Diffstat (limited to 'docs/smbdotconf/logon')
-rw-r--r-- docs/smbdotconf/logon/abortshutdownscript.xml 17
-rw-r--r-- docs/smbdotconf/logon/addgroupscript.xml 18
-rw-r--r-- docs/smbdotconf/logon/addmachinescript.xml 20
-rw-r--r-- docs/smbdotconf/logon/adduserscript.xml 50
-rw-r--r-- docs/smbdotconf/logon/addusertogroupscript.xml 17
-rw-r--r-- docs/smbdotconf/logon/deletegroupscript.xml 15
-rw-r--r-- docs/smbdotconf/logon/deleteuserfromgroupscript.xml 17
-rw-r--r-- docs/smbdotconf/logon/deleteuserscript.xml 22
-rw-r--r-- docs/smbdotconf/logon/domainlogons.xml 15
-rw-r--r-- docs/smbdotconf/logon/logondrive.xml 17
-rw-r--r-- docs/smbdotconf/logon/logonhome.xml 45
-rw-r--r-- docs/smbdotconf/logon/logonpath.xml 48
-rw-r--r-- docs/smbdotconf/logon/logonscript.xml 43
-rw-r--r-- docs/smbdotconf/logon/setprimarygroupscript.xml 20
-rw-r--r-- docs/smbdotconf/logon/shutdownscript.xml 57
15 files changed, 421 insertions, 0 deletions
diff --git a/docs/smbdotconf/logon/abortshutdownscript.xml b/docs/smbdotconf/logon/abortshutdownscript.xml
new file mode 100644
index 0000000000..f4e399a759
--- /dev/null
+++ b/docs/smbdotconf/logon/abortshutdownscript.xml
@@ -0,0 +1,17 @@
+<samba:parameter name="abort shutdown script"
+ context="G"
+ advanced="1" developer="1"
+ type="string"
+ xmlns:samba="http://samba.org/common">
+<description>
+ <para><emphasis>This parameter only exists in the HEAD cvs branch</emphasis>
+ This a full path name to a script called by <citerefentry><refentrytitle>smbd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> that
+ should stop a shutdown procedure issued by the <link linkend="SHUTDOWNSCRIPT">
+ <parameter moreinfo="none">shutdown script</parameter></link>.</para>
+
+ <para>This command will be run as user.</para>
+</description>
+<value type="default"></value>
+<value type="example">/sbin/shutdown -c</value>
+</samba:parameter>
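Review bot: "This command will be run as user." in the second para does not say which user; shutdownscript.xml in this same patch says "run as the user connected to the server", so use that wording here if it is the intent. The first para also reads "This a full path name" (missing "is"), and the emphasised HEAD-branch sentence runs into the next one without a full stop.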
diff --git a/docs/smbdotconf/logon/addgroupscript.xml b/docs/smbdotconf/logon/addgroupscript.xml
new file mode 100644
index 0000000000..38da0f79ef
--- /dev/null
+++ b/docs/smbdotconf/logon/addgroupscript.xml
@@ -0,0 +1,18 @@
+<samba:parameter name="add group script"
+ context="G"
+ type="string"
+ advanced="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<description>
+ <para>This is the full pathname to a script that will be run
+ <emphasis>AS ROOT</emphasis> by <citerefentry>
+ <refentrytitle>smbd</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+ when a new group is requested. It will expand any <parameter
+ moreinfo="none">%g</parameter> to the group name passed. This
+ script is only useful for installations using the Windows NT
+ domain administration tools. The script is free to create a
+ group with an arbitrary name to circumvent unix group name
+ restrictions. In that case the script must print the numeric gid
+ of the created group on stdout.</para>
+</description>
+</samba:parameter>
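Review bot: This file has no <value type="default"> or <value type="example"> element after </description>, unlike the other script parameters in this patch; add at least an empty default. Since the script is run AS ROOT and %g expands to the group name passed in from the domain administration tools, the description should also tell script authors to treat that name as untrusted input, and an example with a quoted '%g' would show the expected form.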
diff --git a/docs/smbdotconf/logon/addmachinescript.xml b/docs/smbdotconf/logon/addmachinescript.xml
new file mode 100644
index 0000000000..bd76d00a6c
--- /dev/null
+++ b/docs/smbdotconf/logon/addmachinescript.xml
@@ -0,0 +1,20 @@
+<samba:parameter name="add machine script"
+ context="G"
+ type="string"
+ advanced="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<description>
+ <para>This is the full pathname to a script that will be run by
+ <citerefentry><refentrytitle>smbd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> when a machine is added
+ to it's domain using the administrator username and password
+ method. </para>
+
+ <para>This option is only required when using sam back-ends tied
+ to the Unix uid method of RID calculation such as smbpasswd.
+ This option is only available in Samba 3.0.</para>
+</description>
+
+<value type="default"/>
+<value type="example">/usr/sbin/adduser -n -g machines -c Machine -d /dev/null -s /bin/false %u</value>
+</samba:parameter>
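Review bot: The description does not say which user the script runs as, while adduserscript.xml and addgroupscript.xml state AS ROOT explicitly; state it here too, since the example invokes /usr/sbin/adduser. Also "to it's domain" should be "to its domain", the description never mentions the %u that the example relies on, and %u is passed unquoted in the example.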
diff --git a/docs/smbdotconf/logon/adduserscript.xml b/docs/smbdotconf/logon/adduserscript.xml
new file mode 100644
index 0000000000..d1d3ef118e
--- /dev/null
+++ b/docs/smbdotconf/logon/adduserscript.xml
@@ -0,0 +1,50 @@
+<samba:parameter name="add user script"
+ context="G"
+ type="string"
+ advanced="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<description>
+ <para>This is the full pathname to a script that will
+ be run <emphasis>AS ROOT</emphasis> by <citerefentry><refentrytitle>smbd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> under special circumstances described below.</para>
+
+ <para>Normally, a Samba server requires that UNIX users are
+ created for all users accessing files on this server. For sites
+ that use Windows NT account databases as their primary user database
+ creating these users and keeping the user list in sync with the
+ Windows NT PDC is an onerous task. This option allows smbd to create the required UNIX users
+ <emphasis>ON DEMAND</emphasis> when a user accesses the Samba server.</para>
+
+ <para>In order to use this option, <citerefentry><refentrytitle>smbd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> must <emphasis>NOT</emphasis> be set to <parameter moreinfo="none">security = share</parameter>
+ and <parameter moreinfo="none">add user script</parameter>
+ must be set to a full pathname for a script that will create a UNIX
+ user given one argument of <parameter moreinfo="none">%u</parameter>, which expands into
+ the UNIX user name to create.</para>
+
+ <para>When the Windows user attempts to access the Samba server,
+ at login (session setup in the SMB protocol) time, <citerefentry><refentrytitle>smbd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> contacts the <parameter moreinfo="none">password server</parameter> and
+ attempts to authenticate the given user with the given password. If the
+ authentication succeeds then <command moreinfo="none">smbd</command>
+ attempts to find a UNIX user in the UNIX password database to map the
+ Windows user into. If this lookup fails, and <parameter moreinfo="none">add user script
+ </parameter> is set then <command moreinfo="none">smbd</command> will
+ call the specified script <emphasis>AS ROOT</emphasis>, expanding
+ any <parameter moreinfo="none">%u</parameter> argument to be the user name to create.</para>
+
+ <para>If this script successfully creates the user then <command moreinfo="none">smbd
+ </command> will continue on as though the UNIX user
+ already existed. In this way, UNIX users are dynamically created to
+ match existing Windows NT accounts.</para>
+
+ <para>See also <link linkend="SECURITY"><parameter moreinfo="none">
+ security</parameter></link>, <link linkend="PASSWORDSERVER">
+ <parameter moreinfo="none">password server</parameter></link>,
+ <link linkend="DELETEUSERSCRIPT"><parameter moreinfo="none">delete user
+ script</parameter></link>.</para>
+</description>
+
+<value type="default"/>
+<value type="example">/usr/local/samba/bin/add_user %u</value>
+</samba:parameter>
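Review bot: The example value /usr/local/samba/bin/add_user %u passes %u unquoted to a script that the text says is called AS ROOT, with the name coming from the Windows account that has just authenticated; setprimarygroupscript.xml in this patch quotes its substitutions ('%g' '%u'), and the example here should do the same, with a sentence telling script authors to validate the name. In the third para, "smbd must NOT be set to security = share" reads as if smbd were the setting; it is the security parameter that must not be share. The closing </parameter> after "add user script" sits on the following line, which leaves a line break inside the parameter name.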
diff --git a/docs/smbdotconf/logon/addusertogroupscript.xml b/docs/smbdotconf/logon/addusertogroupscript.xml
new file mode 100644
index 0000000000..74ac6071a1
--- /dev/null
+++ b/docs/smbdotconf/logon/addusertogroupscript.xml
@@ -0,0 +1,17 @@
+<samba:parameter name="add user to group script"
+ context="G"
+ type="string"
+ advanced="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<description>
+ <para>Full path to the script that will be called when
+ a user is added to a group using the Windows NT domain administration
+ tools. It will be run by <citerefentry><refentrytitle>smbd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> <emphasis>AS ROOT</emphasis>.
+ Any <parameter moreinfo="none">%g</parameter> will be replaced with the group name and
+ any <parameter moreinfo="none">%u</parameter> will be replaced with the user name.
+ </para>
+</description>
+<value type="default"></value>
+<value type="example">/usr/sbin/adduser %u %g</value>
+</samba:parameter>
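Review bot: The example /usr/sbin/adduser %u %g passes both substitutions unquoted to a command run AS ROOT; quote them as setprimarygroupscript.xml does ('%g' '%u') so that a name containing whitespace cannot split into extra arguments. The empty default is written <value type="default"></value> here but <value type="default"/> in adduserscript.xml and addmachinescript.xml; pick one form for the directory.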
diff --git a/docs/smbdotconf/logon/deletegroupscript.xml b/docs/smbdotconf/logon/deletegroupscript.xml
new file mode 100644
index 0000000000..11c499de35
--- /dev/null
+++ b/docs/smbdotconf/logon/deletegroupscript.xml
@@ -0,0 +1,15 @@
+<samba:parameter name="delete group script"
+ context="G"
+ type="string"
+ advanced="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<description>
+ <para>This is the full pathname to a script that will
+ be run <emphasis>AS ROOT</emphasis> <citerefentry><refentrytitle>smbd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> when a group is requested to be deleted.
+ It will expand any <parameter moreinfo="none">%g</parameter> to the group name passed.
+ This script is only useful for installations using the Windows NT domain administration tools.
+ </para>
+</description>
+<value type="default"></value>
+</samba:parameter>
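Review bot: The first sentence is missing "by": "be run AS ROOT" is followed directly by the smbd citerefentry, where addgroupscript.xml has "AS ROOT by smbd". There is also no <value type="example"> here, although most of the sibling script parameters carry one; an example with a quoted '%g' would help.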
diff --git a/docs/smbdotconf/logon/deleteuserfromgroupscript.xml b/docs/smbdotconf/logon/deleteuserfromgroupscript.xml
new file mode 100644
index 0000000000..502f98b664
--- /dev/null
+++ b/docs/smbdotconf/logon/deleteuserfromgroupscript.xml
@@ -0,0 +1,17 @@
+<samba:parameter name="delete user from group script"
+ context="G"
+ type="string"
+ advanced="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<description>
+ <para>Full path to the script that will be called when
+ a user is removed from a group using the Windows NT domain administration
+ tools. It will be run by <citerefentry><refentrytitle>smbd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> <emphasis>AS ROOT</emphasis>.
+ Any <parameter moreinfo="none">%g</parameter> will be replaced with the group name and
+ any <parameter moreinfo="none">%u</parameter> will be replaced with the user name.
+</para>
+</description>
+<value type="default"/>
+<value type="example">/usr/sbin/deluser %u %g</value>
+</samba:parameter>
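Review bot: The example /usr/sbin/deluser %u %g hands %u and %g unquoted to a command run AS ROOT; quote them as setprimarygroupscript.xml does ('%g' '%u'). The closing </para> is also not indented here, while the otherwise identical text in addusertogroupscript.xml indents it; align the two files.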
diff --git a/docs/smbdotconf/logon/deleteuserscript.xml b/docs/smbdotconf/logon/deleteuserscript.xml
new file mode 100644
index 0000000000..3579f1b21c
--- /dev/null
+++ b/docs/smbdotconf/logon/deleteuserscript.xml
@@ -0,0 +1,22 @@
+<samba:parameter name="delete user script"
+ type="string"
+ context="G"
+ advanced="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<description>
+ <para>This is the full pathname to a script that will
+ be run by <citerefentry><refentrytitle>smbd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> when managing users
+ with remote RPC (NT) tools.
+ </para>
+
+ <para>This script is called when a remote client removes a user
+ from the server, normally using 'User Manager for Domains' or
+ <command moreinfo="none">rpcclient</command>.</para>
+
+ <para>This script should delete the given UNIX username.</para>
+</description>
+
+<value type="default"></value>
+<value type="example">/usr/local/samba/bin/del_user %u</value>
+</samba:parameter>
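Review bot: The description never says which user the script runs as, nor that %u is substituted, yet the example depends on %u and the sibling add user script is documented as run AS ROOT. Add both, and say where "the given UNIX username" comes from (the account named by the remote client) so script authors know to validate it before deleting anything.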
diff --git a/docs/smbdotconf/logon/domainlogons.xml b/docs/smbdotconf/logon/domainlogons.xml
new file mode 100644
index 0000000000..db694ab32e
--- /dev/null
+++ b/docs/smbdotconf/logon/domainlogons.xml
@@ -0,0 +1,15 @@
+<samba:parameter name="domain logons"
+ context="G"
+ type="boolean"
+ advanced="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<description>
+ <para>If set to <constant>yes</constant>, the Samba server will serve
+ Windows 95/98 Domain logons for the <link linkend="WORKGROUP">
+ <parameter moreinfo="none">workgroup</parameter></link> it is in. Samba 2.2
+ has limited capability to act as a domain controller for Windows
+ NT 4 Domains. For more details on setting up this feature see
+ the PDC chapter of the Samba HOWTO Collection.</para>
+</description>
+<value type="default">no</value>
+</samba:parameter>
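Review bot: "Samba 2.2 has limited capability to act as a domain controller" is a version-specific statement, while addmachinescript.xml in this same patch says its option "is only available in Samba 3.0"; the two files should describe the same release. Either drop the 2.2 sentence or reword it for the version these docs ship with.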
diff --git a/docs/smbdotconf/logon/logondrive.xml b/docs/smbdotconf/logon/logondrive.xml
new file mode 100644
index 0000000000..f69cc62e78
--- /dev/null
+++ b/docs/smbdotconf/logon/logondrive.xml
@@ -0,0 +1,17 @@
+<samba:parameter name="logon drive"
+ context="G"
+ type="string"
+ advanced="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<description>
+ <para>This parameter specifies the local path to
+ which the home directory will be connected (see <link linkend="LOGONHOME">
+ <parameter moreinfo="none">logon home</parameter></link>)
+ and is only used by NT Workstations. </para>
+
+ <para>Note that this option is only useful if Samba is set up as a
+ logon server.</para>
+</description>
+<value type="default">z:</value>
+<value type="example">h:</value>
+</samba:parameter>
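Review bot: "the local path to which the home directory will be connected" is misleading next to the default z: and the example h:, which are drive letters; say "the local drive letter on the workstation" instead. There is also a stray space before the closing </para> of that sentence.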
diff --git a/docs/smbdotconf/logon/logonhome.xml b/docs/smbdotconf/logon/logonhome.xml
new file mode 100644
index 0000000000..6d288e6d7c
--- /dev/null
+++ b/docs/smbdotconf/logon/logonhome.xml
@@ -0,0 +1,45 @@
+<samba:parameter name="logon home"
+ context="G"
+ type="string"
+ advanced="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<description>
+ <para>This parameter specifies the home directory
+ location when a Win95/98 or NT Workstation logs into a Samba PDC.
+ It allows you to do </para>
+
+ <para><prompt moreinfo="none">C:\&gt;</prompt>
+ <userinput moreinfo="none">NET USE H: /HOME</userinput>
+ </para>
+
+ <para>from a command prompt, for example.</para>
+
+ <para>This option takes the standard substitutions, allowing
+ you to have separate logon scripts for each user or machine.</para>
+
+ <para>This parameter can be used with Win9X workstations to ensure
+ that roaming profiles are stored in a subdirectory of the user's
+ home directory. This is done in the following way:</para>
+
+ <para><command moreinfo="none">logon home = \\%N\%U\profile</command></para>
+
+ <para>This tells Samba to return the above string, with
+ substitutions made when a client requests the info, generally
+ in a NetUserGetInfo request. Win9X clients truncate the info to
+ \\server\share when a user does <command moreinfo="none">net use /home</command>
+ but use the whole string when dealing with profiles.</para>
+
+ <para>Note that in prior versions of Samba, the <link linkend="LOGONPATH">
+ <parameter moreinfo="none">logon path</parameter></link> was returned rather than
+ <parameter moreinfo="none">logon home</parameter>. This broke <command
+ moreinfo="none">net use /home</command> but allowed profiles outside the home directory.
+ The current implementation is correct, and can be used for profiles if you use
+ the above trick.</para>
+
+ <para>This option is only useful if Samba is set up as a logon
+ server.</para>
+</description>
+
+<value type="default">\\%N\%U</value>
+<value type="example">\\remote_smb_server\%U</value>
+</samba:parameter>
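Review bot: The para "This option takes the standard substitutions, allowing you to have separate logon scripts for each user or machine" is copied from logonscript.xml; for logon home the substitutions give separate home directories, not logon scripts. The opening sentence also breaks off at "It allows you to do </para>" with the NET USE line in a para of its own; a <screen> inside a single para would keep the sentence together.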
diff --git a/docs/smbdotconf/logon/logonpath.xml b/docs/smbdotconf/logon/logonpath.xml
new file mode 100644
index 0000000000..b7c53b7011
--- /dev/null
+++ b/docs/smbdotconf/logon/logonpath.xml
@@ -0,0 +1,48 @@
+<samba:parameter name="logon path"
+ context="G"
+ type="string"
+ advanced="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<description>
+ <para>This parameter specifies the home directory
+ where roaming profiles (NTuser.dat etc files for Windows NT) are
+ stored. Contrary to previous versions of these manual pages, it has
+ nothing to do with Win 9X roaming profiles. To find out how to
+ handle roaming profiles for Win 9X system, see the <link linkend="LOGONHOME">
+ <parameter moreinfo="none">logon home</parameter></link> parameter.</para>
+
+ <para>This option takes the standard substitutions, allowing you
+ to have separate logon scripts for each user or machine. It also
+ specifies the directory from which the &quot;Application Data&quot;,
+ (<filename moreinfo="none">desktop</filename>, <filename moreinfo="none">start menu</filename>,
+ <filename moreinfo="none">network neighborhood</filename>, <filename moreinfo="none">programs</filename>
+ and other folders, and their contents, are loaded and displayed on
+ your Windows NT client.</para>
+
+ <para>The share and the path must be readable by the user for
+ the preferences and directories to be loaded onto the Windows NT
+ client. The share must be writeable when the user logs in for the first
+ time, in order that the Windows NT client can create the NTuser.dat
+ and other directories.</para>
+
+ <para>Thereafter, the directories and any of the contents can,
+ if required, be made read-only. It is not advisable that the
+ NTuser.dat file be made read-only - rename it to NTuser.man to
+ achieve the desired effect (a <emphasis>MAN</emphasis>datory
+ profile). </para>
+
+ <para>Windows clients can sometimes maintain a connection to
+ the [homes] share, even though there is no user logged in.
+ Therefore, it is vital that the logon path does not include a
+ reference to the homes share (i.e. setting this parameter to
+ \%N\%U\profile_path will cause problems).</para>
+
+ <para>This option takes the standard substitutions, allowing
+ you to have separate logon scripts for each user or machine.</para>
+
+ <para>Note that this option is only useful if Samba is set up
+ as a logon server.</para>
+</description>
+<value type="default">\\%N\%U\profile</value>
+<value type="example">>\\PROFILESERVER\PROFILE\%U</value>
+</samba:parameter>
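Review bot: The example value has a stray ">" before the path: <value type="example">>\\PROFILESERVER\PROFILE\%U</value> will render with a leading ">". In the homes-share warning, \%N\%U\profile_path has a single leading backslash where the default uses two, and the warning sits oddly next to the default \\%N\%U\profile, which has the same \\%N\%U\ form the text says will cause problems; one of the two needs changing or explaining. The parenthesis opened before <filename>desktop is never closed, and the "standard substitutions ... separate logon scripts" para appears twice.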
diff --git a/docs/smbdotconf/logon/logonscript.xml b/docs/smbdotconf/logon/logonscript.xml
new file mode 100644
index 0000000000..7e7561ca65
--- /dev/null
+++ b/docs/smbdotconf/logon/logonscript.xml
@@ -0,0 +1,43 @@
+<samba:parameter name="logon script"
+ context="G"
+ advanced="1" developer="1"
+ type="string"
+ xmlns:samba="http://samba.org/common">
+<description>
+ <para>This parameter specifies the batch file (.bat) or
+ NT command file (.cmd) to be downloaded and run on a machine when
+ a user successfully logs in. The file must contain the DOS
+ style CR/LF line endings. Using a DOS-style editor to create the
+ file is recommended.</para>
+
+ <para>The script must be a relative path to the [netlogon]
+ service. If the [netlogon] service specifies a <link linkend="PATH">
+ <parameter moreinfo="none">path</parameter></link> of <filename
+ moreinfo="none">/usr/local/samba/netlogon</filename>, and <command
+ moreinfo="none">logon script = STARTUP.BAT</command>, then
+ the file that will be downloaded is:</para>
+
+ <para><filename moreinfo="none">/usr/local/samba/netlogon/STARTUP.BAT</filename></para>
+
+ <para>The contents of the batch file are entirely your choice. A
+ suggested command would be to add <command moreinfo="none">NET TIME \\SERVER /SET
+ /YES</command>, to force every machine to synchronize clocks with
+ the same time server. Another use would be to add <command moreinfo="none">NET USE
+ U: \\SERVER\UTILS</command> for commonly used utilities, or <screen>
+ <userinput>NET USE Q: \\SERVER\ISO9001_QA</userinput></screen> for example.</para>
+
+ <para>Note that it is particularly important not to allow write
+ access to the [netlogon] share, or to grant users write permission
+ on the batch files in a secure environment, as this would allow
+ the batch files to be arbitrarily modified and security to be
+ breached.</para>
+
+ <para>This option takes the standard substitutions, allowing you
+ to have separate logon scripts for each user or machine.</para>
+
+ <para>This option is only useful if Samba is set up as a logon
+ server.</para>
+</description>
+<value type="default"></value>
+<value type="example">scripts\%U.bat</value>
+</samba:parameter>
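Review bot: In the para of suggested commands, the third example is wrapped in <screen><userinput> in the middle of a sentence while the first two use <command>; <screen> is a block element, so use <command moreinfo="none"> for the NET USE Q: line as well. In the write-access warning, consider naming the consequence directly: the file is downloaded and run on the client at logon, so anyone who can write to [netlogon] or to the batch files decides what runs on each machine that logs in. The example scripts\%U.bat uses a backslash although the text describes a path relative to a UNIX directory; say which separator is expected.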
diff --git a/docs/smbdotconf/logon/setprimarygroupscript.xml b/docs/smbdotconf/logon/setprimarygroupscript.xml
new file mode 100644
index 0000000000..08a3d50b4a
--- /dev/null
+++ b/docs/smbdotconf/logon/setprimarygroupscript.xml
@@ -0,0 +1,20 @@
+<samba:parameter name="set primary group script"
+ context="G"
+ type="string"
+ advanced="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<description>
+
+ <para>Thanks to the Posix subsystem in NT a Windows User has a
+ primary group in addition to the auxiliary groups. This script
+ sets the primary group in the unix userdatase when an
+ administrator sets the primary group from the windows user
+ manager or when fetching a SAM with <command>net rpc
+ vampire</command>. <parameter>%u</parameter> will be replaced
+ with the user whose primary group is to be set.
+ <parameter>%g</parameter> will be replaced with the group to
+ set.</para>
+</description>
+<value type="default"></value>
+<value type="example">/usr/sbin/usermod -g '%g' '%u'</value>
+</samba:parameter>
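Review bot: "unix userdatase" is a typo for "unix user database". The <command> and <parameter> elements here lack the moreinfo="none" attribute that the other files in this patch use, and the description does not say which user the script runs as even though the example calls /usr/sbin/usermod. The quoted '%g' '%u' in the example is the form the other script examples should follow.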
diff --git a/docs/smbdotconf/logon/shutdownscript.xml b/docs/smbdotconf/logon/shutdownscript.xml
new file mode 100644
index 0000000000..bd86bfd06d
--- /dev/null
+++ b/docs/smbdotconf/logon/shutdownscript.xml
@@ -0,0 +1,57 @@
+<samba:parameter name="shutdown script"
+ context="G"
+ type="string"
+ advanced="1" developer="1"
+ xmlns:samba="http://samba.org/common">
+<description>
+ <para><emphasis>This parameter only exists in the HEAD cvs branch</emphasis>
+ This a full path name to a script called by <citerefentry><refentrytitle>smbd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> that should start a shutdown procedure.</para>
+
+ <para>This command will be run as the user connected to the server.</para>
+
+ <para>%m %t %r %f parameters are expanded:</para>
+
+ <itemizedlist>
+ <listitem>
+ <para><parameter moreinfo="none">%m</parameter> will be substituted with the
+ shutdown message sent to the server.</para>
+ </listitem>
+
+ <listitem>
+ <para><parameter moreinfo="none">%t</parameter> will be substituted with the
+ number of seconds to wait before effectively starting the
+ shutdown procedure.</para>
+ </listitem>
+
+ <listitem>
+ <para><parameter moreinfo="none">%r</parameter> will be substituted with the
+ switch <emphasis>-r</emphasis>. It means reboot after shutdown
+ for NT.</para>
+ </listitem>
+
+ <listitem>
+ <para><parameter moreinfo="none">%f</parameter> will be substituted with the
+ switch <emphasis>-f</emphasis>. It means force the shutdown
+ even if applications do not respond for NT.</para>
+ </listitem>
+ </itemizedlist>
+
+ <para>Shutdown script example:
+<programlisting format="linespecific">
+#!/bin/bash
+
+$time=0
+let &quot;time/60&quot;
+let &quot;time++&quot;
+
+/sbin/shutdown $3 $4 +$time $1 &amp;
+</programlisting>
+Shutdown does not return so we need to launch it in background.
+</para>
+</description>
+<related>abort shutdown script</related>
+<value type="default"></value>
+<value type="example">/usr/local/samba/sbin/shutdown %m %t %r %f</value>
+
+</samba:parameter>
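Review bot: The script in the <programlisting> does not work as written: "$time=0" is not an assignment in bash (with time unset it expands to the command "=0"), let "time/60" evaluates but stores nothing, and the delay passed as %t ($2) is never read, so shutdown always gets +1. Presumably time=$2 followed by let "time/=60" and let "time++" was meant. $1 is the shutdown message sent to the server and is passed to /sbin/shutdown unquoted, so it is split on whitespace; write it as "$1". The first para also reads "This a full path name" (missing "is").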