Diffstat (limited to 'docs-xml/smbdotconf/security')
-rw-r--r-- | docs-xml/smbdotconf/security/adminusers.xml | 3
-rw-r--r-- | docs-xml/smbdotconf/security/encryptpasswords.xml | 2
-rw-r--r-- | docs-xml/smbdotconf/security/maptoguest.xml | 18
-rw-r--r-- | docs-xml/smbdotconf/security/passwordserver.xml | 55
-rw-r--r-- | docs-xml/smbdotconf/security/readlist.xml | 4
-rw-r--r-- | docs-xml/smbdotconf/security/security.xml | 2
-rw-r--r-- | docs-xml/smbdotconf/security/usernamemap.xml | 6
-rw-r--r-- | docs-xml/smbdotconf/security/writelist.xml | 5
8 files changed, 12 insertions, 83 deletions
diff --git a/docs-xml/smbdotconf/security/adminusers.xml b/docs-xml/smbdotconf/security/adminusers.xml index d8f14b6d74..30adea9d97 100644 --- a/docs-xml/smbdotconf/security/adminusers.xml +++ b/docs-xml/smbdotconf/security/adminusers.xml @@ -11,9 +11,6 @@ this list will be able to do anything they like on the share, irrespective of file permissions.</para> - <para>This parameter will not work with the <smbconfoption name="security">share</smbconfoption> in - Samba 3.0. This is by design.</para> - </description> <value type="default"/> diff --git a/docs-xml/smbdotconf/security/encryptpasswords.xml b/docs-xml/smbdotconf/security/encryptpasswords.xml index 1a631fd098..fdf0cfd43e 100644 --- a/docs-xml/smbdotconf/security/encryptpasswords.xml +++ b/docs-xml/smbdotconf/security/encryptpasswords.xml @@ -32,7 +32,7 @@ have access to a local <citerefentry><refentrytitle>smbpasswd</refentrytitle> <manvolnum>5</manvolnum></citerefentry> file (see the <citerefentry><refentrytitle>smbpasswd</refentrytitle> <manvolnum>8</manvolnum></citerefentry> program for information on how to set up - and maintain this file), or set the <smbconfoption name="security">[server|domain|ads]</smbconfoption> parameter which + and maintain this file), or set the <smbconfoption name="security">[domain|ads]</smbconfoption> parameter which causes <command moreinfo="none">smbd</command> to authenticate against another server.</para> </description> diff --git a/docs-xml/smbdotconf/security/maptoguest.xml b/docs-xml/smbdotconf/security/maptoguest.xml index 0f680ae71c..09017bcb10 100644 --- a/docs-xml/smbdotconf/security/maptoguest.xml +++ b/docs-xml/smbdotconf/security/maptoguest.xml 
@@ -4,11 +4,6 @@ advanced="1" developer="1" xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> <description> - <para>This parameter is only useful in <smbconfoption name="SECURITY"> - security</smbconfoption> modes other than <parameter moreinfo="none">security = share</parameter> - and <parameter moreinfo="none">security = server</parameter> - - i.e. <constant>user</constant>, and <constant>domain</constant>.</para> - <para>This parameter can take four different values, which tell <citerefentry><refentrytitle>smbd</refentrytitle> <manvolnum>8</manvolnum></citerefentry> what to do with user @@ -55,20 +50,11 @@ </itemizedlist> <para>Note that this parameter is needed to set up "Guest" - share services when using <parameter moreinfo="none">security</parameter> modes other than - share and server. This is because in these modes the name of the resource being + share services. This is because in these modes the name of the resource being requested is <emphasis>not</emphasis> sent to the server until after the server has successfully authenticated the client so the server cannot make authentication decisions at the correct time (connection - to the share) for "Guest" shares. This parameter is not useful with - <parameter moreinfo="none">security = server</parameter> as in this security mode - no information is returned about whether a user logon failed due to - a bad username or bad password, the same error is returned from a modern server - in both cases.</para> - - <para>For people familiar with the older Samba releases, this - parameter maps to the old compile-time setting of the <constant> - GUEST_SESSSETUP</constant> value in local.h.</para> + to the share) for "Guest" shares. </para> </description> <value type="default">Never</value> diff --git a/docs-xml/smbdotconf/security/passwordserver.xml b/docs-xml/smbdotconf/security/passwordserver.xml index ad242c4a41..18baa9bdbc 100644 --- a/docs-xml/smbdotconf/security/passwordserver.xml 
+++ b/docs-xml/smbdotconf/security/passwordserver.xml @@ -4,17 +4,16 @@ advanced="1" wizard="1" developer="1" xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> <description> - <para>By specifying the name of another SMB server - or Active Directory domain controller with this option, - and using <command moreinfo="none">security = [ads|domain|server]</command> + <para>By specifying the name of a domain controller with this option, + and using <command moreinfo="none">security = [ads|domain]</command> it is possible to get Samba to do all its username/password validation using a specific remote server.</para> - <para>If the <parameter moreinfo="none">security</parameter> parameter is set to - <constant>domain</constant> or <constant>ads</constant>, then this option + <para>Ideally, this option <emphasis>should not</emphasis> be used, as the default '*' indicates to Samba to determine the best DC to contact dynamically, just as all other hosts in an - AD domain do. This allows the domain to be maintained without modification to + AD domain do. This allows the domain to be maintained (addition + and removal of domain controllers) without modification to the smb.conf file. The cryptographic protection on the authenticated RPC calls used to verify passwords ensures that this default is safe.</para> 
@@ -39,50 +38,6 @@ parameter <smbconfoption name="name resolve order"/> and so may resolved by any method and order described in that parameter.</para> - <para>If the <parameter moreinfo="none">security</parameter> parameter is - set to <constant>server</constant>, these additional restrictions apply:</para> - - <itemizedlist> - <listitem> - <para>You may list several password servers in - the <parameter moreinfo="none">password server</parameter> parameter, however if an - <command moreinfo="none">smbd</command> makes a connection to a password server, - and then the password server fails, no more users will be able - to be authenticated from this <command moreinfo="none">smbd</command>. This is a - restriction of the SMB/CIFS protocol when in <command moreinfo="none">security = server - </command> mode and cannot be fixed in Samba.</para> - </listitem> - - <listitem> - <para>You will have to ensure that your users - are able to login from the Samba server, as when in <command moreinfo="none"> - security = server</command> mode the network logon will appear to - come from the Samba server rather than from the users workstation.</para> - </listitem> - - <listitem> - <para>The client must not select NTLMv2 authentication.</para> - </listitem> - - <listitem> - <para>The password server must be a machine capable of using - the "LM1.2X002" or the "NT LM 0.12" protocol, and it must be in - user level security mode.</para> - </listitem> - - <listitem> - <para>Using a password server means your UNIX box (running - Samba) is only as secure as (a host masquerading as) your password server. <emphasis>DO NOT - CHOOSE A PASSWORD SERVER THAT YOU DON'T COMPLETELY TRUST</emphasis>. - </para> - </listitem> - - <listitem> - <para>Never point a Samba server at itself for password serving. - This will cause a loop and could lock up your Samba server!</para> - </listitem> - - </itemizedlist> </description> <related>security</related> 
diff --git a/docs-xml/smbdotconf/security/readlist.xml b/docs-xml/smbdotconf/security/readlist.xml index df6b4f129b..c874fef456 100644 --- a/docs-xml/smbdotconf/security/readlist.xml +++ b/docs-xml/smbdotconf/security/readlist.xml @@ -9,11 +9,7 @@ to. The list can include group names using the syntax described in the <smbconfoption name="invalid users"/> parameter. </para> - - <para>This parameter will not work with the <smbconfoption name="security">share</smbconfoption> in - Samba 3.0. This is by design.</para> </description> - <related>write list</related> <related>invalid users</related> diff --git a/docs-xml/smbdotconf/security/security.xml b/docs-xml/smbdotconf/security/security.xml index 453de94620..406089f2da 100644 --- a/docs-xml/smbdotconf/security/security.xml +++ b/docs-xml/smbdotconf/security/security.xml @@ -16,7 +16,7 @@ <para>The alternatives are <command moreinfo="none">security = ads</command> or <command moreinfo="none">security = domain - </command>, which support joining Samba to a Windows domain, along with <command moreinfo="none">security = server</command>, which is deprecated.</para> + </command>, which support joining Samba to a Windows domain</para> <para>You should use <command moreinfo="none">security = user</command> and <smbconfoption name="map to guest"/> if you diff --git a/docs-xml/smbdotconf/security/usernamemap.xml b/docs-xml/smbdotconf/security/usernamemap.xml index fec7375f7f..21098fa463 100644 --- a/docs-xml/smbdotconf/security/usernamemap.xml +++ b/docs-xml/smbdotconf/security/usernamemap.xml 
@@ -12,7 +12,7 @@ </para> <para> - Please note that for user or share mode security, the username map is applied prior to validating the user + Please note that for user mode security, the username map is applied prior to validating the user credentials. Domain member servers (domain or ads) apply the username map after the user has been successfully authenticated by the domain controller and require fully qualified entries in the map table (e.g. biddle = <literal>DOMAIN\foo</literal>). @@ -84,8 +84,8 @@ guest = * Note that the remapping is applied to all occurrences of usernames. Thus if you connect to \\server\fred and <constant>fred</constant> is remapped to <constant>mary</constant> then you will actually be connecting to \\server\mary and will need to supply a password suitable for <constant>mary</constant> not - <constant>fred</constant>. The only exception to this is the username passed to the <smbconfoption - name="password server"/> (if you have one). The password server will receive whatever username the client + <constant>fred</constant>. The only exception to this is the + username passed to a Domain Controller (if you have one). The DC will receive whatever username the client supplies without modification. </para> diff --git a/docs-xml/smbdotconf/security/writelist.xml b/docs-xml/smbdotconf/security/writelist.xml index 60db3f19f0..c17db81743 100644 --- a/docs-xml/smbdotconf/security/writelist.xml +++ b/docs-xml/smbdotconf/security/writelist.xml @@ -15,11 +15,6 @@ given write access. </para> - <para> - By design, this parameter will not work with the - <smbconfoption name="security">share</smbconfoption> in Samba 3.0. - </para> - </description> <related>read list</related> |
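Review bot: in maptoguest.xml, hunk @@ -55,20 +50,11 @@, the retained sentence "This is because in these modes the name of the resource being requested is not sent to the server until after the server has successfully authenticated the client" has lost its antecedent: the clause that named the security modes is removed on the line above, so "these modes" now refers to nothing. Suggest making the sentence mode-independent, for example "This is because the name of the resource being requested is not sent to the server until after ...". The new closing line also leaves a stray space before </para> in `to the share) for "Guest" shares. </para>`.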
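Review bot: in security.xml, hunk @@ -16,7 +16,7 @@, the added line closes the paragraph without a full stop: `</command>, which support joining Samba to a Windows domain</para>`. The removed line ended in "which is deprecated.", so the period was dropped together with the security = server clause; add it back before </para>.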
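Review bot: in usernamemap.xml, hunk @@ -84,8 +84,8 @@, the replacement text writes "Domain Controller" with capitals, while the passwordserver.xml hunk in this same patch uses "domain controller" and the earlier hunk in this file says "Domain member servers (domain or ads)"; pick one spelling across the security/ pages. The parenthetical "(if you have one)" was carried over from the password server wording and reads oddly next to a DC; something like "when Samba is a domain member" would match the paragraph changed in hunk @@ -12,7 +12,7 @@.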
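Review bot: in readlist.xml, hunk @@ -9,11 +9,7 @@, the blank line between </description> and <related>write list</related> is deleted in addition to the security = share paragraph. That is a whitespace change unrelated to the documentation cleanup; either leave the separator line in place or mention the layout change in the commit message.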