summaryrefslogtreecommitdiff
path: root/docs/docbook/smbdotconf
diff options
context:
space:
mode:
authorGerald Carter <jerry@samba.org>2003-07-16 05:42:34 +0000
committerGerald Carter <jerry@samba.org>2003-07-16 05:42:34 +0000
commit1caa6b23e417f77e7b38ecdfa47d9abe8c7b7d0e (patch)
tree8bdf608593fc37227886691b0a12190dd1e8ba66 /docs/docbook/smbdotconf
parent4a090ba06a54f5da179ac02bb307cc03d08831bf (diff)
downloadsamba-1caa6b23e417f77e7b38ecdfa47d9abe8c7b7d0e.tar.gz
samba-1caa6b23e417f77e7b38ecdfa47d9abe8c7b7d0e.tar.bz2
samba-1caa6b23e417f77e7b38ecdfa47d9abe8c7b7d0e.zip
ading new files from 3.0
(This used to be commit 99feae7b5b1c229a925367b87c0c0f636d9a2d75)
Diffstat (limited to 'docs/docbook/smbdotconf')
-rw-r--r--docs/docbook/smbdotconf/misc/valid.xml18
-rw-r--r--docs/docbook/smbdotconf/printing/totalprintjobs.xml22
-rw-r--r--docs/docbook/smbdotconf/protocol/clientusespnego.xml13
-rw-r--r--docs/docbook/smbdotconf/protocol/mapaclinherit.xml17
-rw-r--r--docs/docbook/smbdotconf/protocol/profileacls.xml33
-rw-r--r--docs/docbook/smbdotconf/security/clientlanmanauth.xml28
-rw-r--r--docs/docbook/smbdotconf/security/clientntlmv2auth.xml26
-rw-r--r--docs/docbook/smbdotconf/vfs/vfsobjects.xml14
-rw-r--r--docs/docbook/smbdotconf/winbind/enableridalgorithm.xml17
-rw-r--r--docs/docbook/smbdotconf/winbind/idmapgid.xml18
-rw-r--r--docs/docbook/smbdotconf/winbind/idmapuid.xml14
-rw-r--r--docs/docbook/smbdotconf/winbind/templateprimarygroup.xml14
-rw-r--r--docs/docbook/smbdotconf/winbind/winbindenablelocalaccounts.xml16
-rw-r--r--docs/docbook/smbdotconf/winbind/winbindtrusteddomainsonly.xml16
14 files changed, 266 insertions, 0 deletions
diff --git a/docs/docbook/smbdotconf/misc/valid.xml b/docs/docbook/smbdotconf/misc/valid.xml
new file mode 100644
index 0000000000..b5756f0afe
--- /dev/null
+++ b/docs/docbook/smbdotconf/misc/valid.xml
@@ -0,0 +1,18 @@
+<samba:parameter name="-valid"
+ context="S"
+ xmlns:samba="http://samba.org/common">
+ <listitem>
+ <para> This parameter indicates whether a share is
+ valid and thus can be used. When this parameter is set to false,
+ the share will be in no way visible nor accessible.
+ </para>
+
+ <para>
+ This option should not be
+ used by regular users but might be of help to developers.
+ Samba uses this option internally to mark shares as deleted.
+ </para>
+
+ <para>Default: <emphasis>True</emphasis></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/printing/totalprintjobs.xml b/docs/docbook/smbdotconf/printing/totalprintjobs.xml
new file mode 100644
index 0000000000..ccdb137a69
--- /dev/null
+++ b/docs/docbook/smbdotconf/printing/totalprintjobs.xml
@@ -0,0 +1,22 @@
+<samba:parameter name="total print jobs"
+ context="G"
+ print="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This parameter accepts an integer value which defines
+ a limit on the maximum number of print jobs that will be accepted
+ system wide at any given time. If a print job is submitted
+ by a client which will exceed this number, then <citerefentry><refentrytitle>smbd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> will return an
+ error indicating that no space is available on the server. The
+ default value of 0 means that no such limit exists. This parameter
+ can be used to prevent a server from exceeding its capacity and is
+ designed as a printing throttle. See also <link linkend="MAXPRINTJOBS">
+ <parameter moreinfo="none">max print jobs</parameter></link>.
+ </para>
+
+ <para>Default: <command moreinfo="none">total print jobs = 0</command></para>
+
+ <para>Example: <command moreinfo="none">total print jobs = 5000</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/protocol/clientusespnego.xml b/docs/docbook/smbdotconf/protocol/clientusespnego.xml
new file mode 100644
index 0000000000..df25fbfb20
--- /dev/null
+++ b/docs/docbook/smbdotconf/protocol/clientusespnego.xml
@@ -0,0 +1,13 @@
+<samba:parameter name="client use spnego"
+ context="G"
+ developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para> This variable controls controls whether samba clients will try
+ to use Simple and Protected NEGOciation (as specified by rfc2478) with
+ WindowsXP and Windows2000 servers to agree upon an authentication mechanism.
+ </para>
+
+ <para>Default: <emphasis>client use spnego = yes</emphasis></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/protocol/mapaclinherit.xml b/docs/docbook/smbdotconf/protocol/mapaclinherit.xml
new file mode 100644
index 0000000000..5b8ed7f656
--- /dev/null
+++ b/docs/docbook/smbdotconf/protocol/mapaclinherit.xml
@@ -0,0 +1,17 @@
+<samba:parameter name="map acl inherit"
+ context="S"
+ advanced="1" wizard="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This boolean parameter controls whether <citerefentry><refentrytitle>smbd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> will attempt to map the 'inherit' and 'protected'
+ access control entry flags stored in Windows ACLs into an extended attribute
+ called user.SAMBA_PAI. This parameter only takes effect if Samba is being run
+ on a platform that supports extended attributes (Linux and IRIX so far) and
+ allows the Windows 2000 ACL editor to correctly use inheritance with the Samba
+ POSIX ACL mapping code.
+ </para>
+
+ <para>Default: <command moreinfo="none">map acl inherit = no</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/protocol/profileacls.xml b/docs/docbook/smbdotconf/protocol/profileacls.xml
new file mode 100644
index 0000000000..6f2b3ec510
--- /dev/null
+++ b/docs/docbook/smbdotconf/protocol/profileacls.xml
@@ -0,0 +1,33 @@
+<samba:parameter name="profile acls"
+ context="S"
+ advanced="1" wizard="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This boolean parameter controls whether <citerefentry><refentrytitle>smbd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry>
+ This boolean parameter was added to fix the problems that people have been
+ having with storing user profiles on Samba shares from Windows 2000 or
+ Windows XP clients. New versions of Windows 2000 or Windows XP service
+ packs do security ACL checking on the owner and ability to write of the
+ profile directory stored on a local workstation when copied from a Samba
+ share. When not in domain mode with winbindd then the security info copied
+ onto the local workstation has no meaning to the logged in user (SID) on
+ that workstation so the profile storing fails. Adding this parameter
+ onto a share used for profile storage changes two things about the
+ returned Windows ACL. Firstly it changes the owner and group owner
+ of all reported files and directories to be BUILTIN\\Administrators,
+ BUILTIN\\Users respectively (SIDs S-1-5-32-544, S-1-5-32-545). Secondly
+ it adds an ACE entry of "Full Control" to the SID BUILTIN\\Users to
+ every returned ACL. This will allow any Windows 2000 or XP workstation
+ user to access the profile. Note that if you have multiple users logging
+ on to a workstation then in order to prevent them from being able to access
+ each others profiles you must remove the "Bypass traverse checking" advanced
+ user right. This will prevent access to other users profile directories as
+ the top level profile directory (named after the user) is created by the
+ workstation profile code and has an ACL restricting entry to the directory
+ tree to the owning user.
+ </para>
+
+ <para>Default: <command moreinfo="none">profile acls = no</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/clientlanmanauth.xml b/docs/docbook/smbdotconf/security/clientlanmanauth.xml
new file mode 100644
index 0000000000..a427198ea3
--- /dev/null
+++ b/docs/docbook/smbdotconf/security/clientlanmanauth.xml
@@ -0,0 +1,28 @@
+<samba:parameter name="client lanman auth"
+ context="G"
+ advanced="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This parameter determines whether or not <citerefentry><refentrytitle>smbclient</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> and other samba client
+ tools will attempt to authenticate itself to servers using the
+ weaker LANMAN password hash. If disabled, only server which support NT
+ password hashes (e.g. Windows NT/2000, Samba, etc... but not
+ Windows 95/98) will be able to be connected from the Samba client.</para>
+
+ <para>The LANMAN encrypted response is easily broken, due to it's
+ case-insensitive nature, and the choice of algorithm. Clients
+ without Windows 95/98 servers are advised to disable
+ this option. </para>
+
+ <para>Disabling this option will also disable the <command
+ moreinfo="none">client plaintext auth</command> option</para>
+
+ <para>Likewise, if the <command moreinfo="none">client ntlmv2
+ auth</command> parameter is enabled, then only NTLMv2 logins will be
+ attempted. Not all servers support NTLMv2, and most will require
+ special configuration to us it.</para>
+
+ <para>Default : <command moreinfo="none">client lanman auth = yes</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/clientntlmv2auth.xml b/docs/docbook/smbdotconf/security/clientntlmv2auth.xml
new file mode 100644
index 0000000000..0bf196488b
--- /dev/null
+++ b/docs/docbook/smbdotconf/security/clientntlmv2auth.xml
@@ -0,0 +1,26 @@
+<samba:parameter name="client ntlmv2 auth"
+ context="G"
+ advanced="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This parameter determines whether or not <citerefentry><refentrytitle>smbclient</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> will attempt to
+ authenticate itself to servers using the NTLMv2 encrypted password
+ response.</para>
+
+ <para>If enabled, only an NTLMv2 and LMv2 response (both much more
+ secure than earlier versions) will be sent. Many servers
+ (including NT4 &lt; SP4, Win9x and Samba 2.2) are not compatible with
+ NTLMv2. </para>
+
+ <para>If disabled, an NTLM response (and possibly a LANMAN response)
+ will be sent by the client, depending on the value of <command
+ moreinfo="none">client lanman auth</command>. </para>
+
+ <para>Note that some sites (particularly
+ those following 'best practice' security polices) only allow NTLMv2
+ responses, and not the weaker LM or NTLM.</para>
+
+ <para>Default : <command moreinfo="none">client ntlmv2 auth = no</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/vfs/vfsobjects.xml b/docs/docbook/smbdotconf/vfs/vfsobjects.xml
new file mode 100644
index 0000000000..32a10b5bd6
--- /dev/null
+++ b/docs/docbook/smbdotconf/vfs/vfsobjects.xml
@@ -0,0 +1,14 @@
+<samba:parameter name="vfs objects"
+ context="S"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This parameter specifies the backend names which
+ are used for Samba VFS I/O operations. By default, normal
+ disk I/O operations are used but these can be overloaded
+ with one or more VFS objects. </para>
+
+ <para>Default: <emphasis>no value</emphasis></para>
+
+ <para>Example: <command moreinfo="none">vfs objects = extd_audit recycle</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/winbind/enableridalgorithm.xml b/docs/docbook/smbdotconf/winbind/enableridalgorithm.xml
new file mode 100644
index 0000000000..86786f0734
--- /dev/null
+++ b/docs/docbook/smbdotconf/winbind/enableridalgorithm.xml
@@ -0,0 +1,17 @@
+<samba:parameter name="enable rid algorithm"
+ context="G"
+ advanced="1" developer="1" hide="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This option is used to control whether or not smbd in Samba 3.0 should fallback
+ to the algorithm used by Samba 2.2 to generate user and group RIDs. The longterm
+ development goal is to remove the algorithmic mappings of RIDs altogether, but
+ this has proved to be difficult. This parameter is mainly provided so that
+ developers can turn the algorithm on and off and see what breaks. This parameter
+ should not be disabled by non-developers because certain features in Samba will fail
+ to work without it.
+ </para>
+
+ <para>Default: <command moreinfo="none">enable rid algorithm = &lt;yes&gt;</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/winbind/idmapgid.xml b/docs/docbook/smbdotconf/winbind/idmapgid.xml
new file mode 100644
index 0000000000..8bd46a80c6
--- /dev/null
+++ b/docs/docbook/smbdotconf/winbind/idmapgid.xml
@@ -0,0 +1,18 @@
+<samba:parameter name="idmap gid"
+ context="G"
+ advanced="1" developer="1" hide="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+
+ <para>The idmap gid parameter specifies the range of group ids that are allocated for
+ the purpose of mapping UNX groups to NT group SIDs. This range of group ids should have no
+ existing local or NIS groups within it as strange conflicts can occur otherwise.</para>
+
+ <para>The availability of an idmap gid range is essential for correct operation of
+ all group mapping.</para>
+
+ <para>Default: <command moreinfo="none">idmap gid = &lt;empty string&gt;</command></para>
+
+ <para>Example: <command moreinfo="none">idmap gid = 10000-20000</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/winbind/idmapuid.xml b/docs/docbook/smbdotconf/winbind/idmapuid.xml
new file mode 100644
index 0000000000..5e6a245bfe
--- /dev/null
+++ b/docs/docbook/smbdotconf/winbind/idmapuid.xml
@@ -0,0 +1,14 @@
+<samba:parameter name="idmap uid"
+ context="G"
+ advanced="1" developer="1" hide="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>The idmap uid parameter specifies the range of user ids that are allocated for use
+ in mapping UNIX users to NT user SIDs. This range of ids should have no existing local
+ or NIS users within it as strange conflicts can occur otherwise.</para>
+
+ <para>Default: <command moreinfo="none">idmap uid = &lt;empty string&gt;</command></para>
+
+ <para>Example: <command moreinfo="none">idmap uid = 10000-20000</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/winbind/templateprimarygroup.xml b/docs/docbook/smbdotconf/winbind/templateprimarygroup.xml
new file mode 100644
index 0000000000..bd59ea7ee0
--- /dev/null
+++ b/docs/docbook/smbdotconf/winbind/templateprimarygroup.xml
@@ -0,0 +1,14 @@
+<samba:parameter name="template primary group"
+ context="G"
+ advanced="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This option defines the default primary group for
+ each user created by <citerefentry><refentrytitle>winbindd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry>'s local account management
+ functions (similar to the 'add user script').
+ </para>
+
+ <para>Default: <command moreinfo="none">template primary group = nobody</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/winbind/winbindenablelocalaccounts.xml b/docs/docbook/smbdotconf/winbind/winbindenablelocalaccounts.xml
new file mode 100644
index 0000000000..f6e7cfb359
--- /dev/null
+++ b/docs/docbook/smbdotconf/winbind/winbindenablelocalaccounts.xml
@@ -0,0 +1,16 @@
+<samba:parameter name="winbind enable local accounts"
+ context="G"
+ advanced="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This parameter controls whether or not winbindd
+ will act as a stand in replacement for the various account
+ management hooks in smb.conf (e.g. 'add user script').
+ If enabled, winbindd will support the creation of local
+ users and groups as another source of UNIX account information
+ available via getpwnam() or getgrgid(), etc...
+ </para>
+
+ <para>Default: <command moreinfo="none">winbind enable local accounts = yes</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/winbind/winbindtrusteddomainsonly.xml b/docs/docbook/smbdotconf/winbind/winbindtrusteddomainsonly.xml
new file mode 100644
index 0000000000..bf383131d4
--- /dev/null
+++ b/docs/docbook/smbdotconf/winbind/winbindtrusteddomainsonly.xml
@@ -0,0 +1,16 @@
+<samba:parameter name="winbind trusted domains only"
+ context="G"
+ advanced="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<listitem>
+ <para>This parameter is designed to allow Samba servers that
+ are members of a Samba controlled domain to use UNIX accounts
+ distributed vi NIS, rsync, or LDAP as the uid's for winbindd users
+ in the hosts primary domain. Therefore, the user 'SAMBA\user1' would
+ be mapped to the account 'user1' in /etc/passwd instead of allocating
+ a new uid for him or her.
+ </para>
+
+ <para>Default: <command moreinfo="none">winbind trusted domains only = &lt;no&gt;</command></para>
+</listitem>
+</samba:parameter>