path: root/docs/smbdotconf/security/security.xml
Diffstat (limited to 'docs/smbdotconf/security/security.xml')
-rw-r--r-- docs/smbdotconf/security/security.xml 85
1 files changed, 32 insertions, 53 deletions
diff --git a/docs/smbdotconf/security/security.xml b/docs/smbdotconf/security/security.xml
index fe5cf5404f..226d1c1270 100644
--- a/docs/smbdotconf/security/security.xml
+++ b/docs/smbdotconf/security/security.xml
@@ -47,13 +47,11 @@
want to mainly setup shares without a password (guest shares). This
is commonly used for a shared printer server. It is more difficult
to setup guest shares with <command moreinfo="none">security = user</command>, see
- the <link linkend="MAPTOGUEST"><parameter moreinfo="none">map to guest</parameter>
- </link>parameter for details.</para>
+ the <smbconfoption name="map to guest"/>parameter for details.</para>
<para>It is possible to use <command moreinfo="none">smbd</command> in a <emphasis>
hybrid mode</emphasis> where it is offers both user and share
- level security under different <link linkend="NETBIOSALIASES">
- <parameter moreinfo="none">NetBIOS aliases</parameter></link>. </para>
+ level security under different <smbconfoption name="NetBIOS aliases"/>. </para>
<para>The different settings will now be explained.</para>
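Review bot: The first added line leaves no whitespace between the element and the next word (`<smbconfoption name="map to guest"/>parameter`), so unless the smbconfoption template emits trailing whitespace itself, the rendered text will run the option name into "parameter"; add a space after the `/>`. Separately, `name="NetBIOS aliases"` is the only mixed-case name in this patch, while every other option is written in lowercase. If the smbconfoption lookup matches names case-sensitively, this one should be lowercase too, so it is worth checking that the generated link still resolves.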
@@ -83,17 +81,14 @@
<itemizedlist>
<listitem>
- <para>If the <link linkend="GUESTONLY"><parameter moreinfo="none">guest
- only</parameter></link> parameter is set, then all the other
- stages are missed and only the <link linkend="GUESTACCOUNT">
- <parameter moreinfo="none">guest account</parameter></link> username is checked.
+ <para>If the <smbconfoption name="guest only"/> parameter is set, then all the other
+ stages are missed and only the <smbconfoption name="guest account"/> username is checked.
</para>
</listitem>
<listitem>
<para>Is a username is sent with the share connection
- request, then this username (after mapping - see <link linkend="USERNAMEMAP">
- <parameter moreinfo="none">username map</parameter></link>),
+ request, then this username (after mapping - see <smbconfoption name="username map"/>),
is added as a potential username.
</para>
</listitem>
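Review bot: The second list item still opens with "Is a username is sent" in the context line directly above the changed line; since this paragraph is being touched anyway, correct it to "If a username is sent" in the same commit. The markup replacement itself reads fine here: both `guest only` and `guest account` keep a space before the following word.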
@@ -118,8 +113,7 @@
</listitem>
<listitem>
- <para>Any users on the <link linkend="USER"><parameter moreinfo="none">
- user</parameter></link> list are added as potential usernames.
+ <para>Any users on the <smbconfoption name="user"/> list are added as potential usernames.
</para>
</listitem>
</itemizedlist>
@@ -145,13 +139,10 @@
<para>This is the default security setting in Samba 3.0.
With user-level security a client must first &quot;log-on&quot; with a
- valid username and password (which can be mapped using the <link linkend="USERNAMEMAP">
- <parameter moreinfo="none">username map</parameter></link>
- parameter). Encrypted passwords (see the <link linkend="ENCRYPTPASSWORDS">
- <parameter moreinfo="none">encrypted passwords</parameter></link> parameter) can also
- be used in this security mode. Parameters such as <link linkend="USER">
- <parameter moreinfo="none">user</parameter></link> and <link linkend="GUESTONLY">
- <parameter moreinfo="none">guest only</parameter></link> if set are then applied and
+ valid username and password (which can be mapped using the <smbconfoption name="username map"/>
+ parameter). Encrypted passwords (see the <smbconfoption name="encrypted passwords"/> parameter) can also
+ be used in this security mode. Parameters such as <smbconfoption name="user"/> and <smbconfoption
+ name="guest only"/> if set are then applied and
may change the UNIX user to use on this connection, but only after
the user has been successfully authenticated.</para>
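Review bot: The last replacement splits a single empty element across two lines (`<smbconfoption` at the end of one line, `name="guest only"/>` at the start of the next). It is valid XML, but it is the only split tag among the smbconfoption replacements in this patch and it defeats a simple line-based search for `<smbconfoption name=`. Break the line before the element instead so the tag stays whole.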
@@ -159,21 +150,17 @@
requested is <emphasis>not</emphasis> sent to the server until after
the server has successfully authenticated the client. This is why
guest shares don't work in user level security without allowing
- the server to automatically map unknown users into the <link linkend="GUESTACCOUNT">
- <parameter moreinfo="none">guest account</parameter></link>.
- See the <link linkend="MAPTOGUEST"><parameter moreinfo="none">map to guest</parameter>
- </link> parameter for details on doing this.</para>
+ the server to automatically map unknown users into the <smbconfoption name="guest account"/>.
+ See the <smbconfoption name="map to guest"/> parameter for details on doing this.</para>
- <para>See also the section <link linkend="VALIDATIONSECT">
- NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para>
+ <para>See also the section <link linkend="VALIDATIONSECT">NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para>
<para><anchor id="SECURITYEQUALSDOMAIN"/><emphasis>SECURITY = DOMAIN</emphasis></para>
<para>This mode will only work correctly if <citerefentry><refentrytitle>net</refentrytitle>
<manvolnum>8</manvolnum></citerefentry> has been used to add this
- machine into a Windows NT Domain. It expects the <link linkend="ENCRYPTPASSWORDS">
- <parameter moreinfo="none">encrypted passwords</parameter>
- </link> parameter to be set to <constant>yes</constant>. In this
+ machine into a Windows NT Domain. It expects the <smbconfoption name="encrypted passwords"/>
+ parameter to be set to <constant>yes</constant>. In this
mode Samba will try to validate the username/password by passing
it to a Windows NT Primary or Backup Domain Controller, in exactly
the same way that a Windows NT Server would do.</para>
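Review bot: The VALIDATIONSECT link is joined onto one line here, but the two identical "See also the section" paragraphs visible as unchanged context in the following hunks (the security = domain and security = server sections) keep the line break and indentation inside the link text. Either apply the same whitespace fix to all three copies or leave this one alone, so the three paragraphs stay identical and the change stays limited to the link-to-smbconfoption conversion.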
@@ -192,31 +179,26 @@
requested is <emphasis>not</emphasis> sent to the server until after
the server has successfully authenticated the client. This is why
guest shares don't work in user level security without allowing
- the server to automatically map unknown users into the <link linkend="GUESTACCOUNT">
- <parameter moreinfo="none">guest account</parameter></link>.
- See the <link linkend="MAPTOGUEST"><parameter moreinfo="none">map to guest</parameter>
- </link> parameter for details on doing this.</para>
+ the server to automatically map unknown users into the <smbconfoption name="guest account"/>.
+ See the <smbconfoption name="map to guest"/> parameter for details on doing this.</para>
<para>See also the section <link linkend="VALIDATIONSECT">
NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para>
- <para>See also the <link linkend="PASSWORDSERVER"><parameter moreinfo="none">password
- server</parameter></link> parameter and the <link linkend="ENCRYPTPASSWORDS">
- <parameter moreinfo="none">encrypted passwords</parameter>
- </link> parameter.</para>
+ <para>See also the <smbconfoption name="password server"/> parameter and
+ the <smbconfoption name="encrypted passwords"/> parameter.</para>
<para><anchor id="SECURITYEQUALSSERVER"/><emphasis>SECURITY = SERVER</emphasis></para>
- <para>In this mode Samba will try to validate the username/password
- by passing it to another SMB server, such as an NT box. If this
- fails it will revert to <command moreinfo="none">security =
- user</command>. It expects the <link linkend="ENCRYPTPASSWORDS">
- <parameter moreinfo="none">encrypted passwords</parameter></link> parameter
- to be set to <constant>yes</constant>, unless the remote server
- does not support them. However note that if encrypted passwords have been
- negotiated then Samba cannot revert back to checking the UNIX password file,
- it must have a valid <filename moreinfo="none">smbpasswd</filename> file to check
- users against. See the chapter about the User Database in the Samba HOWTO Collection for details on how to set this up.</para>
+ <para>
+ In this mode Samba will try to validate the username/password by passing it to another SMB server, such as an
+ NT box. If this fails it will revert to <command moreinfo="none">security = user</command>. It expects the
+ <smbconfoption name="encrypted passwords"/> parameter to be set to <constant>yes</constant>, unless the remote
+ server does not support them. However note that if encrypted passwords have been negotiated then Samba cannot
+ revert back to checking the UNIX password file, it must have a valid <filename
+ moreinfo="none">smbpasswd</filename> file to check users against. See the chapter about the User Database in
+ the Samba HOWTO Collection for details on how to set this up.
+</para>
<note><para>This mode of operation has
significant pitfalls, due to the fact that is activly initiates a
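Review bot: The SECURITY = SERVER paragraph is fully rewrapped to much longer lines than the rest of the file, which hides the one real change (the `encrypted passwords` link becoming an smbconfoption) inside ten removed and nine added lines. Keep the original wrapping and change only the affected lines. If the reflow stays, two details need fixing: the closing `</para>` is at column 0 while its opening `<para>` is indented, and `<filename` is now split from its `moreinfo="none"` attribute across a line break. The context line below also still reads "that is activly initiates", which could be corrected in a follow-up.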
@@ -238,17 +220,14 @@
requested is <emphasis>not</emphasis> sent to the server until after
the server has successfully authenticated the client. This is why
guest shares don't work in user level security without allowing
- the server to automatically map unknown users into the <link linkend="GUESTACCOUNT">
- <parameter moreinfo="none">guest account</parameter></link>.
- See the <link linkend="MAPTOGUEST"><parameter moreinfo="none">map to guest</parameter>
- </link> parameter for details on doing this.</para>
+ the server to automatically map unknown users into the <smbconfoption name="guest account"/>.
+ See the <smbconfoption name="map to guest"/> parameter for details on doing this.</para>
<para>See also the section <link linkend="VALIDATIONSECT">
NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para>
- <para>See also the <link linkend="PASSWORDSERVER"><parameter moreinfo="none">password
- server</parameter></link> parameter and the <link linkend="ENCRYPTPASSWORDS">
- <parameter moreinfo="none">encrypted passwords</parameter></link> parameter.</para>
+ <para>See also the <smbconfoption name="password server"/> parameter and the
+ <smbconfoption name="encrypted passwords"/> parameter.</para>
<para><anchor id="SECURITYEQUALSADS"/><emphasis>SECURITY = ADS</emphasis></para>