If a section called [homes] is included in the configuration file, services connecting clients to their home directories can be created on the fly by the server. When the connection request is made, the existing sections are scanned. If a match is found, it is used. If no match is found, the requested section name is treated as a username and looked up in the local password file.
If the name exists and the correct password has been given, a share is created by cloning the [homes] section. For example:. This is a fast and simple way to give a large number of clients access to their home directories with a minimum of fuss. This method of using the [homes] section works well if different users share a client PC. The [homes] section can specify all the parameters a normal service section can specify, though some make more sense than others.
The following is a typical and suitable [homes] section:. An important point is that if guest access is specified in the [homes] section, all home directories will be visible to all clients without a password. In the very unlikely event that this is actually desirable, it is wise to also specify read only access. The browseable flag for auto home directories will be inherited from the global browseable flag, not the [homes] browseable flag. If a [printers] section occurs in the configuration file, users are able to connect to any printer specified in the local host's printcap file.
When a connection request is made, the existing sections are scanned. If no match is found, but a [homes] section exists, it is used as described above. Otherwise, the requested section name is treated as a printer name and the appropriate printcap file is scanned to see if the requested section name is a valid printer share name.
If a match is found, a new printer share is created by cloning the [printers] section. If the share does not permit guest access and no username was given, the username is set to the located printer name.
The [printers] service MUST be printable - if you specify otherwise, the server will refuse to load the configuration file. Typically the path specified is that of a world-writeable spool directory with the sticky bit set on it.
A typical [printers] entry looks like this:. All aliases given for a printer in the printcap file are legitimate printer names as far as the server is concerned. If your printing subsystem doesn't work like that, you will have to set up a pseudo-printcap.
This is a file consisting of one or more lines like this:. Each alias should be an acceptable printer name for your printing subsystem. In the [global] section, specify the new file as your printcap. The server will only recognize names found in your pseudo-printcap, which of course can contain whatever aliases you like. The same technique could be used simply to limit access to a subset of your local printers.
An alias, by the way, is defined as any component of the first entry of a printcap record. Records are separated by newlines, components if there are more than one are separated by vertical bar symbols.
See the printcap name option for more details. Starting with Samba version 3. This capability is called usershares and is controlled by a set of parameters in the [global] section of the smb. The relevant parameters are :. Points to the directory containing the user defined share definitions. The filesystem permissions on this directory control who can create user defined shares. Comma-separated list of absolute pathnames restricting what directories can be shared.
Only directories below the pathnames in this list are permitted. Directories below the pathnames in this list are prohibited. Names a pre-existing share used as a template for creating new usershares. All other share parameters not specified in the user defined share definition are copied from this named share. To allow members of the UNIX group foo to create user defined shares, create the directory to contain the share definitions as follows:. Members of the group foo may then manipulate the user defined shares using the following commands.
Some parameters are specific to the [global] section e. Some parameters are usable in all sections e. All others are permissible only in normal sections. For the purposes of the following descriptions the [homes] and [printers] sections will be considered normal. The letter G in parentheses indicates that a parameter is specific to the [global] section. The letter S indicates that a parameter can be specified in a service specific section. All S parameters can also be specified in the [global] section - in which case they will define the default behavior for all services.
Parameters are arranged here in alphabetical order - this may not create best bedfellows, but at least you can find them! Where there are synonyms, the preferred synonym is described, others refer to the preferred synonym.
Many of the strings that are settable in the config file can take substitutions. These substitutions are mostly noted in the descriptions below, but there are some general substitutions which apply whenever they might be relevant. These are:. This parameter is not available when Samba listens on port , as clients no longer send this information.
This will cause Samba to not listen on port and will permit include functionality to function as it did with Samba 2. This allows you to change your config based on what the client calls you. The architecture of the remote machine. Before 4. The following substitutes apply only to some configuration options only those that are used when a connection has been established :. There are some quite creative things that can be done with these substitutions and other smb.
Samba supports name mangling so that DOS and Windows clients can use files that don't conform to the 8. It can also be set to adjust the case of 8. There are several options that control the way mangling is performed, and they are grouped here rather than listed separately. For the defaults look at the output of the testparm program. If they aren't, Samba must do a filename search and match on passed names.
No Windows or DOS system supports case-sensitive filename so setting this option to auto is that same as setting it to no for them. Default auto. Default lower. See additional notes below. Default yes. By default, Samba 3. There are two levels of registry configuration:. Share definitions stored in registry are used. The registry shares are loaded not at startup but on demand at runtime by smbd. Shares defined in smb. Global smb. This can be activated in two different ways:. This resets everything that has been read from config files to this point and reads the content of the global configuration section from the registry.
This is the recommended method of using registry based configuration. This reads the global options from registry with the same priorities as for an include of a text file. This may be especially useful in cases where an initial configuration is needed to access the registry.
Activation of global registry options automatically activates registry shares. So in the registry only case, shares are loaded on demand only. Note: To make registry-based configurations foolproof at least to a certain extent, the use of lock directory and config backend inside the registry configuration has been disabled: Especially by changing the lock directory inside the registry configuration, one would create a broken setup where the daemons do not see the configuration they loaded once it is active.
More conveniently, the conf subcommand of the net 8 utility offers a dedicated interface to read and write the registry based configuration locally, i. They are applicable to different use cases and scenarios. It is advised to read the documentation of the individual identity mapping modules before choosing a specific scenario to use.
Each identity management module is documented in a separate manual page. Overall, ID mapping configuration should be decided carefully. Changes to the already deployed ID mapping configuration may create the risk of losing access to the data or disclosing the data to the wrong parties. This a full path name to a script called by smbd 8 that should stop a shutdown procedure issued by the shutdown script.
If the connected user possesses the SeRemoteShutdownPrivilege , right, this command will be run as root. The share ACLs which allow or deny the access to the share can be modified using for example the sharesec command or using the appropriate Windows tools. This has parallels to access based enumeration, the main difference being that only share permissions are evaluated, and security descriptors on files contained on the share are not used in computing enumeration access rights.
This boolean parameter controls the behaviour of smbd 8 when receiving a protocol request of "open for execution" from a Windows client. With Samba 3. In Samba 4. If this parameter is set to "True", Samba does not check execute permissions on "open for execution", thus re-establishing the behaviour of Samba 3. This can be useful to smoothen upgrades from older Samba versions to 4.
This setting is not meant to be used as a permanent setting, but as a temporary relief: It is recommended to fix the permissions in the ACLs and reset this parameter to the default after a certain transition period. Please note this parameter is now deprecated in Samba 3. This boolean parameter controls what smbd 8 does on receiving a protocol request of "open for delete" from a Windows client.
If a Windows client doesn't have permissions to delete a file then they expect this to be denied at open time.
POSIX systems normally only detect restrictions on delete by actually attempting to delete the file or directory. As Windows clients can and do "back out" a delete request by unsetting the "delete on close" bit Samba cannot delete the file immediately on "open for delete" request as we cannot restore such a deleted file. With this parameter set to true the default then smbd checks the file system permissions directly on "open for delete" and denies the request without actually deleting the file if the file system permissions would seem to deny it.
This is not perfect, as it's possible a user could have deleted a file without Samba being able to check the permissions correctly, but it is close enough to Windows semantics for mostly correct behaviour. If this parameter is set to "false" Samba doesn't check permissions on "open for delete" and allows the open. If the user doesn't have permission to delete the file this will only be discovered at close time, which is too late for the Windows user tools to display an error message to the user.
The symptom of this is files that appear to have been deleted "magically" re-appearing on a Windows explorer refresh. This is an extremely advanced protocol option which should not need to be changed. This parameter was introduced in its final form in 3. That older version is not documented here.
This option controls the way Samba handles client requests setting the Security Descriptor of files and directories and the effect the operation has on the Security Descriptor flag "DACL auto-inherited" DI. Generally, this flag is set on a file or directory upon creation if the parent directory has DI set and also has inheritable ACEs. This is the default behaviour when this option is enabled the default. When setting this option to no , the resulting value of the DI flag on-disk is directly taken from the DI value of the to-be-set Security Descriptor.
If this parameter is set, then Samba overrides this restriction, and also allows the primary group owner of a file or directory to modify the permissions and ACLs on that file. On a Windows server, groups may be the owner of a file or directory - thus allowing anyone in that group to modify the permissions on it.
This allows the delegation of security controls on a point in the filesystem to the group owner of a directory and anything below it also owned by that group.
This means there are multiple people with permissions to modify ACLs on a file or directory, easing manageability. This parameter allows Samba to also permit delegation of the control over a point in the exported directory hierarchy in much the same way as Windows.
This allows all members of a UNIX group to control the permissions on a file or directory they have group ownership on. This parameter is best used with the inherit owner option and also on a share containing directories with the UNIX setgid bit set on them, which causes new files and directories created within it to inherit the group ownership from the containing directory.
This parameter was deprecated in Samba 3. It is now no longer equivalent to the dos filemode option. This script is only useful for installations using the Windows NT domain administration tools. The script is free to create a group with an arbitrary name to circumvent unix group name restrictions. In that case the script must print the numeric gid of the created group on stdout.
Samba 3. This option defines an external program to be executed when smbd receives a request to add a new Port to the system. The script is passed two parameters:. For a Samba host this means that the printer must be physically added to the underlying printing system.
The addprinter command defines a script to be run which will perform the necessary operations for adding the printer to the print system and to add the appropriate service definition to the smb.
The addprinter command is automatically invoked with the following parameter in order :. The "Windows 9x driver location" parameter is included for backwards compatibility only. The remaining fields in the structure are generated from answers to the APW questions. Once the addprinter command has been executed, smbd will reparse the smb. The addprinter command program can output a single line of text, which Samba will set as the port the new printer is connected to.
If this line isn't output, Samba won't reload its printer shares. Samba 2. The add share command is used to define an external program or script which will add a new service definition to smb. In order to successfully execute the add share command , smbd requires that the administrator connects using a root account i. Scripts defined in the add share command parameter are executed as root.
When executed, smbd will automatically invoke the add share command with five parameters. This parameter is only used to add file shares. To add printer shares, see the addprinter command. Normally, a Samba server requires that UNIX users are created for all users accessing files on this server.
For sites that use Windows NT account databases as their primary user database creating these users and keeping the user list in sync with the Windows NT PDC is an onerous task. When the Windows user attempts to access the Samba server, at login session setup in the SMB protocol time, smbd 8 contacts the password server and attempts to authenticate the given user with the given password. If this script successfully creates the user then smbd will continue on as though the UNIX user already existed.
See also security , password server , delete user script. Full path to the script that will be called when a user is added to a group using the Windows NT domain administration tools. Note that the adduser command used in the example below does not support the used syntax on all systems. If this parameter is set to yes for a share, then the share will be an administrative share.
The Administrative Shares are the default network shares created by all Windows NT-based operating systems. See the section below on security for more information about this option.
This is a list of users who will be granted administrative privileges on the share. This means that they will do all file operations as the super-user root. You should use this option very carefully, as any user in this list will be able to do anything they like on the share, irrespective of file permissions. This parameter controls whether special AFS features are enabled for this share. If enabled, it assumes that the directory exported via the path parameter is a local AFS import.
The special AFS features include the attempt to hand-craft an AFS token if you enabled --with-fake-kaserver in configure. This parameter controls the lifetime of tokens that the AFS fake-kaserver claims. In reality these never expire but this lifetime controls when the afs client will forget the token. If you are using the fake kaserver AFS feature, you might want to hand-craft the usernames you are creating tokens for.
The mapped user name must contain the cell name to log into, so without setting this parameter there will be no token. The integer parameter specifies the maximum number of threads each smbd process will create when doing parallel asynchronous IO calls. If the number of outstanding calls is greater than this number the requests will not be refused but go onto a queue and will be scheduled in turn as outstanding requests complete.
Related command: aio read size. Related command: aio write size. If this integer parameter is set to a non-zero value, Samba will read from files asynchronously when the request size is bigger than this value. Note that it happens only for non-chained and non-chaining reads and when not using write cache. Related command: write cache size. Instead, Samba will immediately return that the write request has been finished successfully, no matter if the operation will succeed or not.
This might speed up clients without aio support, but is really dangerous, because data could be lost and files could be damaged. The syntax is identical to the veto files parameter.
If this integer parameter is set to a non-zero value, Samba will write to files asynchronously when the request size is bigger than this value. Compared to aio read size this parameter has a smaller effect, most writes should end up in the file system cache.
Writes that require space allocation might benefit most from going asynchronous. Setting this option to a larger value could be useful to sites transitioning from WinNT and Win2k, as existing user and group rids would otherwise clash with system users etc.
As such the algorithmic mapping can't be 'turned off', but pushing it 'out of the way' should resolve the issues. Users and groups can then be assigned 'low' RIDs in arbitrary-rid supporting backends. This parameter allows an administrator to tune the allocation size reported to Windows clients. This is only useful for old SMB1 clients because modern SMB dialects eliminated that bottleneck and have better performance by default.
Using this parameter may cause difficulties for some applications, e. MS Visual Studio. If the MS Visual Studio compiler starts to crash with an internal error, set this parameter to zero for this share. Settings this parameter to a large value can also cause small files to allocate more space on the disk than needed.
Some interfaces like samr, lsarpc and netlogon have a hard-coded default of no and epmapper, mgmt and rpcecho have a hard-coded default of yes. The behavior can be overwritten per interface name e.
This option yields precedence to the implementation specific restrictions. DNS updates can either be disallowed completely by setting it to disabled , enabled over secure connections only by setting it to secure only or allowed in all cases by setting it to nonsecure. In normal operation the option wide links which allows the server to follow symlinks outside of a share path is automatically disabled when unix extensions are enabled on a Samba server.
This is done for security purposes to prevent UNIX clients creating symlinks to areas of the server file system that the administrator does not wish to export.
Setting allow insecure wide links to true disables the link between these two parameters, removing this protection and allowing a site to configure the server to follow symlinks by setting wide links to "true" even when unix extensions is turned on.
It is not recommended to enable this option unless you fully understand the implications of allowing the server to follow symbolic links created by UNIX clients. For most normal Samba configurations this would be considered a security hole and setting this parameter is not recommended. This option was added at the request of sites who had deliberately set Samba up in this way and needed to continue supporting this functionality without having to patch the Samba code.
This option was added with Samba 4. It may lock out clients which worked fine with Samba versions up to 4.
This option only takes effect when the security option is set to server , domain or ads. If it is set to no, then attempts to connect to a resource from a domain or workgroup other than the one which smbd is running in will fail, even if that domain is trusted by the remote server doing the authentication.
This is useful if you only want your Samba server to serve resources to users in the domain it is a member of. This can make implementing a security boundary difficult. If set to no the default , smbd checks at startup if other smbd versions are running in the cluster and refuses to start if so.
This is done to protect data corruption in internal data structures due to incompatible Samba versions running concurrently in the same cluster. Setting this parameter to yes disables this safety check. This option controls whether winbind will execute the gpupdate command defined in gpo update command on the Group Policy update interval.
The Group Policy update interval is defined as every 90 minutes, plus a random offset between 0 and 30 minutes. The number of seconds the asynchronous DNS resolver code in Samba will wait for responses. This value prevents this name resolution code from waiting for DNS server timeouts. This parameter specifies whether Samba should fork the async smb echo handler.
It can be beneficial if your file system can block syscalls for a very long time. In some circumstances, it prolongs the timeout that Windows uses to determine whether a connection is dead. This parameter is only for SMB1. When enabled, this option causes Samba acting as an Active Directory Domain Controller to stream authentication events across the internal message bus. This is not needed for the audit logging described in log level.
Instead, this should instead be considered a developer option it assists in the Samba testsuite rather than a facility for external auditing, as message delivery is not guaranteed a feature that the testsuite works around. This is a list of services that you want to be automatically added to the browse lists. This is most useful for homes and printers services that would otherwise not be visible. Note that if you just want all printers in your printcap file loaded then the load printers option is easier.
This parameter lets you "turn off" a service. Such failures are logged. This parameters defines the directory samba will use to store the configuration files for bind, such as named. NOTE: The bind dns directory needs to be on the same mount point as the private directory! This global parameter allows the Samba admin to limit what interfaces on a machine will serve SMB requests. It affects file service smbd 8 and name service nmbd 8 in a slightly different ways.
For name service it causes nmbd to bind to ports and on the interfaces listed in the interfaces parameter. If this option is not set then nmbd will service name requests on all of these sockets. If bind interfaces only is set then nmbd will check the source address of any packets coming in on the broadcast sockets and discard any that don't match the broadcast addresses of the interfaces in the interfaces parameter list. As unicast packets are received on the other sockets it allows nmbd to refuse to serve names to machines that send packets that arrive through any interfaces not listed in the interfaces list.
IP Source address spoofing does defeat this simple check, however, so it must not be used seriously as a security feature for nmbd. For file service it causes smbd 8 to bind only to the interface list given in the interfaces parameter. This restricts the networks that smbd will serve, to packets coming in on those interfaces. Note that you should not use this parameter for machines that are serving PPP or other intermittent or non-broadcast network interfaces as it will not cope with non-permanent interfaces.
If bind interfaces only is set and the network address To change a users SMB password, the smbpasswd by default connects to the localhost - If bind interfaces only is set then unless the network address This parameter controls the behavior of smbd 8 when given a request by a client to obtain a byte range lock on a region of an open file, and the request has a time limit associated with it. If this parameter is set and the lock range requested cannot be immediately satisfied, samba will internally queue the lock request, and periodically attempt to obtain the lock until the timeout period expires.
If this parameter is set to no , then samba will behave as previous versions of Samba would and will fail the lock request immediately if the lock range cannot be obtained. This parameter controls the behavior of smbd 8 when reporting disk free sizes. By default, this reports a disk block size of bytes. Changing this parameter may have some effect on the efficiency of client writes, this is not yet confirmed.
This parameter was added to allow advanced administrators to change it usually to a higher value and test the effect it has on client write performance without re-compiling the code. As this is an experimental option it may be removed in a future release.
Changing this option does not change the disk free reporting size, just the block size unit reported to the client. This controls whether this share is seen in the list of available shares in a net view and in the browse list. This controls whether smbd 8 will serve a browse list to a client doing a NetServerEnum call. Normally set to yes. You should never need to change this.
Usually, most of the TDB files are stored in the lock directory. Since Samba 3. This option specifies the directory for storing TDB files containing non-persistent data that will be kept across service restarts. The directory should be placed on persistent storage, but the data can be safely deleted by an administrator. See the discussion in the section name mangling. The change share command is used to define an external program or script which will modify an existing service definition in smb.
In order to successfully execute the change share command , smbd requires that the administrator connects using a root account i. Scripts defined in the change share command parameter are executed as root. When executed, smbd will automatically invoke the change share command with six parameters.
CSC policy - client side caching policy in string form. Valid values are: manual, documents, programs, disable.
This parameter is only used to modify existing file share definitions. To modify printer shares, use the "Printers A Windows SMB server prevents the client from creating files in a directory that has the delete-on-close flag set. By default Samba doesn't perform this check as this check is a quite expensive operation in Samba. The name of a program that can be used to check password complexity.
The password is sent to the program's standard input. The program must return 0 on a good password, or any other value if the password is bad. In case the password is considered weak the program does not return 0 the user will be notified and the password change will fail. Note that starting with Samba 4. Note: In the example directory is a sample program called crackcheck that uses cracklib to check the password quality.
Normally this option should not be set as the automatic negotiation phase in the SMB protocol takes care of choosing the appropriate protocol. See client max protocol for a full list of available protocols. The value default refers to the higher value of NT1 and the effective value of client min protocol.
Possible values are desired , required and disabled. When set to desired, SMB signing is offered, but not enforced and if set to disabled, SMB signing is not offered either.
This parameter has been deprecated since Samba 4. This parameter determines whether or not smbclient 8 and other samba client tools will attempt to authenticate itself to servers using the weaker LANMAN password hash. If disabled, only server which support NT password hashes e. Disabling this option will also disable the client plaintext auth option. Likewise, if the client ntlmv2 auth parameter is enabled, then only NTLMv2 logins will be attempted. The client ldap sasl wrapping defines whether ldap traffic will be signed or signed and encrypted sealed.
Possible values are plain , sign and seal. Windows SP3 or higher. In this case, sign is just an alias for seal. The default value is sign. That implies synchronizing the time with the KDC in the case of using Kerberos.
The value of the parameter a string is the highest protocol level that will be supported by the client. Long filename support. NT1 : Current up to date version of the protocol.
Used by Windows NT. Known as CIFS. Used by Windows Vista and later versions of Windows. SMB2 has sub protocols available. Used by Windows 8. SMB3 has sub protocols available. Normally this option should not be set as the automatic negotiation phase in the SMB protocol takes care of choosing the appropriate protocol unless you connect to a legacy SMB1-only server.
Related command: client max protocol. This parameter determines whether or not smbclient 8 will attempt to authenticate itself to servers using the NTLMv2 encrypted password response. Similarly, if enabled, NTLMv1, client lanman auth and client plaintext auth authentication will be disabled.
This also disables share-level authentication. This behavior was introduced with the patches for CVE Specifies whether a client should send a plaintext password if the server does not support encrypted passwords. This option is deprecated with Samba 4.
At the same time the default changed to yes, which will be the hardcoded behavior in future. This controls whether the client offers or even demands the use of the netlogon schannel. This option yields precedence to the require strong key option.
This controls whether the client is allowed or required to use SMB signing. It is also possible to remove individual algorithms from the default list, by prefixing them with '-'. This can avoid having to specify a hardcoded list. This parameter controls whether a client should try or is required to use SMB encryption. This parameter can be set globally. Currently this is only supported smbclient of by Samba 3. Windows does not support this feature. When set to default, SMB encryption is probed, but not enforced.
It is only used by Samba if client max protocol is set to SMB3 or newer. These features can be controlled with settings of client smb encrypt as follows:. Setting it to desired globally will enable negotiation and will turn on data encryption on sessions and share connections for those servers that support it. Setting it to required globally will enable negotiation and turn on data encryption on sessions and share connections. Clients that do not support encryption will be denied access to the server.
Setting it to off globally will completely disable the encryption feature for all connections. This parameter determines whether Samba client tools will try to authenticate using Kerberos. For Kerberos authentication you need to use dns names instead of IP addresses when connnecting to a service. There will be no falllback to NTLM or a different alternative.
In case that weak cryptography is not allowed e. FIPS mode the default will be forced to required. This parameter determines whether or not smbclient 8 and other samba components acting as a client will attempt to use the server-supplied principal sometimes given in the SPNEGO exchange. If enabled, Samba can attempt to use Kerberos to contact servers known only by IP address. Now the share will NOT automatically mount when you boot and you will be asked for your samba password. There is a fix in the troubleshooting section of this forum post.
Mounting a share on the local filesystem allows you to work around programs that do not yet use GnomeVFS to browse remote shares transparently. I advise you configure sudo, as above. To mount the share now, just use the following command as root.
It will mount automatically on subsequent reboots. You will see an icon "Windows network" and should be able to browse to your shared folder. You will be asked for a password, leave it blank. Click the "Connect button. Navigate to your Ubuntu server and your share will be available without a password. Select an available letter for your SMB share Default is z:.
Tic Select with the mouse the option "Reconnect at login" if you want the share to be automatically mounted when you boot Windows. Click the "Finish" box. A dialog box will appear, enter your samba user name and password.
Encrypt Passwords — This option must be enabled if the clients are connecting from a system with Windows 98, Windows NT 4. The passwords are transfered between the server and the client in an encrypted format instead of as a plain-text word that can be intercepted. This corresponds to the encrypted passwords option.
Guest Account — When users or guest users log into a Samba server, they must be mapped to a valid user on the server. Select one of the existing usernames on the system to be the guest Samba account. When guests log in to the Samba server, they have the same privileges as this user.
This corresponds to the guest account option. After clicking OK , the changes are written to the configuration file and the daemon is restarted; thus, the changes take effect immediately. The Samba Server Configuration Tool requires that an existing user account be active on the system acting as the Samba server before a Samba user can be added. The Samba user is associated with the existing user account.
If the user has a different username on a Windows machine and needs to log into the Samba server from the Windows machine, specify that Windows username in the Windows Username field. The Authentication Mode on the Security tab of the Server Settings preferences must be set to User for this option to work.
Also, configure a Samba Password for the Samba User and confirm it by typing it again. Even if you opt to use encrypted passwords for Samba, it is recommended that the Samba passwords for all users are different from their system passwords. To edit an existing user, select the user from the list, and click Edit User. To delete an existing Samba user, select the user, and click the Delete User button. Deleting a Samba user does not delete the associated system user account.
The users are modified immediately after clicking the OK button. To create a Samba share, click the Add button from the main Samba configuration window. Directory — The directory to share via Samba. The directory must exist before it can be entered here.
Share name — The actual name of the share that is seen from remote machines.
0コメント