Linuxconf: SAMBA Homes Interface

Original Author: Andrew Tridgell (Samba Team)
Linuxconf version by: Joshua Lamorie (jlamorie@engsoc.carleton.ca)

1. Overview

2. Default Setup for Users' Home

2.1. Comment/description

This is a text field that is seen next to a share when a client does a net view to list what shares are available. If you want to set the string that is displayed next to the machine name, see the server string command.

Default: No comment string
Example: comment = Fred's Files

2.2. This share is enabled

This enables the share so that it is offered to clients and can appear in browse lists.

2.3. Browsable

This controls whether this share is seen in the list of available shares in a net view and in the browse list. Turning it Off only hides the share from listings; a client that knows the share name can still connect to it, so it is not an access control.

Default: On

3. Access

3.1. Public Access

If this parameter is On for a service, then no password is required to connect to the service. Privileges will be those of the guest account, so a public share that is also Writeable accepts anonymous writes.

Default: Off

3.2. Writeable

If this parameter is Off, then users of a service may not create or modify files in the service's directory.

Default: Off

3.3. Allow hosts

This parameter is a comma-delimited set of hosts which are permitted to access a service. If specified in the [global] section then it will apply to all services, regardless of whether the individual service has a different setting.

You can specify the hosts by name or IP number. For example, you could restrict access to only the hosts on a Class C subnet with something like "allow hosts = 150.203.5.". The full syntax of the list is described in the man page hosts_access(5).

You can also specify hosts by network/netmask pairs and by netgroup names if your system supports netgroups. The EXCEPT keyword can also be used to limit a wildcard list.
The following examples may provide some help:

Example 1: allow all IPs in 150.203.*.* except one

    Allow Hosts: 150.203. EXCEPT 150.203.6.66

Example 2: allow hosts that match the given network/netmask

    Allow Hosts: 150.203.15.0/255.255.255.0

Example 3: allow a couple of hosts

    Allow Hosts: lapland, arvidsjaur

Example 4: allow only hosts in netgroup "foonet" or localhost, but deny access from one particular host

    Allow Hosts: @foonet, localhost

Note that access still requires suitable user-level passwords. See testparm(1) for a way of testing your host access to see if it does what you expect: given a host name and IP address after the configuration file name, it reports which services that host would be allowed to reach.

Default: None (i.e., all hosts permitted access)
Example: 150.203.5. myhost.mynet.edu.au

3.4. Deny hosts

The opposite of Allow Hosts - hosts listed here are not permitted access to services unless the specific services have their own lists to override this one. Where the lists conflict, the Allow Hosts list takes precedence.

Default: None (i.e., no hosts specifically excluded)
Example: 150.203.4. badhost.mynet.edu.au

4. Users

4.1. User list

Multiple users may be specified in a comma-delimited list, in which case the supplied password will be tested against each username in turn (left to right).

The User List is needed only when the PC is unable to supply its own username. This is the case for the coreplus protocol or where your users have different WfWg usernames to UNIX usernames. In both these cases you may also be better off using the \\server\share%user syntax instead.

The User List is not a great solution in many cases, as it means Samba will try to validate the supplied password against each of the usernames in the User List in turn. This is slow, and with many listed users it is a bad idea: if two of the accounts share a password, a client can end up authenticated as the wrong one. You may get timeouts or security breaches using this parameter unwisely. Samba relies on the underlying UNIX security.
This parameter does not restrict who can login, it just offers hints to the Samba server as to what usernames might correspond to the supplied password. Users can login as whoever they please, and they will be able to do no more damage than if they started a Telnet session. The daemon runs as the user that they log in as, so they cannot do anything that that user cannot do. To restrict a service to a particular set of users you can use the Valid Users field.

If any of the usernames begin with a @ then the name will be looked up in the groups file and will expand to a list of all users in the group of that name. Note that searching through a groups file can take quite some time, and some clients may time out during the search.

Default: The guest account if a guest service, otherwise the name of the service.
Examples: fred, mary, jack, jane, @users, @pcgroup

4.2. Only user may connect

This is a boolean parameter that controls whether connections with usernames not in the User List will be allowed. By default this option is disabled, so a client can supply a username to be used by the server. When it is enabled, only the names in the User List are accepted, which also means Samba won't try to deduce usernames from the service name. This can be annoying for the Homes section. To get around this you could use "user = %S" which means your "user" list will be just the service name, which for home directories is the name of the user.

Default: Off

4.3. Write list

This is a list of users that are given read-write access to a service. If the connecting user is in this list then they will be given write access, no matter what the Writeable option is set to. The list can include group names using the @group syntax. Note that if a user is in both the read list and the write list then they will be given write access.

Default: None
Example: admin, root, @staff

4.4. Valid users

This is a list of users that should be allowed to login to this service.
A name starting with @ is interpreted as a UNIX group. If this is empty (the default) then any user can login. If a username is in both this list and the Invalid users list then access is denied for that user. The current servicename is substituted for %S. This is useful in the [homes] section: "valid users = %S" there restricts each home share to the user it belongs to. See also Invalid users.

Default: No valid users list (anyone can login)
Example: greg, @pcusers

4.5. Invalid users

This is a list of users that should not be allowed to login to this service. This is really a "paranoid" check to absolutely ensure an improper setting does not breach your security. A name starting with @ is interpreted as a UNIX group. The current servicename is substituted for %S. This is useful in the Homes section. See also Valid users.

Default: No invalid users.
Example: root fred admin @wheel

4.6. Max. connections

This option allows the number of simultaneous connections to a service to be limited. If Max connections is greater than 0 then connections will be refused if this number of connections to the service are already open. A value of zero means an unlimited number of connections may be made. Record lock files are used to implement this feature. The lock files will be stored in the directory specified by the "lock directory" option.

Default: 0
Example: 10

4.7. Read only user list

This is a list of users that are given read-only access to a service. If the connecting user is in this list then they will not be given write access, no matter what the Writeable option is set to. The list can include group names using the @group syntax. See also the Write list option.

Default: None
Example: mary, @students

5. Scripts

Some scripts may be executed at share connection/disconnection time.

5.1. Setup Command (AKA preexec)

This option specifies a command to be run whenever the service is connected to.
It takes the usual substitutions. An interesting example is to send the users a welcome message every time they log in. Perhaps a message of the day? Here is an example:

    csh -c 'echo \"Welcome to %S!\" | \
        /usr/local/samba/bin/smbclient -M %m -I %I' &

Of course, this could get annoying after a while :-) See also Cleanup Command.

Default: None (no command executed)
Example: echo \"%u connected to %S from %m (%I)\" >> /tmp/log

5.2. Setup Command (root)

This is the same as Setup Command except that the command is run as root. This is useful for mounting filesystems (such as CD-ROMs) before a connection is finalized. Because it runs as root, treat the command line as privileged code: the substituted values (%u, %m, %I) are taken from the client session, and appending to a file in a world-writable directory such as /tmp, as the logging example above does, lets any local user redirect the write with a symlink.

5.3. Cleanup Command

This option specifies a command to be run whenever the service is disconnected. It takes the usual substitutions. The command may be run as root on some systems. An interesting example may be:

    /sbin/umount /mnt/cdrom

See also Setup Command.

Default: None (no command executed)
Example: echo \"%u disconnected from %S from %m (%I)\" >> /tmp/log

5.4. Cleanup Command (root)

This is the same as postexec except that the command is run as root. This is useful for unmounting filesystems (such as CD-ROMs) after a connection is closed.
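The following is an added example, not part of the original page and not Samba's own code. It is a small Python model of the access decisions described in sections 3.3 and 3.4 (Allow Hosts / Deny Hosts, including the EXCEPT keyword, network/netmask pairs, "a.b." prefixes and @netgroup entries) and in sections 4.3 to 4.7 (Valid users, Invalid users, Write list and Read only user list, with @group expansion and the %S substitution). The NETGROUPS and UNIX_GROUPS tables are constructed stand-ins for the NIS and /etc/group lookups Samba would do; hostnames are compared literally rather than through reverse DNS; and the function names (host_allowed, user_access, share_access) are this example's own. The precedence rules follow the wording of the sections above: Invalid users beats Valid users, Write list beats Read list and Writeable, and Allow Hosts beats Deny Hosts where they conflict.

```python
import ipaddress

# Constructed stand-ins for the netgroup (NIS) and /etc/group lookups Samba
# performs for "@name" entries; not real data.
NETGROUPS = {"foonet": {"lapland", "arvidsjaur"}}
UNIX_GROUPS = {"staff": {"admin", "mary"}, "students": {"jack", "jane"},
               "wheel": {"root"}}


def split_list(value):
    """Split a comma- or space-separated smb.conf list value into tokens."""
    return [tok for tok in value.replace(",", " ").split() if tok]


def parse_host_list(value):
    """Split 'a, b EXCEPT c, d' into (patterns, exceptions)."""
    tokens = split_list(value)
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return tokens[:i], tokens[i + 1:]
    return tokens, []


def host_matches(pattern, ip, name):
    """Match one entry: @netgroup, net/mask, 'a.b.' prefix, localhost, name or IP.
    Hostnames are compared literally here (Samba resolves them via reverse DNS)."""
    if pattern.startswith("@"):
        return name in NETGROUPS.get(pattern[1:], set())
    if "/" in pattern:  # network/netmask, e.g. 150.203.15.0/255.255.255.0
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):  # trailing dot: match the address prefix
        return ip.startswith(pattern)
    if pattern == "localhost":
        return ip == "127.0.0.1"
    return pattern == name or pattern == ip


def list_matches(value, ip, name):
    """True if the host matches the list and none of its EXCEPT entries."""
    patterns, exceptions = parse_host_list(value)
    if any(host_matches(p, ip, name) for p in exceptions):
        return False
    return any(host_matches(p, ip, name) for p in patterns)


def host_allowed(ip, name, allow="", deny=""):
    """Empty allow list: everyone except deny matches. Non-empty allow list:
    only its matches, and allow wins where both lists match the host."""
    if allow and list_matches(allow, ip, name):
        return True
    if deny and list_matches(deny, ip, name):
        return False
    return not allow


def expand_users(value, share):
    """Expand @group entries and the %S (service name) substitution."""
    users = set()
    for entry in split_list(value.replace("%S", share)):
        if entry.startswith("@"):
            users |= UNIX_GROUPS.get(entry[1:], set())
        else:
            users.add(entry)
    return users


def user_access(user, share, valid="", invalid="", read_list="",
                write_list="", writeable=False):
    """Return 'deny', 'read' or 'write' for a user on a share."""
    if user in expand_users(invalid, share):
        return "deny"      # Invalid users always wins
    if valid and user not in expand_users(valid, share):
        return "deny"      # a non-empty Valid users list is exclusive
    if user in expand_users(write_list, share):
        return "write"     # Write list beats Read list and Writeable
    if user in expand_users(read_list, share):
        return "read"      # Read list forces read-only
    return "write" if writeable else "read"


def share_access(ip, name, user, share, cfg):
    """Combine the host check (3.3/3.4) with the user lists (4.3 to 4.7)."""
    if not host_allowed(ip, name, cfg.get("hosts allow", ""), cfg.get("hosts deny", "")):
        return "deny"
    return user_access(user, share,
                       valid=cfg.get("valid users", ""),
                       invalid=cfg.get("invalid users", ""),
                       read_list=cfg.get("read list", ""),
                       write_list=cfg.get("write list", ""),
                       writeable=cfg.get("writeable", False))


if __name__ == "__main__":
    # A [homes]-style share: only the owner may connect, only from the subnet.
    homes = {"hosts allow": "150.203. EXCEPT 150.203.6.66", "valid users": "%S",
             "invalid users": "root @wheel", "writeable": True}
    print(share_access("150.203.5.9", "pc9", "mary", "mary", homes))   # write
    print(share_access("150.203.5.9", "pc9", "fred", "mary", homes))   # deny
    print(share_access("150.203.6.66", "bad", "mary", "mary", homes))  # deny
```

The homes dictionary at the bottom shows the combination the text recommends for the Homes section: "valid users = %S" keeps each home share to its owner, and the host list keeps it to the local subnet, so a correct password from the wrong host or for the wrong share still yields "deny".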