mirror of
https://github.com/samba-team/samba.git
synced 2024-12-25 23:21:54 +03:00
992f1e6b8f
add the 5 missing chapters from the HOWTO
and add jht's Samba by Example book.
(This used to be commit 9fb5bcb93e)
101 lines
5.2 KiB
XML
101 lines
5.2 KiB
XML
<samba:parameter name="password server"
|
|
context="G"
|
|
type="list"
|
|
advanced="1" wizard="1" developer="1"
|
|
xmlns:samba="http://samba.org/common">
|
|
<description>
|
|
<para>By specifying the name of another SMB server
|
|
or Active Directory domain controller with this option,
|
|
and using <command moreinfo="none">security = [ads|domain|server]</command>
|
|
it is possible to get Samba to
|
|
to do all its username/password validation using a specific remote server.</para>
|
|
|
|
<para>This option sets the name or IP address of the password server to use.
|
|
New syntax has been added to support defining the port to use when connecting
|
|
to the server the case of an ADS realm. To define a port other than the
|
|
default LDAP port of 389, add the port number using a colon after the
|
|
name or IP address (e.g. 192.168.1.100:389). If you do not specify a port,
|
|
Samba will use the standard LDAP port of tcp/389. Note that port numbers
|
|
have no effect on password servers for Windows NT 4.0 domains or netbios
|
|
connections.</para>
|
|
|
|
<para>If parameter is a name, it is looked up using the
|
|
parameter <link linkend="NAMERESOLVEORDER"><parameter moreinfo="none">name
|
|
resolve order</parameter></link> and so may resolved
|
|
by any method and order described in that parameter.</para>
|
|
|
|
<para>The password server must be a machine capable of using
|
|
the "LM1.2X002" or the "NT LM 0.12" protocol, and it must be in
|
|
user level security mode.</para>
|
|
|
|
<note><para>Using a password server means your UNIX box (running
|
|
Samba) is only as secure as your password server. <emphasis>DO NOT
|
|
CHOOSE A PASSWORD SERVER THAT YOU DON'T COMPLETELY TRUST</emphasis>.
|
|
</para></note>
|
|
|
|
<para>Never point a Samba server at itself for password serving.
|
|
This will cause a loop and could lock up your Samba server!</para>
|
|
|
|
<para>The name of the password server takes the standard
|
|
substitutions, but probably the only useful one is <parameter moreinfo="none">%m
|
|
</parameter>, which means the Samba server will use the incoming
|
|
client as the password server. If you use this then you better
|
|
trust your clients, and you had better restrict them with hosts allow!</para>
|
|
|
|
<para>If the <parameter moreinfo="none">security</parameter> parameter is set to
|
|
<constant>domain</constant> or <constant>ads</constant>, then the list of machines in this
|
|
option must be a list of Primary or Backup Domain controllers for the
|
|
Domain or the character '*', as the Samba server is effectively
|
|
in that domain, and will use cryptographically authenticated RPC calls
|
|
to authenticate the user logging on. The advantage of using <command moreinfo="none">
|
|
security = domain</command> is that if you list several hosts in the
|
|
<parameter moreinfo="none">password server</parameter> option then <command moreinfo="none">smbd
|
|
</command> will try each in turn till it finds one that responds. This
|
|
is useful in case your primary server goes down.</para>
|
|
|
|
<para>If the <parameter moreinfo="none">password server</parameter> option is set
|
|
to the character '*', then Samba will attempt to auto-locate the
|
|
Primary or Backup Domain controllers to authenticate against by
|
|
doing a query for the name <constant>WORKGROUP<1C></constant>
|
|
and then contacting each server returned in the list of IP
|
|
addresses from the name resolution source. </para>
|
|
|
|
<para>If the list of servers contains both names/IP's and the '*'
|
|
character, the list is treated as a list of preferred
|
|
domain controllers, but an auto lookup of all remaining DC's
|
|
will be added to the list as well. Samba will not attempt to optimize
|
|
this list by locating the closest DC.</para>
|
|
|
|
<para>If the <parameter moreinfo="none">security</parameter> parameter is
|
|
set to <constant>server</constant>, then there are different
|
|
restrictions that <command moreinfo="none">security = domain</command> doesn't
|
|
suffer from:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>You may list several password servers in
|
|
the <parameter moreinfo="none">password server</parameter> parameter, however if an
|
|
<command moreinfo="none">smbd</command> makes a connection to a password server,
|
|
and then the password server fails, no more users will be able
|
|
to be authenticated from this <command moreinfo="none">smbd</command>. This is a
|
|
restriction of the SMB/CIFS protocol when in <command moreinfo="none">security = server
|
|
</command> mode and cannot be fixed in Samba.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>If you are using a Windows NT server as your
|
|
password server then you will have to ensure that your users
|
|
are able to login from the Samba server, as when in <command moreinfo="none">
|
|
security = server</command> mode the network logon will appear to
|
|
come from there rather than from the users workstation.</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</description>
|
|
|
|
<related>security</related>
|
|
<value type="default"></value>
|
|
<value type="example">NT-PDC, NT-BDC1, NT-BDC2, *</value>
|
|
<value type="example">windc.mydomain.com:389 192.168.1.101 *</value>
|
|
<value type="example">*</value>
|
|
</samba:parameter>
|