summaryrefslogtreecommitdiff
path: root/docs/docbook/smbdotconf/security/passwordserver.xml
diff options
context:
space:
mode:
Diffstat (limited to 'docs/docbook/smbdotconf/security/passwordserver.xml')
-rw-r--r--docs/docbook/smbdotconf/security/passwordserver.xml92
1 files changed, 92 insertions, 0 deletions
diff --git a/docs/docbook/smbdotconf/security/passwordserver.xml b/docs/docbook/smbdotconf/security/passwordserver.xml
new file mode 100644
index 0000000000..df50ac8f8a
--- /dev/null
+++ b/docs/docbook/smbdotconf/security/passwordserver.xml
@@ -0,0 +1,92 @@
+<samba:parameter xmlns:samba="http://samba.org/common">
+ <term><anchor id="PASSWORDSERVER"/>password server (G)</term>
+ <listitem><para>By specifying the name of another SMB server (such
+ as a WinNT box) with this option, and using <command moreinfo="none">security = domain
+ </command> or <command moreinfo="none">security = server</command> you can get Samba
+ to do all its username/password validation via a remote server.</para>
+
+ <para>This option sets the name of the password server to use.
+ It must be a NetBIOS name, so if the machine's NetBIOS name is
+ different from its Internet name then you may have to add its NetBIOS
+ name to the lmhosts file which is stored in the same directory
+ as the <filename moreinfo="none">smb.conf</filename> file.</para>
+
+ <para>The name of the password server is looked up using the
+ parameter <link linkend="NAMERESOLVEORDER"><parameter moreinfo="none">name
+ resolve order</parameter></link> and so may resolved
+ by any method and order described in that parameter.</para>
+
+ <para>The password server must be a machine capable of using
+ the &quot;LM1.2X002&quot; or the &quot;NT LM 0.12&quot; protocol, and it must be in
+ user level security mode.</para>
+
+ <para><emphasis>NOTE:</emphasis> Using a password server
+ means your UNIX box (running Samba) is only as secure as your
+ password server. <emphasis>DO NOT CHOOSE A PASSWORD SERVER THAT
+ YOU DON'T COMPLETELY TRUST</emphasis>.</para>
+
+ <para>Never point a Samba server at itself for password
+ serving. This will cause a loop and could lock up your Samba
+ server!</para>
+
+ <para>The name of the password server takes the standard
+ substitutions, but probably the only useful one is <parameter moreinfo="none">%m
+ </parameter>, which means the Samba server will use the incoming
+ client as the password server. If you use this then you better
+ trust your clients, and you had better restrict them with hosts allow!</para>
+
+ <para>If the <parameter moreinfo="none">security</parameter> parameter is set to
+ <constant>domain</constant>, then the list of machines in this
+ option must be a list of Primary or Backup Domain controllers for the
+ Domain or the character '*', as the Samba server is effectively
+ in that domain, and will use cryptographically authenticated RPC calls
+ to authenticate the user logging on. The advantage of using <command moreinfo="none">
+ security = domain</command> is that if you list several hosts in the
+ <parameter moreinfo="none">password server</parameter> option then <command moreinfo="none">smbd
+ </command> will try each in turn till it finds one that responds. This
+ is useful in case your primary server goes down.</para>
+
+ <para>If the <parameter moreinfo="none">password server</parameter> option is set
+ to the character '*', then Samba will attempt to auto-locate the
+ Primary or Backup Domain controllers to authenticate against by
+ doing a query for the name <constant>WORKGROUP&lt;1C&gt;</constant>
+ and then contacting each server returned in the list of IP
+ addresses from the name resolution source. </para>
+
+ <para>If the list of servers contains both names and the '*'
+ character, the list is treated as a list of preferred
+ domain controllers, but an auto lookup of all remaining DC's
+ will be added to the list as well. Samba will not attempt to optimize
+ this list by locating the closest DC.</para>
+
+ <para>If the <parameter moreinfo="none">security</parameter> parameter is
+ set to <constant>server</constant>, then there are different
+ restrictions that <command moreinfo="none">security = domain</command> doesn't
+ suffer from:</para>
+
+ <itemizedlist>
+ <listitem><para>You may list several password servers in
+ the <parameter moreinfo="none">password server</parameter> parameter, however if an
+ <command moreinfo="none">smbd</command> makes a connection to a password server,
+ and then the password server fails, no more users will be able
+ to be authenticated from this <command moreinfo="none">smbd</command>. This is a
+ restriction of the SMB/CIFS protocol when in <command moreinfo="none">security = server
+ </command> mode and cannot be fixed in Samba.</para></listitem>
+
+ <listitem><para>If you are using a Windows NT server as your
+ password server then you will have to ensure that your users
+ are able to login from the Samba server, as when in <command moreinfo="none">
+ security = server</command> mode the network logon will appear to
+ come from there rather than from the users workstation.</para></listitem>
+ </itemizedlist>
+
+ <para>See also the <link linkend="SECURITY"><parameter moreinfo="none">security
+ </parameter></link> parameter.</para>
+
+ <para>Default: <command moreinfo="none">password server = &lt;empty string&gt;</command>
+ </para>
+ <para>Example: <command moreinfo="none">password server = NT-PDC, NT-BDC1, NT-BDC2, *
+ </command></para>
+ <para>Example: <command moreinfo="none">password server = *</command></para>
+ </listitem>
+ </samba:parameter>