From 12800a658903b7bcbd6f12e2bd6203f806609f94 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 23 May 2011 10:20:47 +1000 Subject: [PATCH 1/4] docs: Rewrite 'password server' documentation I think this new version is more clear. Andrew Bartlett --- docs-xml/smbdotconf/security/passwordserver.xml | 106 ++++++++++++----------- 1 files changed, 54 insertions(+), 52 deletions(-) diff --git a/docs-xml/smbdotconf/security/passwordserver.xml b/docs-xml/smbdotconf/security/passwordserver.xml index 0e92af9..0ac39f1 100644 --- a/docs-xml/smbdotconf/security/passwordserver.xml +++ b/docs-xml/smbdotconf/security/passwordserver.xml 
@@ -10,54 +10,24 @@ it is possible to get Samba to do all its username/password validation using a specific remote server. - This option sets the name or IP address of the password server to use. - New syntax has been added to support defining the port to use when connecting - to the server the case of an ADS realm. To define a port other than the - default LDAP port of 389, add the port number using a colon after the - name or IP address (e.g. 192.168.1.100:389). If you do not specify a port, - Samba will use the standard LDAP port of tcp/389. Note that port numbers - have no effect on password servers for Windows NT 4.0 domains or netbios - connections. - - If parameter is a name, it is looked up using the - parameter and so may resolved - by any method and order described in that parameter. - - The password server must be a machine capable of using - the "LM1.2X002" or the "NT LM 0.12" protocol, and it must be in - user level security mode. - - Using a password server means your UNIX box (running - Samba) is only as secure as your password server. DO NOT - CHOOSE A PASSWORD SERVER THAT YOU DON'T COMPLETELY TRUST. - - - Never point a Samba server at itself for password serving. - This will cause a loop and could lock up your Samba server! - - The name of the password server takes the standard - substitutions, but probably the only useful one is %m - , which means the Samba server will use the incoming - client as the password server. If you use this then you better - trust your clients, and you had better restrict them with hosts allow! - If the security parameter is set to - domain or ads, then the list of machines in this - option must be a list of Primary or Backup Domain controllers for the - Domain or the character '*', as the Samba server is effectively - in that domain, and will use cryptographically authenticated RPC calls - to authenticate the user logging on. 
The advantage of using - security = domain is that if you list several hosts in the - password server option then smbd - will try each in turn till it finds one that responds. This - is useful in case your primary server goes down. + domain or ads, then this option + should not be used, as the default '*' indicates to Samba + to determine the best DC to contact dynamically, just as all other hosts in an + AD domain do. This allows the domain to be maintained without modification to + the smb.conf file. The cryptograpic protection on the authenticated RPC calls + used to verify passwords ensures that this default is safe. - If the password server option is set - to the character '*', then Samba will attempt to auto-locate the - Primary or Backup Domain controllers to authenticate against by - doing a query for the name WORKGROUP<1C> - and then contacting each server returned in the list of IP - addresses from the name resolution source. + It is strongly recommended that you use the + default of '*', however if in your particular + environment you have reason to specify a particular DC list, then + the list of machines in this option must be a list of names or IP + addresses of Domain controllers for the Domain. If you use the + default of '*', or list several hosts in the password server option then smbd will try each in turn till it + finds one that responds. This is useful in case your primary + server goes down. If the list of servers contains both names/IP's and the '*' character, the list is treated as a list of preferred 
@@ -65,10 +35,12 @@ will be added to the list as well. Samba will not attempt to optimize this list by locating the closest DC. + If parameter is a name, it is looked up using the + parameter and so may resolved + by any method and order described in that parameter. + If the security parameter is - set to server, then there are different - restrictions that security = domain doesn't - suffer from: + set to server, these additional restrictions apply: @@ -82,12 +54,42 @@ - If you are using a Windows NT server as your - password server then you will have to ensure that your users + You will have to ensure that your users are able to login from the Samba server, as when in security = server mode the network logon will appear to - come from there rather than from the users workstation. + come from the Samba server rather than from the users workstation. + + + The client must not select NTLMv2 authentication. + + + + The password server must be a machine capable of using + the "LM1.2X002" or the "NT LM 0.12" protocol, and it must be in + user level security mode. + + + + Using a password server means your UNIX box (running + Samba) is only as secure as (a host masqurading as) your password server. DO NOT + CHOOSE A PASSWORD SERVER THAT YOU DON'T COMPLETELY TRUST. + + + + + Never point a Samba server at itself for password serving. + This will cause a loop and could lock up your Samba server! + + + + The name of the password server takes the standard + substitutions, but probably the only useful one is %m + , which means the Samba server will use the incoming + client as the password server. If you use this then you better + trust your clients, and you had better restrict them with hosts allow! + + -- 1.7.4.4
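Review bot: the first hunk (@@ -10,54 +10,24 @@) deletes the paragraph describing the ":port" suffix ("e.g. 192.168.1.100:389") and the paragraph explaining how '*' locates DCs (the WORKGROUP<1C> query) without replacing either; if the port suffix is still parsed, its only documentation is lost, and the new sentence "to determine the best DC to contact dynamically" should say how that is done or name the parameter that governs it. Also in the added lines: "cryptograpic" should be "cryptographic", and "It is strongly recommended that you use the default of '*', however if in your particular environment ..." is a comma splice that reads better as two sentences.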
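Review bot: the moved paragraph in the second hunk (@@ -65,10 +35,12 @@) carries over a grammatical error, "and so may resolved"; since the text is being relocated anyway, fix it to "and so may be resolved".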
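Review bot: the third hunk (@@ -82,12 +54,42 @@) adds the restriction "The client must not select NTLMv2 authentication." with no rationale; one sentence on why security = server cannot work with NTLMv2 would help administrators who hit this. Typos in the added lines: "masqurading" should be "masquerading", and "only as secure as (a host masqurading as) your password server" is hard to parse; suggest "only as secure as your password server, or as any host able to masquerade as it". "from the users workstation" should be "from the user's workstation". Finally, moving the self-reference warning ("Never point a Samba server at itself") and the %m substitution paragraph under the "these additional restrictions apply" list makes them read as security = server-only; confirm that is intended, or place them after the list.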