smb.conf/manpage/2006/parameters/P

pam password change (G) With the addition of better PAM support in Samba 2.2, it is possible to use PAM's password change control flag for Samba. If enabled, then PAM will be used for password changes when requested by an SMB client instead of the program listed in passwd program. It should be possible to enable this without changing your passwd chat parameter for most setups.

Default: pam password change = no

panic action (G) This is a Samba developer option that allows a system command to be called when either smbd(8) or smbd(8) crashes. This is usually used to draw attention to the fact that a problem occurred.

Default: panic action =

Example: panic action = "/bin/sleep 90000"

paranoid server security (G) Some versions of NT 4.x allow non-guest users with a bad password. When this option is enabled, Samba will not use a broken NT 4.x server as password server, but instead complain to the logs and exit.

Disabling this option prevents Samba from making this check, which involves deliberately attempting a bad logon to the remote server.

Default: paranoid server security = yes

passdb backend (G) This option allows the administrator to choose which backends to retrieve and store passwords with. This allows (for example) both smbpasswd and tdbsam to be used without a recompile. Multiple backends can be specified, separated by spaces. The backends will be searched in the order they are specified. New users are always added to the first backend specified.

This parameter is in two parts, the backend's name, and a 'location' string that has meaning only to that particular backend. These are separated by a : character.

Available backends can include:

· smbpasswd - The default smbpasswd backend. Takes a path to the smbpasswd file as an optional argument.

· tdbsam - The TDB based password storage backend. Takes a path to the TDB as an optional argument (defaults to passdb.tdb in the private dir directory).

· ldapsam - The LDAP based passdb backend. Takes an LDAP URL as an optional argument (defaults to ldap://localhost)

LDAP connections should be secured where possible. This may be done using either Start-TLS (see ldap ssl) or by specifying ldaps:// in the URL argument.

Multiple servers may also be specified in double-quotes, if your LDAP libraries support the LDAP URL notation. (OpenLDAP does).

· nisplussam - The NIS+ based passdb backend. Takes the name of a NIS domain as an optional argument. Only works with Sun NIS+ servers.

· mysql - The MySQL based passdb backend. Takes an identifier as argument. Read the Samba HOWTO Collection for configuration details.

Default: passdb backend = smbpasswd

Example: passdb backend = tdbsam:/etc/samba/private/passdb.tdb smbpasswd:/etc/samba/smbpasswd

Example: passdb backend = ldapsam:ldaps://ldap.example.com

Example: passdb backend = ldapsam:"ldap://ldap-1.example.com ldap://ldap-2.example.com"

Example: passdb backend = mysql:my_plugin_args tdbsam

passwd chat (G) This string controls the "chat" conversation that takes place between smbd(8) and the local password changing program to change the user's password. The string describes a sequence of response-receive pairs that smbd(8) uses to determine what to send to the passwd program and what to expect back. If the expected output is not received then the password is not changed.

This chat sequence is often quite site specific, depending on what local methods are used for password control (such as NIS etc).

Note that this parameter is only used if the unix password sync parameter is set to yes. This sequence is then called AS ROOT when the SMB password in the smbpasswd file is being changed, without access to the old password cleartext. This means that root must be able to reset the user's password without knowing the text of the previous password. In the presence of NIS/YP, this means that the passwd program must be executed on the NIS master.

The string can contain the macro %n which is substituted for the new password. The chat sequence can also contain the standard macros \\n, \\r, \\t and \\s to give line-feed, carriage-return, tab and space. The chat sequence string can also contain a '*' which matches any sequence of characters. Double quotes can be used to collect strings with spaces in them into a single string.

If the send string in any part of the chat sequence is a full stop ".", then no string is sent. Similarly, if the expect string is a full stop then no string is expected.

If the pam password change parameter is set to yes, the chat pairs may be matched in any order, and success is determined by the PAM result, not any particular output. The \n macro is ignored for PAM conversions.

Default: passwd chat = *new*password* %n\\n*new*password* %n\\n *changed*

Example: passwd chat = "*Enter OLD password*" %o\\n "*Enter NEW password*" %n\\n "*Reenter NEW password*" %n\\n "*Password changed*"

passwd chat debug (G) This boolean specifies if the passwd chat script parameter is run in debug mode. In this mode the strings passed to and received from the passwd chat are printed in the smbd(8) log with a debug level of 100. This is a dangerous option as it will allow plaintext passwords to be seen in the smbd log. It is available to help Samba admins debug their passwd chat scripts when calling the passwd program and should be turned off after this has been done. This option has no effect if the pam password change parameter is set. This parameter is off by default.

Default: passwd chat debug = no
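
The chat mechanics described under passwd chat, and the reason passwd chat debug exposes passwords, as an added Python example (not Samba's code and not part of the original manual page). It is a simplified model: matching is case-sensitive, expect strings are taken literally apart from '*', and the program output in GOOD and REJECTED is constructed.

```python
import re

# Backslash macros from the man page; one or two backslashes are accepted
# because this page renders them doubled (\\n).
ESCAPES = {"n": "\n", "r": "\r", "t": "\t", "s": " "}
MACRO = re.compile(r"\\{1,2}([nrts])|%([no])")


def tokenize(chat):
    """Split on whitespace; double quotes collect words into one string."""
    tokens, cur, quoted, started = [], [], False, False
    for ch in chat:
        if ch == '"':
            quoted, started = not quoted, True
        elif ch.isspace() and not quoted:
            if started:
                tokens.append("".join(cur))
            cur, started = [], False
        else:
            cur.append(ch)
            started = True
    if started:
        tokens.append("".join(cur))
    return tokens


def parse_chat(chat):
    """Return [(expect, send), ...]; a trailing lone expect sends nothing."""
    toks = tokenize(chat)
    if len(toks) % 2:
        toks.append(".")
    return list(zip(toks[0::2], toks[1::2]))


def expand(send, new_pw, old_pw=""):
    """Substitute %n (and %o, used in the page's example) and the macros."""
    def repl(m):
        if m.group(1):
            return ESCAPES[m.group(1)]
        return new_pw if m.group(2) == "n" else old_pw
    return MACRO.sub(repl, send)


def matches(expect, received):
    """'*' matches any run of characters; everything else is literal."""
    rx = ".*".join(re.escape(part) for part in expect.split("*"))
    return re.fullmatch(rx, received, re.S) is not None


def run_chat(chat, outputs, new_pw, old_pw=""):
    """Walk the pairs against scripted program output.

    Returns (changed, sent). changed is False as soon as an expected
    string is not received; sent lists what was written to the program.
    """
    sent, pending = [], iter(outputs)
    for expect, send in parse_chat(chat):
        if expect != ".":               # "." means nothing is expected
            got = next(pending, None)
            if got is None or not matches(expect, got):
                return False, sent
        if send != ".":                 # "." means nothing is sent
            sent.append(expand(send, new_pw, old_pw))
    return True, sent


def plaintext_in_trace(sent, new_pw):
    """True if a verbatim trace of the sent strings would hold the password."""
    return any(new_pw in s for s in sent)


# The page's own example chat string, plus constructed program output.
CHAT = (r'"*Enter OLD password*" %o\\n "*Enter NEW password*" %n\\n '
        r'"*Reenter NEW password*" %n\\n "*Password changed*"')
GOOD = ["Enter OLD password: ", "Enter NEW password: ",
        "Reenter NEW password: ", "Password changed.\n"]
REJECTED = GOOD[:3] + ["Password not changed: too short\n"]

if __name__ == "__main__":
    for name, outputs in (("good", GOOD), ("rejected", REJECTED)):
        changed, sent = run_chat(CHAT, outputs, "N3w-Secret!", "0ld-Secret")
        print(name, changed, plaintext_in_trace(sent, "N3w-Secret!"))
```

Every send string that carries %n contains the new password verbatim, which is what a debug trace of the chat would record.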

passwd chat timeout (G) This integer specifies the number of seconds smbd will wait for an initial answer from a passwd chat script being run. Once the initial answer is received the subsequent answers must be received in one tenth of this time. The default is two seconds.

Default: passwd chat timeout = 2

passwd program (G) The name of a program that can be used to set UNIX user passwords. Any occurrences of %u will be replaced with the user name. The user name is checked for existence before calling the password changing program.

Also note that many passwd programs insist on reasonable passwords, such as a minimum length, or the inclusion of mixed case chars and digits. This can pose a problem as some clients (such as Windows for Workgroups) uppercase the password before sending it.

Note that if the unix password sync parameter is set to yes then this program is called AS ROOT before the SMB password in the smbpasswd file is changed. If this UNIX password change fails, then smbd will fail to change the SMB password also (this is by design).

If the unix password sync parameter is set this parameter MUST USE ABSOLUTE PATHS for ALL programs called, and must be examined for security implications. Note that by default unix password sync is set to no.

Default: passwd program =

Example: passwd program = /bin/passwd %u

password level (G) Some client/server combinations have difficulty with mixed-case passwords. One offending client is Windows for Workgroups, which for some reason forces passwords to upper case when using the LANMAN1 protocol, but leaves them alone when using COREPLUS! Another problem child is the Windows 95/98 family of operating systems. These clients upper case clear text passwords even when NT LM 0.12 is selected by the protocol negotiation request/response.

This parameter defines the maximum number of characters that may be upper case in passwords.

For example, say the password given was "FRED". If password level is set to 1, the following combinations would be tried if "FRED" failed:

"Fred", "fred", "fRed", "frEd", "freD"

If password level was set to 2, the following combinations would also be tried:

"FRed", "FrEd", "FreD", "fREd", "fReD", "frED", ..

And so on.

The higher the value of this parameter, the more likely it is that a mixed case password will be matched against a single case password. However, you should be aware that use of this parameter reduces security and increases the time taken to process a new connection.

A value of zero will cause only two attempts to be made - the password as is and the password in all-lower case.

This parameter is used only when using plain-text passwords. It is not used at all when encrypted passwords are in use (that is the default since samba-3.0.0). Use this only when encrypt passwords = No.

Default: password level = 0

Example: password level = 4

password server (G) By specifying the name of another SMB server or Active Directory domain controller with this option, and using security = [ads|domain|server] it is possible to get Samba to do all its username/password validation using a specific remote server.

This option sets the name or IP address of the password server to use. New syntax has been added to support defining the port to use when connecting to the server in the case of an ADS realm. To define a port other than the default LDAP port of 389, add the port number using a colon after the name or IP address (e.g. 192.168.1.100:389). If you do not specify a port, Samba will use the standard LDAP port of tcp/389. Note that port numbers have no effect on password servers for Windows NT 4.0 domains or netbios connections.

If parameter is a name, it is looked up using the parameter name resolve order and so may be resolved by any method and order described in that parameter.

The password server must be a machine capable of using the "LM1.2X002" or the "NT LM 0.12" protocol, and it must be in user level security mode.

Note

Using a password server means your UNIX box (running Samba) is only as secure as your password server. DO NOT CHOOSE A PASSWORD SERVER THAT YOU DON'T COMPLETELY TRUST.

Never point a Samba server at itself for password serving. This will cause a loop and could lock up your Samba server!

The name of the password server takes the standard substitutions, but probably the only useful one is %m, which means the Samba server will use the incoming client as the password server. If you use this then you better trust your clients, and you had better restrict them with hosts allow!

If the security parameter is set to domain or ads, then the list of machines in this option must be a list of Primary or Backup Domain controllers for the Domain or the character '*', as the Samba server is effectively in that domain, and will use cryptographically authenticated RPC calls to authenticate the user logging on. The advantage of using security = domain is that if you list several hosts in the password server option then smbd will try each in turn till it finds one that responds. This is useful in case your primary server goes down.

If the password server option is set to the character '*', then Samba will attempt to auto-locate the Primary or Backup Domain controllers to authenticate against by doing a query for the name WORKGROUP<1C> and then contacting each server returned in the list of IP addresses from the name resolution source.

If the list of servers contains both names/IP's and the '*' character, the list is treated as a list of preferred domain controllers, but an auto lookup of all remaining DC's will be added to the list as well. Samba will not attempt to optimize this list by locating the closest DC.

If the security parameter is set to server, then there are different restrictions that security = domain doesn't suffer from:

· You may list several password servers in the password server parameter, however if an smbd makes a connection to a password server, and then the password server fails, no more users will be able to be authenticated from this smbd. This is a restriction of the SMB/CIFS protocol when in security = server mode and cannot be fixed in Samba.

· If you are using a Windows NT server as your password server then you will have to ensure that your users are able to login from the Samba server, as when in security = server mode the network logon will appear to come from there rather than from the user's workstation.

Default: password server =

Example: password server = NT-PDC, NT-BDC1, NT-BDC2, *

Example: password server = windc.mydomain.com:389 192.168.1.101 *

Example: password server = *
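
An added Python example, not part of the manual page or of Samba: a small checker for the risks this page states for passwd chat debug, password level, password server, passwd program, passdb backend and paranoid server security. The parser is a simplified assumption (no line continuations or include handling) and both sample configurations are constructed.

```python
import re

TRUE = {"yes", "true", "1"}


def parse_smb_conf(text):
    """Return {section: {parameter: value}}; names are lower-cased with
    inner whitespace collapsed, '#' and ';' start comment lines."""
    conf, section = {}, "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif "=" in line:
            key, value = line.split("=", 1)
            key = " ".join(key.lower().split())
            conf.setdefault(section, {})[key] = value.strip()
    return conf


def lint_global(conf):
    """Return [(parameter, finding), ...] for the [global] section."""
    g = conf.get("global", {})

    def enabled(name, default="no"):
        return g.get(name, default).lower() in TRUE

    found = []
    if enabled("passwd chat debug"):
        found.append(("passwd chat debug",
                      "plaintext passwords can be seen in the smbd log"))
    level = g.get("password level", "0")
    # Only used with plain-text passwords, i.e. encrypt passwords = No.
    if (level.isdigit() and int(level) > 0
            and not enabled("encrypt passwords", "yes")):
        found.append(("password level",
                      "reduces security and slows new connections"))
    if "%m" in g.get("password server", ""):
        note = "the incoming client is used as the password server"
        if "hosts allow" not in g:
            note += "; no hosts allow restriction is set"
        found.append(("password server", note))
    if enabled("unix password sync"):
        prog = g.get("passwd program", "").split()
        if not prog or not prog[0].startswith("/"):
            found.append(("passwd program",
                          "called as root; must use an absolute path"))
    # The page does not give the default of ldap ssl, so only an explicit
    # "off"/"no" next to a plain ldap:// URL is reported.
    if (re.search(r'ldapsam:"?ldap://', g.get("passdb backend", ""))
            and g.get("ldap ssl", "").lower() in {"off", "no"}):
        found.append(("passdb backend",
                      "ldap:// without Start-TLS; use ldap ssl or ldaps://"))
    if not enabled("paranoid server security", "yes"):
        found.append(("paranoid server security",
                      "the check for a broken NT 4.x server is skipped"))
    return found


# Constructed sample configurations (host names are placeholders).
WEAK = """
[global]
   security = server
   password server = %m
   encrypt passwords = no
   password level = 4
   unix password sync = yes
   passwd program = passwd %u
   passwd chat debug = yes
   passdb backend = ldapsam:ldap://ldap.example.com
   ldap ssl = off
[homes]
   path = /home/%u
"""
HARDENED = """
[global]
   security = domain
   password server = NT-PDC, NT-BDC1, *
   unix password sync = yes
   passwd program = /bin/passwd %u
   passdb backend = ldapsam:ldaps://ldap.example.com
"""

if __name__ == "__main__":
    for param, finding in lint_global(parse_smb_conf(WEAK)):
        print(f"{param}: {finding}")
```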

directory This parameter is a synonym for path.

path (S) This parameter specifies a directory to which the user of the service is to be given access. In the case of printable services, this is where print data will spool prior to being submitted to the host for printing.

For a printable service offering guest access, the service should be readonly and the path should be world-writeable and have the sticky bit set. This is not mandatory of course, but you probably won't get the results you expect if you do otherwise.

Any occurrences of %u in the path will be replaced with the UNIX username that the client is using on this connection. Any occurrences of %m will be replaced by the NetBIOS name of the machine they are connecting from. These replacements are very useful for setting up pseudo home directories for users.

Note that this path will be based on root dir if one was specified.

Default: path =

Example: path = /home/fred

pid directory (G) This option specifies the directory where pid files will be placed.

Default: pid directory = ${prefix}/var/locks

Example: pid directory = /var/run/

posix locking (S) The smbd(8) daemon maintains a database of file locks obtained by SMB clients. The default behavior is to map this internal database to POSIX locks. This means that file locks obtained by SMB clients are consistent with those seen by POSIX compliant applications accessing the files via a non-SMB method (e.g. NFS or local file access). You should never need to disable this parameter.

Default: posix locking = yes

postexec (S) This option specifies a command to be run whenever the service is disconnected. It takes the usual substitutions. The command may be run as the root on some systems.

An interesting example may be to unmount server resources:

postexec = /etc/umount /cdrom

Default: postexec =

Example: postexec = echo \"%u disconnected from %S from %m (%I)\" >> /tmp/log

exec This parameter is a synonym for preexec.

preexec (S) This option specifies a command to be run whenever the service is connected to. It takes the usual substitutions.

An interesting example is to send the users a welcome message every time they log in. Maybe a message of the day? Here is an example:

preexec = csh -c 'echo \"Welcome to %S!\" | /usr/local/samba/bin/smbclient -M %m -I %I' &

Of course, this could get annoying after a while :-)

See also preexec close and postexec.

Default: preexec =

Example: preexec = echo \"%u connected to %S from %m (%I)\" >> /tmp/log

preexec close (S) This boolean option controls whether a non-zero return code from preexec should close the service being connected to.

Default: preexec close = no

prefered master This parameter is a synonym for preferred master.

preferred master (G) This boolean parameter controls if nmbd(8) is a preferred master browser for its workgroup.

If this is set to yes, on startup, nmbd will force an election, and it will have a slight advantage in winning the election. It is recommended that this parameter is used in conjunction with domain master = yes, so that nmbd can guarantee becoming a domain master.

Use this option with caution, because if there are several hosts (whether Samba servers, Windows 95 or NT) that are preferred master browsers on the same subnet, they will each periodically and continuously attempt to become the local master browser. This will result in unnecessary broadcast traffic and reduced browsing capabilities.

Default: preferred master = auto

auto services This parameter is a synonym for preload.

preload (G) This is a list of services that you want to be automatically added to the browse lists. This is most useful for homes and printers services that would otherwise not be visible.

Note that if you just want all printers in your printcap file loaded then the load printers option is easier.

Default: preload =

Example: preload = fred lp colorlp

preload modules (G) This is a list of paths to modules that should be loaded into smbd before a client connects. This improves the speed of smbd when reacting to new connections somewhat.

Default: preload modules =

Example: preload modules = /usr/lib/samba/passdb/mysql.so

preserve case (S) This controls if new filenames are created with the case that the client passes, or if they are forced to be the default case.

See the section on NAME MANGLING for a fuller discussion.

Default: preserve case = yes

print ok This parameter is a synonym for printable.

printable (S) If this parameter is yes, then clients may open, write to and submit spool files on the directory specified for the service.

Note that a printable service will ALWAYS allow writing to the service path (user privileges permitting) via the spooling of print data. The read only parameter controls only non-printing access to the resource.

Default: printable = no

printcap cache time (G) This option specifies the number of seconds before the printing subsystem is again asked for the known printers. If the value is greater than 60 the initial waiting time is set to 60 seconds to allow an earlier first rescan of the printing subsystem.

Setting this parameter to 0 (the default) disables any rescanning for new or removed printers after the initial startup.

Default: printcap cache time = 0

Example: printcap cache time = 600

printcap This parameter is a synonym for printcap name.

printcap name (S) This parameter may be used to override the compiled-in default printcap name used by the server (usually /etc/printcap). See the discussion of the [printers] section above for reasons why you might want to do this.

To use the CUPS printing interface set printcap name = cups. This should be supplemented by an additional setting printing = cups in the [global] section. printcap name = cups will use the "dummy" printcap created by CUPS, as specified in your CUPS configuration file.

On System V systems that use lpstat to list available printers you can use printcap name = lpstat to automatically obtain lists of available printers. This is the default for systems that define SYSV at configure time in Samba (this includes most System V based systems). If printcap name is set to lpstat on these systems then Samba will launch lpstat -v and attempt to parse the output to obtain a printer list.

A minimal printcap file would look something like this:

    print1|My Printer 1
    print2|My Printer 2
    print3|My Printer 3
    print4|My Printer 4
    print5|My Printer 5

where the '|' separates aliases of a printer. The fact that the second alias has a space in it gives a hint to Samba that it's a comment.

Note

Under AIX the default printcap name is /etc/qconfig. Samba will assume the file is in AIX qconfig format if the string qconfig appears in the printcap filename.

Default: printcap name = /etc/printcap

Example: printcap name = /etc/myprintcap

print command (S) After a print job has finished spooling to a service, this command will be used via a system() call to process the spool file. Typically the command specified will submit the spool file to the host's printing subsystem, but there is no requirement that this be the case. The server will not remove the spool file, so whatever command you specify should remove the spool file when it has been processed, otherwise you will need to manually remove old spool files.

The print command is simply a text string. It will be used verbatim after macro substitutions have been made:

%s, %f - the path to the spool file name

%p - the appropriate printer name

%J - the job name as transmitted by the client.

%c - The number of printed pages of the spooled job (if known).

%z - the size of the spooled print job (in bytes)

The print command MUST contain at least one occurrence of %s or %f - the %p is optional. At the time a job is submitted, if no printer name is supplied the %p will be silently removed from the printer command.

If specified in the [global] section, the print command given will be used for any printable service that does not have its own print command specified.

If there is neither a specified print command for a printable service nor a global print command, spool files will be created but not processed and (most importantly) not removed.

Note that printing may fail on some UNIXes from the nobody account. If this happens then create an alternative guest account that can print and set the guest account in the [global] section.

You can form quite complex print commands by realizing that they are just passed to a shell. For example the following will log a print job, print the file, then remove it. Note that ';' is the usual separator for commands in shell scripts.

print command = echo Printing %s >> /tmp/print.log; lpr -P %p %s; rm %s

You may have to vary this command considerably depending on how you normally print files on your system. The default for the parameter varies depending on the setting of the printing parameter.

Default: For printing = BSD, AIX, QNX, LPRNG or PLP :

print command = lpr -r -P%p %s

For printing = SYSV or HPUX :

print command = lp -c -d%p %s; rm %s

For printing = SOFTQ :

print command = lp -d%p -s %s; rm %s

For printing = CUPS : If SAMBA is compiled against libcups, then printcap = cups uses the CUPS API to submit jobs, etc. Otherwise it maps to the System V commands with the -oraw option for printing, i.e. it uses lp -c -d%p -oraw; rm %s. With printing = cups, and if SAMBA is compiled against libcups, any manually set print command will be ignored.

No default

Example: print command = /usr/local/samba/bin/myprintscript %p %s

printer admin (S) This is a list of users that can do anything to printers via the remote administration interfaces offered by MS-RPC (usually using a NT workstation). Note that the root user always has admin rights.

Default: printer admin =

Example: printer admin = admin, @staff

printer This parameter is a synonym for printer name.

printer name (S) This parameter specifies the name of the printer to which print jobs spooled through a printable service will be sent.

If specified in the [global] section, the printer name given will be used for any printable service that does not have its own printer name specified.

Default: printer name = # none (but may be lp on many systems)

Example: printer name = laserwriter

printing (S) This parameter controls how printer status information is interpreted on your system. It also affects the default values for the print command, lpq command, lppause command, lpresume command, and lprm command if specified in the [global] section.

Currently nine printing styles are supported. They are BSD, AIX, LPRNG, PLP, SYSV, HPUX, QNX, SOFTQ, and CUPS.

To see what the defaults are for the other print commands when using the various options use the testparm(1) program.

This option can be set on a per printer basis. Please be aware however, that you must place any of the various printing commands (e.g. print command, lpq command, etc...) after defining the value for the printing option since it will reset the printing commands to default values.

See also the discussion in the [printers] section.

No default

private dir (G) This parameter defines the directory smbd will use for storing such files as smbpasswd and secrets.tdb.

Default: private dir = ${prefix}/private

profile acls (S) This boolean parameter was added to fix the problems that people have been having with storing user profiles on Samba shares from Windows 2000 or Windows XP clients. New versions of Windows 2000 or Windows XP service packs do security ACL checking on the owner and ability to write of the profile directory stored on a local workstation when copied from a Samba share.

When not in domain mode with winbindd then the security info copied onto the local workstation has no meaning to the logged in user (SID) on that workstation so the profile storing fails. Adding this parameter onto a share used for profile storage changes two things about the returned Windows ACL. Firstly it changes the owner and group owner of all reported files and directories to be BUILTIN\\Administrators, BUILTIN\\Users respectively (SIDs S-1-5-32-544, S-1-5-32-545). Secondly it adds an ACE entry of "Full Control" to the SID BUILTIN\\Users to every returned ACL. This will allow any Windows 2000 or XP workstation user to access the profile.

Note that if you have multiple users logging on to a workstation then in order to prevent them from being able to access each other's profiles you must remove the "Bypass traverse checking" advanced user right. This will prevent access to other users' profile directories as the top level profile directory (named after the user) is created by the workstation profile code and has an ACL restricting entry to the directory tree to the owning user.

Default: profile acls = no