From 510064b14e8fddafe615f8c707023fcc3f84f094 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 10 Oct 2003 16:21:39 +0000 Subject: removing docs from HEAD (This used to be commit 820903ef5a062b4b9824c33ee035c68a39c8eeb0) --- .../docbook/smbdotconf/security/passwordserver.xml | 104 --------------------- 1 file changed, 104 deletions(-) delete mode 100644 docs/docbook/smbdotconf/security/passwordserver.xml (limited to 'docs/docbook/smbdotconf/security/passwordserver.xml') diff --git a/docs/docbook/smbdotconf/security/passwordserver.xml b/docs/docbook/smbdotconf/security/passwordserver.xml deleted file mode 100644 index f854027041..0000000000 --- a/docs/docbook/smbdotconf/security/passwordserver.xml +++ /dev/null @@ -1,104 +0,0 @@ - - - By specifying the name of another SMB server - or Active Directory domain controller with this option, - and using security = [ads|domain|server] - it is possible to get Samba to - to do all its username/password validation using a specific remote server. - - This option sets the name or IP address of the password server to use. - New syntax has been added to support defining the port to use when connecting - to the server the case of an ADS realm. To define a port other than the - default LDAP port of 389, add the port number using a colon after the - name or IP address (e.g. 192.168.1.100:389). If you do not specify a port, - Samba will use the standard LDAP port of tcp/389. Note that port numbers - have no effect on password servers for Windows NT 4.0 domains or netbios - connections. - - If parameter is a name, it is looked up using the - parameter name - resolve order and so may resolved - by any method and order described in that parameter. - - The password server must be a machine capable of using - the "LM1.2X002" or the "NT LM 0.12" protocol, and it must be in - user level security mode. - - Using a password server means your UNIX box (running - Samba) is only as secure as your password server. DO NOT - CHOOSE A PASSWORD SERVER THAT YOU DON'T COMPLETELY TRUST. - - - Never point a Samba server at itself for password serving. - This will cause a loop and could lock up your Samba server! - - The name of the password server takes the standard - substitutions, but probably the only useful one is %m - , which means the Samba server will use the incoming - client as the password server. If you use this then you better - trust your clients, and you had better restrict them with hosts allow! - - If the security parameter is set to - domain or ads, then the list of machines in this - option must be a list of Primary or Backup Domain controllers for the - Domain or the character '*', as the Samba server is effectively - in that domain, and will use cryptographically authenticated RPC calls - to authenticate the user logging on. The advantage of using - security = domain is that if you list several hosts in the - password server option then smbd - will try each in turn till it finds one that responds. This - is useful in case your primary server goes down. - - If the password server option is set - to the character '*', then Samba will attempt to auto-locate the - Primary or Backup Domain controllers to authenticate against by - doing a query for the name WORKGROUP<1C> - and then contacting each server returned in the list of IP - addresses from the name resolution source. - - If the list of servers contains both names/IP's and the '*' - character, the list is treated as a list of preferred - domain controllers, but an auto lookup of all remaining DC's - will be added to the list as well. Samba will not attempt to optimize - this list by locating the closest DC. - - If the security parameter is - set to server, then there are different - restrictions that security = domain doesn't - suffer from: - - - - You may list several password servers in - the password server parameter, however if an - smbd makes a connection to a password server, - and then the password server fails, no more users will be able - to be authenticated from this smbd. This is a - restriction of the SMB/CIFS protocol when in security = server - mode and cannot be fixed in Samba. - - - - If you are using a Windows NT server as your - password server then you will have to ensure that your users - are able to login from the Samba server, as when in - security = server mode the network logon will appear to - come from there rather than from the users workstation. - - - - See also the security - parameter. - - Default: password server = <empty string> - - Example: password server = NT-PDC, NT-BDC1, NT-BDC2, * - - Example: password server = windc.mydomain.com:389 192.168.1.101 * - - Example: password server = * - - -- cgit