From 1caa6b23e417f77e7b38ecdfa47d9abe8c7b7d0e Mon Sep 17 00:00:00 2001 
From: Gerald Carter
Date: Wed, 16 Jul 2003 05:42:34 +0000
Subject: ading new files from 3.0 (This used to be commit 99feae7b5b1c229a925367b87c0c0f636d9a2d75)
---
docs/docbook/smbdotconf/misc/valid.xml | 18 ++++++++++++
.../docbook/smbdotconf/printing/totalprintjobs.xml | 22 +++++++++++++++
.../smbdotconf/protocol/clientusespnego.xml | 13 +++++++++
docs/docbook/smbdotconf/protocol/mapaclinherit.xml | 17 +++++++++++
docs/docbook/smbdotconf/protocol/profileacls.xml | 33 ++++++++++++++++++++++
.../smbdotconf/security/clientlanmanauth.xml | 28 ++++++++++++++++++
.../smbdotconf/security/clientntlmv2auth.xml | 26 +++++++++++++++++
docs/docbook/smbdotconf/vfs/vfsobjects.xml | 14 +++++++++
.../smbdotconf/winbind/enableridalgorithm.xml | 17 +++++++++++
docs/docbook/smbdotconf/winbind/idmapgid.xml | 18 ++++++++++++
docs/docbook/smbdotconf/winbind/idmapuid.xml | 14 +++++++++
.../smbdotconf/winbind/templateprimarygroup.xml | 14 +++++++++
.../winbind/winbindenablelocalaccounts.xml | 16 +++++++++++
.../winbind/winbindtrusteddomainsonly.xml | 16 +++++++++++
14 files changed, 266 insertions(+)
create mode 100644 docs/docbook/smbdotconf/misc/valid.xml
create mode 100644 docs/docbook/smbdotconf/printing/totalprintjobs.xml
create mode 100644 docs/docbook/smbdotconf/protocol/clientusespnego.xml
create mode 100644 docs/docbook/smbdotconf/protocol/mapaclinherit.xml
create mode 100644 docs/docbook/smbdotconf/protocol/profileacls.xml
create mode 100644 docs/docbook/smbdotconf/security/clientlanmanauth.xml
create mode 100644 docs/docbook/smbdotconf/security/clientntlmv2auth.xml
create mode 100644 docs/docbook/smbdotconf/vfs/vfsobjects.xml
create mode 100644 docs/docbook/smbdotconf/winbind/enableridalgorithm.xml
create mode 100644 docs/docbook/smbdotconf/winbind/idmapgid.xml
create mode 100644 docs/docbook/smbdotconf/winbind/idmapuid.xml
create mode 100644 docs/docbook/smbdotconf/winbind/templateprimarygroup.xml
create mode 100644
docs/docbook/smbdotconf/winbind/winbindenablelocalaccounts.xml
create mode 100644 docs/docbook/smbdotconf/winbind/winbindtrusteddomainsonly.xml
(limited to 'docs/docbook/smbdotconf')
diff --git a/docs/docbook/smbdotconf/misc/valid.xml b/docs/docbook/smbdotconf/misc/valid.xml
new file mode 100644
index 0000000000..b5756f0afe
--- /dev/null
+++ b/docs/docbook/smbdotconf/misc/valid.xml
@@ -0,0 +1,18 @@
+
+
+ This parameter indicates whether a share is
+ valid and thus can be used. When this parameter is set to false,
+ the share will be in no way visible nor accessible.
+
+
+
+ This option should not be
+ used by regular users but might be of help to developers.
+ Samba uses this option internally to mark shares as deleted.
+
+
+ Default: True
+
+
diff --git a/docs/docbook/smbdotconf/printing/totalprintjobs.xml b/docs/docbook/smbdotconf/printing/totalprintjobs.xml
new file mode 100644
index 0000000000..ccdb137a69
--- /dev/null
+++ b/docs/docbook/smbdotconf/printing/totalprintjobs.xml
@@ -0,0 +1,22 @@
+
+
+ This parameter accepts an integer value which defines
+ a limit on the maximum number of print jobs that will be accepted
+ system wide at any given time. If a print job is submitted
+ by a client which will exceed this number, then smbd
+ 8 will return an
+ error indicating that no space is available on the server. The
+ default value of 0 means that no such limit exists. This parameter
+ can be used to prevent a server from exceeding its capacity and is
+ designed as a printing throttle. See also
+ max print jobs.
+
+
+ Default: total print jobs = 0
+
+ Example: total print jobs = 5000
+
+
diff --git a/docs/docbook/smbdotconf/protocol/clientusespnego.xml b/docs/docbook/smbdotconf/protocol/clientusespnego.xml
new file mode 100644
index 0000000000..df25fbfb20
--- /dev/null
+++ b/docs/docbook/smbdotconf/protocol/clientusespnego.xml
@@ -0,0 +1,13 @@
+
+
+ This variable controls controls whether samba clients will try
+ to use Simple and Protected NEGOciation (as specified by rfc2478) with
+ WindowsXP and Windows2000 servers to agree upon an authentication mechanism.
+
+
+ Default: client use spnego = yes
+
+
diff --git a/docs/docbook/smbdotconf/protocol/mapaclinherit.xml b/docs/docbook/smbdotconf/protocol/mapaclinherit.xml
new file mode 100644
index 0000000000..5b8ed7f656
--- /dev/null
+++ b/docs/docbook/smbdotconf/protocol/mapaclinherit.xml
@@ -0,0 +1,17 @@
+
+
+ This boolean parameter controls whether smbd
+ 8 will attempt to map the 'inherit' and 'protected'
+ access control entry flags stored in Windows ACLs into an extended attribute
+ called user.SAMBA_PAI. This parameter only takes effect if Samba is being run
+ on a platform that supports extended attributes (Linux and IRIX so far) and
+ allows the Windows 2000 ACL editor to correctly use inheritance with the Samba
+ POSIX ACL mapping code.
+
+
+ Default: map acl inherit = no
+
+
diff --git a/docs/docbook/smbdotconf/protocol/profileacls.xml b/docs/docbook/smbdotconf/protocol/profileacls.xml
new file mode 100644
index 0000000000..6f2b3ec510
--- /dev/null
+++ b/docs/docbook/smbdotconf/protocol/profileacls.xml
@@ -0,0 +1,33 @@
+
+
+ This boolean parameter controls whether smbd
+ 8
+ This boolean parameter was added to fix the problems that people have been
+ having with storing user profiles on Samba shares from Windows 2000 or
+ Windows XP clients. New versions of Windows 2000 or Windows XP service
+ packs do security ACL checking on the owner and ability to write of the
+ profile directory stored on a local workstation when copied from a Samba
+ share. When not in domain mode with winbindd then the security info copied
+ onto the local workstation has no meaning to the logged in user (SID) on
+ that workstation so the profile storing fails. Adding this parameter
+ onto a share used for profile storage changes two things about the
+ returned Windows ACL. Firstly it changes the owner and group owner
+ of all reported files and directories to be BUILTIN\\Administrators,
+ BUILTIN\\Users respectively (SIDs S-1-5-32-544, S-1-5-32-545). Secondly
+ it adds an ACE entry of "Full Control" to the SID BUILTIN\\Users to
+ every returned ACL. This will allow any Windows 2000 or XP workstation
+ user to access the profile. Note that if you have multiple users logging
+ on to a workstation then in order to prevent them from being able to access
+ each others profiles you must remove the "Bypass traverse checking" advanced
+ user right. This will prevent access to other users profile directories as
+ the top level profile directory (named after the user) is created by the
+ workstation profile code and has an ACL restricting entry to the directory
+ tree to the owning user.
+
+
+ Default: profile acls = no
+
+
diff --git a/docs/docbook/smbdotconf/security/clientlanmanauth.xml b/docs/docbook/smbdotconf/security/clientlanmanauth.xml
new file mode 100644
index 0000000000..a427198ea3
--- /dev/null
+++ b/docs/docbook/smbdotconf/security/clientlanmanauth.xml
@@ -0,0 +1,28 @@
+
+
+ This parameter determines whether or not smbclient
+ 8 and other samba client
+ tools will attempt to authenticate itself to servers using the
+ weaker LANMAN password hash. If disabled, only server which support NT
+ password hashes (e.g. Windows NT/2000, Samba, etc... but not
+ Windows 95/98) will be able to be connected from the Samba client.
+
+ The LANMAN encrypted response is easily broken, due to it's
+ case-insensitive nature, and the choice of algorithm. Clients
+ without Windows 95/98 servers are advised to disable
+ this option.
+
+ Disabling this option will also disable the client plaintext auth option
+
+ Likewise, if the client ntlmv2
+ auth parameter is enabled, then only NTLMv2 logins will be
+ attempted. Not all servers support NTLMv2, and most will require
+ special configuration to us it.
+
+ Default : client lanman auth = yes
+
+
diff --git a/docs/docbook/smbdotconf/security/clientntlmv2auth.xml b/docs/docbook/smbdotconf/security/clientntlmv2auth.xml
new file mode 100644
index 0000000000..0bf196488b
--- /dev/null
+++ b/docs/docbook/smbdotconf/security/clientntlmv2auth.xml
@@ -0,0 +1,26 @@
+
+
+ This parameter determines whether or not smbclient
+ 8 will attempt to
+ authenticate itself to servers using the NTLMv2 encrypted password
+ response.
+
+ If enabled, only an NTLMv2 and LMv2 response (both much more
+ secure than earlier versions) will be sent. Many servers
+ (including NT4 < SP4, Win9x and Samba 2.2) are not compatible with
+ NTLMv2.
+
+ If disabled, an NTLM response (and possibly a LANMAN response)
+ will be sent by the client, depending on the value of client lanman auth.
+
+ Note that some sites (particularly
+ those following 'best practice' security polices) only allow NTLMv2
+ responses, and not the weaker LM or NTLM.
+
+ Default : client ntlmv2 auth = no
+
+
diff --git a/docs/docbook/smbdotconf/vfs/vfsobjects.xml b/docs/docbook/smbdotconf/vfs/vfsobjects.xml
new file mode 100644
index 0000000000..32a10b5bd6
--- /dev/null
+++ b/docs/docbook/smbdotconf/vfs/vfsobjects.xml
@@ -0,0 +1,14 @@
+
+
+ This parameter specifies the backend names which
+ are used for Samba VFS I/O operations. By default, normal
+ disk I/O operations are used but these can be overloaded
+ with one or more VFS objects.
+
+ Default: no value
+
+ Example: vfs objects = extd_audit recycle
+
+
diff --git a/docs/docbook/smbdotconf/winbind/enableridalgorithm.xml b/docs/docbook/smbdotconf/winbind/enableridalgorithm.xml
new file mode 100644
index 0000000000..86786f0734
--- /dev/null
+++ b/docs/docbook/smbdotconf/winbind/enableridalgorithm.xml
@@ -0,0 +1,17 @@
+
+
+ This option is used to control whether or not smbd in Samba 3.0 should fallback
+ to the algorithm used by Samba 2.2 to generate user and group RIDs. The longterm
+ development goal is to remove the algorithmic mappings of RIDs altogether, but
+ this has proved to be difficult. This parameter is mainly provided so that
+ developers can turn the algorithm on and off and see what breaks. This parameter
+ should not be disabled by non-developers because certain features in Samba will fail
+ to work without it.
+
+
+ Default: enable rid algorithm = <yes>
+
+
diff --git a/docs/docbook/smbdotconf/winbind/idmapgid.xml b/docs/docbook/smbdotconf/winbind/idmapgid.xml
new file mode 100644
index 0000000000..8bd46a80c6
--- /dev/null
+++ b/docs/docbook/smbdotconf/winbind/idmapgid.xml
@@ -0,0 +1,18 @@
+
+
+
+ The idmap gid parameter specifies the range of group ids that are allocated for
+ the purpose of mapping UNX groups to NT group SIDs. This range of group ids should have no
+ existing local or NIS groups within it as strange conflicts can occur otherwise.
+
+ The availability of an idmap gid range is essential for correct operation of
+ all group mapping.
+
+ Default: idmap gid = <empty string>
+
+ Example: idmap gid = 10000-20000
+
+
diff --git a/docs/docbook/smbdotconf/winbind/idmapuid.xml b/docs/docbook/smbdotconf/winbind/idmapuid.xml
new file mode 100644
index 0000000000..5e6a245bfe
--- /dev/null
+++ b/docs/docbook/smbdotconf/winbind/idmapuid.xml
@@ -0,0 +1,14 @@
+
+
+ The idmap uid parameter specifies the range of user ids that are allocated for use
+ in mapping UNIX users to NT user SIDs. This range of ids should have no existing local
+ or NIS users within it as strange conflicts can occur otherwise.
+
+ Default: idmap uid = <empty string>
+
+ Example: idmap uid = 10000-20000
+
+
diff --git a/docs/docbook/smbdotconf/winbind/templateprimarygroup.xml b/docs/docbook/smbdotconf/winbind/templateprimarygroup.xml
new file mode 100644
index 0000000000..bd59ea7ee0
--- /dev/null
+++ b/docs/docbook/smbdotconf/winbind/templateprimarygroup.xml
@@ -0,0 +1,14 @@
+
+
+ This option defines the default primary group for
+ each user created by winbindd
+ 8's local account management
+ functions (similar to the 'add user script').
+
+
+ Default: template primary group = nobody
+
+
diff --git a/docs/docbook/smbdotconf/winbind/winbindenablelocalaccounts.xml b/docs/docbook/smbdotconf/winbind/winbindenablelocalaccounts.xml
new file mode 100644
index 0000000000..f6e7cfb359
--- /dev/null
+++ b/docs/docbook/smbdotconf/winbind/winbindenablelocalaccounts.xml
@@ -0,0 +1,16 @@
+
+
+ This parameter controls whether or not winbindd
+ will act as a stand in replacement for the various account
+ management hooks in smb.conf (e.g. 'add user script').
+ If enabled, winbindd will support the creation of local
+ users and groups as another source of UNIX account information
+ available via getpwnam() or getgrgid(), etc...
+
+
+ Default: winbind enable local accounts = yes
+
+
diff --git a/docs/docbook/smbdotconf/winbind/winbindtrusteddomainsonly.xml b/docs/docbook/smbdotconf/winbind/winbindtrusteddomainsonly.xml
new file mode 100644
index 0000000000..bf383131d4
--- /dev/null
+++ b/docs/docbook/smbdotconf/winbind/winbindtrusteddomainsonly.xml
@@ -0,0 +1,16 @@
+
+
+ This parameter is designed to allow Samba servers that
+ are members of a Samba controlled domain to use UNIX accounts
+ distributed vi NIS, rsync, or LDAP as the uid's for winbindd users
+ in the hosts primary domain. Therefore, the user 'SAMBA\user1' would
+ be mapped to the account 'user1' in /etc/passwd instead of allocating
+ a new uid for him or her.
+
+
+ Default: winbind trusted domains only = <no>
+
+
-- cgit