Samba3 net time set error

samba3 net time set error

The net command is one of the new features of Samba-3 and is an attempt to provide a useful tool for the majority of remote management. If the MS Visual Studio compiler starts to crash with an internal error, set this parameter to zero for this share. The integer parameter specifies the. feature must be enabled at compile time using the --with-dnsupdate. when running the./configure script. There is also a related "net ads.

Samba3 net time set error - final, sorry

alias n]] To create or modify (overwrite) a user defined share. net usershare delete sharename To delete a user defined share. net usershare list wildcard-sharename To list user defined shares. net usershare info wildcard-sharename To print information about user defined shares.

PARAMETERS

Parameters define the specific attributes of sections. Some parameters are specific to the [global] section (e.g., security). Some parameters are usable in all sections (e.g., createmask). All others are permissible only in normal sections. For the purposes of the following descriptions the [homes] and [printers] sections will be con- sidered normal. The letter G in parentheses indicates that a parameter is specific to the [global] section. The letter S indicates that a parameter can be specified in a service specific section. All S parame- ters can also be specified in the [global] section - in which case they will define the default behavior for all services. Parameters are arranged here in alphabetical order - this may not cre- ate best bedfellows, but at least you can find them! Where there are synonyms, the preferred synonym is described, others refer to the pre- ferred synonym.

VARIABLE SUBSTITUTIONS

Many of the strings that are settable in the config file can take sub- stitutions. For example the option path=/tmp/%u is interpreted as path=/tmp/john if the user connected with the username john. These substitutions are mostly noted in the descriptions below, but there are some general substitutions which apply whenever they might be relevant. These are: %U session username (the username that the client wanted, not necessar- ily the same as the one they got). %G primary group name of %U. %h the Internet hostname that Samba is running on. %m the NetBIOS name of the client machine (very useful). This parameter is not available when Samba listens on port 445, as clients no longer send this information. If you use this macro in an include statement on a domain that has a Samba domain controller be sure to set in the [global] section smbports=139. This will cause Samba to not listen on port 445 and will permit include functional- ity to function as it did with Samba 2.x. %L the NetBIOS name of the server. This allows you to change your con- fig based on what the client calls you. Your server can have a dualpersonality. %M the Internet name of the client machine. %R the selected protocol level after protocol negotiation. It can be one of CORE, COREPLUS, LANMAN1, LANMAN2 or NT1. %d the process id of the current server process. %a the architecture of the remote machine. It currently recognizes Samba (Samba), the Linux CIFS file system (CIFSFS), OS/2, (OS2), Windows for Workgroups (WfWg), Windows 9x/ME (Win95), Windows NT (WinNT), Windows 2000 (Win2K), Windows XP (WinXP), and Windows 2003 (Win2K3). Anything else will be known as UNKNOWN. %I the IP address of the client machine. %i the local IP address to which a client connected. %T the current date and time. %D name of the domain or workgroup of the current user. %w the winbind separator. %$(envvar) the value of the environment variable envar. The following substitutes apply only to some configuration options (only those that are used when a connection has been established): %S the name of the current service, if any. %P the root directory of the current service, if any. %u username of the current service, if any. %g primary group name of %u. %H the home directory of the user given by %u. %N the name of your NIS home directory server. This is obtained from your NIS auto.map entry. If you have not compiled Samba with the --with-automount option, this value will be the same as %L. %p the path of the service's home directory, obtained from your NIS auto.map entry. The NIS auto.map entry is split up as %N:%p. There are some quite creative things that can be done with these sub- stitutions and other smb.conf options.

NAME MANGLING

Samba supports name mangling so that DOS and Windows clients can use files that don't conform to the 8.3 format. It can also be set to adjust the case of 8.3 format filenames. There are several options that control the way mangling is performed, and they are grouped here rather than listed separately. For the defaults look at the output of the testparm program. These options can be set separately for each service. The options are: case sensitive = yes/no/auto controls whether filenames are case sensitive. If they aren't, Samba must do a filename search and match on passed names. The default setting of auto allows clients that support case sensitive filenames (Linux CIFSVFS and smbclient 3.0.5 and above currently) to tell the Samba server on a per-packet basis that they wish to access the file system in a case-sensitive manner (to support UNIX case sensitive semantics). No Windows or DOS system supports case-sensitive file- name so setting this option to auto is that same as setting it to no for them. Default auto. default case = upper/lower controls what the default case is for new filenames (ie. files that don't currently exist in the filesystem). Default lower. IMPORTANT NOTE: This option will be used to modify the case of all incoming client filenames, not just new filenames if the options case sensi- tive = yes, preserve case = No, short preserve case = No are set. This change is needed as part of the optimisations for directories containing large numbers of files. preserve case = yes/no controls whether new files (ie. files that don't currently exist in the filesystem) are created with the case that the client passes, or if they are forced to be the default case. Default yes. short preserve case = yes/no controls if new files (ie. files that don't currently exist in the filesystem) which conform to 8.3 syntax, that is all in upper case and of suitable length, are created upper case, or if they are forced to be the default case. This option can be used with preserve case = yes to permit long filenames to retain their case, while short names are lowercased. Default yes. By default, Samba 3.0 has the same semantics as a Windows NT server, in that it is case insensitive but case preserving. As a special case for directories with large numbers of files, if the case options are set as follows, "case sensitive = yes", "case preserve = no", "short preserve case = no" then the "default case" option will be applied and will mod- ify all filenames sent from the client when accessing this share.

NOTE ABOUT USERNAME/PASSWORD VALIDATION

There are a number of ways in which a user can connect to a service. The server uses the following steps in determining if it will allow a connection to a specified service. If all the steps fail, the connec- tion request is rejected. However, if one of the steps succeeds, the following steps are not checked. If the service is marked guestonly=yes and the server is running with share-level security (security=share, steps 1 to 5 are skipped. 1. If the client has passed a username/password pair and that user- name/password pair is validated by the UNIX system's password pro- grams, the connection is made as that username. This includes the \\server\service%username method of passing a username. 2. If the client has previously registered a username with the system and now supplies a correct password for that username, the connec- tion is allowed. 3. The client's NetBIOS name and any previously used usernames are checked against the supplied password. If they match, the connection is allowed as the corresponding user. 4. If the client has previously validated a username/password pair with the server and the client has passed the validation token, that username is used. 5. If a user = field is given in the smb.conf file for the service and the client has supplied a password, and that password matches (according to the UNIX system's password checking) with one of the usernames from the user = field, the connection is made as the user- name in the user = line. If one of the usernames in the user = list begins with a @, that name expands to a list of names in the group of the same name. 6. If the service is a guest service, a connection is made as the user- name given in the guest account = for the service, irrespective of the supplied password.

EXPLANATION OF EACH PARAMETER

abort shutdown script (G) This a full path name to a script called by smbd(8) that should stop a shutdown procedure issued by the shutdown script. If the connected user posseses the SeRemoteShutdownPrivilege, right, this command will be run as user. Default: abortshutdownscript = "" Example: abortshutdownscript = /sbin/shutdown -c acl check permissions (S) This boolean parameter controls what smbd(8)does on receiving a pro- tocol request of "open for delete" from a Windows client. If a Win- dows client doesn't have permissions to delete a file then they expect this to be denied at open time. POSIX systems normally only detect restrictions on delete by actually attempting to delete the file or directory. As Windows clients can (and do) "back out" a delete request by unsetting the "delete on close" bit Samba cannot delete the file immediately on "open for delete" request as we can- not restore such a deleted file. With this parameter set to true (the default) then smbd checks the file system permissions directly on "open for delete" and denies the request without actually delet- ing the file if the file system permissions would seem to deny it. This is not perfect, as it's possible a user could have deleted a file without Samba being able to check the permissions correctly, but it is close enough to Windows semantics for mostly correct be- haviour. Samba will correctly check POSIX ACL semantics in this case. If this parameter is set to "false" Samba doesn't check permissions on "open for delete" and allows the open. If the user doesn't have permission to delete the file this will only be discovered at close time, which is too late for the Windows user tools to display an error message to the user. The symptom of this is files that appear to have been deleted "magically" re-appearing on a Windows explorer refersh. This is an extremely advanced protocol option which should not need to be changed. This parameter was introduced in its final form in 3.0.21, an earlier version with slightly different semantics was introduced in 3.0.20. That older version is not documented here. Default: aclcheckpermissions = True acl compatibility (S) This parameter specifies what OS ACL semantics should be compatible with. Possible values are winnt for Windows NT 4, win2k for Windows 2000 and above and auto. If you specify auto, the value for this parameter will be based upon the version of the client. There should be no reason to change this parameter from the default. Default: aclcompatibility = Auto Example: aclcompatibility = win2k acl group control (S) In a POSIX filesystem, only the owner of a file or directory and the superuser can modify the permissions and ACLs on a file. If this parameter is set, then Samba overrides this restriction, and also allows the primarygroupowner of a file or directory to modify the permissions and ACLs on that file. On a Windows server, groups may be the owner of a file or directory - thus allowing anyone in that group to modify the permissions on it. This allows the delegation of security controls on a point in the filesystem to the group owner of a directory and anything below it also owned by that group. This means there are multiple people with permissions to modify ACLs on a file or directory, easing man- agability. This parameter allows Samba to also permit delegation of the control over a point in the exported directory hierarchy in much the same was as Windows. This allows all members of a UNIX group to control the permissions on a file or directory they have group ownership on. This parameter is best used with the inherit owner option and also on on a share containing directories with the UNIX setgidbit bit set on them, which causes new files and directories created within it to inherit the group ownership from the containing directory. This is parameter has been marked deprecated in Samba 3.0.23. The same behavior is now implemented by the dosfilemode option. Default: aclgroupcontrol = no acl map full control (S) This boolean parameter controls whether smbd(8)maps a POSIX ACE entry of "rwx" (read/write/execute), the maximum allowed POSIX per- mission set, into a Windows ACL of "FULL CONTROL". If this parameter is set to true any POSIX ACE entry of "rwx" will be returned in a Windows ACL as "FULL CONTROL", is this parameter is set to false any POSIX ACE entry of "rwx" will be returned as the specific Windows ACL bits representing read, write and execute. Default: aclmapfullcontrol = True add group script (G) This is the full pathname to a script that will be run ASROOT by smbd(8) when a new group is requested. It will expand any %g to the group name passed. This script is only useful for installations using the Windows NT domain administration tools. The script is free to create a group with an arbitrary name to circumvent unix group name restrictions. In that case the script must print the numeric gid of the created group on stdout. Default: addgroupscript = Example: addgroupscript = /usr/sbin/groupadd %g add machine script (G) This is the full pathname to a script that will be run by smbd(8) when a machine is added to Samba's domain and a Unix account match- ing the machine's name appended with a "$" does not already exist. This option is very similar to the add user script, and likewise uses the %u substitution for the account name. Do not use the %m substitution. Default: addmachinescript = Example: addmachinescript = /usr/sbin/adduser -n -g machines -c Machine -d /var/lib/nobody -s /bin/false %u add port command (G) Samba 3.0.23 introduces support for adding printer ports remotely using the Windows "Add Standard TCP/IP Port Wizard". This option defines an external program to be executed when smbd receives a request to add a new Port to the system. he script is passed two parameters: oportnameodeviceURI The deviceURI is in the for of socket://<hostname>[:<portnumber>] or lpd://<hostname>/<queuename>. Default: addportcommand = Example: addportcommand = /etc/samba/scripts/addport.sh add printer command (G) With the introduction of MS-RPC based printing support for Windows NT/2000 clients in Samba 2.2, The MS Add Printer Wizard (APW) icon is now also available in the "Printers..." folder displayed a share listing. The APW allows for printers to be add remotely to a Samba or Windows NT/2000 print server. For a Samba host this means that the printer must be physically added to the underlying printing system. The addprintercommand defines a script to be run which will perform the necessary opera- tions for adding the printer to the print system and to add the appropriate service definition to the smb.conf file in order that it can be shared by smbd(8). The addprintercommand is automatically invoked with the following parameter (in order): oprinternameosharenameoportnameodrivernameolocationoWindows9xdriverlocation All parameters are filled in from the PRINTER_INFO_2 structure sent by the Windows NT/2000 client with one exception. The "Win- dows 9x driver location" parameter is included for backwards com- patibility only. The remaining fields in the structure are gener- ated from answers to the APW questions. Once the addprintercommand has been executed, smbd will reparse the smb.conf to determine if the share defined by the APW exists. If the sharename is still invalid, then smbd will return an ACCESS_DENIED error to the client. The "add printer command" program can output a single line of text, which Samba will set as the port the new printer is con- nected to. If this line isn't output, Samba won't reload its printer shares. Default: addprintercommand = Example: addprintercommand = /usr/bin/addprinter add share command (G) Samba 2.2.0 introduced the ability to dynamically add and delete shares via the Windows NT 4.0 Server Manager. The addsharecommand is used to define an external program or script which will add a new service definition to smb.conf. In order to successfully execute the addsharecommand, smbd requires that the administrator be connected using a root account (i.e. uid == 0). When executed, smbd will automatically invoke the addsharecommand with five parameters. oconfigFile - the location of the global smb.conf file. oshareName - the name of the new share. opathName - path to an **existing** directory on disk. ocomment - comment string to associate with the new share. omaxconnections Number of maximum simultaneous connections to this share. This parameter is only used for add file shares. To add printer shares, see the addprinter command. Default: addsharecommand = Example: addsharecommand = /usr/local/bin/addshare add user script (G) This is the full pathname to a script that will be run ASROOT by smbd(8) under special circumstances described below. Normally, a Samba server requires that UNIX users are created for all users accessing files on this server. For sites that use Windows NT account databases as their primary user database creating these users and keeping the user list in sync with the Windows NT PDC is an onerous task. This option allows smbd to create the required UNIX users ONDEMAND when a user accesses the Samba server. In order to use this option, smbd(8) must NOT be set to security = share and add user script must be set to a full pathname for a script that will create a UNIX user given one argument of %u, which expands into the UNIX user name to create. When the Windows user attempts to access the Samba server, at login (session setup in the SMB protocol) time, smbd(8) contacts the pass- word server and attempts to authenticate the given user with the given password. If the authentication succeeds then smbd attempts to find a UNIX user in the UNIX password database to map the Windows user into. If this lookup fails, and add user script is set then smbd will call the specified script ASROOT, expanding any %u argu- ment to be the user name to create. If this script successfully creates the user then smbd will continue on as though the UNIX user already existed. In this way, UNIX users are dynamically created to match existing Windows NT accounts. See also security, password server, delete user script. Default: adduserscript = Example: adduserscript = /usr/local/samba/bin/add_user %u add user to group script (G) Full path to the script that will be called when a user is added to a group using the Windows NT domain administration tools. It will be run by smbd(8)ASROOT. Any %g will be replaced with the group name and any %u will be replaced with the user name. Note that the adduser command used in the example below does not support the used syntax on all systems. Default: addusertogroupscript = Example: addusertogroupscript = /usr/sbin/adduser %u %g admin users (S) This is a list of users who will be granted administrative privi- leges on the share. This means that they will do all file operations as the super-user (root). You should use this option very carefully, as any user in this list will be able to do anything they like on the share, irrespective of file permissions. This parameter will not work with the security = share in Samba 3.0. This is by design. Default: adminusers = Example: adminusers = jason afs share (S) This parameter controls whether special AFS features are enabled for this share. If enabled, it assumes that the directory exported via the path parameter is a local AFS import. The special AFS features include the attempt to hand-craft an AFS token if you enabled --with-fake-kaserver in configure. Default: afsshare = no afs username map (G) If you are using the fake kaserver AFS feature, you might want to hand-craft the usernames you are creating tokens for. For example this is necessary if you have users from several domain in your AFS Protection Database. One possible scheme to code users as DOMAIN+User as it is done by winbind with the + as a separator. The mapped user name must contain the cell name to log into, so without setting this parameter there will be no token. Default: afsusernamemap = Example: afsusernamemap = %[email protected] aio read size (S) If Samba has been built with asynchronous I/O support and this inte- ger parameter is set to non-zero value, Samba will read from file asynchronously when size of request is bigger than this value. Note that it happens only for non-chained and non-chaining reads and when not using write cache. Current implementation of asynchronous I/O in Samba 3.0 does support only up to 10 outstanding asynchronous requests, read and write com- bined. write cache size aio write size Default: aioreadsize = 0 Example: aioreadsize = 16384 # Use asynchronous I/O for reads big- ger than 16KB request size aio write size (S) If Samba has been built with asynchronous I/O support and this inte- ger parameter is set to non-zero value, Samba will write to file asynchronously when size of request is bigger than this value. Note that it happens only for non-chained and non-chaining reads and when not using write cache. Current implementation of asynchronous I/O in Samba 3.0 does support only up to 10 outstanding asynchronous requests, read and write com- bined. write cache size aio read size Default: aiowritesize = 0 Example: aiowritesize = 16384 # Use asynchronous I/O for writes bigger than 16KB request size algorithmic rid base (G) This determines how Samba will use its algorithmic mapping from uids/gid to the RIDs needed to construct NT Security Identifiers. Setting this option to a larger value could be useful to sites tran- sitioning from WinNT and Win2k, as existing user and group rids would otherwise clash with sytem users etc. All UIDs and GIDs must be able to be resolved into SIDs for the cor- rect operation of ACLs on the server. As such the algorithmic map- ping can't be 'turned off', but pushing it 'out of the way' should resolve the issues. Users and groups can then be assigned 'low' RIDs in arbitary-rid supporting backends. Default: algorithmicridbase = 1000 Example: algorithmicridbase = 100000 allocation roundup size (S) This parameter allows an administrator to tune the allocation size reported to Windows clients. The default size of 1Mb generally results in improved Windows client performance. However, rounding the allocation size may cause difficulties for some applications, e.g. MS Visual Studio. If the MS Visual Studio compiler starts to crash with an internal error, set this parameter to zero for this share. The integer parameter specifies the roundup size in bytes. Default: allocationroundupsize = 1048576 Example: allocationroundupsize = 0 # (to disable roundups) allow trusted domains (G) This option only takes effect when the security option is set to server, domain or ads. If it is set to no, then attempts to connect to a resource from a domain or workgroup other than the one which smbd is running in will fail, even if that domain is trusted by the remote server doing the authentication. This is useful if you only want your Samba server to serve resources to users in the domain it is a member of. As an example, suppose that there are two domains DOMA and DOMB. DOMB is trusted by DOMA, which contains the Samba server. Under normal circumstances, a user with an account in DOMB can then access the resources of a UNIX account with the same account name on the Samba server even if they do not have an account in DOMA. This can make implementing a secu- rity boundary difficult. Default: allowtrusteddomains = yes announce as (G) This specifies what type of server nmbd(8) will announce itself as, to a network neighborhood browse list. By default this is set to Windows NT. The valid options are : "NT Server" (which can also be written as "NT"), "NT Workstation", "Win95" or "WfW" meaning Windows NT Server, Windows NT Workstation, Windows 95 and Windows for Work- groups respectively. Do not change this parameter unless you have a specific need to stop Samba appearing as an NT server as this may prevent Samba servers from participating as browser servers cor- rectly. Default: announceas = NT Server Example: announceas = Win95 announce version (G) This specifies the major and minor version numbers that nmbd will use when announcing itself as a server. The default is 4.9. Do not change this parameter unless you have a specific need to set a Samba server to be a downlevel server. Default: announceversion = 4.9 Example: announceversion = 2.0 auth methods (G) This option allows the administrator to chose what authentication methods smbd will use when authenticating a user. This option defaults to sensible values based on security. This should be con- sidered a developer option and used only in rare circumstances. In the majority (if not all) of production servers, the default setting should be adequate. Each entry in the list attempts to authenticate the user in turn, until the user authenticates. In practice only one method will ever actually be able to complete the authentication. Possible options include guest (anonymous access), sam (lookups in local list of accounts based on netbios name or domain name), win-bind (relay authentication requests for remote users through win- bindd), ntdomain (pre-winbindd method of authentication for remote domain users; deprecated in favour of winbind method), trustdomain (authenticate trusted users by contacting the remote DC directly from smbd; deprecated in favour of winbind method). Default: authmethods = Example: authmethods = guest sam winbind available (S) This parameter lets you "turn off" a service. If available=no, then ALL attempts to connect to the service will fail. Such failures are logged. Default: available = yes bind interfaces only (G) This global parameter allows the Samba admin to limit what inter- faces on a machine will serve SMB requests. It affects file service smbd(8) and name service nmbd(8) in a slightly different ways. For name service it causes nmbd to bind to ports 137 and 138 on the interfaces listed in the interfaces parameter. nmbd also binds to the "all addresses" interface (0.0.0.0) on ports 137 and 138 for the purposes of reading broadcast messages. If this option is not set then nmbd will service name requests on all of these sockets. If bind interfaces only is set then nmbd will check the source address of any packets coming in on the broadcast sockets and discard any that don't match the broadcast addresses of the interfaces in the interfaces parameter list. As unicast packets are received on the other sockets it allows nmbd to refuse to serve names to machines that send packets that arrive through any interfaces not listed in the interfaces list. IP Source address spoofing does defeat this simple check, however, so it must not be used seriously as a secu- rity feature for nmbd. For file service it causes smbd(8) to bind only to the interface list given in the interfaces parameter. This restricts the networks that smbd will serve to packets coming in those interfaces. Note that you should not use this parameter for machines that are serving PPP or other intermittent or non-broadcast network interfaces as it will not cope with non-permanent interfaces. If bind interfaces only is set then unless the network address 127.0.0.1 is added to the interfaces parameter list smbpasswd(8) and swat(8) may not work as expected due to the reasons covered below. To change a users SMB password, the smbpasswd by default connects to the localhost-127.0.0.1 address as an SMB client to issue the password change request. If bind interfaces only is set then unless the network address 127.0.0.1 is added to the interfaces parameter list then smbpasswd will fail to connect in it's default mode. smb- passwd can be forced to use the primary IP interface of the local host by using its smbpasswd(8)-rremotemachine parameter, with remotemachine set to the IP name of the primary interface of the local host. The swat status page tries to connect with smbd and nmbd at the address 127.0.0.1 to determine if they are running. Not adding 127.0.0.1 will cause smbd and nmbd to always show "not running" even if they really are. This can prevent swat from starting/stop- ping/restarting smbd and nmbd. Default: bindinterfacesonly = no blocking locks (S) This parameter controls the behavior of smbd(8) when given a request by a client to obtain a byte range lock on a region of an open file, and the request has a time limit associated with it. If this parameter is set and the lock range requested cannot be immediately satisfied, samba will internally queue the lock request, and periodically attempt to obtain the lock until the timeout period expires. If this parameter is set to no, then samba will behave as previous versions of Samba would and will fail the lock request immediately if the lock range cannot be obtained. Default: blockinglocks = yes block size (S) This parameter controls the behavior of smbd(8) when reporting disk free sizes. By default, this reports a disk block size of 1024 bytes. Changing this parameter may have some effect on the efficiency of client writes, this is not yet confirmed. This parameter was added to allow advanced administrators to change it (usually to a higher value) and test the effect it has on client write performance with- out re-compiling the code. As this is an experimental option it may be removed in a future release. Changing this option does not change the disk free reporting size, just the block size unit reported to the client. Default: blocksize = 1024 Example: blocksize = 4096 browsable This parameter is a synonym for browseable. browseable (S) This controls whether this share is seen in the list of available shares in a net view and in the browse list. Default: browseable = yes browse list (G) This controls whether smbd(8) will serve a browse list to a client doing a NetServerEnum call. Normally set to yes. You should never need to change this. Default: browselist = yes casesignames This parameter is a synonym for case sensitive. case sensitive (S) See the discussion in the section name mangling. Default: casesensitive = no change notify (S) This parameter specifies whether Samba should reply to a client's file change notify requests. You should never need to change this parameter Default: changenotify = no change share command (G) Samba 2.2.0 introduced the ability to dynamically add and delete shares via the Windows NT 4.0 Server Manager. The changesharecom-mand is used to define an external program or script which will mod- ify an existing service definition in smb.conf. In order to success- fully execute the changesharecommand, smbd requires that the administrator be connected using a root account (i.e. uid == 0). When executed, smbd will automatically invoke the changesharecom-mand with five parameters. oconfigFile - the location of the global smb.conf file. oshareName - the name of the new share. opathName - path to an **existing** directory on disk. ocomment - comment string to associate with the new share. omaxconnections Number of maximum simultaneous connections to this share. This parameter is only used modify existing file shares defini- tions. To modify printer shares, use the "Printers..." folder as seen when browsing the Samba host. Default: changesharecommand = Example: changesharecommand = /usr/local/bin/addshare check password script (G) The name of a program that can be used to check password complexity. The password is sent to the program's standrad input. The program must return 0 on good password any other value other- wise. In case the password is considered weak (the program do not return 0) the user will be notified and the password change will fail. Note: In the example directory there is a sample program called crackcheck that uses cracklib to checkpassword quality Default: checkpasswordscript = Disabled Example: checkpasswordscript = check password script = /usr/local/sbin/crackcheck client lanman auth (G) This parameter determines whether or not smbclient(8) and other samba client tools will attempt to authenticate itself to servers using the weaker LANMAN password hash. If disabled, only server which support NT password hashes (e.g. Windows NT/2000, Samba, etc... but not Windows 95/98) will be able to be connected from the Samba client. The LANMAN encrypted response is easily broken, due to it's case- insensitive nature, and the choice of algorithm. Clients without Windows 95/98 servers are advised to disable this option. Disabling this option will also disable the client plaintext auth option Likewise, if the client ntlmv2 auth parameter is enabled, then only NTLMv2 logins will be attempted. Default: clientlanmanauth = yes client ntlmv2 auth (G) This parameter determines whether or not smbclient(8) will attempt to authenticate itself to servers using the NTLMv2 encrypted pass- word response. If enabled, only an NTLMv2 and LMv2 response (both much more secure than earlier versions) will be sent. Many servers (including NT4 < SP4, Win9x and Samba 2.2) are not compatible with NTLMv2. Similarly, if enabled, NTLMv1, client lanman auth and client plain- text auth authentication will be disabled. This also disables share- level authentication. If disabled, an NTLM response (and possibly a LANMAN response) will be sent by the client, depending on the value of client lanman auth. Note that some sites (particularly those following 'best practice' security polices) only allow NTLMv2 responses, and not the weaker LM or NTLM. Default: clientntlmv2auth = no client plaintext auth (G) Specifies whether a client should send a plaintext password if the server does not support encrypted passwords. Default: clientplaintextauth = yes client schannel (G) This controls whether the client offers or even demands the use of the netlogon schannel. client schannel = no does not offer the schannel, client schannel = auto offers the schannel but does not enforce it, and client schannel = yes denies access if the server is not able to speak netlogon schannel. Default: clientschannel = auto Example: clientschannel = yes client signing (G) This controls whether the client offers or requires the server it talks to to use SMB signing. Possible values are auto, mandatory and disabled. When set to auto, SMB signing is offered, but not enforced. When set to mandatory, SMB signing is required and if set to disabled, SMB signing is not offered either. Default: clientsigning = auto client use spnego (G) This variable controls whether Samba clients will try to use Simple and Protected NEGOciation (as specified by rfc2478) with supporting servers (including WindowsXP, Windows2000 and Samba 3.0) to agree upon an authentication mechanism. This enables Kerberos authentica- tion in particular. Default: clientusespnego = yes comment (S) This is a text field that is seen next to a share when a client does a queries the server, either via the network neighborhood or via net view to list what shares are available. If you want to set the string that is displayed next to the machine name then see the server string parameter. Default: comment = # No comment Example: comment = Fred's Files config file (G) This allows you to override the config file to use, instead of the default (usually smb.conf). There is a chicken and egg problem here as this option is set in the config file! For this reason, if the name of the config file has changed when the parameters are loaded then it will reload them from the new config file. This option takes the usual substitutions, which can be very useful. If the config file doesn't exist then it won't be loaded (allowing you to special case the config files of just a few clients). Nodefault Example: configfile = /usr/local/samba/lib/smb.conf.%m copy (S) This parameter allows you to "clone" service entries. The specified service is simply duplicated under the current service's name. Any parameters specified in the current section will override those in the section being copied. This feature lets you set up a 'template' service and create similar services easily. Note that the service being copied must occur ear- lier in the configuration file than the service doing the copying. Default: copy = Example: copy = otherservice create mode This parameter is a synonym for create mask. create mask (S) When a file is created, the necessary permissions are calculated according to the mapping from DOS modes to UNIX permissions, and the resulting UNIX mode is then bit-wise 'AND'ed with this parameter. This parameter may be thought of as a bit-wise MASK for the UNIX modes of a file. Any bit not set here will be removed from the modes set on a file when it is created. The default value of this parameter removes the group and other write and execute bits from the UNIX modes. Following this Samba will bit-wise 'OR' the UNIX mode created from this parameter with the value of the force create mode parameter which is set to 000 by default. This parameter does not affect directory masks. See the parameter directory mask for details. Note that this parameter does not apply to permissions set by Win- dows NT/2000 ACL editors. If the administrator wishes to enforce a mask on access control lists also, they need to set the security mask. Default: createmask = 0744 Example: createmask = 0775 csc policy (S) This stands for client-sidecachingpolicy, and specifies how clients capable of offline caching will cache the files in the share. The valid values are: manual, documents, programs, disable. These values correspond to those used on Windows servers. For example, shares containing roaming profiles can have offline caching disabled using csc policy = disable. Default: cscpolicy = manual Example: cscpolicy = programs cups options (S) This parameter is only applicable if printing is set to cups. Its value is a free form string of options passed directly to the cups library. You can pass any generic print option known to CUPS (as listed in the CUPS "Software Users' Manual"). You can also pass any printer specific option (as listed in "lpoptions -d printername -l") valid for the target queue. You should set this parameter to raw if your CUPS server error_log file contains messages such as "Unsupported format 'applica- tion/octet-stream'" when printing from a Windows client through Samba. It is no longer necessary to enable system wide raw printing in /etc/cups/mime.{convs,types}. Default: cupsoptions = "" Example: cupsoptions = "raw,media=a4,job-sheets=secret,secret" cups server (G) This parameter is only applicable if printing is set to cups. If set, this option overrides the ServerName option in the CUPS client.conf. This is necessary if you have virtual samba servers that connect to different CUPS daemons. Optionally, a port can be specified by separating the server name and port number with a colon. If no port was specified, the default port for IPP (631) will be used. Default: cupsserver = "" Example: cupsserver = mycupsserver Example: cupsserver = mycupsserver:1631 deadtime (G) The value of the parameter (a decimal integer) represents the number of minutes of inactivity before a connection is considered dead, and it is disconnected. The deadtime only takes effect if the number of open files is zero. This is useful to stop a server's resources being exhausted by a large number of inactive connections. Most clients have an auto-reconnect feature when a connection is broken so in most cases this parameter should be transparent to users. Using this parameter with a timeout of a few minutes is recommended for most systems. A deadtime of zero indicates that no auto-disconnection should be performed. Default: deadtime = 0 Example: deadtime = 15 debug hires timestamp (G) Sometimes the timestamps in the log messages are needed with a reso- lution of higher that seconds, this boolean parameter adds microsec- ond resolution to the timestamp message header when turned on. Note that the parameter debug timestamp must be on for this to have an effect. Default: debughirestimestamp = no debug pid (G) When using only one log file for more then one forked smbd(8)-process there may be hard to follow which process outputs which message. This boolean parameter is adds the process-id to the timestamp message headers in the logfile when turned on. Note that the parameter debug timestamp must be on for this to have an effect. Default: debugpid = no debug prefix timestamp (G) With this option enabled, the timestamp message header is prefixed to the debug message without the filename and function information that is included with the debug timestamp parameter. This gives timestamps to the messages without adding an additional line. Note that this parameter overrides the debug timestamp parameter. Default: debugprefixtimestamp = no timestamp logs This parameter is a synonym for debug timestamp. debug timestamp (G) Samba debug log messages are timestamped by default. If you are run- ning at a high debug level these timestamps can be distracting. This boolean parameter allows timestamping to be turned off. Default: debugtimestamp = yes debug uid (G) Samba is sometimes run as root and sometime run as the connected user, this boolean parameter inserts the current euid, egid, uid and gid to the timestamp message headers in the log file if turned on. Note that the parameter debug timestamp must be on for this to have an effect. Default: debuguid = no default case (S) See the section on name mangling. Also note the short preserve case parameter. Default: defaultcase = lower default devmode (S) This parameter is only applicable to printable services. When smbd is serving Printer Drivers to Windows NT/2k/XP clients, each printer on the Samba server has a Device Mode which defines things such as paper size and orientation and duplex settings. The device mode can only correctly be generated by the printer driver itself (which can only be executed on a Win32 platform). Because smbd is unable to execute the driver code to generate the device mode, the default behavior is to set this field to NULL. Most problems with serving printer drivers to Windows NT/2k/XP clients can be traced to a problem with the generated device mode. Certain drivers will do things such as crashing the client's Explorer.exe with a NULL devmode. However, other printer drivers can cause the client's spooler service (spoolsv.exe) to die if the dev- mode was not created by the driver itself (i.e. smbd generates a default devmode). This parameter should be used with care and tested with the printer driver in question. It is better to leave the device mode to NULL and let the Windows client set the correct values. Because drivers do not do this all the time, setting default devmode = yes will instruct smbd to generate a default one. For more information on Windows NT/2k printing and Device Modes, see the MSDN documentation. Default: defaultdevmode = yes default This parameter is a synonym for default service. default service (G) This parameter specifies the name of a service which will be con- nected to if the service actually requested cannot be found. Note that the square brackets are NOT given in the parameter value (see example below). There is no default value for this parameter. If this parameter is not given, attempting to connect to a nonexistent service results in an error. Typically the default service would be a guest ok, read-only ser- vice. Also note that the apparent service name will be changed to equal that of the requested service, this is very useful as it allows you to use macros like %S to make a wildcard service. Note also that any "_" characters in the name of the service used in the default service will get mapped to a "/". This allows for inter- esting things. Default: defaultservice = Example: defaultservice = pub defer sharing violations (G) Windows allows specifying how a file will be shared with other pro- cesses when it is opened. Sharing violations occur when a file is opened by a different process using options that violate the share settings specified by other processes. This parameter causes smbd to act as a Windows server does, and defer returning a "sharing viola- tion" error message for up to one second, allowing the client to close the file causing the violation in the meantime. UNIX by default does not have this behaviour. There should be no reason to turn off this parameter, as it is designed to enable Samba to more correctly emulate Windows. Default: defersharingviolations = True delete group script (G) This is the full pathname to a script that will be run ASROOTsmbd(8) when a group is requested to be deleted. It will expand any %g to the group name passed. This script is only useful for instal- lations using the Windows NT domain administration tools. Default: deletegroupscript = deleteprinter command (G) With the introduction of MS-RPC based printer support for Windows NT/2000 clients in Samba 2.2, it is now possible to delete printer at run time by issuing the DeletePrinter() RPC call. For a Samba host this means that the printer must be physically deleted from underlying printing system. The deleteprinter command defines a script to be run which will perform the necessary opera- tions for removing the printer from the print system and from smb.conf. The deleteprinter command is automatically called with only one parameter: printer name. Once the deleteprinter command has been executed, smbd will reparse the smb.conf to associated printer no longer exists. If the sharename is still valid, then smbd will return an ACCESS_DENIED error to the client. Default: deleteprintercommand = Example: deleteprintercommand = /usr/bin/removeprinter delete readonly (S) This parameter allows readonly files to be deleted. This is not nor- mal DOS semantics, but is allowed by UNIX. This option may be useful for running applications such as rcs, where UNIX file ownership prevents changing file permissions, and DOS semantics prevent deletion of a read only file. Default: deletereadonly = no delete share command (G) Samba 2.2.0 introduced the ability to dynamically add and delete shares via the Windows NT 4.0 Server Manager. The deletesharecom-mand is used to define an external program or script which will remove an existing service definition from smb.conf. In order to successfully execute the deletesharecommand, smbd requires that the administrator be connected using a root account (i.e. uid == 0). When executed, smbd will automatically invoke the deletesharecom-mand with two parameters. oconfigFile - the location of the global smb.conf file. oshareName - the name of the existing service. This parameter is only used to remove file shares. To delete printer shares, see the deleteprinter command. Default: deletesharecommand = Example: deletesharecommand = /usr/local/bin/delshare delete user from group script (G) Full path to the script that will be called when a user is removed from a group using the Windows NT domain administration tools. It will be run by smbd(8)ASROOT. Any %g will be replaced with the group name and any %u will be replaced with the user name. Default: deleteuserfromgroupscript = Example: deleteuserfromgroupscript = /usr/sbin/deluser %u %g delete user script (G) This is the full pathname to a script that will be run by smbd(8) when managing users with remote RPC (NT) tools. This script is called when a remote client removes a user from the server, normally using 'User Manager for Domains' or rpcclient. This script should delete the given UNIX username. Default: deleteuserscript = Example: deleteuserscript = /usr/local/samba/bin/del_user %u delete veto files (S) This option is used when Samba is attempting to delete a directory that contains one or more vetoed directories (see the veto files option). If this option is set to no (the default) then if a vetoed directory contains any non-vetoed files or directories then the directory delete will fail. This is usually what you want. If this option is set to yes, then Samba will attempt to recursively delete any files and directories within the vetoed directory. This can be useful for integration with file serving systems such as NetAtalk which create meta-files within directories you might nor- mally veto DOS/Windows users from seeing (e.g. .AppleDouble) Setting delete veto files = yes allows these directories to be transparently deleted when the parent directory is deleted (so long as the user has permissions to do so). Default: deletevetofiles = no dfree cache time (S) The dfreecachetime should only be used on systems where a problem occurs with the internal disk space calculations. This has been known to happen with Ultrix, but may occur with other operating sys- tems. The symptom that was seen was an error of "Abort Retry Ignore" at the end of each directory listing. This is a new parameter introduced in Samba version 3.0.21. It spec- ifies in seconds the time that smbd will cache the output of a disk free query. If set to zero (the default) no caching is done. This allows a heavily loaded server to prevent rapid spawning of dfree command scripts increasing the load. By default this parameter is zero, meaning no caching will be done. Nodefault Example: dfreecachetime = dfree cache time = 60 dfree command (S) The dfreecommand setting should only be used on systems where a problem occurs with the internal disk space calculations. This has been known to happen with Ultrix, but may occur with other operating systems. The symptom that was seen was an error of "Abort Retry Ignore" at the end of each directory listing. This setting allows the replacement of the internal routines to cal- culate the total disk space and amount available with an external routine. The example below gives a possible script that might ful- fill this function. In Samba version 3.0.21 this parameter has been changed to be a per- share parameter, and in addition the parameter dfree cache time was added to allow the output of this script to be cached for systems under heavy load. The external program will be passed a single parameter indicating a directory in the filesystem being queried. This will typically con- sist of the string ./. The script should return two integers in ASCII. The first should be the total disk space in blocks, and the second should be the number of available blocks. An optional third return value can give the block size in bytes. The default blocksize is 1024 bytes. Note: Your script should NOT be setuid or setgid and should be owned by (and writeable only by) root! Where the script dfree (which must be made executable) could be: #!/bin/sh df $1  sed -n '/^ /{H;d};/sshPublicKey:/x;$g;s/\n *//g;s/sshPublicKey: //gp'

Now setup your sshd_config

AuthorizedKeysCommand /usr/bin/ldapAuthSSH.sh
AuthorizedKeysCommandUser root