summaryrefslogtreecommitdiffstats
path: root/docs-xml/smbdotconf/logon
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-05 17:47:29 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-05 17:47:29 +0000
commit4f5791ebd03eaec1c7da0865a383175b05102712 (patch)
tree8ce7b00f7a76baa386372422adebbe64510812d4 /docs-xml/smbdotconf/logon
parentInitial commit. (diff)
downloadsamba-4f5791ebd03eaec1c7da0865a383175b05102712.tar.xz
samba-4f5791ebd03eaec1c7da0865a383175b05102712.zip
Adding upstream version 2:4.17.12+dfsg.upstream/2%4.17.12+dfsgupstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to '')
-rw-r--r--docs-xml/smbdotconf/logon/abortshutdownscript.xml16
-rw-r--r--docs-xml/smbdotconf/logon/addgroupscript.xml19
-rw-r--r--docs-xml/smbdotconf/logon/addmachinescript.xml21
-rw-r--r--docs-xml/smbdotconf/logon/adduserscript.xml47
-rw-r--r--docs-xml/smbdotconf/logon/addusertogroupscript.xml22
-rw-r--r--docs-xml/smbdotconf/logon/allownt4crypto.xml106
-rw-r--r--docs-xml/smbdotconf/logon/autheventnotification.xml29
-rw-r--r--docs-xml/smbdotconf/logon/deletegroupscript.xml15
-rw-r--r--docs-xml/smbdotconf/logon/deleteuserfromgroupscript.xml17
-rw-r--r--docs-xml/smbdotconf/logon/deleteuserscript.xml22
-rw-r--r--docs-xml/smbdotconf/logon/domainlogons.xml25
-rw-r--r--docs-xml/smbdotconf/logon/enableprivileges.xml26
-rw-r--r--docs-xml/smbdotconf/logon/initlogondelay.xml14
-rw-r--r--docs-xml/smbdotconf/logon/initlogondelayedhosts.xml20
-rw-r--r--docs-xml/smbdotconf/logon/logondrive.xml18
-rw-r--r--docs-xml/smbdotconf/logon/logonhome.xml56
-rw-r--r--docs-xml/smbdotconf/logon/logonpath.xml69
-rw-r--r--docs-xml/smbdotconf/logon/logonscript.xml54
-rw-r--r--docs-xml/smbdotconf/logon/rejectmd5clients.xml110
-rw-r--r--docs-xml/smbdotconf/logon/setprimarygroupscript.xml20
-rw-r--r--docs-xml/smbdotconf/logon/shutdownscript.xml61
21 files changed, 787 insertions, 0 deletions
diff --git a/docs-xml/smbdotconf/logon/abortshutdownscript.xml b/docs-xml/smbdotconf/logon/abortshutdownscript.xml
new file mode 100644
index 0000000..7ce0f1f
--- /dev/null
+++ b/docs-xml/smbdotconf/logon/abortshutdownscript.xml
@@ -0,0 +1,16 @@
+<samba:parameter name="abort shutdown script"
+ context="G"
+ type="string"
+ substitution="1"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This a full path name to a script called by <citerefentry><refentrytitle>smbd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> that
+ should stop a shutdown procedure issued by the <smbconfoption name="shutdown script"/>.</para>
+
+ <para>If the connected user possesses the <constant>SeRemoteShutdownPrivilege</constant>,
+ right, this command will be run as root.</para>
+</description>
+<value type="default">&quot;&quot;</value>
+<value type="example">/sbin/shutdown -c</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/logon/addgroupscript.xml b/docs-xml/smbdotconf/logon/addgroupscript.xml
new file mode 100644
index 0000000..3b347d0
--- /dev/null
+++ b/docs-xml/smbdotconf/logon/addgroupscript.xml
@@ -0,0 +1,19 @@
+<samba:parameter name="add group script"
+ context="G"
+ type="string"
+ substitution="1"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ This is the full pathname to a script that will be run <emphasis>AS ROOT</emphasis> by <citerefentry>
+ <refentrytitle>smbd</refentrytitle><manvolnum>8</manvolnum></citerefentry> when a new group is requested. It
+ will expand any <parameter moreinfo="none">%g</parameter> to the group name passed. This script is only useful
+ for installations using the Windows NT domain administration tools. The script is free to create a group with
+ an arbitrary name to circumvent unix group name restrictions. In that case the script must print the numeric
+ gid of the created group on stdout.
+ </para>
+</description>
+
+<value type="default"/>
+<value type="example">/usr/sbin/groupadd %g</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/logon/addmachinescript.xml b/docs-xml/smbdotconf/logon/addmachinescript.xml
new file mode 100644
index 0000000..db1f5bc
--- /dev/null
+++ b/docs-xml/smbdotconf/logon/addmachinescript.xml
@@ -0,0 +1,21 @@
+<samba:parameter name="add machine script"
+ context="G"
+ type="string"
+ substitution="1"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ This is the full pathname to a script that will be run by
+ <citerefentry><refentrytitle>smbd</refentrytitle> <manvolnum>8</manvolnum></citerefentry> when a machine is
+ added to Samba's domain and a Unix account matching the machine's name appended with a &quot;$&quot; does not
+ already exist.
+ </para>
+ <para>This option is very similar to the <smbconfoption
+ name="add user script"/>, and likewise uses the %u
+ substitution for the account name. Do not use the %m
+ substitution. </para>
+</description>
+
+<value type="default"/>
+<value type="example">/usr/sbin/adduser -n -g machines -c Machine -d /var/lib/nobody -s /bin/false %u</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/logon/adduserscript.xml b/docs-xml/smbdotconf/logon/adduserscript.xml
new file mode 100644
index 0000000..4be1146
--- /dev/null
+++ b/docs-xml/smbdotconf/logon/adduserscript.xml
@@ -0,0 +1,47 @@
+<samba:parameter name="add user script"
+ context="G"
+ type="string"
+ substitution="1"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ This is the full pathname to a script that will be run <emphasis>AS ROOT</emphasis> by
+ <citerefentry><refentrytitle>smbd</refentrytitle> <manvolnum>8</manvolnum></citerefentry>
+ under special circumstances described below.
+ </para>
+
+ <para>
+ Normally, a Samba server requires that UNIX users are created for all users accessing
+ files on this server. For sites that use Windows NT account databases as their primary
+ user database creating these users and keeping the user list in sync with the Windows
+ NT PDC is an onerous task. This option allows smbd to create the required UNIX users
+ <emphasis>ON DEMAND</emphasis> when a user accesses the Samba server.
+ </para>
+
+ <para>
+ When the Windows user attempts to access the Samba server, at login (session setup in
+ the SMB protocol) time, <citerefentry><refentrytitle>smbd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> contacts the <smbconfoption name="password server"/>
+ and attempts to authenticate the given user with the given password. If the authentication
+ succeeds then <command moreinfo="none">smbd</command> attempts to find a UNIX user in the UNIX
+ password database to map the Windows user into. If this lookup fails, and
+ <smbconfoption name="add user script"/> is set then <command moreinfo="none">smbd</command> will
+ call the specified script <emphasis>AS ROOT</emphasis>, expanding any
+ <parameter moreinfo="none">%u</parameter> argument to be the user name to create.
+ </para>
+
+ <para>
+ If this script successfully creates the user then <command moreinfo="none">smbd</command> will
+ continue on as though the UNIX user already existed. In this way, UNIX users are dynamically created to
+ match existing Windows NT accounts.
+ </para>
+
+ <para>
+ See also <smbconfoption name="security"/>, <smbconfoption name="password server"/>,
+ <smbconfoption name="delete user script"/>.
+ </para>
+</description>
+
+<value type="default"/>
+<value type="example">/usr/local/samba/bin/add_user %u</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/logon/addusertogroupscript.xml b/docs-xml/smbdotconf/logon/addusertogroupscript.xml
new file mode 100644
index 0000000..f6e9cc2
--- /dev/null
+++ b/docs-xml/smbdotconf/logon/addusertogroupscript.xml
@@ -0,0 +1,22 @@
+<samba:parameter name="add user to group script"
+ context="G"
+ type="string"
+ substitution="1"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ Full path to the script that will be called when a user is added to a group using the Windows NT domain administration
+ tools. It will be run by <citerefentry><refentrytitle>smbd</refentrytitle> <manvolnum>8</manvolnum></citerefentry>
+ <emphasis>AS ROOT</emphasis>. Any <parameter moreinfo="none">%g</parameter> will be replaced with the group name and
+ any <parameter moreinfo="none">%u</parameter> will be replaced with the user name.
+ </para>
+
+ <para>
+ Note that the <command>adduser</command> command used in the example below does
+ not support the used syntax on all systems.
+ </para>
+
+</description>
+<value type="default"></value>
+<value type="example">/usr/sbin/adduser %u %g</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/logon/allownt4crypto.xml b/docs-xml/smbdotconf/logon/allownt4crypto.xml
new file mode 100644
index 0000000..ee63e6c
--- /dev/null
+++ b/docs-xml/smbdotconf/logon/allownt4crypto.xml
@@ -0,0 +1,106 @@
+<samba:parameter name="allow nt4 crypto"
+ context="G"
+ type="boolean"
+ deprecated="1"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ This option is deprecated and will be removed in future,
+ as it is a security problem if not set to "no" (which will be
+ the hardcoded behavior in future).
+ </para>
+
+ <para>This option controls whether the netlogon server (currently
+ only in 'active directory domain controller' mode), will
+ reject clients which do not support NETLOGON_NEG_STRONG_KEYS
+ nor NETLOGON_NEG_SUPPORTS_AES.</para>
+
+ <para>This option was added with Samba 4.2.0. It may lock out clients
+ which worked fine with Samba versions up to 4.1.x. as the effective default
+ was "yes" there, while it is "no" now.</para>
+
+ <para>If you have clients without RequireStrongKey = 1 in the registry,
+ you may need to set "allow nt4 crypto = yes", until you have fixed all clients.
+ </para>
+
+ <para>"allow nt4 crypto = yes" allows weak crypto to be negotiated, maybe via downgrade attacks.</para>
+
+ <para><emphasis>Avoid using this option!</emphasis> Use explicit '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">yes</smbconfoption>' instead!
+ Which is available with the patches for
+ <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink>
+ see <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink></para>
+
+ <para>
+ Samba will log an error in the log files at log level 0
+ if legacy a client is rejected or allowed without an explicit,
+ '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">yes</smbconfoption>' option
+ for the client. The message will indicate
+ the explicit '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">yes</smbconfoption>'
+ line to be added, if the legacy client software requires it. (The log level can be adjusted with
+ '<smbconfoption name="CVE_2022_38023:error_debug_level">1</smbconfoption>'
+ in order to complain only at a higher log level).
+ </para>
+
+ <para>This allows admins to use "yes" only for a short grace period,
+ in order to collect the explicit
+ '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">yes</smbconfoption>' options.</para>
+
+ <para>This option is over-ridden by the effective value of 'yes' from
+ the '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT"/>'
+ and/or '<smbconfoption name="reject md5 clients"/>' options.</para>
+</description>
+
+<value type="default">no</value>
+</samba:parameter>
+
+<samba:parameter name="allow nt4 crypto:COMPUTERACCOUNT"
+ context="G"
+ type="string"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+
+ <para>If you still have legacy domain members which required 'allow nt4 crypto = yes',
+ it is possible to specify an explicit exception per computer account
+ by using 'allow nt4 crypto:COMPUTERACCOUNT = yes' as option.
+ Note that COMPUTERACCOUNT has to be the sAMAccountName value of
+ the computer account (including the trailing '$' sign).
+ </para>
+
+ <para>
+ Samba will log a complaint in the log files at log level 0
+ about the security problem if the option is set to "yes",
+ but the related computer does not require it.
+ (The log level can be adjusted with
+ '<smbconfoption name="CVE_2022_38023:warn_about_unused_debug_level">1</smbconfoption>'
+ in order to complain only at a higher log level).
+ </para>
+
+ <para>
+ Samba will log a warning in the log files at log level 5,
+ if a setting is still needed for the specified computer account.
+ </para>
+
+ <para>
+ See <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink>,
+ <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink>.
+ </para>
+
+ <para>This option overrides the <smbconfoption name="allow nt4 crypto"/> option.</para>
+
+ <para>This option is over-ridden by the effective value of 'yes' from
+ the '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT"/>'
+ and/or '<smbconfoption name="reject md5 clients"/>' options.</para>
+ <para>Which means '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">yes</smbconfoption>'
+ is only useful in combination with '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT">no</smbconfoption>'</para>
+
+ <programlisting>
+ allow nt4 crypto:LEGACYCOMPUTER1$ = yes
+ server reject md5 schannel:LEGACYCOMPUTER1$ = no
+ allow nt4 crypto:NASBOX$ = yes
+ server reject md5 schannel:NASBOX$ = no
+ allow nt4 crypto:LEGACYCOMPUTER2$ = yes
+ server reject md5 schannel:LEGACYCOMPUTER2$ = no
+ </programlisting>
+</description>
+
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/logon/autheventnotification.xml b/docs-xml/smbdotconf/logon/autheventnotification.xml
new file mode 100644
index 0000000..87ccf02
--- /dev/null
+++ b/docs-xml/smbdotconf/logon/autheventnotification.xml
@@ -0,0 +1,29 @@
+<samba:parameter name="auth event notification"
+ context="G"
+ type="boolean"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>When enabled, this option causes Samba (acting as an
+ Active Directory Domain Controller) to stream authentication
+ events across the internal message bus. Scripts built using
+ Samba's python bindings can listen to these events by
+ registering as the service
+ <filename moreinfo="none">auth_event</filename>.</para>
+
+ <para>This is <emphasis>not</emphasis> needed for the audit
+ logging described in <smbconfoption name="log level"/>.</para>
+
+ <para>Instead, this should instead be considered a developer
+ option (it assists in the Samba testsuite) rather than a
+ facility for external auditing, as message delivery is not
+ guaranteed (a feature that the testsuite works around).</para>
+
+ <para>The authentication events are also logged via the normal
+ logging methods when the <smbconfoption name="log level"/> is
+ set appropriately, say to
+ <command moreinfo="none">auth_json_audit:3</command>.</para>
+
+</description>
+
+<value type="default">no</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/logon/deletegroupscript.xml b/docs-xml/smbdotconf/logon/deletegroupscript.xml
new file mode 100644
index 0000000..be8bb0d
--- /dev/null
+++ b/docs-xml/smbdotconf/logon/deletegroupscript.xml
@@ -0,0 +1,15 @@
+<samba:parameter name="delete group script"
+ context="G"
+ type="string"
+ substitution="1"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This is the full pathname to a script that will
+ be run <emphasis>AS ROOT</emphasis> by <citerefentry><refentrytitle>smbd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> when a group is requested to be deleted.
+ It will expand any <parameter moreinfo="none">%g</parameter> to the group name passed.
+ This script is only useful for installations using the Windows NT domain administration tools.
+ </para>
+</description>
+<value type="default"></value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/logon/deleteuserfromgroupscript.xml b/docs-xml/smbdotconf/logon/deleteuserfromgroupscript.xml
new file mode 100644
index 0000000..1654a09
--- /dev/null
+++ b/docs-xml/smbdotconf/logon/deleteuserfromgroupscript.xml
@@ -0,0 +1,17 @@
+<samba:parameter name="delete user from group script"
+ context="G"
+ type="string"
+ substitution="1"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>Full path to the script that will be called when
+ a user is removed from a group using the Windows NT domain administration
+ tools. It will be run by <citerefentry><refentrytitle>smbd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> <emphasis>AS ROOT</emphasis>.
+ Any <parameter moreinfo="none">%g</parameter> will be replaced with the group name and
+ any <parameter moreinfo="none">%u</parameter> will be replaced with the user name.
+</para>
+</description>
+<value type="default"/>
+<value type="example">/usr/sbin/deluser %u %g</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/logon/deleteuserscript.xml b/docs-xml/smbdotconf/logon/deleteuserscript.xml
new file mode 100644
index 0000000..22897cb
--- /dev/null
+++ b/docs-xml/smbdotconf/logon/deleteuserscript.xml
@@ -0,0 +1,22 @@
+<samba:parameter name="delete user script"
+ type="string"
+ context="G"
+ substitution="1"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This is the full pathname to a script that will
+ be run by <citerefentry><refentrytitle>smbd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> when managing users
+ with remote RPC (NT) tools.
+ </para>
+
+ <para>This script is called when a remote client removes a user
+ from the server, normally using 'User Manager for Domains' or
+ <command moreinfo="none">rpcclient</command>.</para>
+
+ <para>This script should delete the given UNIX username.</para>
+</description>
+
+<value type="default"></value>
+<value type="example">/usr/local/samba/bin/del_user %u</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/logon/domainlogons.xml b/docs-xml/smbdotconf/logon/domainlogons.xml
new file mode 100644
index 0000000..7f84975
--- /dev/null
+++ b/docs-xml/smbdotconf/logon/domainlogons.xml
@@ -0,0 +1,25 @@
+<samba:parameter name="domain logons"
+ context="G"
+ type="boolean"
+ function="_domain_logons"
+ deprecated="1"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This parameter has been deprecated since Samba 4.13 and
+ support for NT4-style domain logons(as distinct from the Samba
+ AD DC) will be removed in a future Samba release.</para>
+ <para>That is, in the future, the current default of
+ <command>domain logons = no</command>
+ will be the enforced behaviour.</para>
+ <para>
+ If set to <constant>yes</constant>, the Samba server will
+ provide the netlogon service for Windows 9X network logons for the
+ <smbconfoption name="workgroup"/> it is in.
+ This will also cause the Samba server to act as a domain
+ controller for NT4 style domain services. For more details on
+ setting up this feature see the Domain Control chapter of the
+ Samba HOWTO Collection.
+ </para>
+</description>
+<value type="default">no</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/logon/enableprivileges.xml b/docs-xml/smbdotconf/logon/enableprivileges.xml
new file mode 100644
index 0000000..9e28457
--- /dev/null
+++ b/docs-xml/smbdotconf/logon/enableprivileges.xml
@@ -0,0 +1,26 @@
+<samba:parameter name="enable privileges"
+ context="G"
+ type="boolean"
+ deprecated="1"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ This deprecated parameter controls whether or not smbd will honor privileges assigned to specific SIDs via either
+ <command>net rpc rights</command> or one of the Windows user and group manager tools. This parameter is
+ enabled by default. It can be disabled to prevent members of the Domain Admins group from being able to
+ assign privileges to users or groups which can then result in certain smbd operations running as root that
+ would normally run under the context of the connected user.
+ </para>
+
+ <para>
+ An example of how privileges can be used is to assign the right to join clients to a Samba controlled
+ domain without providing root access to the server via smbd.
+ </para>
+
+ <para>
+ Please read the extended description provided in the Samba HOWTO documentation.
+ </para>
+
+</description>
+<value type="default">yes</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/logon/initlogondelay.xml b/docs-xml/smbdotconf/logon/initlogondelay.xml
new file mode 100644
index 0000000..0cdbcd0
--- /dev/null
+++ b/docs-xml/smbdotconf/logon/initlogondelay.xml
@@ -0,0 +1,14 @@
+<samba:parameter name="init logon delay"
+ context="G"
+ type="integer"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ This parameter specifies a delay in milliseconds for the hosts configured
+ for delayed initial samlogon with
+ <smbconfoption name="init logon delayed hosts"/>.
+ </para>
+</description>
+
+<value type="default">100</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/logon/initlogondelayedhosts.xml b/docs-xml/smbdotconf/logon/initlogondelayedhosts.xml
new file mode 100644
index 0000000..83d1ebd
--- /dev/null
+++ b/docs-xml/smbdotconf/logon/initlogondelayedhosts.xml
@@ -0,0 +1,20 @@
+<samba:parameter name="init logon delayed hosts"
+ context="G"
+ type="cmdlist"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ This parameter takes a list of host names, addresses or networks for
+ which the initial samlogon reply should be delayed (so other DCs get
+ preferred by XP workstations if there are any).
+ </para>
+
+ <para>
+ The length of the delay can be specified with the
+ <smbconfoption name="init logon delay"/> parameter.
+ </para>
+</description>
+
+<value type="default"></value>
+<value type="example">150.203.5. myhost.mynet.de</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/logon/logondrive.xml b/docs-xml/smbdotconf/logon/logondrive.xml
new file mode 100644
index 0000000..9767693
--- /dev/null
+++ b/docs-xml/smbdotconf/logon/logondrive.xml
@@ -0,0 +1,18 @@
+<samba:parameter name="logon drive"
+ context="G"
+ type="string"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ This parameter specifies the local path to which the home directory will be
+ connected (see <smbconfoption name="logon home"/>) and is only used by NT
+ Workstations.
+ </para>
+
+ <para>
+ Note that this option is only useful if Samba is set up as a logon server.
+ </para>
+</description>
+<value type="default"></value>
+<value type="example">h:</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/logon/logonhome.xml b/docs-xml/smbdotconf/logon/logonhome.xml
new file mode 100644
index 0000000..cb5f5d5
--- /dev/null
+++ b/docs-xml/smbdotconf/logon/logonhome.xml
@@ -0,0 +1,56 @@
+<samba:parameter name="logon home"
+ context="G"
+ type="string"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ This parameter specifies the home directory location when a Win95/98 or NT Workstation logs into a Samba PDC.
+ It allows you to do
+ </para>
+
+ <para>
+ <prompt moreinfo="none">C:\&gt;</prompt><userinput moreinfo="none">NET USE H: /HOME</userinput>
+ </para>
+
+ <para>
+ from a command prompt, for example.
+ </para>
+
+ <para>
+ This option takes the standard substitutions, allowing you to have separate logon scripts for each user or machine.
+ </para>
+
+ <para>
+ This parameter can be used with Win9X workstations to ensure that roaming profiles are stored in a
+ subdirectory of the user's home directory. This is done in the following way:
+ </para>
+
+ <para>
+ <command moreinfo="none">logon home = \\%N\%U\profile</command>
+ </para>
+
+ <para>
+ This tells Samba to return the above string, with substitutions made when a client requests the info, generally
+ in a NetUserGetInfo request. Win9X clients truncate the info to \\server\share when a user does
+ <command moreinfo="none">net use /home</command> but use the whole string when dealing with profiles.
+ </para>
+
+ <para>
+ Note that in prior versions of Samba, the <smbconfoption name="logon path"/> was returned rather than
+ <parameter moreinfo="none">logon home</parameter>. This broke <command moreinfo="none">net use /home</command>
+ but allowed profiles outside the home directory. The current implementation is correct, and can be used for
+ profiles if you use the above trick.
+ </para>
+
+ <para>
+ Disable this feature by setting <smbconfoption name="logon home">""</smbconfoption> - using the empty string.
+ </para>
+
+ <para>
+ This option is only useful if Samba is set up as a logon server.
+ </para>
+</description>
+
+<value type="default">\\%N\%U</value>
+<value type="example">\\remote_smb_server\%U</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/logon/logonpath.xml b/docs-xml/smbdotconf/logon/logonpath.xml
new file mode 100644
index 0000000..440ebc4
--- /dev/null
+++ b/docs-xml/smbdotconf/logon/logonpath.xml
@@ -0,0 +1,69 @@
+<samba:parameter name="logon path"
+ context="G"
+ type="string"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ This parameter specifies the directory where roaming profiles (Desktop, NTuser.dat, etc) are
+ stored. Contrary to previous versions of these manual pages, it has nothing to do with Win 9X roaming
+ profiles. To find out how to handle roaming profiles for Win 9X system, see the
+ <smbconfoption name="logon home"/> parameter.
+ </para>
+
+ <para>
+ This option takes the standard substitutions, allowing you to have separate logon scripts for each user or
+ machine. It also specifies the directory from which the &quot;Application Data&quot;, <filename
+ moreinfo="none">desktop</filename>, <filename moreinfo="none">start menu</filename>, <filename
+ moreinfo="none">network neighborhood</filename>, <filename moreinfo="none">programs</filename> and other
+ folders, and their contents, are loaded and displayed on your Windows NT client.
+ </para>
+
+ <para>
+ The share and the path must be readable by the user for the preferences and directories to be loaded onto the
+ Windows NT client. The share must be writeable when the user logs in for the first time, in order that the
+ Windows NT client can create the NTuser.dat and other directories.
+ Thereafter, the directories and any of the contents can, if required, be made read-only. It is not advisable
+ that the NTuser.dat file be made read-only - rename it to NTuser.man to achieve the desired effect (a
+ <emphasis>MAN</emphasis>datory profile).
+ </para>
+
+ <para>
+ Windows clients can sometimes maintain a connection to the [homes] share, even though there is no user logged
+ in. Therefore, it is vital that the logon path does not include a reference to the homes share (i.e. setting
+ this parameter to \\%N\homes\profile_path will cause problems).
+ </para>
+
+ <para>
+ This option takes the standard substitutions, allowing you to have separate logon scripts for each user or machine.
+ </para>
+
+ <warning><para>
+ Do not quote the value. Setting this as <quote>\\%N\profile\%U</quote>
+ will break profile handling. Where the tdbsam or ldapsam passdb backend
+ is used, at the time the user account is created the value configured
+ for this parameter is written to the passdb backend and that value will
+ over-ride the parameter value present in the smb.conf file. Any error
+ present in the passdb backend account record must be editted using the
+ appropriate tool (pdbedit on the command-line, or any other locally
+ provided system tool).
+ </para></warning>
+
+ <para>Note that this option is only useful if Samba is set up as a domain controller.</para>
+
+ <para>
+ Disable the use of roaming profiles by setting the value of this parameter to the empty string. For
+ example, <smbconfoption name="logon path">""</smbconfoption>. Take note that even if the default setting
+ in the smb.conf file is the empty string, any value specified in the user account settings in the passdb
+ backend will over-ride the effect of setting this parameter to null. Disabling of all roaming profile use
+ requires that the user account settings must also be blank.
+ </para>
+
+ <para>
+ An example of use is:
+<programlisting>
+logon path = \\PROFILESERVER\PROFILE\%U
+</programlisting>
+ </para>
+</description>
+<value type="default">\\%N\%U\profile</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/logon/logonscript.xml b/docs-xml/smbdotconf/logon/logonscript.xml
new file mode 100644
index 0000000..cf02466
--- /dev/null
+++ b/docs-xml/smbdotconf/logon/logonscript.xml
@@ -0,0 +1,54 @@
+<samba:parameter name="logon script"
+ context="G"
+ type="string"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ This parameter specifies the batch file (<filename>.bat</filename>) or NT command file
+ (<filename>.cmd</filename>) to be downloaded and run on a machine when a user successfully logs in. The file
+ must contain the DOS style CR/LF line endings. Using a DOS-style editor to create the file is recommended.
+ </para>
+
+ <para>
+ The script must be a relative path to the <smbconfsection name="[netlogon]"/> service. If the [netlogon]
+ service specifies a <smbconfoption name="path"/> of <filename
+ moreinfo="none">/usr/local/samba/netlogon</filename>, and <smbconfoption name="logon
+ script">STARTUP.BAT</smbconfoption>, then the file that will be downloaded is:
+<programlisting>
+ /usr/local/samba/netlogon/STARTUP.BAT
+</programlisting>
+ </para>
+
+ <para>
+ The contents of the batch file are entirely your choice. A suggested command would be to add <command
+ moreinfo="none">NET TIME \\SERVER /SET /YES</command>, to force every machine to synchronize clocks with the
+ same time server. Another use would be to add <command moreinfo="none">NET USE U: \\SERVER\UTILS</command>
+ for commonly used utilities, or
+<programlisting>
+<userinput>NET USE Q: \\SERVER\ISO9001_QA</userinput>
+</programlisting>
+ for example.
+ </para>
+
+ <para>
+ Note that it is particularly important not to allow write access to the [netlogon] share, or to grant users
+ write permission on the batch files in a secure environment, as this would allow the batch files to be
+ arbitrarily modified and security to be breached.
+ </para>
+
+ <para>
+ This option takes the standard substitutions, allowing you to have separate logon scripts for each user or
+ machine.
+ </para>
+
+ <para>
+ This option is only useful if Samba is set up as a logon server in a classic domain controller role.
+ If Samba is set up as an Active Directory domain controller, LDAP attribute <filename moreinfo="none">scriptPath</filename>
+ is used instead. For configurations where <smbconfoption name="passdb backend">ldapsam</smbconfoption> is in use,
+ this option only defines a default value in case LDAP attribute <filename moreinfo="none">sambaLogonScript</filename>
+ is missing.
+ </para>
+</description>
+<value type="default"></value>
+<value type="example">scripts\%U.bat</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/logon/rejectmd5clients.xml b/docs-xml/smbdotconf/logon/rejectmd5clients.xml
new file mode 100644
index 0000000..fe7701d
--- /dev/null
+++ b/docs-xml/smbdotconf/logon/rejectmd5clients.xml
@@ -0,0 +1,110 @@
+<samba:parameter name="reject md5 clients"
+ context="G"
+ type="boolean"
+ deprecated="1"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ This option is deprecated and will be removed in a future release,
+ as it is a security problem if not set to "yes" (which will be
+ the hardcoded behavior in the future).
+ </para>
+
+ <para>This option controls whether the netlogon server (currently
+ only in 'active directory domain controller' mode), will
+ reject clients which does not support NETLOGON_NEG_SUPPORTS_AES.</para>
+
+ <para>Support for NETLOGON_NEG_SUPPORTS_AES was added in Windows
+ starting with Server 2008R2 and Windows 7, it's available in Samba
+ starting with 4.0, however third party domain members like NetApp ONTAP
+ still uses RC4 (HMAC-MD5), see
+ <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">https://www.samba.org/samba/security/CVE-2022-38023.html</ulink>
+ for more details.
+ </para>
+
+ <para>The default changed from 'no' to 'yes', with the patches for
+ <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink>
+ see <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink>.
+ </para>
+
+ <para><emphasis>Avoid using this option!</emphasis> Use an explicit per machine account
+ '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT"/>' instead!
+ Which is available with the patches for
+ <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink>
+ see <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink>.
+ </para>
+
+ <para>
+ Samba will log an error in the log files at log level 0
+ if legacy a client is rejected or allowed without an explicit,
+ '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT">no</smbconfoption>' option
+ for the client. The message will indicate
+ the explicit '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT">no</smbconfoption>'
+ line to be added, if the legacy client software requires it. (The log level can be adjusted with
+ '<smbconfoption name="CVE_2022_38023:error_debug_level">1</smbconfoption>'
+ in order to complain only at a higher log level).
+ </para>
+
+ <para>This allows admins to use "no" only for a short grace period,
+ in order to collect the explicit
+ '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT">no</smbconfoption>' options.</para>
+
+ <para>When set to 'yes' this option overrides the
+ '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT"/>' and
+ '<smbconfoption name="allow nt4 crypto"/>' options and implies
+ '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">no</smbconfoption>'.
+ </para>
+</description>
+
+<value type="default">yes</value>
+</samba:parameter>
+
+<samba:parameter name="server reject md5 schannel:COMPUTERACCOUNT"
+ context="G"
+ type="string"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+
+ <para>If you still have legacy domain members or trusted domains,
+ which required "reject md5 clients = no" before,
+ it is possible to specify an explicit exception per computer account
+ by setting 'server reject md5 schannel:COMPUTERACCOUNT = no'.
+ Note that COMPUTERACCOUNT has to be the sAMAccountName value of
+ the computer account (including the trailing '$' sign).
+ </para>
+
+ <para>
+ Samba will log a complaint in the log files at log level 0
+ about the security problem if the option is set to "no",
+ but the related computer does not require it.
+ (The log level can be adjusted with
+ '<smbconfoption name="CVE_2022_38023:warn_about_unused_debug_level">1</smbconfoption>'
+ in order to complain only at a higher log level).
+ </para>
+
+ <para>
+ Samba will log a warning in the log files at log level 5
+ if a setting is still needed for the specified computer account.
+ </para>
+
+ <para>
+ See <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink>,
+ <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink>.
+ </para>
+
+ <para>This option overrides the <smbconfoption name="reject md5 clients"/> option.</para>
+
+ <para>When set to 'yes' this option overrides the
+ '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT"/>' and
+ '<smbconfoption name="allow nt4 crypto"/>' options and implies
+ '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">no</smbconfoption>'.
+ </para>
+
+ <programlisting>
+ server reject md5 schannel:LEGACYCOMPUTER1$ = no
+ server reject md5 schannel:NASBOX$ = no
+ server reject md5 schannel:LEGACYCOMPUTER2$ = no
+ </programlisting>
+</description>
+
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/logon/setprimarygroupscript.xml b/docs-xml/smbdotconf/logon/setprimarygroupscript.xml
new file mode 100644
index 0000000..8d1ae36
--- /dev/null
+++ b/docs-xml/smbdotconf/logon/setprimarygroupscript.xml
@@ -0,0 +1,20 @@
+<samba:parameter name="set primary group script"
+ context="G"
+ type="string"
+ substitution="1"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+
+ <para>Thanks to the Posix subsystem in NT a Windows User has a
+ primary group in addition to the auxiliary groups. This script
+ sets the primary group in the unix user database when an
+ administrator sets the primary group from the windows user
+ manager or when fetching a SAM with <command>net rpc
+ vampire</command>. <parameter>%u</parameter> will be replaced
+ with the user whose primary group is to be set.
+ <parameter>%g</parameter> will be replaced with the group to
+ set.</para>
+</description>
+<value type="default"></value>
+<value type="example">/usr/sbin/usermod -g '%g' '%u'</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/logon/shutdownscript.xml b/docs-xml/smbdotconf/logon/shutdownscript.xml
new file mode 100644
index 0000000..ea5b65f
--- /dev/null
+++ b/docs-xml/smbdotconf/logon/shutdownscript.xml
@@ -0,0 +1,61 @@
+<samba:parameter name="shutdown script"
+ context="G"
+ type="string"
+ substitution="1"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This a full path name to a script called by
+ <citerefentry><refentrytitle>smbd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> that should
+ start a shutdown procedure.</para>
+
+ <para>If the connected user possesses the <constant>SeRemoteShutdownPrivilege</constant>,
+ right, this command will be run as root.</para>
+
+ <para>The %z %t %r %f variables are expanded as follows:</para>
+
+ <itemizedlist>
+ <listitem>
+ <para><parameter moreinfo="none">%z</parameter> will be substituted with the
+ shutdown message sent to the server.</para>
+ </listitem>
+
+ <listitem>
+ <para><parameter moreinfo="none">%t</parameter> will be substituted with the
+ number of seconds to wait before effectively starting the
+ shutdown procedure.</para>
+ </listitem>
+
+ <listitem>
+ <para><parameter moreinfo="none">%r</parameter> will be substituted with the
+ switch <emphasis>-r</emphasis>. It means reboot after shutdown
+ for NT.</para>
+ </listitem>
+
+ <listitem>
+ <para><parameter moreinfo="none">%f</parameter> will be substituted with the
+ switch <emphasis>-f</emphasis>. It means force the shutdown
+ even if applications do not respond for NT.</para>
+ </listitem>
+ </itemizedlist>
+
+ <para>Shutdown script example:
+<programlisting format="linespecific">
+#!/bin/bash
+
+time=$2
+let time=&quot;${time} / 60&quot;
+let time=&quot;${time} + 1&quot;
+
+/sbin/shutdown $3 $4 +$time $1 &amp;
+
+</programlisting>
+ Shutdown does not return so we need to launch it in background.
+ </para>
+
+</description>
+<related>abort shutdown script</related>
+<value type="default"></value>
+<value type="example">/usr/local/samba/sbin/shutdown %m %t %r %f</value>
+
+</samba:parameter>