unix charset (G) Specifies the charset the unix machine Samba runs on uses. Samba needs to know this in order to be able to convert text to the charsets other SMB clients use.
This is also the charset Samba will use when specifying argu- ments to scripts that it invokes.
Default: _�u_�n_�i_�x _�c_�h_�a_�r_�s_�e_�t = UTF8
Example: _�u_�n_�i_�x _�c_�h_�a_�r_�s_�e_�t = ASCII
unix extensions (G) This boolean parameter controls whether Samba implments the CIFS UNIX extensions, as defined by HP. These extensions enable Samba to better serve UNIX CIFS clients by supporting features such as symbolic links, hard links, etc... These extensions require a similarly enabled client, and are of no current use to Windows clients.
Default: _�u_�n_�i_�x _�e_�x_�t_�e_�n_�s_�i_�o_�n_�s = yes
unix password sync (G) This boolean parameter controls whether Samba attempts to syn- chronize the UNIX password with the SMB password when the encrypted SMB password in the smbpasswd file is changed. If this is set to y�ye�es�s the program specified in the _�p_�a_�s_�s_�w_�d _�p_�r_�o_�g_�r_�a_�mparame- ter is called A�AS�S R�RO�OO�OT�T - to allow the new UNIX password to be set without access to the old UNIX password (as the SMB password change code has no access to the old password cleartext, only the new).
Default: _�u_�n_�i_�x _�p_�a_�s_�s_�w_�o_�r_�d _�s_�y_�n_�c = no
update encrypted (G) This boolean parameter allows a user logging on with a plaintext password to have their encrypted (hashed) password in the smb- passwd file to be updated automatically as they log on. This option allows a site to migrate from plaintext password authen- tication (users authenticate with plaintext password over the wire, and are checked against a UNIX account database) to encrypted password authentication (the SMB challenge/response authentication mechanism) without forcing all users to re-enter their passwords via smbpasswd at the time the change is made. This is a convenience option to allow the change over to encrypted passwords to be made over a longer period. Once all users have encrypted representations of their passwords in the smbpasswd file this parameter should be set to n�no�o.
In order for this parameter to work correctly the _�e_�n_�c_�r_�y_�p_�t _�p_�a_�s_�s_�- _�w_�o_�r_�d_�s parameter must be set to n�no�o when this parameter is set to y�ye�es�s.
Note that even when this parameter is set a user authenticating to s�sm�mb�bd�d must still enter a valid password in order to connect correctly, and to update their hashed (smbpasswd) passwords.
Default: _�u_�p_�d_�a_�t_�e _�e_�n_�c_�r_�y_�p_�t_�e_�d = no
use client driver (S) This parameter applies only to Windows NT/2000 clients. It has no effect on Windows 95/98/ME clients. When serving a printer to Windows NT/2000 clients without first installing a valid printer driver on the Samba host, the client will be required to install a local printer driver. From this point on, the client will treat the print as a local printer and not a network printer connection. This is much the same behavior that will occur when d�di�is�sa�ab�bl�le�e s�sp�po�oo�ol�ls�ss�s =�= y�ye�es�s.
The differentiating factor is that under normal circumstances, the NT/2000 client will attempt to open the network printer using MS-RPC. The problem is that because the client considers the printer to be local, it will attempt to issue the OpenPrint- erEx() call requesting access rights associated with the logged on user. If the user possesses local administator rights but not root privilegde on the Samba host (often the case), the Open- PrinterEx() call will fail. The result is that the client will now display an "Access Denied; Unable to connect" message in the printer queue window (even though jobs may successfully be printed).
If this parameter is enabled for a printer, then any attempt to open the printer with the PRINTER_ACCESS_ADMINISTER right is mapped to PRINTER_ACCESS_USE instead. Thus allowing the Open- PrinterEx() call to succeed. T�Th�hi�is�s p�pa�ar�ra�am�me�et�te�er�r M�MU�US�ST�T n�no�ot�t b�be�e a�ab�bl�le�e e�en�na�ab�bl�le�ed�d o�on�n a�a p�pr�ri�in�nt�t s�sh�ha�ar�re�e w�wh�hi�ic�ch�h h�ha�as�s v�va�al�li�id�d p�pr�ri�in�nt�t d�dr�ri�iv�ve�er�r i�in�ns�st�ta�al�ll�le�ed�d o�on�n t�th�he�e S�Sa�am�mb�ba�a s�se�er�rv�ve�er�r.�.
Default: _�u_�s_�e _�c_�l_�i_�e_�n_�t _�d_�r_�i_�v_�e_�r = no
use kerberos keytab (G) Specifies whether Samba should attempt to maintain service prin- cipals in the systems keytab file for h�ho�os�st�t/�/F�FQ�QD�DN�N and c�ci�if�fs�s/�/F�FQ�QD�DN�N.
When you are using the heimdal Kerberos libraries, you must also specify the following in _�/_�e_�t_�c_�/_�k_�r_�b_�5_�._�c_�o_�n_�f:
[libdefaults] default_keytab_name = FILE:/etc/krb5.keytab Default: _�u_�s_�e _�k_�e_�r_�b_�e_�r_�o_�s _�k_�e_�y_�t_�a_�b = False
use mmap (G) This global parameter determines if the tdb internals of Samba can depend on mmap working correctly on the running system. Samba requires a coherent mmap/read-write system memory cache. Currently only HPUX does not have such a coherent cache, and so this parameter is set to n�no�o by default on HPUX. On all other systems this parameter should be left alone. This parameter is provided to help the Samba developers track down problems with the tdb internal code.
Default: _�u_�s_�e _�m_�m_�a_�p = yes
user This parameter is a synonym for username.
users This parameter is a synonym for username.
username (S) Multiple users may be specified in a comma-delimited list, in which case the supplied password will be tested against each username in turn (left to right).
The _�u_�s_�e_�r_�n_�a_�m_�e line is needed only when the PC is unable to supply its own username. This is the case for the COREPLUS protocol or where your users have different WfWg usernames to UNIX user- names. In both these cases you may also be better using the \\server\share%user syntax instead.
The _�u_�s_�e_�r_�n_�a_�m_�e line is not a great solution in many cases as it means Samba will try to validate the supplied password against each of the usernames in the _�u_�s_�e_�r_�n_�a_�m_�e line in turn. This is slow and a bad idea for lots of users in case of duplicate passwords. You may get timeouts or security breaches using this parameter unwisely.
Samba relies on the underlying UNIX security. This parameter does not restrict who can login, it just offers hints to the Samba server as to what usernames might correspond to the sup- plied password. Users can login as whoever they please and they will be able to do no more damage than if they started a telnet session. The daemon runs as the user that they log in as, so they cannot do anything that user cannot do.
To restrict a service to a particular set of users you can use the _�v_�a_�l_�i_�d _�u_�s_�e_�r_�s parameter.
If any of the usernames begin with a '@' then the name will be looked up first in the NIS netgroups list (if Samba is compiled with netgroup support), followed by a lookup in the UNIX groups database and will expand to a list of all users in the group of that name.
If any of the usernames begin with a '+' then the name will be looked up only in the UNIX groups database and will expand to a list of all users in the group of that name.
If any of the usernames begin with a '&' then the name will be looked up only in the NIS netgroups database (if Samba is com- piled with netgroup support) and will expand to a list of all users in the netgroup group of that name.
Note that searching though a groups database can take quite some time, and some clients may time out during the search.
See the section NOTE ABOUT USERNAME/PASSWORD VALIDATION for more information on how this parameter determines access to the ser- vices.
Default: _�u_�s_�e_�r_�n_�a_�m_�e = # The guest account if a guest service, else <empty string>.
Example: _�u_�s_�e_�r_�n_�a_�m_�e = fred, mary, jack, jane, @users, @pcgroup
username level (G) This option helps Samba to try and 'guess' at the real UNIX username, as many DOS clients send an all-uppercase username. By default Samba tries all lowercase, followed by the username with the first letter capitalized, and fails if the username is not found on the UNIX machine.
If this parameter is set to non-zero the behavior changes. This parameter is a number that specifies the number of uppercase combinations to try while trying to determine the UNIX user name. The higher the number the more combinations will be tried, but the slower the discovery of usernames will be. Use this parameter when you have strange usernames on your UNIX machine, such as A�As�st�tr�ra�an�ng�ge�eU�Us�se�er�r .
This parameter is needed only on UNIX systems that have case sensitive usernames.
Default: _�u_�s_�e_�r_�n_�a_�m_�e _�l_�e_�v_�e_�l = 0
Example: _�u_�s_�e_�r_�n_�a_�m_�e _�l_�e_�v_�e_�l = 5
username map (G) This option allows you to specify a file containing a mapping of usernames from the clients to the server. This can be used for several purposes. The most common is to map usernames that users use on DOS or Windows machines to those that the UNIX box uses. The other is to map multiple users to a single username so that they can more easily share files.
The map file is parsed line by line. Each line should contain a single UNIX username on the left then a '=' followed by a list of usernames on the right. The list of usernames on the right may contain names of the form @group in which case they will match any UNIX username in that group. The special client name '*' is a wildcard and matches any name. Each line of the map file may be up to 1023 characters long.
The file is processed on each line by taking the supplied user- name and comparing it with each username on the right hand side of the '=' signs. If the supplied name matches any of the names on the right hand side then it is replaced with the name on the left. Processing then continues with the next line.
If any line begins with a '#' or a ';' then it is ignored
If any line begins with an '!' then the processing will stop after that line if a mapping was done by the line. Otherwise mapping continues with every line being processed. Using '!' is most useful when you have a wildcard mapping line later in the file.
For example to map from the name a�ad�dm�mi�in�n or a�ad�dm�mi�in�ni�is�st�tr�ra�at�to�or�r to the UNIX name r�ro�oo�ot�t you would use:
r�ro�oo�ot�t =�= a�ad�dm�mi�in�n a�ad�dm�mi�in�ni�is�st�tr�ra�at�to�or�r
Or to map anyone in the UNIX group s�sy�ys�st�te�em�m to the UNIX name s�sy�ys�s you would use:
s�sy�ys�s =�= @�@s�sy�ys�st�te�em�m
You can have as many mappings as you like in a username map file.
If your system supports the NIS NETGROUP option then the net- group database is checked before the _�/_�e_�t_�c_�/_�g_�r_�o_�u_�p database for matching groups.
You can map Windows usernames that have spaces in them by using double quotes around the name. For example:
t�tr�ri�id�dg�ge�e =�= "�"A�An�nd�dr�re�ew�w T�Tr�ri�id�dg�ge�el�ll�l"�"
would map the windows username "Andrew Tridgell" to the unix username "tridge".
The following example would map mary and fred to the unix user sys, and map the rest to guest. Note the use of the '!' to tell Samba to stop processing if it gets a match on that line.
!sys = mary fred guest = *
Note that the remapping is applied to all occurrences of user- names. Thus if you connect to \\server\fred and f�fr�re�ed�d is remapped to m�ma�ar�ry�y then you will actually be connecting to \\server\mary and will need to supply a password suitable for m�ma�ar�ry�y not f�fr�re�ed�d. The only exception to this is the username passed to the _�p_�a_�s_�s_�w_�o_�r_�d _�s_�e_�r_�v_�e_�r (if you have one). The password server will receive whatever username the client supplies without modi- fication.
Also note that no reverse mapping is done. The main effect this has is with printing. Users who have been mapped may have trou- ble deleting print jobs as PrintManager under WfWg will think they don't own the print job.
Samba versions prior to 3.0.8 would only support reading the fully qualified username (e.g.: DOMAIN\user) from the username map when performing a kerberos login from a client. However, when looking up a map entry for a user authenticated by NTLM[SSP], only the login name would be used for matches. This resulted in inconsistent behavior sometimes even on the same server.
The following functionality is obeyed in version 3.0.8 and later:
When performing local authentication, the username map is applied to the login name before attempting to authenticate the connection.
When relying upon a external domain controller for validating authentication requests, smbd will apply the username map to the fully qualified username (i.e. DOMAIN\user) only after the user has been successfully authenticated.
Default: _�u_�s_�e_�r_�n_�a_�m_�e _�m_�a_�p = # no username map
Example: _�u_�s_�e_�r_�n_�a_�m_�e _�m_�a_�p = /usr/local/samba/lib/users.map
use sendfile (S) If this parameter is y�ye�es�s, and the s�se�en�nd�df�fi�il�le�e(�()�) system call is sup- ported by the underlying operating system, then some SMB read calls (mainly ReadAndX and ReadRaw) will use the more efficient sendfile system call for files that are exclusively oplocked. This may make more efficient use of the system CPU's and cause Samba to be faster. Samba automatically turns this off for clients that use protocol levels lower than NT LM 0.12 and when it detects a client is Windows 9x (using sendfile from Linux will cause these clients to fail).
Default: _�u_�s_�e _�s_�e_�n_�d_�f_�i_�l_�e = yes
use spnego (G) This variable controls controls whether samba will try to use Simple and Protected NEGOciation (as specified by rfc2478) with WindowsXP and Windows2000 clients to agree upon an authentica- tion mechanism.
Unless further issues are discovered with our SPNEGO implementa- tion, there is no reason this should ever be disabled.
Default: _�u_�s_�e _�s_�p_�n_�e_�g_�o = yes
utmp (G) This boolean parameter is only available if Samba has been con- figured and compiled with the option -�--�-w�wi�it�th�h-�-u�ut�tm�mp�p. If set to y�ye�es�s then Samba will attempt to add utmp or utmpx records (depending on the UNIX system) whenever a connection is made to a Samba server. Sites may use this to record the user connecting to a Samba share.
Due to the requirements of the utmp record, we are required to create a unique identifier for the incoming user. Enabling this option creates an n^2 algorithm to find this number. This may impede performance on large installations.
Default: _�u_�t_�m_�p = no
utmp directory (G) This parameter is only available if Samba has been configured and compiled with the option -�--�-w�wi�it�th�h-�-u�ut�tm�mp�p. It specifies a direc- tory pathname that is used to store the utmp or utmpx files (depending on the UNIX system) that record user connections to a Samba server. By default this is not set, meaning the system will use whatever utmp file the native system is set to use (usually_�/_�v_�a_�r_�/_�r_�u_�n_�/_�u_�t_�m_�p on Linux).
Default: _�u_�t_�m_�p _�d_�i_�r_�e_�c_�t_�o_�r_�y = # Determined automatically
Example: _�u_�t_�m_�p _�d_�i_�r_�e_�c_�t_�o_�r_�y = /var/run/utmp