From: Rob van der Linde Date: Mon, 25 Mar 2024 00:46:47 +0000 (+1300) Subject: netcmd: docs: update documentation for new auth policy command structure X-Git-Tag: tdb-1.4.11~1317 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=93f4be164714ddd36e52bcc28d8278361ba6bf2f;p=thirdparty%2Fsamba.git netcmd: docs: update documentation for new auth policy command structure Signed-off-by: Rob van der Linde Reviewed-by: Douglas Bagnall Reviewed-by: Andrew Bartlett --- diff --git a/docs-xml/manpages/samba-tool.8.xml b/docs-xml/manpages/samba-tool.8.xml index a9b62611090..62ce4e690d4 100644 --- a/docs-xml/manpages/samba-tool.8.xml +++ b/docs-xml/manpages/samba-tool.8.xml @@ -761,38 +761,6 @@ - - --user-allowed-to-authenticate-from-device-group=GROUP - - - User is allowed to - authenticate, if the device they - authenticate from is assigned - and granted membership of a - given GROUP. - - - This attribute avoids the need to write SDDL by hand and - cannot be used with --user-allowed-to-authenticate-from - - - - - --user-allowed-to-authenticate-from-device-silo=SILO - - - User is allowed to - authenticate, if the device they - authenticate from is assigned - and granted membership of a - given SILO. - - - This attribute avoids the need to write SDDL by hand and - cannot be used with --user-allowed-to-authenticate-from - - - --user-allowed-to-authenticate-to=SDDL 
@@ -813,42 +781,6 @@ - - --user-allowed-to-authenticate-to-by-group=GROUP - - - The user account, offering a - network service, covered by - this policy, will only be allowed - access from other accounts - that are members of the given - GROUP. - - - This attribute avoids the need to write SDDL by hand and - cannot be used with --user-allowed-to-authenticate-to - - - - - --user-allowed-to-authenticate-to-by-silo=SILO - - - The user account, offering a - network service, covered by - this policy, will only be - allowed access from other accounts - that are assigned to, - granted membership of (and - meet any authentication - conditions of) the given SILO. - - - This attribute avoids the need to write SDDL by hand and - cannot be used with --user-allowed-to-authenticate-to - - - --service-tgt-lifetime-mins @@ -889,41 +821,6 @@ - - --service-allowed-to-authenticate-from-device-silo=SILO - - - The service account (eg a Managed - Service Account, Group Managed - Service Account) is allowed to - authenticate, if the device it - authenticates from is assigned - and granted membership of a - given SILO. - - - This attribute avoids the need to write SDDL by hand and - cannot be used with --service-allowed-to-authenticate-from - - - - - --service-allowed-to-authenticate-from-device-group=GROUP - - - The service account (eg a Managed - Service Account, Group Managed - Service Account) is allowed to - authenticate, if the device it - authenticates from is a member - of the given GROUP. - - - This attribute avoids the need to write SDDL by hand and - cannot be used with --service-allowed-to-authenticate-from - - - --service-allowed-to-authenticate-to=SDDL 
@@ -944,42 +841,6 @@ - - --service-allowed-to-authenticate-to-by-group=GROUP - - - The service account (eg a Managed - Service Account, Group Managed - Service Account), will only be - allowed access by other accounts - that are members of the given - GROUP. - - - This attribute avoids the need to write SDDL by hand and - cannot be used with --service-allowed-to-authenticate-to - - - - - --service-allowed-to-authenticate-to-by-silo=SILO - - - The service account (eg a - Managed Service Account, Group - Managed Service Account), will - only be allowed access by other - accounts that are assigned - to, granted membership of (and - meet any authentication - conditions of) the given SILO. - - - This attribute avoids the need to write SDDL by hand and - cannot be used with --service-allowed-to-authenticate-to - - - --computer-tgt-lifetime-mins @@ -1007,43 +868,7 @@ - - --computer-allowed-to-authenticate-to-by-group=GROUP - - - The computer account (eg a server - or workstation), will only be - allowed access by other accounts - that are members of the given - GROUP. - - - This attribute avoids the need to write SDDL by hand and - cannot be used with --computer-allowed-to-authenticate-to - - - - - --computer-allowed-to-authenticate-to-by-silo=SILO - - - The computer account (eg a - server or workstation), will - only be allowed access by - other accounts that are - assigned to, granted - membership of (and meet any - authentication conditions of) - the given SILO. - - - This attribute avoids the need to write SDDL by hand and - cannot be used with --computer-allowed-to-authenticate-to - - - - - + 
@@ -1077,6 +902,215 @@ + + domain auth policy user-allowed-to-authenticate-from set + Set the user-allowed-to-authenticate-from property by scenario. + + + -H, --URL + + LDB URL for database or target server. + + + + --name + + Name of authentication policy. + + + + --by-group=GROUP + + User is allowed to + authenticate, if the device they + authenticate from is assigned + and granted membership of a + given GROUP. + + + + --silo=SILO + + User is allowed to + authenticate, if the device they + authenticate from is assigned + and granted membership of a + given SILO. + + + + + + + domain auth policy user-allowed-to-authenticate-to set + Set the user-allowed-to-authenticate-to property by scenario. + + + -H, --URL + + LDB URL for database or target server. + + + + --name + + Name of authentication policy. + + + + --group=GROUP + + The user account, offering a + network service, covered by + this policy, will only be allowed + access from other accounts + that are members of the given + GROUP. + + + + --silo=SILO + + The user account, offering a + network service, covered by + this policy, will only be + allowed access from other accounts + that are assigned to, + granted membership of (and + meet any authentication + conditions of) the given SILO. + + + + + + + domain auth policy service-allowed-to-authenticate-from set + Set the service-allowed-to-authenticate-from property by scenario. + + + -H, --URL + + LDB URL for database or target server. + + + + --name + + Name of authentication policy. + + + + --group=GROUP + + The service account (eg a Managed + Service Account, Group Managed + Service Account) is allowed to + authenticate, if the device it + authenticates from is a member + of the given GROUP. + + + + --silo=SILO + + The service account (eg a Managed + Service Account, Group Managed + Service Account) is allowed to + authenticate, if the device it + authenticates from is assigned + and granted membership of a + given SILO. 
+ + + + + + + domain auth policy service-allowed-to-authenticate-to set + Set the service-allowed-to-authenticate-to property by scenario. + + + -H, --URL + + LDB URL for database or target server. + + + + --name + + Name of authentication policy. + + + + --group=GROUP + + The service account (eg a Managed + Service Account, Group Managed + Service Account), will only be + allowed access by other accounts + that are members of the given + GROUP. + + + + --silo=SILO + + The service account (eg a + Managed Service Account, Group + Managed Service Account), will + only be allowed access by other + accounts that are assigned + to, granted membership of (and + meet any authentication + conditions of) the given SILO. + + + + + + + domain auth policy computer-allowed-to-authenticate-to set + Set the computer-allowed-to-authenticate-to property by scenario. + + + -H, --URL + + LDB URL for database or target server. + + + + --name + + Name of authentication policy. + + + + --group=GROUP + + The computer account (eg a server + or workstation), will only be + allowed access by other accounts + that are members of the given + GROUP. + + + + --silo=SILO + + The computer account (eg a + server or workstation), will + only be allowed access by + other accounts that are + assigned to, granted + membership of (and meet any + authentication conditions of) + the given SILO. + + + + + domain auth silo Manage authentication silos.
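Review bot: the removal hunks (at -761, -813, -889, -944 and -1007) each drop the sentence "This attribute avoids the need to write SDDL by hand and cannot be used with --user-allowed-to-authenticate-from" (or its per-option equivalent), and none of the new `set` sections replaces it. As documented, `--group` and `--silo` carry no statement on whether they may be given together or whether one of them is required. Nothing says what `set` does to a value previously supplied through the retained SDDL options such as `--user-allowed-to-authenticate-to=SDDL`. Since these options decide who may authenticate, suggest one sentence per `set` section stating the exclusivity rule and that the command writes the SDDL for the named policy, so an administrator does not have to infer whether an existing restriction is replaced.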
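Review bot: in the added `domain auth policy user-allowed-to-authenticate-from set` section (hunk at +902) the group option is documented as `--by-group=GROUP`, while its sibling in the same section is `--silo=SILO` and the other four new `set` sections all use `--group=GROUP`. Please check which spelling the command accepts and make the man page match it; if the option is `--group`, this looks like a leftover from the old `-by-group` names. The description under that option also says the device "is assigned and granted membership of a given GROUP", which is the silo wording; the service-allowed-to-authenticate-from entry's "is a member of the given GROUP" would be consistent here. The `--name` entries could say whether the option is mandatory.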