Diffstat (limited to 'docs-xml/smbdotconf/winbind')
35 files changed, 816 insertions, 0 deletions
diff --git a/docs-xml/smbdotconf/winbind/applygrouppolicies.xml b/docs-xml/smbdotconf/winbind/applygrouppolicies.xml new file mode 100644 index 0000000..67baa0d --- /dev/null +++ b/docs-xml/smbdotconf/winbind/applygrouppolicies.xml @@ -0,0 +1,19 @@ +<samba:parameter name="apply group policies" + context="G" + type="boolean" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + + <para>This option controls whether winbind will execute the gpupdate + command defined in <smbconfoption name="gpo update command"/> on the + Group Policy update interval. The Group Policy update interval is + defined as every 90 minutes, plus a random offset between 0 and 30 + minutes. This applies Group Policy Machine polices to the client or + KDC and machine policies to a server. + </para> + +</description> + +<value type="default">no</value> +<value type="example">yes</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/winbind/createkrb5conf.xml b/docs-xml/smbdotconf/winbind/createkrb5conf.xml new file mode 100644 index 0000000..4054034 --- /dev/null +++ b/docs-xml/smbdotconf/winbind/createkrb5conf.xml @@ -0,0 +1,23 @@ +<samba:parameter name="create krb5 conf" + context="G" + type="boolean" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + + <para> + Setting this parameter to <value type="example">no</value> prevents + winbind from creating custom krb5.conf files. Winbind normally does + this because the krb5 libraries are not AD-site-aware and thus would + pick any domain controller out of potentially very many. Winbind + is site-aware and makes the krb5 libraries use a local DC by + creating its own krb5.conf files. + </para> + <para> + Preventing winbind from doing this might become necessary if you + have to add special options into your system-krb5.conf that winbind + does not see. + </para> + +</description> +<value type="default">yes</value> +</samba:parameter> 
diff --git a/docs-xml/smbdotconf/winbind/idmapbackend.xml b/docs-xml/smbdotconf/winbind/idmapbackend.xml new file mode 100644 index 0000000..864a975 --- /dev/null +++ b/docs-xml/smbdotconf/winbind/idmapbackend.xml @@ -0,0 +1,22 @@ +<samba:parameter name="idmap backend" + context="G" + type="string" + generated_function="0" + handler="handle_idmap_backend" + deprecated="1" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para> + The idmap backend provides a plugin interface for Winbind to use + varying backends to store SID/uid/gid mapping tables. + </para> + + <para> + This option specifies the default backend that is used when no special + configuration set, but it is now deprecated in favour of the new + spelling <smbconfoption name="idmap config * : backend"/>. + </para> +</description> + +<value type="default">tdb</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/winbind/idmapcachetime.xml b/docs-xml/smbdotconf/winbind/idmapcachetime.xml new file mode 100644 index 0000000..87c6c56 --- /dev/null +++ b/docs-xml/smbdotconf/winbind/idmapcachetime.xml @@ -0,0 +1,13 @@ +<samba:parameter name="idmap cache time" + context="G" + type="integer" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para>This parameter specifies the number of seconds that Winbind's + idmap interface will cache positive SID/uid/gid query results. By + default, Samba will cache these results for one week. + </para> +</description> + +<value type="default">604800</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/winbind/idmapconfig.xml b/docs-xml/smbdotconf/winbind/idmapconfig.xml new file mode 100644 index 0000000..f70f11d --- /dev/null +++ b/docs-xml/smbdotconf/winbind/idmapconfig.xml 
@@ -0,0 +1,122 @@ +<samba:parameter name="idmap config DOMAIN : OPTION" + context="G" + type="string" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + + <para> + ID mapping in Samba is the mapping between Windows SIDs and Unix user + and group IDs. This is performed by Winbindd with a configurable plugin + interface. Samba's ID mapping is configured by options starting with the + <smbconfoption name="idmap config"/> prefix. + An idmap option consists of the <smbconfoption name="idmap config"/> + prefix, followed by a domain name or the asterisk character (*), + a colon, and the name of an idmap setting for the chosen domain. + </para> + + <para> + The idmap configuration is hence divided into groups, one group + for each domain to be configured, and one group with the + asterisk instead of a proper domain name, which specifies the + default configuration that is used to catch all domains that do + not have an explicit idmap configuration of their own. + </para> + + <para> + There are three general options available: + </para> + + <variablelist> + <varlistentry> + <term>backend = backend_name</term> + <listitem><para> + This specifies the name of the idmap plugin to use as the + SID/uid/gid backend for this domain. 
The standard backends are + tdb + (<citerefentry><refentrytitle>idmap_tdb</refentrytitle> <manvolnum>8</manvolnum> </citerefentry>), + tdb2 + (<citerefentry><refentrytitle>idmap_tdb2</refentrytitle> <manvolnum>8</manvolnum></citerefentry>), + ldap + (<citerefentry><refentrytitle>idmap_ldap</refentrytitle> <manvolnum>8</manvolnum></citerefentry>), + rid + (<citerefentry><refentrytitle>idmap_rid</refentrytitle> <manvolnum>8</manvolnum></citerefentry>), + hash + (<citerefentry><refentrytitle>idmap_hash</refentrytitle> <manvolnum>8</manvolnum></citerefentry>), + autorid + (<citerefentry><refentrytitle>idmap_autorid</refentrytitle> <manvolnum>8</manvolnum></citerefentry>), + ad + (<citerefentry><refentrytitle>idmap_ad</refentrytitle> <manvolnum>8</manvolnum></citerefentry>) + and nss + (<citerefentry><refentrytitle>idmap_nss</refentrytitle> <manvolnum>8</manvolnum></citerefentry>). + The corresponding manual pages contain the details, but + here is a summary. + </para> + <para> + The first three of these create mappings of their own using + internal unixid counters and store the mappings in a database. + These are suitable for use in the default idmap configuration. + The rid and hash backends use a pure algorithmic calculation + to determine the unixid for a SID. The autorid module is a + mixture of the tdb and rid backend. It creates ranges for + each domain encountered and then uses the rid algorithm for each + of these automatically configured domains individually. + The ad backend uses unix ids stored in Active Directory via + the standard schema extensions. The nss backend reverses + the standard winbindd setup and gets the unix ids via names + from nsswitch which can be useful in an ldap setup. + </para></listitem> + </varlistentry> + + <varlistentry> + <term>range = low - high</term> + <listitem><para> + Defines the available matching uid and gid range for which the + backend is authoritative. 
For allocating backends, this also + defines the start and the end of the range for allocating + new unique IDs. + </para> + <para> + winbind uses this parameter to find the backend that is + authoritative for a unix ID to SID mapping, so it must be set + for each individually configured domain and for the default + configuration. The configured ranges must be mutually disjoint. + </para> + <para> + Note that the low value interacts with the <smbconfoption name="min domain uid"/> option! + </para></listitem> + </varlistentry> + + <varlistentry> + <term>read only = yes|no</term> + <listitem><para> + This option can be used to turn the writing backends + tdb, tdb2, and ldap into read only mode. This can be useful + e.g. in cases where a pre-filled database exists that should + not be extended automatically. + </para></listitem> + </varlistentry> + </variablelist> + + <para> + The following example illustrates how to configure the <citerefentry> + <refentrytitle>idmap_ad</refentrytitle> <manvolnum>8</manvolnum> + </citerefentry> backend for the CORP domain and the + <citerefentry><refentrytitle>idmap_tdb</refentrytitle> + <manvolnum>8</manvolnum></citerefentry> backend for all other + domains. This configuration assumes that the admin of CORP assigns + unix ids below 1000000 via the SFU extensions, and winbind is supposed + to use the next million entries for its own mappings from trusted + domains and for local groups for example. + </para> + + <programlisting> + idmap config * : backend = tdb + idmap config * : range = 1000000-1999999 + + idmap config CORP : backend = ad + idmap config CORP : range = 1000-999999 + </programlisting> + +</description> +<related>min domain uid</related> +</samba:parameter> diff --git a/docs-xml/smbdotconf/winbind/idmapgid.xml b/docs-xml/smbdotconf/winbind/idmapgid.xml new file mode 100644 index 0000000..1b576b2 --- /dev/null +++ b/docs-xml/smbdotconf/winbind/idmapgid.xml 
@@ -0,0 +1,21 @@ +<samba:parameter name="idmap gid" + context="G" + type="string" + generated_function="0" + handler="handle_idmap_gid" + deprecated="1" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<synonym>winbind gid</synonym> +<description> + <para> + The idmap gid parameter specifies the range of group ids + for the default idmap configuration. It is now deprecated + in favour of <smbconfoption name="idmap config * : range"/>. + </para> + + <para>See the <smbconfoption name="idmap config"/> option.</para> +</description> + +<value type="default"></value> +<value type="example">10000-20000</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/winbind/idmapnegativecachetime.xml b/docs-xml/smbdotconf/winbind/idmapnegativecachetime.xml new file mode 100644 index 0000000..32c4e1f --- /dev/null +++ b/docs-xml/smbdotconf/winbind/idmapnegativecachetime.xml @@ -0,0 +1,12 @@ +<samba:parameter name="idmap negative cache time" + context="G" + type="integer" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para>This parameter specifies the number of seconds that Winbind's + idmap interface will cache negative SID/uid/gid query results. + </para> +</description> + +<value type="default">120</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/winbind/idmapuid.xml b/docs-xml/smbdotconf/winbind/idmapuid.xml new file mode 100644 index 0000000..f666f61 --- /dev/null +++ b/docs-xml/smbdotconf/winbind/idmapuid.xml 
@@ -0,0 +1,21 @@ +<samba:parameter name="idmap uid" + type="string" + context="G" + generated_function="0" + handler="handle_idmap_uid" + deprecated="1" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<synonym>winbind uid</synonym> +<description> + <para> + The idmap uid parameter specifies the range of user ids for + the default idmap configuration. It is now deprecated in favour + of <smbconfoption name="idmap config * : range"/>. + </para> + + <para>See the <smbconfoption name="idmap config"/> option.</para> +</description> + +<value type="default"></value> +<value type="example">10000-20000</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/winbind/includesystemkrb5conf.xml b/docs-xml/smbdotconf/winbind/includesystemkrb5conf.xml new file mode 100644 index 0000000..3e53292 --- /dev/null +++ b/docs-xml/smbdotconf/winbind/includesystemkrb5conf.xml @@ -0,0 +1,15 @@ +<samba:parameter name="include system krb5 conf" + context="G" + type="boolean" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para> + Setting this parameter to <value type="example">no</value> will prevent + winbind to include the system /etc/krb5.conf file into the krb5.conf file + it creates. See also <smbconfoption name="create krb5 conf"/>. This option + only applies to Samba built with MIT Kerberos. + </para> + +</description> +<value type="default">yes</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/winbind/netutralizent4emulation.xml b/docs-xml/smbdotconf/winbind/netutralizent4emulation.xml new file mode 100644 index 0000000..247822e --- /dev/null +++ b/docs-xml/smbdotconf/winbind/netutralizent4emulation.xml 
@@ -0,0 +1,18 @@ +<samba:parameter name="neutralize nt4 emulation" + context="G" + type="boolean" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para>This option controls whether winbindd sends + the NETLOGON_NEG_NEUTRALIZE_NT4_EMULATION flag in order to bypass + the NT4 emulation of a domain controller.</para> + + <para>Typically you should not need set this. + It can be useful for upgrades from NT4 to AD domains.</para> + + <para>The behavior can be controlled per netbios domain + by using 'neutralize nt4 emulation:NETBIOSDOMAIN = yes' as option.</para> +</description> + +<value type="default">no</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/winbind/rejectmd5servers.xml b/docs-xml/smbdotconf/winbind/rejectmd5servers.xml new file mode 100644 index 0000000..3bc4eaf --- /dev/null +++ b/docs-xml/smbdotconf/winbind/rejectmd5servers.xml @@ -0,0 +1,25 @@ +<samba:parameter name="reject md5 servers" + context="G" + type="boolean" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para>This option controls whether winbindd requires support + for aes support for the netlogon secure channel.</para> + + <para>The following flags will be required NETLOGON_NEG_ARCFOUR, + NETLOGON_NEG_SUPPORTS_AES, NETLOGON_NEG_PASSWORD_SET2 and NETLOGON_NEG_AUTHENTICATED_RPC.</para> + + <para>You can set this to yes if all domain controllers support aes. + This will prevent downgrade attacks.</para> + + <para>The behavior can be controlled per netbios domain + by using 'reject md5 servers:NETBIOSDOMAIN = no' as option.</para> + + <para>The default changed from 'no' to 'yes, with the patches for CVE-2022-38023, + see https://bugzilla.samba.org/show_bug.cgi?id=15240</para> + + <para>This option overrides the <smbconfoption name="require strong key"/> option.</para> +</description> + +<value type="default">yes</value> +</samba:parameter> 
diff --git a/docs-xml/smbdotconf/winbind/requirestrongkey.xml b/docs-xml/smbdotconf/winbind/requirestrongkey.xml new file mode 100644 index 0000000..9c1c1d7 --- /dev/null +++ b/docs-xml/smbdotconf/winbind/requirestrongkey.xml @@ -0,0 +1,26 @@ +<samba:parameter name="require strong key" + context="G" + type="boolean" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para>This option controls whether winbindd requires support + for md5 strong key support for the netlogon secure channel.</para> + + <para>The following flags will be required NETLOGON_NEG_STRONG_KEYS, + NETLOGON_NEG_ARCFOUR and NETLOGON_NEG_AUTHENTICATED_RPC.</para> + + <para>You can set this to no if some domain controllers only support des. + This might allows weak crypto to be negotiated, may via downgrade attacks.</para> + + <para>The behavior can be controlled per netbios domain + by using 'require strong key:NETBIOSDOMAIN = no' as option.</para> + + <para>Note for active directory domain this option is hardcoded to 'yes'</para> + + <para>This option is over-ridden by the <smbconfoption name="reject md5 servers"/> option.</para> + + <para>This option overrides the <smbconfoption name="client schannel"/> option.</para> +</description> + +<value type="default">yes</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/winbind/templatehomedir.xml b/docs-xml/smbdotconf/winbind/templatehomedir.xml new file mode 100644 index 0000000..2801edf --- /dev/null +++ b/docs-xml/smbdotconf/winbind/templatehomedir.xml 
@@ -0,0 +1,17 @@ +<samba:parameter name="template homedir" + context="G" + type="string" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para>When filling out the user information for a Windows NT + user, the <citerefentry><refentrytitle>winbindd</refentrytitle> + <manvolnum>8</manvolnum></citerefentry> daemon uses this + parameter to fill in the home directory for that user. If the + string <parameter moreinfo="none">%D</parameter> is present it + is substituted with the user's Windows NT domain name. If the + string <parameter moreinfo="none">%U</parameter> is present it + is substituted with the user's Windows NT user name.</para> +</description> + +<value type="default">/home/%D/%U</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/winbind/templateshell.xml b/docs-xml/smbdotconf/winbind/templateshell.xml new file mode 100644 index 0000000..891c424 --- /dev/null +++ b/docs-xml/smbdotconf/winbind/templateshell.xml @@ -0,0 +1,13 @@ +<samba:parameter name="template shell" + context="G" + type="string" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para>When filling out the user information for a Windows NT + user, the <citerefentry><refentrytitle>winbindd</refentrytitle> + <manvolnum>8</manvolnum></citerefentry> daemon uses this + parameter to fill in the login shell for that user.</para> +</description> + +<value type="default">/bin/false</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/winbind/winbindcachetime.xml b/docs-xml/smbdotconf/winbind/winbindcachetime.xml new file mode 100644 index 0000000..2f69de3 --- /dev/null +++ b/docs-xml/smbdotconf/winbind/winbindcachetime.xml 
@@ -0,0 +1,20 @@ +<samba:parameter name="winbind cache time" + context="G" + type="integer" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para>This parameter specifies the number of + seconds the <citerefentry><refentrytitle>winbindd</refentrytitle> + <manvolnum>8</manvolnum></citerefentry> daemon will cache + user and group information before querying a Windows NT server + again.</para> + + <para> + This does not apply to authentication requests, these are always + evaluated in real time unless the <smbconfoption name="winbind + offline logon"/> option has been enabled. + </para> +</description> + +<value type="default">300</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/winbind/winbinddsocketdirectory.xml b/docs-xml/smbdotconf/winbind/winbinddsocketdirectory.xml new file mode 100644 index 0000000..7827d36 --- /dev/null +++ b/docs-xml/smbdotconf/winbind/winbinddsocketdirectory.xml @@ -0,0 +1,15 @@ +<samba:parameter name="winbindd socket directory" + context="G" + type="string" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para>This setting controls the location of the winbind daemon's socket.</para> + <para>Except within automated test scripts, this should not be + altered, as the client tools (nss_winbind etc) do not honour + this parameter. Client tools must then be advised of the + altered path with the WINBINDD_SOCKET_DIR environment + variable.</para> +</description> + +<value type="default">&pathconfig.WINBINDD_SOCKET_DIR;</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/winbind/winbindenumgroups.xml b/docs-xml/smbdotconf/winbind/winbindenumgroups.xml new file mode 100644 index 0000000..c3339e1 --- /dev/null +++ b/docs-xml/smbdotconf/winbind/winbindenumgroups.xml 
@@ -0,0 +1,19 @@ +<samba:parameter name="winbind enum groups" + context="G" + type="boolean" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para>On large installations using <citerefentry><refentrytitle>winbindd</refentrytitle> + <manvolnum>8</manvolnum></citerefentry> it may be necessary to suppress + the enumeration of groups through the <command moreinfo="none">setgrent()</command>, + <command moreinfo="none">getgrent()</command> and + <command moreinfo="none">endgrent()</command> group of system calls. If + the <parameter moreinfo="none">winbind enum groups</parameter> parameter is + <constant>no</constant>, calls to the <command moreinfo="none">getgrent()</command> system + call will not return any data. </para> + +<warning><para>Turning off group enumeration may cause some programs to behave oddly. </para></warning> +</description> + +<value type="default">no</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/winbind/winbindenumusers.xml b/docs-xml/smbdotconf/winbind/winbindenumusers.xml new file mode 100644 index 0000000..5ce53d6 --- /dev/null +++ b/docs-xml/smbdotconf/winbind/winbindenumusers.xml 
@@ -0,0 +1,23 @@ +<samba:parameter name="winbind enum users" + context="G" + type="boolean" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para>On large installations using <citerefentry><refentrytitle>winbindd</refentrytitle> + <manvolnum>8</manvolnum></citerefentry> it may be + necessary to suppress the enumeration of users through the <command moreinfo="none">setpwent()</command>, + <command moreinfo="none">getpwent()</command> and + <command moreinfo="none">endpwent()</command> group of system calls. If + the <parameter moreinfo="none">winbind enum users</parameter> parameter is + <constant>no</constant>, calls to the <command moreinfo="none">getpwent</command> system call + will not return any data. </para> + +<warning><para>Turning off user + enumeration may cause some programs to behave oddly. For + example, the finger program relies on having access to the + full user list when searching for matching + usernames. </para></warning> +</description> + +<value type="default">no</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/winbind/winbindexpandgroups.xml b/docs-xml/smbdotconf/winbind/winbindexpandgroups.xml new file mode 100644 index 0000000..5a05ecf --- /dev/null +++ b/docs-xml/smbdotconf/winbind/winbindexpandgroups.xml 
@@ -0,0 +1,35 @@ +<samba:parameter name="winbind expand groups" + context="G" + type="integer" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para>This option controls the maximum depth that winbindd + will traverse when flattening nested group memberships + of Windows domain groups. This is different from the + <smbconfoption name="winbind nested groups"/> option + which implements the Windows NT4 model of local group + nesting. The "winbind expand groups" + parameter specifically applies to the membership of + domain groups.</para> + + <para>This option also affects the return of non nested + group memberships of Windows domain users. With the + new default "winbind expand groups = 0" winbind does + not query group memberships at all.</para> + + <para>Be aware that a high value for this parameter can + result in system slowdown as the main parent winbindd daemon + must perform the group unrolling and will be unable to answer + incoming NSS or authentication requests during this time.</para> + + <para>The default value was changed from 1 to 0 with Samba 4.2. + Some broken applications (including some implementations of + newgrp and sg) calculate the group memberships of + users by traversing groups, such applications will require + "winbind expand groups = 1". But the new default makes winbindd + more reliable as it doesn't require SAMR access to domain + controllers of trusted domains.</para> +</description> + +<value type="default">0</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/winbind/winbindignoredomains.xml b/docs-xml/smbdotconf/winbind/winbindignoredomains.xml new file mode 100644 index 0000000..af99222 --- /dev/null +++ b/docs-xml/smbdotconf/winbind/winbindignoredomains.xml 
@@ -0,0 +1,14 @@ +<samba:parameter name="winbind:ignore domains" + context="G" + type="cmdlist" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para>Allows one to enter a list of trusted domains winbind should + ignore (untrust). This can avoid the overhead of resources from + attempting to login to DCs that should not be communicated with. + </para> + +</description> +<value type="default"></value> +<value type="example">DOMAIN1, DOMAIN2</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/winbind/winbindmaxclients.xml b/docs-xml/smbdotconf/winbind/winbindmaxclients.xml new file mode 100644 index 0000000..847a588 --- /dev/null +++ b/docs-xml/smbdotconf/winbind/winbindmaxclients.xml @@ -0,0 +1,19 @@ +<samba:parameter name="winbind max clients" + context="G" + type="integer" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para>This parameter specifies the maximum number of clients + the <citerefentry><refentrytitle>winbindd</refentrytitle> + <manvolnum>8</manvolnum></citerefentry> daemon can connect with. + The parameter is not a hard limit. + The <citerefentry><refentrytitle>winbindd</refentrytitle> + <manvolnum>8</manvolnum></citerefentry> daemon configures + itself to be able to accept at least that many connections, + and if the limit is reached, an attempt is made to disconnect + idle clients. + </para> +</description> + +<value type="default">200</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/winbind/winbindmaxdomainconnections.xml b/docs-xml/smbdotconf/winbind/winbindmaxdomainconnections.xml new file mode 100644 index 0000000..be39143 --- /dev/null +++ b/docs-xml/smbdotconf/winbind/winbindmaxdomainconnections.xml 
@@ -0,0 +1,24 @@ +<samba:parameter name="winbind max domain connections" + context="G" + type="integer" + function="_winbind_max_domain_connections" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para>This parameter specifies the maximum number of simultaneous + connections that the <citerefentry><refentrytitle>winbindd</refentrytitle> + <manvolnum>8</manvolnum></citerefentry> daemon should open to the + domain controller of one domain. + Setting this parameter to a value greater than 1 can improve + scalability with many simultaneous winbind requests, + some of which might be slow. + </para> + <para> + Note that if <smbconfoption name="winbind offline logon"/> is set to + <constant>Yes</constant>, then only one + DC connection is allowed per domain, regardless of this setting. + </para> +</description> + +<value type="default">1</value> +<value type="example">10</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/winbind/winbindnestedgroups.xml b/docs-xml/smbdotconf/winbind/winbindnestedgroups.xml new file mode 100644 index 0000000..a4a03eb --- /dev/null +++ b/docs-xml/smbdotconf/winbind/winbindnestedgroups.xml @@ -0,0 +1,16 @@ +<samba:parameter name="winbind nested groups" + context="G" + type="boolean" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para>If set to yes, this parameter activates the support for nested + groups. Nested groups are also called local groups or + aliases. They work like their counterparts in Windows: Nested + groups are defined locally on any machine (they are shared + between DC's through their SAM) and can contain users and + global groups from any trusted SAM. To be able to use nested + groups, you need to run nss_winbind.</para> +</description> + +<value type="default">yes</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/winbind/winbindnormalizenames.xml b/docs-xml/smbdotconf/winbind/winbindnormalizenames.xml new file mode 100644 index 0000000..362f488 
--- /dev/null +++ b/docs-xml/smbdotconf/winbind/winbindnormalizenames.xml @@ -0,0 +1,30 @@ +<samba:parameter name="winbind normalize names" + context="G" + type="boolean" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para>This parameter controls whether winbindd will replace + whitespace in user and group names with an underscore (_) character. + For example, whether the name "Space Kadet" should be + replaced with the string "space_kadet". + Frequently Unix shell scripts will have difficulty with usernames + contains whitespace due to the default field separator in the shell. + If your domain possesses names containing the underscore character, + this option may cause problems unless the name aliasing feature + is supported by your nss_info plugin. + </para> + + <para>This feature also enables the name aliasing API which can + be used to make domain user and group names to a non-qualified + version. Please refer to the manpage for the configured + idmap and nss_info plugin for the specifics on how to configure + name aliasing for a specific configuration. Name aliasing takes + precedence (and is mutually exclusive) over the whitespace + replacement mechanism discussed previously. + </para> + +</description> + +<value type="default">no</value> +<value type="example">yes</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/winbind/winbindnssinfo.xml b/docs-xml/smbdotconf/winbind/winbindnssinfo.xml new file mode 100644 index 0000000..e6d17c2 --- /dev/null +++ b/docs-xml/smbdotconf/winbind/winbindnssinfo.xml 
@@ -0,0 +1,38 @@ +<samba:parameter name="winbind nss info" + context="G" + type="cmdlist" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + + <para>This parameter is designed to control how Winbind retrieves Name + Service Information to construct a user's home directory and login shell. + Currently the following settings are available: + + <itemizedlist> + <listitem> + <para><parameter moreinfo="none">template</parameter> + - The default, using the parameters of <parameter moreinfo="none">template + shell</parameter> and <parameter moreinfo="none">template homedir</parameter>) + </para> + </listitem> + + <listitem> + <para><parameter moreinfo="none"><sfu | sfu20 | rfc2307 ></parameter> + - When Samba is running in security = ads and your Active Directory + Domain Controller does support the Microsoft "Services for Unix" (SFU) + LDAP schema, winbind can retrieve the login shell and the home + directory attributes directly from your Directory Server. For SFU 3.0 or 3.5 simply choose + "sfu", if you use SFU 2.0 please choose "sfu20".</para> + <para>Note that for the idmap backend <refentrytitle>idmap_ad</refentrytitle> + you need to configure those settings in the idmap configuration section. + Make sure to consult the documentation of the idmap backend that you are using. + </para> + </listitem> + </itemizedlist> + +</para> +</description> + +<value type="default">template</value> +<value type="example">sfu</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/winbind/winbindofflinelogon.xml b/docs-xml/smbdotconf/winbind/winbindofflinelogon.xml new file mode 100644 index 0000000..9cf1249 --- /dev/null +++ b/docs-xml/smbdotconf/winbind/winbindofflinelogon.xml 
@@ -0,0 +1,17 @@ +<samba:parameter name="winbind offline logon" + context="G" + type="boolean" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + + <para>This parameter is designed to control whether Winbind should + allow one to login with the <parameter moreinfo="none">pam_winbind</parameter> + module using Cached Credentials. If enabled, winbindd will store user credentials + from successful logins encrypted in a local cache. + </para> + +</description> + +<value type="default">no</value> +<value type="example">yes</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/winbind/winbindreconnectdelay.xml b/docs-xml/smbdotconf/winbind/winbindreconnectdelay.xml new file mode 100644 index 0000000..f26fd5e --- /dev/null +++ b/docs-xml/smbdotconf/winbind/winbindreconnectdelay.xml @@ -0,0 +1,14 @@ +<samba:parameter name="winbind reconnect delay" + context="G" + type="integer" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para>This parameter specifies the number of + seconds the <citerefentry><refentrytitle>winbindd</refentrytitle> + <manvolnum>8</manvolnum></citerefentry> daemon will wait between + attempts to contact a Domain controller for a domain that is + determined to be down or not contactable.</para> +</description> + +<value type="default">30</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/winbind/winbindrefreshtickets.xml b/docs-xml/smbdotconf/winbind/winbindrefreshtickets.xml new file mode 100644 index 0000000..f6bb738 --- /dev/null +++ b/docs-xml/smbdotconf/winbind/winbindrefreshtickets.xml 
@@ -0,0 +1,15 @@ +<samba:parameter name="winbind refresh tickets" + context="G" + type="boolean" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + + <para>This parameter is designed to control whether Winbind should refresh Kerberos Tickets + retrieved using the <parameter moreinfo="none">pam_winbind</parameter> module. + +</para> +</description> + +<value type="default">no</value> +<value type="example">yes</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/winbind/winbindrequesttimeout.xml b/docs-xml/smbdotconf/winbind/winbindrequesttimeout.xml new file mode 100644 index 0000000..8c7ec56 --- /dev/null +++ b/docs-xml/smbdotconf/winbind/winbindrequesttimeout.xml @@ -0,0 +1,15 @@ +<samba:parameter name="winbind request timeout" + context="G" + type="integer" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para>This parameter specifies the number of + seconds the <citerefentry><refentrytitle>winbindd</refentrytitle> + <manvolnum>8</manvolnum></citerefentry> daemon will wait before + disconnecting either a client connection with no outstanding + requests (idle) or a client connection with a request that has + remained outstanding (hung) for longer than this number of seconds.</para> +</description> + +<value type="default">60</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/winbind/winbindrpconly.xml b/docs-xml/smbdotconf/winbind/winbindrpconly.xml new file mode 100644 index 0000000..50795ac --- /dev/null +++ b/docs-xml/smbdotconf/winbind/winbindrpconly.xml @@ -0,0 +1,15 @@ +<samba:parameter name="winbind rpc only" + context="G" + type="boolean" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + + <para> + Setting this parameter to <value type="example">yes</value> forces + winbindd to use RPC instead of LDAP to retrieve information from Domain + Controllers. + </para> + +</description> +<value type="default">no</value> +</samba:parameter> 
diff --git a/docs-xml/smbdotconf/winbind/winbindscantrusteddomains.xml b/docs-xml/smbdotconf/winbind/winbindscantrusteddomains.xml new file mode 100644 index 0000000..12e94cb --- /dev/null +++ b/docs-xml/smbdotconf/winbind/winbindscantrusteddomains.xml @@ -0,0 +1,29 @@ +<samba:parameter name="winbind scan trusted domains" + context="G" + type="boolean" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para> + This option only takes effect when the <smbconfoption name="security"/> option is set to + <constant>domain</constant> or <constant>ads</constant>. + If it is set to yes, winbindd periodically tries to scan for new + trusted domains and adds them to a global list inside of winbindd. + The list can be extracted with <command>wbinfo --trusted-domains --verbose</command>. + Setting it to yes matches the behaviour of Samba 4.7 and older.</para> + + <para>The construction of that global list is not reliable and often + incomplete in complex trust setups. In most situations the list is + not needed any more for winbindd to operate correctly. + E.g. for plain file serving via SMB using a simple idmap setup + with <constant>autorid</constant>, <constant>tdb</constant> or <constant>ad</constant>. + However some more complex setups require the list, e.g. + if you specify idmap backends for specific domains. + Some pam_winbind setups may also require the global list.</para> + + <para>If you have a setup that doesn't require the global list, you should set + <smbconfoption name="winbind scan trusted domains">no</smbconfoption>. + </para> +</description> + +<value type="default">no</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/winbind/winbindsealedpipes.xml b/docs-xml/smbdotconf/winbind/winbindsealedpipes.xml new file mode 100644 index 0000000..016ac9b --- /dev/null +++ b/docs-xml/smbdotconf/winbind/winbindsealedpipes.xml 
@@ -0,0 +1,15 @@ +<samba:parameter name="winbind sealed pipes" + context="G" + type="boolean" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para>This option controls whether any requests from winbindd to domain controllers + pipe will be sealed. Disabling sealing can be useful for debugging + purposes.</para> + + <para>The behavior can be controlled per netbios domain + by using 'winbind sealed pipes:NETBIOSDOMAIN = no' as option.</para> +</description> + +<value type="default">yes</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/winbind/winbindseparator.xml b/docs-xml/smbdotconf/winbind/winbindseparator.xml new file mode 100644 index 0000000..eda14f4 --- /dev/null +++ b/docs-xml/smbdotconf/winbind/winbindseparator.xml @@ -0,0 +1,20 @@ +<samba:parameter name="winbind separator" + context="G" + type="string" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para>This parameter allows an admin to define the character + used when listing a username of the form of <replaceable>DOMAIN + </replaceable>\<replaceable>user</replaceable>. This parameter + is only applicable when using the <filename moreinfo="none">pam_winbind.so</filename> + and <filename moreinfo="none">nss_winbind.so</filename> modules for UNIX services. + </para> + + <para>Please note that setting this parameter to + causes problems + with group membership at least on glibc systems, as the character + + is used as a special character for NIS in /etc/group.</para> +</description> + +<value type="default">\</value> +<value type="example">+</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/winbind/winbindusedefaultdomain.xml b/docs-xml/smbdotconf/winbind/winbindusedefaultdomain.xml new file mode 100644 index 0000000..186398e --- /dev/null +++ b/docs-xml/smbdotconf/winbind/winbindusedefaultdomain.xml 
@@ -0,0 +1,22 @@ +<samba:parameter name="winbind use default domain" + context="G" + type="boolean" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para>This parameter specifies whether the + <citerefentry><refentrytitle>winbindd</refentrytitle> + <manvolnum>8</manvolnum></citerefentry> daemon should operate on users + without domain component in their username. Users without a domain + component are treated as is part of the winbindd server's own + domain. While this does not benefit Windows users, it makes SSH, FTP and + e-mail function in a way much closer to the way they + would in a native unix system.</para> + <para>This option should be avoided if possible. It can cause confusion + about responsibilities for a user or group. In many situations it is + not clear whether winbind or /etc/passwd should be seen as authoritative + for a user, likewise for groups.</para> +</description> + +<value type="default">no</value> +<value type="example">yes</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/winbind/winbindusekrb5enterpriseprincipals.xml b/docs-xml/smbdotconf/winbind/winbindusekrb5enterpriseprincipals.xml new file mode 100644 index 0000000..d30b7f3 --- /dev/null +++ b/docs-xml/smbdotconf/winbind/winbindusekrb5enterpriseprincipals.xml 
@@ -0,0 +1,34 @@ +<samba:parameter name="winbind use krb5 enterprise principals" + context="G" + type="boolean" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para>winbindd is able to get kerberos tickets for + pam_winbind with krb5_auth or wbinfo -K/--krb5auth=. + </para> + + <para>winbindd (at least on a domain member) is never be able + to have a complete picture of the trust topology (which is managed by the DCs). + There might be uPNSuffixes and msDS-SPNSuffixes values, + which don't belong to any AD domain at all. + </para> + + <para>With <smbconfoption name="winbind scan trusted domains">no</smbconfoption> + winbindd doesn't even get a complete picture of the topology. + </para> + + <para>It is not really required to know about the trust topology. + We can just rely on the [K]DCs of our primary domain (e.g. PRIMARY.A.EXAMPLE.COM) + and use enterprise principals e.g. upnfromB@B.EXAMPLE.COM@PRIMARY.A.EXAMPLE.COM + and follow the WRONG_REALM referrals in order to find the correct DC. + The final principal might be userfromB@INTERNALB.EXAMPLE.PRIVATE. + </para> + + <para>With <smbconfoption name="winbind use krb5 enterprise principals">yes</smbconfoption> + winbindd enterprise principals will be used. + </para> +</description> + +<value type="default">yes</value> +<value type="example">no</value> +</samba:parameter> |
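Review bot: In winbindofflinelogon.xml the description says winbindd stores credentials "encrypted in a local cache" but does not say what protects that cache or what an attacker who obtains the cache file gains from it; since enabling this parameter deliberately places reusable credential material on the member's disk, the entry should state that risk and that the cache needs the same protection as a password database. "allow one to login with the pam_winbind module using Cached Credentials" also reads oddly; suggest "allow logins through the pam_winbind module using cached credentials" (lower case, the term is not a proper noun). Does pam_winbind need a matching option on its side for cached logons to happen? If so, the entry should reference it, because as written it only covers the winbindd half.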
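Review bot: In winbindrefreshtickets.xml there is a stray blank line inside the <para> before </para>, and "Kerberos Tickets" should be "Kerberos tickets". More importantly the description never says where those tickets come from: the enterprise principals entry in this same patch mentions that winbindd obtains tickets "for pam_winbind with krb5_auth", so this entry should cross-reference that precondition, otherwise a reader enables refresh without ever having tickets to refresh. It would also help to say what triggers a refresh and what winbindd does when the refresh fails.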
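Review bot: In winbindrpconly.xml the description gives no scope and no reason: "forces winbindd to use RPC instead of LDAP to retrieve information from Domain Controllers" does not say in which configurations LDAP would be used in the first place. The scan trusted domains entry in this patch explicitly restricts itself to security = domain or ads; this one should state the equivalent, and say what an administrator gains or loses by switching (which lookups behave differently), since as written there is nothing on which to base the decision.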
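Review bot: In winbindscantrusteddomains.xml the closing advice is redundant with the default: the entry recommends "you should set winbind scan trusted domains = no" while the default value is already no, so the text tells readers to set what they already have. Suggest inverting it: leave the parameter at its default and only set yes for the setups the previous paragraph names (per-domain idmap backends, some pam_winbind setups). It would also be clearer to say explicitly that the default changed after Samba 4.7, rather than only "Setting it to yes matches the behaviour of Samba 4.7 and older".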
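Review bot: In winbindsealedpipes.xml the first sentence is garbled ("requests from winbindd to domain controllers pipe will be sealed"); suggest "whether requests winbindd sends over its RPC pipes to domain controllers will be sealed". The sentence "Disabling sealing can be useful for debugging purposes" should carry a warning: unsealed pipes put those requests on the wire unencrypted, so the setting must be reverted after debugging and never left at no for a production domain. The per-domain form 'winbind sealed pipes:NETBIOSDOMAIN = no' should use the <smbconfoption> markup the rest of these files use instead of quoted plain text, and the text can point out that it limits the exposure to the one domain being debugged.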
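Review bot: In winbindseparator.xml the example value contradicts the description: the entry warns that "setting this parameter to + causes problems with group membership at least on glibc systems", yet <value type="example">+</value> shows exactly that character. Pick a different example character or drop the example. Also "a username of the form of DOMAIN\user" should be "of the form DOMAIN\user", and since the default is a backslash it is worth a sentence that it must be escaped or quoted when typed on a shell.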
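Review bot: In winbindusedefaultdomain.xml "Users without a domain component are treated as is part of the winbindd server's own domain" is ungrammatical; suggest "are treated as if they were part of". The warning paragraph would be stronger if it named the concrete failure: a domain user and a local /etc/passwd user with the same short name become ambiguous, and which one wins is then decided by the NSS lookup order rather than by anything in smb.conf, which is the reason the option "should be avoided if possible".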
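Review bot: In winbindusekrb5enterpriseprincipals.xml two sentences need fixing: "winbindd (at least on a domain member) is never be able" should be "is never able", and "winbindd enterprise principals will be used" should be "winbindd will use enterprise principals". The worked example "upnfromB@B.EXAMPLE.COM@PRIMARY.A.EXAMPLE.COM" needs one sentence explaining the two @ signs (the whole UPN is the principal name, with the primary realm appended), otherwise the WRONG_REALM referral chain ending at "userfromB@INTERNALB.EXAMPLE.PRIVATE" is hard to follow. Since the default is yes and the example is no, the entry should also say when an administrator would want no.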