diff options
Diffstat (limited to 'docs/smbdotconf/security')
32 files changed, 139 insertions, 196 deletions
diff --git a/docs/smbdotconf/security/adminusers.xml b/docs/smbdotconf/security/adminusers.xml index 6c2d8e8f72..d8f14b6d74 100644 --- a/docs/smbdotconf/security/adminusers.xml +++ b/docs/smbdotconf/security/adminusers.xml @@ -11,8 +11,7 @@ this list will be able to do anything they like on the share, irrespective of file permissions.</para> - <para>This parameter will not work with the <link linkend="SECURITY"> - <parameter moreinfo="none">security = share</parameter></link> in + <para>This parameter will not work with the <smbconfoption name="security">share</smbconfoption> in Samba 3.0. This is by design.</para> </description> diff --git a/docs/smbdotconf/security/allowtrusteddomains.xml b/docs/smbdotconf/security/allowtrusteddomains.xml index ad84513417..7bc5554550 100644 --- a/docs/smbdotconf/security/allowtrusteddomains.xml +++ b/docs/smbdotconf/security/allowtrusteddomains.xml @@ -4,8 +4,8 @@ advanced="1" developer="1" xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> <description> - <para>This option only takes effect when the <link linkend="SECURITY"> - <parameter moreinfo="none">security</parameter></link> option is set to + <para> + This option only takes effect when the <smbconfoption name="security"/> option is set to <constant>server</constant>,<constant>domain</constant> or <constant>ads</constant>. If it is set to no, then attempts to connect to a resource from a domain or workgroup other than the one which smbd is running diff --git a/docs/smbdotconf/security/authmethods.xml b/docs/smbdotconf/security/authmethods.xml index 2eaf6a352b..6e6b88c519 100644 --- a/docs/smbdotconf/security/authmethods.xml +++ b/docs/smbdotconf/security/authmethods.xml @@ -4,12 +4,12 @@ basic="1" advanced="1" wizard="1" developer="1" xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> <description> - <para>This option allows the administrator to chose what - authentication methods <command moreinfo="none">smbd</command> will use when authenticating - a user. This option defaults to sensible values based on <link linkend="SECURITY"> - <parameter moreinfo="none">security</parameter></link>. This should be considered - a developer option and used only in rare circumstances. In the majority (if not all) - of production servers, the default setting should be adequate.</para> + <para> + This option allows the administrator to chose what authentication methods <command + moreinfo="none">smbd</command> will use when authenticating a user. This option defaults to sensible values + based on <smbconfoption name="security"/>. This should be considered a developer option and used only in rare + circumstances. In the majority (if not all) of production servers, the default setting should be adequate. + </para> <para>Each entry in the list attempts to authenticate the user in turn, until the user authenticates. In practice only one method will ever actually diff --git a/docs/smbdotconf/security/createmask.xml b/docs/smbdotconf/security/createmask.xml index 14b8253a87..7f9f93caaa 100644 --- a/docs/smbdotconf/security/createmask.xml +++ b/docs/smbdotconf/security/createmask.xml @@ -17,18 +17,15 @@ 'group' and 'other' write and execute bits from the UNIX modes.</para> <para>Following this Samba will bit-wise 'OR' the UNIX mode created - from this parameter with the value of the <link linkend="FORCECREATEMODE"> - <parameter moreinfo="none">force create mode</parameter></link> + from this parameter with the value of the <smbconfoption name="force create mode"/> parameter which is set to 000 by default.</para> <para>This parameter does not affect directory modes. See the - parameter <link linkend="DIRECTORYMODE"><parameter moreinfo="none">directory mode - </parameter></link> for details.</para> + parameter <smbconfoption name="directory mode"/> for details.</para> <para>Note that this parameter does not apply to permissions set by Windows NT/2000 ACL editors. If the administrator wishes to enforce - a mask on access control lists also, they need to set the <link linkend="SECURITYMASK"> - <parameter moreinfo="none">security mask</parameter></link>.</para> + a mask on access control lists also, they need to set the <smbconfoption name="security mask"/>.</para> </description> <related>force create mode</related> diff --git a/docs/smbdotconf/security/directorymask.xml b/docs/smbdotconf/security/directorymask.xml index 8662b31e15..414239bcff 100644 --- a/docs/smbdotconf/security/directorymask.xml +++ b/docs/smbdotconf/security/directorymask.xml @@ -21,14 +21,12 @@ user who owns the directory to modify it.</para> <para>Following this Samba will bit-wise 'OR' the UNIX mode - created from this parameter with the value of the <link linkend="FORCEDIRECTORYMODE"> - <parameter moreinfo="none">force directory mode</parameter></link> parameter. + created from this parameter with the value of the <smbconfoption name="force directory mode"/> parameter. This parameter is set to 000 by default (i.e. no extra mode bits are added).</para> <para>Note that this parameter does not apply to permissions set by Windows NT/2000 ACL editors. If the administrator wishes to enforce - a mask on access control lists also, they need to set the <link linkend="DIRECTORYSECURITYMASK"> - <parameter moreinfo="none">directory security mask</parameter></link>.</para> + a mask on access control lists also, they need to set the <smbconfoption name="directory security mask"/>.</para> </description> <related>force directory mode</related> diff --git a/docs/smbdotconf/security/encryptpasswords.xml b/docs/smbdotconf/security/encryptpasswords.xml index e3bc3f6dea..8d2b86cb8c 100644 --- a/docs/smbdotconf/security/encryptpasswords.xml +++ b/docs/smbdotconf/security/encryptpasswords.xml @@ -32,7 +32,7 @@ have access to a local <citerefentry><refentrytitle>smbpasswd</refentrytitle> <manvolnum>5</manvolnum></citerefentry> file (see the <citerefentry><refentrytitle>smbpasswd</refentrytitle> <manvolnum>8</manvolnum></citerefentry> program for information on how to set up - and maintain this file), or set the <link linkend="SECURITY">security = [server|domain|ads]</link> parameter which + and maintain this file), or set the <smbconfoption name="security">[server|domain|ads]</smbconfoption> parameter which causes <command moreinfo="none">smbd</command> to authenticate against another server.</para> </description> diff --git a/docs/smbdotconf/security/forcegroup.xml b/docs/smbdotconf/security/forcegroup.xml index 2d8f5790d8..f6c9974f99 100644 --- a/docs/smbdotconf/security/forcegroup.xml +++ b/docs/smbdotconf/security/forcegroup.xml @@ -25,8 +25,8 @@ primary group assigned to sys when accessing this Samba share. All other users will retain their ordinary primary group.</para> - <para>If the <link linkend="FORCEUSER"><parameter moreinfo="none">force user</parameter> - </link> parameter is also set the group specified in + <para> + If the <smbconfoption name="force user"/> parameter is also set the group specified in <parameter moreinfo="none">force group</parameter> will override the primary group set in <parameter moreinfo="none">force user</parameter>.</para> diff --git a/docs/smbdotconf/security/guestaccount.xml b/docs/smbdotconf/security/guestaccount.xml index fd791c7423..8132835a82 100644 --- a/docs/smbdotconf/security/guestaccount.xml +++ b/docs/smbdotconf/security/guestaccount.xml @@ -5,8 +5,7 @@ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> <description> <para>This is a username which will be used for access - to services which are specified as <link linkend="GUESTOK"><parameter moreinfo="none"> - guest ok</parameter></link> (see below). Whatever privileges this + to services which are specified as <smbconfoption name="guest ok"/> (see below). Whatever privileges this user has will be available to any client connecting to the guest service. This user must exist in the password file, but does not require a valid login. The user account "ftp" is often a good choice diff --git a/docs/smbdotconf/security/guestok.xml b/docs/smbdotconf/security/guestok.xml index f2e5f0adcd..7cbf4e50bb 100644 --- a/docs/smbdotconf/security/guestok.xml +++ b/docs/smbdotconf/security/guestok.xml @@ -7,15 +7,13 @@ <description> <para>If this parameter is <constant>yes</constant> for a service, then no password is required to connect to the service. - Privileges will be those of the <link linkend="GUESTACCOUNT"><parameter moreinfo="none"> - guest account</parameter></link>.</para> + Privileges will be those of the <smbconfoption name="guest account"/>.</para> <para>This paramater nullifies the benifits of setting - <link linkend="RESTRICTANONYMOUS"><parameter moreinfo="none">restrict - anonymous</parameter></link> = 2</para> + <smbconfoption name="restrict anonymous">2</smbconfoption> + </para> - <para>See the section below on <link linkend="SECURITY"><parameter moreinfo="none"> - security</parameter></link> for more information about this option. + <para>See the section below on <smbconfoption name="security"/> for more information about this option. </para> </description> <value type="default">no</value> diff --git a/docs/smbdotconf/security/guestonly.xml b/docs/smbdotconf/security/guestonly.xml index 9d70c16c3f..258eba9267 100644 --- a/docs/smbdotconf/security/guestonly.xml +++ b/docs/smbdotconf/security/guestonly.xml @@ -6,11 +6,9 @@ <description> <para>If this parameter is <constant>yes</constant> for a service, then only guest connections to the service are permitted. - This parameter will have no effect if <link linkend="GUESTOK"> - <parameter moreinfo="none">guest ok</parameter></link> is not set for the service.</para> + This parameter will have no effect if <smbconfoption name="guest ok"/> is not set for the service.</para> - <para>See the section below on <link linkend="SECURITY"><parameter moreinfo="none"> - security</parameter></link> for more information about this option. + <para>See the section below on <smbconfoption name="security"/> for more information about this option. </para> </description> <value type="default">no</value> diff --git a/docs/smbdotconf/security/hostsallow.xml b/docs/smbdotconf/security/hostsallow.xml index e71377a289..5e807daa68 100644 --- a/docs/smbdotconf/security/hostsallow.xml +++ b/docs/smbdotconf/security/hostsallow.xml @@ -24,8 +24,7 @@ be given here also.</para> <para>Note that the localhost address 127.0.0.1 will always - be allowed access unless specifically denied by a <link linkend="HOSTSDENY"> - <parameter moreinfo="none">hosts deny</parameter></link> option.</para> + be allowed access unless specifically denied by a <smbconfoption name="hosts deny"/> option.</para> <para>You can also specify hosts by network/netmask pairs and by netgroup names if your system supports netgroups. The diff --git a/docs/smbdotconf/security/hostsequiv.xml b/docs/smbdotconf/security/hostsequiv.xml index 014c75369a..db7cbaffc8 100644 --- a/docs/smbdotconf/security/hostsequiv.xml +++ b/docs/smbdotconf/security/hostsequiv.xml @@ -9,8 +9,7 @@ and users who will be allowed access without specifying a password. </para> - <para>This is not be confused with <link linkend="HOSTSALLOW"> - <parameter moreinfo="none">hosts allow</parameter></link> which is about hosts + <para>This is not be confused with <smbconfoption name="hosts allow"/> which is about hosts access to services and is more useful for guest services. <parameter moreinfo="none"> hosts equiv</parameter> may be useful for NT clients which will not supply passwords to Samba.</para> diff --git a/docs/smbdotconf/security/inheritpermissions.xml b/docs/smbdotconf/security/inheritpermissions.xml index b6c774ab93..6e09f4f033 100644 --- a/docs/smbdotconf/security/inheritpermissions.xml +++ b/docs/smbdotconf/security/inheritpermissions.xml @@ -3,24 +3,20 @@ type="boolean" xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> <description> - <para>The permissions on new files and directories - are normally governed by <link linkend="CREATEMASK"><parameter moreinfo="none"> - create mask</parameter></link>, <link linkend="DIRECTORYMASK"> - <parameter moreinfo="none">directory mask</parameter></link>, <link linkend="FORCECREATEMODE"> - <parameter moreinfo="none">force create mode</parameter> - </link> and <link linkend="FORCEDIRECTORYMODE"><parameter moreinfo="none">force - directory mode</parameter></link> but the boolean inherit - permissions parameter overrides this.</para> + <para> + The permissions on new files and directories are normally governed by <smbconfoption name="create mask"/>, + <smbconfoption name="directory mask"/>, <smbconfoption name="force create mode"/> and <smbconfoption + name="force directory mode"/> but the boolean inherit permissions parameter overrides this. + </para> <para>New directories inherit the mode of the parent directory, including bits such as setgid.</para> - <para>New files inherit their read/write bits from the parent - directory. Their execute bits continue to be determined by - <link linkend="MAPARCHIVE"><parameter moreinfo="none">map archive</parameter> - </link>, <link linkend="MAPHIDDEN"><parameter moreinfo="none">map hidden</parameter> - </link> and <link linkend="MAPSYSTEM"><parameter moreinfo="none">map system</parameter> - </link> as usual.</para> + <para> + New files inherit their read/write bits from the parent directory. Their execute bits continue to be + determined by <smbconfoption name="map archive"/>, <smbconfoption name="map hidden"/> and <smbconfoption + name="map system"/> as usual. + </para> <para>Note that the setuid bit is <emphasis>never</emphasis> set via inheritance (the code explicitly prohibits this).</para> diff --git a/docs/smbdotconf/security/maptoguest.xml b/docs/smbdotconf/security/maptoguest.xml index 8993959073..52600a5dcc 100644 --- a/docs/smbdotconf/security/maptoguest.xml +++ b/docs/smbdotconf/security/maptoguest.xml @@ -4,8 +4,8 @@ advanced="1" developer="1" xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> <description> - <para>This parameter is only useful in <link linkend="SECURITY"> - security</link> modes other than <parameter moreinfo="none">security = share</parameter> + <para>This parameter is only useful in <smbconfoption name="SECURITY"> + security</smbconfoption> modes other than <parameter moreinfo="none">security = share</parameter> - i.e. <constant>user</constant>, <constant>server</constant>, and <constant>domain</constant>.</para> @@ -27,14 +27,13 @@ <para><constant>Bad User</constant> - Means user logins with an invalid password are rejected, unless the username does not exist, in which case it is treated as a guest login and - mapped into the <link linkend="GUESTACCOUNT"><parameter moreinfo="none"> - guest account</parameter></link>.</para> + mapped into the <smbconfoption name="guest account"/>.</para> </listitem> <listitem> <para><constant>Bad Password</constant> - Means user logins with an invalid password are treated as a guest login and mapped - into the <link linkend="GUESTACCOUNT">guest account</link>. Note that + into the <smbconfoption name="guest account"/>. Note that this can cause problems as it means that any user incorrectly typing their password will be silently logged on as "guest" - and will not know the reason they cannot access files they think diff --git a/docs/smbdotconf/security/obeypamrestrictions.xml b/docs/smbdotconf/security/obeypamrestrictions.xml index fd12e456b6..40777f4f5d 100644 --- a/docs/smbdotconf/security/obeypamrestrictions.xml +++ b/docs/smbdotconf/security/obeypamrestrictions.xml @@ -9,8 +9,8 @@ should obey PAM's account and session management directives. The default behavior is to use PAM for clear text authentication only and to ignore any account or session management. Note that Samba - always ignores PAM for authentication in the case of <link linkend="ENCRYPTPASSWORDS"> - <parameter moreinfo="none">encrypt passwords = yes</parameter></link>. The reason + always ignores PAM for authentication in the case of <smbconfoption + name="encrypt passwords">yes</smbconfoption>. The reason is that PAM modules cannot support the challenge/response authentication mechanism needed in the presence of SMB password encryption. </para> diff --git a/docs/smbdotconf/security/onlyuser.xml b/docs/smbdotconf/security/onlyuser.xml index d94d3d523d..b1ef1b7606 100644 --- a/docs/smbdotconf/security/onlyuser.xml +++ b/docs/smbdotconf/security/onlyuser.xml @@ -9,8 +9,7 @@ client can supply a username to be used by the server. Enabling this parameter will force the server to only use the login names from the <parameter moreinfo="none">user</parameter> list and is only really - useful in <link linkend="SECURITYEQUALSSHARE">share level</link> - security.</para> + useful in <smbconfoption name="security">share</smbconfoption> level security.</para> <para>Note that this also means Samba won't try to deduce usernames from the service name. This can be annoying for diff --git a/docs/smbdotconf/security/pampasswordchange.xml b/docs/smbdotconf/security/pampasswordchange.xml index 22dc98d4e9..e5c04d405c 100644 --- a/docs/smbdotconf/security/pampasswordchange.xml +++ b/docs/smbdotconf/security/pampasswordchange.xml @@ -8,10 +8,9 @@ this parameter, it is possible to use PAM's password change control flag for Samba. If enabled, then PAM will be used for password changes when requested by an SMB client instead of the program listed in - <link linkend="PASSWDPROGRAM"><parameter moreinfo="none">passwd program</parameter></link>. + <smbconfoption name="passwd program"/>. It should be possible to enable this without changing your - <link linkend="PASSWDCHAT"><parameter moreinfo="none">passwd chat</parameter></link> - parameter for most setups.</para> + <smbconfoption name="passwd chat"/> parameter for most setups.</para> </description> <value type="default">no</value> diff --git a/docs/smbdotconf/security/passdbbackend.xml b/docs/smbdotconf/security/passdbbackend.xml index 74f26b89ea..bbe1d13106 100644 --- a/docs/smbdotconf/security/passdbbackend.xml +++ b/docs/smbdotconf/security/passdbbackend.xml @@ -27,8 +27,7 @@ <listitem> <para><command moreinfo="none">tdbsam</command> - The TDB based password storage backend. Takes a path to the TDB as an optional argument (defaults to passdb.tdb - in the <link linkend="PRIVATEDIR"> - <parameter moreinfo="none">private dir</parameter></link> directory.</para> + in the <smbconfoption name="private dir"/> directory.</para> </listitem> <listitem> @@ -37,7 +36,7 @@ <command moreinfo="none">ldap://localhost</command>)</para> <para>LDAP connections should be secured where possible. This may be done using either - Start-TLS (see <link linkend="LDAPSSL"><parameter moreinfo="none">ldap ssl</parameter></link>) or by + Start-TLS (see <smbconfoption name="ldap ssl"/>) or by specifying <parameter moreinfo="none">ldaps://</parameter> in the URL argument. </para> diff --git a/docs/smbdotconf/security/passwdchat.xml b/docs/smbdotconf/security/passwdchat.xml index f3a7395710..32ae5b3033 100644 --- a/docs/smbdotconf/security/passwdchat.xml +++ b/docs/smbdotconf/security/passwdchat.xml @@ -10,22 +10,20 @@ program to change the user's password. The string describes a sequence of response-receive pairs that <citerefentry><refentrytitle>smbd</refentrytitle> <manvolnum>8</manvolnum></citerefentry> uses to determine what to send to the - <link linkend="PASSWDPROGRAM"><parameter moreinfo="none">passwd program</parameter> - </link> and what to expect back. If the expected output is not + <smbconfoption name="passwd program"/> and what to expect back. If the expected output is not received then the password is not changed.</para> <para>This chat sequence is often quite site specific, depending on what local methods are used for password control (such as NIS etc).</para> - <para>Note that this parameter only is only used if the <link - linkend="UNIXPASSWORDSYNC"> <parameter moreinfo="none">unix password sync</parameter> - </link> parameter is set to <constant>yes</constant>. This sequence is + <para>Note that this parameter only is only used if the <smbconfoption + name="unix password sync"/> parameter is set to <constant>yes</constant>. This sequence is then called <emphasis>AS ROOT</emphasis> when the SMB password in the smbpasswd file is being changed, without access to the old password cleartext. This means that root must be able to reset the user's password without knowing the text of the previous password. In the presence of - NIS/YP, this means that the <link linkend="PASSWDPROGRAM">passwd program</link> must + NIS/YP, this means that the <smbconfoption name="passwd program"/> must be executed on the NIS master. </para> @@ -41,10 +39,9 @@ stop ".", then no string is sent. Similarly, if the expect string is a full stop then no string is expected.</para> - <para>If the <link linkend="PAMPASSWORDCHANGE"><parameter moreinfo="none">pam - password change</parameter></link> parameter is set to <constant>yes</constant>, the chat pairs - may be matched in any order, and success is determined by the PAM result, - not any particular output. The \n macro is ignored for PAM conversions. + <para>If the <smbconfoption name="pam password change"/> parameter is set to <constant>yes</constant>, the + chat pairs may be matched in any order, and success is determined by the PAM result, not any particular + output. The \n macro is ignored for PAM conversions. </para> </description> diff --git a/docs/smbdotconf/security/passwdchatdebug.xml b/docs/smbdotconf/security/passwdchatdebug.xml index 6211688eb7..78714ab8b5 100644 --- a/docs/smbdotconf/security/passwdchatdebug.xml +++ b/docs/smbdotconf/security/passwdchatdebug.xml @@ -9,13 +9,13 @@ strings passed to and received from the passwd chat are printed in the <citerefentry><refentrytitle>smbd</refentrytitle> <manvolnum>8</manvolnum></citerefentry> log with a - <link linkend="DEBUGLEVEL"><parameter moreinfo="none">debug level</parameter></link> + <smbconfoption name="debug level"/> of 100. This is a dangerous option as it will allow plaintext passwords to be seen in the <command moreinfo="none">smbd</command> log. It is available to help Samba admins debug their <parameter moreinfo="none">passwd chat</parameter> scripts when calling the <parameter moreinfo="none">passwd program</parameter> and should be turned off after this has been done. This option has no effect if the - <link linkend="PAMPASSWORDCHANGE"><parameter moreinfo="none">pam password change</parameter></link> + <smbconfoption name="pam password change"/> paramter is set. This parameter is off by default.</para> </description> diff --git a/docs/smbdotconf/security/passwordlevel.xml b/docs/smbdotconf/security/passwordlevel.xml index 33a0f13e2a..1da11e406b 100644 --- a/docs/smbdotconf/security/passwordlevel.xml +++ b/docs/smbdotconf/security/passwordlevel.xml @@ -40,8 +40,7 @@ <para>This parameter is used only when using plain-text passwords. It is not at all used when encrypted passwords as in use (that is the default - since samba-3.0.0). Use this only when <link linkend="ENCRYPTPASSWORDS"> - encrypt passwords = No</link>.</para> + since samba-3.0.0). Use this only when <smbconfoption name="encrypt passwords">No</smbconfoption>.</para> </description> <value type="default">0</value> diff --git a/docs/smbdotconf/security/passwordserver.xml b/docs/smbdotconf/security/passwordserver.xml index 4836a17731..188cea88d1 100644 --- a/docs/smbdotconf/security/passwordserver.xml +++ b/docs/smbdotconf/security/passwordserver.xml @@ -20,8 +20,7 @@ connections.</para> <para>If parameter is a name, it is looked up using the - parameter <link linkend="NAMERESOLVEORDER"><parameter moreinfo="none">name - resolve order</parameter></link> and so may resolved + parameter <smbconfoption name="name resolve order"/> and so may resolved by any method and order described in that parameter.</para> <para>The password server must be a machine capable of using diff --git a/docs/smbdotconf/security/readlist.xml b/docs/smbdotconf/security/readlist.xml index 613758ec2a..df6b4f129b 100644 --- a/docs/smbdotconf/security/readlist.xml +++ b/docs/smbdotconf/security/readlist.xml @@ -3,16 +3,14 @@ type="list" xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> <description> - <para>This is a list of users that are given read-only - access to a service. If the connecting user is in this list then - they will not be given write access, no matter what the <link linkend="READONLY"> - <parameter moreinfo="none">read only</parameter></link> - option is set to. The list can include group names using the - syntax described in the <link linkend="INVALIDUSERS"><parameter moreinfo="none"> - invalid users</parameter></link> parameter.</para> + <para> + This is a list of users that are given read-only access to a service. If the connecting user is in this list + then they will not be given write access, no matter what the <smbconfoption name="read only"/> option is set + to. The list can include group names using the syntax described in the <smbconfoption name="invalid users"/> + parameter. + </para> - <para>This parameter will not work with the <link linkend="SECURITY"> - <parameter moreinfo="none">security = share</parameter></link> in + <para>This parameter will not work with the <smbconfoption name="security">share</smbconfoption> in Samba 3.0. This is by design.</para> </description> diff --git a/docs/smbdotconf/security/readonly.xml b/docs/smbdotconf/security/readonly.xml index 686b28aede..6e1f6dd2b8 100644 --- a/docs/smbdotconf/security/readonly.xml +++ b/docs/smbdotconf/security/readonly.xml @@ -4,8 +4,7 @@ basic="1" advanced="1" xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> <description> - <para>An inverted synonym is <link linkend="WRITEABLE"> - <parameter moreinfo="none">writeable</parameter></link>.</para> + <para>An inverted synonym is <smbconfoption name="writeable"/>.</para> <para>If this parameter is <constant>yes</constant>, then users of a service may not create or modify files in the service's diff --git a/docs/smbdotconf/security/restrictanonymous.xml b/docs/smbdotconf/security/restrictanonymous.xml index a7aaa31b0b..2a45ef1561 100644 --- a/docs/smbdotconf/security/restrictanonymous.xml +++ b/docs/smbdotconf/security/restrictanonymous.xml @@ -29,8 +29,7 @@ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ <note> <para> The security advantage of using restrict anonymous = 2 is removed - by setting <link linkend="GUESTOK"><parameter moreinfo="none">guest - ok</parameter> = yes</link> on any share. + by setting <smbconfoption name="guest ok">yes</smbconfoption> on any share. </para> </note> </description> diff --git a/docs/smbdotconf/security/rootdirectory.xml b/docs/smbdotconf/security/rootdirectory.xml index ed894d57cb..8736598001 100644 --- a/docs/smbdotconf/security/rootdirectory.xml +++ b/docs/smbdotconf/security/rootdirectory.xml @@ -12,9 +12,8 @@ server will deny access to files not in one of the service entries. It may also check for, and deny access to, soft links to other parts of the filesystem, or attempts to use ".." in file names - to access other directories (depending on the setting of the <link linkend="WIDELINKS"> - <parameter moreinfo="none">wide links</parameter></link> - parameter). + to access other directories (depending on the setting of the + <smbconfoption name="wide smbconfoptions"/> parameter). </para> <para>Adding a <parameter moreinfo="none">root directory</parameter> entry other diff --git a/docs/smbdotconf/security/security.xml b/docs/smbdotconf/security/security.xml index fe5cf5404f..226d1c1270 100644 --- a/docs/smbdotconf/security/security.xml +++ b/docs/smbdotconf/security/security.xml @@ -47,13 +47,11 @@ want to mainly setup shares without a password (guest shares). This is commonly used for a shared printer server. It is more difficult to setup guest shares with <command moreinfo="none">security = user</command>, see - the <link linkend="MAPTOGUEST"><parameter moreinfo="none">map to guest</parameter> - </link>parameter for details.</para> + the <smbconfoption name="map to guest"/>parameter for details.</para> <para>It is possible to use <command moreinfo="none">smbd</command> in a <emphasis> hybrid mode</emphasis> where it is offers both user and share - level security under different <link linkend="NETBIOSALIASES"> - <parameter moreinfo="none">NetBIOS aliases</parameter></link>. </para> + level security under different <smbconfoption name="NetBIOS aliases"/>. </para> <para>The different settings will now be explained.</para> @@ -83,17 +81,14 @@ <itemizedlist> <listitem> - <para>If the <link linkend="GUESTONLY"><parameter moreinfo="none">guest - only</parameter></link> parameter is set, then all the other - stages are missed and only the <link linkend="GUESTACCOUNT"> - <parameter moreinfo="none">guest account</parameter></link> username is checked. + <para>If the <smbconfoption name="guest only"/> parameter is set, then all the other + stages are missed and only the <smbconfoption name="guest account"/> username is checked. </para> </listitem> <listitem> <para>Is a username is sent with the share connection - request, then this username (after mapping - see <link linkend="USERNAMEMAP"> - <parameter moreinfo="none">username map</parameter></link>), + request, then this username (after mapping - see <smbconfoption name="username map"/>), is added as a potential username. </para> </listitem> @@ -118,8 +113,7 @@ </listitem> <listitem> - <para>Any users on the <link linkend="USER"><parameter moreinfo="none"> - user</parameter></link> list are added as potential usernames. + <para>Any users on the <smbconfoption name="user"/> list are added as potential usernames. </para> </listitem> </itemizedlist> @@ -145,13 +139,10 @@ <para>This is the default security setting in Samba 3.0. With user-level security a client must first "log-on" with a - valid username and password (which can be mapped using the <link linkend="USERNAMEMAP"> - <parameter moreinfo="none">username map</parameter></link> - parameter). Encrypted passwords (see the <link linkend="ENCRYPTPASSWORDS"> - <parameter moreinfo="none">encrypted passwords</parameter></link> parameter) can also - be used in this security mode. Parameters such as <link linkend="USER"> - <parameter moreinfo="none">user</parameter></link> and <link linkend="GUESTONLY"> - <parameter moreinfo="none">guest only</parameter></link> if set are then applied and + valid username and password (which can be mapped using the <smbconfoption name="username map"/> + parameter). Encrypted passwords (see the <smbconfoption name="encrypted passwords"/> parameter) can also + be used in this security mode. Parameters such as <smbconfoption name="user"/> and <smbconfoption + name="guest only"/> if set are then applied and may change the UNIX user to use on this connection, but only after the user has been successfully authenticated.</para> @@ -159,21 +150,17 @@ requested is <emphasis>not</emphasis> sent to the server until after the server has successfully authenticated the client. This is why guest shares don't work in user level security without allowing - the server to automatically map unknown users into the <link linkend="GUESTACCOUNT"> - <parameter moreinfo="none">guest account</parameter></link>. - See the <link linkend="MAPTOGUEST"><parameter moreinfo="none">map to guest</parameter> - </link> parameter for details on doing this.</para> + the server to automatically map unknown users into the <smbconfoption name="guest account"/>. + See the <smbconfoption name="map to guest"/> parameter for details on doing this.</para> - <para>See also the section <link linkend="VALIDATIONSECT"> - NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para> + <para>See also the section <link linkend="VALIDATIONSECT">NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para> <para><anchor id="SECURITYEQUALSDOMAIN"/><emphasis>SECURITY = DOMAIN</emphasis></para> <para>This mode will only work correctly if <citerefentry><refentrytitle>net</refentrytitle> <manvolnum>8</manvolnum></citerefentry> has been used to add this - machine into a Windows NT Domain. It expects the <link linkend="ENCRYPTPASSWORDS"> - <parameter moreinfo="none">encrypted passwords</parameter> - </link> parameter to be set to <constant>yes</constant>. In this + machine into a Windows NT Domain. It expects the <smbconfoption name="encrypted passwords"/> + parameter to be set to <constant>yes</constant>. In this mode Samba will try to validate the username/password by passing it to a Windows NT Primary or Backup Domain Controller, in exactly the same way that a Windows NT Server would do.</para> @@ -192,31 +179,26 @@ requested is <emphasis>not</emphasis> sent to the server until after the server has successfully authenticated the client. This is why guest shares don't work in user level security without allowing - the server to automatically map unknown users into the <link linkend="GUESTACCOUNT"> - <parameter moreinfo="none">guest account</parameter></link>. - See the <link linkend="MAPTOGUEST"><parameter moreinfo="none">map to guest</parameter> - </link> parameter for details on doing this.</para> + the server to automatically map unknown users into the <smbconfoption name="guest account"/>. + See the <smbconfoption name="map to guest"/> parameter for details on doing this.</para> <para>See also the section <link linkend="VALIDATIONSECT"> NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para> - <para>See also the <link linkend="PASSWORDSERVER"><parameter moreinfo="none">password - server</parameter></link> parameter and the <link linkend="ENCRYPTPASSWORDS"> - <parameter moreinfo="none">encrypted passwords</parameter> - </link> parameter.</para> + <para>See also the <smbconfoption name="password server"/> parameter and + the <smbconfoption name="encrypted passwords"/> parameter.</para> <para><anchor id="SECURITYEQUALSSERVER"/><emphasis>SECURITY = SERVER</emphasis></para> - <para>In this mode Samba will try to validate the username/password - by passing it to another SMB server, such as an NT box. If this - fails it will revert to <command moreinfo="none">security = - user</command>. It expects the <link linkend="ENCRYPTPASSWORDS"> - <parameter moreinfo="none">encrypted passwords</parameter></link> parameter - to be set to <constant>yes</constant>, unless the remote server - does not support them. However note that if encrypted passwords have been - negotiated then Samba cannot revert back to checking the UNIX password file, - it must have a valid <filename moreinfo="none">smbpasswd</filename> file to check - users against. See the chapter about the User Database in the Samba HOWTO Collection for details on how to set this up.</para> + <para> + In this mode Samba will try to validate the username/password by passing it to another SMB server, such as an + NT box. If this fails it will revert to <command moreinfo="none">security = user</command>. It expects the + <smbconfoption name="encrypted passwords"/> parameter to be set to <constant>yes</constant>, unless the remote + server does not support them. However note that if encrypted passwords have been negotiated then Samba cannot + revert back to checking the UNIX password file, it must have a valid <filename + moreinfo="none">smbpasswd</filename> file to check users against. See the chapter about the User Database in + the Samba HOWTO Collection for details on how to set this up. +</para> <note><para>This mode of operation has significant pitfalls, due to the fact that is activly initiates a @@ -238,17 +220,14 @@ requested is <emphasis>not</emphasis> sent to the server until after the server has successfully authenticated the client. This is why guest shares don't work in user level security without allowing - the server to automatically map unknown users into the <link linkend="GUESTACCOUNT"> - <parameter moreinfo="none">guest account</parameter></link>. - See the <link linkend="MAPTOGUEST"><parameter moreinfo="none">map to guest</parameter> - </link> parameter for details on doing this.</para> + the server to automatically map unknown users into the <smbconfoption name="guest account"/>. + See the <smbconfoption name="map to guest"/> parameter for details on doing this.</para> <para>See also the section <link linkend="VALIDATIONSECT"> NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para> - <para>See also the <link linkend="PASSWORDSERVER"><parameter moreinfo="none">password - server</parameter></link> parameter and the <link linkend="ENCRYPTPASSWORDS"> - <parameter moreinfo="none">encrypted passwords</parameter></link> parameter.</para> + <para>See also the <smbconfoption name="password server"/> parameter and the + <smbconfoption name="encrypted passwords"/> parameter.</para> <para><anchor id="SECURITYEQUALSADS"/><emphasis>SECURITY = ADS</emphasis></para> diff --git a/docs/smbdotconf/security/serverschannel.xml b/docs/smbdotconf/security/serverschannel.xml index 0f264a0f7d..6317448fb6 100644 --- a/docs/smbdotconf/security/serverschannel.xml +++ b/docs/smbdotconf/security/serverschannel.xml @@ -4,20 +4,18 @@ basic="1" xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> <description> - <para>This controls whether the server offers or even - demands the use of the netlogon schannel. - <parameter>server schannel = no</parameter> does not - offer the schannel, <parameter>server schannel = - auto</parameter> offers the schannel but does not - enforce it, and <parameter>server schannel = - yes</parameter> denies access if the client is not - able to speak netlogon schannel. This is only the case - for Windows NT4 before SP4.</para> + <para> + This controls whether the server offers or even demands the use of the netlogon schannel. + <smbconfoption name="server schannel">no</smbconfoption> does not offer the schannel, <smbconfoption + name="server schannel">auto</smbconfoption> offers the schannel but does not enforce it, and <smbconfoption + name="server schannel">yes</smbconfoption> denies access if the client is not able to speak netlogon schannel. + This is only the case for Windows NT4 before SP4. + </para> - <para>Please note that with this set to - <parameter>no</parameter> you will have to apply the - WindowsXP requireSignOrSeal-Registry patch found in - the docs/Registry subdirectory.</para> + <para> + Please note that with this set to <literal>no</literal> you will have to apply the WindowsXP + <filename>WinXP_SignOrSeal.reg</filename> registry patch found in the docs/registry subdirectory of the Samba distribution tarball. + </para> </description> <value type="default">auto</value> diff --git a/docs/smbdotconf/security/updateencrypted.xml b/docs/smbdotconf/security/updateencrypted.xml index 7042a11678..da493665cf 100644 --- a/docs/smbdotconf/security/updateencrypted.xml +++ b/docs/smbdotconf/security/updateencrypted.xml @@ -5,29 +5,29 @@ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> <description> - <para>This boolean parameter allows a user logging on with - a plaintext password to have their encrypted (hashed) password in - the smbpasswd file to be updated automatically as they log - on. This option allows a site to migrate from plaintext - password authentication (users authenticate with plaintext - password over the wire, and are checked against a UNIX account - database) to encrypted password authentication (the SMB - challenge/response authentication mechanism) without forcing all - users to re-enter their passwords via smbpasswd at the time the - change is made. This is a convenience option to allow the change - over to encrypted passwords to be made over a longer period. - Once all users have encrypted representations of their passwords - in the smbpasswd file this parameter should be set to - <constant>no</constant>.</para> + <para> + This boolean parameter allows a user logging on with a plaintext password to have their encrypted (hashed) + password in the smbpasswd file to be updated automatically as they log on. This option allows a site to + migrate from plaintext password authentication (users authenticate with plaintext password over the + wire, and are checked against a UNIX account atabase) to encrypted password authentication (the SMB + challenge/response authentication mechanism) without forcing all users to re-enter their passwords via + smbpasswd at the time the change is made. This is a convenience option to allow the change over to encrypted + passwords to be made over a longer period. Once all users have encrypted representations of their passwords + in the smbpasswd file this parameter should be set to <constant>no</constant>. + </para> - <para>In order for this parameter to work correctly the <link linkend="ENCRYPTPASSWORDS"> - <parameter moreinfo="none">encrypt passwords</parameter></link> parameter must - be set to <constant>no</constant> when this parameter is set to <constant>yes</constant>.</para> + <para> + In order for this parameter to be operative the <smbconfoption name="encrypt passwords"/> parameter must + be set to <constant>no</constant>. The default value of <smbconfoption name="encrypt + passwords">Yes</smbconfoption>. Note: This must be set to <constant>no</constant> for this <smbconfoption + name="update encrypted"/> to work. + </para> - <para>Note that even when this parameter is set a user - authenticating to <command moreinfo="none">smbd</command> must still enter a valid - password in order to connect correctly, and to update their hashed - (smbpasswd) passwords.</para> + <para> + Note that even when this parameter is set a user authenticating to <command moreinfo="none">smbd</command> + must still enter a valid password in order to connect correctly, and to update their hashed (smbpasswd) + passwords. + </para> </description> <value type="default">no</value> diff --git a/docs/smbdotconf/security/username.xml b/docs/smbdotconf/security/username.xml index 9a6d83ae71..3a45d4d72f 100644 --- a/docs/smbdotconf/security/username.xml +++ b/docs/smbdotconf/security/username.xml @@ -32,8 +32,7 @@ so they cannot do anything that user cannot do.</para> <para>To restrict a service to a particular set of users you - can use the <link linkend="VALIDUSERS"><parameter moreinfo="none">valid users - </parameter></link> parameter.</para> + can use the <smbconfoption name="valid users"/> parameter.</para> <para>If any of the usernames begin with a '@' then the name will be looked up first in the NIS netgroups list (if Samba @@ -54,9 +53,9 @@ quite some time, and some clients may time out during the search.</para> - <para>See the section <link linkend="VALIDATIONSECT">NOTE ABOUT - USERNAME/PASSWORD VALIDATION</link> for more information on how -this parameter determines access to the services.</para> + <para>See the section <link linkend="VALIDATIONSECT">NOTE ABOUT + USERNAME/PASSWORD VALIDATION</link> for more information on how + this parameter determines access to the services.</para> </description> <value type="default"><comment>The guest account if a guest service, diff --git a/docs/smbdotconf/security/usernamemap.xml b/docs/smbdotconf/security/usernamemap.xml index 1c76d31711..ef4291733e 100644 --- a/docs/smbdotconf/security/usernamemap.xml +++ b/docs/smbdotconf/security/usernamemap.xml @@ -75,8 +75,7 @@ guest = * will actually be connecting to \\server\mary and will need to supply a password suitable for <constant>mary</constant> not <constant>fred</constant>. The only exception to this is the - username passed to the <link linkend="PASSWORDSERVER"><parameter moreinfo="none"> - password server</parameter></link> (if you have one). The password + username passed to the <smbconfoption name="password server"/> (if you have one). The password server will receive whatever username the client supplies without modification.</para> diff --git a/docs/smbdotconf/security/writeable.xml b/docs/smbdotconf/security/writeable.xml index 1bb0e41810..f811c47e5c 100644 --- a/docs/smbdotconf/security/writeable.xml +++ b/docs/smbdotconf/security/writeable.xml @@ -4,7 +4,6 @@ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> <synonym>writable</synonym> <description> - <para>Inverted synonym for <link linkend="READONLY"> - <parameter moreinfo="none">read only</parameter></link>.</para> + <para>Inverted synonym for <smbconfoption name="read only"/>.</para> </description> </samba:parameter> |