Provided by:
manpages-zh_1.5.1-3_all 
NAME
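smb.conf - The configuration file for the Samba suite
SYNOPSIS
The smb.conf file is the configuration file for the Samba suite. It
contains runtime configuration information for the Samba programs.
The smb.conf file is designed to be configured and administered by
the swat(8) program. This file contains a complete description of
the smb.conf file format and of the options that may appear in it,
for reference.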
FILE FORMAT
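The file consists of sections and parameters. A section begins with
the name of the section in square brackets and continues until the
next section begins. Sections contain parameters of the form:
name = value
The file is line-based; that is, each newline-terminated line
represents either a comment, a section name or a parameter.
Section and parameter names are not case sensitive.
Only the first equals sign in a parameter is significant. Whitespace
before or after the first equals sign is discarded. Leading, trailing
and internal whitespace in section and parameter names is irrelevant.
Leading and trailing whitespace in a parameter value is discarded.
Internal whitespace within a parameter value is retained verbatim.
Any line beginning with a semicolon (';') or a hash ('#') character
is ignored, as are lines containing only whitespace.
Any line ending in a '\' is continued on the next line in the
customary UNIX fashion. (That is, '\' is the line-continuation
character: if a line is too long, end it with '\' and continue on
the next line. Translator's note.)
The values following the equals sign in parameters are all either a
string (no quotes needed) or a boolean, which may be given as yes/no,
1/0 or true/false. Case is not significant in boolean values, but is
preserved in string values. Some items, such as create modes, are
numeric.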
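SECTION DESCRIPTIONS
Each section in the configuration file (except for the [global]
section) describes a shared resource. The section name is the name
of the share and the parameters within the section define the
attributes of the share.
There are three special sections, [global], [homes] and [printers],
which are described separately under 'special sections'. The
following notes apply to ordinary sections.
A share consists of a directory to which access is being given plus
a description of the access rights granted to the user of the
service. Some housekeeping options can also be specified.
Each section defines either a file service (used by the client as an
extension of its native file system) or a printable service (used by
the client to access the print services offered by the server).
Sections may be designated guest services, in which case no password
is required to access them. A specified UNIX guest account is used
to define the access privileges in this case.
Sections other than guest services require a password to access
them. The client provides the username. As some older clients only
provide passwords and not usernames, you may need to specify a list
of usernames to check against the password using the "user =" option
in the share definition. For modern clients such as Windows 95/98
and Windows NT, this should not be necessary.
Note that the access rights granted by the server are also limited
by the access rights granted to the specified or guest UNIX user by
the host system. The server does not grant more access than the host
system grants.
The following sample section defines a file service. The user has
write access to the path /home/bar. The share is accessed via the
share name "foo":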
[foo]
path = /home/bar
read only = no
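The following sample section defines a printable share. The share is
read-only, but printable. That is, the only write access permitted
is via calls to open, write to and close a spool file. The guest ok
parameter means access will be permitted as the default guest user
(specified elsewhere):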
[aprinter]
path = /usr/spool/public
read only = yes
printable = yes
guest ok = yes
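SPECIAL SECTIONS
The [global] section
Parameters in this section apply to the server as a whole, or are
defaults for sections which do not specifically define those items.
See the notes under PARAMETERS for more information.
The [homes] section
If a section called 'homes' is included in the configuration file,
services connecting clients to their home directories can be created
on the fly by the server.
When the connection request is made, the existing sections are
scanned. If a match is found, it is used. If no match is found, the
requested section name is treated as a user name and looked up in
the local password file. If the name exists and the correct password
has been given, a share is created by cloning the [homes] section.
Some modifications are then made to the newly created share:
The share name is changed from 'homes' to the located username.
If no path was given, the path is set to the user's home directory.
If you decide to use a path = line in your [homes] section then you
may find it useful to use the %S macro. For example:
path = /data/pchome/%S
would be useful if you have different home directories for your PCs
than for UNIX access.
This is a fast and simple way to give a large number of clients
access to their home directories.
A similar process occurs if the requested section name is 'homes',
except that the share name is not changed to that of the requesting
user. This method of using the [homes] section works well if
different users share a client PC.
The [homes] section can specify all the parameters a normal service
section can specify, though some make more sense than others. The
following is a typical and suitable [homes] section: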
[homes]
read only = no
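An important point is that if guest access is specified in the
[homes] section, all home directories will be accessible to anyone
without a password. In the special case where this is actually
desirable, it is wise to also make the [homes] section read only.
Note that the browseable flag for auto home directories is inherited
from the [global] section, not from the [homes] section. This means
that setting browseable = no in the [homes] section hides the
'homes' share itself but leaves the auto home directories visible.
The [printers] section
This section works like [homes], but for printers.
If a [printers] section occurs in the configuration file, users are
able to connect to any printer specified in the local host's
printcap file.
When a connection request is made, the existing sections are
scanned. If a match is found, it is used. If no match is found, but
a [homes] section exists, it is used as described above. Otherwise,
the requested section name is treated as a printer name and the
appropriate printcap file is scanned to see if the requested section
name is a valid printer share name. If a match is found, a new
printer share is created by cloning the [printers] section.
A few modifications are then made to the newly created share:
The share name is set to the located printer name.
If no printer name was given, the printer name is set to the located
printer name.
If the share does not permit guest access and no username was given,
the username is set to the located printer name.
Note that the [printers] service MUST be printable; if you specify
otherwise, the server will refuse to load the configuration file.
Typically the path specified would be that of a world-writeable
spool directory with the sticky bit set on it. A typical [printers]
entry would look like this: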
[printers]
path = /usr/spool/public
guest ok = yes
printable = yes
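All aliases given for a printer in the printcap file are legitimate
printer names as far as the server is concerned. If your printing
subsystem does not work like that, you will have to set up a
pseudo-printcap. This is a file consisting of one or more lines like
this:
alias1|alias2|alias3|alias4...
Each alias should be an acceptable printer name for your printing
subsystem. In the [global] section, specify the new file as your
printcap. The pseudo-printcap can contain whatever aliases you like,
and the server will only recognize names found in it. The same
technique can be used to limit access to a subset of your local
printers.
An alias, by the way, is defined as any component of the first entry
of a printcap record. Records are separated by newlines; components
(if there are more than one) are separated by vertical bar symbols
('|').
Note
On SYSV systems, lpstat can be used to determine which printers are
defined on the system. You may set "printcap name = lpstat" to
obtain the list of printers automatically. See the "printcap name"
option for more details.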
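The lookup order described above for ordinary sections, [homes] and [printers], written out as an added example; it is not part of the original manual page and not Samba code. The configuration, account list and printcap text are constructed sample data, password checking is assumed to have happened already, and resolve_service and guest_reachable_homes are hypothetical names.

```python
# Added illustration of the share lookup order; not Samba source code.
# CONFIG, HOME_DIRS and PRINTCAP are constructed sample data.
CONFIG = {
    "global": {},
    "foo": {"path": "/home/bar", "read only": "no"},
    "homes": {"read only": "no", "path": "/data/pchome/%S"},
    "printers": {"path": "/usr/spool/public", "guest ok": "yes",
                 "printable": "yes"},
}
HOME_DIRS = {"alice": "/home/alice", "bob": "/home/bob"}  # stands in for the password file
PRINTCAP = "lp|laser1|second floor laser:lp=/dev/lp0\ncolor|inkjet2\n"
SPECIAL = {"global", "homes", "printers"}


def is_true(value):
    """Booleans may be written yes/no, 1/0 or true/false, in any case."""
    return str(value).strip().lower() in {"yes", "1", "true"}


def printcap_names(text):
    """Every '|'-separated component of a record's first entry is a printer name."""
    names = set()
    for record in text.splitlines():
        first_entry = record.split(":", 1)[0]
        names.update(part.strip() for part in first_entry.split("|") if part.strip())
    return names


def resolve_service(requested, config, home_dirs, printers):
    """Return (share name, options) for a requested share, or None if nothing matches.

    Assumes the caller has already validated the user's password.
    """
    # 1. An explicitly defined section wins (section names are case-insensitive).
    for section, options in config.items():
        if section.lower() == requested.lower() and section.lower() not in SPECIAL:
            return section, dict(options)
    # 2. Otherwise treat the name as a user name and clone [homes].
    if "homes" in config and requested in home_dirs:
        share = dict(config["homes"])
        # No path given: use the home directory. %S expands to the share name.
        share["path"] = share.get("path", home_dirs[requested]).replace("%S", requested)
        return requested, share
    # 3. Otherwise treat the name as a printer name and clone [printers].
    if "printers" in config and requested in printers:
        share = dict(config["printers"])
        share.setdefault("printer name", requested)
        return requested, share
    return None


def guest_reachable_homes(config, home_dirs, printers):
    """List (user, path) for every per-user share that admits guests."""
    exposed = []
    for user in sorted(home_dirs):
        resolved = resolve_service(user, config, home_dirs, printers)
        if resolved is None:
            continue
        _, options = resolved
        # "public" is a synonym for "guest ok".
        if is_true(options.get("guest ok", "no")) or is_true(options.get("public", "no")):
            exposed.append((user, options["path"]))
    return exposed


if __name__ == "__main__":
    printers = printcap_names(PRINTCAP)
    for name in ("foo", "alice", "laser1", "nosuch"):
        print(name, "->", resolve_service(name, CONFIG, HOME_DIRS, printers))
    risky = dict(CONFIG, homes={"read only": "no", "guest ok": "yes"})
    print("guest-reachable homes:", guest_reachable_homes(risky, HOME_DIRS, printers))
```

With guest ok = yes in [homes], every account in the password file yields a guest-reachable share, which is the exposure the [homes] warning describes.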
PARAMETERS
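Parameters define the specific attributes of sections.
Some parameters are specific to the [global] section (for example,
security-related settings), some can be used in any section, and the
rest are permissible only in normal sections. For the purposes of
the following descriptions the [homes] and [printers] sections are
considered normal. The letter G in parentheses indicates that a
parameter is specific to the [global] section. The letter S
indicates that a parameter can be specified in a service-specific
section. Note that all S parameters can also be specified in the
[global] section, in which case they define the default behavior for
all other sections.
Parameters are arranged here in alphabetical order. This may not be
the best grouping, but at least you can find them. Where there are
synonyms, the preferred synonym is described and the others refer to
the preferred synonym.
VARIABLE SUBSTITUTIONS
Many of the strings that are settable in the configuration file can
take substitutions. For example, the option "path = /tmp/%u" is
interpreted as "path = /tmp/john" if the user connected with the
username john.
These substitutions are mostly noted in the descriptions below, but
there are some general substitutions which apply wherever they might
be relevant. These are:
%U session user name (the user name that the client wanted, not
necessarily the same as the one they got).
%G primary group name of %U
%h the Internet hostname that Samba is running on
%m the NetBIOS name of the client machine (very useful)
%L the NetBIOS name of the server. This allows you to change your
configuration based on what the client calls you, so that your
server can have a "dual personality".
Note that this parameter is not available when Samba listens on
port 445, as clients no longer send this information
%M the Internet hostname of the client machine
%R the selected protocol level after protocol negotiation. It can be
one of CORE, COREPLUS, LANMAN1, LANMAN2 or NT1.
%d the process id of the current server process
%a the architecture of the remote machine. Only some are recognized,
and those may not be 100% reliable. It currently recognizes Samba,
WfWg, WinNT and Win95. Anything else will be known as "UNKNOWN". If
it gets it wrong, send a level 3 log to samba-bugs@samba.org so that
the bug can be fixed.
%I the IP address of the client machine
%T the current date and time
%D Name of the domain or workgroup of the current user.
%$(envvar)
The value of the environment variable envvar.
The following substitutes apply only to some configuration options
(only those that are used when a connection has been established):
%S the name of the current service
%P the root directory of the current service
%u the user name of the current service
%g primary group name of %u
%H the home directory of the user given by %u
%N the name of your NIS home directory server. This is obtained from
your auto.map entry. If you have not compiled Samba with the
--with-auto-mount option, this value will be the same as %L.
%p the path of the user's home directory, obtained from your NIS
auto.map entry. The NIS auto.map entry is split up as "%N:%p".
There are some quite creative things that can be done with these
substitutions and other smb.conf options.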
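NAME MANGLING
Samba supports "name mangling" so that DOS and Windows clients can
use files that do not conform to the 8.3 format. It can also be set
to adjust the case of 8.3 format filenames.
There are several options that control the way mangling is
performed, and they are listed below. For the defaults look at the
output of the testparm program.
All of these options can be set separately for each service (or
globally, of course).
The options are:
mangle case = yes/no
controls whether names that are not in the default case are mangled.
For example, if this is yes then a name like "Mail" would be
mangled. The default is no.
case sensitive = yes/no
controls whether filenames are case sensitive. If they are not,
Samba must do a filename search and match on passed names. The
default is no.
default case = upper/lower
controls what the default case is for new filenames. The default is
lower.
preserve case = yes/no
controls whether new files are created with the case that the client
passes, or are forced to the default case. The default is yes.
short preserve case = yes/no
controls whether new files which conform to 8.3 syntax, that is all
in upper case and of suitable length, are created upper case, or are
forced to the default case. This option can be used with "preserve
case = yes" to permit long filenames to retain their case, while
short names are lowercased. The default is yes.
By default, Samba 3.0 has the same semantics as Windows NT, that is,
it is case insensitive but case preserving.
NOTE ABOUT USERNAME/PASSWORD VALIDATION
There are a number of ways in which a user can connect to a service.
The server uses the following steps in determining if it will allow
a connection to a specified service. If all the steps fail, the
connection request is rejected. If one of the steps succeeds, the
remaining steps are not checked.
If the service is marked "guest only = yes" and the server is
running with share-level security ("security = share"), steps 1 to 5
are skipped.
Step 1:
If the client has passed a username/password pair and that pair is
validated by the UNIX system's password programs, the connection is
made as that username. Note that this includes the
\\server\service%username method of passing a username.
Step 2:
If the client has previously registered a username with the system
and now supplies a correct password for that username, the
connection is allowed.
Step 3:
The client's NetBIOS name and any previously used usernames are
checked against the supplied password. If they match, the connection
is allowed as the corresponding user.
Step 4:
If the client has previously validated a username/password pair with
the server and has obtained a valid token, the connection is allowed
as that username.
Step 5:
If a "user = " field is given in smb.conf for the service and the
client has supplied a password, and that password matches (according
to the UNIX system's password checking) one of the usernames from
the "user =" field, the connection is made as the matching username
from the "user =" field. If a name in the "user =" field begins with
a @, that name expands to the list of usernames in the group of the
same name.
Step 6:
If the service is a guest service, the connection is made as the
username given in "guest account =" for the service, irrespective of
the supplied password.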
COMPLETE LIST OF GLOBAL PARAMETERS
Here is a list of all global parameters. See the section for each
parameter below for details. Note that some are synonyms.
o abort shutdown script
o add group script
o add machine script
o addprinter command
o add share command
o add user script
o add user to group script
o afs username map
o algorithmic rid base
o allow trusted domains
o announce as
o announce version
o auth methods
o auto services
o bind interfaces only
o browse list
o change notify timeout
o change share command
o client lanman auth
o client ntlmv2 auth
o client plaintext auth
o client schannel
o client signing
o client use spnego
o config file
o deadtime
o debug hires timestamp
o debuglevel
o debug pid
o debug timestamp
o debug uid
o default
o default service
o delete group script
o deleteprinter command
o delete share command
o delete user from group script
o delete user script
o dfree command
o disable netbios
o disable spoolss
o display charset
o dns proxy
o domain logons
o domain master
o dos charset
o enable rid algorithm
o encrypt passwords
o enhanced browsing
o enumports command
o get quota command
o getwd cache
o guest account
o hide local users
o homedir map
o host msdfs
o hostname lookups
o hosts equiv
o idmap backend
o idmap gid
o idmap uid
o include
o interfaces
o keepalive
o kernel change notify
o kernel oplocks
o lanman auth
o large readwrite
o ldap admin dn
o ldap delete dn
o ldap filter
o ldap group suffix
o ldap idmap suffix
o ldap machine suffix
o ldap passwd sync
o ldap port
o ldap server
o ldap ssl
o ldap suffix
o ldap user suffix
o lm announce
o lm interval
o load printers
o local master
o lock dir
o lock directory
o lock spin count
o lock spin time
o log file
o log level
o logon drive
o logon home
o logon path
o logon script
o lpq cache time
o machine password timeout
o mangled stack
o mangle prefix
o mangling method
o map to guest
o max disk size
o max log size
o max mux
o max open files
o max protocol
o max smbd processes
o max ttl
o max wins ttl
o max xmit
o message command
o min passwd length
o min password length
o min protocol
o min wins ttl
o name cache timeout
o name resolve order
o netbios aliases
o netbios name
o netbios scope
o nis homedir
o ntlm auth
o nt pipe support
o nt status support
o null passwords
o obey pam restrictions
o oplock break wait time
o os2 driver map
o os level
o pam password change
o panic action
o paranoid server security
o passdb backend
o passwd chat
o passwd chat debug
o passwd program
o password level
o password server
o pid directory
o prefered master
o preferred master
o preload
o preload modules
o printcap
o private dir
o protocol
o read bmpx
o read raw
o read size
o realm
o remote announce
o remote browse sync
o restrict anonymous
o root
o root dir
o root directory
o security
o server schannel
o server signing
o server string
o set primary group script
o set quota command
o show add printer wizard
o shutdown script
o smb passwd file
o smb ports
o socket address
o socket options
o source environment
o stat cache
o syslog
o syslog only
o template homedir
o template primary group
o template shell
o time offset
o time server
o timestamp logs
o unicode
o unix charset
o unix extensions
o unix password sync
o update encrypted
o use mmap
o username level
o username map
o use spnego
o utmp
o utmp directory
o winbind cache time
o winbind enable local accounts
o winbind enum groups
o winbind enum users
o winbind gid
o winbind separator
o winbind trusted domains only
o winbind uid
o winbind use default domain
o wins hook
o wins partners
o wins proxy
o wins server
o wins support
o workgroup
o write raw
o wtmp directory
COMPLETE LIST OF SERVICE PARAMETERS
Here is a list of all service parameters. See the section for each
parameter below for details. Note that some are synonyms.
o acl compatibility
o admin users
o afs share
o allow hosts
o available
o blocking locks
o block size
o browsable
o browseable
o case sensitive
o casesignames
o comment
o copy
o create mask
o create mode
o csc policy
o default case
o default devmode
o delete readonly
o delete veto files
o deny hosts
o directory
o directory mask
o directory mode
o directory security mask
o dont descend
o dos filemode
o dos filetime resolution
o dos filetimes
o exec
o fake directory create times
o fake oplocks
o follow symlinks
o force create mode
o force directory mode
o force directory security mode
o force group
o force security mode
o force user
o fstype
o group
o guest account
o guest ok
o guest only
o hide dot files
o hide files
o hide special files
o hide unreadable
o hide unwriteable files
o hosts allow
o hosts deny
o inherit acls
o inherit permissions
o invalid users
o level2 oplocks
o locking
o lppause command
o lpq command
o lpresume command
o lprm command
o magic output
o magic script
o mangle case
o mangled map
o mangled names
o mangling char
o map acl inherit
o map archive
o map hidden
o map system
o max connections
o max print jobs
o max reported print jobs
o min print space
o msdfs proxy
o msdfs root
o nt acl support
o only guest
o only user
o oplock contention limit
o oplocks
o path
o posix locking
o postexec
o preexec
o preexec close
o preserve case
o printable
o printcap name
o print command
o printer
o printer admin
o printer name
o printing
o print ok
o profile acls
o public
o queuepause command
o queueresume command
o read list
o read only
o root postexec
o root preexec
o root preexec close
o security mask
o set directory
o share modes
o short preserve case
o strict allocate
o strict locking
o strict sync
o sync always
o use client driver
o user
o username
o users
o use sendfile
o -valid
o valid users
o veto files
o veto oplock files
o vfs object
o vfs objects
o volume
o wide links
o writable
o writeable
o write cache size
o write list
o write ok
EXPLANATION OF EACH PARAMETER
abort shutdown script (G)
This parameter only exists in the HEAD cvs branch. This is a full
path name to a script called by smbd(8) that should stop a
shutdown procedure issued by the shutdown script.
This command will be run as user.
Default: None.
Example: abort shutdown script = /sbin/shutdown -c
acl compatibility (S)
This parameter specifies what OS ACL semantics should be
compatible with. Possible values are winnt for Windows NT 4,
win2k for Windows 2000 and above and auto. If you specify auto,
the value for this parameter will be based upon the version of
the client. There should be no reason to change this parameter
from the default.
Default: acl compatibility = Auto
Example: acl compatibility = win2k
add group script (G)
This is the full pathname to a script that will be run AS ROOT
by smbd(8) when a new group is requested. It will expand any %g
to the group name passed. This script is only useful for
installations using the Windows NT domain administration tools.
The script is free to create a group with an arbitrary name to
circumvent unix group name restrictions. In that case the script
must print the numeric gid of the created group on stdout.
add machine script (G)
This is the full pathname to a script that will be run by
smbd(8) when a machine is added to its domain using the
administrator username and password method.
This option is only required when using sam back-ends tied to
the Unix uid method of RID calculation such as smbpasswd. This
option is only available in Samba 3.0.
Default: add machine script = <>
Example: add machine script = /usr/sbin/adduser -n -g machines -c
Machine -d /dev/null -s /bin/false %u
addprinter command (G)
With the introduction of MS-RPC based printing support for
Windows NT/2000 clients in Samba 2.2, the MS Add Printer Wizard
(APW) icon is now also available in the "Printers..." folder
displayed in a share listing. The APW allows for printers to be
added remotely to a Samba or Windows NT/2000 print server.
For a Samba host this means that the printer must be physically
added to the underlying printing system. The add printer command
defines a script to be run which will perform the necessary
operations for adding the printer to the print system and to add
the appropriate service definition to the smb.conf file in order
that it can be shared by smbd(8).
The addprinter command is automatically invoked with the
following parameter (in order):
printer name
share name
port name
driver name
location
Windows 9x driver location
All parameters are filled in from the PRINTER_INFO_2 structure
sent by the Windows NT/2000 client with one exception. The
"Windows 9x driver location" parameter is included for backwards
compatibility only. The remaining fields in the structure are
generated from answers to the APW questions.
Once the addprinter command has been executed, smbd will reparse
the smb.conf to determine if the share defined by the APW
exists. If the sharename is still invalid, then smbd will
return an ACCESS_DENIED error to the client.
The "add printer command" program can output a single line of
text, which Samba will set as the port the new printer is
connected to. If this line isn't output, Samba won't reload its
printer shares.
See also deleteprinter command, printing, show add printer wizard
Default: none
Example: addprinter command = /usr/bin/addprinter
add share command (G)
Samba 2.2.0 introduced the ability to dynamically add and delete
shares via the Windows NT 4.0 Server Manager. The add share
command is used to define an external program or script which
will add a new service definition to smb.conf. In order to
successfully execute the add share command, smbd requires that
the administrator be connected using a root account (i.e. uid ==
0).
When executed, smbd will automatically invoke the add share
command with four parameters.
configFile - the location of the global smb.conf file.
shareName - the name of the new share.
pathName - path to an **existing** directory on disk.
comment - comment string to associate with the new share.
This parameter is only used for add file shares. To add printer
shares, see the addprinter command.
See also change share command, delete share command.
Default: none
Example: add share command = /usr/local/bin/addshare
add user script (G)
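This is the full pathname to a script that will be run as root by
smbd(8) under the special circumstances described below. To use this
option, smbd must be set to security = server or security = domain,
and add user script must be set to the full pathname of a script
that creates a UNIX account given the argument %u, which expands to
the name of the UNIX account to create.
When a Windows user attempts to access the Samba server, at login
time (session setup in the SMB protocol), smbd contacts the password
server and attempts to authenticate the username and password. If
the authentication succeeds, smbd attempts to map the Windows user
to a UNIX user using the UNIX password file. If this lookup fails
but add user script is set, smbd will call the script as root,
expanding %u to the name of the user account to create.
If the script succeeds, smbd continues as though the user already
existed. In this way, UNIX user accounts are created dynamically to
match existing NT accounts.
See also security, password server, delete user script.
Default: add user script = <>
Example: add user script = /usr/local/samba/bin/add_user %u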
add user to group script (G)
Full path to the script that will be called when a user is added
to a group using the Windows NT domain administration tools. It
will be run by smbd(8) AS ROOT. Any %g will be replaced with the
group name and any %u will be replaced with the user name.
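Default: add user to group script =
Example: add user to group script = /usr/sbin/adduser %u %g
admin users (S)
admin users defines a list of users who are granted administrative
privileges on the share. This means that these users perform all
file operations as the super-user.
Use this option carefully, as any user in this list can do anything
they like on the share.
Default: no admin users
Example: admin users = jason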
afs share (S)
This parameter controls whether special AFS features are enabled
for this share. If enabled, it assumes that the directory
exported via the path parameter is a local AFS import. The
special AFS features include the attempt to hand-craft an AFS
token if you enabled --with-fake-kaserver in configure.
Default: afs share = no
Example: afs share = yes
afs username map (G)
If you are using the fake kaserver AFS feature, you might want
to hand-craft the usernames you are creating tokens for. For
example this is necessary if you have users from several domains
in your AFS Protection Database. One possible scheme is to code
users as DOMAIN+User as it is done by winbind with the + as a
separator.
The mapped user name must contain the cell name to log into, so
without setting this parameter there will be no token.
Default: none
Example: afs username map = %u@afs.samba.org
algorithmic rid base (G)
This determines how Samba will use its algorithmic mapping from
uids/gid to the RIDs needed to construct NT Security
Identifiers.
Setting this option to a larger value could be useful to sites
transitioning from WinNT and Win2k, as existing user and group
rids would otherwise clash with system users etc.
All UIDs and GIDs must be able to be resolved into SIDs for the
correct operation of ACLs on the server. As such the algorithmic
mapping can't be 'turned off', but pushing it 'out of the way'
should resolve the issues. Users and groups can then be assigned
'low' RIDs in arbitrary-rid supporting backends.
Default: algorithmic rid base = 1000
Example: algorithmic rid base = 100000
allow hosts (S)
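Synonym for hosts allow.
allow trusted domains (G)
This option only takes effect when the security option is set to
server or domain. If it is set to no, attempts to connect to a
resource from a domain or workgroup other than the one in which smbd
is running will fail, even if that domain is trusted by the remote
server doing the authentication.
This is useful if you only want your Samba server to serve resources
to users in the domain it is a member of. As an example, suppose
that there are two domains, DOMA and DOMB. DOMB is trusted by DOMA,
which contains the Samba server. Under normal circumstances, a user
with an account in DOMB can then access the resources of a UNIX
account with the same account name on the Samba server, even without
an account in DOMA. This can make it harder to draw a clear security
boundary.
Default: allow trusted domains = yes
announce as (G)
This specifies what type of server nmbd(8) will announce itself as
to the network neighborhood. By default this is set to Windows NT.
The valid options are "NT" (a synonym for "NT Server"), "NT Server",
"NT Workstation", "Win95" or "WfW", meaning Windows NT Server,
Windows NT Workstation, Windows 95 and Windows for Workgroups
respectively. Do not change this parameter unless you have a
specific need to stop Samba appearing as Windows NT, as this may
prevent Samba from working correctly as a browser server.
Default: announce as = NT Server
Example: announce as = Win95
announce version (G)
This specifies the major and minor version numbers that nmbd will
use when announcing itself as a server. The default is 4.9. Do not
change this parameter unless you have a specific need to make Samba
appear as a lower version.
Default: announce version = 4.9
Example: announce version = 2.0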
auth methods (G)
This option allows the administrator to choose what
authentication methods smbd will use when authenticating a user.
This option defaults to sensible values based on security. This
should be considered a developer option and used only in rare
circumstances. In the majority (if not all) of production
servers, the default setting should be adequate.
Each entry in the list attempts to authenticate the user in
turn, until the user authenticates. In practice only one method
will ever actually be able to complete the authentication.
Possible options include guest (anonymous access), sam (lookups
in local list of accounts based on netbios name or domain name),
winbind (relay authentication requests for remote users through
winbindd), ntdomain (pre-winbindd method of authentication for
remote domain users; deprecated in favour of winbind method),
trustdomain (authenticate trusted users by contacting the remote
DC directly from smbd; deprecated in favour of winbind method).
Default: auth methods = <>
Example: auth methods = guest sam winbind
auto services (G)
Synonym for preload.
available (S)
This parameter lets you turn off a service. If available = no, all
attempts to connect to the service will fail. Such failures are
logged.
Default: available = yes
bind interfaces only (G)
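This global parameter allows the Samba administrator to limit which
interfaces on a machine will serve requests. It affects the file
service smbd(8) and the name service nmbd(8) in slightly different
ways.
For name service it causes nmbd to bind to ports 137 and 138 on the
interfaces listed in the 'interfaces' parameter. nmbd also binds to
the "all addresses" interface (0.0.0.0) on ports 137 and 138 for the
purpose of reading broadcast messages. If this option is not set,
nmbd will service name requests on all interfaces. If "bind
interfaces only" is set, nmbd will check the source address of any
packets coming in on the broadcast sockets and discard any that do
not match the broadcast addresses of the interfaces in the
interfaces parameter list. As unicast packets are received on the
other sockets, this option lets nmbd refuse to serve hosts that send
packets through any interface not listed in the interfaces list. IP
source address spoofing defeats this simple check, however, so it
must not be relied on as a serious security feature for nmbd.
For file service it causes smbd(8) to bind only to the interfaces
listed in the 'interfaces' parameter. This restricts smbd to serving
packets coming in on those interfaces. Note that you should not use
this parameter on machines that are serving PPP or other
intermittent or non-broadcast network interfaces, as it will not
cope with non-permanent interfaces.
If bind interfaces only is set, then unless the network address
127.0.0.1 is added to the interfaces parameter list, smbpasswd(8)
and swat(8) may not work as expected, for the following reasons.
To change a user's SMB password, smbpasswd by default connects to
the localhost address (127.0.0.1) as an SMB client to issue the
password change request. If bind interfaces only is set, smbpasswd
will fail to connect in its default mode unless 127.0.0.1 has been
added to the interfaces parameter list. Alternatively, smbpasswd can
be forced to use the primary IP address of the local host by giving
that address with its -r remote machine parameter.
The swat status page tries to connect to smbd and nmbd at the
address 127.0.0.1 to determine if they are running. Not adding
127.0.0.1 will cause smbd and nmbd to always show as not running
even if they really are. This prevents swat from starting, stopping
and restarting the smbd and nmbd processes.
Default: bind interfaces only = no
blocking locks (S)
This parameter controls the behavior of smbd(8) when given a request
by a client to obtain a byte range lock on a region of an open file,
and the request has a time limit associated with it.
If this parameter is set and the lock range requested cannot be
satisfied immediately, samba will internally queue the lock request
and periodically attempt to obtain the lock until the timeout period
expires.
If this parameter is set to no, samba will behave as previous
versions did and will fail the lock request immediately if the lock
range cannot be obtained.
Default: blocking locks = yes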
block size (S)
This parameter controls the behavior of smbd(8) when reporting
disk free sizes. By default, this reports a disk block size of
1024 bytes.
Changing this parameter may have some effect on the efficiency
of client writes, this is not yet confirmed. This parameter was
added to allow advanced administrators to change it (usually to
a higher value) and test the effect it has on client write
performance without re-compiling the code. As this is an
experimental option it may be removed in a future release.
Changing this option does not change the disk free reporting
size, just the block size unit reported to the client.
browsable (S)
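Synonym for browseable.
browseable (S)
This controls whether this share is seen in the list of available
shares, in a net view and in the browse list.
Default: browseable = yes
browse list (G)
This controls whether smbd(8) will serve a browse list to a client
doing a NetServerEnum call. Normally set to yes. You should never
need to change this.
Default: browse list = yes
case sensitive (S)
See the discussion in the section NAME MANGLING.
Default: case sensitive = no
casesignames (S)
Synonym for case sensitive.
change notify timeout (G)
Samba allows a client to tell the server to watch a particular
directory for any changes and only reply to the SMB request when a
change has occurred. Such constant scanning is expensive under UNIX,
hence smbd(8) only performs a scan on each requested directory once
every change notify timeout.
Default: change notify timeout = 60
Example: change notify timeout = 300
This would change the scan time to once every 5 minutes.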
change share command (G)
Samba 2.2.0 introduced the ability to dynamically add and delete
shares via the Windows NT 4.0 Server Manager. The change share
command is used to define an external program or script which
will modify an existing service definition in smb.conf. In order
to successfully execute the change share command, smbd requires
that the administrator be connected using a root account (i.e.
uid == 0).
When executed, smbd will automatically invoke the change share
command with four parameters.
configFile - the location of the global smb.conf file.
shareName - the name of the new share.
pathName - path to an **existing** directory on disk.
comment - comment string to associate with the new share.
This parameter is only used to modify existing file share
definitions. To modify printer shares, use the "Printers..."
folder as seen when browsing the Samba host.
See also add share command, delete share command.
Default: none
Example: change share command = /usr/local/bin/addshare
client lanman auth (G)
This parameter determines whether or not smbclient(8) and other
samba client tools will attempt to authenticate itself to
servers using the weaker LANMAN password hash. If disabled, only
server which support NT password hashes (e.g. Windows NT/2000,
Samba, etc... but not Windows 95/98) will be able to be
connected from the Samba client.
The LANMAN encrypted response is easily broken, due to its
case-insensitive nature, and the choice of algorithm. Clients
without Windows 95/98 servers are advised to disable this
option.
Disabling this option will also disable the client plaintext
auth option.
Likewise, if the client ntlmv2 auth parameter is enabled, then
only NTLMv2 logins will be attempted. Not all servers support
NTLMv2, and most will require special configuration to use it.
Default: client lanman auth = yes
client ntlmv2 auth (G)
This parameter determines whether or not smbclient(8) will
attempt to authenticate itself to servers using the NTLMv2
encrypted password response.
If enabled, only an NTLMv2 and LMv2 response (both much more
secure than earlier versions) will be sent. Many servers
(including NT4 < SP4, Win9x and Samba 2.2) are not compatible
with NTLMv2.
Similarly, if enabled, NTLMv1, client lanman auth and client
plaintext auth authentication will be disabled. This also
disables share-level authentication.
If disabled, an NTLM response (and possibly a LANMAN response)
will be sent by the client, depending on the value of client
lanman auth.
Note that some sites (particularly those following 'best
practice' security policies) only allow NTLMv2 responses, and not
the weaker LM or NTLM.
Default: client ntlmv2 auth = no
client plaintext auth (G)
Specifies whether a client should send a plaintext password if
the server does not support encrypted passwords.
Default: client plaintext auth = yes
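The FILE FORMAT rules and the cautions given above for guest access in [homes], a non-printable [printers] section, admin users, client lanman auth and client plaintext auth, combined into one small checker. This is an added example, not part of the original manual page and not Samba code; the sample configuration is constructed, and parse_smb_conf and audit are hypothetical names.

```python
# Added illustration: parse smb.conf text by the FILE FORMAT rules and flag
# settings this page warns about. Not Samba code; SAMPLE is constructed.
import re

TRUE_WORDS, FALSE_WORDS = {"yes", "1", "true"}, {"no", "0", "false"}

SAMPLE = r"""
# constructed sample configuration
[Global]
   Client LANMAN Auth = No
[homes]
   read only = no
   Guest OK = YES
[printers]
   path = /usr/spool/public
   guest ok = yes
[projects]
   path = /srv/projects
   comment = shared = by everyone
   admin users = jason, \
      fred
"""


def norm(name):
    """Names are case-insensitive and whitespace in them is irrelevant."""
    return re.sub(r"\s+", "", name).lower()


def parse_smb_conf(text):
    """Return {section: {option: value}} with normalised section and option names."""
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw
        if line.rstrip().endswith("\\"):      # continued on the next line
            pending = line.rstrip()[:-1]
            continue
        pending = ""
        line = line.strip()
        if not line or line[0] in ";#":       # comment or blank line
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(norm(line[1:-1]), {})
        elif "=" in line and current is not None:
            name, value = line.split("=", 1)  # only the first '=' is significant
            current[norm(name)] = value.strip()
    return sections


def as_bool(value, default):
    """Interpret yes/no, 1/0, true/false in any case; fall back to the default."""
    word = (value or "").strip().lower()
    if word in TRUE_WORDS:
        return True
    if word in FALSE_WORDS:
        return False
    return default


def audit(cfg):
    """Return (section, option, reason) findings for settings the page cautions about."""
    glob = cfg.get("global", {})

    def flag(section, *names):
        # Service (S) options set in [global] are defaults for every section.
        body = cfg.get(section, {})
        return any(as_bool(body.get(norm(n), glob.get(norm(n))), False) for n in names)

    findings = []
    if "homes" in cfg and flag("homes", "guest ok", "public"):
        findings.append(("homes", "guest ok",
                         "all home directories are reachable without a password"))
    if "printers" in cfg and not flag("printers", "printable", "print ok"):
        findings.append(("printers", "printable",
                         "[printers] must be printable or the file is refused"))
    for section, body in cfg.items():
        if body.get("adminusers"):
            findings.append((section, "admin users",
                             body["adminusers"] + " act as super-user on this share"))
    lanman = as_bool(glob.get("clientlanmanauth"), True)           # default: yes
    if lanman:
        findings.append(("global", "client lanman auth", "weak LANMAN hash is offered"))
    # Disabling client lanman auth also disables client plaintext auth.
    if lanman and as_bool(glob.get("clientplaintextauth"), True):  # default: yes
        findings.append(("global", "client plaintext auth", "plaintext passwords may be sent"))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_smb_conf(SAMPLE)):
        print("%-10s %-22s %s" % finding)
```

The checker treats "public" and "print ok" as synonyms of "guest ok" and "printable", and reports the two client options when they are left at their default of yes.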
client schannel (G)
This controls whether the client offers or even demands the use
of the netlogon schannel. client schannel = no does not offer
the schannel, server schannel = auto offers the schannel but
does not enforce it, and server schannel = yes denies access if
the server is not able to speak netlogon schannel.
Default: client schannel = auto
Example: client schannel = yes
client signing (G)
This controls whether the client offers or requires the server
it talks to to use SMB signing. Possible values are auto,
mandatory and disabled.
When set to auto, SMB signing is offered, but not enforced. When
set to mandatory, SMB signing is required and if set to
disabled, SMB signing is not offered either.
Default: client signing = auto
client use spnego (G)
This variable controls whether samba clients will try
to use Simple and Protected NEGOciation (as specified by
rfc2478) with WindowsXP and Windows2000 servers to agree upon an
authentication mechanism. SPNEGO client support for SMB Signing
is currently broken, so you might want to turn this option off
when operating with Windows 2003 domain controllers in
particular.
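Default: client use spnego = yes
comment (S)
This is a text field that is shown next to a share when a client
lists the shares on the server via the network neighborhood or via
net view.
If you want to set the string that is displayed next to the machine
name, see the server string parameter.
Default: No comment string
Example: comment = Fred's Files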
config file (G)
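This allows you to override the config file to use, instead of the
default (usually smb.conf). There is a chicken and egg problem here,
as this option is set in the config file!
For this reason, if the name of the config file has changed when the
parameters are loaded, the parameters are reloaded from the new
config file.
This option takes the usual substitutions, which can be very useful.
If the config file does not exist then it will not be loaded
(allowing you to special-case the config files of just a few
clients).
Example: config file = /usr/local/samba/lib/smb.conf.%m
copy (S)
This parameter allows you to clone service entries.
The specified service is simply duplicated under the current
service's name. Any parameters specified in the current section
override those in the section being copied.
This feature lets you set up a 'template' service and create similar
services easily. Note that the service being copied must occur
earlier in the configuration file than the service doing the
copying.
Default: no value
Example: copy = otherservice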
create mask (S)
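Synonym for create mode.
When a file is created, the necessary permissions are calculated
according to the mapping from DOS modes to UNIX permissions, and the
resulting UNIX mode is then bit-wise ANDed with this parameter. This
parameter may be thought of as a bit mask for the UNIX modes of a
file. Any bit not set here will be removed from the modes set on a
file when it is created.
The default value of this parameter removes the group and other
write and execute bits from the UNIX modes.
Following this, Samba will bit-wise OR the UNIX mode produced with
this parameter with the value of the force create mode parameter,
which is set to 000 by default.
This parameter does not affect directory modes. See the directory
mode parameter for details.
See also the force create mode parameter for forcing particular mode
bits to be set on created files. See also the directory mode
parameter for the modes of created directories. See also the inherit
permissions parameter.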
Note that this parameter does not apply to permissions set by
Windows NT/2000 ACL editors. If the administrator wishes to
enforce a mask on access control lists also, they need to set
the security mask.
Default: create mask = 0744
Example: create mask = 0775
create mode (S)
Synonym for create mask.
csc policy (S)
This stands for client-side caching policy, and specifies how
clients capable of offline caching will cache the files in the
share. The valid values are: manual, documents, programs,
disable.
These values correspond to those used on Windows servers.
For example, shares containing roaming profiles can have offline
caching disabled using csc policy = disable.
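Default: csc policy = manual
Example: csc policy = programs
deadtime (G)
The value of the parameter (a decimal integer) represents the number
of minutes of inactivity before a connection is considered dead and
is disconnected. The deadtime only takes effect if no files are
open.
This is useful to stop a server's resources being exhausted by a
large number of inactive connections.
Most clients have an auto-reconnect feature when a connection is
broken, so in most cases this parameter should be transparent to
users.
Using this parameter with a short timeout is recommended for most
systems.
A deadtime of zero indicates that no auto-disconnection should be
performed.
Default: deadtime = 0
Example: deadtime = 15
debug hires timestamp (G)
Sometimes the timestamps in the log messages are needed with a
resolution higher than seconds. This boolean parameter adds
microsecond resolution to the timestamp message header when turned
on.
Note that the parameter debug timestamp must be on for this to have
an effect.
Default: debug hires timestamp = no
debuglevel (G)
Synonym for log level.
debug pid (G)
When using only one log file for more than one forked smbd(8)
process, it may be hard to follow which process outputs which
message. This boolean parameter adds the process id to the timestamp
message headers when turned on.
Note that the parameter debug timestamp must be on for this to have
an effect.
Default: debug pid = no
debug timestamp (G)
Samba debug log messages are timestamped by default. If you are
running at a high debug level these timestamps can be distracting.
This boolean parameter allows timestamping to be turned off.
Default: debug timestamp = yes
debug uid (G)
Samba is sometimes run as root and sometimes run as the connected
user. This boolean parameter inserts the current euid, egid, uid and
gid into the timestamp message headers in the log file when turned
on.
Note that the parameter debug timestamp must be on for this to have
an effect.
Default: debug uid = no
default (G)
Synonym for default service.
default case (S)
See the section on NAME MANGLING. Also note the short preserve case
parameter.
Default: default case = lower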
default devmode (S)
This parameter is only applicable to printable services. When
smbd is serving Printer Drivers to Windows NT/2k/XP clients,
each printer on the Samba server has a Device Mode which defines
things such as paper size and orientation and duplex settings.
The device mode can only correctly be generated by the printer
driver itself (which can only be executed on a Win32 platform).
Because smbd is unable to execute the driver code to generate
the device mode, the default behavior is to set this field to
NULL.
Most problems with serving printer drivers to Windows NT/2k/XP
clients can be traced to a problem with the generated device
mode. Certain drivers will do things such as crashing the
client's Explorer.exe with a NULL devmode. However, other
printer drivers can cause the client's spooler service
(spoolsv.exe) to die if the devmode was not created by the
driver itself (i.e. smbd generates a default devmode).
This parameter should be used with care and tested with the
printer driver in question. It is better to leave the device
mode to NULL and let the Windows client set the correct values.
Because drivers do not do this all the time, setting default
devmode = yes will instruct smbd to generate a default one.
For more information on Windows NT/2k printing and Device Modes,
see the MSDN documentation.
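Default: default devmode = no
default service (G)
This parameter specifies the name of a service which will be
connected to if the service actually requested cannot be found. Note
that the square brackets are NOT given in the parameter value (see
the example below).
There is no default value for this parameter. If this parameter is
not given, attempting to connect to a nonexistent service results in
an error.
Typically the default service would be a guest ok, read-only
service.
The apparent service name will be changed to equal that of the
requested service, which allows you to use macros like %S to make a
wildcard service.
Note also that any '_' characters in the name of the service used in
the default service will get mapped to a '/'. This allows for
interesting things.
Example: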
[global]
default service = pub
[pub]
path = /%S
delete group script (G)
This is the full pathname to a script that will be run AS ROOT
by smbd(8) when a group is requested to be deleted. It will expand
any %g to the group name passed. This script is only useful for
installations using the Windows NT domain administration tools.
deleteprinter command (G)
With the introduction of MS-RPC based printer support for
Windows NT/2000 clients in Samba 2.2, it is now possible to
delete a printer at run time by issuing the DeletePrinter() RPC
call.
For a Samba host this means that the printer must be physically
deleted from the underlying printing system. The deleteprinter
command defines a script to be run which will perform the
necessary operations for removing the printer from the print
system and from smb.conf.
The deleteprinter command is automatically called with only one
parameter: "printer name".
Once the deleteprinter command has been executed, smbd will
reparse smb.conf to check that the associated printer no longer exists. If
the sharename is still valid, then smbd will return an
ACCESS_DENIED error to the client.
See also addprinter command, printing, show add printer wizard
Default: none
Example: deleteprinter command = /usr/bin/removeprinter
delete readonly (S)
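This parameter allows read-only files to be deleted. This is not the
usual DOS behaviour, but it is what UNIX permits.
The parameter is useful for applications such as rcs, where UNIX
file ownership prevents changing file permissions and DOS semantics
prevent deleting a read-only file.
Default: delete readonly = no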
delete share command (G)
Samba 2.2.0 introduced the ability to dynamically add and delete
shares via the Windows NT 4.0 Server Manager. The delete share
command is used to define an external program or script which
will remove an existing service definition from smb.conf. In
order to successfully execute the delete share command, smbd
requires that the administrator be connected using a root
account (i.e. uid == 0).
When executed, smbd will automatically invoke the delete share
command with two parameters.
configFile - the location of the global smb.conf file.
shareName - the name of the existing service.
This parameter is only used to remove file shares. To delete
printer shares, see the deleteprinter command.
See also add share command, change share command.
Default: none
Example: delete share command = /usr/local/bin/delshare
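The two-argument contract described above, as an added example that is not part of the Samba distribution: a hook that validates shareName before it touches configFile, since it is run for an administrator connected as root. The function names valid_share_name and remove_share, the return codes and the name policy (letters, digits, '_', '.', '-') are assumptions of this example.

```shell
#!/bin/sh
# Added example: a "delete share command" hook (hypothetical, not Samba's).
# smbd invokes it with $1 = configFile and $2 = shareName.

# Accept only plain names; refuse the special sections of smb.conf.
valid_share_name() {
    case "$1" in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        global|homes|printers) return 1 ;;
    esac
    return 0
}

# Drop section [share] from the file; every other line is kept verbatim.
# Returns 2 = bad name, 3 = no such file, 4 = no temp file, 5 = not found.
remove_share() {
    conf=$1 share=$2
    valid_share_name "$share" || return 2
    [ -f "$conf" ] || return 3
    tmp=$(mktemp "$conf.XXXXXX") || return 4
    awk -v want="$share" '
        BEGIN { want = tolower(want) }
        /^[ \t]*\[[^]]*\]/ {            # a section header starts here
            name = $0
            sub(/^[ \t]*\[[ \t]*/, "", name)
            sub(/[ \t]*\].*$/, "", name)
            skip = (tolower(name) == want)
            if (skip) found = 1
        }
        !skip { print }
        END { exit(found ? 0 : 1) }
    ' "$conf" > "$tmp" || { rm -f "$tmp"; return 5; }
    # Write through the existing file so its owner and mode are unchanged.
    cat "$tmp" > "$conf"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Entry point when smbd invokes the script with its two arguments.
if [ "$#" -eq 2 ]; then
    remove_share "$1" "$2"
    exit $?
fi
```

Section names are compared without regard to case, as smb.conf itself does, and a request to delete [global], [homes] or [printers] is refused.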
delete user from group script (G)
Full path to the script that will be called when a user is
removed from a group using the Windows NT domain administration
tools. It will be run by smbd(8) AS ROOT. Any %g will be
replaced with the group name and any %u will be replaced with
the user name.
Default: delete user from group script =
Example: delete user from group script = /usr/sbin/deluser %u %g
delete user script (G)
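This is the full pathname to a script that smbd(8) runs as root
when users are managed with the remote RPC (NT) tools.
It is invoked when a remote client deletes a user from the server
using 'User Manager for Domains' or rpcclient.
The script should delete the given UNIX user.
Default: delete user script = <empty string>
Example: delete user script = /usr/local/samba/bin/del_user %u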
delete veto files (S)
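This parameter applies when Samba tries to delete a directory that
contains one or more vetoed directories (see the veto files
parameter). If it is set to no (the default), the delete fails when
a vetoed directory contains any non-vetoed files or directories.
This is usually what you want.
If it is set to yes, Samba attempts to recursively delete every file
and directory inside the vetoed directory. This is useful for
integration with file serving systems such as NetAtalk, which create
meta-files in directories that DOS/Windows users normally cannot see
(e.g. .AppleDouble).
Setting delete veto files = yes lets users who have the necessary
permissions delete these subdirectories transparently when they
delete the parent directory.
See also the veto files parameter.
Default: delete veto files = no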
deny hosts (S)
Synonym for hosts deny.
dfree command (G)
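The dfree command setting should only be used on systems where the
internal disk space calculation has problems. This has only been
known to happen on Ultrix, but it may occur on other operating
systems. The symptom is an "Abort Retry Ignore" error at the end of
each directory listing.
This setting allows an external program to replace the internal
routines that calculate the total disk space and the space
available. The example below gives a script that could fulfil this
function.
The external program is passed a single argument: a directory in the
filesystem being queried, typically the string ./. It should return
two integers in ASCII. The first is the total disk space in blocks
and the second is the number of available blocks. An optional third
return value gives the block size in bytes. The default block size
is 1024 bytes.
Note: the script should be owned by root and writable only by root,
and it must NOT be setuid or setgid!
Default: by default the internal routines are used to determine the
disk capacity and the remaining space.
Example: dfree command = /usr/local/samba/bin/dfree
The dfree script, which must be executable, could be:
#!/bin/sh
# $1 is the directory being queried; print "total available" in blocks
df "$1" | tail -n 1 | awk '{print $2" "$4}'
or, on Sys V based systems:
#!/bin/sh
/usr/bin/df -k "$1" | tail -n 1 | awk '{print $3" "$5}'
Note that on some systems you may have to give the commands with
their full path names.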
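The ownership rule stated for the dfree script is worth checking for every external program this section lets smb.conf name. The following added example (not Samba code) lists those programs from an smb.conf and checks each one's owner and mode; the function names list_hooks, hook_is_safe and audit_hooks are assumptions, and lines continued with a backslash are not handled.

```shell
#!/bin/sh
# Added example: audit the external programs smb.conf tells smbd to run.
# The parameter names are the ones documented in this section.
HOOKS='delete group script|deleteprinter command|delete share command'
HOOKS="$HOOKS|delete user from group script|delete user script"
HOOKS="$HOOKS|dfree command|enumports command"

# Print "parameter<TAB>program" for every hook set in smb.conf ($1).
# Names are matched without regard to case or embedded spaces.
list_hooks() {
    awk -v hooks="$HOOKS" '
        BEGIN { gsub(/ /, "", hooks) }
        /^[ \t]*[;#]/ { next }              # comment line
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = tolower(substr($0, 1, eq - 1))
            gsub(/[ \t]/, "", key)
            if (key !~ ("^(" hooks ")$")) next
            val = substr($0, eq + 1)
            sub(/^[ \t]+/, "", val)
            split(val, w, /[ \t]+/)         # first word is the program
            if (w[1] != "") printf "%s\t%s\n", key, w[1]
        }' "$1"
}

# True only if program $1 is owned by $2 (default root) and is not
# setuid, setgid, group-writable or world-writable.
hook_is_safe() {
    owner=${2:-root}
    [ -f "$1" ] || return 1
    [ -n "$(find "$1" -prune -user "$owner" -print)" ] || return 1
    [ -z "$(find "$1" -prune \( -perm -4000 -o -perm -2000 \
        -o -perm -0020 -o -perm -0002 \) -print)" ]
}

# Report each unsafe hook; the return status is the number found.
audit_hooks() {
    bad=0
    while IFS="$(printf '\t')" read -r key prog; do
        [ -n "$prog" ] || continue
        hook_is_safe "$prog" "$2" || {
            echo "UNSAFE: $key -> $prog"; bad=$((bad + 1)); }
    done <<EOF
$(list_hooks "$1")
EOF
    return "$bad"
}
```

Run it as audit_hooks /path/to/smb.conf; the optional second argument names an expected owner other than root.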
directory (S)
Synonym for path.
directory mask (S)
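This parameter is the octal mode used when converting DOS modes to
UNIX modes while creating UNIX directories.
When a directory is created, the required permissions are mapped
from DOS modes to UNIX modes, and the result is bit-wise ANDed with
this parameter. The parameter can be thought of as a bit mask for
the UNIX mode: any bit not set here is removed from the mode of a
directory when it is created.
By default, this parameter removes the 'group' and 'other' write
bits, so that only the owner of the directory can modify it.
Samba then bit-wise ORs the result with the value of the force
directory mode parameter, which is 000 by default (that is, no
extra mode bits are added).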
Note that this parameter does not apply to permissions set by
Windows NT/2000 ACL editors. If the administrator wishes to
enforce a mask on access control lists also, they need to set
the directory security mask.
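To set particular mode bits on created directories, see the force
directory mode parameter.
For the mode bits of created files, see the create mode parameter;
see also the directory security mask parameter.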
Also refer to the inherit permissions parameter.
Default: directory mask = 0755
Example: directory mask = 0775
directory mode (S)
Synonym for directory mask.
directory security mask (S)
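This parameter controls which UNIX permission bits can be modified
when a Windows NT client manipulates the UNIX permissions of a
directory through the native NT security dialog box.
The parameter is applied as a mask to the changed permission bits,
which prevents any bit not in the mask from being modified. In
effect, a zero bit in this mask is a bit the user is not allowed to
change.
If not set explicitly, this parameter takes the same value as the
directory mask parameter. To allow a user to modify all the
user/group/world permissions on a directory, set it to 0777.
Note that users who can reach the Samba server by other means can
easily bypass this restriction, so it is primarily useful for
standalone systems. Most system administrators will set it to the
default of 0777.
See also the force directory security mode, security mask and force
security mode parameters.
Default: directory security mask = 0777
Example: directory security mask = 0700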
disable netbios (G)
Enabling this parameter will disable netbios support in Samba.
Netbios is the only available form of browsing in all windows
versions except for 2000 and XP.
Note that clients that only support netbios won't be able to see
your samba server when netbios support is disabled.
Default: disable netbios = no
Example: disable netbios = yes
disable spoolss (G)
Enabling this parameter will disable Samba's support for the
SPOOLSS set of MS-RPC's and will yield identical behavior as
Samba 2.0.x. Windows NT/2000 clients will downgrade to using
Lanman style printing commands. Windows 9x/ME will be unaffected
by the parameter. However, this will also disable the ability to
upload printer drivers to a Samba server via the Windows NT Add
Printer Wizard or by using the NT printer properties dialog
window. It will also disable the capability of Windows NT/2000
clients to download print drivers from the Samba host upon
demand. Be very careful about enabling this parameter.
See also use client driver
Default: disable spoolss = no
display charset (G)
Specifies the charset that samba will use to print messages to
stdout and stderr and SWAT will use. Should generally be the
same as the unix charset.
Default: display charset = ASCII
Example: display charset = UTF8
dns proxy (G)
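Specifies that nmbd(8), when acting as a WINS server and finding
that a NetBIOS name has not been registered, should treat the
NetBIOS name word-for-word as a DNS name and query the DNS server
for that name on behalf of the client.
Note that the maximum length of a NetBIOS name is 15 characters, so
the DNS name (or DNS alias) can likewise be at most 15 characters.
nmbd spawns a second copy of itself to do the DNS name lookups,
because a name lookup is a blocking action.
See also wins support.
Default: dns proxy = yes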
domain logons (G)
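If this parameter is set to yes, the Samba server serves Windows
95/98 domain logons for the workgroup. Samba 2.2 implements only
limited domain controller functionality for Windows NT 4 domains.
For more details on setting up this feature, see the Samba-PDC-HOWTO
in the Samba documentation.
Default: domain logons = no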
domain master (G)
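This parameter tells smbd(8) to collate browse lists across the
wide area network. When it is set, nmbd claims a special
domain-specific NetBIOS name that identifies it as the domain master
browser for its workgroup. Local master browsers in the same
workgroup on different subnets give their browse lists to this
nmbd and then ask smbd(8) for a complete copy of the browse list for
the whole wide area network. Clients then contact their local
master browser and receive the domain-wide browse list instead of
only the list for their own subnet.
Note that a Windows NT Primary Domain Controller by default always
claims this workgroup-specific special NetBIOS name to identify
itself as the domain master browser for the workgroup (that is,
there is no way to prevent a Windows NT PDC from doing so). If this
parameter is set and nmbd claims the special name for a workgroup
before the Windows NT PDC does, cross-subnet browsing will behave
strangely and may fail.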
If domain logons = yes , then the default behavior is to enable
the domain master parameter. If domain logons is not enabled (the
default setting), then neither will domain master be enabled by
default.
Default: domain master = auto
dont descend (S)
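Some systems have special directories (for example /proc under
Linux) that clients do not need (or should not) look at, or that
may even be infinitely deep (recursive). This parameter lets you
specify a comma-delimited list of directories that the server will
always show as empty.
Note that Samba is very fussy about the format of 'dont descend'
entries. For example, you may need to write ./proc rather than just
/proc. Experimentation is the best policy.
Default: none (that is, all directories may be descended into)
Example: dont descend = /proc,/dev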
dos charset (G)
DOS SMB clients assume the server has the same charset as they
do. This option specifies which charset Samba should use to talk
to DOS clients.
The default depends on which charsets you have installed. Samba
tries to use charset 850 but falls back to ASCII in case it is
not available. Run testparm(1) to check the default on your
system.
dos filemode (S)
The default behavior in Samba is to provide UNIX-like behavior
where only the owner of a file/directory is able to change the
permissions on it. However, this behavior is often confusing to
DOS/Windows users. Enabling this parameter allows a user who has
write access to the file (by whatever means) to modify the
permissions on it. Note that a user belonging to the group
owning the file will not be allowed to change permissions if the
group is only granted read access. Ownership of the
file/directory is not changed, only the permissions are
modified.
Default: dos filemode = no
dos filetime resolution (S)
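Under the DOS and Windows FAT filesystems, the finest time
resolution is two seconds. Setting this parameter for a share makes
Samba round the reported time down to a two-second boundary when a
query to smbd(8) requires one-second resolution.
This parameter is mainly used to work around a compatibility problem
between Visual C++ and Samba. When oplocks are enabled on a share,
Visual C++ uses two different time-reading calls to check whether a
file has changed since it was last read. One call uses one-second
granularity and the other uses two-second granularity. Because the
two-second call rounds any odd second down, the two results differ
whenever the file's timestamp is an odd number of seconds, and
Visual C++ keeps reporting that the file has changed. Setting this
parameter makes the two calls agree, and Visual C++ is happy.
Default: dos filetime resolution = no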
dos filetimes (S)
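Under DOS and Windows, a user who can write to a file can change
its timestamp. Under POSIX semantics, only the owner of the file or
root may change the timestamp. By default, Samba follows POSIX
semantics and does not change the timestamp of a file if the user
smbd is acting for is not the file's owner. Setting this parameter
to yes makes smbd(8) follow DOS semantics and change the file's
timestamp as DOS requires.
Default: dos filetimes = no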
enable rid algorithm (G)
This option is used to control whether or not smbd in Samba 3.0
should fall back to the algorithm used by Samba 2.2 to generate
user and group RIDs. The long-term development goal is to remove
the algorithmic mappings of RIDs altogether, but this has proved
to be difficult. This parameter is mainly provided so that
developers can turn the algorithm on and off and see what
breaks. This parameter should not be disabled by non-developers
because certain features in Samba will fail to work without it.
Default: enable rid algorithm = <yes>
encrypt passwords (G)
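This boolean controls whether encrypted passwords are negotiated
with the client. Note that Windows NT 4.0 SP3 and above, and also
Windows 98, use encrypted passwords by default unless the relevant
registry entry has been changed. To use encrypted passwords, see the
chapter "User Database" in the Samba HOWTO Collection.
For encrypted passwords to work correctly, smbd(8) must either have
access to a local smbpasswd(5) file (see the smbpasswd(8) manual
page for how to set up and maintain this file), or the parameter
security = [server|domain|ads] must be set, which makes smbd rely
on another server to authenticate passwords.
Default: encrypt passwords = yes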
enhanced browsing (G)
This option enables a couple of enhancements to cross-subnet
browse propagation that have been added in Samba but which are
not standard in Microsoft implementations.
The first enhancement to browse propagation consists of a
regular wildcard query to a Samba WINS server for all Domain
Master Browsers, followed by a browse synchronization with each
of the returned DMBs. The second enhancement consists of a
regular randomised browse synchronization with all currently
known DMBs.
You may wish to disable this option if you have a problem with
empty workgroups not disappearing from browse lists. Due to the
restrictions of the browse protocols these enhancements can
cause an empty workgroup to stay around forever which can be
annoying.
In general you should leave this option enabled as it makes
cross-subnet browse propagation much more reliable.
Default: enhanced browsing = yes
enumports command (G)
The concept of a "port" is fairly foreign to UNIX hosts. Under
Windows NT/2000 print servers, a port is associated with a port
monitor and generally takes the form of a local port (i.e.
LPT1:, COM1:, FILE:) or a remote port (i.e. LPD Port Monitor,
etc...). By default, Samba has only one port defined--"Samba
Printer Port". Under Windows NT/2000, all printers must have a
valid port name. If you wish to have a list of ports displayed
(smbd does not use a port name for anything) other than the
default "Samba Printer Port", you can define enumports command
to point to a program which should generate a list of ports, one
per line, to standard output. This listing will then be used in
response to the level 1 and 2 EnumPorts() RPC.
Default: no enumports command
Example: enumports command = /usr/bin/listports
exec (S)
Synonym for preexec.
fake directory create times (S)
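NTFS and Windows VFAT filesystems keep a create time for every file
and directory. This is not the same as the ctime (status change
time) that UNIX keeps, so by default Samba reports the earliest of
the various times UNIX does keep as the create time of a file or
directory. Setting this parameter on a share makes Samba report a
fake directory create time of midnight, 1980-01-01.
This parameter is mainly used to work around a compatibility problem
between Visual C++ and Samba. Makefiles generated by Visual C++
list the object directory as a dependency of each object file and
include a rule to create the directory. When NMAKE compares
timestamps, it uses the create time of a directory. The object
directory is created if it does not exist; once it exists, its
create time is always earlier than that of the object files it
contains.
UNIX time semantics, however, mean that Samba updates the reported
create time of the directory whenever a file is created or deleted
in the share directory. NMAKE then finds that every object file in
the directory except the most recently built one is out of date
(compared with the directory's create time) and rebuilds them.
Setting this parameter ensures that a directory's create time is
earlier than that of the files in it, so NMAKE works as expected.
Default: fake directory create times = no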
fake oplocks (S)
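Oplocks are the mechanism that lets a client cache file operations
on the server locally. If the server grants an oplock
(opportunistic lock), the client may simply assume that it is the
only one accessing the file and cache it freely. Some oplock types
even allow file open and close operations to be cached. This can
give an enormous performance benefit.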