 95/98 and Windows NT will send a logon request with + a username but no password when talking to a security = share + server). Instead, the clients send authentication information + (passwords) on a per-share basis, at the time they attempt to connect + to that share.

Note that smbd ALWAYS + uses a valid UNIX user to act on behalf of the client, even in + security = share level security.

As clients are not required to send a username to the server + in share level security, smbd uses several + techniques to determine the correct UNIX user to use on behalf + of the client.

A list of possible UNIX usernames to match with the given + client password is constructed using the following methods :

If the guest only parameter is set, then all the other + stages are missed and only the guest account username is checked. +
Is a username is sent with the share connection + request, then this username (after mapping - see username map), + is added as a potential username. +
If the client did a previous logon + request (the SessionSetup SMB call) then the + username sent in this SMB will be added as a potential username. +
The name of the service the client requested is + added as a potential username. +
The NetBIOS name of the client is added to + the list as a potential username. +
Any users on the user list are added as potential usernames. +

If the guest only parameter is + not set, then this list is then tried with the supplied password. + The first user for whom the password matches will be used as the + UNIX user.

If the guest only parameter is + set, or no username can be determined then if the share is marked + as available to the guest account, then this + guest user will be used, otherwise access is denied.

Note that it can be very confusing + in share-level security as to which UNIX username will eventually + be used in granting access.

See also the section + NOTE ABOUT USERNAME/PASSWORD VALIDATION.

SECURITY = USER

This is the default security setting in Samba 3.0. + With user-level security a client must first "log-on" with a + valid username and password (which can be mapped using the username map + parameter). Encrypted passwords (see the encrypted passwords parameter) can also + be used in this security mode. Parameters such as user and guest only if set are then applied and + may change the UNIX user to use on this connection, but only after + the user has been successfully authenticated.

Note that the name of the resource being + requested is not sent to the server until after + the server has successfully authenticated the client. This is why + guest shares don't work in user level security without allowing + the server to automatically map unknown users into the guest account. + See the map to guest parameter for details on doing this.

See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION.

SECURITY = DOMAIN

This mode will only work correctly if net(8) has been used to add this + machine into a Windows NT Domain. It expects the encrypted passwords + parameter to be set to yes. In this + mode Samba will try to validate the username/password by passing + it to a Windows NT Primary or Backup Domain Controller, in exactly + the same way that a Windows NT Server would do.

Note that a valid UNIX user must still + exist as well as the account on the Domain Controller to allow + Samba to have a valid UNIX account to map file access to.

Note that from the client's point + of view security = domain is the same + as security = user. It only + affects how the server deals with the authentication, + it does not in any way affect what the client sees.

See also the section + NOTE ABOUT USERNAME/PASSWORD VALIDATION.

See also the password server parameter and + the encrypted passwords parameter.

SECURITY = SERVER

+ In this mode Samba will try to validate the username/password by passing it to another SMB server, such as an + NT box. If this fails it will revert to security = user. It expects the + encrypted passwords parameter to be set to yes, unless the remote + server does not support them. However note that if encrypted passwords have been negotiated then Samba cannot + revert back to checking the UNIX password file, it must have a valid smbpasswd file to check users against. See the chapter about the User Database in + the Samba HOWTO Collection for details on how to set this up. +

Note

This mode of operation has + significant pitfalls, due to the fact that is activly initiates a + man-in-the-middle attack on the remote SMB server. In particular, + this mode of operation can cause significant resource consuption on + the PDC, as it must maintain an active connection for the duration + of the user's session. Furthermore, if this connection is lost, + there is no way to reestablish it, and futher authenticaions to the + Samba server may fail. (From a single client, till it disconnects). +

Note

From the client's point of + view security = server is the + same as security = user. It + only affects how the server deals with the authentication, it does + not in any way affect what the client sees.

See also the section + NOTE ABOUT USERNAME/PASSWORD VALIDATION.

See also the password server parameter and the + encrypted passwords parameter.

SECURITY = ADS

In this mode, Samba will act as a domain member in an ADS realm. To operate + in this mode, the machine running Samba will need to have Kerberos installed + and configured and Samba will need to be joined to the ADS realm using the + net utility.

Note that this mode does NOT make Samba operate as a Active Directory Domain + Controller.

Read the chapter about Domain Membership in the HOWTO for details.

Default: security = USER + +

Example: security = DOMAIN + +

security mask (S)

+ This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating the + UNIX permission on a file using the native NT security dialog box. +

+ This parameter is applied as a mask (AND'ed with) to the changed permission bits, thus preventing any bits not + in this mask from being modified. Make sure not to mix up this parameter with force security mode, which works in a manner similar to this one but uses a logical OR instead of an AND. +

+ Essentially, zero bits in this mask may be treated as a set of bits the user is not allowed to change. +

+ If not set explicitly this parameter is 0777, allowing a user to modify all the user/group/world permissions on a file. +

+ Note that users who can access the Samba server through other means can easily bypass this + restriction, so it is primarily useful for standalone "appliance" systems. Administrators of + most normal systems will probably want to leave it set to 0777. +

Default: security mask = 0777 + +

Example: security mask = 0770 + +

server schannel (G)

+ This controls whether the server offers or even demands the use of the netlogon schannel. + server schannel = no does not offer the schannel, server schannel = auto offers the schannel but does not enforce it, and server schannel = yes denies access if the client is not able to speak netlogon schannel. + This is only the case for Windows NT4 before SP4. +

+ Please note that with this set to no you will have to apply the WindowsXP + WinXP_SignOrSeal.reg registry patch found in the docs/registry subdirectory of the Samba distribution tarball. +

Default: server schannel = auto + +

Example: server schannel = yes + +

server signing (G)

This controls whether the server offers or requires + the client it talks to to use SMB signing. Possible values + are auto, mandatory + and disabled. +

When set to auto, SMB signing is offered, but not enforced. + When set to mandatory, SMB signing is required and if set + to disabled, SMB signing is not offered either.

Default: server signing = Disabled + +

server string (G)

This controls what string will show up in the printer comment box in print + manager and next to the IPC connection in net view. It + can be any string that you wish to show to your users.

It also sets what will appear in browse lists next + to the machine name.

A %v will be replaced with the Samba + version number.

A %h will be replaced with the + hostname.

Default: server string = Samba %v + +

Example: server string = University of GNUs Samba Server + +

set directory (S)

If set directory = no, then + users of the service may not use the setdir command to change + directory.

The setdir command is only implemented + in the Digital Pathworks client. See the Pathworks documentation + for details.

Default: set directory = no + +

set primary group script (G)

Thanks to the Posix subsystem in NT a Windows User has a + primary group in addition to the auxiliary groups. This script + sets the primary group in the unix userdatase when an + administrator sets the primary group from the windows user + manager or when fetching a SAM with net rpc + vampire. %u will be replaced + with the user whose primary group is to be set. + %g will be replaced with the group to + set.

Default: set primary group script = + +

Example: set primary group script = /usr/sbin/usermod -g '%g' '%u' + +

set quota command (G)

The set quota command should only be used + whenever there is no operating system API available from the OS that + samba can use.

This option is only available if Samba was configured with the argument --with-sys-quotas or + on linux when ./configure --with-quotas was used and a working quota api + was found in the system. Most packages are configured with these options already.

This parameter should specify the path to a script that + can set quota for the specified arguments.

The specified script should take the following arguments:

1 - quota type +
- 1 - user quotas
- 2 - user default quotas (uid = -1)
- 3 - group quotas
- 4 - group default quotas (gid = -1)
+
2 - id (uid for user, gid for group, -1 if N/A)
3 - quota state (0 = disable, 1 = enable, 2 = enable and enforce)
4 - block softlimit
5 - block hardlimit
6 - inode softlimit
7 - inode hardlimit
8(optional) - block size, defaults to 1024

The script should output at least one line of data on success. And nothing on failure.

Default: set quota command = + +

Example: set quota command = /usr/local/sbin/set_quota + +

share modes (S)

This enables or disables the honoring of + the share modes during a file open. These + modes are used by clients to gain exclusive read or write access + to a file.

These open modes are not directly supported by UNIX, so + they are simulated using shared memory, or lock files if your + UNIX doesn't support shared memory (almost all do).

The share modes that are enabled by this option are + DENY_DOS, DENY_ALL, + DENY_READ, DENY_WRITE, + DENY_NONE and DENY_FCB. +

This option gives full share compatibility and enabled + by default.

You should NEVER turn this parameter + off as many Windows applications will break if you do so.

Default: share modes = yes + +

short preserve case (S)

This boolean parameter controls if new files + which conform to 8.3 syntax, that is all in upper case and of + suitable length, are created upper case, or if they are forced + to be the default case + . This option can be use with preserve case = yes + to permit long filenames to retain their case, while short + names are lowered.

See the section on NAME MANGLING.

Default: short preserve case = yes + +

show add printer wizard (G)

With the introduction of MS-RPC based printing support + for Windows NT/2000 client in Samba 2.2, a "Printers..." folder will + appear on Samba hosts in the share listing. Normally this folder will + contain an icon for the MS Add Printer Wizard (APW). However, it is + possible to disable this feature regardless of the level of privilege + of the connected user.

Under normal circumstances, the Windows NT/2000 client will + open a handle on the printer server with OpenPrinterEx() asking for + Administrator privileges. If the user does not have administrative + access on the print server (i.e is not root or a member of the + printer admin group), the OpenPrinterEx() + call fails and the client makes another open call with a request for + a lower privilege level. This should succeed, however the APW + icon will not be displayed.

Disabling the show add printer wizard + parameter will always cause the OpenPrinterEx() on the server + to fail. Thus the APW icon will never be displayed. +

Note

This does not prevent the same user from having + administrative privilege on an individual printer.

Default: show add printer wizard = yes + +

shutdown script (G)

This a full path name to a script called by + smbd(8) that should + start a shutdown procedure.

If the connected user posseses the SeRemoteShutdownPrivilege, + right, this command will be run as user.

The %z %t %r %f variables are expanded as follows:

%z will be substituted with the + shutdown message sent to the server.
%t will be substituted with the + number of seconds to wait before effectively starting the + shutdown procedure.
%r will be substituted with the + switch -r. It means reboot after shutdown + for NT.
%f will be substituted with the + switch -f. It means force the shutdown + even if applications do not respond for NT.

Shutdown script example: +

+#!/bin/bash
+		
+$time=0
+let "time/60"
+let "time++"
+
+/sbin/shutdown $3 $4 +$time $1 &
+

+Shutdown does not return so we need to launch it in background. +

Default: shutdown script = + +

Example: shutdown script = /usr/local/samba/sbin/shutdown %m %t %r %f + +

smb passwd file (G)

This option sets the path to the encrypted smbpasswd file. By + default the path to the smbpasswd file is compiled into Samba.

+ An example of use is: +

+smb passwd file = /etc/samba/smbpasswd
+

Default: smb passwd file = ${prefix}/private/smbpasswd + +

smb ports (G)

Specifies which ports the server should listen on for SMB traffic.

Default: smb ports = 445 139 + +

socket address (G)

This option allows you to control what + address Samba will listen for connections on. This is used to + support multiple virtual interfaces on the one server, each + with a different configuration.

By default Samba will accept connections on any + address.

Default: socket address = + +

Example: socket address = 192.168.2.20 + +

socket options (G)

This option allows you to set socket options + to be used when talking with the client.

Socket options are controls on the networking layer + of the operating systems which allow the connection to be + tuned.

This option will typically be used to tune your Samba server + for optimal performance for your local network. There is no way + that Samba can know what the optimal parameters are for your net, + so you must experiment and choose them yourself. We strongly + suggest you read the appropriate documentation for your operating + system first (perhaps man + setsockopt will help).

You may find that on some systems Samba will say + "Unknown socket option" when you supply an option. This means you + either incorrectly typed it or you need to add an include file + to includes.h for your OS. If the latter is the case please + send the patch to + samba-technical@samba.org.

Any of the supported socket options may be combined + in any way you like, as long as your OS allows it.

This is the list of socket options currently settable + using this option:

SO_KEEPALIVE
SO_REUSEADDR
SO_BROADCAST
TCP_NODELAY
IPTOS_LOWDELAY
IPTOS_THROUGHPUT
SO_SNDBUF *
SO_RCVBUF *
SO_SNDLOWAT *
SO_RCVLOWAT *

Those marked with a '*' take an integer + argument. The others can optionally take a 1 or 0 argument to enable + or disable the option, by default they will be enabled if you + don't specify 1 or 0.

To specify an argument use the syntax SOME_OPTION = VALUE + for example SO_SNDBUF = 8192. Note that you must + not have any spaces before or after the = sign.

If you are on a local network then a sensible option + might be:

socket options = IPTOS_LOWDELAY

If you have a local network then you could try:

socket options = IPTOS_LOWDELAY TCP_NODELAY

If you are on a wide area network then perhaps try + setting IPTOS_THROUGHPUT.

Note that several of the options may cause your Samba + server to fail completely. Use these options with caution!

Default: socket options = TCP_NODELAY + +

Example: socket options = IPTOS_LOWDELAY + +

stat cache (G)

This parameter determines if smbd(8) will use a cache in order to + speed up case insensitive name mappings. You should never need + to change this parameter.

Default: stat cache = yes + +

store dos attributes (S)

If this parameter is set Samba no longer attempts to + map DOS attributes like SYSTEM, HIDDEN, ARCHIVE or READ-ONLY + to UNIX permission bits (such as the map hidden. Instead, DOS attributes will be stored onto an extended + attribute in the UNIX filesystem, associated with the file or directory. + For this to operate correctly, the parameters map hidden, map system, map archive must be set to off. + This parameter writes the DOS attributes as a string into the + extended attribute named "user.DOSATTRIB". This extended attribute + is explicitly hidden from smbd clients requesting an EA list. + On Linux the filesystem must have been mounted with the mount + option user_xattr in order for extended attributes to work, also + extended attributes must be compiled into the Linux kernel. +

Default: store dos attributes = no + +

strict allocate (S)

This is a boolean that controls the handling of + disk space allocation in the server. When this is set to yes + the server will change from UNIX behaviour of not committing real + disk storage blocks when a file is extended to the Windows behaviour + of actually forcing the disk system to allocate real storage blocks + when a file is created or extended to be a given size. In UNIX + terminology this means that Samba will stop creating sparse files. + This can be slow on some systems.

When strict allocate is no the server does sparse + disk block allocation when a file is extended.

Setting this to yes can help Samba return + out of quota messages on systems that are restricting the disk quota + of users.

Default: strict allocate = no + +

strict locking (S)

This is a boolean that controls the handling of + file locking in the server. When this is set to yes, + the server will check every read and write access for file locks, and + deny access if locks exist. This can be slow on some systems.

When strict locking is disabled, the server performs file + lock checks only when the client explicitly asks for them.

Well-behaved clients always ask for lock checks when it + is important. So in the vast majority of cases, strict + locking = no is acceptable.

Default: strict locking = yes + +

strict sync (S)

Many Windows applications (including the Windows 98 explorer + shell) seem to confuse flushing buffer contents to disk with doing + a sync to disk. Under UNIX, a sync call forces the process to be + suspended until the kernel has ensured that all outstanding data in + kernel disk buffers has been safely stored onto stable storage. + This is very slow and should only be done rarely. Setting this + parameter to no (the default) means that + smbd(8) ignores the Windows + applications requests for a sync call. There is only a possibility + of losing data if the operating system itself that Samba is running + on crashes, so there is little danger in this default setting. In + addition, this fixes many performance problems that people have + reported with the new Windows98 explorer shell file copies.

Default: strict sync = no + +

sync always (S)

This is a boolean parameter that controls + whether writes will always be written to stable storage before + the write call returns. If this is no then the server will be + guided by the client's request in each write call (clients can + set a bit indicating that a particular write should be synchronous). + If this is yes then every write will be followed by a fsync() + call to ensure the data is written to disk. Note that + the strict sync parameter must be set to + yes in order for this parameter to have + any affect.

Default: sync always = no + +

syslog (G)

This parameter maps how Samba debug messages + are logged onto the system syslog logging levels. Samba debug + level zero maps onto syslog LOG_ERR, debug + level one maps onto LOG_WARNING, debug level + two maps onto LOG_NOTICE, debug level three + maps onto LOG_INFO. All higher levels are mapped to + LOG_DEBUG.

This parameter sets the threshold for sending messages + to syslog. Only messages with debug level less than this value + will be sent to syslog.

Default: syslog = 1 + +

syslog only (G)

If this parameter is set then Samba debug + messages are logged into the system syslog only, and not to + the debug log files.

Default: syslog only = no + +

template homedir (G)

When filling out the user information for a Windows NT + user, the winbindd(8) daemon uses this + parameter to fill in the home directory for that user. If the + string %D is present it + is substituted with the user's Windows NT domain name. If the + string %U is present it + is substituted with the user's Windows NT user name.

Default: template homedir = /home/%D/%U + +

template shell (G)

When filling out the user information for a Windows NT + user, the winbindd(8) daemon uses this + parameter to fill in the login shell for that user.

No default

time offset (G)

This parameter is a setting in minutes to add + to the normal GMT to local time conversion. This is useful if + you are serving a lot of PCs that have incorrect daylight + saving time handling.

Default: time offset = 0 + +

Example: time offset = 60 + +

time server (G)

This parameter determines if nmbd(8) advertises itself as a time server to Windows +clients.

Default: time server = no + +

unix charset (G)

Specifies the charset the unix machine + Samba runs on uses. Samba needs to know this in order to be able to + convert text to the charsets other SMB clients use. +

This is also the charset Samba will use when specifying arguments + to scripts that it invokes. +

Default: unix charset = UTF8 + +

Example: unix charset = ASCII + +

unix extensions (G)

This boolean parameter controls whether Samba + implments the CIFS UNIX extensions, as defined by HP. + These extensions enable Samba to better serve UNIX CIFS clients + by supporting features such as symbolic links, hard links, etc... + These extensions require a similarly enabled client, and are of + no current use to Windows clients.

Default: unix extensions = yes + +

unix password sync (G)

This boolean parameter controls whether Samba + attempts to synchronize the UNIX password with the SMB password + when the encrypted SMB password in the smbpasswd file is changed. + If this is set to yes the program specified in the passwd + programparameter is called AS ROOT - + to allow the new UNIX password to be set without access to the + old UNIX password (as the SMB password change code has no + access to the old password cleartext, only the new).

Default: unix password sync = no + +

update encrypted (G)

+ This boolean parameter allows a user logging on with a plaintext password to have their encrypted (hashed) + password in the smbpasswd file to be updated automatically as they log on. This option allows a site to + migrate from plaintext password authentication (users authenticate with plaintext password over the + wire, and are checked against a UNIX account atabase) to encrypted password authentication (the SMB + challenge/response authentication mechanism) without forcing all users to re-enter their passwords via + smbpasswd at the time the change is made. This is a convenience option to allow the change over to encrypted + passwords to be made over a longer period. Once all users have encrypted representations of their passwords + in the smbpasswd file this parameter should be set to no. +

+ In order for this parameter to be operative the encrypt passwords parameter must + be set to no. The default value of encrypt passwords = Yes. Note: This must be set to no for this update encrypted to work. +

+ Note that even when this parameter is set a user authenticating to smbd + must still enter a valid password in order to connect correctly, and to update their hashed (smbpasswd) + passwords. +

Default: update encrypted = no + +

use client driver (S)

This parameter applies only to Windows NT/2000 + clients. It has no effect on Windows 95/98/ME clients. When + serving a printer to Windows NT/2000 clients without first installing + a valid printer driver on the Samba host, the client will be required + to install a local printer driver. From this point on, the client + will treat the print as a local printer and not a network printer + connection. This is much the same behavior that will occur + when disable spoolss = yes. +

The differentiating factor is that under normal + circumstances, the NT/2000 client will attempt to open the network + printer using MS-RPC. The problem is that because the client + considers the printer to be local, it will attempt to issue the + OpenPrinterEx() call requesting access rights associated with the + logged on user. If the user possesses local administator rights but + not root privilege on the Samba host (often the case), the + OpenPrinterEx() call will fail. The result is that the client will + now display an "Access Denied; Unable to connect" message + in the printer queue window (even though jobs may successfully be + printed).

If this parameter is enabled for a printer, then any attempt + to open the printer with the PRINTER_ACCESS_ADMINISTER right is mapped + to PRINTER_ACCESS_USE instead. Thus allowing the OpenPrinterEx() + call to succeed. This parameter MUST not be able enabled + on a print share which has valid print driver installed on the Samba + server.

Default: use client driver = no + +

use kerberos keytab (G)

+Specifies whether Samba should attempt to maintain service principals in the systems +keytab file for host/FQDN and cifs/FQDN. +

When you are using the heimdal Kerberos libraries, you must also +specify the following in /etc/krb5.conf:

+[libdefaults]
+  default_keytab_name = FILE:/etc/krb5.keytab
+

Default: use kerberos keytab = False + +

use mmap (G)

This global parameter determines if the tdb internals of Samba can + depend on mmap working correctly on the running system. Samba requires a coherent + mmap/read-write system memory cache. Currently only HPUX does not have such a + coherent cache, and so this parameter is set to no by + default on HPUX. On all other systems this parameter should be left alone. This + parameter is provided to help the Samba developers track down problems with + the tdb internal code. +

Default: use mmap = yes + +

user

This parameter is a synonym for username.

users

This parameter is a synonym for username.

username (S)

Multiple users may be specified in a comma-delimited + list, in which case the supplied password will be tested against + each username in turn (left to right).

The username line is needed only when + the PC is unable to supply its own username. This is the case + for the COREPLUS protocol or where your users have different WfWg + usernames to UNIX usernames. In both these cases you may also be + better using the \\server\share%user syntax instead.

The username line is not a great + solution in many cases as it means Samba will try to validate + the supplied password against each of the usernames in the + username line in turn. This is slow and + a bad idea for lots of users in case of duplicate passwords. + You may get timeouts or security breaches using this parameter + unwisely.

Samba relies on the underlying UNIX security. This + parameter does not restrict who can login, it just offers hints + to the Samba server as to what usernames might correspond to the + supplied password. Users can login as whoever they please and + they will be able to do no more damage than if they started a + telnet session. The daemon runs as the user that they log in as, + so they cannot do anything that user cannot do.

To restrict a service to a particular set of users you + can use the valid users parameter.

If any of the usernames begin with a '@' then the name + will be looked up first in the NIS netgroups list (if Samba + is compiled with netgroup support), followed by a lookup in + the UNIX groups database and will expand to a list of all users + in the group of that name.

If any of the usernames begin with a '+' then the name + will be looked up only in the UNIX groups database and will + expand to a list of all users in the group of that name.

If any of the usernames begin with a '&' then the name + will be looked up only in the NIS netgroups database (if Samba + is compiled with netgroup support) and will expand to a list + of all users in the netgroup group of that name.

Note that searching though a groups database can take + quite some time, and some clients may time out during the + search.

See the section NOTE ABOUT + USERNAME/PASSWORD VALIDATION for more information on how + this parameter determines access to the services.

Default: username = +# The guest account if a guest service, + else <empty string>. + +

Example: username = fred, mary, jack, jane, @users, @pcgroup + +

username level (G)

This option helps Samba to try and 'guess' at + the real UNIX username, as many DOS clients send an all-uppercase + username. By default Samba tries all lowercase, followed by the + username with the first letter capitalized, and fails if the + username is not found on the UNIX machine.

If this parameter is set to non-zero the behavior changes. + This parameter is a number that specifies the number of uppercase + combinations to try while trying to determine the UNIX user name. The + higher the number the more combinations will be tried, but the slower + the discovery of usernames will be. Use this parameter when you have + strange usernames on your UNIX machine, such as AstrangeUser +.

This parameter is needed only on UNIX systems that have case + sensitive usernames.

Default: username level = 0 + +

Example: username level = 5 + +

username map (G)

This option allows you to specify a file containing + a mapping of usernames from the clients to the server. This can be + used for several purposes. The most common is to map usernames + that users use on DOS or Windows machines to those that the UNIX + box uses. The other is to map multiple users to a single username + so that they can more easily share files.

Please note that for user or share mode security, the + username map is applied prior to validating the user credentials. + Domain member servers (domain or ads) apply the username map + after the user has been successfully authenticated by the domain + controller and require fully qualified enties in the map table + (e.g. biddle = DOMAIN\foo).

The map file is parsed line by line. Each line should + contain a single UNIX username on the left then a '=' followed + by a list of usernames on the right. The list of usernames on the + right may contain names of the form @group in which case they + will match any UNIX username in that group. The special client + name '*' is a wildcard and matches any name. Each line of the + map file may be up to 1023 characters long.

The file is processed on each line by taking the + supplied username and comparing it with each username on the right + hand side of the '=' signs. If the supplied name matches any of + the names on the right hand side then it is replaced with the name + on the left. Processing then continues with the next line.

If any line begins with a '#' or a ';' then it is ignored

If any line begins with an '!' then the processing + will stop after that line if a mapping was done by the line. + Otherwise mapping continues with every line being processed. + Using '!' is most useful when you have a wildcard mapping line + later in the file.

For example to map from the name admin + or administrator to the UNIX name + root you would use:

root = admin administrator

Or to map anyone in the UNIX group system + to the UNIX name sys you would use:

sys = @system

You can have as many mappings as you like in a username map file.

If your system supports the NIS NETGROUP option then + the netgroup database is checked before the /etc/group + database for matching groups.

You can map Windows usernames that have spaces in them + by using double quotes around the name. For example:

tridge = "Andrew Tridgell"

would map the windows username "Andrew Tridgell" to the + unix username "tridge".

The following example would map mary and fred to the + unix user sys, and map the rest to guest. Note the use of the + '!' to tell Samba to stop processing if it gets a match on + that line.

+!sys = mary fred
+guest = *
+

Note that the remapping is applied to all occurrences + of usernames. Thus if you connect to \\server\fred and + fred is remapped to mary then you + will actually be connecting to \\server\mary and will need to + supply a password suitable for mary not + fred. The only exception to this is the + username passed to the password server (if you have one). The password + server will receive whatever username the client supplies without + modification.

Also note that no reverse mapping is done. The main effect + this has is with printing. Users who have been mapped may have + trouble deleting print jobs as PrintManager under WfWg will think + they don't own the print job.

+ Samba versions prior to 3.0.8 would only support reading the fully qualified + username (e.g.: DOMAIN\user) from the username map when performing a + kerberos login from a client. However, when looking up a map + entry for a user authenticated by NTLM[SSP], only the login name would be + used for matches. This resulted in inconsistent behavior sometimes + even on the same server. +

+ The following functionality is obeyed in version 3.0.8 and later: +

+ When performing local authentication, the username map is + applied to the login name before attempting to authenticate + the connection. +

+ When relying upon a external domain controller for validating + authentication requests, smbd will apply the username map + to the fully qualified username (i.e. DOMAIN\user) only + after the user has been successfully authenticated. +

+ An example of use is: +

+username map = /usr/local/samba/lib/users.map
+

Default: username map = +# no username map + +

username map script (G)

This script is a mutually exclusive alternative to the + username map parameter. This parameter + specifies and external program or script that must accept a single + command line option (the username transmitted in the authentication + request) and return a line line on standard output (the name to which + the account should mapped). In this way, it is possible to store + username map tables in an LDAP or NIS directory services. +

Default: username map script = + +

Example: username map script = /etc/samba/scripts/mapusers.sh + +

use sendfile (S)

If this parameter is yes, and the sendfile() system call is supported by the underlying operating system, then some SMB read calls (mainly ReadAndX + and ReadRaw) will use the more efficient sendfile system call for files that + are exclusively oplocked. This may make more efficient use of the system CPU's + and cause Samba to be faster. Samba automatically turns this off for clients + that use protocol levels lower than NT LM 0.12 and when it detects a client is + Windows 9x (using sendfile from Linux will cause these clients to fail). +

Default: use sendfile = yes + +

use spnego (G)

This variable controls controls whether samba will try + to use Simple and Protected NEGOciation (as specified by rfc2478) with + WindowsXP and Windows2000 clients to agree upon an authentication mechanism. +

+ Unless further issues are discovered with our SPNEGO + implementation, there is no reason this should ever be + disabled.

Default: use spnego = yes + +

utmp (G)

This boolean parameter is only available if + Samba has been configured and compiled with the option + --with-utmp. If set to yes then Samba will attempt + to add utmp or utmpx records (depending on the UNIX system) whenever a + connection is made to a Samba server. Sites may use this to record the + user connecting to a Samba share.

Due to the requirements of the utmp record, we + are required to create a unique identifier for the + incoming user. Enabling this option creates an n^2 + algorithm to find this number. This may impede + performance on large installations.

Default: utmp = no + +

utmp directory (G)

This parameter is only available if Samba has + been configured and compiled with the option + --with-utmp. It specifies a directory pathname that is + used to store the utmp or utmpx files (depending on the UNIX system) that + record user connections to a Samba server. By default this is + not set, meaning the system will use whatever utmp file the + native system is set to use (usually + /var/run/utmp on Linux).

Default: utmp directory = +# Determined automatically + +

Example: utmp directory = /var/run/utmp + +

-valid (S)

This parameter indicates whether a share is + valid and thus can be used. When this parameter is set to false, + the share will be in no way visible nor accessible. +

+ This option should not be + used by regular users but might be of help to developers. + Samba uses this option internally to mark shares as deleted. +

Default: -valid = yes + +

valid users (S)

This is a list of users that should be allowed + to login to this service. Names starting with '@', '+' and '&' + are interpreted using the same rules as described in the + invalid users parameter.

If this is empty (the default) then any user can login. + If a username is in both this list and the invalid + users list then access is denied for that user.

The current servicename is substituted for %S +. This is useful in the [homes] section.

Default: valid users = +# No valid users list (anyone can login) + +

Example: valid users = greg, @pcusers + +

veto files (S)

This is a list of files and directories that + are neither visible nor accessible. Each entry in the list must + be separated by a '/', which allows spaces to be included + in the entry. '*' and '?' can be used to specify multiple files + or directories as in DOS wildcards.

Each entry must be a unix path, not a DOS path and + must not include the unix directory + separator '/'.

Note that the case sensitive option + is applicable in vetoing files.

One feature of the veto files parameter that it + is important to be aware of is Samba's behaviour when + trying to delete a directory. If a directory that is + to be deleted contains nothing but veto files this + deletion will fail unless you also set + the delete veto files parameter to + yes.

Setting this parameter will affect the performance + of Samba, as it will be forced to check all files and directories + for a match as they are scanned.

+ Examples of use include: +

+; Veto any files containing the word Security,
+; any ending in .tmp, and any directory containing the
+; word root.
+veto files = /*Security*/*.tmp/*root*/
+
+; Veto the Apple specific files that a NetAtalk server
+; creates.
+veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/
+

Default: veto files = No files or directories are vetoed. + +

veto oplock files (S)

This parameter is only valid when the + oplocks + parameter is turned on for a share. It allows the Samba administrator + to selectively turn off the granting of oplocks on selected files that + match a wildcarded list, similar to the wildcarded list used in the + veto files + parameter.

You might want to do this on files that you know will + be heavily contended for by clients. A good example of this + is in the NetBench SMB benchmark program, which causes heavy + client contention for files ending in .SEM. + To cause Samba not to grant oplocks on these files you would use + the line (either in the [global] section or in the section for + the particular NetBench share :

+ An example of use is: +

+veto oplock files = /.*SEM/
+

Default: veto oplock files = +# No files are vetoed for oplock grants + +

vfs object

This parameter is a synonym for vfs objects.

vfs objects (S)

This parameter specifies the backend names which + are used for Samba VFS I/O operations. By default, normal + disk I/O operations are used but these can be overloaded + with one or more VFS objects.

Default: vfs objects = + +

Example: vfs objects = extd_audit recycle + +

volume (S)

This allows you to override the volume label + returned for a share. Useful for CDROMs with installation programs + that insist on a particular volume label.

Default: volume = +# the name of the share + +

wide links (S)

This parameter controls whether or not links + in the UNIX file system may be followed by the server. Links + that point to areas within the directory tree exported by the + server are always allowed; this parameter controls access only + to areas that are outside the directory tree being exported.

Note that setting this parameter can have a negative + effect on your server performance due to the extra system calls + that Samba has to do in order to perform the link checks.

Default: wide links = yes + +

winbind cache time (G)

This parameter specifies the number of + seconds the winbindd(8) daemon will cache + user and group information before querying a Windows NT server + again.

Note

This does not apply to authentication requests, + these are always evaluated in real time.

Default: winbind cache time = 300 + +

winbind enum groups (G)

On large installations using winbindd(8) it may be necessary to suppress + the enumeration of groups through the setgrent(), + getgrent() and + endgrent() group of system calls. If + the winbind enum groups parameter is + no, calls to the getgrent() system + call will not return any data.

Warning

Turning off group enumeration may cause some programs to behave oddly.

Default: winbind enum groups = yes + +

winbind enum users (G)

On large installations using winbindd(8) it may be + necessary to suppress the enumeration of users through the setpwent(), + getpwent() and + endpwent() group of system calls. If + the winbind enum users parameter is + no, calls to the getpwent system call + will not return any data.

Warning

Turning off user + enumeration may cause some programs to behave oddly. For + example, the finger program relies on having access to the + full user list when searching for matching + usernames.

Default: winbind enum users = yes + +

winbind nested groups (G)

If set to yes, this parameter activates the support for nested + groups. Nested groups are also called local groups or + aliases. They work like their counterparts in Windows: Nested + groups are defined locally on any machine (they are shared + between DC's through their SAM) and can contain users and + global groups from any trusted SAM. To be able to use nested + groups, you need to run nss_winbind.

Please note that per 3.0.3 this is a new feature, so + handle with care.

Default: winbind nested groups = no + +

winbind separator (G)

This parameter allows an admin to define the character + used when listing a username of the form of DOMAIN +\user. This parameter + is only applicable when using the pam_winbind.so + and nss_winbind.so modules for UNIX services. +

Please note that setting this parameter to + causes problems + with group membership at least on glibc systems, as the character + + is used as a special character for NIS in /etc/group.

Default: winbind separator = '\' + +

Example: winbind separator = + + +

winbind trusted domains only (G)

This parameter is designed to allow Samba servers that + are members of a Samba controlled domain to use UNIX accounts + distributed via NIS, rsync, or LDAP as the uid's for winbindd users + in the hosts primary domain. Therefore, the user DOMAIN\user1 would + be mapped to the account user1 in /etc/passwd instead of allocating + a new uid for him or her. +

Default: winbind trusted domains only = no + +

winbind use default domain (G)

This parameter specifies whether the + winbindd(8) daemon should operate on users + without domain component in their username. Users without a domain + component are treated as is part of the winbindd server's own + domain. While this does not benifit Windows users, it makes SSH, FTP and + e-mail function in a way much closer to the way they + would in a native unix system.

Default: winbind use default domain = no + +

Example: winbind use default domain = yes + +

wins hook (G)

When Samba is running as a WINS server this + allows you to call an external program for all changes to the + WINS database. The primary use for this option is to allow the + dynamic update of external name resolution databases such as + dynamic DNS.

The wins hook parameter specifies the name of a script + or executable that will be called as follows:

wins_hook operation name nametype ttl IP_list

The first argument is the operation and is + one of "add", "delete", or + "refresh". In most cases the operation + can be ignored as the rest of the parameters + provide sufficient information. Note that + "refresh" may sometimes be called when + the name has not previously been added, in that + case it should be treated as an add.
The second argument is the NetBIOS name. If the + name is not a legal name then the wins hook is not called. + Legal names contain only letters, digits, hyphens, underscores + and periods.
The third argument is the NetBIOS name + type as a 2 digit hexadecimal number.
The fourth argument is the TTL (time to live) + for the name in seconds.
The fifth and subsequent arguments are the IP + addresses currently registered for that name. If this list is + empty then the name should be deleted.

An example script that calls the BIND dynamic DNS update + program nsupdate is provided in the examples + directory of the Samba source code.

No default

wins proxy (G)

This is a boolean that controls if nmbd(8) will respond to broadcast name + queries on behalf of other hosts. You may need to set this + to yes for some older clients.

Default: wins proxy = no + +

wins server (G)

This specifies the IP address (or DNS name: IP + address for preference) of the WINS server that nmbd(8) should register with. If you have a WINS server on + your network then you should set this to the WINS server's IP.

You should point this at your WINS server if you have a + multi-subnetted network.

If you want to work in multiple namespaces, you can + give every wins server a 'tag'. For each tag, only one + (working) server will be queried for a name. The tag should be + separated from the ip address by a colon. +

Note

You need to set up Samba to point + to a WINS server if you have multiple subnets and wish cross-subnet + browsing to work correctly.

See the ???.

Default: wins server = + +

Example: wins server = mary:192.9.200.1 fred:192.168.3.199 mary:192.168.2.61 + +# For this example when querying a certain name, 192.19.200.1 will + be asked first and if that doesn't respond 192.168.2.61. If either + of those doesn't know the name 192.168.3.199 will be queried. + +

Example: wins server = 192.9.200.1 192.168.2.61 + +

wins support (G)

This boolean controls if the nmbd(8) process in Samba will act as a WINS server. You should + not set this to yes unless you have a multi-subnetted network and + you wish a particular nmbd to be your WINS server. + Note that you should NEVER set this to yes + on more than one machine in your network.

Default: wins support = no + +

workgroup (G)

This controls what workgroup your server will + appear to be in when queried by clients. Note that this parameter + also controls the Domain name used with + the security = domain + setting.

Default: workgroup = WORKGROUP + +

Example: workgroup = MYGROUP + +

writable

This parameter is a synonym for writeable.

writeable (S)

Inverted synonym for read only.

No default

write cache size (S)

If this integer parameter is set to non-zero value, + Samba will create an in-memory cache for each oplocked file + (it does not do this for + non-oplocked files). All writes that the client does not request + to be flushed directly to disk will be stored in this cache if possible. + The cache is flushed onto disk when a write comes in whose offset + would not fit into the cache or when the file is closed by the client. + Reads for the file are also served from this cache if the data is stored + within it.

This cache allows Samba to batch client writes into a more + efficient write size for RAID disks (i.e. writes may be tuned to + be the RAID stripe size) and can improve performance on systems + where the disk subsystem is a bottleneck but there is free + memory for userspace programs.

The integer parameter specifies the size of this cache + (per oplocked file) in bytes.

Default: write cache size = 0 + +

Example: write cache size = 262144 +# for a 256k cache size per file + +

write list (S)

This is a list of users that are given read-write + access to a service. If the connecting user is in this list then + they will be given write access, no matter what the read only + option is set to. The list can include group names using the + @group syntax.

Note that if a user is in both the read list and the + write list then they will be given write access.

This parameter will not work with the security = share in + Samba 3.0. This is by design.

Default: write list = + +

Example: write list = admin, root, @staff + +

write raw (G)

This parameter controls whether or not the server + will support raw write SMB's when transferring data from clients. + You should never need to change this parameter.

Default: write raw = yes + +

wtmp directory (G)

This parameter is only available if Samba has + been configured and compiled with the option + --with-utmp. It specifies a directory pathname that is + used to store the wtmp or wtmpx files (depending on the UNIX system) that + record user connections to a Samba server. The difference with + the utmp directory is the fact that user info is kept after a user + has logged out.

+ By default this is + not set, meaning the system will use whatever utmp file the + native system is set to use (usually + /var/run/wtmp on Linux).

Default: wtmp directory = + +

Example: wtmp directory = /var/log/wtmp + +

WARNINGS

+ Although the configuration file permits service names to contain spaces, your client software may not. + Spaces will be ignored in comparisons anyway, so it shouldn't be a problem - but be aware of the possibility. +

+ On a similar note, many clients - especially DOS clients - limit service names to eight characters. + smbd(8) has no such + limitation, but attempts to connect from such clients will fail if they truncate the service names. For this + reason you should probably keep your service names down to eight characters in length. +

+ Use of the [homes] and [printers] special sections make life + for an administrator easy, but the various combinations of default attributes can be tricky. Take extreme + care when designing these sections. In particular, ensure that the permissions on spool directories are + correct. +

VERSION

This man page is correct for version 3.0 of the Samba suite.

AUTHOR

+ The original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar to the way the Linux kernel is developed. +

+ The original Samba man pages were written by Karl Auer. The man page sources were converted to YODL format (another + excellent piece of Open Source software, available at + ftp://ftp.icce.rug.nl/pub/unix/) and updated for the Samba 2.0 release by Jeremy Allison. The conversion + to DocBook for Samba 2.2 was done by Gerald Carter. The conversion to DocBook XML 4.2 for Samba 3.0 was done by + Alexander Bokovoy. +

diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20rc2/docs/htmldocs/manpages-3/smbcontrol.1.html samba-3.0.20/docs/htmldocs/manpages-3/smbcontrol.1.html --- samba-3.0.20rc2/docs/htmldocs/manpages-3/smbcontrol.1.html 1969-12-31 18:00:00.000000000 -0600 +++ samba-3.0.20/docs/htmldocs/manpages-3/smbcontrol.1.html 2005-08-19 12:56:22.000000000 -0500 @@ -0,0 +1,72 @@ +smbcontrol

Name

smbcontrol — send messages to smbd, nmbd or winbindd processes

Synopsis

smbcontrol [-i] [-s]

smbcontrol [destination] [message-type] [parameter]

DESCRIPTION

This tool is part of the samba(7) suite.

smbcontrol is a very small program, which + sends messages to a smbd(8), a nmbd(8), or a winbindd(8) daemon running on the system.

OPTIONS

-h|--help

Print a summary of command line options. +

-s <configuration file>

-i

Run interactively. Individual commands + of the form destination message-type parameters can be entered + on STDIN. An empty command line or a "q" will quit the + program.

destination

One of nmbd, smbd or a process ID.

The smbd destination causes the + message to "broadcast" to all smbd daemons.

The nmbd destination causes the + message to be sent to the nmbd daemon specified in the + nmbd.pid file.

If a single process ID is given, the message is sent + to only that process.

message-type

Type of message to send. See + the section MESSAGE-TYPES for details. +

parameters

any parameters required for the message-type

MESSAGE-TYPES

Available message types are:

close-share

Order smbd to close the client + connections to the named share. Note that this doesn't affect client + connections to any other shares. This message-type takes an argument of the + share name for which client connections will be closed, or the + "*" character which will close all currently open shares. + This may be useful if you made changes to the access controls on the share. + This message can only be sent to smbd.

debug

Set debug level to the value specified by the + parameter. This can be sent to any of the destinations.

force-election

This message causes the nmbd daemon to + force a new browse master election.

ping

+ Send specified number of "ping" messages and + wait for the same number of reply "pong" messages. This can be sent to + any of the destinations.

profile

Change profile settings of a daemon, based on the + parameter. The parameter can be "on" to turn on profile stats + collection, "off" to turn off profile stats collection, "count" + to enable only collection of count stats (time stats are + disabled), and "flush" to zero the current profile stats. This can + be sent to any smbd or nmbd destinations.

debuglevel

+ Request debuglevel of a certain daemon and write it to stdout. This + can be sent to any of the destinations.

profilelevel

+ Request profilelevel of a certain daemon and write it to stdout. + This can be sent to any smbd or nmbd destinations.

printnotify

+ Order smbd to send a printer notify message to any Windows NT clients + connected to a printer. This message-type takes the following arguments: +

queuepause printername: Send a queue pause change notify + message to the printer specified.
queueresume printername: Send a queue resume change notify + message for the printer specified.
jobpause printername unixjobid: Send a job pause change notify + message for the printer and unix jobid + specified.
jobresume printername unixjobid: Send a job resume change notify + message for the printer and unix jobid + specified.
jobdelete printername unixjobid: Send a job delete change notify + message for the printer and unix jobid + specified.

+ Note that this message only sends notification that an + event has occured. It doesn't actually cause the + event to happen. +

This message can only be sent to smbd.

samsync

Order smbd to synchronise sam database from PDC (being BDC). Can only be sent to smbd.

Note

Not working at the moment

samrepl

Send sam replication message, with specified serial. Can only be sent to smbd. Should not be used manually.

dmalloc-mark

Set a mark for dmalloc. Can be sent to both smbd and nmbd. Only available if samba is built with dmalloc support.

dmalloc-log-changed

+ Dump the pointers that have changed since the mark set by dmalloc-mark. + Can be sent to both smbd and nmbd. Only available if samba is built with dmalloc support.

shutdown

Shut down specified daemon. Can be sent to both smbd and nmbd.

pool-usage

Print a human-readable description of all + talloc(pool) memory usage by the specified daemon/process. Available + for both smbd and nmbd.

drvupgrade

Force clients of printers using specified driver + to update their local version of the driver. Can only be + sent to smbd.

reload-config

Force daemon to reload smb.conf configuration file. Can be sent + to smbd, nmbd, or winbindd. +

VERSION

This man page is correct for version 3.0 of + the Samba suite.

AUTHOR

The original Samba man pages were written by Karl Auer. + The man page sources were converted to YODL format (another + excellent piece of Open Source software, available at + ftp://ftp.icce.rug.nl/pub/unix/) and updated for the Samba 2.0 + release by Jeremy Allison. The conversion to DocBook for + Samba 2.2 was done by Gerald Carter. The conversion to DocBook XML 4.2 for + Samba 3.0 was done by Alexander Bokovoy.

diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20rc2/docs/htmldocs/manpages-3/smbcquotas.1.html samba-3.0.20/docs/htmldocs/manpages-3/smbcquotas.1.html --- samba-3.0.20rc2/docs/htmldocs/manpages-3/smbcquotas.1.html 1969-12-31 18:00:00.000000000 -0600 +++ samba-3.0.20/docs/htmldocs/manpages-3/smbcquotas.1.html 2005-08-19 12:56:26.000000000 -0500 @@ -0,0 +1,85 @@ +smbcquotas

Name

smbcquotas — Set or get QUOTAs of NTFS 5 shares

Synopsis

smbcquotas {//server/share} [-u user] [-L] [-F] [-S QUOTA_SET_COMMAND] [-n] [-t] [-v] [-d debuglevel] [-s configfile] [-l logdir] [-V] [-U username] [-N] [-k] [-A]

DESCRIPTION

This tool is part of the samba(7) suite.

The smbcquotas program manipulates NT Quotas on SMB file shares.

OPTIONS

The following options are available to the smbcquotas program.

-u user

Specifies the user of whom the quotas are get or set. + By default the current user's username will be used.

-L

Lists all quota records of the share.

-F

Show the share quota status and default limits.

-S QUOTA_SET_COMMAND

This command sets/modifies quotas for a user or on the share, + depending on the QUOTA_SET_COMMAND parameter which is described later.

-n

This option displays all QUOTA information in numeric + format. The default is to convert SIDs to names and QUOTA limits + to a readable string format.

-t

+ Don't actually do anything, only validate the correctness of the arguments. +

-v

+ Be verbose. +

-h|--help

Print a summary of command line options. +

-V

Prints the program version number. +

-s <configuration file>

-d|--debug=debuglevel

debuglevel is an integer +from 0 to 10. The default value if this parameter is +not specified is zero.

Note that specifying this parameter here will +override the parameter +in the smb.conf file.

-l|--logfile=logdirectory

Base directory name for log/debug files. The extension +".progname" will be appended (e.g. log.smbclient, +log.smbd, etc...). The log file is never removed by the client. +

-N

If specified, this parameter suppresses the normal +password prompt from the client to the user. This is useful when +accessing a service that does not require a password.

Unless a password is specified on the command line or +this parameter is specified, the client will request a +password.

-k

+Try to authenticate with kerberos. Only useful in +an Active Directory environment. +

-A|--authentication-file=filename

This option allows +you to specify a file from which to read the username and +password used in the connection. The format of the file is +

+username = <value>
+password = <value>
+domain   = <value>
+

Make certain that the permissions on the file restrict +access from unwanted users.

-U|--user=username[%password]

Sets the SMB username or username and password.

QUOTA_SET_COMAND

The format of an ACL is one or more ACL entries separated by + either commas or newlines. An ACL entry is one of the following:

+ for setting user quotas for the user specified by -u or the current username: +

+ UQLIM:<username>:<softlimit>/<hardlimit> +

+ for setting the default quotas for a share: +

+ FSQLIM:<softlimit>/<hardlimit> +

+ for changing the share quota settings: +

+ FSQFLAGS:QUOTA_ENABLED/DENY_DISK/LOG_SOFTLIMIT/LOG_HARD_LIMIT +

EXIT STATUS

The smbcquotas program sets the exit status + depending on the success or otherwise of the operations performed. + The exit status may be one of the following values.

If the operation succeeded, smbcquotas returns an exit + status of 0. If smbcquotas couldn't connect to the specified server, + or when there was an error getting or setting the quota(s), an exit status + of 1 is returned. If there was an error parsing any command line + arguments, an exit status of 2 is returned.

VERSION

This man page is correct for version 3.0 of the Samba suite.

AUTHOR

smbcquotas was written by Stefan Metzmacher.

diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20rc2/docs/htmldocs/manpages-3/smbd.8.html samba-3.0.20/docs/htmldocs/manpages-3/smbd.8.html --- samba-3.0.20rc2/docs/htmldocs/manpages-3/smbd.8.html 1969-12-31 18:00:00.000000000 -0600 +++ samba-3.0.20/docs/htmldocs/manpages-3/smbd.8.html 2005-08-19 12:56:29.000000000 -0500 @@ -0,0 +1,159 @@ +smbd

Name

smbd — server to provide SMB/CIFS services to clients

Synopsis

smbd [-D] [-F] [-S] [-i] [-h] [-V] [-b] [-d <debug level>] [-l <log directory>] [-p <port number(s)>] [-O <socket option>] [-s <configuration file>]

DESCRIPTION

This program is part of the samba(7) suite.

smbd is the server daemon that + provides filesharing and printing services to Windows clients. + The server provides filespace and printer services to + clients using the SMB (or CIFS) protocol. This is compatible + with the LanManager protocol, and can service LanManager + clients. These include MSCLIENT 3.0 for DOS, Windows for + Workgroups, Windows 95/98/ME, Windows NT, Windows 2000, + OS/2, DAVE for Macintosh, and smbfs for Linux.

An extensive description of the services that the + server can provide is given in the man page for the + configuration file controlling the attributes of those + services (see smb.conf(5). This man page will not describe the + services, but will concentrate on the administrative aspects + of running the server.

Please note that there are significant security + implications to running this server, and the smb.conf(5) manual page should be regarded as mandatory reading before + proceeding with installation.

A session is created whenever a client requests one. + Each client gets a copy of the server for each session. This + copy then services all connections made by the client during + that session. When all connections from its client are closed, + the copy of the server for that client terminates.

The configuration file, and any files that it includes, + are automatically reloaded every minute, if they change. You + can force a reload by sending a SIGHUP to the server. Reloading + the configuration file will not affect connections to any service + that is already established. Either the user will have to + disconnect from the service, or smbd killed and restarted.

OPTIONS

-D

If specified, this parameter causes + the server to operate as a daemon. That is, it detaches + itself and runs in the background, fielding requests + on the appropriate port. Operating the server as a + daemon is the recommended way of running smbd for + servers that provide more than casual use file and + print services. This switch is assumed if smbd + is executed on the command line of a shell. +

-F

If specified, this parameter causes + the main smbd process to not daemonize, + i.e. double-fork and disassociate with the terminal. + Child processes are still created as normal to service + each connection request, but the main process does not + exit. This operation mode is suitable for running + smbd under process supervisors such + as supervise and svscan + from Daniel J. Bernstein's daemontools + package, or the AIX process monitor. +

-S

If specified, this parameter causes + smbd to log to standard output rather + than a file.

-i

If this parameter is specified it causes the + server to run "interactively", not as a daemon, even if the + server is executed on the command line of a shell. Setting this + parameter negates the implicit deamon mode when run from the + command line. smbd also logs to standard + output, as if the -S parameter had been + given. +

-V

Prints the program version number. +

-s <configuration file>

-d|--debug=debuglevel

debuglevel is an integer +from 0 to 10. The default value if this parameter is +not specified is zero.

Note that specifying this parameter here will +override the parameter +in the smb.conf file.

-l|--logfile=logdirectory

Base directory name for log/debug files. The extension +".progname" will be appended (e.g. log.smbclient, +log.smbd, etc...). The log file is never removed by the client. +

-h|--help

Print a summary of command line options. +

-b

Prints information about how + Samba was built.

-p <port number(s)>

port number(s) is a + space or comma-separated list of TCP ports smbd should listen on. + The default value is taken from the ports parameter in smb.conf

The default ports are 139 (used for SMB over NetBIOS over TCP) + and port 445 (used for plain SMB over TCP). +

FILES

/etc/inetd.conf

If the server is to be run by the + inetd meta-daemon, this file + must contain suitable startup information for the + meta-daemon. +

/etc/rc

or whatever initialization script your + system uses).

If running the server as a daemon at startup, + this file will need to contain an appropriate startup + sequence for the server.

/etc/services

If running the server via the + meta-daemon inetd, this file + must contain a mapping of service name (e.g., netbios-ssn) + to service port (e.g., 139) and protocol type (e.g., tcp). +

/usr/local/samba/lib/smb.conf

This is the default location of the smb.conf(5) server configuration file. Other common places that systems + install this file are /usr/samba/lib/smb.conf + and /etc/samba/smb.conf.

This file describes all the services the server + is to make available to clients. See smb.conf(5) for more information.

LIMITATIONS

On some systems smbd cannot change uid back + to root after a setuid() call. Such systems are called + trapdoor uid systems. If you have such a system, + you will be unable to connect from a client (such as a PC) as + two different users at once. Attempts to connect the + second user will result in access denied or + similar.

ENVIRONMENT VARIABLES

PRINTER: If no printer name is specified to + printable services, most systems will use the value of + this variable (or lp if this variable is + not defined) as the name of the printer to use. This + is not specific to the server, however.

PAM INTERACTION

Samba uses PAM for authentication (when presented with a plaintext + password), for account checking (is this account disabled?) and for + session management. The degree too which samba supports PAM is restricted + by the limitations of the SMB protocol and the obey pam restrictions smb.conf(5) paramater. When this is set, the following restrictions apply: +

Account Validation: All accesses to a + samba server are checked + against PAM to see if the account is vaild, not disabled and is permitted to + login at this time. This also applies to encrypted logins. +
Session Management: When not using share + level secuirty, users must pass PAM's session checks before access + is granted. Note however, that this is bypassed in share level secuirty. + Note also that some older pam configuration files may need a line + added for session support. +

VERSION

This man page is correct for version 3.0 of + the Samba suite.

DIAGNOSTICS

Most diagnostics issued by the server are logged + in a specified log file. The log file name is specified + at compile time, but may be overridden on the command line.

The number and nature of diagnostics available depends + on the debug level used by the server. If you have problems, set + the debug level to 3 and peruse the log files.

Most messages are reasonably self-explanatory. Unfortunately, + at the time this man page was created, there are too many diagnostics + available in the source code to warrant describing each and every + diagnostic. At this stage your best bet is still to grep the + source code and inspect the conditions that gave rise to the + diagnostics you are seeing.

TDB FILES

Samba stores it's data in several TDB (Trivial Database) files, usually located in /var/lib/samba.

+ (*) information persistent across restarts (but not + necessarily important to backup). +

account_policy.tdb*: NT account policy settings such as pw expiration, etc...
brlock.tdb: byte range locks
browse.dat: browse lists
connections.tdb: share connections (used to enforce max connections, etc...)
gencache.tdb: generic caching db
group_mapping.tdb*: group mapping information
locking.tdb: share modes & oplocks
login_cache.tdb*: bad pw attempts
messages.tdb: Samba messaging system
netsamlogon_cache.tdb*: cache of user net_info_3 struct from net_samlogon() request (as a domain member)
ntdrivers.tdb*: installed printer drivers
ntforms.tdb*: installed printer forms
ntprinters.tdb*: installed printer information
printing/: directory containing tdb per print queue of cached lpq output
registry.tdb: Windows registry skeleton (connect via regedit.exe)
sessionid.tdb: session information (e.g. support for 'utmp = yes')
share_info.tdb*: share acls
winbindd_cache.tdb: winbindd's cache of user lists, etc...
winbindd_idmap.tdb*: winbindd's local idmap db
wins.dat*: wins database when 'wins support = yes'

SIGNALS

Sending the smbd a SIGHUP will cause it to + reload its smb.conf configuration + file within a short period of time.

To shut down a user's smbd process it is recommended + that SIGKILL (-9) NOT + be used, except as a last resort, as this may leave the shared + memory area in an inconsistent state. The safe way to terminate + an smbd is to send it a SIGTERM (-15) signal and wait for + it to die on its own.

The debug log level of smbd may be raised + or lowered using smbcontrol(1) program (SIGUSR[1|2] signals are no longer + used since Samba 2.2). This is to allow transient problems to be diagnosed, + whilst still running at a normally low log level.

Note that as the signal handlers send a debug write, + they are not re-entrant in smbd. This you should wait until + smbd is in a state of waiting for an incoming SMB before + issuing them. It is possible to make the signal handlers safe + by un-blocking the signals before the select call and re-blocking + them after, however this would affect performance.

AUTHOR

The original Samba man pages were written by Karl Auer. + The man page sources were converted to YODL format (another + excellent piece of Open Source software, available at + ftp://ftp.icce.rug.nl/pub/unix/) and updated for the Samba 2.0 + release by Jeremy Allison. The conversion to DocBook for + Samba 2.2 was done by Gerald Carter. The conversion to DocBook XML 4.2 for + Samba 3.0 was done by Alexander Bokovoy.

diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20rc2/docs/htmldocs/manpages-3/smbget.1.html samba-3.0.20/docs/htmldocs/manpages-3/smbget.1.html --- samba-3.0.20rc2/docs/htmldocs/manpages-3/smbget.1.html 1969-12-31 18:00:00.000000000 -0600 +++ samba-3.0.20/docs/htmldocs/manpages-3/smbget.1.html 2005-08-19 12:56:33.000000000 -0500 @@ -0,0 +1,26 @@ +smbget

Name

smbget — wget-like utility for download files over SMB

Synopsis

DESCRIPTION

This tool is part of the samba(7) suite.

smbget is a simple utility with wget-like semantics, that can download files from SMB servers. You can specify the files you would like to download on the command-line. +

+ The files should be in the smb-URL standard, e.g. use smb://host/share/file + for the UNC path \\\\HOST\\SHARE\\file. +

OPTIONS

-a, --guest

Work as user guest

-r, --resume

Automatically resume aborted files

-R, --recursive

Recursively download files

-u, --username=STRING

Username to use

-p, --password=STRING

Password to use

-w, --workgroup=STRING

Workgroup to use (optional)

-n, --nonprompt

Don't ask anything (non-interactive)

-d, --debuglevel=INT

Debuglevel to use

-D, --dots

Show dots as progress indication

-P, --keep-permissions

Set same permissions on local file as are set on remote file.

-o, --outputfile

Write the file that is being download to the specified file. Can not be used together with -R.

-f, --rcfile

Use specified rcfile. This will be loaded in the order it was specified - e.g. if you specify any options before this one, they might get overriden by the contents of the rcfile.

-q, --quiet

Be quiet

-v, --verbose

Be verbose

-b, --blocksize

Number of bytes to download in a block. Defaults to 64000.

-?, --help

Show help message

--usage

Display brief usage message

SMB URLS

SMB URL's should be specified in the following format:

+smb://[[[domain;]user[:password@]]server[/share[/path[/file]]]]
+

+smb:// means all the workgroups
+

+smb://name/ means, if name is a workgroup, all the servers in this workgroup, or if name is a server, all the shares on this server.
+

EXAMPLES

+# Recursively download 'src' directory
+smbget -R smb://rhonwyn/jelmer/src
+# Download FreeBSD ISO and enable resuming
+smbget -r smb://rhonwyn/isos/FreeBSD5.1.iso
+# Recursively download all ISOs
+smbget -Rr smb://rhonwyn/isos
+# Backup my data on rhonwyn
+smbget -Rr smb://rhonwyn/
+

BUGS

Permission denied is returned in some cases where the cause of the error is unknown +(such as an illegally formatted smb:// url or trying to get a directory without -R +turned on).

VERSION

This man page is correct for version 3.0 of + the Samba suite.

AUTHOR

The smbget manpage was written by Jelmer Vernooij.

diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20rc2/docs/htmldocs/manpages-3/smbgetrc.5.html samba-3.0.20/docs/htmldocs/manpages-3/smbgetrc.5.html --- samba-3.0.20rc2/docs/htmldocs/manpages-3/smbgetrc.5.html 1969-12-31 18:00:00.000000000 -0600 +++ samba-3.0.20/docs/htmldocs/manpages-3/smbgetrc.5.html 2005-08-19 12:56:36.000000000 -0500 @@ -0,0 +1,17 @@ +smbgetrc

Name

smbgetrc — configuration file for smbget

Synopsis

smbgetrc

DESCRIPTION

+ This manual page documents the format and options of the smbgetrc + file. This is the configuration file used by the smbget(1) + utility. The file contains of key-value pairs, one pair on each line. The key + and value should be separated by a space. +

By default, smbget reads its configuration from $HOME/.smbgetrc, though + other locations can be specified using the command-line options.

OPTIONS

+ The following keys can be set: +

resume on|off: + Whether aborted downloads should be automatically resumed. +
recursive on|off: Whether directories should be downloaded recursively
username name: Username to use when logging in to the remote server. Use an empty string for anonymous access. +
password pass: Password to use when logging in.
workgroup wg: Workgroup to use when logging in
nonprompt on|off: Turns off asking for username and password. Useful for scripts.
debuglevel int: (Samba) debuglevel to run at. Useful for tracking down protocol level problems.
dots on|off: Whether a single dot should be printed for each block that has been downloaded, instead of the default progress indicator.
blocksize int: Number of bytes to put in a block.

VERSION

This man page is correct for version 3.0 of + the Samba suite.

AUTHOR

This manual page was written by Jelmer Vernooij

diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20rc2/docs/htmldocs/manpages-3/smbmnt.8.html samba-3.0.20/docs/htmldocs/manpages-3/smbmnt.8.html --- samba-3.0.20rc2/docs/htmldocs/manpages-3/smbmnt.8.html 1969-12-31 18:00:00.000000000 -0600 +++ samba-3.0.20/docs/htmldocs/manpages-3/smbmnt.8.html 2005-08-19 12:56:40.000000000 -0500 @@ -0,0 +1,24 @@ +smbmnt

Name

smbmnt — helper utility for mounting SMB filesystems

Synopsis

smbmnt {mount-point} [-s <share>] [-r] [-u <uid>] [-g <gid>] [-f <mask>] [-d <mask>] [-o <options>] [-h]

DESCRIPTION

smbmnt is a helper application used + by the smbmount program to do the actual mounting of SMB shares. + smbmnt can be installed setuid root if you want + normal users to be able to mount their SMB shares.

A setuid smbmnt will only allow mounts on directories owned + by the user, and that the user has write permission on.

The smbmnt program is normally invoked + by smbmount(8). It should not be invoked directly by users.

smbmount searches the normal PATH for smbmnt. You must ensure + that the smbmnt version in your path matches the smbmount used.

OPTIONS

-r: mount the filesystem read-only +
-u uid: specify the uid that the files will + be owned by
-g gid: specify the gid that the files will be + owned by
-f mask: specify the octal file mask applied +
-d mask: specify the octal directory mask + applied
-o options: + list of options that are passed as-is to smbfs, if this + command is run on a 2.4 or higher Linux kernel. +
-h|--help: Print a summary of command line options. +

AUTHOR

Volker Lendecke, Andrew Tridgell, Michael H. Warfield + and others.

The current maintainer of smbfs and the userspace + tools smbmount, smbumount, + and smbmnt is Urban Widmark. + The SAMBA Mailing list + is the preferred place to ask questions regarding these programs. +

The conversion of this manpage for Samba 2.2 was performed + by Gerald Carter. The conversion to DocBook XML 4.2 for Samba 3.0 + was done by Alexander Bokovoy.

diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20rc2/docs/htmldocs/manpages-3/smbmount.8.html samba-3.0.20/docs/htmldocs/manpages-3/smbmount.8.html --- samba-3.0.20rc2/docs/htmldocs/manpages-3/smbmount.8.html 1969-12-31 18:00:00.000000000 -0600 +++ samba-3.0.20/docs/htmldocs/manpages-3/smbmount.8.html 2005-08-19 12:56:45.000000000 -0500 @@ -0,0 +1,108 @@ +smbmount

Name

smbmount — mount an smbfs filesystem

Synopsis

smbmount {service} {mount-point} [-o options]

DESCRIPTION

smbmount mounts a Linux SMB filesystem. It + is usually invoked as mount.smbfs by + the mount(8) command when using the + "-t smbfs" option. This command only works in Linux, and the kernel must + support the smbfs filesystem.

Options to smbmount are specified as a comma-separated + list of key=value pairs. It is possible to send options other + than those listed here, assuming that smbfs supports them. If + you get mount failures, check your kernel log for errors on + unknown options.

smbmount is a daemon. After mounting it keeps running until + the mounted smbfs is umounted. It will log things that happen + when in daemon mode using the "machine name" smbmount, so + typically this output will end up in log.smbmount. The + smbmount process may also be called mount.smbfs.

Note

smbmount + calls smbmnt(8) to do the actual mount. You + must make sure that smbmnt is in the path so + that it can be found.

OPTIONS

username=<arg>

specifies the username to connect as. If + this is not given, then the environment variable + USER is used. This option can also take the + form "user%password" or "user/workgroup" or + "user/workgroup%password" to allow the password and workgroup + to be specified as part of the username.

password=<arg>

specifies the SMB password. If this + option is not given then the environment variable + PASSWD is used. If it can find + no password smbmount will prompt + for a passeword, unless the guest option is + given.

+ Note that passwords which contain the argument delimiter + character (i.e. a comma ',') will failed to be parsed correctly + on the command line. However, the same password defined + in the PASSWD environment variable or a credentials file (see + below) will be read correctly. +

credentials=<filename>

specifies a file that contains a username and/or password. +The format of the file is: +

+username = <value>
+password = <value>
+

This is preferred over having passwords in plaintext in a + shared file, such as /etc/fstab. Be sure to protect any + credentials file properly. +

krb

Use kerberos (Active Directory).

netbiosname=<arg>

sets the source NetBIOS name. It defaults + to the local hostname.

uid=<arg>

sets the uid that will own all files on + the mounted filesystem. + It may be specified as either a username or a numeric uid. +

gid=<arg>

sets the gid that will own all files on + the mounted filesystem. + It may be specified as either a groupname or a numeric + gid.

port=<arg>

sets the remote SMB port number. The default + is 445, fallback is 139.

fmask=<arg>

sets the file mask. This determines the + permissions that remote files have in the local filesystem. + This is not a umask, but the actual permissions for the files. + The default is based on the current umask.

dmask=<arg>

Sets the directory mask. This determines the + permissions that remote directories have in the local filesystem. + This is not a umask, but the actual permissions for the directories. + The default is based on the current umask.

debug=<arg>

Sets the debug level. This is useful for + tracking down SMB connection problems. A suggested value to + start with is 4. If set too high there will be a lot of + output, possibly hiding the useful output.

ip=<arg>

Sets the destination host or IP address. +

workgroup=<arg>

Sets the workgroup on the destination

sockopt=<arg>

Sets the TCP socket options. See the smb.conf(5) socket options option. +

scope=<arg>

Sets the NetBIOS scope

guest

Don't prompt for a password

ro

mount read-only

rw

mount read-write

iocharset=<arg>

+ sets the charset used by the Linux side for codepage + to charset translations (NLS). Argument should be the + name of a charset, like iso8859-1. (Note: only kernel + 2.4.0 or later) +

codepage=<arg>

+ sets the codepage the server uses. See the iocharset + option. Example value cp850. (Note: only kernel 2.4.0 + or later) +

ttl=<arg>

+ sets how long a directory listing is cached in milliseconds + (also affects visibility of file size and date + changes). A higher value means that changes on the + server take longer to be noticed but it can give + better performance on large directories, especially + over long distances. Default is 1000ms but something + like 10000ms (10 seconds) is probably more reasonable + in many cases. + (Note: only kernel 2.4.2 or later) +

ENVIRONMENT VARIABLES

The variable USER may contain the username of the + person using the client. This information is used only if the + protocol level is high enough to support session-level + passwords. The variable can be used to set both username and + password by using the format username%password.

The variable PASSWD may contain the password of the + person using the client. This information is used only if the + protocol level is high enough to support session-level + passwords.

The variable PASSWD_FILE may contain the pathname + of a file to read the password from. A single line of input is + read and used as the password.

BUGS

Passwords and other options containing , can not be handled. + For passwords an alternative way of passing them is in a credentials + file or in the PASSWD environment.

The credentials file does not handle usernames or passwords with + leading space.

One smbfs bug is important enough to mention here, even if it + is a bit misplaced:

Mounts sometimes stop working. This is usually + caused by smbmount terminating. Since smbfs needs smbmount to + reconnect when the server disconnects, the mount will eventually go + dead. An umount/mount normally fixes this. At least 2 ways to + trigger this bug are known.

Note that the typical response to a bug report is suggestion + to try the latest version first. So please try doing that first, + and always include which versions you use of relevant software + when reporting bugs (minimum: samba, kernel, distribution)

AUTHOR

Volker Lendecke, Andrew Tridgell, Michael H. Warfield + and others.

The conversion of this manpage for Samba 2.2 was performed + by Gerald Carter. The conversion to DocBook XML 4.2 for Samba 3.0 + was done by Alexander Bokovoy.

diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20rc2/docs/htmldocs/manpages-3/smbpasswd.5.html samba-3.0.20/docs/htmldocs/manpages-3/smbpasswd.5.html --- samba-3.0.20rc2/docs/htmldocs/manpages-3/smbpasswd.5.html 1969-12-31 18:00:00.000000000 -0600 +++ samba-3.0.20/docs/htmldocs/manpages-3/smbpasswd.5.html 2005-08-19 12:56:49.000000000 -0500 @@ -0,0 +1,90 @@ +smbpasswd

Name

smbpasswd — The Samba encrypted password file

Synopsis

smbpasswd

DESCRIPTION

This tool is part of the samba(7) suite.

smbpasswd is the Samba encrypted password file. It contains + the username, Unix user id and the SMB hashed passwords of the + user, as well as account flag information and the time the + password was last changed. This file format has been evolving with + Samba and has had several different formats in the past.

FILE FORMAT

The format of the smbpasswd file used by Samba 2.2 + is very similar to the familiar Unix passwd(5) + file. It is an ASCII file containing one line for each user. Each field + ithin each line is separated from the next by a colon. Any entry + beginning with '#' is ignored. The smbpasswd file contains the + following information for each user:

name

This is the user name. It must be a name that + already exists in the standard UNIX passwd file.

uid

This is the UNIX uid. It must match the uid + field for the same user entry in the standard UNIX passwd file. + If this does not match then Samba will refuse to recognize + this smbpasswd file entry as being valid for a user. +

Lanman Password Hash

This is the LANMAN hash of the user's password, + encoded as 32 hex digits. The LANMAN hash is created by DES + encrypting a well known string with the user's password as the + DES key. This is the same password used by Windows 95/98 machines. + Note that this password hash is regarded as weak as it is + vulnerable to dictionary attacks and if two users choose the + same password this entry will be identical (i.e. the password + is not "salted" as the UNIX password is). If the user has a + null password this field will contain the characters "NO PASSWORD" + as the start of the hex string. If the hex string is equal to + 32 'X' characters then the user's account is marked as + disabled and the user will not be able to + log onto the Samba server.

WARNING !! Note that, due to + the challenge-response nature of the SMB/CIFS authentication + protocol, anyone with a knowledge of this password hash will + be able to impersonate the user on the network. For this + reason these hashes are known as plain text + equivalents and must NOT be made + available to anyone but the root user. To protect these passwords + the smbpasswd file is placed in a directory with read and + traverse access only to the root user and the smbpasswd file + itself must be set to be read/write only by root, with no + other access.

NT Password Hash

This is the Windows NT hash of the user's + password, encoded as 32 hex digits. The Windows NT hash is + created by taking the user's password as represented in + 16-bit, little-endian UNICODE and then applying the MD4 + (internet rfc1321) hashing algorithm to it.

This password hash is considered more secure than + the LANMAN Password Hash as it preserves the case of the + password and uses a much higher quality hashing algorithm. + However, it is still the case that if two users choose the same + password this entry will be identical (i.e. the password is + not "salted" as the UNIX password is).

WARNING !!. Note that, due to + the challenge-response nature of the SMB/CIFS authentication + protocol, anyone with a knowledge of this password hash will + be able to impersonate the user on the network. For this + reason these hashes are known as plain text + equivalents and must NOT be made + available to anyone but the root user. To protect these passwords + the smbpasswd file is placed in a directory with read and + traverse access only to the root user and the smbpasswd file + itself must be set to be read/write only by root, with no + other access.

Account Flags

This section contains flags that describe + the attributes of the users account. In the Samba 2.2 release + this field is bracketed by '[' and ']' characters and is always + 13 characters in length (including the '[' and ']' characters). + The contents of this field may be any of the following characters: +

U - This means + this is a "User" account, i.e. an ordinary user. Only User + and Workstation Trust accounts are currently supported + in the smbpasswd file.
N - This means the + account has no password (the passwords in the fields LANMAN + Password Hash and NT Password Hash are ignored). Note that this + will only allow users to log on with no password if the + null passwords parameter is set in the + smb.conf(5) config file.
D - This means the account + is disabled and no SMB/CIFS logins will be allowed for this user.
W - This means this account + is a "Workstation Trust" account. This kind of account is used + in the Samba PDC code stream to allow Windows NT Workstations + and Servers to join a Domain hosted by a Samba PDC.

Other flags may be added as the code is extended in future. + The rest of this field space is filled in with spaces.

Last Change Time

This field consists of the time the account was + last modified. It consists of the characters 'LCT-' (standing for + "Last Change Time") followed by a numeric encoding of the UNIX time + in seconds since the epoch (1970) that the last change was made. +

All other colon separated fields are ignored at this time.

VERSION

This man page is correct for version 3.0 of + the Samba suite.

AUTHOR

The original Samba man pages were written by Karl Auer. + The man page sources were converted to YODL format (another + excellent piece of Open Source software, available at + ftp://ftp.icce.rug.nl/pub/unix/) and updated for the Samba 2.0 + release by Jeremy Allison. The conversion to DocBook for + Samba 2.2 was done by Gerald Carter. The conversion to DocBook XML 4.2 + for Samba 3.0 was done by Alexander Bokovoy.

diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20rc2/docs/htmldocs/manpages-3/smbpasswd.8.html samba-3.0.20/docs/htmldocs/manpages-3/smbpasswd.8.html --- samba-3.0.20rc2/docs/htmldocs/manpages-3/smbpasswd.8.html 1969-12-31 18:00:00.000000000 -0600 +++ samba-3.0.20/docs/htmldocs/manpages-3/smbpasswd.8.html 2005-08-19 12:56:53.000000000 -0500 @@ -0,0 +1,159 @@ +smbpasswd

Name

smbpasswd — change a user's SMB password

Synopsis

smbpasswd [-a] [-x] [-d] [-e] [-D debuglevel] [-n] [-r <remote machine>] [-R <name resolve order>] [-m] [-U username[%password]] [-h] [-s] [-w pass] [-i] [-L] [username]

DESCRIPTION

This tool is part of the samba(7) suite.

The smbpasswd program has several different + functions, depending on whether it is run by the root user + or not. When run as a normal user it allows the user to change + the password used for their SMB sessions on any machines that store + SMB passwords.

By default (when run with no arguments) it will attempt to + change the current user's SMB password on the local machine. This is + similar to the way the passwd(1) program works. + smbpasswd differs from how the passwd program works + however in that it is not setuid root but works in + a client-server mode and communicates with a + locally running smbd(8). As a consequence in order for this to + succeed the smbd daemon must be running on the local machine. On a + UNIX machine the encrypted SMB passwords are usually stored in + the smbpasswd(5) file.

When run by an ordinary user with no options, smbpasswd + will prompt them for their old SMB password and then ask them + for their new password twice, to ensure that the new password + was typed correctly. No passwords will be echoed on the screen + whilst being typed. If you have a blank SMB password (specified by + the string "NO PASSWORD" in the smbpasswd file) then just press + the <Enter> key when asked for your old password.

smbpasswd can also be used by a normal user to change their + SMB password on remote machines, such as Windows NT Primary Domain + Controllers. See the (-r) and -U options + below.

When run by root, smbpasswd allows new users to be added + and deleted in the smbpasswd file, as well as allows changes to + the attributes of the user in this file to be made. When run by root, + smbpasswd accesses the local smbpasswd file + directly, thus enabling changes to be made even if smbd is not + running.

OPTIONS

-a

This option specifies that the username + following should be added to the local smbpasswd file, with the + new password typed (type <Enter> for the old password). This + option is ignored if the username following already exists in + the smbpasswd file and it is treated like a regular change + password command. Note that the default passdb backends require + the user to already exist in the system password file (usually + /etc/passwd), else the request to add the + user will fail.

This option is only available when running smbpasswd + as root.

-x

This option specifies that the username + following should be deleted from the local smbpasswd file. +

This option is only available when running smbpasswd as + root.

-d

This option specifies that the username following + should be disabled in the local smbpasswd + file. This is done by writing a 'D' flag + into the account control space in the smbpasswd file. Once this + is done all attempts to authenticate via SMB using this username + will fail.

If the smbpasswd file is in the 'old' format (pre-Samba 2.0 + format) there is no space in the user's password entry to write + this information and the command will FAIL. See smbpasswd(5) for details on the 'old' and new password file formats. +

This option is only available when running smbpasswd as + root.

-e

This option specifies that the username following + should be enabled in the local smbpasswd file, + if the account was previously disabled. If the account was not + disabled this option has no effect. Once the account is enabled then + the user will be able to authenticate via SMB once again.

If the smbpasswd file is in the 'old' format, then + smbpasswd will FAIL to enable the account. + See smbpasswd(5) for + details on the 'old' and new password file formats.

This option is only available when running smbpasswd as root. +

-D debuglevel

debuglevel is an integer + from 0 to 10. The default value if this parameter is not specified + is zero.

The higher this value, the more detail will be logged to the + log files about the activities of smbpasswd. At level 0, only + critical errors and serious warnings will be logged.

Levels above 1 will generate considerable amounts of log + data, and should only be used when investigating a problem. Levels + above 3 are designed for use only by developers and generate + HUGE amounts of log data, most of which is extremely cryptic. +

-n

This option specifies that the username following + should have their password set to null (i.e. a blank password) in + the local smbpasswd file. This is done by writing the string "NO + PASSWORD" as the first part of the first password stored in the + smbpasswd file.

Note that to allow users to logon to a Samba server once + the password has been set to "NO PASSWORD" in the smbpasswd + file the administrator must set the following parameter in the [global] + section of the smb.conf file :

null passwords = yes

This option is only available when running smbpasswd as + root.

-r remote machine name

This option allows a user to specify what machine + they wish to change their password on. Without this parameter + smbpasswd defaults to the local host. The remote + machine name is the NetBIOS name of the SMB/CIFS + server to contact to attempt the password change. This name is + resolved into an IP address using the standard name resolution + mechanism in all programs of the Samba suite. See the -R + name resolve order parameter for details on changing + this resolving mechanism.

The username whose password is changed is that of the + current UNIX logged on user. See the -U username + parameter for details on changing the password for a different + username.

Note that if changing a Windows NT Domain password the + remote machine specified must be the Primary Domain Controller for + the domain (Backup Domain Controllers only have a read-only + copy of the user account database and will not allow the password + change).

Note that Windows 95/98 do not have + a real password database so it is not possible to change passwords + specifying a Win95/98 machine as remote machine target.

-R name resolve order

This option allows the user of smbpasswd to determine + what name resolution services to use when looking up the NetBIOS + name of the host being connected to.

The options are :"lmhosts", "host", "wins" and "bcast". They + cause names to be resolved as follows:

lmhosts: Lookup an IP + address in the Samba lmhosts file. If the line in lmhosts has + no name type attached to the NetBIOS name (see the lmhosts(5) for details) then + any name type matches for lookup.
host: Do a standard host + name to IP address resolution, using the system /etc/hosts +, NIS, or DNS lookups. This method of name resolution + is operating system depended for instance on IRIX or Solaris this + may be controlled by the /etc/nsswitch.conf + file). Note that this method is only used if the NetBIOS name + type being queried is the 0x20 (server) name type, otherwise + it is ignored.
wins: Query a name with + the IP address listed in the wins server + parameter. If no WINS server has been specified this method + will be ignored.
bcast: Do a broadcast on + each of the known local interfaces listed in the + interfaces parameter. This is the least + reliable of the name resolution methods as it depends on the + target host being on a locally connected subnet.

The default order is lmhosts, host, wins, bcast + and without this parameter or any entry in the smb.conf(5) file the name resolution methods will + be attempted in this order.

-m

This option tells smbpasswd that the account + being changed is a MACHINE account. Currently this is used + when Samba is being used as an NT Primary Domain Controller.

This option is only available when running smbpasswd as root. +

-U username

This option may only be used in conjunction + with the -r option. When changing + a password on a remote machine it allows the user to specify + the user name on that machine whose password will be changed. It + is present to allow users who have different user names on + different systems to change these passwords.

-h

This option prints the help string for + smbpasswd, selecting the correct one for running as root + or as an ordinary user.

-s

This option causes smbpasswd to be silent (i.e. + not issue prompts) and to read its old and new passwords from + standard input, rather than from /dev/tty + (like the passwd(1) program does). This option + is to aid people writing scripts to drive smbpasswd

-w password

This parameter is only available if Samba + has been compiled with LDAP support. The -w + switch is used to specify the password to be used with the + ldap admin dn. Note that the password is stored in + the secrets.tdb and is keyed off + of the admin's DN. This means that if the value of ldap + admin dn ever changes, the password will need to be + manually updated as well. +

-i

This option tells smbpasswd that the account + being changed is an interdomain trust account. Currently this is used + when Samba is being used as an NT Primary Domain Controller. + The account contains the info about another trusted domain.

This option is only available when running smbpasswd as root. +

-L

Run in local mode.

username

This specifies the username for all of the + root only options to operate on. Only root + can specify this parameter as only root has the permission needed + to modify attributes directly in the local smbpasswd file. +

NOTES

Since smbpasswd works in client-server + mode communicating with a local smbd for a non-root user then + the smbd daemon must be running for this to work. A common problem + is to add a restriction to the hosts that may access the + smbd running on the local machine by specifying either allow + hosts or deny hosts entry in + the smb.conf(5) file and neglecting to + allow "localhost" access to the smbd.

In addition, the smbpasswd command is only useful if Samba + has been set up to use encrypted passwords.

VERSION

This man page is correct for version 3.0 of the Samba suite.

AUTHOR

The original Samba man pages were written by Karl Auer. + The man page sources were converted to YODL format (another + excellent piece of Open Source software, available at + ftp://ftp.icce.rug.nl/pub/unix/) and updated for the Samba 2.0 + release by Jeremy Allison. The conversion to DocBook for + Samba 2.2 was done by Gerald Carter. The conversion to DocBook XML 4.2 + for Samba 3.0 was done by Alexander Bokovoy.

diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20rc2/docs/htmldocs/manpages-3/smbsh.1.html samba-3.0.20/docs/htmldocs/manpages-3/smbsh.1.html --- samba-3.0.20rc2/docs/htmldocs/manpages-3/smbsh.1.html 1969-12-31 18:00:00.000000000 -0600 +++ samba-3.0.20/docs/htmldocs/manpages-3/smbsh.1.html 2005-08-19 12:56:56.000000000 -0500 @@ -0,0 +1,108 @@ +smbsh

Name

smbsh — Allows access to remote SMB shares + using UNIX commands

Synopsis

smbsh [-W workgroup] [-U username] [-P prefix] [-R <name resolve order>] [-d <debug level>] [-l logdir] [-L libdir]

DESCRIPTION

This tool is part of the samba(7) suite.

smbsh allows you to access an NT filesystem + using UNIX commands such as ls, + egrep, and rcp. You must use a + shell that is dynamically linked in order for smbsh + to work correctly.

OPTIONS

-W WORKGROUP

Override the default workgroup specified in the + workgroup parameter of the smb.conf(5) file + for this session. This may be needed to connect to some + servers.

-U username[%pass]

Sets the SMB username or username and password. + If this option is not specified, the user will be prompted for + both the username and the password. If %pass is not specified, + the user will be prompted for the password. +

-P prefix

This option allows + the user to set the directory prefix for SMB access. The + default value if this option is not specified is + smb. +

-s <configuration file>

-d|--debug=debuglevel

debuglevel is an integer +from 0 to 10. The default value if this parameter is +not specified is zero.

Note that specifying this parameter here will +override the parameter +in the smb.conf file.

-R <name resolve order>

This option is used to determine what naming +services and in what order to resolve +host names to IP addresses. The option takes a space-separated +string of different name resolution options.

The options are: "lmhosts", "host", "wins" and "bcast". +They cause names to be resolved as follows :

lmhosts: +Lookup an IP address in the Samba lmhosts file. If the +line in lmhosts has no name type attached to the +NetBIOS name +(see the lmhosts(5) for details) +then any name type matches for lookup. +
host: +Do a standard host name to IP address resolution, using +the system /etc/hosts, NIS, or DNS +lookups. This method of name resolution is operating +system dependent, for instance on IRIX or Solaris this +may be controlled by the /etc/nsswitch.conf + file). Note that this method is only used +if the NetBIOS name type being queried is the 0x20 +(server) name type, otherwise it is ignored. +
wins: +Query a name with the IP address listed in the +wins server parameter. If no +WINS server has been specified this method will be +ignored. +
bcast: +Do a broadcast on each of the known local interfaces +listed in the interfaces +parameter. This is the least reliable of the name +resolution methods as it depends on the target host +being on a locally connected subnet. +

If this parameter is not set then the name resolve order +defined in the smb.conf file parameter +() will be used. +

The default order is lmhosts, host, wins, bcast. Without +this parameter or any entry in the parameter of the smb.conf file, the name +resolution methods will be attempted in this order.

-L libdir

This parameter specifies the location of the + shared libraries used by smbsh. The default + value is specified at compile time. +

EXAMPLES

To use the smbsh command, execute + smbsh from the prompt and enter the username and password + that authenticates you to the machine running the Windows NT + operating system. +

+system% smbsh
+Username: user
+Password: XXXXXXX
+

Any dynamically linked command you execute from + this shell will access the /smb directory + using the smb protocol. For example, the command ls /smb + will show a list of workgroups. The command + ls /smb/MYGROUP will show all the machines in + the workgroup MYGROUP. The command + ls /smb/MYGROUP/<machine-name> will show the share + names for that machine. You could then, for example, use the + cd command to change directories, vi to + edit files, and rcp to copy files.

VERSION

This man page is correct for version 3.0 of the Samba suite.

BUGS

smbsh works by intercepting the standard + libc calls with the dynamically loaded versions in + smbwrapper.o. Not all calls have been "wrapped", so + some programs may not function correctly under smbsh + .

Programs which are not dynamically linked cannot make + use of smbsh's functionality. Most versions + of UNIX have a file command that will + describe how a program was linked.

AUTHOR

The original Samba man pages were written by Karl Auer. + The man page sources were converted to YODL format (another + excellent piece of Open Source software, available at + ftp://ftp.icce.rug.nl/pub/unix/) and updated for the Samba 2.0 + release by Jeremy Allison. The conversion to DocBook for + Samba 2.2 was done by Gerald Carter. The conversion to DocBook XML 4.2 + for Samba 3.0 was done by Alexander Bokovoy.

diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20rc2/docs/htmldocs/manpages-3/smbspool.8.html samba-3.0.20/docs/htmldocs/manpages-3/smbspool.8.html --- samba-3.0.20rc2/docs/htmldocs/manpages-3/smbspool.8.html 1969-12-31 18:00:00.000000000 -0600 +++ samba-3.0.20/docs/htmldocs/manpages-3/smbspool.8.html 2005-08-19 12:57:00.000000000 -0500 @@ -0,0 +1,36 @@ +smbspool

Name

smbspool — send a print file to an SMB printer

Synopsis

smbspool {job} {user} {title} {copies} {options} [filename]

DESCRIPTION

This tool is part of the samba(7) suite.

smbspool is a very small print spooling program that + sends a print file to an SMB printer. The command-line arguments + are position-dependent for compatibility with the Common UNIX + Printing System, but you can use smbspool with any printing system + or from a program or script.

DEVICE URI

smbspool specifies the destination using a Uniform Resource + Identifier ("URI") with a method of "smb". This string can take + a number of forms:

smb://server[:port]/printer
smb://workgroup/server[:port]/printer
smb://username:password@server[:port]/printer
smb://username:password@workgroup/server[:port]/printer

smbspool tries to get the URI from the environment variable + DEVICE_URI. If DEVICE_URI is not present, + smbspool will use argv[0] if that starts with “smb://” + or argv[1] if that is not the case.

Programs using the exec(2) functions can + pass the URI in argv[0], while shell scripts must set the + DEVICE_URI environment variable prior to + running smbspool.

OPTIONS

The job argument (argv[1]) contains the + job ID number and is presently not used by smbspool. +
The user argument (argv[2]) contains the + print user's name and is presently not used by smbspool. +
The title argument (argv[3]) contains the + job title string and is passed as the remote file name + when sending the print job.
The copies argument (argv[4]) contains + the number of copies to be printed of the named file. If + no filename is provided then this argument is not used by + smbspool.
The options argument (argv[5]) contains + the print options in a single string and is currently + not used by smbspool.
The filename argument (argv[6]) contains the + name of the file to print. If this argument is not specified + then the print file is read from the standard input.

VERSION

This man page is correct for version 3.0 of the Samba suite.

AUTHOR

smbspool was written by Michael Sweet + at Easy Software Products.

The original Samba man pages were written by Karl Auer. + The man page sources were converted to YODL format (another + excellent piece of Open Source software, available at + ftp://ftp.icce.rug.nl/pub/unix/) and updated for the Samba 2.0 + release by Jeremy Allison. The conversion to DocBook for + Samba 2.2 was done by Gerald Carter. The conversion to DocBook XML 4.2 + for Samba 3.0 was done by Alexander Bokovoy.

diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20rc2/docs/htmldocs/manpages-3/smbstatus.1.html samba-3.0.20/docs/htmldocs/manpages-3/smbstatus.1.html --- samba-3.0.20rc2/docs/htmldocs/manpages-3/smbstatus.1.html 1969-12-31 18:00:00.000000000 -0600 +++ samba-3.0.20/docs/htmldocs/manpages-3/smbstatus.1.html 2005-08-19 12:57:05.000000000 -0500 @@ -0,0 +1,41 @@ +smbstatus

Name

smbstatus — report on current Samba connections

Synopsis

smbstatus [-P] [-b] [-d <debug level>] [-v] [-L] [-B] [-p] [-S] [-s <configuration file>] [-u <username>]

DESCRIPTION

This tool is part of the samba(7) suite.

smbstatus is a very simple program to + list the current Samba connections.

OPTIONS

-P|--profile

If samba has been compiled with the + profiling option, print only the contents of the profiling + shared memory area.

-b|--brief

gives brief output.

-V

Prints the program version number. +

-s <configuration file>

-d|--debug=debuglevel

debuglevel is an integer +from 0 to 10. The default value if this parameter is +not specified is zero.

Note that specifying this parameter here will +override the parameter +in the smb.conf file.

-l|--logfile=logdirectory

Base directory name for log/debug files. The extension +".progname" will be appended (e.g. log.smbclient, +log.smbd, etc...). The log file is never removed by the client. +

-v|--verbose

gives verbose output.

-L|--locks

causes smbstatus to only list locks.

-B|--byterange

causes smbstatus to include byte range locks. +

-p|--processes

print a list of smbd(8) processes and exit. + Useful for scripting.

-S|--shares

causes smbstatus to only list shares.

-h|--help

Print a summary of command line options. +

-u|--user=<username>

selects information relevant to username only.

VERSION

This man page is correct for version 3.0 of + the Samba suite.

AUTHOR

The original Samba man pages were written by Karl Auer. + The man page sources were converted to YODL format (another + excellent piece of Open Source software, available at + ftp://ftp.icce.rug.nl/pub/unix/) and updated for the Samba 2.0 + release by Jeremy Allison. The conversion to DocBook for + Samba 2.2 was done by Gerald Carter. The conversion to DocBook XML 4.2 + for Samba 3.0 was done by Alexander Bokovoy.

diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20rc2/docs/htmldocs/manpages-3/smbtar.1.html samba-3.0.20/docs/htmldocs/manpages-3/smbtar.1.html --- samba-3.0.20rc2/docs/htmldocs/manpages-3/smbtar.1.html 1969-12-31 18:00:00.000000000 -0600 +++ samba-3.0.20/docs/htmldocs/manpages-3/smbtar.1.html 2005-08-19 12:57:09.000000000 -0500 @@ -0,0 +1,39 @@ +smbtar

Name

smbtar — shell script for backing up SMB/CIFS shares + directly to UNIX tape drives

Synopsis

smbtar [-r] [-i] [-a] [-v] {-s server} [-p password] [-x services] [-X] [-N filename] [-b blocksize] [-d directory] [-l loglevel] [-u user] [-t tape] {filenames}

DESCRIPTION

This tool is part of the samba(7) suite.

smbtar is a very small shell script on top + of smbclient(1) which dumps SMB shares directly to tape.

OPTIONS

-s server: The SMB/CIFS server that the share resides + upon.
-x service: The share name on the server to connect to. + The default is "backup".
-X: Exclude mode. Exclude filenames... from tar + create or restore.
-d directory: Change to initial directory + before restoring / backing up files.
-v: Verbose mode.
-p password: The password to use to access a share. + Default: none
-u user: The user id to connect as. Default: + UNIX login name.
-a: Reset DOS archive bit mode to + indicate file has been archived.
-t tape: Tape device. May be regular file or tape + device. Default: $TAPE environmental + variable; if not set, a file called tar.out +.
-b blocksize: Blocking factor. Defaults to 20. See + tar(1) for a fuller explanation.
-N filename: Backup only files newer than filename. Could + be used (for example) on a log file to implement incremental + backups.
-i: Incremental mode; tar files are only backed + up if they have the archive bit set. The archive bit is reset + after each file is read.
-r: Restore. Files are restored to the share + from the tar file.
-l log level: Log (debug) level. Corresponds to the + -d flag of smbclient(1).

ENVIRONMENT VARIABLES

The $TAPE variable specifies the + default tape device to write to. May be overridden + with the -t option.

BUGS

The smbtar script has different + options from ordinary tar and from smbclient's tar command.

CAVEATS

Sites that are more careful about security may not like + the way the script handles PC passwords. Backup and restore work + on entire shares; should work on file lists. smbtar works best + with GNU tar and may not work well with other versions.

DIAGNOSTICS

See the DIAGNOSTICS section for the smbclient(1) command.

VERSION

This man page is correct for version 3.0 of + the Samba suite.

AUTHOR

Ricky Poulten + wrote the tar extension and this man page. The smbtar + script was heavily rewritten and improved by Martin Kraemer. Many + thanks to everyone who suggested extensions, improvements, bug + fixes, etc. The man page sources were converted to YODL format (another + excellent piece of Open Source software, available at + ftp://ftp.icce.rug.nl/pub/unix/) and updated for the Samba 2.0 + release by Jeremy Allison. The conversion to DocBook for + Samba 2.2 was done by Gerald Carter. The conversion to DocBook XML 4.2 for + Samba 3.0 was done by Alexander Bokovoy.

diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20rc2/docs/htmldocs/manpages-3/smbtree.1.html samba-3.0.20/docs/htmldocs/manpages-3/smbtree.1.html --- samba-3.0.20rc2/docs/htmldocs/manpages-3/smbtree.1.html 1969-12-31 18:00:00.000000000 -0600 +++ samba-3.0.20/docs/htmldocs/manpages-3/smbtree.1.html 2005-08-19 12:57:14.000000000 -0500 @@ -0,0 +1,72 @@ +smbtree

Name

smbtree — A text based smb network browser +

Synopsis

smbtree [-b] [-D] [-S]

DESCRIPTION

This tool is part of the samba(7) suite.

smbtree is a smb browser program + in text mode. It is similar to the "Network Neighborhood" found + on Windows computers. It prints a tree with all + the known domains, the servers in those domains and + the shares on the servers. +

OPTIONS

-b

Query network nodes by sending requests + as broadcasts instead of querying the local master browser. +

-D

Only print a list of all + the domains known on broadcast or by the + master browser

-S

Only print a list of + all the domains and servers responding on broadcast or + known by the master browser. +

-V

Prints the program version number. +

-s <configuration file>

-d|--debug=debuglevel

debuglevel is an integer +from 0 to 10. The default value if this parameter is +not specified is zero.

Note that specifying this parameter here will +override the parameter +in the smb.conf file.

-l|--logfile=logdirectory

Base directory name for log/debug files. The extension +".progname" will be appended (e.g. log.smbclient, +log.smbd, etc...). The log file is never removed by the client. +

-N

If specified, this parameter suppresses the normal +password prompt from the client to the user. This is useful when +accessing a service that does not require a password.

Unless a password is specified on the command line or +this parameter is specified, the client will request a +password.

-k

+Try to authenticate with kerberos. Only useful in +an Active Directory environment. +

-A|--authentication-file=filename

This option allows +you to specify a file from which to read the username and +password used in the connection. The format of the file is +

+username = <value>
+password = <value>
+domain   = <value>
+

Make certain that the permissions on the file restrict +access from unwanted users.

-U|--user=username[%password]

Sets the SMB username or username and password.

-h|--help

Print a summary of command line options. +

VERSION

This man page is correct for version 3.0 of the Samba + suite.

AUTHOR

The smbtree man page was written by Jelmer Vernooij.

diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20rc2/docs/htmldocs/manpages-3/smbumount.8.html samba-3.0.20/docs/htmldocs/manpages-3/smbumount.8.html --- samba-3.0.20rc2/docs/htmldocs/manpages-3/smbumount.8.html 1969-12-31 18:00:00.000000000 -0600 +++ samba-3.0.20/docs/htmldocs/manpages-3/smbumount.8.html 2005-08-19 12:57:18.000000000 -0500 @@ -0,0 +1,16 @@ +smbumount

Name

smbumount — smbfs umount for normal users

Synopsis

smbumount {mount-point}

DESCRIPTION

With this program, normal users can unmount smb-filesystems, + provided that it is suid root. smbumount has + been written to give normal Linux users more control over their + resources. It is safe to install this program suid root, because only + the user who has mounted a filesystem is allowed to unmount it again. + For root it is not necessary to use smbumount. The normal umount + program works perfectly well, but it would certainly be problematic + to make umount setuid root.

OPTIONS

mount-point: The directory to unmount.

AUTHOR

Volker Lendecke, Andrew Tridgell, Michael H. Warfield + and others.

The conversion of this manpage for Samba 2.2 was performed + by Gerald Carter. The conversion to DocBook XML 4.2 for Samba 3.0 + was done by Alexander Bokovoy.

diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20rc2/docs/htmldocs/manpages-3/swat.8.html samba-3.0.20/docs/htmldocs/manpages-3/swat.8.html --- samba-3.0.20rc2/docs/htmldocs/manpages-3/swat.8.html 1969-12-31 18:00:00.000000000 -0600 +++ samba-3.0.20/docs/htmldocs/manpages-3/swat.8.html 2005-08-19 12:57:22.000000000 -0500 @@ -0,0 +1,88 @@ +swat

Name

swat — Samba Web Administration Tool

Synopsis

swat [-s <smb config file>] [-a] [-P]

DESCRIPTION

This tool is part of the samba(7) suite.

swat allows a Samba administrator to + configure the complex smb.conf(5) file via a Web browser. In addition, + a swat configuration page has help links + to all the configurable options in the smb.conf file allowing an + administrator to easily look up the effects of any change.

swat is run from inetd

OPTIONS

-s smb configuration file

The default configuration file path is + determined at compile time. The file specified contains + the configuration details required by the smbd(8) server. This is the file + that swat will modify. + The information in this file includes server-specific + information such as what printcap file to use, as well as + descriptions of all the services that the server is to provide. + See smb.conf for more information. +

-a

This option disables authentication and puts + swat in demo mode. In that mode anyone will be able to modify + the smb.conf file.

WARNING: Do NOT enable this option on a production + server.

-P

This option restricts read-only users to the password + management page. swat can then be used to change + user passwords without users seeing the "View" and "Status" menu + buttons.

-V

Prints the program version number. +

-s <configuration file>

-d|--debug=debuglevel

debuglevel is an integer +from 0 to 10. The default value if this parameter is +not specified is zero.

Note that specifying this parameter here will +override the parameter +in the smb.conf file.

-l|--logfile=logdirectory

Base directory name for log/debug files. The extension +".progname" will be appended (e.g. log.smbclient, +log.smbd, etc...). The log file is never removed by the client. +

-h|--help

Print a summary of command line options. +

INSTALLATION

Swat is included as binary package with most distributions. The + package manager in this case takes care of the installation and + configuration. This section is only for those who have compiled + swat from scratch. +

After you compile SWAT you need to run make install + to install the swat binary + and the various help files and images. A default install would put + these in:

/usr/local/samba/sbin/swat
/usr/local/samba/swat/images/*
/usr/local/samba/swat/help/*

Inetd Installation

You need to edit your /etc/inetd.conf + and /etc/services + to enable SWAT to be launched via inetd.

In /etc/services you need to + add a line like this:

swat 901/tcp

Note for NIS/YP and LDAP users - you may need to rebuild the + NIS service maps rather than alter your local + /etc/services file.

the choice of port number isn't really important + except that it should be less than 1024 and not currently + used (using a number above 1024 presents an obscure security + hole depending on the implementation details of your + inetd daemon).

In /etc/inetd.conf you should + add a line like this:

swat stream tcp nowait.400 root + /usr/local/samba/sbin/swat swat

Once you have edited /etc/services + and /etc/inetd.conf you need to send a + HUP signal to inetd. To do this use kill -1 PID + where PID is the process ID of the inetd daemon.

LAUNCHING

To launch SWAT just run your favorite web browser and + point it at "http://localhost:901/".

Note that you can attach to SWAT from any IP connected + machine but connecting from a remote machine leaves your + connection open to password sniffing as passwords will be sent + in the clear over the wire.

FILES

/etc/inetd.conf: This file must contain suitable startup + information for the meta-daemon.
/etc/services: This file must contain a mapping of service name + (e.g., swat) to service port (e.g., 901) and protocol type + (e.g., tcp).
/usr/local/samba/lib/smb.conf: This is the default location of the smb.conf(5) server configuration file that swat edits. Other + common places that systems install this file are + /usr/samba/lib/smb.conf and /etc/smb.conf +. This file describes all the services the server + is to make available to clients.

WARNINGS

swat will rewrite your smb.conf(5) file. It will rearrange the entries and delete all + comments, include= and copy= + options. If you have a carefully crafted + smb.conf then back it up or don't use swat!

VERSION

This man page is correct for version 3.0 of the Samba suite.

AUTHOR

The original Samba man pages were written by Karl Auer. + The man page sources were converted to YODL format (another + excellent piece of Open Source software, available at + ftp://ftp.icce.rug.nl/pub/unix/) and updated for the Samba 2.0 + release by Jeremy Allison. The conversion to DocBook for + Samba 2.2 was done by Gerald Carter. The conversion to DocBook XML 4.2 for + Samba 3.0 was done by Alexander Bokovoy.

diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20rc2/docs/htmldocs/manpages-3/tdbbackup.8.html samba-3.0.20/docs/htmldocs/manpages-3/tdbbackup.8.html --- samba-3.0.20rc2/docs/htmldocs/manpages-3/tdbbackup.8.html 1969-12-31 18:00:00.000000000 -0600 +++ samba-3.0.20/docs/htmldocs/manpages-3/tdbbackup.8.html 2005-08-19 12:57:25.000000000 -0500 @@ -0,0 +1,36 @@ +tdbbackup

Name

tdbbackup — tool for backing up and for validating the integrity of samba .tdb files

Synopsis

tdbbackup [-s suffix] [-v] [-h]

DESCRIPTION

This tool is part of the samba(1) suite.

tdbbackup is a tool that may be used to backup samba .tdb + files. This tool may also be used to verify the integrity of the .tdb files prior + to samba startup or during normal operation. If it finds file damage and it finds + a prior backup the backup file will be restored. +

OPTIONS

-h: + Get help information. +
-s suffix: + The -s option allows the adminisistrator to specify a file + backup extension. This way it is possible to keep a history of tdb backup + files by using a new suffix for each backup. +
-v: + The -v will check the database for damages (currupt data) + which if detected causes the backup to be restored. +

COMMANDS

GENERAL INFORMATION

+ The tdbbackup utility can safely be run at any time. It was designed so + that it can be used at any time to validate the integrity of tdb files, even during Samba + operation. Typical usage for the command will be: +

tdbbackup [-s suffix] *.tdb

+ Before restarting samba the following command may be run to validate .tdb files: +

tdbbackup -v [-s suffix] *.tdb

+ Samba .tdb files are stored in various locations, be sure to run backup all + .tdb file on the system. Important files includes: +

+ secrets.tdb - usual location is in the /usr/local/samba/private + directory, or on some systems in /etc/samba. +
+ passdb.tdb - usual location is in the /usr/local/samba/private + directory, or on some systems in /etc/samba. +
+ *.tdb located in the /usr/local/samba/var directory or on some + systems in the /var/cache or /var/lib/samba directories. +

VERSION

This man page is correct for version 3.0 of the Samba suite.

AUTHOR

The tdbbackup man page was written by John H Terpstra.

diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20rc2/docs/htmldocs/manpages-3/tdbdump.8.html samba-3.0.20/docs/htmldocs/manpages-3/tdbdump.8.html --- samba-3.0.20rc2/docs/htmldocs/manpages-3/tdbdump.8.html 1969-12-31 18:00:00.000000000 -0600 +++ samba-3.0.20/docs/htmldocs/manpages-3/tdbdump.8.html 2005-08-19 12:57:29.000000000 -0500 @@ -0,0 +1,10 @@ +tdbdump

Name

tdbdump — tool for printing the contents of a TDB file

Synopsis

tdbdump {filename}

DESCRIPTION

This tool is part of the samba(1) suite.

tdbdump is a very simple utility that 'dumps' the + contents of a TDB (Trivial DataBase) file to standard output in a + human-readable format. +

This tool can be used when debugging problems with TDB files. It is + intended for those who are somewhat familiar with Samba internals. +

VERSION

This man page is correct for version 3.0 of the Samba suite.

AUTHOR

The tdbdump man page was written by Jelmer Vernooij.

diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20rc2/docs/htmldocs/manpages-3/testparm.1.html samba-3.0.20/docs/htmldocs/manpages-3/testparm.1.html --- samba-3.0.20rc2/docs/htmldocs/manpages-3/testparm.1.html 1969-12-31 18:00:00.000000000 -0600 +++ samba-3.0.20/docs/htmldocs/manpages-3/testparm.1.html 2005-08-19 12:57:33.000000000 -0500 @@ -0,0 +1,51 @@ +testparm

Name

testparm — check an smb.conf configuration file for + internal correctness

Synopsis

testparm [-s] [-h] [-v] [-L <servername>] [-t <encoding>] {config filename} [hostname hostIP]

DESCRIPTION

This tool is part of the samba(7) suite.

testparm is a very simple test program + to check an smbd(8) configuration file for + internal correctness. If this program reports no problems, you + can use the configuration file with confidence that smbd + will successfully load the configuration file.

Note that this is NOT a guarantee that + the services specified in the configuration file will be + available or will operate as expected.

If the optional host name and host IP address are + specified on the command line, this test program will run through + the service entries reporting whether the specified host + has access to each service.

If testparm finds an error in the + smb.conf file it returns an exit code of 1 to the calling + program, else it returns an exit code of 0. This allows shell scripts + to test the output from testparm.

OPTIONS

-s: Without this option, testparm + will prompt for a carriage return after printing the service + names and before dumping the service definitions.
-h|--help: Print a summary of command line options. +
-V: Prints the program version number. +
-L servername: Sets the value of the %L macro to servername. + This is useful for testing include files specified with the + %L macro.
-v: If this option is specified, testparm + will also output all options that were not used in smb.conf(5) and are thus set to their defaults.
-t encoding: + Output data in specified encoding. +
configfilename: This is the name of the configuration file + to check. If this parameter is not present then the + default smb.conf(5) file will be checked. +
hostname: If this parameter and the following are + specified, then testparm will examine the hosts + allow and hosts deny + parameters in the smb.conf(5) file to + determine if the hostname with this IP address would be + allowed access to the smbd server. If + this parameter is supplied, the hostIP parameter must also + be supplied.
hostIP: This is the IP address of the host specified + in the previous parameter. This address must be supplied + if the hostname parameter is supplied.

FILES

smb.conf(5): This is usually the name of the configuration + file used by smbd(8). +

DIAGNOSTICS

The program will issue a message saying whether the + configuration file loaded OK or not. This message may be preceded by + errors and warnings if the file did not load. If the file was + loaded OK, the program then dumps all known service details + to stdout.

VERSION

This man page is correct for version 3.0 of + the Samba suite.

AUTHOR

The original Samba man pages were written by Karl Auer. + The man page sources were converted to YODL format (another + excellent piece of Open Source software, available at + ftp://ftp.icce.rug.nl/pub/unix/) and updated for the Samba 2.0 + release by Jeremy Allison. The conversion to DocBook for + Samba 2.2 was done by Gerald Carter. The conversion to DocBook XML 4.2 + for Samba 3.0 was done by Alexander Bokovoy.

diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20rc2/docs/htmldocs/manpages-3/testprns.1.html samba-3.0.20/docs/htmldocs/manpages-3/testprns.1.html --- samba-3.0.20rc2/docs/htmldocs/manpages-3/testprns.1.html 1969-12-31 18:00:00.000000000 -0600 +++ samba-3.0.20/docs/htmldocs/manpages-3/testprns.1.html 2005-08-19 12:57:37.000000000 -0500 @@ -0,0 +1,38 @@ +testprns

Name

testprns — check printer name for validity with smbd

Synopsis

testprns {printername} [printcapname]

DESCRIPTION

This tool is part of the samba(7) suite.

testprns is a very simple test program + to determine whether a given printer name is valid for use in + a service to be provided by smbd(8).

"Valid" in this context means "can be found in the + printcap specified". This program is very stupid - so stupid in + fact that it would be wisest to always specify the printcap file + to use.

OPTIONS

printername

The printer name to validate.

Printer names are taken from the first field in each + record in the printcap file, single printer names and sets + of aliases separated by vertical bars ("|") are recognized. + Note that no validation or checking of the printcap syntax is + done beyond that required to extract the printer name. It may + be that the print spooling system is more forgiving or less + forgiving than testprns. However, if + testprns finds the printer then smbd(8) should do so as well.

printcapname

This is the name of the printcap file within + which to search for the given printer name.

If no printcap name is specified testprns + will attempt to scan the printcap file name + specified at compile time.

FILES

/etc/printcap: This is usually the default printcap + file to scan. See printcap (5). +

DIAGNOSTICS

If a printer is found to be valid, the message + "Printer name <printername> is valid" will be + displayed.

If a printer is found to be invalid, the message + "Printer name <printername> is not valid" will be + displayed.

All messages that would normally be logged during + operation of the Samba daemons are logged by this program to the + file test.log in the current directory. The + program runs at debuglevel 3, so quite extensive logging + information is written. The log should be checked carefully + for errors and warnings.

Other messages are self-explanatory.

VERSION

This man page is correct for version 3.0 of + the Samba suite.

AUTHOR

The original Samba man pages were written by Karl Auer. + The man page sources were converted to YODL format (another + excellent piece of Open Source software, available at + ftp://ftp.icce.rug.nl/pub/unix/) and updated for the Samba 2.0 + release by Jeremy Allison. The conversion to DocBook for + Samba 2.2 was done by Gerald Carter. The conversion to DocBook XML 4.2 + for Samba 3.0 was done by Alexander Bokovoy.

diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20rc2/docs/htmldocs/manpages-3/umount.cifs.8.html samba-3.0.20/docs/htmldocs/manpages-3/umount.cifs.8.html --- samba-3.0.20rc2/docs/htmldocs/manpages-3/umount.cifs.8.html 1969-12-31 18:00:00.000000000 -0600 +++ samba-3.0.20/docs/htmldocs/manpages-3/umount.cifs.8.html 2005-08-19 12:57:41.000000000 -0500 @@ -0,0 +1,35 @@ +umount.cifs

Name

umount.cifs — for normal, non-root users, to unmount their own Common Internet File System (CIFS) mounts

Synopsis

umount.cifs {mount-point} [-nVvhfle]

DESCRIPTION

This tool is part of the samba(7) suite.

umount.cifs unmounts a Linux CIFS filesystem. It can be invoked +indirectly by the +umount(8) command +when umount.cifs is in /sbin directory, unless you specify the "-i" option to umount. Specifying -i to umount avoids execution of umount helpers such as umount.cifs. The umount.cifs command only works in Linux, and the kernel must +support the cifs filesystem. The CIFS protocol is the successor to the +SMB protocol and is supported by most Windows servers and many other +commercial servers and Network Attached Storage appliances as well as +by the popular Open Source server Samba. +

+ The umount.cifs utility detaches the local directory mount-point from the corresponding UNC name (exported network resource) and frees the associated kernel resources. +It is possible to set the mode for umount.cifs to +setuid root (or equivalently update the /etc/permissions file) to allow non-root users to umount shares to directories for which they have write permission. The umount.cifs utility is typically +not needed if unmounts need only be performed by root users, or if user mounts and unmounts +can rely on specifying explicit entries in /etc/fstab See

fstab(5)

OPTIONS

--verbose: print additional debugging information
--no-mtab: Do not update the mtab even if unmount completes successfully (/proc/mounts will still display the correct information)

NOTES

CONFIGURATION

BUGS

+Note that the typical response to a bug report is a suggestion +to try the latest version first. So please try doing that first, +and always include which versions you use of relevant software +when reporting bugs (minimum: umount.cifs (try umount.cifs -V), kernel (see /proc/version) and +server type you are trying to contact. +

VERSION

This man page is correct for version 1.34 of + the cifs vfs filesystem (roughly Linux kernel 2.6.12).

AUTHOR

Steve French

The syntax was loosely based on the umount utility and the manpage was loosely based on that of mount.cifs.8. The man page was created by Steve French

The maintainer of the Linux cifs vfs and the userspace + tool umount.cifs is Steve French. + The Linux CIFS Mailing list + is the preferred place to ask questions regarding these programs. +

diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20rc2/docs/htmldocs/manpages-3/vfstest.1.html samba-3.0.20/docs/htmldocs/manpages-3/vfstest.1.html --- samba-3.0.20rc2/docs/htmldocs/manpages-3/vfstest.1.html 1969-12-31 18:00:00.000000000 -0600 +++ samba-3.0.20/docs/htmldocs/manpages-3/vfstest.1.html 2005-08-19 12:57:45.000000000 -0500 @@ -0,0 +1,41 @@ +vfstest

Name

vfstest — tool for testing samba VFS modules

Synopsis

vfstest [-d debuglevel] [-c command] [-l logdir] [-h]

DESCRIPTION

This tool is part of the samba(7) suite.

vfstest is a small command line + utility that has the ability to test dso samba VFS modules. It gives the + user the ability to call the various VFS functions manually and + supports cascaded VFS modules. +

OPTIONS

-c|--command=command

Execute the specified (colon-separated) commands. + See below for the commands that are available. +

-h|--help

Print a summary of command line options. +

-l|--logfile=logbasename

File name for log/debug files. The extension + '.client' will be appended. The log file is never removed + by the client. +

-V

Prints the program version number. +

-s <configuration file>

-d|--debug=debuglevel

debuglevel is an integer +from 0 to 10. The default value if this parameter is +not specified is zero.

Note that specifying this parameter here will +override the parameter +in the smb.conf file.

-l|--logfile=logdirectory

Base directory name for log/debug files. The extension +".progname" will be appended (e.g. log.smbclient, +log.smbd, etc...). The log file is never removed by the client. +

COMMANDS

VFS COMMANDS

load <module.so> - Load specified VFS module
populate <char> <size> - Populate a data buffer with the specified data +
showdata [<offset> <len>] - Show data currently in data buffer +
connect - VFS connect()
disconnect - VFS disconnect()
disk_free - VFS disk_free()
opendir - VFS opendir()
readdir - VFS readdir()
mkdir - VFS mkdir()
rmdir - VFS rmdir()
closedir - VFS closedir()
open - VFS open()
close - VFS close()
read - VFS read()
write - VFS write()
lseek - VFS lseek()
rename - VFS rename()
fsync - VFS fsync()
stat - VFS stat()
fstat - VFS fstat()
lstat - VFS lstat()
unlink - VFS unlink()
chmod - VFS chmod()
fchmod - VFS fchmod()
chown - VFS chown()
fchown - VFS fchown()
chdir - VFS chdir()
getwd - VFS getwd()
utime - VFS utime()
ftruncate - VFS ftruncate()
lock - VFS lock()
symlink - VFS symlink()
readlink - VFS readlink()
link - VFS link()
mknod - VFS mknod()
realpath - VFS realpath()

GENERAL COMMANDS

conf <smb.conf> - Load a different configuration file
help [<command>] - Get list of commands or info about specified command
debuglevel <level> - Set debug level
freemem - Free memory currently in use
exit - Exit vfstest

VERSION

This man page is correct for version 3.0 of the Samba + suite.

AUTHOR

The vfstest man page was written by Jelmer Vernooij.

diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20rc2/docs/htmldocs/manpages-3/wbinfo.1.html samba-3.0.20/docs/htmldocs/manpages-3/wbinfo.1.html --- samba-3.0.20rc2/docs/htmldocs/manpages-3/wbinfo.1.html 1969-12-31 18:00:00.000000000 -0600 +++ samba-3.0.20/docs/htmldocs/manpages-3/wbinfo.1.html 2005-08-19 12:57:48.000000000 -0500 @@ -0,0 +1,86 @@ +wbinfo

Name

wbinfo — Query information from winbind daemon

Synopsis

DESCRIPTION

This tool is part of the samba(7) suite.

The wbinfo program queries and returns information + created and used by the winbindd(8) daemon.

The winbindd(8) daemon must be configured + and running for the wbinfo program to be able + to return information.

OPTIONS

-a username%password: Attempt to authenticate a user via winbindd. + This checks both authenticaion methods and reports its results. +
Note
Do not be tempted to use this + functionality for authentication in third-party + applications. Instead use ntlm_auth(1).
-c user: Create a local winbind user. +
-C group: Create a local winbindd group. +
--domain name: This parameter sets the domain on which any specified + operations will performed. If special domain name '.' is used to represent + the current domain to which winbindd belongs. Currently only the + --sequence, + -u, and -g options honor this parameter. +
-g: This option will list all groups available + in the Windows NT domain for which the samba(7) daemon is operating in. Groups in all trusted domains + will also be listed. Note that this operation does not assign + group ids to any groups that have not already been + seen by winbindd(8).
--get-auth-user: Print username and password used by winbindd + during session setup to a domain controller. Username + and password can be set using '-A'. Only available for + root.
-G gid: Try to convert a UNIX group id to a Windows + NT SID. If the gid specified does not refer to one within + the idmap gid range then the operation will fail.
-I ip: The -I option + queries winbindd(8) to send a node status + request to get the NetBIOS name associated with the IP address + specified by the ip parameter. +
-m: Produce a list of domains trusted by the + Windows NT server winbindd(8) contacts + when resolving names. This list does not include the Windows + NT domain the server is a Primary Domain Controller for. +
-n name: The -n option + queries winbindd(8) for the SID + associated with the name specified. Domain names can be specified + before the user name by using the winbind separator character. + For example CWDOM1/Administrator refers to the Administrator + user in the domain CWDOM1. If no domain is specified then the + domain used is the one specified in the smb.conf(5) workgroup + parameter.
-N name: The -N option + queries winbindd(8) to query the WINS + server for the IP address associated with the NetBIOS name + specified by the name parameter. +
-o user:group: Add a winbindd local group as a secondary group + for the specified winbindd local user. +
-O user:group: Remove a winbindd local group as a secondary group + for the specified winbindd local user. +
-p: Check whether winbindd is still alive. + Prints out either 'succeeded' or 'failed'. +
-r username: Try to obtain the list of UNIX group ids + to which the user belongs. This only works for users + defined on a Domain Controller. +
-s sid: Use -s to resolve + a SID to a name. This is the inverse of the -n + option above. SIDs must be specified as ASCII strings + in the traditional Microsoft format. For example, + S-1-5-21-1455342024-3071081365-2475485837-500.
--set-auth-user username%password: Store username and password used by winbindd + during session setup to a domain controller. This enables + winbindd to operate in a Windows 2000 domain with Restrict + Anonymous turned on (a.k.a. Permissions compatiable with + Windows 2000 servers only). +
--sequence: Show sequence numbers of + all known domains
-S sid: Convert a SID to a UNIX user id. If the SID + does not correspond to a UNIX user mapped by winbindd(8) then the operation will fail.
-t: Verify that the workstation trust account + created when the Samba server is added to the Windows NT + domain is working.
-u: This option will list all users available + in the Windows NT domain for which the winbindd(8) daemon is operating in. Users in all trusted domains + will also be listed. Note that this operation does not assign + user ids to any users that have not already been seen by winbindd(8) + .
-U uid: Try to convert a UNIX user id to a Windows NT + SID. If the uid specified does not refer to one within + the idmap uid range then the operation will fail.
-x user: Delete an existing local winbind user. +
-X group: Delete an existing local winbindd group. +
-Y sid: Convert a SID to a UNIX group id. If the SID + does not correspond to a UNIX group mapped by winbindd(8) then + the operation will fail.
-V: Prints the program version number. +
-h|--help: Print a summary of command line options. +

EXIT STATUS

The wbinfo program returns 0 if the operation + succeeded, or 1 if the operation failed. If the winbindd(8) daemon is not working wbinfo will always return + failure.

VERSION

This man page is correct for version 3.0 of + the Samba suite.

AUTHOR

wbinfo and winbindd + were written by Tim Potter.

The conversion to DocBook for Samba 2.2 was done + by Gerald Carter. The conversion to DocBook XML 4.2 for Samba + 3.0 was done by Alexander Bokovoy.

diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20rc2/docs/htmldocs/manpages-3/winbindd.8.html samba-3.0.20/docs/htmldocs/manpages-3/winbindd.8.html --- samba-3.0.20rc2/docs/htmldocs/manpages-3/winbindd.8.html 1969-12-31 18:00:00.000000000 -0600 +++ samba-3.0.20/docs/htmldocs/manpages-3/winbindd.8.html 2005-08-19 12:57:51.000000000 -0500 @@ -0,0 +1,229 @@ +winbindd

Name

winbindd — Name Service Switch daemon for resolving names + from NT servers

Synopsis

winbindd [-F] [-S] [-i] [-Y] [-d <debug level>] [-s <smb config file>] [-n]

DESCRIPTION

This program is part of the samba(7) suite.

winbindd is a daemon that provides + a number of services to the Name Service Switch capability found + in most modern C libraries, to arbitary applications via PAM + and ntlm_auth and to Samba itself.

Even if winbind is not used for nsswitch, it still provides a + service to smbd, ntlm_auth + and the pam_winbind.so PAM module, by managing connections to + domain controllers. In this configuraiton the + idmap uid and + idmap gid + parameters are not required. (This is known as `netlogon proxy only mode'.)

The Name Service Switch allows user + and system information to be obtained from different databases + services such as NIS or DNS. The exact behaviour can be configured + throught the /etc/nsswitch.conf file. + Users and groups are allocated as they are resolved to a range + of user and group ids specified by the administrator of the + Samba system.

The service provided by winbindd is called `winbind' and + can be used to resolve user and group information from a + Windows NT server. The service can also provide authentication + services via an associated PAM module.

+ The pam_winbind module supports the + auth, account + and password + module-types. It should be noted that the + account module simply performs a getpwnam() to verify that + the system can obtain a uid for the user, as the domain + controller has already performed access control. If the + libnss_winbind library has been correctly + installed, or an alternate source of names configured, this should always succeed. +

The following nsswitch databases are implemented by + the winbindd service:

hosts: This feature is only available on IRIX. + User information traditionally stored in + the hosts(5) file and used by + gethostbyname(3) functions. Names are + resolved through the WINS server or by broadcast. +
passwd: User information traditionally stored in + the passwd(5) file and used by + getpwent(3) functions.
group: Group information traditionally stored in + the group(5) file and used by + getgrent(3) functions.

For example, the following simple configuration in the + /etc/nsswitch.conf file can be used to initially + resolve user and group information from /etc/passwd + and /etc/group and then from the + Windows NT server. +

+passwd:         files winbind
+group:          files winbind
+## only available on IRIX; Linux users should us libnss_wins.so
+hosts:          files dns winbind
+

The following simple configuration in the + /etc/nsswitch.conf file can be used to initially + resolve hostnames from /etc/hosts and then from the + WINS server.

+hosts:		files wins
+

OPTIONS

-F

If specified, this parameter causes + the main winbindd process to not daemonize, + i.e. double-fork and disassociate with the terminal. + Child processes are still created as normal to service + each connection request, but the main process does not + exit. This operation mode is suitable for running + winbindd under process supervisors such + as supervise and svscan + from Daniel J. Bernstein's daemontools + package, or the AIX process monitor. +

-S

If specified, this parameter causes + winbindd to log to standard output rather + than a file.

-V

Prints the program version number. +

-s <configuration file>

-d|--debug=debuglevel

debuglevel is an integer +from 0 to 10. The default value if this parameter is +not specified is zero.

Note that specifying this parameter here will +override the parameter +in the smb.conf file.

-l|--logfile=logdirectory

Base directory name for log/debug files. The extension +".progname" will be appended (e.g. log.smbclient, +log.smbd, etc...). The log file is never removed by the client. +

-h|--help

Print a summary of command line options. +

-i

Tells winbindd to not + become a daemon and detach from the current terminal. This + option is used by developers when interactive debugging + of winbindd is required. + winbindd also logs to standard output, + as if the -S parameter had been given. +

-n

Disable caching. This means winbindd will + always have to wait for a response from the domain controller + before it can respond to a client and this thus makes things + slower. The results will however be more accurate, since + results from the cache might not be up-to-date. This + might also temporarily hang winbindd if the DC doesn't respond. +

-Y

Single daemon mode. This means winbindd will run + as a single process (the mode of operation in Samba 2.2). Winbindd's + default behavior is to launch a child process that is responsible for + updating expired cache entries. +

NAME AND ID RESOLUTION

Users and groups on a Windows NT server are assigned + a security id (SID) which is globally unique when the + user or group is created. To convert the Windows NT user or group + into a unix user or group, a mapping between SIDs and unix user + and group ids is required. This is one of the jobs that + winbindd performs.

As winbindd users and groups are resolved from a server, user + and group ids are allocated from a specified range. This + is done on a first come, first served basis, although all existing + users and groups will be mapped as soon as a client performs a user + or group enumeration command. The allocated unix ids are stored + in a database file under the Samba lock directory and will be + remembered.

WARNING: The SID to unix id database is the only location + where the user and group mappings are stored by winbindd. If this + file is deleted or corrupted, there is no way for winbindd to + determine which user and group ids correspond to Windows NT user + and group rids.

See the parameter in + smb.conf for options for sharing this + database, such as via LDAP.

CONFIGURATION

Configuration of the winbindd daemon + is done through configuration parameters in the smb.conf(5) file. All parameters should be specified in the + [global] section of smb.conf.

+ winbind separator
+ idmap uid
+ idmap gid
+ idmap backend
+ winbind cache time
+ winbind enum users
+ winbind enum groups
+ template homedir
+ template shell
+ winbind use default domain

EXAMPLE SETUP

+ To setup winbindd for user and group lookups plus + authentication from a domain controller use something like the + following setup. This was tested on an early Red Hat Linux box. +

In /etc/nsswitch.conf put the + following: +

+passwd: files winbind
+group:  files winbind
+

In /etc/pam.d/* replace the + auth lines with something like this: +

+auth  required    /lib/security/pam_securetty.so
+auth  required	  /lib/security/pam_nologin.so
+auth  sufficient  /lib/security/pam_winbind.so
+auth  required    /lib/security/pam_pwdb.so \
+                  use_first_pass shadow nullok
+

Note in particular the use of the sufficient + keyword and the use_first_pass keyword.

Now replace the account lines with this:

account required /lib/security/pam_winbind.so +

The next step is to join the domain. To do that use the + net program like this:

net join -S PDC -U Administrator

The username after the -U can be any + Domain user that has administrator privileges on the machine. + Substitute the name or IP of your PDC for "PDC".

Next copy libnss_winbind.so to + /lib and pam_winbind.so + to /lib/security. A symbolic link needs to be + made from /lib/libnss_winbind.so to + /lib/libnss_winbind.so.2. If you are using an + older version of glibc then the target of the link should be + /lib/libnss_winbind.so.1.

Finally, setup a smb.conf(5) containing directives like the + following: +

+[global]
+	winbind separator = +
+        winbind cache time = 10
+        template shell = /bin/bash
+        template homedir = /home/%D/%U
+        idmap uid = 10000-20000
+        idmap gid = 10000-20000
+        workgroup = DOMAIN
+        security = domain
+        password server = *
+

Now start winbindd and you should find that your user and + group database is expanded to include your NT users and groups, + and that you can login to your unix box as a domain user, using + the DOMAIN+user syntax for the username. You may wish to use the + commands getent passwd and getent group + to confirm the correct operation of winbindd.

NOTES

The following notes are useful when configuring and + running winbindd:

nmbd(8) must be running on the local machine + for winbindd to work.

PAM is really easy to misconfigure. Make sure you know what + you are doing when modifying PAM configuration files. It is possible + to set up PAM such that you can no longer log into your system.

If more than one UNIX machine is running winbindd, + then in general the user and groups ids allocated by winbindd will not + be the same. The user and group ids will only be valid for the local + machine, unless a shared is configured.

If the the Windows NT SID to UNIX user and group id mapping + file is damaged or destroyed then the mappings will be lost.

SIGNALS

The following signals can be used to manipulate the + winbindd daemon.

SIGHUP

Reload the smb.conf(5) file and + apply any parameter changes to the running + version of winbindd. This signal also clears any cached + user and group information. The list of other domains trusted + by winbindd is also reloaded.

SIGUSR2

The SIGUSR2 signal will cause + winbindd to write status information to the winbind + log file.

Log files are stored in the filename specified by the + log file parameter.

FILES

/etc/nsswitch.conf(5): Name service switch configuration file.
/tmp/.winbindd/pipe: The UNIX pipe over which clients communicate with + the winbindd program. For security reasons, the + winbind client will only attempt to connect to the winbindd daemon + if both the /tmp/.winbindd directory + and /tmp/.winbindd/pipe file are owned by + root.
$LOCKDIR/winbindd_privileged/pipe: The UNIX pipe over which 'privileged' clients + communicate with the winbindd program. For security + reasons, access to some winbindd functions - like those needed by + the ntlm_auth utility - is restricted. By default, + only users in the 'root' group will get this access, however the administrator + may change the group permissions on $LOCKDIR/winbindd_privileged to allow + programs like 'squid' to use ntlm_auth. + Note that the winbind client will only attempt to connect to the winbindd daemon + if both the $LOCKDIR/winbindd_privileged directory + and $LOCKDIR/winbindd_privileged/pipe file are owned by + root.
/lib/libnss_winbind.so.X: Implementation of name service switch library. +
$LOCKDIR/winbindd_idmap.tdb: Storage for the Windows NT rid to UNIX user/group + id mapping. The lock directory is specified when Samba is initially + compiled using the --with-lockdir option. + This directory is by default /usr/local/samba/var/locks +.
$LOCKDIR/winbindd_cache.tdb: Storage for cached user and group information. +

VERSION

This man page is correct for version 3.0 of + the Samba suite.

AUTHOR

wbinfo and winbindd were + written by Tim Potter.

The conversion to DocBook for Samba 2.2 was done + by Gerald Carter. The conversion to DocBook XML 4.2 for + Samba 3.0 was done by Alexander Bokovoy.

diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20rc2/docs/htmldocs/Samba3-HOWTO/AccessControls.html samba-3.0.20/docs/htmldocs/Samba3-HOWTO/AccessControls.html --- samba-3.0.20rc2/docs/htmldocs/Samba3-HOWTO/AccessControls.html 2005-08-07 11:24:57.000000000 -0500 +++ samba-3.0.20/docs/htmldocs/Samba3-HOWTO/AccessControls.html 2005-08-19 13:03:31.000000000 -0500 @@ -1,59 +1,59 @@ -Chapter 15. File, Directory, and Share Access Controls

Chapter 15. File, Directory, and Share Access Controls
Prev	Part III. Advanced Configuration	Next

Chapter 15. File, Directory, and Share Access Controls

John H. Terpstra

Samba Team

<jht@samba.org>

Jeremy Allison

Samba Team

<jra@samba.org>

Jelmer R. Vernooij

drawing

The Samba Team

<jelmer@samba.org>

May 10, 2003

Table of Contents

Features and Benefits

File System Access Controls

MS Windows NTFS Comparison with UNIX File Systems
Managing Directories
File and Directory Access Control

Share Definition Access Controls

User- and Group-Based Controls
File and Directory Permissions-Based Controls
Miscellaneous Controls

Access Controls on Shares

Share Permissions Management

MS Windows Access Control Lists and UNIX Interoperability

Managing UNIX Permissions Using NT Security Dialogs
Viewing File Security on a Samba Share
Viewing File Ownership
Viewing File or Directory Permissions
Modifying File or Directory Permissions
Interaction with the Standard Samba “create mask” Parameters
Interaction with the Standard Samba File Attribute Mapping
Windows NT/200X ACLs and POSIX ACLs Limitations

Common Errors

Users Cannot Write to a Public Share
File Operations Done as root with force user Set
MS Word with Samba Changes Owner of File

- - - - +Chapter 15. File, Directory, and Share Access Controls

Chapter 15. File, Directory, and Share Access Controls
Prev	Part III. Advanced Configuration	Next

Chapter 15. File, Directory, and Share Access Controls

John H. Terpstra

Samba Team

<jht@samba.org>

Jeremy Allison

Samba Team

<jra@samba.org>

Jelmer R. Vernooij

drawing

The Samba Team

<jelmer@samba.org>

May 10, 2003

Table of Contents

Features and Benefits

File System Access Controls

MS Windows NTFS Comparison with UNIX File Systems
Managing Directories
File and Directory Access Control

Share Definition Access Controls

User- and Group-Based Controls
File and Directory Permissions-Based Controls
Miscellaneous Controls

Access Controls on Shares

Share Permissions Management

MS Windows Access Control Lists and UNIX Interoperability

Managing UNIX Permissions Using NT Security Dialogs
Viewing File Security on a Samba Share
Viewing File Ownership
Viewing File or Directory Permissions
Modifying File or Directory Permissions
Interaction with the Standard Samba “create mask” Parameters
Interaction with the Standard Samba File Attribute Mapping
Windows NT/200X ACLs and POSIX ACLs Limitations

Common Errors

Users Cannot Write to a Public Share
File Operations Done as root with force user Set
MS Word with Samba Changes Owner of File

+ + + + Advanced MS Windows users are frequently perplexed when file, directory, and share manipulation of resources shared via Samba do not behave in the manner they might expect. MS Windows network administrators are often confused regarding network access controls and how to provide users with the access they need while protecting resources from unauthorized access.

- - + + Many UNIX administrators are unfamiliar with the MS Windows environment and in particular have difficulty in visualizing what the MS Windows user wishes to achieve in attempts to set file and directory access permissions.

- - - - + + + + The problem lies in the differences in how file and directory permissions and controls work between the two environments. This difference is one that Samba cannot completely hide, even though it does try to bridge the chasm to a degree.

- - - - + + + + POSIX Access Control List technology has been available (along with extended attributes) for UNIX for many years, yet there is little evidence today of any significant use. This explains to some extent the slow adoption of ACLs into commercial Linux products. MS Windows administrators are astounded at this, given that ACLs were a foundational capability of the now decade-old MS Windows NT operating system.

- + The purpose of this chapter is to present each of the points of control that are possible with Samba-3 in the hope that this will help the network administrator to find the optimum method for delivering the best environment for MS Windows desktop users.

- - + + This is an opportune point to mention that Samba was created to provide a means of interoperability and interchange of data between differing operating environments. Samba has no intent to change UNIX/Linux into a platform like MS Windows. Instead the purpose was and is to provide a sufficient level of exchange of data between the two environments. What is available today extends well beyond early plans and expectations, yet the gap continues to shrink. -

Features and Benefits

Samba offers much flexibility in file system access management. These are the key access control facilities present in Samba today:

Samba Access Control Facilities

- + UNIX File and Directory Permissions
- - - + + + Samba honors and implements UNIX file system access controls. Users who access a Samba server will do so as a particular MS Windows user. This information is passed to the Samba server as part of the logon or @@ -64,7 +64,7 @@
Samba Share Definitions
- + In configuring share settings and controls in the smb.conf file, the network administrator can exercise overrides to native file system permissions and behaviors. This can be handy and convenient @@ -73,20 +73,20 @@ The basic options and techniques are described herein.
Samba Share ACLs - +
- + Just as it is possible in MS Windows NT to set ACLs on shares themselves, so it is possible to do in Samba. Few people make use of this facility, yet it remains one of the easiest ways to affect access controls (restrictions) and can often do so with minimum invasiveness compared with other methods.
- - + + MS Windows ACLs through UNIX POSIX ACLs
- + The use of POSIX ACLs on UNIX/Linux is possible only if the underlying operating system supports them. If not, then this option will not be available to you. Current UNIX technology platforms have native support @@ -94,16 +94,16 @@ this support. Sadly, few Linux platforms ship today with native ACLs and extended attributes enabled. This chapter has pertinent information for users of platforms that support them. -

File System Access Controls

Perhaps the most important recognition to be made is the simple fact that MS Windows NT4/200x/XP implement a totally divergent file system technology from what is provided in the UNIX operating system environment. First we consider what the most significant differences are, then we look at how Samba helps to bridge the differences. -

MS Windows NTFS Comparison with UNIX File Systems

- - - - +

MS Windows NTFS Comparison with UNIX File Systems

+ + + + Samba operates on top of the UNIX file system. This means it is subject to UNIX file system conventions and permissions. It also means that if the MS Windows networking environment requires file system behavior, that differs from UNIX file system behavior then somehow Samba is responsible for emulating @@ -114,7 +114,7 @@ but for the greater part we stay within the bounds of default behavior. Those wishing to explore the depths of control ability should review the smb.conf man page.

The following compares file system features for UNIX with those of MS Windows NT/200x: - +

Name Space

MS Windows NT4/200x/XP file names may be up to 254 characters long, and UNIX file names @@ -123,8 +123,8 @@

What MS Windows calls a folder, UNIX calls a directory.

Case Sensitivity

- - + + MS Windows file names are generally uppercase if made up of 8.3 (8-character file name and 3 character extension. File names that are longer than 8.3 are case preserving and case insensitive. @@ -151,26 +151,26 @@ event that the UNIX directory contains multiple files that would match a case insensitive file listing.

Directory Separators

- + MS Windows and DOS use the backslash \ as a directory delimiter, and UNIX uses the forward-slash / as its directory delimiter. This is handled transparently by Samba.

Drive Identification

- + MS Windows products support a notion of drive letters, like C:, to represent disk partitions. UNIX has no concept of separate identifiers for file partitions; each such file system is mounted to become part of the overall directory tree. The UNIX directory tree begins at / just as the root of a DOS drive is specified as C:\.

File Naming Conventions

- + MS Windows generally never experiences file names that begin with a dot (.), while in UNIX these are commonly found in a user's home directory. Files that begin with a dot (.) are typically startup files for various UNIX applications, or they may be files that contain startup configuration data.

Links and Short-Cuts

- - - + + + MS Windows make use of links and shortcuts that are actually special types of files that will redirect an attempt to execute the file to the real location of the file. UNIX knows of file and directory links, but they are entirely different from what MS Windows users are used to. @@ -183,17 +183,17 @@ There are many other subtle differences that may cause the MS Windows administrator some temporary discomfort in the process of becoming familiar with UNIX/Linux. These are best left for a text that is dedicated to the purpose of UNIX/Linux training and education. -

Managing Directories

- - - +

Managing Directories

+ + + There are three basic operations for managing directories: create, delete, rename. Managing Directories with UNIX and Windows compares the commands in Windows and UNIX that implement these operations. -

Table 15.1. Managing Directories with UNIX and Windows

Action	MS Windows Command	UNIX Command
create	md folder	mkdir folder
delete	rd folder	rmdir folder
rename	rename oldname newname	mv oldname newname

File and Directory Access Control

- - - +

Table 15.1. Managing Directories with UNIX and Windows

Action	MS Windows Command	UNIX Command
create	md folder	mkdir folder
delete	rd folder	rmdir folder
rename	rename oldname newname	mv oldname newname

File and Directory Access Control

+ + + The network administrator is strongly advised to read basic UNIX training manuals and reference materials regarding file and directory permissions maintenance. Much can be achieved with the basic UNIX permissions without having to resort to more complex facilities like POSIX ACLs or extended attributes (EAs). @@ -226,47 +226,47 @@

Figure 15.1. Overview of UNIX permissions field.

Any bit flag may be unset. An unset bit flag is the equivalent of "cannot" and is represented as a “-” character (see ???) - - - - - - + + + + + +

Example 15.1. Example File

 -rwxr-x---   Means: 
  ^^^                The owner (user) can read, write, execute
     ^^^             the group can read and execute
        ^^^          everyone else cannot do anything with it.

- - - - + + + + Additional possibilities in the [type] field are c = character device, b = block device, p = pipe device, s = UNIX Domain Socket.

- - - - - + + + + + The letters rwxXst set permissions for the user, group, and others as read (r), write (w), execute (or access for directories) (x), execute only if the file is a directory or already has execute permission for some user (X), set user (SUID) or group ID (SGID) on execution (s), sticky (t).

- - - - + + + + When the sticky bit is set on a directory, files in that directory may be unlinked (deleted) or renamed only by root or their owner. Without the sticky bit, anyone able to write to the directory can delete or rename files. The sticky bit is commonly found on directories, such as /tmp, that are world-writable.

- - - - - + + + + + When the set user or group ID bit (s) is set on a directory, then all files created within it will be owned by the user and/or group whose `set user or group' bit is set. This can be helpful in setting up directories for which it is desired that all users who are in a group should be able to write to and read from a file, particularly when it is undesirable for that file @@ -276,11 +276,11 @@ the (r) read flags are not set, files cannot be listed (seen) in the directory by anyone. The group can read files in the directory but cannot create new files. If files in the directory are set to be readable and writable for the group, then group members will be able to write to (or delete) them. -

Protecting Directories and Files from Deletion

- - - - +

Protecting Directories and Files from Deletion

+ + + + People have asked on the Samba mailing list how is it possible to protect files or directories from deletion by users. For example, Windows NT/2K/XP provides the capacity to set access controls on a directory into which people can write files but not delete them. It is possible to set an ACL on a Windows file that permits the file to be written to @@ -288,27 +288,27 @@ anyone who has the ability to create a file can write to it. Anyone who has write permission on the directory that contains a file and has write permission for it has the capability to delete it.

- - - + + + For the record, in the UNIX environment the ability to delete a file is controlled by the permissions on the directory that the file is in. In other words, a user can delete a file in a directory to which that user has write access, even if that user does not own the file.

- - - - + + + + Of necessity, Samba is subject to the file system semantics of the host operating system. Samba is therefore limited in the file system capabilities that can be made available through Windows ACLs, and therefore performs a "best fit" translation to POSIX ACLs. Some UNIX file systems do, however support, a feature known as extended attributes. Only the Windows concept of inheritance is implemented by Samba through the appropriate extended attribute.

- - - - + + + + The specific semantics of the extended attributes are not consistent across UNIX and UNIX-like systems such as Linux. For example, it is possible on some implementations of the extended attributes to set a flag that prevents the directory or file from being deleted. The extended attribute that may achieve this is called the immutible bit. @@ -322,7 +322,7 @@

A simple test can be done to check if the immutible flag is supported on files in the file system of the Samba host server. -

Procedure 15.1. Test for File Immutibility Support

+
Procedure 15.1. Test for File Immutibility Support
1. Create a file called filename.
2. Login as the root user, then set the immutibile flag on a test file as follows: @@ -340,17 +340,17 @@ that cannot be deleted. Check the man page on your particular host system to determine whether or not immutable directories are writable. If they are not, then the entire directory and its contents will effectively be protected from writing (file creation also) and deletion. -

Share Definition Access Controls

- +

Share Definition Access Controls

+ The following parameters in the smb.conf file sections define a share control or affect access controls. Before using any of the following options, please refer to the man page for smb.conf. -

User- and Group-Based Controls

User- and group-based controls can prove quite useful. In some situations it is distinctly desirable to force all file system operations as if a single user were doing so. The use of the - force user and force group behavior will achieve this. + force user and force group behavior will achieve this. In other situations it may be necessary to use a paranoia level of control to ensure that only particular authorized persons will be able to access a share or its contents. Here the use of the - valid users or the invalid users parameter may be useful. + valid users or the invalid users parameter may be useful.

As always, it is highly advisable to use the easiest to maintain and the least ambiguous method for controlling access. Remember, when you leave the scene, someone else will need to provide assistance, and @@ -358,34 +358,34 @@ Samba being removed and an alternative solution being adopted.

User and Group Based Controls enumerates these controls. -

Table 15.2. User- and Group-Based Controls

Control Parameter Description, Action, Notes

admin users

Table 15.2. User- and Group-Based Controls

Control Parameter	Description, Action, Notes
admin users	List of users who will be granted administrative privileges on the share. They will do all file operations as the superuser (root). Users in this list will be able to do anything they like on the share, irrespective of file permissions. -
force group	+
force group	Specifies a UNIX group name that will be assigned as the default primary group for all users connecting to this service. -
force user	+
force user	Specifies a UNIX username that will be assigned as the default user for all users connecting to this service. This is useful for sharing files. Incorrect use can cause security problems. -
guest ok	+
guest ok	If this parameter is set for a service, then no password is required to connect to the service. Privileges will be those of the guest account. -
invalid users	+
invalid users	List of users that should not be allowed to login to this service. -
only user	+
only user	Controls whether connections with usernames not in the user list will be allowed. -
read list	+
read list	List of users that are given read-only access to a service. Users in this list will not be given write access, no matter what the read-only option is set to. -
username	+
username	Refer to the `smb.conf` man page for more information; this is a complex and potentially misused parameter. -
valid users	+
valid users	List of users that should be allowed to login to this service. -
write list	+
write list	List of users that are given read-write access to a service. -

File and Directory Permissions-Based Controls

Directory permission-based controls, if misused, can result in considerable difficulty in diagnosing the causes of misconfiguration. Use them sparingly and carefully. By gradually introducing each, one at a time, undesirable side effects may be detected. In the event of a problem, always comment all of them out and then gradually reintroduce @@ -393,126 +393,126 @@

Refer to File and Directory Permission Based Controls for information regarding the parameters that may be used to set file and directory permission-based access controls. -

Table 15.3. File and Directory Permission-Based Controls

Control Parameter Description, Action, Notes

create mask

Table 15.3. File and Directory Permission-Based Controls

Control Parameter	Description, Action, Notes
create mask	Refer to the `smb.conf` man page. -
directory mask	+
directory mask	The octal modes used when converting DOS modes to UNIX modes when creating UNIX directories. See also directory security mask. -
dos filemode	+
dos filemode	Enabling this parameter allows a user who has write access to the file to modify the permissions on it. -
force create mode	+
force create mode	This parameter specifies a set of UNIX-mode bit permissions that will always be set on a file created by Samba. -
force directory mode	+
force directory mode	This parameter specifies a set of UNIX-mode bit permissions that will always be set on a directory created by Samba. -
force directory security mode	+
force directory security mode	Controls UNIX permission bits modified when a Windows NT client is manipulating UNIX permissions on a directory. -
force security mode	+
force security mode	Controls UNIX permission bits modified when a Windows NT client manipulates UNIX permissions. -
hide unreadable	+
hide unreadable	Prevents clients from seeing the existence of files that cannot be read. -
hide unwriteable files	+
hide unwriteable files	Prevents clients from seeing the existence of files that cannot be written to. Unwritable directories are shown as usual. -
nt acl support	+
nt acl support	This parameter controls whether smbd will attempt to map UNIX permissions into Windows NT ACLs. -
security mask	+
security mask	Controls UNIX permission bits modified when a Windows NT client is manipulating the UNIX permissions on a file. -

Miscellaneous Controls

The parameter documented in Other Controls are often used by administrators in ways that create inadvertent barriers to file access. Such are the consequences of not understanding the full implications of smb.conf file settings.

Table 15.4. Other Controls

Control Parameter	Description, Action, Notes
- case sensitive, - default case, - short preserve case + case sensitive, + default case, + short preserve case	This means that all file name lookup will be done in a case-sensitive manner. Files will be created with the precise file name Samba received from the MS Windows client. -
csc policy	+
csc policy	Client-side caching policy parallels MS Windows client-side file caching capabilities. -
dont descend	+
dont descend	Allows specifying a comma-delimited list of directories that the server should always show as empty. -
dos filetime resolution	+
dos filetime resolution	This option is mainly used as a compatibility option for Visual C++ when used against Samba shares. -
dos filetimes	+
dos filetimes	DOS and Windows allow users to change file timestamps if they can write to the file. POSIX semantics prevent this. This option allows DOS and Windows behavior. -
fake oplocks	+
fake oplocks	Oplocks are the way that SMB clients get permission from a server to locally cache file operations. If a server grants an oplock, the client is free to assume that it is the only one accessing the file, and it will aggressively cache file data.
- hide dot files, - hide files, - veto files + hide dot files, + hide files, + veto files	Note: MS Windows Explorer allows override of files marked as hidden so they will still be visible. -
read only	+
read only	If this parameter is yes, then users of a service may not create or modify files in the service's directory. -
veto files	+
veto files	List of files and directories that are neither visible nor accessible. -

Access Controls on Shares

- - - - - +

Access Controls on Shares

+ + + + + This section deals with how to configure Samba per-share access control restrictions. By default, Samba sets no restrictions on the share itself. Restrictions on the share itself can be set on MS Windows NT4/200x/XP shares. This can be an effective way to limit who can connect to a share. In the absence of specific restrictions, the default setting is to allow the global user Everyone - Full Control (full control, change and read).

- - - + + + At this time Samba does not provide a tool for configuring access control settings on the share itself the only way to create those settings is to use either the NT4 Server Manager or the Windows 200x Microsoft Management Console (MMC) for Computer Management. There are currently no plans to provide this capability in the Samba command-line tool set.

- - - - + + + + Samba stores the per-share access control settings in a file called share_info.tdb. The location of this file on your system will depend on how Samba was compiled. The default location for Samba's tdb files is under /usr/local/samba/var. If the tdbdump utility has been compiled and installed on your system, then you can examine the contents of this file by executing tdbdump share_info.tdb in the directory containing the tdb files. -

Share Permissions Management

The best tool for share permissions management is platform-dependent. Choose the best tool for your environment. -

Windows NT4 Workstation/Server

- - - - +

Windows NT4 Workstation/Server

+ + + + The tool you need to manage share permissions on a Samba server from a Windows NT4 Workstation or Server is the NT Server Manager. Server Manager is shipped with Windows NT4 Server products but not with Windows NT4 Workstation. You can obtain the NT Server Manager for MS Windows NT4 Workstation from the Microsoft web site support section. -

Procedure 15.2. Instructions

+
Procedure 15.2. Instructions
1. Launch the NT4 Server Manager and click on the Samba server you want to administer. From the menu select Computer, then click on Shared Directories.
2. Click on the share that you wish to manage and click the Properties tab, then click the Permissions tab. Now you can add or change access control settings as you wish. -

Windows 200x/XP

- - - - +

Windows 200x/XP

+ + + + On MS Windows NT4/200x/XP system, ACLs on the share itself are set using native tools, usually from File Manager. For example, in Windows 200x, right-click on the shared folder, then select Sharing, then click on Permissions. The default Windows NT4/200x permission allows "Everyone" full control on the share.

- - - + + + MS Windows 200x and later versions come with a tool called the Computer Management snap-in for the MMC. This tool is located by clicking on Control Panel -> Administrative Tools -> Computer Management. -

Procedure 15.3. Instructions

+
Procedure 15.3. Instructions
1. After launching the MMC with the Computer Management snap-in, click the menu item Action and select Connect to another computer. If you are not logged onto a domain you will be prompted to enter a domain login user identifier and a password. This will authenticate you to the domain. @@ -523,7 +523,7 @@ System Tools, then on the [+] next to Shared Folders in the left panel.
2. - + In the right panel, double-click on the share on which you wish to set access control permissions. Then click the tab Share Permissions. It is now possible to add access control entities to the shared folder. Remember to set what type of access (full control, change, read) you @@ -534,8 +534,8 @@ ACL precedence. Everyone with no access means that MaryK who is part of the group Everyone will have no access even if she is given explicit full control access. -

MS Windows Access Control Lists and UNIX Interoperability

Managing UNIX Permissions Using NT Security Dialogs

- +

MS Windows Access Control Lists and UNIX Interoperability

Managing UNIX Permissions Using NT Security Dialogs

+ Windows NT clients can use their native security settings dialog box to view and modify the underlying UNIX permissions.

@@ -549,7 +549,7 @@ When trying to figure out file access problems, it is vitally important to find the identity of the Windows user as it is presented by Samba at the point of file access. This can best be determined from the Samba log files. -

Viewing File Security on a Samba Share

From an NT4/2000/XP client, right-click on any file or directory in a Samba-mounted drive letter or UNC path. When the menu pops up, click on the Properties entry at the bottom of the menu. This brings up the file Properties dialog box. Click on the @@ -560,7 +560,7 @@ to add auditing requirements to a file if the user is logged on as the NT administrator. This dialog is nonfunctional with a Samba share at this time, because the only useful button, the Add button, will not currently allow a list of users to be seen. -

Viewing File Ownership

Clicking on the Ownership button brings up a dialog box telling you who owns the given file. The owner name will be displayed like this:

@@ -571,10 +571,10 @@
 		descriptive string identifying the user (normally found in the GECOS field of the UNIX password database).
 		Click on the Close button to remove this dialog.
 		

-		If the parameter nt acl support is set to false,
+		If the parameter nt acl support is set to false,
 		the file owner will be shown as the NT user Everyone.
 		

-
+
 		The Take Ownership button will not allow you to change the ownership of this file to
 		yourself (clicking it will display a dialog box complaining that the user as whom you are currently logged onto
 		the NT client cannot be found). The reason for this is that changing the ownership of a file is a privileged
@@ -582,14 +582,14 @@
 		NT to attempt to change the ownership of a file to the current user logged into the NT client, this will
 		not work with Samba at this time.
 		

-
-
-
+
+
+
 		There is an NT chown command that will work with Samba and allow a user with administrator
 		privilege connected to a Samba server as root to change the ownership of files on both a local NTFS file system
 		or remote mounted NTFS or Samba drive. This is available as part of the Seclib NT
 		security library written by Jeremy Allison of the Samba Team and is downloadable from the main Samba FTP site.
-

Viewing File or Directory Permissions

The third button is the Permissions button. Clicking on it brings up a dialog box that shows both the permissions and the UNIX owner of the file or directory. The owner is displayed like this:

SERVER\ @@ -598,12 +598,12 @@ user is the username of the UNIX user who owns the file, and (Long name) is the descriptive string identifying the user (normally found in the GECOS field of the UNIX password database).

- If the parameter nt acl support is set to false, + If the parameter nt acl support is set to false, the file owner will be shown as the NT user Everyone, and the permissions will be shown as NT Full Control.

The permissions field is displayed differently for files and directories. Both are discussed next. -

File Permissions

The standard UNIX user/group/world triplet and the corresponding read, write, execute permissions triplets are mapped by Samba into a three-element NT ACL with the “r”, “w”, and “x” bits mapped into the corresponding NT @@ -621,7 +621,7 @@ Take Ownership ACL attribute (which has no meaning in UNIX) and reports a component with no permissions as having the NT O bit set. This was chosen, of course, to make it look like a zero, meaning zero permissions. More details on the decision behind this action are given below. -

Directory Permissions

Directories on an NT NTFS file system have two different sets of permissions. The first set is the ACL set on the directory itself, which is usually displayed in the first set of parentheses in the normal RW NT style. This first set of permissions is created by Samba in exactly the same way as normal file permissions are, described @@ -632,13 +632,13 @@

Samba synthesizes these inherited permissions for NT by returning as an NT ACL the UNIX permission mode that a new file created by Samba on this share would receive. -

Modifying File or Directory Permissions

Modifying file and directory permissions is as simple as changing the displayed permissions in the dialog box and clicking on OK. However, there are limitations that a user needs to be aware of, and also interactions with the standard Samba permission masks and mapping of DOS attributes that also need to be taken into account.

- If the parameter nt acl support is set to false, any attempt to + If the parameter nt acl support is set to false, any attempt to set security permissions will fail with an "Access Denied" message.

The first thing to note is that the Add button will not return a list of users in Samba @@ -665,39 +665,39 @@ If you wish to remove all permissions from a user/group/world component, you may either highlight the component and click on the Remove button or set the component to only have the special Take Ownership permission (displayed as O) highlighted. -

Interaction with the Standard Samba “create mask” Parameters

There are four parameters that control interaction with the standard Samba create mask parameters: +

Interaction with the Standard Samba “create mask” Parameters

There are four parameters that control interaction with the standard Samba create mask parameters: -

security mask
force security mode
directory security mask
force directory security mode

security mask
force security mode
directory security mask
force directory security mode

When a user clicks on OK to apply the permissions, Samba maps the given permissions into a user/group/world r/w/x triplet set, and then checks the changed permissions for a file against the bits set in the - security mask parameter. Any bits that + security mask parameter. Any bits that were changed that are not set to 1 in this parameter are left alone in the file permissions.

- Essentially, zero bits in the security mask + Essentially, zero bits in the security mask may be treated as a set of bits the user is not allowed to change, and one bits are those the user is allowed to change.

If not explicitly set, this parameter defaults to the same value as - the create mask parameter. To allow a user to modify all the + the create mask parameter. To allow a user to modify all the user/group/world permissions on a file, set this parameter to 0777.

Next Samba checks the changed permissions for a file against the bits set in the - force security mode parameter. Any bits + force security mode parameter. Any bits that were changed that correspond to bits set to 1 in this parameter are forced to be set.

Essentially, bits set in the force security mode parameter may be treated as a set of bits that, when modifying security on a file, the user has always set to be on.

If not explicitly set, this parameter defaults to the same value - as the force create mode parameter. + as the force create mode parameter. To allow a user to modify all the user/group/world permissions on a file with no restrictions, set this parameter to 000. The - security mask and force + security mask and force security mode parameters are applied to the change request in that order.

For a directory, Samba performs the same operations as @@ -706,11 +706,11 @@ mask, and force directory security mode parameter instead of force security mode.

- The directory security mask parameter + The directory security mask parameter by default is set to the same value as the directory mask parameter and the force directory security mode parameter by default is set to the same value as - the force directory mode parameter. + the force directory mode parameter. In this way Samba enforces the permission restrictions that an administrator can set on a Samba share, while still allowing users to modify the permission bits within that restriction.

@@ -719,7 +719,7 @@ does not force any particular bits to be set on, then set the following parameters in the smb.conf file in that share-specific section: -

security mask = 0777

force security mode = 0

directory security mask = 0777

force directory security mode = 0

Interaction with the Standard Samba File Attribute Mapping

Note

security mask = 0777

force security mode = 0

directory security mask = 0777

force directory security mode = 0

Interaction with the Standard Samba File Attribute Mapping

Note

Samba maps some of the DOS attribute bits (such as “read-only”) into the UNIX permissions of a file. This means there can be a conflict between the permission bits set via the security @@ -740,7 +740,7 @@ attributes dialog, you should always press Cancel rather than OK to ensure that your changes are not overridden. -

Windows NT/200X ACLs and POSIX ACLs Limitations

Windows administrators are familiar with simple ACL controls, and they typically consider that UNIX user/group/other (ugo) permissions are inadequate and not sufficiently fine-grained. @@ -768,7 +768,7 @@ ACLs as implemented in UNIX file systems. Samba provides support for masks that permit normal ugo and ACLs functionality to be overrided. This further complicates the way in which Windows ACLs must be implemented. -

UNIX POSIX ACL Overview

In examining POSIX ACLs we must consider the manner in which they operate for both files and directories. File ACLs have the following significance:

@@ -797,7 +797,7 @@
 default:mask:rwx      <-- inherited default mask
 default:other:---     <-- inherited permissions for everyone (other)

Mapping of Windows File ACLs to UNIX POSIX ACLs

Microsoft Windows NT4/200X ACLs must of necessity be mapped to POSIX ACLs. The mappings for file permissions are shown in How Windows File ACLs Map to UNIX POSIX File ACLs. @@ -816,7 +816,7 @@ The UNIX administrator can set any directory permission from within the UNIX environment. The Windows administrator is more restricted in that it is not possible from within Windows Explorer to remove read permission for the file owner. -

Mapping of Windows Directory ACLs to UNIX POSIX ACLs

Interesting things happen in the mapping of UNIX POSIX directory permissions and UNIX POSIX ACLs to Windows ACEs (Access Control Entries, the discrete components of an ACL) are mapped to Windows directory ACLs. @@ -824,10 +824,10 @@ Directory permissions function in much the same way as shown for file permissions, but there are some notable exceptions and a few peculiarities that the astute administrator will want to take into account in the setting up of directory permissions. -

Common Errors

File, directory, and share access problems are common topics on the mailing list. The following are examples recently taken from the mailing list. -

Users Cannot Write to a Public Share

“ We are facing some troubles with file/directory permissions. I can log on the domain as admin user (root), and there's a public share on which everyone needs to have permission to create/modify files, but only @@ -885,17 +885,17 @@

Now in your smb.conf for the share add: -

force create mode = 0775

force directory mode = 6775

force create mode = 0775

force directory mode = 6775

Note

These procedures are needed only if your users are not members of the group you have used that is, if within the OS they do not have write permission on the directory.

An alternative is to set in the smb.conf entry for the share: -

force user = jack

force group = engr

**File Operations Done as root with force user Set**

- When you have a user in admin users, Samba will always do file operations for - this user as root, even if force user has been set. -

MS Word with Samba Changes Owner of File

force user = jack

force group = engr

**File Operations Done as root with force user Set**

+ When you have a user in admin users, Samba will always do file operations for + this user as root, even if force user has been set. +

MS Word with Samba Changes Owner of File

Question: “When user B saves a word document that is owned by user A, the updated file is now owned by user B. Why is Samba doing this? How do I fix this?”

@@ -910,7 +910,7 @@ in which you are changing Word documents: chmod g+s `directory_name'. This ensures that all files will be created with the group that owns the directory. In smb.conf share declaration section set:

force create mode = 0660

force directory mode = 0770

force create mode = 0660

force directory mode = 0770

These two settings will ensure that all directories and files that get created in the share will be readable/writable by the owner and group set on the directory itself. diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20rc2/docs/htmldocs/Samba3-HOWTO/AdvancedNetworkManagement.html samba-3.0.20/docs/htmldocs/Samba3-HOWTO/AdvancedNetworkManagement.html --- samba-3.0.20rc2/docs/htmldocs/Samba3-HOWTO/AdvancedNetworkManagement.html 2005-08-07 11:25:09.000000000 -0500 +++ samba-3.0.20/docs/htmldocs/Samba3-HOWTO/AdvancedNetworkManagement.html 2005-08-19 13:03:41.000000000 -0500 @@ -1,9 +1,9 @@ -Chapter 24. Advanced Network Management

Chapter 24. Advanced Network Management
Prev	Part III. Advanced Configuration	Next

Chapter 24. Advanced Network Management

John H. Terpstra

Samba Team
<jht@samba.org>

June 15 2005

Table of Contents

Features and Benefits

Remote Server Administration

Remote Desktop Management

Remote Management from NoMachine.Com

Network Logon Script Magic

Adding Printers without User Intervention
Limiting Logon Connections

- +Chapter 24. Advanced Network Management

Chapter 24. Advanced Network Management
Prev	Part III. Advanced Configuration	Next

Chapter 24. Advanced Network Management

John H. Terpstra

Samba Team
<jht@samba.org>

June 15 2005

Table of Contents

Features and Benefits

Remote Server Administration

Remote Desktop Management

Remote Management from NoMachine.Com

Network Logon Script Magic

Adding Printers without User Intervention
Limiting Logon Connections

+ This section documents peripheral issues that are of great importance to network administrators who want to improve network resource access control, to automate the user environment, and to make their lives a little easier. -

Features and Benefits

Often the difference between a working network environment and a well-appreciated one can best be measured by the little things that make everything work more harmoniously. A key part of every network environment solution is the ability to remotely @@ -13,48 +13,48 @@

This chapter presents information on each of these areas. They are placed here, and not in other chapters, for ease of reference. -

Remote Server Administration

“How do I get User Manager and Server Manager?”

- - - +

Remote Server Administration

“How do I get User Manager and Server Manager?”

+ + + Since I do not need to buy an NT4 server, how do I get the User Manager for Domains and the Server Manager?

- - + + Microsoft distributes a version of these tools called Nexus.exe for installation on Windows 9x/Me systems. The tools set includes:

Server Manager
User Manager for Domains
Event Viewer

Download the archived file at the Microsoft Nexus link.

- - - + + + The Windows NT 4.0 version of the User Manager for Domains and Server Manager are available from Microsoft via ftp. -

Remote Desktop Management

- - +

Remote Desktop Management

+ + There are a number of possible remote desktop management solutions that range from free through costly. Do not let that put you off. Sometimes the most costly solution is the most cost effective. In any case, you will need to draw your own conclusions as to which is the best tool in your network environment. -

Remote Management from NoMachine.Com

- +

Remote Management from NoMachine.Com

+ The following information was posted to the Samba mailing list at Apr 3 23:33:50 GMT 2003. It is presented in slightly edited form (with author details omitted for privacy reasons). The entire answer is reproduced below with some comments removed.

“ - + I have a wonderful Linux/Samba server running as PDC for a network. Now I would like to add remote desktop capabilities so users outside could login to the system and get their desktop up from home or another country. ”

“ - - - - + + + + Is there a way to accomplish this? Do I need a Windows Terminal server? Do I need to configure it so it is a member of the domain or a BDC or PDC? Are there any hacks for MS Windows XP to enable remote login even if the computer is in a domain? @@ -62,22 +62,22 @@ Answer provided: Check out the new offer of “NX” software from NoMachine.

- - - + + + It implements an easy-to-use interface to the Remote X protocol as well as incorporating VNC/RFB and rdesktop/RDP into it, but at a speed performance much better than anything you may have ever seen.

- + Remote X is not new at all, but what they did achieve successfully is a new way of compression and caching technologies that makes the thing fast enough to run even over slow modem/ISDN connections.

- - - - + + + + I test drove their (public) Red Hat machine in Italy, over a loaded Internet connection, with enabled thumbnail previews in KDE konqueror, which popped up immediately on “mouse-over”. From inside that (remote X) @@ -85,18 +85,18 @@ To test the performance, I played Pinball. I am proud to announce that my score was 631,750 points at first try.

- - - - + + + + NX performs better on my local LAN than any of the other “pure” connection methods I use from time to time: TightVNC, rdesktop or Remote X. It is even faster than a direct crosslink connection between two nodes.

- - - + + + I even got sound playing from the Remote X app to my local boxes, and had a working “copy'n'paste” from an NX window (running a KDE session in Italy) to my Mozilla mailing agent. These guys are certainly doing @@ -118,7 +118,7 @@ full-screen, and after a short time you forget that it is a remote session at all).

- + Now the best thing for last: All the core compression and caching technologies are released under the GPL and available as source code to anybody who wants to build on it! These technologies are working, @@ -140,15 +140,15 @@ you can now use a (very inconvenient) command line at no cost, but you can buy a comfortable (proprietary) NX GUI front end for money.

- - - - - + + + + + NoMachine is encouraging and offering help to OSS/Free Software implementations for such a front-end too, even if it means competition to them (they have written to this effect even to the LTSP, KDE, and GNOME developer mailing lists). -

Network Logon Script Magic

There are several opportunities for creating a custom network startup configuration environment.

No Logon Script.
Simple universal Logon Script that applies to all users.
Use of a conditional Logon Script that applies per-user or per-group attributes.
Use of Samba's preexec and postexec functions on access to the NETLOGON share to create a custom logon script and then execute it.
User of a tool such as KixStart.

@@ -158,7 +158,7 @@

The following listings are from the genlogon directory.

- + This is the genlogon.pl file:

@@ -237,15 +237,15 @@

Those wishing to use a more elaborate or capable logon processing system should check out these sites: -

Adding Printers without User Intervention

- +

Adding Printers without User Intervention

+ Printers may be added automatically during logon script processing through the use of:

 C:\> rundll32 printui.dll,PrintUIEntry /?

See the documentation in the Microsoft Knowledge Base article 189105. -

Limiting Logon Connections

Sometimes it is necessary to limit the number of concurrent connections to a Samba shared resource. For example, a site may wish to permit only one network logon per user. diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20rc2/docs/htmldocs/Samba3-HOWTO/Appendix.html samba-3.0.20/docs/htmldocs/Samba3-HOWTO/Appendix.html --- samba-3.0.20rc2/docs/htmldocs/Samba3-HOWTO/Appendix.html 2005-08-07 11:25:20.000000000 -0500 +++ samba-3.0.20/docs/htmldocs/Samba3-HOWTO/Appendix.html 2005-08-19 13:03:50.000000000 -0500 @@ -1 +1 @@ -Part VI. Reference Section

Part VI. Reference Section
Prev		Next

Reference Section

Table of Contents

40. How to Compile Samba

Access Samba Source Code via Subversion

Introduction
Subversion Access to samba.org

Accessing the Samba Sources via rsync and ftp

Verifying Samba's PGP Signature

Building the Binaries

Compiling Samba with Active Directory Support

Starting the smbd nmbd and winbindd

Starting from inetd.conf
Alternative: Starting smbd as a Daemon

41. Portability

HPUX

SCO UNIX

DNIX

Red Hat Linux

AIX: Sequential Read Ahead

Solaris

Locking Improvements
Winbind on Solaris 9

42. Samba and Other CIFS Clients

Macintosh Clients

OS2 Client

Configuring OS/2 Warp Connect or OS/2 Warp 4
Configuring Other Versions of OS/2
Printer Driver Download for OS/2 Clients

Windows for Workgroups

Latest TCP/IP Stack from Microsoft
Delete .pwl Files After Password Change
Configuring Windows for Workgroups Password Handling
Password Case Sensitivity
Use TCP/IP as Default Protocol
Speed Improvement

Windows 95/98

Speed Improvement

Windows 2000 Service Pack 2

Windows NT 3.1

43. Samba Performance Tuning

Comparisons
Socket Options
Read Size
Max Xmit
Log Level
Read Raw
Write Raw
Slow Logins
Client Tuning
Samba Performance Problem Due to Changing Linux Kernel
Corrupt tdb Files
Samba Performance is Very Slow

44. LDAP and Transport Layer Security

Introduction

Configuring

Generating the Certificate Authority
Generating the Server Certificate
Installing the Certificates

Testing

Troubleshooting

45. Samba Support

Free Support
Commercial Support

46. DNS and DHCP Configuration Guide

Features and Benefits

Example Configuration

Dynamic DNS
DHCP Server

Prev		Next
Chapter 39. Reporting Bugs	Home	Chapter 40. How to Compile Samba

+Part VI. Reference Section
Part VI. Reference Section
Prev Next
Reference Section
Table of Contents
40. How to Compile Samba
Access Samba Source Code via Subversion
Introduction
Subversion Access to samba.org
Accessing the Samba Sources via rsync and ftp
Verifying Samba's PGP Signature
Building the Binaries
Compiling Samba with Active Directory Support
Starting the smbd nmbd and winbindd
Starting from inetd.conf
Alternative: Starting smbd as a Daemon
41. Portability
HPUX
SCO UNIX
DNIX
Red Hat Linux
AIX: Sequential Read Ahead
Solaris
Locking Improvements
Winbind on Solaris 9
42. Samba and Other CIFS Clients
Macintosh Clients
OS2 Client
Configuring OS/2 Warp Connect or OS/2 Warp 4
Configuring Other Versions of OS/2
Printer Driver Download for OS/2 Clients
Windows for Workgroups
Latest TCP/IP Stack from Microsoft
Delete .pwl Files After Password Change
Configuring Windows for Workgroups Password Handling
Password Case Sensitivity
Use TCP/IP as Default Protocol
Speed Improvement
Windows 95/98
Speed Improvement
Windows 2000 Service Pack 2
Windows NT 3.1
43. Samba Performance Tuning
Comparisons
Socket Options
Read Size
Max Xmit
Log Level
Read Raw
Write Raw
Slow Logins
Client Tuning
Samba Performance Problem Due to Changing Linux Kernel
Corrupt tdb Files
Samba Performance is Very Slow
44. LDAP and Transport Layer Security
Introduction
Configuring
Generating the Certificate Authority
Generating the Server Certificate
Installing the Certificates
Testing
Troubleshooting
45. Samba Support
Free Support
Commercial Support
46. DNS and DHCP Configuration Guide
Features and Benefits
Example Configuration
Dynamic DNS
DHCP Server
Prev Next
Chapter 39. Reporting Bugs Home Chapter 40. How to Compile Samba
diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20rc2/docs/htmldocs/Samba3-HOWTO/Backup.html samba-3.0.20/docs/htmldocs/Samba3-HOWTO/Backup.html --- samba-3.0.20rc2/docs/htmldocs/Samba3-HOWTO/Backup.html 2005-08-07 11:25:12.000000000 -0500 +++ samba-3.0.20/docs/htmldocs/Samba3-HOWTO/Backup.html 2005-08-19 13:03:44.000000000 -0500 @@ -1,33 +1,33 @@ -Chapter 30. Backup Techniques
Chapter 30. Backup Techniques
Prev Part III. Advanced Configuration Next
Chapter 30. Backup Techniques
John H. Terpstra
Samba Team
<jht@samba.org>
Table of Contents
Features and Benefits
Discussion of Backup Solutions
BackupPC
Rsync
Amanda
BOBS: Browseable Online Backup System
Features and Benefits
- - - - +Chapter 30. Backup Techniques
Chapter 30. Backup Techniques
Prev Part III. Advanced Configuration Next
Chapter 30. Backup Techniques
John H. Terpstra
Samba Team
<jht@samba.org>
Table of Contents
Features and Benefits
Discussion of Backup Solutions
BackupPC
Rsync
Amanda
BOBS: Browseable Online Backup System
Features and Benefits
+ + + + The Samba project is over 10 years old. During the early history of Samba, UNIX administrators were its key implementors. UNIX administrators use UNIX system tools to backup UNIX system files. Over the past 4 years, an increasing number of Microsoft network administrators have taken an interest in Samba. This is reflected in the questions about backup in general on the Samba mailing lists. -
Discussion of Backup Solutions
- - +
Discussion of Backup Solutions
+ + During discussions at a Microsoft Windows training course, one of the pro-UNIX delegates stunned the class when he pointed out that Windows NT4 is limiting compared with UNIX. He likened UNIX to a Meccano set that has an unlimited number of tools that are simple, efficient, and, in combination, capable of achieving any desired outcome.
- - + + One of the Windows networking advocates retorted that if she wanted a Meccano set, she would buy one. She made it clear that a complex single tool that does more than is needed but does it with a clear purpose and intent is preferred by some like her.
- - - + + + Please note that all information here is provided as is and without recommendation of fitness or suitability. The network administrator is strongly encouraged to perform due diligence research before implementing any backup solution, whether free @@ -38,31 +38,31 @@ www.allmerchants.com.
The following three free software projects might also merit consideration. -
BackupPC
- - - +
BackupPC
+ + + BackupPC version 2.0.0 has been released on SourceForge. New features include support for rsync/rsyncd and internationalization of the CGI interface (including English, French, Spanish, and German).
- - - - - - - - + + + + + + + + BackupPC is a high-performance Perl-based package for backing up Linux, UNIX, and Windows PCs and laptops to a server's disk. BackupPC is highly configurable and easy to install and maintain. SMB (via smbclient), tar over rsh/ssh, or rsync/rsyncd are used to extract client data.
- - - + + + Given the ever-decreasing cost of disks and RAID systems, it is now practical and cost effective to backup a large number of machines onto a server's local disk or network storage. This is what BackupPC does. @@ -71,24 +71,24 @@ space), compression, and a comprehensive CGI interface that allows users to browse backups and restore files.
- + BackupPC is free software distributed under a GNU GPL license. BackupPC runs on Linux/UNIX/freenix servers and has been tested on Linux, UNIX, Windows 9x/Me, Windows 98, Windows 200x, Windows XP, and Mac OSX clients. -
Rsync
- - - - - - +
Rsync
+ + + + + + rsync is a flexible program for efficiently copying files or directory trees.
rsync has many options to select which files will be copied and how they are to be transferred. It may be used as an alternative to ftp, http, scp, or rcp.
- - - + + + The rsync remote-update protocol allows rsync to transfer just the differences between two sets of files across the network link, using an efficient checksum-search algorithm described in the @@ -107,10 +107,10 @@
Support for anonymous or authenticated rsync servers (ideal for mirroring). -
Amanda
- - - +
Amanda
+ + + Amanda, the Advanced Maryland Automatic Network Disk Archiver, is a backup system that allows the administrator of a LAN to set up a single master backup server to back up multiple hosts to a single large capacity tape drive. Amanda uses native dump and/or @@ -119,8 +119,8 @@
For more information regarding Amanda, please check the www.amanda.org/ site. -
BOBS: Browseable Online Backup System
- +
BOBS: Browseable Online Backup System
+ Browseable Online Backup System (BOBS) is a complete online backup system. Uses large disks for storing backups and lets users browse the files using a Web browser. Handles some special files like AppleDouble and icon files. diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20rc2/docs/htmldocs/Samba3-HOWTO/bugreport.html samba-3.0.20/docs/htmldocs/Samba3-HOWTO/bugreport.html --- samba-3.0.20rc2/docs/htmldocs/Samba3-HOWTO/bugreport.html 2005-08-07 11:25:17.000000000 -0500 +++ samba-3.0.20/docs/htmldocs/Samba3-HOWTO/bugreport.html 2005-08-19 13:03:48.000000000 -0500 @@ -1,6 +1,6 @@ -Chapter 39. Reporting Bugs
Chapter 39. Reporting Bugs
Prev Part V. Troubleshooting Next
Chapter 39. Reporting Bugs
John H. Terpstra
Samba Team
<jht@samba.org>
Jelmer R. Vernooij
The Samba Team
<jelmer@samba.org>
Andrew Tridgell
Samba Team
<tridge@samba.org>
27 June 1997
Table of Contents
Introduction
General Information
Debug Levels
Debugging-Specific Operations
Internal Errors
Attaching to a Running Process
Patches
Introduction
- - +Chapter 39. Reporting Bugs
Chapter 39. Reporting Bugs
Prev Part V. Troubleshooting Next
Chapter 39. Reporting Bugs
John H. Terpstra
Samba Team
<jht@samba.org>
Jelmer R. Vernooij
The Samba Team
<jelmer@samba.org>
Andrew Tridgell
Samba Team
<tridge@samba.org>
27 June 1997
Table of Contents
Introduction
General Information
Debug Levels
Debugging-Specific Operations
Internal Errors
Attaching to a Running Process
Patches
Introduction
+ + Please report bugs using Samba's Bugzilla facilities and take the time to read this file before you submit a bug report. Also, check to see if it has changed between releases, as we may be changing the bug reporting mechanism at some point. @@ -12,9 +12,9 @@ and a fix if you send us a “developer-friendly” bug report that lets us fix it fast.
- - - + + + If you post the bug to the comp.protocols.smb newsgroup or the mailing list, do not assume that we will read it. If you suspect that your problem is not a bug but a configuration problem, it is better to send @@ -24,7 +24,7 @@ You may also like to look though the recent mailing list archives, which are conveniently accessible on the Samba Web pages at http://samba.org/samba/. -
General Information
+
General Information
Before submitting a bug report, check your config for silly errors. Look in your log files for obvious messages that tell you've misconfigured something. Run testparm to check your config @@ -42,42 +42,42 @@ 10 showing the problem may be appropriate. A higher level gives more detail but may use too much disk space.
- - -To set the debug level, use the log level in your + + +To set the debug level, use the log level in your smb.conf. You may also find it useful to set the log level higher for just one machine and keep separate logs for each machine. To do this, add the following lines to your main smb.conf file: -
log level = 10
log file = /usr/local/samba/lib/log.%m
include = /usr/local/samba/lib/smb.conf.%m
+
log level = 10
log file = /usr/local/samba/lib/log.%m
include = /usr/local/samba/lib/smb.conf.%m
and create a file /usr/local/samba/lib/smb.conf.machine where machine is the name of the client you wish to debug. In that file put any -smb.conf commands you want; for example, log level may be useful. This also allows +smb.conf commands you want; for example, log level may be useful. This also allows you to experiment with different security systems, protocol levels, and so on, on just one machine.
-The smb.conf entry log level is synonymous with the parameter debuglevel that has been used in older versions of Samba and is being retained for backward +The smb.conf entry log level is synonymous with the parameter debuglevel that has been used in older versions of Samba and is being retained for backward compatibility of smb.conf files.
-As the log level value is increased, you will record a significantly greater level of +As the log level value is increased, you will record a significantly greater level of debugging information. For most debugging operations, you may not need a setting higher than 3. Nearly all bugs can be tracked at a setting of 10, but be prepared for a large volume of log data. -
Debugging-Specific Operations
- - - - +
Debugging-Specific Operations
+ + + + Samba-3.x permits debugging (logging) of specific functional components without unnecessarily cluttering the log files with detailed logs for all operations. An example configuration to achieve this is shown in:
-
log level = 0 tdb:3 passdb:5 auth:4 vfs:2
max log size = 0
log file = /var/log/samba/%U.%m.log
+
log level = 0 tdb:3 passdb:5 auth:4 vfs:2
max log size = 0
log file = /var/log/samba/%U.%m.log

This will cause the level of detail to be expanded to the debug class (log level) passed to each functional area per the value shown above. The first value passed to the log level of 0 means turn off all unnecessary debugging except the debug classes set for the functional areas as specified. The table shown in Debuggable Functions may be used to attain very precise analysis of each SMB operation Samba is conducting. -
Table 39.1. Debuggable Functions
Function Name Function Name
all passdb
tdb sam
printdrivers auth
lanman winbind
smb vfs
rpc_parse idmap
rpc_srv quota
rpc_cli acls
Internal Errors
+
Table 39.1. Debuggable Functions
Function Name Function Name
all passdb
tdb sam
printdrivers auth
lanman winbind
smb vfs
rpc_parse idmap
rpc_srv quota
rpc_cli acls
Internal Errors
If you get the message “INTERNAL ERROR” in your log files, it means that Samba got an unexpected signal while running. It is probably a segmentation fault and almost certainly means a bug in Samba (unless @@ -91,35 +91,35 @@ You should also detail how to reproduce the problem, if possible. Please make this reasonably detailed.
- + You may also find that a core file appeared in a corefiles subdirectory of the directory where you keep your Samba log files. This file is the most useful tool for tracking down the bug. To use it, you do this: - - + +
$ gdb smbd core

- - + + adding appropriate paths to smbd and core so gdb can find them. If you do not have gdb, try dbx. Then within the debugger, use the command where to give a stack trace of where the problem occurred. Include this in your report.
- + If you know any assembly language, do a disass of the routine where the problem occurred (if it's in a library routine, then disassemble the routine that called it) and try to work out exactly where the problem is by looking at the surrounding code. Even if you do not know assembly, including this information in the bug report can be useful. -
Attaching to a Running Process
- - - +
Attaching to a Running Process
+ + + Unfortunately, some UNIXes (in particular some recent Linux kernels) refuse to dump a core file if the task has changed UID (which smbd does often). To debug with this sort of system, you could try to attach @@ -145,12 +145,12 @@
root# gdb /usr/local/samba/sbin/smbd
- + then “attach `pid'” (of the spinning process), then type “bt” to get a backtrace to see where the smbd is in the call path. -
Patches
- - +
Patches
+ + The best sort of bug report is one that includes a fix! If you send us patches, please use diff -u format if your version of diff supports it; otherwise, use diff -c4. Make sure diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20rc2/docs/htmldocs/Samba3-HOWTO/cfgsmarts.html samba-3.0.20/docs/htmldocs/Samba3-HOWTO/cfgsmarts.html --- samba-3.0.20rc2/docs/htmldocs/Samba3-HOWTO/cfgsmarts.html 2005-08-07 11:25:14.000000000 -0500 +++ samba-3.0.20/docs/htmldocs/Samba3-HOWTO/cfgsmarts.html 2005-08-19 13:03:45.000000000 -0500 @@ -1,52 +1,52 @@ -Chapter 33. Advanced Configuration Techniques
Chapter 33. Advanced Configuration Techniques
Prev Part III. Advanced Configuration Next
Chapter 33. Advanced Configuration Techniques
John H. Terpstra
Samba Team
<jht@samba.org>
June 30, 2005
Table of Contents
Implementation
Multiple Server Hosting
Multiple Virtual Server Personalities
Multiple Virtual Server Hosting
- - +Chapter 33. Advanced Configuration Techniques
Chapter 33. Advanced Configuration Techniques
Prev Part III. Advanced Configuration Next
Chapter 33. Advanced Configuration Techniques
John H. Terpstra
Samba Team
<jht@samba.org>
June 30, 2005
Table of Contents
Implementation
Multiple Server Hosting
Multiple Virtual Server Personalities
Multiple Virtual Server Hosting
+ + Since the release of the first edition of this book there have been repeated requests to better document configuration techniques that may help a network administrator to get more out of Samba. Some users have asked -for documentation regarding the use of the include = file-name parameter. +for documentation regarding the use of the include = file-name parameter.
- - + + Commencing around mid-2004 there has been increasing interest in the ability to host multiple Samba servers on one machine. There has also been an interest in the hosting of multiple Samba server personalities on one server.
- - + + Feedback from technical reviewers made the inclusion of this chapter a necessity. So, here is an answer the questions that have to date not been adequately addressed. Additional user input is welcome as it will help this chapter to mature. What is presented here is just a small beginning.
- - - + + + There are a number of ways in which multiple servers can be hosted on a single Samba server. Multiple server hosting makes it possible to host multiple domain controllers on one machine. Each such machine is independent, and each can be stopped or started without affecting another.
- - - + + + Sometimes it is desirable to host multiple servers, each with its own security mode. For example, a single UNIX/Linux host may be a domain member server (DMS) as well as a generic anonymous print server. In this case, only domain member machines and domain users can access the DMS, but even guest users can access the generic print server. Another example of a situation where it may be beneficial to host a generic (anonymous) server is to host a CDROM server.
- - + + Some environments dictate the need to have separate servers, each with their own resources, each of which are accessible only by certain users or groups. This is one of the simple, but highly effective, ways that Samba can replace many physical Windows servers in one Samba installation. -
Implementation
-
Multiple Server Hosting
- - - - - - - +
Implementation
+
Multiple Server Hosting
+ + + + + + + The use of multiple server hosting involves running multiple separate instances of Samba, each with it's own configuration file. This method is complicated by the fact that each instance of nmbd, smbd and winbindd must have write access to entirely separate TDB files. The ability to keep separate the TDB files used by @@ -54,78 +54,78 @@ own default TDB directories, or by configuring these in the smb.conf file, in which case each instance of nmbd, smbd and winbindd must be told to start up with its own smb.conf configuration file.
- - - - + + + + Each instance should operate on its own IP address (that independent IP address can be an IP Alias). Each instance of nmbd, smbd and winbindd should listen only on its own IP socket. This can be secured -using the socket address parameter. Each instance of the Samba server will have its +using the socket address parameter. Each instance of the Samba server will have its own SID also, this means that the servers are discrete and independent of each other.
- - - - - - - - - + + + + + + + + + The user of multiple server hosting is non-trivial, and requires careful configuration of each aspect of process management and start up. The smb.conf parameters that must be carefully configured includes: -private dir, pid directory,lock directory, interfaces, bind interfaces only, netbios name, workgroup, socket address. +private dir, pid directory,lock directory, interfaces, bind interfaces only, netbios name, workgroup, socket address.
- - - + + + Those who elect to create multiple Samba servers should have the ability to read and follow the Samba source code, and to modify it as needed. This mode of deployment is considered beyond the scope of this book. However, if someone will contribute more comprehensive documentation we will gladly review it, and if it is suitable extend this section of this chapter. Until such documentation becomes available the hosting of multiple samba servers on a single host is considered not supported for Samba-3 by the Samba Team. -
Multiple Virtual Server Personalities
- - - +
Multiple Virtual Server Personalities
+ + + Samba has the ability to host multiple virtual servers, each of which have their own personality. This is achieved by configuring an smb.conf file that is common to all personalities hosted. Each server -personality is hosted using its own netbios alias name, and each has its own distinct -[global] section. Each server may have its own stanzas for services and meta-services. +personality is hosted using its own netbios alias name, and each has its own distinct +[global] section. Each server may have its own stanzas for services and meta-services.
- - - + + + When hosting multiple virtual servers, each with their own personality, each can be in a different workgroup. Only the primary server can be a domain member or a domain controller. The personality is defined by the -combination of the security mode it is operating in, the netbios aliases it has, and the workgroup that is defined for it. +combination of the security mode it is operating in, the netbios aliases it has, and the workgroup that is defined for it.
- - - - - - + + + + + + This configuration style can be used either with NetBIOS names, or using NetBIOS-less SMB over TCP services. -If run using NetBIOS mode (the most common method) it is important that the parameter smb ports = 139 should be specified in the primary smb.conf file. Failure to do this will result +If run using NetBIOS mode (the most common method) it is important that the parameter smb ports = 139 should be specified in the primary smb.conf file. Failure to do this will result in Samba operating over TCP port 445 and problematic operation at best, and at worst only being able to obtain the functionality that is specified in the primary smb.conf file. The use of NetBIOS over TCP/IP using only -TCP port 139 means that the use of the %L macro is fully enabled. If the smb ports = 139 is not specified (the default is 445 139, or if +TCP port 139 means that the use of the %L macro is fully enabled. If the smb ports = 139 is not specified (the default is 445 139, or if the value of this parameter is set at 139 445 then the %L macro is not serviceable.
- - - - + + + + It is possible to host multiple servers, each with their own personality, using port 445 (the NetBIOS-less SMB port), in which case the %i macro can be used to provide separate server identities (by -IP Address). Each can have its own security mode. It will be necessary to use the -interfaces, bind interfaces only and IP aliases in addition to -the netbios name parameters to create the virtual servers. This method is considerably +IP Address). Each can have its own security mode. It will be necessary to use the +interfaces, bind interfaces only and IP aliases in addition to +the netbios name parameters to create the virtual servers. This method is considerably more complex than that using NetBIOS names only using TCP port 139.
- + Consider an example environment that consists of a standalone, user-mode security Samba server and a read-only Windows 95 file server that has to be replaced. Instead of replacing the Windows 95 machine with a new PC, it is possible to add this server as a read-only anonymous file server that is hosted on the Samba server. Here @@ -135,46 +135,46 @@ The CDROM server is called CDSERVER and its workgroup is ARTSDEPT. A possible implementation is shown here:
- - - - + + + + The smb.conf file for the master server is shown in Elastic smb.conf File. This file is placed in the /etc/samba directory. Only the nmbd and the smbd daemons are needed. When started the server will appear in Windows Network Neighborhood as the machine ELASTIC under the workgroup ROBINSNEST. It is helpful if the Windows clients that must access this server are also in the workgroup ROBINSNEST as this will make browsing much more reliable. -
Example 33.1. Elastic smb.conf File
# Global parameters

[global]
workgroup = ROBINSNEST
netbios name = ELASTIC
netbios aliases = CDSERVER
smb ports = 139
printcap name = cups
disable spoolss = Yes
show add printer wizard = No
printing = cups
include = /etc/samba/smb-%L.conf

[homes]
comment = Home Directories
valid users = %S
read only = No
browseable = No

[office]
comment = Data
path = /data
read only = No

[printers]
comment = All Printers
path = /var/spool/samba
create mask = 0600
guest ok = Yes
printable = Yes
use client driver = Yes
browseable = No
- +
Example 33.1. Elastic smb.conf File
# Global parameters

[global]
workgroup = ROBINSNEST
netbios name = ELASTIC
netbios aliases = CDSERVER
smb ports = 139
printcap name = cups
disable spoolss = Yes
show add printer wizard = No
printing = cups
include = /etc/samba/smb-%L.conf

[homes]
comment = Home Directories
valid users = %S
read only = No
browseable = No

[office]
comment = Data
path = /data
read only = No

[printers]
comment = All Printers
path = /var/spool/samba
create mask = 0600
guest ok = Yes
printable = Yes
use client driver = Yes
browseable = No
+ The configuration file for the CDROM server is listed in CDROM Server smb-cdserver.conf file. This file is called smb-cdserver.conf and it should be located in the /etc/samba directory. Machines that are in the workgroup ARTSDEPT will be able to browse this server freely. -
Example 33.2. CDROM Server smb-cdserver.conf file
# Global parameters

[global]
workgroup = ARTSDEPT
netbios name = CDSERVER
map to guest = Bad User
guest ok = Yes

[carousel]
comment = CDROM Share
path = /export/cddata
read only = Yes
guest ok = Yes
- - - - +
Example 33.2. CDROM Server smb-cdserver.conf file
# Global parameters

[global]
workgroup = ARTSDEPT
netbios name = CDSERVER
map to guest = Bad User
guest ok = Yes

[carousel]
comment = CDROM Share
path = /export/cddata
read only = Yes
guest ok = Yes
+ + + + The two servers have different resources and are in separate workgroups. The server ELASTIC can only be accessed by uses who have an appropriate account on the host server. All users will be able to access the CDROM data that is stored in the /export/cddata directory. File system permissions should set so that the others user has read-only access to the directory and its contents. The files can be owned by root (any user other than the nobody account). -
Multiple Virtual Server Hosting
- - - +
Multiple Virtual Server Hosting
+ + + In this example, the requirement is for a primary domain controller for the domain called MIDEARTH. The PDC will be called MERLIN. An extra machine called SAURON is required. Each machine will have only its own shares. Both machines belong to the same domain/workgroup.
- - - + + + The master smb.conf file is shown in the Master smb.conf File Global Section. The two files that specify the share information for each server are shown in the smb-merlin.conf File Share Section, and the smb-sauron.conf File Share Section. All three files are locate in the /etc/samba directory. -
Example 33.3. Master smb.conf File Global Section
# Global parameters

[global]
workgroup = MIDEARTH
netbios name = MERLIN
netbios aliases = SAURON
passdb backend = tdbsam
smb ports = 139
syslog = 0
printcap name = CUPS
show add printer wizard = No
add user script = /usr/sbin/useradd -m '%u'
delete user script = /usr/sbin/userdel -r '%u'
add group script = /usr/sbin/groupadd '%g'
delete group script = /usr/sbin/groupdel '%g'
add user to group script = /usr/sbin/usermod -G '%g' '%u'
add machine script = /usr/sbin/useradd -s /bin/false -d /var/lib/nobody '%u'
logon script = scripts\login.bat
logon path =
logon drive = X:
domain logons = Yes
preferred master = Yes
wins support = Yes
printing = CUPS
include = /etc/samba/smb-%L.conf
Example 33.4. MERLIN smb-merlin.conf File Share Section
# Global parameters

[global]
workgroup = MIDEARTH
netbios name = MERLIN

[homes]
comment = Home Directories
valid users = %S
read only = No
browseable = No

[office]
comment = Data
path = /data
read only = No

[netlogon]
comment = NETLOGON
path = /var/lib/samba/netlogon
read only = Yes
browseable = No

[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
use client driver = Yes
browseable = No
Example 33.5. SAURON smb-sauron.conf File Share Section
# Global parameters

[global]
workgroup = MIDEARTH
netbios name = SAURON

[www]
comment = Web Pages
path = /srv/www/htdocs
read only = No
Prev Up Next
Chapter 32. Handling Large Directories Home Part IV. Migration and Updating
+
Example 33.3. Master smb.conf File Global Section
# Global parameters

[global]
workgroup = MIDEARTH
netbios name = MERLIN
netbios aliases = SAURON
passdb backend = tdbsam
smb ports = 139
syslog = 0
printcap name = CUPS
show add printer wizard = No
add user script = /usr/sbin/useradd -m '%u'
delete user script = /usr/sbin/userdel -r '%u'
add group script = /usr/sbin/groupadd '%g'
delete group script = /usr/sbin/groupdel '%g'
add user to group script = /usr/sbin/usermod -G '%g' '%u'
add machine script = /usr/sbin/useradd -s /bin/false -d /var/lib/nobody '%u'
logon script = scripts\login.bat
logon path =
logon drive = X:
domain logons = Yes
preferred master = Yes
wins support = Yes
printing = CUPS
include = /etc/samba/smb-%L.conf
Example 33.4. MERLIN smb-merlin.conf File Share Section
# Global parameters

[global]
workgroup = MIDEARTH
netbios name = MERLIN

[homes]
comment = Home Directories
valid users = %S
read only = No
browseable = No

[office]
comment = Data
path = /data
read only = No

[netlogon]
comment = NETLOGON
path = /var/lib/samba/netlogon
read only = Yes
browseable = No

[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
use client driver = Yes
browseable = No
Example 33.5. SAURON smb-sauron.conf File Share Section
# Global parameters

[global]
workgroup = MIDEARTH
netbios name = SAURON

[www]
comment = Web Pages
path = /srv/www/htdocs
read only = No
Prev Up Next
Chapter 32. Handling Large Directories Home Part IV. Migration and Updating
diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20rc2/docs/htmldocs/Samba3-HOWTO/ch45.html samba-3.0.20/docs/htmldocs/Samba3-HOWTO/ch45.html --- samba-3.0.20rc2/docs/htmldocs/Samba3-HOWTO/ch45.html 2005-08-07 11:25:19.000000000 -0500 +++ samba-3.0.20/docs/htmldocs/Samba3-HOWTO/ch45.html 2005-08-19 13:03:50.000000000 -0500 @@ -1,9 +1,9 @@ -Chapter 45. Samba Support
Chapter 45. Samba Support
Prev Part VI. Reference Section Next
Chapter 45. Samba Support
Table of Contents
Free Support
Commercial Support
- +Chapter 45. Samba Support
Chapter 45. Samba Support
Prev Part VI. Reference Section Next
Chapter 45. Samba Support
Table of Contents
Free Support
Commercial Support
+ One of the most difficult to answer questions in the information technology industry is, “What is support?”. That question irritates some folks, as much as common answers may annoy others.
- + The most aggravating situation pertaining to support is typified when, as a Linux user, a call is made to an Internet service provider who, instead of listening to the problem to find a solution, blandly replies: “Oh, Linux? We do not support Linux!”. It has happened to me, and similar situations happen @@ -15,50 +15,50 @@ at the right time, no matter the situation. Support is all that it takes to take away pain, disruption, inconvenience, loss of productivity, disorientation, uncertainty, and real or perceived risk.
- - - + + + One of the forces that has become a driving force for the adoption of open source software is the fact that many IT businesses have provided services that have perhaps failed to deliver what the customer expected, or that have been found wanting for other reasons.
- - + + In recognition of the need for needs satisfaction as the primary experience an information technology user or consumer expects, the information provided in this chapter may help someone to avoid an unpleasant experience in respect of problem resolution.
- - - + + + In the open source software arena there are two support options: free support and paid-for (commercial) support. -
Free Support
- - - - - +
Free Support
+ + + + + Free support may be obtained from friends, colleagues, user groups, mailing lists, and interactive help facilities. An example of an interactive dacility is the Internet relay chat (IRC) channels that host user supported mutual assistance.
- - - - - + + + + + The Samba project maintains a mailing list that is commonly used to discuss solutions to Samba deployments. Information regarding subscription to the Samba mailing list can be found on the Samba web site. The public mailing list that can be used to obtain free, user contributed, support is called the samba list. The email address for this list is at mail:samba@samba.org. Information regarding the Samba IRC channels may be found on the Samba IRC web page.
- - - - + + + + As a general rule, it is considered poor net behavior to contact a Samba Team member directly for free support. Most active members of the Samba Team work exceptionally long hours to assist users who have demonstrated a qualified problem. Some team members may respond to direct email @@ -66,9 +66,9 @@ Team members actually provide professional paid-for Samba support and it is therefore wise to show appropriate discretion and reservation in all direct contact.
- - - + + + When you stumble across a Samba bug, often the quickest way to get it resolved is by posting a bug report. All such reports are mailed to the responsible code maintainer for action. The better the report, and the more serious it is, @@ -76,16 +76,16 @@ the reported bug it is likely to be rejected. It is up to you to provide sufficient information that will permit the problem to be reproduced.
- + We all recognize that sometimes free support does not provide the answer that is sought within the time-frame required. At other times the problem is elusive and you may lack the experience necessary to isolate the problem and thus to resolve it. This is a situation where is may be prudent to purchase paid-for support. -
Commercial Support
+
Commercial Support
There are six basic support oriented services that are most commonly sought by Samba sites:
Assistance with network design
Staff Training
Assistance with Samba network deployment and installation
Priority telephone or email Samba configuration assistance
Trouble-shooting and diagnostic assistance
Provision of quality assured ready-to-install Samba binary packages
- - + + Information regarding companies that provide professional Samba support can be obtained by performing a Google search, as well as by reference to the Samba Support web page. Companies who notify the Samba Team that they provide commercial support are given a free listing that is sorted by the country of origin. @@ -93,13 +93,13 @@ provider and to satisfy yourself that both the company and its staff are able to deliver what is required of them.
- + The policy within the Samba Team is to treat all commercial support providers equally and to show no preference. As a result, Samba Team members who provide commercial support are lumped in with everyone else. You are encouraged to obtain the services needed from a company in your local area. The open source movement is pro-community; so do what you can to help a local business to prosper.
- + Open source software support can be found in any quality, at any price and in any place you can to obtain it. Over 180 companies around the world provide Samba support, there is no excuse for suffering in the mistaken belief that Samba is unsupported software it is supported. diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20rc2/docs/htmldocs/Samba3-HOWTO/ch-ldap-tls.html samba-3.0.20/docs/htmldocs/Samba3-HOWTO/ch-ldap-tls.html --- samba-3.0.20rc2/docs/htmldocs/Samba3-HOWTO/ch-ldap-tls.html 2005-08-07 11:25:19.000000000 -0500 +++ samba-3.0.20/docs/htmldocs/Samba3-HOWTO/ch-ldap-tls.html 2005-08-19 13:03:50.000000000 -0500 @@ -1,40 +1,40 @@ Chapter 44. LDAP and Transport Layer Security
Chapter 44. LDAP and Transport Layer Security
Prev Part VI. Reference Section Next
Chapter 44. LDAP and Transport Layer Security
Table of Contents
Introduction
Configuring
Generating the Certificate Authority
Generating the Server Certificate
Installing the Certificates
Testing
Troubleshooting
Introduction
- - + + Up until now, we have discussed the straightforward configuration of OpenLDAP™, with some advanced features such as ACLs. This does not however, deal with the fact that the network transmissions are still in plain text. This is where Transport Layer Security (TLS) comes in.
- + OpenLDAP™ clients and servers are capable of using the Transport Layer Security (TLS) framework to provide integrity and confidentiality protections in accordance with RFC 2830; Lightweight Directory Access Protocol (v3): Extension for Transport Layer Security.
- + TLS uses X.509 certificates. All servers are required to have valid certificates, whereas client certificates are optional. We will only be discussing server certificates.
Tip
- - - + + + The DN of a server certificate must use the CN attribute to name the server, and the CN must carry the server's fully qualified domain name (FQDN). Additional alias names and wildcards may be present in the subjectAltName certificate extension. More details on server certificate names are in RFC2830.
We will discuss this more in the next sections.
Configuring
- + Now on to the good bit.
Generating the Certificate Authority
- + In order to create the relevant certificates, we need to become our own Certificate Authority (CA). - ^[8] This is necessary, so we can sign the server certificate. + ^[8] This is necessary, so we can sign the server certificate.
- - We will be using the OpenSSL ^[9] software for this, which is included with every great Linux® distribution. + + We will be using the OpenSSL ^[9] software for this, which is included with every great Linux® distribution.
- TLS is used for many types of servers, but the instructions^[10] presented here, are tailored for OpenLDAP. + TLS is used for many types of servers, but the instructions^[10] presented here, are tailored for OpenLDAP.
Note
The Common Name (CN), in the following example, MUST be the fully qualified domain name (FQDN) of your ldap server. @@ -51,7 +51,7 @@ root# cd myCA
- Now generate the CA:^[11] + Now generate the CA:^[11]
root# /usr/share/ssl/misc/CA.pl -newca @@ -209,7 +209,7 @@ That's all there is to it. Now on to the section called “Testing”
Testing
- + This is the easy part. Restart the server:
@@ -220,7 +220,7 @@
Then, using ldapsearch, test an anonymous search with the - -ZZ^[12] option: + -ZZ^[12] option:
root# ldapsearch -x -b "dc=ldap,dc=abmas,dc=biz" \ @@ -265,7 +265,7 @@
If you have any problems, please read the section called “Troubleshooting”
Troubleshooting
- + The most common error when configuring TLS, as I have already mentioned numerous times, is that the Common Name (CN) you entered in the section called “Generating the Server Certificate” is NOT the Fully Qualified Domain Name (FQDN) of your ldap server. @@ -275,13 +275,13 @@ files. They should be set with chmod 640, as per the section called “Installing the Certificates”.
For anything else, it's best to read through your ldap logfile or join the OpenLDAP mailing list. -
^[8]We could however, get our generated server certificate signed by proper CAs, like Thawte and VeriSign, which + ^[8]We could however, get our generated server certificate signed by proper CAs, like Thawte and VeriSign, which you pay for, or the free ones, via CAcert - ^[9]The downside to + ^[9]The downside to making our own CA, is that the certificate is not automatically recognized by clients, like the commercial - ones are. ^[10]For information straight from the + ones are. ^[10]For information straight from the horse's mouth, please visit http://www.openssl.org/docs/HOWTO/; the main OpenSSL - site. ^[11]Your CA.pl or CA.sh might not be + site. ^[11]Your CA.pl or CA.sh might not be in the same location as mine is, you can find it by using the locate command, i.e., locate CA.pl. If the command complains about the database being too old, run - updatedb as root to update it. ^[12]See man ldapsearch
Prev Up Next
Chapter 43. Samba Performance Tuning Home Chapter 45. Samba Support
+ updatedb as root to update it.
^[12]See man ldapsearch
Prev Up Next
Chapter 43. Samba Performance Tuning Home Chapter 45. Samba Support
diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20rc2/docs/htmldocs/Samba3-HOWTO/classicalprinting.html samba-3.0.20/docs/htmldocs/Samba3-HOWTO/classicalprinting.html --- samba-3.0.20rc2/docs/htmldocs/Samba3-HOWTO/classicalprinting.html 2005-08-07 11:25:00.000000000 -0500 +++ samba-3.0.20/docs/htmldocs/Samba3-HOWTO/classicalprinting.html 2005-08-19 13:03:35.000000000 -0500 @@ -1,22 +1,22 @@ -Chapter 20. Classical Printing SupportChapter 20. Classical Printing Support Prev Part III. Advanced Configuration Next Chapter 20. Classical Printing Support Kurt Pfeifle Danka Deutschland GmbH <kpfeifle@danka.de> Gerald (Jerry) Carter Samba Team <jerry@samba.org> John H. Terpstra Samba Team <jht@samba.org> May 31, 2003 Table of Contents Features and Benefits Technical Introduction Client to Samba Print Job Processing Printing-Related Configuration Parameters Simple Print Configuration Verifying Configuration with testparm Rapid Configuration Validation Extended Printing Configuration Detailed Explanation Settings Printing Developments Since Samba-2.2 Point'n'Print Client Drivers on Samba Servers The Obsoleted [printer$] Section Creating the [print$] Share [print$] Stanza Parameters The [print$] Share Directory Installing Drivers into [print$] Add Printer Wizard Driver Installation Installing Print Drivers Using rpcclient Client Driver Installation Procedure First Client Driver Installation Setting Device Modes on New Printers Additional Client Driver Installation Always Make First Client Connection as root or “printer admin” Other Gotchas Setting Default Print Options for Client Drivers Supporting Large Numbers of Printers Adding New Printers with the Windows NT APW Error Message: “Cannot connect under a different Name” Take Care When Assembling Driver Files Samba and Printer Ports Avoiding Common Client Driver Misconfiguration The Imprints Toolset What Is Imprints? Creating Printer Driver Packages The Imprints Server The Installation Client Adding Network Printers without User Interaction The addprinter Command Migration of Classical Printing to Samba Publishing Printer Information in Active Directory or LDAP Common Errors I Give My Root Password but I Do Not Get Access My Print Jobs Get Spooled into the Spooling Directory, but Then Get Lost Features and Benefits - +Chapter 20. Classical Printing Support Chapter 20. Classical Printing Support Prev Part III. Advanced Configuration Next Chapter 20. Classical Printing Support Kurt Pfeifle Danka Deutschland GmbH <kpfeifle@danka.de> Gerald (Jerry) Carter Samba Team <jerry@samba.org> John H. Terpstra Samba Team <jht@samba.org> May 31, 2003 Table of Contents Features and Benefits Technical Introduction Client to Samba Print Job Processing Printing-Related Configuration Parameters Simple Print Configuration Verifying Configuration with testparm Rapid Configuration Validation Extended Printing Configuration Detailed Explanation Settings Printing Developments Since Samba-2.2 Point'n'Print Client Drivers on Samba Servers The Obsoleted [printer$] Section Creating the [print$] Share [print$] Stanza Parameters The [print$] Share Directory Installing Drivers into [print$] Add Printer Wizard Driver Installation Installing Print Drivers Using rpcclient Client Driver Installation Procedure First Client Driver Installation Setting Device Modes on New Printers Additional Client Driver Installation Always Make First Client Connection as root or “printer admin” Other Gotchas Setting Default Print Options for Client Drivers Supporting Large Numbers of Printers Adding New Printers with the Windows NT APW Error Message: “Cannot connect under a different Name” Take Care When Assembling Driver Files Samba and Printer Ports Avoiding Common Client Driver Misconfiguration The Imprints Toolset What Is Imprints? Creating Printer Driver Packages The Imprints Server The Installation Client Adding Network Printers without User Interaction The addprinter Command Migration of Classical Printing to Samba Publishing Printer Information in Active Directory or LDAP Common Errors I Give My Root Password but I Do Not Get Access My Print Jobs Get Spooled into the Spooling Directory, but Then Get Lost Features and Benefits + Printing is often a mission-critical service for the users. Samba can provide this service reliably and seamlessly for a client network consisting of Windows workstations. - - - - - - - - - - - - - + + + + + + + + + + + + + A Samba print service may be run on a standalone or domain member server, side by side with file serving functions, or on a dedicated print server. It can be made as tightly or as loosely secured as needs dictate. Configurations may be simple or complex. Available authentication schemes are essentially the same as @@ -30,23 +30,23 @@ page and supplying the raw data for all sorts of statistical reports) is required, this function is best supported by the newer Common UNIX Printing System (CUPS) as the print subsystem underneath the Samba hood. - - + + This chapter outlines the fundamentals of Samba printing as implemented by the more traditional UNIX BSD- and System V-style printing systems. Much of the information in this chapter applies also to CUPS. If you use CUPS, you may be tempted to jump to the next chapter, but you will certainly miss a few things if you do. For further information refer to CUPS Printing Support. Note - - - + + + Most of the following examples have been verified on Windows XP Professional clients. Where this document describes the responses to commands given, bear in mind that Windows 200x/XP clients are quite similar but may differ in minor details. Windows NT4 is somewhat different again. - Technical Introduction - - - + Technical Introduction + + + Samba's printing support always relies on the installed print subsystem of the UNIX OS it runs on. Samba is a middleman. It takes print files from Windows (or other SMB) clients and passes them to the real printing system for further processing; therefore, it needs to communicate with both sides: the Windows print @@ -54,42 +54,42 @@ of which behave differently, as well as the various UNIX print subsystems, which themselves have different features and are accessed differently. - - + + This chapter deals with the traditional way of UNIX printing. The next chapter covers in great detail the more modern CUPS. Important - + CUPS users, be warned: do not just jump on to the next chapter. You might miss important information only found here! - - - - + + + + It is apparent from postings on the Samba mailing list that print configuration is one of the most problematic aspects of Samba administration today. Many new Samba administrators have the impression that Samba performs some sort of print processing. Rest assured, Samba does not perform any type of print processing. It does not do any form of print filtering. - - - - + + + + Samba obtains from its clients a data stream (print job) that it spools to a local spool area. When the entire print job has been received, Samba invokes a local UNIX/Linux print command and passes the spooled file to it. It is up to the local system printing subsystems to correctly process the print job and to submit it to the printer. - Client to Samba Print Job Processing + Client to Samba Print Job Processing Successful printing from a Windows client via a Samba print server to a UNIX printer involves six (potentially seven) stages: Windows opens a connection to the printer share. Samba must authenticate the user. Windows sends a copy of the print file over the network into Samba's spooling area. Windows closes the connection. Samba invokes the print command to hand the file over to the UNIX print subsystem's spooling area. The UNIX print subsystem processes the print job. The print file may need to be explicitly deleted from the Samba spooling area. This item depends on your print spooler - configuration settings. Printing-Related Configuration Parameters - - - + configuration settings. Printing-Related Configuration Parameters + + + There are a number of configuration parameters to control Samba's printing behavior. Please refer to the man page for smb.conf for an overview of these. As with other parameters, there are global-level (tagged with a G in the listings) and service-level (S) parameters. @@ -103,20 +103,20 @@ or service-level shares (provided they do not have a different setting defined for the same parameter, thus overriding the global default). - Simple Print Configuration - - - - +
Simple Print Configuration
+ + + + Simple Configuration with BSD Printing shows a simple printing configuration. If you compare this with your own, you may find additional parameters that have been preconfigured by your OS vendor. Following is a discussion and explanation of the parameters. This example does not use many parameters. However, in many environments these are enough to provide a valid smb.conf file that enables all clients to print. -
Example 20.1. Simple Configuration with BSD Printing [global] printing = bsd load printers = yes [printers] path = /var/spool/samba printable = yes public = yes writable = no
- - - +
Example 20.1. Simple Configuration with BSD Printing [global] printing = bsd load printers = yes [printers] path = /var/spool/samba printable = yes public = yes writable = no
+ + + This is only an example configuration. Samba assigns default values to all configuration parameters. The defaults are conservative and sensible. When a parameter is specified in the smb.conf file, this overwrites the default value. The testparm utility when run as root is capable of reporting all @@ -124,26 +124,26 @@ misconfigured settings. The complete output is easily 360 lines and more, so you may want to pipe it through a pager program.
- - - + + + The syntax for the configuration file is easy to grasp. You should know that is not very picky about its syntax. As has been explained elsewhere in this book, Samba tolerates some spelling errors (such as -browseable instead of browsable), and spelling is +browseable instead of browsable), and spelling is case-insensitive. It is permissible to use Yes/No or True/False for Boolean settings. Lists of names may be separated by commas, spaces, or tabs. -
Verifying Configuration with testparm
- - - - - - - - - - - +
Verifying Configuration with testparm
+ + + + + + + + + + + To see all (or at least most) printing-related settings in Samba, including the implicitly used ones, try the command outlined below. This command greps for all occurrences of lp, print, spool, driver, @@ -194,14 +194,14 @@ The testparm in Samba-3 behaves differently from that in 2.2.x: used without the “-v” switch, it only shows you the settings actually written into! To see the complete configuration used, add the “-v” parameter to testparm. -
Rapid Configuration Validation
- - - - +
Rapid Configuration Validation
+ + + + Should you need to troubleshoot at any stage, please always come back to this point first and verify if testparm shows the parameters you expect. To give you a warning from personal experience, -try to just comment out the load printers parameter. If your 2.2.x system behaves like +try to just comment out the load printers parameter. If your 2.2.x system behaves like mine, you'll see this:
root# grep "load printers" /etc/samba/smb.conf @@ -211,8 +211,8 @@ root# testparm -v /etc/samba/smb.conf | egrep "(load printers)" load printers = Yes
- - + + I assumed that commenting out of this setting should prevent Samba from publishing my printers, but it still did. It took some time to figure out the reason. But I am no longer fooled ... at least not by this. @@ -226,8 +226,8 @@ root# testparm -s -v smb.conf.simpleprinting | egrep "(load printers)" load printers = No
- -Only when the parameter is explicitly set to load printers = No would + +Only when the parameter is explicitly set to load printers = No would Samba conform with my intentions. So, my strong advice is:
Never rely on commented-out parameters.
Always set parameters explicitly as you intend them to behave.
Use testparm to uncover hidden @@ -237,8 +237,8 @@ root# cat /etc/samba/smb.conf-minimal [printers]
- - + + This example should show that you can use testparm to test any Samba configuration file. Actually, we encourage you not to change your working system (unless you know exactly what you are doing). Don't rely on the assumption that changes will only take effect after you restart smbd! @@ -276,10 +276,10 @@
testparm issued two warnings:
We did not specify the [printers] section as printable.
We did not tell Samba which spool directory to use.
- - - - + + + + However, this was not fatal, and Samba will default to values that will work. Please, do not rely on this and do not use this example. This was included to encourage you to be careful to design and specify your setup to do precisely what you require. The outcome on your system may vary for some parameters given, since Samba may @@ -288,15 +288,15 @@ put the comment sign at the front). At first I regarded this as a bug in my Samba versions. But the man page clearly says: Internal whitespace in a parameter value is retained verbatim. This means that a line consisting of, for example, -
# This defines LPRng as the printing system
printing = lprng
+
# This defines LPRng as the printing system
printing = lprng
will regard the whole of the string after the = sign as the value you want to define. This is an invalid value that will be ignored, and a default value will be used in its place. -
Extended Printing Configuration
- - - - +
Extended Printing Configuration
+ + + + Extended BSD Printing Configuration shows a more verbose configuration for print-related settings in a BSD-style printing environment. What follows is a discussion and explanation of the various parameters. We chose to use BSD-style printing here because it is still the most commonly used @@ -304,68 +304,68 @@ separate chapter. The example explicitly names many parameters that do not need to be specified because they are set by default. You could use a much leaner smb.conf file, or you can use testparm or SWAT to optimize the smb.conf file to remove all parameters that are set at default. -
Example 20.2. Extended BSD Printing Configuration [global] printing = bsd load printers = yes show add printer wizard = yes printcap name = /etc/printcap printer admin = @ntadmin, root max print jobs = 100 lpq cache time = 20 use client driver = no [printers] comment = All Printers printable = yes path = /var/spool/samba browseable = no guest ok = yes public = yes read only = yes writable = no [my_printer_name] comment = Printer with Restricted Access path = /var/spool/samba_my_printer printer admin = kurt browseable = yes printable = yes writable = no hosts allow = 0.0.0.0 hosts deny = turbo_xp, 10.160.50.23, 10.160.51.60 guest ok = no
- - - +
Example 20.2. Extended BSD Printing Configuration [global] printing = bsd load printers = yes show add printer wizard = yes printcap name = /etc/printcap printer admin = @ntadmin, root max print jobs = 100 lpq cache time = 20 use client driver = no [printers] comment = All Printers printable = yes path = /var/spool/samba browseable = no guest ok = yes public = yes read only = yes writable = no [my_printer_name] comment = Printer with Restricted Access path = /var/spool/samba_my_printer printer admin = kurt browseable = yes printable = yes writable = no hosts allow = 0.0.0.0 hosts deny = turbo_xp, 10.160.50.23, 10.160.51.60 guest ok = no
+ + + This is an example configuration. You may not find all the settings that are in the configuration file that was provided by the OS vendor. Samba configuration parameters, if not explicitly set, default to a sensible value. To see all settings, as root use the testparm utility. testparm gives warnings for misconfigured settings. -
Detailed Explanation Settings
+
Detailed Explanation Settings
The following is a discussion of the settings from Extended BSD Printing Configuration Extended BSD Printing Configuration. -
The [global] Section
- - - - +
The [global] Section
+ + + + The [global] section is one of four special sections (along with [homes], [printers], and [print$]). The [global] contains all parameters that apply to the server as a whole. It is the place for parameters that have only a global meaning. It may also contain service-level parameters that define default settings for all other sections and shares. This way you can simplify the configuration and avoid setting the same value repeatedly. (Within each individual section or share, you may, however, override these globally set share settings and specify other values). -
printing = bsd
- - - - - - - - - - - - +
printing = bsd
+ + + + + + + + + + + + Causes Samba to use default print commands applicable for the BSD (also known as RFC 1179 style or LPR/LPD) printing system. In general, the printing parameter informs Samba about the print subsystem it should expect. Samba supports CUPS, LPD, LPRNG, SYSV, HPUX, AIX, QNX, and PLP. Each of these - systems defaults to a different print command (and other queue control commands). + systems defaults to a different print command (and other queue control commands).
Caution
- - - The printing parameter is normally a service-level parameter. Since it is included + + + The printing parameter is normally a service-level parameter. Since it is included here in the [global] section, it will take effect for all printer shares that are not defined differently. Samba-3 no longer supports the SOFTQ printing system. -
load printers = yes
- - - - +
load printers = yes
+ + + + Tells Samba to create automatically all available printer shares. Available printer shares are discovered by scanning the printcap file. All created printer shares are also loaded for browsing. If you use this parameter, you do not need to specify separate shares for each printer. Each automatically created printer share will clone the configuration options found in the [printers] section. (The load printers = no setting will allow you to specify each UNIX printer you want to share separately, leaving out some you do not want to be publicly visible and available). -
show add printer wizard = yes
- - - - - +
show add printer wizard = yes
+ + + + + Setting is normally enabled by default (even if the parameter is not specified in smb.conf). It causes the Add Printer Wizard icon to appear in the Printers folder of the Samba host's share listing (as shown in Network Neighborhood or by the net @@ -373,78 +373,78 @@ it out will not suffice). The Add Printer Wizard lets you upload a printer driver to the [print$] share and associate it with a printer (if the respective queue exists before the action), or exchange a printer's driver for any other previously uploaded driver. -
max print jobs = 100
- +
max print jobs = 100
+ Sets the upper limit to 100 print jobs being active on the Samba server at any one time. Should a client submit a job that exceeds this number, a "no more space available on server" type of error message will be returned by Samba to the client. A setting of zero (the default) means there is no limit at all. -
printcap name = /etc/printcap
- - - +
printcap name = /etc/printcap
+ + + Tells Samba where to look for a list of available printer names. Where CUPS is used, make sure that a printcap file is written. This is controlled by the Printcap directive in the cupsd.conf file. -
printer admin = @ntadmin
- - - - +
printer admin = @ntadmin
+ + + + Members of the ntadmin group should be able to add drivers and set printer properties (ntadmin is only an example name; it needs to be a valid UNIX group name); root is - implicitly always a printer admin. The @ sign precedes group names + implicitly always a printer admin. The @ sign precedes group names in the /etc/group. A printer admin can do anything to printers via the remote administration interfaces offered by MS-RPC (see Printing Developments Since - Samba-2.2). In larger installations, the printer admin parameter is normally a + Samba-2.2). In larger installations, the printer admin parameter is normally a per-share parameter. This permits different groups to administer each printer share. -
lpq cache time = 20
- - +
lpq cache time = 20
+ + Controls the cache time for the results of the lpq command. It prevents the lpq command being called too often and reduces the load on a heavily used print server. -
use client driver = no
- +
use client driver = no
+ If set to yes, only takes effect for Windows NT/200x/XP clients (and not for Win 95/98/ME). Its default value is No (or False). It must not be enabled on print shares (with a yes or true setting) that have valid drivers installed on the Samba server. For more detailed explanations, see the smb.conf man page.
The [printers] Section
- - + + The printers section is the second special section. If a section with this name appears in the smb.conf, users are able to connect to any printer specified in the Samba host's printcap file, because Samba on startup then creates a printer share for every printer name it finds in the printcap file. You could regard this section as a convenient shortcut to share all printers with minimal configuration. It is also a container for settings that should apply as default to all printers. (For more details, see the smb.conf man page.) Settings inside this container must be share-level parameters. -
comment = All printers
- The comment is shown next to the share if +
comment = All printers
+ The comment is shown next to the share if a client queries the server, either via Network Neighborhood or with the net view command, to list available shares. -
printable = yes
+
printable = yes
The [printers] service must be declared as printable. If you specify otherwise, smbd will refuse to load at startup. This parameter allows connected clients to open, write to, and submit spool files - into the directory specified with the path + into the directory specified with the path parameter for this service. It is used by Samba to differentiate printer shares from file shares. -
path = /var/spool/samba
+
path = /var/spool/samba
Must point to a directory used by Samba to spool incoming print files. It must not be the same as the spool directory specified in the configuration of your UNIX print subsystem! The path typically points to a directory that is world writable, with the sticky bit set to it. -
browseable = no
+
browseable = no
Is always set to no if - printable = yes. It makes + printable = yes. It makes the [printer] share itself invisible in the list of available shares in a net view command or in the Explorer browse list. (You will of course see the individual printers.) -
guest ok = yes
+
guest ok = yes
If this parameter is set to yes, no password is required to connect to the printer's service. Access will be granted with the privileges of the - guest account. On many systems the guest + guest account. On many systems the guest account will map to a user named "nobody." This user will usually be found in the UNIX passwd file with an empty password, but with no valid UNIX login. On some systems the guest account might not have the privilege to be able to print. Test this @@ -452,65 +452,65 @@ print command like:
lpr -P printername /etc/motd -
public = yes
- Is a synonym for guest ok = yes. - Since we have guest ok = yes, it +
public = yes
+ Is a synonym for guest ok = yes. + Since we have guest ok = yes, it really does not need to be here. (This leads to the interesting question, “What if I by accident have two contradictory settings for the same share?” The answer is that the last one encountered by Samba wins. testparm does not complain about different settings of the same parameter for the same share. You can test this by setting up multiple lines for the guest account parameter with different usernames, and then run testparm to see which one is actually used by Samba.) -
read only = yes
+
read only = yes
Normally (for other types of shares) prevents users from creating or modifying files in the service's directory. However, in a printable service, it is always allowed to write to the directory (if user privileges allow the connection), but only via print spooling operations. Normal write operations are not permitted. -
writable = no
- Is a synonym for read only = yes. -
Any [my_printer_name] Section
- - +
writable = no
+ Is a synonym for read only = yes. +
Any [my_printer_name] Section
+ + If a [my_printer_name] section appears in the smb.conf file, which includes the -parameter printable = yes Samba will configure it as a printer share. +parameter printable = yes Samba will configure it as a printer share. Windows 9x/Me clients may have problems with connecting or loading printer drivers if the share name has more than eight characters. Do not name a printer share with a name that may conflict with an existing user or file share name. On client connection requests, Samba always tries to find file shares with that name first. If it finds one, it will connect to this and will not connect to a printer with the same name! -
comment = Printer with Restricted Access
+
comment = Printer with Restricted Access
The comment says it all. -
path = /var/spool/samba_my_printer
+
path = /var/spool/samba_my_printer
Sets the spooling area for this printer to a directory other than the default. It is not necessary to set it differently, but the option is available. -
printer admin = kurt
+
printer admin = kurt
The printer admin definition is different for this explicitly defined printer share from the general [printers] share. It is not a requirement; we did it to show that it is possible. -
browseable = yes
+
browseable = yes
This makes the printer browseable so the clients may conveniently find it when browsing the Network Neighborhood. -
printable = yes
+
printable = yes
See Section 20.4.1.2. -
writable = no
+
writable = no
See Section 20.4.1.2. -
hosts allow = 10.160.50.,10.160.51.
- Here we exercise a certain degree of access control by using the hosts allow - and hosts deny parameters. This is not by any means a safe bet. It is not a +
hosts allow = 10.160.50.,10.160.51.
+ Here we exercise a certain degree of access control by using the hosts allow + and hosts deny parameters. This is not by any means a safe bet. It is not a way to secure your printers. This line accepts all clients from a certain subnet in a first evaluation of access control. -
hosts deny = turbo_xp,10.160.50.23,10.160.51.60
+
hosts deny = turbo_xp,10.160.50.23,10.160.51.60
All listed hosts are not allowed here (even if they belong to the allowed subnets). As you can see, you could name IP addresses as well as NetBIOS hostnames here. -
guest ok = no
+
guest ok = no
This printer is not open for the guest account. -
Print Commands
- - - - +
Print Commands
+ + + + In each section defining a printer (or in the [printers] section), a print command parameter may be defined. It sets a command to process the files that have been placed into the Samba print spool directory for that printer. (That spool directory was, -if you remember, set up with the path parameter). Typically, +if you remember, set up with the path parameter). Typically, this command will submit the spool file to the Samba host's print subsystem, using the suitable system print command. But there is no requirement that this needs to be the case. For debugging or some other reason, you may want to do something completely different than print the file. An example is a @@ -518,39 +518,39 @@ to debug printing. If you craft your own print commands (or even develop print command shell scripts), make sure you pay attention to the need to remove the files from the Samba spool directory. Otherwise, your hard disk may soon suffer from shortage of free space. -
Default UNIX System Printing Commands
- +
Default UNIX System Printing Commands
+ You learned earlier that Samba, in most cases, uses its built-in settings for many parameters if it cannot -find an explicitly stated one in its configuration file. The same is true for the print command. The default print command varies depending on the printing parameter +find an explicitly stated one in its configuration file. The same is true for the print command. The default print command varies depending on the printing parameter setting. In the commands listed in Default Printing Settings , you will notice some parameters of the form %X where X is p, s, J, and so on. These letters stand for printer name, spool file, and job ID, respectively. They are explained in more detail in Default Printing Settings presents an overview of key printing options but excludes the special case of CUPS, is discussed in CUPS Printing Support. -
Table 20.1. Default Printing Settings Setting Default Printing Commands printing = bsd|aix|lprng|plp print command is lpr -r -P%p %s printing = sysv|hpux print command is lp -c -P%p %s; rm %s printing = qnx print command is lp -r -P%p -s %s printing = bsd|aix|lprng|plp lpq command is lpq -P%p printing = sysv|hpux lpq command is lpstat -o%p printing = qnx lpq command is lpq -P%p printing = bsd|aix|lprng|plp lprm command is lprm -P%p %j printing = sysv|hpux lprm command is cancel %p-%j printing = qnx lprm command is cancel %p-%j printing = bsd|aix|lprng|plp lppause command is lp -i %p-%j -H hold printing = sysv|hpux lppause command (...is empty) printing = qnx lppause command (...is empty) printing = bsd|aix|lprng|plp lpresume command is lp -i %p-%j -H resume printing = sysv|hpux lpresume command (...is empty) printing = qnx lpresume command (...is empty)
- - - - +
Table 20.1. Default Printing Settings Setting Default Printing Commands printing = bsd|aix|lprng|plp print command is lpr -r -P%p %s printing = sysv|hpux print command is lp -c -P%p %s; rm %s printing = qnx print command is lp -r -P%p -s %s printing = bsd|aix|lprng|plp lpq command is lpq -P%p printing = sysv|hpux lpq command is lpstat -o%p printing = qnx lpq command is lpq -P%p printing = bsd|aix|lprng|plp lprm command is lprm -P%p %j printing = sysv|hpux lprm command is cancel %p-%j printing = qnx lprm command is cancel %p-%j printing = bsd|aix|lprng|plp lppause command is lp -i %p-%j -H hold printing = sysv|hpux lppause command (...is empty) printing = qnx lppause command (...is empty) printing = bsd|aix|lprng|plp lpresume command is lp -i %p-%j -H resume printing = sysv|hpux lpresume command (...is empty) printing = qnx lpresume command (...is empty)
+ + + + For printing = CUPS, if Samba is compiled against libcups, it uses the CUPS API to -submit jobs. (It is a good idea also to set printcap = cups in case your +submit jobs. (It is a good idea also to set printcap = cups in case your cupsd.conf is set to write its autogenerated printcap file to an unusual place). Otherwise, Samba maps to the System V printing commands with the -oraw option for printing; that is, it uses lp -c -d%p -oraw; rm %s. With printing = cups, and if Samba is compiled against libcups, any manually set print command will be ignored! -
Custom Print Commands
- - -After a print job has finished spooling to a service, the print command will be used +
Custom Print Commands
+ + +After a print job has finished spooling to a service, the print command will be used by Samba via a system() call to process the spool file. Usually the command specified will submit the spool file to the host's printing subsystem. But there is no requirement at all that this must be the case. The print subsystem may not remove the spool file on its own, so whatever command you specify, you should ensure that the spool file is deleted after it has been processed.
- - - - + + + + There is no difficulty with using your own customized print commands with the traditional printing systems. However, if you do not wish to roll your own, you should be well informed about the default built-in commands that Samba uses for each printing subsystem (see Default Printing @@ -560,44 +560,44 @@ appropriate value automatically. Print commands can handle all Samba macro substitutions. In regard to printing, the following ones do have special relevance:
%s, %f the path to the spool file name.
%p the appropriate printer name.
%J the job name as transmitted by the client.
%c the number of printed pages of the spooled job (if known).
%z the size of the spooled print job (in bytes).
- + The print command must contain at least one occurrence of %s or %f. The %p is optional. If no printer name is supplied, the %p will be silently removed from the print command. In this case, the job is sent to the default printer.
- - + + If specified in the [global] section, the print command given will be used for any printable service that does not have its own print command specified. If there is neither a specified print command for a printable service nor a global print command, spool files will be created but not processed! Most importantly, print files will not be removed, so they will consume disk space.
- - + + Printing may fail on some UNIX systems when using the nobody account. If this happens, create an alternative guest account and give it the privilege to print. Set up this guest account in the [global] section with the guest account parameter.
- - - + + + You can form quite complex print commands. You need to realize that print commands are just passed to a UNIX shell. The shell is able to expand the included environment variables as usual. (The syntax to include a UNIX environment variable $variable in the Samba print command is %$variable.) To give you a working -print command example, the following will log a print job +print command example, the following will log a print job to /tmp/print.log, print the file, then remove it. The semicolon (“;” is the usual separator for commands in shell scripts: -
print command = echo Printing %s >> /tmp/print.log; lpr -P %p %s; rm %s
+
print command = echo Printing %s >> /tmp/print.log; lpr -P %p %s; rm %s
You may have to vary your own command considerably from this example depending on how you normally print -files on your system. The default for the print command -parameter varies depending on the setting of the printing +files on your system. The default for the print command +parameter varies depending on the setting of the printing parameter. Another example is: -
print command = /usr/local/samba/bin/myprintscript %p %s
Printing Developments Since Samba-2.2
- - - +
print command = /usr/local/samba/bin/myprintscript %p %s
Printing Developments Since Samba-2.2
+ + + Prior to Samba-2.2.x, print server support for Windows clients was limited to LanMan printing calls. This is the same protocol level as Windows 9x/Me PCs offer when they share printers. Beginning with the 2.2.0 release, Samba started to support the native Windows NT printing mechanisms. These @@ -606,67 +606,67 @@
The additional functionality provided by the new SPOOLSS support includes:
- + Support for downloading printer driver files to Windows 95/98/NT/2000 clients upon demand (Point'n'Print).
- + Uploading of printer drivers via the Windows NT Add Printer Wizard (APW) or the Imprints tool set.
- - - - - + + + + + Support for the native MS-RPC printing calls such as StartDocPrinter, EnumJobs(), and so on. (See the MSDN documentation for more information on the Win32 printing API).
- - + + Support for NT Access Control Lists (ACL) on printer objects.
- + Improved support for printer queue manipulation through the use of internal databases for spooled job information (implemented by various *.tdb files).
- - + + A benefit of updating is that Samba-3 is able to publish its printers to Active Directory (or LDAP).
- + A fundamental difference exists between MS Windows NT print servers and Samba operation. Windows NT permits the installation of local printers that are not shared. This is an artifact of the fact that any Windows NT machine (server or client) may be used by a user as a workstation. Samba will publish all printers that are made available, either by default or by specific declaration via printer-specific shares.
- - - - - + + + + + Windows NT/200x/XP Professional clients do not have to use the standard SMB printer share; they can print directly to any printer on another Windows NT host using MS-RPC. This, of course, assumes that the client has the necessary privileges on the remote host that serves the printer resource. The default permissions assigned by Windows NT to a printer gives the print permissions to the well-known Everyone group. (The older clients of type Windows 9x/Me can only print to shared printers.) -
Point'n'Print Client Drivers on Samba Servers
- +
Point'n'Print Client Drivers on Samba Servers
+ There is much confusion about what all this means. The question is often asked, “Is it or is it not necessary for printer drivers to be installed on a Samba host in order to support printing from Windows clients?” The answer to this is no, it is not necessary.
- - + + Windows NT/2000 clients can, of course, also run their APW to install drivers locally (which then connect to a Samba-served print queue). This is the same method used by Windows 9x/Me clients. (However, a bug existed in Samba 2.2.0 that made Windows NT/2000 clients require that the Samba server possess a valid driver for the printer. This was fixed in Samba 2.2.1).
- - + + But it is a new capability to install the printer drivers into the [print$] share of the Samba server, and a big convenience, too. Then all clients (including 95/98/ME) get the driver installed when they first connect to this printer share. The @@ -682,16 +682,16 @@
Using cupsaddsmb (only works for the CUPS printing system, not for LPR/LPD, LPRng, and so on).
- - + + Samba does not use these uploaded drivers in any way to process spooled files. These drivers are utilized entirely by the clients who download and install them via the “Point'n'Print” mechanism supported by Samba. The clients use these drivers to generate print files in the format the printer (or the UNIX print system) requires. Print files received by Samba are handed over to the UNIX printing system, which is responsible for all further processing, as needed. -
The Obsoleted [printer$] Section
- - +
The Obsoleted [printer$] Section
+ + Versions of Samba prior to 2.2 made it possible to use a share named [printer$]. This name was taken from the same named service created by Windows 9x/Me clients when a printer was shared by them. Windows 9x/Me printer servers always have a [printer$] service that provides @@ -701,9 +701,9 @@ parameter named printer driver provided a means of defining the printer driver name to be sent to the client.
- - - + + + These parameters, including the printer driver file parameter, are now removed and cannot be used in installations of Samba-3. The share name [print$] is now used for the location of downloadable printer @@ -713,8 +713,8 @@ of its ACLs) to support printer driver downloads and uploads. This does not mean Windows 9x/Me clients are now thrown aside. They can use Samba's [print$] share support just fine. -
Creating the [print$] Share
- +
Creating the [print$] Share
+ In order to support the uploading and downloading of printer driver files, you must first configure a file share named [print$]. The public name of this share is hard coded in the MS Windows clients. It cannot be renamed, since Windows clients are programmed to search for a @@ -722,27 +722,27 @@
You should modify the server's file to add the global parameters and create the [print$] file share (of course, some of the parameter values, such -as path, are arbitrary and should be replaced with appropriate values for your +as path, are arbitrary and should be replaced with appropriate values for your site). See [print\$] Example. -
Example 20.3. [print$] Example [global] # members of the ntadmin group should be able to add drivers and set # printer properties. root is implicitly always a 'printer admin'. printer admin = @ntadmin # ... [printers] # ... [print$] comment = Printer Driver Download Area path = /etc/samba/drivers browseable = yes guest ok = yes read only = yes write list = @ntadmin, root
+
Example 20.3. [print$] Example [global] # members of the ntadmin group should be able to add drivers and set # printer properties. root is implicitly always a 'printer admin'. printer admin = @ntadmin # ... [printers] # ... [print$] comment = Printer Driver Download Area path = /etc/samba/drivers browseable = yes guest ok = yes read only = yes write list = @ntadmin, root
Of course, you also need to ensure that the directory named by the -path parameter exists on the UNIX file system. -
[print$] Stanza Parameters
- - - - - +path parameter exists on the UNIX file system. +
[print$] Stanza Parameters
+ + + + + The [print$] is a special section in smb.conf. It contains settings relevant to potential printer driver download and is used by Windows clients for local print driver installation. The following parameters are frequently needed in this share section: -
comment = Printer Driver Download Area
+
comment = Printer Driver Download Area
The comment appears next to the share name if it is listed in a share list (usually Windows clients will not see it, but it will also appear up in a smbclient -L sambaserver output). -
path = /etc/samba/printers
+
path = /etc/samba/printers
The path to the location of the Windows driver file deposit from the UNIX point of view. -
browseable = no
+
browseable = no
Makes the [print$] share invisible to clients from the Network Neighborhood. By excuting from a cmd shell:
@@ -750,7 +750,7 @@
you can still mount it from any client. This can also be done from the Connect network drive menu> from Windows Explorer. -
guest ok = yes
+
guest ok = yes
Gives read-only access to this share for all guest users. Access may be granted to download and install printer drivers on clients. The requirement for guest ok = yes depends on how your site is configured. If users will be guaranteed @@ -761,13 +761,13 @@ validated by the domain controller in order to log on to the Windows NT session), then guest access is not necessary. Of course, in a workgroup environment where you just want to print without worrying about silly accounts and security, then configure the share for - guest access. You should consider adding map to guest = Bad User + guest access. You should consider adding map to guest = Bad User in the [global] section as well. Make sure you understand what this parameter does before using it. -
read only = yes
+
read only = yes
Because we do not want everybody to upload driver files (or even change driver settings), we tagged this share as not writable. -
write list = @ntadmin, root
+
write list = @ntadmin, root
The [print$] was made read-only by the previous setting so we should create a write list entry also. UNIX groups are denoted with a leading “@” character. Users listed here are allowed @@ -775,12 +775,12 @@ update files on the share. Normally, you will want to name only administrative-level user account in this setting. Check the file system permissions to make sure these accounts can copy files to the share. If this is a non-root account, then the account should also - be mentioned in the global printer admin + be mentioned in the global printer admin parameter. See the smb.conf man page for more information on configuring file shares. -
The [print$] Share Directory
+
The [print$] Share Directory
In order for a Windows NT print server to support the downloading of driver files by multiple client architectures, you must create several subdirectories within the [print$] -service (i.e., the UNIX directory named by the path +service (i.e., the UNIX directory named by the path parameter). These correspond to each of the supported client architectures. Samba follows this model as well. Just like the name of the [print$] share itself, the subdirectories must be exactly the names listed below (you may leave out the subdirectories of architectures you do @@ -812,7 +812,7 @@ Neighborhood or My Network Places and browse for the Samba host. Once you have located the server, navigate to its Printers and Faxes folder. You should see an initial listing of printers that matches the printer shares defined on your Samba host. -
Installing Drivers into [print$]
+
Installing Drivers into [print$]
Have you successfully created the [print$] share in smb.conf, and have you forced Samba to reread its smb.conf file? Good. But you are not yet ready to use the new facility. The client driver files need to be installed into this share. So far, it is still an empty share. Unfortunately, it is @@ -828,7 +828,7 @@ from any Windows NT/200x/XP client workstation.
The latter option is probably the easier one (even if the process may seem a little bit weird at first). -
Add Printer Wizard Driver Installation
+
Add Printer Wizard Driver Installation
The printers initially listed in the Samba host's Printers folder accessed from a client's Explorer will have no real printer driver assigned to them. By default this driver name is set to a null string. This must be changed now. The local Add Printer Wizard (APW), run from @@ -854,13 +854,13 @@
Once the APW is started, the procedure is exactly the same as the one you are familiar with in Windows (we assume here that you are familiar with the printer driver installations procedure on Windows NT). Make sure -your connection is, in fact, set up as a user with printer admin +your connection is, in fact, set up as a user with printer admin privileges (if in doubt, use smbstatus to check for this). If you wish to install printer drivers for client operating systems other than Windows NT x86, you will need to use the Sharing tab of the printer properties dialog.
Assuming you have connected with an administrative (or root) account (as named by the -printer admin parameter), you will also be able to modify +printer admin parameter), you will also be able to modify other printer properties such as ACLs and default device settings using this dialog. For the default device settings, please consider the advice given further in Installing Print Drivers Using rpcclient. @@ -879,10 +879,10 @@ Run rpcclient a second time with the setdriver subcommand.
We provide detailed hints for each of these steps in the paragraphs that follow. -
Identifying Driver Files
- - - +
Identifying Driver Files
+ + + To find out about the driver files, you have two options. You can check the contents of the driver CDROM that came with your printer. Study the *.inf files located on the CD-ROM. This may not be possible, since the *.inf file might be missing. Unfortunately, vendors have now started @@ -890,14 +890,14 @@ archive format. Additionally, the files may be re-named during the installation process. This makes it extremely difficult to identify the driver files required.
- + Then you have the second option. Install the driver locally on a Windows client and investigate which filenames and paths it uses after they are installed. (You need to repeat this procedure for every client platform you want to support. We show it here for the W32X86 platform only, a name used by Microsoft for all Windows NT/200x/XP clients.)
- + A good method to recognize the driver files is to print the test page from the driver's Properties dialog (General tab). Then look at the list of driver files named on the printout. You'll need to recognize what Windows (and Samba) are calling the @@ -905,9 +905,9 @@ Help File, and (optionally) Dependent Driver Files (this may vary slightly for Windows NT). You need to note all filenames for the next steps.
- - - + + + Another method to quickly test the driver filenames and related paths is provided by the rpcclient utility. Run it with enumdrivers or with the getdriver subcommand, each at the 3 info level. In the following example, @@ -948,10 +948,10 @@ Monitorname: [] Defaultdatatype: []
- - - - + + + + You may notice that this driver has quite a large number of Dependent files (there are worse cases, however). Also, strangely, the Driver File is tagged here @@ -961,9 +961,9 @@ addition to those for W32X86 (i.e., the Windows NT 2000/XP clients) onto a Windows PC. This PC can also host the Windows 9x/Me drivers, even if it runs on Windows NT, 2000, or XP.
- - - + + + Since the [print$] share is usually accessible through the Network Neighborhood, you can also use the UNC notation from Windows Explorer to poke at it. The Windows 9x/Me driver files will end up in subdirectory 0 of the WIN40 @@ -974,7 +974,7 @@ mode. Windows 2000 changed this. While it still can use the kernel mode drivers (if this is enabled by the Admin), its native mode for printer drivers is user mode execution. This requires drivers designed for this purpose. These types of drivers install into the “3” subdirectory. -
Obtaining Driver Files from Windows Client [print$] Shares
+
Obtaining Driver Files from Windows Client [print$] Shares
Now we need to collect all the driver files we identified in our previous step. Where do we get them from? Well, why not retrieve them from the very PC and the same [print$] share that we investigated in our last step to identify the files? We can use smbclient @@ -999,12 +999,12 @@ This ensures that all commands are executed in sequence on the remote Windows server before smbclient exits again.
- + Remember to repeat the procedure for the WIN40 architecture should you need to support Windows 9x/Me/XP clients. Remember too, the files for these architectures are in the WIN40/0/ subdirectory. Once this is complete, we can run smbclient. . .put to store the collected files on the Samba server's [print$] share. -
Installing Driver Files into [print$]
+
Installing Driver Files into [print$]
We are now going to locate the driver files into the [print$] share. Remember, the UNIX path to this share has been defined previously in your smb.conf file. You also have created subdirectories for the different Windows client types you want to support. If, for example, your @@ -1017,8 +1017,8 @@ For all Windows 95, 98, and Me clients, /etc/samba/drivers/WIN40/ but not (yet) into the 0 subdirectory.
- - + + We again use smbclient to transfer the driver files across the network. We specify the same files and paths as were leaked to us by running getdriver against the original Windows install. However, now we are going to store the files into a @@ -1055,18 +1055,18 @@ putting file HDNIS01Aux.dll as \W32X86\HDNIS01Aux.dll putting file HDNIS01_de.NTF as \W32X86\HDNIS01_de.NTF
- - - + + + Whew that was a lot of typing! Most drivers are a lot smaller many have only three generic PostScript driver files plus one PPD. While we did retrieve the files from the 2 subdirectory of the W32X86 directory from the Windows box, we do not put them (for now) in this same subdirectory of the Samba box. This relocation will automatically be done by the adddriver command, which we will run shortly (and do not forget to also put the files for the Windows 9x/Me architecture into the WIN40/ subdirectory should you need them). -
smbclient to Confirm Driver Installation
- - +
smbclient to Confirm Driver Installation
+ + For now we verify that our files are there. This can be done with smbclient, too (but, of course, you can log in via SSH also and do this through a standard UNIX shell access):
@@ -1107,9 +1107,9 @@ PDFcreator2.PPD A 15746 Sun Apr 20 22:24:07 2003 40976 blocks of size 262144. 709 blocks available
- - - + + + Notice that there are already driver files present in the 2 subdirectory (probably from a previous installation). Once the files for the new driver are there too, you are still a few steps away from being able to use them on the clients. The only thing you could do now is retrieve them from a client just @@ -1117,10 +1117,10 @@ install them per Point'n'Print. The reason is that Samba does not yet know that these files are something special, namely printer driver files, and it does not know to which print queue(s) these driver files belong. -
Running rpcclient with adddriver
- - - +
Running rpcclient with adddriver
+ + + Next, you must tell Samba about the special category of the files you just uploaded into the [print$] share. This is done by the adddriver command. It will prompt Samba to register the driver files into its internal TDB database files. The @@ -1144,16 +1144,16 @@ Printer Driver dm9110 successfully installed.
- - - + + + After this step, the driver should be recognized by Samba on the print server. You need to be very careful when typing the command. Don't exchange the order of the fields. Some changes would lead to an NT_STATUS_UNSUCCESSFUL error message. These become obvious. Other changes might install the driver files successfully but render the driver unworkable. So take care! Hints about the syntax of the adddriver command are in the man page. provides a more detailed description, should you need it. -
Checking adddriver Completion
+
Checking adddriver Completion
One indication for Samba's recognition of the files as driver files is the successfully installed message. Another one is the fact that our files have been moved by the adddriver command into the 2 subdirectory. You can check this @@ -1198,17 +1198,17 @@
Another verification is that the timestamp of the printing TDB files is now updated (and possibly their file size has increased). -
Check Samba for Driver Recognition
- +
Check Samba for Driver Recognition
+ Now the driver should be registered with Samba. We can easily verify this and will do so in a moment. However, this driver is not yet associated with a particular printer. We may check the driver status of the files by at least three methods:
- - - - - + + + + + From any Windows client browse Network Neighborhood, find the Samba host, and open the Samba Printers and Faxes folder. Select any printer icon, right-click and select the printer Properties. Click the Advanced @@ -1218,7 +1218,7 @@ see only its own architecture's list. If you do not have every driver installed for each platform, the list will differ if you look at it from Windows95/98/ME or Windows NT/2000/XP.)
- + From a Windows 200x/XP client (not Windows NT) browse Network Neighborhood, search for the Samba server, open the server's Printers folder, and right-click on the white background (with no printer highlighted). Select Server @@ -1247,8 +1247,8 @@ for Windows NT 4.0 or 2000. To have it present for Windows 95, 98, and Me, you'll have to repeat the whole procedure with the WIN40 architecture and subdirectory. -
Specific Driver Name Flexibility
- +
Specific Driver Name Flexibility
+ You can name the driver as you like. If you repeat the adddriver step with the same files as before but with a different driver name, it will work the same:
@@ -1271,18 +1271,18 @@ Printer Driver mydrivername successfully installed.
- - - + + + You will be able to bind that driver to any print queue (however, you are responsible that you associate drivers to queues that make sense with respect to target printers). You cannot run the rpcclient adddriver command repeatedly. Each run consumes the files you had put into the [print$] share by moving them into the respective subdirectories, so you must execute an smbclient ... put command before each rpcclient ... adddriver command. -
Running rpcclient with setdriver
- - +
Running rpcclient with setdriver
+ + Samba needs to know which printer owns which driver. Create a mapping of the driver to a printer, and store this information in Samba's memory, the TDB files. The rpcclient setdriver command achieves exactly this: @@ -1309,18 +1309,18 @@ bug in 2.2.x prevented Samba from recognizing freshly installed printers. You had to restart Samba, or at least send an HUP signal to all running smbd processes to work around this: kill -HUP `pidof smbd`. -
Client Driver Installation Procedure
+

Chapter 39. Reporting Bugs
Prev	Part V. Troubleshooting	Next

Chapter 39. Reporting Bugs
Prev	Part V. Troubleshooting	Next

Function Name	Function Name
all	passdb
tdb	sam
printdrivers	auth
lanman	winbind
smb	vfs
rpc_parse	idmap
rpc_srv	quota
rpc_cli	acls

Function Name	Function Name
all	passdb
tdb	sam
printdrivers	auth
lanman	winbind
smb	vfs
rpc_parse	idmap
rpc_srv	quota
rpc_cli	acls

`Client Driver Installation Procedure`

As Don Quixote said, “The proof of the pudding is in the eating.” The proof for our setup lies in the printing. So let's install the printer driver onto the client PCs. This is not as straightforward as it may seem. Read on. -

`First Client Driver Installation`

+

`First Client Driver Installation`

Especially important is the installation onto the first client PC (for each architectural platform separately). Once this is done correctly, all further clients are easy to set up and shouldn't need further attention. What follows is a description for the recommended first procedure. You now work from a client workstation. You should check that your connection is not unwittingly mapped to bad user nobody. In a DOS box type:

net use \\SAMBA-SERVER\print$ /user:root

-Replace root, if needed, by another valid printer admin user as given in +Replace root, if needed, by another valid printer admin user as given in the definition. Should you already be connected as a different user, you will get an error message. There is no easy way to get rid of that connection, because Windows does not seem to know a concept of logging off from a share connection (do not confuse this with logging off from the local workstation; that is @@ -1347,7 +1347,7 @@ Settings -> Control Panel -> Printers and Faxes).

- + Most likely you are tempted to try to print a test page. After all, you now can open the printer properties, and on the General tab there is a button offering to do just that. But chances are that you get an error message saying "Unable to print Test Page." The @@ -1359,18 +1359,18 @@

`Setting Device Modes on New Printers`

For a printer to be truly usable by a Windows NT/200x/XP client, it must possess:

- + A valid device mode generated by the driver for the printer (defining things like paper size, orientation and duplex settings).
- + A complete set of printer driver data generated by the driver.

- - - - - + + + + + If either of these is incomplete, the clients can produce less than optimal output at best. In the worst cases, unreadable garbage or nothing at all comes from the printer, or it produces a harvest of error messages when attempting to print. Samba stores the named values and all printing-related information in @@ -1384,7 +1384,7 @@ This can be achieved by accessing the drivers remotely from an NT (or 200x/XP) client, as discussed in the following paragraphs.

-Be aware that a valid device mode can only be initiated by a printer admin or root +Be aware that a valid device mode can only be initiated by a printer admin or root (the reason should be obvious). Device modes can be correctly set only by executing the printer driver program itself. Since Samba cannot execute this Win32 platform driver code, it sets this field initially to NULL (which is not a valid setting for clients to use). Fortunately, most drivers automatically generate the @@ -1396,7 +1396,7 @@ the server's printer. This executes enough of the printer driver program on the client for the desired effect to happen and feeds back the new device mode to our Samba server. You can use the native Windows NT/200x/XP printer properties page from a Window client for this: -

Procedure 20.2. Procedure to Initialize the Printer Driver Settings + Procedure 20.2. Procedure to Initialize the Printer Driver Settings Browse the Network Neighborhood. Find the Samba server. @@ -1426,13 +1426,13 @@ you can follow the analogous steps by accessing the local Printers folder, too, if you are a Samba printer admin user. From now on, printing should work as expected. - + Samba includes a service-level parameter name default devmode for generating a default device mode for a printer. Some drivers function well with Samba's default set of properties. Others may crash the client's spooler service. So use this parameter with caution. It is always better to have the client generate a valid device mode for the printer and store it on the server for you. - Additional Client Driver Installation - + Additional Client Driver Installation + Every additional driver may be installed in the same way as just described. Browse Network Neighborhood, open the Printers folder on Samba server, right-click on Printer, and choose Connect.... Once this completes (should be @@ -1445,17 +1445,17 @@ rundll32 shell32.dll,SHHelpShortcuts_RunDLL PrintersFolder or this command on Windows NT 4.0 workstations: - + rundll32 shell32.dll,Control_RunDLL MAIN.CPL @2 You can enter the commands either inside a DOS box window or in the Run command... field from the Start menu. - Always Make First Client Connection as root or “printer admin” + Always Make First Client Connection as root or “printer admin” After you installed the driver on the Samba server (in its [print$] share), you should always make sure that your first client installation completes correctly. Make it a habit for yourself -to build the very first connection from a client as printer admin. This is to make +to build the very first connection from a client as printer admin. This is to make sure that: A first valid device mode is really initialized (see above Setting Device Modes on New Printers) for more explanation details). @@ -1467,7 +1467,7 @@ Letter when you are all using A4, right? You may want to set the printer for duplex as the default, and so on). - + To connect as root to a Samba printer, try this command from a Windows 200x/XP DOS box command prompt: C:\> runas /netonly /user:root "rundll32 printui.dll,PrintUIEntry /p /t3 /n @@ -1476,18 +1476,18 @@ You will be prompted for root's Samba password; type it, wait a few seconds, click on Printing Defaults, and proceed to set the job options that should be used as defaults -by all clients. Alternatively, instead of root you can name one other member of the printer admin from the setting. +by all clients. Alternatively, instead of root you can name one other member of the printer admin from the setting. Now all the other users downloading and installing the driver the same way (using Point'n'Print) will have the same defaults set for them. If you miss this step, you'll get a lot of help desk calls from your users, but maybe you like to talk to people. - Other Gotchas +

`Other Gotchas`

Your driver is installed. It is now ready for Point'n'Print installation by the clients. You may have tried to download and use it on your first client machine, but wait. Let's make sure you are acquainted first with a few tips and tricks you may find useful. For example, suppose you did not set the defaults on the printer, as advised in the preceding paragraphs. Your users complain about various issues (such as, “We need to set the paper size for each job from Letter to A4 and it will not store it”). -

`Setting Default Print Options for Client Drivers`

+

`Setting Default Print Options for Client Drivers`

The last sentence might be viewed with mixed feelings by some users and Admins. They have struggled for hours and could not arrive at a point where their settings seemed to be saved. It is not their fault. The confusing thing is that in the multitabbed dialog that pops up when you right-click on the printer name and select @@ -1524,7 +1524,7 @@ Do you see any difference in the two settings dialogs? I do not either. However, only the last one, which you arrived at with steps C.1 through C.6 will permanently save any settings which will then become the defaults for new users. If you want all clients to have the same defaults, you need to conduct these steps as -administrator (printer admin) before a client downloads the driver (the clients can +administrator (printer admin) before a client downloads the driver (the clients can later set their own per-user defaults by following procedures A or B above). Windows 200x/XP allow per-user default settings and the ones the administrator gives them before they set up their own. The parents of the identical-looking dialogs have a slight difference in their window names; one is called @@ -1536,7 +1536,7 @@ there is now a different path to arrive at an identical-looking, but functionally different, dialog to set defaults for all users.

`Tip`

Try (on Windows 200x/XP) to run this command (as a user with the right privileges): - +

rundll32 printui.dll,PrintUIEntry /p /t3 /n\\SAMBA-SERVER\printersharename

@@ -1547,7 +1547,7 @@ To see the tab with the Printing Preferences button (the one that does not set systemwide defaults), you can start the commands from inside a DOS box or from Start -> Run. -

`Supporting Large Numbers of Printers`

+

`Supporting Large Numbers of Printers`

One issue that has arisen during the recent development phase of Samba is the need to support driver downloads for hundreds of printers. Using Windows NT APW for this task is somewhat awkward (to say the least). If you do not want to acquire RSS pains from the printer installation clicking orgy alone, you need @@ -1630,19 +1630,19 @@ “dm9110” printer with an empty string where the driver should have been listed (between the two commas in the description field). After the setdriver command succeeds, all is well. -

`Adding New Printers with the Windows NT APW`

+

`Adding New Printers with the Windows NT APW`

By default, Samba exhibits all printer shares defined in smb.conf in the Printers folder. Also located in this folder is the Windows NT Add Printer Wizard icon. The APW will be shown only if:

The connected user is able to successfully execute an OpenPrinterEx(\\server) with - administrative privileges (i.e., root or printer admin). + administrative privileges (i.e., root or printer admin).
Tip
Try this from a Windows 200x/XP DOS box command prompt:
runas /netonly /user:root rundll32 printui.dll,PrintUIEntry /p /t0 /n \\SAMBA-SERVER\printersharename
Click on Printing Preferences.
... contains the setting - show add printer wizard = yes (the + show add printer wizard = yes (the default).

The APW can do various things:

@@ -1653,28 +1653,28 @@ Exchange the currently used driver for an existing print queue with one that has been uploaded before.
Add an entirely new printer to the Samba host (only in conjunction with a working - add printer command. A corresponding - delete printer command for removing entries from the + add printer command. A corresponding + delete printer command for removing entries from the Printers folder may also be provided).

The last one (add a new printer) requires more effort than the previous ones. To use the APW to successfully -add a printer to a Samba server, the add printer command must have a defined value. +add a printer to a Samba server, the add printer command must have a defined value. The program hook must successfully add the printer to the UNIX print system (i.e., to /etc/printcap, /etc/cups/printers.conf or other appropriate files) and to smb.conf if necessary.

When using the APW from a client, if the named printer share does not exist, smbd will execute the -add printer command and reparse to attempt to locate the new printer share. If the +add printer command and reparse to attempt to locate the new printer share. If the share is still not defined, an error of "Access Denied" is returned to the client. The -add printer command is executed under the context of the connected user, not -necessarily a root account. A map to guest = bad user may have connected +add printer command is executed under the context of the connected user, not +necessarily a root account. A map to guest = bad user may have connected you unwittingly under the wrong privilege. You should check it by using the smbstatus command. -

`Error Message: “Cannot connect under a different Name”`

+

`Error Message: “Cannot connect under a different Name”`

Once you are connected with the wrong credentials, there is no means to reverse the situation other than to close all Explorer windows, and perhaps reboot.

- + The net use \\SAMBA-SERVER\sharename /user:root gives you an error message: “Multiple connections to a server or a shared resource by the same user utilizing several user names are not allowed. Disconnect all previous connections to the server, @@ -1700,7 +1700,7 @@ C:\> net use * /delete
This will also disconnect all mapped drives and will allow you create fresh connection as required. -

`Take Care When Assembling Driver Files`

+

`Take Care When Assembling Driver Files`

You need to be extremely careful when you take notes about the files belonging to a particular driver. Don't confuse the files for driver version “0” (for Windows 9x/Me, going into [print$]/WIN/0/), driver version 2 (kernel mode driver for Windows NT, @@ -1831,11 +1831,11 @@ In my example were even more differences than shown here. Conclusion: you must be careful to select the correct driver files for each driver version. Don't rely on the names alone, and don't interchange files belonging to different driver versions. -

`Samba and Printer Ports`

- - - - +

`Samba and Printer Ports`

+ + + + Windows NT/2000 print servers associate a port with each printer. These normally take the form of LPT1:, COM1:, FILE:, and so on. Samba must also support the concept of ports associated with a printer. By default, only one printer port, named “Samba @@ -1844,22 +1844,22 @@ they request this information; otherwise, they throw an error message at you. So Samba fakes the port information to keep the Windows clients happy.

- + Samba does not support the concept of Printer Pooling internally either. Printer pooling assigns a logical printer to multiple ports as a form of load balancing or failover.

If you require multiple ports to be defined for some reason or another (my users and my boss should not know -that they are working with Samba), configure the enumports command, +that they are working with Samba), configure the enumports command, which can be used to define an external program that generates a listing of ports on a system. -

`Avoiding Common Client Driver Misconfiguration`

+

`Avoiding Common Client Driver Misconfiguration`

So now the printing works, but there are still problems. Most jobs print well, some do not print at all. Some jobs have problems with fonts, which do not look good. Some jobs print fast and some are dead-slow. We cannot cover it all, but we want to encourage you to read the brief paragraph about “Avoiding the Wrong PostScript Driver Settings” in CUPS Printing Chapter, Avoiding Critical PostScript Driver Settings on the Client. -

`The Imprints Toolset`

- +

`The Imprints Toolset`

+ The Imprints tool set provides a UNIX equivalent of the Windows NT APW. For complete information, please refer to the Imprints Web site as well as the documentation included with the Imprints source distribution. This section provides only a brief introduction @@ -1871,7 +1871,7 @@ mailing list. The toolset is still in usable form, but only for a series of older printer models where there are prepared packages to use. Packages for more up-to-date print devices are needed if Imprints should have a future. Information regarding the Imprints toolset can be obtained from the Imprints home page. -

`What Is Imprints?`

+

`What Is Imprints?`

Imprints is a collection of tools for supporting these goals:

Providing a central repository of information regarding Windows NT and 95/98 printer driver packages. @@ -1880,19 +1880,19 @@
Providing an installation client that will obtain printer drivers from a central Internet (or intranet) Imprints Server repository and install them on remote Samba and Windows NT4 print servers. -

`Creating Printer Driver Packages`

+

`Creating Printer Driver Packages`

The process of creating printer driver packages is beyond the scope of this document (refer to Imprints.txt, included with the Samba distribution for more information). In short, an Imprints driver package is a gzipped tarball containing the driver files, related INF files, and a control file needed by the installation client. -

`The Imprints Server`

+

`The Imprints Server`

The Imprints server is really a database server that may be queried via standard HTTP mechanisms. Each printer entry in the database has an associated URL for the actual downloading of the package. Each package is digitally signed via GnuPG, which can be used to verify that the package downloaded is actually the one referred in the Imprints database. It is strongly recommended that this security check not be disabled. -

`The Installation Client`

+

`The Installation Client`

More information regarding the Imprints installation client is available from the the documentation file Imprints-Client-HOWTO.ps that is included with the Imprints source package. The Imprints installation client comes in two forms: @@ -1922,7 +1922,7 @@

The way of sidestepping this limitation is to require that all Imprints printer driver packages include both the Intel Windows NT and 95/98 printer drivers and that the NT driver is installed first. -

`Adding Network Printers without User Interaction`

+

`Adding Network Printers without User Interaction`

The following MS Knowledge Base article may be of some help if you need to handle Windows 2000 clients: How to Add Printers with No User Interaction in Windows 2000, (Microsoft KB 189105). It also applies to Windows XP Professional clients. The ideas sketched out in this section are inspired by this @@ -1981,7 +1981,7 @@ up to date. The few extra seconds at logon time will not really be noticeable. Printers can be centrally added, changed, and deleted at will on the server with no user intervention required from the clients (you just need to keep the logon scripts up to date). -

`The addprinter Command`

+

`The addprinter Command`

The addprinter command can be configured to be a shell script or program executed by Samba. It is triggered by running the APW from a client against the Samba print server. The APW asks the user to fill in several fields (such as printer name, driver to be used, comment, port monitor, @@ -1989,7 +1989,7 @@ way that it can create a new printer (through writing correct printcap entries on legacy systems or by executing the lpadmin command on more modern systems) and create the associated share, then the APW will in effect really create a new printer on Samba and the UNIX print subsystem! -

`Migration of Classical Printing to Samba`

+

`Migration of Classical Printing to Samba`

The basic NT-style printer driver management has not changed considerably in 3.0 over the 2.2.x releases (apart from many small improvements). Here migration should be quite easy, especially if you followed previous advice to stop using deprecated parameters in your setup. For migrations from an existing 2.0.x @@ -2019,11 +2019,11 @@ solution is to use the Windows NT APW to install the NT drivers and the 9x/Me drivers. This can be scripted using smbclient and rpcclient. See the Imprints installation client on the Imprints web site for example. See also the discussion of rpcclient usage in CUPS Printing. -

`Publishing Printer Information in Active Directory or LDAP`

+

`Publishing Printer Information in Active Directory or LDAP`

This topic has also been addressed in Remote and Local Management The Net Command. If you wish to volunteer your services to help document this further, please contact John H. Terpstra. -

`Common Errors`

`I Give My Root Password but I Do Not Get Access`

+

`Common Errors`

`I Give My Root Password but I Do Not Get Access`

Do not confuse the root password, which is valid for the UNIX system (and in most cases stored in the form of a one-way hash in a file named /etc/shadow), with the password used to authenticate against Samba. Samba does not know the UNIX password. Root access to Samba resources @@ -2034,7 +2034,7 @@ New SMB password: secret Retype new SMB password: secret

-

`My Print Jobs Get Spooled into the Spooling Directory, but Then Get Lost`

+

`My Print Jobs Get Spooled into the Spooling Directory, but Then Get Lost`

Do not use the existing UNIX print system spool directory for the Samba spool directory. It may seem convenient and a savings of space, but it only leads to problems. The two must be separate. The UNIX/Linux system print spool directory (e.g., /var/spool/cups) is typically owned by a diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20rc2/docs/htmldocs/Samba3-HOWTO/ClientConfig.html samba-3.0.20/docs/htmldocs/Samba3-HOWTO/ClientConfig.html --- samba-3.0.20rc2/docs/htmldocs/Samba3-HOWTO/ClientConfig.html 2005-08-07 11:24:47.000000000 -0500 +++ samba-3.0.20/docs/htmldocs/Samba3-HOWTO/ClientConfig.html 2005-08-19 13:03:24.000000000 -0500 @@ -1,20 +1,20 @@ -Chapter 8. MS Windows Network Configuration Guide

Chapter 8. MS Windows Network Configuration Guide
Prev	Part II. Server Configuration Basics	Next

`Chapter 8. MS Windows Network Configuration Guide`

`John H. Terpstra`

Samba Team <jht@samba.org>

Table of Contents

Features and Benefits

Technical Details

TCP/IP Configuration
Joining a Domain: Windows 2000/XP Professional
Domain Logon Configuration: Windows 9x/Me

Common Errors

`Features and Benefits`

- - - +Chapter 8. MS Windows Network Configuration Guide

Chapter 8. MS Windows Network Configuration Guide
Prev	Part II. Server Configuration Basics	Next

`Chapter 8. MS Windows Network Configuration Guide`

`John H. Terpstra`

Samba Team <jht@samba.org>

Table of Contents

Features and Benefits

Technical Details

TCP/IP Configuration
Joining a Domain: Windows 2000/XP Professional
Domain Logon Configuration: Windows 9x/Me

Common Errors

`Features and Benefits`

+ + + Occasionally network administrators report difficulty getting Microsoft Windows clients to interoperate correctly with Samba servers. It seems that some folks just cannot accept the fact that the right way to configure an MS Windows network client is precisely as one would do when using MS Windows NT4 or 200x servers. Yet there is repetitious need to provide detailed Windows client configuration instructions.

- - + + The purpose of this chapter is to graphically illustrate MS Windows client configuration for the most common critical aspects of such configuration. An experienced network administrator will not be interested in the details of this chapter. -

`Technical Details`

- - +

`Technical Details`

+ + This chapter discusses TCP/IP protocol configuration as well as network membership for the platforms that are in common use today. These are:

@@ -23,27 +23,27 @@ Windows 2000 Professional
Windows Millennium edition (Me) -

`TCP/IP Configuration`

- - +

`TCP/IP Configuration`

+ + The builder of a house must ensure that all construction takes place on a firm foundation. The same is true for the builder of a TCP/IP-based networking system. Fundamental network configuration problems will plague all network users until they are resolved.

- - + + MS Windows workstations and servers can be configured either with fixed IP addresses or via DHCP. The examples that follow demonstrate the use of DHCP and make only passing reference to those situations where fixed IP configuration settings can be effected.

- - + + It is possible to use shortcuts or abbreviated keystrokes to arrive at a particular configuration screen. The decision was made to base all examples in this chapter on use of the Start button. -

`MS Windows XP Professional`

- +

`MS Windows XP Professional`

+ There are two paths to the Windows XP TCP/IP configuration panel. Choose the access method that you prefer:

Click Start -> Control Panel -> Network Connections. @@ -51,48 +51,48 @@ Alternately, click Start ->, and right-click My Network Places then select Properties.

- + The following procedure steps through the Windows XP Professional TCP/IP configuration process:

- - - + + + On some installations the interface will be called Local Area Connection and on others it will be called Network Bridge. On our system it is called Network Bridge. Right-click on Network Bridge -> Properties. See ???.
Figure 8.1. Network Bridge Configuration.
- - + + The Network Bridge Configuration, or Local Area Connection, panel is used to set TCP/IP protocol settings. In This connection uses the following items: box, click on Internet Protocol (TCP/IP), then click on Properties.
- - + + The default setting is DHCP-enabled operation (i.e., “Obtain an IP address automatically”). See ???.
Figure 8.2. Internet Protocol (TCP/IP) Properties.
- - - - + + + + Many network administrators will want to use DHCP to configure all client TCP/IP protocol stack settings. (For information on how to configure the ISC DHCP server for Windows client support see the DNS and DHCP Configuration Guide, DHCP Server.
- - - + + + If it is necessary to provide a fixed IP address, click on “Use the following IP address” and enter the IP Address, the subnet mask, and the default gateway address in the boxes provided.
- - - - + + + + Click the Advanced button to proceed with TCP/IP configuration. This opens a panel in which it is possible to create additional IP addresses for this interface. The technical name for the additional addresses is IP aliases, and additionally this @@ -100,28 +100,28 @@ necessary to create additional settings. See ??? to see the appearance of this panel.
Figure 8.3. Advanced Network Settings
- - - + + + Fixed settings may be required for DNS and WINS if these settings are not provided automatically via DHCP.
- - + + Click the DNS tab to add DNS server settings. The example system uses manually configured DNS settings. When finished making changes, click the OK to commit the settings. See ???.
Figure 8.4. DNS Configuration.
- - + + Click the WINS tab to add manual WINS server entries. This step demonstrates an example system that uses manually configured WINS settings. When finished making changes, click OK to commit the settings. See ???.
Figure 8.5. WINS Configuration
-

`MS Windows 2000`

- - +

`MS Windows 2000`

+ + There are two paths to the Windows 2000 Professional TCP/IP configuration panel. Choose the access method that you prefer:

Click Start -> Control Panel -> Network and Dial-up Connections. @@ -129,33 +129,33 @@ Alternatively, click Start, then right-click My Network Places, and select Properties.

- + The following procedure steps through the Windows XP Professional TCP/IP configuration process:

Right-click on Local Area Connection, then click Properties. See ???.
Figure 8.6. Local Area Connection Properties.
- - + + The Local Area Connection Properties is used to set TCP/IP protocol settings. Click on Internet Protocol (TCP/IP) in the Components checked are used by this connection: box, then click the Properties button.
- - + + The default setting is DHCP-enabled operation (i.e., “Obtain an IP address automatically”). See ???.
Figure 8.7. Internet Protocol (TCP/IP) Properties.
- - + + Many network administrators will want to use DHCP to configure all client TCP/IP protocol stack settings. (For information on how to configure the ISC DHCP server for Windows client support, see, ???.
- - + + If it is necessary to provide a fixed IP address, click on “Use the following IP address” and enter the IP Address, the subnet mask, and the default gateway address in the boxes provided. For this example we are assuming that all network clients will be configured using DHCP. @@ -164,50 +164,50 @@ Refer to ???.
Figure 8.8. Advanced Network Settings.
- - - + + + Fixed settings may be required for DNS and WINS if these settings are not provided automatically via DHCP.
- - + + Click the DNS tab to add DNS server settings. The example system uses manually configured DNS settings. When finished making changes, click OK to commit the settings. See ???.
Figure 8.9. DNS Configuration.
- - + + Click the WINS tab to add manual WINS server entries. This step demonstrates an example system that uses manually configured WINS settings. When finished making changes, click OK to commit the settings. See ???.
Figure 8.10. WINS Configuration.
-

`MS Windows Me`

- - - +

`MS Windows Me`

+ + + There are two paths to the Windows Millennium edition (Me) TCP/IP configuration panel. Choose the access method that you prefer:

Click Start -> Control Panel -> Network Connections.

- - + + Alternatively, click on Start ->, and right click on My Network Places then select Properties.

- + The following procedure steps through the Windows Me TCP/IP configuration process:

- + In the box labeled The following network components are installed:, click on Internet Protocol TCP/IP, then click on the Properties button. See ???.
Figure 8.11. The Windows Me Network Configuration Panel.
- - - + + + Many network administrators will want to use DHCP to configure all client TCP/IP protocol stack settings. (For information on how to configure the ISC DHCP server for Windows client support see the DNS and DHCP Configuration Guide, @@ -215,41 +215,41 @@ (i.e., Obtain IP address automatically is enabled). See ???.
Figure 8.12. IP Address.
- - - + + + If it is necessary to provide a fixed IP address, click on Specify an IP address and enter the IP Address and the subnet mask in the boxes provided. For this example we are assuming that all network clients will be configured using DHCP.
- - + + Fixed settings may be required for DNS and WINS if these settings are not provided automatically via DHCP.
- + If necessary, click the DNS Configuration tab to add DNS server settings. Click the WINS Configuration tab to add WINS server settings. The Gateway tab allows additional gateways (router addresses) to be added to the network interface settings. In most cases where DHCP is used, it will not be necessary to create these manual settings.
- - + + The following example uses manually configured WINS settings. See ???. When finished making changes, click OK to commit the settings.
Figure 8.13. DNS Configuration.
- - + + This is an example of a system that uses manually configured WINS settings. One situation where this might apply is on a network that has a single DHCP server that provides settings for multiple Windows workgroups or domains. See ???.
Figure 8.14. WINS Configuration.
-

`Joining a Domain: Windows 2000/XP Professional`

- - - - +

`Joining a Domain: Windows 2000/XP Professional`

+ + + + Microsoft Windows NT/200x/XP Professional platforms can participate in domain security. This section steps through the process for making a Windows 200x/XP Professional machine a member of a domain security environment. It should be noted that this process is identical @@ -259,18 +259,18 @@

Right-click My Computer, then select Properties.

- + The opening panel is the same one that can be reached by clicking System on the Control Panel. See ???.

Figure 8.15. The General Panel.

- + Click the Computer Name tab. This panel shows the Computer Description, the Full computer name, and the Workgroup or Domain name.

- - + + Clicking the Network ID button will launch the configuration wizard. Do not use this with Samba-3. If you wish to change the computer name or join or leave the domain, click the Change button. See ???. @@ -280,38 +280,38 @@ We will join the domain called MIDEARTH. See ???.

Figure 8.17. The Computer Name Changes Panel.

- + Enter the name MIDEARTH in the field below the domain radio button.

This panel shows that our example machine (TEMPTATION) is set to join the domain called MIDEARTH. See ???.

Figure 8.18. The Computer Name Changes Panel Domain MIDEARTH.

- - + + Now click the OK button. A dialog box should appear to allow you to provide the credentials (username and password) of a domain administrative account that has the rights to add machines to the domain.

- + Enter the name “root” and the root password from your Samba-3 server. See ???.

Figure 8.19. Computer Name Changes Username and Password Panel.

Click on OK.

- - + + The “Welcome to the MIDEARTH domain.” dialog box should appear. At this point the machine must be rebooted. Joining the domain is now complete. -

`Domain Logon Configuration: Windows 9x/Me`

- - - +

`Domain Logon Configuration: Windows 9x/Me`

+ + + We follow the convention used by most in saying that Windows 9x/Me machines can participate in domain logons. The truth is that these platforms can use only the LanManager network logon protocols.

`Note`

- - - + + + Windows XP Home edition cannot participate in domain or LanManager network logons.

Right-click on the Network Neighborhood icon. @@ -320,44 +320,44 @@ See ???.
Figure 8.20. The Network Panel.
- - + + Make sure that the Client for Microsoft Networks driver is installed as shown. Click on the Client for Microsoft Networks entry in The following network components are installed: box. Then click the Properties button.
- - + + The Client for Microsoft Networks Properties panel is the correct location to configure network logon settings. See ???.
Figure 8.21. Client for Microsoft Networks Properties Panel.
- - + + Enter the Windows NT domain name, check the Log on to Windows NT domain box, and click OK.
- - - + + + Click on the Identification button. This is the location at which the workgroup (domain) name and the machine name (computer name) need to be set. See ???.
Figure 8.22. Identification Panel.
- - - - + + + + Now click the Access Control button. If you want to be able to assign share access permissions using domain user and group accounts, it is necessary to enable User-level access control as shown in this panel. See ???.
Figure 8.23. Access Control Panel.
-

`Common Errors`

- - +

`Common Errors`

+ + The most common errors that can afflict Windows networking systems include:

Incorrect IP address.
Incorrect or inconsistent netmasks.
Incorrect router address.
Incorrect DNS server address.
Incorrect WINS server address.
Use of a Network Scope setting watch out for this one!

- - + + The most common reasons for which a Windows NT/200x/XP Professional client cannot join the Samba controlled domain are: -

smb.conf does not have correct add machine script settings.
“root” account is not in password backend database.
Attempt to use a user account instead of the “root” account to join a machine to the domain.
Open connections from the workstation to the server.
Firewall or filter configurations in place on either the client or the Samba server.

Prev	Up	Next
Chapter 7. Standalone Servers	Home	Part III. Advanced Configuration

+ smb.conf does not have correct add machine script settings. “root” account is not in password backend database. Attempt to use a user account instead of the “root” account to join a machine to the domain. Open connections from the workstation to the server. Firewall or filter configurations in place on either the client or the Samba server.

Prev	Up	Next
Chapter 7. Standalone Servers	Home	Part III. Advanced Configuration

diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20rc2/docs/htmldocs/Samba3-HOWTO/compiling.html samba-3.0.20/docs/htmldocs/Samba3-HOWTO/compiling.html --- samba-3.0.20rc2/docs/htmldocs/Samba3-HOWTO/compiling.html 2005-08-07 11:25:18.000000000 -0500 +++ samba-3.0.20/docs/htmldocs/Samba3-HOWTO/compiling.html 2005-08-19 13:03:48.000000000 -0500 @@ -1,9 +1,9 @@ -Chapter 40. How to Compile SambaChapter 40. How to Compile Samba Prev Part VI. Reference Section Next Chapter 40. How to Compile Samba Jelmer R. Vernooij The Samba Team <jelmer@samba.org> John H. Terpstra Samba Team <jht@samba.org> Andrew Tridgell Samba Team <tridge@samba.org> 22 May 2001 18 March 2003 June 2005 Table of Contents Access Samba Source Code via Subversion Introduction Subversion Access to samba.org Accessing the Samba Sources via rsync and ftp Verifying Samba's PGP Signature Building the Binaries Compiling Samba with Active Directory Support Starting the smbd nmbd and winbindd Starting from inetd.conf Alternative: Starting smbd as a Daemon +Chapter 40. How to Compile Samba Chapter 40. How to Compile Samba Prev Part VI. Reference Section Next Chapter 40. How to Compile Samba Jelmer R. Vernooij The Samba Team <jelmer@samba.org> John H. Terpstra Samba Team <jht@samba.org> Andrew Tridgell Samba Team <tridge@samba.org> 22 May 2001 18 March 2003 June 2005 Table of Contents Access Samba Source Code via Subversion Introduction Subversion Access to samba.org Accessing the Samba Sources via rsync and ftp Verifying Samba's PGP Signature Building the Binaries Compiling Samba with Active Directory Support Starting the smbd nmbd and winbindd Starting from inetd.conf Alternative: Starting smbd as a Daemon You can obtain the Samba source file from the Samba Web site. To obtain a development version, you can download Samba from Subversion or using rsync. - Access Samba Source Code via Subversion Introduction - + Access Samba Source Code via Subversion Introduction + Samba is developed in an open environment. Developers use a Subversion to “checkin” (also known as “commit”) new source code. Samba's various Subversion branches can @@ -12,13 +12,13 @@ This chapter is a modified version of the instructions found at the Samba Web site. - Subversion Access to samba.org + Subversion Access to samba.org The machine samba.org runs a publicly accessible Subversion repository for access to the source code of several packages, including Samba, rsync, distcc, ccache, and jitterbug. There are two main ways of accessing the Subversion server on this host. - Access via SVNweb - + Access via SVNweb + You can access the source code via your favorite WWW browser. This allows you to access the contents of individual files in the repository and also to look at the revision history and commit logs of individual files. You can also ask for a diff @@ -26,8 +26,8 @@ Use the URL http://svnweb.samba.org/. - Access via Subversion - + Access via Subversion + You can also access the source code via a normal Subversion client. This gives you much more control over what you can do with the repository and allows you to check out whole source trees and keep them up to date via normal Subversion commands. This is the preferred method of access if you are a developer and not just a @@ -37,7 +37,7 @@ sources from http://subversion.tigris.org/. To gain access via anonymous Subversion, use the following steps. - Procedure 40.1. Retrieving Samba using Subversion + Procedure 40.1. Retrieving Samba using Subversion Install a recent copy of Subversion. All you really need is a copy of the Subversion client binary. @@ -62,9 +62,9 @@ svn update - Accessing the Samba Sources via rsync and ftp - - + Accessing the Samba Sources via rsync and ftp + + pserver.samba.org also exports unpacked copies of most parts of the Subversion tree at the Samba pserver location and also via anonymous rsync at the Samba rsync server location. I recommend using rsync rather @@ -74,9 +74,9 @@ The disadvantage of the unpacked trees is that they do not support automatic merging of local changes as Subversion does. rsync access is most convenient for an initial install. - Verifying Samba's PGP Signature - - + Verifying Samba's PGP Signature + + It is strongly recommended that you verify the PGP signature for any source file before installing it. Even if you're not downloading from a mirror site, verifying PGP signatures should be a standard reflex. Many people today use the GNU GPG tool set in place of PGP. @@ -87,7 +87,7 @@ $ wget http://us1.samba.org/samba/ftp/samba-3.0.20.tar.asc $ wget http://us1.samba.org/samba/ftp/samba-pubkey.asc - + The first file is the PGP signature for the Samba source file; the other is the Samba public PGP key itself. Import the public PGP key with: @@ -105,9 +105,9 @@ gpg: BAD signature from “Samba Distribution Verification Key” - Building the Binaries - - + Building the Binaries + + After the source tarball has been unpacked, the next step involves configuration to match Samba to your operating system platform. If your source directory does not contain the configure script, @@ -120,7 +120,7 @@ root# ./autogen.sh - + To build the binaries, run the program ./configure in the source directory. This should automatically configure Samba for your operating system. If you have unusual @@ -135,7 +135,7 @@ root# ./configure [... arguments ...] - + Execute the following create the binaries: root# make @@ -164,7 +164,7 @@ As you can see from this, building and installing Samba does not need to result in disaster! - Compiling Samba with Active Directory Support + Compiling Samba with Active Directory Support In order to compile Samba with ADS support, you need to have installed on your system: @@ -187,13 +187,13 @@ If it does not, configure did not find your KRB5 libraries or your LDAP libraries. Look in config.log to figure out why and fix it. - Installing the Required Packages for Debian On Debian, you need to install the following packages: + Installing the Required Packages for Debian On Debian, you need to install the following packages: libkrb5-dev krb5-user - Installing the Required Packages for Red Hat Linux On Red Hat Linux, this means you should have at least: + Installing the Required Packages for Red Hat Linux On Red Hat Linux, this means you should have at least: krb5-workstation (for kinit) krb5-libs (for linking with) krb5-devel (because you are compiling from source) in addition to the standard development environment. If these files are not installed on your system, you should check the installation CDs to find which has them and install the files using your tool of choice. If in doubt - about what tool to use, refer to the Red Hat Linux documentation. SuSE Linux Package Requirements + about what tool to use, refer to the Red Hat Linux documentation. SuSE Linux Package Requirements SuSE Linux installs Heimdal packages that may be required to allow you to build binary packages. You should verify that the development libraries have been installed on your system. @@ -204,7 +204,7 @@ the maximum capabilities that are available. You should consider using SuSE-provided packages where they are available. Starting the smbd nmbd and winbindd - + You must choose to start smbd, winbindd and nmbd either as daemons or from inetd. Don't try to do both! Either you can put them in inetd.conf and have them started on demand by @@ -216,7 +216,7 @@ The main advantage of starting smbd and nmbd using the recommended daemon method is that they will respond slightly more quickly to an initial connection request. - Starting from inetd.conf Note The following will be different if + Starting from inetd.conf Note The following will be different if you use NIS, NIS+, or LDAP to distribute services maps. Look at your /etc/services. What is defined at port 139/tcp? If nothing is defined, then add a line like this: netbios-ssn 139/tcp Similarly for 137/udp, you should have an entry like: netbios-ns 137/udp @@ -225,12 +225,12 @@ netbios-ssn stream tcp nowait root /usr/local/samba/bin/smbd smbd netbios-ns dgram udp wait root /usr/local/samba/bin/nmbd nmbd - + The exact syntax of /etc/inetd.conf varies between UNIXes. Look at the other entries in inetd.conf for a guide. - + Some distributions use xinetd instead of inetd. Consult the xinetd manual for configuration information. Note Some UNIXes already have entries like netbios_ns @@ -238,9 +238,9 @@ You must edit /etc/services or /etc/inetd.conf to make them consistent. Note - + On many systems you may need to use the - interfaces option in smb.conf to specify + interfaces option in smb.conf to specify the IP address and netmask of your interfaces. Run ifconfig as root if you do not know what the broadcast is for your net. nmbd tries @@ -253,13 +253,13 @@ Restart inetd, perhaps just send it a HUP, like this: - + root# killall -HUP inetd - Alternative: Starting smbd as a Daemon - - + Alternative: Starting smbd as a Daemon + + To start the server as a daemon, you should create a script something like this one, perhaps calling it startsmb. @@ -278,7 +278,7 @@ If you use the SVR4-style init system, you may like to look at the examples/svr4-startup script to make Samba fit into that system. - Starting Samba for Red Hat Linux + Starting Samba for Red Hat Linux Red Hat Linux has not always included all Samba components in the standard installation. So versions of Red Hat Linux do not install the winbind utility, even though it is present on the installation CDROM media. Check to see if the winbindd is present @@ -311,7 +311,7 @@ root# chkconfig winbind on Samba will be started automatically at every system reboot. - Starting Samba for Novell SUSE Linux + Starting Samba for Novell SUSE Linux Novell SUSE Linux products automatically install all essential Samba components in a default installation. Configure your smb.conf file, then execute the following to start Samba: diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20rc2/docs/htmldocs/Samba3-HOWTO/CUPS-printing.html samba-3.0.20/docs/htmldocs/Samba3-HOWTO/CUPS-printing.html --- samba-3.0.20rc2/docs/htmldocs/Samba3-HOWTO/CUPS-printing.html 2005-08-07 11:25:05.000000000 -0500 +++ samba-3.0.20/docs/htmldocs/Samba3-HOWTO/CUPS-printing.html 2005-08-19 13:03:40.000000000 -0500 @@ -1,8 +1,8 @@ -Chapter 21. CUPS Printing SupportChapter 21. CUPS Printing Support Prev Part III. Advanced Configuration Next Chapter 21. CUPS Printing Support Kurt Pfeifle Danka Deutschland GmbH <kpfeifle@danka.de> Ciprian Vizitiu drawings<CVizitiu@gbif.org> Jelmer R. Vernooij drawingsThe Samba Team <jelmer@samba.org> (27 Jan 2004) Table of Contents Introduction Features and Benefits Overview Basic CUPS Support Configuration Linking smbd with libcups.so Simple smb.conf Settings for CUPS More Complex CUPS smb.conf Settings Advanced Configuration Central Spooling vs. “Peer-to-Peer” Printing Raw Print Serving: Vendor Drivers on Windows Clients Installation of Windows Client Drivers Explicitly Enable “raw” Printing for application/octet-stream Driver Upload Methods Advanced Intelligent Printing with PostScript Driver Download GDI on Windows, PostScript on UNIX Windows Drivers, GDI, and EMF UNIX Printfile Conversion and GUI Basics PostScript and Ghostscript Ghostscript: The Software RIP for Non-PostScript Printers PostScript Printer Description (PPD) Specification Using Windows-Formatted Vendor PPDs CUPS Also Uses PPDs for Non-PostScript Printers The CUPS Filtering Architecture MIME Types and CUPS Filters MIME Type Conversion Rules Filtering Overview Prefilters pstops pstoraster imagetops and imagetoraster rasterto [printers specific] CUPS Backends The Role of cupsomatic/foomatic The Complete Picture mime.convs “Raw” Printing application/octet-stream Printing PostScript Printer Descriptions for Non-PostScript Printers cupsomatic/foomatic-rip Versus Native CUPS Printing Examples for Filtering Chains Sources of CUPS Drivers/PPDs Printing with Interface Scripts Network Printing (Purely Windows) From Windows Clients to an NT Print Server Driver Execution on the Client Driver Execution on the Server Network Printing (Windows Clients and UNIX/Samba Print -Servers) From Windows Clients to a CUPS/Samba Print Server Samba Receiving Job-Files and Passing Them to CUPS Network PostScript RIP PPDs for Non-PS Printers on UNIX PPDs for Non-PS Printers on Windows Windows Terminal Servers (WTS) as CUPS Clients Printer Drivers Running in “Kernel Mode” Cause Many -Problems Workarounds Impose Heavy Limitations CUPS: A “Magical Stone”? PostScript Drivers with No Major Problems, Even in Kernel -Mode Configuring CUPS for Driver Download cupsaddsmb: The Unknown Utility Prepare Your smb.conf for cupsaddsmb CUPS “PostScript Driver for Windows NT/200x/XP” Recognizing Different Driver Files Acquiring the Adobe Driver Files ESP Print Pro PostScript Driver for Windows NT/200x/XP Caveats to Be Considered Windows CUPS PostScript Driver Versus Adobe Driver Run cupsaddsmb (Quiet Mode) Run cupsaddsmb with Verbose Output Understanding cupsaddsmb How to Recognize If cupsaddsmb Completed Successfully cupsaddsmb with a Samba PDC cupsaddsmb Flowchart Installing the PostScript Driver on a Client Avoiding Critical PostScript Driver Settings on the Client Installing PostScript Driver Files Manually Using rpcclient A Check of the rpcclient man Page Understanding the rpcclient man Page Producing an Example by Querying a Windows Box Requirements for adddriver and setdriver to Succeed Manual Driver Installation in 15 Steps Troubleshooting Revisited The Printing *.tdb Files Trivial Database Files Binary Format Losing *.tdb Files Using tdbbackup CUPS Print Drivers from Linuxprinting.org foomatic-rip and Foomatic Explained foomatic-rip and Foomatic PPD Download and Installation Page Accounting with CUPS Setting Up Quotas Correct and Incorrect Accounting Adobe and CUPS PostScript Drivers for Windows Clients The page_log File Syntax Possible Shortcomings Future Developments Other Accounting Tools Additional Material Autodeletion or Preservation of CUPS Spool Files CUPS Configuration Settings Explained Preconditions Manual Configuration Printing from CUPS to Windows-Attached Printers More CUPS Filtering Chains Common Errors Windows 9x/Me Client Can't Install Driver “cupsaddsmb” Keeps Asking for Root Password in Never-ending Loop “cupsaddsmb” or “rpcclient addriver” Emit Error “cupsaddsmb” Errors Client Can't Connect to Samba Printer New Account Reconnection from Windows 200x/XP Troubles Avoid Being Connected to the Samba Server as the Wrong User Upgrading to CUPS Drivers from Adobe Drivers Can't Use “cupsaddsmb” on Samba Server, Which Is a PDC Deleted Windows 200x Printer Driver Is Still Shown Windows 200x/XP Local Security Policies Administrator Cannot Install Printers for All Local Users Print Change, Notify Functions on NT Clients Win XP-SP1 Print Options for All Users Can't Be Set on Windows 200x/XP Most Common Blunders in Driver Settings on Windows Clients cupsaddsmb Does Not Work with Newly Installed Printer Permissions on /var/spool/samba/ Get Reset After Each Reboot Print Queue Called “lp” Mishandles Print Jobs Location of Adobe PostScript Driver Files for “cupsaddsmb” Overview of the CUPS Printing Processes Introduction Features and Benefits - +Chapter 21. CUPS Printing Support Chapter 21. CUPS Printing Support Prev Part III. Advanced Configuration Next Chapter 21. CUPS Printing Support Kurt Pfeifle Danka Deutschland GmbH <kpfeifle@danka.de> Ciprian Vizitiu drawings<CVizitiu@gbif.org> Jelmer R. Vernooij drawingsThe Samba Team <jelmer@samba.org> (27 Jan 2004) Table of Contents Introduction Features and Benefits Overview Basic CUPS Support Configuration Linking smbd with libcups.so Simple smb.conf Settings for CUPS More Complex CUPS smb.conf Settings Advanced Configuration Central Spooling vs. “Peer-to-Peer” Printing Raw Print Serving: Vendor Drivers on Windows Clients Installation of Windows Client Drivers Explicitly Enable “raw” Printing for application/octet-stream Driver Upload Methods Advanced Intelligent Printing with PostScript Driver Download GDI on Windows, PostScript on UNIX Windows Drivers, GDI, and EMF UNIX Printfile Conversion and GUI Basics PostScript and Ghostscript Ghostscript: The Software RIP for Non-PostScript Printers PostScript Printer Description (PPD) Specification Using Windows-Formatted Vendor PPDs CUPS Also Uses PPDs for Non-PostScript Printers The CUPS Filtering Architecture MIME Types and CUPS Filters MIME Type Conversion Rules Filtering Overview Prefilters pstops pstoraster imagetops and imagetoraster rasterto [printers specific] CUPS Backends The Role of cupsomatic/foomatic The Complete Picture mime.convs “Raw” Printing application/octet-stream Printing PostScript Printer Descriptions for Non-PostScript Printers cupsomatic/foomatic-rip Versus Native CUPS Printing Examples for Filtering Chains Sources of CUPS Drivers/PPDs Printing with Interface Scripts Network Printing (Purely Windows) From Windows Clients to an NT Print Server Driver Execution on the Client Driver Execution on the Server Network Printing (Windows Clients and UNIX/Samba Print +Servers) From Windows Clients to a CUPS/Samba Print Server Samba Receiving Job-Files and Passing Them to CUPS Network PostScript RIP PPDs for Non-PS Printers on UNIX PPDs for Non-PS Printers on Windows Windows Terminal Servers (WTS) as CUPS Clients Printer Drivers Running in “Kernel Mode” Cause Many +Problems Workarounds Impose Heavy Limitations CUPS: A “Magical Stone”? PostScript Drivers with No Major Problems, Even in Kernel +Mode Configuring CUPS for Driver Download cupsaddsmb: The Unknown Utility Prepare Your smb.conf for cupsaddsmb CUPS “PostScript Driver for Windows NT/200x/XP” Recognizing Different Driver Files Acquiring the Adobe Driver Files ESP Print Pro PostScript Driver for Windows NT/200x/XP Caveats to Be Considered Windows CUPS PostScript Driver Versus Adobe Driver Run cupsaddsmb (Quiet Mode) Run cupsaddsmb with Verbose Output Understanding cupsaddsmb How to Recognize If cupsaddsmb Completed Successfully cupsaddsmb with a Samba PDC cupsaddsmb Flowchart Installing the PostScript Driver on a Client Avoiding Critical PostScript Driver Settings on the Client Installing PostScript Driver Files Manually Using rpcclient A Check of the rpcclient man Page Understanding the rpcclient man Page Producing an Example by Querying a Windows Box Requirements for adddriver and setdriver to Succeed Manual Driver Installation in 15 Steps Troubleshooting Revisited The Printing *.tdb Files Trivial Database Files Binary Format Losing *.tdb Files Using tdbbackup CUPS Print Drivers from Linuxprinting.org foomatic-rip and Foomatic Explained foomatic-rip and Foomatic PPD Download and Installation Page Accounting with CUPS Setting Up Quotas Correct and Incorrect Accounting Adobe and CUPS PostScript Drivers for Windows Clients The page_log File Syntax Possible Shortcomings Future Developments Other Accounting Tools Additional Material Autodeletion or Preservation of CUPS Spool Files CUPS Configuration Settings Explained Preconditions Manual Configuration Printing from CUPS to Windows-Attached Printers More CUPS Filtering Chains Common Errors Windows 9x/Me Client Can't Install Driver “cupsaddsmb” Keeps Asking for Root Password in Never-ending Loop “cupsaddsmb” or “rpcclient addriver” Emit Error “cupsaddsmb” Errors Client Can't Connect to Samba Printer New Account Reconnection from Windows 200x/XP Troubles Avoid Being Connected to the Samba Server as the Wrong User Upgrading to CUPS Drivers from Adobe Drivers Can't Use “cupsaddsmb” on Samba Server, Which Is a PDC Deleted Windows 200x Printer Driver Is Still Shown Windows 200x/XP Local Security Policies Administrator Cannot Install Printers for All Local Users Print Change, Notify Functions on NT Clients Win XP-SP1 Print Options for All Users Can't Be Set on Windows 200x/XP Most Common Blunders in Driver Settings on Windows Clients cupsaddsmb Does Not Work with Newly Installed Printer Permissions on /var/spool/samba/ Get Reset After Each Reboot Print Queue Called “lp” Mishandles Print Jobs Location of Adobe PostScript Driver Files for “cupsaddsmb” Overview of the CUPS Printing Processes Introduction Features and Benefits + The Common UNIX Print System (CUPS) has become quite popular. All major Linux distributions now ship it as their default printing system. To many, it is still a mystical tool. Mostly, it just works. People tend to regard @@ -11,21 +11,21 @@ Classical Printing, which contains much information that is also relevant to CUPS. - + CUPS sports quite a few unique and powerful features. While its basic functions may be grasped quite easily, they are also new. Because it is different from other, more traditional printing systems, it is best not to try to apply any prior knowledge about printing to this new system. Rather, try to understand CUPS from the beginning. This documentation will lead you to a complete understanding of CUPS. Let's start with the most basic things first. - Overview - - - - - + Overview + - - + + + + + + CUPS is more than just a print spooling system. It is a complete printer management system that complies with the new Internet Printing Protocol (IPP). IPP is an industry and Internet Engineering Task Force (IETF) standard for network printing. Many of its functions can be managed remotely (or locally) via a Web @@ -33,21 +33,21 @@ traditional command line and several more modern GUI interfaces (GUI interfaces developed by third parties, like KDE's overwhelming KDEPrint). - - + + CUPS allows creation of raw printers (i.e., no print file format translation) as well as smart printers (i.e., CUPS does file format conversion as required for the printer). In many ways, this gives CUPS capabilities similar to the MS Windows print monitoring system. Of course, if you are a CUPS advocate, you would argue that CUPS is better! In any case, let us now explore how to configure CUPS for interfacing with MS Windows print clients via Samba. - Basic CUPS Support Configuration - - - - - + Basic CUPS Support Configuration + + + + + Printing with CUPS in the most basic smb.conf setup in Samba-3.0 (as was true for 2.2.x) requires just two -parameters: printing = cups and printcap = cups. CUPS does not need a printcap file. However, the +parameters: printing = cups and printcap = cups. CUPS does not need a printcap file. However, the cupsd.conf configuration file knows of two related directives that control how such a file will be automatically created and maintained by CUPS for the convenience of third-party applications (example: Printcap /etc/printcap and PrintcapFormat BSD). @@ -55,17 +55,17 @@ print. Make sure CUPS is set to generate and maintain a printcap file. For details, see man cupsd.conf and other CUPS-related documentation, like the wealth of documents regarding the CUPS server itself available from the CUPS web site. - Linking smbd with libcups.so - + Linking smbd with libcups.so + Samba has a special relationship to CUPS. Samba can be compiled with CUPS library support. Most recent installations have this support enabled. By default, CUPS linking is compiled into smbd and other Samba binaries. Of course, you can use CUPS even if Samba is not linked against libcups.so but there are some differences in required or supported configuration. - - - When Samba is compiled and linked with libcups, printcap = cups + + + When Samba is compiled and linked with libcups, printcap = cups uses the CUPS API to list printers, submit jobs, query queues, and so on. Otherwise it maps to the System V commands with an additional -oraw option for printing. On a Linux system, you can use the ldd utility to find out if smbd has been linked with the @@ -79,30 +79,30 @@ [....] - + The line libcups.so.2 => /usr/lib/libcups.so.2 (0x40123000) shows there is CUPS support compiled into this version of Samba. If this is the case, and printing = cups is set, then any otherwise manually set print command in smb.conf is ignored. This is an important point to remember! Tip Should it be necessary, for any reason, to set your own print commands, you can do this by setting - printing = sysv. However, you will lose all the benefits + printing = sysv. However, you will lose all the benefits of tight CUPS-Samba integration. When you do this, you must manually configure the printing system commands (most important: - print command; other commands are - lppause command, - lpresume command, - lpq command, - lprm command, - queuepause command and - queue resume command). - Simple smb.conf Settings for CUPS + print command; other commands are + lppause command, + lpresume command, + lpq command, + lprm command, + queuepause command and + queue resume command). + Simple smb.conf Settings for CUPS To summarize, the Simplest Printing-Related smb.conf file shows the simplest printing-related setup for smb.conf to enable basic CUPS support: - Example 21.1. Simplest Printing-Related smb.conf [global] load printers = yes printing = cups printcap name = cups [printers] comment = All Printers path = /var/spool/samba browseable = no public = yes guest ok = yes writable = no printable = yes printer admin = root, @ntadmins - - - + Example 21.1. Simplest Printing-Related smb.conf [global] load printers = yes printing = cups printcap name = cups [printers] comment = All Printers path = /var/spool/samba browseable = no public = yes guest ok = yes writable = no printable = yes printer admin = root, @ntadmins + + + This is all you need for basic printing setup for CUPS. It will print all graphic, text, PDF, and PostScript files submitted from Windows clients. However, most of your Windows users would not know how to send these kinds of files to print without opening a GUI application. Windows clients tend to have local printer drivers @@ -112,25 +112,25 @@ hooked between the application's native format and the print data stream. If the backend printer is not a PostScript device, the print data stream is “binary,” sensible only for the target printer. Read on to learn what problem this may cause and how to avoid it. - More Complex CUPS smb.conf Settings + More Complex CUPS smb.conf Settings The Overriding Global CUPS Settings for One Printer example is a slightly more complex printing-related setup for smb.conf. It enables general CUPS printing support for all printers, but defines one printer share, which is set up differently. - Example 21.2. Overriding Global CUPS Settings for One Printer [global] printing = cups printcap name = cups load printers = yes [printers] comment = All Printers path = /var/spool/samba public = yes guest ok = yes writable = no printable = yes printer admin = root, @ntadmins [special_printer] comment = A special printer with his own settings path = /var/spool/samba-special printing = sysv printcap = lpstat print command = echo "NEW: `date`: printfile %f" >> /tmp/smbprn.log ; echo " `date`: p-%p s-%s f-%f" >> /tmp/smbprn.log ; echo " `date`: j-%j J-%J z-%z c-%c" >> /tmp/smbprn.log ; rm %f public = no guest ok = no writable = no printable = yes printer admin = kurt hosts deny = 0.0.0.0 hosts allow = turbo_xp, 10.160.50.23, 10.160.51.60 + Example 21.2. Overriding Global CUPS Settings for One Printer [global] printing = cups printcap name = cups load printers = yes [printers] comment = All Printers path = /var/spool/samba public = yes guest ok = yes writable = no printable = yes printer admin = root, @ntadmins [special_printer] comment = A special printer with his own settings path = /var/spool/samba-special printing = sysv printcap = lpstat print command = echo "NEW: `date`: printfile %f" >> /tmp/smbprn.log ; echo " `date`: p-%p s-%s f-%f" >> /tmp/smbprn.log ; echo " `date`: j-%j J-%J z-%z c-%c" >> /tmp/smbprn.log ; rm %f public = no guest ok = no writable = no printable = yes printer admin = kurt hosts deny = 0.0.0.0 hosts allow = turbo_xp, 10.160.50.23, 10.160.51.60 This special share is only for testing purposes. It does not write the print job to a file. It just logs the job parameters known to Samba into the /tmp/smbprn.log file and deletes the job-file. Moreover, the - printer admin of this share is “kurt” (not the “@ntadmins” group), + printer admin of this share is “kurt” (not the “@ntadmins” group), guest access is not allowed, the share isn't published to the Network Neighborhood (so you need to know it is there), and it allows access from only three hosts. To prevent CUPS from kicking in and taking over the print jobs for that share, we need to set - printing = sysv and printcap = lpstat. - Advanced Configuration + printing = sysv and printcap = lpstat. + Advanced Configuration Before we delve into all the configuration options, let us clarify a few points. Network printing needs to be organized and set up correctly. This frequently doesn't happen. Legacy systems or small business LAN environments often lack design and good housekeeping. - Central Spooling vs. “Peer-to-Peer” Printing - - - + Central Spooling vs. “Peer-to-Peer” Printing + + + Many small office or home networks, as well as badly organized larger environments, allow each client a direct access to available network printers. This is generally a bad idea. It often blocks one client's access to the printer when another client's job is printing. It might freeze the first client's application while it is @@ -138,9 +138,9 @@ pages mixed with each other. A better concept is the use of a print server: it routes all jobs through one central system, which responds immediately, takes jobs from multiple concurrent clients, and transfers them to the printer(s) in the correct order. - Raw Print Serving: Vendor Drivers on Windows Clients - - + Raw Print Serving: Vendor Drivers on Windows Clients + + Most traditionally configured UNIX print servers acting on behalf of Samba's Windows clients represented a really simple setup. Their only task was to manage the “raw” spooling of all jobs handed to them by @@ -149,8 +149,8 @@ device. In this case, a native (vendor-supplied) Windows printer driver needs to be installed on each and every client for the target device. - - + + It is possible to configure CUPS, Samba, and your Windows clients in the same traditional and simple way. When CUPS printers are configured for raw print-through mode operation, it is the responsibility of the @@ -164,15 +164,15 @@ This is achieved by installation of the printer as if it were physically attached to the Windows client. You then redirect output to a raw network print queue. This procedure may be followed to achieve this: - Procedure 21.1. Configuration Steps for Raw CUPS Printing Support - + Procedure 21.1. Configuration Steps for Raw CUPS Printing Support + Edit /etc/cups/mime.types to uncomment the line near the end of the file that has: #application/octet-... - + Do the same for the file /etc/cups/mime.convs. Add a raw printer using the Web interface. Point your browser at @@ -181,10 +181,10 @@ Choose Raw. Choose queue name Raw Queue. In the smb.conf file [printers] section add - use client driver = Yes, + use client driver = Yes, and in the [global] section add - printing = CUPS, plus - printcap = CUPS. + printing = CUPS, plus + printcap = CUPS. Install the printer as if it is a local printer, that is, Printing to LPT1:. @@ -193,14 +193,14 @@ you have configured above. Example: \\server\raw_q. Here, the name raw_q is the name you gave the print queue in the CUPS environment. - Installation of Windows Client Drivers + Installation of Windows Client Drivers The printer drivers on the Windows clients may be installed in two functionally different ways: Manually install the drivers locally on each client, one by one; this yields the old LanMan style printing and uses a \\sambaserver\printershare type of connection. - + Deposit and prepare the drivers (for later download) on the print server (Samba); this enables the clients to use “Point'n'Print” to get drivers semi-automatically installed the @@ -209,9 +209,9 @@ type printing calls. The second method is recommended for use over the first. Explicitly Enable “raw” Printing for application/octet-stream - - - + + + If you use the first option (drivers are installed on the client side), there is one setting to take care of: CUPS needs to be told that it should allow “raw” printing of deliberate (binary) file @@ -223,10 +223,10 @@ application/octet-stream - - + + In /etc/cups/mime.convs, have this line: - + application/octet-stream application/vnd.cups-raw 0 - @@ -237,8 +237,8 @@ Editing the mime.convs and the mime.types file does not enforce “raw” printing, it only allows it. Background. - - + + That CUPS is a more security-aware printing system than traditional ones does not by default allow a user to send deliberate (possibly binary) data to printing devices. This could be easily abused to launch a “Denial of Service” attack on your printer(s), causing at least the loss of a lot of paper and @@ -252,11 +252,11 @@ locally installed. If you are not interested in background information about more advanced CUPS/Samba printing, simply skip the remaining sections of this chapter. - Driver Upload Methods + Driver Upload Methods This section describes three familiar methods, plus one new one, by which printer drivers may be uploaded. - + If you want to use the MS-RPC-type printing, you must upload the drivers onto the Samba server first ([print$] share). For a discussion on how to deposit printer drivers on the @@ -265,27 +265,27 @@ chapter of this book. There you will find a description or reference to three methods of preparing the client drivers on the Samba server: - + The GUI, “Add Printer Wizard” upload-from-a-Windows-client method. The command line, “smbclient/rpcclient” upload-from-a-UNIX-workstation method. - + The Imprints tool set method. - + These three methods apply to CUPS all the same. The cupsaddsmb utility is a new and more convenient way to load the Windows drivers into Samba and is provided if you use CUPS. cupsaddsmb is discussed in much detail later in this chapter. But we first explore the CUPS filtering system and compare the Windows and UNIX printing architectures. - Advanced Intelligent Printing with PostScript Driver Download - + Advanced Intelligent Printing with PostScript Driver Download + We now know how to set up a “dump” print server, that is, a server that spools print jobs “raw”, leaving the print data untouched. You might need to set up CUPS in a smarter way. The reasons could be manifold: - Maybe your boss wants to get monthly statistics: Which + Maybe your boss wants to get monthly statistics: Which printer did how many pages? What was the average data size of a job? What was the average print run per day? What are the typical hourly peaks in printing? Which department prints how much? Maybe you are asked to set up a print quota system: @@ -301,28 +301,28 @@ Windows and UNIX printing, then a description of the CUPS filtering system, how it works, and how you can tweak it. GDI on Windows, PostScript on UNIX - - + + Network printing is one of the most complicated and error-prone day-to-day tasks any user or administrator may encounter. This is true for all OS platforms, and there are reasons it is so. - - - - - + + + + + You can't expect to throw just any file format at a printer and have it get printed. A file format conversion must take place. The problem is that there is no common standard for print file formats across all manufacturers and printer types. While PostScript (trademark held by Adobe) and, to an extent, PCL (trademark held by Hewlett-Packard) have developed into semi-official “standards” by being the most widely used page description languages (PDLs), there are still many manufacturers who “roll their own” (their reasons may be unacceptable license fees for using printer-embedded PostScript interpreters, and so on). - Windows Drivers, GDI, and EMF - - - - + Windows Drivers, GDI, and EMF + + + + In Windows OS, the format conversion job is done by the printer drivers. On MS Windows OS platforms all application programmers have at their disposal a built-in API, the graphical device interface (GDI), as part and parcel of the OS itself to base themselves on. This GDI core is used as one common unified ground for all @@ -333,21 +333,21 @@ the GDI, often produces a file format called Enhanced MetaFile (EMF). The EMF is processed by the printer driver and converted to the printer-specific file format. Note - - - + + + To the GDI foundation in MS Windows, Apple has chosen to put paper and screen output on a common foundation - for its (BSD-UNIX-based, did you know?) Mac OS X and Darwin operating - systems. + for its (BSD-UNIX-based, did you know?) Mac OS X and Darwin operating + systems. Apple's core graphic engine uses a PDF derivative for all display work. The example in Windows Printing to a Local Printer illustrates local Windows printing. - Figure 21.1. Windows Printing to a Local Printer. UNIX Printfile Conversion and GUI Basics - - - - + Figure 21.1. Windows Printing to a Local Printer. UNIX Printfile Conversion and GUI Basics + + + + In UNIX and Linux, there is no comparable layer built into the OS kernel(s) or the X (screen display) server. Every application is responsible for itself to create its print output. Fortunately, most use PostScript and that at least gives some common ground. Unfortunately, there are many different levels of quality for this @@ -361,16 +361,16 @@ unfavorable inheritance up to the present day by looking into the various “font” directories on your system; there are separate ones for fonts used for X display and fonts to be used on paper. Background. - - - - - - - - - + + + + + + + + + The PostScript programming language is an “invention” by Adobe, but its specifications have been published extensively. Its strength lies in its powerful abilities to describe graphical objects (fonts, shapes, patterns, lines, curves, and dots), their attributes (color, linewidth), and the way to manipulate @@ -382,11 +382,11 @@ interpreted by a rasterizer. Rasterizers produce pixel images, which may be displayed on screen by a viewer program or on paper by a printer. PostScript and Ghostscript - - - - - + + + + + So UNIX is lacking a common ground for printing on paper and displaying on screen. Despite this unfavorable legacy for UNIX, basic printing is fairly easy if you have PostScript printers at your disposal. The reason is that these devices have a built-in PostScript language “interpreter,” also called a raster image @@ -395,31 +395,31 @@ commands into a bitmap picture as you see it on paper, in a resolution as done by your printer. This is no different than PostScript printing a file from a Windows origin. Note - - - + + + Traditional UNIX programs and printing systems while using PostScript are largely not PPD-aware. PPDs are “PostScript Printer Description” files. They enable you to specify and control all options a printer supports: duplexing, stapling, and punching. Therefore, UNIX users for a long time couldn't choose many of the supported device and job options, unlike Windows or Apple users. But now there is CUPS. as illustrated in Printing to a PostScript Printer. Figure 21.2. Printing to a PostScript Printer. - + However, there are other types of printers out there. These do not know how to print PostScript. They use their own PDL, often proprietary. To print to them is much more demanding. Since your UNIX applications mostly produce PostScript, and since these devices do not understand PostScript, you need to convert the print files to a format suitable for your printer on the host before you can send it away. - Ghostscript: The Software RIP for Non-PostScript Printers - + Ghostscript: The Software RIP for Non-PostScript Printers + Here is where Ghostscript kicks in. Ghostscript is the traditional (and quite powerful) PostScript interpreter used on UNIX platforms. It is a RIP in software, capable of doing a lot of file format conversions for a very broad spectrum of hardware devices as well as software file formats. Ghostscript technology and drivers are what enable PostScript printing to non-PostScript hardware. This is shown in Ghostscript as a RIP for Non-PostScript Printers. Figure 21.3. Ghostscript as a RIP for Non-PostScript Printers. Tip - - - + + + Use the “gs -h” command to check for all built-in “devices” on your Ghostscript version. If you specify a parameter of -sDEVICE=png256 on your Ghostscript command line, you are asking Ghostscript to convert the input into a PNG file. Naming a “device” on the @@ -427,14 +427,14 @@ input. New Ghostscript versions are released at fairly regular intervals, now by artofcode LLC. They are initially put under the “AFPL” license, but re-released under the GNU GPL as soon as the next AFPL version appears. GNU Ghostscript is probably the version installed on most Samba systems. But it has some - deficiencies. Therefore, ESP Ghostscript was developed as an enhancement over GNU Ghostscript, + deficiencies. Therefore, ESP Ghostscript was developed as an enhancement over GNU Ghostscript, with lots of bug-fixes, additional devices, and improvements. It is jointly maintained by developers from CUPS, Gimp-Print, MandrakeSoft, SuSE, Red Hat, and Debian. It includes the “cups” device (essential to print to non-PS printers from CUPS). - PostScript Printer Description (PPD) Specification - - - + PostScript Printer Description (PPD) Specification + + + While PostScript in essence is a PDL to represent the page layout in a device-independent way, real-world print jobs are always ending up being output on hardware with device-specific features. To take care of all the differences in hardware and to allow for innovations, Adobe has specified a syntax and file format for @@ -456,17 +456,17 @@ PostScript, PJL, JCL, or vendor-dependent commands) into the PostScript file created by the driver. Warning - - + + A PostScript file that was created to contain device-specific commands for achieving a certain print job output (e.g., duplexed, stapled, and punched) on a specific target machine may not print as expected, or may not be printable at all on other models; it also may not be fit for further processing by software (e.g., by a PDF distilling program). - Using Windows-Formatted Vendor PPDs - - - + Using Windows-Formatted Vendor PPDs + + + CUPS can handle all spec-compliant PPDs as supplied by the manufacturers for their PostScript models. Even if a vendor does not mention our favorite OS in his or her manuals and brochures, you can safely trust this: If you get the Windows NT version of the PPD, you can use it unchanged in CUPS and thus @@ -477,31 +477,31 @@ parsing and checking code enabled; in case of printing trouble, this online resource should be one of your first pit stops. Warning - - + + For real PostScript printers, do not use the Foomatic or cupsomatic PPDs from Linuxprinting.org. With these devices, the original vendor-provided PPDs are always the first choice. Tip - + If you are looking for an original vendor-provided PPD of a specific device, and you know that an NT4 box (or any other Windows box) on your LAN has the PostScript driver installed, just use smbclient //NT4-box/print\$ -U username to access the Windows directory where all printer driver files are stored. First look in the W32X86/2 subdirectory for the PPD you are seeking. - CUPS Also Uses PPDs for Non-PostScript Printers - - - + CUPS Also Uses PPDs for Non-PostScript Printers + + + CUPS also uses specially crafted PPDs to handle non-PostScript printers. These PPDs are usually not available from the vendors (and no, you can't just take the PPD of a PostScript printer with the same model name and hope it works for the non-PostScript version too). To understand how these PPDs work for non-PS printers, we first need to dive deeply into the CUPS filtering and file format conversion architecture. Stay tuned. - The CUPS Filtering Architecture - - + The CUPS Filtering Architecture + + The core of the CUPS filtering system is based on Ghostscript. In addition to Ghostscript, CUPS uses some other filters of its own. You (or your OS vendor) may have plugged in even more filters. CUPS handles all data file formats under the label of various MIME types. Every incoming print file is subjected to an initial @@ -512,82 +512,82 @@ If CUPS rasterizes a PostScript file natively to a bitmap, this is done in two stages: - - + + The first stage uses a Ghostscript device named “cups” (this is since version 1.1.15) and produces a generic raster format called “CUPS raster”. - + The second stage uses a “raster driver” that converts the generic CUPS raster to a device-specific raster. - - + + Make sure your Ghostscript version has the “cups” device compiled in (check with gs -h | grep cups). Otherwise you may encounter the dreaded Unable to convert file 0 in your CUPS error_log file. To have “cups” as a device in your Ghostscript, you either need to patch GNU Ghostscript and recompile or use -ESP Ghostscript. The superior alternative is ESP +ESP Ghostscript. The superior alternative is ESP Ghostscript. It supports not just CUPS, but 300 other devices (while GNU Ghostscript supports only about 180). Because of this broad output device support, ESP Ghostscript is the first choice for non-CUPS spoolers, too. It is now recommended by Linuxprinting.org for all spoolers. - - + + CUPS printers may be set up to use external rendering paths. One of the most common is provided by the Foomatic/cupsomatic concept from Linuxprinting.org. This uses the classical Ghostscript approach, doing everything in one step. It does not use the “cups” device, but one of the many others. However, even for Foomatic/cupsomatic usage, best -results and broadest printer +results and broadest printer model support is provided by ESP Ghostscript (more about Foomatic/cupsomatic, particularly the new version called now foomatic-rip, follows). - MIME Types and CUPS Filters - - - - + MIME Types and CUPS Filters + + + + CUPS reads the file /etc/cups/mime.types (and all other files carrying a *.types suffix in the same directory) upon startup. These files contain the MIME type recognition rules that are applied when CUPS runs its autotyping routines. The rule syntax is explained in the man page for mime.types and in the comments section of the mime.types file itself. A simple rule reads like this: - + application/pdf pdf string(0,%PDF) - - + + This means if a filename has a .pdf suffix or if the magic string %PDF is right at the beginning of the file itself (offset 0 from the start), then it is a PDF file (application/pdf). Another rule is this: application/postscript ai eps ps string(0,%!) string(0,<04>%!) - - - + + + If the filename has one of the suffixes .ai, .eps, .ps, or if the file itself starts with one of the strings %! or <04>%!, it is a generic PostScript file (application/postscript). Warning - + Don't confuse the other mime.types files your system might be using with the one in the /etc/cups/ directory. Note - - - + + + There is an important difference between two similar MIME types in CUPS: one is application/postscript, the other is application/vnd.cups-postscript. While application/postscript is @@ -598,32 +598,32 @@ (application/vnd.cups-postscript) is the responsibility of the CUPS pstops filter. pstops uses information contained in the PPD to do the transformation. - - - + - + - + + + CUPS can handle ASCII text, HP-GL, PDF, PostScript, DVI, and many image formats (GIF, PNG, TIFF, JPEG, Photo-CD, SUN-Raster, PNM, PBM, SGI-RGB, and more) and their associated MIME types with its filters. - MIME Type Conversion Rules - - - - + MIME Type Conversion Rules + + + + CUPS reads the file /etc/cups/mime.convs (and all other files named with a *.convs suffix in the same directory) upon startup. These files contain @@ -634,44 +634,44 @@ application/pdf application/postscript 33 pdftops - + This means that the pdftops filter will take application/pdf as input and produce application/postscript as output; the virtual cost of this operation is 33 CUPS-$. The next filter is more expensive, costing 66 CUPS-$: - + application/vnd.hp-HPGL application/postscript 66 hpgltops - + This is the hpgltops, which processes HP-GL plotter files to PostScript. - + application/octet-stream Here are two more examples: - - - + + + application/x-shell application/postscript 33 texttops text/plain application/postscript 33 texttops - + The last two examples name the texttops filter to work on text/plain as well as on application/x-shell. (Hint: This differentiation is needed for the syntax highlighting feature of texttops). - Filtering Overview - + Filtering Overview + There are many more combinations named in mime.convs. However, you are not limited to use the ones predefined there. You can plug in any filter you like to the CUPS framework. It must meet, or must be made to meet, some minimal requirements. If you find (or write) a cool conversion filter of some kind, make sure it complies with what CUPS needs and put in the right lines in mime.types and mime.convs; then it will work seamlessly inside CUPS. - Filter Requirements + Filter Requirements The “CUPS requirements” for filters are simple. Take filenames or stdin as input and write to stdout. They should take these arguments: printer @@ -690,24 +690,24 @@ (optionally) The print request file (if missing, filters expected data fed through stdin). In most cases, it is easy to write a simple wrapper script around existing filters to make them work with CUPS. - Prefilters - - - + Prefilters + + + As previously stated, PostScript is the central file format to any UNIX-based printing system. From PostScript, CUPS generates raster data to feed non-PostScript printers. - - - + - + + + But what happens if you send one of the supported non-PS formats to print? Then CUPS runs “prefilters” on these input formats to generate PostScript first. There are prefilters to create PostScript from ASCII text, PDF, DVI, or HP-GL. The outcome of these filters is always of MIME type @@ -717,14 +717,14 @@ MIME type application/vnd.cups-postscript (not application/postscript), meaning it has the print options already embedded into the file. This is shown in Prefiltering in CUPS to Form PostScript. - Figure 21.4. Prefiltering in CUPS to Form PostScript. pstops - - + Figure 21.4. Prefiltering in CUPS to Form PostScript. pstops - - + + + + pstops is a filter that is used to convert application/postscript to application/vnd.cups-postscript. As stated earlier, this filter inserts all device-specific print options (commands to the printer to ask for the duplexing of output, or stapling and @@ -740,10 +740,10 @@ so-called “number-up” function). Counting the pages of the job to insert the accounting information into the /var/log/cups/page_log. - pstoraster - - + pstoraster + + pstoraster is at the core of the CUPS filtering system. It is responsible for the first stage of the rasterization process. Its input is of MIME type application/vnd.cups-postscript; its output is application/vnd.cups-raster. This output format is not yet meant to be printable. Its aim is to serve as a @@ -751,10 +751,10 @@ generate device-specific printer data. This is shown in the PostScript to Intermediate Raster Format diagram. Figure 21.6. PostScript to Intermediate Raster Format. - - + + CUPS raster is a generic raster format with powerful features. It is able to include per-page information, color profiles, and more, to be used by the downstream raster drivers. Its MIME type is registered with IANA and its specification is, of course, completely open. It is designed to make it quite easy and inexpensive for @@ -764,10 +764,10 @@ raster drivers). This is illustrated in the CUPS-Raster Production Using Ghostscript illustration. Figure 21.7. CUPS-Raster Production Using Ghostscript. - - + + CUPS versions before version 1.1.15 shipped a binary (or source code) standalone filter, named pstoraster. pstoraster, which was derived from GNU Ghostscript 5.50 and could be installed instead of and in addition to any GNU or AFPL Ghostscript package without @@ -778,27 +778,27 @@ now a simple shell script calling gs with the -sDEVICE=cups parameter. If your Ghostscript fails when this command is executed: gs -h |grep cups, you might not be able to print, update your Ghostscript. - imagetops and imagetoraster - - + imagetops and imagetoraster + + In the section about prefilters, we mentioned the prefilter that generates PostScript from image formats. The imagetoraster filter is used to convert directly from image to raster, without the intermediate PostScript stage. It is used more often than the previously mentioned prefilters. We summarize in a flowchart the image file filtering in the Image Format to CUPS-Raster Format Conversion illustration. - Figure 21.8. Image Format to CUPS-Raster Format Conversion. rasterto [printers specific] - - + Figure 21.8. Image Format to CUPS-Raster Format Conversion. rasterto [printers specific] - + + + CUPS ships with quite a variety of raster drivers for processing CUPS raster. On my system, I find in /usr/lib/cups/filter/ the following: rastertoalps, rastertobj, rastertoepson, rastertoescp, rastertopcl, @@ -809,9 +809,9 @@ rastertoprinter) by third-party driver development projects (such as Gimp-Print) wanting to cooperate as closely as possible with CUPS. See the Raster to Printer-Specific Formats illustration. - Figure 21.9. Raster to Printer-Specific Formats. CUPS Backends - - + Figure 21.9. Raster to Printer-Specific Formats. CUPS Backends + + The last part of any CUPS filtering chain is a backend. Backends are special programs that send the print-ready file to the final device. There is a separate backend program for any transfer @@ -885,8 +885,8 @@ email back to the $USER asking him or her to always specify the correct printer name.) - - + + Not all of the mentioned backends may be present on your system or usable (depending on your hardware configuration). One test for all available CUPS backends is provided by the lpinfo @@ -894,12 +894,12 @@ all available backends: $ lpinfo -v - The Role of cupsomatic/foomatic - - - - + The Role of cupsomatic/foomatic + + + + cupsomatic filters may be the most widely used on CUPS installations. You must be clear that these were not developed by the CUPS people. They are a third-party add-on to @@ -923,9 +923,7 @@ autoconstructed from the selected PPD and command line options give to the print job. - - - + @@ -934,6 +932,8 @@ + + However, cupsomatic is now deprecated. Its PPDs (especially the first generation of them, still in heavy use out there) are not meeting the Adobe specifications. You might also suffer difficulties when you try @@ -955,11 +955,11 @@ best thing is that the new foomatic-rip works seamlessly with all legacy spoolers too (like LPRng, BSD-LPD, PDQ, PPR, and so on), providing for them access to use PPDs for their printing. - The Complete Picture + The Complete Picture If you want to see an overview of all the filters and how they relate to each other, the complete picture of the puzzle is at the end of this chapter. - mime.convs + mime.convs CUPS autoconstructs all possible filtering chain paths for any given MIME type and every printer installed. But how does it decide in favor of or against a specific alternative? (There may be cases @@ -969,8 +969,8 @@ assigned to this filter. Every possible filtering chain will sum up to a total “filter cost.” CUPS decides for the most “inexpensive” route. Tip - - + + Setting FilterLimit 1000 in cupsd.conf will not allow more filters to run concurrently than will consume a total of 1000 virtual filter @@ -978,10 +978,10 @@ server by setting an appropriate “FilterLimit” value. A FilterLimit of 200 allows roughly one job at a time, while a FilterLimit of 1000 allows approximately five jobs maximum at a time. - “Raw” Printing - - + “Raw” Printing + + You can tell CUPS to print (nearly) any file “raw”. “Raw” means it will not be filtered. CUPS will send the file to the printer “as is” without bothering if the printer is able to digest it. Users need to take care themselves that they send sensible data formats only. Raw printing can @@ -999,9 +999,9 @@ if it can't find a PPD associated with the queue. However, CUPS will only send known MIME types (as defined in its own mime.types file) and refuse others. - application/octet-stream Printing - - + application/octet-stream Printing + + Any MIME type with no rule in the /etc/cups/mime.types file is regarded as unknown or application/octet-stream and will not be sent. Because CUPS refuses to print unknown MIME types by default, @@ -1014,11 +1014,11 @@ To enable the printing of application/octet-stream files, edit these two files: /etc/cups/mime.convs /etc/cups/mime.types - + Both contain entries (at the end of the respective files) that must be uncommented to allow raw mode operation for application/octet-stream. In /etc/cups/mime.types make sure this line is present: - + application/octet-stream @@ -1029,7 +1029,7 @@ application/octet-stream application/vnd.cups-raw 0 - - + This line tells CUPS to use the Null Filter (denoted as “-”, doing nothing at all) on application/octet-stream, and tag the result as @@ -1040,10 +1040,10 @@ Editing the mime.convs and the mime.types file does not enforce “raw” printing, it only allows it. Background. - - + + That CUPS is a more security-aware printing system than traditional ones does not by default allow one to send deliberate (possibly binary) data to printing devices. (This could be easily abused to launch a @@ -1055,13 +1055,13 @@ /etc/cups/mime.types defines the “rules” of how CUPS recognizes MIME types. The file /etc/cups/mime.convs decides which file conversion filter(s) may be applied to which MIME types. -

`PostScript Printer Descriptions for Non-PostScript Printers`

- - - +

`PostScript Printer Descriptions for Non-PostScript Printers`

+ + + Originally PPDs were meant to be used for PostScript printers only. Here, they help to send device-specific commands and settings to the RIP, which processes the job file. CUPS has extended this @@ -1074,7 +1074,7 @@

PPDs for a non-PostScript printer have a few lines that are unique to CUPS. The most important one looks similar to this: - +

 *cupsFilter: application/vnd.cups-raster  66   rastertoprinter

@@ -1092,14 +1092,14 @@ several hundred printer models. You may not be able to control different paper trays, or you may get larger margins than your specific model supports. See Table 21.1??? for summary information. -

Table 21.1. PPDs Shipped with CUPS PPD file Printer type deskjet.ppd older HP inkjet printers and compatible deskjet2.ppd newer HP inkjet printers and compatible dymo.ppd label printers epson9.ppd Epson 24-pin impact printers and compatible epson24.ppd Epson 24-pin impact printers and compatible okidata9.ppd Okidata 9-pin impact printers and compatible okidat24.ppd Okidata 24-pin impact printers and compatible stcolor.ppd older Epson Stylus Color printers stcolor2.ppd newer Epson Stylus Color printers stphoto.ppd older Epson Stylus Photo printers stphoto2.ppd newer Epson Stylus Photo printers laserjet.ppd all PCL printers

`cupsomatic/foomatic-rip Versus Native CUPS Printing`

- - +

`cupsomatic/foomatic-rip Versus Native CUPS Printing`

+ + Native CUPS rasterization works in two steps:

- + First is the pstoraster step. It uses the special CUPS - + device from ESP Ghostscript 7.05.x as its tool.
Second is the rasterdriver step. It uses various @@ -1114,7 +1114,7 @@ One other method is the cupsomatic/foomatic-rip way. Note that cupsomatic is not made by the CUPS developers. It is an independent contribution to printing development, - made by people from Linuxprinting.org.^[6] + made by people from Linuxprinting.org.^[6] cupsomatic is no longer developed, maintained, or supported. It now been replaced by foomatic-rip. foomatic-rip is a complete rewrite of the old cupsomatic idea, but very much improved and generalized to @@ -1122,8 +1122,8 @@ advised, especially if you are upgrading to a recent version of CUPS, too.
- - + + Like the old cupsomatic method, the foomatic-rip (new) method from Linuxprinting.org uses the traditional Ghostscript print file processing, doing everything in a single step. It therefore relies on all the other devices built into Ghostscript. The quality is as good (or bad) as @@ -1133,12 +1133,12 @@ Of course, you can use both methods side by side on one system (and even for one printer, if you set up different queues) and find out which works best for you.
- - - + + + cupsomatic kidnaps the print file after the application/vnd.cups-postscript stage and deviates it through the CUPS-external, systemwide Ghostscript installation. Therefore, the print file bypasses the pstoraster @@ -1147,14 +1147,14 @@ backend. cupsomatic/foomatic Processing Versus Native CUPS, illustrates the difference between native CUPS rendering and the Foomatic/cupsomatic method. -

`Examples for Filtering Chains`

+

`Examples for Filtering Chains`

Here are a few examples of commonly occurring filtering chains to illustrate the workings of CUPS.

- - - + + + Assume you want to print a PDF file to an HP JetDirect-connected PostScript printer, but you want to print pages 3-5, 7, and 11-13 only, and you want to print them “two-up” and “duplex”: @@ -1173,10 +1173,10 @@ backend, which transfers the job to the printers.

The resulting filter chain, therefore, is as shown in the PDF to socket chain illustration. -

Figure 21.11. PDF to Socket Chain. - - + Figure 21.11. PDF to Socket Chain. + + Assume you want to print the same filter to an USB-connected Epson Stylus Photo Printer installed with the CUPS stphoto2.ppd. The first few filtering stages are nearly the same: @@ -1186,14 +1186,14 @@ The (complete) PDF file is sent to CUPS and autotyped as application/pdf. - - + + The file must first pass the pdftops prefilter, which produces PostScript MIME type application/postscript (a preview here would still show all pages of the original PDF). - - + + The file then passes the “pstops” filter that applies the command-line options: it selects the pages 2-5, 7, and 11-13, creates the imposed layout “two pages on one sheet,” and inserts the @@ -1205,7 +1205,7 @@ The file then passes the pstoraster stage and becomes MIME type application/cups-raster. - + Finally, the rastertoepson filter does its work (as indicated in the printer's PPD), creating the printer-specific raster data and embedding any user-selected @@ -1215,11 +1215,11 @@ The resulting filter chain therefore is as shown in the PDF to USB Chain illustration. - Figure 21.12. PDF to USB Chain.

`Sources of CUPS Drivers/PPDs`

+

Figure 21.12. PDF to USB Chain.

`Sources of CUPS Drivers/PPDs`

On the Internet you can now find many thousands of CUPS-PPD files (with their companion filters), in many national languages supporting more than 1,000 non-PostScript models. -

+ ESP PrintPro (commercial, non-free) is packaged with more than 3,000 PPDs, ready for successful use “out of the box” on Linux, Mac OS X, IBM-AIX, @@ -1247,9 +1247,9 @@ Foomatic/cupsomatic (LPGL, free) from Linuxprinting.org provide PPDs for practically every Ghostscript filter known to the world (including Omni, Gimp-Print, and HPIJS). -

`Printing with Interface Scripts`

- - +

`Printing with Interface Scripts`

+ + CUPS also supports the use of “interface scripts” as known from System V AT&T printing systems. These are often used for PCL printers, from applications that generate PCL print jobs. Interface @@ -1271,16 +1271,16 @@ use of interface scripts is found at http://playground.sun.com/printing/documentation/interface.html). -

`Network Printing (Purely Windows)`

+

`Network Printing (Purely Windows)`

Network printing covers a lot of ground. To understand what exactly goes on with Samba when it is printing on behalf of its Windows clients, let's first look at a “purely Windows” setup: Windows clients with a Windows NT print server. -

`From Windows Clients to an NT Print Server`

+

`From Windows Clients to an NT Print Server`

Windows clients printing to an NT-based print server have two options. They may: - - + +

Execute the driver locally and render the GDI output (EMF) into the printer-specific format on their own.
Send the GDI output (EMF) to the server, where the @@ -1289,7 +1289,7 @@ Both print paths are shown in the flowcharts in Print Driver Execution on the Client, and Print Driver Execution on the Server. -

`Driver Execution on the Client`

+

`Driver Execution on the Client`

In the first case, the print server must spool the file as raw, meaning it shouldn't touch the job file and try to convert it in any way. This is what a traditional UNIX-based print server can do too, and at a better performance and more reliably than an NT print server. This is what most Samba administrators probably are @@ -1297,12 +1297,12 @@ even if no driver(s) for UNIX is available. It is sufficient to have the Windows client drivers available and installed on the clients. This is illustrated in the Print Driver Execution on the Client diagram. -

Figure 21.13. Print Driver Execution on the Client.

`Driver Execution on the Server`

- - - - - +

Figure 21.13. Print Driver Execution on the Client.

`Driver Execution on the Server`

+ + + + + The other path executes the printer driver on the server. The client transfers print files in EMF format to the server. The server uses the PostScript, PCL, ESC/P, or other driver to convert the EMF file into the printer-specific language. It is not possible for UNIX to do the same. Currently, there is no program or @@ -1310,14 +1310,14 @@ This is illustrated in the Print Driver Execution on the Server diagram.

Figure 21.14. Print Driver Execution on the Server.

However, something similar is possible with CUPS, so read on. -

`Network Printing (Windows Clients and UNIX/Samba Print +`

`Network Printing (Windows Clients and UNIX/Samba Print Servers)`

Since UNIX print servers cannot execute the Win32 program code on their platform, the picture is somewhat different. However, this does not limit your options all that much. On the contrary, you may have a way here to implement printing features that are not possible otherwise. -

`From Windows Clients to a CUPS/Samba Print Server`

+

`From Windows Clients to a CUPS/Samba Print Server`

Here is a simple recipe showing how you can take advantage of CUPS's powerful features for the benefit of your Windows network printing clients: @@ -1329,16 +1329,16 @@

First, to enable CUPS-based printing through Samba, the following options should be set in your smb.conf file [global] section: -

printing = cups

printcap = cups

-When these parameters are specified, all manually set print directives (like print command or lppause command) in smb.conf (as well as in Samba itself) will be +

printing = cups

printcap = cups

+When these parameters are specified, all manually set print directives (like print command or lppause command) in smb.conf (as well as in Samba itself) will be ignored. Instead, Samba will directly interface with CUPS through its application program interface (API), as long as Samba has been compiled with CUPS library (libcups) support. If Samba has not been compiled with CUPS support, and if no other print commands are set up, then printing will use the System V AT&T command set, with the -oraw option automatically passing through (if you want your own defined print -commands to work with a Samba server that has CUPS support compiled in, simply use classicalprinting = sysv). This is illustrated in the Printing via +commands to work with a Samba server that has CUPS support compiled in, simply use classicalprinting = sysv). This is illustrated in the Printing via CUPS/Samba Server diagram. -

Figure 21.15. Printing via CUPS/Samba Server.

`Samba Receiving Job-Files and Passing Them to CUPS`

-Samba must use its own spool directory (it is set by a line similar to path = /var/spool/samba, in the [printers] or [printername] section of smb.conf). Samba receives the job in its own spool space and passes it +

Figure 21.15. Printing via CUPS/Samba Server.

`Samba Receiving Job-Files and Passing Them to CUPS`

+Samba must use its own spool directory (it is set by a line similar to path = /var/spool/samba, in the [printers] or [printername] section of smb.conf). Samba receives the job in its own spool space and passes it into the spool directory of CUPS (the CUPS spool directory is set by the RequestRoot directive in a line that defaults to RequestRoot /var/spool/cups). CUPS checks the access rights of its spool directory and resets it to healthy values with every restart. We have seen quite a @@ -1349,13 +1349,13 @@ configured). If Samba runs on the same host as CUPS, you only need to allow “localhost” to print. If it runs on different machines, you need to make sure the Samba host gets access to printing on CUPS. -

`Network PostScript RIP`

+

`Network PostScript RIP`

This section discusses the use of CUPS filters on the server configuration where clients make use of a PostScript driver with CUPS-PPDs.

- - - + + + PPDs can control all print device options. They are usually provided by the manufacturer if you own a PostScript printer, that is. PPD files are always a component of PostScript printer drivers on MS Windows or Apple Mac OS systems. They are ASCII files containing user-selectable print options, mapped to appropriate @@ -1368,8 +1368,8 @@ lpoptions or see if you have lphelp on your system). There are also some different GUI front-ends on Linux/UNIX, which can present PPD options to users. PPD options are normally meant to be evaluated by the PostScript RIP on the real PostScript printer. -

`PPDs for Non-PS Printers on UNIX`

- +

`PPDs for Non-PS Printers on UNIX`

+ CUPS does not limit itself to “real” PostScript printers in its use of PPDs. The CUPS developers have extended the scope of the PPD concept to also describe available device and driver options for non-PostScript printers through CUPS-PPDs. @@ -1381,8 +1381,8 @@ for the interpretation of the supplied PostScript. Thus CUPS lets all its printers appear as PostScript devices to its clients, because it can act as a PostScript RIP for those printers, processing the received PostScript code into a proper raster print format. -

`PPDs for Non-PS Printers on Windows`

- +

`PPDs for Non-PS Printers on Windows`

+ CUPS-PPDs can also be used on Windows clients, on top of a “core” PostScript driver (now recommended is the CUPS PostScript Driver for Windows NT/200x/XP; you can also use the Adobe one, with limitations). This feature enables CUPS to do a few tricks no other spooler can do: @@ -1396,11 +1396,11 @@ Enable clients to consolidate on a single PostScript driver, even for many different target printers.

Using CUPS PPDs on Windows clients enables them to control all print job settings just as a UNIX client can do. -

`Windows Terminal Servers (WTS) as CUPS Clients`

+

`Windows Terminal Servers (WTS) as CUPS Clients`

This setup may be of special interest to people experiencing major problems in WTS environments. WTS often need a multitude of non-PostScript drivers installed to run their clients' variety of different printer models. This often imposes the price of much increased instability. -

Printer Drivers Running in “Kernel Mode” Cause Many + Printer Drivers Running in “Kernel Mode” Cause Many Problems Windows NT printer drivers, which run in “kernel mode”, introduce a high risk for the stability of the system if the driver is not really stable and well-tested. And there are a lot of bad drivers out @@ -1412,14 +1412,14 @@ run in kernel mode. This might be because until now there have been only two different PostScript drivers: the one from Adobe and the one from Microsoft. Both are well-tested and are as stable as you can imagine on Windows. The CUPS driver is derived from the Microsoft one. - Workarounds Impose Heavy Limitations + Workarounds Impose Heavy Limitations In an attempt to work around problems, site administrators have resorted to restricting the allowed drivers installed on their WTS to one generic PCL and one PostScript driver. This, however, restricts the the number of printer options available for clients to use. Often they can't get out more than simplex prints from one standard paper tray, while their devices could do much better if driven by a different driver! - CUPS: A “Magical Stone”? - - + CUPS: A “Magical Stone”? + + Using a PostScript driver, enabled with a CUPS-PPD, seems to be a very elegant way to overcome all these shortcomings. There are, depending on the version of Windows OS you use, up to three different PostScript drivers now available: Adobe, Microsoft, and CUPS PostScript drivers. None of them is known to cause major @@ -1428,14 +1428,14 @@ server acting as a PostScript RIP for its clients requires more CPU and RAM than when just acting as a “raw spooling” device. Plus, this setup is not yet widely tested, although the first feedbacks look very promising. - PostScript Drivers with No Major Problems, Even in Kernel + PostScript Drivers with No Major Problems, Even in Kernel Mode - - - - - - + + + + + + More recent printer drivers on W200x and XP no longer run in kernel mode (unlike Windows NT). However, both operating systems can still use the NT drivers, running in kernel mode (you can roughly tell which is which as the drivers in subdirectory “2” of “W32X86” are “old” ones). As was @@ -1447,13 +1447,13 @@ allow them to publish the whole of the source code. However, they have released the “diff” under the GPL, and if you are the owner of an “MS DDK for Windows NT,” you can check the driver yourself. - Configuring CUPS for Driver Download + Configuring CUPS for Driver Download As we have said before, all previously known methods to prepare client printer drivers on the Samba server for download and Point'n'Print convenience of Windows workstations are working with CUPS, too. These methods were described in Classical Printing. In reality, this is a pure Samba business and relates only to the Samba-Windows client relationship. - cupsaddsmb: The Unknown Utility - + cupsaddsmb: The Unknown Utility + The cupsaddsmb utility (shipped with all current CUPS versions) is an alternative method to transfer printer drivers into the Samba [print$] share. Remember, this share is where clients expect drivers deposited and set up for download and installation. It makes the sharing @@ -1470,11 +1470,11 @@ However, currently only Windows NT, 2000, and XP are supported by the CUPS drivers. You will also need to get the respective part of the Adobe driver if you need to support Windows 95, 98, and Me clients. - Prepare Your smb.conf for cupsaddsmb + Prepare Your smb.conf for cupsaddsmb Prior to running cupsaddsmb, you need the settings in smb.conf as shown in the smb.conf for cupsaddsmb Usage. - Example 21.3. smb.conf for cupsaddsmb Usage [global] load printers = yes printing = cups printcap name = cups [printers] comment = All Printers path = /var/spool/samba browseable = no public = yes # setting depends on your requirements guest ok = yes writable = no printable = yes printer admin = root [print$] comment = Printer Drivers path = /etc/samba/drivers browseable = yes guest ok = no read only = yes write list = root CUPS “PostScript Driver for Windows NT/200x/XP” - + Example 21.3. smb.conf for cupsaddsmb Usage [global] load printers = yes printing = cups printcap name = cups [printers] comment = All Printers path = /var/spool/samba browseable = no public = yes # setting depends on your requirements guest ok = yes writable = no printable = yes printer admin = root [print$] comment = Printer Drivers path = /etc/samba/drivers browseable = yes guest ok = no read only = yes write list = root CUPS “PostScript Driver for Windows NT/200x/XP” + CUPS users may get the exact same package from http://www.cups.org/software.html. It is a separate package from the CUPS-based software files, tagged as CUPS 1.1.x Windows NT/200x/XP Printer Driver for Samba (tar.gz, 192k). The filename to download is cups-samba-1.1.x.tar.gz. Upon untar and unzipping, it @@ -1487,8 +1487,8 @@ cups-samba.remove cups-samba.ss - - + + These have been packaged with the ESP meta-packager software EPM. The .install and .remove files are simple shell scripts, which untar the .ss (the .ss is nothing else but a tar archive, which can be untarred by “tar” too). @@ -1520,32 +1520,32 @@ around this, copy/move the file (after running the ./cups-samba.install script) manually to the correct place. - + This new CUPS PostScript driver is currently binary only, but free of charge. No complete source code is provided (yet). The reason is that it has been developed with the help of the Microsoft DDK and compiled with Microsoft Visual Studio 6. Driver developers are not allowed to distribute the whole of the source code as free software. However, CUPS developers released the “diff” in source code under the GPL, so anybody with a license for Visual Studio and a DDK will be able to compile for himself or herself. - Recognizing Different Driver Files + Recognizing Different Driver Files The CUPS drivers do not support the older Windows 95/98/Me, but only the Windows NT/2000/XP client. Windows NT, 2000, and XP are supported by: cups.hlp cupsdrvr.dll cupsui.dll Adobe drivers are available for the older Windows 95/98/Me as well as for Windows NT/2000/XP clients. The set of files is different from the different platforms. Windows 95, 98, and ME are supported by: ADFONTS.MFM ADOBEPS4.DRV ADOBEPS4.HLP DEFPRTR2.PPD ICONLIB.DLL PSMON.DLL Windows NT, 2000, and XP are supported by: ADOBEPS5.DLL ADOBEPSU.DLL ADOBEPSU.HLP Note - + If both the Adobe driver files and the CUPS driver files for the support of Windows NT/200x/XP are presently installed on the server, the Adobe files will be ignored and the CUPS files will be used. If you prefer for whatever reason to use Adobe-only drivers, move away the three CUPS driver files. The Windows 9x/Me clients use the Adobe drivers in any case. - Acquiring the Adobe Driver Files + Acquiring the Adobe Driver Files Acquiring the Adobe driver files seems to be unexpectedly difficult for many users. They are not available on the Adobe Web site as single files, and the self-extracting and/or self-installing Windows-.exe is not easy to locate either. You probably need to use the included native installer and run the installation process on one client once. This will install the drivers (and one generic PostScript printer) locally on the client. When they are installed, share the generic PostScript printer. After this, the client's [print$] share holds the Adobe files, which you can get with smbclient from the CUPS host. - ESP Print Pro PostScript Driver for Windows NT/200x/XP - + ESP Print Pro PostScript Driver for Windows NT/200x/XP + Users of the ESP Print Pro software are able to install the ESP print drivers package as an alternative to the Adobe PostScript drivers. To do so, retrieve the driver files from the normal download area of the ESP Print Pro software at Easy Software web site. @@ -1555,19 +1555,19 @@ the menu. Of course, you need to have prepared Samba beforehand to handle the driver files; that is, set up the [print$] share, and so on. The ESP Print Pro package includes the CUPS driver files as well as a (licensed) set of Adobe drivers for the Windows 95/98/Me client family. - Caveats to Be Considered - - - - + Caveats to Be Considered + + + + Once you have run the install script (and possibly manually moved the cups.hlp file to /usr/share/cups/drivers/), the driver is ready to be put into Samba's [print$] share (which often maps to /etc/samba/drivers/ and contains a subdirectory tree with WIN40 and W32X86 branches). You do this by running cupsaddsmb (see also man cupsaddsmb for CUPS since release 1.1.16). Tip - - + + You may need to put root into the smbpasswd file by running smbpasswd; this is especially important if you should run this whole procedure for the first time and are not working in an environment where everything is configured for single sign-on to a Windows Domain Controller. @@ -1582,8 +1582,8 @@ in the /usr/share/cups/drivers/ directory. The new cupsaddsmb (from 1.1.16) will automatically prefer its own drivers if it finds both. Note - - + + Should your Windows clients have had the old ADOBE. files for the Adobe PostScript driver installed, the download and installation of the new CUPS PostScript driver for Windows NT/200x/XP will fail at first. You need to wipe the old driver from the clients first. It is not enough to @@ -1597,43 +1597,43 @@ printers using this driver in the Printers folder first. You will need Administrator privileges to do this. Note - - + + Once you have successfully downloaded the CUPS PostScript driver to a client, you can easily switch all printers to this one by proceeding as described in Classical Printing Support. Either change a driver for an existing printer by running the Printer Properties dialog, or use rpcclient with the setdriver subcommand. - Windows CUPS PostScript Driver Versus Adobe Driver + Windows CUPS PostScript Driver Versus Adobe Driver Are you interested in a comparison between the CUPS and the Adobe PostScript drivers? For our purposes, these are the most important items that weigh in favor of CUPS: No hassle with the Adobe EULA. No hassle with the question, “Where do I get the ADOBE. driver files?” - + The Adobe drivers (on request of the printer PPD associated with them) often put a PJL header in front of the main PostScript part of the print file. Thus, the print file starts with <1B >%-12345X or <escape>%-12345X instead of %!PS. This leads to the CUPS daemon autotyping the incoming file as a print-ready file, not initiating a pass through the pstops filter (to speak more technically, it is not - regarded as the generic MIME-type + regarded as the generic MIME-type application/postscript, but as the more special MIME type - + application/cups.vnd-postscript), which therefore also leads to the page accounting in /var/log/cups/page_log not receiving the exact number of pages; instead the dummy page number of “1” is logged in a standard setup). The Adobe driver has more options to misconfigure the - + PostScript generated by it (like setting it inadvertently to Optimize for Speed instead of Optimize for Portability, which could lead to CUPS being unable to process it). The CUPS PostScript driver output sent by Windows - + clients to the CUPS server is guaranteed to autotype as the generic MIME type application/postscript, thus passing through the CUPS pstops filter and logging the correct number of pages in the page_log for accounting and quota purposes. - + The CUPS PostScript driver supports the sending of additional standard (IPP) print options by Windows NT/200x/XP clients. Such additional print options are naming the CUPS standard banner pages (or the custom ones, should they be installed at the time of driver download), using the CUPS @@ -1646,36 +1646,36 @@ not disturb any other applications because they will regard it as a comment and simply ignore it). The CUPS PostScript driver will be the heart of the fully fledged CUPS IPP client for Windows NT/200x/XP to be released soon - (probably alongside the first beta release for CUPS 1.2). Run cupsaddsmb (Quiet Mode) - - + (probably alongside the first beta release for CUPS 1.2).

`Run cupsaddsmb (Quiet Mode)`

+ + The cupsaddsmb command copies the needed files into your [print$] share. Additionally, the PPD associated with this printer is copied from /etc/cups/ppd/ to [print$]. There the files wait for convenient Windows client installations via Point'n'Print. Before we can run the command successfully, we need to be sure that we can authenticate toward -Samba. If you have a small network, you are probably using user-level security (security = user). +Samba. If you have a small network, you are probably using user-level security (security = user).

Here is an example of a successfully run cupsaddsmb command: - - + +

 root# cupsaddsmb -U root infotec_IS2027
 Password for root required to access localhost via Samba: ['secret']

- + To share all printers and drivers, use the -a parameter instead of a printer name. Since cupsaddsmb “exports” the printer drivers to Samba, it should be obvious that it only works for queues with a CUPS driver associated. -

`Run cupsaddsmb with Verbose Output`

- +

`Run cupsaddsmb with Verbose Output`

+ Probably you want to see what's going on. Use the -v parameter to get a more verbose output. The output below was edited for better readability: all “\” at the end of a line indicate that I inserted an artificial line break plus some indentation here: - - + +

 root# cupsaddsmb -U root -v infotec_2105
 Password for root required to access localhost via GANDALF:
@@ -1744,17 +1744,17 @@
 Also, if you look further, you may discover error messages like NT_STATUS_OBJECT_NAME_COLLISION in the output.
 This will occur when the directories WIN40 and W32X86 already existed in the [print$]
 driver download share (from a previous driver installation). These are harmless warning messages.
-

`Understanding cupsaddsmb`

- +

`Understanding cupsaddsmb`

+ What has happened? What did cupsaddsmb do? There are five stages of the procedure:

- + Call the CUPS server via IPP and request the driver files and the PPD file for the named printer.
Store the files temporarily in the local TEMPDIR (as defined in cupsd.conf).
Connect via smbclient to the Samba server's [print$] share and put the files into the share's WIN40 (for Windows 9x/Me) and W32X86 (for Windows NT/200x/XP) subdirectories.
- + Connect via rpcclient to the Samba server and execute the adddriver command with the correct parameters.
- + Connect via rpcclient to the Samba server a second time and execute the setdriver command.

`Note`

You can run the cupsaddsmb utility with parameters to specify one remote host as Samba host and a second remote host as CUPS host. Especially if you want to get a deeper understanding, it is a good idea @@ -1763,7 +1763,7 @@

 root# cupsaddsmb -H sambaserver -h cupsserver -v printer

-

`How to Recognize If cupsaddsmb Completed Successfully`

+

`How to Recognize If cupsaddsmb Completed Successfully`

You must always check if the utility completed successfully in all fields. You need at minimum these three messages among the output: @@ -1785,16 +1785,16 @@ SetPrinter call failed! result was WERR_ACCESS_DENIED

-it means that you might have set use client driver = yes for this printer. +it means that you might have set use client driver = yes for this printer. Setting it to “no” will solve the problem. Refer to the smb.conf man page for explanation of the use client driver.

`Note`

It is impossible to see any diagnostic output if you do not run cupsaddsmb in verbose mode. Therefore, we strongly recommend against use of the default quiet mode. It will hide any problems from you that might occur. -

`cupsaddsmb with a Samba PDC`

- - +

`cupsaddsmb with a Samba PDC`

+ + Can't get the standard cupsaddsmb command to run on a Samba PDC? Are you asked for the password credential again and again, and the command just will not take off at all? Try one of these variations: @@ -1804,20 +1804,20 @@ root# cupsaddsmb -H SAURON -U MIDEARTH\\root -h cups-server -v printername

(Note the two backslashes: the first one is required to “escape” the second one). -

`cupsaddsmb Flowchart`

- - +

`cupsaddsmb Flowchart`

+ + The cupsaddsmb Flowchart shows a chart about the procedures, command flows, and data flows of the cupaddsmb command. Note again: cupsaddsmb is not intended to, and does not work with, raw print queues! -

Figure 21.16. cupsaddsmb Flowchart.

`Installing the PostScript Driver on a Client`

- - +

Figure 21.16. cupsaddsmb Flowchart.

`Installing the PostScript Driver on a Client`

+ + After cupsaddsmb is completed, your driver is prepared for the clients to use. Here are the steps you must perform to download and install it via Point'n'Print. From a Windows client, browse to the CUPS/Samba server:

- + Open the Printers share of Samba in Network Neighborhood.
Right-click on the printer in question.
From the opening context menu select Install... or Connect... (depending on the Windows version you use).

@@ -1827,9 +1827,9 @@ you want to test it and send your first job from an application like Winword, the new printer appears in a \\SambaServer\PrinterName entry in the drop-down list of available printers.

- - - + + + cupsaddsmb will only reliably work with CUPS version 1.1.15 or higher and with Samba version 2.2.4, or later. If it does not work, or if the automatic printer driver download to the clients does not succeed, you can still manually install the CUPS printer PPD on top of the Adobe PostScript driver on @@ -1858,34 +1858,34 @@ Sometimes you can choose PostScript Language Level: in case of problems try 2 instead of 3 (the latest ESP Ghostscript package handles Level 3 PostScript very well; Adobe).

- Say Yes to PostScript Error Handler (Adobe).

`Installing PostScript Driver Files Manually Using rpcclient`

+ Say Yes to PostScript Error Handler (Adobe).

`Installing PostScript Driver Files Manually Using rpcclient`

Of course, you can run all the commands that are embedded into the cupsaddsmb convenience utility yourself, one by one, and upload and prepare the driver files for future client downloads.

Prepare Samba (a CUPS print queue with the name of the printer should be there. We are providing the driver now).
Copy all files to [print$].
- + Run rpcclient adddriver (for each client architecture you want to support).
- + Run rpcclient setdriver.

- - - - - + + + + + We are going to do this now. First, read the man page on rpcclient to get a first idea. Look at all the printing-related subcommands: enumprinters, enumdrivers, enumports, adddriver, and setdriver are among the most interesting ones. rpcclient implements an important part of the MS-RPC protocol. You can use it to query (and command) a Windows NT (or 200x/XP) PC, too. MS-RPC is used by Windows clients, among other things, to benefit from the Point'n'Print features. Samba can now mimic this as well. -

`A Check of the rpcclient man Page`

+

`A Check of the rpcclient man Page`

First let's check the rpcclient man page. Here are two relevant passages:

- - - + + + adddriver <arch> <config> Execute an AddPrinterDriver() RPC to install the printer driver information on the server. The driver files should already exist in the directory returned by getdriverdir. Possible values for arch are the @@ -1908,18 +1908,18 @@ NT print server, the print monitor for a driver must already be installed before adding the driver or else the RPC will fail.

- - + + setdriver <printername> <drivername> Execute a SetPrinter() command to update the printer driver associated with an installed printer. The printer driver must already be correctly installed on the print server.

- - + + See also the enumprinters and enumdrivers commands to obtain a list of installed printers and drivers. -

`Understanding the rpcclient man Page`

- +

`Understanding the rpcclient man Page`

+ The exact format isn't made too clear by the man page, since you have to deal with some parameters containing spaces. Here is a better description for it. We have line-broken the command and indicated the breaks with “\”. Usually you would type the command in one line without the line @@ -1943,9 +1943,9 @@ listening to the traffic caused by Windows computers on the wire. We may as well turn to a Windows box now and access it from a UNIX workstation. We will query it with rpcclient to see what it tells us and try to understand the man page more clearly. -

`Producing an Example by Querying a Windows Box`

- - +

`Producing an Example by Querying a Windows Box`

+ + We could run rpcclient with a getdriver or a getprinter subcommand (in level 3 verbosity) against it. Just sit down at a UNIX or Linux workstation with the Samba utilities installed, then type the following command: @@ -1953,7 +1953,7 @@ root# rpcclient -U'user%secret' NT-SERVER -c 'getdriver printername 3'

From the result it should become clear which is which. Here is an example from my installation: - +

 root# rpcclient -U'Danka%xxxx' W200xSERVER \
     -c'getdriver "DANKA InfoStream Virtual Printer" 3'
@@ -1984,15 +1984,15 @@
 would go into the last field ListOfFiles,Comma-separated. For the CUPS PostScript
 drivers, we do not need any (nor would we for the Adobe PostScript driver); therefore, the field will get a
 “NULL” entry.
-

`Requirements for adddriver and setdriver to Succeed`

- - - +

`Requirements for adddriver and setdriver to Succeed`

+ + + From the man page (and from the quoted output of cupsaddsmb above) it becomes clear that you need to have certain conditions in order to make the manual uploading and initializing of the driver files succeed. The two rpcclient subcommands (adddriver and setdriver) need to encounter the following preconditions to complete successfully: -

You are connected as printer admin or root (this is +
- You are connected as printer admin or root (this is not the “Printer Operators” group in NT, but the printer admin group as defined in the [global] section of smb.conf).
- Copy all required driver files to \\SAMBA\print$\w32x86 and @@ -2004,19 +2004,19 @@ the [print$] share and create subdirectories.
- The printer you are going to set up for the Windows clients needs to be installed in CUPS already.
- - - + + The CUPS printer must be known to Samba; otherwise the setdriver subcommand fails with an NT_STATUS_UNSUCCESSFUL error. To check if the printer is known by Samba, you may use the enumprinters subcommand to rpcclient. A long-standing bug prevented a proper update of the printer list until every smbd process had received a SIGHUP or was restarted. Remember this in case you've created the CUPS printer just recently and encounter problems: try restarting Samba. -

`Manual Driver Installation in 15 Steps`

+

`Manual Driver Installation in 15 Steps`

We are going to install a printer driver now by manually executing all required commands. Because this may seem a rather complicated process at first, we go through the procedure step by step, explaining every single action item as it comes up. -

Procedure 21.2. Manual Driver Installation Install the printer on CUPS. + Procedure 21.2. Manual Driver Installation Install the printer on CUPS. root# lpadmin -p mysmbtstprn -v socket://10.160.51.131:9100 -E \ -P canonIR85.ppd @@ -2025,7 +2025,7 @@ (a.k.a. JetDirect or Direct TCP/IP) connection. You need to be root for this step. (Optional.) Check if the printer is recognized by Samba. - + root# rpcclient -Uroot%xxxx -c 'enumprinters' localhost \ | grep -C2 mysmbtstprn @@ -2045,8 +2045,8 @@ of the following steps. Alternatively, you can authenticate as one of the users from the “write list” as defined in smb.conf for [print$]. (Optional.) Check if Samba knows a driver for the printer. - - + + root# rpcclient -Uroot%xxxx -c 'getprinter mysmbtstprn 2'\ localhost | grep driver @@ -2102,7 +2102,7 @@ The driver files now are in the W32X86 architecture “root” of [print$]. Tell Samba that these are driver files (adddriver). - + root# rpcclient -Uroot%xxxx -c 'adddriver "Windows NT x86" \ "mydrivername:cupsdrvr.dll:mysmbtstprn.PPD: \ @@ -2133,7 +2133,7 @@ Notice how step 6 also moved the driver files to the appropriate subdirectory. Compare this with the situation after step 5. (Optional.) Verify if Samba now recognizes the driver. - + root# rpcclient -Uroot%xxxx -c 'enumdrivers 3' \ localhost | grep -B2 -A5 mydrivername @@ -2149,7 +2149,7 @@ Remember, this command greps for the name you chose for the driver in step 6. This command must succeed before you can proceed. <title>Tell Samba which printer should use these driver files (setdriver).</title> - + root# rpcclient -Uroot%xxxx -c 'setdriver mysmbtstprn mydrivername' \ localhost @@ -2160,9 +2160,9 @@ succeed. The only preconditions are that enumdrivers must find the driver and enumprinters must find the printer. (Optional) Verify if Samba has recognized this association. - - - + + + root# rpcclient -Uroot%xxxx -c 'getprinter mysmbtstprn 2' localhost \ | grep driver @@ -2202,13 +2202,13 @@ comment:[mysmbtstprn] - + Compare these results with the ones from steps 2 and 3. Every one of these commands show the driver is installed. Even the enumprinters command now lists the driver on the “description” line. (Optional.) Tickle the driver into a correct device mode. - + You certainly know how to install the driver on the client. In case you are not particularly familiar with Windows, here is a short recipe: Browse the Network Neighborhood, go to the Samba server, and look @@ -2231,12 +2231,12 @@ Change any printer setting once (like changing portrait to landscape), click on Apply, and change the setting back. Install the printer on a client (Point'n'Print). - + C:\> rundll32 printui.dll,PrintUIEntry /in /n "\\sambaserver\mysmbtstprn" If it does not work, it could be a permissions problem with the [print$] share. - (Optional) Print a test page. + (Optional) Print a test page. C:\> rundll32 printui.dll,PrintUIEntry /p /n "\\sambaserver\mysmbtstprn" Then hit [TAB] five times, [ENTER] twice, [TAB] once, and [ENTER] again, and march to the printer. @@ -2246,8 +2246,8 @@ why not just throw it away! (Obligatory.) Enjoy. Jump. Celebrate your success. root# echo "Cheeeeerioooooo! Success..." >> /var/log/samba/log.smbd -

`Troubleshooting Revisited`

- +

`Troubleshooting Revisited`

+ The setdriver command will fail if in Samba's mind the queue is not already there. A successful installation displys the promising message that the:

@@ -2258,20 +2258,20 @@
 
 result was NT_STATUS_UNSUCCESSFUL
 

-
-
+
+
 It is not good enough that you can see the queue in CUPS, using the lpstat -p ir85wm
 command. A bug in most recent versions of Samba prevents the proper update of the queue list. The recognition
 of newly installed CUPS printers fails unless you restart Samba or send a HUP to all smbd processes. To verify
 if this is the reason why Samba does not execute the setdriver command successfully, check
 if Samba “sees” the printer:
-
+
 
 root# rpcclient transmeta -N -U'root%xxxx' -c 'enumprinters 0'|grep ir85wm
         printername:[ir85wm]
 

 An alternate command could be this: 
-
+
 
 root# rpcclient transmeta -N -U'root%secret' -c 'getprinter ir85wm' 
         cmd = getprinter ir85wm
@@ -2281,28 +2281,28 @@
         comment:[CUPS PostScript-Treiber for Windows NT/200x/XP]
 

 By the way, you can use these commands, plus a few more, of course, to install drivers on remote Windows NT print servers too!
-

**`The Printing *.tdb Files`**

- - - - - - - - - - - - - +

**`The Printing *.tdb Files`**

+ + + + + + + + + + + + + Some mystery is associated with the series of files with a tdb suffix appearing in every Samba installation. They are connections.tdb, printing.tdb, share_info.tdb, ntdrivers.tdb, unexpected.tdb, brlock.tdb, locking.tdb, ntforms.tdb, messages.tdb , ntprinters.tdb, sessionid.tdb, and secrets.tdb. What is their purpose? -

`Trivial Database Files`

- +

`Trivial Database Files`

+ A Windows NT (print) server keeps track of all information needed to serve its duty toward its clients by storing entries in the Windows registry. Client queries are answered by reading from the registry, Administrator or user configuration settings that are saved by writing into the registry. Samba and UNIX @@ -2311,7 +2311,7 @@ /var/lib/samba/ or /var/lock/samba/. The printing-related files are ntprinters.tdb, printing.tdb,ntforms.tdb, and ntdrivers.tdb. -

`Binary Format`

+

`Binary Format`

*.tdb files are not human readable. They are written in a binary format. “Why not ASCII?”, you may ask. “After all, ASCII configuration files are a good and proven tradition on UNIX.” The reason for this design decision by the Samba Team is mainly performance. Samba needs to be @@ -2320,16 +2320,16 @@ *.tdb file at the same time. The file format of Samba's *.tdb files allows for this provision. Many smbd processes may write to the same *.tdb file at the same time. This wouldn't be possible with pure ASCII files. -

**`Losing *.tdb Files`**

+

**`Losing *.tdb Files`**

It is very important that all *.tdb files remain consistent over all write and read accesses. However, it may happen that these files do get corrupted. (A kill -9 `pidof smbd' while a write access is in progress could do the damage, as could a power interruption, etc.). In cases of trouble, a deletion of the old printing-related *.tdb files may be the only option. After that, you need to re-create all print-related setups unless you have made a backup of the *.tdb files in time. -

`Using tdbbackup`

- - +

`Using tdbbackup`

+ + Samba ships with a little utility that helps the root user of your system to backup your *.tdb files. If you run it with no argument, it prints a usage message:

@@ -2356,10 +2356,10 @@
  -rw-------    1 root     root        40960 May  2 03:44 printing.tdb
  -rw-------    1 root     root        40960 May  2 03:44 printing.tdb.bak
 
-

`CUPS Print Drivers from Linuxprinting.org`

- +

`CUPS Print Drivers from Linuxprinting.org`

+ CUPS ships with good support for HP LaserJet-type printers. You can install the generic driver as follows: - +

 root# lpadmin -p laserjet4plus -v parallel:/dev/lp0 -E -m laserjet.ppd

@@ -2375,9 +2375,9 @@ the tireless work of Till Kamppeter from Mandrakesoft, who is also the principal author of the foomatic-rip utility.

`Note`

- - - + + + The former cupsomatic concept is now being replaced by the new successor, a much more powerful foomatic-rip. cupsomatic is no longer maintained. Here is the new URL to the Foomatic-3.0 @@ -2386,9 +2386,9 @@ cupsomatic. The new-style PPDs are 100% compliant with the Adobe PPD specification. They are also intended to be used by Samba and the cupsaddsmb utility, to provide the driver files for the Windows clients! -

`foomatic-rip and Foomatic Explained`

- - +

`foomatic-rip and Foomatic Explained`

+ + Nowadays, most Linux distributions rely on the utilities from the Linuxprinting.org to create their printing-related software (which, by the way, works on all UNIXes and on Mac OS X and Darwin, too). The utilities from this sire have a very end-user-friendly interface that allows for an easy update of drivers and PPDs for all supported models, @@ -2399,8 +2399,8 @@ Linuxprinting.org keeps all the important facts about printer drivers, supported models, and which options are available for the various driver/printer combinations in its Foomatic database. Currently there are 245 drivers in the database. Many drivers support various models, and many models may be driven by different drivers its your choice! -

`690 “Perfect” Printers`

- +

`690 “Perfect” Printers`

+ At present, there are 690 devices dubbed as working perfectly: 181 are mostly perfect, 96 are partially perfect, and 46 are paperweights. Keeping in mind that most of these are non-PostScript models (PostScript printers are automatically supported by CUPS to perfection by using their @@ -2408,7 +2408,7 @@ if it does not also scan and copy and fax under GNU/Linux then this is a truly astonishing achievement! Three years ago the number was not more than 500, and Linux or UNIX printing at the time wasn't anywhere near the quality it is today. -

`How the Printing HOWTO Started It All`

+

`How the Printing HOWTO Started It All`

A few years ago Grant Taylor started it all. The roots of today's Linuxprinting.org are in the first Linux Printing HOWTO that he authored. As a side-project to this document, which served many Linux users and admins to guide their first steps in this @@ -2417,8 +2417,8 @@ Postgres database with information about the hardware and driver zoo that made up Linux printing of the time. This database became the core component of today's Foomatic collection of tools and data. In the meantime, it has moved to an XML representation of the data. -

`Foomatic's Strange Name`

- +

`Foomatic's Strange Name`

+ “Why the funny name?” you ask. When it really took off, around spring 2000, CUPS was far less popular than today, and most systems used LPD, LPRng, or even PDQ to print. CUPS shipped with a few generic drivers (good for a few hundred different printer models). These didn't support many device-specific options. @@ -2436,10 +2436,10 @@ to CUPS users (because often the traditional Ghostscript way of printing was the only one available).

It gave all the advanced CUPS options (Web interface, GUI driver configurations) to users wanting (or needing) to use - Ghostscript filters.

`cupsomatic, pdqomatic, lpdomatic, directomatic`

- - - + Ghostscript filters.

`cupsomatic, pdqomatic, lpdomatic, directomatic`

+ + + CUPS worked through a quickly hacked-up filter script named cupsomatic. cupsomatic ran the printfile through Ghostscript, constructing automatically the rather complicated command line needed. It just needed to be copied into the CUPS system to make it work. To configure the way cupsomatic controls the @@ -2460,8 +2460,8 @@ behind the “*omatic” scripts. Foomatic, up to versions 2.0.x, required (ugly) Perl data structures attached to Linuxprinting.org PPDs for CUPS. It had a different “*omatic” script for every spooler, as well as different printer configuration files. -

`The Grand Unification Achieved`

- +

`The Grand Unification Achieved`

+ This has all changed in Foomatic versions 2.9 (beta) and released as “stable” 3.0. It has now achieved the convergence of all *omatic scripts and is called the foomatic-rip. This single script is the unification of the previously different spooler-specific *omatic scripts. @@ -2470,18 +2470,18 @@ have the power of PPDs at their disposal. Users only need to plug foomatic-rip into their system. For users there is improved media type and source support paper sizes and trays are easier to configure.

+ - - + Also, the new generation of Linuxprinting.org PPDs no longer contains Perl data structures. If you are a distro maintainer and have used the previous version of Foomatic, you may want to give the new one a spin, but remember to generate a new-version set of PPDs via the new foomatic-db-engine!. Individual users just need to generate a single new PPD specific to their model by following the steps outlined in the Foomatic tutorial or in this chapter. This new development is truly amazing.

- - - + + + foomatic-rip is a very clever wrapper around the need to run Ghostscript with a different syntax, options, device selections, and/or filters for each different printer or spooler. At the same time, it can read the PPD associated with a print queue and modify the print job according to the user selections. Together with this @@ -2489,8 +2489,8 @@ Foomatic concept may surprise users. It will support custom paper sizes for many printers and will support printing on media drawn from different paper trays within the same job (in both cases, even where there is no support for this from Windows-based vendor printer drivers). -

`Driver Development Outside`

- +

`Driver Development Outside`

+ Most driver development itself does not happen within Linuxprinting.org. Drivers are written by independent maintainers. Linuxprinting.org just pools all the information and stores it in its database. In addition, it also provides the Foomatic glue to integrate the many drivers into any modern (or legacy) printing system @@ -2498,25 +2498,25 @@

Speaking of the different driver development groups, most of the work is currently done in three projects:

- + Omni a free software project by IBM that tries to convert its printer driver knowledge from good-ol' OS/2 times into a modern, modular, universal driver architecture for Linux/UNIX (still beta). This currently supports 437 models.
- + HPIJS a free software project by HP to provide the support for its own range of models (very mature, printing in most cases is perfect and provides true photo quality). This currently supports 369 models.
- + Gimp-Print a free software effort, started by Michael Sweet (also lead developer for CUPS), now directed by Robert Krawitz, which has achieved an amazing level of photo print quality (many Epson users swear that its quality is better than the vendor drivers provided by Epson for the Microsoft - platforms). This currently supports 522 models.

`Forums, Downloads, Tutorials, Howtos (Also for Mac OS X and Commercial UNIX)`

+ platforms). This currently supports 522 models.

`Forums, Downloads, Tutorials, Howtos (Also for Mac OS X and Commercial UNIX)`

Linuxprinting.org today is the one-stop shop to download printer drivers. Look for printer information and tutorials or solve printing problems in its popular forums. This @@ -2525,9 +2525,9 @@ Mac OS X forum has turned out to be one of the most frequented forums after only a few weeks.

- - - + + + Linuxprinting.org and the Foomatic driver wrappers around Ghostscript are now a standard tool-chain for printing on all the important distros. Most of them also have CUPS underneath. While in recent years most printer data had been added by Kamppeter, many additional contributions came from engineers with SuSE, Red @@ -2536,16 +2536,16 @@

`Note`

Till Kamppeter from Mandrakesoft is doing an excellent job in his spare time to maintain Linuxprinting.org and Foomatic. So if you use it often, please send him a note showing your appreciation. -

`Foomatic Database-Generated PPDs`

- - - - - - - - - +

`Foomatic Database-Generated PPDs`

+ + + + + + + + + The Foomatic database is an amazing piece of ingenuity in itself. Not only does it keep the printer and driver information, but it is organized in a way that it can generate PPD files on the fly from its internal XML-based datasets. While these PPDs are modeled to the Adobe specification of PPDs, the @@ -2560,7 +2560,7 @@ This usage of PPDs to describe the options of non-PostScript printers was the invention of the CUPS developers. The rest is easy. GUI tools (like KDE's marvelous kprinter or the GNOME gtklp xpp and the CUPS Web interface) read the PPD as well and use this information to present the available settings to the user as an intuitive menu selection. -

`foomatic-rip and Foomatic PPD Download and Installation`

+

`foomatic-rip and Foomatic PPD Download and Installation`

Here are the steps to install a foomatic-rip-driven LaserJet 4 Plus-compatible printer in CUPS (note that recent distributions of SuSE, UnitedLinux and Mandrake may ship with a complete package of Foomatic-PPDs plus the @@ -2653,8 +2653,8 @@ fit for your printer model's consumption.

Ghostscript must (depending on the driver/model) contain support for a certain device representing the selected driver for your model (as shown by gs -h).

foomatic-rip needs a new version of PPDs (PPD versions - produced for cupsomatic do not work with foomatic-rip).

`Page Accounting with CUPS`

- + produced for cupsomatic do not work with foomatic-rip).

`Page Accounting with CUPS`

+ Often there are questions regarding print quotas where Samba users (that is, Windows clients) should not be able to print beyond a certain number of pages or data volume per day, week, or month. This feature is dependent on the real print subsystem you're using. Samba's part is always to receive the job files from the @@ -2662,18 +2662,18 @@

Of course one could hack things with one's own scripts. But then there is CUPS. CUPS supports quotas that can be based on the size of jobs or on the number of pages or both, and can span any time period you want. -

`Setting Up Quotas`

- +

`Setting Up Quotas`

+ This is an example command of how root would set a print quota in CUPS, assuming an existing printer named “quotaprinter”: - +

 root# lpadmin -p quotaprinter -o job-quota-period=604800 \
 	-o job-k-limit=1024 -o job-page-limit=100

This would limit every single user to print no more than 100 pages or 1024 KB of data (whichever comes first) within the last 604,800 seconds ( = 1 week). -

`Correct and Incorrect Accounting`

+

`Correct and Incorrect Accounting`

For CUPS to count correctly, the printfile needs to pass the CUPS pstops filter; otherwise it uses a dummy count of “one”. Some print files do not pass it (e.g., image files), but then those are mostly one-page jobs anyway. This also means that proprietary drivers for the target printer running on the client @@ -2684,12 +2684,12 @@ accounting done. If the printer is a non-PostScript model, you need to let CUPS do the job to convert the file to a print-ready format for the target printer. This is currently working for about a thousand different printer models. Linuxprinting.org has a driver list. -

`Adobe and CUPS PostScript Drivers for Windows Clients`

- - - - - +

`Adobe and CUPS PostScript Drivers for Windows Clients`

+ + + + + Before CUPS 1.1.16, your only option was to use the Adobe PostScript driver on the Windows clients. The output of this driver was not always passed through the pstops filter on the CUPS/Samba side, and therefore was not counted correctly (the reason is that it often, depending on the PPD being used, wrote a @@ -2700,13 +2700,13 @@ clients (which is tagged in the download area of http://www.cups.org/ as the cups-samba-1.1.16.tar.gz package). It does not work for Windows 9x/Me clients, but it guarantees: -

To not write a PJL-header.
To still read and support all PJL-options named in the +
- To not write a PJL-header.
- To still read and support all PJL-options named in the driver PPD with its own means.
- That the file will pass through the pstops filter on the CUPS/Samba server.
- To page-count correctly the print file.
You can read more about the setup of this combination in the man page for cupsaddsmb (which is only present with CUPS installed, and only current from CUPS 1.1.16). -

`The page_log File Syntax`

- +

`The page_log File Syntax`

+ These are the items CUPS logs in the page_log for every page of a job:

Printer name
User name
Job ID
Time of printing
Page number
Number of copies
A billing information string (optional)
The host that sent the job (included since version 1.1.19)

Here is an extract of my CUPS server's page_log file to illustrate the @@ -2724,7 +2724,7 @@ The next job had ID 402, was sent by user boss from IP address 10.160.51.33, printed from one page 440 copies, and is set to be billed to finance-dep. -

`Possible Shortcomings`

+

`Possible Shortcomings`

What flaws or shortcomings are there with this quota system?

The ones named above (wrongly logged job in case of printer hardware failure, and so on).
In reality, CUPS counts the job pages that are being @@ -2738,7 +2738,7 @@ “used-up” number of current quota.
A user having used up 99 sheets of a 100 quota will still be able to send and print a 1,000 sheet job.
A user being denied a job because of a filled-up quota does not get a meaningful error message from CUPS other than - “client-error-not-possible”.

`Future Developments`

+ “client-error-not-possible”.

`Future Developments`

This is the best system currently available, and there are huge improvements under development for CUPS 1.2:

Page counting will go into the backends (these talk @@ -2746,10 +2746,10 @@ actual printing process; thus, a jam at the fifth sheet will lead to a stop in the counting).
Quotas will be handled more flexibly.
Probably there will be support for users to inquire about their accounts in advance.
Probably there will be support for some other tools - around this topic.

`Other Accounting Tools`

+ around this topic.

`Other Accounting Tools`

Other accounting tools that can be used includes: PrintAnalyzer, pyKota, printbill, LogReport. For more information regarding these tools you can try a Google search. -

`Additional Material`

+

`Additional Material`

A printer queue with no PPD associated to it is a “raw” printer, and all files will go directly there as received by the spooler. The exceptions are file types application/octet-stream @@ -2828,15 +2828,15 @@ allowed to have direct access (such as when the operators often need to load the proper paper type before running the 10,000 page job requested by marketing for the mailing, and so on). -

`Autodeletion or Preservation of CUPS Spool Files`

- - - +

`Autodeletion or Preservation of CUPS Spool Files`

+ + + Samba print files pass through two spool directories. One is the incoming directory managed by Samba (set in -the path = /var/spool/samba directive in the [printers] section of smb.conf). The other is the spool directory of your UNIX print subsystem. For +the path = /var/spool/samba directive in the [printers] section of smb.conf). The other is the spool directory of your UNIX print subsystem. For CUPS it is normally /var/spool/cups/, as set by the cupsd.conf directive RequestRoot /var/spool/cups. -

`CUPS Configuration Settings Explained`

+

`CUPS Configuration Settings Explained`

Some important parameter settings in the CUPS configuration file cupsd.conf are:

PreserveJobHistory Yes: @@ -2860,27 +2860,27 @@

(There are also additional settings for MaxJobsPerUser and MaxJobsPerPrinter.) -

`Preconditions`

+

`Preconditions`

For everything to work as it should, you need to have three things:

A Samba smbd that is compiled against libcups (check on Linux by running ldd `which smbd').
A Samba-smb.conf setting of - printing = cups.
Another Samba smb.conf setting of - printcap = cups.

`Note`

+ printing = cups.

Another Samba smb.conf setting of + printcap = cups.

`Note`

In this case, all other manually set printing-related commands (like -print command, -lpq command, -lprm command, -lppause command, and -lpresume command) are ignored, and they should normally have no +print command, +lpq command, +lprm command, +lppause command, and +lpresume command) are ignored, and they should normally have no influence whatsoever on your printing. -

`Manual Configuration`

-If you want to do things manually, replace the printing = cups -by printing = bsd. Then your manually set commands may work -(I haven't tested this), and a print command = lp -d %P %s; rm %s +

`Manual Configuration`

+If you want to do things manually, replace the printing = cups +by printing = bsd. Then your manually set commands may work +(I haven't tested this), and a print command = lp -d %P %s; rm %s may do what you need. -

`Printing from CUPS to Windows-Attached Printers`

- - +

`Printing from CUPS to Windows-Attached Printers`

+ + From time to time the question arises, how can you print to a Windows-attached printer from Samba? Normally the local connection from Windows host to printer would be done by USB or parallel cable, but this does not matter to Samba. From here only an SMB connection needs to be opened @@ -2915,8 +2915,8 @@

 root# ln -s `which smbspool` /usr/lib/cups/backend/smb

- - + + smbspool was written by Mike Sweet from the CUPS folks. It is included and ships with Samba. It may also be used with print subsystems other than CUPS, to spool jobs to Windows printer shares. To set up printer winprinter on CUPS, you need to have a driver for it. Essentially @@ -2931,9 +2931,9 @@ root# lpadmin -p winprinter -v smb://WINDOWSNETBIOSNAME/printersharename \ -P /path/to/PPD

- - - + + + The PPD must be able to direct CUPS to generate the print data for the target model. For PostScript printers, just use the PPD that would be used with the Windows NT PostScript driver. But what can you do if the printer is only accessible with a password? Or if the printer's host is part of another workgroup? This is provided @@ -2946,12 +2946,12 @@ Printing will only work if you have a working NetBIOS name resolution up and running. Note that this is a feature of CUPS and you do not necessarily need to have smbd running. -

`More CUPS Filtering Chains`

+

`More CUPS Filtering Chains`

The diagrams in Filtering Chain 1 and Filtering Chain with cupsomatic show how CUPS handles print jobs. -

Figure 21.17. Filtering Chain 1.

Figure 21.18. Filtering Chain with cupsomatic

`Common Errors`

`Windows 9x/Me Client Can't Install Driver`

For Windows 9x/Me, clients require the printer names to be eight +

Figure 21.17. Filtering Chain 1.

Figure 21.18. Filtering Chain with cupsomatic

`Common Errors`

`Windows 9x/Me Client Can't Install Driver`

For Windows 9x/Me, clients require the printer names to be eight characters (or “8 plus 3 chars suffix”) max; otherwise, the driver files - will not get transferred when you want to download them from Samba.

`“cupsaddsmb” Keeps Asking for Root Password in Never-ending Loop`

Have you set security = user? Have + will not get transferred when you want to download them from Samba.

`“cupsaddsmb” Keeps Asking for Root Password in Never-ending Loop`

Have you set security = user? Have you used smbpasswd to give root a Samba account? You can do two things: open another terminal and execute smbpasswd -a root to create the account and @@ -2960,10 +2960,10 @@ password).

If the error is “Tree connect failed: NT_STATUS_BAD_NETWORK_NAME”, you may have forgotten to create the /etc/samba/drivers directory. -

`“cupsaddsmb” or “rpcclient addriver” Emit Error`

+

`“cupsaddsmb” or “rpcclient addriver” Emit Error`

If cupsaddsmb, or rpcclient addriver emit the error message WERR_BAD_PASSWORD, refer to the previous common error. -

`“cupsaddsmb” Errors`

+

`“cupsaddsmb” Errors`

The use of “cupsaddsmb” gives “No PPD file for printer...” message while PPD file is present. What might the problem be?

@@ -2974,12 +2974,12 @@ cupsaddsmb -H sambaserver -h cupsserver -v printername.

Is your TempDir directive in cupsd.conf set to a valid value, and is it writable? -

`Client Can't Connect to Samba Printer`

Use smbstatus to check which user +

`Client Can't Connect to Samba Printer`

Use smbstatus to check which user you are from Samba's point of view. Do you have the privileges to write into the [print$] - share?

`New Account Reconnection from Windows 200x/XP Troubles`

+ share?

`New Account Reconnection from Windows 200x/XP Troubles`

Once you are connected as the wrong user (for example, as nobody, which often occurs if -you have map to guest = bad user), Windows Explorer will not accept an +you have map to guest = bad user), Windows Explorer will not accept an attempt to connect again as a different user. There will not be any bytes transferred on the wire to Samba, but still you'll see a stupid error message that makes you think Samba has denied access. Use smbstatus to check for active connections. Kill the PIDs. You still can't re-connect, and @@ -2992,44 +2992,44 @@ connected under a different account. Now open the Printers folder (on the Samba server in the Network Neighborhood), right-click on the printer in question, and select Connect..... -

`Avoid Being Connected to the Samba Server as the Wrong User`

- +

`Avoid Being Connected to the Samba Server as the Wrong User`

+ You see per smbstatus that you are connected as user nobody, but you want to be root or -printer admin. This is probably due to map to guest = bad user, which +printer admin. This is probably due to map to guest = bad user, which silently connected you under the guest account when you gave (maybe by accident) an incorrect username. Remove -map to guest if you want to prevent this. -

`Upgrading to CUPS Drivers from Adobe Drivers`

+map to guest if you want to prevent this. +

`Upgrading to CUPS Drivers from Adobe Drivers`

This information came from a mailing list posting regarding problems experienced when upgrading from Adobe drivers to CUPS drivers on Microsoft Windows NT/200x/XP clients.

First delete all old Adobe-using printers. Then delete all old Adobe drivers. (On Windows 200x/XP, right-click in the background of Printers folder, select Server Properties..., select -tab Drivers, and delete here).

`Can't Use “cupsaddsmb” on Samba Server, Which Is a PDC`

Do you use the “naked” root user name? Try to do it +tab Drivers, and delete here).

`Can't Use “cupsaddsmb” on Samba Server, Which Is a PDC`

Do you use the “naked” root user name? Try to do it this way: cupsaddsmb -U DOMAINNAME\\root -v printername> (note the two backslashes: the first one is -required to “escape” the second one).

`Deleted Windows 200x Printer Driver Is Still Shown`

Deleting a printer on the client will not delete the +required to “escape” the second one).

`Deleted Windows 200x Printer Driver Is Still Shown`

Deleting a printer on the client will not delete the driver too (to verify, right-click on the white background of the Printers folder, select Server Properties and click on the Drivers tab). These same old drivers will be re-used when you try to install a printer with the same name. If you want to update to a new driver, delete the old ones first. Deletion is only possible if no -other printer uses the same driver.

`Windows 200x/XP Local Security Policies`

Local security policies may not allow the installation of unsigned drivers “local -security policies” may not allow the installation of printer drivers at all.

`Administrator Cannot Install Printers for All Local Users`

- - +other printer uses the same driver.

`Windows 200x/XP Local Security Policies`

Local security policies may not allow the installation of unsigned drivers “local +security policies” may not allow the installation of printer drivers at all.

`Administrator Cannot Install Printers for All Local Users`

+ + Windows XP handles SMB printers on a “per-user” basis. This means every user needs to install the printer himself or herself. To have a printer available for everybody, you might want to use the built-in IPP client capabilities of Win XP. Add a printer with the print path of http://cupsserver:631/printers/printername. We're still looking into this one. Maybe a logon script could automatically install printers for all users. -

`Print Change, Notify Functions on NT Clients`

For print change, notify functions on NT++ clients. These need to run the Server -service first (renamed to File & Print Sharing for MS Networks in XP).

`Win XP-SP1`

Win XP-SP1 introduced a Point and Print Restriction Policy (this restriction does not apply to +

`Print Change, Notify Functions on NT Clients`

For print change, notify functions on NT++ clients. These need to run the Server +service first (renamed to File & Print Sharing for MS Networks in XP).

`Win XP-SP1`

Win XP-SP1 introduced a Point and Print Restriction Policy (this restriction does not apply to “Administrator” or “Power User” groups of users). In Group Policy Object Editor, go to User Configuration -> Administrative Templates -> Control Panel -> Printers. The policy is automatically set to Enabled and the Users can only Point and Print to machines in their Forest . You probably need to change it to Disabled or Users can only Point and Print to these servers to make driver downloads from Samba possible. -

`Print Options for All Users Can't Be Set on Windows 200x/XP`

How are you doing it? I bet the wrong way (it is not easy to find out, though). There are three +

`Print Options for All Users Can't Be Set on Windows 200x/XP`

How are you doing it? I bet the wrong way (it is not easy to find out, though). There are three different ways to bring you to a dialog that seems to set everything. All three dialogs look the same, yet only one of them does what you intend. You need to be Administrator or Print Administrator to do this for all users. Here is how I do in on XP: @@ -3057,36 +3057,36 @@ Do you see any difference? I don't either. However, only the last one, which you arrived at with steps “C.1. to C.6.”, will save any settings permanently and be the defaults for new users. If you want all clients to get the same defaults, you need to conduct these steps as Administrator -(printer admin in smb.conf) before a client downloads the +(printer admin in smb.conf) before a client downloads the driver (the clients can later set their own per-user defaults by following the procedures A or B). -

`Most Common Blunders in Driver Settings on Windows Clients`

+

`Most Common Blunders in Driver Settings on Windows Clients`

Don't use Optimize for Speed, but use Optimize for Portability instead (Adobe PS Driver). Don't use Page Independence: No. Always settle with Page Independence: Yes (Microsoft PS Driver and CUPS PS Driver for Windows NT/200x/XP). If there are problems with fonts, use Download as Softfont into printer (Adobe PS Driver). For TrueType Download Options choose Outline. Use PostScript Level 2 if you are having trouble with a non-PS printer and if there is a choice. -

`cupsaddsmb Does Not Work with Newly Installed Printer`

+

`cupsaddsmb Does Not Work with Newly Installed Printer`

Symptom: The last command of cupsaddsmb does not complete successfully. If the cmd = setdriver printername printername result was NT_STATUS_UNSUCCESSFUL, then possibly the printer was not yet recognized by Samba. Did it show up in Network Neighborhood? Did it show up in rpcclient hostname -c `enumprinters'? Restart smbd (or send a kill -HUP to all processes listed by smbstatus, and try again. -

`Permissions on /var/spool/samba/ Get Reset After Each Reboot`

+

`Permissions on /var/spool/samba/ Get Reset After Each Reboot`

Have you ever by accident set the CUPS spool directory to the same location (RequestRoot /var/spool/samba/ in cupsd.conf or the other way round: -/var/spool/cups/ is set as path> in the [printers] section)? These must be different. Set RequestRoot -/var/spool/cups/ in cupsd.conf and path = +/var/spool/cups/ is set as path> in the [printers] section)? These must be different. Set RequestRoot +/var/spool/cups/ in cupsd.conf and path = /var/spool/samba in the [printers] section of smb.conf. Otherwise, cupsd will sanitize permissions to its spool directory with each restart and printing will not work reliably. -

`Print Queue Called “lp” Mishandles Print Jobs`

+

`Print Queue Called “lp” Mishandles Print Jobs`

In this case a print queue called “lp” intermittently swallows jobs and spits out completely different ones from what was sent.

- - - + + + It is a bad idea to name any printer “lp”. This is the traditional UNIX name for the default printer. CUPS may be set up to do an automatic creation of Implicit Classes. This means, to group all printers with the same name to a pool of devices and load-balance the jobs across them in a round-robin fashion. @@ -3095,13 +3095,13 @@ BrowseShortNames No. It will present any printer as printername@cupshost, which gives you better control over what may happen in a large networked environment. -

`Location of Adobe PostScript Driver Files for “cupsaddsmb”`

+

`Location of Adobe PostScript Driver Files for “cupsaddsmb”`

Use smbclient to connect to any Windows box with a shared PostScript printer: smbclient //windowsbox/print\$ -U guest. You can navigate to the W32X86/2 subdir to mget ADOBE* and other files or to WIN40/0 to do the same. Another option is to download the *.exe packaged files from the Adobe Web site. -

`Overview of the CUPS Printing Processes`

+

`Overview of the CUPS Printing Processes`

A complete overview of the CUPS printing processes can be found in the CUPS Printing Overview diagram. -

Figure 21.19. CUPS Printing Overview.

^[6]See also http://www.cups.org/cups-help.html

Prev	Up	Next
Chapter 20. Classical Printing Support	Home	Chapter 22. Stackable VFS modules

+ Figure 21.19. CUPS Printing Overview. ^[6]See also http://www.cups.org/cups-help.html Prev Up Next Chapter 20. Classical Printing Support Home Chapter 22. Stackable VFS modules diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20rc2/docs/htmldocs/Samba3-HOWTO/diagnosis.html samba-3.0.20/docs/htmldocs/Samba3-HOWTO/diagnosis.html --- samba-3.0.20rc2/docs/htmldocs/Samba3-HOWTO/diagnosis.html 2005-08-07 11:25:16.000000000 -0500 +++ samba-3.0.20/docs/htmldocs/Samba3-HOWTO/diagnosis.html 2005-08-19 13:03:47.000000000 -0500 @@ -1,5 +1,5 @@ -Chapter 37. The Samba ChecklistChapter 37. The Samba Checklist Prev Part V. Troubleshooting Next Chapter 37. The Samba Checklist Andrew Tridgell Samba Team <tridge@samba.org> Jelmer R. Vernooij The Samba Team <jelmer@samba.org> Dan Shearer Samba Team <dan@samba.org> Wed Jan 15 Table of Contents Introduction Assumptions The Tests Introduction - +Chapter 37. The Samba Checklist Chapter 37. The Samba Checklist Prev Part V. Troubleshooting Next Chapter 37. The Samba Checklist Andrew Tridgell Samba Team <tridge@samba.org> Jelmer R. Vernooij The Samba Team <jelmer@samba.org> Dan Shearer Samba Team <dan@samba.org> Wed Jan 15 Table of Contents Introduction Assumptions The Tests Introduction + This file contains a list of tests you can perform to validate your Samba server. It also tells you what the likely cause of the problem is if it fails any one of these steps. If it passes all these tests, @@ -14,7 +14,7 @@ If you send one of the Samba mailing lists an email saying, “It does not work,” and you have not followed this test procedure, you should not be surprised if your email is ignored. - Assumptions + Assumptions In all of the tests, it is assumed you have a Samba server called BIGSERVER and a PC called ACLIENT, both in workgroup TESTGROUP. @@ -24,31 +24,31 @@ smb.conf. I for our examples this share is called tmp. You can add a tmp share like this by adding the lines shown in the next example. - Example 37.1. smb.conf with [tmp] Share [tmp] comment = temporary files path = /tmp read only = yes Note + Example 37.1. smb.conf with [tmp] Share [tmp] comment = temporary files path = /tmp read only = yes Note These tests assume version 3.0.0 or later of the Samba suite. Some commands shown did not exist in earlier versions. - - - + + + Please pay attention to the error messages you receive. If any error message reports that your server is being unfriendly, you should first check that your IP name resolution is correctly set up. Make sure your /etc/resolv.conf file points to name servers that really do exist. - - - - + + + + Also, if you do not have DNS server access for name resolution, please check that the settings for your smb.conf file results in dns proxy = no. The best way to check this is with testparm smb.conf. - - - - - + + + + + It is helpful to monitor the log files during testing by using the tail -F log_file_name in a separate terminal console (use ctrl-alt-F1 through F6 or multiple terminals in X). @@ -59,36 +59,36 @@ If you make changes to your smb.conf file while going through these test, remember to restart smbd and nmbd. - The Tests Procedure 37.1. Diagnosing Your Samba Server - + The Tests Procedure 37.1. Diagnosing Your Samba Server + In the directory in which you store your smb.conf file, run the command testparm smb.conf. If it reports any errors, then your smb.conf configuration file is faulty. Note - - + + Your smb.conf file may be located in /etc/samba or in /usr/local/samba/lib. - + Run the command ping BIGSERVER from the PC and ping ACLIENT from the UNIX box. If you do not get a valid response, then your TCP/IP software is not correctly installed. You will need to start a “DOS prompt” window on the PC to run ping. - - - + + + If you get a message saying “host not found” or a similar message, then your DNS software or /etc/hosts file is not correctly set up. If using DNS, check that the /etc/resolv.conf has correct, current, entries in it. It is possible to run Samba without DNS entries for the server and client, but it is assumed you do have correct entries for the remainder of these tests. - - - + + + Another reason why ping might fail is if your host is running firewall software. You will need to relax the rules to let in the workstation in question, perhaps by allowing access from another subnet (on Linux @@ -98,8 +98,8 @@ Modern Linux distributions install ipchains/iptables by default. This is a common problem that is often overlooked. - - + + If you wish to check what firewall rules may be present in a system under test, simply run iptables -L -v, or if ipchains-based firewall rules are in use, ipchains -L -v. @@ -133,12 +133,12 @@ Run the command smbclient -L BIGSERVER on the UNIX box. You should get back a list of available shares. - - - - - - + + + + + + If you get an error message containing the string “bad password”, then you probably have either an incorrect hosts allow, hosts deny, or valid users line in your @@ -146,15 +146,15 @@ temporarily remove any hosts allow, hosts deny, valid users, or invalid users lines. - + If you get a message connection refused response, then the smbd server may not be running. If you installed it in inetd.conf, then you probably edited that file incorrectly. If you installed it as a daemon, then check that it is running and check that the netbios-ssn port is in a LISTEN state using netstat -a. Note - - + + Some UNIX/Linux systems use xinetd in place of inetd. Check your system documentation for the location of the control files for your particular system implementation of @@ -171,36 +171,36 @@ There are a number of reasons for which smbd may refuse or decline a session request. The most common of these involve one or more of the smb.conf file entries as shown in the next example. - Example 37.2. Configuration for Allowing Connections Only from a Certain Subnet [globals] hosts deny = ALL hosts allow = xxx.xxx.xxx.xxx/yy interfaces = eth0 bind interfaces only = Yes - + Example 37.2. Configuration for Allowing Connections Only from a Certain Subnet [globals] hosts deny = ALL hosts allow = xxx.xxx.xxx.xxx/yy interfaces = eth0 bind interfaces only = Yes + In Configuration for Allowing Connections Only from a Certain Subnet, no allowance has been made for any session requests that will automatically translate to the loopback adapter address 127.0.0.1. To solve this problem, change these lines as shown in the following example. - Example 37.3. Configuration for Allowing Connections from a Certain Subnet and localhost [globals] hosts deny = ALL hosts allow = xxx.xxx.xxx.xxx/yy 127. interfaces = eth0 lo - - + Example 37.3. Configuration for Allowing Connections from a Certain Subnet and localhost [globals] hosts deny = ALL hosts allow = xxx.xxx.xxx.xxx/yy 127. interfaces = eth0 lo + + Another common cause of these two errors is having something already running on port 139, such as Samba (smbd is running from inetd already) or Digital's Pathworks. Check your inetd.conf file before trying to start smbd as a daemon it can avoid a lot of frustration! - - - - - + + + + + And yet another possible cause for failure of this test is when the subnet mask and/or broadcast address settings are incorrect. Please check that the network interface IP address/broadcast address/subnet mask settings are correct and that Samba has correctly noted these in the log.nmbd file. - + Run the command nmblookup -B BIGSERVER __SAMBA__. You should get back the IP address of your Samba server. - - - + + + If you do not, then nmbd is incorrectly installed. Check your inetd.conf if you run it from there, or that the daemon is running and listening to UDP port 137. @@ -209,7 +209,7 @@ one-line script that contains the right parameters and run that from inetd. - + Run the command nmblookup -B ACLIENT `*'. You should get the PC's IP address back. If you do not, then the client @@ -228,9 +228,9 @@ should see the got a positive name query response messages from several hosts. - + If this does not give a result similar to the previous test, then nmblookup isn't correctly getting your -broadcast address through its automatic mechanism. In this case you should experiment with the interfaces option in smb.conf to manually configure your IP address, broadcast, and netmask. +broadcast address through its automatic mechanism. In this case you should experiment with the interfaces option in smb.conf to manually configure your IP address, broadcast, and netmask. If your PC and server aren't on the same subnet, then you will need to use the -B option to set the broadcast address to that of the PC's subnet. @@ -238,7 +238,7 @@ This test will probably fail if your subnet mask and broadcast address are not correct. (Refer to test 3 notes above). - + Run the command smbclient //BIGSERVER/TMP. You should then be prompted for a password. You should use the password of the account with which you are logged into the UNIX box. If you want to test with @@ -257,29 +257,29 @@ You have shadow passwords (or some other password system) but didn't compile in support for them in smbd. - Your valid users configuration is incorrect. + Your valid users configuration is incorrect. - You have a mixed-case password and you haven't enabled the password level option at a high enough level. + You have a mixed-case password and you haven't enabled the password level option at a high enough level. - The path line in smb.conf is incorrect. Check it with testparm. + The path line in smb.conf is incorrect. Check it with testparm. You enabled password encryption but didn't map UNIX to Samba users. Run smbpasswd -a username - - - - + + + + Once connected, you should be able to use the commands dir, get, put, and so on. Type help command for instructions. You should especially check that the amount of free disk space shown is correct when you type dir. - + On the PC, type the command net view \\BIGSERVER. You will need to do this from within a DOS prompt window. You should get back a list of shares available on the server. - + If you get a message network name not found or similar error, then NetBIOS name resolution is not working. This is usually caused by a problem in nmbd. To overcome it, you could do one of the following (you only need to choose one of them): @@ -317,14 +317,14 @@ It's also possible that the server can't work out what username to connect you as. To see if this is the problem, add the line -user = username to the +user = username to the [tmp] section of smb.conf where username is the username corresponding to the password you typed. If you find this fixes things, you may need the username mapping option. It might also be the case that your client only sends encrypted passwords -and you have encrypt passwords = no in smb.conf. +and you have encrypt passwords = no in smb.conf. Change this setting to `yes' to fix this. Run the command nmblookup -M testgroup where @@ -335,7 +335,7 @@ If you do not, then the election process has failed. Wait a minute to see if it is just being slow, then try again. If it still fails after that, then look at the browsing options you have set in smb.conf. Make -sure you have preferred master = yes to ensure that +sure you have preferred master = yes to ensure that an election is held at startup. From file manager, try to browse the server. Your Samba server should @@ -345,8 +345,8 @@ you are probably running Windows NT and it is refusing to browse a server that has no encrypted password capability and is in user-level security mode. In this case, either set -security = server and -password server = Windows_NT_Machine in your -smb.conf file or make sure encrypt passwords is +security = server and +password server = Windows_NT_Machine in your +smb.conf file or make sure encrypt passwords is set to “yes”. Prev Up Next Part V. Troubleshooting Home Chapter 38. Analyzing and Solving Samba Problems diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20rc2/docs/htmldocs/Samba3-HOWTO/DNSDHCP.html samba-3.0.20/docs/htmldocs/Samba3-HOWTO/DNSDHCP.html --- samba-3.0.20rc2/docs/htmldocs/Samba3-HOWTO/DNSDHCP.html 2005-08-07 11:25:20.000000000 -0500 +++ samba-3.0.20/docs/htmldocs/Samba3-HOWTO/DNSDHCP.html 2005-08-19 13:03:50.000000000 -0500 @@ -1,6 +1,6 @@ -Chapter 46. DNS and DHCP Configuration GuideChapter 46. DNS and DHCP Configuration Guide Prev Part VI. Reference Section Next Chapter 46. DNS and DHCP Configuration Guide John H. Terpstra Samba Team <jht@samba.org> Table of Contents Features and Benefits Example Configuration Dynamic DNS DHCP Server Features and Benefits - - +Chapter 46. DNS and DHCP Configuration Guide Chapter 46. DNS and DHCP Configuration Guide Prev Part VI. Reference Section Next Chapter 46. DNS and DHCP Configuration Guide John H. Terpstra Samba Team <jht@samba.org> Table of Contents Features and Benefits Example Configuration Dynamic DNS DHCP Server Features and Benefits + + There are few subjects in the UNIX world that might raise as much contention as Domain Name System (DNS) and Dynamic Host Configuration Protocol (DHCP). Not all opinions held for or against particular implementations of DNS and DHCP @@ -10,16 +10,16 @@ and freedom. Microsoft Windows users in particular expect to be able to plug their notebook computer into a network port and have things “just work.” - + UNIX administrators have a point. Many of the normative practices in the Microsoft Windows world at best border on bad practice from a security perspective. Microsoft Windows networking protocols allow workstations to arbitrarily register themselves on a network. Windows 2000 Active Directory registers entries in the DNS namespace that are equally perplexing to UNIX administrators. Welcome to the new world! - - - + + + The purpose of this chapter is to demonstrate the configuration of the Internet Software Consortium (ISC) DNS and DHCP servers to provide dynamic services that are compatible with their equivalents in the Microsoft Windows 2000 Server products. @@ -27,26 +27,26 @@ This chapter provides no more than a working example of configuration files for both DNS and DHCP servers. The examples used match configuration examples used elsewhere in this document. - - - + + + This chapter explicitly does not provide a tutorial, nor does it pretend to be a reference guide on DNS and DHCP, as this is well beyond the scope and intent of this document as a whole. Anyone who wants more detailed reference materials on DNS or DHCP should visit the ISC Web site at http://www.isc.org. Those wanting a written text might also be interested in the O'Reilly publications on DNS, see the O'Reilly web site, and the BIND9.NET web site for details. The books are: - DNS and BIND, By Cricket Liu, Paul Albitz, ISBN: 1-56592-010-4 DNS & Bind Cookbook, By Cricket Liu, ISBN: 0-596-00410-9 The DHCP Handbook (2nd Edition), By: Ralph Droms, Ted Lemon, ISBN 0-672-32327-3 Example Configuration - - + DNS and BIND, By Cricket Liu, Paul Albitz, ISBN: 1-56592-010-4 DNS & Bind Cookbook, By Cricket Liu, ISBN: 0-596-00410-9 The DHCP Handbook (2nd Edition), By: Ralph Droms, Ted Lemon, ISBN 0-672-32327-3 Example Configuration + + The DNS is to the Internet what water is to life. Nearly all information resources (host names) are resolved to their Internet protocol (IP) addresses through DNS. Windows networking tried hard to avoid the -complexities of DNS, but alas, DNS won. The alternative to +complexities of DNS, but alas, DNS won. The alternative to DNS, the Windows Internet Name Service (WINS) an artifact of NetBIOS networking over the TCP/IP protocols has demonstrated scalability problems as well as a flat, nonhierarchical namespace that became unmanageable as the size and complexity of information technology networks grew. - - + + WINS is a Microsoft implementation of the RFC1001/1002 NetBIOS Name Service (NBNS). It allows NetBIOS clients (like Microsoft Windows machines) to register an arbitrary machine name that the administrator or user has chosen together with the IP @@ -66,13 +66,13 @@ The following configurations demonstrate a simple, insecure dynamic DNS server and a simple DHCP server that matches the DNS configuration. - Dynamic DNS - + Dynamic DNS + The example DNS configuration is for a private network in the IP address space for network 192.168.1.0/24. The private class network address space is set forth in RFC1918. - + It is assumed that this network will be situated behind a secure firewall. The files that follow work with ISC BIND version 9. BIND is the Berkeley Internet Name Daemon. @@ -223,8 +223,8 @@ 2 PTR marvel.quenya.org. - - + + The configuration files shown here were copied from a fully working system. All dynamically registered entries have been removed. In addition to these files, BIND version 9 will create for each of the dynamic registration files a file that has a @@ -260,4 +260,4 @@ In this example, IP addresses between 192.168.1.1 and 192.168.1.59 are reserved for fixed-address (commonly called hard-wired) IP addresses. The addresses between 192.168.1.60 and 192.168.1.254 are allocated for dynamic use. - Prev Up Next Chapter 45. Samba Support Home Manual pages + Prev Up Next Chapter 45. Samba Support Home Appendix A. GNU General Public License diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.20rc2/docs/htmldocs/Samba3-HOWTO/domain-member.html samba-3.0.20/docs/htmldocs/Samba3-HOWTO/domain-member.html --- samba-3.0.20rc2/docs/htmldocs/Samba3-HOWTO/domain-member.html 2005-08-07 11:24:45.000000000 -0500 +++ samba-3.0.20/docs/htmldocs/Samba3-HOWTO/domain-member.html 2005-08-19 13:03:23.000000000 -0500 @@ -1,14 +1,14 @@ -Chapter 6. Domain MembershipChapter 6. Domain Membership Prev Part II. Server Configuration Basics Next Chapter 6. Domain Membership John H. Terpstra Samba Team <jht@samba.org> Jeremy Allison Samba Team <jra@samba.org> Gerald (Jerry) Carter Samba Team <jerry@samba.org> Andrew Tridgell Samba Team <tridge@samba.org> Jelmer R. Vernooij The Samba Team <jelmer@samba.org> Guenther Deschner LDAP updatesSuSE <gd@suse.de> Table of Contents Features and Benefits MS Windows Workstation/Server Machine Trust Accounts Manual Creation of Machine Trust Accounts Managing Domain Machine Accounts using NT4 Server Manager On-the-Fly Creation of Machine Trust Accounts Making an MS Windows Workstation or Server a Domain Member Domain Member Server Joining an NT4-type Domain with Samba-3 Why Is This Better Than security = server? Samba ADS Domain Membership Configure smb.conf Configure /etc/krb5.conf Create the Computer Account Testing Server Setup Testing with smbclient Notes Sharing User ID Mappings between Samba Domain Members Common Errors Cannot Add Machine Back to Domain Adding Machine to Domain Fails I Can't Join a Windows 2003 PDC - - - +Chapter 6. Domain Membership Chapter 6. Domain Membership Prev Part II. Server Configuration Basics Next Chapter 6. Domain Membership John H. Terpstra Samba Team <jht@samba.org> Jeremy Allison Samba Team <jra@samba.org> Gerald (Jerry) Carter Samba Team <jerry@samba.org> Andrew Tridgell Samba Team <tridge@samba.org> Jelmer R. Vernooij The Samba Team <jelmer@samba.org> Guenther Deschner LDAP updatesSuSE <gd@suse.de> Table of Contents Features and Benefits MS Windows Workstation/Server Machine Trust Accounts Manual Creation of Machine Trust Accounts Managing Domain Machine Accounts using NT4 Server Manager On-the-Fly Creation of Machine Trust Accounts Making an MS Windows Workstation or Server a Domain Member Domain Member Server Joining an NT4-type Domain with Samba-3 Why Is This Better Than security = server? Samba ADS Domain Membership Configure smb.conf Configure /etc/krb5.conf Create the Computer Account Testing Server Setup Testing with smbclient Notes Sharing User ID Mappings between Samba Domain Members Common Errors Cannot Add Machine Back to Domain Adding Machine to Domain Fails I Can't Join a Windows 2003 PDC + + + Domain membership is a subject of vital concern. Samba must be able to participate as a member server in a Microsoft domain security context, and Samba must be capable of providing domain machine member trust accounts; otherwise it would not be able to offer a viable option for many users. - - + + This chapter covers background information pertaining to domain membership, the Samba configuration for it, and MS Windows client procedures for joining a domain. Why is this necessary? Because both are areas in which there exists @@ -16,10 +16,10 @@ UNIX/Linux networking and administration world, a considerable level of misinformation, incorrect understanding, and lack of knowledge. Hopefully this chapter will fill the voids. - Features and Benefits - - - + Features and Benefits + + + MS Windows workstations and servers that want to participate in domain security need to be made domain members. Participating in domain security is often called single sign-on, or SSO for short. This @@ -27,68 +27,68 @@ (or another server be it an MS Windows NT4/200x server) or a Samba server a member of an MS Windows domain security context. - - - - + + + + Samba-3 can join an MS Windows NT4-style domain as a native member server, an MS Windows Active Directory domain as a native member server, or a Samba domain control network. Domain membership has many advantages: - + MS Windows workstation users get the benefit of SSO. - - - - + + + + Domain user access rights and file ownership/access controls can be set from the single Domain Security Account Manager (SAM) database (works with domain member servers as well as with MS Windows workstations that are domain members). - - + + Only MS Windows NT4/200x/XP Professional workstations that are domain members can use network logon facilities. - - - - + + + + Domain member workstations can be better controlled through the use of policy files (NTConfig.POL) and desktop profiles. - - - + + + Through the use of logon scripts, users can be given transparent access to network applications that run off application servers. - - - - + + + + Network administrators gain better application and user access management abilities because there is no need to maintain user accounts on any network client or server other than the central domain database (either NT4/Samba SAM-style domain, NT4 domain that is backend-ed with an LDAP directory, or via an Active Directory infrastructure). MS Windows Workstation/Server Machine Trust Accounts - - - - + + + + A Machine Trust Account is an account that is used to authenticate a client machine (rather than a user) to the domain controller server. In Windows terminology, this is known as a “computer account.” The purpose of the machine trust account is to prevent a rogue user and domain controller from colluding to gain access to a domain member workstation. - - - - - + + + + + The password of a Machine Trust Account acts as the shared secret for secure communication with the domain controller. This is a security feature to prevent an unauthorized machine with the same NetBIOS name from joining the domain, participating in domain security operations, and gaining access to domain user/group @@ -96,10 +96,10 @@ clients do not. Hence, a Windows 9x/Me/XP Home client is never a true member of a domain because it does not possess a Machine Trust Account, and, thus, has no shared secret with the domain controller. - - - - + + + + A Windows NT4 PDC stores each Machine Trust Account in the Windows Registry. The introduction of MS Windows 2000 saw the introduction of Active Directory, the new repository for Machine Trust Accounts. A Samba PDC, however, stores @@ -107,69 +107,69 @@ as follows: - - - - A domain security account (stored in the passdb backend) that has been configured in + + + + A domain security account (stored in the passdb backend) that has been configured in the smb.conf file. The precise nature of the account information that is stored depends on the type of backend database that has been chosen. - - - - - - + + + + + + The older format of this data is the smbpasswd database that contains the UNIX login ID, the UNIX user identifier (UID), and the LanMan and NT-encrypted passwords. There is also some other information in this file that we do not need to concern ourselves with here. - - - - + + + + The two newer database types are called ldapsam and tdbsam. Both store considerably more data than the older smbpasswd file did. The extra information enables new user account controls to be implemented. - - + + A corresponding UNIX account, typically stored in /etc/passwd. Work is in progress to allow a simplified mode of operation that does not require UNIX user accounts, but this has not been a feature of the early releases of Samba-3, and is not currently planned for release either. - + There are three ways to create Machine Trust Accounts: - + Manual creation from the UNIX/Linux command line. Here, both the Samba and corresponding UNIX account are created by hand. - - + + Using the MS Windows NT4 Server Manager, either from an NT4 domain member server or using the Nexus toolkit available from the Microsoft Web site. This tool can be run from any MS Windows machine as long as the user is logged on as the administrator account. - - + + “On-the-fly” creation. The Samba Machine Trust Account is automatically created by Samba at the time the client is joined to the domain. (For security, this is the recommended method.) The corresponding UNIX account may be created automatically or manually. - - + + Neither MS Windows NT4/200x/XP Professional, nor Samba, provide any method for enforcing the method of machine trust account creation. This is a matter of the administrator's choice. - Manual Creation of Machine Trust Accounts - - - - + Manual Creation of Machine Trust Accounts + + + + The first step in manually creating a Machine Trust Account is to manually create the corresponding UNIX account in /etc/passwd. This can be done using vipw or another “adduser” command @@ -183,25 +183,25 @@ root# passwd -l machine_name$ - - - + + + In the example above there is an existing system group “machines” which is used as the primary group for all machine accounts. In the following examples the “machines” group numeric GID is 100. - - + + On *BSD systems, this can be done using the chpass utility: root# chpass -a \ 'machine_name$:*:101:100::0:0:Windows machine_name:/dev/null:/sbin/nologin' - - - - + + + + The /etc/passwd entry will list the machine name with a “$” appended, and will not have a password, will have a null shell and no home directory. For example, a machine named “doppy” would have an @@ -210,9 +210,9 @@ doppy$:x:505:100:machine_nickname:/dev/null:/bin/false - - - + + + in which machine_nickname can be any descriptive name for the client, such as BasementComputer. machine_name absolutely must be the NetBIOS @@ -220,9 +220,9 @@ appended to the NetBIOS name of the client or Samba will not recognize this as a Machine Trust Account. - - - + + + Now that the corresponding UNIX account has been created, the next step is to create the Samba account for the client containing the well-known initial Machine Trust Account password. This can be done using the @@ -232,48 +232,48 @@ root# smbpasswd -a -m machine_name - - - - + + + + where machine_name is the machine's NetBIOS name. The RID of the new machine account is generated from the UID of the corresponding UNIX account. Join the client to the domain immediately - - - - - + + + + + Manually creating a Machine Trust Account using this method is the equivalent of creating a Machine Trust Account on a Windows NT PDC using - + the Server Manager. From the time at which the account is created to the time the client joins the domain and changes the password, your domain is vulnerable to an intruder joining your domain using a machine with the same NetBIOS name. A PDC inherently trusts members of the domain and will serve out a large degree of user information to such clients. You have been warned! - Managing Domain Machine Accounts using NT4 Server Manager - - - -A working add machine script is essential + Managing Domain Machine Accounts using NT4 Server Manager + + + +A working add machine script is essential for machine trust accounts to be automatically created. This applies no matter whether you use automatic account creation or the NT4 Domain Server Manager. - - - - + + + + If the machine from which you are trying to manage the domain is an MS Windows NT4 workstation or MS Windows 200x/XP Professional, the tool of choice is the package called SRVTOOLS.EXE. When executed in the target directory it will unpack SrvMgr.exe and UsrMgr.exe (both are domain management tools for MS Windows NT4 workstation). - - + + If your workstation is a Microsoft Windows 9x/Me family product, you should download the Nexus.exe package from the Microsoft Web site. When executed from the target directory, it will unpack the same tools but for use on @@ -283,10 +283,10 @@ 173673, and 172540 - - + + Launch the srvmgr.exe (Server Manager for Domains) and follow these steps: - Procedure 6.1. Server Manager Account Machine Account Management + Procedure 6.1. Server Manager Account Machine Account Management From the menu select Computer. Click Select Domain. @@ -303,82 +303,82 @@ Add NT Workstation of Server, then enter the machine name in the field provided, and click the Add button. - On-the-Fly Creation of Machine Trust Accounts - + On-the-Fly Creation of Machine Trust Accounts + The third (and recommended) way of creating Machine Trust Accounts is simply to allow the Samba server to create them as needed when the client is joined to the domain. - - - + + + Since each Samba Machine Trust Account requires a corresponding UNIX account, a method for automatically creating the UNIX account is usually supplied; this requires configuration of the add machine script option in smb.conf. This method is not required; however, corresponding UNIX accounts may also be created manually. - - + + Here is an example for a Red Hat Linux system: - [global] add machine script = /usr/sbin/useradd -d /var/lib/nobody -g 100 -s /bin/false -M %u - Making an MS Windows Workstation or Server a Domain Member + [global] add machine script = /usr/sbin/useradd -d /var/lib/nobody -g 100 -s /bin/false -M %u + Making an MS Windows Workstation or Server a Domain Member The procedure for making an MS Windows workstation or server a member of the domain varies with the version of Windows. - Windows 200x/XP Professional Client - - - - + Windows 200x/XP Professional Client + + + + When the user elects to make the client a domain member, Windows 200x prompts for an account and password that has privileges to create machine accounts in the domain. A Samba administrator account (i.e., a Samba account that has root privileges on the Samba server) must be entered here; the operation will fail if an ordinary user account is given. - - + + For security reasons, the password for this administrator account should be set to a password that is other than that used for the root user in /etc/passwd. - - - - + + + + The name of the account that is used to create domain member machine trust accounts can be anything the network administrator may choose. If it is other than root, then this is easily mapped to root in the file named in the smb.conf parameter - username map = /etc/samba/smbusers. + username map = /etc/samba/smbusers. - - - + + + The session key of the Samba administrator account acts as an encryption key for setting the password of the machine trust account. The Machine Trust Account will be created on-the-fly, or updated if it already exists. - Windows NT4 Client - - - + Windows NT4 Client + + + If the Machine Trust Account was created manually, on the Identification Changes menu enter the domain name, but do not check the box Create a Computer Account in the Domain. In this case, the existing Machine Trust Account is used to join the machine to the domain. - - - - + + + + If the Machine Trust Account is to be created on the fly, on the Identification Changes menu enter the domain name and check the box Create a Computer Account in the Domain. In this case, joining the domain proceeds as above for Windows 2000 (i.e., you must supply a Samba administrator account when prompted). - Samba Client - + Samba Client + Joining a Samba client to a domain is documented in the next section. Domain Member Server - - - - + + + + This mode of server operation involves the Samba machine being made a member of a domain security context. This means by definition that all user authentication will be done from a centrally defined authentication regime. @@ -387,106 +387,106 @@ MS Windows 2000 or later. - - - - - - - - + + + + + + + + Of course it should be clear that the authentication backend itself could be from any distributed directory architecture server that is supported by Samba. This can be LDAP (from OpenLDAP), or Sun's iPlanet, or Novell e-Directory Server, and so on. Note - - - + + + When Samba is configured to use an LDAP or other identity management and/or directory service, it is Samba that continues to perform user and machine authentication. It should be noted that the LDAP server does not perform authentication handling in place of what Samba is designed to do. - - - + + + Please refer to Domain Control, for more information regarding how to create a domain machine account for a domain member server as well as for information on how to enable the Samba domain member machine to join the domain and be fully trusted by it. - Joining an NT4-type Domain with Samba-3 Assumptions lists names that are used in the remainder of this chapter. Table 6.1. Assumptions Samba DMS NetBIOS name: SERV1 Windows 200x/NT domain name: MIDEARTH Domain's PDC NetBIOS name: DOMPDC Domain's BDC NetBIOS names: DOMBDC1 and DOMBDC2 - + Joining an NT4-type Domain with Samba-3 Assumptions lists names that are used in the remainder of this chapter. Table 6.1. Assumptions Samba DMS NetBIOS name: SERV1 Windows 200x/NT domain name: MIDEARTH Domain's PDC NetBIOS name: DOMPDC Domain's BDC NetBIOS names: DOMBDC1 and DOMBDC2 + First, you must edit your smb.conf file to tell Samba it should now use domain security. - - - - -Change (or add) your security line in the [global] section + + + + +Change (or add) your security line in the [global] section of your smb.conf to read: - security = domain + security = domain Note that if the parameter security = user is used, this machine would function as a standalone server and not as a domain member server. Domain security mode causes Samba to work within the domain security context. -Next change the workgroup line in the [global] +Next change the workgroup line in the [global] section to read: - workgroup = MIDEARTH + workgroup = MIDEARTH This is the name of the domain we are joining. - - -You must also have the parameter encrypt passwords + + +You must also have the parameter encrypt passwords set to yes in order for your users to authenticate to the NT PDC. This is the default setting if this parameter is not specified. There is no need to specify this parameter, but if it is specified in the smb.conf file, it must be set to Yes. - - - - -Finally, add (or modify) a password server line in the [global] + + + + +Finally, add (or modify) a password server line in the [global] section to read: - password server = DOMPDC DOMBDC1 DOMBDC2 + password server = DOMPDC DOMBDC1 DOMBDC2 These are the PDC and BDCs Samba will attempt to contact in order to authenticate users. Samba will try to contact each of these servers in order, so you may want to rearrange this list in order to spread out the authentication load among Domain Controllers. - - - - + + + + Alternatively, if you want smbd to determine automatically the list of domain controllers to use for authentication, you may set this line to be: - password server = * - + password server = * + This method allows Samba to use exactly the same mechanism that NT does. The method either uses broadcast-based name resolution, performs a WINS database lookup in order to find a domain controller against which to authenticate, or locates the domain controller using DNS name resolution. To join the domain, run this command: - + root# net rpc join -S DOMPDC -UAdministrator%password - - - - + + + + If the -S DOMPDC argument is not given, the domain name will be obtained from smb.conf and the NetBIOS name of the PDC will be obtained either using a WINS lookup or via NetBIOS broadcast based name look up. - - - - + + + + The machine is joining the domain DOM, and the PDC for that domain (the only machine that has write access to the domain SAM database) is DOMPDC; therefore, use the -S option. The Administrator%password is the login name and @@ -497,9 +497,9 @@ Joined domain DOM. - - - + + + Where Active Directory is used, the command used to join the ADS domain is: root# net ads join -UAdministrator%password @@ -512,75 +512,75 @@ Refer to the net man page and to the chapter on remote administration for further information. - - - + + + This process joins the server to the domain without separately having to create the machine trust account on the PDC beforehand. - - - - + + + + This command goes through the machine account password change protocol, then writes the new (random) machine account password for this Samba server into a file in the same directory in which a smbpasswd file would be normally stored. The trust account information that is needed by the DMS is written into the file /usr/local/samba/private/secrets.tdb or /etc/samba/secrets.tdb. - - + + This file is created and owned by root and is not readable by any other user. It is the key to the domain-level security for your system and should be treated as carefully as a shadow password file. - - - + + + Finally, restart your Samba daemons and get ready for clients to begin using domain security. The way you can restart your Samba daemons depends on your distribution, but in most cases the following will suffice: root# /etc/init.d/samba restart - Why Is This Better Than security = server? - - - + Why Is This Better Than security = server? + + + Currently, domain security in Samba does not free you from having to create local UNIX users to represent the users attaching to your server. This means that if domain user DOM\fred attaches to your domain security Samba server, there needs to be a local UNIX user fred to represent that user in the UNIX file -system. This is similar to the older Samba security mode security = server, where Samba would pass through the authentication request to a Windows +system. This is similar to the older Samba security mode security = server, where Samba would pass through the authentication request to a Windows NT server in the same way as a Windows 95 or Windows 98 server would. - - - + + + Please refer to Winbind: Use of Domain Accounts, for information on a system to automatically assign UNIX UIDs and GIDs to Windows NT domain users and groups. - - - + + + The advantage of domain-level security is that the authentication in domain-level security is passed down the authenticated RPC channel in exactly the same way that an NT server would do it. This means Samba servers now participate in domain trust relationships in exactly the same way NT servers do (i.e., you can add Samba servers into a resource domain and have the authentication passed on from a resource domain PDC to an account domain PDC). - - - -In addition, with security = server, every Samba daemon on a server has to + + + +In addition, with security = server, every Samba daemon on a server has to keep a connection open to the authenticating server for as long as that daemon lasts. This can drain the connection resources on a Microsoft NT server and cause it to run out of available connections. With -security = domain, however, the Samba daemons connect to the PDC or BDC +security = domain, however, the Samba daemons connect to the PDC or BDC only for as long as is necessary to authenticate the user and then drop the connection, thus conserving PDC connection resources. - - - - + + + + Finally, acting in the same manner as an NT server authenticating to a PDC means that as part of the authentication reply, the Samba server gets the user identification information such as the user SID, the list of NT groups the user belongs to, and so on. @@ -589,58 +589,58 @@ LinuxWorld as the article http://www.linuxworld.com/linuxworld/lw-1998-10/lw-10-samba.html Doing the NIS/NT Samba. Samba ADS Domain Membership - - - - + + + + This is a rough guide to setting up Samba-3 with Kerberos authentication against a Windows 200x KDC. A familiarity with Kerberos is assumed. - Configure smb.conf + Configure smb.conf You must use at least the following three options in smb.conf: - realm = your.kerberos.REALM security = ADS # The following parameter need only be specified if present. # The default setting if not present is Yes. encrypt passwords = yes - - - - - + realm = your.kerberos.REALM security = ADS # The following parameter need only be specified if present. # The default setting if not present is Yes. encrypt passwords = yes + + + + + In case samba cannot correctly identify the appropriate ADS server using the realm name, use the -password server option in smb.conf: - password server = your.kerberos.server +password server option in smb.conf: + password server = your.kerberos.server The most common reason for which Samba may not be able to locate the ADS domain controller is a consequence of sites maintaining some DNS servers on UNIX systems without regard for the DNS requirements of the ADS infrastructure. There is no harm in specifying a preferred ADS domain controller using the password server. Note - - + + You do not need an smbpasswd file, and older clients will be authenticated as -if security = domain, although it will not do any harm and +if

Prev	Up	Next
Chapter 32. Handling Large Directories	Home	Part IV. Migration and Updating

Prev	Up	Next
Chapter 43. Samba Performance Tuning	Home	Chapter 45. Samba Support

Setting	Default Printing Commands
printing = bsd\|aix\|lprng\|plp	print command is lpr -r -P%p %s
printing = sysv\|hpux	print command is lp -c -P%p %s; rm %s
printing = qnx	print command is lp -r -P%p -s %s
printing = bsd\|aix\|lprng\|plp	lpq command is lpq -P%p
printing = sysv\|hpux	lpq command is lpstat -o%p
printing = qnx	lpq command is lpq -P%p
printing = bsd\|aix\|lprng\|plp	lprm command is lprm -P%p %j
printing = sysv\|hpux	lprm command is cancel %p-%j
printing = qnx	lprm command is cancel %p-%j
printing = bsd\|aix\|lprng\|plp	lppause command is lp -i %p-%j -H hold
printing = sysv\|hpux	lppause command (...is empty)
printing = qnx	lppause command (...is empty)
printing = bsd\|aix\|lprng\|plp	lpresume command is lp -i %p-%j -H resume
printing = sysv\|hpux	lpresume command (...is empty)
printing = qnx	lpresume command (...is empty)

PPD file	Printer type
deskjet.ppd	older HP inkjet printers and compatible
deskjet2.ppd	newer HP inkjet printers and compatible
dymo.ppd	label printers
epson9.ppd	Epson 24-pin impact printers and compatible
epson24.ppd	Epson 24-pin impact printers and compatible
okidata9.ppd	Okidata 9-pin impact printers and compatible
okidat24.ppd	Okidata 24-pin impact printers and compatible
stcolor.ppd	older Epson Stylus Color printers
stcolor2.ppd	newer Epson Stylus Color printers
stphoto.ppd	older Epson Stylus Photo printers
stphoto2.ppd	newer Epson Stylus Photo printers
laserjet.ppd	all PCL printers

Samba DMS NetBIOS name:	SERV1
Windows 200x/NT domain name:	MIDEARTH
Domain's PDC NetBIOS name:	DOMPDC
Domain's BDC NetBIOS names:	DOMBDC1 and DOMBDC2

Name

Synopsis

DESCRIPTION

OPTIONS

VERSION

AUTHOR

Name

Synopsis

DESCRIPTION

OPTIONS

EXAMPLES

VERSION

SEE ALSO

AUTHOR

Name

Synopsis

DESCRIPTION

OPTIONS

PROGRAMMERS GUIDE

VERSION

AUTHOR

Name

Synopsis

DESCRIPTION

FILE FORMAT

FILES

VERSION

SEE ALSO

AUTHOR

Name

Synopsis

DESCRIPTION

OPTIONS

EXAMPLES

VERSION

BUGS

SEE ALSO

AUTHOR

Name

Synopsis

DESCRIPTION

OPTIONS

Note

ENVIRONMENT VARIABLES

NOTES

CONFIGURATION

BUGS

VERSION

SEE ALSO

AUTHOR

Name

Synopsis

DESCRIPTION

OPTIONS

COMMANDS

CHANGESECRETPW

TIME

TIME

TIME SYSTEM

TIME SET

TIME ZONE

[RPC|ADS] JOIN [TYPE] [-U username[%password]] [options]

[RPC] OLDJOIN [options]

[RPC|ADS] USER

[RPC|ADS] USER

[RPC|ADS] USER DELETE target

[RPC|ADS] USER INFO target

[RPC|ADS] USER RENAME oldname newname

[RPC|ADS] USER ADD name [password] [-F user flags] [-C comment]

[RPC|ADS] GROUP

[RPC|ADS] GROUP [misc options] [targets]

[RPC|ADS] GROUP DELETE name [misc. options]

[RPC|ADS] GROUP ADD name [-C comment]

[RAP|RPC] SHARE

[RAP|RPC] SHARE [misc. options] [targets]

[RAP|RPC] SHARE ADD name=serverpath [-C comment] [-M maxusers] [targets]

SHARE DELETE sharenam

[RPC|RAP] FILE

[RPC|RAP] FILE

[RPC|RAP] FILE CLOSE fileid

[RPC|ADS] USER DELETE `target`

[RPC|ADS] USER INFO `target`

[RPC|ADS] USER RENAME `oldname` `newname`

[RPC|ADS] USER ADD `name` [password] [-F user flags] [-C comment]

[RPC|ADS] GROUP DELETE `name` [misc. options]

[RPC|ADS] GROUP ADD `name` [-C comment]

[RAP|RPC] SHARE ADD `name=serverpath` [-C comment] [-M maxusers] [targets]

SHARE DELETE `sharenam`

[RPC|RAP] FILE CLOSE `fileid`

[RPC|RAP] FILE INFO `fileid`

RAP SESSION DELETE|CLOSE `CLIENT_NAME`

RAP SESSION INFO `CLIENT_NAME`

RAP SERVER `DOMAIN`

RAP PRINTQ LIST `QUEUE_NAME`

RAP PRINTQ DELETE `JOBID`

RAP VALIDATE `user` [`password`]

RAP GROUPMEMBER LIST `GROUP`

RAP GROUPMEMBER DELETE `GROUP` `USER`

RAP GROUPMEMBER ADD `GROUP` `USER`

RAP ADMIN `command`

RAP SERVICE START `NAME` [arguments...]

RAP PASSWORD `USER` `OLDPASS` `NEWPASS`

LOOKUP HOST `HOSTNAME` [`TYPE`]

LOOKUP LDAP [`DOMAIN`

LOOKUP KDC [`REALM`]

LOOKUP DC [`DOMAIN`]

LOOKUP MASTER `DOMAIN`

CACHE ADD `key` `data` `time-out`

CACHE DEL `key`

CACHE SET `key` `data` `time-out`

CACHE SEARCH `PATTERN`

RPC TRUSTDOM ADD `DOMAIN`

RPC TRUSTDOM DEL `DOMAIM`

RPC TRUSTDOM ESTABLISH `DOMAIN`

RPC TRUSTDOM REVOKE `DOMAIN`

ADS PRINTER INFO [`PRINTER`] [`SERVER`]

ADS PRINTER PUBLISH `PRINTER`

ADS PRINTER REMOVE `PRINTER`

ADS SEARCH `EXPRESSION` `ATTRIBUTES...`