diff options
Diffstat (limited to 'docs/manpages')
-rw-r--r-- | docs/manpages/smb.conf.5 | 176 |
1 files changed, 158 insertions, 18 deletions
diff --git a/docs/manpages/smb.conf.5 b/docs/manpages/smb.conf.5 index 5c89a0ace0..9215184ae5 100644 --- a/docs/manpages/smb.conf.5 +++ b/docs/manpages/smb.conf.5 @@ -569,6 +569,9 @@ parameter for details\&. Note that some are synonyms\&. \fBdomain master\fP .IP .IP o +\fBdomain user map\fP +.IP +.IP o \fBencrypt passwords\fP .IP .IP o @@ -1439,7 +1442,7 @@ This parameter can be set per share\&. \fBExample:\fP \f(CW blocking locks = False\fP .IP -.IP "\fBbrowseable (S)\fP" +.IP "\fBbrowsable (S)\fP" .IP Synonym for \fBbrowseable\fP\&. .IP @@ -2047,14 +2050,16 @@ NT users, despite the lack of native support for the NT Security model with the NT Domain system and its administration\&. .IP This option is used in conjunction with \fB\'local group map\'\fP -and \fB\'username map\'\fP\&. The use of these three +and \fB\'domain user map\'\fP\&. The use of these three options is trivial and often unnecessary in the case where Samba is not expected to interact with any other SAM databases (whether local workstations or Domain Controllers)\&. .IP The map file is parsed line by line\&. If any line begins with a \f(CW\'#\'\fP or a \f(CW\';\'\fP then it is ignored\&. Each line should contain a single UNIX -group name on the left then an NT Domain Group name on the right\&. +group name on the left then a single NT Domain Group name on the right, +separated by a tabstop or \f(CW\'=\'\fP\&. If either name contains spaces then +it should be enclosed in quotes\&. The line can be either of the form: .IP \f(CW UNIXgroupname \e\eDOMAIN_NAME\e\eDomainGroupName \fP @@ -2069,16 +2074,16 @@ the latter format can be used: the default Domain name is the Samba Server\'s Domain name, specified by \fB"workgroup = MYGROUP"\fP\&. .IP Any UNIX groups that are \fINOT\fP specified in this map file are assumed -to be Domain Groups\&. +to be Domain Groups, but it depends on the role of the Samba Server\&. .IP -In this case, when Samba is an \fBEXPERIMENTAL\fP Domain Controller, Samba +In the case when Samba is an \fBEXPERIMENTAL\fP Domain Controller, Samba will present \fIALL\fP such unspecified UNIX groups as its own NT Domain Groups, with the same name\&. .IP In the case where Samba is member of a domain using \fB"security = domain"\fP, Samba will check the UNIX name with its Domain Controller (see \fB"password server"\fP) -as if it was an NT Domain Group\&. If the UNIX group is not an NT Group, +as if it was an NT Domain Group\&. If the Domain Controller says that it is not, such unspecified (unmapped) UNIX groups which also are not NT Domain Groups are treated as Local Groups in the Samba Server\'s local SAM database\&. NT Administrators will recognise these as Workstation Local Groups, @@ -2086,14 +2091,35 @@ which are managed by running \fBUSRMGR\&.EXE\fP and selecting a remote Domain named "\e\eWORKSTATION_NAME", or by running \fBMUSRMGR\&.EXE\fP on a local Workstation\&. .IP +This may sound complicated, but it means that a Samba Server as +either a member of a domain or as an \fBEXPERIMENTAL\fP Domain Controller +will act like an NT Workstation (with a local SAM database) or an NT PDC +(with a Domain SAM database) respectively, without the need for any of +the map files at all\&. If you \fBwant\fP to get fancy, however, you can\&. +.IP Note that adding an entry to map an arbitrary NT group in an arbitrary -Domain to an arbitrary UNIX group requires the following: that the UNIX -group exists on the UNIX server; that the NT Domain Group exists in the -specified NT Domain; that the UNIX Server knows about the specified Domain; +Domain to an arbitrary UNIX group \fIREQUIRES\fP the following: +.IP +.IP +.IP o +that the UNIX group exists on the UNIX server\&. +.IP +.IP o +that the NT Domain Group exists in the specified NT Domain +.IP +.IP o +that the UNIX Server knows about the specified Domain; +.IP +.IP o that all the UNIX users (who are expecting to access the Samba Server as the correct NT user and with the correct NT group permissions) in the UNIX group be mapped to the correct NT Domain users in the specified -NT Domain using \fB\'username map\'\fP\&. +NT Domain using \fB\'domain user map\'\fP\&. +.IP +.IP +Failure to meet any of these requirements may result in either (or +both) errors reported in the log files or (and) incorrect or missing +access rights granted to users\&. .IP .IP "\fBdomain groups (G)\fP" .IP @@ -2165,6 +2191,86 @@ and may fail\&. \fBDefault:\fP \f(CW domain master = no\fP .IP +.IP "\fBdomain user map (G)\fP" +.IP +This option allows you to specify a file containing unique mappings +of individual NT Domain User names (in any domain) to UNIX user +names\&. This allows NT domain users to be presented correctly to +NT systems, despite the lack of native support for the NT Security model +(based on VAX/VMS) in UNIX\&. The reader is advised to become familiar +with the NT Domain system and its administration\&. +.IP +This option is used in conjunction with \fB\'local group map\'\fP +and \fB\'domain group map\'\fP\&. The use of these three +options is trivial and often unnecessary in the case where Samba is +not expected to interact with any other SAM databases (whether local +workstations or Domain Controllers)\&. +.IP +This option, which provides (and maintains) a one-to-one link between +UNIX and NT users, is \fIDIFFERENT\fP from \fB\'username map\'\fP, which does \fINOT\fP maintain a distinction between the +name(s) it can map to and the name it maps\&. +.IP +The map file is parsed line by line\&. If any line begins with a \f(CW\'#\'\fP +or a \f(CW\';\'\fP then the line is ignored\&. Each line should contain a single UNIX +user name on the left then a single NT Domain User name on the right, +separated by a tabstop or \f(CW\'=\'\fP\&. If either name contains spaces then +it should be enclosed in quotes\&. +The line can be either of the form: +.IP +\f(CW UNIXusername \e\eDOMAIN_NAME\e\eDomainUserName \fP +.IP +or: +.IP +\f(CW UNIXusername DomainUserName \fP +.IP +In the case where Samba is either an \fBEXPERIMENTAL\fP Domain Controller +or it is a member of a domain using \fB"security = domain"\fP, +the latter format can be used: the default Domain name is the Samba Server\'s +Domain name, specified by \fB"workgroup = MYGROUP"\fP\&. +.IP +Any UNIX users that are \fINOT\fP specified in this map file are assumed +to be either Domain or Workstation Users, depending on the role of the +Samba Server\&. +.IP +In the case when Samba is an \fBEXPERIMENTAL\fP Domain Controller, Samba +will present \fIALL\fP such unspecified UNIX users as its own NT Domain +Users, with the same name\&. +.IP +In the case where Samba is member of a domain using +\fB"security = domain"\fP, Samba will check the UNIX name with +its Domain Controller (see \fB"password server"\fP) +as if it was an NT Domain User\&. If the Domain Controller says that it is not, +such unspecified (unmapped) UNIX users which also are not NT Domain +Users are treated as Local Users in the Samba Server\'s local SAM database\&. +NT Administrators will recognise these as Workstation Users, +which are managed by running \fBUSRMGR\&.EXE\fP and selecting a remote +Domain named "\e\eWORKSTATION_NAME", or by running \fBMUSRMGR\&.EXE\fP on +a local Workstation\&. +.IP +This may sound complicated, but it means that a Samba Server as +either a member of a domain or as an \fBEXPERIMENTAL\fP Domain Controller +will act like an NT Workstation (with a local SAM database) or an NT PDC +(with a Domain SAM database) respectively, without the need for any of +the map files at all\&. If you \fBwant\fP to get fancy, however, you can\&. +.IP +Note that adding an entry to map an arbitrary NT User in an arbitrary +Domain to an arbitrary UNIX user \fIREQUIRES\fP the following: +.IP +.IP +.IP o +that the UNIX user exists on the UNIX server\&. +.IP +.IP o +that the NT Domain User exists in the specified NT Domain\&. +.IP +.IP o +that the UNIX Server knows about the specified Domain\&. +.IP +.IP +Failure to meet any of these requirements may result in either (or +both) errors reported in the log files or (and) incorrect or missing +access rights granted to users\&. +.IP .IP "\fBdont descend (S)\fP" .IP There are certain directories on some systems (e\&.g\&., the \f(CW/proc\fP tree @@ -2846,14 +2952,16 @@ NT users, despite the lack of native support for the NT Security model with the NT Domain system and its administration\&. .IP This option is used in conjunction with \fB\'domain group map\'\fP -and \fB\'username map\'\fP\&. The use of these three +and \fB\'domain name map\'\fP\&. The use of these three options is trivial and often unnecessary in the case where Samba is not expected to interact with any other SAM databases (whether local workstations or Domain Controllers)\&. .IP The map file is parsed line by line\&. If any line begins with a \f(CW\'#\'\fP or a \f(CW\';\'\fP then it is ignored\&. Each line should contain a single UNIX -group name on the left then an NT Local Group name on the right\&. +group name on the left then a single NT Local Group name on the right, +separated by a tabstop or \f(CW\'=\'\fP\&. If either name contains spaces then +it should be enclosed in quotes\&. The line can be either of the form: .IP \f(CW UNIXgroupname \e\eDOMAIN_NAME\e\eLocalGroupName \fP @@ -2870,14 +2978,14 @@ Domain name, specified by \fB"workgroup = MYGROUP"\fP\&. Any UNIX groups that are \fINOT\fP specified in this map file are treated as Local Groups depending on the role of the Samba Server\&. .IP -When Samba is an \fBEXPERIMENTAL\fP Domain Controller, Samba +In the case when Samba is an \fBEXPERIMENTAL\fP Domain Controller, Samba will present \fIALL\fP unspecified UNIX groups as its own NT Domain Groups, with the same name, and \fINOT\fP as Local Groups\&. .IP In the case where Samba is member of a domain using \fB"security = domain"\fP, Samba will check the UNIX name with its Domain Controller (see \fB"password server"\fP) -as if it was an NT Domain Group\&. If the UNIX group is not an NT Group, +as if it was an NT Domain Group\&. If the Domain Controller says that it is not, such unspecified (unmapped) UNIX groups which also are not NT Domain Groups are treated as Local Groups in the Samba Server\'s local SAM database\&. NT Administrators will recognise these as Workstation Local Groups, @@ -2885,14 +2993,35 @@ which are managed by running \fBUSRMGR\&.EXE\fP and selecting a remote Domain named "\e\eWORKSTATION_NAME", or by running \fBMUSRMGR\&.EXE\fP on a local Workstation\&. .IP +This may sound complicated, but it means that a Samba Server as +either a member of a domain or as an \fBEXPERIMENTAL\fP Domain Controller +will act like an NT Workstation (with a local SAM database) or an NT PDC +(with a Domain SAM database) respectively, without the need for any of +the map files at all\&. If you \fBwant\fP to get fancy, however, you can\&. +.IP Note that adding an entry to map an arbitrary NT group in an arbitrary -Domain to an arbitrary UNIX group requires the following: that the UNIX -group exists on the UNIX server; that the NT Local Group exists in the -specified NT Domain; that the UNIX Server knows about the specified Domain; +Domain to an arbitrary UNIX group \fIREQUIRES\fP the following: +.IP +.IP +.IP o +that the UNIX group exists on the UNIX server\&. +.IP +.IP o +that the NT Domain Group exists in the specified NT Domain +.IP +.IP o +that the UNIX Server knows about the specified Domain; +.IP +.IP o that all the UNIX users (who are expecting to access the Samba Server as the correct NT user and with the correct NT group permissions) in the UNIX group be mapped to the correct NT Domain users in the specified -NT Domain using \fB\'username map\'\fP\&. +NT Domain using \fB\'domain user map\'\fP\&. +.IP +.IP +Failure to meet any of these requirements may result in either (or +both) errors reported in the log files or (and) incorrect or missing +access rights granted to users\&. .IP .IP "\fBlocal master (G)\fP" .IP @@ -5912,6 +6041,17 @@ Windows machines to those that the UNIX box uses\&. The other is to map multiple users to a single username so that they can more easily share files\&. .IP +The use of this option, therefore, relates to UNIX usernames +and not Windows (specifically NT Domain) usernames\&. In other words, +once a name has been mapped using this option, the Samba server uses +the mapped name for internal \fIAND\fP external purposes\&. +.IP +This option is \fIDIFFERENT\fP from the \fB"domain user map"\fP +parameter, which maintains a one-to-one mapping between UNIX usernames +and NT Domain Usernames: more specifically, the Samba server maintains +a link between \fIBOTH\fP usernames, presenting the NT username to the +external NT world, and using the UNIX username internally\&. +.IP The map file is parsed line by line\&. Each line should contain a single UNIX username on the left then a \f(CW\'=\'\fP followed by a list of usernames on the right\&. The list of usernames on the right may contain |