From f88faa0105fdf47eccfa3212870ac3066ff8113c Mon Sep 17 00:00:00 2001
From: John Terpstra
Date: Sat, 22 Oct 2005 00:04:38 +0000
Subject: Fixes and reformatting from Bug #3190, plus a clean-up.

(This used to be commit 8250e36fe34394938df16533f77869b93d3be761)
---
 docs/smbdotconf/misc/dfreecommand.xml | 34 ++---
 docs/smbdotconf/printing/printcapname.xml | 54 ++++----
 docs/smbdotconf/security/usekerberoskeytab.xml | 18 +--
 docs/smbdotconf/security/usernamemap.xml | 166 ++++++++++++-------------
 4 files changed, 139 insertions(+), 133 deletions(-)

diff --git a/docs/smbdotconf/misc/dfreecommand.xml b/docs/smbdotconf/misc/dfreecommand.xml index be5f00aabd..546cead306 100644 --- a/docs/smbdotconf/misc/dfreecommand.xml +++ b/docs/smbdotconf/misc/dfreecommand.xml 
@@ -5,51 +5,55 @@ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> - The dfree command setting + + The dfree command setting should only be used on systems where a problem occurs with the internal disk space calculations. This has been known to happen with Ultrix, but may occur with other operating systems. The symptom that was seen was an error of "Abort Retry - Ignore" at the end of each directory listing. + Ignore" at the end of each directory listing. + - This setting allows the replacement of the internal routines to + + This setting allows the replacement of the internal routines to calculate the total disk space and amount available with an external routine. The example below gives a possible script that might fulfill - this function. + this function. + - In Samba version 3.0.21 this parameter has been changed to be + + In Samba version 3.0.21 this parameter has been changed to be a per-share parameter, and in addition the parameter dfree cache time was added to allow the output of this script to be cached for systems under heavy load. - The external program will be passed a single parameter indicating + + The external program will be passed a single parameter indicating a directory in the filesystem being queried. This will typically consist of the string ./. The script should return two integers in ASCII. The first should be the total disk space in blocks, and the second should be the number of available blocks. An optional third return value can give the block size in bytes. The default - blocksize is 1024 bytes. + blocksize is 1024 bytes. + - Note: Your script should NOT be setuid or - setgid and should be owned by (and writeable only by) root! + + Note: Your script should NOT be setuid or + setgid and should be owned by (and writeable only by) root! 
+ Where the script dfree (which must be made executable) could be: #!/bin/sh df $1 | tail -1 | awk '{print $2" "$4}' - - - or perhaps (on Sys V based systems): + or perhaps (on Sys V based systems): #!/bin/sh /usr/bin/df -k $1 | tail -1 | awk '{print $3" "$5}' - - - Note that you may have to replace the command names with full path names on some systems. diff --git a/docs/smbdotconf/printing/printcapname.xml b/docs/smbdotconf/printing/printcapname.xml index 7ade8881b6..90c575f31c 100644 --- a/docs/smbdotconf/printing/printcapname.xml +++ b/docs/smbdotconf/printing/printcapname.xml 
@@ -5,48 +5,50 @@ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> printcap - This parameter may be used to override the - compiled-in default printcap name used by the server (usually - /etc/printcap). See the discussion of the [printers] section above for reasons - why you might want to do this. + + This parameter may be used to override the compiled-in default printcap name used by the server (usually + /etc/printcap). See the discussion of the [printers] section above for reasons why you might want to do this. + - To use the CUPS printing interface set printcap name = cups - . This should be supplemented by an addtional setting - cups in the [global] - section. printcap name = cups will use the - "dummy" printcap created by CUPS, as specified in your CUPS - configuration file. + + To use the CUPS printing interface set printcap name = cups . This should + be supplemented by an addtional setting cups in the [global] + section. printcap name = cups will use the "dummy" printcap + created by CUPS, as specified in your CUPS configuration file. - On System V systems that use lpstat to + + On System V systems that use lpstat to list available printers you can use printcap name = lpstat to automatically obtain lists of available printers. This is the default for systems that define SYSV at configure time in Samba (this includes most System V based systems). If printcap name is set to lpstat on these systems then Samba will launch lpstat -v and - attempt to parse the output to obtain a printer list. + attempt to parse the output to obtain a printer list. + - A minimal printcap file would look something like this: - - + + A minimal printcap file would look something like this: + print1|My Printer 1 print2|My Printer 2 print3|My Printer 3 print4|My Printer 4 print5|My Printer 5 - - - where the '|' separates aliases of a printer. The fact - that the second alias has a space in it gives a hint to Samba - that it's a comment. 
+ + where the '|' separates aliases of a printer. The fact that the second alias has a space in + it gives a hint to Samba that it's a comment. + + + + Under AIX the default printcap name is /etc/qconfig. Samba will + assume the file is in AIX qconfig format if the string qconfig appears in the printcap filename. + - Under AIX the default printcap - name is /etc/qconfig. Samba will assume the - file is in AIX qconfig format if the string - qconfig appears in the printcap filename. - + /etc/printcap /etc/myprintcap diff --git a/docs/smbdotconf/security/usekerberoskeytab.xml b/docs/smbdotconf/security/usekerberoskeytab.xml index 0fb9e0ff9e..ad6cc88278 100644 --- a/docs/smbdotconf/security/usekerberoskeytab.xml +++ b/docs/smbdotconf/security/usekerberoskeytab.xml @@ -3,18 +3,20 @@ type="boolean" xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> - -Specifies whether Samba should attempt to maintain service principals in the systems -keytab file for host/FQDN and cifs/FQDN. - - -When you are using the heimdal Kerberos libraries, you must also -specify the following in /etc/krb5.conf: + + Specifies whether Samba should attempt to maintain service principals in the systems + keytab file for host/FQDN and cifs/FQDN. + + + When you are using the heimdal Kerberos libraries, you must also specify the following in + /etc/krb5.conf: [libdefaults] - default_keytab_name = FILE:/etc/krb5.keytab +default_keytab_name = FILE:/etc/krb5.keytab + + False diff --git a/docs/smbdotconf/security/usernamemap.xml b/docs/smbdotconf/security/usernamemap.xml index c30e2327c5..59c0cdde7c 100644 --- a/docs/smbdotconf/security/usernamemap.xml +++ b/docs/smbdotconf/security/usernamemap.xml 
@@ -4,102 +4,102 @@ type="string" xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> - This option allows you to specify a file containing - a mapping of usernames from the clients to the server. This can be - used for several purposes. The most common is to map usernames - that users use on DOS or Windows machines to those that the UNIX - box uses. The other is to map multiple users to a single username - so that they can more easily share files. - - Please note that for user or share mode security, the - username map is applied prior to validating the user credentials. - Domain member servers (domain or ads) apply the username map - after the user has been successfully authenticated by the domain - controller and require fully qualified enties in the map table - (e.g. biddle = DOMAIN\foo). - - The map file is parsed line by line. Each line should - contain a single UNIX username on the left then a '=' followed - by a list of usernames on the right. The list of usernames on the - right may contain names of the form @group in which case they - will match any UNIX username in that group. The special client - name '*' is a wildcard and matches any name. Each line of the - map file may be up to 1023 characters long. - - The file is processed on each line by taking the - supplied username and comparing it with each username on the right - hand side of the '=' signs. If the supplied name matches any of - the names on the right hand side then it is replaced with the name - on the left. Processing then continues with the next line. - - If any line begins with a '#' or a ';' then it is ignored - - If any line begins with an '!' then the processing - will stop after that line if a mapping was done by the line. - Otherwise mapping continues with every line being processed. - Using '!' is most useful when you have a wildcard mapping line - later in the file. 
- - For example to map from the name admin - or administrator to the UNIX name - root you would use: - - root = admin administrator + + This option allows you to specify a file containing a mapping of usernames from the clients to the server. + This can be used for several purposes. The most common is to map usernames that users use on DOS or Windows + machines to those that the UNIX box uses. The other is to map multiple users to a single username so that they + can more easily share files. + - Or to map anyone in the UNIX group system - to the UNIX name sys you would use: + + Please note that for user or share mode security, the username map is applied prior to validating the user + credentials. Domain member servers (domain or ads) apply the username map after the user has been + successfully authenticated by the domain controller and require fully qualified enties in the map table (e.g. + biddle = DOMAIN\foo). + + + + The map file is parsed line by line. Each line should contain a single UNIX username on the left then a '=' + followed by a list of usernames on the right. The list of usernames on the right may contain names of the form + @group in which case they will match any UNIX username in that group. The special client name '*' is a + wildcard and matches any name. Each line of the map file may be up to 1023 characters long. + - sys = @system + + The file is processed on each line by taking the supplied username and comparing it with each username on the + right hand side of the '=' signs. If the supplied name matches any of the names on the right hand side then it + is replaced with the name on the left. Processing then continues with the next line. + - You can have as many mappings as you like in a username map file. + + If any line begins with a '#' or a ';' then it is ignored. + + + If any line begins with an '!' then the processing will stop after that line if a mapping was done by the + line. 
Otherwise mapping continues with every line being processed. Using '!' is most useful when you have a + wildcard mapping line later in the file. + - If your system supports the NIS NETGROUP option then - the netgroup database is checked before the /etc/group - database for matching groups. + + For example to map from the name admin or administrator to the UNIX + name root you would use: + +root = admin administrator + + Or to map anyone in the UNIX group system to the UNIX name sys you would use: + +sys = @system + + - You can map Windows usernames that have spaces in them - by using double quotes around the name. For example: + + You can have as many mappings as you like in a username map file. + - tridge = "Andrew Tridgell" - would map the windows username "Andrew Tridgell" to the - unix username "tridge". + + If your system supports the NIS NETGROUP option then the netgroup database is checked before the /etc/group database for matching groups. + - The following example would map mary and fred to the - unix user sys, and map the rest to guest. Note the use of the - '!' to tell Samba to stop processing if it gets a match on - that line. + + You can map Windows usernames that have spaces in them by using double quotes around the name. For example: + +tridge = "Andrew Tridgell" + + would map the windows username "Andrew Tridgell" to the unix username "tridge". + - + + The following example would map mary and fred to the unix user sys, and map the rest to guest. Note the use of the + '!' to tell Samba to stop processing if it gets a match on that line: + !sys = mary fred guest = * - + + - Note that the remapping is applied to all occurrences - of usernames. Thus if you connect to \\server\fred and - fred is remapped to mary then you - will actually be connecting to \\server\mary and will need to - supply a password suitable for mary not - fred. The only exception to this is the - username passed to the - (if you have one). 
The password server will receive whatever - username the client supplies without modification. + Note that the remapping is applied to all occurrences of usernames. Thus if you connect to \\server\fred and + fred is remapped to mary then you will actually be connecting to + \\server\mary and will need to supply a password suitable for mary not + fred. The only exception to this is the username passed to the (if you have one). The password server will receive whatever username the client + supplies without modification. - Also note that no reverse mapping is done. The main effect - this has is with printing. Users who have been mapped may have - trouble deleting print jobs as PrintManager under WfWg will think - they don't own the print job. + + Also note that no reverse mapping is done. The main effect this has is with printing. Users who have been + mapped may have trouble deleting print jobs as PrintManager under WfWg will think they don't own the print + job. + - Samba versions prior to 3.0.8 would only support reading the fully qualified - username (e.g.: DOMAIN\user) from the username map when performing a - kerberos login from a client. However, when looking up a map - entry for a user authenticated by NTLM[SSP], only the login name would be - used for matches. This resulted in inconsistent behavior sometimes - even on the same server. + Samba versions prior to 3.0.8 would only support reading the fully qualified username (e.g.: DOMAIN\user) from + the username map when performing a kerberos login from a client. However, when looking up a map entry for a + user authenticated by NTLM[SSP], only the login name would be used for matches. This resulted in inconsistent + behavior sometimes even on the same server. 
@@ -107,16 +107,13 @@ guest = * - When performing local authentication, the username map is - applied to the login name before attempting to authenticate + When performing local authentication, the username map is applied to the login name before attempting to authenticate the connection. - When relying upon a external domain controller for validating - authentication requests, smbd will apply the username map - to the fully qualified username (i.e. DOMAIN\user) only - after the user has been successfully authenticated. + When relying upon a external domain controller for validating authentication requests, smbd will apply the username map + to the fully qualified username (i.e. DOMAIN\user) only after the user has been successfully authenticated. @@ -125,6 +122,7 @@ guest = * username map = /usr/local/samba/lib/users.map + no username map -- cgit
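Review bot: in docs/smbdotconf/misc/dfreecommand.xml, both sample scripts left as context in the first hunk expand the directory argument unquoted (df $1 | tail -1 | awk '{print $2" "$4}' and /usr/bin/df -k $1 ...), so a path containing whitespace or glob characters is word-split before df sees it. The text says the argument is typically ./, but the same section already tells the reader the script must be root-owned and not setuid, so the example should model the careful form: df "$1" and /usr/bin/df -k "$1". Since this commit is a clean-up pass, "blocksize" versus "block size" in the rewritten paragraph could be made consistent at the same time.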
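Review bot: in docs/smbdotconf/printing/printcapname.xml, the re-wrapped CUPS paragraph carries the typo "addtional" over into the new text ("be supplemented by an addtional setting cups in the [global] section"). Please correct it to "additional" while the paragraph is being rewritten, and drop the stray space before the full stop in "set printcap name = cups ." so the rendered sentence closes cleanly.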
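Review bot: in docs/smbdotconf/security/usekerberoskeytab.xml, the rewritten first paragraph still reads "maintain service principals in the systems keytab file"; that should be "the system's keytab file" or "the system keytab file". The description also points default_keytab_name at FILE:/etc/krb5.keytab without saying anything about who may read that file; because it will hold the keys for the host/FQDN and cifs/FQDN principals, one sentence stating that the keytab should be readable by root only would be worth adding here.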
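Review bot: in docs/smbdotconf/security/usernamemap.xml, first hunk, the description explains that in user or share mode the map is applied before credentials are validated and gives "root = admin administrator" as its first example, but never says how the map file itself should be protected. Since the file decides which UNIX account a client name resolves to, the text should state that it must be owned by and writable only by root, in the same way the dfree command page does for its script. Two smaller items in the added lines: "fully qualified enties" should be "entries", and "the windows username ... the unix username" should match the "Windows" and "UNIX" capitalisation used in the rest of the section.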
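Review bot: in docs/smbdotconf/security/usernamemap.xml, second hunk (@@ -107,16 +107,13 @@), the joined line keeps the grammar slip "When relying upon a external domain controller"; it should read "an external domain controller". The two list items here also restate the before/after-authentication rule already given near the top of the description, so consider having the earlier paragraph refer to this list instead of saying the same thing twice with slightly different wording ("domain or ads" there, "external domain controller" here).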