KSMBD.CONF(5) File Formats and Conventions KSMBD.CONF(5)

NAME

ksmbd.conf - the configuration file for ksmbd.mountd

DESCRIPTION

ksmbd.conf is the configuration file for the ksmbd.mountd(8) user mode daemon. ksmbd.addshare(8) may be used for configuring shares in ksmbd.conf. ksmbd.addshare modifies ksmbd.conf such that its existing formatting is not retained. ksmbd.addshare notifies ksmbd.mountd of changes, if it has made any, by sending the SIGHUP signal to ksmbd.mountd. ksmbd.control --reload can be used for notifying ksmbd.mountd of changes when not using ksmbd.addshare. ksmbd.conf is expected to be at /etc/ksmbd/ksmbd.conf by default. A configuration file that may serve as an example can be found at /etc/ksmbd/ksmbd.conf.example.

FILE FORMAT

ksmbd.conf consists of sections with each new section marking the end of the previous one. A new section begins with the section name enclosed in brackets ([]) followed by a newline. Each section may contain parameter entries separated by newlines. A parameter entry consists of a parameter and a value, in that order, separated by an equal sign (=). The parameter may contain leading and trailing tabs and spaces. The value, which begins immediately after the equal sign, may contain leading tabs and spaces or be empty. Some parameter entries can be given a list of multiple values, in which case the values are separated by commas, tabs, or spaces. For a list of users, all users in a system group can be specified by giving the group name prefixed with an at sign (@). A semicolon (;) or a hash (#) marks the beginning of a comment which continues until the end of the line.

SHARES

Each section name, except that of the global section, defines a shared resource, commonly referred to as a share. A section name, which is the share name, must be UTF-8, [1, 64) bytes, and is case-insensitive. Users that may be allowed to connect to a share are those that have user entries in the ksmbdpwd.db(5) user database. A share may limit which users are allowed to connect to it. When connected to a share, the user is mapped to a system user and underlying filesystem permissions are enforced. By default, this mapping is done by name, but it may also be done by mapping all users connected to the share to a single system user and group. When connecting as a user not in the user database, only guest sessions may work.

PARAMETERS

Share parameters, marked below with (S), may be specified in any section. When a share parameter is specified in a section other than global, it is specific to that particular share. Under the global section, a share parameter sets its default value for all shares. Global parameters, marked below with (G), can only be given in the global section and control functionality that applies to no specific share. Changes to global parameters apply only after restarting ksmbd.mountd and ksmbd.
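The following is an added example, not code from ksmbd-tools: it parses the file format described under FILE FORMAT, resolves each share's effective value (share section, then global section, then the default listed on this page), and reports two settings a reviewer would check. The names SAMPLE, DEFAULTS, parse and audit are made up for the example, and it assumes that boolean values are written yes or no and that trailing whitespace in a value is not significant.

```python
import re

# Constructed sample file, not taken from a real system.
SAMPLE = """\
; constructed example
[global]
    server signing = auto
    read only = no        # share parameter: default for all shares
[Public]
    path = /srv/public
    guest ok = yes
[Backup]
    path = /srv/backup
    writeable = no
    guest ok = yes
"""
# Defaults as listed on this page.
DEFAULTS = {"guest ok": "no", "read only": "yes", "server signing": "disabled"}

def parse(text):
    """Return {section: {parameter: value}}; section names are lower-cased."""
    conf, cur = {}, None
    for raw in text.splitlines():
        # Drop the comment; trimming trailing whitespace is an assumption.
        line = re.split(r"[;#]", raw, maxsplit=1)[0].strip(" \t")
        if line.startswith("[") and line.endswith("]"):
            cur = conf.setdefault(line[1:-1].lower(), {})
        elif "=" in line and cur is not None:
            key, val = (s.strip(" \t") for s in line.split("=", 1))
            if key == "writeable":          # inverted synonym for read only
                key, val = "read only", "no" if val == "yes" else "yes"
            cur[key] = val
    return conf

def audit(text):
    """List findings after resolving share -> [global] -> page default."""
    conf = parse(text)
    glob = {**DEFAULTS, **conf.pop("global", {})}
    found = []
    if glob["server signing"] != "mandatory":
        found.append("global: SMB2 signing is not required")
    for name, params in conf.items():
        eff = {**glob, **params}
        if eff["guest ok"] == "yes" and eff["read only"] == "no":
            found.append(f"{name}: passwordless guest access to a writable share")
    return found

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

The Backup share is not reported because its own writeable = no overrides the read only = no default set in the global section.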

Only bind to interfaces specified with interfaces.

Default: bind interfaces only = no

Share is seen in the list of available shares in a net view and in the browse list.

Default: browseable = yes

Comment string to associate with the share.

Default: comment =

Octal bitmask that gets bitwise ANDed with DOS-to-UNIX-mapped permissions when creating a file.

Default: create mask = 0744

Number of minutes of inactivity before a connection is considered dead and is then terminated. The connection is not terminated if it has any open files. With deadtime = 0, no connection is considered dead due to inactivity.

Default: deadtime = 0

Octal bitmask that gets bitwise ANDed with DOS-to-UNIX-mapped permissions when creating a directory.

Default: directory mask = 0755

Octal bitmask that gets bitwise ORed after the bitmask specified with create mask is applied.

Default: force create mode = 0000

Octal bitmask that gets bitwise ORed after the bitmask specified with directory mask is applied.

Default: force directory mode = 0000

System group that all users connected to the share should be mapped to.

Default: force group =

System user that all users connected to the share should be mapped to.

Default: force user =

User that does not require a password when connecting to any share with guest ok = yes specified. When connecting to such a share with the user left empty, the parameter determines what system user to map to.

Default: guest account = nobody

User that does not require a password when connecting to the share with guest ok = yes specified.

Default: guest account =

Allow passwordless connections to the share as the user specified with guest account and with the user left empty.

Default: guest ok = no

Files starting with a dot appear as hidden files.

Default: hide dot files = yes

Ownership for new files and directories should be controlled by the ownership of the parent directory.

Default: inherit owner = no

List of the interfaces that should be listened to when bind interfaces only = yes is specified.

Default: interfaces =

List of the users that should be disallowed to connect to the share. A user being in the list has precedence over it being in valid users. With invalid users = , no user is disallowed.

Default: invalid users =

Number of seconds user space has time to reply to a heartbeat frame. If exceeded, all sessions and TCP connections will be closed. With ipc timeout = 0, user space can reply whenever.

Default: ipc timeout = 0

Path of the keytab file for the service principal. If no value is given, it is the default keytab resolved with krb5_kt_default(3).

Default: kerberos keytab file =

Service principal name. If no value is given, it is cifs/ followed by the FQDN resolved with getaddrinfo(3).

Default: kerberos service name =

When to map a user to the user specified with guest account. With map to guest = bad user, map when the user does not exist.

Default: map to guest = never

Maximum number of simultaneous sessions to all shares.

Default: max active sessions = 1024

Maximum number of simultaneous connections to the share. The maximum value is 64k. Values greater than 64k or 0 will be silently set to 64k.

Default: max connections = 128

Maximum number of simultaneous open files for a client.

Default: max open files = 10000

NetBIOS name.

Default: netbios name = KSMBD SERVER

Issue oplocks to file open requests on the share.

Default: oplocks = yes

Path of the directory users connected to the share are given access to.

Default: path =

List of the users that should be allowed read-only access to the share. A user being in the list has precedence over read only = no or it being in write list.

Default: read list =

Inverted synonym for writeable.

Default: read only = yes

How to restrict connections to any share as the user specified with guest account. With restrict anonymous = 1 or restrict anonymous = 2, disallow connections to the IPC$ share and any share that specifies guest ok = no.

Default: restrict anonymous = 0

Path of the directory prepended to path of every share. Somewhat similar to chroot(2).

Default: root directory =

Maximum protocol version supported.

Default: server max protocol = SMB3_11

Minimum protocol version supported.

Default: server min protocol = SMB2_10

Use of SMB3 multi-channel is supported. SMB3 multi-channel support is experimental and may corrupt data under race conditions.

Default: server multi channel support = no

Client is allowed or required to use SMB2 signing. With server signing = disabled or server signing = auto, SMB2 signing is allowed if it is required by the client. With server signing = mandatory, SMB2 signing is required.

Default: server signing = disabled

String that will appear in browse lists next to the machine name.

Default: server string = SMB SERVER

Decimal bitmask that gets bitwise ORed with the filesystem capability flags so as to fake them. With share:fake_fscaps = 64, the FILE_SUPPORTS_SPARSE_FILES flag is set.

Default: share:fake_fscaps = 64

Negotiate SMB2 leases on file open requests.

Default: smb2 leases = no

Maximum number of outstanding simultaneous SMB2 operations.

Default: smb2 max credits = 8192

Maximum length that may be used in a SMB2 READ request sent by a client.

Default: smb2 max read = 4MB

Maximum buffer size that may be used by a client in a sent SET_INFO request or a received QUERY_INFO, QUERY_DIRECTORY, or CHANGE_NOTIFY response.

Default: smb2 max trans = 1MB

Maximum length that may be used in a SMB2 WRITE request sent by a client.

Default: smb2 max write = 4MB

Client is disallowed, allowed, or required to use SMB3 encryption. With smb3 encryption = disabled, SMB3 encryption is disallowed even if it is requested by the client. With smb3 encryption = auto, SMB3 encryption is allowed if it is requested by the client. With smb3 encryption = mandatory, SMB3 encryption is required, i.e. clients that do not support encryption will be denied access to the share.

Default: smb3 encryption = auto

Maximum read/write size of SMB-Direct.

Default: smbd max io size = 8MB

Store DOS attributes using xattr and then use them in the DOS-to-UNIX-mapping of permissions.

Default: store dos attributes = yes

TCP port that should be listened to.

Default: tcp port = 445

List of the users that should be allowed to connect to the share. With valid users = , all users are allowed.

Default: valid users =

Files and directories that should be made invisible and inaccessible. Files and directories are specified between forward slashes (/), e.g. veto files = /foo/bar/ to make files and directories named foo and bar invisible and inaccessible. An asterisk (*) and a question mark (?) may be used for matching any number of characters and a character, respectively.

Default: veto files =

List of the VFS modules to overload I/O operations with. Available VFS modules are acl_xattr and streams_xattr.

Default: vfs objects =

Workgroup the server will appear to be in when queried by clients.

Default: workgroup = WORKGROUP

List of the users that should be allowed read-write access to the share. A user being in the list has precedence over read only = yes.

Default: write list =

Synonym for writeable.
Inverted synonym for read only.

Default: writeable = no
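The precedence rules stated for invalid users, valid users, read list, write list and read only can be modelled as one decision function. This is an added example that follows the wording of this page, not ksmbd's own code; the names members and access are made up, system group membership is passed in as a constructed mapping, and guest sessions and filesystem permissions are not modelled.

```python
import re

def members(value, groups):
    """Expand a user list; '@name' stands for every user in system group 'name'."""
    users = set()
    for item in filter(None, re.split(r"[,\t ]+", value)):
        if item.startswith("@"):
            users |= set(groups.get(item[1:], ()))
        else:
            users.add(item)
    return users

def access(user, share, groups):
    """Return 'denied', 'read-only' or 'read-write' for user on share."""
    get = lambda key: members(share.get(key, ""), groups)
    if user in get("invalid users"):
        return "denied"            # has precedence over valid users
    valid = get("valid users")
    if valid and user not in valid:
        return "denied"            # an empty valid users list allows everyone
    if user in get("read list"):
        return "read-only"         # has precedence over read only = no and write list
    if user in get("write list"):
        return "read-write"        # has precedence over read only = yes
    return "read-only" if share.get("read only", "yes") == "yes" else "read-write"

# Constructed sample data.
GROUPS = {"staff": ["alice", "bob"]}
SHARE = {
    "valid users": "@staff carol",
    "invalid users": "bob",
    "read list": "carol",
    "write list": "alice, carol",
    "read only": "yes",
}

if __name__ == "__main__":
    for name in ("alice", "bob", "carol", "dave"):
        print(name, access(name, SHARE, GROUPS))
```

Whatever this returns, the mapped system user's filesystem permissions are still enforced, as described under SHARES.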

COPYRIGHT

Copyright © 2015-2022 ksmbd-tools contributors. License GPLv2: GNU GPL version 2 <https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html>.
This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law.

REPORTING BUGS

For bug reports, use the issue tracker at https://github.com/cifsd-team/ksmbd-tools/issues.

SEE ALSO

ksmbd.addshare(8), ksmbd.adduser(8), ksmbd.mountd(8)
ksmbd-tools 3.4.8