diff options
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/docbook/manpages/smb.conf.5.sgml | 363 |
1 files changed, 2 insertions, 361 deletions
diff --git a/docs/docbook/manpages/smb.conf.5.sgml b/docs/docbook/manpages/smb.conf.5.sgml index ba4495e34f..a9963b72ce 100644 --- a/docs/docbook/manpages/smb.conf.5.sgml +++ b/docs/docbook/manpages/smb.conf.5.sgml @@ -729,24 +729,6 @@ <listitem><para><link linkend="SOCKETOPTIONS"><parameter>socket options</parameter></link></para></listitem> <listitem><para><link linkend="SOURCEENVIRONMENT"><parameter>source environment</parameter></link></para></listitem> - <listitem><para><link linkend="SSL"><parameter>ssl</parameter></link></para></listitem> - <listitem><para><link linkend="SSLCACERTDIR"><parameter>ssl CA certDir</parameter></link></para></listitem> - <listitem><para><link linkend="SSLCACERTFILE"><parameter>ssl CA certFile</parameter></link></para></listitem> - <listitem><para><link linkend="SSLCIPHERS"><parameter>ssl ciphers</parameter></link></para></listitem> - <listitem><para><link linkend="SSLCLIENTCERT"><parameter>ssl client cert</parameter></link></para></listitem> - <listitem><para><link linkend="SSLCLIENTKEY"><parameter>ssl client key</parameter></link></para></listitem> - <listitem><para><link linkend="SSLCOMPATIBILITY"><parameter>ssl compatibility</parameter></link></para></listitem> - <listitem><para><link linkend="SSLEGDSOCKET"><parameter>ssl egd socket</parameter></link></para></listitem> - <listitem><para><link linkend="SSLENTROPYBYTES"><parameter>ssl entropy bytes</parameter></link></para></listitem> - <listitem><para><link linkend="SSLENTROPYFILE"><parameter>ssl entropy file</parameter></link></para></listitem> - <listitem><para><link linkend="SSLHOSTS"><parameter>ssl hosts</parameter></link></para></listitem> - <listitem><para><link linkend="SSLHOSTSRESIGN"><parameter>ssl hosts resign</parameter></link></para></listitem> - <listitem><para><link linkend="SSLREQUIRECLIENTCERT"><parameter>ssl require clientcert</parameter></link></para></listitem> - <listitem><para><link linkend="SSLREQUIRESERVERCERT"><parameter>ssl require servercert</parameter></link></para></listitem> - <listitem><para><link linkend="SSLSERVERCERT"><parameter>ssl server cert</parameter></link></para></listitem> - <listitem><para><link linkend="SSLSERVERKEY"><parameter>ssl server key</parameter></link></para></listitem> - <listitem><para><link linkend="SSLVERSION"><parameter>ssl version</parameter></link></para></listitem> - <listitem><para><link linkend="STATCACHE"><parameter>stat cache</parameter></link></para></listitem> <listitem><para><link linkend="STATCACHESIZE"><parameter>stat cache size</parameter></link></para></listitem> <listitem><para><link linkend="STRIPDOT"><parameter>strip dot</parameter></link></para></listitem> @@ -3387,9 +3369,9 @@ This option is used to define whether or not Samba should use SSL when connecting to the <link linkend="LDAPSERVER"><parameter>ldap server</parameter></link>. This is <emphasis>NOT</emphasis> related to - Samba SSL support which is enabled by specifying the + Samba's previous SSL support which was enabled by specifying the <command>--with-ssl</command> option to the <filename>configure</filename> - script (see <link linkend="SSL"><parameter>ssl</parameter></link>). + script. </para> <para> @@ -7031,347 +7013,6 @@ <varlistentry> - <term><anchor id="SSL">ssl (G)</term> - <listitem><para>This variable is part of SSL-enabled Samba. This - is only available if the SSL libraries have been compiled on your - system and the configure option <command>--with-ssl</command> was - given at configure time.</para> - - <para>This variable enables or disables the entire SSL mode. If - it is set to <constant>no</constant>, the SSL-enabled Samba behaves - exactly like the non-SSL Samba. If set to <constant>yes</constant>, - it depends on the variables <link linkend="SSLHOSTS"><parameter> - ssl hosts</parameter></link> and <link linkend="SSLHOSTSRESIGN"> - <parameter>ssl hosts resign</parameter></link> whether an SSL - connection will be required.</para> - - <para>Default: <command>ssl = no</command></para> - </listitem> - </varlistentry> - - - - <varlistentry> - <term><anchor id="SSLCACERTDIR">ssl CA certDir (G)</term> - <listitem><para>This variable is part of SSL-enabled Samba. This - is only available if the SSL libraries have been compiled on your - system and the configure option <command>--with-ssl</command> was - given at configure time.</para> - - <para>This variable defines where to look up the Certification - Authorities. The given directory should contain one file for - each CA that Samba will trust. The file name must be the hash - value over the "Distinguished Name" of the CA. How this directory - is set up is explained later in this document. All files within the - directory that don't fit into this naming scheme are ignored. You - don't need this variable if you don't verify client certificates.</para> - - <para>Default: <command>ssl CA certDir = /usr/local/ssl/certs - </command></para> - </listitem> - </varlistentry> - - - - <varlistentry> - <term><anchor id="SSLCACERTFILE">ssl CA certFile (G)</term> - <listitem><para>This variable is part of SSL-enabled Samba. This - is only available if the SSL libraries have been compiled on your - system and the configure option <command>--with-ssl</command> was - given at configure time.</para> - - <para>This variable is a second way to define the trusted CAs. - The certificates of the trusted CAs are collected in one big - file and this variable points to the file. You will probably - only use one of the two ways to define your CAs. The first choice is - preferable if you have many CAs or want to be flexible, the second - is preferable if you only have one CA and want to keep things - simple (you won't need to create the hashed file names). You - don't need this variable if you don't verify client certificates.</para> - - <para>Default: <command>ssl CA certFile = /usr/local/ssl/certs/trustedCAs.pem - </command></para> - </listitem> - </varlistentry> - - - - <varlistentry> - <term><anchor id="SSLCIPHERS">ssl ciphers (G)</term> - <listitem><para>This variable is part of SSL-enabled Samba. This - is only available if the SSL libraries have been compiled on your - system and the configure option <command>--with-ssl</command> was - given at configure time.</para> - - <para>This variable defines the ciphers that should be offered - during SSL negotiation. You should not set this variable unless - you know what you are doing.</para> - </listitem> - </varlistentry> - - - <varlistentry> - <term><anchor id="SSLCLIENTCERT">ssl client cert (G)</term> - <listitem><para>This variable is part of SSL-enabled Samba. This - is only available if the SSL libraries have been compiled on your - system and the configure option <command>--with-ssl</command> was - given at configure time.</para> - - <para>The certificate in this file is used by <ulink url="smbclient.1.html"> - <command>smbclient(1)</command></ulink> if it exists. It's needed - if the server requires a client certificate.</para> - - <para>Default: <command>ssl client cert = /usr/local/ssl/certs/smbclient.pem - </command></para> - </listitem> - </varlistentry> - - - - <varlistentry> - <term><anchor id="SSLCLIENTKEY">ssl client key (G)</term> - <listitem><para>This variable is part of SSL-enabled Samba. This - is only available if the SSL libraries have been compiled on your - system and the configure option <command>--with-ssl</command> was - given at configure time.</para> - - <para>This is the private key for <ulink url="smbclient.1.html"> - <command>smbclient(1)</command></ulink>. It's only needed if the - client should have a certificate. </para> - - <para>Default: <command>ssl client key = /usr/local/ssl/private/smbclient.pem - </command></para> - </listitem> - </varlistentry> - - - - <varlistentry> - <term><anchor id="SSLCOMPATIBILITY">ssl compatibility (G)</term> - <listitem><para>This variable is part of SSL-enabled Samba. This - is only available if the SSL libraries have been compiled on your - system and the configure option <command>--with-ssl</command> was - given at configure time.</para> - - <para>This variable defines whether OpenSSL should be configured - for bug compatibility with other SSL implementations. This is - probably not desirable because currently no clients with SSL - implementations other than OpenSSL exist.</para> - - <para>Default: <command>ssl compatibility = no</command></para> - </listitem> - </varlistentry> - - - <varlistentry> - <term><anchor id="SSLEGDSOCKET">ssl egd socket (G)</term> - <listitem><para>This variable is part of SSL-enabled Samba. This - is only available if the SSL libraries have been compiled on your - system and the configure option <command>--with-ssl</command> was - given at configure time.</para> - - <para> - This option is used to define the location of the communiation socket of - an EGD or PRNGD daemon, from which entropy can be retrieved. This option - can be used instead of or together with the <link - linkend="SSLENTROPYFILE"><parameter>ssl entropy file</parameter></link> - directive. 255 bytes of entropy will be retrieved from the daemon. - </para> - - <para>Default: <emphasis>none</emphasis></para> - </listitem> - </varlistentry> - - - <varlistentry> - <term><anchor id="SSLENTROPYBYTES">ssl entropy bytes (G)</term> - <listitem><para>This variable is part of SSL-enabled Samba. This - is only available if the SSL libraries have been compiled on your - system and the configure option <command>--with-ssl</command> was - given at configure time.</para> - - <para> - This parameter is used to define the number of bytes which should - be read from the <link linkend="SSLENTROPYFILE"><parameter>ssl entropy - file</parameter></link> If a -1 is specified, the entire file will - be read. - </para> - - <para>Default: <command>ssl entropy bytes = 255</command></para> - </listitem> - </varlistentry> - - - - <varlistentry> - <term><anchor id="SSLENTROPYFILE">ssl entropy file (G)</term> - <listitem><para>This variable is part of SSL-enabled Samba. This - is only available if the SSL libraries have been compiled on your - system and the configure option <command>--with-ssl</command> was - given at configure time.</para> - - <para> - This parameter is used to specify a file from which processes will - read "random bytes" on startup. In order to seed the internal pseudo - random number generator, entropy must be provided. On system with a - <filename>/dev/urandom</filename> device file, the processes - will retrieve its entropy from the kernel. On systems without kernel - entropy support, a file can be supplied that will be read on startup - and that will be used to seed the PRNG. - </para> - - <para>Default: <emphasis>none</emphasis></para> - </listitem> - </varlistentry> - - - - <varlistentry> - <term><anchor id="SSLHOSTS">ssl hosts (G)</term> - <listitem><para>See <link linkend="SSLHOSTSRESIGN"><parameter> - ssl hosts resign</parameter></link>.</para> - </listitem> - </varlistentry> - - - <varlistentry> - <term><anchor id="SSLHOSTSRESIGN">ssl hosts resign (G)</term> - <listitem><para>This variable is part of SSL-enabled Samba. This - is only available if the SSL libraries have been compiled on your - system and the configure option <command>--with-ssl</command> was - given at configure time.</para> - - <para>These two variables define whether Samba will go - into SSL mode or not. If none of them is defined, Samba will - allow only SSL connections. If the <link linkend="SSLHOSTS"> - <parameter>ssl hosts</parameter></link> variable lists - hosts (by IP-address, IP-address range, net group or name), - only these hosts will be forced into SSL mode. If the <parameter> - ssl hosts resign</parameter> variable lists hosts, only these - hosts will <emphasis>NOT</emphasis> be forced into SSL mode. The syntax for these two - variables is the same as for the <link linkend="HOSTSALLOW"><parameter> - hosts allow</parameter></link> and <link linkend="HOSTSDENY"> - <parameter>hosts deny</parameter></link> pair of variables, only - that the subject of the decision is different: It's not the access - right but whether SSL is used or not. </para> - - <para>The example below requires SSL connections from all hosts - outside the local net (which is 192.168.*.*).</para> - - <para>Default: <command>ssl hosts = <empty string></command></para> - <para><command>ssl hosts resign = <empty string></command></para> - - <para>Example: <command>ssl hosts resign = 192.168.</command></para> - </listitem> - </varlistentry> - - - - <varlistentry> - <term><anchor id="SSLREQUIRECLIENTCERT">ssl require clientcert (G)</term> - <listitem><para>This variable is part of SSL-enabled Samba. This - is only available if the SSL libraries have been compiled on your - system and the configure option <command>--with-ssl</command> was - given at configure time.</para> - - <para>If this variable is set to <constant>yes</constant>, the - server will not tolerate connections from clients that don't - have a valid certificate. The directory/file given in <link - linkend="SSLCACERTDIR"><parameter>ssl CA certDir</parameter> - </link> and <link linkend="SSLCACERTFILE"><parameter>ssl CA certFile - </parameter></link> will be used to look up the CAs that issued - the client's certificate. If the certificate can't be verified - positively, the connection will be terminated. If this variable - is set to <constant>no</constant>, clients don't need certificates. - Contrary to web applications you really <emphasis>should</emphasis> - require client certificates. In the web environment the client's - data is sensitive (credit card numbers) and the server must prove - to be trustworthy. In a file server environment the server's data - will be sensitive and the clients must prove to be trustworthy.</para> - - <para>Default: <command>ssl require clientcert = no</command></para> - </listitem> - </varlistentry> - - - - <varlistentry> - <term><anchor id="SSLREQUIRESERVERCERT">ssl require servercert (G)</term> - <listitem><para>This variable is part of SSL-enabled Samba. This - is only available if the SSL libraries have been compiled on your - system and the configure option <command>--with-ssl</command> was - given at configure time.</para> - - <para>If this variable is set to <constant>yes</constant>, the - <ulink url="smbclient.1.html"><command>smbclient(1)</command> - </ulink> will request a certificate from the server. Same as - <link linkend="SSLREQUIRECLIENTCERT"><parameter>ssl require - clientcert</parameter></link> for the server.</para> - - <para>Default: <command>ssl require servercert = no</command> - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term><anchor id="SSLSERVERCERT">ssl server cert (G)</term> - <listitem><para>This variable is part of SSL-enabled Samba. This - is only available if the SSL libraries have been compiled on your - system and the configure option <command>--with-ssl</command> was - given at configure time.</para> - - <para>This is the file containing the server's certificate. - The server <emphasis>must</emphasis> have a certificate. The - file may also contain the server's private key. See later for - how certificates and private keys are created.</para> - - <para>Default: <command>ssl server cert = <empty string> - </command></para> - </listitem> - </varlistentry> - - - <varlistentry> - <term><anchor id="SSLSERVERKEY">ssl server key (G)</term> - <listitem><para>This variable is part of SSL-enabled Samba. This - is only available if the SSL libraries have been compiled on your - system and the configure option <command>--with-ssl</command> was - given at configure time.</para> - - <para>This file contains the private key of the server. If - this variable is not defined, the key is looked up in the - certificate file (it may be appended to the certificate). - The server <emphasis>must</emphasis> have a private key - and the certificate <emphasis>must</emphasis> - match this private key.</para> - - <para>Default: <command>ssl server key = <empty string> - </command></para> - </listitem> - </varlistentry> - - - <varlistentry> - <term><anchor id="SSLVERSION">ssl version (G)</term> - <listitem><para>This variable is part of SSL-enabled Samba. This - is only available if the SSL libraries have been compiled on your - system and the configure option <command>--with-ssl</command> was - given at configure time.</para> - - <para>This enumeration variable defines the versions of the - SSL protocol that will be used. <constant>ssl2or3</constant> allows - dynamic negotiation of SSL v2 or v3, <constant>ssl2</constant> results - in SSL v2, <constant>ssl3</constant> results in SSL v3 and - <constant>tls1</constant> results in TLS v1. TLS (Transport Layer - Security) is the new standard for SSL.</para> - - <para>Default: <command>ssl version = "ssl2or3"</command></para> - </listitem> - </varlistentry> - - - - <varlistentry> <term><anchor id="STATCACHE">stat cache (G)</term> <listitem><para>This parameter determines if <ulink url="smbd.8.html">smbd(8)</ulink> will use a cache in order to |