summaryrefslogtreecommitdiff
path: root/docs/smbdotconf/security
diff options
context:
space:
mode:
authorJohn Terpstra <jht@samba.org>2005-07-06 21:23:58 +0000
committerGerald W. Carter <jerry@samba.org>2008-04-23 08:47:03 -0500
commit5357c5e6e30035fa8d7a552675aaa355f7a27bb4 (patch)
tree0dcd935b977c934f8280b14508f0bf300b78147d /docs/smbdotconf/security
parent021d72252114414238b31659ee0d090efe4450de (diff)
downloadsamba-5357c5e6e30035fa8d7a552675aaa355f7a27bb4.tar.gz
samba-5357c5e6e30035fa8d7a552675aaa355f7a27bb4.tar.bz2
samba-5357c5e6e30035fa8d7a552675aaa355f7a27bb4.zip
Removal of CRUFT. 50 lashes to those who created CRUFT. Argh.
(This used to be commit 555e174de5d390cdc744b8bcbecbeccc31079a23)
Diffstat (limited to 'docs/smbdotconf/security')
-rw-r--r--docs/smbdotconf/security/adminusers.xml3
-rw-r--r--docs/smbdotconf/security/allowtrusteddomains.xml4
-rw-r--r--docs/smbdotconf/security/authmethods.xml12
-rw-r--r--docs/smbdotconf/security/createmask.xml9
-rw-r--r--docs/smbdotconf/security/directorymask.xml6
-rw-r--r--docs/smbdotconf/security/encryptpasswords.xml2
-rw-r--r--docs/smbdotconf/security/forcegroup.xml4
-rw-r--r--docs/smbdotconf/security/guestaccount.xml3
-rw-r--r--docs/smbdotconf/security/guestok.xml10
-rw-r--r--docs/smbdotconf/security/guestonly.xml6
-rw-r--r--docs/smbdotconf/security/hostsallow.xml3
-rw-r--r--docs/smbdotconf/security/hostsequiv.xml3
-rw-r--r--docs/smbdotconf/security/inheritpermissions.xml24
-rw-r--r--docs/smbdotconf/security/maptoguest.xml9
-rw-r--r--docs/smbdotconf/security/obeypamrestrictions.xml4
-rw-r--r--docs/smbdotconf/security/onlyuser.xml3
-rw-r--r--docs/smbdotconf/security/pampasswordchange.xml5
-rw-r--r--docs/smbdotconf/security/passdbbackend.xml5
-rw-r--r--docs/smbdotconf/security/passwdchat.xml17
-rw-r--r--docs/smbdotconf/security/passwdchatdebug.xml4
-rw-r--r--docs/smbdotconf/security/passwordlevel.xml3
-rw-r--r--docs/smbdotconf/security/passwordserver.xml3
-rw-r--r--docs/smbdotconf/security/readlist.xml16
-rw-r--r--docs/smbdotconf/security/readonly.xml3
-rw-r--r--docs/smbdotconf/security/restrictanonymous.xml3
-rw-r--r--docs/smbdotconf/security/rootdirectory.xml5
-rw-r--r--docs/smbdotconf/security/security.xml85
-rw-r--r--docs/smbdotconf/security/serverschannel.xml24
-rw-r--r--docs/smbdotconf/security/updateencrypted.xml42
-rw-r--r--docs/smbdotconf/security/username.xml9
-rw-r--r--docs/smbdotconf/security/usernamemap.xml3
-rw-r--r--docs/smbdotconf/security/writeable.xml3
32 files changed, 139 insertions, 196 deletions
diff --git a/docs/smbdotconf/security/adminusers.xml b/docs/smbdotconf/security/adminusers.xml
index 6c2d8e8f72..d8f14b6d74 100644
--- a/docs/smbdotconf/security/adminusers.xml
+++ b/docs/smbdotconf/security/adminusers.xml
@@ -11,8 +11,7 @@
this list will be able to do anything they like on the share,
irrespective of file permissions.</para>
- <para>This parameter will not work with the <link linkend="SECURITY">
- <parameter moreinfo="none">security = share</parameter></link> in
+ <para>This parameter will not work with the <smbconfoption name="security">share</smbconfoption> in
Samba 3.0. This is by design.</para>
</description>
diff --git a/docs/smbdotconf/security/allowtrusteddomains.xml b/docs/smbdotconf/security/allowtrusteddomains.xml
index ad84513417..7bc5554550 100644
--- a/docs/smbdotconf/security/allowtrusteddomains.xml
+++ b/docs/smbdotconf/security/allowtrusteddomains.xml
@@ -4,8 +4,8 @@
advanced="1" developer="1"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
- <para>This option only takes effect when the <link linkend="SECURITY">
- <parameter moreinfo="none">security</parameter></link> option is set to
+ <para>
+ This option only takes effect when the <smbconfoption name="security"/> option is set to
<constant>server</constant>,<constant>domain</constant> or <constant>ads</constant>.
If it is set to no, then attempts to connect to a resource from
a domain or workgroup other than the one which smbd is running
diff --git a/docs/smbdotconf/security/authmethods.xml b/docs/smbdotconf/security/authmethods.xml
index 2eaf6a352b..6e6b88c519 100644
--- a/docs/smbdotconf/security/authmethods.xml
+++ b/docs/smbdotconf/security/authmethods.xml
@@ -4,12 +4,12 @@
basic="1" advanced="1" wizard="1" developer="1"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
- <para>This option allows the administrator to chose what
- authentication methods <command moreinfo="none">smbd</command> will use when authenticating
- a user. This option defaults to sensible values based on <link linkend="SECURITY">
- <parameter moreinfo="none">security</parameter></link>. This should be considered
- a developer option and used only in rare circumstances. In the majority (if not all)
- of production servers, the default setting should be adequate.</para>
+ <para>
+ This option allows the administrator to chose what authentication methods <command
+ moreinfo="none">smbd</command> will use when authenticating a user. This option defaults to sensible values
+ based on <smbconfoption name="security"/>. This should be considered a developer option and used only in rare
+ circumstances. In the majority (if not all) of production servers, the default setting should be adequate.
+ </para>
<para>Each entry in the list attempts to authenticate the user in turn, until
the user authenticates. In practice only one method will ever actually
diff --git a/docs/smbdotconf/security/createmask.xml b/docs/smbdotconf/security/createmask.xml
index 14b8253a87..7f9f93caaa 100644
--- a/docs/smbdotconf/security/createmask.xml
+++ b/docs/smbdotconf/security/createmask.xml
@@ -17,18 +17,15 @@
'group' and 'other' write and execute bits from the UNIX modes.</para>
<para>Following this Samba will bit-wise 'OR' the UNIX mode created
- from this parameter with the value of the <link linkend="FORCECREATEMODE">
- <parameter moreinfo="none">force create mode</parameter></link>
+ from this parameter with the value of the <smbconfoption name="force create mode"/>
parameter which is set to 000 by default.</para>
<para>This parameter does not affect directory modes. See the
- parameter <link linkend="DIRECTORYMODE"><parameter moreinfo="none">directory mode
- </parameter></link> for details.</para>
+ parameter <smbconfoption name="directory mode"/> for details.</para>
<para>Note that this parameter does not apply to permissions
set by Windows NT/2000 ACL editors. If the administrator wishes to enforce
- a mask on access control lists also, they need to set the <link linkend="SECURITYMASK">
- <parameter moreinfo="none">security mask</parameter></link>.</para>
+ a mask on access control lists also, they need to set the <smbconfoption name="security mask"/>.</para>
</description>
<related>force create mode</related>
diff --git a/docs/smbdotconf/security/directorymask.xml b/docs/smbdotconf/security/directorymask.xml
index 8662b31e15..414239bcff 100644
--- a/docs/smbdotconf/security/directorymask.xml
+++ b/docs/smbdotconf/security/directorymask.xml
@@ -21,14 +21,12 @@
user who owns the directory to modify it.</para>
<para>Following this Samba will bit-wise 'OR' the UNIX mode
- created from this parameter with the value of the <link linkend="FORCEDIRECTORYMODE">
- <parameter moreinfo="none">force directory mode</parameter></link> parameter.
+ created from this parameter with the value of the <smbconfoption name="force directory mode"/> parameter.
This parameter is set to 000 by default (i.e. no extra mode bits are added).</para>
<para>Note that this parameter does not apply to permissions
set by Windows NT/2000 ACL editors. If the administrator wishes to enforce
- a mask on access control lists also, they need to set the <link linkend="DIRECTORYSECURITYMASK">
- <parameter moreinfo="none">directory security mask</parameter></link>.</para>
+ a mask on access control lists also, they need to set the <smbconfoption name="directory security mask"/>.</para>
</description>
<related>force directory mode</related>
diff --git a/docs/smbdotconf/security/encryptpasswords.xml b/docs/smbdotconf/security/encryptpasswords.xml
index e3bc3f6dea..8d2b86cb8c 100644
--- a/docs/smbdotconf/security/encryptpasswords.xml
+++ b/docs/smbdotconf/security/encryptpasswords.xml
@@ -32,7 +32,7 @@
have access to a local <citerefentry><refentrytitle>smbpasswd</refentrytitle>
<manvolnum>5</manvolnum></citerefentry> file (see the <citerefentry><refentrytitle>smbpasswd</refentrytitle>
<manvolnum>8</manvolnum></citerefentry> program for information on how to set up
- and maintain this file), or set the <link linkend="SECURITY">security = [server|domain|ads]</link> parameter which
+ and maintain this file), or set the <smbconfoption name="security">[server|domain|ads]</smbconfoption> parameter which
causes <command moreinfo="none">smbd</command> to authenticate against another
server.</para>
</description>
diff --git a/docs/smbdotconf/security/forcegroup.xml b/docs/smbdotconf/security/forcegroup.xml
index 2d8f5790d8..f6c9974f99 100644
--- a/docs/smbdotconf/security/forcegroup.xml
+++ b/docs/smbdotconf/security/forcegroup.xml
@@ -25,8 +25,8 @@
primary group assigned to sys when accessing this Samba share. All
other users will retain their ordinary primary group.</para>
- <para>If the <link linkend="FORCEUSER"><parameter moreinfo="none">force user</parameter>
- </link> parameter is also set the group specified in
+ <para>
+ If the <smbconfoption name="force user"/> parameter is also set the group specified in
<parameter moreinfo="none">force group</parameter> will override the primary group
set in <parameter moreinfo="none">force user</parameter>.</para>
diff --git a/docs/smbdotconf/security/guestaccount.xml b/docs/smbdotconf/security/guestaccount.xml
index fd791c7423..8132835a82 100644
--- a/docs/smbdotconf/security/guestaccount.xml
+++ b/docs/smbdotconf/security/guestaccount.xml
@@ -5,8 +5,7 @@
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
<para>This is a username which will be used for access
- to services which are specified as <link linkend="GUESTOK"><parameter moreinfo="none">
- guest ok</parameter></link> (see below). Whatever privileges this
+ to services which are specified as <smbconfoption name="guest ok"/> (see below). Whatever privileges this
user has will be available to any client connecting to the guest service.
This user must exist in the password file, but does not require
a valid login. The user account &quot;ftp&quot; is often a good choice
diff --git a/docs/smbdotconf/security/guestok.xml b/docs/smbdotconf/security/guestok.xml
index f2e5f0adcd..7cbf4e50bb 100644
--- a/docs/smbdotconf/security/guestok.xml
+++ b/docs/smbdotconf/security/guestok.xml
@@ -7,15 +7,13 @@
<description>
<para>If this parameter is <constant>yes</constant> for
a service, then no password is required to connect to the service.
- Privileges will be those of the <link linkend="GUESTACCOUNT"><parameter moreinfo="none">
- guest account</parameter></link>.</para>
+ Privileges will be those of the <smbconfoption name="guest account"/>.</para>
<para>This paramater nullifies the benifits of setting
- <link linkend="RESTRICTANONYMOUS"><parameter moreinfo="none">restrict
- anonymous</parameter></link> = 2</para>
+ <smbconfoption name="restrict anonymous">2</smbconfoption>
+ </para>
- <para>See the section below on <link linkend="SECURITY"><parameter moreinfo="none">
- security</parameter></link> for more information about this option.
+ <para>See the section below on <smbconfoption name="security"/> for more information about this option.
</para>
</description>
<value type="default">no</value>
diff --git a/docs/smbdotconf/security/guestonly.xml b/docs/smbdotconf/security/guestonly.xml
index 9d70c16c3f..258eba9267 100644
--- a/docs/smbdotconf/security/guestonly.xml
+++ b/docs/smbdotconf/security/guestonly.xml
@@ -6,11 +6,9 @@
<description>
<para>If this parameter is <constant>yes</constant> for
a service, then only guest connections to the service are permitted.
- This parameter will have no effect if <link linkend="GUESTOK">
- <parameter moreinfo="none">guest ok</parameter></link> is not set for the service.</para>
+ This parameter will have no effect if <smbconfoption name="guest ok"/> is not set for the service.</para>
- <para>See the section below on <link linkend="SECURITY"><parameter moreinfo="none">
- security</parameter></link> for more information about this option.
+ <para>See the section below on <smbconfoption name="security"/> for more information about this option.
</para>
</description>
<value type="default">no</value>
diff --git a/docs/smbdotconf/security/hostsallow.xml b/docs/smbdotconf/security/hostsallow.xml
index e71377a289..5e807daa68 100644
--- a/docs/smbdotconf/security/hostsallow.xml
+++ b/docs/smbdotconf/security/hostsallow.xml
@@ -24,8 +24,7 @@
be given here also.</para>
<para>Note that the localhost address 127.0.0.1 will always
- be allowed access unless specifically denied by a <link linkend="HOSTSDENY">
- <parameter moreinfo="none">hosts deny</parameter></link> option.</para>
+ be allowed access unless specifically denied by a <smbconfoption name="hosts deny"/> option.</para>
<para>You can also specify hosts by network/netmask pairs and
by netgroup names if your system supports netgroups. The
diff --git a/docs/smbdotconf/security/hostsequiv.xml b/docs/smbdotconf/security/hostsequiv.xml
index 014c75369a..db7cbaffc8 100644
--- a/docs/smbdotconf/security/hostsequiv.xml
+++ b/docs/smbdotconf/security/hostsequiv.xml
@@ -9,8 +9,7 @@
and users who will be allowed access without specifying a password.
</para>
- <para>This is not be confused with <link linkend="HOSTSALLOW">
- <parameter moreinfo="none">hosts allow</parameter></link> which is about hosts
+ <para>This is not be confused with <smbconfoption name="hosts allow"/> which is about hosts
access to services and is more useful for guest services. <parameter moreinfo="none">
hosts equiv</parameter> may be useful for NT clients which will
not supply passwords to Samba.</para>
diff --git a/docs/smbdotconf/security/inheritpermissions.xml b/docs/smbdotconf/security/inheritpermissions.xml
index b6c774ab93..6e09f4f033 100644
--- a/docs/smbdotconf/security/inheritpermissions.xml
+++ b/docs/smbdotconf/security/inheritpermissions.xml
@@ -3,24 +3,20 @@
type="boolean"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
- <para>The permissions on new files and directories
- are normally governed by <link linkend="CREATEMASK"><parameter moreinfo="none">
- create mask</parameter></link>, <link linkend="DIRECTORYMASK">
- <parameter moreinfo="none">directory mask</parameter></link>, <link linkend="FORCECREATEMODE">
- <parameter moreinfo="none">force create mode</parameter>
- </link> and <link linkend="FORCEDIRECTORYMODE"><parameter moreinfo="none">force
- directory mode</parameter></link> but the boolean inherit
- permissions parameter overrides this.</para>
+ <para>
+ The permissions on new files and directories are normally governed by <smbconfoption name="create mask"/>,
+ <smbconfoption name="directory mask"/>, <smbconfoption name="force create mode"/> and <smbconfoption
+ name="force directory mode"/> but the boolean inherit permissions parameter overrides this.
+ </para>
<para>New directories inherit the mode of the parent directory,
including bits such as setgid.</para>
- <para>New files inherit their read/write bits from the parent
- directory. Their execute bits continue to be determined by
- <link linkend="MAPARCHIVE"><parameter moreinfo="none">map archive</parameter>
- </link>, <link linkend="MAPHIDDEN"><parameter moreinfo="none">map hidden</parameter>
- </link> and <link linkend="MAPSYSTEM"><parameter moreinfo="none">map system</parameter>
- </link> as usual.</para>
+ <para>
+ New files inherit their read/write bits from the parent directory. Their execute bits continue to be
+ determined by <smbconfoption name="map archive"/>, <smbconfoption name="map hidden"/> and <smbconfoption
+ name="map system"/> as usual.
+ </para>
<para>Note that the setuid bit is <emphasis>never</emphasis> set via
inheritance (the code explicitly prohibits this).</para>
diff --git a/docs/smbdotconf/security/maptoguest.xml b/docs/smbdotconf/security/maptoguest.xml
index 8993959073..52600a5dcc 100644
--- a/docs/smbdotconf/security/maptoguest.xml
+++ b/docs/smbdotconf/security/maptoguest.xml
@@ -4,8 +4,8 @@
advanced="1" developer="1"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
- <para>This parameter is only useful in <link linkend="SECURITY">
- security</link> modes other than <parameter moreinfo="none">security = share</parameter>
+ <para>This parameter is only useful in <smbconfoption name="SECURITY">
+ security</smbconfoption> modes other than <parameter moreinfo="none">security = share</parameter>
- i.e. <constant>user</constant>, <constant>server</constant>,
and <constant>domain</constant>.</para>
@@ -27,14 +27,13 @@
<para><constant>Bad User</constant> - Means user
logins with an invalid password are rejected, unless the username
does not exist, in which case it is treated as a guest login and
- mapped into the <link linkend="GUESTACCOUNT"><parameter moreinfo="none">
- guest account</parameter></link>.</para>
+ mapped into the <smbconfoption name="guest account"/>.</para>
</listitem>
<listitem>
<para><constant>Bad Password</constant> - Means user logins
with an invalid password are treated as a guest login and mapped
- into the <link linkend="GUESTACCOUNT">guest account</link>. Note that
+ into the <smbconfoption name="guest account"/>. Note that
this can cause problems as it means that any user incorrectly typing
their password will be silently logged on as &quot;guest&quot; - and
will not know the reason they cannot access files they think
diff --git a/docs/smbdotconf/security/obeypamrestrictions.xml b/docs/smbdotconf/security/obeypamrestrictions.xml
index fd12e456b6..40777f4f5d 100644
--- a/docs/smbdotconf/security/obeypamrestrictions.xml
+++ b/docs/smbdotconf/security/obeypamrestrictions.xml
@@ -9,8 +9,8 @@
should obey PAM's account and session management directives. The
default behavior is to use PAM for clear text authentication only
and to ignore any account or session management. Note that Samba
- always ignores PAM for authentication in the case of <link linkend="ENCRYPTPASSWORDS">
- <parameter moreinfo="none">encrypt passwords = yes</parameter></link>. The reason
+ always ignores PAM for authentication in the case of <smbconfoption
+ name="encrypt passwords">yes</smbconfoption>. The reason
is that PAM modules cannot support the challenge/response
authentication mechanism needed in the presence of SMB password encryption.
</para>
diff --git a/docs/smbdotconf/security/onlyuser.xml b/docs/smbdotconf/security/onlyuser.xml
index d94d3d523d..b1ef1b7606 100644
--- a/docs/smbdotconf/security/onlyuser.xml
+++ b/docs/smbdotconf/security/onlyuser.xml
@@ -9,8 +9,7 @@
client can supply a username to be used by the server. Enabling
this parameter will force the server to only use the login
names from the <parameter moreinfo="none">user</parameter> list and is only really
- useful in <link linkend="SECURITYEQUALSSHARE">share level</link>
- security.</para>
+ useful in <smbconfoption name="security">share</smbconfoption> level security.</para>
<para>Note that this also means Samba won't try to deduce
usernames from the service name. This can be annoying for
diff --git a/docs/smbdotconf/security/pampasswordchange.xml b/docs/smbdotconf/security/pampasswordchange.xml
index 22dc98d4e9..e5c04d405c 100644
--- a/docs/smbdotconf/security/pampasswordchange.xml
+++ b/docs/smbdotconf/security/pampasswordchange.xml
@@ -8,10 +8,9 @@
this parameter, it is possible to use PAM's password change control
flag for Samba. If enabled, then PAM will be used for password
changes when requested by an SMB client instead of the program listed in
- <link linkend="PASSWDPROGRAM"><parameter moreinfo="none">passwd program</parameter></link>.
+ <smbconfoption name="passwd program"/>.
It should be possible to enable this without changing your
- <link linkend="PASSWDCHAT"><parameter moreinfo="none">passwd chat</parameter></link>
- parameter for most setups.</para>
+ <smbconfoption name="passwd chat"/> parameter for most setups.</para>
</description>
<value type="default">no</value>
diff --git a/docs/smbdotconf/security/passdbbackend.xml b/docs/smbdotconf/security/passdbbackend.xml
index 74f26b89ea..bbe1d13106 100644
--- a/docs/smbdotconf/security/passdbbackend.xml
+++ b/docs/smbdotconf/security/passdbbackend.xml
@@ -27,8 +27,7 @@
<listitem>
<para><command moreinfo="none">tdbsam</command> - The TDB based password storage
backend. Takes a path to the TDB as an optional argument (defaults to passdb.tdb
- in the <link linkend="PRIVATEDIR">
- <parameter moreinfo="none">private dir</parameter></link> directory.</para>
+ in the <smbconfoption name="private dir"/> directory.</para>
</listitem>
<listitem>
@@ -37,7 +36,7 @@
<command moreinfo="none">ldap://localhost</command>)</para>
<para>LDAP connections should be secured where possible. This may be done using either
- Start-TLS (see <link linkend="LDAPSSL"><parameter moreinfo="none">ldap ssl</parameter></link>) or by
+ Start-TLS (see <smbconfoption name="ldap ssl"/>) or by
specifying <parameter moreinfo="none">ldaps://</parameter> in
the URL argument. </para>
diff --git a/docs/smbdotconf/security/passwdchat.xml b/docs/smbdotconf/security/passwdchat.xml
index f3a7395710..32ae5b3033 100644
--- a/docs/smbdotconf/security/passwdchat.xml
+++ b/docs/smbdotconf/security/passwdchat.xml
@@ -10,22 +10,20 @@
program to change the user's password. The string describes a
sequence of response-receive pairs that <citerefentry><refentrytitle>smbd</refentrytitle>
<manvolnum>8</manvolnum></citerefentry> uses to determine what to send to the
- <link linkend="PASSWDPROGRAM"><parameter moreinfo="none">passwd program</parameter>
- </link> and what to expect back. If the expected output is not
+ <smbconfoption name="passwd program"/> and what to expect back. If the expected output is not
received then the password is not changed.</para>
<para>This chat sequence is often quite site specific, depending
on what local methods are used for password control (such as NIS
etc).</para>
- <para>Note that this parameter only is only used if the <link
- linkend="UNIXPASSWORDSYNC"> <parameter moreinfo="none">unix password sync</parameter>
- </link> parameter is set to <constant>yes</constant>. This sequence is
+ <para>Note that this parameter only is only used if the <smbconfoption
+ name="unix password sync"/> parameter is set to <constant>yes</constant>. This sequence is
then called <emphasis>AS ROOT</emphasis> when the SMB password in the
smbpasswd file is being changed, without access to the old password
cleartext. This means that root must be able to reset the user's password without
knowing the text of the previous password. In the presence of
- NIS/YP, this means that the <link linkend="PASSWDPROGRAM">passwd program</link> must
+ NIS/YP, this means that the <smbconfoption name="passwd program"/> must
be executed on the NIS master.
</para>
@@ -41,10 +39,9 @@
stop &quot;.&quot;, then no string is sent. Similarly, if the
expect string is a full stop then no string is expected.</para>
- <para>If the <link linkend="PAMPASSWORDCHANGE"><parameter moreinfo="none">pam
- password change</parameter></link> parameter is set to <constant>yes</constant>, the chat pairs
- may be matched in any order, and success is determined by the PAM result,
- not any particular output. The \n macro is ignored for PAM conversions.
+ <para>If the <smbconfoption name="pam password change"/> parameter is set to <constant>yes</constant>, the
+ chat pairs may be matched in any order, and success is determined by the PAM result, not any particular
+ output. The \n macro is ignored for PAM conversions.
</para>
</description>
diff --git a/docs/smbdotconf/security/passwdchatdebug.xml b/docs/smbdotconf/security/passwdchatdebug.xml
index 6211688eb7..78714ab8b5 100644
--- a/docs/smbdotconf/security/passwdchatdebug.xml
+++ b/docs/smbdotconf/security/passwdchatdebug.xml
@@ -9,13 +9,13 @@
strings passed to and received from the passwd chat are printed
in the <citerefentry><refentrytitle>smbd</refentrytitle>
<manvolnum>8</manvolnum></citerefentry> log with a
- <link linkend="DEBUGLEVEL"><parameter moreinfo="none">debug level</parameter></link>
+ <smbconfoption name="debug level"/>
of 100. This is a dangerous option as it will allow plaintext passwords
to be seen in the <command moreinfo="none">smbd</command> log. It is available to help
Samba admins debug their <parameter moreinfo="none">passwd chat</parameter> scripts
when calling the <parameter moreinfo="none">passwd program</parameter> and should
be turned off after this has been done. This option has no effect if the
- <link linkend="PAMPASSWORDCHANGE"><parameter moreinfo="none">pam password change</parameter></link>
+ <smbconfoption name="pam password change"/>
paramter is set. This parameter is off by default.</para>
</description>
diff --git a/docs/smbdotconf/security/passwordlevel.xml b/docs/smbdotconf/security/passwordlevel.xml
index 33a0f13e2a..1da11e406b 100644
--- a/docs/smbdotconf/security/passwordlevel.xml
+++ b/docs/smbdotconf/security/passwordlevel.xml
@@ -40,8 +40,7 @@
<para>This parameter is used only when using plain-text passwords. It is
not at all used when encrypted passwords as in use (that is the default
- since samba-3.0.0). Use this only when <link linkend="ENCRYPTPASSWORDS">
- encrypt passwords = No</link>.</para>
+ since samba-3.0.0). Use this only when <smbconfoption name="encrypt passwords">No</smbconfoption>.</para>
</description>
<value type="default">0</value>
diff --git a/docs/smbdotconf/security/passwordserver.xml b/docs/smbdotconf/security/passwordserver.xml
index 4836a17731..188cea88d1 100644
--- a/docs/smbdotconf/security/passwordserver.xml
+++ b/docs/smbdotconf/security/passwordserver.xml
@@ -20,8 +20,7 @@
connections.</para>
<para>If parameter is a name, it is looked up using the
- parameter <link linkend="NAMERESOLVEORDER"><parameter moreinfo="none">name
- resolve order</parameter></link> and so may resolved
+ parameter <smbconfoption name="name resolve order"/> and so may resolved
by any method and order described in that parameter.</para>
<para>The password server must be a machine capable of using
diff --git a/docs/smbdotconf/security/readlist.xml b/docs/smbdotconf/security/readlist.xml
index 613758ec2a..df6b4f129b 100644
--- a/docs/smbdotconf/security/readlist.xml
+++ b/docs/smbdotconf/security/readlist.xml
@@ -3,16 +3,14 @@
type="list"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
- <para>This is a list of users that are given read-only
- access to a service. If the connecting user is in this list then
- they will not be given write access, no matter what the <link linkend="READONLY">
- <parameter moreinfo="none">read only</parameter></link>
- option is set to. The list can include group names using the
- syntax described in the <link linkend="INVALIDUSERS"><parameter moreinfo="none">
- invalid users</parameter></link> parameter.</para>
+ <para>
+ This is a list of users that are given read-only access to a service. If the connecting user is in this list
+ then they will not be given write access, no matter what the <smbconfoption name="read only"/> option is set
+ to. The list can include group names using the syntax described in the <smbconfoption name="invalid users"/>
+ parameter.
+ </para>
- <para>This parameter will not work with the <link linkend="SECURITY">
- <parameter moreinfo="none">security = share</parameter></link> in
+ <para>This parameter will not work with the <smbconfoption name="security">share</smbconfoption> in
Samba 3.0. This is by design.</para>
</description>
diff --git a/docs/smbdotconf/security/readonly.xml b/docs/smbdotconf/security/readonly.xml
index 686b28aede..6e1f6dd2b8 100644
--- a/docs/smbdotconf/security/readonly.xml
+++ b/docs/smbdotconf/security/readonly.xml
@@ -4,8 +4,7 @@
basic="1" advanced="1"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
- <para>An inverted synonym is <link linkend="WRITEABLE">
- <parameter moreinfo="none">writeable</parameter></link>.</para>
+ <para>An inverted synonym is <smbconfoption name="writeable"/>.</para>
<para>If this parameter is <constant>yes</constant>, then users
of a service may not create or modify files in the service's
diff --git a/docs/smbdotconf/security/restrictanonymous.xml b/docs/smbdotconf/security/restrictanonymous.xml
index a7aaa31b0b..2a45ef1561 100644
--- a/docs/smbdotconf/security/restrictanonymous.xml
+++ b/docs/smbdotconf/security/restrictanonymous.xml
@@ -29,8 +29,7 @@ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
<note>
<para>
The security advantage of using restrict anonymous = 2 is removed
- by setting <link linkend="GUESTOK"><parameter moreinfo="none">guest
- ok</parameter> = yes</link> on any share.
+ by setting <smbconfoption name="guest ok">yes</smbconfoption> on any share.
</para>
</note>
</description>
diff --git a/docs/smbdotconf/security/rootdirectory.xml b/docs/smbdotconf/security/rootdirectory.xml
index ed894d57cb..8736598001 100644
--- a/docs/smbdotconf/security/rootdirectory.xml
+++ b/docs/smbdotconf/security/rootdirectory.xml
@@ -12,9 +12,8 @@
server will deny access to files not in one of the service entries.
It may also check for, and deny access to, soft links to other
parts of the filesystem, or attempts to use &quot;..&quot; in file names
- to access other directories (depending on the setting of the <link linkend="WIDELINKS">
- <parameter moreinfo="none">wide links</parameter></link>
- parameter).
+ to access other directories (depending on the setting of the
+ <smbconfoption name="wide smbconfoptions"/> parameter).
</para>
<para>Adding a <parameter moreinfo="none">root directory</parameter> entry other
diff --git a/docs/smbdotconf/security/security.xml b/docs/smbdotconf/security/security.xml
index fe5cf5404f..226d1c1270 100644
--- a/docs/smbdotconf/security/security.xml
+++ b/docs/smbdotconf/security/security.xml
@@ -47,13 +47,11 @@
want to mainly setup shares without a password (guest shares). This
is commonly used for a shared printer server. It is more difficult
to setup guest shares with <command moreinfo="none">security = user</command>, see
- the <link linkend="MAPTOGUEST"><parameter moreinfo="none">map to guest</parameter>
- </link>parameter for details.</para>
+ the <smbconfoption name="map to guest"/>parameter for details.</para>
<para>It is possible to use <command moreinfo="none">smbd</command> in a <emphasis>
hybrid mode</emphasis> where it is offers both user and share
- level security under different <link linkend="NETBIOSALIASES">
- <parameter moreinfo="none">NetBIOS aliases</parameter></link>. </para>
+ level security under different <smbconfoption name="NetBIOS aliases"/>. </para>
<para>The different settings will now be explained.</para>
@@ -83,17 +81,14 @@
<itemizedlist>
<listitem>
- <para>If the <link linkend="GUESTONLY"><parameter moreinfo="none">guest
- only</parameter></link> parameter is set, then all the other
- stages are missed and only the <link linkend="GUESTACCOUNT">
- <parameter moreinfo="none">guest account</parameter></link> username is checked.
+ <para>If the <smbconfoption name="guest only"/> parameter is set, then all the other
+ stages are missed and only the <smbconfoption name="guest account"/> username is checked.
</para>
</listitem>
<listitem>
<para>Is a username is sent with the share connection
- request, then this username (after mapping - see <link linkend="USERNAMEMAP">
- <parameter moreinfo="none">username map</parameter></link>),
+ request, then this username (after mapping - see <smbconfoption name="username map"/>),
is added as a potential username.
</para>
</listitem>
@@ -118,8 +113,7 @@
</listitem>
<listitem>
- <para>Any users on the <link linkend="USER"><parameter moreinfo="none">
- user</parameter></link> list are added as potential usernames.
+ <para>Any users on the <smbconfoption name="user"/> list are added as potential usernames.
</para>
</listitem>
</itemizedlist>
@@ -145,13 +139,10 @@
<para>This is the default security setting in Samba 3.0.
With user-level security a client must first &quot;log-on&quot; with a
- valid username and password (which can be mapped using the <link linkend="USERNAMEMAP">
- <parameter moreinfo="none">username map</parameter></link>
- parameter). Encrypted passwords (see the <link linkend="ENCRYPTPASSWORDS">
- <parameter moreinfo="none">encrypted passwords</parameter></link> parameter) can also
- be used in this security mode. Parameters such as <link linkend="USER">
- <parameter moreinfo="none">user</parameter></link> and <link linkend="GUESTONLY">
- <parameter moreinfo="none">guest only</parameter></link> if set are then applied and
+ valid username and password (which can be mapped using the <smbconfoption name="username map"/>
+ parameter). Encrypted passwords (see the <smbconfoption name="encrypted passwords"/> parameter) can also
+ be used in this security mode. Parameters such as <smbconfoption name="user"/> and <smbconfoption
+ name="guest only"/> if set are then applied and
may change the UNIX user to use on this connection, but only after
the user has been successfully authenticated.</para>
@@ -159,21 +150,17 @@
requested is <emphasis>not</emphasis> sent to the server until after
the server has successfully authenticated the client. This is why
guest shares don't work in user level security without allowing
- the server to automatically map unknown users into the <link linkend="GUESTACCOUNT">
- <parameter moreinfo="none">guest account</parameter></link>.
- See the <link linkend="MAPTOGUEST"><parameter moreinfo="none">map to guest</parameter>
- </link> parameter for details on doing this.</para>
+ the server to automatically map unknown users into the <smbconfoption name="guest account"/>.
+ See the <smbconfoption name="map to guest"/> parameter for details on doing this.</para>
- <para>See also the section <link linkend="VALIDATIONSECT">
- NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para>
+ <para>See also the section <link linkend="VALIDATIONSECT">NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para>
<para><anchor id="SECURITYEQUALSDOMAIN"/><emphasis>SECURITY = DOMAIN</emphasis></para>
<para>This mode will only work correctly if <citerefentry><refentrytitle>net</refentrytitle>
<manvolnum>8</manvolnum></citerefentry> has been used to add this
- machine into a Windows NT Domain. It expects the <link linkend="ENCRYPTPASSWORDS">
- <parameter moreinfo="none">encrypted passwords</parameter>
- </link> parameter to be set to <constant>yes</constant>. In this
+ machine into a Windows NT Domain. It expects the <smbconfoption name="encrypted passwords"/>
+ parameter to be set to <constant>yes</constant>. In this
mode Samba will try to validate the username/password by passing
it to a Windows NT Primary or Backup Domain Controller, in exactly
the same way that a Windows NT Server would do.</para>
@@ -192,31 +179,26 @@
requested is <emphasis>not</emphasis> sent to the server until after
the server has successfully authenticated the client. This is why
guest shares don't work in user level security without allowing
- the server to automatically map unknown users into the <link linkend="GUESTACCOUNT">
- <parameter moreinfo="none">guest account</parameter></link>.
- See the <link linkend="MAPTOGUEST"><parameter moreinfo="none">map to guest</parameter>
- </link> parameter for details on doing this.</para>
+ the server to automatically map unknown users into the <smbconfoption name="guest account"/>.
+ See the <smbconfoption name="map to guest"/> parameter for details on doing this.</para>
<para>See also the section <link linkend="VALIDATIONSECT">
NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para>
- <para>See also the <link linkend="PASSWORDSERVER"><parameter moreinfo="none">password
- server</parameter></link> parameter and the <link linkend="ENCRYPTPASSWORDS">
- <parameter moreinfo="none">encrypted passwords</parameter>
- </link> parameter.</para>
+ <para>See also the <smbconfoption name="password server"/> parameter and
+ the <smbconfoption name="encrypted passwords"/> parameter.</para>
<para><anchor id="SECURITYEQUALSSERVER"/><emphasis>SECURITY = SERVER</emphasis></para>
- <para>In this mode Samba will try to validate the username/password
- by passing it to another SMB server, such as an NT box. If this
- fails it will revert to <command moreinfo="none">security =
- user</command>. It expects the <link linkend="ENCRYPTPASSWORDS">
- <parameter moreinfo="none">encrypted passwords</parameter></link> parameter
- to be set to <constant>yes</constant>, unless the remote server
- does not support them. However note that if encrypted passwords have been
- negotiated then Samba cannot revert back to checking the UNIX password file,
- it must have a valid <filename moreinfo="none">smbpasswd</filename> file to check
- users against. See the chapter about the User Database in the Samba HOWTO Collection for details on how to set this up.</para>
+ <para>
+ In this mode Samba will try to validate the username/password by passing it to another SMB server, such as an
+ NT box. If this fails it will revert to <command moreinfo="none">security = user</command>. It expects the
+ <smbconfoption name="encrypted passwords"/> parameter to be set to <constant>yes</constant>, unless the remote
+ server does not support them. However note that if encrypted passwords have been negotiated then Samba cannot
+ revert back to checking the UNIX password file, it must have a valid <filename
+ moreinfo="none">smbpasswd</filename> file to check users against. See the chapter about the User Database in
+ the Samba HOWTO Collection for details on how to set this up.
+</para>
<note><para>This mode of operation has
significant pitfalls, due to the fact that is activly initiates a
@@ -238,17 +220,14 @@
requested is <emphasis>not</emphasis> sent to the server until after
the server has successfully authenticated the client. This is why
guest shares don't work in user level security without allowing
- the server to automatically map unknown users into the <link linkend="GUESTACCOUNT">
- <parameter moreinfo="none">guest account</parameter></link>.
- See the <link linkend="MAPTOGUEST"><parameter moreinfo="none">map to guest</parameter>
- </link> parameter for details on doing this.</para>
+ the server to automatically map unknown users into the <smbconfoption name="guest account"/>.
+ See the <smbconfoption name="map to guest"/> parameter for details on doing this.</para>
<para>See also the section <link linkend="VALIDATIONSECT">
NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para>
- <para>See also the <link linkend="PASSWORDSERVER"><parameter moreinfo="none">password
- server</parameter></link> parameter and the <link linkend="ENCRYPTPASSWORDS">
- <parameter moreinfo="none">encrypted passwords</parameter></link> parameter.</para>
+ <para>See also the <smbconfoption name="password server"/> parameter and the
+ <smbconfoption name="encrypted passwords"/> parameter.</para>
<para><anchor id="SECURITYEQUALSADS"/><emphasis>SECURITY = ADS</emphasis></para>
diff --git a/docs/smbdotconf/security/serverschannel.xml b/docs/smbdotconf/security/serverschannel.xml
index 0f264a0f7d..6317448fb6 100644
--- a/docs/smbdotconf/security/serverschannel.xml
+++ b/docs/smbdotconf/security/serverschannel.xml
@@ -4,20 +4,18 @@
basic="1"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
- <para>This controls whether the server offers or even
- demands the use of the netlogon schannel.
- <parameter>server schannel = no</parameter> does not
- offer the schannel, <parameter>server schannel =
- auto</parameter> offers the schannel but does not
- enforce it, and <parameter>server schannel =
- yes</parameter> denies access if the client is not
- able to speak netlogon schannel. This is only the case
- for Windows NT4 before SP4.</para>
+ <para>
+ This controls whether the server offers or even demands the use of the netlogon schannel.
+ <smbconfoption name="server schannel">no</smbconfoption> does not offer the schannel, <smbconfoption
+ name="server schannel">auto</smbconfoption> offers the schannel but does not enforce it, and <smbconfoption
+ name="server schannel">yes</smbconfoption> denies access if the client is not able to speak netlogon schannel.
+ This is only the case for Windows NT4 before SP4.
+ </para>
- <para>Please note that with this set to
- <parameter>no</parameter> you will have to apply the
- WindowsXP requireSignOrSeal-Registry patch found in
- the docs/Registry subdirectory.</para>
+ <para>
+ Please note that with this set to <literal>no</literal> you will have to apply the WindowsXP
+ <filename>WinXP_SignOrSeal.reg</filename> registry patch found in the docs/registry subdirectory of the Samba distribution tarball.
+ </para>
</description>
<value type="default">auto</value>
diff --git a/docs/smbdotconf/security/updateencrypted.xml b/docs/smbdotconf/security/updateencrypted.xml
index 7042a11678..da493665cf 100644
--- a/docs/smbdotconf/security/updateencrypted.xml
+++ b/docs/smbdotconf/security/updateencrypted.xml
@@ -5,29 +5,29 @@
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
- <para>This boolean parameter allows a user logging on with
- a plaintext password to have their encrypted (hashed) password in
- the smbpasswd file to be updated automatically as they log
- on. This option allows a site to migrate from plaintext
- password authentication (users authenticate with plaintext
- password over the wire, and are checked against a UNIX account
- database) to encrypted password authentication (the SMB
- challenge/response authentication mechanism) without forcing all
- users to re-enter their passwords via smbpasswd at the time the
- change is made. This is a convenience option to allow the change
- over to encrypted passwords to be made over a longer period.
- Once all users have encrypted representations of their passwords
- in the smbpasswd file this parameter should be set to
- <constant>no</constant>.</para>
+ <para>
+ This boolean parameter allows a user logging on with a plaintext password to have their encrypted (hashed)
+ password in the smbpasswd file to be updated automatically as they log on. This option allows a site to
+ migrate from plaintext password authentication (users authenticate with plaintext password over the
+ wire, and are checked against a UNIX account atabase) to encrypted password authentication (the SMB
+ challenge/response authentication mechanism) without forcing all users to re-enter their passwords via
+ smbpasswd at the time the change is made. This is a convenience option to allow the change over to encrypted
+ passwords to be made over a longer period. Once all users have encrypted representations of their passwords
+ in the smbpasswd file this parameter should be set to <constant>no</constant>.
+ </para>
- <para>In order for this parameter to work correctly the <link linkend="ENCRYPTPASSWORDS">
- <parameter moreinfo="none">encrypt passwords</parameter></link> parameter must
- be set to <constant>no</constant> when this parameter is set to <constant>yes</constant>.</para>
+ <para>
+ In order for this parameter to be operative the <smbconfoption name="encrypt passwords"/> parameter must
+ be set to <constant>no</constant>. The default value of <smbconfoption name="encrypt
+ passwords">Yes</smbconfoption>. Note: This must be set to <constant>no</constant> for this <smbconfoption
+ name="update encrypted"/> to work.
+ </para>
- <para>Note that even when this parameter is set a user
- authenticating to <command moreinfo="none">smbd</command> must still enter a valid
- password in order to connect correctly, and to update their hashed
- (smbpasswd) passwords.</para>
+ <para>
+ Note that even when this parameter is set a user authenticating to <command moreinfo="none">smbd</command>
+ must still enter a valid password in order to connect correctly, and to update their hashed (smbpasswd)
+ passwords.
+ </para>
</description>
<value type="default">no</value>
diff --git a/docs/smbdotconf/security/username.xml b/docs/smbdotconf/security/username.xml
index 9a6d83ae71..3a45d4d72f 100644
--- a/docs/smbdotconf/security/username.xml
+++ b/docs/smbdotconf/security/username.xml
@@ -32,8 +32,7 @@
so they cannot do anything that user cannot do.</para>
<para>To restrict a service to a particular set of users you
- can use the <link linkend="VALIDUSERS"><parameter moreinfo="none">valid users
- </parameter></link> parameter.</para>
+ can use the <smbconfoption name="valid users"/> parameter.</para>
<para>If any of the usernames begin with a '@' then the name
will be looked up first in the NIS netgroups list (if Samba
@@ -54,9 +53,9 @@
quite some time, and some clients may time out during the
search.</para>
- <para>See the section <link linkend="VALIDATIONSECT">NOTE ABOUT
- USERNAME/PASSWORD VALIDATION</link> for more information on how
-this parameter determines access to the services.</para>
+ <para>See the section <link linkend="VALIDATIONSECT">NOTE ABOUT
+ USERNAME/PASSWORD VALIDATION</link> for more information on how
+ this parameter determines access to the services.</para>
</description>
<value type="default"><comment>The guest account if a guest service,
diff --git a/docs/smbdotconf/security/usernamemap.xml b/docs/smbdotconf/security/usernamemap.xml
index 1c76d31711..ef4291733e 100644
--- a/docs/smbdotconf/security/usernamemap.xml
+++ b/docs/smbdotconf/security/usernamemap.xml
@@ -75,8 +75,7 @@ guest = *
will actually be connecting to \\server\mary and will need to
supply a password suitable for <constant>mary</constant> not
<constant>fred</constant>. The only exception to this is the
- username passed to the <link linkend="PASSWORDSERVER"><parameter moreinfo="none">
- password server</parameter></link> (if you have one). The password
+ username passed to the <smbconfoption name="password server"/> (if you have one). The password
server will receive whatever username the client supplies without
modification.</para>
diff --git a/docs/smbdotconf/security/writeable.xml b/docs/smbdotconf/security/writeable.xml
index 1bb0e41810..f811c47e5c 100644
--- a/docs/smbdotconf/security/writeable.xml
+++ b/docs/smbdotconf/security/writeable.xml
@@ -4,7 +4,6 @@
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<synonym>writable</synonym>
<description>
- <para>Inverted synonym for <link linkend="READONLY">
- <parameter moreinfo="none">read only</parameter></link>.</para>
+ <para>Inverted synonym for <smbconfoption name="read only"/>.</para>
</description>
</samba:parameter>