From 97e3e540f72021d81b34f7597506da6cdc552b8a Mon Sep 17 00:00:00 2001
From: John Terpstra
Date: Fri, 8 Jul 2005 10:16:53 +0000
Subject: More updates.
(This used to be commit b546de20f793aeec7739ef32451d72582175ae58)
---
docs/Samba3-Developers-Guide/printing.xml | 2 +-
docs/Samba3-HOWTO/TOSHARG-IDMAP.xml | 185 ++++++++++++---------
docs/Samba3-HOWTO/TOSHARG-VFS.xml | 12 +-
docs/Samba3-HOWTO/TOSHARG-upgrading-to-3.0.xml | 144 +++++++++-------
docs/manpages-3/smb.conf.5.xml | 8 +-
docs/smbdotconf/logon/logonscript.xml | 48 +++---
docs/smbdotconf/security/createmask.xml | 40 +++--
docs/smbdotconf/security/directorymask.xml | 2 +-
docs/smbdotconf/security/directorysecuritymask.xml | 11 +-
.../security/forcedirectorysecuritymode.xml | 46 ++---
docs/smbdotconf/security/forcesecuritymode.xml | 40 +++--
docs/smbdotconf/security/securitymask.xml | 36 ++--
12 files changed, 329 insertions(+), 245 deletions(-)
diff --git a/docs/Samba3-Developers-Guide/printing.xml b/docs/Samba3-Developers-Guide/printing.xml
index fc0a1ee4b7..bbdbb85ef7 100644
--- a/docs/Samba3-Developers-Guide/printing.xml
+++ b/docs/Samba3-Developers-Guide/printing.xml
@@ -1,6 +1,6 @@ - + GeraldCarter
diff --git a/docs/Samba3-HOWTO/TOSHARG-IDMAP.xml b/docs/Samba3-HOWTO/TOSHARG-IDMAP.xml
index a14c8b0b84..2ff794939c 100644
--- a/docs/Samba3-HOWTO/TOSHARG-IDMAP.xml
+++ b/docs/Samba3-HOWTO/TOSHARG-IDMAP.xml
@@ -496,19 +496,24 @@ domain member servers (DMSs) and domain member clients (DMCs). NT4-Style Domains (Includes Samba Domains) - The following is a simple example of an NT4 DMS &smb.conf; file that shows only the global section. - -#Global parameters -[global] - workgroup = MEGANET2 - security = DOMAIN - idmap uid = 10000-20000 - idmap gid = 10000-20000 - template primary group = "Domain Users" - template shell = /bin/bash - + NT4 Domain Member Server smb.con is a simple example of an NT4 DMS + &smb.conf; file that shows only the global section. + +NT4 Domain Member Server smb.conf + +Global parameters + +MEGANET2 +DOMAIN +10000-20000 +10000-20000 +"Domain Users" +/bin/bash + + + winbind /etc/nsswitch.conf
@@ -573,23 +578,27 @@ Join to domain 'MEGANET2' is not valid domain join ADS domain The procedure for joining an ADS domain is similar to the NT4 domain join, except the &smb.conf; file - will have the following contents: - -# Global parameters -[global] - workgroup = BUTTERNET - netbios name = GARGOYLE - realm = BUTTERNET.BIZ - security = ADS - template shell = /bin/bash - idmap uid = 500-10000000 - idmap gid = 500-10000000 - winbind use default domain = Yes - winbind nested groups = Yes - printer admin = "BUTTERNET\Domain Admins" - + will have the contents shown in ADS Domain Member Server smb.conf + +ADS Domain Member Server smb.conf + +Global parameters + +BUTTERNET +GARGOYLE +BUTTERNET.BIZ +ADS +/bin/bash +500-10000000 +500-10000000 +Yes +Yes +"BUTTERNET\Domain Admins" + + + KRB kerberos
@@ -696,28 +705,33 @@ Join to domain is not valid - An example &smb.conf; file for and ADS domain environment is shown here: - -# Global parameters -[global] - workgroup = KPAK - netbios name = BIGJOE - realm = CORP.KPAK.COM - server string = Office Server - security = ADS - allow trusted domains = No - idmap backend = idmap_rid:KPAK=500-100000000 - idmap uid = 500-100000000 - idmap gid = 500-100000000 - template shell = /bin/bash - winbind use default domain = Yes - winbind enum users = No - winbind enum groups = No - winbind nested groups = Yes - printer admin = "Domain Admins" - + An example &smb.conf; file for and ADS domain environment is shown in ADS + Domain Member smb.conf using idmap_rid. + +ADS Domain Member smb.conf using idmap_rid + +Global parameters + +KPAK +BIGJOE +CORP.KPAK.COM +Office Server +ADS +No +idmap_rid:KPAK=500-100000000 +500-100000000 +500-100000000 +/bin/bash +Yes +No +No +Yes +"Domain Admins" + + + large domain Active Directory
@@ -815,29 +829,31 @@ administrator:x:1000:1013:Administrator:/home/BE/administrator:/bin/bash - The following example is for an ADS domain: + An example is for an ADS domain is shown in ADS Domain Member Server using + LDAP. - - -# Global parameters -[global] - workgroup = SNOWSHOW - netbios name = GOODELF - realm = SNOWSHOW.COM - server string = Samba Server - security = ADS - log level = 1 ads:10 auth:10 sam:10 rpc:10 - ldap admin dn = cn=Manager,dc=SNOWSHOW,dc=COM - ldap idmap suffix = ou=Idmap - ldap suffix = dc=SNOWSHOW,dc=COM - idmap backend = ldap:ldap://ldap.snowshow.com - idmap uid = 150000-550000 - idmap gid = 150000-550000 - template shell = /bin/bash - winbind use default domain = Yes - - + +ADS Domain Member Server using LDAP + +Global parameters + +SNOWSHOW +GOODELF +SNOWSHOW.COM +Samba Server +ADS +1 ads:10 auth:10 sam:10 rpc:10 +cn=Manager,dc=SNOWSHOW,dc=COM +ou=Idmap +dc=SNOWSHOW,dc=COM +ldap:ldap://ldap.snowshow.com +150000-550000 +150000-550000 +/bin/bash +Yes + + realm
@@ -1018,23 +1034,28 @@ Joined 'GOODELF' to realm 'SNOWSHOW.COM' - The following is an example &smb.conf; file: - -# Global parameters -[global] - workgroup = BOBBY - realm = BOBBY.COM - security = ADS - idmap uid = 150000-550000 - idmap gid = 150000-550000 - template shell = /bin/bash - winbind cache time = 5 - winbind use default domain = Yes - winbind trusted domains only = Yes - winbind nested groups = Yes - + An example &smb.conf; file is shown in ADS Domain Member Server using +RFC2307bis Schema Extension Date via NSS. + +ADS Domain Member Server using RFC2307bis Schema Extension Date via NSS + +Global parameters + +BOBBY +BOBBY.COM +ADS +150000-550000 +150000-550000 +/bin/bash +5 +Yes +Yes +Yes + + + nss_ldap The DMS must be joined to the domain using the usual procedure. Additionally, it is necessary
diff --git a/docs/Samba3-HOWTO/TOSHARG-VFS.xml b/docs/Samba3-HOWTO/TOSHARG-VFS.xml
index 41b9562c40..02bf851c63 100644
--- a/docs/Samba3-HOWTO/TOSHARG-VFS.xml
+++ b/docs/Samba3-HOWTO/TOSHARG-VFS.xml
@@ -49,15 +49,15 @@ modules example: - smb.conf with VFS modules - - +smb.conf with VFS modules + + Audited /data directory /data audit recycle yes yes - +
@@ -87,8 +87,8 @@ Some modules can be used twice for the same share. This can be done using a con shown in the smb.conf with multiple VFS modules. - smb.conf with multiple VFS modules - +smb.conf with multiple VFS modules + VFS TEST /data
diff --git a/docs/Samba3-HOWTO/TOSHARG-upgrading-to-3.0.xml b/docs/Samba3-HOWTO/TOSHARG-upgrading-to-3.0.xml
index ab328eda0b..8898232304 100644
--- a/docs/Samba3-HOWTO/TOSHARG-upgrading-to-3.0.xml
+++ b/docs/Samba3-HOWTO/TOSHARG-upgrading-to-3.0.xml
@@ -178,7 +178,7 @@ complete descriptions of new or modified parameters. Removed Parameters deleted parameters -In alphabetical order, these are the parameters eliminated for Samba 3.0.20. +In alphabetical order, these are the parameters eliminated during the Samba 3.0.0 series prior to release of Samba 3.0.20. admin log
@@ -190,17 +190,22 @@ complete descriptions of new or modified parameters. domain admin group domain guest group force unknown acl user + ldap filter nt smb support post script printer driver printer driver file printer driver location + read size + source environment status strip dot total print jobs + unicode use rhosts valid chars vfs options + winbind enable local accounts 
@@ -208,114 +213,135 @@ complete descriptions of new or modified parameters. New Parameters -New parameters in Samba 3.0.20 are grouped by function): +New parameters in the Samba 3.0.0 series prior to release of Samba 3.0.20 are grouped by function): Remote Management new parameters - abort shutdown script - shutdown script + abort shutdown script + shutdown script User and Group Account Management - add group script - add machine script - add user to group script - algorithmic rid base - delete group script - delete user from group script - passdb backend - set primary group script + add group script + add machine script + add user to group script + algorithmic rid base + delete group script + delete user from group script + passdb backend + set primary group script Authentication - auth methods - realm + auth methods + ldap password sync + realm Protocol Options - client lanman auth - client NTLMv2 auth - client schannel - client signing - client use spnego - disable netbios - ntlm auth + afs token lifetime + client lanman auth + client NTLMv2 auth + client schannel + client signing + client use spnego + defer sharing violations + disable netbios + enable privileges + use kerberos keytab + log nt token command + ntlm auth paranoid server security - server schannel - server signing - smb ports - use spnego + sendfile + server schannel + server signing + smb ports + use spnego File Service - get quota command - hide special files - hide unwriteable files - hostname lookups - kernel change notify - mangle prefix - map acl inherit - msdfs proxy - set quota command - use sendfile - vfs objects + allocation roundup size + acl check permissions + ea support + enable asu support + force unknown acl user + get quota command + hide special files + hide unwriteable files + inherit owner + hostname lookups + kernel change notify + mangle prefix + map acl inherit + max stat cache size + msdfs proxy + set quota command + store dos attributes + use sendfile + vfs objects 
Printing - max reported print jobs + cups options + cups server + force printername + max reported print jobs + printcap cache time Unicode and Character Sets - display charset - dos charset - unicode - UNIX charset + display charset + dos charset + UNIX charset SID to UID/GID Mappings - idmap backend - idmap gid - idmap uid - winbind enable local accounts - winbind trusted domains only - template primary group - enable rid algorithm + idmap backend + idmap gid + idmap uid + winbind enable local accounts + winbind nested groups + winbind trusted domains only + template primary group + enable rid algorithm LDAP - ldap delete dn - ldap group suffix - ldap idmap suffix - ldap machine suffix - ldap passwd sync - ldap user suffix + ldap delete dn + ldap group suffix + ldap idmap suffix + ldap machine suffix + ldap passwd sync + ldap replication sleep + ldap timeout + ldap user suffix General Configuration - preload modules - privatedir + preload modules + privatedir
@@ -324,17 +350,23 @@ complete descriptions of new or modified parameters. Modified Parameters (Changes in Behavior) + dos filetimes (enabled by default) encrypt passwords (enabled by default) mangling method (set to hash2 by default) + map to guest (new parameter added) + min password length (deprecated) + only user (deprecated) passwd chat passwd program password server + printer admin (deprecated) restrict anonymous (integer value) security (new ads value) strict locking (enabled by default) winbind cache time (increased to 5 minutes) winbind uid (deprecated in favor of idmap uid) winbind gid (deprecated in favor of idmap gid) + write cache (deprecated)
diff --git a/docs/manpages-3/smb.conf.5.xml b/docs/manpages-3/smb.conf.5.xml
index e7e4a8933c..a21c813f20 100644
--- a/docs/manpages-3/smb.conf.5.xml
+++ b/docs/manpages-3/smb.conf.5.xml
@@ -61,7 +61,7 @@ The values following the equals sign in parameters are all either a string (no quotes needed) or a boolean, which may be given as yes/no, 0/1 or true/false. Case is not significant in boolean values, but is preserved - in string values. Some items such as create modes are numeric. + in string values. Some items such as create masks are numeric.
@@ -292,8 +292,8 @@ alias|alias|alias|alias... On SYSV systems which use lpstat to determine what printers are defined on the system you may be able to use - printcap name = lpstat to automatically obtain a list of printers. See the printcap name option - for more details. + printcap name = lpstat to automatically obtain a list of printers. See the + printcap name option for more details.
@@ -305,7 +305,7 @@ alias|alias|alias|alias... Some parameters are specific to the [global] section (e.g., security). Some parameters - are usable in all sections (e.g., create mode). All others are permissible only in normal + are usable in all sections (e.g., create mask). All others are permissible only in normal sections. For the purposes of the following descriptions the [homes] and [printers] sections will be considered normal. The letter G in parentheses indicates that a parameter is specific to the [global] section. The letter S indicates that a parameter can be specified in a
diff --git a/docs/smbdotconf/logon/logonscript.xml b/docs/smbdotconf/logon/logonscript.xml
index 847896e1ce..13ce9a0c03 100644
--- a/docs/smbdotconf/logon/logonscript.xml
+++ b/docs/smbdotconf/logon/logonscript.xml
@@ -4,14 +4,15 @@ type="string" xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> - This parameter specifies the batch file (.bat) or - NT command file (.cmd) to be downloaded and run on a machine when - a user successfully logs in. The file must contain the DOS - style CR/LF line endings. Using a DOS-style editor to create the - file is recommended. + + This parameter specifies the batch file (.bat) or NT command file + (.cmd) to be downloaded and run on a machine when a user successfully logs in. The file + must contain the DOS style CR/LF line endings. Using a DOS-style editor to create the file is recommended. + - The script must be a relative path to the [netlogon] - service. If the [netlogon] service specifies a of + The script must be a relative path to the service. If the [netlogon] + service specifies a of /usr/local/samba/netlogon, and STARTUP.BAT, then the file that will be downloaded is: 
@@ -19,23 +20,28 @@ - The contents of the batch file are entirely your choice. A - suggested command would be to add NET TIME \\SERVER /SET - /YES, to force every machine to synchronize clocks with - the same time server. Another use would be to add NET USE - U: \\SERVER\UTILS for commonly used utilities, or - NET USE Q: \\SERVER\ISO9001_QA for example. + + The contents of the batch file are entirely your choice. A suggested command would be to add NET TIME \\SERVER /SET /YES, to force every machine to synchronize clocks with the + same time server. Another use would be to add NET USE U: \\SERVER\UTILS + for commonly used utilities, or NET USE Q: \\SERVER\ISO9001_QA for + example. + - Note that it is particularly important not to allow write - access to the [netlogon] share, or to grant users write permission - on the batch files in a secure environment, as this would allow - the batch files to be arbitrarily modified and security to be - breached. + + Note that it is particularly important not to allow write access to the [netlogon] share, or to grant users + write permission on the batch files in a secure environment, as this would allow the batch files to be + arbitrarily modified and security to be breached. + - This option takes the standard substitutions, allowing you - to have separate logon scripts for each user or machine. + + This option takes the standard substitutions, allowing you to have separate logon scripts for each user or + machine. + - This option is only useful if Samba is set up as a logon server. + + This option is only useful if Samba is set up as a logon server. + scripts\%U.bat
diff --git a/docs/smbdotconf/security/createmask.xml b/docs/smbdotconf/security/createmask.xml
index 7f9f93caaa..cf6864c78e 100644
--- a/docs/smbdotconf/security/createmask.xml
+++ b/docs/smbdotconf/security/createmask.xml
@@ -5,27 +5,33 @@ create mode - When a file is created, the necessary permissions are - calculated according to the mapping from DOS modes to UNIX - permissions, and the resulting UNIX mode is then bit-wise 'AND'ed - with this parameter. This parameter may be thought of as a bit-wise - MASK for the UNIX modes of a file. Any bit not - set here will be removed from the modes set on a file when it is - created. + + When a file is created, the necessary permissions are calculated according to the mapping from DOS modes to + UNIX permissions, and the resulting UNIX mode is then bit-wise 'AND'ed with this parameter. This parameter may + be thought of as a bit-wise MASK for the UNIX modes of a file. Any bit not set here will + be removed from the modes set on a file when it is created. + - The default value of this parameter removes the - 'group' and 'other' write and execute bits from the UNIX modes. + + The default value of this parameter removes the group and other + write and execute bits from the UNIX modes. + - Following this Samba will bit-wise 'OR' the UNIX mode created - from this parameter with the value of the - parameter which is set to 000 by default. + + Following this Samba will bit-wise 'OR' the UNIX mode created from this parameter with the value of the + parameter which is set to 000 by default. + - This parameter does not affect directory modes. See the - parameter for details. + + This parameter does not affect directory masks. See the parameter + for details. + - Note that this parameter does not apply to permissions - set by Windows NT/2000 ACL editors. If the administrator wishes to enforce - a mask on access control lists also, they need to set the . + + Note that this parameter does not apply to permissions set by Windows NT/2000 ACL editors. If the + administrator wishes to enforce a mask on access control lists also, they need to set the . + force create mode 
diff --git a/docs/smbdotconf/security/directorymask.xml b/docs/smbdotconf/security/directorymask.xml
index 414239bcff..7b67f79214 100644
--- a/docs/smbdotconf/security/directorymask.xml
+++ b/docs/smbdotconf/security/directorymask.xml
@@ -30,7 +30,7 @@ force directory mode -create mode +create mask directory security mask inherit permissions 0755
diff --git a/docs/smbdotconf/security/directorysecuritymask.xml b/docs/smbdotconf/security/directorysecuritymask.xml
index 5511cd1700..a16f275698 100644
--- a/docs/smbdotconf/security/directorysecuritymask.xml
+++ b/docs/smbdotconf/security/directorysecuritymask.xml
@@ -8,11 +8,12 @@ permission on a directory using the native NT security dialog box. - This parameter is applied as a mask (AND'ed with) to - the changed permission bits, thus preventing any bits not in - this mask from being modified. Essentially, zero bits in this - mask may be treated as a set of bits the user is not allowed - to change. + + This parameter is applied as a mask (AND'ed with) to the changed permission bits, thus preventing any bits not + in this mask from being modified. Make sure not to mix up this parameter with , which works similar like this one but uses logical OR instead of AND. + Essentially, zero bits in this mask may be treated as a set of bits the user is not allowed to change. + If not set explicitly this parameter is set to 0777 meaning a user is allowed to modify all the user/group/world
diff --git a/docs/smbdotconf/security/forcedirectorysecuritymode.xml b/docs/smbdotconf/security/forcedirectorysecuritymode.xml
index 184337ba69..2c15ec2753 100644
--- a/docs/smbdotconf/security/forcedirectorysecuritymode.xml
+++ b/docs/smbdotconf/security/forcedirectorysecuritymode.xml
@@ -3,25 +3,33 @@ type="string" xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> - This parameter controls what UNIX permission bits - can be modified when a Windows NT client is manipulating the UNIX - permission on a directory using the native NT security dialog box. - - This parameter is applied as a mask (OR'ed with) to the - changed permission bits, thus forcing any bits in this mask that - the user may have modified to be on. Essentially, one bits in this - mask may be treated as a set of bits that, when modifying security - on a directory, the user has always set to be 'on'. - - If not set explicitly this parameter is 000, which - allows a user to modify all the user/group/world permissions on a - directory without restrictions. - - Users who can access the - Samba server through other means can easily bypass this restriction, - so it is primarily useful for standalone "appliance" systems. - Administrators of most normal systems will probably want to leave - it set as 0000. + + This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating + the UNIX permission on a directory using the native NT security dialog box. + + + + This parameter is applied as a mask (OR'ed with) to the changed permission bits, thus forcing any bits in this + mask that the user may have modified to be on. Make sure not to mix up this parameter with , which works in a similar manner to this one, but uses a logical AND instead + of an OR. + + + + Essentially, this mask may be treated as a set of bits that, when modifying security on a directory, + to will enable (1) any flags that are off (0) but which the mask has set to on (1). + + + + If not set explicitly this parameter is 0000, which allows a user to modify all the user/group/world + permissions on a directory without restrictions. 
+ + + + Users who can access the Samba server through other means can easily bypass this restriction, so it is + primarily useful for standalone "appliance" systems. Administrators of most normal systems will + probably want to leave it set as 0000. +
diff --git a/docs/smbdotconf/security/forcesecuritymode.xml b/docs/smbdotconf/security/forcesecuritymode.xml
index 98de6fa401..7451ef91ae 100644
--- a/docs/smbdotconf/security/forcesecuritymode.xml
+++ b/docs/smbdotconf/security/forcesecuritymode.xml
@@ -3,26 +3,32 @@ type="string" xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> - This parameter controls what UNIX permission - bits can be modified when a Windows NT client is manipulating - the UNIX permission on a file using the native NT security dialog - box. + + This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating + the UNIX permission on a file using the native NT security dialog box. + - This parameter is applied as a mask (OR'ed with) to the - changed permission bits, thus forcing any bits in this mask that - the user may have modified to be on. Essentially, one bits in this - mask may be treated as a set of bits that, when modifying security - on a file, the user has always set to be 'on'. + + This parameter is applied as a mask (OR'ed with) to the changed permission bits, thus forcing any bits in this + mask that the user may have modified to be on. Make sure not to mix up this parameter with , which works similar like this one but uses logical AND instead of OR. + - If not set explicitly this parameter is set to 0, - and allows a user to modify all the user/group/world permissions on a file, - with no restrictions. + + Essentially, one bits in this mask may be treated as a set of bits that, when modifying security on a file, + the user has always set to be on. + + + + If not set explicitly this parameter is set to 0, and allows a user to modify all the user/group/world + permissions on a file, with no restrictions. + - Note that users who can access - the Samba server through other means can easily bypass this restriction, - so it is primarily useful for standalone "appliance" systems. - Administrators of most normal systems will probably want to leave - this set to 0000. + + Note that users who can access the Samba server through other means can easily bypass this + restriction, so it is primarily useful for standalone "appliance" systems. 
Administrators of most + normal systems will probably want to leave this set to 0000. +
diff --git a/docs/smbdotconf/security/securitymask.xml b/docs/smbdotconf/security/securitymask.xml
index de3dd29753..d41d6bddae 100644
--- a/docs/smbdotconf/security/securitymask.xml
+++ b/docs/smbdotconf/security/securitymask.xml
@@ -3,26 +3,30 @@ type="string" xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> - This parameter controls what UNIX permission - bits can be modified when a Windows NT client is manipulating - the UNIX permission on a file using the native NT security - dialog box. + + This parameter controls what UNIX permission bits can be modified when a Windows NT client is manipulating the + UNIX permission on a file using the native NT security dialog box. + - This parameter is applied as a mask (AND'ed with) to - the changed permission bits, thus preventing any bits not in - this mask from being modified. Essentially, zero bits in this - mask may be treated as a set of bits the user is not allowed - to change. + + This parameter is applied as a mask (AND'ed with) to the changed permission bits, thus preventing any bits not + in this mask from being modified. Make sure not to mix up this parameter with , which works in a manner similar to this one but uses a logical OR instead of an AND. + - If not set explicitly this parameter is 0777, allowing - a user to modify all the user/group/world permissions on a file. + + Essentially, zero bits in this mask may be treated as a set of bits the user is not allowed to change. + + + + If not set explicitly this parameter is 0777, allowing a user to modify all the user/group/world permissions on a file. - Note that users who can access the - Samba server through other means can easily bypass this - restriction, so it is primarily useful for standalone - "appliance" systems. Administrators of most normal systems will - probably want to leave it set to 0777. + + Note that users who can access the Samba server through other means can easily bypass this + restriction, so it is primarily useful for standalone "appliance" systems. Administrators of + most normal systems will probably want to leave it set to 0777. + force directory security mode -- cgit