diff options
author | Andrew Bartlett <abartlet@samba.org> | 2002-05-17 12:42:39 +0000 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2002-05-17 12:42:39 +0000 |
commit | eed5094264945ca8ccf47030375cc56808ae8ea3 (patch) | |
tree | 4a39aca15191b1a857e60f5a4b761fce29867688 /docs | |
parent | a64932dfc06af46d4a4eebd6fb537e229466b00b (diff) | |
download | samba-eed5094264945ca8ccf47030375cc56808ae8ea3.tar.gz samba-eed5094264945ca8ccf47030375cc56808ae8ea3.tar.bz2 samba-eed5094264945ca8ccf47030375cc56808ae8ea3.zip |
This removes --with-ssl from Samba.
This option was badly maintained, useless and confused our users and
distirbutors. (its SSL, therfore it must be good...)
No windows client uses this protocol without help from an SSL tunnel.
I can't see any reason why setting up a unix-side SSL wrapper would
be any more difficult than the > 10 config options this mess added
to samba in any case.
On the Samba client end, I think the LIBSMB_PROG hack should be
sufficient to start stunnel on the unix side. We might extend this
to take %i and %p (IP and port) if there is demand.
Andrew Bartlett
(This used to be commit b04561d3fd3ee732877790fb4193b20ad72a75f8)
Diffstat (limited to 'docs')
-rw-r--r-- | docs/docbook/manpages/smb.conf.5.sgml | 363 |
1 files changed, 2 insertions, 361 deletions
diff --git a/docs/docbook/manpages/smb.conf.5.sgml b/docs/docbook/manpages/smb.conf.5.sgml index ba4495e34f..a9963b72ce 100644 --- a/docs/docbook/manpages/smb.conf.5.sgml +++ b/docs/docbook/manpages/smb.conf.5.sgml @@ -729,24 +729,6 @@ <listitem><para><link linkend="SOCKETOPTIONS"><parameter>socket options</parameter></link></para></listitem> <listitem><para><link linkend="SOURCEENVIRONMENT"><parameter>source environment</parameter></link></para></listitem> - <listitem><para><link linkend="SSL"><parameter>ssl</parameter></link></para></listitem> - <listitem><para><link linkend="SSLCACERTDIR"><parameter>ssl CA certDir</parameter></link></para></listitem> - <listitem><para><link linkend="SSLCACERTFILE"><parameter>ssl CA certFile</parameter></link></para></listitem> - <listitem><para><link linkend="SSLCIPHERS"><parameter>ssl ciphers</parameter></link></para></listitem> - <listitem><para><link linkend="SSLCLIENTCERT"><parameter>ssl client cert</parameter></link></para></listitem> - <listitem><para><link linkend="SSLCLIENTKEY"><parameter>ssl client key</parameter></link></para></listitem> - <listitem><para><link linkend="SSLCOMPATIBILITY"><parameter>ssl compatibility</parameter></link></para></listitem> - <listitem><para><link linkend="SSLEGDSOCKET"><parameter>ssl egd socket</parameter></link></para></listitem> - <listitem><para><link linkend="SSLENTROPYBYTES"><parameter>ssl entropy bytes</parameter></link></para></listitem> - <listitem><para><link linkend="SSLENTROPYFILE"><parameter>ssl entropy file</parameter></link></para></listitem> - <listitem><para><link linkend="SSLHOSTS"><parameter>ssl hosts</parameter></link></para></listitem> - <listitem><para><link linkend="SSLHOSTSRESIGN"><parameter>ssl hosts resign</parameter></link></para></listitem> - <listitem><para><link linkend="SSLREQUIRECLIENTCERT"><parameter>ssl require clientcert</parameter></link></para></listitem> - <listitem><para><link linkend="SSLREQUIRESERVERCERT"><parameter>ssl require servercert</parameter></link></para></listitem> - <listitem><para><link linkend="SSLSERVERCERT"><parameter>ssl server cert</parameter></link></para></listitem> - <listitem><para><link linkend="SSLSERVERKEY"><parameter>ssl server key</parameter></link></para></listitem> - <listitem><para><link linkend="SSLVERSION"><parameter>ssl version</parameter></link></para></listitem> - <listitem><para><link linkend="STATCACHE"><parameter>stat cache</parameter></link></para></listitem> <listitem><para><link linkend="STATCACHESIZE"><parameter>stat cache size</parameter></link></para></listitem> <listitem><para><link linkend="STRIPDOT"><parameter>strip dot</parameter></link></para></listitem> @@ -3387,9 +3369,9 @@ This option is used to define whether or not Samba should use SSL when connecting to the <link linkend="LDAPSERVER"><parameter>ldap server</parameter></link>. This is <emphasis>NOT</emphasis> related to - Samba SSL support which is enabled by specifying the + Samba's previous SSL support which was enabled by specifying the <command>--with-ssl</command> option to the <filename>configure</filename> - script (see <link linkend="SSL"><parameter>ssl</parameter></link>). + script. </para> <para> @@ -7031,347 +7013,6 @@ <varlistentry> - <term><anchor id="SSL">ssl (G)</term> - <listitem><para>This variable is part of SSL-enabled Samba. This - is only available if the SSL libraries have been compiled on your - system and the configure option <command>--with-ssl</command> was - given at configure time.</para> - - <para>This variable enables or disables the entire SSL mode. If - it is set to <constant>no</constant>, the SSL-enabled Samba behaves - exactly like the non-SSL Samba. If set to <constant>yes</constant>, - it depends on the variables <link linkend="SSLHOSTS"><parameter> - ssl hosts</parameter></link> and <link linkend="SSLHOSTSRESIGN"> - <parameter>ssl hosts resign</parameter></link> whether an SSL - connection will be required.</para> - - <para>Default: <command>ssl = no</command></para> - </listitem> - </varlistentry> - - - - <varlistentry> - <term><anchor id="SSLCACERTDIR">ssl CA certDir (G)</term> - <listitem><para>This variable is part of SSL-enabled Samba. This - is only available if the SSL libraries have been compiled on your - system and the configure option <command>--with-ssl</command> was - given at configure time.</para> - - <para>This variable defines where to look up the Certification - Authorities. The given directory should contain one file for - each CA that Samba will trust. The file name must be the hash - value over the "Distinguished Name" of the CA. How this directory - is set up is explained later in this document. All files within the - directory that don't fit into this naming scheme are ignored. You - don't need this variable if you don't verify client certificates.</para> - - <para>Default: <command>ssl CA certDir = /usr/local/ssl/certs - </command></para> - </listitem> - </varlistentry> - - - - <varlistentry> - <term><anchor id="SSLCACERTFILE">ssl CA certFile (G)</term> - <listitem><para>This variable is part of SSL-enabled Samba. This - is only available if the SSL libraries have been compiled on your - system and the configure option <command>--with-ssl</command> was - given at configure time.</para> - - <para>This variable is a second way to define the trusted CAs. - The certificates of the trusted CAs are collected in one big - file and this variable points to the file. You will probably - only use one of the two ways to define your CAs. The first choice is - preferable if you have many CAs or want to be flexible, the second - is preferable if you only have one CA and want to keep things - simple (you won't need to create the hashed file names). You - don't need this variable if you don't verify client certificates.</para> - - <para>Default: <command>ssl CA certFile = /usr/local/ssl/certs/trustedCAs.pem - </command></para> - </listitem> - </varlistentry> - - - - <varlistentry> - <term><anchor id="SSLCIPHERS">ssl ciphers (G)</term> - <listitem><para>This variable is part of SSL-enabled Samba. This - is only available if the SSL libraries have been compiled on your - system and the configure option <command>--with-ssl</command> was - given at configure time.</para> - - <para>This variable defines the ciphers that should be offered - during SSL negotiation. You should not set this variable unless - you know what you are doing.</para> - </listitem> - </varlistentry> - - - <varlistentry> - <term><anchor id="SSLCLIENTCERT">ssl client cert (G)</term> - <listitem><para>This variable is part of SSL-enabled Samba. This - is only available if the SSL libraries have been compiled on your - system and the configure option <command>--with-ssl</command> was - given at configure time.</para> - - <para>The certificate in this file is used by <ulink url="smbclient.1.html"> - <command>smbclient(1)</command></ulink> if it exists. It's needed - if the server requires a client certificate.</para> - - <para>Default: <command>ssl client cert = /usr/local/ssl/certs/smbclient.pem - </command></para> - </listitem> - </varlistentry> - - - - <varlistentry> - <term><anchor id="SSLCLIENTKEY">ssl client key (G)</term> - <listitem><para>This variable is part of SSL-enabled Samba. This - is only available if the SSL libraries have been compiled on your - system and the configure option <command>--with-ssl</command> was - given at configure time.</para> - - <para>This is the private key for <ulink url="smbclient.1.html"> - <command>smbclient(1)</command></ulink>. It's only needed if the - client should have a certificate. </para> - - <para>Default: <command>ssl client key = /usr/local/ssl/private/smbclient.pem - </command></para> - </listitem> - </varlistentry> - - - - <varlistentry> - <term><anchor id="SSLCOMPATIBILITY">ssl compatibility (G)</term> - <listitem><para>This variable is part of SSL-enabled Samba. This - is only available if the SSL libraries have been compiled on your - system and the configure option <command>--with-ssl</command> was - given at configure time.</para> - - <para>This variable defines whether OpenSSL should be configured - for bug compatibility with other SSL implementations. This is - probably not desirable because currently no clients with SSL - implementations other than OpenSSL exist.</para> - - <para>Default: <command>ssl compatibility = no</command></para> - </listitem> - </varlistentry> - - - <varlistentry> - <term><anchor id="SSLEGDSOCKET">ssl egd socket (G)</term> - <listitem><para>This variable is part of SSL-enabled Samba. This - is only available if the SSL libraries have been compiled on your - system and the configure option <command>--with-ssl</command> was - given at configure time.</para> - - <para> - This option is used to define the location of the communiation socket of - an EGD or PRNGD daemon, from which entropy can be retrieved. This option - can be used instead of or together with the <link - linkend="SSLENTROPYFILE"><parameter>ssl entropy file</parameter></link> - directive. 255 bytes of entropy will be retrieved from the daemon. - </para> - - <para>Default: <emphasis>none</emphasis></para> - </listitem> - </varlistentry> - - - <varlistentry> - <term><anchor id="SSLENTROPYBYTES">ssl entropy bytes (G)</term> - <listitem><para>This variable is part of SSL-enabled Samba. This - is only available if the SSL libraries have been compiled on your - system and the configure option <command>--with-ssl</command> was - given at configure time.</para> - - <para> - This parameter is used to define the number of bytes which should - be read from the <link linkend="SSLENTROPYFILE"><parameter>ssl entropy - file</parameter></link> If a -1 is specified, the entire file will - be read. - </para> - - <para>Default: <command>ssl entropy bytes = 255</command></para> - </listitem> - </varlistentry> - - - - <varlistentry> - <term><anchor id="SSLENTROPYFILE">ssl entropy file (G)</term> - <listitem><para>This variable is part of SSL-enabled Samba. This - is only available if the SSL libraries have been compiled on your - system and the configure option <command>--with-ssl</command> was - given at configure time.</para> - - <para> - This parameter is used to specify a file from which processes will - read "random bytes" on startup. In order to seed the internal pseudo - random number generator, entropy must be provided. On system with a - <filename>/dev/urandom</filename> device file, the processes - will retrieve its entropy from the kernel. On systems without kernel - entropy support, a file can be supplied that will be read on startup - and that will be used to seed the PRNG. - </para> - - <para>Default: <emphasis>none</emphasis></para> - </listitem> - </varlistentry> - - - - <varlistentry> - <term><anchor id="SSLHOSTS">ssl hosts (G)</term> - <listitem><para>See <link linkend="SSLHOSTSRESIGN"><parameter> - ssl hosts resign</parameter></link>.</para> - </listitem> - </varlistentry> - - - <varlistentry> - <term><anchor id="SSLHOSTSRESIGN">ssl hosts resign (G)</term> - <listitem><para>This variable is part of SSL-enabled Samba. This - is only available if the SSL libraries have been compiled on your - system and the configure option <command>--with-ssl</command> was - given at configure time.</para> - - <para>These two variables define whether Samba will go - into SSL mode or not. If none of them is defined, Samba will - allow only SSL connections. If the <link linkend="SSLHOSTS"> - <parameter>ssl hosts</parameter></link> variable lists - hosts (by IP-address, IP-address range, net group or name), - only these hosts will be forced into SSL mode. If the <parameter> - ssl hosts resign</parameter> variable lists hosts, only these - hosts will <emphasis>NOT</emphasis> be forced into SSL mode. The syntax for these two - variables is the same as for the <link linkend="HOSTSALLOW"><parameter> - hosts allow</parameter></link> and <link linkend="HOSTSDENY"> - <parameter>hosts deny</parameter></link> pair of variables, only - that the subject of the decision is different: It's not the access - right but whether SSL is used or not. </para> - - <para>The example below requires SSL connections from all hosts - outside the local net (which is 192.168.*.*).</para> - - <para>Default: <command>ssl hosts = <empty string></command></para> - <para><command>ssl hosts resign = <empty string></command></para> - - <para>Example: <command>ssl hosts resign = 192.168.</command></para> - </listitem> - </varlistentry> - - - - <varlistentry> - <term><anchor id="SSLREQUIRECLIENTCERT">ssl require clientcert (G)</term> - <listitem><para>This variable is part of SSL-enabled Samba. This - is only available if the SSL libraries have been compiled on your - system and the configure option <command>--with-ssl</command> was - given at configure time.</para> - - <para>If this variable is set to <constant>yes</constant>, the - server will not tolerate connections from clients that don't - have a valid certificate. The directory/file given in <link - linkend="SSLCACERTDIR"><parameter>ssl CA certDir</parameter> - </link> and <link linkend="SSLCACERTFILE"><parameter>ssl CA certFile - </parameter></link> will be used to look up the CAs that issued - the client's certificate. If the certificate can't be verified - positively, the connection will be terminated. If this variable - is set to <constant>no</constant>, clients don't need certificates. - Contrary to web applications you really <emphasis>should</emphasis> - require client certificates. In the web environment the client's - data is sensitive (credit card numbers) and the server must prove - to be trustworthy. In a file server environment the server's data - will be sensitive and the clients must prove to be trustworthy.</para> - - <para>Default: <command>ssl require clientcert = no</command></para> - </listitem> - </varlistentry> - - - - <varlistentry> - <term><anchor id="SSLREQUIRESERVERCERT">ssl require servercert (G)</term> - <listitem><para>This variable is part of SSL-enabled Samba. This - is only available if the SSL libraries have been compiled on your - system and the configure option <command>--with-ssl</command> was - given at configure time.</para> - - <para>If this variable is set to <constant>yes</constant>, the - <ulink url="smbclient.1.html"><command>smbclient(1)</command> - </ulink> will request a certificate from the server. Same as - <link linkend="SSLREQUIRECLIENTCERT"><parameter>ssl require - clientcert</parameter></link> for the server.</para> - - <para>Default: <command>ssl require servercert = no</command> - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term><anchor id="SSLSERVERCERT">ssl server cert (G)</term> - <listitem><para>This variable is part of SSL-enabled Samba. This - is only available if the SSL libraries have been compiled on your - system and the configure option <command>--with-ssl</command> was - given at configure time.</para> - - <para>This is the file containing the server's certificate. - The server <emphasis>must</emphasis> have a certificate. The - file may also contain the server's private key. See later for - how certificates and private keys are created.</para> - - <para>Default: <command>ssl server cert = <empty string> - </command></para> - </listitem> - </varlistentry> - - - <varlistentry> - <term><anchor id="SSLSERVERKEY">ssl server key (G)</term> - <listitem><para>This variable is part of SSL-enabled Samba. This - is only available if the SSL libraries have been compiled on your - system and the configure option <command>--with-ssl</command> was - given at configure time.</para> - - <para>This file contains the private key of the server. If - this variable is not defined, the key is looked up in the - certificate file (it may be appended to the certificate). - The server <emphasis>must</emphasis> have a private key - and the certificate <emphasis>must</emphasis> - match this private key.</para> - - <para>Default: <command>ssl server key = <empty string> - </command></para> - </listitem> - </varlistentry> - - - <varlistentry> - <term><anchor id="SSLVERSION">ssl version (G)</term> - <listitem><para>This variable is part of SSL-enabled Samba. This - is only available if the SSL libraries have been compiled on your - system and the configure option <command>--with-ssl</command> was - given at configure time.</para> - - <para>This enumeration variable defines the versions of the - SSL protocol that will be used. <constant>ssl2or3</constant> allows - dynamic negotiation of SSL v2 or v3, <constant>ssl2</constant> results - in SSL v2, <constant>ssl3</constant> results in SSL v3 and - <constant>tls1</constant> results in TLS v1. TLS (Transport Layer - Security) is the new standard for SSL.</para> - - <para>Default: <command>ssl version = "ssl2or3"</command></para> - </listitem> - </varlistentry> - - - - <varlistentry> <term><anchor id="STATCACHE">stat cache (G)</term> <listitem><para>This parameter determines if <ulink url="smbd.8.html">smbd(8)</ulink> will use a cache in order to |