diff options
Diffstat (limited to 'docs/docbook/smbdotconf')
-rw-r--r-- | docs/docbook/smbdotconf/base/adsserver.xml | 15 | ||||
-rw-r--r-- | docs/docbook/smbdotconf/protocol/nameresolveorder.xml | 16 | ||||
-rw-r--r-- | docs/docbook/smbdotconf/security/authmethods.xml | 14 | ||||
-rw-r--r-- | docs/docbook/smbdotconf/security/passwordserver.xml | 32 |
4 files changed, 42 insertions, 35 deletions
diff --git a/docs/docbook/smbdotconf/base/adsserver.xml b/docs/docbook/smbdotconf/base/adsserver.xml deleted file mode 100644 index 4dd2a4b635..0000000000 --- a/docs/docbook/smbdotconf/base/adsserver.xml +++ /dev/null @@ -1,15 +0,0 @@ -<samba:parameter name="ads server" - context="G" - basic="1" advanced="1" wizard="1" developer="1" - xmlns:samba="http://samba.org/common"> -<listitem> - <para>If this option is specified, samba does not try to figure out what - ads server to use itself, but uses the specified ads server. Either one - DNS name or IP address can be used.</para> - - <para>Default: <command moreinfo="none">ads server = </command></para> - - <para>Example: <command moreinfo="none">ads server = 192.168.1.2</command></para> -</listitem> - -</samba:parameter> diff --git a/docs/docbook/smbdotconf/protocol/nameresolveorder.xml b/docs/docbook/smbdotconf/protocol/nameresolveorder.xml index c029dcd181..777fc2268e 100644 --- a/docs/docbook/smbdotconf/protocol/nameresolveorder.xml +++ b/docs/docbook/smbdotconf/protocol/nameresolveorder.xml @@ -5,7 +5,8 @@ <listitem> <para>This option is used by the programs in the Samba suite to determine what naming services to use and in what order - to resolve host names to IP addresses. The option takes a space + to resolve host names to IP addresses. Its main purpose to is to + control how netbios name resolution is performed. The option takes a space separated string of name resolution options.</para> <para>The options are: "lmhosts", "host", @@ -16,7 +17,8 @@ <listitem> <para><constant>lmhosts</constant> : Lookup an IP address in the Samba lmhosts file. If the line in lmhosts has - no name type attached to the NetBIOS name (see the <ulink url="lmhosts.5.html">lmhosts(5)</ulink> for details) then + no name type attached to the NetBIOS name (see the <ulink + url="lmhosts.5.html">lmhosts(5)</ulink> for details) then any name type matches for lookup.</para> </listitem> @@ -26,9 +28,10 @@ </filename>, NIS, or DNS lookups. This method of name resolution is operating system depended for instance on IRIX or Solaris this may be controlled by the <filename moreinfo="none">/etc/nsswitch.conf</filename> - file. Note that this method is only used if the NetBIOS name - type being queried is the 0x20 (server) name type, otherwise - it is ignored.</para> + file. Note that this method is used only if the NetBIOS name + type being queried is the 0x20 (server) name type or 0x1c (domain controllers). + The latter case is only useful for active directory domains and results in a DNS + query for the SRV RR entry matching _ldap._tcp.domain.</para> </listitem> <listitem> @@ -59,6 +62,9 @@ it is advised to use following settings for <parameter moreinfo="none">name resolve order</parameter>:</para> <para><command moreinfo="none">name resolve order = wins bcast</command></para> + + <para>DC lookups will still be done via DNS, but fallbacks to netbios names will + not inundate your DNS servers with needless querys for DOMAIN<0x1c> lookups.</para> </listitem> </samba:parameter> diff --git a/docs/docbook/smbdotconf/security/authmethods.xml b/docs/docbook/smbdotconf/security/authmethods.xml index 0b7965d55b..7c0f5a71e1 100644 --- a/docs/docbook/smbdotconf/security/authmethods.xml +++ b/docs/docbook/smbdotconf/security/authmethods.xml @@ -6,14 +6,24 @@ <para>This option allows the administrator to chose what authentication methods <command moreinfo="none">smbd</command> will use when authenticating a user. This option defaults to sensible values based on <link linkend="SECURITY"> - <parameter moreinfo="none">security</parameter></link>.</para> + <parameter moreinfo="none">security</parameter></link>. This should be considered + a developer option and used only in rare circumstances. In the majority (if not all) + of production servers, the default setting should be adequate.</para> <para>Each entry in the list attempts to authenticate the user in turn, until the user authenticates. In practice only one method will ever actually be able to complete the authentication. </para> + <para>Possible options include <constant>guest</constant> (anonymous access), + <constant>sam</constant> (lookups in local list of accounts based on netbios + name or domain name), <constant>winbind</constant> (relay authentication requests + for remote users through winbindd), <constant>ntdomain</constant> (pre-winbindd + method of authentication for remote domain users; deprecated in favour of winbind method), + <constant>trustdomain</constant> (authenticate trusted users by contacting the + remote DC directly from smbd; deprecated in favour of winbind method).</para> + <para>Default: <command moreinfo="none">auth methods = <empty string></command></para> - <para>Example: <command moreinfo="none">auth methods = guest sam ntdomain</command></para> + <para>Example: <command moreinfo="none">auth methods = guest sam winbind</command></para> </listitem> </samba:parameter> diff --git a/docs/docbook/smbdotconf/security/passwordserver.xml b/docs/docbook/smbdotconf/security/passwordserver.xml index e40ff32b75..f854027041 100644 --- a/docs/docbook/smbdotconf/security/passwordserver.xml +++ b/docs/docbook/smbdotconf/security/passwordserver.xml @@ -3,18 +3,22 @@ advanced="1" wizard="1" developer="1" xmlns:samba="http://samba.org/common"> <listitem> - <para>By specifying the name of another SMB server (such - as a WinNT box) with this option, and using <command moreinfo="none">security = domain - </command> or <command moreinfo="none">security = server</command> you can get Samba - to do all its username/password validation via a remote server.</para> + <para>By specifying the name of another SMB server + or Active Directory domain controller with this option, + and using <command moreinfo="none">security = [ads|domain|server]</command> + it is possible to get Samba to + to do all its username/password validation using a specific remote server.</para> - <para>This option sets the name of the password server to use. - It must be a NetBIOS name, so if the machine's NetBIOS name is - different from its Internet name then you may have to add its NetBIOS - name to the lmhosts file which is stored in the same directory - as the <filename moreinfo="none">smb.conf</filename> file.</para> + <para>This option sets the name or IP address of the password server to use. + New syntax has been added to support defining the port to use when connecting + to the server the case of an ADS realm. To define a port other than the + default LDAP port of 389, add the port number using a colon after the + name or IP address (e.g. 192.168.1.100:389). If you do not specify a port, + Samba will use the standard LDAP port of tcp/389. Note that port numbers + have no effect on password servers for Windows NT 4.0 domains or netbios + connections.</para> - <para>The name of the password server is looked up using the + <para>If parameter is a name, it is looked up using the parameter <link linkend="NAMERESOLVEORDER"><parameter moreinfo="none">name resolve order</parameter></link> and so may resolved by any method and order described in that parameter.</para> @@ -38,14 +42,14 @@ trust your clients, and you had better restrict them with hosts allow!</para> <para>If the <parameter moreinfo="none">security</parameter> parameter is set to - <constant>domain</constant>, then the list of machines in this + <constant>domain</constant> or <constant>ads</constant>, then the list of machines in this option must be a list of Primary or Backup Domain controllers for the Domain or the character '*', as the Samba server is effectively in that domain, and will use cryptographically authenticated RPC calls to authenticate the user logging on. The advantage of using <command moreinfo="none"> security = domain</command> is that if you list several hosts in the <parameter moreinfo="none">password server</parameter> option then <command moreinfo="none">smbd - </command> will try each in turn till it finds one that responds. This + </command> will try each in turn till it finds one that responds. This is useful in case your primary server goes down.</para> <para>If the <parameter moreinfo="none">password server</parameter> option is set @@ -55,7 +59,7 @@ and then contacting each server returned in the list of IP addresses from the name resolution source. </para> - <para>If the list of servers contains both names and the '*' + <para>If the list of servers contains both names/IP's and the '*' character, the list is treated as a list of preferred domain controllers, but an auto lookup of all remaining DC's will be added to the list as well. Samba will not attempt to optimize @@ -93,6 +97,8 @@ <para>Example: <command moreinfo="none">password server = NT-PDC, NT-BDC1, NT-BDC2, *</command></para> + <para>Example: <command moreinfo="none">password server = windc.mydomain.com:389 192.168.1.101 *</command></para> + <para>Example: <command moreinfo="none">password server = *</command></para> </listitem> </samba:parameter> |