<listitem>
<para>This option is used by the programs in the Samba
suite to determine what naming services to use and in what order
- to resolve host names to IP addresses. The option takes a space
+ to resolve host names to IP addresses. Its main purpose to is to
+ control how netbios name resolution is performed. The option takes a space
separated string of name resolution options.</para>
<para>The options are: "lmhosts", "host",
<listitem>
<para><constant>lmhosts</constant> : Lookup an IP
address in the Samba lmhosts file. If the line in lmhosts has
- no name type attached to the NetBIOS name (see the <ulink url="lmhosts.5.html">lmhosts(5)</ulink> for details) then
+ no name type attached to the NetBIOS name (see the <ulink
+ url="lmhosts.5.html">lmhosts(5)</ulink> for details) then
any name type matches for lookup.</para>
</listitem>
</filename>, NIS, or DNS lookups. This method of name resolution
is operating system depended for instance on IRIX or Solaris this
may be controlled by the <filename moreinfo="none">/etc/nsswitch.conf</filename>
- file. Note that this method is only used if the NetBIOS name
- type being queried is the 0x20 (server) name type, otherwise
- it is ignored.</para>
+ file. Note that this method is used only if the NetBIOS name
+ type being queried is the 0x20 (server) name type or 0x1c (domain controllers).
+ The latter case is only useful for active directory domains and results in a DNS
+ query for the SRV RR entry matching _ldap._tcp.domain.</para>
</listitem>
<listitem>
it is advised to use following settings for <parameter moreinfo="none">name resolve order</parameter>:</para>
<para><command moreinfo="none">name resolve order = wins bcast</command></para>
+
+ <para>DC lookups will still be done via DNS, but fallbacks to netbios names will
+ not inundate your DNS servers with needless querys for DOMAIN<0x1c> lookups.</para>
</listitem>
</samba:parameter>
<para>This option allows the administrator to chose what
authentication methods <command moreinfo="none">smbd</command> will use when authenticating
a user. This option defaults to sensible values based on <link linkend="SECURITY">
- <parameter moreinfo="none">security</parameter></link>.</para>
+ <parameter moreinfo="none">security</parameter></link>. This should be considered
+ a developer option and used only in rare circumstances. In the majority (if not all)
+ of production servers, the default setting should be adequate.</para>
<para>Each entry in the list attempts to authenticate the user in turn, until
the user authenticates. In practice only one method will ever actually
be able to complete the authentication.
</para>
+ <para>Possible options include <constant>guest</constant> (anonymous access),
+ <constant>sam</constant> (lookups in local list of accounts based on netbios
+ name or domain name), <constant>winbind</constant> (relay authentication requests
+ for remote users through winbindd), <constant>ntdomain</constant> (pre-winbindd
+ method of authentication for remote domain users; deprecated in favour of winbind method),
+ <constant>trustdomain</constant> (authenticate trusted users by contacting the
+ remote DC directly from smbd; deprecated in favour of winbind method).</para>
+
<para>Default: <command moreinfo="none">auth methods = <empty string></command></para>
- <para>Example: <command moreinfo="none">auth methods = guest sam ntdomain</command></para>
+ <para>Example: <command moreinfo="none">auth methods = guest sam winbind</command></para>
</listitem>
</samba:parameter>
advanced="1" wizard="1" developer="1"
xmlns:samba="http://samba.org/common">
<listitem>
- <para>By specifying the name of another SMB server (such
- as a WinNT box) with this option, and using <command moreinfo="none">security = domain
- </command> or <command moreinfo="none">security = server</command> you can get Samba
- to do all its username/password validation via a remote server.</para>
+ <para>By specifying the name of another SMB server
+ or Active Directory domain controller with this option,
+ and using <command moreinfo="none">security = [ads|domain|server]</command>
+ it is possible to get Samba to
+ to do all its username/password validation using a specific remote server.</para>
- <para>This option sets the name of the password server to use.
- It must be a NetBIOS name, so if the machine's NetBIOS name is
- different from its Internet name then you may have to add its NetBIOS
- name to the lmhosts file which is stored in the same directory
- as the <filename moreinfo="none">smb.conf</filename> file.</para>
+ <para>This option sets the name or IP address of the password server to use.
+ New syntax has been added to support defining the port to use when connecting
+ to the server the case of an ADS realm. To define a port other than the
+ default LDAP port of 389, add the port number using a colon after the
+ name or IP address (e.g. 192.168.1.100:389). If you do not specify a port,
+ Samba will use the standard LDAP port of tcp/389. Note that port numbers
+ have no effect on password servers for Windows NT 4.0 domains or netbios
+ connections.</para>
- <para>The name of the password server is looked up using the
+ <para>If parameter is a name, it is looked up using the
parameter <link linkend="NAMERESOLVEORDER"><parameter moreinfo="none">name
resolve order</parameter></link> and so may resolved
by any method and order described in that parameter.</para>
trust your clients, and you had better restrict them with hosts allow!</para>
<para>If the <parameter moreinfo="none">security</parameter> parameter is set to
- <constant>domain</constant>, then the list of machines in this
+ <constant>domain</constant> or <constant>ads</constant>, then the list of machines in this
option must be a list of Primary or Backup Domain controllers for the
Domain or the character '*', as the Samba server is effectively
in that domain, and will use cryptographically authenticated RPC calls
to authenticate the user logging on. The advantage of using <command moreinfo="none">
security = domain</command> is that if you list several hosts in the
<parameter moreinfo="none">password server</parameter> option then <command moreinfo="none">smbd
- </command> will try each in turn till it finds one that responds. This
+ </command> will try each in turn till it finds one that responds. This
is useful in case your primary server goes down.</para>
<para>If the <parameter moreinfo="none">password server</parameter> option is set
and then contacting each server returned in the list of IP
addresses from the name resolution source. </para>
- <para>If the list of servers contains both names and the '*'
+ <para>If the list of servers contains both names/IP's and the '*'
character, the list is treated as a list of preferred
domain controllers, but an auto lookup of all remaining DC's
will be added to the list as well. Samba will not attempt to optimize
<para>Example: <command moreinfo="none">password server = NT-PDC, NT-BDC1, NT-BDC2, *</command></para>
+ <para>Example: <command moreinfo="none">password server = windc.mydomain.com:389 192.168.1.101 *</command></para>
+
<para>Example: <command moreinfo="none">password server = *</command></para>
</listitem>
</samba:parameter>
git.samba.org / amitay / samba.git / commitdiff