4. Users

4.1 User list

Multiple users may be specified in a comma-delimited list, in which case the supplied password will be tested against each username in turn (left to right).

The User List is needed only when the PC is unable to supply its own username. This is the case for the coreplus protocol, or where your users have WfWg usernames that differ from their UNIX usernames. In both these cases you may also be better off using the \\server\share%user syntax instead.

The User List is not a great solution in many cases, as it means Samba will try to validate the supplied password against each of the usernames in the User List in turn. This is slow, and with many users it is a bad idea because two users may share a password, in which case the supplied password can match the wrong account. You may get timeouts or security breaches using this parameter unwisely.

Samba relies on the underlying UNIX security. This parameter does not restrict who can login, it just offers hints to the Samba server as to what usernames might correspond to the supplied password. Users can login as whoever they please, and they will be able to do no more damage than if they started a Telnet session. The daemon runs as the user that they log in as, so they cannot do anything that that user cannot do.

To restrict a service to a particular set of users you can use the Valid Users field.

If any of the usernames begin with a @ then the name will be looked up in the groups file and will expand to a list of all users in the group of that name. Note that searching through a groups file can take quite some time, and some clients may time out during the search.

Default: The guest account if a guest service, otherwise the name of the service.

Examples: fred, mary, jack, jane, @users, @pcgroup

4.2 Only user may connect

This is a boolean parameter that controls whether connections with usernames not in the User List will be allowed. By default this option is disabled so a client can supply a username to be used by the server.

Note that this also means Samba won't try to deduce usernames from the service name. This can be annoying for the Homes section. To get around this you could use "user = %S" which means your "user" list will be just the service name, which for home directories is the name of the user.

Default: Off

4.3 Write list

This is a list of users that are given read-write access to a service. If the connecting user is in this list then they will be given write access, no matter what the Writable option is set to. The list can include group names using the @group syntax.

Note that if a user is in both the read list and the write list then they will be given write access.

Default: None

Example: admin, root, @staff

4.4 Valid users

This is a list of users that should be allowed to login to this service. A name starting with @ is interpreted as a UNIX group.

If this is empty (the default) then any user can login. If a username is in both this list and the Invalid users list then access is denied for that user.

The current servicename is substituted for %S. This is useful in the [homes] section.

See also Invalid users.

Default: No valid users list (anyone can login)

Example: greg, @pcusers

4.5 Invalid users

This is a list of users that should not be allowed to login to this service. This is really a "paranoid" check to absolutely ensure an improper setting does not breach your security.

A name starting with @ is interpreted as a UNIX group.

The current servicename is substituted for %S. This is useful in the Homes section.

See also Valid users.

Default: No invalid users.

Example: root fred admin @wheel

4.6 Max. connections

This option allows the number of simultaneous connections to a service to be limited. If Max connections is greater than 0 then connections will be refused if this number of connections to the service are already open. A value of zero means an unlimited number of connections may be made.

Record lock files are used to implement this feature. The lock files will be stored in the directory specified by the "lock directory" option.

Default: 0

Example: 10

4.7 Read only user list

This is a list of users that are given read-only access to a service. If the connecting user is in this list then they will not be given write access, no matter what the Writable option is set to. The list can include group names using the @group syntax.

See also the Write list option.

Default: None

Example: mary, @students
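The rules in sections 4.1, 4.3, 4.4, 4.5 and 4.7 interact: "invalid users" always denies, an empty "valid users" admits anyone, @group names expand through the groups file, and "write list" beats both "read list" and "writable". The following is an added example that models exactly those documented rules so you can check a share's effective access before deploying it; it is not Samba's own code, and the groups map and share settings are constructed sample data.

```python
"""Model of the documented per-share user rules (added example, not Samba code)."""
from dataclasses import dataclass, field

# Constructed sample of a UNIX groups file; replace with your own /etc/group data.
GROUPS = {
    "staff": {"alice", "bob"},
    "students": {"carol", "dave"},
    "wheel": {"root", "alice"},
}


def expand(names, groups=GROUPS):
    """Expand a Samba-style user list: '@name' pulls in every member of that UNIX group.
    An unknown group contributes nothing rather than raising."""
    users = set()
    for name in names:
        if name.startswith("@"):
            users |= groups.get(name[1:], set())
        else:
            users.add(name)
    return users


@dataclass
class Share:
    writable: bool = False
    valid_users: list = field(default_factory=list)    # empty means anyone may connect
    invalid_users: list = field(default_factory=list)  # always denied, even if also valid
    read_list: list = field(default_factory=list)      # read-only regardless of writable
    write_list: list = field(default_factory=list)     # read-write regardless of writable


def access(share, user):
    """Return 'denied', 'read' or 'write' for `user` on `share`, applying the
    precedence stated in the documentation above."""
    if user in expand(share.invalid_users):
        return "denied"  # the "paranoid" check wins over everything else
    if share.valid_users and user not in expand(share.valid_users):
        return "denied"  # a non-empty valid users list is a whitelist
    if user in expand(share.write_list):
        return "write"   # a user in both read and write lists gets write access
    if user in expand(share.read_list):
        return "read"
    return "write" if share.writable else "read"


def audit(share, users):
    """Tabulate the effective access of several users, e.g. before editing smb.conf."""
    return {u: access(share, u) for u in users}
```

`audit(Share(writable=True, valid_users=["@staff"], invalid_users=["@wheel"]), ["alice", "bob"])` shows that alice, a member of both staff and wheel, is denied while bob gets write access.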
