diff options
Diffstat (limited to 'docs/docbook/smbdotconf/security/passwordserver.xml')
-rw-r--r-- | docs/docbook/smbdotconf/security/passwordserver.xml | 104 |
1 files changed, 0 insertions, 104 deletions
diff --git a/docs/docbook/smbdotconf/security/passwordserver.xml b/docs/docbook/smbdotconf/security/passwordserver.xml deleted file mode 100644 index f854027041..0000000000 --- a/docs/docbook/smbdotconf/security/passwordserver.xml +++ /dev/null @@ -1,104 +0,0 @@ -<samba:parameter name="password server" - context="G" - advanced="1" wizard="1" developer="1" - xmlns:samba="http://samba.org/common"> -<listitem> - <para>By specifying the name of another SMB server - or Active Directory domain controller with this option, - and using <command moreinfo="none">security = [ads|domain|server]</command> - it is possible to get Samba to - to do all its username/password validation using a specific remote server.</para> - - <para>This option sets the name or IP address of the password server to use. - New syntax has been added to support defining the port to use when connecting - to the server the case of an ADS realm. To define a port other than the - default LDAP port of 389, add the port number using a colon after the - name or IP address (e.g. 192.168.1.100:389). If you do not specify a port, - Samba will use the standard LDAP port of tcp/389. Note that port numbers - have no effect on password servers for Windows NT 4.0 domains or netbios - connections.</para> - - <para>If parameter is a name, it is looked up using the - parameter <link linkend="NAMERESOLVEORDER"><parameter moreinfo="none">name - resolve order</parameter></link> and so may resolved - by any method and order described in that parameter.</para> - - <para>The password server must be a machine capable of using - the "LM1.2X002" or the "NT LM 0.12" protocol, and it must be in - user level security mode.</para> - - <note><para>Using a password server means your UNIX box (running - Samba) is only as secure as your password server. <emphasis>DO NOT - CHOOSE A PASSWORD SERVER THAT YOU DON'T COMPLETELY TRUST</emphasis>. - </para></note> - - <para>Never point a Samba server at itself for password serving. - This will cause a loop and could lock up your Samba server!</para> - - <para>The name of the password server takes the standard - substitutions, but probably the only useful one is <parameter moreinfo="none">%m - </parameter>, which means the Samba server will use the incoming - client as the password server. If you use this then you better - trust your clients, and you had better restrict them with hosts allow!</para> - - <para>If the <parameter moreinfo="none">security</parameter> parameter is set to - <constant>domain</constant> or <constant>ads</constant>, then the list of machines in this - option must be a list of Primary or Backup Domain controllers for the - Domain or the character '*', as the Samba server is effectively - in that domain, and will use cryptographically authenticated RPC calls - to authenticate the user logging on. The advantage of using <command moreinfo="none"> - security = domain</command> is that if you list several hosts in the - <parameter moreinfo="none">password server</parameter> option then <command moreinfo="none">smbd - </command> will try each in turn till it finds one that responds. This - is useful in case your primary server goes down.</para> - - <para>If the <parameter moreinfo="none">password server</parameter> option is set - to the character '*', then Samba will attempt to auto-locate the - Primary or Backup Domain controllers to authenticate against by - doing a query for the name <constant>WORKGROUP<1C></constant> - and then contacting each server returned in the list of IP - addresses from the name resolution source. </para> - - <para>If the list of servers contains both names/IP's and the '*' - character, the list is treated as a list of preferred - domain controllers, but an auto lookup of all remaining DC's - will be added to the list as well. Samba will not attempt to optimize - this list by locating the closest DC.</para> - - <para>If the <parameter moreinfo="none">security</parameter> parameter is - set to <constant>server</constant>, then there are different - restrictions that <command moreinfo="none">security = domain</command> doesn't - suffer from:</para> - - <itemizedlist> - <listitem> - <para>You may list several password servers in - the <parameter moreinfo="none">password server</parameter> parameter, however if an - <command moreinfo="none">smbd</command> makes a connection to a password server, - and then the password server fails, no more users will be able - to be authenticated from this <command moreinfo="none">smbd</command>. This is a - restriction of the SMB/CIFS protocol when in <command moreinfo="none">security = server - </command> mode and cannot be fixed in Samba.</para> - </listitem> - - <listitem> - <para>If you are using a Windows NT server as your - password server then you will have to ensure that your users - are able to login from the Samba server, as when in <command moreinfo="none"> - security = server</command> mode the network logon will appear to - come from there rather than from the users workstation.</para> - </listitem> - </itemizedlist> - - <para>See also the <link linkend="SECURITY"><parameter moreinfo="none">security - </parameter></link> parameter.</para> - - <para>Default: <command moreinfo="none">password server = <empty string></command></para> - - <para>Example: <command moreinfo="none">password server = NT-PDC, NT-BDC1, NT-BDC2, *</command></para> - - <para>Example: <command moreinfo="none">password server = windc.mydomain.com:389 192.168.1.101 *</command></para> - - <para>Example: <command moreinfo="none">password server = *</command></para> -</listitem> -</samba:parameter> |