Appendix B. Samba Configuration Option Quick Reference

The first section of this appendix lists each option that can be used in a Samba configuration file, which is usually named smb.conf. Most configuration files contain a global section of options that apply to all services (shares) and a separate section for various individual shares. If an option applies only to the global section, [global] appears to the right of its name in the following reference section.

Except where noted, when specifying elements of a list, the elements can be separated by spaces, tabs, commas, semicolons, escaped newlines, or escaped carriage returns.

Following this reference section is a glossary of value types, and a list of variables Samba recognizes.

Configuration File Options

abort shutdown script = command[global]

Allowable values: command

Default: NULL

Specifies a command that stops the shutdown procedure started by shutdown script. The command will be run with the UID of the connected user. New in Samba 3.0.

add printer command = command[global]

Allowable values: command

Default: NULL

Specifies a command that creates a new printer on the system hosting the Samba server. This command runs as root when the Windows NT/2000/XP Add Printer Wizard is run. The command will be passed a printer name, share name, port name, driver name, Windows NT/2000/XP driver location, and Windows 95/98/Me driver location, in that order. It will need to add the printer to the system and a share definition for the printer to smb.conf. See also add printer wizard, printing, and show add printer wizard.

add machine script = command[global]

Allowable values: command

Default: NULL

Specifies a command that adds a computer to the Samba server's domain. New in Samba 3.0.

add share command = command[global]

Allowable values: command

Default: NULL

Specifies a command that creates a new share on the Samba server. This command runs as root when a share is created using the Windows NT/2000/XP Server Manager. The client user must be logged on as the root user. The command will be passed the name of the Samba configuration file, the name of the share to be created, the full pathname of a directory on the Samba server (which must already exist), and a string to use as a comment for the share, in that order. The command must add a share definition for the share to smb.conf. See also add printer command, for adding a print share.

add user script = command[global]

Allowable values: command

Default: NULL

Specifies a command that creates a new user on the system hosting the Samba server. This command runs as root when access to a Samba share is attempted by a Windows user who does not have an account on the hosting system, but does have an account maintained by a primary domain controller on a different system. The command should accept the name of the user as a single argument that matches the behavior of typical adduser commands. Samba honors the %u value (username) as the argument to the command. Requires security = server or security = domain. See also delete user script.

admin users = user list

Allowable values: user list

Default: NULL

Specifies users who will be granted root permissions on the share by Samba.

ads server = value[global]

Allowable values: DNS hostname or IP address

Default: NONE

Specifies the Active Directory server, used by Samba 3.0 for authenticating clients. Requires security = ads. New in Samba 3.0.

algorithmic rid base = number[global]

Allowable values: positive integer

Default: 1000

Specifies the base value that Samba uses when calculating Windows domain security identifier equivalents to Unix UIDs. See also non unix account range. New in Samba 3.0.

allow hosts = host list

Allowable values: list of hosts or networks

Default: NULL

Specifies systems that can connect to the share or shares. If NULL, any system can access the share unless there is a hosts deny option. Synonym for hosts allow.

allow trusted domains = boolean[global]

Allowable values: YES, NO

Default: YES

Allows access to users who lack accounts on the Samba server but have accounts in another, trusted domain. Requires security = server or security = domain.

announce as = value[global]

Allowable values: NT, Win95, Wf W

Default: NT

Has Samba announce itself as something other than an NT server. Discouraged because it interferes with serving browse lists.

announce version = value[global]

Allowable values: two numbers separated by a dot character

Default: 4.5

Instructs Samba to announce itself as a different version SMB server. Discouraged.

auth methods = list[global]

Allowable values: guest, sam, ntdomain

Default: NONE

Specifies what methods Samba tries in turn to authenticate users. New in Samba 3.0.

auto services = service list[global]

Allowable values: service list

Default: NULL

Specifies a list of shares that always appear in browse lists. Also called preload.

available = boolean

Allowable values: YES, NO

Default: YES

If set to NO, denies access to a share. The share appears in the browse list, but attempts to access it will fail.

bind interfaces only = boolean[global]

Allowable values: YES, NO

Default: NO

If set to YES, shares and browsing are provided only on interfaces in an interfaces list (see interfaces). If you set this option to YES, be sure to add 127.0.0.1 to the interfaces list to allow smbpasswd to connect to the local system to change passwords. This is a convenience option; it does not improve security.

block size = number

Allowable values: integer

Default: 1024

Sets the size of disk blocks as reported by smbd to the client. Obsolete starting with Samba 3.0.

blocking locks = boolean

Allowable values: YES, NO

Default: YES

If YES, honors byte range lock requests with time limits. Samba will queue the requests and retry them until the time period expires.

browsable = boolean

Allowable values: YES, NO

Default: YES

Allows a share to be announced in browse lists. Also called browseable.

browse list = boolean[global]

Allowable values: YES, NO

Default: YES

If YES, serves the browse list to other systems on the network. Avoid changing.

browseable = boolean

Allowable values: YES, NO

Default: YES

Synonym for browsable.

case sensitive = boolean[global]

Allowable values: YES, NO

Default: NO

If YES, uses the exact case the client supplied when trying to resolve a filename. If NO, matches either upper- or lowercase name. Avoid changing. Also called casesignames.

casesignames = boolean[global]

Allowable values: YES, NO

Default: NO

Synonym for case sensitive.

change notify timeout = number[global]

Allowable values: positive number

Default: 60

Sets the number of seconds between checks when a client asks for notification of changes in a directory. Avoid lowering.

change share command = command[global]

Allowable values: command

Default: NULL

Specifies a command that modifies a share definition on the Samba server. This command runs as root when a share is created using the Windows NT/2000/XP Server Manager. The client user must be logged on as the root user. The command is passed the name of the Samba configuration file, the name of the share to be modified, the full pathname of a directory on the Samba server (which must already exist), and a string to use as a comment for the share, in that order. The command modifies the share definition for the share in smb.conf. See also add share command and delete share command.

character set = name

Allowable values: ISO8859-1, ISO8859-2, ISO8859-5, KOI8-R

Default: NULL

If set, translates from DOS code pages to the Western European (ISO8859-1), Eastern European (ISO8859-2), Russian Cyrillic (ISO8859-5), or Alternate Russian (KOI8-R) character set. The client code page option must be set to 850. Obsolete starting with Samba 3.0.

client code page = name

Allowable values: see Table 11-4 in Chapter 11

Default: 850 (MS-DOS Latin 1)

Sets the DOS code page explicitly, overriding any previous valid chars settings. Examples of values are 850 for Western European, 437 for the U.S. standard, and 932 for Japanese Shift-JIS. Obsolete starting with Samba 3.0.

code page directory = directory[global]

Allowable values: full directory name

Default: /usr/local/samba/lib/codepages

Specifies the directory that stores code pages. Obsolete starting with Samba 3.0.

coding system = value[global]

Allowable values: euc, cap, hex, hexN, sjis, j8bb, j8bj, jis8, j8bh, j8@b, j8@j,j8@h, j7bb, j7bj, jis7, j7bh, j7@b, j7@j, j7@h, jubb, jubj, junet, jubh, ju@b, ju@j, ju@h

Default: NULL

Sets the coding system used, notably for Kanji. This is employed for filenames and should correspond to the code page in use. The client code page option must be set to 932 ( Japanese Shift-JIS). Obsolete starting with Samba 3.0.

comment = string

Allowable values: string

Default: NULL

Sets the comment corresponding to a share. The comment appears in places such as a net view listing or through the Network Neighborhood. See also the server string configuration option.

config file = filename[global]

Allowable values: \filename

Default: NULL

Selects a new Samba configuration file to read instead of the current one. Used to relocate the configuration file or used with % variables to select custom configuration files for some users or systems.

copy = section name

Allowable values: existing section's name

Default: NULL

Copies the configuration of an already defined share into the share in which this option appears. Used with % variables to select custom configurations for systems, architectures, and users. Each option specified or copied takes precedence over earlier specifications of the option.

create mask = value

Allowable values: octal value from 0 to 0777

Default: 0744

Sets the maximum allowable permissions for new files (e.g., 0755). See also directory mask. To require certain permissions to be set, see force create mask and force directory mask. Also called create mode.

create mode = value

Allowable values: octal value from 0 to 0777

Default: 0744

Synonym for create mask.

csc policy = value

Allowable values: manual, documents, programs, or disable

Default: manual

Sets the client-side caching policy, telling them how to cache files offline if they are capable of doing so.

deadtime = number[global]

Allowable values: number

Default: 0

Specifies the time in minutes before an unused connection will be terminated. Zero means never. Used to keep clients from tying up server resources for long periods of time. If used, clients must autoreconnect after the specified period of inactivity. See also keepalive.

debug hires timestamp = boolean[global]

Allowable values: YES, NO

Default: NO

Changes the timestamps in log entries from seconds to microseconds. Useful for measuring performance.

debug pid = boolean[global]

Allowable values: YES, NO

Default: NO

Adds the process ID of the Samba server to log lines, making it easier to debug a particular server. Requires debug timestamp = yes to work.

debug timestamp = boolean[global]

Allowable values: YES, NO

Default: YES

Timestamps all log messages. Can be turned off when it's not useful (e.g., in debugging ). Also called timestamp logs.

debug uid = boolean[global]

Allowable values: YES, NO

Default: NO

Adds the real and effective user ID and group ID of the user being served to the logs, making it easier to debug one particular user.

debuglevel = number[global]

Allowable values: number

Default: 0

Sets the logging level used. Values of 3 or more slow Samba noticeably. Also called log level. Recommended value is 1.

default = service name[global]

Allowable values: share name

Default: NULL

Specifies the name of a service (share) to provide if someone requests a service he doesn't have permission to use or that doesn't exist. The path is set from the name the client specified, with any underscore ( _ ) characters changed to slash ( / ) characters, allowing access to any directory on the Samba server. Use is discouraged. See also load printers. Also called default service.

default case = value

Allowable values: LOWER, UPPER

Default: LOWER

Sets the case in which to store new filenames. LOWER indicates lowercase, and UPPER indicates uppercase.

default devmode = boolean

Allowable values: YES, NO

Default: NO

Used with printer shares being accessed by Windows NT/2000/XP clients to set a default device mode for the printer. Can be problematic. Use with care.

default service = share name[global]

Allowable values: share name

Default: NULL

Synonym for default.

delete printer command = command[global]

Allowable values: command

Default: NULL

Specifies a command that removes a printer from the system hosting the Samba server and deletes its service definition from smb.conf. The command is passed a printer name as its only argument. See also add printer command, printing, and show add printer wizard.

delete readonly = boolean

Allowable values: NO, YES

Default: NO

If set to YES, allows delete requests to remove read-only files. This is not allowed in MS-DOS/Windows, but it is normal in Unix, which has separate directory permissions. Used with programs such as RCS.

delete share command = command

Allowable values: command

Default: NULL

Specifies a command that deletes a share from the Samba server. The command runs when a user logged in as the root user on a Windows NT/2000/XP system deletes a share using Server Manager. The command is passed the name of the Samba configuration file and the name of the share to be deleted. The command must remove the definition of the share from the configuration file. See also add share command and change share command.

delete user script = command[global]

Allowable values: full path to script

Default: NULL

Sets the command to run as root when a user connects who no longer has an account on the domain's PDC. Honors %u. Can be used to delete the user account automatically from the Samba server's host. Requires security = domain or security = user. Use with caution. See also add user script.

delete veto files = boolean

Allowable values: NO, YES

Default: NO

If set to YES, allows delete requests for a directory containing files or subdirectories the user can't see due to the veto files option. If set to NO, the directory is not deleted and still contains invisible files.

deny hosts = host list

Allowable values: hosts or networks

Default: NULL

Specifies a list of systems from which to refuse connections. Also called hosts deny.

dfree command = command[global]

Allowable values: command

Default: varies

Specifies a command to run on the server to return free disk space. Not needed unless the Samba host system's dfree command does not work properly.

directory = directory

Allowable values: Unix directory name

Default: varies

Sets the path to the directory provided by a file share or used by a printer share. If the option is omitted in the [homes] share, it is set automatically to the user's home directory; otherwise, it defaults to /tmp. For a printer share, the directory is used to spool printer files. Honors the %u (user) and %m (machine) variables. Synonym for path.

directory mask = value

Allowable values: octal value from 0 to 0777

Default: 0755

Sets the maximum allowable permissions for newly created directories. To require that certain permissions be set, see the force create mask and force directory mask options. Also called directory mode.

directory mode = value

Allowable values: octal value from 0 to 0777

Default: 0755

Synonym for directory mask.

directory security mask = value

Allowable values: octal value from 0 to 0777

Default: same as directory mode

Controls which permission bits can be changed if a user edits the Unix permissions of directories on the Samba server from a Windows system. Any bit that is set in the mask can be changed by the user; any bit that is clear remains the same on the directory even if the user tries to change it. Requires nt acl support = YES.

disable spools = boolean[global]

Allowable values: YES, NO

Default: NO

If set to YES, Windows NT/2000/XP systems will downgrade to Lanman-style printing. Prevents printer driver uploading and downloading from working. Use with care. See also use client driver.

dns proxy = boolean[global]

Allowable values: YES, NO

Default: YES

If set to YES and if wins server = YES, looks up hostnames in DNS when they are not found using WINS.

domain admin group = user list[global]

Allowable values: usernames and/or group names

Default: NULL

Specifies users who are in the Domain Admins group and have domain administrator authority when Samba is the PDC. See also domain guest group and domain logons. Useful in Samba 2.2 only. Obsolete in Samba 3.0.

domain guest group = user/group list[global]

Allowable values: list of usernames and/or group names

Default: NULL

Specifies users who are in the Domain Guest group when Samba is the PDC. See also domain admin group and domain logons. Useful in Samba 2.2 only. Obsolete in Samba 3.0.

domain logons = boolean[global]

Allowable values: YES, NO

Default: NO

Causes Samba to serve domain logons. This is one of the basic functions required when Samba is acting as the PDC.

domain master = boolean[global]

Allowable values: YES, NO

Default: automatic

Makes Samba a domain master browser for its domain. When domain logons are enabled, domain master defaults to YES. Otherwise, it defaults to NO.

dont descend = list

Allowable values: list of directories

Default: NULL

Prohibits a change directory or search in the directories specified. This is a browsing-convenience option; it doesn't provide any extra security.

dos filemode = boolean

Allowable values: YES, NO

Default: NO

Allows anyone with write permissions to change permissions on a file, as allowed by MS-DOS.

dos filetime resolution = boolean

Allowable values: YES, NO

Default: NO

Sets file times on Unix to match MS-DOS standards (rounding to the next even second). Recommended if using Visual C++ or a PC make program to avoid remaking the programs unnecessarily. Use with the dos filetimes option.

dos filetimes = boolean

Allowable values: YES, NO

Default: NO

Allows nonowners to change file times if they can write to the files, matching the behavior of MS-DOS and Windows. See also dos filetime resolution.

encrypt passwords = boolean[global]

Allowable values: YES, NO

Default: NO in Samba 2.2, YES in Samba 3.0

If enabled, Samba will use password encryption. Requires an smbpasswd file on the Samba server.

enhanced browsing = boolean[global]

Allowable values: YES, NO

Default: YES

Automatically synchronizes browse lists with all domain master browsers known to the WINS server. Makes cross-subnet browsing more reliable, but also can cause empty workgroups to persist forever in browse lists.

enumports command = command[global]

Allowable values: command

Default: NULL

Allows for a command to provide clients with customized MS-DOS/Windows port names (e.g., PRN:) corresponding to printers. Samba's default behavior is to return Samba Printer Port. The command must return a series of lines, with one port name per line.

exec = command

Allowable values: command

Default: NULL

Sets a command to run as the user before connecting to the share. Synonym for preexec. See also the postexec, root preexec, and root postexec options.

fake directory create times = boolean

Allowable values: YES, NO

Default: NO

A bug fix for users of Microsoft nmake. If YES, Samba sets directory create times such that nmake won't remake all files every time.

fake oplocks = boolean

Allowable values: YES, NO

Default: NO

If set, returns YES whenever a client asks if it can lock a file and cache it locally but does not enforce the lock on the server. Results in performance improvement for read-only shares. Never use with read/write shares! See also oplocks and veto oplock files.

follow symlinks = boolean

Allowable values: YES, NO

Default: YES

If set to YES, Samba follows symlinks in a file share(s). See the wide links option if you want to restrict symlinks to just the current share.

force create mode = value

Allowable values: octal value from 0 to 0777

Default: 0

Takes effect when a user on a Windows client creates a file that resides on the Samba server. This option ensures that bits set in this mask will always be set on the new file. Used with the create mask configuration option.

force directory mode = value

Allowable values: octal value from 0 to 0777

Default: 0

Takes effect when a user on a Windows client creates a directory on the Samba server. This option ensures that bits set in the mask will be set on every newly created directory. Used with directory mask.

force directory security mode = value

Allowable values: octal value from 0 to 0777

Default