blob: 9a6d83ae710900f0d9e0ef8b6e7d3dcbd3026e5f (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
|
<samba:parameter name="username"
context="S"
type="string"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<synonym>user</synonym>
<synonym>users</synonym>
<description>
<para>Multiple users may be specified in a comma-delimited
list, in which case the supplied password will be tested against
each username in turn (left to right).</para>
<para>The <parameter moreinfo="none">username</parameter> line is needed only when
the PC is unable to supply its own username. This is the case
for the COREPLUS protocol or where your users have different WfWg
usernames to UNIX usernames. In both these cases you may also be
better using the \\server\share%user syntax instead.</para>
<para>The <parameter moreinfo="none">username</parameter> line is not a great
solution in many cases as it means Samba will try to validate
the supplied password against each of the usernames in the
<parameter moreinfo="none">username</parameter> line in turn. This is slow and
a bad idea for lots of users in case of duplicate passwords.
You may get timeouts or security breaches using this parameter
unwisely.</para>
<para>Samba relies on the underlying UNIX security. This
parameter does not restrict who can login, it just offers hints
to the Samba server as to what usernames might correspond to the
supplied password. Users can login as whoever they please and
they will be able to do no more damage than if they started a
telnet session. The daemon runs as the user that they log in as,
so they cannot do anything that user cannot do.</para>
<para>To restrict a service to a particular set of users you
can use the <link linkend="VALIDUSERS"><parameter moreinfo="none">valid users
</parameter></link> parameter.</para>
<para>If any of the usernames begin with a '@' then the name
will be looked up first in the NIS netgroups list (if Samba
is compiled with netgroup support), followed by a lookup in
the UNIX groups database and will expand to a list of all users
in the group of that name.</para>
<para>If any of the usernames begin with a '+' then the name
will be looked up only in the UNIX groups database and will
expand to a list of all users in the group of that name.</para>
<para>If any of the usernames begin with a '&' then the name
will be looked up only in the NIS netgroups database (if Samba
is compiled with netgroup support) and will expand to a list
of all users in the netgroup group of that name.</para>
<para>Note that searching though a groups database can take
quite some time, and some clients may time out during the
search.</para>
<para>See the section <link linkend="VALIDATIONSECT">NOTE ABOUT
USERNAME/PASSWORD VALIDATION</link> for more information on how
this parameter determines access to the services.</para>
</description>
<value type="default"><comment>The guest account if a guest service,
else <empty string>.</comment></value>
<value type="example">fred, mary, jack, jane, @users, @pcgroup</value>
</samba:parameter>
|