summaryrefslogtreecommitdiff
path: root/docs/smbdotconf/security/passwordserver.xml
diff options
context:
space:
mode:
authorJelmer Vernooij <jelmer@samba.org>2004-04-07 10:15:11 +0000
committerGerald W. Carter <jerry@samba.org>2008-04-23 08:45:43 -0500
commit992f1e6b8f86b346fddd266b04d29cde69585633 (patch)
tree878573999a6831aa14cd6b8072263eb5d5910aa4 /docs/smbdotconf/security/passwordserver.xml
parent65c0fd59203a3d9c4cb685e3a739f29f6f0c4fd6 (diff)
downloadsamba-992f1e6b8f86b346fddd266b04d29cde69585633.tar.gz
samba-992f1e6b8f86b346fddd266b04d29cde69585633.tar.bz2
samba-992f1e6b8f86b346fddd266b04d29cde69585633.zip
Add all the source files from the old CVS tree,
add the 5 missing chapters from the HOWTO and add jht's Samba by Example book. (This used to be commit 9fb5bcb93e57c5162b3ee6f9c7d777dc0269d100)
Diffstat (limited to 'docs/smbdotconf/security/passwordserver.xml')
-rw-r--r--docs/smbdotconf/security/passwordserver.xml100
1 files changed, 100 insertions, 0 deletions
diff --git a/docs/smbdotconf/security/passwordserver.xml b/docs/smbdotconf/security/passwordserver.xml
new file mode 100644
index 0000000000..19bf015435
--- /dev/null
+++ b/docs/smbdotconf/security/passwordserver.xml
@@ -0,0 +1,100 @@
+<samba:parameter name="password server"
+ context="G"
+ type="list"
+ advanced="1" wizard="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<description>
+ <para>By specifying the name of another SMB server
+ or Active Directory domain controller with this option,
+ and using <command moreinfo="none">security = [ads|domain|server]</command>
+ it is possible to get Samba to
+ to do all its username/password validation using a specific remote server.</para>
+
+ <para>This option sets the name or IP address of the password server to use.
+ New syntax has been added to support defining the port to use when connecting
+ to the server the case of an ADS realm. To define a port other than the
+ default LDAP port of 389, add the port number using a colon after the
+ name or IP address (e.g. 192.168.1.100:389). If you do not specify a port,
+ Samba will use the standard LDAP port of tcp/389. Note that port numbers
+ have no effect on password servers for Windows NT 4.0 domains or netbios
+ connections.</para>
+
+ <para>If parameter is a name, it is looked up using the
+ parameter <link linkend="NAMERESOLVEORDER"><parameter moreinfo="none">name
+ resolve order</parameter></link> and so may resolved
+ by any method and order described in that parameter.</para>
+
+ <para>The password server must be a machine capable of using
+ the &quot;LM1.2X002&quot; or the &quot;NT LM 0.12&quot; protocol, and it must be in
+ user level security mode.</para>
+
+ <note><para>Using a password server means your UNIX box (running
+ Samba) is only as secure as your password server. <emphasis>DO NOT
+ CHOOSE A PASSWORD SERVER THAT YOU DON'T COMPLETELY TRUST</emphasis>.
+ </para></note>
+
+ <para>Never point a Samba server at itself for password serving.
+ This will cause a loop and could lock up your Samba server!</para>
+
+ <para>The name of the password server takes the standard
+ substitutions, but probably the only useful one is <parameter moreinfo="none">%m
+ </parameter>, which means the Samba server will use the incoming
+ client as the password server. If you use this then you better
+ trust your clients, and you had better restrict them with hosts allow!</para>
+
+ <para>If the <parameter moreinfo="none">security</parameter> parameter is set to
+ <constant>domain</constant> or <constant>ads</constant>, then the list of machines in this
+ option must be a list of Primary or Backup Domain controllers for the
+ Domain or the character '*', as the Samba server is effectively
+ in that domain, and will use cryptographically authenticated RPC calls
+ to authenticate the user logging on. The advantage of using <command moreinfo="none">
+ security = domain</command> is that if you list several hosts in the
+ <parameter moreinfo="none">password server</parameter> option then <command moreinfo="none">smbd
+ </command> will try each in turn till it finds one that responds. This
+ is useful in case your primary server goes down.</para>
+
+ <para>If the <parameter moreinfo="none">password server</parameter> option is set
+ to the character '*', then Samba will attempt to auto-locate the
+ Primary or Backup Domain controllers to authenticate against by
+ doing a query for the name <constant>WORKGROUP&lt;1C&gt;</constant>
+ and then contacting each server returned in the list of IP
+ addresses from the name resolution source. </para>
+
+ <para>If the list of servers contains both names/IP's and the '*'
+ character, the list is treated as a list of preferred
+ domain controllers, but an auto lookup of all remaining DC's
+ will be added to the list as well. Samba will not attempt to optimize
+ this list by locating the closest DC.</para>
+
+ <para>If the <parameter moreinfo="none">security</parameter> parameter is
+ set to <constant>server</constant>, then there are different
+ restrictions that <command moreinfo="none">security = domain</command> doesn't
+ suffer from:</para>
+
+ <itemizedlist>
+ <listitem>
+ <para>You may list several password servers in
+ the <parameter moreinfo="none">password server</parameter> parameter, however if an
+ <command moreinfo="none">smbd</command> makes a connection to a password server,
+ and then the password server fails, no more users will be able
+ to be authenticated from this <command moreinfo="none">smbd</command>. This is a
+ restriction of the SMB/CIFS protocol when in <command moreinfo="none">security = server
+ </command> mode and cannot be fixed in Samba.</para>
+ </listitem>
+
+ <listitem>
+ <para>If you are using a Windows NT server as your
+ password server then you will have to ensure that your users
+ are able to login from the Samba server, as when in <command moreinfo="none">
+ security = server</command> mode the network logon will appear to
+ come from there rather than from the users workstation.</para>
+ </listitem>
+ </itemizedlist>
+</description>
+
+<related>security</related>
+<value type="default"></value>
+<value type="example">NT-PDC, NT-BDC1, NT-BDC2, *</value>
+<value type="example">windc.mydomain.com:389 192.168.1.101 *</value>
+<value type="example">*</value>
+</samba:parameter>