Linuxconf: SAMBA shares menu
Original Author: Andrew Tridgell (Samba Team)
Linuxconf version by: Joshua Lamorie

1. Overview

This is the menu for defining the options that are set for the specific share chosen.

2. Share Setup

2.1. Share name

The name of the share that is exported. It is used when connecting the share to another computer.

2.2. Comment/description

This is a text field that is seen next to a share when a client does a net view to list what shares are available.

If you want to set the string that is displayed next to the machine name, see the server string command.

Default: No comment string
Example: Fred's Files

2.3. This share is enabled

This enables the share to be viewable from browse lists automatically.

2.4. Browsable

This controls whether this share is seen in the list of available shares in a net view and in the browse list.

2.5. Inherit settings from share

This parameter allows you to 'clone' service entries. The specified service is simply duplicated under the current service's name. Any parameters specified in the current section will override those in the section being copied.

This feature lets you set up a 'template' service and create similar services easily. Note that the service being copied must occur earlier in the configuration file than the service doing the copying.

Default: No copy service set
Example: otherservice

2.6. Directory to export

This parameter specifies a directory to which the user of the service is to be given access.

Any occurrences of %u in the path will be replaced with the username that the client is connecting as. Any occurrences of %m will be replaced by the name of the machine they are connecting from. These replacements are very useful for setting up pseudo home directories for users.
Note that this path will be based on Root Directory if one was specified.

Default: No path set
Example: /home/fred+

3. Access

3.1. Public Access

If this parameter is On for a service, then no password is required to connect to the service. Privileges will be those of the guest account.

Default: Off

3.2. Guest Access only

If this parameter is On for a service, then only guest connections to the service are permitted. This parameter will have no effect if Public Access is not set for the service.

Default: Off

3.3. Writable

If this parameter is Off, then users of a service may not create or modify files in the service's directory.

3.4. Allow hosts

This parameter is a comma-delimited set of hosts which are permitted to access a service. If specified in the Default section, it will apply to all services, regardless of whether the individual service has a different setting.

You can specify the hosts by name or IP number. For example, you could restrict access to only the hosts on a Class C subnet with something like "allow hosts = 150.203.5.". The full syntax of the list is described in the man page hosts_access(5).

You can also specify hosts by network/netmask pairs and by netgroup names if your system supports netgroups. The EXCEPT keyword can also be used to limit a wildcard list. The following examples may provide some help:

Example 1: allow all IPs in 150.203.*.* except one

    hosts allow = 150.203. EXCEPT 150.203.6.66

Example 2: allow hosts that match the given network/netmask

    hosts allow = 150.203.15.0/255.255.255.0

Example 3: allow a couple of hosts

    hosts allow = lapland, arvidsjaur

Example 4: allow only hosts in netgroup "foonet" or local host, but deny access from one particular host

    hosts allow = @foonet, localhost
    hosts deny = pirate

Note that access still requires suitable user-level passwords.
See testparm(1) for a way of testing your host access to see if it does what you expect.

Default: None (i.e., all hosts permitted access)
Example: 150.203.5. myhost.mynet.edu.au

3.5. Deny hosts

The opposite of Allow Hosts -- hosts listed here are not permitted access to services unless the specific services have their own lists to override this one. Where the lists conflict, the Allow Hosts list takes precedence.

Default: None (i.e., no hosts specifically excluded)
Example: 150.203.4. badhost.mynet.edu.au

4. Users

4.1. User list

Multiple users may be specified in a comma-delimited list, in which case the supplied password will be tested against each username in turn (left to right).

The User List is needed only when the PC is unable to supply its own username. This is the case for the coreplus protocol or where your users have different WfWg usernames to UNIX usernames. In both these cases you may also be better off using the \\server\share%user syntax instead.

The User List is not a great solution in many cases as it means Samba will try to validate the supplied password against each of the usernames in the User List in turn. This is slow and a bad idea for lots of users in case of duplicate passwords. You may get timeouts or security breaches using this parameter unwisely.

Samba relies on the underlying UNIX security. This parameter does not restrict who can login, it just offers hints to the Samba server as to what usernames might correspond to the supplied password. Users can login as whoever they please and they will be able to do no more damage than if they started a telnet session. The daemon runs as the user that they log in as, so they cannot do anything that user cannot do.

To restrict a service to a particular set of users you can use the Valid Users field.
If any of the usernames begin with a @ then the name will be looked up in the groups file and will expand to a list of all users in the group of that name. Note that searching through a groups file can take quite some time, and some clients may time out during the search.

Default: The guest account if a guest service, else the name of the service.
Examples: fred, mary, jack, jane, @users, @pcgroup

4.2. Only user may connect

This is a boolean option that controls whether connections with usernames not in the User List will be allowed. By default this option is disabled so a client can supply a username to be used by the server.

Note that this also means Samba won't try to deduce usernames from the service name. This can be annoying for the Homes section. To get around this you could use "user = %S" which means your "user" list will be just the service name, which for home directories is the name of the user.

Default: Off

4.3. Admin users

This is a list of users who will be granted administrative privileges on the share. This means that they will do all file operations as the super-user (root).

You should use this option very carefully, as any user in this list will be able to do anything they like on the share, irrespective of file permissions.

Default: No admin users.
Example: jason

4.4. Write list

This is a list of users that are given read-write access to a service. If the connecting user is in this list then they will be given write access, no matter what the Writable option is set to. The list can include group names using the @group syntax.

Note that if a user is in both the read list and the write list then they will be given write access.

See also the Read List option.

Default: No write list specified
Example: admin, root, @staff

4.5. Valid users

This is a list of users that should be allowed to login to this service.
A name starting with @ is interpreted as a UNIX group.

If this is empty (the default) then any user can login. If a username is in both this list and the Invalid users list then access is denied for that user.

The current servicename is substituted for %S. This is useful in the [homes] section.

See also Invalid users.

Default: No valid users list. (anyone can login)
Example: greg, @pcusers

4.6. Invalid users

This is a list of users that should not be allowed to login to this service. This is really a "paranoid" check to absolutely ensure an improper setting does not breach your security.

A name starting with @ is interpreted as a UNIX group.

The current servicename is substituted for %S. This is useful in the Homes section.

See also Valid users.

Default: No invalid users.
Example: root fred admin @wheel

4.7. Read only user list

This is a list of users that are given read-only access to a service. If the connecting user is in this list then they will not be given write access, no matter what the Writable option is set to. The list can include group names using the @group syntax.

See also the Write list option.

Default: None
Example: mary, @students

5. Scripts

5.1. Setup Command (AKA preexec)

This option specifies a command to be run whenever the service is connected to. It takes the usual substitutions.

An interesting example is to send the users a welcome message every time they log in. Perhaps a message of the day? Here is an example:

    csh -c 'echo \"Welcome to %S!\" | \
        /usr/local/samba/bin/smbclient -M %m -I %I' &

Of course, this could get annoying after a while :-)

See also Cleanup Command.

Default: None (No command executed)
Example: echo \"%u connected to %S from %m (%I)\" >> /tmp/log

5.2. Setup Command (root)

This is the same as Setup Command except that the command is run as root.
This is useful for mounting filesystems (such as CD-ROMs) before a connection is finalized.

5.3. Cleanup Command

This option specifies a command to be run whenever the service is disconnected. It takes the usual substitutions. The command may be run as the root on some systems.

An interesting example may be:

    /sbin/umount /mnt/cdrom

See also Setup Command.

Default: None (No command executed)
Example: echo \"%u disconnected from %S from %m (%I)\" >> /tmp/log

5.4. Cleanup Command (root)

This is the same as Cleanup Command except that the command is run as root. This is useful for unmounting filesystems (such as CD-ROMs) after a connection is closed.

5.5. Magic script

This parameter specifies the name of a file which, if opened, will be executed by the server when the file is closed. This allows a UNIX script to be sent to the Samba host and executed on behalf of the connected user.

Scripts executed in this way will be deleted upon completion, permissions permitting.

If the script generates output, output will be sent to the file specified by the magic output parameter (see below).

Note that some shells are unable to interpret scripts containing carriage-return-linefeed instead of linefeed as the end-of-line marker. Magic scripts must be executable "as is" on the host, which for some hosts and some shells will require filtering at the DOS end.

Magic scripts are EXPERIMENTAL and should NOT be relied upon!

Default: None. Magic scripts disabled.
Example: user.csh

6. Features

6.1. Force user

This specifies a user name that all connections to this service should be made as. This may be useful for sharing files. You should also use it carefully as using it incorrectly can cause security problems.

This user name only gets used once a connection is established. Thus clients still need to connect as a valid user and supply a valid password.
Once connected, all file operations will be performed as the "forced user," no matter what username the client connected as.

Default: No forced user.
Example: auser

6.2. Force group

This specifies a group name that all connections to this service should be made as. This may be useful for sharing files.

Default: No forced group.
Example: agroup

6.3. Don't descend

There are certain directories on some systems (e.g., the /proc tree under Linux) that are either not of interest to clients or are infinitely deep (recursive). This parameter allows you to specify a comma-delimited list of directories that the server should always show as empty.

Note that Samba can be very fussy about the exact format of the Don't descend entries. For example you may need "./proc" instead of just "/proc". Experimentation is the best policy :-)

Default: None (i.e., all directories are OK to descend)
Example: /proc,/dev

6.4. Guest account (this share)

This is a username which will be used for access to services which are specified as Public Access (see above). Whatever privileges this user has will be available to any client connecting to the guest service. Typically this user will exist in the password file, but will not have a valid login. If a username is specified in a given service, the specified username overrides this one.

On some systems the account "nobody" may not be able to print. Use another account in this case. You should test this by trying to log in as your guest user (perhaps by using the "su -" command) and trying to print using lpr.

Note that as of version 1.9 of Samba this option may be set differently for each service.

Default: specified at compile time (usually nobody)
Example: nobody

6.5. Magic output

This parameter specifies the name of a file which will contain output created by a Magic script (see above).
Warning: If two clients use the same magic script in the same directory the output file content is undefined.

Default: .out
Example: myfile.txt

6.6. Max. connections

This option allows the number of simultaneous connections to a service to be limited. If Max connections is greater than 0, then connections will be refused if this number of connections to the service are already open. A value of zero means an unlimited number of connections may be made.

Record lock files are used to implement this feature. The lock files will be stored in the directory specified by the "lock directory" option.

Default: 0
Example: 10
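
A small model of the Allow hosts / Deny hosts evaluation from sections 3.4 and 3.5, added here as an example (it is not Samba's code): it covers address prefixes, network/netmask pairs, EXCEPT, and the rule that the allow list wins a conflict. Host names and netgroups are not resolved, and the result for a client on neither list is an assumption noted in the code.

```python
import ipaddress

def token_matches(token, ip):
    """Match one list entry against a dotted-quad client address."""
    if token.endswith("."):                      # prefix form, e.g. "150.203."
        return ip.startswith(token)
    if "/" in token:                             # network/netmask pair
        net = ipaddress.ip_network(token, strict=False)
        return ipaddress.ip_address(ip) in net
    return token == ip                           # single address

def list_matches(spec, ip):
    """Evaluate a comma- or space-separated list with an optional EXCEPT part."""
    head, _, exceptions = spec.partition(" EXCEPT ")
    hit = any(token_matches(t, ip) for t in head.replace(",", " ").split())
    return hit and not (exceptions and list_matches(exceptions, ip))

def permitted(ip, allow="", deny=""):
    """Combine both lists; where they conflict, the allow list takes precedence."""
    if allow and list_matches(allow, ip):
        return True
    if deny and list_matches(deny, ip):
        return False
    # Assumption (not stated on the page): a client that is on neither list is
    # refused only when an allow list is set and no deny list is set.
    return not allow or bool(deny)

if __name__ == "__main__":
    # The lists are the page's Example 1 and Example 2; client addresses are constructed.
    for ip in ("150.203.7.1", "150.203.6.66", "10.0.0.5"):
        print(ip, permitted(ip, allow="150.203. EXCEPT 150.203.6.66"))
    print(permitted("150.203.15.200", allow="150.203.15.0/255.255.255.0"))
```

The trailing dot matters: "150.203.5." does not match 150.203.50.1, while a list entry written without the dot is treated as a single address.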
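
An added review script (not part of Linuxconf or Samba) that reads share definitions, resolves "Inherit settings from share" as described in section 2.5, and reports the settings this page tells you to use carefully. It assumes the smb.conf parameter names behind the menu labels (copy, public / guest ok, writable, hosts allow, admin users, root preexec, root postexec, magic script); the sample shares are constructed.

```python
import configparser

# Constructed smb.conf text for the demo; share names and paths are made up.
SAMPLE = """
[template]
public = yes
writable = yes

[scratch]
copy = template
path = /srv/scratch

[projects]
copy = template
public = no
hosts allow = 150.203.5.
admin users = jason
root preexec = /bin/mount /mnt/cdrom
"""

def load_shares(text):
    """Parse shares and resolve 'copy =' (Inherit settings from share)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    shares = {}
    for name in cp.sections():          # file order: a copied share must come earlier
        own = dict(cp[name])
        base = shares.get(own.pop("copy", ""), {})
        shares[name] = {**base, **own}  # values in the current section override
    return shares

def on(share, *names):
    return any(share.get(n, "no").lower() in ("yes", "true", "1") for n in names)

def audit(shares):
    out = []
    for name, s in shares.items():
        guest = on(s, "public", "guest ok")
        if guest and on(s, "writable", "writeable", "write ok"):
            out.append((name, "guest can write without a password"))
        if guest and not (s.get("hosts allow") or s.get("allow hosts")):
            out.append((name, "guest access from any host"))
        if s.get("admin users"):
            out.append((name, "root file access for: " + s["admin users"]))
        for key in ("root preexec", "root postexec", "magic script"):
            if key in s:
                out.append((name, key + " executes: " + s[key]))
    return out

if __name__ == "__main__":
    print(*audit(load_shares(SAMPLE)), sep="\n")
```

The scratch share sets nothing risky itself; both of its findings come from the template it copies, which is the case a per-section read of the file misses.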