Provided by: ksmbd-tools_3.5.3-1_amd64

NAME

       ksmbd.conf - the configuration file for ksmbd.mountd

DESCRIPTION

       ksmbd.conf is the configuration file for the ksmbd.mountd(8) user mode daemon.  ksmbd.addshare(8) can be used
       for  configuring  shares  for  ksmbd.conf.   ksmbd.addshare  modifies  ksmbd.conf  such that its existing
       formatting is not retained.  ksmbd.addshare notifies ksmbd.mountd of changes, if  it  had  made  any,  by
       sending  the  SIGHUP  signal  to  ksmbd.mountd.   Changes  made  with  ksmbd.addshare  will never require
       restarting ksmbd.mountd and ksmbd to take effect.  ksmbd.control  --reload  can  be  used  for  notifying
       ksmbd.mountd   of   changes   when   not   using   ksmbd.addshare.   ksmbd.conf  is  expected  to  be  at
       /etc/ksmbd/ksmbd.conf by default.  A configuration file that may serve as an  example  can  be  found  at
       /etc/ksmbd/ksmbd.conf.example.

FILE FORMAT

       ksmbd.conf  consists  of sections (i.e. groups) with each section marking the end of the previous one.  A
       section begins with the section name enclosed in brackets ([]) followed by  a  newline.   A  section  may
       contain  parameters  separated  by newlines.  A parameter consists of a name (i.e. a key) and a value, in
       that order, separated by an equal sign (=).  A name may contain leading and trailing tabs and spaces.   A
       value, which begins immediately after the equal sign, may contain leading tabs and spaces or be empty.  A
       value may be a list of multiple values separated by commas, tabs, and spaces.  In a list of users, all
       users in a system group can be named by prefixing the group name with an at sign (@).  A value may have a
       number suffix, which is either K, M, G, T, P, or E.  A semicolon (;) or a hash (#) marks the beginning of
       a  comment  which  continues  until  the  end  of the line.  If a section has the same name as a previous
       section, it is a continuation of that previous section, i.e. they are  the  same  section.   A  duplicate
       parameter in a section has its value updated only if its previous value was empty.
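
       The rules above, written out as a small parser. This is an added example, not code from ksmbd-tools.
       It assumes that number suffixes are binary multiples (K = 1024), that trailing whitespace in a value is
       dropped, and that parameter names are compared exactly as written; the sample input is constructed.

```python
import re

# Assumption: suffixes are binary multiples (K = 1024); the page lists only the letters.
SUFFIX = {s: 1024 ** (i + 1) for i, s in enumerate("KMGTPE")}

def parse_ksmbd_conf(text):
    """Return {section: {name: value}} following the FILE FORMAT rules above."""
    conf, current = {}, None
    for raw in text.splitlines():
        line = re.split(r"[;#]", raw, maxsplit=1)[0]  # comment runs to end of line
        stripped = line.strip(" \t")
        if stripped.startswith("[") and stripped.endswith("]"):
            # A repeated name continues the earlier section; lower() models the
            # case-insensitive section names.
            current = conf.setdefault(stripped[1:-1].lower(), {})
        elif "=" in line and current is not None:
            name, value = (part.strip(" \t") for part in line.split("=", 1))
            if not current.get(name):  # a duplicate only fills an empty value
                current[name] = value
    return conf

def split_list(value):
    """Split a list value on commas, tabs and spaces."""
    return [item for item in re.split(r"[,\t ]+", value) if item]

def parse_number(value):
    """Parse a number with an optional K/M/G/T/P/E suffix."""
    digits, suffix = re.match(r"(\d+)([KMGTPE]?)", value).groups()
    return int(digits) * SUFFIX.get(suffix, 1)

# Constructed sample, not taken from a real server.
SAMPLE = """\
[global]
    server signing = mandatory   ; trailing comment is dropped
    smb2 max read = 4M
[Docs]
    path = /srv/docs
    valid users =
[docs]                           # continuation of [Docs]
    valid users = alice, @staff bob
    path = /srv/other            # ignored: path already has a value
"""

if __name__ == "__main__":
    for section, params in parse_ksmbd_conf(SAMPLE).items():
        print(section, params)
```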

SHARES

       Each  section name, except that of the global section, defines a shared resource, commonly referred to as
       a share.  A section name, which is the share name, must be UTF-8, [1, 64) bytes, and is case-insensitive.
       Users that may be allowed to connect to a share are those that are present in the ksmbdpwd.db(5) user
       database.  A share may limit which users are allowed to connect to it.  When connected to a share, the
       user is mapped to a system user and underlying filesystem permissions are  enforced.   By  default,  this
       mapping  is done by name, but it may also be done by mapping all users connected to the share to a single
       system user and group.  When connecting as a user not in the user database, only guest sessions may work.

PARAMETERS

       Share parameters, marked below with (S), can be given in any section.  When a share parameter is given in
       a section other than global, it is specific to that particular share.  Under the global section, a  share
       parameter  sets  its default value for all shares.  Global parameters, marked below with (G), can only be
       given in the global section and control functionality that applies to  the  server.   Changes  to  global
       parameters apply only after restarting ksmbd.mountd and ksmbd.
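
       Because a share parameter in the global section becomes the default for every share, a review has to
       look at effective values rather than at each section alone. The following added example (not part of
       ksmbd-tools) resolves share value, then global value, then the built-in default from this page, and
       lists settings that leave sessions passwordless, unsigned or unencrypted. The input dictionaries are
       constructed, and an empty value is assumed to mean "not set".

```python
# Built-in defaults copied from this page (only the parameters checked below).
DEFAULTS = {"guest ok": "no", "server signing": "disabled",
            "smb3 encryption": "auto", "map to guest": "never"}

def effective(conf, share, name):
    """Value from the share section, else [global], else the built-in default."""
    for section in (conf.get(share, {}), conf.get("global", {})):
        if section.get(name):          # assumption: an empty value means "not set"
            return section[name]
    return DEFAULTS[name]

def audit(conf):
    """List settings that leave sessions passwordless, unsigned or unencrypted."""
    findings = []
    if effective(conf, "global", "server signing") != "mandatory":
        findings.append("global: SMB2 signing is not required")
    if effective(conf, "global", "smb3 encryption") != "mandatory":
        findings.append("global: SMB3 encryption is not required")
    if effective(conf, "global", "map to guest") == "bad user":
        findings.append("global: unknown users are mapped to the guest account")
    for share in conf:
        # guest ok = yes under [global] applies to every share that does not override it.
        if share != "global" and effective(conf, share, "guest ok") == "yes":
            findings.append(f"{share}: passwordless guest connections allowed")
    return findings

# Constructed inputs in the shape {section: {name: value}}.
WEAK = {"global": {"guest ok": "yes", "map to guest": "bad user"},
        "public": {"path": "/srv/public"},
        "finance": {"path": "/srv/finance", "guest ok": "no"}}
HARDENED = {"global": {"server signing": "mandatory",
                       "smb3 encryption": "mandatory"},
            "finance": {"path": "/srv/finance", "valid users": "@finance"}}

if __name__ == "__main__":
    for name, conf in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(conf))
```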

       bind interfaces only (G)
              Only bind to interfaces given with interfaces.

              Default: bind interfaces only = no

       browseable (S)
              Share is seen in a net view and in the browse list.

              Default: browseable = yes

       comment (S)
              Description of the share as seen in a net view and in the browse list.

              Default: comment =

       create mask (S)
              Octal bitmask that gets bitwise ANDed with DOS-to-UNIX-mapped permissions when creating a file.

              Default: create mask = 0744

       crossmnt (S)
              Allow path lookup to cross a mountpoint to the root of a different filesystem.

              Default: crossmnt = yes

       deadtime (G)
              Number  of  minutes  of  inactivity before a connection is considered dead and is then terminated.
              The connection is not terminated if it has any open files.  With deadtime = 0,  no  connection  is
              considered dead due to inactivity.

              Default: deadtime = 0

       directory mask (S)
              Octal  bitmask  that  gets  bitwise  ANDed  with  DOS-to-UNIX-mapped  permissions  when creating a
              directory.

              Default: directory mask = 0755

       durable handles (G)
              Can grant SMB2 durable file handles on a share.

              Default: durable handles = no

       force create mode (S)
              Octal bitmask that gets bitwise ORed after the bitmask given with create mask is applied.

              Default: force create mode = 0000

       force directory mode (S)
              Octal bitmask that gets bitwise ORed after the bitmask given with directory mask is applied.

              Default: force directory mode = 0000

       force group (S)
              System group that all users connected to the share are mapped to.

              Default: force group =

       force user (S)
              System user that all users connected to the share are mapped to.  With force  group  =  ,  primary
              group of the system user is the respective system group.

              Default: force user =

       guest account (G)
              User  that  does  not  require  a password when connecting to any share with guest ok = yes.  When
              connecting to such a share with the user left empty, the parameter determines what system user  to
              map to.

              Default: guest account = nobody

       guest account (S)
              User that does not require a password when connecting to the share with guest ok = yes given.

              Default: guest account =

       guest ok (S)
              Allow passwordless connections to the share as the user given with guest account and with the user
              left empty.

              Default: guest ok = no

       hide dot files (S)
              Files starting with a dot appear as hidden files.

              Default: hide dot files = yes

       inherit owner (S)
              Ownership for new files and directories is controlled by the ownership of the parent directory.

              Default: inherit owner = no

       interfaces (G)
              List of the interfaces that are listened to with bind interfaces only = yes given.

              Default: interfaces =

       invalid users (S)
              List  of  the  users  that  are  disallowed to connect to the share.  A user being in the list has
              precedence over it being in valid users.  With invalid users = , no user is disallowed.

              Default: invalid users =

       ipc timeout (G)
              Number of seconds user space has time to reply to a heartbeat frame.  If  exceeded,  all  sessions
              and TCP connections will be closed.  With ipc timeout = 0, user space can reply whenever.

              Default: ipc timeout = 0

       kerberos keytab file (G)
              Path of the keytab file for the service principal.  If no value is given, it is the default keytab
              resolved with krb5_kt_default(3).

              Default: kerberos keytab file =

       kerberos service name (G)
              Service  principal  name.   If  no  value is given, it is cifs/ followed by the FQDN resolved with
              getaddrinfo(3).

              Default: kerberos service name =

       kerberos support (G)
              Support for Kerberos 5 authentication.  For the parameter to take  effect,  ksmbd.mountd  must  be
              built against Kerberos 5.

              Default: kerberos support = no

       map to guest (G)
              When  to  map a user to the user given with guest account.  With map to guest = bad user, map when
              the user does not exist.

              Default: map to guest = never

       max active sessions (G)
              Maximum number of simultaneous sessions to all shares.

              Default: max active sessions = 1024

       max connections (G)
              Maximum number of simultaneous connections to the server.  With max connections  =  0,  the  value
              will be set to the maximum allowed number of 65536.  Number suffixes are allowed.

              Default: max connections = 128

       max connections (S)
              Maximum number of simultaneous connections to the share.  With max connections = 0, the value will
              be set to the maximum allowed number of 65536.  Number suffixes are allowed.

              Default: max connections = 128

       max open files (G)
              Maximum number of simultaneous open files for a client.

              Default: max open files = 10000

       netbios name (G)
              NetBIOS name.

              Default: netbios name = KSMBD SERVER

       oplocks (S)
              Issue oplocks to file open requests on the share.

              Default: oplocks = yes

       path (S)
              Path of the directory users connected to the share are given access to.

              Default: path =

       read list (S)
              List  of  the  users that are allowed read-only access to the share.  A user being in the list has
              precedence over read only = no or it being in write list.

              Default: read list =

       read only (S)
              Users are allowed read-only access to the share.  With read only = no, the effect is the  same  as
              with writable = yes.  The parameter has precedence over writable, writeable, and write ok.

              Default: read only = ; yes

       restrict anonymous (G)
              How  to  restrict  connections  to  any share as the user given with guest account.  With restrict
              anonymous = 1 or restrict anonymous = 2, disallow connections to the IPC$ share and any share that
              gives guest ok = no.

              Default: restrict anonymous = 0

       root directory (G)
              Path of the directory prepended to path of every share.  Somewhat similar to chroot(2).

              Default: root directory =

       server max protocol (G)
              Maximum protocol version supported.

              Default: server max protocol = SMB3_11

       server min protocol (G)
              Minimum protocol version supported.

              Default: server min protocol = SMB2_10

       server multi channel support (G)
              Use of SMB3 multi-channel is supported.   SMB3  multi-channel  support  is  experimental  and  may
              corrupt data under race conditions.

              Default: server multi channel support = no

       server signing (G)
              Client  is  allowed  or  required  to  use SMB2 signing.  With server signing = disabled or server
              signing = auto, SMB2 signing is allowed if it is requested by the client.  With server  signing  =
              mandatory, SMB2 signing is required.

              Default: server signing = disabled

       server string (G)
              String that will appear in browse lists next to the machine name.

              Default: server string = SMB SERVER

       share:fake_fscaps (G)
              Decimal  bitmask  that  gets bitwise ORed with the filesystem capability flags so as to fake them.
              With share:fake_fscaps = 64, the FILE_SUPPORTS_SPARSE_FILES flag is set.

              Default: share:fake_fscaps = 64

       smb2 leases (G)
              Negotiate SMB2 leases on file open requests.

              Default: smb2 leases = no

       smb2 max credits (G)
              Maximum number of outstanding simultaneous SMB2 operations.  Number suffixes are allowed.

              Default: smb2 max credits = 8192

       smb2 max read (G)
              Maximum length that may be used in a SMB2 READ request sent by  a  client.   Number  suffixes  are
              allowed.

              Default: smb2 max read = 4MB

       smb2 max trans (G)
              Maximum  buffer  size  that  may  be  used  by  a  client in a sent SET_INFO request or a received
              QUERY_INFO, QUERY_DIRECTORY, or CHANGE_NOTIFY response.  Number suffixes are allowed.

              Default: smb2 max trans = 1MB

       smb2 max write (G)
              Maximum length that may be used in a SMB2 WRITE request sent by a  client.   Number  suffixes  are
              allowed.

              Default: smb2 max write = 4MB

       smb3 encryption (G)
              Client  is  disallowed,  allowed,  or  required  to  use  SMB3 encryption.  With smb3 encryption =
              disabled, SMB3 encryption is disallowed even  if  it  is  requested  by  the  client.   With  smb3
              encryption  =  auto,  SMB3  encryption  is  allowed  if  it is requested by the client.  With smb3
              encryption = mandatory, SMB3 encryption is required, i.e. clients that do not  support  encryption
              will be denied access to all shares.

              Default: smb3 encryption = auto

       smbd max io size (G)
              Maximum read/write size of SMB-Direct.  Number suffixes are allowed.

              Default: smbd max io size = 8MB

       store dos attributes (S)
              Store DOS attributes using xattr and then use them in the DOS-to-UNIX-mapping of permissions.

              Default: store dos attributes = yes

       tcp port (G)
              TCP port that is listened to.

              Default: tcp port = 445

       valid users (S)
              List  of  the  users that are allowed to connect to the share.  With valid users = , all users are
              allowed.

              Default: valid users =

       veto files (S)
              Names of files and directories that are made invisible and inaccessible.  Names are given  between
              forward  slashes  (/), e.g. veto files = /foo/bar/ to make files and directories named foo and bar
              invisible and inaccessible.  An asterisk (*) and a question mark (?) are  used  for  matching  any
              number of characters and a character, respectively.

              Default: veto files =

       vfs objects (S)
              List  of the VFS modules to overload I/O operations with.  Available VFS modules are acl_xattr and
              streams_xattr.

              Default: vfs objects =

       workgroup (G)
              Workgroup the server will appear to be in when queried by clients.

              Default: workgroup = WORKGROUP

       writable (S)
              Users are allowed read-write access to the share.  With writable = yes, the effect is the same  as
              with read only = no.  The parameter has precedence over writeable and write ok.

              Default: writable =

       writeable (S)
              Same effect as writable.  The parameter has precedence over write ok.

              Default: writeable =

       write list (S)
              List  of  the users that are allowed read-write access to the share.  A user being in the list has
              precedence over read only = yes.

              Default: write list =

       write ok (S)
              Same effect as writable.

              Default: write ok =
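
       The precedence rules stated for invalid users, valid users, read list, write list, read only and its
       writable aliases combine as follows. This is an added model for reviewing a share definition, not
       ksmbd's own code; the groups mapping stands in for system group membership, user names are compared
       exactly, and guest sessions are left out.

```python
import re

def members(value, groups):
    """Expand a user list; @name stands for all users in system group name."""
    users = set()
    for item in re.split(r"[,\t ]+", value or ""):
        if item.startswith("@"):
            users |= set(groups.get(item[1:], ()))
        elif item:
            users.add(item)
    return users

def share_read_only(share):
    """read only outranks writable, which outranks writeable, then write ok."""
    if share.get("read only"):
        return share["read only"] == "yes"
    for alias in ("writable", "writeable", "write ok"):
        if share.get(alias):
            return share[alias] != "yes"
    return True  # default shown on this page: read only = ; yes

def access(share, user, groups=None):
    """Return 'deny', 'read' or 'write' for user on one share section."""
    groups = groups or {}
    if user in members(share.get("invalid users"), groups):
        return "deny"   # invalid users has precedence over valid users
    # Test the raw value: a list naming only an empty group must not allow everyone.
    if share.get("valid users") and user not in members(share["valid users"], groups):
        return "deny"
    if user in members(share.get("read list"), groups):
        return "read"   # read list beats write list and read only = no
    if user in members(share.get("write list"), groups):
        return "write"  # write list beats read only = yes
    return "read" if share_read_only(share) else "write"

# Constructed share section and group membership.
GROUPS = {"staff": ["alice", "bob", "dave"]}
SHARE = {"valid users": "@staff, carol", "invalid users": "bob",
         "read list": "alice", "write list": "alice carol",
         "read only": "no", "writable": "no"}

if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "dave", "eve"):
        print(user, access(SHARE, user, GROUPS))
```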

COPYRIGHT

       Copyright   ©   2015-2022   ksmbd-tools   contributors.    License   GPLv2:    GNU    GPL    version    2
       <https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html>.
       This  is  free software: you are free to change and redistribute it.  There is NO WARRANTY, to the extent
       permitted by law.

REPORTING BUGS

       For bug reports, use the issue tracker at https://github.com/cifsd-team/ksmbd-tools/issues.

SEE ALSO

       Utilities
              ksmbd.addshare(8), ksmbd.adduser(8), ksmbd.mountd(8)

ksmbd-tools 3.5.3                                                                                  KSMBD.CONF(5)