📄 smb.conf.5
These substitutions are mostly noted in the descriptions below, but there are some general substitutions which apply whenever they might be relevant\&. These are:
.TP
%U
session username (the username that the client wanted, not necessarily the same as the one they got)\&.
.TP
%G
primary group name of %U\&.
.TP
%h
the Internet hostname that Samba is running on\&.
.TP
%m
the NetBIOS name of the client machine (very useful)\&.

This parameter is not available when Samba listens on port 445, as clients no longer send this information\&. If you use this macro in an include statement on a domain that has a Samba domain controller, be sure to set \fIsmb ports = 139\fR in the [global] section\&. This will cause Samba to not listen on port 445 and will permit include functionality to function as it did with Samba 2\&.x\&.
.TP
%L
the NetBIOS name of the server\&. This allows you to change your config based on what the client calls you\&. Your server can have a ``dual personality''\&.
.TP
%M
the Internet name of the client machine\&.
.TP
%R
the selected protocol level after protocol negotiation\&. It can be one of CORE, COREPLUS, LANMAN1, LANMAN2 or NT1\&.
.TP
%d
the process id of the current server process\&.
.TP
%a
the architecture of the remote machine\&. It currently recognizes Samba (\fBSamba\fR), the Linux CIFS file system (\fBCIFSFS\fR), OS/2 (\fBOS2\fR), Windows for Workgroups (\fBWfWg\fR), Windows 9x/ME (\fBWin95\fR), Windows NT (\fBWinNT\fR), Windows 2000 (\fBWin2K\fR), Windows XP (\fBWinXP\fR), and Windows 2003 (\fBWin2K3\fR)\&.
Anything else will be known as \fBUNKNOWN\fR\&.
.TP
%I
the IP address of the client machine\&.
.TP
%i
the local IP address to which a client connected\&.
.TP
%T
the current date and time\&.
.TP
%D
name of the domain or workgroup of the current user\&.
.TP
%w
the winbind separator\&.
.TP
%$(\fIenvvar\fR)
the value of the environment variable \fIenvvar\fR\&.
.PP
The following substitutions apply only to some configuration options (only those that are used when a connection has been established):
.TP
%S
the name of the current service, if any\&.
.TP
%P
the root directory of the current service, if any\&.
.TP
%u
username of the current service, if any\&.
.TP
%g
primary group name of %u\&.
.TP
%H
the home directory of the user given by %u\&.
.TP
%N
the name of your NIS home directory server\&. This is obtained from your NIS auto\&.map entry\&. If you have not compiled Samba with the \fB\-\-with\-automount\fR option, this value will be the same as %L\&.
.TP
%p
the path of the service's home directory, obtained from your NIS auto\&.map entry\&. The NIS auto\&.map entry is split up as %N:%p\&.
.PP
There are some quite creative things that can be done with these substitutions and other \fIsmb\&.conf\fR options\&.
.SH "NAME MANGLING"
.PP
Samba supports name mangling so that DOS and Windows clients can use files that don't conform to the 8\&.3 format\&. It can also be set to adjust the case of 8\&.3 format filenames\&.
.PP
There are several options that control the way mangling is performed, and they are grouped here rather than listed separately\&. For the defaults look at the output of the testparm program\&.
.PP
All of these options can be set separately for each service (or globally, of course)\&.
.PP
The options are:
.TP
case sensitive = yes/no/auto
controls whether filenames are case sensitive\&. If they aren't, Samba must do a filename search and match on passed names\&.
The default setting of auto allows clients that support case sensitive filenames (Linux CIFSVFS and smbclient 3\&.0\&.5 and above currently) to tell the Samba server on a per\-packet basis that they wish to access the file system in a case\-sensitive manner (to support UNIX case sensitive semantics)\&. No Windows or DOS system supports case\-sensitive filenames, so setting this option to auto is the same as setting it to no for them\&. Default \fBauto\fR\&.
.TP
default case = upper/lower
controls what the default case is for new filenames (i\&.e\&. files that don't currently exist in the filesystem)\&. Default \fBlower\fR\&. IMPORTANT NOTE: This option will be used to modify the case of \fBall\fR incoming client filenames, not just new filenames, if the options case sensitive = yes, preserve case = No, short preserve case = No are set\&. This change is needed as part of the optimisations for directories containing large numbers of files\&.
.TP
preserve case = yes/no
controls whether new files (i\&.e\&. files that don't currently exist in the filesystem) are created with the case that the client passes, or if they are forced to be the default case\&. Default \fByes\fR\&.
.TP
short preserve case = yes/no
controls if new files (i\&.e\&. files that don't currently exist in the filesystem) which conform to 8\&.3 syntax, that is all in upper case and of suitable length, are created upper case, or if they are forced to be the default case\&. This option can be used with preserve case = yes to permit long filenames to retain their case, while short names are lowercased\&. Default \fByes\fR\&.
.PP
By default, Samba 3\&.0 has the same semantics as a Windows NT server, in that it is case insensitive but case preserving\&.
As a special case for directories with large numbers of files, if the case options are set as follows, "case sensitive = yes", "preserve case = no", "short preserve case = no", then the "default case" option will be applied and will modify all filenames sent from the client when accessing this share\&.
.SH "NOTE ABOUT USERNAME/PASSWORD VALIDATION"
.PP
There are a number of ways in which a user can connect to a service\&. The server uses the following steps in determining if it will allow a connection to a specified service\&. If all the steps fail, the connection request is rejected\&. However, if one of the steps succeeds, the following steps are not checked\&.
.PP
If the service is marked ``guest only = yes'' and the server is running with share\-level security (``security = share''), steps 1 to 5 are skipped\&.
.TP 3
1.
If the client has passed a username/password pair and that username/password pair is validated by the UNIX system's password programs, the connection is made as that username\&. This includes the \\\\server\\service%\fIusername\fR method of passing a username\&.
.TP
2.
If the client has previously registered a username with the system and now supplies a correct password for that username, the connection is allowed\&.
.TP
3.
The client's NetBIOS name and any previously used usernames are checked against the supplied password\&. If they match, the connection is allowed as the corresponding user\&.
.TP
4.
If the client has previously validated a username/password pair with the server and the client has passed the validation token, that username is used\&.
.TP
5.
If a user = field is given in the \fIsmb\&.conf\fR file for the service and the client has supplied a password, and that password matches (according to the UNIX system's password checking) with one of the usernames from the user = field, the connection is made as the username in the user = line\&.
If one of the usernames in the user = list begins with a @, that name expands to a list of names in the group of the same name\&.
.TP
6.
If the service is a guest service, a connection is made as the username given in the guest account = for the service, irrespective of the supplied password\&.
.LP
.SH "EXPLANATION OF EACH PARAMETER"
.TP
abort shutdown script (G)
This is a full path name to a script called by \fBsmbd\fR(8) that should stop a shutdown procedure issued by the shutdown script\&.

If the connected user possesses the \fBSeRemoteShutdownPrivilege\fR right, this command will be run as user\&.

Default: \fB\fIabort shutdown script\fR = \fR

Example: \fB\fIabort shutdown script\fR = /sbin/shutdown \-c \fR
.TP
acl check permissions (S)
This boolean parameter controls what \fBsmbd\fR(8) does on receiving a protocol request of "open for delete" from a Windows client\&. If a Windows client doesn't have permissions to delete a file then they expect this to be denied at open time\&. POSIX systems normally only detect restrictions on delete by actually attempting to delete the file or directory\&. As Windows clients can (and do) "back out" a delete request by unsetting the "delete on close" bit, Samba cannot delete the file immediately on an "open for delete" request, as we cannot restore such a deleted file\&. With this parameter set to true (the default), smbd checks the file system permissions directly on "open for delete" and denies the request without actually deleting the file if the file system permissions would seem to deny it\&. This is not perfect, as it's possible a user could have deleted a file without Samba being able to check the permissions correctly, but it is close enough to Windows semantics for mostly correct behaviour\&. Samba will correctly check POSIX ACL semantics in this case\&.

If this parameter is set to "false" Samba doesn't check permissions on "open for delete" and allows the open\&.
If the user doesn't have permission to delete the file this will only be discovered at close time, which is too late for the Windows user tools to display an error message to the user\&. The symptom of this is files that appear to have been deleted "magically" re\-appearing on a Windows explorer refresh\&. This is an extremely advanced protocol option which should not need to be changed\&. This parameter was introduced in its final form in 3\&.0\&.21; an earlier version with slightly different semantics was introduced in 3\&.0\&.20\&. That older version is not documented here\&.

Default: \fB\fIacl check permissions\fR = True \fR
.TP
acl compatibility (S)
This parameter specifies what OS ACL semantics should be compatible with\&. Possible values are \fBwinnt\fR for Windows NT 4, \fBwin2k\fR for Windows 2000 and above and \fBauto\fR\&. If you specify \fBauto\fR, the value for this parameter will be based upon the version of the client\&. There should be no reason to change this parameter from the default\&.

Default: \fB\fIacl compatibility\fR = Auto \fR

Example: \fB\fIacl compatibility\fR = win2k \fR
.TP
acl group control (S)
In a POSIX filesystem, only the owner of a file or directory and the superuser can modify the permissions and ACLs on a file\&. If this parameter is set, then Samba overrides this restriction, and also allows the \fBprimary group owner\fR of a file or directory to modify the permissions and ACLs on that file\&.

On a Windows server, groups may be the owner of a file or directory \- thus allowing anyone in that group to modify the permissions on it\&. This allows the delegation of security controls on a point in the filesystem to the group owner of a directory and anything below it also owned by that group\&.
This means there are multiple people with permissions to modify ACLs on a file or directory, easing manageability\&.

This parameter allows Samba to also permit delegation of the control over a point in the exported directory hierarchy in much the same way as Windows\&. This allows all members of a UNIX group to control the permissions on a file or directory they have group ownership on\&.

This parameter is best used with the inherit owner option and also on a share containing directories with the UNIX \fBsetgid bit\fR set on them, which causes new files and directories created within it to inherit the group ownership from the containing directory\&.

This is a new parameter introduced in Samba 3\&.0\&.20\&.

This can be particularly useful to allow groups to manage their own security on a part of the filesystem they have group ownership of, removing the bottleneck of having only the user owner or superuser able to reset permissions\&.

Default: \fB\fIacl group control\fR = no \fR
.TP
acl map full control (S)
This boolean parameter controls whether \fBsmbd\fR(8) maps a POSIX ACE entry of "rwx" (read/write/execute), the maximum allowed POSIX permission set, into a Windows ACL of "FULL CONTROL"\&. If this parameter is set to true any POSIX ACE entry of "rwx" will be returned in a Windows ACL as "FULL CONTROL"; if this parameter is set to false any POSIX ACE entry of "rwx" will be returned as the specific Windows ACL bits representing read, write and execute\&.

Default: \fB\fIacl map full control\fR = True \fR
.TP
add group script (G)
This is the full pathname to a script that will be run \fBAS ROOT\fR by \fBsmbd\fR(8) when a new group is requested\&. It will expand any \fI%g\fR to the group name passed\&. This script is only useful for installations using the Windows NT domain administration tools\&. The script is free to create a group with an arbitrary name to circumvent unix group name restrictions\&.
In that case the script must print the numeric gid of the created group on stdout\&.

\fBNo default\fR
.TP
add machine script (G)
This is the full pathname to a script that will be run by \fBsmbd\fR(8) when a machine is added to its domain using the administrator username and password method\&.

This option is only required when using sam back\-ends tied to the Unix uid method of RID calculation such as smbpasswd\&. This option is only available in Samba 3\&.0\&.

Default: \fB\fIadd machine script\fR = \fR

Example: \fB\fIadd machine script\fR = /usr/sbin/adduser \-n \-g machines \-c Machine \-d /var/lib/nobody \-s /bin/false %u \fR
.TP
add printer command (G)
With the introduction of MS\-RPC based printing support for Windows NT/2000 clients in Samba 2\&.2, the MS Add Printer Wizard (APW) icon is now also available in the "Printers\&.\&.\&." folder displayed in a share listing\&. The APW allows for printers to be added remotely to a Samba or Windows NT/2000 print server\&.

For a Samba host this means that the printer must be physically added to the underlying printing system\&. The \fIadd printer command\fR defines a script to be run which will perform the necessary operations for adding the printer to the print system and to add the appropriate service definition to the \fIsmb\&.conf\fR file in order that it can be shared by \fBsmbd\fR(8)\&.

The \fIadd printer command\fR is automatically invoked with the following parameters (in order):
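
Added example for the add group script parameter described above (not part of the Samba distribution or of this manual page): a helper that treats the requested group name as untrusted input, because smbd runs it as root, derives a UNIX-safe name from it and prints the numeric gid on stdout as that parameter requires. The install path /usr/local/sbin/smb-addgroup, the smb_ prefix, the function names and the use of the Linux getent and groupadd tools are assumptions.

```shell
#!/bin/sh
# Added example, not Samba's own code. Assumed smb.conf line (hypothetical path):
#   add group script = /usr/local/sbin/smb-addgroup "%g"
# smbd runs this script as root, so the requested name is untrusted input.

# Derive a UNIX-safe group name from an arbitrary requested name.
# Result: smb_<up to 16 chars of [a-z0-9_]>_<CRC of the lowercased name>,
# at most 31 characters. The CRC keeps two names that sanitise to the same
# string (for example "Sales EU" and "Sales_EU") from sharing one UNIX group.
# Only ASCII letters are case-folded.
unix_group_name() {
    lower=$(printf '%s' "$1" | LC_ALL=C tr 'A-Z' 'a-z')
    safe=$(printf '%s' "$lower" | LC_ALL=C tr -c 'a-z0-9_' '_' | cut -c1-16)
    crc=$(printf '%s' "$lower" | cksum | cut -d' ' -f1)
    printf 'smb_%s_%s\n' "$safe" "$crc"
}

main() {
    # Exactly one non-empty argument: the group name expanded from %g.
    if [ $# -ne 1 ] || [ -z "$1" ]; then
        echo "usage: smb-addgroup <requested group name>" >&2
        return 2
    fi
    group=$(unix_group_name "$1")
    # Create the group only if it does not exist yet.
    if ! getent group "$group" >/dev/null; then
        groupadd "$group" || return 1
    fi
    # Numeric gid on stdout, which smbd reads back.
    getent group "$group" | cut -d: -f3
}

# Run only when called with arguments, so the functions can also be sourced.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Quoting "%g" in the smb.conf line passes the name as a single argument; the script never passes the requested name itself to groupadd, only the derived one.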