From 8f8a9f01909ba29e2b781310baeeaaddc3f15f0d Mon Sep 17 00:00:00 2001 
From: "Gerald W. Carter"
Date: Tue, 22 Apr 2008 10:09:40 -0500
Subject: Moving docs tree to docs-xml to make room for generated docs in the release tarball. (This used to be commit 9f672c26d63955f613088489c6efbdc08b5b2d14)
---
docs-xml/smbdotconf/winbind/idmapallocbackend.xml | 25 +++++++++
docs-xml/smbdotconf/winbind/idmapallocconfig.xml | 14 +++++
docs-xml/smbdotconf/winbind/idmapbackend.xml | 28 ++++++++++
docs-xml/smbdotconf/winbind/idmapcachetime.xml | 13 +++++
docs-xml/smbdotconf/winbind/idmapconfig.xml | 65 ++++++++++++++++++++++
docs-xml/smbdotconf/winbind/idmapdomains.xml | 27 +++++++++
docs-xml/smbdotconf/winbind/idmapgid.xml | 21 +++++++
.../smbdotconf/winbind/idmapnegativecachetime.xml | 13 +++++
docs-xml/smbdotconf/winbind/idmapuid.xml | 21 +++++++
docs-xml/smbdotconf/winbind/templatehomedir.xml | 18 ++++++
docs-xml/smbdotconf/winbind/templateshell.xml | 14 +++++
docs-xml/smbdotconf/winbind/winbindcachetime.xml | 21 +++++++
docs-xml/smbdotconf/winbind/winbindenumgroups.xml | 20 +++++++
docs-xml/smbdotconf/winbind/winbindenumusers.xml | 23 ++++++++
.../smbdotconf/winbind/winbindexpandgroups.xml | 24 ++++++++
.../smbdotconf/winbind/winbindnestedgroups.xml | 17 ++++++
.../smbdotconf/winbind/winbindnormalizenames.xml | 20 +++++++
docs-xml/smbdotconf/winbind/winbindnssinfo.xml | 40 +++++++++++++
.../smbdotconf/winbind/winbindofflinelogon.xml | 18 ++++++
.../smbdotconf/winbind/winbindrefreshtickets.xml | 16 ++++++
docs-xml/smbdotconf/winbind/winbindrpconly.xml | 16 ++++++
docs-xml/smbdotconf/winbind/winbindseparator.xml | 21 +++++++
.../winbind/winbindtrusteddomainsonly.xml | 24 ++++++++
.../smbdotconf/winbind/winbindusedefaultdomain.xml | 19 +++++++
24 files changed, 538 insertions(+)
create mode 100644 docs-xml/smbdotconf/winbind/idmapallocbackend.xml
create mode 100644 docs-xml/smbdotconf/winbind/idmapallocconfig.xml
create mode 100644 docs-xml/smbdotconf/winbind/idmapbackend.xml
create mode 100644 docs-xml/smbdotconf/winbind/idmapcachetime.xml
create mode 100644 docs-xml/smbdotconf/winbind/idmapconfig.xml
create mode 100644 docs-xml/smbdotconf/winbind/idmapdomains.xml
create mode 100644 docs-xml/smbdotconf/winbind/idmapgid.xml
create mode 100644 docs-xml/smbdotconf/winbind/idmapnegativecachetime.xml
create mode 100644 docs-xml/smbdotconf/winbind/idmapuid.xml
create mode 100644 docs-xml/smbdotconf/winbind/templatehomedir.xml
create mode 100644 docs-xml/smbdotconf/winbind/templateshell.xml
create mode 100644 docs-xml/smbdotconf/winbind/winbindcachetime.xml
create mode 100644 docs-xml/smbdotconf/winbind/winbindenumgroups.xml
create mode 100644 docs-xml/smbdotconf/winbind/winbindenumusers.xml
create mode 100644 docs-xml/smbdotconf/winbind/winbindexpandgroups.xml
create mode 100644 docs-xml/smbdotconf/winbind/winbindnestedgroups.xml
create mode 100644 docs-xml/smbdotconf/winbind/winbindnormalizenames.xml
create mode 100644 docs-xml/smbdotconf/winbind/winbindnssinfo.xml
create mode 100644 docs-xml/smbdotconf/winbind/winbindofflinelogon.xml
create mode 100644 docs-xml/smbdotconf/winbind/winbindrefreshtickets.xml
create mode 100644 docs-xml/smbdotconf/winbind/winbindrpconly.xml
create mode 100644 docs-xml/smbdotconf/winbind/winbindseparator.xml
create mode 100644 docs-xml/smbdotconf/winbind/winbindtrusteddomainsonly.xml
create mode 100644 docs-xml/smbdotconf/winbind/winbindusedefaultdomain.xml
(limited to 'docs-xml/smbdotconf/winbind')
diff --git a/docs-xml/smbdotconf/winbind/idmapallocbackend.xml b/docs-xml/smbdotconf/winbind/idmapallocbackend.xml
new file mode 100644
index 0000000000..60e20b82d5
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/idmapallocbackend.xml
@@ -0,0 +1,25 @@ + + + + The idmap alloc backend provides a plugin interface for Winbind to use + when allocating Unix uids/gids for Windows SIDs. This option is + to be used in conjunction with the + parameter and refers to the name of the idmap module which will provide + the id allocation functionality. Please refer to the man page + for each idmap plugin to determine whether or not the module implements + the allocation feature. The most common plugins are the tdb ( + idmap_tdb8) + and ldap (idmap_ldap + 8) libraries. + + + Also refer to the option. + + + +tdb + diff --git a/docs-xml/smbdotconf/winbind/idmapallocconfig.xml b/docs-xml/smbdotconf/winbind/idmapallocconfig.xml new file mode 100644 index 0000000000..013904122c --- /dev/null +++ b/docs-xml/smbdotconf/winbind/idmapallocconfig.xml @@ -0,0 +1,14 @@ + + + + The idmap alloc config prefix provides a means of managing settings + for the backend defined by the + parameter. Refer to the man page for each idmap plugin regarding + specific configuration details. + + + diff --git a/docs-xml/smbdotconf/winbind/idmapbackend.xml b/docs-xml/smbdotconf/winbind/idmapbackend.xml new file mode 100644 index 0000000000..20e1115c5f --- /dev/null +++ b/docs-xml/smbdotconf/winbind/idmapbackend.xml @@ -0,0 +1,28 @@ + + + + The idmap backend provides a plugin interface for Winbind to use + varying backends to store SID/uid/gid mapping tables. This + option is mutually exclusive with the newer and more flexible + parameter. The main difference + between the "idmap backend" and the "idmap domains" + is that the former only allows on backend for all domains while the + latter supports configuring backends on a per domain basis. + + + Examples of SID/uid/gid backends include tdb ( + idmap_tdb8), + ldap (idmap_ldap + 8), rid ( + idmap_rid8), + and ad (idmap_tdb + 8). + + + +tdb + 
diff --git a/docs-xml/smbdotconf/winbind/idmapcachetime.xml b/docs-xml/smbdotconf/winbind/idmapcachetime.xml new file mode 100644 index 0000000000..1636cdfa58 --- /dev/null +++ b/docs-xml/smbdotconf/winbind/idmapcachetime.xml @@ -0,0 +1,13 @@ + + + This parameter specifies the number of seconds that Winbind's + idmap interface will cache positive SID/uid/gid query results. + + + +900 + diff --git a/docs-xml/smbdotconf/winbind/idmapconfig.xml b/docs-xml/smbdotconf/winbind/idmapconfig.xml new file mode 100644 index 0000000000..63b0a907a8 --- /dev/null +++ b/docs-xml/smbdotconf/winbind/idmapconfig.xml 
@@ -0,0 +1,65 @@ + + + + The idmap config prefix provides a means of managing each domain + defined by the option using Samba's + parameteric option support. The idmap config prefix should be + followed by the name of the domain, a colon, and a setting specific to + the chosen backend. There are three options available for all domains: + + + + backend = backend_name + + Specifies the name of the idmap plugin to use as the + SID/uid/gid backend for this domain. + + + + + default = [yes|no] + + The default domain/backend will be used for searching for + users and groups not belonging to one of the explicitly + listed domains (matched by comparing the account SID and the + domain SID). + + + + + readonly = [yes|no] + + Mark the domain as readonly which means that no attempts to + allocate a uid or gid (by the ) for any user or group in that domain + will be attempted. + + + + + + The following example illustrates how to configure the + idmap_ad8 + for the CORP domain and the idmap_tdb + 8 backend for all other domains. The + TRUSTEDDOMAINS string is simply a key used to reference the "idmap + config" settings and does not represent the actual name of a domain. + + + + idmap domains = CORP TRUSTEDDOMAINS + + idmap config CORP:backend = ad + idmap config CORP:readonly = yes + + idmap config TRUSTEDDOMAINS:backend = tdb + idmap config TRUSTEDDOMAINS:default = yes + idmap config TRUSTEDDOMAINS:range = 1000 - 9999 + + + + diff --git a/docs-xml/smbdotconf/winbind/idmapdomains.xml b/docs-xml/smbdotconf/winbind/idmapdomains.xml new file mode 100644 index 0000000000..131b9e8167 --- /dev/null +++ b/docs-xml/smbdotconf/winbind/idmapdomains.xml 
@@ -0,0 +1,27 @@ + + + + The idmap domains option defines a list of Windows domains which will each + have a separately configured backend for managing Winbind's SID/uid/gid + tables. This parameter is mutually exclusive with the older option. + + + + Values consist of the short domain name for Winbind's primary or collection + of trusted domains. You may also use an arbitrary string to represent a catchall + domain backend for any domain not explicitly listed. + + + + Refer to the for details about + managing the SID/uid/gid backend for each domain. + + + +default AD CORP + diff --git a/docs-xml/smbdotconf/winbind/idmapgid.xml b/docs-xml/smbdotconf/winbind/idmapgid.xml new file mode 100644 index 0000000000..28d88b51b0 --- /dev/null +++ b/docs-xml/smbdotconf/winbind/idmapgid.xml @@ -0,0 +1,21 @@ + + winbind gid + + The idmap gid parameter specifies the range of group ids + that are allocated for the purpose of mapping UNX groups to NT group + SIDs. This range of group ids should have no + existing local or NIS groups within it as strange conflicts can + occur otherwise. + + See also the , , and options. + + + + +10000-20000 + diff --git a/docs-xml/smbdotconf/winbind/idmapnegativecachetime.xml b/docs-xml/smbdotconf/winbind/idmapnegativecachetime.xml new file mode 100644 index 0000000000..6790938d94 --- /dev/null +++ b/docs-xml/smbdotconf/winbind/idmapnegativecachetime.xml @@ -0,0 +1,13 @@ + + + This parameter specifies the number of seconds that Winbind's + idmap interface will cache negative SID/uid/gid query results. + + + +120 + diff --git a/docs-xml/smbdotconf/winbind/idmapuid.xml b/docs-xml/smbdotconf/winbind/idmapuid.xml new file mode 100644 index 0000000000..de4074cfa4 --- /dev/null +++ b/docs-xml/smbdotconf/winbind/idmapuid.xml 
@@ -0,0 +1,21 @@ + +winbind uid + + + The idmap uid parameter specifies the range of user ids that are + allocated for use in mapping UNIX users to NT user SIDs. This + range of ids should have no existing local + or NIS users within it as strange conflicts can occur otherwise. + + See also the , , and options. + + + + +10000-20000 + diff --git a/docs-xml/smbdotconf/winbind/templatehomedir.xml b/docs-xml/smbdotconf/winbind/templatehomedir.xml new file mode 100644 index 0000000000..f5965c613c --- /dev/null +++ b/docs-xml/smbdotconf/winbind/templatehomedir.xml @@ -0,0 +1,18 @@ + + + When filling out the user information for a Windows NT + user, the winbindd + 8 daemon uses this + parameter to fill in the home directory for that user. If the + string %D is present it + is substituted with the user's Windows NT domain name. If the + string %U is present it + is substituted with the user's Windows NT user name. + + +/home/%D/%U + diff --git a/docs-xml/smbdotconf/winbind/templateshell.xml b/docs-xml/smbdotconf/winbind/templateshell.xml new file mode 100644 index 0000000000..ce59cd12d0 --- /dev/null +++ b/docs-xml/smbdotconf/winbind/templateshell.xml @@ -0,0 +1,14 @@ + + + When filling out the user information for a Windows NT + user, the winbindd + 8 daemon uses this + parameter to fill in the login shell for that user. + + +/bin/false + diff --git a/docs-xml/smbdotconf/winbind/winbindcachetime.xml b/docs-xml/smbdotconf/winbind/winbindcachetime.xml new file mode 100644 index 0000000000..6bdcf0d06e --- /dev/null +++ b/docs-xml/smbdotconf/winbind/winbindcachetime.xml @@ -0,0 +1,21 @@ + + + This parameter specifies the number of + seconds the winbindd + 8 daemon will cache + user and group information before querying a Windows NT server + again. + + + This does not apply to authentication requests, these are always + evaluated in real time unless the option has been enabled. + + + +300 + 
diff --git a/docs-xml/smbdotconf/winbind/winbindenumgroups.xml b/docs-xml/smbdotconf/winbind/winbindenumgroups.xml new file mode 100644 index 0000000000..74f6feed01 --- /dev/null +++ b/docs-xml/smbdotconf/winbind/winbindenumgroups.xml @@ -0,0 +1,20 @@ + + + On large installations using winbindd + 8 it may be necessary to suppress + the enumeration of groups through the setgrent(), + getgrent() and + endgrent() group of system calls. If + the winbind enum groups parameter is + no, calls to the getgrent() system + call will not return any data. + +Turning off group enumeration may cause some programs to behave oddly. + + +no + diff --git a/docs-xml/smbdotconf/winbind/winbindenumusers.xml b/docs-xml/smbdotconf/winbind/winbindenumusers.xml new file mode 100644 index 0000000000..c987feaf8a --- /dev/null +++ b/docs-xml/smbdotconf/winbind/winbindenumusers.xml @@ -0,0 +1,23 @@ + + + On large installations using winbindd + 8 it may be + necessary to suppress the enumeration of users through the setpwent(), + getpwent() and + endpwent() group of system calls. If + the winbind enum users parameter is + no, calls to the getpwent system call + will not return any data. + +Turning off user + enumeration may cause some programs to behave oddly. For + example, the finger program relies on having access to the + full user list when searching for matching + usernames. + + +no + diff --git a/docs-xml/smbdotconf/winbind/winbindexpandgroups.xml b/docs-xml/smbdotconf/winbind/winbindexpandgroups.xml new file mode 100644 index 0000000000..19b81b3e0a --- /dev/null +++ b/docs-xml/smbdotconf/winbind/winbindexpandgroups.xml 
@@ -0,0 +1,24 @@ + + + This option controls the maximum depth that winbindd + will traverse when flattening nested group memberships + of Windows domain groups. This is different from the + option + which implements the Windows NT4 model of local group + nesting. The "winbind expand groups" + parameter specifically applies to the membership of + domain groups. + + Be aware that a high value for this parameter can + result in system slowdown as the main parent winbindd daemon + must perform the group unrolling and will be unable to answer + incoming NSS or authentication requests during this time. + + + +1 + diff --git a/docs-xml/smbdotconf/winbind/winbindnestedgroups.xml b/docs-xml/smbdotconf/winbind/winbindnestedgroups.xml new file mode 100644 index 0000000000..01e95bbaca --- /dev/null +++ b/docs-xml/smbdotconf/winbind/winbindnestedgroups.xml @@ -0,0 +1,17 @@ + + + If set to yes, this parameter activates the support for nested + groups. Nested groups are also called local groups or + aliases. They work like their counterparts in Windows: Nested + groups are defined locally on any machine (they are shared + between DC's through their SAM) and can contain users and + global groups from any trusted SAM. To be able to use nested + groups, you need to run nss_winbind. + + +yes + diff --git a/docs-xml/smbdotconf/winbind/winbindnormalizenames.xml b/docs-xml/smbdotconf/winbind/winbindnormalizenames.xml new file mode 100644 index 0000000000..28826cf5f3 --- /dev/null +++ b/docs-xml/smbdotconf/winbind/winbindnormalizenames.xml 
@@ -0,0 +1,20 @@ + + + This parameter controls whether winbindd will replace + whitespace in user and group names with an underscore (_) character. + For example, whether the name "Space Kadet" should be + replaced with the string "space_kadet". + Frequently Unix shell scripts will have difficulty with usernames + contains whitespace due to the default field separator in the shell. + Do not enable this option if the underscore character is used in + account names within your domain + + + +no +yes + diff --git a/docs-xml/smbdotconf/winbind/winbindnssinfo.xml b/docs-xml/smbdotconf/winbind/winbindnssinfo.xml new file mode 100644 index 0000000000..d6e40c6bf6 --- /dev/null +++ b/docs-xml/smbdotconf/winbind/winbindnssinfo.xml @@ -0,0 +1,40 @@ + + + + This parameter is designed to control how Winbind retrieves Name + Service Information to construct a user's home directory and login shell. + Currently the following settings are available: + + + + template + - The default, using the parameters of template + shell and template homedir) + + + + + <sfu | rfc2307 > + - When Samba is running in security = ads and your Active Directory + Domain Controller does support the Microsoft "Services for Unix" (SFU) + LDAP schema, winbind can retrieve the login shell and the home + directory attributes directly from your Directory Server. Note that + retrieving UID and GID from your ADS-Server requires to + use idmap backend = ad + or idmap config DOMAIN:backend = ad + as well. + + + + + + + + +template +template sfu + diff --git a/docs-xml/smbdotconf/winbind/winbindofflinelogon.xml b/docs-xml/smbdotconf/winbind/winbindofflinelogon.xml new file mode 100644 index 0000000000..b5a0de1631 --- /dev/null +++ b/docs-xml/smbdotconf/winbind/winbindofflinelogon.xml 
@@ -0,0 +1,18 @@ + + + + This parameter is designed to control whether Winbind should + allow to login with the pam_winbind + module using Cached Credentials. If enabled, winbindd will store user credentials + from successful logins encrypted in a local cache. + + + + +false +true + diff --git a/docs-xml/smbdotconf/winbind/winbindrefreshtickets.xml b/docs-xml/smbdotconf/winbind/winbindrefreshtickets.xml new file mode 100644 index 0000000000..d39cb76861 --- /dev/null +++ b/docs-xml/smbdotconf/winbind/winbindrefreshtickets.xml @@ -0,0 +1,16 @@ + + + + This parameter is designed to control whether Winbind should refresh Kerberos Tickets + retrieved using the pam_winbind module. + + + + +false +true + diff --git a/docs-xml/smbdotconf/winbind/winbindrpconly.xml b/docs-xml/smbdotconf/winbind/winbindrpconly.xml new file mode 100644 index 0000000000..53a0877350 --- /dev/null +++ b/docs-xml/smbdotconf/winbind/winbindrpconly.xml @@ -0,0 +1,16 @@ + + + + + Setting this parameter to yes forces + winbindd to use RPC instead of LDAP to retrieve information from Domain + Controllers. + + + +no + diff --git a/docs-xml/smbdotconf/winbind/winbindseparator.xml b/docs-xml/smbdotconf/winbind/winbindseparator.xml new file mode 100644 index 0000000000..63ab42000d --- /dev/null +++ b/docs-xml/smbdotconf/winbind/winbindseparator.xml @@ -0,0 +1,21 @@ + + + This parameter allows an admin to define the character + used when listing a username of the form of DOMAIN + \user. This parameter + is only applicable when using the pam_winbind.so + and nss_winbind.so modules for UNIX services. + + + Please note that setting this parameter to + causes problems + with group membership at least on glibc systems, as the character + + is used as a special character for NIS in /etc/group. + + +'\' ++ + diff --git a/docs-xml/smbdotconf/winbind/winbindtrusteddomainsonly.xml b/docs-xml/smbdotconf/winbind/winbindtrusteddomainsonly.xml new file mode 100644 index 0000000000..6ca229cfe9 --- /dev/null 
+++ b/docs-xml/smbdotconf/winbind/winbindtrusteddomainsonly.xml @@ -0,0 +1,24 @@ + + + + This parameter is designed to allow Samba servers that are members + of a Samba controlled domain to use UNIX accounts distributed via NIS, + rsync, or LDAP as the uid's for winbindd users in the hosts primary domain. + Therefore, the user DOMAIN\user1 would be mapped to + the account user1 in /etc/passwd instead of allocating a new uid for him or her. + + + + This parameter is now deprecated in favor of the newer idmap_nss backend. + Refer to the smb.conf option and + the idmap_nss + 8 man page for more information. + + + +no + diff --git a/docs-xml/smbdotconf/winbind/winbindusedefaultdomain.xml b/docs-xml/smbdotconf/winbind/winbindusedefaultdomain.xml new file mode 100644 index 0000000000..334068a329 --- /dev/null +++ b/docs-xml/smbdotconf/winbind/winbindusedefaultdomain.xml @@ -0,0 +1,19 @@ + + + This parameter specifies whether the + winbindd + 8 daemon should operate on users + without domain component in their username. Users without a domain + component are treated as is part of the winbindd server's own + domain. While this does not benifit Windows users, it makes SSH, FTP and + e-mail function in a way much closer to the way they + would in a native unix system. + + +no +yes + -- cgit