From 46168e99f7c6116b96335635ad974c7d8e20948e Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 13 May 2011 17:55:41 +0200 Subject: s3-param Deprecate a number of security parameters for 3.6 This follows up on the agreement on the samba-technical list in Jan 2011 to deprecate these options, and to possibly remove these in the 4.0 release after user feedback. Andrew Bartlett Autobuild-User: Andrew Bartlett Autobuild-Date: Fri May 13 19:51:41 CEST 2011 on sn-devel-104 --- docs-xml/smbdotconf/logon/enableprivileges.xml | 2 +- docs-xml/smbdotconf/protocol/usespnego.xml | 2 +- docs-xml/smbdotconf/security/passwordlevel.xml | 2 +- docs-xml/smbdotconf/security/security.xml | 142 ++++++++++++------------- docs-xml/smbdotconf/security/username.xml | 2 +- 5 files changed, 70 insertions(+), 80 deletions(-) (limited to 'docs-xml/smbdotconf') diff --git a/docs-xml/smbdotconf/logon/enableprivileges.xml b/docs-xml/smbdotconf/logon/enableprivileges.xml index 3e958e0ce9..0fbc504c52 100644 --- a/docs-xml/smbdotconf/logon/enableprivileges.xml +++ b/docs-xml/smbdotconf/logon/enableprivileges.xml @@ -5,7 +5,7 @@ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> - This parameter controls whether or not smbd will honor privileges assigned to specific SIDs via either + This deprecated parameter controls whether or not smbd will honor privileges assigned to specific SIDs via either net rpc rights or one of the Windows user and group manager tools. This parameter is enabled by default. It can be disabled to prevent members of the Domain Admins group from being able to assign privileges to users or groups which can then result in certain smbd operations running as root that diff --git a/docs-xml/smbdotconf/protocol/usespnego.xml b/docs-xml/smbdotconf/protocol/usespnego.xml index 8fb559c177..e16c7ce2be 100644 --- a/docs-xml/smbdotconf/protocol/usespnego.xml +++ b/docs-xml/smbdotconf/protocol/usespnego.xml @@ -4,7 +4,7 @@ developer="1" xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> - This variable controls controls whether samba will try + This deprecated variable controls controls whether samba will try to use Simple and Protected NEGOciation (as specified by rfc2478) with WindowsXP and Windows2000 clients to agree upon an authentication mechanism. diff --git a/docs-xml/smbdotconf/security/passwordlevel.xml b/docs-xml/smbdotconf/security/passwordlevel.xml index 1da11e406b..eee838f65c 100644 --- a/docs-xml/smbdotconf/security/passwordlevel.xml +++ b/docs-xml/smbdotconf/security/passwordlevel.xml @@ -13,7 +13,7 @@ text passwords even when NT LM 0.12 selected by the protocol negotiation request/response. - This parameter defines the maximum number of characters + This deprecated parameter defines the maximum number of characters that may be upper case in passwords. For example, say the password given was "FRED". If diff --git a/docs-xml/smbdotconf/security/security.xml b/docs-xml/smbdotconf/security/security.xml index 514ea54e0f..e20a73d6b1 100644 --- a/docs-xml/smbdotconf/security/security.xml +++ b/docs-xml/smbdotconf/security/security.xml @@ -22,32 +22,18 @@ the most common setting needed when talking to Windows 98 and Windows NT. - The alternatives are security = share, - security = server or security = domain - . + The alternatives are + security = ads or security = domain + , which support joining Samba to a Windows domain, along with security = share and security = server, both of which are deprecated. In versions of Samba prior to 2.0.0, the default was security = share mainly because that was the only option at one stage. - There is a bug in WfWg that has relevance to this - setting. When in user or server level security a WfWg client - will totally ignore the username and password you type in the "connect - drive" dialog box. This makes it very difficult (if not impossible) - to connect to a Samba service as anyone except the user that - you are logged into WfWg as. - - If your PCs use usernames that are the same as their - usernames on the UNIX machine then you will want to use - security = user. If you mostly use usernames - that don't exist on the UNIX box then use security = - share. - - You should also use security = share if you + You should use security = user and + if you want to mainly setup shares without a password (guest shares). This - is commonly used for a shared printer server. It is more difficult - to setup guest shares with security = user, see - the parameter for details. + is commonly used for a shared printer server. It is possible to use smbd in a hybrid mode where it is offers both user and share @@ -56,7 +42,62 @@ The different settings will now be explained. + SECURITY = USER + + This is the default security setting in Samba. + With user-level security a client must first "log-on" with a + valid username and password (which can be mapped using the + parameter). Encrypted passwords (see the parameter) can also + be used in this security mode. Parameters such as and if set are then applied and + may change the UNIX user to use on this connection, but only after + the user has been successfully authenticated. + + Note that the name of the resource being + requested is not sent to the server until after + the server has successfully authenticated the client. This is why + guest shares don't work in user level security without allowing + the server to automatically map unknown users into the . + See the parameter for details on doing this. + + See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION. + + SECURITY = DOMAIN + + This mode will only work correctly if net + 8 has been used to add this + machine into a Windows NT Domain. It expects the + parameter to be set to yes. In this + mode Samba will try to validate the username/password by passing + it to a Windows NT Primary or Backup Domain Controller, in exactly + the same way that a Windows NT Server would do. + + Note that a valid UNIX user must still + exist as well as the account on the Domain Controller to allow + Samba to have a valid UNIX account to map file access to. + + Note that from the client's point + of view security = domain is the same + as security = user. It only + affects how the server deals with the authentication, + it does not in any way affect what the client sees. + + Note that the name of the resource being + requested is not sent to the server until after + the server has successfully authenticated the client. This is why + guest shares don't work in user level security without allowing + the server to automatically map unknown users into the . + See the parameter for details on doing this. + + See also the section + NOTE ABOUT USERNAME/PASSWORD VALIDATION. + + See also the parameter and + the parameter. + SECURITY = SHARE + + This option is deprecated as it is incompatible with SMB2 When clients connect to a share level security server, they need not log onto the server with a valid username and password before @@ -135,63 +176,10 @@ See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION. - SECURITY = USER - - This is the default security setting in Samba 3.0. - With user-level security a client must first "log-on" with a - valid username and password (which can be mapped using the - parameter). Encrypted passwords (see the parameter) can also - be used in this security mode. Parameters such as and if set are then applied and - may change the UNIX user to use on this connection, but only after - the user has been successfully authenticated. - - Note that the name of the resource being - requested is not sent to the server until after - the server has successfully authenticated the client. This is why - guest shares don't work in user level security without allowing - the server to automatically map unknown users into the . - See the parameter for details on doing this. - - See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION. - - SECURITY = DOMAIN - - This mode will only work correctly if net - 8 has been used to add this - machine into a Windows NT Domain. It expects the - parameter to be set to yes. In this - mode Samba will try to validate the username/password by passing - it to a Windows NT Primary or Backup Domain Controller, in exactly - the same way that a Windows NT Server would do. - - Note that a valid UNIX user must still - exist as well as the account on the Domain Controller to allow - Samba to have a valid UNIX account to map file access to. - - Note that from the client's point - of view security = domain is the same - as security = user. It only - affects how the server deals with the authentication, - it does not in any way affect what the client sees. - - Note that the name of the resource being - requested is not sent to the server until after - the server has successfully authenticated the client. This is why - guest shares don't work in user level security without allowing - the server to automatically map unknown users into the . - See the parameter for details on doing this. - - See also the section - NOTE ABOUT USERNAME/PASSWORD VALIDATION. - - See also the parameter and - the parameter. - SECURITY = SERVER - In this mode Samba will try to validate the username/password by passing it to another SMB server, such as an + In this depicted mode Samba will try to validate the username/password by passing it to another SMB server, such as an NT box. If this fails it will revert to security = user. It expects the parameter to be set to yes, unless the remote server does not support them. However note that if encrypted passwords have been negotiated then Samba cannot @@ -203,10 +191,10 @@ This mode of operation has significant pitfalls since it is more vulnerable to man-in-the-middle attacks and server impersonation. In particular, - this mode of operation can cause significant resource consuption on + this mode of operation can cause significant resource consumption on the PDC, as it must maintain an active connection for the duration of the user's session. Furthermore, if this connection is lost, - there is no way to reestablish it, and futher authentications to the + there is no way to reestablish it, and further authentications to the Samba server may fail (from a single client, till it disconnects). @@ -216,6 +204,8 @@ only affects how the server deals with the authentication, it does not in any way affect what the client sees. + This option is deprecated, and may be removed in future + Note that the name of the resource being requested is not sent to the server until after the server has successfully authenticated the client. This is why diff --git a/docs-xml/smbdotconf/security/username.xml b/docs-xml/smbdotconf/security/username.xml index 3a45d4d72f..19d8a2ecfd 100644 --- a/docs-xml/smbdotconf/security/username.xml +++ b/docs-xml/smbdotconf/security/username.xml @@ -9,7 +9,7 @@ list, in which case the supplied password will be tested against each username in turn (left to right). - The username line is needed only when + The deprecated username line is needed only when the PC is unable to supply its own username. This is the case for the COREPLUS protocol or where your users have different WfWg usernames to UNIX usernames. In both these cases you may also be -- cgit From 5608995bd2182c12310ef4b4dd39583b6fe77b1e Mon Sep 17 00:00:00 2001 From: Björn Baumbach Date: Thu, 3 Feb 2011 11:06:57 +0100 Subject: s3-docs: change eventlog path from lockdir to statedir See elog_tdbname() in source3/lib/eventlog/eventlog.c. Signed-off-by: Stefan Metzmacher --- docs-xml/smbdotconf/protocol/eventloglist.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'docs-xml/smbdotconf') diff --git a/docs-xml/smbdotconf/protocol/eventloglist.xml b/docs-xml/smbdotconf/protocol/eventloglist.xml index e98559bc17..101821ad12 100644 --- a/docs-xml/smbdotconf/protocol/eventloglist.xml +++ b/docs-xml/smbdotconf/protocol/eventloglist.xml @@ -6,7 +6,7 @@ This option defines a list of log names that Samba will report to the Microsoft EventViewer utility. The listed eventlogs will be associated with tdb file on disk in the - $(lockdir)/eventlog. + $(statedir)/eventlog. -- cgit From 387cbb1c37fba6a0a18b87ced31c91d0948a0699 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 23 May 2011 10:42:40 +1000 Subject: docs: Clarify the 'security=server' fails for NTLMv2 --- docs-xml/smbdotconf/security/security.xml | 3 +++ 1 file changed, 3 insertions(+) (limited to 'docs-xml/smbdotconf') diff --git a/docs-xml/smbdotconf/security/security.xml b/docs-xml/smbdotconf/security/security.xml index e20a73d6b1..55e147e8dc 100644 --- a/docs-xml/smbdotconf/security/security.xml +++ b/docs-xml/smbdotconf/security/security.xml @@ -198,6 +198,9 @@ Samba server may fail (from a single client, till it disconnects). + If the client selects NTLMv2 authentication, then this mode of operation will fail + + From the client's point of view, security = server is the same as security = user. It -- cgit From ddbc5fa236a91d4b9ecd7641ab1d3c69d9569410 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 23 May 2011 10:20:47 +1000 Subject: docs: Rewrite 'password server' documentation I think this new version is more clear. Andrew Bartlett --- docs-xml/smbdotconf/security/passwordserver.xml | 106 ++++++++++++------------ 1 file changed, 54 insertions(+), 52 deletions(-) (limited to 'docs-xml/smbdotconf') diff --git a/docs-xml/smbdotconf/security/passwordserver.xml b/docs-xml/smbdotconf/security/passwordserver.xml index 0e92af9eba..0ac39f103c 100644 --- a/docs-xml/smbdotconf/security/passwordserver.xml +++ b/docs-xml/smbdotconf/security/passwordserver.xml @@ -10,54 +10,24 @@ it is possible to get Samba to do all its username/password validation using a specific remote server. - This option sets the name or IP address of the password server to use. - New syntax has been added to support defining the port to use when connecting - to the server the case of an ADS realm. To define a port other than the - default LDAP port of 389, add the port number using a colon after the - name or IP address (e.g. 192.168.1.100:389). If you do not specify a port, - Samba will use the standard LDAP port of tcp/389. Note that port numbers - have no effect on password servers for Windows NT 4.0 domains or netbios - connections. - - If parameter is a name, it is looked up using the - parameter and so may resolved - by any method and order described in that parameter. - - The password server must be a machine capable of using - the "LM1.2X002" or the "NT LM 0.12" protocol, and it must be in - user level security mode. - - Using a password server means your UNIX box (running - Samba) is only as secure as your password server. DO NOT - CHOOSE A PASSWORD SERVER THAT YOU DON'T COMPLETELY TRUST. - - - Never point a Samba server at itself for password serving. - This will cause a loop and could lock up your Samba server! - - The name of the password server takes the standard - substitutions, but probably the only useful one is %m - , which means the Samba server will use the incoming - client as the password server. If you use this then you better - trust your clients, and you had better restrict them with hosts allow! - If the security parameter is set to - domain or ads, then the list of machines in this - option must be a list of Primary or Backup Domain controllers for the - Domain or the character '*', as the Samba server is effectively - in that domain, and will use cryptographically authenticated RPC calls - to authenticate the user logging on. The advantage of using - security = domain is that if you list several hosts in the - password server option then smbd - will try each in turn till it finds one that responds. This - is useful in case your primary server goes down. + domain or ads, then this option + should not be used, as the default '*' indicates to Samba + to determine the best DC to contact dynamically, just as all other hosts in an + AD domain do. This allows the domain to be maintained without modification to + the smb.conf file. The cryptograpic protection on the authenticated RPC calls + used to verify passwords ensures that this default is safe. - If the password server option is set - to the character '*', then Samba will attempt to auto-locate the - Primary or Backup Domain controllers to authenticate against by - doing a query for the name WORKGROUP<1C> - and then contacting each server returned in the list of IP - addresses from the name resolution source. + It is strongly recommended that you use the + default of '*', however if in your particular + environment you have reason to specify a particular DC list, then + the list of machines in this option must be a list of names or IP + addresses of Domain controllers for the Domain. If you use the + default of '*', or list several hosts in the password server option then smbd will try each in turn till it + finds one that responds. This is useful in case your primary + server goes down. If the list of servers contains both names/IP's and the '*' character, the list is treated as a list of preferred @@ -65,10 +35,12 @@ will be added to the list as well. Samba will not attempt to optimize this list by locating the closest DC. + If parameter is a name, it is looked up using the + parameter and so may resolved + by any method and order described in that parameter. + If the security parameter is - set to server, then there are different - restrictions that security = domain doesn't - suffer from: + set to server, these additional restrictions apply: @@ -82,12 +54,42 @@ - If you are using a Windows NT server as your - password server then you will have to ensure that your users + You will have to ensure that your users are able to login from the Samba server, as when in security = server mode the network logon will appear to - come from there rather than from the users workstation. + come from the Samba server rather than from the users workstation. + + + The client must not select NTLMv2 authentication. + + + + The password server must be a machine capable of using + the "LM1.2X002" or the "NT LM 0.12" protocol, and it must be in + user level security mode. + + + + Using a password server means your UNIX box (running + Samba) is only as secure as (a host masqurading as) your password server. DO NOT + CHOOSE A PASSWORD SERVER THAT YOU DON'T COMPLETELY TRUST. + + + + + Never point a Samba server at itself for password serving. + This will cause a loop and could lock up your Samba server! + + + + The name of the password server takes the standard + substitutions, but probably the only useful one is %m + , which means the Samba server will use the incoming + client as the password server. If you use this then you better + trust your clients, and you had better restrict them with hosts allow! + + -- cgit From 875e29ba830b269faf8ca7ff7cd7fc95c0c18f28 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Thu, 26 May 2011 11:40:21 +0200 Subject: s3: Document "async smb echo handler" Autobuild-User: Volker Lendecke Autobuild-Date: Thu May 26 12:50:55 CEST 2011 on sn-devel-104 --- docs-xml/smbdotconf/misc/asyncsmbechohandler.xml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 docs-xml/smbdotconf/misc/asyncsmbechohandler.xml (limited to 'docs-xml/smbdotconf') diff --git a/docs-xml/smbdotconf/misc/asyncsmbechohandler.xml b/docs-xml/smbdotconf/misc/asyncsmbechohandler.xml new file mode 100644 index 0000000000..d10dac90b3 --- /dev/null +++ b/docs-xml/smbdotconf/misc/asyncsmbechohandler.xml @@ -0,0 +1,15 @@ + + + This parameter specifies whether Samba should fork the + async smb echo handler. It can be beneficial if your file + system can block syscalls for a very long time. In some + circumstances, it prolongs the timeout that Windows uses to + determine whether a connection is dead. + + +no + -- cgit From 939378d42abaed230bf7590c37ea275c57f4fd93 Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Tue, 31 May 2011 10:03:18 +0200 Subject: s3:doc: update documentation of the "idmap config FOO : BAR" familiy of parameters --- docs-xml/smbdotconf/winbind/idmapconfig.xml | 103 ++++++++++++++++++++++------ 1 file changed, 83 insertions(+), 20 deletions(-) (limited to 'docs-xml/smbdotconf') diff --git a/docs-xml/smbdotconf/winbind/idmapconfig.xml b/docs-xml/smbdotconf/winbind/idmapconfig.xml index f6e97b9d97..69bddf0ebf 100644 --- a/docs-xml/smbdotconf/winbind/idmapconfig.xml +++ b/docs-xml/smbdotconf/winbind/idmapconfig.xml @@ -6,44 +6,108 @@ - The idmap config prefix provides a means of managing each trusted - domain separately. The idmap config prefix should be followed by the - name of the domain, a colon, and a setting specific to the chosen - backend. There are three options available for all domains: + ID mapping in Samba is the mapping between Windows SIDs and Unix user + and group IDs. This is performed by Winbindd with a configurable plugin + interface. Samba's ID mapping is configured by options starting with the + prefix. + An idmap option consists of the + prefix, followed by a domain name or the asterisk character (*), + a colon, and the name of an idmap setting for the chosen domain. - + + The idmap configuration is hence divided into groups, one group + for each domain to be configured, and one group with the the + asterisk instead of a proper domain name, which speifies the + default configuration that is used to catch all domains that do + not have an explicit idmap configuration of their own. + + + + There are three general options available: + + + backend = backend_name - Specifies the name of the idmap plugin to use as the - SID/uid/gid backend for this domain. + This specifies the name of the idmap plugin to use as the + SID/uid/gid backend for this domain. The standard backends are + tdb + (idmap_tdb 8 ), + tdb2 + (idmap_tdb2 8), + ldap + (idmap_ldap 8), + , + rid + (idmap_rid 8), + , + hash + (idmap_hash 8), + , + autorid + (idmap_autorid 8), + , + ad + (idmap_ad 8), + , + adex + (idmap_adex 8), + , + and nss. + (idmap_nss 8), + The corresponding manual pages contain the details, but + here is a summary. + + + The first three of these create mappings of their own using + internal unixid counters and store the mappings in a database. + These are suitable for use in the default idmap configuration. + The rid and hash backends use a pure algorithmic calculation + to determine the unixid for a SID. The autorid module is a + mixture of the tdb and rid backend. It creates ranges for + each domain encountered and then uses the rid algorithm for each + of these automatically configured domains individually. + The ad and adex + backends both use unix IDs stored in Active Directory via + the standard schema extensions. The nss backend reverses + the standard winbindd setup and gets the unixids via names + from nsswitch which can be useful in an ldap setup. range = low - high - + Defines the available matching uid and gid range for which the - backend is authoritative. Note that the range commonly - matches the allocation range due to the fact that the same - backend will store and retrieve SID/uid/gid mapping entries. - + backend is authoritative. For allocating backends, this also + defines the start and the end of the range for allocating + new unid IDs. + winbind uses this parameter to find the backend that is - authoritative for a unix ID to SID mapping, so it must be set - for each individually configured domain, and it must be - disjoint from the ranges set via and . + authoritative for a unix ID to SID mapping, so it must be set + for each individually configured domain and for the default + configuration. The configured ranges must be mutually disjoint. + + + read only = yes|no + + This option can be used to turn the writing backends + tdb, tdb2, and ldap into read only mode. This can be useful + e.g. in cases where a pre-filled database exists that should + not be extended automatically. + The following example illustrates how to configure the idmap_ad 8 - for the CORP domain and the + backend for the CORP domain and the idmap_tdb 8 backend for all other domains. This configuration assumes that the admin of CORP assigns @@ -53,9 +117,8 @@ - idmap backend = tdb - idmap uid = 1000000-1999999 - idmap gid = 1000000-1999999 + idmap config * : backend = tdb + idmap config * : range = 1000000-1999999 idmap config CORP : backend = ad idmap config CORP : range = 1000-999999 -- cgit From 13c4c30a02269b91379a50acbc45a883588d37bf Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Tue, 31 May 2011 10:07:59 +0200 Subject: s3:doc: document "idmap backend" as deprecated. --- docs-xml/smbdotconf/winbind/idmapbackend.xml | 35 ++-------------------------- 1 file changed, 2 insertions(+), 33 deletions(-) (limited to 'docs-xml/smbdotconf') diff --git a/docs-xml/smbdotconf/winbind/idmapbackend.xml b/docs-xml/smbdotconf/winbind/idmapbackend.xml index 824476f454..bd96dfedd8 100644 --- a/docs-xml/smbdotconf/winbind/idmapbackend.xml +++ b/docs-xml/smbdotconf/winbind/idmapbackend.xml @@ -11,39 +11,8 @@ This option specifies the default backend that is used when no special - configuration set by matches the - specific request. - - - - This default backend also specifies the place where winbind-generated - idmap entries will be stored. So it is highly recommended that you - specify a writable backend like - idmap_tdb 8 - or - idmap_ldap 8 - as the idmap backend. The - idmap_rid 8 - and - idmap_ad 8 - backends are not writable and thus will generate - unexpected results if set as idmap backend. - - - - To use the rid and ad backends, please specify them via the - parameter, possibly also for the - domain your machine is member of, specified by . - - - Examples of SID/uid/gid backends include tdb ( - idmap_tdb8), - ldap (idmap_ldap - 8), rid ( - idmap_rid8), - and ad (idmap_ad - 8). + configuration set, but it is now deprecated in favour of the new + spelling . -- cgit From 871daf1aa4b3c73e63f0ff7e47a444bfc000b7aa Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Tue, 31 May 2011 10:08:44 +0200 Subject: s3:doc: remove the documentation of "idmap alloc backend", which has been removed --- docs-xml/smbdotconf/winbind/idmapallocconfig.xml | 14 -------------- 1 file changed, 14 deletions(-) delete mode 100644 docs-xml/smbdotconf/winbind/idmapallocconfig.xml (limited to 'docs-xml/smbdotconf') diff --git a/docs-xml/smbdotconf/winbind/idmapallocconfig.xml b/docs-xml/smbdotconf/winbind/idmapallocconfig.xml deleted file mode 100644 index 013904122c..0000000000 --- a/docs-xml/smbdotconf/winbind/idmapallocconfig.xml +++ /dev/null @@ -1,14 +0,0 @@ - - - - The idmap alloc config prefix provides a means of managing settings - for the backend defined by the - parameter. Refer to the man page for each idmap plugin regarding - specific configuration details. - - - -- cgit From 7c1021bc2b90777c2171dff2923ee16a0957c2f5 Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Tue, 31 May 2011 10:29:08 +0200 Subject: s3:doc: document "idmap uid" as deprecated. --- docs-xml/smbdotconf/winbind/idmapuid.xml | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) (limited to 'docs-xml/smbdotconf') diff --git a/docs-xml/smbdotconf/winbind/idmapuid.xml b/docs-xml/smbdotconf/winbind/idmapuid.xml index 2c53817375..ce5a4dea05 100644 --- a/docs-xml/smbdotconf/winbind/idmapuid.xml +++ b/docs-xml/smbdotconf/winbind/idmapuid.xml @@ -6,14 +6,12 @@ winbind uid - The idmap uid parameter specifies the range of user ids that are - allocated for use in mapping UNIX users to NT user SIDs. This - range of ids should have no existing local - or NIS users within it as strange conflicts can occur otherwise. - - See also the and - options. + The idmap uid parameter specifies the range of user ids for + the default idmap configuration. It is now deprecated in favour + of . + + See the option. -- cgit From 54c788f2dff1280636f3ce6f21e547c852aa862f Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Tue, 31 May 2011 10:29:37 +0200 Subject: s3:doc: document "idmap gid" as deprecated. Autobuild-User: Michael Adam Autobuild-Date: Tue May 31 11:39:38 CEST 2011 on sn-devel-104 --- docs-xml/smbdotconf/winbind/idmapgid.xml | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) (limited to 'docs-xml/smbdotconf') diff --git a/docs-xml/smbdotconf/winbind/idmapgid.xml b/docs-xml/smbdotconf/winbind/idmapgid.xml index ef3ae4fde1..27648a253d 100644 --- a/docs-xml/smbdotconf/winbind/idmapgid.xml +++ b/docs-xml/smbdotconf/winbind/idmapgid.xml @@ -5,16 +5,13 @@ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> winbind gid - The idmap gid parameter specifies the range of group ids - that are allocated for the purpose of mapping UNX groups to NT group - SIDs. This range of group ids should have no - existing local or NIS groups within it as strange conflicts can - occur otherwise. - - See also the , and - options. + + The idmap gid parameter specifies the range of group ids + for the default idmap configuration. It is now deprecated + in favour of . + See the option. -- cgit From ec9ff19e60907d6858c6a04f3fcd0e61d5c83100 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 1 Jun 2011 11:10:47 +1000 Subject: s3-param Make lp_passwordserver() const. This means that it no longer takes % substituations, and so the documentation for this behaviour is removed from the smb.conf manpage. (This mode is only useful in security=server, which is already marked as deprecated in 3.6). Andrew Bartlett --- docs-xml/smbdotconf/security/passwordserver.xml | 8 -------- 1 file changed, 8 deletions(-) (limited to 'docs-xml/smbdotconf') diff --git a/docs-xml/smbdotconf/security/passwordserver.xml b/docs-xml/smbdotconf/security/passwordserver.xml index 0ac39f103c..09d335c3ac 100644 --- a/docs-xml/smbdotconf/security/passwordserver.xml +++ b/docs-xml/smbdotconf/security/passwordserver.xml @@ -82,14 +82,6 @@ This will cause a loop and could lock up your Samba server! - - The name of the password server takes the standard - substitutions, but probably the only useful one is %m - , which means the Samba server will use the incoming - client as the password server. If you use this then you better - trust your clients, and you had better restrict them with hosts allow! - - -- cgit From 776598a98103a20fc6a0bfafdebd105e448518ac Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 7 Jun 2011 09:47:26 +1000 Subject: s3-docs Add documentation for ncalrpc dir Autobuild-User: Andrew Bartlett Autobuild-Date: Tue Jun 7 02:57:33 CEST 2011 on sn-devel-104 --- docs-xml/smbdotconf/misc/ncalrpcdir.xml | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 docs-xml/smbdotconf/misc/ncalrpcdir.xml (limited to 'docs-xml/smbdotconf') diff --git a/docs-xml/smbdotconf/misc/ncalrpcdir.xml b/docs-xml/smbdotconf/misc/ncalrpcdir.xml new file mode 100644 index 0000000000..b53acef9e2 --- /dev/null +++ b/docs-xml/smbdotconf/misc/ncalrpcdir.xml @@ -0,0 +1,13 @@ + + + This directory will hold a series of named pipes to allow RPC over inter-process communication. . + This will allow Samba and other unix processes to interact over DCE/RPC without using TCP/IP. Additionally a sub-directory 'np' has restricted permissions, and allows a trusted communication channel between Samba processes + + +${prefix}/var/ncalrpc +/var/run/samba/ncalrpc + -- cgit From 530e4cac2e93177923080daa5ec1bac2c65d269b Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sat, 11 Jun 2011 09:49:12 +1000 Subject: s3-param Remove 'time offset' from smb.conf This strange parameter is apparently very rarely used, and it seems to me that on modern networks, if clients don't have correct clocks and DST offsets, that many other things (Kerberos) start to fail pretty quickly, and time and DST tables tend to be internet delivered anyway. Autobuild-User: Andrew Bartlett Autobuild-Date: Sat Jun 11 03:54:45 CEST 2011 on sn-devel-104 --- docs-xml/smbdotconf/misc/timeoffset.xml | 15 --------------- 1 file changed, 15 deletions(-) delete mode 100644 docs-xml/smbdotconf/misc/timeoffset.xml (limited to 'docs-xml/smbdotconf') diff --git a/docs-xml/smbdotconf/misc/timeoffset.xml b/docs-xml/smbdotconf/misc/timeoffset.xml deleted file mode 100644 index 1afc514e60..0000000000 --- a/docs-xml/smbdotconf/misc/timeoffset.xml +++ /dev/null @@ -1,15 +0,0 @@ - - - This parameter is a setting in minutes to add - to the normal GMT to local time conversion. This is useful if - you are serving a lot of PCs that have incorrect daylight - saving time handling. - - -0 -60 - -- cgit From 38b5beb33d78fd6a799fa591e29e5e1227adfa70 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 21 Jun 2011 10:20:05 +1000 Subject: param: Remove "announce as" parameter --- docs-xml/smbdotconf/protocol/announceas.xml | 21 --------------------- 1 file changed, 21 deletions(-) delete mode 100644 docs-xml/smbdotconf/protocol/announceas.xml (limited to 'docs-xml/smbdotconf') diff --git a/docs-xml/smbdotconf/protocol/announceas.xml b/docs-xml/smbdotconf/protocol/announceas.xml deleted file mode 100644 index 8891496194..0000000000 --- a/docs-xml/smbdotconf/protocol/announceas.xml +++ /dev/null @@ -1,21 +0,0 @@ - - - This specifies what type of server nmbd - 8 will announce itself as, to a network neighborhood browse - list. By default this is set to Windows NT. The valid options - are : "NT Server" (which can also be written as "NT"), - "NT Workstation", "Win95" or "WfW" meaning Windows NT Server, - Windows NT Workstation, Windows 95 and Windows for Workgroups - respectively. Do not change this parameter unless you have a - specific need to stop Samba appearing as an NT server as this - may prevent Samba servers from participating as browser servers - correctly. - - -NT Server -Win95 - -- cgit From 734e1b6812b672fc7d838e943b14b8a176552734 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 21 Jun 2011 15:14:29 +1000 Subject: s3-param Remove 'announce version' parameter The only users I can find of this on the internet involve confused users, and our own documentation recommends never setting this. Don't confuse our users any longer. Andrew Bartlett --- docs-xml/smbdotconf/protocol/announceversion.xml | 14 -------------- 1 file changed, 14 deletions(-) delete mode 100644 docs-xml/smbdotconf/protocol/announceversion.xml (limited to 'docs-xml/smbdotconf') diff --git a/docs-xml/smbdotconf/protocol/announceversion.xml b/docs-xml/smbdotconf/protocol/announceversion.xml deleted file mode 100644 index ecdcd4c734..0000000000 --- a/docs-xml/smbdotconf/protocol/announceversion.xml +++ /dev/null @@ -1,14 +0,0 @@ - - - This specifies the major and minor version numbers - that nmbd will use when announcing itself as a server. The default - is 4.9. Do not change this parameter unless you have a specific - need to set a Samba server to be a downlevel server. - -4.9 -2.0 - -- cgit