From f88faa0105fdf47eccfa3212870ac3066ff8113c Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Sat, 22 Oct 2005 00:04:38 +0000 Subject: Fixes and reformatting from Bug #3190, plus a clean-up. (This used to be commit 8250e36fe34394938df16533f77869b93d3be761) --- docs/smbdotconf/security/usekerberoskeytab.xml | 18 +-- docs/smbdotconf/security/usernamemap.xml | 166 ++++++++++++------------- 2 files changed, 92 insertions(+), 92 deletions(-) (limited to 'docs/smbdotconf/security') diff --git a/docs/smbdotconf/security/usekerberoskeytab.xml b/docs/smbdotconf/security/usekerberoskeytab.xml index 0fb9e0ff9e..ad6cc88278 100644 --- a/docs/smbdotconf/security/usekerberoskeytab.xml +++ b/docs/smbdotconf/security/usekerberoskeytab.xml @@ -3,18 +3,20 @@ type="boolean" xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> - -Specifies whether Samba should attempt to maintain service principals in the systems -keytab file for host/FQDN and cifs/FQDN. - - -When you are using the heimdal Kerberos libraries, you must also -specify the following in /etc/krb5.conf: + + Specifies whether Samba should attempt to maintain service principals in the systems + keytab file for host/FQDN and cifs/FQDN. + + + When you are using the heimdal Kerberos libraries, you must also specify the following in + /etc/krb5.conf: [libdefaults] - default_keytab_name = FILE:/etc/krb5.keytab +default_keytab_name = FILE:/etc/krb5.keytab + + False diff --git a/docs/smbdotconf/security/usernamemap.xml b/docs/smbdotconf/security/usernamemap.xml index c30e2327c5..59c0cdde7c 100644 --- a/docs/smbdotconf/security/usernamemap.xml +++ b/docs/smbdotconf/security/usernamemap.xml @@ -4,102 +4,102 @@ type="string" xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> - This option allows you to specify a file containing - a mapping of usernames from the clients to the server. This can be - used for several purposes. The most common is to map usernames - that users use on DOS or Windows machines to those that the UNIX - box uses. The other is to map multiple users to a single username - so that they can more easily share files. - - Please note that for user or share mode security, the - username map is applied prior to validating the user credentials. - Domain member servers (domain or ads) apply the username map - after the user has been successfully authenticated by the domain - controller and require fully qualified enties in the map table - (e.g. biddle = DOMAIN\foo). - - The map file is parsed line by line. Each line should - contain a single UNIX username on the left then a '=' followed - by a list of usernames on the right. The list of usernames on the - right may contain names of the form @group in which case they - will match any UNIX username in that group. The special client - name '*' is a wildcard and matches any name. Each line of the - map file may be up to 1023 characters long. - - The file is processed on each line by taking the - supplied username and comparing it with each username on the right - hand side of the '=' signs. If the supplied name matches any of - the names on the right hand side then it is replaced with the name - on the left. Processing then continues with the next line. - - If any line begins with a '#' or a ';' then it is ignored - - If any line begins with an '!' then the processing - will stop after that line if a mapping was done by the line. - Otherwise mapping continues with every line being processed. - Using '!' is most useful when you have a wildcard mapping line - later in the file. - - For example to map from the name admin - or administrator to the UNIX name - root you would use: - - root = admin administrator + + This option allows you to specify a file containing a mapping of usernames from the clients to the server. + This can be used for several purposes. The most common is to map usernames that users use on DOS or Windows + machines to those that the UNIX box uses. The other is to map multiple users to a single username so that they + can more easily share files. + - Or to map anyone in the UNIX group system - to the UNIX name sys you would use: + + Please note that for user or share mode security, the username map is applied prior to validating the user + credentials. Domain member servers (domain or ads) apply the username map after the user has been + successfully authenticated by the domain controller and require fully qualified enties in the map table (e.g. + biddle = DOMAIN\foo). + + + + The map file is parsed line by line. Each line should contain a single UNIX username on the left then a '=' + followed by a list of usernames on the right. The list of usernames on the right may contain names of the form + @group in which case they will match any UNIX username in that group. The special client name '*' is a + wildcard and matches any name. Each line of the map file may be up to 1023 characters long. + - sys = @system + + The file is processed on each line by taking the supplied username and comparing it with each username on the + right hand side of the '=' signs. If the supplied name matches any of the names on the right hand side then it + is replaced with the name on the left. Processing then continues with the next line. + - You can have as many mappings as you like in a username map file. + + If any line begins with a '#' or a ';' then it is ignored. + + + If any line begins with an '!' then the processing will stop after that line if a mapping was done by the + line. Otherwise mapping continues with every line being processed. Using '!' is most useful when you have a + wildcard mapping line later in the file. + - If your system supports the NIS NETGROUP option then - the netgroup database is checked before the /etc/group - database for matching groups. + + For example to map from the name admin or administrator to the UNIX + name root you would use: + +root = admin administrator + + Or to map anyone in the UNIX group system to the UNIX name sys you would use: + +sys = @system + + - You can map Windows usernames that have spaces in them - by using double quotes around the name. For example: + + You can have as many mappings as you like in a username map file. + - tridge = "Andrew Tridgell" - would map the windows username "Andrew Tridgell" to the - unix username "tridge". + + If your system supports the NIS NETGROUP option then the netgroup database is checked before the /etc/group database for matching groups. + - The following example would map mary and fred to the - unix user sys, and map the rest to guest. Note the use of the - '!' to tell Samba to stop processing if it gets a match on - that line. + + You can map Windows usernames that have spaces in them by using double quotes around the name. For example: + +tridge = "Andrew Tridgell" + + would map the windows username "Andrew Tridgell" to the unix username "tridge". + - + + The following example would map mary and fred to the unix user sys, and map the rest to guest. Note the use of the + '!' to tell Samba to stop processing if it gets a match on that line: + !sys = mary fred guest = * - + + - Note that the remapping is applied to all occurrences - of usernames. Thus if you connect to \\server\fred and - fred is remapped to mary then you - will actually be connecting to \\server\mary and will need to - supply a password suitable for mary not - fred. The only exception to this is the - username passed to the - (if you have one). The password server will receive whatever - username the client supplies without modification. + Note that the remapping is applied to all occurrences of usernames. Thus if you connect to \\server\fred and + fred is remapped to mary then you will actually be connecting to + \\server\mary and will need to supply a password suitable for mary not + fred. The only exception to this is the username passed to the (if you have one). The password server will receive whatever username the client + supplies without modification. - Also note that no reverse mapping is done. The main effect - this has is with printing. Users who have been mapped may have - trouble deleting print jobs as PrintManager under WfWg will think - they don't own the print job. + + Also note that no reverse mapping is done. The main effect this has is with printing. Users who have been + mapped may have trouble deleting print jobs as PrintManager under WfWg will think they don't own the print + job. + - Samba versions prior to 3.0.8 would only support reading the fully qualified - username (e.g.: DOMAIN\user) from the username map when performing a - kerberos login from a client. However, when looking up a map - entry for a user authenticated by NTLM[SSP], only the login name would be - used for matches. This resulted in inconsistent behavior sometimes - even on the same server. + Samba versions prior to 3.0.8 would only support reading the fully qualified username (e.g.: DOMAIN\user) from + the username map when performing a kerberos login from a client. However, when looking up a map entry for a + user authenticated by NTLM[SSP], only the login name would be used for matches. This resulted in inconsistent + behavior sometimes even on the same server. @@ -107,16 +107,13 @@ guest = * - When performing local authentication, the username map is - applied to the login name before attempting to authenticate + When performing local authentication, the username map is applied to the login name before attempting to authenticate the connection. - When relying upon a external domain controller for validating - authentication requests, smbd will apply the username map - to the fully qualified username (i.e. DOMAIN\user) only - after the user has been successfully authenticated. + When relying upon a external domain controller for validating authentication requests, smbd will apply the username map + to the fully qualified username (i.e. DOMAIN\user) only after the user has been successfully authenticated. @@ -125,6 +122,7 @@ guest = * username map = /usr/local/samba/lib/users.map + no username map -- cgit