From ba448e6eb866d70daf5fe629c0f1c8c5afb1d312 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Tue, 1 Jul 2003 18:34:31 +0000 Subject: [PATCH] being a responsible developer for a change. Make sure to update the docs wrt to the recent code changes. Can someone regenerate these in the SAMBA_3_0 tree please? Thanks. --- docs/docbook/smbdotconf/base/adsserver.xml | 15 --------- .../smbdotconf/protocol/nameresolveorder.xml | 16 +++++++--- .../smbdotconf/security/authmethods.xml | 14 ++++++-- .../smbdotconf/security/passwordserver.xml | 32 +++++++++++-------- 4 files changed, 42 insertions(+), 35 deletions(-) delete mode 100644 docs/docbook/smbdotconf/base/adsserver.xml diff --git a/docs/docbook/smbdotconf/base/adsserver.xml b/docs/docbook/smbdotconf/base/adsserver.xml deleted file mode 100644 index 4dd2a4b6351..00000000000 --- a/docs/docbook/smbdotconf/base/adsserver.xml +++ /dev/null @@ -1,15 +0,0 @@ - - - If this option is specified, samba does not try to figure out what - ads server to use itself, but uses the specified ads server. Either one - DNS name or IP address can be used. - - Default: ads server = - - Example: ads server = 192.168.1.2 - - - diff --git a/docs/docbook/smbdotconf/protocol/nameresolveorder.xml b/docs/docbook/smbdotconf/protocol/nameresolveorder.xml index c029dcd181d..777fc2268ea 100644 --- a/docs/docbook/smbdotconf/protocol/nameresolveorder.xml +++ b/docs/docbook/smbdotconf/protocol/nameresolveorder.xml @@ -5,7 +5,8 @@ This option is used by the programs in the Samba suite to determine what naming services to use and in what order - to resolve host names to IP addresses. The option takes a space + to resolve host names to IP addresses. Its main purpose to is to + control how netbios name resolution is performed. The option takes a space separated string of name resolution options. The options are: "lmhosts", "host", @@ -16,7 +17,8 @@ lmhosts : Lookup an IP address in the Samba lmhosts file. If the line in lmhosts has - no name type attached to the NetBIOS name (see the lmhosts(5) for details) then + no name type attached to the NetBIOS name (see the lmhosts(5) for details) then any name type matches for lookup. @@ -26,9 +28,10 @@ , NIS, or DNS lookups. This method of name resolution is operating system depended for instance on IRIX or Solaris this may be controlled by the /etc/nsswitch.conf - file. Note that this method is only used if the NetBIOS name - type being queried is the 0x20 (server) name type, otherwise - it is ignored. + file. Note that this method is used only if the NetBIOS name + type being queried is the 0x20 (server) name type or 0x1c (domain controllers). + The latter case is only useful for active directory domains and results in a DNS + query for the SRV RR entry matching _ldap._tcp.domain. @@ -59,6 +62,9 @@ it is advised to use following settings for name resolve order: name resolve order = wins bcast + + DC lookups will still be done via DNS, but fallbacks to netbios names will + not inundate your DNS servers with needless querys for DOMAIN<0x1c> lookups. diff --git a/docs/docbook/smbdotconf/security/authmethods.xml b/docs/docbook/smbdotconf/security/authmethods.xml index 0b7965d55bf..7c0f5a71e11 100644 --- a/docs/docbook/smbdotconf/security/authmethods.xml +++ b/docs/docbook/smbdotconf/security/authmethods.xml @@ -6,14 +6,24 @@ This option allows the administrator to chose what authentication methods smbd will use when authenticating a user. This option defaults to sensible values based on - security. + security. This should be considered + a developer option and used only in rare circumstances. In the majority (if not all) + of production servers, the default setting should be adequate. Each entry in the list attempts to authenticate the user in turn, until the user authenticates. In practice only one method will ever actually be able to complete the authentication. + Possible options include guest (anonymous access), + sam (lookups in local list of accounts based on netbios + name or domain name), winbind (relay authentication requests + for remote users through winbindd), ntdomain (pre-winbindd + method of authentication for remote domain users; deprecated in favour of winbind method), + trustdomain (authenticate trusted users by contacting the + remote DC directly from smbd; deprecated in favour of winbind method). + Default: auth methods = <empty string> - Example: auth methods = guest sam ntdomain + Example: auth methods = guest sam winbind diff --git a/docs/docbook/smbdotconf/security/passwordserver.xml b/docs/docbook/smbdotconf/security/passwordserver.xml index e40ff32b75f..f8540270415 100644 --- a/docs/docbook/smbdotconf/security/passwordserver.xml +++ b/docs/docbook/smbdotconf/security/passwordserver.xml @@ -3,18 +3,22 @@ advanced="1" wizard="1" developer="1" xmlns:samba="http://samba.org/common"> - By specifying the name of another SMB server (such - as a WinNT box) with this option, and using security = domain - or security = server you can get Samba - to do all its username/password validation via a remote server. + By specifying the name of another SMB server + or Active Directory domain controller with this option, + and using security = [ads|domain|server] + it is possible to get Samba to + to do all its username/password validation using a specific remote server. - This option sets the name of the password server to use. - It must be a NetBIOS name, so if the machine's NetBIOS name is - different from its Internet name then you may have to add its NetBIOS - name to the lmhosts file which is stored in the same directory - as the smb.conf file. + This option sets the name or IP address of the password server to use. + New syntax has been added to support defining the port to use when connecting + to the server the case of an ADS realm. To define a port other than the + default LDAP port of 389, add the port number using a colon after the + name or IP address (e.g. 192.168.1.100:389). If you do not specify a port, + Samba will use the standard LDAP port of tcp/389. Note that port numbers + have no effect on password servers for Windows NT 4.0 domains or netbios + connections. - The name of the password server is looked up using the + If parameter is a name, it is looked up using the parameter name resolve order and so may resolved by any method and order described in that parameter. @@ -38,14 +42,14 @@ trust your clients, and you had better restrict them with hosts allow! If the security parameter is set to - domain, then the list of machines in this + domain or ads, then the list of machines in this option must be a list of Primary or Backup Domain controllers for the Domain or the character '*', as the Samba server is effectively in that domain, and will use cryptographically authenticated RPC calls to authenticate the user logging on. The advantage of using security = domain is that if you list several hosts in the password server option then smbd - will try each in turn till it finds one that responds. This + will try each in turn till it finds one that responds. This is useful in case your primary server goes down. If the password server option is set @@ -55,7 +59,7 @@ and then contacting each server returned in the list of IP addresses from the name resolution source. - If the list of servers contains both names and the '*' + If the list of servers contains both names/IP's and the '*' character, the list is treated as a list of preferred domain controllers, but an auto lookup of all remaining DC's will be added to the list as well. Samba will not attempt to optimize @@ -93,6 +97,8 @@ Example: password server = NT-PDC, NT-BDC1, NT-BDC2, * + Example: password server = windc.mydomain.com:389 192.168.1.101 * + Example: password server = *