summaryrefslogtreecommitdiff
path: root/docs-xml/smbdotconf/security/passwordserver.xml
blob: 0ac39f103cefd84b65848947f9b02df4d6e2a5c4 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
<samba:parameter name="password server"
                 context="G"
				 type="list"
                 advanced="1" wizard="1" developer="1"
		 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
    <para>By specifying the name of another SMB server 
    or Active Directory domain controller with this option, 
    and using <command moreinfo="none">security = [ads|domain|server]</command> 
    it is possible to get Samba
    to do all its username/password validation using a specific remote server.</para>

    <para>If the <parameter moreinfo="none">security</parameter> parameter is set to
    <constant>domain</constant> or <constant>ads</constant>, then this option 
    <emphasis>should not</emphasis> be used, as the default '*' indicates to Samba 
    to determine the best DC to contact dynamically, just as all other hosts in an 
    AD domain do.  This allows the domain to be maintained without modification to 
    the smb.conf file.  The cryptograpic protection on the authenticated RPC calls
    used to verify passwords ensures that this default is safe.</para>

    <para><emphasis>It is strongly recommended that you use the
    default of '*'</emphasis>, however if in your particular
    environment you have reason to specify a particular DC list, then
    the list of machines in this option must be a list of names or IP
    addresses of Domain controllers for the Domain. If you use the
    default of '*', or list several hosts in the <parameter
    moreinfo="none">password server</parameter> option then <command
    moreinfo="none">smbd </command> will try each in turn till it
    finds one that responds.  This is useful in case your primary
    server goes down.</para>

    <para>If the list of servers contains both names/IP's and the '*'
    character, the list is treated as a list of preferred 
    domain controllers, but an auto lookup of all remaining DC's
    will be added to the list as well.  Samba will not attempt to optimize 
    this list by locating the closest DC.</para>
		
    <para>If parameter is a name, it is looked up using the 
    parameter <smbconfoption name="name resolve order"/> and so may resolved
    by any method and order described in that parameter.</para>

    <para>If the <parameter moreinfo="none">security</parameter> parameter is 
    set to <constant>server</constant>, these additional restrictions apply:</para>

    <itemizedlist>
	<listitem>
	    <para>You may list several password servers in 
	    the <parameter moreinfo="none">password server</parameter> parameter, however if an 
	    <command moreinfo="none">smbd</command> makes a connection to a password server, 
	    and then the password server fails, no more users will be able 
	    to be authenticated from this <command moreinfo="none">smbd</command>.  This is a 
	    restriction of the SMB/CIFS protocol when in <command moreinfo="none">security = server
	    </command> mode and cannot be fixed in Samba.</para>
	</listitem>
	    
	<listitem>
	    <para>You will have to ensure that your users 
	    are able to login from the Samba server, as when in <command moreinfo="none">
	    security = server</command>  mode the network logon will appear to 
	    come from the Samba server rather than from the users workstation.</para>
	</listitem>

	<listitem>
	    <para>The client must not select NTLMv2 authentication.</para>
	</listitem>

	<listitem>
	  <para>The password server must be a machine capable of using 
	  the &quot;LM1.2X002&quot; or the &quot;NT LM 0.12&quot; protocol, and it must be in 
	  user level security mode.</para>
	</listitem>

	<listitem>
	  <para>Using a password server  means your UNIX box (running
	  Samba) is only as secure as (a host masqurading as) your password server. <emphasis>DO NOT
	  CHOOSE A PASSWORD SERVER THAT  YOU DON'T COMPLETELY TRUST</emphasis>.
	  </para>
	</listitem>
		
	<listitem>
	  <para>Never point a Samba server at itself for password serving.
	  This will cause a loop and could lock up your Samba  server!</para>
	</listitem>

	<listitem>
	  <para>The name of the password server takes the standard 
	  substitutions, but probably the only useful one is <parameter moreinfo="none">%m
	  </parameter>, which means the Samba server will use the incoming 
	  client as the password server. If you use this then you better 
	  trust your clients, and you had better restrict them with hosts allow!</para>
	</listitem>

    </itemizedlist>
</description>

<related>security</related>
<value type="default">*</value>
<value type="example">NT-PDC, NT-BDC1, NT-BDC2, *</value>
<value type="example">windc.mydomain.com:389 192.168.1.101 *</value>
</samba:parameter>