<para>
New to Samba-3 is the ability to use a back-end database that holds the same type of data as
the NT4 style SAM (Security Account Manager) database (one of the registry files).
-<footnote>See also <link linkend="passdb"/>.</footnote>
+<footnote><para>See also <link linkend="passdb"/>.</para></footnote>
</para>
<para>
For Samba to provide these is rather easy to configure. Each Samba Domain Controller must provide
the NETLOGON service which Samba calls the <smbconfoption><name>domain logons</name></smbconfoption> functionality
(after the name of the parameter in the &smb.conf; file). Additionally, one (1) server in a Samba-3
-Domain must advertise itself as the domain master browser<footnote>See also <link linkend="NetworkBrowsing"/></footnote>. This causes the Primary Domain Controller
+Domain must advertise itself as the domain master browser<footnote><para>See also <link linkend="NetworkBrowsing"/></para></footnote>. This causes the Primary Domain Controller
to claim domain specific NetBIOS name that identifies it as a domain master browser for its given
domain/workgroup. Local master browsers in the same domain/workgroup on broadcast-isolated subnets
then ask for a complete copy of the browse list for the whole wide area network. Browser clients
<varlistentry>
<term>only</term>
- <listitem><para>Only update the LDAP password and let the LDAP server worry about the other fields. This option is only available on some LDAP servers. <footnote>Only when the LDAP server supports LDAP_EXOP_X_MODIFY_PASSWD</footnote></para></listitem>
+ <listitem><para>Only update the LDAP password and let the LDAP server worry about the other fields. This option is only available on some LDAP servers. <footnote><para>Only when the LDAP server supports LDAP_EXOP_X_MODIFY_PASSWD</para></footnote></para></listitem>
</varlistentry>
</variablelist>
advanced="1" wizard="1" developer="1"
xmlns:samba="http://samba.org/common">
<listitem>
- <para>This is a list of NetBIOS names that <ulink url="nmbd.8.html">nmbd(8)</ulink> will
+ <para>This is a list of NetBIOS names that nmbd will
advertise as additional names by which the Samba server is known. This allows one machine
to appear in browse lists under multiple names. If a machine is acting as a browse server
or logon server none of these names will be advertised as either browse server or logon
<listitem>
<para>If a Samba server is a member of a Windows
NT Domain (see the <link linkend="SECURITYEQUALSDOMAIN">security = domain</link>)
- parameter) then periodically a running <ulink url="smbd.8.html">
- smbd(8)</ulink> process will try and change the MACHINE ACCOUNT
+ parameter) then periodically a running smbd
+ process will try and change the MACHINE ACCOUNT
PASSWORD stored in the TDB called <filename moreinfo="none">private/secrets.tdb
</filename>. This parameter specifies how often this password
will be changed, in seconds. The default is one week (expressed in
created for all users accessing files on this server. For sites
that use Windows NT account databases as their primary user database
creating these users and keeping the user list in sync with the
- Windows NT PDC is an onerous task. This option allows <ulink url="smbd.8.html">smbd</ulink> to create the required UNIX users
+ Windows NT PDC is an onerous task. This option allows smbd to create the required UNIX users
<emphasis>ON DEMAND</emphasis> when a user accesses the Samba server.</para>
<para>In order to use this option, <citerefentry><refentrytitle>smbd</refentrytitle>
suggested command would be to add <command moreinfo="none">NET TIME \\SERVER /SET
/YES</command>, to force every machine to synchronize clocks with
the same time server. Another use would be to add <command moreinfo="none">NET USE
- U: \\SERVER\UTILS</command> for commonly used utilities, or <command moreinfo="none">
- NET USE Q: \\SERVER\ISO9001_QA</command> for example.</para>
+ U: \\SERVER\UTILS</command> for commonly used utilities, or <screen>
+ <userinput>NET USE Q: \\SERVER\ISO9001_QA</userinput></screen> for example.</para>
<para>Note that it is particularly important not to allow write
access to the [netlogon] share, or to grant users write permission
addresses of the remote networks, but can also be the IP addresses
of known browse masters if your network config is that stable.</para>
- <para>See the documentation file <ulink url="improved-browsing.html">BROWSING</ulink>
- in the <filename moreinfo="none">docs/</filename> directory.</para>
+ <para>See <link linkend="NetworkBrowsing"/>.</para>
<para>Default: <command moreinfo="none">remote announce = <empty string></command></para>
</listitem>
LaserJet 5L</command>.</para>
<para>The need for the file is due to the printer driver namespace
- problem described in the <ulink url="printing.html">Samba
- Printing HOWTO</ulink>. For more details on OS/2 clients, please
- refer to the OS2-Client-HOWTO containing in the Samba documentation.</para>
+ problem described in <link linkiend="printing"/>. For more details on OS/2 clients, please
+ refer to <link linkend="Other-Clients"/>.</para>
<para>Default: <command moreinfo="none">os2 driver map = <empty string></command></para>
</listitem>
<para> This variable controls controls whether samba clients will try
to use Simple and Protected NEGOciation (as specified by rfc2478) with
WindowsXP and Windows2000 servers to agree upon an authentication mechanism.
+ SPNEGO client support for SMB Signing is currently broken, so
+ you might want to turn this option off when operating with
+ Windows 2003 domain controllers in particular.
</para>
<para>Default: <emphasis>client use spnego = yes</emphasis></para>
<para><constant>lmhosts</constant> : Lookup an IP
address in the Samba lmhosts file. If the line in lmhosts has
no name type attached to the NetBIOS name (see the <ulink
- url="lmhosts.5.html">lmhosts(5)</ulink> for details) then
+ noescape="1" url="lmhosts.5.html">lmhosts(5)</ulink> for details) then
any name type matches for lookup.</para>
</listitem>
Windows XP clients. New versions of Windows 2000 or Windows XP service
packs do security ACL checking on the owner and ability to write of the
profile directory stored on a local workstation when copied from a Samba
- share. When not in domain mode with winbindd then the security info copied
+ share.
+</para>
+
+<para>When not in domain mode with winbindd then the security info copied
onto the local workstation has no meaning to the logged in user (SID) on
that workstation so the profile storing fails. Adding this parameter
onto a share used for profile storage changes two things about the
BUILTIN\\Users respectively (SIDs S-1-5-32-544, S-1-5-32-545). Secondly
it adds an ACE entry of "Full Control" to the SID BUILTIN\\Users to
every returned ACL. This will allow any Windows 2000 or XP workstation
- user to access the profile. Note that if you have multiple users logging
+ user to access the profile.</para>
+
+ <para>Note that if you have multiple users logging
on to a workstation then in order to prevent them from being able to access
each others profiles you must remove the "Bypass traverse checking" advanced
user right. This will prevent access to other users profile directories as
the top level profile directory (named after the user) is created by the
workstation profile code and has an ACL restricting entry to the directory
tree to the owning user.
- </para>
-
+</para>
+
<para>Default: <command moreinfo="none">profile acls = no</command></para>
</listitem>
</samba:parameter>
<parameter moreinfo="none">security</parameter></link> option is set to
<constant>server</constant> or <constant>domain</constant>.
If it is set to no, then attempts to connect to a resource from
- a domain or workgroup other than the one which <ulink url="smbd.8.html">smbd</ulink> is running
+ a domain or workgroup other than the one which smbd is running
in will fail, even if that domain is trusted by the remote server
doing the authentication.</para>
<samba:parameter name="guest account"
- context="G"
+ context="G,S"
basic="1" advanced="1" developer="1"
xmlns:samba="http://samba.org/common">
<listitem>
the specified username overrides this one.
</para>
- <para>On some systems the default guest account "nobody" may not
+ <para>One some systems the default guest account "nobody" may not
be able to print. Use another account in this case. You should test
this by trying to log in as your guest user (perhaps by using the
<command moreinfo="none">su -</command> command) and trying to print using the
details.
</para></listitem>
- <listitem>
- <para><command moreinfo="none">guest</command> -
- Very simple backend that only provides one user: the guest user.
- Only maps the NT guest user to the <parameter>guest account</parameter>.
- Required in pretty much all situations.
- </para></listitem>
-
</itemizedlist>
</para>
<para>Default: <command moreinfo="none">passdb backend = smbpasswd</command></para>
- <para>Example: <command moreinfo="none">passdb backend = tdbsam:/etc/samba/private/passdb.tdb smbpasswd:/etc/samba/smbpasswd guest</command></para>
+ <para>Example: <command moreinfo="none">passdb backend = tdbsam:/etc/samba/private/passdb.tdb smbpasswd:/etc/samba/smbpasswd</command></para>
- <para>Example: <command moreinfo="none">passdb backend = ldapsam:ldaps://ldap.example.com guest</command></para>
+ <para>Example: <command moreinfo="none">passdb backend = ldapsam:ldaps://ldap.example.com</command></para>
- <para>Example: <command moreinfo="none">passdb backend = mysql:my_plugin_args tdbsam:/etc/samba/private/passdb.tdb guest</command></para>
+ <para>Example: <command moreinfo="none">passdb backend = mysql:my_plugin_args tdbsam</command></para>
</listitem>
</samba:parameter>
<para><emphasis>Note</emphasis> that if the <parameter moreinfo="none">unix
password sync</parameter> parameter is set to <constant>yes
</constant> then this program is called <emphasis>AS ROOT</emphasis>
- before the SMB password in the <ulink url="smbpasswd.5.html"><citerefentry>
- <refentrytitle>smbpasswd</refentrytitle><manvolnum>5</manvolnum></citerefentry>
- </ulink> file is changed. If this UNIX password change fails, then
+ before the SMB password in the smbpasswd
+ file is changed. If this UNIX password change fails, then
<command moreinfo="none">smbd</command> will fail to change the SMB password also
(this is by design).</para>
for security implications. Note that by default <parameter moreinfo="none">unix
password sync</parameter> is set to <constant>no</constant>.</para>
- <para>Not that this program is only invoked when a password change is
- done via the smbd program, not when smbpasswd is used locally as root to
- change a password. This means that you cannot run "smbpasswd USERNAME" as
- root on the SMB server in order to test this parameter, but should run the
- command "smbpasswd -r SMBMACHINE" as a non-root user instead if you want
- to test the invocation of this program.</para>
-
<para>See also <link linkend="UNIXPASSWORDSYNC"><parameter moreinfo="none">unix
password sync</parameter></link>.</para>
Windows NT.</para>
<para>The alternatives are <command moreinfo="none">security = share</command>,
- <command moreinfo="none">security = server</command>, <command moreinfo="none">security = domain
- </command>, or <command moreinfo="none">security = ads</command>.</para>
+ <command moreinfo="none">security = server</command> or <command moreinfo="none">security = domain
+ </command>.</para>
<para>In versions of Samba prior to 2.0.0, the default was
<command moreinfo="none">security = share</command> mainly because that was
context="S"
xmlns:samba="http://samba.org/common">
<listitem>
- <para>If this parameter is <constant>yes</constant>, and the underlying operating
+ <para>If this parameter is <constant>yes</constant>, and Samba
+ was built with the --with-sendfile-support option, and the underlying operating
system supports sendfile system call, then some SMB read calls (mainly ReadAndX
and ReadRaw) will use the more efficient sendfile system call for files that
are exclusively oplocked. This may make more efficient use of the system CPU's
- and cause Samba to be faster.</para>
+ and cause Samba to be faster. This is off by default as it's effects are unknown
+ as yet.</para>
<para>Default: <command moreinfo="none">use sendfile = no</command></para>
</listitem>
advanced="1" developer="1"
xmlns:samba="http://samba.org/common">
<listitem>
- <para>If set to <constant>yes</constant>,
+ <para>This boolean parameter is only available
+ if Samba has been configured and compiled with the <command moreinfo="none">
+ --with-msdfs</command> option. If set to <constant>yes</constant>,
Samba will act as a Dfs server, and allow Dfs-aware clients
to browse Dfs trees hosted on the server.</para>
<para>See also the <link linkend="MSDFSROOT"><parameter moreinfo="none">
msdfs root</parameter></link> share level parameter. For
more information on setting up a Dfs tree on Samba,
- refer to <ulink url="msdfs_setup.html">msdfs_setup.html</ulink>.
+ refer to <link linkend="msdfs"/>.
</para>
<para>Default: <command moreinfo="none">host msdfs = no</command></para>
context="S"
xmlns:samba="http://samba.org/common">
<listitem>
- <para>If set to <constant>yes</constant>,
+ <para>This boolean parameter is only available if
+ Samba is configured and compiled with the <command moreinfo="none">
+ --with-msdfs</command> option. If set to <constant>yes</constant>,
Samba treats the share as a Dfs root and allows clients to browse
the distributed file system tree rooted at the share directory.
Dfs links are specified in the share directory by symbolic
links of the form <filename moreinfo="none">msdfs:serverA\\shareA,serverB\\shareB</filename>
and so on. For more information on setting up a Dfs tree
- on Samba, refer to <ulink url="msdfs.html">"Hosting a Microsoft
- Distributed File System tree on Samba"</ulink> document.</para>
+ on Samba, refer to <link linkend="msdfs"/>.</para>
<para>See also <link linkend="HOSTMSDFS"><parameter moreinfo="none">host msdfs</parameter></link></para>
context="S"
xmlns:samba="http://samba.org/common">
<listitem>
- <para>This parameter specifies the backend module names which
+ <para>This parameter specifies the backend names which
are used for Samba VFS I/O operations. By default, normal
disk I/O operations are used but these can be overloaded
with one or more VFS objects. </para>
-
- <para>Options for a given VFS module are specified one per line
- smb.conf perfaced by the module name and a colon (:). Such as</para>
-
- <para>foo:bar=biddle</para>
-
- <para>where 'foo' is the name of VFS module, 'bar' is a parameter supported
- by ;foo;, and 'biddle' is the value of the option 'bar'. Refer to the
- manpage for a given VFS modules regarding the options supported by that module.</para>
<para>Default: <emphasis>no value</emphasis></para>
<listitem>
<para>The idmap gid parameter specifies the range of group ids that are allocated for
- the purpose of mapping UNIX groups to NT group SIDs. This range of group ids should have no
+ the purpose of mapping UNX groups to NT group SIDs. This range of group ids should have no
existing local or NIS groups within it as strange conflicts can occur otherwise.</para>
<para>The availability of an idmap gid range is essential for correct operation of
to a WINS server if you have multiple subnets and wish cross-subnet
browsing to work correctly.</para></note>
- <para>See the documentation file <ulink url="improved-browsing.html">Browsing</ulink> in the samba howto collection.</para>
+ <para>See the <link linkend="NetworkBrowsing"/>.</para>
<para>Default: <emphasis>not enabled</emphasis></para>
git.samba.org / samba.git / commitdiff