diff options
Diffstat (limited to 'docs/docbook/smbdotconf/protocol')
| -rw-r--r-- | docs/docbook/smbdotconf/protocol/clientusespnego.xml | 3 | ||||
| -rw-r--r-- | docs/docbook/smbdotconf/protocol/nameresolveorder.xml | 2 | ||||
| -rw-r--r-- | docs/docbook/smbdotconf/protocol/profileacls.xml | 13 |
3 files changed, 13 insertions, 5 deletions
diff --git a/docs/docbook/smbdotconf/protocol/clientusespnego.xml b/docs/docbook/smbdotconf/protocol/clientusespnego.xml index df25fbfb20..ce187a36fa 100644 --- a/docs/docbook/smbdotconf/protocol/clientusespnego.xml +++ b/docs/docbook/smbdotconf/protocol/clientusespnego.xml @@ -6,6 +6,9 @@ <para> This variable controls controls whether samba clients will try to use Simple and Protected NEGOciation (as specified by rfc2478) with WindowsXP and Windows2000 servers to agree upon an authentication mechanism. + SPNEGO client support for SMB Signing is currently broken, so + you might want to turn this option off when operating with + Windows 2003 domain controllers in particular. </para> <para>Default: <emphasis>client use spnego = yes</emphasis></para> diff --git a/docs/docbook/smbdotconf/protocol/nameresolveorder.xml b/docs/docbook/smbdotconf/protocol/nameresolveorder.xml index 4e88495489..45bc98843f 100644 --- a/docs/docbook/smbdotconf/protocol/nameresolveorder.xml +++ b/docs/docbook/smbdotconf/protocol/nameresolveorder.xml @@ -18,7 +18,7 @@ <para><constant>lmhosts</constant> : Lookup an IP address in the Samba lmhosts file. If the line in lmhosts has no name type attached to the NetBIOS name (see the <ulink - url="lmhosts.5.html">lmhosts(5)</ulink> for details) then + noescape="1" url="lmhosts.5.html">lmhosts(5)</ulink> for details) then any name type matches for lookup.</para> </listitem> diff --git a/docs/docbook/smbdotconf/protocol/profileacls.xml b/docs/docbook/smbdotconf/protocol/profileacls.xml index 6f2b3ec510..505f371809 100644 --- a/docs/docbook/smbdotconf/protocol/profileacls.xml +++ b/docs/docbook/smbdotconf/protocol/profileacls.xml @@ -10,7 +10,10 @@ Windows XP clients. New versions of Windows 2000 or Windows XP service packs do security ACL checking on the owner and ability to write of the profile directory stored on a local workstation when copied from a Samba - share. When not in domain mode with winbindd then the security info copied + share. +</para> + +<para>When not in domain mode with winbindd then the security info copied onto the local workstation has no meaning to the logged in user (SID) on that workstation so the profile storing fails. Adding this parameter onto a share used for profile storage changes two things about the @@ -19,15 +22,17 @@ BUILTIN\\Users respectively (SIDs S-1-5-32-544, S-1-5-32-545). Secondly it adds an ACE entry of "Full Control" to the SID BUILTIN\\Users to every returned ACL. This will allow any Windows 2000 or XP workstation - user to access the profile. Note that if you have multiple users logging + user to access the profile.</para> + + <para>Note that if you have multiple users logging on to a workstation then in order to prevent them from being able to access each others profiles you must remove the "Bypass traverse checking" advanced user right. This will prevent access to other users profile directories as the top level profile directory (named after the user) is created by the workstation profile code and has an ACL restricting entry to the directory tree to the owning user. - </para> - +</para> + <para>Default: <command moreinfo="none">profile acls = no</command></para> </listitem> </samba:parameter> |