smb.conf
Overview
smb.conf is the main configuration file for the Samba server, which provides Windows "Network Neighborhood" shares on Linux (and possibly on other non-Windows operating systems).
Parameters
[global]
- abort shutdown script
- acl compatibility
- add group script
- add machine script
- add port command
- addprinter command
- add share command
- add user script
- add user to group script
- afs username map
- algorithmic rid base
- allow trusted domains
- announce as
- announce version
- auth methods
- bind interfaces only
- browse list
- cache directory
- change share command
- check password script
- client lanman auth
- client ldap sasl wrapping
- client ntlmv2 auth
- client plaintext auth
- client schannel
- client signing
- client use spnego
- cluster addresses
- clustering
- config backend
- config file
- ctdbd socket
- cups connection timeout
- cups server
- deadtime
- debug class
- debug hires timestamp
- debug pid
- debug prefix timestamp
- debug timestamp
- debug uid
- dedicated keytab file
- default service
- defer sharing violations
- delete group script
- deleteprinter command
- delete share command
- delete user from group script
- delete user script
- disable netbios
- disable spoolss
- display charset
- dns proxy
- domain logons
- domain master
- dos charset
- dos filemode
- enable asu support
- enable core files
- enable privileges
- enable spoolss
- encrypt passwords
- enhanced browsing
- enumports command
- eventlog list
- get quota command
- getwd cache
- guest account
- homedir map
- host msdfs
- hostname lookups
- idmap alloc backend
- idmap alloc config
- idmap backend
- idmap cache time
- idmap config
- idmap gid
- idmap negative cache time
- include - can actually go anywhere
- init logon delayed hosts
- init logon delay
- interfaces
- iprint server
- keepalive
- kerberos method
- kernel oplocks
- lanman auth
- large readwrite
- ldap admin dn
- ldap connection timeout
- ldap debug level
- ldap debug threshold
- ldap delete dn
- ldap group suffix
- ldap idmap suffix
- ldap machine suffix
- ldap page size
- ldap passwd sync
- ldap replication sleep
- ldapsam:editposix
- ldapsam:trusted
- ldap ssl ads
- ldap ssl
- ldap suffix
- ldap timeout
- ldap user suffix
- lm announce
- lm interval
- load printers
- local master
- lock directory
- lock spin count
- lock spin time
- log file
- log level
- logon drive
- logon home
- logon path
- logon script
- lpq cache time
- machine password timeout
- mangle prefix
- mangling method
- map to guest
- map untrusted to domain
- max disk size
- max log size
- max mux
- max open files
- max protocol
- max smbd processes
- max stat cache size
- max ttl
- max wins ttl
- max xmit
- message command
- min protocol
- min receivefile size
- min wins ttl
- name cache timeout
- name resolve order
- netbios aliases
- netbios name
- netbios scope
- nis homedir
- ntlm auth
- nt pipe support
- nt status support
- null passwords
- obey pam restrictions
- oplock break wait time
- os2 driver map
- os level
- pam password change
- panic action
- paranoid server security
- passdb backend
- passdb expand explicit
- passwd chat debug
- passwd chat timeout
- passwd chat
- passwd program
- password level
- password server
- perfcount module
- pid directory
- preferred master
- preload modules
- preload
- printcap cache time
- printcap name
- private dir
- read raw
- realm
- registry shares
- remote announce
- remote browse sync
- rename user script
- reset on zero vc
- restrict anonymous
- root directory
- security
- server schannel
- server signing
- server string
- set primary group script
- set quota command
- share:fake_fscaps
- show add printer wizard
- shutdown script
- smb passwd file
- smb ports
- socket address
- socket options
- stat cache
- state directory
- svcctl list
- syslog only
- syslog
- template homedir
- template shell
- time offset
- time server
- unix charset
- unix extensions
- unix password sync
- update encrypted
- use mmap
- username level
- username map script
- username map
- usershare allow guests
- usershare max shares
- usershare owner only
- usershare path
- usershare prefix allow list
- usershare prefix deny list
- usershare template share
- use spnego
- utmp directory
- utmp
- winbind cache time
- winbind enum groups
- winbind enum users
- winbind expand groups
- winbind nested groups
- winbind normalize names
- winbind nss info
- winbind offline logon
- winbind reconnect delay
- winbind refresh tickets
- winbind rpc only
- winbind separator
- winbind trusted domains only
- winbind use default domain
- wins hook
- wins proxy
- wins server
- wins support
- workgroup
- write raw
- wtmp directory
[printers]
see /printers
[homes]
- access based share enum
- acl check permissions
- acl group control
- acl map full control
- administrative share
- admin users
- afs share
- aio read size
- aio write behind
- aio write size
- allocation roundup size
- available
- blocking locks
- block size
- browseable
- case sensitive
- change notify
- comment
- copy
- create mask
- csc policy
- cups options
- default case
- default devmode
- delete readonly
- delete veto files
- dfree cache time
- dfree command
- directory mask
- directory name cache size
- directory security mask
- dmapi support
- dont descend
- dos filetime resolution
- dos filetimes
- ea support
- fake directory create times
- fake oplocks
- follow symlinks
- force create mode
- force directory mode
- force directory security mode
- force group
- force printername
- force security mode
- force unknown acl user
- force user
- fstype
- guest ok
- guest only
- hide dot files
- hide files
- hide special files
- hide unreadable
- hide unwriteable files
- hosts allow
- hosts deny
- inherit acls
- inherit owner
- inherit permissions
- invalid users
- kernel change notify
- level2 oplocks
- locking
- lppause command
- lpq command
- lpresume command
- lprm command
- magic output
- magic script
- mangled names
- mangling char
- map acl inherit
- map archive
- map hidden
- map read only
- map system
- max connections
- max print jobs
- max reported print jobs
- min print space
- msdfs proxy
- msdfs root
- nt acl support
- only user
- oplock contention limit
- oplocks
- path
- posix locking
- postexec
- preexec close
- preexec
- preserve case
- printable
- print command
- printer admin
- printer name
- printing
- printjob username
- profile acls
- queuepause command
- queueresume command
- read list
- read only
- root postexec
- root preexec close
- root preexec
- security mask
- set directory
- share modes
- short preserve case
- smb encrypt
- store dos attributes
- strict allocate
- strict locking
- strict sync
- sync always
- use client driver
- username
- use sendfile
- valid users
- -valid
- veto files
- veto oplock files
- vfs objects
- volume
- wide links
- writeable
- write cache size
- write list
aliases
These parameters are aliases for other parameters. Use the real name where possible.
- allow hosts → hosts allow
- auto services → preload
- browsable → browseable
- casesignames → case sensitive
- create mode → create mask
- debuglevel → log level
- default → default service
- deny hosts → hosts deny
- directory → path
- directory mode → directory mask
- exec → preexec
- group → force group
- lock dir → lock directory
- only guest → guest only
- prefered master → preferred master
- print ok → printable
- printcap → printcap name
- printer → printer name
- protocol → max protocol
- public → guest ok
- root → root directory
- root dir → root directory
- timestamp logs → debug timestamp
- user → username
- users → username
- vfs object → vfs objects
- winbind gid → idmap gid
- winbind uid → idmap uid
- writable → writeable
- writeable → not read only
Starting with Samba version 3.0.23 the capability for non-root users to add, modify, and delete their own share definitions has been added. This capability is called usershares and is controlled by a set of parameters in the [global] section of the smb.conf. The relevant parameters are:
- usershare allow guests - Controls if usershares can permit guest access.
- usershare max shares - Maximum number of user defined shares allowed.
- usershare owner only - If set only directories owned by the sharing user can be shared.
- usershare path - Points to the directory containing the user defined share definitions. The filesystem permissions on this directory control who can create user defined shares.
- usershare prefix allow list - Comma-separated list of absolute pathnames: only directories below the pathnames in this list are permitted.
- usershare prefix deny list - Comma-separated list of absolute pathnames: directories below the pathnames in this list are prohibited.
- usershare template share - Names a pre-existing share used as a template for creating new usershares. All other share parameters not specified in the user defined share definition are copied from this named share.
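Because the permissions on the usershare path directory decide who may define shares, they are worth checking alongside the smb.conf settings. The following is an added example, not code from the original page or the Samba project; it checks a directory against the requirements in the smb.conf manual page (owned by root, sticky bit set, no access for others), and the path /var/lib/samba/usershares is an assumed location.

```python
import os
import stat

def usershare_dir_problems(mode, uid):
    """Findings for the st_mode / st_uid of the usershare path directory."""
    if not stat.S_ISDIR(mode):
        return ["not a directory"]
    problems = []
    if uid != 0:
        problems.append("not owned by root")
    if mode & stat.S_IRWXO:
        problems.append("accessible to 'other'")
    if not mode & stat.S_ISVTX:
        problems.append("sticky bit not set")
    if not mode & stat.S_IWGRP:
        problems.append("group cannot write, so only root can add usershares")
    return problems

def audit(path="/var/lib/samba/usershares"):  # assumed location
    """Check the directory named by 'usershare path' on this host."""
    try:
        st = os.lstat(path)  # lstat: a symlink is reported, not followed
    except FileNotFoundError:
        return ["missing"]
    return usershare_dir_problems(st.st_mode, st.st_uid)

if __name__ == "__main__":
    print(audit() or "ok")
```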
variable substitutions
Many of the strings that are settable in the config file can take substitutions. For example, the option "path = /tmp/%u" is interpreted as "path = /tmp/john" if the user connected with the username john.
These substitutions are mostly noted in the descriptions below, but there are some general substitutions which apply whenever they might be relevant. These are:
- %U - session username (the username that the client wanted, not necessarily the same as the one they got).
- %G - primary group name of %U.
- %h - the Internet hostname that Samba is running on.
- %m - the NetBIOS name of the client machine (very useful).
- This parameter is not available when Samba listens on port 445, as clients no longer send this information. If you use this macro in an include statement on a domain that has a Samba domain controller be sure to set in the [global] section smb ports = 139. This will cause Samba to not listen on port 445 and will permit include functionality to function as it did with Samba 2.x.
- %L - the NetBIOS name of the server. This allows you to change your config based on what the client calls you. Your server can have a "dual personality".
- %M - the Internet name of the client machine.
- %R - the selected protocol level after protocol negotiation. It can be one of CORE, COREPLUS, LANMAN1, LANMAN2 or NT1.
- %d - the process id of the current server process.
- %a - The architecture of the remote machine. It currently recognizes Samba (Samba), the Linux CIFS file system (CIFSFS), OS/2 (OS2), Windows for Workgroups (WfWg), Windows 9x/ME (Win95), Windows NT (WinNT), Windows 2000 (Win2K), Windows XP (WinXP), Windows XP 64-bit (WinXP64), Windows 2003 including 2003R2 (Win2K3), and Windows Vista (Vista). Anything else will be known as UNKNOWN.
- %I - the IP address of the client machine.
- %i - the local IP address to which a client connected.
- %T - the current date and time.
- %D - name of the domain or workgroup of the current user.
- %w - the winbind separator.
- %$(envvar) - the value of the environment variable envvar.
The following substitutions apply only to some configuration options (only those that are used when a connection has been established):
- %S - the name of the current service, if any.
- %P - the root directory of the current service, if any.
- %u - username of the current service, if any.
- %g - primary group name of %u.
- %H - the home directory of the user given by %u.
- %N - the name of your NIS home directory server. This is obtained from your NIS auto.map entry. If you have not compiled Samba with the --with-automount option, this value will be the same as %L.
- %p - the path of the service's home directory, obtained from your NIS auto.map entry. The NIS auto.map entry is split up as %N:%p.
There are some quite creative things that can be done with these substitutions and other smb.conf options.
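Several of the substitutions above (%U, %m, %L) expand to values the client chose, and %U differs from %u only by case. The following is an added example, not code from the original page or the Samba project; it reports where such macros appear in parameters that name a file, directory or command, resolving the directory and exec aliases from the alias table first. The list of reviewed parameters and the sample configuration are assumptions of this example.

```python
import re

# Aliases from the table above that matter here (alias -> real name).
ALIASES = {"directory": "path", "exec": "preexec"}
# Macros whose value the client chooses, per the descriptions above.
CLIENT_SUPPLIED = {"U": "requested username", "m": "client NetBIOS name",
                   "L": "server name the client used"}
# Assumption of this example: parameters worth reviewing because their
# value names a file, a directory or a command.
REVIEW = ["include", "path", "preexec", "root preexec", "postexec", "root postexec"]

def squash(name):
    """Samba ignores case and whitespace in parameter names."""
    return "".join(name.lower().split())

REAL = {squash(n): n for n in REVIEW}

def lint(text):
    """Return (section, real parameter, macro, meaning) for each finding."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        name, sep, value = line.partition("=")
        key = squash(name)
        param = REAL.get(squash(ALIASES.get(key, key)))
        if not sep or param is None:
            continue
        for macro in re.findall(r"%([A-Za-z])", value):  # case matters: %U is not %u
            if macro in CLIENT_SUPPLIED:
                findings.append((section, param, "%" + macro, CLIENT_SUPPLIED[macro]))
    return findings

# Constructed sample configuration.
SAMPLE = """\
[global]
   include = /etc/samba/%m.conf
[scratch]
   directory = /tmp/%U
   exec = /usr/local/bin/log-connect %u %I
[homes]
   path = /home/%u
"""

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(*finding, sep=" | ")
```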