summaryrefslogtreecommitdiff
path: root/docs/docbook/smbdotconf/security/passwordserver.xml
blob: b803816d8881e67a10d5d8183c62602395f8d160 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
<samba:parameter xmlns:samba="http://samba.org/common">
		<term><anchor id="PASSWORDSERVER"/>password server (G)</term>
		<listitem><para>By specifying the name of another SMB server (such 
		as a WinNT box) with this option, and using <command moreinfo="none">security = domain
		</command> or <command moreinfo="none">security = server</command> you can get Samba 
		to do all its username/password validation via a remote server.</para>

		<para>This option sets the name of the password server to use. 
		It must be a NetBIOS name, so if the machine's NetBIOS name is 
		different from its Internet name then you may have to add its NetBIOS 
		name to the lmhosts  file which is stored in the same directory 
		as the <filename moreinfo="none">smb.conf</filename> file.</para>

		<para>The name of the password server is looked up using the 
		parameter <link linkend="NAMERESOLVEORDER"><parameter moreinfo="none">name 
		resolve order</parameter></link> and so may resolved
		by any method and order described in that parameter.</para>

		<para>The password server must be a machine capable of using 
		the &quot;LM1.2X002&quot; or the &quot;NT LM 0.12&quot; protocol, and it must be in 
		user level security mode.</para>

		<note><para>Using a password server 
		means your UNIX box (running Samba) is only as secure as your 
		password server. <emphasis>DO NOT CHOOSE A PASSWORD SERVER THAT 
		YOU DON'T COMPLETELY TRUST</emphasis>.</para></note>
		
		<para>Never point a Samba server at itself for password 
		serving. This will cause a loop and could lock up your Samba 
		server!</para>

		<para>The name of the password server takes the standard 
		substitutions, but probably the only useful one is <parameter moreinfo="none">%m
		</parameter>, which means the Samba server will use the incoming 
	 	client as the password server. If you use this then you better 
		trust your clients, and you had better restrict them with hosts allow!</para>

		<para>If the <parameter moreinfo="none">security</parameter> parameter is set to
		<constant>domain</constant>, then the list of machines in this 
		option must be a list of Primary or Backup Domain controllers for the
		Domain or the character '*', as the Samba server is effectively
		in that domain, and will use cryptographically authenticated RPC calls
		to authenticate the user logging on. The advantage of using <command moreinfo="none">
		security = domain</command> is that if you list several hosts in the 
		<parameter moreinfo="none">password server</parameter> option then <command moreinfo="none">smbd
		</command> will try each in turn till it finds one that responds. This 
		is useful in case your primary server goes down.</para>

		<para>If the <parameter moreinfo="none">password server</parameter> option is set 
		to the character '*', then Samba will attempt to auto-locate the 
		Primary or Backup Domain controllers to authenticate against by 
		doing a query for the name <constant>WORKGROUP&lt;1C&gt;</constant> 
		and then contacting each server returned in the list of IP 
		addresses from the name resolution source. </para>

		<para>If the list of servers contains both names and the '*'
		character, the list is treated as a list of preferred 
		domain controllers, but an auto lookup of all remaining DC's
		will be added to the list as well.  Samba will not attempt to optimize 
		this list by locating the closest DC.</para>
		
		<para>If the <parameter moreinfo="none">security</parameter> parameter is 
		set to <constant>server</constant>, then there are different
		restrictions that <command moreinfo="none">security = domain</command> doesn't 
		suffer from:</para>

		<itemizedlist>
			<listitem><para>You may list several password servers in 
			the <parameter moreinfo="none">password server</parameter> parameter, however if an 
			<command moreinfo="none">smbd</command> makes a connection to a password server, 
			and then the password server fails, no more users will be able 
			to be authenticated from this <command moreinfo="none">smbd</command>.  This is a 
			restriction of the SMB/CIFS protocol when in <command moreinfo="none">security = server
			</command> mode and cannot be fixed in Samba.</para></listitem>

			<listitem><para>If you are using a Windows NT server as your 
			password server then you will have to ensure that your users 
			are able to login from the Samba server, as when in <command moreinfo="none">
			security = server</command>  mode the network logon will appear to 
			come from there rather than from the users workstation.</para></listitem>
		</itemizedlist>

		<para>See also the <link linkend="SECURITY"><parameter moreinfo="none">security
		</parameter></link> parameter.</para>

		<para>Default: <command moreinfo="none">password server = &lt;empty string&gt;</command>
		</para>
		<para>Example: <command moreinfo="none">password server = NT-PDC, NT-BDC1, NT-BDC2, *
		</command></para>
		<para>Example: <command moreinfo="none">password server = *</command></para>
		</listitem>
		</samba:parameter>