smb.conf/manpage/2006/parameters/S

security (G) This option affects how clients respond to Samba and is one  of              the most important settings in the  _�s_�m_�b_�._�c_�o_�n_�f file.

The option  sets the "security mode bit" in replies to protocol negotiations with s�sm�mb�bd�d(8) to turn share level  security  on  or              off. Clients decide  based  on  this  bit whether (and how) to              transfer user and password information to the server.

The default is s�se�ec�cu�ur�ri�it�ty�y =�= u�us�se�er�r, as this is the most common set- ting needed when talking to Windows 98 and Windows NT.

The alternatives  are  s�se�ec�cu�ur�ri�it�ty�y  =�=  s�sh�ha�ar�re�e, s�se�ec�cu�ur�ri�it�ty�y =�= s�se�er�rv�ve�er�r or              s�se�ec�cu�ur�ri�it�ty�y =�= d�do�om�ma�ai�in�n.

In versions of Samba prior to 2.0.0, the default was s�se�ec�cu�ur�ri�it�ty�y =�= s�sh�ha�ar�re�e mainly because that was the only option at one stage.

There is a bug in WfWg that has relevance to this setting. When in user or server level security a  WfWg  client  will  totally ignore the password you type in the "connect drive" dialog box. This makes it very difficult (if not impossible) to connect to a             Samba service as anyone except the user that you are logged into WfWg as.

If your PCs use usernames that are the same as their  usernames on the  UNIX machine then you will want to use s�se�ec�cu�ur�ri�it�ty�y =�= u�us�se�er�r. If you mostly use usernames that don't exist on  the  UNIX  box then use s�se�ec�cu�ur�ri�it�ty�y =�= s�sh�ha�ar�re�e.

You should also use s�se�ec�cu�ur�ri�it�ty�y =�= s�sh�ha�ar�re�e if you want to mainly setup shares without a password (guest shares). This is commonly used for a shared printer server. It is more difficult to setup guest shares with s�se�ec�cu�ur�ri�it�ty�y =�= u�us�se�er�r, see the _�m_�a_�p _�t_�o _�g_�u_�e_�s_�tparameter  for details.

It is possible to use s�sm�mb�bd�d in a  h�hy�yb�br�ri�id�d m�mo�od�de�e where it is offers both user and share  level  security  under  different  _�N_�e_�t_�B_�I_�O_�S _�a_�l_�i_�a_�s_�e_�s.

The different settings will now be explained.

S�SE�EC�CU�UR�RI�IT�TY�Y =�= S�SH�HA�AR�RE�E

When clients connect to a share level security server they need not log onto the server with  a  valid  username  and  password before attempting to connect to a shared resource (although mod-             ern clients such as Windows 95/98 and Windows  NT  will  send  a              logon  request with a username but no password when talking to a              s�se�ec�cu�ur�ri�it�ty�y =�= s�sh�ha�ar�re�e  server). Instead, the clients send authentica- tion information  (passwords) on a per-share basis, at the time they attempt to connect to that share.

Note that s�sm�mb�bd�d A�AL�LW�WA�AY�YS�S uses a valid UNIX user to act  on  behalf of the client, even in s�se�ec�cu�ur�ri�it�ty�y =�= s�sh�ha�ar�re�e level security.

As clients are not required to send a username to the server in              share level security, s�sm�mb�bd�d uses several techniques to  determine the correct UNIX user to use on behalf of the client.

A list of possible UNIX usernames to match with the given client password is constructed using the following methods :

· If the _�g_�u_�e_�s_�t _�o_�n_�l_�y parameter is set, then all the other stages are missed and only the _�g_�u_�e_�s_�t _�a_�c_�c_�o_�u_�n_�t username is checked.

· Is a username is sent with the share connection request, then this username (after mapping - see _�u_�s_�e_�r_�n_�a_�m_�e _�m_�a_�p), is added as                a potential username.

· If the client did a previous l�lo�og�go�on�n  request (the SessionSetup                 SMB call) then the username sent in this SMB will be added as                 a potential username.

· The  name  of  the service the client requested is added as a                 potential username.

· The NetBIOS name of the client is added  to  the  list  as  a                 potential username.

· Any users on the  _�u_�s_�e_�r list are added as potential usernames.

If the _�g_�u_�e_�s_�t _�o_�n_�l_�y parameter is not set, then this list is  then  tried with the  supplied  password. The first  user  for whom the password matches will be used as the UNIX user.

If the _�g_�u_�e_�s_�t _�o_�n_�l_�y parameter is set, or no username can  be  determined then if  the  share  is marked as available to the _�g_�u_�e_�s_�t _�a_�c_�c_�o_�u_�n_�t, then this guest user will be used, otherwise access is denied.

Note that it can be v�ve�er�ry�y confusing in share-level security as to which UNIX username will eventually be used in granting access.

See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION.

S�SE�EC�CU�UR�RI�IT�TY�Y =�= U�US�SE�ER�R

This is  the  default  security  setting in Samba 3.0. With user-level security a client must first "log-on" with a valid username and  pass- word (which can be mapped using the _�u_�s_�e_�r_�n_�a_�m_�e _�m_�a_�p parameter). Encrypted passwords (see the _�e_�n_�c_�r_�y_�p_�t_�e_�d _�p_�a_�s_�s_�w_�o_�r_�d_�s parameter) can also be used  in       this  security  mode. Parameters such as _�u_�s_�e_�r and _�g_�u_�e_�s_�t _�o_�n_�l_�y if set are then applied and may change the UNIX user to use on  this  connection, but only after the user has been successfully authenticated.

N�No�ot�te�e that  the name of the resource being requested is n�no�ot�t sent to the server until after  the  server  has  successfully  authenticated  the client. This is  why  guest  shares don't work in user level security without allowing the server to automatically map unknown users into the _�g_�u_�e_�s_�t _�a_�c_�c_�o_�u_�n_�t. See the  _�m_�a_�p  _�t_�o _�g_�u_�e_�s_�t parameter for details on doing this.

See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION.

S�SE�EC�CU�UR�RI�IT�TY�Y =�= D�DO�OM�MA�AI�IN�N

This mode will only work correctly if n�ne�et�t(8) has been used to add this machine into  a  Windows NT Domain. It expects the _�e_�n_�c_�r_�y_�p_�t_�e_�d _�p_�a_�s_�s_�w_�o_�r_�d_�s parameter to be set to y�ye�es�s. In this mode Samba will try to validate the username/password by  passing  it  to  a  Windows NT Primary or Backup Domain Controller, in exactly the same way that a  Windows  NT  Server would do.

N�No�ot�te�e that a valid UNIX user must still exist as well as the account on       the Domain Controller to allow Samba to have a valid  UNIX  account  to       map file access to.

N�No�ot�te�e that from the client's point of view s�se�ec�cu�ur�ri�it�ty�y =�= d�do�om�ma�ai�in�n is the same as s�se�ec�cu�ur�ri�it�ty�y =�= u�us�se�er�r. It only affects how  the  server  deals  with  the authentication, it does not in any way affect what the client sees.

N�No�ot�te�e that  the name of the resource being requested is n�no�ot�t sent to the server until after  the  server  has  successfully  authenticated  the client. This is  why  guest  shares don't work in user level security without allowing the server to automatically map unknown users into the _�g_�u_�e_�s_�t _�a_�c_�c_�o_�u_�n_�t. See the  _�m_�a_�p  _�t_�o _�g_�u_�e_�s_�t parameter for details on doing this.

See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION.

See also the _�p_�a_�s_�s_�w_�o_�r_�d _�s_�e_�r_�v_�e_�r parameter  and  the  _�e_�n_�c_�r_�y_�p_�t_�e_�d  _�p_�a_�s_�s_�w_�o_�r_�d_�s parameter.

S�SE�EC�CU�UR�RI�IT�TY�Y =�= S�SE�ER�RV�VE�ER�R

In this mode Samba will try to validate the username/password by pass- ing it to another SMB server, such as an NT box. If this fails it will revert to s�se�ec�cu�ur�ri�it�ty�y =�= u�us�se�er�r. It expects the _�e_�n_�c_�r_�y_�p_�t_�e_�d _�p_�a_�s_�s_�w_�o_�r_�d_�s parameter to be set to y�ye�es�s, unless the remote server does not support them. How- ever note  that if encrypted passwords have been negotiated then Samba cannot revert back to checking the UNIX password file, it must have  a       valid  _�s_�m_�b_�p_�a_�s_�s_�w_�d file to check users against. See the chapter about the User Database in the Samba HOWTO Collection for details on how to  set this up.

N�No�ot�te�e

This mode of operation has significant pitfalls, due to the fact that is activly initiates a  man-in-the-middle  attack  on  the remote SMB  server. In particular, this mode of operation can cause significant resource consuption on the PDC,  as  it  must maintain an  active  connection  for the duration of the user's              session. Furthermore, if this connection is lost, there  is  no              way  to  reestablish  it, and futher authenticaions to the Samba server may fail. (From a single client, till it disconnects).

N�No�ot�te�e

From the client's point of view s�se�ec�cu�ur�ri�it�ty�y =�= s�se�er�rv�ve�er�r is the same as             s�se�ec�cu�ur�ri�it�ty�y  =�=  u�us�se�er�r. It only affects how the server deals with the authentication, it does not in any way affect what  the  client sees.

N�No�ot�te�e that  the name of the resource being requested is n�no�ot�t sent to the server until after  the  server  has  successfully  authenticated  the client. This is  why  guest  shares don't work in user level security without allowing the server to automatically map unknown users into the _�g_�u_�e_�s_�t _�a_�c_�c_�o_�u_�n_�t. See the  _�m_�a_�p  _�t_�o _�g_�u_�e_�s_�t parameter for details on doing this.

See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION.

See also the _�p_�a_�s_�s_�w_�o_�r_�d _�s_�e_�r_�v_�e_�r parameter  and  the  _�e_�n_�c_�r_�y_�p_�t_�e_�d  _�p_�a_�s_�s_�w_�o_�r_�d_�s parameter.

S�SE�EC�CU�UR�RI�IT�TY�Y =�= A�AD�DS�S

In this  mode,  Samba  will act as a domain member in an ADS realm. To      operate in this mode, the machine running Samba will need to have  Ker- beros installed and configured and Samba will need to be joined to the ADS realm using the net utility.

Note that this mode does NOT make Samba operate as a Active  Directory Domain Controller.

Read the chapter about Domain Membership in the HOWTO for details.

Default: _�s_�e_�c_�u_�r_�i_�t_�y = USER

Example: _�s_�e_�c_�u_�r_�i_�t_�y = DOMAIN

security mask (S) This parameter  controls what UNIX permission bits can be modi- fied when a Windows NT client is manipulating the UNIX  permis- sion on a file using the native NT security dialog box.

This parameter is applied as a mask (AND'ed with) to the changed permission bits, thus preventing any bits not in this mask from being modified. Essentially, zero  bits  in  this mask may be              treated as a set of bits the user is not allowed to change.

If not set explicitly this parameter is 0777, allowing a user to             modify all the user/group/world permissions on a file.

N�No�ot�te�e that  users  who can access the Samba server through other means can easily bypass this restriction, so  it  is  primarily useful for  standalone  "appliance"  systems. Administrators of             most normal systems will probably want to leave it set to  0�07�77�77�7.

Default: _�s_�e_�c_�u_�r_�i_�t_�y _�m_�a_�s_�k = 0777

Example: _�s_�e_�c_�u_�r_�i_�t_�y _�m_�a_�s_�k = 0770

server schannel (G) This controls whether the server offers or even demands the use of the netlogon schannel. _�s_�e_�r_�v_�e_�r _�s_�c_�h_�a_�n_�n_�e_�l _�= _�n_�o does  not  offer the schannel,  _�s_�e_�r_�v_�e_�r  _�s_�c_�h_�a_�n_�n_�e_�l  _�= _�a_�u_�t_�o offers the schannel but does not enforce it, and _�s_�e_�r_�v_�e_�r _�s_�c_�h_�a_�n_�n_�e_�l _�= _�y_�e_�s denies access if              the  client is not able to speak netlogon schannel. This is only the case for Windows NT4 before SP4.

Please note that with this set to _�n_�o you will have to apply the WindowsXP  requireSignOrSeal-Registry   patch   found   in  the docs/Registry subdirectory.

Default: _�s_�e_�r_�v_�e_�r _�s_�c_�h_�a_�n_�n_�e_�l = auto

Example: _�s_�e_�r_�v_�e_�r _�s_�c_�h_�a_�n_�n_�e_�l = yes

server signing (G) This controls whether the server offers or requires the  client it talks to to use SMB signing. Possible values are a�au�ut�to�o, m�ma�an�nd�da�a-�- t�to�or�ry�y and d�di�is�sa�ab�bl�le�ed�d.

When set to auto, SMB signing is offered, but not enforced. When set to  mandatory,  SMB  signing is required and if set to dis- abled, SMB signing is not offered either.

Default: _�s_�e_�r_�v_�e_�r _�s_�i_�g_�n_�i_�n_�g = Disabled

server string (G) This controls what string will show up in the  printer  comment box in print manager and next to the IPC connection in n�ne�et�t v�vi�ie�ew�w. It can be any string that you wish to show to your users.

It also sets what will appear  in  browse  lists  next  to  the machine name.

A _�%_�v will be replaced with the Samba version number.

A _�%_�h will be replaced with the hostname.

Default: _�s_�e_�r_�v_�e_�r _�s_�t_�r_�i_�n_�g = Samba %v

Example: _�s_�e_�r_�v_�e_�r _�s_�t_�r_�i_�n_�g = University of GNUs Samba Server

set directory (S) If s�se�et�t d�di�ir�re�ec�ct�to�or�ry�y =�= n�no�o, then users of the service may not use the setdir command to change directory.

The s�se�et�td�di�ir�r command is only implemented in the Digital Pathworks client. See the Pathworks documentation for details.

Default: _�s_�e_�t _�d_�i_�r_�e_�c_�t_�o_�r_�y = no

set primary group script (G) Thanks to the Posix subsystem in NT a Windows User has a primary group in addition to the auxiliary groups. This script sets the primary group in the unix userdatase when an administrator sets the primary group from the windows user manager or when fetching a SAM  with  n�ne�et�t r�rp�pc�c v�va�am�mp�pi�ir�re�e. _�%_�u will be replaced with the user whose primary group is to be set._�%_�g will be replaced  with  the group to set.

Default: _�s_�e_�t _�p_�r_�i_�m_�a_�r_�y _�g_�r_�o_�u_�p _�s_�c_�r_�i_�p_�t =

Example: _�s_�e_�t  _�p_�r_�i_�m_�a_�r_�y  _�g_�r_�o_�u_�p _�s_�c_�r_�i_�p_�t = /usr/sbin/usermod -g '%g' '%u'

set quota command (G) The s�se�et�t q�qu�uo�ot�ta�a c�co�om�mm�ma�an�nd�d should only be used whenever there is  no              operating system API available from the OS that samba can use.

This option  is only available if Samba was configured with the argument -�--�-w�wi�it�th�h-�-s�sy�ys�s-�-q�qu�uo�ot�ta�as�s  or  on   linux   when   .�./�/c�co�on�nf�fi�ig�gu�ur�re�e -�--�-w�wi�it�th�h-�-q�qu�uo�ot�ta�as�s was used and a working quota api was found in the system. Most packages are configured with these options already.

This parameter should specify the path to a script that can set quota for the specified arguments.

The specified script should take the following arguments:

· 1 - quota type

· 1 - user quotas

· 2 - user default quotas (uid = -1)

· 3 - group quotas

· 4 - group default quotas (gid = -1)

· 2 - id (uid for user, gid for group, -1 if N/A)

· 3 - quota state (0 = disable, 1 =  enable,  2  =  enable  and                 enforce)

· 4 - block softlimit

· 5 - block hardlimit

· 6 - inode softlimit

· 7 - inode hardlimit

· 8(optional) - block size, defaults to 1024

The script  should  output  at  least one line of data on success. And nothing on failure.

Default: _�s_�e_�t _�q_�u_�o_�t_�a _�c_�o_�m_�m_�a_�n_�d =

Example: _�s_�e_�t _�q_�u_�o_�t_�a _�c_�o_�m_�m_�a_�n_�d = /usr/local/sbin/set_quota

share modes (S) This enables or disables the honoring of the _�s_�h_�a_�r_�e _�m_�o_�d_�e_�s during a file  open. These modes are used by clients to gain exclusive read or write access to a file.

These open modes are not directly supported by UNIX, so they are simulated using  shared  memory,  or  lock  files  if your UNIX doesn't support shared memory (almost all do).

The share modes that are enabled by  this  option  areD�DE�EN�NY�Y_�_D�DO�OS�S, D�DE�EN�NY�Y_�_A�AL�LL�L,D�DE�EN�NY�Y_�_R�RE�EA�AD�D, D�DE�EN�NY�Y_�_W�WR�RI�IT�TE�E,D�DE�EN�NY�Y_�_N�NO�ON�NE�E and D�DE�EN�NY�Y_�_F�FC�CB�B.

This option  gives  full  share  compatibility  and  enabled by              default.

You should N�NE�EV�VE�ER�R turn this parameter off as many Windows appli- cations will break if you do so.

Default: _�s_�h_�a_�r_�e _�m_�o_�d_�e_�s = yes

short preserve case (S) This boolean  parameter  controls if new files which conform to              8.3 syntax, that is all in upper case and  of  suitable  length, are created upper case, or if they are forced to be the _�d_�e_�f_�a_�u_�l_�t _�c_�a_�s_�e. This option can be use with p�pr�re�es�se�er�rv�ve�e c�ca�as�se�e =�= y�ye�es�s to permit long filenames to retain their case, while short names are low- ered.

See the section on NAME MANGLING.

Default: _�s_�h_�o_�r_�t _�p_�r_�e_�s_�e_�r_�v_�e _�c_�a_�s_�e = yes

show add printer wizard (G) With the introduction of MS-RPC based printing support for Win- dows NT/2000  client  in Samba 2.2, a "Printers..." folder will appear on Samba hosts in the share listing. Normally this folder will contain  an icon for the MS Add Printer Wizard (APW). How- ever, it is possible to disable this feature regardless of  the level of privilege of the connected user.

Under normal circumstances, the Windows NT/2000 client will open a handle on the printer server with OpenPrinterEx asking  for Administrator privileges. If the user does not have administra- tive access on the print server (i.e is not root or a member of              the _�p_�r_�i_�n_�t_�e_�r _�a_�d_�m_�i_�n group), the OpenPrinterEx call fails and the client makes another open call with a request for a lower privi- lege level. This should succeed, however the APW icon will not be displayed.

Disabling the _�s_�h_�o_�w _�a_�d_�d _�p_�r_�i_�n_�t_�e_�r  _�w_�i_�z_�a_�r_�d  parameter  will  always cause the  OpenPrinterEx  on the server to fail. Thus the APW icon will never be displayed.

N�No�ot�te�e

This does not prevent the same user from having  administrative privilege on an individual printer.

Default: _�s_�h_�o_�w _�a_�d_�d _�p_�r_�i_�n_�t_�e_�r _�w_�i_�z_�a_�r_�d = yes

shutdown script (G) T�Th�hi�is�s p�pa�ar�ra�am�me�et�te�er�r  o�on�nl�ly�y  e�ex�xi�is�st�ts�s i�in�n t�th�he�e H�HE�EA�AD�D c�cv�vs�s b�br�ra�an�nc�ch�h This a full path name to a script called by s�sm�mb�bd�d(8)  that  should  start  a              shutdown procedure.

This command will be run as the user connected to the server.

%m %t %r %f parameters are expanded:

· _�%_�m  will be substituted with the shutdown message sent to the server.

· _�%_�t will be substituted with the number  of  seconds  to  wait before effectively starting the shutdown procedure.

· _�%_�r  will  be  substituted with the switch -�-r�r. It means reboot after shutdown for NT.

· _�%_�f will be substituted with the switch -�-f�f. It means force the shutdown even if applications do not respond for NT.

Shutdown script example:

#!/bin/bash

$time=0 let "time/60" let "time++"

/sbin/shutdown $3 $4 +$time $1 & Shutdown does not return so we need to launch it in background.

Default: _�s_�h_�u_�t_�d_�o_�w_�n _�s_�c_�r_�i_�p_�t =

Example: _�s_�h_�u_�t_�d_�o_�w_�n _�s_�c_�r_�i_�p_�t = /usr/local/samba/sbin/shutdown %m %t %r %f

smb passwd file (G) This option  sets  the path to the encrypted smbpasswd file. By             default the path to the smbpasswd file is compiled into Samba.

Default: _�s_�m_�b _�p_�a_�s_�s_�w_�d _�f_�i_�l_�e = ${prefix}/private/smbpasswd

Example: _�s_�m_�b _�p_�a_�s_�s_�w_�d _�f_�i_�l_�e = /etc/samba/smbpasswd

smb ports (G) Specifies which ports the server should listen on for SMB traf- fic.

Default: _�s_�m_�b _�p_�o_�r_�t_�s = 445 139

socket address (G) This option allows you to control what address Samba will listen for connections on. This is used to  support  multiple  virtual interfaces on  the one server, each with a different configura- tion.

By default Samba will accept connections on any address.

Default: _�s_�o_�c_�k_�e_�t _�a_�d_�d_�r_�e_�s_�s =

Example: _�s_�o_�c_�k_�e_�t _�a_�d_�d_�r_�e_�s_�s = 192.168.2.20

socket options (G) This option allows you to set socket options to  be  used  when talking with the client.

Socket options are controls on the networking layer of the oper- ating systems which allow the connection to be tuned.

This option will typically be used to tune your Samba server for optimal performance for your local network. There is no way that Samba can know what the optimal parameters are for your net, so              you  must  experiment and choose them yourself. We strongly sug- gest you read the appropriate documentation for your  operating system first (perhaps m�ma�an�n s�se�et�ts�so�oc�ck�ko�op�pt�t will help).

You may find that on some systems Samba will say "Unknown socket             option" when you supply an option. This means you either incor- rectly typed it or you need to add an include file to includes.h             for your OS. If the latter is the case please send the patch to              samba-technical@samba.org.

Any of  the supported socket options may be combined in any way you like, as long as your OS allows it.

This is the list of socket options currently settable using this option:

· SO_KEEPALIVE

· SO_REUSEADDR

· SO_BROADCAST

· TCP_NODELAY

· IPTOS_LOWDELAY

· IPTOS_THROUGHPUT

· SO_SNDBUF *

· SO_RCVBUF *

· SO_SNDLOWAT *

· SO_RCVLOWAT *

Those marked  with  a  '�'*�*'�'  take  an  integer argument. The others can optionally take a 1 or 0 argument to enable or disable the option,  by       default they will be enabled if you don't specify 1 or 0.

To specify  an argument use the syntax SOME_OPTION = VALUE for example S�SO�O_�_S�SN�ND�DB�BU�UF�F =�= 8�81�19�92�2. Note that you must not have  any  spaces  before  or       after the = sign.

If you are on a local network then a sensible option might be:

s�so�oc�ck�ke�et�t o�op�pt�ti�io�on�ns�s =�= I�IP�PT�TO�OS�S_�_L�LO�OW�WD�DE�EL�LA�AY�Y

If you have a local network then you could try:

s�so�oc�ck�ke�et�t o�op�pt�ti�io�on�ns�s =�= I�IP�PT�TO�OS�S_�_L�LO�OW�WD�DE�EL�LA�AY�Y T�TC�CP�P_�_N�NO�OD�DE�EL�LA�AY�Y

If  you   are  on  a  wide  area  network  then  perhaps  try  setting IPTOS_THROUGHPUT.

Note that several of the options may cause your Samba server  to  fail completely. Use these options with caution!

Default: _�s_�o_�c_�k_�e_�t _�o_�p_�t_�i_�o_�n_�s = TCP_NODELAY

Example: _�s_�o_�c_�k_�e_�t _�o_�p_�t_�i_�o_�n_�s = IPTOS_LOWDELAY

stat cache (G) This parameter  determines if s�sm�mb�bd�d(8) will use a cache in order to speed up case insensitive name mappings. You should  never need to change this parameter.

Default: _�s_�t_�a_�t _�c_�a_�c_�h_�e = yes

store dos attributes (S) If this  parameter  is  set Samba no longer attempts to map DOS attributes like SYSTEM, HIDDEN, ARCHIVE or  READ-ONLY  to  UNIX permission bits (such as the _�m_�a_�p _�h_�i_�d_�d_�e_�n. Instead, DOS attributes             will be stored onto an extended attribute in the  UNIX  filesys-              tem,  associated with the file or directory. For this to operate              correctly, the parameters _�m_�a_�p _�h_�i_�d_�d_�e_�n, _�m_�a_�p  _�s_�y_�s_�t_�e_�m,  _�m_�a_�p  _�a_�r_�c_�h_�i_�v_�e              must  be set to off. This parameter writes the DOS attributes as              a string into the  extended  attribute  named  "user.DOSATTRIB".              This  extended  attribute is explicitly hidden from smbd clients              requesting an EA list. On Linux the filesystem  must  have  been              mounted  with  the mount option user_xattr in order for extended              attributes to work, also extended attributes  must  be  compiled              into the Linux kernel.

Default: _�s_�t_�o_�r_�e _�d_�o_�s _�a_�t_�t_�r_�i_�b_�u_�t_�e_�s = no

strict allocate (S) This is a boolean that controls the handling of disk space allo- cation in the server. When this is set to y�ye�es�s the  server  will change from  UNIX behaviour of not committing real disk storage blocks when a file is extended to the Windows behaviour of actu- ally forcing  the  disk  system to allocate real storage blocks when a file is created or extended to be a given size. In UNIX terminology this  means  that  Samba  will stop creating sparse files. This can be slow on some systems.

When strict allocate is n�no�o the server does  sparse  disk  block allocation when a file is extended.

Setting this to y�ye�es�s can help Samba return out of quota messages on systems that are restricting the disk quota of users.

Default: _�s_�t_�r_�i_�c_�t _�a_�l_�l_�o_�c_�a_�t_�e = no

strict locking (S) This is a boolean that controls the handling of file locking in              the server. When this is set to y�ye�es�s, the server will check every read and write access for file locks, and deny access if  locks exist. This can be slow on some systems.

When strict  locking is disabled, the server performs file lock checks only when the client explicitly asks for them.

Well-behaved clients always ask for  lock  checks  when  it  is              important. So in the vast majority of cases, s�st�tr�ri�ic�ct�t l�lo�oc�ck�ki�in�ng�g =�= n�no�o is preferable.

Default: _�s_�t_�r_�i_�c_�t _�l_�o_�c_�k_�i_�n_�g = no

strict sync (S) Many Windows applications (including the  Windows  98  explorer              shell)  seem  to  confuse  flushing buffer contents to disk with doing a sync to disk. Under UNIX, a sync call forces the process to be suspended until the kernel has ensured that all outstand- ing data in kernel disk buffers has been safely stored onto sta- ble storage. This is very slow and should only be done rarely. Setting this parameter to n�no�o (the default) means  that  s�sm�mb�bd�d(8) ignores the Windows applications requests for a sync call. There is only a possibility of losing data if  the  operating  system itself that Samba is running on crashes, so there is little dan- ger in this default setting. In addition, this fixes many  per- formance problems  that  people have reported with the new Win- dows98 explorer shell file copies.

Default: _�s_�t_�r_�i_�c_�t _�s_�y_�n_�c = no

sync always (S) This is a boolean parameter that controls whether  writes  will always be  written  to  stable  storage  before  the write call returns. If this is n�no�o then the server will be  guided  by  the client's request in each write call (clients can set a bit indi-             cating that a particular write should be synchronous). If this is y�ye�es�s  then every write will be followed by a f�fs�sy�yn�nc�c(��)  call to              ensure the data is written to disk. Note that the  _�s_�t_�r_�i_�c_�t  _�s_�y_�n_�c parameter must be set to y�ye�es�s in order for this parameter to have any affect.

Default: _�s_�y_�n_�c _�a_�l_�w_�a_�y_�s = no

syslog (G) This parameter maps how Samba debug messages are logged onto the system syslog  logging levels. Samba debug level zero maps onto syslog L�LO�OG�G_�_E�ER�RR�R, debug level one maps  onto  L�LO�OG�G_�_W�WA�AR�RN�NI�IN�NG�G,  debug level two  maps  onto  L�LO�OG�G_�_N�NO�OT�TI�IC�CE�E,  debug level three maps onto LOG_INFO. All higher levels are mapped to L�LO�OG�G_�_D�DE�EB�BU�UG�G.

This parameter sets the threshold for sending messages to  sys- log. Only messages with debug level less than this value will be             sent to syslog.

Default: _�s_�y_�s_�l_�o_�g = 1

syslog only (G) If this parameter is set then Samba debug messages  are  logged into the system syslog only, and not to the debug log files.

Default: _�s_�y_�s_�l_�o_�g _�o_�n_�l_�y = no