From 9496f1e2063eb0b93142bfaf86979b21bf8b56e6 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Sun, 6 Apr 2003 13:07:44 +0000 Subject: Convert 'Security' section of smb.conf to new format (This used to be commit 85eadec0838bdcb5604d5cf66b204ee610e2ad7a) --- docs/docbook/smbdotconf/security/adminusers.xml | 26 +- .../smbdotconf/security/algorithmicridbase.xml | 43 +- docs/docbook/smbdotconf/security/allowhosts.xml | 14 +- .../smbdotconf/security/allowtrusteddomains.xml | 42 +- docs/docbook/smbdotconf/security/authmethods.xml | 31 +- docs/docbook/smbdotconf/security/createmask.xml | 84 ++-- docs/docbook/smbdotconf/security/createmode.xml | 13 +- docs/docbook/smbdotconf/security/denyhosts.xml | 14 +- docs/docbook/smbdotconf/security/directorymask.xml | 88 ++-- docs/docbook/smbdotconf/security/directorymode.xml | 13 +- .../smbdotconf/security/directorysecuritymask.xml | 58 +-- .../smbdotconf/security/encryptpasswords.xml | 43 +- .../smbdotconf/security/forcecreatemode.xml | 45 +- .../smbdotconf/security/forcedirectorymode.xml | 47 +- .../security/forcedirectorysecuritymode.xml | 57 +-- docs/docbook/smbdotconf/security/forcegroup.xml | 64 +-- .../smbdotconf/security/forcesecuritymode.xml | 59 +-- docs/docbook/smbdotconf/security/forceuser.xml | 44 +- docs/docbook/smbdotconf/security/group.xml | 14 +- docs/docbook/smbdotconf/security/guestaccount.xml | 50 ++- docs/docbook/smbdotconf/security/guestok.xml | 32 +- docs/docbook/smbdotconf/security/guestonly.xml | 25 +- docs/docbook/smbdotconf/security/hostsallow.xml | 86 ++-- docs/docbook/smbdotconf/security/hostsdeny.xml | 26 +- docs/docbook/smbdotconf/security/hostsequiv.xml | 49 ++- docs/docbook/smbdotconf/security/inheritacls.xml | 26 +- .../smbdotconf/security/inheritpermissions.xml | 64 +-- docs/docbook/smbdotconf/security/invalidusers.xml | 58 +-- docs/docbook/smbdotconf/security/lanmanauth.xml | 23 +- docs/docbook/smbdotconf/security/maptoguest.xml | 99 +++-- .../smbdotconf/security/minpasswdlength.xml | 16 +- .../smbdotconf/security/minpasswordlength.xml | 27 +- .../smbdotconf/security/nonunixaccountrange.xml | 40 +- docs/docbook/smbdotconf/security/ntlmauth.xml | 27 +- docs/docbook/smbdotconf/security/nullpasswords.xml | 20 +- .../smbdotconf/security/obeypamrestrictions.xml | 32 +- docs/docbook/smbdotconf/security/onlyguest.xml | 14 +- docs/docbook/smbdotconf/security/onlyuser.xml | 44 +- .../smbdotconf/security/pampasswordchange.xml | 31 +- docs/docbook/smbdotconf/security/passdbbackend.xml | 174 ++++---- docs/docbook/smbdotconf/security/passwdchat.xml | 120 +++--- .../smbdotconf/security/passwdchatdebug.xml | 48 ++- docs/docbook/smbdotconf/security/passwdprogram.xml | 64 +-- docs/docbook/smbdotconf/security/passwordlevel.xml | 84 ++-- .../docbook/smbdotconf/security/passwordserver.xml | 164 +++---- docs/docbook/smbdotconf/security/printeradmin.xml | 25 +- docs/docbook/smbdotconf/security/privatedir.xml | 21 +- docs/docbook/smbdotconf/security/public.xml | 15 +- docs/docbook/smbdotconf/security/readlist.xml | 35 +- docs/docbook/smbdotconf/security/readonly.xml | 29 +- .../smbdotconf/security/restrictanonymous.xml | 20 +- docs/docbook/smbdotconf/security/root.xml | 16 +- docs/docbook/smbdotconf/security/rootdir.xml | 16 +- docs/docbook/smbdotconf/security/rootdirectory.xml | 58 +-- docs/docbook/smbdotconf/security/security.xml | 477 +++++++++++---------- docs/docbook/smbdotconf/security/securitymask.xml | 59 +-- .../docbook/smbdotconf/security/serverschannel.xml | 43 +- docs/docbook/smbdotconf/security/smbpasswdfile.xml | 25 +- .../smbdotconf/security/unixpasswordsync.xml | 36 +- .../smbdotconf/security/updateencrypted.xml | 55 +-- docs/docbook/smbdotconf/security/user.xml | 14 +- docs/docbook/smbdotconf/security/username.xml | 124 +++--- docs/docbook/smbdotconf/security/usernamelevel.xml | 40 +- docs/docbook/smbdotconf/security/usernamemap.xml | 169 ++++---- docs/docbook/smbdotconf/security/users.xml | 15 +- docs/docbook/smbdotconf/security/validusers.xml | 38 +- docs/docbook/smbdotconf/security/writable.xml | 14 +- docs/docbook/smbdotconf/security/writeable.xml | 14 +- docs/docbook/smbdotconf/security/writelist.xml | 35 +- docs/docbook/smbdotconf/security/writeok.xml | 14 +- 70 files changed, 1953 insertions(+), 1696 deletions(-) (limited to 'docs/docbook') diff --git a/docs/docbook/smbdotconf/security/adminusers.xml b/docs/docbook/smbdotconf/security/adminusers.xml index 2e1abaf6e1..09989aa79a 100644 --- a/docs/docbook/smbdotconf/security/adminusers.xml +++ b/docs/docbook/smbdotconf/security/adminusers.xml @@ -1,15 +1,17 @@ - - admin users (S) - This is a list of users who will be granted - administrative privileges on the share. This means that they - will do all file operations as the super-user (root). + + + This is a list of users who will be granted + administrative privileges on the share. This means that they + will do all file operations as the super-user (root). - You should use this option very carefully, as any user in - this list will be able to do anything they like on the share, - irrespective of file permissions. + You should use this option very carefully, as any user in + this list will be able to do anything they like on the share, + irrespective of file permissions. - Default: no admin users + Default: no admin users - Example: admin users = jason - - + Example: admin users = jason + + diff --git a/docs/docbook/smbdotconf/security/algorithmicridbase.xml b/docs/docbook/smbdotconf/security/algorithmicridbase.xml index 3c2bf8686e..d1d33d419b 100644 --- a/docs/docbook/smbdotconf/security/algorithmicridbase.xml +++ b/docs/docbook/smbdotconf/security/algorithmicridbase.xml @@ -1,22 +1,27 @@ - - algorithmic rid base (G) - This determines how Samba will use its - algorithmic mapping from uids/gid to the RIDs needed to construct - NT Security Identifiers. + + + This determines how Samba will use its + algorithmic mapping from uids/gid to the RIDs needed to construct + NT Security Identifiers. + - Setting this option to a larger value could be useful to sites - transitioning from WinNT and Win2k, as existing user and - group rids would otherwise clash with sytem users etc. - + Setting this option to a larger value could be useful to sites + transitioning from WinNT and Win2k, as existing user and + group rids would otherwise clash with sytem users etc. + - All UIDs and GIDs must be able to be resolved into SIDs for - the correct operation of ACLs on the server. As such the algorithmic - mapping can't be 'turned off', but pushing it 'out of the way' should - resolve the issues. Users and groups can then be assigned 'low' RIDs - in arbitary-rid supporting backends. + All UIDs and GIDs must be able to be resolved into SIDs for + the correct operation of ACLs on the server. As such the algorithmic + mapping can't be 'turned off', but pushing it 'out of the way' should + resolve the issues. Users and groups can then be assigned 'low' RIDs + in arbitary-rid supporting backends. + - Default: algorithmic rid base = 1000 - - Example: algorithmic rid base = 100000 - - + Default: algorithmic rid base = 1000 + + Example: algorithmic rid base = 100000 + + diff --git a/docs/docbook/smbdotconf/security/allowhosts.xml b/docs/docbook/smbdotconf/security/allowhosts.xml index 7fd2f426f8..ea7c0fa05e 100644 --- a/docs/docbook/smbdotconf/security/allowhosts.xml +++ b/docs/docbook/smbdotconf/security/allowhosts.xml @@ -1,5 +1,9 @@ - - allow hosts (S) - Synonym for - hosts allow. - + + + Synonym for + hosts allow. + + diff --git a/docs/docbook/smbdotconf/security/allowtrusteddomains.xml b/docs/docbook/smbdotconf/security/allowtrusteddomains.xml index 35dcd76cbd..63363d2607 100644 --- a/docs/docbook/smbdotconf/security/allowtrusteddomains.xml +++ b/docs/docbook/smbdotconf/security/allowtrusteddomains.xml @@ -1,22 +1,26 @@ - - allow trusted domains (G) - This option only takes effect when the security option is set to - server or domain. - If it is set to no, then attempts to connect to a resource from - a domain or workgroup other than the one which smbd is running - in will fail, even if that domain is trusted by the remote server - doing the authentication. + + + This option only takes effect when the + security option is set to + server or domain. + If it is set to no, then attempts to connect to a resource from + a domain or workgroup other than the one which smbd is running + in will fail, even if that domain is trusted by the remote server + doing the authentication. - This is useful if you only want your Samba server to - serve resources to users in the domain it is a member of. As - an example, suppose that there are two domains DOMA and DOMB. DOMB - is trusted by DOMA, which contains the Samba server. Under normal - circumstances, a user with an account in DOMB can then access the - resources of a UNIX account with the same account name on the - Samba server even if they do not have an account in DOMA. This - can make implementing a security boundary difficult. + This is useful if you only want your Samba server to + serve resources to users in the domain it is a member of. As + an example, suppose that there are two domains DOMA and DOMB. DOMB + is trusted by DOMA, which contains the Samba server. Under normal + circumstances, a user with an account in DOMB can then access the + resources of a UNIX account with the same account name on the + Samba server even if they do not have an account in DOMA. This + can make implementing a security boundary difficult. - Default: allow trusted domains = yes + Default: allow trusted domains = yes - - + + diff --git a/docs/docbook/smbdotconf/security/authmethods.xml b/docs/docbook/smbdotconf/security/authmethods.xml index 2e569558a0..0b7965d55b 100644 --- a/docs/docbook/smbdotconf/security/authmethods.xml +++ b/docs/docbook/smbdotconf/security/authmethods.xml @@ -1,16 +1,19 @@ - - auth methods (G) - This option allows the administrator to chose what - authentication methods smbd will use when authenticating - a user. This option defaults to sensible values based on - security. + + + This option allows the administrator to chose what + authentication methods smbd will use when authenticating + a user. This option defaults to sensible values based on + security. - Each entry in the list attempts to authenticate the user in turn, until - the user authenticates. In practice only one method will ever actually - be able to complete the authentication. - + Each entry in the list attempts to authenticate the user in turn, until + the user authenticates. In practice only one method will ever actually + be able to complete the authentication. + - Default: auth methods = <empty string> - Example: auth methods = guest sam ntdomain - - + Default: auth methods = <empty string> + Example: auth methods = guest sam ntdomain + + diff --git a/docs/docbook/smbdotconf/security/createmask.xml b/docs/docbook/smbdotconf/security/createmask.xml index 9a197bf7c3..6765702878 100644 --- a/docs/docbook/smbdotconf/security/createmask.xml +++ b/docs/docbook/smbdotconf/security/createmask.xml @@ -1,39 +1,45 @@ - - create mask (S) - A synonym for this parameter is - create mode - . - - When a file is created, the necessary permissions are - calculated according to the mapping from DOS modes to UNIX - permissions, and the resulting UNIX mode is then bit-wise 'AND'ed - with this parameter. This parameter may be thought of as a bit-wise - MASK for the UNIX modes of a file. Any bit not - set here will be removed from the modes set on a file when it is - created. - - The default value of this parameter removes the - 'group' and 'other' write and execute bits from the UNIX modes. - - Following this Samba will bit-wise 'OR' the UNIX mode created - from this parameter with the value of the force create mode - parameter which is set to 000 by default. - - This parameter does not affect directory modes. See the - parameter directory mode - for details. - - See also the force - create mode parameter for forcing particular mode - bits to be set on created files. See also the - directory mode parameter for masking - mode bits on created directories. See also the - inherit permissions parameter. - - Note that this parameter does not apply to permissions - set by Windows NT/2000 ACL editors. If the administrator wishes to enforce - a mask on access control lists also, they need to set the security mask. - - Default: create mask = 0744 - Example: create mask = 0775 - + + + A synonym for this parameter is + create mode + . + + When a file is created, the necessary permissions are + calculated according to the mapping from DOS modes to UNIX + permissions, and the resulting UNIX mode is then bit-wise 'AND'ed + with this parameter. This parameter may be thought of as a bit-wise + MASK for the UNIX modes of a file. Any bit not + set here will be removed from the modes set on a file when it is + created. + + The default value of this parameter removes the + 'group' and 'other' write and execute bits from the UNIX modes. + + Following this Samba will bit-wise 'OR' the UNIX mode created + from this parameter with the value of the + force create mode + parameter which is set to 000 by default. + + This parameter does not affect directory modes. See the + parameter directory mode + for details. + + See also the force + create mode parameter for forcing particular mode + bits to be set on created files. See also the + directory mode parameter for masking + mode bits on created directories. See also the + inherit permissions parameter. + + Note that this parameter does not apply to permissions + set by Windows NT/2000 ACL editors. If the administrator wishes to enforce + a mask on access control lists also, they need to set the + security mask. + + Default: create mask = 0744 + + Example: create mask = 0775 + + diff --git a/docs/docbook/smbdotconf/security/createmode.xml b/docs/docbook/smbdotconf/security/createmode.xml index 7e78ab0181..c49acf070d 100644 --- a/docs/docbook/smbdotconf/security/createmode.xml +++ b/docs/docbook/smbdotconf/security/createmode.xml @@ -1,5 +1,8 @@ - - create mode (S) - This is a synonym for - create mask. - + + + This is a synonym for + create mask. + + diff --git a/docs/docbook/smbdotconf/security/denyhosts.xml b/docs/docbook/smbdotconf/security/denyhosts.xml index f50fb33d33..d5ffb0e452 100644 --- a/docs/docbook/smbdotconf/security/denyhosts.xml +++ b/docs/docbook/smbdotconf/security/denyhosts.xml @@ -1,5 +1,9 @@ - - deny hosts (S) - Synonym for hosts - deny. - + + + Synonym for hosts + deny. + + diff --git a/docs/docbook/smbdotconf/security/directorymask.xml b/docs/docbook/smbdotconf/security/directorymask.xml index 0844733ede..d50047d46f 100644 --- a/docs/docbook/smbdotconf/security/directorymask.xml +++ b/docs/docbook/smbdotconf/security/directorymask.xml @@ -1,43 +1,47 @@ - - directory mask (S) - This parameter is the octal modes which are - used when converting DOS modes to UNIX modes when creating UNIX - directories. - - When a directory is created, the necessary permissions are - calculated according to the mapping from DOS modes to UNIX permissions, - and the resulting UNIX mode is then bit-wise 'AND'ed with this - parameter. This parameter may be thought of as a bit-wise MASK for - the UNIX modes of a directory. Any bit not set - here will be removed from the modes set on a directory when it is - created. - - The default value of this parameter removes the 'group' - and 'other' write bits from the UNIX mode, allowing only the - user who owns the directory to modify it. + + + This parameter is the octal modes which are + used when converting DOS modes to UNIX modes when creating UNIX + directories. + + When a directory is created, the necessary permissions are + calculated according to the mapping from DOS modes to UNIX permissions, + and the resulting UNIX mode is then bit-wise 'AND'ed with this + parameter. This parameter may be thought of as a bit-wise MASK for + the UNIX modes of a directory. Any bit not set + here will be removed from the modes set on a directory when it is + created. + + The default value of this parameter removes the 'group' + and 'other' write bits from the UNIX mode, allowing only the + user who owns the directory to modify it. - Following this Samba will bit-wise 'OR' the UNIX mode - created from this parameter with the value of the force directory mode - parameter. This parameter is set to 000 by - default (i.e. no extra mode bits are added). - - Note that this parameter does not apply to permissions - set by Windows NT/2000 ACL editors. If the administrator wishes to enforce - a mask on access control lists also, they need to set the directory security mask. - - See the force - directory mode parameter to cause particular mode - bits to always be set on created directories. - - See also the create mode - parameter for masking mode bits on created files, - and the directory - security mask parameter. - - Also refer to the - inherit permissions parameter. - - Default: directory mask = 0755 - Example: directory mask = 0775 - - + Following this Samba will bit-wise 'OR' the UNIX mode + created from this parameter with the value of the + force directory mode parameter. + This parameter is set to 000 by default (i.e. no extra mode bits are added). + + Note that this parameter does not apply to permissions + set by Windows NT/2000 ACL editors. If the administrator wishes to enforce + a mask on access control lists also, they need to set the + directory security mask. + + See the force + directory mode parameter to cause particular mode + bits to always be set on created directories. + + See also the create mode + parameter for masking mode bits on created files, + and the directory + security mask parameter. + + Also refer to the + inherit permissions parameter. + + Default: directory mask = 0755 + + Example: directory mask = 0775 + + diff --git a/docs/docbook/smbdotconf/security/directorymode.xml b/docs/docbook/smbdotconf/security/directorymode.xml index 9678cd91ad..3facac2bc1 100644 --- a/docs/docbook/smbdotconf/security/directorymode.xml +++ b/docs/docbook/smbdotconf/security/directorymode.xml @@ -1,5 +1,8 @@ - - directory mode (S) - Synonym for - directory mask - + + + Synonym for + directory mask + + diff --git a/docs/docbook/smbdotconf/security/directorysecuritymask.xml b/docs/docbook/smbdotconf/security/directorysecuritymask.xml index 76d153f6f4..d5413d4578 100644 --- a/docs/docbook/smbdotconf/security/directorysecuritymask.xml +++ b/docs/docbook/smbdotconf/security/directorysecuritymask.xml @@ -1,32 +1,36 @@ - - directory security mask (S) - This parameter controls what UNIX permission bits - can be modified when a Windows NT client is manipulating the UNIX - permission on a directory using the native NT security dialog - box. + + + This parameter controls what UNIX permission bits + can be modified when a Windows NT client is manipulating the UNIX + permission on a directory using the native NT security dialog + box. - This parameter is applied as a mask (AND'ed with) to - the changed permission bits, thus preventing any bits not in - this mask from being modified. Essentially, zero bits in this - mask may be treated as a set of bits the user is not allowed - to change. + This parameter is applied as a mask (AND'ed with) to + the changed permission bits, thus preventing any bits not in + this mask from being modified. Essentially, zero bits in this + mask may be treated as a set of bits the user is not allowed + to change. - If not set explicitly this parameter is set to 0777 - meaning a user is allowed to modify all the user/group/world - permissions on a directory. + If not set explicitly this parameter is set to 0777 + meaning a user is allowed to modify all the user/group/world + permissions on a directory. - Note that users who can access the - Samba server through other means can easily bypass this restriction, - so it is primarily useful for standalone "appliance" systems. - Administrators of most normal systems will probably want to leave - it as the default of 0777. + Note that users who can access the + Samba server through other means can easily bypass this restriction, + so it is primarily useful for standalone "appliance" systems. + Administrators of most normal systems will probably want to leave + it as the default of 0777. - See also the - force directory security mode, security mask, - force security mode - parameters. + See also the + force directory security mode, + security mask, + force security mode + parameters. - Default: directory security mask = 0777 - Example: directory security mask = 0700 - - + Default: directory security mask = 0777 + + Example: directory security mask = 0700 + + diff --git a/docs/docbook/smbdotconf/security/encryptpasswords.xml b/docs/docbook/smbdotconf/security/encryptpasswords.xml index d7ceb8d598..4f83a776c8 100644 --- a/docs/docbook/smbdotconf/security/encryptpasswords.xml +++ b/docs/docbook/smbdotconf/security/encryptpasswords.xml @@ -1,21 +1,26 @@ - - encrypt passwords (G) - This boolean controls whether encrypted passwords - will be negotiated with the client. Note that Windows NT 4.0 SP3 and - above and also Windows 98 will by default expect encrypted passwords - unless a registry entry is changed. To use encrypted passwords in - Samba see the file ENCRYPTION.txt in the Samba documentation - directory docs/ shipped with the source code. + + + This boolean controls whether encrypted passwords + will be negotiated with the client. Note that Windows NT 4.0 SP3 and + above and also Windows 98 will by default expect encrypted passwords + unless a registry entry is changed. To use encrypted passwords in + Samba see the file ENCRYPTION.txt in the Samba documentation + directory docs/ shipped + with the source code. - In order for encrypted passwords to work correctly - smbd - 8 must either - have access to a local smbpasswd - 5 file (see the smbpasswd - 8 program for information on how to set up - and maintain this file), or set the security = [server|domain|ads] parameter which - causes smbd to authenticate against another - server. + In order for encrypted passwords to work correctly + smbd + 8 must either + have access to a local smbpasswd + 5 file (see the smbpasswd + 8 program for information on how to set up + and maintain this file), or set the security = [server|domain|ads] parameter which + causes smbd to authenticate against another + server. - Default: encrypt passwords = yes - + Default: encrypt passwords = yes + + diff --git a/docs/docbook/smbdotconf/security/forcecreatemode.xml b/docs/docbook/smbdotconf/security/forcecreatemode.xml index 238340d7c5..66b29950d0 100644 --- a/docs/docbook/smbdotconf/security/forcecreatemode.xml +++ b/docs/docbook/smbdotconf/security/forcecreatemode.xml @@ -1,25 +1,28 @@ - - force create mode (S) - This parameter specifies a set of UNIX mode bit - permissions that will always be set on a - file created by Samba. This is done by bitwise 'OR'ing these bits onto - the mode bits of a file that is being created or having its - permissions changed. The default for this parameter is (in octal) - 000. The modes in this parameter are bitwise 'OR'ed onto the file - mode after the mask set in the create mask - parameter is applied. + + + This parameter specifies a set of UNIX mode bit + permissions that will always be set on a + file created by Samba. This is done by bitwise 'OR'ing these bits onto + the mode bits of a file that is being created or having its + permissions changed. The default for this parameter is (in octal) + 000. The modes in this parameter are bitwise 'OR'ed onto the file + mode after the mask set in the create mask + parameter is applied. - See also the parameter create - mask for details on masking mode bits on files. + See also the parameter create + mask for details on masking mode bits on files. - See also the inherit - permissions parameter. + See also the inherit + permissions parameter. - Default: force create mode = 000 - Example: force create mode = 0755 + Default: force create mode = 000 - would force all created files to have read and execute - permissions set for 'group' and 'other' as well as the - read/write/execute bits set for the 'user'. - - + Example: force create mode = 0755 + + would force all created files to have read and execute + permissions set for 'group' and 'other' as well as the + read/write/execute bits set for the 'user'. + + diff --git a/docs/docbook/smbdotconf/security/forcedirectorymode.xml b/docs/docbook/smbdotconf/security/forcedirectorymode.xml index 460a7fc6f2..b417f08b24 100644 --- a/docs/docbook/smbdotconf/security/forcedirectorymode.xml +++ b/docs/docbook/smbdotconf/security/forcedirectorymode.xml @@ -1,26 +1,29 @@ - - force directory mode (S) - This parameter specifies a set of UNIX mode bit - permissions that will always be set on a directory - created by Samba. This is done by bitwise 'OR'ing these bits onto the - mode bits of a directory that is being created. The default for this - parameter is (in octal) 0000 which will not add any extra permission - bits to a created directory. This operation is done after the mode - mask in the parameter directory mask is - applied. + + + This parameter specifies a set of UNIX mode bit + permissions that will always be set on a directory + created by Samba. This is done by bitwise 'OR'ing these bits onto the + mode bits of a directory that is being created. The default for this + parameter is (in octal) 0000 which will not add any extra permission + bits to a created directory. This operation is done after the mode + mask in the parameter directory mask is + applied. - See also the parameter - directory mask for details on masking mode bits - on created directories. + See also the parameter + directory mask for details on masking mode bits + on created directories. - See also the - inherit permissions parameter. + See also the + inherit permissions parameter. - Default: force directory mode = 000 - Example: force directory mode = 0755 + Default: force directory mode = 000 - would force all created directories to have read and execute - permissions set for 'group' and 'other' as well as the - read/write/execute bits set for the 'user'. - - + Example: force directory mode = 0755 + + would force all created directories to have read and execute + permissions set for 'group' and 'other' as well as the + read/write/execute bits set for the 'user'. + + diff --git a/docs/docbook/smbdotconf/security/forcedirectorysecuritymode.xml b/docs/docbook/smbdotconf/security/forcedirectorysecuritymode.xml index a01b297b05..8c35ccbf8a 100644 --- a/docs/docbook/smbdotconf/security/forcedirectorysecuritymode.xml +++ b/docs/docbook/smbdotconf/security/forcedirectorysecuritymode.xml @@ -1,32 +1,35 @@ - - force directory security mode (S) - This parameter controls what UNIX permission bits - can be modified when a Windows NT client is manipulating the UNIX - permission on a directory using the native NT security dialog box. + + + This parameter controls what UNIX permission bits + can be modified when a Windows NT client is manipulating the UNIX + permission on a directory using the native NT security dialog box. - This parameter is applied as a mask (OR'ed with) to the - changed permission bits, thus forcing any bits in this mask that - the user may have modified to be on. Essentially, one bits in this - mask may be treated as a set of bits that, when modifying security - on a directory, the user has always set to be 'on'. + This parameter is applied as a mask (OR'ed with) to the + changed permission bits, thus forcing any bits in this mask that + the user may have modified to be on. Essentially, one bits in this + mask may be treated as a set of bits that, when modifying security + on a directory, the user has always set to be 'on'. - If not set explicitly this parameter is 000, which - allows a user to modify all the user/group/world permissions on a - directory without restrictions. + If not set explicitly this parameter is 000, which + allows a user to modify all the user/group/world permissions on a + directory without restrictions. - Note that users who can access the - Samba server through other means can easily bypass this restriction, - so it is primarily useful for standalone "appliance" systems. - Administrators of most normal systems will probably want to leave - it set as 0000. + Note that users who can access the + Samba server through other means can easily bypass this restriction, + so it is primarily useful for standalone "appliance" systems. + Administrators of most normal systems will probably want to leave + it set as 0000. - See also the - directory security mask, - security mask, - force security mode - parameters. + See also the + directory security mask, + security mask, + force security mode + parameters. - Default: force directory security mode = 0 - Example: force directory security mode = 700 - - + Default: force directory security mode = 0 + + Example: force directory security mode = 700 + + diff --git a/docs/docbook/smbdotconf/security/forcegroup.xml b/docs/docbook/smbdotconf/security/forcegroup.xml index abfec79e03..eafdfe8e23 100644 --- a/docs/docbook/smbdotconf/security/forcegroup.xml +++ b/docs/docbook/smbdotconf/security/forcegroup.xml @@ -1,35 +1,37 @@ - - force group (S) - This specifies a UNIX group name that will be - assigned as the default primary group for all users connecting - to this service. This is useful for sharing files by ensuring - that all access to files on service will use the named group for - their permissions checking. Thus, by assigning permissions for this - group to the files and directories within this service the Samba - administrator can restrict or allow sharing of these files. + + + This specifies a UNIX group name that will be + assigned as the default primary group for all users connecting + to this service. This is useful for sharing files by ensuring + that all access to files on service will use the named group for + their permissions checking. Thus, by assigning permissions for this + group to the files and directories within this service the Samba + administrator can restrict or allow sharing of these files. - In Samba 2.0.5 and above this parameter has extended - functionality in the following way. If the group name listed here - has a '+' character prepended to it then the current user accessing - the share only has the primary group default assigned to this group - if they are already assigned as a member of that group. This allows - an administrator to decide that only users who are already in a - particular group will create files with group ownership set to that - group. This gives a finer granularity of ownership assignment. For - example, the setting force group = +sys means - that only users who are already in group sys will have their default - primary group assigned to sys when accessing this Samba share. All - other users will retain their ordinary primary group. + In Samba 2.0.5 and above this parameter has extended + functionality in the following way. If the group name listed here + has a '+' character prepended to it then the current user accessing + the share only has the primary group default assigned to this group + if they are already assigned as a member of that group. This allows + an administrator to decide that only users who are already in a + particular group will create files with group ownership set to that + group. This gives a finer granularity of ownership assignment. For + example, the setting force group = +sys means + that only users who are already in group sys will have their default + primary group assigned to sys when accessing this Samba share. All + other users will retain their ordinary primary group. - If the force user - parameter is also set the group specified in - force group will override the primary group - set in force user. + If the force user + parameter is also set the group specified in + force group will override the primary group + set in force user. - See also force - user. + See also force user. - Default: no forced group - Example: force group = agroup - - + Default: no forced group + + Example: force group = agroup + + diff --git a/docs/docbook/smbdotconf/security/forcesecuritymode.xml b/docs/docbook/smbdotconf/security/forcesecuritymode.xml index 2db50f1ce3..4151239f53 100644 --- a/docs/docbook/smbdotconf/security/forcesecuritymode.xml +++ b/docs/docbook/smbdotconf/security/forcesecuritymode.xml @@ -1,33 +1,36 @@ - - force security mode (S) - This parameter controls what UNIX permission - bits can be modified when a Windows NT client is manipulating - the UNIX permission on a file using the native NT security dialog - box. + + + This parameter controls what UNIX permission + bits can be modified when a Windows NT client is manipulating + the UNIX permission on a file using the native NT security dialog + box. - This parameter is applied as a mask (OR'ed with) to the - changed permission bits, thus forcing any bits in this mask that - the user may have modified to be on. Essentially, one bits in this - mask may be treated as a set of bits that, when modifying security - on a file, the user has always set to be 'on'. + This parameter is applied as a mask (OR'ed with) to the + changed permission bits, thus forcing any bits in this mask that + the user may have modified to be on. Essentially, one bits in this + mask may be treated as a set of bits that, when modifying security + on a file, the user has always set to be 'on'. - If not set explicitly this parameter is set to 0, - and allows a user to modify all the user/group/world permissions on a file, - with no restrictions. + If not set explicitly this parameter is set to 0, + and allows a user to modify all the user/group/world permissions on a file, + with no restrictions. - Note that users who can access - the Samba server through other means can easily bypass this restriction, - so it is primarily useful for standalone "appliance" systems. - Administrators of most normal systems will probably want to leave - this set to 0000. + Note that users who can access + the Samba server through other means can easily bypass this restriction, + so it is primarily useful for standalone "appliance" systems. + Administrators of most normal systems will probably want to leave + this set to 0000. - See also the - force directory security mode, - directory security - mask, - security mask parameters. + See also the + force directory security mode, + directory security + mask, + security mask parameters. - Default: force security mode = 0 - Example: force security mode = 700 - - + Default: force security mode = 0 + + Example: force security mode = 700 + + diff --git a/docs/docbook/smbdotconf/security/forceuser.xml b/docs/docbook/smbdotconf/security/forceuser.xml index 4747db13fe..79c7aa3806 100644 --- a/docs/docbook/smbdotconf/security/forceuser.xml +++ b/docs/docbook/smbdotconf/security/forceuser.xml @@ -1,25 +1,27 @@ - - force user (S) - This specifies a UNIX user name that will be - assigned as the default user for all users connecting to this service. - This is useful for sharing files. You should also use it carefully - as using it incorrectly can cause security problems. + + + This specifies a UNIX user name that will be + assigned as the default user for all users connecting to this service. + This is useful for sharing files. You should also use it carefully + as using it incorrectly can cause security problems. - This user name only gets used once a connection is established. - Thus clients still need to connect as a valid user and supply a - valid password. Once connected, all file operations will be performed - as the "forced user", no matter what username the client connected - as. This can be very useful. + This user name only gets used once a connection is established. + Thus clients still need to connect as a valid user and supply a + valid password. Once connected, all file operations will be performed + as the "forced user", no matter what username the client connected + as. This can be very useful. - In Samba 2.0.5 and above this parameter also causes the - primary group of the forced user to be used as the primary group - for all file activity. Prior to 2.0.5 the primary group was left - as the primary group of the connecting user (this was a bug). + In Samba 2.0.5 and above this parameter also causes the + primary group of the forced user to be used as the primary group + for all file activity. Prior to 2.0.5 the primary group was left + as the primary group of the connecting user (this was a bug). - See also force group - + See also force group - Default: no forced user - Example: force user = auser - - + Default: no forced user + + Example: force user = auser + + diff --git a/docs/docbook/smbdotconf/security/group.xml b/docs/docbook/smbdotconf/security/group.xml index afc410ce34..453ca0f45b 100644 --- a/docs/docbook/smbdotconf/security/group.xml +++ b/docs/docbook/smbdotconf/security/group.xml @@ -1,5 +1,9 @@ - - group (S) - Synonym for force - group. - + + + Synonym for + force group. + + diff --git a/docs/docbook/smbdotconf/security/guestaccount.xml b/docs/docbook/smbdotconf/security/guestaccount.xml index ab15c4460d..9db3b6362d 100644 --- a/docs/docbook/smbdotconf/security/guestaccount.xml +++ b/docs/docbook/smbdotconf/security/guestaccount.xml @@ -1,27 +1,31 @@ - - guest account (S) - This is a username which will be used for access - to services which are specified as - guest ok (see below). Whatever privileges this - user has will be available to any client connecting to the guest service. - Typically this user will exist in the password file, but will not - have a valid login. The user account "ftp" is often a good choice - for this parameter. If a username is specified in a given service, - the specified username overrides this one. + + + This is a username which will be used for access + to services which are specified as + guest ok (see below). Whatever privileges this + user has will be available to any client connecting to the guest service. + Typically this user will exist in the password file, but will not + have a valid login. The user account "ftp" is often a good choice + for this parameter. If a username is specified in a given service, + the specified username overrides this one. + - One some systems the default guest account "nobody" may not - be able to print. Use another account in this case. You should test - this by trying to log in as your guest user (perhaps by using the - su - command) and trying to print using the - system print command such as lpr(1) or - lp(1). + One some systems the default guest account "nobody" may not + be able to print. Use another account in this case. You should test + this by trying to log in as your guest user (perhaps by using the + su - command) and trying to print using the + system print command such as lpr(1) or + lp(1). - This parameter does not accept % macros, because - many parts of the system require this value to be - constant for correct operation. + This parameter does not accept % macros, because + many parts of the system require this value to be + constant for correct operation. - Default: specified at compile time, usually - "nobody" + Default: specified at compile time, usually "nobody" - Example: guest account = ftp - + Example: guest account = ftp + + diff --git a/docs/docbook/smbdotconf/security/guestok.xml b/docs/docbook/smbdotconf/security/guestok.xml index 2b7a8cee8a..eef1801dc3 100644 --- a/docs/docbook/smbdotconf/security/guestok.xml +++ b/docs/docbook/smbdotconf/security/guestok.xml @@ -1,17 +1,21 @@ - - guest ok (S) - If this parameter is yes for - a service, then no password is required to connect to the service. - Privileges will be those of the - guest account. + + + If this parameter is yes for + a service, then no password is required to connect to the service. + Privileges will be those of the + guest account. - This paramater nullifies the benifits of setting - restrict - anonymous = 2 + This paramater nullifies the benifits of setting + restrict + anonymous = 2 - See the section below on - security for more information about this option. - + See the section below on + security for more information about this option. + - Default: guest ok = no - + Default: guest ok = no + + diff --git a/docs/docbook/smbdotconf/security/guestonly.xml b/docs/docbook/smbdotconf/security/guestonly.xml index ac7f62ad68..f116a5f22c 100644 --- a/docs/docbook/smbdotconf/security/guestonly.xml +++ b/docs/docbook/smbdotconf/security/guestonly.xml @@ -1,13 +1,16 @@ - - guest only (S) - If this parameter is yes for - a service, then only guest connections to the service are permitted. - This parameter will have no effect if - guest ok is not set for the service. + + + If this parameter is yes for + a service, then only guest connections to the service are permitted. + This parameter will have no effect if + guest ok is not set for the service. - See the section below on - security for more information about this option. - + See the section below on + security for more information about this option. + - Default: guest only = no - + Default: guest only = no + + diff --git a/docs/docbook/smbdotconf/security/hostsallow.xml b/docs/docbook/smbdotconf/security/hostsallow.xml index ea91b73903..95aa7ee516 100644 --- a/docs/docbook/smbdotconf/security/hostsallow.xml +++ b/docs/docbook/smbdotconf/security/hostsallow.xml @@ -1,60 +1,62 @@ - - hosts allow (S) - A synonym for this parameter is allow - hosts. + + + A synonym for this parameter is allow + hosts. - This parameter is a comma, space, or tab delimited - set of hosts which are permitted to access a service. + This parameter is a comma, space, or tab delimited + set of hosts which are permitted to access a service. - If specified in the [global] section then it will - apply to all services, regardless of whether the individual - service has a different setting. + If specified in the [global] section then it will + apply to all services, regardless of whether the individual + service has a different setting. - You can specify the hosts by name or IP number. For - example, you could restrict access to only the hosts on a - Class C subnet with something like allow hosts = 150.203.5. - . The full syntax of the list is described in the man - page hosts_access(5). Note that this man - page may not be present on your system, so a brief description will - be given here also. + You can specify the hosts by name or IP number. For + example, you could restrict access to only the hosts on a + Class C subnet with something like allow hosts = 150.203.5. + . The full syntax of the list is described in the man + page hosts_access(5). Note that this man + page may not be present on your system, so a brief description will + be given here also. - Note that the localhost address 127.0.0.1 will always - be allowed access unless specifically denied by a hosts deny option. + Note that the localhost address 127.0.0.1 will always + be allowed access unless specifically denied by a + hosts deny option. - You can also specify hosts by network/netmask pairs and - by netgroup names if your system supports netgroups. The - EXCEPT keyword can also be used to limit a - wildcard list. The following examples may provide some help: + You can also specify hosts by network/netmask pairs and + by netgroup names if your system supports netgroups. The + EXCEPT keyword can also be used to limit a + wildcard list. The following examples may provide some help: - Example 1: allow all IPs in 150.203.*.*; except one + Example 1: allow all IPs in 150.203.*.*; except one - hosts allow = 150.203. EXCEPT 150.203.6.66 + hosts allow = 150.203. EXCEPT 150.203.6.66 - Example 2: allow hosts that match the given network/netmask + Example 2: allow hosts that match the given network/netmask - hosts allow = 150.203.15.0/255.255.255.0 + hosts allow = 150.203.15.0/255.255.255.0 - Example 3: allow a couple of hosts + Example 3: allow a couple of hosts - hosts allow = lapland, arvidsjaur + hosts allow = lapland, arvidsjaur - Example 4: allow only hosts in NIS netgroup "foonet", but - deny access from one particular host + Example 4: allow only hosts in NIS netgroup "foonet", but + deny access from one particular host - hosts allow = @foonet + hosts allow = @foonet - hosts deny = pirate + hosts deny = pirate - Note that access still requires suitable user-level passwords. + Note that access still requires suitable user-level passwords. - See testparm - 1 for a way of testing your host access - to see if it does what you expect. + See testparm + 1 for a way of testing your host access + to see if it does what you expect. - Default: none (i.e., all hosts permitted access) - + Default: none (i.e., all hosts permitted access) - Example: allow hosts = 150.203.5. myhost.mynet.edu.au - - - + Example: allow hosts = 150.203.5. myhost.mynet.edu.au + + diff --git a/docs/docbook/smbdotconf/security/hostsdeny.xml b/docs/docbook/smbdotconf/security/hostsdeny.xml index f37e2b7e4d..e4b47051fa 100644 --- a/docs/docbook/smbdotconf/security/hostsdeny.xml +++ b/docs/docbook/smbdotconf/security/hostsdeny.xml @@ -1,14 +1,16 @@ - - hosts deny (S) - The opposite of hosts allow - - hosts listed here are NOT permitted access to - services unless the specific services have their own lists to override - this one. Where the lists conflict, the allow - list takes precedence. + + + The opposite of hosts allow + - hosts listed here are NOT permitted access to + services unless the specific services have their own lists to override + this one. Where the lists conflict, the allow + list takes precedence. - Default: none (i.e., no hosts specifically excluded) - + Default: none (i.e., no hosts specifically excluded) - Example: hosts deny = 150.203.4. badhost.mynet.edu.au - - + Example: hosts deny = 150.203.4. badhost.mynet.edu.au + + diff --git a/docs/docbook/smbdotconf/security/hostsequiv.xml b/docs/docbook/smbdotconf/security/hostsequiv.xml index 084d8268ef..873053be28 100644 --- a/docs/docbook/smbdotconf/security/hostsequiv.xml +++ b/docs/docbook/smbdotconf/security/hostsequiv.xml @@ -1,26 +1,29 @@ - - hosts equiv (G) - If this global parameter is a non-null string, - it specifies the name of a file to read for the names of hosts - and users who will be allowed access without specifying a password. - + + + If this global parameter is a non-null string, + it specifies the name of a file to read for the names of hosts + and users who will be allowed access without specifying a password. + - This is not be confused with - hosts allow which is about hosts - access to services and is more useful for guest services. - hosts equiv may be useful for NT clients which will - not supply passwords to Samba. + This is not be confused with + hosts allow which is about hosts + access to services and is more useful for guest services. + hosts equiv may be useful for NT clients which will + not supply passwords to Samba. - The use of hosts equiv - can be a major security hole. This is because you are - trusting the PC to supply the correct username. It is very easy to - get a PC to supply a false username. I recommend that the - hosts equiv option be only used if you really - know what you are doing, or perhaps on a home network where you trust - your spouse and kids. And only if you really trust - them :-). + The use of hosts equiv + can be a major security hole. This is because you are + trusting the PC to supply the correct username. It is very easy to + get a PC to supply a false username. I recommend that the + hosts equiv option be only used if you really + know what you are doing, or perhaps on a home network where you trust + your spouse and kids. And only if you really trust + them :-). - Default: no host equivalences - Example: hosts equiv = /etc/hosts.equiv - - + Default: no host equivalences + Example: hosts equiv = /etc/hosts.equiv + + diff --git a/docs/docbook/smbdotconf/security/inheritacls.xml b/docs/docbook/smbdotconf/security/inheritacls.xml index f70c0d9165..6fcfdc19ce 100644 --- a/docs/docbook/smbdotconf/security/inheritacls.xml +++ b/docs/docbook/smbdotconf/security/inheritacls.xml @@ -1,14 +1,14 @@ - - inherit acls (S) - This parameter can be used to ensure - that if default acls exist on parent directories, - they are always honored when creating a subdirectory. - The default behavior is to use the mode specified - when creating the directory. Enabling this option - sets the mode to 0777, thus guaranteeing that - default directory acls are propagated. - + + + This parameter can be used to ensure that if default acls + exist on parent directories, they are always honored when creating a + subdirectory. The default behavior is to use the mode specified when + creating the directory. Enabling this option sets the mode to 0777, + thus guaranteeing that default directory acls are propagated. + - Default: inherit acls = no - - + Default: inherit acls = no + + diff --git a/docs/docbook/smbdotconf/security/inheritpermissions.xml b/docs/docbook/smbdotconf/security/inheritpermissions.xml index 34fade33d0..aacf169863 100644 --- a/docs/docbook/smbdotconf/security/inheritpermissions.xml +++ b/docs/docbook/smbdotconf/security/inheritpermissions.xml @@ -1,36 +1,40 @@ - - inherit permissions (S) - The permissions on new files and directories - are normally governed by - create mask, - directory mask, force create mode - and force - directory mode but the boolean inherit - permissions parameter overrides this. + + + The permissions on new files and directories + are normally governed by + create mask, + directory mask, + force create mode + and force + directory mode but the boolean inherit + permissions parameter overrides this. - New directories inherit the mode of the parent directory, - including bits such as setgid. + New directories inherit the mode of the parent directory, + including bits such as setgid. - New files inherit their read/write bits from the parent - directory. Their execute bits continue to be determined by - map archive - , map hidden - and map system - as usual. + New files inherit their read/write bits from the parent + directory. Their execute bits continue to be determined by + map archive + , map hidden + and map system + as usual. - Note that the setuid bit is never set via - inheritance (the code explicitly prohibits this). + Note that the setuid bit is never set via + inheritance (the code explicitly prohibits this). - This can be particularly useful on large systems with - many users, perhaps several thousand, to allow a single [homes] - share to be used flexibly by each user. + This can be particularly useful on large systems with + many users, perhaps several thousand, to allow a single [homes] + share to be used flexibly by each user. - See also create mask - , - directory mask, - force create mode and force directory mode - . + See also create mask + , + directory mask, + force create mode and + force directory mode + . - Default: inherit permissions = no - - + Default: inherit permissions = no + + diff --git a/docs/docbook/smbdotconf/security/invalidusers.xml b/docs/docbook/smbdotconf/security/invalidusers.xml index 34e534ff28..f9d5d218e8 100644 --- a/docs/docbook/smbdotconf/security/invalidusers.xml +++ b/docs/docbook/smbdotconf/security/invalidusers.xml @@ -1,33 +1,35 @@ - - invalid users (S) - This is a list of users that should not be allowed - to login to this service. This is really a paranoid - check to absolutely ensure an improper setting does not breach - your security. + + + This is a list of users that should not be allowed + to login to this service. This is really a paranoid + check to absolutely ensure an improper setting does not breach + your security. - A name starting with a '@' is interpreted as an NIS - netgroup first (if your system supports NIS), and then as a UNIX - group if the name was not found in the NIS netgroup database. + A name starting with a '@' is interpreted as an NIS + netgroup first (if your system supports NIS), and then as a UNIX + group if the name was not found in the NIS netgroup database. - A name starting with '+' is interpreted only - by looking in the UNIX group database. A name starting with - '&' is interpreted only by looking in the NIS netgroup database - (this requires NIS to be working on your system). The characters - '+' and '&' may be used at the start of the name in either order - so the value +&group means check the - UNIX group database, followed by the NIS netgroup database, and - the value &+group means check the NIS - netgroup database, followed by the UNIX group database (the - same as the '@' prefix). + A name starting with '+' is interpreted only + by looking in the UNIX group database. A name starting with + '&' is interpreted only by looking in the NIS netgroup database + (this requires NIS to be working on your system). The characters + '+' and '&' may be used at the start of the name in either order + so the value +&group means check the + UNIX group database, followed by the NIS netgroup database, and + the value &+group means check the NIS + netgroup database, followed by the UNIX group database (the + same as the '@' prefix). - The current servicename is substituted for %S. - This is useful in the [homes] section. + The current servicename is substituted for %S. + This is useful in the [homes] section. - See also valid users - . + See also valid users + . - Default: no invalid users - Example: invalid users = root fred admin @wheel - - - + Default: no invalid users + + Example: invalid users = root fred admin @wheel + + diff --git a/docs/docbook/smbdotconf/security/lanmanauth.xml b/docs/docbook/smbdotconf/security/lanmanauth.xml index 851b1ae4ac..e293242472 100644 --- a/docs/docbook/smbdotconf/security/lanmanauth.xml +++ b/docs/docbook/smbdotconf/security/lanmanauth.xml @@ -1,11 +1,14 @@ - - lanman auth (G) - This parameter determines whether or not smbd - 8 will attempt to authenticate users - using the LANMAN password hash. If disabled, only clients which support NT - password hashes (e.g. Windows NT/2000 clients, smbclient, etc... but not - Windows 95/98 or the MS DOS network client) will be able to connect to the Samba host. + + + This parameter determines whether or not smbd + 8 will attempt to authenticate users + using the LANMAN password hash. If disabled, only clients which support NT + password hashes (e.g. Windows NT/2000 clients, smbclient, etc... but not + Windows 95/98 or the MS DOS network client) will be able to connect to the Samba host. - Default : lanman auth = yes - - + Default : lanman auth = yes + + diff --git a/docs/docbook/smbdotconf/security/maptoguest.xml b/docs/docbook/smbdotconf/security/maptoguest.xml index 966260a9b1..4f66319928 100644 --- a/docs/docbook/smbdotconf/security/maptoguest.xml +++ b/docs/docbook/smbdotconf/security/maptoguest.xml @@ -1,53 +1,62 @@ - - map to guest (G) - This parameter is only useful in - security modes other than security = share - - i.e. user, server, - and domain. + + + This parameter is only useful in + security modes other than security = share + - i.e. user, server, + and domain. - This parameter can take three different values, which tell - smbd - 8 what to do with user - login requests that don't match a valid UNIX user in some way. + This parameter can take three different values, which tell + smbd + 8 what to do with user + login requests that don't match a valid UNIX user in some way. - The three settings are : + The three settings are : - - Never - Means user login - requests with an invalid password are rejected. This is the - default. + + + Never - Means user login + requests with an invalid password are rejected. This is the + default. + - Bad User - Means user - logins with an invalid password are rejected, unless the username - does not exist, in which case it is treated as a guest login and - mapped into the - guest account. + + Bad User - Means user + logins with an invalid password are rejected, unless the username + does not exist, in which case it is treated as a guest login and + mapped into the + guest account. + - Bad Password - Means user logins - with an invalid password are treated as a guest login and mapped - into the guest account. Note that - this can cause problems as it means that any user incorrectly typing - their password will be silently logged on as "guest" - and - will not know the reason they cannot access files they think - they should - there will have been no message given to them - that they got their password wrong. Helpdesk services will - hate you if you set the map to - guest parameter this way :-). - + + Bad Password - Means user logins + with an invalid password are treated as a guest login and mapped + into the guest account. Note that + this can cause problems as it means that any user incorrectly typing + their password will be silently logged on as "guest" - and + will not know the reason they cannot access files they think + they should - there will have been no message given to them + that they got their password wrong. Helpdesk services will + hate you if you set the map to + guest parameter this way :-). + + - Note that this parameter is needed to set up "Guest" - share services when using security modes other than - share. This is because in these modes the name of the resource being - requested is not sent to the server until after - the server has successfully authenticated the client so the server - cannot make authentication decisions at the correct time (connection - to the share) for "Guest" shares. + Note that this parameter is needed to set up "Guest" + share services when using security modes other than + share. This is because in these modes the name of the resource being + requested is not sent to the server until after + the server has successfully authenticated the client so the server + cannot make authentication decisions at the correct time (connection + to the share) for "Guest" shares. - For people familiar with the older Samba releases, this - parameter maps to the old compile-time setting of the - GUEST_SESSSETUP value in local.h. + For people familiar with the older Samba releases, this + parameter maps to the old compile-time setting of the + GUEST_SESSSETUP value in local.h. - Default: map to guest = Never - Example: map to guest = Bad User - - + Default: map to guest = Never + Example: map to guest = Bad User + + diff --git a/docs/docbook/smbdotconf/security/minpasswdlength.xml b/docs/docbook/smbdotconf/security/minpasswdlength.xml index 8e52b923fb..d7ecc3e21b 100644 --- a/docs/docbook/smbdotconf/security/minpasswdlength.xml +++ b/docs/docbook/smbdotconf/security/minpasswdlength.xml @@ -1,6 +1,10 @@ - - min passwd length (G) - Synonym for - min password length. - - + + + Synonym for + min password length. + + + diff --git a/docs/docbook/smbdotconf/security/minpasswordlength.xml b/docs/docbook/smbdotconf/security/minpasswordlength.xml index da1e65a55b..69a1701ea2 100644 --- a/docs/docbook/smbdotconf/security/minpasswordlength.xml +++ b/docs/docbook/smbdotconf/security/minpasswordlength.xml @@ -1,14 +1,17 @@ - - min password length (G) - This option sets the minimum length in characters - of a plaintext password that smbd will accept when performing - UNIX password changing. + + + This option sets the minimum length in characters of a + plaintext password that smbd will + accept when performing UNIX password changing. - See also unix - password sync, - passwd program and passwd chat debug - . + See also unix + password sync, + passwd program and + passwd chat debug. - Default: min password length = 5 - - + Default: min password length = 5 + + diff --git a/docs/docbook/smbdotconf/security/nonunixaccountrange.xml b/docs/docbook/smbdotconf/security/nonunixaccountrange.xml index baa9a783b0..4004af2d94 100644 --- a/docs/docbook/smbdotconf/security/nonunixaccountrange.xml +++ b/docs/docbook/smbdotconf/security/nonunixaccountrange.xml @@ -1,21 +1,25 @@ - - non unix account range (G) - The non unix account range parameter specifies - the range of 'user ids' that are allocated by the various 'non unix - account' passdb backends. These backends allow - the storage of passwords for users who don't exist in /etc/passwd. - This is most often used for machine account creation. - This range of ids should have no existing local or NIS users within - it as strange conflicts can occur otherwise. + + + The non unix account range parameter specifies + the range of 'user ids' that are allocated by the various 'non unix + account' passdb backends. These backends allow + the storage of passwords for users who don't exist in /etc/passwd. + This is most often used for machine account creation. + This range of ids should have no existing local or NIS users within + it as strange conflicts can occur otherwise. - These userids never appear on the system and Samba will never - 'become' these users. They are used only to ensure that the algorithmic - RID mapping does not conflict with normal users. - + + These userids never appear on the system and Samba will never + 'become' these users. They are used only to ensure that the algorithmic + RID mapping does not conflict with normal users. + + - Default: non unix account range = <empty string> - + Default: non unix account range = <empty string> - Example: non unix account range = 10000-20000 - - + Example: non unix account range = 10000-20000 + + diff --git a/docs/docbook/smbdotconf/security/ntlmauth.xml b/docs/docbook/smbdotconf/security/ntlmauth.xml index a3b8caf062..b0b3179ab7 100644 --- a/docs/docbook/smbdotconf/security/ntlmauth.xml +++ b/docs/docbook/smbdotconf/security/ntlmauth.xml @@ -1,16 +1,15 @@ - - ntlm auth (G) - This parameter determines - whether or not smbd - 8 will - attempt to authenticate users using the NTLM password hash. - If disabled, only the lanman password hashes will be used. - + + + This parameter determines whether or not smbd + 8 will attempt to authenticate users using the NTLM password hash. + If disabled, only the lanman password hashes will be used. - Please note that at least this option or lanman auth should - be enabled in order to be able to log in. - + Please note that at least this option or lanman auth should + be enabled in order to be able to log in. - Default : ntlm auth = yes - - + Default : ntlm auth = yes + + diff --git a/docs/docbook/smbdotconf/security/nullpasswords.xml b/docs/docbook/smbdotconf/security/nullpasswords.xml index 40b687fceb..944a307eb7 100644 --- a/docs/docbook/smbdotconf/security/nullpasswords.xml +++ b/docs/docbook/smbdotconf/security/nullpasswords.xml @@ -1,11 +1,13 @@ - - null passwords (G) - Allow or disallow client access to accounts - that have null passwords. + + + Allow or disallow client access to accounts that have null passwords. - See also smbpasswd - 5. + See also smbpasswd + 5. - Default: null passwords = no - - + Default: null passwords = no + + diff --git a/docs/docbook/smbdotconf/security/obeypamrestrictions.xml b/docs/docbook/smbdotconf/security/obeypamrestrictions.xml index 92a6bce22d..42d6b5cc43 100644 --- a/docs/docbook/smbdotconf/security/obeypamrestrictions.xml +++ b/docs/docbook/smbdotconf/security/obeypamrestrictions.xml @@ -1,15 +1,19 @@ - - obey pam restrictions (G) - When Samba 2.2 is configured to enable PAM support - (i.e. --with-pam), this parameter will control whether or not Samba - should obey PAM's account and session management directives. The - default behavior is to use PAM for clear text authentication only - and to ignore any account or session management. Note that Samba - always ignores PAM for authentication in the case of encrypt passwords = yes - . The reason is that PAM modules cannot support the challenge/response - authentication mechanism needed in the presence of SMB password encryption. - + + + When Samba 3.0 is configured to enable PAM support + (i.e. --with-pam), this parameter will control whether or not Samba + should obey PAM's account and session management directives. The + default behavior is to use PAM for clear text authentication only + and to ignore any account or session management. Note that Samba + always ignores PAM for authentication in the case of + encrypt passwords = yes. The reason + is that PAM modules cannot support the challenge/response + authentication mechanism needed in the presence of SMB password encryption. + - Default: obey pam restrictions = no - - + Default: obey pam restrictions = no + + diff --git a/docs/docbook/smbdotconf/security/onlyguest.xml b/docs/docbook/smbdotconf/security/onlyguest.xml index 018fa1a0b5..756c682ab3 100644 --- a/docs/docbook/smbdotconf/security/onlyguest.xml +++ b/docs/docbook/smbdotconf/security/onlyguest.xml @@ -1,6 +1,8 @@ - - only guest (S) - A synonym for - guest only. - - + + + A synonym for + guest only. + + diff --git a/docs/docbook/smbdotconf/security/onlyuser.xml b/docs/docbook/smbdotconf/security/onlyuser.xml index d0bbac7541..9975023ecb 100644 --- a/docs/docbook/smbdotconf/security/onlyuser.xml +++ b/docs/docbook/smbdotconf/security/onlyuser.xml @@ -1,24 +1,26 @@ - - only user (S) - This is a boolean option that controls whether - connections with usernames not in the user - list will be allowed. By default this option is disabled so that a - client can supply a username to be used by the server. Enabling - this parameter will force the server to only use the login - names from the user list and is only really - useful in share level - security. + + + This is a boolean option that controls whether + connections with usernames not in the user + list will be allowed. By default this option is disabled so that a + client can supply a username to be used by the server. Enabling + this parameter will force the server to only use the login + names from the user list and is only really + useful in share level + security. - Note that this also means Samba won't try to deduce - usernames from the service name. This can be annoying for - the [homes] section. To get around this you could use user = - %S which means your user list - will be just the service name, which for home directories is the - name of the user. + Note that this also means Samba won't try to deduce + usernames from the service name. This can be annoying for + the [homes] section. To get around this you could use user = + %S which means your user list + will be just the service name, which for home directories is the + name of the user. - See also the user - parameter. + See also the user + parameter. - Default: only user = no - - + Default: only user = no + + diff --git a/docs/docbook/smbdotconf/security/pampasswordchange.xml b/docs/docbook/smbdotconf/security/pampasswordchange.xml index 8f0e91ae2d..5eb60e5270 100644 --- a/docs/docbook/smbdotconf/security/pampasswordchange.xml +++ b/docs/docbook/smbdotconf/security/pampasswordchange.xml @@ -1,16 +1,17 @@ - - pam password change (G) - With the addition of better PAM support in Samba 2.2, - this parameter, it is possible to use PAM's password change control - flag for Samba. If enabled, then PAM will be used for password - changes when requested by an SMB client instead of the program listed in - passwd program. - It should be possible to enable this without changing your - passwd chat - parameter for most setups. - + + + With the addition of better PAM support in Samba 2.2, + this parameter, it is possible to use PAM's password change control + flag for Samba. If enabled, then PAM will be used for password + changes when requested by an SMB client instead of the program listed in + passwd program. + It should be possible to enable this without changing your + passwd chat + parameter for most setups. - Default: pam password change = no - - - + Default: pam password change = no + + diff --git a/docs/docbook/smbdotconf/security/passdbbackend.xml b/docs/docbook/smbdotconf/security/passdbbackend.xml index 918c802e78..256b6c9709 100644 --- a/docs/docbook/smbdotconf/security/passdbbackend.xml +++ b/docs/docbook/smbdotconf/security/passdbbackend.xml @@ -1,91 +1,119 @@ - - passdb backend (G) - This option allows the administrator to chose which backends to retrieve and store passwords with. This allows (for example) both - smbpasswd and tdbsam to be used without a recompile. - Multiple backends can be specified, separated by spaces. The backends will be searched in the order they are specified. New users are always added to the first backend specified. - Experimental backends must still be selected - (eg --with-tdbsam) at configure time. - + + + + This option allows the administrator to chose which backends + to retrieve and store passwords with. This allows (for example) both + smbpasswd and tdbsam to be used without a recompile. Multiple + backends can be specified, separated by spaces. The backends will be + searched in the order they are specified. New users are always added + to the first backend specified. Experimental backends must still be + selected (eg --with-tdbsam) at configure time. - This parameter is in two parts, the backend's name, and a 'location' - string that has meaning only to that particular backed. These are separated - by a : character. + This parameter is in two parts, the backend's name, and a 'location' + string that has meaning only to that particular backed. These are separated + by a : character. - Available backends can include: - - smbpasswd - The default smbpasswd - backend. Takes a path to the smbpasswd file as an optional argument. + Available backends can include: + + + smbpasswd - The default smbpasswd + backend. Takes a path to the smbpasswd file as an optional argument. + + - smbpasswd_nua - The smbpasswd - backend, but with support for 'not unix accounts'. - Takes a path to the smbpasswd file as an optional argument. - See also - non unix account range + + smbpasswd_nua - The smbpasswd + backend, but with support for 'not unix accounts'. + Takes a path to the smbpasswd file as an optional argument. + + See also + non unix account range + - tdbsam - The TDB based password storage - backend. Takes a path to the TDB as an optional argument (defaults to passdb.tdb - in the - private dir directory. + + tdbsam - The TDB based password storage + backend. Takes a path to the TDB as an optional argument (defaults to passdb.tdb + in the + private dir directory. + - tdbsam_nua - The TDB based password storage - backend, with non unix account support. Takes a path to the TDB as an optional argument (defaults to passdb.tdb - in the - private dir directory. - See also - non unix account range + + tdbsam_nua - The TDB based password storage + backend, with non unix account support. Takes a path to the TDB as an optional argument (defaults to passdb.tdb + in the + private dir directory. + + See also + non unix account range + - ldapsam - The LDAP based passdb - backend. Takes an LDAP URL as an optional argument (defaults to - ldap://localhost) + + ldapsam - The LDAP based passdb + backend. Takes an LDAP URL as an optional argument (defaults to + ldap://localhost) + - ldapsam_nua - The LDAP based passdb - backend, with non unix account support. Takes an LDAP URL as an optional argument (defaults to - ldap://localhost) + + ldapsam_nua - The LDAP based passdb + backend, with non unix account support. Takes an LDAP URL as an optional argument (defaults to + ldap://localhost) - Note: In this module, any account without a matching POSIX account is regarded - as 'non unix'. + Note: In this module, any account without a matching POSIX account is regarded + as 'non unix'. - See also - non unix account - range + See also + non unix account range - LDAP connections should be secured where - possible. This may be done using either - Start-TLS (see - ldap ssl) or by - specifying ldaps:// in - the URL argument. - + LDAP connections should be secured where possible. This may be done using either + Start-TLS (see ldap ssl) or by + specifying ldaps:// in + the URL argument. + - nisplussam - The NIS+ based passdb backend. Takes name NIS domain as an optional argument. Only works with sun NIS+ servers. + + nisplussam - + The NIS+ based passdb backend. Takes name NIS domain as + an optional argument. Only works with sun NIS+ servers. + + - plugin - Allows Samba to load an - arbitary passdb backend from the .so specified as a compulsary argument. - + + plugin - Allows Samba to load an + arbitary passdb backend from the .so specified as a compulsary argument. + - Any characters after the (optional) second : are passed to the plugin - for its own processing - + Any characters after the (optional) second : are passed to the plugin + for its own processing + - unixsam - Allows samba to map all (other) available unix users + + unixsam - Allows samba to map all (other) + available unix users - This backend uses the standard unix database for retrieving users. Users included - in this pdb are NOT listed in samba user listings and users included in this pdb won't be - able to login. The use of this backend is to always be able to display the owner of a file - on the samba server - even when the user doesn't have a 'real' samba account in one of the - other passdb backends. - + This backend uses the standard unix database for retrieving users. Users included + in this pdb are NOT listed in samba user listings and users included in this pdb won't be + able to login. The use of this backend is to always be able to display the owner of a file + on the samba server - even when the user doesn't have a 'real' samba account in one of the + other passdb backends. + - This backend should always be the last backend listed, since it contains all users in - the unix passdb and might 'override' mappings if specified earlier. It's meant to only return - accounts for users that aren't covered by the previous backends. - - + This backend should always be the last backend listed, since it contains all users in + the unix passdb and might 'override' mappings if specified earlier. It's meant to only return + accounts for users that aren't covered by the previous backends. + + + + + Default: passdb backend = smbpasswd unixsam + + Example: passdb backend = tdbsam:/etc/samba/private/passdb.tdb smbpasswd:/etc/samba/smbpasswd unixsam + + Example: passdb backend = ldapsam_nua:ldaps://ldap.example.com unixsam - Default: passdb backend = smbpasswd unixsam - Example: passdb backend = tdbsam:/etc/samba/private/passdb.tdb smbpasswd:/etc/samba/smbpasswd unixsam - Example: passdb backend = ldapsam_nua:ldaps://ldap.example.com unixsam - Example: passdb backend = plugin:/usr/local/samba/lib/my_passdb.so:my_plugin_args tdbsam:/etc/samba/private/passdb.tdb - - + Example: passdb backend = plugin:/usr/local/samba/lib/my_passdb.so:my_plugin_args tdbsam:/etc/samba/private/passdb.tdb + + diff --git a/docs/docbook/smbdotconf/security/passwdchat.xml b/docs/docbook/smbdotconf/security/passwdchat.xml index 922f1a878c..fcefd8f8df 100644 --- a/docs/docbook/smbdotconf/security/passwdchat.xml +++ b/docs/docbook/smbdotconf/security/passwdchat.xml @@ -1,58 +1,62 @@ - - passwd chat (G) - This string controls the "chat" - conversation that takes places between smbd - 8 and the local password changing - program to change the user's password. The string describes a - sequence of response-receive pairs that smbd - 8 uses to determine what to send to the - passwd program - and what to expect back. If the expected output is not - received then the password is not changed. - - This chat sequence is often quite site specific, depending - on what local methods are used for password control (such as NIS - etc). - Note that this parameter only is only used if the unix - password sync parameter is set to yes. This - sequence is then called AS ROOT when the SMB password - in the smbpasswd file is being changed, without access to the old - password cleartext. This means that root must be able to reset the user's password - without knowing the text of the previous password. In the presence of NIS/YP, - this means that the passwd program must be - executed on the NIS master. - - - - The string can contain the macro %n which is substituted - for the new password. The chat sequence can also contain the standard - macros \\n, \\r, - \\t and \\s to give line-feed, - carriage-return, tab and space. The chat sequence string can also contain - a '*' which matches any sequence of characters. - Double quotes can be used to collect strings with spaces - in them into a single string. - - If the send string in any part of the chat sequence - is a full stop ".", then no string is sent. Similarly, - if the expect string is a full stop then no string is expected. - - If the pam - password change parameter is set to yes, the chat pairs - may be matched in any order, and success is determined by the PAM result, - not any particular output. The \n macro is ignored for PAM conversions. - - - See also unix password - sync, - passwd program , - passwd chat debug and - pam password change. - - Default: passwd chat = *new*password* %n\\n - *new*password* %n\\n *changed* - Example: passwd chat = "*Enter OLD password*" %o\\n - "*Enter NEW password*" %n\\n "*Reenter NEW password*" %n\\n "*Password - changed*" - - + + + This string controls the "chat" + conversation that takes places between smbd + 8 and the local password changing + program to change the user's password. The string describes a + sequence of response-receive pairs that smbd + 8 uses to determine what to send to the + passwd program + and what to expect back. If the expected output is not + received then the password is not changed. + + This chat sequence is often quite site specific, depending + on what local methods are used for password control (such as NIS + etc). + + Note that this parameter only is only used if the unix password sync + parameter is set to yes. This sequence is + then called AS ROOT when the SMB password in the + smbpasswd file is being changed, without access to the old password + cleartext. This means that root must be able to reset the user's password without + knowing the text of the previous password. In the presence of + NIS/YP, this means that the passwd program must + be executed on the NIS master. + + + + The string can contain the macro %n which is substituted + for the new password. The chat sequence can also contain the standard + macros \\n, \\r, \\t and \\s to + give line-feed, carriage-return, tab and space. The chat sequence string can also contain + a '*' which matches any sequence of characters. Double quotes can be used to collect strings with spaces + in them into a single string. + + If the send string in any part of the chat sequence is a full + stop ".", then no string is sent. Similarly, if the + expect string is a full stop then no string is expected. + + If the pam + password change parameter is set to yes, the chat pairs + may be matched in any order, and success is determined by the PAM result, + not any particular output. The \n macro is ignored for PAM conversions. + + + See also unix password + sync, + passwd program , + passwd chat debug and + pam password change. + + Default: passwd chat = *new*password* %n\\n + *new*password* %n\\n *changed* + + Example: passwd chat = "*Enter OLD password*" %o\\n + "*Enter NEW password*" %n\\n "*Reenter NEW password*" %n\\n + "*Password changed*" + + diff --git a/docs/docbook/smbdotconf/security/passwdchatdebug.xml b/docs/docbook/smbdotconf/security/passwdchatdebug.xml index a5771b72d2..2d731b5d11 100644 --- a/docs/docbook/smbdotconf/security/passwdchatdebug.xml +++ b/docs/docbook/smbdotconf/security/passwdchatdebug.xml @@ -1,25 +1,27 @@ - - passwd chat debug (G) - This boolean specifies if the passwd chat script - parameter is run in debug mode. In this mode the - strings passed to and received from the passwd chat are printed - in the smbd - 8 log with a - debug level - of 100. This is a dangerous option as it will allow plaintext passwords - to be seen in the smbd log. It is available to help - Samba admins debug their passwd chat scripts - when calling the passwd program and should - be turned off after this has been done. This option has no effect if the - pam password change - paramter is set. This parameter is off by default. + + + This boolean specifies if the passwd chat script + parameter is run in debug mode. In this mode the + strings passed to and received from the passwd chat are printed + in the smbd + 8 log with a + debug level + of 100. This is a dangerous option as it will allow plaintext passwords + to be seen in the smbd log. It is available to help + Samba admins debug their passwd chat scripts + when calling the passwd program and should + be turned off after this has been done. This option has no effect if the + pam password change + paramter is set. This parameter is off by default. + See also passwd chat + , pam password change + , passwd program + . - See also passwd chat - , pam password change - , passwd program - . - - Default: passwd chat debug = no - - + Default: passwd chat debug = no + + diff --git a/docs/docbook/smbdotconf/security/passwdprogram.xml b/docs/docbook/smbdotconf/security/passwdprogram.xml index dae24e22a1..dbcc261ce4 100644 --- a/docs/docbook/smbdotconf/security/passwdprogram.xml +++ b/docs/docbook/smbdotconf/security/passwdprogram.xml @@ -1,35 +1,39 @@ - - passwd program (G) - The name of a program that can be used to set - UNIX user passwords. Any occurrences of %u - will be replaced with the user name. The user name is checked for - existence before calling the password changing program. + + + The name of a program that can be used to set + UNIX user passwords. Any occurrences of %u + will be replaced with the user name. The user name is checked for + existence before calling the password changing program. - Also note that many passwd programs insist in reasonable - passwords, such as a minimum length, or the inclusion - of mixed case chars and digits. This can pose a problem as some clients - (such as Windows for Workgroups) uppercase the password before sending - it. + Also note that many passwd programs insist in reasonable + passwords, such as a minimum length, or the inclusion + of mixed case chars and digits. This can pose a problem as some clients + (such as Windows for Workgroups) uppercase the password before sending + it. - Note that if the unix - password sync parameter is set to yes - then this program is called AS ROOT - before the SMB password in the smbpasswd(5) - file is changed. If this UNIX password change fails, then - smbd will fail to change the SMB password also - (this is by design). + Note that if the unix + password sync parameter is set to yes + then this program is called AS ROOT + before the SMB password in the + smbpasswd5 + file is changed. If this UNIX password change fails, then + smbd will fail to change the SMB password also + (this is by design). - If the unix password sync parameter - is set this parameter MUST USE ABSOLUTE PATHS - for ALL programs called, and must be examined - for security implications. Note that by default unix - password sync is set to no. + If the unix password sync parameter + is set this parameter MUST USE ABSOLUTE PATHS + for ALL programs called, and must be examined + for security implications. Note that by default unix + password sync is set to no. - See also unix - password sync. + See also unix + password sync. - Default: passwd program = /bin/passwd - Example: passwd program = /sbin/npasswd %u - - - + Default: passwd program = /bin/passwd + + Example: passwd program = /sbin/npasswd %u + + diff --git a/docs/docbook/smbdotconf/security/passwordlevel.xml b/docs/docbook/smbdotconf/security/passwordlevel.xml index 408082f838..28b9999731 100644 --- a/docs/docbook/smbdotconf/security/passwordlevel.xml +++ b/docs/docbook/smbdotconf/security/passwordlevel.xml @@ -1,40 +1,44 @@ - - password level (G) - Some client/server combinations have difficulty - with mixed-case passwords. One offending client is Windows for - Workgroups, which for some reason forces passwords to upper - case when using the LANMAN1 protocol, but leaves them alone when - using COREPLUS! Another problem child is the Windows 95/98 - family of operating systems. These clients upper case clear - text passwords even when NT LM 0.12 selected by the protocol - negotiation request/response. - - This parameter defines the maximum number of characters - that may be upper case in passwords. - - For example, say the password given was "FRED". If - password level is set to 1, the following combinations - would be tried if "FRED" failed: - - "Fred", "fred", "fRed", "frEd","freD" - - If password level was set to 2, - the following combinations would also be tried: - - "FRed", "FrEd", "FreD", "fREd", "fReD", "frED", .. - - And so on. - - The higher value this parameter is set to the more likely - it is that a mixed case password will be matched against a single - case password. However, you should be aware that use of this - parameter reduces security and increases the time taken to - process a new connection. - - A value of zero will cause only two attempts to be - made - the password as is and the password in all-lower case. - - Default: password level = 0 - Example: password level = 4 - - + + + Some client/server combinations have difficulty + with mixed-case passwords. One offending client is Windows for + Workgroups, which for some reason forces passwords to upper + case when using the LANMAN1 protocol, but leaves them alone when + using COREPLUS! Another problem child is the Windows 95/98 + family of operating systems. These clients upper case clear + text passwords even when NT LM 0.12 selected by the protocol + negotiation request/response. + + This parameter defines the maximum number of characters + that may be upper case in passwords. + + For example, say the password given was "FRED". If + password level is set to 1, the following combinations + would be tried if "FRED" failed: + + "Fred", "fred", "fRed", "frEd","freD" + + If password level was set to 2, + the following combinations would also be tried: + + "FRed", "FrEd", "FreD", "fREd", "fReD", "frED", .. + + And so on. + + The higher value this parameter is set to the more likely + it is that a mixed case password will be matched against a single + case password. However, you should be aware that use of this + parameter reduces security and increases the time taken to + process a new connection. + + A value of zero will cause only two attempts to be + made - the password as is and the password in all-lower case. + + Default: password level = 0 + + Example: password level = 4 + + diff --git a/docs/docbook/smbdotconf/security/passwordserver.xml b/docs/docbook/smbdotconf/security/passwordserver.xml index b803816d88..e40ff32b75 100644 --- a/docs/docbook/smbdotconf/security/passwordserver.xml +++ b/docs/docbook/smbdotconf/security/passwordserver.xml @@ -1,92 +1,98 @@ - - password server (G) - By specifying the name of another SMB server (such - as a WinNT box) with this option, and using security = domain - or security = server you can get Samba - to do all its username/password validation via a remote server. + + + By specifying the name of another SMB server (such + as a WinNT box) with this option, and using security = domain + or security = server you can get Samba + to do all its username/password validation via a remote server. - This option sets the name of the password server to use. - It must be a NetBIOS name, so if the machine's NetBIOS name is - different from its Internet name then you may have to add its NetBIOS - name to the lmhosts file which is stored in the same directory - as the smb.conf file. + This option sets the name of the password server to use. + It must be a NetBIOS name, so if the machine's NetBIOS name is + different from its Internet name then you may have to add its NetBIOS + name to the lmhosts file which is stored in the same directory + as the smb.conf file. - The name of the password server is looked up using the - parameter name - resolve order and so may resolved - by any method and order described in that parameter. + The name of the password server is looked up using the + parameter name + resolve order and so may resolved + by any method and order described in that parameter. - The password server must be a machine capable of using - the "LM1.2X002" or the "NT LM 0.12" protocol, and it must be in - user level security mode. + The password server must be a machine capable of using + the "LM1.2X002" or the "NT LM 0.12" protocol, and it must be in + user level security mode. - Using a password server - means your UNIX box (running Samba) is only as secure as your - password server. DO NOT CHOOSE A PASSWORD SERVER THAT - YOU DON'T COMPLETELY TRUST. + Using a password server means your UNIX box (running + Samba) is only as secure as your password server. DO NOT + CHOOSE A PASSWORD SERVER THAT YOU DON'T COMPLETELY TRUST. + - Never point a Samba server at itself for password - serving. This will cause a loop and could lock up your Samba - server! + Never point a Samba server at itself for password serving. + This will cause a loop and could lock up your Samba server! - The name of the password server takes the standard - substitutions, but probably the only useful one is %m - , which means the Samba server will use the incoming - client as the password server. If you use this then you better - trust your clients, and you had better restrict them with hosts allow! + The name of the password server takes the standard + substitutions, but probably the only useful one is %m + , which means the Samba server will use the incoming + client as the password server. If you use this then you better + trust your clients, and you had better restrict them with hosts allow! - If the security parameter is set to - domain, then the list of machines in this - option must be a list of Primary or Backup Domain controllers for the - Domain or the character '*', as the Samba server is effectively - in that domain, and will use cryptographically authenticated RPC calls - to authenticate the user logging on. The advantage of using - security = domain is that if you list several hosts in the - password server option then smbd - will try each in turn till it finds one that responds. This - is useful in case your primary server goes down. + If the security parameter is set to + domain, then the list of machines in this + option must be a list of Primary or Backup Domain controllers for the + Domain or the character '*', as the Samba server is effectively + in that domain, and will use cryptographically authenticated RPC calls + to authenticate the user logging on. The advantage of using + security = domain is that if you list several hosts in the + password server option then smbd + will try each in turn till it finds one that responds. This + is useful in case your primary server goes down. - If the password server option is set - to the character '*', then Samba will attempt to auto-locate the - Primary or Backup Domain controllers to authenticate against by - doing a query for the name WORKGROUP<1C> - and then contacting each server returned in the list of IP - addresses from the name resolution source. + If the password server option is set + to the character '*', then Samba will attempt to auto-locate the + Primary or Backup Domain controllers to authenticate against by + doing a query for the name WORKGROUP<1C> + and then contacting each server returned in the list of IP + addresses from the name resolution source. - If the list of servers contains both names and the '*' - character, the list is treated as a list of preferred - domain controllers, but an auto lookup of all remaining DC's - will be added to the list as well. Samba will not attempt to optimize - this list by locating the closest DC. + If the list of servers contains both names and the '*' + character, the list is treated as a list of preferred + domain controllers, but an auto lookup of all remaining DC's + will be added to the list as well. Samba will not attempt to optimize + this list by locating the closest DC. - If the security parameter is - set to server, then there are different - restrictions that security = domain doesn't - suffer from: + If the security parameter is + set to server, then there are different + restrictions that security = domain doesn't + suffer from: - - You may list several password servers in - the password server parameter, however if an - smbd makes a connection to a password server, - and then the password server fails, no more users will be able - to be authenticated from this smbd. This is a - restriction of the SMB/CIFS protocol when in security = server - mode and cannot be fixed in Samba. + + + You may list several password servers in + the password server parameter, however if an + smbd makes a connection to a password server, + and then the password server fails, no more users will be able + to be authenticated from this smbd. This is a + restriction of the SMB/CIFS protocol when in security = server + mode and cannot be fixed in Samba. + + + + If you are using a Windows NT server as your + password server then you will have to ensure that your users + are able to login from the Samba server, as when in + security = server mode the network logon will appear to + come from there rather than from the users workstation. + + - If you are using a Windows NT server as your - password server then you will have to ensure that your users - are able to login from the Samba server, as when in - security = server mode the network logon will appear to - come from there rather than from the users workstation. - + See also the security + parameter. - See also the security - parameter. - - Default: password server = <empty string> - - Example: password server = NT-PDC, NT-BDC1, NT-BDC2, * - - Example: password server = * - - + Default: password server = <empty string> + + Example: password server = NT-PDC, NT-BDC1, NT-BDC2, * + + Example: password server = * + + diff --git a/docs/docbook/smbdotconf/security/printeradmin.xml b/docs/docbook/smbdotconf/security/printeradmin.xml index 7037facca0..c0640ea188 100644 --- a/docs/docbook/smbdotconf/security/printeradmin.xml +++ b/docs/docbook/smbdotconf/security/printeradmin.xml @@ -1,12 +1,15 @@ - - printer admin (S) - This is a list of users that can do anything to - printers via the remote administration interfaces offered by MS-RPC - (usually using a NT workstation). Note that the root user always - has admin rights. + + + This is a list of users that can do anything to + printers via the remote administration interfaces offered by MS-RPC + (usually using a NT workstation). Note that the root user always + has admin rights. - Default: printer admin = <empty string> - - Example: printer admin = admin, @staff - - + Default: printer admin = <empty string> + + Example: printer admin = admin, @staff + + diff --git a/docs/docbook/smbdotconf/security/privatedir.xml b/docs/docbook/smbdotconf/security/privatedir.xml index ca22089122..1fc7eb0b36 100644 --- a/docs/docbook/smbdotconf/security/privatedir.xml +++ b/docs/docbook/smbdotconf/security/privatedir.xml @@ -1,10 +1,13 @@ - - private dir (G) - This parameters defines the directory - smbd will use for storing such files as smbpasswd - and secrets.tdb. - + + + This parameters defines the directory + smbd will use for storing such files as smbpasswd + and secrets.tdb. + - Default :private dir = ${prefix}/private - - + Default :private dir = ${prefix}/private + + diff --git a/docs/docbook/smbdotconf/security/public.xml b/docs/docbook/smbdotconf/security/public.xml index a1f6a1ee29..a9e942811e 100644 --- a/docs/docbook/smbdotconf/security/public.xml +++ b/docs/docbook/smbdotconf/security/public.xml @@ -1,6 +1,9 @@ - - public (S) - Synonym for guest - ok. - - + + + Synonym for guest + ok. + + diff --git a/docs/docbook/smbdotconf/security/readlist.xml b/docs/docbook/smbdotconf/security/readlist.xml index 15d135d54e..41a97e5ffc 100644 --- a/docs/docbook/smbdotconf/security/readlist.xml +++ b/docs/docbook/smbdotconf/security/readlist.xml @@ -1,17 +1,22 @@ - - read list (S) - This is a list of users that are given read-only - access to a service. If the connecting user is in this list then - they will not be given write access, no matter what the read only - option is set to. The list can include group names using the - syntax described in the - invalid users parameter. + + + This is a list of users that are given read-only + access to a service. If the connecting user is in this list then + they will not be given write access, no matter what the + read only + option is set to. The list can include group names using the + syntax described in the + invalid users parameter. - See also the - write list parameter and the invalid users - parameter. + See also the + write list parameter and the + invalid users + parameter. - Default: read list = <empty string> - Example: read list = mary, @students - - + Default: read list = <empty string> + + Example: read list = mary, @students + + diff --git a/docs/docbook/smbdotconf/security/readonly.xml b/docs/docbook/smbdotconf/security/readonly.xml index 02721935de..e71301c3e5 100644 --- a/docs/docbook/smbdotconf/security/readonly.xml +++ b/docs/docbook/smbdotconf/security/readonly.xml @@ -1,16 +1,19 @@ - - read only (S) - An inverted synonym is - writeable. + + + An inverted synonym is + writeable. - If this parameter is yes, then users - of a service may not create or modify files in the service's - directory. + If this parameter is yes, then users + of a service may not create or modify files in the service's + directory. - Note that a printable service (printable = yes) - will ALWAYS allow writing to the directory - (user privileges permitting), but only via spooling operations. + Note that a printable service (printable = yes) + will ALWAYS allow writing to the directory + (user privileges permitting), but only via spooling operations. - Default: read only = yes - - + Default: read only = yes + + diff --git a/docs/docbook/smbdotconf/security/restrictanonymous.xml b/docs/docbook/smbdotconf/security/restrictanonymous.xml index 4b09b7d2bc..7f78f94a99 100644 --- a/docs/docbook/smbdotconf/security/restrictanonymous.xml +++ b/docs/docbook/smbdotconf/security/restrictanonymous.xml @@ -1,10 +1,12 @@ - - restrict anonymous (G) - This is a integer parameter, and - mirrors as much as possible the functinality the - RestrictAnonymous - registry key does on NT/Win2k. + + + This is a integer parameter, and mirrors as much as possible the functinality the + RestrictAnonymous registry key does on NT/Win2k. + - Default: restrict anonymous = 0 - - + Default: restrict anonymous = 0 + + diff --git a/docs/docbook/smbdotconf/security/root.xml b/docs/docbook/smbdotconf/security/root.xml index f69c1a1ae1..1199d54099 100644 --- a/docs/docbook/smbdotconf/security/root.xml +++ b/docs/docbook/smbdotconf/security/root.xml @@ -1,6 +1,10 @@ - - root (G) - Synonym for - root directory". - - + + + Synonym for + root directory". + + + diff --git a/docs/docbook/smbdotconf/security/rootdir.xml b/docs/docbook/smbdotconf/security/rootdir.xml index 1f543aed6a..e4e5f0e509 100644 --- a/docs/docbook/smbdotconf/security/rootdir.xml +++ b/docs/docbook/smbdotconf/security/rootdir.xml @@ -1,6 +1,10 @@ - - root dir (G) - Synonym for - root directory". - - + + + Synonym for + root directory". + + + diff --git a/docs/docbook/smbdotconf/security/rootdirectory.xml b/docs/docbook/smbdotconf/security/rootdirectory.xml index 9efc11e3c6..9c3e9cfad2 100644 --- a/docs/docbook/smbdotconf/security/rootdirectory.xml +++ b/docs/docbook/smbdotconf/security/rootdirectory.xml @@ -1,28 +1,34 @@ - - root directory (G) - The server will chroot() (i.e. - Change its root directory) to this directory on startup. This is - not strictly necessary for secure operation. Even without it the - server will deny access to files not in one of the service entries. - It may also check for, and deny access to, soft links to other - parts of the filesystem, or attempts to use ".." in file names - to access other directories (depending on the setting of the wide links - parameter). + + + The server will chroot() (i.e. + Change its root directory) to this directory on startup. This is + not strictly necessary for secure operation. Even without it the + server will deny access to files not in one of the service entries. + It may also check for, and deny access to, soft links to other + parts of the filesystem, or attempts to use ".." in file names + to access other directories (depending on the setting of the + wide links + parameter). + - Adding a root directory entry other - than "/" adds an extra level of security, but at a price. It - absolutely ensures that no access is given to files not in the - sub-tree specified in the root directory - option, including some files needed for - complete operation of the server. To maintain full operability - of the server you will need to mirror some system files - into the root directory tree. In particular - you will need to mirror /etc/passwd (or a - subset of it), and any binaries or configuration files needed for - printing (if required). The set of files that must be mirrored is - operating system dependent. + Adding a root directory entry other + than "/" adds an extra level of security, but at a price. It + absolutely ensures that no access is given to files not in the + sub-tree specified in the root directory + option, including some files needed for + complete operation of the server. To maintain full operability + of the server you will need to mirror some system files + into the root directory tree. In particular + you will need to mirror /etc/passwd (or a + subset of it), and any binaries or configuration files needed for + printing (if required). The set of files that must be mirrored is + operating system dependent. - Default: root directory = / - Example: root directory = /homes/smb - - + Default: root directory = / + + Example: root directory = /homes/smb + + diff --git a/docs/docbook/smbdotconf/security/security.xml b/docs/docbook/smbdotconf/security/security.xml index 8e97d8721f..68c5f2cdd2 100644 --- a/docs/docbook/smbdotconf/security/security.xml +++ b/docs/docbook/smbdotconf/security/security.xml @@ -1,237 +1,254 @@ - - security (G) - This option affects how clients respond to - Samba and is one of the most important settings in the - smb.conf file. - - The option sets the "security mode bit" in replies to - protocol negotiations with smbd - 8 to turn share level security on or off. Clients decide - based on this bit whether (and how) to transfer user and password - information to the server. - - - The default is security = user, as this is - the most common setting needed when talking to Windows 98 and - Windows NT. - - The alternatives are security = share, - security = server or security = domain - . - - In versions of Samba prior to 2.0.0, the default was - security = share mainly because that was - the only option at one stage. - - There is a bug in WfWg that has relevance to this - setting. When in user or server level security a WfWg client - will totally ignore the password you type in the "connect - drive" dialog box. This makes it very difficult (if not impossible) - to connect to a Samba service as anyone except the user that - you are logged into WfWg as. - - If your PCs use usernames that are the same as their - usernames on the UNIX machine then you will want to use - security = user. If you mostly use usernames - that don't exist on the UNIX box then use security = - share. - - You should also use security = share if you - want to mainly setup shares without a password (guest shares). This - is commonly used for a shared printer server. It is more difficult - to setup guest shares with security = user, see - the map to guest - parameter for details. + + + This option affects how clients respond to + Samba and is one of the most important settings in the + smb.conf file. + + The option sets the "security mode bit" in replies to + protocol negotiations with smbd + 8 to turn share level security on or off. Clients decide + based on this bit whether (and how) to transfer user and password + information to the server. + + + The default is security = user, as this is + the most common setting needed when talking to Windows 98 and + Windows NT. + + The alternatives are security = share, + security = server or security = domain + . + + In versions of Samba prior to 2.0.0, the default was + security = share mainly because that was + the only option at one stage. + + There is a bug in WfWg that has relevance to this + setting. When in user or server level security a WfWg client + will totally ignore the password you type in the "connect + drive" dialog box. This makes it very difficult (if not impossible) + to connect to a Samba service as anyone except the user that + you are logged into WfWg as. + + If your PCs use usernames that are the same as their + usernames on the UNIX machine then you will want to use + security = user. If you mostly use usernames + that don't exist on the UNIX box then use security = + share. + + You should also use security = share if you + want to mainly setup shares without a password (guest shares). This + is commonly used for a shared printer server. It is more difficult + to setup guest shares with security = user, see + the map to guest + parameter for details. - It is possible to use smbd in a - hybrid mode where it is offers both user and share - level security under different - NetBIOS aliases. + It is possible to use smbd in a + hybrid mode where it is offers both user and share + level security under different + NetBIOS aliases. - The different settings will now be explained. + The different settings will now be explained. - SECURITY = SHARE - + SECURITY = SHARE - When clients connect to a share level security server they - need not log onto the server with a valid username and password before - attempting to connect to a shared resource (although modern clients - such as Windows 95/98 and Windows NT will send a logon request with - a username but no password when talking to a security = share - server). Instead, the clients send authentication information - (passwords) on a per-share basis, at the time they attempt to connect - to that share. - - Note that smbd ALWAYS - uses a valid UNIX user to act on behalf of the client, even in - security = share level security. - - As clients are not required to send a username to the server - in share level security, smbd uses several - techniques to determine the correct UNIX user to use on behalf - of the client. - - A list of possible UNIX usernames to match with the given - client password is constructed using the following methods : - - - If the guest - only parameter is set, then all the other - stages are missed and only the - guest account username is checked. - - - Is a username is sent with the share connection - request, then this username (after mapping - see username map), - is added as a potential username. - - If the client did a previous logon - request (the SessionSetup SMB call) then the - username sent in this SMB will be added as a potential username. - - - The name of the service the client requested is - added as a potential username. - - The NetBIOS name of the client is added to - the list as a potential username. - - Any users on the - user list are added as potential usernames. - - - - If the guest only parameter is - not set, then this list is then tried with the supplied password. - The first user for whom the password matches will be used as the - UNIX user. - - If the guest only parameter is - set, or no username can be determined then if the share is marked - as available to the guest account, then this - guest user will be used, otherwise access is denied. - - Note that it can be very confusing - in share-level security as to which UNIX username will eventually - be used in granting access. - - See also the section - NOTE ABOUT USERNAME/PASSWORD VALIDATION. - - SECURITY = USER - - - This is the default security setting in Samba 3.0. - With user-level security a client must first "log-on" with a - valid username and password (which can be mapped using the username map - parameter). Encrypted passwords (see the - encrypted passwords parameter) can also - be used in this security mode. Parameters such as - user and - guest only if set are then applied and - may change the UNIX user to use on this connection, but only after - the user has been successfully authenticated. - - Note that the name of the resource being - requested is not sent to the server until after - the server has successfully authenticated the client. This is why - guest shares don't work in user level security without allowing - the server to automatically map unknown users into the guest account. - See the map to guest - parameter for details on doing this. - - See also the section - NOTE ABOUT USERNAME/PASSWORD VALIDATION. - - SECURITY = DOMAIN - - - - This mode will only work correctly if net - 8 has been used to add this - machine into a Windows NT Domain. It expects the encrypted passwords - parameter to be set to yes. In this - mode Samba will try to validate the username/password by passing - it to a Windows NT Primary or Backup Domain Controller, in exactly - the same way that a Windows NT Server would do. - - Note that a valid UNIX user must still - exist as well as the account on the Domain Controller to allow - Samba to have a valid UNIX account to map file access to. - - Note that from the client's point - of view security = domain is the same as security = user - . It only affects how the server deals with the authentication, - it does not in any way affect what the client sees. - - Note that the name of the resource being - requested is not sent to the server until after - the server has successfully authenticated the client. This is why - guest shares don't work in user level security without allowing - the server to automatically map unknown users into the guest account. - See the map to guest - parameter for details on doing this. - - See also the section - NOTE ABOUT USERNAME/PASSWORD VALIDATION. - - See also the password - server parameter and the encrypted passwords - parameter. - - SECURITY = SERVER - - - In this mode Samba will try to validate the username/password - by passing it to another SMB server, such as an NT box. If this - fails it will revert to security = - user. It expects the encrypted passwords - parameter to be set to - yes, unless the remote server - does not support them. However note - that if encrypted passwords have been negotiated then Samba cannot - revert back to checking the UNIX password file, it must have a valid - smbpasswd file to check users against. See the - documentation file in the docs/ directory - ENCRYPTION.txt for details on how to set this - up. - - Note this mode of operation - has significant pitfalls, due to the fact that is - activly initiates a man-in-the-middle attack on the - remote SMB server. In particular, this mode of - operation can cause significant resource consuption on - the PDC, as it must maintain an active connection for - the duration of the user's session. Furthermore, if - this connection is lost, there is no way to - reestablish it, and futher authenticaions to the Samba - server may fail. (From a single client, till it - disconnects). - - Note that from the client's point of - view security = server is the same as - security = user. It only affects how the server deals - with the authentication, it does not in any way affect what the - client sees. - - Note that the name of the resource being - requested is not sent to the server until after - the server has successfully authenticated the client. This is why - guest shares don't work in user level security without allowing - the server to automatically map unknown users into the guest account. - See the map to guest - parameter for details on doing this. - - See also the section - NOTE ABOUT USERNAME/PASSWORD VALIDATION. - - See also the password - server parameter and the encrypted passwords - parameter. + When clients connect to a share level security server they + need not log onto the server with a valid username and password before + attempting to connect to a shared resource (although modern clients + such as Windows 95/98 and Windows NT will send a logon request with + a username but no password when talking to a security = share + server). Instead, the clients send authentication information + (passwords) on a per-share basis, at the time they attempt to connect + to that share. + + Note that smbd ALWAYS + uses a valid UNIX user to act on behalf of the client, even in + security = share level security. + + As clients are not required to send a username to the server + in share level security, smbd uses several + techniques to determine the correct UNIX user to use on behalf + of the client. + + A list of possible UNIX usernames to match with the given + client password is constructed using the following methods : + + + + If the guest + only parameter is set, then all the other + stages are missed and only the + guest account username is checked. + + + + + Is a username is sent with the share connection + request, then this username (after mapping - see + username map), + is added as a potential username. + + + + + If the client did a previous logon + request (the SessionSetup SMB call) then the + username sent in this SMB will be added as a potential username. + + + + + The name of the service the client requested is + added as a potential username. + + + + + The NetBIOS name of the client is added to + the list as a potential username. + + + + + Any users on the + user list are added as potential usernames. + + + + + If the guest only parameter is + not set, then this list is then tried with the supplied password. + The first user for whom the password matches will be used as the + UNIX user. + + If the guest only parameter is + set, or no username can be determined then if the share is marked + as available to the guest account, then this + guest user will be used, otherwise access is denied. + + Note that it can be very confusing + in share-level security as to which UNIX username will eventually + be used in granting access. + + See also the section + NOTE ABOUT USERNAME/PASSWORD VALIDATION. + + SECURITY = USER + + This is the default security setting in Samba 3.0. + With user-level security a client must first "log-on" with a + valid username and password (which can be mapped using the + username map + parameter). Encrypted passwords (see the + encrypted passwords parameter) can also + be used in this security mode. Parameters such as + user and + guest only if set are then applied and + may change the UNIX user to use on this connection, but only after + the user has been successfully authenticated. + + Note that the name of the resource being + requested is not sent to the server until after + the server has successfully authenticated the client. This is why + guest shares don't work in user level security without allowing + the server to automatically map unknown users into the + guest account. + See the map to guest + parameter for details on doing this. + + See also the section + NOTE ABOUT USERNAME/PASSWORD VALIDATION. + + SECURITY = DOMAIN + + This mode will only work correctly if net + 8 has been used to add this + machine into a Windows NT Domain. It expects the + encrypted passwords + parameter to be set to yes. In this + mode Samba will try to validate the username/password by passing + it to a Windows NT Primary or Backup Domain Controller, in exactly + the same way that a Windows NT Server would do. + + Note that a valid UNIX user must still + exist as well as the account on the Domain Controller to allow + Samba to have a valid UNIX account to map file access to. + + Note that from the client's point + of view security = domain is the same + as security = user. It only + affects how the server deals with the authentication, + it does not in any way affect what the client sees. + + Note that the name of the resource being + requested is not sent to the server until after + the server has successfully authenticated the client. This is why + guest shares don't work in user level security without allowing + the server to automatically map unknown users into the + guest account. + See the map to guest + parameter for details on doing this. + + See also the section + NOTE ABOUT USERNAME/PASSWORD VALIDATION. + + See also the password + server parameter and the + encrypted passwords + parameter. + + SECURITY = SERVER + + In this mode Samba will try to validate the username/password + by passing it to another SMB server, such as an NT box. If this + fails it will revert to security = + user. It expects the + encrypted passwords parameter + to be set to yes, unless the remote server + does not support them. However note that if encrypted passwords have been + negotiated then Samba cannot revert back to checking the UNIX password file, + it must have a valid smbpasswd file to check + users against. See the documentation file in the docs/ directory + ENCRYPTION.txt for details on how to set this up. + + Note this mode of operation has + significant pitfalls, due to the fact that is activly initiates a + man-in-the-middle attack on the remote SMB server. In particular, + this mode of operation can cause significant resource consuption on + the PDC, as it must maintain an active connection for the duration + of the user's session. Furthermore, if this connection is lost, + there is no way to reestablish it, and futher authenticaions to the + Samba server may fail. (From a single client, till it disconnects). + + + Note that from the client's point of + view security = server is the + same as security = user. It + only affects how the server deals with the authentication, it does + not in any way affect what the client sees. + + Note that the name of the resource being + requested is not sent to the server until after + the server has successfully authenticated the client. This is why + guest shares don't work in user level security without allowing + the server to automatically map unknown users into the + guest account. + See the map to guest + parameter for details on doing this. + + See also the section + NOTE ABOUT USERNAME/PASSWORD VALIDATION. + + See also the password + server parameter and the + encrypted passwords parameter. - Default: security = USER - Example: security = DOMAIN + Default: security = USER + Example: security = DOMAIN - - + + diff --git a/docs/docbook/smbdotconf/security/securitymask.xml b/docs/docbook/smbdotconf/security/securitymask.xml index 9ed0adcbf4..ee3e8f916c 100644 --- a/docs/docbook/smbdotconf/security/securitymask.xml +++ b/docs/docbook/smbdotconf/security/securitymask.xml @@ -1,33 +1,36 @@ - - security mask (S) - This parameter controls what UNIX permission - bits can be modified when a Windows NT client is manipulating - the UNIX permission on a file using the native NT security - dialog box. + + + This parameter controls what UNIX permission + bits can be modified when a Windows NT client is manipulating + the UNIX permission on a file using the native NT security + dialog box. - This parameter is applied as a mask (AND'ed with) to - the changed permission bits, thus preventing any bits not in - this mask from being modified. Essentially, zero bits in this - mask may be treated as a set of bits the user is not allowed - to change. + This parameter is applied as a mask (AND'ed with) to + the changed permission bits, thus preventing any bits not in + this mask from being modified. Essentially, zero bits in this + mask may be treated as a set of bits the user is not allowed + to change. - If not set explicitly this parameter is 0777, allowing - a user to modify all the user/group/world permissions on a file. - + If not set explicitly this parameter is 0777, allowing + a user to modify all the user/group/world permissions on a file. + - Note that users who can access the - Samba server through other means can easily bypass this - restriction, so it is primarily useful for standalone - "appliance" systems. Administrators of most normal systems will - probably want to leave it set to 0777. + Note that users who can access the + Samba server through other means can easily bypass this + restriction, so it is primarily useful for standalone + "appliance" systems. Administrators of most normal systems will + probably want to leave it set to 0777. - See also the - force directory security mode, - directory - security mask, - force security mode parameters. + See also the + force directory security mode, + directory + security mask, + force security mode parameters. - Default: security mask = 0777 - Example: security mask = 0770 - - + Default: security mask = 0777 + + Example: security mask = 0770 + + diff --git a/docs/docbook/smbdotconf/security/serverschannel.xml b/docs/docbook/smbdotconf/security/serverschannel.xml index 05261fa417..afbc458068 100644 --- a/docs/docbook/smbdotconf/security/serverschannel.xml +++ b/docs/docbook/smbdotconf/security/serverschannel.xml @@ -1,24 +1,25 @@ - - server schannel (G) - + + - This controls whether the server offers or even - demands the use of the netlogon schannel. - server schannel = no does not - offer the schannel, server schannel = - auto offers the schannel but does not - enforce it, and server schannel = - yes denies access if the client is not - able to speak netlogon schannel. This is only the case - for Windows NT4 before SP4. + This controls whether the server offers or even + demands the use of the netlogon schannel. + server schannel = no does not + offer the schannel, server schannel = + auto offers the schannel but does not + enforce it, and server schannel = + yes denies access if the client is not + able to speak netlogon schannel. This is only the case + for Windows NT4 before SP4. - Please note that with this set to - no you will have to apply the - WindowsXP requireSignOrSeal-Registry patch found in - the docs/Registry subdirectory.Please note that with this set to + no you will have to apply the + WindowsXP requireSignOrSeal-Registry patch found in + the docs/Registry subdirectory.Default: server schannel = auto - - Example: server schannel = yes/para> - - \ No newline at end of file + Default: server schannel = auto + Example: server schannel = yes + + \ No newline at end of file diff --git a/docs/docbook/smbdotconf/security/smbpasswdfile.xml b/docs/docbook/smbdotconf/security/smbpasswdfile.xml index 2efbd12169..cb31ba5019 100644 --- a/docs/docbook/smbdotconf/security/smbpasswdfile.xml +++ b/docs/docbook/smbdotconf/security/smbpasswdfile.xml @@ -1,13 +1,14 @@ - - smb passwd file (G) - This option sets the path to the encrypted - smbpasswd file. By default the path to the smbpasswd file - is compiled into Samba. - - Default: smb passwd file = ${prefix}/private/smbpasswd - + + - Example: smb passwd file = /etc/samba/smbpasswd - - - + This option sets the path to the encrypted smbpasswd file. By + default the path to the smbpasswd file is compiled into Samba. + + Default: smb passwd file = ${prefix}/private/smbpasswd + + Example: smb passwd file = /etc/samba/smbpasswd + + diff --git a/docs/docbook/smbdotconf/security/unixpasswordsync.xml b/docs/docbook/smbdotconf/security/unixpasswordsync.xml index 41c6d983d0..0d22ed9c7e 100644 --- a/docs/docbook/smbdotconf/security/unixpasswordsync.xml +++ b/docs/docbook/smbdotconf/security/unixpasswordsync.xml @@ -1,18 +1,22 @@ - - unix password sync (G) - This boolean parameter controls whether Samba - attempts to synchronize the UNIX password with the SMB password - when the encrypted SMB password in the smbpasswd file is changed. - If this is set to yes the program specified in the passwd - programparameter is called AS ROOT - - to allow the new UNIX password to be set without access to the - old UNIX password (as the SMB password change code has no - access to the old password cleartext, only the new). + + + This boolean parameter controls whether Samba + attempts to synchronize the UNIX password with the SMB password + when the encrypted SMB password in the smbpasswd file is changed. + If this is set to yes the program specified in the passwd + programparameter is called AS ROOT - + to allow the new UNIX password to be set without access to the + old UNIX password (as the SMB password change code has no + access to the old password cleartext, only the new). - See also passwd - program, - passwd chat. + See also passwd + program, + passwd chat. + - Default: unix password sync = no - - + Default: unix password sync = no + + diff --git a/docs/docbook/smbdotconf/security/updateencrypted.xml b/docs/docbook/smbdotconf/security/updateencrypted.xml index 45c66e0de2..76b37948d7 100644 --- a/docs/docbook/smbdotconf/security/updateencrypted.xml +++ b/docs/docbook/smbdotconf/security/updateencrypted.xml @@ -1,28 +1,33 @@ - - update encrypted (G) - This boolean parameter allows a user logging - on with a plaintext password to have their encrypted (hashed) - password in the smbpasswd file to be updated automatically as - they log on. This option allows a site to migrate from plaintext - password authentication (users authenticate with plaintext - password over the wire, and are checked against a UNIX account - database) to encrypted password authentication (the SMB - challenge/response authentication mechanism) without forcing - all users to re-enter their passwords via smbpasswd at the time the - change is made. This is a convenience option to allow the change over - to encrypted passwords to be made over a longer period. Once all users - have encrypted representations of their passwords in the smbpasswd - file this parameter should be set to no. + + - In order for this parameter to work correctly the encrypt passwords - parameter must be set to no when - this parameter is set to yes. + This boolean parameter allows a user logging on with + a plaintext password to have their encrypted (hashed) password in + the smbpasswd file to be updated automatically as they log + on. This option allows a site to migrate from plaintext + password authentication (users authenticate with plaintext + password over the wire, and are checked against a UNIX account + database) to encrypted password authentication (the SMB + challenge/response authentication mechanism) without forcing all + users to re-enter their passwords via smbpasswd at the time the + change is made. This is a convenience option to allow the change + over to encrypted passwords to be made over a longer period. + Once all users have encrypted representations of their passwords + in the smbpasswd file this parameter should be set to + no. - Note that even when this parameter is set a user - authenticating to smbd must still enter a valid - password in order to connect correctly, and to update their hashed - (smbpasswd) passwords. + In order for this parameter to work correctly the + encrypt passwords parameter must + be set to no when this parameter is set to yes. - Default: update encrypted = no - - + Note that even when this parameter is set a user + authenticating to smbd must still enter a valid + password in order to connect correctly, and to update their hashed + (smbpasswd) passwords. + + Default: update encrypted = no + + diff --git a/docs/docbook/smbdotconf/security/user.xml b/docs/docbook/smbdotconf/security/user.xml index 9c0502061b..4ca2e18fac 100644 --- a/docs/docbook/smbdotconf/security/user.xml +++ b/docs/docbook/smbdotconf/security/user.xml @@ -1,6 +1,8 @@ - - user (S) - Synonym for - username. - - + + + Synonym for username. + + diff --git a/docs/docbook/smbdotconf/security/username.xml b/docs/docbook/smbdotconf/security/username.xml index 779f24170b..f1aa2fe1f8 100644 --- a/docs/docbook/smbdotconf/security/username.xml +++ b/docs/docbook/smbdotconf/security/username.xml @@ -1,62 +1,64 @@ - - username (S) - Multiple users may be specified in a comma-delimited - list, in which case the supplied password will be tested against - each username in turn (left to right). - - The username line is needed only when - the PC is unable to supply its own username. This is the case - for the COREPLUS protocol or where your users have different WfWg - usernames to UNIX usernames. In both these cases you may also be - better using the \\server\share%user syntax instead. - - The username line is not a great - solution in many cases as it means Samba will try to validate - the supplied password against each of the usernames in the - username line in turn. This is slow and - a bad idea for lots of users in case of duplicate passwords. - You may get timeouts or security breaches using this parameter - unwisely. - - Samba relies on the underlying UNIX security. This - parameter does not restrict who can login, it just offers hints - to the Samba server as to what usernames might correspond to the - supplied password. Users can login as whoever they please and - they will be able to do no more damage than if they started a - telnet session. The daemon runs as the user that they log in as, - so they cannot do anything that user cannot do. - - To restrict a service to a particular set of users you - can use the valid users - parameter. - - If any of the usernames begin with a '@' then the name - will be looked up first in the NIS netgroups list (if Samba - is compiled with netgroup support), followed by a lookup in - the UNIX groups database and will expand to a list of all users - in the group of that name. + + + Multiple users may be specified in a comma-delimited + list, in which case the supplied password will be tested against + each username in turn (left to right). + + The username line is needed only when + the PC is unable to supply its own username. This is the case + for the COREPLUS protocol or where your users have different WfWg + usernames to UNIX usernames. In both these cases you may also be + better using the \\server\share%user syntax instead. + + The username line is not a great + solution in many cases as it means Samba will try to validate + the supplied password against each of the usernames in the + username line in turn. This is slow and + a bad idea for lots of users in case of duplicate passwords. + You may get timeouts or security breaches using this parameter + unwisely. + + Samba relies on the underlying UNIX security. This + parameter does not restrict who can login, it just offers hints + to the Samba server as to what usernames might correspond to the + supplied password. Users can login as whoever they please and + they will be able to do no more damage than if they started a + telnet session. The daemon runs as the user that they log in as, + so they cannot do anything that user cannot do. + + To restrict a service to a particular set of users you + can use the valid users + parameter. + + If any of the usernames begin with a '@' then the name + will be looked up first in the NIS netgroups list (if Samba + is compiled with netgroup support), followed by a lookup in + the UNIX groups database and will expand to a list of all users + in the group of that name. - If any of the usernames begin with a '+' then the name - will be looked up only in the UNIX groups database and will - expand to a list of all users in the group of that name. - - If any of the usernames begin with a '&' then the name - will be looked up only in the NIS netgroups database (if Samba - is compiled with netgroup support) and will expand to a list - of all users in the netgroup group of that name. - - Note that searching though a groups database can take - quite some time, and some clients may time out during the - search. - - See the section NOTE ABOUT - USERNAME/PASSWORD VALIDATION for more information on how - this parameter determines access to the services. - - Default: The guest account if a guest service, - else <empty string>. - - Examples:username = fred, mary, jack, jane, - @users, @pcgroup - - + If any of the usernames begin with a '+' then the name + will be looked up only in the UNIX groups database and will + expand to a list of all users in the group of that name. + + If any of the usernames begin with a '&' then the name + will be looked up only in the NIS netgroups database (if Samba + is compiled with netgroup support) and will expand to a list + of all users in the netgroup group of that name. + + Note that searching though a groups database can take + quite some time, and some clients may time out during the + search. + + See the section NOTE ABOUT + USERNAME/PASSWORD VALIDATION for more information on how + this parameter determines access to the services. + + Default: The guest account if a guest service, + else <empty string>. + + Examples:username = fred, mary, jack, jane, + @users, @pcgroup + + diff --git a/docs/docbook/smbdotconf/security/usernamelevel.xml b/docs/docbook/smbdotconf/security/usernamelevel.xml index a4deff3bf9..3c71e3b710 100644 --- a/docs/docbook/smbdotconf/security/usernamelevel.xml +++ b/docs/docbook/smbdotconf/security/usernamelevel.xml @@ -1,20 +1,24 @@ - - username level (G) - This option helps Samba to try and 'guess' at - the real UNIX username, as many DOS clients send an all-uppercase - username. By default Samba tries all lowercase, followed by the - username with the first letter capitalized, and fails if the - username is not found on the UNIX machine. + + + This option helps Samba to try and 'guess' at + the real UNIX username, as many DOS clients send an all-uppercase + username. By default Samba tries all lowercase, followed by the + username with the first letter capitalized, and fails if the + username is not found on the UNIX machine. - If this parameter is set to non-zero the behavior changes. - This parameter is a number that specifies the number of uppercase - combinations to try while trying to determine the UNIX user name. The - higher the number the more combinations will be tried, but the slower - the discovery of usernames will be. Use this parameter when you have - strange usernames on your UNIX machine, such as AstrangeUser - . + If this parameter is set to non-zero the behavior changes. + This parameter is a number that specifies the number of uppercase + combinations to try while trying to determine the UNIX user name. The + higher the number the more combinations will be tried, but the slower + the discovery of usernames will be. Use this parameter when you have + strange usernames on your UNIX machine, such as AstrangeUser + . - Default: username level = 0 - Example: username level = 5 - - + Default: username level = 0 + + Example: username level = 5 + + diff --git a/docs/docbook/smbdotconf/security/usernamemap.xml b/docs/docbook/smbdotconf/security/usernamemap.xml index 37ee72c235..583a1a872e 100644 --- a/docs/docbook/smbdotconf/security/usernamemap.xml +++ b/docs/docbook/smbdotconf/security/usernamemap.xml @@ -1,90 +1,91 @@ - - username map (G) - This option allows you to specify a file containing - a mapping of usernames from the clients to the server. This can be - used for several purposes. The most common is to map usernames - that users use on DOS or Windows machines to those that the UNIX - box uses. The other is to map multiple users to a single username - so that they can more easily share files. - - The map file is parsed line by line. Each line should - contain a single UNIX username on the left then a '=' followed - by a list of usernames on the right. The list of usernames on the - right may contain names of the form @group in which case they - will match any UNIX username in that group. The special client - name '*' is a wildcard and matches any name. Each line of the - map file may be up to 1023 characters long. - - The file is processed on each line by taking the - supplied username and comparing it with each username on the right - hand side of the '=' signs. If the supplied name matches any of - the names on the right hand side then it is replaced with the name - on the left. Processing then continues with the next line. - - If any line begins with a '#' or a ';' then it is - ignored - - If any line begins with an '!' then the processing - will stop after that line if a mapping was done by the line. - Otherwise mapping continues with every line being processed. - Using '!' is most useful when you have a wildcard mapping line - later in the file. - - For example to map from the name admin - or administrator to the UNIX name - root you would use: - - root = admin administrator - - Or to map anyone in the UNIX group system - to the UNIX name sys you would use: - - sys = @system - - You can have as many mappings as you like in a username - map file. - - - If your system supports the NIS NETGROUP option then - the netgroup database is checked before the /etc/group - database for matching groups. - - You can map Windows usernames that have spaces in them - by using double quotes around the name. For example: - - tridge = "Andrew Tridgell" - - would map the windows username "Andrew Tridgell" to the - unix username "tridge". - - The following example would map mary and fred to the - unix user sys, and map the rest to guest. Note the use of the - '!' to tell Samba to stop processing if it gets a match on - that line. + + + This option allows you to specify a file containing + a mapping of usernames from the clients to the server. This can be + used for several purposes. The most common is to map usernames + that users use on DOS or Windows machines to those that the UNIX + box uses. The other is to map multiple users to a single username + so that they can more easily share files. + + The map file is parsed line by line. Each line should + contain a single UNIX username on the left then a '=' followed + by a list of usernames on the right. The list of usernames on the + right may contain names of the form @group in which case they + will match any UNIX username in that group. The special client + name '*' is a wildcard and matches any name. Each line of the + map file may be up to 1023 characters long. + + The file is processed on each line by taking the + supplied username and comparing it with each username on the right + hand side of the '=' signs. If the supplied name matches any of + the names on the right hand side then it is replaced with the name + on the left. Processing then continues with the next line. + + If any line begins with a '#' or a ';' then it is ignored + + If any line begins with an '!' then the processing + will stop after that line if a mapping was done by the line. + Otherwise mapping continues with every line being processed. + Using '!' is most useful when you have a wildcard mapping line + later in the file. + + For example to map from the name admin + or administrator to the UNIX name + root you would use: + + root = admin administrator + + Or to map anyone in the UNIX group system + to the UNIX name sys you would use: + + sys = @system + + You can have as many mappings as you like in a username map file. + + + If your system supports the NIS NETGROUP option then + the netgroup database is checked before the /etc/group + database for matching groups. + + You can map Windows usernames that have spaces in them + by using double quotes around the name. For example: + + tridge = "Andrew Tridgell" + + would map the windows username "Andrew Tridgell" to the + unix username "tridge". + + The following example would map mary and fred to the + unix user sys, and map the rest to guest. Note the use of the + '!' to tell Samba to stop processing if it gets a match on + that line. !sys = mary fred guest = * - Note that the remapping is applied to all occurrences - of usernames. Thus if you connect to \\server\fred and - fred is remapped to mary then you - will actually be connecting to \\server\mary and will need to - supply a password suitable for mary not - fred. The only exception to this is the - username passed to the - password server (if you have one). The password - server will receive whatever username the client supplies without - modification. - - Also note that no reverse mapping is done. The main effect - this has is with printing. Users who have been mapped may have - trouble deleting print jobs as PrintManager under WfWg will think - they don't own the print job. - - Default: no username map - Example: username map = /usr/local/samba/lib/users.map - - - + Note that the remapping is applied to all occurrences + of usernames. Thus if you connect to \\server\fred and + fred is remapped to mary then you + will actually be connecting to \\server\mary and will need to + supply a password suitable for mary not + fred. The only exception to this is the + username passed to the + password server (if you have one). The password + server will receive whatever username the client supplies without + modification. + + Also note that no reverse mapping is done. The main effect + this has is with printing. Users who have been mapped may have + trouble deleting print jobs as PrintManager under WfWg will think + they don't own the print job. + + Default: no username map + + Example: username map = /usr/local/samba/lib/users.map + + diff --git a/docs/docbook/smbdotconf/security/users.xml b/docs/docbook/smbdotconf/security/users.xml index e78d259f62..fdb19da243 100644 --- a/docs/docbook/smbdotconf/security/users.xml +++ b/docs/docbook/smbdotconf/security/users.xml @@ -1,6 +1,9 @@ - - users (S) - Synonym for - username. - - + + + Synonym for + username. + + diff --git a/docs/docbook/smbdotconf/security/validusers.xml b/docs/docbook/smbdotconf/security/validusers.xml index 5155a5ef34..268e913cb5 100644 --- a/docs/docbook/smbdotconf/security/validusers.xml +++ b/docs/docbook/smbdotconf/security/validusers.xml @@ -1,23 +1,25 @@ - - valid users (S) - This is a list of users that should be allowed - to login to this service. Names starting with '@', '+' and '&' - are interpreted using the same rules as described in the - invalid users parameter. + + + This is a list of users that should be allowed + to login to this service. Names starting with '@', '+' and '&' + are interpreted using the same rules as described in the + invalid users parameter. - If this is empty (the default) then any user can login. - If a username is in both this list and the invalid - users list then access is denied for that user. + If this is empty (the default) then any user can login. + If a username is in both this list and the invalid + users list then access is denied for that user. - The current servicename is substituted for %S - . This is useful in the [homes] section. + The current servicename is substituted for %S + . This is useful in the [homes] section. - See also invalid users - + See also invalid users + - Default: No valid users list (anyone can login) - + Default: No valid users list (anyone can login) + - Example: valid users = greg, @pcusers - - + Example: valid users = greg, @pcusers + + diff --git a/docs/docbook/smbdotconf/security/writable.xml b/docs/docbook/smbdotconf/security/writable.xml index 66ba44cc44..9b32db8ebc 100644 --- a/docs/docbook/smbdotconf/security/writable.xml +++ b/docs/docbook/smbdotconf/security/writable.xml @@ -1,6 +1,8 @@ - - writable (S) - Synonym for - writeable for people who can't spell :-). - - + + + Synonym for + writeable for people who can't spell :-). + + diff --git a/docs/docbook/smbdotconf/security/writeable.xml b/docs/docbook/smbdotconf/security/writeable.xml index b963410374..63e7734986 100644 --- a/docs/docbook/smbdotconf/security/writeable.xml +++ b/docs/docbook/smbdotconf/security/writeable.xml @@ -1,6 +1,8 @@ - - writeable (S) - Inverted synonym for - read only. - - + + + Inverted synonym for + read only. + + diff --git a/docs/docbook/smbdotconf/security/writelist.xml b/docs/docbook/smbdotconf/security/writelist.xml index 76ee56c93a..4a0e046127 100644 --- a/docs/docbook/smbdotconf/security/writelist.xml +++ b/docs/docbook/smbdotconf/security/writelist.xml @@ -1,21 +1,22 @@ - - write list (S) - This is a list of users that are given read-write - access to a service. If the connecting user is in this list then - they will be given write access, no matter what the read only - option is set to. The list can include group names using the - @group syntax. + + + This is a list of users that are given read-write + access to a service. If the connecting user is in this list then + they will be given write access, no matter what the + read only + option is set to. The list can include group names using the + @group syntax. - Note that if a user is in both the read list and the - write list then they will be given write access. + Note that if a user is in both the read list and the + write list then they will be given write access. - See also the read list - option. + See also the read list + option. - Default: write list = <empty string> - + Default: write list = <empty string> - Example: write list = admin, root, @staff - - - + Example: write list = admin, root, @staff + + diff --git a/docs/docbook/smbdotconf/security/writeok.xml b/docs/docbook/smbdotconf/security/writeok.xml index 103c2be993..da68489012 100644 --- a/docs/docbook/smbdotconf/security/writeok.xml +++ b/docs/docbook/smbdotconf/security/writeok.xml @@ -1,6 +1,8 @@ - - write ok (S) - Inverted synonym for - read only. - - + + + Inverted synonym for + read only. + + -- cgit