diff options
Diffstat (limited to 'docs-xml/smbdotconf/logon')
21 files changed, 787 insertions, 0 deletions
diff --git a/docs-xml/smbdotconf/logon/abortshutdownscript.xml b/docs-xml/smbdotconf/logon/abortshutdownscript.xml new file mode 100644 index 0000000..7ce0f1f --- /dev/null +++ b/docs-xml/smbdotconf/logon/abortshutdownscript.xml @@ -0,0 +1,16 @@ +<samba:parameter name="abort shutdown script" + context="G" + type="string" + substitution="1" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para>This a full path name to a script called by <citerefentry><refentrytitle>smbd</refentrytitle> + <manvolnum>8</manvolnum></citerefentry> that + should stop a shutdown procedure issued by the <smbconfoption name="shutdown script"/>.</para> + + <para>If the connected user possesses the <constant>SeRemoteShutdownPrivilege</constant>, + right, this command will be run as root.</para> +</description> +<value type="default">""</value> +<value type="example">/sbin/shutdown -c</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/logon/addgroupscript.xml b/docs-xml/smbdotconf/logon/addgroupscript.xml new file mode 100644 index 0000000..3b347d0 --- /dev/null +++ b/docs-xml/smbdotconf/logon/addgroupscript.xml @@ -0,0 +1,19 @@ +<samba:parameter name="add group script" + context="G" + type="string" + substitution="1" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para> + This is the full pathname to a script that will be run <emphasis>AS ROOT</emphasis> by <citerefentry> + <refentrytitle>smbd</refentrytitle><manvolnum>8</manvolnum></citerefentry> when a new group is requested. It + will expand any <parameter moreinfo="none">%g</parameter> to the group name passed. This script is only useful + for installations using the Windows NT domain administration tools. The script is free to create a group with + an arbitrary name to circumvent unix group name restrictions. In that case the script must print the numeric + gid of the created group on stdout. + </para> +</description> + +<value type="default"/> +<value type="example">/usr/sbin/groupadd %g</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/logon/addmachinescript.xml b/docs-xml/smbdotconf/logon/addmachinescript.xml new file mode 100644 index 0000000..db1f5bc --- /dev/null +++ b/docs-xml/smbdotconf/logon/addmachinescript.xml @@ -0,0 +1,21 @@ +<samba:parameter name="add machine script" + context="G" + type="string" + substitution="1" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para> + This is the full pathname to a script that will be run by + <citerefentry><refentrytitle>smbd</refentrytitle> <manvolnum>8</manvolnum></citerefentry> when a machine is + added to Samba's domain and a Unix account matching the machine's name appended with a "$" does not + already exist. + </para> + <para>This option is very similar to the <smbconfoption + name="add user script"/>, and likewise uses the %u + substitution for the account name. Do not use the %m + substitution. </para> +</description> + +<value type="default"/> +<value type="example">/usr/sbin/adduser -n -g machines -c Machine -d /var/lib/nobody -s /bin/false %u</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/logon/adduserscript.xml b/docs-xml/smbdotconf/logon/adduserscript.xml new file mode 100644 index 0000000..4be1146 --- /dev/null +++ b/docs-xml/smbdotconf/logon/adduserscript.xml @@ -0,0 +1,47 @@ +<samba:parameter name="add user script" + context="G" + type="string" + substitution="1" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para> + This is the full pathname to a script that will be run <emphasis>AS ROOT</emphasis> by + <citerefentry><refentrytitle>smbd</refentrytitle> <manvolnum>8</manvolnum></citerefentry> + under special circumstances described below. + </para> + + <para> + Normally, a Samba server requires that UNIX users are created for all users accessing + files on this server. For sites that use Windows NT account databases as their primary + user database creating these users and keeping the user list in sync with the Windows + NT PDC is an onerous task. This option allows smbd to create the required UNIX users + <emphasis>ON DEMAND</emphasis> when a user accesses the Samba server. + </para> + + <para> + When the Windows user attempts to access the Samba server, at login (session setup in + the SMB protocol) time, <citerefentry><refentrytitle>smbd</refentrytitle> + <manvolnum>8</manvolnum></citerefentry> contacts the <smbconfoption name="password server"/> + and attempts to authenticate the given user with the given password. If the authentication + succeeds then <command moreinfo="none">smbd</command> attempts to find a UNIX user in the UNIX + password database to map the Windows user into. If this lookup fails, and + <smbconfoption name="add user script"/> is set then <command moreinfo="none">smbd</command> will + call the specified script <emphasis>AS ROOT</emphasis>, expanding any + <parameter moreinfo="none">%u</parameter> argument to be the user name to create. + </para> + + <para> + If this script successfully creates the user then <command moreinfo="none">smbd</command> will + continue on as though the UNIX user already existed. In this way, UNIX users are dynamically created to + match existing Windows NT accounts. + </para> + + <para> + See also <smbconfoption name="security"/>, <smbconfoption name="password server"/>, + <smbconfoption name="delete user script"/>. + </para> +</description> + +<value type="default"/> +<value type="example">/usr/local/samba/bin/add_user %u</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/logon/addusertogroupscript.xml b/docs-xml/smbdotconf/logon/addusertogroupscript.xml new file mode 100644 index 0000000..f6e9cc2 --- /dev/null +++ b/docs-xml/smbdotconf/logon/addusertogroupscript.xml @@ -0,0 +1,22 @@ +<samba:parameter name="add user to group script" + context="G" + type="string" + substitution="1" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para> + Full path to the script that will be called when a user is added to a group using the Windows NT domain administration + tools. It will be run by <citerefentry><refentrytitle>smbd</refentrytitle> <manvolnum>8</manvolnum></citerefentry> + <emphasis>AS ROOT</emphasis>. Any <parameter moreinfo="none">%g</parameter> will be replaced with the group name and + any <parameter moreinfo="none">%u</parameter> will be replaced with the user name. + </para> + + <para> + Note that the <command>adduser</command> command used in the example below does + not support the used syntax on all systems. + </para> + +</description> +<value type="default"></value> +<value type="example">/usr/sbin/adduser %u %g</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/logon/allownt4crypto.xml b/docs-xml/smbdotconf/logon/allownt4crypto.xml new file mode 100644 index 0000000..ee63e6c --- /dev/null +++ b/docs-xml/smbdotconf/logon/allownt4crypto.xml @@ -0,0 +1,106 @@ +<samba:parameter name="allow nt4 crypto" + context="G" + type="boolean" + deprecated="1" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para> + This option is deprecated and will be removed in future, + as it is a security problem if not set to "no" (which will be + the hardcoded behavior in future). + </para> + + <para>This option controls whether the netlogon server (currently + only in 'active directory domain controller' mode), will + reject clients which do not support NETLOGON_NEG_STRONG_KEYS + nor NETLOGON_NEG_SUPPORTS_AES.</para> + + <para>This option was added with Samba 4.2.0. It may lock out clients + which worked fine with Samba versions up to 4.1.x. as the effective default + was "yes" there, while it is "no" now.</para> + + <para>If you have clients without RequireStrongKey = 1 in the registry, + you may need to set "allow nt4 crypto = yes", until you have fixed all clients. + </para> + + <para>"allow nt4 crypto = yes" allows weak crypto to be negotiated, maybe via downgrade attacks.</para> + + <para><emphasis>Avoid using this option!</emphasis> Use explicit '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">yes</smbconfoption>' instead! + Which is available with the patches for + <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink> + see <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink></para> + + <para> + Samba will log an error in the log files at log level 0 + if legacy a client is rejected or allowed without an explicit, + '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">yes</smbconfoption>' option + for the client. The message will indicate + the explicit '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">yes</smbconfoption>' + line to be added, if the legacy client software requires it. (The log level can be adjusted with + '<smbconfoption name="CVE_2022_38023:error_debug_level">1</smbconfoption>' + in order to complain only at a higher log level). + </para> + + <para>This allows admins to use "yes" only for a short grace period, + in order to collect the explicit + '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">yes</smbconfoption>' options.</para> + + <para>This option is over-ridden by the effective value of 'yes' from + the '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT"/>' + and/or '<smbconfoption name="reject md5 clients"/>' options.</para> +</description> + +<value type="default">no</value> +</samba:parameter> + +<samba:parameter name="allow nt4 crypto:COMPUTERACCOUNT" + context="G" + type="string" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + + <para>If you still have legacy domain members which required 'allow nt4 crypto = yes', + it is possible to specify an explicit exception per computer account + by using 'allow nt4 crypto:COMPUTERACCOUNT = yes' as option. + Note that COMPUTERACCOUNT has to be the sAMAccountName value of + the computer account (including the trailing '$' sign). + </para> + + <para> + Samba will log a complaint in the log files at log level 0 + about the security problem if the option is set to "yes", + but the related computer does not require it. + (The log level can be adjusted with + '<smbconfoption name="CVE_2022_38023:warn_about_unused_debug_level">1</smbconfoption>' + in order to complain only at a higher log level). + </para> + + <para> + Samba will log a warning in the log files at log level 5, + if a setting is still needed for the specified computer account. + </para> + + <para> + See <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink>, + <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink>. + </para> + + <para>This option overrides the <smbconfoption name="allow nt4 crypto"/> option.</para> + + <para>This option is over-ridden by the effective value of 'yes' from + the '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT"/>' + and/or '<smbconfoption name="reject md5 clients"/>' options.</para> + <para>Which means '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">yes</smbconfoption>' + is only useful in combination with '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT">no</smbconfoption>'</para> + + <programlisting> + allow nt4 crypto:LEGACYCOMPUTER1$ = yes + server reject md5 schannel:LEGACYCOMPUTER1$ = no + allow nt4 crypto:NASBOX$ = yes + server reject md5 schannel:NASBOX$ = no + allow nt4 crypto:LEGACYCOMPUTER2$ = yes + server reject md5 schannel:LEGACYCOMPUTER2$ = no + </programlisting> +</description> + +</samba:parameter> diff --git a/docs-xml/smbdotconf/logon/autheventnotification.xml b/docs-xml/smbdotconf/logon/autheventnotification.xml new file mode 100644 index 0000000..87ccf02 --- /dev/null +++ b/docs-xml/smbdotconf/logon/autheventnotification.xml @@ -0,0 +1,29 @@ +<samba:parameter name="auth event notification" + context="G" + type="boolean" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para>When enabled, this option causes Samba (acting as an + Active Directory Domain Controller) to stream authentication + events across the internal message bus. Scripts built using + Samba's python bindings can listen to these events by + registering as the service + <filename moreinfo="none">auth_event</filename>.</para> + + <para>This is <emphasis>not</emphasis> needed for the audit + logging described in <smbconfoption name="log level"/>.</para> + + <para>Instead, this should instead be considered a developer + option (it assists in the Samba testsuite) rather than a + facility for external auditing, as message delivery is not + guaranteed (a feature that the testsuite works around).</para> + + <para>The authentication events are also logged via the normal + logging methods when the <smbconfoption name="log level"/> is + set appropriately, say to + <command moreinfo="none">auth_json_audit:3</command>.</para> + +</description> + +<value type="default">no</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/logon/deletegroupscript.xml b/docs-xml/smbdotconf/logon/deletegroupscript.xml new file mode 100644 index 0000000..be8bb0d --- /dev/null +++ b/docs-xml/smbdotconf/logon/deletegroupscript.xml @@ -0,0 +1,15 @@ +<samba:parameter name="delete group script" + context="G" + type="string" + substitution="1" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para>This is the full pathname to a script that will + be run <emphasis>AS ROOT</emphasis> by <citerefentry><refentrytitle>smbd</refentrytitle> + <manvolnum>8</manvolnum></citerefentry> when a group is requested to be deleted. + It will expand any <parameter moreinfo="none">%g</parameter> to the group name passed. + This script is only useful for installations using the Windows NT domain administration tools. + </para> +</description> +<value type="default"></value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/logon/deleteuserfromgroupscript.xml b/docs-xml/smbdotconf/logon/deleteuserfromgroupscript.xml new file mode 100644 index 0000000..1654a09 --- /dev/null +++ b/docs-xml/smbdotconf/logon/deleteuserfromgroupscript.xml @@ -0,0 +1,17 @@ +<samba:parameter name="delete user from group script" + context="G" + type="string" + substitution="1" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para>Full path to the script that will be called when + a user is removed from a group using the Windows NT domain administration + tools. It will be run by <citerefentry><refentrytitle>smbd</refentrytitle> + <manvolnum>8</manvolnum></citerefentry> <emphasis>AS ROOT</emphasis>. + Any <parameter moreinfo="none">%g</parameter> will be replaced with the group name and + any <parameter moreinfo="none">%u</parameter> will be replaced with the user name. +</para> +</description> +<value type="default"/> +<value type="example">/usr/sbin/deluser %u %g</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/logon/deleteuserscript.xml b/docs-xml/smbdotconf/logon/deleteuserscript.xml new file mode 100644 index 0000000..22897cb --- /dev/null +++ b/docs-xml/smbdotconf/logon/deleteuserscript.xml @@ -0,0 +1,22 @@ +<samba:parameter name="delete user script" + type="string" + context="G" + substitution="1" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para>This is the full pathname to a script that will + be run by <citerefentry><refentrytitle>smbd</refentrytitle> + <manvolnum>8</manvolnum></citerefentry> when managing users + with remote RPC (NT) tools. + </para> + + <para>This script is called when a remote client removes a user + from the server, normally using 'User Manager for Domains' or + <command moreinfo="none">rpcclient</command>.</para> + + <para>This script should delete the given UNIX username.</para> +</description> + +<value type="default"></value> +<value type="example">/usr/local/samba/bin/del_user %u</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/logon/domainlogons.xml b/docs-xml/smbdotconf/logon/domainlogons.xml new file mode 100644 index 0000000..7f84975 --- /dev/null +++ b/docs-xml/smbdotconf/logon/domainlogons.xml @@ -0,0 +1,25 @@ +<samba:parameter name="domain logons" + context="G" + type="boolean" + function="_domain_logons" + deprecated="1" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para>This parameter has been deprecated since Samba 4.13 and + support for NT4-style domain logons(as distinct from the Samba + AD DC) will be removed in a future Samba release.</para> + <para>That is, in the future, the current default of + <command>domain logons = no</command> + will be the enforced behaviour.</para> + <para> + If set to <constant>yes</constant>, the Samba server will + provide the netlogon service for Windows 9X network logons for the + <smbconfoption name="workgroup"/> it is in. + This will also cause the Samba server to act as a domain + controller for NT4 style domain services. For more details on + setting up this feature see the Domain Control chapter of the + Samba HOWTO Collection. + </para> +</description> +<value type="default">no</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/logon/enableprivileges.xml b/docs-xml/smbdotconf/logon/enableprivileges.xml new file mode 100644 index 0000000..9e28457 --- /dev/null +++ b/docs-xml/smbdotconf/logon/enableprivileges.xml @@ -0,0 +1,26 @@ +<samba:parameter name="enable privileges" + context="G" + type="boolean" + deprecated="1" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para> + This deprecated parameter controls whether or not smbd will honor privileges assigned to specific SIDs via either + <command>net rpc rights</command> or one of the Windows user and group manager tools. This parameter is + enabled by default. It can be disabled to prevent members of the Domain Admins group from being able to + assign privileges to users or groups which can then result in certain smbd operations running as root that + would normally run under the context of the connected user. + </para> + + <para> + An example of how privileges can be used is to assign the right to join clients to a Samba controlled + domain without providing root access to the server via smbd. + </para> + + <para> + Please read the extended description provided in the Samba HOWTO documentation. + </para> + +</description> +<value type="default">yes</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/logon/initlogondelay.xml b/docs-xml/smbdotconf/logon/initlogondelay.xml new file mode 100644 index 0000000..0cdbcd0 --- /dev/null +++ b/docs-xml/smbdotconf/logon/initlogondelay.xml @@ -0,0 +1,14 @@ +<samba:parameter name="init logon delay" + context="G" + type="integer" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para> + This parameter specifies a delay in milliseconds for the hosts configured + for delayed initial samlogon with + <smbconfoption name="init logon delayed hosts"/>. + </para> +</description> + +<value type="default">100</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/logon/initlogondelayedhosts.xml b/docs-xml/smbdotconf/logon/initlogondelayedhosts.xml new file mode 100644 index 0000000..83d1ebd --- /dev/null +++ b/docs-xml/smbdotconf/logon/initlogondelayedhosts.xml @@ -0,0 +1,20 @@ +<samba:parameter name="init logon delayed hosts" + context="G" + type="cmdlist" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para> + This parameter takes a list of host names, addresses or networks for + which the initial samlogon reply should be delayed (so other DCs get + preferred by XP workstations if there are any). + </para> + + <para> + The length of the delay can be specified with the + <smbconfoption name="init logon delay"/> parameter. + </para> +</description> + +<value type="default"></value> +<value type="example">150.203.5. myhost.mynet.de</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/logon/logondrive.xml b/docs-xml/smbdotconf/logon/logondrive.xml new file mode 100644 index 0000000..9767693 --- /dev/null +++ b/docs-xml/smbdotconf/logon/logondrive.xml @@ -0,0 +1,18 @@ +<samba:parameter name="logon drive" + context="G" + type="string" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para> + This parameter specifies the local path to which the home directory will be + connected (see <smbconfoption name="logon home"/>) and is only used by NT + Workstations. + </para> + + <para> + Note that this option is only useful if Samba is set up as a logon server. + </para> +</description> +<value type="default"></value> +<value type="example">h:</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/logon/logonhome.xml b/docs-xml/smbdotconf/logon/logonhome.xml new file mode 100644 index 0000000..cb5f5d5 --- /dev/null +++ b/docs-xml/smbdotconf/logon/logonhome.xml @@ -0,0 +1,56 @@ +<samba:parameter name="logon home" + context="G" + type="string" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para> + This parameter specifies the home directory location when a Win95/98 or NT Workstation logs into a Samba PDC. + It allows you to do + </para> + + <para> + <prompt moreinfo="none">C:\></prompt><userinput moreinfo="none">NET USE H: /HOME</userinput> + </para> + + <para> + from a command prompt, for example. + </para> + + <para> + This option takes the standard substitutions, allowing you to have separate logon scripts for each user or machine. + </para> + + <para> + This parameter can be used with Win9X workstations to ensure that roaming profiles are stored in a + subdirectory of the user's home directory. This is done in the following way: + </para> + + <para> + <command moreinfo="none">logon home = \\%N\%U\profile</command> + </para> + + <para> + This tells Samba to return the above string, with substitutions made when a client requests the info, generally + in a NetUserGetInfo request. Win9X clients truncate the info to \\server\share when a user does + <command moreinfo="none">net use /home</command> but use the whole string when dealing with profiles. + </para> + + <para> + Note that in prior versions of Samba, the <smbconfoption name="logon path"/> was returned rather than + <parameter moreinfo="none">logon home</parameter>. This broke <command moreinfo="none">net use /home</command> + but allowed profiles outside the home directory. The current implementation is correct, and can be used for + profiles if you use the above trick. + </para> + + <para> + Disable this feature by setting <smbconfoption name="logon home">""</smbconfoption> - using the empty string. + </para> + + <para> + This option is only useful if Samba is set up as a logon server. + </para> +</description> + +<value type="default">\\%N\%U</value> +<value type="example">\\remote_smb_server\%U</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/logon/logonpath.xml b/docs-xml/smbdotconf/logon/logonpath.xml new file mode 100644 index 0000000..440ebc4 --- /dev/null +++ b/docs-xml/smbdotconf/logon/logonpath.xml @@ -0,0 +1,69 @@ +<samba:parameter name="logon path" + context="G" + type="string" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para> + This parameter specifies the directory where roaming profiles (Desktop, NTuser.dat, etc) are + stored. Contrary to previous versions of these manual pages, it has nothing to do with Win 9X roaming + profiles. To find out how to handle roaming profiles for Win 9X system, see the + <smbconfoption name="logon home"/> parameter. + </para> + + <para> + This option takes the standard substitutions, allowing you to have separate logon scripts for each user or + machine. It also specifies the directory from which the "Application Data", <filename + moreinfo="none">desktop</filename>, <filename moreinfo="none">start menu</filename>, <filename + moreinfo="none">network neighborhood</filename>, <filename moreinfo="none">programs</filename> and other + folders, and their contents, are loaded and displayed on your Windows NT client. + </para> + + <para> + The share and the path must be readable by the user for the preferences and directories to be loaded onto the + Windows NT client. The share must be writeable when the user logs in for the first time, in order that the + Windows NT client can create the NTuser.dat and other directories. + Thereafter, the directories and any of the contents can, if required, be made read-only. It is not advisable + that the NTuser.dat file be made read-only - rename it to NTuser.man to achieve the desired effect (a + <emphasis>MAN</emphasis>datory profile). + </para> + + <para> + Windows clients can sometimes maintain a connection to the [homes] share, even though there is no user logged + in. Therefore, it is vital that the logon path does not include a reference to the homes share (i.e. setting + this parameter to \\%N\homes\profile_path will cause problems). + </para> + + <para> + This option takes the standard substitutions, allowing you to have separate logon scripts for each user or machine. + </para> + + <warning><para> + Do not quote the value. Setting this as <quote>\\%N\profile\%U</quote> + will break profile handling. Where the tdbsam or ldapsam passdb backend + is used, at the time the user account is created the value configured + for this parameter is written to the passdb backend and that value will + over-ride the parameter value present in the smb.conf file. Any error + present in the passdb backend account record must be editted using the + appropriate tool (pdbedit on the command-line, or any other locally + provided system tool). + </para></warning> + + <para>Note that this option is only useful if Samba is set up as a domain controller.</para> + + <para> + Disable the use of roaming profiles by setting the value of this parameter to the empty string. For + example, <smbconfoption name="logon path">""</smbconfoption>. Take note that even if the default setting + in the smb.conf file is the empty string, any value specified in the user account settings in the passdb + backend will over-ride the effect of setting this parameter to null. Disabling of all roaming profile use + requires that the user account settings must also be blank. + </para> + + <para> + An example of use is: +<programlisting> +logon path = \\PROFILESERVER\PROFILE\%U +</programlisting> + </para> +</description> +<value type="default">\\%N\%U\profile</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/logon/logonscript.xml b/docs-xml/smbdotconf/logon/logonscript.xml new file mode 100644 index 0000000..cf02466 --- /dev/null +++ b/docs-xml/smbdotconf/logon/logonscript.xml @@ -0,0 +1,54 @@ +<samba:parameter name="logon script" + context="G" + type="string" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para> + This parameter specifies the batch file (<filename>.bat</filename>) or NT command file + (<filename>.cmd</filename>) to be downloaded and run on a machine when a user successfully logs in. The file + must contain the DOS style CR/LF line endings. Using a DOS-style editor to create the file is recommended. + </para> + + <para> + The script must be a relative path to the <smbconfsection name="[netlogon]"/> service. If the [netlogon] + service specifies a <smbconfoption name="path"/> of <filename + moreinfo="none">/usr/local/samba/netlogon</filename>, and <smbconfoption name="logon + script">STARTUP.BAT</smbconfoption>, then the file that will be downloaded is: +<programlisting> + /usr/local/samba/netlogon/STARTUP.BAT +</programlisting> + </para> + + <para> + The contents of the batch file are entirely your choice. A suggested command would be to add <command + moreinfo="none">NET TIME \\SERVER /SET /YES</command>, to force every machine to synchronize clocks with the + same time server. Another use would be to add <command moreinfo="none">NET USE U: \\SERVER\UTILS</command> + for commonly used utilities, or +<programlisting> +<userinput>NET USE Q: \\SERVER\ISO9001_QA</userinput> +</programlisting> + for example. + </para> + + <para> + Note that it is particularly important not to allow write access to the [netlogon] share, or to grant users + write permission on the batch files in a secure environment, as this would allow the batch files to be + arbitrarily modified and security to be breached. + </para> + + <para> + This option takes the standard substitutions, allowing you to have separate logon scripts for each user or + machine. + </para> + + <para> + This option is only useful if Samba is set up as a logon server in a classic domain controller role. + If Samba is set up as an Active Directory domain controller, LDAP attribute <filename moreinfo="none">scriptPath</filename> + is used instead. For configurations where <smbconfoption name="passdb backend">ldapsam</smbconfoption> is in use, + this option only defines a default value in case LDAP attribute <filename moreinfo="none">sambaLogonScript</filename> + is missing. + </para> +</description> +<value type="default"></value> +<value type="example">scripts\%U.bat</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/logon/rejectmd5clients.xml b/docs-xml/smbdotconf/logon/rejectmd5clients.xml new file mode 100644 index 0000000..fe7701d --- /dev/null +++ b/docs-xml/smbdotconf/logon/rejectmd5clients.xml @@ -0,0 +1,110 @@ +<samba:parameter name="reject md5 clients" + context="G" + type="boolean" + deprecated="1" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para> + This option is deprecated and will be removed in a future release, + as it is a security problem if not set to "yes" (which will be + the hardcoded behavior in the future). + </para> + + <para>This option controls whether the netlogon server (currently + only in 'active directory domain controller' mode), will + reject clients which does not support NETLOGON_NEG_SUPPORTS_AES.</para> + + <para>Support for NETLOGON_NEG_SUPPORTS_AES was added in Windows + starting with Server 2008R2 and Windows 7, it's available in Samba + starting with 4.0, however third party domain members like NetApp ONTAP + still uses RC4 (HMAC-MD5), see + <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">https://www.samba.org/samba/security/CVE-2022-38023.html</ulink> + for more details. + </para> + + <para>The default changed from 'no' to 'yes', with the patches for + <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink> + see <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink>. + </para> + + <para><emphasis>Avoid using this option!</emphasis> Use an explicit per machine account + '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT"/>' instead! + Which is available with the patches for + <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink> + see <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink>. + </para> + + <para> + Samba will log an error in the log files at log level 0 + if legacy a client is rejected or allowed without an explicit, + '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT">no</smbconfoption>' option + for the client. The message will indicate + the explicit '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT">no</smbconfoption>' + line to be added, if the legacy client software requires it. (The log level can be adjusted with + '<smbconfoption name="CVE_2022_38023:error_debug_level">1</smbconfoption>' + in order to complain only at a higher log level). + </para> + + <para>This allows admins to use "no" only for a short grace period, + in order to collect the explicit + '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT">no</smbconfoption>' options.</para> + + <para>When set to 'yes' this option overrides the + '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT"/>' and + '<smbconfoption name="allow nt4 crypto"/>' options and implies + '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">no</smbconfoption>'. + </para> +</description> + +<value type="default">yes</value> +</samba:parameter> + +<samba:parameter name="server reject md5 schannel:COMPUTERACCOUNT" + context="G" + type="string" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + + <para>If you still have legacy domain members or trusted domains, + which required "reject md5 clients = no" before, + it is possible to specify an explicit exception per computer account + by setting 'server reject md5 schannel:COMPUTERACCOUNT = no'. + Note that COMPUTERACCOUNT has to be the sAMAccountName value of + the computer account (including the trailing '$' sign). + </para> + + <para> + Samba will log a complaint in the log files at log level 0 + about the security problem if the option is set to "no", + but the related computer does not require it. + (The log level can be adjusted with + '<smbconfoption name="CVE_2022_38023:warn_about_unused_debug_level">1</smbconfoption>' + in order to complain only at a higher log level). + </para> + + <para> + Samba will log a warning in the log files at log level 5 + if a setting is still needed for the specified computer account. + </para> + + <para> + See <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink>, + <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink>. + </para> + + <para>This option overrides the <smbconfoption name="reject md5 clients"/> option.</para> + + <para>When set to 'yes' this option overrides the + '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT"/>' and + '<smbconfoption name="allow nt4 crypto"/>' options and implies + '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">no</smbconfoption>'. + </para> + + <programlisting> + server reject md5 schannel:LEGACYCOMPUTER1$ = no + server reject md5 schannel:NASBOX$ = no + server reject md5 schannel:LEGACYCOMPUTER2$ = no + </programlisting> +</description> + +</samba:parameter> diff --git a/docs-xml/smbdotconf/logon/setprimarygroupscript.xml b/docs-xml/smbdotconf/logon/setprimarygroupscript.xml new file mode 100644 index 0000000..8d1ae36 --- /dev/null +++ b/docs-xml/smbdotconf/logon/setprimarygroupscript.xml @@ -0,0 +1,20 @@ +<samba:parameter name="set primary group script" + context="G" + type="string" + substitution="1" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + + <para>Thanks to the Posix subsystem in NT a Windows User has a + primary group in addition to the auxiliary groups. This script + sets the primary group in the unix user database when an + administrator sets the primary group from the windows user + manager or when fetching a SAM with <command>net rpc + vampire</command>. <parameter>%u</parameter> will be replaced + with the user whose primary group is to be set. + <parameter>%g</parameter> will be replaced with the group to + set.</para> +</description> +<value type="default"></value> +<value type="example">/usr/sbin/usermod -g '%g' '%u'</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/logon/shutdownscript.xml b/docs-xml/smbdotconf/logon/shutdownscript.xml new file mode 100644 index 0000000..ea5b65f --- /dev/null +++ b/docs-xml/smbdotconf/logon/shutdownscript.xml @@ -0,0 +1,61 @@ +<samba:parameter name="shutdown script" + context="G" + type="string" + substitution="1" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para>This a full path name to a script called by + <citerefentry><refentrytitle>smbd</refentrytitle> + <manvolnum>8</manvolnum></citerefentry> that should + start a shutdown procedure.</para> + + <para>If the connected user possesses the <constant>SeRemoteShutdownPrivilege</constant>, + right, this command will be run as root.</para> + + <para>The %z %t %r %f variables are expanded as follows:</para> + + <itemizedlist> + <listitem> + <para><parameter moreinfo="none">%z</parameter> will be substituted with the + shutdown message sent to the server.</para> + </listitem> + + <listitem> + <para><parameter moreinfo="none">%t</parameter> will be substituted with the + number of seconds to wait before effectively starting the + shutdown procedure.</para> + </listitem> + + <listitem> + <para><parameter moreinfo="none">%r</parameter> will be substituted with the + switch <emphasis>-r</emphasis>. It means reboot after shutdown + for NT.</para> + </listitem> + + <listitem> + <para><parameter moreinfo="none">%f</parameter> will be substituted with the + switch <emphasis>-f</emphasis>. It means force the shutdown + even if applications do not respond for NT.</para> + </listitem> + </itemizedlist> + + <para>Shutdown script example: +<programlisting format="linespecific"> +#!/bin/bash + +time=$2 +let time="${time} / 60" +let time="${time} + 1" + +/sbin/shutdown $3 $4 +$time $1 & + +</programlisting> + Shutdown does not return so we need to launch it in background. + </para> + +</description> +<related>abort shutdown script</related> +<value type="default"></value> +<value type="example">/usr/local/samba/sbin/shutdown %m %t %r %f</value> + +</samba:parameter> |