From 8daa83a594a2e98f39d764422bfbdbc62c9efd44 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Fri, 19 Apr 2024 19:20:00 +0200 Subject: Adding upstream version 2:4.20.0+dfsg. Signed-off-by: Daniel Baumann --- docs-xml/smbdotconf/logon/abortshutdownscript.xml | 16 +++ docs-xml/smbdotconf/logon/addgroupscript.xml | 19 ++++ docs-xml/smbdotconf/logon/addmachinescript.xml | 21 ++++ docs-xml/smbdotconf/logon/adduserscript.xml | 47 +++++++++ docs-xml/smbdotconf/logon/addusertogroupscript.xml | 22 +++++ docs-xml/smbdotconf/logon/allownt4crypto.xml | 106 ++++++++++++++++++++ .../smbdotconf/logon/autheventnotification.xml | 29 ++++++ docs-xml/smbdotconf/logon/deletegroupscript.xml | 15 +++ .../smbdotconf/logon/deleteuserfromgroupscript.xml | 17 ++++ docs-xml/smbdotconf/logon/deleteuserscript.xml | 22 +++++ docs-xml/smbdotconf/logon/domainlogons.xml | 25 +++++ docs-xml/smbdotconf/logon/enableprivileges.xml | 26 +++++ docs-xml/smbdotconf/logon/initlogondelay.xml | 14 +++ .../smbdotconf/logon/initlogondelayedhosts.xml | 20 ++++ docs-xml/smbdotconf/logon/logondrive.xml | 18 ++++ docs-xml/smbdotconf/logon/logonhome.xml | 56 +++++++++++ docs-xml/smbdotconf/logon/logonpath.xml | 69 +++++++++++++ docs-xml/smbdotconf/logon/logonscript.xml | 54 ++++++++++ docs-xml/smbdotconf/logon/rejectmd5clients.xml | 110 +++++++++++++++++++++ .../smbdotconf/logon/setprimarygroupscript.xml | 20 ++++ docs-xml/smbdotconf/logon/shutdownscript.xml | 61 ++++++++++++ 21 files changed, 787 insertions(+) create mode 100644 docs-xml/smbdotconf/logon/abortshutdownscript.xml create mode 100644 docs-xml/smbdotconf/logon/addgroupscript.xml create mode 100644 docs-xml/smbdotconf/logon/addmachinescript.xml create mode 100644 docs-xml/smbdotconf/logon/adduserscript.xml create mode 100644 docs-xml/smbdotconf/logon/addusertogroupscript.xml create mode 100644 docs-xml/smbdotconf/logon/allownt4crypto.xml create mode 100644 docs-xml/smbdotconf/logon/autheventnotification.xml create mode 100644 docs-xml/smbdotconf/logon/deletegroupscript.xml create mode 100644 docs-xml/smbdotconf/logon/deleteuserfromgroupscript.xml create mode 100644 docs-xml/smbdotconf/logon/deleteuserscript.xml create mode 100644 docs-xml/smbdotconf/logon/domainlogons.xml create mode 100644 docs-xml/smbdotconf/logon/enableprivileges.xml create mode 100644 docs-xml/smbdotconf/logon/initlogondelay.xml create mode 100644 docs-xml/smbdotconf/logon/initlogondelayedhosts.xml create mode 100644 docs-xml/smbdotconf/logon/logondrive.xml create mode 100644 docs-xml/smbdotconf/logon/logonhome.xml create mode 100644 docs-xml/smbdotconf/logon/logonpath.xml create mode 100644 docs-xml/smbdotconf/logon/logonscript.xml create mode 100644 docs-xml/smbdotconf/logon/rejectmd5clients.xml create mode 100644 docs-xml/smbdotconf/logon/setprimarygroupscript.xml create mode 100644 docs-xml/smbdotconf/logon/shutdownscript.xml (limited to 'docs-xml/smbdotconf/logon') diff --git a/docs-xml/smbdotconf/logon/abortshutdownscript.xml b/docs-xml/smbdotconf/logon/abortshutdownscript.xml new file mode 100644 index 0000000..7ce0f1f --- /dev/null +++ b/docs-xml/smbdotconf/logon/abortshutdownscript.xml @@ -0,0 +1,16 @@ + + + This a full path name to a script called by smbd + 8 that + should stop a shutdown procedure issued by the . + + If the connected user possesses the SeRemoteShutdownPrivilege, + right, this command will be run as root. + +"" +/sbin/shutdown -c + diff --git a/docs-xml/smbdotconf/logon/addgroupscript.xml b/docs-xml/smbdotconf/logon/addgroupscript.xml new file mode 100644 index 0000000..3b347d0 --- /dev/null +++ b/docs-xml/smbdotconf/logon/addgroupscript.xml @@ -0,0 +1,19 @@ + + + + This is the full pathname to a script that will be run AS ROOT by + smbd8 when a new group is requested. It + will expand any %g to the group name passed. This script is only useful + for installations using the Windows NT domain administration tools. The script is free to create a group with + an arbitrary name to circumvent unix group name restrictions. In that case the script must print the numeric + gid of the created group on stdout. + + + + +/usr/sbin/groupadd %g + diff --git a/docs-xml/smbdotconf/logon/addmachinescript.xml b/docs-xml/smbdotconf/logon/addmachinescript.xml new file mode 100644 index 0000000..db1f5bc --- /dev/null +++ b/docs-xml/smbdotconf/logon/addmachinescript.xml @@ -0,0 +1,21 @@ + + + + This is the full pathname to a script that will be run by + smbd 8 when a machine is + added to Samba's domain and a Unix account matching the machine's name appended with a "$" does not + already exist. + + This option is very similar to the , and likewise uses the %u + substitution for the account name. Do not use the %m + substitution. + + + +/usr/sbin/adduser -n -g machines -c Machine -d /var/lib/nobody -s /bin/false %u + diff --git a/docs-xml/smbdotconf/logon/adduserscript.xml b/docs-xml/smbdotconf/logon/adduserscript.xml new file mode 100644 index 0000000..4be1146 --- /dev/null +++ b/docs-xml/smbdotconf/logon/adduserscript.xml @@ -0,0 +1,47 @@ + + + + This is the full pathname to a script that will be run AS ROOT by + smbd 8 + under special circumstances described below. + + + + Normally, a Samba server requires that UNIX users are created for all users accessing + files on this server. For sites that use Windows NT account databases as their primary + user database creating these users and keeping the user list in sync with the Windows + NT PDC is an onerous task. This option allows smbd to create the required UNIX users + ON DEMAND when a user accesses the Samba server. + + + + When the Windows user attempts to access the Samba server, at login (session setup in + the SMB protocol) time, smbd + 8 contacts the + and attempts to authenticate the given user with the given password. If the authentication + succeeds then smbd attempts to find a UNIX user in the UNIX + password database to map the Windows user into. If this lookup fails, and + is set then smbd will + call the specified script AS ROOT, expanding any + %u argument to be the user name to create. + + + + If this script successfully creates the user then smbd will + continue on as though the UNIX user already existed. In this way, UNIX users are dynamically created to + match existing Windows NT accounts. + + + + See also , , + . + + + + +/usr/local/samba/bin/add_user %u + diff --git a/docs-xml/smbdotconf/logon/addusertogroupscript.xml b/docs-xml/smbdotconf/logon/addusertogroupscript.xml new file mode 100644 index 0000000..f6e9cc2 --- /dev/null +++ b/docs-xml/smbdotconf/logon/addusertogroupscript.xml @@ -0,0 +1,22 @@ + + + + Full path to the script that will be called when a user is added to a group using the Windows NT domain administration + tools. It will be run by smbd 8 + AS ROOT. Any %g will be replaced with the group name and + any %u will be replaced with the user name. + + + + Note that the adduser command used in the example below does + not support the used syntax on all systems. + + + + +/usr/sbin/adduser %u %g + diff --git a/docs-xml/smbdotconf/logon/allownt4crypto.xml b/docs-xml/smbdotconf/logon/allownt4crypto.xml new file mode 100644 index 0000000..ee63e6c --- /dev/null +++ b/docs-xml/smbdotconf/logon/allownt4crypto.xml @@ -0,0 +1,106 @@ + + + + This option is deprecated and will be removed in future, + as it is a security problem if not set to "no" (which will be + the hardcoded behavior in future). + + + This option controls whether the netlogon server (currently + only in 'active directory domain controller' mode), will + reject clients which do not support NETLOGON_NEG_STRONG_KEYS + nor NETLOGON_NEG_SUPPORTS_AES. + + This option was added with Samba 4.2.0. It may lock out clients + which worked fine with Samba versions up to 4.1.x. as the effective default + was "yes" there, while it is "no" now. + + If you have clients without RequireStrongKey = 1 in the registry, + you may need to set "allow nt4 crypto = yes", until you have fixed all clients. + + + "allow nt4 crypto = yes" allows weak crypto to be negotiated, maybe via downgrade attacks. + + Avoid using this option! Use explicit 'yes' instead! + Which is available with the patches for + CVE-2022-38023 + see https://bugzilla.samba.org/show_bug.cgi?id=15240 + + + Samba will log an error in the log files at log level 0 + if legacy a client is rejected or allowed without an explicit, + 'yes' option + for the client. The message will indicate + the explicit 'yes' + line to be added, if the legacy client software requires it. (The log level can be adjusted with + '1' + in order to complain only at a higher log level). + + + This allows admins to use "yes" only for a short grace period, + in order to collect the explicit + 'yes' options. + + This option is over-ridden by the effective value of 'yes' from + the '' + and/or '' options. + + +no + + + + + + If you still have legacy domain members which required 'allow nt4 crypto = yes', + it is possible to specify an explicit exception per computer account + by using 'allow nt4 crypto:COMPUTERACCOUNT = yes' as option. + Note that COMPUTERACCOUNT has to be the sAMAccountName value of + the computer account (including the trailing '$' sign). + + + + Samba will log a complaint in the log files at log level 0 + about the security problem if the option is set to "yes", + but the related computer does not require it. + (The log level can be adjusted with + '1' + in order to complain only at a higher log level). + + + + Samba will log a warning in the log files at log level 5, + if a setting is still needed for the specified computer account. + + + + See CVE-2022-38023, + https://bugzilla.samba.org/show_bug.cgi?id=15240. + + + This option overrides the option. + + This option is over-ridden by the effective value of 'yes' from + the '' + and/or '' options. + Which means 'yes' + is only useful in combination with 'no' + + + allow nt4 crypto:LEGACYCOMPUTER1$ = yes + server reject md5 schannel:LEGACYCOMPUTER1$ = no + allow nt4 crypto:NASBOX$ = yes + server reject md5 schannel:NASBOX$ = no + allow nt4 crypto:LEGACYCOMPUTER2$ = yes + server reject md5 schannel:LEGACYCOMPUTER2$ = no + + + + diff --git a/docs-xml/smbdotconf/logon/autheventnotification.xml b/docs-xml/smbdotconf/logon/autheventnotification.xml new file mode 100644 index 0000000..87ccf02 --- /dev/null +++ b/docs-xml/smbdotconf/logon/autheventnotification.xml @@ -0,0 +1,29 @@ + + + When enabled, this option causes Samba (acting as an + Active Directory Domain Controller) to stream authentication + events across the internal message bus. Scripts built using + Samba's python bindings can listen to these events by + registering as the service + auth_event. + + This is not needed for the audit + logging described in . + + Instead, this should instead be considered a developer + option (it assists in the Samba testsuite) rather than a + facility for external auditing, as message delivery is not + guaranteed (a feature that the testsuite works around). + + The authentication events are also logged via the normal + logging methods when the is + set appropriately, say to + auth_json_audit:3. + + + +no + diff --git a/docs-xml/smbdotconf/logon/deletegroupscript.xml b/docs-xml/smbdotconf/logon/deletegroupscript.xml new file mode 100644 index 0000000..be8bb0d --- /dev/null +++ b/docs-xml/smbdotconf/logon/deletegroupscript.xml @@ -0,0 +1,15 @@ + + + This is the full pathname to a script that will + be run AS ROOT by smbd + 8 when a group is requested to be deleted. + It will expand any %g to the group name passed. + This script is only useful for installations using the Windows NT domain administration tools. + + + + diff --git a/docs-xml/smbdotconf/logon/deleteuserfromgroupscript.xml b/docs-xml/smbdotconf/logon/deleteuserfromgroupscript.xml new file mode 100644 index 0000000..1654a09 --- /dev/null +++ b/docs-xml/smbdotconf/logon/deleteuserfromgroupscript.xml @@ -0,0 +1,17 @@ + + + Full path to the script that will be called when + a user is removed from a group using the Windows NT domain administration + tools. It will be run by smbd + 8 AS ROOT. + Any %g will be replaced with the group name and + any %u will be replaced with the user name. + + + +/usr/sbin/deluser %u %g + diff --git a/docs-xml/smbdotconf/logon/deleteuserscript.xml b/docs-xml/smbdotconf/logon/deleteuserscript.xml new file mode 100644 index 0000000..22897cb --- /dev/null +++ b/docs-xml/smbdotconf/logon/deleteuserscript.xml @@ -0,0 +1,22 @@ + + + This is the full pathname to a script that will + be run by smbd + 8 when managing users + with remote RPC (NT) tools. + + + This script is called when a remote client removes a user + from the server, normally using 'User Manager for Domains' or + rpcclient. + + This script should delete the given UNIX username. + + + +/usr/local/samba/bin/del_user %u + diff --git a/docs-xml/smbdotconf/logon/domainlogons.xml b/docs-xml/smbdotconf/logon/domainlogons.xml new file mode 100644 index 0000000..7f84975 --- /dev/null +++ b/docs-xml/smbdotconf/logon/domainlogons.xml @@ -0,0 +1,25 @@ + + + This parameter has been deprecated since Samba 4.13 and + support for NT4-style domain logons(as distinct from the Samba + AD DC) will be removed in a future Samba release. + That is, in the future, the current default of + domain logons = no + will be the enforced behaviour. + + If set to yes, the Samba server will + provide the netlogon service for Windows 9X network logons for the + it is in. + This will also cause the Samba server to act as a domain + controller for NT4 style domain services. For more details on + setting up this feature see the Domain Control chapter of the + Samba HOWTO Collection. + + +no + diff --git a/docs-xml/smbdotconf/logon/enableprivileges.xml b/docs-xml/smbdotconf/logon/enableprivileges.xml new file mode 100644 index 0000000..9e28457 --- /dev/null +++ b/docs-xml/smbdotconf/logon/enableprivileges.xml @@ -0,0 +1,26 @@ + + + + This deprecated parameter controls whether or not smbd will honor privileges assigned to specific SIDs via either + net rpc rights or one of the Windows user and group manager tools. This parameter is + enabled by default. It can be disabled to prevent members of the Domain Admins group from being able to + assign privileges to users or groups which can then result in certain smbd operations running as root that + would normally run under the context of the connected user. + + + + An example of how privileges can be used is to assign the right to join clients to a Samba controlled + domain without providing root access to the server via smbd. + + + + Please read the extended description provided in the Samba HOWTO documentation. + + + +yes + diff --git a/docs-xml/smbdotconf/logon/initlogondelay.xml b/docs-xml/smbdotconf/logon/initlogondelay.xml new file mode 100644 index 0000000..0cdbcd0 --- /dev/null +++ b/docs-xml/smbdotconf/logon/initlogondelay.xml @@ -0,0 +1,14 @@ + + + + This parameter specifies a delay in milliseconds for the hosts configured + for delayed initial samlogon with + . + + + +100 + diff --git a/docs-xml/smbdotconf/logon/initlogondelayedhosts.xml b/docs-xml/smbdotconf/logon/initlogondelayedhosts.xml new file mode 100644 index 0000000..83d1ebd --- /dev/null +++ b/docs-xml/smbdotconf/logon/initlogondelayedhosts.xml @@ -0,0 +1,20 @@ + + + + This parameter takes a list of host names, addresses or networks for + which the initial samlogon reply should be delayed (so other DCs get + preferred by XP workstations if there are any). + + + + The length of the delay can be specified with the + parameter. + + + + +150.203.5. myhost.mynet.de + diff --git a/docs-xml/smbdotconf/logon/logondrive.xml b/docs-xml/smbdotconf/logon/logondrive.xml new file mode 100644 index 0000000..9767693 --- /dev/null +++ b/docs-xml/smbdotconf/logon/logondrive.xml @@ -0,0 +1,18 @@ + + + + This parameter specifies the local path to which the home directory will be + connected (see ) and is only used by NT + Workstations. + + + + Note that this option is only useful if Samba is set up as a logon server. + + + +h: + diff --git a/docs-xml/smbdotconf/logon/logonhome.xml b/docs-xml/smbdotconf/logon/logonhome.xml new file mode 100644 index 0000000..cb5f5d5 --- /dev/null +++ b/docs-xml/smbdotconf/logon/logonhome.xml @@ -0,0 +1,56 @@ + + + + This parameter specifies the home directory location when a Win95/98 or NT Workstation logs into a Samba PDC. + It allows you to do + + + + C:\>NET USE H: /HOME + + + + from a command prompt, for example. + + + + This option takes the standard substitutions, allowing you to have separate logon scripts for each user or machine. + + + + This parameter can be used with Win9X workstations to ensure that roaming profiles are stored in a + subdirectory of the user's home directory. This is done in the following way: + + + + logon home = \\%N\%U\profile + + + + This tells Samba to return the above string, with substitutions made when a client requests the info, generally + in a NetUserGetInfo request. Win9X clients truncate the info to \\server\share when a user does + net use /home but use the whole string when dealing with profiles. + + + + Note that in prior versions of Samba, the was returned rather than + logon home. This broke net use /home + but allowed profiles outside the home directory. The current implementation is correct, and can be used for + profiles if you use the above trick. + + + + Disable this feature by setting "" - using the empty string. + + + + This option is only useful if Samba is set up as a logon server. + + + +\\%N\%U +\\remote_smb_server\%U + diff --git a/docs-xml/smbdotconf/logon/logonpath.xml b/docs-xml/smbdotconf/logon/logonpath.xml new file mode 100644 index 0000000..3cc85db --- /dev/null +++ b/docs-xml/smbdotconf/logon/logonpath.xml @@ -0,0 +1,69 @@ + + + + This parameter specifies the directory where roaming profiles (Desktop, NTuser.dat, etc) are + stored. Contrary to previous versions of these manual pages, it has nothing to do with Win 9X roaming + profiles. To find out how to handle roaming profiles for Win 9X system, see the + parameter. + + + + This option takes the standard substitutions, allowing you to have separate logon scripts for each user or + machine. It also specifies the directory from which the "Application Data", desktop, start menu, network neighborhood, programs and other + folders, and their contents, are loaded and displayed on your Windows NT client. + + + + The share and the path must be readable by the user for the preferences and directories to be loaded onto the + Windows NT client. The share must be writeable when the user logs in for the first time, in order that the + Windows NT client can create the NTuser.dat and other directories. + Thereafter, the directories and any of the contents can, if required, be made read-only. It is not advisable + that the NTuser.dat file be made read-only - rename it to NTuser.man to achieve the desired effect (a + MANdatory profile). + + + + Windows clients can sometimes maintain a connection to the [homes] share, even though there is no user logged + in. Therefore, it is vital that the logon path does not include a reference to the homes share (i.e. setting + this parameter to \\%N\homes\profile_path will cause problems). + + + + This option takes the standard substitutions, allowing you to have separate logon scripts for each user or machine. + + + + Do not quote the value. Setting this as \\%N\profile\%U + will break profile handling. Where the tdbsam or ldapsam passdb backend + is used, at the time the user account is created the value configured + for this parameter is written to the passdb backend and that value will + over-ride the parameter value present in the smb.conf file. Any error + present in the passdb backend account record must be edited using the + appropriate tool (pdbedit on the command-line, or any other locally + provided system tool). + + + Note that this option is only useful if Samba is set up as a domain controller. + + + Disable the use of roaming profiles by setting the value of this parameter to the empty string. For + example, "". Take note that even if the default setting + in the smb.conf file is the empty string, any value specified in the user account settings in the passdb + backend will over-ride the effect of setting this parameter to null. Disabling of all roaming profile use + requires that the user account settings must also be blank. + + + + An example of use is: + +logon path = \\PROFILESERVER\PROFILE\%U + + + +\\%N\%U\profile + diff --git a/docs-xml/smbdotconf/logon/logonscript.xml b/docs-xml/smbdotconf/logon/logonscript.xml new file mode 100644 index 0000000..cf02466 --- /dev/null +++ b/docs-xml/smbdotconf/logon/logonscript.xml @@ -0,0 +1,54 @@ + + + + This parameter specifies the batch file (.bat) or NT command file + (.cmd) to be downloaded and run on a machine when a user successfully logs in. The file + must contain the DOS style CR/LF line endings. Using a DOS-style editor to create the file is recommended. + + + + The script must be a relative path to the service. If the [netlogon] + service specifies a of /usr/local/samba/netlogon, and STARTUP.BAT, then the file that will be downloaded is: + + /usr/local/samba/netlogon/STARTUP.BAT + + + + + The contents of the batch file are entirely your choice. A suggested command would be to add NET TIME \\SERVER /SET /YES, to force every machine to synchronize clocks with the + same time server. Another use would be to add NET USE U: \\SERVER\UTILS + for commonly used utilities, or + +NET USE Q: \\SERVER\ISO9001_QA + + for example. + + + + Note that it is particularly important not to allow write access to the [netlogon] share, or to grant users + write permission on the batch files in a secure environment, as this would allow the batch files to be + arbitrarily modified and security to be breached. + + + + This option takes the standard substitutions, allowing you to have separate logon scripts for each user or + machine. + + + + This option is only useful if Samba is set up as a logon server in a classic domain controller role. + If Samba is set up as an Active Directory domain controller, LDAP attribute scriptPath + is used instead. For configurations where ldapsam is in use, + this option only defines a default value in case LDAP attribute sambaLogonScript + is missing. + + + +scripts\%U.bat + diff --git a/docs-xml/smbdotconf/logon/rejectmd5clients.xml b/docs-xml/smbdotconf/logon/rejectmd5clients.xml new file mode 100644 index 0000000..fe7701d --- /dev/null +++ b/docs-xml/smbdotconf/logon/rejectmd5clients.xml @@ -0,0 +1,110 @@ + + + + This option is deprecated and will be removed in a future release, + as it is a security problem if not set to "yes" (which will be + the hardcoded behavior in the future). + + + This option controls whether the netlogon server (currently + only in 'active directory domain controller' mode), will + reject clients which does not support NETLOGON_NEG_SUPPORTS_AES. + + Support for NETLOGON_NEG_SUPPORTS_AES was added in Windows + starting with Server 2008R2 and Windows 7, it's available in Samba + starting with 4.0, however third party domain members like NetApp ONTAP + still uses RC4 (HMAC-MD5), see + https://www.samba.org/samba/security/CVE-2022-38023.html + for more details. + + + The default changed from 'no' to 'yes', with the patches for + CVE-2022-38023 + see https://bugzilla.samba.org/show_bug.cgi?id=15240. + + + Avoid using this option! Use an explicit per machine account + '' instead! + Which is available with the patches for + CVE-2022-38023 + see https://bugzilla.samba.org/show_bug.cgi?id=15240. + + + + Samba will log an error in the log files at log level 0 + if legacy a client is rejected or allowed without an explicit, + 'no' option + for the client. The message will indicate + the explicit 'no' + line to be added, if the legacy client software requires it. (The log level can be adjusted with + '1' + in order to complain only at a higher log level). + + + This allows admins to use "no" only for a short grace period, + in order to collect the explicit + 'no' options. + + When set to 'yes' this option overrides the + '' and + '' options and implies + 'no'. + + + +yes + + + + + + If you still have legacy domain members or trusted domains, + which required "reject md5 clients = no" before, + it is possible to specify an explicit exception per computer account + by setting 'server reject md5 schannel:COMPUTERACCOUNT = no'. + Note that COMPUTERACCOUNT has to be the sAMAccountName value of + the computer account (including the trailing '$' sign). + + + + Samba will log a complaint in the log files at log level 0 + about the security problem if the option is set to "no", + but the related computer does not require it. + (The log level can be adjusted with + '1' + in order to complain only at a higher log level). + + + + Samba will log a warning in the log files at log level 5 + if a setting is still needed for the specified computer account. + + + + See CVE-2022-38023, + https://bugzilla.samba.org/show_bug.cgi?id=15240. + + + This option overrides the option. + + When set to 'yes' this option overrides the + '' and + '' options and implies + 'no'. + + + + server reject md5 schannel:LEGACYCOMPUTER1$ = no + server reject md5 schannel:NASBOX$ = no + server reject md5 schannel:LEGACYCOMPUTER2$ = no + + + + diff --git a/docs-xml/smbdotconf/logon/setprimarygroupscript.xml b/docs-xml/smbdotconf/logon/setprimarygroupscript.xml new file mode 100644 index 0000000..8d1ae36 --- /dev/null +++ b/docs-xml/smbdotconf/logon/setprimarygroupscript.xml @@ -0,0 +1,20 @@ + + + + Thanks to the Posix subsystem in NT a Windows User has a + primary group in addition to the auxiliary groups. This script + sets the primary group in the unix user database when an + administrator sets the primary group from the windows user + manager or when fetching a SAM with net rpc + vampire. %u will be replaced + with the user whose primary group is to be set. + %g will be replaced with the group to + set. + + +/usr/sbin/usermod -g '%g' '%u' + diff --git a/docs-xml/smbdotconf/logon/shutdownscript.xml b/docs-xml/smbdotconf/logon/shutdownscript.xml new file mode 100644 index 0000000..ea5b65f --- /dev/null +++ b/docs-xml/smbdotconf/logon/shutdownscript.xml @@ -0,0 +1,61 @@ + + + This a full path name to a script called by + smbd + 8 that should + start a shutdown procedure. + + If the connected user possesses the SeRemoteShutdownPrivilege, + right, this command will be run as root. + + The %z %t %r %f variables are expanded as follows: + + + + %z will be substituted with the + shutdown message sent to the server. + + + + %t will be substituted with the + number of seconds to wait before effectively starting the + shutdown procedure. + + + + %r will be substituted with the + switch -r. It means reboot after shutdown + for NT. + + + + %f will be substituted with the + switch -f. It means force the shutdown + even if applications do not respond for NT. + + + + Shutdown script example: + +#!/bin/bash + +time=$2 +let time="${time} / 60" +let time="${time} + 1" + +/sbin/shutdown $3 $4 +$time $1 & + + + Shutdown does not return so we need to launch it in background. + + + +abort shutdown script + +/usr/local/samba/sbin/shutdown %m %t %r %f + + -- cgit v1.2.3