summaryrefslogtreecommitdiff
path: root/docs/docbook/smbdotconf/security
diff options
context:
space:
mode:
authorGerald Carter <jerry@samba.org>2003-07-16 05:34:56 +0000
committerGerald Carter <jerry@samba.org>2003-07-16 05:34:56 +0000
commit4a090ba06a54f5da179ac02bb307cc03d08831bf (patch)
treeed652ef36be7f16682c358816334f969a22f1c27 /docs/docbook/smbdotconf/security
parent95fe82670032a3a43571b46d7bbf2c26bc8cdcd9 (diff)
downloadsamba-4a090ba06a54f5da179ac02bb307cc03d08831bf.tar.gz
samba-4a090ba06a54f5da179ac02bb307cc03d08831bf.tar.bz2
samba-4a090ba06a54f5da179ac02bb307cc03d08831bf.zip
trying to get HEAD building again. If you want the code
prior to this merge, checkout HEAD_PRE_3_0_0_BETA_3_MERGE (This used to be commit adb98e7b7cd0f025b52c570e4034eebf4047b1ad)
Diffstat (limited to 'docs/docbook/smbdotconf/security')
-rw-r--r--docs/docbook/smbdotconf/security/authmethods.xml14
-rw-r--r--docs/docbook/smbdotconf/security/lanmanauth.xml16
-rw-r--r--docs/docbook/smbdotconf/security/ntlmauth.xml12
-rw-r--r--docs/docbook/smbdotconf/security/passdbbackend.xml51
-rw-r--r--docs/docbook/smbdotconf/security/passwordserver.xml32
-rw-r--r--docs/docbook/smbdotconf/security/restrictanonymous.xml15
-rw-r--r--docs/docbook/smbdotconf/security/security.xml28
7 files changed, 106 insertions, 62 deletions
diff --git a/docs/docbook/smbdotconf/security/authmethods.xml b/docs/docbook/smbdotconf/security/authmethods.xml
index 0b7965d55b..7c0f5a71e1 100644
--- a/docs/docbook/smbdotconf/security/authmethods.xml
+++ b/docs/docbook/smbdotconf/security/authmethods.xml
@@ -6,14 +6,24 @@
<para>This option allows the administrator to chose what
authentication methods <command moreinfo="none">smbd</command> will use when authenticating
a user. This option defaults to sensible values based on <link linkend="SECURITY">
- <parameter moreinfo="none">security</parameter></link>.</para>
+ <parameter moreinfo="none">security</parameter></link>. This should be considered
+ a developer option and used only in rare circumstances. In the majority (if not all)
+ of production servers, the default setting should be adequate.</para>
<para>Each entry in the list attempts to authenticate the user in turn, until
the user authenticates. In practice only one method will ever actually
be able to complete the authentication.
</para>
+ <para>Possible options include <constant>guest</constant> (anonymous access),
+ <constant>sam</constant> (lookups in local list of accounts based on netbios
+ name or domain name), <constant>winbind</constant> (relay authentication requests
+ for remote users through winbindd), <constant>ntdomain</constant> (pre-winbindd
+ method of authentication for remote domain users; deprecated in favour of winbind method),
+ <constant>trustdomain</constant> (authenticate trusted users by contacting the
+ remote DC directly from smbd; deprecated in favour of winbind method).</para>
+
<para>Default: <command moreinfo="none">auth methods = &lt;empty string&gt;</command></para>
- <para>Example: <command moreinfo="none">auth methods = guest sam ntdomain</command></para>
+ <para>Example: <command moreinfo="none">auth methods = guest sam winbind</command></para>
</listitem>
</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/lanmanauth.xml b/docs/docbook/smbdotconf/security/lanmanauth.xml
index e293242472..0a8fdd3ef3 100644
--- a/docs/docbook/smbdotconf/security/lanmanauth.xml
+++ b/docs/docbook/smbdotconf/security/lanmanauth.xml
@@ -8,7 +8,23 @@
using the LANMAN password hash. If disabled, only clients which support NT
password hashes (e.g. Windows NT/2000 clients, smbclient, etc... but not
Windows 95/98 or the MS DOS network client) will be able to connect to the Samba host.</para>
+
+ <para>The LANMAN encrypted response is easily broken, due to it's
+ case-insensitive nature, and the choice of algorithm. Servers
+ without Windows 95/98 or MS DOS clients are advised to disable
+ this option. </para>
+ <para>Unlike the <command moreinfo="none">encypt
+ passwords</command> option, this parameter cannot alter client
+ behaviour, and the LANMAN response will still be sent over the
+ network. See the <command moreinfo="none">client lanman
+ auth</command> to disable this for Samba's clients (such as smbclient)</para>
+
+ <para>If this option, and <command moreinfo="none">ntlm
+ auth</command> are both disabled, then only NTLMv2 logins will be
+ permited. Not all clients support NTLMv2, and most will require
+ special configuration to us it.</para>
+
<para>Default : <command moreinfo="none">lanman auth = yes</command></para>
</listitem>
</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/ntlmauth.xml b/docs/docbook/smbdotconf/security/ntlmauth.xml
index b0b3179ab7..96092152c9 100644
--- a/docs/docbook/smbdotconf/security/ntlmauth.xml
+++ b/docs/docbook/smbdotconf/security/ntlmauth.xml
@@ -4,11 +4,15 @@
xmlns:samba="http://samba.org/common">
<listitem>
<para>This parameter determines whether or not <citerefentry><refentrytitle>smbd</refentrytitle>
- <manvolnum>8</manvolnum></citerefentry> will attempt to authenticate users using the NTLM password hash.
- If disabled, only the lanman password hashes will be used.</para>
+ <manvolnum>8</manvolnum></citerefentry> will attempt to
+ authenticate users using the NTLM encrypted password response.
+ If disabled, either the lanman password hash or an NTLMv2 response
+ will need to be sent by the client.</para>
- <para>Please note that at least this option or <command moreinfo="none">lanman auth</command> should
- be enabled in order to be able to log in.</para>
+ <para>If this option, and <command moreinfo="none">lanman
+ auth</command> are both disabled, then only NTLMv2 logins will be
+ permited. Not all clients support NTLMv2, and most will require
+ special configuration to us it.</para>
<para>Default : <command moreinfo="none">ntlm auth = yes</command></para>
</listitem>
diff --git a/docs/docbook/smbdotconf/security/passdbbackend.xml b/docs/docbook/smbdotconf/security/passdbbackend.xml
index d755cfc313..1a3a83946a 100644
--- a/docs/docbook/smbdotconf/security/passdbbackend.xml
+++ b/docs/docbook/smbdotconf/security/passdbbackend.xml
@@ -24,15 +24,6 @@
</listitem>
<listitem>
- <para><command moreinfo="none">smbpasswd_nua</command> - The smbpasswd
- backend, but with support for 'not unix accounts'.
- Takes a path to the smbpasswd file as an optional argument.</para>
-
- <para>See also <link linkend="NONUNIXACCOUNTRANGE">
- <parameter moreinfo="none">non unix account range</parameter></link></para>
- </listitem>
-
- <listitem>
<para><command moreinfo="none">tdbsam</command> - The TDB based password storage
backend. Takes a path to the TDB as an optional argument (defaults to passdb.tdb
in the <link linkend="PRIVATEDIR">
@@ -40,32 +31,10 @@
</listitem>
<listitem>
- <para><command moreinfo="none">tdbsam_nua</command> - The TDB based password storage
- backend, with non unix account support. Takes a path to the TDB as an optional argument (defaults to passdb.tdb
- in the <link linkend="PRIVATEDIR">
- <parameter moreinfo="none">private dir</parameter></link> directory.</para>
-
- <para>See also <link linkend="NONUNIXACCOUNTRANGE">
- <parameter moreinfo="none">non unix account range</parameter></link></para>
- </listitem>
-
- <listitem>
<para><command moreinfo="none">ldapsam</command> - The LDAP based passdb
backend. Takes an LDAP URL as an optional argument (defaults to
<command moreinfo="none">ldap://localhost</command>)</para>
- </listitem>
- <listitem>
- <para><command moreinfo="none">ldapsam_nua</command> - The LDAP based passdb
- backend, with non unix account support. Takes an LDAP URL as an optional argument (defaults to
- <command moreinfo="none">ldap://localhost</command>)</para>
-
- <para>Note: In this module, any account without a matching POSIX account is regarded
- as 'non unix'. </para>
-
- <para>See also <link linkend="NONUNIXACCOUNTRANGE">
- <parameter moreinfo="none">non unix account range</parameter></link></para>
-
<para>LDAP connections should be secured where possible. This may be done using either
Start-TLS (see <link linkend="LDAPSSL"><parameter moreinfo="none">ldap ssl</parameter></link>) or by
specifying <parameter moreinfo="none">ldaps://</parameter> in
@@ -79,15 +48,29 @@
</para>
</listitem>
+ <listitem>
+ <para><command moreinfo="none">mysql</command> -
+ The MySQL based passdb backend. Takes an identifier as
+ argument. Read the Samba HOWTO Collection for configuration
+ details.
+ </para></listitem>
+
+ <listitem>
+ <para><command moreinfo="none">guest</command> -
+ Very simple backend that only provides one user: the guest user.
+ Only maps the NT guest user to the <parameter>guest account</parameter>.
+ Required in pretty much all situations.
+ </para></listitem>
+
</itemizedlist>
</para>
- <para>Default: <command moreinfo="none">passdb backend = smbpasswd unixsam</command></para>
+ <para>Default: <command moreinfo="none">passdb backend = smbpasswd</command></para>
<para>Example: <command moreinfo="none">passdb backend = tdbsam:/etc/samba/private/passdb.tdb smbpasswd:/etc/samba/smbpasswd guest</command></para>
- <para>Example: <command moreinfo="none">passdb backend = ldapsam_nua:ldaps://ldap.example.com guest</command></para>
+ <para>Example: <command moreinfo="none">passdb backend = ldapsam:ldaps://ldap.example.com guest</command></para>
- <para>Example: <command moreinfo="none">passdb backend = mysql:my_plugin_args tdbsam:/etc/samba/private/passdb.tdb</command></para>
+ <para>Example: <command moreinfo="none">passdb backend = mysql:my_plugin_args tdbsam:/etc/samba/private/passdb.tdb guest</command></para>
</listitem>
</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/passwordserver.xml b/docs/docbook/smbdotconf/security/passwordserver.xml
index e40ff32b75..f854027041 100644
--- a/docs/docbook/smbdotconf/security/passwordserver.xml
+++ b/docs/docbook/smbdotconf/security/passwordserver.xml
@@ -3,18 +3,22 @@
advanced="1" wizard="1" developer="1"
xmlns:samba="http://samba.org/common">
<listitem>
- <para>By specifying the name of another SMB server (such
- as a WinNT box) with this option, and using <command moreinfo="none">security = domain
- </command> or <command moreinfo="none">security = server</command> you can get Samba
- to do all its username/password validation via a remote server.</para>
+ <para>By specifying the name of another SMB server
+ or Active Directory domain controller with this option,
+ and using <command moreinfo="none">security = [ads|domain|server]</command>
+ it is possible to get Samba to
+ to do all its username/password validation using a specific remote server.</para>
- <para>This option sets the name of the password server to use.
- It must be a NetBIOS name, so if the machine's NetBIOS name is
- different from its Internet name then you may have to add its NetBIOS
- name to the lmhosts file which is stored in the same directory
- as the <filename moreinfo="none">smb.conf</filename> file.</para>
+ <para>This option sets the name or IP address of the password server to use.
+ New syntax has been added to support defining the port to use when connecting
+ to the server the case of an ADS realm. To define a port other than the
+ default LDAP port of 389, add the port number using a colon after the
+ name or IP address (e.g. 192.168.1.100:389). If you do not specify a port,
+ Samba will use the standard LDAP port of tcp/389. Note that port numbers
+ have no effect on password servers for Windows NT 4.0 domains or netbios
+ connections.</para>
- <para>The name of the password server is looked up using the
+ <para>If parameter is a name, it is looked up using the
parameter <link linkend="NAMERESOLVEORDER"><parameter moreinfo="none">name
resolve order</parameter></link> and so may resolved
by any method and order described in that parameter.</para>
@@ -38,14 +42,14 @@
trust your clients, and you had better restrict them with hosts allow!</para>
<para>If the <parameter moreinfo="none">security</parameter> parameter is set to
- <constant>domain</constant>, then the list of machines in this
+ <constant>domain</constant> or <constant>ads</constant>, then the list of machines in this
option must be a list of Primary or Backup Domain controllers for the
Domain or the character '*', as the Samba server is effectively
in that domain, and will use cryptographically authenticated RPC calls
to authenticate the user logging on. The advantage of using <command moreinfo="none">
security = domain</command> is that if you list several hosts in the
<parameter moreinfo="none">password server</parameter> option then <command moreinfo="none">smbd
- </command> will try each in turn till it finds one that responds. This
+ </command> will try each in turn till it finds one that responds. This
is useful in case your primary server goes down.</para>
<para>If the <parameter moreinfo="none">password server</parameter> option is set
@@ -55,7 +59,7 @@
and then contacting each server returned in the list of IP
addresses from the name resolution source. </para>
- <para>If the list of servers contains both names and the '*'
+ <para>If the list of servers contains both names/IP's and the '*'
character, the list is treated as a list of preferred
domain controllers, but an auto lookup of all remaining DC's
will be added to the list as well. Samba will not attempt to optimize
@@ -93,6 +97,8 @@
<para>Example: <command moreinfo="none">password server = NT-PDC, NT-BDC1, NT-BDC2, *</command></para>
+ <para>Example: <command moreinfo="none">password server = windc.mydomain.com:389 192.168.1.101 *</command></para>
+
<para>Example: <command moreinfo="none">password server = *</command></para>
</listitem>
</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/restrictanonymous.xml b/docs/docbook/smbdotconf/security/restrictanonymous.xml
index 803bc06b2b..25d2ba0df6 100644
--- a/docs/docbook/smbdotconf/security/restrictanonymous.xml
+++ b/docs/docbook/smbdotconf/security/restrictanonymous.xml
@@ -14,12 +14,21 @@
Windows 2000/XP and Samba, no anonymous connections are allowed at
all. This can break third party and Microsoft
applications which expect to be allowed to perform
- operations anonymously.
+ operations anonymously.</para>
+ <para>
The security advantage of using restrict anonymous = 1 is dubious,
as user and group list information can be obtained using other
- means.
- </para>
+ means.
+ </para>
+
+ <note>
+ <para>
+ The security advantage of using restrict anonymous = 2 is removed
+ by setting <link linkend="GUESTOK"><parameter moreinfo="none">guest
+ ok</parameter> = yes</link> on any share.
+ </para>
+ </note>
<para>Default: <command moreinfo="none">restrict anonymous = 0</command></para>
</listitem>
diff --git a/docs/docbook/smbdotconf/security/security.xml b/docs/docbook/smbdotconf/security/security.xml
index 68c5f2cdd2..030abc1de1 100644
--- a/docs/docbook/smbdotconf/security/security.xml
+++ b/docs/docbook/smbdotconf/security/security.xml
@@ -212,10 +212,9 @@
does not support them. However note that if encrypted passwords have been
negotiated then Samba cannot revert back to checking the UNIX password file,
it must have a valid <filename moreinfo="none">smbpasswd</filename> file to check
- users against. See the documentation file in the <filename moreinfo="none">docs/</filename> directory
- <filename moreinfo="none">ENCRYPTION.txt</filename> for details on how to set this up.</para>
+ users against. See the chapter about the User Database in the Samba HOWTO Collection for details on how to set this up.</para>
- <para><emphasis>Note</emphasis> this mode of operation has
+ <note><para>This mode of operation has
significant pitfalls, due to the fact that is activly initiates a
man-in-the-middle attack on the remote SMB server. In particular,
this mode of operation can cause significant resource consuption on
@@ -223,13 +222,13 @@
of the user's session. Furthermore, if this connection is lost,
there is no way to reestablish it, and futher authenticaions to the
Samba server may fail. (From a single client, till it disconnects).
- </para>
+ </para></note>
- <para><emphasis>Note</emphasis> that from the client's point of
+ <note><para>From the client's point of
view <command moreinfo="none">security = server</command> is the
same as <command moreinfo="none">security = user</command>. It
only affects how the server deals with the authentication, it does
- not in any way affect what the client sees.</para>
+ not in any way affect what the client sees.</para></note>
<para><emphasis>Note</emphasis> that the name of the resource being
requested is <emphasis>not</emphasis> sent to the server until after
@@ -246,6 +245,23 @@
<para>See also the <link linkend="PASSWORDSERVER"><parameter moreinfo="none">password
server</parameter></link> parameter and the <link linkend="ENCRYPTPASSWORDS">
<parameter moreinfo="none">encrypted passwords</parameter></link> parameter.</para>
+
+ <para><anchor id="SECURITYEQUALSADS"/><emphasis>SECURITY = ADS</emphasis></para>
+
+ <para>In this mode, Samba will act as a domain member in an ADS realm. To operate
+ in this mode, the machine running Samba will need to have Kerberos installed
+ and configured and Samba will need to be joined to the ADS realm using the
+ net utility. </para>
+
+ <para>Note that this mode does NOT make Samba operate as a Active Directory Domain
+ Controller. </para>
+
+ <para>Read the chapter about Domain Membership in the HOWTO for details.</para>
+
+ <para>See also the <link linkend="ADSSERVER"><parameter moreinfo="none">ads server
+ </parameter></link> parameter, the <link linkend="REALM"><parameter moreinfo="none">realm
+ </parameter></link> paramter and the <link linkend="ENCRYPTPASSWORDS">
+ <parameter moreinfo="none">encrypted passwords</parameter></link> parameter.</para>
<para>Default: <command moreinfo="none">security = USER</command></para>
<para>Example: <command moreinfo="none">security = DOMAIN</command></para>