Changeset 44 for trunk/samba/docs/manpages/smb.conf.5

Timestamp:

Jun 29, 2007, 1:34:14 PM (18 years ago)

Author:

Paul Smedley

Message:

Update source to 3.0.25b

File:

• trunk/samba/docs/manpages/smb.conf.5 (modified) (174 diffs)

trunk/samba/docs/manpages/smb.conf.5

@@ -51 +51 @@
 Only the first equals sign in a parameter is significant. Whitespace before or after the first equals sign is discarded. Leading, trailing and internal whitespace in section and parameter names is irrelevant. Leading and trailing whitespace in a parameter value is discarded. Internal whitespace within a parameter value is retained verbatim.
 .PP
-Any line beginning with a semicolon (“;”) or a hash (“#”) character is ignored, as are lines containing only whitespace.
+Any line beginning with a semicolon (\fB;\fR) or a hash (\fB#\fR) character is ignored, as are lines containing only whitespace.
 .PP
 Any line ending in a
-“\”
+\fB\\\fR
 is continued on the next line in the customary UNIX fashion.
 .PP
@@ -61 +61 @@
 .PP
 Each section in the configuration file (except for the [global] section) describes a shared resource (known as a
-“share”). The section name is the name of the shared resource and the parameters within the section define the shares attributes.
+\fBshare\fR). The section name is the name of the shared resource and the parameters within the section define the shares attributes.
 .PP
 There are three special sections, [global], [homes] and [printers], which are described under
@@ -125 +125 @@
 Some modifications are then made to the newly created share:
 .TP 3n
-•
+\(bu
 The share name is changed from homes to the located username.
 .TP 3n
-•
+\(bu
 If no path was given, the path is set to the user's home directory.
 .PP
@@ -147 +147 @@
 .PP
 A similar process occurs if the requested section name is
-“homes”, except that the share name is not changed to that of the requesting user. This method of using the [homes] section works well if different users share a client PC.
+\fBhomes\fR, except that the share name is not changed to that of the requesting user. This method of using the [homes] section works well if different users share a client PC.
 .PP
 The [homes] section can specify all the parameters a normal service section can specify, though some make more sense than others. The following is a typical and suitable [homes] section:
@@ -180 +180 @@
 A few modifications are then made to the newly created share:
 .TP 3n
-•
+\(bu
 The share name is set to the located printer name
 .TP 3n
-•
+\(bu
 If no printer name was given, the printer name is set to the located printer name
 .TP 3n
-•
+\(bu
 If the share does not permit guest access and no username was given, the username is set to the located printer name.
 .PP
@@ -336 +336 @@
 .PP
 Many of the strings that are settable in the config file can take substitutions. For example the option
-“path = /tmp/%u”
+\fBpath = /tmp/%u\fR
 is interpreted as
-“path = /tmp/john”
+\fBpath = /tmp/john\fR
 if the user connected with the username john.
 .PP
@@ -369 +369 @@
 .RS 3n
 the NetBIOS name of the server. This allows you to change your config based on what the client calls you. Your server can have a
-“dual personality”.
+\fBdual personality\fR.
 .RE
 .PP
@@ -520 +520 @@
 .PP
 If the service is marked
-“guest only = yes”
-and the server is running with share-level security (“security = share”, steps 1 to 5 are skipped.
+\fBguest only = yes\fR
+and the server is running with share-level security (\fBsecurity = share\fR, steps 1 to 5 are skipped.
 .TP 3n
 1.
 If the client has passed a username/password pair and that username/password pair is validated by the UNIX system's password programs, the connection is made as that username. This includes the
-\\server\service%\fIusername\fR
+\\\\server\\service%\fIusername\fR
 method of passing a username.
 .TP 3n
@@ -672 +672 @@
 .RS 3n
 .TP 3n
-•
+\(bu
 \fIport name\fR
 .TP 3n
-•
+\(bu
 \fIdevice URI\fR
 .RE
@@ -704 +704 @@
 .RS 3n
 .TP 3n
-•
+\(bu
 \fIprinter name\fR
 .TP 3n
-•
+\(bu
 \fIshare name\fR
 .TP 3n
-•
+\(bu
 \fIport name\fR
 .TP 3n
-•
+\(bu
 \fIdriver name\fR
 .TP 3n
-•
+\(bu
 \fIlocation\fR
 .TP 3n
-•
+\(bu
 \fIWindows 9x driver location\fR
 .RE
@@ -728 +728 @@
 \fIaddprinter command\fR
 has been executed,
-\fBsmbd\fR
+smbd
 will reparse the
 \fI smb.conf\fR
 to determine if the share defined by the APW exists. If the sharename is still invalid, then
-\fBsmbd \fR
+smbd
 will return an ACCESS_DENIED error to the client.
 .sp
@@ -751 +751 @@
 \fIsmb.conf\fR. In order to successfully execute the
 \fIadd share command\fR,
-\fBsmbd\fR
+smbd
 requires that the administrator be connected using a root account (i.e. uid == 0).
 .sp
 When executed,
-\fBsmbd\fR
+smbd
 will automatically invoke the
 \fIadd share command\fR
@@ -761 +761 @@
 .RS 3n
 .TP 3n
-•
+\(bu
 \fIconfigFile\fR
 - the location of the global
@@ -767 +767 @@
 file.
 .TP 3n
-•
+\(bu
 \fIshareName\fR
 - the name of the new share.
 .TP 3n
-•
+\(bu
 \fIpathName\fR
 - path to an **existing** directory on disk.
 .TP 3n
-•
+\(bu
 \fIcomment\fR
 - comment string to associate with the new share.
 .TP 3n
-•
+\(bu
 \fImax connections\fR
 Number of maximum simultaneous connections to this share.
@@ -819 +819 @@
 contacts the
 password server and attempts to authenticate the given user with the given password. If the authentication succeeds then
-\fBsmbd\fR
+smbd
 attempts to find a UNIX user in the UNIX password database to map the Windows user into. If this lookup fails, and
 add user script is set then
-\fBsmbd\fR
+smbd
 will call the specified script
 \fBAS ROOT\fR, expanding any
@@ -829 +829 @@
 .sp
 If this script successfully creates the user then
-\fBsmbd\fR
+smbd
 will continue on as though the UNIX user already existed. In this way, UNIX users are dynamically created to match existing Windows NT accounts.
 .sp
@@ -855 +855 @@
 .sp
 Note that the
-\fBadduser\fR
+adduser
 command used in the example below does not support the used syntax on all systems.
 .sp
@@ -902 +902 @@
 Example:
 \fB\fIafs username map\fR = %u@afs.samba.org \fR
+.RE
+.PP
+aio read size (S)
+.RS 3n
+If Samba has been built with asynchronous I/O support and this integer parameter is set to non-zero value, Samba will read from file asynchronously when size of request is bigger than this value. Note that it happens only for non-chained and non-chaining reads and when not using write cache.
+.sp
+Current implementation of asynchronous I/O in Samba 3.0 does support only up to 10 outstanding asynchronous requests, read and write combined.
+.sp
+
+
+  write cache size
+  aio write size
+
+Default:
+\fB\fIaio read size\fR = 0 \fR
+.sp
+Example:
+\fB\fIaio read size\fR = 16384 # Use asynchronous I/O for reads bigger than 16KB request size \fR
+.RE
+.PP
+aio write size (S)
+.RS 3n
+If Samba has been built with asynchronous I/O support and this integer parameter is set to non-zero value, Samba will write to file asynchronously when size of request is bigger than this value. Note that it happens only for non-chained and non-chaining reads and when not using write cache.
+.sp
+Current implementation of asynchronous I/O in Samba 3.0 does support only up to 10 outstanding asynchronous requests, read and write combined.
+.sp
+
+  
+  write cache size
+  aio read size
+
+Default:
+\fB\fIaio write size\fR = 0 \fR
+.sp
+Example:
+\fB\fIaio write size\fR = 16384 # Use asynchronous I/O for writes bigger than 16KB request size \fR
 .RE
 .PP
@@ -974 +1010 @@
 .RS 3n
 This option allows the administrator to chose what authentication methods
-\fBsmbd\fR
+smbd
 will use when authenticating a user. This option defaults to sensible values based on
 security. This should be considered a developer option and used only in rare circumstances. In the majority (if not all) of production servers, the default setting should be adequate.
@@ -1019 +1055 @@
 .sp
 For name service it causes
-\fBnmbd\fR
+nmbd
 to bind to ports 137 and 138 on the interfaces listed in the
 interfaces parameter.
-\fBnmbd\fR
+nmbd
 also binds to the "all addresses" interface (0.0.0.0) on ports 137 and 138 for the purposes of reading broadcast messages. If this option is not set then
-\fBnmbd\fR
+nmbd
 will service name requests on all of these sockets. If
 bind interfaces only is set then
-\fBnmbd\fR
+nmbd
 will check the source address of any packets coming in on the broadcast sockets and discard any that don't match the broadcast addresses of the interfaces in the
 interfaces parameter list. As unicast packets are received on the other sockets it allows
-\fBnmbd\fR
+nmbd
 to refuse to serve names to machines that send packets that arrive through any interfaces not listed in the
 interfaces list. IP Source address spoofing does defeat this simple check, however, so it must not be used seriously as a security feature for
-\fBnmbd\fR.
+nmbd.
 .sp
 For file service it causes
@@ -1039 +1075 @@
 to bind only to the interface list given in the
 interfaces parameter. This restricts the networks that
-\fBsmbd\fR
+smbd
 will serve to packets coming in those interfaces. Note that you should not use this parameter for machines that are serving PPP or other intermittent or non-broadcast network interfaces as it will not cope with non-permanent interfaces.
 .sp
@@ -1053 +1089 @@
 .sp
 To change a users SMB password, the
-\fBsmbpasswd\fR
+smbpasswd
 by default connects to the
 \fBlocalhost - 127.0.0.1\fR
@@ -1061 +1097 @@
 is added to the
 interfaces parameter list then
-\fB smbpasswd\fR
+smbpasswd
 will fail to connect in it's default mode.
-\fBsmbpasswd\fR
+smbpasswd
 can be forced to use the primary IP interface of the local host by using its
 \fBsmbpasswd\fR(8)
@@ -1072 +1108 @@
 .sp
 The
-\fBswat\fR
+swat
 status page tries to connect with
-\fBsmbd\fR
+smbd
 and
-\fBnmbd\fR
+nmbd
 at the address
 \fB127.0.0.1\fR
@@ -1082 +1118 @@
 \fB127.0.0.1\fR
 will cause
-\fB smbd\fR
+smbd
 and
-\fBnmbd\fR
+nmbd
 to always show "not running" even if they really are. This can prevent
-\fB swat\fR
+swat
 from starting/stopping/restarting
-\fBsmbd\fR
+smbd
 and
-\fBnmbd\fR.
+nmbd.
 .sp
 Default:
@@ -1146 +1182 @@
 \fBsmbd\fR(8)
 will serve a browse list to a client doing a
-\fBNetServerEnum\fR
+NetServerEnum
 call. Normally set to
 \fByes\fR. You should never need to change this.
@@ -1185 +1221 @@
 \fIsmb.conf\fR. In order to successfully execute the
 \fIchange share command\fR,
-\fBsmbd\fR
+smbd
 requires that the administrator be connected using a root account (i.e. uid == 0).
 .sp
 When executed,
-\fBsmbd\fR
+smbd
 will automatically invoke the
 \fIchange share command\fR
@@ -1195 +1231 @@
 .RS 3n
 .TP 3n
-•
+\(bu
 \fIconfigFile\fR
 - the location of the global
@@ -1201 +1237 @@
 file.
 .TP 3n
-•
+\(bu
 \fIshareName\fR
 - the name of the new share.
 .TP 3n
-•
+\(bu
 \fIpathName\fR
 - path to an **existing** directory on disk.
 .TP 3n
-•
+\(bu
 \fIcomment\fR
 - comment string to associate with the new share.
 .TP 3n
-•
+\(bu
 \fImax connections\fR
 Number of maximum simultaneous connections to this share.
@@ -1254 +1290 @@
 .sp
 Disabling this option will also disable the
-\fBclient plaintext auth\fR
+client plaintext auth
 option
 .sp
 Likewise, if the
-\fBclient ntlmv2 auth\fR
+client ntlmv2 auth
 parameter is enabled, then only NTLMv2 logins will be attempted.
 .sp
@@ -1274 +1310 @@
 .sp
 Similarly, if enabled, NTLMv1,
-\fBclient lanman auth\fR
+client lanman auth
 and
-\fBclient plaintext auth\fR
+client plaintext auth
 authentication will be disabled. This also disables share-level authentication.
 .sp
 If disabled, an NTLM response (and possibly a LANMAN response) will be sent by the client, depending on the value of
-\fBclient lanman auth\fR.
+client lanman auth.
 .sp
 Note that some sites (particularly those following 'best practice' security polices) only allow NTLMv2 responses, and not the weaker LM or NTLM.
@@ -1335 +1371 @@
 .RS 3n
 This is a text field that is seen next to a share when a client does a queries the server, either via the network neighborhood or via
-\fBnet view\fR
+net view
 to list what shares are available.
 .sp
@@ -1568 +1604 @@
 .sp
 This parameter should be used with care and tested with the printer driver in question. It is better to leave the device mode to NULL and let the Windows client set the correct values. Because drivers do not do this all the time, setting
-\fBdefault devmode = yes\fR
+default devmode = yes
 will instruct smbd to generate a default one.
 .sp
@@ -1647 +1683 @@
 Once the
 deleteprinter command has been executed,
-\fBsmbd\fR
+smbd
 will reparse the
 \fI smb.conf\fR
 to associated printer no longer exists. If the sharename is still valid, then
-\fBsmbd \fR
+smbd
 will return an ACCESS_DENIED error to the client.
 .sp
@@ -1678 +1714 @@
 \fIsmb.conf\fR. In order to successfully execute the
 \fIdelete share command\fR,
-\fBsmbd\fR
+smbd
 requires that the administrator be connected using a root account (i.e. uid == 0).
 .sp
 When executed,
-\fBsmbd\fR
+smbd
 will automatically invoke the
 \fIdelete share command\fR
@@ -1688 +1724 @@
 .RS 3n
 .TP 3n
-•
+\(bu
 \fIconfigFile\fR
 - the location of the global
@@ -1694 +1730 @@
 file.
 .TP 3n
-•
+\(bu
 \fIshareName\fR
 - the name of the existing service.
@@ -1733 +1769 @@
 .sp
 This script is called when a remote client removes a user from the server, normally using 'User Manager for Domains' or
-\fBrpcclient\fR.
+rpcclient.
 .sp
 This script should delete the given UNIX username.
@@ -1932 +1968 @@
 Note that the maximum length for a NetBIOS name is 15 characters, so the DNS name (or DNS alias) can likewise only be 15 characters, maximum.
 .sp
-\fBnmbd\fR
+nmbd
 spawns a second copy of itself to do the DNS name lookup requests, as doing a name lookup is a blocking action.
 .sp
@@ -1954 +1990 @@
 \fBsmbd\fR(8)
 to enable WAN-wide browse list collation. Setting this option causes
-\fBnmbd\fR
+nmbd
 to claim a special domain specific NetBIOS name that identifies it as a domain master browser for its given
 workgroup. Local master browsers in the same
 workgroup on broadcast-isolated subnets will give this
-\fBnmbd\fR
+nmbd
 their local browse lists, and then ask
 \fBsmbd\fR(8)
@@ -1966 +2002 @@
 workgroup specific special NetBIOS name that identifies them as domain master browsers for that
 workgroup by default (i.e. there is no way to prevent a Windows NT PDC from attempting to do this). This means that if this parameter is set and
-\fBnmbd\fR
+nmbd
 claims the special name for a
 workgroup before a Windows NT PDC is able to do so then cross subnet browsing will behave strangely and may fail.
@@ -2035 +2071 @@
 .RS 3n
 Under DOS and Windows, if a user can write to a file they can change the timestamp on it. Under POSIX semantics, only the owner of the file or root may change the timestamp. By default, Samba runs with POSIX semantics and refuses to change the timestamp on a file if the user
-\fBsmbd\fR
+smbd
 is acting on behalf of is not the file owner. Setting this option to
 \fB yes\fR
@@ -2067 +2103 @@
 .RS 3n
 This parameter controls whether or not smbd will honor privileges assigned to specific SIDs via either
-\fBnet rpc rights\fR
+net rpc rights
 or one of the Windows user and group manager tools. This parameter is enabled by default. It can be disabled to prevent members of the Domain Admins group from being able to assign privileges to users or groups which can then result in certain smbd operations running as root that would normally run under the context of the connected user.
 .sp
@@ -2094 +2130 @@
 program for information on how to set up and maintain this file), or set the
 security = [server|domain|ads] parameter which causes
-\fBsmbd\fR
+smbd
 to authenticate against another server.
 .sp
@@ -2117 +2153 @@
 enumports command (G)
 .RS 3n
-The concept of a "port" is fairly foreign to UNIX hosts. Under Windows NT/2000 print servers, a port is associated with a port monitor and generally takes the form of a local port (i.e. LPT1:, COM1:, FILE:) or a remote port (i.e. LPD Port Monitor, etc...). By default, Samba has only one port defined--\fB"Samba Printer Port"\fR. Under Windows NT/2000, all printers must have a valid port name. If you wish to have a list of ports displayed (\fBsmbd \fR
+The concept of a "port" is fairly foreign to UNIX hosts. Under Windows NT/2000 print servers, a port is associated with a port monitor and generally takes the form of a local port (i.e. LPT1:, COM1:, FILE:) or a remote port (i.e. LPD Port Monitor, etc...). By default, Samba has only one port defined--\fB"Samba Printer Port"\fR. Under Windows NT/2000, all printers must have a valid port name. If you wish to have a list of ports displayed (smbd
 does not use a port name for anything) other than the default
 \fB"Samba Printer Port"\fR, you can define
@@ -2163 +2199 @@
 .sp
 When you set
-\fBfake oplocks = yes\fR,
+fake oplocks = yes,
 \fBsmbd\fR(8)
 will always grant oplock requests no matter how many clients are using the file.
@@ -2187 +2223 @@
 .sp
 This option is enabled (i.e.
-\fBsmbd\fR
+smbd
 will follow symbolic links) by default.
 .sp
@@ -2367 +2403 @@
 .RS 3n
 The
-\fBget quota command\fR
+get quota command
 should only be used whenever there is no operating system API available from the OS that samba can use.
 .sp
 This option is only available with
-\fB./configure --with-sys-quotas\fR. Or on linux when
-\fB./configure --with-quotas\fR
+./configure --with-sys-quotas. Or on linux when
+./configure --with-quotas
 was used and a working quota api was found in the system.
 .sp
@@ -2380 +2416 @@
 .RS 3n
 .TP 3n
-•
+\(bu
 directory
 .TP 3n
-•
+\(bu
 type of query
 .TP 3n
-•
+\(bu
 uid of user or gid of group
 .RE
@@ -2393 +2429 @@
 .RS 3n
 .TP 3n
-•
+\(bu
 1 - user quotas
 .TP 3n
-•
+\(bu
 2 - user default quotas (uid = -1)
 .TP 3n
-•
+\(bu
 3 - group quotas
 .TP 3n
-•
+\(bu
 4 - group default quotas (gid = -1)
 .RE
@@ -2409 +2445 @@
 .RS 3n
 .TP 3n
-•
+\(bu
 Arg 1 - quota flags (0 = no quotas, 1 = quotas enabled, 2 = quotas enabled and enforced)
 .TP 3n
-•
+\(bu
 Arg 2 - number of currently used blocks
 .TP 3n
-•
+\(bu
 Arg 3 - the softlimit number of blocks
 .TP 3n
-•
+\(bu
 Arg 4 - the hardlimit number of blocks
 .TP 3n
-•
+\(bu
 Arg 5 - currently used number of inodes
 .TP 3n
-•
+\(bu
 Arg 6 - the softlimit number of inodes
 .TP 3n
-•
+\(bu
 Arg 7 - the hardlimit number of inodes
 .TP 3n
-•
+\(bu
 Arg 8(optional) - the number of bytes in a block(default is 1024)
 .RE
@@ -2457 +2493 @@
 .sp
 On some systems the default guest account "nobody" may not be able to print. Use another account in this case. You should test this by trying to log in as your guest user (perhaps by using the
-\fBsu -\fR
+su -
 command) and trying to print using the system print command such as
-\fBlpr(1)\fR
+lpr(1)
 or
-\fB lp(1)\fR.
+lp(1).
 .sp
 This parameter does not accept % macros, because many parts of the system require this value to be constant for correct operation.
@@ -2590 +2626 @@
 .nf
 
-\fBusername server:/some/file/system\fR
+username server:/some/file/system
 
 .fi
@@ -2623 +2659 @@
 .RS 3n
 Specifies whether samba should use (expensive) hostname lookups or use the ip addresses instead. An example place where hostname lookups are currently used is when checking the
-\fBhosts deny\fR
+hosts deny
 and
-\fBhosts allow\fR.
+hosts allow.
 .sp
 Default:
@@ -2649 +2685 @@
 .sp
 You can specify the hosts by name or IP number. For example, you could restrict access to only the hosts on a Class C subnet with something like
-\fBallow hosts = 150.203.5.\fR. The full syntax of the list is described in the man page
+allow hosts = 150.203.5.. The full syntax of the list is described in the man page
 \fIhosts_access(5)\fR. Note that this man page may not be present on your system, so a brief description will be given here also.
 .sp
@@ -2661 +2697 @@
 Example 1: allow all IPs in 150.203.*.*; except one
 .sp
-\fBhosts allow = 150.203. EXCEPT 150.203.6.66\fR
+hosts allow = 150.203. EXCEPT 150.203.6.66
 .sp
 Example 2: allow hosts that match the given network/netmask
 .sp
-\fBhosts allow = 150.203.15.0/255.255.255.0\fR
+hosts allow = 150.203.15.0/255.255.255.0
 .sp
 Example 3: allow a couple of hosts
 .sp
-\fBhosts allow = lapland, arvidsjaur\fR
+hosts allow = lapland, arvidsjaur
 .sp
 Example 4: allow only hosts in NIS netgroup "foonet", but deny access from one particular host
 .sp
-\fBhosts allow = @foonet\fR
-.sp
-\fBhosts deny = pirate\fR
+hosts allow = @foonet
+.sp
+hosts deny = pirate
 .sp
 .it 1 an-trap
@@ -2939 +2975 @@
 .RS 3n
 .TP 3n
-•
+\(bu
 a network interface name (such as eth0). This may include shell-like wildcards so eth* will match any interface starting with the substring "eth"
 .TP 3n
-•
+\(bu
 an IP address. In this case the netmask is determined from the list of interfaces obtained from the kernel
 .TP 3n
-•
+\(bu
 an IP/mask pair.
 .TP 3n
-•
+\(bu
 a broadcast/mask pair.
 .RE
@@ -3062 +3098 @@
 .sp
 Unlike the
-\fBencrypt passwords\fR
+encrypt passwords
 option, this parameter cannot alter client behaviour, and the LANMAN response will still be sent over the network. See the
-\fBclient lanman auth\fR
+client lanman auth
 to disable this for Samba's clients (such as smbclient)
 .sp
 If this option, and
-\fBntlm auth\fR
+ntlm auth
 are both disabled, then only NTLMv2 logins will be permited. Not all clients support NTLMv2, and most will require special configuration to use it.
 .sp
@@ -3158 +3194 @@
 .RS 3n
 .TP 3n
-•
+\(bu
 \fIYes\fR
 = Try to update the LDAP, NT and LM passwords and update the pwdLastSet time.
 .TP 3n
-•
+\(bu
 \fINo\fR
 = Update NT and LM passwords and update the pwdLastSet time.
 .TP 3n
-•
+\(bu
 \fIOnly\fR
 = Only update the LDAP password and let the LDAP server do the rest.
@@ -3192 +3228 @@
 .sp
 To use this option, a basic ldap tree must be provided and the ldap suffix parameters must be properly configured. On virgin servers the default users and groups (Administrator, Guest, Domain Users, Domain Admins, Domain Guests) can be precreated with the command
-\fBnet sam provision\fR. To run this command the ldap server must be running, Winindd must be running and the smb.conf ldap options must be properly configured. The tipical ldap setup used with the
+net sam provision. To run this command the ldap server must be running, Winindd must be running and the smb.conf ldap options must be properly configured. The typical ldap setup used with the
 ldapsam:trusted = yes option is usually sufficient to use
 ldapsam:editposix = yes as well.
@@ -3286 +3322 @@
 \fBNOT\fR
 related to Samba's previous SSL support which was enabled by specifying the
-\fB--with-ssl\fR
+--with-ssl
 option to the
 \fIconfigure\fR
@@ -3295 +3331 @@
 .RS 3n
 .TP 3n
-•
+\(bu
 \fIOff\fR
 = Never use SSL when querying the directory.
 .TP 3n
-•
+\(bu
 \fIStart_tls\fR
 = Use the LDAPv3 StartTLS extended operation (RFC2830) for communicating with the directory server.
 .TP 3n
-•
+\(bu
 \fIOn\fR
 = Use SSL on the ldaps port when contacting the
 \fIldap server\fR. Only available when the backwards-compatiblity
-\fB--with-ldapsam\fR
+--with-ldapsam
 option is specified to configure. See
 passdb backend
@@ -3433 +3469 @@
 \fBno\fR
 then
-\fB nmbd\fR
+nmbd
 will not attempt to become a local master browser on a subnet and will also lose in all browsing elections. By default this value is set to
 \fByes\fR. Setting this value to
@@ -3440 +3476 @@
 \fBbecome\fR
 the local master browser on a subnet, just that
-\fBnmbd\fR
+nmbd
 will
 \fBparticipate\fR
@@ -3448 +3484 @@
 \fBno\fR
 will cause
-\fBnmbd\fR
+nmbd
 \fBnever\fR
 to become a local master browser.
@@ -3478 +3514 @@
 .sp
 If
-\fBlocking = no\fR, all lock and unlock requests will appear to succeed and all lock queries will report that the file in question is available for locking.
+locking = no, all lock and unlock requests will appear to succeed and all lock queries will report that the file in question is available for locking.
 .sp
 If
-\fBlocking = yes\fR, real locking will be performed by the server.
+locking = yes, real locking will be performed by the server.
 .sp
 This option
@@ -3573 +3609 @@
 .sp
 
-\fBlogon home = \\%N\%U\profile\fR
+logon home = \\\\%N\\%U\\profile
 .sp
 This tells Samba to return the above string, with substitutions made when a client requests the info, generally in a NetUserGetInfo request. Win9X clients truncate the info to \\server\share when a user does
-\fBnet use /home\fR
+net use /home
 but use the whole string when dealing with profiles.
 .sp
@@ -3582 +3618 @@
 logon path was returned rather than
 \fIlogon home\fR. This broke
-\fBnet use /home\fR
+net use /home
 but allowed profiles outside the home directory. The current implementation is correct, and can be used for profiles if you use the above trick.
 .sp
@@ -3591 +3627 @@
 .sp
 Default:
-\fB\fIlogon home\fR = \\%N\%U \fR
-.sp
-Example:
-\fB\fIlogon home\fR = \\remote_smb_server\%U \fR
+\fB\fIlogon home\fR = \\\\%N\\%U \fR
+.sp
+Example:
+\fB\fIlogon home\fR = \\\\remote_smb_server\\%U \fR
 .RE
 .PP
@@ -3622 +3658 @@
 \fBWarning\fR
 Do not quote the value. Setting this as
-“\\%N\profile\%U”
+\fB\\%N\profile\%U\fR
 will break profile handling. Where the tdbsam or ldapsam passdb backend is used, at the time the user account is created the value configured for this parameter is written to the passdb backend and that value will over-ride the parameter value present in the smb.conf file. Any error present in the passdb backend account record must be editted using the appropriate tool (pdbedit on the command-line, or any other locally provided system tool).
 Note that this option is only useful if Samba is set up as a domain controller.
@@ -3641 +3677 @@
 .sp
 Default:
-\fB\fIlogon path\fR = \\%N\%U\profile \fR
+\fB\fIlogon path\fR = \\\\%N\\%U\\profile \fR
 .RE
 .PP
@@ -3665 +3701 @@
 .sp
 The contents of the batch file are entirely your choice. A suggested command would be to add
-\fBNET TIME \\SERVER /SET /YES\fR, to force every machine to synchronize clocks with the same time server. Another use would be to add
-\fBNET USE U: \\SERVER\UTILS\fR
+NET TIME \\\\SERVER /SET /YES, to force every machine to synchronize clocks with the same time server. Another use would be to add
+NET USE U: \\\\SERVER\\UTILS
 for commonly used utilities, or
 
@@ -3688 +3724 @@
 .sp
 Example:
-\fB\fIlogon script\fR = scripts\%U.bat \fR
+\fB\fIlogon script\fR = scripts\\%U.bat \fR
 .RE
 .PP
@@ -3709 +3745 @@
 .sp
 Default:
-\fB\fIlppause command\fR = # Currently no default value is given to this string, unless the value of the printing parameter is \fBSYSV\fR, in which case the default is : \fBlp -i %p-%j -H hold\fR or if the value of the \fIprinting\fR parameter is \fBSOFTQ\fR, then the default is: \fBqstat -s -j%j -h\fR. \fR
+\fB\fIlppause command\fR = # Currently no default value is given to this string, unless the value of the printing parameter is \\fBSYSV\\fR, in which case the default is : lp -i %p-%j -H hold or if the value of the \\fIprinting\\fR parameter is \\fBSOFTQ\\fR, then the default is: qstat -s -j%j -h. \fR
 .sp
 Example:
@@ -3718 +3754 @@
 .RS 3n
 This controls how long lpq info will be cached for to prevent the
-\fBlpq\fR
+lpq
 command being called too often. A separate cache is kept for each variation of the
-\fB lpq\fR
+lpq
 command used by the system, so if you use different
-\fBlpq\fR
+lpq
 commands for different users then they won't share cache information.
 .sp
@@ -3728 +3764 @@
 \fI/tmp/lpq.xxxx\fR
 where xxxx is a hash of the
-\fBlpq\fR
+lpq
 command in use.
 .sp
 The default is 30 seconds, meaning that the cached results of a previous identical
-\fBlpq\fR
+lpq
 command will be used if the cached data is less than 30 seconds old. A large value may be advisable if your
-\fBlpq\fR
+lpq
 command is very slow.
 .sp
@@ -3749 +3785 @@
 .RS 3n
 This parameter specifies the command to be executed on the server host in order to obtain
-\fBlpq \fR-style printer status information.
+lpq-style printer status information.
 .sp
 This command should be a program or script which takes a printer name as its only parameter and outputs printer status information.
@@ -3803 +3839 @@
 \fBSYSV\fR, in which case the default is :
 .sp
-\fBlp -i %p-%j -H resume\fR
+lp -i %p-%j -H resume
 .sp
 or if the value of the
@@ -3810 +3846 @@
 \fBSOFTQ\fR, then the default is:
 .sp
-\fBqstat -s -j%j -r\fR
+qstat -s -j%j -r
 .sp
 Default:
@@ -3949 +3985 @@
 .RS 3n
 .TP 3n
-•
+\(bu
 The first (up to) five alphanumeric characters before the rightmost dot of the filename are preserved, forced to upper case, and appear as the first (up to) five characters of the mangled name.
 .TP 3n
-•
+\(bu
 A tilde "~" is appended to the first part of the mangled name, followed by a two-character unique sequence, based on the original root name (i.e., the original filename minus its final extension). The final extension is included in the hash calculation only if it contains any upper case characters or is longer than three characters.
 .sp
@@ -3958 +3994 @@
 mangling char option, if you don't like '~'.
 .TP 3n
-•
+\(bu
 Files whose UNIX name begins with a dot will be presented as DOS hidden files. The mangled name will be created as for other filenames, but with the leading dot removed and "___" as its extension regardless of actual original extension (that's three underscores).
 .RE
@@ -4060 +4096 @@
 .RS 3n
 .TP 3n
-•
+\(bu
 
 \fBYes\fR
 - The read only DOS attribute is mapped to the inverse of the user or owner write bit in the unix permission mode set. If the owner write bit is not set, the read only attribute is reported as being set on the file.
 .TP 3n
-•
+\(bu
 
 \fBPermissions\fR
@@ -4072 +4108 @@
 by reading the unix permissions and POSIX ACL (if present). If the connecting user does not have permission to modify the file, the read only attribute is reported as being set on the file.
 .TP 3n
-•
+\(bu
 
 \fBNo\fR
@@ -4113 +4149 @@
 .RS 3n
 .TP 3n
-•
+\(bu
 \fBNever\fR
 - Means user login requests with an invalid password are rejected. This is the default.
 .TP 3n
-•
+\(bu
 \fBBad User\fR
 - Means user logins with an invalid password are rejected, unless the username does not exist, in which case it is treated as a guest login and mapped into the
 guest account.
 .TP 3n
-•
+\(bu
 \fBBad Password\fR
 - Means user logins with an invalid password are treated as a guest login and mapped into the
@@ -4131 +4167 @@
 parameter this way :-).
 .TP 3n
-•
+\(bu
 \fBBad Uid\fR
 - Is only applicable when Samba is configured in some type of domain mode security (security = {domain|ads}) and means that user logins which are successfully authenticated but which have no valid Unix user account (and smbd is unable to create one) should be mapped to the defined guest account. This was the default behavior of Samba 2.x releases. Note that if a member server is running winbindd, this option should never be required because the nss_winbind library will export the Windows domain users and groups to the underlying OS via the Name Service Switch interface.
@@ -4251 +4287 @@
 .RS 3n
 .TP 3n
-•
+\(bu
 \fBCORE\fR: Earliest version. No concept of user names.
 .TP 3n
-•
+\(bu
 \fBCOREPLUS\fR: Slight improvements on CORE for efficiency.
 .TP 3n
-•
+\(bu
 \fBLANMAN1\fR: First
 \fB modern\fR
 version of the protocol. Long filename support.
 .TP 3n
-•
+\(bu
 \fBLANMAN2\fR: Updates to Lanman1 protocol.
 .TP 3n
-•
+\(bu
 \fBNT1\fR: Current up to date version of the protocol. Used by Windows NT. Known as CIFS.
 .RE
@@ -4322 +4358 @@
 \fBnmbd\fR(8)
 what the default 'time to live' of NetBIOS names should be (in seconds) when
-\fBnmbd\fR
+nmbd
 is requesting a name using either a broadcast packet or from a WINS server. You should never need to change this parameter. The default is 3 days.
 .sp
@@ -4334 +4370 @@
 \fBsmbd\fR(8)
 when acting as a WINS server (wins support = yes) what the maximum 'time to live' of NetBIOS names that
-\fBnmbd\fR
+nmbd
 will grant will be (in seconds). You should never need to change this parameter. The default is 6 days (518400 seconds).
 .sp
@@ -4364 +4400 @@
 .nf
 
-\fBmessage command = csh -c 'xedit %s;rm %s' &\fR
+message command = csh -c 'xedit %s;rm %s' &
 
 .fi
@@ -4370 +4406 @@
 .sp
 This delivers the message using
-\fBxedit\fR, then removes it afterwards.
+xedit, then removes it afterwards.
 \fBNOTE THAT IT IS VERY IMPORTANT THAT THIS COMMAND RETURN IMMEDIATELY\fR. That's why I have the '&' on the end. If it doesn't return immediately then your PCs may freeze when sending messages (they should recover after 30 seconds, hopefully).
 .sp
@@ -4381 +4417 @@
 .RS 3n
 .TP 3n
-•
+\(bu
 \fI%s\fR
 = the filename containing the message.
 .TP 3n
-•
+\(bu
 \fI%t\fR
 = the destination that the message was sent to (probably the server name).
 .TP 3n
-•
+\(bu
 \fI%f\fR
 = who the message is from.
@@ -4402 +4438 @@
 .nf
 
-\fBmessage command = /bin/mail -s 'message from %f on %m' root < %s; rm %s\fR
+message command = /bin/mail -s 'message from %f on %m' root < %s; rm %s
 
 .fi
@@ -4415 +4451 @@
 .nf
 
-\fBmessage command = rm %s\fR
+message command = rm %s
 
 .fi
@@ -4460 +4496 @@
 \fBnmbd\fR(8)
 when acting as a WINS server (wins support = yes) what the minimum 'time to live' of NetBIOS names that
-\fBnmbd\fR
+nmbd
 will grant will be (in seconds). You should never need to change this parameter. The default is 6 hours (21600 seconds).
 .sp
@@ -4478 +4514 @@
 .sp
 Example:
-\fB\fImsdfs proxy\fR = \\otherserver\someshare \fR
+\fB\fImsdfs proxy\fR = \\\\otherserver\\someshare \fR
 .RE
 .PP
@@ -4510 +4546 @@
 .RS 3n
 .TP 3n
-&#8226;
+\(bu
 
 \fBlmhosts\fR
 : Lookup an IP address in the Samba lmhosts file. If the line in lmhosts has no name type attached to the NetBIOS name (see the manpage for lmhosts for details) then any name type matches for lookup.
 .TP 3n
-&#8226;
+\(bu
 
 \fBhost\fR
@@ -4523 +4559 @@
 file. Note that this method is used only if the NetBIOS name type being queried is the 0x20 (server) name type or 0x1c (domain controllers). The latter case is only useful for active directory domains and results in a DNS query for the SRV RR entry matching _ldap._tcp.domain.
 .TP 3n
-&#8226;
+\(bu
 \fBwins\fR
 : Query a name with the IP address listed in the
 WINSSERVER parameter. If no WINS server has been specified this method will be ignored.
 .TP 3n
-&#8226;
+\(bu
 \fBbcast\fR
 : Do a broadcast on each of the known local interfaces listed in the
@@ -4536 +4572 @@
 The example below will cause the local lmhosts file to be examined first, followed by a broadcast attempt, followed by a normal system hostname lookup.
 .sp
-When Samba is functioning in ADS security mode (\fBsecurity = ads\fR) it is advised to use following settings for
+When Samba is functioning in ADS security mode (security = ads) it is advised to use following settings for
 \fIname resolve order\fR:
 .sp
-\fBname resolve order = wins bcast\fR
+name resolve order = wins bcast
 .sp
 DC lookups will still be done via DNS, but fallbacks to netbios names will not inundate your DNS servers with needless querys for DOMAIN<0x1c> lookups.
@@ -4616 +4652 @@
 .sp
 If this option, and
-\fBlanman auth\fR
+lanman auth
 are both disabled, then only NTLMv2 logins will be permited. Not all clients support NTLMv2, and most will require special configuration to us it.
 .sp
@@ -4679 +4715 @@
 .sp
 Note that this also means Samba won't try to deduce usernames from the service name. This can be annoying for the [homes] section. To get around this you could use
-\fBuser = %S\fR
+user = %S
 which means your
 \fIuser\fR
@@ -4723 +4759 @@
 In brief it specifies a number, which causes
 \fBsmbd\fR(8)not to grant an oplock even when requested if the approximate number of clients contending for an oplock on the same file goes over this limit. This causes
-\fBsmbd\fR
+smbd
 to behave in a similar way to Windows NT.
 .sp
@@ -4739 +4775 @@
 .RS 3n
 This boolean option tells
-\fBsmbd\fR
+smbd
 whether to issue oplocks (opportunistic locks) to file open requests on this share. The oplock code can dramatically (approx. 30% or more) improve the speed of access to files on Samba servers. It allows the clients to aggressively cache files locally and you may want to disable this option for unreliable network environments (it is turned on by default in Windows NT Servers). For more information see the file
 \fISpeed.txt\fR
@@ -4761 +4797 @@
 .sp
 For example, a valid entry using the HP LaserJet 5 printer driver would appear as
-\fBHP LaserJet 5L = LASERJET.HP LaserJet 5L\fR.
+HP LaserJet 5L = LASERJET.HP LaserJet 5L.
 .sp
 The need for the file is due to the printer driver namespace problem described in the chapter on Classical Printing in the Samba3-HOWTO book. For more details on OS/2 clients, please refer to chapter on other clients in the Samba3-HOWTO book.
@@ -4829 +4865 @@
 .RS 3n
 .TP 3n
-&#8226;
-\fBsmbpasswd\fR
+\(bu
+smbpasswd
 - The default smbpasswd backend. Takes a path to the smbpasswd file as an optional argument.
 .TP 3n
-&#8226;
-\fBtdbsam\fR
+\(bu
+tdbsam
 - The TDB based password storage backend. Takes a path to the TDB as an optional argument (defaults to passdb.tdb in the
 private dir directory.
 .TP 3n
-&#8226;
-\fBldapsam\fR
+\(bu
+ldapsam
 - The LDAP based passdb backend. Takes an LDAP URL as an optional argument (defaults to
-\fBldap://localhost\fR)
+ldap://localhost)
 .sp
 LDAP connections should be secured where possible. This may be done using either Start-TLS (see
@@ -4874 +4910 @@
 Default:
 \fB\fIpassdb expand explicit\fR = no \fR
-.RE
-.PP
-passwd chat debug (G)
-.RS 3n
-This boolean specifies if the passwd chat script parameter is run in
-\fBdebug\fR
-mode. In this mode the strings passed to and received from the passwd chat are printed in the
-\fBsmbd\fR(8)
-log with a
-debug level of 100. This is a dangerous option as it will allow plaintext passwords to be seen in the
-\fBsmbd\fR
-log. It is available to help Samba admins debug their
-\fIpasswd chat\fR
-scripts when calling the
-\fIpasswd program\fR
-and should be turned off after this has been done. This option has no effect if the
-pam password change paramter is set. This parameter is off by default.
-.sp
-Default:
-\fB\fIpasswd chat debug\fR = no \fR
-.RE
-.PP
-passwd chat timeout (G)
-.RS 3n
-This integer specifies the number of seconds smbd will wait for an initial answer from a passwd chat script being run. Once the initial answer is received the subsequent answers must be received in one tenth of this time. The default it two seconds.
-.sp
-Default:
-\fB\fIpasswd chat timeout\fR = 2 \fR
 .RE
 .PP
@@ -4935 +4943 @@
 .sp
 Default:
-\fB\fIpasswd chat\fR = *new*password* %n\n*new*password* %n\n *changed* \fR
-.sp
-Example:
-\fB\fIpasswd chat\fR = "*Enter OLD password*" %o\n "*Enter NEW password*" %n\n "*Reenter NEW password*" %n\n "*Password changed*" \fR
+\fB\fIpasswd chat\fR = *new*password* %n\\n*new*password* %n\\n *changed* \fR
+.sp
+Example:
+\fB\fIpasswd chat\fR = "*Enter OLD password*" %o\\n "*Enter NEW password*" %n\\n "*Reenter NEW password*" %n\\n "*Password changed*" \fR
+.RE
+.PP
+passwd chat debug (G)
+.RS 3n
+This boolean specifies if the passwd chat script parameter is run in
+\fBdebug\fR
+mode. In this mode the strings passed to and received from the passwd chat are printed in the
+\fBsmbd\fR(8)
+log with a
+debug level of 100. This is a dangerous option as it will allow plaintext passwords to be seen in the
+smbd
+log. It is available to help Samba admins debug their
+\fIpasswd chat\fR
+scripts when calling the
+\fIpasswd program\fR
+and should be turned off after this has been done. This option has no effect if the
+pam password change paramter is set. This parameter is off by default.
+.sp
+Default:
+\fB\fIpasswd chat debug\fR = no \fR
+.RE
+.PP
+passwd chat timeout (G)
+.RS 3n
+This integer specifies the number of seconds smbd will wait for an initial answer from a passwd chat script being run. Once the initial answer is received the subsequent answers must be received in one tenth of this time. The default it two seconds.
+.sp
+Default:
+\fB\fIpasswd chat timeout\fR = 2 \fR
 .RE
 .PP
@@ -4959 +4995 @@
 \fBAS ROOT\fR
 before the SMB password in the smbpasswd file is changed. If this UNIX password change fails, then
-\fBsmbd\fR
+smbd
 will fail to change the SMB password also (this is by design).
 .sp
@@ -5017 +5053 @@
 .RS 3n
 By specifying the name of another SMB server or Active Directory domain controller with this option, and using
-\fBsecurity = [ads|domain|server]\fR
+security = [ads|domain|server]
 it is possible to get Samba to to do all its username/password validation using a specific remote server.
 .sp
@@ -5045 +5081 @@
 or
 \fBads\fR, then the list of machines in this option must be a list of Primary or Backup Domain controllers for the Domain or the character '*', as the Samba server is effectively in that domain, and will use cryptographically authenticated RPC calls to authenticate the user logging on. The advantage of using
-\fB security = domain\fR
+security = domain
 is that if you list several hosts in the
 \fIpassword server\fR
 option then
-\fBsmbd \fR
+smbd
 will try each in turn till it finds one that responds. This is useful in case your primary server goes down.
 .sp
@@ -5064 +5100 @@
 parameter is set to
 \fBserver\fR, then there are different restrictions that
-\fBsecurity = domain\fR
+security = domain
 doesn't suffer from:
 .RS 3n
 .TP 3n
-&#8226;
+\(bu
 You may list several password servers in the
 \fIpassword server\fR
 parameter, however if an
-\fBsmbd\fR
+smbd
 makes a connection to a password server, and then the password server fails, no more users will be able to be authenticated from this
-\fBsmbd\fR. This is a restriction of the SMB/CIFS protocol when in
-\fBsecurity = server \fR
+smbd. This is a restriction of the SMB/CIFS protocol when in
+security = server
 mode and cannot be fixed in Samba.
 .TP 3n
-&#8226;
+\(bu
 If you are using a Windows NT server as your password server then you will have to ensure that your users are able to login from the Samba server, as when in
-\fB security = server\fR
+security = server
 mode the network logon will appear to come from there rather than from the users workstation.
 .RE
@@ -5151 +5187 @@
 An interesting example may be to unmount server resources:
 .sp
-\fBpostexec = /etc/umount /cdrom\fR
+postexec = /etc/umount /cdrom
 .sp
 Default:
@@ -5157 +5193 @@
 .sp
 Example:
-\fB\fIpostexec\fR = echo \"%u disconnected from %S from %m (%I)\" >> /tmp/log \fR
-.RE
-.PP
-preexec close (S)
-.RS 3n
-This boolean option controls whether a non-zero return code from
-preexec should close the service being connected to.
-.sp
-Default:
-\fB\fIpreexec close\fR = no \fR
+\fB\fIpostexec\fR = echo \\"%u disconnected from %S from %m (%I)\\" >> /tmp/log \fR
 .RE
 .PP
@@ -5181 +5208 @@
 .sp
 
-\fBpreexec = csh -c 'echo \"Welcome to %S!\" | /usr/local/samba/bin/smbclient -M %m -I %I' & \fR
+preexec = csh -c 'echo \\"Welcome to %S!\\" | /usr/local/samba/bin/smbclient -M %m -I %I' &
 .sp
 Of course, this could get annoying after a while :-)
@@ -5193 +5220 @@
 .sp
 Example:
-\fB\fIpreexec\fR = echo \"%u connected to %S from %m (%I)\" >> /tmp/log \fR
+\fB\fIpreexec\fR = echo \\"%u connected to %S from %m (%I)\\" >> /tmp/log \fR
+.RE
+.PP
+preexec close (S)
+.RS 3n
+This boolean option controls whether a non-zero return code from
+preexec should close the service being connected to.
+.sp
+Default:
+\fB\fIpreexec close\fR = no \fR
 .RE
 .PP
@@ -5209 +5245 @@
 If this is set to
 \fByes\fR, on startup,
-\fBnmbd\fR
+nmbd
 will force an election, and it will have a slight advantage in winning the election. It is recommended that this parameter is used in conjunction with
 domain master = yes, so that
-\fBnmbd\fR
+nmbd
 can guarantee becoming a domain master.
 .sp
@@ -5219 +5255 @@
 Default:
 \fB\fIpreferred master\fR = auto \fR
-.RE
-.PP
-preload modules (G)
-.RS 3n
-This is a list of paths to modules that should be loaded into smbd before a client connects. This improves the speed of smbd when reacting to new connections somewhat.
-.sp
-Default:
-\fB\fIpreload modules\fR = \fR
-.sp
-Example:
-\fB\fIpreload modules\fR = /usr/lib/samba/passdb/mysql.so \fR
 .RE
 .PP
@@ -5249 +5274 @@
 Example:
 \fB\fIpreload\fR = fred lp colorlp \fR
+.RE
+.PP
+preload modules (G)
+.RS 3n
+This is a list of paths to modules that should be loaded into smbd before a client connects. This improves the speed of smbd when reacting to new connections somewhat.
+.sp
+Default:
+\fB\fIpreload modules\fR = \fR
+.sp
+Example:
+\fB\fIpreload modules\fR = /usr/lib/samba/passdb/mysql.so \fR
 .RE
 .PP
@@ -5307 +5343 @@
 .sp
 To use the CUPS printing interface set
-\fBprintcap name = cups \fR. This should be supplemented by an addtional setting
+printcap name = cups. This should be supplemented by an addtional setting
 printing = cups in the [global] section.
-\fBprintcap name = cups\fR
+printcap name = cups
 will use the "dummy" printcap created by CUPS, as specified in your CUPS configuration file.
 .sp
 On System V systems that use
-\fBlpstat\fR
+lpstat
 to list available printers you can use
-\fBprintcap name = lpstat \fR
+printcap name = lpstat
 to automatically obtain lists of available printers. This is the default for systems that define SYSV at configure time in Samba (this includes most System V based systems). If
 \fI printcap name\fR
 is set to
-\fBlpstat\fR
+lpstat
 on these systems then Samba will launch
-\fBlpstat -v\fR
+lpstat -v
 and attempt to parse the output to obtain a printer list.
 .sp
@@ -5360 +5396 @@
 .RS 3n
 After a print job has finished spooling to a service, this command will be used via a
-\fBsystem()\fR
+system()
 call to process the spool file. Typically the command specified will submit the spool file to the host's printing subsystem, but there is no requirement that this be the case. The server will not remove the spool file, so whatever command you specify should remove the spool file when it has been processed, otherwise you will need to manually remove old spool files.
 .sp
@@ -5398 +5434 @@
 You can form quite complex print commands by realizing that they are just passed to a shell. For example the following will log a print job, print the file, then remove it. Note that ';' is the usual separator for command in shell scripts.
 .sp
-\fBprint command = echo Printing %s >> /tmp/print.log; lpr -P %p %s; rm %s\fR
+print command = echo Printing %s >> /tmp/print.log; lpr -P %p %s; rm %s
 .sp
 You may have to vary this command considerably depending on how you normally print files on your system. The default for the parameter varies depending on the setting of the
@@ -5404 +5440 @@
 .sp
 Default: For
-\fBprinting = BSD, AIX, QNX, LPRNG or PLP :\fR
-.sp
-\fBprint command = lpr -r -P%p %s\fR
+printing = BSD, AIX, QNX, LPRNG or PLP :
+.sp
+print command = lpr -r -P%p %s
 .sp
 For
-\fBprinting = SYSV or HPUX :\fR
-.sp
-\fBprint command = lp -c -d%p %s; rm %s\fR
+printing = SYSV or HPUX :
+.sp
+print command = lp -c -d%p %s; rm %s
 .sp
 For
-\fBprinting = SOFTQ :\fR
-.sp
-\fBprint command = lp -d%p -s %s; rm %s\fR
+printing = SOFTQ :
+.sp
+print command = lp -d%p -s %s; rm %s
 .sp
 For printing = CUPS : If SAMBA is compiled against libcups, then
 printcap = cups uses the CUPS API to submit jobs, etc. Otherwise it maps to the System V commands with the -oraw option for printing, i.e. it uses
-\fBlp -c -d%p -oraw; rm %s\fR. With
-\fBprinting = cups\fR, and if SAMBA is compiled against libcups, any manually set print command will be ignored.
+lp -c -d%p -oraw; rm %s. With
+printing = cups, and if SAMBA is compiled against libcups, any manually set print command will be ignored.
 .sp
 \fBNo default\fR
@@ -5509 +5545 @@
 .sp
 Example:
-\fB\fIprintjob username\fR = %D\%U \fR
+\fB\fIprintjob username\fR = %D\\%U \fR
 .RE
 .PP
@@ -5611 +5647 @@
 \fByes\fR, then users of a service may not create or modify files in the service's directory.
 .sp
-Note that a printable service (\fBprintable = yes\fR) will
+Note that a printable service (printable = yes) will
 \fBALWAYS\fR
 allow writing to the directory (user privileges permitting), but only via spooling operations.
@@ -5636 +5672 @@
 .RS 3n
 This option specifies the kerberos realm to use. The realm is used as the ADS equivalent of the NT4
-\fBdomain\fR. It is usually set to the DNS name of the kerberos server.
+domain. It is usually set to the DNS name of the kerberos server.
 .sp
 Default:
@@ -5658 +5694 @@
 .nf
 
-\fBremote announce = 192.168.2.255/SERVERS 192.168.4.255/STAFF\fR
+remote announce = 192.168.2.255/SERVERS 192.168.4.255/STAFF
 
 .fi
 the above line would cause
-\fBnmbd\fR
+nmbd
 to announce itself to the two given IP addresses using the given workgroup names. If you leave out the workgroup name then the one given in the
 workgroup parameter is used instead.
@@ -5692 +5728 @@
 .fi
 the above line would cause
-\fBnmbd\fR
+nmbd
 to request the master browser on the specified subnets or addresses to synchronize their browse lists with the local server.
 .sp
@@ -5773 +5809 @@
 .RS 3n
 The server will
-\fBchroot()\fR
+chroot()
 (i.e. Change its root directory) to this directory on startup. This is not strictly necessary for secure operation. Even without it the server will deny access to files not in one of the service entries. It may also check for, and deny access to, soft links to other parts of the filesystem, or attempts to use ".." in file names to access other directories (depending on the setting of the
 wide smbconfoptions parameter).
@@ -5806 +5842 @@
 .RE
 .PP
+root preexec (S)
+.RS 3n
+This is the same as the
+\fIpreexec\fR
+parameter except that the command is run as root. This is useful for mounting filesystems (such as CDROMs) when a connection is opened.
+.sp
+Default:
+\fB\fIroot preexec\fR = \fR
+.RE
+.PP
 root preexec close (S)
 .RS 3n
@@ -5816 +5862 @@
 .RE
 .PP
-root preexec (S)
-.RS 3n
-This is the same as the
-\fIpreexec\fR
-parameter except that the command is run as root. This is useful for mounting filesystems (such as CDROMs) when a connection is opened.
-.sp
-Default:
-\fB\fIroot preexec\fR = \fR
-.RE
-.PP
-security mask (S)
-.RS 3n
-This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating the UNIX permission on a file using the native NT security dialog box.
-.sp
-This parameter is applied as a mask (AND'ed with) to the changed permission bits, thus preventing any bits not in this mask from being modified. Make sure not to mix up this parameter with
-force security mode, which works in a manner similar to this one but uses a logical OR instead of an AND.
-.sp
-Essentially, zero bits in this mask may be treated as a set of bits the user is not allowed to change.
-.sp
-If not set explicitly this parameter is 0777, allowing a user to modify all the user/group/world permissions on a file.
-.sp
-\fB Note\fR
-that users who can access the Samba server through other means can easily bypass this restriction, so it is primarily useful for standalone "appliance" systems. Administrators of most normal systems will probably want to leave it set to
-\fB0777\fR.
-.sp
-Default:
-\fB\fIsecurity mask\fR = 0777 \fR
-.sp
-Example:
-\fB\fIsecurity mask\fR = 0770 \fR
-.RE
-.PP
 security (G)
 .RS 3n
@@ -5859 +5873 @@
 .sp
 The default is
-\fBsecurity = user\fR, as this is the most common setting needed when talking to Windows 98 and Windows NT.
+security = user, as this is the most common setting needed when talking to Windows 98 and Windows NT.
 .sp
 The alternatives are
-\fBsecurity = share\fR,
-\fBsecurity = server\fR
+security = share,
+security = server
 or
-\fBsecurity = domain \fR.
+security = domain.
 .sp
 In versions of Samba prior to 2.0.0, the default was
-\fBsecurity = share\fR
+security = share
 mainly because that was the only option at one stage.
 .sp
@@ -5874 +5888 @@
 .sp
 If your PCs use usernames that are the same as their usernames on the UNIX machine then you will want to use
-\fBsecurity = user\fR. If you mostly use usernames that don't exist on the UNIX box then use
-\fBsecurity = share\fR.
+security = user. If you mostly use usernames that don't exist on the UNIX box then use
+security = share.
 .sp
 You should also use
-\fBsecurity = share\fR
+security = share
 if you want to mainly setup shares without a password (guest shares). This is commonly used for a shared printer server. It is more difficult to setup guest shares with
-\fBsecurity = user\fR, see the
+security = user, see the
 map to guestparameter for details.
 .sp
 It is possible to use
-\fBsmbd\fR
+smbd
 in a
 \fB hybrid mode\fR
@@ -5895 +5909 @@
 .sp
 When clients connect to a share level security server they need not log onto the server with a valid username and password before attempting to connect to a shared resource (although modern clients such as Windows 95/98 and Windows NT will send a logon request with a username but no password when talking to a
-\fBsecurity = share \fR
+security = share
 server). Instead, the clients send authentication information (passwords) on a per-share basis, at the time they attempt to connect to that share.
 .sp
 Note that
-\fBsmbd\fR
+smbd
 \fBALWAYS\fR
 uses a valid UNIX user to act on behalf of the client, even in
-\fBsecurity = share\fR
+security = share
 level security.
 .sp
 As clients are not required to send a username to the server in share level security,
-\fBsmbd\fR
+smbd
 uses several techniques to determine the correct UNIX user to use on behalf of the client.
 .sp
@@ -5912 +5926 @@
 .RS 3n
 .TP 3n
-&#8226;
+\(bu
 If the
 guest only parameter is set, then all the other stages are missed and only the
 guest account username is checked.
 .TP 3n
-&#8226;
+\(bu
 Is a username is sent with the share connection request, then this username (after mapping - see
 username map), is added as a potential username.
 .TP 3n
-&#8226;
+\(bu
 If the client did a previous
 \fBlogon \fR
 request (the SessionSetup SMB call) then the username sent in this SMB will be added as a potential username.
 .TP 3n
-&#8226;
+\(bu
 The name of the service the client requested is added as a potential username.
 .TP 3n
-&#8226;
+\(bu
 The NetBIOS name of the client is added to the list as a potential username.
 .TP 3n
-&#8226;
+\(bu
 Any users on the
 user list are added as potential usernames.
@@ -5984 +5998 @@
 \fBNote\fR
 that from the client's point of view
-\fBsecurity = domain\fR
+security = domain
 is the same as
-\fBsecurity = user\fR. It only affects how the server deals with the authentication, it does not in any way affect what the client sees.
+security = user. It only affects how the server deals with the authentication, it does not in any way affect what the client sees.
 .sp
 \fBNote\fR
@@ -6005 +6019 @@
 .sp
 In this mode Samba will try to validate the username/password by passing it to another SMB server, such as an NT box. If this fails it will revert to
-\fBsecurity = user\fR. It expects the
+security = user. It expects the
 encrypted passwords parameter to be set to
 \fByes\fR, unless the remote server does not support them. However note that if encrypted passwords have been negotiated then Samba cannot revert back to checking the UNIX password file, it must have a valid
@@ -6024 +6038 @@
 \fBNote\fR
 From the client's point of view
-\fBsecurity = server\fR
+security = server
 is the same as
-\fBsecurity = user\fR. It only affects how the server deals with the authentication, it does not in any way affect what the client sees.
+security = user. It only affects how the server deals with the authentication, it does not in any way affect what the client sees.
 \fBNote\fR
 that the name of the resource being requested is
@@ -6056 +6070 @@
 .RE
 .PP
+security mask (S)
+.RS 3n
+This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating the UNIX permission on a file using the native NT security dialog box.
+.sp
+This parameter is applied as a mask (AND'ed with) to the changed permission bits, thus preventing any bits not in this mask from being modified. Make sure not to mix up this parameter with
+force security mode, which works in a manner similar to this one but uses a logical OR instead of an AND.
+.sp
+Essentially, zero bits in this mask may be treated as a set of bits the user is not allowed to change.
+.sp
+If not set explicitly this parameter is 0777, allowing a user to modify all the user/group/world permissions on a file.
+.sp
+\fB Note\fR
+that users who can access the Samba server through other means can easily bypass this restriction, so it is primarily useful for standalone "appliance" systems. Administrators of most normal systems will probably want to leave it set to
+\fB0777\fR.
+.sp
+Default:
+\fB\fIsecurity mask\fR = 0777 \fR
+.sp
+Example:
+\fB\fIsecurity mask\fR = 0770 \fR
+.RE
+.PP
 server schannel (G)
 .RS 3n
@@ -6093 +6129 @@
 .RS 3n
 This controls what string will show up in the printer comment box in print manager and next to the IPC connection in
-\fBnet view\fR. It can be any string that you wish to show to your users.
+net view. It can be any string that you wish to show to your users.
 .sp
 It also sets what will appear in browse lists next to the machine name.
@@ -6115 +6151 @@
 .RS 3n
 If
-\fBset directory = no\fR, then users of the service may not use the setdir command to change directory.
+set directory = no, then users of the service may not use the setdir command to change directory.
 .sp
 The
-\fBsetdir\fR
+setdir
 command is only implemented in the Digital Pathworks client. See the Pathworks documentation for details.
 .sp
@@ -6128 +6164 @@
 .RS 3n
 Thanks to the Posix subsystem in NT a Windows User has a primary group in addition to the auxiliary groups. This script sets the primary group in the unix userdatase when an administrator sets the primary group from the windows user manager or when fetching a SAM with
-\fBnet rpc vampire\fR.
+net rpc vampire.
 \fI%u\fR
 will be replaced with the user whose primary group is to be set.
@@ -6144 +6180 @@
 .RS 3n
 The
-\fBset quota command\fR
+set quota command
 should only be used whenever there is no operating system API available from the OS that samba can use.
 .sp
 This option is only available if Samba was configured with the argument
-\fB--with-sys-quotas\fR
+--with-sys-quotas
 or on linux when
-\fB./configure --with-quotas\fR
+./configure --with-quotas
 was used and a working quota api was found in the system. Most packages are configured with these options already.
 .sp
@@ -6158 +6194 @@
 .RS 3n
 .TP 3n
-&#8226;
+\(bu
 1 - quota type
 .RS 3n
 .TP 3n
-&#8226;
+\(bu
 1 - user quotas
 .TP 3n
-&#8226;
+\(bu
 2 - user default quotas (uid = -1)
 .TP 3n
-&#8226;
+\(bu
 3 - group quotas
 .TP 3n
-&#8226;
+\(bu
 4 - group default quotas (gid = -1)
 .RE
@@ -6177 +6213 @@
 
 .TP 3n
-&#8226;
+\(bu
 2 - id (uid for user, gid for group, -1 if N/A)
 .TP 3n
-&#8226;
+\(bu
 3 - quota state (0 = disable, 1 = enable, 2 = enable and enforce)
 .TP 3n
-&#8226;
+\(bu
 4 - block softlimit
 .TP 3n
-&#8226;
+\(bu
 5 - block hardlimit
 .TP 3n
-&#8226;
+\(bu
 6 - inode softlimit
 .TP 3n
-&#8226;
+\(bu
 7 - inode hardlimit
 .TP 3n
-&#8226;
+\(bu
 8(optional) - block size, defaults to 1024
 .RE
@@ -6282 +6318 @@
 .RS 3n
 .TP 3n
-&#8226;
+\(bu
 \fI%z\fR
 will be substituted with the shutdown message sent to the server.
 .TP 3n
-&#8226;
+\(bu
 \fI%t\fR
 will be substituted with the number of seconds to wait before effectively starting the shutdown procedure.
 .TP 3n
-&#8226;
+\(bu
 \fI%r\fR
 will be substituted with the switch
 \fB-r\fR. It means reboot after shutdown for NT.
 .TP 3n
-&#8226;
+\(bu
 \fI%f\fR
 will be substituted with the switch
@@ -6372 +6408 @@
 .sp
 This option will typically be used to tune your Samba server for optimal performance for your local network. There is no way that Samba can know what the optimal parameters are for your net, so you must experiment and choose them yourself. We strongly suggest you read the appropriate documentation for your operating system first (perhaps
-\fBman setsockopt\fR
+man setsockopt
 will help).
 .sp
@@ -6383 +6419 @@
 .RS 3n
 .TP 3n
-&#8226;
+\(bu
 SO_KEEPALIVE
 .TP 3n
-&#8226;
+\(bu
 SO_REUSEADDR
 .TP 3n
-&#8226;
+\(bu
 SO_BROADCAST
 .TP 3n
-&#8226;
+\(bu
 TCP_NODELAY
 .TP 3n
-&#8226;
+\(bu
 IPTOS_LOWDELAY
 .TP 3n
-&#8226;
+\(bu
 IPTOS_THROUGHPUT
 .TP 3n
-&#8226;
+\(bu
 SO_SNDBUF *
 .TP 3n
-&#8226;
+\(bu
 SO_RCVBUF *
 .TP 3n
-&#8226;
+\(bu
 SO_SNDLOWAT *
 .TP 3n
-&#8226;
+\(bu
 SO_RCVLOWAT *
 .RE
@@ -6419 +6455 @@
 .sp
 To specify an argument use the syntax SOME_OPTION = VALUE for example
-\fBSO_SNDBUF = 8192\fR. Note that you must not have any spaces before or after the = sign.
+SO_SNDBUF = 8192. Note that you must not have any spaces before or after the = sign.
 .sp
 If you are on a local network then a sensible option might be:
 .sp
-\fBsocket options = IPTOS_LOWDELAY\fR
+socket options = IPTOS_LOWDELAY
 .sp
 If you have a local network then you could try:
 .sp
-\fBsocket options = IPTOS_LOWDELAY TCP_NODELAY\fR
+socket options = IPTOS_LOWDELAY TCP_NODELAY
 .sp
 If you are on a wide area network then perhaps try setting IPTOS_THROUGHPUT.
@@ -6461 +6497 @@
 .sp
 Default:
-\fB\fIstore dos attributes\fR = yes \fR
+\fB\fIstore dos attributes\fR = no \fR
 .RE
 .PP
@@ -6492 +6528 @@
 .sp
 Well-behaved clients always ask for lock checks when it is important. So in the vast majority of cases,
-\fBstrict locking = Auto\fR
+strict locking = Auto
 or
-\fBstrict locking = no\fR
+strict locking = no
 is acceptable.
 .sp
@@ -6537 +6573 @@
 \fByes\fR
 then every write will be followed by a
-\fBfsync() \fR
+fsync()
 call to ensure the data is written to disk. Note that the
 \fIstrict sync\fR
@@ -6548 +6584 @@
 .RE
 .PP
-syslog only (G)
-.RS 3n
-If this parameter is set then Samba debug messages are logged into the system syslog only, and not to the debug log files.
-.sp
-Default:
-\fB\fIsyslog only\fR = no \fR
-.RE
-.PP
 syslog (G)
 .RS 3n
@@ -6568 +6596 @@
 Default:
 \fB\fIsyslog\fR = 1 \fR
+.RE
+.PP
+syslog only (G)
+.RS 3n
+If this parameter is set then Samba debug messages are logged into the system syslog only, and not to the debug log files.
+.sp
+Default:
+\fB\fIsyslog only\fR = no \fR
 .RE
 .PP
@@ -6662 +6698 @@
 .sp
 Note that even when this parameter is set a user authenticating to
-\fBsmbd\fR
+smbd
 must still enter a valid password in order to connect correctly, and to update their hashed (smbpasswd) passwords.
 .sp
@@ -6672 +6708 @@
 .RS 3n
 This parameter applies only to Windows NT/2000 clients. It has no effect on Windows 95/98/ME clients. When serving a printer to Windows NT/2000 clients without first installing a valid printer driver on the Samba host, the client will be required to install a local printer driver. From this point on, the client will treat the print as a local printer and not a network printer connection. This is much the same behavior that will occur when
-\fBdisable spoolss = yes\fR.
+disable spoolss = yes.
 .sp
 The differentiating factor is that under normal circumstances, the NT/2000 client will attempt to open the network printer using MS-RPC. The problem is that because the client considers the printer to be local, it will attempt to issue the OpenPrinterEx() call requesting access rights associated with the logged on user. If the user possesses local administator rights but not root privilege on the Samba host (often the case), the OpenPrinterEx() call will fail. The result is that the client will now display an "Access Denied; Unable to connect" message in the printer queue window (even though jobs may successfully be printed).
@@ -6717 +6753 @@
 .RE
 .PP
+user
+.RS 3n
+This parameter is a synonym for username.
+.RE
+.PP
+users
+.RS 3n
+This parameter is a synonym for username.
+.RE
+.PP
+username (S)
+.RS 3n
+Multiple users may be specified in a comma-delimited list, in which case the supplied password will be tested against each username in turn (left to right).
+.sp
+The
+\fIusername\fR
+line is needed only when the PC is unable to supply its own username. This is the case for the COREPLUS protocol or where your users have different WfWg usernames to UNIX usernames. In both these cases you may also be better using the \\server\share%user syntax instead.
+.sp
+The
+\fIusername\fR
+line is not a great solution in many cases as it means Samba will try to validate the supplied password against each of the usernames in the
+\fIusername\fR
+line in turn. This is slow and a bad idea for lots of users in case of duplicate passwords. You may get timeouts or security breaches using this parameter unwisely.
+.sp
+Samba relies on the underlying UNIX security. This parameter does not restrict who can login, it just offers hints to the Samba server as to what usernames might correspond to the supplied password. Users can login as whoever they please and they will be able to do no more damage than if they started a telnet session. The daemon runs as the user that they log in as, so they cannot do anything that user cannot do.
+.sp
+To restrict a service to a particular set of users you can use the
+valid users parameter.
+.sp
+If any of the usernames begin with a '@' then the name will be looked up first in the NIS netgroups list (if Samba is compiled with netgroup support), followed by a lookup in the UNIX groups database and will expand to a list of all users in the group of that name.
+.sp
+If any of the usernames begin with a '+' then the name will be looked up only in the UNIX groups database and will expand to a list of all users in the group of that name.
+.sp
+If any of the usernames begin with a '&' then the name will be looked up only in the NIS netgroups database (if Samba is compiled with netgroup support) and will expand to a list of all users in the netgroup group of that name.
+.sp
+Note that searching though a groups database can take quite some time, and some clients may time out during the search.
+.sp
+See the section
+NOTE ABOUT USERNAME/PASSWORD VALIDATION
+for more information on how this parameter determines access to the services.
+.sp
+Default:
+\fB\fIusername\fR = # The guest account if a guest service, else <empty string>. \fR
+.sp
+Example:
+\fB\fIusername\fR = fred, mary, jack, jane, @users, @pcgroup \fR
+.RE
+.PP
 username level (G)
 .RS 3n
@@ -6731 +6815 @@
 Example:
 \fB\fIusername level\fR = 5 \fR
-.RE
-.PP
-username map script (G)
-.RS 3n
-This script is a mutually exclusive alternative to the
-username map parameter. This parameter specifies and external program or script that must accept a single command line option (the username transmitted in the authentication request) and return a line line on standard output (the name to which the account should mapped). In this way, it is possible to store username map tables in an LDAP or NIS directory services.
-.sp
-Default:
-\fB\fIusername map script\fR = \fR
-.sp
-Example:
-\fB\fIusername map script\fR = /etc/samba/scripts/mapusers.sh \fR
 .RE
 .PP
@@ -6771 +6843 @@
 .nf
 
-\fBroot = admin administrator\fR
+root = admin administrator
 
 .fi
@@ -6784 +6856 @@
 .nf
 
-\fBsys = @system\fR
+sys = @system
 
 .fi
@@ -6801 +6873 @@
 .nf
 
-\fBtridge = "Andrew Tridgell"\fR
+tridge = "Andrew Tridgell"
 
 .fi
@@ -6853 +6925 @@
 .RE
 .PP
-user
-.RS 3n
-This parameter is a synonym for username.
-.RE
-.PP
-users
-.RS 3n
-This parameter is a synonym for username.
-.RE
-.PP
-username (S)
-.RS 3n
-Multiple users may be specified in a comma-delimited list, in which case the supplied password will be tested against each username in turn (left to right).
-.sp
-The
-\fIusername\fR
-line is needed only when the PC is unable to supply its own username. This is the case for the COREPLUS protocol or where your users have different WfWg usernames to UNIX usernames. In both these cases you may also be better using the \\server\share%user syntax instead.
-.sp
-The
-\fIusername\fR
-line is not a great solution in many cases as it means Samba will try to validate the supplied password against each of the usernames in the
-\fIusername\fR
-line in turn. This is slow and a bad idea for lots of users in case of duplicate passwords. You may get timeouts or security breaches using this parameter unwisely.
-.sp
-Samba relies on the underlying UNIX security. This parameter does not restrict who can login, it just offers hints to the Samba server as to what usernames might correspond to the supplied password. Users can login as whoever they please and they will be able to do no more damage than if they started a telnet session. The daemon runs as the user that they log in as, so they cannot do anything that user cannot do.
-.sp
-To restrict a service to a particular set of users you can use the
-valid users parameter.
-.sp
-If any of the usernames begin with a '@' then the name will be looked up first in the NIS netgroups list (if Samba is compiled with netgroup support), followed by a lookup in the UNIX groups database and will expand to a list of all users in the group of that name.
-.sp
-If any of the usernames begin with a '+' then the name will be looked up only in the UNIX groups database and will expand to a list of all users in the group of that name.
-.sp
-If any of the usernames begin with a '&' then the name will be looked up only in the NIS netgroups database (if Samba is compiled with netgroup support) and will expand to a list of all users in the netgroup group of that name.
-.sp
-Note that searching though a groups database can take quite some time, and some clients may time out during the search.
-.sp
-See the section
-NOTE ABOUT USERNAME/PASSWORD VALIDATION
-for more information on how this parameter determines access to the services.
-.sp
-Default:
-\fB\fIusername\fR = # The guest account if a guest service, else <empty string>. \fR
-.sp
-Example:
-\fB\fIusername\fR = fred, mary, jack, jane, @users, @pcgroup \fR
+username map script (G)
+.RS 3n
+This script is a mutually exclusive alternative to the
+username map parameter. This parameter specifies and external program or script that must accept a single command line option (the username transmitted in the authentication request) and return a line line on standard output (the name to which the account should mapped). In this way, it is possible to store username map tables in an LDAP or NIS directory services.
+.sp
+Default:
+\fB\fIusername map script\fR = \fR
+.sp
+Example:
+\fB\fIusername map script\fR = /etc/samba/scripts/mapusers.sh \fR
 .RE
 .PP
@@ -7011 +7047 @@
 .RE
 .PP
+utmp (G)
+.RS 3n
+This boolean parameter is only available if Samba has been configured and compiled with the option
+--with-utmp. If set to
+\fByes\fR
+then Samba will attempt to add utmp or utmpx records (depending on the UNIX system) whenever a connection is made to a Samba server. Sites may use this to record the user connecting to a Samba share.
+.sp
+Due to the requirements of the utmp record, we are required to create a unique identifier for the incoming user. Enabling this option creates an n^2 algorithm to find this number. This may impede performance on large installations.
+.sp
+Default:
+\fB\fIutmp\fR = no \fR
+.RE
+.PP
 utmp directory (G)
 .RS 3n
 This parameter is only available if Samba has been configured and compiled with the option
-\fB --with-utmp\fR. It specifies a directory pathname that is used to store the utmp or utmpx files (depending on the UNIX system) that record user connections to a Samba server. By default this is not set, meaning the system will use whatever utmp file the native system is set to use (usually
+--with-utmp. It specifies a directory pathname that is used to store the utmp or utmpx files (depending on the UNIX system) that record user connections to a Samba server. By default this is not set, meaning the system will use whatever utmp file the native system is set to use (usually
 \fI/var/run/utmp\fR
 on Linux).
@@ -7025 +7074 @@
 .RE
 .PP
-utmp (G)
-.RS 3n
-This boolean parameter is only available if Samba has been configured and compiled with the option
-\fB--with-utmp\fR. If set to
-\fByes\fR
-then Samba will attempt to add utmp or utmpx records (depending on the UNIX system) whenever a connection is made to a Samba server. Sites may use this to record the user connecting to a Samba share.
-.sp
-Due to the requirements of the utmp record, we are required to create a unique identifier for the incoming user. Enabling this option creates an n^2 algorithm to find this number. This may impede performance on large installations.
-.sp
-Default:
-\fB\fIutmp\fR = no \fR
+-valid (S)
+.RS 3n
+This parameter indicates whether a share is valid and thus can be used. When this parameter is set to false, the share will be in no way visible nor accessible.
+.sp
+This option should not be used by regular users but might be of help to developers. Samba uses this option internally to mark shares as deleted.
+.sp
+Default:
+\fB\fI-valid\fR = yes \fR
 .RE
 .PP
@@ -7056 +7102 @@
 Example:
 \fB\fIvalid users\fR = greg, @pcusers \fR
-.RE
-.PP
--valid (S)
-.RS 3n
-This parameter indicates whether a share is valid and thus can be used. When this parameter is set to false, the share will be in no way visible nor accessible.
-.sp
-This option should not be used by regular users but might be of help to developers. Samba uses this option internally to mark shares as deleted.
-.sp
-Default:
-\fB\fI-valid\fR = yes \fR
 .RE
 .PP
@@ -7185 +7221 @@
 \fBwinbindd\fR(8)
 it may be necessary to suppress the enumeration of groups through the
-\fBsetgrent()\fR,
-\fBgetgrent()\fR
+setgrent(),
+getgrent()
 and
-\fBendgrent()\fR
+endgrent()
 group of system calls. If the
 \fIwinbind enum groups\fR
 parameter is
 \fBno\fR, calls to the
-\fBgetgrent()\fR
+getgrent()
 system call will not return any data.
 .sp
@@ -7211 +7247 @@
 \fBwinbindd\fR(8)
 it may be necessary to suppress the enumeration of users through the
-\fBsetpwent()\fR,
-\fBgetpwent()\fR
+setpwent(),
+getpwent()
 and
-\fBendpwent()\fR
+endpwent()
 group of system calls. If the
 \fIwinbind enum users\fR
 parameter is
 \fBno\fR, calls to the
-\fBgetpwent\fR
+getpwent
 system call will not return any data.
 .sp
@@ -7232 +7268 @@
 .RE
 .PP
+winbind expand groups (G)
+.RS 3n
+This option controls the maximum depth that winbindd will traverse when flattening nested group memberships of Windows domain groups. This is different from the
+winbind nested groups option which implements the Windows NT4 model of local group nesting. The "winbind expand groups" parameter specifically applies to the membership of domain groups.
+.sp
+Be aware that a high value for this parameter can result in system slowdown as the main parent winbindd daemon must perform the group unrolling and will be unable to answer incoming NSS or authentication requests during this time.
+.sp
+Default:
+\fB\fIwinbind expand groups\fR = 1 \fR
+.RE
+.PP
 winbind nested groups (G)
 .RS 3n
@@ -7256 +7303 @@
 .RS 3n
 .TP 3n
-&#8226;
+\(bu
 \fItemplate\fR
 - The default, using the parameters of
@@ -7263 +7310 @@
 \fItemplate homedir\fR)
 .TP 3n
-&#8226;
+\(bu
 \fIsfu\fR
 - When Samba is running in security = ads and your Active Directory Domain Controller does support the Microsoft "Services for Unix" (SFU) LDAP schema, winbind can retrieve the login shell and the home directory attributes directly from your Directory Server. Note that retrieving UID and GID from your ADS-Server requires to use
@@ -7303 +7350 @@
 Example:
 \fB\fIwinbind refresh tickets\fR = true \fR
+.RE
+.PP
+winbind rpc only (G)
+.RS 3n
+Setting this parameter to
+yes
+forces winbindd to use RPC instead of LDAP to retrieve information from Domain Controllers.
+.sp
+Default:
+\fB\fIwinbind rpc only\fR = no \fR
 .RE
 .PP
@@ -7317 +7374 @@
 .sp
 Default:
-\fB\fIwinbind separator\fR = '\' \fR
+\fB\fIwinbind separator\fR = '\\' \fR
 .sp
 Example:
@@ -7326 +7383 @@
 .RS 3n
 This parameter is designed to allow Samba servers that are members of a Samba controlled domain to use UNIX accounts distributed via NIS, rsync, or LDAP as the uid's for winbindd users in the hosts primary domain. Therefore, the user
-DOMAIN\user1
+DOMAIN\\user1
 would be mapped to the account user1 in /etc/passwd instead of allocating a new uid for him or her.
 .sp
-This parameter is not deprecated in favor of the newer idmap_nss backend. Refer to the
+This parameter is now deprecated in favor of the newer idmap_nss backend. Refer to the
 idmap domains smb.conf option and the
 \fBidmap_nss\fR(8)
@@ -7357 +7414 @@
 The wins hook parameter specifies the name of a script or executable that will be called as follows:
 .sp
-\fBwins_hook operation name nametype ttl IP_list\fR
-.RS 3n
-.TP 3n
-&#8226;
+wins_hook operation name nametype ttl IP_list
+.RS 3n
+.TP 3n
+\(bu
 The first argument is the operation and is one of "add", "delete", or "refresh". In most cases the operation can be ignored as the rest of the parameters provide sufficient information. Note that "refresh" may sometimes be called when the name has not previously been added, in that case it should be treated as an add.
 .TP 3n
-&#8226;
+\(bu
 The second argument is the NetBIOS name. If the name is not a legal name then the wins hook is not called. Legal names contain only letters, digits, hyphens, underscores and periods.
 .TP 3n
-&#8226;
+\(bu
 The third argument is the NetBIOS name type as a 2 digit hexadecimal number.
 .TP 3n
-&#8226;
+\(bu
 The fourth argument is the TTL (time to live) for the name in seconds.
 .TP 3n
-&#8226;
+\(bu
 The fifth and subsequent arguments are the IP addresses currently registered for that name. If this list is empty then the name should be deleted.
 .RE
 .IP "" 3n
 An example script that calls the BIND dynamic DNS update program
-\fBnsupdate\fR
+nsupdate
 is provided in the examples directory of the Samba source code.
 .sp
@@ -7430 +7487 @@
 \fByes\fR
 unless you have a multi-subnetted network and you wish a particular
-\fBnmbd\fR
+nmbd
 to be your WINS server. Note that you should
 \fBNEVER\fR
@@ -7511 +7568 @@
 .RS 3n
 This parameter is only available if Samba has been configured and compiled with the option
-\fB --with-utmp\fR. It specifies a directory pathname that is used to store the wtmp or wtmpx files (depending on the UNIX system) that record user connections to a Samba server. The difference with the utmp directory is the fact that user info is kept after a user has logged out.
+--with-utmp. It specifies a directory pathname that is used to store the wtmp or wtmpx files (depending on the UNIX system) that record user connections to a Samba server. The difference with the utmp directory is the fact that user info is kept after a user has logged out.
 .sp
 By default this is not set, meaning the system will use whatever utmp file the native system is set to use (usually