diff options
Diffstat (limited to 'docs-xml/smbdotconf/security/passwordserver.xml')
| -rw-r--r-- | docs-xml/smbdotconf/security/passwordserver.xml | 99 |
1 files changed, 99 insertions, 0 deletions
diff --git a/docs-xml/smbdotconf/security/passwordserver.xml b/docs-xml/smbdotconf/security/passwordserver.xml new file mode 100644 index 0000000000..188cea88d1 --- /dev/null +++ b/docs-xml/smbdotconf/security/passwordserver.xml @@ -0,0 +1,99 @@ +<samba:parameter name="password server" + context="G" + type="list" + advanced="1" wizard="1" developer="1" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para>By specifying the name of another SMB server + or Active Directory domain controller with this option, + and using <command moreinfo="none">security = [ads|domain|server]</command> + it is possible to get Samba to + to do all its username/password validation using a specific remote server.</para> + + <para>This option sets the name or IP address of the password server to use. + New syntax has been added to support defining the port to use when connecting + to the server the case of an ADS realm. To define a port other than the + default LDAP port of 389, add the port number using a colon after the + name or IP address (e.g. 192.168.1.100:389). If you do not specify a port, + Samba will use the standard LDAP port of tcp/389. Note that port numbers + have no effect on password servers for Windows NT 4.0 domains or netbios + connections.</para> + + <para>If parameter is a name, it is looked up using the + parameter <smbconfoption name="name resolve order"/> and so may resolved + by any method and order described in that parameter.</para> + + <para>The password server must be a machine capable of using + the "LM1.2X002" or the "NT LM 0.12" protocol, and it must be in + user level security mode.</para> + + <note><para>Using a password server means your UNIX box (running + Samba) is only as secure as your password server. <emphasis>DO NOT + CHOOSE A PASSWORD SERVER THAT YOU DON'T COMPLETELY TRUST</emphasis>. + </para></note> + + <para>Never point a Samba server at itself for password serving. + This will cause a loop and could lock up your Samba server!</para> + + <para>The name of the password server takes the standard + substitutions, but probably the only useful one is <parameter moreinfo="none">%m + </parameter>, which means the Samba server will use the incoming + client as the password server. If you use this then you better + trust your clients, and you had better restrict them with hosts allow!</para> + + <para>If the <parameter moreinfo="none">security</parameter> parameter is set to + <constant>domain</constant> or <constant>ads</constant>, then the list of machines in this + option must be a list of Primary or Backup Domain controllers for the + Domain or the character '*', as the Samba server is effectively + in that domain, and will use cryptographically authenticated RPC calls + to authenticate the user logging on. The advantage of using <command moreinfo="none"> + security = domain</command> is that if you list several hosts in the + <parameter moreinfo="none">password server</parameter> option then <command moreinfo="none">smbd + </command> will try each in turn till it finds one that responds. This + is useful in case your primary server goes down.</para> + + <para>If the <parameter moreinfo="none">password server</parameter> option is set + to the character '*', then Samba will attempt to auto-locate the + Primary or Backup Domain controllers to authenticate against by + doing a query for the name <constant>WORKGROUP<1C></constant> + and then contacting each server returned in the list of IP + addresses from the name resolution source. </para> + + <para>If the list of servers contains both names/IP's and the '*' + character, the list is treated as a list of preferred + domain controllers, but an auto lookup of all remaining DC's + will be added to the list as well. Samba will not attempt to optimize + this list by locating the closest DC.</para> + + <para>If the <parameter moreinfo="none">security</parameter> parameter is + set to <constant>server</constant>, then there are different + restrictions that <command moreinfo="none">security = domain</command> doesn't + suffer from:</para> + + <itemizedlist> + <listitem> + <para>You may list several password servers in + the <parameter moreinfo="none">password server</parameter> parameter, however if an + <command moreinfo="none">smbd</command> makes a connection to a password server, + and then the password server fails, no more users will be able + to be authenticated from this <command moreinfo="none">smbd</command>. This is a + restriction of the SMB/CIFS protocol when in <command moreinfo="none">security = server + </command> mode and cannot be fixed in Samba.</para> + </listitem> + + <listitem> + <para>If you are using a Windows NT server as your + password server then you will have to ensure that your users + are able to login from the Samba server, as when in <command moreinfo="none"> + security = server</command> mode the network logon will appear to + come from there rather than from the users workstation.</para> + </listitem> + </itemizedlist> +</description> + +<related>security</related> +<value type="default"></value> +<value type="example">NT-PDC, NT-BDC1, NT-BDC2, *</value> +<value type="example">windc.mydomain.com:389 192.168.1.101 *</value> +<value type="example">*</value> +</samba:parameter> |