1 <samba:parameter name="password server"
4 advanced="1" wizard="1" developer="1"
5 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
7 <para>By specifying the name of another SMB server
8 or Active Directory domain controller with this option,
9 and using <command moreinfo="none">security = [ads|domain|server]</command>
10 it is possible to get Samba
11 to do all its username/password validation using a specific remote server.</para>
13 <para>If the <parameter moreinfo="none">security</parameter> parameter is set to
14 <constant>domain</constant> or <constant>ads</constant>, then this option
15 <emphasis>should not</emphasis> be used, as the default '*' indicates to Samba
16 to determine the best DC to contact dynamically, just as all other hosts in an
17 AD domain do. This allows the domain to be maintained without modification to
18 the smb.conf file. The cryptograpic protection on the authenticated RPC calls
19 used to verify passwords ensures that this default is safe.</para>
21 <para><emphasis>It is strongly recommended that you use the
22 default of '*'</emphasis>, however if in your particular
23 environment you have reason to specify a particular DC list, then
24 the list of machines in this option must be a list of names or IP
25 addresses of Domain controllers for the Domain. If you use the
26 default of '*', or list several hosts in the <parameter
27 moreinfo="none">password server</parameter> option then <command
28 moreinfo="none">smbd </command> will try each in turn till it
29 finds one that responds. This is useful in case your primary
30 server goes down.</para>
32 <para>If the list of servers contains both names/IP's and the '*'
33 character, the list is treated as a list of preferred
34 domain controllers, but an auto lookup of all remaining DC's
35 will be added to the list as well. Samba will not attempt to optimize
36 this list by locating the closest DC.</para>
38 <para>If parameter is a name, it is looked up using the
39 parameter <smbconfoption name="name resolve order"/> and so may resolved
40 by any method and order described in that parameter.</para>
42 <para>If the <parameter moreinfo="none">security</parameter> parameter is
43 set to <constant>server</constant>, these additional restrictions apply:</para>
47 <para>You may list several password servers in
48 the <parameter moreinfo="none">password server</parameter> parameter, however if an
49 <command moreinfo="none">smbd</command> makes a connection to a password server,
50 and then the password server fails, no more users will be able
51 to be authenticated from this <command moreinfo="none">smbd</command>. This is a
52 restriction of the SMB/CIFS protocol when in <command moreinfo="none">security = server
53 </command> mode and cannot be fixed in Samba.</para>
57 <para>You will have to ensure that your users
58 are able to login from the Samba server, as when in <command moreinfo="none">
59 security = server</command> mode the network logon will appear to
60 come from the Samba server rather than from the users workstation.</para>
64 <para>The client must not select NTLMv2 authentication.</para>
68 <para>The password server must be a machine capable of using
69 the "LM1.2X002" or the "NT LM 0.12" protocol, and it must be in
70 user level security mode.</para>
74 <para>Using a password server means your UNIX box (running
75 Samba) is only as secure as (a host masqurading as) your password server. <emphasis>DO NOT
76 CHOOSE A PASSWORD SERVER THAT YOU DON'T COMPLETELY TRUST</emphasis>.
81 <para>Never point a Samba server at itself for password serving.
82 This will cause a loop and could lock up your Samba server!</para>
88 <related>security</related>
89 <value type="default">*</value>
90 <value type="example">NT-PDC, NT-BDC1, NT-BDC2, *</value>
91 <value type="example">windc.mydomain.com:389 192.168.1.101 *</value>
git.samba.org / bbaumbach / samba-autobuild / .git / blob