From 3941058359150a7c2d2084d459620364f1bfacc0 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Thu, 15 Aug 2002 13:56:33 +0000 Subject: large set of updates converting some of the textdocs to SGML/DocBook. I think these were originally from Jelmer, but I've lost the original message. Also had some syntax errors in the manpages (does no one regenerate after making changes to the SGML source?) Still have some developer specific docs to add from Jelmer in the next go around.... (This used to be commit 5f673b788314325699a64377d514dda435e6c478) --- docs/htmldocs/smb.conf.5.html | 1227 +++++------------------------------------ 1 file changed, 149 insertions(+), 1078 deletions(-) (limited to 'docs/htmldocs/smb.conf.5.html') diff --git a/docs/htmldocs/smb.conf.5.html b/docs/htmldocs/smb.conf.5.html index d329c25d65..6f0e88c4d3 100644 --- a/docs/htmldocs/smb.conf.5.html +++ b/docs/htmldocs/smb.conf.5.html @@ -1465,11 +1465,11 @@ CLASS="PARAMETER" >
  • ldap portldap ssl

  • ldap serverldap suffix

  • ldap sslldap suffix

  • ssl

  • ssl CA certDir

  • ssl CA certFile

  • ssl ciphers

  • ssl client cert

  • ssl client key

  • ssl compatibility

  • ssl egd socket

  • ssl entropy bytes

  • ssl entropy file

  • ssl hosts

  • ssl hosts resign

  • ssl require clientcert

  • ssl require servercert

  • ssl server cert

  • ssl server key

  • ssl versionuse spnego

    COMPLETE LIST OF SERVICE PARAMETERS

    EXPLANATION OF EACH PARAMETER

    add group script (G)

    This is the full pathname to a script that will + be run AS ROOT by smbd(8) when a new group is requested. It will expand any %g to the group name passed. This script is only useful for installations using the Windows NT domain administration tools. +

    admin users (S)

    This is the full pathname to a script that will - be run AS ROOT by smbd(8) under special circumstances - described below.

    + when managing user's with remote RPC (NT) tools. +

    Normally, a Samba server requires that UNIX users are - created for all users accessing files on this server. For sites - that use Windows NT account databases as their primary user database - creating these users and keeping the user list in sync with the - Windows NT PDC is an onerous task. This option allows This script is called when a remote client removes a user + from the server, normally using 'User Manager for Domains' or + smbd to delete the required UNIX users ON - DEMAND when a user accesses the Samba server and the - Windows NT user no longer exists.

    rpcclient. +

    This script should delete the given UNIX username. +

    In order to use this option, Default: smbd must be - set to security = domain or security = - user and delete user script - must be set to a full pathname for a script - that will delete a UNIX user given one argument of %u, - which expands into the UNIX user name to delete.

    delete user script = <empty string> +

    When the Windows user attempts to access the Samba server, - at login (session setup in the SMB protocol) - time, Example: smbd contacts the password serverdelete user script = /usr/local/samba/bin/del_user + %u

    and attempts to authenticate - the given user with the given password. If the authentication fails - with the specific Domain error code meaning that the user no longer - exists then smbd attempts to find a UNIX user in - the UNIX password database that matches the Windows user account. If - this lookup succeeds, and delete veto files (S)

    This option is used when Samba is attempting to + delete a directory that contains one or more vetoed directories + (see the delete user script is - set then smbd will all the specified script - AS ROOT, expanding any %u - argument to be the user name to delete.

    This script should delete the given UNIX username. In this way, - UNIX users are dynamically deleted to match existing Windows NT - accounts.

    See also security = domain, - password server - , add user script - .

    Default: delete user script = <empty string> -

    Example: delete user script = /usr/local/samba/bin/del_user - %u

    delete veto files (S)

    This option is used when Samba is attempting to - delete a directory that contains one or more vetoed directories - (see the veto filesveto files @@ -9435,26 +9161,14 @@ NAME="LDAPADMINDN" >ldap admin dn (G)

    This parameter is only available if Samba has been - configure to include the --with-ldapsam option - at compile time. This option should be considered experimental and - under active development. -

    The The ldap admin dn defines the Distinguished - Name (DN) name used by Samba to contact the ldap - server when retreiving user account information. The ldap @@ -9487,16 +9201,7 @@ NAME="LDAPFILTER" >ldap filter (G)

    This parameter is only available if Samba has been - configure to include the --with-ldapsam option - at compile time. This option should be considered experimental and - under active development. -

    This parameter specifies the RFC 2254 compliant LDAP search filter. +>This parameter specifies the RFC 2254 compliant LDAP search filter. The default is to match the login name with the uid

    ldap port (G)

    This parameter is only available if Samba has been - configure to include the --with-ldapsam option - at compile time. This option should be considered experimental and - under active development. -

    This option is used to control the tcp port number used to contact - the ldap server. - The default is to use the stand LDAPS port 636. -

    See Also: ldap ssl -

    Default : ldap port = 636

    ldap server (G)

    This parameter is only available if Samba has been - configure to include the --with-ldapsam option - at compile time. This option should be considered experimental and - under active development. -

    This parameter should contains the FQDN of the ldap directory - server which should be queried to locate user account information. -

    Default : ldap server = localhost

    ldap ssl (G)

    This parameter is only available if Samba has been - configure to include the --with-ldapsam option - at compile time. This option should be considered experimental and - under active development. -

    This option is used to define whether or not Samba should - use SSL when connecting to the ldap - server. This is This option is used to define whether or not Samba should + use SSL when connecting to the ldap server + This is NOT related to - Samba SSL support which is enabled by specifying the + Samba's previous SSL support which was enabled by specifying the --with-sslconfigure - script (see ssl). + script.

    The ldap suffix (G)

    This parameter is only available if Samba has been - configure to include the --with-ldapsam option - at compile time. This option should be considered experimental and - under active development. +>Default : none

    ldap user suffix (G)

    It specifies where users are added to the tree. +

    Default : none

    ldap machine suffix (G)

    It specifies where machines should be + added to the ldap tree.

    Default : log level (G)

    The value of the parameter (an integer) allows +>The value of the parameter (a astring) allows the debug level (logging level) to be specified in the smb.conf file. This is to give greater +> file. This parameter has been + extended since 2.2.x series, now it allow to specify the debug + level for multiple debug classes. This is to give greater flexibility in the configuration of the system.

    The default will be the log level specified on @@ -10148,7 +9785,8 @@ CLASS="FILENAME" >

    Example: log level = 3log level = 3 passdb:5 auth:10 winbind:2 +

    Any characters after the (optional) second : are passed to the plugin for its own processing

  • unixsam - Allows samba to map all (other) available unix users

    This backend uses the standard unix database for retrieving users. Users included + in this pdb are NOT listed in samba user listings and users included in this pdb won't be + able to login. The use of this backend is to always be able to display the owner of a file + on the samba server - even when the user doesn't have a 'real' samba account in one of the + other passdb backends. +

    This backend should always be the last backend listed, since it contains all users in + the unix passdb and might 'override' mappings if specified earlier. It's meant to only return + accounts for users that aren't covered by the previous backends.

  • Default: passdb backend = smbpasswdpassdb backend = smbpasswd unixsam

    Example: passdb backend = tdbsam:/etc/samba/private/passdb.tdb smbpasswd:/etc/samba/smbpasswdpassdb backend = tdbsam:/etc/samba/private/passdb.tdb smbpasswd:/etc/samba/smbpasswd unixsam

    Example: passdb backend = ldapsam_nua:ldaps://ldap.example.compassdb backend = ldapsam_nua:ldaps://ldap.example.com unixsam

    Example:

    ssl (G)

    This variable is part of SSL-enabled Samba. This - is only available if the SSL libraries have been compiled on your - system and the configure option --with-ssl was - given at configure time.

    This variable enables or disables the entire SSL mode. If - it is set to no, the SSL-enabled Samba behaves - exactly like the non-SSL Samba. If set to yes, - it depends on the variables ssl hosts and ssl hosts resign whether an SSL - connection will be required.

    Default: ssl = no

    ssl CA certDir (G)

    This variable is part of SSL-enabled Samba. This - is only available if the SSL libraries have been compiled on your - system and the configure option --with-ssl was - given at configure time.

    This variable defines where to look up the Certification - Authorities. The given directory should contain one file for - each CA that Samba will trust. The file name must be the hash - value over the "Distinguished Name" of the CA. How this directory - is set up is explained later in this document. All files within the - directory that don't fit into this naming scheme are ignored. You - don't need this variable if you don't verify client certificates.

    Default: ssl CA certDir = /usr/local/ssl/certs -

    ssl CA certFile (G)

    This variable is part of SSL-enabled Samba. This - is only available if the SSL libraries have been compiled on your - system and the configure option --with-ssl was - given at configure time.

    This variable is a second way to define the trusted CAs. - The certificates of the trusted CAs are collected in one big - file and this variable points to the file. You will probably - only use one of the two ways to define your CAs. The first choice is - preferable if you have many CAs or want to be flexible, the second - is preferable if you only have one CA and want to keep things - simple (you won't need to create the hashed file names). You - don't need this variable if you don't verify client certificates.

    Default: ssl CA certFile = /usr/local/ssl/certs/trustedCAs.pem -

    ssl ciphers (G)

    This variable is part of SSL-enabled Samba. This - is only available if the SSL libraries have been compiled on your - system and the configure option --with-ssl was - given at configure time.

    This variable defines the ciphers that should be offered - during SSL negotiation. You should not set this variable unless - you know what you are doing.

    ssl client cert (G)

    This variable is part of SSL-enabled Samba. This - is only available if the SSL libraries have been compiled on your - system and the configure option --with-ssl was - given at configure time.

    The certificate in this file is used by smbclient(1) if it exists. It's needed - if the server requires a client certificate.

    Default: ssl client cert = /usr/local/ssl/certs/smbclient.pem -

    ssl client key (G)

    This variable is part of SSL-enabled Samba. This - is only available if the SSL libraries have been compiled on your - system and the configure option --with-ssl was - given at configure time.

    This is the private key for smbclient(1). It's only needed if the - client should have a certificate.

    Default: ssl client key = /usr/local/ssl/private/smbclient.pem -

    ssl compatibility (G)

    This variable is part of SSL-enabled Samba. This - is only available if the SSL libraries have been compiled on your - system and the configure option --with-ssl was - given at configure time.

    This variable defines whether OpenSSL should be configured - for bug compatibility with other SSL implementations. This is - probably not desirable because currently no clients with SSL - implementations other than OpenSSL exist.

    Default: ssl compatibility = no

    ssl egd socket (G)

    This variable is part of SSL-enabled Samba. This - is only available if the SSL libraries have been compiled on your - system and the configure option --with-ssl was - given at configure time.

    This option is used to define the location of the communiation socket of - an EGD or PRNGD daemon, from which entropy can be retrieved. This option - can be used instead of or together with the ssl entropy file - directive. 255 bytes of entropy will be retrieved from the daemon. -

    Default: none

    ssl entropy bytes (G)

    This variable is part of SSL-enabled Samba. This - is only available if the SSL libraries have been compiled on your - system and the configure option --with-ssl was - given at configure time.

    This parameter is used to define the number of bytes which should - be read from the ssl entropy - file If a -1 is specified, the entire file will - be read. -

    Default: ssl entropy bytes = 255

    ssl entropy file (G)
    use spnego (G)

    This variable is part of SSL-enabled Samba. This - is only available if the SSL libraries have been compiled on your - system and the configure option --with-ssl was - given at configure time.

    This parameter is used to specify a file from which processes will - read "random bytes" on startup. In order to seed the internal pseudo - random number generator, entropy must be provided. On system with a - /dev/urandom device file, the processes - will retrieve its entropy from the kernel. On systems without kernel - entropy support, a file can be supplied that will be read on startup - and that will be used to seed the PRNG. -

    This variable controls controls whether samba will try to use Simple and Protected NEGOciation (as specified by rfc2478) with WindowsXP and Windows2000sp2 clients to agree upon an authentication mechanism. As of samba 3.0alpha it must be set to "no" for these clients to join a samba domain controller. It can be set to "yes" to allow samba to participate in an AD domain controlled by a Windows2000 domain controller.

    Default: none

    ssl hosts (G)

    See ssl hosts resign.

    ssl hosts resign (G)

    This variable is part of SSL-enabled Samba. This - is only available if the SSL libraries have been compiled on your - system and the configure option --with-ssl was - given at configure time.

    These two variables define whether Samba will go - into SSL mode or not. If none of them is defined, Samba will - allow only SSL connections. If the ssl hosts variable lists - hosts (by IP-address, IP-address range, net group or name), - only these hosts will be forced into SSL mode. If the ssl hosts resign variable lists hosts, only these - hosts will NOT be forced into SSL mode. The syntax for these two - variables is the same as for the hosts allow and hosts deny pair of variables, only - that the subject of the decision is different: It's not the access - right but whether SSL is used or not.

    The example below requires SSL connections from all hosts - outside the local net (which is 192.168.*.*).

    Default: ssl hosts = <empty string>

    ssl hosts resign = <empty string>

    Example: ssl hosts resign = 192.168.

    ssl require clientcert (G)

    This variable is part of SSL-enabled Samba. This - is only available if the SSL libraries have been compiled on your - system and the configure option --with-ssl was - given at configure time.

    If this variable is set to yes, the - server will not tolerate connections from clients that don't - have a valid certificate. The directory/file given in ssl CA certDir - and ssl CA certFile - will be used to look up the CAs that issued - the client's certificate. If the certificate can't be verified - positively, the connection will be terminated. If this variable - is set to no, clients don't need certificates. - Contrary to web applications you really should - require client certificates. In the web environment the client's - data is sensitive (credit card numbers) and the server must prove - to be trustworthy. In a file server environment the server's data - will be sensitive and the clients must prove to be trustworthy.

    Default: ssl require clientcert = no

    ssl require servercert (G)

    This variable is part of SSL-enabled Samba. This - is only available if the SSL libraries have been compiled on your - system and the configure option --with-ssl was - given at configure time.

    If this variable is set to yes, the - smbclient(1) - will request a certificate from the server. Same as - ssl require - clientcert for the server.

    Default: ssl require servercert = no -

    ssl server cert (G)

    This variable is part of SSL-enabled Samba. This - is only available if the SSL libraries have been compiled on your - system and the configure option --with-ssl was - given at configure time.

    This is the file containing the server's certificate. - The server must have a certificate. The - file may also contain the server's private key. See later for - how certificates and private keys are created.

    Default: ssl server cert = <empty string> -

    ssl server key (G)

    This variable is part of SSL-enabled Samba. This - is only available if the SSL libraries have been compiled on your - system and the configure option --with-ssl was - given at configure time.

    This file contains the private key of the server. If - this variable is not defined, the key is looked up in the - certificate file (it may be appended to the certificate). - The server must have a private key - and the certificate must - match this private key.

    Default: ssl server key = <empty string> -

    ssl version (G)

    This variable is part of SSL-enabled Samba. This - is only available if the SSL libraries have been compiled on your - system and the configure option --with-ssl was - given at configure time.

    This enumeration variable defines the versions of the - SSL protocol that will be used. ssl2or3 allows - dynamic negotiation of SSL v2 or v3, ssl2 results - in SSL v2, ssl3 results in SSL v3 and - tls1 results in TLS v1. TLS (Transport Layer - Security) is the new standard for SSL.

    Default: ssl version = "ssl2or3"Default: use spnego = yes

    This boolean parameter controls whether Samba - implments the CIFS UNIX extensions, as defined by HP. These - extensions enable CIFS to server UNIX clients to UNIX servers - better, and allow such things as symbolic links, hard links etc. + implments the CIFS UNIX extensions, as defined by HP. + These extensions enable Samba to better serve UNIX CIFS clients + by supporting features such as symbolic links, hard links, etc... These extensions require a similarly enabled client, and are of no current use to Windows clients.

    Due to the requirements of the utmp record, we + are required to create a unique identifier for the + incoming user. Enabling this option creates an n^2 + algorithm to find this number. This may impede + performance on large installations.

    See also the

    WARNINGS

    VERSION

    SEE ALSO

    AUTHOR