Diffstat (limited to 'docs-xml/smbdotconf/security/passwordserver.xml')
-rw-r--r--  docs-xml/smbdotconf/security/passwordserver.xml | 55
1 file changed, 5 insertions, 50 deletions
diff --git a/docs-xml/smbdotconf/security/passwordserver.xml b/docs-xml/smbdotconf/security/passwordserver.xml index ad242c4a41..18baa9bdbc 100644 --- a/docs-xml/smbdotconf/security/passwordserver.xml +++ b/docs-xml/smbdotconf/security/passwordserver.xml @@ -4,17 +4,16 @@ advanced="1" wizard="1" developer="1" xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> <description> - <para>By specifying the name of another SMB server - or Active Directory domain controller with this option, - and using <command moreinfo="none">security = [ads|domain|server]</command> + <para>By specifying the name of a domain controller with this option, + and using <command moreinfo="none">security = [ads|domain]</command> it is possible to get Samba to do all its username/password validation using a specific remote server.</para> - <para>If the <parameter moreinfo="none">security</parameter> parameter is set to - <constant>domain</constant> or <constant>ads</constant>, then this option + <para>Ideally, this option <emphasis>should not</emphasis> be used, as the default '*' indicates to Samba to determine the best DC to contact dynamically, just as all other hosts in an - AD domain do. This allows the domain to be maintained without modification to + AD domain do. This allows the domain to be maintained (addition + and removal of domain controllers) without modification to the smb.conf file. The cryptographic protection on the authenticated RPC calls used to verify passwords ensures that this default is safe.</para> 
@@ -39,50 +38,6 @@ parameter <smbconfoption name="name resolve order"/> and so may resolved by any method and order described in that parameter.</para> - <para>If the <parameter moreinfo="none">security</parameter> parameter is - set to <constant>server</constant>, these additional restrictions apply:</para> - - <itemizedlist> - <listitem> - <para>You may list several password servers in - the <parameter moreinfo="none">password server</parameter> parameter, however if an - <command moreinfo="none">smbd</command> makes a connection to a password server, - and then the password server fails, no more users will be able - to be authenticated from this <command moreinfo="none">smbd</command>. This is a - restriction of the SMB/CIFS protocol when in <command moreinfo="none">security = server - </command> mode and cannot be fixed in Samba.</para> - </listitem> - - <listitem> - <para>You will have to ensure that your users - are able to login from the Samba server, as when in <command moreinfo="none"> - security = server</command> mode the network logon will appear to - come from the Samba server rather than from the users workstation.</para> - </listitem> - - <listitem> - <para>The client must not select NTLMv2 authentication.</para> - </listitem> - - <listitem> - <para>The password server must be a machine capable of using - the "LM1.2X002" or the "NT LM 0.12" protocol, and it must be in - user level security mode.</para> - </listitem> - - <listitem> - <para>Using a password server means your UNIX box (running - Samba) is only as secure as (a host masquerading as) your password server. <emphasis>DO NOT - CHOOSE A PASSWORD SERVER THAT YOU DON'T COMPLETELY TRUST</emphasis>. - </para> - </listitem> - - <listitem> - <para>Never point a Samba server at itself for password serving. - This will cause a loop and could lock up your Samba server!</para> - </listitem> - - </itemizedlist> </description> <related>security</related> |
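Review bot: in the first hunk, `server` is dropped from `security = [ads|domain|server]` and the opening sentence is narrowed to "a domain controller", but the text never says that `security = server` is no longer a supported value, so an administrator who still has `password server` set for that mode gets no hint that the setting now only applies to `domain` and `ads`. If the removal of the mode is the reason for this edit, add one sentence to the new paragraph saying so explicitly (for example after "using a specific remote server."), since the deleted restrictions list was the only place the old mode's behaviour was documented.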
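Review bot: the second hunk deletes the whole itemizedlist, but two of its items are not specific to `security = server` and still apply whenever an explicit name is given instead of the default '*': "Never point a Samba server at itself for password serving. This will cause a loop and could lock up your Samba server!" and "DO NOT CHOOSE A PASSWORD SERVER THAT YOU DON'T COMPLETELY TRUST". The self-reference warning holds under `domain` and `ads` too and should be kept as its own <para> after the name-resolve-order paragraph that is retained as context. The trust warning is only softened, not removed, by the retained sentence about cryptographic protection on the authenticated RPC calls, which addresses a host masquerading as the DC but not a compromised DC that the option names; either keep a shortened form of it or state in the first hunk's paragraph that the secure channel is what makes an explicit name acceptable.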