Changeset 988 for vendor/current/docs/manpages/smb.conf.5

Timestamp:

Nov 24, 2016, 1:14:11 PM (9 years ago)

Author:

Silvan Scherrer

Message:

Samba Server: update vendor to version 4.4.3

File:

• vendor/current/docs/manpages/smb.conf.5 (modified) (238 diffs)

vendor/current/docs/manpages/smb.conf.5

@@ -2 +2 @@
 .\"     Title: smb.conf
 .\"    Author: [see the "AUTHOR" section]
-.\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/>
-.\"      Date: 09/18/2013
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 05/02/2016
 .\"    Manual: File Formats and Conventions
-.\"    Source: Samba 3.6
+.\"    Source: Samba 4.4
 .\"  Language: English
 .\"
-.TH "SMB\&.CONF" "5" "09/18/2013" "Samba 3\&.6" "File Formats and Conventions"
+.TH "SMB\&.CONF" "5" "05/02/2016" "Samba 4\&.4" "File Formats and Conventions"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
@@ -36 +36 @@
 file is a configuration file for the Samba suite\&.
 smb\&.conf
-contains runtime configuration information for the Samba programs\&. The
-smb\&.conf
-file is designed to be configured and administered by the
-\fBswat\fR(8)
-program\&. The complete description of the file format and possible parameters held within are here for reference purposes\&.
+contains runtime configuration information for the Samba programs\&. The complete description of the file format and possible parameters held within are here for reference purposes\&.
 .SH "FILE FORMAT"
 .PP
@@ -457 +453 @@
 %R
 .RS 4
-the selected protocol level after protocol negotiation\&. It can be one of CORE, COREPLUS, LANMAN1, LANMAN2 or NT1\&.
+the selected protocol level after protocol negotiation\&. It can be one of CORE, COREPLUS, LANMAN1, LANMAN2, NT1, SMB2_02, SMB2_10, SMB2_22, SMB2_24, SMB3_00, SMB3_02, SMB3_10, SMB3_11 or SMB2_FF\&.
 .RE
 .PP
@@ -475 +471 @@
 the IP address of the client machine\&.
 .sp
-Before 3\&.6\&.0 it could contain IPv4 mapped IPv6 addresses, now it only contains IPv4 or IPv6 addresses\&.
+Before 4\&.0\&.0 it could contain IPv4 mapped IPv6 addresses, now it only contains IPv4 or IPv6 addresses\&.
 .RE
 .PP
@@ -482 +478 @@
 the local IP address to which a client connected\&.
 .sp
-Before 3\&.6\&.0 it could contain IPv4 mapped IPv6 addresses, now it only contains IPv4 or IPv6 addresses\&.
+Before 4\&.0\&.0 it could contain IPv4 mapped IPv6 addresses, now it only contains IPv4 or IPv6 addresses\&.
 .RE
 .PP
@@ -598 +594 @@
 .PP
 By default, Samba 3\&.0 has the same semantics as a Windows NT server, in that it is case insensitive but case preserving\&. As a special case for directories with large numbers of files, if the case options are set as follows, "case sensitive = yes", "case preserve = no", "short preserve case = no" then the "default case" option will be applied and will modify all filenames sent from the client when accessing this share\&.
-.SH "NOTE ABOUT USERNAME/PASSWORD VALIDATION"
-.PP
-There are a number of ways in which a user can connect to a service\&. The server uses the following steps in determining if it will allow a connection to a specified service\&. If all the steps fail, the connection request is rejected\&. However, if one of the steps succeeds, the following steps are not checked\&.
-.PP
-If the service is marked
-\(lqguest only = yes\(rq
-and the server is running with share\-level security (\(lqsecurity = share\(rq, steps 1 to 5 are skipped\&.
-.sp
-.RS 4
-.ie n \{\
-\h'-04' 1.\h'+01'\c
-.\}
-.el \{\
-.sp -1
-.IP "  1." 4.2
-.\}
-If the client has passed a username/password pair and that username/password pair is validated by the UNIX system\*(Aqs password programs, the connection is made as that username\&. This includes the
-\e\eserver\eservice%\fIusername\fR
-method of passing a username\&.
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04' 2.\h'+01'\c
-.\}
-.el \{\
-.sp -1
-.IP "  2." 4.2
-.\}
-If the client has previously registered a username with the system and now supplies a correct password for that username, the connection is allowed\&.
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04' 3.\h'+01'\c
-.\}
-.el \{\
-.sp -1
-.IP "  3." 4.2
-.\}
-The client\*(Aqs NetBIOS name and any previously used usernames are checked against the supplied password\&. If they match, the connection is allowed as the corresponding user\&.
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04' 4.\h'+01'\c
-.\}
-.el \{\
-.sp -1
-.IP "  4." 4.2
-.\}
-If the client has previously validated a username/password pair with the server and the client has passed the validation token, that username is used\&.
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04' 5.\h'+01'\c
-.\}
-.el \{\
-.sp -1
-.IP "  5." 4.2
-.\}
-If a
-user =
-field is given in the
-smb\&.conf
-file for the service and the client has supplied a password, and that password matches (according to the UNIX system\*(Aqs password checking) with one of the usernames from the
-user =
-field, the connection is made as the username in the
-user =
-line\&. If one of the usernames in the
-user =
-list begins with a
-@, that name expands to a list of names in the group of the same name\&.
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04' 6.\h'+01'\c
-.\}
-.el \{\
-.sp -1
-.IP "  6." 4.2
-.\}
-If the service is a guest service, a connection is made as the username given in the
-guest account =
-for the service, irrespective of the supplied password\&.
-.RE
 .SH "REGISTRY-BASED CONFIGURATION"
 .PP
@@ -769 +677 @@
 \m[blue]\fBshutdown script\fR\m[]\&.
 .sp
-If the connected user posseses the
+If the connected user possesses the
 \fBSeRemoteShutdownPrivilege\fR, right, this command will be run as root\&.
 .sp
@@ -785 +693 @@
 If this parameter is
 \fByes\fR
-for a service, then the share hosted by the service will only be visible to users who have read or write access to the share during share enumeration (for example net view \e\esambaserver)\&. This has parallels to access based enumeration, the main difference being that only share permissions are evaluated, and security descriptors on files contained on the share are not used in computing enumeration access rights\&.
+for a service, then the share hosted by the service will only be visible to users who have read or write access to the share during share enumeration (for example net view \e\esambaserver)\&. The share ACLs which allow or deny the access to the share can be modified using for example the
+sharesec
+command or using the appropriate Windows tools\&. This has parallels to access based enumeration, the main difference being that only share permissions are evaluated, and security descriptors on files contained on the share are not used in computing enumeration access rights\&.
 .sp
 Default:
 \fI\fIaccess based share enum\fR\fR\fI = \fR\fIno\fR\fI \fR
+.RE
+
+acl allow execute always (S)
+.\" acl allow execute always
+.PP
+.RS 4
+This boolean parameter controls the behaviour of
+\fBsmbd\fR(8)
+when receiving a protocol request of "open for execution" from a Windows client\&. With Samba 3\&.6 and older, the execution right in the ACL was not checked, so a client could execute a file even if it did not have execute rights on the file\&. In Samba 4\&.0, this has been fixed, so that by default, i\&.e\&. when this parameter is set to "False", "open for execution" is now denied when execution permissions are not present\&.
+.sp
+If this parameter is set to "True", Samba does not check execute permissions on "open for execution", thus re\-establishing the behaviour of Samba 3\&.6\&. This can be useful to smoothen upgrades from older Samba versions to 4\&.0 and newer\&. This setting is not meant to be used as a permanent setting, but as a temporary relief: It is recommended to fix the permissions in the ACLs and reset this parameter to the default after a certain transition period\&.
+.sp
+Default:
+\fI\fIacl allow execute always\fR\fR\fI = \fR\fIno\fR\fI \fR
 .RE
 
@@ -795 +719 @@
 .PP
 .RS 4
+Please note this parameter is now deprecated in Samba 3\&.6\&.2 and will be removed in a future version of Samba\&.
+.sp
 This boolean parameter controls what
-\fBsmbd\fR(8)does on receiving a protocol request of "open for delete" from a Windows client\&. If a Windows client doesn\*(Aqt have permissions to delete a file then they expect this to be denied at open time\&. POSIX systems normally only detect restrictions on delete by actually attempting to delete the file or directory\&. As Windows clients can (and do) "back out" a delete request by unsetting the "delete on close" bit Samba cannot delete the file immediately on "open for delete" request as we cannot restore such a deleted file\&. With this parameter set to true (the default) then smbd checks the file system permissions directly on "open for delete" and denies the request without actually deleting the file if the file system permissions would seem to deny it\&. This is not perfect, as it\*(Aqs possible a user could have deleted a file without Samba being able to check the permissions correctly, but it is close enough to Windows semantics for mostly correct behaviour\&. Samba will correctly check POSIX ACL semantics in this case\&.
+\fBsmbd\fR(8)
+does on receiving a protocol request of "open for delete" from a Windows client\&. If a Windows client doesn\*(Aqt have permissions to delete a file then they expect this to be denied at open time\&. POSIX systems normally only detect restrictions on delete by actually attempting to delete the file or directory\&. As Windows clients can (and do) "back out" a delete request by unsetting the "delete on close" bit Samba cannot delete the file immediately on "open for delete" request as we cannot restore such a deleted file\&. With this parameter set to true (the default) then smbd checks the file system permissions directly on "open for delete" and denies the request without actually deleting the file if the file system permissions would seem to deny it\&. This is not perfect, as it\*(Aqs possible a user could have deleted a file without Samba being able to check the permissions correctly, but it is close enough to Windows semantics for mostly correct behaviour\&. Samba will correctly check POSIX ACL semantics in this case\&.
 .sp
 If this parameter is set to "false" Samba doesn\*(Aqt check permissions on "open for delete" and allows the open\&. If the user doesn\*(Aqt have permission to delete the file this will only be discovered at close time, which is too late for the Windows user tools to display an error message to the user\&. The symptom of this is files that appear to have been deleted "magically" re\-appearing on a Windows explorer refresh\&. This is an extremely advanced protocol option which should not need to be changed\&. This parameter was introduced in its final form in 3\&.0\&.21, an earlier version with slightly different semantics was introduced in 3\&.0\&.20\&. That older version is not documented here\&.
 .sp
 Default:
-\fI\fIacl check permissions\fR\fR\fI = \fR\fITrue\fR\fI \fR
-.RE
-
-acl compatibility (G)
-.\" acl compatibility
-.PP
-.RS 4
-This parameter specifies what OS ACL semantics should be compatible with\&. Possible values are
-\fIwinnt\fR
-for Windows NT 4,
-\fIwin2k\fR
-for Windows 2000 and above and
-\fIauto\fR\&. If you specify
-\fIauto\fR, the value for this parameter will be based upon the version of the client\&. There should be no reason to change this parameter from the default\&.
-.sp
-Default:
-\fI\fIacl compatibility\fR\fR\fI = \fR\fIAuto\fR\fI \fR
-.sp
-Example:
-\fI\fIacl compatibility\fR\fR\fI = \fR\fIwin2k\fR\fI \fR
+\fI\fIacl check permissions\fR\fR\fI = \fR\fIyes\fR\fI \fR
 .RE
 
@@ -831 +739 @@
 of a file or directory to modify the permissions and ACLs on that file\&.
 .sp
-On a Windows server, groups may be the owner of a file or directory \- thus allowing anyone in that group to modify the permissions on it\&. This allows the delegation of security controls on a point in the filesystem to the group owner of a directory and anything below it also owned by that group\&. This means there are multiple people with permissions to modify ACLs on a file or directory, easing managability\&.
+On a Windows server, groups may be the owner of a file or directory \- thus allowing anyone in that group to modify the permissions on it\&. This allows the delegation of security controls on a point in the filesystem to the group owner of a directory and anything below it also owned by that group\&. This means there are multiple people with permissions to modify ACLs on a file or directory, easing manageability\&.
 .sp
 This parameter allows Samba to also permit delegation of the control over a point in the exported directory hierarchy in much the same way as Windows\&. This allows all members of a UNIX group to control the permissions on a file or directory they have group ownership on\&.
@@ -837 +745 @@
 This parameter is best used with the
 \m[blue]\fBinherit owner\fR\m[]
-option and also on on a share containing directories with the UNIX
+option and also on a share containing directories with the UNIX
 \fIsetgid bit\fR
 set on them, which causes new files and directories created within it to inherit the group ownership from the containing directory\&.
 .sp
-This is parameter has been was deprecated in Samba 3\&.0\&.23, but re\-activated in Samba 3\&.0\&.31 and above, as it now only controls permission changes if the user is in the owning primary group\&. It is now no longer equivalent to the
+This parameter was deprecated in Samba 3\&.0\&.23, but re\-activated in Samba 3\&.0\&.31 and above, as it now only controls permission changes if the user is in the owning primary group\&. It is now no longer equivalent to the
 \fIdos filemode\fR
 option\&.
@@ -858 +766 @@
 .sp
 Default:
-\fI\fIacl map full control\fR\fR\fI = \fR\fITrue\fR\fI \fR
+\fI\fIacl map full control\fR\fR\fI = \fR\fIyes\fR\fI \fR
 .RE
 
@@ -898 +806 @@
 .RE
 
-add port command (G)
-.\" add port command
+addport command (G)
+.\" addport command
 .PP
 .RS 4
@@ -930 +838 @@
 .sp
 Default:
-\fI\fIadd port command\fR\fR\fI = \fR\fI\fR\fI \fR
-.sp
-Example:
-\fI\fIadd port command\fR\fR\fI = \fR\fI/etc/samba/scripts/addport\&.sh\fR\fI \fR
+\fI\fIaddport command\fR\fR\fI = \fR\fI\fR\fI \fR
+.sp
+Example:
+\fI\fIaddport command\fR\fR\fI = \fR\fI/etc/samba/scripts/addport\&.sh\fR\fI \fR
 .RE
 
@@ -1152 +1060 @@
 \fION DEMAND\fR
 when a user accesses the Samba server\&.
-.sp
-In order to use this option,
-\fBsmbd\fR(8)
-must
-\fINOT\fR
-be set to
-\m[blue]\fBsecurity = share\fR\m[]
-and
-\m[blue]\fBadd user script\fR\m[]
-must be set to a full pathname for a script that will create a UNIX user given one argument of
-\fI%u\fR, which expands into the UNIX user name to create\&.
 .sp
 When the Windows user attempts to access the Samba server, at login (session setup in the SMB protocol) time,
@@ -1200 +1097 @@
 .RS 4
 Full path to the script that will be called when a user is added to a group using the Windows NT domain administration tools\&. It will be run by
-\fBsmbd\fR(8)
-\fIAS ROOT\fR\&. Any
+\fBsmbd\fR(8)\fIAS ROOT\fR\&. Any
 \fI%g\fR
 will be replaced with the group name and any
@@ -1242 +1138 @@
 You should use this option very carefully, as any user in this list will be able to do anything they like on the share, irrespective of file permissions\&.
 .sp
-This parameter will not work with the
-\m[blue]\fBsecurity = share\fR\m[]
-in Samba 3\&.0\&. This is by design\&.
-.sp
 Default:
 \fI\fIadmin users\fR\fR\fI = \fR\fI\fR\fI \fR
@@ -1265 +1157 @@
 .RE
 
+afs token lifetime (G)
+.\" afs token lifetime
+.PP
+.RS 4
+This parameter controls the lifetime of tokens that the AFS fake\-kaserver claims\&. In reality these never expire but this lifetime controls when the afs client will forget the token\&.
+.sp
+Set this parameter to 0 to get
+\fBNEVERDATE\fR\&.
+.sp
+Default:
+\fI\fIafs token lifetime\fR\fR\fI = \fR\fI604800\fR\fI \fR
+.RE
+
 afs username map (G)
 .\" afs username map
@@ -1278 +1183 @@
 Example:
 \fI\fIafs username map\fR\fR\fI = \fR\fI%u@afs\&.samba\&.org\fR\fI \fR
+.RE
+
+aio max threads (G)
+.\" aio max threads
+.PP
+.RS 4
+The integer parameter specifies the maximum number of threads each smbd process will create when doing parallel asynchronous IO calls\&. If the number of outstanding calls is greater than this number the requests will not be refused but go onto a queue and will be scheduled in turn as outstanding requests complete\&.
+.sp
+Related command:
+\m[blue]\fBaio read size\fR\m[]
+.sp
+Related command:
+\m[blue]\fBaio write size\fR\m[]
+.sp
+Default:
+\fI\fIaio max threads\fR\fR\fI = \fR\fI100\fR\fI \fR
 .RE
 
@@ -1345 +1266 @@
 This determines how Samba will use its algorithmic mapping from uids/gid to the RIDs needed to construct NT Security Identifiers\&.
 .sp
-Setting this option to a larger value could be useful to sites transitioning from WinNT and Win2k, as existing user and group rids would otherwise clash with sytem users etc\&.
+Setting this option to a larger value could be useful to sites transitioning from WinNT and Win2k, as existing user and group rids would otherwise clash with system users etc\&.
 .sp
 All UIDs and GIDs must be able to be resolved into SIDs for the correct operation of ACLs on the server\&. As such the algorithmic mapping can\*(Aqt be \*(Aqturned off\*(Aq, but pushing it \*(Aqout of the way\*(Aq should resolve the issues\&. Users and groups can then be assigned \*(Aqlow\*(Aq RIDs in arbitrary\-rid supporting backends\&.
@@ -1369 +1290 @@
 Example:
 \fI\fIallocation roundup size\fR\fR\fI = \fR\fI0 # (to disable roundups)\fR\fI \fR
+.RE
+
+allow dcerpc auth level connect (G)
+.\" allow dcerpc auth level connect
+.PP
+.RS 4
+This option controls whether DCERPC services are allowed to be used with DCERPC_AUTH_LEVEL_CONNECT, which provides authentication, but no per message integrity nor privacy protection\&.
+.sp
+Some interfaces like samr, lsarpc and netlogon have a hard\-coded default of
+\fBno\fR
+and epmapper, mgmt and rpcecho have a hard\-coded default of
+\fByes\fR\&.
+.sp
+The behavior can be overwritten per interface name (e\&.g\&. lsarpc, netlogon, samr, srvsvc, winreg, wkssvc \&.\&.\&.) by using \*(Aqallow dcerpc auth level connect:interface = yes\*(Aq as option\&.
+.sp
+This option yields precedence to the implementation specific restrictions\&. E\&.g\&. the drsuapi and backupkey protocols require DCERPC_AUTH_LEVEL_PRIVACY\&. The dnsserver protocol requires DCERPC_AUTH_LEVEL_INTEGRITY\&.
+.sp
+Default:
+\fI\fIallow dcerpc auth level connect\fR\fR\fI = \fR\fIno\fR\fI \fR
+.sp
+Example:
+\fI\fIallow dcerpc auth level connect\fR\fR\fI = \fR\fIyes\fR\fI \fR
+.RE
+
+allow dns updates (G)
+.\" allow dns updates
+.PP
+.RS 4
+This option determines what kind of updates to the DNS are allowed\&.
+.sp
+DNS updates can either be disallowed completely by setting it to
+\fBdisabled\fR, enabled over secure connections only by setting it to
+\fBsecure only\fR
+or allowed in all cases by setting it to
+\fBnonsecure\fR\&.
+.sp
+Default:
+\fI\fIallow dns updates\fR\fR\fI = \fR\fIsecure only\fR\fI \fR
+.sp
+Example:
+\fI\fIallow dns updates\fR\fR\fI = \fR\fIdisabled\fR\fI \fR
 .RE
 
@@ -1397 +1359 @@
 .RE
 
+allow nt4 crypto (G)
+.\" allow nt4 crypto
+.PP
+.RS 4
+This option controls whether the netlogon server (currently only in \*(Aqactive directory domain controller\*(Aq mode), will reject clients which does not support NETLOGON_NEG_STRONG_KEYS nor NETLOGON_NEG_SUPPORTS_AES\&.
+.sp
+This option was added with Samba 4\&.2\&.0\&. It may lock out clients which worked fine with Samba versions up to 4\&.1\&.x\&. as the effective default was "yes" there, while it is "no" now\&.
+.sp
+If you have clients without RequireStrongKey = 1 in the registry, you may need to set "allow nt4 crypto = yes", until you have fixed all clients\&.
+.sp
+"allow nt4 crypto = yes" allows weak crypto to be negotiated, maybe via downgrade attacks\&.
+.sp
+This option yields precedence to the \*(Aqreject md5 clients\*(Aq option\&.
+.sp
+Default:
+\fI\fIallow nt4 crypto\fR\fR\fI = \fR\fIno\fR\fI \fR
+.RE
+
 allow trusted domains (G)
 .\" allow trusted domains
@@ -1413 +1393 @@
 Default:
 \fI\fIallow trusted domains\fR\fR\fI = \fR\fIyes\fR\fI \fR
-.RE
-
-announce as (G)
-.\" announce as
-.PP
-.RS 4
-This specifies what type of server
-\fBnmbd\fR(8)
-will announce itself as, to a network neighborhood browse list\&. By default this is set to Windows NT\&. The valid options are : "NT Server" (which can also be written as "NT"), "NT Workstation", "Win95" or "WfW" meaning Windows NT Server, Windows NT Workstation, Windows 95 and Windows for Workgroups respectively\&. Do not change this parameter unless you have a specific need to stop Samba appearing as an NT server as this may prevent Samba servers from participating as browser servers correctly\&.
-.sp
-Default:
-\fI\fIannounce as\fR\fR\fI = \fR\fINT Server\fR\fI \fR
-.sp
-Example:
-\fI\fIannounce as\fR\fR\fI = \fR\fIWin95\fR\fI \fR
-.RE
-
-announce version (G)
-.\" announce version
-.PP
-.RS 4
-This specifies the major and minor version numbers that nmbd will use when announcing itself as a server\&. The default is 4\&.9\&. Do not change this parameter unless you have a specific need to set a Samba server to be a downlevel server\&.
-.sp
-Default:
-\fI\fIannounce version\fR\fR\fI = \fR\fI4\&.9\fR\fI \fR
-.sp
-Example:
-\fI\fIannounce version\fR\fR\fI = \fR\fI2\&.0\fR\fI \fR
 .RE
 
@@ -1481 +1433 @@
 Example:
 \fI\fIauth methods\fR\fR\fI = \fR\fIguest sam winbind\fR\fI \fR
+.RE
+
+preload
+.\" preload
+.PP
+.RS 4
+This parameter is a synonym for
+auto services\&.
+.RE
+
+auto services (G)
+.\" auto services
+.PP
+.RS 4
+This is a list of services that you want to be automatically added to the browse lists\&. This is most useful for homes and printers services that would otherwise not be visible\&.
+.sp
+Note that if you just want all printers in your printcap file loaded then the
+\m[blue]\fBload printers\fR\m[]
+option is easier\&.
+.sp
+Default:
+\fI\fIauto services\fR\fR\fI = \fR\fI\fR\fI \fR
+.sp
+Example:
+\fI\fIauto services\fR\fR\fI = \fR\fIfred lp colorlp\fR\fI \fR
 .RE
 
@@ -1543 +1520 @@
 parameter list
 \fBsmbpasswd\fR(8)
-and
-\fBswat\fR(8)
 may not work as expected due to the reasons covered below\&.
 .sp
@@ -1562 +1537 @@
 smbpasswd
 can be forced to use the primary IP interface of the local host by using its
-\fBsmbpasswd\fR(8)
-\fI\-r \fR\fI\fIremote machine\fR\fR
+\fBsmbpasswd\fR(8)\fI\-r \fR\fI\fIremote machine\fR\fR
 parameter, with
 \fIremote machine\fR
 set to the IP name of the primary interface of the local host\&.
-.sp
-The
-swat
-status page tries to connect with
-smbd
-and
-nmbd
-at the address
-\fI127\&.0\&.0\&.1\fR
-to determine if they are running\&. Not adding
-\fI127\&.0\&.0\&.1\fR
-will cause
-smbd
-and
-nmbd
-to always show "not running" even if they really are\&. This can prevent
-swat
-from starting/stopping/restarting
-smbd
-and
-nmbd\&.
 .sp
 Default:
@@ -1676 +1629 @@
 .sp
 Default:
-\fI\fIcache directory\fR\fR\fI = \fR\fI${prefix}/var/locks\fR\fI \fR
+\fI\fIcache directory\fR\fR\fI = \fR\fI${prefix}/var/cache\fR\fI \fR
 .sp
 Example:
@@ -1701 +1654 @@
 .RE
 
-change notify (S)
+change notify (G)
 .\" change notify
 .PP
@@ -1734 +1687 @@
 will automatically invoke the
 \fIchange share command\fR
-with five parameters\&.
+with six parameters\&.
 .sp
 .RS 4
@@ -1798 +1751 @@
 .RE
 .sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fICSC policy\fR
+\- client side caching policy in string form\&. Valid values are: manual, documents, programs, disable\&.
+.RE
+.sp
 .RE
 This parameter is only used to modify existing file share definitions\&. To modify printer shares, use the "Printers\&.\&.\&." folder as seen when browsing the Samba host\&.
@@ -1821 +1786 @@
 .sp
 Default:
-\fI\fIcheck password script\fR\fR\fI = \fR\fIDisabled\fR\fI \fR
+\fI\fIcheck password script\fR\fR\fI = \fR\fI # Disabled\fR\fI \fR
 .sp
 Example:
 \fI\fIcheck password script\fR\fR\fI = \fR\fI/usr/local/sbin/crackcheck\fR\fI \fR
+.RE
+
+cldap port (G)
+.\" cldap port
+.PP
+.RS 4
+This option controls the port used by the CLDAP protocol\&.
+.sp
+Default:
+\fI\fIcldap port\fR\fR\fI = \fR\fI389\fR\fI \fR
+.sp
+Example:
+\fI\fIcldap port\fR\fR\fI = \fR\fI3389\fR\fI \fR
+.RE
+
+client ipc max protocol (G)
+.\" client ipc max protocol
+.PP
+.RS 4
+The value of the parameter (a string) is the highest protocol level that will be supported for IPC$ connections as DCERPC transport\&.
+.sp
+Normally this option should not be set as the automatic negotiation phase in the SMB protocol takes care of choosing the appropriate protocol\&.
+.sp
+The value
+\fBdefault\fR
+refers to the latest supported protocol, currently
+\fBSMB3_11\fR\&.
+.sp
+See
+\m[blue]\fBclient max protocol\fR\m[]
+for a full list of available protocols\&. The values CORE, COREPLUS, LANMAN1, LANMAN2 are silently upgraded to NT1\&.
+.sp
+Default:
+\fI\fIclient ipc max protocol\fR\fR\fI = \fR\fIdefault\fR\fI \fR
+.sp
+Example:
+\fI\fIclient ipc max protocol\fR\fR\fI = \fR\fISMB2_10\fR\fI \fR
+.RE
+
+client ipc min protocol (G)
+.\" client ipc min protocol
+.PP
+.RS 4
+This setting controls the minimum protocol version that the will be attempted to use for IPC$ connections as DCERPC transport\&.
+.sp
+Normally this option should not be set as the automatic negotiation phase in the SMB protocol takes care of choosing the appropriate protocol\&.
+.sp
+The value
+\fBdefault\fR
+refers to the higher value of
+\fBNT1\fR
+and the effective value of
+\m[blue]\fBclient min protocol\fR\m[]\&.
+.sp
+See
+\m[blue]\fBclient max protocol\fR\m[]
+for a full list of available protocols\&. The values CORE, COREPLUS, LANMAN1, LANMAN2 are silently upgraded to NT1\&.
+.sp
+Default:
+\fI\fIclient ipc min protocol\fR\fR\fI = \fR\fIdefault\fR\fI \fR
+.sp
+Example:
+\fI\fIclient ipc min protocol\fR\fR\fI = \fR\fISMB3_11\fR\fI \fR
+.RE
+
+client ipc signing (G)
+.\" client ipc signing
+.PP
+.RS 4
+This controls whether the client is allowed or required to use SMB signing for IPC$ connections as DCERPC transport\&. Possible values are
+\fIauto\fR,
+\fImandatory\fR
+and
+\fIdisabled\fR\&.
+.sp
+When set to mandatory or default, SMB signing is required\&.
+.sp
+When set to auto, SMB signing is offered, but not enforced and if set to disabled, SMB signing is not offered either\&.
+.sp
+Connections from winbindd to Active Directory Domain Controllers always enforce signing\&.
+.sp
+Default:
+\fI\fIclient ipc signing\fR\fR\fI = \fR\fIdefault\fR\fI \fR
 .RE
 
@@ -1867 +1915 @@
 are only available if Samba has been compiled against a modern OpenLDAP version (2\&.3\&.x or higher)\&.
 .sp
-This option is needed in the case of Domain Controllers enforcing the usage of signed LDAP connections (e\&.g\&. Windows 2000 SP3 or higher)\&. LDAP sign and seal can be controlled with the registry key "HKLM\eSystem\eCurrentControlSet\eServices\e
-NTDS\eParameters\eLDAPServerIntegrity" on the Windows server side\&.
+This option is needed in the case of Domain Controllers enforcing the usage of signed LDAP connections (e\&.g\&. Windows 2000 SP3 or higher)\&. LDAP sign and seal can be controlled with the registry key "HKLM\eSystem\eCurrentControlSet\eServices\eNTDS\eParameters\eLDAPServerIntegrity" on the Windows server side\&.
 .sp
 Depending on the used KRB5 library (MIT and older Heimdal versions) it is possible that the message "integrity only" is not supported\&. In this case,
@@ -1876 +1923 @@
 .sp
 The default value is
-\fIplain\fR
-which is not irritable to KRB5 clock skew errors\&. That implies synchronizing the time with the KDC in the case of using
-\fIsign\fR
-or
-\fIseal\fR\&.
-.sp
-Default:
-\fI\fIclient ldap sasl wrapping\fR\fR\fI = \fR\fIplain\fR\fI \fR
-.RE
-
-client ntlmv2 auth (G)
-.\" client ntlmv2 auth
+\fIsign\fR\&. That implies synchronizing the time with the KDC in the case of using
+\fIKerberos\fR\&.
+.sp
+Default:
+\fI\fIclient ldap sasl wrapping\fR\fR\fI = \fR\fIsign\fR\fI \fR
+.RE
+
+client max protocol (G)
+.\" client max protocol
+.PP
+.RS 4
+The value of the parameter (a string) is the highest protocol level that will be supported by the client\&.
+.sp
+Possible values are :
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fBCORE\fR: Earliest version\&. No concept of user names\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fBCOREPLUS\fR: Slight improvements on CORE for efficiency\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fBLANMAN1\fR: First
+\fImodern\fR
+version of the protocol\&. Long filename support\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fBLANMAN2\fR: Updates to Lanman1 protocol\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fBNT1\fR: Current up to date version of the protocol\&. Used by Windows NT\&. Known as CIFS\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fBSMB2\fR: Re\-implementation of the SMB protocol\&. Used by Windows Vista and later versions of Windows\&. SMB2 has sub protocols available\&.
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fBSMB2_02\fR: The earliest SMB2 version\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fBSMB2_10\fR: Windows 7 SMB2 version\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fBSMB2_22\fR: Early Windows 8 SMB2 version\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fBSMB2_24\fR: Windows 8 beta SMB2 version\&.
+.RE
+.sp
+.RE
+By default SMB2 selects the SMB2_10 variant\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fBSMB3\fR: The same as SMB2\&. Used by Windows 8\&. SMB3 has sub protocols available\&.
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fBSMB3_00\fR: Windows 8 SMB3 version\&. (mostly the same as SMB2_24)
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fBSMB3_02\fR: Windows 8\&.1 SMB3 version\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fBSMB3_10\fR: early Windows 10 technical preview SMB3 version\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fBSMB3_11\fR: Windows 10 technical preview SMB3 version (maybe final)\&.
+.RE
+.sp
+.RE
+By default SMB3 selects the SMB3_11 variant\&.
+.RE
+.sp
+.RE
+Normally this option should not be set as the automatic negotiation phase in the SMB protocol takes care of choosing the appropriate protocol\&.
+.sp
+The value
+\fBdefault\fR
+refers to
+\fBNT1\fR\&.
+.sp
+IPC$ connections for DCERPC e\&.g\&. in winbindd, are handled by the
+\m[blue]\fBclient ipc max protocol\fR\m[]
+option\&.
+.sp
+Default:
+\fI\fIclient max protocol\fR\fR\fI = \fR\fIdefault\fR\fI \fR
+.sp
+Example:
+\fI\fIclient max protocol\fR\fR\fI = \fR\fILANMAN1\fR\fI \fR
+.RE
+
+client min protocol (G)
+.\" client min protocol
+.PP
+.RS 4
+This setting controls the minimum protocol version that the client will attempt to use\&.
+.sp
+Normally this option should not be set as the automatic negotiation phase in the SMB protocol takes care of choosing the appropriate protocol\&.
+.sp
+See
+Related command: \m[blue]\fBclient max protocol\fR\m[]
+for a full list of available protocols\&.
+.sp
+IPC$ connections for DCERPC e\&.g\&. in winbindd, are handled by the
+\m[blue]\fBclient ipc min protocol\fR\m[]
+option\&.
+.sp
+Default:
+\fI\fIclient min protocol\fR\fR\fI = \fR\fICORE\fR\fI \fR
+.sp
+Example:
+\fI\fIclient min protocol\fR\fR\fI = \fR\fINT1\fR\fI \fR
+.RE
+
+client NTLMv2 auth (G)
+.\" client NTLMv2 auth
 .PP
 .RS 4
@@ -1907 +2174 @@
 Note that Windows Vista and later versions already use NTLMv2 by default, and some sites (particularly those following \*(Aqbest practice\*(Aq security polices) only allow NTLMv2 responses, and not the weaker LM or NTLM\&.
 .sp
-Default:
-\fI\fIclient ntlmv2 auth\fR\fR\fI = \fR\fIyes\fR\fI \fR
+When
+\m[blue]\fBclient use spnego\fR\m[]
+is also set to
+\fByes\fR
+extended security (SPNEGO) is required in order to use NTLMv2 only within NTLMSSP\&. This behavior was introduced with the patches for CVE\-2016\-2111\&.
+.sp
+Default:
+\fI\fIclient NTLMv2 auth\fR\fR\fI = \fR\fIyes\fR\fI \fR
 .RE
 
@@ -1933 +2206 @@
 denies access if the server is not able to speak netlogon schannel\&.
 .sp
+Note that for active directory domains this is hardcoded to
+\m[blue]\fBclient schannel = yes\fR\m[]\&.
+.sp
+This option yields precedence to the
+\m[blue]\fBrequire strong key\fR\m[]
+option\&.
+.sp
 Default:
 \fI\fIclient schannel\fR\fR\fI = \fR\fIauto\fR\fI \fR
@@ -1950 +2230 @@
 \fIdisabled\fR\&.
 .sp
-When set to auto, SMB signing is offered, but not enforced\&. When set to mandatory, SMB signing is required and if set to disabled, SMB signing is not offered either\&.
-.sp
-Default:
-\fI\fIclient signing\fR\fR\fI = \fR\fIauto\fR\fI \fR
+When set to auto or default, SMB signing is offered, but not enforced\&.
+.sp
+When set to mandatory, SMB signing is required and if set to disabled, SMB signing is not offered either\&.
+.sp
+IPC$ connections for DCERPC e\&.g\&. in winbindd, are handled by the
+\m[blue]\fBclient ipc signing\fR\m[]
+option\&.
+.sp
+Default:
+\fI\fIclient signing\fR\fR\fI = \fR\fIdefault\fR\fI \fR
 .RE
 
@@ -1966 +2252 @@
 If enabled, Samba can attempt to use Kerberos to contact servers known only by IP address\&. Kerberos relies on names, so ordinarily cannot function in this situation\&.
 .sp
+This is a VERY BAD IDEA for security reasons, and so this parameter SHOULD NOT BE USED\&. It will be removed in a future version of Samba\&.
+.sp
 If disabled, Samba will use the name used to look up the server when asking the KDC for a ticket\&. This avoids situations where a server may impersonate another, soliciting authentication as one principal while being known on the network as another\&.
 .sp
 Note that Windows XP SP2 and later versions already follow this behaviour, and Windows Vista and later servers no longer supply this \*(Aqrfc4178 hint\*(Aq principal on the server side\&.
+.sp
+This parameter is deprecated in Samba 4\&.2\&.1 and will be removed (along with the functionality) in a later release of Samba\&.
 .sp
 Default:
@@ -1979 +2269 @@
 .RS 4
 This variable controls whether Samba clients will try to use Simple and Protected NEGOciation (as specified by rfc2478) with supporting servers (including WindowsXP, Windows2000 and Samba 3\&.0) to agree upon an authentication mechanism\&. This enables Kerberos authentication in particular\&.
+.sp
+When
+\m[blue]\fBclient NTLMv2 auth\fR\m[]
+is also set to
+\fByes\fR
+extended security (SPNEGO) is required in order to use NTLMv2 only within NTLMSSP\&. This behavior was introduced with the patches for CVE\-2016\-2111\&.
 .sp
 Default:
@@ -2092 +2388 @@
 .PP
 .RS 4
-Setting this paramter to
+Setting this parameter to
 no
 prevents winbind from creating custom krb5\&.conf files\&. Winbind normally does this because the krb5 libraries are not AD\-site\-aware and thus would pick any domain controller out of potentially very many\&. Winbind is site\-aware and makes the krb5 libraries use a local DC by creating its own krb5\&.conf files\&.
@@ -2132 +2428 @@
 for details\&.
 .sp
-Note that this parameter does not apply to permissions set by Windows NT/2000 ACL editors\&. If the administrator wishes to enforce a mask on access control lists also, they need to set the
-\m[blue]\fBsecurity mask\fR\m[]\&.
-.sp
 Default:
 \fI\fIcreate mask\fR\fR\fI = \fR\fI0744\fR\fI \fR
@@ -2193 +2486 @@
 .PP
 .RS 4
-This parameter specifies a timeout in seconds for the connection between Samba and ctdb\&. It is only valid if you have compiled Samba with clustering and if you have set
+This parameter specifies a timeout in milliseconds for the connection between Samba and ctdb\&. It is only valid if you have compiled Samba with clustering and if you have set
 \fIclustering=yes\fR\&.
 .sp
 When something in the cluster blocks, it can happen that we wait indefinitely long for ctdb, just adding to the blocking condition\&. In a well\-running cluster this should never happen, but there are too many components in a cluster that might have hickups\&. Choosing the right balance for this value is very tricky, because on a busy cluster long service times to transfer something across the cluster might be valid\&. Setting it too short will degrade the service your cluster presents, setting it too long might make the cluster itself not recover from something severely broken for too long\&.
 .sp
-Be aware that if you set this parameter, this needs to be in the file smb\&.conf, it is not really helpful to put this into a registry configuration (typical on a cluster), because to access the registry contact to ctdb is requred\&.
+Be aware that if you set this parameter, this needs to be in the file smb\&.conf, it is not really helpful to put this into a registry configuration (typical on a cluster), because to access the registry contact to ctdb is required\&.
 .sp
 Setting
 \fIctdb timeout\fR
-to n makes any process waiting longer than n seconds for a reply by the cluster panic\&. Setting it to 0 (the default) makes Samba block forever, which is the highly recommended default\&.
+to n makes any process waiting longer than n milliseconds for a reply by the cluster panic\&. Setting it to 0 (the default) makes Samba block forever, which is the highly recommended default\&.
 .sp
 Default:
@@ -2243 +2536 @@
 .sp
 Default:
-\fI\fIcups encrypt\fR\fR\fI = \fR\fI"no"\fR\fI \fR
+\fI\fIcups encrypt\fR\fR\fI = \fR\fIno\fR\fI \fR
 .RE
 
@@ -2295 +2588 @@
 .RE
 
+dcerpc endpoint servers (G)
+.\" dcerpc endpoint servers
+.PP
+.RS 4
+Specifies which DCE/RPC endpoint servers should be run\&.
+.sp
+Default:
+\fI\fIdcerpc endpoint servers\fR\fR\fI = \fR\fIepmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver\fR\fI \fR
+.sp
+Example:
+\fI\fIdcerpc endpoint servers\fR\fR\fI = \fR\fIrpcecho\fR\fI \fR
+.RE
+
 deadtime (G)
 .\" deadtime
@@ -2372 +2678 @@
 Default:
 \fI\fIdebug prefix timestamp\fR\fR\fI = \fR\fIno\fR\fI \fR
-.RE
-
-timestamp logs
-.\" timestamp logs
-.PP
-.RS 4
-This parameter is a synonym for
-debug timestamp\&.
-.RE
-
-debug timestamp (G)
-.\" debug timestamp
-.PP
-.RS 4
-Samba debug log messages are timestamped by default\&. If you are running at a high
-\m[blue]\fBdebug level\fR\m[]
-these timestamps can be distracting\&. This boolean parameter allows timestamping to be turned off\&.
-.sp
-Default:
-\fI\fIdebug timestamp\fR\fR\fI = \fR\fIyes\fR\fI \fR
 .RE
 
@@ -2504 +2790 @@
 .sp
 Default:
-\fI\fIdefer sharing violations\fR\fR\fI = \fR\fITrue\fR\fI \fR
+\fI\fIdefer sharing violations\fR\fR\fI = \fR\fIyes\fR\fI \fR
 .RE
 
@@ -2512 +2798 @@
 .RS 4
 This is the full pathname to a script that will be run
-\fIAS ROOT\fR
-\fBsmbd\fR(8)
+\fIAS ROOT\fR\fBsmbd\fR(8)
 when a group is requested to be deleted\&. It will expand any
 \fI%g\fR
@@ -2632 +2917 @@
 .RS 4
 Full path to the script that will be called when a user is removed from a group using the Windows NT domain administration tools\&. It will be run by
-\fBsmbd\fR(8)
-\fIAS ROOT\fR\&. Any
+\fBsmbd\fR(8)\fIAS ROOT\fR\&. Any
 \fI%g\fR
 will be replaced with the group name and any
@@ -2705 +2989 @@
 .sp
 Example:
-\fI\fIdfree cache time\fR\fR\fI = \fR\fIdfree cache time = 60\fR\fI \fR
+\fI\fIdfree cache time\fR\fR\fI = \fR\fI60\fR\fI \fR
 .RE
 
@@ -2767 +3051 @@
 .RE
 
+dgram port (G)
+.\" dgram port
+.PP
+.RS 4
+Specifies which ports the server should listen on for NetBIOS datagram traffic\&.
+.sp
+Default:
+\fI\fIdgram port\fR\fR\fI = \fR\fI138\fR\fI \fR
+.RE
+
 directory mode
 .\" directory mode
@@ -2791 +3085 @@
 parameter\&. This parameter is set to 000 by default (i\&.e\&. no extra mode bits are added)\&.
 .sp
-Note that this parameter does not apply to permissions set by Windows NT/2000 ACL editors\&. If the administrator wishes to enforce a mask on access control lists also, they need to set the
-\m[blue]\fBdirectory security mask\fR\m[]\&.
-.sp
 Default:
 \fI\fIdirectory mask\fR\fR\fI = \fR\fI0755\fR\fI \fR
@@ -2805 +3096 @@
 .PP
 .RS 4
-This parameter specifies the the size of the directory name cache\&. It will be needed to turn this off for *BSD systems\&.
+This parameter specifies the size of the directory name cache\&. It will be needed to turn this off for *BSD systems\&.
 .sp
 Default:
@@ -2815 +3106 @@
 .PP
 .RS 4
-This parameter controls what UNIX permission bits will be set when a Windows NT client is manipulating the UNIX permission on a directory using the native NT security dialog box\&.
-.sp
-This parameter is applied as a mask (AND\*(Aqed with) to the incoming permission bits, thus resetting any bits not in this mask\&. Make sure not to mix up this parameter with
-\m[blue]\fBforce directory security mode\fR\m[], which works similar like this one but uses logical OR instead of AND\&. Essentially, zero bits in this mask are a set of bits that will always be set to zero\&.
-.sp
-Essentially, all bits set to zero in this mask will result in setting to zero the corresponding bits on the file permissions regardless of the previous status of this bits on the file\&.
-.sp
-If not set explicitly this parameter is set to 0777 meaning a user is allowed to set all the user/group/world permissions on a directory\&.
-.sp
-\fINote\fR
-that users who can access the Samba server through other means can easily bypass this restriction, so it is primarily useful for standalone "appliance" systems\&. Administrators of most normal systems will probably want to leave it as the default of
-\fB0777\fR\&.
-.sp
-Default:
-\fI\fIdirectory security mask\fR\fR\fI = \fR\fI0777\fR\fI \fR
-.sp
-Example:
-\fI\fIdirectory security mask\fR\fR\fI = \fR\fI0700\fR\fI \fR
+This parameter has been removed for Samba 4\&.0\&.0\&.
+.sp
+\fINo default\fR
 .RE
 
@@ -2870 +3146 @@
 .RE
 
-display charset (G)
-.\" display charset
-.PP
-.RS 4
-Specifies the charset that samba will use to print messages to stdout and stderr\&. The default value is "LOCALE", which means automatically set, depending on the current locale\&. The value should generally be the same as the value of the parameter
-\m[blue]\fBunix charset\fR\m[]\&.
-.sp
-Default:
-\fI\fIdisplay charset\fR\fR\fI = \fR\fI"LOCALE" or "ASCII" (depending on the system)\fR\fI \fR
-.sp
-Example:
-\fI\fIdisplay charset\fR\fR\fI = \fR\fIUTF8\fR\fI \fR
-.RE
-
 dmapi support (S)
 .\" dmapi support
@@ -2896 +3158 @@
 Default:
 \fI\fIdmapi support\fR\fR\fI = \fR\fIno\fR\fI \fR
+.RE
+
+dns forwarder (G)
+.\" dns forwarder
+.PP
+.RS 4
+This option specifies the DNS server that DNS requests will be forwarded to if they can not be handled by Samba itself\&.
+.sp
+The DNS forwarder is only used if the internal DNS server in Samba is used\&.
+.sp
+Default:
+\fI\fIdns forwarder\fR\fR\fI = \fR\fI\fR\fI \fR
+.sp
+Example:
+\fI\fIdns forwarder\fR\fR\fI = \fR\fI192\&.168\&.0\&.1\fR\fI \fR
 .RE
 
@@ -2913 +3190 @@
 Default:
 \fI\fIdns proxy\fR\fR\fI = \fR\fIyes\fR\fI \fR
+.RE
+
+dns update command (G)
+.\" dns update command
+.PP
+.RS 4
+This option sets the command that is called when there are DNS updates\&. It should update the local machines DNS names using TSIG\-GSS\&.
+.sp
+Default:
+\fI\fIdns update command\fR\fR\fI = \fR\fI${prefix}/sbin/samba_dnsupdate\fR\fI \fR
+.sp
+Example:
+\fI\fIdns update command\fR\fR\fI = \fR\fI/usr/local/sbin/dnsupdate\fR\fI \fR
 .RE
 
@@ -3033 +3323 @@
 .PP
 .RS 4
-Under DOS and Windows, if a user can write to a file they can change the timestamp on it\&. Under POSIX semantics, only the owner of the file or root may change the timestamp\&. By default, Samba emulates the DOS semantics and allows to change the timestamp on a file if the user
+Under DOS and Windows, if a user can write to a file they can change the timestamp on it\&. Under POSIX semantics, only the owner of the file or root may change the timestamp\&. By default, Samba emulates the DOS semantics and allows one to change the timestamp on a file if the user
 smbd
 is acting on behalf has write permissions\&. Due to changes in Microsoft Office 2000 and beyond, the default for this parameter has been changed from "no" to "yes" in Samba 3\&.0\&.14 and above\&. Microsoft Excel will display dialog box warnings about the file being changed by another user if this parameter is not set to "yes" and files are being shared between users\&.
@@ -3039 +3329 @@
 Default:
 \fI\fIdos filetimes\fR\fR\fI = \fR\fIyes\fR\fI \fR
+.RE
+
+durable handles (S)
+.\" durable handles
+.PP
+.RS 4
+This boolean parameter controls whether Samba can grant SMB2 durable file handles on a share\&.
+.sp
+Note that durable handles are only enabled if
+\m[blue]\fBkernel oplocks = no\fR\m[],
+\m[blue]\fBkernel share modes = no\fR\m[], and
+\m[blue]\fBposix locking = no\fR\m[], i\&.e\&. if the share is configured for CIFS/SMB2 only access, not supporting interoperability features with local UNIX processes or NFS operations\&.
+.sp
+Also note that, for the time being, durability is not granted for a handle that has the delete on close flag set\&.
+.sp
+Default:
+\fI\fIdurable handles\fR\fR\fI = \fR\fIyes\fR\fI \fR
 .RE
 
@@ -3057 +3364 @@
 .PP
 .RS 4
-Hosts running the "Advanced Server for Unix (ASU)" product require some special accomodations such as creating a builtin [ADMIN$] share that only supports IPC connections\&. The has been the default behavior in smbd for many years\&. However, certain Microsoft applications such as the Print Migrator tool require that the remote server support an [ADMIN$} file share\&. Disabling this parameter allows for creating an [ADMIN$] file share in smb\&.conf\&.
+Hosts running the "Advanced Server for Unix (ASU)" product require some special accomodations such as creating a builtin [ADMIN$] share that only supports IPC connections\&. The has been the default behavior in smbd for many years\&. However, certain Microsoft applications such as the Print Migrator tool require that the remote server support an [ADMIN$] file share\&. Disabling this parameter allows for creating an [ADMIN$] file share in smb\&.conf\&.
 .sp
 Default:
@@ -3121 +3428 @@
 \fBsmbpasswd\fR(8)
 program for information on how to set up and maintain this file), or set the
-\m[blue]\fBsecurity = [server|domain|ads]\fR\m[]
+\m[blue]\fBsecurity = [domain|ads]\fR\m[]
 parameter which causes
 smbd
@@ -3168 +3475 @@
 .RS 4
 This option defines a list of log names that Samba will report to the Microsoft EventViewer utility\&. The listed eventlogs will be associated with tdb file on disk in the
-$(lockdir)/eventlog\&.
+$(statedir)/eventlog\&.
 .sp
 The administrator must use an external process to parse the normal Unix logs such as
@@ -3189 +3496 @@
 This option is mainly used as a compatibility option for Visual C++ when used against Samba shares\&. Visual C++ generated makefiles have the object directory as a dependency for each object file, and a make rule to create the directory\&. Also, when NMAKE compares timestamps it uses the creation time when examining a directory\&. Thus the object directory will be created if it does not exist, but once it does exist it will always have an earlier timestamp than the object files it contains\&.
 .sp
-However, Unix time semantics mean that the create time reported by Samba will be updated whenever a file is created or or deleted in the directory\&. NMAKE finds all object files in the object directory\&. The timestamp of the last one built is then compared to the timestamp of the object directory\&. If the directory\*(Aqs timestamp if newer, then all object files will be rebuilt\&. Enabling this option ensures directories always predate their contents and an NMAKE build will proceed as expected\&.
+However, Unix time semantics mean that the create time reported by Samba will be updated whenever a file is created or deleted in the directory\&. NMAKE finds all object files in the object directory\&. The timestamp of the last one built is then compared to the timestamp of the object directory\&. If the directory\*(Aqs timestamp if newer, then all object files will be rebuilt\&. Enabling this option ensures directories always predate their contents and an NMAKE build will proceed as expected\&.
 .sp
 Default:
@@ -3249 +3556 @@
 .sp
 Default:
-\fI\fIforce create mode\fR\fR\fI = \fR\fI000\fR\fI \fR
+\fI\fIforce create mode\fR\fR\fI = \fR\fI0000\fR\fI \fR
 .sp
 Example:
@@ -3268 +3575 @@
 .sp
 Default:
-\fI\fIforce directory mode\fR\fR\fI = \fR\fI000\fR\fI \fR
+\fI\fIforce directory mode\fR\fR\fI = \fR\fI0000\fR\fI \fR
 .sp
 Example:
@@ -3278 +3585 @@
 .PP
 .RS 4
-This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating the UNIX permission on a directory using the native NT security dialog box\&.
-.sp
-This parameter is applied as a mask (OR\*(Aqed with) to the changed permission bits, thus forcing any bits in this mask that the user may have modified to be on\&. Make sure not to mix up this parameter with
-\m[blue]\fBdirectory security mask\fR\m[], which works in a similar manner to this one, but uses a logical AND instead of an OR\&.
-.sp
-Essentially, this mask may be treated as a set of bits that, when modifying security on a directory, to will enable (1) any flags that are off (0) but which the mask has set to on (1)\&.
-.sp
-If not set explicitly this parameter is 0000, which allows a user to modify all the user/group/world permissions on a directory without restrictions\&.
-.if n \{\
-.sp
-.\}
-.RS 4
-.it 1 an-trap
-.nr an-no-space-flag 1
-.nr an-break-flag 1
-.br
-.ps +1
-\fBNote\fR
-.ps -1
-.br
-Users who can access the Samba server through other means can easily bypass this restriction, so it is primarily useful for standalone "appliance" systems\&. Administrators of most normal systems will probably want to leave it set as 0000\&.
-.sp .5v
-.RE
-Default:
-\fI\fIforce directory security mode\fR\fR\fI = \fR\fI0\fR\fI \fR
-.sp
-Example:
-\fI\fIforce directory security mode\fR\fR\fI = \fR\fI700\fR\fI \fR
+This parameter has been removed for Samba 4\&.0\&.0\&.
+.sp
+\fINo default\fR
 .RE
 
@@ -3365 +3647 @@
 .PP
 .RS 4
-This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating the UNIX permission on a file using the native NT security dialog box\&.
-.sp
-This parameter is applied as a mask (OR\*(Aqed with) to the changed permission bits, thus forcing any bits in this mask that the user may have modified to be on\&. Make sure not to mix up this parameter with
-\m[blue]\fBsecurity mask\fR\m[], which works similar like this one but uses logical AND instead of OR\&.
-.sp
-Essentially, one bits in this mask may be treated as a set of bits that, when modifying security on a file, the user has always set to be on\&.
-.sp
-If not set explicitly this parameter is set to 0, and allows a user to modify all the user/group/world permissions on a file, with no restrictions\&.
-.sp
-\fI Note\fR
-that users who can access the Samba server through other means can easily bypass this restriction, so it is primarily useful for standalone "appliance" systems\&. Administrators of most normal systems will probably want to leave this set to 0000\&.
-.sp
-Default:
-\fI\fIforce security mode\fR\fR\fI = \fR\fI0\fR\fI \fR
-.sp
-Example:
-\fI\fIforce security mode\fR\fR\fI = \fR\fI700\fR\fI \fR
+This parameter has been removed for Samba 4\&.0\&.0\&.
+.sp
+\fINo default\fR
 .RE
 
@@ -3413 +3681 @@
 Example:
 \fI\fIforce user\fR\fR\fI = \fR\fIauser\fR\fI \fR
+.RE
+
+fss: prune stale (G)
+.\" fss: prune stale
+.PP
+.RS 4
+When enabled, Samba\*(Aqs File Server Remove VSS Protocol (FSRVP) server checks all FSRVP initiated snapshots on startup, and removes any corresponding state (including share definitions) for nonexistent snapshot paths\&.
+.sp
+Default:
+\fI\fIfss: prune stale\fR\fR\fI = \fR\fIno\fR\fI \fR
+.sp
+Example:
+\fI\fIfss: prune stale\fR\fR\fI = \fR\fIyes\fR\fI \fR
+.RE
+
+fss: sequence timeout (G)
+.\" fss: sequence timeout
+.PP
+.RS 4
+The File Server Remove VSS Protocol (FSRVP) server includes a message sequence timer to ensure cleanup on unexpected client disconnect\&. This parameter overrides the default timeout between FSRVP operations\&. FSRVP timeouts can be completely disabled via a value of 0\&.
+.sp
+Default:
+\fI\fIfss: sequence timeout\fR\fR\fI = \fR\fI180 or 1800, depending on operation\fR\fI \fR
+.sp
+Example:
+\fI\fIfss: sequence timeout\fR\fR\fI = \fR\fI0\fR\fI \fR
 .RE
 
@@ -3444 +3738 @@
 should only be used whenever there is no operating system API available from the OS that samba can use\&.
 .sp
-This option is only available you have compiled Samba with the
-\-\-with\-sys\-quotas
-option or on Linux with
-\-\-with\-quotas
-and a working quota api was found in the system\&.
+This option is only available Samba was compiled with quotas support\&.
 .sp
 This parameter should specify the path to a script that queries the quota information for the specified user/group for the partition that the specified directory is on\&.
 .sp
-Such a script should take 3 arguments:
+Such a script is being given 3 arguments:
 .sp
 .RS 4
@@ -3488 +3778 @@
 .sp
 .RE
-The type of query can be one of :
+The directory is actually mostly just "\&." \- It needs to be treated relatively to the current working directory that the script can also query\&.
+.sp
+The type of query can be one of:
 .sp
 .RS 4
@@ -3535 +3827 @@
 .sp
 .RE
-This script should print one line as output with spaces between the arguments\&. The arguments are:
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-Arg 1 \- quota flags (0 = no quotas, 1 = quotas enabled, 2 = quotas enabled and enforced)
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-Arg 2 \- number of currently used blocks
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-Arg 3 \- the softlimit number of blocks
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-Arg 4 \- the hardlimit number of blocks
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-Arg 5 \- currently used number of inodes
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-Arg 6 \- the softlimit number of inodes
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-Arg 7 \- the hardlimit number of inodes
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-Arg 8(optional) \- the number of bytes in a block(default is 1024)
+This script should print one line as output with spaces between the columns\&. The printed columns should be:
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+1 \- quota flags (0 = no quotas, 1 = quotas enabled, 2 = quotas enabled and enforced)
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+2 \- number of currently used blocks
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+3 \- the softlimit number of blocks
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+4 \- the hardlimit number of blocks
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+5 \- currently used number of inodes
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+6 \- the softlimit number of inodes
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+7 \- the hardlimit number of inodes
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+8 (optional) \- the number of bytes in a block(default is 1024)
 .RE
 .sp
@@ -3784 +4076 @@
 This parameter prevents clients from seeing the existance of files that cannot be read\&. Defaults to off\&.
 .sp
+Please note that enabling this can slow down listing large directories significantly\&. Samba has to evaluate the ACLs of all directory members, which can be a lot of effort\&.
+.sp
 Default:
 \fI\fIhide unreadable\fR\fR\fI = \fR\fIno\fR\fI \fR
@@ -3793 +4087 @@
 .RS 4
 This parameter prevents clients from seeing the existance of files that cannot be written to\&. Defaults to off\&. Note that unwriteable directories are shown as usual\&.
+.sp
+Please note that enabling this can slow down listing large directories significantly\&. Samba has to evaluate the ACLs of all directory members, which can be a lot of effort\&.
 .sp
 Default:
@@ -3998 +4294 @@
 .PP
 .RS 4
-This parameter specifies the number of seconds that Winbind\*(Aqs idmap interface will cache positive SID/uid/gid query results\&.
-.sp
-Default:
-\fI\fIidmap cache time\fR\fR\fI = \fR\fI604800 (one week)\fR\fI \fR
-.RE
-
-idmap config (G)
-.\" idmap config
+This parameter specifies the number of seconds that Winbind\*(Aqs idmap interface will cache positive SID/uid/gid query results\&. By default, Samba will cache these results for one week\&.
+.sp
+Default:
+\fI\fIidmap cache time\fR\fR\fI = \fR\fI604800\fR\fI \fR
+.RE
+
+idmap config DOMAIN : OPTION (G)
+.\" idmap config DOMAIN : OPTION
 .PP
 .RS 4
@@ -4014 +4310 @@
 prefix, followed by a domain name or the asterisk character (*), a colon, and the name of an idmap setting for the chosen domain\&.
 .sp
-The idmap configuration is hence divided into groups, one group for each domain to be configured, and one group with the the asterisk instead of a proper domain name, which speifies the default configuration that is used to catch all domains that do not have an explicit idmap configuration of their own\&.
+The idmap configuration is hence divided into groups, one group for each domain to be configured, and one group with the asterisk instead of a proper domain name, which specifies the default configuration that is used to catch all domains that do not have an explicit idmap configuration of their own\&.
 .sp
 There are three general options available:
@@ -4020 +4316 @@
 backend = backend_name
 .RS 4
-This specifies the name of the idmap plugin to use as the SID/uid/gid backend for this domain\&. The standard backends are tdb (\fBidmap_tdb\fR(8)), tdb2 (\fBidmap_tdb2\fR(8)), ldap (\fBidmap_ldap\fR(8)), , rid (\fBidmap_rid\fR(8)), , hash (\fBidmap_hash\fR(8)), , autorid (\fBidmap_autorid\fR(8)), , ad (\fBidmap_ad\fR(8)), , adex (\fBidmap_adex\fR(8)), , and nss\&. (\fBidmap_nss\fR(8)), The corresponding manual pages contain the details, but here is a summary\&.
-.sp
-The first three of these create mappings of their own using internal unixid counters and store the mappings in a database\&. These are suitable for use in the default idmap configuration\&. The rid and hash backends use a pure algorithmic calculation to determine the unixid for a SID\&. The autorid module is a mixture of the tdb and rid backend\&. It creates ranges for each domain encountered and then uses the rid algorithm for each of these automatically configured domains individually\&. The ad and adex backends both use unix IDs stored in Active Directory via the standard schema extensions\&. The nss backend reverses the standard winbindd setup and gets the unixids via names from nsswitch which can be useful in an ldap setup\&.
+This specifies the name of the idmap plugin to use as the SID/uid/gid backend for this domain\&. The standard backends are tdb (\fBidmap_tdb\fR(8)), tdb2 (\fBidmap_tdb2\fR(8)), ldap (\fBidmap_ldap\fR(8)), rid (\fBidmap_rid\fR(8)), hash (\fBidmap_hash\fR(8)), autorid (\fBidmap_autorid\fR(8)), ad (\fBidmap_ad\fR(8)) and nss (\fBidmap_nss\fR(8))\&. The corresponding manual pages contain the details, but here is a summary\&.
+.sp
+The first three of these create mappings of their own using internal unixid counters and store the mappings in a database\&. These are suitable for use in the default idmap configuration\&. The rid and hash backends use a pure algorithmic calculation to determine the unixid for a SID\&. The autorid module is a mixture of the tdb and rid backend\&. It creates ranges for each domain encountered and then uses the rid algorithm for each of these automatically configured domains individually\&. The ad backend uses unix ids stored in Active Directory via the standard schema extensions\&. The nss backend reverses the standard winbindd setup and gets the unix ids via names from nsswitch which can be useful in an ldap setup\&.
 .RE
 .PP
 range = low \- high
 .RS 4
-Defines the available matching uid and gid range for which the backend is authoritative\&. For allocating backends, this also defines the start and the end of the range for allocating new unid IDs\&.
+Defines the available matching uid and gid range for which the backend is authoritative\&. For allocating backends, this also defines the start and the end of the range for allocating new unique IDs\&.
 .sp
 winbind uses this parameter to find the backend that is authoritative for a unix ID to SID mapping, so it must be set for each individually configured domain and for the default configuration\&. The configured ranges must be mutually disjoint\&.
@@ -4123 +4419 @@
 .RE
 
-include (G)
+include (S)
 .\" include
 .PP
@@ -4166 +4462 @@
 The ownership of new files and directories is normally governed by effective uid of the connected user\&. This option allows the Samba administrator to specify that the ownership for new files and directories should be controlled by the ownership of the parent directory\&.
 .sp
-Common scenarios where this behavior is useful is in implementing drop\-boxes where users can create and edit files but not delete them and to ensure that newly create files in a user\*(Aqs roaming profile directory are actually owner by the user\&.
+Common scenarios where this behavior is useful is in implementing drop\-boxes, where users can create and edit files but not delete them and ensuring that newly created files in a user\*(Aqs roaming profile directory are actually owned by the user\&.
 .sp
 Default:
@@ -4203 +4499 @@
 .RE
 
+init logon delay (G)
+.\" init logon delay
+.PP
+.RS 4
+This parameter specifies a delay in milliseconds for the hosts configured for delayed initial samlogon with
+\m[blue]\fBinit logon delayed hosts\fR\m[]\&.
+.sp
+Default:
+\fI\fIinit logon delay\fR\fR\fI = \fR\fI100\fR\fI \fR
+.RE
+
 init logon delayed hosts (G)
 .\" init logon delayed hosts
@@ -4220 +4527 @@
 .RE
 
-init logon delay (G)
-.\" init logon delay
-.PP
-.RS 4
-This parameter specifies a delay in milliseconds for the hosts configured for delayed initial samlogon with
-\m[blue]\fBinit logon delayed hosts\fR\m[]\&.
-.sp
-Default:
-\fI\fIinit logon delay\fR\fR\fI = \fR\fI100\fR\fI \fR
-.RE
-
 interfaces (G)
 .\" interfaces
@@ -4289 +4585 @@
 .sp
 By default Samba enables all active interfaces that are broadcast capable except the loopback adaptor (IP address 127\&.0\&.0\&.1)\&.
+.sp
+In order to support SMB3 multi\-channel configurations, smbd understands some extra data that can be appended after the actual interface with this extended syntax:
+.sp
+interface[;key1=value1[,key2=value2[\&.\&.\&.]]]
+.sp
+Known keys are speed, capability, and if_index\&. Speed is specified in bits per second\&. Known capabilities are RSS and RDMA\&. The if_index should be used with care: the values must not coincide with indexes used by the kernel\&. Note that these options are mainly intended for testing and development rather than for production use\&. At least on Linux systems, these values should be auto\-detected, but the settings can serve as last a resort when autodetection is not working or is not available\&.
 .sp
 The example below configures three network interfaces corresponding to the eth0 device and IP addresses 192\&.168\&.2\&.10 and 192\&.168\&.3\&.10\&. The netmasks of the latter two interfaces would be set to 255\&.255\&.255\&.0\&.
@@ -4355 +4657 @@
 \m[blue]\fBsocket options\fR\m[])\&. Basically you should only use this option if you strike difficulties\&.
 .sp
+Please note this option only applies to SMB1 client connections, and has no effect on SMB2 clients\&.
+.sp
 Default:
 \fI\fIkeepalive\fR\fR\fI = \fR\fI300\fR\fI \fR
@@ -4422 +4726 @@
 .sp
 Default:
-\fI\fIkerberos method\fR\fR\fI = \fR\fIsecrets only\fR\fI \fR
-.RE
-
-kernel change notify (S)
+\fI\fIkerberos method\fR\fR\fI = \fR\fIdefault\fR\fI \fR
+.RE
+
+kernel change notify (G)
 .\" kernel change notify
 .PP
@@ -4437 +4741 @@
 .RE
 
-kernel oplocks (G)
+kernel oplocks (S)
 .\" kernel oplocks
 .PP
@@ -4443 +4747 @@
 For UNIXes that support kernel based
 \m[blue]\fBoplocks\fR\m[]
-(currently only IRIX and the Linux 2\&.4 kernel), this parameter allows the use of them to be turned on or off\&.
+(currently only IRIX and the Linux 2\&.4 kernel), this parameter allows the use of them to be turned on or off\&. However, this disables Level II oplocks for clients as the Linux and IRIX kernels do not support them properly\&.
 .sp
 Kernel oplocks support allows Samba
@@ -4453 +4757 @@
 cool feature :\-)\&.
 .sp
+If you do not need this interaction, you should disable the parameter on Linux and IRIX to get Level II oplocks and the associated performance benefit\&.
+.sp
 This parameter defaults to
-\fBon\fR, but is translated to a no\-op on systems that no not have the necessary kernel support\&. You should never need to touch this parameter\&.
-.sp
-Default:
-\fI\fIkernel oplocks\fR\fR\fI = \fR\fIyes\fR\fI \fR
+\fBno\fR
+and is translated to a no\-op on systems that do not have the necessary kernel support\&.
+.sp
+Default:
+\fI\fIkernel oplocks\fR\fR\fI = \fR\fIno\fR\fI \fR
+.RE
+
+kernel share modes (S)
+.\" kernel share modes
+.PP
+.RS 4
+This parameter controls whether SMB share modes are translated into UNIX flocks\&.
+.sp
+Kernel share modes provide a minimal level of interoperability with local UNIX processes and NFS operations by preventing access with flocks corresponding to the SMB share modes\&. Generally, it is very desirable to leave this enabled\&.
+.sp
+Note that in order to use SMB2 durable file handles on a share, you have to turn kernel share modes off\&.
+.sp
+This parameter defaults to
+\fByes\fR
+and is translated to a no\-op on systems that do not have the necessary kernel flock support\&.
+.sp
+Default:
+\fI\fIkernel share modes\fR\fR\fI = \fR\fIyes\fR\fI \fR
+.RE
+
+kpasswd port (G)
+.\" kpasswd port
+.PP
+.RS 4
+Specifies which ports the Kerberos server should listen on for password changes\&.
+.sp
+Default:
+\fI\fIkpasswd port\fR\fR\fI = \fR\fI464\fR\fI \fR
+.RE
+
+krb5 port (G)
+.\" krb5 port
+.PP
+.RS 4
+Specifies which port the KDC should listen on for Kerberos traffic\&.
+.sp
+Default:
+\fI\fIkrb5 port\fR\fR\fI = \fR\fI88\fR\fI \fR
 .RE
 
@@ -4472 +4817 @@
 When this parameter is set to
 no
-this will also result in sambaLMPassword in Samba\*(Aqs passdb being blanked after the next password change\&. As a result of that lanman clients won\*(Aqt be able to authenticate, even if lanman auth is reenabled later on\&.
+this will also result in sambaLMPassword in Samba\*(Aqs passdb being blanked after the next password change\&. As a result of that lanman clients won\*(Aqt be able to authenticate, even if lanman auth is re\-enabled later on\&.
 .sp
 Unlike the
@@ -4548 +4893 @@
 for tracing function calls\&.
 .sp
-The debug ouput from the LDAP libraries appears with the prefix [LDAP] in Samba\*(Aqs logging output\&. The level at which LDAP logging is printed is controlled by the parameter
+The debug output from the LDAP libraries appears with the prefix [LDAP] in Samba\*(Aqs logging output\&. The level at which LDAP logging is printed is controlled by the parameter
 \fIldap debug threshold\fR\&.
 .sp
@@ -4680 +5025 @@
 .sp
 Default:
-\fI\fIldap page size\fR\fR\fI = \fR\fI1024\fR\fI \fR
+\fI\fIldap page size\fR\fR\fI = \fR\fI1000\fR\fI \fR
 .sp
 Example:
 \fI\fIldap page size\fR\fR\fI = \fR\fI512\fR\fI \fR
+.RE
+
+ldap password sync
+.\" ldap password sync
+.PP
+.RS 4
+This parameter is a synonym for
+ldap passwd sync\&.
 .RE
 
@@ -4758 +5111 @@
 .sp
 To use this option, a basic ldap tree must be provided and the ldap suffix parameters must be properly configured\&. On virgin servers the default users and groups (Administrator, Guest, Domain Users, Domain Admins, Domain Guests) can be precreated with the command
-net sam provision\&. To run this command the ldap server must be running, Winindd must be running and the smb\&.conf ldap options must be properly configured\&. The typical ldap setup used with the
+net sam provision\&. To run this command the ldap server must be running, Winbindd must be running and the smb\&.conf ldap options must be properly configured\&. The typical ldap setup used with the
 \m[blue]\fBldapsam:trusted = yes\fR\m[]
 option is usually sufficient to use
@@ -4859 +5212 @@
 .RE
 
-ldap ssl ads (G)
-.\" ldap ssl ads
-.PP
-.RS 4
-This option is used to define whether or not Samba should use SSL when connecting to the ldap server using
-\fIads\fR
-methods\&. Rpc methods are not affected by this parameter\&. Please note, that this parameter won\*(Aqt have any effect if
-\m[blue]\fBldap ssl\fR\m[]
-is set to
-\fIno\fR\&.
-.sp
-See
-smb\&.conf(5)
-for more information on
-\m[blue]\fBldap ssl\fR\m[]\&.
-.sp
-Default:
-\fI\fIldap ssl ads\fR\fR\fI = \fR\fIno\fR\fI \fR
+ldap server require strong auth (G)
+.\" ldap server require strong auth
+.PP
+.RS 4
+The
+\m[blue]\fBldap server require strong auth\fR\m[]
+defines whether the ldap server requires ldap traffic to be signed or signed and encrypted (sealed)\&. Possible values are
+\fIno\fR,
+\fIallow_sasl_over_tls\fR
+and
+\fIyes\fR\&.
+.sp
+A value of
+\fIno\fR
+allows simple and sasl binds over all transports\&.
+.sp
+A value of
+\fIallow_sasl_over_tls\fR
+allows simple and sasl binds (without sign or seal) over TLS encrypted connections\&. Unencrypted connections only allow sasl binds with sign or seal\&.
+.sp
+A value of
+\fIyes\fR
+allows only simple binds over TLS encrypted connections\&. Unencrypted connections only allow sasl binds with sign or seal\&.
+.sp
+Default:
+\fI\fIldap server require strong auth\fR\fR\fI = \fR\fIyes\fR\fI \fR
 .RE
 
@@ -4894 +5255 @@
 \fIeither\fR
 this parameter to
-\fIStart_tls\fR
-\fIor\fR
+\fIStart_tls\fR\fIor\fR
 by specifying
 \fIldaps://\fR
@@ -4934 +5294 @@
 methods\&. To enable the LDAPv3 StartTLS extended operation (RFC2830) for
 \fIads\fR, set
-\m[blue]\fBldap ssl = yes\fR\m[]
-\fIand\fR
-\m[blue]\fBldap ssl ads = yes\fR\m[]\&. See
+\m[blue]\fBldap ssl = yes\fR\m[]\fIand\fR\m[blue]\fBldap ssl ads = yes\fR\m[]\&. See
 smb\&.conf(5)
 for more information on
@@ -4943 +5301 @@
 Default:
 \fI\fIldap ssl\fR\fR\fI = \fR\fIstart tls\fR\fI \fR
+.RE
+
+ldap ssl ads (G)
+.\" ldap ssl ads
+.PP
+.RS 4
+This option is used to define whether or not Samba should use SSL when connecting to the ldap server using
+\fIads\fR
+methods\&. Rpc methods are not affected by this parameter\&. Please note, that this parameter won\*(Aqt have any effect if
+\m[blue]\fBldap ssl\fR\m[]
+is set to
+\fIno\fR\&.
+.sp
+See
+smb\&.conf(5)
+for more information on
+\m[blue]\fBldap ssl\fR\m[]\&.
+.sp
+Default:
+\fI\fIldap ssl ads\fR\fR\fI = \fR\fIno\fR\fI \fR
 .RE
 
@@ -5099 +5477 @@
 \fBno\fR
 will cause
-nmbd
-\fInever\fR
+nmbd\fInever\fR
 to become a local master browser\&.
 .sp
@@ -5126 +5503 @@
 .sp
 Default:
-\fI\fIlock directory\fR\fR\fI = \fR\fI${prefix}/var/locks\fR\fI \fR
+\fI\fIlock directory\fR\fR\fI = \fR\fI${prefix}/var/lock\fR\fI \fR
 .sp
 Example:
@@ -5154 +5531 @@
 Be careful about disabling locking either globally or in a specific service, as lack of locking may result in data corruption\&. You should never need to set this parameter\&.
 .sp
-\fINo default\fR
-.RE
-
-lock spin count (G)
-.\" lock spin count
-.PP
-.RS 4
-This parameter has been made inoperative in Samba 3\&.0\&.24\&. The functionality it contolled is now controlled by the parameter
-\m[blue]\fBlock spin time\fR\m[]\&.
-.sp
-Default:
-\fI\fIlock spin count\fR\fR\fI = \fR\fI0\fR\fI \fR
+Default:
+\fI\fIlocking\fR\fR\fI = \fR\fIyes\fR\fI \fR
 .RE
 
@@ -5194 +5561 @@
 .RE
 
+logging (G)
+.\" logging
+.PP
+.RS 4
+This parameter configures logging backends\&. Multiple backends can be specified at the same time, with different log levels for each backend\&. The parameter is a list of backends, where each backend is specified as backend[:option][@loglevel]\&.
+.sp
+The \*(Aqoption\*(Aq parameter can be used to pass backend\-specific options\&.
+.sp
+The log level for a backend is optional, if it is not set for a backend, all messages are sent to this backend\&. The parameter
+\m[blue]\fBlog level\fR\m[]
+determines overall log levels, while the log levels specified here define what is sent to the individual backends\&.
+.sp
+When
+\m[blue]\fBlogging\fR\m[]
+is set, it overrides the
+\m[blue]\fBsyslog\fR\m[]
+and
+\m[blue]\fBsyslog only\fR\m[]
+parameters\&.
+.sp
+Some backends are only available when Samba has been compiled with the additional libraries\&. The overall list of logging backends:
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fIsyslog\fR
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fIfile\fR
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fIsystemd\fR
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fIlttng\fR
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fIgpfs\fR
+.RE
+.sp
+.RE
+Default:
+\fI\fIlogging\fR\fR\fI = \fR\fI\fR\fI \fR
+.sp
+Example:
+\fI\fIlogging\fR\fR\fI = \fR\fIsyslog@1 file\fR\fI \fR
+.RE
+
 debuglevel
 .\" debuglevel
@@ -5210 +5662 @@
 file\&.
 .sp
-This parameter has been extended since the 2\&.2\&.x series, now it allows to specify the debug level for multiple debug classes\&. This is to give greater flexibility in the configuration of the system\&. The following debug classes are currently implemented:
+This parameter has been extended since the 2\&.2\&.x series, now it allows one to specify the debug level for multiple debug classes\&. This is to give greater flexibility in the configuration of the system\&. The following debug classes are currently implemented:
 .sp
 .RS 4
@@ -5438 +5890 @@
 Example:
 \fI\fIlog level\fR\fR\fI = \fR\fI3 passdb:5 auth:10 winbind:2\fR\fI \fR
+.RE
+
+log nt token command (G)
+.\" log nt token command
+.PP
+.RS 4
+This option can be set to a command that will be called when new nt tokens are created\&.
+.sp
+This is only useful for development purposes\&.
+.sp
+Default:
+\fI\fIlog nt token command\fR\fR\fI = \fR\fI\fR\fI \fR
 .RE
 
@@ -5462 +5926 @@
 This parameter specifies the home directory location when a Win95/98 or NT Workstation logs into a Samba PDC\&. It allows you to do
 .sp
-
 C:\e>\fBNET USE H: /HOME\fR
 .sp
@@ -5471 +5934 @@
 This parameter can be used with Win9X workstations to ensure that roaming profiles are stored in a subdirectory of the user\*(Aqs home directory\&. This is done in the following way:
 .sp
-
 logon home = \e\e%N\e%U\eprofile
 .sp
@@ -5640 +6102 @@
 Note that it is good practice to include the absolute path in the lppause command as the PATH may not be available to the server\&.
 .sp
-Default:
-\fI\fIlppause command\fR\fR\fI = \fR\fI # Currently no default value is given to this string, unless the value of the \m[blue]\fBprinting\fR\m[] parameter is \fBSYSV\fR, in which case the default is : lp \-i %p\-%j \-H hold or if the value of the \fIprinting\fR parameter is \fBSOFTQ\fR, then the default is: qstat \-s \-j%j \-h\&. \fR\fI \fR
+Currently no default value is given to this string, unless the value of the
+\m[blue]\fBprinting\fR\m[]
+parameter is
+\fBSYSV\fR, in which case the default is :
+lp \-i %p\-%j \-H hold
+or if the value of the
+\fIprinting\fR
+parameter is
+\fBSOFTQ\fR, then the default is:
+qstat \-s \-j%j \-h\&.
+.sp
+Default:
+\fI\fIlppause command\fR\fR\fI = \fR\fI # determined by printing parameter\fR\fI \fR
 .sp
 Example:
@@ -5708 +6181 @@
 .sp
 Default:
-\fI\fIlpq command\fR\fR\fI = \fR\fI\fR\fI \fR
+\fI\fIlpq command\fR\fR\fI = \fR\fI # determined by printing parameter\fR\fI \fR
 .sp
 Example:
@@ -5752 +6225 @@
 qstat \-s \-j%j \-r
 .sp
-\fINo default\fR
+Default:
+\fI\fIlpresume command\fR\fR\fI = \fR\fI # determined by printing parameter\fR\fI \fR
 .sp
 Example:
@@ -5793 +6267 @@
 .sp
 Default:
-\fI\fIlprm command\fR\fR\fI = \fR\fI determined by printing parameter\fR\fI \fR
+\fI\fIlprm command\fR\fR\fI = \fR\fI # determined by printing parameter\fR\fI \fR
 .RE
 
@@ -5800 +6274 @@
 .PP
 .RS 4
-If a Samba server is a member of a Windows NT Domain (see the
+If a Samba server is a member of a Windows NT or Active Directory Domain (see the
 \m[blue]\fBsecurity = domain\fR\m[]
-parameter) then periodically a running smbd process will try and change the MACHINE ACCOUNT PASSWORD stored in the TDB called
-private/secrets\&.tdb\&. This parameter specifies how often this password will be changed, in seconds\&. The default is one week (expressed in seconds), the same as a Windows NT Domain member server\&.
+and
+\m[blue]\fBsecurity = ads\fR\m[]
+parameters), then periodically a running winbindd process will try and change the MACHINE ACCOUNT PASSWORD stored in the TDB called
+secrets\&.tdb\&. This parameter specifies how often this password will be changed, in seconds\&. The default is one week (expressed in seconds), the same as a Windows NT Domain member server\&.
 .sp
 See also
 \fBsmbpasswd\fR(8), and the
 \m[blue]\fBsecurity = domain\fR\m[]
-parameter\&.
+and
+\m[blue]\fBsecurity = ads\fR\m[]
+parameters\&.
 .sp
 Default:
@@ -5839 +6317 @@
 .RE
 Default:
-\fI\fImagic output\fR\fR\fI = \fR\fI<magic script name>\&.out\fR\fI \fR
+\fI\fImagic output\fR\fR\fI = \fR\fI # <magic script name>\&.out\fR\fI \fR
 .sp
 Example:
@@ -5969 +6447 @@
 .PP
 .RS 4
-controls the algorithm used for the generating the mangled names\&. Can take two different values, "hash" and "hash2"\&. "hash" is the algorithm that was used used in Samba for many years and was the default in Samba 2\&.2\&.x "hash2" is now the default and is newer and considered a better algorithm (generates less collisions) in the names\&. Many Win32 applications store the mangled names and so changing to algorithms must not be done lightly as these applications may break unless reinstalled\&.
+controls the algorithm used for the generating the mangled names\&. Can take two different values, "hash" and "hash2"\&. "hash" is the algorithm that was used in Samba for many years and was the default in Samba 2\&.2\&.x "hash2" is now the default and is newer and considered a better algorithm (generates less collisions) in the names\&. Many Win32 applications store the mangled names and so changing to algorithms must not be done lightly as these applications may break unless reinstalled\&.
 .sp
 Default:
@@ -5995 +6473 @@
 .RS 4
 This controls whether the DOS archive attribute should be mapped to the UNIX owner execute bit\&. The DOS archive bit is set when a file has been modified since its last backup\&. One motivation for this option is to keep Samba/your PC from making any file it touches from becoming executable under UNIX\&. This can be quite annoying for shared source code, documents, etc\&.\&.\&.
+.sp
+Note that this parameter will be ignored if the
+\m[blue]\fBstore dos attributes\fR\m[]
+parameter is set, as the DOS archive attribute will then be stored inside a UNIX extended attribute\&.
 .sp
 Note that this requires the
@@ -6012 +6494 @@
 This controls whether DOS style hidden files should be mapped to the UNIX world execute bit\&.
 .sp
+Note that this parameter will be ignored if the
+\m[blue]\fBstore dos attributes\fR\m[]
+parameter is set, as the DOS hidden attribute will then be stored inside a UNIX extended attribute\&.
+.sp
 Note that this requires the
 \m[blue]\fBcreate mask\fR\m[]
@@ -6018 +6504 @@
 for details\&.
 .sp
-\fINo default\fR
+Default:
+\fI\fImap hidden\fR\fR\fI = \fR\fIno\fR\fI \fR
 .RE
 
@@ -6049 +6536 @@
 .IP \(bu 2.3
 .\}
-
 \fBYes\fR
 \- The read only DOS attribute is mapped to the inverse of the user or owner write bit in the unix permission mode set\&. If the owner write bit is not set, the read only attribute is reported as being set on the file\&. If the read only DOS attribute is set, Samba sets the owner, group and others write bits to zero\&. Write bits set in an ACL are ignored by Samba\&. If the read only DOS attribute is unset, Samba simply sets the write bit of the owner to one\&.
@@ -6062 +6548 @@
 .IP \(bu 2.3
 .\}
-
 \fBPermissions\fR
 \- The read only DOS attribute is mapped to the effective permissions of the connecting user, as evaluated by
@@ -6077 +6562 @@
 .IP \(bu 2.3
 .\}
-
 \fBNo\fR
 \- The read only DOS attribute is unaffected by permissions, and can only be set by the
@@ -6085 +6569 @@
 .sp
 .RE
+Note that this parameter will be ignored if the
+\m[blue]\fBstore dos attributes\fR\m[]
+parameter is set, as the DOS \*(Aqread\-only\*(Aq attribute will then be stored inside a UNIX extended attribute\&.
+.sp
 Default:
 \fI\fImap readonly\fR\fR\fI = \fR\fIyes\fR\fI \fR
@@ -6094 +6582 @@
 .RS 4
 This controls whether DOS style system files should be mapped to the UNIX group execute bit\&.
+.sp
+Note that this parameter will be ignored if the
+\m[blue]\fBstore dos attributes\fR\m[]
+parameter is set, as the DOS system attribute will then be stored inside a UNIX extended attribute\&.
 .sp
 Note that this requires the
@@ -6109 +6601 @@
 .PP
 .RS 4
-This parameter is only useful in
-\m[blue]\fBSECURITY = security\fR\m[]
-modes other than
-\fIsecurity = share\fR
-and
-\fIsecurity = server\fR
-\- i\&.e\&.
-\fBuser\fR, and
-\fBdomain\fR\&.
-.sp
 This parameter can take four different values, which tell
 \fBsmbd\fR(8)
@@ -6180 +6662 @@
 .sp
 .RE
-Note that this parameter is needed to set up "Guest" share services when using
-\fIsecurity\fR
-modes other than share and server\&. This is because in these modes the name of the resource being requested is
+Note that this parameter is needed to set up "Guest" share services\&. This is because in these modes the name of the resource being requested is
 \fInot\fR
-sent to the server until after the server has successfully authenticated the client so the server cannot make authentication decisions at the correct time (connection to the share) for "Guest" shares\&. This parameter is not useful with
-\fIsecurity = server\fR
-as in this security mode no information is returned about whether a user logon failed due to a bad username or bad password, the same error is returned from a modern server in both cases\&.
-.sp
-For people familiar with the older Samba releases, this parameter maps to the old compile\-time setting of the
-\fB GUEST_SESSSETUP\fR
-value in local\&.h\&.
+sent to the server until after the server has successfully authenticated the client so the server cannot make authentication decisions at the correct time (connection to the share) for "Guest" shares\&.
 .sp
 Default:
@@ -6289 +6763 @@
 This parameter limits the maximum number of open files that one
 \fBsmbd\fR(8)
-file serving process may have open for a client at any one time\&. The This parameter can be set very high (16404) as Samba uses only one bit per unopened file\&. Setting this parameter lower than 16404 will cause Samba to complain and set this value back to the minimum of 16404, as Windows 7 depends on this number of open file handles being available\&.
+file serving process may have open for a client at any one time\&. This parameter can be set very high (16384) as Samba uses only one bit per unopened file\&. Setting this parameter lower than 16384 will cause Samba to complain and set this value back to the minimum of 16384, as Windows 7 depends on this number of open file handles being available\&.
 .sp
 The limit of the number of open files is usually set by the UNIX per\-process file descriptor limit rather than this parameter so you should never need to touch this parameter\&.
 .sp
 Default:
-\fI\fImax open files\fR\fR\fI = \fR\fI16404\fR\fI \fR
+\fI\fImax open files\fR\fR\fI = \fR\fI16384\fR\fI \fR
 .RE
 
@@ -6310 +6784 @@
 Example:
 \fI\fImax print jobs\fR\fR\fI = \fR\fI5000\fR\fI \fR
-.RE
-
-protocol
-.\" protocol
-.PP
-.RS 4
-This parameter is a synonym for
-max protocol\&.
-.RE
-
-max protocol (G)
-.\" max protocol
-.PP
-.RS 4
-The value of the parameter (a string) is the highest protocol level that will be supported by the server\&.
-.sp
-Possible values are :
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-\fBCORE\fR: Earliest version\&. No concept of user names\&.
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-\fBCOREPLUS\fR: Slight improvements on CORE for efficiency\&.
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-\fBLANMAN1\fR: First
-\fI modern\fR
-version of the protocol\&. Long filename support\&.
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-\fBLANMAN2\fR: Updates to Lanman1 protocol\&.
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-\fBNT1\fR: Current up to date version of the protocol\&. Used by Windows NT\&. Known as CIFS\&.
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-\fBSMB2\fR: Re\-implementation of the SMB protocol\&. Used by Windows Vista and newer\&.
-.RE
-.sp
-.RE
-Normally this option should not be set as the automatic negotiation phase in the SMB protocol takes care of choosing the appropriate protocol\&.
-.sp
-Default:
-\fI\fImax protocol\fR\fR\fI = \fR\fINT1\fR\fI \fR
-.sp
-Example:
-\fI\fImax protocol\fR\fR\fI = \fR\fILANMAN1\fR\fI \fR
 .RE
 
@@ -6608 +6988 @@
 .RE
 
-min protocol (G)
-.\" min protocol
-.PP
-.RS 4
-The value of the parameter (a string) is the lowest SMB protocol dialect than Samba will support\&. Please refer to the
-\m[blue]\fBmax protocol\fR\m[]
-parameter for a list of valid protocol names and a brief description of each\&. You may also wish to refer to the C source code in
-source/smbd/negprot\&.c
-for a listing of known protocol dialects supported by clients\&.
-.sp
-If you are viewing this parameter as a security measure, you should also refer to the
-\m[blue]\fBlanman auth\fR\m[]
-parameter\&. Otherwise, you should never need to change this parameter\&.
-.sp
-Default:
-\fI\fImin protocol\fR\fR\fI = \fR\fICORE\fR\fI \fR
-.sp
-Example:
-\fI\fImin protocol\fR\fR\fI = \fR\fINT1\fR\fI \fR
-.RE
-
 min receivefile size (G)
 .\" min receivefile size
@@ -6639 +6998 @@
 Note this option will have NO EFFECT if set on a SMB signed connection\&.
 .sp
-The default is zero, which diables this option\&.
+The default is zero, which disables this option\&.
 .sp
 Default:
@@ -6663 +7022 @@
 .PP
 .RS 4
-This parameter indicates that the share is a stand\-in for another CIFS share whose location is specified by the value of the parameter\&. When clients attempt to connect to this share, they are redirected to the proxied share using the SMB\-Dfs protocol\&.
+This parameter indicates that the share is a stand\-in for another CIFS share whose location is specified by the value of the parameter\&. When clients attempt to connect to this share, they are redirected to one or multiple, comma separated proxied shares using the SMB\-Dfs protocol\&.
 .sp
 Only Dfs roots can act as proxy shares\&. Take a look at the
@@ -6674 +7033 @@
 .sp
 Example:
-\fI\fImsdfs proxy\fR\fR\fI = \fR\fI\eotherserver\esomeshare\fR\fI \fR
+\fI\fImsdfs proxy\fR\fR\fI = \fR\fI\eotherserver\esomeshare,\eotherserver2\esomeshare\fR\fI \fR
 .RE
 
@@ -6690 +7049 @@
 .RE
 
+msdfs shuffle referrals (S)
+.\" msdfs shuffle referrals
+.PP
+.RS 4
+If set to
+\fByes\fR, Samba will shuffle Dfs referrals for a given Dfs link if multiple are available, allowing for load balancing across clients\&. For more information on setting up a Dfs tree on Samba, refer to the MSDFS chapter in the Samba3\-HOWTO book\&.
+.sp
+Default:
+\fI\fImsdfs shuffle referrals\fR\fR\fI = \fR\fIno\fR\fI \fR
+.RE
+
 multicast dns register (G)
 .\" multicast dns register
@@ -6731 +7101 @@
 .IP \(bu 2.3
 .\}
-
 \fBlmhosts\fR
 : Lookup an IP address in the Samba lmhosts file\&. If the line in lmhosts has no name type attached to the NetBIOS name (see the manpage for lmhosts for details) then any name type matches for lookup\&.
@@ -6744 +7113 @@
 .IP \(bu 2.3
 .\}
-
 \fBhost\fR
 : Do a standard host name to IP address resolution, using the system
@@ -6797 +7165 @@
 .RE
 
+socket address
+.\" socket address
+.PP
+.RS 4
+This parameter is a synonym for
+nbt client socket address\&.
+.RE
+
+nbt client socket address (G)
+.\" nbt client socket address
+.PP
+.RS 4
+This option allows you to control what address Samba will send NBT client packets from, and process replies using, including in nmbd\&.
+.sp
+Setting this option should never be necessary on usual Samba servers running only one nmbd\&.
+.sp
+By default Samba will send UDP packets from the OS default address for the destination, and accept replies on 0\&.0\&.0\&.0\&.
+.sp
+This parameter is deprecated\&. See
+\m[blue]\fBbind interfaces only = Yes\fR\m[]
+and
+\m[blue]\fBinterfaces\fR\m[]
+for the previous behaviour of controlling the normal listening sockets\&.
+.sp
+Default:
+\fI\fInbt client socket address\fR\fR\fI = \fR\fI0\&.0\&.0\&.0\fR\fI \fR
+.sp
+Example:
+\fI\fInbt client socket address\fR\fR\fI = \fR\fI192\&.168\&.2\&.20\fR\fI \fR
+.RE
+
+nbt port (G)
+.\" nbt port
+.PP
+.RS 4
+Specifies which port the server should use for NetBIOS over IP name services traffic\&.
+.sp
+Default:
+\fI\fInbt port\fR\fR\fI = \fR\fI137\fR\fI \fR
+.RE
+
 ncalrpc dir (G)
 .\" ncalrpc dir
@@ -6803 +7212 @@
 This directory will hold a series of named pipes to allow RPC over inter\-process communication\&.
 .sp
-\&.
-        This will allow Samba and other unix processes to interact over DCE/RPC without using TCP/IP\&. Additionally a sub\-directory \*(Aqnp\*(Aq has restricted permissions, and allows a trusted communication channel between Samba processes
-.sp
-Default:
-\fI\fIncalrpc dir\fR\fR\fI = \fR\fI${prefix}/var/ncalrpc\fR\fI \fR
+This will allow Samba and other unix processes to interact over DCE/RPC without using TCP/IP\&. Additionally a sub\-directory \*(Aqnp\*(Aq has restricted permissions, and allows a trusted communication channel between Samba processes
+.sp
+Default:
+\fI\fIncalrpc dir\fR\fR\fI = \fR\fI${prefix}/var/run/ncalrpc\fR\fI \fR
 .sp
 Example:
@@ -6832 +7240 @@
 This sets the NetBIOS name by which a Samba server is known\&. By default it is the same as the first component of the host\*(Aqs DNS name\&. If a machine is a browse server or logon server this name (or the first component of the hosts DNS name) will be the name that these services are advertised under\&.
 .sp
-There is a bug in Samba\-3 that breaks operation of browsing and access to shares if the netbios name is set to the literal name
-PIPE\&. To avoid this problem, do not name your Samba\-3 server
+Note that the maximum length for a NetBIOS name is 15 charactars\&.
+.sp
+There is a bug in Samba that breaks operation of browsing and access to shares if the netbios name is set to the literal name
+PIPE\&. To avoid this problem, do not name your Samba server
 PIPE\&.
 .sp
@@ -6853 +7263 @@
 .RE
 
-nis homedir (G)
-.\" nis homedir
+neutralize nt4 emulation (G)
+.\" neutralize nt4 emulation
+.PP
+.RS 4
+This option controls whether winbindd sends the NETLOGON_NEG_NEUTRALIZE_NT4_EMULATION flag in order to bypass the NT4 emulation of a domain controller\&.
+.sp
+Typically you should not need set this\&. It can be useful for upgrades from NT4 to AD domains\&.
+.sp
+The behavior can be controlled per netbios domain by using \*(Aqneutralize nt4 emulation:NETBIOSDOMAIN = yes\*(Aq as option\&.
+.sp
+Default:
+\fI\fIneutralize nt4 emulation\fR\fR\fI = \fR\fIno\fR\fI \fR
+.RE
+
+NIS homedir (G)
+.\" NIS homedir
 .PP
 .RS 4
@@ -6868 +7292 @@
 .sp
 Default:
-\fI\fInis homedir\fR\fR\fI = \fR\fIno\fR\fI \fR
+\fI\fINIS homedir\fR\fR\fI = \fR\fIno\fR\fI \fR
 .RE
 
@@ -6885 +7309 @@
 .RE
 
+nsupdate command (G)
+.\" nsupdate command
+.PP
+.RS 4
+This option sets the path to the
+nsupdate
+command which is used for GSS\-TSIG dynamic DNS updates\&.
+.sp
+Default:
+\fI\fInsupdate command\fR\fR\fI = \fR\fI/usr/bin/nsupdate \-g\fR\fI \fR
+.RE
+
 nt acl support (S)
 .\" nt acl support
@@ -6891 +7327 @@
 This boolean parameter controls whether
 \fBsmbd\fR(8)
-will attempt to map UNIX permissions into Windows NT access control lists\&. The UNIX permissions considered are the the traditional UNIX owner and group permissions, as well as POSIX ACLs set on any files or directories\&. This parameter was formally a global parameter in releases prior to 2\&.2\&.2\&.
+will attempt to map UNIX permissions into Windows NT access control lists\&. The UNIX permissions considered are the traditional UNIX owner and group permissions, as well as POSIX ACLs set on any files or directories\&. This parameter was formally a global parameter in releases prior to 2\&.2\&.2\&.
 .sp
 Default:
@@ -6927 +7363 @@
 .RE
 
+ntp signd socket directory (G)
+.\" ntp signd socket directory
+.PP
+.RS 4
+This setting controls the location of the socket that the NTP daemon uses to communicate with Samba for signing packets\&.
+.sp
+If a non\-default path is specified here, then it is also necessary to make NTP aware of the new path using the
+\fBntpsigndsocket\fR
+directive in
+ntp\&.conf\&.
+.sp
+Default:
+\fI\fIntp signd socket directory\fR\fR\fI = \fR\fI${prefix}/var/lib/ntp_signd\fR\fI \fR
+.RE
+
 nt status support (G)
 .\" nt status support
@@ -6943 +7394 @@
 .RE
 
+ntvfs handler (S)
+.\" ntvfs handler
+.PP
+.RS 4
+This specifies the NTVFS handlers for this share\&.
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+posix: Maps POSIX FS semantics to NT semantics
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+unixuid: Sets up user credentials based on POSIX gid/uid\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+cifs: Proxies a remote CIFS FS\&. Mainly useful for testing\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+nbench: Filter module that saves data useful to the nbench benchmark suite\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+ipc: Allows using SMB for inter process communication\&. Only used for the IPC$ share\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+posix: Maps POSIX FS semantics to NT semantics
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+print: Allows printing over SMB\&. This is LANMAN\-style printing, not the be confused with the spoolss DCE/RPC interface used by later versions of Windows\&.
+.RE
+.sp
+.RE
+Note that this option is only used when the NTVFS file server is in use\&. It is not used with the (default) s3fs file server\&.
+.sp
+Default:
+\fI\fIntvfs handler\fR\fR\fI = \fR\fIunixuid, default\fR\fI \fR
+.RE
+
 null passwords (G)
 .\" null passwords
@@ -6967 +7508 @@
 .RE
 
+old password allowed period (G)
+.\" old password allowed period
+.PP
+.RS 4
+Number of minutes to permit an NTLM login after a password change or reset using the old password\&. This allows the user to re\-cache the new password on multiple clients without disrupting a network reconnection in the meantime\&.
+.sp
+This parameter only applies when
+\m[blue]\fBserver role\fR\m[]
+is set to Active Directory Domain Controller
+.sp
+Default:
+\fI\fIold password allowed period\fR\fR\fI = \fR\fI60\fR\fI \fR
+.RE
+
 only user (S)
 .\" only user
 .PP
 .RS 4
-This is a boolean option that controls whether connections with usernames not in the
-\fIuser\fR
-list will be allowed\&. By default this option is disabled so that a client can supply a username to be used by the server\&. Enabling this parameter will force the server to only use the login names from the
-\fIuser\fR
-list and is only really useful in
-\m[blue]\fBsecurity = share\fR\m[]
-level security\&.
-.sp
-Note that this also means Samba won\*(Aqt try to deduce usernames from the service name\&. This can be annoying for the [homes] section\&. To get around this you could use
-user = %S
-which means your
-\fIuser\fR
-list will be just the service name, which for home directories is the name of the user\&.
+To restrict a service to a particular set of users you can use the
+\m[blue]\fBvalid users\fR\m[]
+parameter\&.
+.sp
+This parameter is deprecated
+.sp
+However, it currently operates only in conjunction with
+\m[blue]\fBusername\fR\m[]\&. The supported way to restrict a service to a particular set of users is the
+\m[blue]\fBvalid users\fR\m[]
+parameter\&.
 .sp
 Default:
@@ -7133 +7685 @@
 .RE
 
-paranoid server security (G)
-.\" paranoid server security
-.PP
-.RS 4
-Some version of NT 4\&.x allow non\-guest users with a bad passowrd\&. When this option is enabled, samba will not use a broken NT 4\&.x server as password server, but instead complain to the logs and exit\&.
-.sp
-Disabling this option prevents Samba from making this check, which involves deliberatly attempting a bad logon to the remote server\&.
-.sp
-Default:
-\fI\fIparanoid server security\fR\fR\fI = \fR\fIyes\fR\fI \fR
-.RE
-
 passdb backend (G)
 .\" passdb backend
@@ -7235 +7775 @@
 Default:
 \fI\fIpassdb expand explicit\fR\fR\fI = \fR\fIno\fR\fI \fR
+.RE
+
+passwd chat (G)
+.\" passwd chat
+.PP
+.RS 4
+This string controls the
+\fI"chat"\fR
+conversation that takes places between
+\fBsmbd\fR(8)
+and the local password changing program to change the user\*(Aqs password\&. The string describes a sequence of response\-receive pairs that
+\fBsmbd\fR(8)
+uses to determine what to send to the
+\m[blue]\fBpasswd program\fR\m[]
+and what to expect back\&. If the expected output is not received then the password is not changed\&.
+.sp
+This chat sequence is often quite site specific, depending on what local methods are used for password control (such as NIS etc)\&.
+.sp
+Note that this parameter only is used if the
+\m[blue]\fBunix password sync\fR\m[]
+parameter is set to
+\fByes\fR\&. This sequence is then called
+\fIAS ROOT\fR
+when the SMB password in the smbpasswd file is being changed, without access to the old password cleartext\&. This means that root must be able to reset the user\*(Aqs password without knowing the text of the previous password\&. In the presence of NIS/YP, this means that the
+\m[blue]\fBpasswd program\fR\m[]
+must be executed on the NIS master\&.
+.sp
+The string can contain the macro
+\fI%n\fR
+which is substituted for the new password\&. The old passsword (\fI%o\fR) is only available when
+\m[blue]\fBencrypt passwords\fR\m[]
+has been disabled\&. The chat sequence can also contain the standard macros \en, \er, \et and \es to give line\-feed, carriage\-return, tab and space\&. The chat sequence string can also contain a \*(Aq*\*(Aq which matches any sequence of characters\&. Double quotes can be used to collect strings with spaces in them into a single string\&.
+.sp
+If the send string in any part of the chat sequence is a full stop "\&.", then no string is sent\&. Similarly, if the expect string is a full stop then no string is expected\&.
+.sp
+If the
+\m[blue]\fBpam password change\fR\m[]
+parameter is set to
+\fByes\fR, the chat pairs may be matched in any order, and success is determined by the PAM result, not any particular output\&. The \en macro is ignored for PAM conversions\&.
+.sp
+Default:
+\fI\fIpasswd chat\fR\fR\fI = \fR\fI*new*password* %n\en *new*password* %n\en *changed*\fR\fI \fR
+.sp
+Example:
+\fI\fIpasswd chat\fR\fR\fI = \fR\fI"*Enter NEW password*" %n\en "*Reenter NEW password*" %n\en "*Password changed*"\fR\fI \fR
 .RE
 
@@ -7271 +7856 @@
 .RE
 
-passwd chat (G)
-.\" passwd chat
-.PP
-.RS 4
-This string controls the
-\fI"chat"\fR
-conversation that takes places between
-\fBsmbd\fR(8)
-and the local password changing program to change the user\*(Aqs password\&. The string describes a sequence of response\-receive pairs that
-\fBsmbd\fR(8)
-uses to determine what to send to the
-\m[blue]\fBpasswd program\fR\m[]
-and what to expect back\&. If the expected output is not received then the password is not changed\&.
-.sp
-This chat sequence is often quite site specific, depending on what local methods are used for password control (such as NIS etc)\&.
-.sp
-Note that this parameter only is used if the
-\m[blue]\fBunix password sync\fR\m[]
-parameter is set to
-\fByes\fR\&. This sequence is then called
-\fIAS ROOT\fR
-when the SMB password in the smbpasswd file is being changed, without access to the old password cleartext\&. This means that root must be able to reset the user\*(Aqs password without knowing the text of the previous password\&. In the presence of NIS/YP, this means that the
-\m[blue]\fBpasswd program\fR\m[]
-must be executed on the NIS master\&.
-.sp
-The string can contain the macro
-\fI%n\fR
-which is substituted for the new password\&. The old passsword (\fI%o\fR) is only available when
-\m[blue]\fBencrypt passwords\fR\m[]
-has been disabled\&. The chat sequence can also contain the standard macros \en, \er, \et and \es to give line\-feed, carriage\-return, tab and space\&. The chat sequence string can also contain a \*(Aq*\*(Aq which matches any sequence of characters\&. Double quotes can be used to collect strings with spaces in them into a single string\&.
-.sp
-If the send string in any part of the chat sequence is a full stop "\&.", then no string is sent\&. Similarly, if the expect string is a full stop then no string is expected\&.
-.sp
-If the
-\m[blue]\fBpam password change\fR\m[]
-parameter is set to
-\fByes\fR, the chat pairs may be matched in any order, and success is determined by the PAM result, not any particular output\&. The \en macro is ignored for PAM conversions\&.
-.sp
-Default:
-\fI\fIpasswd chat\fR\fR\fI = \fR\fI*new*password* %n\en*new*password* %n\en *changed*\fR\fI \fR
-.sp
-Example:
-\fI\fIpasswd chat\fR\fR\fI = \fR\fI"*Enter NEW password*" %n\en "*Reenter NEW password*" %n\en "*Password changed*"\fR\fI \fR
-.RE
-
 passwd program (G)
 .\" passwd program
@@ -7357 +7897 @@
 .RE
 
-password level (G)
-.\" password level
-.PP
-.RS 4
-Some client/server combinations have difficulty with mixed\-case passwords\&. One offending client is Windows for Workgroups, which for some reason forces passwords to upper case when using the LANMAN1 protocol, but leaves them alone when using COREPLUS! Another problem child is the Windows 95/98 family of operating systems\&. These clients upper case clear text passwords even when NT LM 0\&.12 selected by the protocol negotiation request/response\&.
-.sp
-This deprecated parameter defines the maximum number of characters that may be upper case in passwords\&.
-.sp
-For example, say the password given was "FRED"\&. If
-\fI password level\fR
-is set to 1, the following combinations would be tried if "FRED" failed:
-.sp
-"Fred", "fred", "fRed", "frEd","freD"
-.sp
-If
-\fIpassword level\fR
-was set to 2, the following combinations would also be tried:
-.sp
-"FRed", "FrEd", "FreD", "fREd", "fReD", "frED", \&.\&.
-.sp
-And so on\&.
-.sp
-The higher value this parameter is set to the more likely it is that a mixed case password will be matched against a single case password\&. However, you should be aware that use of this parameter reduces security and increases the time taken to process a new connection\&.
-.sp
-A value of zero will cause only two attempts to be made \- the password as is and the password in all\-lower case\&.
-.sp
-This parameter is used only when using plain\-text passwords\&. It is not at all used when encrypted passwords as in use (that is the default since samba\-3\&.0\&.0)\&. Use this only when
-\m[blue]\fBencrypt passwords = No\fR\m[]\&.
-.sp
-Default:
-\fI\fIpassword level\fR\fR\fI = \fR\fI0\fR\fI \fR
-.sp
-Example:
-\fI\fIpassword level\fR\fR\fI = \fR\fI4\fR\fI \fR
-.RE
-
 password server (G)
 .\" password server
 .PP
 .RS 4
-By specifying the name of another SMB server or Active Directory domain controller with this option, and using
-security = [ads|domain|server]
+By specifying the name of a domain controller with this option, and using
+security = [ads|domain]
 it is possible to get Samba to do all its username/password validation using a specific remote server\&.
 .sp
-If the
-\fIsecurity\fR
-parameter is set to
-\fBdomain\fR
-or
-\fBads\fR, then this option
+Ideally, this option
 \fIshould not\fR
-be used, as the default \*(Aq*\*(Aq indicates to Samba to determine the best DC to contact dynamically, just as all other hosts in an AD domain do\&. This allows the domain to be maintained without modification to the smb\&.conf file\&. The cryptograpic protection on the authenticated RPC calls used to verify passwords ensures that this default is safe\&.
+be used, as the default \*(Aq*\*(Aq indicates to Samba to determine the best DC to contact dynamically, just as all other hosts in an AD domain do\&. This allows the domain to be maintained (addition and removal of domain controllers) without modification to the smb\&.conf file\&. The cryptographic protection on the authenticated RPC calls used to verify passwords ensures that this default is safe\&.
 .sp
 \fIIt is strongly recommended that you use the default of \*(Aq*\*(Aq\fR, however if in your particular environment you have reason to specify a particular DC list, then the list of machines in this option must be a list of names or IP addresses of Domain controllers for the Domain\&. If you use the default of \*(Aq*\*(Aq, or list several hosts in the
@@ -7422 +7921 @@
 and so may resolved by any method and order described in that parameter\&.
 .sp
-If the
-\fIsecurity\fR
-parameter is set to
-\fBserver\fR, these additional restrictions apply:
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-You may list several password servers in the
-\fIpassword server\fR
-parameter, however if an
-smbd
-makes a connection to a password server, and then the password server fails, no more users will be able to be authenticated from this
-smbd\&. This is a restriction of the SMB/CIFS protocol when in
-security = server
-mode and cannot be fixed in Samba\&.
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-You will have to ensure that your users are able to login from the Samba server, as when in
-security = server
-mode the network logon will appear to come from the Samba server rather than from the users workstation\&.
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-The client must not select NTLMv2 authentication\&.
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-The password server must be a machine capable of using the "LM1\&.2X002" or the "NT LM 0\&.12" protocol, and it must be in user level security mode\&.
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-Using a password server means your UNIX box (running Samba) is only as secure as (a host masqurading as) your password server\&.
-\fIDO NOT CHOOSE A PASSWORD SERVER THAT YOU DON\*(AqT COMPLETELY TRUST\fR\&.
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-Never point a Samba server at itself for password serving\&. This will cause a loop and could lock up your Samba server!
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-The name of the password server takes the standard substitutions, but probably the only useful one is
-\fI%m \fR, which means the Samba server will use the incoming client as the password server\&. If you use this then you better trust your clients, and you had better restrict them with hosts allow!
-.RE
-.sp
-.RE
 Default:
 \fI\fIpassword server\fR\fR\fI = \fR\fI*\fR\fI \fR
@@ -7575 +7980 @@
 .sp
 Default:
-\fI\fIpid directory\fR\fR\fI = \fR\fI${prefix}/var/locks\fR\fI \fR
-.sp
-Example:
-\fI\fIpid directory\fR\fR\fI = \fR\fIpid directory = /var/run/\fR\fI \fR
+\fI\fIpid directory\fR\fR\fI = \fR\fI${prefix}/var/run\fR\fI \fR
+.sp
+Example:
+\fI\fIpid directory\fR\fR\fI = \fR\fI/var/run/\fR\fI \fR
 .RE
 
@@ -7610 +8015 @@
 .RE
 
-preexec close (S)
-.\" preexec close
-.PP
-.RS 4
-This boolean option controls whether a non\-zero return code from
-\m[blue]\fBpreexec\fR\m[]
-should close the service being connected to\&.
-.sp
-Default:
-\fI\fIpreexec close\fR\fR\fI = \fR\fIno\fR\fI \fR
-.RE
-
 exec
 .\" exec
@@ -7638 +8031 @@
 An interesting example is to send the users a welcome message every time they log in\&. Maybe a message of the day? Here is an example:
 .sp
-
 preexec = csh \-c \*(Aqecho \e"Welcome to %S!\e" | /usr/local/samba/bin/smbclient \-M %m \-I %I\*(Aq &
 .sp
@@ -7653 +8045 @@
 Example:
 \fI\fIpreexec\fR\fR\fI = \fR\fIecho \e"%u connected to %S from %m (%I)\e" >> /tmp/log\fR\fI \fR
+.RE
+
+preexec close (S)
+.\" preexec close
+.PP
+.RS 4
+This boolean option controls whether a non\-zero return code from
+\m[blue]\fBpreexec\fR\m[]
+should close the service being connected to\&.
+.sp
+Default:
+\fI\fIpreexec close\fR\fR\fI = \fR\fIno\fR\fI \fR
 .RE
 
@@ -7698 +8102 @@
 .RE
 
-auto services
-.\" auto services
-.PP
-.RS 4
-This parameter is a synonym for
-preload\&.
-.RE
-
-preload (G)
-.\" preload
-.PP
-.RS 4
-This is a list of services that you want to be automatically added to the browse lists\&. This is most useful for homes and printers services that would otherwise not be visible\&.
-.sp
-Note that if you just want all printers in your printcap file loaded then the
-\m[blue]\fBload printers\fR\m[]
-option is easier\&.
-.sp
-Default:
-\fI\fIpreload\fR\fR\fI = \fR\fI\fR\fI \fR
-.sp
-Example:
-\fI\fIpreload\fR\fR\fI = \fR\fIfred lp colorlp\fR\fI \fR
-.RE
-
 preserve case (S)
 .\" preserve case
@@ -7794 +8173 @@
 .sp
 To use the CUPS printing interface set
-printcap name = cups\&. This should be supplemented by an addtional setting
+printcap name = cups\&. This should be supplemented by an additional setting
 \m[blue]\fBprinting = cups\fR\m[]
 in the [global] section\&.
@@ -7933 +8312 @@
 .RE
 
-printer admin (S)
-.\" printer admin
-.PP
-.RS 4
-This lists users who can do anything to printers via the remote administration interfaces offered by MS\-RPC (usually using a NT workstation)\&. This parameter can be set per\-share or globally\&. Note: The root user always has admin rights\&. Use caution with use in the global stanza as this can cause side effects\&.
-.sp
-This parameter has been marked deprecated in favor of using the SePrintOperatorPrivilege and individual print security descriptors\&. It will be removed in a future release\&.
-.sp
-Default:
-\fI\fIprinter admin\fR\fR\fI = \fR\fI\fR\fI \fR
-.sp
-Example:
-\fI\fIprinter admin\fR\fR\fI = \fR\fIadmin, @staff\fR\fI \fR
-.RE
-
 printer
 .\" printer
@@ -7971 +8335 @@
 .sp
 Default:
-\fI\fIprinter name\fR\fR\fI = \fR\fInone\fR\fI \fR
+\fI\fIprinter name\fR\fR\fI = \fR\fI\fR\fI \fR
 .sp
 Example:
@@ -7997 +8361 @@
 \fBHPUX\fR,
 \fBQNX\fR,
-\fBSOFTQ\fR, and
-\fBCUPS\fR\&.
+\fBSOFTQ\fR,
+\fBCUPS\fR
+and
+\fBIPRINT\fR\&.
+.sp
+Be aware that CUPS and IPRINT are only available if the CUPS development library was available at the time Samba was compiled or packaged\&.
 .sp
 To see what the defaults are for the other print commands when using the various options use the
@@ -8012 +8380 @@
 section\&.
 .sp
-Default:
-\fI\fIprinting\fR\fR\fI = \fR\fIDepends on the operating system, see testparm \-v\&.\fR\fI \fR
+See
+testparm \-v\&.
+for the default value on your system
+.sp
+Default:
+\fI\fIprinting\fR\fR\fI = \fR\fI # Depends on the operating system\fR\fI \fR
 .RE
 
@@ -8033 +8405 @@
 .PP
 .RS 4
-Windows print clients can update print queue status by expecting the server to open a backchannel SMB connection to them\&. Due to client firewall settings this can cause considerable timeouts and will often fail, as there is no guarantee the client is even running an SMB server\&. By setting this parameter to
-\fBno\fR
-the Samba print server will not try to connect back to clients and treat corresponding requests as if the connection back to the client failed\&. The default setting of
-\fByes\fR
-causes smbd to attempt this connection\&.
-.sp
-Default:
-\fI\fIprint notify backchannel\fR\fR\fI = \fR\fIyes\fR\fI \fR
+Windows print clients can update print queue status by expecting the server to open a backchannel SMB connection to them\&. Due to client firewall settings this can cause considerable timeouts and will often fail, as there is no guarantee the client is even running an SMB server\&. By default, the Samba print server will not try to connect back to clients, and will treat corresponding requests as if the connection back to the client failed\&.
+.sp
+Default:
+\fI\fIprint notify backchannel\fR\fR\fI = \fR\fIno\fR\fI \fR
+.RE
+
+private directory
+.\" private directory
+.PP
+.RS 4
+This parameter is a synonym for
+private dir\&.
 .RE
 
@@ -8088 +8464 @@
 Note that it is good practice to include the absolute path in the command as the PATH may not be available to the server\&.
 .sp
-\fINo default\fR
+Default:
+\fI\fIqueuepause command\fR\fR\fI = \fR\fI # determined by printing parameter\fR\fI \fR
 .sp
 Example:
@@ -8111 +8488 @@
 .sp
 Default:
-\fI\fIqueueresume command\fR\fR\fI = \fR\fI\fR\fI \fR
+\fI\fIqueueresume command\fR\fR\fI = \fR\fI # determined by printing parameter\fR\fI \fR
 .sp
 Example:
 \fI\fIqueueresume command\fR\fR\fI = \fR\fIenable %p\fR\fI \fR
+.RE
+
+raw NTLMv2 auth (G)
+.\" raw NTLMv2 auth
+.PP
+.RS 4
+This parameter determines whether or not
+\fBsmbd\fR(8)
+will allow SMB1 clients without extended security (without SPNEGO) to use NTLMv2 authentication\&.
+.sp
+If this option,
+lanman auth
+and
+ntlm auth
+are all disabled, then only clients with SPNEGO support will be permitted\&. That means NTLMv2 is only supported within NTLMSSP\&.
+.sp
+Default:
+\fI\fIraw NTLMv2 auth\fR\fR\fI = \fR\fIno\fR\fI \fR
 .RE
 
@@ -8127 +8522 @@
 parameter\&.
 .sp
-This parameter will not work with the
-\m[blue]\fBsecurity = share\fR\m[]
-in Samba 3\&.0\&. This is by design\&.
-.sp
 Default:
 \fI\fIread list\fR\fR\fI = \fR\fI\fR\fI \fR
@@ -8160 +8551 @@
 .PP
 .RS 4
-This parameter controls whether or not the server will support the raw read SMB requests when transferring data to clients\&.
-.sp
-If enabled, raw reads allow reads of 65535 bytes in one packet\&. This typically provides a major performance benefit\&.
+This is ignored if
+\m[blue]\fBasync smb echo handler\fR\m[]
+is set, because this feature is incompatible with raw read SMB requests
+.sp
+If enabled, raw reads allow reads of 65535 bytes in one packet\&. This typically provides a major performance benefit for some very, very old clients\&.
 .sp
 However, some clients either negotiate the allowable block size incorrectly or are incapable of supporting larger block sizes, and for these clients you may need to disable raw reads\&.
@@ -8207 +8600 @@
 Example:
 \fI\fIregistry shares\fR\fR\fI = \fR\fIyes\fR\fI \fR
+.RE
+
+reject md5 clients (G)
+.\" reject md5 clients
+.PP
+.RS 4
+This option controls whether the netlogon server (currently only in \*(Aqactive directory domain controller\*(Aq mode), will reject clients which does not support NETLOGON_NEG_SUPPORTS_AES\&.
+.sp
+You can set this to yes if all domain members support aes\&. This will prevent downgrade attacks\&.
+.sp
+This option takes precedence to the \*(Aqallow nt4 crypto\*(Aq option\&.
+.sp
+Default:
+\fI\fIreject md5 clients\fR\fR\fI = \fR\fIno\fR\fI \fR
+.RE
+
+reject md5 servers (G)
+.\" reject md5 servers
+.PP
+.RS 4
+This option controls whether winbindd requires support for aes support for the netlogon secure channel\&.
+.sp
+The following flags will be required NETLOGON_NEG_ARCFOUR, NETLOGON_NEG_SUPPORTS_AES, NETLOGON_NEG_PASSWORD_SET2 and NETLOGON_NEG_AUTHENTICATED_RPC\&.
+.sp
+You can set this to yes if all domain controllers support aes\&. This will prevent downgrade attacks\&.
+.sp
+The behavior can be controlled per netbios domain by using \*(Aqreject md5 servers:NETBIOSDOMAIN = yes\*(Aq as option\&.
+.sp
+This option takes precedence to the
+\m[blue]\fBrequire strong key\fR\m[]
+option\&.
+.sp
+Default:
+\fI\fIreject md5 servers\fR\fR\fI = \fR\fIno\fR\fI \fR
 .RE
 
@@ -8309 +8736 @@
 .RE
 Default:
-\fI\fIrename user script\fR\fR\fI = \fR\fIno\fR\fI \fR
+\fI\fIrename user script\fR\fR\fI = \fR\fI\fR\fI \fR
+.RE
+
+require strong key (G)
+.\" require strong key
+.PP
+.RS 4
+This option controls whether winbindd requires support for md5 strong key support for the netlogon secure channel\&.
+.sp
+The following flags will be required NETLOGON_NEG_STRONG_KEYS, NETLOGON_NEG_ARCFOUR and NETLOGON_NEG_AUTHENTICATED_RPC\&.
+.sp
+You can set this to no if some domain controllers only support des\&. This might allows weak crypto to be negotiated, may via downgrade attacks\&.
+.sp
+The behavior can be controlled per netbios domain by using \*(Aqrequire strong key:NETBIOSDOMAIN = no\*(Aq as option\&.
+.sp
+Note for active directory domain this option is hardcoded to \*(Aqyes\*(Aq
+.sp
+This option yields precedence to the
+\m[blue]\fBreject md5 servers\fR\m[]
+option\&.
+.sp
+This option takes precedence to the
+\m[blue]\fBclient schannel\fR\m[]
+option\&.
+.sp
+Default:
+\fI\fIrequire strong key\fR\fR\fI = \fR\fIyes\fR\fI \fR
 .RE
 
@@ -8339 +8792 @@
 .\}
 .sp
-registry key in Windows 2000 and Windows NT\&. When set to 0, user and group list information is returned to anyone who asks\&. When set to 1, only an authenticated user can retrive user and group list information\&. For the value 2, supported by Windows 2000/XP and Samba, no anonymous connections are allowed at all\&. This can break third party and Microsoft applications which expect to be allowed to perform operations anonymously\&.
+registry key in Windows 2000 and Windows NT\&. When set to 0, user and group list information is returned to anyone who asks\&. When set to 1, only an authenticated user can retrieve user and group list information\&. For the value 2, supported by Windows 2000/XP and Samba, no anonymous connections are allowed at all\&. This can break third party and Microsoft applications which expect to be allowed to perform operations anonymously\&.
 .sp
 The security advantage of using restrict anonymous = 1 is dubious, as user and group list information can be obtained using other means\&.
@@ -8363 +8816 @@
 .RE
 
+rndc command (G)
+.\" rndc command
+.PP
+.RS 4
+This option specifies the path to the name server control utility\&.
+.sp
+The
+rndc
+utility should be a part of the bind installation\&.
+.sp
+Default:
+\fI\fIrndc command\fR\fR\fI = \fR\fI/usr/sbin/rndc\fR\fI \fR
+.sp
+Example:
+\fI\fIrndc command\fR\fR\fI = \fR\fI/usr/local/bind9/sbin/rndc\fR\fI \fR
+.RE
+
 root
 .\" root
@@ -8402 +8872 @@
 .sp
 Default:
-\fI\fIroot directory\fR\fR\fI = \fR\fI/\fR\fI \fR
+\fI\fIroot directory\fR\fR\fI = \fR\fI\fR\fI \fR
 .sp
 Example:
@@ -8420 +8890 @@
 .RE
 
+root preexec (S)
+.\" root preexec
+.PP
+.RS 4
+This is the same as the
+\fIpreexec\fR
+parameter except that the command is run as root\&. This is useful for mounting filesystems (such as CDROMs) when a connection is opened\&.
+.sp
+Default:
+\fI\fIroot preexec\fR\fR\fI = \fR\fI\fR\fI \fR
+.RE
+
 root preexec close (S)
 .\" root preexec close
@@ -8432 +8914 @@
 .RE
 
-root preexec (S)
-.\" root preexec
-.PP
-.RS 4
-This is the same as the
-\fIpreexec\fR
-parameter except that the command is run as root\&. This is useful for mounting filesystems (such as CDROMs) when a connection is opened\&.
-.sp
-Default:
-\fI\fIroot preexec\fR\fR\fI = \fR\fI\fR\fI \fR
-.RE
-
-rpc_server (G)
-.\" rpc_server
-.PP
-.RS 4
-Defines what kind of rpc server to use for a named pipe\&. The rpc_server prefix must be followed by the pipe name, and a value\&.
-.sp
-Three possible values are currently supported:
-embedded
-daemon
-external
-.sp
-The classic method is to run every pipe as an internal function
-\fIembedded\fR
-in smbd\&.
-.sp
-An alternative method is to fork a
-\fIdaemon\fR
-early on at smbd startup time\&. This is supported only for selected pipes\&.
-.sp
-Choosing the
-\fIexternal\fR
-option allows to run a completely independent (3rd party) server capable of interfacing with samba via the MS\-RPC interface over named pipes\&.
-.sp
-Currently only the spoolss pipe can be configured in
-\fIdaemon\fR
-mode like this:
+rpc big endian (G)
+.\" rpc big endian
+.PP
+.RS 4
+Setting this option will force the RPC client and server to transfer data in big endian\&.
+.sp
+If it is disabled, data will be transferred in little endian\&.
+.sp
+The behaviour is independent of the endianness of the host machine\&.
+.sp
+Default:
+\fI\fIrpc big endian\fR\fR\fI = \fR\fIno\fR\fI \fR
+.RE
+
+rpc_daemon:DAEMON (G)
+.\" rpc_daemon:DAEMON
+.PP
+.RS 4
+Defines whether to use the embedded code or start a separate daemon for the defined rpc services\&. The rpc_daemon prefix must be followed by the server name, and a value\&.
+.sp
+Two possible values are currently supported:
 .sp
 .if n \{\
@@ -8475 +8940 @@
 .\}
 .nf
-        rpc_server:spoolss = daemon
+                disabled
+                fork
         
 .fi
@@ -8482 +8948 @@
 .\}
 .sp
-Default:
-\fI\fIrpc_server\fR\fR\fI = \fR\fInone\fR\fI \fR
-.RE
-
-security mask (S)
-.\" security mask
-.PP
-.RS 4
-This parameter controls what UNIX permission bits will be set when a Windows NT client is manipulating the UNIX permission on a file using the native NT security dialog box\&.
-.sp
-This parameter is applied as a mask (AND\*(Aqed with) to the incoming permission bits, thus resetting any bits not in this mask\&. Make sure not to mix up this parameter with
-\m[blue]\fBforce security mode\fR\m[], which works in a manner similar to this one but uses a logical OR instead of an AND\&.
-.sp
-Essentially, all bits set to zero in this mask will result in setting to zero the corresponding bits on the file permissions regardless of the previous status of this bits on the file\&.
-.sp
-If not set explicitly this parameter is 0777, allowing a user to set all the user/group/world permissions on a file\&.
-.sp
-\fI Note\fR
-that users who can access the Samba server through other means can easily bypass this restriction, so it is primarily useful for standalone "appliance" systems\&. Administrators of most normal systems will probably want to leave it set to
-\fB0777\fR\&.
-.sp
-Default:
-\fI\fIsecurity mask\fR\fR\fI = \fR\fI0777\fR\fI \fR
-.sp
-Example:
-\fI\fIsecurity mask\fR\fR\fI = \fR\fI0770\fR\fI \fR
+The classic method is to run rpc services as internal daemons embedded in smbd, therefore the external daemons are
+\fIdisabled\fR
+by default\&.
+.sp
+Choosing the
+\fIfork\fR
+option will cause samba to fork a separate process for each daemon configured this way\&. Each daemon may in turn fork a number of children used to handle requests from multiple smbds and direct tcp/ip connections (if the Endpoint Mapper is enabled)\&. Communication with smbd happens over named pipes and require that said pipes are forward to the external daemon (see
+\m[blue]\fBrpc_server\fR\m[])\&.
+.sp
+Forked RPC Daemons support dynamically forking children to handle connections\&. The heuristics about how many children to keep around and how fast to allow them to fork and also how many clients each child is allowed to handle concurrently is defined by parametrical options named after the daemon\&. Five options are currently supported:
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+                prefork_min_children
+                prefork_max_children
+                prefork_spawn_rate
+                prefork_max_allowed_clients
+                prefork_child_min_life
+        
+.fi
+.if n \{\
+.RE
+.\}
+.sp
+To set one of these options use the follwing syntax:
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+        damonname:prefork_min_children = 5
+        
+.fi
+.if n \{\
+.RE
+.\}
+.sp
+Samba includes separate daemons for spoolss, lsarpc/lsass, netlogon, samr, FSRVP and mdssvc(Spotlight)\&. Currently five daemons are available and they are called:
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+                epmd
+                lsasd
+                spoolssd
+                fssd
+                mdssd
+        
+.fi
+.if n \{\
+.RE
+.\}
+.sp
+Example:
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+        rpc_daemon:spoolssd = fork
+        
+.fi
+.if n \{\
+.RE
+.\}
+.sp
+Default:
+\fI\fIrpc_daemon:DAEMON\fR\fR\fI = \fR\fIdisabled\fR\fI \fR
+.RE
+
+rpc_server:SERVER (G)
+.\" rpc_server:SERVER
+.PP
+.RS 4
+With this option you can define if a rpc service should be running internal/embedded in smbd or should be redirected to an external daemon like Samba4, the endpoint mapper daemon, the spoolss daemon or the new LSA service daemon\&. The rpc_server prefix must be followed by the pipe name, and a value\&.
+.sp
+This option can be set for each available rpc service in Samba\&. The following list shows all available pipe names services you can modify with this option\&.
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+epmapper \- Endpoint Mapper
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+winreg \- Remote Registry Service
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+srvsvc \- Remote Server Services
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+lsarpc \- Local Security Authority
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+samr \- Security Account Management
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+netlogon \- Netlogon Remote Protocol
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+netdfs \- Settings for Distributed File System
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+dssetup \- Active Directory Setup
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+wkssvc \- Workstation Services
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+spoolss \- Network Printing Spooler
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+svcctl \- Service Control
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+ntsvcs \- Plug and Play Services
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+eventlog \- Event Logger
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+initshutdown \- Init Shutdown Service
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+mdssvc \- Spotlight
+.RE
+.sp
+.RE
+Three possible values currently supported are:
+embeddedexternaldisabled
+.sp
+The classic method is to run every pipe as an internal function
+\fIembedded\fR
+in smbd\&. The defaults may vary depending on the service\&.
+.sp
+Choosing the
+\fIexternal\fR
+option allows one to run a separate daemon or even a completely independent (3rd party) server capable of interfacing with samba via the MS\-RPC interface over named pipes\&.
+.sp
+Currently in Samba3 we support four daemons, spoolssd, epmd, lsasd and mdssd\&. These daemons can be enabled using the
+\fIrpc_daemon\fR
+option\&. For spoolssd you have to enable the daemon and proxy the named pipe with:
+.sp
+Examples:
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+                        rpc_daemon:lsasd = fork
+                        rpc_server:lsarpc = external
+                        rpc_server:samr = external
+                        rpc_server:netlogon = external
+
+                        rpc_server:spoolss = external
+                        rpc_server:epmapper = disabled
+
+                        rpc_daemon:mdssd = fork
+                        rpc_server:mdssvc = external
+                
+.fi
+.if n \{\
+.RE
+.\}
+.sp
+There is one special option which allows you to enable rpc services to listen for ncacn_ip_tcp connections too\&. Currently this is only used for testing and doesn\*(Aqt scale!
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+                        rpc_server:tcpip = yes
+                
+.fi
+.if n \{\
+.RE
+.\}
+.sp
+Default:
+\fI\fIrpc_server:SERVER\fR\fR\fI = \fR\fIembedded\fR\fI \fR
+.RE
+
+samba kcc command (G)
+.\" samba kcc command
+.PP
+.RS 4
+This option specifies the path to the Samba KCC command\&. This script is used for replication topology replication\&.
+.sp
+It should not be necessary to modify this option except for testing purposes or if the
+samba_kcc
+was installed in a non\-default location\&.
+.sp
+Default:
+\fI\fIsamba kcc command\fR\fR\fI = \fR\fI${prefix}/sbin/samba_kcc\fR\fI \fR
+.sp
+Example:
+\fI\fIsamba kcc command\fR\fR\fI = \fR\fI/usr/local/bin/kcc\fR\fI \fR
 .RE
 
@@ -8518 +9274 @@
 file\&.
 .sp
-The option sets the "security mode bit" in replies to protocol negotiations with
-\fBsmbd\fR(8)
-to turn share level security on or off\&. Clients decide based on this bit whether (and how) to transfer user and password information to the server\&.
-.sp
 The default is
-security = user, as this is the most common setting needed when talking to Windows 98 and Windows NT\&.
+security = user, as this is the most common setting, used for a standalone file server or a DC\&.
 .sp
 The alternatives are
 security = ads
 or
-security = domain, which support joining Samba to a Windows domain, along with
-security = share
-and
-security = server, both of which are deprecated\&.
-.sp
-In versions of Samba prior to 2\&.0\&.0, the default was
-security = share
-mainly because that was the only option at one stage\&.
+security = domain, which support joining Samba to a Windows domain
 .sp
 You should use
@@ -8543 +9288 @@
 if you want to mainly setup shares without a password (guest shares)\&. This is commonly used for a shared printer server\&.
 .sp
-It is possible to use
-smbd
-in a
-\fI hybrid mode\fR
-where it is offers both user and share level security under different
-\m[blue]\fBNetBIOS aliases\fR\m[]\&.
-.sp
 The different settings will now be explained\&.
 .sp
+\fISECURITY = AUTO\fR
+.sp
+This is the default security setting in Samba, and causes Samba to consult the
+\m[blue]\fBserver role\fR\m[]
+parameter (if set) to determine the security mode\&.
+.sp
 \fISECURITY = USER\fR
 .sp
-This is the default security setting in Samba\&. With user\-level security a client must first "log\-on" with a valid username and password (which can be mapped using the
+If
+\m[blue]\fBserver role\fR\m[]
+is not specified, this is the default security setting in Samba\&. With user\-level security a client must first "log\-on" with a valid username and password (which can be mapped using the
 \m[blue]\fBusername map\fR\m[]
 parameter)\&. Encrypted passwords (see the
@@ -8572 +9318 @@
 parameter for details on doing this\&.
 .sp
-See also the section
-NOTE ABOUT USERNAME/PASSWORD VALIDATION\&.
-.sp
 \fISECURITY = DOMAIN\fR
 .sp
@@ -8601 +9344 @@
 parameter for details on doing this\&.
 .sp
-See also the section
-NOTE ABOUT USERNAME/PASSWORD VALIDATION\&.
-.sp
 See also the
 \m[blue]\fBpassword server\fR\m[]
@@ -8610 +9350 @@
 parameter\&.
 .sp
-\fISECURITY = SHARE\fR
-.if n \{\
-.sp
-.\}
-.RS 4
-.it 1 an-trap
-.nr an-no-space-flag 1
-.nr an-break-flag 1
-.br
-.ps +1
-\fBNote\fR
-.ps -1
-.br
-This option is deprecated as it is incompatible with SMB2
-.sp .5v
-.RE
-When clients connect to a share level security server, they need not log onto the server with a valid username and password before attempting to connect to a shared resource (although modern clients such as Windows 95/98 and Windows NT will send a logon request with a username but no password when talking to a
-security = share
-server)\&. Instead, the clients send authentication information (passwords) on a per\-share basis, at the time they attempt to connect to that share\&.
-.sp
-Note that
-smbd
-\fIALWAYS\fR
-uses a valid UNIX user to act on behalf of the client, even in
-security = share
-level security\&.
-.sp
-As clients are not required to send a username to the server in share level security,
-smbd
-uses several techniques to determine the correct UNIX user to use on behalf of the client\&.
-.sp
-A list of possible UNIX usernames to match with the given client password is constructed using the following methods :
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-If the
-\m[blue]\fBguest only\fR\m[]
-parameter is set, then all the other stages are missed and only the
-\m[blue]\fBguest account\fR\m[]
-username is checked\&.
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-Is a username is sent with the share connection request, then this username (after mapping \- see
-\m[blue]\fBusername map\fR\m[]), is added as a potential username\&.
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-If the client did a previous
-\fIlogon \fR
-request (the SessionSetup SMB call) then the username sent in this SMB will be added as a potential username\&.
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-The name of the service the client requested is added as a potential username\&.
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-The NetBIOS name of the client is added to the list as a potential username\&.
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-Any users on the
-\m[blue]\fBuser\fR\m[]
-list are added as potential usernames\&.
-.RE
-.sp
-.RE
-If the
-\fIguest only\fR
-parameter is not set, then this list is then tried with the supplied password\&. The first user for whom the password matches will be used as the UNIX user\&.
-.sp
-If the
-\fIguest only\fR
-parameter is set, or no username can be determined then if the share is marked as available to the
-\fIguest account\fR, then this guest user will be used, otherwise access is denied\&.
-.sp
-Note that it can be
-\fIvery\fR
-confusing in share\-level security as to which UNIX username will eventually be used in granting access\&.
-.sp
-See also the section
-NOTE ABOUT USERNAME/PASSWORD VALIDATION\&.
-.sp
-\fISECURITY = SERVER\fR
-.sp
-In this depicted mode Samba will try to validate the username/password by passing it to another SMB server, such as an NT box\&. If this fails it will revert to
-security = user\&. It expects the
-\m[blue]\fBencrypted passwords\fR\m[]
-parameter to be set to
-\fByes\fR, unless the remote server does not support them\&. However note that if encrypted passwords have been negotiated then Samba cannot revert back to checking the UNIX password file, it must have a valid
-smbpasswd
-file to check users against\&. See the chapter about the User Database in the Samba HOWTO Collection for details on how to set this up\&.
-.if n \{\
-.sp
-.\}
-.RS 4
-.it 1 an-trap
-.nr an-no-space-flag 1
-.nr an-break-flag 1
-.br
-.ps +1
-\fBNote\fR
-.ps -1
-.br
-This mode of operation has significant pitfalls since it is more vulnerable to man\-in\-the\-middle attacks and server impersonation\&. In particular, this mode of operation can cause significant resource consumption on the PDC, as it must maintain an active connection for the duration of the user\*(Aqs session\&. Furthermore, if this connection is lost, there is no way to reestablish it, and further authentications to the Samba server may fail (from a single client, till it disconnects)\&.
-.sp .5v
-.RE
-.if n \{\
-.sp
-.\}
-.RS 4
-.it 1 an-trap
-.nr an-no-space-flag 1
-.nr an-break-flag 1
-.br
-.ps +1
-\fBNote\fR
-.ps -1
-.br
-If the client selects NTLMv2 authentication, then this mode of operation
-\fIwill fail\fR
-.sp .5v
-.RE
-.if n \{\
-.sp
-.\}
-.RS 4
-.it 1 an-trap
-.nr an-no-space-flag 1
-.nr an-break-flag 1
-.br
-.ps +1
-\fBNote\fR
-.ps -1
-.br
-From the client\*(Aqs point of view,
-security = server
-is the same as
-security = user\&. It only affects how the server deals with the authentication, it does not in any way affect what the client sees\&.
-.sp .5v
-.RE
-.if n \{\
-.sp
-.\}
-.RS 4
-.it 1 an-trap
-.nr an-no-space-flag 1
-.nr an-break-flag 1
-.br
-.ps +1
-\fBNote\fR
-.ps -1
-.br
-This option is deprecated, and may be removed in future
-.sp .5v
-.RE
 \fINote\fR
 that the name of the resource being requested is
@@ -8816 +9358 @@
 parameter for details on doing this\&.
 .sp
-See also the section
-NOTE ABOUT USERNAME/PASSWORD VALIDATION\&.
-.sp
 See also the
 \m[blue]\fBpassword server\fR\m[]
@@ -8831 +9370 @@
 Note that this mode does NOT make Samba operate as a Active Directory Domain Controller\&.
 .sp
+Note that this forces
+\m[blue]\fBrequire strong key = yes\fR\m[]
+and
+\m[blue]\fBclient schannel = yes\fR\m[]
+for the primary domain\&.
+.sp
 Read the chapter about Domain Membership in the HOWTO for details\&.
 .sp
 Default:
-\fI\fIsecurity\fR\fR\fI = \fR\fIUSER\fR\fI \fR
+\fI\fIsecurity\fR\fR\fI = \fR\fIAUTO\fR\fI \fR
 .sp
 Example:
@@ -8840 +9385 @@
 .RE
 
-send spnego principal (G)
-.\" send spnego principal
-.PP
-.RS 4
-This parameter determines whether or not
+security mask (S)
+.\" security mask
+.PP
+.RS 4
+This parameter has been removed for Samba 4\&.0\&.0\&.
+.sp
+\fINo default\fR
+.RE
+
+max protocol
+.\" max protocol
+.PP
+.RS 4
+This parameter is a synonym for
+server max protocol\&.
+.RE
+
+protocol
+.\" protocol
+.PP
+.RS 4
+This parameter is a synonym for
+server max protocol\&.
+.RE
+
+server max protocol (G)
+.\" server max protocol
+.PP
+.RS 4
+The value of the parameter (a string) is the highest protocol level that will be supported by the server\&.
+.sp
+Possible values are :
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fBLANMAN1\fR: First
+\fImodern\fR
+version of the protocol\&. Long filename support\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fBLANMAN2\fR: Updates to Lanman1 protocol\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fBNT1\fR: Current up to date version of the protocol\&. Used by Windows NT\&. Known as CIFS\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fBSMB2\fR: Re\-implementation of the SMB protocol\&. Used by Windows Vista and later versions of Windows\&. SMB2 has sub protocols available\&.
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fBSMB2_02\fR: The earliest SMB2 version\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fBSMB2_10\fR: Windows 7 SMB2 version\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fBSMB2_22\fR: Early Windows 8 SMB2 version\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fBSMB2_24\fR: Windows 8 beta SMB2 version\&.
+.RE
+.sp
+.RE
+By default SMB2 selects the SMB2_10 variant\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fBSMB3\fR: The same as SMB2\&. Used by Windows 8\&. SMB3 has sub protocols available\&.
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fBSMB3_00\fR: Windows 8 SMB3 version\&. (mostly the same as SMB2_24)
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fBSMB3_02\fR: Windows 8\&.1 SMB3 version\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fBSMB3_10\fR: early Windows 10 technical preview SMB3 version\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+\fBSMB3_11\fR: Windows 10 technical preview SMB3 version (maybe final)\&.
+.RE
+.sp
+.RE
+By default SMB3 selects the SMB3_11 variant\&.
+.RE
+.sp
+.RE
+Normally this option should not be set as the automatic negotiation phase in the SMB protocol takes care of choosing the appropriate protocol\&.
+.sp
+Default:
+\fI\fIserver max protocol\fR\fR\fI = \fR\fISMB3\fR\fI \fR
+.sp
+Example:
+\fI\fIserver max protocol\fR\fR\fI = \fR\fILANMAN1\fR\fI \fR
+.RE
+
+min protocol
+.\" min protocol
+.PP
+.RS 4
+This parameter is a synonym for
+server min protocol\&.
+.RE
+
+server min protocol (G)
+.\" server min protocol
+.PP
+.RS 4
+This setting controls the minimum protocol version that the server will allow the client to use\&.
+.sp
+Normally this option should not be set as the automatic negotiation phase in the SMB protocol takes care of choosing the appropriate protocol\&.
+.sp
+See
+Related command: \m[blue]\fBserver max protocol\fR\m[]
+for a full list of available protocols\&.
+.sp
+Default:
+\fI\fIserver min protocol\fR\fR\fI = \fR\fILANMAN1\fR\fI \fR
+.sp
+Example:
+\fI\fIserver min protocol\fR\fR\fI = \fR\fINT1\fR\fI \fR
+.RE
+
+server multi channel support (G)
+.\" server multi channel support
+.PP
+.RS 4
+This boolean parameter controls whether
 \fBsmbd\fR(8)
-will send the server\-supplied principal sometimes given in the SPNEGO exchange\&.
-.sp
-If enabled, Samba can attempt to help clients to use Kerberos to contact it, even when known only by IP address or a name not registered with our KDC as a service principal name\&. Kerberos relies on names, so ordinarily cannot function in this situation\&.
-.sp
-If disabled, Samba will send the string not_defined_in_RFC4178@please_ignore as the \*(Aqrfc4178 hint\*(Aq, following the updated RFC and Windows 2008 behaviour in this area\&.
-.sp
-Note that Windows XP SP2 and later versions already ignored this value in all circumstances\&.
-.sp
-Default:
-\fI\fIsend spnego principal\fR\fR\fI = \fR\fIno\fR\fI \fR
+will support SMB3 multi\-channel\&.
+.sp
+This parameter has been added with version 4\&.4\&.
+.sp
+Warning: Note that this feature is considered experimental in Samba 4\&.4\&. Use it at your own risk: Even though it may seem to work well in testing, it may result in data corruption under some race conditions\&. Future 4\&.4\&.x release may improve this situation\&.
+.sp
+Default:
+\fI\fIserver multi channel support\fR\fR\fI = \fR\fIno\fR\fI \fR
+.RE
+
+server role (G)
+.\" server role
+.PP
+.RS 4
+This option determines the basic operating mode of a Samba server and is one of the most important settings in the
+smb\&.conf
+file\&.
+.sp
+The default is
+server role = auto, as causes Samba to operate according to the
+\m[blue]\fBsecurity\fR\m[]
+setting, or if not specified as a simple file server that is not connected to any domain\&.
+.sp
+The alternatives are
+server role = standalone
+or
+server role = member server, which support joining Samba to a Windows domain, along with
+server role = domain controller, which run Samba as a Windows domain controller\&.
+.sp
+You should use
+server role = standalone
+and
+\m[blue]\fBmap to guest\fR\m[]
+if you want to mainly setup shares without a password (guest shares)\&. This is commonly used for a shared printer server\&.
+.sp
+\fISERVER ROLE = AUTO\fR
+.sp
+This is the default server role in Samba, and causes Samba to consult the
+\m[blue]\fBsecurity\fR\m[]
+parameter (if set) to determine the server role, giving compatible behaviours to previous Samba versions\&.
+.sp
+\fISERVER ROLE = STANDALONE\fR
+.sp
+If
+\m[blue]\fBsecurity\fR\m[]
+is also not specified, this is the default security setting in Samba\&. In standalone operation, a client must first "log\-on" with a valid username and password (which can be mapped using the
+\m[blue]\fBusername map\fR\m[]
+parameter) stored on this machine\&. Encrypted passwords (see the
+\m[blue]\fBencrypted passwords\fR\m[]
+parameter) are by default used in this security mode\&. Parameters such as
+\m[blue]\fBuser\fR\m[]
+and
+\m[blue]\fBguest only\fR\m[]
+if set are then applied and may change the UNIX user to use on this connection, but only after the user has been successfully authenticated\&.
+.sp
+\fISERVER ROLE = MEMBER SERVER\fR
+.sp
+This mode will only work correctly if
+\fBnet\fR(8)
+has been used to add this machine into a Windows Domain\&. It expects the
+\m[blue]\fBencrypted passwords\fR\m[]
+parameter to be set to
+\fByes\fR\&. In this mode Samba will try to validate the username/password by passing it to a Windows or Samba Domain Controller, in exactly the same way that a Windows Server would do\&.
+.sp
+\fINote\fR
+that a valid UNIX user must still exist as well as the account on the Domain Controller to allow Samba to have a valid UNIX account to map file access to\&. Winbind can provide this\&.
+.sp
+\fISERVER ROLE = CLASSIC PRIMARY DOMAIN CONTROLLER\fR
+.sp
+This mode of operation runs a classic Samba primary domain controller, providing domain logon services to Windows and Samba clients of an NT4\-like domain\&. Clients must be joined to the domain to create a secure, trusted path across the network\&. There must be only one PDC per NetBIOS scope (typcially a broadcast network or clients served by a single WINS server)\&.
+.sp
+\fISERVER ROLE = CLASSIC BACKUP DOMAIN CONTROLLER\fR
+.sp
+This mode of operation runs a classic Samba backup domain controller, providing domain logon services to Windows and Samba clients of an NT4\-like domain\&. As a BDC, this allows multiple Samba servers to provide redundant logon services to a single NetBIOS scope\&.
+.sp
+\fISERVER ROLE = ACTIVE DIRECTORY DOMAIN CONTROLLER\fR
+.sp
+This mode of operation runs Samba as an active directory domain controller, providing domain logon services to Windows and Samba clients of the domain\&. This role requires special configuration, see the
+Samba4 HOWTO
+.sp
+Default:
+\fI\fIserver role\fR\fR\fI = \fR\fIAUTO\fR\fI \fR
+.sp
+Example:
+\fI\fIserver role\fR\fR\fI = \fR\fIACTIVE DIRECTORY DOMAIN CONTROLLER\fR\fI \fR
 .RE
 
@@ -8882 +9723 @@
 .RE
 
+server services (G)
+.\" server services
+.PP
+.RS 4
+This option contains the services that the Samba daemon will run\&.
+.sp
+An entry in the
+smb\&.conf
+file can either override the previous value completely or entries can be removed from or added to it by prefixing them with
+\fB+\fR
+or
+\fB\-\fR\&.
+.sp
+Default:
+\fI\fIserver services\fR\fR\fI = \fR\fIs3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate, dns\fR\fI \fR
+.sp
+Example:
+\fI\fIserver services\fR\fR\fI = \fR\fI\-s3fs, +smb\fR\fI \fR
+.RE
+
 server signing (G)
 .\" server signing
@@ -8887 +9748 @@
 .RS 4
 This controls whether the client is allowed or required to use SMB1 and SMB2 signing\&. Possible values are
+\fIdefault\fR,
 \fIauto\fR,
 \fImandatory\fR
 and
 \fIdisabled\fR\&.
+.sp
+By default, and when smb signing is set to
+\fIdefault\fR, smb signing is required when
+\m[blue]\fBserver role\fR\m[]
+is
+\fIactive directory domain controller\fR
+and disabled otherwise\&.
 .sp
 When set to auto, SMB1 signing is offered, but not enforced\&. When set to mandatory, SMB1 signing is required and if set to disabled, SMB signing is not offered either\&.
@@ -8901 +9770 @@
 .sp
 Default:
-\fI\fIserver signing\fR\fR\fI = \fR\fIDisabled\fR\fI \fR
+\fI\fIserver signing\fR\fR\fI = \fR\fIdefault\fR\fI \fR
 .RE
 
@@ -8928 +9797 @@
 .RE
 
-set directory (S)
-.\" set directory
-.PP
-.RS 4
-If
-set directory = no, then users of the service may not use the setdir command to change directory\&.
-.sp
-The
-setdir
-command is only implemented in the Digital Pathworks client\&. See the Pathworks documentation for details\&.
-.sp
-Default:
-\fI\fIset directory\fR\fR\fI = \fR\fIno\fR\fI \fR
-.RE
-
 set primary group script (G)
 .\" set primary group script
 .PP
 .RS 4
-Thanks to the Posix subsystem in NT a Windows User has a primary group in addition to the auxiliary groups\&. This script sets the primary group in the unix userdatase when an administrator sets the primary group from the windows user manager or when fetching a SAM with
+Thanks to the Posix subsystem in NT a Windows User has a primary group in addition to the auxiliary groups\&. This script sets the primary group in the unix user database when an administrator sets the primary group from the windows user manager or when fetching a SAM with
 net rpc vampire\&.
 \fI%u\fR
@@ -8969 +9823 @@
 should only be used whenever there is no operating system API available from the OS that samba can use\&.
 .sp
-This option is only available if Samba was configured with the argument
-\-\-with\-sys\-quotas
-or on linux when
-\&./configure \-\-with\-quotas
-was used and a working quota api was found in the system\&. Most packages are configured with these options already\&.
+This option is only available if Samba was compiled with quota support\&.
 .sp
 This parameter should specify the path to a script that can set quota for the specified arguments\&.
@@ -8987 +9837 @@
 .IP \(bu 2.3
 .\}
-1 \- quota type
+1 \- path to where the quota needs to be set\&. This needs to be interpreted relative to the current working directory that the script may also check for\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+2 \- quota type
 .sp
 .RS 4
@@ -9044 +9905 @@
 .IP \(bu 2.3
 .\}
-2 \- id (uid for user, gid for group, \-1 if N/A)
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-3 \- quota state (0 = disable, 1 = enable, 2 = enable and enforce)
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-4 \- block softlimit
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-5 \- block hardlimit
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-6 \- inode softlimit
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-7 \- inode hardlimit
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-8(optional) \- block size, defaults to 1024
+3 \- id (uid for user, gid for group, \-1 if N/A)
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+4 \- quota state (0 = disable, 1 = enable, 2 = enable and enforce)
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+5 \- block softlimit
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+6 \- block hardlimit
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+7 \- inode softlimit
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+8 \- inode hardlimit
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+9(optional) \- block size, defaults to 1024
 .RE
 .sp
@@ -9121 +9982 @@
 Example:
 \fI\fIset quota command\fR\fR\fI = \fR\fI/usr/local/sbin/set_quota\fR\fI \fR
+.RE
+
+share backend (G)
+.\" share backend
+.PP
+.RS 4
+This option specifies the backend that will be used to access the configuration of file shares\&.
+.sp
+Traditionally, Samba file shares have been configured in the
+\fBsmb\&.conf\fR
+file and this is still the default\&.
+.sp
+At the moment there are no other supported backends\&.
+.sp
+Default:
+\fI\fIshare backend\fR\fR\fI = \fR\fIclassic\fR\fI \fR
 .RE
 
@@ -9133 +10010 @@
 Default:
 \fI\fIshare:fake_fscaps\fR\fR\fI = \fR\fI0\fR\fI \fR
-.RE
-
-share modes (S)
-.\" share modes
-.PP
-.RS 4
-This enables or disables the honoring of the
-\fIshare modes\fR
-during a file open\&. These modes are used by clients to gain exclusive read or write access to a file\&.
-.sp
-This is a deprecated option from old versions of Samba, and will be removed in the next major release\&.
-.sp
-These open modes are not directly supported by UNIX, so they are simulated using shared memory\&.
-.sp
-The share modes that are enabled by this option are the standard Windows share modes\&.
-.sp
-This option gives full share compatibility and is enabled by default\&.
-.sp
-You should
-\fINEVER\fR
-turn this parameter off as many Windows applications will break if you do so\&.
-.sp
-Default:
-\fI\fIshare modes\fR\fR\fI = \fR\fIyes\fR\fI \fR
 .RE
 
@@ -9181 +10034 @@
 With the introduction of MS\-RPC based printing support for Windows NT/2000 client in Samba 2\&.2, a "Printers\&.\&.\&." folder will appear on Samba hosts in the share listing\&. Normally this folder will contain an icon for the MS Add Printer Wizard (APW)\&. However, it is possible to disable this feature regardless of the level of privilege of the connected user\&.
 .sp
-Under normal circumstances, the Windows NT/2000 client will open a handle on the printer server with OpenPrinterEx() asking for Administrator privileges\&. If the user does not have administrative access on the print server (i\&.e is not root or a member of the
-\fIprinter admin\fR
-group), the OpenPrinterEx() call fails and the client makes another open call with a request for a lower privilege level\&. This should succeed, however the APW icon will not be displayed\&.
+Under normal circumstances, the Windows NT/2000 client will open a handle on the printer server with OpenPrinterEx() asking for Administrator privileges\&. If the user does not have administrative access on the print server (i\&.e is not root or has granted the SePrintOperatorPrivilege), the OpenPrinterEx() call fails and the client makes another open call with a request for a lower privilege level\&. This should succeed, however the APW icon will not be displayed\&.
 .sp
 Disabling the
@@ -9215 +10066 @@
 that should start a shutdown procedure\&.
 .sp
-If the connected user posseses the
+If the connected user possesses the
 \fBSeRemoteShutdownPrivilege\fR, right, this command will be run as root\&.
 .sp
@@ -9299 +10150 @@
 .RE
 
+smb2 leases (G)
+.\" smb2 leases
+.PP
+.RS 4
+This boolean option tells
+smbd
+whether to globally negotiate SMB2 leases on file open requests\&. Leasing is an SMB2\-only feature which allows clients to aggressively cache files locally above and beyond the caching allowed by SMB1 oplocks\&. This (experimental) parameter is set to off by default until the SMB2 leasing code is declared fully stable\&.
+.sp
+This is only available with
+\m[blue]\fBoplocks = yes\fR\m[]
+and
+\m[blue]\fBkernel oplocks = no\fR\m[]\&.
+.sp
+Note that the write cache won\*(Aqt be used for file handles with a smb2 write lease\&.
+.sp
+The Samba implementation of leases is currently marked as experimental!
+.sp
+Default:
+\fI\fIsmb2 leases\fR\fR\fI = \fR\fIno\fR\fI \fR
+.RE
+
 smb2 max credits (G)
 .\" smb2 max credits
@@ -9321 +10193 @@
 will return to a client, informing the client of the largest size that may be returned by a single SMB2 read call\&.
 .sp
-The maximum is 65536 bytes (64KB), which is the same as a Windows Vista SMB2 server\&.
-.sp
-Default:
-\fI\fIsmb2 max read\fR\fR\fI = \fR\fI65536\fR\fI \fR
+The maximum is 8388608 bytes (8MiB), which is the same as a Windows Server 2012 r2\&.
+.sp
+Please note that the default is 8MiB, but it\*(Aqs limit is based on the smb2 dialect (64KiB for SMB == 2\&.0, 8MiB for SMB >= 2\&.1 with LargeMTU)\&. Large MTU is not supported over NBT (tcp port 139)\&.
+.sp
+Default:
+\fI\fIsmb2 max read\fR\fR\fI = \fR\fI8388608\fR\fI \fR
 .RE
 
@@ -9335 +10209 @@
 will return to a client, informing the client of the largest size of buffer that may be used in querying file meta\-data via QUERY_INFO and related SMB2 calls\&.
 .sp
-The maximum is 65536 bytes (64KB), which is the same as a Windows Vista SMB2 server\&.
-.sp
-Default:
-\fI\fIsmb2 max trans\fR\fR\fI = \fR\fI65536\fR\fI \fR
+The maximum is 8388608 bytes (8MiB), which is the same as a Windows Server 2012 r2\&.
+.sp
+Please note that the default is 8MiB, but it\*(Aqs limit is based on the smb2 dialect (64KiB for SMB == 2\&.0, 1MiB for SMB >= 2\&.1 with LargeMTU)\&. Large MTU is not supported over NBT (tcp port 139)\&.
+.sp
+Default:
+\fI\fIsmb2 max trans\fR\fR\fI = \fR\fI8388608\fR\fI \fR
 .RE
 
@@ -9349 +10225 @@
 will return to a client, informing the client of the largest size that may be sent to the server by a single SMB2 write call\&.
 .sp
-The maximum is 65536 bytes (64KB), which is the same as a Windows Vista SMB2 server\&.
-.sp
-Default:
-\fI\fIsmb2 max write\fR\fR\fI = \fR\fI65536\fR\fI \fR
+The maximum is 8388608 bytes (8MiB), which is the same as a Windows Server 2012 r2\&.
+.sp
+Please note that the default is 8MiB, but it\*(Aqs limit is based on the smb2 dialect (64KiB for SMB == 2\&.0, 8MiB for SMB => 2\&.1 with LargeMTU)\&. Large MTU is not supported over NBT (tcp port 139)\&.
+.sp
+Default:
+\fI\fIsmb2 max write\fR\fR\fI = \fR\fI8388608\fR\fI \fR
+.RE
+
+smbd profiling level (G)
+.\" smbd profiling level
+.PP
+.RS 4
+This parameter allows the administrator to enable profiling support\&.
+.sp
+Possible values are
+\fBoff\fR,
+\fBcount\fR
+and
+\fBon\fR\&.
+.sp
+Default:
+\fI\fIsmbd profiling level\fR\fR\fI = \fR\fIoff\fR\fI \fR
+.sp
+Example:
+\fI\fIsmbd profiling level\fR\fR\fI = \fR\fIon\fR\fI \fR
 .RE
 
@@ -9359 +10256 @@
 .PP
 .RS 4
-This is a new feature introduced with Samba 3\&.2 and above\&. It is an extension to the SMB/CIFS protocol negotiated as part of the UNIX extensions\&. SMB encryption uses the GSSAPI (SSPI on Windows) ability to encrypt and sign every request/response in a SMB protocol stream\&. When enabled it provides a secure method of SMB/CIFS communication, similar to an ssh protected session, but using SMB/CIFS authentication to negotiate encryption and signing keys\&. Currently this is only supported by Samba 3\&.2 smbclient, and hopefully soon Linux CIFSFS and MacOS/X clients\&. Windows clients do not support this feature\&.
-.sp
-This controls whether the remote client is allowed or required to use SMB encryption\&. Possible values are
-\fIauto\fR,
-\fImandatory\fR
-and
-\fIdisabled\fR\&. This may be set on a per\-share basis, but clients may chose to encrypt the entire session, not just traffic to a specific share\&. If this is set to mandatory then all traffic to a share
+This parameter controls whether a remote client is allowed or required to use SMB encryption\&. It has different effects depending on whether the connection uses SMB1 or SMB2 and newer:
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+If the connection uses SMB1, then this option controls the use of a Samba\-specific extension to the SMB protocol introduced in Samba 3\&.2 that makes use of the Unix extensions\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+If the connection uses SMB2 or newer, then this option controls the use of the SMB\-level encryption that is supported in SMB version 3\&.0 and above and available in Windows 8 and newer\&.
+.RE
+.sp
+.RE
+This parameter can be set globally and on a per\-share bases\&. Possible values are
+\fIoff\fR
+(or
+\fIdisabled\fR),
+\fIenabled\fR
+(or
+\fIauto\fR, or
+\fIif_required\fR),
+\fIdesired\fR, and
+\fIrequired\fR
+(or
+\fImandatory\fR)\&. A special value is
+\fIdefault\fR
+which is the implicit default setting of
+\fIenabled\fR\&.
+.PP
+\fIEffects for SMB1\fR
+.RS 4
+The Samba\-specific encryption of SMB1 connections is an extension to the SMB protocol negotiated as part of the UNIX extensions\&. SMB encryption uses the GSSAPI (SSPI on Windows) ability to encrypt and sign every request/response in a SMB protocol stream\&. When enabled it provides a secure method of SMB/CIFS communication, similar to an ssh protected session, but using SMB/CIFS authentication to negotiate encryption and signing keys\&. Currently this is only supported smbclient of by Samba 3\&.2 and newer, and hopefully soon Linux CIFSFS and MacOS/X clients\&. Windows clients do not support this feature\&.
+.sp
+This may be set on a per\-share basis, but clients may chose to encrypt the entire session, not just traffic to a specific share\&. If this is set to mandatory then all traffic to a share
 \fImust\fR
-must be encrypted once the connection has been made to the share\&. The server would return "access denied" to all non\-encrypted requests on such a share\&. Selecting encrypted traffic reduces throughput as smaller packet sizes must be used (no huge UNIX style read/writes allowed) as well as the overhead of encrypting and signing all the data\&.
+be encrypted once the connection has been made to the share\&. The server would return "access denied" to all non\-encrypted requests on such a share\&. Selecting encrypted traffic reduces throughput as smaller packet sizes must be used (no huge UNIX style read/writes allowed) as well as the overhead of encrypting and signing all the data\&.
 .sp
 If SMB encryption is selected, Windows style SMB signing (see the
@@ -9373 +10309 @@
 option) is no longer necessary, as the GSSAPI flags use select both signing and sealing of the data\&.
 .sp
-When set to auto, SMB encryption is offered, but not enforced\&. When set to mandatory, SMB encryption is required and if set to disabled, SMB encryption can not be negotiated\&.
-.sp
-Default:
-\fI\fIsmb encrypt\fR\fR\fI = \fR\fIauto\fR\fI \fR
+When set to auto or default, SMB encryption is offered, but not enforced\&. When set to mandatory, SMB encryption is required and if set to disabled, SMB encryption can not be negotiated\&.
+.RE
+.PP
+\fIEffects for SMB2\fR
+.RS 4
+Native SMB transport encryption is available in SMB version 3\&.0 or newer\&. It is only offered by Samba if
+\fIserver max protocol\fR
+is set to
+\fISMB3\fR
+or newer\&. Clients supporting this type of encryption include Windows 8 and newer, Windows server 2012 and newer, and smbclient of Samba 4\&.1 and newer\&.
+.sp
+The protocol implementation offers various options:
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+The capability to perform SMB encryption can be negotiated during protocol negotiation\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+Data encryption can be enabled globally\&. In that case, an encryption\-capable connection will have all traffic in all its sessions encrypted\&. In particular all share connections will be encrypted\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+Data encryption can also be enabled per share if not enabled globally\&. For an encryption\-capable connection, all connections to an encryption\-enabled share will be encrypted\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+Encryption can be enforced\&. This means that session setups will be denied on non\-encryption\-capable connections if data encryption has been enabled globally\&. And tree connections will be denied for non\-encryption capable connections to shares with data encryption enabled\&.
+.RE
+.sp
+.RE
+These features can be controlled with settings of
+\fIsmb encrypt\fR
+as follows:
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+Leaving it as default, explicitly setting
+\fIdefault\fR, or setting it to
+\fIenabled\fR
+globally will enable negotiation of encryption but will not turn on data encryption globally or per share\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+Setting it to
+\fIdesired\fR
+globally will enable negotiation and will turn on data encryption on sessions and share connections for those clients that support it\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+Setting it to
+\fIrequired\fR
+globally will enable negotiation and turn on data encryption on sessions and share connections\&. Clients that do not support encryption will be denied access to the server\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+Setting it to
+\fIoff\fR
+globally will completely disable the encryption feature\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+Setting it to
+\fIdesired\fR
+on a share will turn on data encryption for this share for clients that support encryption if negotiation has been enabled globally\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+Setting it to
+\fIrequired\fR
+on a share will enforce data encryption for this share if negotiation has been enabled globally\&. I\&.e\&. clients that do not support encryption will be denied access to the share\&.
+.sp
+Note that this allows per\-share enforcing to be controlled in Samba differently from Windows: In Windows,
+\fIRejectUnencryptedAccess\fR
+is a global setting, and if it is set, all shares with data encryption turned on are automatically enforcing encryption\&. In order to achieve the same effect in Samba, one has to globally set
+\fIsmb encrypt\fR
+to
+\fIenabled\fR, and then set all shares that should be encrypted to
+\fIrequired\fR\&. Additionally, it is possible in Samba to have some shares with encryption
+\fIrequired\fR
+and some other shares with encryption only
+\fIdesired\fR, which is not possible in Windows\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+Setting it to
+\fIoff\fR
+or
+\fIenabled\fR
+for a share has no effect\&.
+.RE
+.sp
+.RE
+.RE
+.sp
+Default:
+\fI\fIsmb encrypt\fR\fR\fI = \fR\fIdefault\fR\fI \fR
 .RE
 
@@ -9411 +10515 @@
 .RE
 
-socket address (G)
-.\" socket address
-.PP
-.RS 4
-This option allows you to control what address Samba will listen for connections on\&. This is used to support multiple virtual interfaces on the one server, each with a different configuration\&.
-.sp
-Setting this option should never be necessary on usual Samba servers running only one nmbd\&.
-.sp
-By default Samba will accept connections on any address\&.
-.sp
-Default:
-\fI\fIsocket address\fR\fR\fI = \fR\fI\fR\fI \fR
-.sp
-Example:
-\fI\fIsocket address\fR\fR\fI = \fR\fI192\&.168\&.2\&.20\fR\fI \fR
-.RE
-
 socket options (G)
 .\" socket options
 .PP
 .RS 4
+.if n \{\
+.sp
+.\}
+.RS 4
+.it 1 an-trap
+.nr an-no-space-flag 1
+.nr an-break-flag 1
+.br
+.ps +1
+\fBWarning\fR
+.ps -1
+.br
+Modern server operating systems are tuned for high network performance in the majority of situations; when you set socket options you are overriding those settings\&. Linux in particular has an auto\-tuning mechanism for buffer sizes that will be disabled if you specify a socket buffer size\&. This can potentially cripple your TCP/IP stack\&.
+.sp
+Getting the socket options correct can make a big difference to your performance, but getting them wrong can degrade it by just as much\&. As with any other low level setting, if you must make changes to it, make small changes and
+\fItest\fR
+the effect before making any large changes\&.
+.sp .5v
+.RE
+.sp
 This option allows you to set socket options to be used when talking with the client\&.
 .sp
@@ -9441 +10548 @@
 .sp
 You may find that on some systems Samba will say "Unknown socket option" when you supply an option\&. This means you either incorrectly typed it or you need to add an include file to includes\&.h for your OS\&. If the latter is the case please send the patch to
-samba\-technical@samba\&.org\&.
+samba\-technical@lists\&.samba\&.org\&.
 .sp
 Any of the supported socket options may be combined in any way you like, as long as your OS allows it\&.
@@ -9499 +10606 @@
 .IP \(bu 2.3
 .\}
+TCP_KEEPCNT *
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+TCP_KEEPIDLE *
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+TCP_KEEPINTVL *
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
 IPTOS_LOWDELAY
 .RE
@@ -9521 +10661 @@
 .IP \(bu 2.3
 .\}
+SO_REUSEPORT
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
 SO_SNDBUF *
 .RE
@@ -9555 +10706 @@
 .\}
 SO_RCVLOWAT *
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+SO_SNDTIMEO *
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+SO_RCVTIMEO *
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+TCP_FASTACK *
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+TCP_QUICKACK
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+TCP_NODELAYACK
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+TCP_KEEPALIVE_THRESHOLD *
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+TCP_KEEPALIVE_ABORT_THRESHOLD *
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+TCP_DEFER_ACCEPT *
 .RE
 .sp
@@ -9582 +10821 @@
 Example:
 \fI\fIsocket options\fR\fR\fI = \fR\fIIPTOS_LOWDELAY\fR\fI \fR
+.RE
+
+spn update command (G)
+.\" spn update command
+.PP
+.RS 4
+This option sets the command that for updating servicePrincipalName names from
+spn_update_list\&.
+.sp
+Default:
+\fI\fIspn update command\fR\fR\fI = \fR\fI${prefix}/sbin/samba_spnupdate\fR\fI \fR
+.sp
+Example:
+\fI\fIspn update command\fR\fR\fI = \fR\fI/usr/local/sbin/spnupdate\fR\fI \fR
+.RE
+
+spoolss: architecture (G)
+.\" spoolss: architecture
+.PP
+.RS 4
+Windows spoolss print clients only allow association of server\-side drivers with printers when the driver architecture matches the advertised print server architecture\&. Samba\*(Aqs spoolss print server architecture can be changed using this parameter\&.
+.sp
+Default:
+\fI\fIspoolss: architecture\fR\fR\fI = \fR\fIWindows NT x86\fR\fI \fR
+.sp
+Example:
+\fI\fIspoolss: architecture\fR\fR\fI = \fR\fIWindows x64\fR\fI \fR
+.RE
+
+spoolss: os_major (G)
+.\" spoolss: os_major
+.PP
+.RS 4
+Windows might require a new os version number\&. This option allows to modify the build number\&. The complete default version number is: 5\&.0\&.2195 (Windows 2000)\&. The example is 6\&.1\&.7601 (Windows 2008 R2)\&.
+.sp
+Default:
+\fI\fIspoolss: os_major\fR\fR\fI = \fR\fI5\fR\fI \fR
+.sp
+Example:
+\fI\fIspoolss: os_major\fR\fR\fI = \fR\fI6\fR\fI \fR
+.RE
+
+spoolss: os_minor (G)
+.\" spoolss: os_minor
+.PP
+.RS 4
+Windows might require a new os version number\&. This option allows to modify the build number\&. The complete default version number is: 5\&.0\&.2195 (Windows 2000)\&. The example is 6\&.1\&.7601 (Windows 2008 R2)\&.
+.sp
+Default:
+\fI\fIspoolss: os_minor\fR\fR\fI = \fR\fI0\fR\fI \fR
+.sp
+Example:
+\fI\fIspoolss: os_minor\fR\fR\fI = \fR\fI1\fR\fI \fR
+.RE
+
+spoolss: os_build (G)
+.\" spoolss: os_build
+.PP
+.RS 4
+Windows might require a new os version number\&. This option allows to modify the build number\&. The complete default version number is: 5\&.0\&.2195 (Windows 2000)\&. The example is 6\&.1\&.7601 (Windows 2008 R2)\&.
+.sp
+Default:
+\fI\fIspoolss: os_build\fR\fR\fI = \fR\fI2195\fR\fI \fR
+.sp
+Example:
+\fI\fIspoolss: os_build\fR\fR\fI = \fR\fI7601\fR\fI \fR
+.RE
+
+spotlight (S)
+.\" spotlight
+.PP
+.RS 4
+This parameter controls whether Samba allows Spotlight queries on a share\&. For controlling indexing of filesystems you also have to use Tracker\*(Aqs own configuration system\&.
+.sp
+Spotlight has several prerequisites:
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+Samba must be configured and built with Spotlight support\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+The
+\fImdssvc\fR
+RPC service must be enabled, see below\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+Tracker intergration must be setup and the share must be indexed by Tracker\&.
+.RE
+.sp
+.RE
+For a detailed set of instructions please see
+https://wiki\&.samba\&.org/index\&.php/Spotlight\&.
+.sp
+The Spotlight RPC service can either be enabled as embedded RPC service:
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+\fI[Global]\fR
+\m[blue]\fBrpc_server:mdsvc = embedded\fR\m[]
+.fi
+.if n \{\
+.RE
+.\}
+.sp
+Or it can be run in a seperate RPC service daemon:
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+\fI[Global]\fR
+\m[blue]\fBrpc_server:mdssd = fork\fR\m[]
+\m[blue]\fBrpc_server:mdsvc = external\fR\m[]
+.fi
+.if n \{\
+.RE
+.\}
+.sp
+Default:
+\fI\fIspotlight\fR\fR\fI = \fR\fIno\fR\fI \fR
 .RE
 
@@ -9623 +11006 @@
 \m[blue]\fBmap hidden\fR\m[]
 and
-\m[blue]\fBmap readonly\fR\m[])\&. When set, DOS attributes will be stored onto an extended attribute in the UNIX filesystem, associated with the file or directory\&. For no other mapping to occur as a fall\-back, the parameters
+\m[blue]\fBmap readonly\fR\m[])\&. When set, DOS attributes will be stored onto an extended attribute in the UNIX filesystem, associated with the file or directory\&. When this parameter is set it will override the parameters
 \m[blue]\fBmap hidden\fR\m[],
 \m[blue]\fBmap system\fR\m[],
@@ -9629 +11012 @@
 and
 \m[blue]\fBmap readonly\fR\m[]
-must be set to off\&. This parameter writes the DOS attributes as a string into the extended attribute named "user\&.DOSATTRIB"\&. This extended attribute is explicitly hidden from smbd clients requesting an EA list\&. On Linux the filesystem must have been mounted with the mount option user_xattr in order for extended attributes to work, also extended attributes must be compiled into the Linux kernel\&. In Samba 3\&.5\&.0 and above the "user\&.DOSATTRIB" extended attribute has been extended to store the create time for a file as well as the DOS attributes\&. This is done in a backwards compatible way so files created by Samba 3\&.5\&.0 and above can still have the DOS attribute read from this extended attribute by earlier versions of Samba, but they will not be able to read the create time stored there\&. Storing the create time separately from the normal filesystem meta\-data allows Samba to faithfully reproduce NTFS semantics on top of a POSIX filesystem\&.
+and they will behave as if they were set to off\&. This parameter writes the DOS attributes as a string into the extended attribute named "user\&.DOSATTRIB"\&. This extended attribute is explicitly hidden from smbd clients requesting an EA list\&. On Linux the filesystem must have been mounted with the mount option user_xattr in order for extended attributes to work, also extended attributes must be compiled into the Linux kernel\&. In Samba 3\&.5\&.0 and above the "user\&.DOSATTRIB" extended attribute has been extended to store the create time for a file as well as the DOS attributes\&. This is done in a backwards compatible way so files created by Samba 3\&.5\&.0 and above can still have the DOS attribute read from this extended attribute by earlier versions of Samba, but they will not be able to read the create time stored there\&. Storing the create time separately from the normal filesystem meta\-data allows Samba to faithfully reproduce NTFS semantics on top of a POSIX filesystem\&.
 .sp
 Default:
@@ -9643 +11026 @@
 the server will change from UNIX behaviour of not committing real disk storage blocks when a file is extended to the Windows behaviour of actually forcing the disk system to allocate real storage blocks when a file is created or extended to be a given size\&. In UNIX terminology this means that Samba will stop creating sparse files\&.
 .sp
-This option is really desgined for file systems that support fast allocation of large numbers of blocks such as extent\-based file systems\&. On file systems that don\*(Aqt support extents (most notably ext3) this can make Samba slower\&. When you work with large files over >100MB on file systems without extents you may even run into problems with clients running into timeouts\&.
+This option is really designed for file systems that support fast allocation of large numbers of blocks such as extent\-based file systems\&. On file systems that don\*(Aqt support extents (most notably ext3) this can make Samba slower\&. When you work with large files over >100MB on file systems without extents you may even run into problems with clients running into timeouts\&.
 .sp
 When you have an extent based filesystem it\*(Aqs likely that we can make use of unwritten extents which allows Samba to allocate even large amounts of space very fast and you will not see any timeout problems caused by strict allocate\&. With strict allocate in use you will also get much better out of quota messages in case you use quotas\&. Another advantage of activating this setting is that it will help to reduce file fragmentation\&.
@@ -9674 +11057 @@
 .RE
 
+strict rename (S)
+.\" strict rename
+.PP
+.RS 4
+By default a Windows SMB server prevents directory renames when there are open file or directory handles below it in the filesystem hierarchy\&. Historically Samba has always allowed this as POSIX filesystem semantics require it\&.
+.sp
+This boolean parameter allows Samba to match the Windows behavior\&. Setting this to "yes" is a very expensive change, as it forces Samba to travers the entire open file handle database on every directory rename request\&. In a clustered Samba system the cost is even greater than the non\-clustered case\&.
+.sp
+When set to "no" smbd only checks the local process the client is attached to for open files below a directory being renamed, instead of checking for open files across all smbd processes\&.
+.sp
+Because of the expense in fully searching the database, the default is "no", and it is recommended to be left that way unless a specific Windows application requires it to be changed\&.
+.sp
+If the client has requested UNIX extensions (POSIX pathnames) then renames are always allowed and this parameter has no effect\&.
+.sp
+Default:
+\fI\fIstrict rename\fR\fR\fI = \fR\fIno\fR\fI \fR
+.RE
+
 strict sync (S)
 .\" strict sync
 .PP
 .RS 4
-Many Windows applications (including the Windows 98 explorer shell) seem to confuse flushing buffer contents to disk with doing a sync to disk\&. Under UNIX, a sync call forces the process to be suspended until the kernel has ensured that all outstanding data in kernel disk buffers has been safely stored onto stable storage\&. This is very slow and should only be done rarely\&. Setting this parameter to
+Many Windows applications (including the Windows 98 explorer shell) seem to confuse flushing buffer contents to disk with doing a sync to disk\&. Under UNIX, a sync call forces the thread to be suspended until the kernel has ensured that all outstanding data in kernel disk buffers has been safely stored onto stable storage\&. This is very slow and should only be done rarely\&. Setting this parameter to
 \fBno\fR
 (the default) means that
 \fBsmbd\fR(8)
 ignores the Windows applications requests for a sync call\&. There is only a possibility of losing data if the operating system itself that Samba is running on crashes, so there is little danger in this default setting\&. In addition, this fixes many performance problems that people have reported with the new Windows98 explorer shell file copies\&.
+.sp
+The flush request from SMB2/3 clients is handled asynchronously, so for these clients setting the parameter to
+\fByes\fR
+does not block the processing of other requests in the smbd process\&.
 .sp
 Default:
@@ -9727 +11132 @@
 .RE
 
-syslog only (G)
-.\" syslog only
-.PP
-.RS 4
-If this parameter is set then Samba debug messages are logged into the system syslog only, and not to the debug log files\&. There still will be some logging to log\&.[sn]mbd even if
-\fIsyslog only\fR
-is enabled\&.
-.sp
-Default:
-\fI\fIsyslog only\fR\fR\fI = \fR\fIno\fR\fI \fR
-.RE
-
 syslog (G)
 .\" syslog
@@ -9753 +11146 @@
 is enabled\&.
 .sp
+The
+\m[blue]\fBlogging\fR\m[]
+parameter should be used instead\&. When
+\m[blue]\fBlogging\fR\m[]
+is set, it overrides the
+\m[blue]\fBsyslog\fR\m[]
+parameter\&.
+.sp
 Default:
 \fI\fIsyslog\fR\fR\fI = \fR\fI1\fR\fI \fR
+.RE
+
+syslog only (G)
+.\" syslog only
+.PP
+.RS 4
+If this parameter is set then Samba debug messages are logged into the system syslog only, and not to the debug log files\&. There still will be some logging to log\&.[sn]mbd even if
+\fIsyslog only\fR
+is enabled\&.
+.sp
+The
+\m[blue]\fBlogging\fR\m[]
+parameter should be used instead\&. When
+\m[blue]\fBlogging\fR\m[]
+is set, it overrides the
+\m[blue]\fBsyslog only\fR\m[]
+parameter\&.
+.sp
+Default:
+\fI\fIsyslog only\fR\fR\fI = \fR\fIno\fR\fI \fR
 .RE
 
@@ -9781 +11202 @@
 daemon uses this parameter to fill in the login shell for that user\&.
 .sp
-\fINo default\fR
-.RE
-
-time offset (G)
-.\" time offset
-.PP
-.RS 4
-This deprecated parameter is a setting in minutes to add to the normal GMT to local time conversion\&. This is useful if you are serving a lot of PCs that have incorrect daylight saving time handling\&.
-.if n \{\
-.sp
-.\}
-.RS 4
-.it 1 an-trap
-.nr an-no-space-flag 1
-.nr an-break-flag 1
-.br
-.ps +1
-\fBNote\fR
-.ps -1
-.br
-This option is deprecated, and will be removed in the next major release
-.sp .5v
-.RE
-Default:
-\fI\fItime offset\fR\fR\fI = \fR\fI0\fR\fI \fR
-.sp
-Example:
-\fI\fItime offset\fR\fR\fI = \fR\fI60\fR\fI \fR
+Default:
+\fI\fItemplate shell\fR\fR\fI = \fR\fI/bin/false\fR\fI \fR
 .RE
 
@@ -9823 +11218 @@
 .RE
 
+debug timestamp
+.\" debug timestamp
+.PP
+.RS 4
+This parameter is a synonym for
+timestamp logs\&.
+.RE
+
+timestamp logs (G)
+.\" timestamp logs
+.PP
+.RS 4
+Samba debug log messages are timestamped by default\&. If you are running at a high
+\m[blue]\fBdebug level\fR\m[]
+these timestamps can be distracting\&. This boolean parameter allows timestamping to be turned off\&.
+.sp
+Default:
+\fI\fItimestamp logs\fR\fR\fI = \fR\fIyes\fR\fI \fR
+.RE
+
+tls cafile (G)
+.\" tls cafile
+.PP
+.RS 4
+This option can be set to a file (PEM format) containing CA certificates of root CAs to trust to sign certificates or intermediate CA certificates\&.
+.sp
+This path is relative to
+\m[blue]\fBprivate dir\fR\m[]
+if the path does not start with a /\&.
+.sp
+Default:
+\fI\fItls cafile\fR\fR\fI = \fR\fItls/ca\&.pem\fR\fI \fR
+.RE
+
+tls certfile (G)
+.\" tls certfile
+.PP
+.RS 4
+This option can be set to a file (PEM format) containing the RSA certificate\&.
+.sp
+This path is relative to
+\m[blue]\fBprivate dir\fR\m[]
+if the path does not start with a /\&.
+.sp
+Default:
+\fI\fItls certfile\fR\fR\fI = \fR\fItls/cert\&.pem\fR\fI \fR
+.RE
+
+tls crlfile (G)
+.\" tls crlfile
+.PP
+.RS 4
+This option can be set to a file containing a certificate revocation list (CRL)\&.
+.sp
+This path is relative to
+\m[blue]\fBprivate dir\fR\m[]
+if the path does not start with a /\&.
+.sp
+Default:
+\fI\fItls crlfile\fR\fR\fI = \fR\fI\fR\fI \fR
+.RE
+
+tls dh params file (G)
+.\" tls dh params file
+.PP
+.RS 4
+This option can be set to a file with Diffie\-Hellman parameters which will be used with DH ciphers\&.
+.sp
+This path is relative to
+\m[blue]\fBprivate dir\fR\m[]
+if the path does not start with a /\&.
+.sp
+Default:
+\fI\fItls dh params file\fR\fR\fI = \fR\fI\fR\fI \fR
+.RE
+
+tls enabled (G)
+.\" tls enabled
+.PP
+.RS 4
+If this option is set to
+\fByes\fR, then Samba will use TLS when possible in communication\&.
+.sp
+Default:
+\fI\fItls enabled\fR\fR\fI = \fR\fIyes\fR\fI \fR
+.RE
+
+tls keyfile (G)
+.\" tls keyfile
+.PP
+.RS 4
+This option can be set to a file (PEM format) containing the RSA private key\&. This file must be accessible without a pass\-phrase, i\&.e\&. it must not be encrypted\&.
+.sp
+This path is relative to
+\m[blue]\fBprivate dir\fR\m[]
+if the path does not start with a /\&.
+.sp
+Default:
+\fI\fItls keyfile\fR\fR\fI = \fR\fItls/key\&.pem\fR\fI \fR
+.RE
+
+tls priority (G)
+.\" tls priority
+.PP
+.RS 4
+This option can be set to a string describing the TLS protocols to be supported in the parts of Samba that use GnuTLS, specifically the AD DC\&.
+.sp
+The default turns off SSLv3, as this protocol is no longer considered secure after CVE\-2014\-3566 (otherwise known as POODLE) impacted SSLv3 use in HTTPS applications\&.
+.sp
+The valid options are described in the
+GNUTLS Priority\-Strings documentation at http://gnutls\&.org/manual/html_node/Priority\-Strings\&.html
+.sp
+Default:
+\fI\fItls priority\fR\fR\fI = \fR\fINORMAL:\-VERS\-SSL3\&.0\fR\fI \fR
+.RE
+
+tls verify peer (G)
+.\" tls verify peer
+.PP
+.RS 4
+This controls if and how strict the client will verify the peer\*(Aqs certificate and name\&. Possible values are (in increasing order):
+\fBno_check\fR,
+\fBca_only\fR,
+\fBca_and_name_if_available\fR,
+\fBca_and_name\fR
+and
+\fBas_strict_as_possible\fR\&.
+.sp
+When set to
+\fBno_check\fR
+the certificate is not verified at all, which allows trivial man in the middle attacks\&.
+.sp
+When set to
+\fBca_only\fR
+the certificate is verified to be signed from a ca specified in the
+\m[blue]\fBtls ca file\fR\m[]
+option\&. Setting
+\m[blue]\fBtls ca file\fR\m[]
+to a valid file is required\&. The certificate lifetime is also verified\&. If the
+\m[blue]\fBtls crl file\fR\m[]
+option is configured, the certificate is also verified against the ca crl\&.
+.sp
+When set to
+\fBca_and_name_if_available\fR
+all checks from
+\fBca_only\fR
+are performed\&. In addition, the peer hostname is verified against the certificate\*(Aqs name, if it is provided by the application layer and not given as an ip address string\&.
+.sp
+When set to
+\fBca_and_name\fR
+all checks from
+\fBca_and_name_if_available\fR
+are performed\&. In addition the peer hostname needs to be provided and even an ip address is checked against the certificate\*(Aqs name\&.
+.sp
+When set to
+\fBas_strict_as_possible\fR
+all checks from
+\fBca_and_name\fR
+are performed\&. In addition the
+\m[blue]\fBtls crl file\fR\m[]
+needs to be configured\&. Future versions of Samba may implement additional checks\&.
+.sp
+Default:
+\fI\fItls verify peer\fR\fR\fI = \fR\fIas_strict_as_possible\fR\fI \fR
+.RE
+
+unicode (G)
+.\" unicode
+.PP
+.RS 4
+Specifies whether the server and client should support unicode\&.
+.sp
+If this option is set to false, the use of ASCII will be forced\&.
+.sp
+Default:
+\fI\fIunicode\fR\fR\fI = \fR\fIyes\fR\fI \fR
+.RE
+
 unix charset (G)
 .\" unix charset
@@ -9832 +11405 @@
 .sp
 Default:
-\fI\fIunix charset\fR\fR\fI = \fR\fIUTF8\fR\fI \fR
+\fI\fIunix charset\fR\fR\fI = \fR\fIUTF\-8\fR\fI \fR
 .sp
 Example:
@@ -9879 +11452 @@
 disable spoolss = yes\&.
 .sp
-The differentiating factor is that under normal circumstances, the NT/2000 client will attempt to open the network printer using MS\-RPC\&. The problem is that because the client considers the printer to be local, it will attempt to issue the OpenPrinterEx() call requesting access rights associated with the logged on user\&. If the user possesses local administator rights but not root privilege on the Samba host (often the case), the OpenPrinterEx() call will fail\&. The result is that the client will now display an "Access Denied; Unable to connect" message in the printer queue window (even though jobs may successfully be printed)\&.
+The differentiating factor is that under normal circumstances, the NT/2000 client will attempt to open the network printer using MS\-RPC\&. The problem is that because the client considers the printer to be local, it will attempt to issue the OpenPrinterEx() call requesting access rights associated with the logged on user\&. If the user possesses local administrator rights but not root privilege on the Samba host (often the case), the OpenPrinterEx() call will fail\&. The result is that the client will now display an "Access Denied; Unable to connect" message in the printer queue window (even though jobs may successfully be printed)\&.
 .sp
 If this parameter is enabled for a printer, then any attempt to open the printer with the PRINTER_ACCESS_ADMINISTER right is mapped to PRINTER_ACCESS_USE instead\&. Thus allowing the OpenPrinterEx() call to succeed\&.
@@ -9900 +11473 @@
 .RE
 
+user
+.\" user
+.PP
+.RS 4
+This parameter is a synonym for
+username\&.
+.RE
+
+users
+.\" users
+.PP
+.RS 4
+This parameter is a synonym for
+username\&.
+.RE
+
+username (S)
+.\" username
+.PP
+.RS 4
+To restrict a service to a particular set of users you can use the
+\m[blue]\fBvalid users\fR\m[]
+parameter\&.
+.sp
+This parameter is deprecated
+.sp
+However, it currently operates only in conjunction with
+\m[blue]\fBonly user\fR\m[]\&. The supported way to restrict a service to a particular set of users is the
+\m[blue]\fBvalid users\fR\m[]
+parameter\&.
+.sp
+Default:
+\fI\fIusername\fR\fR\fI = \fR\fI # The guest account if a guest service, else <empty string>\&.\fR\fI \fR
+.sp
+Example:
+\fI\fIusername\fR\fR\fI = \fR\fIfred, mary, jack, jane, @users, @pcgroup\fR\fI \fR
+.RE
+
 username level (G)
 .\" username level
@@ -9916 +11527 @@
 Example:
 \fI\fIusername level\fR\fR\fI = \fR\fI5\fR\fI \fR
+.RE
+
+username map (G)
+.\" username map
+.PP
+.RS 4
+This option allows you to specify a file containing a mapping of usernames from the clients to the server\&. This can be used for several purposes\&. The most common is to map usernames that users use on DOS or Windows machines to those that the UNIX box uses\&. The other is to map multiple users to a single username so that they can more easily share files\&.
+.sp
+Please note that for user mode security, the username map is applied prior to validating the user credentials\&. Domain member servers (domain or ads) apply the username map after the user has been successfully authenticated by the domain controller and require fully qualified entries in the map table (e\&.g\&. biddle =
+DOMAIN\efoo)\&.
+.sp
+The map file is parsed line by line\&. Each line should contain a single UNIX username on the left then a \*(Aq=\*(Aq followed by a list of usernames on the right\&. The list of usernames on the right may contain names of the form @group in which case they will match any UNIX username in that group\&. The special client name \*(Aq*\*(Aq is a wildcard and matches any name\&. Each line of the map file may be up to 1023 characters long\&.
+.sp
+The file is processed on each line by taking the supplied username and comparing it with each username on the right hand side of the \*(Aq=\*(Aq signs\&. If the supplied name matches any of the names on the right hand side then it is replaced with the name on the left\&. Processing then continues with the next line\&.
+.sp
+If any line begins with a \*(Aq#\*(Aq or a \*(Aq;\*(Aq then it is ignored\&.
+.sp
+If any line begins with an \*(Aq!\*(Aq then the processing will stop after that line if a mapping was done by the line\&. Otherwise mapping continues with every line being processed\&. Using \*(Aq!\*(Aq is most useful when you have a wildcard mapping line later in the file\&.
+.sp
+For example to map from the name
+\fBadmin\fR
+or
+\fBadministrator\fR
+to the UNIX name
+\fB root\fR
+you would use:
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+root = admin administrator
+.fi
+.if n \{\
+.RE
+.\}
+.sp
+Or to map anyone in the UNIX group
+\fBsystem\fR
+to the UNIX name
+\fBsys\fR
+you would use:
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+sys = @system
+.fi
+.if n \{\
+.RE
+.\}
+.sp
+You can have as many mappings as you like in a username map file\&.
+.sp
+If your system supports the NIS NETGROUP option then the netgroup database is checked before the
+/etc/group
+database for matching groups\&.
+.sp
+You can map Windows usernames that have spaces in them by using double quotes around the name\&. For example:
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+tridge = "Andrew Tridgell"
+.fi
+.if n \{\
+.RE
+.\}
+.sp
+would map the windows username "Andrew Tridgell" to the unix username "tridge"\&.
+.sp
+The following example would map mary and fred to the unix user sys, and map the rest to guest\&. Note the use of the \*(Aq!\*(Aq to tell Samba to stop processing if it gets a match on that line:
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+!sys = mary fred
+guest = *
+.fi
+.if n \{\
+.RE
+.\}
+.sp
+Note that the remapping is applied to all occurrences of usernames\&. Thus if you connect to \e\eserver\efred and
+\fBfred\fR
+is remapped to
+\fBmary\fR
+then you will actually be connecting to \e\eserver\emary and will need to supply a password suitable for
+\fBmary\fR
+not
+\fBfred\fR\&. The only exception to this is the username passed to a Domain Controller (if you have one)\&. The DC will receive whatever username the client supplies without modification\&.
+.sp
+Also note that no reverse mapping is done\&. The main effect this has is with printing\&. Users who have been mapped may have trouble deleting print jobs as PrintManager under WfWg will think they don\*(Aqt own the print job\&.
+.sp
+Samba versions prior to 3\&.0\&.8 would only support reading the fully qualified username (e\&.g\&.:
+DOMAIN\euser) from the username map when performing a kerberos login from a client\&. However, when looking up a map entry for a user authenticated by NTLM[SSP], only the login name would be used for matches\&. This resulted in inconsistent behavior sometimes even on the same server\&.
+.sp
+The following functionality is obeyed in version 3\&.0\&.8 and later:
+.sp
+When performing local authentication, the username map is applied to the login name before attempting to authenticate the connection\&.
+.sp
+When relying upon a external domain controller for validating authentication requests, smbd will apply the username map to the fully qualified username (i\&.e\&.
+DOMAIN\euser) only after the user has been successfully authenticated\&.
+.sp
+An example of use is:
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+username map = /usr/local/samba/lib/users\&.map
+.fi
+.if n \{\
+.RE
+.\}
+.sp
+Default:
+\fI\fIusername map\fR\fR\fI = \fR\fI # no username map\fR\fI \fR
 .RE
 
@@ -9947 +11679 @@
 This script is a mutually exclusive alternative to the
 \m[blue]\fBusername map\fR\m[]
-parameter\&. This parameter specifies and external program or script that must accept a single command line option (the username transmitted in the authentication request) and return a line line on standard output (the name to which the account should mapped)\&. In this way, it is possible to store username map tables in an LDAP or NIS directory services\&.
+parameter\&. This parameter specifies and external program or script that must accept a single command line option (the username transmitted in the authentication request) and return a line on standard output (the name to which the account should mapped)\&. In this way, it is possible to store username map tables in an LDAP or NIS directory services\&.
 .sp
 Default:
@@ -9954 +11686 @@
 Example:
 \fI\fIusername map script\fR\fR\fI = \fR\fI/etc/samba/scripts/mapusers\&.sh\fR\fI \fR
-.RE
-
-username map (G)
-.\" username map
-.PP
-.RS 4
-This option allows you to specify a file containing a mapping of usernames from the clients to the server\&. This can be used for several purposes\&. The most common is to map usernames that users use on DOS or Windows machines to those that the UNIX box uses\&. The other is to map multiple users to a single username so that they can more easily share files\&.
-.sp
-Please note that for user or share mode security, the username map is applied prior to validating the user credentials\&. Domain member servers (domain or ads) apply the username map after the user has been successfully authenticated by the domain controller and require fully qualified enties in the map table (e\&.g\&. biddle =
-DOMAIN\efoo)\&.
-.sp
-The map file is parsed line by line\&. Each line should contain a single UNIX username on the left then a \*(Aq=\*(Aq followed by a list of usernames on the right\&. The list of usernames on the right may contain names of the form @group in which case they will match any UNIX username in that group\&. The special client name \*(Aq*\*(Aq is a wildcard and matches any name\&. Each line of the map file may be up to 1023 characters long\&.
-.sp
-The file is processed on each line by taking the supplied username and comparing it with each username on the right hand side of the \*(Aq=\*(Aq signs\&. If the supplied name matches any of the names on the right hand side then it is replaced with the name on the left\&. Processing then continues with the next line\&.
-.sp
-If any line begins with a \*(Aq#\*(Aq or a \*(Aq;\*(Aq then it is ignored\&.
-.sp
-If any line begins with an \*(Aq!\*(Aq then the processing will stop after that line if a mapping was done by the line\&. Otherwise mapping continues with every line being processed\&. Using \*(Aq!\*(Aq is most useful when you have a wildcard mapping line later in the file\&.
-.sp
-For example to map from the name
-\fBadmin\fR
-or
-\fBadministrator\fR
-to the UNIX name
-\fB root\fR
-you would use:
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
-root = admin administrator
-.fi
-.if n \{\
-.RE
-.\}
-.sp
-Or to map anyone in the UNIX group
-\fBsystem\fR
-to the UNIX name
-\fBsys\fR
-you would use:
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
-sys = @system
-.fi
-.if n \{\
-.RE
-.\}
-.sp
-You can have as many mappings as you like in a username map file\&.
-.sp
-If your system supports the NIS NETGROUP option then the netgroup database is checked before the
-/etc/group
-database for matching groups\&.
-.sp
-You can map Windows usernames that have spaces in them by using double quotes around the name\&. For example:
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
-tridge = "Andrew Tridgell"
-.fi
-.if n \{\
-.RE
-.\}
-.sp
-would map the windows username "Andrew Tridgell" to the unix username "tridge"\&.
-.sp
-The following example would map mary and fred to the unix user sys, and map the rest to guest\&. Note the use of the \*(Aq!\*(Aq to tell Samba to stop processing if it gets a match on that line:
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
-!sys = mary fred
-guest = *
-.fi
-.if n \{\
-.RE
-.\}
-.sp
-Note that the remapping is applied to all occurrences of usernames\&. Thus if you connect to \e\eserver\efred and
-\fBfred\fR
-is remapped to
-\fBmary\fR
-then you will actually be connecting to \e\eserver\emary and will need to supply a password suitable for
-\fBmary\fR
-not
-\fBfred\fR\&. The only exception to this is the username passed to the
-\m[blue]\fBpassword server\fR\m[]
-(if you have one)\&. The password server will receive whatever username the client supplies without modification\&.
-.sp
-Also note that no reverse mapping is done\&. The main effect this has is with printing\&. Users who have been mapped may have trouble deleting print jobs as PrintManager under WfWg will think they don\*(Aqt own the print job\&.
-.sp
-Samba versions prior to 3\&.0\&.8 would only support reading the fully qualified username (e\&.g\&.:
-DOMAIN\euser) from the username map when performing a kerberos login from a client\&. However, when looking up a map entry for a user authenticated by NTLM[SSP], only the login name would be used for matches\&. This resulted in inconsistent behavior sometimes even on the same server\&.
-.sp
-The following functionality is obeyed in version 3\&.0\&.8 and later:
-.sp
-When performing local authentication, the username map is applied to the login name before attempting to authenticate the connection\&.
-.sp
-When relying upon a external domain controller for validating authentication requests, smbd will apply the username map to the fully qualified username (i\&.e\&.
-DOMAIN\euser) only after the user has been successfully authenticated\&.
-.sp
-An example of use is:
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
-username map = /usr/local/samba/lib/users\&.map
-.fi
-.if n \{\
-.RE
-.\}
-.sp
-Default:
-\fI\fIusername map\fR\fR\fI = \fR\fI # no username map\fR\fI \fR
-.RE
-
-user
-.\" user
-.PP
-.RS 4
-This parameter is a synonym for
-username\&.
-.RE
-
-users
-.\" users
-.PP
-.RS 4
-This parameter is a synonym for
-username\&.
-.RE
-
-username (S)
-.\" username
-.PP
-.RS 4
-Multiple users may be specified in a comma\-delimited list, in which case the supplied password will be tested against each username in turn (left to right)\&.
-.sp
-The deprecated
-\fIusername\fR
-line is needed only when the PC is unable to supply its own username\&. This is the case for the COREPLUS protocol or where your users have different WfWg usernames to UNIX usernames\&. In both these cases you may also be better using the \e\eserver\eshare%user syntax instead\&.
-.sp
-The
-\fIusername\fR
-line is not a great solution in many cases as it means Samba will try to validate the supplied password against each of the usernames in the
-\fIusername\fR
-line in turn\&. This is slow and a bad idea for lots of users in case of duplicate passwords\&. You may get timeouts or security breaches using this parameter unwisely\&.
-.sp
-Samba relies on the underlying UNIX security\&. This parameter does not restrict who can login, it just offers hints to the Samba server as to what usernames might correspond to the supplied password\&. Users can login as whoever they please and they will be able to do no more damage than if they started a telnet session\&. The daemon runs as the user that they log in as, so they cannot do anything that user cannot do\&.
-.sp
-To restrict a service to a particular set of users you can use the
-\m[blue]\fBvalid users\fR\m[]
-parameter\&.
-.sp
-If any of the usernames begin with a \*(Aq@\*(Aq then the name will be looked up first in the NIS netgroups list (if Samba is compiled with netgroup support), followed by a lookup in the UNIX groups database and will expand to a list of all users in the group of that name\&.
-.sp
-If any of the usernames begin with a \*(Aq+\*(Aq then the name will be looked up only in the UNIX groups database and will expand to a list of all users in the group of that name\&.
-.sp
-If any of the usernames begin with a \*(Aq&\*(Aq then the name will be looked up only in the NIS netgroups database (if Samba is compiled with netgroup support) and will expand to a list of all users in the netgroup group of that name\&.
-.sp
-Note that searching though a groups database can take quite some time, and some clients may time out during the search\&.
-.sp
-See the section
-NOTE ABOUT USERNAME/PASSWORD VALIDATION
-for more information on how this parameter determines access to the services\&.
-.sp
-Default:
-\fI\fIusername\fR\fR\fI = \fR\fI # The guest account if a guest service, else <empty string>\&.\fR\fI \fR
-.sp
-Example:
-\fI\fIusername\fR\fR\fI = \fR\fIfred, mary, jack, jane, @users, @pcgroup\fR\fI \fR
 .RE
 
@@ -10165 +11717 @@
 .sp
 Default:
-\fI\fIusershare owner only\fR\fR\fI = \fR\fITrue\fR\fI \fR
+\fI\fIusershare owner only\fR\fR\fI = \fR\fIyes\fR\fI \fR
 .RE
 
@@ -10172 +11724 @@
 .PP
 .RS 4
-This parameter specifies the absolute path of the directory on the filesystem used to store the user defined share definition files\&. This directory must be owned by root, and have no access for other, and be writable only by the group owner\&. In addition the "sticky" bit must also be set, restricting rename and delete to owners of a file (in the same way the /tmp directory is usually configured)\&. Members of the group owner of this directory are the users allowed to create usershares\&. If this parameter is undefined then no user defined shares are allowed\&.
+This parameter specifies the absolute path of the directory on the filesystem used to store the user defined share definition files\&. This directory must be owned by root, and have no access for other, and be writable only by the group owner\&. In addition the "sticky" bit must also be set, restricting rename and delete to owners of a file (in the same way the /tmp directory is usually configured)\&. Members of the group owner of this directory are the users allowed to create usershares\&.
 .sp
 For example, a valid usershare directory might be /usr/local/samba/lib/usershares, set up as follows\&.
-.sp
-
 .sp
 .if n \{\
@@ -10193 +11743 @@
 .sp
 Default:
-\fI\fIusershare path\fR\fR\fI = \fR\fINULL\fR\fI \fR
+\fI\fIusershare path\fR\fR\fI = \fR\fI${prefix}/var/locks/usershares\fR\fI \fR
 .RE
 
@@ -10205 +11755 @@
 .sp
 Default:
-\fI\fIusershare prefix allow list\fR\fR\fI = \fR\fINULL\fR\fI \fR
+\fI\fIusershare prefix allow list\fR\fR\fI = \fR\fI\fR\fI \fR
 .sp
 Example:
@@ -10220 +11770 @@
 .sp
 Default:
-\fI\fIusershare prefix deny list\fR\fR\fI = \fR\fINULL\fR\fI \fR
+\fI\fIusershare prefix deny list\fR\fR\fI = \fR\fI\fR\fI \fR
 .sp
 Example:
@@ -10235 +11785 @@
 .sp
 Default:
-\fI\fIusershare template share\fR\fR\fI = \fR\fINULL\fR\fI \fR
+\fI\fIusershare template share\fR\fR\fI = \fR\fI\fR\fI \fR
 .sp
 Example:
@@ -10251 +11801 @@
 .sp
 Default:
-\fI\fIuse sendfile\fR\fR\fI = \fR\fIfalse\fR\fI \fR
+\fI\fIuse sendfile\fR\fR\fI = \fR\fIno\fR\fI \fR
 .RE
 
@@ -10258 +11808 @@
 .PP
 .RS 4
-This deprecated variable controls controls whether samba will try to use Simple and Protected NEGOciation (as specified by rfc2478) with WindowsXP and Windows2000 clients to agree upon an authentication mechanism\&.
+This deprecated variable controls whether samba will try to use Simple and Protected NEGOciation (as specified by rfc2478) with WindowsXP and Windows2000 clients to agree upon an authentication mechanism\&.
 .sp
 Unless further issues are discovered with our SPNEGO implementation, there is no reason this should ever be disabled\&.
@@ -10264 +11814 @@
 Default:
 \fI\fIuse spnego\fR\fR\fI = \fR\fIyes\fR\fI \fR
+.RE
+
+utmp (G)
+.\" utmp
+.PP
+.RS 4
+This boolean parameter is only available if Samba has been configured and compiled with the option
+\-\-with\-utmp\&. If set to
+\fByes\fR
+then Samba will attempt to add utmp or utmpx records (depending on the UNIX system) whenever a connection is made to a Samba server\&. Sites may use this to record the user connecting to a Samba share\&.
+.sp
+Due to the requirements of the utmp record, we are required to create a unique identifier for the incoming user\&. Enabling this option creates an n^2 algorithm to find this number\&. This may impede performance on large installations\&.
+.sp
+Default:
+\fI\fIutmp\fR\fR\fI = \fR\fIno\fR\fI \fR
 .RE
 
@@ -10282 +11847 @@
 .RE
 
-utmp (G)
-.\" utmp
-.PP
-.RS 4
-This boolean parameter is only available if Samba has been configured and compiled with the option
-\-\-with\-utmp\&. If set to
-\fByes\fR
-then Samba will attempt to add utmp or utmpx records (depending on the UNIX system) whenever a connection is made to a Samba server\&. Sites may use this to record the user connecting to a Samba share\&.
-.sp
-Due to the requirements of the utmp record, we are required to create a unique identifier for the incoming user\&. Enabling this option creates an n^2 algorithm to find this number\&. This may impede performance on large installations\&.
-.sp
-Default:
-\fI\fIutmp\fR\fR\fI = \fR\fIno\fR\fI \fR
+\-valid (S)
+.\" -valid
+.PP
+.RS 4
+This parameter indicates whether a share is valid and thus can be used\&. When this parameter is set to false, the share will be in no way visible nor accessible\&.
+.sp
+This option should not be used by regular users but might be of help to developers\&. Samba uses this option internally to mark shares as deleted\&.
+.sp
+Default:
+\fI\fI\-valid\fR\fR\fI = \fR\fIyes\fR\fI \fR
 .RE
 
@@ -10312 +11874 @@
 \fI%S\fR\&. This is useful in the [homes] section\&.
 .sp
+\fINote: \fRWhen used in the [global] section this parameter may have unwanted side effects\&. For example: If samba is configured as a MASTER BROWSER (see
+\fIlocal master\fR,
+\fIos level\fR,
+\fIdomain master\fR,
+\fIpreferred master\fR) this option will prevent workstations from being able to browse the network\&.
+.sp
 Default:
 \fI\fIvalid users\fR\fR\fI = \fR\fI # No valid users list (anyone can login) \fR\fI \fR
@@ -10317 +11885 @@
 Example:
 \fI\fIvalid users\fR\fR\fI = \fR\fIgreg, @pcusers\fR\fI \fR
-.RE
-
-\-valid (S)
-.\" -valid
-.PP
-.RS 4
-This parameter indicates whether a share is valid and thus can be used\&. When this parameter is set to false, the share will be in no way visible nor accessible\&.
-.sp
-This option should not be used by regular users but might be of help to developers\&. Samba uses this option internally to mark shares as deleted\&.
-.sp
-Default:
-\fI\fI\-valid\fR\fR\fI = \fR\fIyes\fR\fI \fR
 .RE
 
@@ -10374 +11930 @@
 .sp
 Default:
-\fI\fIveto files\fR\fR\fI = \fR\fINo files or directories are vetoed\&.\fR\fI \fR
+\fI\fIveto files\fR\fR\fI = \fR\fI # No files or directories are vetoed\fR\fI \fR
 .RE
 
@@ -10437 +11993 @@
 .RE
 
+web port (G)
+.\" web port
+.PP
+.RS 4
+Specifies which port the Samba web server should listen on\&.
+.sp
+Default:
+\fI\fIweb port\fR\fR\fI = \fR\fI901\fR\fI \fR
+.sp
+Example:
+\fI\fIweb port\fR\fR\fI = \fR\fI80\fR\fI \fR
+.RE
+
 wide links (S)
 .\" wide links
@@ -10469 +12038 @@
 Default:
 \fI\fIwinbind cache time\fR\fR\fI = \fR\fI300\fR\fI \fR
+.RE
+
+winbindd privileged socket directory (G)
+.\" winbindd privileged socket directory
+.PP
+.RS 4
+This setting controls the location of the winbind daemon\*(Aqs privileged socket\&.
+.sp
+Default:
+\fI\fIwinbindd privileged socket directory\fR\fR\fI = \fR\fI${prefix}/var/lib/winbindd_privileged\fR\fI \fR
+.RE
+
+winbindd socket directory (G)
+.\" winbindd socket directory
+.PP
+.RS 4
+This setting controls the location of the winbind daemon\*(Aqs socket\&.
+.sp
+Except within automated test scripts, this should not be altered, as the client tools (nss_winbind etc) do not honour this parameter\&. Client tools must then be advised of the altered path with the WINBINDD_SOCKET_DIR environment varaible\&.
+.sp
+Default:
+\fI\fIwinbindd socket directory\fR\fR\fI = \fR\fI${prefix}/var/run/winbindd\fR\fI \fR
 .RE
 
@@ -10553 +12144 @@
 Be aware that a high value for this parameter can result in system slowdown as the main parent winbindd daemon must perform the group unrolling and will be unable to answer incoming NSS or authentication requests during this time\&.
 .sp
-Default:
-\fI\fIwinbind expand groups\fR\fR\fI = \fR\fI1\fR\fI \fR
+The default value was changed from 1 to 0 with Samba 4\&.2\&. Some broken applications calculate the group memberships of users by traversing groups, such applications will require "winbind expand groups = 1"\&. But the new default makes winbindd more reliable as it doesn\*(Aqt require SAMR access to domain controllers of trusted domains\&.
+.sp
+Default:
+\fI\fIwinbind expand groups\fR\fR\fI = \fR\fI0\fR\fI \fR
 .RE
 
@@ -10563 +12156 @@
 This parameter specifies the maximum number of clients the
 \fBwinbindd\fR(8)
-daemon can connect with\&.
+daemon can connect with\&. The parameter is not a hard limit\&. The
+\fBwinbindd\fR(8)
+daemon configures itself to be able to accept at least that many connections, and if the limit is reached, an attempt is made to disconnect idle clients\&.
 .sp
 Default:
@@ -10605 +12200 @@
 This parameter controls whether winbindd will replace whitespace in user and group names with an underscore (_) character\&. For example, whether the name "Space Kadet" should be replaced with the string "space_kadet"\&. Frequently Unix shell scripts will have difficulty with usernames contains whitespace due to the default field separator in the shell\&. If your domain possesses names containing the underscore character, this option may cause problems unless the name aliasing feature is supported by your nss_info plugin\&.
 .sp
-This feature also enables the name aliasing API which can be used to make domain user and group names to a non\-qualified version\&. Please refer to the manpage for the configured idmap and nss_info plugin for the specifics on how to configure name aliasing for a specific configuration\&. Name aliasing takes precedence (and is mutually exclusive) over the whitespace replacement mechanism discussed previsouly\&.
+This feature also enables the name aliasing API which can be used to make domain user and group names to a non\-qualified version\&. Please refer to the manpage for the configured idmap and nss_info plugin for the specifics on how to configure name aliasing for a specific configuration\&. Name aliasing takes precedence (and is mutually exclusive) over the whitespace replacement mechanism discussed previously\&.
 .sp
 Default:
@@ -10643 +12238 @@
 .IP \(bu 2.3
 .\}
-\fI<sfu | rfc2307 >\fR
-\- When Samba is running in security = ads and your Active Directory Domain Controller does support the Microsoft "Services for Unix" (SFU) LDAP schema, winbind can retrieve the login shell and the home directory attributes directly from your Directory Server\&. Note that retrieving UID and GID from your ADS\-Server requires to use
+\fI<sfu | sfu20 | rfc2307 >\fR
+\- When Samba is running in security = ads and your Active Directory Domain Controller does support the Microsoft "Services for Unix" (SFU) LDAP schema, winbind can retrieve the login shell and the home directory attributes directly from your Directory Server\&. For SFU 3\&.0 or 3\&.5 simply choose "sfu", if you use SFU 2\&.0 please choose "sfu20"\&. Note that retrieving UID and GID from your ADS\-Server requires to use
 \fIidmap config DOMAIN:backend\fR
-= ad as well\&.
+= ad as well\&. The primary group membership is currently always calculated via the "primaryGroupID" LDAP attribute\&.
 .RE
 .sp
@@ -10662 +12257 @@
 .PP
 .RS 4
-This parameter is designed to control whether Winbind should allow to login with the
+This parameter is designed to control whether Winbind should allow one to login with the
 \fIpam_winbind\fR
 module using Cached Credentials\&. If enabled, winbindd will store user credentials from successful logins encrypted in a local cache\&.
 .sp
 Default:
-\fI\fIwinbind offline logon\fR\fR\fI = \fR\fIfalse\fR\fI \fR
-.sp
-Example:
-\fI\fIwinbind offline logon\fR\fR\fI = \fR\fItrue\fR\fI \fR
+\fI\fIwinbind offline logon\fR\fR\fI = \fR\fIno\fR\fI \fR
+.sp
+Example:
+\fI\fIwinbind offline logon\fR\fR\fI = \fR\fIyes\fR\fI \fR
 .RE
 
@@ -10694 +12289 @@
 .sp
 Default:
-\fI\fIwinbind refresh tickets\fR\fR\fI = \fR\fIfalse\fR\fI \fR
-.sp
-Example:
-\fI\fIwinbind refresh tickets\fR\fR\fI = \fR\fItrue\fR\fI \fR
+\fI\fIwinbind refresh tickets\fR\fR\fI = \fR\fIno\fR\fI \fR
+.sp
+Example:
+\fI\fIwinbind refresh tickets\fR\fR\fI = \fR\fIyes\fR\fI \fR
+.RE
+
+winbind request timeout (G)
+.\" winbind request timeout
+.PP
+.RS 4
+This parameter specifies the number of seconds the
+\fBwinbindd\fR(8)
+daemon will wait before disconnecting either a client connection with no outstanding requests (idle) or a client connection with a request that has remained outstanding (hung) for longer than this number of seconds\&.
+.sp
+Default:
+\fI\fIwinbind request timeout\fR\fR\fI = \fR\fI60\fR\fI \fR
 .RE
 
@@ -10710 +12317 @@
 Default:
 \fI\fIwinbind rpc only\fR\fR\fI = \fR\fIno\fR\fI \fR
+.RE
+
+winbind sealed pipes (G)
+.\" winbind sealed pipes
+.PP
+.RS 4
+This option controls whether any requests from winbindd to domain controllers pipe will be sealed\&. Disabling sealing can be useful for debugging purposes\&.
+.sp
+The behavior can be controlled per netbios domain by using \*(Aqwinbind sealed pipes:NETBIOSDOMAIN = no\*(Aq as option\&.
+.sp
+Default:
+\fI\fIwinbind sealed pipes\fR\fR\fI = \fR\fIyes\fR\fI \fR
 .RE
 
@@ -10726 +12345 @@
 .sp
 Default:
-\fI\fIwinbind separator\fR\fR\fI = \fR\fI\*(Aq\e\*(Aq\fR\fI \fR
+\fI\fIwinbind separator\fR\fR\fI = \fR\fI\e\fR\fI \fR
 .sp
 Example:
@@ -10933 +12552 @@
 .RE
 
+write ok
+.\" write ok
+.PP
+.RS 4
+This parameter is a synonym for
+writeable\&.
+.RE
+
 writeable (S)
 .\" writeable
@@ -10956 +12583 @@
 The integer parameter specifies the size of this cache (per oplocked file) in bytes\&.
 .sp
+Note that the write cache won\*(Aqt be used for file handles with a smb2 write lease\&.
+.sp
 Default:
 \fI\fIwrite cache size\fR\fR\fI = \fR\fI0\fR\fI \fR
@@ -10973 +12602 @@
 Note that if a user is in both the read list and the write list then they will be given write access\&.
 .sp
-By design, this parameter will not work with the
-\m[blue]\fBsecurity = share\fR\m[]
-in Samba 3\&.0\&.
-.sp
 Default:
 \fI\fIwrite list\fR\fR\fI = \fR\fI\fR\fI \fR
@@ -10988 +12613 @@
 .PP
 .RS 4
-This parameter controls whether or not the server will support raw write SMB\*(Aqs when transferring data from clients\&. You should never need to change this parameter\&.
+This is ignored if
+\m[blue]\fBasync smb echo handler\fR\m[]
+is set, because this feature is incompatible with raw write SMB requests
+.sp
+If enabled, raw writes allow writes of 65535 bytes in one packet\&. This typically provides a major performance benefit for some very, very old clients\&.
+.sp
+However, some clients either negotiate the allowable block size incorrectly or are incapable of supporting larger block sizes, and for these clients you may need to disable raw writes\&.
+.sp
+In general this parameter should be viewed as a system tuning tool and left severely alone\&.
 .sp
 Default:
@@ -11026 +12659 @@
 .SH "VERSION"
 .PP
-This man page is correct for version 3 of the Samba suite\&.
+This man page is correct for version 4 of the Samba suite\&.
 .SH "SEE ALSO"
 .PP
-
 \fBsamba\fR(7),
 \fBsmbpasswd\fR(8),
-\fBswat\fR(8),
 \fBsmbd\fR(8),
 \fBnmbd\fR(8),
+\fBwinbindd\fR(8),
+\fBsamba\fR(8),
+\fBsamba-tool\fR(8),
 \fBsmbclient\fR(1),
 \fBnmblookup\fR(1),
-\fBtestparm\fR(1),
-\fBtestprns\fR(1)\&.
+\fBtestparm\fR(1)\&.
 .SH "AUTHOR"
 .PP