<para><command moreinfo="none">hosts allow = lapland, arvidsjaur</command></para>
+ <para>Example 4: allow only hosts in NIS netgroup "foonet", but
+ deny access from one particular host</para>
+
+ <para><command moreinfo="none">hosts allow = @foonet</command></para>
+
+ <para><command moreinfo="none">hosts deny = pirate</command></para>
+
<note><para>Note that access still requires suitable user-level passwords.</para></note>
<para>See <citerefentry><refentrytitle>testparm</refentrytitle>
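Review bot: Example 4 (the "hosts allow = @foonet" / "hosts deny = pirate" pair) does not say which list wins when a host matches both, which is the case it illustrates if pirate is a member of foonet. Add a sentence stating the precedence between hosts allow and hosts deny, or point to where it is defined, so readers do not take the deny line as an effective exclusion without checking.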
to login to this service. This is really a <emphasis>paranoid</emphasis>
check to absolutely ensure an improper setting does not breach
your security.</para>
+
+ <para>A name starting with a '@' is interpreted as an NIS
+ netgroup first (if your system supports NIS), and then as a UNIX
+ group if the name was not found in the NIS netgroup database.</para>
- <para>A name starting with a '@' is interpreted UNIX group.</para>
+ <para>A name starting with '+' is interpreted only
+ by looking in the UNIX group database via the NSS getgrnam() interface. A name starting with
+ '&' is interpreted only by looking in the NIS netgroup database
+ (this requires NIS to be working on your system). The characters
+ '+' and '&' may be used at the start of the name in either order
+ so the value <parameter moreinfo="none">+&group</parameter> means check the
+ UNIX group database, followed by the NIS netgroup database, and
+ the value <parameter moreinfo="none">&+group</parameter> means check the NIS
+ netgroup database, followed by the UNIX group database (the
+ same as the '@' prefix).</para>
<para>The current servicename is substituted for <parameter moreinfo="none">%S</parameter>.
This is useful in the [homes] section.</para>
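Review bot: The new '@' and '&' paragraphs do not say what happens to an entry when the netgroup lookup cannot be performed; the text only says "(if your system supports NIS)" and "(this requires NIS to be working on your system)". Because this is the invalid users list, state explicitly whether an unresolvable '@' or '&' name is skipped or treated as an error: a silently skipped entry means the listed users are not denied. It would also help to recommend the '+' form when a UNIX group is intended, so the check does not depend on NIS state.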
</para>
+ <para>
+ If your system supports the NIS NETGROUP option then the netgroup database is checked before the <filename
+ moreinfo="none">/etc/group </filename> database for matching groups.
+ </para>
+
<para>
You can map Windows usernames that have spaces in them by using double quotes around the name. For example:
<programlisting>
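Review bot: The added paragraph has a trailing space inside the filename element ("/etc/group " before the closing tag) and splits the opening filename tag across two lines, which will render a stray space in the path. Put the element on one line without the trailing space, and write "NIS netgroup" rather than "NIS NETGROUP option" to match the wording used in the invalid users text.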
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
<para>
- This is a list of users that should be allowed to login to this service.
- Names starting with an '@' are interpreted using the same rules as
- described in the
- <parameter moreinfo="none">invalid users</parameter> parameter.
+ This is a list of users that should be allowed to login to this service. Names starting with
+ '@', '+' and '&' are interpreted using the same rules as described in the
+ <parameter moreinfo="none">invalid users</parameter> parameter.
</para>
<para>
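Review bot: The rewritten sentence lists "'@', '+' and '&'" as the prefixes, but the invalid users text it refers to also defines the combined forms "+&" and "&+". Use "or" instead of "and" and mention that the prefixes can be combined, so the valid users description does not read as narrower than the rules it points to.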
and <filename moreinfo="none">nss_winbind.so</filename> modules for UNIX services.
</para>
- <para>Please note that setting this parameter to + can cause problems
+ <para>Please note that setting this parameter to + causes problems
with group membership at least on glibc systems, as the character +
- was used as a special character for NIS in /etc/group.</para>
+ is used as a special character for NIS in /etc/group.</para>
</description>
<value type="default">\</value>
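Review bot: The reworded note writes the character bare ("to + causes problems", "the character +"), which is easy to misread in running prose. Quote it as '+' the way the invalid users text does, or wrap it in literal markup. Since the wording is now the definite "causes problems", consider adding what to use instead, so the note gives the reader an action.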