diff options
Diffstat (limited to 'docs/docbook/smbdotconf/security/passwordserver.xml')
| -rw-r--r-- | docs/docbook/smbdotconf/security/passwordserver.xml | 92 |
1 files changed, 92 insertions, 0 deletions
diff --git a/docs/docbook/smbdotconf/security/passwordserver.xml b/docs/docbook/smbdotconf/security/passwordserver.xml new file mode 100644 index 0000000000..df50ac8f8a --- /dev/null +++ b/docs/docbook/smbdotconf/security/passwordserver.xml @@ -0,0 +1,92 @@ +<samba:parameter xmlns:samba="http://samba.org/common"> + <term><anchor id="PASSWORDSERVER"/>password server (G)</term> + <listitem><para>By specifying the name of another SMB server (such + as a WinNT box) with this option, and using <command moreinfo="none">security = domain + </command> or <command moreinfo="none">security = server</command> you can get Samba + to do all its username/password validation via a remote server.</para> + + <para>This option sets the name of the password server to use. + It must be a NetBIOS name, so if the machine's NetBIOS name is + different from its Internet name then you may have to add its NetBIOS + name to the lmhosts file which is stored in the same directory + as the <filename moreinfo="none">smb.conf</filename> file.</para> + + <para>The name of the password server is looked up using the + parameter <link linkend="NAMERESOLVEORDER"><parameter moreinfo="none">name + resolve order</parameter></link> and so may resolved + by any method and order described in that parameter.</para> + + <para>The password server must be a machine capable of using + the "LM1.2X002" or the "NT LM 0.12" protocol, and it must be in + user level security mode.</para> + + <para><emphasis>NOTE:</emphasis> Using a password server + means your UNIX box (running Samba) is only as secure as your + password server. <emphasis>DO NOT CHOOSE A PASSWORD SERVER THAT + YOU DON'T COMPLETELY TRUST</emphasis>.</para> + + <para>Never point a Samba server at itself for password + serving. This will cause a loop and could lock up your Samba + server!</para> + + <para>The name of the password server takes the standard + substitutions, but probably the only useful one is <parameter moreinfo="none">%m + </parameter>, which means the Samba server will use the incoming + client as the password server. If you use this then you better + trust your clients, and you had better restrict them with hosts allow!</para> + + <para>If the <parameter moreinfo="none">security</parameter> parameter is set to + <constant>domain</constant>, then the list of machines in this + option must be a list of Primary or Backup Domain controllers for the + Domain or the character '*', as the Samba server is effectively + in that domain, and will use cryptographically authenticated RPC calls + to authenticate the user logging on. The advantage of using <command moreinfo="none"> + security = domain</command> is that if you list several hosts in the + <parameter moreinfo="none">password server</parameter> option then <command moreinfo="none">smbd + </command> will try each in turn till it finds one that responds. This + is useful in case your primary server goes down.</para> + + <para>If the <parameter moreinfo="none">password server</parameter> option is set + to the character '*', then Samba will attempt to auto-locate the + Primary or Backup Domain controllers to authenticate against by + doing a query for the name <constant>WORKGROUP<1C></constant> + and then contacting each server returned in the list of IP + addresses from the name resolution source. </para> + + <para>If the list of servers contains both names and the '*' + character, the list is treated as a list of preferred + domain controllers, but an auto lookup of all remaining DC's + will be added to the list as well. Samba will not attempt to optimize + this list by locating the closest DC.</para> + + <para>If the <parameter moreinfo="none">security</parameter> parameter is + set to <constant>server</constant>, then there are different + restrictions that <command moreinfo="none">security = domain</command> doesn't + suffer from:</para> + + <itemizedlist> + <listitem><para>You may list several password servers in + the <parameter moreinfo="none">password server</parameter> parameter, however if an + <command moreinfo="none">smbd</command> makes a connection to a password server, + and then the password server fails, no more users will be able + to be authenticated from this <command moreinfo="none">smbd</command>. This is a + restriction of the SMB/CIFS protocol when in <command moreinfo="none">security = server + </command> mode and cannot be fixed in Samba.</para></listitem> + + <listitem><para>If you are using a Windows NT server as your + password server then you will have to ensure that your users + are able to login from the Samba server, as when in <command moreinfo="none"> + security = server</command> mode the network logon will appear to + come from there rather than from the users workstation.</para></listitem> + </itemizedlist> + + <para>See also the <link linkend="SECURITY"><parameter moreinfo="none">security + </parameter></link> parameter.</para> + + <para>Default: <command moreinfo="none">password server = <empty string></command> + </para> + <para>Example: <command moreinfo="none">password server = NT-PDC, NT-BDC1, NT-BDC2, * + </command></para> + <para>Example: <command moreinfo="none">password server = *</command></para> + </listitem> + </samba:parameter> |