<emphasis>ON DEMAND</emphasis> when a user accesses the Samba server.
</para>
- <para>
- In order to use this option, <citerefentry><refentrytitle>smbd</refentrytitle>
- <manvolnum>8</manvolnum></citerefentry> must <emphasis>NOT</emphasis> be set to
- <smbconfoption name="security">share</smbconfoption> and <smbconfoption name="add user script"/>
- must be set to a full pathname for a script that will create a UNIX user given one argument of
- <parameter moreinfo="none">%u</parameter>, which expands into the UNIX user name to create.
- </para>
-
<para>
When the Windows user attempts to access the Samba server, at login (session setup in
the SMB protocol) time, <citerefentry><refentrytitle>smbd</refentrytitle>
this list will be able to do anything they like on the share,
irrespective of file permissions.</para>
- <para>This parameter will not work with the <smbconfoption name="security">share</smbconfoption> in
- Samba 3.0. This is by design.</para>
-
</description>
<value type="default"/>
have access to a local <citerefentry><refentrytitle>smbpasswd</refentrytitle>
<manvolnum>5</manvolnum></citerefentry> file (see the <citerefentry><refentrytitle>smbpasswd</refentrytitle>
<manvolnum>8</manvolnum></citerefentry> program for information on how to set up
- and maintain this file), or set the <smbconfoption name="security">[server|domain|ads]</smbconfoption> parameter which
+ and maintain this file), or set the <smbconfoption name="security">[domain|ads]</smbconfoption> parameter which
causes <command moreinfo="none">smbd</command> to authenticate against another
server.</para>
</description>
advanced="1" developer="1"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
- <para>This parameter is only useful in <smbconfoption name="SECURITY">
- security</smbconfoption> modes other than <parameter moreinfo="none">security = share</parameter>
- and <parameter moreinfo="none">security = server</parameter>
- - i.e. <constant>user</constant>, and <constant>domain</constant>.</para>
-
<para>This parameter can take four different values, which tell
<citerefentry><refentrytitle>smbd</refentrytitle>
<manvolnum>8</manvolnum></citerefentry> what to do with user
</itemizedlist>
<para>Note that this parameter is needed to set up "Guest"
- share services when using <parameter moreinfo="none">security</parameter> modes other than
- share and server. This is because in these modes the name of the resource being
+ share services. This is because in these modes the name of the resource being
requested is <emphasis>not</emphasis> sent to the server until after
the server has successfully authenticated the client so the server
cannot make authentication decisions at the correct time (connection
- to the share) for "Guest" shares. This parameter is not useful with
- <parameter moreinfo="none">security = server</parameter> as in this security mode
- no information is returned about whether a user logon failed due to
- a bad username or bad password, the same error is returned from a modern server
- in both cases.</para>
-
- <para>For people familiar with the older Samba releases, this
- parameter maps to the old compile-time setting of the <constant>
- GUEST_SESSSETUP</constant> value in local.h.</para>
+ to the share) for "Guest" shares. </para>
</description>
<value type="default">Never</value>
advanced="1" wizard="1" developer="1"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
- <para>By specifying the name of another SMB server
- or Active Directory domain controller with this option,
- and using <command moreinfo="none">security = [ads|domain|server]</command>
+ <para>By specifying the name of a domain controller with this option,
+ and using <command moreinfo="none">security = [ads|domain]</command>
it is possible to get Samba
to do all its username/password validation using a specific remote server.</para>
- <para>If the <parameter moreinfo="none">security</parameter> parameter is set to
- <constant>domain</constant> or <constant>ads</constant>, then this option
+ <para>Ideally, this option
<emphasis>should not</emphasis> be used, as the default '*' indicates to Samba
to determine the best DC to contact dynamically, just as all other hosts in an
- AD domain do. This allows the domain to be maintained without modification to
+ AD domain do. This allows the domain to be maintained (addition
+ and removal of domain controllers) without modification to
the smb.conf file. The cryptographic protection on the authenticated RPC calls
used to verify passwords ensures that this default is safe.</para>
parameter <smbconfoption name="name resolve order"/> and so may resolved
by any method and order described in that parameter.</para>
- <para>If the <parameter moreinfo="none">security</parameter> parameter is
- set to <constant>server</constant>, these additional restrictions apply:</para>
-
- <itemizedlist>
- <listitem>
- <para>You may list several password servers in
- the <parameter moreinfo="none">password server</parameter> parameter, however if an
- <command moreinfo="none">smbd</command> makes a connection to a password server,
- and then the password server fails, no more users will be able
- to be authenticated from this <command moreinfo="none">smbd</command>. This is a
- restriction of the SMB/CIFS protocol when in <command moreinfo="none">security = server
- </command> mode and cannot be fixed in Samba.</para>
- </listitem>
-
- <listitem>
- <para>You will have to ensure that your users
- are able to login from the Samba server, as when in <command moreinfo="none">
- security = server</command> mode the network logon will appear to
- come from the Samba server rather than from the users workstation.</para>
- </listitem>
-
- <listitem>
- <para>The client must not select NTLMv2 authentication.</para>
- </listitem>
-
- <listitem>
- <para>The password server must be a machine capable of using
- the "LM1.2X002" or the "NT LM 0.12" protocol, and it must be in
- user level security mode.</para>
- </listitem>
-
- <listitem>
- <para>Using a password server means your UNIX box (running
- Samba) is only as secure as (a host masquerading as) your password server. <emphasis>DO NOT
- CHOOSE A PASSWORD SERVER THAT YOU DON'T COMPLETELY TRUST</emphasis>.
- </para>
- </listitem>
-
- <listitem>
- <para>Never point a Samba server at itself for password serving.
- This will cause a loop and could lock up your Samba server!</para>
- </listitem>
-
- </itemizedlist>
</description>
<related>security</related>
to. The list can include group names using the syntax described in the <smbconfoption name="invalid users"/>
parameter.
</para>
-
- <para>This parameter will not work with the <smbconfoption name="security">share</smbconfoption> in
- Samba 3.0. This is by design.</para>
</description>
-
<related>write list</related>
<related>invalid users</related>
<para>The alternatives are
<command moreinfo="none">security = ads</command> or <command moreinfo="none">security = domain
- </command>, which support joining Samba to a Windows domain, along with <command moreinfo="none">security = server</command>, which is deprecated.</para>
+ </command>, which support joining Samba to a Windows domain</para>
<para>You should use <command moreinfo="none">security = user</command> and
<smbconfoption name="map to guest"/> if you
</para>
<para>
- Please note that for user or share mode security, the username map is applied prior to validating the user
+ Please note that for user mode security, the username map is applied prior to validating the user
credentials. Domain member servers (domain or ads) apply the username map after the user has been
successfully authenticated by the domain controller and require fully qualified entries in the map table (e.g.
biddle = <literal>DOMAIN\foo</literal>).
Note that the remapping is applied to all occurrences of usernames. Thus if you connect to \\server\fred and
<constant>fred</constant> is remapped to <constant>mary</constant> then you will actually be connecting to
\\server\mary and will need to supply a password suitable for <constant>mary</constant> not
- <constant>fred</constant>. The only exception to this is the username passed to the <smbconfoption
- name="password server"/> (if you have one). The password server will receive whatever username the client
+ <constant>fred</constant>. The only exception to this is the
+ username passed to a Domain Controller (if you have one). The DC will receive whatever username the client
supplies without modification.
</para>
given write access.
</para>
- <para>
- By design, this parameter will not work with the
- <smbconfoption name="security">share</smbconfoption> in Samba 3.0.
- </para>
-
</description>
<related>read list</related>
git.samba.org / gd / samba-autobuild / .git / commitdiff