1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00
samba-mirror/docs-xml/smbdotconf/security/serverrole.xml
Alexander Bokovoy e2d5b4d709 CVE-2020-25717: Add FreeIPA domain controller role
As we want to reduce use of 'classic domain controller' role but FreeIPA
relies on it internally, add a separate role to mark FreeIPA domain
controller role.

It means that role won't result in ROLE_STANDALONE.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Alexander Bokovoy <ab@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-09 19:45:33 +00:00

97 lines
5.1 KiB
XML

<samba:parameter name="server role"
context="G"
type="enum"
function="_server_role"
enumlist="enum_server_role"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
<para>This option determines the basic operating mode of a Samba
server and is one of the most important settings in the <filename
moreinfo="none"> smb.conf</filename> file.</para>
<para>The default is <command moreinfo="none">server role = auto</command>, as causes
Samba to operate according to the <smbconfoption name="security"/> setting, or if not
specified as a simple file server that is not connected to any domain.</para>
<para>The alternatives are
<command moreinfo="none">server role = standalone</command> or <command moreinfo="none">server role = member server
</command>, which support joining Samba to a Windows domain, along with <command moreinfo="none">server role = domain controller</command>, which run Samba as a Windows domain controller.</para>
<para>You should use <command moreinfo="none">server role = standalone</command> and
<smbconfoption name="map to guest"/> if you
want to mainly setup shares without a password (guest shares). This
is commonly used for a shared printer server. </para>
<para><anchor id="AUTO"/><emphasis>SERVER ROLE = AUTO</emphasis></para>
<para>This is the default server role in Samba, and causes Samba to consult
the <smbconfoption name="security"/> parameter (if set) to determine the server role, giving compatible behaviours to previous Samba versions.</para>
<para><anchor id="STANDALONE"/><emphasis>SERVER ROLE = STANDALONE</emphasis></para>
<para>If <smbconfoption name="security"/> is also not specified, this is the default security setting in Samba.
In standalone operation, a client must first &quot;log-on&quot; with a
valid username and password (which can be mapped using the <smbconfoption name="username map"/>
parameter) stored on this machine. Encrypted passwords (see the <smbconfoption name="encrypted passwords"/> parameter) are by default
used in this security mode. Parameters such as <smbconfoption name="user"/> and <smbconfoption
name="guest only"/> if set are then applied and
may change the UNIX user to use on this connection, but only after
the user has been successfully authenticated.</para>
<para><anchor id="MEMBER SERVER"/><emphasis>SERVER ROLE = MEMBER SERVER</emphasis></para>
<para>This mode will only work correctly if <citerefentry><refentrytitle>net</refentrytitle>
<manvolnum>8</manvolnum></citerefentry> has been used to add this
machine into a Windows Domain. It expects the <smbconfoption name="encrypted passwords"/>
parameter to be set to <constant>yes</constant>. In this
mode Samba will try to validate the username/password by passing
it to a Windows or Samba Domain Controller, in exactly
the same way that a Windows Server would do.</para>
<para><emphasis>Note</emphasis> that a valid UNIX user must still
exist as well as the account on the Domain Controller to allow
Samba to have a valid UNIX account to map file access to. Winbind can provide this.</para>
<para><anchor id="PDC"/><emphasis>SERVER ROLE = CLASSIC PRIMARY DOMAIN CONTROLLER</emphasis></para>
<para>This mode of operation runs a classic Samba primary domain
controller, providing domain logon services to Windows and Samba
clients of an NT4-like domain. Clients must be joined to the domain to
create a secure, trusted path across the network. There must be
only one PDC per NetBIOS scope (typcially a broadcast network or
clients served by a single WINS server).</para>
<para><anchor id="BDC"/><emphasis>SERVER ROLE = CLASSIC BACKUP DOMAIN CONTROLLER</emphasis></para>
<para>This mode of operation runs a classic Samba backup domain
controller, providing domain logon services to Windows and Samba
clients of an NT4-like domain. As a BDC, this allows
multiple Samba servers to provide redundant logon services to a
single NetBIOS scope.</para>
<para><anchor id="AD-DC"/><emphasis>SERVER ROLE = ACTIVE DIRECTORY DOMAIN CONTROLLER</emphasis></para>
<para>This mode of operation runs Samba as an active directory
domain controller, providing domain logon services to Windows and
Samba clients of the domain. This role requires special
configuration, see the <ulink
url="http://wiki.samba.org/index.php/Samba4/HOWTO">Samba4
HOWTO</ulink></para>
<para><anchor id="IPA-DC"/><emphasis>SERVER ROLE = IPA DOMAIN CONTROLLER</emphasis></para>
<para>This mode of operation runs Samba in a hybrid mode for IPA
domain controller, providing forest trust to Active Directory.
This role requires special configuration performed by IPA installers
and should not be used manually by any administrator.
</para>
</description>
<related>security</related>
<related>realm</related>
<related>encrypt passwords</related>
<value type="default">AUTO</value>
<value type="example">ACTIVE DIRECTORY DOMAIN CONTROLLER</value>
</samba:parameter>