summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJohn Terpstra <jht@samba.org>2004-11-08 06:10:13 +0000
committerGerald W. Carter <jerry@samba.org>2008-04-23 08:46:06 -0500
commit62b976057f1ad64092ca1be6b09168656aaa6600 (patch)
tree806785ef090ed5964e25aee553ba7e1136c71ca3
parentb5fd5167261ae77cc6c1876af782d7237fe7c25e (diff)
downloadsamba-62b976057f1ad64092ca1be6b09168656aaa6600.tar.gz
samba-62b976057f1ad64092ca1be6b09168656aaa6600.tar.bz2
samba-62b976057f1ad64092ca1be6b09168656aaa6600.zip
Updated username mape man page to reflect post 3.0.7 operation.
(This used to be commit db5b2ef32a92d47e2c02a1fc111177bfd8bfa179)
-rw-r--r--docs/smbdotconf/security/usernamemap.xml28
1 files changed, 27 insertions, 1 deletions
diff --git a/docs/smbdotconf/security/usernamemap.xml b/docs/smbdotconf/security/usernamemap.xml
index 1dae4f0932..a76fc283ef 100644
--- a/docs/smbdotconf/security/usernamemap.xml
+++ b/docs/smbdotconf/security/usernamemap.xml
@@ -83,7 +83,33 @@ guest = *
<para>Also note that no reverse mapping is done. The main effect
this has is with printing. Users who have been mapped may have
trouble deleting print jobs as PrintManager under WfWg will think
- they don't own the print job.</para>
+ they don't own the print job.</para>
+
+ <para>
+ Samab versions prior to 3.0.8 would only support reading the fully qualified
+ username (e.g.: DOMAIN\user) from the username map when performing a
+ kerberos login from a client. However, when looking up a map
+ entry for a user authenticated by NTLM[SSP], only the login name would be
+ used for matches. This resulted in inconsistent behavior sometimes
+ even on the same server.
+ </para>
+
+ <para>
+ The following functionality is obeyed in version 3.0.8 and later:
+ </para>
+
+ <para>
+ When performing local authentication, the username map is
+ applied to the login name before attempting to authenticate
+ the connection.
+ </para>
+
+ <para>
+ When relying upon a external domain controller for validating
+ authentication requests, smbd will apply the username map
+ to the fully qualified username (i.e. DOMAIN\user) only
+ after the user has been successfully authenticated.
+ </para>
</description>
<value type="default"><comment>no username map</comment></value>