Questions about smb.conf parameters and variables

Carlos Miguel Bustillo Rodriguez cbustillo at
Tue Jul 3 12:22:06 MDT 2012

Hello Marc
>in my test environment my log is filled with several "Unknown parameter
>encountered" messages. Is there already a list, which parameters are gone/new
>in s4? But some of the parameters, samba complains, are still used by the smbd
>process for s3fs, I guess, right (like "guest ok" or "writeable")?

The following parameters have been removed:
- passdb backend: accounts are now stored in a LDB-based SAM database
- update encrypted
- public
- guest ok
- client schannel
- server schannel
- allow trusted domains
- hosts equiv
- map to guest
- smb passwd file
- algorithmic rid base
- root directory
- root dir
- root
- guest account
- enable privileges
- pam password change
- passwd program
- passwd chat debug
- passwd chat timeout
- check password script
- username map
- username level
- unix password sync
- restrict anonymous
- username
- user
- users
- invalid users
- valid users
- admin users
- read list
- write list
- printer admin
- force user
- force group
- group
- write ok
- writeable
- writable
- acl check permissions
- acl group control
- acl map full control
- create mask
- create mode
- force create mode
- security mask
- force security mode
- directory mask
- directory mode
- force directory mode
- directory security mask
- force directory security mode
- force unknown acl user
- inherit permissions
- inherit acls
- inherit owner
- guest only
- only guest
- only user
- allow hosts
- deny hosts
- preload modules
- use kerberos keytab
- syslog
- syslog only
- max log size
- debug timestamp
- timestamp logs
- debug hires timestamp
- debug pid
- debug uid
- allocation roundup size
- aio read size
- aio write size
- aio write behind
- large readwrite
- protocol
- read bmpx
- reset on zero vc
- acl compatibility
- defer sharing violations
- ea support
- nt acl support
- nt pipe support
- profile acls
- map acl inherit
- afs share
- max ttl
- client use spnego
- enable asu support
- svcctl list
- block size
- change notify timeout
- deadtime
- getwd cache
- keepalive
- kernel change notify
- lpq cache time
- max smbd processes
- max disk size
- max open files
- min print space
- strict allocate
- sync always
- use mmap
- use sendfile
- hostname lookups
- write cache size
- name cache timeout
- max reported print jobs
- load printers
- printcap cache time
- printcap name
- printcap
- printing
- cups options
- cups server
- iprint server
- print command
- disable spoolss
- enable spoolss
- lpq command
- lprm command
- lppause command
- lpresume command
- queuepause command
- queueresume command
- enumports command
- addprinter command
- deleteprinter command
- show add printer wizard
- os2 driver map
- use client driver
- default devmode
- force printername
- mangling method
- mangle prefix
- default case
- case sensitive
- casesignames
- preserve case
- short preserve case
- mangling char
- hide dot files
- hide special files
- hide unreadable
- hide unwriteable files
- delete veto files
- veto files
- hide files
- veto oplock files
- map readonly
- mangled names
- mangled map
- max stat cache size
- stat cache
- store dos attributes
- machine password timeout
- add user script
- rename user script
- delete user script
- add group script
- delete group script
- add user to group script
- delete user from group script
- set primary group script
- add machine script
- shutdown script
- abort shutdown script
- username map script
- logon script
- logon path
- logon drive
- logon home
- domain logons
- os level
- lm announce
- lm interval
- domain master
- browse list
- enhanced browsing
- wins proxy
- wins hook
- wins partners
- blocking locks
- fake oplocks
- kernel oplocks
- locking
- lock spin count
- lock spin time
- level2 oplocks
- oplock break wait time
- oplock contention limit
- posix locking
- share modes
- ldap server
- ldap port
- ldap admin dn
- ldap delete dn
- ldap group suffix
- ldap idmap suffix
- ldap machine suffix
- ldap passwd sync
- ldap password sync
- ldap replication sleep
- ldap suffix
- ldap ssl
- ldap timeout
- ldap page size
- ldap user suffix
- add share command
- change share command
- delete share command
- eventlog list
- utmp directory
- wtmp directory
- utmp
- default service
- default
- message command
- dfree cache time
- dfree command
- get quota command
- set quota command
- remote announce
- remote browse sync
- homedir map
- afs username map
- afs token lifetime
- log nt token command
- time offset
- NIS homedir
- preexec
- exec
- preexec close
- postexec
- root preexec
- root preexec close
- root postexec
- set directory
- wide links
- follow symlinks
- dont descend
- magic script
- magic output
- delete readonly
- dos filemode
- dos filetimes
- dos filetime resolution
- fake directory create times
- panic action
- vfs objects
- vfs object
- msdfs root
- msdfs proxy
- host msdfs
- enable rid algorithm
- passdb expand explicit
- idmap backend
- idmap uid
- winbind uid
- idmap gid
- winbind gid
- template homedir
- template shell
- winbind separator
- winbind cache time
- winbind enum users
- winbind enum groups
- winbind use default domain
- winbind trusted domains only
- winbind nested groups
- winbind max idle children
- winbind nss info

The following parameters have been added:
+ rpc big endian (G)
        Make Samba fake it is running on a bigendian machine when using DCE/RPC.
        Useful for debugging.

        Default: no

+ case insensitive filesystem (S)
        Set to true if this share is located on a case-insensitive filesystem.
        This disables looking for a filename by trying all possible combinations of
        uppercase/lowercase characters and thus speeds up operations when a
        file cannot be found.

        Default: no

+ setup directory
        Path to data used by provisioning script.

        Default: Set at compile-time

+ ncalrpc dir
        Directory to use for UNIX sockets used by the 'ncalrpc' DCE/RPC transport.

        Default: Set at compile-time

+ ntvfs handler
        Backend to the NT VFS to use (more than one can be specified). Available
        backends include:

        - posix:
                Maps POSIX FS semantics to NT semantics

        - simple:
                Very simple backend (original testing backend).

        - unixuid:
                Sets up user credentials based on POSIX gid/uid.

        - cifs:
                Proxies a remote CIFS FS. Mainly useful for testing.

        - nbench:
                Filter module that saves data useful to the nbench benchmark suite.

        - ipc:
                Allows using SMB for inter process communication. Only used for
                the IPC$ share.

        - print:
                Allows printing over SMB. This is LANMAN-style printing (?), not
                the be confused with the spoolss DCE/RPC interface used by later
                versions of Windows.

        Default: unixuid default

+ ntptr providor

+ dcerpc endpoint servers
        What DCE/RPC servers to start.

        Default: epmapper srvsvc wkssvc rpcecho samr netlogon lsarpc spoolss drsuapi winreg dssetup

+ server services
        Services Samba should provide.

        Default: smb rpc nbt wrepl ldap cldap web kdc

+ spoolss database
        Spoolss (printer) DCE/RPC server database. This should be a LDB URL.

        Default: set at compile-time

+ wins config database
        WINS configuration database location. This should be a LDB URL.

        Default: set at compile-time

+ wins database
        WINS database location. This should be a LDB URL.

        Default: set at compile-time

+ client use spnego principal
        Tells the client to use the Kerberos service principal specified by the
        server during the security protocol negotation rather than
        looking up the principal itself (cifs/hostname).

        Default: false

+ nbt port
        TCP/IP Port used by the NetBIOS over TCP/IP (NBT) implementation.

        Default: 137

+ dgram port
        UDP/IP port used by the NetBIOS over TCP/IP (NBT) implementation.

        Default: 138

+ cldap port
        UDP/IP port used by the CLDAP protocol.

        Default: 389

+ krb5 port
        IP port used by the kerberos KDC.

        Default: 88

+ kpasswd port
        IP port used by the kerberos password change protocol.

        Default: 464

+ web port
        TCP/IP port SWAT should listen on.

        Default: 901

+ tls enabled
        Enable TLS support for SWAT

        Default: true

+ tls keyfile
        Path to TLS key file (PEM format) to be used by SWAT. If no
        path is specified, Samba will create a key.

        Default: none

+ tls certfile
        Path to TLS certificate file (PEM format) to be used by SWAT. If no
        path is specified, Samba will create a certificate.

        Default: none

+ tls cafile
        Path to CA authority file Samba will use to sign TLS keys it generates. If
        no path is specified, Samba will create a self-signed CA certificate.

        Default: none

+ tls crlfile
        Path to TLS certificate revocation lists file.

        Default: none

+ swat directory
        SWAT data directory.

        Default: set at compile-time

+ large readwrite
        Indicate the CIFS server is able to do large reads/writes.

        Default: true

+ unicode
        Enable/disable unicode support in the protocol.

        Default: true

>Also a question about the logs: In my s3 live environment I used
>log file = /var/log/samba/%m.log
>to have per-machine-logfiles what makes the logs very clearly. But variables
>seem not be supportet (yet) in s4. What are the new thoughts to have clear
>logfiles for easily finding problems (e.g. for one special machine) in samba4?

To enable support for logs during "configure" pass this option: "--with-syslog --with-logfilebase=/var/log/samba"
for example:
./configure.developer --with-syslog --with-logfilebase=/var/log/samba

Or edit your init script and add "--d2" option to samba deamon, for Debian/Ubuntu system:
if ! start-stop-daemon --start --quiet --oknodo --exec /usr/local/samba/sbin/samba --d2 >>/var/log/samba/samba.log -- -D

I don't try this way.

Regards, Carlos

La Universidad Central "Marta Abreu" de Las Villas en su 60 Aniversario. Fundada el 30 de noviembre de 1952. Vis?tenos en:

More information about the samba-technical mailing list