From: Stefan Metzmacher Date: Wed, 22 Mar 2017 11:11:26 +0000 (+0100) Subject: docs-xml: document "map untrusted to domain = auto" X-Git-Tag: tevent-0.9.32~99 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b6e2ddaee1867b49710d22ebcb6c87b2f0a54a29;p=thirdparty%2Fsamba.git docs-xml: document "map untrusted to domain = auto" BUG: https://bugzilla.samba.org/show_bug.cgi?id=8630 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett --- diff --git a/docs-xml/smbdotconf/security/mapuntrustedtodomain.xml b/docs-xml/smbdotconf/security/mapuntrustedtodomain.xml index a02948ace4b..095ce6e5760 100644 --- a/docs-xml/smbdotconf/security/mapuntrustedtodomain.xml +++ b/docs-xml/smbdotconf/security/mapuntrustedtodomain.xml @@ -1,9 +1,20 @@ + + With auto + smbd will defer the decision whether the domain name provided by the + client is a valid domain name to the Domain Controller (DC) of + the domain it is a member of, if it is not a DC. If the DC indicates + that the domain portion is unknown, then a local authentication is performed. + Standalone servers always ignore the domain. This is basically the same as + the behavior implemented in Windows. + + By default, and with no, if a client connects to smbd using an untrusted domain name, such as @@ -12,6 +23,11 @@ attempting to authenticate that user. In the case where smbd is acting as a NT4 PDC/BDC this will be DOMAIN\user. In the case where smbd is acting as a domain member server or a standalone server this will be WORKSTATION\user. + While this appears similar to the behaviour of + auto, + the difference is that smbd will use a cached (maybe incomplete) list + of trusted domains in order to classify a domain as "untrusted" + before contacting any DC first. @@ -21,6 +37,11 @@ primary domain before attempting to authenticate that user. This will be DOMAIN\user in all server roles except active directory domain controller. + + + auto was added + with Samba 4.7.0. + no
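Review bot: In the first hunk (@@ -1,9 +1,20 @@), the new auto paragraph ends its first sentence with "if it is not a DC" but never says what smbd does with the client-supplied domain when it is itself a DC. The trailing clause is also far enough from "smbd" that it can be read as applying to the Domain Controller. Suggest describing the behaviour per server role (domain member, DC, standalone), since the standalone case is already called out separately. "This is basically the same as the behavior implemented in Windows" would be more useful if it named the point of equivalence. This paragraph uses "behavior" while the next hunk uses "behaviour"; pick one spelling.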
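Review bot: In the second hunk (@@ -12,6 +23,11 @@), the added sentence says the cached list of trusted domains is "maybe incomplete" but leaves the operational consequence implicit: with no, a domain that is actually trusted but missing from the cache is classified as untrusted, so the login is attempted as DOMAIN\user or WORKSTATION\user as described just above. That is the reason an administrator would choose auto, so it is worth stating outright. "before contacting any DC first" is also redundant; "before contacting any DC" or "without first contacting any DC" reads more cleanly.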
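Review bot: In the third hunk (@@ -21,6 +37,11 @@), the version note says when auto was added but not that it has to be set explicitly. The context still reads "By default, and with no", so readers on 4.7.0 or later keep the cached-list behaviour unless they change the setting. Suggest adding that the default is unchanged, and "was added in Samba 4.7.0" is the more usual phrasing than "added with".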