summaryrefslogtreecommitdiff
path: root/docs/smbdotconf/security/username.xml
blob: 9a6d83ae710900f0d9e0ef8b6e7d3dcbd3026e5f (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
<samba:parameter name="username"
	context="S"
	type="string"
                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<synonym>user</synonym>
<synonym>users</synonym>
<description>
    <para>Multiple users may be specified in a comma-delimited 
    list, in which case the supplied password will be tested against 
    each username in turn (left to right).</para>

    <para>The <parameter moreinfo="none">username</parameter> line is needed only when 
    the PC is unable to supply its own username. This is the case 
    for the COREPLUS protocol or where your users have different WfWg 
    usernames to UNIX usernames. In both these cases you may also be 
    better using the \\server\share%user syntax instead.</para>

    <para>The <parameter moreinfo="none">username</parameter> line is not a great 
    solution in many cases as it means Samba will try to validate 
    the supplied password against each of the usernames in the 
    <parameter moreinfo="none">username</parameter> line in turn. This is slow and 
    a bad idea for lots of users in case of duplicate passwords. 
    You may get timeouts or security breaches using this parameter 
    unwisely.</para>

    <para>Samba relies on the underlying UNIX security. This 
    parameter does not restrict who can login, it just offers hints 
    to the Samba server as to what usernames might correspond to the 
    supplied password. Users can login as whoever they please and 
    they will be able to do no more damage than if they started a 
    telnet session. The daemon runs as the user that they log in as, 
    so they cannot do anything that user cannot do.</para>

    <para>To restrict a service to a particular set of users you 
    can use the <link linkend="VALIDUSERS"><parameter moreinfo="none">valid users
    </parameter></link> parameter.</para>

    <para>If any of the usernames begin with a '@' then the name 
    will be looked up first in the NIS netgroups list (if Samba 
    is compiled with netgroup support), followed by a lookup in 
    the UNIX groups database and will expand to a list of all users 
    in the group of that name.</para>
		
    <para>If any of the usernames begin with a '+' then the name 
    will be looked up only in the UNIX groups database and will 
    expand to a list of all users in the group of that name.</para>

    <para>If any of the usernames begin with a '&amp;' then the name 
    will be looked up only in the NIS netgroups database (if Samba 
    is compiled with netgroup support) and will expand to a list 
    of all users in the netgroup group of that name.</para>

    <para>Note that searching though a groups database can take 
    quite some time, and some clients may time out during the 
    search.</para>

    <para>See the section <link linkend="VALIDATIONSECT">NOTE ABOUT 
    USERNAME/PASSWORD VALIDATION</link> for more information on how 
this parameter determines access to the services.</para>
</description>

<value type="default"><comment>The guest account if a guest service, 
		else &lt;empty string&gt;.</comment></value>

<value type="example">fred, mary, jack, jane, @users, @pcgroup</value>
</samba:parameter>