From 1d4b2ff4b5766cf36965188f982a36483395f864 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sat, 1 Feb 2003 04:34:40 +0000 Subject: Minor doco updates - with a slightly bigger change to the 'security=server/domain' text, to try and explain the difference better, and why you should always use the latter. Also update the BDC-HOWTO to have some relation to current reality. Andrew Bartlett (This used to be commit 7fd0c9bd74a8513a0cbf67bb516c6c2642380c7f) --- docs/docbook/manpages/smb.conf.5.sgml | 103 ++++++++++++++++++------------ docs/docbook/projdoc/Samba-BDC-HOWTO.sgml | 21 +++++- 2 files changed, 80 insertions(+), 44 deletions(-) (limited to 'docs') diff --git a/docs/docbook/manpages/smb.conf.5.sgml b/docs/docbook/manpages/smb.conf.5.sgml index 9a2ea4fbde..713d4a012e 100644 --- a/docs/docbook/manpages/smb.conf.5.sgml +++ b/docs/docbook/manpages/smb.conf.5.sgml @@ -2879,6 +2879,10 @@ df $1 | tail -1 | awk '{print $2" "$4}' Privileges will be those of the guest account. + This paramater nullifies the benifits of setting + restrict + anonymous = 2 + See the section below on security for more information about this option. @@ -5392,9 +5396,13 @@ df $1 | tail -1 | awk '{print $2" "$4}' Some version of NT 4.x allow non-guest users with a bad passowrd. When this option is enabled, samba will not use a broken NT 4.x server as password server, but instead complain - to the logs and exit. + to the logs and exit. + Disabling this option prevents Samba from making + this check, which involves deliberatly attempting a + bad logon to the remote server. + Default: paranoid server security = yes @@ -6851,7 +6859,7 @@ print5|My Printer 5 SECURITY = USER - This is the default security setting in Samba 2.2. + This is the default security setting in Samba 3.0. With user-level security a client must first "log-on" with a valid username and password (which can be mapped using the username map 
@@ -6875,24 +6883,27 @@ print5|My Printer 5 See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION. - SECURITY = SERVER + SECURITY = DOMAIN + - In this mode Samba will try to validate the username/password - by passing it to another SMB server, such as an NT box. If this - fails it will revert to security = user, but note - that if encrypted passwords have been negotiated then Samba cannot - revert back to checking the UNIX password file, it must have a valid - smbpasswd file to check users against. See the - documentation file in the docs/ directory - ENCRYPTION.txt for details on how to set this - up. + This mode will only work correctly if net + 8 has been used to add this + machine into a Windows NT Domain. It expects the encrypted passwords + parameter to be set to yes. In this + mode Samba will try to validate the username/password by passing + it to a Windows NT Primary or Backup Domain Controller, in exactly + the same way that a Windows NT Server would do. - Note that from the client's point of - view security = server is the same as - security = user. It only affects how the server deals - with the authentication, it does not in any way affect what the - client sees. + Note that a valid UNIX user must still + exist as well as the account on the Domain Controller to allow + Samba to have a valid UNIX account to map file access to. + + Note that from the client's point + of view security = domain is the same as security = user + . It only affects how the server deals with the authentication, + it does not in any way affect what the client sees. Note that the name of the resource being requested is not sent to the server until after 
@@ -6910,27 +6921,42 @@ print5|My Printer 5 server parameter and the encrypted passwords parameter. - - SECURITY = DOMAIN + + SECURITY = SERVER - This mode will only work correctly if smbpasswd - 8 has been used to add this - machine into a Windows NT Domain. It expects the In this mode Samba will try to validate the username/password + by passing it to another SMB server, such as an NT box. If this + fails it will revert to security = + user. It expects the encrypted passwords - parameter to be set to yes. In this - mode Samba will try to validate the username/password by passing - it to a Windows NT Primary or Backup Domain Controller, in exactly - the same way that a Windows NT Server would do. + parameter to be set to + yes, unless the remote server + does not support them. However note + that if encrypted passwords have been negotiated then Samba cannot + revert back to checking the UNIX password file, it must have a valid + smbpasswd file to check users against. See the + documentation file in the docs/ directory + ENCRYPTION.txt for details on how to set this + up. - Note that a valid UNIX user must still - exist as well as the account on the Domain Controller to allow - Samba to have a valid UNIX account to map file access to. + Note this mode of operation + has significant pitfalls, due to the fact that is + activly initiates a man-in-the-middle attack on the + remote SMB server. In particular, this mode of + operation can cause significant resource consuption on + the PDC, as it must maintain an active connection for + the duration of the user's session. Furthermore, if + this connection is lost, there is no way to + reestablish it, and futher authenticaions to the Samba + server may fail. (From a single client, till it + disconnects). - Note that from the client's point - of view security = domain is the same as security = user - . It only affects how the server deals with the authentication, - it does not in any way affect what the client sees. 
+ Note that from the client's point of + view security = server is the same as + security = user. It only affects how the server deals + with the authentication, it does not in any way affect what the + client sees. Note that the name of the resource being requested is not sent to the server until after @@ -6941,14 +6967,6 @@ print5|My Printer 5 See the map to guest parameter for details on doing this. - BUG: There is currently a bug in the - implementation of security = domain with respect - to multi-byte character set usernames. The communication with a - Domain Controller must be done in UNICODE and Samba currently - does not widen multi-byte user names to UNICODE correctly, thus - a multi-byte username will not be recognized correctly at the - Domain Controller. This issue will be addressed in a future release. - See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION. @@ -6956,9 +6974,10 @@ print5|My Printer 5 server parameter and the encrypted passwords parameter. - + Default: security = USER Example: security = DOMAIN + diff --git a/docs/docbook/projdoc/Samba-BDC-HOWTO.sgml b/docs/docbook/projdoc/Samba-BDC-HOWTO.sgml index 7653e3d1c0..e3bee32db0 100644 --- a/docs/docbook/projdoc/Samba-BDC-HOWTO.sgml +++ b/docs/docbook/projdoc/Samba-BDC-HOWTO.sgml @@ -128,7 +128,7 @@ the password change is done. -Can Samba be a Backup Domain Controller? +Can Samba be a Backup Domain Controller to an NT PDC? With version 2.2, no. The native NT SAM replication protocols have @@ -137,6 +137,12 @@ understanding and implementing the protocols, but this work has not been finished for version 2.2. + +With version 3.0, the work on both the replication protocols and a +suitable storage mechanism has progressed, and some form of NT4 BDC +support is expected soon. + + Can I get the benefits of a BDC with Samba? Yes. The main reason for implementing a BDC is availability. If the PDC is a Samba machine, 
@@ -178,7 +184,8 @@ whenever changes are made, or the PDC is set up as a NIS master server and the BDC as a NIS slave server. To set up the BDC as a mere NIS client would not be enough, as the BDC would not be able to access its user database in case of a PDC failure. - + + The Samba password database in the file private/smbpasswd has to be @@ -236,5 +243,15 @@ password. + +Can I do this all with LDAP? +The simple answer is YES. Samba's pdb_ldap code supports +binding to a replica LDAP server, and will also follow referrals and +rebind to the master if it ever needs to make a modification to the +database. (Normally BDCs are read only, so this will not occur +often). + + + -- cgit
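Review bot: in the guest-account hunk of smb.conf.5.sgml (around line 2879) the added sentence misspells "parameter" and "benefits" ("paramater", "benifits") and stops short of saying why the benefit is lost. Suggest: "This parameter nullifies the benefits of setting restrict anonymous = 2, since a client mapped to guest gets in with the guest account's privileges without presenting valid credentials."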
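Review bot: the paranoid server security hunk (around line 5392) still carries "passowrd" and introduces "deliberatly"; spell them "password" and "deliberately". Since the surrounding text explains that some NT 4.x servers accept a bad password, it would also help to say plainly that the default of yes should be left in place and that disabling the check only makes sense when the remote server is already known to be sound.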
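Review bot: in the SECURITY = DOMAIN hunk (around line 6883) the join instruction now points at net(8) instead of smbpasswd(8), but it does not name the subcommand that adds the machine to the domain; a reader who followed the earlier smbpasswd-based instructions will not know which net invocation to run. Suggest naming the join subcommand in the same sentence.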
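Review bot: the new "pitfalls" paragraph in the SECURITY = SERVER hunk (around line 6921) has several spelling errors: "is activly" should read "it actively", "consuption" should be "consumption", and "futher authenticaions" should be "further authentications". The closing fragment "(From a single client, till it disconnects)." should be folded into the preceding sentence, e.g. "and further authentications from that client to the Samba server may fail until it disconnects." The phrase "initiates a man-in-the-middle attack on the remote SMB server" would also read more precisely as "places Samba in the position of a man in the middle, relaying the client's credentials to the remote server", which is what the first paragraph of the section already describes.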
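Review bot: the hunk around line 6967 deletes the BUG paragraph about multi-byte usernames under security = domain, but the commit message only mentions the server/domain explanation and the BDC HOWTO. If the UNICODE widening problem has been fixed, say so in the commit message; if it has not, the paragraph should stay, because removing a known-limitation note without a fix misleads readers.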
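Review bot: in the Samba-BDC-HOWTO hunk around line 137 the new paragraph says NT4 BDC support "is expected soon", which will be wrong the moment the document outlives the release cycle. Suggest a statement that does not depend on the reading date, e.g. that the work is in progress for the 3.0 series and readers should check the release notes for the current status.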
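Review bot: the new "Can I do this all with LDAP?" section (hunk around line 243) says pdb_ldap follows referrals and rebinds to the master for modifications, but it does not say what happens when the master is unreachable, which is exactly the PDC-failure case the earlier text gives as the reason for having a BDC. Suggest adding one sentence on how a write (for example a password change attempted through the BDC) behaves while the master is down.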