From 99bde6889d3d8b7a9e950c86c30e82662e1dacdd Mon Sep 17 00:00:00 2001
From: Gerald Carter <jerry@samba.org>
Date: Tue, 9 Sep 2003 02:58:53 +0000
Subject: syncing files from 3.0 into HEAD again (This used to be commit
 bca0bba209255d0effbae6a3d3b6d298f0952c3a)

---
 .../smbdotconf/security/allowtrusteddomains.xml       |  2 +-
 docs/docbook/smbdotconf/security/clientntlmv2auth.xml |  6 ++++++
 .../smbdotconf/security/clientplaintextauth.xml       | 12 ++++++++++++
 docs/docbook/smbdotconf/security/clientschannel.xml   | 19 +++++++++++++++++++
 docs/docbook/smbdotconf/security/clientsigning.xml    | 19 +++++++++++++++++++
 docs/docbook/smbdotconf/security/passdbbackend.xml    | 13 +++----------
 docs/docbook/smbdotconf/security/passwdprogram.xml    |  5 ++---
 docs/docbook/smbdotconf/security/preloadmodules.xml   |  3 ---
 docs/docbook/smbdotconf/security/serversigning.xml    | 19 +++++++++++++++++++
 9 files changed, 81 insertions(+), 17 deletions(-)
 create mode 100644 docs/docbook/smbdotconf/security/clientplaintextauth.xml
 create mode 100644 docs/docbook/smbdotconf/security/clientschannel.xml
 create mode 100644 docs/docbook/smbdotconf/security/clientsigning.xml
 create mode 100644 docs/docbook/smbdotconf/security/serversigning.xml

(limited to 'docs/docbook/smbdotconf/security')

diff --git a/docs/docbook/smbdotconf/security/allowtrusteddomains.xml b/docs/docbook/smbdotconf/security/allowtrusteddomains.xml
index 63363d2607..8354f8b8da 100644
--- a/docs/docbook/smbdotconf/security/allowtrusteddomains.xml
+++ b/docs/docbook/smbdotconf/security/allowtrusteddomains.xml
@@ -7,7 +7,7 @@
     <parameter moreinfo="none">security</parameter></link> option is set to 
     <constant>server</constant> or <constant>domain</constant>.  
     If it is set to no, then attempts to connect to a resource from 
-    a domain or workgroup other than the one which <ulink url="smbd.8.html">smbd</ulink> is running 
+    a domain or workgroup other than the one which smbd is running 
     in will fail, even if that domain is trusted by the remote server 
     doing the authentication.</para>
 		
diff --git a/docs/docbook/smbdotconf/security/clientntlmv2auth.xml b/docs/docbook/smbdotconf/security/clientntlmv2auth.xml
index 0bf196488b..611ebcd094 100644
--- a/docs/docbook/smbdotconf/security/clientntlmv2auth.xml
+++ b/docs/docbook/smbdotconf/security/clientntlmv2auth.xml
@@ -13,6 +13,12 @@
     (including NT4 &lt; SP4, Win9x and Samba 2.2) are not compatible with
     NTLMv2.  </para>
 
+    <para>Similarly, if enabled, NTLMv1, <command
+    moreinfo="none">client lanman auth</command> and <command
+    moreinfo="none">client plaintext auth</command>
+    authentication will be disabled.  This also disables share-level 
+    authentication. </para>
+
     <para>If disabled, an NTLM response (and possibly a LANMAN response)
     will be sent by the client, depending on the value of <command
     moreinfo="none">client lanman auth</command>.  </para>
diff --git a/docs/docbook/smbdotconf/security/clientplaintextauth.xml b/docs/docbook/smbdotconf/security/clientplaintextauth.xml
new file mode 100644
index 0000000000..ac90ef9fe5
--- /dev/null
+++ b/docs/docbook/smbdotconf/security/clientplaintextauth.xml
@@ -0,0 +1,12 @@
+<samba:parameter name="client plaintext auth"
+                 context="G"
+                 basic="1" advanced="1" wizard="1" developer="1"
+		 xmlns:samba="http://samba.org/common">
+<listitem>
+	<para>Specifies whether a client should send a plaintext 
+	password if the server does not support encrypted passwords.</para>
+	
+    <para>Default: <command moreinfo="none">client plaintext auth = yes</command></para>
+
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/clientschannel.xml b/docs/docbook/smbdotconf/security/clientschannel.xml
new file mode 100644
index 0000000000..f3ad682517
--- /dev/null
+++ b/docs/docbook/smbdotconf/security/clientschannel.xml
@@ -0,0 +1,19 @@
+<samba:parameter name="client schannel"
+                 context="G"
+                 basic="1"
+		 xmlns:samba="http://samba.org/common">
+<listitem>
+
+    <para>This controls whether the client offers or even
+    demands the use of the netlogon schannel.
+    <parameter>client schannel = no</parameter> does not
+    offer the schannel, <parameter>server schannel =
+    auto</parameter> offers the schannel but does not
+    enforce it, and <parameter>server schannel =
+    yes</parameter> denies access if the server is not
+    able to speak netlogon schannel. </para>
+
+    <para>Default: <command>client schannel = auto</command></para>
+    <para>Example: <command>client schannel = yes</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/clientsigning.xml b/docs/docbook/smbdotconf/security/clientsigning.xml
new file mode 100644
index 0000000000..e006dc71ab
--- /dev/null
+++ b/docs/docbook/smbdotconf/security/clientsigning.xml
@@ -0,0 +1,19 @@
+<samba:parameter name="client signing"
+                 context="G"
+                 basic="1"
+		 xmlns:samba="http://samba.org/common">
+<listitem>
+
+    <para>This controls whether the client offers or requires
+    the server it talks to to use SMB signing. Possible values 
+    are <emphasis>auto</emphasis>, <emphasis>mandatory</emphasis> 
+    and <emphasis>disabled</emphasis>. 
+    </para>
+
+    <para>When set to auto, SMB signing is offered, but not enforced. 
+    When set to mandatory, SMB signing is required and if set 
+    to disabled, SMB signing is not offered either.</para>
+
+    <para>Default: <command>client signing = auto</command></para>
+</listitem>
+</samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/passdbbackend.xml b/docs/docbook/smbdotconf/security/passdbbackend.xml
index 1a3a83946a..8c64299dd4 100644
--- a/docs/docbook/smbdotconf/security/passdbbackend.xml
+++ b/docs/docbook/smbdotconf/security/passdbbackend.xml
@@ -55,22 +55,15 @@
 		details.
 		</para></listitem>
 
-		<listitem>
-		<para><command moreinfo="none">guest</command> - 
-		Very simple backend that only provides one user: the guest user.
-		Only maps the NT guest user to the <parameter>guest account</parameter>.
-		Required in pretty much all situations.
-		</para></listitem>
-
 	</itemizedlist>
     </para>
 
     <para>Default: <command moreinfo="none">passdb backend = smbpasswd</command></para>
 
-    <para>Example: <command moreinfo="none">passdb backend = tdbsam:/etc/samba/private/passdb.tdb smbpasswd:/etc/samba/smbpasswd guest</command></para>
+    <para>Example: <command moreinfo="none">passdb backend = tdbsam:/etc/samba/private/passdb.tdb smbpasswd:/etc/samba/smbpasswd</command></para>
 
-	<para>Example: <command moreinfo="none">passdb backend = ldapsam:ldaps://ldap.example.com guest</command></para>
+	<para>Example: <command moreinfo="none">passdb backend = ldapsam:ldaps://ldap.example.com</command></para>
 
-    <para>Example: <command moreinfo="none">passdb backend = mysql:my_plugin_args tdbsam:/etc/samba/private/passdb.tdb guest</command></para>
+    <para>Example: <command moreinfo="none">passdb backend = mysql:my_plugin_args tdbsam</command></para>
 </listitem>
 </samba:parameter>
diff --git a/docs/docbook/smbdotconf/security/passwdprogram.xml b/docs/docbook/smbdotconf/security/passwdprogram.xml
index dbcc261ce4..db02670158 100644
--- a/docs/docbook/smbdotconf/security/passwdprogram.xml
+++ b/docs/docbook/smbdotconf/security/passwdprogram.xml
@@ -17,9 +17,8 @@
     <para><emphasis>Note</emphasis> that if the <parameter moreinfo="none">unix 
     password sync</parameter> parameter is set to <constant>yes
     </constant> then this program is called <emphasis>AS ROOT</emphasis> 
-    before the SMB password in the <ulink url="smbpasswd.5.html"><citerefentry>
-    <refentrytitle>smbpasswd</refentrytitle><manvolnum>5</manvolnum></citerefentry>
-    </ulink> file is changed. If this UNIX password change fails, then 
+    before the SMB password in the smbpasswd
+    file is changed. If this UNIX password change fails, then 
     <command moreinfo="none">smbd</command> will fail to change the SMB password also 
     (this is by design).</para>
 
diff --git a/docs/docbook/smbdotconf/security/preloadmodules.xml b/docs/docbook/smbdotconf/security/preloadmodules.xml
index 7b4e57cff1..101d9606fa 100644
--- a/docs/docbook/smbdotconf/security/preloadmodules.xml
+++ b/docs/docbook/smbdotconf/security/preloadmodules.xml
@@ -7,9 +7,6 @@
 	be loaded into smbd before a client connects. This improves
 	the speed of smbd when reacting to new connections somewhat. </para>
 
-	<para>It is recommended to only use this option on heavy-performance
-	servers.</para> 
-
 	<para>Default: <command>preload modules = </command></para>
 
 	<para>Example: <command>preload modules = /usr/lib/samba/passdb/mysql.so+++ </command></para>
diff --git a/docs/docbook/smbdotconf/security/serversigning.xml b/docs/docbook/smbdotconf/security/serversigning.xml
new file mode 100644
index 0000000000..5108918d84
--- /dev/null
+++ b/docs/docbook/smbdotconf/security/serversigning.xml
@@ -0,0 +1,19 @@
+<samba:parameter name="server signing"
+                 context="G"
+                 basic="1"
+		 xmlns:samba="http://samba.org/common">
+<listitem>
+
+    <para>This controls whether the server offers or requires
+    the client it talks to to use SMB signing. Possible values 
+    are <emphasis>auto</emphasis>, <emphasis>mandatory</emphasis> 
+    and <emphasis>disabled</emphasis>. 
+    </para>
+
+    <para>When set to auto, SMB signing is offered, but not enforced. 
+    When set to mandatory, SMB signing is required and if set 
+    to disabled, SMB signing is not offered either.</para>
+
+    <para>Default: <command>client signing = False</command></para>
+</listitem>
+</samba:parameter>
-- 
cgit