summaryrefslogtreecommitdiff
path: root/docs/smbdotconf
diff options
context:
space:
mode:
authorJohn Terpstra <jht@samba.org>2005-07-08 10:16:53 +0000
committerGerald W. Carter <jerry@samba.org>2008-04-23 08:47:04 -0500
commit97e3e540f72021d81b34f7597506da6cdc552b8a (patch)
tree0fbf5ca9ee58fead3c6ac25d60d27ffe25aeebf6 /docs/smbdotconf
parent9953c886c64bd94778d8b78aea4699748a15abac (diff)
downloadsamba-97e3e540f72021d81b34f7597506da6cdc552b8a.tar.gz
samba-97e3e540f72021d81b34f7597506da6cdc552b8a.tar.bz2
samba-97e3e540f72021d81b34f7597506da6cdc552b8a.zip
More updates.
(This used to be commit b546de20f793aeec7739ef32451d72582175ae58)
Diffstat (limited to 'docs/smbdotconf')
-rw-r--r--docs/smbdotconf/logon/logonscript.xml48
-rw-r--r--docs/smbdotconf/security/createmask.xml40
-rw-r--r--docs/smbdotconf/security/directorymask.xml2
-rw-r--r--docs/smbdotconf/security/directorysecuritymask.xml11
-rw-r--r--docs/smbdotconf/security/forcedirectorysecuritymode.xml46
-rw-r--r--docs/smbdotconf/security/forcesecuritymode.xml40
-rw-r--r--docs/smbdotconf/security/securitymask.xml36
7 files changed, 127 insertions, 96 deletions
diff --git a/docs/smbdotconf/logon/logonscript.xml b/docs/smbdotconf/logon/logonscript.xml
index 847896e1ce..13ce9a0c03 100644
--- a/docs/smbdotconf/logon/logonscript.xml
+++ b/docs/smbdotconf/logon/logonscript.xml
@@ -4,14 +4,15 @@
type="string"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
- <para>This parameter specifies the batch file (.bat) or
- NT command file (.cmd) to be downloaded and run on a machine when
- a user successfully logs in. The file must contain the DOS
- style CR/LF line endings. Using a DOS-style editor to create the
- file is recommended.</para>
+ <para>
+ This parameter specifies the batch file (<filename>.bat</filename>) or NT command file
+ (<filename>.cmd</filename>) to be downloaded and run on a machine when a user successfully logs in. The file
+ must contain the DOS style CR/LF line endings. Using a DOS-style editor to create the file is recommended.
+ </para>
- <para>The script must be a relative path to the [netlogon]
- service. If the [netlogon] service specifies a <smbconfoption name="path"/> of <filename
+ <para>
+ The script must be a relative path to the <smbconfsection name="[netlogon]"/> service. If the [netlogon]
+ service specifies a <smbconfoption name="path"/> of <filename
moreinfo="none">/usr/local/samba/netlogon</filename>, and <smbconfoption name="logon
script">STARTUP.BAT</smbconfoption>, then the file that will be downloaded is:
<screen>
@@ -19,23 +20,28 @@
</screen>
</para>
- <para>The contents of the batch file are entirely your choice. A
- suggested command would be to add <command moreinfo="none">NET TIME \\SERVER /SET
- /YES</command>, to force every machine to synchronize clocks with
- the same time server. Another use would be to add <command moreinfo="none">NET USE
- U: \\SERVER\UTILS</command> for commonly used utilities, or <screen>
- <userinput>NET USE Q: \\SERVER\ISO9001_QA</userinput></screen> for example.</para>
+ <para>
+ The contents of the batch file are entirely your choice. A suggested command would be to add <command
+ moreinfo="none">NET TIME \\SERVER /SET /YES</command>, to force every machine to synchronize clocks with the
+ same time server. Another use would be to add <command moreinfo="none">NET USE U: \\SERVER\UTILS</command>
+ for commonly used utilities, or <screen> <userinput>NET USE Q: \\SERVER\ISO9001_QA</userinput></screen> for
+ example.
+ </para>
- <para>Note that it is particularly important not to allow write
- access to the [netlogon] share, or to grant users write permission
- on the batch files in a secure environment, as this would allow
- the batch files to be arbitrarily modified and security to be
- breached.</para>
+ <para>
+ Note that it is particularly important not to allow write access to the [netlogon] share, or to grant users
+ write permission on the batch files in a secure environment, as this would allow the batch files to be
+ arbitrarily modified and security to be breached.
+ </para>
- <para>This option takes the standard substitutions, allowing you
- to have separate logon scripts for each user or machine.</para>
+ <para>
+ This option takes the standard substitutions, allowing you to have separate logon scripts for each user or
+ machine.
+ </para>
- <para>This option is only useful if Samba is set up as a logon server.</para>
+ <para>
+ This option is only useful if Samba is set up as a logon server.
+ </para>
</description>
<value type="default"></value>
<value type="example">scripts\%U.bat</value>
diff --git a/docs/smbdotconf/security/createmask.xml b/docs/smbdotconf/security/createmask.xml
index 7f9f93caaa..cf6864c78e 100644
--- a/docs/smbdotconf/security/createmask.xml
+++ b/docs/smbdotconf/security/createmask.xml
@@ -5,27 +5,33 @@
<synonym>create mode</synonym>
<description>
- <para>When a file is created, the necessary permissions are
- calculated according to the mapping from DOS modes to UNIX
- permissions, and the resulting UNIX mode is then bit-wise 'AND'ed
- with this parameter. This parameter may be thought of as a bit-wise
- MASK for the UNIX modes of a file. Any bit <emphasis>not</emphasis>
- set here will be removed from the modes set on a file when it is
- created.</para>
+ <para>
+ When a file is created, the necessary permissions are calculated according to the mapping from DOS modes to
+ UNIX permissions, and the resulting UNIX mode is then bit-wise 'AND'ed with this parameter. This parameter may
+ be thought of as a bit-wise MASK for the UNIX modes of a file. Any bit <emphasis>not</emphasis> set here will
+ be removed from the modes set on a file when it is created.
+ </para>
- <para>The default value of this parameter removes the
- 'group' and 'other' write and execute bits from the UNIX modes.</para>
+ <para>
+ The default value of this parameter removes the <literal>group</literal> and <literal>other</literal>
+ write and execute bits from the UNIX modes.
+ </para>
- <para>Following this Samba will bit-wise 'OR' the UNIX mode created
- from this parameter with the value of the <smbconfoption name="force create mode"/>
- parameter which is set to 000 by default.</para>
+ <para>
+ Following this Samba will bit-wise 'OR' the UNIX mode created from this parameter with the value of the
+ <smbconfoption name="force create mode"/> parameter which is set to 000 by default.
+ </para>
- <para>This parameter does not affect directory modes. See the
- parameter <smbconfoption name="directory mode"/> for details.</para>
+ <para>
+ This parameter does not affect directory masks. See the parameter <smbconfoption name="directory mask"/>
+ for details.
+ </para>
- <para>Note that this parameter does not apply to permissions
- set by Windows NT/2000 ACL editors. If the administrator wishes to enforce
- a mask on access control lists also, they need to set the <smbconfoption name="security mask"/>.</para>
+ <para>
+ Note that this parameter does not apply to permissions set by Windows NT/2000 ACL editors. If the
+ administrator wishes to enforce a mask on access control lists also, they need to set the <smbconfoption
+ name="security mask"/>.
+ </para>
</description>
<related>force create mode</related>
diff --git a/docs/smbdotconf/security/directorymask.xml b/docs/smbdotconf/security/directorymask.xml
index 414239bcff..7b67f79214 100644
--- a/docs/smbdotconf/security/directorymask.xml
+++ b/docs/smbdotconf/security/directorymask.xml
@@ -30,7 +30,7 @@
</description>
<related>force directory mode</related>
-<related>create mode</related>
+<related>create mask</related>
<related>directory security mask</related>
<related>inherit permissions</related>
<value type="default">0755</value>
diff --git a/docs/smbdotconf/security/directorysecuritymask.xml b/docs/smbdotconf/security/directorysecuritymask.xml
index 5511cd1700..a16f275698 100644
--- a/docs/smbdotconf/security/directorysecuritymask.xml
+++ b/docs/smbdotconf/security/directorysecuritymask.xml
@@ -8,11 +8,12 @@
permission on a directory using the native NT security dialog
box.</para>
- <para>This parameter is applied as a mask (AND'ed with) to
- the changed permission bits, thus preventing any bits not in
- this mask from being modified. Essentially, zero bits in this
- mask may be treated as a set of bits the user is not allowed
- to change.</para>
+ <para>
+ This parameter is applied as a mask (AND'ed with) to the changed permission bits, thus preventing any bits not
+ in this mask from being modified. Make sure not to mix up this parameter with <smbconfoption name="force
+ directory security mode"/>, which works similar like this one but uses logical OR instead of AND.
+ Essentially, zero bits in this mask may be treated as a set of bits the user is not allowed to change.
+ </para>
<para>If not set explicitly this parameter is set to 0777
meaning a user is allowed to modify all the user/group/world
diff --git a/docs/smbdotconf/security/forcedirectorysecuritymode.xml b/docs/smbdotconf/security/forcedirectorysecuritymode.xml
index 184337ba69..2c15ec2753 100644
--- a/docs/smbdotconf/security/forcedirectorysecuritymode.xml
+++ b/docs/smbdotconf/security/forcedirectorysecuritymode.xml
@@ -3,25 +3,33 @@
type="string"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
- <para>This parameter controls what UNIX permission bits
- can be modified when a Windows NT client is manipulating the UNIX
- permission on a directory using the native NT security dialog box.</para>
-
- <para>This parameter is applied as a mask (OR'ed with) to the
- changed permission bits, thus forcing any bits in this mask that
- the user may have modified to be on. Essentially, one bits in this
- mask may be treated as a set of bits that, when modifying security
- on a directory, the user has always set to be 'on'.</para>
-
- <para>If not set explicitly this parameter is 000, which
- allows a user to modify all the user/group/world permissions on a
- directory without restrictions.</para>
-
- <note><para>Users who can access the
- Samba server through other means can easily bypass this restriction,
- so it is primarily useful for standalone &quot;appliance&quot; systems.
- Administrators of most normal systems will probably want to leave
- it set as 0000.</para></note>
+ <para>
+ This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating
+ the UNIX permission on a directory using the native NT security dialog box.
+ </para>
+
+ <para>
+ This parameter is applied as a mask (OR'ed with) to the changed permission bits, thus forcing any bits in this
+ mask that the user may have modified to be on. Make sure not to mix up this parameter with <smbconfoption
+ name="directory security mask"/>, which works in a similar manner to this one, but uses a logical AND instead
+ of an OR.
+ </para>
+
+ <para>
+ Essentially, this mask may be treated as a set of bits that, when modifying security on a directory,
+ to will enable (1) any flags that are off (0) but which the mask has set to on (1).
+ </para>
+
+ <para>
+ If not set explicitly this parameter is 0000, which allows a user to modify all the user/group/world
+ permissions on a directory without restrictions.
+ </para>
+
+ <note><para>
+ Users who can access the Samba server through other means can easily bypass this restriction, so it is
+ primarily useful for standalone &quot;appliance&quot; systems. Administrators of most normal systems will
+ probably want to leave it set as 0000.
+ </para></note>
</description>
diff --git a/docs/smbdotconf/security/forcesecuritymode.xml b/docs/smbdotconf/security/forcesecuritymode.xml
index 98de6fa401..7451ef91ae 100644
--- a/docs/smbdotconf/security/forcesecuritymode.xml
+++ b/docs/smbdotconf/security/forcesecuritymode.xml
@@ -3,26 +3,32 @@
type="string"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
- <para>This parameter controls what UNIX permission
- bits can be modified when a Windows NT client is manipulating
- the UNIX permission on a file using the native NT security dialog
- box.</para>
+ <para>
+ This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating
+ the UNIX permission on a file using the native NT security dialog box.
+ </para>
- <para>This parameter is applied as a mask (OR'ed with) to the
- changed permission bits, thus forcing any bits in this mask that
- the user may have modified to be on. Essentially, one bits in this
- mask may be treated as a set of bits that, when modifying security
- on a file, the user has always set to be 'on'.</para>
+ <para>
+ This parameter is applied as a mask (OR'ed with) to the changed permission bits, thus forcing any bits in this
+ mask that the user may have modified to be on. Make sure not to mix up this parameter with <smbconfoption
+ name="security mask"/>, which works similar like this one but uses logical AND instead of OR.
+ </para>
- <para>If not set explicitly this parameter is set to 0,
- and allows a user to modify all the user/group/world permissions on a file,
- with no restrictions.</para>
+ <para>
+ Essentially, one bits in this mask may be treated as a set of bits that, when modifying security on a file,
+ the user has always set to be on.
+ </para>
+
+ <para>
+ If not set explicitly this parameter is set to 0, and allows a user to modify all the user/group/world
+ permissions on a file, with no restrictions.
+ </para>
- <para><emphasis>Note</emphasis> that users who can access
- the Samba server through other means can easily bypass this restriction,
- so it is primarily useful for standalone &quot;appliance&quot; systems.
- Administrators of most normal systems will probably want to leave
- this set to 0000.</para>
+ <para><emphasis>
+ Note</emphasis> that users who can access the Samba server through other means can easily bypass this
+ restriction, so it is primarily useful for standalone &quot;appliance&quot; systems. Administrators of most
+ normal systems will probably want to leave this set to 0000.
+ </para>
</description>
diff --git a/docs/smbdotconf/security/securitymask.xml b/docs/smbdotconf/security/securitymask.xml
index de3dd29753..d41d6bddae 100644
--- a/docs/smbdotconf/security/securitymask.xml
+++ b/docs/smbdotconf/security/securitymask.xml
@@ -3,26 +3,30 @@
type="string"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
- <para>This parameter controls what UNIX permission
- bits can be modified when a Windows NT client is manipulating
- the UNIX permission on a file using the native NT security
- dialog box.</para>
+ <para>
+ This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating the
+ UNIX permission on a file using the native NT security dialog box.
+ </para>
- <para>This parameter is applied as a mask (AND'ed with) to
- the changed permission bits, thus preventing any bits not in
- this mask from being modified. Essentially, zero bits in this
- mask may be treated as a set of bits the user is not allowed
- to change.</para>
+ <para>
+ This parameter is applied as a mask (AND'ed with) to the changed permission bits, thus preventing any bits not
+ in this mask from being modified. Make sure not to mix up this parameter with <smbconfoption name="force
+ security mode"/>, which works in a manner similar to this one but uses a logical OR instead of an AND.
+ </para>
- <para>If not set explicitly this parameter is 0777, allowing
- a user to modify all the user/group/world permissions on a file.
+ <para>
+ Essentially, zero bits in this mask may be treated as a set of bits the user is not allowed to change.
+ </para>
+
+ <para>
+ If not set explicitly this parameter is 0777, allowing a user to modify all the user/group/world permissions on a file.
</para>
- <para><emphasis>Note</emphasis> that users who can access the
- Samba server through other means can easily bypass this
- restriction, so it is primarily useful for standalone
- &quot;appliance&quot; systems. Administrators of most normal systems will
- probably want to leave it set to <constant>0777</constant>.</para>
+ <para><emphasis>
+ Note</emphasis> that users who can access the Samba server through other means can easily bypass this
+ restriction, so it is primarily useful for standalone &quot;appliance&quot; systems. Administrators of
+ most normal systems will probably want to leave it set to <constant>0777</constant>.
+ </para>
</description>
<related>force directory security mode</related>