diff options
Diffstat (limited to 'docs/smbdotconf/security')
63 files changed, 2178 insertions, 0 deletions
diff --git a/docs/smbdotconf/security/adminusers.xml b/docs/smbdotconf/security/adminusers.xml new file mode 100644 index 0000000000..bcb4108ed5 --- /dev/null +++ b/docs/smbdotconf/security/adminusers.xml @@ -0,0 +1,17 @@ +<samba:parameter name="admin users" + context="S" + type="list" + xmlns:samba="http://samba.org/common"> +<description> + <para>This is a list of users who will be granted + administrative privileges on the share. This means that they + will do all file operations as the super-user (root).</para> + + <para>You should use this option very carefully, as any user in + this list will be able to do anything they like on the share, + irrespective of file permissions.</para> +</description> + +<value type="default"/> +<value type="example">jason</value> +</samba:parameter> diff --git a/docs/smbdotconf/security/algorithmicridbase.xml b/docs/smbdotconf/security/algorithmicridbase.xml new file mode 100644 index 0000000000..f44f53bb69 --- /dev/null +++ b/docs/smbdotconf/security/algorithmicridbase.xml @@ -0,0 +1,27 @@ +<samba:parameter name="algorithmic rid base" + context="G" + advanced="1" developer="1" + type="integer" + xmlns:samba="http://samba.org/common"> +<description> + <para>This determines how Samba will use its + algorithmic mapping from uids/gid to the RIDs needed to construct + NT Security Identifiers. + </para> + + <para>Setting this option to a larger value could be useful to sites + transitioning from WinNT and Win2k, as existing user and + group rids would otherwise clash with sytem users etc. + </para> + + <para>All UIDs and GIDs must be able to be resolved into SIDs for + the correct operation of ACLs on the server. As such the algorithmic + mapping can't be 'turned off', but pushing it 'out of the way' should + resolve the issues. Users and groups can then be assigned 'low' RIDs + in arbitary-rid supporting backends. + </para> +</description> + +<value type="default">1000</value> +<value type="example">100000</value> +</samba:parameter> diff --git a/docs/smbdotconf/security/allowtrusteddomains.xml b/docs/smbdotconf/security/allowtrusteddomains.xml new file mode 100644 index 0000000000..38d3fc150e --- /dev/null +++ b/docs/smbdotconf/security/allowtrusteddomains.xml @@ -0,0 +1,26 @@ +<samba:parameter name="allow trusted domains" + context="G" + type="boolean" + advanced="1" developer="1" + xmlns:samba="http://samba.org/common"> +<description> + <para>This option only takes effect when the <link linkend="SECURITY"> + <parameter moreinfo="none">security</parameter></link> option is set to + <constant>server</constant> or <constant>domain</constant>. + If it is set to no, then attempts to connect to a resource from + a domain or workgroup other than the one which smbd is running + in will fail, even if that domain is trusted by the remote server + doing the authentication.</para> + + <para>This is useful if you only want your Samba server to + serve resources to users in the domain it is a member of. As + an example, suppose that there are two domains DOMA and DOMB. DOMB + is trusted by DOMA, which contains the Samba server. Under normal + circumstances, a user with an account in DOMB can then access the + resources of a UNIX account with the same account name on the + Samba server even if they do not have an account in DOMA. This + can make implementing a security boundary difficult.</para> +</description> + +<value type="default">yes</value> +</samba:parameter> diff --git a/docs/smbdotconf/security/authmethods.xml b/docs/smbdotconf/security/authmethods.xml new file mode 100644 index 0000000000..d518f9516d --- /dev/null +++ b/docs/smbdotconf/security/authmethods.xml @@ -0,0 +1,29 @@ +<samba:parameter name="auth methods" + context="G" + type="list" + basic="1" advanced="1" wizard="1" developer="1" + xmlns:samba="http://samba.org/common"> +<description> + <para>This option allows the administrator to chose what + authentication methods <command moreinfo="none">smbd</command> will use when authenticating + a user. This option defaults to sensible values based on <link linkend="SECURITY"> + <parameter moreinfo="none">security</parameter></link>. This should be considered + a developer option and used only in rare circumstances. In the majority (if not all) + of production servers, the default setting should be adequate.</para> + + <para>Each entry in the list attempts to authenticate the user in turn, until + the user authenticates. In practice only one method will ever actually + be able to complete the authentication. + </para> + + <para>Possible options include <constant>guest</constant> (anonymous access), + <constant>sam</constant> (lookups in local list of accounts based on netbios + name or domain name), <constant>winbind</constant> (relay authentication requests + for remote users through winbindd), <constant>ntdomain</constant> (pre-winbindd + method of authentication for remote domain users; deprecated in favour of winbind method), + <constant>trustdomain</constant> (authenticate trusted users by contacting the + remote DC directly from smbd; deprecated in favour of winbind method).</para> +</description> +<value type="default"/> +<value type="example">guest sam winbind</value> +</samba:parameter> diff --git a/docs/smbdotconf/security/clientlanmanauth.xml b/docs/smbdotconf/security/clientlanmanauth.xml new file mode 100644 index 0000000000..b390cc16b6 --- /dev/null +++ b/docs/smbdotconf/security/clientlanmanauth.xml @@ -0,0 +1,28 @@ +<samba:parameter name="client lanman auth" + context="G" + type="boolean" + advanced="1" developer="1" + xmlns:samba="http://samba.org/common"> +<description> + <para>This parameter determines whether or not <citerefentry><refentrytitle>smbclient</refentrytitle> + <manvolnum>8</manvolnum></citerefentry> and other samba client + tools will attempt to authenticate itself to servers using the + weaker LANMAN password hash. If disabled, only server which support NT + password hashes (e.g. Windows NT/2000, Samba, etc... but not + Windows 95/98) will be able to be connected from the Samba client.</para> + + <para>The LANMAN encrypted response is easily broken, due to it's + case-insensitive nature, and the choice of algorithm. Clients + without Windows 95/98 servers are advised to disable + this option. </para> + + <para>Disabling this option will also disable the <command + moreinfo="none">client plaintext auth</command> option</para> + + <para>Likewise, if the <command moreinfo="none">client ntlmv2 + auth</command> parameter is enabled, then only NTLMv2 logins will be + attempted.</para> +</description> + +<value type="default">yes</value> +</samba:parameter> diff --git a/docs/smbdotconf/security/clientntlmv2auth.xml b/docs/smbdotconf/security/clientntlmv2auth.xml new file mode 100644 index 0000000000..b8436d72e9 --- /dev/null +++ b/docs/smbdotconf/security/clientntlmv2auth.xml @@ -0,0 +1,32 @@ +<samba:parameter name="client ntlmv2 auth" + context="G" + type="boolean" + advanced="1" developer="1" + xmlns:samba="http://samba.org/common"> +<description> + <para>This parameter determines whether or not <citerefentry><refentrytitle>smbclient</refentrytitle> + <manvolnum>8</manvolnum></citerefentry> will attempt to + authenticate itself to servers using the NTLMv2 encrypted password + response.</para> + + <para>If enabled, only an NTLMv2 and LMv2 response (both much more + secure than earlier versions) will be sent. Many servers + (including NT4 < SP4, Win9x and Samba 2.2) are not compatible with + NTLMv2. </para> + + <para>Similarly, if enabled, NTLMv1, <command + moreinfo="none">client lanman auth</command> and <command + moreinfo="none">client plaintext auth</command> + authentication will be disabled. This also disables share-level + authentication. </para> + + <para>If disabled, an NTLM response (and possibly a LANMAN response) + will be sent by the client, depending on the value of <command + moreinfo="none">client lanman auth</command>. </para> + + <para>Note that some sites (particularly + those following 'best practice' security polices) only allow NTLMv2 + responses, and not the weaker LM or NTLM.</para> +</description> +<value type="default">no</value> +</samba:parameter> diff --git a/docs/smbdotconf/security/clientplaintextauth.xml b/docs/smbdotconf/security/clientplaintextauth.xml new file mode 100644 index 0000000000..656b645abc --- /dev/null +++ b/docs/smbdotconf/security/clientplaintextauth.xml @@ -0,0 +1,12 @@ +<samba:parameter name="client plaintext auth" + context="G" + type="boolean" + basic="1" advanced="1" wizard="1" developer="1" + xmlns:samba="http://samba.org/common"> +<description> + <para>Specifies whether a client should send a plaintext + password if the server does not support encrypted passwords.</para> +</description> +<value type="default">yes</value> +</samba:parameter> + diff --git a/docs/smbdotconf/security/clientschannel.xml b/docs/smbdotconf/security/clientschannel.xml new file mode 100644 index 0000000000..e252edbb0a --- /dev/null +++ b/docs/smbdotconf/security/clientschannel.xml @@ -0,0 +1,19 @@ +<samba:parameter name="client schannel" + context="G" + basic="1" + type="boolean-auto" + xmlns:samba="http://samba.org/common"> +<description> + + <para>This controls whether the client offers or even + demands the use of the netlogon schannel. + <parameter>client schannel = no</parameter> does not + offer the schannel, <parameter>server schannel = + auto</parameter> offers the schannel but does not + enforce it, and <parameter>server schannel = + yes</parameter> denies access if the server is not + able to speak netlogon schannel. </para> +</description> +<value type="default">auto</value> +<value type="example">yes</value> +</samba:parameter> diff --git a/docs/smbdotconf/security/clientsigning.xml b/docs/smbdotconf/security/clientsigning.xml new file mode 100644 index 0000000000..807bf12816 --- /dev/null +++ b/docs/smbdotconf/security/clientsigning.xml @@ -0,0 +1,19 @@ +<samba:parameter name="client signing" + context="G" + type="boolean-auto" + basic="1" + xmlns:samba="http://samba.org/common"> +<description> + <para>This controls whether the client offers or requires + the server it talks to to use SMB signing. Possible values + are <emphasis>auto</emphasis>, <emphasis>mandatory</emphasis> + and <emphasis>disabled</emphasis>. + </para> + + <para>When set to auto, SMB signing is offered, but not enforced. + When set to mandatory, SMB signing is required and if set + to disabled, SMB signing is not offered either.</para> +</description> + +<value type="default">auto</value> +</samba:parameter> diff --git a/docs/smbdotconf/security/createmask.xml b/docs/smbdotconf/security/createmask.xml new file mode 100644 index 0000000000..33c945b8f5 --- /dev/null +++ b/docs/smbdotconf/security/createmask.xml @@ -0,0 +1,40 @@ +<samba:parameter name="create mask" + context="S" + type="string" + xmlns:samba="http://samba.org/common"> + +<synonym>create mode</synonym> +<description> + <para>When a file is created, the necessary permissions are + calculated according to the mapping from DOS modes to UNIX + permissions, and the resulting UNIX mode is then bit-wise 'AND'ed + with this parameter. This parameter may be thought of as a bit-wise + MASK for the UNIX modes of a file. Any bit <emphasis>not</emphasis> + set here will be removed from the modes set on a file when it is + created.</para> + + <para>The default value of this parameter removes the + 'group' and 'other' write and execute bits from the UNIX modes.</para> + + <para>Following this Samba will bit-wise 'OR' the UNIX mode created + from this parameter with the value of the <link linkend="FORCECREATEMODE"> + <parameter moreinfo="none">force create mode</parameter></link> + parameter which is set to 000 by default.</para> + + <para>This parameter does not affect directory modes. See the + parameter <link linkend="DIRECTORYMODE"><parameter moreinfo="none">directory mode + </parameter></link> for details.</para> + + <para>Note that this parameter does not apply to permissions + set by Windows NT/2000 ACL editors. If the administrator wishes to enforce + a mask on access control lists also, they need to set the <link linkend="SECURITYMASK"> + <parameter moreinfo="none">security mask</parameter></link>.</para> +</description> + +<related>force create mode</related> +<related>directory mode</related> +<related>inherit permissions</related> + +<value type="default">0744</value> +<value type="example">0775</value> +</samba:parameter> diff --git a/docs/smbdotconf/security/directorymask.xml b/docs/smbdotconf/security/directorymask.xml new file mode 100644 index 0000000000..e609e8eee2 --- /dev/null +++ b/docs/smbdotconf/security/directorymask.xml @@ -0,0 +1,40 @@ +<samba:parameter name="directory mask" + context="S" + type="string" + xmlns:samba="http://samba.org/common"> +<synonym>directory mode</synonym> +<description> + <para>This parameter is the octal modes which are + used when converting DOS modes to UNIX modes when creating UNIX + directories.</para> + + <para>When a directory is created, the necessary permissions are + calculated according to the mapping from DOS modes to UNIX permissions, + and the resulting UNIX mode is then bit-wise 'AND'ed with this + parameter. This parameter may be thought of as a bit-wise MASK for + the UNIX modes of a directory. Any bit <emphasis>not</emphasis> set + here will be removed from the modes set on a directory when it is + created.</para> + + <para>The default value of this parameter removes the 'group' + and 'other' write bits from the UNIX mode, allowing only the + user who owns the directory to modify it.</para> + + <para>Following this Samba will bit-wise 'OR' the UNIX mode + created from this parameter with the value of the <link linkend="FORCEDIRECTORYMODE"> + <parameter moreinfo="none">force directory mode</parameter></link> parameter. + This parameter is set to 000 by default (i.e. no extra mode bits are added).</para> + + <para>Note that this parameter does not apply to permissions + set by Windows NT/2000 ACL editors. If the administrator wishes to enforce + a mask on access control lists also, they need to set the <link linkend="DIRECTORYSECURITYMASK"> + <parameter moreinfo="none">directory security mask</parameter></link>.</para> +</description> + +<related>force directory mode</related> +<related>create mode</related> +<related>directory security mask</related> +<related>inherit permissions</related> +<value type="default">0755</value> +<value type="example">0775</value> +</samba:parameter> diff --git a/docs/smbdotconf/security/directorysecuritymask.xml b/docs/smbdotconf/security/directorysecuritymask.xml new file mode 100644 index 0000000000..ced788449f --- /dev/null +++ b/docs/smbdotconf/security/directorysecuritymask.xml @@ -0,0 +1,33 @@ +<samba:parameter name="directory security mask" + context="S" + type="string" + xmlns:samba="http://samba.org/common"> +<description> + <para>This parameter controls what UNIX permission bits + can be modified when a Windows NT client is manipulating the UNIX + permission on a directory using the native NT security dialog + box.</para> + + <para>This parameter is applied as a mask (AND'ed with) to + the changed permission bits, thus preventing any bits not in + this mask from being modified. Essentially, zero bits in this + mask may be treated as a set of bits the user is not allowed + to change.</para> + + <para>If not set explicitly this parameter is set to 0777 + meaning a user is allowed to modify all the user/group/world + permissions on a directory.</para> + + <para><emphasis>Note</emphasis> that users who can access the + Samba server through other means can easily bypass this restriction, + so it is primarily useful for standalone "appliance" systems. + Administrators of most normal systems will probably want to leave + it as the default of <constant>0777</constant>.</para> +</description> + +<related>force directory security mode</related> +<related>security mask</related> +<related>force security mode</related> +<value type="default">0777</value> +<value type="example">0700</value> +</samba:parameter> diff --git a/docs/smbdotconf/security/encryptpasswords.xml b/docs/smbdotconf/security/encryptpasswords.xml new file mode 100644 index 0000000000..70ee97ee0a --- /dev/null +++ b/docs/smbdotconf/security/encryptpasswords.xml @@ -0,0 +1,24 @@ +<samba:parameter name="encrypt passwords" + context="G" + type="boolean" + basic="1" advanced="1" wizard="1" developer="1" + xmlns:samba="http://samba.org/common"> +<description> + <para>This boolean controls whether encrypted passwords + will be negotiated with the client. Note that Windows NT 4.0 SP3 and + above and also Windows 98 will by default expect encrypted passwords + unless a registry entry is changed. To use encrypted passwords in + Samba see the chapter "User Database" in the Samba HOWTO Collection. </para> + + <para>In order for encrypted passwords to work correctly + <citerefentry><refentrytitle>smbd</refentrytitle> + <manvolnum>8</manvolnum></citerefentry> must either + have access to a local <citerefentry><refentrytitle>smbpasswd</refentrytitle> + <manvolnum>5</manvolnum></citerefentry> file (see the <citerefentry><refentrytitle>smbpasswd</refentrytitle> + <manvolnum>8</manvolnum></citerefentry> program for information on how to set up + and maintain this file), or set the <link linkend="SECURITY">security = [server|domain|ads]</link> parameter which + causes <command moreinfo="none">smbd</command> to authenticate against another + server.</para> +</description> +<value type="default">yes</value> +</samba:parameter> diff --git a/docs/smbdotconf/security/forcecreatemode.xml b/docs/smbdotconf/security/forcecreatemode.xml new file mode 100644 index 0000000000..f34dddbf71 --- /dev/null +++ b/docs/smbdotconf/security/forcecreatemode.xml @@ -0,0 +1,25 @@ +<samba:parameter name="force create mode" + context="S" + xmlns:samba="http://samba.org/common"> +<description> + <para>This parameter specifies a set of UNIX mode bit + permissions that will <emphasis>always</emphasis> be set on a + file created by Samba. This is done by bitwise 'OR'ing these bits onto + the mode bits of a file that is being created or having its + permissions changed. The default for this parameter is (in octal) + 000. The modes in this parameter are bitwise 'OR'ed onto the file + mode after the mask set in the <parameter moreinfo="none">create mask</parameter> + parameter is applied.</para> + + <para>The example below would force all created files to have read and execute + permissions set for 'group' and 'other' as well as the + read/write/execute bits set for the 'user'.</para> + +</description> + +<related>create mask</related> +<related>inherit permissions</related> + +<value type="default">000</value> +<value type="example">0755</value> +</samba:parameter> diff --git a/docs/smbdotconf/security/forcedirectorymode.xml b/docs/smbdotconf/security/forcedirectorymode.xml new file mode 100644 index 0000000000..b9c1412980 --- /dev/null +++ b/docs/smbdotconf/security/forcedirectorymode.xml @@ -0,0 +1,25 @@ +<samba:parameter name="force directory mode" + context="S" + type="string" + xmlns:samba="http://samba.org/common"> +<description> + <para>This parameter specifies a set of UNIX mode bit + permissions that will <emphasis>always</emphasis> be set on a directory + created by Samba. This is done by bitwise 'OR'ing these bits onto the + mode bits of a directory that is being created. The default for this + parameter is (in octal) 0000 which will not add any extra permission + bits to a created directory. This operation is done after the mode + mask in the parameter <parameter moreinfo="none">directory mask</parameter> is + applied.</para> + + <para>The example below would force all created directories to have read and execute + permissions set for 'group' and 'other' as well as the + read/write/execute bits set for the 'user'.</para> +</description> + +<value type="default">000</value> +<value type="example">0755</value> + +<related>directory mask</related> +<related>inherit permissions</related> +</samba:parameter> diff --git a/docs/smbdotconf/security/forcedirectorysecuritymode.xml b/docs/smbdotconf/security/forcedirectorysecuritymode.xml new file mode 100644 index 0000000000..c64c53a0ee --- /dev/null +++ b/docs/smbdotconf/security/forcedirectorysecuritymode.xml @@ -0,0 +1,35 @@ +<samba:parameter name="force directory security mode" + context="S" + type="string" + xmlns:samba="http://samba.org/common"> +<description> + <para>This parameter controls what UNIX permission bits + can be modified when a Windows NT client is manipulating the UNIX + permission on a directory using the native NT security dialog box.</para> + + <para>This parameter is applied as a mask (OR'ed with) to the + changed permission bits, thus forcing any bits in this mask that + the user may have modified to be on. Essentially, one bits in this + mask may be treated as a set of bits that, when modifying security + on a directory, the user has always set to be 'on'.</para> + + <para>If not set explicitly this parameter is 000, which + allows a user to modify all the user/group/world permissions on a + directory without restrictions.</para> + + <note><para>Users who can access the + Samba server through other means can easily bypass this restriction, + so it is primarily useful for standalone "appliance" systems. + Administrators of most normal systems will probably want to leave + it set as 0000.</para></note> + +</description> + +<value type="default">0</value> +<value type="example">700</value> + +<related>directory security mask</related> +<related>security mask</related> +<related>force security mode</related> + +</samba:parameter> diff --git a/docs/smbdotconf/security/forcegroup.xml b/docs/smbdotconf/security/forcegroup.xml new file mode 100644 index 0000000000..19bef7301e --- /dev/null +++ b/docs/smbdotconf/security/forcegroup.xml @@ -0,0 +1,39 @@ +<samba:parameter name="force group" + context="S" + type="string" + xmlns:samba="http://samba.org/common"> +<synonym>group</synonym> +<description> + <para>This specifies a UNIX group name that will be + assigned as the default primary group for all users connecting + to this service. This is useful for sharing files by ensuring + that all access to files on service will use the named group for + their permissions checking. Thus, by assigning permissions for this + group to the files and directories within this service the Samba + administrator can restrict or allow sharing of these files.</para> + + <para>In Samba 2.0.5 and above this parameter has extended + functionality in the following way. If the group name listed here + has a '+' character prepended to it then the current user accessing + the share only has the primary group default assigned to this group + if they are already assigned as a member of that group. This allows + an administrator to decide that only users who are already in a + particular group will create files with group ownership set to that + group. This gives a finer granularity of ownership assignment. For + example, the setting <filename moreinfo="none">force group = +sys</filename> means + that only users who are already in group sys will have their default + primary group assigned to sys when accessing this Samba share. All + other users will retain their ordinary primary group.</para> + + <para>If the <link linkend="FORCEUSER"><parameter moreinfo="none">force user</parameter> + </link> parameter is also set the group specified in + <parameter moreinfo="none">force group</parameter> will override the primary group + set in <parameter moreinfo="none">force user</parameter>.</para> + +</description> + +<related>force user</related> + +<value type="default"/> +<value type="example">agroup</value> +</samba:parameter> diff --git a/docs/smbdotconf/security/forcesecuritymode.xml b/docs/smbdotconf/security/forcesecuritymode.xml new file mode 100644 index 0000000000..f9f701e1df --- /dev/null +++ b/docs/smbdotconf/security/forcesecuritymode.xml @@ -0,0 +1,35 @@ +<samba:parameter name="force security mode" + context="S" + type="string" + xmlns:samba="http://samba.org/common"> +<description> + <para>This parameter controls what UNIX permission + bits can be modified when a Windows NT client is manipulating + the UNIX permission on a file using the native NT security dialog + box.</para> + + <para>This parameter is applied as a mask (OR'ed with) to the + changed permission bits, thus forcing any bits in this mask that + the user may have modified to be on. Essentially, one bits in this + mask may be treated as a set of bits that, when modifying security + on a file, the user has always set to be 'on'.</para> + + <para>If not set explicitly this parameter is set to 0, + and allows a user to modify all the user/group/world permissions on a file, + with no restrictions.</para> + + <para><emphasis>Note</emphasis> that users who can access + the Samba server through other means can easily bypass this restriction, + so it is primarily useful for standalone "appliance" systems. + Administrators of most normal systems will probably want to leave + this set to 0000.</para> + +</description> + +<value type="default">0</value> +<value type="example">700</value> + +<related>force directory security mode</related> +<related>directory security mask</related> +<related>security mask</related> +</samba:parameter> diff --git a/docs/smbdotconf/security/forceuser.xml b/docs/smbdotconf/security/forceuser.xml new file mode 100644 index 0000000000..aa6c15ba0e --- /dev/null +++ b/docs/smbdotconf/security/forceuser.xml @@ -0,0 +1,27 @@ +<samba:parameter name="force user" + type="string" + context="S" + xmlns:samba="http://samba.org/common"> +<description> + <para>This specifies a UNIX user name that will be + assigned as the default user for all users connecting to this service. + This is useful for sharing files. You should also use it carefully + as using it incorrectly can cause security problems.</para> + + <para>This user name only gets used once a connection is established. + Thus clients still need to connect as a valid user and supply a + valid password. Once connected, all file operations will be performed + as the "forced user", no matter what username the client connected + as. This can be very useful.</para> + + <para>In Samba 2.0.5 and above this parameter also causes the + primary group of the forced user to be used as the primary group + for all file activity. Prior to 2.0.5 the primary group was left + as the primary group of the connecting user (this was a bug).</para> + +</description> + +<related>force group</related> +<value type="default"/> +<value type="example">auser</value> +</samba:parameter> diff --git a/docs/smbdotconf/security/guestaccount.xml b/docs/smbdotconf/security/guestaccount.xml new file mode 100644 index 0000000000..e7d3c5faac --- /dev/null +++ b/docs/smbdotconf/security/guestaccount.xml @@ -0,0 +1,29 @@ +<samba:parameter name="guest account" + context="G" + type="string" + basic="1" advanced="1" developer="1" + xmlns:samba="http://samba.org/common"> +<description> + <para>This is a username which will be used for access + to services which are specified as <link linkend="GUESTOK"><parameter moreinfo="none"> + guest ok</parameter></link> (see below). Whatever privileges this + user has will be available to any client connecting to the guest service. + This user must exist in the password file, but does not require + a valid login. The user account "ftp" is often a good choice + for this parameter. + </para> + + <para>On some systems the default guest account "nobody" may not + be able to print. Use another account in this case. You should test + this by trying to log in as your guest user (perhaps by using the + <command moreinfo="none">su -</command> command) and trying to print using the + system print command such as <command moreinfo="none">lpr(1)</command> or <command moreinfo="none"> + lp(1)</command>.</para> + + <para>This parameter does not accept % macros, because + many parts of the system require this value to be + constant for correct operation.</para> +</description> +<value type="default">nobody<comment>default can be changed at compile-time</comment></value> +<value type="example">ftp</value> +</samba:parameter> diff --git a/docs/smbdotconf/security/guestok.xml b/docs/smbdotconf/security/guestok.xml new file mode 100644 index 0000000000..e7b6e1c796 --- /dev/null +++ b/docs/smbdotconf/security/guestok.xml @@ -0,0 +1,22 @@ +<samba:parameter name="guest ok" + type="boolean" + context="S" + basic="1" advanced="1" print="1" developer="1" + xmlns:samba="http://samba.org/common"> +<synonym>public</synonym> +<description> + <para>If this parameter is <constant>yes</constant> for + a service, then no password is required to connect to the service. + Privileges will be those of the <link linkend="GUESTACCOUNT"><parameter moreinfo="none"> + guest account</parameter></link>.</para> + + <para>This paramater nullifies the benifits of setting + <link linkend="RESTRICTANONYMOUS"><parameter moreinfo="none">restrict + anonymous</parameter></link> = 2</para> + + <para>See the section below on <link linkend="SECURITY"><parameter moreinfo="none"> + security</parameter></link> for more information about this option. + </para> +</description> +<value type="default">no</value> +</samba:parameter> diff --git a/docs/smbdotconf/security/guestonly.xml b/docs/smbdotconf/security/guestonly.xml new file mode 100644 index 0000000000..27f70dacd1 --- /dev/null +++ b/docs/smbdotconf/security/guestonly.xml @@ -0,0 +1,17 @@ +<samba:parameter name="guest only" + context="S" + type="boolean" + xmlns:samba="http://samba.org/common"> +<synonym>only guest</synonym> +<description> + <para>If this parameter is <constant>yes</constant> for + a service, then only guest connections to the service are permitted. + This parameter will have no effect if <link linkend="GUESTOK"> + <parameter moreinfo="none">guest ok</parameter></link> is not set for the service.</para> + + <para>See the section below on <link linkend="SECURITY"><parameter moreinfo="none"> + security</parameter></link> for more information about this option. + </para> +</description> +<value type="default">no</value> +</samba:parameter> diff --git a/docs/smbdotconf/security/hostsallow.xml b/docs/smbdotconf/security/hostsallow.xml new file mode 100644 index 0000000000..394161535c --- /dev/null +++ b/docs/smbdotconf/security/hostsallow.xml @@ -0,0 +1,65 @@ +<samba:parameter name="hosts allow" + context="S" + type="list" + basic="1" advanced="1" print="1" developer="1" + xmlns:samba="http://samba.org/common"> +<synonym>allow hosts</synonym> +<description> + <para>A synonym for this parameter is <parameter moreinfo="none">allow + hosts</parameter>.</para> + + <para>This parameter is a comma, space, or tab delimited + set of hosts which are permitted to access a service.</para> + + <para>If specified in the [global] section then it will + apply to all services, regardless of whether the individual + service has a different setting.</para> + + <para>You can specify the hosts by name or IP number. For + example, you could restrict access to only the hosts on a + Class C subnet with something like <command moreinfo="none">allow hosts = 150.203.5. + </command>. The full syntax of the list is described in the man + page <filename moreinfo="none">hosts_access(5)</filename>. Note that this man + page may not be present on your system, so a brief description will + be given here also.</para> + + <para>Note that the localhost address 127.0.0.1 will always + be allowed access unless specifically denied by a <link linkend="HOSTSDENY"> + <parameter moreinfo="none">hosts deny</parameter></link> option.</para> + + <para>You can also specify hosts by network/netmask pairs and + by netgroup names if your system supports netgroups. The + <emphasis>EXCEPT</emphasis> keyword can also be used to limit a + wildcard list. The following examples may provide some help:</para> + +<para>Example 1: allow all IPs in 150.203.*.*; except one</para> + + <para><command moreinfo="none">hosts allow = 150.203. EXCEPT 150.203.6.66</command></para> + + <para>Example 2: allow hosts that match the given network/netmask</para> + + <para><command moreinfo="none">hosts allow = 150.203.15.0/255.255.255.0</command></para> + + <para>Example 3: allow a couple of hosts</para> + + <para><command moreinfo="none">hosts allow = lapland, arvidsjaur</command></para> + + <para>Example 4: allow only hosts in NIS netgroup "foonet", but + deny access from one particular host</para> + + <para><command moreinfo="none">hosts allow = @foonet</command></para> + + <para><command moreinfo="none">hosts deny = pirate</command></para> + + <note><para>Note that access still requires suitable user-level passwords.</para></note> + + <para>See <citerefentry><refentrytitle>testparm</refentrytitle> + <manvolnum>1</manvolnum></citerefentry> for a way of testing your host access + to see if it does what you expect.</para> + + +</description> + +<value type="example">150.203.5. myhost.mynet.edu.au</value> +<value type="default"><comment>none (i.e., all hosts permitted access)</comment></value> +</samba:parameter> diff --git a/docs/smbdotconf/security/hostsdeny.xml b/docs/smbdotconf/security/hostsdeny.xml new file mode 100644 index 0000000000..c655a72b1e --- /dev/null +++ b/docs/smbdotconf/security/hostsdeny.xml @@ -0,0 +1,18 @@ +<samba:parameter name="hosts deny" + context="S" + type="list" + basic="1" advanced="1" print="1" developer="1" + xmlns:samba="http://samba.org/common"> +<synonym>deny hosts</synonym> +<description> + <para>The opposite of <parameter moreinfo="none">hosts allow</parameter> + - hosts listed here are <emphasis>NOT</emphasis> permitted access to + services unless the specific services have their own lists to override + this one. Where the lists conflict, the <parameter moreinfo="none">allow</parameter> + list takes precedence.</para> +</description> + +<value type="default"><comment>none (i.e., no hosts specifically excluded)</comment></value> + +<value type="example">150.203.4. badhost.mynet.edu.au</value> +</samba:parameter> diff --git a/docs/smbdotconf/security/hostsequiv.xml b/docs/smbdotconf/security/hostsequiv.xml new file mode 100644 index 0000000000..529f464a7b --- /dev/null +++ b/docs/smbdotconf/security/hostsequiv.xml @@ -0,0 +1,30 @@ +<samba:parameter name="hosts equiv" + context="G" + type="string" + advanced="1" developer="1" + xmlns:samba="http://samba.org/common"> +<description> + <para>If this global parameter is a non-null string, + it specifies the name of a file to read for the names of hosts + and users who will be allowed access without specifying a password. + </para> + + <para>This is not be confused with <link linkend="HOSTSALLOW"> + <parameter moreinfo="none">hosts allow</parameter></link> which is about hosts + access to services and is more useful for guest services. <parameter moreinfo="none"> + hosts equiv</parameter> may be useful for NT clients which will + not supply passwords to Samba.</para> + + <note><para>The use of <parameter moreinfo="none">hosts equiv + </parameter> can be a major security hole. This is because you are + trusting the PC to supply the correct username. It is very easy to + get a PC to supply a false username. I recommend that the + <parameter moreinfo="none">hosts equiv</parameter> option be only used if you really + know what you are doing, or perhaps on a home network where you trust + your spouse and kids. And only if you <emphasis>really</emphasis> trust + them :-).</para></note> +</description> + +<value type="default"><comment>no host equivalences</comment></value> +<value type="example">hosts equiv = /etc/hosts.equiv</value> +</samba:parameter> diff --git a/docs/smbdotconf/security/inheritacls.xml b/docs/smbdotconf/security/inheritacls.xml new file mode 100644 index 0000000000..dff4c25c0f --- /dev/null +++ b/docs/smbdotconf/security/inheritacls.xml @@ -0,0 +1,15 @@ +<samba:parameter name="inherit acls" + context="S" + type="boolean" + xmlns:samba="http://samba.org/common"> +<description> + <para>This parameter can be used to ensure that if default acls + exist on parent directories, they are always honored when creating a + subdirectory. The default behavior is to use the mode specified when + creating the directory. Enabling this option sets the mode to 0777, + thus guaranteeing that default directory acls are propagated. +</para> +</description> + +<value type="default">no</value> +</samba:parameter> diff --git a/docs/smbdotconf/security/inheritpermissions.xml b/docs/smbdotconf/security/inheritpermissions.xml new file mode 100644 index 0000000000..d684ea2673 --- /dev/null +++ b/docs/smbdotconf/security/inheritpermissions.xml @@ -0,0 +1,39 @@ +<samba:parameter name="inherit permissions" + context="S" + type="boolean" + xmlns:samba="http://samba.org/common"> +<description> + <para>The permissions on new files and directories + are normally governed by <link linkend="CREATEMASK"><parameter moreinfo="none"> + create mask</parameter></link>, <link linkend="DIRECTORYMASK"> + <parameter moreinfo="none">directory mask</parameter></link>, <link linkend="FORCECREATEMODE"> + <parameter moreinfo="none">force create mode</parameter> + </link> and <link linkend="FORCEDIRECTORYMODE"><parameter moreinfo="none">force + directory mode</parameter></link> but the boolean inherit + permissions parameter overrides this.</para> + + <para>New directories inherit the mode of the parent directory, + including bits such as setgid.</para> + + <para>New files inherit their read/write bits from the parent + directory. Their execute bits continue to be determined by + <link linkend="MAPARCHIVE"><parameter moreinfo="none">map archive</parameter> + </link>, <link linkend="MAPHIDDEN"><parameter moreinfo="none">map hidden</parameter> + </link> and <link linkend="MAPSYSTEM"><parameter moreinfo="none">map system</parameter> + </link> as usual.</para> + + <para>Note that the setuid bit is <emphasis>never</emphasis> set via + inheritance (the code explicitly prohibits this).</para> + + <para>This can be particularly useful on large systems with + many users, perhaps several thousand, to allow a single [homes] + share to be used flexibly by each user.</para> +</description> + +<related>create mask</related> +<related>directory mask</related> +<related>force create mode</related> +<related>force directory mode</related> + +<value type="default">no</value> +</samba:parameter> diff --git a/docs/smbdotconf/security/invalidusers.xml b/docs/smbdotconf/security/invalidusers.xml new file mode 100644 index 0000000000..71a45d1a9d --- /dev/null +++ b/docs/smbdotconf/security/invalidusers.xml @@ -0,0 +1,34 @@ +<samba:parameter name="invalid users" + context="S" + type="list" + xmlns:samba="http://samba.org/common"> +<description> + <para>This is a list of users that should not be allowed + to login to this service. This is really a <emphasis>paranoid</emphasis> + check to absolutely ensure an improper setting does not breach + your security.</para> + + <para>A name starting with a '@' is interpreted as an NIS + netgroup first (if your system supports NIS), and then as a UNIX + group if the name was not found in the NIS netgroup database.</para> + + <para>A name starting with '+' is interpreted only + by looking in the UNIX group database. A name starting with + '&' is interpreted only by looking in the NIS netgroup database + (this requires NIS to be working on your system). The characters + '+' and '&' may be used at the start of the name in either order + so the value <parameter moreinfo="none">+&group</parameter> means check the + UNIX group database, followed by the NIS netgroup database, and + the value <parameter moreinfo="none">&+group</parameter> means check the NIS + netgroup database, followed by the UNIX group database (the + same as the '@' prefix).</para> + + <para>The current servicename is substituted for <parameter moreinfo="none">%S</parameter>. + This is useful in the [homes] section.</para> +</description> + +<related>valid users</related> + +<value type="default"><comment>no invalid users</comment></value> +<value type="example">root fred admin @wheel</value> +</samba:parameter> diff --git a/docs/smbdotconf/security/lanmanauth.xml b/docs/smbdotconf/security/lanmanauth.xml new file mode 100644 index 0000000000..dba8d6f975 --- /dev/null +++ b/docs/smbdotconf/security/lanmanauth.xml @@ -0,0 +1,31 @@ +<samba:parameter name="lanman auth" + context="G" + type="boolean" + advanced="1" developer="1" + xmlns:samba="http://samba.org/common"> +<description> + <para>This parameter determines whether or not <citerefentry><refentrytitle>smbd</refentrytitle> + <manvolnum>8</manvolnum></citerefentry> will attempt to authenticate users + using the LANMAN password hash. If disabled, only clients which support NT + password hashes (e.g. Windows NT/2000 clients, smbclient, etc... but not + Windows 95/98 or the MS DOS network client) will be able to connect to the Samba host.</para> + + <para>The LANMAN encrypted response is easily broken, due to it's + case-insensitive nature, and the choice of algorithm. Servers + without Windows 95/98 or MS DOS clients are advised to disable + this option. </para> + + <para>Unlike the <command moreinfo="none">encypt + passwords</command> option, this parameter cannot alter client + behaviour, and the LANMAN response will still be sent over the + network. See the <command moreinfo="none">client lanman + auth</command> to disable this for Samba's clients (such as smbclient)</para> + + <para>If this option, and <command moreinfo="none">ntlm + auth</command> are both disabled, then only NTLMv2 logins will be + permited. Not all clients support NTLMv2, and most will require + special configuration to us it.</para> +</description> + +<value type="default">yes</value> +</samba:parameter> diff --git a/docs/smbdotconf/security/maptoguest.xml b/docs/smbdotconf/security/maptoguest.xml new file mode 100644 index 0000000000..f4753617c2 --- /dev/null +++ b/docs/smbdotconf/security/maptoguest.xml @@ -0,0 +1,63 @@ +<samba:parameter name="map to guest" + type="enum" + context="G" + advanced="1" developer="1" + xmlns:samba="http://samba.org/common"> +<description> + <para>This parameter is only useful in <link linkend="SECURITY"> + security</link> modes other than <parameter moreinfo="none">security = share</parameter> + - i.e. <constant>user</constant>, <constant>server</constant>, + and <constant>domain</constant>.</para> + + <para>This parameter can take three different values, which tell + <citerefentry><refentrytitle>smbd</refentrytitle> + <manvolnum>8</manvolnum></citerefentry> what to do with user + login requests that don't match a valid UNIX user in some way.</para> + + <para>The three settings are :</para> + + <itemizedlist> + <listitem> + <para><constant>Never</constant> - Means user login + requests with an invalid password are rejected. This is the + default.</para> + </listitem> + + <listitem> + <para><constant>Bad User</constant> - Means user + logins with an invalid password are rejected, unless the username + does not exist, in which case it is treated as a guest login and + mapped into the <link linkend="GUESTACCOUNT"><parameter moreinfo="none"> + guest account</parameter></link>.</para> + </listitem> + + <listitem> + <para><constant>Bad Password</constant> - Means user logins + with an invalid password are treated as a guest login and mapped + into the <link linkend="GUESTACCOUNT">guest account</link>. Note that + this can cause problems as it means that any user incorrectly typing + their password will be silently logged on as "guest" - and + will not know the reason they cannot access files they think + they should - there will have been no message given to them + that they got their password wrong. Helpdesk services will + <emphasis>hate</emphasis> you if you set the <parameter moreinfo="none">map to + guest</parameter> parameter this way :-).</para> + </listitem> + </itemizedlist> + + <para>Note that this parameter is needed to set up "Guest" + share services when using <parameter moreinfo="none">security</parameter> modes other than + share. This is because in these modes the name of the resource being + requested is <emphasis>not</emphasis> sent to the server until after + the server has successfully authenticated the client so the server + cannot make authentication decisions at the correct time (connection + to the share) for "Guest" shares.</para> + + <para>For people familiar with the older Samba releases, this + parameter maps to the old compile-time setting of the <constant> + GUEST_SESSSETUP</constant> value in local.h.</para> +</description> + +<value type="default">Never</value> +<value type="example">Bad User</value> +</samba:parameter> diff --git a/docs/smbdotconf/security/minpasswordlength.xml b/docs/smbdotconf/security/minpasswordlength.xml new file mode 100644 index 0000000000..d9c9ebf0bb --- /dev/null +++ b/docs/smbdotconf/security/minpasswordlength.xml @@ -0,0 +1,17 @@ +<samba:parameter name="min password length" + context="G" + type="integer" + advanced="1" developer="1" + xmlns:samba="http://samba.org/common"> +<synonym>min passwd length</synonym> +<description> + <para>This option sets the minimum length in characters of a + plaintext password that <command moreinfo="none">smbd</command> will + accept when performing UNIX password changing.</para> +</description> + +<related>unix password sync</related> +<related>passwd program</related> +<related>passwd char debug</related> +<value type="default">5</value> +</samba:parameter> diff --git a/docs/smbdotconf/security/ntlmauth.xml b/docs/smbdotconf/security/ntlmauth.xml new file mode 100644 index 0000000000..91c72eab39 --- /dev/null +++ b/docs/smbdotconf/security/ntlmauth.xml @@ -0,0 +1,20 @@ +<samba:parameter name="ntlm auth" + context="G" + type="boolean" + advanced="1" developer="1" + xmlns:samba="http://samba.org/common"> +<description> + <para>This parameter determines whether or not <citerefentry><refentrytitle>smbd</refentrytitle> + <manvolnum>8</manvolnum></citerefentry> will attempt to + authenticate users using the NTLM encrypted password response. + If disabled, either the lanman password hash or an NTLMv2 response + will need to be sent by the client.</para> + + <para>If this option, and <command moreinfo="none">lanman + auth</command> are both disabled, then only NTLMv2 logins will be + permited. Not all clients support NTLMv2, and most will require + special configuration to us it.</para> +</description> + +<value type="default">yes</value> +</samba:parameter> diff --git a/docs/smbdotconf/security/nullpasswords.xml b/docs/smbdotconf/security/nullpasswords.xml new file mode 100644 index 0000000000..2e47541a78 --- /dev/null +++ b/docs/smbdotconf/security/nullpasswords.xml @@ -0,0 +1,14 @@ +<samba:parameter name="null passwords" + context="G" + advanced="1" developer="1" + type="boolean" + xmlns:samba="http://samba.org/common"> +<description> + <para>Allow or disallow client access to accounts that have null passwords. </para> + + <para>See also <citerefentry><refentrytitle>smbpasswd</refentrytitle> + <manvolnum>5</manvolnum></citerefentry>.</para> +</description> + +<value type="default">no</value> +</samba:parameter> diff --git a/docs/smbdotconf/security/obeypamrestrictions.xml b/docs/smbdotconf/security/obeypamrestrictions.xml new file mode 100644 index 0000000000..2643d3f099 --- /dev/null +++ b/docs/smbdotconf/security/obeypamrestrictions.xml @@ -0,0 +1,20 @@ +<samba:parameter name="obey pam restrictions" + context="G" + type="boolean" + advanced="1" developer="1" + xmlns:samba="http://samba.org/common"> +<description> + <para>When Samba 3.0 is configured to enable PAM support + (i.e. --with-pam), this parameter will control whether or not Samba + should obey PAM's account and session management directives. The + default behavior is to use PAM for clear text authentication only + and to ignore any account or session management. Note that Samba + always ignores PAM for authentication in the case of <link linkend="ENCRYPTPASSWORDS"> + <parameter moreinfo="none">encrypt passwords = yes</parameter></link>. The reason + is that PAM modules cannot support the challenge/response + authentication mechanism needed in the presence of SMB password encryption. +</para> +</description> + +<value type="default">no</value> +</samba:parameter> diff --git a/docs/smbdotconf/security/onlyuser.xml b/docs/smbdotconf/security/onlyuser.xml new file mode 100644 index 0000000000..d5cb227a6e --- /dev/null +++ b/docs/smbdotconf/security/onlyuser.xml @@ -0,0 +1,26 @@ +<samba:parameter name="only user" + type="boolean" + context="S" + xmlns:samba="http://samba.org/common"> +<description> + <para>This is a boolean option that controls whether + connections with usernames not in the <parameter moreinfo="none">user</parameter> + list will be allowed. By default this option is disabled so that a + client can supply a username to be used by the server. Enabling + this parameter will force the server to only use the login + names from the <parameter moreinfo="none">user</parameter> list and is only really + useful in <link linkend="SECURITYEQUALSSHARE">share level</link> + security.</para> + + <para>Note that this also means Samba won't try to deduce + usernames from the service name. This can be annoying for + the [homes] section. To get around this you could use <command moreinfo="none">user = + %S</command> which means your <parameter moreinfo="none">user</parameter> list + will be just the service name, which for home directories is the + name of the user.</para> +</description> + +<related>user</related> + +<value type="default">no</value> +</samba:parameter> diff --git a/docs/smbdotconf/security/pampasswordchange.xml b/docs/smbdotconf/security/pampasswordchange.xml new file mode 100644 index 0000000000..af519457c0 --- /dev/null +++ b/docs/smbdotconf/security/pampasswordchange.xml @@ -0,0 +1,18 @@ +<samba:parameter name="pam password change" + context="G" + type="boolean" + advanced="1" developer="1" + xmlns:samba="http://samba.org/common"> +<description> + <para>With the addition of better PAM support in Samba 2.2, + this parameter, it is possible to use PAM's password change control + flag for Samba. If enabled, then PAM will be used for password + changes when requested by an SMB client instead of the program listed in + <link linkend="PASSWDPROGRAM"><parameter moreinfo="none">passwd program</parameter></link>. + It should be possible to enable this without changing your + <link linkend="PASSWDCHAT"><parameter moreinfo="none">passwd chat</parameter></link> + parameter for most setups.</para> +</description> + +<value type="default">no</value> +</samba:parameter> diff --git a/docs/smbdotconf/security/passdbbackend.xml b/docs/smbdotconf/security/passdbbackend.xml new file mode 100644 index 0000000000..794aaafc35 --- /dev/null +++ b/docs/smbdotconf/security/passdbbackend.xml @@ -0,0 +1,74 @@ +<samba:parameter name="passdb backend" + context="G" + type="list" + advanced="1" developer="1" + xmlns:samba="http://samba.org/common"> +<description> + + <para>This option allows the administrator to chose which backends + to retrieve and store passwords with. This allows (for example) both + smbpasswd and tdbsam to be used without a recompile. Multiple + backends can be specified, separated by spaces. The backends will be + searched in the order they are specified. New users are always added + to the first backend specified. </para> + + <para>This parameter is in two parts, the backend's name, and a 'location' + string that has meaning only to that particular backed. These are separated + by a : character.</para> + + <para>Available backends can include: + <itemizedlist> + <listitem> + <para><command moreinfo="none">smbpasswd</command> - The default smbpasswd + backend. Takes a path to the smbpasswd file as an optional argument. + </para> + </listitem> + + <listitem> + <para><command moreinfo="none">tdbsam</command> - The TDB based password storage + backend. Takes a path to the TDB as an optional argument (defaults to passdb.tdb + in the <link linkend="PRIVATEDIR"> + <parameter moreinfo="none">private dir</parameter></link> directory.</para> + </listitem> + + <listitem> + <para><command moreinfo="none">ldapsam</command> - The LDAP based passdb + backend. Takes an LDAP URL as an optional argument (defaults to + <command moreinfo="none">ldap://localhost</command>)</para> + + <para>LDAP connections should be secured where possible. This may be done using either + Start-TLS (see <link linkend="LDAPSSL"><parameter moreinfo="none">ldap ssl</parameter></link>) or by + specifying <parameter moreinfo="none">ldaps://</parameter> in + the URL argument. </para> + + <para>Multiple servers may also be specified in double-quotes, if your + LDAP libraries supports the LDAP URL notation. + (OpenLDAP does). + </para> + + </listitem> + + <listitem> + <para><command moreinfo="none">nisplussam</command> - + The NIS+ based passdb backend. Takes name NIS domain as + an optional argument. Only works with sun NIS+ servers. + </para> + </listitem> + + <listitem> + <para><command moreinfo="none">mysql</command> - + The MySQL based passdb backend. Takes an identifier as + argument. Read the Samba HOWTO Collection for configuration + details. + </para></listitem> + + </itemizedlist> + </para> +</description> + +<value type="default">smbpasswd</value> +<value type="example">tdbsam:/etc/samba/private/passdb.tdb smbpasswd:/etc/samba/smbpasswd</value> +<value type="example">ldapsam:ldaps://ldap.example.com</value> +<value type="example">ldapsam:"ldap://ldap-1.example.com ldap://ldap-2.example.com"</value> +<value type="example">mysql:my_plugin_args tdbsam</value> +</samba:parameter> diff --git a/docs/smbdotconf/security/passwdchat.xml b/docs/smbdotconf/security/passwdchat.xml new file mode 100644 index 0000000000..be1c55aad0 --- /dev/null +++ b/docs/smbdotconf/security/passwdchat.xml @@ -0,0 +1,59 @@ +<samba:parameter name="passwd chat" + context="G" + type="string" + advanced="1" developer="1" + xmlns:samba="http://samba.org/common"> +<description> + <para>This string controls the <emphasis>"chat"</emphasis> + conversation that takes places between <citerefentry><refentrytitle>smbd</refentrytitle> + <manvolnum>8</manvolnum></citerefentry> and the local password changing + program to change the user's password. The string describes a + sequence of response-receive pairs that <citerefentry><refentrytitle>smbd</refentrytitle> + <manvolnum>8</manvolnum></citerefentry> uses to determine what to send to the + <link linkend="PASSWDPROGRAM"><parameter moreinfo="none">passwd program</parameter> + </link> and what to expect back. If the expected output is not + received then the password is not changed.</para> + + <para>This chat sequence is often quite site specific, depending + on what local methods are used for password control (such as NIS + etc).</para> + + <para>Note that this parameter only is only used if the <link + linkend="UNIXPASSWORDSYNC"> <parameter moreinfo="none">unix password sync</parameter> + </link> parameter is set to <constant>yes</constant>. This sequence is + then called <emphasis>AS ROOT</emphasis> when the SMB password in the + smbpasswd file is being changed, without access to the old password + cleartext. This means that root must be able to reset the user's password without + knowing the text of the previous password. In the presence of + NIS/YP, this means that the <link linkend="PASSWDPROGRAM">passwd program</link> must + be executed on the NIS master. + </para> + + + <para>The string can contain the macro <parameter moreinfo="none">%n</parameter> which is substituted + for the new password. The chat sequence can also contain the standard + macros <constant>\\n</constant>, <constant>\\r</constant>, <constant>\\t</constant> and <constant>\\s</constant> to + give line-feed, carriage-return, tab and space. The chat sequence string can also contain + a '*' which matches any sequence of characters. Double quotes can be used to collect strings with spaces + in them into a single string.</para> + + <para>If the send string in any part of the chat sequence is a full + stop ".", then no string is sent. Similarly, if the + expect string is a full stop then no string is expected.</para> + + <para>If the <link linkend="PAMPASSWORDCHANGE"><parameter moreinfo="none">pam + password change</parameter></link> parameter is set to <constant>yes</constant>, the chat pairs + may be matched in any order, and success is determined by the PAM result, + not any particular output. The \n macro is ignored for PAM conversions. + </para> + +</description> + +<related>unix password sync</related> +<related>passwd program</related> +<related>passwd chat debug</related> +<related>pam password change</related> + +<value type="default">*new*password* %n\\n*new*password* %n\\n *changed*</value> +<value type="example">"*Enter OLD password*" %o\\n "*Enter NEW password*" %n\\n "*Reenter NEW password*" %n\\n "*Password changed*"</value> +</samba:parameter> diff --git a/docs/smbdotconf/security/passwdchatdebug.xml b/docs/smbdotconf/security/passwdchatdebug.xml new file mode 100644 index 0000000000..777532ee27 --- /dev/null +++ b/docs/smbdotconf/security/passwdchatdebug.xml @@ -0,0 +1,27 @@ +<samba:parameter name="passwd chat debug" + context="G" + advanced="1" developer="1" + type="boolean" + xmlns:samba="http://samba.org/common"> +<description> + <para>This boolean specifies if the passwd chat script + parameter is run in <emphasis>debug</emphasis> mode. In this mode the + strings passed to and received from the passwd chat are printed + in the <citerefentry><refentrytitle>smbd</refentrytitle> + <manvolnum>8</manvolnum></citerefentry> log with a + <link linkend="DEBUGLEVEL"><parameter moreinfo="none">debug level</parameter></link> + of 100. This is a dangerous option as it will allow plaintext passwords + to be seen in the <command moreinfo="none">smbd</command> log. It is available to help + Samba admins debug their <parameter moreinfo="none">passwd chat</parameter> scripts + when calling the <parameter moreinfo="none">passwd program</parameter> and should + be turned off after this has been done. This option has no effect if the + <link linkend="PAMPASSWORDCHANGE"><parameter moreinfo="none">pam password change</parameter></link> + paramter is set. This parameter is off by default.</para> +</description> + +<related>passwd chat</related> +<related>pam password change</related> +<related>passwd program</related> + +<value type="default">no</value> +</samba:parameter> diff --git a/docs/smbdotconf/security/passwdchattimeout.xml b/docs/smbdotconf/security/passwdchattimeout.xml new file mode 100644 index 0000000000..419f44354a --- /dev/null +++ b/docs/smbdotconf/security/passwdchattimeout.xml @@ -0,0 +1,14 @@ +<samba:parameter name="passwd chat timeout" + context="G" + type="integer" + advanced="1" developer="1" + xmlns:samba="http://samba.org/common"> +<description> + <para>This integer specifies the number of seconds smbd will wait for an initial + answer from a passwd chat script being run. Once the initial answer is received + the subsequent answers must be received in one tenth of this time. The default it + two seconds.</para> +</description> + +<value type="default">2</value> +</samba:parameter> diff --git a/docs/smbdotconf/security/passwdprogram.xml b/docs/smbdotconf/security/passwdprogram.xml new file mode 100644 index 0000000000..89e1af3b1a --- /dev/null +++ b/docs/smbdotconf/security/passwdprogram.xml @@ -0,0 +1,37 @@ +<samba:parameter name="passwd program" + context="G" + type="string" + advanced="1" developer="1" + xmlns:samba="http://samba.org/common"> + <description> + <para>The name of a program that can be used to set + UNIX user passwords. Any occurrences of <parameter moreinfo="none">%u</parameter> + will be replaced with the user name. The user name is checked for + existence before calling the password changing program.</para> + + <para>Also note that many passwd programs insist in <emphasis>reasonable + </emphasis> passwords, such as a minimum length, or the inclusion + of mixed case chars and digits. This can pose a problem as some clients + (such as Windows for Workgroups) uppercase the password before sending + it.</para> + + <para><emphasis>Note</emphasis> that if the <parameter moreinfo="none">unix + password sync</parameter> parameter is set to <constant>yes + </constant> then this program is called <emphasis>AS ROOT</emphasis> + before the SMB password in the smbpasswd + file is changed. If this UNIX password change fails, then + <command moreinfo="none">smbd</command> will fail to change the SMB password also + (this is by design).</para> + + <para>If the <parameter moreinfo="none">unix password sync</parameter> parameter + is set this parameter <emphasis>MUST USE ABSOLUTE PATHS</emphasis> + for <emphasis>ALL</emphasis> programs called, and must be examined + for security implications. Note that by default <parameter moreinfo="none">unix + password sync</parameter> is set to <constant>no</constant>.</para> + </description> + + <related>unix password symc</related> + + <value type="default"></value> +<value type="example">/bin/passwd %u</value> +</samba:parameter> diff --git a/docs/smbdotconf/security/passwordlevel.xml b/docs/smbdotconf/security/passwordlevel.xml new file mode 100644 index 0000000000..d3a8137678 --- /dev/null +++ b/docs/smbdotconf/security/passwordlevel.xml @@ -0,0 +1,49 @@ +<samba:parameter name="password level" + context="G" + type="integer" + advanced="1" developer="1" + xmlns:samba="http://samba.org/common"> +<description> + <para>Some client/server combinations have difficulty + with mixed-case passwords. One offending client is Windows for + Workgroups, which for some reason forces passwords to upper + case when using the LANMAN1 protocol, but leaves them alone when + using COREPLUS! Another problem child is the Windows 95/98 + family of operating systems. These clients upper case clear + text passwords even when NT LM 0.12 selected by the protocol + negotiation request/response.</para> + + <para>This parameter defines the maximum number of characters + that may be upper case in passwords.</para> + + <para>For example, say the password given was "FRED". If <parameter moreinfo="none"> + password level</parameter> is set to 1, the following combinations + would be tried if "FRED" failed:</para> + + <para>"Fred", "fred", "fRed", "frEd","freD"</para> + + <para>If <parameter moreinfo="none">password level</parameter> was set to 2, + the following combinations would also be tried: </para> + + <para>"FRed", "FrEd", "FreD", "fREd", "fReD", "frED", ..</para> + + <para>And so on.</para> + + <para>The higher value this parameter is set to the more likely + it is that a mixed case password will be matched against a single + case password. However, you should be aware that use of this + parameter reduces security and increases the time taken to + process a new connection.</para> + + <para>A value of zero will cause only two attempts to be + made - the password as is and the password in all-lower case.</para> + + <para>This parameter is used only when using plain-text passwords. It is + not at all used when encrypted passwords as in use (that is the default + since samba-3.0.0). Use this only when <link linkend="ENCRYPTPASSWORDS"> + encrypt passwords = No</link>.</para> +</description> + +<value type="default">0</value> +<value type="example">4</value> +</samba:parameter> diff --git a/docs/smbdotconf/security/passwordserver.xml b/docs/smbdotconf/security/passwordserver.xml new file mode 100644 index 0000000000..19bf015435 --- /dev/null +++ b/docs/smbdotconf/security/passwordserver.xml @@ -0,0 +1,100 @@ +<samba:parameter name="password server" + context="G" + type="list" + advanced="1" wizard="1" developer="1" + xmlns:samba="http://samba.org/common"> +<description> + <para>By specifying the name of another SMB server + or Active Directory domain controller with this option, + and using <command moreinfo="none">security = [ads|domain|server]</command> + it is possible to get Samba to + to do all its username/password validation using a specific remote server.</para> + + <para>This option sets the name or IP address of the password server to use. + New syntax has been added to support defining the port to use when connecting + to the server the case of an ADS realm. To define a port other than the + default LDAP port of 389, add the port number using a colon after the + name or IP address (e.g. 192.168.1.100:389). If you do not specify a port, + Samba will use the standard LDAP port of tcp/389. Note that port numbers + have no effect on password servers for Windows NT 4.0 domains or netbios + connections.</para> + + <para>If parameter is a name, it is looked up using the + parameter <link linkend="NAMERESOLVEORDER"><parameter moreinfo="none">name + resolve order</parameter></link> and so may resolved + by any method and order described in that parameter.</para> + + <para>The password server must be a machine capable of using + the "LM1.2X002" or the "NT LM 0.12" protocol, and it must be in + user level security mode.</para> + + <note><para>Using a password server means your UNIX box (running + Samba) is only as secure as your password server. <emphasis>DO NOT + CHOOSE A PASSWORD SERVER THAT YOU DON'T COMPLETELY TRUST</emphasis>. + </para></note> + + <para>Never point a Samba server at itself for password serving. + This will cause a loop and could lock up your Samba server!</para> + + <para>The name of the password server takes the standard + substitutions, but probably the only useful one is <parameter moreinfo="none">%m + </parameter>, which means the Samba server will use the incoming + client as the password server. If you use this then you better + trust your clients, and you had better restrict them with hosts allow!</para> + + <para>If the <parameter moreinfo="none">security</parameter> parameter is set to + <constant>domain</constant> or <constant>ads</constant>, then the list of machines in this + option must be a list of Primary or Backup Domain controllers for the + Domain or the character '*', as the Samba server is effectively + in that domain, and will use cryptographically authenticated RPC calls + to authenticate the user logging on. The advantage of using <command moreinfo="none"> + security = domain</command> is that if you list several hosts in the + <parameter moreinfo="none">password server</parameter> option then <command moreinfo="none">smbd + </command> will try each in turn till it finds one that responds. This + is useful in case your primary server goes down.</para> + + <para>If the <parameter moreinfo="none">password server</parameter> option is set + to the character '*', then Samba will attempt to auto-locate the + Primary or Backup Domain controllers to authenticate against by + doing a query for the name <constant>WORKGROUP<1C></constant> + and then contacting each server returned in the list of IP + addresses from the name resolution source. </para> + + <para>If the list of servers contains both names/IP's and the '*' + character, the list is treated as a list of preferred + domain controllers, but an auto lookup of all remaining DC's + will be added to the list as well. Samba will not attempt to optimize + this list by locating the closest DC.</para> + + <para>If the <parameter moreinfo="none">security</parameter> parameter is + set to <constant>server</constant>, then there are different + restrictions that <command moreinfo="none">security = domain</command> doesn't + suffer from:</para> + + <itemizedlist> + <listitem> + <para>You may list several password servers in + the <parameter moreinfo="none">password server</parameter> parameter, however if an + <command moreinfo="none">smbd</command> makes a connection to a password server, + and then the password server fails, no more users will be able + to be authenticated from this <command moreinfo="none">smbd</command>. This is a + restriction of the SMB/CIFS protocol when in <command moreinfo="none">security = server + </command> mode and cannot be fixed in Samba.</para> + </listitem> + + <listitem> + <para>If you are using a Windows NT server as your + password server then you will have to ensure that your users + are able to login from the Samba server, as when in <command moreinfo="none"> + security = server</command> mode the network logon will appear to + come from there rather than from the users workstation.</para> + </listitem> + </itemizedlist> +</description> + +<related>security</related> +<value type="default"></value> +<value type="example">NT-PDC, NT-BDC1, NT-BDC2, *</value> +<value type="example">windc.mydomain.com:389 192.168.1.101 *</value> +<value type="example">*</value> +</samba:parameter> diff --git a/docs/smbdotconf/security/preloadmodules.xml b/docs/smbdotconf/security/preloadmodules.xml new file mode 100644 index 0000000000..fb061d2893 --- /dev/null +++ b/docs/smbdotconf/security/preloadmodules.xml @@ -0,0 +1,14 @@ +<samba:parameter name="preload modules" + type="list" + context="G" + basic="1" + xmlns:samba="http://samba.org/common"> +<description> + <para>This is a list of paths to modules that should + be loaded into smbd before a client connects. This improves + the speed of smbd when reacting to new connections somewhat. </para> +</description> + +<value type="default"></value> +<value type="example">/usr/lib/samba/passdb/mysql.so</value> +</samba:parameter> diff --git a/docs/smbdotconf/security/printeradmin.xml b/docs/smbdotconf/security/printeradmin.xml new file mode 100644 index 0000000000..845744a1cb --- /dev/null +++ b/docs/smbdotconf/security/printeradmin.xml @@ -0,0 +1,15 @@ +<samba:parameter name="printer admin" + context="S" + type="list" + print="1" + xmlns:samba="http://samba.org/common"> +<description> + <para>This is a list of users that can do anything to + printers via the remote administration interfaces offered by MS-RPC + (usually using a NT workstation). Note that the root user always + has admin rights.</para> +</description> + +<value type="default"></value> +<value type="example">admin, @staff</value> +</samba:parameter> diff --git a/docs/smbdotconf/security/privatedir.xml b/docs/smbdotconf/security/privatedir.xml new file mode 100644 index 0000000000..52cdde3694 --- /dev/null +++ b/docs/smbdotconf/security/privatedir.xml @@ -0,0 +1,14 @@ +<samba:parameter name="private dir" + context="G" + type="string" + advanced="1" developer="1" + xmlns:samba="http://samba.org/common"> +<description> + <para>This parameters defines the directory + smbd will use for storing such files as <filename moreinfo="none">smbpasswd</filename> + and <filename moreinfo="none">secrets.tdb</filename>. +</para> +</description> + +<value type="default">${prefix}/private</value> +</samba:parameter> diff --git a/docs/smbdotconf/security/readlist.xml b/docs/smbdotconf/security/readlist.xml new file mode 100644 index 0000000000..11b8176955 --- /dev/null +++ b/docs/smbdotconf/security/readlist.xml @@ -0,0 +1,20 @@ +<samba:parameter name="read list" + context="S" + type="list" + xmlns:samba="http://samba.org/common"> +<description> + <para>This is a list of users that are given read-only + access to a service. If the connecting user is in this list then + they will not be given write access, no matter what the <link linkend="READONLY"> + <parameter moreinfo="none">read only</parameter></link> + option is set to. The list can include group names using the + syntax described in the <link linkend="INVALIDUSERS"><parameter moreinfo="none"> + invalid users</parameter></link> parameter.</para> +</description> + +<related>write list</related> +<related>invalid users</related> + +<value type="default"></value> +<value type="example">mary, @students</value> +</samba:parameter> diff --git a/docs/smbdotconf/security/readonly.xml b/docs/smbdotconf/security/readonly.xml new file mode 100644 index 0000000000..c758a617b4 --- /dev/null +++ b/docs/smbdotconf/security/readonly.xml @@ -0,0 +1,20 @@ +<samba:parameter name="read only" + context="S" + type="boolean" + basic="1" advanced="1" + xmlns:samba="http://samba.org/common"> +<description> + <para>An inverted synonym is <link linkend="WRITEABLE"> + <parameter moreinfo="none">writeable</parameter></link>.</para> + + <para>If this parameter is <constant>yes</constant>, then users + of a service may not create or modify files in the service's + directory.</para> + + <para>Note that a printable service (<command moreinfo="none">printable = yes</command>) + will <emphasis>ALWAYS</emphasis> allow writing to the directory + (user privileges permitting), but only via spooling operations.</para> +</description> + +<value type="default">yes</value> +</samba:parameter> diff --git a/docs/smbdotconf/security/restrictanonymous.xml b/docs/smbdotconf/security/restrictanonymous.xml new file mode 100644 index 0000000000..ddcaee896d --- /dev/null +++ b/docs/smbdotconf/security/restrictanonymous.xml @@ -0,0 +1,36 @@ +<samba:parameter name="restrict anonymous" + type="integer" + context="G" + advanced="1" developer="1" + xmlns:samba="http://samba.org/common"> +<description> + <para>The setting of this parameter determines whether user and + group list information is returned for an anonymous connection. + and mirrors the effects of the + <constant>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous</constant> registry key in Windows + 2000 and Windows NT. When set to 0, user and group list + information is returned to anyone who asks. When set + to 1, only an authenticated user can retrive user and + group list information. For the value 2, supported by + Windows 2000/XP and Samba, no anonymous connections are allowed at + all. This can break third party and Microsoft + applications which expect to be allowed to perform + operations anonymously.</para> + + <para> + The security advantage of using restrict anonymous = 1 is dubious, + as user and group list information can be obtained using other + means. + </para> + + <note> + <para> + The security advantage of using restrict anonymous = 2 is removed + by setting <link linkend="GUESTOK"><parameter moreinfo="none">guest + ok</parameter> = yes</link> on any share. + </para> + </note> +</description> + +<value type="default">0</value> +</samba:parameter> diff --git a/docs/smbdotconf/security/rootdirectory.xml b/docs/smbdotconf/security/rootdirectory.xml new file mode 100644 index 0000000000..337eccdda2 --- /dev/null +++ b/docs/smbdotconf/security/rootdirectory.xml @@ -0,0 +1,36 @@ +<samba:parameter name="root directory" + context="G" + type="string" + advanced="1" developer="1" + xmlns:samba="http://samba.org/common"> +<synonym>root</synonym> +<synonym>root dir</synonym> +<description> + <para>The server will <command moreinfo="none">chroot()</command> (i.e. + Change its root directory) to this directory on startup. This is + not strictly necessary for secure operation. Even without it the + server will deny access to files not in one of the service entries. + It may also check for, and deny access to, soft links to other + parts of the filesystem, or attempts to use ".." in file names + to access other directories (depending on the setting of the <link linkend="WIDELINKS"> + <parameter moreinfo="none">wide links</parameter></link> + parameter). + </para> + + <para>Adding a <parameter moreinfo="none">root directory</parameter> entry other + than "/" adds an extra level of security, but at a price. It + absolutely ensures that no access is given to files not in the + sub-tree specified in the <parameter moreinfo="none">root directory</parameter> + option, <emphasis>including</emphasis> some files needed for + complete operation of the server. To maintain full operability + of the server you will need to mirror some system files + into the <parameter moreinfo="none">root directory</parameter> tree. In particular + you will need to mirror <filename moreinfo="none">/etc/passwd</filename> (or a + subset of it), and any binaries or configuration files needed for + printing (if required). The set of files that must be mirrored is + operating system dependent.</para> +</description> + +<value type="default">/</value> +<value type="example">/homes/smb</value> +</samba:parameter> diff --git a/docs/smbdotconf/security/security.xml b/docs/smbdotconf/security/security.xml new file mode 100644 index 0000000000..b029c0fa67 --- /dev/null +++ b/docs/smbdotconf/security/security.xml @@ -0,0 +1,268 @@ +<samba:parameter name="security" + context="G" + type="enum" + basic="1" advanced="1" wizard="1" developer="1" + xmlns:samba="http://samba.org/common"> +<description> + <para>This option affects how clients respond to + Samba and is one of the most important settings in the <filename moreinfo="none"> + smb.conf</filename> file.</para> + + <para>The option sets the "security mode bit" in replies to + protocol negotiations with <citerefentry><refentrytitle>smbd</refentrytitle> + <manvolnum>8</manvolnum></citerefentry> to turn share level security on or off. Clients decide + based on this bit whether (and how) to transfer user and password + information to the server.</para> + + + <para>The default is <command moreinfo="none">security = user</command>, as this is + the most common setting needed when talking to Windows 98 and + Windows NT.</para> + + <para>The alternatives are <command moreinfo="none">security = share</command>, + <command moreinfo="none">security = server</command> or <command moreinfo="none">security = domain + </command>.</para> + + <para>In versions of Samba prior to 2.0.0, the default was + <command moreinfo="none">security = share</command> mainly because that was + the only option at one stage.</para> + + <para>There is a bug in WfWg that has relevance to this + setting. When in user or server level security a WfWg client + will totally ignore the password you type in the "connect + drive" dialog box. This makes it very difficult (if not impossible) + to connect to a Samba service as anyone except the user that + you are logged into WfWg as.</para> + + <para>If your PCs use usernames that are the same as their + usernames on the UNIX machine then you will want to use + <command moreinfo="none">security = user</command>. If you mostly use usernames + that don't exist on the UNIX box then use <command moreinfo="none">security = + share</command>.</para> + + <para>You should also use <command moreinfo="none">security = share</command> if you + want to mainly setup shares without a password (guest shares). This + is commonly used for a shared printer server. It is more difficult + to setup guest shares with <command moreinfo="none">security = user</command>, see + the <link linkend="MAPTOGUEST"><parameter moreinfo="none">map to guest</parameter> + </link>parameter for details.</para> + + <para>It is possible to use <command moreinfo="none">smbd</command> in a <emphasis> + hybrid mode</emphasis> where it is offers both user and share + level security under different <link linkend="NETBIOSALIASES"> + <parameter moreinfo="none">NetBIOS aliases</parameter></link>. </para> + + <para>The different settings will now be explained.</para> + + + <para><anchor id="SECURITYEQUALSSHARE"/><emphasis>SECURITY = SHARE</emphasis></para> + + <para>When clients connect to a share level security server they + need not log onto the server with a valid username and password before + attempting to connect to a shared resource (although modern clients + such as Windows 95/98 and Windows NT will send a logon request with + a username but no password when talking to a <command moreinfo="none">security = share + </command> server). Instead, the clients send authentication information + (passwords) on a per-share basis, at the time they attempt to connect + to that share.</para> + + <para>Note that <command moreinfo="none">smbd</command> <emphasis>ALWAYS</emphasis> + uses a valid UNIX user to act on behalf of the client, even in + <command moreinfo="none">security = share</command> level security.</para> + + <para>As clients are not required to send a username to the server + in share level security, <command moreinfo="none">smbd</command> uses several + techniques to determine the correct UNIX user to use on behalf + of the client.</para> + + <para>A list of possible UNIX usernames to match with the given + client password is constructed using the following methods :</para> + + <itemizedlist> + <listitem> + <para>If the <link linkend="GUESTONLY"><parameter moreinfo="none">guest + only</parameter></link> parameter is set, then all the other + stages are missed and only the <link linkend="GUESTACCOUNT"> + <parameter moreinfo="none">guest account</parameter></link> username is checked. + </para> + </listitem> + + <listitem> + <para>Is a username is sent with the share connection + request, then this username (after mapping - see <link linkend="USERNAMEMAP"> + <parameter moreinfo="none">username map</parameter></link>), + is added as a potential username. + </para> + </listitem> + + <listitem> + <para>If the client did a previous <emphasis>logon + </emphasis> request (the SessionSetup SMB call) then the + username sent in this SMB will be added as a potential username. + </para> + </listitem> + + <listitem> + <para>The name of the service the client requested is + added as a potential username. + </para> + </listitem> + + <listitem> + <para>The NetBIOS name of the client is added to + the list as a potential username. + </para> + </listitem> + + <listitem> + <para>Any users on the <link linkend="USER"><parameter moreinfo="none"> + user</parameter></link> list are added as potential usernames. + </para> + </listitem> + </itemizedlist> + + <para>If the <parameter moreinfo="none">guest only</parameter> parameter is + not set, then this list is then tried with the supplied password. + The first user for whom the password matches will be used as the + UNIX user.</para> + + <para>If the <parameter moreinfo="none">guest only</parameter> parameter is + set, or no username can be determined then if the share is marked + as available to the <parameter moreinfo="none">guest account</parameter>, then this + guest user will be used, otherwise access is denied.</para> + + <para>Note that it can be <emphasis>very</emphasis> confusing + in share-level security as to which UNIX username will eventually + be used in granting access.</para> + + <para>See also the section <link linkend="VALIDATIONSECT"> + NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para> + + <para><anchor id="SECURITYEQUALSUSER"/><emphasis>SECURITY = USER</emphasis></para> + + <para>This is the default security setting in Samba 3.0. + With user-level security a client must first "log-on" with a + valid username and password (which can be mapped using the <link linkend="USERNAMEMAP"> + <parameter moreinfo="none">username map</parameter></link> + parameter). Encrypted passwords (see the <link linkend="ENCRYPTPASSWORDS"> + <parameter moreinfo="none">encrypted passwords</parameter></link> parameter) can also + be used in this security mode. Parameters such as <link linkend="USER"> + <parameter moreinfo="none">user</parameter></link> and <link linkend="GUESTONLY"> + <parameter moreinfo="none">guest only</parameter></link> if set are then applied and + may change the UNIX user to use on this connection, but only after + the user has been successfully authenticated.</para> + + <para><emphasis>Note</emphasis> that the name of the resource being + requested is <emphasis>not</emphasis> sent to the server until after + the server has successfully authenticated the client. This is why + guest shares don't work in user level security without allowing + the server to automatically map unknown users into the <link linkend="GUESTACCOUNT"> + <parameter moreinfo="none">guest account</parameter></link>. + See the <link linkend="MAPTOGUEST"><parameter moreinfo="none">map to guest</parameter> + </link> parameter for details on doing this.</para> + + <para>See also the section <link linkend="VALIDATIONSECT"> + NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para> + + <para><anchor id="SECURITYEQUALSDOMAIN"/><emphasis>SECURITY = DOMAIN</emphasis></para> + + <para>This mode will only work correctly if <citerefentry><refentrytitle>net</refentrytitle> + <manvolnum>8</manvolnum></citerefentry> has been used to add this + machine into a Windows NT Domain. It expects the <link linkend="ENCRYPTPASSWORDS"> + <parameter moreinfo="none">encrypted passwords</parameter> + </link> parameter to be set to <constant>yes</constant>. In this + mode Samba will try to validate the username/password by passing + it to a Windows NT Primary or Backup Domain Controller, in exactly + the same way that a Windows NT Server would do.</para> + + <para><emphasis>Note</emphasis> that a valid UNIX user must still + exist as well as the account on the Domain Controller to allow + Samba to have a valid UNIX account to map file access to.</para> + + <para><emphasis>Note</emphasis> that from the client's point + of view <command moreinfo="none">security = domain</command> is the same + as <command moreinfo="none">security = user</command>. It only + affects how the server deals with the authentication, + it does not in any way affect what the client sees.</para> + + <para><emphasis>Note</emphasis> that the name of the resource being + requested is <emphasis>not</emphasis> sent to the server until after + the server has successfully authenticated the client. This is why + guest shares don't work in user level security without allowing + the server to automatically map unknown users into the <link linkend="GUESTACCOUNT"> + <parameter moreinfo="none">guest account</parameter></link>. + See the <link linkend="MAPTOGUEST"><parameter moreinfo="none">map to guest</parameter> + </link> parameter for details on doing this.</para> + + <para>See also the section <link linkend="VALIDATIONSECT"> + NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para> + + <para>See also the <link linkend="PASSWORDSERVER"><parameter moreinfo="none">password + server</parameter></link> parameter and the <link linkend="ENCRYPTPASSWORDS"> + <parameter moreinfo="none">encrypted passwords</parameter> + </link> parameter.</para> + + <para><anchor id="SECURITYEQUALSSERVER"/><emphasis>SECURITY = SERVER</emphasis></para> + + <para>In this mode Samba will try to validate the username/password + by passing it to another SMB server, such as an NT box. If this + fails it will revert to <command moreinfo="none">security = + user</command>. It expects the <link linkend="ENCRYPTPASSWORDS"> + <parameter moreinfo="none">encrypted passwords</parameter></link> parameter + to be set to <constant>yes</constant>, unless the remote server + does not support them. However note that if encrypted passwords have been + negotiated then Samba cannot revert back to checking the UNIX password file, + it must have a valid <filename moreinfo="none">smbpasswd</filename> file to check + users against. See the chapter about the User Database in the Samba HOWTO Collection for details on how to set this up.</para> + + <note><para>This mode of operation has + significant pitfalls, due to the fact that is activly initiates a + man-in-the-middle attack on the remote SMB server. In particular, + this mode of operation can cause significant resource consuption on + the PDC, as it must maintain an active connection for the duration + of the user's session. Furthermore, if this connection is lost, + there is no way to reestablish it, and futher authenticaions to the + Samba server may fail. (From a single client, till it disconnects). + </para></note> + + <note><para>From the client's point of + view <command moreinfo="none">security = server</command> is the + same as <command moreinfo="none">security = user</command>. It + only affects how the server deals with the authentication, it does + not in any way affect what the client sees.</para></note> + + <para><emphasis>Note</emphasis> that the name of the resource being + requested is <emphasis>not</emphasis> sent to the server until after + the server has successfully authenticated the client. This is why + guest shares don't work in user level security without allowing + the server to automatically map unknown users into the <link linkend="GUESTACCOUNT"> + <parameter moreinfo="none">guest account</parameter></link>. + See the <link linkend="MAPTOGUEST"><parameter moreinfo="none">map to guest</parameter> + </link> parameter for details on doing this.</para> + + <para>See also the section <link linkend="VALIDATIONSECT"> + NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para> + + <para>See also the <link linkend="PASSWORDSERVER"><parameter moreinfo="none">password + server</parameter></link> parameter and the <link linkend="ENCRYPTPASSWORDS"> + <parameter moreinfo="none">encrypted passwords</parameter></link> parameter.</para> + + <para><anchor id="SECURITYEQUALSADS"/><emphasis>SECURITY = ADS</emphasis></para> + + <para>In this mode, Samba will act as a domain member in an ADS realm. To operate + in this mode, the machine running Samba will need to have Kerberos installed + and configured and Samba will need to be joined to the ADS realm using the + net utility. </para> + + <para>Note that this mode does NOT make Samba operate as a Active Directory Domain + Controller. </para> + + <para>Read the chapter about Domain Membership in the HOWTO for details.</para> +</description> + +<related>realm</related> +<related>encrypt passwords</related> + +<value type="default">USER</value> +<value type="example">DOMAIN</value> +</samba:parameter> diff --git a/docs/smbdotconf/security/securitymask.xml b/docs/smbdotconf/security/securitymask.xml new file mode 100644 index 0000000000..39c5633622 --- /dev/null +++ b/docs/smbdotconf/security/securitymask.xml @@ -0,0 +1,34 @@ +<samba:parameter name="security mask" + context="S" + type="string" + xmlns:samba="http://samba.org/common"> +<description> + <para>This parameter controls what UNIX permission + bits can be modified when a Windows NT client is manipulating + the UNIX permission on a file using the native NT security + dialog box.</para> + + <para>This parameter is applied as a mask (AND'ed with) to + the changed permission bits, thus preventing any bits not in + this mask from being modified. Essentially, zero bits in this + mask may be treated as a set of bits the user is not allowed + to change.</para> + + <para>If not set explicitly this parameter is 0777, allowing + a user to modify all the user/group/world permissions on a file. + </para> + + <para><emphasis>Note</emphasis> that users who can access the + Samba server through other means can easily bypass this + restriction, so it is primarily useful for standalone + "appliance" systems. Administrators of most normal systems will + probably want to leave it set to <constant>0777</constant>.</para> +</description> + +<related>force directory security mode</related> +<related>directory security mask</related> +<related>force security mode</related> + +<value type="default">0777</value> +<value type="example">0770</value> +</samba:parameter> diff --git a/docs/smbdotconf/security/serverschannel.xml b/docs/smbdotconf/security/serverschannel.xml new file mode 100644 index 0000000000..8aecc32daa --- /dev/null +++ b/docs/smbdotconf/security/serverschannel.xml @@ -0,0 +1,25 @@ +<samba:parameter name="server schannel" + context="G" + type="boolean-auto" + basic="1" + xmlns:samba="http://samba.org/common"> +<description> + <para>This controls whether the server offers or even + demands the use of the netlogon schannel. + <parameter>server schannel = no</parameter> does not + offer the schannel, <parameter>server schannel = + auto</parameter> offers the schannel but does not + enforce it, and <parameter>server schannel = + yes</parameter> denies access if the client is not + able to speak netlogon schannel. This is only the case + for Windows NT4 before SP4.</para> + + <para>Please note that with this set to + <parameter>no</parameter> you will have to apply the + WindowsXP requireSignOrSeal-Registry patch found in + the docs/Registry subdirectory.</para> +</description> + +<value type="default">auto</value> +<value type="example">yes</value> +</samba:parameter> diff --git a/docs/smbdotconf/security/serversigning.xml b/docs/smbdotconf/security/serversigning.xml new file mode 100644 index 0000000000..b03797ef53 --- /dev/null +++ b/docs/smbdotconf/security/serversigning.xml @@ -0,0 +1,20 @@ +<samba:parameter name="server signing" + context="G" + type="enum" + basic="1" + xmlns:samba="http://samba.org/common"> +<description> + + <para>This controls whether the server offers or requires + the client it talks to to use SMB signing. Possible values + are <emphasis>auto</emphasis>, <emphasis>mandatory</emphasis> + and <emphasis>disabled</emphasis>. + </para> + + <para>When set to auto, SMB signing is offered, but not enforced. + When set to mandatory, SMB signing is required and if set + to disabled, SMB signing is not offered either.</para> +</description> + +<value type="default">Disabled</value> +</samba:parameter> diff --git a/docs/smbdotconf/security/smbpasswdfile.xml b/docs/smbdotconf/security/smbpasswdfile.xml new file mode 100644 index 0000000000..252887de00 --- /dev/null +++ b/docs/smbdotconf/security/smbpasswdfile.xml @@ -0,0 +1,13 @@ +<samba:parameter name="smb passwd file" + type="string" + context="G" + advanced="1" developer="1" + xmlns:samba="http://samba.org/common"> +<description> + <para>This option sets the path to the encrypted smbpasswd file. By + default the path to the smbpasswd file is compiled into Samba.</para> +</description> + +<value type="default">${prefix}/private/smbpasswd</value> +<value type="example">/etc/samba/smbpasswd</value> +</samba:parameter> diff --git a/docs/smbdotconf/security/unixpasswordsync.xml b/docs/smbdotconf/security/unixpasswordsync.xml new file mode 100644 index 0000000000..9877af80d6 --- /dev/null +++ b/docs/smbdotconf/security/unixpasswordsync.xml @@ -0,0 +1,21 @@ +<samba:parameter name="unix password sync" + context="G" + type="boolean" + advanced="1" developer="1" + xmlns:samba="http://samba.org/common"> +<description> + <para>This boolean parameter controls whether Samba + attempts to synchronize the UNIX password with the SMB password + when the encrypted SMB password in the smbpasswd file is changed. + If this is set to <constant>yes</constant> the program specified in the <parameter moreinfo="none">passwd + program</parameter>parameter is called <emphasis>AS ROOT</emphasis> - + to allow the new UNIX password to be set without access to the + old UNIX password (as the SMB password change code has no + access to the old password cleartext, only the new).</para> +</description> + +<related>passwd program</related> +<related>passwd chat</related> + +<value type="default">no</value> +</samba:parameter> diff --git a/docs/smbdotconf/security/updateencrypted.xml b/docs/smbdotconf/security/updateencrypted.xml new file mode 100644 index 0000000000..551f4338f6 --- /dev/null +++ b/docs/smbdotconf/security/updateencrypted.xml @@ -0,0 +1,34 @@ +<samba:parameter name="update encrypted" + context="G" + type="boolean" + basic="1" advanced="1" developer="1" + xmlns:samba="http://samba.org/common"> +<description> + + <para>This boolean parameter allows a user logging on with + a plaintext password to have their encrypted (hashed) password in + the smbpasswd file to be updated automatically as they log + on. This option allows a site to migrate from plaintext + password authentication (users authenticate with plaintext + password over the wire, and are checked against a UNIX account + database) to encrypted password authentication (the SMB + challenge/response authentication mechanism) without forcing all + users to re-enter their passwords via smbpasswd at the time the + change is made. This is a convenience option to allow the change + over to encrypted passwords to be made over a longer period. + Once all users have encrypted representations of their passwords + in the smbpasswd file this parameter should be set to + <constant>no</constant>.</para> + + <para>In order for this parameter to work correctly the <link linkend="ENCRYPTPASSWORDS"> + <parameter moreinfo="none">encrypt passwords</parameter></link> parameter must + be set to <constant>no</constant> when this parameter is set to <constant>yes</constant>.</para> + + <para>Note that even when this parameter is set a user + authenticating to <command moreinfo="none">smbd</command> must still enter a valid + password in order to connect correctly, and to update their hashed + (smbpasswd) passwords.</para> +</description> + +<value type="default">no</value> +</samba:parameter> diff --git a/docs/smbdotconf/security/username.xml b/docs/smbdotconf/security/username.xml new file mode 100644 index 0000000000..a734b509b8 --- /dev/null +++ b/docs/smbdotconf/security/username.xml @@ -0,0 +1,66 @@ +<samba:parameter name="username" + context="S" + type="string" + xmlns:samba="http://samba.org/common"> +<synonym>user</synonym> +<synonym>users</synonym> +<description> + <para>Multiple users may be specified in a comma-delimited + list, in which case the supplied password will be tested against + each username in turn (left to right).</para> + + <para>The <parameter moreinfo="none">username</parameter> line is needed only when + the PC is unable to supply its own username. This is the case + for the COREPLUS protocol or where your users have different WfWg + usernames to UNIX usernames. In both these cases you may also be + better using the \\server\share%user syntax instead.</para> + + <para>The <parameter moreinfo="none">username</parameter> line is not a great + solution in many cases as it means Samba will try to validate + the supplied password against each of the usernames in the + <parameter moreinfo="none">username</parameter> line in turn. This is slow and + a bad idea for lots of users in case of duplicate passwords. + You may get timeouts or security breaches using this parameter + unwisely.</para> + + <para>Samba relies on the underlying UNIX security. This + parameter does not restrict who can login, it just offers hints + to the Samba server as to what usernames might correspond to the + supplied password. Users can login as whoever they please and + they will be able to do no more damage than if they started a + telnet session. The daemon runs as the user that they log in as, + so they cannot do anything that user cannot do.</para> + + <para>To restrict a service to a particular set of users you + can use the <link linkend="VALIDUSERS"><parameter moreinfo="none">valid users + </parameter></link> parameter.</para> + + <para>If any of the usernames begin with a '@' then the name + will be looked up first in the NIS netgroups list (if Samba + is compiled with netgroup support), followed by a lookup in + the UNIX groups database and will expand to a list of all users + in the group of that name.</para> + + <para>If any of the usernames begin with a '+' then the name + will be looked up only in the UNIX groups database and will + expand to a list of all users in the group of that name.</para> + + <para>If any of the usernames begin with a '&' then the name + will be looked up only in the NIS netgroups database (if Samba + is compiled with netgroup support) and will expand to a list + of all users in the netgroup group of that name.</para> + + <para>Note that searching though a groups database can take + quite some time, and some clients may time out during the + search.</para> + + <para>See the section <link linkend="VALIDATIONSECT">NOTE ABOUT + USERNAME/PASSWORD VALIDATION</link> for more information on how +this parameter determines access to the services.</para> +</description> + +<value type="default"><comment>The guest account if a guest service, + else <empty string>.</comment></value> + +<value type="example">fred, mary, jack, jane, @users, @pcgroup</value> +</samba:parameter> diff --git a/docs/smbdotconf/security/usernamelevel.xml b/docs/smbdotconf/security/usernamelevel.xml new file mode 100644 index 0000000000..0a5344c75f --- /dev/null +++ b/docs/smbdotconf/security/usernamelevel.xml @@ -0,0 +1,27 @@ +<samba:parameter name="username level" + context="G" + advanced="1" developer="1" + type="integer" + xmlns:samba="http://samba.org/common"> +<description> + <para>This option helps Samba to try and 'guess' at + the real UNIX username, as many DOS clients send an all-uppercase + username. By default Samba tries all lowercase, followed by the + username with the first letter capitalized, and fails if the + username is not found on the UNIX machine.</para> + + <para>If this parameter is set to non-zero the behavior changes. + This parameter is a number that specifies the number of uppercase + combinations to try while trying to determine the UNIX user name. The + higher the number the more combinations will be tried, but the slower + the discovery of usernames will be. Use this parameter when you have + strange usernames on your UNIX machine, such as <constant>AstrangeUser + </constant>.</para> + + <para>This parameter is needed only on UNIX systems that have case + sensitive usernames.</para> +</description> + +<value type="default">0</value> +<value type="example">5</value> +</samba:parameter> diff --git a/docs/smbdotconf/security/usernamemap.xml b/docs/smbdotconf/security/usernamemap.xml new file mode 100644 index 0000000000..1dae4f0932 --- /dev/null +++ b/docs/smbdotconf/security/usernamemap.xml @@ -0,0 +1,91 @@ +<samba:parameter name="username map" + context="G" + advanced="1" developer="1" + type="string" + xmlns:samba="http://samba.org/common"> +<description> + <para>This option allows you to specify a file containing + a mapping of usernames from the clients to the server. This can be + used for several purposes. The most common is to map usernames + that users use on DOS or Windows machines to those that the UNIX + box uses. The other is to map multiple users to a single username + so that they can more easily share files.</para> + + <para>The map file is parsed line by line. Each line should + contain a single UNIX username on the left then a '=' followed + by a list of usernames on the right. The list of usernames on the + right may contain names of the form @group in which case they + will match any UNIX username in that group. The special client + name '*' is a wildcard and matches any name. Each line of the + map file may be up to 1023 characters long.</para> + + <para>The file is processed on each line by taking the + supplied username and comparing it with each username on the right + hand side of the '=' signs. If the supplied name matches any of + the names on the right hand side then it is replaced with the name + on the left. Processing then continues with the next line.</para> + + <para>If any line begins with a '#' or a ';' then it is ignored</para> + + <para>If any line begins with an '!' then the processing + will stop after that line if a mapping was done by the line. + Otherwise mapping continues with every line being processed. + Using '!' is most useful when you have a wildcard mapping line + later in the file.</para> + + <para>For example to map from the name <constant>admin</constant> + or <constant>administrator</constant> to the UNIX name <constant> + root</constant> you would use:</para> + + <para><command moreinfo="none">root = admin administrator</command></para> + + <para>Or to map anyone in the UNIX group <constant>system</constant> + to the UNIX name <constant>sys</constant> you would use:</para> + + <para><command moreinfo="none">sys = @system</command></para> + + <para>You can have as many mappings as you like in a username map file.</para> + + + <para>If your system supports the NIS NETGROUP option then + the netgroup database is checked before the <filename moreinfo="none">/etc/group + </filename> database for matching groups.</para> + + <para>You can map Windows usernames that have spaces in them + by using double quotes around the name. For example:</para> + + <para><command moreinfo="none">tridge = "Andrew Tridgell"</command></para> + + <para>would map the windows username "Andrew Tridgell" to the + unix username "tridge".</para> + + <para>The following example would map mary and fred to the + unix user sys, and map the rest to guest. Note the use of the + '!' to tell Samba to stop processing if it gets a match on + that line.</para> + +<para><programlisting format="linespecific"> +!sys = mary fred +guest = * +</programlisting></para> + + <para>Note that the remapping is applied to all occurrences + of usernames. Thus if you connect to \\server\fred and <constant> + fred</constant> is remapped to <constant>mary</constant> then you + will actually be connecting to \\server\mary and will need to + supply a password suitable for <constant>mary</constant> not + <constant>fred</constant>. The only exception to this is the + username passed to the <link linkend="PASSWORDSERVER"><parameter moreinfo="none"> + password server</parameter></link> (if you have one). The password + server will receive whatever username the client supplies without + modification.</para> + + <para>Also note that no reverse mapping is done. The main effect + this has is with printing. Users who have been mapped may have + trouble deleting print jobs as PrintManager under WfWg will think + they don't own the print job.</para> +</description> + +<value type="default"><comment>no username map</comment></value> +<value type="example">/usr/local/samba/lib/users.map</value> +</samba:parameter> diff --git a/docs/smbdotconf/security/validusers.xml b/docs/smbdotconf/security/validusers.xml new file mode 100644 index 0000000000..28cc576e67 --- /dev/null +++ b/docs/smbdotconf/security/validusers.xml @@ -0,0 +1,23 @@ +<samba:parameter name="valid users" + context="S" + type="list" + xmlns:samba="http://samba.org/common"> +<description> + <para>This is a list of users that should be allowed + to login to this service. Names starting with '@', '+' and '&' + are interpreted using the same rules as described in the + <parameter moreinfo="none">invalid users</parameter> parameter.</para> + + <para>If this is empty (the default) then any user can login. + If a username is in both this list and the <parameter moreinfo="none">invalid + users</parameter> list then access is denied for that user.</para> + + <para>The current servicename is substituted for <parameter moreinfo="none">%S + </parameter>. This is useful in the [homes] section.</para> +</description> + +<related>invalid users</related> + +<value type="default"><comment>No valid users list (anyone can login) </comment></value> +<value type="example">greg, @pcusers</value> +</samba:parameter> diff --git a/docs/smbdotconf/security/writeable.xml b/docs/smbdotconf/security/writeable.xml new file mode 100644 index 0000000000..c38d6026ba --- /dev/null +++ b/docs/smbdotconf/security/writeable.xml @@ -0,0 +1,10 @@ +<samba:parameter name="writeable" + context="S" + type="boolean" + xmlns:samba="http://samba.org/common"> +<synonym>writable</synonym> +<description> + <para>Inverted synonym for <link linkend="READONLY"> + <parameter moreinfo="none">read only</parameter></link>.</para> +</description> +</samba:parameter> diff --git a/docs/smbdotconf/security/writelist.xml b/docs/smbdotconf/security/writelist.xml new file mode 100644 index 0000000000..ad72bc19f2 --- /dev/null +++ b/docs/smbdotconf/security/writelist.xml @@ -0,0 +1,21 @@ +<samba:parameter name="write list" + context="S" + type="list" + xmlns:samba="http://samba.org/common"> +<description> + <para>This is a list of users that are given read-write + access to a service. If the connecting user is in this list then + they will be given write access, no matter what the <link linkend="READONLY"> + <parameter moreinfo="none">read only</parameter></link> + option is set to. The list can include group names using the + @group syntax.</para> + + <para>Note that if a user is in both the read list and the + write list then they will be given write access.</para> +</description> + +<related>read list</related> + +<value type="default"></value> +<value type="example">admin, root, @staff</value> +</samba:parameter> |