Woozle: splitting into subpages

2010-09-05T16:03:01Z

splitting into subpages

New page

unix charset (G)
Specifies the charset the unix machine Samba runs on uses. Samba
needs to know this in order to be able to convert text to the
charsets other SMB clients use.

This is also the charset Samba will use when specifying argu-
ments to scripts that it invokes.

Default: _�u_�n_�i_�x _�c_�h_�a_�r_�s_�e_�t = UTF8

Example: _�u_�n_�i_�x _�c_�h_�a_�r_�s_�e_�t = ASCII

unix extensions (G)
This boolean parameter controls whether Samba implments the CIFS
UNIX extensions, as defined by HP. These extensions enable Samba
to better serve UNIX CIFS clients by supporting features such as
symbolic links, hard links, etc... These extensions require a
similarly enabled client, and are of no current use to Windows
clients.

Default: _�u_�n_�i_�x _�e_�x_�t_�e_�n_�s_�i_�o_�n_�s = yes

unix password sync (G)
This boolean parameter controls whether Samba attempts to syn-
chronize the UNIX password with the SMB password when the
encrypted SMB password in the smbpasswd file is changed. If this
is set to y�ye�es�s the program specified in the _�p_�a_�s_�s_�w_�d _�p_�r_�o_�g_�r_�a_�mparame-
ter is called A�AS�S R�RO�OO�OT�T - to allow the new UNIX password to be set
without access to the old UNIX password (as the SMB password
change code has no access to the old password cleartext, only
the new).

Default: _�u_�n_�i_�x _�p_�a_�s_�s_�w_�o_�r_�d _�s_�y_�n_�c = no

update encrypted (G)
This boolean parameter allows a user logging on with a plaintext
password to have their encrypted (hashed) password in the smb-
passwd file to be updated automatically as they log on. This
option allows a site to migrate from plaintext password authen-
tication (users authenticate with plaintext password over the
wire, and are checked against a UNIX account database) to
encrypted password authentication (the SMB challenge/response
authentication mechanism) without forcing all users to re-enter
their passwords via smbpasswd at the time the change is made.
This is a convenience option to allow the change over to
encrypted passwords to be made over a longer period. Once all
users have encrypted representations of their passwords in the
smbpasswd file this parameter should be set to n�no�o.

In order for this parameter to work correctly the _�e_�n_�c_�r_�y_�p_�t _�p_�a_�s_�s_�-
_�w_�o_�r_�d_�s parameter must be set to n�no�o when this parameter is set to
y�ye�es�s.

Note that even when this parameter is set a user authenticating
to s�sm�mb�bd�d must still enter a valid password in order to connect
correctly, and to update their hashed (smbpasswd) passwords.

Default: _�u_�p_�d_�a_�t_�e _�e_�n_�c_�r_�y_�p_�t_�e_�d = no

use client driver (S)
This parameter applies only to Windows NT/2000 clients. It has
no effect on Windows 95/98/ME clients. When serving a printer to
Windows NT/2000 clients without first installing a valid printer
driver on the Samba host, the client will be required to install
a local printer driver. From this point on, the client will
treat the print as a local printer and not a network printer
connection. This is much the same behavior that will occur when
d�di�is�sa�ab�bl�le�e s�sp�po�oo�ol�ls�ss�s =�= y�ye�es�s.

The differentiating factor is that under normal circumstances,
the NT/2000 client will attempt to open the network printer
using MS-RPC. The problem is that because the client considers
the printer to be local, it will attempt to issue the OpenPrint-
erEx() call requesting access rights associated with the logged
on user. If the user possesses local administator rights but not
root privilegde on the Samba host (often the case), the Open-
PrinterEx() call will fail. The result is that the client will
now display an "Access Denied; Unable to connect" message in the
printer queue window (even though jobs may successfully be
printed).

If this parameter is enabled for a printer, then any attempt to
open the printer with the PRINTER_ACCESS_ADMINISTER right is
mapped to PRINTER_ACCESS_USE instead. Thus allowing the Open-
PrinterEx() call to succeed. T�Th�hi�is�s p�pa�ar�ra�am�me�et�te�er�r M�MU�US�ST�T n�no�ot�t b�be�e a�ab�bl�le�e
e�en�na�ab�bl�le�ed�d o�on�n a�a p�pr�ri�in�nt�t s�sh�ha�ar�re�e w�wh�hi�ic�ch�h h�ha�as�s v�va�al�li�id�d p�pr�ri�in�nt�t d�dr�ri�iv�ve�er�r i�in�ns�st�ta�al�ll�le�ed�d
o�on�n t�th�he�e S�Sa�am�mb�ba�a s�se�er�rv�ve�er�r.�.

Default: _�u_�s_�e _�c_�l_�i_�e_�n_�t _�d_�r_�i_�v_�e_�r = no

use kerberos keytab (G)
Specifies whether Samba should attempt to maintain service prin-
cipals in the systems keytab file for h�ho�os�st�t/�/F�FQ�QD�DN�N and c�ci�if�fs�s/�/F�FQ�QD�DN�N.

When you are using the heimdal Kerberos libraries, you must also
specify the following in _�/_�e_�t_�c_�/_�k_�r_�b_�5_�._�c_�o_�n_�f:

[libdefaults]
default_keytab_name = FILE:/etc/krb5.keytab
Default: _�u_�s_�e _�k_�e_�r_�b_�e_�r_�o_�s _�k_�e_�y_�t_�a_�b = False

use mmap (G)
This global parameter determines if the tdb internals of Samba
can depend on mmap working correctly on the running system.
Samba requires a coherent mmap/read-write system memory cache.
Currently only HPUX does not have such a coherent cache, and so
this parameter is set to n�no�o by default on HPUX. On all other
systems this parameter should be left alone. This parameter is
provided to help the Samba developers track down problems with
the tdb internal code.

Default: _�u_�s_�e _�m_�m_�a_�p = yes

user This parameter is a synonym for username.

users This parameter is a synonym for username.

username (S)
Multiple users may be specified in a comma-delimited list, in
which case the supplied password will be tested against each
username in turn (left to right).

The _�u_�s_�e_�r_�n_�a_�m_�e line is needed only when the PC is unable to supply
its own username. This is the case for the COREPLUS protocol or
where your users have different WfWg usernames to UNIX user-
names. In both these cases you may also be better using the
\\server\share%user syntax instead.

The _�u_�s_�e_�r_�n_�a_�m_�e line is not a great solution in many cases as it
means Samba will try to validate the supplied password against
each of the usernames in the _�u_�s_�e_�r_�n_�a_�m_�e line in turn. This is slow
and a bad idea for lots of users in case of duplicate passwords.
You may get timeouts or security breaches using this parameter
unwisely.

Samba relies on the underlying UNIX security. This parameter
does not restrict who can login, it just offers hints to the
Samba server as to what usernames might correspond to the sup-
plied password. Users can login as whoever they please and they
will be able to do no more damage than if they started a telnet
session. The daemon runs as the user that they log in as, so
they cannot do anything that user cannot do.

To restrict a service to a particular set of users you can use
the _�v_�a_�l_�i_�d _�u_�s_�e_�r_�s parameter.

If any of the usernames begin with a '@' then the name will be
looked up first in the NIS netgroups list (if Samba is compiled
with netgroup support), followed by a lookup in the UNIX groups
database and will expand to a list of all users in the group of
that name.

If any of the usernames begin with a '+' then the name will be
looked up only in the UNIX groups database and will expand to a
list of all users in the group of that name.

If any of the usernames begin with a '&' then the name will be
looked up only in the NIS netgroups database (if Samba is com-
piled with netgroup support) and will expand to a list of all
users in the netgroup group of that name.

Note that searching though a groups database can take quite some
time, and some clients may time out during the search.

See the section NOTE ABOUT USERNAME/PASSWORD VALIDATION for more
information on how this parameter determines access to the ser-
vices.

Default: _�u_�s_�e_�r_�n_�a_�m_�e = # The guest account if a guest service, else
<empty string>.

Example: _�u_�s_�e_�r_�n_�a_�m_�e = fred, mary, jack, jane, @users, @pcgroup

username level (G)
This option helps Samba to try and 'guess' at the real UNIX
username, as many DOS clients send an all-uppercase username. By
default Samba tries all lowercase, followed by the username with
the first letter capitalized, and fails if the username is not
found on the UNIX machine.

If this parameter is set to non-zero the behavior changes. This
parameter is a number that specifies the number of uppercase
combinations to try while trying to determine the UNIX user
name. The higher the number the more combinations will be tried,
but the slower the discovery of usernames will be. Use this
parameter when you have strange usernames on your UNIX machine,
such as A�As�st�tr�ra�an�ng�ge�eU�Us�se�er�r .

This parameter is needed only on UNIX systems that have case
sensitive usernames.

Default: _�u_�s_�e_�r_�n_�a_�m_�e _�l_�e_�v_�e_�l = 0

Example: _�u_�s_�e_�r_�n_�a_�m_�e _�l_�e_�v_�e_�l = 5

username map (G)
This option allows you to specify a file containing a mapping of
usernames from the clients to the server. This can be used for
several purposes. The most common is to map usernames that users
use on DOS or Windows machines to those that the UNIX box uses.
The other is to map multiple users to a single username so that
they can more easily share files.

The map file is parsed line by line. Each line should contain a
single UNIX username on the left then a '=' followed by a list
of usernames on the right. The list of usernames on the right
may contain names of the form @group in which case they will
match any UNIX username in that group. The special client name
'*' is a wildcard and matches any name. Each line of the map
file may be up to 1023 characters long.

The file is processed on each line by taking the supplied user-
name and comparing it with each username on the right hand side
of the '=' signs. If the supplied name matches any of the names
on the right hand side then it is replaced with the name on the
left. Processing then continues with the next line.

If any line begins with a '#' or a ';' then it is ignored

If any line begins with an '!' then the processing will stop
after that line if a mapping was done by the line. Otherwise
mapping continues with every line being processed. Using '!' is
most useful when you have a wildcard mapping line later in the
file.

For example to map from the name a�ad�dm�mi�in�n or a�ad�dm�mi�in�ni�is�st�tr�ra�at�to�or�r to the
UNIX name r�ro�oo�ot�t you would use:

r�ro�oo�ot�t =�= a�ad�dm�mi�in�n a�ad�dm�mi�in�ni�is�st�tr�ra�at�to�or�r

Or to map anyone in the UNIX group s�sy�ys�st�te�em�m to the UNIX name s�sy�ys�s
you would use:

s�sy�ys�s =�= @�@s�sy�ys�st�te�em�m

You can have as many mappings as you like in a username map
file.

If your system supports the NIS NETGROUP option then the net-
group database is checked before the _�/_�e_�t_�c_�/_�g_�r_�o_�u_�p database for
matching groups.

You can map Windows usernames that have spaces in them by using
double quotes around the name. For example:

t�tr�ri�id�dg�ge�e =�= "�"A�An�nd�dr�re�ew�w T�Tr�ri�id�dg�ge�el�ll�l"�"

would map the windows username "Andrew Tridgell" to the unix
username "tridge".

The following example would map mary and fred to the unix user
sys, and map the rest to guest. Note the use of the '!' to tell
Samba to stop processing if it gets a match on that line.

!sys = mary fred
guest = *

Note that the remapping is applied to all occurrences of user-
names. Thus if you connect to \\server\fred and f�fr�re�ed�d is
remapped to m�ma�ar�ry�y then you will actually be connecting to
\\server\mary and will need to supply a password suitable for
m�ma�ar�ry�y not f�fr�re�ed�d. The only exception to this is the username passed
to the _�p_�a_�s_�s_�w_�o_�r_�d _�s_�e_�r_�v_�e_�r (if you have one). The password server
will receive whatever username the client supplies without modi-
fication.

Also note that no reverse mapping is done. The main effect this
has is with printing. Users who have been mapped may have trou-
ble deleting print jobs as PrintManager under WfWg will think
they don't own the print job.

Samba versions prior to 3.0.8 would only support reading the
fully qualified username (e.g.: DOMAIN\user) from the username
map when performing a kerberos login from a client. However,
when looking up a map entry for a user authenticated by
NTLM[SSP], only the login name would be used for matches. This
resulted in inconsistent behavior sometimes even on the same
server.

The following functionality is obeyed in version 3.0.8 and
later:

When performing local authentication, the username map is
applied to the login name before attempting to authenticate the
connection.

When relying upon a external domain controller for validating
authentication requests, smbd will apply the username map to the
fully qualified username (i.e. DOMAIN\user) only after the user
has been successfully authenticated.

Default: _�u_�s_�e_�r_�n_�a_�m_�e _�m_�a_�p = # no username map

Example: _�u_�s_�e_�r_�n_�a_�m_�e _�m_�a_�p = /usr/local/samba/lib/users.map

use sendfile (S)
If this parameter is y�ye�es�s, and the s�se�en�nd�df�fi�il�le�e(�()�) system call is sup-
ported by the underlying operating system, then some SMB read
calls (mainly ReadAndX and ReadRaw) will use the more efficient
sendfile system call for files that are exclusively oplocked.
This may make more efficient use of the system CPU's and cause
Samba to be faster. Samba automatically turns this off for
clients that use protocol levels lower than NT LM 0.12 and when
it detects a client is Windows 9x (using sendfile from Linux
will cause these clients to fail).

Default: _�u_�s_�e _�s_�e_�n_�d_�f_�i_�l_�e = yes

use spnego (G)
This variable controls controls whether samba will try to use
Simple and Protected NEGOciation (as specified by rfc2478) with
WindowsXP and Windows2000 clients to agree upon an authentica-
tion mechanism.

Unless further issues are discovered with our SPNEGO implementa-
tion, there is no reason this should ever be disabled.

Default: _�u_�s_�e _�s_�p_�n_�e_�g_�o = yes

utmp (G)
This boolean parameter is only available if Samba has been con-
figured and compiled with the option -�--�-w�wi�it�th�h-�-u�ut�tm�mp�p. If set to y�ye�es�s
then Samba will attempt to add utmp or utmpx records (depending
on the UNIX system) whenever a connection is made to a Samba
server. Sites may use this to record the user connecting to a
Samba share.

Due to the requirements of the utmp record, we are required to
create a unique identifier for the incoming user. Enabling this
option creates an n^2 algorithm to find this number. This may
impede performance on large installations.

Default: _�u_�t_�m_�p = no

utmp directory (G)
This parameter is only available if Samba has been configured
and compiled with the option -�--�-w�wi�it�th�h-�-u�ut�tm�mp�p. It specifies a direc-
tory pathname that is used to store the utmp or utmpx files
(depending on the UNIX system) that record user connections to a
Samba server. By default this is not set, meaning the system
will use whatever utmp file the native system is set to use
(usually_�/_�v_�a_�r_�/_�r_�u_�n_�/_�u_�t_�m_�p on Linux).

Default: _�u_�t_�m_�p _�d_�i_�r_�e_�c_�t_�o_�r_�y = # Determined automatically

Example: _�u_�t_�m_�p _�d_�i_�r_�e_�c_�t_�o_�r_�y = /var/run/utmp

smb.conf/manpage/2006/parameters/U - Revision history

Woozle: splitting into subpages