From 28499b04769ee0d310e48576b868e11c0d2b1422 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Tue, 4 Sep 2012 08:46:06 +1000
Subject: docs: Remove references to security=share and security=server from the smb.conf docs
---
docs-xml/smbdotconf/logon/adduserscript.xml | 8 ----
docs-xml/smbdotconf/security/adminusers.xml | 3 --
docs-xml/smbdotconf/security/encryptpasswords.xml | 2 +-
docs-xml/smbdotconf/security/maptoguest.xml | 18 +-------
docs-xml/smbdotconf/security/passwordserver.xml | 55 +++--------------------
docs-xml/smbdotconf/security/readlist.xml | 4 --
docs-xml/smbdotconf/security/security.xml | 2 +-
docs-xml/smbdotconf/security/usernamemap.xml | 6 +--
docs-xml/smbdotconf/security/writelist.xml | 5 ---
9 files changed, 12 insertions(+), 91 deletions(-)
(limited to 'docs-xml/smbdotconf')
diff --git a/docs-xml/smbdotconf/logon/adduserscript.xml b/docs-xml/smbdotconf/logon/adduserscript.xml
index 7128cb73c7..d8abcdada5 100644
--- a/docs-xml/smbdotconf/logon/adduserscript.xml
+++ b/docs-xml/smbdotconf/logon/adduserscript.xml
@@ -18,14 +18,6 @@ ON DEMAND when a user accesses the Samba server. - - In order to use this option, smbd - 8 must NOT be set to - share and - must be set to a full pathname for a script that will create a UNIX user given one argument of - %u, which expands into the UNIX user name to create. - - When the Windows user attempts to access the Samba server, at login (session setup in the SMB protocol) time, smbd
diff --git a/docs-xml/smbdotconf/security/adminusers.xml b/docs-xml/smbdotconf/security/adminusers.xml
index d8f14b6d74..30adea9d97 100644
--- a/docs-xml/smbdotconf/security/adminusers.xml
+++ b/docs-xml/smbdotconf/security/adminusers.xml
@@ -11,9 +11,6 @@ this list will be able to do anything they like on the share, irrespective of file permissions. - This parameter will not work with the share in - Samba 3.0. This is by design. -
diff --git a/docs-xml/smbdotconf/security/encryptpasswords.xml b/docs-xml/smbdotconf/security/encryptpasswords.xml
index 1a631fd098..fdf0cfd43e 100644
--- a/docs-xml/smbdotconf/security/encryptpasswords.xml
+++ b/docs-xml/smbdotconf/security/encryptpasswords.xml
@@ -32,7 +32,7 @@ have access to a local smbpasswd 5 file (see the smbpasswd 8 program for information on how to set up - and maintain this file), or set the [server|domain|ads] parameter which + and maintain this file), or set the [domain|ads] parameter which causes smbd to authenticate against another server.
diff --git a/docs-xml/smbdotconf/security/maptoguest.xml b/docs-xml/smbdotconf/security/maptoguest.xml
index 0f680ae71c..09017bcb10 100644
--- a/docs-xml/smbdotconf/security/maptoguest.xml
+++ b/docs-xml/smbdotconf/security/maptoguest.xml
@@ -4,11 +4,6 @@ advanced="1" developer="1" xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> - This parameter is only useful in - security modes other than security = share - and security = server - - i.e. user, and domain. - This parameter can take four different values, which tell smbd 8 what to do with user
@@ -55,20 +50,11 @@ Note that this parameter is needed to set up "Guest" - share services when using security modes other than - share and server. This is because in these modes the name of the resource being + share services. This is because in these modes the name of the resource being requested is not sent to the server until after the server has successfully authenticated the client so the server cannot make authentication decisions at the correct time (connection - to the share) for "Guest" shares. This parameter is not useful with - security = server as in this security mode - no information is returned about whether a user logon failed due to - a bad username or bad password, the same error is returned from a modern server - in both cases. - - For people familiar with the older Samba releases, this - parameter maps to the old compile-time setting of the - GUEST_SESSSETUP value in local.h. + to the share) for "Guest" shares. Never
diff --git a/docs-xml/smbdotconf/security/passwordserver.xml b/docs-xml/smbdotconf/security/passwordserver.xml
index ad242c4a41..18baa9bdbc 100644
--- a/docs-xml/smbdotconf/security/passwordserver.xml
+++ b/docs-xml/smbdotconf/security/passwordserver.xml
@@ -4,17 +4,16 @@ advanced="1" wizard="1" developer="1" xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> - By specifying the name of another SMB server - or Active Directory domain controller with this option, - and using security = [ads|domain|server] + By specifying the name of a domain controller with this option, + and using security = [ads|domain] it is possible to get Samba to do all its username/password validation using a specific remote server. - If the security parameter is set to - domain or ads, then this option + Ideally, this option should not be used, as the default '*' indicates to Samba to determine the best DC to contact dynamically, just as all other hosts in an - AD domain do. This allows the domain to be maintained without modification to + AD domain do. This allows the domain to be maintained (addition + and removal of domain controllers) without modification to the smb.conf file. The cryptographic protection on the authenticated RPC calls used to verify passwords ensures that this default is safe. 
@@ -39,50 +38,6 @@ parameter and so may resolved by any method and order described in that parameter. - If the security parameter is - set to server, these additional restrictions apply: - - - - You may list several password servers in - the password server parameter, however if an - smbd makes a connection to a password server, - and then the password server fails, no more users will be able - to be authenticated from this smbd. This is a - restriction of the SMB/CIFS protocol when in security = server - mode and cannot be fixed in Samba. - - - - You will have to ensure that your users - are able to login from the Samba server, as when in - security = server mode the network logon will appear to - come from the Samba server rather than from the users workstation. - - - - The client must not select NTLMv2 authentication. - - - - The password server must be a machine capable of using - the "LM1.2X002" or the "NT LM 0.12" protocol, and it must be in - user level security mode. - - - - Using a password server means your UNIX box (running - Samba) is only as secure as (a host masquerading as) your password server. DO NOT - CHOOSE A PASSWORD SERVER THAT YOU DON'T COMPLETELY TRUST. - - - - - Never point a Samba server at itself for password serving. - This will cause a loop and could lock up your Samba server! - - - security
diff --git a/docs-xml/smbdotconf/security/readlist.xml b/docs-xml/smbdotconf/security/readlist.xml
index df6b4f129b..c874fef456 100644
--- a/docs-xml/smbdotconf/security/readlist.xml
+++ b/docs-xml/smbdotconf/security/readlist.xml
@@ -9,11 +9,7 @@ to. The list can include group names using the syntax described in the parameter. - - This parameter will not work with the share in - Samba 3.0. This is by design. - write list invalid users
diff --git a/docs-xml/smbdotconf/security/security.xml b/docs-xml/smbdotconf/security/security.xml
index 453de94620..406089f2da 100644
--- a/docs-xml/smbdotconf/security/security.xml
+++ b/docs-xml/smbdotconf/security/security.xml
@@ -16,7 +16,7 @@ The alternatives are security = ads or security = domain - , which support joining Samba to a Windows domain, along with security = server, which is deprecated. + , which support joining Samba to a Windows domain You should use security = user and if you
diff --git a/docs-xml/smbdotconf/security/usernamemap.xml b/docs-xml/smbdotconf/security/usernamemap.xml
index fec7375f7f..21098fa463 100644
--- a/docs-xml/smbdotconf/security/usernamemap.xml
+++ b/docs-xml/smbdotconf/security/usernamemap.xml
@@ -12,7 +12,7 @@ - Please note that for user or share mode security, the username map is applied prior to validating the user + Please note that for user mode security, the username map is applied prior to validating the user credentials. Domain member servers (domain or ads) apply the username map after the user has been successfully authenticated by the domain controller and require fully qualified entries in the map table (e.g. biddle = DOMAIN\foo).
@@ -84,8 +84,8 @@ guest = * Note that the remapping is applied to all occurrences of usernames. Thus if you connect to \\server\fred and fred is remapped to mary then you will actually be connecting to \\server\mary and will need to supply a password suitable for mary not - fred. The only exception to this is the username passed to the (if you have one). The password server will receive whatever username the client + fred. The only exception to this is the + username passed to a Domain Controller (if you have one). The DC will receive whatever username the client supplies without modification.
diff --git a/docs-xml/smbdotconf/security/writelist.xml b/docs-xml/smbdotconf/security/writelist.xml
index 60db3f19f0..c17db81743 100644
--- a/docs-xml/smbdotconf/security/writelist.xml
+++ b/docs-xml/smbdotconf/security/writelist.xml
@@ -15,11 +15,6 @@ given write access. - - By design, this parameter will not work with the - share in Samba 3.0. - - read list
-- cgit