From 89c3447c7f98a00f0b503732e4abfb5d7c84ccd0 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Tue, 1 Jul 2003 18:34:31 +0000 Subject: being a responsible developer for a change. Make sure to update the docs wrt to the recent code changes. Can someone regenerate these in the SAMBA_3_0 tree please? Thanks. (This used to be commit ba448e6eb866d70daf5fe629c0f1c8c5afb1d312) --- docs/docbook/smbdotconf/security/authmethods.xml | 14 ++++++++-- .../docbook/smbdotconf/security/passwordserver.xml | 32 +++++++++++++--------- 2 files changed, 31 insertions(+), 15 deletions(-) (limited to 'docs/docbook/smbdotconf/security') diff --git a/docs/docbook/smbdotconf/security/authmethods.xml b/docs/docbook/smbdotconf/security/authmethods.xml index 0b7965d55b..7c0f5a71e1 100644 --- a/docs/docbook/smbdotconf/security/authmethods.xml +++ b/docs/docbook/smbdotconf/security/authmethods.xml 
@@ -6,14 +6,24 @@ This option allows the administrator to chose what authentication methods smbd will use when authenticating a user. This option defaults to sensible values based on - security. + security. This should be considered + a developer option and used only in rare circumstances. In the majority (if not all) + of production servers, the default setting should be adequate. Each entry in the list attempts to authenticate the user in turn, until the user authenticates. In practice only one method will ever actually be able to complete the authentication. + Possible options include guest (anonymous access), + sam (lookups in local list of accounts based on netbios + name or domain name), winbind (relay authentication requests + for remote users through winbindd), ntdomain (pre-winbindd + method of authentication for remote domain users; deprecated in favour of winbind method), + trustdomain (authenticate trusted users by contacting the + remote DC directly from smbd; deprecated in favour of winbind method). + Default: auth methods = <empty string> - Example: auth methods = guest sam ntdomain + Example: auth methods = guest sam winbind diff --git a/docs/docbook/smbdotconf/security/passwordserver.xml b/docs/docbook/smbdotconf/security/passwordserver.xml index e40ff32b75..f854027041 100644 --- a/docs/docbook/smbdotconf/security/passwordserver.xml +++ b/docs/docbook/smbdotconf/security/passwordserver.xml 
@@ -3,18 +3,22 @@ advanced="1" wizard="1" developer="1" xmlns:samba="http://samba.org/common"> - By specifying the name of another SMB server (such - as a WinNT box) with this option, and using security = domain - or security = server you can get Samba - to do all its username/password validation via a remote server. + By specifying the name of another SMB server + or Active Directory domain controller with this option, + and using security = [ads|domain|server] + it is possible to get Samba to + to do all its username/password validation using a specific remote server. - This option sets the name of the password server to use. - It must be a NetBIOS name, so if the machine's NetBIOS name is - different from its Internet name then you may have to add its NetBIOS - name to the lmhosts file which is stored in the same directory - as the smb.conf file. + This option sets the name or IP address of the password server to use. + New syntax has been added to support defining the port to use when connecting + to the server the case of an ADS realm. To define a port other than the + default LDAP port of 389, add the port number using a colon after the + name or IP address (e.g. 192.168.1.100:389). If you do not specify a port, + Samba will use the standard LDAP port of tcp/389. Note that port numbers + have no effect on password servers for Windows NT 4.0 domains or netbios + connections. - The name of the password server is looked up using the + If parameter is a name, it is looked up using the parameter name resolve order and so may resolved by any method and order described in that parameter. 
@@ -38,14 +42,14 @@ trust your clients, and you had better restrict them with hosts allow! If the security parameter is set to - domain, then the list of machines in this + domain or ads, then the list of machines in this option must be a list of Primary or Backup Domain controllers for the Domain or the character '*', as the Samba server is effectively in that domain, and will use cryptographically authenticated RPC calls to authenticate the user logging on. The advantage of using security = domain is that if you list several hosts in the password server option then smbd - will try each in turn till it finds one that responds. This + will try each in turn till it finds one that responds. This is useful in case your primary server goes down. If the password server option is set @@ -55,7 +59,7 @@ and then contacting each server returned in the list of IP addresses from the name resolution source. - If the list of servers contains both names and the '*' + If the list of servers contains both names/IP's and the '*' character, the list is treated as a list of preferred domain controllers, but an auto lookup of all remaining DC's will be added to the list as well. Samba will not attempt to optimize @@ -93,6 +97,8 @@ Example: password server = NT-PDC, NT-BDC1, NT-BDC2, * + Example: password server = windc.mydomain.com:389 192.168.1.101 * + Example: password server = * -- cgit
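Review bot: In docs/docbook/smbdotconf/security/authmethods.xml, hunk @@ -6,14 +6,24 @@, the added "Possible options include ..." sentence does not say whether the five methods it names are the complete set, and it folds each method's description and deprecation status into one running parenthetical. Suggest stating whether the list is exhaustive and giving each method its own list entry, with ntdomain and trustdomain visibly marked as deprecated. The new wording calls this "a developer option" to be used "only in rare circumstances", yet the Example line still shows it being set; a short phrase on which circumstances justify overriding the default would keep administrators from copying the example into production.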
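Review bot: In docs/docbook/smbdotconf/security/passwordserver.xml, hunk @@ -3,18 +3,22 @@, the port example "192.168.1.100:389" uses the default port, so it does not show the override that the sentence describes; use a non-default port there, and drop one of the two sentences that both state 389 is the default. The added text also has a doubled word across the line break ("get Samba to" followed by "to do all"), a missing "in" ("to the server the case of an ADS realm") and a missing article ("If parameter is a name"). "security = [ads|domain|server]" reads like a literal value; naming the three settings separately would avoid someone copying the brackets into smb.conf.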
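Review bot: In passwordserver.xml, hunk @@ -38,14 +42,14 @@, the condition now reads "domain or ads" but the rest of the paragraph was not updated to match: it still requires "a list of Primary or Backup Domain controllers" and still says "The advantage of using security = domain is ..." when describing the try-each-in-turn failover. If the same failover applies with security = ads, say so in that sentence; if it does not, state the difference. The line "will try each in turn till it finds one that responds. This" is shown as removed and re-added with no visible text change, which looks like a whitespace-only edit that could be dropped from this commit.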
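Review bot: In passwordserver.xml, hunk @@ -55,7 +59,7 @@, "names/IP's" uses a possessive apostrophe for a plural and a slash where the text added earlier in this patch says "name or IP address". Suggest "names or IP addresses" so the wording is consistent across the page.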
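Review bot: In passwordserver.xml, hunk @@ -93,6 +97,8 @@, the new example separates entries with spaces ("windc.mydomain.com:389 192.168.1.101 *") while the existing example directly above it uses commas ("NT-PDC, NT-BDC1, NT-BDC2, *"), and nothing in the visible text says which separators are accepted. Either use one separator in both examples or document that both work. The example also appends :389, which is the default, so the suffix changes nothing; a non-default port would demonstrate the new syntax better.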