author | John Terpstra <jht@samba.org> | 2005-07-08 10:16:53 +0000 |
---|---|---|
committer | Gerald W. Carter <jerry@samba.org> | 2008-04-23 08:47:04 -0500 |
commit | 97e3e540f72021d81b34f7597506da6cdc552b8a (patch) | |
tree | 0fbf5ca9ee58fead3c6ac25d60d27ffe25aeebf6 | |
parent | 9953c886c64bd94778d8b78aea4699748a15abac (diff) | |
More updates.
(This used to be commit b546de20f793aeec7739ef32451d72582175ae58)
-rw-r--r-- | docs/Samba3-Developers-Guide/printing.xml | 2 | ||||
-rw-r--r-- | docs/Samba3-HOWTO/TOSHARG-IDMAP.xml | 185 | ||||
-rw-r--r-- | docs/Samba3-HOWTO/TOSHARG-VFS.xml | 12 | ||||
-rw-r--r-- | docs/Samba3-HOWTO/TOSHARG-upgrading-to-3.0.xml | 144 | ||||
-rw-r--r-- | docs/manpages-3/smb.conf.5.xml | 8 | ||||
-rw-r--r-- | docs/smbdotconf/logon/logonscript.xml | 48 | ||||
-rw-r--r-- | docs/smbdotconf/security/createmask.xml | 40 | ||||
-rw-r--r-- | docs/smbdotconf/security/directorymask.xml | 2 | ||||
-rw-r--r-- | docs/smbdotconf/security/directorysecuritymask.xml | 11 | ||||
-rw-r--r-- | docs/smbdotconf/security/forcedirectorysecuritymode.xml | 46 | ||||
-rw-r--r-- | docs/smbdotconf/security/forcesecuritymode.xml | 40 | ||||
-rw-r--r-- | docs/smbdotconf/security/securitymask.xml | 36 |
12 files changed, 329 insertions, 245 deletions
diff --git a/docs/Samba3-Developers-Guide/printing.xml b/docs/Samba3-Developers-Guide/printing.xml
index fc0a1ee4b7..bbdbb85ef7 100644
--- a/docs/Samba3-Developers-Guide/printing.xml
+++ b/docs/Samba3-Developers-Guide/printing.xml
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="iso-8859-1"?> <!DOCTYPE chapter PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
-<chapter id="printing">
+<chapter id="devprinting">
 <chapterinfo> <author> <firstname>Gerald</firstname><surname>Carter</surname>
diff --git a/docs/Samba3-HOWTO/TOSHARG-IDMAP.xml b/docs/Samba3-HOWTO/TOSHARG-IDMAP.xml
index a14c8b0b84..2ff794939c 100644
--- a/docs/Samba3-HOWTO/TOSHARG-IDMAP.xml
+++ b/docs/Samba3-HOWTO/TOSHARG-IDMAP.xml
@@ -496,19 +496,24 @@ domain member servers (DMSs) and domain member clients (DMCs). <title>NT4-Style Domains (Includes Samba Domains)</title> <para>
- The following is a simple example of an NT4 DMS &smb.conf; file that shows only the global section.
-<screen>
-#Global parameters
-[global]
- workgroup = MEGANET2
- security = DOMAIN
- idmap uid = 10000-20000
- idmap gid = 10000-20000
- template primary group = "Domain Users"
- template shell = /bin/bash
-</screen>
+ <link linkend="idmapnt4dms">NT4 Domain Member Server smb.con</link> is a simple example of an NT4 DMS
+ &smb.conf; file that shows only the global section.
 </para>
+<example id="idmapnt4dms">
+<title>NT4 Domain Member Server smb.conf</title>
+<smbconfblock>
+<smbconfcomment>Global parameters</smbconfcomment>
+<smbconfsection name="[global]"/>
+<smbconfoption name="workgroup">MEGANET2</smbconfoption>
+<smbconfoption name="security">DOMAIN</smbconfoption>
+<smbconfoption name="idmap uid">10000-20000</smbconfoption>
+<smbconfoption name="idmap gid">10000-20000</smbconfoption>
+<smbconfoption name="template primary group">"Domain Users"</smbconfoption>
+<smbconfoption name="template shell">/bin/bash</smbconfoption>
+</smbconfblock>
+</example>
+
 <para> <indexterm><primary>winbind</primary></indexterm> <indexterm><primary>/etc/nsswitch.conf</primary></indexterm>
@@ -573,23 +578,27 @@ Join to domain 'MEGANET2' is not valid <indexterm><primary>domain join</primary></indexterm> <indexterm><primary>ADS domain</primary></indexterm> The procedure for joining an ADS domain is similar to the NT4 domain join, except the &smb.conf; file
- will have the following contents:
-<screen>
-# Global parameters
-[global]
- workgroup = BUTTERNET
- netbios name = GARGOYLE
- realm = BUTTERNET.BIZ
- security = ADS
- template shell = /bin/bash
- idmap uid = 500-10000000
- idmap gid = 500-10000000
- winbind use default domain = Yes
- winbind nested groups = Yes
- printer admin = "BUTTERNET\Domain Admins"
-</screen>
+ will have the contents shown in <link linkend="idmapadsdms">ADS Domain Member Server smb.conf</link>
 </para>
+<example id="idmapadsdms">
+<title>ADS Domain Member Server smb.conf</title>
+<smbconfblock>
+<smbconfcomment>Global parameters</smbconfcomment>
+<smbconfsection name="[global]"/>
+<smbconfoption name="workgroup">BUTTERNET</smbconfoption>
+<smbconfoption name="netbios name">GARGOYLE</smbconfoption>
+<smbconfoption name="realm">BUTTERNET.BIZ</smbconfoption>
+<smbconfoption name="security">ADS</smbconfoption>
+<smbconfoption name="template shell">/bin/bash</smbconfoption>
+<smbconfoption name="idmap uid">500-10000000</smbconfoption>
+<smbconfoption name="idmap gid">500-10000000</smbconfoption>
+<smbconfoption name="winbind use default domain">Yes</smbconfoption>
+<smbconfoption name="winbind nested groups">Yes</smbconfoption>
+<smbconfoption name="printer admin">"BUTTERNET\Domain Admins"</smbconfoption>
+</smbconfblock>
+</example>
+
 <para> <indexterm><primary>KRB</primary></indexterm> <indexterm><primary>kerberos</primary></indexterm>
@@ -696,28 +705,33 @@ Join to domain is not valid </para> <para>
- An example &smb.conf; file for and ADS domain environment is shown here:
-<screen>
-# Global parameters
-[global]
- workgroup = KPAK
- netbios name = BIGJOE
- realm = CORP.KPAK.COM
- server string = Office Server
- security = ADS
- allow trusted domains = No
- idmap backend = idmap_rid:KPAK=500-100000000
- idmap uid = 500-100000000
- idmap gid = 500-100000000
- template shell = /bin/bash
- winbind use default domain = Yes
- winbind enum users = No
- winbind enum groups = No
- winbind nested groups = Yes
- printer admin = "Domain Admins"
-</screen>
+ An example &smb.conf; file for and ADS domain environment is shown in <link linkend="idmapadsridDMS">ADS
+ Domain Member smb.conf using idmap_rid</link>.
 </para>
+<example id="idmapadsridDMS">
+<title>ADS Domain Member smb.conf using idmap_rid</title>
+<smbconfblock>
+<smbconfcomment>Global parameters</smbconfcomment>
+<smbconfsection name="[global]"/>
+<smbconfoption name="workgroup">KPAK</smbconfoption>
+<smbconfoption name="netbios name">BIGJOE</smbconfoption>
+<smbconfoption name="realm">CORP.KPAK.COM</smbconfoption>
+<smbconfoption name="server string">Office Server</smbconfoption>
+<smbconfoption name="security">ADS</smbconfoption>
+<smbconfoption name="allow trusted domains">No</smbconfoption>
+<smbconfoption name="idmap backend">idmap_rid:KPAK=500-100000000</smbconfoption>
+<smbconfoption name="idmap uid">500-100000000</smbconfoption>
+<smbconfoption name="idmap gid">500-100000000</smbconfoption>
+<smbconfoption name="template shell">/bin/bash</smbconfoption>
+<smbconfoption name="winbind use default domain">Yes</smbconfoption>
+<smbconfoption name="winbind enum users">No</smbconfoption>
+<smbconfoption name="winbind enum groups">No</smbconfoption>
+<smbconfoption name="winbind nested groups">Yes</smbconfoption>
+<smbconfoption name="printer admin">"Domain Admins"</smbconfoption>
+</smbconfblock>
+</example>
+
 <para> <indexterm><primary>large domain</primary></indexterm> <indexterm><primary>Active Directory</primary></indexterm>
@@ -815,29 +829,31 @@ administrator:x:1000:1013:Administrator:/home/BE/administrator:/bin/bash </para> <para>
- The following example is for an ADS domain:
+ An example is for an ADS domain is shown in <link linkend="idmapldapDMS">ADS Domain Member Server using
+ LDAP</link>.
 </para>
- <para>
-<screen>
-# Global parameters
-[global]
- workgroup = SNOWSHOW
- netbios name = GOODELF
- realm = SNOWSHOW.COM
- server string = Samba Server
- security = ADS
- log level = 1 ads:10 auth:10 sam:10 rpc:10
- ldap admin dn = cn=Manager,dc=SNOWSHOW,dc=COM
- ldap idmap suffix = ou=Idmap
- ldap suffix = dc=SNOWSHOW,dc=COM
- idmap backend = ldap:ldap://ldap.snowshow.com
- idmap uid = 150000-550000
- idmap gid = 150000-550000
- template shell = /bin/bash
- winbind use default domain = Yes
-</screen>
- </para>
+<example id="idmapldapDMS">
+<title>ADS Domain Member Server using LDAP</title>
+<smbconfblock>
+<smbconfcomment>Global parameters</smbconfcomment>
+<smbconfsection name="[global]"/>
+<smbconfoption name="workgroup">SNOWSHOW</smbconfoption>
+<smbconfoption name="netbios name">GOODELF</smbconfoption>
+<smbconfoption name="realm">SNOWSHOW.COM</smbconfoption>
+<smbconfoption name="server string">Samba Server</smbconfoption>
+<smbconfoption name="security">ADS</smbconfoption>
+<smbconfoption name="log level">1 ads:10 auth:10 sam:10 rpc:10</smbconfoption>
+<smbconfoption name="ldap admin dn">cn=Manager,dc=SNOWSHOW,dc=COM</smbconfoption>
+<smbconfoption name="ldap idmap suffix">ou=Idmap</smbconfoption>
+<smbconfoption name="ldap suffix">dc=SNOWSHOW,dc=COM</smbconfoption>
+<smbconfoption name="idmap backend">ldap:ldap://ldap.snowshow.com</smbconfoption>
+<smbconfoption name="idmap uid">150000-550000</smbconfoption>
+<smbconfoption name="idmap gid">150000-550000</smbconfoption>
+<smbconfoption name="template shell">/bin/bash</smbconfoption>
+<smbconfoption name="winbind use default domain">Yes</smbconfoption>
+</smbconfblock>
+</example>
 <para> <indexterm><primary>realm</primary></indexterm>
@@ -1018,23 +1034,28 @@ Joined 'GOODELF' to realm 'SNOWSHOW.COM' </para> <para>
- The following is an example &smb.conf; file:
-<screen>
-# Global parameters
-[global]
- workgroup = BOBBY
- realm = BOBBY.COM
- security = ADS
- idmap uid = 150000-550000
- idmap gid = 150000-550000
- template shell = /bin/bash
- winbind cache time = 5
- winbind use default domain = Yes
- winbind trusted domains only = Yes
- winbind nested groups = Yes
-</screen>
+ An example &smb.conf; file is shown in <link linkend="idmaprfc2307">ADS Domain Member Server using
+RFC2307bis Schema Extension Date via NSS</link>.
 </para>
+<example id="idmaprfc2307">
+<title>ADS Domain Member Server using RFC2307bis Schema Extension Date via NSS</title>
+<smbconfblock>
+<smbconfcomment>Global parameters</smbconfcomment>
+<smbconfsection name="[global]"/>
+<smbconfoption name="workgroup">BOBBY</smbconfoption>
+<smbconfoption name="realm">BOBBY.COM</smbconfoption>
+<smbconfoption name="security">ADS</smbconfoption>
+<smbconfoption name="idmap uid">150000-550000</smbconfoption>
+<smbconfoption name="idmap gid">150000-550000</smbconfoption>
+<smbconfoption name="template shell">/bin/bash</smbconfoption>
+<smbconfoption name="winbind cache time">5</smbconfoption>
+<smbconfoption name="winbind use default domain">Yes</smbconfoption>
+<smbconfoption name="winbind trusted domains only">Yes</smbconfoption>
+<smbconfoption name="winbind nested groups">Yes</smbconfoption>
+</smbconfblock>
+</example>
+
 <para> <indexterm><primary>nss_ldap</primary></indexterm> The DMS must be joined to the domain using the usual procedure. Additionally, it is necessary
diff --git a/docs/Samba3-HOWTO/TOSHARG-VFS.xml b/docs/Samba3-HOWTO/TOSHARG-VFS.xml
index 41b9562c40..02bf851c63 100644
--- a/docs/Samba3-HOWTO/TOSHARG-VFS.xml
+++ b/docs/Samba3-HOWTO/TOSHARG-VFS.xml
@@ -49,15 +49,15 @@ modules example</link>: </para> <example id="vfsrecyc">
- <title>smb.conf with VFS modules</title>
- <smbconfblock>
- <smbconfsection name="[audit]"/>
+<title>smb.conf with VFS modules</title>
+<smbconfblock>
+<smbconfsection name="[audit]"/>
 <smbconfoption name="comment">Audited /data directory</smbconfoption> <smbconfoption name="path">/data</smbconfoption> <smbconfoption name="vfs objects">audit recycle</smbconfoption> <smbconfoption name="writeable">yes</smbconfoption> <smbconfoption name="browseable">yes</smbconfoption>
- </smbconfblock>
+</smbconfblock>
 </example> <para>
@@ -87,8 +87,8 @@ Some modules can be used twice for the same share. This can be done using a con shown in <link linkend="multimodule">the smb.conf with multiple VFS modules</link>. <example id="multimodule">
- <title>smb.conf with multiple VFS modules</title>
- <smbconfblock>
+<title>smb.conf with multiple VFS modules</title>
+<smbconfblock>
 <smbconfsection name="[test]"/> <smbconfoption name="comment">VFS TEST</smbconfoption> <smbconfoption name="path">/data</smbconfoption>
diff --git a/docs/Samba3-HOWTO/TOSHARG-upgrading-to-3.0.xml b/docs/Samba3-HOWTO/TOSHARG-upgrading-to-3.0.xml
index ab328eda0b..8898232304 100644
--- a/docs/Samba3-HOWTO/TOSHARG-upgrading-to-3.0.xml
+++ b/docs/Samba3-HOWTO/TOSHARG-upgrading-to-3.0.xml
@@ -178,7 +178,7 @@ complete descriptions of new or modified parameters. <title>Removed Parameters</title> <indexterm><primary>deleted parameters</primary></indexterm>
-<para>In alphabetical order, these are the parameters eliminated for Samba 3.0.20.</para>
+<para>In alphabetical order, these are the parameters eliminated during the Samba 3.0.0 series prior to release of Samba 3.0.20.</para>
 <itemizedlist> <listitem><para>admin log </para></listitem>
@@ -190,17 +190,22 @@ complete descriptions of new or modified parameters. <listitem><para>domain admin group </para></listitem> <listitem><para>domain guest group </para></listitem> <listitem><para>force unknown acl user </para></listitem>
+ <listitem><para>ldap filter</para></listitem>
 <listitem><para>nt smb support </para></listitem> <listitem><para>post script </para></listitem> <listitem><para>printer driver </para></listitem> <listitem><para>printer driver file </para></listitem> <listitem><para>printer driver location </para></listitem>
+ <listitem><para>read size</para></listitem>
+ <listitem><para>source environment</para></listitem>
 <listitem><para>status </para></listitem> <listitem><para>strip dot </para></listitem> <listitem><para>total print jobs </para></listitem>
+ <listitem><para>unicode</para></listitem>
 <listitem><para>use rhosts </para></listitem> <listitem><para>valid chars </para></listitem> <listitem><para>vfs options </para></listitem>
+ <listitem><para>winbind enable local accounts</para></listitem>
 </itemizedlist> </sect2>
@@ -208,114 +213,135 @@ complete descriptions of new or modified parameters. <sect2> <title>New Parameters</title>
-<para>New parameters in Samba 3.0.20 are grouped by function):</para>
+<para>New parameters in the Samba 3.0.0 series prior to release of Samba 3.0.20 are grouped by function):</para>
 <para>Remote Management</para> <indexterm><primary>new parameters</primary></indexterm> <itemizedlist>
- <listitem><para>abort shutdown script </para></listitem>
- <listitem><para>shutdown script </para></listitem>
+ <listitem><para>abort shutdown script</para></listitem>
+ <listitem><para>shutdown script</para></listitem>
 </itemizedlist> <para>User and Group Account Management</para> <itemizedlist>
- <listitem><para>add group script </para></listitem>
- <listitem><para>add machine script </para></listitem>
- <listitem><para>add user to group script </para></listitem>
- <listitem><para>algorithmic rid base </para></listitem>
- <listitem><para>delete group script </para></listitem>
- <listitem><para>delete user from group script </para></listitem>
- <listitem><para>passdb backend </para></listitem>
- <listitem><para>set primary group script </para></listitem>
+ <listitem><para>add group script</para></listitem>
+ <listitem><para>add machine script</para></listitem>
+ <listitem><para>add user to group script</para></listitem>
+ <listitem><para>algorithmic rid base</para></listitem>
+ <listitem><para>delete group script</para></listitem>
+ <listitem><para>delete user from group script</para></listitem>
+ <listitem><para>passdb backend</para></listitem>
+ <listitem><para>set primary group script</para></listitem>
 </itemizedlist> <para>Authentication</para> <itemizedlist>
- <listitem><para>auth methods </para></listitem>
- <listitem><para>realm </para></listitem>
+ <listitem><para>auth methods</para></listitem>
+ <listitem><para>ldap password sync</para></listitem>
+ <listitem><para>realm</para></listitem>
 </itemizedlist> <para>Protocol Options</para> <itemizedlist>
- <listitem><para>client lanman auth </para></listitem>
- <listitem><para>client NTLMv2 auth </para></listitem>
- <listitem><para>client schannel </para></listitem>
- <listitem><para>client signing </para></listitem>
- <listitem><para>client use spnego </para></listitem>
- <listitem><para>disable netbios </para></listitem>
- <listitem><para>ntlm auth </para></listitem>
+ <listitem><para>afs token lifetime</para></listitem>
+ <listitem><para>client lanman auth</para></listitem>
+ <listitem><para>client NTLMv2 auth</para></listitem>
+ <listitem><para>client schannel</para></listitem>
+ <listitem><para>client signing</para></listitem>
+ <listitem><para>client use spnego</para></listitem>
+ <listitem><para>defer sharing violations</para></listitem>
+ <listitem><para>disable netbios</para></listitem>
+ <listitem><para>enable privileges</para></listitem>
+ <listitem><para>use kerberos keytab</para></listitem>
+ <listitem><para>log nt token command</para></listitem>
+ <listitem><para>ntlm auth</para></listitem>
 <listitem><para>paranoid server security </para></listitem>
- <listitem><para>server schannel </para></listitem>
- <listitem><para>server signing </para></listitem>
- <listitem><para>smb ports </para></listitem>
- <listitem><para>use spnego </para></listitem>
+ <listitem><para>sendfile</para></listitem>
+ <listitem><para>server schannel</para></listitem>
+ <listitem><para>server signing</para></listitem>
+ <listitem><para>smb ports</para></listitem>
+ <listitem><para>use spnego</para></listitem>
 </itemizedlist> <para>File Service</para> <itemizedlist>
- <listitem><para>get quota command </para></listitem>
- <listitem><para>hide special files </para></listitem>
- <listitem><para>hide unwriteable files </para></listitem>
- <listitem><para>hostname lookups </para></listitem>
- <listitem><para>kernel change notify </para></listitem>
- <listitem><para>mangle prefix </para></listitem>
- <listitem><para>map acl inherit </para></listitem>
- <listitem><para>msdfs proxy </para></listitem>
- <listitem><para>set quota command </para></listitem>
- <listitem><para>use sendfile </para></listitem>
- <listitem><para>vfs objects </para></listitem>
+ <listitem><para>allocation roundup size</para></listitem>
+ <listitem><para>acl check permissions</para></listitem>
+ <listitem><para>ea support</para></listitem>
+ <listitem><para>enable asu support</para></listitem>
+ <listitem><para>force unknown acl user</para></listitem>
+ <listitem><para>get quota command</para></listitem>
+ <listitem><para>hide special files</para></listitem>
+ <listitem><para>hide unwriteable files</para></listitem>
+ <listitem><para>inherit owner</para></listitem>
+ <listitem><para>hostname lookups</para></listitem>
+ <listitem><para>kernel change notify</para></listitem>
+ <listitem><para>mangle prefix</para></listitem>
+ <listitem><para>map acl inherit</para></listitem>
+ <listitem><para>max stat cache size</para></listitem>
+ <listitem><para>msdfs proxy</para></listitem>
+ <listitem><para>set quota command</para></listitem>
+ <listitem><para>store dos attributes</para></listitem>
+ <listitem><para>use sendfile</para></listitem>
+ <listitem><para>vfs objects</para></listitem>
 </itemizedlist> <para>Printing</para> <itemizedlist>
- <listitem><para>max reported print jobs </para></listitem>
+ <listitem><para>cups options</para></listitem>
+ <listitem><para>cups server</para></listitem>
+ <listitem><para>force printername</para></listitem>
+ <listitem><para>max reported print jobs</para></listitem>
+ <listitem><para>printcap cache time</para></listitem>
 </itemizedlist> <para>Unicode and Character Sets</para> <itemizedlist>
- <listitem><para>display charset </para></listitem>
- <listitem><para>dos charset </para></listitem>
- <listitem><para>unicode </para></listitem>
- <listitem><para>UNIX charset </para></listitem>
+ <listitem><para>display charset</para></listitem>
+ <listitem><para>dos charset</para></listitem>
+ <listitem><para>UNIX charset</para></listitem>
</itemizedlist> <para>SID to UID/GID Mappings</para> <itemizedlist>
- <listitem><para>idmap backend </para></listitem>
- <listitem><para>idmap gid </para></listitem>
- <listitem><para>idmap uid </para></listitem>
- <listitem><para>winbind enable local accounts </para></listitem>
- <listitem><para>winbind trusted domains only </para></listitem>
- <listitem><para>template primary group </para></listitem>
- <listitem><para>enable rid algorithm </para></listitem>
+ <listitem><para>idmap backend</para></listitem>
+ <listitem><para>idmap gid</para></listitem>
+ <listitem><para>idmap uid</para></listitem>
+ <listitem><para>winbind enable local accounts</para></listitem>
+ <listitem><para>winbind nested groups</para></listitem>
+ <listitem><para>winbind trusted domains only</para></listitem>
+ <listitem><para>template primary group</para></listitem>
+ <listitem><para>enable rid algorithm</para></listitem>
 </itemizedlist> <para>LDAP</para> <itemizedlist>
- <listitem><para>ldap delete dn </para></listitem>
- <listitem><para>ldap group suffix </para></listitem>
- <listitem><para>ldap idmap suffix </para></listitem>
- <listitem><para>ldap machine suffix </para></listitem>
- <listitem><para>ldap passwd sync </para></listitem>
- <listitem><para>ldap user suffix </para></listitem>
+ <listitem><para>ldap delete dn</para></listitem>
+ <listitem><para>ldap group suffix</para></listitem>
+ <listitem><para>ldap idmap suffix</para></listitem>
+ <listitem><para>ldap machine suffix</para></listitem>
+ <listitem><para>ldap passwd sync</para></listitem>
+ <listitem><para>ldap replication sleep</para></listitem>
+ <listitem><para>ldap timeout</para></listitem>
+ <listitem><para>ldap user suffix</para></listitem>
 </itemizedlist> <para>General Configuration</para> <itemizedlist>
- <listitem><para>preload modules </para></listitem>
- <listitem><para>privatedir </para></listitem>
+ <listitem><para>preload modules</para></listitem>
+ <listitem><para>privatedir</para></listitem>
 </itemizedlist>
</sect2>
@@ -324,17 +350,23 @@ complete descriptions of new or modified parameters. <title>Modified Parameters (Changes in Behavior)</title> <itemizedlist>
+ <listitem><para>dos filetimes (enabled by default)</para></listitem>
 <listitem><para>encrypt passwords (enabled by default) </para></listitem> <listitem><para>mangling method (set to hash2 by default) </para></listitem>
+ <listitem><para>map to guest (new parameter added)</para></listitem>
+ <listitem><para>min password length (deprecated)</para></listitem>
+ <listitem><para>only user (deprecated)</para></listitem>
 <listitem><para>passwd chat </para></listitem> <listitem><para>passwd program </para></listitem> <listitem><para>password server </para></listitem>
+ <listitem><para>printer admin (deprecated)</para></listitem>
 <listitem><para>restrict anonymous (integer value) </para></listitem> <listitem><para>security (new ads value) </para></listitem> <listitem><para>strict locking (enabled by default) </para></listitem> <listitem><para>winbind cache time (increased to 5 minutes) </para></listitem> <listitem><para>winbind uid (deprecated in favor of idmap uid) </para></listitem> <listitem><para>winbind gid (deprecated in favor of idmap gid) </para></listitem>
+ <listitem><para>write cache (deprecated)</para></listitem>
 </itemizedlist> </sect2>
diff --git a/docs/manpages-3/smb.conf.5.xml b/docs/manpages-3/smb.conf.5.xml
index e7e4a8933c..a21c813f20 100644
--- a/docs/manpages-3/smb.conf.5.xml
+++ b/docs/manpages-3/smb.conf.5.xml
@@ -61,7 +61,7 @@ <para> The values following the equals sign in parameters are all either a string (no quotes needed) or a boolean, which may be given as yes/no, 0/1 or true/false. Case is not significant in boolean values, but is preserved
- in string values. Some items such as create modes are numeric.
+ in string values. Some items such as create masks are numeric.
 </para> </refsect1>
@@ -292,8 +292,8 @@ alias|alias|alias|alias... <note><para> On SYSV systems which use lpstat to determine what printers are defined on the system you may be able to use
- <literal>printcap name = lpstat</literal> to automatically obtain a list of printers. See the <literal>printcap name</literal> option
- for more details.
+ <literal>printcap name = lpstat</literal> to automatically obtain a list of printers. See the
+ <literal>printcap name</literal> option for more details.
 </para></note> </refsect2> </refsect1>
@@ -305,7 +305,7 @@ alias|alias|alias|alias... <para> Some parameters are specific to the [global] section (e.g., <emphasis>security</emphasis>). Some parameters
- are usable in all sections (e.g., <emphasis>create mode</emphasis>). All others are permissible only in normal
+ are usable in all sections (e.g., <emphasis>create mask</emphasis>). All others are permissible only in normal
 sections. For the purposes of the following descriptions the [homes] and [printers] sections will be considered normal. The letter <emphasis>G</emphasis> in parentheses indicates that a parameter is specific to the [global] section. The letter <emphasis>S</emphasis> indicates that a parameter can be specified in a
diff --git a/docs/smbdotconf/logon/logonscript.xml b/docs/smbdotconf/logon/logonscript.xml
index 847896e1ce..13ce9a0c03 100644
--- a/docs/smbdotconf/logon/logonscript.xml
+++ b/docs/smbdotconf/logon/logonscript.xml
@@ -4,14 +4,15 @@ type="string" xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> <description>
- <para>This parameter specifies the batch file (.bat) or
- NT command file (.cmd) to be downloaded and run on a machine when
- a user successfully logs in. The file must contain the DOS
- style CR/LF line endings. Using a DOS-style editor to create the
- file is recommended.</para>
+ <para>
+ This parameter specifies the batch file (<filename>.bat</filename>) or NT command file
+ (<filename>.cmd</filename>) to be downloaded and run on a machine when a user successfully logs in. The file
+ must contain the DOS style CR/LF line endings. Using a DOS-style editor to create the file is recommended.
+ </para>
- <para>The script must be a relative path to the [netlogon]
- service. If the [netlogon] service specifies a <smbconfoption name="path"/> of <filename
+ <para>
+ The script must be a relative path to the <smbconfsection name="[netlogon]"/> service. If the [netlogon]
+ service specifies a <smbconfoption name="path"/> of <filename
 moreinfo="none">/usr/local/samba/netlogon</filename>, and <smbconfoption name="logon script">STARTUP.BAT</smbconfoption>, then the file that will be downloaded is: <screen>
@@ -19,23 +20,28 @@ </screen> </para>
- <para>The contents of the batch file are entirely your choice. A
- suggested command would be to add <command moreinfo="none">NET TIME \\SERVER /SET
- /YES</command>, to force every machine to synchronize clocks with
- the same time server. Another use would be to add <command moreinfo="none">NET USE
- U: \\SERVER\UTILS</command> for commonly used utilities, or <screen>
- <userinput>NET USE Q: \\SERVER\ISO9001_QA</userinput></screen> for example.</para>
+ <para>
+ The contents of the batch file are entirely your choice. A suggested command would be to add <command
+ moreinfo="none">NET TIME \\SERVER /SET /YES</command>, to force every machine to synchronize clocks with the
+ same time server. Another use would be to add <command moreinfo="none">NET USE U: \\SERVER\UTILS</command>
+ for commonly used utilities, or <screen> <userinput>NET USE Q: \\SERVER\ISO9001_QA</userinput></screen> for
+ example.
+ </para>
- <para>Note that it is particularly important not to allow write
- access to the [netlogon] share, or to grant users write permission
- on the batch files in a secure environment, as this would allow
- the batch files to be arbitrarily modified and security to be
- breached.</para>
+ <para>
+ Note that it is particularly important not to allow write access to the [netlogon] share, or to grant users
+ write permission on the batch files in a secure environment, as this would allow the batch files to be
+ arbitrarily modified and security to be breached.
+ </para>
- <para>This option takes the standard substitutions, allowing you
- to have separate logon scripts for each user or machine.</para>
+ <para>
+ This option takes the standard substitutions, allowing you to have separate logon scripts for each user or
+ machine.
+ </para>
- <para>This option is only useful if Samba is set up as a logon server.</para>
+ <para>
+ This option is only useful if Samba is set up as a logon server.
+ </para>
 </description> <value type="default"></value> <value type="example">scripts\%U.bat</value>
diff --git a/docs/smbdotconf/security/createmask.xml b/docs/smbdotconf/security/createmask.xml
index 7f9f93caaa..cf6864c78e 100644
--- a/docs/smbdotconf/security/createmask.xml
+++ b/docs/smbdotconf/security/createmask.xml
@@ -5,27 +5,33 @@ <synonym>create mode</synonym> <description>
- <para>When a file is created, the necessary permissions are
- calculated according to the mapping from DOS modes to UNIX
- permissions, and the resulting UNIX mode is then bit-wise 'AND'ed
- with this parameter. This parameter may be thought of as a bit-wise
- MASK for the UNIX modes of a file. Any bit <emphasis>not</emphasis>
- set here will be removed from the modes set on a file when it is
- created.</para>
+ <para>
+ When a file is created, the necessary permissions are calculated according to the mapping from DOS modes to
+ UNIX permissions, and the resulting UNIX mode is then bit-wise 'AND'ed with this parameter. This parameter may
+ be thought of as a bit-wise MASK for the UNIX modes of a file. Any bit <emphasis>not</emphasis> set here will
+ be removed from the modes set on a file when it is created.
+ </para>
- <para>The default value of this parameter removes the
- 'group' and 'other' write and execute bits from the UNIX modes.</para>
+ <para>
+ The default value of this parameter removes the <literal>group</literal> and <literal>other</literal>
+ write and execute bits from the UNIX modes.
+ </para>
- <para>Following this Samba will bit-wise 'OR' the UNIX mode created
- from this parameter with the value of the <smbconfoption name="force create mode"/>
- parameter which is set to 000 by default.</para>
+ <para>
+ Following this Samba will bit-wise 'OR' the UNIX mode created from this parameter with the value of the
+ <smbconfoption name="force create mode"/> parameter which is set to 000 by default.
+ </para>
- <para>This parameter does not affect directory modes. See the
- parameter <smbconfoption name="directory mode"/> for details.</para>
+ <para>
+ This parameter does not affect directory masks. See the parameter <smbconfoption name="directory mask"/>
+ for details.
+ </para>
- <para>Note that this parameter does not apply to permissions
- set by Windows NT/2000 ACL editors. If the administrator wishes to enforce
- a mask on access control lists also, they need to set the <smbconfoption name="security mask"/>.</para>
+ <para>
+ Note that this parameter does not apply to permissions set by Windows NT/2000 ACL editors. If the
+ administrator wishes to enforce a mask on access control lists also, they need to set the <smbconfoption
+ name="security mask"/>.
+ </para>
 </description> <related>force create mode</related>
diff --git a/docs/smbdotconf/security/directorymask.xml b/docs/smbdotconf/security/directorymask.xml
index 414239bcff..7b67f79214 100644
--- a/docs/smbdotconf/security/directorymask.xml
+++ b/docs/smbdotconf/security/directorymask.xml
@@ -30,7 +30,7 @@ </description> <related>force directory mode</related>
-<related>create mode</related>
+<related>create mask</related>
 <related>directory security mask</related> <related>inherit permissions</related> <value type="default">0755</value>
diff --git a/docs/smbdotconf/security/directorysecuritymask.xml b/docs/smbdotconf/security/directorysecuritymask.xml
index 5511cd1700..a16f275698 100644
--- a/docs/smbdotconf/security/directorysecuritymask.xml
+++ b/docs/smbdotconf/security/directorysecuritymask.xml
@@ -8,11 +8,12 @@ permission on a directory using the native NT security dialog box.</para> - <para>This parameter is applied as a mask (AND'ed with) to - the changed permission bits, thus preventing any bits not in - this mask from being modified. Essentially, zero bits in this - mask may be treated as a set of bits the user is not allowed - to change.</para> + <para> + This parameter is applied as a mask (AND'ed with) to the changed permission bits, thus preventing any bits not + in this mask from being modified. Make sure not to mix up this parameter with <smbconfoption name="force + directory security mode"/>, which works similar like this one but uses logical OR instead of AND. + Essentially, zero bits in this mask may be treated as a set of bits the user is not allowed to change. + </para> <para>If not set explicitly this parameter is set to 0777 meaning a user is allowed to modify all the user/group/world diff --git a/docs/smbdotconf/security/forcedirectorysecuritymode.xml b/docs/smbdotconf/security/forcedirectorysecuritymode.xml index 184337ba69..2c15ec2753 100644 --- a/docs/smbdotconf/security/forcedirectorysecuritymode.xml +++ b/docs/smbdotconf/security/forcedirectorysecuritymode.xml 
@@ -3,25 +3,33 @@ type="string" xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> <description> - <para>This parameter controls what UNIX permission bits - can be modified when a Windows NT client is manipulating the UNIX - permission on a directory using the native NT security dialog box.</para> - - <para>This parameter is applied as a mask (OR'ed with) to the - changed permission bits, thus forcing any bits in this mask that - the user may have modified to be on. Essentially, one bits in this - mask may be treated as a set of bits that, when modifying security - on a directory, the user has always set to be 'on'.</para> - - <para>If not set explicitly this parameter is 000, which - allows a user to modify all the user/group/world permissions on a - directory without restrictions.</para> - - <note><para>Users who can access the - Samba server through other means can easily bypass this restriction, - so it is primarily useful for standalone "appliance" systems. - Administrators of most normal systems will probably want to leave - it set as 0000.</para></note> + <para> + This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating + the UNIX permission on a directory using the native NT security dialog box. + </para> + + <para> + This parameter is applied as a mask (OR'ed with) to the changed permission bits, thus forcing any bits in this + mask that the user may have modified to be on. Make sure not to mix up this parameter with <smbconfoption + name="directory security mask"/>, which works in a similar manner to this one, but uses a logical AND instead + of an OR. + </para> + + <para> + Essentially, this mask may be treated as a set of bits that, when modifying security on a directory, + to will enable (1) any flags that are off (0) but which the mask has set to on (1). 
+ </para> + + <para> + If not set explicitly this parameter is 0000, which allows a user to modify all the user/group/world + permissions on a directory without restrictions. + </para> + + <note><para> + Users who can access the Samba server through other means can easily bypass this restriction, so it is + primarily useful for standalone "appliance" systems. Administrators of most normal systems will + probably want to leave it set as 0000. + </para></note> </description> diff --git a/docs/smbdotconf/security/forcesecuritymode.xml b/docs/smbdotconf/security/forcesecuritymode.xml index 98de6fa401..7451ef91ae 100644 --- a/docs/smbdotconf/security/forcesecuritymode.xml +++ b/docs/smbdotconf/security/forcesecuritymode.xml 
@@ -3,26 +3,32 @@ type="string" xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> <description> - <para>This parameter controls what UNIX permission - bits can be modified when a Windows NT client is manipulating - the UNIX permission on a file using the native NT security dialog - box.</para> + <para> + This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating + the UNIX permission on a file using the native NT security dialog box. + </para> - <para>This parameter is applied as a mask (OR'ed with) to the - changed permission bits, thus forcing any bits in this mask that - the user may have modified to be on. Essentially, one bits in this - mask may be treated as a set of bits that, when modifying security - on a file, the user has always set to be 'on'.</para> + <para> + This parameter is applied as a mask (OR'ed with) to the changed permission bits, thus forcing any bits in this + mask that the user may have modified to be on. Make sure not to mix up this parameter with <smbconfoption + name="security mask"/>, which works similar like this one but uses logical AND instead of OR. + </para> - <para>If not set explicitly this parameter is set to 0, - and allows a user to modify all the user/group/world permissions on a file, - with no restrictions.</para> + <para> + Essentially, one bits in this mask may be treated as a set of bits that, when modifying security on a file, + the user has always set to be on. + </para> + + <para> + If not set explicitly this parameter is set to 0, and allows a user to modify all the user/group/world + permissions on a file, with no restrictions. + </para> - <para><emphasis>Note</emphasis> that users who can access - the Samba server through other means can easily bypass this restriction, - so it is primarily useful for standalone "appliance" systems. 
- Administrators of most normal systems will probably want to leave - this set to 0000.</para> + <para><emphasis> + Note</emphasis> that users who can access the Samba server through other means can easily bypass this + restriction, so it is primarily useful for standalone "appliance" systems. Administrators of most + normal systems will probably want to leave this set to 0000. + </para> </description> diff --git a/docs/smbdotconf/security/securitymask.xml b/docs/smbdotconf/security/securitymask.xml index de3dd29753..d41d6bddae 100644 --- a/docs/smbdotconf/security/securitymask.xml +++ b/docs/smbdotconf/security/securitymask.xml 
@@ -3,26 +3,30 @@ type="string" xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> <description> - <para>This parameter controls what UNIX permission - bits can be modified when a Windows NT client is manipulating - the UNIX permission on a file using the native NT security - dialog box.</para> + <para> + This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating the + UNIX permission on a file using the native NT security dialog box. + </para> - <para>This parameter is applied as a mask (AND'ed with) to - the changed permission bits, thus preventing any bits not in - this mask from being modified. Essentially, zero bits in this - mask may be treated as a set of bits the user is not allowed - to change.</para> + <para> + This parameter is applied as a mask (AND'ed with) to the changed permission bits, thus preventing any bits not + in this mask from being modified. Make sure not to mix up this parameter with <smbconfoption name="force + security mode"/>, which works in a manner similar to this one but uses a logical OR instead of an AND. + </para> - <para>If not set explicitly this parameter is 0777, allowing - a user to modify all the user/group/world permissions on a file. + <para> + Essentially, zero bits in this mask may be treated as a set of bits the user is not allowed to change. + </para> + + <para> + If not set explicitly this parameter is 0777, allowing a user to modify all the user/group/world permissions on a file. </para> - <para><emphasis>Note</emphasis> that users who can access the - Samba server through other means can easily bypass this - restriction, so it is primarily useful for standalone - "appliance" systems. 
Administrators of most normal systems will - probably want to leave it set to <constant>0777</constant>.</para> + <para><emphasis> + Note</emphasis> that users who can access the Samba server through other means can easily bypass this + restriction, so it is primarily useful for standalone "appliance" systems. Administrators of + most normal systems will probably want to leave it set to <constant>0777</constant>. + </para> </description> <related>force directory security mode</related> |