author: Andrew Bartlett <abartlet@samba.org> 2012-02-03 18:03:10 +1100
committer: Andrew Bartlett <abartlet@samba.org> 2012-03-04 23:33:05 +0100
commit: d7bb961859a3501aec4d28842bfffb6190d19a73
tree: e472b543e1e88914fbcf7bf68a3e431ff7314afd /docs-xml/smbdotconf/security/username.xml
parent: acfa107ec64ceb6bf3a28df14585cfb0ccc79f41
s3-auth: Remove security=share (deprecated since 3.6).

This patch removes security=share, which Samba implemented by matching the per-share password provided by the client in the Tree Connect with a selection of usernames supplied by the client, the smb.conf or guessed from the environment.

The rationale for the removal is that for the bulk of security=share users, we just need a very simple way to run a 'trust the network' Samba server, where users mark shares as guest ok. This is still supported, and the smb.conf options are documented at https://wiki.samba.org/index.php/Public_Samba_Server

At the same time, this closes the door on one of the most arcane areas of Samba authentication.

Naturally, full user-name/password authentication remains available in security=user and above.

This includes documentation updates for username and only user, which now only do a small amount of what they used to do.

Andrew Bartlett

       --------------
      /              \
     /      REST      \
    /        IN        \
   /       PEACE        \
  /                      \
  |       SEC_SHARE      |
  |    security=share    |
  |                      |
  |                      |
  |        5 March       |
  |                      |
  |         2012         |
 *|     *  *  *          | *
 _________)/\\_//(\/(/\)/\//\/\///|_)_______
Diffstat (limited to 'docs-xml/smbdotconf/security/username.xml')
-rw-r--r-- docs-xml/smbdotconf/security/username.xml 51
1 files changed, 5 insertions, 46 deletions
diff --git a/docs-xml/smbdotconf/security/username.xml b/docs-xml/smbdotconf/security/username.xml
index 19d8a2ecfd..a85076c737 100644
--- a/docs-xml/smbdotconf/security/username.xml
+++ b/docs-xml/smbdotconf/security/username.xml
@@ -5,57 +5,16 @@
<synonym>user</synonym>
<synonym>users</synonym>
<description>
- <para>Multiple users may be specified in a comma-delimited
- list, in which case the supplied password will be tested against
- each username in turn (left to right).</para>
-
- <para>The deprecated <parameter moreinfo="none">username</parameter> line is needed only when
- the PC is unable to supply its own username. This is the case
- for the COREPLUS protocol or where your users have different WfWg
- usernames to UNIX usernames. In both these cases you may also be
- better using the \\server\share%user syntax instead.</para>
-
- <para>The <parameter moreinfo="none">username</parameter> line is not a great
- solution in many cases as it means Samba will try to validate
- the supplied password against each of the usernames in the
- <parameter moreinfo="none">username</parameter> line in turn. This is slow and
- a bad idea for lots of users in case of duplicate passwords.
- You may get timeouts or security breaches using this parameter
- unwisely.</para>
-
- <para>Samba relies on the underlying UNIX security. This
- parameter does not restrict who can login, it just offers hints
- to the Samba server as to what usernames might correspond to the
- supplied password. Users can login as whoever they please and
- they will be able to do no more damage than if they started a
- telnet session. The daemon runs as the user that they log in as,
- so they cannot do anything that user cannot do.</para>
-
<para>To restrict a service to a particular set of users you
can use the <smbconfoption name="valid users"/> parameter.</para>
- <para>If any of the usernames begin with a '@' then the name
- will be looked up first in the NIS netgroups list (if Samba
- is compiled with netgroup support), followed by a lookup in
- the UNIX groups database and will expand to a list of all users
- in the group of that name.</para>
-
- <para>If any of the usernames begin with a '+' then the name
- will be looked up only in the UNIX groups database and will
- expand to a list of all users in the group of that name.</para>
-
- <para>If any of the usernames begin with a '&amp;' then the name
- will be looked up only in the NIS netgroups database (if Samba
- is compiled with netgroup support) and will expand to a list
- of all users in the netgroup group of that name.</para>
+ <para>This parameter is deprecated</para>
- <para>Note that searching though a groups database can take
- quite some time, and some clients may time out during the
- search.</para>
+ <para>However, it currently operates only in conjunction with
+ <smbconfoption name="only user"/>. The supported way to restrict
+ a service to a particular set of users is the
+ <smbconfoption name="valid users"/> parameter.</para>
- <para>See the section <link linkend="VALIDATIONSECT">NOTE ABOUT
- USERNAME/PASSWORD VALIDATION</link> for more information on how
- this parameter determines access to the services.</para>
</description>
<value type="default"><comment>The guest account if a guest service,
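Review bot: The second added paragraph repeats the pointer to "valid users" that the unchanged paragraph just above the additions ("To restrict a service to a particular set of users you can use the valid users parameter") already gives, so the resulting description says it twice; drop one of the two. The first added paragraph, `<para>This parameter is deprecated</para>`, lacks a closing full stop, and the "However," that opens the next paragraph has nothing to contrast with, so "It currently operates only in conjunction with only user" would read better. The hunk also deletes the description of the '@', '+' and '&' name prefixes while stating that username still operates together with only user; if group and netgroup expansion still applies in that mode the text describing it should stay, and if it does not, the description should say so, since administrators with such entries in an existing smb.conf need to know how they are now interpreted.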