summaryrefslogtreecommitdiff
path: root/docs/docbook/smbdotconf/security/username.xml
blob: 779f24170b6a8126f54d9c78296871f1d16966db (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
<samba:parameter xmlns:samba="http://samba.org/common">
		<term><anchor id="USERNAME"/>username (S)</term>
		<listitem><para>Multiple users may be specified in a comma-delimited 
		list, in which case the supplied password will be tested against 
		each username in turn (left to right).</para>

		<para>The <parameter moreinfo="none">username</parameter> line is needed only when 
		the PC is unable to supply its own username. This is the case 
		for the COREPLUS protocol or where your users have different WfWg 
		usernames to UNIX usernames. In both these cases you may also be 
		better using the \\server\share%user syntax instead.</para>

		<para>The <parameter moreinfo="none">username</parameter> line is not a great 
		solution in many cases as it means Samba will try to validate 
		the supplied password against each of the usernames in the 
		<parameter moreinfo="none">username</parameter> line in turn. This is slow and 
		a bad idea for lots of users in case of duplicate passwords. 
		You may get timeouts or security breaches using this parameter 
		unwisely.</para>

		<para>Samba relies on the underlying UNIX security. This 
		parameter does not restrict who can login, it just offers hints 
		to the Samba server as to what usernames might correspond to the 
		supplied password. Users can login as whoever they please and 
		they will be able to do no more damage than if they started a 
		telnet session. The daemon runs as the user that they log in as, 
		so they cannot do anything that user cannot do.</para>

		<para>To restrict a service to a particular set of users you 
		can use the <link linkend="VALIDUSERS"><parameter moreinfo="none">valid users
		</parameter></link> parameter.</para>

		<para>If any of the usernames begin with a '@' then the name 
		will be looked up first in the NIS netgroups list (if Samba 
		is compiled with netgroup support), followed by a lookup in 
		the UNIX groups database and will expand to a list of all users 
		in the group of that name.</para>
		
		<para>If any of the usernames begin with a '+' then the name 
		will be looked up only in the UNIX groups database and will 
		expand to a list of all users in the group of that name.</para>

		<para>If any of the usernames begin with a '&amp;' then the name 
		will be looked up only in the NIS netgroups database (if Samba 
		is compiled with netgroup support) and will expand to a list 
		of all users in the netgroup group of that name.</para>

		<para>Note that searching though a groups database can take 
		quite some time, and some clients may time out during the 
		search.</para>

		<para>See the section <link linkend="VALIDATIONSECT">NOTE ABOUT 
		USERNAME/PASSWORD VALIDATION</link> for more information on how 
		this parameter determines access to the services.</para>

		<para>Default: <command moreinfo="none">The guest account if a guest service, 
		else &lt;empty string&gt;.</command></para>

		<para>Examples:<command moreinfo="none">username = fred, mary, jack, jane, 
		@users, @pcgroup</command></para>
		</listitem>
		</samba:parameter>