Add new framework for smb.conf(5). Please read README before trying to compile.

I will commit more meta-information updates during week-end.
(This used to be commit 8d684dffab6a90b3d612a1aa2b2c457a2bc2e6ac)

1 files changed, 92 insertions, 0 deletions

diff --git a/docs/docbook/smbdotconf/security/passwordserver.xml b/docs/docbook/smbdotconf/security/passwordserver.xml
new file mode 100644
index 0000000000..df50ac8f8a
--- /dev/null
+++ b/docs/docbook/smbdotconf/security/passwordserver.xml
@@ -0,0 +1,92 @@
+<samba:parameter xmlns:samba="http://samba.org/common">
+		<term><anchor id="PASSWORDSERVER"/>password server (G)</term>
+		<listitem><para>By specifying the name of another SMB server (such 
+		as a WinNT box) with this option, and using <command moreinfo="none">security = domain
+		</command> or <command moreinfo="none">security = server</command> you can get Samba 
+		to do all its username/password validation via a remote server.</para>
+
+		<para>This option sets the name of the password server to use. 
+		It must be a NetBIOS name, so if the machine's NetBIOS name is 
+		different from its Internet name then you may have to add its NetBIOS 
+		name to the lmhosts  file which is stored in the same directory 
+		as the <filename moreinfo="none">smb.conf</filename> file.</para>
+
+		<para>The name of the password server is looked up using the 
+		parameter <link linkend="NAMERESOLVEORDER"><parameter moreinfo="none">name 
+		resolve order</parameter></link> and so may resolved
+		by any method and order described in that parameter.</para>
+
+		<para>The password server must be a machine capable of using 
+		the &quot;LM1.2X002&quot; or the &quot;NT LM 0.12&quot; protocol, and it must be in 
+		user level security mode.</para>
+
+		<para><emphasis>NOTE:</emphasis> Using a password server 
+		means your UNIX box (running Samba) is only as secure as your 
+		password server. <emphasis>DO NOT CHOOSE A PASSWORD SERVER THAT 
+		YOU DON'T COMPLETELY TRUST</emphasis>.</para>
+		
+		<para>Never point a Samba server at itself for password 
+		serving. This will cause a loop and could lock up your Samba 
+		server!</para>
+
+		<para>The name of the password server takes the standard 
+		substitutions, but probably the only useful one is <parameter moreinfo="none">%m
+		</parameter>, which means the Samba server will use the incoming 
+	 	client as the password server. If you use this then you better 
+		trust your clients, and you had better restrict them with hosts allow!</para>
+
+		<para>If the <parameter moreinfo="none">security</parameter> parameter is set to
+		<constant>domain</constant>, then the list of machines in this 
+		option must be a list of Primary or Backup Domain controllers for the
+		Domain or the character '*', as the Samba server is effectively
+		in that domain, and will use cryptographically authenticated RPC calls
+		to authenticate the user logging on. The advantage of using <command moreinfo="none">
+		security = domain</command> is that if you list several hosts in the 
+		<parameter moreinfo="none">password server</parameter> option then <command moreinfo="none">smbd
+		</command> will try each in turn till it finds one that responds. This 
+		is useful in case your primary server goes down.</para>
+
+		<para>If the <parameter moreinfo="none">password server</parameter> option is set 
+		to the character '*', then Samba will attempt to auto-locate the 
+		Primary or Backup Domain controllers to authenticate against by 
+		doing a query for the name <constant>WORKGROUP&lt;1C&gt;</constant> 
+		and then contacting each server returned in the list of IP 
+		addresses from the name resolution source. </para>
+
+		<para>If the list of servers contains both names and the '*'
+		character, the list is treated as a list of preferred 
+		domain controllers, but an auto lookup of all remaining DC's
+		will be added to the list as well.  Samba will not attempt to optimize 
+		this list by locating the closest DC.</para>
+		
+		<para>If the <parameter moreinfo="none">security</parameter> parameter is 
+		set to <constant>server</constant>, then there are different
+		restrictions that <command moreinfo="none">security = domain</command> doesn't 
+		suffer from:</para>
+
+		<itemizedlist>
+			<listitem><para>You may list several password servers in 
+			the <parameter moreinfo="none">password server</parameter> parameter, however if an 
+			<command moreinfo="none">smbd</command> makes a connection to a password server, 
+			and then the password server fails, no more users will be able 
+			to be authenticated from this <command moreinfo="none">smbd</command>.  This is a 
+			restriction of the SMB/CIFS protocol when in <command moreinfo="none">security = server
+			</command> mode and cannot be fixed in Samba.</para></listitem>
+
+			<listitem><para>If you are using a Windows NT server as your 
+			password server then you will have to ensure that your users 
+			are able to login from the Samba server, as when in <command moreinfo="none">
+			security = server</command>  mode the network logon will appear to 
+			come from there rather than from the users workstation.</para></listitem>
+		</itemizedlist>
+
+		<para>See also the <link linkend="SECURITY"><parameter moreinfo="none">security
+		</parameter></link> parameter.</para>
+
+		<para>Default: <command moreinfo="none">password server = &lt;empty string&gt;</command>
+		</para>
+		<para>Example: <command moreinfo="none">password server = NT-PDC, NT-BDC1, NT-BDC2, *
+		</command></para>
+		<para>Example: <command moreinfo="none">password server = *</command></para>
+		</listitem>
+		</samba:parameter>