## NAME

smb.conf - The configuration file for the Samba suite

## SYNOPSIS

The smb.conf file is a configuration file for the Samba suite. smb.conf contains runtime configuration information for the Samba programs. The smb.conf file is designed to be configured and administered by the swat(8) program. The complete description of the file format and possible parameters held within are here for reference purposes.

## SECTION DESCRIPTIONS

A section starts with its name in square brackets and runs until the next section header; every other line is a parameter of the form name = value. A minimal file share needs little more than a path:

```ini
[foo]
path = /home/bar
```

A printable service that guests may use can be defined as:

```ini
[aprinter]
path = /usr/spool/public
printable = yes
guest ok = yes
```

## SPECIAL SECTIONS

### The [homes] section

Inside [homes] the path may use the %S substitution, so that each user is pointed at a directory named after the service (here, their own user name):

```ini
[homes]
path = /data/pchome/%S
```

### The [printers] section

```ini
[printers]
path = /usr/spool/public
guest ok = yes
printable = yes
```

A printcap entry may give a printer several names separated by vertical bars; Samba treats each of them as an alias for the same printer:

alias1|alias2|alias3|alias4...


## VARIABLE SUBSTITUTIONS

* %U: session user name (the user name that the client wanted, not necessarily the same as the one they got).
* %G: primary group name of %U.
* %h: the Internet hostname that Samba is running on.
* %m: the NetBIOS name of the client machine. Note that this parameter is not available when Samba listens on port 445, as clients no longer send this information.
* %L: the NetBIOS name of the server. This allows you to change your config based on what the client calls you.
* %M: the Internet name of the client machine.
* %R: the selected protocol level after protocol negotiation.
* %d: the process id of the current server process.
* %a: the architecture of the remote machine.
* %I: the IP address of the client machine.
* %T: the current date and time.
* %D: Name of the domain or workgroup of the current user.

* %$(envvar): The value of the environment variable envvar.

The following substitutes apply only to some configuration options (only those that are used when a connection has been established):

* %S: the name of the current service.
* %P: the root directory of the current service.
* %u: the user name of the current service.
* %g: the primary group name of %u.
* %H: the home directory of the user given by %u.
* %N: the name of the NIS home directory server. This is obtained from the NIS auto.map entry. If Samba has not been compiled with the --with-automount option, this value will be the same as %L.
* %p: the path of the service's home directory, obtained from the NIS auto.map entry. The NIS auto.map entry is split up as "%N:%p".

There are some quite creative things that can be done with these substitutions and other smb.conf options.

## NAME MANGLING

Samba supports "name mangling" so that DOS and Windows clients can use files that don't conform to the 8.3 format. It can also be set to adjust the case of 8.3 format filenames.

There are several options that control the way mangling is performed, and they are grouped here rather than listed separately. For the defaults look at the output of the testparm program.

All of these options can be set separately for each service (or globally, of course).

The options are:

* mangle case = yes/no: controls whether names that have characters that aren't of the "default" case are mangled. For example, if this is yes then a name like "Mail" would be mangled. Default no.
* case sensitive = yes/no: controls whether filenames are case sensitive. If they aren't then Samba must do a filename search and match on passed names. Default no.
* default case = upper/lower: controls what the default case is for new filenames. Default lower.
* preserve case = yes/no: controls whether new files are created with the case that the client passes, or whether they are forced to be the "default" case. Default yes.
* short preserve case = yes/no: controls whether new files which conform to 8.3 syntax, that is all in upper case and of suitable length, are created upper case, or whether they are forced to be the "default" case. This option can be used with preserve case = yes to permit long filenames to retain their case, while short names are lowercased. Default yes.

By default, Samba 3.0 has the same semantics as a Windows NT server, in that it is case insensitive but case preserving.

## NOTE ABOUT USERNAME/PASSWORD VALIDATION

There are a number of ways in which a user can connect to a service. The server uses the following steps in determining if it will allow a connection to a specified service. If all the steps fail, then the connection request is rejected. However, if one of the steps succeeds, then the following steps are not checked.

If the service is marked guest only = yes and the server is running with share-level security (security = share), then steps 1 to 5 are skipped.

1. If the client has passed a username/password pair and that username/password pair is validated by the UNIX system's password programs, then the connection is made as that username. Note that this includes the \\server\service%username method of passing a username.
2. If the client has previously registered a username with the system and now supplies a correct password for that username, then the connection is allowed.
3. The client's NetBIOS name and any previously used user names are checked against the supplied password; if they match, the connection is allowed as the corresponding user.
4. If the client has previously validated a username/password pair with the server and the client has passed the validation token, then that username is used.
5. If a user = field is given in the smb.conf file for the service and the client has supplied a password, and that password matches (according to the UNIX system's password checking) one of the usernames from the user = field, then the connection is made as the username in the user = line. If one of the usernames in the user = list begins with a @, then that name expands to a list of names in the group of the same name.
6. If the service is a guest service, then a connection is made as the username given in the guest account = for the service, irrespective of the supplied password.

## COMPLETE LIST OF GLOBAL PARAMETERS

Here is a list of all global parameters. See the section of each parameter for details. Note that some parameters are synonyms.
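The case rules in the NAME MANGLING section interact in a way that is easier to see in code than in prose. The following is an added example, not Samba's own code: it implements only the case handling the section describes (preserve case, short preserve case, default case, case sensitive) for a newly created file and for a name lookup, not the 8.3 mangling algorithm itself. The file names are constructed for the example, and the 8.3 test follows this page's wording (all upper case and of suitable length).

```python
"""Case handling for new file names under the name mangling options (added example)."""


def is_83_name(name):
    """8.3 syntax as this page defines it: all upper case, up to 8 chars, optional '.' and up to 3 chars."""
    if name != name.upper():
        return False
    base, _, ext = name.partition(".")
    return 0 < len(base) <= 8 and len(ext) <= 3 and "." not in ext


def stored_name(client_name, preserve_case=True, short_preserve_case=True, default_case="lower"):
    """Name under which a file the client creates is stored on disk.

    8.3-syntax names are governed by 'short preserve case', all other names by
    'preserve case'; when the case is not preserved the 'default case' applies.
    """
    keep = short_preserve_case if is_83_name(client_name) else preserve_case
    if keep:
        return client_name
    return client_name.upper() if default_case == "upper" else client_name.lower()


def lookup(requested, existing_names, case_sensitive=False):
    """Resolve a client-supplied name against directory entries.

    With 'case sensitive = no' Samba has to search the directory and match the
    name ignoring case; with 'yes' only an exact spelling is found.
    """
    if case_sensitive:
        return requested if requested in existing_names else None
    wanted = requested.lower()
    for name in existing_names:
        if name.lower() == wanted:
            return name
    return None


if __name__ == "__main__":
    # Constructed directory listing to illustrate the defaults.
    entries = ["README.TXT", "MyLongDocument.docx", "notes"]
    print(stored_name("README.TXT"), stored_name("README.TXT", short_preserve_case=False))
    print(stored_name("MyLongDocument.docx", preserve_case=False, default_case="upper"))
    print(lookup("readme.txt", entries), lookup("readme.txt", entries, case_sensitive=True))
```

With the defaults (preserve case = yes, short preserve case = yes) both spellings are kept as the client sent them; setting short preserve case = no lowercases only the 8.3-style name, which is the "long names keep their case, short names are lowercased" combination the section mentions.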
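The six validation steps above form a decision order in which the first success wins. The following is an added example, not smbd's implementation: it walks the steps in the stated order with constructed credentials, and the functions check_unix_password and expand_user_list stand in for the UNIX password check and group expansion that the real server performs. Note that steps 3 and 5 try names the client never supplied (the NetBIOS name, earlier user names, the user = list) against the password, which is why a share's user = list and guest settings deserve the same scrutiny as its valid users list.

```python
"""The connection validation order described above, as an added example (not Samba code)."""
from dataclasses import dataclass, field


@dataclass
class Service:
    name: str
    guest_ok: bool = False            # step 6: a guest service
    guest_only: bool = False          # with share-level security, steps 1-5 are skipped
    guest_account: str = "nobody"     # the 'guest account =' user
    user_list: list = field(default_factory=list)  # the 'user =' line; '@group' entries allowed


@dataclass
class Request:
    username: str = ""                # empty when the client sent only a password
    password: str = ""
    netbios_name: str = ""            # step 3
    registered_user: str = ""         # step 2: a name registered with the server earlier
    previous_users: tuple = ()        # step 3: names used on earlier connections
    validated_token_user: str = ""    # step 4: user behind a validation token already passed


# Constructed credential and group data; a real server asks the UNIX password programs.
UNIX_PASSWORDS = {"alice": "s3cret", "bob": "hunter2", "pc01": "machine-pw"}
GROUPS = {"staff": ["alice", "bob"]}


def check_unix_password(user, password):
    """Stand-in for the UNIX system password check."""
    return UNIX_PASSWORDS.get(user) == password


def expand_user_list(entries):
    """'@staff' expands to the members of group staff; other entries are literal names."""
    names = []
    for entry in entries:
        if entry.startswith("@"):
            names.extend(GROUPS.get(entry[1:], []))
        else:
            names.append(entry)
    return names


def resolve_connection_user(service, req, security="user"):
    """Return the UNIX user the connection is made as, or None when it is refused."""
    skip_steps_1_to_5 = service.guest_only and security == "share"
    if not skip_steps_1_to_5:
        # Step 1: the supplied username/password pair is valid.
        if req.username and check_unix_password(req.username, req.password):
            return req.username
        # Step 2: a previously registered username with the correct password.
        if req.registered_user and check_unix_password(req.registered_user, req.password):
            return req.registered_user
        # Step 3: the NetBIOS name and earlier user names, checked against the password.
        for candidate in (req.netbios_name, *req.previous_users):
            if candidate and check_unix_password(candidate, req.password):
                return candidate
        # Step 4: a validation token from an earlier successful login.
        if req.validated_token_user:
            return req.validated_token_user
        # Step 5: the service's 'user =' list, with @group expansion.
        if req.password:
            for candidate in expand_user_list(service.user_list):
                if check_unix_password(candidate, req.password):
                    return candidate
    # Step 6: a guest service connects as the guest account, whatever the password.
    if service.guest_ok or service.guest_only:
        return service.guest_account
    return None


if __name__ == "__main__":
    print(resolve_connection_user(Service("team", user_list=["@staff"]),
                                  Request("mallory", "hunter2", netbios_name="WS01")))
```

In the usage line the name "mallory" fails step 1, but step 5 finds that the password belongs to "bob", a member of @staff, so the connection is made as bob.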
* abort shutdown script
* add group script
* add machine script
* addprinter command
* add share command
* add user script
* add user to group script
* afs username map
* algorithmic rid base
* allow trusted domains
* announce as
* announce version
* auth methods
* auto services
* bind interfaces only
* browse list
* change notify timeout
* change share command
* client lanman auth
* client ntlmv2 auth
* client plaintext auth
* client schannel
* client signing
* client use spnego
* config file
* deadtime
* debug hires timestamp
* debuglevel
* debug pid
* debug timestamp
* debug uid
* default
* default service
* delete group script
* deleteprinter command
* delete share command
* delete user from group script
* delete user script
* dfree command
* disable netbios
* disable spoolss
* display charset
* dns proxy
* domain logons
* domain master
* dos charset
* enable rid algorithm
* encrypt passwords
* enhanced browsing
* enumports command
* get quota command
* getwd cache
* guest account
* hide local users
* homedir map
* host msdfs
* hostname lookups
* hosts equiv
* idmap backend
* idmap gid
* idmap uid
* include
* interfaces
* keepalive
* kernel change notify
* kernel oplocks
* lanman auth
* large readwrite
* ldap admin dn
* ldap delete dn
* ldap filter
* ldap group suffix
* ldap idmap suffix
* ldap machine suffix
* ldap passwd sync
* ldap port
* ldap server
* ldap ssl
* ldap suffix
* ldap user suffix
* lm announce
* lm interval
* load printers
* local master
* lock dir
* lock directory
* lock spin count
* lock spin time
* log file
* log level
* logon drive
* logon home
* logon path
* logon script
* lpq cache time
* machine password timeout
* mangled stack
* mangle prefix
* mangling method
* map to guest
* max disk size
* max log size
* max mux
* max open files
* max protocol
* max smbd processes
* max ttl
* max wins ttl
* max xmit
* message command
* min passwd length
* min password length
* min protocol
* min wins ttl
* name cache timeout
* name resolve order
* netbios aliases
* netbios name
* netbios scope
* nis homedir
* ntlm auth
* nt pipe support
* nt status support
* null passwords
* obey pam restrictions
* oplock break wait time
* os2 driver map
* os level
* pam password change
* panic action
* paranoid server security
* passdb backend
* passwd chat
* passwd chat debug
* passwd program
* password level
* password server
* pid directory
* prefered master
* preferred master
* preload
* preload modules
* printcap
* private dir
* protocol
* read bmpx
* read raw
* read size
* realm
* remote announce
* remote browse sync
* restrict anonymous
* root
* root dir
* root directory
* security
* server schannel
* server signing
* server string
* set primary group script
* set quota command
* show add printer wizard
* shutdown script
* smb passwd file
* smb ports
* socket address
* socket options
* source environment
* stat cache
* syslog
* syslog only
* template homedir
* template primary group
* template shell
* time offset
* time server
* timestamp logs
* unicode
* unix charset
* unix extensions
* unix password sync
* update encrypted
* use mmap
* username level
* username map
* use spnego
* utmp
* utmp directory
* winbind cache time
* winbind enable local accounts
* winbind enum groups
* winbind enum users
* winbind gid
* winbind separator
* winbind trusted domains only
* winbind uid
* winbind use default domain
* wins hook
* wins partners
* wins proxy
* wins server
* wins support
* workgroup
* write raw
* wtmp directory

## COMPLETE LIST OF SERVICE PARAMETERS

Here is a list of all service parameters. See the section on each parameter for details. Note that some parameters are synonyms.
* acl compatibility
* admin users
* afs share
* allow hosts
* available
* blocking locks
* block size
* browsable
* browseable
* case sensitive
* casesignames
* comment
* copy
* create mask
* create mode
* csc policy
* default case
* default devmode
* delete readonly
* delete veto files
* deny hosts
* directory
* directory mask
* directory mode
* directory security mask
* dont descend
* dos filemode
* dos filetime resolution
* dos filetimes
* exec
* fake directory create times
* fake oplocks
* follow symlinks
* force create mode
* force directory mode
* force directory security mode
* force group
* force security mode
* force user
* fstype
* group
* guest account
* guest ok
* guest only
* hide dot files
* hide files
* hide special files
* hide unreadable
* hide unwriteable files
* hosts allow
* hosts deny
* inherit acls
* inherit permissions
* invalid users
* level2 oplocks
* locking
* lppause command
* lpq command
* lpresume command
* lprm command
* magic output
* magic script
* mangle case
* mangled map
* mangled names
* mangling char
* map acl inherit
* map archive
* map hidden
* map system
* max connections
* max print jobs
* max reported print jobs
* min print space
* msdfs proxy
* msdfs root
* nt acl support
* only guest
* only user
* oplock contention limit
* oplocks
* path
* posix locking
* postexec
* preexec
* preexec close
* preserve case
* printable
* printcap name
* print command
* printer
* printer admin
* printer name
* printing
* print ok
* profile acls
* public
* queuepause command
* queueresume command
* read list
* read only
* root postexec
* root preexec
* root preexec close
* security mask
* set directory
* share modes
* short preserve case
* strict allocate
* strict locking
* strict sync
* sync always
* use client driver
* user
* username
* users
* use sendfile
* -valid
* valid users
* veto files
* veto oplock files
* vfs object
* vfs objects
* volume
* wide links
* writable
* writeable
* write cache size
* write list
* write ok

## EXPLANATION OF EACH PARAMETER
### abort shutdown script (G)

This parameter only exists in the HEAD cvs branch. This is a full path name to a script called by smbd(8) that should stop a shutdown procedure issued by the shutdown script. This command will be run as user.

Default: None.
Example: abort shutdown script = /sbin/shutdown -c

### acl compatibility (S)

This parameter specifies what OS ACL semantics should be compatible with. Possible values are winnt for Windows NT 4, win2k for Windows 2000 and above, and auto. If you specify auto, the value for this parameter will be based upon the version of the client. There should be no reason to change this parameter from the default.

Default: acl compatibility = Auto
Example: acl compatibility = win2k

### add group script (G)

This is the full pathname to a script that will be run AS ROOT by smbd(8) when a new group is requested. It will expand any %g to the group name passed. This script is only useful for installations using the Windows NT domain administration tools. The script is free to create a group with an arbitrary name to circumvent unix group name restrictions. In that case the script must print the numeric gid of the created group on stdout.

### add machine script (G)

This is the full pathname to a script that will be run by smbd(8) when a machine is added to its domain using the administrator username and password method. This option is only required when using sam back-ends tied to the Unix uid method of RID calculation such as smbpasswd. This option is only available in Samba 3.0.

Default: add machine script = <empty string>
Example: add machine script = /usr/sbin/adduser -n -g machines -c Machine -d /dev/null -s /bin/false %u

### addprinter command (G)

With the introduction of MS-RPC based printing support for Windows NT/2000 clients in Samba 2.2, the MS Add Printer Wizard (APW) icon is now also available in the "Printers..." folder displayed in a share listing. The APW allows printers to be added remotely to a Samba or Windows NT/2000 print server.

For a Samba host this means that the printer must be physically added to the underlying printing system. The addprinter command defines a script to be run which will perform the necessary operations for adding the printer to the print system and to add the appropriate service definition to the smb.conf file in order that it can be shared by smbd(8).

The addprinter command is automatically invoked with the following parameters (in order):

* printer name
* share name
* port name
* driver name
* location
* Windows 9x driver location

All parameters are filled in from the PRINTER_INFO_2 structure sent by the Windows NT/2000 client with one exception. The "Windows 9x driver location" parameter is included for backwards compatibility only. The remaining fields in the structure are generated from answers to the APW questions.

Once the addprinter command has been executed, smbd will reparse the smb.conf to determine if the share defined by the APW exists. If the sharename is still invalid, then smbd will return an ACCESS_DENIED error to the client.

The addprinter command program can output a single line of text, which Samba will set as the port the new printer is connected to. If this line isn't output, Samba won't reload its printer shares.

See also: deleteprinter command, printing, show add printer wizard

Default: none
Example: addprinter command = /usr/bin/addprinter

### add share command (G)

Samba 2.2.0 introduced the ability to dynamically add and delete shares via the Windows NT 4.0 Server Manager. The add share command is used to define an external program or script which will add a new service definition to smb.conf. In order to successfully execute the add share command, smbd requires that the administrator be connected using a root account (i.e. uid == 0).

When executed, smbd will automatically invoke the add share command with four parameters:

* configFile - the location of the global smb.conf file.
* shareName - the name of the new share.
* pathName - path to an **existing** directory on disk.
* comment - comment string to associate with the new share.

This parameter is only used to add file shares. To add printer shares, see the addprinter command.

See also: change share command, delete share command.

Default: none
Example: add share command = /usr/local/bin/addshare

### add user script (G)

This is the full pathname to a script that will be run AS ROOT by smbd(8) under special circumstances described below.

Normally, a Samba server requires that UNIX users are created for all users accessing files on this server. For sites that use Windows NT account databases as their primary user database, creating these users and keeping the user list in sync with the Windows NT PDC is an onerous task. This option allows smbd to create the required UNIX users on demand when a user accesses the Samba server.

In order to use this option, smbd must be set to security = server or security = domain, and add user script must be set to a full pathname for a script that will create a UNIX user given one argument of %u, which expands into the UNIX user name to create.

When the Windows user attempts to access the Samba server, at login (session setup in the SMB protocol) time, smbd contacts the password server and attempts to authenticate the given user with the given password. If the authentication succeeds then smbd attempts to find a UNIX user in the UNIX password database to map the Windows user into. If this lookup fails, and add user script is set, then smbd will call the specified script AS ROOT, expanding any %u argument to be the user name to create.

If this script successfully creates the user then smbd will continue as though the UNIX user already existed. In this way, UNIX users are dynamically created to match existing Windows NT accounts.

See also: security, password server, delete user script.

Default: add user script = <empty string>
Example: add user script = /usr/local/samba/bin/add_user %u

### add user to group script (G)

Full path to the script that will be called when a user is added to a group using the Windows NT domain administration tools. It will be run by smbd(8) AS ROOT. Any %g will be replaced with the group name and any %u will be replaced with the user name.

Default: add user to group script = <empty string>
Example: add user to group script = /usr/sbin/adduser %u %g

### admin users (S)

This is a list of users who will be granted administrative privileges on the share. This means that they will do all file operations as the super-user (root). You should use this option very carefully, as any user in this list will be able to do anything they like on the share, irrespective of file permissions.

Default: no admin users
Example: admin users = jason

### afs share (S)

This parameter controls whether special AFS features are enabled for this share. If enabled, it assumes that the directory exported via the path parameter is a local AFS import. The special AFS features include the attempt to hand-craft an AFS token if you enabled --with-fake-kaserver in configure.

Default: afs share = no
Example: afs share = yes

### afs username map (G)

If you are using the fake kaserver AFS feature, you might want to hand-craft the usernames you are creating tokens for. For example, this is necessary if you have users from several domains in your AFS Protection Database. One possible scheme is to code users as DOMAIN+User, as winbind does with the + as a separator. The mapped user name must contain the cell name to log into, so without setting this parameter there will be no token.

Default: none
Example: afs username map = %u@afs.samba.org

### algorithmic rid base (G)

This determines how Samba will use its algorithmic mapping from uids/gids to the RIDs needed to construct NT Security Identifiers. Setting this option to a larger value could be useful to sites transitioning from WinNT and Win2k, as existing user and group rids would otherwise clash with system users etc. All UIDs and GIDs must be able to be resolved into SIDs for the correct operation of ACLs on the server. As such the algorithmic mapping can't be 'turned off', but pushing it 'out of the way' should resolve the issues. Users and groups can then be assigned 'low' RIDs in arbitrary-rid supporting backends.

Default: algorithmic rid base = 1000
Example: algorithmic rid base = 100000

### allow hosts (S)

Synonym for hosts allow.

### allow trusted domains (G)

This option only takes effect when the security option is set to server or domain. If it is set to no, then attempts to connect to a resource from a domain or workgroup other than the one which smbd is running in will fail, even if that domain is trusted by the remote server doing the authentication.

This is useful if you only want your Samba server to serve resources to users in the domain it is a member of. As an example, suppose that there are two domains DOMA and DOMB. DOMB is trusted by DOMA, which contains the Samba server. Under normal circumstances, a user with an account in DOMB can then access the resources of a UNIX account with the same account name on the Samba server even if they do not have an account in DOMA. This can make implementing a security boundary difficult.

Default: allow trusted domains = yes

### announce as (G)

This specifies what type of server nmbd(8) will announce itself as to a network neighborhood browse list. By default this is set to Windows NT. The valid options are "NT" (a synonym for "NT Server"), "NT Server", "NT Workstation", "Win95" or "WfW", meaning Windows NT Server, Windows NT Workstation, Windows 95 and Windows for Workgroups respectively. Do not change this parameter unless you have a specific need to stop Samba appearing as an NT server, as this may prevent Samba servers from participating as browser servers correctly.

Default: announce as = NT Server
Example: announce as = Win95

### announce version (G)

This specifies the major and minor version numbers that nmbd will use when announcing itself as a server. The default is 4.9. Do not change this parameter unless you have a specific need to set a Samba server to be a downlevel server.
Default: announce version = 4.9
Example: announce version = 2.0

### auth methods (G)

This option allows the administrator to choose what authentication methods smbd will use when authenticating a user. This option defaults to sensible values based on security. This should be considered a developer option and used only in rare circumstances. In the majority (if not all) of production servers, the default setting should be adequate.

Each entry in the list attempts to authenticate the user in turn, until the user authenticates. In practice only one method will ever actually be able to complete the authentication.

Possible options include guest (anonymous access), sam (lookups in local list of accounts based on netbios name or domain name), winbind (relay authentication requests for remote users through winbindd), ntdomain (pre-winbindd method of authentication for remote domain users; deprecated in favour of winbind method), trustdomain (authenticate trusted users by contacting the remote DC directly from smbd; deprecated in favour of winbind method).

Default: auth methods = <empty string>
Example: auth methods = guest sam winbind

### auto services (G)

Synonym for preload.

### available (S)

This parameter lets you "turn off" a service. If available = no, then ALL attempts to connect to the service will fail. Such failures are logged.

Default: available = yes

### bind interfaces only (G)

This global parameter allows the Samba admin to limit what interfaces on a machine will serve SMB requests. It affects file service smbd(8) and name service nmbd(8) in slightly different ways.

For name service it causes nmbd to bind to ports 137 and 138 on the interfaces listed in the interfaces parameter. nmbd also binds to the "all addresses" interface (0.0.0.0) on ports 137 and 138 for the purposes of reading broadcast messages. If this option is not set then nmbd will service name requests on all of these sockets. If bind interfaces only is set then nmbd will check the source address of any packets coming in on the broadcast sockets and discard any that don't match the broadcast addresses of the interfaces in the interfaces parameter list. As unicast packets are received on the other sockets it allows nmbd to refuse to serve names to machines that send packets that arrive through any interfaces not listed in the interfaces list. IP source address spoofing does defeat this simple check, however, so it must not be used seriously as a security feature for nmbd.

For file service it causes smbd(8) to bind only to the interface list given in the interfaces parameter. This restricts the networks that smbd will serve to packets coming in on those interfaces. Note that you should not use this parameter for machines that are serving PPP or other intermittent or non-broadcast network interfaces, as it will not cope with non-permanent interfaces.

If bind interfaces only is set, then unless the network address 127.0.0.1 is added to the interfaces parameter list, smbpasswd(8) and swat(8) may not work as expected due to the reasons covered below.

To change a user's SMB password, smbpasswd by default connects to the localhost address 127.0.0.1 as an SMB client to issue the password change request. If bind interfaces only is set, then unless the network address 127.0.0.1 is added to the interfaces parameter list, smbpasswd will fail to connect in its default mode. smbpasswd can be forced to use the primary IP interface of the local host by using its -r remote machine parameter, with remote machine set to the IP name of the primary interface of the local host.

The swat status page tries to connect with smbd and nmbd at the address 127.0.0.1 to determine if they are running. Not adding 127.0.0.1 will cause smbd and nmbd to always show "not running" even if they really are. This can prevent swat from starting/stopping/restarting smbd and nmbd.

Default: bind interfaces only = no

### blocking locks (S)

This parameter controls the behavior of smbd(8) when given a request by a client to obtain a byte range lock on a region of an open file, and the request has a time limit associated with it.

If this parameter is set and the lock range requested cannot be immediately satisfied, Samba will internally queue the lock request, and periodically attempt to obtain the lock until the timeout period expires.

If this parameter is set to no, then Samba will behave as previous versions of Samba would and will fail the lock request immediately if the lock range cannot be obtained.

Default: blocking locks = yes

### block size (S)

This parameter controls the behavior of smbd(8) when reporting disk free sizes. By default, this reports a disk block size of 1024 bytes. Changing this parameter may have some effect on the efficiency of client writes; this is not yet confirmed. This parameter was added to allow advanced administrators to change it (usually to a higher value) and test the effect it has on client write performance without re-compiling the code. As this is an experimental option it may be removed in a future release. Changing this option does not change the disk free reporting size, just the block size unit reported to the client.

### browsable (S)

Synonym for browseable.

### browseable (S)

This controls whether this share is seen in the list of available shares in a net view and in the browse list.

Default: browseable = yes

### browse list (G)

This controls whether smbd(8) will serve a browse list to a client doing a NetServerEnum call. Normally set to yes. You should never need to change this.

Default: browse list = yes

### case sensitive (S)

See the discussion in the section NAME MANGLING.

Default: case sensitive = no

### casesignames (S)

Synonym for case sensitive.

### change notify timeout (G)

This SMB allows a client to tell a server to "watch" a particular directory for any changes and only reply to the SMB request when a change has occurred. Such constant scanning of a directory is expensive under UNIX, hence smbd(8) only performs such a scan on each requested directory once every change notify timeout seconds.

Default: change notify timeout = 60
Example: change notify timeout = 300

This would change the scan time to every 5 minutes.
### change share command (G)

Samba 2.2.0 introduced the ability to dynamically add and delete shares via the Windows NT 4.0 Server Manager. The change share command is used to define an external program or script which will modify an existing service definition in smb.conf. In order to successfully execute the change share command, smbd requires that the administrator be connected using a root account (i.e. uid == 0).

When executed, smbd will automatically invoke the change share command with four parameters:

* configFile - the location of the global smb.conf file.
* shareName - the name of the new share.
* pathName - path to an **existing** directory on disk.
* comment - comment string to associate with the new share.

This parameter is only used to modify existing file share definitions. To modify printer shares, use the "Printers..." folder as seen when browsing the Samba host.

See also: add share command, delete share command.

Default: none
Example: change share command = /usr/local/bin/addshare

### client lanman auth (G)

This parameter determines whether or not smbclient(8) and other Samba client tools will attempt to authenticate themselves to servers using the weaker LANMAN password hash. If disabled, only servers which support NT password hashes (e.g. Windows NT/2000, Samba, etc., but not Windows 95/98) will be able to be connected to from the Samba client.

The LANMAN encrypted response is easily broken, due to its case-insensitive nature and the choice of algorithm. Clients without Windows 95/98 servers are advised to disable this option.

Disabling this option will also disable the client plaintext auth option.

Likewise, if the client ntlmv2 auth parameter is enabled, then only NTLMv2 logins will be attempted. Not all servers support NTLMv2, and most will require special configuration to use it.

Default: client lanman auth = yes

### client ntlmv2 auth (G)

This parameter determines whether or not smbclient(8) will attempt to authenticate itself to servers using the NTLMv2 encrypted password response.

If enabled, only an NTLMv2 and LMv2 response (both much more secure than earlier versions) will be sent. Many servers (including NT4 < SP4, Win9x and Samba 2.2) are not compatible with NTLMv2.

Similarly, if enabled, NTLMv1, client lanman auth and client plaintext auth authentication will be disabled. This also disables share-level authentication.

If disabled, an NTLM response (and possibly a LANMAN response) will be sent by the client, depending on the value of client lanman auth.

Note that some sites (particularly those following 'best practice' security policies) only allow NTLMv2 responses, and not the weaker LM or NTLM.

Default: client ntlmv2 auth = no

### client plaintext auth (G)

Specifies whether a client should send a plaintext password if the server does not support encrypted passwords.

Default: client plaintext auth = yes

### client schannel (G)

This controls whether the client offers or even demands the use of the netlogon schannel. client schannel = no does not offer the schannel, client schannel = auto offers the schannel but does not enforce it, and client schannel = yes denies access if the server is not able to speak netlogon schannel.

Default: client schannel = auto
Example: client schannel = yes

### client signing (G)

This controls whether the client offers or requires the server it talks to to use SMB signing. Possible values are auto, mandatory and disabled.

When set to auto, SMB signing is offered, but not enforced. When set to mandatory, SMB signing is required, and if set to disabled, SMB signing is not offered either.

Default: client signing = auto

### client use spnego (G)

This variable controls whether Samba clients will try to use Simple and Protected NEGOtiation (as specified by RFC 2478) with Windows XP and Windows 2000 servers to agree upon an authentication mechanism. SPNEGO client support for SMB signing is currently broken, so you might want to turn this option off when operating with Windows 2003 domain controllers in particular.

Default: client use spnego = yes

### comment (S)

This is a text field that is seen next to a share when a client does a queries the server, either via the network neighborhood or via net view to list what shares are available.

If you want to set the string that is displayed next to the machine name then see the server string parameter.

Default: No comment string
Example: comment = Fred's Files

### config file (G)

This allows you to override the config file to use, instead of the default (usually smb.conf). There is a chicken and egg problem here as this option is set in the config file!

For this reason, if the name of the config file has changed when the parameters are loaded then it will reload them from the new config file.

This option takes the usual substitutions, which can be very useful.

If the config file doesn't exist then it won't be loaded (allowing you to special case the config files of just a few clients).

Example: config file = /usr/local/samba/lib/smb.conf.%m

### copy (S)

This parameter allows you to "clone" service entries. The specified service is simply duplicated under the current service's name. Any parameters specified in the current section will override those in the section being copied.

This feature lets you set up a 'template' service and create similar services easily. Note that the service being copied must occur earlier in the configuration file than the service doing the copying.

Default: no value
Example: copy = otherservice

### create mask (S)

A synonym for this parameter is create mode.

When a file is created, the necessary permissions are calculated according to the mapping from DOS modes to UNIX permissions, and the resulting UNIX mode is then bit-wise 'AND'ed with this parameter. This parameter may be thought of as a bit-wise MASK for the UNIX modes of a file. Any bit not set here will be removed from the modes set on a file when it is created.

The default value of this parameter removes the 'group' and 'other' write and execute bits from the UNIX modes.

Following this, Samba will bit-wise 'OR' the UNIX mode created from this parameter with the value of the force create mode parameter, which is set to 000 by default.

This parameter does not affect directory modes. See the parameter directory mode for details.

See also the force create mode parameter for forcing particular mode bits to be set on created files. See the directory mode parameter for masking mode bits on created directories. See also the inherit permissions parameter.

Note that this parameter does not apply to permissions set by Windows NT/2000 ACL editors. If the administrator wishes to enforce a mask on access control lists also, they need to set the security mask.

Default: create mask = 0744
Example: create mask = 0775

### create mode (S)

Synonym for create mask.

### csc policy (S)

This stands for client-side caching policy, and specifies how clients capable of offline caching will cache the files in the share. The valid values are: manual, documents, programs, disable. These values correspond to those used on Windows servers.

For example, shares containing roaming profiles can have offline caching disabled using csc policy = disable.

Default: csc policy = manual
Example: csc policy = programs

### deadtime (G)

The value of the parameter (a decimal integer) represents the number of minutes of inactivity before a connection is considered dead, and it is disconnected. The deadtime only takes effect if the number of open files is zero.

This is useful to stop a server's resources being exhausted by a large number of inactive connections.

Most clients have an auto-reconnect feature when a connection is broken so in most cases this parameter should be transparent to users.

Using this parameter with a timeout of a few minutes is recommended for most systems.

A deadtime of zero indicates that no auto-disconnection should be performed.
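Several of the global parameters above carry a caveat that is easy to lose in a long smb.conf: bind interfaces only without 127.0.0.1 in interfaces breaks smbpasswd and swat, client lanman auth and client plaintext auth default to yes although the page advises disabling them where no Windows 95/98 servers are involved, client signing = disabled stops signing from even being offered, and admin users act as root on a share. The following is an added example, not part of Samba: a small checker that parses an smb.conf fragment with Python's configparser (interpolation switched off because values contain %U, %m and so on) and reports those caveats. Both configuration fragments are constructed for the example; the defaults assumed for absent parameters are the ones this page states.

```python
"""Check an smb.conf fragment for the caveats described on this page (added example, not Samba code)."""
import configparser

# Constructed sample: the weak settings the parameter descriptions above warn about.
WEAK_SMB_CONF = """
[global]
workgroup = EXAMPLE
interfaces = eth0 192.168.1.10/24
bind interfaces only = yes
client lanman auth = yes
client plaintext auth = yes
client signing = disabled

[finance]
path = /srv/finance
admin users = jason
"""

# Constructed sample: the same server with the corrections applied.
HARDENED_SMB_CONF = """
[global]
workgroup = EXAMPLE
interfaces = eth0 192.168.1.10/24 127.0.0.1
bind interfaces only = yes
client lanman auth = no
client plaintext auth = no
client signing = mandatory

[finance]
path = /srv/finance
valid users = @finance
"""


def parse_smb_conf(text):
    """smb.conf is INI-like; '%' interpolation must be off because values hold %U, %m, ..."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    return parser


def is_yes(parser, section, key, default):
    """smb.conf booleans: yes/true/1 count as true, anything else as false."""
    return parser.get(section, key, fallback=default).strip().lower() in ("yes", "true", "1")


def lint(parser):
    """Return (section, parameter, message) tuples for each caveat found."""
    findings = []
    g = "global"
    # smbpasswd and swat connect to 127.0.0.1, so with 'bind interfaces only'
    # the loopback address has to be listed in 'interfaces'.
    if is_yes(parser, g, "bind interfaces only", "no"):
        addrs = [i.split("/")[0] for i in parser.get(g, "interfaces", fallback="").split()]
        if "127.0.0.1" not in addrs:
            findings.append((g, "bind interfaces only",
                             "127.0.0.1 missing from 'interfaces': smbpasswd and swat "
                             "connect to localhost and will fail or misreport"))
    # The page's defaults for these two are yes, so an absent line is still a finding.
    if is_yes(parser, g, "client lanman auth", "yes"):
        findings.append((g, "client lanman auth",
                         "LANMAN responses are easily broken; disable unless "
                         "Windows 95/98 servers must be reached"))
    if is_yes(parser, g, "client plaintext auth", "yes"):
        findings.append((g, "client plaintext auth",
                         "a plaintext password is sent to servers without "
                         "encrypted password support"))
    if parser.get(g, "client signing", fallback="auto").strip().lower() == "disabled":
        findings.append((g, "client signing", "SMB signing is not offered to servers at all"))
    # Per-share: admin users perform every file operation as the super-user.
    for section in parser.sections():
        if section.lower() == g:
            continue
        admins = parser.get(section, "admin users", fallback="").strip()
        if admins:
            findings.append((section, "admin users",
                             f"'{admins}' operate as root on this share; keep the list minimal"))
    return findings


if __name__ == "__main__":
    for section, parameter, message in lint(parse_smb_conf(WEAK_SMB_CONF)):
        print(f"[{section}] {parameter}: {message}")
    print("hardened:", lint(parse_smb_conf(HARDENED_SMB_CONF)))
```

The weak fragment yields five findings and the hardened one none. configparser lowercases parameter names, which matches Samba's case-insensitive handling of them; it does not know Samba's synonyms, so a real checker would also have to map, for example, allow hosts to hosts allow.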
Default: deadtime = 0
Example: deadtime = 15

### debug hires timestamp (G)

Sometimes the timestamps in the log messages are needed with a resolution of higher than seconds; this boolean parameter adds microsecond resolution to the timestamp message header when turned on.

Note that the parameter debug timestamp must be on for this to have an effect.

Default: debug hires timestamp = no

### debuglevel (G)

Synonym for log level.

### debug pid (G)

When using only one log file for more than one forked smbd(8) process it may be hard to follow which process outputs which message. This boolean parameter adds the process id to the timestamp message headers in the logfile when turned on.

Note that the parameter debug timestamp must be on for this to have an effect.

Default: debug pid = no

### debug timestamp (G)

Samba debug log messages are timestamped by default. If you are running at a high debug level these timestamps can be distracting. This boolean parameter allows timestamping to be turned off.

Default: debug timestamp = yes

### debug uid (G)

Samba is sometimes run as root and sometimes run as the connected user; this boolean parameter inserts the current euid, egid, uid and gid into the timestamp message headers in the log file if turned on.

Note that the parameter debug timestamp must be on for this to have an effect.

Default: debug uid = no

### default (G)

Synonym for default service.

### default case (S)

See the section on NAME MANGLING. Also note the short preserve case parameter.

Default: default case = lower

### default devmode (S)

This parameter is only applicable to printable services. When smbd is serving printer drivers to Windows NT/2k/XP clients, each printer on the Samba server has a Device Mode which defines things such as paper size and orientation and duplex settings. The device mode can only correctly be generated by the printer driver itself (which can only be executed on a Win32 platform). Because smbd is unable to execute the driver code to generate the device mode, the default behavior is to set this field to NULL.

Most problems with serving printer drivers to Windows NT/2k/XP clients can be traced to a problem with the generated device mode. Certain drivers will do things such as crashing the client's Explorer.exe with a NULL devmode. However, other printer drivers can cause the client's spooler service (spoolsv.exe) to die if the devmode was not created by the driver itself (i.e. smbd generates a default devmode).

This parameter should be used with care and tested with the printer driver in question. It is better to leave the device mode to NULL and let the Windows client set the correct values. Because drivers do not do this all the time, setting default devmode = yes will instruct smbd to generate a default one.

For more information on Windows NT/2k printing and Device Modes, see the MSDN documentation.

Default: default devmode = no

### default service (G)

This parameter specifies the name of a service which will be connected to if the service actually requested cannot be found. Note that the square brackets are NOT given in the parameter value (see the example below).

There is no default value for this parameter. If this parameter is not given, attempting to connect to a nonexistent service results in an error.

Typically the default service would be a guest ok, read-only service.

Also note that the apparent service name will be changed to equal that of the requested service; this is very useful as it allows you to use macros like %S to make a wildcard service.

Note also that any "_" characters in the name of the service used in the default service will get mapped to a "/". This allows for interesting things.

Example:

```ini
[global]
default service = pub

[pub]
path = /%S
```

### delete group script (G)

This is the full pathname to a script that will be run AS ROOT by smbd(8) when a group is requested to be deleted. It will expand any %g to the group name passed. This script is only useful for installations using the Windows NT domain administration tools.

### deleteprinter command (G)

With the introduction of MS-RPC based printer support for Windows NT/2000 clients in Samba 2.2, it is now possible to delete a printer at run time by issuing the DeletePrinter() RPC call.

For a Samba host this means that the printer must be physically deleted from the underlying printing system. The deleteprinter command defines a script to be run which will perform the necessary operations for removing the printer from the print system and from smb.conf.

The deleteprinter command is automatically called with only one parameter: "printer name".

Once the deleteprinter command has been executed, smbd will reparse the smb.conf to check that the associated printer no longer exists. If the sharename is still valid, then smbd will return an ACCESS_DENIED error to the client.

See also: addprinter command, printing, show add printer wizard

Default: none
Example: deleteprinter command = /usr/bin/removeprinter

### delete readonly (S)

This parameter allows readonly files to be deleted. This is not normal DOS semantics, but is allowed by UNIX.

This option may be useful for running applications such as rcs, where UNIX file ownership prevents changing file permissions, and DOS semantics prevent deletion of a read only file.

Default: delete readonly = no

### delete share command (G)

Samba 2.2.0 introduced the ability to dynamically add and delete shares via the Windows NT 4.0 Server Manager. The delete share command is used to define an external program or script which will remove an existing service definition from smb.conf. In order to successfully execute the delete share command, smbd requires that the administrator be connected using a root account (i.e. uid == 0).

When executed, smbd will automatically invoke the delete share command with two parameters:

* configFile - the location of the global smb.conf file.
* shareName - the name of the existing service.

This parameter is only used to remove file shares. To delete printer shares, see the deleteprinter command.

See also: add share command, change share command.

Default: none
Example: delete share command = /usr/local/bin/delshare

### delete user from group script (G)

Full path to the script that will be called when a user is removed from a group using the Windows NT domain administration tools. It will be run by smbd(8) AS ROOT. Any %g will be replaced with the group name and any %u will be replaced with the user name.

Default: delete user from group script = <empty string>
Example: delete user from group script = /usr/sbin/deluser %u %g

### delete user script (G)

This is the full pathname to a script that will be run by smbd(8) as root when managing users with remote RPC (NT) tools.

This script is called when a remote client removes a user from the server, normally using 'User Manager for Domains' or rpcclient.

This script should delete the given UNIX username.

Default: delete user script = <empty string>
Example: delete user script = /usr/local/samba/bin/del_user %u

### delete veto files (S)

This option is used when Samba is attempting to delete a directory that contains one or more vetoed directories (see the veto files option). If this option is set to no (the default) then if a vetoed directory contains any non-vetoed files or directories then the directory delete will fail. This is usually what you want.

If this option is set to yes, then Samba will attempt to recursively delete any files and directories within the vetoed directory. This can be useful for integration with file serving systems such as NetAtalk, which create meta-files within directories you might normally veto DOS/Windows users from seeing (e.g. .AppleDouble).

Setting delete veto files = yes allows these directories to be transparently deleted when the parent directory is deleted (so long as the user has permissions to do so).

See also the veto files parameter.

Default: delete veto files = no

### deny hosts (S)

Synonym for hosts deny.

### dfree command (G)

The dfree command setting should only be used on systems where a problem occurs with the internal disk space calculations. This has been known to happen with Ultrix, but may occur with other operating systems. The symptom that was seen was an error of "Abort Retry Ignore" at the end of each directory listing.

This setting allows the replacement of the internal routines to calculate the total disk space and amount available with an external routine. The example below gives a possible script that might fulfill this function.
The external program will be passed a single parameter indicating a directory in the filesystem being queried. This will typically consist of the string ./. The script should return two integers in ASCII. The first should be the total disk space in blocks, and the second should be the number of available blocks. An optional third return value can give the block size in bytes. The default blocksize is 1024 bytes.

Note: the script should NOT be setuid or setgid and should be owned by (and writeable only by) root!

Default: By default internal routines for determining the disk capacity and remaining space will be used.
Example: dfree command = /usr/local/samba/bin/dfree

Where the script dfree (which must be made executable) could be:

```sh
#!/bin/sh
# $1 is the directory smbd asks about; print "<total blocks> <free blocks>"
df "$1" | tail -1 | awk '{print $2" "$4}'
```

A second variant, for systems whose df needs -k and lays its columns out differently, could be:

```sh
#!/bin/sh
# Same output format, taking total and free from the third and fifth columns of df -k
/usr/bin/df -k "$1" | tail -1 | awk '{print $3" "$5}'
```

Note that you may have to replace the command names with full path names on some systems.

### directory (S)

Synonym for path.

### directory mask (S)

This parameter is the octal modes which are used when converting DOS modes to UNIX modes when creating UNIX directories.

When a directory is created, the necessary permissions are calculated according to the mapping from DOS modes to UNIX permissions, and the resulting UNIX mode is then bit-wise 'AND'ed with this parameter. This parameter may be thought of as a bit-wise MASK for the UNIX modes of a directory. Any bit not set here will be removed from the modes set on a directory when it is created.

The default value of this parameter removes the 'group' and 'other' write bits from the UNIX mode, allowing only the user who owns the directory to modify it.

Following this, Samba will bit-wise 'OR' the UNIX mode created from this parameter with the value of the force directory mode parameter. This parameter is set to 000 by default (i.e. no extra mode bits are added).

Note that this parameter does not apply to permissions set by Windows NT/2000 ACL editors. If the administrator wishes to enforce a mask on access control lists also, they need to set the directory security mask.

See the force directory mode parameter to cause particular mode bits to always be set on created directories.

See also the create mode parameter for masking mode bits on created files, and the directory security mask parameter.

Also refer to the inherit permissions parameter.

Default: directory mask = 0755
Example: directory mask = 0775

### directory mode (S)

Synonym for directory mask.

### directory security mask (S)

This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating the UNIX permission on a directory using the native NT security dialog box.

This parameter is applied as a mask (AND'ed with) to the changed permission bits, thus preventing any bits not in this mask from being modified. Essentially, zero bits in this mask may be treated as a set of bits the user is not allowed to change.

If not set explicitly this parameter is set to the same value as the directory mask parameter. To allow a user to modify all the user/group/world permissions on a directory, set this parameter to 0777.

Note that users who can access the Samba server through other means can easily bypass this restriction, so it is primarily useful for standalone "appliance" systems. Administrators of most normal systems will probably want to set it to 0777.

See also the force directory security mode, security mask, force security mode parameters.

Default: directory security mask = 0777
Example: directory security mask = 0700

### disable netbios (G)

Enabling this parameter will disable netbios support in Samba. Netbios is the only available form of browsing in all windows versions except for 2000 and XP.

Note that clients that only support netbios won't be able to see your samba server when netbios support is disabled.

Default: disable netbios = no
Example: disable netbios = yes

### disable spoolss (G)

Enabling this parameter will disable Samba's support for the SPOOLSS set of MS-RPCs and will yield identical behavior to Samba 2.0.x. Windows NT/2000 clients will downgrade to using Lanman style printing commands.
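The create mask / force create mode and directory mask / force directory mode descriptions above, together with the security masks, are all the same two-step bit arithmetic: AND with the mask, then OR with the forced bits, while a security mask leaves the zero bits untouched. The following is an added example, not Samba's code, that applies that arithmetic to constructed inputs and reads the share's settings from an smb.conf fragment. The modes a client "requests" (0666 for a file, 0777 for a directory) are assumptions standing in for the DOS-to-UNIX mapping, and the unchanged-bits rule in apply_security_mask is this page's description of the security masks, not a copy of smbd's code.

```python
"""Mode mask arithmetic for create mask, directory mask and the security masks (added example)."""
import configparser

PERM_BITS = 0o777

# Constructed share definition using the parameters described on this page.
SAMPLE_SMB_CONF = """
[global]
workgroup = EXAMPLE

[projects]
path = /srv/projects
create mask = 0664
force create mode = 0660
directory mask = 0775
force directory mode = 0770
directory security mask = 0770
"""


def unix_create_mode(dos_mapped_mode, create_mask=0o744, force_create_mode=0o000):
    """Mode of a new file: (DOS-derived mode AND create mask) OR force create mode."""
    return (dos_mapped_mode & create_mask) | force_create_mode


def unix_directory_mode(dos_mapped_mode, directory_mask=0o755, force_directory_mode=0o000):
    """Mode of a new directory: the same arithmetic with the directory parameters."""
    return (dos_mapped_mode & directory_mask) | force_directory_mode


def apply_security_mask(current_mode, requested_mode, security_mask):
    """Permission change made through the NT security dialog.

    Bits that are 0 in the mask cannot be modified, so they keep their current
    value; bits that are 1 take the value the client requested.
    """
    unchanged = current_mode & PERM_BITS & ~security_mask
    changed = requested_mode & PERM_BITS & security_mask
    return unchanged | changed


def share_modes(conf_text, share, requested_file=0o666, requested_dir=0o777):
    """Read a share's mask parameters from smb.conf text and return (file mode, dir mode)."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)

    def octal(key, default):
        # smb.conf writes these parameters in octal, e.g. 0744
        return int(parser.get(share, key, fallback=default), 8)

    file_mode = unix_create_mode(requested_file,
                                 octal("create mask", "0744"),
                                 octal("force create mode", "0000"))
    dir_mode = unix_directory_mode(requested_dir,
                                   octal("directory mask", "0755"),
                                   octal("force directory mode", "0000"))
    return file_mode, dir_mode


if __name__ == "__main__":
    f, d = share_modes(SAMPLE_SMB_CONF, "projects")
    print(f"new file {f:04o}, new directory {d:04o}")
    # A client tries to open a 0755 directory to everyone; the 0770 mask blocks the 'other' bits.
    print(f"after ACL edit: {apply_security_mask(0o755, 0o777, 0o770):04o}")
```

With the defaults (create mask = 0744, force create mode = 000) a requested 0666 becomes 0644, which is the "group and other lose write and execute" effect the text describes; with the sample share's 0664 mask and 0660 forced bits it becomes 0664.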
Windows 9x/ME will be unaffected by this parameter. However, this will also disable the ability to upload printer drivers to a Samba server via the Windows NT Add Printer Wizard or by using the NT printer properties dialog window. It will also disable the capability of Windows NT/2000 clients to download print drivers from the Samba host upon demand. Be very careful about enabling this parameter.

See also use client driver

Default: disable spoolss = no

display charset (G)
Specifies the charset that Samba will use to print messages to stdout and stderr, and that SWAT will use. Should generally be the same as the unix charset.

Default: display charset = ASCII
Example: display charset = UTF8

dns proxy (G)
Specifies that nmbd(8), when acting as a WINS server and finding that a NetBIOS name has not been registered, should treat the NetBIOS name word-for-word as a DNS name and do a lookup with the DNS server for that name on behalf of the name-querying client.

Note that the maximum length for a NetBIOS name is 15 characters, so the DNS name (or DNS alias) can likewise only be 15 characters at most.

nmbd spawns a second copy of itself to do the DNS name lookup requests, as doing a name lookup is a blocking action.

See also the wins support parameter.

Default: dns proxy = yes

domain logons (G)
If set to yes, the Samba server will serve Windows 95/98 domain logons for the workgroup it is in. Samba 2.2 has limited capability to act as a domain controller for Windows NT 4 domains. For more details on setting up this feature see the Samba-PDC-HOWTO in the Samba documentation.

Default: domain logons = no

domain master (G)
This parameter tells smbd(8) to collate browse lists across the wide area network. Setting this option causes nmbd to claim a special domain-specific NetBIOS name that identifies it as a domain master browser for its given workgroup. Local master browsers in the same workgroup on broadcast-isolated subnets will give this nmbd their local browse lists, and then ask smbd(8) for a complete copy of the browse list for the whole wide area network. Browser clients will then contact their local master browser, and will receive the domain-wide browse list, instead of just the list for their broadcast-isolated subnet.

Note that Windows NT Primary Domain Controllers expect to be able to claim this workgroup-specific special NetBIOS name that identifies them as domain master browsers for that workgroup by default (i.e. there is no way to prevent a Windows NT PDC from attempting to do this). This means that if this parameter is set and nmbd claims the special name for a workgroup before a Windows NT PDC is able to do so, then cross-subnet browsing will behave strangely and may fail.

If domain logons = yes, then the default behavior is to enable the domain master parameter. If domain logons is not enabled (the default setting), then neither will domain master be enabled by default.

Default: domain master = auto

dont descend (S)
There are certain directories on some systems (e.g., the /proc tree under Linux) that are of no interest to clients, or are infinitely deep (recursive). This parameter allows you to specify a comma-delimited list of directories that the server should always show as empty.

Note that Samba can be very fussy about the exact format of the 'dont descend' entries. For example it may require ./proc instead of just /proc. Experimentation is the best policy.
Default: none (i.e., the contents of all directories are passed to the client normally)
Example: dont descend = /proc,/dev

dos charset (G)
DOS SMB clients assume the server has the same charset as they do. This option specifies which charset Samba should talk to DOS clients.

The default depends on which charsets you have installed. Samba tries to use charset 850 but falls back to ASCII in case it is not available. Run testparm(1) to check the default on your system.

dos filemode (S)
The default behavior in Samba is to provide UNIX-like behavior where only the owner of a file/directory is able to change the permissions on it. However, this behavior is often confusing to DOS/Windows users. Enabling this parameter allows a user who has write access to the file (by whatever means) to modify the permissions on it. Note that a user belonging to the group owning the file will not be allowed to change permissions if the group is only granted read access. Ownership of the file/directory is not changed, only the permissions are modified.

Default: dos filemode = no

dos filetime resolution (S)
Under the DOS and Windows FAT file systems, the finest granularity on time resolution is two seconds. Setting this parameter for a share causes Samba to round the reported time down to the nearest two second boundary when a query call that requires one second resolution is made to smbd(8).

This option is mainly used as a compatibility option for Visual C++ when used against Samba shares. If oplocks are enabled on a share, Visual C++ uses two different time reading calls to check if a file has changed since it was last read. One of these calls uses a one-second granularity, the other uses a two second granularity. As the two second call rounds any odd second down, if the file has a timestamp of an odd number of seconds then the two timestamps will not match and Visual C++ will keep reporting the file has changed. Setting this option causes the two timestamps to match, and Visual C++ is happy.

Default: dos filetime resolution = no

dos filetimes (S)
Under DOS and Windows, if a user can write to a file they can change the timestamp on it. Under POSIX semantics, only the owner of the file or root may change the timestamp. By default, Samba runs with POSIX semantics and refuses to change the timestamp on a file if the user smbd is acting on behalf of is not the file owner. Setting this option to yes allows DOS semantics and smbd(8) will change the file timestamp as DOS requires.

Default: dos filetimes = no

enable rid algorithm (G)
This option is used to control whether or not smbd in Samba 3.0 should fall back to the algorithm used by Samba 2.2 to generate user and group RIDs. The longterm development goal is to remove the algorithmic mappings of RIDs altogether, but this has proved to be difficult.
This parameter is mainly provided so that developers can turn the algorithm on and off and see what breaks. This parameter should not be disabled by non-developers because certain features in Samba will fail to work without it.

Default: enable rid algorithm = yes

encrypt passwords (G)
This boolean controls whether encrypted passwords will be negotiated with the client. Note that Windows NT 4.0 SP3 and above and also Windows 98 will by default expect encrypted passwords unless a registry entry is changed. To use encrypted passwords in Samba see the chapter "User Database" in the Samba HOWTO Collection.

In order for encrypted passwords to work correctly, smbd(8) must either have access to a local smbpasswd(5) file (see the smbpasswd(8) program for information on how to set up and maintain this file), or have the security = [server|domain|ads] parameter set, which causes smbd to authenticate against another server.

Default: encrypt passwords = yes

enhanced browsing (G)
This option enables a couple of enhancements to cross-subnet browse propagation that have been added in Samba but which are not standard in Microsoft implementations.

The first enhancement to browse propagation consists of a regular wildcard query to a Samba WINS server for all Domain Master Browsers, followed by a browse synchronization with each of the returned DMBs. The second enhancement consists of a regular randomised browse synchronization with all currently known DMBs.

You may wish to disable this option if you have a problem with empty workgroups not disappearing from browse lists. Due to the restrictions of the browse protocols these enhancements can cause an empty workgroup to stay around forever, which can be annoying.

In general you should leave this option enabled as it makes cross-subnet browse propagation much more reliable.

Default: enhanced browsing = yes

enumports command (G)
The concept of a "port" is fairly foreign to UNIX hosts. Under Windows NT/2000 print servers, a port is associated with a port monitor and generally takes the form of a local port (i.e. LPT1:, COM1:, FILE:) or a remote port (i.e. LPD Port Monitor, etc...). By default, Samba has only one port defined: "Samba Printer Port". Under Windows NT/2000, all printers must have a valid port name.
If you wish to have a list of ports displayed (smbd does not use a port name for anything) other than the default "Samba Printer Port", you can define enumports command to point to a program which should generate a list of ports, one per line, to standard output. This listing will then be used in response to the level 1 and 2 EnumPorts() RPC.

Default: no enumports command
Example: enumports command = /usr/bin/listports

exec (S)
Synonym for preexec.

fake directory create times (S)
NTFS and Windows VFAT file systems keep a create time for all files and directories. This is not the same as the ctime (status change time) that UNIX keeps, so Samba by default reports the earliest of the various times UNIX does keep as the creation time.

Setting this parameter for a share causes Samba to always report midnight 1 January 1980 as the create time for directories.

This option is mainly used as a compatibility option for Visual C++ when used against Samba shares. Visual C++ generated makefiles have the object directory as a dependency for each object file, and a make rule to create the directory. Also, when NMAKE compares timestamps it uses the creation time when examining a directory. Thus the object directory will be created if it does not exist, but if it does exist it will always have an earlier timestamp than the object files it contains.

However, UNIX time semantics mean that the create time reported by Samba will be updated whenever a file is created or deleted in the directory. NMAKE then finds all object files in the object directory except the last one built are out of date compared to the directory, and rebuilds them. Enabling this option ensures directories always predate their contents and an NMAKE build will proceed as expected.

Default: fake directory create times = no

fake oplocks (S)
Oplocks are the way that SMB clients get permission from a server to locally cache file operations. If a server grants an oplock (opportunistic lock) then the client is free to assume that it is the only one accessing the file and it will aggressively cache file data. With some oplock types the client may even cache file open/close operations. This can give enormous performance benefits.

When you set fake oplocks = yes, smbd(8) will always grant oplock requests no matter how many clients are using the file.

It is generally much better to use the real oplocks support rather than this parameter.

If you enable this option on a share where the files are read-only (e.g. CDROM shares), or where you know the share will only be accessed by one client (e.g. home directories), you will see a big performance improvement. If you enable it on shares where multiple clients may be reading from and writing to a file simultaneously, there is a risk of file corruption, because clients may be caching the same file at once. Use this option carefully!

Default: fake oplocks = no

follow symlinks (S)
This parameter allows the Samba administrator to stop smbd(8) from following symbolic links in a particular share. Setting this parameter to no prevents any file or directory that is a symbolic link from being followed (the user will get an error). This option is very useful to stop users from adding a symbolic link to /etc/passwd in their home directory, for instance (we have seen this done). However it will slow filename lookups down slightly.

This option is enabled (i.e. smbd will follow symbolic links) by default.

Default: follow symlinks = yes

force create mode (S)
This parameter specifies a set of UNIX mode bit permissions that will always be set on a file created by Samba. This is done by bitwise ORing these bits onto the mode bits of a file that is being created. By default this parameter is set to 000; the create mask is applied to the permissions of a newly created file first, and this value is then ORed in to give the file's final mode.

See the create mask parameter for details on masking mode bits on created files. See also the inherit permissions parameter.
Default: force create mode = 000
Example: force create mode = 0755

This example would force all created files to have read and execute permissions set for 'group' and 'other', as well as the read/write/execute bits set for the 'user'.

force directory mode (S)
This parameter specifies a set of UNIX mode bit permissions that will always be set on a directory created by Samba. This is done by bitwise ORing these bits onto the mode bits of a directory that is being created. By default this parameter is set to 000; the directory mask is applied to the permissions of a newly created directory first, and this value is then ORed in to give the directory's final mode.

See the directory mask parameter for details on masking mode bits on created directories. See also the inherit permissions parameter.

Default: force directory mode = 000
Example: force directory mode = 0755

This example would force all created directories to have read and execute (search) permissions set for 'group' and 'other', as well as the read/write/search bits set for the 'user'.

force directory security mode (S)
This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating the UNIX permissions on a directory using the native NT security dialog box.

This parameter is applied as a mask (OR) to the changed permission bits, thus forcing any bits in this mask that the user may have modified to be on. Essentially, a 1 bit in this mask may be treated as a set of bits that, when modifying security on a directory, the user has always set to be 'on'.

If not set explicitly this parameter is set to the same value as the force directory mode parameter. To allow a user to modify all the user/group/world permissions on a directory without restrictions, set this parameter to 000.

Note that users who can access the Samba server through other means can easily bypass this restriction, so it is primarily useful for standalone, single-purpose systems. Administrators of most normal systems will probably leave it at the default of 0000.

See also the directory security mask, security mask, force security mode parameters.

Default: force directory security mode = 0
Example: force directory security mode = 700

force group (S)
This specifies a UNIX group name that will be assigned as the default primary group for all users connecting to this service. This is useful for sharing files by ensuring that all access to files on the service will use the named group for their permissions checking. Thus, by assigning permissions for this group to the files and directories within this service, the Samba administrator can restrict or allow sharing of these files.

In Samba 2.0.5 and above this parameter has extended functionality in the following way. If the group name listed here has a '+' character prepended to it, then the current user accessing the share only has the primary group default assigned to this group if they are already a member of that group. This allows an administrator to decide that only users who are already in a particular group will create files with group ownership set to that group. This gives a finer granularity of ownership assignment. For example, the setting force group = +sys means that only users who are already in group sys will have their default primary group assigned to sys when accessing this Samba share. All other users will retain their ordinary primary group.

If the force user parameter is also set, the group specified in force group will override the primary group set in force user.

See also force user.

Default: no forced group
Example: force group = agroup

force security mode (S)
This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating the UNIX permissions on a file using the native NT security dialog box.

This parameter is applied as a mask (OR) to the changed permission bits, thus forcing any bits in this mask that the user may have modified to be on. Essentially, a 1 bit in this mask may be treated as a set of bits that, when modifying security on a file, the user has always set to be 'on'.

If not set explicitly this parameter is set to the same value as the force create mode parameter. To allow a user to modify all the user/group/world permissions on a file without restrictions, set this parameter to 000.

Note that users who can access the Samba server through other means can easily bypass this restriction, so it is only useful for standalone, single-purpose systems. Administrators of most normal systems will probably leave it at the default of 0000.
See also the force directory security mode, directory security mask, security mask parameters.

Default: force security mode = 0
Example: force security mode = 700

force user (S)
This specifies a UNIX user name that will be assigned as the default user for all users connecting to this service. This is useful for sharing files (for permission reasons). You should also use it carefully, as using it incorrectly can cause security problems.

This user name only gets used once a connection is established. Thus clients still need to connect as a valid user and supply a valid password. Once connected, all file operations will be performed as the "forced user", no matter what username the client connected as.

In Samba 2.0.5 and above this parameter also causes the primary group of the forced user to be used as the primary group for all file activity. Prior to 2.0.5 the primary group was left as the primary group of the connecting user (this was a bug).

See also force group.

Default: no forced user
Example: force user = auser

fstype (S)
This parameter allows the administrator to configure the string that specifies the type of filesystem a share is using, which is reported by smbd(8) when a client queries the filesystem type for a share. The default type is NTFS for compatibility with Windows NT, but this can be changed to other strings such as Samba or FAT if required.

Default: fstype = NTFS
Example: fstype = Samba

get quota command (G)
The get quota command should only be used whenever there is no operating system API available from the OS that Samba can use.

This parameter should specify the path to a script that queries the quota information for the specified user/group for the partition that the specified directory is on.

Such a script should take 3 arguments:

directory
type of query
uid of user or gid of group

The type of query can be one of:

1 - user quotas
2 - user default quotas (uid = -1)
3 - group quotas
4 - group default quotas (gid = -1)

This script should print its output according to the following format:

Line 1 - quota flags (0 = no quotas, 1 = quotas enabled, 2 = quotas enabled and enforced)
Line 2 - number of currently used blocks
Line 3 - the softlimit number of blocks
Line 4 - the hardlimit number of blocks
Line 5 - currently used number of inodes
Line 6 - the softlimit number of inodes
Line 7 - the hardlimit number of inodes
Line 8 (optional) - the number of bytes in a block (default is 1024)

See also the set quota command parameter.

Default: get quota command =
Example: get quota command = /usr/local/sbin/query_quota

getwd cache (G)
This is a tuning option. When this is enabled, a caching algorithm will be used to reduce the time taken for getwd() calls. This can have a significant impact on performance, especially when the wide links parameter is set to no.
Default: getwd cache = yes

group (S)
Synonym for force group.

guest account (G,S)
This is a username which will be used for access to services which are specified as guest ok (see below). Whatever privileges this user has will be available to any client connecting to the guest service. Typically this user will exist in the password file, but will not have a valid login. The user account "ftp" is often a good choice for this parameter. Note: if a username is specified for a given service, the specified username overrides this one.

On some systems the default guest account "nobody" may not be able to print. Use another account in this case (for example ftp). You should test this by trying to log in as your guest user (perhaps by using the su - command) and trying to print using the system print command such as lpr(1) or lp(1).

This parameter does not accept % macros, because many parts of the system require this value to be constant for correct operation.

Default: specified at compile time, usually "nobody"
Example: guest account = ftp

guest ok (S)
If this parameter is yes for a service, then no password is required to connect to the service. Privileges will be those of the guest account.

This parameter nullifies the benefits of setting restrict anonymous = 2.

See the section below on security for more information about this option.

Default: guest ok = no

guest only (S)
If this parameter is yes for a service, then only guest connections to the service are permitted; connections as any other user are not allowed. This parameter will have no effect if guest ok is not set for the service.

See the section below on security for more information about this option.

Default: guest only = no

hide dot files (S)
This is a boolean parameter that controls whether files starting with a dot appear as hidden files (in UNIX file systems, files whose names start with a dot are hidden).

Default: hide dot files = yes

hide files (S)
This is a list of files or directories that are not visible but are accessible. The DOS 'hidden' attribute is applied to any files or directories that match.

Each entry in the list must be separated by a '/', which allows spaces to be included in the entry. '*' and '?' can be used to specify multiple files or directories as in DOS wildcards.

Each entry must be a UNIX path, not a DOS path, and must not include the UNIX directory separator '/'.

Note that the case sensitivity option is applicable in hiding files.

Setting this parameter will affect the performance of Samba, as it will be forced to check all files and directories for a match as they are scanned.

See also hide dot files, veto files and case sensitive.

Default: no files are hidden
Example: hide files = /.*/DesktopFolderDB/TrashFor%m/resource.frk/

The above example is based on files that the Macintosh SMB client (DAVE) available from Thursby creates for internal use, and also still hides all files beginning with a dot.

hide local users (G)
This parameter toggles the hiding of local UNIX users (root, wheel, floppy, etc) from remote clients.

Default: hide local users = no

hide special files (S)
This parameter prevents clients from seeing special files such as sockets, devices and fifos in directory listings.

Default: hide special files = no

hide unreadable (S)
This parameter prevents clients from seeing the existence of files that cannot be read. Defaults to off.

Default: hide unreadable = no

hide unwriteable files (S)
This parameter prevents clients from seeing the existence of files that cannot be written to. Defaults to off.
Note that unwriteable directories are shown as usual.

Default: hide unwriteable = no

homedir map (G)
If nis homedir is yes, and smbd(8) is also acting as a Win95/98 logon server, then this parameter specifies the NIS (or YP) map from which the server for the user's home directory should be extracted. At present, only the Sun auto.home map format is understood. The form of the map is:

username server:/some/file/system

and the program will extract the server name from before the ':'. There should probably be a better parsing system that copes with different map formats and also Amd (another automounter) maps.

A working NIS client is required on the system for this option to work.

See also nis homedir, domain logons.

Default: homedir map = <empty string>
Example: homedir map = amd.homedir

host msdfs (G)
If set to yes, Samba will act as a Dfs server, and allow Dfs-aware clients to browse Dfs trees hosted on the server.

See also the msdfs root share level parameter. For more information on setting up a Dfs tree on Samba, refer to ???.

Default: host msdfs = no

hostname lookups (G)
Specifies whether Samba should use (expensive) hostname lookups or use the IP addresses instead. An example place where hostname lookups are currently used is when checking the hosts deny and hosts allow.

Default: hostname lookups = yes
Example: hostname lookups = no

hosts allow (S)
A synonym for this parameter is allow hosts.

This parameter is a comma, space, or tab delimited set of hosts which are permitted to access a service.

If specified in the [global] section then it will apply to all services, regardless of whether the individual service has a different setting.

You can specify the hosts by name or IP number. For example, you could restrict access to only the hosts on a Class C subnet with something like allow hosts = 150.203.5. . The full syntax of the list is described in the man page hosts_access(5). Note that this man page may not be present on your system, so a brief description will be given here also.

Note that the localhost address 127.0.0.1 will always be allowed access unless specifically denied by a hosts deny option.

You can also specify hosts by network/netmask pairs and by netgroup names if your system supports netgroups. The EXCEPT keyword can also be used to limit a wildcard list. The following examples may provide some help:

Example 1: allow all IPs in 150.203.*.* except one

hosts allow = 150.203. EXCEPT 150.203.6.66

Example 2: allow hosts that match the given network/netmask

hosts allow = 150.203.15.0/255.255.255.0

Example 3: allow a couple of hosts

hosts allow = lapland, arvidsjaur

Example 4: allow only hosts in NIS netgroup "foonet", but deny access from one particular host

hosts allow = @foonet
hosts deny = pirate

Note that access still requires suitable user-level passwords.

See testparm(1) for a way of testing your host access to see if it does what you expect.

Default: none (i.e., all hosts permitted access)
Example: allow hosts = 150.203.5. myhost.mynet.edu.au

hosts deny (S)
The opposite of hosts allow: hosts listed here are NOT permitted access to services unless the specific services have their own lists to override this one. Where the lists conflict, the allow list takes precedence.

Default: none (i.e., no hosts specifically excluded)
Example: hosts deny = 150.203.4. badhost.mynet.edu.au

hosts equiv (G)
If this global parameter is a non-null string, it specifies the name of a file to read for the names of hosts and users who will be allowed access without specifying a password.

This is not to be confused with hosts allow, which is about hosts' access to services and is more useful for guest services. hosts equiv may be useful for NT clients which will not supply passwords to Samba.

Note: the use of hosts equiv can be a major security hole. This is because you are trusting the PC to supply the correct username. It is very easy to get a PC to supply a false username. I recommend that the hosts equiv option be only used if you really know what you are doing, or perhaps on a home network where you trust your spouse and kids. And only if you really trust them :-)

Default: no host equivalences
Example: hosts equiv = /etc/hosts.equiv

idmap backend (G)
The purpose of the idmap backend parameter is to allow idmap to NOT use the local idmap tdb file to obtain SID to UID / GID mappings, but instead to obtain them from a common LDAP backend. This way all domain members and controllers will have the same UID and GID to SID mappings. This avoids the risk of UID / GID inconsistencies across UNIX / Linux systems that are sharing information over protocols other than SMB/CIFS (i.e. NFS).

Default: idmap backend = <empty string>
Example: idmap backend = ldap:ldap://ldapslave.example.com

idmap gid (G)
The idmap gid parameter specifies the range of group ids that are allocated for the purpose of mapping UNIX groups to NT group SIDs. This range of group ids should have no existing local or NIS groups within it, as strange conflicts can occur otherwise.

The availability of an idmap gid range is essential for correct operation of all group mapping.

Default: idmap gid = <empty string>
Example: idmap gid = 10000-20000

idmap uid (G)
The idmap uid parameter specifies the range of user ids that are allocated for use in mapping UNIX users to NT user SIDs. This range of ids should have no existing local or NIS users within it, as strange conflicts can occur otherwise.

Default: idmap uid = <empty string>
Example: idmap uid = 10000-20000

include (G)
This allows you to include one config file inside another. The file is included literally, as though typed in place.

It takes the standard substitutions, except %u, %P and %S.

Default: no file included
Example: include = /usr/local/samba/lib/admin_smb.conf

inherit acls (S)
This parameter can be used to ensure that if default acls exist on parent directories, they are always honored when creating a subdirectory.
The default behavior is to use the mode specified when creating the directory. Enabling this option sets the mode to 0777, thus guaranteeing that default directory acls are propagated.

Default: inherit acls = no

inherit permissions (S)
The permissions on new files and directories are normally governed by create mask, directory mask, force create mode and force directory mode, but the boolean inherit permissions parameter overrides this.

New directories inherit the mode of the parent directory, including bits such as setgid.

New files inherit their read/write bits from the parent directory. Their execute bits continue to be determined by map archive, map hidden and map system as usual.

Note that the setuid bit is never set via inheritance (the code explicitly prohibits this).

This can be particularly useful on large systems with many users, perhaps several thousand, to allow a single [homes] share to be used flexibly by each user.

See also create mask, directory mask, force create mode and force directory mode.

Default: inherit permissions = no

interfaces (G)
This option allows you to override the default network interfaces list that Samba will use for browsing, name registration and other NBT traffic. By default Samba will query the kernel for the list of all active interfaces and use any interfaces except 127.0.0.1.

The option takes a list of interface strings. Each string can be in any of the following forms:

a network interface name (such as eth0). This may include shell-like wildcards, so eth* will match any interface starting with the substring "eth"

an IP address. In this case the netmask is determined from the list of interfaces obtained from the kernel

an IP/mask pair.

a broadcast/mask pair.

The "mask" parameters can either be a bit length (such as 24 for a C class network) or a full netmask in dotted decimal form.

The "IP" parameters above can either be a full dotted decimal IP address or a hostname which will be looked up via the OS's normal hostname resolution mechanisms.

For example, the following line:

interfaces = eth0 192.168.2.10/24 192.168.3.10/255.255.255.0

would configure three network interfaces corresponding to the eth0 device and IP addresses 192.168.2.10 and 192.168.3.10. The netmasks of the latter two interfaces would be set to 255.255.255.0.

See also bind interfaces only.

Default: all active interfaces except 127.0.0.1 that are broadcast capable

invalid users (S)
This is a list of users that should not be allowed to login to this service. This is really a paranoid check to absolutely ensure an improper setting does not breach your security.

A name starting with a '@' is interpreted as an NIS netgroup first (if your system supports NIS), and then as a UNIX group if the name was not found in the NIS netgroup database.
A name starting with '+' is interpreted only by looking in the UNIX group database. A name starting with '&' is interpreted only by looking in the NIS netgroup database (this requires NIS to be working on your system). The characters '+' and '&' may be used at the start of the name in either order, so the value +&group means check the UNIX group database, followed by the NIS netgroup database, and the value &+group means check the NIS netgroup database, followed by the UNIX group database (the same as the '@' prefix).

The current servicename is substituted for %S. This is useful in the [homes] section.

See also valid users.

Default: no invalid users
Example: invalid users = root fred admin @wheel

keepalive (G)
The value of the parameter (an integer) represents the number of seconds between keepalive packets. If this parameter is zero, no keepalive packets will be sent. Keepalive packets, if sent, allow the server to tell whether a client is still present and responding.

Keepalives should, in general, not be needed if the socket being used has the SO_KEEPALIVE attribute set on it (see socket options). Basically you should only use this option if you strike difficulties.

Default: keepalive = 300
Example: keepalive = 600

kernel change notify (G)
This parameter specifies whether Samba should ask the kernel for change notifications in directories so that SMB clients can refresh whenever the data on the server changes.

This parameter is only used when your kernel supports change notification to user programs, using the F_NOTIFY fcntl.

Default: Yes

kernel oplocks (G)
For UNIXes that support kernel based oplocks (currently only IRIX and the Linux 2.4 kernel), this parameter allows the use of them to be turned on or off.

Kernel oplock support allows Samba oplocks to be broken whenever a local UNIX process or NFS operation accesses a file that smbd(8) has oplocked. This allows complete data consistency between SMB/CIFS, NFS and local file access (and is a very cool feature :-).

This parameter defaults to on if your system supports it, and to off on systems that do not have the necessary kernel support. You should never need to touch this parameter.

See also the oplocks and level2 oplocks parameters.

Default: kernel oplocks = yes

lanman auth (G)
This parameter determines whether or not smbd(8) will attempt to authenticate users using the LANMAN password hash. If disabled, only clients which support NT password hashes (e.g. Windows NT/2000 clients, smbclient, etc... but not Windows 95/98 or the MS DOS network client) will be able to connect to the Samba host.

The LANMAN encrypted response is easily broken, due to its case-insensitive nature, and the choice of algorithm. Servers without Windows 95/98 or MS DOS clients are advised to disable this option.

Unlike the encrypt passwords option, this parameter cannot alter client behaviour, and the LANMAN response will still be sent over the network.
See the client lanman auth parameter to disable this for Samba's clients (such as smbclient).

If this option and ntlm auth are both disabled, then only NTLMv2 logins will be permitted. Not all clients support NTLMv2, and most will require special configuration to use it.

Default : lanman auth = yes

large readwrite (G)
This parameter determines whether or not smbd(8) supports the new 64k streaming read and write variant SMB requests introduced with Windows 2000. Note that due to Windows 2000 client redirector bugs this requires Samba to be running on a 64-bit capable operating system such as IRIX, Solaris or a Linux 2.4 kernel. Can improve performance by 10% with Windows 2000 clients. Defaults to on. Not as tested as some other Samba code paths.

Default: large readwrite = yes

ldap admin dn (G)
The ldap admin dn defines the Distinguished Name (DN) used by Samba to contact the LDAP server when retrieving user account information. The ldap admin dn is used in conjunction with the admin dn password stored in the private/secrets.tdb file. See the smbpasswd(8) man page for more information on how to accomplish this.

ldap delete dn (G)
This parameter specifies whether a delete operation in the ldapsam deletes the complete entry or only the attributes specific to Samba.

Default: ldap delete dn = no

ldap filter (G)
This parameter specifies the RFC 2254 compliant LDAP search filter. The default is to match the login name with the uid attribute for all entries matching the sambaAccount objectclass. Note that this filter should only return one entry.

Default: ldap filter = (&(uid=%u)(objectclass=sambaAccount))

ldap group suffix (G)
This parameter specifies the suffix that is used for groups when these are added to the LDAP directory. If this parameter is unset, the value of ldap suffix will be used instead.

Default: none
Example: dc=samba,ou=Groups

ldap idmap suffix (G)
This parameter specifies the suffix that is used when storing idmap mappings. If this parameter is unset, the value of ldap suffix will be used instead.

Default: none
Example: ou=Idmap,dc=samba,dc=org

ldap machine suffix (G)
It specifies where machines should be added to the LDAP tree.
Default: none

ldap passwd sync (G)
This option is used to define whether or not Samba should sync the LDAP password with the NT and LM hashes for normal accounts (NOT for workstation, server or domain trusts) on a password change via Samba.

The ldap passwd sync can be set to one of three values:

Yes = Try to update the LDAP, NT and LM passwords and update the pwdLastSet time.
No = Update NT and LM passwords and update the pwdLastSet time.
Only = Only update the LDAP password and let the LDAP server do the rest.

Default: ldap passwd sync = no

ldap port (G)
This option is only available if Samba has been configured with the --with-ldap option.

This option controls the TCP port number used to contact the LDAP server. The default is to use the standard LDAPS port 636.

See also: ldap ssl

Default : ldap port = 636 ; if ldap ssl = on
Default : ldap port = 389 ; if ldap ssl = off

ldap server (G)
This parameter is only available if Samba has been configured with the --with-ldapsam option.

This parameter should contain the FQDN of the LDAP directory server which should be queried to locate user account information.

Default : ldap server = localhost

ldap ssl (G)
This option is used to define whether or not Samba should use SSL when connecting to the LDAP server. This is NOT related to Samba's previous SSL support which was enabled by specifying the --with-ssl option to the configure script.

The ldap ssl can be set to one of three values:

Off = Never use SSL when querying the directory.
Start_tls = Use the LDAPv3 StartTLS extended operation (RFC 2830) for communicating with the directory server.
On = Use SSL on the ldaps port when contacting the LDAP server. Only available when the backwards-compatibility --with-ldapsam option is specified to configure. See passdb backend

Default : ldap ssl = start_tls

ldap suffix (G)
Specifies where user and machine accounts are added to the tree. Can be overridden by the ldap user suffix and ldap machine suffix parameters. It is also used as the base dn for all LDAP searches.

Default: none

ldap user suffix (G)
This parameter specifies where users are added to the tree. If this parameter is not specified, the value from ldap suffix is used.
Default: none

level2 oplocks (S)
This parameter controls whether Samba supports level2 (read-only) oplocks on a share.

Level2, or read-only oplocks allow Windows NT clients that have an oplock on a file to downgrade from a read-write oplock to a read-only oplock once a second client opens the file (instead of releasing all oplocks on a second open, as in traditional, exclusive oplocks). This allows all openers of the file that support level2 oplocks to cache the file for read-ahead only (i.e. they may not cache writes or lock requests) and increases performance for many accesses of files that are not commonly written (such as application .EXE files).

Once one of the clients which have a read-only oplock writes to the file, all clients are notified (no reply is needed or waited for) and told to break their oplocks to "none" and delete any read-ahead caches.

It is recommended that this parameter be turned on to speed access to shared executables.

For more discussion on level2 oplocks see the CIFS spec.

Currently, if kernel oplocks are supported then level2 oplocks are not granted (even if this parameter is set to yes). Note also, the oplocks parameter must be set to yes on this share in order for this parameter to have any effect.

See also the oplocks and kernel oplocks parameters.

Default: level2 oplocks = yes

lm announce (G)
This parameter determines if nmbd(8) will produce Lanman announce broadcasts that are needed by OS/2 clients in order for them to see the Samba server in their browse list. This parameter can have three values, yes, no, or auto. The default is auto. If set to no, Samba will never produce these broadcasts. If set to yes, Samba will produce Lanman announce broadcasts at a frequency set by the parameter lm interval. If set to auto, Samba will not send Lanman announce broadcasts by default but will listen for them. If it hears such a broadcast on the wire it will then start sending them at a frequency set by the parameter lm interval.

See also lm interval.

Default: lm announce = auto
Example: lm announce = yes

lm interval (G)
If Samba is set to produce Lanman announce broadcasts needed by OS/2 clients (see the lm announce parameter), then this parameter defines the frequency in seconds with which they will be made. If this is set to zero then no Lanman announcements will be made despite the setting of the lm announce parameter.

See also lm announce.

Default: lm interval = 60
Example: lm interval = 120

load printers (G)
A boolean variable that controls whether all printers in the printcap will be loaded for browsing by default. See the printers section for more details.

Default: load printers = yes

local master (G)
This option allows nmbd(8) to try and become a local master browser on a subnet. If set to no then nmbd will not attempt to become a local master browser on a subnet. By default this value is set to yes. Setting this value to yes doesn't mean that Samba will become the local master browser on a subnet, just that nmbd will participate in elections for local master browser.

Setting this value to no will cause nmbd never to become a local master browser.

Default: local master = yes

lock dir (G)
Synonym for lock directory.

lock directory (G)
This option specifies the directory where lock files will be placed. The lock files are used to implement the max connections option.

Default: lock directory = ${prefix}/var/locks
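The arithmetic behind the mask and force-mode parameters above (create mask, directory mask, force create mode, force directory mode, and the security mask / force security mode pairs used for NT security-dialog edits), as an added shell example that is not part of the smb.conf man page or of Samba. The security-dialog function follows the parameter descriptions on this page; treating them as "(client mode & security mask) | force security mode" is an assumption about smbd's behaviour, not its source.

```shell
#!/bin/sh
# Added example (not part of the smb.conf man page or of Samba itself).
# Models how Samba combines the mask and force-mode parameters described
# above. Modes are octal strings, as written in smb.conf.
#
#   created mode = (mode mapped from the DOS attributes & mask) | force mode
#     files:       create mask      / force create mode
#     directories: directory mask   / force directory mode
#
#   mode left by an NT security dialog edit
#                = (mode requested by the client & security mask) | force security mode
#     files:       security mask           / force security mode
#     directories: directory security mask / force directory security mode
#   (assumption: this follows the parameter descriptions, not smbd's source)

# is_octal_mode STR: succeed only if STR is a non-empty string of octal digits,
# so that the arithmetic below never evaluates anything else.
is_octal_mode() {
    case $1 in
        '' | *[!0-7]*) return 1 ;;
        *) return 0 ;;
    esac
}

# combine_mode REQUESTED MASK FORCE: print (REQUESTED & MASK) | FORCE as a
# four-digit octal mode. A leading 0 is prepended to each argument so the
# shell parses it as octal whether or not it already carried one.
combine_mode() {
    for m in "$1" "$2" "$3"; do
        is_octal_mode "$m" || { echo "combine_mode: bad octal mode '$m'" >&2; return 1; }
    done
    printf '%04o\n' $(( (0$1 & 0$2) | 0$3 ))
}

# create_mode REQUESTED MASK FORCE: mode of a newly created file or directory.
create_mode() { combine_mode "$1" "$2" "$3"; }

# acl_edit_mode CLIENT SECMASK FORCESEC: mode left after an NT security dialog
# edit, per the description of the security mask parameters (assumption).
acl_edit_mode() { combine_mode "$1" "$2" "$3"; }

# widest_mode MASK FORCE: the most permissive mode a share's settings can ever
# hand out (every bit the mask lets through plus every forced bit). Handy as a
# least-privilege audit of a [share] definition.
widest_mode() {
    is_octal_mode "$1" && is_octal_mode "$2" || return 1
    printf '%04o\n' $(( 0$1 | 0$2 ))
}

# Worked cases using the defaults and examples quoted in the entries above.
demo() {
    echo "client asks 0777, directory mask = 0755 (default), force directory mode = 000:"
    echo "  created directory mode $(create_mode 0777 0755 000)"
    echo "client asks 0666, create mask = 0744, force create mode = 0755:"
    echo "  created file mode $(create_mode 0666 0744 0755)"
    echo "client sets 0777 in the NT dialog, directory security mask = 0700:"
    echo "  resulting mode $(acl_edit_mode 0777 0700 000)"
    echo "client sets 0000 in the NT dialog, force security mode = 700:"
    echo "  resulting mode $(acl_edit_mode 0000 0777 700)"
    echo "directory mask = 0775 with force directory mode = 0755 can hand out at most $(widest_mode 0775 0755)"
}

demo
```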
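A script following the get quota command interface described above (three arguments, four query types, eight output lines), as an added example that is not part of the smb.conf man page or of Samba. The quota figures come from a constructed table so the script runs offline; a real script would obtain them from the operating system's quota tooling.

```shell
#!/bin/sh
# Added example (not part of the smb.conf man page or of Samba itself):
# a script following the "get quota command" interface described above.
# It is invoked as:  script DIRECTORY TYPE ID
# where TYPE is 1-4 as listed in the parameter description and ID is a uid,
# a gid, or -1 for the default-quota query types 2 and 4.
# A real script would query the operating system's quota tooling; here the
# figures come from the constructed table QUOTA_TABLE so it runs offline.
# As with dfree command, keep the file owned by root, writable only by root
# and neither setuid nor setgid: smbd runs it on every quota query.

# Constructed sample data, one record per line:
#   type id flags used_blocks soft_blocks hard_blocks used_inodes soft_inodes hard_inodes
# flags: 0 = no quotas, 1 = quotas enabled, 2 = quotas enabled and enforced.
QUOTA_TABLE='
1 1000 2 20480 40960 51200 150 1000 1200
1 1001 1 512 0 0 3 0 0
2 -1 2 0 40960 51200 0 1000 1200
3 100 2 102400 204800 256000 900 5000 6000
4 -1 2 0 204800 256000 0 5000 6000
'

# validate_args DIRECTORY TYPE ID: succeed only for a well-formed request.
# The script runs with smbd's privileges, so nothing reaches the lookup
# below until the type is one of 1-4 and the id is numeric (-1 only for the
# default-quota types).
validate_args() {
    [ $# -eq 3 ] && [ -d "$1" ] || return 1
    case $2 in
        1|3) case $3 in ''|*[!0-9]*) return 1 ;; esac ;;
        2|4) [ "$3" = "-1" ] || return 1 ;;
        *)   return 1 ;;
    esac
}

# print_quota TYPE ID: emit the eight lines smbd expects, in order:
# flags, used blocks, soft block limit, hard block limit, used inodes,
# soft inode limit, hard inode limit, bytes per block.
print_quota() {
    qtype=$1
    qid=$2
    # Word-split the matching record into $1..$7 (flags and the six counters).
    set -- $(printf '%s\n' "$QUOTA_TABLE" |
        awk -v t="$qtype" -v i="$qid" '$1 == t && $2 == i { print $3, $4, $5, $6, $7, $8, $9; exit }')
    # No record for this id: report "no quotas" and zero counters.
    [ $# -eq 7 ] || set -- 0 0 0 0 0 0 0
    printf '%s\n' "$1" "$2" "$3" "$4" "$5" "$6" "$7" 1024
}

# Only act as the smbd-facing script when invoked with the three arguments.
if [ $# -eq 3 ]; then
    if validate_args "$@"; then
        print_quota "$2" "$3"
    else
        echo "usage: $0 DIRECTORY TYPE(1-4) UID|GID|-1" >&2
        exit 2
    fi
fi
```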

locking (S)

lock spin count (G)
This parameter controls the number of times that smbd should attempt to gain a byte range lock on the behalf of a client request. Experiments have shown that Windows 2k servers do not reply with a failure if the lock could not be immediately granted, but try a few more times in case the lock could later be acquired. This behavior is used to support PC database formats such as MS Access and FoxPro.

lock spin time (G)
The time in microseconds that smbd should pause before attempting to gain a failed lock. See lock spin count for more details.

log file (G)

log level (G)

logon drive (G)

logon home (G)

C:\> NET USE H: /HOME

This parameter can be used with Win9X workstations to ensure that roaming profiles are stored in a subdirectory of the user's home directory. This is done in the following way:

logon home = \\%N\%U\profile

This tells Samba to return the above string, with substitutions made when a client requests the info, generally in a NetUserGetInfo request. Win9X clients truncate the info to \\server\share when a user does net use /home but use the whole string when dealing with profiles.

Note that in prior versions of Samba, the logon path was returned rather than logon home. This broke net use /home but allowed profiles outside the home directory. The current implementation is correct, and can be used for profiles if you use the above trick.

logon path (G)

Windows clients can sometimes maintain a connection to the [homes] share even though no user is logged in. Therefore, the logon path must not contain any reference to the homes share (that is, setting this parameter to something like \\%N\HOMES\profile_path will cause problems).

logon script (G)

/usr/local/samba/netlogon/STARTUP.BAT

NET USE Q: \\SERVER\ISO9001_QA


lppause command (S)

The %p substitution yields the printer name, and %j is replaced by the print job number (an integer). On HPUX (see printing=hpux), if the -p%p option is added to the lpq command, the job will show its status; specifically, if the job priority is lower than the hold level it will display 'PAUSED', whereas if the priority is equal to or higher than the hold level it will show 'SPOOLED' or 'PRINTING'.

lp -i %p-%j -H hold

qstat -s -j%j -h

lpq cache time (G)

lpq command (S)

lpresume command (S)

lp -i %p-%j -H resume

qstat -s -j%j -r

HPUX example: lpresume command = /usr/bin/lpalt %p-%j -p2

lprm command (S)

magic output (S)

magic script (S)

Magic scripts are still experimental and should not be relied upon.

mangle case (S)

mangled map (S)

mangled map = (*.html *.htm)

mangled names (S)

The NAME MANGLING section has more details on how to control this process.

A UNIX filename that starts with a dot is treated like a DOS hidden file. The mangled name of such a file drops the leading dot and uses "___" as its extension, regardless of the original extension ("___" is three underscores).

mangled stack (G)

mangle prefix (G)
Controls the number of prefix characters from the original name used when generating the mangled names. A larger value will give a weaker hash and therefore more name collisions. The minimum value is 1 and the maximum value is 6.

mangle prefix is effective only when mangling method is hash2.

mangling char (S)

mangling method (G)
Controls the algorithm used for generating the mangled names. Can take two different values, "hash" and "hash2". "hash" is the default and is the algorithm that has been used in Samba for many years. "hash2" is a newer algorithm, considered better because it generates fewer collisions in the names. However, many Win32 applications store the mangled names, so changing to the new algorithm must not be done lightly, as these applications may break unless reinstalled.

map acl inherit (S)
This boolean parameter controls whether smbd(8) will attempt to map the 'inherit' and 'protected' access control entry flags stored in Windows ACLs into an extended attribute called user.SAMBA_PAI. This parameter only takes effect if Samba is being run on a platform that supports extended attributes (Linux and IRIX so far) and allows the Windows 2000 ACL editor to correctly use inheritance with the Samba POSIX ACL mapping code.

map archive (S)

map hidden (S)

map system (S)

map to guest (G)

Never - Means user login requests with an invalid password are rejected. This is the default.

Bad Password - Means user logins with an invalid password are treated as guest logins and mapped into the guest account. Note that this can cause problems, as it means that any user incorrectly typing their password will be silently logged on as "guest" and will not know the reason they cannot access files they think they should, because no message told them that they got their password wrong. Use this with care to avoid unnecessary trouble. Helpdesk services will hate you if you set the map to guest parameter this way :-).

max connections (S)

max disk size (G)

max log size (G)

max mux (G)

max open files (G)

max print jobs (S)
This parameter limits the maximum number of jobs allowable in a Samba printer queue at any given moment. If this number is exceeded, smbd(8) will report "Out of Space" to the client. See all total print jobs.

max protocol (G)

CORE: Early version. Does not accept user names.

COREPLUS: Some performance improvements over CORE.

LANMAN1: The first widely used protocol; supports long filenames.

LANMAN2: An update to LANMAN1.

NT1: Currently used by Windows NT, generally known as CIFS.

max reported print jobs (S)
This parameter limits the maximum number of jobs displayed in a port monitor for Samba printer queue at any given moment. If this number is exceeded, the excess jobs will not be shown. A value of zero means there is no limit on the number of print jobs reported. See all total print jobs and max print jobs parameters.

max smbd processes (G)
This parameter limits the maximum number of smbd(8) processes concurrently running on a system and is intended as a stopgap to prevent degrading service to clients in the event that the server has insufficient resources to handle more than this number of connections. Remember that under normal operating conditions, each user will have an smbd(8) associated with him or her to handle connections to all shares from a given host.

max ttl (G)

max wins ttl (G)

max xmit (G)

message command (G)

message command = csh -c 'xedit %s;rm %s' &

%s = the filename containing the message.

%t = the destination that the message was sent to (probably the server name).

%f = who the message is from.

message command = /bin/mail -s 'message from %f on %m' root < %s; rm %s

message command = rm %s

min passwd length (G)

min print space (S)

min protocol (G)
The value of the parameter (a string) is the lowest SMB protocol dialect that Samba will support. Please refer to the max protocol parameter for a list of valid protocol names and a brief description of each. You may also wish to refer to the C source code in source/smbd/negprot.c for a listing of known protocol dialects supported by clients.

If you are viewing this parameter as a security measure, you should also refer to the lanman auth parameter. Otherwise, you should never need to change this parameter.

Default : min protocol = CORE

Example : min protocol = NT1 # disable DOS clients

min wins ttl (G)

msdfs proxy (S)
This parameter indicates that the share is a stand-in for another CIFS share whose location is specified by the value of the parameter. When clients attempt to connect to this share, they are redirected to the proxied share using the SMB-Dfs protocol.

Only Dfs roots can act as proxy shares. Take a look at the msdfs root and host msdfs options to find out how to set up a Dfs root share.

msdfs root (S)
If set to yes, Samba treats the share as a Dfs root and allows clients to browse the distributed file system tree rooted at the share directory. Dfs links are specified in the share directory by symbolic links of the form msdfs:serverA\shareA,serverB\shareB and so on. For more information on setting up a Dfs tree on Samba, refer to the Samba HOWTO Collection.

name cache timeout (G)
Specifies the number of seconds it takes before entries in Samba's hostname resolve cache time out. If the timeout is set to 0, the caching is disabled.

name resolve order (G)
This option is used by the programs in the Samba suite to determine what naming services to use and in what order to resolve host names to IP addresses. Its main purpose is to control how NetBIOS names are resolved. The option takes a space-separated string of different name resolution options.

lmhosts : Look up an IP address in the Samba lmhosts file. If the line in lmhosts has no name type attached to the NetBIOS name (see the lmhosts(5) man page for details) then any name type matches for lookup.

host : Do a standard host name to IP address resolution, using the system /etc/hosts, NIS, or DNS lookups. This method of name resolution is operating system dependent; for instance, on IRIX or Solaris this may be controlled by the /etc/nsswitch.conf file. Note that this method is only used if the NetBIOS name type being queried is the 0x20 (server) name type or 0x1c (domain controllers); other types are ignored. The latter case is only useful in Active Directory domains, where it performs a DNS query for an SRV RR entry matching _ldap._tcp.domain.

wins : Query a name with the IP address listed in the wins server parameter. If no WINS server has been specified this method will be ignored.

bcast : Do a broadcast on each of the known local interfaces listed in the interfaces parameter. This is the least reliable of the name resolution methods as it depends on the target host being on a locally connected subnet.

When Samba is functioning in ADS security mode (security = ads) it is advised to use the following settings for name resolve order:

name resolve order = wins bcast

DC lookups will still be done via DNS, but fallbacks to NetBIOS names will not inundate your DNS servers with needless queries for DOMAIN<0x1c> lookups.

netbios aliases (G)

netbios name (G)

netbios scope (G)
This sets the NetBIOS scope that Samba will operate under. This should not be set unless every machine on your LAN also sets this value.

nis homedir (G)

nt acl support (S)

ntlm auth (G)
This parameter determines whether or not smbd(8) will attempt to authenticate users using the NTLM encrypted password response. If disabled, either the LanMan password hash or an NTLMv2 response will need to be sent by the client.

If this option and lanman auth are both disabled, then only NTLMv2 logins will be permitted. Not all clients support NTLMv2, and most will require special configuration to use it.

Default : ntlm auth = yes
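The three authentication parameters described on this page (map to guest, min protocol together with the lanman auth parameter it refers to, and ntlm auth) are easiest to reason about side by side. The fragments below are an added example, not text from the man page itself: the first shows the permissive combination, the second a hardened [global] section that refuses DOS-era dialects, accepts only NTLMv2 responses, and never turns a wrong password into a guest session. The workgroup name is an assumption, and a real smb.conf has a single [global] section, so use one of the two.

```ini
; Permissive: any dialect from CORE up is negotiated, LanMan and NTLMv1
; responses are accepted, and a mistyped password silently becomes a
; guest session (the "Bad Password" behaviour described above).
[global]
   workgroup = EXAMPLE
   min protocol = CORE
   lanman auth = yes
   ntlm auth = yes
   map to guest = Bad Password

; Hardened: NT1 is the lowest dialect offered, only NTLMv2 responses are
; accepted (lanman auth and ntlm auth both off), and a bad password is
; rejected instead of being mapped to the guest account.
[global]
   workgroup = EXAMPLE
   min protocol = NT1
   lanman auth = no
   ntlm auth = no
   map to guest = Never
```

Check the values smbd will actually use with `testparm -s -v | grep -E 'min protocol|lanman auth|ntlm auth|map to guest'` before restarting. As the ntlm auth description notes, clients that cannot send an NTLMv2 response are locked out by the hardened variant, so verify each client type in use against it first.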

nt pipe support (G)

pam password change (G)
With the addition of better PAM support in Samba 2.2, this parameter makes it possible to use PAM's password change control flag for Samba. If enabled, then PAM will be used for password changes when requested by an SMB client instead of the program listed in passwd program. It should be possible to enable this without changing your passwd chat parameter for most setups.

panic action (G)

paranoid server security (G)
Some versions of NT 4.x allow non-guest users with a bad password. When this option is enabled, Samba will not use a broken NT 4.x server as password server, but instead complain to the logs and exit.

Disabling this option prevents Samba from making this check, which involves deliberately attempting a bad logon to the remote server.

passdb backend (G)
This option allows the administrator to choose which backends to retrieve and store passwords with. This allows (for example) both smbpasswd and tdbsam to be used without a recompile. Multiple backends can be specified, separated by spaces. The backends will be searched in the order they are specified. New users are always added to the first backend specified.

This parameter is in two parts, the backend's name, and a 'location' string that has meaning only to that particular backend. These are separated by a : character.

Available backends can include:

* smbpasswd - The default smbpasswd backend. Takes a path to the smbpasswd file as an optional argument.

* tdbsam - The TDB based password storage backend. Takes a path to the TDB as an optional argument (defaults to passdb.tdb in the private dir directory).

* ldapsam - The LDAP based passdb backend. Takes an LDAP URL as an optional argument (defaults to ldap://localhost). LDAP connections should be secured where possible. This may be done using either Start-TLS (see ldap ssl) or by specifying ldaps:// in the URL argument.

* nisplussam - The NIS+ based passdb backend. Takes the name of the NIS domain as an optional argument. Only works with Sun NIS+ servers.

* mysql - The MySQL based passdb backend. Takes an identifier as argument. Read the Samba HOWTO Collection for configuration details.
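An added example (not from the man page) of the backend:location syntax with two backends. Because the list is searched left to right and new accounts always land in the first entry, tdbsam here is the store that smbpasswd -a writes to, and ldapsam is only consulted for users not found in the TDB. The TDB path and the host ldap.example.com are assumptions.

```ini
[global]
   ; Weak: the directory is reached over plain LDAP, so password hashes
   ; and the bind credentials cross the network in the clear.
   ;   passdb backend = tdbsam:/var/lib/samba/private/passdb.tdb ldapsam:ldap://ldap.example.com

   ; Secured: same search order, but the LDAP leg uses an ldaps:// URL.
   ; (The other option named above is to keep ldap:// and negotiate
   ; Start-TLS via the ldap ssl parameter.)
   passdb backend = tdbsam:/var/lib/samba/private/passdb.tdb ldapsam:ldaps://ldap.example.com
```

Reorder the list if new users are meant to be created in LDAP rather than in the local TDB; the order also decides which copy of a duplicated account wins.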

passwd chat (G)

passwd chat debug (G)

passwd program (G)

"Fred", "fred", "fRed", "frEd","freD"

"FRed", "FrEd", "FreD", "fREd", "fReD", "frED", ..

path (S)

pid directory (G)
This option specifies the directory where pid files will be placed.

profile acls (S)
This boolean parameter was added to fix the problems that people have been having with storing user profiles on Samba shares from Windows 2000 or Windows XP clients. New versions of Windows 2000 or Windows XP service packs do security ACL checking on the owner and ability to write of the profile directory stored on a local workstation when copied from a Samba share.

When not in domain mode with winbindd then the security info copied onto the local workstation has no meaning to the logged in user (SID) on that workstation so the profile storing fails. Adding this parameter onto a share used for profile storage changes two things about the returned Windows ACL. Firstly it changes the owner and group owner of all reported files and directories to be BUILTIN\Administrators, BUILTIN\Users respectively (SIDs S-1-5-32-544, S-1-5-32-545). Secondly it adds an ACE entry of "Full Control" to the SID BUILTIN\Users to every returned ACL. This will allow any Windows 2000 or XP workstation user to access the profile.

Note that if you have multiple users logging on to a workstation then in order to prevent them from being able to access each others profiles you must remove the "Bypass traverse checking" advanced user right. This will prevent access to other users profile directories as the top level profile directory (named after the user) is created by the workstation profile code and has an ACL restricting entry to the directory tree to the owning user.

protocol (G)
Synonym for max protocol.

public (S)
Synonym for guest ok.

queuepause command (S)

queueresume command (S)

realm (G)
This option specifies the kerberos realm to use. The realm is used as the ADS equivalent of the NT4 domain. It is usually set to the DNS name of the kerberos server.

remote announce (G)

remote announce = 192.168.2.255/SERVERS 192.168.4.255/STAFF

remote browse sync (G)

This is useful if you want your Samba server and all local clients to appear in a remote workgroup for which the normal browse propagation rules don't work. The remote workgroup can be anywhere that you can send IP packets to.

remote browse sync = 192.168.2.255 192.168.4.255

restrict anonymous (G)

let "time/60"
let "time++"

/sbin/shutdown $3$4 +$time$1 &


Shutdown does not return so we need to launch it in background.

smb passwd file (G)

smb ports (G)
Specifies which ports the server should listen on for SMB traffic.

By default Samba will accept connections on any address.

socket options (G)

SO_KEEPALIVE

TCP_NODELAY

IPTOS_LOWDELAY

IPTOS_THROUGHPUT

SO_SNDBUF *

SO_RCVBUF *

SO_SNDLOWAT *

SO_RCVLOWAT *

socket options = IPTOS_LOWDELAY

socket options = IPTOS_LOWDELAY TCP_NODELAY

source environment (G)
This parameter causes Samba to set environment variables as per the content of the file named.

If the value of this parameter starts with a "|" character then Samba will treat that value as a pipe command to open and will set the environment variables from the output of the pipe. Since smbd itself runs this command when it starts (normally as root), the command and the file it reads must not be writable by unprivileged users.

The contents of the file or the output of the pipe should be formatted as the output of the standard Unix env(1) command. This is of the form:

Example environment entry:

SAMBA_NETBIOS_NAME = myhostname

Examples: source environment = |/etc/smb.conf.sh

stat cache (G)

strict allocate (S)
This is a boolean that controls the handling of disk space allocation in the server. When this is set to yes the server will change from UNIX behaviour of not committing real disk storage blocks when a file is extended to the Windows behaviour of actually forcing the disk system to allocate real storage blocks when a file is created or extended to be a given size. In UNIX terminology this means that Samba will stop creating sparse files. This can be slow on some systems.

When strict allocate is no the server does sparse disk block allocation when a file is extended.

Setting this to yes can help Samba return out of quota messages on systems that are restricting the disk quota of users.

strict locking (S)

strict sync (S)

sync always (S)

syslog (G)

syslog only (G)

template homedir (G)
When filling out the user information for a Windows NT user, the winbindd(8) daemon uses this parameter to fill in the home directory for that user. If the string %D is present it is substituted with the user's Windows NT domain name. If the string %U is present it is substituted with the user's Windows NT user name.

template primary group (G)
This option defines the default primary group for each user created by winbindd(8)'s local account management functions (similar to the 'add user script').

template shell (G)
When filling out the user information for a Windows NT user, the winbindd(8) daemon uses this parameter to fill in the login shell for that user.

time offset (G)

time server (G)

timestamp logs (G)
Synonym for debug timestamp.

unicode (G)
Specifies whether Samba should try to use unicode on the wire by default. Note: This does NOT mean that samba will assume that the unix machine uses unicode!

unix charset (G)
Specifies the charset the unix machine Samba runs on uses. Samba needs to know this in order to be able to convert text to the charsets other SMB clients use.

unix extensions (G)
This boolean parameter controls whether Samba implements the CIFS UNIX extensions, as defined by HP. These extensions enable Samba to better serve UNIX CIFS clients by supporting features such as symbolic links, hard links, etc. These extensions require a similarly enabled client, and are of no current use to Windows clients.

update encrypted (G)

use client driver (S)
This parameter applies only to Windows NT/2000 clients. It has no effect on Windows 95/98/ME clients. When serving a printer to Windows NT/2000 clients without first installing a valid printer driver on the Samba host, the client will be required to install a local printer driver. From this point on, the client will treat the printer as a local printer and not a network printer connection. This is much the same behavior that will occur when disable spoolss = yes.

The differentiating factor is that under normal circumstances, the NT/2000 client will attempt to open the network printer using MS-RPC. The problem is that because the client considers the printer to be local, it will attempt to issue the OpenPrinterEx() call requesting access rights associated with the logged on user. If the user possesses local administrator rights but not root privilege on the Samba host (often the case), the OpenPrinterEx() call will fail. The result is that the client will now display an "Access Denied; Unable to connect" message in the printer queue window (even though jobs may successfully be printed).

If this parameter is enabled for a printer, then any attempt to open the printer with the PRINTER_ACCESS_ADMINISTER right is mapped to PRINTER_ACCESS_USE instead, thus allowing the OpenPrinterEx() call to succeed. This parameter MUST NOT be enabled on a print share which has a valid print driver installed on the Samba server.

use mmap (G)
This global parameter determines if the tdb internals of Samba can depend on mmap working correctly on the running system. Samba requires a coherent mmap/read-write system memory cache. Currently only HPUX does not have such a coherent cache, and so this parameter is set to no by default on HPUX. On all other systems this parameter should be left alone. This parameter is provided to help the Samba developers track down problems with the tdb internal code.

user (S)

Samba relies on the underlying UNIX security. This parameter does not restrict who can log in; it only offers hints to the Samba server as to which usernames the supplied password might correspond to. Users can log in as whoever they please and will be able to do no more damage than if they had started a telnet session. The process runs as the user they logged in as, so they cannot do anything that user could not do.

sys = @system

tridge = "Andrew Tridgell"

!sys = mary fred
guest = *


users (S)

use sendfile (S)
If this parameter is yes, and Samba was built with the --with-sendfile-support option, and the underlying operating system supports the sendfile system call, then some SMB read calls (mainly ReadAndX and ReadRaw) will use the more efficient sendfile system call for files that are exclusively oplocked. This may make more efficient use of the system CPUs and cause Samba to be faster. This is off by default as its effects are unknown as yet.

use spnego (G)
This variable controls whether Samba will try to use Simple and Protected NEGOtiation (as specified by RFC 2478) with Windows XP and Windows 2000 clients to agree upon an authentication mechanism. Unless further issues are discovered with our SPNEGO implementation, there is no reason this should ever be disabled.

utmp (G)
This boolean parameter is only available if Samba has been configured and compiled with the option --with-utmp. If set to yes then Samba will attempt to add utmp or utmpx records (depending on the UNIX system) whenever a connection is made to a Samba server. Sites may use this to record the user connecting to a Samba share.

Due to the requirements of the utmp record, we are required to create a unique identifier for the incoming user. Enabling this option creates an n^2 algorithm to find this number. This may impede performance on large installations.

utmp directory (G)
This parameter is only available if Samba has been configured and compiled with the option --with-utmp. It specifies a directory pathname that is used to store the utmp or utmpx files (depending on the UNIX system) that record user connections to a Samba server. See the utmp parameter. By default this is not set, meaning the system will use whatever utmp file the native system is set to use (usually /var/run/utmp on Linux).

-valid (S)
This parameter indicates whether a share is valid and thus can be used. When this parameter is set to false, the share will be in no way visible nor accessible.

This option should not be used by regular users but might be of help to developers. Samba uses this option internally to mark shares as deleted.

valid users (S)

%S is replaced with the current service name. This is useful in the [homes] section.

veto files (S)

; Veto any files containing the word 'Security',
; any ending in .tmp, and any containing the word 'root'
veto files = /*Security*/*.tmp/*root*/

; Veto the Apple-specific files that a NetAtalk server creates
veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/


veto oplock files (S)

vfs object (S)
Synonym for vfs objects.

vfs objects (S)
This parameter specifies the backend names which are used for Samba VFS I/O operations. By default, normal disk I/O operations are used but these can be overloaded with one or more VFS objects.

volume (S)

winbind cache time (G)
This parameter specifies the number of seconds the winbindd(8) daemon will cache user and group information before querying a Windows NT server again.

winbind enable local accounts (G)
This parameter controls whether or not winbindd will act as a stand in replacement for the various account management hooks in smb.conf (e.g. 'add user script'). If enabled, winbindd will support the creation of local users and groups as another source of UNIX account information available via getpwnam() or getgrgid(), etc...

winbind enum groups (G)
On large installations using winbindd(8) it may be necessary to suppress the enumeration of groups through the setgrent(), getgrent() and endgrent() group of system calls. If the winbind enum groups parameter is no, calls to the getgrent() system call will not return any data.

Warning: Turning off group enumeration may cause some programs to behave oddly.

winbind enum users (G)
On large installations using winbindd(8) it may be necessary to suppress the enumeration of users through the setpwent(), getpwent() and endpwent() group of system calls. If the winbind enum users parameter is no, calls to the getpwent system call will not return any data.

Warning: Turning off user enumeration may cause some programs to behave oddly. For example, the finger program relies on having access to the full user list when searching for matching usernames.

winbind gid (G)
This parameter is now an alias for idmap gid

The winbind gid parameter specifies the range of group ids that are allocated by the winbindd(8) daemon. This range of group ids should have no existing local or NIS groups within it as strange conflicts can occur otherwise.

winbind separator (G)
This parameter allows an admin to define the character used when listing a username of the form of DOMAIN \ user. This parameter is only applicable when using the pam_winbind.so and nss_winbind.so modules for UNIX services.

Please note that setting this parameter to + causes problems with group membership at least on glibc systems, as the character + is used as a special character for NIS in /etc/group.

winbind trusted domains only (G)
This parameter is designed to allow Samba servers that are members of a Samba controlled domain to use UNIX accounts distributed via NIS, rsync, or LDAP as the uids for winbindd users in the host's primary domain. Therefore, the user 'SAMBA\user1' would be mapped to the account 'user1' in /etc/passwd instead of allocating a new uid for him or her.

winbind uid (G)
This parameter is now an alias for idmap uid

The winbind uid parameter specifies the range of user ids that are allocated by the winbindd(8) daemon. This range of ids should have no existing local or NIS users within it as strange conflicts can occur otherwise.

winbind use default domain (G)
This parameter specifies whether the winbindd(8) daemon should operate on users without a domain component in their username. Users without a domain component are treated as part of the winbindd server's own domain. While this does not benefit Windows users, it makes SSH, FTP and e-mail function in a way much closer to the way they would in a native UNIX system.

wins hook (G)

wins_hook operation name nametype ttl IP_list

wins partners (G)
A space separated list of partners' IP addresses for WINS replication. WINS partners are always defined as push/pull partners as defining only one way WINS replication is unreliable. WINS replication is currently experimental and unreliable between samba servers.

wins proxy (G)

wins server (G)

If you want to work in multiple namespaces, you can give every wins server a 'tag'. For each tag, only one (working) server will be queried for a name. The tag should be separated from the IP address by a colon.

For this example, when querying a certain name, 192.19.200.1 will be asked first and, if that doesn't respond, 192.168.2.61. If the server that answered doesn't know the name, 192.168.3.199 will be queried.
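The example line the paragraph above refers to is missing from this copy of the page, so the following is an added example, not the man page's own, written to match the lookup order it describes; the tag names are assumptions.

```ini
[global]
   ; Two namespaces. Within a tag, only the first server that responds is
   ; asked (192.19.200.1, then 192.168.2.61 if it is down). The "backup"
   ; tag is consulted only when the answering "main" server does not know
   ; the name.
   wins server = main:192.19.200.1 main:192.168.2.61 backup:192.168.3.199
```

Servers in a second tag are a separate namespace, not a retry of the first, so a name held only by 192.168.3.199 is found solely because the main server answered with a negative reply rather than timing out.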

wins support (G)

workgroup (G)

writable (S)
Synonym for writeable for people who can't spell :-).

writeable (S)

write cache size (S)
If this integer parameter is set to non-zero value, Samba will create an in-memory cache for each oplocked file (it does not do this for non-oplocked files). All writes that the client does not request to be flushed directly to disk will be stored in this cache if possible. The cache is flushed onto disk when a write comes in whose offset would not fit into the cache or when the file is closed by the client. Reads for the file are also served from this cache if the data is stored within it.

This cache allows Samba to batch client writes into a more efficient write size for RAID disks (i.e. writes may be tuned to be the RAID stripe size) and can improve performance on systems where the disk subsystem is a bottleneck but there is free memory for userspace programs.

The integer parameter specifies the size of this cache (per oplocked file) in bytes.

Example : write cache size = 262144

for a 256k cache size per file.

write list (S)

write ok (S)

write raw (G)

wtmp directory (G)
This parameter is only available if Samba has been configured and compiled with the option --with-utmp. It specifies a directory pathname that is used to store the wtmp or wtmpx files (depending on the UNIX system) that record user connections to a Samba server. The difference with the utmp directory is the fact that user info is kept after a user has logged out.

