Linuxconf: SAMBA Global Share Configuration

Original Author: Andrew Tridgell (Samba Team)
Linuxconf version by: Joshua Lamorie (jlamorie@engsoc.carleton.ca)

1. Overview

The settings in this menu are inherited (and sometimes overridden) by all other shares on the system.

2. Default Menu

This menu describes the general configuration for the server. Unless specified otherwise in other areas, all shares (exports) inherit these properties.

3. Base config

3.1. SMB account management

Linux passwords (for Linux services such as the shell, e-mail, etc.) are stored in a different format than SMB passwords. Linux passwords are normally stored as crypt(3) hashes in /etc/passwd (or /etc/shadow), while SMB passwords are stored as LM and NT hashes in /etc/smbpasswd. Linuxconf can update both password databases when you change or set a user account password. If you choose not to use this feature, you must update the SMB password yourself with the smbpasswd utility.

Note that the two files (/etc/passwd and /etc/smbpasswd) must be kept synchronized: each user name must exist in both, and the numeric user ID in one must match the ID in the other. Because this can be done in more than one way, Linuxconf offers several strategies for managing the SMB password file.

Not managed
    Here you are on your own. For each new Linux account, you must add a matching entry to /etc/smbpasswd with "smbpasswd -a <user>", and enter the password which will be used for SMB transactions.

Acct. & passwords
    Linuxconf fully synchronizes both password databases. Both databases contain the same passwords, hashed differently.

Acct. only
    Linuxconf creates and deletes accounts in the SMB password database, but never updates an SMB password. This is the recommended option if you install the pam_smbpass authentication module. This module allows you to use a single password database (/etc/smbpasswd) for all services, including normal Linux logons.

3.2. Synchronize Linux from SMB passwords

Samba users (Windows users) can change their password from their workstation. This updates the SMB password in /etc/smbpasswd. If you enable this feature, the Linux password is updated as well.

3.3. Server description

This controls what string is shown in the printer comment box in Print Manager and next to the IPC connection in "net view". It can be any string that you want your users to see. It also sets what appears next to the machine name in browse lists.

+o A %v is replaced with the Samba version number.
+o A %h is replaced with the hostname.

Default: Samba %v
Example: University of GNUs Samba Server

3.4. Work group

This controls which workgroup your server will appear to be in when queried by clients.

Default: set in the Makefile (at compile time)
Example: MYGROUP

3.5. Netbios name (opt)

This is the name of the machine as seen by SMB clients. Samba uses the hostname of the server by default. You can specify a different one if needed.

3.6. Netbios aliases (opt)

A Samba server may be accessed using different names. If you use the %L macro (the NetBIOS name the client connected to), you can create virtual services where the directory actually exported changes depending on the server name used. You can use this to merge two servers into one while preserving client configuration (the old server logically continues to exist).

4. Passwords

4.1. Encrypted password required

This boolean parameter controls whether encrypted passwords are negotiated with the client. Note that Windows NT 4.0 SP3 and above will, by default, refuse to send plaintext passwords unless a registry value (EnablePlainTextPassword) is changed. With plaintext authentication the password crosses the network unprotected, so encrypted passwords should be enabled wherever the clients support them. To use encrypted passwords in Samba see the file docs/ENCRYPTION.txt.

4.2. Authentication mode

4.3. Password server

By specifying the name of another SMB server (such as a Windows NT box) with this option, and using "security = server", you can get Samba to do all its username/password validation via a remote server. This option sets the name of the password server to use. It must be a NetBIOS name, so if the machine's NetBIOS name is different from its Internet name, you may have to add its NetBIOS name to /etc/hosts.

Note that with Samba 1.9.18p4 and above, the name of the password server is looked up using the parameter "name resolve order =" and so may be resolved by any method and order described in that parameter.

The password server must be a machine capable of using the "LM1.2X002" or the "NT LM 0.12" protocol dialect, and it must be in user level security mode.

NOTE: Using a password server means your UNIX box (running Samba) is only as secure as your password server. DO NOT CHOOSE A PASSWORD SERVER THAT YOU DON'T COMPLETELY TRUST. Whoever controls the password server decides who may log on to your Samba server.

Never point a Samba server at itself for password serving. This will cause a loop and could lock up your Samba server!

The name of the password server takes the standard substitutions, but probably the only useful one is %m, which means the Samba server will use the incoming client as the password server. Since the client then vouches for its own credentials, you must trust your clients completely if you use this, and you should restrict them with allow hosts (section 5.1)!

If you list several hosts in the "password server" option then smbd tries each in turn until it finds one that responds. This is useful in case your primary server goes down.

If you are using a Windows NT server as your password server then you must ensure that your users are able to log on from the Samba server, as the network logon will appear to come from there, rather than from the user's workstation.

4.4. Password level

Some client/server combinations have difficulty with mixed-case passwords.
One offending client is Windows for Workgroups, which for some reason forces passwords to upper case when using the LANMAN1 protocol, but leaves them alone when using COREPLUS!

This parameter defines the maximum number of characters that may be upper case in passwords. For example, say the password given was "FRED". If password level is set to 1 (one), the following combinations are tried if "FRED" fails: "Fred", "fred", "fRed", "frEd", "freD". If password level is set to 2 (two), the following combinations are also tried: "FRed", "FrEd", "FreD", "fREd", "fReD", "frED". And so on for higher levels.

The higher this parameter is set, the more likely it is that a mixed-case password will be matched against a single-case password. However, you should be aware that using this parameter reduces security (one logon attempt silently tests many candidate passwords, which undoes much of the case sensitivity of the Unix password) and increases the time taken to process a new connection. It only applies to plaintext (Unix crypt()) authentication; encrypted passwords are checked against the hashes in /etc/smbpasswd and are not affected. A value of zero causes only two attempts to be made: the password as is and the password in all lower case.

If you find the connections are taking too long with this option, then you probably have a slow crypt() routine. Samba now comes with a fast "ufc crypt" that you can select in the Makefile. You should also make sure the PASSWORD_LENGTH option is correct for your system in local.h and includes.h. On most systems only the first eight characters of a password are significant, so PASSWORD_LENGTH should be 8, but on some systems longer passwords are significant. The includes.h file tries to select the right length for your system.

Default: 0
Example: 4

4.5. Passwd program

The name of a program that can be used to set user passwords. This is only available if you have enabled remote password changing at compile time (see the comments in the Makefile for details). Any occurrences of %u are replaced with the username. The username is checked for existence before calling the password-changing program.
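The candidate rule of section 4.4 above, carried through as an added Python example (this is not Samba's code; the sample passwords are constructed). It reproduces exactly what the text describes, level 0 tries the password as sent plus the all-lower-case form and level N adds every variant with 1..N upper-case letters, and counts how many crypt() comparisons a single logon can cost, which is the security and performance point of the parameter:

```python
"""Enumerate the candidate passwords a given "password level" makes Samba try.

Added example, not code from the Linuxconf help or from Samba. The rule
implemented is the one the help text states; the sample passwords are
constructed for the example.
"""
from itertools import combinations


def password_candidates(sent, level):
    """Return the candidates tried for `sent` at this password level.

    Order: the password as sent, then all lower case, then every variant
    with exactly 1, 2, ... `level` upper-case letters (duplicates removed).
    """
    lowered = sent.lower()
    candidates = [sent]
    if lowered not in candidates:
        candidates.append(lowered)
    # Only letters can be toggled to upper case; digits and symbols stay as they are.
    letter_positions = [i for i, ch in enumerate(lowered) if ch.isalpha()]
    for uppers in range(1, min(level, len(letter_positions)) + 1):
        for chosen in combinations(letter_positions, uppers):
            chars = list(lowered)
            for i in chosen:
                chars[i] = chars[i].upper()
            variant = "".join(chars)
            if variant not in candidates:
                candidates.append(variant)
    return candidates


def attempts_per_logon(sent, level):
    """Number of crypt() comparisons one logon attempt can cost at this level."""
    return len(password_candidates(sent, level))


if __name__ == "__main__":
    # Constructed samples: the help text's "FRED", and an 8-letter password at level 8,
    # which turns one logon attempt into a 256-candidate search of the Unix password.
    for pw, lvl in (("FRED", 0), ("FRED", 1), ("FRED", 2), ("password", 8)):
        print(pw, "level", lvl, "->", attempts_per_logon(pw, lvl), "attempts")
```

The growth is the sum of binomial coefficients over the letter positions, so an eight-letter password at level 8 costs 256 crypt() calls per logon and lets a client with the wrong case succeed against any of 256 variants of its guess; keep the level at the smallest value that makes the misbehaving clients work.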
Also note that many passwd programs insist on a "reasonable" password, such as a minimum length, or the inclusion of mixed-case characters and digits. This can pose a problem because some clients (such as Windows for Workgroups) change characters to upper case before sending the password.

Note that if the "Synchronize Linux and SMB Passwords" parameter is set to true, then this program is called *AS ROOT* when the SMB password in the smbpasswd file is being changed. In that case this parameter MUST USE ABSOLUTE PATHS for ALL programs called, and must be examined for security implications: the command runs with full privileges and receives a user name that originated from the client. See also Synchronize Linux from SMB passwords (section 3.2).

Default: /bin/passwd %u
Example: /bin/passwd %u

4.6. Allow null passwords account

Allow or disallow access to accounts that have null passwords. Leave this off unless you have a specific reason: with it on, any account whose SMB password is empty can be used by anyone who knows the user name.

Default: Off

5. Access

5.1. Allow hosts

This parameter is a comma-delimited set of hosts which are permitted to access a service. If specified in the Default section, it applies to all services, regardless of whether the individual service has a different setting.

You can specify the hosts by name or IP number. For example, you could restrict access to only the hosts on a /24 (old Class C) subnet with something like "allow hosts = 150.203.5.". The full syntax of the list is described in the man page hosts_access(5). You can also specify hosts by network/netmask pairs and by netgroup names if your system supports netgroups. The EXCEPT keyword can also be used to limit a wildcard list. Prefer IP addresses and networks over host names: a name entry is matched against the reverse DNS lookup of the client's address, which you do not control.

The following examples may be useful:

Example 1: allow all IPs in 150.203.*.* except one
    hosts allow = 150.203. EXCEPT 150.203.6.66

Example 2: allow hosts that match the given network/netmask
    hosts allow = 150.203.15.0/255.255.255.0

Example 3: allow a couple of hosts
    hosts allow = lapland, arvidsjaur

Example 4: allow only hosts in netgroup "foonet" or localhost, but deny access from one particular host
    hosts allow = @foonet, localhost
    hosts deny = pirate

Note that access still requires suitable user-level passwords. See testparm(1) for a way of testing your host access to see if it does what you expect.

Default: None (i.e., all hosts are permitted access)
Example: 150.203.5. myhost.mynet.edu.au

5.2. Deny hosts

The opposite of "allow hosts": hosts listed here are NOT permitted access to services unless the specific services have their own lists to override this one. Where the lists conflict, the "allow" list takes precedence.

Default: none (i.e., no hosts are specifically excluded)
Example: 150.203.4. badhost.mynet.edu.au

6. Networking

6.1. OS level

This integer value controls the level at which Samba advertises itself for browse elections. See BROWSING.txt for details.

6.2. Preferred Master

This boolean parameter controls whether Samba is a preferred master browser for its workgroup. If this is set to true, on startup Samba will force an election, and it will have a slight advantage in winning the election. It is recommended that this parameter be used in conjunction with Domain Master set "on", so that Samba can guarantee becoming a domain master.

Use this option with caution, because if there are several hosts (whether Samba servers, Windows 95 or NT) that are preferred master browsers on the same subnet, they will each, periodically and continuously, attempt to become the local master browser. This will result in unnecessary broadcast traffic and reduced browsing capabilities. See OS level.

Default: Off

6.3. Domain Master

Enable WAN-wide browse list collation. Local master browsers on broadcast-isolated subnets will give Samba their local browse lists, and ask for a complete copy of the browse list for the whole wide area network. Browser clients will then contact their local master browser, and will receive the domain-wide browse list, instead of just the list for their broadcast-isolated subnet.

Default: Off

6.4. Remote announce

This option allows you to set up nmbd to periodically announce itself to arbitrary IP addresses with an arbitrary workgroup name. This is useful if you want your Samba server to appear in a remote workgroup for which the normal browse propagation rules don't work. The remote workgroup can be anywhere that you can send IP packets to.

For example:
    Remote announce: 192.168.2.255/SERVERS 192.168.4.255/STAFF

The above line would cause nmbd to announce itself to the two given IP addresses using the given workgroup names. If you leave out the workgroup name then the one given in the "workgroup" option is used.

The IP addresses you choose would normally be the broadcast addresses of the remote networks, but they can also be the IP addresses of known browse masters if your network configuration is that stable.

This option replaces similar functionality from the nmbd lmhosts file.

6.5. Enable Samba as a WINS server

6.6. WINS server

If there is a WINS (Windows Internet Name Service) server operating on your network, enter its IP address here. This tells Samba to register with it and to use it later to convert NetBIOS names to IP numbers.

6.7. Interfaces

Normally, Samba only operates on the first network interface. To let Samba operate on more networks, enter here the IP address of each network interface, separated by spaces.

7. Auto-accounts

Samba may create and delete user accounts on the fly under some conditions.
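The commands configured as add user script and delete user script (sections 7.1 and 7.2) are run by smbd as root with the user name substituted for %u, and the same is true of the passwd program of section 4.5. The name was accepted by the password server but chosen by the client, so the command should treat it as untrusted input. The following wrapper is an added Python example, not the command Linuxconf's help list suggests and not Samba code. It assumes smbd invokes it as "/usr/local/sbin/samba-account add %u" and "/usr/local/sbin/samba-account del %u" (path and argument layout are this example's own choice), that useradd(8)/userdel(8) from shadow-utils exist, and that a group named smbusers already exists:

```python
"""Hardened add/delete user wrapper for Samba's auto-account scripts.

Added example, not part of the Linuxconf help or of Samba. Assumptions:
invoked by smbd as root as "samba-account add|del <user>", shadow-utils
useradd/userdel at the paths below, and an existing group "smbusers".
The user name comes from the network, so it is validated before use and
is always passed as a separate argv element, never through a shell.
"""
import pwd
import re
import subprocess
import sys

USERADD = "/usr/sbin/useradd"      # absolute paths only: this runs as root
USERDEL = "/usr/sbin/userdel"
SAMBA_GROUP = "smbusers"           # assumed pre-existing group for auto-created accounts
MIN_AUTO_UID = 1000                # anything below is treated as a system account

# A plain lower-case name, no shell metacharacters, no leading '-' (option smuggling).
NAME_RE = re.compile(r"^[a-z][a-z0-9_-]{0,31}$")


def validate_username(name):
    """True if `name` is safe to hand to useradd/userdel as a plain argument."""
    return bool(NAME_RE.match(name)) and name not in ("root", "nobody")


def add_user_argv(name):
    """argv for creating a file/print-only account: no home directory, no login shell."""
    if not validate_username(name):
        raise ValueError("refusing to create account for %r" % name)
    return [USERADD, "-d", "/dev/null", "-s", "/bin/false", "-M",
            "-g", SAMBA_GROUP, "--", name]


def delete_user_argv(name, lookup=pwd.getpwnam):
    """argv for deleting an auto-created account; refuses system accounts.

    `lookup` is injectable so the policy can be exercised without a real
    password database (the default is the live pwd lookup).
    """
    if not validate_username(name):
        raise ValueError("refusing to delete account %r" % name)
    entry = lookup(name)                 # KeyError if the account does not exist
    if entry.pw_uid < MIN_AUTO_UID:
        raise ValueError("refusing to delete system account %r (uid %d)"
                         % (name, entry.pw_uid))
    return [USERDEL, "--", name]


def main(argv):
    if len(argv) != 3 or argv[1] not in ("add", "del"):
        sys.stderr.write("usage: samba-account add|del <user>\n")
        return 2
    builder = add_user_argv if argv[1] == "add" else delete_user_argv
    cmd = builder(argv[2])
    # subprocess with an argv list: no shell, so metacharacters in the name are inert.
    return subprocess.call(cmd)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The two policy decisions worth copying into any such script are the strict name pattern (which also rules out a name starting with "-" being read as an option) and the refusal to delete accounts below the auto-account UID range, since a password server that is compromised or simply misconfigured can report any user as unknown.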
Automatic account management can be used to create administration-free file and print servers.

User accounts will be created if:

+o A connection is established with the Samba server
+o Authentication mode is set to either "server" or "domain"
+o The password server authenticates the user
+o The corresponding user account does not exist on the Samba server

User accounts will be deleted if:

+o A connection is established with the Samba server
+o Authentication mode is set to "domain"
+o The password server confirms that the user account does not exist
+o The corresponding user account does exist on the Samba server

Because accounts appear on and disappear from the Samba host as a side effect of a remote authentication decision, the password server effectively decides which Unix accounts exist here. This is one more reason to use only a password server you fully trust (see section 4.3).

7.1. Add user script

You must specify a command used to create user accounts. This command must not be interactive. A help list provides one suitable command; it creates an account suitable for file/print usage. The command runs as root with the user name substituted for %u, so use absolute paths and give the new account no login shell and no privileges beyond what file and print access needs.

7.2. Delete user script

You must specify a command used to delete a user account. This command must not be interactive. A help list provides one suitable example. Make sure the command cannot be pointed at a system account: the deletion is triggered by the password server reporting the user as unknown.

8. Features

8.1. Guest Account

This is a username which will be used for access to services which are specified as Public Access (see below). Whatever privileges this user has will be available to any client connecting to the guest service. Typically this user exists in the password file but has no valid login. If a username is specified in a given service, the specified username overrides this one.

Note that as of Samba version 1.9 this option may be set differently for each service.

Default: specified at compile time
Example: nobody

8.2. Dead time

The value of the parameter (a decimal integer) represents the number of minutes of inactivity before a connection is considered dead and is disconnected. The deadtime only takes effect if the number of open files is zero. This is useful to stop a server's resources from being exhausted by a large number of inactive connections.
Most clients have an auto-reconnect feature when a connection is broken, so in most cases this parameter should be transparent to users. Using this parameter with a timeout of a few minutes is recommended for most systems. A deadtime of zero indicates that no auto-disconnection should be performed.

Default: 0
Example: 15

8.3. Debug level

The value of the parameter (an integer) allows the debug level (logging level) to be specified in the smb.conf file. This is to give greater flexibility in the configuration of the system. The default is the debug level specified on the command line.

Default: not set (the command-line level is used)
Example: 3

8.4. Default service

This parameter specifies the name of a service which will be connected to if the service requested cannot actually be found. There is no default value for this parameter. If this parameter is not given, attempting to connect to a non-existent service results in an error.

Typically the default service would be a public, read-only service.

Also note that as of 1.9.14 the apparent service name will be changed to equal that of the requested service. This is very useful as it allows you to use macros like %S to make a wildcard service.

Note also that any "_" characters in the name of the service used in the default service will get mapped to a "/". This allows for interesting things. Be aware of what it also allows: with the example below, any share name a client asks for becomes a path under /, so a request for "etc" or "home_alice" is served from /etc or /home/alice, subject only to the Unix permissions of the connecting user. Use a narrower base directory (for example path = /export/%S) together with read only = yes.

Example: pub
    where,
    [pub]
        path = /%S

8.5. Show all available printers

A boolean parameter that controls whether all printers in the printcap will be loaded for browsing by default.

Default: On

8.6. WinPopup command

This specifies what command to run when the server receives a WinPopup style message. This would normally be a command that would somehow deliver the message. How this should be done is up to your imagination. What I use is:

    WinPopup command: csh -c 'xedit %s;rm %s' &

This delivers the message using xedit, then removes it afterwards.
NOTE THAT IT IS VERY IMPORTANT THAT THIS COMMAND RETURN IMMEDIATELY. That's why I have the & on the end. If it doesn't return immediately then your PC may freeze when sending messages (they should recover after 30 seconds, hopefully).

All messages are delivered as the global guest user. The command takes the standard substitutions, although %u won't work (%U may be better in this case).

Apart from the standard substitutions, some additional ones apply. In particular:

+o %s = the filename containing the message
+o %t = the destination that the message was sent to (probably the server name)
+o %f = who the message is from

You could make this command send mail, or whatever else takes your fancy. Please let me know of any really interesting ideas you have.

Here's a way of sending the messages, as mail, to root:

    WinPopup command: /bin/mail -s 'message from %f on %m' root < %s; rm %s

If you don't have a message command, then the message won't be delivered and Samba will tell the sender there was an error. Unfortunately WfWg totally ignores the error code and carries on, saying that the message was delivered. If you want to silently delete it then try "message command = rm %s".

For the really adventurous, try something like this:

    WinPopup command: csh -c 'csh < %s |& /usr/local/samba/bin/smbclient -M %m; rm %s' &

This would execute the command as a script on the server, then give them the result in a WinPopup message. Note that this could cause a loop if you send a message from the server using smbclient! You better wrap the above in a script that checks for this :-)

Be clear about what that last example does: the message body is written by whoever sent it, so it lets any client that can reach the server run arbitrary commands on it as the guest user. A milder form of the same problem applies to %f, %t and %m in every variant: they are names the client chose, and the whole line is handed to a shell, so do not place them inside shell-quoted strings; pass them to a script as separate arguments and validate them there.

Default: no message command
Example: csh -c 'xedit %s;rm %s' &
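A delivery script that follows those rules, as an added Python example (not code from the Linuxconf help or from Samba). It assumes the configuration "WinPopup command: /usr/local/sbin/winpopup-deliver %s %f %t %m &" (path and argument order are this example's choice), a log file at /var/log/samba/winpopup.log, and that message bodies arrive in OEM code page 437. The script returns at once, never executes the message, caps its size, rejects anything that does not look like a NetBIOS name, strips control characters, appends the result to the log and removes the spool file:

```python
"""Deliver a WinPopup message safely: log it, never execute it.

Added example, not part of the Linuxconf help or of Samba. Assumed
invocation by smbd: winpopup-deliver <spool file> <from> <to> <client>,
i.e. "%s %f %t %m" in the WinPopup command, backgrounded with "&".
Every argument and the file content are client-controlled input.
"""
import os
import re
import sys
import time

MAX_MESSAGE_BYTES = 1600                   # WinPopup messages are short; cap anything larger
NETBIOS_RE = re.compile(r"^[A-Za-z0-9._-]{1,15}$")
CONTROL_RE = re.compile(r"[\x00-\x08\x0b-\x1f\x7f]")   # keep \t and \n, drop the rest
LOG_FILE = "/var/log/samba/winpopup.log"   # assumed location


def clean_name(name):
    """Reduce a client-supplied NetBIOS name to a safe, printable token."""
    if not name:
        return "<unknown>"
    return name if NETBIOS_RE.match(name) else "<invalid>"


def clean_body(raw):
    """Decode (assumed cp437), cap and strip control characters from the message."""
    text = raw[:MAX_MESSAGE_BYTES].decode("cp437", "replace")
    text = text.replace("\r\n", "\n")
    return CONTROL_RE.sub("?", text).rstrip()


def format_entry(sender, dest, client, raw, now=None):
    """Build the single log record for one message (now=None means current time)."""
    stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(now))
    body = clean_body(raw).replace("\n", "\n    ")
    return "%s from=%s to=%s client=%s\n    %s\n" % (
        stamp, clean_name(sender), clean_name(dest), clean_name(client), body)


def deliver(spool_path, sender="", dest="", client="", log_path=LOG_FILE):
    """Log the message, remove the spool file and return the log record."""
    with open(spool_path, "rb") as f:
        raw = f.read(MAX_MESSAGE_BYTES + 1)
    entry = format_entry(sender, dest, client, raw)
    with open(log_path, "a") as log:
        log.write(entry)
    os.unlink(spool_path)
    return entry


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: winpopup-deliver <spool file> [from] [to] [client]")
    deliver(*sys.argv[1:5])
```

If a client name does contain shell metacharacters, the shell that smbd starts has already acted on them before this script runs; the validation here limits the damage to the script's own arguments, and the only complete fix is to interpolate nothing but %s into the command line.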