<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE chapter PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
-<chapter id="printing">
+<chapter id="devprinting">
<chapterinfo>
<author>
<firstname>Gerald</firstname><surname>Carter</surname>
<title>NT4-Style Domains (Includes Samba Domains)</title>
<para>
- The following is a simple example of an NT4 DMS &smb.conf; file that shows only the global section.
-<screen>
-#Global parameters
-[global]
- workgroup = MEGANET2
- security = DOMAIN
- idmap uid = 10000-20000
- idmap gid = 10000-20000
- template primary group = "Domain Users"
- template shell = /bin/bash
-</screen>
+ <link linkend="idmapnt4dms">NT4 Domain Member Server smb.con</link> is a simple example of an NT4 DMS
+ &smb.conf; file that shows only the global section.
</para>
+<example id="idmapnt4dms">
+<title>NT4 Domain Member Server smb.conf</title>
+<smbconfblock>
+<smbconfcomment>Global parameters</smbconfcomment>
+<smbconfsection name="[global]"/>
+<smbconfoption name="workgroup">MEGANET2</smbconfoption>
+<smbconfoption name="security">DOMAIN</smbconfoption>
+<smbconfoption name="idmap uid">10000-20000</smbconfoption>
+<smbconfoption name="idmap gid">10000-20000</smbconfoption>
+<smbconfoption name="template primary group">"Domain Users"</smbconfoption>
+<smbconfoption name="template shell">/bin/bash</smbconfoption>
+</smbconfblock>
+</example>
+
<para>
<indexterm><primary>winbind</primary></indexterm>
<indexterm><primary>/etc/nsswitch.conf</primary></indexterm>
<indexterm><primary>domain join</primary></indexterm>
<indexterm><primary>ADS domain</primary></indexterm>
The procedure for joining an ADS domain is similar to the NT4 domain join, except the &smb.conf; file
- will have the following contents:
-<screen>
-# Global parameters
-[global]
- workgroup = BUTTERNET
- netbios name = GARGOYLE
- realm = BUTTERNET.BIZ
- security = ADS
- template shell = /bin/bash
- idmap uid = 500-10000000
- idmap gid = 500-10000000
- winbind use default domain = Yes
- winbind nested groups = Yes
- printer admin = "BUTTERNET\Domain Admins"
-</screen>
+ will have the contents shown in <link linkend="idmapadsdms">ADS Domain Member Server smb.conf</link>
</para>
+<example id="idmapadsdms">
+<title>ADS Domain Member Server smb.conf</title>
+<smbconfblock>
+<smbconfcomment>Global parameters</smbconfcomment>
+<smbconfsection name="[global]"/>
+<smbconfoption name="workgroup">BUTTERNET</smbconfoption>
+<smbconfoption name="netbios name">GARGOYLE</smbconfoption>
+<smbconfoption name="realm">BUTTERNET.BIZ</smbconfoption>
+<smbconfoption name="security">ADS</smbconfoption>
+<smbconfoption name="template shell">/bin/bash</smbconfoption>
+<smbconfoption name="idmap uid">500-10000000</smbconfoption>
+<smbconfoption name="idmap gid">500-10000000</smbconfoption>
+<smbconfoption name="winbind use default domain">Yes</smbconfoption>
+<smbconfoption name="winbind nested groups">Yes</smbconfoption>
+<smbconfoption name="printer admin">"BUTTERNET\Domain Admins"</smbconfoption>
+</smbconfblock>
+</example>
+
<para>
<indexterm><primary>KRB</primary></indexterm>
<indexterm><primary>kerberos</primary></indexterm>
</para>
<para>
- An example &smb.conf; file for and ADS domain environment is shown here:
-<screen>
-# Global parameters
-[global]
- workgroup = KPAK
- netbios name = BIGJOE
- realm = CORP.KPAK.COM
- server string = Office Server
- security = ADS
- allow trusted domains = No
- idmap backend = idmap_rid:KPAK=500-100000000
- idmap uid = 500-100000000
- idmap gid = 500-100000000
- template shell = /bin/bash
- winbind use default domain = Yes
- winbind enum users = No
- winbind enum groups = No
- winbind nested groups = Yes
- printer admin = "Domain Admins"
-</screen>
+ An example &smb.conf; file for and ADS domain environment is shown in <link linkend="idmapadsridDMS">ADS
+ Domain Member smb.conf using idmap_rid</link>.
</para>
+<example id="idmapadsridDMS">
+<title>ADS Domain Member smb.conf using idmap_rid</title>
+<smbconfblock>
+<smbconfcomment>Global parameters</smbconfcomment>
+<smbconfsection name="[global]"/>
+<smbconfoption name="workgroup">KPAK</smbconfoption>
+<smbconfoption name="netbios name">BIGJOE</smbconfoption>
+<smbconfoption name="realm">CORP.KPAK.COM</smbconfoption>
+<smbconfoption name="server string">Office Server</smbconfoption>
+<smbconfoption name="security">ADS</smbconfoption>
+<smbconfoption name="allow trusted domains">No</smbconfoption>
+<smbconfoption name="idmap backend">idmap_rid:KPAK=500-100000000</smbconfoption>
+<smbconfoption name="idmap uid">500-100000000</smbconfoption>
+<smbconfoption name="idmap gid">500-100000000</smbconfoption>
+<smbconfoption name="template shell">/bin/bash</smbconfoption>
+<smbconfoption name="winbind use default domain">Yes</smbconfoption>
+<smbconfoption name="winbind enum users">No</smbconfoption>
+<smbconfoption name="winbind enum groups">No</smbconfoption>
+<smbconfoption name="winbind nested groups">Yes</smbconfoption>
+<smbconfoption name="printer admin">"Domain Admins"</smbconfoption>
+</smbconfblock>
+</example>
+
<para>
<indexterm><primary>large domain</primary></indexterm>
<indexterm><primary>Active Directory</primary></indexterm>
</para>
<para>
- The following example is for an ADS domain:
+ An example is for an ADS domain is shown in <link linkend="idmapldapDMS">ADS Domain Member Server using
+ LDAP</link>.
</para>
- <para>
-<screen>
-# Global parameters
-[global]
- workgroup = SNOWSHOW
- netbios name = GOODELF
- realm = SNOWSHOW.COM
- server string = Samba Server
- security = ADS
- log level = 1 ads:10 auth:10 sam:10 rpc:10
- ldap admin dn = cn=Manager,dc=SNOWSHOW,dc=COM
- ldap idmap suffix = ou=Idmap
- ldap suffix = dc=SNOWSHOW,dc=COM
- idmap backend = ldap:ldap://ldap.snowshow.com
- idmap uid = 150000-550000
- idmap gid = 150000-550000
- template shell = /bin/bash
- winbind use default domain = Yes
-</screen>
- </para>
+<example id="idmapldapDMS">
+<title>ADS Domain Member Server using LDAP</title>
+<smbconfblock>
+<smbconfcomment>Global parameters</smbconfcomment>
+<smbconfsection name="[global]"/>
+<smbconfoption name="workgroup">SNOWSHOW</smbconfoption>
+<smbconfoption name="netbios name">GOODELF</smbconfoption>
+<smbconfoption name="realm">SNOWSHOW.COM</smbconfoption>
+<smbconfoption name="server string">Samba Server</smbconfoption>
+<smbconfoption name="security">ADS</smbconfoption>
+<smbconfoption name="log level">1 ads:10 auth:10 sam:10 rpc:10</smbconfoption>
+<smbconfoption name="ldap admin dn">cn=Manager,dc=SNOWSHOW,dc=COM</smbconfoption>
+<smbconfoption name="ldap idmap suffix">ou=Idmap</smbconfoption>
+<smbconfoption name="ldap suffix">dc=SNOWSHOW,dc=COM</smbconfoption>
+<smbconfoption name="idmap backend">ldap:ldap://ldap.snowshow.com</smbconfoption>
+<smbconfoption name="idmap uid">150000-550000</smbconfoption>
+<smbconfoption name="idmap gid">150000-550000</smbconfoption>
+<smbconfoption name="template shell">/bin/bash</smbconfoption>
+<smbconfoption name="winbind use default domain">Yes</smbconfoption>
+</smbconfblock>
+</example>
<para>
<indexterm><primary>realm</primary></indexterm>
</para>
<para>
- The following is an example &smb.conf; file:
-<screen>
-# Global parameters
-[global]
- workgroup = BOBBY
- realm = BOBBY.COM
- security = ADS
- idmap uid = 150000-550000
- idmap gid = 150000-550000
- template shell = /bin/bash
- winbind cache time = 5
- winbind use default domain = Yes
- winbind trusted domains only = Yes
- winbind nested groups = Yes
-</screen>
+ An example &smb.conf; file is shown in <link linkend="idmaprfc2307">ADS Domain Member Server using
+RFC2307bis Schema Extension Date via NSS</link>.
</para>
+<example id="idmaprfc2307">
+<title>ADS Domain Member Server using RFC2307bis Schema Extension Date via NSS</title>
+<smbconfblock>
+<smbconfcomment>Global parameters</smbconfcomment>
+<smbconfsection name="[global]"/>
+<smbconfoption name="workgroup">BOBBY</smbconfoption>
+<smbconfoption name="realm">BOBBY.COM</smbconfoption>
+<smbconfoption name="security">ADS</smbconfoption>
+<smbconfoption name="idmap uid">150000-550000</smbconfoption>
+<smbconfoption name="idmap gid">150000-550000</smbconfoption>
+<smbconfoption name="template shell">/bin/bash</smbconfoption>
+<smbconfoption name="winbind cache time">5</smbconfoption>
+<smbconfoption name="winbind use default domain">Yes</smbconfoption>
+<smbconfoption name="winbind trusted domains only">Yes</smbconfoption>
+<smbconfoption name="winbind nested groups">Yes</smbconfoption>
+</smbconfblock>
+</example>
+
<para>
<indexterm><primary>nss_ldap</primary></indexterm>
The DMS must be joined to the domain using the usual procedure. Additionally, it is necessary
</para>
<example id="vfsrecyc">
- <title>smb.conf with VFS modules</title>
- <smbconfblock>
- <smbconfsection name="[audit]"/>
+<title>smb.conf with VFS modules</title>
+<smbconfblock>
+<smbconfsection name="[audit]"/>
<smbconfoption name="comment">Audited /data directory</smbconfoption>
<smbconfoption name="path">/data</smbconfoption>
<smbconfoption name="vfs objects">audit recycle</smbconfoption>
<smbconfoption name="writeable">yes</smbconfoption>
<smbconfoption name="browseable">yes</smbconfoption>
- </smbconfblock>
+</smbconfblock>
</example>
<para>
shown in <link linkend="multimodule">the smb.conf with multiple VFS modules</link>.
<example id="multimodule">
- <title>smb.conf with multiple VFS modules</title>
- <smbconfblock>
+<title>smb.conf with multiple VFS modules</title>
+<smbconfblock>
<smbconfsection name="[test]"/>
<smbconfoption name="comment">VFS TEST</smbconfoption>
<smbconfoption name="path">/data</smbconfoption>
<title>Removed Parameters</title>
<indexterm><primary>deleted parameters</primary></indexterm>
-<para>In alphabetical order, these are the parameters eliminated for Samba 3.0.20.</para>
+<para>In alphabetical order, these are the parameters eliminated during the Samba 3.0.0 series prior to release of Samba 3.0.20.</para>
<itemizedlist>
<listitem><para>admin log </para></listitem>
<listitem><para>domain admin group </para></listitem>
<listitem><para>domain guest group </para></listitem>
<listitem><para>force unknown acl user </para></listitem>
+ <listitem><para>ldap filter</para></listitem>
<listitem><para>nt smb support </para></listitem>
<listitem><para>post script </para></listitem>
<listitem><para>printer driver </para></listitem>
<listitem><para>printer driver file </para></listitem>
<listitem><para>printer driver location </para></listitem>
+ <listitem><para>read size</para></listitem>
+ <listitem><para>source environment</para></listitem>
<listitem><para>status </para></listitem>
<listitem><para>strip dot </para></listitem>
<listitem><para>total print jobs </para></listitem>
+ <listitem><para>unicode</para></listitem>
<listitem><para>use rhosts </para></listitem>
<listitem><para>valid chars </para></listitem>
<listitem><para>vfs options </para></listitem>
+ <listitem><para>winbind enable local accounts</para></listitem>
</itemizedlist>
</sect2>
<sect2>
<title>New Parameters</title>
-<para>New parameters in Samba 3.0.20 are grouped by function):</para>
+<para>New parameters in the Samba 3.0.0 series prior to release of Samba 3.0.20 are grouped by function):</para>
<para>Remote Management</para>
<indexterm><primary>new parameters</primary></indexterm>
<itemizedlist>
- <listitem><para>abort shutdown script </para></listitem>
- <listitem><para>shutdown script </para></listitem>
+ <listitem><para>abort shutdown script</para></listitem>
+ <listitem><para>shutdown script</para></listitem>
</itemizedlist>
<para>User and Group Account Management</para>
<itemizedlist>
- <listitem><para>add group script </para></listitem>
- <listitem><para>add machine script </para></listitem>
- <listitem><para>add user to group script </para></listitem>
- <listitem><para>algorithmic rid base </para></listitem>
- <listitem><para>delete group script </para></listitem>
- <listitem><para>delete user from group script </para></listitem>
- <listitem><para>passdb backend </para></listitem>
- <listitem><para>set primary group script </para></listitem>
+ <listitem><para>add group script</para></listitem>
+ <listitem><para>add machine script</para></listitem>
+ <listitem><para>add user to group script</para></listitem>
+ <listitem><para>algorithmic rid base</para></listitem>
+ <listitem><para>delete group script</para></listitem>
+ <listitem><para>delete user from group script</para></listitem>
+ <listitem><para>passdb backend</para></listitem>
+ <listitem><para>set primary group script</para></listitem>
</itemizedlist>
<para>Authentication</para>
<itemizedlist>
- <listitem><para>auth methods </para></listitem>
- <listitem><para>realm </para></listitem>
+ <listitem><para>auth methods</para></listitem>
+ <listitem><para>ldap password sync</para></listitem>
+ <listitem><para>realm</para></listitem>
</itemizedlist>
<para>Protocol Options</para>
<itemizedlist>
- <listitem><para>client lanman auth </para></listitem>
- <listitem><para>client NTLMv2 auth </para></listitem>
- <listitem><para>client schannel </para></listitem>
- <listitem><para>client signing </para></listitem>
- <listitem><para>client use spnego </para></listitem>
- <listitem><para>disable netbios </para></listitem>
- <listitem><para>ntlm auth </para></listitem>
+ <listitem><para>afs token lifetime</para></listitem>
+ <listitem><para>client lanman auth</para></listitem>
+ <listitem><para>client NTLMv2 auth</para></listitem>
+ <listitem><para>client schannel</para></listitem>
+ <listitem><para>client signing</para></listitem>
+ <listitem><para>client use spnego</para></listitem>
+ <listitem><para>defer sharing violations</para></listitem>
+ <listitem><para>disable netbios</para></listitem>
+ <listitem><para>enable privileges</para></listitem>
+ <listitem><para>use kerberos keytab</para></listitem>
+ <listitem><para>log nt token command</para></listitem>
+ <listitem><para>ntlm auth</para></listitem>
<listitem><para>paranoid server security </para></listitem>
- <listitem><para>server schannel </para></listitem>
- <listitem><para>server signing </para></listitem>
- <listitem><para>smb ports </para></listitem>
- <listitem><para>use spnego </para></listitem>
+ <listitem><para>sendfile</para></listitem>
+ <listitem><para>server schannel</para></listitem>
+ <listitem><para>server signing</para></listitem>
+ <listitem><para>smb ports</para></listitem>
+ <listitem><para>use spnego</para></listitem>
</itemizedlist>
<para>File Service</para>
<itemizedlist>
- <listitem><para>get quota command </para></listitem>
- <listitem><para>hide special files </para></listitem>
- <listitem><para>hide unwriteable files </para></listitem>
- <listitem><para>hostname lookups </para></listitem>
- <listitem><para>kernel change notify </para></listitem>
- <listitem><para>mangle prefix </para></listitem>
- <listitem><para>map acl inherit </para></listitem>
- <listitem><para>msdfs proxy </para></listitem>
- <listitem><para>set quota command </para></listitem>
- <listitem><para>use sendfile </para></listitem>
- <listitem><para>vfs objects </para></listitem>
+ <listitem><para>allocation roundup size</para></listitem>
+ <listitem><para>acl check permissions</para></listitem>
+ <listitem><para>ea support</para></listitem>
+ <listitem><para>enable asu support</para></listitem>
+ <listitem><para>force unknown acl user</para></listitem>
+ <listitem><para>get quota command</para></listitem>
+ <listitem><para>hide special files</para></listitem>
+ <listitem><para>hide unwriteable files</para></listitem>
+ <listitem><para>inherit owner</para></listitem>
+ <listitem><para>hostname lookups</para></listitem>
+ <listitem><para>kernel change notify</para></listitem>
+ <listitem><para>mangle prefix</para></listitem>
+ <listitem><para>map acl inherit</para></listitem>
+ <listitem><para>max stat cache size</para></listitem>
+ <listitem><para>msdfs proxy</para></listitem>
+ <listitem><para>set quota command</para></listitem>
+ <listitem><para>store dos attributes</para></listitem>
+ <listitem><para>use sendfile</para></listitem>
+ <listitem><para>vfs objects</para></listitem>
</itemizedlist>
<para>Printing</para>
<itemizedlist>
- <listitem><para>max reported print jobs </para></listitem>
+ <listitem><para>cups options</para></listitem>
+ <listitem><para>cups server</para></listitem>
+ <listitem><para>force printername</para></listitem>
+ <listitem><para>max reported print jobs</para></listitem>
+ <listitem><para>printcap cache time</para></listitem>
</itemizedlist>
<para>Unicode and Character Sets</para>
<itemizedlist>
- <listitem><para>display charset </para></listitem>
- <listitem><para>dos charset </para></listitem>
- <listitem><para>unicode </para></listitem>
- <listitem><para>UNIX charset </para></listitem>
+ <listitem><para>display charset</para></listitem>
+ <listitem><para>dos charset</para></listitem>
+ <listitem><para>UNIX charset</para></listitem>
</itemizedlist>
<para>SID to UID/GID Mappings</para>
<itemizedlist>
- <listitem><para>idmap backend </para></listitem>
- <listitem><para>idmap gid </para></listitem>
- <listitem><para>idmap uid </para></listitem>
- <listitem><para>winbind enable local accounts </para></listitem>
- <listitem><para>winbind trusted domains only </para></listitem>
- <listitem><para>template primary group </para></listitem>
- <listitem><para>enable rid algorithm </para></listitem>
+ <listitem><para>idmap backend</para></listitem>
+ <listitem><para>idmap gid</para></listitem>
+ <listitem><para>idmap uid</para></listitem>
+ <listitem><para>winbind enable local accounts</para></listitem>
+ <listitem><para>winbind nested groups</para></listitem>
+ <listitem><para>winbind trusted domains only</para></listitem>
+ <listitem><para>template primary group</para></listitem>
+ <listitem><para>enable rid algorithm</para></listitem>
</itemizedlist>
<para>LDAP</para>
<itemizedlist>
- <listitem><para>ldap delete dn </para></listitem>
- <listitem><para>ldap group suffix </para></listitem>
- <listitem><para>ldap idmap suffix </para></listitem>
- <listitem><para>ldap machine suffix </para></listitem>
- <listitem><para>ldap passwd sync </para></listitem>
- <listitem><para>ldap user suffix </para></listitem>
+ <listitem><para>ldap delete dn</para></listitem>
+ <listitem><para>ldap group suffix</para></listitem>
+ <listitem><para>ldap idmap suffix</para></listitem>
+ <listitem><para>ldap machine suffix</para></listitem>
+ <listitem><para>ldap passwd sync</para></listitem>
+ <listitem><para>ldap replication sleep</para></listitem>
+ <listitem><para>ldap timeout</para></listitem>
+ <listitem><para>ldap user suffix</para></listitem>
</itemizedlist>
<para>General Configuration</para>
<itemizedlist>
- <listitem><para>preload modules </para></listitem>
- <listitem><para>privatedir </para></listitem>
+ <listitem><para>preload modules</para></listitem>
+ <listitem><para>privatedir</para></listitem>
</itemizedlist>
</sect2>
<title>Modified Parameters (Changes in Behavior)</title>
<itemizedlist>
+ <listitem><para>dos filetimes (enabled by default)</para></listitem>
<listitem><para>encrypt passwords (enabled by default) </para></listitem>
<listitem><para>mangling method (set to hash2 by default) </para></listitem>
+ <listitem><para>map to guest (new parameter added)</para></listitem>
+ <listitem><para>min password length (deprecated)</para></listitem>
+ <listitem><para>only user (deprecated)</para></listitem>
<listitem><para>passwd chat </para></listitem>
<listitem><para>passwd program </para></listitem>
<listitem><para>password server </para></listitem>
+ <listitem><para>printer admin (deprecated)</para></listitem>
<listitem><para>restrict anonymous (integer value) </para></listitem>
<listitem><para>security (new ads value) </para></listitem>
<listitem><para>strict locking (enabled by default) </para></listitem>
<listitem><para>winbind cache time (increased to 5 minutes) </para></listitem>
<listitem><para>winbind uid (deprecated in favor of idmap uid) </para></listitem>
<listitem><para>winbind gid (deprecated in favor of idmap gid) </para></listitem>
+ <listitem><para>write cache (deprecated)</para></listitem>
</itemizedlist>
</sect2>
<para>
The values following the equals sign in parameters are all either a string (no quotes needed) or a boolean,
which may be given as yes/no, 0/1 or true/false. Case is not significant in boolean values, but is preserved
- in string values. Some items such as create modes are numeric.
+ in string values. Some items such as create masks are numeric.
</para>
</refsect1>
<note><para>
On SYSV systems which use lpstat to determine what printers are defined on the system you may be able to use
- <literal>printcap name = lpstat</literal> to automatically obtain a list of printers. See the <literal>printcap name</literal> option
- for more details.
+ <literal>printcap name = lpstat</literal> to automatically obtain a list of printers. See the
+ <literal>printcap name</literal> option for more details.
</para></note>
</refsect2>
</refsect1>
<para>
Some parameters are specific to the [global] section (e.g., <emphasis>security</emphasis>). Some parameters
- are usable in all sections (e.g., <emphasis>create mode</emphasis>). All others are permissible only in normal
+ are usable in all sections (e.g., <emphasis>create mask</emphasis>). All others are permissible only in normal
sections. For the purposes of the following descriptions the [homes] and [printers] sections will be
considered normal. The letter <emphasis>G</emphasis> in parentheses indicates that a parameter is specific to
the [global] section. The letter <emphasis>S</emphasis> indicates that a parameter can be specified in a
type="string"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
- <para>This parameter specifies the batch file (.bat) or
- NT command file (.cmd) to be downloaded and run on a machine when
- a user successfully logs in. The file must contain the DOS
- style CR/LF line endings. Using a DOS-style editor to create the
- file is recommended.</para>
+ <para>
+ This parameter specifies the batch file (<filename>.bat</filename>) or NT command file
+ (<filename>.cmd</filename>) to be downloaded and run on a machine when a user successfully logs in. The file
+ must contain the DOS style CR/LF line endings. Using a DOS-style editor to create the file is recommended.
+ </para>
- <para>The script must be a relative path to the [netlogon]
- service. If the [netlogon] service specifies a <smbconfoption name="path"/> of <filename
+ <para>
+ The script must be a relative path to the <smbconfsection name="[netlogon]"/> service. If the [netlogon]
+ service specifies a <smbconfoption name="path"/> of <filename
moreinfo="none">/usr/local/samba/netlogon</filename>, and <smbconfoption name="logon
script">STARTUP.BAT</smbconfoption>, then the file that will be downloaded is:
<screen>
</screen>
</para>
- <para>The contents of the batch file are entirely your choice. A
- suggested command would be to add <command moreinfo="none">NET TIME \\SERVER /SET
- /YES</command>, to force every machine to synchronize clocks with
- the same time server. Another use would be to add <command moreinfo="none">NET USE
- U: \\SERVER\UTILS</command> for commonly used utilities, or <screen>
- <userinput>NET USE Q: \\SERVER\ISO9001_QA</userinput></screen> for example.</para>
+ <para>
+ The contents of the batch file are entirely your choice. A suggested command would be to add <command
+ moreinfo="none">NET TIME \\SERVER /SET /YES</command>, to force every machine to synchronize clocks with the
+ same time server. Another use would be to add <command moreinfo="none">NET USE U: \\SERVER\UTILS</command>
+ for commonly used utilities, or <screen> <userinput>NET USE Q: \\SERVER\ISO9001_QA</userinput></screen> for
+ example.
+ </para>
- <para>Note that it is particularly important not to allow write
- access to the [netlogon] share, or to grant users write permission
- on the batch files in a secure environment, as this would allow
- the batch files to be arbitrarily modified and security to be
- breached.</para>
+ <para>
+ Note that it is particularly important not to allow write access to the [netlogon] share, or to grant users
+ write permission on the batch files in a secure environment, as this would allow the batch files to be
+ arbitrarily modified and security to be breached.
+ </para>
- <para>This option takes the standard substitutions, allowing you
- to have separate logon scripts for each user or machine.</para>
+ <para>
+ This option takes the standard substitutions, allowing you to have separate logon scripts for each user or
+ machine.
+ </para>
- <para>This option is only useful if Samba is set up as a logon server.</para>
+ <para>
+ This option is only useful if Samba is set up as a logon server.
+ </para>
</description>
<value type="default"></value>
<value type="example">scripts\%U.bat</value>
<synonym>create mode</synonym>
<description>
- <para>When a file is created, the necessary permissions are
- calculated according to the mapping from DOS modes to UNIX
- permissions, and the resulting UNIX mode is then bit-wise 'AND'ed
- with this parameter. This parameter may be thought of as a bit-wise
- MASK for the UNIX modes of a file. Any bit <emphasis>not</emphasis>
- set here will be removed from the modes set on a file when it is
- created.</para>
+ <para>
+ When a file is created, the necessary permissions are calculated according to the mapping from DOS modes to
+ UNIX permissions, and the resulting UNIX mode is then bit-wise 'AND'ed with this parameter. This parameter may
+ be thought of as a bit-wise MASK for the UNIX modes of a file. Any bit <emphasis>not</emphasis> set here will
+ be removed from the modes set on a file when it is created.
+ </para>
- <para>The default value of this parameter removes the
- 'group' and 'other' write and execute bits from the UNIX modes.</para>
+ <para>
+ The default value of this parameter removes the <literal>group</literal> and <literal>other</literal>
+ write and execute bits from the UNIX modes.
+ </para>
- <para>Following this Samba will bit-wise 'OR' the UNIX mode created
- from this parameter with the value of the <smbconfoption name="force create mode"/>
- parameter which is set to 000 by default.</para>
+ <para>
+ Following this Samba will bit-wise 'OR' the UNIX mode created from this parameter with the value of the
+ <smbconfoption name="force create mode"/> parameter which is set to 000 by default.
+ </para>
- <para>This parameter does not affect directory modes. See the
- parameter <smbconfoption name="directory mode"/> for details.</para>
+ <para>
+ This parameter does not affect directory masks. See the parameter <smbconfoption name="directory mask"/>
+ for details.
+ </para>
- <para>Note that this parameter does not apply to permissions
- set by Windows NT/2000 ACL editors. If the administrator wishes to enforce
- a mask on access control lists also, they need to set the <smbconfoption name="security mask"/>.</para>
+ <para>
+ Note that this parameter does not apply to permissions set by Windows NT/2000 ACL editors. If the
+ administrator wishes to enforce a mask on access control lists also, they need to set the <smbconfoption
+ name="security mask"/>.
+ </para>
</description>
<related>force create mode</related>
</description>
<related>force directory mode</related>
-<related>create mode</related>
+<related>create mask</related>
<related>directory security mask</related>
<related>inherit permissions</related>
<value type="default">0755</value>
permission on a directory using the native NT security dialog
box.</para>
- <para>This parameter is applied as a mask (AND'ed with) to
- the changed permission bits, thus preventing any bits not in
- this mask from being modified. Essentially, zero bits in this
- mask may be treated as a set of bits the user is not allowed
- to change.</para>
+ <para>
+ This parameter is applied as a mask (AND'ed with) to the changed permission bits, thus preventing any bits not
+ in this mask from being modified. Make sure not to mix up this parameter with <smbconfoption name="force
+ directory security mode"/>, which works similar like this one but uses logical OR instead of AND.
+ Essentially, zero bits in this mask may be treated as a set of bits the user is not allowed to change.
+ </para>
<para>If not set explicitly this parameter is set to 0777
meaning a user is allowed to modify all the user/group/world
type="string"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
- <para>This parameter controls what UNIX permission bits
- can be modified when a Windows NT client is manipulating the UNIX
- permission on a directory using the native NT security dialog box.</para>
-
- <para>This parameter is applied as a mask (OR'ed with) to the
- changed permission bits, thus forcing any bits in this mask that
- the user may have modified to be on. Essentially, one bits in this
- mask may be treated as a set of bits that, when modifying security
- on a directory, the user has always set to be 'on'.</para>
-
- <para>If not set explicitly this parameter is 000, which
- allows a user to modify all the user/group/world permissions on a
- directory without restrictions.</para>
-
- <note><para>Users who can access the
- Samba server through other means can easily bypass this restriction,
- so it is primarily useful for standalone "appliance" systems.
- Administrators of most normal systems will probably want to leave
- it set as 0000.</para></note>
+ <para>
+ This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating
+ the UNIX permission on a directory using the native NT security dialog box.
+ </para>
+
+ <para>
+ This parameter is applied as a mask (OR'ed with) to the changed permission bits, thus forcing any bits in this
+ mask that the user may have modified to be on. Make sure not to mix up this parameter with <smbconfoption
+ name="directory security mask"/>, which works in a similar manner to this one, but uses a logical AND instead
+ of an OR.
+ </para>
+
+ <para>
+ Essentially, this mask may be treated as a set of bits that, when modifying security on a directory,
+ to will enable (1) any flags that are off (0) but which the mask has set to on (1).
+ </para>
+
+ <para>
+ If not set explicitly this parameter is 0000, which allows a user to modify all the user/group/world
+ permissions on a directory without restrictions.
+ </para>
+
+ <note><para>
+ Users who can access the Samba server through other means can easily bypass this restriction, so it is
+ primarily useful for standalone "appliance" systems. Administrators of most normal systems will
+ probably want to leave it set as 0000.
+ </para></note>
</description>
type="string"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
- <para>This parameter controls what UNIX permission
- bits can be modified when a Windows NT client is manipulating
- the UNIX permission on a file using the native NT security dialog
- box.</para>
+ <para>
+ This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating
+ the UNIX permission on a file using the native NT security dialog box.
+ </para>
- <para>This parameter is applied as a mask (OR'ed with) to the
- changed permission bits, thus forcing any bits in this mask that
- the user may have modified to be on. Essentially, one bits in this
- mask may be treated as a set of bits that, when modifying security
- on a file, the user has always set to be 'on'.</para>
+ <para>
+ This parameter is applied as a mask (OR'ed with) to the changed permission bits, thus forcing any bits in this
+ mask that the user may have modified to be on. Make sure not to mix up this parameter with <smbconfoption
+ name="security mask"/>, which works similar like this one but uses logical AND instead of OR.
+ </para>
- <para>If not set explicitly this parameter is set to 0,
- and allows a user to modify all the user/group/world permissions on a file,
- with no restrictions.</para>
+ <para>
+ Essentially, one bits in this mask may be treated as a set of bits that, when modifying security on a file,
+ the user has always set to be on.
+ </para>
+
+ <para>
+ If not set explicitly this parameter is set to 0, and allows a user to modify all the user/group/world
+ permissions on a file, with no restrictions.
+ </para>
- <para><emphasis>Note</emphasis> that users who can access
- the Samba server through other means can easily bypass this restriction,
- so it is primarily useful for standalone "appliance" systems.
- Administrators of most normal systems will probably want to leave
- this set to 0000.</para>
+ <para><emphasis>
+ Note</emphasis> that users who can access the Samba server through other means can easily bypass this
+ restriction, so it is primarily useful for standalone "appliance" systems. Administrators of most
+ normal systems will probably want to leave this set to 0000.
+ </para>
</description>
type="string"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
- <para>This parameter controls what UNIX permission
- bits can be modified when a Windows NT client is manipulating
- the UNIX permission on a file using the native NT security
- dialog box.</para>
+ <para>
+ This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating the
+ UNIX permission on a file using the native NT security dialog box.
+ </para>
- <para>This parameter is applied as a mask (AND'ed with) to
- the changed permission bits, thus preventing any bits not in
- this mask from being modified. Essentially, zero bits in this
- mask may be treated as a set of bits the user is not allowed
- to change.</para>
+ <para>
+ This parameter is applied as a mask (AND'ed with) to the changed permission bits, thus preventing any bits not
+ in this mask from being modified. Make sure not to mix up this parameter with <smbconfoption name="force
+ security mode"/>, which works in a manner similar to this one but uses a logical OR instead of an AND.
+ </para>
- <para>If not set explicitly this parameter is 0777, allowing
- a user to modify all the user/group/world permissions on a file.
+ <para>
+ Essentially, zero bits in this mask may be treated as a set of bits the user is not allowed to change.
+ </para>
+
+ <para>
+ If not set explicitly this parameter is 0777, allowing a user to modify all the user/group/world permissions on a file.
</para>
- <para><emphasis>Note</emphasis> that users who can access the
- Samba server through other means can easily bypass this
- restriction, so it is primarily useful for standalone
- "appliance" systems. Administrators of most normal systems will
- probably want to leave it set to <constant>0777</constant>.</para>
+ <para><emphasis>
+ Note</emphasis> that users who can access the Samba server through other means can easily bypass this
+ restriction, so it is primarily useful for standalone "appliance" systems. Administrators of
+ most normal systems will probably want to leave it set to <constant>0777</constant>.
+ </para>
</description>
<related>force directory security mode</related>
projects / thirdparty / samba.git / commitdiff
