smb.conf/manpage/2006/parameters/U

unix charset (G) Specifies the charset the unix machine Samba runs on uses. Samba needs to know this in order to be able to convert text to the charsets other SMB clients use.

This is also the charset Samba will use when specifying arguments to scripts that it invokes.

Default: unix charset = UTF8

Example: unix charset = ASCII

unix extensions (G) This boolean parameter controls whether Samba implements the CIFS UNIX extensions, as defined by HP. These extensions enable Samba to better serve UNIX CIFS clients by supporting features such as symbolic links, hard links, etc. These extensions require a similarly enabled client, and are of no current use to Windows clients.

Default: unix extensions = yes

unix password sync (G) This boolean parameter controls whether Samba attempts to synchronize the UNIX password with the SMB password when the encrypted SMB password in the smbpasswd file is changed. If this is set to yes the program specified in the passwd program parameter is called AS ROOT - to allow the new UNIX password to be set without access to the old UNIX password (as the SMB password change code has no access to the old password cleartext, only the new).

Default: unix password sync = no

update encrypted (G) This boolean parameter allows a user logging on with a plaintext password to have their encrypted (hashed) password in the smbpasswd file updated automatically as they log on. This option allows a site to migrate from plaintext password authentication (users authenticate with plaintext password over the wire, and are checked against a UNIX account database) to encrypted password authentication (the SMB challenge/response authentication mechanism) without forcing all users to re-enter their passwords via smbpasswd at the time the change is made. This is a convenience option to allow the change over to encrypted passwords to be made over a longer period. Once all users have encrypted representations of their passwords in the smbpasswd file this parameter should be set to no.

In order for this parameter to work correctly the encrypt passwords parameter must be set to no when this parameter is set to yes.

Note that even when this parameter is set a user authenticating to smbd must still enter a valid password in order to connect correctly, and to update their hashed (smbpasswd) passwords.

Default: update encrypted = no

use client driver (S) This parameter applies only to Windows NT/2000 clients. It has no effect on Windows 95/98/ME clients. When serving a printer to Windows NT/2000 clients without first installing a valid printer driver on the Samba host, the client will be required to install a local printer driver. From this point on, the client will treat the printer as a local printer and not a network printer connection. This is much the same behavior that will occur when disable spoolss = yes.

The differentiating factor is that under normal circumstances, the NT/2000 client will attempt to open the network printer using MS-RPC. The problem is that because the client considers the printer to be local, it will attempt to issue the OpenPrinterEx call requesting access rights associated with the logged on user. If the user possesses local administrator rights but not root privilege on the Samba host (often the case), the OpenPrinterEx call will fail. The result is that the client will now display an "Access Denied; Unable to connect" message in the printer queue window (even though jobs may successfully be printed).

If this parameter is enabled for a printer, then any attempt to open the printer with the PRINTER_ACCESS_ADMINISTER right is mapped to PRINTER_ACCESS_USE instead, thus allowing the OpenPrinterEx call to succeed. This parameter MUST NOT be enabled on a print share which has a valid print driver installed on the Samba server.

Default: use client driver = no

use kerberos keytab (G) Specifies whether Samba should attempt to maintain service principals in the system's keytab file for host/FQDN and cifs/FQDN.

When you are using the Heimdal Kerberos libraries, you must also specify the following in /etc/krb5.conf:

    [libdefaults]
    default_keytab_name = FILE:/etc/krb5.keytab

Default: use kerberos keytab = False

use mmap (G) This global parameter determines if the tdb internals of Samba can depend on mmap working correctly on the running system. Samba requires a coherent mmap/read-write system memory cache. Currently only HPUX does not have such a coherent cache, and so this parameter is set to no by default on HPUX. On all other systems this parameter should be left alone. This parameter is provided to help the Samba developers track down problems with the tdb internal code.

Default: use mmap = yes

user  This parameter is a synonym for username.

users This parameter is a synonym for username.

username (S) Multiple users may be specified in a comma-delimited list, in which case the supplied password will be tested against each username in turn (left to right).

The username line is needed only when the PC is unable to supply its own username. This is the case for the COREPLUS protocol or where your users have different WfWg usernames to UNIX usernames. In both these cases you may also be better using the \\server\share%user syntax instead.

The username line is not a great solution in many cases as it means Samba will try to validate the supplied password against each of the usernames in the username line in turn. This is slow and a bad idea for lots of users in case of duplicate passwords. You may get timeouts or security breaches using this parameter unwisely.

Samba relies on the underlying UNIX security. This parameter does not restrict who can login, it just offers hints to the Samba server as to what usernames might correspond to the supplied password. Users can login as whoever they please and they will be able to do no more damage than if they started a telnet session. The daemon runs as the user that they log in as, so they cannot do anything that user cannot do.

To restrict a service to a particular set of users you can use the valid users parameter.

If any of the usernames begin with a '@' then the name will be looked up first in the NIS netgroups list (if Samba is compiled with netgroup support), followed by a lookup in the UNIX groups database and will expand to a list of all users in the group of that name.

If any of the usernames begin with a '+' then the name will be looked up only in the UNIX groups database and will expand to a list of all users in the group of that name.

If any of the usernames begin with a '&' then the name will be looked up only in the NIS netgroups database (if Samba is compiled with netgroup support) and will expand to a list of all users in the netgroup group of that name.

Note that searching through a groups database can take quite some time, and some clients may time out during the search.

See the section NOTE ABOUT USERNAME/PASSWORD VALIDATION for more information on how this parameter determines access to the services.

Default: username = # The guest account if a guest service, else .

Example: username = fred, mary, jack, jane, @users, @pcgroup

username level (G) This option helps Samba to try and 'guess' at the real UNIX username, as many DOS clients send an all-uppercase username. By default Samba tries all lowercase, followed by the username with the first letter capitalized, and fails if the username is not found on the UNIX machine.

If this parameter is set to non-zero the behavior changes. This parameter is a number that specifies the number of uppercase combinations to try while trying to determine the UNIX user name. The higher the number the more combinations will be tried, but the slower the discovery of usernames will be. Use this parameter when you have strange usernames on your UNIX machine, such as AstrangeUser.

This parameter is needed only on UNIX systems that have case sensitive usernames.

Default: username level = 0

Example: username level = 5
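An added example (not Samba's code) of how the number of account lookups grows with username level. It assumes a level of N means trying every variant with up to N uppercase letters; candidates() and lookup() are hypothetical names.

```python
from itertools import combinations

def candidates(name, level=0):
    """Names to try, in order: lowercase, capitalized, then case variants."""
    lower = name.lower()
    out = [lower, lower.capitalize()]      # default attempts per the text
    for k in range(1, level + 1):          # assumption: up to `level` capitals
        for idx in combinations(range(len(lower)), k):
            out.append("".join(ch.upper() if i in idx else ch
                               for i, ch in enumerate(lower)))
    return list(dict.fromkeys(out))        # drop duplicates, keep order

def lookup(client_name, unix_accounts, level=0):
    """Return (matched account or None, number of lookups performed)."""
    tried = 0
    for cand in candidates(client_name, level):
        tried += 1
        if cand in unix_accounts:
            return cand, tried
    return None, tried

# Constructed sample: a DOS client sends the name in all uppercase.
ACCOUNTS = {"AstrangeUser"}
for lvl in (0, 1, 2, 5):
    print(lvl, lookup("ASTRANGEUSER", ACCOUNTS, lvl),
          len(candidates("ASTRANGEUSER", lvl)))
```

Each extra level multiplies the lookups made per login attempt, which is why the setting should be no higher than the account naming actually requires.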

username map (G) This option allows you to specify a file containing a mapping of usernames from the clients to the server. This can be used for several purposes. The most common is to map usernames that users use on DOS or Windows machines to those that the UNIX box uses. The other is to map multiple users to a single username so that they can more easily share files.

The map file is parsed line by line. Each line should contain a single UNIX username on the left then a '=' followed by a list of usernames on the right. The list of usernames on the right may contain names of the form @group in which case they will match any UNIX username in that group. The special client name '*' is a wildcard and matches any name. Each line of the map file may be up to 1023 characters long.

The file is processed on each line by taking the supplied username and comparing it with each username on the right hand side of the '=' signs. If the supplied name matches any of the names on the right hand side then it is replaced with the name on the left. Processing then continues with the next line.

If any line begins with a '#' or a ';' then it is ignored.

If any line begins with an '!' then the processing will stop after that line if a mapping was done by the line. Otherwise mapping continues with every line being processed. Using '!' is most useful when you have a wildcard mapping line later in the file.

For example to map from the name admin or administrator to the UNIX name root you would use:

    root = admin administrator

Or to map anyone in the UNIX group system to the UNIX name sys you would use:

    sys = @system

You can have as many mappings as you like in a username map file.

If your system supports the NIS NETGROUP option then the netgroup database is checked before the /etc/group database for matching groups.

You can map Windows usernames that have spaces in them by using double quotes around the name. For example:

    tridge = "Andrew Tridgell"

would map the windows username "Andrew Tridgell" to the unix username "tridge".

The following example would map mary and fred to the unix user sys, and map the rest to guest. Note the use of the '!' to tell Samba to stop processing if it gets a match on that line.

    !sys = mary fred
    guest = *
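The processing rules above, as an added example that is not part of the Samba documentation or source: a small Python model of the map file (comments, '!', '*', @group and quoted names) with a hypothetical audit() helper for reviewing a map. Case-insensitive name comparison and the groups dictionary standing in for the group database are assumptions.

```python
import re

TOKEN = re.compile(r'"([^"]*)"|(\S+)')  # quoted name with spaces, or bare word

def parse_map(text):
    """Parse map text into (unix_name, client_names, stop_on_match) rules."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank or comment line
            continue
        stop = line.startswith("!")          # '!': stop if this line maps
        unix_name, sep, rhs = line.lstrip("!").partition("=")
        if sep and unix_name.strip():
            names = [q or w for q, w in TOKEN.findall(rhs)]
            rules.append((unix_name.strip(), names, stop))
    return rules

def _matches(pattern, name, groups):
    if pattern == "*":                       # wildcard matches any name
        return True
    if pattern.startswith("@"):              # @group: any member matches
        return name in groups.get(pattern[1:], ())
    return pattern.lower() == name.lower()   # assumption: case-insensitive

def map_username(name, rules, groups=None):
    """Apply every rule in file order; a mapped name feeds later lines."""
    groups = groups or {}
    for unix_name, patterns, stop in rules:
        if any(_matches(p, name, groups) for p in patterns):
            name = unix_name
            if stop:
                break
    return name

def audit(rules):
    """Flag lines a reviewer should look at (hypothetical helper)."""
    findings = []
    for i, (unix_name, patterns, stop) in enumerate(rules):
        if unix_name == "root":
            findings.append(f"rule {i}: clients {patterns} become root")
        later_wildcard = any("*" in p for _, p, _ in rules[i + 1:])
        if not stop and "*" not in patterns and later_wildcard:
            findings.append(f"rule {i}: no '!', a later '*' line overrides it")
    return findings

# Constructed sample maps built from the examples in the text.
WITH_STOP = parse_map("# constructed\n!sys = mary fred\nguest = *\n")
NO_STOP = parse_map('root = admin administrator\n'
                    'tridge = "Andrew Tridgell"\nguest = *\n')
GROUPS = {"system": {"alice"}}  # stand-in for the UNIX group database
```

With NO_STOP, every client name ends up as guest because the wildcard line is processed last; audit() reports those lines along with any mapping to root.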

Note that the remapping is applied to all occurrences of usernames. Thus if you connect to \\server\fred and fred is remapped to mary then you will actually be connecting to \\server\mary and will need to supply a password suitable for mary not fred. The only exception to this is the username passed to the password server (if you have one). The password server will receive whatever username the client supplies without modification.

Also note that no reverse mapping is done. The main effect this has is with printing. Users who have been mapped may have trouble deleting print jobs as PrintManager under WfWg will think they don't own the print job.

Samba versions prior to 3.0.8 would only support reading the fully qualified username (e.g.: DOMAIN\user) from the username map when performing a kerberos login from a client. However, when looking up a map entry for a user authenticated by NTLM[SSP], only the login name would be used for matches. This resulted in inconsistent behavior sometimes even on the same server.

The following functionality is obeyed in version 3.0.8 and later:

When performing local authentication, the username map is applied to the login name before attempting to authenticate the connection.

When relying upon an external domain controller for validating authentication requests, smbd will apply the username map to the fully qualified username (i.e. DOMAIN\user) only after the user has been successfully authenticated.

Default: username map = # no username map

Example: username map = /usr/local/samba/lib/users.map

use sendfile (S) If this parameter is yes, and the sendfile() system call is supported by the underlying operating system, then some SMB read calls (mainly ReadAndX and ReadRaw) will use the more efficient sendfile system call for files that are exclusively oplocked. This may make more efficient use of the system CPUs and cause Samba to be faster. Samba automatically turns this off for clients that use protocol levels lower than NT LM 0.12 and when it detects a client is Windows 9x (using sendfile from Linux will cause these clients to fail).

Default: use sendfile = yes

use spnego (G) This variable controls whether Samba will try to use Simple and Protected NEGOciation (as specified by RFC 2478) with Windows XP and Windows 2000 clients to agree upon an authentication mechanism.

Unless further issues are discovered with our SPNEGO implementation, there is no reason this should ever be disabled.

Default: use spnego = yes

utmp (G) This boolean parameter is only available if Samba has been configured and compiled with the option --with-utmp. If set to yes then Samba will attempt to add utmp or utmpx records (depending on the UNIX system) whenever a connection is made to a Samba server. Sites may use this to record the user connecting to a Samba share.

Due to the requirements of the utmp record, we are required to create a unique identifier for the incoming user. Enabling this option creates an n^2 algorithm to find this number. This may impede performance on large installations.

Default: utmp = no

utmp directory (G) This parameter is only available if Samba has been configured and compiled with the option --with-utmp. It specifies a directory pathname that is used to store the utmp or utmpx files (depending on the UNIX system) that record user connections to a Samba server. By default this is not set, meaning the system will use whatever utmp file the native system is set to use (usually /var/run/utmp on Linux).

Default: utmp directory = # Determined automatically

Example: utmp directory = /var/run/utmp