From eed5094264945ca8ccf47030375cc56808ae8ea3 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 17 May 2002 12:42:39 +0000 Subject: This removes --with-ssl from Samba. This option was badly maintained, useless and confused our users and distributors. (it's SSL, therefore it must be good...) No windows client uses this protocol without help from an SSL tunnel. I can't see any reason why setting up a unix-side SSL wrapper would be any more difficult than the > 10 config options this mess added to samba in any case. On the Samba client end, I think the LIBSMB_PROG hack should be sufficient to start stunnel on the unix side. We might extend this to take %i and %p (IP and port) if there is demand. Andrew Bartlett (This used to be commit b04561d3fd3ee732877790fb4193b20ad72a75f8) --- docs/docbook/manpages/smb.conf.5.sgml | 363 +--------------------------------- 1 file changed, 2 insertions(+), 361 deletions(-) (limited to 'docs') diff --git a/docs/docbook/manpages/smb.conf.5.sgml b/docs/docbook/manpages/smb.conf.5.sgml index ba4495e34f..a9963b72ce 100644 --- a/docs/docbook/manpages/smb.conf.5.sgml +++ b/docs/docbook/manpages/smb.conf.5.sgml @@ -729,24 +729,6 @@ socket options source environment - ssl - ssl CA certDir - ssl CA certFile - ssl ciphers - ssl client cert - ssl client key - ssl compatibility - ssl egd socket - ssl entropy bytes - ssl entropy file - ssl hosts - ssl hosts resign - ssl require clientcert - ssl require servercert - ssl server cert - ssl server key - ssl version - stat cache stat cache size strip dot @@ -3387,9 +3369,9 @@ This option is used to define whether or not Samba should use SSL when connecting to the ldap server. This is NOT related to - Samba SSL support which is enabled by specifying the + Samba's previous SSL support which was enabled by specifying the --with-ssl option to the configure - script (see ssl). + script. 
@@ -7030,347 +7012,6 @@ - - ssl (G) - This variable is part of SSL-enabled Samba. This - is only available if the SSL libraries have been compiled on your - system and the configure option --with-ssl was - given at configure time. - - This variable enables or disables the entire SSL mode. If - it is set to no, the SSL-enabled Samba behaves - exactly like the non-SSL Samba. If set to yes, - it depends on the variables - ssl hosts and - ssl hosts resign whether an SSL - connection will be required. - - Default: ssl = no - - - - - - - ssl CA certDir (G) - This variable is part of SSL-enabled Samba. This - is only available if the SSL libraries have been compiled on your - system and the configure option --with-ssl was - given at configure time. - - This variable defines where to look up the Certification - Authorities. The given directory should contain one file for - each CA that Samba will trust. The file name must be the hash - value over the "Distinguished Name" of the CA. How this directory - is set up is explained later in this document. All files within the - directory that don't fit into this naming scheme are ignored. You - don't need this variable if you don't verify client certificates. - - Default: ssl CA certDir = /usr/local/ssl/certs - - - - - - - - ssl CA certFile (G) - This variable is part of SSL-enabled Samba. This - is only available if the SSL libraries have been compiled on your - system and the configure option --with-ssl was - given at configure time. - - This variable is a second way to define the trusted CAs. - The certificates of the trusted CAs are collected in one big - file and this variable points to the file. You will probably - only use one of the two ways to define your CAs. The first choice is - preferable if you have many CAs or want to be flexible, the second - is preferable if you only have one CA and want to keep things - simple (you won't need to create the hashed file names). 
You - don't need this variable if you don't verify client certificates. - - Default: ssl CA certFile = /usr/local/ssl/certs/trustedCAs.pem - - - - - - - - ssl ciphers (G) - This variable is part of SSL-enabled Samba. This - is only available if the SSL libraries have been compiled on your - system and the configure option --with-ssl was - given at configure time. - - This variable defines the ciphers that should be offered - during SSL negotiation. You should not set this variable unless - you know what you are doing. - - - - - - ssl client cert (G) - This variable is part of SSL-enabled Samba. This - is only available if the SSL libraries have been compiled on your - system and the configure option --with-ssl was - given at configure time. - - The certificate in this file is used by - smbclient(1) if it exists. It's needed - if the server requires a client certificate. - - Default: ssl client cert = /usr/local/ssl/certs/smbclient.pem - - - - - - - - ssl client key (G) - This variable is part of SSL-enabled Samba. This - is only available if the SSL libraries have been compiled on your - system and the configure option --with-ssl was - given at configure time. - - This is the private key for - smbclient(1). It's only needed if the - client should have a certificate. - - Default: ssl client key = /usr/local/ssl/private/smbclient.pem - - - - - - - - ssl compatibility (G) - This variable is part of SSL-enabled Samba. This - is only available if the SSL libraries have been compiled on your - system and the configure option --with-ssl was - given at configure time. - - This variable defines whether OpenSSL should be configured - for bug compatibility with other SSL implementations. This is - probably not desirable because currently no clients with SSL - implementations other than OpenSSL exist. - - Default: ssl compatibility = no - - - - - - ssl egd socket (G) - This variable is part of SSL-enabled Samba. 
This - is only available if the SSL libraries have been compiled on your - system and the configure option --with-ssl was - given at configure time. - - - This option is used to define the location of the communiation socket of - an EGD or PRNGD daemon, from which entropy can be retrieved. This option - can be used instead of or together with the ssl entropy file - directive. 255 bytes of entropy will be retrieved from the daemon. - - - Default: none - - - - - - ssl entropy bytes (G) - This variable is part of SSL-enabled Samba. This - is only available if the SSL libraries have been compiled on your - system and the configure option --with-ssl was - given at configure time. - - - This parameter is used to define the number of bytes which should - be read from the ssl entropy - file If a -1 is specified, the entire file will - be read. - - - Default: ssl entropy bytes = 255 - - - - - - - ssl entropy file (G) - This variable is part of SSL-enabled Samba. This - is only available if the SSL libraries have been compiled on your - system and the configure option --with-ssl was - given at configure time. - - - This parameter is used to specify a file from which processes will - read "random bytes" on startup. In order to seed the internal pseudo - random number generator, entropy must be provided. On system with a - /dev/urandom device file, the processes - will retrieve its entropy from the kernel. On systems without kernel - entropy support, a file can be supplied that will be read on startup - and that will be used to seed the PRNG. - - - Default: none - - - - - - - ssl hosts (G) - See - ssl hosts resign. - - - - - - ssl hosts resign (G) - This variable is part of SSL-enabled Samba. This - is only available if the SSL libraries have been compiled on your - system and the configure option --with-ssl was - given at configure time. - - These two variables define whether Samba will go - into SSL mode or not. 
If none of them is defined, Samba will - allow only SSL connections. If the - ssl hosts variable lists - hosts (by IP-address, IP-address range, net group or name), - only these hosts will be forced into SSL mode. If the - ssl hosts resign variable lists hosts, only these - hosts will NOT be forced into SSL mode. The syntax for these two - variables is the same as for the - hosts allow and - hosts deny pair of variables, only - that the subject of the decision is different: It's not the access - right but whether SSL is used or not. - - The example below requires SSL connections from all hosts - outside the local net (which is 192.168.*.*). - - Default: ssl hosts = <empty string> - ssl hosts resign = <empty string> - - Example: ssl hosts resign = 192.168. - - - - - - - ssl require clientcert (G) - This variable is part of SSL-enabled Samba. This - is only available if the SSL libraries have been compiled on your - system and the configure option --with-ssl was - given at configure time. - - If this variable is set to yes, the - server will not tolerate connections from clients that don't - have a valid certificate. The directory/file given in ssl CA certDir - and ssl CA certFile - will be used to look up the CAs that issued - the client's certificate. If the certificate can't be verified - positively, the connection will be terminated. If this variable - is set to no, clients don't need certificates. - Contrary to web applications you really should - require client certificates. In the web environment the client's - data is sensitive (credit card numbers) and the server must prove - to be trustworthy. In a file server environment the server's data - will be sensitive and the clients must prove to be trustworthy. - - Default: ssl require clientcert = no - - - - - - - ssl require servercert (G) - This variable is part of SSL-enabled Samba. 
This - is only available if the SSL libraries have been compiled on your - system and the configure option --with-ssl was - given at configure time. - - If this variable is set to yes, the - smbclient(1) - will request a certificate from the server. Same as - ssl require - clientcert for the server. - - Default: ssl require servercert = no - - - - - - ssl server cert (G) - This variable is part of SSL-enabled Samba. This - is only available if the SSL libraries have been compiled on your - system and the configure option --with-ssl was - given at configure time. - - This is the file containing the server's certificate. - The server must have a certificate. The - file may also contain the server's private key. See later for - how certificates and private keys are created. - - Default: ssl server cert = <empty string> - - - - - - - ssl server key (G) - This variable is part of SSL-enabled Samba. This - is only available if the SSL libraries have been compiled on your - system and the configure option --with-ssl was - given at configure time. - - This file contains the private key of the server. If - this variable is not defined, the key is looked up in the - certificate file (it may be appended to the certificate). - The server must have a private key - and the certificate must - match this private key. - - Default: ssl server key = <empty string> - - - - - - - ssl version (G) - This variable is part of SSL-enabled Samba. This - is only available if the SSL libraries have been compiled on your - system and the configure option --with-ssl was - given at configure time. - - This enumeration variable defines the versions of the - SSL protocol that will be used. ssl2or3 allows - dynamic negotiation of SSL v2 or v3, ssl2 results - in SSL v2, ssl3 results in SSL v3 and - tls1 results in TLS v1. TLS (Transport Layer - Security) is the new standard for SSL. - - Default: ssl version = "ssl2or3" - - - - - stat cache (G) This parameter determines if
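Review bot: in the @@ -3387 hunk the new wording ("Samba's previous SSL support which was enabled by specifying the --with-ssl option to the configure script") still presents --with-ssl as a configure option without saying it no longer exists, so a reader of the ldap ssl paragraph may still try to pass it. Suggest saying so directly, e.g. "Samba's former SSL support (the --with-ssl configure option), which has been removed", and, since the commit message names an external SSL tunnel as the replacement, adding one sentence pointing readers there instead of just dropping the "(see ssl)" cross-reference.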
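Review bot: the @@ -7030 hunk deletes the documentation for server-side controls (ssl hosts / ssl hosts resign forcing SSL per host, ssl require clientcert rejecting clients without a CA-verified certificate), but the migration path given in the commit message (LIBSMB_PROG starting stunnel) covers only the smbclient side; administrators who relied on these settings get no note here on what replaces them on the server or on what happens to an smb.conf that still contains them. Suggest a short migration paragraph in the manpage (and release notes) describing the external-wrapper setup for smbd and stating that the old parameters are gone. Worth mentioning in that paragraph that the removed default, ssl version = "ssl2or3", negotiated SSL v2, so the external wrapper should be configured for TLS rather than reproducing that default. Also, the diff (limited to 'docs') touches only smb.conf.5.sgml while the removed ssl client cert / ssl client key text refers to smbclient(1); that page should be checked for matching SSL references.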