Disorder Not Samba Extended Mix Fix
If this parameter is yes for a service, then the share hosted by the service will only be visible to users who have read or write access to the share during share enumeration (for example net view \\sambaserver). The share ACLs which allow or deny the access to the share can be modified using for example the sharesec command or using the appropriate Windows tools. This has parallels to access based enumeration, the main difference being that only share permissions are evaluated, and security descriptors on files contained on the share are not used in computing enumeration access rights.
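As an added illustration (not code from the Samba project), the following Python models the share-enumeration filter described above: a share is listed only if the user's effective rights on the share-level ACL include read or write, and nothing about the files inside the share is consulted. The ACE layout, the deny-wins resolution and the sample shares are constructed assumptions for the example.

```python
from dataclasses import dataclass

# Rights bits used by this toy model (constructed, not Samba's own constants).
READ = 0x1
WRITE = 0x2


@dataclass
class Ace:
    trustee: str   # user or group name; "Everyone" matches all users
    allow: bool    # True = allow ACE, False = deny ACE
    rights: int    # bitmask of READ / WRITE


@dataclass
class Share:
    name: str
    acl: list      # list of Ace, the share-level ACL (what sharesec manages)


def share_access(share, user, groups):
    """Effective rights of `user` on the share-level ACL.

    Deny ACEs override allow ACEs; file security descriptors are never
    looked at, which is the difference from access based enumeration.
    """
    principals = {user, "Everyone", *groups}
    allowed = denied = 0
    for ace in share.acl:
        if ace.trustee not in principals:
            continue
        if ace.allow:
            allowed |= ace.rights
        else:
            denied |= ace.rights
    return allowed & ~denied


def enumerate_shares(shares, user, groups):
    """Names returned to `net view`-style enumeration when
    'access based share enum = yes': only shares with read or write access."""
    return [s.name for s in shares
            if share_access(s, user, groups) & (READ | WRITE)]


# Constructed sample shares.
SHARES = [
    Share("public", [Ace("Everyone", True, READ | WRITE)]),
    Share("finance", [Ace("finance", True, READ | WRITE)]),
    Share("hr", [Ace("Everyone", True, READ), Ace("bob", False, READ)]),
]

if __name__ == "__main__":
    print(enumerate_shares(SHARES, "bob", ["staff"]))        # ['public']
    print(enumerate_shares(SHARES, "alice", ["finance"]))    # ['public', 'finance', 'hr']
```

Note that `bob` cannot see `hr` even though `Everyone` is granted read, because the explicit deny ACE on the share wins; with the parameter set to no he would still see the share name and only fail on connect.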
This parameter defines the directory samba will use to store the configuration files for bind, such as named.conf. NOTE: The bind dns directory needs to be on the same mount point as the private directory!
If this parameter is set and the lock range requested cannot be immediately satisfied, samba will internally queue the lock request, and periodically attempt to obtain the lock until the timeout period expires.
This parameter determines whether or not smbclient(8) and other samba client tools will attempt to authenticate themselves to servers using the weaker LANMAN password hash. If disabled, only servers that support NT password hashes (e.g. Windows NT/2000, Samba, etc... but not Windows 95/98) can be connected to from the Samba client.
This option should not be enabled for installations created with versions of samba before 4.9. Doing this will result in the loss of static DNS entries. This is due to a bug in previous versions of samba (BUG 12451) which marked dynamic DNS records as static and static records as dynamic.
Note that the SMB protocol allows setting attributes whose value is 64K bytes long, and that on NTFS, the maximum storage space for extended attributes per file is 64K. On some filesystems the limits may be lower. Filesystems with too limited EA space may experience unexpected weird effects. The default has changed to yes in Samba release 4.9.0 and above to allow better Windows fileserver compatibility in a default install.
In Samba 2.0.5 and above this parameter has extended functionality in the following way. If the group name listed here has a '+' character prepended to it then the current user accessing the share only has the primary group default assigned to this group if they are already assigned as a member of that group. This allows an administrator to decide that only users who are already in a particular group will create files with group ownership set to that group. This gives a finer granularity of ownership assignment. For example, the setting force group = +sys means that only users who are already in group sys will have their default primary group assigned to sys when accessing this Samba share. All other users will retain their ordinary primary group.
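The following Python is an added example (not Samba code) that implements the two forms of the parameter described above: a plain group name is always forced, while a '+'-prefixed name is applied only when the user is already a member of that group. The sample smb.conf text, the share names and the `effective_primary_group` / `force_group_for` helpers are constructed for this example.

```python
import configparser

# Constructed sample smb.conf fragment for the example.
SAMPLE_SMB_CONF = """
[global]
workgroup = EXAMPLE

[sys-tools]
path = /srv/sys-tools
force group = +sys

[shared]
path = /srv/shared
force group = staff

[homes]
path = /home/%U
"""


def force_group_for(share, conf_text=SAMPLE_SMB_CONF):
    """Return the raw 'force group' value of a share section, or None if unset."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return cp.get(share, "force group", fallback=None)


def effective_primary_group(force_group, user_primary_group, user_groups):
    """Group ownership new files get on the share, following the smb.conf rule:

    - unset          -> the user's ordinary primary group
    - 'name'         -> always 'name'
    - '+name'        -> 'name' only if the user is already a member of it,
                        otherwise the user's ordinary primary group
    """
    if not force_group:
        return user_primary_group
    if force_group.startswith("+"):
        group = force_group[1:]
        return group if group in user_groups else user_primary_group
    return force_group


def new_file_group(share, user_primary_group, user_groups, conf_text=SAMPLE_SMB_CONF):
    """Combine both steps: read the share's setting, then apply the rule."""
    return effective_primary_group(force_group_for(share, conf_text),
                                   user_primary_group, user_groups)


if __name__ == "__main__":
    # A member of 'sys' gets files owned by 'sys' on [sys-tools] ...
    print(new_file_group("sys-tools", "users", ["users", "sys"]))    # sys
    # ... while a non-member keeps their ordinary primary group there.
    print(new_file_group("sys-tools", "users", ["users", "wheel"]))  # users
    # A plain 'force group' applies to everyone regardless of membership.
    print(new_file_group("shared", "users", ["users"]))              # staff
```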
This option sets the command that is called to apply GPO policies. The samba-gpupdate script applies System Access and Kerberos Policies to the KDC. System Access policies set minPwdAge, maxPwdAge, minPwdLength, and pwdProperties in the samdb. Kerberos Policies set kdc:service ticket lifetime, kdc:user ticket lifetime, and kdc:renewal lifetime in smb.conf.
Specifies whether samba should use (expensive) hostname lookups or use the IP addresses instead. An example place where hostname lookups are currently used is when checking the hosts deny and hosts allow.
This option can be used to turn the writing backends tdb, tdb2, and ldap into read only mode. This can be useful e.g. in cases where a pre-filled database exists that should not be extended automatically.
In order to support SMB3 multi-channel configurations, smbd understands some extra parameters which can be appended after the actual interface with this extended syntax (note that the quoting is important in order to handle the ; and , characters):
When set to legacy, only RC4-HMAC-MD5 is allowed. Avoiding AES this way has one very specific use. Normally, the encryption type is negotiated between the peers. However, there is one scenario in which a Windows read-only domain controller (RODC) advertises AES encryption, but then proxies the request to a writeable DC which may not support AES encryption, leading to failure of the handshake. Setting this parameter to legacy would cause samba not to negotiate AES encryption. It is assumed of course that the weaker legacy encryption types are acceptable for the setup.
When this parameter is set to no this will also result in sambaLMPassword in Samba's passdb being blanked after the next password change. As a result of that lanman clients won't be able to authenticate, even if lanman auth is re-enabled later on.
This parameter has been extended since the 2.2.x series, now it allows one to specify the debug level for multiple debug classes and distinct logfiles for debug classes. This is to give greater flexibility in the configuration of the system. The following debug classes are currently implemented:
The script must be a relative path to the [netlogon] service. If the [netlogon] service specifies a path of /usr/local/samba/netlogon, and logon script = STARTUP.BAT, then the file that will be downloaded is:
This option is only useful if Samba is set up as a logon server in a classic domain controller role. If Samba is set up as an Active Directory domain controller, LDAP attribute scriptPath is used instead. For configurations where passdb backend = ldapsam is in use, this option only defines a default value in case LDAP attribute sambaLogonScript is missing.
This boolean parameter is only relevant for systems that do not support standardized NFS4 ACLs but only a POSIX draft implementation of ACLs. Linux is the only common UNIX system which still does not offer standardized NFS4 ACLs. On such systems this parameter controls whether smbd(8) will attempt to map the 'protected' (don't inherit) flags of the Windows ACLs into an extended attribute called user.SAMBA_PAI (POSIX draft ACL Inheritance). This parameter requires support for extended attributes on the filesystem and allows the Windows ACL editor to store (non-)inheritance information while NT ACLs are mapped best-effort to the POSIX draft ACLs that the OS and filesystem implement.
This parameter can take three different values, which tell smbd(8) how to display the read only attribute on files, where either store dos attributes is set to No, or no extended attribute is present. If store dos attributes is set to yes then this parameter is ignored. This is a new parameter introduced in Samba version 3.0.21.
You may need to export the GNUPGHOME environment variable before starting samba. It is strongly recommended to only store the public key in this location. The private key is not used for encryption and should only be stored where decryption is required.
Being able to restore the cleartext password helps when they need to be imported into other authentication systems later (see samba-tool user getpassword) or you want to keep the passwords in sync with another system, e.g. an OpenLDAP server (see samba-tool user syncpasswords).
Currently the NT Hash of the password is recorded when these hashes are calculated and stored. When retrieving the hashes the current value of the NT Hash is checked against the stored NT Hash. This detects password changes that have not updated the password hashes. In this case samba-tool user will ignore the stored hash values.
Being able to obtain the hashed password helps when they need to be imported into other authentication systems later (see samba-tool user getpassword) or you want to keep the passwords in sync with another system, e.g. an OpenLDAP server (see samba-tool user syncpasswords).
This option controls the number of worker processes that are started for each service when the prefork process model is enabled (see samba(8) -M). The prefork children are only started for those services that support prefork (currently ldap, kdc and netlogon). For processes that don't support preforking all requests are handled by a single process for that service.
The script has all responsibility to rename all the necessary data that is accessible in this posix method. This can mean different requirements for different backends. The tdbsam and smbpasswd backends will take care of the contents of their respective files, so the script is responsible only for changing the POSIX username, and other data that may be required for your circumstances, such as home directory. Please also consider whether or not you need to rename the actual home directories themselves. The ldapsam backend will not make any changes, because of the potential issues with renaming the LDAP naming attribute. In this case the script is responsible for changing the attribute that samba uses (uid) for locating users, as well as any data that needs to change for other applications using the same directory.
This global parameter determines if samba-dcerpcd should be started on demand to service named pipe (np) DCE-RPC requests from smbd or winbindd. This is the normal case where no startup scripts have been modified to start samba-dcerpcd as a daemon.
This parameter controls the maximum size of extended attributes that may be written to the server as EAs or as alternate data streams if vfs_streams_xattr is enabled. The maximum size of extended attributes depends on the Samba server's operating system and the underlying filesystem. The Linux VFS currently sets an upper boundary of 64 KiB per extended attribute. FreeBSD does not set a practical upper limit, but since pread() and pwrite() are not possible via the extattr on FreeBSD, it is not recommended to increase this value above a few MiB. If a client attempts to write an overly-large alternate data stream, the Samba server will return STATUS_FILESYSTEM_LIMITATION. If this error is encountered, users may try increasing the maximum size supported for xattr writes. If this is not possible, and writes are from a MacOS client and to an AFP_Resource extended attribute, the user may enable the vfs_fruit module and configure it to allow stream writes for AFP_Resource to an alternative storage location. See vfs_fruit documentation for further details.