-h|—help. Print a summary of command line options.

-w target-workgroup. Sets target workgroup or domain. You have to specify either this option or the IP address or the name of a server.

-W workgroup. Sets client workgroup or domain

-U user. User name to use

-I ip-address. IP address of target server to use. You have to specify either this option or a target workgroup or a target server.

-p port. Port on the target server to connect to (usually 139 or 445). Defaults to trying 445 first, then 139.

-n <primary NetBIOS name>. This option allows you to override the NetBIOS name that Samba uses for itself. This is identical to setting the parameter in the smb.conf file. However, a command line setting will take precedence over settings in smb.conf.

-s <configuration file>. The file specified contains the configuration details required by the server. The information in this file includes server-specific information such as what printcap file to use, as well as descriptions of all the services that the server is to provide. See smb.conf for more information. The default configuration file name is determined at compile time.

-S server. Name of target server. You should specify either this option or a target workgroup or a target IP address.

-l. When listing data, give more information on each item.

-P. Make queries to the external server using the machine account of the local server.

-d|—debug=debuglevel. debuglevel is an integer from 0 to 10. The default value if this parameter is not specified is zero.

unixgroup - Name of the UNIX group

ntgroup - Name of the Windows NT group (must be resolvable to a SID

rid - Unsigned 32-bit integer

sid - Full SID in the form of ”S-1-...”

type - Type of the group; either ’domain’, ’local’, or ’builtin’

comment - Freeform text description of the group

-r. Reboot after shutdown.

-f. Force shutting down all applications.

-t timeout. Timeout before system will be shut down. An interactive user of the system can use this time to cancel the shutdown.

-C message. Display the specified message on the screen to announce the shutdown.

-D. If specified, this parameter causes nmbd to operate as a daemon. That is, it detaches itself and runs in the background, fielding requests on the appropriate port. By default, nmbd will operate as a daemon if launched from a command shell. nmbd can also be operated from the inetd meta-daemon, although this is not recommended.

-F. If specified, this parameter causes the main nmbd process to not daemonize, i.e. double-fork and disassociate with the terminal. Child processes are still created as normal to service each connection request, but the main process does not exit. This operation mode is suitable for running nmbd under process supervisors such as supervise and svscan from Daniel J. Bernstein’s daemontools package, or the AIX process monitor.

-S. If specified, this parameter causes nmbd to log to standard output rather than a file.

-i. If this parameter is specified it causes the server to run ”interactively”, not as a daemon, even if the server is executed on the command line of a shell. Setting this parameter negates the implicit daemon mode when run from the command line. nmbd also logs to standard output, as if the -S parameter had been given.

-h|—help. Print a summary of command line options.

-H <filename>. NetBIOS lmhosts file. The lmhosts file is a list of NetBIOS names to IP addresses that is loaded by the nmbd server and used via the name resolution mechanism name resolve order described in smb.conf(5) to resolve any NetBIOS name queries needed by the server. Note that the contents of this file are NOT used by nmbd to answer any name queries. Adding a line to this file affects name NetBIOS resolution from this host ONLY.

The default path to this file is compiled into Samba as part of the build process. Common defaults are /usr/local/samba/lib/lmhosts, /usr/samba/lib/lmhosts or /etc/samba/lmhosts. See the lmhosts(5) man page for details on the contents of this file.

-V. Prints the program version number.

-s <configuration file>. The file specified contains the configuration details required by the server. The information in this file includes server-specific information such as what printcap file to use, as well as descriptions of all the services that the server is to provide. See smb.conf for more information. The default configuration file name is determined at compile time.

-d|—debug=debuglevel debuglevel is an integer from 0 to 10. The default value if this parameter is not specified is zero.

The higher this value, the more detail will be logged to the log files about the activities of the server. At level 0, only critical errors and serious warnings will be logged. Level 1 is a reasonable level for day-to-day running - it generates a small amount of information about operations carried out.

Levels above 1 will generate considerable amounts of log data, and should only be used when investigating a problem. Levels above 3 are designed for use only by developers and generate HUGE amounts of log data, most of which is extremely cryptic.

Note that specifying this parameter here will override the parameter in the smb.conf file.

-l|—logfile=logdirectory. Base directory name for log/debug files. The extension ".progname" will be appended (e.g. log.smbclient, log.smbd, etc...). The log file is never removed by the client.

-p <UDP port number>. UDP port number is a positive integer value. This option changes the default UDP port number (normally 137) that nmbd responds to name queries on. Don’t use this option unless you are an expert, in which case you won’t need help!

/etc/inetd.conf. If the server is to be run by the inetd meta-daemon, this file must contain suitable startup information for the meta-daemon.

/etc/rc or whatever initialization script your system uses).

If running the server as a daemon at startup, this file will need to contain an appropriate startup sequence for the server.

/etc/services. If running the server via the metadaemon inetd, this file must contain a mapping of service name (e.g., netbios-ssn) to service port (e.g., 139) and protocol type (e.g., tcp).

/usr/local/samba/lib/smb.conf. This is the default location of the smb.conf(5) server configuration file. Other common places that systems install this file are /usr/samba/ lib/smb.conf and /etc/samba/smb.conf.

When run as a WINS server (see the wins support parameter in the smb.conf(5) man page), nmbd will store the WINS database in the file wins.dat in the var/locks directory configured under wherever Samba was configured to install itself.

If nmbd is acting as a browse master (see the local master parameter in the smb.conf(5) man page, nmbd will store the browsing database in the file browse.dat in the var/ locks directory configured under wherever Samba was configured to install itself.

-M. Searches for a master browser by looking up the NetBIOS name name with a type of 0x1d. If name is ”-” then it does a lookup on the special name __MSBROWSE__. Please note that in order to use the name ”-”, you need to make sure ”-” isn’t parsed as an argument, e.g. use : nmblookup -M -- -.

-R. Set the recursion desired bit in the packet to do a recursive lookup. This is used when sending a name query to a machine running a WINS server and the user wishes to query the names in the WINS server. If this bit is unset the normal (broadcast responding) NetBIOS processing code on a machine is used instead. See RFC1001, RFC1002 for details.

-S. Once the name query has returned an IP address then do a node status query as well. A node status query returns the NetBIOS names registered by a host.

-r. Try and bind to UDP port 137 to send and receive UDP datagrams. The reason for this option is a bug in Windows 95 where it ignores the source port of the requesting packet and only replies to UDP port 137. Unfortunately, on most UNIX systems root privilege is needed to bind to this port, and in addition, if the nmbd(8) daemon is running on this machine it also binds to this port.

-A. Interpret name as an IP Address and do a node status query on this address.

-n <primary NetBIOS name>. This option allows you to override the NetBIOS name that Samba uses for itself. This is identical to setting the parameter in the smb.conf file. However, a command line setting will take precedence over settings in smb.conf.

-i <scope>. This specifies a NetBIOS scope that nmblookup will use to communicate with when generating NetBIOS names. For details on the use of NetBIOS scopes, see rfc1001.txt and rfc1002.txt. NetBIOS scopes are very rarely used, only set this parameter if you are the system administrator in charge of all the NetBIOS systems you communicate with.

-W|—workgroup=domain. Set the SMB domain of the username. This overrides the default domain which is the domain defined in smb.conf. If the domain specified is the same as the servers NetBIOS name, it causes the client to log on using the servers local SAM (as opposed to the Domain SAM).

-O socket options. TCP socket options to set on the client socket. See the socket options parameter in the smb.conf manual page for the list of valid options.

-h|—help. Print a summary of command line options.

-B <broadcast address>. Send the query to the given broadcast address. Without this option the default behavior of nmblookup is to send the query to the broadcast address of the network interfaces as either auto-detected or defined in the interfaces^[3] parameter of the smb.conf(5) file.

-U <unicast address>. Do a unicast query to the specified address or host unicast address. This option (along with the -R option) is needed to query a WINS server.

-V. Prints the program version number.

-s <configuration file>. The file specified contains the configuration details required by the server. The information in this file includes server-specific information such as what printcap file to use, as well as descriptions of all the services that the server is to provide. See smb.conf for more information. The default configuration file name is determined at compile time.

-d|—debug=debuglevel debuglevel is an integer from 0 to 10. The default value if this parameter is not specified is zero.

The higher this value, the more detail will be logged to the log files about the activities of the server. At level 0, only critical errors and serious warnings will be logged. Level 1 is a reasonable level for day-to-day running - it generates a small amount of information about operations carried out.

Levels above 1 will generate considerable amounts of log data, and should only be used when investigating a problem. Levels above 3 are designed for use only by developers and generate HUGE amounts of log data, most of which is extremely cryptic.

Note that specifying this parameter here will override the parameter in the smb.conf file.

-l|—logfile=logdirectory. Base directory name for log/debug files. The extension ".progname" will be appended (e.g. log.smbclient, log.smbd, etc...). The log file is never removed by the client.

-T. This causes any IP addresses found in the lookup to be looked up via a reverse DNS lookup into a DNS name, and printed out before each

IP address .... NetBIOS name

pair that is the normal output.

-f. Show which flags apply to the name that has been looked up. Possible answers are zero or more of: Response, Authoritative, Truncated, Recursion_Desired, Recursion_Available, Broadcast.

name. This is the NetBIOS name being queried. Depending upon the previous options this may be a NetBIOS name or IP address. If a NetBIOS name then the different name types may be specified by appending ’#<type>’ to the name. This name may also be ’*’, which will return all registered names within a broadcast area.

-L. This option lists all the user accounts present in the users database. This option prints a list of user/uid pairs separated by the ’:’ character.

Example: pdbedit -L

sorce:500:Simo Sorce
samba:45:Test User

-v. This option enables the verbose listing format. It causes pdbedit to list the users in the database, printing out the account fields in a descriptive format.

Example: pdbedit -L -v

---------------
username:       sorce
user ID/Group:  500/500
user RID/GRID:  2000/2001
Full Name:      Simo Sorce
Home Directory: \BERSERKERsorce
HomeDir Drive:  H:
Logon Script:   \BERSERKER
etlogonsorce.bat
Profile Path:   \BERSERKERprofile
---------------
username:       samba
user ID/Group:  45/45
user RID/GRID:  1090/1091
Full Name:      Test User
Home Directory: \BERSERKERsamba
HomeDir Drive:
Logon Script:
Profile Path:   \BERSERKERprofile

-w. This option sets the ”smbpasswd” listing format. It will make pdbedit list the users in the database, printing out the account fields in a format compatible with the smbpasswd file format. (see the smbpasswd(5) for details)

Example: pdbedit -L -w

sorce:500:508818B733CE64BEAAD3B435B51404EE:
          D2A2418EFC466A8A0F6B1DBB5C3DB80C:
          [UX         ]:LCT-00000000:
samba:45:0F2B255F7B67A7A9AAD3B435B51404EE:
          BC281CE3F53B6A5146629CD4751D3490:
          [UX         ]:LCT-3BFA1E8D:

-u username. This option specifies the username to be used for the operation requested (listing, adding, removing). It is required in add, remove and modify operations and optional in list operations.

-f fullname. This option can be used while adding or modifing a user account. It will specify the user’s full name.

Example: -f ”Simo Sorce”

-h homedir. This option can be used while adding or modifing a user account. It will specify the user’s home directory network path.

Example: -h ”\\BERSERKER\sorce”

-D drive. This option can be used while adding or modifing a user account. It will specify the windows drive letter to be used to map the home directory.

Example: -d ”H:”

-S script. This option can be used while adding or modifing a user account. It will specify the user’s logon script path.

Example: -S ”\\BERSERKER\netlogon\sorce.bat”

-p profile. This option can be used while adding or modifing a user account. It will specify the user’s profile directory.

Example: -p ”\\BERSERKER\netlogon”

-G SID|rid. This option can be used while adding or modifying a user account. It will specify the users’ new primary group SID (Security Identifier) or rid.

Example: -G S-1-5-21-2447931902-1787058256-3961074038-1201

-U SID|rid. This option can be used while adding or modifying a user account. It will specify the users’ new SID (Security Identifier) or rid.

Example: -U S-1-5-21-2447931902-1787058256-3961074038-5004

-c account-control. This option can be used while adding or modifying a user account. It will specify the users’ account control property. Possible flags are listed below.

Example: -c ”[X ]”

-a. This option is used to add a user into the database. This command needs a user name specified with the -u switch. When adding a new user, pdbedit will also ask for the password to be used.

Example: pdbedit -a -u sorce

new password:
retype new password

NOTE

If you wish to add a user and synchronise the password that immediately, use smbpasswd’s -a option.

-r. This option is used to modify an existing user in the database. This command needs a user name specified with the -u switch. Other options can be specified to modify the properties of the specified user. This flag is kept for backwards compatibility, but it is no longer necessary to specify it.

-m. This option may only be used in conjunction with the -a option. It will make pdbedit to add a machine trust account instead of a user account (-u username will provide the machine name).

Example: pdbedit -a -m -u w2k-wks

-x. This option causes pdbedit to delete an account from the database. It needs a username specified with the -u switch.

Example: pdbedit -x -u bob

-i passdb-backend. Use a different passdb backend to retrieve users than the one specified in smb.conf. Can be used to import data into your local user database.

This option will ease migration from one passdb backend to another.

Example: pdbedit -i smbpasswd:/etc/smbpasswd.old

-e passdb-backend. Exports all currently available users to the specified password database backend.

This option will ease migration from one passdb backend to another and will ease backing up.

Example: pdbedit -e smbpasswd:/root/samba-users.backup

-g. If you specify -g, then -i in-backend -e out-backend applies to the group mapping instead of the user database.

This option will ease migration from one passdb backend to another and will ease backing up.

-b passdb-backend. Use a different default passdb backend.

Example: pdbedit -b xml:/root/pdb-backup.xml -l

-P account-policy. Display an account policy

Valid policies are: minimum password age, reset count minutes, disconnect time, user must logon to change password, password history, lockout duration, min password length, maximum password age and bad lockout attempt.

Example: pdbedit -P ”bad lockout attempt”

account policy value for bad lockout attempt is 0

-C account-policy-value. Sets an account policy to a specified value. This option may only be used in conjunction with the -P option.

Example: pdbedit -P ”bad lockout attempt” -C 3

account policy value for bad lockout attempt was 0
account policy value for bad lockout attempt is now 3

-h|—help. Print a summary of command line options.

-V. Prints the program version number.

-s <configuration file>. The file specified contains the configuration details required by the server. The information in this file includes server-specific information such as what printcap file to use, as well as descriptions of all the services that the server is to provide. See smb.conf for more information. The default configuration file name is determined at compile time.

-d|—debug=debuglevel. debuglevel is an integer from 0 to 10. The default value if this parameter is not specified is zero.

The higher this value, the more detail will be logged to the log files about the activities of the server. At level 0, only critical errors and serious warnings will be logged. Level 1 is a reasonable level for day-to-day running - it generates a small amount of information about operations carried out.

Levels above 1 will generate considerable amounts of log data, and should only be used when investigating a problem. Levels above 3 are designed for use only by developers and generate HUGE amounts of log data, most of which is extremely cryptic.

Note that specifying this parameter here will override the parameter in the smb.conf file.

-l|—logfile=logdirectory. Base directory name for log/debug files. The extension ".progname" will be appended (e.g. log.smbclient, log.smbd, etc...). The log file is never removed by the client.

file. Registry file to view or edit.

-v,—verbose. Increases verbosity of messages.

-c SID1 -n SID2. Change all occurences of SID1 in file by SID2.

-h|—help. Print a summary of command line options.

server. NetBIOS name of Server to which to connect. The server can be any SMB/CIFS server. The name is resolved using the name resolve order line from smb.conf(5).

-c|—command=’command string’ execute semicolon separated commands (listed below))

-I IP-address. IP address is the address of the server to connect to. It should be specified in standard ”a.b.c.d” notation.

Normally the client would attempt to locate a named SMB/CIFS server by looking it up via the NetBIOS name resolution mechanism described above in the name resolve order parameter above. Using this parameter will force the client to assume that the server is on the machine with the specified IP address and the NetBIOS name component of the resource being connected to will be ignored.

There is no default for this parameter. If not supplied, it will be determined automatically by the client as described above.

-V. Prints the program version number.

-s <configuration file>. The file specified contains the configuration details required by the server. The information in this file includes server-specific information such as what printcap file to use, as well as descriptions of all the services that the server is to provide. See smb.conf for more information. The default configuration file name is determined at compile time.

-d|—debug=debuglevel. debuglevel is an integer from 0 to 10. The default value if this parameter is not specified is zero.

-l|—logfile=logdirectory. Base directory name for log/debug files. The extension ".progname" will be appended (e.g. log.smbclient, log.smbd, etc...). The log file is never removed by the client.

-N. If specified, this parameter suppresses the normal password prompt from the client to the user. This is useful when accessing a service that does not require a password.

Unless a password is specified on the command line or this parameter is specified, the client will request a password.

-k. Try to authenticate with kerberos. Only useful in an Active Directory environment.

-A|—authentication-file=filename. This option allows you to specify a file from which to read the username and password used in the connection. The format of the file is

username = <value>
password = <value>
domain   = <value>

Make certain that the permissions on the file restrict access from unwanted users.

-U|—user=username[%password]. Sets the SMB username or username and password.

If %password is not specified, the user will be prompted. The client will first check the USER environment variable, then the LOGNAME variable and if either exists, the string is uppercased. If these environmental variables are not found, the username GUEST is used.

A third option is to use a credentials file which contains the plaintext of the username and password. This option is mainly provided for scripts where the admin does not wish to pass the credentials on the command line or via environment variables. If this method is used, make certain that the permissions on the file restrict access from unwanted users. See the -A for more details.

Be cautious about including passwords in scripts. Also, on many systems the command line of a running process may be seen via the ps command. To be safe always allow rpcclient to prompt for a password and type it in directly.

-n <primary NetBIOS name>. This option allows you to override the NetBIOS name that Samba uses for itself. This is identical to setting the parameter in the smb.conf file. However, a command line setting will take precedence over settings in smb.conf.

-i <scope>. This specifies a NetBIOS scope that nmblookup will use to communicate with when generating NetBIOS names. For details on the use of NetBIOS scopes, see rfc1001.txt and rfc1002.txt. NetBIOS scopes are very rarely used, only set this parameter if you are the system administrator in charge of all the NetBIOS systems you communicate with.

-W|—workgroup=domain. Set the SMB domain of the username. This overrides the default domain which is the domain defined in smb.conf. If the domain specified is the same as the servers NetBIOS name, it causes the client to log on using the servers local SAM (as opposed to the Domain SAM).

-O socket options. TCP socket options to set on the client socket. See the socket options parameter in the smb.conf manual page for the list of valid options.

-h|—help. Print a summary of command line options.

lsaquery. Query info policy

lookupsids. Resolve a list of SIDs to usernames.

lookupnames. Resolve a list of usernames to SIDs.

enumtrusts. Enumerate trusted domains

enumprivs. Enumerate privileges

getdispname. Get the privilege name

lsaenumsid. Enumerate the LSA SIDS

lsaenumprivsaccount. Enumerate the privileges of an SID

lsaenumacctrights. Enumerate the rights of an SID

lsaenumacctwithright. Enumerate accounts with a right

lsaaddacctrights. Add rights to an account

lsaremoveacctrights. Remove rights from an account

lsalookupprivvalue. Get a privilege value given its name

lsaquerysecobj. Query LSA security object

dsroledominfo. Get Primary Domain Information DFS

dfsexist. Query DFS support

dfsadd. Add a DFS share

dfsremove. Remove a DFS share

dfsgetinfo. Query DFS share info

dfsenum. Enumerate dfs shares

shutdown. Remote Shutdown

abortshutdown. Abort Shutdown

srvinfo. Server query info

netshareenum. Enumerate shares

netfileenum. Enumerate open files

netremotetod. Fetch remote time of day

queryuser. Query user info

querygroup. Query group info

queryusergroups. Query user groups

querygroupmem. Query group membership

queryaliasmem. Query alias membership

querydispinfo. Query display info

querydominfo. Query domain info

enumdomusers. Enumerate domain users

enumdomgroups. Enumerate domain groups

enumalsgroups. Enumerate alias groups

createdomuser. Create domain user

samlookupnames. Look up names

samlookuprids. Look up names

deletedomuser. Delete domain user

samquerysecobj. Query SAMR security object

getdompwinfo. Retrieve domain password info

lookupdomain. Look up domain

adddriver <arch > < config> [<version>]. Execute an AddPrinterDriver() RPC to install the printer driver information on the server. Note that the driver files should already exist in the directory returned by getdriverdir. Possible values for arch are the same as those for the getdriverdir command. The config parameter is defined as follows:

Long Printer Name:
Driver File Name:
Data File Name:
Config File Name:
Help File Name:
Language Monitor Name:
Default Data Type:
Comma Separated list of Files

Any empty fields should be enter as the string ”NULL”.

Samba does not need to support the concept of Print Monitors since these only apply to local printers whose driver can make use of a bi-directional link for communication. This field should be ”NULL”. On a remote NT print server, the Print Monitor for a driver must already be installed prior to adding the driver or else the RPC will fail.

The version parameter lets you specify the printer driver version number. If omitted, the default driver version for the specified architecture will be used. This option can be used to upload Windows 2000 (version 3) printer drivers.

addprinter <printername> <sharename> <drivername> <port>. Add a printer on the remote server. This printer will be automatically shared. Be aware that the printer driver must already be installed on the server (see adddriver) and the portmust be a valid port name (see enumports.

deldriver. Delete the specified printer driver for all architectures. This does not delete the actual driver files from the server, only the entry from the server’s list of drivers.

deldriverex <driver> [architecture] [version]. Delete the specified printer driver including driver files. You can limit this action to a specific architecture and a specific version. If no architecure is given, all driver files of that driver will be deleted.

enumdata. Enumerate all printer setting data stored on the server. On Windows NT clients, these values are stored in the registry, while Samba servers store them in the printers TDB. This command corresponds to the MS Platform SDK GetPrinterData() function (* This command is currently unimplemented).

enumdataex. Enumerate printer data for a key

enumjobs <printer>. List the jobs and status of a given printer. This command corresponds to the MS Platform SDK EnumJobs() function

enumkey. Enumerate printer keys

enumports [level]. Executes an EnumPorts() call using the specified info level. Currently only info levels 1 and 2 are supported.

enumdrivers [level]. Execute an EnumPrinterDrivers() call. This lists the various installed printer drivers for all architectures. Refer to the MS Platform SDK documentation for more details of the various flags and calling options. Currently supported info levels are 1, 2, and 3.

enumprinters [level]. Execute an EnumPrinters() call. This lists the various installed and share printers. Refer to the MS Platform SDK documentation for more details of the various flags and calling options. Currently supported info levels are 1, 2 and 5.

getdata <printername> <valuename;>. Retrieve the data for a given printer setting. See the enumdata command for more information. This command corresponds to the GetPrinterData() MS Platform SDK function.

getdataex. Get printer driver data with keyname

getdriver <printername>. Retrieve the printer driver information (such as driver file, config file, dependent files, etc...) for the given printer. This command corresponds to the GetPrinterDriver() MS Platform SDK function. Currently info level 1, 2, and 3 are supported.

getdriverdir <arch>. Execute a GetPrinterDriverDirectory() RPC to retrieve the SMB share name and subdirectory for storing printer driver files for a given architecture. Possible values for arch are ”Windows 4.0” (for Windows 95/98), ”Windows NT x86”, ”Windows NT PowerPC”, ”Windows Alpha_AXP”, and ”Windows NT R4000”.

getprinter <printername>. Retrieve the current printer information. This command corresponds to the GetPrinter() MS Platform SDK function.

getprintprocdir. Get print processor directory

openprinter <printername>. Execute an OpenPrinterEx() and ClosePrinter() RPC against a given printer.

setdriver <printername> <drivername>. Execute a SetPrinter() command to update the printer driver associated with an installed printer. The printer driver must already be correctly installed on the print server.

See also the enumprinters and enumdrivers commands for obtaining a list of of installed printers and drivers.

addform. Add form

setform. Set form

getform. Get form

deleteform. Delete form

enumforms. Enumerate form

setprinter. Set printer comment

setprinterdata. Set REG_SZ printer data

setprintername. <printername> <newprintername> Set printer name

rffpcnex. Rffpcnex test

logonctrl2. Logon Control 2

logonctrl. Logon Control

samsync. Sam Synchronisation

samdeltas. Query Sam Deltas

samlogon. Sam Logon

debuglevel. Set the current debug level used to log information.

help (?). Print a listing of all known commands or extended help on a particular command.

quit (exit). Exit rpcclient.

-a acls. Add the ACLs specified to the ACL list. Existing access control entries are unchanged.

-M acls. Modify the mask value (permissions) for the ACLs specified on the command line. An error will be printed for each ACL specified that was not already present in the ACL list

-D acls. Delete any ACLs specified on the command line. An error will be printed for each ACL specified that was not already present in the ACL list.

-S acls. This command sets the ACLs on the file with only the ones specified on the command line. All other ACLs are erased. Note that the ACL specified must contain at least a revision, type, owner and group for the call to succeed.

-U username. Specifies a username used to connect to the specified service. The username may be of the form ”username” in which case the user is prompted to enter in a password and the workgroup specified in the smb.conf(5) file is used, or ”username%password” or ”DOMAINusername%password” and the password and workgroup names are used as provided.

-C name. The owner of a file or directory can be changed to the name given using the -C option. The name can be a sid in the form S-1-x-y-z or a name resolved against the server specified in the first argument.

This command is a shortcut for -M OWNER:name.

-G name. The group owner of a file or directory can be changed to the name given using the -G option. The name can be a sid in the form S-1-x-y-z or a name resolved against the server specified n the first argument.

This command is a shortcut for -M GROUP:name.

—numeric. This option displays all ACL information in numeric format. The default is to convert SIDs to names and ACE types and masks to a readable string format.

-t. Don’t actually do anything, only validate the correctness of the arguments.

-h|—help. Print a summary of command line options.

-V. Prints the program version number.

-s. <configuration file> The file specified contains the configuration details required by the server. The information in this file includes server-specific information such as what printcap file to use, as well as descriptions of all the services that the server is to provide. See smb.conf for more information. The default configuration file name is determined at compile time.

-d|—debug=debuglevel. debuglevel is an integer from 0 to 10. The default value if this parameter is not specified is zero.

The higher this value, the more detail will be logged to the log files about the activities of the server. At level 0, only critical errors and serious warnings will be logged. Level 1 is a reasonable level for day-to-day running - it generates a small amount of information about operations carried out.

Levels above 1 will generate considerable amounts of log data, and should only be used when investigating a problem. Levels above 3 are designed for use only by developers and generate HUGE amounts of log data, most of which is extremely cryptic.

Note that specifying this parameter here will override the parameter in the smb.conf file.

-l|—logfile=logdirectory. Base directory name for log/debug files. The extension ".progname" will be appended (e.g. log.smbclient, log.smbd, etc...). The log file is never removed by the client.

#define SEC_ACE_FLAG_OBJECT_INHERIT 0x1

#define SEC_ACE_FLAG_CONTAINER_INHERIT 0x2

#define SEC_ACE_FLAG_NO_PROPAGATE_INHERIT 0x4

#define SEC_ACE_FLAG_INHERIT_ONLY 0x8

R - Allow read access

W - Allow write access

X - Execute permission on the object

D - Delete the object

P - Change permissions

O - Take ownership

READ - Equivalent to ’RX’ permissions

CHANGE - Equivalent to ’RXWD’ permissions

FULL - Equivalent to ’RWXDPO’ permissions

servicename servicename is the name of the service you want to use on the server. A service name takes the form //server/service where server is the NetBIOS name of the SMB/CIFS server offering the desired service and service is the name of the service offered. Thus to connect to the service ”printer” on the SMB/CIFS server ”smbserver”, you would use the servicename //smbserver/printer

Note that the server name required is NOT necessarily the IP (DNS) host name of the server ! The name required is a NetBIOS server name, which may or may not be the same as the IP hostname of the machine running the server.

The server name is looked up according to either the -R parameter to smbclient or using the name resolve order parameter in the smb.conf(5) file, allowing an administrator to change the order and methods by which server names are looked up.

password. The password required to access the specified service on the specified server. If this parameter is supplied, the -N option (suppress password prompt) is assumed.

There is no default password. If no password is supplied on the command line (either by using this parameter or adding a password to the -U option (see below)) and the -N option is not specified, the client will prompt for a password, even if the desired service does not require one. (If no password is required, simply press ENTER to provide a null password.)

Note: Some servers (including OS/2 and Windows for Workgroups) insist on an uppercase password. Lowercase or mixed case passwords may be rejected by these servers.

Be cautious about including passwords in scripts.

-R <name resolve order>. This option is used by the programs in the Samba suite to determine what naming services and in what order to resolve host names to IP addresses. The option takes a space-separated string of different name resolution options.

The options are :”lmhosts”, ”host”, ”wins” and ”bcast”. They cause names to be resolved as follows:

If this parameter is not set then the name resolve order defined in the smb.conf(5) file parameter (name resolve order) will be used.

The default order is lmhosts, host, wins, bcast and without this parameter or any entry in the name resolve order parameter of the smb.conf(5) file the name resolution methods will be attempted in this order.

-M NetBIOS name. This options allows you to send messages, using the ”WinPopup” protocol, to another computer. Once a connection is established you then type your message, pressing ^D (control-D) to end.

If the receiving computer is running WinPopup the user will receive the message and probably a beep. If they are not running WinPopup the message will be lost, and no error message will occur.

The message is also automatically truncated if the message is over 1600 bytes, as this is the limit of the protocol.

One useful trick is to cat the message through smbclient. For example: cat mymessage.txt | smbclient -M FRED will send the message in the file mymessage.txt to the machine FRED.

You may also find the -U and -I options useful, as they allow you to control the FROM and TO parts of the message.

See the message command parameter in the smb.conf(5) for a description of how to handle incoming WinPopup messages in Samba.

Note: Copy WinPopup into the startup group on your WfWg PCs if you want them to always be able to receive messages.

-p port. This number is the TCP port number that will be used when making connections to the server. The standard (well-known) TCP port number for an SMB/CIFS server is 139, which is the default.

-h|—help. Print a summary of command line options.

-I IP-address. IP address is the address of the server to connect to. It should be specified in standard ”a.b.c.d” notation.

Normally the client would attempt to locate a named SMB/CIFS server by looking it up via the NetBIOS name resolution mechanism described above in the name resolve order parameter above. Using this parameter will force the client to assume that the server is on the machine with the specified IP address and the NetBIOS name component of the resource being connected to will be ignored.

There is no default for this parameter. If not supplied, it will be determined automatically by the client as described above.

-E. This parameter causes the client to write messages to the standard error stream (stderr) rather than to the standard output stream.

By default, the client writes messages to standard output - typically the user’s tty.

-L. This option allows you to look at what services are available on a server. You use it as smbclient -L host and a list should appear. The -I option may be useful if your NetBIOS names don’t match your TCP/IP DNS host names or if you are trying to reach a host on another network.

-t terminal code. This option tells smbclient how to interpret filenames coming from the remote server. Usually Asian language multibyte UNIX implementations use different character sets than SMB/CIFS servers (EUC instead of SJIS for example). Setting this parameter will let smbclient convert between the UNIX filenames and the SMB filenames correctly. This option has not been seriously tested and may have some problems.

The terminal codes include CWsjis, CWeuc, CWjis7, CWjis8, CWjunet, CWhex, CW-cap. This is not a complete list, check the Samba source code for the complete list.

-b buffersize. This option changes the transmit/send buffer size when getting or putting a file from/to the server. The default is 65520 bytes. Setting this value smaller (to 1200 bytes) has been observed to speed up file transfers to and from a Win9x server.

-V. Prints the program version number.

-s <configuration file>. The file specified contains the configuration details required by the server. The information in this file includes server-specific information such as what printcap file to use, as well as descriptions of all the services that the server is to provide. See smb.conf for more information. The default configuration file name is determined at compile time.

-d|—debug=debuglevel. debuglevel is an integer from 0 to 10. The default value if this parameter is not specified is zero.

The higher this value, the more detail will be logged to the log files about the activities of the server. At level 0, only critical errors and serious warnings will be logged. Level 1 is a reasonable level for day-to-day running-it generates a small amount of information about operations carried out.

Levels above 1 will generate considerable amounts of log data, and should only be used when investigating a problem. Levels above 3 are designed for use only by developers and generate HUGE amounts of log data, most of which is extremely cryptic.

Note that specifying this parameter here will override the parameter in the smb.conf file.

-l|—logfile=logdirectory. Base directory name for log/debug files. The extension ".progname" will be appended (e.g. log.smbclient, log.smbd, etc...). The log file is never removed by the client.

-N. If specified, this parameter suppresses the normal password prompt from the client to the user. This is useful when accessing a service that does not require a password.

Unless a password is specified on the command line or this parameter is specified, the client will request a password.

-k. Try to authenticate with kerberos. Only useful in an Active Directory environment.

-A|—authentication-file=filename. This option allows you to specify a file from which to read the username and password used in the connection. The format of the file is

username = <value>
password = <value>
domain   = <value>

Make certain that the permissions on the file restrict access from unwanted users.

-U|—user=username[%password]. Sets the SMB username or username and password.

If %password is not specified, the user will be prompted. The client will first check the USER environment variable, then the LOGNAME variable and if either exists, the string is uppercased. If these environmental variables are not found, the username GUEST is used.

A third option is to use a credentials file which contains the plaintext of the username and password. This option is mainly provided for scripts where the admin does not wish to pass the credentials on the command line or via environment variables. If this method is used, make certain that the permissions on the file restrict access from unwanted users. See the -A for more details.

Be cautious about including passwords in scripts. Also, on many systems the command line of a running process may be seen via the ps command. To be safe always allow rpcclient to prompt for a password and type it in directly.

-n <primary NetBIOS name>. This option allows you to override the NetBIOS name that Samba uses for itself. This is identical to setting the parameter in the smb.conf file. However, a command line setting will take precedence over settings in smb.conf.

-i <scope>. This specifies a NetBIOS scope that nmblookup will use to communicate with when generating NetBIOS names. For details on the use of NetBIOS scopes, see rfc1001.txt and rfc1002.txt. NetBIOS scopes are very rarely used, only set this parameter if you are the system administrator in charge of all the NetBIOS systems you communicate with.

-W|—workgroup=domain. Set the SMB domain of the username. This overrides the default domain which is the domain defined in smb.conf. If the domain specified is the same as the servers NetBIOS name, it causes the client to log on using the servers local SAM (as opposed to the Domain SAM).

-O socket options. TCP socket options to set on the client socket. See the socket options parameter in the smb.conf manual page for the list of valid options.

-T tar options smbclient may be used to create tar(1) compatible backups of all the files on an SMB/CIFS share. The secondary tar flags that can be given to this option are :

Tar Long File Names

smbclient’s tar option now supports long file names both on backup and restore. However, the full path name of the file must be less than 1024 bytes. Also, when a tar archive is created, smbclient’s tar option places all files in the archive with relative names, not absolute names.

Tar Filenames

All file names can be given as DOS path names (with ’\’ as the component separator) or as UNIX path names (with ’/’ as the component separator).

Examples

Restore from tar file backup.tar into myshare on mypc (no password on share).

smbclient //mypc/yshare ”” -N -Tx backup.tar

Restore everything except users/docs

smbclient //mypc/myshare ”” -N -TXx backup.tar users/docs

Create a tar file of the files beneath users/docs.

smbclient //mypc/myshare ”” -N -Tc backup.tar users/docs

Create the same tar file as above, but now use a DOS path name.

smbclient //mypc/myshare ”” -N -tc backup.tar usersedocs

Create a tar file of all the files and directories in the share.

smbclient //mypc/myshare ”” -N -Tc backup.tar *

-D initial directory. Change to initial directory before starting. Probably only of any use with the tar -T option.

-c command string command string is a semicolon-separated list of commands to be executed instead of prompting from stdin. -N is implied by -c.

This is particularly useful in scripts and for printing stdin to the server, e.g. -c ’print -’.

? [command]. If command is specified, the ? command will display a brief informative message about the specified command. If no command is specified, a list of available commands will be displayed.

! [shell command]. If shell command is specified, the ! command will execute a shell locally and run the specified shell command. If no command is specified, a local shell will be run.

altname file. The client will request that the server return the ”alternate” name (the 8.3 name) for a file or directory.

case_sensitive. Toggles the setting of the flag in SMB packets that tells the server to treat filenames as case sensitive. Set to OFF by default (tells file server to treat filenames as case insensitive). Only currently affects Samba 3.0.5 and above file servers with the case sensitive parameter set to auto in the smb.conf.

cancel jobid0 [jobid1] ... [jobidN]. The client will request that the server cancel the printjobs identified by the given numeric print job ids.

chmod file mode in octal. This command depends on the server supporting the CIFS UNIX extensions and will fail if the server does not. The client requests that the server change the UNIX permissions to the given octal mode, in standard UNIX format.

chown file uid gid. This command depends on the server supporting the CIFS UNIX extensions and will fail if the server does not. The client requests that the server change the UNIX user and group ownership to the given decimal values. Note there is currently no way to remotely look up the UNIX uid and gid values for a given name. This may be addressed in future versions of the CIFS UNIX extensions.

cd [directory name]. If ”directory name” is specified, the current working directory on the server will be changed to the directory specified. This operation will fail if for any reason the specified directory is inaccessible.

If no directory name is specified, the current working directory on the server will be reported.

del. <mask> The client will request that the server attempt to delete all files matching mask from the current working directory on the server.

dir. <mask> A list of the files matching mask in the current working directory on the server will be retrieved from the server and displayed.

exit. Terminate the connection with the server and exit from the program.

get. <remote file name> [local file name] Copy the file called remote file name from the server to the machine running the client. If specified, name the local copy local file name. Note that all transfers in smbclient are binary. See also the lowercase command.

help [command]. See the ? command above.

lcd [directory name]. If directory name is specified, the current working directory on the local machine will be changed to the directory specified. This operation will fail if for any reason the specified directory is inaccessible.

If no directory name is specified, the name of the current working directory on the local machine will be reported.

link target linkname. This command depends on the server supporting the CIFS UNIX extensions and will fail if the server does not. The client requests that the server create a hard link between the linkname and target files. The linkname file must not exist.

lowercase. Toggle lowercasing of filenames for the get and mget commands.

When lowercasing is toggled ON, local filenames are converted to lowercase when using the get and mget commands. This is often useful when copying (say) MSDOS files from a server, because lowercase filenames are the norm on UNIX systems.

ls. <mask> See the dir command above.

mask. <mask> This command allows the user to set up a mask which will be used during recursive operation of the mget and mput commands.

The masks specified to the mget and mput commands act as filters for directories rather than files when recursion is toggled ON.

The mask specified with the mask command is necessary to filter files within those directories. For example, if the mask specified in an mget command is ”source*” and the mask specified with the mask command is ”*.c” and recursion is toggled ON, the mget command will retrieve all files matching ”*.c” in all directories below and including all directories matching ”source*” in the current working directory.

Note that the value for mask defaults to blank (equivalent to ”*”) and remains so until the mask command is used to change it. It retains the most recently specified value indefinitely. To avoid unexpected results it would be wise to change the value of mask back to ”*” after using the mget or mput commands.

md. <directory name> See the mkdir command.

mget. <mask> Copy all files matching mask from the server to the machine running the client.

Note that mask is interpreted differently during recursive operation and non-recursive operation - refer to the recurse and mask commands for more information. Note that all transfers in smbclient are binary. See also the lowercase command.

mkdir. <directory name> Create a new directory on the server (user access privileges permitting) with the specified name.

mput. <mask> Copy all files matching mask in the current working directory on the local machine to the current working directory on the server.

Note that mask is interpreted differently during recursive operation and non-recursive operation - refer to the recurse and mask commands for more information. Note that all transfers in smbclient are binary.

print. <file name> Print the specified file from the local machine through a printable service on the server.

See also the printmode command.

printmode. <graphics or text> Set the print mode to suit either binary data (such as graphical information) or text. Subsequent print commands will use the currently set print mode.

prompt. Toggle prompting for filenames during operation of the mget and mput commands.

When toggled ON, the user will be prompted to confirm the transfer of each file during these commands. When toggled OFF, all specified files will be transferred without prompting.

put. <local file name> [remote file name] Copy the file called local file name from the machine running the client to the server. If specified, name the remote copy remote file name. Note that all transfers in smbclient are binary. See also the lowercase command.

queue. Displays the print queue, showing the job id, name, size and current status.

quit. See the exit command.

rd. <directory name> See the rmdir command.

recurse. Toggle directory recursion for the commands mget and mput.

When toggled ON, these commands will process all directories in the source directory (i.e., the directory they are copying from) and will recurse into any that match the mask specified to the command. Only files that match the mask specified using the mask command will be retrieved. See also the mask command.

When recursion is toggled OFF, only files from the current working directory on the source machine that match the mask specified to the mget or mput commands will be copied, and any mask specified using the mask command will be ignored.

rm. <mask> Remove all files matching mask from the current working directory on the server.

rmdir. <directory name> Remove the specified directory (user access privileges permitting) from the server.

setmode. <filename> <perm=[+|-]rsha> A version of the DOS attrib command to set file permissions. For example:

setmode myfile +r

would make myfile read only.

stat file. This command depends on the server supporting the CIFS UNIX extensions and will fail if the server does not. The client requests the UNIX basic info level and prints out the same info that the Linux stat command would about the file. This includes the size, blocks used on disk, file type, permissions, inode number, number of links and finally the three timestamps (access, modify and change). If the file is a special file (symlink, character or block device, fifo or socket) then extra information may also be printed.

symlink target linkname. This command depends on the server supporting the CIFS UNIX extensions and will fail if the server does not. The client requests that the server create a symbolic hard link between the target and linkname files. The linkname file must not exist. Note that the server will not create a link to any path that lies outside the currently connected share. This is enforced by the Samba server.

tar. <c|x>[IXbgNa] Performs a tar operation - see the -T command line option above. Behavior may be affected by the tarmode command (see below). Using g (incremental) and N (newer) will affect tarmode settings. Note that using the ”-” option with tar x may not work - use the command line option instead.

blocksize. <blocksize> Blocksize. Must be followed by a valid (greater than zero) block-size. Causes tar file to be written out in blocksize*TBLOCK (usually 512 byte) blocks.

tarmode. <full|inc|reset|noreset> Changes tar’s behavior with regard to archive bits. In full mode, tar will back up everything regardless of the archive bit setting (this is the default mode). In incremental mode, tar will only back up files with the archive bit set. In reset mode, tar will reset the archive bit on all files it backs up (implies read/write share).

The share name is changed from homes to the located username.

If no path was given, the path is set to the user’s home directory.

The share name is set to the located printer name

If no printer name was given, the printer name is set to the located printer name

If the share does not permit guest access and no username was given, the username is set to the located printer name.

%U session username (the username that the client wanted, not necessarily the same as the one they got).

%G primary group name of %U.

%h the Internet hostname that Samba is running on.

%m the NetBIOS name of the client machine (very useful).

%L the NetBIOS name of the server. This allows you to change your config based on what the client calls you. Your server can have a “dual personality”.

This parameter is not available when Samba listens on port 445, as clients no longer send this information. If you use this macro in an include statement on a domain that has a Samba domain controller be sure to set in the [global] section smb ports = 139. This will cause Samba to not listen on port 445 and will permit include functionality to function as it did with Samba 2.x.

%M the Internet name of the client machine.

%R the selected protocol level after protocol negotiation. It can be one of CORE, COREPLUS, LANMAN1, LANMAN2 or NT1.

%d the process id of the current server process.

%a the architecture of the remote machine. It currently recognizes Samba (Samba), the Linux CIFS file system (CIFSFS), OS/2, (OS2), Windows for Workgroups (WfWg), Windows 9x/ME (Win95), Windows NT (WinNT), Windows 2000 (Win2K), Windows XP (WinXP), and Windows 2003 (Win2K3). Anything else will be known as UNKNOWN.

%I the IP address of the client machine.

%i the local IP address to which a client connected.

%T the current date and time.

%D name of the domain or workgroup of the current user.

%$(envvar) the value of the environment variable envar.

The following substitutes apply only to some configuration options (only those that are used when a connection has been established):

%S the name of the current service, if any.

%P the root directory of the current service, if any.

%u username of the current service, if any.

%g primary group name of %u.

%H the home directory of the user given by %u.

%N the name of your NIS home directory server. This is obtained from your NIS auto.map entry. If you have not compiled Samba with the -with-automount option, this value will be the same as %L.

%p the path of the service’s home directory, obtained from your NIS auto.map entry. The NIS auto.map entry is split up as %N:%p.

case sensitive = yes/no/auto controls whether filenames are case sensitive. If they aren’t, Samba must do a filename search and match on passed names. The default setting of auto allows clients that support case sensitive filenames (Linux CIFSVFS and smbclient 3.0.5 and above currently) to tell the Samba server on a per-packet basis that they wish to access the file system in a case-sensitive manner (to support UNIX case sensitive semantics). No Windows or DOS system supports case-sensitive filename so setting this option to auto is that same as setting it to no for them. Default auto.

default case = upper/lower controls what the default case is for new filenames. Default lower.

preserve case = yes/no controls whether new files are created with the case that the client passes, or if they are forced to be the default case. Default yes.

short preserve case = yes/no controls if new files which conform to 8.3 syntax, that is all in upper case and of suitable length, are created upper case, or if they are forced to be the default case. This option can be used with preserve case = yes to permit long filenames to retain their case, while short names are lowercased. Default yes.

abort shutdown script (G). Default: No default

Example: abort shutdown script = /sbin/shutdown -c

This a full path name to a script called by smbd(8) that should stop a shutdown procedure issued by the shutdown script.

If the connected user posseses the SeRemoteShutdownPrivilege, right, this command will be run as user.

acl compatibility (S). Default: acl compatibility = Autowin2k

Example: acl compatibility = win2k

This parameter specifies what OS ACL semantics should be compatible with. Possible values are winnt for Windows NT 4, win2k for Windows 2000 and above and auto. If you specify auto, the value for this parameter will be based upon the version of the client. There should be no reason to change this parameter from the default.

add group script (G). Default: No default

This is the full pathname to a script that will be run AS ROOT by smbd(8) when a new group is requested. It will expand any %g to the group name passed. This script is only useful for installations using the Windows NT domain administration tools. The script is free to create a group with an arbitrary name to circumvent unix group name restrictions. In that case the script must print the numeric gid of the created group on stdout.

add machine script (G). Default: No default

Example: add machine script = /usr/sbin/adduser -n -g machines -c Machine -d /var/lib/nobody -s /bin/false %u

This is the full pathname to a script that will be run by smbd(8) when a machine is added to it’s domain using the administrator username and password method.

This option is only required when using sam back-ends tied to the Unix uid method of RID calculation such as smbpasswd. This option is only available in Samba 3.0.

addprinter command (G). Default: No default

Example: addprinter command = /usr/bin/addprinter

With the introduction of MS-RPC based printing support for Windows NT/2000 clients in Samba 2.2, The MS Add Printer Wizard (APW) icon is now also available in the ”Printers...” folder displayed a share listing. The APW allows for printers to be add remotely to a Samba or Windows NT/2000 print server.

For a Samba host this means that the printer must be physically added to the underlying printing system. The add printer command defines a script to be run which will perform the necessary operations for adding the printer to the print system and to add the appropriate service definition to the smb.conf file in order that it can be shared by smbd(8).

The addprinter command is automatically invoked with the following parameter (in order):

All parameters are filled in from the PRINTER_INFO_2 structure sent by the Windows NT/2000 client with one exception. The ”Windows 9x driver location” parameter is included for backwards compatibility only. The remaining fields in the structure are generated from answers to the APW questions.

Once the addprinter command has been executed, smbd will reparse the smb.conf to determine if the share defined by the APW exists. If the sharename is still invalid, then smbd will return an ACCESS_DENIED error to the client.

The ”add printer command” program can output a single line of text, which Samba will set as the port the new printer is connected to. If this line isn’t output, Samba won’t reload its printer shares.

add share command (G). Default: No default

Example: add share command = /usr/local/bin/addshare

Samba 2.2.0 introduced the ability to dynamically add and delete shares via the Windows NT 4.0 Server Manager. The add share command is used to define an external program or script which will add a new service definition to smb.conf. In order to successfully execute the add share command, smbd requires that the administrator be connected using a root account (i.e. uid == 0).

When executed, smbd will automatically invoke the add share command with four parameters.

This parameter is only used for add file shares. To add printer shares, see the addprinter command.

add user script (G). Default: No default

Example: add user script = /usr/local/samba/bin/add_user %u

This is the full pathname to a script that will be run AS ROOT by smbd(8) under special circumstances described below.

Normally, a Samba server requires that UNIX users are created for all users accessing files on this server. For sites that use Windows NT account databases as their primary user database creating these users and keeping the user list in sync with the Windows NT PDC is an onerous task. This option allows smbd to create the required UNIX users ON DEMAND when a user accesses the Samba server.

In order to use this option, smbd(8) must NOT be set to security = share and add user script must be set to a full pathname for a script that will create a UNIX user given one argument of %u, which expands into the UNIX user name to create.

When the Windows user attempts to access the Samba server, at login (session setup in the SMB protocol) time, smbd(8) contacts the password server and attempts to authenticate the given user with the given password. If the authentication succeeds then smbd attempts to find a UNIX user in the UNIX password database to map the Windows user into. If this lookup fails, and add user script is set then smbd will call the specified script AS ROOT, expanding any %u argument to be the user name to create.

If this script successfully creates the user then smbd will continue on as though the UNIX user already existed. In this way, UNIX users are dynamically created to match existing Windows NT accounts.

See also security, password server, delete user script.

add user to group script (G). Default: No default

Example: add user to group script = /usr/sbin/adduser %u %g

Full path to the script that will be called when a user is added to a group using the Windows NT domain administration tools. It will be run by smbd(8) AS ROOT. Any %g will be replaced with the group name and any %u will be replaced with the user name.

Note that the adduser command used in the example below does not support the used syntax on all systems.

admin users (S). Default: No default

Example: admin users = jason

This is a list of users who will be granted administrative privileges on the share. This means that they will do all file operations as the super-user (root).

You should use this option very carefully, as any user in this list will be able to do anything they like on the share, irrespective of file permissions.

This parameter will not work with the security = share in Samba 3.0. This is by design.

afs share (S). Default: afs share = no

This parameter controls whether special AFS features are enabled for this share. If enabled, it assumes that the directory exported via the path parameter is a local AFS import. The special AFS features include the attempt to hand-craft an AFS token if you enabled –with-fake-kaserver in configure.

afs username map (G). Default: No default

Example: afs username map = %[email protected]

If you are using the fake kaserver AFS feature, you might want to hand-craft the usernames you are creating tokens for. For example this is necessary if you have users from several domain in your AFS Protection Database. One possible scheme to code users as DOMAIN+User as it is done by winbind with the + as a separator.

The mapped user name must contain the cell name to log into, so without setting this parameter there will be no token.

algorithmic rid base (G). Default: algorithmic rid base = 1000100000

Example: algorithmic rid base = 100000

This determines how Samba will use its algorithmic mapping from uids/gid to the RIDs needed to construct NT Security Identifiers.

Setting this option to a larger value could be useful to sites transitioning from WinNT and Win2k, as existing user and group rids would otherwise clash with sytem users etc.

All UIDs and GIDs must be able to be resolved into SIDs for the correct operation of ACLs on the server. As such the algorithmic mapping can’t be ’turned off’, but pushing it ’out of the way’ should resolve the issues. Users and groups can then be assigned ’low’ RIDs in arbitary-rid supporting backends.

allocation roundup size (S). Default: allocation roundup size = 10485760 (to disable roundups)

Example: allocation roundup size = 0 (to disable roundups)

This parameter allows an administrator to tune the allocation size reported to Windows clients. The default size of 1Mb generally results in improved Windows client performance. However, rounding the allocation size may cause difficulties for some applications, e.g. MS Visual Studio. If the MS Visual Studio compiler starts to crash with an internal error, set this parameter to zero for this share.

The integer parameter specifies the roundup size in bytes.

allow trusted domains (G). Default: allow trusted domains = yes

This option only takes effect when the security option is set to server,domain or ads. If it is set to no, then attempts to connect to a resource from a domain or workgroup other than the one which smbd is running in will fail, even if that domain is trusted by the remote server doing the authentication.

This is useful if you only want your Samba server to serve resources to users in the domain it is a member of. As an example, suppose that there are two domains DOMA and DOMB. DOMB is trusted by DOMA, which contains the Samba server. Under normal circumstances, a user with an account in DOMB can then access the resources of a UNIX account with the same account name on the Samba server even if they do not have an account in DOMA. This can make implementing a security boundary difficult.

announce as (G). Default: announce as = NT ServerWin95

Example: announce as = Win95

This specifies what type of server nmbd(8) will announce itself as, to a network neighborhood browse list. By default this is set to Windows NT. The valid options are : ”NT Server” (which can also be written as ”NT”), ”NT Workstation”, ”Win95” or ”WfW” meaning Windows NT Server, Windows NT Workstation, Windows 95 and Windows for Workgroups respectively. Do not change this parameter unless you have a specific need to stop Samba appearing as an NT server as this may prevent Samba servers from participating as browser servers correctly.

announce version (G). Default: announce version = 4.92.0

Example: announce version = 2.0

This specifies the major and minor version numbers that nmbd will use when announcing itself as a server. The default is 4.9. Do not change this parameter unless you have a specific need to set a Samba server to be a downlevel server.

auth methods (G). Default: No default

Example: auth methods = guest sam winbind

This option allows the administrator to chose what authentication methods smbd will use when authenticating a user. This option defaults to sensible values based on security. This should be considered a developer option and used only in rare circumstances. In the majority (if not all) of production servers, the default setting should be adequate.

Each entry in the list attempts to authenticate the user in turn, until the user authenticates. In practice only one method will ever actually be able to complete the authentication.

Possible options include guest (anonymous access), sam (lookups in local list of accounts based on netbios name or domain name), winbind (relay authentication requests for remote users through winbindd), ntdomain (pre-winbindd method of authentication for remote domain users; deprecated in favour of winbind method), trustdomain (authenticate trusted users by contacting the remote DC directly from smbd; deprecated in favour of winbind method).

available (S). Default: available = yes

This parameter lets you ”turn off” a service. If available = no, then ALL attempts to connect to the service will fail. Such failures are logged.

bind interfaces only (G). Default: bind interfaces only = no

This global parameter allows the Samba admin to limit what interfaces on a machine will serve SMB requests. It affects file service smbd(8) and name service nmbd(8) in a slightly different ways.

For name service it causes nmbd to bind to ports 137 and 138 on the interfaces listed in the interfaces parameter. nmbd also binds to the ”all addresses” interface (0.0.0.0) on ports 137 and 138 for the purposes of reading broadcast messages. If this option is not set then nmbd will service name requests on all of these sockets. If bind interfaces only is set then nmbd will check the source address of any packets coming in on the broadcast sockets and discard any that don’t match the broadcast addresses of the interfaces in the interfaces parameter list. As unicast packets are received on the other sockets it allows nmbd to refuse to serve names to machines that send packets that arrive through any interfaces not listed in the interfaces list. IP Source address spoofing does defeat this simple check, however, so it must not be used seriously as a security feature for nmbd.

For file service it causes smbd(8) to bind only to the interface list given in the interfaces parameter. This restricts the networks that smbd will serve to packets coming in those interfaces. Note that you should not use this parameter for machines that are serving PPP or other intermittent or non-broadcast network interfaces as it will not cope with non-permanent interfaces.

If bind interfaces only is set then unless the network address 127.0.0.1 is added to the interfaces parameter list smbpasswd(8) and swat(8) may not work as expected due to the reasons covered below.

To change a users SMB password, the smbpasswd by default connects to the localhost - 127.0.0.1 address as an SMB client to issue the password change request. If bind interfaces only is set then unless the network address 127.0.0.1 is added to the interfaces parameter list then smbpasswd will fail to connect in it’s default mode. smbpasswd can be forced to use the primary IP interface of the local host by using its smbpasswd(8) -r remote machine parameter, with remote machine set to the IP name of the primary interface of the local host.

The swat status page tries to connect with smbd and nmbd at the address 127.0.0.1 to determine if they are running. Not adding 127.0.0.1 will cause smbd and nmbd to always show ”not running” even if they really are. This can prevent swat from starting/stopping/restarting smbd and nmbd.

blocking locks (S). Default: blocking locks = yes

This parameter controls the behavior of smbd(8) when given a request by a client to obtain a byte range lock on a region of an open file, and the request has a time limit associated with it.

If this parameter is set and the lock range requested cannot be immediately satisfied, samba will internally queue the lock request, and periodically attempt to obtain the lock until the timeout period expires.

If this parameter is set to no, then samba will behave as previous versions of Samba would and will fail the lock request immediately if the lock range cannot be obtained.

block size (S). Default: No default

This parameter controls the behavior of smbd(8) when reporting disk free sizes. By default, this reports a disk block size of 1024 bytes.

Changing this parameter may have some effect on the efficiency of client writes, this is not yet confirmed. This parameter was added to allow advanced administrators to change it (usually to a higher value) and test the effect it has on client write performance without re-compiling the code. As this is an experimental option it may be removed in a future release.

Changing this option does not change the disk free reporting size, just the block size unit reported to the client.

browsable. This parameter is a synonym for browseable.

browseable (S). Default: browseable = yes

This controls whether this share is seen in the list of available shares in a net view and in the browse list.

browse list (G). Default: browse list = yes

This controls whether smbd(8) will serve a browse list to a client doing a Net-ServerEnum call. Normally set to yes. You should never need to change this.

casesignames. This parameter is a synonym for case sensitive.

case sensitive (S). Default: case sensitive = no

See the discussion in the section name mangling.

change notify timeout (G). Default: change notify timeout = 60300 Would change the scan time to every 5 minutes.

Example: change notify timeout = 300 Would change the scan time to every 5 minutes.

This SMB allows a client to tell a server to ”watch” a particular directory for any changes and only reply to the SMB request when a change has occurred. Such constant scanning of a directory is expensive under UNIX, hence an smbd(8) daemon only performs such a scan on each requested directory once every change notify timeout seconds.

change share command (G). Default: No default

Example: change share command = /usr/local/bin/addshare

Samba 2.2.0 introduced the ability to dynamically add and delete shares via the Windows NT 4.0 Server Manager. The change share command is used to define an external program or script which will modify an existing service definition in smb.conf. In order to successfully execute the change share command, smbd requires that the administrator be connected using a root account (i.e. uid == 0).

When executed, smbd will automatically invoke the change share command with four parameters.

This parameter is only used modify existing file shares definitions. To modify printer shares, use the ”Printers...” folder as seen when browsing the Samba host.

check password script (G). Default: check password script = Disabledcheck password script = /usr/local/sbin/crackcheck

Example: check password script = check password script = /usr/local/sbin/crackcheck

The name of a program that can be used to check password complexity. The password is sent to the program’s standrad input.

The program must return 0 on good password any other value otherwise. In case the password is considered weak (the program do not return 0) the user will be notified and the password change will fail.

Note: In the example directory there is a sample program called crackcheck that uses cracklib to checkpassword quality.

client lanman auth (G). Default: client lanman auth = yes

This parameter determines whether or not smbclient(8) and other samba client tools will attempt to authenticate itself to servers using the weaker LANMAN password hash. If disabled, only server which support NT password hashes (e.g. Windows NT/2000, Samba, etc... but not Windows 95/98) will be able to be connected from the Samba client.

The LANMAN encrypted response is easily broken, due to it’s case-insensitive nature, and the choice of algorithm. Clients without Windows 95/98 servers are advised to disable this option.

Disabling this option will also disable the client plaintext auth option

Likewise, if the client ntlmv2 auth parameter is enabled, then only NTLMv2 logins will be attempted.

client ntlmv2 auth (G). Default: client ntlmv2 auth = no

This parameter determines whether or not smbclient(8) will attempt to authenticate itself to servers using the NTLMv2 encrypted password response.

If enabled, only an NTLMv2 and LMv2 response (both much more secure than earlier versions) will be sent. Many servers (including NT4 < SP4, Win9x and Samba 2.2) are not compatible with NTLMv2.

Similarly, if enabled, NTLMv1, client lanman auth and client plaintext auth authentication will be disabled. This also disables share-level authentication.

If disabled, an NTLM response (and possibly a LANMAN response) will be sent by the client, depending on the value of client lanman auth.

Note that some sites (particularly those following ’best practice’ security polices) only allow NTLMv2 responses, and not the weaker LM or NTLM.

client plaintext auth (G). Default: client plaintext auth = yes

Specifies whether a client should send a plaintext password if the server does not support encrypted passwords.

client schannel (G). Default: client schannel = autoyes

Example: client schannel = yes

This controls whether the client offers or even demands the use of the netlogon schannel. client schannel = no does not offer the schannel, client schannel = auto offers the schannel but does not enforce it, and client schannel = yes denies access if the server is not able to speak netlogon schannel.

client signing (G). Default: client signing = auto

This controls whether the client offers or requires the server it talks to to use SMB signing. Possible values are auto, mandatory and disabled.

When set to auto, SMB signing is offered, but not enforced. When set to mandatory, SMB signing is required and if set to disabled, SMB signing is not offered either.

client use spnego (G). Default: client use spnego = yes

This variable controls whether Samba clients will try to use Simple and Protected NEGOciation (as specified by rfc2478) with supporting servers (including WindowsXP, Windows2000 and Samba 3.0) to agree upon an authentication mechanism. This enables Kerberos authentication in particular.

comment (S). Default: comment = No commentFred’s Files

Example: comment = Fred’s Files

This is a text field that is seen next to a share when a client does a queries the server, either via the network neighborhood or via net view to list what shares are available.

If you want to set the string that is displayed next to the machine name then see the server string parameter.

config file (G). Default: No default

Example: config file = /usr/local/samba/lib/smb.conf.%m

This allows you to override the config file to use, instead of the default (usually smb.conf). There is a chicken and egg problem here as this option is set in the config file!

For this reason, if the name of the config file has changed when the parameters are loaded then it will reload them from the new config file.

This option takes the usual substitutions, which can be very useful.

If the config file doesn’t exist then it won’t be loaded (allowing you to special case the config files of just a few clients).

copy (S). Default: No default

Example: copy = otherservice

This parameter allows you to ”clone” service entries. The specified service is simply duplicated under the current service’s name. Any parameters specified in the current section will override those in the section being copied.

This feature lets you set up a ’template’ service and create similar services easily. Note that the service being copied must occur earlier in the configuration file than the service doing the copying.

create mode. This parameter is a synonym for create mask.

create mask (S). Default: create mask = 07440775

Example: create mask = 0775

When a file is created, the necessary permissions are calculated according to the mapping from DOS modes to UNIX permissions, and the resulting UNIX mode is then bit-wise ’AND’ed with this parameter. This parameter may be thought of as a bit-wise MASK for the UNIX modes of a file. Any bit not set here will be removed from the modes set on a file when it is created.

The default value of this parameter removes the group and other write and execute bits from the UNIX modes.

Following this Samba will bit-wise ’OR’ the UNIX mode created from this parameter with the value of the force create mode parameter which is set to 000 by default.

This parameter does not affect directory masks. See the parameter directory mask for details.

Note that this parameter does not apply to permissions set by Windows NT/2000 ACL editors. If the administrator wishes to enforce a mask on access control lists also, they need to set the security mask.

csc policy (S). Default: csc policy = manualprograms

Example: csc policy = programs

This stands for client-side caching policy, and specifies how clients capable of offline caching will cache the files in the share. The valid values are: manual, documents, programs, disable.

These values correspond to those used on Windows servers.

For example, shares containing roaming profiles can have offline caching disabled using csc policy = disable.

cups options (S). Default: cups options = ”””raw,media=a4,job-sheets=secret,secret”

Example: cups options = ”raw,media=a4,job-sheets=secret,secret”

This parameter is only applicable if printing is set to cups. Its value is a free form string of options passed directly to the cups library.

You can pass any generic print option known to CUPS (as listed in the CUPS ”Software Users’ Manual”). You can also pass any printer specific option (as listed in ”lpoptions -d printername -l”) valid for the target queue.

You should set this parameter to raw if your CUPS server error_log file contains messages such as ”Unsupported format ’application/octet-stream’” when printing from a Windows client through Samba. It is no longer necessary to enable system wide raw printing in /etc/cups/mime.{convs,types}.

cups server (G). Default: cups server = ””MYCUPSSERVER

Example: cups server = MYCUPSSERVER

This parameter is only applicable if printing is set to cups.

If set, this option overrides the ServerName option in the CUPS client.conf. This is necessary if you have virtual samba servers that connect to different CUPS daemons.

deadtime (G). Default: deadtime = 015

Example: deadtime = 15

The value of the parameter (a decimal integer) represents the number of minutes of inactivity before a connection is considered dead, and it is disconnected. The deadtime only takes effect if the number of open files is zero.

This is useful to stop a server’s resources being exhausted by a large number of inactive connections.

Most clients have an auto-reconnect feature when a connection is broken so in most cases this parameter should be transparent to users.

Using this parameter with a timeout of a few minutes is recommended for most systems.

A deadtime of zero indicates that no auto-disconnection should be performed.

debug hires timestamp (G). Default: debug hires timestamp = no

Sometimes the timestamps in the log messages are needed with a resolution of higher that seconds, this boolean parameter adds microsecond resolution to the timestamp message header when turned on.

Note that the parameter debug timestamp must be on for this to have an effect.

debug pid (G). Default: debug pid = no

When using only one log file for more then one forked smbd(8)-process there may be hard to follow which process outputs which message. This boolean parameter is adds the process-id to the timestamp message headers in the logfile when turned on.

Note that the parameter debug timestamp must be on for this to have an effect.

timestamp logs. This parameter is a synonym for debug timestamp.

debug timestamp (G). Default: debug timestamp = yes

Samba debug log messages are timestamped by default. If you are running at a high debug level these timestamps can be distracting. This boolean parameter allows timestamping to be turned off.

debug uid (G). Default: debug uid = no

Samba is sometimes run as root and sometime run as the connected user, this boolean parameter inserts the current euid, egid, uid and gid to the timestamp message headers in the log file if turned on.

Note that the parameter debug timestamp must be on for this to have an effect.

default case (S). Default: default case = lower

See the section on name mangling. Also note the short preserve case parameter.

default devmode (S). Default: default devmode = no

This parameter is only applicable to printable services. When smbd is serving Printer Drivers to Windows NT/2k/XP clients, each printer on the Samba server has a Device Mode which defines things such as paper size and orientation and duplex settings. The device mode can only correctly be generated by the printer driver itself (which can only be executed on a Win32 platform). Because smbd is unable to execute the driver code to generate the device mode, the default behavior is to set this field to NULL.

Most problems with serving printer drivers to Windows NT/2k/XP clients can be traced to a problem with the generated device mode. Certain drivers will do things such as crashing the client’s Explorer.exe with a NULL devmode. However, other printer drivers can cause the client’s spooler service (spoolsv.exe) to die if the devmode was not created by the driver itself (i.e. smbd generates a default devmode).

This parameter should be used with care and tested with the printer driver in question. It is better to leave the device mode to NULL and let the Windows client set the correct values. Because drivers do not do this all the time, setting default devmode = yes will instruct smbd to generate a default one.

For more information on Windows NT/2k printing and Device Modes, see the MSDN documentation^[4].

default. This parameter is a synonym for default service.

default service (G). Default: No default

Example: default service = pub

This parameter specifies the name of a service which will be connected to if the service actually requested cannot be found. Note that the square brackets are NOT given in the parameter value (see example below).

There is no default value for this parameter. If this parameter is not given, attempting to connect to a nonexistent service results in an error.

Typically the default service would be a guest ok, read-only service.

Also note that the apparent service name will be changed to equal that of the requested service, this is very useful as it allows you to use macros like %S to make a wildcard service.

Note also that any ”_” characters in the name of the service used in the default service will get mapped to a ”/”. This allows for interesting things.

defer sharing violations (G). Default: defer sharing violations = True

Windows allows specifying how a file will be shared with other processes when it is opened. Sharing violations occur when a file is opened by a different process using options that violate the share settings specified by other processes. This parameter causes smbd to act as a Windows server does, and defer returning a ”sharing violation”

error message for up to one second, allowing the client to close the file causing the violation in the meantime.

Unix by default does not have this behaviour.

There should be no reason to turn off this parameter, as it is designed to enable Samba to more correctly emulate Windows.

delete group script (G). Default: No default

This is the full pathname to a script that will be run AS ROOT smbd(8) when a group is requested to be deleted. It will expand any %g to the group name passed. This script is only useful for installations using the Windows NT domain administration tools.

deleteprinter command (G). Default: No default

Example: deleteprinter command = /usr/bin/removeprinter

With the introduction of MS-RPC based printer support for Windows NT/2000 clients in Samba 2.2, it is now possible to delete printer at run time by issuing the DeletePrinter() RPC call.

For a Samba host this means that the printer must be physically deleted from underlying printing system. The deleteprinter command defines a script to be run which will perform the necessary operations for removing the printer from the print system and from smb.conf.

The [smbcomfoption] [/smbcomfoption] is automatically called with only one parameter: printer name.

Once the deleteprinter command has been executed, smbd will reparse the smb.conf to associated printer no longer exists. If the sharename is still valid, then smbd will return an ACCESS_DENIED error to the client.

delete readonly (S). Default: delete readonly = no

This parameter allows readonly files to be deleted. This is not normal DOS semantics, but is allowed by UNIX.

This option may be useful for running applications such as rcs, where UNIX file ownership prevents changing file permissions, and DOS semantics prevent deletion of a read only file.

delete share command (G). Default: No default

Example: delete share command = /usr/local/bin/delshare

Samba 2.2.0 introduced the ability to dynamically add and delete shares via the Windows NT 4.0 Server Manager. The delete share command is used to define an external program or script which will remove an existing service definition from smb.conf.

In order to successfully execute the delete share command, smbd requires that the administrator be connected using a root account (i.e. uid == 0).

When executed, smbd will automatically invoke the delete share command with two parameters.

This parameter is only used to remove file shares. To delete printer shares, see the deleteprinter command.

delete user from group script (G). Default: No default

Example: delete user from group script = /usr/sbin/deluser %u %g

Full path to the script that will be called when a user is removed from a group using the Windows NT domain administration tools. It will be run by smbd(8) AS ROOT. Any %g will be replaced with the group name and any %u will be replaced with the user name.

delete user script (G). Default: No default

Example: delete user script = /usr/local/samba/bin/del_user %u

This is the full pathname to a script that will be run by smbd(8) when managing users with remote RPC (NT) tools.

This script is called when a remote client removes a user from the server, normally using ’User Manager for Domains’ or rpcclient.

This script should delete the given UNIX username.

delete veto files (S). Default: delete veto files = no

This option is used when Samba is attempting to delete a directory that contains one or more vetoed directories (see the veto files option). If this option is set to no (the default) then if a vetoed directory contains any non-vetoed files or directories then the directory delete will fail. This is usually what you want.

If this option is set to yes, then Samba will attempt to recursively delete any files and directories within the vetoed directory. This can be useful for integration with file serving systems such as NetAtalk which create meta-files within directories you might normally veto DOS/Windows users from seeing (e.g. .AppleDouble)

Setting delete veto files = yes allows these directories to be transparently deleted when the parent directory is deleted (so long as the user has permissions to do so).

dfree command (G). Default: dfree command = By default internal routines for determining the disk capacity and remaining space will be used./usr/local/samba/bin/dfree

Example: dfree command = /usr/local/samba/bin/dfree

The dfree command setting should only be used on systems where a problem occurs with the internal disk space calculations. This has been known to happen with Ultrix, but may occur with other operating systems. The symptom that was seen was an error of ”Abort Retry Ignore” at the end of each directory listing.

This setting allows the replacement of the internal routines to calculate the total disk space and amount available with an external routine. The example below gives a possible script that might fulfill this function.

The external program will be passed a single parameter indicating a directory in the filesystem being queried. This will typically consist of the string ./. The script should return two integers in ASCII. The first should be the total disk space in blocks, and the second should be the number of available blocks. An optional third return value can give the block size in bytes. The default blocksize is 1024 bytes.

Note: Your script should NOT be setuid or setgid and should be owned by (and writeable only by) root!

Where the script dfree (which must be made executable) could be:

#!/bin/sh
df $1 | tail -1 | awk '{print $2" "$4}'

or perhaps (on Sys V based systems):

#!/bin/sh
/usr/bin/df -k $1 | tail -1 | awk '{print $3" "$5}'

Note that you may have to replace the command names with full path names on some systems.

directory mode. This parameter is a synonym for directory mask.

directory mask (S). Default: directory mask = 07550775

Example: directory mask = 0775

This parameter is the octal modes which are used when converting DOS modes to UNIX modes when creating UNIX directories.

When a directory is created, the necessary permissions are calculated according to the mapping from DOS modes to UNIX permissions, and the resulting UNIX mode is then bit-wise ’AND’ed with this parameter. This parameter may be thought of as a bit-wise MASK for the UNIX modes of a directory. Any bit not set here will be removed from the modes set on a directory when it is created.

The default value of this parameter removes the ’group’ and ’other’ write bits from the UNIX mode, allowing only the user who owns the directory to modify it.

Following this Samba will bit-wise ’OR’ the UNIX mode created from this parameter with the value of the force directory mode parameter. This parameter is set to 000 by default (i.e. no extra mode bits are added).

Note that this parameter does not apply to permissions set by Windows NT/2000 ACL editors. If the administrator wishes to enforce a mask on access control lists also, they need to set the directory security mask.

directory security mask (S). Default: directory security mask = 07770700

Example: directory security mask = 0700

This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating the UNIX permission on a directory using the native NT security dialog box.

This parameter is applied as a mask (AND’ed with) to the changed permission bits, thus preventing any bits not in this mask from being modified. Make sure not to mix up this parameter with force directory security mode, which works similar like this one but uses logical OR instead of AND. Essentially, zero bits in this mask may be treated as a set of bits the user is not allowed to change.

If not set explicitly this parameter is set to 0777 meaning a user is allowed to modify all the user/group/world permissions on a directory.

Note that users who can access the Samba server through other means can easily bypass this restriction, so it is primarily useful for standalone ”appliance” systems. Administrators of most normal systems will probably want to leave it as the default of 0777.

disable netbios (G). Default: disable netbios = no

Enabling this parameter will disable netbios support in Samba. Netbios is the only available form of browsing in all windows versions except for 2000 and XP.

NOTE

disable spoolss (G). Default: disable spoolss = no

Enabling this parameter will disable Samba’s support for the SPOOLSS set of MS-RPC’s and will yield identical behavior as Samba 2.0.x. Windows NT/2000 clients will downgrade to using Lanman style printing commands. Windows 9x/ME will be uneffected by the parameter. However, this will also disable the ability to upload printer drivers to a Samba server via the Windows NT Add Printer Wizard or by using the NT printer properties dialog window. It will also disable the capability of Windows NT/2000 clients to download print drivers from the Samba host upon demand. Be very careful about enabling this parameter.

display charset (G). Default: display charset = ASCIIUTF8

Example: display charset = UTF8

Specifies the charset that samba will use to print messages to stdout and stderr and SWAT will use. Should generally be the same as the unix charset.

dns proxy (G). Default: dns proxy = yes

Specifies that nmbd(8) when acting as a WINS server and finding that a NetBIOS name has not been registered, should treat the NetBIOS name word-for-word as a DNS name and do a lookup with the DNS server for that name on behalf of the name-querying client.

Note that the maximum length for a NetBIOS name is 15 characters, so the DNS name (or DNS alias) can likewise only be 15 characters, maximum.

nmbd spawns a second copy of itself to do the DNS name lookup requests, as doing a name lookup is a blocking action.

domain logons (G). Default: domain logons = no

If set to yes, the Samba server will provide the netlogon service for Windows 9X network logons for the workgroup it is in. This will also cause the Samba server to act as a domain controller for NT4 style domain services. For more details on setting up this feature see the Domain Control chapter of the Samba HOWTO Collection.

domain master (G). Default: domain master = auto

Tell smbd(8) to enable WAN-wide browse list collation. Setting this option causes nmbd to claim a special domain specific NetBIOS name that identifies it as a domain master browser for its given workgroup. Local master browsers in the same workgroup on broadcast-isolated subnets will give this nmbd their local browse lists, and then ask smbd(8) for a complete copy of the browse list for the whole wide area network. Browser clients will then contact their local master browser, and will receive the domain-wide browse list, instead of just the list for their broadcast-isolated subnet.

Note that Windows NT Primary Domain Controllers expect to be able to claim this workgroup specific special NetBIOS name that identifies them as domain master browsers for that workgroup by default (i.e. there is no way to prevent a Windows NT PDC from attempting to do this). This means that if this parameter is set and nmbd claims the special name for a workgroup before a Windows NT PDC is able to do so then cross subnet browsing will behave strangely and may fail.

If domain logons = yes , then the default behavior is to enable the domain master parameter. If domain logons is not enabled (the default setting), then neither will domain master be enabled by default.

dont descend (S). Default: No default

Example: dont descend = /proc,/dev

There are certain directories on some systems (e.g., the /proc tree under Linux) that are either not of interest to clients or are infinitely deep (recursive). This parameter allows you to specify a comma-delimited list of directories that the server should always show as empty.

Note that Samba can be very fussy about the exact format of the ”dont descend” entries. For example you may need ./proc instead of just /proc. Experimentation is the best policy :-)

dos charset (G). Default: No default

DOS SMB clients assume the server has the same charset as they do. This option specifies which charset Samba should talk to DOS clients.

The default depends on which charsets you have installed. Samba tries to use charset 850 but falls back to ASCII in case it is not available. Run testparm(1) to check the default on your system.

dos filemode (S). Default: dos filemode = no

The default behavior in Samba is to provide UNIX-like behavior where only the owner of a file/directory is able to change the permissions on it. However, this behavior is often confusing to DOS/Windows users. Enabling this parameter allows a user who has write access to the file (by whatever means) to modify the permissions on it. Note that a user belonging to the group owning the file will not be allowed to change permissions if the group is only granted read access. Ownership of the file/directory is not changed, only the permissions are modified.

dos filetime resolution (S). Default: dos filetime resolution = no

Under the DOS and Windows FAT filesystem, the finest granularity on time resolution is two seconds. Setting this parameter for a share causes Samba to round the reported time down to the nearest two second boundary when a query call that requires one second resolution is made to smbd(8).

This option is mainly used as a compatibility option for Visual C++ when used against Samba shares. If oplocks are enabled on a share, Visual C++ uses two different time reading calls to check if a file has changed since it was last read. One of these calls uses a one-second granularity, the other uses a two second granularity. As the two second call rounds any odd second down, then if the file has a timestamp of an odd number of seconds then the two timestamps will not match and Visual C++ will keep reporting the file has changed. Setting this option causes the two timestamps to match, and Visual C++ is happy.

dos filetimes (S). Default: dos filetimes = yes

Under DOS and Windows, if a user can write to a file they can change the timestamp on it. Under POSIX semantics, only the owner of the file or root may change the timestamp. By default, Samba runs with POSIX semantics and refuses to change the timestamp on a file if the user smbd is acting on behalf of is not the file owner. Setting this option to yes allows DOS semantics and smbd(8) will change the file timestamp as DOS requires. Due to changes in Microsoft Office 2000 and beyond, the default for this parameter has been changed from ”no” to ”yes” in Samba 3.0.14 and above. Microsoft Excel will display dialog box warnings about the file being changed by another user if this parameter is not set to ”yes” and files are being shared between users.

ea support (S). Default: ea support = no

This boolean parameter controls whether smbd(8) will allow clients to attempt to store OS/2 style Extended attributes on a share. In order to enable this parameter the underlying filesystem exported by the share must support extended attributes (such as provided on XFS and EXT3 on Linux, with the correct kernel patches). On Linux the filesystem must have been mounted with the mount option user_xattr in order for extended attributes to work, also extended attributes must be compiled into the Linux kernel.

enable asu support (G). Default: enable asu support = yes

Hosts running the ”Advanced Server for Unix (ASU)” product require some special accomodations such as creating a builting [ADMIN$] share that only supports IPC connections. The has been the default behavior in smbd for many years. However, certain Microsoft applications such as the Print Migrator tool require that the remote server support an [ADMIN$} file share. Disabling this parameter allows for creating an [ADMIN$] file share in smb.conf.

enable privileges (G). Default: enable privileges = no

This parameter controls whether or not smbd will honor privileges assigned to specific SIDs via either net rpc rights or one of the Windows user and group manager tools. This parameter is disabled by default to prevent members of the Domain Admins group from being able to assign privileges to users or groups which can then result in certain smbd operations running as root that would normally run under the context of the connected user.

An example of how privileges can be used is to assign the right to join clients to a Samba controlled domain without providing root access to the server via smbd.

Please read the extended description provided in the Samba documentation before enabling this option.

enable rid algorithm (G). Default: enable rid algorithm = yes

This option is used to control whether or not smbd in Samba 3.0 should fallback to the algorithm used by Samba 2.2 to generate user and group RIDs. The longterm development goal is to remove the algorithmic mappings of RIDs altogether, but this has proved to be difficult. This parameter is mainly provided so that developers can turn the algorithm on and off and see what breaks. This parameter should not be disabled by non-developers because certain features in Samba will fail to work without it.

encrypt passwords (G). Default: encrypt passwords = yes

This boolean controls whether encrypted passwords will be negotiated with the client. Note that Windows NT 4.0 SP3 and above and also Windows 98 will by default expect encrypted passwords unless a registry entry is changed. To use encrypted passwords in Samba see the chapter ”User Database” in the Samba HOWTO Collection.

MS Windows clients that expect Microsoft encrypted passwords and that do not have plain text password support enabled will be able to connect only to a Samba server that has encypted password support enabled and for which the user accounts have a valid encrypted password. Refer to the smbpasswd command man page for information regarding the creation of encrypted passwords for user accounts.

The use of plain text passwords is NOT advised as support for this feature is no longer maintained in Microsoft Windows products. If you want to use plain text passwords you must set this parameter to no.

In order for encrypted passwords to work correctly smbd(8) must either have access to a local smbpasswd(5) file (see the smbpasswd(8) program for information on how to set up and maintain this file), or set the security = [server|domain|ads] parameter which causes smbd to authenticate against another server.

enhanced browsing (G). Default: enhanced browsing = yes

This option enables a couple of enhancements to cross-subnet browse propagation that have been added in Samba but which are not standard in Microsoft implementations.

The first enhancement to browse propagation consists of a regular wildcard query to a Samba WINS server for all Domain Master Browsers, followed by a browse synchronization with each of the returned DMBs. The second enhancement consists of a regular randomised browse synchronization with all currently known DMBs.

You may wish to disable this option if you have a problem with empty workgroups not disappearing from browse lists. Due to the restrictions of the browse protocols these enhancements can cause a empty workgroup to stay around forever which can be annoying.

In general you should leave this option enabled as it makes cross-subnet browse propagation much more reliable.

enumports command (G). Default: No default

Example: enumports command = /usr/bin/listports

The concept of a ”port” is fairly foreign to UNIX hosts. Under Windows NT/2000 print servers, a port is associated with a port monitor and generally takes the form of a local port (i.e. LPT1:, COM1:, FILE:) or a remote port (i.e. LPD Port Monitor, etc...). By default, Samba has only one port defined–"Samba Printer Port". Under Windows NT/2000, all printers must have a valid port name. If you wish to have a list of ports displayed (smbd does not use a port name for anything) other than the default "Samba Printer Port", you can define enumports command to point to a program which should generate a list of ports, one per line, to standard output. This listing will then be used in response to the level 1 and 2 EnumPorts() RPC.

fake directory create times (S). Default: fake directory create times = no

NTFS and Windows VFAT file systems keep a create time for all files and directories. This is not the same as the ctime - status change time - that Unix keeps, so Samba by default reports the earliest of the various times Unix does keep. Setting this parameter for a share causes Samba to always report midnight 1-1-1980 as the create time for directories.

This option is mainly used as a compatibility option for Visual C++ when used against Samba shares. Visual C++ generated makefiles have the object directory as a dependency for each object file, and a make rule to create the directory. Also, when NMAKE compares timestamps it uses the creation time when examining a directory. Thus the object directory will be created if it does not exist, but once it does exist it will always have an earlier timestamp than the object files it contains.

However, Unix time semantics mean that the create time reported by Samba will be updated whenever a file is created or or deleted in the directory. NMAKE finds all object files in the object directory. The timestamp of the last one built is then compared to the timestamp of the object directory. If the directory’s timestamp if newer, then all object files will be rebuilt. Enabling this option ensures directories always predate their contents and an NMAKE build will proceed as expected.

fake oplocks (S). Default: fake oplocks = no

Oplocks are the way that SMB clients get permission from a server to locally cache file operations. If a server grants an oplock (opportunistic lock) then the client is free to assume that it is the only one accessing the file and it will aggressively cache file data. With some oplock types the client may even cache file open/close operations. This can give enormous performance benefits.

When you set fake oplocks = yes, smbd(8) will always grant oplock requests no matter how many clients are using the file.

It is generally much better to use the real oplocks support rather than this parameter.

If you enable this option on all read-only shares or shares that you know will only be accessed from one client at a time such as physically read-only media like CDROMs, you will see a big performance improvement on many operations. If you enable this option on shares where multiple clients may be accessing the files read-write at the same time you can get data corruption. Use this option carefully!

follow symlinks (S). Default: follow symlinks = yes

This parameter allows the Samba administrator to stop smbd(8) from following symbolic links in a particular share. Setting this parameter to no prevents any file or directory that is a symbolic link from being followed (the user will get an error). This option is very useful to stop users from adding a symbolic link to /etc/passwd in their home directory for instance. However it will slow filename lookups down slightly.

This option is enabled (i.e. smbd will follow symbolic links) by default.

force create mode (S). Default: force create mode = 0000755

Example: force create mode = 0755

This parameter specifies a set of UNIX mode bit permissions that will always be set on a file created by Samba. This is done by bitwise ’OR’ing these bits onto the mode bits of a file that is being created or having its permissions changed. The default for this parameter is (in octal) 000. The modes in this parameter are bitwise ’OR’ed onto the file mode after the mask set in the create mask parameter is applied.

The example below would force all created files to have read and execute permissions set for ’group’ and ’other’ as well as the read/write/execute bits set for the ’user’.

force directory mode (S). Default: force directory mode = 0000755