From 1d4b2ff4b5766cf36965188f982a36483395f864 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sat, 1 Feb 2003 04:34:40 +0000 Subject: Minor doco updates - with a slightly bigger change to the 'security=server/domain' text, to try and explain the difference better, and why you should always use the latter. Also update the BDC-HOWTO to have some relation to current reality. Andrew Bartlett (This used to be commit 7fd0c9bd74a8513a0cbf67bb516c6c2642380c7f) --- docs/docbook/manpages/smb.conf.5.sgml | 103 ++++++++++++++++++++-------------- 1 file changed, 61 insertions(+), 42 deletions(-) (limited to 'docs/docbook/manpages') diff --git a/docs/docbook/manpages/smb.conf.5.sgml b/docs/docbook/manpages/smb.conf.5.sgml index 9a2ea4fbde..713d4a012e 100644 --- a/docs/docbook/manpages/smb.conf.5.sgml +++ b/docs/docbook/manpages/smb.conf.5.sgml @@ -2879,6 +2879,10 @@ df $1 | tail -1 | awk '{print $2" "$4}' Privileges will be those of the guest account. + This paramater nullifies the benifits of setting + restrict + anonymous = 2 + See the section below on security for more information about this option. @@ -5392,9 +5396,13 @@ df $1 | tail -1 | awk '{print $2" "$4}' Some version of NT 4.x allow non-guest users with a bad passowrd. When this option is enabled, samba will not use a broken NT 4.x server as password server, but instead complain - to the logs and exit. + to the logs and exit. + Disabling this option prevents Samba from making + this check, which involves deliberatly attempting a + bad logon to the remote server. + Default: paranoid server security = yes @@ -6851,7 +6859,7 @@ print5|My Printer 5 SECURITY = USER - This is the default security setting in Samba 2.2. + This is the default security setting in Samba 3.0. With user-level security a client must first "log-on" with a valid username and password (which can be mapped using the username map 
@@ -6875,24 +6883,27 @@ print5|My Printer 5 See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION. - SECURITY = SERVER + SECURITY = DOMAIN + - In this mode Samba will try to validate the username/password - by passing it to another SMB server, such as an NT box. If this - fails it will revert to security = user, but note - that if encrypted passwords have been negotiated then Samba cannot - revert back to checking the UNIX password file, it must have a valid - smbpasswd file to check users against. See the - documentation file in the docs/ directory - ENCRYPTION.txt for details on how to set this - up. + This mode will only work correctly if net + 8 has been used to add this + machine into a Windows NT Domain. It expects the encrypted passwords + parameter to be set to yes. In this + mode Samba will try to validate the username/password by passing + it to a Windows NT Primary or Backup Domain Controller, in exactly + the same way that a Windows NT Server would do. - Note that from the client's point of - view security = server is the same as - security = user. It only affects how the server deals - with the authentication, it does not in any way affect what the - client sees. + Note that a valid UNIX user must still + exist as well as the account on the Domain Controller to allow + Samba to have a valid UNIX account to map file access to. + + Note that from the client's point + of view security = domain is the same as security = user + . It only affects how the server deals with the authentication, + it does not in any way affect what the client sees. Note that the name of the resource being requested is not sent to the server until after 
@@ -6910,27 +6921,42 @@ print5|My Printer 5 server parameter and the encrypted passwords parameter. - - SECURITY = DOMAIN + + SECURITY = SERVER - This mode will only work correctly if smbpasswd - 8 has been used to add this - machine into a Windows NT Domain. It expects the In this mode Samba will try to validate the username/password + by passing it to another SMB server, such as an NT box. If this + fails it will revert to security = + user. It expects the encrypted passwords - parameter to be set to yes. In this - mode Samba will try to validate the username/password by passing - it to a Windows NT Primary or Backup Domain Controller, in exactly - the same way that a Windows NT Server would do. + parameter to be set to + yes, unless the remote server + does not support them. However note + that if encrypted passwords have been negotiated then Samba cannot + revert back to checking the UNIX password file, it must have a valid + smbpasswd file to check users against. See the + documentation file in the docs/ directory + ENCRYPTION.txt for details on how to set this + up. - Note that a valid UNIX user must still - exist as well as the account on the Domain Controller to allow - Samba to have a valid UNIX account to map file access to. + Note this mode of operation + has significant pitfalls, due to the fact that is + activly initiates a man-in-the-middle attack on the + remote SMB server. In particular, this mode of + operation can cause significant resource consuption on + the PDC, as it must maintain an active connection for + the duration of the user's session. Furthermore, if + this connection is lost, there is no way to + reestablish it, and futher authenticaions to the Samba + server may fail. (From a single client, till it + disconnects). - Note that from the client's point - of view security = domain is the same as security = user - . It only affects how the server deals with the authentication, - it does not in any way affect what the client sees. 
+ Note that from the client's point of + view security = server is the same as + security = user. It only affects how the server deals + with the authentication, it does not in any way affect what the + client sees. Note that the name of the resource being requested is not sent to the server until after @@ -6941,14 +6967,6 @@ print5|My Printer 5 See the map to guest parameter for details on doing this. - BUG: There is currently a bug in the - implementation of security = domain with respect - to multi-byte character set usernames. The communication with a - Domain Controller must be done in UNICODE and Samba currently - does not widen multi-byte user names to UNICODE correctly, thus - a multi-byte username will not be recognized correctly at the - Domain Controller. This issue will be addressed in a future release. - See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION. @@ -6956,9 +6974,10 @@ print5|My Printer 5 server parameter and the encrypted passwords parameter. - + Default: security = USER Example: security = DOMAIN + -- cgit
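Review bot: spelling in the first hunk (the `restrict anonymous` cross-reference added near line 2879): "paramater" should be "parameter" and "benifits" should be "benefits". Since this is a new sentence in the man page, it would also help to say which parameter is meant in the sentence itself rather than only by position, e.g. "Setting this parameter nullifies the benefits of setting restrict anonymous = 2".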
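Review bot: spelling and grammar in the `paranoid server security` hunk (around line 5396): "passowrd" should be "password", "deliberatly" should be "deliberately", and "Some version of NT 4.x allow" should be "Some versions of NT 4.x allow". The added explanation that the check works by deliberately attempting a bad logon is useful for operators reading their logs; consider also stating in the same sentence that the check runs at startup, since the existing text says Samba will "complain to the logs and exit" and a reader may otherwise assume it happens per login.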
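Review bot: the SECURITY = DOMAIN block moved up in the hunk at line 6883 now references `net 8` where the old text said `smbpasswd 8`; make sure the `net` man page reference carries the same refentry markup as the `smbpasswd` reference it replaces so the rendered cross-reference still links. The ordering change itself reads well: putting the recommended mode before `security = server` matches the commit message's intent to steer readers toward the domain mode.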
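Review bot: several spelling and grammar problems in the new pitfalls paragraph of the SECURITY = SERVER hunk (around line 6921): "due to the fact that is activly initiates" should be "due to the fact that it actively initiates", "consuption" should be "consumption", and "futher authenticaions" should be "further authentications". The trailing parenthetical "(From a single client, till it disconnects)." is a fragment; fold it into the preceding sentence, e.g. "further authentications from that client to the Samba server may fail until it disconnects." Also, the sentence "If this fails it will revert to security = user" now sits before the caveat that Samba cannot fall back to the UNIX password file once encrypted passwords are negotiated; a reader could take the two as contradictory, so it is worth stating explicitly that the fallback requires a populated smbpasswd file.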
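Review bot: the hunk at line 6967 deletes the BUG paragraph about multi-byte usernames under security = domain, but the commit message only describes a documentation reword and does not say that the UNICODE widening issue was fixed. If it has been resolved, a one-line mention in the commit message would make the removal traceable; if it has not, the paragraph should stay, since it warns operators about a real authentication failure mode at the Domain Controller.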