Diffstat (limited to 'docs/docbook/smbdotconf/security')
9 files changed, 81 insertions, 17 deletions
diff --git a/docs/docbook/smbdotconf/security/allowtrusteddomains.xml b/docs/docbook/smbdotconf/security/allowtrusteddomains.xml index 63363d2607..8354f8b8da 100644 --- a/docs/docbook/smbdotconf/security/allowtrusteddomains.xml +++ b/docs/docbook/smbdotconf/security/allowtrusteddomains.xml @@ -7,7 +7,7 @@ <parameter moreinfo="none">security</parameter></link> option is set to <constant>server</constant> or <constant>domain</constant>. If it is set to no, then attempts to connect to a resource from - a domain or workgroup other than the one which <ulink url="smbd.8.html">smbd</ulink> is running + a domain or workgroup other than the one which smbd is running in will fail, even if that domain is trusted by the remote server doing the authentication.</para> diff --git a/docs/docbook/smbdotconf/security/clientntlmv2auth.xml b/docs/docbook/smbdotconf/security/clientntlmv2auth.xml index 0bf196488b..611ebcd094 100644 --- a/docs/docbook/smbdotconf/security/clientntlmv2auth.xml +++ b/docs/docbook/smbdotconf/security/clientntlmv2auth.xml @@ -13,6 +13,12 @@ (including NT4 < SP4, Win9x and Samba 2.2) are not compatible with NTLMv2. </para> + <para>Similarly, if enabled, NTLMv1, <command + moreinfo="none">client lanman auth</command> and <command + moreinfo="none">client plaintext auth</command> + authentication will be disabled. This also disables share-level + authentication. </para> + <para>If disabled, an NTLM response (and possibly a LANMAN response) will be sent by the client, depending on the value of <command moreinfo="none">client lanman auth</command>. </para> diff --git a/docs/docbook/smbdotconf/security/clientplaintextauth.xml b/docs/docbook/smbdotconf/security/clientplaintextauth.xml new file mode 100644 index 0000000000..ac90ef9fe5 --- /dev/null +++ b/docs/docbook/smbdotconf/security/clientplaintextauth.xml 
@@ -0,0 +1,12 @@ +<samba:parameter name="client plaintext auth" + context="G" + basic="1" advanced="1" wizard="1" developer="1" + xmlns:samba="http://samba.org/common"> +<listitem> + <para>Specifies whether a client should send a plaintext + password if the server does not support encrypted passwords.</para> + + <para>Default: <command moreinfo="none">client plaintext auth = yes</command></para> + +</listitem> +</samba:parameter> diff --git a/docs/docbook/smbdotconf/security/clientschannel.xml b/docs/docbook/smbdotconf/security/clientschannel.xml new file mode 100644 index 0000000000..f3ad682517 --- /dev/null +++ b/docs/docbook/smbdotconf/security/clientschannel.xml @@ -0,0 +1,19 @@ +<samba:parameter name="client schannel" + context="G" + basic="1" + xmlns:samba="http://samba.org/common"> +<listitem> + + <para>This controls whether the client offers or even + demands the use of the netlogon schannel. + <parameter>client schannel = no</parameter> does not + offer the schannel, <parameter>server schannel = + auto</parameter> offers the schannel but does not + enforce it, and <parameter>server schannel = + yes</parameter> denies access if the server is not + able to speak netlogon schannel. </para> + + <para>Default: <command>client schannel = auto</command></para> + <para>Example: <command>client schannel = yes</command></para> +</listitem> +</samba:parameter> diff --git a/docs/docbook/smbdotconf/security/clientsigning.xml b/docs/docbook/smbdotconf/security/clientsigning.xml new file mode 100644 index 0000000000..e006dc71ab --- /dev/null +++ b/docs/docbook/smbdotconf/security/clientsigning.xml 
@@ -0,0 +1,19 @@ +<samba:parameter name="client signing" + context="G" + basic="1" + xmlns:samba="http://samba.org/common"> +<listitem> + + <para>This controls whether the client offers or requires + the server it talks to to use SMB signing. Possible values + are <emphasis>auto</emphasis>, <emphasis>mandatory</emphasis> + and <emphasis>disabled</emphasis>. + </para> + + <para>When set to auto, SMB signing is offered, but not enforced. + When set to mandatory, SMB signing is required and if set + to disabled, SMB signing is not offered either.</para> + + <para>Default: <command>client signing = auto</command></para> +</listitem> +</samba:parameter> diff --git a/docs/docbook/smbdotconf/security/passdbbackend.xml b/docs/docbook/smbdotconf/security/passdbbackend.xml index 1a3a83946a..8c64299dd4 100644 --- a/docs/docbook/smbdotconf/security/passdbbackend.xml +++ b/docs/docbook/smbdotconf/security/passdbbackend.xml 
@@ -55,22 +55,15 @@ details. </para></listitem> - <listitem> - <para><command moreinfo="none">guest</command> - - Very simple backend that only provides one user: the guest user. - Only maps the NT guest user to the <parameter>guest account</parameter>. - Required in pretty much all situations. - </para></listitem> - </itemizedlist> </para> <para>Default: <command moreinfo="none">passdb backend = smbpasswd</command></para> - <para>Example: <command moreinfo="none">passdb backend = tdbsam:/etc/samba/private/passdb.tdb smbpasswd:/etc/samba/smbpasswd guest</command></para> + <para>Example: <command moreinfo="none">passdb backend = tdbsam:/etc/samba/private/passdb.tdb smbpasswd:/etc/samba/smbpasswd</command></para> - <para>Example: <command moreinfo="none">passdb backend = ldapsam:ldaps://ldap.example.com guest</command></para> + <para>Example: <command moreinfo="none">passdb backend = ldapsam:ldaps://ldap.example.com</command></para> - <para>Example: <command moreinfo="none">passdb backend = mysql:my_plugin_args tdbsam:/etc/samba/private/passdb.tdb guest</command></para> + <para>Example: <command moreinfo="none">passdb backend = mysql:my_plugin_args tdbsam</command></para> </listitem> </samba:parameter> diff --git a/docs/docbook/smbdotconf/security/passwdprogram.xml b/docs/docbook/smbdotconf/security/passwdprogram.xml index dbcc261ce4..db02670158 100644 --- a/docs/docbook/smbdotconf/security/passwdprogram.xml +++ b/docs/docbook/smbdotconf/security/passwdprogram.xml 
@@ -17,9 +17,8 @@ <para><emphasis>Note</emphasis> that if the <parameter moreinfo="none">unix password sync</parameter> parameter is set to <constant>yes </constant> then this program is called <emphasis>AS ROOT</emphasis> - before the SMB password in the <ulink url="smbpasswd.5.html"><citerefentry> - <refentrytitle>smbpasswd</refentrytitle><manvolnum>5</manvolnum></citerefentry> - </ulink> file is changed. If this UNIX password change fails, then + before the SMB password in the smbpasswd + file is changed. If this UNIX password change fails, then <command moreinfo="none">smbd</command> will fail to change the SMB password also (this is by design).</para> diff --git a/docs/docbook/smbdotconf/security/preloadmodules.xml b/docs/docbook/smbdotconf/security/preloadmodules.xml index 7b4e57cff1..101d9606fa 100644 --- a/docs/docbook/smbdotconf/security/preloadmodules.xml +++ b/docs/docbook/smbdotconf/security/preloadmodules.xml @@ -7,9 +7,6 @@ be loaded into smbd before a client connects. This improves the speed of smbd when reacting to new connections somewhat. </para> - <para>It is recommended to only use this option on heavy-performance - servers.</para> - <para>Default: <command>preload modules = </command></para> <para>Example: <command>preload modules = /usr/lib/samba/passdb/mysql.so+++ </command></para> diff --git a/docs/docbook/smbdotconf/security/serversigning.xml b/docs/docbook/smbdotconf/security/serversigning.xml new file mode 100644 index 0000000000..5108918d84 --- /dev/null +++ b/docs/docbook/smbdotconf/security/serversigning.xml 
@@ -0,0 +1,19 @@ +<samba:parameter name="server signing" + context="G" + basic="1" + xmlns:samba="http://samba.org/common"> +<listitem> + + <para>This controls whether the server offers or requires + the client it talks to to use SMB signing. Possible values + are <emphasis>auto</emphasis>, <emphasis>mandatory</emphasis> + and <emphasis>disabled</emphasis>. + </para> + + <para>When set to auto, SMB signing is offered, but not enforced. + When set to mandatory, SMB signing is required and if set + to disabled, SMB signing is not offered either.</para> + + <para>Default: <command>client signing = False</command></para> +</listitem> +</samba:parameter> |
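Review bot: In allowtrusteddomains.xml, dropping the <ulink> leaves "smbd" as bare text with no markup at all. The passwdprogram.xml text in this same patch writes it as <command moreinfo="none">smbd</command>; using that form here would keep the daemon name consistently tagged.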
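Review bot: In clientntlmv2auth.xml, the new sentence "NTLMv1, client lanman auth and client plaintext auth authentication will be disabled" mixes a protocol name with two parameter names, so it is unclear whether the parameters are overridden or only the mechanisms they control. Suggest stating it as an override, for example "NTLMv1, LANMAN and plaintext authentication are disabled regardless of the client lanman auth and client plaintext auth settings", and tagging the parameter names with <parameter> as the new clientschannel.xml does rather than <command>.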
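Review bot: The new clientplaintextauth.xml documents a default of yes but does not mention that client ntlmv2 auth disables it, which the clientntlmv2auth.xml hunk in this same patch states. A cross-reference to client ntlmv2 auth, and an Example line showing client plaintext auth = no as the other new entries have for their parameters, would tell an administrator how to stop the client from sending plaintext passwords.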
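Review bot: In clientschannel.xml, the second and third values are written as <parameter>server schannel = auto</parameter> and <parameter>server schannel = yes</parameter>, although the entry describes client schannel and its first value is given as client schannel = no. This looks like a copy from the server-side entry; both should read client schannel so the text matches the Default and Example lines below it.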
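Review bot: In clientsigning.xml, "requires the server it talks to to use SMB signing" and "SMB signing is not offered either" are hard to parse, and the second sentence never says what happens to the connection when mandatory is set and the server cannot sign. Suggest "requires the server to use SMB signing" and "SMB signing is neither offered nor required", plus one sentence on the failure behaviour of mandatory.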
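Review bot: In passdbbackend.xml, the third example changes from "tdbsam:/etc/samba/private/passdb.tdb guest" to plain "tdbsam", so it loses the tdbsam path as well as the guest backend, while the first example keeps the path. If the path was dropped on purpose to show the default location, say so in the text; otherwise restore it so the change is limited to removing guest.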
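Review bot: In passwdprogram.xml, replacing the <ulink>/<citerefentry> with the bare words "the smbpasswd file" removes the only indication that this refers to the smbpasswd(5) file rather than the smbpasswd command. Wrapping the name in <filename> would keep that distinction now that the link is gone.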
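Review bot: In serversigning.xml, the Default line reads <command>client signing = False</command>, which names the wrong parameter and uses a value that is not among the three the entry lists (auto, mandatory, disabled). It should name server signing and give one of the documented values, for example server signing = disabled if off is the intended default.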