path: root/docs/docbook/manpages/smb.conf.5.sgml
Diffstat (limited to 'docs/docbook/manpages/smb.conf.5.sgml')
-rw-r--r-- docs/docbook/manpages/smb.conf.5.sgml 363
1 files changed, 2 insertions, 361 deletions
diff --git a/docs/docbook/manpages/smb.conf.5.sgml b/docs/docbook/manpages/smb.conf.5.sgml
index ba4495e34f..a9963b72ce 100644
--- a/docs/docbook/manpages/smb.conf.5.sgml
+++ b/docs/docbook/manpages/smb.conf.5.sgml
@@ -729,24 +729,6 @@
<listitem><para><link linkend="SOCKETOPTIONS"><parameter>socket options</parameter></link></para></listitem>
<listitem><para><link linkend="SOURCEENVIRONMENT"><parameter>source environment</parameter></link></para></listitem>
- <listitem><para><link linkend="SSL"><parameter>ssl</parameter></link></para></listitem>
- <listitem><para><link linkend="SSLCACERTDIR"><parameter>ssl CA certDir</parameter></link></para></listitem>
- <listitem><para><link linkend="SSLCACERTFILE"><parameter>ssl CA certFile</parameter></link></para></listitem>
- <listitem><para><link linkend="SSLCIPHERS"><parameter>ssl ciphers</parameter></link></para></listitem>
- <listitem><para><link linkend="SSLCLIENTCERT"><parameter>ssl client cert</parameter></link></para></listitem>
- <listitem><para><link linkend="SSLCLIENTKEY"><parameter>ssl client key</parameter></link></para></listitem>
- <listitem><para><link linkend="SSLCOMPATIBILITY"><parameter>ssl compatibility</parameter></link></para></listitem>
- <listitem><para><link linkend="SSLEGDSOCKET"><parameter>ssl egd socket</parameter></link></para></listitem>
- <listitem><para><link linkend="SSLENTROPYBYTES"><parameter>ssl entropy bytes</parameter></link></para></listitem>
- <listitem><para><link linkend="SSLENTROPYFILE"><parameter>ssl entropy file</parameter></link></para></listitem>
- <listitem><para><link linkend="SSLHOSTS"><parameter>ssl hosts</parameter></link></para></listitem>
- <listitem><para><link linkend="SSLHOSTSRESIGN"><parameter>ssl hosts resign</parameter></link></para></listitem>
- <listitem><para><link linkend="SSLREQUIRECLIENTCERT"><parameter>ssl require clientcert</parameter></link></para></listitem>
- <listitem><para><link linkend="SSLREQUIRESERVERCERT"><parameter>ssl require servercert</parameter></link></para></listitem>
- <listitem><para><link linkend="SSLSERVERCERT"><parameter>ssl server cert</parameter></link></para></listitem>
- <listitem><para><link linkend="SSLSERVERKEY"><parameter>ssl server key</parameter></link></para></listitem>
- <listitem><para><link linkend="SSLVERSION"><parameter>ssl version</parameter></link></para></listitem>
-
<listitem><para><link linkend="STATCACHE"><parameter>stat cache</parameter></link></para></listitem>
<listitem><para><link linkend="STATCACHESIZE"><parameter>stat cache size</parameter></link></para></listitem>
<listitem><para><link linkend="STRIPDOT"><parameter>strip dot</parameter></link></para></listitem>
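Review bot: dropping the seventeen index entries from SSL through SSLVERSION is only safe if no other `linkend="SSL…"` reference survives in smb.conf.5.sgml. The ldap ssl paragraph is handled in the next hunk, but nothing visible here shows the rest of the file was checked. Since `linkend` must resolve to an existing id, a leftover reference to any of these anchors will fail DocBook validation once the entries in the last hunk are gone. Please grep the file for the removed ids before merging.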
@@ -3387,9 +3369,9 @@
This option is used to define whether or not Samba should
use SSL when connecting to the <link linkend="LDAPSERVER"><parameter>ldap
server</parameter></link>. This is <emphasis>NOT</emphasis> related to
- Samba SSL support which is enabled by specifying the
+ Samba's previous SSL support which was enabled by specifying the
<command>--with-ssl</command> option to the <filename>configure</filename>
- script (see <link linkend="SSL"><parameter>ssl</parameter></link>).
+ script.
</para>
<para>
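Review bot: the reworded sentence in the ldap ssl paragraph still tells the reader about the `--with-ssl` configure option without saying whether that option still exists. "Samba's previous SSL support which was enabled by specifying" implies the feature is gone, but someone reading only this paragraph cannot tell from which release, or whether passing `--with-ssl` now has any effect. Either state plainly that the option and the ssl parameters have been removed, or drop the sentence, since there is no longer an `ssl` parameter in this page for `ldap ssl` to be confused with.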
@@ -7031,347 +7013,6 @@
<varlistentry>
- <term><anchor id="SSL">ssl (G)</term>
- <listitem><para>This variable is part of SSL-enabled Samba. This
- is only available if the SSL libraries have been compiled on your
- system and the configure option <command>--with-ssl</command> was
- given at configure time.</para>
-
- <para>This variable enables or disables the entire SSL mode. If
- it is set to <constant>no</constant>, the SSL-enabled Samba behaves
- exactly like the non-SSL Samba. If set to <constant>yes</constant>,
- it depends on the variables <link linkend="SSLHOSTS"><parameter>
- ssl hosts</parameter></link> and <link linkend="SSLHOSTSRESIGN">
- <parameter>ssl hosts resign</parameter></link> whether an SSL
- connection will be required.</para>
-
- <para>Default: <command>ssl = no</command></para>
- </listitem>
- </varlistentry>
-
-
-
- <varlistentry>
- <term><anchor id="SSLCACERTDIR">ssl CA certDir (G)</term>
- <listitem><para>This variable is part of SSL-enabled Samba. This
- is only available if the SSL libraries have been compiled on your
- system and the configure option <command>--with-ssl</command> was
- given at configure time.</para>
-
- <para>This variable defines where to look up the Certification
- Authorities. The given directory should contain one file for
- each CA that Samba will trust. The file name must be the hash
- value over the "Distinguished Name" of the CA. How this directory
- is set up is explained later in this document. All files within the
- directory that don't fit into this naming scheme are ignored. You
- don't need this variable if you don't verify client certificates.</para>
-
- <para>Default: <command>ssl CA certDir = /usr/local/ssl/certs
- </command></para>
- </listitem>
- </varlistentry>
-
-
-
- <varlistentry>
- <term><anchor id="SSLCACERTFILE">ssl CA certFile (G)</term>
- <listitem><para>This variable is part of SSL-enabled Samba. This
- is only available if the SSL libraries have been compiled on your
- system and the configure option <command>--with-ssl</command> was
- given at configure time.</para>
-
- <para>This variable is a second way to define the trusted CAs.
- The certificates of the trusted CAs are collected in one big
- file and this variable points to the file. You will probably
- only use one of the two ways to define your CAs. The first choice is
- preferable if you have many CAs or want to be flexible, the second
- is preferable if you only have one CA and want to keep things
- simple (you won't need to create the hashed file names). You
- don't need this variable if you don't verify client certificates.</para>
-
- <para>Default: <command>ssl CA certFile = /usr/local/ssl/certs/trustedCAs.pem
- </command></para>
- </listitem>
- </varlistentry>
-
-
-
- <varlistentry>
- <term><anchor id="SSLCIPHERS">ssl ciphers (G)</term>
- <listitem><para>This variable is part of SSL-enabled Samba. This
- is only available if the SSL libraries have been compiled on your
- system and the configure option <command>--with-ssl</command> was
- given at configure time.</para>
-
- <para>This variable defines the ciphers that should be offered
- during SSL negotiation. You should not set this variable unless
- you know what you are doing.</para>
- </listitem>
- </varlistentry>
-
-
- <varlistentry>
- <term><anchor id="SSLCLIENTCERT">ssl client cert (G)</term>
- <listitem><para>This variable is part of SSL-enabled Samba. This
- is only available if the SSL libraries have been compiled on your
- system and the configure option <command>--with-ssl</command> was
- given at configure time.</para>
-
- <para>The certificate in this file is used by <ulink url="smbclient.1.html">
- <command>smbclient(1)</command></ulink> if it exists. It's needed
- if the server requires a client certificate.</para>
-
- <para>Default: <command>ssl client cert = /usr/local/ssl/certs/smbclient.pem
- </command></para>
- </listitem>
- </varlistentry>
-
-
-
- <varlistentry>
- <term><anchor id="SSLCLIENTKEY">ssl client key (G)</term>
- <listitem><para>This variable is part of SSL-enabled Samba. This
- is only available if the SSL libraries have been compiled on your
- system and the configure option <command>--with-ssl</command> was
- given at configure time.</para>
-
- <para>This is the private key for <ulink url="smbclient.1.html">
- <command>smbclient(1)</command></ulink>. It's only needed if the
- client should have a certificate. </para>
-
- <para>Default: <command>ssl client key = /usr/local/ssl/private/smbclient.pem
- </command></para>
- </listitem>
- </varlistentry>
-
-
-
- <varlistentry>
- <term><anchor id="SSLCOMPATIBILITY">ssl compatibility (G)</term>
- <listitem><para>This variable is part of SSL-enabled Samba. This
- is only available if the SSL libraries have been compiled on your
- system and the configure option <command>--with-ssl</command> was
- given at configure time.</para>
-
- <para>This variable defines whether OpenSSL should be configured
- for bug compatibility with other SSL implementations. This is
- probably not desirable because currently no clients with SSL
- implementations other than OpenSSL exist.</para>
-
- <para>Default: <command>ssl compatibility = no</command></para>
- </listitem>
- </varlistentry>
-
-
- <varlistentry>
- <term><anchor id="SSLEGDSOCKET">ssl egd socket (G)</term>
- <listitem><para>This variable is part of SSL-enabled Samba. This
- is only available if the SSL libraries have been compiled on your
- system and the configure option <command>--with-ssl</command> was
- given at configure time.</para>
-
- <para>
- This option is used to define the location of the communiation socket of
- an EGD or PRNGD daemon, from which entropy can be retrieved. This option
- can be used instead of or together with the <link
- linkend="SSLENTROPYFILE"><parameter>ssl entropy file</parameter></link>
- directive. 255 bytes of entropy will be retrieved from the daemon.
- </para>
-
- <para>Default: <emphasis>none</emphasis></para>
- </listitem>
- </varlistentry>
-
-
- <varlistentry>
- <term><anchor id="SSLENTROPYBYTES">ssl entropy bytes (G)</term>
- <listitem><para>This variable is part of SSL-enabled Samba. This
- is only available if the SSL libraries have been compiled on your
- system and the configure option <command>--with-ssl</command> was
- given at configure time.</para>
-
- <para>
- This parameter is used to define the number of bytes which should
- be read from the <link linkend="SSLENTROPYFILE"><parameter>ssl entropy
- file</parameter></link> If a -1 is specified, the entire file will
- be read.
- </para>
-
- <para>Default: <command>ssl entropy bytes = 255</command></para>
- </listitem>
- </varlistentry>
-
-
-
- <varlistentry>
- <term><anchor id="SSLENTROPYFILE">ssl entropy file (G)</term>
- <listitem><para>This variable is part of SSL-enabled Samba. This
- is only available if the SSL libraries have been compiled on your
- system and the configure option <command>--with-ssl</command> was
- given at configure time.</para>
-
- <para>
- This parameter is used to specify a file from which processes will
- read "random bytes" on startup. In order to seed the internal pseudo
- random number generator, entropy must be provided. On system with a
- <filename>/dev/urandom</filename> device file, the processes
- will retrieve its entropy from the kernel. On systems without kernel
- entropy support, a file can be supplied that will be read on startup
- and that will be used to seed the PRNG.
- </para>
-
- <para>Default: <emphasis>none</emphasis></para>
- </listitem>
- </varlistentry>
-
-
-
- <varlistentry>
- <term><anchor id="SSLHOSTS">ssl hosts (G)</term>
- <listitem><para>See <link linkend="SSLHOSTSRESIGN"><parameter>
- ssl hosts resign</parameter></link>.</para>
- </listitem>
- </varlistentry>
-
-
- <varlistentry>
- <term><anchor id="SSLHOSTSRESIGN">ssl hosts resign (G)</term>
- <listitem><para>This variable is part of SSL-enabled Samba. This
- is only available if the SSL libraries have been compiled on your
- system and the configure option <command>--with-ssl</command> was
- given at configure time.</para>
-
- <para>These two variables define whether Samba will go
- into SSL mode or not. If none of them is defined, Samba will
- allow only SSL connections. If the <link linkend="SSLHOSTS">
- <parameter>ssl hosts</parameter></link> variable lists
- hosts (by IP-address, IP-address range, net group or name),
- only these hosts will be forced into SSL mode. If the <parameter>
- ssl hosts resign</parameter> variable lists hosts, only these
- hosts will <emphasis>NOT</emphasis> be forced into SSL mode. The syntax for these two
- variables is the same as for the <link linkend="HOSTSALLOW"><parameter>
- hosts allow</parameter></link> and <link linkend="HOSTSDENY">
- <parameter>hosts deny</parameter></link> pair of variables, only
- that the subject of the decision is different: It's not the access
- right but whether SSL is used or not. </para>
-
- <para>The example below requires SSL connections from all hosts
- outside the local net (which is 192.168.*.*).</para>
-
- <para>Default: <command>ssl hosts = &lt;empty string&gt;</command></para>
- <para><command>ssl hosts resign = &lt;empty string&gt;</command></para>
-
- <para>Example: <command>ssl hosts resign = 192.168.</command></para>
- </listitem>
- </varlistentry>
-
-
-
- <varlistentry>
- <term><anchor id="SSLREQUIRECLIENTCERT">ssl require clientcert (G)</term>
- <listitem><para>This variable is part of SSL-enabled Samba. This
- is only available if the SSL libraries have been compiled on your
- system and the configure option <command>--with-ssl</command> was
- given at configure time.</para>
-
- <para>If this variable is set to <constant>yes</constant>, the
- server will not tolerate connections from clients that don't
- have a valid certificate. The directory/file given in <link
- linkend="SSLCACERTDIR"><parameter>ssl CA certDir</parameter>
- </link> and <link linkend="SSLCACERTFILE"><parameter>ssl CA certFile
- </parameter></link> will be used to look up the CAs that issued
- the client's certificate. If the certificate can't be verified
- positively, the connection will be terminated. If this variable
- is set to <constant>no</constant>, clients don't need certificates.
- Contrary to web applications you really <emphasis>should</emphasis>
- require client certificates. In the web environment the client's
- data is sensitive (credit card numbers) and the server must prove
- to be trustworthy. In a file server environment the server's data
- will be sensitive and the clients must prove to be trustworthy.</para>
-
- <para>Default: <command>ssl require clientcert = no</command></para>
- </listitem>
- </varlistentry>
-
-
-
- <varlistentry>
- <term><anchor id="SSLREQUIRESERVERCERT">ssl require servercert (G)</term>
- <listitem><para>This variable is part of SSL-enabled Samba. This
- is only available if the SSL libraries have been compiled on your
- system and the configure option <command>--with-ssl</command> was
- given at configure time.</para>
-
- <para>If this variable is set to <constant>yes</constant>, the
- <ulink url="smbclient.1.html"><command>smbclient(1)</command>
- </ulink> will request a certificate from the server. Same as
- <link linkend="SSLREQUIRECLIENTCERT"><parameter>ssl require
- clientcert</parameter></link> for the server.</para>
-
- <para>Default: <command>ssl require servercert = no</command>
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term><anchor id="SSLSERVERCERT">ssl server cert (G)</term>
- <listitem><para>This variable is part of SSL-enabled Samba. This
- is only available if the SSL libraries have been compiled on your
- system and the configure option <command>--with-ssl</command> was
- given at configure time.</para>
-
- <para>This is the file containing the server's certificate.
- The server <emphasis>must</emphasis> have a certificate. The
- file may also contain the server's private key. See later for
- how certificates and private keys are created.</para>
-
- <para>Default: <command>ssl server cert = &lt;empty string&gt;
- </command></para>
- </listitem>
- </varlistentry>
-
-
- <varlistentry>
- <term><anchor id="SSLSERVERKEY">ssl server key (G)</term>
- <listitem><para>This variable is part of SSL-enabled Samba. This
- is only available if the SSL libraries have been compiled on your
- system and the configure option <command>--with-ssl</command> was
- given at configure time.</para>
-
- <para>This file contains the private key of the server. If
- this variable is not defined, the key is looked up in the
- certificate file (it may be appended to the certificate).
- The server <emphasis>must</emphasis> have a private key
- and the certificate <emphasis>must</emphasis>
- match this private key.</para>
-
- <para>Default: <command>ssl server key = &lt;empty string&gt;
- </command></para>
- </listitem>
- </varlistentry>
-
-
- <varlistentry>
- <term><anchor id="SSLVERSION">ssl version (G)</term>
- <listitem><para>This variable is part of SSL-enabled Samba. This
- is only available if the SSL libraries have been compiled on your
- system and the configure option <command>--with-ssl</command> was
- given at configure time.</para>
-
- <para>This enumeration variable defines the versions of the
- SSL protocol that will be used. <constant>ssl2or3</constant> allows
- dynamic negotiation of SSL v2 or v3, <constant>ssl2</constant> results
- in SSL v2, <constant>ssl3</constant> results in SSL v3 and
- <constant>tls1</constant> results in TLS v1. TLS (Transport Layer
- Security) is the new standard for SSL.</para>
-
- <para>Default: <command>ssl version = "ssl2or3"</command></para>
- </listitem>
- </varlistentry>
-
-
-
- <varlistentry>
<term><anchor id="STATCACHE">stat cache (G)</term>
<listitem><para>This parameter determines if <ulink
url="smbd.8.html">smbd(8)</ulink> will use a cache in order to
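Review bot: all seventeen ssl parameter entries are deleted in this hunk with no replacement text, so an administrator whose smb.conf still contains them gets no guidance from the man page. That matters most for the enforcing settings: the removed text documents `ssl hosts` / `ssl hosts resign` as forcing hosts into SSL mode and `ssl require clientcert = yes` as terminating connections from clients without a valid certificate. Whether smbd now rejects or ignores these lines is not visible in this patch. If they are ignored, a deployment that relied on them loses transport encryption and client authentication without any notice. Suggest leaving a short note in the parameter list that the ssl options are no longer recognized and how smbd treats them when they are found in an existing configuration.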