From: John Terpstra Date: Wed, 6 Jul 2005 21:23:58 +0000 (+0000) Subject: Removal of CRUFT. 50 lashes to those who created CRUFT. Argh. X-Git-Tag: samba-4.0.0alpha6~801^2~2069 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=5357c5e6e30035fa8d7a552675aaa355f7a27bb4;p=thirdparty%2Fsamba.git Removal of CRUFT. 50 lashes to those who created CRUFT. Argh. (This used to be commit 555e174de5d390cdc744b8bcbecbeccc31079a23) --- diff --git a/docs/manpages-3/winbindd.8.xml b/docs/manpages-3/winbindd.8.xml index 1ad8a6ff1e0..4d02ed6a35d 100644 --- a/docs/manpages-3/winbindd.8.xml +++ b/docs/manpages-3/winbindd.8.xml @@ -255,25 +255,30 @@ hosts: files wins EXAMPLE SETUP - To setup winbindd for user and group lookups plus + + To setup winbindd for user and group lookups plus authentication from a domain controller use something like the - following setup. This was tested on a RedHat 6.2 Linux box. + following setup. This was tested on an early Red Hat Linux box. + In /etc/nsswitch.conf put the following: -passwd: files winbind -group: files winbind - +passwd: files winbind +group: files winbind + + In /etc/pam.d/* replace the auth lines with something like this: -auth required /lib/security/pam_securetty.so -auth required /lib/security/pam_nologin.so -auth sufficient /lib/security/pam_winbind.so -auth required /lib/security/pam_pwdb.so use_first_pass shadow nullok - +auth required /lib/security/pam_securetty.so +auth required /lib/security/pam_nologin.so +auth sufficient /lib/security/pam_winbind.so +auth required /lib/security/pam_pwdb.so \ + use_first_pass shadow nullok + + Note in particular the use of the sufficient diff --git a/docs/smbdotconf/base/bindinterfacesonly.xml b/docs/smbdotconf/base/bindinterfacesonly.xml index 0fd302ceaa6..ae72efd73d0 100644 --- a/docs/smbdotconf/base/bindinterfacesonly.xml +++ b/docs/smbdotconf/base/bindinterfacesonly.xml 
@@ -10,60 +10,59 @@ 8 and name service nmbd 8 in a slightly different ways. - For name service it causes nmbd to bind - to ports 137 and 138 on the interfaces listed in - the interfaces parameter. nmbd also - binds to the "all addresses" interface (0.0.0.0) - on ports 137 and 138 for the purposes of reading broadcast messages. - If this option is not set then nmbd will service - name requests on all of these sockets. If is set then nmbd will check the - source address of any packets coming in on the broadcast sockets - and discard any that don't match the broadcast addresses of the - interfaces in the parameter list. - As unicast packets are received on the other sockets it allows - nmbd to refuse to serve names to machines that - send packets that arrive through any interfaces not listed in the - list. IP Source address spoofing - does defeat this simple check, however, so it must not be used - seriously as a security feature for nmbd. + + For name service it causes nmbd to bind to ports 137 and 138 on the + interfaces listed in the parameter. nmbd + also binds to the "all addresses" interface (0.0.0.0) on ports 137 and 138 for the purposes of + reading broadcast messages. If this option is not set then nmbd will + service name requests on all of these sockets. If is set then + nmbd will check the source address of any packets coming in on the + broadcast sockets and discard any that don't match the broadcast addresses of the interfaces in the + parameter list. As unicast packets are received on the other sockets it + allows nmbd to refuse to serve names to machines that send packets that + arrive through any interfaces not listed in the list. IP Source address + spoofing does defeat this simple check, however, so it must not be used seriously as a security feature for + nmbd. + - For file service it causes smbd - 8 to bind only to the interface list - given in the interfaces parameter. 
This - restricts the networks that smbd will serve - to packets coming in those interfaces. Note that you should not use this parameter - for machines that are serving PPP or other intermittent or non-broadcast network - interfaces as it will not cope with non-permanent interfaces. + + For file service it causes smbd + 8 to bind only to the interface list given in the parameter. This restricts the networks that smbd will + serve to packets coming in those interfaces. Note that you should not use this parameter for machines that + are serving PPP or other intermittent or non-broadcast network interfaces as it will not cope with + non-permanent interfaces. + -If is set then - unless the network address 127.0.0.1 is added - to the parameter - list smbpasswd - 8 and swat - 8 may not work as expected due - to the reasons covered below. + + If is set then unless the network address + 127.0.0.1 is added to the parameter list + smbpasswd 8 and + swat 8 may not work as + expected due to the reasons covered below. + - To change a users SMB password, the smbpasswd - by default connects to the localhost - 127.0.0.1 - address as an SMB client to issue the password change request. If - is set then unless the - network address 127.0.0.1 is added to the - parameter list then - smbpasswd will fail to connect in it's default mode. - smbpasswd can be forced to use the primary IP interface - of the local host by using its smbpasswd - 8 -r remote machine - parameter, with remote machine set - to the IP name of the primary interface of the local host. + + To change a users SMB password, the smbpasswd by default connects to the + localhost - 127.0.0.1 address as an SMB client to issue the password change request. If + is set then unless the network address + 127.0.0.1 is added to the parameter list then smbpasswd will fail to connect in it's default mode. 
smbpasswd can be forced to use the primary IP interface of the local host by using + its smbpasswd 8 -r remote machine parameter, with remote + machine set to the IP name of the primary interface of the local host. + - The swat status page tries to connect with - smbd and nmbd at the address - 127.0.0.1 to determine if they are running. - Not adding 127.0.0.1 will cause - smbd and nmbd to always show - "not running" even if they really are. This can prevent - swat from starting/stopping/restarting smbd - and nmbd. + + The swat status page tries to connect with smbd and nmbd at the address + 127.0.0.1 to determine if they are running. Not adding 127.0.0.1 + will cause smbd and nmbd to always show + "not running" even if they really are. This can prevent swat + from starting/stopping/restarting smbd and nmbd. + no diff --git a/docs/smbdotconf/filename/manglingchar.xml b/docs/smbdotconf/filename/manglingchar.xml index 39e7546ef03..95b47794d1d 100644 --- a/docs/smbdotconf/filename/manglingchar.xml +++ b/docs/smbdotconf/filename/manglingchar.xml @@ -4,7 +4,7 @@ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> This controls what character is used as - the magic character in name mangling. The + the magic character in . The default is a '~' but this may interfere with some software. Use this option to set it to whatever you prefer. This is effective only when mangling method is hash. diff --git a/docs/smbdotconf/locking/fakeoplocks.xml b/docs/smbdotconf/locking/fakeoplocks.xml index 069cdaa95e7..fa004d7497a 100644 --- a/docs/smbdotconf/locking/fakeoplocks.xml +++ b/docs/smbdotconf/locking/fakeoplocks.xml @@ -15,8 +15,7 @@ smbd8 will always grant oplock requests no matter how many clients are using the file. - It is generally much better to use the real - oplocks support rather + It is generally much better to use the real support rather than this parameter. If you enable this option on all read-only shares or 
diff --git a/docs/smbdotconf/locking/kerneloplocks.xml b/docs/smbdotconf/locking/kerneloplocks.xml index a89f6b4d80a..c4f12b9bd42 100644 --- a/docs/smbdotconf/locking/kerneloplocks.xml +++ b/docs/smbdotconf/locking/kerneloplocks.xml @@ -3,8 +3,7 @@ context="G" xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> - For UNIXes that support kernel based - oplocks + For UNIXes that support kernel based (currently only IRIX and the Linux 2.4 kernel), this parameter allows the use of them to be turned on or off. diff --git a/docs/smbdotconf/locking/level2oplocks.xml b/docs/smbdotconf/locking/level2oplocks.xml index 96a855c45a8..496701b1885 100644 --- a/docs/smbdotconf/locking/level2oplocks.xml +++ b/docs/smbdotconf/locking/level2oplocks.xml @@ -26,11 +26,11 @@ For more discussions on level2 oplocks see the CIFS spec. - Currently, if kernel - oplocks are supported then level2 oplocks are - not granted (even if this parameter is set to yes). - Note also, the oplocks - parameter must be set to yes on this share in order for + + Currently, if are supported then + level2 oplocks are not granted (even if this parameter is set to + yes). Note also, the + parameter must be set to yes on this share in order for this parameter to have any effect. diff --git a/docs/smbdotconf/locking/lockspintime.xml b/docs/smbdotconf/locking/lockspintime.xml index 172e8548949..c2e5501f070 100644 --- a/docs/smbdotconf/locking/lockspintime.xml +++ b/docs/smbdotconf/locking/lockspintime.xml @@ -5,8 +5,7 @@ The time in microseconds that smbd should pause before attempting to gain a failed lock. See - lock spin - count for more details. + for more details. 10 diff --git a/docs/smbdotconf/locking/oplocks.xml b/docs/smbdotconf/locking/oplocks.xml index d7f453c5612..3ce70a78833 100644 --- a/docs/smbdotconf/locking/oplocks.xml +++ b/docs/smbdotconf/locking/oplocks.xml 
@@ -14,8 +14,7 @@ directory. Oplocks may be selectively turned off on certain files with a - share. See the - veto oplock files parameter. On some systems + share. See the parameter. On some systems oplocks are recognized by the underlying operating system. This allows data synchronization between all access to oplocked files, whether it be via Samba or NFS or a local UNIX process. See the diff --git a/docs/smbdotconf/logging/debughirestimestamp.xml b/docs/smbdotconf/logging/debughirestimestamp.xml index 7da4573df5e..eef5af73f0f 100644 --- a/docs/smbdotconf/logging/debughirestimestamp.xml +++ b/docs/smbdotconf/logging/debughirestimestamp.xml @@ -9,8 +9,8 @@ boolean parameter adds microsecond resolution to the timestamp message header when turned on. - Note that the parameter - debug timestamp must be on for this to have an + + Note that the parameter must be on for this to have an effect. diff --git a/docs/smbdotconf/logging/debugpid.xml b/docs/smbdotconf/logging/debugpid.xml index 1d6bc957042..0d84eb5263f 100644 --- a/docs/smbdotconf/logging/debugpid.xml +++ b/docs/smbdotconf/logging/debugpid.xml @@ -11,8 +11,7 @@ is adds the process-id to the timestamp message headers in the logfile when turned on. - Note that the parameter - debug timestamp must be on for this to have an + Note that the parameter must be on for this to have an effect. no diff --git a/docs/smbdotconf/logging/debugtimestamp.xml b/docs/smbdotconf/logging/debugtimestamp.xml index 2215baeb010..ac1ce7b09eb 100644 --- a/docs/smbdotconf/logging/debugtimestamp.xml +++ b/docs/smbdotconf/logging/debugtimestamp.xml @@ -6,8 +6,7 @@ timestamp logs Samba debug log messages are timestamped - by default. If you are running at a high - debug level these timestamps + by default. If you are running at a high these timestamps can be distracting. This boolean parameter allows timestamping to be turned off. 
diff --git a/docs/smbdotconf/logging/debuguid.xml b/docs/smbdotconf/logging/debuguid.xml index af84501e809..616128a581f 100644 --- a/docs/smbdotconf/logging/debuguid.xml +++ b/docs/smbdotconf/logging/debuguid.xml @@ -9,8 +9,7 @@ current euid, egid, uid and gid to the timestamp message headers in the log file if turned on. - Note that the parameter - debug timestamp must be on for this to have an + Note that the parameter must be on for this to have an effect. no diff --git a/docs/smbdotconf/logon/abortshutdownscript.xml b/docs/smbdotconf/logon/abortshutdownscript.xml index b9084897ff2..f1ac6183dce 100644 --- a/docs/smbdotconf/logon/abortshutdownscript.xml +++ b/docs/smbdotconf/logon/abortshutdownscript.xml @@ -6,8 +6,7 @@ This a full path name to a script called by smbd 8 that - should stop a shutdown procedure issued by the - shutdown script. + should stop a shutdown procedure issued by the . If the connected user posseses the SeRemoteShutdownPrivilege, right, this command will be run as user. diff --git a/docs/smbdotconf/logon/adduserscript.xml b/docs/smbdotconf/logon/adduserscript.xml index 568c054a1ac..1dd71b3867a 100644 --- a/docs/smbdotconf/logon/adduserscript.xml +++ b/docs/smbdotconf/logon/adduserscript.xml @@ -38,11 +38,10 @@ already existed. In this way, UNIX users are dynamically created to match existing Windows NT accounts. - See also - security, - password server, - delete user - script. + + See also , , + . + diff --git a/docs/smbdotconf/logon/domainlogons.xml b/docs/smbdotconf/logon/domainlogons.xml index 7c432221d09..d274faa18ba 100644 --- a/docs/smbdotconf/logon/domainlogons.xml +++ b/docs/smbdotconf/logon/domainlogons.xml 
@@ -7,8 +7,7 @@ If set to yes, the Samba server will provide the netlogon service for Windows 9X network logons for the - - workgroup it is in. + it is in. This will also cause the Samba server to act as a domain controller for NT4 style domain services. For more details on setting up this feature see the Domain Control chapter of the diff --git a/docs/smbdotconf/logon/logondrive.xml b/docs/smbdotconf/logon/logondrive.xml index a37c2e760b7..2b8f016ecee 100644 --- a/docs/smbdotconf/logon/logondrive.xml +++ b/docs/smbdotconf/logon/logondrive.xml @@ -5,8 +5,7 @@ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> This parameter specifies the local path to - which the home directory will be connected (see - logon home) + which the home directory will be connected (see ) and is only used by NT Workstations. Note that this option is only useful if Samba is set up as a diff --git a/docs/smbdotconf/logon/logonhome.xml b/docs/smbdotconf/logon/logonhome.xml index 8d07550c300..59399026252 100644 --- a/docs/smbdotconf/logon/logonhome.xml +++ b/docs/smbdotconf/logon/logonhome.xml @@ -29,8 +29,7 @@ \\server\share when a user does net use /home but use the whole string when dealing with profiles. - Note that in prior versions of Samba, the - logon path was returned rather than + Note that in prior versions of Samba, the was returned rather than logon home. This broke net use /home but allowed profiles outside the home directory. The current implementation is correct, and can be used for profiles if you use diff --git a/docs/smbdotconf/logon/logonpath.xml b/docs/smbdotconf/logon/logonpath.xml index ab87c77bb9b..eb2e9de0569 100644 --- a/docs/smbdotconf/logon/logonpath.xml +++ b/docs/smbdotconf/logon/logonpath.xml 
@@ -8,8 +8,7 @@ where roaming profiles (NTuser.dat etc files for Windows NT) are stored. Contrary to previous versions of these manual pages, it has nothing to do with Win 9X roaming profiles. To find out how to - handle roaming profiles for Win 9X system, see the - logon home parameter. + handle roaming profiles for Win 9X system, see the parameter. This option takes the standard substitutions, allowing you to have separate logon scripts for each user or machine. It also diff --git a/docs/smbdotconf/logon/logonscript.xml b/docs/smbdotconf/logon/logonscript.xml index eb7bda66ee4..847896e1ce9 100644 --- a/docs/smbdotconf/logon/logonscript.xml +++ b/docs/smbdotconf/logon/logonscript.xml @@ -11,13 +11,13 @@ file is recommended. The script must be a relative path to the [netlogon] - service. If the [netlogon] service specifies a - path of /usr/local/samba/netlogon, and logon script = STARTUP.BAT, then - the file that will be downloaded is: - - /usr/local/samba/netlogon/STARTUP.BAT + service. If the [netlogon] service specifies a of /usr/local/samba/netlogon, and STARTUP.BAT, then the file that will be downloaded is: + + /usr/local/samba/netlogon/STARTUP.BAT + + The contents of the batch file are entirely your choice. A suggested command would be to add NET TIME \\SERVER /SET @@ -35,8 +35,7 @@ This option takes the standard substitutions, allowing you to have separate logon scripts for each user or machine. - This option is only useful if Samba is set up as a logon - server. + This option is only useful if Samba is set up as a logon server. scripts\%U.bat diff --git a/docs/smbdotconf/misc/addsharecommand.xml b/docs/smbdotconf/misc/addsharecommand.xml index c1eecd59305..a351044e183 100644 --- a/docs/smbdotconf/misc/addsharecommand.xml +++ b/docs/smbdotconf/misc/addsharecommand.xml @@ -47,8 +47,7 @@ This parameter is only used for add file shares. To add printer shares, - see the addprinter - command. + see the . 
diff --git a/docs/smbdotconf/misc/defaultservice.xml b/docs/smbdotconf/misc/defaultservice.xml index f7a6c0234db..ca986d460a9 100644 --- a/docs/smbdotconf/misc/defaultservice.xml +++ b/docs/smbdotconf/misc/defaultservice.xml @@ -14,14 +14,12 @@ parameter is not given, attempting to connect to a nonexistent service results in an error. - Typically the default service would be a - guest ok, - read-only service. - - Also note that the apparent service name will be changed - to equal that of the requested service, this is very useful as it - allows you to use macros like %S to make - a wildcard service. + + Typically the default service would be a , service. Also note that the apparent service name will be changed to equal + that of the requested service, this is very useful as it allows you to use macros like %S to make a wildcard service. + Note also that any "_" characters in the name of the service used in the default service will get mapped to a "/". This allows for diff --git a/docs/smbdotconf/misc/deletesharecommand.xml b/docs/smbdotconf/misc/deletesharecommand.xml index 1489a4136dd..1afce2fd24b 100644 --- a/docs/smbdotconf/misc/deletesharecommand.xml +++ b/docs/smbdotconf/misc/deletesharecommand.xml @@ -35,8 +35,7 @@ This parameter is only used to remove file shares. To delete printer shares, - see the deleteprinter - command. + see the . diff --git a/docs/smbdotconf/misc/homedirmap.xml b/docs/smbdotconf/misc/homedirmap.xml index 4e4e0d9fe5c..3459928b583 100644 --- a/docs/smbdotconf/misc/homedirmap.xml +++ b/docs/smbdotconf/misc/homedirmap.xml @@ -4,8 +4,8 @@ advanced="1" developer="1" xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> - Ifnis homedir - is yes, and smbd + If is yes, + and smbd 8 is also acting as a Win95/98 logon server then this parameter specifies the NIS (or YP) map from which the server for the user's diff --git a/docs/smbdotconf/misc/lockdirectory.xml b/docs/smbdotconf/misc/lockdirectory.xml index a0abf8cf97c..d96351a4fba 100644 
--- a/docs/smbdotconf/misc/lockdirectory.xml +++ b/docs/smbdotconf/misc/lockdirectory.xml @@ -7,8 +7,8 @@ This option specifies the directory where lock files will be placed. The lock files are used to implement the - max connections - option. + option. + ${prefix}/var/locks diff --git a/docs/smbdotconf/misc/magicoutput.xml b/docs/smbdotconf/misc/magicoutput.xml index 1e41a9ff557..ed0cb0b21c4 100644 --- a/docs/smbdotconf/misc/magicoutput.xml +++ b/docs/smbdotconf/misc/magicoutput.xml @@ -3,10 +3,11 @@ type="string" xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> - This parameter specifies the name of a file + + This parameter specifies the name of a file which will contain output created by a magic script (see the - magic script - parameter below). + parameter below). + If two clients use the same magic script in the same directory the output file content diff --git a/docs/smbdotconf/misc/magicscript.xml b/docs/smbdotconf/misc/magicscript.xml index 143576e7bd6..b621f00c389 100644 --- a/docs/smbdotconf/misc/magicscript.xml +++ b/docs/smbdotconf/misc/magicscript.xml @@ -13,8 +13,8 @@ of privilege and the file permissions allow the deletion. If the script generates output, output will be sent to - the file specified by the - magic output parameter (see above). + the file specified by the + parameter (see above). Note that some shells are unable to interpret scripts containing CR/LF instead of CR as diff --git a/docs/smbdotconf/misc/nishomedir.xml b/docs/smbdotconf/misc/nishomedir.xml index a1bfd947b6b..45c451197e4 100644 --- a/docs/smbdotconf/misc/nishomedir.xml +++ b/docs/smbdotconf/misc/nishomedir.xml 
@@ -21,8 +21,8 @@ long as a Samba daemon is running on the home directory server, it will be mounted on the Samba client directly from the directory server. When Samba is returning the home share to the client, it - will consult the NIS map specified in - homedir map and return the server + will consult the NIS map specified in + and return the server listed there. Note that for this option to work there must be a working diff --git a/docs/smbdotconf/misc/preexec.xml b/docs/smbdotconf/misc/preexec.xml index 001f9c2b429..6608c830501 100644 --- a/docs/smbdotconf/misc/preexec.xml +++ b/docs/smbdotconf/misc/preexec.xml @@ -12,13 +12,16 @@ message every time they log in. Maybe a message of the day? Here is an example: - preexec = csh -c 'echo \"Welcome to %S!\" | /usr/local/samba/bin/smbclient -M %m -I %I' & + + preexec = csh -c 'echo \"Welcome to %S!\" | + /usr/local/samba/bin/smbclient -M %m -I %I' & + Of course, this could get annoying after a while :-) - See also preexec close and postexec - . + + See also and . + diff --git a/docs/smbdotconf/misc/preexecclose.xml b/docs/smbdotconf/misc/preexecclose.xml index a557a58a36d..c616ad7f07c 100644 --- a/docs/smbdotconf/misc/preexecclose.xml +++ b/docs/smbdotconf/misc/preexecclose.xml @@ -5,8 +5,7 @@ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> This boolean option controls whether a non-zero - return code from preexec - should close the service being connected to. + return code from should close the service being connected to. no diff --git a/docs/smbdotconf/misc/preload.xml b/docs/smbdotconf/misc/preload.xml index 70b5b2968b7..94905a67ef7 100644 --- a/docs/smbdotconf/misc/preload.xml +++ b/docs/smbdotconf/misc/preload.xml 
@@ -10,9 +10,11 @@ for homes and printers services that would otherwise not be visible. - Note that if you just want all printers in your - printcap file loaded then the - load printers option is easier. + + Note that if you just want all printers in your + printcap file loaded then the + option is easier. + diff --git a/docs/smbdotconf/misc/remoteannounce.xml b/docs/smbdotconf/misc/remoteannounce.xml index 891790327d2..fc46a46e89f 100644 --- a/docs/smbdotconf/misc/remoteannounce.xml +++ b/docs/smbdotconf/misc/remoteannounce.xml @@ -21,14 +21,13 @@ the above line would cause nmbd to announce itself to the two given IP addresses using the given workgroup names. If you leave out the workgroup name then the one given in - the workgroup - parameter is used instead. + the parameter is used instead. The IP addresses you choose would normally be the broadcast addresses of the remote networks, but can also be the IP addresses of known browse masters if your network config is that stable. -See . +See . diff --git a/docs/smbdotconf/printing/cupsoptions.xml b/docs/smbdotconf/printing/cupsoptions.xml index ce3eb83c7e1..6bb3782dc36 100644 --- a/docs/smbdotconf/printing/cupsoptions.xml +++ b/docs/smbdotconf/printing/cupsoptions.xml @@ -4,8 +4,8 @@ print="1" xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> - This parameter is only applicable if printing is + + This parameter is only applicable if is set to cups. Its value is a free form string of options passed directly to the cups library. diff --git a/docs/smbdotconf/printing/cupsserver.xml b/docs/smbdotconf/printing/cupsserver.xml index ecd2958e618..045d2602771 100644 --- a/docs/smbdotconf/printing/cupsserver.xml +++ b/docs/smbdotconf/printing/cupsserver.xml @@ -4,9 +4,7 @@ print="1" xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> - This parameter is only applicable if printing is - set to cups. + This parameter is only applicable if is set to cups. If set, this option overrides the ServerName option in the CUPS 
diff --git a/docs/smbdotconf/printing/defaultdevmode.xml b/docs/smbdotconf/printing/defaultdevmode.xml index 971c507e5a6..fba5b898bb6 100644 --- a/docs/smbdotconf/printing/defaultdevmode.xml +++ b/docs/smbdotconf/printing/defaultdevmode.xml @@ -4,7 +4,7 @@ print="1" xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> - This parameter is only applicable to printable services. + This parameter is only applicable to services. When smbd is serving Printer Drivers to Windows NT/2k/XP clients, each printer on the Samba server has a Device Mode which defines things such as paper size and orientation and duplex settings. The device mode can only correctly be diff --git a/docs/smbdotconf/printing/deleteprintercommand.xml b/docs/smbdotconf/printing/deleteprintercommand.xml index ed24ff40486..1f9a91656d5 100644 --- a/docs/smbdotconf/printing/deleteprintercommand.xml +++ b/docs/smbdotconf/printing/deleteprintercommand.xml @@ -10,17 +10,17 @@ DeletePrinter() RPC call. For a Samba host this means that the printer must be - physically deleted from underlying printing system. The - deleteprinter command defines a script to be run which + physically deleted from underlying printing system. The + defines a script to be run which will perform the necessary operations for removing the printer from the print system and from smb.conf. - The deleteprinter command is - automatically called with only one parameter: - "printer name". + The is + automatically called with only one parameter: . + - Once the deleteprinter command has + Once the has been executed, smbd will reparse the smb.conf to associated printer no longer exists. If the sharename is still valid, then smbd diff --git a/docs/smbdotconf/printing/loadprinters.xml b/docs/smbdotconf/printing/loadprinters.xml index 63b110dadfc..b136505009d 100644 --- a/docs/smbdotconf/printing/loadprinters.xml +++ b/docs/smbdotconf/printing/loadprinters.xml 
@@ -6,7 +6,7 @@ A boolean variable that controls whether all printers in the printcap will be loaded for browsing by default. - See the printers section for + See the section for more details. diff --git a/docs/smbdotconf/printing/lpresumecommand.xml b/docs/smbdotconf/printing/lpresumecommand.xml index 4a703057deb..dc807f1f718 100644 --- a/docs/smbdotconf/printing/lpresumecommand.xml +++ b/docs/smbdotconf/printing/lpresumecommand.xml @@ -10,8 +10,7 @@ This command should be a program or script which takes a printer name and job number to resume the print job. See - also the lppause command - parameter. + also the parameter. If a %p is given then the printer name is put in its place. A %j is replaced with @@ -21,8 +20,7 @@ in the lpresume command as the PATH may not be available to the server. - See also the printing - parameter. + See also the parameter. Default: Currently no default value is given to this string, unless the value of the printing diff --git a/docs/smbdotconf/printing/os2drivermap.xml b/docs/smbdotconf/printing/os2drivermap.xml index ac49babd40f..d646071e3a4 100644 --- a/docs/smbdotconf/printing/os2drivermap.xml +++ b/docs/smbdotconf/printing/os2drivermap.xml @@ -15,7 +15,7 @@ LaserJet 5L. The need for the file is due to the printer driver namespace - problem described in . For more details on OS/2 clients, please + problem described in . For more details on OS/2 clients, please refer to . diff --git a/docs/smbdotconf/printing/printable.xml b/docs/smbdotconf/printing/printable.xml index b8991ae9ad0..73aa533ed3b 100644 --- a/docs/smbdotconf/printing/printable.xml +++ b/docs/smbdotconf/printing/printable.xml @@ -11,8 +11,7 @@ Note that a printable service will ALWAYS allow writing to the service path (user privileges permitting) via the spooling - of print data. The read only - parameter controls only non-printing access to + of print data. The parameter controls only non-printing access to the resource. no 
diff --git a/docs/smbdotconf/printing/printcapname.xml b/docs/smbdotconf/printing/printcapname.xml index c0d228896e3..7ade8881b64 100644 --- a/docs/smbdotconf/printing/printcapname.xml +++ b/docs/smbdotconf/printing/printcapname.xml @@ -13,7 +13,7 @@ To use the CUPS printing interface set printcap name = cups . This should be supplemented by an addtional setting - printing = cups in the [global] + cups in the [global] section. printcap name = cups will use the "dummy" printcap created by CUPS, as specified in your CUPS configuration file. diff --git a/docs/smbdotconf/printing/printcommand.xml b/docs/smbdotconf/printing/printcommand.xml index e17fb7ae2f6..461d6de8e38 100644 --- a/docs/smbdotconf/printing/printcommand.xml +++ b/docs/smbdotconf/printing/printcommand.xml @@ -47,8 +47,7 @@ Note that printing may fail on some UNIXes from the nobody account. If this happens then create - an alternative guest account that can print and set the - guest account + an alternative guest account that can print and set the in the [global] section. You can form quite complex print commands by realizing @@ -61,8 +60,8 @@ You may have to vary this command considerably depending on how you normally print files on your system. The default for - the parameter varies depending on the setting of the - printing parameter. + the parameter varies depending on the setting of the + parameter. Default: For printing = BSD, AIX, QNX, LPRNG or PLP : @@ -75,7 +74,7 @@ print command = lp -d%p -s %s; rm %s For printing = CUPS : If SAMBA is compiled against - libcups, then printcap = cups + libcups, then cups uses the CUPS API to submit jobs, etc. Otherwise it maps to the System V commands with the -oraw option for printing, i.e. it diff --git a/docs/smbdotconf/printing/printername.xml b/docs/smbdotconf/printing/printername.xml index ed55a9bb703..fad127cad19 100644 --- a/docs/smbdotconf/printing/printername.xml +++ b/docs/smbdotconf/printing/printername.xml 
@@ -5,14 +5,22 @@ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> printer - This parameter specifies the name of the printer - to which print jobs spooled through a printable service will be sent. + + This parameter specifies the name of the printer to which print jobs spooled through a printable service + will be sent. + - If specified in the [global] section, the printer - name given will be used for any printable service that does - not have its own printer name specified. + + If specified in the [global] section, the printer name given will be used for any printable service that + does not have its own printer name specified. + + + + The default value of the may be lp on many + systems. + -none (but may be lp on many systems) +none laserwriter diff --git a/docs/smbdotconf/printing/queueresumecommand.xml b/docs/smbdotconf/printing/queueresumecommand.xml index 1a878c20988..f6593c22899 100644 --- a/docs/smbdotconf/printing/queueresumecommand.xml +++ b/docs/smbdotconf/printing/queueresumecommand.xml @@ -7,8 +7,7 @@ This parameter specifies the command to be executed on the server host in order to resume the printer queue. It is the command to undo the behavior that is caused by the - previous parameter ( - queuepause command). + previous parameter (). This command should be a program or script which takes a printer name as its only parameter and resumes the printer queue, diff --git a/docs/smbdotconf/protocol/maxwinsttl.xml b/docs/smbdotconf/protocol/maxwinsttl.xml index 20461b7a496..09935cdd9b6 100644 --- a/docs/smbdotconf/protocol/maxwinsttl.xml +++ b/docs/smbdotconf/protocol/maxwinsttl.xml 
@@ -5,8 +5,8 @@ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> This option tells smbd - 8 when acting as a WINS server ( - wins support = yes) what the maximum + 8 when acting as a WINS server + (yes) what the maximum 'time to live' of NetBIOS names that nmbd will grant will be (in seconds). You should never need to change this parameter. The default is 6 days (518400 seconds). diff --git a/docs/smbdotconf/protocol/minprotocol.xml b/docs/smbdotconf/protocol/minprotocol.xml index a1480756bd1..0bec282467c 100644 --- a/docs/smbdotconf/protocol/minprotocol.xml +++ b/docs/smbdotconf/protocol/minprotocol.xml @@ -6,15 +6,14 @@ The value of the parameter (a string) is the lowest SMB protocol dialect than Samba will support. Please refer - to the max protocol + to the parameter for a list of valid protocol names and a brief description of each. You may also wish to refer to the C source code in source/smbd/negprot.c for a listing of known protocol dialects supported by clients. If you are viewing this parameter as a security measure, you should - also refer to the lanman - auth parameter. Otherwise, you should never need + also refer to the parameter. Otherwise, you should never need to change this parameter. diff --git a/docs/smbdotconf/protocol/minwinsttl.xml b/docs/smbdotconf/protocol/minwinsttl.xml index 9c308d8b73a..38fbd7b0ebb 100644 --- a/docs/smbdotconf/protocol/minwinsttl.xml +++ b/docs/smbdotconf/protocol/minwinsttl.xml @@ -6,8 +6,7 @@ This option tells nmbd 8 - when acting as a WINS server ( - wins support = yes) what the minimum 'time to live' + when acting as a WINS server (yes) what the minimum 'time to live' of NetBIOS names that nmbd will grant will be (in seconds). You should never need to change this parameter. The default is 6 hours (21600 seconds). diff --git a/docs/smbdotconf/protocol/nameresolveorder.xml b/docs/smbdotconf/protocol/nameresolveorder.xml index a3637a3ee0e..d8bbb395891 100644 --- a/docs/smbdotconf/protocol/nameresolveorder.xml 
+++ b/docs/smbdotconf/protocol/nameresolveorder.xml @@ -18,8 +18,8 @@ lmhosts : Lookup an IP address in the Samba lmhosts file. If the line in lmhosts has - no name type attached to the NetBIOS name (see the lmhosts(5) for details) then + no name type attached to the NetBIOS name (see the lmhosts(5) for details) then any name type matches for lookup. @@ -37,14 +37,14 @@ wins : Query a name with - the IP address listed in the - wins server parameter. If no WINS server has + the IP address listed in the + wins server parameter. If no WINS server has been specified this method will be ignored. bcast : Do a broadcast on - each of the known local interfaces listed in the interfaces + each of the known local interfaces listed in the parameter. This is the least reliable of the name resolution methods as it depends on the target host being on a locally connected subnet. diff --git a/docs/smbdotconf/security/adminusers.xml b/docs/smbdotconf/security/adminusers.xml index 6c2d8e8f721..d8f14b6d740 100644 --- a/docs/smbdotconf/security/adminusers.xml +++ b/docs/smbdotconf/security/adminusers.xml @@ -11,8 +11,7 @@ this list will be able to do anything they like on the share, irrespective of file permissions. - This parameter will not work with the - security = share in + This parameter will not work with the share in Samba 3.0. This is by design. diff --git a/docs/smbdotconf/security/allowtrusteddomains.xml b/docs/smbdotconf/security/allowtrusteddomains.xml index ad84513417b..7bc55545508 100644 --- a/docs/smbdotconf/security/allowtrusteddomains.xml +++ b/docs/smbdotconf/security/allowtrusteddomains.xml @@ -4,8 +4,8 @@ advanced="1" developer="1" xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> - This option only takes effect when the - security option is set to + + This option only takes effect when the option is set to server,domain or ads. If it is set to no, then attempts to connect to a resource from a domain or workgroup other than the one which smbd is running 
diff --git a/docs/smbdotconf/security/authmethods.xml b/docs/smbdotconf/security/authmethods.xml index 2eaf6a352b5..6e6b88c5190 100644 --- a/docs/smbdotconf/security/authmethods.xml +++ b/docs/smbdotconf/security/authmethods.xml @@ -4,12 +4,12 @@ basic="1" advanced="1" wizard="1" developer="1" xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> - This option allows the administrator to chose what - authentication methods smbd will use when authenticating - a user. This option defaults to sensible values based on - security. This should be considered - a developer option and used only in rare circumstances. In the majority (if not all) - of production servers, the default setting should be adequate. + + This option allows the administrator to chose what authentication methods smbd will use when authenticating a user. This option defaults to sensible values + based on . This should be considered a developer option and used only in rare + circumstances. In the majority (if not all) of production servers, the default setting should be adequate. + Each entry in the list attempts to authenticate the user in turn, until the user authenticates. In practice only one method will ever actually diff --git a/docs/smbdotconf/security/createmask.xml b/docs/smbdotconf/security/createmask.xml index 14b8253a87b..7f9f93caaa9 100644 --- a/docs/smbdotconf/security/createmask.xml +++ b/docs/smbdotconf/security/createmask.xml 
@@ -17,18 +17,15 @@ 'group' and 'other' write and execute bits from the UNIX modes. Following this Samba will bit-wise 'OR' the UNIX mode created - from this parameter with the value of the - force create mode + from this parameter with the value of the parameter which is set to 000 by default. This parameter does not affect directory modes. See the - parameter directory mode - for details. + parameter for details. Note that this parameter does not apply to permissions set by Windows NT/2000 ACL editors. If the administrator wishes to enforce - a mask on access control lists also, they need to set the - security mask. + a mask on access control lists also, they need to set the . force create mode diff --git a/docs/smbdotconf/security/directorymask.xml b/docs/smbdotconf/security/directorymask.xml index 8662b31e15a..414239bcff3 100644 --- a/docs/smbdotconf/security/directorymask.xml +++ b/docs/smbdotconf/security/directorymask.xml @@ -21,14 +21,12 @@ user who owns the directory to modify it. Following this Samba will bit-wise 'OR' the UNIX mode - created from this parameter with the value of the - force directory mode parameter. + created from this parameter with the value of the parameter. This parameter is set to 000 by default (i.e. no extra mode bits are added). Note that this parameter does not apply to permissions set by Windows NT/2000 ACL editors. If the administrator wishes to enforce - a mask on access control lists also, they need to set the - directory security mask. + a mask on access control lists also, they need to set the . force directory mode diff --git a/docs/smbdotconf/security/encryptpasswords.xml b/docs/smbdotconf/security/encryptpasswords.xml index e3bc3f6deaf..8d2b86cb8cc 100644 --- a/docs/smbdotconf/security/encryptpasswords.xml +++ b/docs/smbdotconf/security/encryptpasswords.xml 
@@ -32,7 +32,7 @@ have access to a local smbpasswd 5 file (see the smbpasswd 8 program for information on how to set up - and maintain this file), or set the security = [server|domain|ads] parameter which + and maintain this file), or set the [server|domain|ads] parameter which causes smbd to authenticate against another server. diff --git a/docs/smbdotconf/security/forcegroup.xml b/docs/smbdotconf/security/forcegroup.xml index 2d8f5790d8d..f6c9974f99d 100644 --- a/docs/smbdotconf/security/forcegroup.xml +++ b/docs/smbdotconf/security/forcegroup.xml @@ -25,8 +25,8 @@ primary group assigned to sys when accessing this Samba share. All other users will retain their ordinary primary group. - If the force user - parameter is also set the group specified in + + If the parameter is also set the group specified in force group will override the primary group set in force user. diff --git a/docs/smbdotconf/security/guestaccount.xml b/docs/smbdotconf/security/guestaccount.xml index fd791c74238..8132835a821 100644 --- a/docs/smbdotconf/security/guestaccount.xml +++ b/docs/smbdotconf/security/guestaccount.xml @@ -5,8 +5,7 @@ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> This is a username which will be used for access - to services which are specified as - guest ok (see below). Whatever privileges this + to services which are specified as (see below). Whatever privileges this user has will be available to any client connecting to the guest service. This user must exist in the password file, but does not require a valid login. The user account "ftp" is often a good choice diff --git a/docs/smbdotconf/security/guestok.xml b/docs/smbdotconf/security/guestok.xml index f2e5f0adcd9..7cbf4e50bbd 100644 --- a/docs/smbdotconf/security/guestok.xml +++ b/docs/smbdotconf/security/guestok.xml 
@@ -7,15 +7,13 @@ If this parameter is yes for a service, then no password is required to connect to the service. - Privileges will be those of the - guest account. + Privileges will be those of the . This paramater nullifies the benifits of setting - restrict - anonymous = 2 + 2 + - See the section below on - security for more information about this option. + See the section below on for more information about this option. no diff --git a/docs/smbdotconf/security/guestonly.xml b/docs/smbdotconf/security/guestonly.xml index 9d70c16c3fd..258eba92678 100644 --- a/docs/smbdotconf/security/guestonly.xml +++ b/docs/smbdotconf/security/guestonly.xml @@ -6,11 +6,9 @@ If this parameter is yes for a service, then only guest connections to the service are permitted. - This parameter will have no effect if - guest ok is not set for the service. + This parameter will have no effect if is not set for the service. - See the section below on - security for more information about this option. + See the section below on for more information about this option. no diff --git a/docs/smbdotconf/security/hostsallow.xml b/docs/smbdotconf/security/hostsallow.xml index e71377a2892..5e807daa68f 100644 --- a/docs/smbdotconf/security/hostsallow.xml +++ b/docs/smbdotconf/security/hostsallow.xml @@ -24,8 +24,7 @@ be given here also. Note that the localhost address 127.0.0.1 will always - be allowed access unless specifically denied by a - hosts deny option. + be allowed access unless specifically denied by a option. You can also specify hosts by network/netmask pairs and by netgroup names if your system supports netgroups. The diff --git a/docs/smbdotconf/security/hostsequiv.xml b/docs/smbdotconf/security/hostsequiv.xml index 014c75369a4..db7cbaffc8f 100644 --- a/docs/smbdotconf/security/hostsequiv.xml +++ b/docs/smbdotconf/security/hostsequiv.xml 
@@ -9,8 +9,7 @@ and users who will be allowed access without specifying a password. - This is not be confused with - hosts allow which is about hosts + This is not be confused with which is about hosts access to services and is more useful for guest services. hosts equiv may be useful for NT clients which will not supply passwords to Samba. diff --git a/docs/smbdotconf/security/inheritpermissions.xml b/docs/smbdotconf/security/inheritpermissions.xml index b6c774ab93f..6e09f4f033c 100644 --- a/docs/smbdotconf/security/inheritpermissions.xml +++ b/docs/smbdotconf/security/inheritpermissions.xml @@ -3,24 +3,20 @@ type="boolean" xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> - The permissions on new files and directories - are normally governed by - create mask, - directory mask, - force create mode - and force - directory mode but the boolean inherit - permissions parameter overrides this. + + The permissions on new files and directories are normally governed by , + , and but the boolean inherit permissions parameter overrides this. + New directories inherit the mode of the parent directory, including bits such as setgid. - New files inherit their read/write bits from the parent - directory. Their execute bits continue to be determined by - map archive - , map hidden - and map system - as usual. + + New files inherit their read/write bits from the parent directory. Their execute bits continue to be + determined by , and as usual. + Note that the setuid bit is never set via inheritance (the code explicitly prohibits this). diff --git a/docs/smbdotconf/security/maptoguest.xml b/docs/smbdotconf/security/maptoguest.xml index 89939590732..52600a5dcc4 100644 --- a/docs/smbdotconf/security/maptoguest.xml +++ b/docs/smbdotconf/security/maptoguest.xml 
@@ -4,8 +4,8 @@ advanced="1" developer="1" xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> - This parameter is only useful in - security modes other than security = share + This parameter is only useful in + security modes other than security = share - i.e. user, server, and domain. @@ -27,14 +27,13 @@ Bad User - Means user logins with an invalid password are rejected, unless the username does not exist, in which case it is treated as a guest login and - mapped into the - guest account. + mapped into the . Bad Password - Means user logins with an invalid password are treated as a guest login and mapped - into the guest account. Note that + into the . Note that this can cause problems as it means that any user incorrectly typing their password will be silently logged on as "guest" - and will not know the reason they cannot access files they think diff --git a/docs/smbdotconf/security/obeypamrestrictions.xml b/docs/smbdotconf/security/obeypamrestrictions.xml index fd12e456b6a..40777f4f5da 100644 --- a/docs/smbdotconf/security/obeypamrestrictions.xml +++ b/docs/smbdotconf/security/obeypamrestrictions.xml @@ -9,8 +9,8 @@ should obey PAM's account and session management directives. The default behavior is to use PAM for clear text authentication only and to ignore any account or session management. Note that Samba - always ignores PAM for authentication in the case of - encrypt passwords = yes. The reason + always ignores PAM for authentication in the case of yes. The reason is that PAM modules cannot support the challenge/response authentication mechanism needed in the presence of SMB password encryption. diff --git a/docs/smbdotconf/security/onlyuser.xml b/docs/smbdotconf/security/onlyuser.xml index d94d3d523d2..b1ef1b76060 100644 --- a/docs/smbdotconf/security/onlyuser.xml +++ b/docs/smbdotconf/security/onlyuser.xml 
@@ -9,8 +9,7 @@ client can supply a username to be used by the server. Enabling this parameter will force the server to only use the login names from the user list and is only really - useful in share level - security. + useful in share level security. Note that this also means Samba won't try to deduce usernames from the service name. This can be annoying for diff --git a/docs/smbdotconf/security/pampasswordchange.xml b/docs/smbdotconf/security/pampasswordchange.xml index 22dc98d4e93..e5c04d405cc 100644 --- a/docs/smbdotconf/security/pampasswordchange.xml +++ b/docs/smbdotconf/security/pampasswordchange.xml @@ -8,10 +8,9 @@ this parameter, it is possible to use PAM's password change control flag for Samba. If enabled, then PAM will be used for password changes when requested by an SMB client instead of the program listed in - passwd program. + . It should be possible to enable this without changing your - passwd chat - parameter for most setups. + parameter for most setups. no diff --git a/docs/smbdotconf/security/passdbbackend.xml b/docs/smbdotconf/security/passdbbackend.xml index 74f26b89ea1..bbe1d131060 100644 --- a/docs/smbdotconf/security/passdbbackend.xml +++ b/docs/smbdotconf/security/passdbbackend.xml @@ -27,8 +27,7 @@ tdbsam - The TDB based password storage backend. Takes a path to the TDB as an optional argument (defaults to passdb.tdb - in the - private dir directory. + in the directory. @@ -37,7 +36,7 @@ ldap://localhost) LDAP connections should be secured where possible. This may be done using either - Start-TLS (see ldap ssl) or by + Start-TLS (see ) or by specifying ldaps:// in the URL argument. diff --git a/docs/smbdotconf/security/passwdchat.xml b/docs/smbdotconf/security/passwdchat.xml index f3a73957100..32ae5b30336 100644 --- a/docs/smbdotconf/security/passwdchat.xml +++ b/docs/smbdotconf/security/passwdchat.xml 
@@ -10,22 +10,20 @@ program to change the user's password. The string describes a sequence of response-receive pairs that smbd 8 uses to determine what to send to the - passwd program - and what to expect back. If the expected output is not + and what to expect back. If the expected output is not received then the password is not changed. This chat sequence is often quite site specific, depending on what local methods are used for password control (such as NIS etc). - Note that this parameter only is only used if the unix password sync - parameter is set to yes. This sequence is + Note that this parameter only is only used if the parameter is set to yes. This sequence is then called AS ROOT when the SMB password in the smbpasswd file is being changed, without access to the old password cleartext. This means that root must be able to reset the user's password without knowing the text of the previous password. In the presence of - NIS/YP, this means that the passwd program must + NIS/YP, this means that the must be executed on the NIS master. @@ -41,10 +39,9 @@ stop ".", then no string is sent. Similarly, if the expect string is a full stop then no string is expected. - If the pam - password change parameter is set to yes, the chat pairs - may be matched in any order, and success is determined by the PAM result, - not any particular output. The \n macro is ignored for PAM conversions. + If the parameter is set to yes, the + chat pairs may be matched in any order, and success is determined by the PAM result, not any particular + output. The \n macro is ignored for PAM conversions. diff --git a/docs/smbdotconf/security/passwdchatdebug.xml b/docs/smbdotconf/security/passwdchatdebug.xml index 6211688eb79..78714ab8b58 100644 --- a/docs/smbdotconf/security/passwdchatdebug.xml +++ b/docs/smbdotconf/security/passwdchatdebug.xml 
@@ -9,13 +9,13 @@ strings passed to and received from the passwd chat are printed in the smbd 8 log with a - debug level + of 100. This is a dangerous option as it will allow plaintext passwords to be seen in the smbd log. It is available to help Samba admins debug their passwd chat scripts when calling the passwd program and should be turned off after this has been done. This option has no effect if the - pam password change + paramter is set. This parameter is off by default. diff --git a/docs/smbdotconf/security/passwordlevel.xml b/docs/smbdotconf/security/passwordlevel.xml index 33a0f13e2a4..1da11e406bd 100644 --- a/docs/smbdotconf/security/passwordlevel.xml +++ b/docs/smbdotconf/security/passwordlevel.xml @@ -40,8 +40,7 @@ This parameter is used only when using plain-text passwords. It is not at all used when encrypted passwords as in use (that is the default - since samba-3.0.0). Use this only when - encrypt passwords = No. + since samba-3.0.0). Use this only when No. 0 diff --git a/docs/smbdotconf/security/passwordserver.xml b/docs/smbdotconf/security/passwordserver.xml index 4836a177310..188cea88d1a 100644 --- a/docs/smbdotconf/security/passwordserver.xml +++ b/docs/smbdotconf/security/passwordserver.xml @@ -20,8 +20,7 @@ connections. If parameter is a name, it is looked up using the - parameter name - resolve order and so may resolved + parameter and so may resolved by any method and order described in that parameter. The password server must be a machine capable of using diff --git a/docs/smbdotconf/security/readlist.xml b/docs/smbdotconf/security/readlist.xml index 613758ec2aa..df6b4f129bb 100644 --- a/docs/smbdotconf/security/readlist.xml +++ b/docs/smbdotconf/security/readlist.xml 
@@ -3,16 +3,14 @@ type="list" xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> - This is a list of users that are given read-only - access to a service. If the connecting user is in this list then - they will not be given write access, no matter what the - read only - option is set to. The list can include group names using the - syntax described in the - invalid users parameter. + + This is a list of users that are given read-only access to a service. If the connecting user is in this list + then they will not be given write access, no matter what the option is set + to. The list can include group names using the syntax described in the + parameter. + - This parameter will not work with the - security = share in + This parameter will not work with the share in Samba 3.0. This is by design. diff --git a/docs/smbdotconf/security/readonly.xml b/docs/smbdotconf/security/readonly.xml index 686b28aede4..6e1f6dd2b83 100644 --- a/docs/smbdotconf/security/readonly.xml +++ b/docs/smbdotconf/security/readonly.xml @@ -4,8 +4,7 @@ basic="1" advanced="1" xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> - An inverted synonym is - writeable. + An inverted synonym is . If this parameter is yes, then users of a service may not create or modify files in the service's diff --git a/docs/smbdotconf/security/restrictanonymous.xml b/docs/smbdotconf/security/restrictanonymous.xml index a7aaa31b0b2..2a45ef15613 100644 --- a/docs/smbdotconf/security/restrictanonymous.xml +++ b/docs/smbdotconf/security/restrictanonymous.xml @@ -29,8 +29,7 @@ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ The security advantage of using restrict anonymous = 2 is removed - by setting guest - ok = yes on any share. + by setting yes on any share. diff --git a/docs/smbdotconf/security/rootdirectory.xml b/docs/smbdotconf/security/rootdirectory.xml index ed894d57cbe..8736598001f 100644 --- a/docs/smbdotconf/security/rootdirectory.xml +++ b/docs/smbdotconf/security/rootdirectory.xml 
@@ -12,9 +12,8 @@ server will deny access to files not in one of the service entries. It may also check for, and deny access to, soft links to other parts of the filesystem, or attempts to use ".." in file names - to access other directories (depending on the setting of the - wide links - parameter). + to access other directories (depending on the setting of the + parameter). Adding a root directory entry other diff --git a/docs/smbdotconf/security/security.xml b/docs/smbdotconf/security/security.xml index fe5cf5404f2..226d1c12702 100644 --- a/docs/smbdotconf/security/security.xml +++ b/docs/smbdotconf/security/security.xml @@ -47,13 +47,11 @@ want to mainly setup shares without a password (guest shares). This is commonly used for a shared printer server. It is more difficult to setup guest shares with security = user, see - the map to guest - parameter for details. + the parameter for details. It is possible to use smbd in a hybrid mode where it is offers both user and share - level security under different - NetBIOS aliases. + level security under different . The different settings will now be explained. @@ -83,17 +81,14 @@ - If the guest - only parameter is set, then all the other - stages are missed and only the - guest account username is checked. + If the parameter is set, then all the other + stages are missed and only the username is checked. Is a username is sent with the share connection - request, then this username (after mapping - see - username map), + request, then this username (after mapping - see ), is added as a potential username. @@ -118,8 +113,7 @@ - Any users on the - user list are added as potential usernames. + Any users on the list are added as potential usernames. 
@@ -145,13 +139,10 @@ This is the default security setting in Samba 3.0. With user-level security a client must first "log-on" with a - valid username and password (which can be mapped using the - username map - parameter). Encrypted passwords (see the - encrypted passwords parameter) can also - be used in this security mode. Parameters such as - user and - guest only if set are then applied and + valid username and password (which can be mapped using the + parameter). Encrypted passwords (see the parameter) can also + be used in this security mode. Parameters such as and if set are then applied and may change the UNIX user to use on this connection, but only after the user has been successfully authenticated. @@ -159,21 +150,17 @@ requested is not sent to the server until after the server has successfully authenticated the client. This is why guest shares don't work in user level security without allowing - the server to automatically map unknown users into the - guest account. - See the map to guest - parameter for details on doing this. + the server to automatically map unknown users into the . + See the parameter for details on doing this. - See also the section - NOTE ABOUT USERNAME/PASSWORD VALIDATION. + See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION. SECURITY = DOMAIN This mode will only work correctly if net 8 has been used to add this - machine into a Windows NT Domain. It expects the - encrypted passwords - parameter to be set to yes. In this + machine into a Windows NT Domain. It expects the + parameter to be set to yes. In this mode Samba will try to validate the username/password by passing it to a Windows NT Primary or Backup Domain Controller, in exactly the same way that a Windows NT Server would do. 
@@ -192,31 +179,26 @@ requested is not sent to the server until after the server has successfully authenticated the client. This is why guest shares don't work in user level security without allowing - the server to automatically map unknown users into the - guest account. - See the map to guest - parameter for details on doing this. + the server to automatically map unknown users into the . + See the parameter for details on doing this. See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION. - See also the password - server parameter and the - encrypted passwords - parameter. + See also the parameter and + the parameter. SECURITY = SERVER - In this mode Samba will try to validate the username/password - by passing it to another SMB server, such as an NT box. If this - fails it will revert to security = - user. It expects the - encrypted passwords parameter - to be set to yes, unless the remote server - does not support them. However note that if encrypted passwords have been - negotiated then Samba cannot revert back to checking the UNIX password file, - it must have a valid smbpasswd file to check - users against. See the chapter about the User Database in the Samba HOWTO Collection for details on how to set this up. + + In this mode Samba will try to validate the username/password by passing it to another SMB server, such as an + NT box. If this fails it will revert to security = user. It expects the + parameter to be set to yes, unless the remote + server does not support them. However note that if encrypted passwords have been negotiated then Samba cannot + revert back to checking the UNIX password file, it must have a valid smbpasswd file to check users against. See the chapter about the User Database in + the Samba HOWTO Collection for details on how to set this up. + This mode of operation has significant pitfalls, due to the fact that is activly initiates a 
@@ -238,17 +220,14 @@ requested is not sent to the server until after the server has successfully authenticated the client. This is why guest shares don't work in user level security without allowing - the server to automatically map unknown users into the - guest account. - See the map to guest - parameter for details on doing this. + the server to automatically map unknown users into the . + See the parameter for details on doing this. See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION. - See also the password - server parameter and the - encrypted passwords parameter. + See also the parameter and the + parameter. SECURITY = ADS diff --git a/docs/smbdotconf/security/serverschannel.xml b/docs/smbdotconf/security/serverschannel.xml index 0f264a0f7d7..6317448fb62 100644 --- a/docs/smbdotconf/security/serverschannel.xml +++ b/docs/smbdotconf/security/serverschannel.xml 
@@ -4,20 +4,18 @@ basic="1" xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> - This controls whether the server offers or even - demands the use of the netlogon schannel. - server schannel = no does not - offer the schannel, server schannel = - auto offers the schannel but does not - enforce it, and server schannel = - yes denies access if the client is not - able to speak netlogon schannel. This is only the case - for Windows NT4 before SP4. + + This controls whether the server offers or even demands the use of the netlogon schannel. + no does not offer the schannel, auto offers the schannel but does not enforce it, and yes denies access if the client is not able to speak netlogon schannel. + This is only the case for Windows NT4 before SP4. + - Please note that with this set to - no you will have to apply the - WindowsXP requireSignOrSeal-Registry patch found in - the docs/Registry subdirectory. + + Please note that with this set to no you will have to apply the WindowsXP + WinXP_SignOrSeal.reg registry patch found in the docs/registry subdirectory of the Samba distribution tarball. + auto diff --git a/docs/smbdotconf/security/updateencrypted.xml b/docs/smbdotconf/security/updateencrypted.xml index 7042a116786..da493665cf2 100644 --- a/docs/smbdotconf/security/updateencrypted.xml +++ b/docs/smbdotconf/security/updateencrypted.xml 
@@ -5,29 +5,29 @@ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> - This boolean parameter allows a user logging on with - a plaintext password to have their encrypted (hashed) password in - the smbpasswd file to be updated automatically as they log - on. This option allows a site to migrate from plaintext - password authentication (users authenticate with plaintext - password over the wire, and are checked against a UNIX account - database) to encrypted password authentication (the SMB - challenge/response authentication mechanism) without forcing all - users to re-enter their passwords via smbpasswd at the time the - change is made. This is a convenience option to allow the change - over to encrypted passwords to be made over a longer period. - Once all users have encrypted representations of their passwords - in the smbpasswd file this parameter should be set to - no. + + This boolean parameter allows a user logging on with a plaintext password to have their encrypted (hashed) + password in the smbpasswd file to be updated automatically as they log on. This option allows a site to + migrate from plaintext password authentication (users authenticate with plaintext password over the + wire, and are checked against a UNIX account atabase) to encrypted password authentication (the SMB + challenge/response authentication mechanism) without forcing all users to re-enter their passwords via + smbpasswd at the time the change is made. This is a convenience option to allow the change over to encrypted + passwords to be made over a longer period. Once all users have encrypted representations of their passwords + in the smbpasswd file this parameter should be set to no. + - In order for this parameter to work correctly the - encrypt passwords parameter must - be set to no when this parameter is set to yes. + + In order for this parameter to be operative the parameter must + be set to no. The default value of Yes. Note: This must be set to no for this to work. 
+ - Note that even when this parameter is set a user - authenticating to smbd must still enter a valid - password in order to connect correctly, and to update their hashed - (smbpasswd) passwords. + + Note that even when this parameter is set a user authenticating to smbd + must still enter a valid password in order to connect correctly, and to update their hashed (smbpasswd) + passwords. + no diff --git a/docs/smbdotconf/security/username.xml b/docs/smbdotconf/security/username.xml index 9a6d83ae710..3a45d4d72fc 100644 --- a/docs/smbdotconf/security/username.xml +++ b/docs/smbdotconf/security/username.xml @@ -32,8 +32,7 @@ so they cannot do anything that user cannot do. To restrict a service to a particular set of users you - can use the valid users - parameter. + can use the parameter. If any of the usernames begin with a '@' then the name will be looked up first in the NIS netgroups list (if Samba @@ -54,9 +53,9 @@ quite some time, and some clients may time out during the search. - See the section NOTE ABOUT - USERNAME/PASSWORD VALIDATION for more information on how -this parameter determines access to the services. + See the section NOTE ABOUT + USERNAME/PASSWORD VALIDATION for more information on how + this parameter determines access to the services. The guest account if a guest service, diff --git a/docs/smbdotconf/security/usernamemap.xml b/docs/smbdotconf/security/usernamemap.xml index 1c76d317111..ef4291733e0 100644 --- a/docs/smbdotconf/security/usernamemap.xml +++ b/docs/smbdotconf/security/usernamemap.xml @@ -75,8 +75,7 @@ guest = * will actually be connecting to \\server\mary and will need to supply a password suitable for mary not fred. The only exception to this is the - username passed to the - password server (if you have one). The password + username passed to the (if you have one). The password server will receive whatever username the client supplies without modification. 
diff --git a/docs/smbdotconf/security/writeable.xml b/docs/smbdotconf/security/writeable.xml index 1bb0e41810d..f811c47e5c2 100644 --- a/docs/smbdotconf/security/writeable.xml +++ b/docs/smbdotconf/security/writeable.xml @@ -4,7 +4,6 @@ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> writable - Inverted synonym for - read only. + Inverted synonym for . diff --git a/docs/smbdotconf/tuning/getwdcache.xml b/docs/smbdotconf/tuning/getwdcache.xml index cac8dba47b2..74d30c28e54 100644 --- a/docs/smbdotconf/tuning/getwdcache.xml +++ b/docs/smbdotconf/tuning/getwdcache.xml @@ -6,8 +6,7 @@ This is a tuning option. When this is enabled a caching algorithm will be used to reduce the time taken for getwd() calls. This can have a significant impact on performance, especially - when the wide links - parameter is set to no. + when the parameter is set to no. yes diff --git a/docs/smbdotconf/tuning/keepalive.xml b/docs/smbdotconf/tuning/keepalive.xml index 56482534780..0586365512f 100644 --- a/docs/smbdotconf/tuning/keepalive.xml +++ b/docs/smbdotconf/tuning/keepalive.xml @@ -11,8 +11,7 @@ a client is still present and responding. Keepalives should, in general, not be needed if the socket - has the SO_KEEPALIVE attribute set on it by default. (see - socket options). + has the SO_KEEPALIVE attribute set on it by default. (see ). Basically you should only use this option if you strike difficulties. diff --git a/docs/smbdotconf/tuning/maxconnections.xml b/docs/smbdotconf/tuning/maxconnections.xml index ac014100ea2..1e3043b2f7a 100644 --- a/docs/smbdotconf/tuning/maxconnections.xml +++ b/docs/smbdotconf/tuning/maxconnections.xml @@ -9,8 +9,7 @@ of zero mean an unlimited number of connections may be made. Record lock files are used to implement this feature. The lock files will be stored in - the directory specified by the - lock directory option. + the directory specified by the option. 0 
diff --git a/docs/smbdotconf/vfs/hostmsdfs.xml b/docs/smbdotconf/vfs/hostmsdfs.xml index f941621a6cd..877daac998b 100644 --- a/docs/smbdotconf/vfs/hostmsdfs.xml +++ b/docs/smbdotconf/vfs/hostmsdfs.xml @@ -8,8 +8,7 @@ server, and allow Dfs-aware clients to browse Dfs trees hosted on the server. - See also the - msdfs root share level parameter. For + See also the share level parameter. For more information on setting up a Dfs tree on Samba, refer to . diff --git a/docs/smbdotconf/vfs/msdfsproxy.xml b/docs/smbdotconf/vfs/msdfsproxy.xml index 86e8175f068..5117bae2241 100644 --- a/docs/smbdotconf/vfs/msdfsproxy.xml +++ b/docs/smbdotconf/vfs/msdfsproxy.xml @@ -10,8 +10,7 @@ the SMB-Dfs protocol. Only Dfs roots can act as proxy shares. Take a look at the - msdfs root - and host msdfs + and options to find out how to set up a Dfs root share. diff --git a/docs/smbdotconf/vfs/msdfsroot.xml b/docs/smbdotconf/vfs/msdfsroot.xml index 5fdaef50921..24b8884ffc6 100644 --- a/docs/smbdotconf/vfs/msdfsroot.xml +++ b/docs/smbdotconf/vfs/msdfsroot.xml @@ -16,5 +16,5 @@ host msdfs no - See also host msdfs + See also
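Review bot: in docs/smbdotconf/protocol/maxwinsttl.xml the unchanged opening line still reads "This option tells smbd 8 when acting as a WINS server", while the same sentence ends with "NetBIOS names that nmbd will grant" and the matching minwinsttl.xml hunk says "This option tells nmbd 8". Since this hunk already rewrites the next line, name the same daemon in both files so the two TTL parameters read consistently.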
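Review bot: in docs/smbdotconf/protocol/minprotocol.xml the context line "is the lowest SMB protocol dialect than Samba will support" should read "that Samba will support". The hunk edits the following line, so the fix fits in the same change, and this paragraph is the one readers consult when treating the parameter as a security measure.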
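Review bot: in docs/smbdotconf/security/authmethods.xml the re-wrapped first sentence keeps "allows the administrator to chose what authentication methods"; it should be "to choose". The paragraph was rewritten whole, so the typo is now part of the added lines.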
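Review bot: in docs/smbdotconf/security/guestok.xml the context line "This paramater nullifies the benifits of setting" carries two misspellings ("parameter", "benefits") directly above the reference this hunk rewrites. It is the sentence that warns that guest access cancels restrict anonymous = 2, so it is worth correcting while the paragraph is being touched.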
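Review bot: in docs/smbdotconf/security/hostsequiv.xml the added line "This is not be confused with which is about hosts" keeps the broken grammar of the line it replaces; it should read "This is not to be confused with". The distinction between passwordless access via hosts equiv and host-based access control matters here, so the sentence needs to parse.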
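Review bot: in docs/smbdotconf/security/passwdchat.xml the added line "Note that this parameter only is only used if the parameter is set to yes" repeats "only"; suggest "Note that this parameter is only used if". The sentence introduces the statement that the chat sequence is run AS ROOT, so it should be unambiguous about when that happens.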
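Review bot: in docs/smbdotconf/security/passwdchatdebug.xml the added line "paramter is set." misspells "parameter". This is the sentence that says when the plaintext-password logging option has no effect, so it should be clean in the rendered man page.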
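Review bot: in docs/smbdotconf/security/security.xml several context lines next to the rewritten references still contain errors: "Is a username is sent with the share connection request" (should be "If a username is sent") in the share-level steps, and "due to the fact that is activly initiates" (should be "that it actively initiates") in the SECURITY = SERVER section. The SECURITY = SERVER paragraph is being re-wrapped in this patch anyway, so the following pitfalls sentence could be fixed in the same pass.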
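Review bot: in docs/smbdotconf/security/serverschannel.xml the added sentence "This is only the case for Windows NT4 before SP4." has no clear antecedent after the re-wrap; say explicitly that those are the clients unable to speak netlogon schannel. The same hunk also changes the path from "docs/Registry" to "docs/registry" and names WinXP_SignOrSeal.reg; please confirm both match the directory case and file name in the tree, since the text sends administrators there for the registry patch.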
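Review bot: in docs/smbdotconf/security/updateencrypted.xml the rewritten paragraphs introduce "UNIX account atabase" (the removed line had "database") and the fragment "The default value of Yes. Note: This must be set to no for this to work.", which is not a sentence, does not say which parameter's default is meant, and repeats the preceding clause. The removed wording, "must be set to no when this parameter is set to yes", stated the dependency on encrypt passwords more clearly; suggest restoring that condition and dropping the fragment.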