Changeset 988 for vendor/current/docs

vendor/current/docs/manpages/dbwrap_tool.1

-              r860
+              r988
 .\"     Title: dbwrap_tool
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/>
 .\"      Date: 09/18/2013
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 05/02/2016
 .\"    Manual: System Administration tools
 .\"    Source: Samba 3.6
+.\"    Source: Samba 4.4
 .\"  Language: English
 .\"
 .TH "DBWRAP_TOOL" "1" "09/18/2013" "Samba 3\&.6" "System Administration tools"
+.TH "DBWRAP_TOOL" "1" "05/02/2016" "Samba 4\&.4" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 …
 .SH "SYNOPSIS"
 .HP \w'\ 'u
 dbwrap_tool {<database>} {<operation>} [<key>\ [<type>\ [<value>]\ ]]
+dbwrap_tool [\-\-persistent] [\-\-non\-persistent] [\-d\ <debug\ level>] [\-s\ <config\ file>] [\-l\ <log\ file\ base>] [\-V] [\-\-option=<name>=<value>] {<database>} {<operation>} [<key>\ [<type>\ [<value>]]]
 .SH "DESCRIPTION"
 .PP
 …
 .IP \(bu 2.3
 .\}
+exists: test for existence of a record
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
 erase: remove all records
 .RE
 …
 .RE
 .sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+listwatchers: list processes, which are waiting for changes in a record
+.RE
+.sp
 .RE
 .PP
 …
 .RE
 .sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+hex: hex strings like "68656C6C6F20776F726C6400" ("hello world")
+.RE
+.sp
 .RE
 .SH "OPTIONS"
 .PP
+None\&.
+\-\-persistent
+.RS 4
+Open the database as a persistent database\&.
+.sp
+Exactly one of \-\-persistent and \-\-non\-persistent must be specified\&.
+.RE
+.PP
+\-\-non\-persistent
+.RS 4
+Open the database as a non\-persistent database\&.
+.sp
+Caveat: opening a database as non\-persistent when there is currently no other opener will wipe the database\&.
+.sp
+Exactly one of \-\-persistent and \-\-non\-persistent must be specified\&.
+.RE
 .SH "COMMANDS"
 .SS "fetch"
 …
 dbwrap_tool <database> delete <key>
+.SS "exists"
+.HP \w'\ 'u
+dbwrap_tool <database> exists <key>
 .SS "erase"
 .HP \w'\ 'u
+dbwrap_tool <database> erase
+dbwrap_tool <database> erase
 .SS "listkeys"
 .HP \w'\ 'u
 dbwrap_tool <database> listkeys
+.SS "listwatchers"
+.HP \w'\ 'u
+dbwrap_tool <database> listwatchers
 .SH "EXAMPLES"
 .PP
 …
 .RS 4
 dbwrap_tool
 winbindd_idmap\&.tdb listkeys
+\-\-persistent winbindd_idmap\&.tdb listkeys
 .RE
 .PP
 …
 .RS 4
 dbwrap_tool
 winbindd_idmap\&.tdb fetch "USER HWM" uint32
+\-\-persistent winbindd_idmap\&.tdb fetch "USER HWM" uint32
 .RE
 .PP
 …
 .RS 4
 dbwrap_tool
 winbindd_idmap\&.tdb remove "USER HWM"
+\-\-persistent winbindd_idmap\&.tdb remove "USER HWM"
 .RE
 .PP
 Store and overwrite record "USER HWM" with value 214
 .RS 4
+dbwrap_tool
+winbindd_idmap\&.tdb store "USER HWM" uint32 214
+uint32:
+dbwrap_tool
+\-\-persistent winbindd_idmap\&.tdb store "USER HWM" uint32 214
+hex:
+dbwrap_tool
+\-\-persistent winbindd_idmap\&.tdb store "USER HWM" hex D6000000
 .RE
 .SH "NOTES"

vendor/current/docs/manpages/eventlogadm.8

-              r860
+              r988
 .\"     Title: eventlogadm
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/>
 .\"      Date: 09/18/2013
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 05/02/2016
 .\"    Manual: System Administration tools
 .\"    Source: Samba 3.6
+.\"    Source: Samba 4.4
 .\"  Language: English
 .\"
 .TH "EVENTLOGADM" "8" "09/18/2013" "Samba 3\&.6" "System Administration tools"
+.TH "EVENTLOGADM" "8" "05/02/2016" "Samba 4\&.4" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 …
 .IP \(bu 2.3
 .\}
 LEN
 \- This field should be 0, since
 …
 .IP \(bu 2.3
 .\}
 RS1
 \- This must be the value 1699505740\&.
 …
 .IP \(bu 2.3
 .\}
 RCN
 \- This field should be 0\&.
 …
 .IP \(bu 2.3
 .\}
 TMG
 \- The time the eventlog record was generated; format is the number of seconds since 00:00:00 January 1, 1970, UTC\&.
 …
 .IP \(bu 2.3
 .\}
 TMW
 \- The time the eventlog record was written; format is the number of seconds since 00:00:00 January 1, 1970, UTC\&.
 …
 .IP \(bu 2.3
 .\}
 EID
 \- The eventlog ID\&.
 …
 .IP \(bu 2.3
 .\}
 ETP
 \- The event type \-\- one of "INFO", "ERROR", "WARNING", "AUDIT SUCCESS" or "AUDIT FAILURE"\&.
 …
 .IP \(bu 2.3
 .\}
 ECT
 \- The event category; this depends on the message file\&. It is primarily used as a means of filtering in the eventlog viewer\&.
 …
 .IP \(bu 2.3
 .\}
 RS2
 \- This field should be 0\&.
 …
 .IP \(bu 2.3
 .\}
 CRN
 \- This field should be 0\&.
 …
 .IP \(bu 2.3
 .\}
 USL
 \- This field should be 0\&.
 …
 .IP \(bu 2.3
 .\}
 SRC
 \- This field contains the source name associated with the event log\&. If a message file is used with an event log, there will be a registry entry for associating this source name with a message file DLL\&.
 …
 .IP \(bu 2.3
 .\}
 SRN
 \- The name of the machine on which the eventlog was generated\&. This is typically the host name\&.
 …
 .IP \(bu 2.3
 .\}
 STR
 \- The text associated with the eventlog\&. There may be more than one string in a record\&.
 …
 .IP \(bu 2.3
 .\}
 DAT
 \- This field should be left unset\&.

vendor/current/docs/manpages/findsmb.1

-              r860
+              r988
 .\"     Title: findsmb
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/>
 .\"      Date: 09/18/2013
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 05/02/2016
 .\"    Manual: User Commands
 .\"    Source: Samba 3.6
+.\"    Source: Samba 4.4
 .\"  Language: English
 .\"
 .TH "FINDSMB" "1" "09/18/2013" "Samba 3\&.6" "User Commands"
+.TH "FINDSMB" "1" "05/02/2016" "Samba 4\&.4" "User Commands"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff

vendor/current/docs/manpages/idmap_ad.8

-              r860
+              r988
 .\"     Title: idmap_ad
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/>
 .\"      Date: 09/18/2013
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 05/02/2016
 .\"    Manual: System Administration tools
 .\"    Source: Samba 3.6
+.\"    Source: Samba 4.4
 .\"  Language: English
 .\"
 .TH "IDMAP_AD" "8" "09/18/2013" "Samba 3\&.6" "System Administration tools"
+.TH "IDMAP_AD" "8" "05/02/2016" "Samba 4\&.4" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 …
 The idmap_ad plugin provides a way for Winbind to read id mappings from an AD server that uses RFC2307/SFU schema extensions\&. This module implements only the "idmap" API, and is READONLY\&. Mappings must be provided in advance by the administrator by adding the uidNumber attributes for users and gidNumber attributes for groups in the AD\&. Winbind will only map users that have a uidNumber and whose primary group have a gidNumber attribute set\&. It is however recommended that all groups in use have gidNumber attributes assigned, otherwise they are not working\&.
 .PP
 Note that the idmap_ad module has changed considerably since Samba versions 3\&.0 and 3\&.2\&. Currently, the
+Currently, the
 \fIad\fR
 backend does not work as the the default idmap backend, but one has to configure it separately for each domain for which one wants to use it, using disjoint ranges\&. One usually needs to configure a writeable default idmap range, using for example the
+backend does not work as the default idmap backend, but one has to configure it separately for each domain for which one wants to use it, using disjoint ranges\&. One usually needs to configure a writeable default idmap range, using for example the
 \fItdb\fR
 or
 …
 .RE
 .PP
 schema_mode = <rfc2307 | sfu >
+schema_mode = <rfc2307 | sfu | sfu20>
 .RS 4
 Defines the schema that idmap_ad should use when querying Active Directory regarding user and group information\&. This can be either the RFC2307 schema support included in Windows 2003 R2 or the Service for Unix (SFU) schema\&.
+Defines the schema that idmap_ad should use when querying Active Directory regarding user and group information\&. This can be either the RFC2307 schema support included in Windows 2003 R2 or the Service for Unix (SFU) schema\&. For SFU 3\&.0 or 3\&.5 please choose "sfu", for SFU 2\&.0 please choose "sfu20"\&. Please note that primary group membership is currently always calculated via the "primaryGroupID" LDAP attribute\&.
 .RE
 .SH "EXAMPLES"
 …
 .nf
         [global]
+        workgroup = CORP
         idmap config * : backend = tdb
         idmap config * : range = 1000000\-1999999

vendor/current/docs/manpages/idmap_autorid.8

-              r860
+              r988
 .\"     Title: idmap_autorid
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/>
 .\"      Date: 09/18/2013
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 05/02/2016
 .\"    Manual: System Administration tools
 .\"    Source: Samba 3.6
+.\"    Source: Samba 4.4
 .\"  Language: English
 .\"
 .TH "IDMAP_AUTORID" "8" "09/18/2013" "Samba 3\&.6" "System Administration tools"
+.TH "IDMAP_AUTORID" "8" "05/02/2016" "Samba 4\&.4" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 …
 .SH "IDMAP OPTIONS"
 .PP
+range = low \- high
+.RS 4
+Defines the available matching uid and gid range for which the backend is authoritative\&. Note that the range acts as a filter\&. If algorithmically determined UID or GID fall outside the range, they are ignored and the corresponding map is discarded\&. It is intended as a way to avoid accidental UID/GID overlaps between local and remotely defined IDs\&.
+.RE
+.PP
 rangesize = numberofidsperdomain
 .RS 4
 Defines the available number of uids/gids per domain\&. The minimum needed value is 2000\&. SIDs with RIDs larger than this value cannot be mapped, are ignored and the corresponding map is discarded\&. Choose this value carefully, as this should not be changed after the first ranges for domains have been defined, otherwise mappings between domains will get intermixed leading to unpredictable results\&. Please note that RIDs in Windows Domains usually start with 500 for builtin users and 1000 for regular users\&. As the parameter cannot be changed later, please plan accordingly for your expected number of users in a domain with safety margins\&.
+Defines the number of uids/gids available per domain range\&. The minimum needed value is 2000\&. SIDs with RIDs larger than this value will be mapped into extension ranges depending upon number of available ranges\&. If the autorid backend runs out of available ranges, mapping requests for new domains (or new extension ranges for domains already known) are ignored and the corresponding map is discarded\&.
 .sp
+One range will be used for local users and groups\&. Thus the number of local users and groups that can be created is limited by this option as well\&. If you plan to create a large amount of local users or groups, you will need set this parameter accordingly\&.
+Example: with rangesize set to 10000, users/groups with a RID up to 10000 will be put into the first range for the domain\&. When attempting to map the an object with a RID of 25000, an extension range will be allocated that will then be used to map all RIDs from 20000\-29999\&.
+.sp
+One range will be used for local users and groups and for non\-domain well\-known SIDs like Everyone (S\-1\-1\-0) or Creator Owner (S\-1\-3\-0)\&. A chosen list of well\-known SIDs will be preallocated on first start to create deterministic mappings for those\&.
+.sp
+Thus the number of local users and groups that can be created is limited by this option as well\&. If you plan to create a large amount of local users or groups, you will need set this parameter accordingly\&.
 .sp
 The default value is 100000\&.
+.RE
+.PP
+read only = [ yes | no ]
+.RS 4
+Turn the module into read\-only mode\&. No new ranges will be allocated nor will new mappings be created in the idmap pool\&. Defaults to no\&.
+.RE
+.PP
+ignore builtin = [ yes | no ]
+.RS 4
+Ignore any mapping requests for the BUILTIN domain\&. Defaults to no\&.
 .RE
 .SH "THE MAPPING FORMULAS"
 …
 .\}
 .nf
                         ID = IDMAP UID LOW VALUE + DOMAINRANGENUMBER * RANGESIZE + RID
+                        ID =  REDUCED RID + IDMAP RANGE LOW VALUE + RANGE NUMBER * RANGE SIZE
 .fi
 …
 .RE
 .\}
+.sp
+where REDUCED RID = RID % RANGE_SIZE and a DOMAIN RANGE INDEX = RID / RANGE_SIZE is used together with the domain sid to determine the RANGE NUMBER (stored in the database)\&.
 .PP
 Correspondingly, the formula for calculating the RID for a given Unix ID is this:
 …
 .\}
 .nf
                         RID = ID \- IDMAP UID LOW VALUE \- DOMAINRANGENUMBER * RANGESIZE
+                        RID = (ID \- LOW ID) % RANGE SIZE + DOMAIN RANGE INDEX * RANGE SIZE
 .fi
 …
 .\}
 .sp
+Where the DOMAIN RANGE INDEX is retrieved from the database along with the domain sid by the RANGE NUMBER = (ID \- LOW ID) / RANGE SIZE \&.
 .SH "EXAMPLES"
 .PP
 This example shows you the minimal configuration that will work for the principial domain and 19 trusted domains\&.
+This example shows you the minimal configuration that will work for the principal domain and 19 trusted domains / range extensions\&.
 .sp
 .if n \{\

vendor/current/docs/manpages/idmap_hash.8

-              r860
+              r988
 .\"     Title: idmap_hash
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/>
 .\"      Date: 09/18/2013
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 05/02/2016
 .\"    Manual: System Administration tools
 .\"    Source: Samba 3.6
+.\"    Source: Samba 4.4
 .\"  Language: English
 .\"
 .TH "IDMAP_HASH" "8" "09/18/2013" "Samba 3\&.6" "System Administration tools"
+.TH "IDMAP_HASH" "8" "05/02/2016" "Samba 4\&.4" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff

vendor/current/docs/manpages/idmap_ldap.8

-              r860
+              r988
 .\"     Title: idmap_ldap
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/>
 .\"      Date: 09/18/2013
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 05/02/2016
 .\"    Manual: System Administration tools
 .\"    Source: Samba 3.6
+.\"    Source: Samba 4.4
 .\"  Language: English
 .\"
 .TH "IDMAP_LDAP" "8" "09/18/2013" "Samba 3\&.6" "System Administration tools"
+.TH "IDMAP_LDAP" "8" "05/02/2016" "Samba 4\&.4" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff

vendor/current/docs/manpages/idmap_nss.8

-              r860
+              r988
 .\"     Title: idmap_nss
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/>
 .\"      Date: 09/18/2013
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 05/02/2016
 .\"    Manual: System Administration tools
 .\"    Source: Samba 3.6
+.\"    Source: Samba 4.4
 .\"  Language: English
 .\"
 .TH "IDMAP_NSS" "8" "09/18/2013" "Samba 3\&.6" "System Administration tools"
+.TH "IDMAP_NSS" "8" "05/02/2016" "Samba 4\&.4" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff

vendor/current/docs/manpages/idmap_rid.8

-              r860
+              r988
 .\"     Title: idmap_rid
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/>
 .\"      Date: 09/18/2013
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 05/02/2016
 .\"    Manual: System Administration tools
 .\"    Source: Samba 3.6
+.\"    Source: Samba 4.4
 .\"  Language: English
 .\"
 .TH "IDMAP_RID" "8" "09/18/2013" "Samba 3\&.6" "System Administration tools"
+.TH "IDMAP_RID" "8" "05/02/2016" "Samba 4\&.4" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 …
 The idmap_rid backend provides a way to use an algorithmic mapping scheme to map UIDs/GIDs and SIDs\&. No database is required in this case as the mapping is deterministic\&.
 .PP
 Note that the idmap_rid module has changed considerably since Samba versions 3\&.0\&. and 3\&.2\&. Currently, there should to be an explicit idmap configuration for each domain that should use the idmap_rid backend, using disjoint ranges\&. One usually needs to define a writeable default idmap range, using a backent like
+Note that the idmap_rid module has changed considerably since Samba versions 3\&.0\&. and 3\&.2\&. Currently, there should to be an explicit idmap configuration for each domain that should use the idmap_rid backend, using disjoint ranges\&. One usually needs to define a writeable default idmap range, using a backend like
 \fItdb\fR
 or
 …
 base_rid = INTEGER
 .RS 4
 Defines the base integer used to build SIDs out of a UID or a GID, and to rebase the UID or GID to be obtained from a SID\&. This means SIDs with a RID less than the base rid are filtered\&. The default is not to restrict the allowed rids at all, i\&.e\&. a base_rid value of 0\&. A good value for the base_rid can be 1000, since user RIDs by default start at 1000 (512 hexadecimal)\&.
+Defines the base integer used to build SIDs out of a UID or a GID, and to rebase the UID or GID to be obtained from a SID\&. This means SIDs with a RID less than the base rid are filtered\&. The default is not to restrict the allowed rids at all, i\&.e\&. a base_rid value of 0\&.
 .sp
 Use of this parameter is deprecated\&.
 …
         idmap config TRUSTED : backend  = rid
         idmap config TRUSTED : range    = 50000 \- 99999
-        idmap config TRUSTED : base_rid = 1000
 .fi

vendor/current/docs/manpages/idmap_tdb.8

-              r860
+              r988
 .\"     Title: idmap_tdb
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/>
 .\"      Date: 09/18/2013
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 05/02/2016
 .\"    Manual: System Administration tools
 .\"    Source: Samba 3.6
+.\"    Source: Samba 4.4
 .\"  Language: English
 .\"
 .TH "IDMAP_TDB" "8" "09/18/2013" "Samba 3\&.6" "System Administration tools"
+.TH "IDMAP_TDB" "8" "05/02/2016" "Samba 4\&.4" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff

vendor/current/docs/manpages/idmap_tdb2.8

-              r860
+              r988
 .\"     Title: idmap_tdb2
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/>
 .\"      Date: 09/18/2013
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 05/02/2016
 .\"    Manual: System Administration tools
 .\"    Source: Samba 3.6
+.\"    Source: Samba 4.4
 .\"  Language: English
 .\"
 .TH "IDMAP_TDB2" "8" "09/18/2013" "Samba 3\&.6" "System Administration tools"
+.TH "IDMAP_TDB2" "8" "05/02/2016" "Samba 4\&.4" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff

vendor/current/docs/manpages/libsmbclient.7

-              r860
+              r988
 .\"     Title: libsmbclient
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/>
 .\"      Date: 09/18/2013
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 05/02/2016
 .\"    Manual: 7
 .\"    Source: Samba 3.6
+.\"    Source: Samba 4.4
 .\"  Language: English
 .\"
 .TH "LIBSMBCLIENT" "7" "09/18/2013" "Samba 3\&.6" "7"
+.TH "LIBSMBCLIENT" "7" "05/02/2016" "Samba 4\&.4" "7"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 …
 suite\&.
 .PP
 libsmbclient
 is a library toolset that permits applications to manipulate CIFS/SMB network resources using many of the standards POSIX functions available for manipulating local UNIX/Linux files\&. It permits much more than just browsing, files can be opened and read or written, permissions changed, file times modified, attributes and ACL\*(Aqs can be manipulated, and so on\&. Of course, its functionality includes all the capabilities commonly called browsing\&.
 .PP
 libsmbclient
 can not be used directly from the command line, instead it provides an extension of the capabilities of tools such as file managers and browsers\&. This man page describes the configuration options for this tool so that the user may obtain greatest utility of use\&.
 …
 to it\&.
 .PP
 libsmbclient
 will check the users shell environment for the

vendor/current/docs/manpages/lmhosts.5

-              r860
+              r988
 .\"     Title: lmhosts
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/>
 .\"      Date: 09/18/2013
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 05/02/2016
 .\"    Manual: File Formats and Conventions
 .\"    Source: Samba 3.6
+.\"    Source: Samba 4.4
 .\"  Language: English
 .\"
 .TH "LMHOSTS" "5" "09/18/2013" "Samba 3\&.6" "File Formats and Conventions"
+.TH "LMHOSTS" "5" "05/02/2016" "Samba 4\&.4" "File Formats and Conventions"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff

vendor/current/docs/manpages/log2pcap.1

-              r860
+              r988
 .\"     Title: log2pcap
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/>
 .\"      Date: 09/18/2013
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 05/02/2016
 .\"    Manual: User Commands
 .\"    Source: Samba 3.6
+.\"    Source: Samba 4.4
 .\"  Language: English
 .\"
 .TH "LOG2PCAP" "1" "09/18/2013" "Samba 3\&.6" "User Commands"
+.TH "LOG2PCAP" "1" "05/02/2016" "Samba 4\&.4" "User Commands"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 …
 Name of the output file to write the pcap (or hexdump) data to\&. If this argument is not specified, output data will be written to stdout\&.
 .RE
-.PP
-\-h|\-\-help
-.RS 4
-Print a summary of command line options\&.
-.RE
 .SH "EXAMPLES"
 .PP

vendor/current/docs/manpages/net.8

-              r860
+              r988
 .\"     Title: net
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/>
 .\"      Date: 09/18/2013
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 05/02/2016
 .\"    Manual: System Administration tools
 .\"    Source: Samba 3.6
+.\"    Source: Samba 4.4
 .\"  Language: English
 .\"
 .TH "NET" "8" "09/18/2013" "Samba 3\&.6" "System Administration tools"
+.TH "NET" "8" "05/02/2016" "Samba 4\&.4" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 …
 .SH "SYNOPSIS"
 .HP \w'\ 'u
 net {<ads|rap|rpc>} [\-h] [\-w\ workgroup] [\-W\ myworkgroup] [\-U\ user] [\-I\ ip\-address] [\-p\ port] [\-n\ myname] [\-s\ conffile] [\-S\ server] [\-l] [\-P] [\-d\ debuglevel] [\-V] [\-\-request\-timeout\ seconds]
+net {<ads|rap|rpc>} [\-h|\-\-help] [\-w|\-\-workgroup\ workgroup] [\-W|\-\-myworkgroup\ myworkgroup] [\-U|\-\-user\ user] [\-I|\-\-ipaddress\ ip\-address] [\-p|\-\-port\ port] [\-n\ myname] [\-s\ conffile] [\-S|\-\-server\ server] [\-l|\-\-long] [\-v|\-\-verbose] [\-f|\-\-force] [\-P|\-\-machine\-pass] [\-d\ debuglevel] [\-V] [\-\-request\-timeout\ seconds] [\-t|\-\-timeout\ seconds] [\-i|\-\-stdin] [\-\-tallocreport]
 .SH "DESCRIPTION"
 .PP
 …
 .SH "OPTIONS"
 .PP
+\-h|\-\-help
+.RS 4
+Print a summary of command line options\&.
+.RE
+.PP
+\-k|\-\-kerberos
+.RS 4
+Try to authenticate with kerberos\&. Only useful in an Active Directory environment\&.
+.RE
+.PP
+\-w target\-workgroup
+\-w|\-\-workgroup target\-workgroup
 .RS 4
 Sets target workgroup or domain\&. You have to specify either this option or the IP address or the name of a server\&.
 .RE
 .PP
 \-W workgroup
+\-W|\-\-myworkgroup workgroup
 .RS 4
 Sets client workgroup or domain
 .RE
 .PP
 \-U user
+\-U|\-\-user user
 .RS 4
 User name to use
 .RE
 .PP
 \-I ip\-address
+\-I|\-\-ipaddress ip\-address
 .RS 4
 IP address of target server to use\&. You have to specify either this option or a target workgroup or a target server\&.
 .RE
 .PP
 \-p port
+\-p|\-\-port port
 .RS 4
 Port on the target server to connect to (usually 139 or 445)\&. Defaults to trying 445 first, then 139\&.
 .RE
 .PP
+\-n|\-\-netbiosname <primary NetBIOS name>
+.RS 4
+This option allows you to override the NetBIOS name that Samba uses for itself\&. This is identical to setting the
+\m[blue]\fBnetbios name\fR\m[]
+parameter in the
+smb\&.conf
+file\&. However, a command line setting will take precedence over settings in
+smb\&.conf\&.
+.RE
+.PP
+\-s|\-\-configfile <configuration file>
+.RS 4
+The file specified contains the configuration details required by the server\&. The information in this file includes server\-specific information such as what printcap file to use, as well as descriptions of all the services that the server is to provide\&. See
+smb\&.conf
+for more information\&. The default configuration file name is determined at compile time\&.
+.RE
+.PP
+\-S server
+\-S|\-\-server server
 .RS 4
 Name of target server\&. You should specify either this option or a target workgroup or a target IP address\&.
 .RE
 .PP
 \-l
+\-l|\-\-long
 .RS 4
 When listing data, give more information on each item\&.
 .RE
 .PP
+\-P
+\-v|\-\-verbose
+.RS 4
+When listing data, give more verbose information on each item\&.
+.RE
+.PP
+\-f|\-\-force
+.RS 4
+Enforcing a net command\&.
+.RE
+.PP
+\-P|\-\-machine\-pass
 .RS 4
 Make queries to the external server using the machine account of the local server\&.
 …
 .RE
 .PP
+\-d|\-\-debuglevel=level
+.RS 4
+\fIlevel\fR
+is an integer from 0 to 10\&. The default value if this parameter is not specified is 0\&.
+.sp
+The higher this value, the more detail will be logged to the log files about the activities of the server\&. At level 0, only critical errors and serious warnings will be logged\&. Level 1 is a reasonable level for day\-to\-day running \- it generates a small amount of information about operations carried out\&.
+.sp
+Levels above 1 will generate considerable amounts of log data, and should only be used when investigating a problem\&. Levels above 3 are designed for use only by developers and generate HUGE amounts of log data, most of which is extremely cryptic\&.
+.sp
+Note that specifying this parameter here will override the
+\m[blue]\fBlog level\fR\m[]
+parameter in the
+smb\&.conf
+file\&.
+\-t|\-\-timeout 30
+.RS 4
+Set timeout for client operations to 30 seconds\&.
+.RE
+.PP
+\-\-use\-ccache
+.RS 4
+Try to use the credentials cached by winbind\&.
+.RE
+.PP
+\-i|\-\-stdin
+.RS 4
+Take input for net commands from standard input\&.
+.RE
+.PP
+\-\-tallocreport
+.RS 4
+Generate a talloc report while processing a net command\&.
+.RE
+.PP
+\-T|\-\-test
+.RS 4
+Only test command sequence, dry\-run\&.
+.RE
+.PP
+\-F|\-\-flags FLAGS
+.RS 4
+Pass down integer flags to a net subcommand\&.
+.RE
+.PP
+\-C|\-\-comment COMMENT
+.RS 4
+Pass down a comment string to a net subcommand\&.
+.RE
+.PP
+\-n|\-\-myname MYNAME
+.RS 4
+Use MYNAME as a requester name for a net subcommand\&.
+.RE
+.PP
+\-c|\-\-container CONTAINER
+.RS 4
+Use a specific AD container for net ads operations\&.
+.RE
+.PP
+\-M|\-\-maxusers MAXUSERS
+.RS 4
+Fill in the maxusers field in net rpc share operations\&.
+.RE
+.PP
+\-r|\-\-reboot
+.RS 4
+Reboot a remote machine after a command has been successfully executed (e\&.g\&. in remote join operations)\&.
+.RE
+.PP
+\-\-force\-full\-repl
+.RS 4
+When calling "net rpc vampire keytab" this option enforces a full re\-creation of the generated keytab file\&.
+.RE
+.PP
+\-\-single\-obj\-repl
+.RS 4
+When calling "net rpc vampire keytab" this option allows one to replicate just a single object to the generated keytab file\&.
+.RE
+.PP
+\-\-clean\-old\-entries
+.RS 4
+When calling "net rpc vampire keytab" this option allows one to cleanup old entries from the generated keytab file\&.
+.RE
+.PP
+\-\-db
+.RS 4
+Define dbfile for "net idmap" commands\&.
+.RE
+.PP
+\-\-lock
+.RS 4
+Activates locking of the dbfile for "net idmap check" command\&.
+.RE
+.PP
+\-a|\-\-auto
+.RS 4
+Activates noninteractive mode in "net idmap check"\&.
+.RE
+.PP
+\-\-repair
+.RS 4
+Activates repair mode in "net idmap check"\&.
+.RE
+.PP
+\-\-acls
+.RS 4
+Includes ACLs to be copied in "net rpc share migrate"\&.
+.RE
+.PP
+\-\-attrs
+.RS 4
+Includes file attributes to be copied in "net rpc share migrate"\&.
+.RE
+.PP
+\-\-timestamps
+.RS 4
+Includes timestamps to be copied in "net rpc share migrate"\&.
+.RE
+.PP
+\-X|\-\-exclude DIRECTORY
+.RS 4
+Allows one to exclude directories when copying with "net rpc share migrate"\&.
+.RE
+.PP
+\-\-destination SERVERNAME
+.RS 4
+Defines the target servername of migration process (defaults to localhost)\&.
+.RE
+.PP
+\-L|\-\-local
+.RS 4
+Sets the type of group mapping to local (used in "net groupmap set")\&.
+.RE
+.PP
+\-D|\-\-domain
+.RS 4
+Sets the type of group mapping to domain (used in "net groupmap set")\&.
+.RE
+.PP
+\-N|\-\-ntname NTNAME
+.RS 4
+Sets the ntname of a group mapping (used in "net groupmap set")\&.
+.RE
+.PP
+\-R|\-\-rid RID
+.RS 4
+Sets the rid of a group mapping (used in "net groupmap set")\&.
+.RE
+.PP
+\-\-reg\-version REG_VERSION
+.RS 4
+Assume database version {n|1,2,3} (used in "net registry check")\&.
+.RE
+.PP
+\-o|\-\-output FILENAME
+.RS 4
+Output database file (used in "net registry check")\&.
+.RE
+.PP
+\-\-wipe
+.RS 4
+Create a new database from scratch (used in "net registry check")\&.
+.RE
+.PP
+\-\-precheck PRECHECK_DB_FILENAME
+.RS 4
+Defines filename for database prechecking (used in "net registry import")\&.
+.RE
+.PP
+\-\-no\-dns\-updates
+.RS 4
+Do not perform DNS updates as part of "net ads join"\&.
 .RE
 .SH "COMMANDS"
 …
 Without any options, the
 NET TIME
 command displays the time on the remote server\&.
+command displays the time on the remote server\&. The remote server must be specified with the \-S option\&.
 .SS "TIME SYSTEM"
 .PP
 Displays the time on the remote server in a format ready for
 /bin/date\&.
+/bin/date\&. The remote server must be specified with the \-S option\&.
 .SS "TIME SET"
 .PP
 Tries to set the date and time of the local server to that on the remote server using
 /bin/date\&.
+/bin/date\&. The remote server must be specified with the \-S option\&.
 .SS "TIME ZONE"
 .PP
 Displays the timezone in hours from GMT on the remote computer\&.
 .SS "[RPC|ADS] JOIN [TYPE] [\-U username[%password]] [createupn=UPN] [createcomputer=OU] [options]"
+Displays the timezone in hours from GMT on the remote server\&. The remote server must be specified with the \-S option\&.
+.SS "[RPC|ADS] JOIN [TYPE] [\-\-no\-dns\-updates] [\-U username[%password]] [createupn=UPN] [createcomputer=OU] [machinepass=PASS] [osName=string osVer=string] [options]"
 .PP
 Join a domain\&. If the account already exists on the server, and [TYPE] is MEMBER, the machine will attempt to join automatically\&. (Assuming that the machine has been created in server manager) Otherwise, a password will be prompted for, and a new account may be created\&.
 …
 .PP
 [OU] (ADS only) Precreate the computer account in a specific OU\&. The OU string reads from top to bottom without RDNs, and is delimited by a \*(Aq/\*(Aq\&. Please note that \*(Aq\e\*(Aq is used for escape by both the shell and ldap, so it may need to be doubled or quadrupled to pass through, and it is not used as a delimiter\&.
+.PP
+[PASS] (ADS only) Set a specific password on the computer account being created by the join\&.
+.PP
+[osName=string osVer=String] (ADS only) Set the operatingSystem and operatingSystemVersion attribute during the join\&. Both parameters must be specified for either to take effect\&.
 .SS "[RPC] OLDJOIN [options]"
 .PP
 …
 .PP
 Validate whether the specified user can log in to the remote server\&. If the password is not specified on the commandline, it will be prompted\&.
-.if n \{\
-.sp
-.\}
-.RS 4
-.it 1 an-trap
-.nr an-no-space-flag 1
-.nr an-break-flag 1
-.br
-.ps +1
-\fBNote\fR
-.ps -1
-.br
-.PP
-Currently NOT implemented\&.
-.sp .5v
-.RE
 .SS "RAP GROUPMEMBER"
 .SS "RAP GROUPMEMBER LIST GROUP"
 …
 \fIcommand\fR
 on the remote server\&. Only works with OS/2 servers\&.
-.if n \{\
-.sp
-.\}
-.RS 4
-.it 1 an-trap
-.nr an-no-space-flag 1
-.nr an-break-flag 1
-.br
-.ps +1
-\fBNote\fR
-.ps -1
-.br
-.PP
-Currently NOT implemented\&.
-.sp .5v
-.RE
 .SS "RAP SERVICE"
 .SS "RAP SERVICE START NAME [arguments...]"
 .PP
 Start the specified service on the remote server\&. Not implemented yet\&.
-.if n \{\
-.sp
-.\}
-.RS 4
-.it 1 an-trap
-.nr an-no-space-flag 1
-.nr an-break-flag 1
-.br
-.ps +1
-\fBNote\fR
-.ps -1
-.br
-.PP
-Currently NOT implemented\&.
-.sp .5v
-.RE
 .SS "RAP SERVICE STOP"
 .PP
 Stop the specified service on the remote server\&.
-.if n \{\
-.sp
-.\}
-.RS 4
-.it 1 an-trap
-.nr an-no-space-flag 1
-.nr an-break-flag 1
-.br
-.ps +1
-\fBNote\fR
-.ps -1
-.br
-.PP
-Currently NOT implemented\&.
-.sp .5v
-.RE
 .SS "RAP PASSWORD \fIUSER\fR \fIOLDPASS\fR \fINEWPASS\fR"
 .PP
 …
 .SS "GROUPMAP MODIFY"
 .PP
+Update en existing group entry\&.
+.PP
+.sp
+Update an existing group entry\&.
+.PP
 .if n \{\
 .RS 4
 …
 .PP
 List all interdomain trust relationships\&.
-.SS "RPC TRUSTDOM LIST"
-.PP
-List all interdomain trust relationships\&.
 .SS "RPC TRUST"
 .SS "RPC TRUST CREATE"
 .PP
 Create a trust trust object by calling lsaCreateTrustedDomainEx2\&. The can be done on a single server or on two servers at once with the possibility to use a random trust password\&.
+Create a trust object by calling lsaCreateTrustedDomainEx2\&. The can be done on a single server or on two servers at once with the possibility to use a random trust password\&.
 .PP
 \fBOptions:\fR
 …
 .SS "RPC TRUST DELETE"
 .PP
 Delete a trust trust object by calling lsaDeleteTrustedDomain\&. The can be done on a single server or on two servers at once\&.
+Delete a trust object by calling lsaDeleteTrustedDomain\&. The can be done on a single server or on two servers at once\&.
 .PP
 \fBOptions:\fR
 …
 .SS "RPC VAMPIRE"
 .PP
 Export users, aliases and groups from remote server to local server\&. You need to run this against the PDC, from a Samba machine joined as a BDC\&.
+Export users, aliases and groups from remote server to local server\&. You need to run this against the PDC, from a Samba machine joined as a BDC\&. This vampire command cannot be used against an Active Directory, only against an NT4 Domain Controller\&.
 .SS "RPC VAMPIRE KEYTAB"
 .PP
 …
 .PP
 Print out workgroup name for specified kerberos realm\&.
+.SS "ADS ENCTYPES"
+.PP
+List, modify or delete the value of the "msDS\-SupportedEncryptionTypes" attribute of an account in AD\&.
+.PP
+This attribute allows one to control which Kerberos encryption types are used for the generation of initial and service tickets\&. The value consists of an integer bitmask with the following values:
+.PP
+x00000001 DES\-CBC\-CRC
+.PP
+x00000002 DES\-CBC\-MD5
+.PP
+x00000004 RC4\-HMAC
+.PP
+x00000008 AES128\-CTS\-HMAC\-SHA1\-96
+.PP
+x00000010 AES256\-CTS\-HMAC\-SHA1\-96
+.SS "ADS ENCTYPES LIST \fI<ACCOUNTNAME>\fR"
+.PP
+List the value of the "msDS\-SupportedEncryptionTypes" attribute of a given account\&.
+.PP
+Example:
+\fBnet ads enctypes list Computername\fR
+.SS "ADS ENCTYPES SET \fI<ACCOUNTNAME>\fR \fI[enctypes]\fR"
+.PP
+Set the value of the "msDS\-SupportedEncryptionTypes" attribute of the LDAP object of ACCOUNTNAME to a given value\&. If the value is omitted, the value is set to 31 which enables all the currently supported encryption types\&.
+.PP
+Example:
+\fBnet ads enctypes set Computername 24\fR
+.SS "ADS ENCTYPES DELETE \fI<ACCOUNTNAME>\fR"
+.PP
+Deletes the "msDS\-SupportedEncryptionTypes" attribute of the LDAP object of ACCOUNTNAME\&.
+.PP
+Example:
+\fBnet ads enctypes set Computername 24\fR
 .SS "SAM CREATEBUILTINGROUP <NAME>"
 .PP
 …
 .PP
 Restore the mappings from the specified file or stdin\&.
 .SS "IDMAP SECRET <DOMAIN> <secret>"
+.SS "IDMAP SET SECRET <DOMAIN> <secret>"
 .PP
 Store a secret for the specified domain, used primarily for domains that use idmap_ldap as a backend\&. In this case the secret is used as the password for the user DN used to bind to the ldap server\&.
+.SS "IDMAP DELETE [\-f] [\-\-db=<DB>] <ID>"
+.SS "IDMAP SET RANGE <RANGE> <SID> [index] [\-\-db=<DB>]"
+.PP
+Store a domain\-range mapping for a given domain (and index) in autorid database\&.
+.SS "IDMAP SET CONFIG <config> [\-\-db=<DB>]"
+.PP
+Update CONFIG entry in autorid database\&.
+.SS "IDMAP GET RANGE <SID> [index] [\-\-db=<DB>]"
+.PP
+Get the range for a given domain and index from autorid database\&.
+.SS "IDMAP GET RANGES [<SID>] [\-\-db=<DB>]"
+.PP
+Get ranges for all domains or for one identified by given SID\&.
+.SS "IDMAP GET CONFIG [\-\-db=<DB>]"
+.PP
+Get CONFIG entry from autorid database\&.
+.SS "IDMAP DELETE MAPPING [\-f] [\-\-db=<DB>] <ID>"
 .PP
 Delete a mapping sid <\-> gid or sid <\-> uid from the IDMAP database\&. The mapping is given by <ID> which may either be a sid: S\-x\-\&.\&.\&., a gid: "GID number" or a uid: "UID number"\&. Use \-f to delete an invalid partial mapping <ID> \-> xx
 …
 \fBsmbcontrol\fR(1)
 manpage for details\&.
+.SS "IDMAP DELETE RANGE [\-f] [\-\-db=<TDB>] <RANGE>|(<SID> [<INDEX>])"
+.PP
+Delete a domain range mapping identified by \*(AqRANGE\*(Aq or "domain SID and INDEX" from autorid database\&. Use \-f to delete invalid mappings\&.
+.SS "IDMAP DELETE RANGES [\-f] [\-\-db=<TDB>] <SID>"
+.PP
+Delete all domain range mappings for a domain identified by SID\&. Use \-f to delete invalid mappings\&.
 .SS "IDMAP CHECK [\-v] [\-r] [\-a] [\-T] [\-f] [\-l] [\-\-db=<DB>]"
 .PP
 …
 .PP
 net usershare list on its own list out the names of the user defined shares that were created by the current user, or restricts the list to share names that match the given wildcard pattern (\*(Aq*\*(Aq matches one or more characters, \*(Aq?\*(Aq matches only one character)\&. If the \*(Aq\-l\*(Aq or \*(Aq\-\-long\*(Aq option is also given, it includes the names of user defined shares created by other users\&.
 .SS "CONF"
 .PP
 Starting with version 3\&.2\&.0, a Samba server can be configured by data stored in registry\&. This configuration data can be edited with the new "net conf" commands\&.
+.SS "[RPC] CONF"
+.PP
+Starting with version 3\&.2\&.0, a Samba server can be configured by data stored in registry\&. This configuration data can be edited with the new "net conf" commands\&. There is also the possibility to configure a remote Samba server by enabling the RPC conf mode and specifying the address of the remote server\&.
 .PP
 The deployment of this configuration data can be activated in two levels from the
 …
 The conf commands are:
 .RS 4
 net conf list \- Dump the complete configuration in smb\&.conf like
+net [rpc] conf list \- Dump the complete configuration in smb\&.conf like
 format\&.
 .RE
 .RS 4
 net conf import \- Import configuration from file in smb\&.conf
+net [rpc] conf import \- Import configuration from file in smb\&.conf
 format\&.
 .RE
 .RS 4
 net conf listshares \- List the registry shares\&.
 .RE
 .RS 4
 net conf drop \- Delete the complete configuration from
+net [rpc] conf listshares \- List the registry shares\&.
+.RE
+.RS 4
+net [rpc] conf drop \- Delete the complete configuration from
 registry\&.
 .RE
 .RS 4
 net conf showshare \- Show the definition of a registry share\&.
 .RE
 .RS 4
 net conf addshare \- Create a new registry share\&.
 .RE
 .RS 4
 net conf delshare \- Delete a registry share\&.
 .RE
 .RS 4
 net conf setparm \- Store a parameter\&.
 .RE
 .RS 4
 net conf getparm \- Retrieve the value of a parameter\&.
 .RE
 .RS 4
 net conf delparm \- Delete a parameter\&.
 .RE
 .RS 4
 net conf getincludes \- Show the includes of a share definition\&.
 .RE
 .RS 4
 net conf setincludes \- Set includes for a share\&.
 .RE
 .RS 4
 net conf delincludes \- Delete includes from a share definition\&.
 .RE
 .SS "CONF LIST"
+net [rpc] conf showshare \- Show the definition of a registry share\&.
+.RE
+.RS 4
+net [rpc] conf addshare \- Create a new registry share\&.
+.RE
+.RS 4
+net [rpc] conf delshare \- Delete a registry share\&.
+.RE
+.RS 4
+net [rpc] conf setparm \- Store a parameter\&.
+.RE
+.RS 4
+net [rpc] conf getparm \- Retrieve the value of a parameter\&.
+.RE
+.RS 4
+net [rpc] conf delparm \- Delete a parameter\&.
+.RE
+.RS 4
+net [rpc] conf getincludes \- Show the includes of a share definition\&.
+.RE
+.RS 4
+net [rpc] conf setincludes \- Set includes for a share\&.
+.RE
+.RS 4
+net [rpc] conf delincludes \- Delete includes from a share definition\&.
+.RE
+.SS "[RPC] CONF LIST"
 .PP
 Print the configuration data stored in the registry in a smb\&.conf\-like format to standard output\&.
 .SS "CONF IMPORT [--test|-T] filename [section]"
+.SS "[RPC] CONF IMPORT [--test|-T] filename [section]"
 .PP
 This command imports configuration from a file in smb\&.conf format\&. If a section encountered in the input file is present in registry, its contents is replaced\&. Sections of registry configuration that have no counterpart in the input file are not affected\&. If you want to delete these, you will have to use the "net conf drop" or "net conf delshare" commands\&. Optionally, a section may be specified to restrict the effect of the import command to that specific section\&. A test mode is enabled by specifying the parameter "\-T" on the commandline\&. In test mode, no changes are made to the registry, and the resulting configuration is printed to standard output instead\&.
 .SS "CONF LISTSHARES"
+.SS "[RPC] CONF LISTSHARES"
 .PP
 List the names of the shares defined in registry\&.
 .SS "CONF DROP"
+.SS "[RPC] CONF DROP"
 .PP
 Delete the complete configuration data from registry\&.
 .SS "CONF SHOWSHARE sharename"
+.SS "[RPC] CONF SHOWSHARE sharename"
 .PP
 Show the definition of the share or section specified\&. It is valid to specify "global" as sharename to retrieve the global configuration options from registry\&.
 .SS "CONF ADDSHARE sharename path [writeable={y|N} [guest_ok={y|N} [comment]]] "
+.SS "[RPC] CONF ADDSHARE sharename path [writeable={y|N} [guest_ok={y|N} [comment]]] "
 .PP
 Create a new share definition in registry\&. The sharename and path have to be given\&. The share name may
 \fInot\fR
 be "global"\&. Optionally, values for the very common options "writeable", "guest ok" and a "comment" may be specified\&. The same result may be obtained by a sequence of "net conf setparm" commands\&.
 .SS "CONF DELSHARE sharename"
+.SS "[RPC] CONF DELSHARE sharename"
 .PP
 Delete a share definition from registry\&.
 .SS "CONF SETPARM section parameter value"
+.SS "[RPC] CONF SETPARM section parameter value"
 .PP
 Store a parameter in registry\&. The section may be global or a sharename\&. The section is created if it does not exist yet\&.
 .SS "CONF GETPARM section parameter"
+.SS "[RPC] CONF GETPARM section parameter"
 .PP
 Show a parameter stored in registry\&.
 .SS "CONF DELPARM section parameter"
+.SS "[RPC] CONF DELPARM section parameter"
 .PP
 Delete a parameter stored in registry\&.
 .SS "CONF GETINCLUDES section"
+.SS "[RPC] CONF GETINCLUDES section"
 .PP
 Get the list of includes for the provided section (global or share)\&.
 …
 .PP
 Further note that currently, only files can be included from registry configuration\&. In the future, there will be the ability to include configuration data from other registry keys\&.
 .SS "CONF SETINCLUDES section [filename]+"
+.SS "[RPC] CONF SETINCLUDES section [filename]+"
 .PP
 Set the list of includes for the provided section (global or share) to the given list of one or more filenames\&. The filenames may contain the usual smb\&.conf macros like %I\&.
 .SS "CONF DELINCLUDES section"
+.SS "[RPC] CONF DELINCLUDES section"
 .PP
 Delete the list of includes from the provided section (global or share)\&.
 …
 .RS 4
 net registry convert     \- Convert a registration entries (\&.reg) file\&.
+.RE
+.RS 4
+net registry check       \- Check and repair a registry database\&.
 .RE
 .SS "REGISTRY ENUMERATE key "
 …
 or
 \fIdword\fR\&. In case of
+\fImulti_sz\fR
+\fIvalue\fR
+\fImulti_sz\fR\fIvalue\fR
 may be given multiple times\&.
 .SS "REGISTRY INCREMENT key name [inc]"
 …
 from a Security Descriptor Definition Language (SDDL) string
 \fIsd\fR\&.
 .SS "REGISTRY IMPORT file[opt]"
+.SS "REGISTRY IMPORT file [--precheck <check-file>] [opt]"
 .PP
 Import a registration entries (\&.reg)
 \fIfile\fR\&.
+.PP
+The following options are available:
+.PP
+\-\-precheck \fIcheck\-file\fR
+.RS 4
+This is a mechanism to check the existence or non\-existence of certain keys or values specified in a precheck file before applying the import file\&. The import file will only be applied if the precheck succeeds\&.
+.sp
+The check\-file follows the normal registry file syntax with the following semantics:
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+<value name>=<value> checks whether the value exists and has the given value\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+<value name>=\- checks whether the value does not exist\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+[key] checks whether the key exists\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+[\-key] checks whether the key does not exist\&.
+.RE
+.sp
+.RE
+.RE
 .SS "REGISTRY EXPORT keyfile[opt]"
 .PP
 …
 Convert a registration entries (\&.reg) file
 \fIin\fR\&.
+.SS "REGISTRY CHECK [-ravTl] [-o <ODB>] [--wipe] [<DB>]"
+.PP
+Check and repair the registry database\&. If no option is given a read only check of the database is done\&. Among others an interactive or automatic repair mode may be chosen with one of the following options
+.PP
+\-r|\-\-repair
+.RS 4
+Interactive repair mode, ask a lot of questions\&.
+.RE
+.PP
+\-a|\-\-auto
+.RS 4
+Noninteractive repair mode, use default answers\&.
+.RE
+.PP
+\-v|\-\-verbose
+.RS 4
+Produce more output\&.
+.RE
+.PP
+\-T|\-\-test
+.RS 4
+Dry run, show what changes would be made but don\*(Aqt touch anything\&.
+.RE
+.PP
+\-l|\-\-lock
+.RS 4
+Lock the database while doing the check\&.
+.RE
+.PP
+\-\-reg\-version={1,2,3}
+.RS 4
+Specify the format of the registry database\&. If not given it defaults to the value of the binary or, if an registry\&.tdb is explizitly stated at the commandline, to the value found in the INFO/version record\&.
+.RE
+.PP
+[\-\-db] <DB>
+.RS 4
+Check the specified database\&.
+.RE
+.PP
+\-o|\-\-output <ODB>
+.RS 4
+Create a new registry database <ODB> instead of modifying the input\&. If <ODB> is already existing \-\-wipe may be used to overwrite it\&.
+.RE
+.PP
+\-\-wipe
+.RS 4
+Replace the registry database instead of modifying the input or overwrite an existing output database\&.
+.RE
+.PP
+.RS 4
+.RE
 .SS "EVENTLOG"
 .PP

vendor/current/docs/manpages/nmbd.8

-              r860
+              r988
 .\"     Title: nmbd
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/>
 .\"      Date: 09/18/2013
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 05/02/2016
 .\"    Manual: System Administration tools
 .\"    Source: Samba 3.6
+.\"    Source: Samba 4.4
 .\"  Language: English
 .\"
 .TH "NMBD" "8" "09/18/2013" "Samba 3\&.6" "System Administration tools"
+.TH "NMBD" "8" "05/02/2016" "Samba 4\&.4" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 …
 .SH "SYNOPSIS"
 .HP \w'\ 'u
 nmbd [\-D] [\-F] [\-S] [\-a] [\-i] [\-o] [\-h] [\-V] [\-d\ <debug\ level>] [\-H\ <lmhosts\ file>] [\-l\ <log\ directory>] [\-p\ <port\ number>] [\-s\ <configuration\ file>]
+nmbd [\-D|\-\-daemon] [\-F|\-\-foreground] [\-S|\-\-log\-stdout] [\-i|\-\-interactive] [\-V] [\-d\ <debug\ level>] [\-H|\-\-hosts\ <lmhosts\ file>] [\-l\ <log\ directory>] [\-p|\-\-port\ <port\ number>] [\-s\ <configuration\ file>] [\-\-no\-process\-group]
 .SH "DESCRIPTION"
 .PP
 …
 will listen for such requests, and if its own NetBIOS name is specified it will respond with the IP number of the host it is running on\&. Its "own NetBIOS name" is by default the primary DNS name of the host it is running on, but this can be overridden by the
 \m[blue]\fBnetbios name\fR\m[]
+in
+smb\&.conf\&. Thus
+in \&. Thus
 nmbd
 will reply to broadcast queries for its own name(s)\&. Additional names for
 …
 .SH "OPTIONS"
 .PP
 \-D
+\-D|\-\-daemon
 .RS 4
 If specified, this parameter causes
 …
 .RE
 .PP
 \-F
+\-F|\-\-foreground
 .RS 4
 If specified, this parameter causes the main
 …
 .RE
 .PP
 \-S
+\-S|\-\-log\-stdout
 .RS 4
 If specified, this parameter causes
 …
 .RE
 .PP
 \-i
+\-i|\-\-interactive
 .RS 4
 If this parameter is specified it causes the server to run "interactively", not as a daemon, even if the server is executed on the command line of a shell\&. Setting this parameter negates the implicit daemon mode when run from the command line\&.
 …
 .RE
 .PP
+\-h|\-\-help
+.RS 4
+Print a summary of command line options\&.
+.RE
+.PP
+\-H <filename>
+\-H|\-\-hosts <filename>
 .RS 4
 NetBIOS lmhosts file\&. The lmhosts file is a list of NetBIOS names to IP addresses that is loaded by the nmbd server and used via the name resolution mechanism
 …
 .RE
 .PP
+\-d|\-\-debuglevel=level
+.RS 4
+\fIlevel\fR
+is an integer from 0 to 10\&. The default value if this parameter is not specified is 0\&.
+.sp
+The higher this value, the more detail will be logged to the log files about the activities of the server\&. At level 0, only critical errors and serious warnings will be logged\&. Level 1 is a reasonable level for day\-to\-day running \- it generates a small amount of information about operations carried out\&.
+.sp
+Levels above 1 will generate considerable amounts of log data, and should only be used when investigating a problem\&. Levels above 3 are designed for use only by developers and generate HUGE amounts of log data, most of which is extremely cryptic\&.
+.sp
+Note that specifying this parameter here will override the
+\m[blue]\fBlog level\fR\m[]
+parameter in the
+smb\&.conf
+file\&.
+.RE
+.PP
+\-V|\-\-version
+.RS 4
+Prints the program version number\&.
+.RE
+.PP
+\-s|\-\-configfile <configuration file>
+.RS 4
+The file specified contains the configuration details required by the server\&. The information in this file includes server\-specific information such as what printcap file to use, as well as descriptions of all the services that the server is to provide\&. See
+smb\&.conf
+for more information\&. The default configuration file name is determined at compile time\&.
+.RE
+.PP
+\-l|\-\-log\-basename=logdirectory
+.RS 4
+Base directory name for log/debug files\&. The extension
+\fB"\&.progname"\fR
+will be appended (e\&.g\&. log\&.smbclient, log\&.smbd, etc\&.\&.\&.)\&. The log file is never removed by the client\&.
+.RE
+.PP
+\-p <UDP port number>
+\-p|\-\-port <UDP port number>
 .RS 4
 UDP port number is a positive integer value\&. This option changes the default UDP port number (normally 137) that
 nmbd
 responds to name queries on\&. Don\*(Aqt use this option unless you are an expert, in which case you won\*(Aqt need help!
+.RE
+.PP
+\-\-no\-process\-group
+.RS 4
+Do not create a new process group for nmbd\&.
 .RE
 .SH "FILES"
 …
 .SH "SEE ALSO"
 .PP
 \fBinetd\fR(8),
 \fBsmbd\fR(8),
 \fBsmb.conf\fR(5),
 \fBsmbclient\fR(1),
+\fBtestparm\fR(1),
+\fBtestprns\fR(1), and the Internet RFC\*(Aqs
+\fBtestparm\fR(1), and the Internet RFC\*(Aqs
 rfc1001\&.txt,
 rfc1002\&.txt\&. In addition the CIFS (formerly SMB) specification is available as a link from the Web page

vendor/current/docs/manpages/nmblookup.1

-              r860
+              r988
 .\"     Title: nmblookup
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/>
 .\"      Date: 09/18/2013
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 05/02/2016
 .\"    Manual: User Commands
 .\"    Source: Samba 3.6
+.\"    Source: Samba 4.4
 .\"  Language: English
 .\"
 .TH "NMBLOOKUP" "1" "09/18/2013" "Samba 3\&.6" "User Commands"
+.TH "NMBLOOKUP" "1" "05/02/2016" "Samba 4\&.4" "User Commands"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 …
 .SH "SYNOPSIS"
 .HP \w'\ 'u
 nmblookup [\-M] [\-R] [\-S] [\-r] [\-A] [\-h] [\-B\ <broadcast\ address>] [\-U\ <unicast\ address>] [\-d\ <debug\ level>] [\-s\ <smb\ config\ file>] [\-i\ <NetBIOS\ scope>] [\-T] [\-f] {name}
+nmblookup [\-M|\-\-master\-browser] [\-R|\-\-recursion] [\-S|\-\-status] [\-r|\-\-root\-port] [\-A|\-\-lookup\-by\-ip] [\-B|\-\-broadcast\ <broadcast\ address>] [\-U|\-\-unicast\ <unicast\ address>] [\-d\ <debug\ level>] [\-s\ <smb\ config\ file>] [\-i\ <NetBIOS\ scope>] [\-T|\-\-translate] [\-f|\-\-flags] {name}
 .SH "DESCRIPTION"
 .PP
 …
 .SH "OPTIONS"
 .PP
 \-M
+\-M|\-\-master\-browser
 .RS 4
 Searches for a master browser by looking up the NetBIOS name
+Searches for a master browser by looking up the NetBIOS
 \fIname\fR
 with a type of
 …
 .RE
 .PP
 \-R
+\-R|\-\-recursion
 .RS 4
 Set the recursion desired bit in the packet to do a recursive lookup\&. This is used when sending a name query to a machine running a WINS server and the user wishes to query the names in the WINS server\&. If this bit is unset the normal (broadcast responding) NetBIOS processing code on a machine is used instead\&. See RFC1001, RFC1002 for details\&.
 .RE
 .PP
 \-S
+\-S|\-\-status
 .RS 4
 Once the name query has returned an IP address then do a node status query as well\&. A node status query returns the NetBIOS names registered by a host\&.
 .RE
 .PP
 \-r
+\-r|\-\-root\-port
 .RS 4
 Try and bind to UDP port 137 to send and receive UDP datagrams\&. The reason for this option is a bug in Windows 95 where it ignores the source port of the requesting packet and only replies to UDP port 137\&. Unfortunately, on most UNIX systems root privilege is needed to bind to this port, and in addition, if the
 …
 .RE
 .PP
 \-A
+\-A|\-\-lookup\-by\-ip
 .RS 4
 Interpret
 …
 .RE
 .PP
+\-n|\-\-netbiosname <primary NetBIOS name>
+.RS 4
+This option allows you to override the NetBIOS name that Samba uses for itself\&. This is identical to setting the
+\m[blue]\fBnetbios name\fR\m[]
+parameter in the
+smb\&.conf
+file\&. However, a command line setting will take precedence over settings in
+smb\&.conf\&.
+.RE
+.PP
+\-i|\-\-scope <scope>
+.RS 4
+This specifies a NetBIOS scope that
+nmblookup
+will use to communicate with when generating NetBIOS names\&. For details on the use of NetBIOS scopes, see rfc1001\&.txt and rfc1002\&.txt\&. NetBIOS scopes are
+\fIvery\fR
+rarely used, only set this parameter if you are the system administrator in charge of all the NetBIOS systems you communicate with\&.
+.RE
+.PP
+\-W|\-\-workgroup=domain
+.RS 4
+Set the SMB domain of the username\&. This overrides the default domain which is the domain defined in smb\&.conf\&. If the domain specified is the same as the servers NetBIOS name, it causes the client to log on using the servers local SAM (as opposed to the Domain SAM)\&.
+.RE
+.PP
+\-O|\-\-socket\-options socket options
+.RS 4
+TCP socket options to set on the client socket\&. See the socket options parameter in the
+smb\&.conf
+manual page for the list of valid options\&.
+.RE
+.PP
+\-h|\-\-help
+.RS 4
+Print a summary of command line options\&.
+.RE
+.PP
+\-B <broadcast address>
+\-B|\-\-broadcast <broadcast address>
 .RS 4
 Send the query to the given broadcast address\&. Without this option the default behavior of nmblookup is to send the query to the broadcast address of the network interfaces as either auto\-detected or defined in the
 …
 .RE
 .PP
 \-U <unicast address>
+\-U|\-\-unicast <unicast address>
 .RS 4
 Do a unicast query to the specified address or host
 …
 .RE
 .PP
+\-d|\-\-debuglevel=level
+.RS 4
+\fIlevel\fR
+is an integer from 0 to 10\&. The default value if this parameter is not specified is 0\&.
+.sp
+The higher this value, the more detail will be logged to the log files about the activities of the server\&. At level 0, only critical errors and serious warnings will be logged\&. Level 1 is a reasonable level for day\-to\-day running \- it generates a small amount of information about operations carried out\&.
+.sp
+Levels above 1 will generate considerable amounts of log data, and should only be used when investigating a problem\&. Levels above 3 are designed for use only by developers and generate HUGE amounts of log data, most of which is extremely cryptic\&.
+.sp
+Note that specifying this parameter here will override the
+\m[blue]\fBlog level\fR\m[]
+parameter in the
+smb\&.conf
+file\&.
+.RE
+.PP
+\-V|\-\-version
+.RS 4
+Prints the program version number\&.
+.RE
+.PP
+\-s|\-\-configfile <configuration file>
+.RS 4
+The file specified contains the configuration details required by the server\&. The information in this file includes server\-specific information such as what printcap file to use, as well as descriptions of all the services that the server is to provide\&. See
+smb\&.conf
+for more information\&. The default configuration file name is determined at compile time\&.
+.RE
+.PP
+\-l|\-\-log\-basename=logdirectory
+.RS 4
+Base directory name for log/debug files\&. The extension
+\fB"\&.progname"\fR
+will be appended (e\&.g\&. log\&.smbclient, log\&.smbd, etc\&.\&.\&.)\&. The log file is never removed by the client\&.
+.RE
+.PP
+\-T
+\-T|\-\-translate
 .RS 4
 This causes any IP addresses found in the lookup to be looked up via a reverse DNS lookup into a DNS name, and printed out before each
 …
 .RE
 .PP
 \-f
+\-f|\-\-flags
 .RS 4
 Show which flags apply to the name that has been looked up\&. Possible answers are zero or more of: Response, Authoritative, Truncated, Recursion_Desired, Recursion_Available, Broadcast\&.

vendor/current/docs/manpages/ntlm_auth.1

-              r860
+              r988
 .\"     Title: ntlm_auth
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/>
 .\"      Date: 09/18/2013
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 05/02/2016
 .\"    Manual: User Commands
 .\"    Source: Samba 3.6
+.\"    Source: Samba 4.4
 .\"  Language: English
 .\"
 .TH "NTLM_AUTH" "1" "09/18/2013" "Samba 3\&.6" "User Commands"
+.TH "NTLM_AUTH" "1" "05/02/2016" "Samba 4\&.4" "User Commands"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 …
 .SH "SYNOPSIS"
 .HP \w'\ 'u
 ntlm_auth [\-d\ debuglevel] [\-l\ logdir] [\-s\ <smb\ config\ file>]
+ntlm_auth
 .SH "DESCRIPTION"
 .PP
 …
 .RE
 .PP
+\-d|\-\-debuglevel=level
+.RS 4
+\fIlevel\fR
+is an integer from 0 to 10\&. The default value if this parameter is not specified is 0\&.
+.sp
+The higher this value, the more detail will be logged to the log files about the activities of the server\&. At level 0, only critical errors and serious warnings will be logged\&. Level 1 is a reasonable level for day\-to\-day running \- it generates a small amount of information about operations carried out\&.
+.sp
+Levels above 1 will generate considerable amounts of log data, and should only be used when investigating a problem\&. Levels above 3 are designed for use only by developers and generate HUGE amounts of log data, most of which is extremely cryptic\&.
+.sp
+Note that specifying this parameter here will override the
+\m[blue]\fBlog level\fR\m[]
+parameter in the
+smb\&.conf
+file\&.
+.RE
+.PP
+\-V|\-\-version
+.RS 4
+Prints the program version number\&.
+.RE
+.PP
+\-s|\-\-configfile <configuration file>
+.RS 4
+The file specified contains the configuration details required by the server\&. The information in this file includes server\-specific information such as what printcap file to use, as well as descriptions of all the services that the server is to provide\&. See
+smb\&.conf
+for more information\&. The default configuration file name is determined at compile time\&.
+.RE
+.PP
+\-l|\-\-log\-basename=logdirectory
+.RS 4
+Base directory name for log/debug files\&. The extension
+\fB"\&.progname"\fR
+will be appended (e\&.g\&. log\&.smbclient, log\&.smbd, etc\&.\&.\&.)\&. The log file is never removed by the client\&.
+.RE
+.PP
+\-h|\-\-help
+.RS 4
+Print a summary of command line options\&.
+\-\-pam\-winbind\-conf=FILENAME
+.RS 4
+Define the path to the pam_winbind\&.conf file\&.
+.RE
+.PP
+\-\-target\-hostname=HOSTNAME
+.RS 4
+Define the target hostname\&.
+.RE
+.PP
+\-\-target\-service=SERVICE
+.RS 4
+Define the target service\&.
+.RE
+.PP
+\-\-use\-cached\-creds
+.RS 4
+Whether to use credentials cached by winbindd\&.
+.RE
+.PP
+\-\-offline\-logon
+.RS 4
+Allow offline logons for plain text auth\&.
+.RE
+.PP
+\-\-configfile=<configuration file>
+.RS 4
+The file specified contains the configuration details required by the server\&. The information in this file includes server\-specific information such as what printcap file to use, as well as descriptions of all the services that the server is to provide\&. See for more information\&. The default configuration file name is determined at compile time\&.
 .RE
 .SH "EXAMPLE SETUP"

vendor/current/docs/manpages/pam_winbind.8

-              r860
+              r988
 .\"     Title: pam_winbind
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/>
 .\"      Date: 09/18/2013
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 05/02/2016
 .\"    Manual: 8
 .\"    Source: Samba 3.6
+.\"    Source: Samba 4.4
 .\"  Language: English
 .\"
 .TH "PAM_WINBIND" "8" "09/18/2013" "Samba 3\&.6" "8"
+.TH "PAM_WINBIND" "8" "05/02/2016" "Samba 4\&.4" "8"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 …
 \fIMYDOMAIN\e\emyuser\fR\&. pam_winbind will, in that case, lookup the SID internally\&. Note that NAME may not contain any spaces\&. It is thus recommended to only use SIDs\&. You can verify the list of SIDs a user is a member of with
 wbinfo \-\-user\-sids=SID\&.
+.sp
+This option must only be specified on a auth module declaration, as it only operates in conjunction with password authentication\&.
 .RE
 .PP
 …
 cached_login
 .RS 4
 Winbind allows to logon using cached credentials when
+Winbind allows one to logon using cached credentials when
 \fIwinbind offline logon\fR
 is enabled\&. To use this feature from the PAM module this option must be set\&.

vendor/current/docs/manpages/pam_winbind.conf.5

-              r860
+              r988
 .\"     Title: pam_winbind.conf
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/>
 .\"      Date: 09/18/2013
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 05/02/2016
 .\"    Manual: 5
 .\"    Source: Samba 3.6
+.\"    Source: Samba 4.4
 .\"  Language: English
 .\"
 .TH "PAM_WINBIND\&.CONF" "5" "09/18/2013" "Samba 3\&.6" "5"
+.TH "PAM_WINBIND\&.CONF" "5" "05/02/2016" "Samba 4\&.4" "5"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 …
 \fIMYDOMAIN\e\emyuser\fR\&. pam_winbind will, in that case, lookup the SID internally\&. Note that NAME may not contain any spaces\&. It is thus recommended to only use SIDs\&. You can verify the list of SIDs a user is a member of with
 wbinfo \-\-user\-sids=SID\&. This setting is empty by default\&.
+.sp
+This option only operates during password authentication, and will not restrict access if a password is not required for any reason (such as SSH key\-based login)\&.
 .RE
 .PP
 …
 When pam_winbind is configured to try kerberos authentication by enabling the
 \fIkrb5_auth\fR
+option, it can store the retrieved Ticket Granting Ticket (TGT) in a credential cache\&. The type of credential cache can be set with this option\&. Currently the only supported value is:
+\fIFILE\fR\&. In that case a credential cache in the form of /tmp/krb5cc_UID will be created, where UID is replaced with the numeric user id\&. Leave empty to just do kerberos authentication without having a ticket cache after the logon has succeeded\&. This setting is empty by default\&.
+option, it can store the retrieved Ticket Granting Ticket (TGT) in a credential cache\&. The type of credential cache can be controlled with this option\&. The supported values are:
+\fIKEYRING\fR
+(when supported by the system\*(Aqs Kerberos library and Kernel),
+\fIFILE\fR
+and
+\fIDIR\fR
+(when the DIR type is supported by the system\*(Aqs Kerberos library)\&. In case of FILE a credential cache in the form of /tmp/krb5cc_UID will be created \- in case of DIR you NEED to specify a directory\&. UID is replaced with the numeric user id\&.
+.sp
+When using the KEYRING type, the supported mechanism is
+\(lqKEYRING:persistent:UID\(rq, which uses the Linux kernel keyring to store credentials on a per\-UID basis\&. This is the recommended choice on latest Linux distributions, as it is the most secure and predictable method\&.
+.sp
+It is also possible to define custom filepaths and use the "%u" pattern in order to substitue the numeric user id\&. Examples:
+.PP
+krb5_ccache_type = DIR:/run/user/%u/krb5cc
+.RS 4
+This will create a credential cache file in the specified directory\&.
+.RE
+.PP
+krb5_ccache_type = FILE:/tmp/krb5cc_%u
+.RS 4
+This will create a credential cache file\&.
+.RE
+.sp
+Leave empty to just do kerberos authentication without having a ticket cache after the logon has succeeded\&. This setting is empty by default\&.
 .RE
 .PP
 cached_login = yes|no
 .RS 4
 Winbind allows to logon using cached credentials when
+Winbind allows one to logon using cached credentials when
 \fIwinbind offline logon\fR
 is enabled\&. To use this feature from the PAM module this option must be set\&. Defaults to "no"\&.

vendor/current/docs/manpages/pdbedit.8

-              r860
+              r988
 .\"     Title: pdbedit
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/>
 .\"      Date: 09/18/2013
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 05/02/2016
 .\"    Manual: System Administration tools
 .\"    Source: Samba 3.6
+.\"    Source: Samba 4.4
 .\"  Language: English
 .\"
 .TH "PDBEDIT" "8" "09/18/2013" "Samba 3\&.6" "System Administration tools"
+.TH "PDBEDIT" "8" "05/02/2016" "Samba 4\&.4" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 …
 .SH "SYNOPSIS"
 .HP \w'\ 'u
 pdbedit [\-a] [\-b\ passdb\-backend] [\-c\ account\-control] [\-C\ value] [\-d\ debuglevel] [\-D\ drive] [\-e\ passdb\-backend] [\-f\ fullname] [\-\-force\-initialized\-passwords] [\-g] [\-h\ homedir] [\-i\ passdb\-backend] [\-I\ domain] [\-K] [\-L] [\-m] [\-M\ SID|RID] [\-N\ description] [\-P\ account\-policy] [\-p\ profile] [\-\-policies\-reset] [\-r] [\-s\ configfile] [\-S\ script] [\-t] [\-\-time\-format] [\-u\ username] [\-U\ SID|RID] [\-v] [\-V] [\-w] [\-x] [\-y] [\-z] [\-Z]
+pdbedit [\-a] [\-b\ passdb\-backend] [\-c\ account\-control] [\-C\ value] [\-d\ debuglevel] [\-D\ drive] [\-e\ passdb\-backend] [\-f\ fullname] [\-\-force\-initialized\-passwords] [\-g] [\-h\ homedir] [\-i\ passdb\-backend] [\-I\ domain] [\-K] [\-L] [\-m] [\-M\ SID|RID] [\-N\ description] [\-P\ account\-policy] [\-p\ profile] [\-\-policies\-reset] [\-r] [\-s\ configfile] [\-S\ script] [\-\-set\-nt\-hash] [\-t] [\-\-time\-format] [\-u\ username] [\-U\ SID|RID] [\-v] [\-V] [\-w] [\-x] [\-y] [\-z] [\-Z]
 .SH "DESCRIPTION"
 .PP
 …
 \-v|\-\-verbose
 .RS 4
 This option enables the verbose listing format\&. It causes pdbedit to list the users in the database, printing out the account fields in a descriptive format\&.
+This option enables the verbose listing format\&. It causes pdbedit to list the users in the database, printing out the account fields in a descriptive format\&. Used together with \-w also shows passwords hashes\&.
 .sp
 Example:
 …
 file format\&. (see the
 \fBsmbpasswd\fR(5)
 for details)
+for details)\&. Instead used together with (\-v) displays the passwords hashes in verbose output\&.
 .sp
 Example:
 …
 .RE
 .PP
+\-\-set\-nt\-hash
+.RS 4
+This option can be used while modifying a user account\&. It will set the user\*(Aqs password using the nt\-hash value given as hexadecimal string\&. Useful to synchronize passwords\&.
+.sp
+Example:
+\-\-set\-nt\-hash 8846F7EAEE8FB117AD06BDD830B7586C
+.RE
+.PP
 \-p|\-\-profile profile
 .RS 4
 …
 .RS 4
 This option can be used while adding or modifying a user account\&. It will specify the users\*(Aq account control property\&. Possible flags are listed below\&.
-.sp
 .sp
 .RS 4
 …
 .ps -1
 .br
 pdbedit does not call the unix password syncronisation script if
+pdbedit does not call the unix password synchronization script if
 \m[blue]\fBunix password sync\fR\m[]
 has been set\&. It only updates the data in the Samba user database\&.
 …
 applies to the account policies instead of the user database\&.
 .sp
 This option will allow to migrate account policies from their default tdb\-store into a passdb backend, e\&.g\&. an LDAP directory server\&.
+This option will allow one to migrate account policies from their default tdb\-store into a passdb backend, e\&.g\&. an LDAP directory server\&.
 .sp
 Example:
 …
 .RS 4
 This option is currently not being used\&.
-.RE
-.PP
-\-h|\-\-help
-.RS 4
-Print a summary of command line options\&.
-.RE
-.PP
-\-d|\-\-debuglevel=level
-.RS 4
-\fIlevel\fR
-is an integer from 0 to 10\&. The default value if this parameter is not specified is 0\&.
-.sp
-The higher this value, the more detail will be logged to the log files about the activities of the server\&. At level 0, only critical errors and serious warnings will be logged\&. Level 1 is a reasonable level for day\-to\-day running \- it generates a small amount of information about operations carried out\&.
-.sp
-Levels above 1 will generate considerable amounts of log data, and should only be used when investigating a problem\&. Levels above 3 are designed for use only by developers and generate HUGE amounts of log data, most of which is extremely cryptic\&.
-.sp
-Note that specifying this parameter here will override the
-\m[blue]\fBlog level\fR\m[]
-parameter in the
-smb\&.conf
-file\&.
-.RE
-.PP
-\-V|\-\-version
-.RS 4
-Prints the program version number\&.
-.RE
-.PP
-\-s|\-\-configfile <configuration file>
-.RS 4
-The file specified contains the configuration details required by the server\&. The information in this file includes server\-specific information such as what printcap file to use, as well as descriptions of all the services that the server is to provide\&. See
-smb\&.conf
-for more information\&. The default configuration file name is determined at compile time\&.
-.RE
-.PP
-\-l|\-\-log\-basename=logdirectory
-.RS 4
-Base directory name for log/debug files\&. The extension
-\fB"\&.progname"\fR
-will be appended (e\&.g\&. log\&.smbclient, log\&.smbd, etc\&.\&.\&.)\&. The log file is never removed by the client\&.
 .RE
 .SH "NOTES"

vendor/current/docs/manpages/profiles.1

-              r860
+              r988
 .\"     Title: profiles
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/>
 .\"      Date: 09/18/2013
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 05/02/2016
 .\"    Manual: User Commands
 .\"    Source: Samba 3.6
+.\"    Source: Samba 4.4
 .\"  Language: English
 .\"
 .TH "PROFILES" "1" "09/18/2013" "Samba 3\&.6" "User Commands"
+.TH "PROFILES" "1" "05/02/2016" "Samba 4\&.4" "User Commands"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 …
 .SH "SYNOPSIS"
 .HP \w'\ 'u
 profiles [\-v] [\-c\ SID] [\-n\ SID] {file}
+profiles [\-v] [\-c|\-\-change\-sid\ SID] [\-n|\-\-new\-sid\ SID] {file}
 .SH "DESCRIPTION"
 .PP
 …
 .RE
 .PP
 \-c SID1 \-n SID2
+\-c SID1 \-n SID2, \-\-change\-sid SID1 \-\-new\-sid SID2
 .RS 4
 Change all occurrences of SID1 in
 file
 by SID2\&.
-.RE
-.PP
-\-h|\-\-help
-.RS 4
-Print a summary of command line options\&.
 .RE
 .SH "VERSION"

vendor/current/docs/manpages/rpcclient.1

-              r860
+              r988
 .\"     Title: rpcclient
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/>
 .\"      Date: 09/18/2013
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 05/02/2016
 .\"    Manual: User Commands
 .\"    Source: Samba 3.6
+.\"    Source: Samba 4.4
 .\"  Language: English
 .\"
 .TH "RPCCLIENT" "1" "09/18/2013" "Samba 3\&.6" "User Commands"
+.TH "RPCCLIENT" "1" "05/02/2016" "Samba 4\&.4" "User Commands"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 …
 .SH "SYNOPSIS"
 .HP \w'\ 'u
 rpcclient [\-A\ authfile] [\-c\ <command\ string>] [\-d\ debuglevel] [\-h] [\-l\ logdir] [\-N] [\-s\ <smb\ config\ file>] [\-U\ username[%password]] [\-W\ workgroup] [\-I\ destinationIP] {server}
+rpcclient [\-A\ authfile] [\-c\ <command\ string>] [\-d\ debuglevel] [\-l\ logdir] [\-N] [\-s\ <smb\ config\ file>] [\-U\ username[%password]] [\-W\ workgroup] [\-I\ destinationIP] {server}
 .SH "DESCRIPTION"
 .PP
 …
 This number is the TCP port number that will be used when making connections to the server\&. The standard (well\-known) TCP port number for an SMB/CIFS server is 139, which is the default\&.
 .RE
-.PP
-\-d|\-\-debuglevel=level
-.RS 4
-\fIlevel\fR
-is an integer from 0 to 10\&. The default value if this parameter is not specified is 0\&.
-.sp
-The higher this value, the more detail will be logged to the log files about the activities of the server\&. At level 0, only critical errors and serious warnings will be logged\&. Level 1 is a reasonable level for day\-to\-day running \- it generates a small amount of information about operations carried out\&.
-.sp
-Levels above 1 will generate considerable amounts of log data, and should only be used when investigating a problem\&. Levels above 3 are designed for use only by developers and generate HUGE amounts of log data, most of which is extremely cryptic\&.
-.sp
-Note that specifying this parameter here will override the
-\m[blue]\fBlog level\fR\m[]
-parameter in the
-smb\&.conf
-file\&.
-.RE
-.PP
-\-V|\-\-version
-.RS 4
-Prints the program version number\&.
-.RE
-.PP
-\-s|\-\-configfile <configuration file>
-.RS 4
-The file specified contains the configuration details required by the server\&. The information in this file includes server\-specific information such as what printcap file to use, as well as descriptions of all the services that the server is to provide\&. See
-smb\&.conf
-for more information\&. The default configuration file name is determined at compile time\&.
-.RE
-.PP
-\-l|\-\-log\-basename=logdirectory
-.RS 4
-Base directory name for log/debug files\&. The extension
-\fB"\&.progname"\fR
-will be appended (e\&.g\&. log\&.smbclient, log\&.smbd, etc\&.\&.\&.)\&. The log file is never removed by the client\&.
-.RE
-.PP
-\-N|\-\-no\-pass
-.RS 4
-If specified, this parameter suppresses the normal password prompt from the client to the user\&. This is useful when accessing a service that does not require a password\&.
-.sp
-Unless a password is specified on the command line or this parameter is specified, the client will request a password\&.
-.sp
-If a password is specified on the command line and this option is also defined the password on the command line will be silently ingnored and no password will be used\&.
-.RE
-.PP
-\-k|\-\-kerberos
-.RS 4
-Try to authenticate with kerberos\&. Only useful in an Active Directory environment\&.
-.RE
-.PP
-\-C|\-\-use\-ccache
-.RS 4
-Try to use the credentials cached by winbind\&.
-.RE
-.PP
-\-A|\-\-authentication\-file=filename
-.RS 4
-This option allows you to specify a file from which to read the username and password used in the connection\&. The format of the file is
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
-username = <value>
-password = <value>
-domain   = <value>
-.fi
-.if n \{\
-.RE
-.\}
-.sp
-Make certain that the permissions on the file restrict access from unwanted users\&.
-.RE
-.PP
-\-U|\-\-user=username[%password]
-.RS 4
-Sets the SMB username or username and password\&.
-.sp
-If %password is not specified, the user will be prompted\&. The client will first check the
-\fBUSER\fR
-environment variable, then the
-\fBLOGNAME\fR
-variable and if either exists, the string is uppercased\&. If these environmental variables are not found, the username
-\fBGUEST\fR
-is used\&.
-.sp
-A third option is to use a credentials file which contains the plaintext of the username and password\&. This option is mainly provided for scripts where the admin does not wish to pass the credentials on the command line or via environment variables\&. If this method is used, make certain that the permissions on the file restrict access from unwanted users\&. See the
-\fI\-A\fR
-for more details\&.
-.sp
-Be cautious about including passwords in scripts\&. Also, on many systems the command line of a running process may be seen via the
-ps
-command\&. To be safe always allow
-rpcclient
-to prompt for a password and type it in directly\&.
-.RE
-.PP
-\-n|\-\-netbiosname <primary NetBIOS name>
-.RS 4
-This option allows you to override the NetBIOS name that Samba uses for itself\&. This is identical to setting the
-\m[blue]\fBnetbios name\fR\m[]
-parameter in the
-smb\&.conf
-file\&. However, a command line setting will take precedence over settings in
-smb\&.conf\&.
-.RE
-.PP
-\-i|\-\-scope <scope>
-.RS 4
-This specifies a NetBIOS scope that
-nmblookup
-will use to communicate with when generating NetBIOS names\&. For details on the use of NetBIOS scopes, see rfc1001\&.txt and rfc1002\&.txt\&. NetBIOS scopes are
-\fIvery\fR
-rarely used, only set this parameter if you are the system administrator in charge of all the NetBIOS systems you communicate with\&.
-.RE
-.PP
-\-W|\-\-workgroup=domain
-.RS 4
-Set the SMB domain of the username\&. This overrides the default domain which is the domain defined in smb\&.conf\&. If the domain specified is the same as the servers NetBIOS name, it causes the client to log on using the servers local SAM (as opposed to the Domain SAM)\&.
-.RE
-.PP
-\-O|\-\-socket\-options socket options
-.RS 4
-TCP socket options to set on the client socket\&. See the socket options parameter in the
-smb\&.conf
-manual page for the list of valid options\&.
-.RE
-.PP
-\-h|\-\-help
-.RS 4
-Print a summary of command line options\&.
-.RE
 .SH "COMMANDS"
 .SS "LSARPC"
 …
 .RE
 .PP
 enumtrusts
+enumtrust
 .RS 4
 Enumerate trusted domains
 …
 .RE
 .PP
+netshareenumall
+.RS 4
+Enumerate all shares
+.RE
+.PP
+netsharegetinfo
+.RS 4
+Get Share Info
+.RE
+.PP
+netsharesetinfo
+.RS 4
+Set Share Info
+.RE
+.PP
+netsharesetdfsflags
+.RS 4
+Set DFS flags
+.RE
+.PP
 netfileenum
 .RS 4
 …
 .RS 4
 Fetch remote time of day
+.RE
+.PP
+netnamevalidate
+.RS 4
+Validate sharename
+.RE
+.PP
+netfilegetsec
+.RS 4
+Get File security
+.RE
+.PP
+netsessdel
+.RS 4
+Delete Session
+.RE
+.PP
+netsessenum
+.RS 4
+Enumerate Sessions
+.RE
+.PP
+netdiskenum
+.RS 4
+Enumerate Disks
+.RE
+.PP
+netconnenum
+.RS 4
+Enumerate Connections
+.RE
+.PP
+netshareadd
+.RS 4
+Add share
+.RE
+.PP
+netsharedel
+.RS 4
+Delete share
 .RE
 .SS "SAMR"
 …
 .\}
 .nf
 Long Printer Name:\e
+Long Driver Name:\e
 Driver File Name:\e
 Data File Name:\e
 …
 .RE
 .PP
+deldriverex <driver> [architecture] [version]
+.RS 4
+Delete the specified printer driver including driver files\&. You can limit this action to a specific architecture and a specific version\&. If no architecure is given, all driver files of that driver will be deleted\&.
+deldriverex <driver> [architecture] [version] [flags]
+.RS 4
+Delete the specified printer driver and optionally files associated with the driver\&. You can limit this action to a specific architecture and a specific version\&. If no architecture is given, all driver files of that driver will be deleted\&.
+\fIflags\fR
+correspond to numeric DPD_* values, i\&.e\&. a value of 3 requests (DPD_DELETE_UNUSED_FILES | DPD_DELETE_SPECIFIC_VERSION)\&.
 .RE
 .PP
 …
 Sam Logon
 .RE
+.SS "FSRVP"
+.PP
+fss_is_path_sup <share>
+.RS 4
+Check whether a share supports shadow\-copy requests
+.RE
+.PP
+fss_get_sup_version
+.RS 4
+Get supported FSRVP version from server
+.RE
+.PP
+fss_create_expose <context> <[ro|rw]> <share1> [share2] \&.\&.\&. [shareN]
+.RS 4
+Request shadow\-copy creation and exposure as a new share
+.RE
+.PP
+fss_delete <base_share> <shadow_copy_set_id> <shadow_copy_id>
+.RS 4
+Request shadow\-copy share deletion
+.RE
+.PP
+fss_has_shadow_copy <base_share>
+.RS 4
+Check for an associated share shadow\-copy
+.RE
+.PP
+fss_get_mapping <base_share> <shadow_copy_set_id> <shadow_copy_id>
+.RS 4
+Get shadow\-copy share mapping information
+.RE
+.PP
+fss_recovery_complete <shadow_copy_set_id>
+.RS 4
+Flag read\-write shadow\-copy as recovery complete, allowing further shadow\-copy requests
+.RE
 .SS "GENERAL COMMANDS"
 .PP

vendor/current/docs/manpages/samba.7

-              r860
+              r988
 .\"     Title: samba
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/>
 .\"      Date: 09/18/2013
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 05/02/2016
 .\"    Manual: Miscellanea
 .\"    Source: Samba 3.6
+.\"    Source: Samba 4.4
 .\"  Language: English
 .\"
 .TH "SAMBA" "7" "09/18/2013" "Samba 3\&.6" "Miscellanea"
+.TH "SAMBA" "7" "05/02/2016" "Samba 4\&.4" "Miscellanea"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 …
 .\" -----------------------------------------------------------------
 .SH "NAME"
 samba \- A Windows SMB/CIFS fileserver for UNIX
+samba \- A Windows AD and SMB/CIFS fileserver for UNIX
 .SH "SYNOPSIS"
 .HP \w'\ 'u
 …
 .SH "DESCRIPTION"
 .PP
 The Samba software suite is a collection of programs that implements the Server Message Block (commonly abbreviated as SMB) protocol for UNIX systems\&. This protocol is sometimes also referred to as the Common Internet File System (CIFS)\&. For a more thorough description, see
+The Samba software suite is a collection of programs that implements the Server Message Block (commonly abbreviated as SMB) protocol for UNIX systems and provides Active Directory services\&. This protocol is sometimes also referred to as the Common Internet File System (CIFS)\&. For a more thorough description, see
 http://www\&.ubiqx\&.org/cifs/\&. Samba also implements the NetBIOS protocol in nmbd\&.
+.PP
+\fBsamba\fR(8)
+.RS 4
+The
+samba
+daemon provides the Active Directory services and file and print services to SMB clients\&. The configuration file for this daemon is described in
+\fBsmb.conf\fR(5)\&.
+.RE
 .PP
 \fBsmbd\fR(8)
 …
 smbd
 daemon provides the file and print services to SMB clients, such as Windows 95/98, Windows NT, Windows for Workgroups or LanManager\&. The configuration file for this daemon is described in
 \fBsmb.conf\fR(5)
+\fBsmb.conf\fR(5)\&.
 .RE
 .PP
 …
 nmbd
 daemon provides NetBIOS nameservice and browsing support\&. The configuration file for this daemon is described in
+\fBsmb.conf\fR(5)
+\fBsmb.conf\fR(5)\&.
+.RE
+.PP
+\fBwinbindd\fR(8)
+.RS 4
+winbindd
+is a daemon that is used for integrating authentication and the user database into unix\&.
 .RE
 .PP
 …
 smbclient
 program implements a simple ftp\-like client\&. This is useful for accessing SMB shares on other compatible servers (such as Windows NT), and can also be used to allow a UNIX box to print to a printer attached to any SMB server (such as a PC running Windows NT)\&.
+.RE
+.PP
+\fBsamba-tool\fR(8)
+.RS 4
+The
+samba\-tool
+is the main Samba Administration tool regarding Active Directory services\&.
 .RE
 .PP
 …
 .RE
 .PP
-\fBtestprns\fR(1)
-.RS 4
-The
-testprns
-utility supports testing printer names defined in your
-printcap
-file used by Samba\&.
-.RE
-.PP
 \fBsmbstatus\fR(1)
 .RS 4
 …
 .RE
 .PP
-\fBsmbsh\fR(1)
-.RS 4
-The
-smbsh
-command is a program that allows you to run a unix shell with with an overloaded VFS\&.
-.RE
-.PP
 \fBsmbtree\fR(1)
 .RS 4
 …
 .RS 4
 smbcontrol
+is a utility that can change the behaviour of running samba daemons\&.
+is a utility that can change the behaviour of running
+smbd,
+nmbd
+and
+winbindd
+daemons\&.
 .RE
 .PP
 …
 .RE
 .PP
-\fBswat\fR(8)
-.RS 4
-swat
-is a web\-based interface to configuring
-smb\&.conf\&.
-.RE
-.PP
-\fBwinbindd\fR(8)
-.RS 4
-winbindd
-is a daemon that is used for integrating authentication and the user database into unix\&.
-.RE
-.PP
 \fBwbinfo\fR(1)
 .RS 4
 …
 ntlm_auth
 is a helper\-utility for external programs wanting to do NTLM\-authentication\&.
-.RE
-.PP
-\fBsmbmount\fR(8), \fBsmbumount\fR(8), \fBsmbmnt\fR(8)
-.RS 4
-smbmount,smbumount
-and
-smbmnt
-are commands that can be used to mount CIFS/SMB shares on Linux\&.
 .RE
 .PP
 …
 .SH "VERSION"
 .PP
 This man page is correct for version 3 of the Samba suite\&.
+This man page is correct for version 4 of the Samba suite\&.
 .SH "CONTRIBUTIONS"
 .PP
 …
 http://devel\&.samba\&.org/
 for information on how to do it properly\&. We prefer patches in
+diff \-u
+git format\-patch
 format\&.
 .SH "CONTRIBUTORS"
 …
 change\-log
 in the source package for the pre\-CVS changes and at
 http://cvs\&.samba\&.org/
 for the contributors to Samba post\-CVS\&. CVS is the Open Source source code control system used by the Samba Team to develop Samba\&. The project would have been unmanageable without it\&.
+http://git\&.samba\&.org/
+for the contributors to Samba post\-GIT\&. GIT is the Open Source source code control system used by the Samba Team to develop Samba\&. The project would have been unmanageable without it\&.
 .SH "AUTHOR"
 .PP

vendor/current/docs/manpages/sharesec.1

-              r860
+              r988
 .\"     Title: sharesec
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/>
 .\"      Date: 09/18/2013
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 05/02/2016
 .\"    Manual: User Commands
 .\"    Source: Samba 3.6
+.\"    Source: Samba 4.4
 .\"  Language: English
 .\"
 .TH "SHARESEC" "1" "09/18/2013" "Samba 3\&.6" "User Commands"
+.TH "SHARESEC" "1" "05/02/2016" "Samba 4\&.4" "User Commands"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 …
 .SH "SYNOPSIS"
 .HP \w'\ 'u
 sharesec {sharename} [\-r,\ \-\-remove=ACL] [\-m,\ \-\-modify=ACL] [\-a,\ \-\-add=ACL] [\-R,\ \-\-replace=ACLs] [\-D,\ \-\-delete] [\-v,\ \-\-view] [\-M,\ \-\-machine\-sid] [\-F,\ \-\-force] [\-d,\ \-\-debuglevel=DEBUGLEVEL] [\-s,\ \-\-configfile=CONFIGFILE] [\-l,\ \-\-log\-basename=LOGFILEBASE] [\-V,\ \-\-version] [\-?,\ \-\-help] [\-\-usage]
+sharesec {sharename} [\-r,\ \-\-remove=ACL] [\-m,\ \-\-modify=ACL] [\-a,\ \-\-add=ACL] [\-R,\ \-\-replace=ACLs] [\-D,\ \-\-delete] [\-v,\ \-\-view] [\-\-view\-all] [\-M,\ \-\-machine\-sid] [\-F,\ \-\-force] [\-d,\ \-\-debuglevel=DEBUGLEVEL] [\-s,\ \-\-configfile=CONFIGFILE] [\-l,\ \-\-log\-basename=LOGFILEBASE] [\-\-version] [\-?,\ \-\-help] [\-\-usage] [\-S,\ \-\-setsddl=STRING] [\-V,\ \-\-viewsddl]
 .SH "DESCRIPTION"
 .PP
 …
 .RE
 .PP
+\-h|\-\-help
+.RS 4
+Print a summary of command line options\&.
+.RE
+.PP
+\-d|\-\-debuglevel=level
+.RS 4
+\fIlevel\fR
+is an integer from 0 to 10\&. The default value if this parameter is not specified is 0\&.
+.sp
+The higher this value, the more detail will be logged to the log files about the activities of the server\&. At level 0, only critical errors and serious warnings will be logged\&. Level 1 is a reasonable level for day\-to\-day running \- it generates a small amount of information about operations carried out\&.
+.sp
+Levels above 1 will generate considerable amounts of log data, and should only be used when investigating a problem\&. Levels above 3 are designed for use only by developers and generate HUGE amounts of log data, most of which is extremely cryptic\&.
+.sp
+Note that specifying this parameter here will override the
+\m[blue]\fBlog level\fR\m[]
+parameter in the
+smb\&.conf
+file\&.
+.RE
+.PP
+\-V|\-\-version
+.RS 4
+Prints the program version number\&.
+.RE
+.PP
+\-s|\-\-configfile <configuration file>
+.RS 4
+The file specified contains the configuration details required by the server\&. The information in this file includes server\-specific information such as what printcap file to use, as well as descriptions of all the services that the server is to provide\&. See
+smb\&.conf
+for more information\&. The default configuration file name is determined at compile time\&.
+.RE
+.PP
+\-l|\-\-log\-basename=logdirectory
+.RS 4
+Base directory name for log/debug files\&. The extension
+\fB"\&.progname"\fR
+will be appended (e\&.g\&. log\&.smbclient, log\&.smbd, etc\&.\&.\&.)\&. The log file is never removed by the client\&.
+\-v|\-\-view
+.RS 4
+List a share acl
+.RE
+.PP
+\-\-view\-all
+.RS 4
+List all share acls
+.RE
+.PP
+\-S|\-\-setsddl=STRING
+.RS 4
+Set security descriptor by providing ACL in SDDL format\&.
+.RE
+.PP
+\-V|\-\-viewsddl
+.RS 4
+List a share acl in SDDL format\&.
 .RE
 .SH "ACL FORMAT"
 …
 The revision of the ACL specifies the internal Windows NT ACL revision for the security descriptor\&. If not specified it defaults to 1\&. Using values other than 1 may cause strange behaviour\&.
 .PP
 The owner and group specify the owner and group SIDs for the object\&. If a SID in the format S\-1\-x\-y\-z is specified this is used, otherwise the name specified is resolved using the server on which the file or directory resides\&.
+The owner and group specify the owner and group SIDs for the object\&. Share ACLs do not specify an owner or a group, so these fields are empty\&.
 .PP
 ACLs specify permissions granted to the SID\&. This SID can be specified in S\-1\-x\-y\-z format or as a name in which case it is resolved against the server on which the file or directory resides\&. The type, flags and mask values determine the type of access granted to the SID\&.
 …
         host:~ # sharesec share \-v
         REVISION:1
+        OWNER:(NULL SID)
+        GROUP:(NULL SID)
+        ACL:S\-1\-1\-0:ALLOWED/0/0x101f01ff
+        ACL:S\-1\-5\-21\-1866488690\-1365729215\-3963860297\-17724:ALLOWED/0/FULL
+        CONTROL:SR|DP
+        OWNER:
+        GROUP:
+        ACL:S\-1\-1\-0:ALLOWED/0x0/FULL
+        ACL:S\-1\-5\-21\-1866488690\-1365729215\-3963860297\-17724:ALLOWED/0x0/FULL
 .fi

vendor/current/docs/manpages/smb.conf.5

-              r860
+              r988
 .\"     Title: smb.conf
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/>
 .\"      Date: 09/18/2013
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 05/02/2016
 .\"    Manual: File Formats and Conventions
 .\"    Source: Samba 3.6
+.\"    Source: Samba 4.4
 .\"  Language: English
 .\"
 .TH "SMB\&.CONF" "5" "09/18/2013" "Samba 3\&.6" "File Formats and Conventions"
+.TH "SMB\&.CONF" "5" "05/02/2016" "Samba 4\&.4" "File Formats and Conventions"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 …
 file is a configuration file for the Samba suite\&.
 smb\&.conf
+contains runtime configuration information for the Samba programs\&. The
+smb\&.conf
+file is designed to be configured and administered by the
+\fBswat\fR(8)
+program\&. The complete description of the file format and possible parameters held within are here for reference purposes\&.
+contains runtime configuration information for the Samba programs\&. The complete description of the file format and possible parameters held within are here for reference purposes\&.
 .SH "FILE FORMAT"
 .PP
 …
 %R
 .RS 4
 the selected protocol level after protocol negotiation\&. It can be one of CORE, COREPLUS, LANMAN1, LANMAN2 or NT1\&.
+the selected protocol level after protocol negotiation\&. It can be one of CORE, COREPLUS, LANMAN1, LANMAN2, NT1, SMB2_02, SMB2_10, SMB2_22, SMB2_24, SMB3_00, SMB3_02, SMB3_10, SMB3_11 or SMB2_FF\&.
 .RE
 .PP
 …
 the IP address of the client machine\&.
 .sp
 Before 3\&.6\&.0 it could contain IPv4 mapped IPv6 addresses, now it only contains IPv4 or IPv6 addresses\&.
+Before 4\&.0\&.0 it could contain IPv4 mapped IPv6 addresses, now it only contains IPv4 or IPv6 addresses\&.
 .RE
 .PP
 …
 the local IP address to which a client connected\&.
 .sp
 Before 3\&.6\&.0 it could contain IPv4 mapped IPv6 addresses, now it only contains IPv4 or IPv6 addresses\&.
+Before 4\&.0\&.0 it could contain IPv4 mapped IPv6 addresses, now it only contains IPv4 or IPv6 addresses\&.
 .RE
 .PP
 …
 .PP
 By default, Samba 3\&.0 has the same semantics as a Windows NT server, in that it is case insensitive but case preserving\&. As a special case for directories with large numbers of files, if the case options are set as follows, "case sensitive = yes", "case preserve = no", "short preserve case = no" then the "default case" option will be applied and will modify all filenames sent from the client when accessing this share\&.
-.SH "NOTE ABOUT USERNAME/PASSWORD VALIDATION"
-.PP
-There are a number of ways in which a user can connect to a service\&. The server uses the following steps in determining if it will allow a connection to a specified service\&. If all the steps fail, the connection request is rejected\&. However, if one of the steps succeeds, the following steps are not checked\&.
-.PP
-If the service is marked
-\(lqguest only = yes\(rq
-and the server is running with share\-level security (\(lqsecurity = share\(rq, steps 1 to 5 are skipped\&.
-.sp
-.RS 4
-.ie n \{\
-\h'-04' 1.\h'+01'\c
-.\}
-.el \{\
-.sp -1
-.IP "  1." 4.2
-.\}
-If the client has passed a username/password pair and that username/password pair is validated by the UNIX system\*(Aqs password programs, the connection is made as that username\&. This includes the
-\e\eserver\eservice%\fIusername\fR
-method of passing a username\&.
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04' 2.\h'+01'\c
-.\}
-.el \{\
-.sp -1
-.IP "  2." 4.2
-.\}
-If the client has previously registered a username with the system and now supplies a correct password for that username, the connection is allowed\&.
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04' 3.\h'+01'\c
-.\}
-.el \{\
-.sp -1
-.IP "  3." 4.2
-.\}
-The client\*(Aqs NetBIOS name and any previously used usernames are checked against the supplied password\&. If they match, the connection is allowed as the corresponding user\&.
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04' 4.\h'+01'\c
-.\}
-.el \{\
-.sp -1
-.IP "  4." 4.2
-.\}
-If the client has previously validated a username/password pair with the server and the client has passed the validation token, that username is used\&.
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04' 5.\h'+01'\c
-.\}
-.el \{\
-.sp -1
-.IP "  5." 4.2
-.\}
-If a
-user =
-field is given in the
-smb\&.conf
-file for the service and the client has supplied a password, and that password matches (according to the UNIX system\*(Aqs password checking) with one of the usernames from the
-user =
-field, the connection is made as the username in the
-user =
-line\&. If one of the usernames in the
-user =
-list begins with a
-@, that name expands to a list of names in the group of the same name\&.
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04' 6.\h'+01'\c
-.\}
-.el \{\
-.sp -1
-.IP "  6." 4.2
-.\}
-If the service is a guest service, a connection is made as the username given in the
-guest account =
-for the service, irrespective of the supplied password\&.
-.RE
 .SH "REGISTRY-BASED CONFIGURATION"
 .PP
 …
 \m[blue]\fBshutdown script\fR\m[]\&.
 .sp
 If the connected user posseses the
+If the connected user possesses the
 \fBSeRemoteShutdownPrivilege\fR, right, this command will be run as root\&.
 .sp
 …
 If this parameter is
 \fByes\fR
+for a service, then the share hosted by the service will only be visible to users who have read or write access to the share during share enumeration (for example net view \e\esambaserver)\&. This has parallels to access based enumeration, the main difference being that only share permissions are evaluated, and security descriptors on files contained on the share are not used in computing enumeration access rights\&.
+for a service, then the share hosted by the service will only be visible to users who have read or write access to the share during share enumeration (for example net view \e\esambaserver)\&. The share ACLs which allow or deny the access to the share can be modified using for example the
+sharesec
+command or using the appropriate Windows tools\&. This has parallels to access based enumeration, the main difference being that only share permissions are evaluated, and security descriptors on files contained on the share are not used in computing enumeration access rights\&.
 .sp
 Default:
 \fI\fIaccess based share enum\fR\fR\fI = \fR\fIno\fR\fI \fR
+.RE
+acl allow execute always (S)
+.\" acl allow execute always
+.PP
+.RS 4
+This boolean parameter controls the behaviour of
+\fBsmbd\fR(8)
+when receiving a protocol request of "open for execution" from a Windows client\&. With Samba 3\&.6 and older, the execution right in the ACL was not checked, so a client could execute a file even if it did not have execute rights on the file\&. In Samba 4\&.0, this has been fixed, so that by default, i\&.e\&. when this parameter is set to "False", "open for execution" is now denied when execution permissions are not present\&.
+.sp
+If this parameter is set to "True", Samba does not check execute permissions on "open for execution", thus re\-establishing the behaviour of Samba 3\&.6\&. This can be useful to smoothen upgrades from older Samba versions to 4\&.0 and newer\&. This setting is not meant to be used as a permanent setting, but as a temporary relief: It is recommended to fix the permissions in the ACLs and reset this parameter to the default after a certain transition period\&.
+.sp
+Default:
+\fI\fIacl allow execute always\fR\fR\fI = \fR\fIno\fR\fI \fR
 .RE
 …
 .PP
 .RS 4
+Please note this parameter is now deprecated in Samba 3\&.6\&.2 and will be removed in a future version of Samba\&.
+.sp
 This boolean parameter controls what
+\fBsmbd\fR(8)does on receiving a protocol request of "open for delete" from a Windows client\&. If a Windows client doesn\*(Aqt have permissions to delete a file then they expect this to be denied at open time\&. POSIX systems normally only detect restrictions on delete by actually attempting to delete the file or directory\&. As Windows clients can (and do) "back out" a delete request by unsetting the "delete on close" bit Samba cannot delete the file immediately on "open for delete" request as we cannot restore such a deleted file\&. With this parameter set to true (the default) then smbd checks the file system permissions directly on "open for delete" and denies the request without actually deleting the file if the file system permissions would seem to deny it\&. This is not perfect, as it\*(Aqs possible a user could have deleted a file without Samba being able to check the permissions correctly, but it is close enough to Windows semantics for mostly correct behaviour\&. Samba will correctly check POSIX ACL semantics in this case\&.
+\fBsmbd\fR(8)
+does on receiving a protocol request of "open for delete" from a Windows client\&. If a Windows client doesn\*(Aqt have permissions to delete a file then they expect this to be denied at open time\&. POSIX systems normally only detect restrictions on delete by actually attempting to delete the file or directory\&. As Windows clients can (and do) "back out" a delete request by unsetting the "delete on close" bit Samba cannot delete the file immediately on "open for delete" request as we cannot restore such a deleted file\&. With this parameter set to true (the default) then smbd checks the file system permissions directly on "open for delete" and denies the request without actually deleting the file if the file system permissions would seem to deny it\&. This is not perfect, as it\*(Aqs possible a user could have deleted a file without Samba being able to check the permissions correctly, but it is close enough to Windows semantics for mostly correct behaviour\&. Samba will correctly check POSIX ACL semantics in this case\&.
 .sp
 If this parameter is set to "false" Samba doesn\*(Aqt check permissions on "open for delete" and allows the open\&. If the user doesn\*(Aqt have permission to delete the file this will only be discovered at close time, which is too late for the Windows user tools to display an error message to the user\&. The symptom of this is files that appear to have been deleted "magically" re\-appearing on a Windows explorer refresh\&. This is an extremely advanced protocol option which should not need to be changed\&. This parameter was introduced in its final form in 3\&.0\&.21, an earlier version with slightly different semantics was introduced in 3\&.0\&.20\&. That older version is not documented here\&.
 .sp
 Default:
+\fI\fIacl check permissions\fR\fR\fI = \fR\fITrue\fR\fI \fR
+.RE
+acl compatibility (G)
+.\" acl compatibility
+.PP
+.RS 4
+This parameter specifies what OS ACL semantics should be compatible with\&. Possible values are
+\fIwinnt\fR
+for Windows NT 4,
+\fIwin2k\fR
+for Windows 2000 and above and
+\fIauto\fR\&. If you specify
+\fIauto\fR, the value for this parameter will be based upon the version of the client\&. There should be no reason to change this parameter from the default\&.
+.sp
+Default:
+\fI\fIacl compatibility\fR\fR\fI = \fR\fIAuto\fR\fI \fR
+.sp
+Example:
+\fI\fIacl compatibility\fR\fR\fI = \fR\fIwin2k\fR\fI \fR
+\fI\fIacl check permissions\fR\fR\fI = \fR\fIyes\fR\fI \fR
 .RE
 …
 of a file or directory to modify the permissions and ACLs on that file\&.
 .sp
 On a Windows server, groups may be the owner of a file or directory \- thus allowing anyone in that group to modify the permissions on it\&. This allows the delegation of security controls on a point in the filesystem to the group owner of a directory and anything below it also owned by that group\&. This means there are multiple people with permissions to modify ACLs on a file or directory, easing managability\&.
+On a Windows server, groups may be the owner of a file or directory \- thus allowing anyone in that group to modify the permissions on it\&. This allows the delegation of security controls on a point in the filesystem to the group owner of a directory and anything below it also owned by that group\&. This means there are multiple people with permissions to modify ACLs on a file or directory, easing manageability\&.
 .sp
 This parameter allows Samba to also permit delegation of the control over a point in the exported directory hierarchy in much the same way as Windows\&. This allows all members of a UNIX group to control the permissions on a file or directory they have group ownership on\&.
 …
 This parameter is best used with the
 \m[blue]\fBinherit owner\fR\m[]
 option and also on on a share containing directories with the UNIX
+option and also on a share containing directories with the UNIX
 \fIsetgid bit\fR
 set on them, which causes new files and directories created within it to inherit the group ownership from the containing directory\&.
 .sp
 This is parameter has been was deprecated in Samba 3\&.0\&.23, but re\-activated in Samba 3\&.0\&.31 and above, as it now only controls permission changes if the user is in the owning primary group\&. It is now no longer equivalent to the
+This parameter was deprecated in Samba 3\&.0\&.23, but re\-activated in Samba 3\&.0\&.31 and above, as it now only controls permission changes if the user is in the owning primary group\&. It is now no longer equivalent to the
 \fIdos filemode\fR
 option\&.
 …
 .sp
 Default:
 \fI\fIacl map full control\fR\fR\fI = \fR\fITrue\fR\fI \fR
+\fI\fIacl map full control\fR\fR\fI = \fR\fIyes\fR\fI \fR
 .RE
 …
 .RE
 add port command (G)
 .\" add port command
+addport command (G)
+.\" addport command
 .PP
 .RS 4
 …
 .sp
 Default:
 \fI\fIadd port command\fR\fR\fI = \fR\fI\fR\fI \fR
 .sp
 Example:
 \fI\fIadd port command\fR\fR\fI = \fR\fI/etc/samba/scripts/addport\&.sh\fR\fI \fR
+\fI\fIaddport command\fR\fR\fI = \fR\fI\fR\fI \fR
+.sp
+Example:
+\fI\fIaddport command\fR\fR\fI = \fR\fI/etc/samba/scripts/addport\&.sh\fR\fI \fR
 .RE
 …
 \fION DEMAND\fR
 when a user accesses the Samba server\&.
-.sp
-In order to use this option,
-\fBsmbd\fR(8)
-must
-\fINOT\fR
-be set to
-\m[blue]\fBsecurity = share\fR\m[]
-and
-\m[blue]\fBadd user script\fR\m[]
-must be set to a full pathname for a script that will create a UNIX user given one argument of
-\fI%u\fR, which expands into the UNIX user name to create\&.
 .sp
 When the Windows user attempts to access the Samba server, at login (session setup in the SMB protocol) time,
 …
 .RS 4
 Full path to the script that will be called when a user is added to a group using the Windows NT domain administration tools\&. It will be run by
+\fBsmbd\fR(8)
+\fIAS ROOT\fR\&. Any
+\fBsmbd\fR(8)\fIAS ROOT\fR\&. Any
 \fI%g\fR
 will be replaced with the group name and any
 …
 You should use this option very carefully, as any user in this list will be able to do anything they like on the share, irrespective of file permissions\&.
 .sp
-This parameter will not work with the
-\m[blue]\fBsecurity = share\fR\m[]
-in Samba 3\&.0\&. This is by design\&.
-.sp
 Default:
 \fI\fIadmin users\fR\fR\fI = \fR\fI\fR\fI \fR
 …
 .RE
+afs token lifetime (G)
+.\" afs token lifetime
+.PP
+.RS 4
+This parameter controls the lifetime of tokens that the AFS fake\-kaserver claims\&. In reality these never expire but this lifetime controls when the afs client will forget the token\&.
+.sp
+Set this parameter to 0 to get
+\fBNEVERDATE\fR\&.
+.sp
+Default:
+\fI\fIafs token lifetime\fR\fR\fI = \fR\fI604800\fR\fI \fR
+.RE
 afs username map (G)
 .\" afs username map
 …
 Example:
 \fI\fIafs username map\fR\fR\fI = \fR\fI%u@afs\&.samba\&.org\fR\fI \fR
+.RE
+aio max threads (G)
+.\" aio max threads
+.PP
+.RS 4
+The integer parameter specifies the maximum number of threads each smbd process will create when doing parallel asynchronous IO calls\&. If the number of outstanding calls is greater than this number the requests will not be refused but go onto a queue and will be scheduled in turn as outstanding requests complete\&.
+.sp
+Related command:
+\m[blue]\fBaio read size\fR\m[]
+.sp
+Related command:
+\m[blue]\fBaio write size\fR\m[]
+.sp
+Default:
+\fI\fIaio max threads\fR\fR\fI = \fR\fI100\fR\fI \fR
 .RE
 …
 This determines how Samba will use its algorithmic mapping from uids/gid to the RIDs needed to construct NT Security Identifiers\&.
 .sp
 Setting this option to a larger value could be useful to sites transitioning from WinNT and Win2k, as existing user and group rids would otherwise clash with sytem users etc\&.
+Setting this option to a larger value could be useful to sites transitioning from WinNT and Win2k, as existing user and group rids would otherwise clash with system users etc\&.
 .sp
 All UIDs and GIDs must be able to be resolved into SIDs for the correct operation of ACLs on the server\&. As such the algorithmic mapping can\*(Aqt be \*(Aqturned off\*(Aq, but pushing it \*(Aqout of the way\*(Aq should resolve the issues\&. Users and groups can then be assigned \*(Aqlow\*(Aq RIDs in arbitrary\-rid supporting backends\&.
 …
 Example:
 \fI\fIallocation roundup size\fR\fR\fI = \fR\fI0 # (to disable roundups)\fR\fI \fR
+.RE
+allow dcerpc auth level connect (G)
+.\" allow dcerpc auth level connect
+.PP
+.RS 4
+This option controls whether DCERPC services are allowed to be used with DCERPC_AUTH_LEVEL_CONNECT, which provides authentication, but no per message integrity nor privacy protection\&.
+.sp
+Some interfaces like samr, lsarpc and netlogon have a hard\-coded default of
+\fBno\fR
+and epmapper, mgmt and rpcecho have a hard\-coded default of
+\fByes\fR\&.
+.sp
+The behavior can be overwritten per interface name (e\&.g\&. lsarpc, netlogon, samr, srvsvc, winreg, wkssvc \&.\&.\&.) by using \*(Aqallow dcerpc auth level connect:interface = yes\*(Aq as option\&.
+.sp
+This option yields precedence to the implementation specific restrictions\&. E\&.g\&. the drsuapi and backupkey protocols require DCERPC_AUTH_LEVEL_PRIVACY\&. The dnsserver protocol requires DCERPC_AUTH_LEVEL_INTEGRITY\&.
+.sp
+Default:
+\fI\fIallow dcerpc auth level connect\fR\fR\fI = \fR\fIno\fR\fI \fR
+.sp
+Example:
+\fI\fIallow dcerpc auth level connect\fR\fR\fI = \fR\fIyes\fR\fI \fR
+.RE
+allow dns updates (G)
+.\" allow dns updates
+.PP
+.RS 4
+This option determines what kind of updates to the DNS are allowed\&.
+.sp
+DNS updates can either be disallowed completely by setting it to
+\fBdisabled\fR, enabled over secure connections only by setting it to
+\fBsecure only\fR
+or allowed in all cases by setting it to
+\fBnonsecure\fR\&.
+.sp
+Default:
+\fI\fIallow dns updates\fR\fR\fI = \fR\fIsecure only\fR\fI \fR
+.sp
+Example:
+\fI\fIallow dns updates\fR\fR\fI = \fR\fIdisabled\fR\fI \fR
 .RE
 …
 .RE
+allow nt4 crypto (G)
+.\" allow nt4 crypto
+.PP
+.RS 4
+This option controls whether the netlogon server (currently only in \*(Aqactive directory domain controller\*(Aq mode), will reject clients which does not support NETLOGON_NEG_STRONG_KEYS nor NETLOGON_NEG_SUPPORTS_AES\&.
+.sp
+This option was added with Samba 4\&.2\&.0\&. It may lock out clients which worked fine with Samba versions up to 4\&.1\&.x\&. as the effective default was "yes" there, while it is "no" now\&.
+.sp
+If you have clients without RequireStrongKey = 1 in the registry, you may need to set "allow nt4 crypto = yes", until you have fixed all clients\&.
+.sp
+"allow nt4 crypto = yes" allows weak crypto to be negotiated, maybe via downgrade attacks\&.
+.sp
+This option yields precedence to the \*(Aqreject md5 clients\*(Aq option\&.
+.sp
+Default:
+\fI\fIallow nt4 crypto\fR\fR\fI = \fR\fIno\fR\fI \fR
+.RE
 allow trusted domains (G)
 .\" allow trusted domains
 …
 Default:
 \fI\fIallow trusted domains\fR\fR\fI = \fR\fIyes\fR\fI \fR
-.RE
-announce as (G)
-.\" announce as
-.PP
-.RS 4
-This specifies what type of server
-\fBnmbd\fR(8)
-will announce itself as, to a network neighborhood browse list\&. By default this is set to Windows NT\&. The valid options are : "NT Server" (which can also be written as "NT"), "NT Workstation", "Win95" or "WfW" meaning Windows NT Server, Windows NT Workstation, Windows 95 and Windows for Workgroups respectively\&. Do not change this parameter unless you have a specific need to stop Samba appearing as an NT server as this may prevent Samba servers from participating as browser servers correctly\&.
-.sp
-Default:
-\fI\fIannounce as\fR\fR\fI = \fR\fINT Server\fR\fI \fR
-.sp
-Example:
-\fI\fIannounce as\fR\fR\fI = \fR\fIWin95\fR\fI \fR
-.RE
-announce version (G)
-.\" announce version
-.PP
-.RS 4
-This specifies the major and minor version numbers that nmbd will use when announcing itself as a server\&. The default is 4\&.9\&. Do not change this parameter unless you have a specific need to set a Samba server to be a downlevel server\&.
-.sp
-Default:
-\fI\fIannounce version\fR\fR\fI = \fR\fI4\&.9\fR\fI \fR
-.sp
-Example:
-\fI\fIannounce version\fR\fR\fI = \fR\fI2\&.0\fR\fI \fR
 .RE
 …
 Example:
 \fI\fIauth methods\fR\fR\fI = \fR\fIguest sam winbind\fR\fI \fR
+.RE
+preload
+.\" preload
+.PP
+.RS 4
+This parameter is a synonym for
+auto services\&.
+.RE
+auto services (G)
+.\" auto services
+.PP
+.RS 4
+This is a list of services that you want to be automatically added to the browse lists\&. This is most useful for homes and printers services that would otherwise not be visible\&.
+.sp
+Note that if you just want all printers in your printcap file loaded then the
+\m[blue]\fBload printers\fR\m[]
+option is easier\&.
+.sp
+Default:
+\fI\fIauto services\fR\fR\fI = \fR\fI\fR\fI \fR
+.sp
+Example:
+\fI\fIauto services\fR\fR\fI = \fR\fIfred lp colorlp\fR\fI \fR
 .RE
 …
 parameter list
 \fBsmbpasswd\fR(8)
-and
-\fBswat\fR(8)
 may not work as expected due to the reasons covered below\&.
 .sp
 …
 smbpasswd
 can be forced to use the primary IP interface of the local host by using its
+\fBsmbpasswd\fR(8)
+\fI\-r \fR\fI\fIremote machine\fR\fR
+\fBsmbpasswd\fR(8)\fI\-r \fR\fI\fIremote machine\fR\fR
 parameter, with
 \fIremote machine\fR
 set to the IP name of the primary interface of the local host\&.
-.sp
-The
-swat
-status page tries to connect with
-smbd
-and
-nmbd
-at the address
-\fI127\&.0\&.0\&.1\fR
-to determine if they are running\&. Not adding
-\fI127\&.0\&.0\&.1\fR
-will cause
-smbd
-and
-nmbd
-to always show "not running" even if they really are\&. This can prevent
-swat
-from starting/stopping/restarting
-smbd
-and
-nmbd\&.
 .sp
 Default:
 …
 .sp
 Default:
 \fI\fIcache directory\fR\fR\fI = \fR\fI${prefix}/var/locks\fR\fI \fR
+\fI\fIcache directory\fR\fR\fI = \fR\fI${prefix}/var/cache\fR\fI \fR
 .sp
 Example:
 …
 .RE
 change notify (S)
+change notify (G)
 .\" change notify
 .PP
 …
 will automatically invoke the
 \fIchange share command\fR
 with five parameters\&.
+with six parameters\&.
 .sp
 .RS 4
 …
 .RE
 .sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fICSC policy\fR
+\- client side caching policy in string form\&. Valid values are: manual, documents, programs, disable\&.
+.RE
+.sp
 .RE
 This parameter is only used to modify existing file share definitions\&. To modify printer shares, use the "Printers\&.\&.\&." folder as seen when browsing the Samba host\&.
 …
 .sp
 Default:
 \fI\fIcheck password script\fR\fR\fI = \fR\fIDisabled\fR\fI \fR
+\fI\fIcheck password script\fR\fR\fI = \fR\fI # Disabled\fR\fI \fR
 .sp
 Example:
 \fI\fIcheck password script\fR\fR\fI = \fR\fI/usr/local/sbin/crackcheck\fR\fI \fR
+.RE
+cldap port (G)
+.\" cldap port
+.PP
+.RS 4
+This option controls the port used by the CLDAP protocol\&.
+.sp
+Default:
+\fI\fIcldap port\fR\fR\fI = \fR\fI389\fR\fI \fR
+.sp
+Example:
+\fI\fIcldap port\fR\fR\fI = \fR\fI3389\fR\fI \fR
+.RE
+client ipc max protocol (G)
+.\" client ipc max protocol
+.PP
+.RS 4
+The value of the parameter (a string) is the highest protocol level that will be supported for IPC$ connections as DCERPC transport\&.
+.sp
+Normally this option should not be set as the automatic negotiation phase in the SMB protocol takes care of choosing the appropriate protocol\&.
+.sp
+The value
+\fBdefault\fR
+refers to the latest supported protocol, currently
+\fBSMB3_11\fR\&.
+.sp
+See
+\m[blue]\fBclient max protocol\fR\m[]
+for a full list of available protocols\&. The values CORE, COREPLUS, LANMAN1, LANMAN2 are silently upgraded to NT1\&.
+.sp
+Default:
+\fI\fIclient ipc max protocol\fR\fR\fI = \fR\fIdefault\fR\fI \fR
+.sp
+Example:
+\fI\fIclient ipc max protocol\fR\fR\fI = \fR\fISMB2_10\fR\fI \fR
+.RE
+client ipc min protocol (G)
+.\" client ipc min protocol
+.PP
+.RS 4
+This setting controls the minimum protocol version that the will be attempted to use for IPC$ connections as DCERPC transport\&.
+.sp
+Normally this option should not be set as the automatic negotiation phase in the SMB protocol takes care of choosing the appropriate protocol\&.
+.sp
+The value
+\fBdefault\fR
+refers to the higher value of
+\fBNT1\fR
+and the effective value of
+\m[blue]\fBclient min protocol\fR\m[]\&.
+.sp
+See
+\m[blue]\fBclient max protocol\fR\m[]
+for a full list of available protocols\&. The values CORE, COREPLUS, LANMAN1, LANMAN2 are silently upgraded to NT1\&.
+.sp
+Default:
+\fI\fIclient ipc min protocol\fR\fR\fI = \fR\fIdefault\fR\fI \fR
+.sp
+Example:
+\fI\fIclient ipc min protocol\fR\fR\fI = \fR\fISMB3_11\fR\fI \fR
+.RE
+client ipc signing (G)
+.\" client ipc signing
+.PP
+.RS 4
+This controls whether the client is allowed or required to use SMB signing for IPC$ connections as DCERPC transport\&. Possible values are
+\fIauto\fR,
+\fImandatory\fR
+and
+\fIdisabled\fR\&.
+.sp
+When set to mandatory or default, SMB signing is required\&.
+.sp
+When set to auto, SMB signing is offered, but not enforced and if set to disabled, SMB signing is not offered either\&.
+.sp
+Connections from winbindd to Active Directory Domain Controllers always enforce signing\&.
+.sp
+Default:
+\fI\fIclient ipc signing\fR\fR\fI = \fR\fIdefault\fR\fI \fR
 .RE
 …
 are only available if Samba has been compiled against a modern OpenLDAP version (2\&.3\&.x or higher)\&.
 .sp
+This option is needed in the case of Domain Controllers enforcing the usage of signed LDAP connections (e\&.g\&. Windows 2000 SP3 or higher)\&. LDAP sign and seal can be controlled with the registry key "HKLM\eSystem\eCurrentControlSet\eServices\e
+NTDS\eParameters\eLDAPServerIntegrity" on the Windows server side\&.
+This option is needed in the case of Domain Controllers enforcing the usage of signed LDAP connections (e\&.g\&. Windows 2000 SP3 or higher)\&. LDAP sign and seal can be controlled with the registry key "HKLM\eSystem\eCurrentControlSet\eServices\eNTDS\eParameters\eLDAPServerIntegrity" on the Windows server side\&.
 .sp
 Depending on the used KRB5 library (MIT and older Heimdal versions) it is possible that the message "integrity only" is not supported\&. In this case,
 …
 .sp
 The default value is
+\fIplain\fR
+which is not irritable to KRB5 clock skew errors\&. That implies synchronizing the time with the KDC in the case of using
+\fIsign\fR
+or
+\fIseal\fR\&.
+.sp
+Default:
+\fI\fIclient ldap sasl wrapping\fR\fR\fI = \fR\fIplain\fR\fI \fR
+.RE
+client ntlmv2 auth (G)
+.\" client ntlmv2 auth
+\fIsign\fR\&. That implies synchronizing the time with the KDC in the case of using
+\fIKerberos\fR\&.
+.sp
+Default:
+\fI\fIclient ldap sasl wrapping\fR\fR\fI = \fR\fIsign\fR\fI \fR
+.RE
+client max protocol (G)
+.\" client max protocol
+.PP
+.RS 4
+The value of the parameter (a string) is the highest protocol level that will be supported by the client\&.
+.sp
+Possible values are :
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fBCORE\fR: Earliest version\&. No concept of user names\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fBCOREPLUS\fR: Slight improvements on CORE for efficiency\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fBLANMAN1\fR: First
+\fImodern\fR
+version of the protocol\&. Long filename support\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fBLANMAN2\fR: Updates to Lanman1 protocol\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fBNT1\fR: Current up to date version of the protocol\&. Used by Windows NT\&. Known as CIFS\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fBSMB2\fR: Re\-implementation of the SMB protocol\&. Used by Windows Vista and later versions of Windows\&. SMB2 has sub protocols available\&.
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fBSMB2_02\fR: The earliest SMB2 version\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fBSMB2_10\fR: Windows 7 SMB2 version\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fBSMB2_22\fR: Early Windows 8 SMB2 version\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fBSMB2_24\fR: Windows 8 beta SMB2 version\&.
+.RE
+.sp
+.RE
+By default SMB2 selects the SMB2_10 variant\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fBSMB3\fR: The same as SMB2\&. Used by Windows 8\&. SMB3 has sub protocols available\&.
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fBSMB3_00\fR: Windows 8 SMB3 version\&. (mostly the same as SMB2_24)
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fBSMB3_02\fR: Windows 8\&.1 SMB3 version\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fBSMB3_10\fR: early Windows 10 technical preview SMB3 version\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fBSMB3_11\fR: Windows 10 technical preview SMB3 version (maybe final)\&.
+.RE
+.sp
+.RE
+By default SMB3 selects the SMB3_11 variant\&.
+.RE
+.sp
+.RE
+Normally this option should not be set as the automatic negotiation phase in the SMB protocol takes care of choosing the appropriate protocol\&.
+.sp
+The value
+\fBdefault\fR
+refers to
+\fBNT1\fR\&.
+.sp
+IPC$ connections for DCERPC e\&.g\&. in winbindd, are handled by the
+\m[blue]\fBclient ipc max protocol\fR\m[]
+option\&.
+.sp
+Default:
+\fI\fIclient max protocol\fR\fR\fI = \fR\fIdefault\fR\fI \fR
+.sp
+Example:
+\fI\fIclient max protocol\fR\fR\fI = \fR\fILANMAN1\fR\fI \fR
+.RE
+client min protocol (G)
+.\" client min protocol
+.PP
+.RS 4
+This setting controls the minimum protocol version that the client will attempt to use\&.
+.sp
+Normally this option should not be set as the automatic negotiation phase in the SMB protocol takes care of choosing the appropriate protocol\&.
+.sp
+See
+Related command: \m[blue]\fBclient max protocol\fR\m[]
+for a full list of available protocols\&.
+.sp
+IPC$ connections for DCERPC e\&.g\&. in winbindd, are handled by the
+\m[blue]\fBclient ipc min protocol\fR\m[]
+option\&.
+.sp
+Default:
+\fI\fIclient min protocol\fR\fR\fI = \fR\fICORE\fR\fI \fR
+.sp
+Example:
+\fI\fIclient min protocol\fR\fR\fI = \fR\fINT1\fR\fI \fR
+.RE
+client NTLMv2 auth (G)
+.\" client NTLMv2 auth
 .PP
 .RS 4
 …
 Note that Windows Vista and later versions already use NTLMv2 by default, and some sites (particularly those following \*(Aqbest practice\*(Aq security polices) only allow NTLMv2 responses, and not the weaker LM or NTLM\&.
 .sp
+Default:
+\fI\fIclient ntlmv2 auth\fR\fR\fI = \fR\fIyes\fR\fI \fR
+When
+\m[blue]\fBclient use spnego\fR\m[]
+is also set to
+\fByes\fR
+extended security (SPNEGO) is required in order to use NTLMv2 only within NTLMSSP\&. This behavior was introduced with the patches for CVE\-2016\-2111\&.
+.sp
+Default:
+\fI\fIclient NTLMv2 auth\fR\fR\fI = \fR\fIyes\fR\fI \fR
 .RE
 …
 denies access if the server is not able to speak netlogon schannel\&.
 .sp
+Note that for active directory domains this is hardcoded to
+\m[blue]\fBclient schannel = yes\fR\m[]\&.
+.sp
+This option yields precedence to the
+\m[blue]\fBrequire strong key\fR\m[]
+option\&.
+.sp
 Default:
 \fI\fIclient schannel\fR\fR\fI = \fR\fIauto\fR\fI \fR
 …
 \fIdisabled\fR\&.
 .sp
+When set to auto, SMB signing is offered, but not enforced\&. When set to mandatory, SMB signing is required and if set to disabled, SMB signing is not offered either\&.
+.sp
+Default:
+\fI\fIclient signing\fR\fR\fI = \fR\fIauto\fR\fI \fR
+When set to auto or default, SMB signing is offered, but not enforced\&.
+.sp
+When set to mandatory, SMB signing is required and if set to disabled, SMB signing is not offered either\&.
+.sp
+IPC$ connections for DCERPC e\&.g\&. in winbindd, are handled by the
+\m[blue]\fBclient ipc signing\fR\m[]
+option\&.
+.sp
+Default:
+\fI\fIclient signing\fR\fR\fI = \fR\fIdefault\fR\fI \fR
 .RE
 …
 If enabled, Samba can attempt to use Kerberos to contact servers known only by IP address\&. Kerberos relies on names, so ordinarily cannot function in this situation\&.
 .sp
+This is a VERY BAD IDEA for security reasons, and so this parameter SHOULD NOT BE USED\&. It will be removed in a future version of Samba\&.
+.sp
 If disabled, Samba will use the name used to look up the server when asking the KDC for a ticket\&. This avoids situations where a server may impersonate another, soliciting authentication as one principal while being known on the network as another\&.
 .sp
 Note that Windows XP SP2 and later versions already follow this behaviour, and Windows Vista and later servers no longer supply this \*(Aqrfc4178 hint\*(Aq principal on the server side\&.
+.sp
+This parameter is deprecated in Samba 4\&.2\&.1 and will be removed (along with the functionality) in a later release of Samba\&.
 .sp
 Default:
 …
 .RS 4
 This variable controls whether Samba clients will try to use Simple and Protected NEGOciation (as specified by rfc2478) with supporting servers (including WindowsXP, Windows2000 and Samba 3\&.0) to agree upon an authentication mechanism\&. This enables Kerberos authentication in particular\&.
+.sp
+When
+\m[blue]\fBclient NTLMv2 auth\fR\m[]
+is also set to
+\fByes\fR
+extended security (SPNEGO) is required in order to use NTLMv2 only within NTLMSSP\&. This behavior was introduced with the patches for CVE\-2016\-2111\&.
 .sp
 Default:
 …
 .PP
 .RS 4
 Setting this paramter to
+Setting this parameter to
 no
 prevents winbind from creating custom krb5\&.conf files\&. Winbind normally does this because the krb5 libraries are not AD\-site\-aware and thus would pick any domain controller out of potentially very many\&. Winbind is site\-aware and makes the krb5 libraries use a local DC by creating its own krb5\&.conf files\&.
 …
 for details\&.
 .sp
-Note that this parameter does not apply to permissions set by Windows NT/2000 ACL editors\&. If the administrator wishes to enforce a mask on access control lists also, they need to set the
-\m[blue]\fBsecurity mask\fR\m[]\&.
-.sp
 Default:
 \fI\fIcreate mask\fR\fR\fI = \fR\fI0744\fR\fI \fR
 …
 .PP
 .RS 4
 This parameter specifies a timeout in seconds for the connection between Samba and ctdb\&. It is only valid if you have compiled Samba with clustering and if you have set
+This parameter specifies a timeout in milliseconds for the connection between Samba and ctdb\&. It is only valid if you have compiled Samba with clustering and if you have set
 \fIclustering=yes\fR\&.
 .sp
 When something in the cluster blocks, it can happen that we wait indefinitely long for ctdb, just adding to the blocking condition\&. In a well\-running cluster this should never happen, but there are too many components in a cluster that might have hickups\&. Choosing the right balance for this value is very tricky, because on a busy cluster long service times to transfer something across the cluster might be valid\&. Setting it too short will degrade the service your cluster presents, setting it too long might make the cluster itself not recover from something severely broken for too long\&.
 .sp
 Be aware that if you set this parameter, this needs to be in the file smb\&.conf, it is not really helpful to put this into a registry configuration (typical on a cluster), because to access the registry contact to ctdb is requred\&.
+Be aware that if you set this parameter, this needs to be in the file smb\&.conf, it is not really helpful to put this into a registry configuration (typical on a cluster), because to access the registry contact to ctdb is required\&.
 .sp
 Setting
 \fIctdb timeout\fR
 to n makes any process waiting longer than n seconds for a reply by the cluster panic\&. Setting it to 0 (the default) makes Samba block forever, which is the highly recommended default\&.
+to n makes any process waiting longer than n milliseconds for a reply by the cluster panic\&. Setting it to 0 (the default) makes Samba block forever, which is the highly recommended default\&.
 .sp
 Default:
 …
 .sp
 Default:
 \fI\fIcups encrypt\fR\fR\fI = \fR\fI"no"\fR\fI \fR
+\fI\fIcups encrypt\fR\fR\fI = \fR\fIno\fR\fI \fR
 .RE
 …
 .RE
+dcerpc endpoint servers (G)
+.\" dcerpc endpoint servers
+.PP
+.RS 4
+Specifies which DCE/RPC endpoint servers should be run\&.
+.sp
+Default:
+\fI\fIdcerpc endpoint servers\fR\fR\fI = \fR\fIepmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver\fR\fI \fR
+.sp
+Example:
+\fI\fIdcerpc endpoint servers\fR\fR\fI = \fR\fIrpcecho\fR\fI \fR
+.RE
 deadtime (G)
 .\" deadtime
 …
 Default:
 \fI\fIdebug prefix timestamp\fR\fR\fI = \fR\fIno\fR\fI \fR
-.RE
-timestamp logs
-.\" timestamp logs
-.PP
-.RS 4
-This parameter is a synonym for
-debug timestamp\&.
-.RE
-debug timestamp (G)
-.\" debug timestamp
-.PP
-.RS 4
-Samba debug log messages are timestamped by default\&. If you are running at a high
-\m[blue]\fBdebug level\fR\m[]
-these timestamps can be distracting\&. This boolean parameter allows timestamping to be turned off\&.
-.sp
-Default:
-\fI\fIdebug timestamp\fR\fR\fI = \fR\fIyes\fR\fI \fR
 .RE
 …
 .sp
 Default:
 \fI\fIdefer sharing violations\fR\fR\fI = \fR\fITrue\fR\fI \fR
+\fI\fIdefer sharing violations\fR\fR\fI = \fR\fIyes\fR\fI \fR
 .RE
 …
 .RS 4
 This is the full pathname to a script that will be run
+\fIAS ROOT\fR
+\fBsmbd\fR(8)
+\fIAS ROOT\fR\fBsmbd\fR(8)
 when a group is requested to be deleted\&. It will expand any
 \fI%g\fR
 …
 .RS 4
 Full path to the script that will be called when a user is removed from a group using the Windows NT domain administration tools\&. It will be run by
+\fBsmbd\fR(8)
+\fIAS ROOT\fR\&. Any
+\fBsmbd\fR(8)\fIAS ROOT\fR\&. Any
 \fI%g\fR
 will be replaced with the group name and any
 …
 .sp
 Example:
 \fI\fIdfree cache time\fR\fR\fI = \fR\fIdfree cache time = 60\fR\fI \fR
+\fI\fIdfree cache time\fR\fR\fI = \fR\fI60\fR\fI \fR
 .RE
 …
 .RE
+dgram port (G)
+.\" dgram port
+.PP
+.RS 4
+Specifies which ports the server should listen on for NetBIOS datagram traffic\&.
+.sp
+Default:
+\fI\fIdgram port\fR\fR\fI = \fR\fI138\fR\fI \fR
+.RE
 directory mode
 .\" directory mode
 …
 parameter\&. This parameter is set to 000 by default (i\&.e\&. no extra mode bits are added)\&.
 .sp
-Note that this parameter does not apply to permissions set by Windows NT/2000 ACL editors\&. If the administrator wishes to enforce a mask on access control lists also, they need to set the
-\m[blue]\fBdirectory security mask\fR\m[]\&.
-.sp
 Default:
 \fI\fIdirectory mask\fR\fR\fI = \fR\fI0755\fR\fI \fR
 …
 .PP
 .RS 4
 This parameter specifies the the size of the directory name cache\&. It will be needed to turn this off for *BSD systems\&.
+This parameter specifies the size of the directory name cache\&. It will be needed to turn this off for *BSD systems\&.
 .sp
 Default:
 …
 .PP
 .RS 4
+This parameter controls what UNIX permission bits will be set when a Windows NT client is manipulating the UNIX permission on a directory using the native NT security dialog box\&.
+.sp
+This parameter is applied as a mask (AND\*(Aqed with) to the incoming permission bits, thus resetting any bits not in this mask\&. Make sure not to mix up this parameter with
+\m[blue]\fBforce directory security mode\fR\m[], which works similar like this one but uses logical OR instead of AND\&. Essentially, zero bits in this mask are a set of bits that will always be set to zero\&.
+.sp
+Essentially, all bits set to zero in this mask will result in setting to zero the corresponding bits on the file permissions regardless of the previous status of this bits on the file\&.
+.sp
+If not set explicitly this parameter is set to 0777 meaning a user is allowed to set all the user/group/world permissions on a directory\&.
+.sp
+\fINote\fR
+that users who can access the Samba server through other means can easily bypass this restriction, so it is primarily useful for standalone "appliance" systems\&. Administrators of most normal systems will probably want to leave it as the default of
+\fB0777\fR\&.
+.sp
+Default:
+\fI\fIdirectory security mask\fR\fR\fI = \fR\fI0777\fR\fI \fR
+.sp
+Example:
+\fI\fIdirectory security mask\fR\fR\fI = \fR\fI0700\fR\fI \fR
+This parameter has been removed for Samba 4\&.0\&.0\&.
+.sp
+\fINo default\fR
 .RE
 …
 .RE
-display charset (G)
-.\" display charset
-.PP
-.RS 4
-Specifies the charset that samba will use to print messages to stdout and stderr\&. The default value is "LOCALE", which means automatically set, depending on the current locale\&. The value should generally be the same as the value of the parameter
-\m[blue]\fBunix charset\fR\m[]\&.
-.sp
-Default:
-\fI\fIdisplay charset\fR\fR\fI = \fR\fI"LOCALE" or "ASCII" (depending on the system)\fR\fI \fR
-.sp
-Example:
-\fI\fIdisplay charset\fR\fR\fI = \fR\fIUTF8\fR\fI \fR
-.RE
 dmapi support (S)
 .\" dmapi support
 …
 Default:
 \fI\fIdmapi support\fR\fR\fI = \fR\fIno\fR\fI \fR
+.RE
+dns forwarder (G)
+.\" dns forwarder
+.PP
+.RS 4
+This option specifies the DNS server that DNS requests will be forwarded to if they can not be handled by Samba itself\&.
+.sp
+The DNS forwarder is only used if the internal DNS server in Samba is used\&.
+.sp
+Default:
+\fI\fIdns forwarder\fR\fR\fI = \fR\fI\fR\fI \fR
+.sp
+Example:
+\fI\fIdns forwarder\fR\fR\fI = \fR\fI192\&.168\&.0\&.1\fR\fI \fR
 .RE
 …
 Default:
 \fI\fIdns proxy\fR\fR\fI = \fR\fIyes\fR\fI \fR
+.RE
+dns update command (G)
+.\" dns update command
+.PP
+.RS 4
+This option sets the command that is called when there are DNS updates\&. It should update the local machines DNS names using TSIG\-GSS\&.
+.sp
+Default:
+\fI\fIdns update command\fR\fR\fI = \fR\fI${prefix}/sbin/samba_dnsupdate\fR\fI \fR
+.sp
+Example:
+\fI\fIdns update command\fR\fR\fI = \fR\fI/usr/local/sbin/dnsupdate\fR\fI \fR
 .RE
 …
 .PP
 .RS 4
 Under DOS and Windows, if a user can write to a file they can change the timestamp on it\&. Under POSIX semantics, only the owner of the file or root may change the timestamp\&. By default, Samba emulates the DOS semantics and allows to change the timestamp on a file if the user
+Under DOS and Windows, if a user can write to a file they can change the timestamp on it\&. Under POSIX semantics, only the owner of the file or root may change the timestamp\&. By default, Samba emulates the DOS semantics and allows one to change the timestamp on a file if the user
 smbd
 is acting on behalf has write permissions\&. Due to changes in Microsoft Office 2000 and beyond, the default for this parameter has been changed from "no" to "yes" in Samba 3\&.0\&.14 and above\&. Microsoft Excel will display dialog box warnings about the file being changed by another user if this parameter is not set to "yes" and files are being shared between users\&.
 …
 Default:
 \fI\fIdos filetimes\fR\fR\fI = \fR\fIyes\fR\fI \fR
+.RE
+durable handles (S)
+.\" durable handles
+.PP
+.RS 4
+This boolean parameter controls whether Samba can grant SMB2 durable file handles on a share\&.
+.sp
+Note that durable handles are only enabled if
+\m[blue]\fBkernel oplocks = no\fR\m[],
+\m[blue]\fBkernel share modes = no\fR\m[], and
+\m[blue]\fBposix locking = no\fR\m[], i\&.e\&. if the share is configured for CIFS/SMB2 only access, not supporting interoperability features with local UNIX processes or NFS operations\&.
+.sp
+Also note that, for the time being, durability is not granted for a handle that has the delete on close flag set\&.
+.sp
+Default:
+\fI\fIdurable handles\fR\fR\fI = \fR\fIyes\fR\fI \fR
 .RE
 …
 .PP
 .RS 4
 Hosts running the "Advanced Server for Unix (ASU)" product require some special accomodations such as creating a builtin [ADMIN$] share that only supports IPC connections\&. The has been the default behavior in smbd for many years\&. However, certain Microsoft applications such as the Print Migrator tool require that the remote server support an [ADMIN$} file share\&. Disabling this parameter allows for creating an [ADMIN$] file share in smb\&.conf\&.
+Hosts running the "Advanced Server for Unix (ASU)" product require some special accomodations such as creating a builtin [ADMIN$] share that only supports IPC connections\&. The has been the default behavior in smbd for many years\&. However, certain Microsoft applications such as the Print Migrator tool require that the remote server support an [ADMIN$] file share\&. Disabling this parameter allows for creating an [ADMIN$] file share in smb\&.conf\&.
 .sp
 Default:
 …
 \fBsmbpasswd\fR(8)
 program for information on how to set up and maintain this file), or set the
 \m[blue]\fBsecurity = [server|domain|ads]\fR\m[]
+\m[blue]\fBsecurity = [domain|ads]\fR\m[]
 parameter which causes
 smbd
 …
 .RS 4
 This option defines a list of log names that Samba will report to the Microsoft EventViewer utility\&. The listed eventlogs will be associated with tdb file on disk in the
 $(lockdir)/eventlog\&.
+$(statedir)/eventlog\&.
 .sp
 The administrator must use an external process to parse the normal Unix logs such as
 …
 This option is mainly used as a compatibility option for Visual C++ when used against Samba shares\&. Visual C++ generated makefiles have the object directory as a dependency for each object file, and a make rule to create the directory\&. Also, when NMAKE compares timestamps it uses the creation time when examining a directory\&. Thus the object directory will be created if it does not exist, but once it does exist it will always have an earlier timestamp than the object files it contains\&.
 .sp
 However, Unix time semantics mean that the create time reported by Samba will be updated whenever a file is created or or deleted in the directory\&. NMAKE finds all object files in the object directory\&. The timestamp of the last one built is then compared to the timestamp of the object directory\&. If the directory\*(Aqs timestamp if newer, then all object files will be rebuilt\&. Enabling this option ensures directories always predate their contents and an NMAKE build will proceed as expected\&.
+However, Unix time semantics mean that the create time reported by Samba will be updated whenever a file is created or deleted in the directory\&. NMAKE finds all object files in the object directory\&. The timestamp of the last one built is then compared to the timestamp of the object directory\&. If the directory\*(Aqs timestamp if newer, then all object files will be rebuilt\&. Enabling this option ensures directories always predate their contents and an NMAKE build will proceed as expected\&.
 .sp
 Default:
 …
 .sp
 Default:
 \fI\fIforce create mode\fR\fR\fI = \fR\fI000\fR\fI \fR
+\fI\fIforce create mode\fR\fR\fI = \fR\fI0000\fR\fI \fR
 .sp
 Example:
 …
 .sp
 Default:
 \fI\fIforce directory mode\fR\fR\fI = \fR\fI000\fR\fI \fR
+\fI\fIforce directory mode\fR\fR\fI = \fR\fI0000\fR\fI \fR
 .sp
 Example:
 …
 .PP
 .RS 4
+This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating the UNIX permission on a directory using the native NT security dialog box\&.
+.sp
+This parameter is applied as a mask (OR\*(Aqed with) to the changed permission bits, thus forcing any bits in this mask that the user may have modified to be on\&. Make sure not to mix up this parameter with
+\m[blue]\fBdirectory security mask\fR\m[], which works in a similar manner to this one, but uses a logical AND instead of an OR\&.
+.sp
+Essentially, this mask may be treated as a set of bits that, when modifying security on a directory, to will enable (1) any flags that are off (0) but which the mask has set to on (1)\&.
+.sp
+If not set explicitly this parameter is 0000, which allows a user to modify all the user/group/world permissions on a directory without restrictions\&.
+.if n \{\
+.sp
+.\}
+.RS 4
+.it 1 an-trap
+.nr an-no-space-flag 1
+.nr an-break-flag 1
+.br
+.ps +1
+\fBNote\fR
+.ps -1
+.br
+Users who can access the Samba server through other means can easily bypass this restriction, so it is primarily useful for standalone "appliance" systems\&. Administrators of most normal systems will probably want to leave it set as 0000\&.
+.sp .5v
+.RE
+Default:
+\fI\fIforce directory security mode\fR\fR\fI = \fR\fI0\fR\fI \fR
+.sp
+Example:
+\fI\fIforce directory security mode\fR\fR\fI = \fR\fI700\fR\fI \fR
+This parameter has been removed for Samba 4\&.0\&.0\&.
+.sp
+\fINo default\fR
 .RE
 …
 .PP
 .RS 4
+This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating the UNIX permission on a file using the native NT security dialog box\&.
+.sp
+This parameter is applied as a mask (OR\*(Aqed with) to the changed permission bits, thus forcing any bits in this mask that the user may have modified to be on\&. Make sure not to mix up this parameter with
+\m[blue]\fBsecurity mask\fR\m[], which works similar like this one but uses logical AND instead of OR\&.
+.sp
+Essentially, one bits in this mask may be treated as a set of bits that, when modifying security on a file, the user has always set to be on\&.
+.sp
+If not set explicitly this parameter is set to 0, and allows a user to modify all the user/group/world permissions on a file, with no restrictions\&.
+.sp
+\fI Note\fR
+that users who can access the Samba server through other means can easily bypass this restriction, so it is primarily useful for standalone "appliance" systems\&. Administrators of most normal systems will probably want to leave this set to 0000\&.
+.sp
+Default:
+\fI\fIforce security mode\fR\fR\fI = \fR\fI0\fR\fI \fR
+.sp
+Example:
+\fI\fIforce security mode\fR\fR\fI = \fR\fI700\fR\fI \fR
+This parameter has been removed for Samba 4\&.0\&.0\&.
+.sp
+\fINo default\fR
 .RE
 …
 Example:
 \fI\fIforce user\fR\fR\fI = \fR\fIauser\fR\fI \fR
+.RE
+fss: prune stale (G)
+.\" fss: prune stale
+.PP
+.RS 4
+When enabled, Samba\*(Aqs File Server Remove VSS Protocol (FSRVP) server checks all FSRVP initiated snapshots on startup, and removes any corresponding state (including share definitions) for nonexistent snapshot paths\&.
+.sp
+Default:
+\fI\fIfss: prune stale\fR\fR\fI = \fR\fIno\fR\fI \fR
+.sp
+Example:
+\fI\fIfss: prune stale\fR\fR\fI = \fR\fIyes\fR\fI \fR
+.RE
+fss: sequence timeout (G)
+.\" fss: sequence timeout
+.PP
+.RS 4
+The File Server Remove VSS Protocol (FSRVP) server includes a message sequence timer to ensure cleanup on unexpected client disconnect\&. This parameter overrides the default timeout between FSRVP operations\&. FSRVP timeouts can be completely disabled via a value of 0\&.
+.sp
+Default:
+\fI\fIfss: sequence timeout\fR\fR\fI = \fR\fI180 or 1800, depending on operation\fR\fI \fR
+.sp
+Example:
+\fI\fIfss: sequence timeout\fR\fR\fI = \fR\fI0\fR\fI \fR
 .RE
 …
 should only be used whenever there is no operating system API available from the OS that samba can use\&.
 .sp
+This option is only available you have compiled Samba with the
+\-\-with\-sys\-quotas
+option or on Linux with
+\-\-with\-quotas
+and a working quota api was found in the system\&.
+This option is only available Samba was compiled with quotas support\&.
 .sp
 This parameter should specify the path to a script that queries the quota information for the specified user/group for the partition that the specified directory is on\&.
 .sp
 Such a script should take 3 arguments:
+Such a script is being given 3 arguments:
 .sp
 .RS 4
 …
 .sp
 .RE
+The type of query can be one of :
+The directory is actually mostly just "\&." \- It needs to be treated relatively to the current working directory that the script can also query\&.
+.sp
+The type of query can be one of:
 .sp
 .RS 4
 …
 .sp
 .RE
 This script should print one line as output with spaces between the arguments\&. The arguments are:
 .sp
 .RS 4
 .ie n \{\
 \h'-04'\(bu\h'+03'\c
 .\}
 .el \{\
 .sp -1
 .IP \(bu 2.3
 .\}
 Arg 1 \- quota flags (0 = no quotas, 1 = quotas enabled, 2 = quotas enabled and enforced)
 .RE
 .sp
 .RS 4
 .ie n \{\
 \h'-04'\(bu\h'+03'\c
 .\}
 .el \{\
 .sp -1
 .IP \(bu 2.3
 .\}
 Arg 2 \- number of currently used blocks
 .RE
 .sp
 .RS 4
 .ie n \{\
 \h'-04'\(bu\h'+03'\c
 .\}
 .el \{\
 .sp -1
 .IP \(bu 2.3
 .\}
 Arg 3 \- the softlimit number of blocks
 .RE
 .sp
 .RS 4
 .ie n \{\
 \h'-04'\(bu\h'+03'\c
 .\}
 .el \{\
 .sp -1
 .IP \(bu 2.3
 .\}
 Arg 4 \- the hardlimit number of blocks
 .RE
 .sp
 .RS 4
 .ie n \{\
 \h'-04'\(bu\h'+03'\c
 .\}
 .el \{\
 .sp -1
 .IP \(bu 2.3
 .\}
 Arg 5 \- currently used number of inodes
 .RE
 .sp
 .RS 4
 .ie n \{\
 \h'-04'\(bu\h'+03'\c
 .\}
 .el \{\
 .sp -1
 .IP \(bu 2.3
 .\}
 Arg 6 \- the softlimit number of inodes
 .RE
 .sp
 .RS 4
 .ie n \{\
 \h'-04'\(bu\h'+03'\c
 .\}
 .el \{\
 .sp -1
 .IP \(bu 2.3
 .\}
 Arg 7 \- the hardlimit number of inodes
 .RE
 .sp
 .RS 4
 .ie n \{\
 \h'-04'\(bu\h'+03'\c
 .\}
 .el \{\
 .sp -1
 .IP \(bu 2.3
 .\}
 Arg 8(optional) \- the number of bytes in a block(default is 1024)
+This script should print one line as output with spaces between the columns\&. The printed columns should be:
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\- quota flags (0 = no quotas, 1 = quotas enabled, 2 = quotas enabled and enforced)
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\- number of currently used blocks
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\- the softlimit number of blocks
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\- the hardlimit number of blocks
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\- currently used number of inodes
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\- the softlimit number of inodes
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\- the hardlimit number of inodes
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+(optional) \- the number of bytes in a block(default is 1024)
 .RE
 .sp
 …
 This parameter prevents clients from seeing the existance of files that cannot be read\&. Defaults to off\&.
 .sp
+Please note that enabling this can slow down listing large directories significantly\&. Samba has to evaluate the ACLs of all directory members, which can be a lot of effort\&.
+.sp
 Default:
 \fI\fIhide unreadable\fR\fR\fI = \fR\fIno\fR\fI \fR
 …
 .RS 4
 This parameter prevents clients from seeing the existance of files that cannot be written to\&. Defaults to off\&. Note that unwriteable directories are shown as usual\&.
+.sp
+Please note that enabling this can slow down listing large directories significantly\&. Samba has to evaluate the ACLs of all directory members, which can be a lot of effort\&.
 .sp
 Default:
 …
 .PP
 .RS 4
 This parameter specifies the number of seconds that Winbind\*(Aqs idmap interface will cache positive SID/uid/gid query results\&.
 .sp
 Default:
 \fI\fIidmap cache time\fR\fR\fI = \fR\fI604800 (one week)\fR\fI \fR
 .RE
 idmap config (G)
 .\" idmap config
+This parameter specifies the number of seconds that Winbind\*(Aqs idmap interface will cache positive SID/uid/gid query results\&. By default, Samba will cache these results for one week\&.
+.sp
+Default:
+\fI\fIidmap cache time\fR\fR\fI = \fR\fI604800\fR\fI \fR
+.RE
+idmap config DOMAIN : OPTION (G)
+.\" idmap config DOMAIN : OPTION
 .PP
 .RS 4
 …
 prefix, followed by a domain name or the asterisk character (*), a colon, and the name of an idmap setting for the chosen domain\&.
 .sp
 The idmap configuration is hence divided into groups, one group for each domain to be configured, and one group with the the asterisk instead of a proper domain name, which speifies the default configuration that is used to catch all domains that do not have an explicit idmap configuration of their own\&.
+The idmap configuration is hence divided into groups, one group for each domain to be configured, and one group with the asterisk instead of a proper domain name, which specifies the default configuration that is used to catch all domains that do not have an explicit idmap configuration of their own\&.
 .sp
 There are three general options available:
 …
 backend = backend_name
 .RS 4
 This specifies the name of the idmap plugin to use as the SID/uid/gid backend for this domain\&. The standard backends are tdb (\fBidmap_tdb\fR(8)), tdb2 (\fBidmap_tdb2\fR(8)), ldap (\fBidmap_ldap\fR(8)), , rid (\fBidmap_rid\fR(8)), , hash (\fBidmap_hash\fR(8)), , autorid (\fBidmap_autorid\fR(8)), , ad (\fBidmap_ad\fR(8)), , adex (\fBidmap_adex\fR(8)), , and nss\&. (\fBidmap_nss\fR(8)), The corresponding manual pages contain the details, but here is a summary\&.
 .sp
 The first three of these create mappings of their own using internal unixid counters and store the mappings in a database\&. These are suitable for use in the default idmap configuration\&. The rid and hash backends use a pure algorithmic calculation to determine the unixid for a SID\&. The autorid module is a mixture of the tdb and rid backend\&. It creates ranges for each domain encountered and then uses the rid algorithm for each of these automatically configured domains individually\&. The ad and adex backends both use unix IDs stored in Active Directory via the standard schema extensions\&. The nss backend reverses the standard winbindd setup and gets the unixids via names from nsswitch which can be useful in an ldap setup\&.
+This specifies the name of the idmap plugin to use as the SID/uid/gid backend for this domain\&. The standard backends are tdb (\fBidmap_tdb\fR(8)), tdb2 (\fBidmap_tdb2\fR(8)), ldap (\fBidmap_ldap\fR(8)), rid (\fBidmap_rid\fR(8)), hash (\fBidmap_hash\fR(8)), autorid (\fBidmap_autorid\fR(8)), ad (\fBidmap_ad\fR(8)) and nss (\fBidmap_nss\fR(8))\&. The corresponding manual pages contain the details, but here is a summary\&.
+.sp
+The first three of these create mappings of their own using internal unixid counters and store the mappings in a database\&. These are suitable for use in the default idmap configuration\&. The rid and hash backends use a pure algorithmic calculation to determine the unixid for a SID\&. The autorid module is a mixture of the tdb and rid backend\&. It creates ranges for each domain encountered and then uses the rid algorithm for each of these automatically configured domains individually\&. The ad backend uses unix ids stored in Active Directory via the standard schema extensions\&. The nss backend reverses the standard winbindd setup and gets the unix ids via names from nsswitch which can be useful in an ldap setup\&.
 .RE
 .PP
 range = low \- high
 .RS 4
 Defines the available matching uid and gid range for which the backend is authoritative\&. For allocating backends, this also defines the start and the end of the range for allocating new unid IDs\&.
+Defines the available matching uid and gid range for which the backend is authoritative\&. For allocating backends, this also defines the start and the end of the range for allocating new unique IDs\&.
 .sp
 winbind uses this parameter to find the backend that is authoritative for a unix ID to SID mapping, so it must be set for each individually configured domain and for the default configuration\&. The configured ranges must be mutually disjoint\&.
 …
 .RE
 include (G)
+include (S)
 .\" include
 .PP
 …
 The ownership of new files and directories is normally governed by effective uid of the connected user\&. This option allows the Samba administrator to specify that the ownership for new files and directories should be controlled by the ownership of the parent directory\&.
 .sp
 Common scenarios where this behavior is useful is in implementing drop\-boxes where users can create and edit files but not delete them and to ensure that newly create files in a user\*(Aqs roaming profile directory are actually owner by the user\&.
+Common scenarios where this behavior is useful is in implementing drop\-boxes, where users can create and edit files but not delete them and ensuring that newly created files in a user\*(Aqs roaming profile directory are actually owned by the user\&.
 .sp
 Default:
 …
 .RE
+init logon delay (G)
+.\" init logon delay
+.PP
+.RS 4
+This parameter specifies a delay in milliseconds for the hosts configured for delayed initial samlogon with
+\m[blue]\fBinit logon delayed hosts\fR\m[]\&.
+.sp
+Default:
+\fI\fIinit logon delay\fR\fR\fI = \fR\fI100\fR\fI \fR
+.RE
 init logon delayed hosts (G)
 .\" init logon delayed hosts
 …
 .RE
-init logon delay (G)
-.\" init logon delay
-.PP
-.RS 4
-This parameter specifies a delay in milliseconds for the hosts configured for delayed initial samlogon with
-\m[blue]\fBinit logon delayed hosts\fR\m[]\&.
-.sp
-Default:
-\fI\fIinit logon delay\fR\fR\fI = \fR\fI100\fR\fI \fR
-.RE
 interfaces (G)
 .\" interfaces
 …
 .sp
 By default Samba enables all active interfaces that are broadcast capable except the loopback adaptor (IP address 127\&.0\&.0\&.1)\&.
+.sp
+In order to support SMB3 multi\-channel configurations, smbd understands some extra data that can be appended after the actual interface with this extended syntax:
+.sp
+interface[;key1=value1[,key2=value2[\&.\&.\&.]]]
+.sp
+Known keys are speed, capability, and if_index\&. Speed is specified in bits per second\&. Known capabilities are RSS and RDMA\&. The if_index should be used with care: the values must not coincide with indexes used by the kernel\&. Note that these options are mainly intended for testing and development rather than for production use\&. At least on Linux systems, these values should be auto\-detected, but the settings can serve as last a resort when autodetection is not working or is not available\&.
 .sp
 The example below configures three network interfaces corresponding to the eth0 device and IP addresses 192\&.168\&.2\&.10 and 192\&.168\&.3\&.10\&. The netmasks of the latter two interfaces would be set to 255\&.255\&.255\&.0\&.
 …
 \m[blue]\fBsocket options\fR\m[])\&. Basically you should only use this option if you strike difficulties\&.
 .sp
+Please note this option only applies to SMB1 client connections, and has no effect on SMB2 clients\&.
+.sp
 Default:
 \fI\fIkeepalive\fR\fR\fI = \fR\fI300\fR\fI \fR
 …
 .sp
 Default:
 \fI\fIkerberos method\fR\fR\fI = \fR\fIsecrets only\fR\fI \fR
 .RE
 kernel change notify (S)
+\fI\fIkerberos method\fR\fR\fI = \fR\fIdefault\fR\fI \fR
+.RE
+kernel change notify (G)
 .\" kernel change notify
 .PP
 …
 .RE
 kernel oplocks (G)
+kernel oplocks (S)
 .\" kernel oplocks
 .PP
 …
 For UNIXes that support kernel based
 \m[blue]\fBoplocks\fR\m[]
 (currently only IRIX and the Linux 2\&.4 kernel), this parameter allows the use of them to be turned on or off\&.
+(currently only IRIX and the Linux 2\&.4 kernel), this parameter allows the use of them to be turned on or off\&. However, this disables Level II oplocks for clients as the Linux and IRIX kernels do not support them properly\&.
 .sp
 Kernel oplocks support allows Samba
 …
 cool feature :\-)\&.
 .sp
+If you do not need this interaction, you should disable the parameter on Linux and IRIX to get Level II oplocks and the associated performance benefit\&.
+.sp
 This parameter defaults to
+\fBon\fR, but is translated to a no\-op on systems that no not have the necessary kernel support\&. You should never need to touch this parameter\&.
+.sp
+Default:
+\fI\fIkernel oplocks\fR\fR\fI = \fR\fIyes\fR\fI \fR
+\fBno\fR
+and is translated to a no\-op on systems that do not have the necessary kernel support\&.
+.sp
+Default:
+\fI\fIkernel oplocks\fR\fR\fI = \fR\fIno\fR\fI \fR
+.RE
+kernel share modes (S)
+.\" kernel share modes
+.PP
+.RS 4
+This parameter controls whether SMB share modes are translated into UNIX flocks\&.
+.sp
+Kernel share modes provide a minimal level of interoperability with local UNIX processes and NFS operations by preventing access with flocks corresponding to the SMB share modes\&. Generally, it is very desirable to leave this enabled\&.
+.sp
+Note that in order to use SMB2 durable file handles on a share, you have to turn kernel share modes off\&.
+.sp
+This parameter defaults to
+\fByes\fR
+and is translated to a no\-op on systems that do not have the necessary kernel flock support\&.
+.sp
+Default:
+\fI\fIkernel share modes\fR\fR\fI = \fR\fIyes\fR\fI \fR
+.RE
+kpasswd port (G)
+.\" kpasswd port
+.PP
+.RS 4
+Specifies which ports the Kerberos server should listen on for password changes\&.
+.sp
+Default:
+\fI\fIkpasswd port\fR\fR\fI = \fR\fI464\fR\fI \fR
+.RE
+krb5 port (G)
+.\" krb5 port
+.PP
+.RS 4
+Specifies which port the KDC should listen on for Kerberos traffic\&.
+.sp
+Default:
+\fI\fIkrb5 port\fR\fR\fI = \fR\fI88\fR\fI \fR
 .RE
 …
 When this parameter is set to
 no
 this will also result in sambaLMPassword in Samba\*(Aqs passdb being blanked after the next password change\&. As a result of that lanman clients won\*(Aqt be able to authenticate, even if lanman auth is reenabled later on\&.
+this will also result in sambaLMPassword in Samba\*(Aqs passdb being blanked after the next password change\&. As a result of that lanman clients won\*(Aqt be able to authenticate, even if lanman auth is re\-enabled later on\&.
 .sp
 Unlike the
 …
 for tracing function calls\&.
 .sp
 The debug ouput from the LDAP libraries appears with the prefix [LDAP] in Samba\*(Aqs logging output\&. The level at which LDAP logging is printed is controlled by the parameter
+The debug output from the LDAP libraries appears with the prefix [LDAP] in Samba\*(Aqs logging output\&. The level at which LDAP logging is printed is controlled by the parameter
 \fIldap debug threshold\fR\&.
 .sp
 …
 .sp
 Default:
 \fI\fIldap page size\fR\fR\fI = \fR\fI1024\fR\fI \fR
+\fI\fIldap page size\fR\fR\fI = \fR\fI1000\fR\fI \fR
 .sp
 Example:
 \fI\fIldap page size\fR\fR\fI = \fR\fI512\fR\fI \fR
+.RE
+ldap password sync
+.\" ldap password sync
+.PP
+.RS 4
+This parameter is a synonym for
+ldap passwd sync\&.
 .RE
 …
 .sp
 To use this option, a basic ldap tree must be provided and the ldap suffix parameters must be properly configured\&. On virgin servers the default users and groups (Administrator, Guest, Domain Users, Domain Admins, Domain Guests) can be precreated with the command
 net sam provision\&. To run this command the ldap server must be running, Winindd must be running and the smb\&.conf ldap options must be properly configured\&. The typical ldap setup used with the
+net sam provision\&. To run this command the ldap server must be running, Winbindd must be running and the smb\&.conf ldap options must be properly configured\&. The typical ldap setup used with the
 \m[blue]\fBldapsam:trusted = yes\fR\m[]
 option is usually sufficient to use
 …
 .RE
+ldap ssl ads (G)
+.\" ldap ssl ads
+.PP
+.RS 4
+This option is used to define whether or not Samba should use SSL when connecting to the ldap server using
+\fIads\fR
+methods\&. Rpc methods are not affected by this parameter\&. Please note, that this parameter won\*(Aqt have any effect if
+\m[blue]\fBldap ssl\fR\m[]
+is set to
+\fIno\fR\&.
+.sp
+See
+smb\&.conf(5)
+for more information on
+\m[blue]\fBldap ssl\fR\m[]\&.
+.sp
+Default:
+\fI\fIldap ssl ads\fR\fR\fI = \fR\fIno\fR\fI \fR
+ldap server require strong auth (G)
+.\" ldap server require strong auth
+.PP
+.RS 4
+The
+\m[blue]\fBldap server require strong auth\fR\m[]
+defines whether the ldap server requires ldap traffic to be signed or signed and encrypted (sealed)\&. Possible values are
+\fIno\fR,
+\fIallow_sasl_over_tls\fR
+and
+\fIyes\fR\&.
+.sp
+A value of
+\fIno\fR
+allows simple and sasl binds over all transports\&.
+.sp
+A value of
+\fIallow_sasl_over_tls\fR
+allows simple and sasl binds (without sign or seal) over TLS encrypted connections\&. Unencrypted connections only allow sasl binds with sign or seal\&.
+.sp
+A value of
+\fIyes\fR
+allows only simple binds over TLS encrypted connections\&. Unencrypted connections only allow sasl binds with sign or seal\&.
+.sp
+Default:
+\fI\fIldap server require strong auth\fR\fR\fI = \fR\fIyes\fR\fI \fR
 .RE
 …
 \fIeither\fR
 this parameter to
+\fIStart_tls\fR
+\fIor\fR
+\fIStart_tls\fR\fIor\fR
 by specifying
 \fIldaps://\fR
 …
 methods\&. To enable the LDAPv3 StartTLS extended operation (RFC2830) for
 \fIads\fR, set
+\m[blue]\fBldap ssl = yes\fR\m[]
+\fIand\fR
+\m[blue]\fBldap ssl ads = yes\fR\m[]\&. See
+\m[blue]\fBldap ssl = yes\fR\m[]\fIand\fR\m[blue]\fBldap ssl ads = yes\fR\m[]\&. See
 smb\&.conf(5)
 for more information on
 …
 Default:
 \fI\fIldap ssl\fR\fR\fI = \fR\fIstart tls\fR\fI \fR
+.RE
+ldap ssl ads (G)
+.\" ldap ssl ads
+.PP
+.RS 4
+This option is used to define whether or not Samba should use SSL when connecting to the ldap server using
+\fIads\fR
+methods\&. Rpc methods are not affected by this parameter\&. Please note, that this parameter won\*(Aqt have any effect if
+\m[blue]\fBldap ssl\fR\m[]
+is set to
+\fIno\fR\&.
+.sp
+See
+smb\&.conf(5)
+for more information on
+\m[blue]\fBldap ssl\fR\m[]\&.
+.sp
+Default:
+\fI\fIldap ssl ads\fR\fR\fI = \fR\fIno\fR\fI \fR
 .RE
 …
 \fBno\fR
 will cause
+nmbd
+\fInever\fR
+nmbd\fInever\fR
 to become a local master browser\&.
 .sp
 …
 .sp
 Default:
 \fI\fIlock directory\fR\fR\fI = \fR\fI${prefix}/var/locks\fR\fI \fR
+\fI\fIlock directory\fR\fR\fI = \fR\fI${prefix}/var/lock\fR\fI \fR
 .sp
 Example:
 …
 Be careful about disabling locking either globally or in a specific service, as lack of locking may result in data corruption\&. You should never need to set this parameter\&.
 .sp
+\fINo default\fR
+.RE
+lock spin count (G)
+.\" lock spin count
+.PP
+.RS 4
+This parameter has been made inoperative in Samba 3\&.0\&.24\&. The functionality it contolled is now controlled by the parameter
+\m[blue]\fBlock spin time\fR\m[]\&.
+.sp
+Default:
+\fI\fIlock spin count\fR\fR\fI = \fR\fI0\fR\fI \fR
+Default:
+\fI\fIlocking\fR\fR\fI = \fR\fIyes\fR\fI \fR
 .RE
 …
 .RE
+logging (G)
+.\" logging
+.PP
+.RS 4
+This parameter configures logging backends\&. Multiple backends can be specified at the same time, with different log levels for each backend\&. The parameter is a list of backends, where each backend is specified as backend[:option][@loglevel]\&.
+.sp
+The \*(Aqoption\*(Aq parameter can be used to pass backend\-specific options\&.
+.sp
+The log level for a backend is optional, if it is not set for a backend, all messages are sent to this backend\&. The parameter
+\m[blue]\fBlog level\fR\m[]
+determines overall log levels, while the log levels specified here define what is sent to the individual backends\&.
+.sp
+When
+\m[blue]\fBlogging\fR\m[]
+is set, it overrides the
+\m[blue]\fBsyslog\fR\m[]
+and
+\m[blue]\fBsyslog only\fR\m[]
+parameters\&.
+.sp
+Some backends are only available when Samba has been compiled with the additional libraries\&. The overall list of logging backends:
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fIsyslog\fR
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fIfile\fR
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fIsystemd\fR
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fIlttng\fR
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fIgpfs\fR
+.RE
+.sp
+.RE
+Default:
+\fI\fIlogging\fR\fR\fI = \fR\fI\fR\fI \fR
+.sp
+Example:
+\fI\fIlogging\fR\fR\fI = \fR\fIsyslog@1 file\fR\fI \fR
+.RE
 debuglevel
 .\" debuglevel
 …
 file\&.
 .sp
 This parameter has been extended since the 2\&.2\&.x series, now it allows to specify the debug level for multiple debug classes\&. This is to give greater flexibility in the configuration of the system\&. The following debug classes are currently implemented:
+This parameter has been extended since the 2\&.2\&.x series, now it allows one to specify the debug level for multiple debug classes\&. This is to give greater flexibility in the configuration of the system\&. The following debug classes are currently implemented:
 .sp
 .RS 4
 …
 Example:
 \fI\fIlog level\fR\fR\fI = \fR\fI3 passdb:5 auth:10 winbind:2\fR\fI \fR
+.RE
+log nt token command (G)
+.\" log nt token command
+.PP
+.RS 4
+This option can be set to a command that will be called when new nt tokens are created\&.
+.sp
+This is only useful for development purposes\&.
+.sp
+Default:
+\fI\fIlog nt token command\fR\fR\fI = \fR\fI\fR\fI \fR
 .RE
 …
 This parameter specifies the home directory location when a Win95/98 or NT Workstation logs into a Samba PDC\&. It allows you to do
 .sp
 C:\e>\fBNET USE H: /HOME\fR
 .sp
 …
 This parameter can be used with Win9X workstations to ensure that roaming profiles are stored in a subdirectory of the user\*(Aqs home directory\&. This is done in the following way:
 .sp
 logon home = \e\e%N\e%U\eprofile
 .sp
 …
 Note that it is good practice to include the absolute path in the lppause command as the PATH may not be available to the server\&.
 .sp
+Default:
+\fI\fIlppause command\fR\fR\fI = \fR\fI # Currently no default value is given to this string, unless the value of the \m[blue]\fBprinting\fR\m[] parameter is \fBSYSV\fR, in which case the default is : lp \-i %p\-%j \-H hold or if the value of the \fIprinting\fR parameter is \fBSOFTQ\fR, then the default is: qstat \-s \-j%j \-h\&. \fR\fI \fR
+Currently no default value is given to this string, unless the value of the
+\m[blue]\fBprinting\fR\m[]
+parameter is
+\fBSYSV\fR, in which case the default is :
+lp \-i %p\-%j \-H hold
+or if the value of the
+\fIprinting\fR
+parameter is
+\fBSOFTQ\fR, then the default is:
+qstat \-s \-j%j \-h\&.
+.sp
+Default:
+\fI\fIlppause command\fR\fR\fI = \fR\fI # determined by printing parameter\fR\fI \fR
 .sp
 Example:
 …
 .sp
 Default:
 \fI\fIlpq command\fR\fR\fI = \fR\fI\fR\fI \fR
+\fI\fIlpq command\fR\fR\fI = \fR\fI # determined by printing parameter\fR\fI \fR
 .sp
 Example:
 …
 qstat \-s \-j%j \-r
 .sp
+\fINo default\fR
+Default:
+\fI\fIlpresume command\fR\fR\fI = \fR\fI # determined by printing parameter\fR\fI \fR
 .sp
 Example:
 …
 .sp
 Default:
 \fI\fIlprm command\fR\fR\fI = \fR\fI determined by printing parameter\fR\fI \fR
+\fI\fIlprm command\fR\fR\fI = \fR\fI # determined by printing parameter\fR\fI \fR
 .RE
 …
 .PP
 .RS 4
 If a Samba server is a member of a Windows NT Domain (see the
+If a Samba server is a member of a Windows NT or Active Directory Domain (see the
 \m[blue]\fBsecurity = domain\fR\m[]
+parameter) then periodically a running smbd process will try and change the MACHINE ACCOUNT PASSWORD stored in the TDB called
+private/secrets\&.tdb\&. This parameter specifies how often this password will be changed, in seconds\&. The default is one week (expressed in seconds), the same as a Windows NT Domain member server\&.
+and
+\m[blue]\fBsecurity = ads\fR\m[]
+parameters), then periodically a running winbindd process will try and change the MACHINE ACCOUNT PASSWORD stored in the TDB called
+secrets\&.tdb\&. This parameter specifies how often this password will be changed, in seconds\&. The default is one week (expressed in seconds), the same as a Windows NT Domain member server\&.
 .sp
 See also
 \fBsmbpasswd\fR(8), and the
 \m[blue]\fBsecurity = domain\fR\m[]
+parameter\&.
+and
+\m[blue]\fBsecurity = ads\fR\m[]
+parameters\&.
 .sp
 Default:
 …
 .RE
 Default:
 \fI\fImagic output\fR\fR\fI = \fR\fI<magic script name>\&.out\fR\fI \fR
+\fI\fImagic output\fR\fR\fI = \fR\fI # <magic script name>\&.out\fR\fI \fR
 .sp
 Example:
 …
 .PP
 .RS 4
 controls the algorithm used for the generating the mangled names\&. Can take two different values, "hash" and "hash2"\&. "hash" is the algorithm that was used used in Samba for many years and was the default in Samba 2\&.2\&.x "hash2" is now the default and is newer and considered a better algorithm (generates less collisions) in the names\&. Many Win32 applications store the mangled names and so changing to algorithms must not be done lightly as these applications may break unless reinstalled\&.
+controls the algorithm used for the generating the mangled names\&. Can take two different values, "hash" and "hash2"\&. "hash" is the algorithm that was used in Samba for many years and was the default in Samba 2\&.2\&.x "hash2" is now the default and is newer and considered a better algorithm (generates less collisions) in the names\&. Many Win32 applications store the mangled names and so changing to algorithms must not be done lightly as these applications may break unless reinstalled\&.
 .sp
 Default:
 …
 .RS 4
 This controls whether the DOS archive attribute should be mapped to the UNIX owner execute bit\&. The DOS archive bit is set when a file has been modified since its last backup\&. One motivation for this option is to keep Samba/your PC from making any file it touches from becoming executable under UNIX\&. This can be quite annoying for shared source code, documents, etc\&.\&.\&.
+.sp
+Note that this parameter will be ignored if the
+\m[blue]\fBstore dos attributes\fR\m[]
+parameter is set, as the DOS archive attribute will then be stored inside a UNIX extended attribute\&.
 .sp
 Note that this requires the
 …
 This controls whether DOS style hidden files should be mapped to the UNIX world execute bit\&.
 .sp
+Note that this parameter will be ignored if the
+\m[blue]\fBstore dos attributes\fR\m[]
+parameter is set, as the DOS hidden attribute will then be stored inside a UNIX extended attribute\&.
+.sp
 Note that this requires the
 \m[blue]\fBcreate mask\fR\m[]
 …
 for details\&.
 .sp
+\fINo default\fR
+Default:
+\fI\fImap hidden\fR\fR\fI = \fR\fIno\fR\fI \fR
 .RE
 …
 .IP \(bu 2.3
 .\}
 \fBYes\fR
 \- The read only DOS attribute is mapped to the inverse of the user or owner write bit in the unix permission mode set\&. If the owner write bit is not set, the read only attribute is reported as being set on the file\&. If the read only DOS attribute is set, Samba sets the owner, group and others write bits to zero\&. Write bits set in an ACL are ignored by Samba\&. If the read only DOS attribute is unset, Samba simply sets the write bit of the owner to one\&.
 …
 .IP \(bu 2.3
 .\}
 \fBPermissions\fR
 \- The read only DOS attribute is mapped to the effective permissions of the connecting user, as evaluated by
 …
 .IP \(bu 2.3
 .\}
 \fBNo\fR
 \- The read only DOS attribute is unaffected by permissions, and can only be set by the
 …
 .sp
 .RE
+Note that this parameter will be ignored if the
+\m[blue]\fBstore dos attributes\fR\m[]
+parameter is set, as the DOS \*(Aqread\-only\*(Aq attribute will then be stored inside a UNIX extended attribute\&.
+.sp
 Default:
 \fI\fImap readonly\fR\fR\fI = \fR\fIyes\fR\fI \fR
 …
 .RS 4
 This controls whether DOS style system files should be mapped to the UNIX group execute bit\&.
+.sp
+Note that this parameter will be ignored if the
+\m[blue]\fBstore dos attributes\fR\m[]
+parameter is set, as the DOS system attribute will then be stored inside a UNIX extended attribute\&.
 .sp
 Note that this requires the
 …
 .PP
 .RS 4
-This parameter is only useful in
-\m[blue]\fBSECURITY = security\fR\m[]
-modes other than
-\fIsecurity = share\fR
-and
-\fIsecurity = server\fR
-\- i\&.e\&.
-\fBuser\fR, and
-\fBdomain\fR\&.
-.sp
 This parameter can take four different values, which tell
 \fBsmbd\fR(8)
 …
 .sp
 .RE
+Note that this parameter is needed to set up "Guest" share services when using
+\fIsecurity\fR
+modes other than share and server\&. This is because in these modes the name of the resource being requested is
+Note that this parameter is needed to set up "Guest" share services\&. This is because in these modes the name of the resource being requested is
 \fInot\fR
+sent to the server until after the server has successfully authenticated the client so the server cannot make authentication decisions at the correct time (connection to the share) for "Guest" shares\&. This parameter is not useful with
+\fIsecurity = server\fR
+as in this security mode no information is returned about whether a user logon failed due to a bad username or bad password, the same error is returned from a modern server in both cases\&.
+.sp
+For people familiar with the older Samba releases, this parameter maps to the old compile\-time setting of the
+\fB GUEST_SESSSETUP\fR
+value in local\&.h\&.
+sent to the server until after the server has successfully authenticated the client so the server cannot make authentication decisions at the correct time (connection to the share) for "Guest" shares\&.
 .sp
 Default:
 …
 This parameter limits the maximum number of open files that one
 \fBsmbd\fR(8)
 file serving process may have open for a client at any one time\&. The This parameter can be set very high (16404) as Samba uses only one bit per unopened file\&. Setting this parameter lower than 16404 will cause Samba to complain and set this value back to the minimum of 16404, as Windows 7 depends on this number of open file handles being available\&.
+file serving process may have open for a client at any one time\&. This parameter can be set very high (16384) as Samba uses only one bit per unopened file\&. Setting this parameter lower than 16384 will cause Samba to complain and set this value back to the minimum of 16384, as Windows 7 depends on this number of open file handles being available\&.
 .sp
 The limit of the number of open files is usually set by the UNIX per\-process file descriptor limit rather than this parameter so you should never need to touch this parameter\&.
 .sp
 Default:
 \fI\fImax open files\fR\fR\fI = \fR\fI16404\fR\fI \fR
+\fI\fImax open files\fR\fR\fI = \fR\fI16384\fR\fI \fR
 .RE
 …
 Example:
 \fI\fImax print jobs\fR\fR\fI = \fR\fI5000\fR\fI \fR
-.RE
-protocol
-.\" protocol
-.PP
-.RS 4
-This parameter is a synonym for
-max protocol\&.
-.RE
-max protocol (G)
-.\" max protocol
-.PP
-.RS 4
-The value of the parameter (a string) is the highest protocol level that will be supported by the server\&.
-.sp
-Possible values are :
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-\fBCORE\fR: Earliest version\&. No concept of user names\&.
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-\fBCOREPLUS\fR: Slight improvements on CORE for efficiency\&.
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-\fBLANMAN1\fR: First
-\fI modern\fR
-version of the protocol\&. Long filename support\&.
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-\fBLANMAN2\fR: Updates to Lanman1 protocol\&.
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-\fBNT1\fR: Current up to date version of the protocol\&. Used by Windows NT\&. Known as CIFS\&.
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-\fBSMB2\fR: Re\-implementation of the SMB protocol\&. Used by Windows Vista and newer\&.
-.RE
-.sp
-.RE
-Normally this option should not be set as the automatic negotiation phase in the SMB protocol takes care of choosing the appropriate protocol\&.
-.sp
-Default:
-\fI\fImax protocol\fR\fR\fI = \fR\fINT1\fR\fI \fR
-.sp
-Example:
-\fI\fImax protocol\fR\fR\fI = \fR\fILANMAN1\fR\fI \fR
 .RE
 …
 .RE
-min protocol (G)
-.\" min protocol
-.PP
-.RS 4
-The value of the parameter (a string) is the lowest SMB protocol dialect than Samba will support\&. Please refer to the
-\m[blue]\fBmax protocol\fR\m[]
-parameter for a list of valid protocol names and a brief description of each\&. You may also wish to refer to the C source code in
-source/smbd/negprot\&.c
-for a listing of known protocol dialects supported by clients\&.
-.sp
-If you are viewing this parameter as a security measure, you should also refer to the
-\m[blue]\fBlanman auth\fR\m[]
-parameter\&. Otherwise, you should never need to change this parameter\&.
-.sp
-Default:
-\fI\fImin protocol\fR\fR\fI = \fR\fICORE\fR\fI \fR
-.sp
-Example:
-\fI\fImin protocol\fR\fR\fI = \fR\fINT1\fR\fI \fR
-.RE
 min receivefile size (G)
 .\" min receivefile size
 …
 Note this option will have NO EFFECT if set on a SMB signed connection\&.
 .sp
 The default is zero, which diables this option\&.
+The default is zero, which disables this option\&.
 .sp
 Default:
 …
 .PP
 .RS 4
 This parameter indicates that the share is a stand\-in for another CIFS share whose location is specified by the value of the parameter\&. When clients attempt to connect to this share, they are redirected to the proxied share using the SMB\-Dfs protocol\&.
+This parameter indicates that the share is a stand\-in for another CIFS share whose location is specified by the value of the parameter\&. When clients attempt to connect to this share, they are redirected to one or multiple, comma separated proxied shares using the SMB\-Dfs protocol\&.
 .sp
 Only Dfs roots can act as proxy shares\&. Take a look at the
 …
 .sp
 Example:
 \fI\fImsdfs proxy\fR\fR\fI = \fR\fI\eotherserver\esomeshare\fR\fI \fR
+\fI\fImsdfs proxy\fR\fR\fI = \fR\fI\eotherserver\esomeshare,\eotherserver2\esomeshare\fR\fI \fR
 .RE
 …
 .RE
+msdfs shuffle referrals (S)
+.\" msdfs shuffle referrals
+.PP
+.RS 4
+If set to
+\fByes\fR, Samba will shuffle Dfs referrals for a given Dfs link if multiple are available, allowing for load balancing across clients\&. For more information on setting up a Dfs tree on Samba, refer to the MSDFS chapter in the Samba3\-HOWTO book\&.
+.sp
+Default:
+\fI\fImsdfs shuffle referrals\fR\fR\fI = \fR\fIno\fR\fI \fR
+.RE
 multicast dns register (G)
 .\" multicast dns register
 …
 .IP \(bu 2.3
 .\}
 \fBlmhosts\fR
 : Lookup an IP address in the Samba lmhosts file\&. If the line in lmhosts has no name type attached to the NetBIOS name (see the manpage for lmhosts for details) then any name type matches for lookup\&.
 …
 .IP \(bu 2.3
 .\}
 \fBhost\fR
 : Do a standard host name to IP address resolution, using the system
 …
 .RE
+socket address
+.\" socket address
+.PP
+.RS 4
+This parameter is a synonym for
+nbt client socket address\&.
+.RE
+nbt client socket address (G)
+.\" nbt client socket address
+.PP
+.RS 4
+This option allows you to control what address Samba will send NBT client packets from, and process replies using, including in nmbd\&.
+.sp
+Setting this option should never be necessary on usual Samba servers running only one nmbd\&.
+.sp
+By default Samba will send UDP packets from the OS default address for the destination, and accept replies on 0\&.0\&.0\&.0\&.
+.sp
+This parameter is deprecated\&. See
+\m[blue]\fBbind interfaces only = Yes\fR\m[]
+and
+\m[blue]\fBinterfaces\fR\m[]
+for the previous behaviour of controlling the normal listening sockets\&.
+.sp
+Default:
+\fI\fInbt client socket address\fR\fR\fI = \fR\fI0\&.0\&.0\&.0\fR\fI \fR
+.sp
+Example:
+\fI\fInbt client socket address\fR\fR\fI = \fR\fI192\&.168\&.2\&.20\fR\fI \fR
+.RE
+nbt port (G)
+.\" nbt port
+.PP
+.RS 4
+Specifies which port the server should use for NetBIOS over IP name services traffic\&.
+.sp
+Default:
+\fI\fInbt port\fR\fR\fI = \fR\fI137\fR\fI \fR
+.RE
 ncalrpc dir (G)
 .\" ncalrpc dir
 …
 This directory will hold a series of named pipes to allow RPC over inter\-process communication\&.
 .sp
+\&.
+        This will allow Samba and other unix processes to interact over DCE/RPC without using TCP/IP\&. Additionally a sub\-directory \*(Aqnp\*(Aq has restricted permissions, and allows a trusted communication channel between Samba processes
+.sp
+Default:
+\fI\fIncalrpc dir\fR\fR\fI = \fR\fI${prefix}/var/ncalrpc\fR\fI \fR
+This will allow Samba and other unix processes to interact over DCE/RPC without using TCP/IP\&. Additionally a sub\-directory \*(Aqnp\*(Aq has restricted permissions, and allows a trusted communication channel between Samba processes
+.sp
+Default:
+\fI\fIncalrpc dir\fR\fR\fI = \fR\fI${prefix}/var/run/ncalrpc\fR\fI \fR
 .sp
 Example:
 …
 This sets the NetBIOS name by which a Samba server is known\&. By default it is the same as the first component of the host\*(Aqs DNS name\&. If a machine is a browse server or logon server this name (or the first component of the hosts DNS name) will be the name that these services are advertised under\&.
 .sp
+There is a bug in Samba\-3 that breaks operation of browsing and access to shares if the netbios name is set to the literal name
+PIPE\&. To avoid this problem, do not name your Samba\-3 server
+Note that the maximum length for a NetBIOS name is 15 charactars\&.
+.sp
+There is a bug in Samba that breaks operation of browsing and access to shares if the netbios name is set to the literal name
+PIPE\&. To avoid this problem, do not name your Samba server
 PIPE\&.
 .sp
 …
 .RE
+nis homedir (G)
+.\" nis homedir
+neutralize nt4 emulation (G)
+.\" neutralize nt4 emulation
+.PP
+.RS 4
+This option controls whether winbindd sends the NETLOGON_NEG_NEUTRALIZE_NT4_EMULATION flag in order to bypass the NT4 emulation of a domain controller\&.
+.sp
+Typically you should not need set this\&. It can be useful for upgrades from NT4 to AD domains\&.
+.sp
+The behavior can be controlled per netbios domain by using \*(Aqneutralize nt4 emulation:NETBIOSDOMAIN = yes\*(Aq as option\&.
+.sp
+Default:
+\fI\fIneutralize nt4 emulation\fR\fR\fI = \fR\fIno\fR\fI \fR
+.RE
+NIS homedir (G)
+.\" NIS homedir
 .PP
 .RS 4
 …
 .sp
 Default:
 \fI\fInis homedir\fR\fR\fI = \fR\fIno\fR\fI \fR
+\fI\fINIS homedir\fR\fR\fI = \fR\fIno\fR\fI \fR
 .RE
 …
 .RE
+nsupdate command (G)
+.\" nsupdate command
+.PP
+.RS 4
+This option sets the path to the
+nsupdate
+command which is used for GSS\-TSIG dynamic DNS updates\&.
+.sp
+Default:
+\fI\fInsupdate command\fR\fR\fI = \fR\fI/usr/bin/nsupdate \-g\fR\fI \fR
+.RE
 nt acl support (S)
 .\" nt acl support
 …
 This boolean parameter controls whether
 \fBsmbd\fR(8)
 will attempt to map UNIX permissions into Windows NT access control lists\&. The UNIX permissions considered are the the traditional UNIX owner and group permissions, as well as POSIX ACLs set on any files or directories\&. This parameter was formally a global parameter in releases prior to 2\&.2\&.2\&.
+will attempt to map UNIX permissions into Windows NT access control lists\&. The UNIX permissions considered are the traditional UNIX owner and group permissions, as well as POSIX ACLs set on any files or directories\&. This parameter was formally a global parameter in releases prior to 2\&.2\&.2\&.
 .sp
 Default:
 …
 .RE
+ntp signd socket directory (G)
+.\" ntp signd socket directory
+.PP
+.RS 4
+This setting controls the location of the socket that the NTP daemon uses to communicate with Samba for signing packets\&.
+.sp
+If a non\-default path is specified here, then it is also necessary to make NTP aware of the new path using the
+\fBntpsigndsocket\fR
+directive in
+ntp\&.conf\&.
+.sp
+Default:
+\fI\fIntp signd socket directory\fR\fR\fI = \fR\fI${prefix}/var/lib/ntp_signd\fR\fI \fR
+.RE
 nt status support (G)
 .\" nt status support
 …
 .RE
+ntvfs handler (S)
+.\" ntvfs handler
+.PP
+.RS 4
+This specifies the NTVFS handlers for this share\&.
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+posix: Maps POSIX FS semantics to NT semantics
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+unixuid: Sets up user credentials based on POSIX gid/uid\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+cifs: Proxies a remote CIFS FS\&. Mainly useful for testing\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+nbench: Filter module that saves data useful to the nbench benchmark suite\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+ipc: Allows using SMB for inter process communication\&. Only used for the IPC$ share\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+posix: Maps POSIX FS semantics to NT semantics
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+print: Allows printing over SMB\&. This is LANMAN\-style printing, not the be confused with the spoolss DCE/RPC interface used by later versions of Windows\&.
+.RE
+.sp
+.RE
+Note that this option is only used when the NTVFS file server is in use\&. It is not used with the (default) s3fs file server\&.
+.sp
+Default:
+\fI\fIntvfs handler\fR\fR\fI = \fR\fIunixuid, default\fR\fI \fR
+.RE
 null passwords (G)
 .\" null passwords
 …
 .RE
+old password allowed period (G)
+.\" old password allowed period
+.PP
+.RS 4
+Number of minutes to permit an NTLM login after a password change or reset using the old password\&. This allows the user to re\-cache the new password on multiple clients without disrupting a network reconnection in the meantime\&.
+.sp
+This parameter only applies when
+\m[blue]\fBserver role\fR\m[]
+is set to Active Directory Domain Controller
+.sp
+Default:
+\fI\fIold password allowed period\fR\fR\fI = \fR\fI60\fR\fI \fR
+.RE
 only user (S)
 .\" only user
 .PP
 .RS 4
+This is a boolean option that controls whether connections with usernames not in the
+\fIuser\fR
+list will be allowed\&. By default this option is disabled so that a client can supply a username to be used by the server\&. Enabling this parameter will force the server to only use the login names from the
+\fIuser\fR
+list and is only really useful in
+\m[blue]\fBsecurity = share\fR\m[]
+level security\&.
+.sp
+Note that this also means Samba won\*(Aqt try to deduce usernames from the service name\&. This can be annoying for the [homes] section\&. To get around this you could use
+user = %S
+which means your
+\fIuser\fR
+list will be just the service name, which for home directories is the name of the user\&.
+To restrict a service to a particular set of users you can use the
+\m[blue]\fBvalid users\fR\m[]
+parameter\&.
+.sp
+This parameter is deprecated
+.sp
+However, it currently operates only in conjunction with
+\m[blue]\fBusername\fR\m[]\&. The supported way to restrict a service to a particular set of users is the
+\m[blue]\fBvalid users\fR\m[]
+parameter\&.
 .sp
 Default:
 …
 .RE
-paranoid server security (G)
-.\" paranoid server security
-.PP
-.RS 4
-Some version of NT 4\&.x allow non\-guest users with a bad passowrd\&. When this option is enabled, samba will not use a broken NT 4\&.x server as password server, but instead complain to the logs and exit\&.
-.sp
-Disabling this option prevents Samba from making this check, which involves deliberatly attempting a bad logon to the remote server\&.
-.sp
-Default:
-\fI\fIparanoid server security\fR\fR\fI = \fR\fIyes\fR\fI \fR
-.RE
 passdb backend (G)
 .\" passdb backend
 …
 Default:
 \fI\fIpassdb expand explicit\fR\fR\fI = \fR\fIno\fR\fI \fR
+.RE
+passwd chat (G)
+.\" passwd chat
+.PP
+.RS 4
+This string controls the
+\fI"chat"\fR
+conversation that takes places between
+\fBsmbd\fR(8)
+and the local password changing program to change the user\*(Aqs password\&. The string describes a sequence of response\-receive pairs that
+\fBsmbd\fR(8)
+uses to determine what to send to the
+\m[blue]\fBpasswd program\fR\m[]
+and what to expect back\&. If the expected output is not received then the password is not changed\&.
+.sp
+This chat sequence is often quite site specific, depending on what local methods are used for password control (such as NIS etc)\&.
+.sp
+Note that this parameter only is used if the
+\m[blue]\fBunix password sync\fR\m[]
+parameter is set to
+\fByes\fR\&. This sequence is then called
+\fIAS ROOT\fR
+when the SMB password in the smbpasswd file is being changed, without access to the old password cleartext\&. This means that root must be able to reset the user\*(Aqs password without knowing the text of the previous password\&. In the presence of NIS/YP, this means that the
+\m[blue]\fBpasswd program\fR\m[]
+must be executed on the NIS master\&.
+.sp
+The string can contain the macro
+\fI%n\fR
+which is substituted for the new password\&. The old passsword (\fI%o\fR) is only available when
+\m[blue]\fBencrypt passwords\fR\m[]
+has been disabled\&. The chat sequence can also contain the standard macros \en, \er, \et and \es to give line\-feed, carriage\-return, tab and space\&. The chat sequence string can also contain a \*(Aq*\*(Aq which matches any sequence of characters\&. Double quotes can be used to collect strings with spaces in them into a single string\&.
+.sp
+If the send string in any part of the chat sequence is a full stop "\&.", then no string is sent\&. Similarly, if the expect string is a full stop then no string is expected\&.
+.sp
+If the
+\m[blue]\fBpam password change\fR\m[]
+parameter is set to
+\fByes\fR, the chat pairs may be matched in any order, and success is determined by the PAM result, not any particular output\&. The \en macro is ignored for PAM conversions\&.
+.sp
+Default:
+\fI\fIpasswd chat\fR\fR\fI = \fR\fI*new*password* %n\en *new*password* %n\en *changed*\fR\fI \fR
+.sp
+Example:
+\fI\fIpasswd chat\fR\fR\fI = \fR\fI"*Enter NEW password*" %n\en "*Reenter NEW password*" %n\en "*Password changed*"\fR\fI \fR
 .RE
 …
 .RE
-passwd chat (G)
-.\" passwd chat
-.PP
-.RS 4
-This string controls the
-\fI"chat"\fR
-conversation that takes places between
-\fBsmbd\fR(8)
-and the local password changing program to change the user\*(Aqs password\&. The string describes a sequence of response\-receive pairs that
-\fBsmbd\fR(8)
-uses to determine what to send to the
-\m[blue]\fBpasswd program\fR\m[]
-and what to expect back\&. If the expected output is not received then the password is not changed\&.
-.sp
-This chat sequence is often quite site specific, depending on what local methods are used for password control (such as NIS etc)\&.
-.sp
-Note that this parameter only is used if the
-\m[blue]\fBunix password sync\fR\m[]
-parameter is set to
-\fByes\fR\&. This sequence is then called
-\fIAS ROOT\fR
-when the SMB password in the smbpasswd file is being changed, without access to the old password cleartext\&. This means that root must be able to reset the user\*(Aqs password without knowing the text of the previous password\&. In the presence of NIS/YP, this means that the
-\m[blue]\fBpasswd program\fR\m[]
-must be executed on the NIS master\&.
-.sp
-The string can contain the macro
-\fI%n\fR
-which is substituted for the new password\&. The old passsword (\fI%o\fR) is only available when
-\m[blue]\fBencrypt passwords\fR\m[]
-has been disabled\&. The chat sequence can also contain the standard macros \en, \er, \et and \es to give line\-feed, carriage\-return, tab and space\&. The chat sequence string can also contain a \*(Aq*\*(Aq which matches any sequence of characters\&. Double quotes can be used to collect strings with spaces in them into a single string\&.
-.sp
-If the send string in any part of the chat sequence is a full stop "\&.", then no string is sent\&. Similarly, if the expect string is a full stop then no string is expected\&.
-.sp
-If the
-\m[blue]\fBpam password change\fR\m[]
-parameter is set to
-\fByes\fR, the chat pairs may be matched in any order, and success is determined by the PAM result, not any particular output\&. The \en macro is ignored for PAM conversions\&.
-.sp
-Default:
-\fI\fIpasswd chat\fR\fR\fI = \fR\fI*new*password* %n\en*new*password* %n\en *changed*\fR\fI \fR
-.sp
-Example:
-\fI\fIpasswd chat\fR\fR\fI = \fR\fI"*Enter NEW password*" %n\en "*Reenter NEW password*" %n\en "*Password changed*"\fR\fI \fR
-.RE
 passwd program (G)
 .\" passwd program
 …
 .RE
-password level (G)
-.\" password level
-.PP
-.RS 4
-Some client/server combinations have difficulty with mixed\-case passwords\&. One offending client is Windows for Workgroups, which for some reason forces passwords to upper case when using the LANMAN1 protocol, but leaves them alone when using COREPLUS! Another problem child is the Windows 95/98 family of operating systems\&. These clients upper case clear text passwords even when NT LM 0\&.12 selected by the protocol negotiation request/response\&.
-.sp
-This deprecated parameter defines the maximum number of characters that may be upper case in passwords\&.
-.sp
-For example, say the password given was "FRED"\&. If
-\fI password level\fR
-is set to 1, the following combinations would be tried if "FRED" failed:
-.sp
-"Fred", "fred", "fRed", "frEd","freD"
-.sp
-If
-\fIpassword level\fR
-was set to 2, the following combinations would also be tried:
-.sp
-"FRed", "FrEd", "FreD", "fREd", "fReD", "frED", \&.\&.
-.sp
-And so on\&.
-.sp
-The higher value this parameter is set to the more likely it is that a mixed case password will be matched against a single case password\&. However, you should be aware that use of this parameter reduces security and increases the time taken to process a new connection\&.
-.sp
-A value of zero will cause only two attempts to be made \- the password as is and the password in all\-lower case\&.
-.sp
-This parameter is used only when using plain\-text passwords\&. It is not at all used when encrypted passwords as in use (that is the default since samba\-3\&.0\&.0)\&. Use this only when
-\m[blue]\fBencrypt passwords = No\fR\m[]\&.
-.sp
-Default:
-\fI\fIpassword level\fR\fR\fI = \fR\fI0\fR\fI \fR
-.sp
-Example:
-\fI\fIpassword level\fR\fR\fI = \fR\fI4\fR\fI \fR
-.RE
 password server (G)
 .\" password server
 .PP
 .RS 4
 By specifying the name of another SMB server or Active Directory domain controller with this option, and using
 security = [ads|domain|server]
+By specifying the name of a domain controller with this option, and using
+security = [ads|domain]
 it is possible to get Samba to do all its username/password validation using a specific remote server\&.
 .sp
+If the
+\fIsecurity\fR
+parameter is set to
+\fBdomain\fR
+or
+\fBads\fR, then this option
+Ideally, this option
 \fIshould not\fR
 be used, as the default \*(Aq*\*(Aq indicates to Samba to determine the best DC to contact dynamically, just as all other hosts in an AD domain do\&. This allows the domain to be maintained without modification to the smb\&.conf file\&. The cryptograpic protection on the authenticated RPC calls used to verify passwords ensures that this default is safe\&.
+be used, as the default \*(Aq*\*(Aq indicates to Samba to determine the best DC to contact dynamically, just as all other hosts in an AD domain do\&. This allows the domain to be maintained (addition and removal of domain controllers) without modification to the smb\&.conf file\&. The cryptographic protection on the authenticated RPC calls used to verify passwords ensures that this default is safe\&.
 .sp
 \fIIt is strongly recommended that you use the default of \*(Aq*\*(Aq\fR, however if in your particular environment you have reason to specify a particular DC list, then the list of machines in this option must be a list of names or IP addresses of Domain controllers for the Domain\&. If you use the default of \*(Aq*\*(Aq, or list several hosts in the
 …
 and so may resolved by any method and order described in that parameter\&.
 .sp
-If the
-\fIsecurity\fR
-parameter is set to
-\fBserver\fR, these additional restrictions apply:
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-You may list several password servers in the
-\fIpassword server\fR
-parameter, however if an
-smbd
-makes a connection to a password server, and then the password server fails, no more users will be able to be authenticated from this
-smbd\&. This is a restriction of the SMB/CIFS protocol when in
-security = server
-mode and cannot be fixed in Samba\&.
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-You will have to ensure that your users are able to login from the Samba server, as when in
-security = server
-mode the network logon will appear to come from the Samba server rather than from the users workstation\&.
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-The client must not select NTLMv2 authentication\&.
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-The password server must be a machine capable of using the "LM1\&.2X002" or the "NT LM 0\&.12" protocol, and it must be in user level security mode\&.
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-Using a password server means your UNIX box (running Samba) is only as secure as (a host masqurading as) your password server\&.
-\fIDO NOT CHOOSE A PASSWORD SERVER THAT YOU DON\*(AqT COMPLETELY TRUST\fR\&.
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-Never point a Samba server at itself for password serving\&. This will cause a loop and could lock up your Samba server!
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-The name of the password server takes the standard substitutions, but probably the only useful one is
-\fI%m \fR, which means the Samba server will use the incoming client as the password server\&. If you use this then you better trust your clients, and you had better restrict them with hosts allow!
-.RE
-.sp
-.RE
 Default:
 \fI\fIpassword server\fR\fR\fI = \fR\fI*\fR\fI \fR
 …
 .sp
 Default:
 \fI\fIpid directory\fR\fR\fI = \fR\fI${prefix}/var/locks\fR\fI \fR
 .sp
 Example:
 \fI\fIpid directory\fR\fR\fI = \fR\fIpid directory = /var/run/\fR\fI \fR
+\fI\fIpid directory\fR\fR\fI = \fR\fI${prefix}/var/run\fR\fI \fR
+.sp
+Example:
+\fI\fIpid directory\fR\fR\fI = \fR\fI/var/run/\fR\fI \fR
 .RE
 …
 .RE
-preexec close (S)
-.\" preexec close
-.PP
-.RS 4
-This boolean option controls whether a non\-zero return code from
-\m[blue]\fBpreexec\fR\m[]
-should close the service being connected to\&.
-.sp
-Default:
-\fI\fIpreexec close\fR\fR\fI = \fR\fIno\fR\fI \fR
-.RE
 exec
 .\" exec
 …
 An interesting example is to send the users a welcome message every time they log in\&. Maybe a message of the day? Here is an example:
 .sp
 preexec = csh \-c \*(Aqecho \e"Welcome to %S!\e" | /usr/local/samba/bin/smbclient \-M %m \-I %I\*(Aq &
 .sp
 …
 Example:
 \fI\fIpreexec\fR\fR\fI = \fR\fIecho \e"%u connected to %S from %m (%I)\e" >> /tmp/log\fR\fI \fR
+.RE
+preexec close (S)
+.\" preexec close
+.PP
+.RS 4
+This boolean option controls whether a non\-zero return code from
+\m[blue]\fBpreexec\fR\m[]
+should close the service being connected to\&.
+.sp
+Default:
+\fI\fIpreexec close\fR\fR\fI = \fR\fIno\fR\fI \fR
 .RE
 …
 .RE
-auto services
-.\" auto services
-.PP
-.RS 4
-This parameter is a synonym for
-preload\&.
-.RE
-preload (G)
-.\" preload
-.PP
-.RS 4
-This is a list of services that you want to be automatically added to the browse lists\&. This is most useful for homes and printers services that would otherwise not be visible\&.
-.sp
-Note that if you just want all printers in your printcap file loaded then the
-\m[blue]\fBload printers\fR\m[]
-option is easier\&.
-.sp
-Default:
-\fI\fIpreload\fR\fR\fI = \fR\fI\fR\fI \fR
-.sp
-Example:
-\fI\fIpreload\fR\fR\fI = \fR\fIfred lp colorlp\fR\fI \fR
-.RE
 preserve case (S)
 .\" preserve case
 …
 .sp
 To use the CUPS printing interface set
 printcap name = cups\&. This should be supplemented by an addtional setting
+printcap name = cups\&. This should be supplemented by an additional setting
 \m[blue]\fBprinting = cups\fR\m[]
 in the [global] section\&.
 …
 .RE
-printer admin (S)
-.\" printer admin
-.PP
-.RS 4
-This lists users who can do anything to printers via the remote administration interfaces offered by MS\-RPC (usually using a NT workstation)\&. This parameter can be set per\-share or globally\&. Note: The root user always has admin rights\&. Use caution with use in the global stanza as this can cause side effects\&.
-.sp
-This parameter has been marked deprecated in favor of using the SePrintOperatorPrivilege and individual print security descriptors\&. It will be removed in a future release\&.
-.sp
-Default:
-\fI\fIprinter admin\fR\fR\fI = \fR\fI\fR\fI \fR
-.sp
-Example:
-\fI\fIprinter admin\fR\fR\fI = \fR\fIadmin, @staff\fR\fI \fR
-.RE
 printer
 .\" printer
 …
 .sp
 Default:
 \fI\fIprinter name\fR\fR\fI = \fR\fInone\fR\fI \fR
+\fI\fIprinter name\fR\fR\fI = \fR\fI\fR\fI \fR
 .sp
 Example:
 …
 \fBHPUX\fR,
 \fBQNX\fR,
+\fBSOFTQ\fR, and
+\fBCUPS\fR\&.
+\fBSOFTQ\fR,
+\fBCUPS\fR
+and
+\fBIPRINT\fR\&.
+.sp
+Be aware that CUPS and IPRINT are only available if the CUPS development library was available at the time Samba was compiled or packaged\&.
 .sp
 To see what the defaults are for the other print commands when using the various options use the
 …
 section\&.
 .sp
+Default:
+\fI\fIprinting\fR\fR\fI = \fR\fIDepends on the operating system, see testparm \-v\&.\fR\fI \fR
+See
+testparm \-v\&.
+for the default value on your system
+.sp
+Default:
+\fI\fIprinting\fR\fR\fI = \fR\fI # Depends on the operating system\fR\fI \fR
 .RE
 …
 .PP
 .RS 4
+Windows print clients can update print queue status by expecting the server to open a backchannel SMB connection to them\&. Due to client firewall settings this can cause considerable timeouts and will often fail, as there is no guarantee the client is even running an SMB server\&. By setting this parameter to
+\fBno\fR
+the Samba print server will not try to connect back to clients and treat corresponding requests as if the connection back to the client failed\&. The default setting of
+\fByes\fR
+causes smbd to attempt this connection\&.
+.sp
+Default:
+\fI\fIprint notify backchannel\fR\fR\fI = \fR\fIyes\fR\fI \fR
+Windows print clients can update print queue status by expecting the server to open a backchannel SMB connection to them\&. Due to client firewall settings this can cause considerable timeouts and will often fail, as there is no guarantee the client is even running an SMB server\&. By default, the Samba print server will not try to connect back to clients, and will treat corresponding requests as if the connection back to the client failed\&.
+.sp
+Default:
+\fI\fIprint notify backchannel\fR\fR\fI = \fR\fIno\fR\fI \fR
+.RE
+private directory
+.\" private directory
+.PP
+.RS 4
+This parameter is a synonym for
+private dir\&.
 .RE
 …
 Note that it is good practice to include the absolute path in the command as the PATH may not be available to the server\&.
 .sp
+\fINo default\fR
+Default:
+\fI\fIqueuepause command\fR\fR\fI = \fR\fI # determined by printing parameter\fR\fI \fR
 .sp
 Example:
 …
 .sp
 Default:
 \fI\fIqueueresume command\fR\fR\fI = \fR\fI\fR\fI \fR
+\fI\fIqueueresume command\fR\fR\fI = \fR\fI # determined by printing parameter\fR\fI \fR
 .sp
 Example:
 \fI\fIqueueresume command\fR\fR\fI = \fR\fIenable %p\fR\fI \fR
+.RE
+raw NTLMv2 auth (G)
+.\" raw NTLMv2 auth
+.PP
+.RS 4
+This parameter determines whether or not
+\fBsmbd\fR(8)
+will allow SMB1 clients without extended security (without SPNEGO) to use NTLMv2 authentication\&.
+.sp
+If this option,
+lanman auth
+and
+ntlm auth
+are all disabled, then only clients with SPNEGO support will be permitted\&. That means NTLMv2 is only supported within NTLMSSP\&.
+.sp
+Default:
+\fI\fIraw NTLMv2 auth\fR\fR\fI = \fR\fIno\fR\fI \fR
 .RE
 …
 parameter\&.
 .sp
-This parameter will not work with the
-\m[blue]\fBsecurity = share\fR\m[]
-in Samba 3\&.0\&. This is by design\&.
-.sp
 Default:
 \fI\fIread list\fR\fR\fI = \fR\fI\fR\fI \fR
 …
 .PP
 .RS 4
+This parameter controls whether or not the server will support the raw read SMB requests when transferring data to clients\&.
+.sp
+If enabled, raw reads allow reads of 65535 bytes in one packet\&. This typically provides a major performance benefit\&.
+This is ignored if
+\m[blue]\fBasync smb echo handler\fR\m[]
+is set, because this feature is incompatible with raw read SMB requests
+.sp
+If enabled, raw reads allow reads of 65535 bytes in one packet\&. This typically provides a major performance benefit for some very, very old clients\&.
 .sp
 However, some clients either negotiate the allowable block size incorrectly or are incapable of supporting larger block sizes, and for these clients you may need to disable raw reads\&.
 …
 Example:
 \fI\fIregistry shares\fR\fR\fI = \fR\fIyes\fR\fI \fR
+.RE
+reject md5 clients (G)
+.\" reject md5 clients
+.PP
+.RS 4
+This option controls whether the netlogon server (currently only in \*(Aqactive directory domain controller\*(Aq mode), will reject clients which does not support NETLOGON_NEG_SUPPORTS_AES\&.
+.sp
+You can set this to yes if all domain members support aes\&. This will prevent downgrade attacks\&.
+.sp
+This option takes precedence to the \*(Aqallow nt4 crypto\*(Aq option\&.
+.sp
+Default:
+\fI\fIreject md5 clients\fR\fR\fI = \fR\fIno\fR\fI \fR
+.RE
+reject md5 servers (G)
+.\" reject md5 servers
+.PP
+.RS 4
+This option controls whether winbindd requires support for aes support for the netlogon secure channel\&.
+.sp
+The following flags will be required NETLOGON_NEG_ARCFOUR, NETLOGON_NEG_SUPPORTS_AES, NETLOGON_NEG_PASSWORD_SET2 and NETLOGON_NEG_AUTHENTICATED_RPC\&.
+.sp
+You can set this to yes if all domain controllers support aes\&. This will prevent downgrade attacks\&.
+.sp
+The behavior can be controlled per netbios domain by using \*(Aqreject md5 servers:NETBIOSDOMAIN = yes\*(Aq as option\&.
+.sp
+This option takes precedence to the
+\m[blue]\fBrequire strong key\fR\m[]
+option\&.
+.sp
+Default:
+\fI\fIreject md5 servers\fR\fR\fI = \fR\fIno\fR\fI \fR
 .RE
 …
 .RE
 Default:
+\fI\fIrename user script\fR\fR\fI = \fR\fIno\fR\fI \fR
+\fI\fIrename user script\fR\fR\fI = \fR\fI\fR\fI \fR
+.RE
+require strong key (G)
+.\" require strong key
+.PP
+.RS 4
+This option controls whether winbindd requires support for md5 strong key support for the netlogon secure channel\&.
+.sp
+The following flags will be required NETLOGON_NEG_STRONG_KEYS, NETLOGON_NEG_ARCFOUR and NETLOGON_NEG_AUTHENTICATED_RPC\&.
+.sp
+You can set this to no if some domain controllers only support des\&. This might allows weak crypto to be negotiated, may via downgrade attacks\&.
+.sp
+The behavior can be controlled per netbios domain by using \*(Aqrequire strong key:NETBIOSDOMAIN = no\*(Aq as option\&.
+.sp
+Note for active directory domain this option is hardcoded to \*(Aqyes\*(Aq
+.sp
+This option yields precedence to the
+\m[blue]\fBreject md5 servers\fR\m[]
+option\&.
+.sp
+This option takes precedence to the
+\m[blue]\fBclient schannel\fR\m[]
+option\&.
+.sp
+Default:
+\fI\fIrequire strong key\fR\fR\fI = \fR\fIyes\fR\fI \fR
 .RE
 …
 .\}
 .sp
 registry key in Windows 2000 and Windows NT\&. When set to 0, user and group list information is returned to anyone who asks\&. When set to 1, only an authenticated user can retrive user and group list information\&. For the value 2, supported by Windows 2000/XP and Samba, no anonymous connections are allowed at all\&. This can break third party and Microsoft applications which expect to be allowed to perform operations anonymously\&.
+registry key in Windows 2000 and Windows NT\&. When set to 0, user and group list information is returned to anyone who asks\&. When set to 1, only an authenticated user can retrieve user and group list information\&. For the value 2, supported by Windows 2000/XP and Samba, no anonymous connections are allowed at all\&. This can break third party and Microsoft applications which expect to be allowed to perform operations anonymously\&.
 .sp
 The security advantage of using restrict anonymous = 1 is dubious, as user and group list information can be obtained using other means\&.
 …
 .RE
+rndc command (G)
+.\" rndc command
+.PP
+.RS 4
+This option specifies the path to the name server control utility\&.
+.sp
+The
+rndc
+utility should be a part of the bind installation\&.
+.sp
+Default:
+\fI\fIrndc command\fR\fR\fI = \fR\fI/usr/sbin/rndc\fR\fI \fR
+.sp
+Example:
+\fI\fIrndc command\fR\fR\fI = \fR\fI/usr/local/bind9/sbin/rndc\fR\fI \fR
+.RE
 root
 .\" root
 …
 .sp
 Default:
 \fI\fIroot directory\fR\fR\fI = \fR\fI/\fR\fI \fR
+\fI\fIroot directory\fR\fR\fI = \fR\fI\fR\fI \fR
 .sp
 Example:
 …
 .RE
+root preexec (S)
+.\" root preexec
+.PP
+.RS 4
+This is the same as the
+\fIpreexec\fR
+parameter except that the command is run as root\&. This is useful for mounting filesystems (such as CDROMs) when a connection is opened\&.
+.sp
+Default:
+\fI\fIroot preexec\fR\fR\fI = \fR\fI\fR\fI \fR
+.RE
 root preexec close (S)
 .\" root preexec close
 …
 .RE
+root preexec (S)
+.\" root preexec
+.PP
+.RS 4
+This is the same as the
+\fIpreexec\fR
+parameter except that the command is run as root\&. This is useful for mounting filesystems (such as CDROMs) when a connection is opened\&.
+.sp
+Default:
+\fI\fIroot preexec\fR\fR\fI = \fR\fI\fR\fI \fR
+.RE
+rpc_server (G)
+.\" rpc_server
+.PP
+.RS 4
+Defines what kind of rpc server to use for a named pipe\&. The rpc_server prefix must be followed by the pipe name, and a value\&.
+.sp
+Three possible values are currently supported:
+embedded
+daemon
+external
+.sp
+The classic method is to run every pipe as an internal function
+\fIembedded\fR
+in smbd\&.
+.sp
+An alternative method is to fork a
+\fIdaemon\fR
+early on at smbd startup time\&. This is supported only for selected pipes\&.
+.sp
+Choosing the
+\fIexternal\fR
+option allows to run a completely independent (3rd party) server capable of interfacing with samba via the MS\-RPC interface over named pipes\&.
+.sp
+Currently only the spoolss pipe can be configured in
+\fIdaemon\fR
+mode like this:
+rpc big endian (G)
+.\" rpc big endian
+.PP
+.RS 4
+Setting this option will force the RPC client and server to transfer data in big endian\&.
+.sp
+If it is disabled, data will be transferred in little endian\&.
+.sp
+The behaviour is independent of the endianness of the host machine\&.
+.sp
+Default:
+\fI\fIrpc big endian\fR\fR\fI = \fR\fIno\fR\fI \fR
+.RE
+rpc_daemon:DAEMON (G)
+.\" rpc_daemon:DAEMON
+.PP
+.RS 4
+Defines whether to use the embedded code or start a separate daemon for the defined rpc services\&. The rpc_daemon prefix must be followed by the server name, and a value\&.
+.sp
+Two possible values are currently supported:
 .sp
 .if n \{\
 …
 .\}
 .nf
+        rpc_server:spoolss = daemon
+                disabled
+                fork
 .fi
 …
 .\}
 .sp
+Default:
+\fI\fIrpc_server\fR\fR\fI = \fR\fInone\fR\fI \fR
+.RE
+security mask (S)
+.\" security mask
+.PP
+.RS 4
+This parameter controls what UNIX permission bits will be set when a Windows NT client is manipulating the UNIX permission on a file using the native NT security dialog box\&.
+.sp
+This parameter is applied as a mask (AND\*(Aqed with) to the incoming permission bits, thus resetting any bits not in this mask\&. Make sure not to mix up this parameter with
+\m[blue]\fBforce security mode\fR\m[], which works in a manner similar to this one but uses a logical OR instead of an AND\&.
+.sp
+Essentially, all bits set to zero in this mask will result in setting to zero the corresponding bits on the file permissions regardless of the previous status of this bits on the file\&.
+.sp
+If not set explicitly this parameter is 0777, allowing a user to set all the user/group/world permissions on a file\&.
+.sp
+\fI Note\fR
+that users who can access the Samba server through other means can easily bypass this restriction, so it is primarily useful for standalone "appliance" systems\&. Administrators of most normal systems will probably want to leave it set to
+\fB0777\fR\&.
+.sp
+Default:
+\fI\fIsecurity mask\fR\fR\fI = \fR\fI0777\fR\fI \fR
+.sp
+Example:
+\fI\fIsecurity mask\fR\fR\fI = \fR\fI0770\fR\fI \fR
+The classic method is to run rpc services as internal daemons embedded in smbd, therefore the external daemons are
+\fIdisabled\fR
+by default\&.
+.sp
+Choosing the
+\fIfork\fR
+option will cause samba to fork a separate process for each daemon configured this way\&. Each daemon may in turn fork a number of children used to handle requests from multiple smbds and direct tcp/ip connections (if the Endpoint Mapper is enabled)\&. Communication with smbd happens over named pipes and require that said pipes are forward to the external daemon (see
+\m[blue]\fBrpc_server\fR\m[])\&.
+.sp
+Forked RPC Daemons support dynamically forking children to handle connections\&. The heuristics about how many children to keep around and how fast to allow them to fork and also how many clients each child is allowed to handle concurrently is defined by parametrical options named after the daemon\&. Five options are currently supported:
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+                prefork_min_children
+                prefork_max_children
+                prefork_spawn_rate
+                prefork_max_allowed_clients
+                prefork_child_min_life
+.fi
+.if n \{\
+.RE
+.\}
+.sp
+To set one of these options use the follwing syntax:
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+        damonname:prefork_min_children = 5
+.fi
+.if n \{\
+.RE
+.\}
+.sp
+Samba includes separate daemons for spoolss, lsarpc/lsass, netlogon, samr, FSRVP and mdssvc(Spotlight)\&. Currently five daemons are available and they are called:
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+                epmd
+                lsasd
+                spoolssd
+                fssd
+                mdssd
+.fi
+.if n \{\
+.RE
+.\}
+.sp
+Example:
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+        rpc_daemon:spoolssd = fork
+.fi
+.if n \{\
+.RE
+.\}
+.sp
+Default:
+\fI\fIrpc_daemon:DAEMON\fR\fR\fI = \fR\fIdisabled\fR\fI \fR
+.RE
+rpc_server:SERVER (G)
+.\" rpc_server:SERVER
+.PP
+.RS 4
+With this option you can define if a rpc service should be running internal/embedded in smbd or should be redirected to an external daemon like Samba4, the endpoint mapper daemon, the spoolss daemon or the new LSA service daemon\&. The rpc_server prefix must be followed by the pipe name, and a value\&.
+.sp
+This option can be set for each available rpc service in Samba\&. The following list shows all available pipe names services you can modify with this option\&.
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+epmapper \- Endpoint Mapper
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+winreg \- Remote Registry Service
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+srvsvc \- Remote Server Services
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+lsarpc \- Local Security Authority
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+samr \- Security Account Management
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+netlogon \- Netlogon Remote Protocol
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+netdfs \- Settings for Distributed File System
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+dssetup \- Active Directory Setup
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+wkssvc \- Workstation Services
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+spoolss \- Network Printing Spooler
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+svcctl \- Service Control
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+ntsvcs \- Plug and Play Services
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+eventlog \- Event Logger
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+initshutdown \- Init Shutdown Service
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+mdssvc \- Spotlight
+.RE
+.sp
+.RE
+Three possible values currently supported are:
+embeddedexternaldisabled
+.sp
+The classic method is to run every pipe as an internal function
+\fIembedded\fR
+in smbd\&. The defaults may vary depending on the service\&.
+.sp
+Choosing the
+\fIexternal\fR
+option allows one to run a separate daemon or even a completely independent (3rd party) server capable of interfacing with samba via the MS\-RPC interface over named pipes\&.
+.sp
+Currently in Samba3 we support four daemons, spoolssd, epmd, lsasd and mdssd\&. These daemons can be enabled using the
+\fIrpc_daemon\fR
+option\&. For spoolssd you have to enable the daemon and proxy the named pipe with:
+.sp
+Examples:
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+                        rpc_daemon:lsasd = fork
+                        rpc_server:lsarpc = external
+                        rpc_server:samr = external
+                        rpc_server:netlogon = external
+                        rpc_server:spoolss = external
+                        rpc_server:epmapper = disabled
+                        rpc_daemon:mdssd = fork
+                        rpc_server:mdssvc = external
+.fi
+.if n \{\
+.RE
+.\}
+.sp
+There is one special option which allows you to enable rpc services to listen for ncacn_ip_tcp connections too\&. Currently this is only used for testing and doesn\*(Aqt scale!
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+                        rpc_server:tcpip = yes
+.fi
+.if n \{\
+.RE
+.\}
+.sp
+Default:
+\fI\fIrpc_server:SERVER\fR\fR\fI = \fR\fIembedded\fR\fI \fR
+.RE
+samba kcc command (G)
+.\" samba kcc command
+.PP
+.RS 4
+This option specifies the path to the Samba KCC command\&. This script is used for replication topology replication\&.
+.sp
+It should not be necessary to modify this option except for testing purposes or if the
+samba_kcc
+was installed in a non\-default location\&.
+.sp
+Default:
+\fI\fIsamba kcc command\fR\fR\fI = \fR\fI${prefix}/sbin/samba_kcc\fR\fI \fR
+.sp
+Example:
+\fI\fIsamba kcc command\fR\fR\fI = \fR\fI/usr/local/bin/kcc\fR\fI \fR
 .RE
 …
 file\&.
 .sp
-The option sets the "security mode bit" in replies to protocol negotiations with
-\fBsmbd\fR(8)
-to turn share level security on or off\&. Clients decide based on this bit whether (and how) to transfer user and password information to the server\&.
-.sp
 The default is
 security = user, as this is the most common setting needed when talking to Windows 98 and Windows NT\&.
+security = user, as this is the most common setting, used for a standalone file server or a DC\&.
 .sp
 The alternatives are
 security = ads
 or
+security = domain, which support joining Samba to a Windows domain, along with
+security = share
+and
+security = server, both of which are deprecated\&.
+.sp
+In versions of Samba prior to 2\&.0\&.0, the default was
+security = share
+mainly because that was the only option at one stage\&.
+security = domain, which support joining Samba to a Windows domain
 .sp
 You should use
 …
 if you want to mainly setup shares without a password (guest shares)\&. This is commonly used for a shared printer server\&.
 .sp
-It is possible to use
-smbd
-in a
-\fI hybrid mode\fR
-where it is offers both user and share level security under different
-\m[blue]\fBNetBIOS aliases\fR\m[]\&.
-.sp
 The different settings will now be explained\&.
 .sp
+\fISECURITY = AUTO\fR
+.sp
+This is the default security setting in Samba, and causes Samba to consult the
+\m[blue]\fBserver role\fR\m[]
+parameter (if set) to determine the security mode\&.
+.sp
 \fISECURITY = USER\fR
 .sp
+This is the default security setting in Samba\&. With user\-level security a client must first "log\-on" with a valid username and password (which can be mapped using the
+If
+\m[blue]\fBserver role\fR\m[]
+is not specified, this is the default security setting in Samba\&. With user\-level security a client must first "log\-on" with a valid username and password (which can be mapped using the
 \m[blue]\fBusername map\fR\m[]
 parameter)\&. Encrypted passwords (see the
 …
 parameter for details on doing this\&.
 .sp
-See also the section
-NOTE ABOUT USERNAME/PASSWORD VALIDATION\&.
-.sp
 \fISECURITY = DOMAIN\fR
 .sp
 …
 parameter for details on doing this\&.
 .sp
-See also the section
-NOTE ABOUT USERNAME/PASSWORD VALIDATION\&.
-.sp
 See also the
 \m[blue]\fBpassword server\fR\m[]
 …
 parameter\&.
 .sp
-\fISECURITY = SHARE\fR
-.if n \{\
-.sp
-.\}
-.RS 4
-.it 1 an-trap
-.nr an-no-space-flag 1
-.nr an-break-flag 1
-.br
-.ps +1
-\fBNote\fR
-.ps -1
-.br
-This option is deprecated as it is incompatible with SMB2
-.sp .5v
-.RE
-When clients connect to a share level security server, they need not log onto the server with a valid username and password before attempting to connect to a shared resource (although modern clients such as Windows 95/98 and Windows NT will send a logon request with a username but no password when talking to a
-security = share
-server)\&. Instead, the clients send authentication information (passwords) on a per\-share basis, at the time they attempt to connect to that share\&.
-.sp
-Note that
-smbd
-\fIALWAYS\fR
-uses a valid UNIX user to act on behalf of the client, even in
-security = share
-level security\&.
-.sp
-As clients are not required to send a username to the server in share level security,
-smbd
-uses several techniques to determine the correct UNIX user to use on behalf of the client\&.
-.sp
-A list of possible UNIX usernames to match with the given client password is constructed using the following methods :
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-If the
-\m[blue]\fBguest only\fR\m[]
-parameter is set, then all the other stages are missed and only the
-\m[blue]\fBguest account\fR\m[]
-username is checked\&.
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-Is a username is sent with the share connection request, then this username (after mapping \- see
-\m[blue]\fBusername map\fR\m[]), is added as a potential username\&.
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-If the client did a previous
-\fIlogon \fR
-request (the SessionSetup SMB call) then the username sent in this SMB will be added as a potential username\&.
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-The name of the service the client requested is added as a potential username\&.
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-The NetBIOS name of the client is added to the list as a potential username\&.
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-Any users on the
-\m[blue]\fBuser\fR\m[]
-list are added as potential usernames\&.
-.RE
-.sp
-.RE
-If the
-\fIguest only\fR
-parameter is not set, then this list is then tried with the supplied password\&. The first user for whom the password matches will be used as the UNIX user\&.
-.sp
-If the
-\fIguest only\fR
-parameter is set, or no username can be determined then if the share is marked as available to the
-\fIguest account\fR, then this guest user will be used, otherwise access is denied\&.
-.sp
-Note that it can be
-\fIvery\fR
-confusing in share\-level security as to which UNIX username will eventually be used in granting access\&.
-.sp
-See also the section
-NOTE ABOUT USERNAME/PASSWORD VALIDATION\&.
-.sp
-\fISECURITY = SERVER\fR
-.sp
-In this depicted mode Samba will try to validate the username/password by passing it to another SMB server, such as an NT box\&. If this fails it will revert to
-security = user\&. It expects the
-\m[blue]\fBencrypted passwords\fR\m[]
-parameter to be set to
-\fByes\fR, unless the remote server does not support them\&. However note that if encrypted passwords have been negotiated then Samba cannot revert back to checking the UNIX password file, it must have a valid
-smbpasswd
-file to check users against\&. See the chapter about the User Database in the Samba HOWTO Collection for details on how to set this up\&.
-.if n \{\
-.sp
-.\}
-.RS 4
-.it 1 an-trap
-.nr an-no-space-flag 1
-.nr an-break-flag 1
-.br
-.ps +1
-\fBNote\fR
-.ps -1
-.br
-This mode of operation has significant pitfalls since it is more vulnerable to man\-in\-the\-middle attacks and server impersonation\&. In particular, this mode of operation can cause significant resource consumption on the PDC, as it must maintain an active connection for the duration of the user\*(Aqs session\&. Furthermore, if this connection is lost, there is no way to reestablish it, and further authentications to the Samba server may fail (from a single client, till it disconnects)\&.
-.sp .5v
-.RE
-.if n \{\
-.sp
-.\}
-.RS 4
-.it 1 an-trap
-.nr an-no-space-flag 1
-.nr an-break-flag 1
-.br
-.ps +1
-\fBNote\fR
-.ps -1
-.br
-If the client selects NTLMv2 authentication, then this mode of operation
-\fIwill fail\fR
-.sp .5v
-.RE
-.if n \{\
-.sp
-.\}
-.RS 4
-.it 1 an-trap
-.nr an-no-space-flag 1
-.nr an-break-flag 1
-.br
-.ps +1
-\fBNote\fR
-.ps -1
-.br
-From the client\*(Aqs point of view,
-security = server
-is the same as
-security = user\&. It only affects how the server deals with the authentication, it does not in any way affect what the client sees\&.
-.sp .5v
-.RE
-.if n \{\
-.sp
-.\}
-.RS 4
-.it 1 an-trap
-.nr an-no-space-flag 1
-.nr an-break-flag 1
-.br
-.ps +1
-\fBNote\fR
-.ps -1
-.br
-This option is deprecated, and may be removed in future
-.sp .5v
-.RE
 \fINote\fR
 that the name of the resource being requested is
 …
 parameter for details on doing this\&.
 .sp
-See also the section
-NOTE ABOUT USERNAME/PASSWORD VALIDATION\&.
-.sp
 See also the
 \m[blue]\fBpassword server\fR\m[]
 …
 Note that this mode does NOT make Samba operate as a Active Directory Domain Controller\&.
 .sp
+Note that this forces
+\m[blue]\fBrequire strong key = yes\fR\m[]
+and
+\m[blue]\fBclient schannel = yes\fR\m[]
+for the primary domain\&.
+.sp
 Read the chapter about Domain Membership in the HOWTO for details\&.
 .sp
 Default:
 \fI\fIsecurity\fR\fR\fI = \fR\fIUSER\fR\fI \fR
+\fI\fIsecurity\fR\fR\fI = \fR\fIAUTO\fR\fI \fR
 .sp
 Example:
 …
 .RE
+send spnego principal (G)
+.\" send spnego principal
+.PP
+.RS 4
+This parameter determines whether or not
+security mask (S)
+.\" security mask
+.PP
+.RS 4
+This parameter has been removed for Samba 4\&.0\&.0\&.
+.sp
+\fINo default\fR
+.RE
+max protocol
+.\" max protocol
+.PP
+.RS 4
+This parameter is a synonym for
+server max protocol\&.
+.RE
+protocol
+.\" protocol
+.PP
+.RS 4
+This parameter is a synonym for
+server max protocol\&.
+.RE
+server max protocol (G)
+.\" server max protocol
+.PP
+.RS 4
+The value of the parameter (a string) is the highest protocol level that will be supported by the server\&.
+.sp
+Possible values are :
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fBLANMAN1\fR: First
+\fImodern\fR
+version of the protocol\&. Long filename support\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fBLANMAN2\fR: Updates to Lanman1 protocol\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fBNT1\fR: Current up to date version of the protocol\&. Used by Windows NT\&. Known as CIFS\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fBSMB2\fR: Re\-implementation of the SMB protocol\&. Used by Windows Vista and later versions of Windows\&. SMB2 has sub protocols available\&.
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fBSMB2_02\fR: The earliest SMB2 version\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fBSMB2_10\fR: Windows 7 SMB2 version\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fBSMB2_22\fR: Early Windows 8 SMB2 version\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fBSMB2_24\fR: Windows 8 beta SMB2 version\&.
+.RE
+.sp
+.RE
+By default SMB2 selects the SMB2_10 variant\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fBSMB3\fR: The same as SMB2\&. Used by Windows 8\&. SMB3 has sub protocols available\&.
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fBSMB3_00\fR: Windows 8 SMB3 version\&. (mostly the same as SMB2_24)
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fBSMB3_02\fR: Windows 8\&.1 SMB3 version\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fBSMB3_10\fR: early Windows 10 technical preview SMB3 version\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fBSMB3_11\fR: Windows 10 technical preview SMB3 version (maybe final)\&.
+.RE
+.sp
+.RE
+By default SMB3 selects the SMB3_11 variant\&.
+.RE
+.sp
+.RE
+Normally this option should not be set as the automatic negotiation phase in the SMB protocol takes care of choosing the appropriate protocol\&.
+.sp
+Default:
+\fI\fIserver max protocol\fR\fR\fI = \fR\fISMB3\fR\fI \fR
+.sp
+Example:
+\fI\fIserver max protocol\fR\fR\fI = \fR\fILANMAN1\fR\fI \fR
+.RE
+min protocol
+.\" min protocol
+.PP
+.RS 4
+This parameter is a synonym for
+server min protocol\&.
+.RE
+server min protocol (G)
+.\" server min protocol
+.PP
+.RS 4
+This setting controls the minimum protocol version that the server will allow the client to use\&.
+.sp
+Normally this option should not be set as the automatic negotiation phase in the SMB protocol takes care of choosing the appropriate protocol\&.
+.sp
+See
+Related command: \m[blue]\fBserver max protocol\fR\m[]
+for a full list of available protocols\&.
+.sp
+Default:
+\fI\fIserver min protocol\fR\fR\fI = \fR\fILANMAN1\fR\fI \fR
+.sp
+Example:
+\fI\fIserver min protocol\fR\fR\fI = \fR\fINT1\fR\fI \fR
+.RE
+server multi channel support (G)
+.\" server multi channel support
+.PP
+.RS 4
+This boolean parameter controls whether
 \fBsmbd\fR(8)
+will send the server\-supplied principal sometimes given in the SPNEGO exchange\&.
+.sp
+If enabled, Samba can attempt to help clients to use Kerberos to contact it, even when known only by IP address or a name not registered with our KDC as a service principal name\&. Kerberos relies on names, so ordinarily cannot function in this situation\&.
+.sp
+If disabled, Samba will send the string not_defined_in_RFC4178@please_ignore as the \*(Aqrfc4178 hint\*(Aq, following the updated RFC and Windows 2008 behaviour in this area\&.
+.sp
+Note that Windows XP SP2 and later versions already ignored this value in all circumstances\&.
+.sp
+Default:
+\fI\fIsend spnego principal\fR\fR\fI = \fR\fIno\fR\fI \fR
+will support SMB3 multi\-channel\&.
+.sp
+This parameter has been added with version 4\&.4\&.
+.sp
+Warning: Note that this feature is considered experimental in Samba 4\&.4\&. Use it at your own risk: Even though it may seem to work well in testing, it may result in data corruption under some race conditions\&. Future 4\&.4\&.x release may improve this situation\&.
+.sp
+Default:
+\fI\fIserver multi channel support\fR\fR\fI = \fR\fIno\fR\fI \fR
+.RE
+server role (G)
+.\" server role
+.PP
+.RS 4
+This option determines the basic operating mode of a Samba server and is one of the most important settings in the
+smb\&.conf
+file\&.
+.sp
+The default is
+server role = auto, as causes Samba to operate according to the
+\m[blue]\fBsecurity\fR\m[]
+setting, or if not specified as a simple file server that is not connected to any domain\&.
+.sp
+The alternatives are
+server role = standalone
+or
+server role = member server, which support joining Samba to a Windows domain, along with
+server role = domain controller, which run Samba as a Windows domain controller\&.
+.sp
+You should use
+server role = standalone
+and
+\m[blue]\fBmap to guest\fR\m[]
+if you want to mainly setup shares without a password (guest shares)\&. This is commonly used for a shared printer server\&.
+.sp
+\fISERVER ROLE = AUTO\fR
+.sp
+This is the default server role in Samba, and causes Samba to consult the
+\m[blue]\fBsecurity\fR\m[]
+parameter (if set) to determine the server role, giving compatible behaviours to previous Samba versions\&.
+.sp
+\fISERVER ROLE = STANDALONE\fR
+.sp
+If
+\m[blue]\fBsecurity\fR\m[]
+is also not specified, this is the default security setting in Samba\&. In standalone operation, a client must first "log\-on" with a valid username and password (which can be mapped using the
+\m[blue]\fBusername map\fR\m[]
+parameter) stored on this machine\&. Encrypted passwords (see the
+\m[blue]\fBencrypted passwords\fR\m[]
+parameter) are by default used in this security mode\&. Parameters such as
+\m[blue]\fBuser\fR\m[]
+and
+\m[blue]\fBguest only\fR\m[]
+if set are then applied and may change the UNIX user to use on this connection, but only after the user has been successfully authenticated\&.
+.sp
+\fISERVER ROLE = MEMBER SERVER\fR
+.sp
+This mode will only work correctly if
+\fBnet\fR(8)
+has been used to add this machine into a Windows Domain\&. It expects the
+\m[blue]\fBencrypted passwords\fR\m[]
+parameter to be set to
+\fByes\fR\&. In this mode Samba will try to validate the username/password by passing it to a Windows or Samba Domain Controller, in exactly the same way that a Windows Server would do\&.
+.sp
+\fINote\fR
+that a valid UNIX user must still exist as well as the account on the Domain Controller to allow Samba to have a valid UNIX account to map file access to\&. Winbind can provide this\&.
+.sp
+\fISERVER ROLE = CLASSIC PRIMARY DOMAIN CONTROLLER\fR
+.sp
+This mode of operation runs a classic Samba primary domain controller, providing domain logon services to Windows and Samba clients of an NT4\-like domain\&. Clients must be joined to the domain to create a secure, trusted path across the network\&. There must be only one PDC per NetBIOS scope (typcially a broadcast network or clients served by a single WINS server)\&.
+.sp
+\fISERVER ROLE = CLASSIC BACKUP DOMAIN CONTROLLER\fR
+.sp
+This mode of operation runs a classic Samba backup domain controller, providing domain logon services to Windows and Samba clients of an NT4\-like domain\&. As a BDC, this allows multiple Samba servers to provide redundant logon services to a single NetBIOS scope\&.
+.sp
+\fISERVER ROLE = ACTIVE DIRECTORY DOMAIN CONTROLLER\fR
+.sp
+This mode of operation runs Samba as an active directory domain controller, providing domain logon services to Windows and Samba clients of the domain\&. This role requires special configuration, see the
+Samba4 HOWTO
+.sp
+Default:
+\fI\fIserver role\fR\fR\fI = \fR\fIAUTO\fR\fI \fR
+.sp
+Example:
+\fI\fIserver role\fR\fR\fI = \fR\fIACTIVE DIRECTORY DOMAIN CONTROLLER\fR\fI \fR
 .RE
 …
 .RE
+server services (G)
+.\" server services
+.PP
+.RS 4
+This option contains the services that the Samba daemon will run\&.
+.sp
+An entry in the
+smb\&.conf
+file can either override the previous value completely or entries can be removed from or added to it by prefixing them with
+\fB+\fR
+or
+\fB\-\fR\&.
+.sp
+Default:
+\fI\fIserver services\fR\fR\fI = \fR\fIs3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate, dns\fR\fI \fR
+.sp
+Example:
+\fI\fIserver services\fR\fR\fI = \fR\fI\-s3fs, +smb\fR\fI \fR
+.RE
 server signing (G)
 .\" server signing
 …
 .RS 4
 This controls whether the client is allowed or required to use SMB1 and SMB2 signing\&. Possible values are
+\fIdefault\fR,
 \fIauto\fR,
 \fImandatory\fR
 and
 \fIdisabled\fR\&.
+.sp
+By default, and when smb signing is set to
+\fIdefault\fR, smb signing is required when
+\m[blue]\fBserver role\fR\m[]
+is
+\fIactive directory domain controller\fR
+and disabled otherwise\&.
 .sp
 When set to auto, SMB1 signing is offered, but not enforced\&. When set to mandatory, SMB1 signing is required and if set to disabled, SMB signing is not offered either\&.
 …
 .sp
 Default:
 \fI\fIserver signing\fR\fR\fI = \fR\fIDisabled\fR\fI \fR
+\fI\fIserver signing\fR\fR\fI = \fR\fIdefault\fR\fI \fR
 .RE
 …
 .RE
-set directory (S)
-.\" set directory
-.PP
-.RS 4
-If
-set directory = no, then users of the service may not use the setdir command to change directory\&.
-.sp
-The
-setdir
-command is only implemented in the Digital Pathworks client\&. See the Pathworks documentation for details\&.
-.sp
-Default:
-\fI\fIset directory\fR\fR\fI = \fR\fIno\fR\fI \fR
-.RE
 set primary group script (G)
 .\" set primary group script
 .PP
 .RS 4
 Thanks to the Posix subsystem in NT a Windows User has a primary group in addition to the auxiliary groups\&. This script sets the primary group in the unix userdatase when an administrator sets the primary group from the windows user manager or when fetching a SAM with
+Thanks to the Posix subsystem in NT a Windows User has a primary group in addition to the auxiliary groups\&. This script sets the primary group in the unix user database when an administrator sets the primary group from the windows user manager or when fetching a SAM with
 net rpc vampire\&.
 \fI%u\fR
 …
 should only be used whenever there is no operating system API available from the OS that samba can use\&.
 .sp
+This option is only available if Samba was configured with the argument
+\-\-with\-sys\-quotas
+or on linux when
+\&./configure \-\-with\-quotas
+was used and a working quota api was found in the system\&. Most packages are configured with these options already\&.
+This option is only available if Samba was compiled with quota support\&.
 .sp
 This parameter should specify the path to a script that can set quota for the specified arguments\&.
 …
 .IP \(bu 2.3
 .\}
+\- quota type
+\- path to where the quota needs to be set\&. This needs to be interpreted relative to the current working directory that the script may also check for\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\- quota type
 .sp
 .RS 4
 …
 .IP \(bu 2.3
 .\}
 \- id (uid for user, gid for group, \-1 if N/A)
 .RE
 .sp
 .RS 4
 .ie n \{\
 \h'-04'\(bu\h'+03'\c
 .\}
 .el \{\
 .sp -1
 .IP \(bu 2.3
 .\}
 \- quota state (0 = disable, 1 = enable, 2 = enable and enforce)
 .RE
 .sp
 .RS 4
 .ie n \{\
 \h'-04'\(bu\h'+03'\c
 .\}
 .el \{\
 .sp -1
 .IP \(bu 2.3
 .\}
 \- block softlimit
 .RE
 .sp
 .RS 4
 .ie n \{\
 \h'-04'\(bu\h'+03'\c
 .\}
 .el \{\
 .sp -1
 .IP \(bu 2.3
 .\}
 \- block hardlimit
 .RE
 .sp
 .RS 4
 .ie n \{\
 \h'-04'\(bu\h'+03'\c
 .\}
 .el \{\
 .sp -1
 .IP \(bu 2.3
 .\}
 \- inode softlimit
 .RE
 .sp
 .RS 4
 .ie n \{\
 \h'-04'\(bu\h'+03'\c
 .\}
 .el \{\
 .sp -1
 .IP \(bu 2.3
 .\}
 \- inode hardlimit
 .RE
 .sp
 .RS 4
 .ie n \{\
 \h'-04'\(bu\h'+03'\c
 .\}
 .el \{\
 .sp -1
 .IP \(bu 2.3
 .\}
 (optional) \- block size, defaults to 1024
+\- id (uid for user, gid for group, \-1 if N/A)
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\- quota state (0 = disable, 1 = enable, 2 = enable and enforce)
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\- block softlimit
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\- block hardlimit
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\- inode softlimit
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\- inode hardlimit
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+(optional) \- block size, defaults to 1024
 .RE
 .sp
 …
 Example:
 \fI\fIset quota command\fR\fR\fI = \fR\fI/usr/local/sbin/set_quota\fR\fI \fR
+.RE
+share backend (G)
+.\" share backend
+.PP
+.RS 4
+This option specifies the backend that will be used to access the configuration of file shares\&.
+.sp
+Traditionally, Samba file shares have been configured in the
+\fBsmb\&.conf\fR
+file and this is still the default\&.
+.sp
+At the moment there are no other supported backends\&.
+.sp
+Default:
+\fI\fIshare backend\fR\fR\fI = \fR\fIclassic\fR\fI \fR
 .RE
 …
 Default:
 \fI\fIshare:fake_fscaps\fR\fR\fI = \fR\fI0\fR\fI \fR
-.RE
-share modes (S)
-.\" share modes
-.PP
-.RS 4
-This enables or disables the honoring of the
-\fIshare modes\fR
-during a file open\&. These modes are used by clients to gain exclusive read or write access to a file\&.
-.sp
-This is a deprecated option from old versions of Samba, and will be removed in the next major release\&.
-.sp
-These open modes are not directly supported by UNIX, so they are simulated using shared memory\&.
-.sp
-The share modes that are enabled by this option are the standard Windows share modes\&.
-.sp
-This option gives full share compatibility and is enabled by default\&.
-.sp
-You should
-\fINEVER\fR
-turn this parameter off as many Windows applications will break if you do so\&.
-.sp
-Default:
-\fI\fIshare modes\fR\fR\fI = \fR\fIyes\fR\fI \fR
 .RE
 …
 With the introduction of MS\-RPC based printing support for Windows NT/2000 client in Samba 2\&.2, a "Printers\&.\&.\&." folder will appear on Samba hosts in the share listing\&. Normally this folder will contain an icon for the MS Add Printer Wizard (APW)\&. However, it is possible to disable this feature regardless of the level of privilege of the connected user\&.
 .sp
+Under normal circumstances, the Windows NT/2000 client will open a handle on the printer server with OpenPrinterEx() asking for Administrator privileges\&. If the user does not have administrative access on the print server (i\&.e is not root or a member of the
+\fIprinter admin\fR
+group), the OpenPrinterEx() call fails and the client makes another open call with a request for a lower privilege level\&. This should succeed, however the APW icon will not be displayed\&.
+Under normal circumstances, the Windows NT/2000 client will open a handle on the printer server with OpenPrinterEx() asking for Administrator privileges\&. If the user does not have administrative access on the print server (i\&.e is not root or has granted the SePrintOperatorPrivilege), the OpenPrinterEx() call fails and the client makes another open call with a request for a lower privilege level\&. This should succeed, however the APW icon will not be displayed\&.
 .sp
 Disabling the
 …
 that should start a shutdown procedure\&.
 .sp
 If the connected user posseses the
+If the connected user possesses the
 \fBSeRemoteShutdownPrivilege\fR, right, this command will be run as root\&.
 .sp
 …
 .RE
+smb2 leases (G)
+.\" smb2 leases
+.PP
+.RS 4
+This boolean option tells
+smbd
+whether to globally negotiate SMB2 leases on file open requests\&. Leasing is an SMB2\-only feature which allows clients to aggressively cache files locally above and beyond the caching allowed by SMB1 oplocks\&. This (experimental) parameter is set to off by default until the SMB2 leasing code is declared fully stable\&.
+.sp
+This is only available with
+\m[blue]\fBoplocks = yes\fR\m[]
+and
+\m[blue]\fBkernel oplocks = no\fR\m[]\&.
+.sp
+Note that the write cache won\*(Aqt be used for file handles with a smb2 write lease\&.
+.sp
+The Samba implementation of leases is currently marked as experimental!
+.sp
+Default:
+\fI\fIsmb2 leases\fR\fR\fI = \fR\fIno\fR\fI \fR
+.RE
 smb2 max credits (G)
 .\" smb2 max credits
 …
 will return to a client, informing the client of the largest size that may be returned by a single SMB2 read call\&.
 .sp
+The maximum is 65536 bytes (64KB), which is the same as a Windows Vista SMB2 server\&.
+.sp
+Default:
+\fI\fIsmb2 max read\fR\fR\fI = \fR\fI65536\fR\fI \fR
+The maximum is 8388608 bytes (8MiB), which is the same as a Windows Server 2012 r2\&.
+.sp
+Please note that the default is 8MiB, but it\*(Aqs limit is based on the smb2 dialect (64KiB for SMB == 2\&.0, 8MiB for SMB >= 2\&.1 with LargeMTU)\&. Large MTU is not supported over NBT (tcp port 139)\&.
+.sp
+Default:
+\fI\fIsmb2 max read\fR\fR\fI = \fR\fI8388608\fR\fI \fR
 .RE
 …
 will return to a client, informing the client of the largest size of buffer that may be used in querying file meta\-data via QUERY_INFO and related SMB2 calls\&.
 .sp
+The maximum is 65536 bytes (64KB), which is the same as a Windows Vista SMB2 server\&.
+.sp
+Default:
+\fI\fIsmb2 max trans\fR\fR\fI = \fR\fI65536\fR\fI \fR
+The maximum is 8388608 bytes (8MiB), which is the same as a Windows Server 2012 r2\&.
+.sp
+Please note that the default is 8MiB, but it\*(Aqs limit is based on the smb2 dialect (64KiB for SMB == 2\&.0, 1MiB for SMB >= 2\&.1 with LargeMTU)\&. Large MTU is not supported over NBT (tcp port 139)\&.
+.sp
+Default:
+\fI\fIsmb2 max trans\fR\fR\fI = \fR\fI8388608\fR\fI \fR
 .RE
 …
 will return to a client, informing the client of the largest size that may be sent to the server by a single SMB2 write call\&.
 .sp
+The maximum is 65536 bytes (64KB), which is the same as a Windows Vista SMB2 server\&.
+.sp
+Default:
+\fI\fIsmb2 max write\fR\fR\fI = \fR\fI65536\fR\fI \fR
+The maximum is 8388608 bytes (8MiB), which is the same as a Windows Server 2012 r2\&.
+.sp
+Please note that the default is 8MiB, but it\*(Aqs limit is based on the smb2 dialect (64KiB for SMB == 2\&.0, 8MiB for SMB => 2\&.1 with LargeMTU)\&. Large MTU is not supported over NBT (tcp port 139)\&.
+.sp
+Default:
+\fI\fIsmb2 max write\fR\fR\fI = \fR\fI8388608\fR\fI \fR
+.RE
+smbd profiling level (G)
+.\" smbd profiling level
+.PP
+.RS 4
+This parameter allows the administrator to enable profiling support\&.
+.sp
+Possible values are
+\fBoff\fR,
+\fBcount\fR
+and
+\fBon\fR\&.
+.sp
+Default:
+\fI\fIsmbd profiling level\fR\fR\fI = \fR\fIoff\fR\fI \fR
+.sp
+Example:
+\fI\fIsmbd profiling level\fR\fR\fI = \fR\fIon\fR\fI \fR
 .RE
 …
 .PP
 .RS 4
+This is a new feature introduced with Samba 3\&.2 and above\&. It is an extension to the SMB/CIFS protocol negotiated as part of the UNIX extensions\&. SMB encryption uses the GSSAPI (SSPI on Windows) ability to encrypt and sign every request/response in a SMB protocol stream\&. When enabled it provides a secure method of SMB/CIFS communication, similar to an ssh protected session, but using SMB/CIFS authentication to negotiate encryption and signing keys\&. Currently this is only supported by Samba 3\&.2 smbclient, and hopefully soon Linux CIFSFS and MacOS/X clients\&. Windows clients do not support this feature\&.
+.sp
+This controls whether the remote client is allowed or required to use SMB encryption\&. Possible values are
+\fIauto\fR,
+\fImandatory\fR
+and
+\fIdisabled\fR\&. This may be set on a per\-share basis, but clients may chose to encrypt the entire session, not just traffic to a specific share\&. If this is set to mandatory then all traffic to a share
+This parameter controls whether a remote client is allowed or required to use SMB encryption\&. It has different effects depending on whether the connection uses SMB1 or SMB2 and newer:
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+If the connection uses SMB1, then this option controls the use of a Samba\-specific extension to the SMB protocol introduced in Samba 3\&.2 that makes use of the Unix extensions\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+If the connection uses SMB2 or newer, then this option controls the use of the SMB\-level encryption that is supported in SMB version 3\&.0 and above and available in Windows 8 and newer\&.
+.RE
+.sp
+.RE
+This parameter can be set globally and on a per\-share bases\&. Possible values are
+\fIoff\fR
+(or
+\fIdisabled\fR),
+\fIenabled\fR
+(or
+\fIauto\fR, or
+\fIif_required\fR),
+\fIdesired\fR, and
+\fIrequired\fR
+(or
+\fImandatory\fR)\&. A special value is
+\fIdefault\fR
+which is the implicit default setting of
+\fIenabled\fR\&.
+.PP
+\fIEffects for SMB1\fR
+.RS 4
+The Samba\-specific encryption of SMB1 connections is an extension to the SMB protocol negotiated as part of the UNIX extensions\&. SMB encryption uses the GSSAPI (SSPI on Windows) ability to encrypt and sign every request/response in a SMB protocol stream\&. When enabled it provides a secure method of SMB/CIFS communication, similar to an ssh protected session, but using SMB/CIFS authentication to negotiate encryption and signing keys\&. Currently this is only supported smbclient of by Samba 3\&.2 and newer, and hopefully soon Linux CIFSFS and MacOS/X clients\&. Windows clients do not support this feature\&.
+.sp
+This may be set on a per\-share basis, but clients may chose to encrypt the entire session, not just traffic to a specific share\&. If this is set to mandatory then all traffic to a share
 \fImust\fR
 must be encrypted once the connection has been made to the share\&. The server would return "access denied" to all non\-encrypted requests on such a share\&. Selecting encrypted traffic reduces throughput as smaller packet sizes must be used (no huge UNIX style read/writes allowed) as well as the overhead of encrypting and signing all the data\&.
+be encrypted once the connection has been made to the share\&. The server would return "access denied" to all non\-encrypted requests on such a share\&. Selecting encrypted traffic reduces throughput as smaller packet sizes must be used (no huge UNIX style read/writes allowed) as well as the overhead of encrypting and signing all the data\&.
 .sp
 If SMB encryption is selected, Windows style SMB signing (see the
 …
 option) is no longer necessary, as the GSSAPI flags use select both signing and sealing of the data\&.
 .sp
+When set to auto, SMB encryption is offered, but not enforced\&. When set to mandatory, SMB encryption is required and if set to disabled, SMB encryption can not be negotiated\&.
+.sp
+Default:
+\fI\fIsmb encrypt\fR\fR\fI = \fR\fIauto\fR\fI \fR
+When set to auto or default, SMB encryption is offered, but not enforced\&. When set to mandatory, SMB encryption is required and if set to disabled, SMB encryption can not be negotiated\&.
+.RE
+.PP
+\fIEffects for SMB2\fR
+.RS 4
+Native SMB transport encryption is available in SMB version 3\&.0 or newer\&. It is only offered by Samba if
+\fIserver max protocol\fR
+is set to
+\fISMB3\fR
+or newer\&. Clients supporting this type of encryption include Windows 8 and newer, Windows server 2012 and newer, and smbclient of Samba 4\&.1 and newer\&.
+.sp
+The protocol implementation offers various options:
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+The capability to perform SMB encryption can be negotiated during protocol negotiation\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+Data encryption can be enabled globally\&. In that case, an encryption\-capable connection will have all traffic in all its sessions encrypted\&. In particular all share connections will be encrypted\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+Data encryption can also be enabled per share if not enabled globally\&. For an encryption\-capable connection, all connections to an encryption\-enabled share will be encrypted\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+Encryption can be enforced\&. This means that session setups will be denied on non\-encryption\-capable connections if data encryption has been enabled globally\&. And tree connections will be denied for non\-encryption capable connections to shares with data encryption enabled\&.
+.RE
+.sp
+.RE
+These features can be controlled with settings of
+\fIsmb encrypt\fR
+as follows:
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+Leaving it as default, explicitly setting
+\fIdefault\fR, or setting it to
+\fIenabled\fR
+globally will enable negotiation of encryption but will not turn on data encryption globally or per share\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+Setting it to
+\fIdesired\fR
+globally will enable negotiation and will turn on data encryption on sessions and share connections for those clients that support it\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+Setting it to
+\fIrequired\fR
+globally will enable negotiation and turn on data encryption on sessions and share connections\&. Clients that do not support encryption will be denied access to the server\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+Setting it to
+\fIoff\fR
+globally will completely disable the encryption feature\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+Setting it to
+\fIdesired\fR
+on a share will turn on data encryption for this share for clients that support encryption if negotiation has been enabled globally\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+Setting it to
+\fIrequired\fR
+on a share will enforce data encryption for this share if negotiation has been enabled globally\&. I\&.e\&. clients that do not support encryption will be denied access to the share\&.
+.sp
+Note that this allows per\-share enforcing to be controlled in Samba differently from Windows: In Windows,
+\fIRejectUnencryptedAccess\fR
+is a global setting, and if it is set, all shares with data encryption turned on are automatically enforcing encryption\&. In order to achieve the same effect in Samba, one has to globally set
+\fIsmb encrypt\fR
+to
+\fIenabled\fR, and then set all shares that should be encrypted to
+\fIrequired\fR\&. Additionally, it is possible in Samba to have some shares with encryption
+\fIrequired\fR
+and some other shares with encryption only
+\fIdesired\fR, which is not possible in Windows\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+Setting it to
+\fIoff\fR
+or
+\fIenabled\fR
+for a share has no effect\&.
+.RE
+.sp
+.RE
+.RE
+.sp
+Default:
+\fI\fIsmb encrypt\fR\fR\fI = \fR\fIdefault\fR\fI \fR
 .RE
 …
 .RE
-socket address (G)
-.\" socket address
-.PP
-.RS 4
-This option allows you to control what address Samba will listen for connections on\&. This is used to support multiple virtual interfaces on the one server, each with a different configuration\&.
-.sp
-Setting this option should never be necessary on usual Samba servers running only one nmbd\&.
-.sp
-By default Samba will accept connections on any address\&.
-.sp
-Default:
-\fI\fIsocket address\fR\fR\fI = \fR\fI\fR\fI \fR
-.sp
-Example:
-\fI\fIsocket address\fR\fR\fI = \fR\fI192\&.168\&.2\&.20\fR\fI \fR
-.RE
 socket options (G)
 .\" socket options
 .PP
 .RS 4
+.if n \{\
+.sp
+.\}
+.RS 4
+.it 1 an-trap
+.nr an-no-space-flag 1
+.nr an-break-flag 1
+.br
+.ps +1
+\fBWarning\fR
+.ps -1
+.br
+Modern server operating systems are tuned for high network performance in the majority of situations; when you set socket options you are overriding those settings\&. Linux in particular has an auto\-tuning mechanism for buffer sizes that will be disabled if you specify a socket buffer size\&. This can potentially cripple your TCP/IP stack\&.
+.sp
+Getting the socket options correct can make a big difference to your performance, but getting them wrong can degrade it by just as much\&. As with any other low level setting, if you must make changes to it, make small changes and
+\fItest\fR
+the effect before making any large changes\&.
+.sp .5v
+.RE
+.sp
 This option allows you to set socket options to be used when talking with the client\&.
 .sp
 …
 .sp
 You may find that on some systems Samba will say "Unknown socket option" when you supply an option\&. This means you either incorrectly typed it or you need to add an include file to includes\&.h for your OS\&. If the latter is the case please send the patch to
 samba\-technical@samba\&.org\&.
+samba\-technical@lists\&.samba\&.org\&.
 .sp
 Any of the supported socket options may be combined in any way you like, as long as your OS allows it\&.
 …
 .IP \(bu 2.3
 .\}
+TCP_KEEPCNT *
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+TCP_KEEPIDLE *
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+TCP_KEEPINTVL *
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
 IPTOS_LOWDELAY
 .RE
 …
 .IP \(bu 2.3
 .\}
+SO_REUSEPORT
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
 SO_SNDBUF *
 .RE
 …
 .\}
 SO_RCVLOWAT *
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+SO_SNDTIMEO *
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+SO_RCVTIMEO *
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+TCP_FASTACK *
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+TCP_QUICKACK
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+TCP_NODELAYACK
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+TCP_KEEPALIVE_THRESHOLD *
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+TCP_KEEPALIVE_ABORT_THRESHOLD *
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+TCP_DEFER_ACCEPT *
 .RE
 .sp
 …
 Example:
 \fI\fIsocket options\fR\fR\fI = \fR\fIIPTOS_LOWDELAY\fR\fI \fR
+.RE
+spn update command (G)
+.\" spn update command
+.PP
+.RS 4
+This option sets the command that for updating servicePrincipalName names from
+spn_update_list\&.
+.sp
+Default:
+\fI\fIspn update command\fR\fR\fI = \fR\fI${prefix}/sbin/samba_spnupdate\fR\fI \fR
+.sp
+Example:
+\fI\fIspn update command\fR\fR\fI = \fR\fI/usr/local/sbin/spnupdate\fR\fI \fR
+.RE
+spoolss: architecture (G)
+.\" spoolss: architecture
+.PP
+.RS 4
+Windows spoolss print clients only allow association of server\-side drivers with printers when the driver architecture matches the advertised print server architecture\&. Samba\*(Aqs spoolss print server architecture can be changed using this parameter\&.
+.sp
+Default:
+\fI\fIspoolss: architecture\fR\fR\fI = \fR\fIWindows NT x86\fR\fI \fR
+.sp
+Example:
+\fI\fIspoolss: architecture\fR\fR\fI = \fR\fIWindows x64\fR\fI \fR
+.RE
+spoolss: os_major (G)
+.\" spoolss: os_major
+.PP
+.RS 4
+Windows might require a new os version number\&. This option allows to modify the build number\&. The complete default version number is: 5\&.0\&.2195 (Windows 2000)\&. The example is 6\&.1\&.7601 (Windows 2008 R2)\&.
+.sp
+Default:
+\fI\fIspoolss: os_major\fR\fR\fI = \fR\fI5\fR\fI \fR
+.sp
+Example:
+\fI\fIspoolss: os_major\fR\fR\fI = \fR\fI6\fR\fI \fR
+.RE
+spoolss: os_minor (G)
+.\" spoolss: os_minor
+.PP
+.RS 4
+Windows might require a new os version number\&. This option allows to modify the build number\&. The complete default version number is: 5\&.0\&.2195 (Windows 2000)\&. The example is 6\&.1\&.7601 (Windows 2008 R2)\&.
+.sp
+Default:
+\fI\fIspoolss: os_minor\fR\fR\fI = \fR\fI0\fR\fI \fR
+.sp
+Example:
+\fI\fIspoolss: os_minor\fR\fR\fI = \fR\fI1\fR\fI \fR
+.RE
+spoolss: os_build (G)
+.\" spoolss: os_build
+.PP
+.RS 4
+Windows might require a new os version number\&. This option allows to modify the build number\&. The complete default version number is: 5\&.0\&.2195 (Windows 2000)\&. The example is 6\&.1\&.7601 (Windows 2008 R2)\&.
+.sp
+Default:
+\fI\fIspoolss: os_build\fR\fR\fI = \fR\fI2195\fR\fI \fR
+.sp
+Example:
+\fI\fIspoolss: os_build\fR\fR\fI = \fR\fI7601\fR\fI \fR
+.RE
+spotlight (S)
+.\" spotlight
+.PP
+.RS 4
+This parameter controls whether Samba allows Spotlight queries on a share\&. For controlling indexing of filesystems you also have to use Tracker\*(Aqs own configuration system\&.
+.sp
+Spotlight has several prerequisites:
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+Samba must be configured and built with Spotlight support\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+The
+\fImdssvc\fR
+RPC service must be enabled, see below\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+Tracker intergration must be setup and the share must be indexed by Tracker\&.
+.RE
+.sp
+.RE
+For a detailed set of instructions please see
+https://wiki\&.samba\&.org/index\&.php/Spotlight\&.
+.sp
+The Spotlight RPC service can either be enabled as embedded RPC service:
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+\fI[Global]\fR
+\m[blue]\fBrpc_server:mdsvc = embedded\fR\m[]
+.fi
+.if n \{\
+.RE
+.\}
+.sp
+Or it can be run in a seperate RPC service daemon:
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+\fI[Global]\fR
+\m[blue]\fBrpc_server:mdssd = fork\fR\m[]
+\m[blue]\fBrpc_server:mdsvc = external\fR\m[]
+.fi
+.if n \{\
+.RE
+.\}
+.sp
+Default:
+\fI\fIspotlight\fR\fR\fI = \fR\fIno\fR\fI \fR
 .RE
 …
 \m[blue]\fBmap hidden\fR\m[]
 and
 \m[blue]\fBmap readonly\fR\m[])\&. When set, DOS attributes will be stored onto an extended attribute in the UNIX filesystem, associated with the file or directory\&. For no other mapping to occur as a fall\-back, the parameters
+\m[blue]\fBmap readonly\fR\m[])\&. When set, DOS attributes will be stored onto an extended attribute in the UNIX filesystem, associated with the file or directory\&. When this parameter is set it will override the parameters
 \m[blue]\fBmap hidden\fR\m[],
 \m[blue]\fBmap system\fR\m[],
 …
 and
 \m[blue]\fBmap readonly\fR\m[]
 must be set to off\&. This parameter writes the DOS attributes as a string into the extended attribute named "user\&.DOSATTRIB"\&. This extended attribute is explicitly hidden from smbd clients requesting an EA list\&. On Linux the filesystem must have been mounted with the mount option user_xattr in order for extended attributes to work, also extended attributes must be compiled into the Linux kernel\&. In Samba 3\&.5\&.0 and above the "user\&.DOSATTRIB" extended attribute has been extended to store the create time for a file as well as the DOS attributes\&. This is done in a backwards compatible way so files created by Samba 3\&.5\&.0 and above can still have the DOS attribute read from this extended attribute by earlier versions of Samba, but they will not be able to read the create time stored there\&. Storing the create time separately from the normal filesystem meta\-data allows Samba to faithfully reproduce NTFS semantics on top of a POSIX filesystem\&.
+and they will behave as if they were set to off\&. This parameter writes the DOS attributes as a string into the extended attribute named "user\&.DOSATTRIB"\&. This extended attribute is explicitly hidden from smbd clients requesting an EA list\&. On Linux the filesystem must have been mounted with the mount option user_xattr in order for extended attributes to work, also extended attributes must be compiled into the Linux kernel\&. In Samba 3\&.5\&.0 and above the "user\&.DOSATTRIB" extended attribute has been extended to store the create time for a file as well as the DOS attributes\&. This is done in a backwards compatible way so files created by Samba 3\&.5\&.0 and above can still have the DOS attribute read from this extended attribute by earlier versions of Samba, but they will not be able to read the create time stored there\&. Storing the create time separately from the normal filesystem meta\-data allows Samba to faithfully reproduce NTFS semantics on top of a POSIX filesystem\&.
 .sp
 Default:
 …
 the server will change from UNIX behaviour of not committing real disk storage blocks when a file is extended to the Windows behaviour of actually forcing the disk system to allocate real storage blocks when a file is created or extended to be a given size\&. In UNIX terminology this means that Samba will stop creating sparse files\&.
 .sp
 This option is really desgined for file systems that support fast allocation of large numbers of blocks such as extent\-based file systems\&. On file systems that don\*(Aqt support extents (most notably ext3) this can make Samba slower\&. When you work with large files over >100MB on file systems without extents you may even run into problems with clients running into timeouts\&.
+This option is really designed for file systems that support fast allocation of large numbers of blocks such as extent\-based file systems\&. On file systems that don\*(Aqt support extents (most notably ext3) this can make Samba slower\&. When you work with large files over >100MB on file systems without extents you may even run into problems with clients running into timeouts\&.
 .sp
 When you have an extent based filesystem it\*(Aqs likely that we can make use of unwritten extents which allows Samba to allocate even large amounts of space very fast and you will not see any timeout problems caused by strict allocate\&. With strict allocate in use you will also get much better out of quota messages in case you use quotas\&. Another advantage of activating this setting is that it will help to reduce file fragmentation\&.
 …
 .RE
+strict rename (S)
+.\" strict rename
+.PP
+.RS 4
+By default a Windows SMB server prevents directory renames when there are open file or directory handles below it in the filesystem hierarchy\&. Historically Samba has always allowed this as POSIX filesystem semantics require it\&.
+.sp
+This boolean parameter allows Samba to match the Windows behavior\&. Setting this to "yes" is a very expensive change, as it forces Samba to travers the entire open file handle database on every directory rename request\&. In a clustered Samba system the cost is even greater than the non\-clustered case\&.
+.sp
+When set to "no" smbd only checks the local process the client is attached to for open files below a directory being renamed, instead of checking for open files across all smbd processes\&.
+.sp
+Because of the expense in fully searching the database, the default is "no", and it is recommended to be left that way unless a specific Windows application requires it to be changed\&.
+.sp
+If the client has requested UNIX extensions (POSIX pathnames) then renames are always allowed and this parameter has no effect\&.
+.sp
+Default:
+\fI\fIstrict rename\fR\fR\fI = \fR\fIno\fR\fI \fR
+.RE
 strict sync (S)
 .\" strict sync
 .PP
 .RS 4
 Many Windows applications (including the Windows 98 explorer shell) seem to confuse flushing buffer contents to disk with doing a sync to disk\&. Under UNIX, a sync call forces the process to be suspended until the kernel has ensured that all outstanding data in kernel disk buffers has been safely stored onto stable storage\&. This is very slow and should only be done rarely\&. Setting this parameter to
+Many Windows applications (including the Windows 98 explorer shell) seem to confuse flushing buffer contents to disk with doing a sync to disk\&. Under UNIX, a sync call forces the thread to be suspended until the kernel has ensured that all outstanding data in kernel disk buffers has been safely stored onto stable storage\&. This is very slow and should only be done rarely\&. Setting this parameter to
 \fBno\fR
 (the default) means that
 \fBsmbd\fR(8)
 ignores the Windows applications requests for a sync call\&. There is only a possibility of losing data if the operating system itself that Samba is running on crashes, so there is little danger in this default setting\&. In addition, this fixes many performance problems that people have reported with the new Windows98 explorer shell file copies\&.
+.sp
+The flush request from SMB2/3 clients is handled asynchronously, so for these clients setting the parameter to
+\fByes\fR
+does not block the processing of other requests in the smbd process\&.
 .sp
 Default:
 …
 .RE
-syslog only (G)
-.\" syslog only
-.PP
-.RS 4
-If this parameter is set then Samba debug messages are logged into the system syslog only, and not to the debug log files\&. There still will be some logging to log\&.[sn]mbd even if
-\fIsyslog only\fR
-is enabled\&.
-.sp
-Default:
-\fI\fIsyslog only\fR\fR\fI = \fR\fIno\fR\fI \fR
-.RE
 syslog (G)
 .\" syslog
 …
 is enabled\&.
 .sp
+The
+\m[blue]\fBlogging\fR\m[]
+parameter should be used instead\&. When
+\m[blue]\fBlogging\fR\m[]
+is set, it overrides the
+\m[blue]\fBsyslog\fR\m[]
+parameter\&.
+.sp
 Default:
 \fI\fIsyslog\fR\fR\fI = \fR\fI1\fR\fI \fR
+.RE
+syslog only (G)
+.\" syslog only
+.PP
+.RS 4
+If this parameter is set then Samba debug messages are logged into the system syslog only, and not to the debug log files\&. There still will be some logging to log\&.[sn]mbd even if
+\fIsyslog only\fR
+is enabled\&.
+.sp
+The
+\m[blue]\fBlogging\fR\m[]
+parameter should be used instead\&. When
+\m[blue]\fBlogging\fR\m[]
+is set, it overrides the
+\m[blue]\fBsyslog only\fR\m[]
+parameter\&.
+.sp
+Default:
+\fI\fIsyslog only\fR\fR\fI = \fR\fIno\fR\fI \fR
 .RE
 …
 daemon uses this parameter to fill in the login shell for that user\&.
 .sp
+\fINo default\fR
+.RE
+time offset (G)
+.\" time offset
+.PP
+.RS 4
+This deprecated parameter is a setting in minutes to add to the normal GMT to local time conversion\&. This is useful if you are serving a lot of PCs that have incorrect daylight saving time handling\&.
+.if n \{\
+.sp
+.\}
+.RS 4
+.it 1 an-trap
+.nr an-no-space-flag 1
+.nr an-break-flag 1
+.br
+.ps +1
+\fBNote\fR
+.ps -1
+.br
+This option is deprecated, and will be removed in the next major release
+.sp .5v
+.RE
+Default:
+\fI\fItime offset\fR\fR\fI = \fR\fI0\fR\fI \fR
+.sp
+Example:
+\fI\fItime offset\fR\fR\fI = \fR\fI60\fR\fI \fR
+Default:
+\fI\fItemplate shell\fR\fR\fI = \fR\fI/bin/false\fR\fI \fR
 .RE
 …
 .RE
+debug timestamp
+.\" debug timestamp
+.PP
+.RS 4
+This parameter is a synonym for
+timestamp logs\&.
+.RE
+timestamp logs (G)
+.\" timestamp logs
+.PP
+.RS 4
+Samba debug log messages are timestamped by default\&. If you are running at a high
+\m[blue]\fBdebug level\fR\m[]
+these timestamps can be distracting\&. This boolean parameter allows timestamping to be turned off\&.
+.sp
+Default:
+\fI\fItimestamp logs\fR\fR\fI = \fR\fIyes\fR\fI \fR
+.RE
+tls cafile (G)
+.\" tls cafile
+.PP
+.RS 4
+This option can be set to a file (PEM format) containing CA certificates of root CAs to trust to sign certificates or intermediate CA certificates\&.
+.sp
+This path is relative to
+\m[blue]\fBprivate dir\fR\m[]
+if the path does not start with a /\&.
+.sp
+Default:
+\fI\fItls cafile\fR\fR\fI = \fR\fItls/ca\&.pem\fR\fI \fR
+.RE
+tls certfile (G)
+.\" tls certfile
+.PP
+.RS 4
+This option can be set to a file (PEM format) containing the RSA certificate\&.
+.sp
+This path is relative to
+\m[blue]\fBprivate dir\fR\m[]
+if the path does not start with a /\&.
+.sp
+Default:
+\fI\fItls certfile\fR\fR\fI = \fR\fItls/cert\&.pem\fR\fI \fR
+.RE
+tls crlfile (G)
+.\" tls crlfile
+.PP
+.RS 4
+This option can be set to a file containing a certificate revocation list (CRL)\&.
+.sp
+This path is relative to
+\m[blue]\fBprivate dir\fR\m[]
+if the path does not start with a /\&.
+.sp
+Default:
+\fI\fItls crlfile\fR\fR\fI = \fR\fI\fR\fI \fR
+.RE
+tls dh params file (G)
+.\" tls dh params file
+.PP
+.RS 4
+This option can be set to a file with Diffie\-Hellman parameters which will be used with DH ciphers\&.
+.sp
+This path is relative to
+\m[blue]\fBprivate dir\fR\m[]
+if the path does not start with a /\&.
+.sp
+Default:
+\fI\fItls dh params file\fR\fR\fI = \fR\fI\fR\fI \fR
+.RE
+tls enabled (G)
+.\" tls enabled
+.PP
+.RS 4
+If this option is set to
+\fByes\fR, then Samba will use TLS when possible in communication\&.
+.sp
+Default:
+\fI\fItls enabled\fR\fR\fI = \fR\fIyes\fR\fI \fR
+.RE
+tls keyfile (G)
+.\" tls keyfile
+.PP
+.RS 4
+This option can be set to a file (PEM format) containing the RSA private key\&. This file must be accessible without a pass\-phrase, i\&.e\&. it must not be encrypted\&.
+.sp
+This path is relative to
+\m[blue]\fBprivate dir\fR\m[]
+if the path does not start with a /\&.
+.sp
+Default:
+\fI\fItls keyfile\fR\fR\fI = \fR\fItls/key\&.pem\fR\fI \fR
+.RE
+tls priority (G)
+.\" tls priority
+.PP
+.RS 4
+This option can be set to a string describing the TLS protocols to be supported in the parts of Samba that use GnuTLS, specifically the AD DC\&.
+.sp
+The default turns off SSLv3, as this protocol is no longer considered secure after CVE\-2014\-3566 (otherwise known as POODLE) impacted SSLv3 use in HTTPS applications\&.
+.sp
+The valid options are described in the
+GNUTLS Priority\-Strings documentation at http://gnutls\&.org/manual/html_node/Priority\-Strings\&.html
+.sp
+Default:
+\fI\fItls priority\fR\fR\fI = \fR\fINORMAL:\-VERS\-SSL3\&.0\fR\fI \fR
+.RE
+tls verify peer (G)
+.\" tls verify peer
+.PP
+.RS 4
+This controls if and how strict the client will verify the peer\*(Aqs certificate and name\&. Possible values are (in increasing order):
+\fBno_check\fR,
+\fBca_only\fR,
+\fBca_and_name_if_available\fR,
+\fBca_and_name\fR
+and
+\fBas_strict_as_possible\fR\&.
+.sp
+When set to
+\fBno_check\fR
+the certificate is not verified at all, which allows trivial man in the middle attacks\&.
+.sp
+When set to
+\fBca_only\fR
+the certificate is verified to be signed from a ca specified in the
+\m[blue]\fBtls ca file\fR\m[]
+option\&. Setting
+\m[blue]\fBtls ca file\fR\m[]
+to a valid file is required\&. The certificate lifetime is also verified\&. If the
+\m[blue]\fBtls crl file\fR\m[]
+option is configured, the certificate is also verified against the ca crl\&.
+.sp
+When set to
+\fBca_and_name_if_available\fR
+all checks from
+\fBca_only\fR
+are performed\&. In addition, the peer hostname is verified against the certificate\*(Aqs name, if it is provided by the application layer and not given as an ip address string\&.
+.sp
+When set to
+\fBca_and_name\fR
+all checks from
+\fBca_and_name_if_available\fR
+are performed\&. In addition the peer hostname needs to be provided and even an ip address is checked against the certificate\*(Aqs name\&.
+.sp
+When set to
+\fBas_strict_as_possible\fR
+all checks from
+\fBca_and_name\fR
+are performed\&. In addition the
+\m[blue]\fBtls crl file\fR\m[]
+needs to be configured\&. Future versions of Samba may implement additional checks\&.
+.sp
+Default:
+\fI\fItls verify peer\fR\fR\fI = \fR\fIas_strict_as_possible\fR\fI \fR
+.RE
+unicode (G)
+.\" unicode
+.PP
+.RS 4
+Specifies whether the server and client should support unicode\&.
+.sp
+If this option is set to false, the use of ASCII will be forced\&.
+.sp
+Default:
+\fI\fIunicode\fR\fR\fI = \fR\fIyes\fR\fI \fR
+.RE
 unix charset (G)
 .\" unix charset
 …
 .sp
 Default:
 \fI\fIunix charset\fR\fR\fI = \fR\fIUTF8\fR\fI \fR
+\fI\fIunix charset\fR\fR\fI = \fR\fIUTF\-8\fR\fI \fR
 .sp
 Example:
 …
 disable spoolss = yes\&.
 .sp
 The differentiating factor is that under normal circumstances, the NT/2000 client will attempt to open the network printer using MS\-RPC\&. The problem is that because the client considers the printer to be local, it will attempt to issue the OpenPrinterEx() call requesting access rights associated with the logged on user\&. If the user possesses local administator rights but not root privilege on the Samba host (often the case), the OpenPrinterEx() call will fail\&. The result is that the client will now display an "Access Denied; Unable to connect" message in the printer queue window (even though jobs may successfully be printed)\&.
+The differentiating factor is that under normal circumstances, the NT/2000 client will attempt to open the network printer using MS\-RPC\&. The problem is that because the client considers the printer to be local, it will attempt to issue the OpenPrinterEx() call requesting access rights associated with the logged on user\&. If the user possesses local administrator rights but not root privilege on the Samba host (often the case), the OpenPrinterEx() call will fail\&. The result is that the client will now display an "Access Denied; Unable to connect" message in the printer queue window (even though jobs may successfully be printed)\&.
 .sp
 If this parameter is enabled for a printer, then any attempt to open the printer with the PRINTER_ACCESS_ADMINISTER right is mapped to PRINTER_ACCESS_USE instead\&. Thus allowing the OpenPrinterEx() call to succeed\&.
 …
 .RE
+user
+.\" user
+.PP
+.RS 4
+This parameter is a synonym for
+username\&.
+.RE
+users
+.\" users
+.PP
+.RS 4
+This parameter is a synonym for
+username\&.
+.RE
+username (S)
+.\" username
+.PP
+.RS 4
+To restrict a service to a particular set of users you can use the
+\m[blue]\fBvalid users\fR\m[]
+parameter\&.
+.sp
+This parameter is deprecated
+.sp
+However, it currently operates only in conjunction with
+\m[blue]\fBonly user\fR\m[]\&. The supported way to restrict a service to a particular set of users is the
+\m[blue]\fBvalid users\fR\m[]
+parameter\&.
+.sp
+Default:
+\fI\fIusername\fR\fR\fI = \fR\fI # The guest account if a guest service, else <empty string>\&.\fR\fI \fR
+.sp
+Example:
+\fI\fIusername\fR\fR\fI = \fR\fIfred, mary, jack, jane, @users, @pcgroup\fR\fI \fR
+.RE
 username level (G)
 .\" username level
 …
 Example:
 \fI\fIusername level\fR\fR\fI = \fR\fI5\fR\fI \fR
+.RE
+username map (G)
+.\" username map
+.PP
+.RS 4
+This option allows you to specify a file containing a mapping of usernames from the clients to the server\&. This can be used for several purposes\&. The most common is to map usernames that users use on DOS or Windows machines to those that the UNIX box uses\&. The other is to map multiple users to a single username so that they can more easily share files\&.
+.sp
+Please note that for user mode security, the username map is applied prior to validating the user credentials\&. Domain member servers (domain or ads) apply the username map after the user has been successfully authenticated by the domain controller and require fully qualified entries in the map table (e\&.g\&. biddle =
+DOMAIN\efoo)\&.
+.sp
+The map file is parsed line by line\&. Each line should contain a single UNIX username on the left then a \*(Aq=\*(Aq followed by a list of usernames on the right\&. The list of usernames on the right may contain names of the form @group in which case they will match any UNIX username in that group\&. The special client name \*(Aq*\*(Aq is a wildcard and matches any name\&. Each line of the map file may be up to 1023 characters long\&.
+.sp
+The file is processed on each line by taking the supplied username and comparing it with each username on the right hand side of the \*(Aq=\*(Aq signs\&. If the supplied name matches any of the names on the right hand side then it is replaced with the name on the left\&. Processing then continues with the next line\&.
+.sp
+If any line begins with a \*(Aq#\*(Aq or a \*(Aq;\*(Aq then it is ignored\&.
+.sp
+If any line begins with an \*(Aq!\*(Aq then the processing will stop after that line if a mapping was done by the line\&. Otherwise mapping continues with every line being processed\&. Using \*(Aq!\*(Aq is most useful when you have a wildcard mapping line later in the file\&.
+.sp
+For example to map from the name
+\fBadmin\fR
+or
+\fBadministrator\fR
+to the UNIX name
+\fB root\fR
+you would use:
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+root = admin administrator
+.fi
+.if n \{\
+.RE
+.\}
+.sp
+Or to map anyone in the UNIX group
+\fBsystem\fR
+to the UNIX name
+\fBsys\fR
+you would use:
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+sys = @system
+.fi
+.if n \{\
+.RE
+.\}
+.sp
+You can have as many mappings as you like in a username map file\&.
+.sp
+If your system supports the NIS NETGROUP option then the netgroup database is checked before the
+/etc/group
+database for matching groups\&.
+.sp
+You can map Windows usernames that have spaces in them by using double quotes around the name\&. For example:
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+tridge = "Andrew Tridgell"
+.fi
+.if n \{\
+.RE
+.\}
+.sp
+would map the windows username "Andrew Tridgell" to the unix username "tridge"\&.
+.sp
+The following example would map mary and fred to the unix user sys, and map the rest to guest\&. Note the use of the \*(Aq!\*(Aq to tell Samba to stop processing if it gets a match on that line:
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+!sys = mary fred
+guest = *
+.fi
+.if n \{\
+.RE
+.\}
+.sp
+Note that the remapping is applied to all occurrences of usernames\&. Thus if you connect to \e\eserver\efred and
+\fBfred\fR
+is remapped to
+\fBmary\fR
+then you will actually be connecting to \e\eserver\emary and will need to supply a password suitable for
+\fBmary\fR
+not
+\fBfred\fR\&. The only exception to this is the username passed to a Domain Controller (if you have one)\&. The DC will receive whatever username the client supplies without modification\&.
+.sp
+Also note that no reverse mapping is done\&. The main effect this has is with printing\&. Users who have been mapped may have trouble deleting print jobs as PrintManager under WfWg will think they don\*(Aqt own the print job\&.
+.sp
+Samba versions prior to 3\&.0\&.8 would only support reading the fully qualified username (e\&.g\&.:
+DOMAIN\euser) from the username map when performing a kerberos login from a client\&. However, when looking up a map entry for a user authenticated by NTLM[SSP], only the login name would be used for matches\&. This resulted in inconsistent behavior sometimes even on the same server\&.
+.sp
+The following functionality is obeyed in version 3\&.0\&.8 and later:
+.sp
+When performing local authentication, the username map is applied to the login name before attempting to authenticate the connection\&.
+.sp
+When relying upon a external domain controller for validating authentication requests, smbd will apply the username map to the fully qualified username (i\&.e\&.
+DOMAIN\euser) only after the user has been successfully authenticated\&.
+.sp
+An example of use is:
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+username map = /usr/local/samba/lib/users\&.map
+.fi
+.if n \{\
+.RE
+.\}
+.sp
+Default:
+\fI\fIusername map\fR\fR\fI = \fR\fI # no username map\fR\fI \fR
 .RE
 …
 This script is a mutually exclusive alternative to the
 \m[blue]\fBusername map\fR\m[]
 parameter\&. This parameter specifies and external program or script that must accept a single command line option (the username transmitted in the authentication request) and return a line line on standard output (the name to which the account should mapped)\&. In this way, it is possible to store username map tables in an LDAP or NIS directory services\&.
+parameter\&. This parameter specifies and external program or script that must accept a single command line option (the username transmitted in the authentication request) and return a line on standard output (the name to which the account should mapped)\&. In this way, it is possible to store username map tables in an LDAP or NIS directory services\&.
 .sp
 Default:
 …
 Example:
 \fI\fIusername map script\fR\fR\fI = \fR\fI/etc/samba/scripts/mapusers\&.sh\fR\fI \fR
-.RE
-username map (G)
-.\" username map
-.PP
-.RS 4
-This option allows you to specify a file containing a mapping of usernames from the clients to the server\&. This can be used for several purposes\&. The most common is to map usernames that users use on DOS or Windows machines to those that the UNIX box uses\&. The other is to map multiple users to a single username so that they can more easily share files\&.
-.sp
-Please note that for user or share mode security, the username map is applied prior to validating the user credentials\&. Domain member servers (domain or ads) apply the username map after the user has been successfully authenticated by the domain controller and require fully qualified enties in the map table (e\&.g\&. biddle =
-DOMAIN\efoo)\&.
-.sp
-The map file is parsed line by line\&. Each line should contain a single UNIX username on the left then a \*(Aq=\*(Aq followed by a list of usernames on the right\&. The list of usernames on the right may contain names of the form @group in which case they will match any UNIX username in that group\&. The special client name \*(Aq*\*(Aq is a wildcard and matches any name\&. Each line of the map file may be up to 1023 characters long\&.
-.sp
-The file is processed on each line by taking the supplied username and comparing it with each username on the right hand side of the \*(Aq=\*(Aq signs\&. If the supplied name matches any of the names on the right hand side then it is replaced with the name on the left\&. Processing then continues with the next line\&.
-.sp
-If any line begins with a \*(Aq#\*(Aq or a \*(Aq;\*(Aq then it is ignored\&.
-.sp
-If any line begins with an \*(Aq!\*(Aq then the processing will stop after that line if a mapping was done by the line\&. Otherwise mapping continues with every line being processed\&. Using \*(Aq!\*(Aq is most useful when you have a wildcard mapping line later in the file\&.
-.sp
-For example to map from the name
-\fBadmin\fR
-or
-\fBadministrator\fR
-to the UNIX name
-\fB root\fR
-you would use:
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
-root = admin administrator
-.fi
-.if n \{\
-.RE
-.\}
-.sp
-Or to map anyone in the UNIX group
-\fBsystem\fR
-to the UNIX name
-\fBsys\fR
-you would use:
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
-sys = @system
-.fi
-.if n \{\
-.RE
-.\}
-.sp
-You can have as many mappings as you like in a username map file\&.
-.sp
-If your system supports the NIS NETGROUP option then the netgroup database is checked before the
-/etc/group
-database for matching groups\&.
-.sp
-You can map Windows usernames that have spaces in them by using double quotes around the name\&. For example:
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
-tridge = "Andrew Tridgell"
-.fi
-.if n \{\
-.RE
-.\}
-.sp
-would map the windows username "Andrew Tridgell" to the unix username "tridge"\&.
-.sp
-The following example would map mary and fred to the unix user sys, and map the rest to guest\&. Note the use of the \*(Aq!\*(Aq to tell Samba to stop processing if it gets a match on that line:
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
-!sys = mary fred
-guest = *
-.fi
-.if n \{\
-.RE
-.\}
-.sp
-Note that the remapping is applied to all occurrences of usernames\&. Thus if you connect to \e\eserver\efred and
-\fBfred\fR
-is remapped to
-\fBmary\fR
-then you will actually be connecting to \e\eserver\emary and will need to supply a password suitable for
-\fBmary\fR
-not
-\fBfred\fR\&. The only exception to this is the username passed to the
-\m[blue]\fBpassword server\fR\m[]
-(if you have one)\&. The password server will receive whatever username the client supplies without modification\&.
-.sp
-Also note that no reverse mapping is done\&. The main effect this has is with printing\&. Users who have been mapped may have trouble deleting print jobs as PrintManager under WfWg will think they don\*(Aqt own the print job\&.
-.sp
-Samba versions prior to 3\&.0\&.8 would only support reading the fully qualified username (e\&.g\&.:
-DOMAIN\euser) from the username map when performing a kerberos login from a client\&. However, when looking up a map entry for a user authenticated by NTLM[SSP], only the login name would be used for matches\&. This resulted in inconsistent behavior sometimes even on the same server\&.
-.sp
-The following functionality is obeyed in version 3\&.0\&.8 and later:
-.sp
-When performing local authentication, the username map is applied to the login name before attempting to authenticate the connection\&.
-.sp
-When relying upon a external domain controller for validating authentication requests, smbd will apply the username map to the fully qualified username (i\&.e\&.
-DOMAIN\euser) only after the user has been successfully authenticated\&.
-.sp
-An example of use is:
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
-username map = /usr/local/samba/lib/users\&.map
-.fi
-.if n \{\
-.RE
-.\}
-.sp
-Default:
-\fI\fIusername map\fR\fR\fI = \fR\fI # no username map\fR\fI \fR
-.RE
-user
-.\" user
-.PP
-.RS 4
-This parameter is a synonym for
-username\&.
-.RE
-users
-.\" users
-.PP
-.RS 4
-This parameter is a synonym for
-username\&.
-.RE
-username (S)
-.\" username
-.PP
-.RS 4
-Multiple users may be specified in a comma\-delimited list, in which case the supplied password will be tested against each username in turn (left to right)\&.
-.sp
-The deprecated
-\fIusername\fR
-line is needed only when the PC is unable to supply its own username\&. This is the case for the COREPLUS protocol or where your users have different WfWg usernames to UNIX usernames\&. In both these cases you may also be better using the \e\eserver\eshare%user syntax instead\&.
-.sp
-The
-\fIusername\fR
-line is not a great solution in many cases as it means Samba will try to validate the supplied password against each of the usernames in the
-\fIusername\fR
-line in turn\&. This is slow and a bad idea for lots of users in case of duplicate passwords\&. You may get timeouts or security breaches using this parameter unwisely\&.
-.sp
-Samba relies on the underlying UNIX security\&. This parameter does not restrict who can login, it just offers hints to the Samba server as to what usernames might correspond to the supplied password\&. Users can login as whoever they please and they will be able to do no more damage than if they started a telnet session\&. The daemon runs as the user that they log in as, so they cannot do anything that user cannot do\&.
-.sp
-To restrict a service to a particular set of users you can use the
-\m[blue]\fBvalid users\fR\m[]
-parameter\&.
-.sp
-If any of the usernames begin with a \*(Aq@\*(Aq then the name will be looked up first in the NIS netgroups list (if Samba is compiled with netgroup support), followed by a lookup in the UNIX groups database and will expand to a list of all users in the group of that name\&.
-.sp
-If any of the usernames begin with a \*(Aq+\*(Aq then the name will be looked up only in the UNIX groups database and will expand to a list of all users in the group of that name\&.
-.sp
-If any of the usernames begin with a \*(Aq&\*(Aq then the name will be looked up only in the NIS netgroups database (if Samba is compiled with netgroup support) and will expand to a list of all users in the netgroup group of that name\&.
-.sp
-Note that searching though a groups database can take quite some time, and some clients may time out during the search\&.
-.sp
-See the section
-NOTE ABOUT USERNAME/PASSWORD VALIDATION
-for more information on how this parameter determines access to the services\&.
-.sp
-Default:
-\fI\fIusername\fR\fR\fI = \fR\fI # The guest account if a guest service, else <empty string>\&.\fR\fI \fR
-.sp
-Example:
-\fI\fIusername\fR\fR\fI = \fR\fIfred, mary, jack, jane, @users, @pcgroup\fR\fI \fR
 .RE
 …
 .sp
 Default:
 \fI\fIusershare owner only\fR\fR\fI = \fR\fITrue\fR\fI \fR
+\fI\fIusershare owner only\fR\fR\fI = \fR\fIyes\fR\fI \fR
 .RE
 …
 .PP
 .RS 4
 This parameter specifies the absolute path of the directory on the filesystem used to store the user defined share definition files\&. This directory must be owned by root, and have no access for other, and be writable only by the group owner\&. In addition the "sticky" bit must also be set, restricting rename and delete to owners of a file (in the same way the /tmp directory is usually configured)\&. Members of the group owner of this directory are the users allowed to create usershares\&. If this parameter is undefined then no user defined shares are allowed\&.
+This parameter specifies the absolute path of the directory on the filesystem used to store the user defined share definition files\&. This directory must be owned by root, and have no access for other, and be writable only by the group owner\&. In addition the "sticky" bit must also be set, restricting rename and delete to owners of a file (in the same way the /tmp directory is usually configured)\&. Members of the group owner of this directory are the users allowed to create usershares\&.
 .sp
 For example, a valid usershare directory might be /usr/local/samba/lib/usershares, set up as follows\&.
-.sp
 .sp
 .if n \{\
 …
 .sp
 Default:
 \fI\fIusershare path\fR\fR\fI = \fR\fINULL\fR\fI \fR
+\fI\fIusershare path\fR\fR\fI = \fR\fI${prefix}/var/locks/usershares\fR\fI \fR
 .RE
 …
 .sp
 Default:
 \fI\fIusershare prefix allow list\fR\fR\fI = \fR\fINULL\fR\fI \fR
+\fI\fIusershare prefix allow list\fR\fR\fI = \fR\fI\fR\fI \fR
 .sp
 Example:
 …
 .sp
 Default:
 \fI\fIusershare prefix deny list\fR\fR\fI = \fR\fINULL\fR\fI \fR
+\fI\fIusershare prefix deny list\fR\fR\fI = \fR\fI\fR\fI \fR
 .sp
 Example:
 …
 .sp
 Default:
 \fI\fIusershare template share\fR\fR\fI = \fR\fINULL\fR\fI \fR
+\fI\fIusershare template share\fR\fR\fI = \fR\fI\fR\fI \fR
 .sp
 Example:
 …
 .sp
 Default:
 \fI\fIuse sendfile\fR\fR\fI = \fR\fIfalse\fR\fI \fR
+\fI\fIuse sendfile\fR\fR\fI = \fR\fIno\fR\fI \fR
 .RE
 …
 .PP
 .RS 4
 This deprecated variable controls controls whether samba will try to use Simple and Protected NEGOciation (as specified by rfc2478) with WindowsXP and Windows2000 clients to agree upon an authentication mechanism\&.
+This deprecated variable controls whether samba will try to use Simple and Protected NEGOciation (as specified by rfc2478) with WindowsXP and Windows2000 clients to agree upon an authentication mechanism\&.
 .sp
 Unless further issues are discovered with our SPNEGO implementation, there is no reason this should ever be disabled\&.
 …
 Default:
 \fI\fIuse spnego\fR\fR\fI = \fR\fIyes\fR\fI \fR
+.RE
+utmp (G)
+.\" utmp
+.PP
+.RS 4
+This boolean parameter is only available if Samba has been configured and compiled with the option
+\-\-with\-utmp\&. If set to
+\fByes\fR
+then Samba will attempt to add utmp or utmpx records (depending on the UNIX system) whenever a connection is made to a Samba server\&. Sites may use this to record the user connecting to a Samba share\&.
+.sp
+Due to the requirements of the utmp record, we are required to create a unique identifier for the incoming user\&. Enabling this option creates an n^2 algorithm to find this number\&. This may impede performance on large installations\&.
+.sp
+Default:
+\fI\fIutmp\fR\fR\fI = \fR\fIno\fR\fI \fR
 .RE
 …
 .RE
+utmp (G)
+.\" utmp
+.PP
+.RS 4
+This boolean parameter is only available if Samba has been configured and compiled with the option
+\-\-with\-utmp\&. If set to
+\fByes\fR
+then Samba will attempt to add utmp or utmpx records (depending on the UNIX system) whenever a connection is made to a Samba server\&. Sites may use this to record the user connecting to a Samba share\&.
+.sp
+Due to the requirements of the utmp record, we are required to create a unique identifier for the incoming user\&. Enabling this option creates an n^2 algorithm to find this number\&. This may impede performance on large installations\&.
+.sp
+Default:
+\fI\fIutmp\fR\fR\fI = \fR\fIno\fR\fI \fR
+\-valid (S)
+.\" -valid
+.PP
+.RS 4
+This parameter indicates whether a share is valid and thus can be used\&. When this parameter is set to false, the share will be in no way visible nor accessible\&.
+.sp
+This option should not be used by regular users but might be of help to developers\&. Samba uses this option internally to mark shares as deleted\&.
+.sp
+Default:
+\fI\fI\-valid\fR\fR\fI = \fR\fIyes\fR\fI \fR
 .RE
 …
 \fI%S\fR\&. This is useful in the [homes] section\&.
 .sp
+\fINote: \fRWhen used in the [global] section this parameter may have unwanted side effects\&. For example: If samba is configured as a MASTER BROWSER (see
+\fIlocal master\fR,
+\fIos level\fR,
+\fIdomain master\fR,
+\fIpreferred master\fR) this option will prevent workstations from being able to browse the network\&.
+.sp
 Default:
 \fI\fIvalid users\fR\fR\fI = \fR\fI # No valid users list (anyone can login) \fR\fI \fR
 …
 Example:
 \fI\fIvalid users\fR\fR\fI = \fR\fIgreg, @pcusers\fR\fI \fR
-.RE
-\-valid (S)
-.\" -valid
-.PP
-.RS 4
-This parameter indicates whether a share is valid and thus can be used\&. When this parameter is set to false, the share will be in no way visible nor accessible\&.
-.sp
-This option should not be used by regular users but might be of help to developers\&. Samba uses this option internally to mark shares as deleted\&.
-.sp
-Default:
-\fI\fI\-valid\fR\fR\fI = \fR\fIyes\fR\fI \fR
 .RE
 …
 .sp
 Default:
 \fI\fIveto files\fR\fR\fI = \fR\fINo files or directories are vetoed\&.\fR\fI \fR
+\fI\fIveto files\fR\fR\fI = \fR\fI # No files or directories are vetoed\fR\fI \fR
 .RE
 …
 .RE
+web port (G)
+.\" web port
+.PP
+.RS 4
+Specifies which port the Samba web server should listen on\&.
+.sp
+Default:
+\fI\fIweb port\fR\fR\fI = \fR\fI901\fR\fI \fR
+.sp
+Example:
+\fI\fIweb port\fR\fR\fI = \fR\fI80\fR\fI \fR
+.RE
 wide links (S)
 .\" wide links
 …
 Default:
 \fI\fIwinbind cache time\fR\fR\fI = \fR\fI300\fR\fI \fR
+.RE
+winbindd privileged socket directory (G)
+.\" winbindd privileged socket directory
+.PP
+.RS 4
+This setting controls the location of the winbind daemon\*(Aqs privileged socket\&.
+.sp
+Default:
+\fI\fIwinbindd privileged socket directory\fR\fR\fI = \fR\fI${prefix}/var/lib/winbindd_privileged\fR\fI \fR
+.RE
+winbindd socket directory (G)
+.\" winbindd socket directory
+.PP
+.RS 4
+This setting controls the location of the winbind daemon\*(Aqs socket\&.
+.sp
+Except within automated test scripts, this should not be altered, as the client tools (nss_winbind etc) do not honour this parameter\&. Client tools must then be advised of the altered path with the WINBINDD_SOCKET_DIR environment varaible\&.
+.sp
+Default:
+\fI\fIwinbindd socket directory\fR\fR\fI = \fR\fI${prefix}/var/run/winbindd\fR\fI \fR
 .RE
 …
 Be aware that a high value for this parameter can result in system slowdown as the main parent winbindd daemon must perform the group unrolling and will be unable to answer incoming NSS or authentication requests during this time\&.
 .sp
+Default:
+\fI\fIwinbind expand groups\fR\fR\fI = \fR\fI1\fR\fI \fR
+The default value was changed from 1 to 0 with Samba 4\&.2\&. Some broken applications calculate the group memberships of users by traversing groups, such applications will require "winbind expand groups = 1"\&. But the new default makes winbindd more reliable as it doesn\*(Aqt require SAMR access to domain controllers of trusted domains\&.
+.sp
+Default:
+\fI\fIwinbind expand groups\fR\fR\fI = \fR\fI0\fR\fI \fR
 .RE
 …
 This parameter specifies the maximum number of clients the
 \fBwinbindd\fR(8)
+daemon can connect with\&.
+daemon can connect with\&. The parameter is not a hard limit\&. The
+\fBwinbindd\fR(8)
+daemon configures itself to be able to accept at least that many connections, and if the limit is reached, an attempt is made to disconnect idle clients\&.
 .sp
 Default:
 …
 This parameter controls whether winbindd will replace whitespace in user and group names with an underscore (_) character\&. For example, whether the name "Space Kadet" should be replaced with the string "space_kadet"\&. Frequently Unix shell scripts will have difficulty with usernames contains whitespace due to the default field separator in the shell\&. If your domain possesses names containing the underscore character, this option may cause problems unless the name aliasing feature is supported by your nss_info plugin\&.
 .sp
 This feature also enables the name aliasing API which can be used to make domain user and group names to a non\-qualified version\&. Please refer to the manpage for the configured idmap and nss_info plugin for the specifics on how to configure name aliasing for a specific configuration\&. Name aliasing takes precedence (and is mutually exclusive) over the whitespace replacement mechanism discussed previsouly\&.
+This feature also enables the name aliasing API which can be used to make domain user and group names to a non\-qualified version\&. Please refer to the manpage for the configured idmap and nss_info plugin for the specifics on how to configure name aliasing for a specific configuration\&. Name aliasing takes precedence (and is mutually exclusive) over the whitespace replacement mechanism discussed previously\&.
 .sp
 Default:
 …
 .IP \(bu 2.3
 .\}
 \fI<sfu | rfc2307 >\fR
 \- When Samba is running in security = ads and your Active Directory Domain Controller does support the Microsoft "Services for Unix" (SFU) LDAP schema, winbind can retrieve the login shell and the home directory attributes directly from your Directory Server\&. Note that retrieving UID and GID from your ADS\-Server requires to use
+\fI<sfu | sfu20 | rfc2307 >\fR
+\- When Samba is running in security = ads and your Active Directory Domain Controller does support the Microsoft "Services for Unix" (SFU) LDAP schema, winbind can retrieve the login shell and the home directory attributes directly from your Directory Server\&. For SFU 3\&.0 or 3\&.5 simply choose "sfu", if you use SFU 2\&.0 please choose "sfu20"\&. Note that retrieving UID and GID from your ADS\-Server requires to use
 \fIidmap config DOMAIN:backend\fR
 = ad as well\&.
+= ad as well\&. The primary group membership is currently always calculated via the "primaryGroupID" LDAP attribute\&.
 .RE
 .sp
 …
 .PP
 .RS 4
 This parameter is designed to control whether Winbind should allow to login with the
+This parameter is designed to control whether Winbind should allow one to login with the
 \fIpam_winbind\fR
 module using Cached Credentials\&. If enabled, winbindd will store user credentials from successful logins encrypted in a local cache\&.
 .sp
 Default:
 \fI\fIwinbind offline logon\fR\fR\fI = \fR\fIfalse\fR\fI \fR
 .sp
 Example:
 \fI\fIwinbind offline logon\fR\fR\fI = \fR\fItrue\fR\fI \fR
+\fI\fIwinbind offline logon\fR\fR\fI = \fR\fIno\fR\fI \fR
+.sp
+Example:
+\fI\fIwinbind offline logon\fR\fR\fI = \fR\fIyes\fR\fI \fR
 .RE
 …
 .sp
 Default:
+\fI\fIwinbind refresh tickets\fR\fR\fI = \fR\fIfalse\fR\fI \fR
+.sp
+Example:
+\fI\fIwinbind refresh tickets\fR\fR\fI = \fR\fItrue\fR\fI \fR
+\fI\fIwinbind refresh tickets\fR\fR\fI = \fR\fIno\fR\fI \fR
+.sp
+Example:
+\fI\fIwinbind refresh tickets\fR\fR\fI = \fR\fIyes\fR\fI \fR
+.RE
+winbind request timeout (G)
+.\" winbind request timeout
+.PP
+.RS 4
+This parameter specifies the number of seconds the
+\fBwinbindd\fR(8)
+daemon will wait before disconnecting either a client connection with no outstanding requests (idle) or a client connection with a request that has remained outstanding (hung) for longer than this number of seconds\&.
+.sp
+Default:
+\fI\fIwinbind request timeout\fR\fR\fI = \fR\fI60\fR\fI \fR
 .RE
 …
 Default:
 \fI\fIwinbind rpc only\fR\fR\fI = \fR\fIno\fR\fI \fR
+.RE
+winbind sealed pipes (G)
+.\" winbind sealed pipes
+.PP
+.RS 4
+This option controls whether any requests from winbindd to domain controllers pipe will be sealed\&. Disabling sealing can be useful for debugging purposes\&.
+.sp
+The behavior can be controlled per netbios domain by using \*(Aqwinbind sealed pipes:NETBIOSDOMAIN = no\*(Aq as option\&.
+.sp
+Default:
+\fI\fIwinbind sealed pipes\fR\fR\fI = \fR\fIyes\fR\fI \fR
 .RE
 …
 .sp
 Default:
 \fI\fIwinbind separator\fR\fR\fI = \fR\fI\*(Aq\e\*(Aq\fR\fI \fR
+\fI\fIwinbind separator\fR\fR\fI = \fR\fI\e\fR\fI \fR
 .sp
 Example:
 …
 .RE
+write ok
+.\" write ok
+.PP
+.RS 4
+This parameter is a synonym for
+writeable\&.
+.RE
 writeable (S)
 .\" writeable
 …
 The integer parameter specifies the size of this cache (per oplocked file) in bytes\&.
 .sp
+Note that the write cache won\*(Aqt be used for file handles with a smb2 write lease\&.
+.sp
 Default:
 \fI\fIwrite cache size\fR\fR\fI = \fR\fI0\fR\fI \fR
 …
 Note that if a user is in both the read list and the write list then they will be given write access\&.
 .sp
-By design, this parameter will not work with the
-\m[blue]\fBsecurity = share\fR\m[]
-in Samba 3\&.0\&.
-.sp
 Default:
 \fI\fIwrite list\fR\fR\fI = \fR\fI\fR\fI \fR
 …
 .PP
 .RS 4
+This parameter controls whether or not the server will support raw write SMB\*(Aqs when transferring data from clients\&. You should never need to change this parameter\&.
+This is ignored if
+\m[blue]\fBasync smb echo handler\fR\m[]
+is set, because this feature is incompatible with raw write SMB requests
+.sp
+If enabled, raw writes allow writes of 65535 bytes in one packet\&. This typically provides a major performance benefit for some very, very old clients\&.
+.sp
+However, some clients either negotiate the allowable block size incorrectly or are incapable of supporting larger block sizes, and for these clients you may need to disable raw writes\&.
+.sp
+In general this parameter should be viewed as a system tuning tool and left severely alone\&.
 .sp
 Default:
 …
 .SH "VERSION"
 .PP
 This man page is correct for version 3 of the Samba suite\&.
+This man page is correct for version 4 of the Samba suite\&.
 .SH "SEE ALSO"
 .PP
 \fBsamba\fR(7),
 \fBsmbpasswd\fR(8),
-\fBswat\fR(8),
 \fBsmbd\fR(8),
 \fBnmbd\fR(8),
+\fBwinbindd\fR(8),
+\fBsamba\fR(8),
+\fBsamba-tool\fR(8),
 \fBsmbclient\fR(1),
 \fBnmblookup\fR(1),
+\fBtestparm\fR(1),
+\fBtestprns\fR(1)\&.
+\fBtestparm\fR(1)\&.
 .SH "AUTHOR"
 .PP

vendor/current/docs/manpages/smbcacls.1

-              r860
+              r988
 .\"     Title: smbcacls
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/>
 .\"      Date: 09/18/2013
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 05/02/2016
 .\"    Manual: User Commands
 .\"    Source: Samba 3.6
+.\"    Source: Samba 4.4
 .\"  Language: English
 .\"
 .TH "SMBCACLS" "1" "09/18/2013" "Samba 3\&.6" "User Commands"
+.TH "SMBCACLS" "1" "05/02/2016" "Samba 4\&.4" "User Commands"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 …
 .SH "SYNOPSIS"
 .HP \w'\ 'u
 smbcacls {//server/share} {/filename} [\-D|\-\-delete\ acls] [\-M|\-\-modify\ acls] [\-a|\-\-add\ acls] [\-S|\-\-set\ acls] [\-C|\-\-chown\ name] [\-G|\-\-chgrp\ name] [\-I\ allow|romove|copy] [\-\-numeric] [\-t] [\-U\ username] [\-h] [\-d]
+smbcacls {//server/share} {/filename} [\-D|\-\-delete\ acl] [\-M|\-\-modify\ acl] [\-a|\-\-add\ acl] [\-S|\-\-set\ acl] [\-C|\-\-chown\ name] [\-G|\-\-chgrp\ name] [\-I\ allow|remove|copy] [\-\-numeric] [\-t] [\-U\ username] [\-d] [\-e] [\-m|\-\-max\-protocol\ LEVEL] [\-\-query\-security\-info\ FLAGS] [\-\-set\-security\-info\ FLAGS] [\-\-sddl] [\-\-domain\-sid\ SID]
 .SH "DESCRIPTION"
 .PP
 …
 The
 smbcacls
 program manipulates NT Access Control Lists (ACLs) on SMB file shares\&.
+program manipulates NT Access Control Lists (ACLs) on SMB file shares\&. An ACL is comprised zero or more Access Control Entries (ACEs), which define access restrictions for a specific user or group\&.
 .SH "OPTIONS"
 .PP
 …
 program\&. The format of ACLs is described in the section ACL FORMAT
 .PP
 \-a|\-\-add acls
 .RS 4
 Add the ACLs specified to the ACL list\&. Existing access control entries are unchanged\&.
 .RE
 .PP
 \-M|\-\-modify acls
 .RS 4
 Modify the mask value (permissions) for the ACLs specified on the command line\&. An error will be printed for each ACL specified that was not already present in the ACL list
 .RE
 .PP
 \-D|\-\-delete acls
 .RS 4
 Delete any ACLs specified on the command line\&. An error will be printed for each ACL specified that was not already present in the ACL list\&.
 .RE
 .PP
 \-S|\-\-set acls
 .RS 4
 This command sets the ACLs on the file with only the ones specified on the command line\&. All other ACLs are erased\&. Note that the ACL specified must contain at least a revision, type, owner and group for the call to succeed\&.
+\-a|\-\-add acl
+.RS 4
+Add the entries specified to the ACL\&. Existing access control entries are unchanged\&.
+.RE
+.PP
+\-M|\-\-modify acl
+.RS 4
+Modify the mask value (permissions) for the ACEs specified on the command line\&. An error will be printed for each ACE specified that was not already present in the object\*(Aqs ACL\&.
+.RE
+.PP
+\-D|\-\-delete acl
+.RS 4
+Delete any ACEs specified on the command line\&. An error will be printed for each ACE specified that was not already present in the object\*(Aqs ACL\&.
+.RE
+.PP
+\-S|\-\-set acl
+.RS 4
+This command sets the ACL on the object with only what is specified on the command line\&. Any existing ACL is erased\&. Note that the ACL specified must contain at least a revision, type, owner and group for the call to succeed\&.
 .RE
 .PP
 …
 .RE
 .PP
+\-m|\-\-max\-protocol PROTOCOL_NAME
+.RS 4
+This allows the user to select the highest SMB protocol level that smbcacls will use to connect to the server\&. By default this is set to NT1, which is the highest available SMB1 protocol\&. To connect using SMB2 or SMB3 protocol, use the strings SMB2 or SMB3 respectively\&. Note that to connect to a Windows 2012 server with encrypted transport selecting a max\-protocol of SMB3 is required\&.
+.RE
+.PP
 \-t|\-\-test\-args
 .RS 4
 …
 .RE
 .PP
+\-h|\-\-help
+.RS 4
+Print a summary of command line options\&.
+.RE
+.PP
+\-d|\-\-debuglevel=level
+.RS 4
+\fIlevel\fR
+is an integer from 0 to 10\&. The default value if this parameter is not specified is 0\&.
+.sp
+The higher this value, the more detail will be logged to the log files about the activities of the server\&. At level 0, only critical errors and serious warnings will be logged\&. Level 1 is a reasonable level for day\-to\-day running \- it generates a small amount of information about operations carried out\&.
+.sp
+Levels above 1 will generate considerable amounts of log data, and should only be used when investigating a problem\&. Levels above 3 are designed for use only by developers and generate HUGE amounts of log data, most of which is extremely cryptic\&.
+.sp
+Note that specifying this parameter here will override the
+\m[blue]\fBlog level\fR\m[]
+parameter in the
+smb\&.conf
+file\&.
+.RE
+.PP
+\-V|\-\-version
+.RS 4
+Prints the program version number\&.
+.RE
+.PP
+\-s|\-\-configfile <configuration file>
+.RS 4
+The file specified contains the configuration details required by the server\&. The information in this file includes server\-specific information such as what printcap file to use, as well as descriptions of all the services that the server is to provide\&. See
+smb\&.conf
+for more information\&. The default configuration file name is determined at compile time\&.
+.RE
+.PP
+\-l|\-\-log\-basename=logdirectory
+.RS 4
+Base directory name for log/debug files\&. The extension
+\fB"\&.progname"\fR
+will be appended (e\&.g\&. log\&.smbclient, log\&.smbd, etc\&.\&.\&.)\&. The log file is never removed by the client\&.
+.RE
+.PP
+\-N|\-\-no\-pass
+.RS 4
+If specified, this parameter suppresses the normal password prompt from the client to the user\&. This is useful when accessing a service that does not require a password\&.
+.sp
+Unless a password is specified on the command line or this parameter is specified, the client will request a password\&.
+.sp
+If a password is specified on the command line and this option is also defined the password on the command line will be silently ingnored and no password will be used\&.
+.RE
+.PP
+\-k|\-\-kerberos
+.RS 4
+Try to authenticate with kerberos\&. Only useful in an Active Directory environment\&.
+.RE
+.PP
+\-C|\-\-use\-ccache
+.RS 4
+Try to use the credentials cached by winbind\&.
+.RE
+.PP
+\-A|\-\-authentication\-file=filename
+.RS 4
+This option allows you to specify a file from which to read the username and password used in the connection\&. The format of the file is
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+username = <value>
+password = <value>
+domain   = <value>
+.fi
+.if n \{\
+.RE
+.\}
+.sp
+Make certain that the permissions on the file restrict access from unwanted users\&.
+.RE
+.PP
+\-U|\-\-user=username[%password]
+.RS 4
+Sets the SMB username or username and password\&.
+.sp
+If %password is not specified, the user will be prompted\&. The client will first check the
+\fBUSER\fR
+environment variable, then the
+\fBLOGNAME\fR
+variable and if either exists, the string is uppercased\&. If these environmental variables are not found, the username
+\fBGUEST\fR
+is used\&.
+.sp
+A third option is to use a credentials file which contains the plaintext of the username and password\&. This option is mainly provided for scripts where the admin does not wish to pass the credentials on the command line or via environment variables\&. If this method is used, make certain that the permissions on the file restrict access from unwanted users\&. See the
+\fI\-A\fR
+for more details\&.
+.sp
+Be cautious about including passwords in scripts\&. Also, on many systems the command line of a running process may be seen via the
+ps
+command\&. To be safe always allow
+rpcclient
+to prompt for a password and type it in directly\&.
+\-\-query\-security\-info FLAGS
+.RS 4
+The security\-info flags for queries\&.
+.RE
+.PP
+\-\-set\-security\-info FLAGS
+.RS 4
+The security\-info flags for queries\&.
+.RE
+.PP
+\-\-sddl
+.RS 4
+Output and input acls in sddl format\&.
+.RE
+.PP
+\-\-domain\-sid SID
+.RS 4
+SID used for sddl processing\&.
 .RE
 .SH "ACL FORMAT"
 .PP
 The format of an ACL is one or more ACL entries separated by either commas or newlines\&. An ACL entry is one of the following:
+The format of an ACL is one or more entries separated by either commas or newlines\&. An ACL entry is one of the following:
 .PP
 .if n \{\
 …
 The owner and group specify the owner and group sids for the object\&. If a SID in the format S\-1\-x\-y\-z is specified this is used, otherwise the name specified is resolved using the server on which the file or directory resides\&.
 .PP
 ACLs specify permissions granted to the SID\&. This SID again can be specified in S\-1\-x\-y\-z format or as a name in which case it is resolved against the server on which the file or directory resides\&. The type, flags and mask values determine the type of access granted to the SID\&.
 .PP
 The type can be either ALLOWED or DENIED to allow/deny access to the SID\&. The flags values are generally zero for file ACLs and either 9 or 2 for directory ACLs\&. Some common flags are:
+ACEs are specified with an "ACL:" prefix, and define permissions granted to an SID\&. The SID again can be specified in S\-1\-x\-y\-z format or as a name in which case it is resolved against the server on which the file or directory resides\&. The type, flags and mask values determine the type of access granted to the SID\&.
+.PP
+The type can be either ALLOWED or DENIED to allow/deny access to the SID\&. The flags values are generally zero for file ACEs and either 9 or 2 for directory ACEs\&. Some common flags are:
 .sp
 .RS 4
 …
 .RE
 .PP
 At present flags can only be specified as decimal or hexadecimal values\&.
+At present, flags can only be specified as decimal or hexadecimal values\&.
 .PP
 The mask is a value which expresses the access right granted to the SID\&. It can be given as a decimal or hexadecimal value, or by using one of the following text strings which map to the NT file permissions of the same name\&.
 …
 .SH "VERSION"
 .PP
 This man page is correct for version 3 of the Samba suite\&.
+This man page is correct for version 4 of the Samba suite\&.
 .SH "AUTHOR"
 .PP

vendor/current/docs/manpages/smbclient.1

-              r860
+              r988
 .\"     Title: smbclient
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/>
 .\"      Date: 09/18/2013
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 05/02/2016
 .\"    Manual: User Commands
 .\"    Source: Samba 3.6
+.\"    Source: Samba 4.4
 .\"  Language: English
 .\"
 .TH "SMBCLIENT" "1" "09/18/2013" "Samba 3\&.6" "User Commands"
+.TH "SMBCLIENT" "1" "05/02/2016" "Samba 4\&.4" "User Commands"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 …
 .SH "SYNOPSIS"
 .HP \w'\ 'u
 smbclient [\-b\ <buffer\ size>] [\-d\ debuglevel] [\-e] [\-L\ <netbios\ name>] [\-U\ username] [\-I\ destinationIP] [\-M\ <netbios\ name>] [\-m\ maxprotocol] [\-A\ authfile] [\-N] [\-C] [\-g] [\-i\ scope] [\-O\ <socket\ options>] [\-p\ port] [\-R\ <name\ resolve\ order>] [\-s\ <smb\ config\ file>] [\-k] [\-P] [\-c\ <command>]
+smbclient [\-b\ <buffer\ size>] [\-d\ debuglevel] [\-e] [\-L\ <netbios\ name>] [\-U\ username] [\-I\ destinationIP] [\-M\ <netbios\ name>] [\-m\ maxprotocol] [\-A\ authfile] [\-N] [\-C] [\-g] [\-i\ scope] [\-O\ <socket\ options>] [\-p\ port] [\-R\ <name\ resolve\ order>] [\-s\ <smb\ config\ file>] [\-t\ <per\-operation\ timeout\ in\ seconds>] [\-k] [\-P] [\-c\ <command>]
 .HP \w'\ 'u
 smbclient {servicename} [password] [\-b\ <buffer\ size>] [\-d\ debuglevel] [\-e] [\-D\ Directory] [\-U\ username] [\-W\ workgroup] [\-M\ <netbios\ name>] [\-m\ maxprotocol] [\-A\ authfile] [\-N] [\-C] [\-g] [\-l\ log\-basename] [\-I\ destinationIP] [\-E] [\-c\ <command\ string>] [\-i\ scope] [\-O\ <socket\ options>] [\-p\ port] [\-R\ <name\ resolve\ order>] [\-s\ <smb\ config\ file>] [\-T<c|x>IXFqgbNan] [\-k]
+smbclient {servicename} [password] [\-b\ <buffer\ size>] [\-d\ debuglevel] [\-e] [\-D\ Directory] [\-U\ username] [\-W\ workgroup] [\-M\ <netbios\ name>] [\-m\ maxprotocol] [\-A\ authfile] [\-N] [\-C] [\-g] [\-l\ log\-basename] [\-I\ destinationIP] [\-E] [\-c\ <command\ string>] [\-i\ scope] [\-O\ <socket\ options>] [\-p\ port] [\-R\ <name\ resolve\ order>] [\-s\ <smb\ config\ file>] [\-t\ <per\-operation\ timeout\ in\ seconds>] [\-T<c|x>IXFqgbNan] [\-k]
 .SH "DESCRIPTION"
 .PP
 …
 \-m|\-\-max\-protocol protocol
 .RS 4
 This parameter sets the maximum protocol version announced by the client\&.
+This allows the user to select the highest SMB protocol level that smbclient will use to connect to the server\&. By default this is set to NT1, which is the highest available SMB1 protocol\&. To connect using SMB2 or SMB3 protocol, use the strings SMB2 or SMB3 respectively\&. Note that to connect to a Windows 2012 server with encrypted transport selecting a max\-protocol of SMB3 is required\&.
 .RE
 .PP
 …
 .RS 4
 Make queries to the external server using the machine account of the local server\&.
-.RE
-.PP
-\-h|\-\-help
-.RS 4
-Print a summary of command line options\&.
 .RE
 .PP
 …
 \-b|\-\-send\-buffer buffersize
 .RS 4
+This option changes the transmit/send buffer size when getting or putting a file from/to the server\&. The default is 65520 bytes\&. Setting this value smaller (to 1200 bytes) has been observed to speed up file transfers to and from a Win9x server\&.
+.RE
+.PP
+\-e|\-\-encrypt
+.RS 4
+This command line parameter requires the remote server support the UNIX extensions\&. Request that the connection be encrypted\&. This is new for Samba 3\&.2 and will only work with Samba 3\&.2 or above servers\&. Negotiates SMB encryption using GSSAPI\&. Uses the given credentials for the encryption negotiation (either kerberos or NTLMv1/v2 if given domain/username/password triple\&. Fails the connection if encryption cannot be negotiated\&.
+.RE
+.PP
+\-d|\-\-debuglevel=level
+.RS 4
+\fIlevel\fR
+is an integer from 0 to 10\&. The default value if this parameter is not specified is 1\&.
+.sp
+The higher this value, the more detail will be logged to the log files about the activities of the server\&. At level 0, only critical errors and serious warnings will be logged\&. Level 1 is a reasonable level for day\-to\-day running \- it generates a small amount of information about operations carried out\&.
+.sp
+Levels above 1 will generate considerable amounts of log data, and should only be used when investigating a problem\&. Levels above 3 are designed for use only by developers and generate HUGE amounts of log data, most of which is extremely cryptic\&.
+.sp
+Note that specifying this parameter here will override the
+\m[blue]\fBlog level\fR\m[]
+parameter in the
+smb\&.conf
+file\&.
+.RE
+.PP
+\-V|\-\-version
+.RS 4
+Prints the program version number\&.
+.RE
+.PP
+\-s|\-\-configfile <configuration file>
+.RS 4
+The file specified contains the configuration details required by the server\&. The information in this file includes server\-specific information such as what printcap file to use, as well as descriptions of all the services that the server is to provide\&. See
+smb\&.conf
+for more information\&. The default configuration file name is determined at compile time\&.
+.RE
+.PP
+\-l|\-\-log\-basename=logdirectory
+.RS 4
+Base directory name for log/debug files\&. The extension
+\fB"\&.progname"\fR
+will be appended (e\&.g\&. log\&.smbclient, log\&.smbd, etc\&.\&.\&.)\&. The log file is never removed by the client\&.
+.RE
+.PP
+\-N|\-\-no\-pass
+.RS 4
+If specified, this parameter suppresses the normal password prompt from the client to the user\&. This is useful when accessing a service that does not require a password\&.
+.sp
+Unless a password is specified on the command line or this parameter is specified, the client will request a password\&.
+.sp
+If a password is specified on the command line and this option is also defined the password on the command line will be silently ingnored and no password will be used\&.
+.RE
+.PP
+\-k|\-\-kerberos
+.RS 4
+Try to authenticate with kerberos\&. Only useful in an Active Directory environment\&.
+.RE
+.PP
+\-C|\-\-use\-ccache
+.RS 4
+Try to use the credentials cached by winbind\&.
+.RE
+.PP
+\-A|\-\-authentication\-file=filename
+.RS 4
+This option allows you to specify a file from which to read the username and password used in the connection\&. The format of the file is
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+username = <value>
+password = <value>
+domain   = <value>
+.fi
+.if n \{\
+.RE
+.\}
+.sp
+Make certain that the permissions on the file restrict access from unwanted users\&.
+.RE
+.PP
+\-U|\-\-user=username[%password]
+.RS 4
+Sets the SMB username or username and password\&.
+.sp
+If %password is not specified, the user will be prompted\&. The client will first check the
+\fBUSER\fR
+environment variable, then the
+\fBLOGNAME\fR
+variable and if either exists, the string is uppercased\&. If these environmental variables are not found, the username
+\fBGUEST\fR
+is used\&.
+.sp
+A third option is to use a credentials file which contains the plaintext of the username and password\&. This option is mainly provided for scripts where the admin does not wish to pass the credentials on the command line or via environment variables\&. If this method is used, make certain that the permissions on the file restrict access from unwanted users\&. See the
+\fI\-A\fR
+for more details\&.
+.sp
+Be cautious about including passwords in scripts\&. Also, on many systems the command line of a running process may be seen via the
+ps
+command\&. To be safe always allow
+rpcclient
+to prompt for a password and type it in directly\&.
+.RE
+.PP
+\-n|\-\-netbiosname <primary NetBIOS name>
+.RS 4
+This option allows you to override the NetBIOS name that Samba uses for itself\&. This is identical to setting the
+\m[blue]\fBnetbios name\fR\m[]
+parameter in the
+smb\&.conf
+file\&. However, a command line setting will take precedence over settings in
+smb\&.conf\&.
+.RE
+.PP
+\-i|\-\-scope <scope>
+.RS 4
+This specifies a NetBIOS scope that
+nmblookup
+will use to communicate with when generating NetBIOS names\&. For details on the use of NetBIOS scopes, see rfc1001\&.txt and rfc1002\&.txt\&. NetBIOS scopes are
+\fIvery\fR
+rarely used, only set this parameter if you are the system administrator in charge of all the NetBIOS systems you communicate with\&.
+.RE
+.PP
+\-W|\-\-workgroup=domain
+.RS 4
+Set the SMB domain of the username\&. This overrides the default domain which is the domain defined in smb\&.conf\&. If the domain specified is the same as the servers NetBIOS name, it causes the client to log on using the servers local SAM (as opposed to the Domain SAM)\&.
+.RE
+.PP
+\-O|\-\-socket\-options socket options
+.RS 4
+TCP socket options to set on the client socket\&. See the socket options parameter in the
+smb\&.conf
+manual page for the list of valid options\&.
+When sending or receiving files, smbclient uses an internal buffer sized by the maximum number of allowed requests to the connected server\&. This command allows this size to be set to any range between 0 (which means use the default server controlled size) bytes and 16776960 (0xFFFF00) bytes\&. Using the server controlled size is the most efficient as smbclient will pipeline as many simultaneous reads or writes needed to keep the server as busy as possible\&. Setting this to any other size will slow down the transfer\&. This can also be set using the
+iosize
+command inside smbclient\&.
+.RE
+.PP
+\-B|\-\-browse
+.RS 4
+Browse SMB servers using DNS\&.
+.RE
+.PP
+\-t|\-\-timeout <timeout\-seconds>
+.RS 4
+This allows the user to tune the default timeout used for each SMB request\&. The default setting is 20 seconds\&. Increase it if requests to the server sometimes time out\&. This can happen when SMB3 encryption is selected and smbclient is overwhelming the server with requests\&. This can also be set using the
+timeout
+command inside smbclient\&.
 .RE
 .PP
 …
 smbclient may be used to create
 tar(1)
 compatible backups of all the files on an SMB/CIFS share\&. The secondary tar flags that can be given to this option are :
+compatible backups of all the files on an SMB/CIFS share\&. The secondary tar flags that can be given to this option are:
 .sp
 .RS 4
 …
 .\}
 \fIc\fR
 \- Create a tar file on UNIX\&. Must be followed by the name of a tar file, tape device or "\-" for standard output\&. If using standard output you must turn the log level to its lowest value \-d0 to avoid corrupting your tar file\&. This flag is mutually exclusive with the
+\- Create a tar backup archive on the local system\&. Must be followed by the name of a tar file, tape device or "\-" for standard output\&. If using standard output you must turn the log level to its lowest value \-d0 to avoid corrupting your tar file\&. This flag is mutually exclusive with the
 \fIx\fR
 flag\&.
 …
 .\}
 \fIX\fR
 \- Exclude files and directories\&. Causes files to be excluded from an extract or create\&. See example below\&. Filename globbing works in one of two ways now\&. See
+\- Exclude files and directories\&. Causes files to be excluded from an extract or create\&. See example below\&. Filename globbing works in one of two ways\&. See
 \fIr\fR
 below\&.
 …
 .\}
 \fIb\fR
 \- Blocksize\&. Must be followed by a valid (greater than zero) blocksize\&. Causes tar file to be written out in blocksize*TBLOCK (usually 512 byte) blocks\&.
+\- Blocksize\&. Must be followed by a valid (greater than zero) blocksize\&. Causes tar file to be written out in blocksize*TBLOCK (512 byte) blocks\&.
 .RE
 .sp
 …
 .\}
 \fIr\fR
 \- Regular expression include or exclude\&. Uses regular expression matching for excluding or excluding files if compiled with HAVE_REGEX_H\&. However this mode can be very slow\&. If not compiled with HAVE_REGEX_H, does a limited wildcard match on \*(Aq*\*(Aq and \*(Aq?\*(Aq\&.
+\- Use wildcard matching to include or exclude\&. Deprecated\&.
 .RE
 .sp
 …
 Create the same tar file as above, but now use a DOS path name\&.
 .sp
 smbclient //mypc/myshare "" \-N \-tc backup\&.tar users\eedocs
+smbclient //mypc/myshare "" \-N \-Tc backup\&.tar users\eedocs
 .sp
 Create a tar file of the files listed in the file
 …
 .RS 4
 Sets the archive level when operating on files\&. 0 means ignore the archive bit, 1 means only operate on files with this bit set, 2 means only operate on files with this bit set and reset it after operation, 3 means operate on all files and reset it after operation\&. The default is 0\&.
+.RE
+.PP
+backup
+.RS 4
+Toggle the state of the "backup intent" flag sent to the server on directory listings and file opens\&. If the "backup intent" flag is true, the server will try and bypass some file system checks if the user has been granted SE_BACKUP or SE_RESTORE privileges\&. This state is useful when performing a backup or restore operation\&.
 .RE
 .PP
 …
 iosize <bytes>
 .RS 4
 When sending or receiving files, smbclient uses an internal memory buffer by default of size 64512 bytes\&. This command allows this size to be set to any range between 16384 (0x4000) bytes and 16776960 (0xFFFF00) bytes\&. Larger sizes may mean more efficient data transfer as smbclient will try and use the most efficient read and write calls for the connected server\&.
+When sending or receiving files, smbclient uses an internal buffer sized by the maximum number of allowed requests to the connected server\&. This command allows this size to be set to any range between 0 (which means use the default server controlled size) bytes and 16776960 (0xFFFF00) bytes\&. Using the server controlled size is the most efficient as smbclient will pipeline as many simultaneous reads or writes needed to keep the server as busy as possible\&. Setting this to any other size will slow down the transfer\&.
 .RE
 .PP
 …
 .RS 4
 Establishes a new vuid for this session by logging on again\&. Replaces the current vuid\&. Prints out the new vuid\&. Used for internal Samba testing purposes\&.
+.RE
+.PP
+logoff
+.RS 4
+Logs the user off the server, closing the session\&. Used for internal Samba testing purposes\&.
 .RE
 .PP
 …
 smbclient
 are binary\&.
+.RE
+.PP
+notify <dir name>
+.RS 4
+Query a directory for change notifications\&. This command issues a recursive filechangenotify call for all possible changes\&. As changes come in will print one line per change\&. See
+https://msdn\&.microsoft\&.com/en\-us/library/dn392331\&.aspx
+for a description of the action numbers that this command prints\&.
+.sp
+This command never ends, it waits for event indefinitely\&.
 .RE
 .PP
 …
 .RE
 .PP
+scopy <source filename> <destination filename>
+.RS 4
+Attempt to copy a file on the server using the most efficient server\-side copy calls\&. Falls back to using read then write if server doesn\*(Aqt support server\-side copy\&.
+.RE
+.PP
 setmode <filename> <perm=[+|\e\-]rsha>
 .RS 4
 …
 .RS 4
 Performs a tar operation \- see the
 \fI\-T \fR
+\fI\-T\fR
 command line option above\&. Behavior may be affected by the tarmode command (see below)\&. Using g (incremental) and N (newer) will affect tarmode settings\&. Note that using the "\-" option with tar x may not work \- use the command line option instead\&.
 .RE
 …
 .RS 4
 Blocksize\&. Must be followed by a valid (greater than zero) blocksize\&. Causes tar file to be written out in
+\fIblocksize\fR*TBLOCK (usually 512 byte) blocks\&.
+.RE
+.PP
+tarmode <full|inc|reset|noreset>
+.RS 4
+Changes tar\*(Aqs behavior with regard to archive bits\&. In full mode, tar will back up everything regardless of the archive bit setting (this is the default mode)\&. In incremental mode, tar will only back up files with the archive bit set\&. In reset mode, tar will reset the archive bit on all files it backs up (implies read/write share)\&.
+\fIblocksize\fR*TBLOCK (512 byte) blocks\&.
+.RE
+.PP
+tarmode <full|inc|reset|noreset|system|nosystem|hidden|nohidden>
+.RS 4
+Changes tar\*(Aqs behavior with regard to DOS attributes\&. There are 4 modes which can be turned on or off\&.
+.sp
+Incremental mode (default off)\&. When off (using
+full) tar will back up everything regardless of the
+\fIarchive\fR
+bit setting\&. When on (using
+inc), tar will only back up files with the archive bit set\&.
+.sp
+Reset mode (default off)\&. When on (using
+reset), tar will remove the archive bit on all files it backs up (implies read/write share)\&. Use
+noreset
+to turn off\&.
+.sp
+System mode (default on)\&. When off, tar will not backup system files\&. Use
+nosystem
+to turn off\&.
+.sp
+Hidden mode (default on)\&. When off, tar will not backup hidden files\&. Use
+nohidden
+to turn off\&.
+.RE
+.PP
+timeout <per\-operation timeout in seconds>
+.RS 4
+This allows the user to tune the default timeout used for each SMB request\&. The default setting is 20 seconds\&. Increase it if requests to the server sometimes time out\&. This can happen when SMB3 encryption is selected and smbclient is overwhelming the server with requests\&.
 .RE
 .PP
 …
 .RS 4
 Changes the currently used vuid in the protocol to the given arbitrary number\&. Without an argument prints out the current vuid being used\&. Used for internal Samba testing purposes\&.
+.RE
+.PP
+tcon <sharename>
+.RS 4
+Establishes a new tree connect (connection to a share)\&. Replaces the current tree connect\&. Prints the new tid (tree id)\&. Used for internal Samba testing purposes\&.
+.RE
+.PP
+tdis
+.RS 4
+Close the current share connection (tree disconnect)\&. Used for internal Samba testing purposes\&.
+.RE
+.PP
+tid <number>
+.RS 4
+Changes the current tree id (tid) in the protocol to a new arbitrary number\&. Without an argument, it prints out the tid currently used\&. Used for internal Samba testing purposes\&.
 .RE
 .SH "NOTES"

vendor/current/docs/manpages/smbcontrol.1

-              r860
+              r988
 .\"     Title: smbcontrol
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/>
 .\"      Date: 09/18/2013
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 05/02/2016
 .\"    Manual: User Commands
 .\"    Source: Samba 3.6
+.\"    Source: Samba 4.4
 .\"  Language: English
 .\"
 .TH "SMBCONTROL" "1" "09/18/2013" "Samba 3\&.6" "User Commands"
+.TH "SMBCONTROL" "1" "05/02/2016" "Samba 4\&.4" "User Commands"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 …
 .SH "SYNOPSIS"
 .HP \w'\ 'u
 smbcontrol [\-i] [\-s]
+smbcontrol [\-s] [\-t|\-\-timeout]
 .HP \w'\ 'u
 smbcontrol [destination] [message\-type] [parameter]
 …
 .SH "OPTIONS"
 .PP
+\-h|\-\-help
+.RS 4
+Print a summary of command line options\&.
+.RE
+.PP
+\-s|\-\-configfile <configuration file>
+.RS 4
+The file specified contains the configuration details required by the server\&. The information in this file includes server\-specific information such as what printcap file to use, as well as descriptions of all the services that the server is to provide\&. See
+smb\&.conf
+for more information\&. The default configuration file name is determined at compile time\&.
+.RE
+.PP
+\-i
+.RS 4
+Run interactively\&. Individual commands of the form destination message\-type parameters can be entered on STDIN\&. An empty command line or a "q" will quit the program\&.
+\-t|\-\-timeout
+.RS 4
+Set timeout to seconds\&.
 .RE
 .PP
 …
 One of
 \fInmbd\fR,
+\fIsmbd\fR
+\fIsmbd\fR,
+\fIwinbindd\fR
 or a process ID\&.
 .sp
 …
 .RE
 .PP
+kill\-client\-ip
+.RS 4
+Order smbd to close the client connections from a given IP address\&. This message\-type takes an argument of the IP address from which client connections will be closed\&. This message can only be sent to
+\fBsmbd\fR\&.
+.RE
+.PP
 force\-election
 .RS 4
 …
 This message can only be sent to
 \fBsmbd\fR\&.
-.RE
-.PP
-samsync
-.RS 4
-Order smbd to synchronise sam database from PDC (being BDC)\&. Can only be sent to
-\fBsmbd\fR\&.
-.if n \{\
-.sp
-.\}
-.RS 4
-.it 1 an-trap
-.nr an-no-space-flag 1
-.nr an-break-flag 1
-.br
-.ps +1
-\fBNote\fR
-.ps -1
-.br
-Not working at the moment
-.sp .5v
-.RE
-.RE
-.PP
-samrepl
-.RS 4
-Send sam replication message, with specified serial\&. Can only be sent to
-\fBsmbd\fR\&. Should not be used manually\&.
 .RE
 .PP
 …
 .RE
 .PP
+reload\-printers
+.RS 4
+Force smbd to reload printers\&. Can only be sent to
+\fBsmbd\fR\&.
+.RE
+.PP
 idmap
 .RS 4
 …
 .RE
 .RE
+.PP
+num\-children
+.RS 4
+Query the number of smbd child processes\&. This message can only be sent to
+\fBsmbd\fR\&.
+.RE
 .SH "VERSION"
 .PP

vendor/current/docs/manpages/smbcquotas.1

-              r860
+              r988
 .\"     Title: smbcquotas
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/>
 .\"      Date: 09/18/2013
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 05/02/2016
 .\"    Manual: User Commands
 .\"    Source: Samba 3.6
+.\"    Source: Samba 4.4
 .\"  Language: English
 .\"
 .TH "SMBCQUOTAS" "1" "09/18/2013" "Samba 3\&.6" "User Commands"
+.TH "SMBCQUOTAS" "1" "05/02/2016" "Samba 4\&.4" "User Commands"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 …
 .SH "SYNOPSIS"
 .HP \w'\ 'u
 smbcquotas {//server/share} [\-u\ user] [\-L] [\-F] [\-S\ QUOTA_SET_COMMAND] [\-n] [\-t] [\-v] [\-d\ debuglevel] [\-s\ configfile] [\-l\ logdir] [\-V] [\-U\ username] [\-N] [\-k] [\-A]
+smbcquotas {//server/share} [\-u|\-\-user\ user] [\-L|\-\-list] [\-F|\-\-fs] [\-S|\-\-set\ QUOTA_SET_COMMAND] [\-n|\-\-numeric] [\-t|\-\-test\-args] [\-v|\-\-verbose] [\-d\ debuglevel] [\-s\ configfile] [\-l\ logdir] [\-V] [\-U\ username] [\-N] [\-k] [\-A]
 .SH "DESCRIPTION"
 .PP
 …
 program\&.
 .PP
 \-u user
+\-u|\-\-user user
 .RS 4
 Specifies the user of whom the quotas are get or set\&. By default the current user\*(Aqs username will be used\&.
 .RE
 .PP
 \-L
+\-L|\-\-list
 .RS 4
 Lists all quota records of the share\&.
 .RE
 .PP
 \-F
+\-F|\-\-fs
 .RS 4
 Show the share quota status and default limits\&.
 .RE
 .PP
 \-S QUOTA_SET_COMMAND
+\-S|\-\-set QUOTA_SET_COMMAND
 .RS 4
 This command sets/modifies quotas for a user or on the share, depending on the QUOTA_SET_COMMAND parameter which is described later\&.
 .RE
 .PP
 \-n
+\-n|\-\-numeric
 .RS 4
 This option displays all QUOTA information in numeric format\&. The default is to convert SIDs to names and QUOTA limits to a readable string format\&.
 .RE
 .PP
 \-t
+\-t|\-\-test\-args
 .RS 4
 Don\*(Aqt actually do anything, only validate the correctness of the arguments\&.
 .RE
 .PP
 \-v
+\-v|\-\-verbose
 .RS 4
 Be verbose\&.
-.RE
-.PP
-\-h|\-\-help
-.RS 4
-Print a summary of command line options\&.
-.RE
-.PP
-\-d|\-\-debuglevel=level
-.RS 4
-\fIlevel\fR
-is an integer from 0 to 10\&. The default value if this parameter is not specified is 0\&.
-.sp
-The higher this value, the more detail will be logged to the log files about the activities of the server\&. At level 0, only critical errors and serious warnings will be logged\&. Level 1 is a reasonable level for day\-to\-day running \- it generates a small amount of information about operations carried out\&.
-.sp
-Levels above 1 will generate considerable amounts of log data, and should only be used when investigating a problem\&. Levels above 3 are designed for use only by developers and generate HUGE amounts of log data, most of which is extremely cryptic\&.
-.sp
-Note that specifying this parameter here will override the
-\m[blue]\fBlog level\fR\m[]
-parameter in the
-smb\&.conf
-file\&.
-.RE
-.PP
-\-V|\-\-version
-.RS 4
-Prints the program version number\&.
-.RE
-.PP
-\-s|\-\-configfile <configuration file>
-.RS 4
-The file specified contains the configuration details required by the server\&. The information in this file includes server\-specific information such as what printcap file to use, as well as descriptions of all the services that the server is to provide\&. See
-smb\&.conf
-for more information\&. The default configuration file name is determined at compile time\&.
-.RE
-.PP
-\-l|\-\-log\-basename=logdirectory
-.RS 4
-Base directory name for log/debug files\&. The extension
-\fB"\&.progname"\fR
-will be appended (e\&.g\&. log\&.smbclient, log\&.smbd, etc\&.\&.\&.)\&. The log file is never removed by the client\&.
-.RE
-.PP
-\-N|\-\-no\-pass
-.RS 4
-If specified, this parameter suppresses the normal password prompt from the client to the user\&. This is useful when accessing a service that does not require a password\&.
-.sp
-Unless a password is specified on the command line or this parameter is specified, the client will request a password\&.
-.sp
-If a password is specified on the command line and this option is also defined the password on the command line will be silently ingnored and no password will be used\&.
-.RE
-.PP
-\-k|\-\-kerberos
-.RS 4
-Try to authenticate with kerberos\&. Only useful in an Active Directory environment\&.
-.RE
-.PP
-\-C|\-\-use\-ccache
-.RS 4
-Try to use the credentials cached by winbind\&.
-.RE
-.PP
-\-A|\-\-authentication\-file=filename
-.RS 4
-This option allows you to specify a file from which to read the username and password used in the connection\&. The format of the file is
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
-username = <value>
-password = <value>
-domain   = <value>
-.fi
-.if n \{\
-.RE
-.\}
-.sp
-Make certain that the permissions on the file restrict access from unwanted users\&.
-.RE
-.PP
-\-U|\-\-user=username[%password]
-.RS 4
-Sets the SMB username or username and password\&.
-.sp
-If %password is not specified, the user will be prompted\&. The client will first check the
-\fBUSER\fR
-environment variable, then the
-\fBLOGNAME\fR
-variable and if either exists, the string is uppercased\&. If these environmental variables are not found, the username
-\fBGUEST\fR
-is used\&.
-.sp
-A third option is to use a credentials file which contains the plaintext of the username and password\&. This option is mainly provided for scripts where the admin does not wish to pass the credentials on the command line or via environment variables\&. If this method is used, make certain that the permissions on the file restrict access from unwanted users\&. See the
-\fI\-A\fR
-for more details\&.
-.sp
-Be cautious about including passwords in scripts\&. Also, on many systems the command line of a running process may be seen via the
-ps
-command\&. To be safe always allow
-rpcclient
-to prompt for a password and type it in directly\&.
 .RE
 .SH "QUOTA_SET_COMMAND"

vendor/current/docs/manpages/smbd.8

-              r860
+              r988
 .\"     Title: smbd
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/>
 .\"      Date: 09/18/2013
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 05/02/2016
 .\"    Manual: System Administration tools
 .\"    Source: Samba 3.6
+.\"    Source: Samba 4.4
 .\"  Language: English
 .\"
 .TH "SMBD" "8" "09/18/2013" "Samba 3\&.6" "System Administration tools"
+.TH "SMBD" "8" "05/02/2016" "Samba 4\&.4" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 …
 .SH "SYNOPSIS"
 .HP \w'\ 'u
 smbd [\-D] [\-F] [\-S] [\-i] [\-h] [\-V] [\-b] [\-d\ <debug\ level>] [\-l\ <log\ directory>] [\-p\ <port\ number(s)>] [\-P\ <profiling\ level>] [\-O\ <socket\ option>] [\-s\ <configuration\ file>]
+smbd [\-D|\-\-daemon] [\-F|\-\-foreground] [\-S|\-\-log\-stdout] [\-i|\-\-interactive] [\-V] [\-b|\-\-build\-options] [\-d\ <debug\ level>] [\-l|\-\-log\-basename\ <log\ directory>] [\-p\ <port\ number(s)>] [\-P\ <profiling\ level>] [\-s\ <configuration\ file>] [\-\-no\-process\-group]
 .SH "DESCRIPTION"
 .PP
 …
 .SH "OPTIONS"
 .PP
 \-D
+\-D|\-\-daemon
 .RS 4
 If specified, this parameter causes the server to operate as a daemon\&. That is, it detaches itself and runs in the background, fielding requests on the appropriate port\&. Operating the server as a daemon is the recommended way of running
 …
 .RE
 .PP
 \-F
+\-F|\-\-foreground
 .RS 4
 If specified, this parameter causes the main
 …
 .RE
 .PP
 \-S
+\-S|\-\-log\-stdout
 .RS 4
 If specified, this parameter causes
 …
 .RE
 .PP
 \-i
+\-i|\-\-interactive
 .RS 4
 If this parameter is specified it causes the server to run "interactively", not as a daemon, even if the server is executed on the command line of a shell\&. Setting this parameter negates the implicit daemon mode when run from the command line\&.
 smbd
 also logs to standard output, as if the
+will only accept one connection and terminate\&. It will also log to standard output, as if the
 \-S
 parameter had been given\&.
 .RE
 .PP
+\-d|\-\-debuglevel=level
+.RS 4
+\fIlevel\fR
+is an integer from 0 to 10\&. The default value if this parameter is not specified is 0\&.
+.sp
+The higher this value, the more detail will be logged to the log files about the activities of the server\&. At level 0, only critical errors and serious warnings will be logged\&. Level 1 is a reasonable level for day\-to\-day running \- it generates a small amount of information about operations carried out\&.
+.sp
+Levels above 1 will generate considerable amounts of log data, and should only be used when investigating a problem\&. Levels above 3 are designed for use only by developers and generate HUGE amounts of log data, most of which is extremely cryptic\&.
+.sp
+Note that specifying this parameter here will override the
+\m[blue]\fBlog level\fR\m[]
+parameter in the
+smb\&.conf
+file\&.
+.RE
+.PP
+\-V|\-\-version
+.RS 4
+Prints the program version number\&.
+.RE
+.PP
+\-s|\-\-configfile <configuration file>
+.RS 4
+The file specified contains the configuration details required by the server\&. The information in this file includes server\-specific information such as what printcap file to use, as well as descriptions of all the services that the server is to provide\&. See
+smb\&.conf
+for more information\&. The default configuration file name is determined at compile time\&.
+.RE
+.PP
+\-l|\-\-log\-basename=logdirectory
+.RS 4
+Base directory name for log/debug files\&. The extension
+\fB"\&.progname"\fR
+will be appended (e\&.g\&. log\&.smbclient, log\&.smbd, etc\&.\&.\&.)\&. The log file is never removed by the client\&.
+.RE
+.PP
+\-h|\-\-help
+.RS 4
+Print a summary of command line options\&.
+.RE
+.PP
+\-b
+\-\-no\-process\-group
+.RS 4
+Do not create a new process group for smbd\&.
+.RE
+.PP
+\-b|\-\-build\-options
 .RS 4
 Prints information about how Samba was built\&.
 …
 \m[blue]\fBports\fR\m[]
 parameter in
-smb\&.conf
 .sp
 The default ports are 139 (used for SMB over NetBIOS over TCP) and port 445 (used for plain SMB over TCP)\&.
 …
 .PP
 Samba uses PAM for authentication (when presented with a plaintext password), for account checking (is this account disabled?) and for session management\&. The degree too which samba supports PAM is restricted by the limitations of the SMB protocol and the
+\m[blue]\fBobey pam restrictions\fR\m[]
+\fBsmb.conf\fR(5)
+\m[blue]\fBobey pam restrictions\fR\m[]\fBsmb.conf\fR(5)
 parameter\&. When this is set, the following restrictions apply:
 .sp
 …
 .RE
 .PP
+connections\&.tdb
+gencache\&.tdb
+.RS 4
+generic caching db
+.RE
+.PP
+group_mapping\&.tdb*
+.RS 4
+group mapping information
+.RE
+.PP
+locking\&.tdb
+.RS 4
+share modes & oplocks
+.RE
+.PP
+login_cache\&.tdb*
+.RS 4
+bad pw attempts
+.RE
+.PP
+messages\&.tdb
+.RS 4
+Samba messaging system
+.RE
+.PP
+netsamlogon_cache\&.tdb*
+.RS 4
+cache of user net_info_3 struct from net_samlogon() request (as a domain member)
+.RE
+.PP
+ntdrivers\&.tdb*
+.RS 4
+installed printer drivers
+.RE
+.PP
+ntforms\&.tdb*
+.RS 4
+installed printer forms
+.RE
+.PP
+ntprinters\&.tdb*
+.RS 4
+installed printer information
+.RE
+.PP
+printing/
+.RS 4
+directory containing tdb per print queue of cached lpq output
+.RE
+.PP
+registry\&.tdb
+.RS 4
+Windows registry skeleton (connect via regedit\&.exe)
+.RE
+.PP
+smbXsrv_session_global\&.tdb
+.RS 4
+session information (e\&.g\&. support for \*(Aqutmp = yes\*(Aq)
+.RE
+.PP
+smbXsrv_tcon_global\&.tdb
 .RS 4
 share connections (used to enforce max connections, etc\&.\&.\&.)
 .RE
 .PP
+gencache\&.tdb
+.RS 4
+generic caching db
+.RE
+.PP
+group_mapping\&.tdb*
+.RS 4
+group mapping information
+.RE
+.PP
+locking\&.tdb
+.RS 4
+share modes & oplocks
+.RE
+.PP
+login_cache\&.tdb*
+.RS 4
+bad pw attempts
+.RE
+.PP
+messages\&.tdb
+.RS 4
+Samba messaging system
+.RE
+.PP
+netsamlogon_cache\&.tdb*
+.RS 4
+cache of user net_info_3 struct from net_samlogon() request (as a domain member)
+.RE
+.PP
+ntdrivers\&.tdb*
+.RS 4
+installed printer drivers
+.RE
+.PP
+ntforms\&.tdb*
+.RS 4
+installed printer forms
+.RE
+.PP
+ntprinters\&.tdb*
+.RS 4
+installed printer information
+.RE
+.PP
+printing/
+.RS 4
+directory containing tdb per print queue of cached lpq output
+.RE
+.PP
+registry\&.tdb
+.RS 4
+Windows registry skeleton (connect via regedit\&.exe)
+.RE
+.PP
+sessionid\&.tdb
+.RS 4
+session information (e\&.g\&. support for \*(Aqutmp = yes\*(Aq)
+smbXsrv_open_global\&.tdb
+.RS 4
+open file handles (used durable handles, etc\&.\&.\&.)
 .RE
 .PP
 …
 smbd
 process it is recommended that
+SIGKILL (\-9)
+\fINOT\fR
+SIGKILL (\-9)\fINOT\fR
 be used, except as a last resort, as this may leave the shared memory area in an inconsistent state\&. The safe way to terminate an
 smbd
 …
 \fBsmb.conf\fR(5),
 \fBsmbclient\fR(1),
+\fBtestparm\fR(1),
+\fBtestprns\fR(1), and the Internet RFC\*(Aqs
+\fBtestparm\fR(1), and the Internet RFC\*(Aqs
 rfc1001\&.txt,
 rfc1002\&.txt\&. In addition the CIFS (formerly SMB) specification is available as a link from the Web page

vendor/current/docs/manpages/smbget.1

-              r860
+              r988
 .\"     Title: smbget
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/>
 .\"      Date: 09/18/2013
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 05/02/2016
 .\"    Manual: User Commands
 .\"    Source: Samba 3.6
+.\"    Source: Samba 4.4
 .\"  Language: English
 .\"
 .TH "SMBGET" "1" "09/18/2013" "Samba 3\&.6" "User Commands"
+.TH "SMBGET" "1" "05/02/2016" "Samba 4\&.4" "User Commands"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 …
 .SH "SYNOPSIS"
 .HP \w'\ 'u
 smbget [\-a,\ \-\-guest] [\-r,\ \-\-resume] [\-R,\ \-\-recursive] [\-u,\ \-\-username=STRING] [\-p,\ \-\-password=STRING] [\-w,\ \-\-workgroup=STRING] [\-n,\ \-\-nonprompt] [\-d,\ \-\-debuglevel=INT] [\-D,\ \-\-dots] [\-P,\ \-\-keep\-permissions] [\-o,\ \-\-outputfile] [\-f,\ \-\-rcfile] [\-q,\ \-\-quiet] [\-v,\ \-\-verbose] [\-b,\ \-\-blocksize] [\-O,\ \-\-stdout] [\-?,\ \-\-help] [\-\-usage] {smb://host/share/path/to/file} [smb://url2/] [\&.\&.\&.]
+smbget [\-a,\ \-\-guest] [\-r,\ \-\-resume] [\-R,\ \-\-recursive] [\-U,\ \-\-username=STRING] [\-w,\ \-\-workgroup=STRING] [\-n,\ \-\-nonprompt] [\-d,\ \-\-debuglevel=INT] [\-D,\ \-\-dots] [\-o,\ \-\-outputfile] [\-f,\ \-\-rcfile] [\-q,\ \-\-quiet] [\-v,\ \-\-verbose] [\-b,\ \-\-blocksize] [\-O,\ \-\-stdout] [\-u,\ \-\-update] [\-?,\ \-\-help] [\-\-usage] {smb://host/share/path/to/file} [smb://url2/] [\&.\&.\&.]
 .SH "DESCRIPTION"
 .PP
 …
 .RE
 .PP
 \-u, \-\-username=STRING
+\-U, \-\-username=\fIusername[%password]\fR
 .RS 4
+Username to use
+.RE
+.PP
+\-p, \-\-password=STRING
+.RS 4
+Password to use
+Username (and password) to use
 .RE
 .PP
 …
 .RS 4
 Show dots as progress indication
-.RE
-.PP
-\-P, \-\-keep\-permissions
-.RS 4
-Set same permissions on local file as are set on remote file\&.
 .RE
 .PP
 …
 .RS 4
 Display brief usage message
+.RE
+.PP
+\-u, \-\-update
+.RS 4
+Download only when remote file is newer than local file or local file is missing\&.
 .RE
 .SH "SMB URLS"

vendor/current/docs/manpages/smbgetrc.5

-              r860
+              r988
 .\"     Title: smbgetrc
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/>
 .\"      Date: 09/18/2013
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 05/02/2016
 .\"    Manual: File Formats and Conventions
 .\"    Source: Samba 3.6
+.\"    Source: Samba 4.4
 .\"  Language: English
 .\"
 .TH "SMBGETRC" "5" "09/18/2013" "Samba 3\&.6" "File Formats and Conventions"
+.TH "SMBGETRC" "5" "05/02/2016" "Samba 4\&.4" "File Formats and Conventions"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 …
 .RE
 .PP
 username \fIname\fR
+user \fIname[%password]\fR
 .RS 4
+Username to use when logging in to the remote server\&. Use an empty string for anonymous access\&.
+.RE
+.PP
+password \fIpass\fR
+.RS 4
+Password to use when logging in\&.
+Username (and password) to use when logging in to the remote server\&. Use an empty string for anonymous access\&.
 .RE
 .PP

vendor/current/docs/manpages/smbpasswd.5

-              r860
+              r988
 .\"     Title: smbpasswd
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/>
 .\"      Date: 09/18/2013
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 05/02/2016
 .\"    Manual: File Formats and Conventions
 .\"    Source: Samba 3.6
+.\"    Source: Samba 4.4
 .\"  Language: English
 .\"
 .TH "SMBPASSWD" "5" "09/18/2013" "Samba 3\&.6" "File Formats and Conventions"
+.TH "SMBPASSWD" "5" "05/02/2016" "Samba 4\&.4" "File Formats and Conventions"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 …
 The format of the smbpasswd file used by Samba 2\&.2 is very similar to the familiar Unix
 passwd(5)
 file\&. It is an ASCII file containing one line for each user\&. Each field ithin each line is separated from the next by a colon\&. Any entry beginning with \*(Aq#\*(Aq is ignored\&. The smbpasswd file contains the following information for each user:
+file\&. It is an ASCII file containing one line for each user\&. Each field within each line is separated from the next by a colon\&. Any entry beginning with \*(Aq#\*(Aq is ignored\&. The smbpasswd file contains the following information for each user:
 .PP
 name

vendor/current/docs/manpages/smbpasswd.8

-              r860
+              r988
 .\"     Title: smbpasswd
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/>
 .\"      Date: 09/18/2013
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 05/02/2016
 .\"    Manual: System Administration tools
 .\"    Source: Samba 3.6
+.\"    Source: Samba 4.4
 .\"  Language: English
 .\"
 .TH "SMBPASSWD" "8" "09/18/2013" "Samba 3\&.6" "System Administration tools"
+.TH "SMBPASSWD" "8" "05/02/2016" "Samba 4\&.4" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 …
 \-c
 .RS 4
+This option can be used to specify the path and file name of the
+smb\&.conf
+configuration file when it is important to use other than the default file and / or location\&.
+This option can be used to specify the path and file name of the configuration file when it is important to use other than the default file and / or location\&.
 .RE
 .PP

vendor/current/docs/manpages/smbspool.8

-              r860
+              r988
 .\"     Title: smbspool
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/>
 .\"      Date: 09/18/2013
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 05/02/2016
 .\"    Manual: System Administration tools
 .\"    Source: Samba 3.6
+.\"    Source: Samba 4.4
 .\"  Language: English
 .\"
 .TH "SMBSPOOL" "8" "09/18/2013" "Samba 3\&.6" "System Administration tools"
+.TH "SMBSPOOL" "8" "05/02/2016" "Samba 4\&.4" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 …
 .IP \(bu 2.3
 .\}
+smb://domain\eusername:password@server[:port]/printer
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
 smb://username:password@workgroup/server[:port]/printer
 .RE
 …
 \fBDEVICE_URI\fR
 environment variable prior to running smbspool\&.
+.PP
+smbspool will accept URI escaped characters\&. This allows setting a domain in the username, or space in the printer name\&. For example smb://domain%5Cusername/printer%20name
 .SH "OPTIONS"
 .sp

vendor/current/docs/manpages/smbstatus.1

-              r860
+              r988
 .\"     Title: smbstatus
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/>
 .\"      Date: 09/18/2013
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 05/02/2016
 .\"    Manual: User Commands
 .\"    Source: Samba 3.6
+.\"    Source: Samba 4.4
 .\"  Language: English
 .\"
 .TH "SMBSTATUS" "1" "09/18/2013" "Samba 3\&.6" "User Commands"
+.TH "SMBSTATUS" "1" "05/02/2016" "Samba 4\&.4" "User Commands"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 …
 .SH "SYNOPSIS"
 .HP \w'\ 'u
 smbstatus [\-P] [\-b] [\-d\ <debug\ level>] [\-v] [\-L] [\-B] [\-p] [\-S] [\-s\ <configuration\ file>] [\-u\ <username>]
+smbstatus [\-P] [\-b] [\-d\ <debug\ level>] [\-v] [\-L] [\-B] [\-p] [\-S] [\-N] [\-f] [\-s\ <configuration\ file>] [\-u\ <username>] [\-n|\-\-numeric] [\-R|\-\-profile\-rates]
 .SH "DESCRIPTION"
 .PP
 …
 .RE
 .PP
+\-R|\-\-profile\-rates
+.RS 4
+If samba has been compiled with the profiling option, print the contents of the profiling shared memory area and the call rates\&.
+.RE
+.PP
 \-b|\-\-brief
 .RS 4
 gives brief output\&.
-.RE
-.PP
-\-d|\-\-debuglevel=level
-.RS 4
-\fIlevel\fR
-is an integer from 0 to 10\&. The default value if this parameter is not specified is 0\&.
-.sp
-The higher this value, the more detail will be logged to the log files about the activities of the server\&. At level 0, only critical errors and serious warnings will be logged\&. Level 1 is a reasonable level for day\-to\-day running \- it generates a small amount of information about operations carried out\&.
-.sp
-Levels above 1 will generate considerable amounts of log data, and should only be used when investigating a problem\&. Levels above 3 are designed for use only by developers and generate HUGE amounts of log data, most of which is extremely cryptic\&.
-.sp
-Note that specifying this parameter here will override the
-\m[blue]\fBlog level\fR\m[]
-parameter in the
-smb\&.conf
-file\&.
-.RE
-.PP
-\-V|\-\-version
-.RS 4
-Prints the program version number\&.
-.RE
-.PP
-\-s|\-\-configfile <configuration file>
-.RS 4
-The file specified contains the configuration details required by the server\&. The information in this file includes server\-specific information such as what printcap file to use, as well as descriptions of all the services that the server is to provide\&. See
-smb\&.conf
-for more information\&. The default configuration file name is determined at compile time\&.
-.RE
-.PP
-\-l|\-\-log\-basename=logdirectory
-.RS 4
-Base directory name for log/debug files\&. The extension
-\fB"\&.progname"\fR
-will be appended (e\&.g\&. log\&.smbclient, log\&.smbd, etc\&.\&.\&.)\&. The log file is never removed by the client\&.
 .RE
 .PP
 …
 .RE
 .PP
 \-h|\-\-help
+\-N|\-\-notify
 .RS 4
+Print a summary of command line options\&.
+causes smbstatus to display registered file notifications
+.RE
+.PP
+\-f|\-\-fast
+.RS 4
+causes smbstatus to not check if the status data is valid by checking if the processes that the status data refer to all still exist\&. This speeds up execution on busy systems and clusters but might display stale data of processes that died without cleaning up properly\&.
 .RE
 .PP
 …
 \fIusername\fR
 only\&.
+.RE
+.PP
+\-n|\-\-numeric
+.RS 4
+causes smbstatus to display numeric UIDs and GIDs instead of resolving them to names\&.
 .RE
 .SH "VERSION"

vendor/current/docs/manpages/smbtar.1

-              r860
+              r988
 .\"     Title: smbtar
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/>
 .\"      Date: 09/18/2013
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 05/02/2016
 .\"    Manual: User Commands
 .\"    Source: Samba 3.6
+.\"    Source: Samba 4.4
 .\"  Language: English
 .\"
 .TH "SMBTAR" "1" "09/18/2013" "Samba 3\&.6" "User Commands"
+.TH "SMBTAR" "1" "05/02/2016" "Samba 4\&.4" "User Commands"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff

vendor/current/docs/manpages/smbtree.1

-              r860
+              r988
 .\"     Title: smbtree
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/>
 .\"      Date: 09/18/2013
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 05/02/2016
 .\"    Manual: User Commands
 .\"    Source: Samba 3.6
+.\"    Source: Samba 4.4
 .\"  Language: English
 .\"
 .TH "SMBTREE" "1" "09/18/2013" "Samba 3\&.6" "User Commands"
+.TH "SMBTREE" "1" "05/02/2016" "Samba 4\&.4" "User Commands"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 …
 Only print a list of all the domains and servers responding on broadcast or known by the master browser\&.
 .RE
-.PP
-\-d|\-\-debuglevel=level
-.RS 4
-\fIlevel\fR
-is an integer from 0 to 10\&. The default value if this parameter is not specified is 0\&.
-.sp
-The higher this value, the more detail will be logged to the log files about the activities of the server\&. At level 0, only critical errors and serious warnings will be logged\&. Level 1 is a reasonable level for day\-to\-day running \- it generates a small amount of information about operations carried out\&.
-.sp
-Levels above 1 will generate considerable amounts of log data, and should only be used when investigating a problem\&. Levels above 3 are designed for use only by developers and generate HUGE amounts of log data, most of which is extremely cryptic\&.
-.sp
-Note that specifying this parameter here will override the
-\m[blue]\fBlog level\fR\m[]
-parameter in the
-smb\&.conf
-file\&.
-.RE
-.PP
-\-V|\-\-version
-.RS 4
-Prints the program version number\&.
-.RE
-.PP
-\-s|\-\-configfile <configuration file>
-.RS 4
-The file specified contains the configuration details required by the server\&. The information in this file includes server\-specific information such as what printcap file to use, as well as descriptions of all the services that the server is to provide\&. See
-smb\&.conf
-for more information\&. The default configuration file name is determined at compile time\&.
-.RE
-.PP
-\-l|\-\-log\-basename=logdirectory
-.RS 4
-Base directory name for log/debug files\&. The extension
-\fB"\&.progname"\fR
-will be appended (e\&.g\&. log\&.smbclient, log\&.smbd, etc\&.\&.\&.)\&. The log file is never removed by the client\&.
-.RE
-.PP
-\-N|\-\-no\-pass
-.RS 4
-If specified, this parameter suppresses the normal password prompt from the client to the user\&. This is useful when accessing a service that does not require a password\&.
-.sp
-Unless a password is specified on the command line or this parameter is specified, the client will request a password\&.
-.sp
-If a password is specified on the command line and this option is also defined the password on the command line will be silently ingnored and no password will be used\&.
-.RE
-.PP
-\-k|\-\-kerberos
-.RS 4
-Try to authenticate with kerberos\&. Only useful in an Active Directory environment\&.
-.RE
-.PP
-\-C|\-\-use\-ccache
-.RS 4
-Try to use the credentials cached by winbind\&.
-.RE
-.PP
-\-A|\-\-authentication\-file=filename
-.RS 4
-This option allows you to specify a file from which to read the username and password used in the connection\&. The format of the file is
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
-username = <value>
-password = <value>
-domain   = <value>
-.fi
-.if n \{\
-.RE
-.\}
-.sp
-Make certain that the permissions on the file restrict access from unwanted users\&.
-.RE
-.PP
-\-U|\-\-user=username[%password]
-.RS 4
-Sets the SMB username or username and password\&.
-.sp
-If %password is not specified, the user will be prompted\&. The client will first check the
-\fBUSER\fR
-environment variable, then the
-\fBLOGNAME\fR
-variable and if either exists, the string is uppercased\&. If these environmental variables are not found, the username
-\fBGUEST\fR
-is used\&.
-.sp
-A third option is to use a credentials file which contains the plaintext of the username and password\&. This option is mainly provided for scripts where the admin does not wish to pass the credentials on the command line or via environment variables\&. If this method is used, make certain that the permissions on the file restrict access from unwanted users\&. See the
-\fI\-A\fR
-for more details\&.
-.sp
-Be cautious about including passwords in scripts\&. Also, on many systems the command line of a running process may be seen via the
-ps
-command\&. To be safe always allow
-rpcclient
-to prompt for a password and type it in directly\&.
-.RE
-.PP
-\-h|\-\-help
-.RS 4
-Print a summary of command line options\&.
-.RE
 .SH "VERSION"
 .PP

vendor/current/docs/manpages/testparm.1

-              r860
+              r988
 .\"     Title: testparm
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/>
 .\"      Date: 09/18/2013
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 05/02/2016
 .\"    Manual: User Commands
 .\"    Source: Samba 3.6
+.\"    Source: Samba 4.4
 .\"  Language: English
 .\"
 .TH "TESTPARM" "1" "09/18/2013" "Samba 3\&.6" "User Commands"
+.TH "TESTPARM" "1" "05/02/2016" "Samba 4\&.4" "User Commands"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 …
 .SH "SYNOPSIS"
 .HP \w'\ 'u
 testparm [\-s] [\-h] [\-v] [\-t\ <encoding>] {config\ filename} [hostname\ hostIP]
+testparm [\-s|\-\-suppress\-prompt] [\-\-help] [\-v|\-\-verbose] {config\ filename} [hostname\ hostIP]
 .SH "DESCRIPTION"
 .PP
 …
 .SH "OPTIONS"
 .PP
 \-s
+\-s|\-\-suppress\-prompt
 .RS 4
 Without this option,
 …
 .RE
 .PP
+\-h|\-\-help
+.RS 4
+Print a summary of command line options\&.
+.RE
+.PP
+\-V|\-\-version
+.RS 4
+Prints the program version number\&.
+.RE
+.PP
+\-v
+\-v|\-\-verbose
 .RS 4
 If this option is specified, testparm will also output all options that were not used in
 \fBsmb.conf\fR(5)
 and are thus set to their defaults\&.
-.RE
-.PP
-\-t encoding
-.RS 4
-Output data in specified encoding\&.
 .RE
 .PP
 …
 .RS 4
 Dumps the named section\&.
+.RE
+.PP
+\-\-show\-all\-parameters
+.RS 4
+Show the parameters, type, possible values\&.
+.RE
+.PP
+\-l|\-\-skip\-logic\-checks
+.RS 4
+Skip the global checks\&.
 .RE
 .PP

vendor/current/docs/manpages/vfs_acl_tdb.8

-              r860
+              r988
 .\"     Title: vfs_acl_tdb
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/>
 .\"      Date: 09/18/2013
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 05/02/2016
 .\"    Manual: System Administration tools
 .\"    Source: Samba 3.6
+.\"    Source: Samba 4.4
 .\"  Language: English
 .\"
 .TH "VFS_ACL_TDB" "8" "09/18/2013" "Samba 3\&.6" "System Administration tools"
+.TH "VFS_ACL_TDB" "8" "05/02/2016" "Samba 4\&.4" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff

vendor/current/docs/manpages/vfs_acl_xattr.8

-              r860
+              r988
 .\"     Title: vfs_acl_xattr
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/>
 .\"      Date: 09/18/2013
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 05/02/2016
 .\"    Manual: System Administration tools
 .\"    Source: Samba 3.6
+.\"    Source: Samba 4.4
 .\"  Language: English
 .\"
 .TH "VFS_ACL_XATTR" "8" "09/18/2013" "Samba 3\&.6" "System Administration tools"
+.TH "VFS_ACL_XATTR" "8" "05/02/2016" "Samba 4\&.4" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff

vendor/current/docs/manpages/vfs_aio_fork.8

-              r860
+              r988
 .\"     Title: vfs_aio_fork
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/>
 .\"      Date: 09/18/2013
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 05/02/2016
 .\"    Manual: System Administration tools
 .\"    Source: Samba 3.6
+.\"    Source: Samba 4.4
 .\"  Language: English
 .\"
 .TH "VFS_AIO_FORK" "8" "09/18/2013" "Samba 3\&.6" "System Administration tools"
+.TH "VFS_AIO_FORK" "8" "05/02/2016" "Samba 4\&.4" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 …
 .SH "VERSION"
 .PP
 This man page is correct for version 3\&.6\&.0 of the Samba suite\&.
+This man page is correct for version 4\&.0\&.0 of the Samba suite\&.
 .SH "AUTHOR"
 .PP

vendor/current/docs/manpages/vfs_aio_pthread.8

-              r860
+              r988
 .\"     Title: vfs_aio_pthread
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/>
 .\"      Date: 09/18/2013
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 05/02/2016
 .\"    Manual: System Administration tools
 .\"    Source: Samba 3.6
+.\"    Source: Samba 4.4
 .\"  Language: English
 .\"
 .TH "VFS_AIO_PTHREAD" "8" "09/18/2013" "Samba 3\&.6" "System Administration tools"
+.TH "VFS_AIO_PTHREAD" "8" "05/02/2016" "Samba 4\&.4" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 …
 .SH "VERSION"
 .PP
 This man page is correct for version 3\&.6\&.3 of the Samba suite\&.
+This man page is correct for version 4\&.0 of the Samba suite\&.
 .SH "AUTHOR"
 .PP

vendor/current/docs/manpages/vfs_audit.8

-              r860
+              r988
 .\"     Title: vfs_audit
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/>
 .\"      Date: 09/18/2013
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 05/02/2016
 .\"    Manual: System Administration tools
 .\"    Source: Samba 3.6
+.\"    Source: Samba 4.4
 .\"  Language: English
 .\"
 .TH "VFS_AUDIT" "8" "09/18/2013" "Samba 3\&.6" "System Administration tools"
+.TH "VFS_AUDIT" "8" "05/02/2016" "Samba 4\&.4" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff

vendor/current/docs/manpages/vfs_cacheprime.8

-              r860
+              r988
 .\"     Title: vfs_cacheprime
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/>
 .\"      Date: 09/18/2013
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 05/02/2016
 .\"    Manual: System Administration tools
 .\"    Source: Samba 3.6
+.\"    Source: Samba 4.4
 .\"  Language: English
 .\"
 .TH "VFS_CACHEPRIME" "8" "09/18/2013" "Samba 3\&.6" "System Administration tools"
+.TH "VFS_CACHEPRIME" "8" "05/02/2016" "Samba 4\&.4" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 …
 .PP
 cacheprime
 is not a a substitute for a general\-purpose readahead mechanism\&. It is intended for use only in very specific environments where disk operations must be aligned and sized to known values (as much as that is possible)\&.
+is not a substitute for a general\-purpose readahead mechanism\&. It is intended for use only in very specific environments where disk operations must be aligned and sized to known values (as much as that is possible)\&.
 .SH "VERSION"
 .PP

vendor/current/docs/manpages/vfs_cap.8

-              r860
+              r988
 .\"     Title: vfs_cap
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/>
 .\"      Date: 09/18/2013
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 05/02/2016
 .\"    Manual: System Administration tools
 .\"    Source: Samba 3.6
+.\"    Source: Samba 4.4
 .\"  Language: English
 .\"
 .TH "VFS_CAP" "8" "09/18/2013" "Samba 3\&.6" "System Administration tools"
+.TH "VFS_CAP" "8" "05/02/2016" "Samba 4\&.4" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff

vendor/current/docs/manpages/vfs_catia.8

-              r860
+              r988
 .\"     Title: vfs_catia
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/>
 .\"      Date: 09/18/2013
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 05/02/2016
 .\"    Manual: System Administration tools
 .\"    Source: Samba 3.6
+.\"    Source: Samba 4.4
 .\"  Language: English
 .\"
 .TH "VFS_CATIA" "8" "09/18/2013" "Samba 3\&.6" "System Administration tools"
+.TH "VFS_CATIA" "8" "05/02/2016" "Samba 4\&.4" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 …
 This module is stackable\&.
 .PP
+Up to samba version 3\&.4\&.x a fixed character mapping was used\&. The invalid windows characters \e / : * ? " < > | and the blank character were mapped in a hardcoded way\&.
+The parameter "catia:mappings" specifies the mapping on a per\-character basis, see below\&.
+.SH "OPTIONS"
 .PP
+Starting with samba\-3\&.5\&.0 a more flexible mapping was introduced\&. The new parameter "catia:mappings" now specifies the mapping on a char by char basis using the notation: unix hex char 0x\&.\&. : windows hex char 0x\&.\&. Multiple character mappings are separated by a comma\&.
+catia:mappings = SERVER_HEX_CHAR:CLIENT_HEX_CHAR
+.RS 4
+SERVER_HEX_CHAR specifies a 0x prefixed hexedecimal character code that, when included in a Samba server\-side filename, will be mapped to CLIENT_HEX_CHAR for the CIFS client\&.
+.sp
+The same mapping occurs in the opposite direction\&. Multiple character mappings are separated by a comma\&.
+.RE
 .SH "EXAMPLES"
 .PP
+Samba versions up to 3\&.4\&.x:
+.PP
+Map Catia filenames on the [CAD] share:
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+        \fI[CAD]\fR
+        \m[blue]\fBpath = /data/cad\fR\m[]
+        \m[blue]\fBvfs objects = catia\fR\m[]
+.fi
+.if n \{\
+.RE
+.\}
+.PP
+Samba versions 3\&.5\&.0 and later:
+.PP
+Map Catia filenames on the [CAD] share:
+Map server\-side quotation\-marks (") to client\-side diaeresis (\(ad) on filenames in the [CAD] share:
 .sp
 .if n \{\
 …
 .\}
 .PP
 To get the full formerly fixed mappings:
+Perform comprehensive mapping of common Catia filename characters:
 .sp
 .if n \{\
 …
         \m[blue]\fBpath = /data/cad\fR\m[]
         \m[blue]\fBvfs objects = catia\fR\m[]
         \m[blue]\fBcatia:mappings = 0x22:0xa8,0x2a:0xa4,0x2f:0xf8,0x3a:0xf7,0x3c:0xab,0x3e:0xbb,0x3f:0xbf,0x5c:0xff,0x7c:0xa6,0x20:0xb1\fR\m[]
+        \m[blue]\fBcatia:mappings = 0x22:0xa8,0x2a:0xa4,0x2f:0xf8,0x3a:0xf7,0x3c:0xab,0x3e:0xbb,0x3f:0xbf,0x5c:0xff,0x7c:0xa6\fR\m[]
 .fi
 .if n \{\
 …
 .\}
 .PP
 Unix filename to be translated (Note that the path delimiter "/" is not used here):
+Server\-side filename to be translated (Note that the path delimiter "/" is not used here):
 .PP
 a\ea:a*a?a"a<a>a|a a
+a\ea:a*a?a"a<a>a|a
 .PP
 Resulting windows filename:
+Resulting filename, as seen by the client:
 .PP
+aÃ¿a\(dia\(Csa\(r?a\(ada\(Foa\(Fca\(bba\(+-a
+aÃ¿a\(dia\(Csa\(r?a\(ada\(Foa\(Fca\(bba
+.SH "CAVEATS"
 .PP
 Note that the character mapping must work in BOTH directions (unix \-> windows and windows \-> unix) to get unique and existing file names!
+Character mapping must work in BOTH directions (server \-> client and client \-> server) to get unique and existing file names!
 .PP
 A NOT working example:
 …
 Here the colon ":" is mapped to the underscore "_"\&.
 .PP
 Assuming a unix filename "a:should_work", which is well translated to windows as "a_should_work"\&.
+Assuming a server\-side filename "a:should_work", which is translated to "a_should_work" for the client\&.
 .PP
 BUT the reverse mapping from windows "a_should_work" to unix will result in "a:should:work" \- something like "file not found" will be returned\&.
+BUT the reverse mapping from client "a_should_work" to server will result in "a:should:work" \- something like "file not found" will be returned\&.
 .SH "VERSION"
 .PP
 This man page is correct for all versions up to 4\&.0\&.3 of the Samba suite\&.
+This man page is correct for Samba versions from 3\&.5\&.0 to 4\&.0\&.6\&.
 .SH "AUTHOR"
 .PP

vendor/current/docs/manpages/vfs_commit.8

-              r860
+              r988
 .\"     Title: vfs_commit
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/>
 .\"      Date: 09/18/2013
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 05/02/2016
 .\"    Manual: System Administration tools
 .\"    Source: Samba 3.6
+.\"    Source: Samba 4.4
 .\"  Language: English
 .\"
 .TH "VFS_COMMIT" "8" "09/18/2013" "Samba 3\&.6" "System Administration tools"
+.TH "VFS_COMMIT" "8" "05/02/2016" "Samba 4\&.4" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff

vendor/current/docs/manpages/vfs_crossrename.8

-              r860
+              r988
 .\"     Title: vfs_crossrename
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/>
 .\"      Date: 09/18/2013
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 05/02/2016
 .\"    Manual: System Administration tools
 .\"    Source: Samba 3.6
+.\"    Source: Samba 4.4
 .\"  Language: English
 .\"
 .TH "VFS_CROSSRENAME" "8" "09/18/2013" "Samba 3\&.6" "System Administration tools"
+.TH "VFS_CROSSRENAME" "8" "05/02/2016" "Samba 4\&.4" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 …
 .SH "VERSION"
 .PP
 This man page is correct for version 3\&.6\&.0 of the Samba suite\&.
+This man page is correct for version 4\&.0\&.0 of the Samba suite\&.
 .SH "AUTHOR"
 .PP

vendor/current/docs/manpages/vfs_default_quota.8

-              r860
+              r988
 .\"     Title: vfs_default_quota
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/>
 .\"      Date: 09/18/2013
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 05/02/2016
 .\"    Manual: System Administration tools
 .\"    Source: Samba 3.6
+.\"    Source: Samba 4.4
 .\"  Language: English
 .\"
 .TH "VFS_DEFAULT_QUOTA" "8" "09/18/2013" "Samba 3\&.6" "System Administration tools"
+.TH "VFS_DEFAULT_QUOTA" "8" "05/02/2016" "Samba 4\&.4" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff

vendor/current/docs/manpages/vfs_dirsort.8

-              r860
+              r988
 .\"     Title: vfs_dirsort
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/>
 .\"      Date: 09/18/2013
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 05/02/2016
 .\"    Manual: System Administration tools
 .\"    Source: Samba 3.6
+.\"    Source: Samba 4.4
 .\"  Language: English
 .\"
 .TH "VFS_DIRSORT" "8" "09/18/2013" "Samba 3\&.6" "System Administration tools"
+.TH "VFS_DIRSORT" "8" "05/02/2016" "Samba 4\&.4" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff

vendor/current/docs/manpages/vfs_extd_audit.8

-              r860
+              r988
 .\"     Title: vfs_extd_audit
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/>
 .\"      Date: 09/18/2013
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 05/02/2016
 .\"    Manual: System Administration tools
 .\"    Source: Samba 3.6
+.\"    Source: Samba 4.4
 .\"  Language: English
 .\"
 .TH "VFS_EXTD_AUDIT" "8" "09/18/2013" "Samba 3\&.6" "System Administration tools"
+.TH "VFS_EXTD_AUDIT" "8" "05/02/2016" "Samba 4\&.4" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff

vendor/current/docs/manpages/vfs_fake_perms.8

-              r860
+              r988
 .\"     Title: vfs_fake_perms
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/>
 .\"      Date: 09/18/2013
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 05/02/2016
 .\"    Manual: System Administration tools
 .\"    Source: Samba 3.6
+.\"    Source: Samba 4.4
 .\"  Language: English
 .\"
 .TH "VFS_FAKE_PERMS" "8" "09/18/2013" "Samba 3\&.6" "System Administration tools"
+.TH "VFS_FAKE_PERMS" "8" "05/02/2016" "Samba 4\&.4" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff

vendor/current/docs/manpages/vfs_fileid.8

-              r860
+              r988
 .\"     Title: vfs_fileid
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/>
 .\"      Date: 09/18/2013
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 05/02/2016
 .\"    Manual: System Administration tools
 .\"    Source: Samba 3.6
+.\"    Source: Samba 4.4
 .\"  Language: English
 .\"
 .TH "VFS_FILEID" "8" "09/18/2013" "Samba 3\&.6" "System Administration tools"
+.TH "VFS_FILEID" "8" "05/02/2016" "Samba 4\&.4" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff

vendor/current/docs/manpages/vfs_full_audit.8

-              r860
+              r988
 .\"     Title: vfs_full_audit
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/>
 .\"      Date: 09/18/2013
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 05/02/2016
 .\"    Manual: System Administration tools
 .\"    Source: Samba 3.6
+.\"    Source: Samba 4.4
 .\"  Language: English
 .\"
 .TH "VFS_FULL_AUDIT" "8" "09/18/2013" "Samba 3\&.6" "System Administration tools"
+.TH "VFS_FULL_AUDIT" "8" "05/02/2016" "Samba 4\&.4" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 …
 is able to record the complete set of Samba VFS operations:
 .RS 4
-aio_cancel
-.RE
-.RS 4
-aio_error
-.RE
-.RS 4
-aio_fsync
-.RE
-.RS 4
-aio_read
-.RE
-.RS 4
-aio_return
-.RE
-.RS 4
-aio_suspend
-.RE
-.RS 4
-aio_write
-.RE
-.RS 4
 chdir
 .RE
 …
 .RE
 .RS 4
+copy_chunk_send
+.RE
+.RS 4
+copy_chunk_recv
+.RE
+.RS 4
 disconnect
 .RE
 …
 .RE
 .RS 4
+get_compression
+.RE
+.RS 4
 get_nt_acl
 .RE
 …
 .RE
 .RS 4
-lgetxattr
-.RE
-.RS 4
 link
 .RE
 …
 .RE
 .RS 4
-llistxattr
-.RE
-.RS 4
 lock
 .RE
 .RS 4
-lremovexattr
-.RE
-.RS 4
 lseek
 .RE
 .RS 4
-lsetxattr
-.RE
-.RS 4
 lstat
 .RE
 …
 .RE
 .RS 4
+set_compression
+.RE
+.RS 4
 set_nt_acl
 .RE
 …
 .RE
 .RS 4
+snap_check_path
+.RE
+.RS 4
+snap_create
+.RE
+.RS 4
+snap_delete
+.RE
+.RS 4
 stat
 .RE
 …
 .RE
 .RS 4
-sys_acl_add_perm
-.RE
-.RS 4
-sys_acl_clear_perms
-.RE
-.RS 4
-sys_acl_create_entry
-.RE
-.RS 4
 sys_acl_delete_def_file
 .RE
 .RS 4
-sys_acl_free_acl
-.RE
-.RS 4
-sys_acl_free_qualifier
-.RE
-.RS 4
-sys_acl_free_text
-.RE
-.RS 4
-sys_acl_get_entry
-.RE
-.RS 4
 sys_acl_get_fd
 .RE
 …
 .RE
 .RS 4
-sys_acl_get_perm
-.RE
-.RS 4
-sys_acl_get_permset
-.RE
-.RS 4
-sys_acl_get_qualifier
-.RE
-.RS 4
-sys_acl_get_tag_type
-.RE
-.RS 4
-sys_acl_init
-.RE
-.RS 4
 sys_acl_set_fd
 .RE
 .RS 4
 sys_acl_set_file
-.RE
-.RS 4
-sys_acl_set_permset
-.RE
-.RS 4
-sys_acl_set_qualifier
-.RE
-.RS 4
-sys_acl_set_tag_type
-.RE
-.RS 4
-sys_acl_to_text
-.RE
-.RS 4
-sys_acl_valid
 .RE
 .RS 4
 …
 .SH "OPTIONS"
 .PP
 vfs_full_audit:prefix = STRING
+full_audit:prefix = STRING
 .RS 4
 Prepend audit messages with STRING\&. STRING is processed for standard substitution variables listed in
 …
 .RE
 .PP
 vfs_full_audit:success = LIST
 .RS 4
 LIST is a list of VFS operations that should be recorded if they succeed\&. Operations are specified using the names listed above\&. Operations can be unset by prefixing the names with "!"\&.
 .RE
 .PP
 vfs_full_audit:failure = LIST
 .RS 4
 LIST is a list of VFS operations that should be recorded if they failed\&. Operations are specified using the names listed above\&. Operations can be unset by prefixing the names with "!"\&.
+full_audit:success = LIST
+.RS 4
+LIST is a list of VFS operations that should be recorded if they succeed\&. Operations are specified using the names listed above\&. Operations can be unset by prefixing the names with "!"\&. The default is all operations\&.
+.RE
+.PP
+full_audit:failure = LIST
+.RS 4
+LIST is a list of VFS operations that should be recorded if they failed\&. Operations are specified using the names listed above\&. Operations can be unset by prefixing the names with "!"\&. The default is all operations\&.
 .RE
 .PP
 …
 \fBsyslog\fR(3)
 priority\&.
+.RE
+.PP
+full_audit:syslog = true/false
+.RS 4
+Log messages to syslog (default) or as a debug level 1 message\&.
+.RE
+.PP
+full_audit:log_secdesc = true/false
+.RS 4
+Log an sddl form of the security descriptor coming in when a client sets an acl\&. Defaults to false\&.
 .RE
 .SH "EXAMPLES"

vendor/current/docs/manpages/vfs_gpfs.8

-              r860
+              r988
 .\"     Title: vfs_gpfs
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/>
 .\"      Date: 09/18/2013
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 05/02/2016
 .\"    Manual: System Administration tools
 .\"    Source: Samba 3.6
+.\"    Source: Samba 4.4
 .\"  Language: English
 .\"
 .TH "VFS_GPFS" "8" "09/18/2013" "Samba 3\&.6" "System Administration tools"
+.TH "VFS_GPFS" "8" "05/02/2016" "Samba 4\&.4" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 …
 .RE
 .PP
+NOTE:This module follows the posix\-acl behaviour and hence allows permission stealing via chown\&. Samba might allow at a later point in time, to restrict the chown via this module as such restrictions are the responsibility of the underlying filesystem than of Samba\&.
+NOTE:
+This module follows the posix\-acl behaviour and hence allows permission stealing via chown\&. Samba might allow at a later point in time, to restrict the chown via this module as such restrictions are the responsibility of the underlying filesystem than of Samba\&.
+.PP
+This module makes use of the smb\&.conf parameter
+\m[blue]\fBacl map full control\fR\m[]\&. When set to yes (the default), this parameter will add in the FILE_DELETE_CHILD bit on a returned ACE entry for a file (not a directory) that already contains all file permissions except for FILE_DELETE and FILE_DELETE_CHILD\&. This can prevent Windows applications that request GENERIC_ALL access from getting ACCESS_DENIED errors when running against a filesystem with NFSv4 compatible ACLs\&.
 .PP
 This module is stackable\&.
+.PP
+Since Samba 4\&.0 all options are per share options\&.
 .SH "OPTIONS"
 .PP
 …
 .IP \(bu 2.3
 .\}
 yes(default)
 \- propagate sharemodes across all GPFS nodes\&.
 …
 .IP \(bu 2.3
 .\}
 no
 \- do not propagate sharemodes across all GPFS nodes\&. This should only be used if the GPFS file system is exclusively exported by Samba\&. Access by local unix application or NFS exports could lead to corrupted files\&.
 …
 .IP \(bu 2.3
 .\}
 yes(default)
 \- propagate leases across all GPFS nodes\&.
 …
 .IP \(bu 2.3
 .\}
 no
 \- do not propagate leases across all GPFS nodes\&. This should only be used if the GPFS file system is exclusively exported by Samba\&. Access by local unix application or NFS exports could lead to corrupted files\&.
 …
 .IP \(bu 2.3
 .\}
 no(default)
 \- Do not announce HSM\&.
 …
 .IP \(bu 2.3
 .\}
+no
+yes
 \- Announce HSM\&.
+.RE
+.sp
+.RE
+.RE
+.PP
+gpfs:recalls = [ yes | no ]
+.RS 4
+When this option is set to no, an attempt to open an offline file will be rejected with access denied\&. This helps preventing recall storms triggered by careless applications like Finder and Explorer\&.
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+yes(default)
+\- Open files that are offline\&. This will recall the files from HSM\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+no
+\- Reject access to offline files with access denied\&. This will prevent recalls of files from HSM\&. Using this setting also requires gpfs:hsm to be set to yes\&.
 .RE
 .sp
 …
 .IP \(bu 2.3
 .\}
 yes(default)
 \- use
 …
 .IP \(bu 2.3
 .\}
 no
 \- do not use
 …
 .IP \(bu 2.3
 .\}
 no(default)
 \- do not use GPFS windows attributes\&.
 …
 .IP \(bu 2.3
 .\}
 yes
 \- use GPFS windows attributes\&.
 …
 gpfs:merge_writeappend = [ yes | no ]
 .RS 4
+GPFS ACLs doesn\*(Aqt know about the \*(AqAPPEND\*(Aq right\&. This optionen lets Samba map the \*(AqAPPEND\*(Aq right to \*(AqWRITE\*(Aq\&.
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+GPFS ACLs doesn\*(Aqt know about the \*(AqAPPEND\*(Aq right\&. This option lets Samba map the \*(AqAPPEND\*(Aq right to \*(AqWRITE\*(Aq\&.
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
 yes(default)
 \- map \*(AqAPPEND\*(Aq to \*(AqWRITE\*(Aq\&.
 …
 .IP \(bu 2.3
 .\}
 no
 \- do not map \*(AqAPPEND\*(Aq to \*(AqWRITE\*(Aq\&.
+.RE
+.sp
+.RE
+.RE
+.PP
+gpfs:acl = [ yes | no ]
+.RS 4
+This option lets Samba use or ignore GPFS ACLs\&.
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+yes(default)
+\- use GPFS ACLs\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+no
+\- do not use GPFS ACLs and pass everything to the next SMB_VFS module\&.
 .RE
 .sp
 …
 .IP \(bu 2.3
 .\}
 no(default)
 \- ignore the DESC_DACL_PROTECTED flags\&.
 …
 .IP \(bu 2.3
 .\}
 yes
 \- reject ACLs with DESC_DACL_PROTECTED\&.
 …
 .RE
 .PP
+gpfs:dfreequota = [ yes | no ]
+.RS 4
+Adjust reporting of the size and free space of a share according to quotas\&. If this setting is "yes", a request for size and free space will also evaluate the user quota of the user requesting the data and the group quota of the primary group of the user\&. Fileset quotas are not queried, since GPFS already provides the option \-\-dfreequota to reflect the fileset quota in the free space query\&. Please use that option to include fileset quotas in the reported disk space\&.
+.sp
+If any of the soft or hard quota limits has been reached, the free space will be reported as 0\&. If a quota is in place, but the limits have not been reached, the free space will be reported according to the space left in the quota\&. If more than one quota applies the free space will be reported as the smallest space left in those quotas\&. The size of the share will be reported according to the quota usage\&. If more than one quota applies, the smallest size will be reported for the share size according to these quotas\&.
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+yes
+\- include the quotas when reporting the share size and free space
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+no(default)
+\- do not include quotas, simply report the size and free space of the file system
+.RE
+.sp
+.RE
+.RE
+.PP
+gpfs:prealloc = [ yes | no ]
+.RS 4
+If set to yes the gpfs_prealloc function will be used in the fallocate callback when appropriate\&. If set to no gpfs_prealloc will not be used\&. In both cases the system and libc calls are avoided\&.
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+yes (default)
+\- Use gpfs_prealloc for the fallocate callback\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+no
+\- Do not use gpfs_prealloc for the fallocate callback\&.
+.RE
+.sp
+.RE
+.RE
+.PP
+gpfs:settimes = [ yes | no ]
+.RS 4
+Use the gpfs_set_times API when changing the timestamps of a file or directory\&. If the GPFS API is not available the old method of using utime and the GPFS winattr call will be used instead\&.
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+yes(default)
+\- Use gpfs_set_times\&. Fall back to utime and winattr when it is not available\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+no
+\- Do not use gpfs_set_times\&.
+.RE
+.sp
+.RE
+.RE
+.PP
 nfs4:mode = [ simple | special ]
 .RS 4
 Enable/Disable substitution of special IDs on GPFS\&. This parameter should not affect the windows users in anyway\&. It only ensures that Samba sets the special IDs \- OWNER@ and GROUP@ ( mappings to simple uids ) that are relevant to GPFS\&.
+Controls substitution of special IDs (OWNER@ and GROUP@) on GPFS\&. The use of mode simple is recommended\&. In this mode only non inheriting ACL entries for the file owner and group are mapped to special IDs\&.
 .sp
 The following MODEs are understood by the module:
 …
 .\}
 simple(default)
 \- do not use special IDs in GPFS ACEs
 .RE
 .sp
 .RS 4
 .ie n \{\
 \h'-04'\(bu\h'+03'\c
 .\}
 .el \{\
 .sp -1
 .IP \(bu 2.3
 .\}
 special
 \- use special IDs in GPFS ACEs\&.
+\- use OWNER@ and GROUP@ special IDs for non inheriting ACEs only\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+special(deprecated)
+\- use OWNER@ and GROUP@ special IDs in ACEs for all file owner and group ACEs\&.
 .RE
 .sp
 …
 .IP \(bu 2.3
 .\}
+yesOpen files with O_SYNC
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+no (default)Open files as normal Samba would do
+yes
+\- Open files with O_SYNC
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+no (default)
+\- Open files as normal Samba would do
 .RE
 .sp
 …
 At build time, only the header file
 gpfs_gpl\&.h
 is required , which is a symlink to
+is required, which is a symlink to
 gpfs\&.h
 in gpfs versions newer than 3\&.2\&.1 PTF8\&.

vendor/current/docs/manpages/vfs_netatalk.8

-              r860
+              r988
 .\"     Title: vfs_netatalk
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/>
 .\"      Date: 09/18/2013
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 05/02/2016
 .\"    Manual: System Administration tools
 .\"    Source: Samba 3.6
+.\"    Source: Samba 4.4
 .\"  Language: English
 .\"
 .TH "VFS_NETATALK" "8" "09/18/2013" "Samba 3\&.6" "System Administration tools"
+.TH "VFS_NETATALK" "8" "05/02/2016" "Samba 4\&.4" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff

vendor/current/docs/manpages/vfs_prealloc.8

-              r860
+              r988
 .\"     Title: vfs_prealloc
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/>
 .\"      Date: 09/18/2013
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 05/02/2016
 .\"    Manual: System Administration tools
 .\"    Source: Samba 3.6
+.\"    Source: Samba 4.4
 .\"  Language: English
 .\"
 .TH "VFS_PREALLOC" "8" "09/18/2013" "Samba 3\&.6" "System Administration tools"
+.TH "VFS_PREALLOC" "8" "05/02/2016" "Samba 4\&.4" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff

vendor/current/docs/manpages/vfs_preopen.8

-              r860
+              r988
 .\"     Title: vfs_preopen
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/>
 .\"      Date: 09/18/2013
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 05/02/2016
 .\"    Manual: System Administration tools
 .\"    Source: Samba 3.6
+.\"    Source: Samba 4.4
 .\"  Language: English
 .\"
 .TH "VFS_PREOPEN" "8" "09/18/2013" "Samba 3\&.6" "System Administration tools"
+.TH "VFS_PREOPEN" "8" "05/02/2016" "Samba 4\&.4" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff

vendor/current/docs/manpages/vfs_readahead.8

-              r860
+              r988
 .\"     Title: vfs_readahead
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/>
 .\"      Date: 09/18/2013
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 05/02/2016
 .\"    Manual: System Administration tools
 .\"    Source: Samba 3.6
+.\"    Source: Samba 4.4
 .\"  Language: English
 .\"
 .TH "VFS_READAHEAD" "8" "09/18/2013" "Samba 3\&.6" "System Administration tools"
+.TH "VFS_READAHEAD" "8" "05/02/2016" "Samba 4\&.4" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff

vendor/current/docs/manpages/vfs_readonly.8

-              r860
+              r988
 .\"     Title: vfs_readonly
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/>
 .\"      Date: 09/18/2013
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 05/02/2016
 .\"    Manual: System Administration tools
 .\"    Source: Samba 3.6
+.\"    Source: Samba 4.4
 .\"  Language: English
 .\"
 .TH "VFS_READONLY" "8" "09/18/2013" "Samba 3\&.6" "System Administration tools"
+.TH "VFS_READONLY" "8" "05/02/2016" "Samba 4\&.4" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff

vendor/current/docs/manpages/vfs_recycle.8

-              r860
+              r988
 .\"     Title: vfs_recycle
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/>
 .\"      Date: 09/18/2013
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 05/02/2016
 .\"    Manual: System Administration tools
 .\"    Source: Samba 3.6
+.\"    Source: Samba 4.4
 .\"  Language: English
 .\"
 .TH "VFS_RECYCLE" "8" "09/18/2013" "Samba 3\&.6" "System Administration tools"
+.TH "VFS_RECYCLE" "8" "05/02/2016" "Samba 4\&.4" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff

vendor/current/docs/manpages/vfs_shadow_copy.8

-              r860
+              r988
 .\"     Title: vfs_shadow_copy
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/>
 .\"      Date: 09/18/2013
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 05/02/2016
 .\"    Manual: System Administration tools
 .\"    Source: Samba 3.6
+.\"    Source: Samba 4.4
 .\"  Language: English
 .\"
 .TH "VFS_SHADOW_COPY" "8" "09/18/2013" "Samba 3\&.6" "System Administration tools"
+.TH "VFS_SHADOW_COPY" "8" "05/02/2016" "Samba 4\&.4" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 …
 .\" -----------------------------------------------------------------
 .SH "NAME"
 vfs_shadow_copy \- Make a Samba share read only for a specified time period
+vfs_shadow_copy \- Expose snapshots to Windows clients as shadow copies\&.
 .SH "SYNOPSIS"
 .HP \w'\ 'u

vendor/current/docs/manpages/vfs_shadow_copy2.8

-              r860
+              r988
 .\"     Title: vfs_shadow_copy2
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/>
 .\"      Date: 09/18/2013
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 05/02/2016
 .\"    Manual: System Administration tools
 .\"    Source: Samba 3.6
+.\"    Source: Samba 4.4
 .\"  Language: English
 .\"
 .TH "VFS_SHADOW_COPY2" "8" "09/18/2013" "Samba 3\&.6" "System Administration tools"
+.TH "VFS_SHADOW_COPY2" "8" "05/02/2016" "Samba 4\&.4" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 …
 The
 vfs_shadow_copy2
+VFS module functionality that is similar to Microsoft Shadow Copy services\&. When setup properly, this module allows Microsoft Shadow Copy clients to browse "shadow copies" on Samba shares\&.
+.PP
+This is a 2nd implementation of a shadow copy module\&. This version has the following features:
+VFS module offers a functionality similar to Microsoft Shadow Copy services\&. When set up properly, this module allows Microsoft Shadow Copy clients to browse through file system snapshots as "shadow copies" on Samba shares\&.
+.PP
+This is a second implementation of a shadow copy module which has the following additional features (compared to the original
+\fBshadow_copy\fR(8)
+module):
 .sp
 .RS 4
 …
 .IP "  1." 4.2
 .\}
 You don\*(Aqt need to populate your shares with symlinks to the snapshots\&. This can be very important when you have thousands of shares, or use [homes]\&.
+There is no need any more to populate your share\*(Aqs root directory with symlinks to the snapshots if the file system stores the snapshots elsewhere\&. Instead, you can flexibly configure the module where to look for the file system snapshots\&. This can be very important when you have thousands of shares, or use [homes]\&.
 .RE
 .sp
 …
 .IP "  2." 4.2
 .\}
+The inode number of the files is altered so it is different from the original\&. This allows the \*(Aqrestore\*(Aq button to work without a sharing violation\&.
+Snapshot directories need not be in one fixed central place but can be located anywhere in the directory tree\&. This mode helps to support file systems that offer snapshotting of particular subtrees, for example the GPFS independent file sets\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04' 3.\h'+01'\c
+.\}
+.el \{\
+.sp -1
+.IP "  3." 4.2
+.\}
+Vanity naming for snapshots: snapshots can be named in any format compatible with str[fp]time conversions\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04' 4.\h'+01'\c
+.\}
+.el \{\
+.sp -1
+.IP "  4." 4.2
+.\}
+Timestamps can be represented in localtime rather than UTC\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04' 5.\h'+01'\c
+.\}
+.el \{\
+.sp -1
+.IP "  5." 4.2
+.\}
+The inode number of the files can optionally be altered to be different from the original\&. This fixes the \*(Aqrestore\*(Aq button in the Windows GUI to work without a sharing violation when serving from file systems, like GPFS, that return the same device and inode number for the snapshot file and the original\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04' 6.\h'+01'\c
+.\}
+.el \{\
+.sp -1
+.IP "  6." 4.2
+.\}
+Shadow copy results are by default sorted before being sent to the client\&. This is beneficial for filesystems that don\*(Aqt read directories alphabetically (the default unix)\&. Sort ordering can be configured and sorting can be turned off completely if the file system sorts its directory listing\&.
 .RE
 .sp
 …
 relies on a filesystem snapshot implementation\&. Many common filesystems have native support for this\&.
 .PP
+Filesystem snapshots must be mounted on specially named directories in order to be recognized by
+vfs_shadow_copy2\&. The snapshot mount points must be immediate children of a the directory being shared\&.
+.PP
+The snapshot naming convention is @GMT\-YYYY\&.MM\&.DD\-hh\&.mm\&.ss, where:
+Filesystem snapshots must be available under specially named directories in order to be recognized by
+vfs_shadow_copy2\&. These snapshot directory is typically a direct subdirectory of the share root\*(Aqs mountpoint but there are other modes that can be configured with the parameters described in detail below\&.
+.PP
+The snapshot at a given point in time is expected in a subdirectory of the snapshot directory where the snapshot\*(Aqs directory is expected to be a formatted version of the snapshot time\&. The default format which can be changed with the
+shadow:format
+option is @GMT\-YYYY\&.MM\&.DD\-hh\&.mm\&.ss, where:
 .sp
 .RS 4
 …
 .SH "OPTIONS"
 .PP
+shadow:mountpoint = MOUNTPOINT
+.RS 4
+With this parameter, one can specify the mount point of the filesystem that contains the share path\&. Usually this mount point is automatically detected\&. But for some constellations, in particular tests, it can be convenient to be able to specify it\&.
+.sp
+Example: shadow:mountpoint = /path/to/filesystem
+.sp
+Default: shadow:mountpoint = NOT SPECIFIED
+.RE
+.PP
 shadow:snapdir = SNAPDIR
 .RS 4
+Path to the directory where snapshots are kept\&.
+Path to the directory where the file system of the share keeps its snapshots\&. If an absolute path is specified, it is used as\-is\&. If a relative path is specified, then it is taken relative to the mount point of the filesystem of the share root\&. (See
+shadow:mountpoint\&.)
+.sp
+Note that
+shadow:snapdirseverywhere
+depends on this parameter and needs a relative path\&. Setting an absolute path disables
+shadow:snapdirseverywhere\&.
+.sp
+Note that the
+shadow:crossmountpoints
+option also requires a relative snapdir\&. Setting an absolute path disables
+shadow:crossmountpoints\&.
+.sp
+Example: shadow:snapdir = /some/absolute/path
+.sp
+Default: shadow:snapdir = \&.snapshots
 .RE
 .PP
 shadow:basedir = BASEDIR
 .RS 4
+Path to the base directory that snapshots are from\&.
+.RE
+.PP
+shadow:sort = asc/desc, or not specified for unsorted (default)
+.RS 4
+By this parameter one can specify that the shadow copy directories should be sorted before they are sent to the client\&. This can be beneficial as unix filesystems are usually not listed alphabetically sorted\&. If enabled, you typically want to specify descending order\&.
+The basedir option allows one to specify a directory between the share\*(Aqs mount point and the share root, relative to which the file system\*(Aqs snapshots are taken\&.
+.sp
+For example, if
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+basedir = mountpoint/rel_basedir
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+share_root = basedir/rel_share_root
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+snapshot_path = mountpoint/snapdir
+.sp
+or
+snapshot_path = snapdir
+if snapdir is absolute
+.RE
+.sp
+.RE
+then the snapshot of a
+file = mountpoint/rel_basedir/rel_share_root/rel_file
+at a time TIME will be found under
+snapshot_path/FS_GMT_TOKEN(TIME)/rel_share_root/rel_file, where FS_GMT_TOKEN(TIME) is the timestamp string belonging to TIME in the format required by the file system\&. (See
+shadow:format\&.)
+.sp
+The default for the basedir is the mount point of the file system of the share root (see
+shadow:mountpoint)\&.
+.sp
+Note that the
+shadow:snapdirseverywhere
+and
+shadow:crossmountpoints
+options are incompatible with
+shadow:basedir
+and disable the basedir setting\&.
+.RE
+.PP
+shadow:snapsharepath = SNAPSHAREPATH
+.RS 4
+With this parameter, one can specify the path of the share\*(Aqs root directory in snapshots, relative to the snapshot\*(Aqs root directory\&. It is an alternative method to
+shadow:basedir, allowing greater control\&.
+.sp
+For example, if within each snapshot the files of the share have a
+path/to/share/
+prefix, then
+shadow:snapsharepath
+can be set to
+path/to/share\&.
+.sp
+With this parameter, it is no longer assumed that a snapshot represents an image of the original file system or a portion of it\&. For example, a system could perform backups of only files contained in shares, and then expose the backup files in a logical structure:
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+share1/
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+share2/
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\&.\&.\&./
+.RE
+.sp
+.RE
+Note that the
+shadow:snapdirseverywhere
+and the
+shadow:basedir
+options are incompatible with
+shadow:snapsharepath
+and disable
+shadow:snapsharepath
+setting\&.
+.sp
+Example: shadow:snapsharepath = path/to/share
+.sp
+Default: shadow:snapsharepath = NOT SPECIFIED
+.RE
+.PP
+shadow:sort = asc/desc
+.RS 4
+By default, this module sorts the shadow copy data alphabetically before sending it to the client\&. With this parameter, one can specify the sort order\&. Possible known values are desc (descending, the default) and asc (ascending)\&. If the file system lists directories alphabetically sorted, one can turn off sorting in this module by specifying any other value\&.
+.sp
+Example: shadow:sort = asc
+.sp
+Example: shadow:sort = none
+.sp
+Default: shadow:sort = desc
 .RE
 .PP
 shadow:localtime = yes/no
 .RS 4
+This is an optional parameter that indicates whether the snapshot names are in UTC/GMT or in local time\&. By default UTC is expected\&.
+This is an optional parameter that indicates whether the snapshot names are in UTC/GMT or in local time\&. If it is disabled then UTC/GMT is expected\&.
+.sp
+shadow:localtime = no
 .RE
 .PP
 shadow:format = format specification for snapshot names
 .RS 4
+This is an optional parameter that specifies the format specification for the naming of snapshots\&. The format must be compatible with the conversion specifications recognized by str[fp]time\&. The default value is "@GMT\-%Y\&.%m\&.%d\-%H\&.%M\&.%S"\&.
+This is an optional parameter that specifies the format specification for the naming of snapshots in the file system\&. The format must be compatible with the conversion specifications recognized by str[fp]time\&.
+.sp
+Default: shadow:format = "@GMT\-%Y\&.%m\&.%d\-%H\&.%M\&.%S"
+.RE
+.PP
+shadow:sscanf = yes/no
+.RS 4
+This parameter can be used to specify that the time in format string is given as an unsigned long integer (%lu) rather than a time strptime() can parse\&. The result must be a unix time_t time\&.
+.sp
+Default: shadow:sscanf = no
 .RE
 .PP
 …
 shadow:fixinodes
 then this module will modify the apparent inode number of files in the snapshot directories using a hash of the files path\&. This is needed for snapshot systems where the snapshots have the same device:inode number as the original files (such as happens with GPFS snapshots)\&. If you don\*(Aqt set this option then the \*(Aqrestore\*(Aq button in the shadow copy UI will fail with a sharing violation\&.
+.sp
+Default: shadow:fixinodes = no
+.RE
+.PP
+shadow:snapdirseverywhere = yes/no
+.RS 4
+If you enable
+shadow:snapdirseverywhere
+then this module will look out for snapshot directories in the current working directory and all parent directories, stopping at the mount point by default\&. But see
+shadow:crossmountpoints
+how to change that behaviour\&.
+.sp
+An example where this is needed are independent filesets in IBM\*(Aqs GPFS, but other filesystems might support snapshotting only particular subtrees of the filesystem as well\&.
+.sp
+Note that
+shadow:snapdirseverywhere
+depends on
+shadow:snapdir
+and needs it to be a relative path\&. Setting an absolute snapdir path disables
+shadow:snapdirseverywhere\&.
+.sp
+Note that this option is incompatible with the
+shadow:basedir
+option and removes the
+shadow:basedir
+setting by itself\&.
+.sp
+Example: shadow:snapdirseverywhere = yes
+.sp
+Default: shadow:snapdirseverywhere = no
+.RE
+.PP
+shadow:crossmountpoints = yes/no
+.RS 4
+This option is effective in the case of
+shadow:snapdirseverywhere = yes\&. Setting this option makes the module not stop at the first mount point encountered when looking for snapdirs, but lets it search potentially all through the path instead\&.
+.sp
+An example where this is needed are independent filesets in IBM\*(Aqs GPFS, but other filesystems might support snapshotting only particular subtrees of the filesystem as well\&.
+.sp
+Note that
+shadow:crossmountpoints
+depends on
+shadow:snapdir
+and needs it to be a relative path\&. Setting an absolute snapdir path disables
+shadow:crossmountpoints\&.
+.sp
+Note that this option is incompatible with the
+shadow:basedir
+option and removes the
+shadow:basedir
+setting by itself\&.
+.sp
+Example: shadow:crossmountpoints = yes
+.sp
+Default: shadow:crossmountpoints = no
 .RE
 .SH "EXAMPLES"
 …
 .SH "VERSION"
 .PP
 This man page is correct for version 3\&.2\&.7 of the Samba suite\&.
+This man page is correct for version 4\&.0 of the Samba suite\&.
 .SH "AUTHOR"
 .PP

vendor/current/docs/manpages/vfs_streams_depot.8

-              r860
+              r988
 .\"     Title: vfs_streams_depot
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/>
 .\"      Date: 09/18/2013
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 05/02/2016
 .\"    Manual: System Administration tools
 .\"    Source: Samba 3.6
+.\"    Source: Samba 4.4
 .\"  Language: English
 .\"
 .TH "VFS_STREAMS_DEPOT" "8" "09/18/2013" "Samba 3\&.6" "System Administration tools"
+.TH "VFS_STREAMS_DEPOT" "8" "05/02/2016" "Samba 4\&.4" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 …
 Path of the directory where the alternate data streams should be stored\&. Defaults to the sharepath/\&.streams\&.
 .RE
+.PP
+streams_depot:delete_lost = [ yes | no ]
+.RS 4
+In the case of an already existing data streams directory for a newly created file the streams directory will be renamed to "lost\-%lu", random()\&. With this option lost stream directories will be removed instead of renamed\&.
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+no(default)
+\- rename lost streams to "lost\-%lu", random()\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+yes
+\- remove lost streams\&.
+.RE
+.sp
+.RE
+.RE
 .SH "EXAMPLES"
 .sp

vendor/current/docs/manpages/vfs_streams_xattr.8

-              r860
+              r988
 .\"     Title: vfs_streams_xattr
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/>
 .\"      Date: 09/18/2013
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 05/02/2016
 .\"    Manual: System Administration tools
 .\"    Source: Samba 3.6
+.\"    Source: Samba 4.4
 .\"  Language: English
 .\"
 .TH "VFS_STREAMS_XATTR" "8" "09/18/2013" "Samba 3\&.6" "System Administration tools"
+.TH "VFS_STREAMS_XATTR" "8" "05/02/2016" "Samba 4\&.4" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 …
 The
 vfs_streams_xattr
+enables storing of NTFS alternate data streams in the file system\&. As a normal posix file system does not support the concept of multiple data streams per file, the streams_xattr module stores the data in posix extended attributes (xattrs)\&. The name of these attributes is user\&.DosStream\&."ADS\-NAME"\&.
+enables storing of NTFS alternate data streams in the file system\&. As a normal posix file system does not support the concept of multiple data streams per file, the streams_xattr module stores the data in posix extended attributes (xattrs)\&. The name of these attributes by default is user\&.DosStream\&."ADS\-NAME"\&. The prefix "user\&.DosStream\&." can be changed with the module option
+streams_xattr:prefix, but be aware that this will also expose those ADS over the SMB extended attributes interface\&.
 .PP
 The file system that is shared with this module enabled must support xattrs\&.
 .PP
 Please note that most file systems have severe limitations on the size of xattrs\&. So this module might work for applications like IE that stores small zone information in streams but will fail for applications that store serious amounts of data in ADSs\&.
+.PP
+CAUTION: Make sure to set "kernel oplocks = no" in smb\&.conf if if you use this module because this combination is currently broken\&. See Bug 7537 for details\&.
+.SH "OPTIONS"
+.PP
+streams_xattr:prefix = STRING
+.RS 4
+Name prefix used when storing an ADS in an xattr, defaults to
+user\&.DosStream\&.\&. Changing this will also expose ADS over the SMB extended attributes interface\&.
+.RE
+.PP
+streams_xattr:store_stream_type = [yes|no]
+.RS 4
+Whether the xattr names for Alternate Data Streams of type "$DATA" are suffixed by the stream type string ":$DATA"\&. The default is
+yes\&.
+.RE
 .SH "EXAMPLES"
 .sp

vendor/current/docs/manpages/vfs_time_audit.8

-              r860
+              r988
 .\"     Title: vfs_time_audit
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/>
 .\"      Date: 09/18/2013
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 05/02/2016
 .\"    Manual: System Administration tools
 .\"    Source: Samba 3.6
+.\"    Source: Samba 4.4
 .\"  Language: English
 .\"
 .TH "VFS_TIME_AUDIT" "8" "09/18/2013" "Samba 3\&.6" "System Administration tools"
+.TH "VFS_TIME_AUDIT" "8" "05/02/2016" "Samba 4\&.4" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 …
 time_audit
 VFS module logs system calls that take longer than the number of milliseconds defined by the variable
 time_audit:audit_timeout\&. It will log the calls and the time spent in it\&.
+time_audit:timeout\&. It will log the calls and the time spent in it\&.
 .PP
 It\*(Aqs kind of comparable with
 …
 .SH "OPTIONS"
 .PP
 time_audit:audit_timeout = number of milliseconds
+time_audit:timeout = number of milliseconds
 .RS 4
 VFS calls that take longer than the defined number of milliseconds that should be logged\&. The default is 10000 (10s)\&.
 …
         \m[blue]\fBpath = /test/sample_share\fR\m[]
         \m[blue]\fBvfs objects = time_audit\fR\m[]
         \m[blue]\fBtime_audit: audit_timeout = 3000\fR\m[]
+        \m[blue]\fBtime_audit:timeout = 3000\fR\m[]
 .fi
 .if n \{\
 …
 .SH "VERSION"
 .PP
 This man page is correct for version 3\&.6\&.0 of the Samba suite\&.
+This man page is correct for version 4\&.0\&.0 of the Samba suite\&.
 .SH "AUTHOR"
 .PP

vendor/current/docs/manpages/vfs_xattr_tdb.8

-              r860
+              r988
 .\"     Title: vfs_xattr_tdb
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/>
 .\"      Date: 09/18/2013
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 05/02/2016
 .\"    Manual: System Administration tools
 .\"    Source: Samba 3.6
+.\"    Source: Samba 4.4
 .\"  Language: English
 .\"
 .TH "VFS_XATTR_TDB" "8" "09/18/2013" "Samba 3\&.6" "System Administration tools"
+.TH "VFS_XATTR_TDB" "8" "05/02/2016" "Samba 4\&.4" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff

vendor/current/docs/manpages/vfstest.1

-              r860
+              r988
 .\"     Title: vfstest
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/>
 .\"      Date: 09/18/2013
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 05/02/2016
 .\"    Manual: User Commands
 .\"    Source: Samba 3.6
+.\"    Source: Samba 4.4
 .\"  Language: English
 .\"
 .TH "VFSTEST" "1" "09/18/2013" "Samba 3\&.6" "User Commands"
+.TH "VFSTEST" "1" "05/02/2016" "Samba 4\&.4" "User Commands"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 …
 \-c|\-\-command=command
 .RS 4
+Execute the specified (colon\-separated) commands\&. See below for the commands that are available\&.
+.RE
+.PP
+\-h|\-\-help
+.RS 4
+Print a summary of command line options\&.
+Execute the specified (\fBsemicolon\fR\-separated) commands\&. See below for the commands that are available\&.
 .RE
 .PP
 …
 will be appended\&. The log file is never removed by the client\&.
 .RE
-.PP
-\-d|\-\-debuglevel=level
-.RS 4
-\fIlevel\fR
-is an integer from 0 to 10\&. The default value if this parameter is not specified is 0\&.
-.sp
-The higher this value, the more detail will be logged to the log files about the activities of the server\&. At level 0, only critical errors and serious warnings will be logged\&. Level 1 is a reasonable level for day\-to\-day running \- it generates a small amount of information about operations carried out\&.
-.sp
-Levels above 1 will generate considerable amounts of log data, and should only be used when investigating a problem\&. Levels above 3 are designed for use only by developers and generate HUGE amounts of log data, most of which is extremely cryptic\&.
-.sp
-Note that specifying this parameter here will override the
-\m[blue]\fBlog level\fR\m[]
-parameter in the
-smb\&.conf
-file\&.
-.RE
-.PP
-\-V|\-\-version
-.RS 4
-Prints the program version number\&.
-.RE
-.PP
-\-s|\-\-configfile <configuration file>
-.RS 4
-The file specified contains the configuration details required by the server\&. The information in this file includes server\-specific information such as what printcap file to use, as well as descriptions of all the services that the server is to provide\&. See
-smb\&.conf
-for more information\&. The default configuration file name is determined at compile time\&.
-.RE
-.PP
-\-l|\-\-log\-basename=logdirectory
-.RS 4
-Base directory name for log/debug files\&. The extension
-\fB"\&.progname"\fR
-will be appended (e\&.g\&. log\&.smbclient, log\&.smbd, etc\&.\&.\&.)\&. The log file is never removed by the client\&.
-.RE
 .SH "COMMANDS"
 .PP
 …
 .RE
 .sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+getxattr
+\- VFS getxattr()
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+listxattr
+\- VFS listxattr()
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+setxattr
+\- VFS setxattr()
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+removexattr
+\- VFS removexattr()
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+fget_nt_acl
+\- VFS fget_nt_acl()
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+get_nt_acl
+\- VFS get_nt_acl()
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+fset_nt_acl
+\- VFS fset_nt_acl()
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+set_nt_acl
+\- VFS open() and fset_nt_acl()
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+fchmod_acl
+\- VFS fchmod_acl()
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+chmod_acl
+\- VFS chmod_acl()
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+sys_acl_get_file
+\- VFS sys_acl_get_file()
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+sys_acl_get_fd
+\- VFS sys_acl_get_fd()
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+sys_acl_blob_get_file
+\- VFS sys_acl_blob_get_file()
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+sys_acl_blob_get_fd
+\- VFS sys_acl_blob_get_fd()
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+sys_acl_delete_def_file
+\- VFS sys_acl_delete_def_file()
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+test_chain
+\- test chain code
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+translate_name
+\- VFS translate_name()
+.RE
+.sp
 .RE
 .PP
 …
 .SH "VERSION"
 .PP
 This man page is correct for version 3 of the Samba suite\&.
+This man page is correct for version 3 and 4 of the Samba suite\&.
 .SH "AUTHOR"
 .PP
 The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
 .PP
 The vfstest man page was written by Jelmer Vernooij\&.
+The vfstest man page was written by Jelmer Vernooij\&. Updated version by Guenter Kukkukk\&.

vendor/current/docs/manpages/wbinfo.1

-              r860
+              r988
 .\"     Title: wbinfo
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/>
 .\"      Date: 09/18/2013
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 05/02/2016
 .\"    Manual: User Commands
 .\"    Source: Samba 3.6
+.\"    Source: Samba 4.4
 .\"  Language: English
 .\"
 .TH "WBINFO" "1" "09/18/2013" "Samba 3\&.6" "User Commands"
+.TH "WBINFO" "1" "05/02/2016" "Samba 4\&.4" "User Commands"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 …
 .SH "SYNOPSIS"
 .HP \w'\ 'u
 wbinfo [\-a\ user%password] [\-\-all\-domains] [\-\-allocate\-gid] [\-\-allocate\-uid] [\-c] [\-\-ccache\-save] [\-\-change\-user\-password] [\-D\ domain] [\-\-domain\ domain] [\-\-dsgetdcname\ domain] [\-g] [\-\-getdcname\ domain] [\-\-get\-auth\-user] [\-G\ gid] [\-\-gid\-info] [\-\-group\-info] [\-\-help|\-?] [\-i\ user] [\-I\ ip] [\-K\ user%password] [\-\-lanman] [\-m] [\-n\ name] [\-N\ netbios\-name] [\-\-ntlmv2] [\-\-online\-status] [\-\-own\-domain] [\-p] [\-P|\-\-ping\-dc] [\-r\ user] [\-R|\-\-lookup\-rids] [\-s\ sid] [\-\-separator] [\-\-set\-auth\-user\ user%password] [\-S\ sid] [\-\-sid\-aliases] [\-\-sid\-to\-fullname] [\-t] [\-u] [\-\-uid\-info\ uid] [\-\-usage] [\-\-user\-domgroups\ sid] [\-\-user\-sids\ sid] [\-U\ uid] [\-V] [\-\-verbose] [\-Y\ sid]
+wbinfo [\-a\ user%password] [\-\-all\-domains] [\-\-allocate\-gid] [\-\-allocate\-uid] [\-c] [\-\-ccache\-save] [\-\-change\-user\-password] [\-D\ domain] [\-\-dc\-info\ domain] [\-\-domain\ domain] [\-\-dsgetdcname\ domain] [\-g] [\-\-getdcname\ domain] [\-\-get\-auth\-user] [\-G\ gid] [\-\-gid\-info\ gid] [\-\-group\-info\ group] [\-\-help|\-?] [\-i\ user] [\-I\ ip] [\-K\ user%password] [\-\-krb5ccname\ cctype] [\-\-lanman] [\-\-logoff] [\-\-logoff\-uid\ uid] [\-\-logoff\-user\ username] [\-\-lookup\-sids] [\-m] [\-n\ name] [\-N\ netbios\-name] [\-\-ntlmv2] [\-\-online\-status] [\-\-own\-domain] [\-p] [\-P|\-\-ping\-dc] [\-\-pam\-logon\ user%password] [\-r\ user] [\-R|\-\-lookup\-rids] [\-\-remove\-gid\-mapping\ gid,sid] [\-\-remove\-uid\-mapping\ uid,sid] [\-s\ sid] [\-\-separator] [\-\-sequence] [\-\-set\-auth\-user\ user%password] [\-\-set\-gid\-mapping\ gid,sid] [\-\-set\-uid\-mapping\ uid,sid] [\-S\ sid] [\-\-sid\-aliases\ sid] [\-\-sid\-to\-fullname\ sid] [\-\-sids\-to\-unix\-ids\ sidlist] [\-t] [\-u] [\-\-uid\-info\ uid] [\-\-usage] [\-\-user\-domgroups\ sid] [\-\-user\-sidinfo\ sid] [\-\-user\-sids\ sid] [\-U\ uid] [\-V] [\-\-verbose] [\-Y\ sid]
 .SH "DESCRIPTION"
 .PP
 …
 .RE
 .PP
+\-\-dc\-info \fIdomain\fR
+.RS 4
+Displays information about the current domain controller for a domain\&.
+.RE
+.PP
 \-\-domain \fIname\fR
 .RS 4
 This parameter sets the domain on which any specified operations will performed\&. If special domain name \*(Aq\&.\*(Aq is used to represent the current domain to which
 \fBwinbindd\fR(8)
+belongs\&. Currently only the
+\fB\-u\fR, and
+\fB\-g\fR
+options honor this parameter\&.
+belongs\&. A \*(Aq*\*(Aq as the domain name means to enumerate over all domains (NOTE: This can take a long time and use a lot of memory)\&.
 .RE
 .PP
 …
 .RE
 .PP
 \-\-group\-info \fIuser\fR
 .RS 4
 Get group info for user\&.
+\-\-group\-info \fIgroup\fR
+.RS 4
+Get group info from group name\&.
 .RE
 .PP
 …
 This option will list all groups available in the Windows NT domain for which the
 \fBsamba\fR(7)
 daemon is operating in\&. Groups in all trusted domains will also be listed\&. Note that this operation does not assign group ids to any groups that have not already been seen by
+daemon is operating in\&. Groups in all trusted domains can be listed with the \-\-domain=\*(Aq*\*(Aq option\&. Note that this operation does not assign group ids to any groups that have not already been seen by
 \fBwinbindd\fR(8)\&.
 .RE
 …
 .RE
 .PP
+\-\-krb5ccname \fIKRB5CCNAME\fR
+.RS 4
+Allows one to request a sepcific kerberos credential cache type used for authentication\&.
+.RE
+.PP
 \-\-lanman
 .RS 4
 Use lanman cryptography for user authentication\&.
+.RE
+.PP
+\-\-logoff
+.RS 4
+Logoff a user\&.
+.RE
+.PP
+\-\-logoff\-uid \fIUID\fR
+.RS 4
+Define user uid used during logoff request\&.
+.RE
+.PP
+\-\-logoff\-user \fIUSERNAME\fR
+.RS 4
+Define username used during logoff request\&.
+.RE
+.PP
+\-\-lookup\-sids \fISID1,SID2\&.\&.\&.\fR
+.RS 4
+Looks up SIDs\&. SIDs must be specified as ASCII strings in the traditional Microsoft format\&. For example, S\-1\-5\-21\-1455342024\-3071081365\-2475485837\-500\&.
 .RE
 .PP
 …
 \fBwinbindd\fR(8)
 for the SID associated with the name specified\&. Domain names can be specified before the user name by using the winbind separator character\&. For example CWDOM1/Administrator refers to the Administrator user in the domain CWDOM1\&. If no domain is specified then the domain used is the one specified in the
+\fBsmb.conf\fR(5)
+\fIworkgroup \fR
+\fBsmb.conf\fR(5)\fIworkgroup \fR
 parameter\&.
 .RE
 …
 .RE
 .PP
+\-\-pam\-logon \fIusername%password\fR
+.RS 4
+Attempt to authenticate a user in the same way pam_winbind would do\&.
+.RE
+.PP
 \-p|\-\-ping
 .RS 4
 …
 .RS 4
 Converts RIDs to names\&. Uses a comma separated list of rids\&.
+.RE
+.PP
+\-\-remove\-gid\-mapping \fIGID,SID\fR
+.RS 4
+Removes an existing GID to SID mapping from the database\&.
+.RE
+.PP
+\-\-remove\-uid\-mapping \fIUID,SID\fR
+.RS 4
+Removes an existing UID to SID mapping from the database\&.
 .RE
 .PP
 …
 .RE
 .PP
+\-\-sequence
+.RS 4
+This command has been deprecated\&. Please use the \-\-online\-status option instead\&.
+.RE
+.PP
 \-\-set\-auth\-user \fIusername%password\fR
 .RS 4
 …
 .RE
 .PP
+\-\-set\-gid\-mapping \fIGID,SID\fR
+.RS 4
+Create a GID to SID mapping in the database\&.
+.RE
+.PP
+\-\-set\-uid\-mapping \fIUID,SID\fR
+.RS 4
+Create a UID to SID mapping in the database\&.
+.RE
+.PP
 \-S|\-\-sid\-to\-uid \fIsid\fR
 .RS 4
 …
 .RS 4
 Converts a SID to a full username (DOMAIN\eusername)\&.
+.RE
+.PP
+\-\-sids\-to\-unix\-ids \fIsid1,sid2,sid3\&.\&.\&.\fR
+.RS 4
+Resolve SIDs to Unix IDs\&. SIDs must be specified as ASCII strings in the traditional Microsoft format\&. For example, S\-1\-5\-21\-1455342024\-3071081365\-2475485837\-500\&.
 .RE
 .PP
 …
 This option will list all users available in the Windows NT domain for which the
 \fBwinbindd\fR(8)
 daemon is operating in\&. Users in all trusted domains will also be listed\&. Note that this operation does not assign user ids to any users that have not already been seen by
+daemon is operating in\&. Users in all trusted domains can be listed with the \-\-domain=\*(Aq*\*(Aq option\&. Note that this operation does not assign user ids to any users that have not already been seen by
 \fBwinbindd\fR(8)
 \&.
 …
 .RE
 .PP
+\-\-user\-sidinfo \fIsid\fR
+.RS 4
+Get user info by sid\&.
+.RE
+.PP
 \-\-user\-sids \fIsid\fR
 .RS 4
 …
 \fBwinbindd\fR(8)
 then the operation will fail\&.
-.RE
-.PP
-\-V|\-\-version
-.RS 4
-Prints the program version number\&.
-.RE
-.PP
-\-h|\-\-help
-.RS 4
-Print a summary of command line options\&.
 .RE
 .SH "EXIT STATUS"

vendor/current/docs/manpages/winbind_krb5_locator.7

-              r860
+              r988
 .\"     Title: winbind_krb5_locator
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/>
 .\"      Date: 09/18/2013
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 05/02/2016
 .\"    Manual: 7
 .\"    Source: Samba 3.6
+.\"    Source: Samba 4.4
 .\"  Language: English
 .\"
 .TH "WINBIND_KRB5_LOCATOR" "7" "09/18/2013" "Samba 3\&.6" "7"
+.TH "WINBIND_KRB5_LOCATOR" "7" "05/02/2016" "Samba 4\&.4" "7"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 …
 suite\&.
 .PP
 winbind_krb5_locator
 is a plugin that permits MIT and Heimdal Kerberos libraries to detect Kerberos Servers (for the KDC and kpasswd service) using the same semantics that other tools of the Samba suite use\&. This include site\-aware DNS service record lookups and caching of closest dc\&. The plugin uses the public locator API provided by most modern Kerberos implementations\&.

vendor/current/docs/manpages/winbindd.8

-              r860
+              r988
 .\"     Title: winbindd
 .\"    Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/>
 .\"      Date: 09/18/2013
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 05/02/2016
 .\"    Manual: System Administration tools
 .\"    Source: Samba 3.6
+.\"    Source: Samba 4.4
 .\"  Language: English
 .\"
 .TH "WINBINDD" "8" "09/18/2013" "Samba 3\&.6" "System Administration tools"
+.TH "WINBINDD" "8" "05/02/2016" "Samba 4\&.4" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 …
 .SH "SYNOPSIS"
 .HP \w'\ 'u
 winbindd [\-D] [\-F] [\-S] [\-i] [\-d\ <debug\ level>] [\-s\ <smb\ config\ file>] [\-n]
+winbindd [\-D|\-\-daemon] [\-F|\-\-foreground] [\-S|\-\-stdout] [\-i|\-\-interactive] [\-d\ <debug\ level>] [\-s\ <smb\ config\ file>] [\-n|\-\-no\-caching] [\-\-no\-process\-group]
 .SH "DESCRIPTION"
 .PP
 …
 .SH "OPTIONS"
 .PP
 \-D
+\-D|\-\-daemon
 .RS 4
 If specified, this parameter causes the server to operate as a daemon\&. That is, it detaches itself and runs in the background on the appropriate port\&. This switch is assumed if
 …
 .RE
 .PP
 \-F
+\-F|\-\-foreground
 .RS 4
 If specified, this parameter causes the main
 …
 .RE
 .PP
 \-S
+\-S|\-\-stdout
 .RS 4
 If specified, this parameter causes
 …
 .RE
 .PP
+\-d|\-\-debuglevel=level
+.RS 4
+\fIlevel\fR
+is an integer from 0 to 10\&. The default value if this parameter is not specified is 0\&.
+.sp
+The higher this value, the more detail will be logged to the log files about the activities of the server\&. At level 0, only critical errors and serious warnings will be logged\&. Level 1 is a reasonable level for day\-to\-day running \- it generates a small amount of information about operations carried out\&.
+.sp
+Levels above 1 will generate considerable amounts of log data, and should only be used when investigating a problem\&. Levels above 3 are designed for use only by developers and generate HUGE amounts of log data, most of which is extremely cryptic\&.
+.sp
+Note that specifying this parameter here will override the
+\m[blue]\fBlog level\fR\m[]
+parameter in the
+smb\&.conf
+file\&.
+.RE
+.PP
+\-V|\-\-version
+.RS 4
+Prints the program version number\&.
+.RE
+.PP
+\-s|\-\-configfile <configuration file>
+.RS 4
+The file specified contains the configuration details required by the server\&. The information in this file includes server\-specific information such as what printcap file to use, as well as descriptions of all the services that the server is to provide\&. See
+smb\&.conf
+for more information\&. The default configuration file name is determined at compile time\&.
+.RE
+.PP
+\-l|\-\-log\-basename=logdirectory
+.RS 4
+Base directory name for log/debug files\&. The extension
+\fB"\&.progname"\fR
+will be appended (e\&.g\&. log\&.smbclient, log\&.smbd, etc\&.\&.\&.)\&. The log file is never removed by the client\&.
+.RE
+.PP
+\-h|\-\-help
+.RS 4
+Print a summary of command line options\&.
+.RE
+.PP
+\-i
+\-i|\-\-interactive
 .RS 4
 Tells
 …
 .RE
 .PP
+\-n
+.RS 4
+Disable caching\&. This means winbindd will always have to wait for a response from the domain controller before it can respond to a client and this thus makes things slower\&. The results will however be more accurate, since results from the cache might not be up\-to\-date\&. This might also temporarily hang winbindd if the DC doesn\*(Aqt respond\&.
+\-n|\-\-no\-caching
+.RS 4
+Disable some caching\&. This means winbindd will often have to wait for a response from the domain controller before it can respond to a client and this thus makes things slower\&. The results will however be more accurate, since results from the cache might not be up\-to\-date\&. This might also temporarily hang winbindd if the DC doesn\*(Aqt respond\&. This does not disable the samlogon cache, which is required for group membership tracking in trusted environments\&.
+.RE
+.PP
+\-\-no\-process\-group
+.RS 4
+Do not create a new process group for winbindd\&.
 .RE
 .SH "NAME AND ID RESOLUTION"
 …
 .IP \(bu 2.3
 .\}
 \m[blue]\fBwinbind separator\fR\m[]
 .RE
 …
 .IP \(bu 2.3
 .\}
 \m[blue]\fBidmap config * : range\fR\m[]
 .RE
 …
 .IP \(bu 2.3
 .\}
 \m[blue]\fBidmap config * : backend\fR\m[]
 .RE
 …
 .IP \(bu 2.3
 .\}
 \m[blue]\fBwinbind cache time\fR\m[]
 .RE
 …
 .IP \(bu 2.3
 .\}
 \m[blue]\fBwinbind enum users\fR\m[]
 .RE
 …
 .IP \(bu 2.3
 .\}
 \m[blue]\fBwinbind enum groups\fR\m[]
 .RE
 …
 .IP \(bu 2.3
 .\}
 \m[blue]\fBtemplate homedir\fR\m[]
 .RE
 …
 .IP \(bu 2.3
 .\}
 \m[blue]\fBtemplate shell\fR\m[]
 .RE
 …
 .IP \(bu 2.3
 .\}
 \m[blue]\fBwinbind use default domain\fR\m[]
 .RE
 …
 .IP \(bu 2.3
 .\}
 \m[blue]\fBwinbind: rpc only\fR\m[]
 Setting this parameter forces winbindd to use RPC instead of LDAP to retrieve information from Domain Controllers\&.
 …
 is configured\&.
 .PP
 If the the Windows NT SID to UNIX user and group id mapping file is damaged or destroyed then the mappings will be lost\&.
+If the Windows NT SID to UNIX user and group id mapping file is damaged or destroyed then the mappings will be lost\&.
 .SH "SIGNALS"
 .PP

Context Navigation

Legend:

Download in other formats: