diff options
Diffstat (limited to 'docs/docbook/smbdotconf/security')
69 files changed, 0 insertions, 1871 deletions
diff --git a/docs/docbook/smbdotconf/security/adminusers.xml b/docs/docbook/smbdotconf/security/adminusers.xml deleted file mode 100644 index 2e1abaf6e1..0000000000 --- a/docs/docbook/smbdotconf/security/adminusers.xml +++ /dev/null @@ -1,15 +0,0 @@ -<samba:parameter xmlns:samba="http://samba.org/common"> - <term><anchor id="ADMINUSERS"/>admin users (S)</term> - <listitem><para>This is a list of users who will be granted - administrative privileges on the share. This means that they - will do all file operations as the super-user (root).</para> - - <para>You should use this option very carefully, as any user in - this list will be able to do anything they like on the share, - irrespective of file permissions.</para> - - <para>Default: <emphasis>no admin users</emphasis></para> - - <para>Example: <command moreinfo="none">admin users = jason</command></para> - </listitem> - </samba:parameter> diff --git a/docs/docbook/smbdotconf/security/algorithmicridbase.xml b/docs/docbook/smbdotconf/security/algorithmicridbase.xml deleted file mode 100644 index 3c2bf8686e..0000000000 --- a/docs/docbook/smbdotconf/security/algorithmicridbase.xml +++ /dev/null @@ -1,22 +0,0 @@ -<samba:parameter xmlns:samba="http://samba.org/common"> - <term><anchor id="ALGORITHMICRIDBASE"/>algorithmic rid base (G)</term> - <listitem><para>This determines how Samba will use its - algorithmic mapping from uids/gid to the RIDs needed to construct - NT Security Identifiers.</para> - - <para>Setting this option to a larger value could be useful to sites - transitioning from WinNT and Win2k, as existing user and - group rids would otherwise clash with sytem users etc. - </para> - - <para>All UIDs and GIDs must be able to be resolved into SIDs for - the correct operation of ACLs on the server. As such the algorithmic - mapping can't be 'turned off', but pushing it 'out of the way' should - resolve the issues. Users and groups can then be assigned 'low' RIDs - in arbitary-rid supporting backends. </para> - - <para>Default: <command moreinfo="none">algorithmic rid base = 1000</command></para> - - <para>Example: <command moreinfo="none">algorithmic rid base = 100000</command></para> - </listitem> - </samba:parameter> diff --git a/docs/docbook/smbdotconf/security/allowhosts.xml b/docs/docbook/smbdotconf/security/allowhosts.xml deleted file mode 100644 index 7fd2f426f8..0000000000 --- a/docs/docbook/smbdotconf/security/allowhosts.xml +++ /dev/null @@ -1,5 +0,0 @@ -<samba:parameter xmlns:samba="http://samba.org/common"> - <term><anchor id="ALLOWHOSTS"/>allow hosts (S)</term> - <listitem><para>Synonym for <link linkend="HOSTSALLOW"> - <parameter moreinfo="none">hosts allow</parameter></link>.</para></listitem> - </samba:parameter> diff --git a/docs/docbook/smbdotconf/security/allowtrusteddomains.xml b/docs/docbook/smbdotconf/security/allowtrusteddomains.xml deleted file mode 100644 index 35dcd76cbd..0000000000 --- a/docs/docbook/smbdotconf/security/allowtrusteddomains.xml +++ /dev/null @@ -1,22 +0,0 @@ -<samba:parameter xmlns:samba="http://samba.org/common"> - <term><anchor id="ALLOWTRUSTEDDOMAINS"/>allow trusted domains (G)</term> - <listitem><para>This option only takes effect when the <link linkend="SECURITY"><parameter moreinfo="none">security</parameter></link> option is set to - <constant>server</constant> or <constant>domain</constant>. - If it is set to no, then attempts to connect to a resource from - a domain or workgroup other than the one which <ulink url="smbd.8.html">smbd</ulink> is running - in will fail, even if that domain is trusted by the remote server - doing the authentication.</para> - - <para>This is useful if you only want your Samba server to - serve resources to users in the domain it is a member of. As - an example, suppose that there are two domains DOMA and DOMB. DOMB - is trusted by DOMA, which contains the Samba server. Under normal - circumstances, a user with an account in DOMB can then access the - resources of a UNIX account with the same account name on the - Samba server even if they do not have an account in DOMA. This - can make implementing a security boundary difficult.</para> - - <para>Default: <command moreinfo="none">allow trusted domains = yes</command></para> - - </listitem> - </samba:parameter> diff --git a/docs/docbook/smbdotconf/security/authmethods.xml b/docs/docbook/smbdotconf/security/authmethods.xml deleted file mode 100644 index 2e569558a0..0000000000 --- a/docs/docbook/smbdotconf/security/authmethods.xml +++ /dev/null @@ -1,16 +0,0 @@ -<samba:parameter xmlns:samba="http://samba.org/common"> - <term><anchor id="AUTHMETHODS"/>auth methods (G)</term> - <listitem><para>This option allows the administrator to chose what - authentication methods <command moreinfo="none">smbd</command> will use when authenticating - a user. This option defaults to sensible values based on <link linkend="SECURITY"><parameter moreinfo="none"> - security</parameter></link>. - - Each entry in the list attempts to authenticate the user in turn, until - the user authenticates. In practice only one method will ever actually - be able to complete the authentication. - </para> - - <para>Default: <command moreinfo="none">auth methods = <empty string></command></para> - <para>Example: <command moreinfo="none">auth methods = guest sam ntdomain</command></para> - </listitem> - </samba:parameter> diff --git a/docs/docbook/smbdotconf/security/createmask.xml b/docs/docbook/smbdotconf/security/createmask.xml deleted file mode 100644 index 9a197bf7c3..0000000000 --- a/docs/docbook/smbdotconf/security/createmask.xml +++ /dev/null @@ -1,39 +0,0 @@ -<samba:parameter xmlns:samba="http://samba.org/common"> - <term><anchor id="CREATEMASK"/>create mask (S)</term> - <listitem><para>A synonym for this parameter is - <link linkend="CREATEMODE"><parameter moreinfo="none">create mode</parameter> - </link>.</para> - - <para>When a file is created, the necessary permissions are - calculated according to the mapping from DOS modes to UNIX - permissions, and the resulting UNIX mode is then bit-wise 'AND'ed - with this parameter. This parameter may be thought of as a bit-wise - MASK for the UNIX modes of a file. Any bit <emphasis>not</emphasis> - set here will be removed from the modes set on a file when it is - created.</para> - - <para>The default value of this parameter removes the - 'group' and 'other' write and execute bits from the UNIX modes.</para> - - <para>Following this Samba will bit-wise 'OR' the UNIX mode created - from this parameter with the value of the <link linkend="FORCECREATEMODE"><parameter moreinfo="none">force create mode</parameter></link> - parameter which is set to 000 by default.</para> - - <para>This parameter does not affect directory modes. See the - parameter <link linkend="DIRECTORYMODE"><parameter moreinfo="none">directory mode - </parameter></link> for details.</para> - - <para>See also the <link linkend="FORCECREATEMODE"><parameter moreinfo="none">force - create mode</parameter></link> parameter for forcing particular mode - bits to be set on created files. See also the <link linkend="DIRECTORYMODE"> - <parameter moreinfo="none">directory mode</parameter></link> parameter for masking - mode bits on created directories. See also the <link linkend="INHERITPERMISSIONS"> - <parameter moreinfo="none">inherit permissions</parameter></link> parameter.</para> - - <para>Note that this parameter does not apply to permissions - set by Windows NT/2000 ACL editors. If the administrator wishes to enforce - a mask on access control lists also, they need to set the <link linkend="SECURITYMASK"><parameter moreinfo="none">security mask</parameter></link>.</para> - - <para>Default: <command moreinfo="none">create mask = 0744</command></para> - <para>Example: <command moreinfo="none">create mask = 0775</command></para></listitem> - </samba:parameter> diff --git a/docs/docbook/smbdotconf/security/createmode.xml b/docs/docbook/smbdotconf/security/createmode.xml deleted file mode 100644 index 7e78ab0181..0000000000 --- a/docs/docbook/smbdotconf/security/createmode.xml +++ /dev/null @@ -1,5 +0,0 @@ -<samba:parameter xmlns:samba="http://samba.org/common"> - <term><anchor id="CREATEMODE"/>create mode (S)</term> - <listitem><para>This is a synonym for <link linkend="CREATEMASK"><parameter moreinfo="none"> - create mask</parameter></link>.</para></listitem> - </samba:parameter> diff --git a/docs/docbook/smbdotconf/security/denyhosts.xml b/docs/docbook/smbdotconf/security/denyhosts.xml deleted file mode 100644 index f50fb33d33..0000000000 --- a/docs/docbook/smbdotconf/security/denyhosts.xml +++ /dev/null @@ -1,5 +0,0 @@ -<samba:parameter xmlns:samba="http://samba.org/common"> - <term><anchor id="DENYHOSTS"/>deny hosts (S)</term> - <listitem><para>Synonym for <link linkend="HOSTSDENY"><parameter moreinfo="none">hosts - deny</parameter></link>.</para></listitem> - </samba:parameter> diff --git a/docs/docbook/smbdotconf/security/directorymask.xml b/docs/docbook/smbdotconf/security/directorymask.xml deleted file mode 100644 index 0844733ede..0000000000 --- a/docs/docbook/smbdotconf/security/directorymask.xml +++ /dev/null @@ -1,43 +0,0 @@ -<samba:parameter xmlns:samba="http://samba.org/common"> - <term><anchor id="DIRECTORYMASK"/>directory mask (S)</term> - <listitem><para>This parameter is the octal modes which are - used when converting DOS modes to UNIX modes when creating UNIX - directories.</para> - - <para>When a directory is created, the necessary permissions are - calculated according to the mapping from DOS modes to UNIX permissions, - and the resulting UNIX mode is then bit-wise 'AND'ed with this - parameter. This parameter may be thought of as a bit-wise MASK for - the UNIX modes of a directory. Any bit <emphasis>not</emphasis> set - here will be removed from the modes set on a directory when it is - created.</para> - - <para>The default value of this parameter removes the 'group' - and 'other' write bits from the UNIX mode, allowing only the - user who owns the directory to modify it.</para> - - <para>Following this Samba will bit-wise 'OR' the UNIX mode - created from this parameter with the value of the <link linkend="FORCEDIRECTORYMODE"><parameter moreinfo="none">force directory mode - </parameter></link> parameter. This parameter is set to 000 by - default (i.e. no extra mode bits are added).</para> - - <para>Note that this parameter does not apply to permissions - set by Windows NT/2000 ACL editors. If the administrator wishes to enforce - a mask on access control lists also, they need to set the <link linkend="DIRECTORYSECURITYMASK"><parameter moreinfo="none">directory security mask</parameter></link>.</para> - - <para>See the <link linkend="FORCEDIRECTORYMODE"><parameter moreinfo="none">force - directory mode</parameter></link> parameter to cause particular mode - bits to always be set on created directories.</para> - - <para>See also the <link linkend="CREATEMODE"><parameter moreinfo="none">create mode - </parameter></link> parameter for masking mode bits on created files, - and the <link linkend="DIRECTORYSECURITYMASK"><parameter moreinfo="none">directory - security mask</parameter></link> parameter.</para> - - <para>Also refer to the <link linkend="INHERITPERMISSIONS"><parameter moreinfo="none"> - inherit permissions</parameter></link> parameter.</para> - - <para>Default: <command moreinfo="none">directory mask = 0755</command></para> - <para>Example: <command moreinfo="none">directory mask = 0775</command></para> - </listitem> - </samba:parameter> diff --git a/docs/docbook/smbdotconf/security/directorymode.xml b/docs/docbook/smbdotconf/security/directorymode.xml deleted file mode 100644 index 9678cd91ad..0000000000 --- a/docs/docbook/smbdotconf/security/directorymode.xml +++ /dev/null @@ -1,5 +0,0 @@ -<samba:parameter xmlns:samba="http://samba.org/common"> - <term><anchor id="DIRECTORYMODE"/>directory mode (S)</term> - <listitem><para>Synonym for <link linkend="DIRECTORYMASK"><parameter moreinfo="none"> - directory mask</parameter></link></para></listitem> - </samba:parameter> diff --git a/docs/docbook/smbdotconf/security/directorysecuritymask.xml b/docs/docbook/smbdotconf/security/directorysecuritymask.xml deleted file mode 100644 index 76d153f6f4..0000000000 --- a/docs/docbook/smbdotconf/security/directorysecuritymask.xml +++ /dev/null @@ -1,32 +0,0 @@ -<samba:parameter xmlns:samba="http://samba.org/common"> - <term><anchor id="DIRECTORYSECURITYMASK"/>directory security mask (S)</term> - <listitem><para>This parameter controls what UNIX permission bits - can be modified when a Windows NT client is manipulating the UNIX - permission on a directory using the native NT security dialog - box.</para> - - <para>This parameter is applied as a mask (AND'ed with) to - the changed permission bits, thus preventing any bits not in - this mask from being modified. Essentially, zero bits in this - mask may be treated as a set of bits the user is not allowed - to change.</para> - - <para>If not set explicitly this parameter is set to 0777 - meaning a user is allowed to modify all the user/group/world - permissions on a directory.</para> - - <para><emphasis>Note</emphasis> that users who can access the - Samba server through other means can easily bypass this restriction, - so it is primarily useful for standalone "appliance" systems. - Administrators of most normal systems will probably want to leave - it as the default of <constant>0777</constant>.</para> - - <para>See also the <link linkend="FORCEDIRECTORYSECURITYMODE"><parameter moreinfo="none"> - force directory security mode</parameter></link>, <link linkend="SECURITYMASK"><parameter moreinfo="none">security mask</parameter></link>, - <link linkend="FORCESECURITYMODE"><parameter moreinfo="none">force security mode - </parameter></link> parameters.</para> - - <para>Default: <command moreinfo="none">directory security mask = 0777</command></para> - <para>Example: <command moreinfo="none">directory security mask = 0700</command></para> - </listitem> - </samba:parameter> diff --git a/docs/docbook/smbdotconf/security/encryptpasswords.xml b/docs/docbook/smbdotconf/security/encryptpasswords.xml deleted file mode 100644 index d7ceb8d598..0000000000 --- a/docs/docbook/smbdotconf/security/encryptpasswords.xml +++ /dev/null @@ -1,21 +0,0 @@ -<samba:parameter xmlns:samba="http://samba.org/common"> - <term><anchor id="ENCRYPTPASSWORDS"/>encrypt passwords (G)</term> - <listitem><para>This boolean controls whether encrypted passwords - will be negotiated with the client. Note that Windows NT 4.0 SP3 and - above and also Windows 98 will by default expect encrypted passwords - unless a registry entry is changed. To use encrypted passwords in - Samba see the file ENCRYPTION.txt in the Samba documentation - directory <filename moreinfo="none">docs/</filename> shipped with the source code.</para> - - <para>In order for encrypted passwords to work correctly - <citerefentry><refentrytitle>smbd</refentrytitle> - <manvolnum>8</manvolnum></citerefentry> must either - have access to a local <citerefentry><refentrytitle>smbpasswd</refentrytitle> - <manvolnum>5</manvolnum></citerefentry> file (see the <citerefentry><refentrytitle>smbpasswd</refentrytitle> - <manvolnum>8</manvolnum></citerefentry> program for information on how to set up - and maintain this file), or set the <link linkend="SECURITY">security = [server|domain|ads]</link> parameter which - causes <command moreinfo="none">smbd</command> to authenticate against another - server.</para> - - <para>Default: <command moreinfo="none">encrypt passwords = yes</command></para></listitem> - </samba:parameter> diff --git a/docs/docbook/smbdotconf/security/forcecreatemode.xml b/docs/docbook/smbdotconf/security/forcecreatemode.xml deleted file mode 100644 index 238340d7c5..0000000000 --- a/docs/docbook/smbdotconf/security/forcecreatemode.xml +++ /dev/null @@ -1,25 +0,0 @@ -<samba:parameter xmlns:samba="http://samba.org/common"> - <term><anchor id="FORCECREATEMODE"/>force create mode (S)</term> - <listitem><para>This parameter specifies a set of UNIX mode bit - permissions that will <emphasis>always</emphasis> be set on a - file created by Samba. This is done by bitwise 'OR'ing these bits onto - the mode bits of a file that is being created or having its - permissions changed. The default for this parameter is (in octal) - 000. The modes in this parameter are bitwise 'OR'ed onto the file - mode after the mask set in the <parameter moreinfo="none">create mask</parameter> - parameter is applied.</para> - - <para>See also the parameter <link linkend="CREATEMASK"><parameter moreinfo="none">create - mask</parameter></link> for details on masking mode bits on files.</para> - - <para>See also the <link linkend="INHERITPERMISSIONS"><parameter moreinfo="none">inherit - permissions</parameter></link> parameter.</para> - - <para>Default: <command moreinfo="none">force create mode = 000</command></para> - <para>Example: <command moreinfo="none">force create mode = 0755</command></para> - - <para>would force all created files to have read and execute - permissions set for 'group' and 'other' as well as the - read/write/execute bits set for the 'user'.</para> - </listitem> - </samba:parameter> diff --git a/docs/docbook/smbdotconf/security/forcedirectorymode.xml b/docs/docbook/smbdotconf/security/forcedirectorymode.xml deleted file mode 100644 index 460a7fc6f2..0000000000 --- a/docs/docbook/smbdotconf/security/forcedirectorymode.xml +++ /dev/null @@ -1,26 +0,0 @@ -<samba:parameter xmlns:samba="http://samba.org/common"> - <term><anchor id="FORCEDIRECTORYMODE"/>force directory mode (S)</term> - <listitem><para>This parameter specifies a set of UNIX mode bit - permissions that will <emphasis>always</emphasis> be set on a directory - created by Samba. This is done by bitwise 'OR'ing these bits onto the - mode bits of a directory that is being created. The default for this - parameter is (in octal) 0000 which will not add any extra permission - bits to a created directory. This operation is done after the mode - mask in the parameter <parameter moreinfo="none">directory mask</parameter> is - applied.</para> - - <para>See also the parameter <link linkend="DIRECTORYMASK"><parameter moreinfo="none"> - directory mask</parameter></link> for details on masking mode bits - on created directories.</para> - - <para>See also the <link linkend="INHERITPERMISSIONS"><parameter moreinfo="none"> - inherit permissions</parameter></link> parameter.</para> - - <para>Default: <command moreinfo="none">force directory mode = 000</command></para> - <para>Example: <command moreinfo="none">force directory mode = 0755</command></para> - - <para>would force all created directories to have read and execute - permissions set for 'group' and 'other' as well as the - read/write/execute bits set for the 'user'.</para> - </listitem> - </samba:parameter> diff --git a/docs/docbook/smbdotconf/security/forcedirectorysecuritymode.xml b/docs/docbook/smbdotconf/security/forcedirectorysecuritymode.xml deleted file mode 100644 index a01b297b05..0000000000 --- a/docs/docbook/smbdotconf/security/forcedirectorysecuritymode.xml +++ /dev/null @@ -1,32 +0,0 @@ -<samba:parameter xmlns:samba="http://samba.org/common"> - <term><anchor id="FORCEDIRECTORYSECURITYMODE"/>force directory security mode (S)</term> - <listitem><para>This parameter controls what UNIX permission bits - can be modified when a Windows NT client is manipulating the UNIX - permission on a directory using the native NT security dialog box.</para> - - <para>This parameter is applied as a mask (OR'ed with) to the - changed permission bits, thus forcing any bits in this mask that - the user may have modified to be on. Essentially, one bits in this - mask may be treated as a set of bits that, when modifying security - on a directory, the user has always set to be 'on'.</para> - - <para>If not set explicitly this parameter is 000, which - allows a user to modify all the user/group/world permissions on a - directory without restrictions.</para> - - <para><emphasis>Note</emphasis> that users who can access the - Samba server through other means can easily bypass this restriction, - so it is primarily useful for standalone "appliance" systems. - Administrators of most normal systems will probably want to leave - it set as 0000.</para> - - <para>See also the <link linkend="DIRECTORYSECURITYMASK"><parameter moreinfo="none"> - directory security mask</parameter></link>, <link linkend="SECURITYMASK"> - <parameter moreinfo="none">security mask</parameter></link>, - <link linkend="FORCESECURITYMODE"><parameter moreinfo="none">force security mode - </parameter></link> parameters.</para> - - <para>Default: <command moreinfo="none">force directory security mode = 0</command></para> - <para>Example: <command moreinfo="none">force directory security mode = 700</command></para> - </listitem> - </samba:parameter> diff --git a/docs/docbook/smbdotconf/security/forcegroup.xml b/docs/docbook/smbdotconf/security/forcegroup.xml deleted file mode 100644 index abfec79e03..0000000000 --- a/docs/docbook/smbdotconf/security/forcegroup.xml +++ /dev/null @@ -1,35 +0,0 @@ -<samba:parameter xmlns:samba="http://samba.org/common"> - <term><anchor id="FORCEGROUP"/>force group (S)</term> - <listitem><para>This specifies a UNIX group name that will be - assigned as the default primary group for all users connecting - to this service. This is useful for sharing files by ensuring - that all access to files on service will use the named group for - their permissions checking. Thus, by assigning permissions for this - group to the files and directories within this service the Samba - administrator can restrict or allow sharing of these files.</para> - - <para>In Samba 2.0.5 and above this parameter has extended - functionality in the following way. If the group name listed here - has a '+' character prepended to it then the current user accessing - the share only has the primary group default assigned to this group - if they are already assigned as a member of that group. This allows - an administrator to decide that only users who are already in a - particular group will create files with group ownership set to that - group. This gives a finer granularity of ownership assignment. For - example, the setting <filename moreinfo="none">force group = +sys</filename> means - that only users who are already in group sys will have their default - primary group assigned to sys when accessing this Samba share. All - other users will retain their ordinary primary group.</para> - - <para>If the <link linkend="FORCEUSER"><parameter moreinfo="none">force user - </parameter></link> parameter is also set the group specified in - <parameter moreinfo="none">force group</parameter> will override the primary group - set in <parameter moreinfo="none">force user</parameter>.</para> - - <para>See also <link linkend="FORCEUSER"><parameter moreinfo="none">force - user</parameter></link>.</para> - - <para>Default: <emphasis>no forced group</emphasis></para> - <para>Example: <command moreinfo="none">force group = agroup</command></para> - </listitem> - </samba:parameter> diff --git a/docs/docbook/smbdotconf/security/forcesecuritymode.xml b/docs/docbook/smbdotconf/security/forcesecuritymode.xml deleted file mode 100644 index 2db50f1ce3..0000000000 --- a/docs/docbook/smbdotconf/security/forcesecuritymode.xml +++ /dev/null @@ -1,33 +0,0 @@ -<samba:parameter xmlns:samba="http://samba.org/common"> - <term><anchor id="FORCESECURITYMODE"/>force security mode (S)</term> - <listitem><para>This parameter controls what UNIX permission - bits can be modified when a Windows NT client is manipulating - the UNIX permission on a file using the native NT security dialog - box.</para> - - <para>This parameter is applied as a mask (OR'ed with) to the - changed permission bits, thus forcing any bits in this mask that - the user may have modified to be on. Essentially, one bits in this - mask may be treated as a set of bits that, when modifying security - on a file, the user has always set to be 'on'.</para> - - <para>If not set explicitly this parameter is set to 0, - and allows a user to modify all the user/group/world permissions on a file, - with no restrictions.</para> - - <para><emphasis>Note</emphasis> that users who can access - the Samba server through other means can easily bypass this restriction, - so it is primarily useful for standalone "appliance" systems. - Administrators of most normal systems will probably want to leave - this set to 0000.</para> - - <para>See also the <link linkend="FORCEDIRECTORYSECURITYMODE"><parameter moreinfo="none"> - force directory security mode</parameter></link>, - <link linkend="DIRECTORYSECURITYMASK"><parameter moreinfo="none">directory security - mask</parameter></link>, <link linkend="SECURITYMASK"><parameter moreinfo="none"> - security mask</parameter></link> parameters.</para> - - <para>Default: <command moreinfo="none">force security mode = 0</command></para> - <para>Example: <command moreinfo="none">force security mode = 700</command></para> - </listitem> - </samba:parameter> diff --git a/docs/docbook/smbdotconf/security/forceuser.xml b/docs/docbook/smbdotconf/security/forceuser.xml deleted file mode 100644 index 4747db13fe..0000000000 --- a/docs/docbook/smbdotconf/security/forceuser.xml +++ /dev/null @@ -1,25 +0,0 @@ -<samba:parameter xmlns:samba="http://samba.org/common"> - <term><anchor id="FORCEUSER"/>force user (S)</term> - <listitem><para>This specifies a UNIX user name that will be - assigned as the default user for all users connecting to this service. - This is useful for sharing files. You should also use it carefully - as using it incorrectly can cause security problems.</para> - - <para>This user name only gets used once a connection is established. - Thus clients still need to connect as a valid user and supply a - valid password. Once connected, all file operations will be performed - as the "forced user", no matter what username the client connected - as. This can be very useful.</para> - - <para>In Samba 2.0.5 and above this parameter also causes the - primary group of the forced user to be used as the primary group - for all file activity. Prior to 2.0.5 the primary group was left - as the primary group of the connecting user (this was a bug).</para> - - <para>See also <link linkend="FORCEGROUP"><parameter moreinfo="none">force group - </parameter></link></para> - - <para>Default: <emphasis>no forced user</emphasis></para> - <para>Example: <command moreinfo="none">force user = auser</command></para> - </listitem> - </samba:parameter> diff --git a/docs/docbook/smbdotconf/security/group.xml b/docs/docbook/smbdotconf/security/group.xml deleted file mode 100644 index afc410ce34..0000000000 --- a/docs/docbook/smbdotconf/security/group.xml +++ /dev/null @@ -1,5 +0,0 @@ -<samba:parameter xmlns:samba="http://samba.org/common"> - <term><anchor id="GROUP"/>group (S)</term> - <listitem><para>Synonym for <link linkend="FORCEGROUP"><parameter moreinfo="none">force - group</parameter></link>.</para></listitem> - </samba:parameter> diff --git a/docs/docbook/smbdotconf/security/guestaccount.xml b/docs/docbook/smbdotconf/security/guestaccount.xml deleted file mode 100644 index ab15c4460d..0000000000 --- a/docs/docbook/smbdotconf/security/guestaccount.xml +++ /dev/null @@ -1,27 +0,0 @@ -<samba:parameter xmlns:samba="http://samba.org/common"> - <term><anchor id="GUESTACCOUNT"/>guest account (S)</term> - <listitem><para>This is a username which will be used for access - to services which are specified as <link linkend="GUESTOK"><parameter moreinfo="none"> - guest ok</parameter></link> (see below). Whatever privileges this - user has will be available to any client connecting to the guest service. - Typically this user will exist in the password file, but will not - have a valid login. The user account "ftp" is often a good choice - for this parameter. If a username is specified in a given service, - the specified username overrides this one.</para> - - <para>One some systems the default guest account "nobody" may not - be able to print. Use another account in this case. You should test - this by trying to log in as your guest user (perhaps by using the - <command moreinfo="none">su -</command> command) and trying to print using the - system print command such as <command moreinfo="none">lpr(1)</command> or <command moreinfo="none"> - lp(1)</command>.</para> - - <para>This parameter does not accept % macros, because - many parts of the system require this value to be - constant for correct operation.</para> - - <para>Default: <emphasis>specified at compile time, usually - "nobody"</emphasis></para> - - <para>Example: <command moreinfo="none">guest account = ftp</command></para></listitem> - </samba:parameter> diff --git a/docs/docbook/smbdotconf/security/guestok.xml b/docs/docbook/smbdotconf/security/guestok.xml deleted file mode 100644 index 2b7a8cee8a..0000000000 --- a/docs/docbook/smbdotconf/security/guestok.xml +++ /dev/null @@ -1,17 +0,0 @@ -<samba:parameter xmlns:samba="http://samba.org/common"> - <term><anchor id="GUESTOK"/>guest ok (S)</term> - <listitem><para>If this parameter is <constant>yes</constant> for - a service, then no password is required to connect to the service. - Privileges will be those of the <link linkend="GUESTACCOUNT"><parameter moreinfo="none"> - guest account</parameter></link>.</para> - - <para>This paramater nullifies the benifits of setting - <link linkend="RESTRICTANONYMOUS"><parameter moreinfo="none">restrict - anonymous</parameter></link> = 2</para> - - <para>See the section below on <link linkend="SECURITY"><parameter moreinfo="none"> - security</parameter></link> for more information about this option. - </para> - - <para>Default: <command moreinfo="none">guest ok = no</command></para></listitem> - </samba:parameter> diff --git a/docs/docbook/smbdotconf/security/guestonly.xml b/docs/docbook/smbdotconf/security/guestonly.xml deleted file mode 100644 index ac7f62ad68..0000000000 --- a/docs/docbook/smbdotconf/security/guestonly.xml +++ /dev/null @@ -1,13 +0,0 @@ -<samba:parameter xmlns:samba="http://samba.org/common"> - <term><anchor id="GUESTONLY"/>guest only (S)</term> - <listitem><para>If this parameter is <constant>yes</constant> for - a service, then only guest connections to the service are permitted. - This parameter will have no effect if <link linkend="GUESTOK"> - <parameter moreinfo="none">guest ok</parameter></link> is not set for the service.</para> - - <para>See the section below on <link linkend="SECURITY"><parameter moreinfo="none"> - security</parameter></link> for more information about this option. - </para> - - <para>Default: <command moreinfo="none">guest only = no</command></para></listitem> - </samba:parameter> diff --git a/docs/docbook/smbdotconf/security/hostsallow.xml b/docs/docbook/smbdotconf/security/hostsallow.xml deleted file mode 100644 index ea91b73903..0000000000 --- a/docs/docbook/smbdotconf/security/hostsallow.xml +++ /dev/null @@ -1,60 +0,0 @@ -<samba:parameter xmlns:samba="http://samba.org/common"> - <term><anchor id="HOSTSALLOW"/>hosts allow (S)</term> - <listitem><para>A synonym for this parameter is <parameter moreinfo="none">allow - hosts</parameter>.</para> - - <para>This parameter is a comma, space, or tab delimited - set of hosts which are permitted to access a service.</para> - - <para>If specified in the [global] section then it will - apply to all services, regardless of whether the individual - service has a different setting.</para> - - <para>You can specify the hosts by name or IP number. For - example, you could restrict access to only the hosts on a - Class C subnet with something like <command moreinfo="none">allow hosts = 150.203.5. - </command>. The full syntax of the list is described in the man - page <filename moreinfo="none">hosts_access(5)</filename>. Note that this man - page may not be present on your system, so a brief description will - be given here also.</para> - - <para>Note that the localhost address 127.0.0.1 will always - be allowed access unless specifically denied by a <link linkend="HOSTSDENY"><parameter moreinfo="none">hosts deny</parameter></link> option.</para> - - <para>You can also specify hosts by network/netmask pairs and - by netgroup names if your system supports netgroups. The - <emphasis>EXCEPT</emphasis> keyword can also be used to limit a - wildcard list. The following examples may provide some help:</para> - - <para>Example 1: allow all IPs in 150.203.*.*; except one</para> - - <para><command moreinfo="none">hosts allow = 150.203. EXCEPT 150.203.6.66</command></para> - - <para>Example 2: allow hosts that match the given network/netmask</para> - - <para><command moreinfo="none">hosts allow = 150.203.15.0/255.255.255.0</command></para> - - <para>Example 3: allow a couple of hosts</para> - - <para><command moreinfo="none">hosts allow = lapland, arvidsjaur</command></para> - - <para>Example 4: allow only hosts in NIS netgroup "foonet", but - deny access from one particular host</para> - - <para><command moreinfo="none">hosts allow = @foonet</command></para> - - <para><command moreinfo="none">hosts deny = pirate</command></para> - - <para>Note that access still requires suitable user-level passwords.</para> - - <para>See <citerefentry><refentrytitle>testparm</refentrytitle> - <manvolnum>1</manvolnum></citerefentry> for a way of testing your host access - to see if it does what you expect.</para> - - <para>Default: <emphasis>none (i.e., all hosts permitted access) - </emphasis></para> - - <para>Example: <command moreinfo="none">allow hosts = 150.203.5. myhost.mynet.edu.au - </command></para> - </listitem> - </samba:parameter> diff --git a/docs/docbook/smbdotconf/security/hostsdeny.xml b/docs/docbook/smbdotconf/security/hostsdeny.xml deleted file mode 100644 index f37e2b7e4d..0000000000 --- a/docs/docbook/smbdotconf/security/hostsdeny.xml +++ /dev/null @@ -1,14 +0,0 @@ -<samba:parameter xmlns:samba="http://samba.org/common"> - <term><anchor id="HOSTSDENY"/>hosts deny (S)</term> - <listitem><para>The opposite of <parameter moreinfo="none">hosts allow</parameter> - - hosts listed here are <emphasis>NOT</emphasis> permitted access to - services unless the specific services have their own lists to override - this one. Where the lists conflict, the <parameter moreinfo="none">allow</parameter> - list takes precedence.</para> - - <para>Default: <emphasis>none (i.e., no hosts specifically excluded) - </emphasis></para> - - <para>Example: <command moreinfo="none">hosts deny = 150.203.4. badhost.mynet.edu.au - </command></para></listitem> - </samba:parameter> diff --git a/docs/docbook/smbdotconf/security/hostsequiv.xml b/docs/docbook/smbdotconf/security/hostsequiv.xml deleted file mode 100644 index 084d8268ef..0000000000 --- a/docs/docbook/smbdotconf/security/hostsequiv.xml +++ /dev/null @@ -1,26 +0,0 @@ -<samba:parameter xmlns:samba="http://samba.org/common"> - <term><anchor id="HOSTSEQUIV"/>hosts equiv (G)</term> - <listitem><para>If this global parameter is a non-null string, - it specifies the name of a file to read for the names of hosts - and users who will be allowed access without specifying a password. - </para> - - <para>This is not be confused with <link linkend="HOSTSALLOW"> - <parameter moreinfo="none">hosts allow</parameter></link> which is about hosts - access to services and is more useful for guest services. <parameter moreinfo="none"> - hosts equiv</parameter> may be useful for NT clients which will - not supply passwords to Samba.</para> - - <note><para>The use of <parameter moreinfo="none">hosts equiv - </parameter> can be a major security hole. This is because you are - trusting the PC to supply the correct username. It is very easy to - get a PC to supply a false username. I recommend that the - <parameter moreinfo="none">hosts equiv</parameter> option be only used if you really - know what you are doing, or perhaps on a home network where you trust - your spouse and kids. And only if you <emphasis>really</emphasis> trust - them :-).</para></note> - - <para>Default: <emphasis>no host equivalences</emphasis></para> - <para>Example: <command moreinfo="none">hosts equiv = /etc/hosts.equiv</command></para> - </listitem> - </samba:parameter> diff --git a/docs/docbook/smbdotconf/security/inheritacls.xml b/docs/docbook/smbdotconf/security/inheritacls.xml deleted file mode 100644 index f70c0d9165..0000000000 --- a/docs/docbook/smbdotconf/security/inheritacls.xml +++ /dev/null @@ -1,14 +0,0 @@ -<samba:parameter xmlns:samba="http://samba.org/common"> - <term><anchor id="INHERITACLS"/>inherit acls (S)</term> - <listitem><para>This parameter can be used to ensure - that if default acls exist on parent directories, - they are always honored when creating a subdirectory. - The default behavior is to use the mode specified - when creating the directory. Enabling this option - sets the mode to 0777, thus guaranteeing that - default directory acls are propagated. - </para> - - <para>Default: <command moreinfo="none">inherit acls = no</command> - </para></listitem> - </samba:parameter> diff --git a/docs/docbook/smbdotconf/security/inheritpermissions.xml b/docs/docbook/smbdotconf/security/inheritpermissions.xml deleted file mode 100644 index 34fade33d0..0000000000 --- a/docs/docbook/smbdotconf/security/inheritpermissions.xml +++ /dev/null @@ -1,36 +0,0 @@ -<samba:parameter xmlns:samba="http://samba.org/common"> - <term><anchor id="INHERITPERMISSIONS"/>inherit permissions (S)</term> - <listitem><para>The permissions on new files and directories - are normally governed by <link linkend="CREATEMASK"><parameter moreinfo="none"> - create mask</parameter></link>, <link linkend="DIRECTORYMASK"> - <parameter moreinfo="none">directory mask</parameter></link>, <link linkend="FORCECREATEMODE"><parameter moreinfo="none">force create mode</parameter> - </link> and <link linkend="FORCEDIRECTORYMODE"><parameter moreinfo="none">force - directory mode</parameter></link> but the boolean inherit - permissions parameter overrides this.</para> - - <para>New directories inherit the mode of the parent directory, - including bits such as setgid.</para> - - <para>New files inherit their read/write bits from the parent - directory. Their execute bits continue to be determined by - <link linkend="MAPARCHIVE"><parameter moreinfo="none">map archive</parameter> - </link>, <link linkend="MAPHIDDEN"><parameter moreinfo="none">map hidden</parameter> - </link> and <link linkend="MAPSYSTEM"><parameter moreinfo="none">map system</parameter> - </link> as usual.</para> - - <para>Note that the setuid bit is <emphasis>never</emphasis> set via - inheritance (the code explicitly prohibits this).</para> - - <para>This can be particularly useful on large systems with - many users, perhaps several thousand, to allow a single [homes] - share to be used flexibly by each user.</para> - - <para>See also <link linkend="CREATEMASK"><parameter moreinfo="none">create mask - </parameter></link>, <link linkend="DIRECTORYMASK"><parameter moreinfo="none"> - directory mask</parameter></link>, <link linkend="FORCECREATEMODE"> - <parameter moreinfo="none">force create mode</parameter></link> and <link linkend="FORCEDIRECTORYMODE"><parameter moreinfo="none">force directory mode</parameter> - </link>.</para> - - <para>Default: <command moreinfo="none">inherit permissions = no</command></para> - </listitem> - </samba:parameter> diff --git a/docs/docbook/smbdotconf/security/invalidusers.xml b/docs/docbook/smbdotconf/security/invalidusers.xml deleted file mode 100644 index 34e534ff28..0000000000 --- a/docs/docbook/smbdotconf/security/invalidusers.xml +++ /dev/null @@ -1,33 +0,0 @@ -<samba:parameter xmlns:samba="http://samba.org/common"> - <term><anchor id="INVALIDUSERS"/>invalid users (S)</term> - <listitem><para>This is a list of users that should not be allowed - to login to this service. This is really a <emphasis>paranoid</emphasis> - check to absolutely ensure an improper setting does not breach - your security.</para> - - <para>A name starting with a '@' is interpreted as an NIS - netgroup first (if your system supports NIS), and then as a UNIX - group if the name was not found in the NIS netgroup database.</para> - - <para>A name starting with '+' is interpreted only - by looking in the UNIX group database. A name starting with - '&' is interpreted only by looking in the NIS netgroup database - (this requires NIS to be working on your system). The characters - '+' and '&' may be used at the start of the name in either order - so the value <parameter moreinfo="none">+&group</parameter> means check the - UNIX group database, followed by the NIS netgroup database, and - the value <parameter moreinfo="none">&+group</parameter> means check the NIS - netgroup database, followed by the UNIX group database (the - same as the '@' prefix).</para> - - <para>The current servicename is substituted for <parameter moreinfo="none">%S</parameter>. - This is useful in the [homes] section.</para> - - <para>See also <link linkend="VALIDUSERS"><parameter moreinfo="none">valid users - </parameter></link>.</para> - - <para>Default: <emphasis>no invalid users</emphasis></para> - <para>Example: <command moreinfo="none">invalid users = root fred admin @wheel - </command></para> - </listitem> - </samba:parameter> diff --git a/docs/docbook/smbdotconf/security/lanmanauth.xml b/docs/docbook/smbdotconf/security/lanmanauth.xml deleted file mode 100644 index 851b1ae4ac..0000000000 --- a/docs/docbook/smbdotconf/security/lanmanauth.xml +++ /dev/null @@ -1,11 +0,0 @@ -<samba:parameter xmlns:samba="http://samba.org/common"> - <term><anchor id="LANMANAUTH"/>lanman auth (G)</term> - <listitem><para>This parameter determines whether or not <citerefentry><refentrytitle>smbd</refentrytitle> - <manvolnum>8</manvolnum></citerefentry> will attempt to authenticate users - using the LANMAN password hash. If disabled, only clients which support NT - password hashes (e.g. Windows NT/2000 clients, smbclient, etc... but not - Windows 95/98 or the MS DOS network client) will be able to connect to the Samba host.</para> - - <para>Default : <command moreinfo="none">lanman auth = yes</command></para> - </listitem> - </samba:parameter> diff --git a/docs/docbook/smbdotconf/security/maptoguest.xml b/docs/docbook/smbdotconf/security/maptoguest.xml deleted file mode 100644 index 966260a9b1..0000000000 --- a/docs/docbook/smbdotconf/security/maptoguest.xml +++ /dev/null @@ -1,53 +0,0 @@ -<samba:parameter xmlns:samba="http://samba.org/common"> - <term><anchor id="MAPTOGUEST"/>map to guest (G)</term> - <listitem><para>This parameter is only useful in <link linkend="SECURITY"> - security</link> modes other than <parameter moreinfo="none">security = share</parameter> - - i.e. <constant>user</constant>, <constant>server</constant>, - and <constant>domain</constant>.</para> - - <para>This parameter can take three different values, which tell - <citerefentry><refentrytitle>smbd</refentrytitle> - <manvolnum>8</manvolnum></citerefentry> what to do with user - login requests that don't match a valid UNIX user in some way.</para> - - <para>The three settings are :</para> - - <itemizedlist> - <listitem><para><constant>Never</constant> - Means user login - requests with an invalid password are rejected. This is the - default.</para></listitem> - - <listitem><para><constant>Bad User</constant> - Means user - logins with an invalid password are rejected, unless the username - does not exist, in which case it is treated as a guest login and - mapped into the <link linkend="GUESTACCOUNT"><parameter moreinfo="none"> - guest account</parameter></link>.</para></listitem> - - <listitem><para><constant>Bad Password</constant> - Means user logins - with an invalid password are treated as a guest login and mapped - into the <link linkend="GUESTACCOUNT">guest account</link>. Note that - this can cause problems as it means that any user incorrectly typing - their password will be silently logged on as "guest" - and - will not know the reason they cannot access files they think - they should - there will have been no message given to them - that they got their password wrong. Helpdesk services will - <emphasis>hate</emphasis> you if you set the <parameter moreinfo="none">map to - guest</parameter> parameter this way :-).</para></listitem> - </itemizedlist> - - <para>Note that this parameter is needed to set up "Guest" - share services when using <parameter moreinfo="none">security</parameter> modes other than - share. This is because in these modes the name of the resource being - requested is <emphasis>not</emphasis> sent to the server until after - the server has successfully authenticated the client so the server - cannot make authentication decisions at the correct time (connection - to the share) for "Guest" shares.</para> - - <para>For people familiar with the older Samba releases, this - parameter maps to the old compile-time setting of the <constant> - GUEST_SESSSETUP</constant> value in local.h.</para> - - <para>Default: <command moreinfo="none">map to guest = Never</command></para> - <para>Example: <command moreinfo="none">map to guest = Bad User</command></para> - </listitem> - </samba:parameter> diff --git a/docs/docbook/smbdotconf/security/minpasswdlength.xml b/docs/docbook/smbdotconf/security/minpasswdlength.xml deleted file mode 100644 index 8e52b923fb..0000000000 --- a/docs/docbook/smbdotconf/security/minpasswdlength.xml +++ /dev/null @@ -1,6 +0,0 @@ -<samba:parameter xmlns:samba="http://samba.org/common"> - <term><anchor id="MINPASSWDLENGTH"/>min passwd length (G)</term> - <listitem><para>Synonym for <link linkend="MINPASSWORDLENGTH"> - <parameter moreinfo="none">min password length</parameter></link>.</para> - </listitem> - </samba:parameter> diff --git a/docs/docbook/smbdotconf/security/minpasswordlength.xml b/docs/docbook/smbdotconf/security/minpasswordlength.xml deleted file mode 100644 index da1e65a55b..0000000000 --- a/docs/docbook/smbdotconf/security/minpasswordlength.xml +++ /dev/null @@ -1,14 +0,0 @@ -<samba:parameter xmlns:samba="http://samba.org/common"> - <term><anchor id="MINPASSWORDLENGTH"/>min password length (G)</term> - <listitem><para>This option sets the minimum length in characters - of a plaintext password that <command moreinfo="none">smbd</command> will accept when performing - UNIX password changing.</para> - - <para>See also <link linkend="UNIXPASSWORDSYNC"><parameter moreinfo="none">unix - password sync</parameter></link>, <link linkend="PASSWDPROGRAM"> - <parameter moreinfo="none">passwd program</parameter></link> and <link linkend="PASSWDCHATDEBUG"><parameter moreinfo="none">passwd chat debug</parameter> - </link>.</para> - - <para>Default: <command moreinfo="none">min password length = 5</command></para> - </listitem> - </samba:parameter> diff --git a/docs/docbook/smbdotconf/security/nonunixaccountrange.xml b/docs/docbook/smbdotconf/security/nonunixaccountrange.xml deleted file mode 100644 index baa9a783b0..0000000000 --- a/docs/docbook/smbdotconf/security/nonunixaccountrange.xml +++ /dev/null @@ -1,21 +0,0 @@ -<samba:parameter xmlns:samba="http://samba.org/common"> - <term><anchor id="NONUNIXACCOUNTRANGE"/>non unix account range (G)</term> - <listitem><para>The non unix account range parameter specifies - the range of 'user ids' that are allocated by the various 'non unix - account' passdb backends. These backends allow - the storage of passwords for users who don't exist in /etc/passwd. - This is most often used for machine account creation. - This range of ids should have no existing local or NIS users within - it as strange conflicts can occur otherwise.</para> - - <note><para>These userids never appear on the system and Samba will never - 'become' these users. They are used only to ensure that the algorithmic - RID mapping does not conflict with normal users. - </para></note> - - <para>Default: <command moreinfo="none">non unix account range = <empty string> - </command></para> - - <para>Example: <command moreinfo="none">non unix account range = 10000-20000</command></para> - </listitem> - </samba:parameter> diff --git a/docs/docbook/smbdotconf/security/ntlmauth.xml b/docs/docbook/smbdotconf/security/ntlmauth.xml deleted file mode 100644 index a3b8caf062..0000000000 --- a/docs/docbook/smbdotconf/security/ntlmauth.xml +++ /dev/null @@ -1,16 +0,0 @@ -<samba:parameter xmlns:samba="http://samba.org/common"> - <term><anchor id="NTLMAUTH"/>ntlm auth (G)</term> - <listitem><para>This parameter determines - whether or not <citerefentry><refentrytitle>smbd</refentrytitle> - <manvolnum>8</manvolnum></citerefentry> will - attempt to authenticate users using the NTLM password hash. - If disabled, only the lanman password hashes will be used. - </para> - - <para>Please note that at least this option or <command moreinfo="none">lanman auth</command> should - be enabled in order to be able to log in. - </para> - - <para>Default : <command moreinfo="none">ntlm auth = yes</command></para> - </listitem> - </samba:parameter> diff --git a/docs/docbook/smbdotconf/security/nullpasswords.xml b/docs/docbook/smbdotconf/security/nullpasswords.xml deleted file mode 100644 index 40b687fceb..0000000000 --- a/docs/docbook/smbdotconf/security/nullpasswords.xml +++ /dev/null @@ -1,11 +0,0 @@ -<samba:parameter xmlns:samba="http://samba.org/common"> - <term><anchor id="NULLPASSWORDS"/>null passwords (G)</term> - <listitem><para>Allow or disallow client access to accounts - that have null passwords. </para> - - <para>See also <citerefentry><refentrytitle>smbpasswd</refentrytitle> - <manvolnum>5</manvolnum></citerefentry>.</para> - - <para>Default: <command moreinfo="none">null passwords = no</command></para> - </listitem> - </samba:parameter> diff --git a/docs/docbook/smbdotconf/security/obeypamrestrictions.xml b/docs/docbook/smbdotconf/security/obeypamrestrictions.xml deleted file mode 100644 index 92a6bce22d..0000000000 --- a/docs/docbook/smbdotconf/security/obeypamrestrictions.xml +++ /dev/null @@ -1,15 +0,0 @@ -<samba:parameter xmlns:samba="http://samba.org/common"> - <term><anchor id="OBEYPAMRESTRICTIONS"/>obey pam restrictions (G)</term> - <listitem><para>When Samba 2.2 is configured to enable PAM support - (i.e. --with-pam), this parameter will control whether or not Samba - should obey PAM's account and session management directives. The - default behavior is to use PAM for clear text authentication only - and to ignore any account or session management. Note that Samba - always ignores PAM for authentication in the case of <link linkend="ENCRYPTPASSWORDS"><parameter moreinfo="none">encrypt passwords = yes</parameter> - </link>. The reason is that PAM modules cannot support the challenge/response - authentication mechanism needed in the presence of SMB password encryption. - </para> - - <para>Default: <command moreinfo="none">obey pam restrictions = no</command></para> - </listitem> - </samba:parameter> diff --git a/docs/docbook/smbdotconf/security/onlyguest.xml b/docs/docbook/smbdotconf/security/onlyguest.xml deleted file mode 100644 index 018fa1a0b5..0000000000 --- a/docs/docbook/smbdotconf/security/onlyguest.xml +++ /dev/null @@ -1,6 +0,0 @@ -<samba:parameter xmlns:samba="http://samba.org/common"> - <term><anchor id="ONLYGUEST"/>only guest (S)</term> - <listitem><para>A synonym for <link linkend="GUESTONLY"><parameter moreinfo="none"> - guest only</parameter></link>.</para> - </listitem> - </samba:parameter> diff --git a/docs/docbook/smbdotconf/security/onlyuser.xml b/docs/docbook/smbdotconf/security/onlyuser.xml deleted file mode 100644 index d0bbac7541..0000000000 --- a/docs/docbook/smbdotconf/security/onlyuser.xml +++ /dev/null @@ -1,24 +0,0 @@ -<samba:parameter xmlns:samba="http://samba.org/common"> - <term><anchor id="ONLYUSER"/>only user (S)</term> - <listitem><para>This is a boolean option that controls whether - connections with usernames not in the <parameter moreinfo="none">user</parameter> - list will be allowed. By default this option is disabled so that a - client can supply a username to be used by the server. Enabling - this parameter will force the server to only use the login - names from the <parameter moreinfo="none">user</parameter> list and is only really - useful in <link linkend="SECURITYEQUALSSHARE">share level</link> - security.</para> - - <para>Note that this also means Samba won't try to deduce - usernames from the service name. This can be annoying for - the [homes] section. To get around this you could use <command moreinfo="none">user = - %S</command> which means your <parameter moreinfo="none">user</parameter> list - will be just the service name, which for home directories is the - name of the user.</para> - - <para>See also the <link linkend="USER"><parameter moreinfo="none">user</parameter> - </link> parameter.</para> - - <para>Default: <command moreinfo="none">only user = no</command></para> - </listitem> - </samba:parameter> diff --git a/docs/docbook/smbdotconf/security/pampasswordchange.xml b/docs/docbook/smbdotconf/security/pampasswordchange.xml deleted file mode 100644 index 8f0e91ae2d..0000000000 --- a/docs/docbook/smbdotconf/security/pampasswordchange.xml +++ /dev/null @@ -1,16 +0,0 @@ -<samba:parameter xmlns:samba="http://samba.org/common"> - <term><anchor id="PAMPASSWORDCHANGE"/>pam password change (G)</term> - <listitem><para>With the addition of better PAM support in Samba 2.2, - this parameter, it is possible to use PAM's password change control - flag for Samba. If enabled, then PAM will be used for password - changes when requested by an SMB client instead of the program listed in - <link linkend="PASSWDPROGRAM"><parameter moreinfo="none">passwd program</parameter></link>. - It should be possible to enable this without changing your - <link linkend="PASSWDCHAT"><parameter moreinfo="none">passwd chat</parameter></link> - parameter for most setups. - </para> - - <para>Default: <command moreinfo="none">pam password change = no</command></para> - - </listitem> - </samba:parameter> diff --git a/docs/docbook/smbdotconf/security/passdbbackend.xml b/docs/docbook/smbdotconf/security/passdbbackend.xml deleted file mode 100644 index 918c802e78..0000000000 --- a/docs/docbook/smbdotconf/security/passdbbackend.xml +++ /dev/null @@ -1,91 +0,0 @@ -<samba:parameter xmlns:samba="http://samba.org/common"> - <term><anchor id="PASSDBBACKEND"/>passdb backend (G)</term> - <listitem><para>This option allows the administrator to chose which backends to retrieve and store passwords with. This allows (for example) both - smbpasswd and tdbsam to be used without a recompile. - Multiple backends can be specified, separated by spaces. The backends will be searched in the order they are specified. New users are always added to the first backend specified. - Experimental backends must still be selected - (eg --with-tdbsam) at configure time. - </para> - - <para>This parameter is in two parts, the backend's name, and a 'location' - string that has meaning only to that particular backed. These are separated - by a : character.</para> - - <para>Available backends can include: - <itemizedlist> - <listitem><para><command moreinfo="none">smbpasswd</command> - The default smbpasswd - backend. Takes a path to the smbpasswd file as an optional argument.</para></listitem> - - <listitem><para><command moreinfo="none">smbpasswd_nua</command> - The smbpasswd - backend, but with support for 'not unix accounts'. - Takes a path to the smbpasswd file as an optional argument.</para> - <para>See also <link linkend="NONUNIXACCOUNTRANGE"> - <parameter moreinfo="none">non unix account range</parameter></link></para></listitem> - - <listitem><para><command moreinfo="none">tdbsam</command> - The TDB based password storage - backend. Takes a path to the TDB as an optional argument (defaults to passdb.tdb - in the <link linkend="PRIVATEDIR"> - <parameter moreinfo="none">private dir</parameter></link> directory.</para></listitem> - - <listitem><para><command moreinfo="none">tdbsam_nua</command> - The TDB based password storage - backend, with non unix account support. Takes a path to the TDB as an optional argument (defaults to passdb.tdb - in the <link linkend="PRIVATEDIR"> - <parameter moreinfo="none">private dir</parameter></link> directory.</para> - <para>See also <link linkend="NONUNIXACCOUNTRANGE"> - <parameter moreinfo="none">non unix account range</parameter></link></para></listitem> - - <listitem><para><command moreinfo="none">ldapsam</command> - The LDAP based passdb - backend. Takes an LDAP URL as an optional argument (defaults to - <command moreinfo="none">ldap://localhost</command>)</para></listitem> - - <listitem><para><command moreinfo="none">ldapsam_nua</command> - The LDAP based passdb - backend, with non unix account support. Takes an LDAP URL as an optional argument (defaults to - <command moreinfo="none">ldap://localhost</command>)</para> - - <para>Note: In this module, any account without a matching POSIX account is regarded - as 'non unix'. </para> - - <para>See also <link linkend="NONUNIXACCOUNTRANGE"> - <parameter moreinfo="none">non unix account - range</parameter></link></para> - - <para>LDAP connections should be secured where - possible. This may be done using either - Start-TLS (see <link linkend="LDAPSSL"> - <parameter moreinfo="none">ldap ssl</parameter></link>) or by - specifying <parameter moreinfo="none">ldaps://</parameter> in - the URL argument. - </para></listitem> - - <listitem><para><command moreinfo="none">nisplussam</command> - The NIS+ based passdb backend. Takes name NIS domain as an optional argument. Only works with sun NIS+ servers. </para></listitem> - - <listitem><para><command moreinfo="none">plugin</command> - Allows Samba to load an - arbitary passdb backend from the .so specified as a compulsary argument. - </para> - - <para>Any characters after the (optional) second : are passed to the plugin - for its own processing</para> - </listitem> - - <listitem><para><command moreinfo="none">unixsam</command> - Allows samba to map all (other) available unix users</para> - - <para>This backend uses the standard unix database for retrieving users. Users included - in this pdb are NOT listed in samba user listings and users included in this pdb won't be - able to login. The use of this backend is to always be able to display the owner of a file - on the samba server - even when the user doesn't have a 'real' samba account in one of the - other passdb backends. - </para> - - <para>This backend should always be the last backend listed, since it contains all users in - the unix passdb and might 'override' mappings if specified earlier. It's meant to only return - accounts for users that aren't covered by the previous backends.</para> - </listitem> - </itemizedlist> - </para> - - <para>Default: <command moreinfo="none">passdb backend = smbpasswd unixsam</command></para> - <para>Example: <command moreinfo="none">passdb backend = tdbsam:/etc/samba/private/passdb.tdb smbpasswd:/etc/samba/smbpasswd unixsam</command></para> - <para>Example: <command moreinfo="none">passdb backend = ldapsam_nua:ldaps://ldap.example.com unixsam</command></para> - <para>Example: <command moreinfo="none">passdb backend = plugin:/usr/local/samba/lib/my_passdb.so:my_plugin_args tdbsam:/etc/samba/private/passdb.tdb</command></para> - </listitem> - </samba:parameter> diff --git a/docs/docbook/smbdotconf/security/passwdchat.xml b/docs/docbook/smbdotconf/security/passwdchat.xml deleted file mode 100644 index 922f1a878c..0000000000 --- a/docs/docbook/smbdotconf/security/passwdchat.xml +++ /dev/null @@ -1,58 +0,0 @@ -<samba:parameter xmlns:samba="http://samba.org/common"> - <term><anchor id="PASSWDCHAT"/>passwd chat (G)</term> - <listitem><para>This string controls the <emphasis>"chat"</emphasis> - conversation that takes places between <citerefentry><refentrytitle>smbd</refentrytitle> - <manvolnum>8</manvolnum></citerefentry> and the local password changing - program to change the user's password. The string describes a - sequence of response-receive pairs that <citerefentry><refentrytitle>smbd</refentrytitle> - <manvolnum>8</manvolnum></citerefentry> uses to determine what to send to the - <link linkend="PASSWDPROGRAM"><parameter moreinfo="none">passwd program</parameter> - </link> and what to expect back. If the expected output is not - received then the password is not changed.</para> - - <para>This chat sequence is often quite site specific, depending - on what local methods are used for password control (such as NIS - etc).</para> - <para>Note that this parameter only is only used if the <link linkend="UNIXPASSWORDSYNC"><parameter moreinfo="none">unix - password sync</parameter></link> parameter is set to <constant>yes</constant>. This - sequence is then called <emphasis>AS ROOT</emphasis> when the SMB password - in the smbpasswd file is being changed, without access to the old - password cleartext. This means that root must be able to reset the user's password - without knowing the text of the previous password. In the presence of NIS/YP, - this means that the <link linkend="PASSWDPROGRAM">passwd program</link> must be - executed on the NIS master. - </para> - - - <para>The string can contain the macro <parameter moreinfo="none">%n</parameter> which is substituted - for the new password. The chat sequence can also contain the standard - macros <constant>\\n</constant>, <constant>\\r</constant>, <constant> - \\t</constant> and <constant>\\s</constant> to give line-feed, - carriage-return, tab and space. The chat sequence string can also contain - a '*' which matches any sequence of characters. - Double quotes can be used to collect strings with spaces - in them into a single string.</para> - - <para>If the send string in any part of the chat sequence - is a full stop ".", then no string is sent. Similarly, - if the expect string is a full stop then no string is expected.</para> - - <para>If the <link linkend="PAMPASSWORDCHANGE"><parameter moreinfo="none">pam - password change</parameter></link> parameter is set to <constant>yes</constant>, the chat pairs - may be matched in any order, and success is determined by the PAM result, - not any particular output. The \n macro is ignored for PAM conversions. - </para> - - <para>See also <link linkend="UNIXPASSWORDSYNC"><parameter moreinfo="none">unix password - sync</parameter></link>, <link linkend="PASSWDPROGRAM"><parameter moreinfo="none"> - passwd program</parameter></link> ,<link linkend="PASSWDCHATDEBUG"> - <parameter moreinfo="none">passwd chat debug</parameter></link> and <link linkend="PAMPASSWORDCHANGE"> - <parameter moreinfo="none">pam password change</parameter></link>.</para> - - <para>Default: <command moreinfo="none">passwd chat = *new*password* %n\\n - *new*password* %n\\n *changed*</command></para> - <para>Example: <command moreinfo="none">passwd chat = "*Enter OLD password*" %o\\n - "*Enter NEW password*" %n\\n "*Reenter NEW password*" %n\\n "*Password - changed*"</command></para> - </listitem> - </samba:parameter> diff --git a/docs/docbook/smbdotconf/security/passwdchatdebug.xml b/docs/docbook/smbdotconf/security/passwdchatdebug.xml deleted file mode 100644 index a5771b72d2..0000000000 --- a/docs/docbook/smbdotconf/security/passwdchatdebug.xml +++ /dev/null @@ -1,25 +0,0 @@ -<samba:parameter xmlns:samba="http://samba.org/common"> - <term><anchor id="PASSWDCHATDEBUG"/>passwd chat debug (G)</term> - <listitem><para>This boolean specifies if the passwd chat script - parameter is run in <emphasis>debug</emphasis> mode. In this mode the - strings passed to and received from the passwd chat are printed - in the <citerefentry><refentrytitle>smbd</refentrytitle> - <manvolnum>8</manvolnum></citerefentry> log with a - <link linkend="DEBUGLEVEL"><parameter moreinfo="none">debug level</parameter></link> - of 100. This is a dangerous option as it will allow plaintext passwords - to be seen in the <command moreinfo="none">smbd</command> log. It is available to help - Samba admins debug their <parameter moreinfo="none">passwd chat</parameter> scripts - when calling the <parameter moreinfo="none">passwd program</parameter> and should - be turned off after this has been done. This option has no effect if the - <link linkend="PAMPASSWORDCHANGE"><parameter moreinfo="none">pam password change</parameter></link> - paramter is set. This parameter is off by default.</para> - - - <para>See also <link linkend="PASSWDCHAT"><parameter moreinfo="none">passwd chat</parameter> - </link>, <link linkend="PAMPASSWORDCHANGE"><parameter moreinfo="none">pam password change</parameter> - </link>, <link linkend="PASSWDPROGRAM"><parameter moreinfo="none">passwd program</parameter> - </link>.</para> - - <para>Default: <command moreinfo="none">passwd chat debug = no</command></para> - </listitem> - </samba:parameter> diff --git a/docs/docbook/smbdotconf/security/passwdprogram.xml b/docs/docbook/smbdotconf/security/passwdprogram.xml deleted file mode 100644 index dae24e22a1..0000000000 --- a/docs/docbook/smbdotconf/security/passwdprogram.xml +++ /dev/null @@ -1,35 +0,0 @@ -<samba:parameter xmlns:samba="http://samba.org/common"> - <term><anchor id="PASSWDPROGRAM"/>passwd program (G)</term> - <listitem><para>The name of a program that can be used to set - UNIX user passwords. Any occurrences of <parameter moreinfo="none">%u</parameter> - will be replaced with the user name. The user name is checked for - existence before calling the password changing program.</para> - - <para>Also note that many passwd programs insist in <emphasis>reasonable - </emphasis> passwords, such as a minimum length, or the inclusion - of mixed case chars and digits. This can pose a problem as some clients - (such as Windows for Workgroups) uppercase the password before sending - it.</para> - - <para><emphasis>Note</emphasis> that if the <parameter moreinfo="none">unix - password sync</parameter> parameter is set to <constant>yes - </constant> then this program is called <emphasis>AS ROOT</emphasis> - before the SMB password in the <ulink url="smbpasswd.5.html">smbpasswd(5) - </ulink> file is changed. If this UNIX password change fails, then - <command moreinfo="none">smbd</command> will fail to change the SMB password also - (this is by design).</para> - - <para>If the <parameter moreinfo="none">unix password sync</parameter> parameter - is set this parameter <emphasis>MUST USE ABSOLUTE PATHS</emphasis> - for <emphasis>ALL</emphasis> programs called, and must be examined - for security implications. Note that by default <parameter moreinfo="none">unix - password sync</parameter> is set to <constant>no</constant>.</para> - - <para>See also <link linkend="UNIXPASSWORDSYNC"><parameter moreinfo="none">unix - password sync</parameter></link>.</para> - - <para>Default: <command moreinfo="none">passwd program = /bin/passwd</command></para> - <para>Example: <command moreinfo="none">passwd program = /sbin/npasswd %u</command> - </para> - </listitem> - </samba:parameter> diff --git a/docs/docbook/smbdotconf/security/passwordlevel.xml b/docs/docbook/smbdotconf/security/passwordlevel.xml deleted file mode 100644 index 408082f838..0000000000 --- a/docs/docbook/smbdotconf/security/passwordlevel.xml +++ /dev/null @@ -1,40 +0,0 @@ -<samba:parameter xmlns:samba="http://samba.org/common"> - <term><anchor id="PASSWORDLEVEL"/>password level (G)</term> - <listitem><para>Some client/server combinations have difficulty - with mixed-case passwords. One offending client is Windows for - Workgroups, which for some reason forces passwords to upper - case when using the LANMAN1 protocol, but leaves them alone when - using COREPLUS! Another problem child is the Windows 95/98 - family of operating systems. These clients upper case clear - text passwords even when NT LM 0.12 selected by the protocol - negotiation request/response.</para> - - <para>This parameter defines the maximum number of characters - that may be upper case in passwords.</para> - - <para>For example, say the password given was "FRED". If <parameter moreinfo="none"> - password level</parameter> is set to 1, the following combinations - would be tried if "FRED" failed:</para> - - <para>"Fred", "fred", "fRed", "frEd","freD"</para> - - <para>If <parameter moreinfo="none">password level</parameter> was set to 2, - the following combinations would also be tried: </para> - - <para>"FRed", "FrEd", "FreD", "fREd", "fReD", "frED", ..</para> - - <para>And so on.</para> - - <para>The higher value this parameter is set to the more likely - it is that a mixed case password will be matched against a single - case password. However, you should be aware that use of this - parameter reduces security and increases the time taken to - process a new connection.</para> - - <para>A value of zero will cause only two attempts to be - made - the password as is and the password in all-lower case.</para> - - <para>Default: <command moreinfo="none">password level = 0</command></para> - <para>Example: <command moreinfo="none">password level = 4</command></para> - </listitem> - </samba:parameter> diff --git a/docs/docbook/smbdotconf/security/passwordserver.xml b/docs/docbook/smbdotconf/security/passwordserver.xml deleted file mode 100644 index b803816d88..0000000000 --- a/docs/docbook/smbdotconf/security/passwordserver.xml +++ /dev/null @@ -1,92 +0,0 @@ -<samba:parameter xmlns:samba="http://samba.org/common"> - <term><anchor id="PASSWORDSERVER"/>password server (G)</term> - <listitem><para>By specifying the name of another SMB server (such - as a WinNT box) with this option, and using <command moreinfo="none">security = domain - </command> or <command moreinfo="none">security = server</command> you can get Samba - to do all its username/password validation via a remote server.</para> - - <para>This option sets the name of the password server to use. - It must be a NetBIOS name, so if the machine's NetBIOS name is - different from its Internet name then you may have to add its NetBIOS - name to the lmhosts file which is stored in the same directory - as the <filename moreinfo="none">smb.conf</filename> file.</para> - - <para>The name of the password server is looked up using the - parameter <link linkend="NAMERESOLVEORDER"><parameter moreinfo="none">name - resolve order</parameter></link> and so may resolved - by any method and order described in that parameter.</para> - - <para>The password server must be a machine capable of using - the "LM1.2X002" or the "NT LM 0.12" protocol, and it must be in - user level security mode.</para> - - <note><para>Using a password server - means your UNIX box (running Samba) is only as secure as your - password server. <emphasis>DO NOT CHOOSE A PASSWORD SERVER THAT - YOU DON'T COMPLETELY TRUST</emphasis>.</para></note> - - <para>Never point a Samba server at itself for password - serving. This will cause a loop and could lock up your Samba - server!</para> - - <para>The name of the password server takes the standard - substitutions, but probably the only useful one is <parameter moreinfo="none">%m - </parameter>, which means the Samba server will use the incoming - client as the password server. If you use this then you better - trust your clients, and you had better restrict them with hosts allow!</para> - - <para>If the <parameter moreinfo="none">security</parameter> parameter is set to - <constant>domain</constant>, then the list of machines in this - option must be a list of Primary or Backup Domain controllers for the - Domain or the character '*', as the Samba server is effectively - in that domain, and will use cryptographically authenticated RPC calls - to authenticate the user logging on. The advantage of using <command moreinfo="none"> - security = domain</command> is that if you list several hosts in the - <parameter moreinfo="none">password server</parameter> option then <command moreinfo="none">smbd - </command> will try each in turn till it finds one that responds. This - is useful in case your primary server goes down.</para> - - <para>If the <parameter moreinfo="none">password server</parameter> option is set - to the character '*', then Samba will attempt to auto-locate the - Primary or Backup Domain controllers to authenticate against by - doing a query for the name <constant>WORKGROUP<1C></constant> - and then contacting each server returned in the list of IP - addresses from the name resolution source. </para> - - <para>If the list of servers contains both names and the '*' - character, the list is treated as a list of preferred - domain controllers, but an auto lookup of all remaining DC's - will be added to the list as well. Samba will not attempt to optimize - this list by locating the closest DC.</para> - - <para>If the <parameter moreinfo="none">security</parameter> parameter is - set to <constant>server</constant>, then there are different - restrictions that <command moreinfo="none">security = domain</command> doesn't - suffer from:</para> - - <itemizedlist> - <listitem><para>You may list several password servers in - the <parameter moreinfo="none">password server</parameter> parameter, however if an - <command moreinfo="none">smbd</command> makes a connection to a password server, - and then the password server fails, no more users will be able - to be authenticated from this <command moreinfo="none">smbd</command>. This is a - restriction of the SMB/CIFS protocol when in <command moreinfo="none">security = server - </command> mode and cannot be fixed in Samba.</para></listitem> - - <listitem><para>If you are using a Windows NT server as your - password server then you will have to ensure that your users - are able to login from the Samba server, as when in <command moreinfo="none"> - security = server</command> mode the network logon will appear to - come from there rather than from the users workstation.</para></listitem> - </itemizedlist> - - <para>See also the <link linkend="SECURITY"><parameter moreinfo="none">security - </parameter></link> parameter.</para> - - <para>Default: <command moreinfo="none">password server = <empty string></command> - </para> - <para>Example: <command moreinfo="none">password server = NT-PDC, NT-BDC1, NT-BDC2, * - </command></para> - <para>Example: <command moreinfo="none">password server = *</command></para> - </listitem> - </samba:parameter> diff --git a/docs/docbook/smbdotconf/security/printeradmin.xml b/docs/docbook/smbdotconf/security/printeradmin.xml deleted file mode 100644 index 7037facca0..0000000000 --- a/docs/docbook/smbdotconf/security/printeradmin.xml +++ /dev/null @@ -1,12 +0,0 @@ -<samba:parameter xmlns:samba="http://samba.org/common"> - <term><anchor id="PRINTERADMIN"/>printer admin (S)</term> - <listitem><para>This is a list of users that can do anything to - printers via the remote administration interfaces offered by MS-RPC - (usually using a NT workstation). Note that the root user always - has admin rights.</para> - - <para>Default: <command moreinfo="none">printer admin = <empty string></command> - </para> - <para>Example: <command moreinfo="none">printer admin = admin, @staff</command></para> - </listitem> - </samba:parameter> diff --git a/docs/docbook/smbdotconf/security/privatedir.xml b/docs/docbook/smbdotconf/security/privatedir.xml deleted file mode 100644 index ca22089122..0000000000 --- a/docs/docbook/smbdotconf/security/privatedir.xml +++ /dev/null @@ -1,10 +0,0 @@ -<samba:parameter xmlns:samba="http://samba.org/common"> - <term><anchor id="PRIVATEDIR"/>private dir (G)</term> - <listitem><para>This parameters defines the directory - smbd will use for storing such files as <filename moreinfo="none">smbpasswd</filename> - and <filename moreinfo="none">secrets.tdb</filename>. - </para> - - <para>Default :<command moreinfo="none">private dir = ${prefix}/private</command></para> - </listitem> - </samba:parameter> diff --git a/docs/docbook/smbdotconf/security/public.xml b/docs/docbook/smbdotconf/security/public.xml deleted file mode 100644 index a1f6a1ee29..0000000000 --- a/docs/docbook/smbdotconf/security/public.xml +++ /dev/null @@ -1,6 +0,0 @@ -<samba:parameter xmlns:samba="http://samba.org/common"> - <term><anchor id="PUBLIC"/>public (S)</term> - <listitem><para>Synonym for <link linkend="GUESTOK"><parameter moreinfo="none">guest - ok</parameter></link>.</para> - </listitem> - </samba:parameter> diff --git a/docs/docbook/smbdotconf/security/readlist.xml b/docs/docbook/smbdotconf/security/readlist.xml deleted file mode 100644 index 15d135d54e..0000000000 --- a/docs/docbook/smbdotconf/security/readlist.xml +++ /dev/null @@ -1,17 +0,0 @@ -<samba:parameter xmlns:samba="http://samba.org/common"> - <term><anchor id="READLIST"/>read list (S)</term> - <listitem><para>This is a list of users that are given read-only - access to a service. If the connecting user is in this list then - they will not be given write access, no matter what the <link linkend="READONLY"><parameter moreinfo="none">read only</parameter></link> - option is set to. The list can include group names using the - syntax described in the <link linkend="INVALIDUSERS"><parameter moreinfo="none"> - invalid users</parameter></link> parameter.</para> - - <para>See also the <link linkend="WRITELIST"><parameter moreinfo="none"> - write list</parameter></link> parameter and the <link linkend="INVALIDUSERS"><parameter moreinfo="none">invalid users</parameter> - </link> parameter.</para> - - <para>Default: <command moreinfo="none">read list = <empty string></command></para> - <para>Example: <command moreinfo="none">read list = mary, @students</command></para> - </listitem> - </samba:parameter> diff --git a/docs/docbook/smbdotconf/security/readonly.xml b/docs/docbook/smbdotconf/security/readonly.xml deleted file mode 100644 index 02721935de..0000000000 --- a/docs/docbook/smbdotconf/security/readonly.xml +++ /dev/null @@ -1,16 +0,0 @@ -<samba:parameter xmlns:samba="http://samba.org/common"> - <term><anchor id="READONLY"/>read only (S)</term> - <listitem><para>An inverted synonym is <link linkend="WRITEABLE"> - <parameter moreinfo="none">writeable</parameter></link>.</para> - - <para>If this parameter is <constant>yes</constant>, then users - of a service may not create or modify files in the service's - directory.</para> - - <para>Note that a printable service (<command moreinfo="none">printable = yes</command>) - will <emphasis>ALWAYS</emphasis> allow writing to the directory - (user privileges permitting), but only via spooling operations.</para> - - <para>Default: <command moreinfo="none">read only = yes</command></para> - </listitem> - </samba:parameter> diff --git a/docs/docbook/smbdotconf/security/restrictanonymous.xml b/docs/docbook/smbdotconf/security/restrictanonymous.xml deleted file mode 100644 index 4b09b7d2bc..0000000000 --- a/docs/docbook/smbdotconf/security/restrictanonymous.xml +++ /dev/null @@ -1,10 +0,0 @@ -<samba:parameter xmlns:samba="http://samba.org/common"> - <term><anchor id="RESTRICTANONYMOUS"/>restrict anonymous (G)</term> - <listitem><para>This is a integer parameter, and - mirrors as much as possible the functinality the - <constant>RestrictAnonymous</constant> - registry key does on NT/Win2k. </para> - - <para>Default: <command moreinfo="none">restrict anonymous = 0</command></para> - </listitem> - </samba:parameter> diff --git a/docs/docbook/smbdotconf/security/root.xml b/docs/docbook/smbdotconf/security/root.xml deleted file mode 100644 index f69c1a1ae1..0000000000 --- a/docs/docbook/smbdotconf/security/root.xml +++ /dev/null @@ -1,6 +0,0 @@ -<samba:parameter xmlns:samba="http://samba.org/common"> - <term><anchor id="ROOT"/>root (G)</term> - <listitem><para>Synonym for <link linkend="ROOTDIRECTORY"> - <parameter moreinfo="none">root directory"</parameter></link>.</para> - </listitem> - </samba:parameter> diff --git a/docs/docbook/smbdotconf/security/rootdir.xml b/docs/docbook/smbdotconf/security/rootdir.xml deleted file mode 100644 index 1f543aed6a..0000000000 --- a/docs/docbook/smbdotconf/security/rootdir.xml +++ /dev/null @@ -1,6 +0,0 @@ -<samba:parameter xmlns:samba="http://samba.org/common"> - <term><anchor id="ROOTDIR"/>root dir (G)</term> - <listitem><para>Synonym for <link linkend="ROOTDIRECTORY"> - <parameter moreinfo="none">root directory"</parameter></link>.</para> - </listitem> - </samba:parameter> diff --git a/docs/docbook/smbdotconf/security/rootdirectory.xml b/docs/docbook/smbdotconf/security/rootdirectory.xml deleted file mode 100644 index 9efc11e3c6..0000000000 --- a/docs/docbook/smbdotconf/security/rootdirectory.xml +++ /dev/null @@ -1,28 +0,0 @@ -<samba:parameter xmlns:samba="http://samba.org/common"> - <term><anchor id="ROOTDIRECTORY"/>root directory (G)</term> - <listitem><para>The server will <command moreinfo="none">chroot()</command> (i.e. - Change its root directory) to this directory on startup. This is - not strictly necessary for secure operation. Even without it the - server will deny access to files not in one of the service entries. - It may also check for, and deny access to, soft links to other - parts of the filesystem, or attempts to use ".." in file names - to access other directories (depending on the setting of the <link linkend="WIDELINKS"><parameter moreinfo="none">wide links</parameter></link> - parameter).</para> - - <para>Adding a <parameter moreinfo="none">root directory</parameter> entry other - than "/" adds an extra level of security, but at a price. It - absolutely ensures that no access is given to files not in the - sub-tree specified in the <parameter moreinfo="none">root directory</parameter> - option, <emphasis>including</emphasis> some files needed for - complete operation of the server. To maintain full operability - of the server you will need to mirror some system files - into the <parameter moreinfo="none">root directory</parameter> tree. In particular - you will need to mirror <filename moreinfo="none">/etc/passwd</filename> (or a - subset of it), and any binaries or configuration files needed for - printing (if required). The set of files that must be mirrored is - operating system dependent.</para> - - <para>Default: <command moreinfo="none">root directory = /</command></para> - <para>Example: <command moreinfo="none">root directory = /homes/smb</command></para> - </listitem> - </samba:parameter> diff --git a/docs/docbook/smbdotconf/security/security.xml b/docs/docbook/smbdotconf/security/security.xml deleted file mode 100644 index 8e97d8721f..0000000000 --- a/docs/docbook/smbdotconf/security/security.xml +++ /dev/null @@ -1,237 +0,0 @@ -<samba:parameter xmlns:samba="http://samba.org/common"> - <term><anchor id="SECURITY"/>security (G)</term> - <listitem><para>This option affects how clients respond to - Samba and is one of the most important settings in the <filename moreinfo="none"> - smb.conf</filename> file.</para> - - <para>The option sets the "security mode bit" in replies to - protocol negotiations with <citerefentry><refentrytitle>smbd</refentrytitle> - <manvolnum>8</manvolnum></citerefentry> to turn share level security on or off. Clients decide - based on this bit whether (and how) to transfer user and password - information to the server.</para> - - - <para>The default is <command moreinfo="none">security = user</command>, as this is - the most common setting needed when talking to Windows 98 and - Windows NT.</para> - - <para>The alternatives are <command moreinfo="none">security = share</command>, - <command moreinfo="none">security = server</command> or <command moreinfo="none">security = domain - </command>.</para> - - <para>In versions of Samba prior to 2.0.0, the default was - <command moreinfo="none">security = share</command> mainly because that was - the only option at one stage.</para> - - <para>There is a bug in WfWg that has relevance to this - setting. When in user or server level security a WfWg client - will totally ignore the password you type in the "connect - drive" dialog box. This makes it very difficult (if not impossible) - to connect to a Samba service as anyone except the user that - you are logged into WfWg as.</para> - - <para>If your PCs use usernames that are the same as their - usernames on the UNIX machine then you will want to use - <command moreinfo="none">security = user</command>. If you mostly use usernames - that don't exist on the UNIX box then use <command moreinfo="none">security = - share</command>.</para> - - <para>You should also use <command moreinfo="none">security = share</command> if you - want to mainly setup shares without a password (guest shares). This - is commonly used for a shared printer server. It is more difficult - to setup guest shares with <command moreinfo="none">security = user</command>, see - the <link linkend="MAPTOGUEST"><parameter moreinfo="none">map to guest</parameter> - </link>parameter for details.</para> - - <para>It is possible to use <command moreinfo="none">smbd</command> in a <emphasis> - hybrid mode</emphasis> where it is offers both user and share - level security under different <link linkend="NETBIOSALIASES"> - <parameter moreinfo="none">NetBIOS aliases</parameter></link>. </para> - - <para>The different settings will now be explained.</para> - - - <para><anchor id="SECURITYEQUALSSHARE"/><emphasis>SECURITY = SHARE - </emphasis></para> - - <para>When clients connect to a share level security server they - need not log onto the server with a valid username and password before - attempting to connect to a shared resource (although modern clients - such as Windows 95/98 and Windows NT will send a logon request with - a username but no password when talking to a <command moreinfo="none">security = share - </command> server). Instead, the clients send authentication information - (passwords) on a per-share basis, at the time they attempt to connect - to that share.</para> - - <para>Note that <command moreinfo="none">smbd</command> <emphasis>ALWAYS</emphasis> - uses a valid UNIX user to act on behalf of the client, even in - <command moreinfo="none">security = share</command> level security.</para> - - <para>As clients are not required to send a username to the server - in share level security, <command moreinfo="none">smbd</command> uses several - techniques to determine the correct UNIX user to use on behalf - of the client.</para> - - <para>A list of possible UNIX usernames to match with the given - client password is constructed using the following methods :</para> - - <itemizedlist> - <listitem><para>If the <link linkend="GUESTONLY"><parameter moreinfo="none">guest - only</parameter></link> parameter is set, then all the other - stages are missed and only the <link linkend="GUESTACCOUNT"> - <parameter moreinfo="none">guest account</parameter></link> username is checked. - </para></listitem> - - <listitem><para>Is a username is sent with the share connection - request, then this username (after mapping - see <link linkend="USERNAMEMAP"><parameter moreinfo="none">username map</parameter></link>), - is added as a potential username.</para></listitem> - - <listitem><para>If the client did a previous <emphasis>logon - </emphasis> request (the SessionSetup SMB call) then the - username sent in this SMB will be added as a potential username. - </para></listitem> - - <listitem><para>The name of the service the client requested is - added as a potential username.</para></listitem> - - <listitem><para>The NetBIOS name of the client is added to - the list as a potential username.</para></listitem> - - <listitem><para>Any users on the <link linkend="USER"><parameter moreinfo="none"> - user</parameter></link> list are added as potential usernames. - </para></listitem> - </itemizedlist> - - <para>If the <parameter moreinfo="none">guest only</parameter> parameter is - not set, then this list is then tried with the supplied password. - The first user for whom the password matches will be used as the - UNIX user.</para> - - <para>If the <parameter moreinfo="none">guest only</parameter> parameter is - set, or no username can be determined then if the share is marked - as available to the <parameter moreinfo="none">guest account</parameter>, then this - guest user will be used, otherwise access is denied.</para> - - <para>Note that it can be <emphasis>very</emphasis> confusing - in share-level security as to which UNIX username will eventually - be used in granting access.</para> - - <para>See also the section <link linkend="VALIDATIONSECT"> - NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para> - - <para><anchor id="SECURITYEQUALSUSER"/><emphasis>SECURITY = USER - </emphasis></para> - - <para>This is the default security setting in Samba 3.0. - With user-level security a client must first "log-on" with a - valid username and password (which can be mapped using the <link linkend="USERNAMEMAP"><parameter moreinfo="none">username map</parameter></link> - parameter). Encrypted passwords (see the <link linkend="ENCRYPTPASSWORDS"> - <parameter moreinfo="none">encrypted passwords</parameter></link> parameter) can also - be used in this security mode. Parameters such as <link linkend="USER"> - <parameter moreinfo="none">user</parameter></link> and <link linkend="GUESTONLY"> - <parameter moreinfo="none">guest only</parameter></link> if set are then applied and - may change the UNIX user to use on this connection, but only after - the user has been successfully authenticated.</para> - - <para><emphasis>Note</emphasis> that the name of the resource being - requested is <emphasis>not</emphasis> sent to the server until after - the server has successfully authenticated the client. This is why - guest shares don't work in user level security without allowing - the server to automatically map unknown users into the <link linkend="GUESTACCOUNT"><parameter moreinfo="none">guest account</parameter></link>. - See the <link linkend="MAPTOGUEST"><parameter moreinfo="none">map to guest</parameter> - </link> parameter for details on doing this.</para> - - <para>See also the section <link linkend="VALIDATIONSECT"> - NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para> - - <para><anchor id="SECURITYEQUALSDOMAIN"/><emphasis>SECURITY = DOMAIN - - </emphasis></para> - - <para>This mode will only work correctly if <citerefentry><refentrytitle>net</refentrytitle> - <manvolnum>8</manvolnum></citerefentry> has been used to add this - machine into a Windows NT Domain. It expects the <link linkend="ENCRYPTPASSWORDS"><parameter moreinfo="none">encrypted passwords</parameter> - </link> parameter to be set to <constant>yes</constant>. In this - mode Samba will try to validate the username/password by passing - it to a Windows NT Primary or Backup Domain Controller, in exactly - the same way that a Windows NT Server would do.</para> - - <para><emphasis>Note</emphasis> that a valid UNIX user must still - exist as well as the account on the Domain Controller to allow - Samba to have a valid UNIX account to map file access to.</para> - - <para><emphasis>Note</emphasis> that from the client's point - of view <command moreinfo="none">security = domain</command> is the same as <command moreinfo="none">security = user - </command>. It only affects how the server deals with the authentication, - it does not in any way affect what the client sees.</para> - - <para><emphasis>Note</emphasis> that the name of the resource being - requested is <emphasis>not</emphasis> sent to the server until after - the server has successfully authenticated the client. This is why - guest shares don't work in user level security without allowing - the server to automatically map unknown users into the <link linkend="GUESTACCOUNT"><parameter moreinfo="none">guest account</parameter></link>. - See the <link linkend="MAPTOGUEST"><parameter moreinfo="none">map to guest</parameter> - </link> parameter for details on doing this.</para> - - <para>See also the section <link linkend="VALIDATIONSECT"> - NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para> - - <para>See also the <link linkend="PASSWORDSERVER"><parameter moreinfo="none">password - server</parameter></link> parameter and the <link linkend="ENCRYPTPASSWORDS"><parameter moreinfo="none">encrypted passwords</parameter> - </link> parameter.</para> - - <para><anchor id="SECURITYEQUALSSERVER"/><emphasis>SECURITY = SERVER - </emphasis></para> - - <para>In this mode Samba will try to validate the username/password - by passing it to another SMB server, such as an NT box. If this - fails it will revert to <command moreinfo="none">security = - user</command>. It expects the <link linkend="ENCRYPTPASSWORDS"><parameter moreinfo="none">encrypted passwords</parameter> - </link> parameter to be set to - <constant>yes</constant>, unless the remote server - does not support them. However note - that if encrypted passwords have been negotiated then Samba cannot - revert back to checking the UNIX password file, it must have a valid - <filename moreinfo="none">smbpasswd</filename> file to check users against. See the - documentation file in the <filename moreinfo="none">docs/</filename> directory - <filename moreinfo="none">ENCRYPTION.txt</filename> for details on how to set this - up.</para> - - <para><emphasis>Note</emphasis> this mode of operation - has significant pitfalls, due to the fact that is - activly initiates a man-in-the-middle attack on the - remote SMB server. In particular, this mode of - operation can cause significant resource consuption on - the PDC, as it must maintain an active connection for - the duration of the user's session. Furthermore, if - this connection is lost, there is no way to - reestablish it, and futher authenticaions to the Samba - server may fail. (From a single client, till it - disconnects). </para> - - <para><emphasis>Note</emphasis> that from the client's point of - view <command moreinfo="none">security = server</command> is the same as <command moreinfo="none"> - security = user</command>. It only affects how the server deals - with the authentication, it does not in any way affect what the - client sees.</para> - - <para><emphasis>Note</emphasis> that the name of the resource being - requested is <emphasis>not</emphasis> sent to the server until after - the server has successfully authenticated the client. This is why - guest shares don't work in user level security without allowing - the server to automatically map unknown users into the <link linkend="GUESTACCOUNT"><parameter moreinfo="none">guest account</parameter></link>. - See the <link linkend="MAPTOGUEST"><parameter moreinfo="none">map to guest</parameter> - </link> parameter for details on doing this.</para> - - <para>See also the section <link linkend="VALIDATIONSECT"> - NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para> - - <para>See also the <link linkend="PASSWORDSERVER"><parameter moreinfo="none">password - server</parameter></link> parameter and the <link linkend="ENCRYPTPASSWORDS"><parameter moreinfo="none">encrypted passwords</parameter> - </link> parameter.</para> - - <para>Default: <command moreinfo="none">security = USER</command></para> - <para>Example: <command moreinfo="none">security = DOMAIN</command></para> - - </listitem> - </samba:parameter> diff --git a/docs/docbook/smbdotconf/security/securitymask.xml b/docs/docbook/smbdotconf/security/securitymask.xml deleted file mode 100644 index 9ed0adcbf4..0000000000 --- a/docs/docbook/smbdotconf/security/securitymask.xml +++ /dev/null @@ -1,33 +0,0 @@ -<samba:parameter xmlns:samba="http://samba.org/common"> - <term><anchor id="SECURITYMASK"/>security mask (S)</term> - <listitem><para>This parameter controls what UNIX permission - bits can be modified when a Windows NT client is manipulating - the UNIX permission on a file using the native NT security - dialog box.</para> - - <para>This parameter is applied as a mask (AND'ed with) to - the changed permission bits, thus preventing any bits not in - this mask from being modified. Essentially, zero bits in this - mask may be treated as a set of bits the user is not allowed - to change.</para> - - <para>If not set explicitly this parameter is 0777, allowing - a user to modify all the user/group/world permissions on a file. - </para> - - <para><emphasis>Note</emphasis> that users who can access the - Samba server through other means can easily bypass this - restriction, so it is primarily useful for standalone - "appliance" systems. Administrators of most normal systems will - probably want to leave it set to <constant>0777</constant>.</para> - - <para>See also the <link linkend="FORCEDIRECTORYSECURITYMODE"> - <parameter moreinfo="none">force directory security mode</parameter></link>, - <link linkend="DIRECTORYSECURITYMASK"><parameter moreinfo="none">directory - security mask</parameter></link>, <link linkend="FORCESECURITYMODE"> - <parameter moreinfo="none">force security mode</parameter></link> parameters.</para> - - <para>Default: <command moreinfo="none">security mask = 0777</command></para> - <para>Example: <command moreinfo="none">security mask = 0770</command></para> - </listitem> - </samba:parameter> diff --git a/docs/docbook/smbdotconf/security/smbpasswdfile.xml b/docs/docbook/smbdotconf/security/smbpasswdfile.xml deleted file mode 100644 index 2efbd12169..0000000000 --- a/docs/docbook/smbdotconf/security/smbpasswdfile.xml +++ /dev/null @@ -1,13 +0,0 @@ -<samba:parameter xmlns:samba="http://samba.org/common"> - <term><anchor id="SMBPASSWDFILE"/>smb passwd file (G)</term> - <listitem><para>This option sets the path to the encrypted - smbpasswd file. By default the path to the smbpasswd file - is compiled into Samba.</para> - - <para>Default: <command moreinfo="none">smb passwd file = ${prefix}/private/smbpasswd - </command></para> - - <para>Example: <command moreinfo="none">smb passwd file = /etc/samba/smbpasswd - </command></para> - </listitem> - </samba:parameter> diff --git a/docs/docbook/smbdotconf/security/unixpasswordsync.xml b/docs/docbook/smbdotconf/security/unixpasswordsync.xml deleted file mode 100644 index 41c6d983d0..0000000000 --- a/docs/docbook/smbdotconf/security/unixpasswordsync.xml +++ /dev/null @@ -1,18 +0,0 @@ -<samba:parameter xmlns:samba="http://samba.org/common"> - <term><anchor id="UNIXPASSWORDSYNC"/>unix password sync (G)</term> - <listitem><para>This boolean parameter controls whether Samba - attempts to synchronize the UNIX password with the SMB password - when the encrypted SMB password in the smbpasswd file is changed. - If this is set to <constant>yes</constant> the program specified in the <parameter moreinfo="none">passwd - program</parameter>parameter is called <emphasis>AS ROOT</emphasis> - - to allow the new UNIX password to be set without access to the - old UNIX password (as the SMB password change code has no - access to the old password cleartext, only the new).</para> - - <para>See also <link linkend="PASSWDPROGRAM"><parameter moreinfo="none">passwd - program</parameter></link>, <link linkend="PASSWDCHAT"><parameter moreinfo="none"> - passwd chat</parameter></link>.</para> - - <para>Default: <command moreinfo="none">unix password sync = no</command></para> - </listitem> - </samba:parameter> diff --git a/docs/docbook/smbdotconf/security/updateencrypted.xml b/docs/docbook/smbdotconf/security/updateencrypted.xml deleted file mode 100644 index 45c66e0de2..0000000000 --- a/docs/docbook/smbdotconf/security/updateencrypted.xml +++ /dev/null @@ -1,28 +0,0 @@ -<samba:parameter xmlns:samba="http://samba.org/common"> - <term><anchor id="UPDATEENCRYPTED"/>update encrypted (G)</term> - <listitem><para>This boolean parameter allows a user logging - on with a plaintext password to have their encrypted (hashed) - password in the smbpasswd file to be updated automatically as - they log on. This option allows a site to migrate from plaintext - password authentication (users authenticate with plaintext - password over the wire, and are checked against a UNIX account - database) to encrypted password authentication (the SMB - challenge/response authentication mechanism) without forcing - all users to re-enter their passwords via smbpasswd at the time the - change is made. This is a convenience option to allow the change over - to encrypted passwords to be made over a longer period. Once all users - have encrypted representations of their passwords in the smbpasswd - file this parameter should be set to <constant>no</constant>.</para> - - <para>In order for this parameter to work correctly the <link linkend="ENCRYPTPASSWORDS"><parameter moreinfo="none">encrypt passwords</parameter> - </link> parameter must be set to <constant>no</constant> when - this parameter is set to <constant>yes</constant>.</para> - - <para>Note that even when this parameter is set a user - authenticating to <command moreinfo="none">smbd</command> must still enter a valid - password in order to connect correctly, and to update their hashed - (smbpasswd) passwords.</para> - - <para>Default: <command moreinfo="none">update encrypted = no</command></para> - </listitem> - </samba:parameter> diff --git a/docs/docbook/smbdotconf/security/user.xml b/docs/docbook/smbdotconf/security/user.xml deleted file mode 100644 index 9c0502061b..0000000000 --- a/docs/docbook/smbdotconf/security/user.xml +++ /dev/null @@ -1,6 +0,0 @@ -<samba:parameter xmlns:samba="http://samba.org/common"> - <term><anchor id="USER"/>user (S)</term> - <listitem><para>Synonym for <link linkend="USERNAME"><parameter moreinfo="none"> - username</parameter></link>.</para> - </listitem> - </samba:parameter> diff --git a/docs/docbook/smbdotconf/security/username.xml b/docs/docbook/smbdotconf/security/username.xml deleted file mode 100644 index 779f24170b..0000000000 --- a/docs/docbook/smbdotconf/security/username.xml +++ /dev/null @@ -1,62 +0,0 @@ -<samba:parameter xmlns:samba="http://samba.org/common"> - <term><anchor id="USERNAME"/>username (S)</term> - <listitem><para>Multiple users may be specified in a comma-delimited - list, in which case the supplied password will be tested against - each username in turn (left to right).</para> - - <para>The <parameter moreinfo="none">username</parameter> line is needed only when - the PC is unable to supply its own username. This is the case - for the COREPLUS protocol or where your users have different WfWg - usernames to UNIX usernames. In both these cases you may also be - better using the \\server\share%user syntax instead.</para> - - <para>The <parameter moreinfo="none">username</parameter> line is not a great - solution in many cases as it means Samba will try to validate - the supplied password against each of the usernames in the - <parameter moreinfo="none">username</parameter> line in turn. This is slow and - a bad idea for lots of users in case of duplicate passwords. - You may get timeouts or security breaches using this parameter - unwisely.</para> - - <para>Samba relies on the underlying UNIX security. This - parameter does not restrict who can login, it just offers hints - to the Samba server as to what usernames might correspond to the - supplied password. Users can login as whoever they please and - they will be able to do no more damage than if they started a - telnet session. The daemon runs as the user that they log in as, - so they cannot do anything that user cannot do.</para> - - <para>To restrict a service to a particular set of users you - can use the <link linkend="VALIDUSERS"><parameter moreinfo="none">valid users - </parameter></link> parameter.</para> - - <para>If any of the usernames begin with a '@' then the name - will be looked up first in the NIS netgroups list (if Samba - is compiled with netgroup support), followed by a lookup in - the UNIX groups database and will expand to a list of all users - in the group of that name.</para> - - <para>If any of the usernames begin with a '+' then the name - will be looked up only in the UNIX groups database and will - expand to a list of all users in the group of that name.</para> - - <para>If any of the usernames begin with a '&' then the name - will be looked up only in the NIS netgroups database (if Samba - is compiled with netgroup support) and will expand to a list - of all users in the netgroup group of that name.</para> - - <para>Note that searching though a groups database can take - quite some time, and some clients may time out during the - search.</para> - - <para>See the section <link linkend="VALIDATIONSECT">NOTE ABOUT - USERNAME/PASSWORD VALIDATION</link> for more information on how - this parameter determines access to the services.</para> - - <para>Default: <command moreinfo="none">The guest account if a guest service, - else <empty string>.</command></para> - - <para>Examples:<command moreinfo="none">username = fred, mary, jack, jane, - @users, @pcgroup</command></para> - </listitem> - </samba:parameter> diff --git a/docs/docbook/smbdotconf/security/usernamelevel.xml b/docs/docbook/smbdotconf/security/usernamelevel.xml deleted file mode 100644 index a4deff3bf9..0000000000 --- a/docs/docbook/smbdotconf/security/usernamelevel.xml +++ /dev/null @@ -1,20 +0,0 @@ -<samba:parameter xmlns:samba="http://samba.org/common"> - <term><anchor id="USERNAMELEVEL"/>username level (G)</term> - <listitem><para>This option helps Samba to try and 'guess' at - the real UNIX username, as many DOS clients send an all-uppercase - username. By default Samba tries all lowercase, followed by the - username with the first letter capitalized, and fails if the - username is not found on the UNIX machine.</para> - - <para>If this parameter is set to non-zero the behavior changes. - This parameter is a number that specifies the number of uppercase - combinations to try while trying to determine the UNIX user name. The - higher the number the more combinations will be tried, but the slower - the discovery of usernames will be. Use this parameter when you have - strange usernames on your UNIX machine, such as <constant>AstrangeUser - </constant>.</para> - - <para>Default: <command moreinfo="none">username level = 0</command></para> - <para>Example: <command moreinfo="none">username level = 5</command></para> - </listitem> - </samba:parameter> diff --git a/docs/docbook/smbdotconf/security/usernamemap.xml b/docs/docbook/smbdotconf/security/usernamemap.xml deleted file mode 100644 index 37ee72c235..0000000000 --- a/docs/docbook/smbdotconf/security/usernamemap.xml +++ /dev/null @@ -1,90 +0,0 @@ -<samba:parameter xmlns:samba="http://samba.org/common"> - <term><anchor id="USERNAMEMAP"/>username map (G)</term> - <listitem><para>This option allows you to specify a file containing - a mapping of usernames from the clients to the server. This can be - used for several purposes. The most common is to map usernames - that users use on DOS or Windows machines to those that the UNIX - box uses. The other is to map multiple users to a single username - so that they can more easily share files.</para> - - <para>The map file is parsed line by line. Each line should - contain a single UNIX username on the left then a '=' followed - by a list of usernames on the right. The list of usernames on the - right may contain names of the form @group in which case they - will match any UNIX username in that group. The special client - name '*' is a wildcard and matches any name. Each line of the - map file may be up to 1023 characters long.</para> - - <para>The file is processed on each line by taking the - supplied username and comparing it with each username on the right - hand side of the '=' signs. If the supplied name matches any of - the names on the right hand side then it is replaced with the name - on the left. Processing then continues with the next line.</para> - - <para>If any line begins with a '#' or a ';' then it is - ignored</para> - - <para>If any line begins with an '!' then the processing - will stop after that line if a mapping was done by the line. - Otherwise mapping continues with every line being processed. - Using '!' is most useful when you have a wildcard mapping line - later in the file.</para> - - <para>For example to map from the name <constant>admin</constant> - or <constant>administrator</constant> to the UNIX name <constant> - root</constant> you would use:</para> - - <para><command moreinfo="none">root = admin administrator</command></para> - - <para>Or to map anyone in the UNIX group <constant>system</constant> - to the UNIX name <constant>sys</constant> you would use:</para> - - <para><command moreinfo="none">sys = @system</command></para> - - <para>You can have as many mappings as you like in a username - map file.</para> - - - <para>If your system supports the NIS NETGROUP option then - the netgroup database is checked before the <filename moreinfo="none">/etc/group - </filename> database for matching groups.</para> - - <para>You can map Windows usernames that have spaces in them - by using double quotes around the name. For example:</para> - - <para><command moreinfo="none">tridge = "Andrew Tridgell"</command></para> - - <para>would map the windows username "Andrew Tridgell" to the - unix username "tridge".</para> - - <para>The following example would map mary and fred to the - unix user sys, and map the rest to guest. Note the use of the - '!' to tell Samba to stop processing if it gets a match on - that line.</para> - -<para><programlisting format="linespecific"> -!sys = mary fred -guest = * -</programlisting></para> - - <para>Note that the remapping is applied to all occurrences - of usernames. Thus if you connect to \\server\fred and <constant> - fred</constant> is remapped to <constant>mary</constant> then you - will actually be connecting to \\server\mary and will need to - supply a password suitable for <constant>mary</constant> not - <constant>fred</constant>. The only exception to this is the - username passed to the <link linkend="PASSWORDSERVER"><parameter moreinfo="none"> - password server</parameter></link> (if you have one). The password - server will receive whatever username the client supplies without - modification.</para> - - <para>Also note that no reverse mapping is done. The main effect - this has is with printing. Users who have been mapped may have - trouble deleting print jobs as PrintManager under WfWg will think - they don't own the print job.</para> - - <para>Default: <emphasis>no username map</emphasis></para> - <para>Example: <command moreinfo="none">username map = /usr/local/samba/lib/users.map - </command></para> - </listitem> - </samba:parameter> diff --git a/docs/docbook/smbdotconf/security/users.xml b/docs/docbook/smbdotconf/security/users.xml deleted file mode 100644 index e78d259f62..0000000000 --- a/docs/docbook/smbdotconf/security/users.xml +++ /dev/null @@ -1,6 +0,0 @@ -<samba:parameter xmlns:samba="http://samba.org/common"> - <term><anchor id="USERS"/>users (S)</term> - <listitem><para>Synonym for <link linkend="USERNAME"><parameter moreinfo="none"> - username</parameter></link>.</para> - </listitem> - </samba:parameter> diff --git a/docs/docbook/smbdotconf/security/validusers.xml b/docs/docbook/smbdotconf/security/validusers.xml deleted file mode 100644 index 5155a5ef34..0000000000 --- a/docs/docbook/smbdotconf/security/validusers.xml +++ /dev/null @@ -1,23 +0,0 @@ -<samba:parameter xmlns:samba="http://samba.org/common"> - <term><anchor id="VALIDUSERS"/>valid users (S)</term> - <listitem><para>This is a list of users that should be allowed - to login to this service. Names starting with '@', '+' and '&' - are interpreted using the same rules as described in the - <parameter moreinfo="none">invalid users</parameter> parameter.</para> - - <para>If this is empty (the default) then any user can login. - If a username is in both this list and the <parameter moreinfo="none">invalid - users</parameter> list then access is denied for that user.</para> - - <para>The current servicename is substituted for <parameter moreinfo="none">%S - </parameter>. This is useful in the [homes] section.</para> - - <para>See also <link linkend="INVALIDUSERS"><parameter moreinfo="none">invalid users - </parameter></link></para> - - <para>Default: <emphasis>No valid users list (anyone can login) - </emphasis></para> - - <para>Example: <command moreinfo="none">valid users = greg, @pcusers</command></para> - </listitem> - </samba:parameter> diff --git a/docs/docbook/smbdotconf/security/writable.xml b/docs/docbook/smbdotconf/security/writable.xml deleted file mode 100644 index 66ba44cc44..0000000000 --- a/docs/docbook/smbdotconf/security/writable.xml +++ /dev/null @@ -1,6 +0,0 @@ -<samba:parameter xmlns:samba="http://samba.org/common"> - <term><anchor id="WRITABLE"/>writable (S)</term> - <listitem><para>Synonym for <link linkend="WRITEABLE"><parameter moreinfo="none"> - writeable</parameter></link> for people who can't spell :-).</para> - </listitem> - </samba:parameter> diff --git a/docs/docbook/smbdotconf/security/writeable.xml b/docs/docbook/smbdotconf/security/writeable.xml deleted file mode 100644 index b963410374..0000000000 --- a/docs/docbook/smbdotconf/security/writeable.xml +++ /dev/null @@ -1,6 +0,0 @@ -<samba:parameter xmlns:samba="http://samba.org/common"> - <term><anchor id="WRITEABLE"/>writeable (S)</term> - <listitem><para>Inverted synonym for <link linkend="READONLY"><parameter moreinfo="none"> - read only</parameter></link>.</para> - </listitem> - </samba:parameter> diff --git a/docs/docbook/smbdotconf/security/writelist.xml b/docs/docbook/smbdotconf/security/writelist.xml deleted file mode 100644 index 76ee56c93a..0000000000 --- a/docs/docbook/smbdotconf/security/writelist.xml +++ /dev/null @@ -1,21 +0,0 @@ -<samba:parameter xmlns:samba="http://samba.org/common"> - <term><anchor id="WRITELIST"/>write list (S)</term> - <listitem><para>This is a list of users that are given read-write - access to a service. If the connecting user is in this list then - they will be given write access, no matter what the <link linkend="READONLY"><parameter moreinfo="none">read only</parameter></link> - option is set to. The list can include group names using the - @group syntax.</para> - - <para>Note that if a user is in both the read list and the - write list then they will be given write access.</para> - - <para>See also the <link linkend="READLIST"><parameter moreinfo="none">read list - </parameter></link> option.</para> - - <para>Default: <command moreinfo="none">write list = <empty string> - </command></para> - - <para>Example: <command moreinfo="none">write list = admin, root, @staff - </command></para> - </listitem> - </samba:parameter> diff --git a/docs/docbook/smbdotconf/security/writeok.xml b/docs/docbook/smbdotconf/security/writeok.xml deleted file mode 100644 index 103c2be993..0000000000 --- a/docs/docbook/smbdotconf/security/writeok.xml +++ /dev/null @@ -1,6 +0,0 @@ -<samba:parameter xmlns:samba="http://samba.org/common"> - <term><anchor id="WRITEOK"/>write ok (S)</term> - <listitem><para>Inverted synonym for <link linkend="READONLY"><parameter moreinfo="none"> - read only</parameter></link>.</para> - </listitem> - </samba:parameter> |